Security Awareness Terms

Security Awareness Terms

Top Awareness Terms in Simple English

Sometimes information security can be confusing. Even some of the terms themselves can easily be misunderstood. To help, we have created a list of the most commonly used information security awareness terms and what they mean in simple English. Primary editors for this reference are Lenny Zeltser, SANS Institute Instructor and Ed Skoudis, SANS Institute Instructor and Founder, Counter Hack Challenges.

Anti-Virus
A security program that can run on a computer or mobile device and protects you by identifying and stopping the spread of malware on your system. Anti-virus cannot detect all malware, so even if it is active, your system might still get infected. Anti-virus can also be used at the organizational level. For example, email servers may have anti-virus integrated with it to scan incoming or outgoing email. Sometimes anti-virus tools are called 'anti-malware', because these products are designed to defend against various types of malicious software.
Drive-by Download
These attacks exploit vulnerabilities in your browser or it's plugins and helper applications when you simply surf to an attacker-controlled website. Some computer attackers set up their own evil websites that are designed to automatically attack and exploit anyone that visits the website. Other attackers compromise trusted websites such as ecommerce sites and deploy their exploit software there. Often these attacks occur without the victims realizing that they are under attack.
Exploit
Code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system or to provide unauthorized access to affected data or application.
Firewall
A security program that filters inbound and outbound network connections. In some ways you can think of firewalls as a virtual traffic cop, determining which traffic can go through the firewall. Almost all computers today come with firewall software installed. In addition, firewalls can be implemented as network devices to filter traffic that traverses through them.
Malware
Stands for 'malicious software'. It is any type of code or program cyber attackers use to perform malicious actions. For example, malware could be used to capture all your keystrokes or use your computer to harm others. Such malicious actions often occur without the user of the system realizing that it has been infected. Malware is a generic term and includes any type of virus, worm, Trojan or other types of malicious code.
Patch
A patch is an update to a vulnerable program or system. A common practice to keep your computer and mobile devices secure is installing the latest vendor's patches in a timely fashion. Some vendors release patches on a monthly or quarterly basis. Therefore, having a computer that is unpatched for even a few weeks could leave it vulnerable.
Phishing
Phishing is a social engineering technique where cyber attackers attempt to fool you into taking an action in response to an email. Phishing was a term originally used to describe a specific attack scenario. Attackers would send out emails pretending to be a trusted bank or financial institution, their goal was to fool victims into clicking on a link in the email. Once clicked, victims were taken to a website that pretended to be the bank, but was really created and controlled by the attacker. If the victim attempted to login thinking they were at their bank, their login and password would then be stolen by the attacker. The term has evolved and often means not just attacks designed to steal your password, but emails designed to send you to websites that hack into your browser, or even emails with infected attachments.
Social Engineering
A psychological attack used by cyber attackers to deceive their victims into taking an action that will place the victim at risk. For example, cyber attackers may trick you into revealing your password or fool you into installing malicious software on your computer. They often do this by pretending to be someone you know or trust, such as a bank, company or even a friend.
Spam
Unwanted or unsolicited emails, typically sent to numerous recipients with the hope of enticing people to read the embedded advertisements, click on a link or open an attachment. Spam is often used to convince recipients to purchase illegal or questionable products and services, such as pharmaceuticals from fake companies. Spam is also often used to distribute malware to potential victims.
Spear Phishing
Spear phishing describes a type of phishing attacks that target to specific victims. But instead of sending out an email to millions of email addresses, cyber attackers send out a very small number of crafted emails to very specific individuals, usually all at the same organization. Because of the targeted nature of this attack, spear phishing attacks are often harder to detect and usually more effective at fooling the victims.
Virus, Worm, Trojan, Spyware
Different types of malware that are based on their capabilities and means of propagation. These technical distinctions between different types of malware are becoming less relevant, because modern malware often combines characteristics from each of them in a single attack.
  • Virus: A type of malware that spreads by infecting other files, rather than existing in a standalone manner. Viruses often, though not always, usually spread through human interaction, such as opening an infected file or application.)
  • Worm: A type of malware that can propagate automatically, typically without requiring any human interaction for it to spread. Worms often spread across networks, though can also infect systems through other means, such as USB keys. An example of a worm is Conficker, which infected millions of computer systems starting in 2008 and is still active today.
  • Trojan: A shortened form of "Trojan Horse", this type of malware appears to have a legitimate or at least benign use, but masks a hidden sinister function. For example, you may download and install a free screensaver which actually works well as a screensaver. But that software could also be malicious, it will infect your computer once you install it.
  • Spyware: A type of malware that is designed to spy on the victim's activities, capturing sensitive data such as the person's passwords, online shopping, and screen contents. One popular type of spyware, a keylogger, is optimized for logging the victim's keyboard activity and transmitting the captured information to the remote attacker.
Vulnerability
This is a weakness that attackers or their malicious programs may be able to exploit. For example it can be a bug in a computer program or a misconfigured webserver. An attacker or malware may be able to take advantage of the vulnerability to gain unauthorized access to the affected system. However, vulnerabilities can also be a weakness in people or organizational processes.
If you would like to learn more about information security or stay current with the latest security issues, we recommend you subscribe to the free, monthly security awareness newsletter OUCH!, published in over ten different languages.
 
Advantages of the SANS Securing The Human Program Include:
  • Go beyond compliance and focus on changing behaviors.
  • Training mapped against the 20 Critical Controls framework.
  • Create your own program by choosing from over 30 different training modules.
  • Meets mandated compliance requirements.
  • Fully SCORM compliant, host on the SANS VLE or your own LMS.
  • All content is updated twice annually.
  • Offered in over 20 different languages.
Latest Blog Posts

Guest Post - Go Beyond ‘Check-the-Box’ Compliance

May 13, 2013 - 1:13 PM

Editor's Note:This guest blog post is from John Andrew at Honeywell. How do we persuade folks who are resistant to ‘Security Awareness’ efforts? Great question! I was fortunate to pick up a rare last minute opening - to go on a 3 day backpacking & camping trip at Cumberland Island National Forest on the coast of Georgia. The backcountry orientation by the National Forest Service was great.  One of the first things they brought to our attention was an old ‘Smokey  [...] More

A New OUCH!

May 09, 2013 - 2:21 PM

Earlier this week we released the latest edition of the OUCH! security awareness newsletter, "Passwords / Passphrases".  We explain in simple terms how you can create strong passwords using passhrases, and some simple steps to using the [...] More

Request Free Trial
Contact Us
(301) 654-SANS(7267)
Mon - Fri | 9am-8pm EST/EDT
info@securingthehuman.org