15 Cybersecurity Terms You (and Your CEO) Ought to Know by Now
For an enterprise to be more secure – and more satisfying in terms of its digital employee experience – security leaders need to ditch the jargon. It’s time to get everyone speaking the same language.
Nothing says “poor digital employee experience” louder than your employer getting hit with a successful cyberattack. Suddenly the company’s reputation is in tatters, its stock price is in the tank, and your personal information is for sale on the dark web.
Avoiding worst-case scenarios like this requires getting everyone on the same page from a security perspective. And that starts with talking about security concepts in ways your non-cyber colleagues can understand. At some point early in the birth of information technology, we became addicted to jargon. The industry is thick with it, and it’s easy to forget that even some of the most basic terms cyber pros take for granted are gibberish to colleagues in other departments and – most importantly – on the board.
Translating cyber-speak into everyday English is the key to getting your point across, not to mention getting your budgets approved. And it is a significant driver of employee engagement.
Starting with the right terminology is also a good way to launch a bigger conversation about the most serious threats to the business, and what it’s going to take to minimize or mitigate them, says Malcolm Harkins, chief security and trust officer at AI security firm HiddenLayer.
Here’s a quick layperson’s guide to 15 key cybersecurity concepts, from APT to ZTA. Use it as a translation guide, or share it with other business leaders before your next budget approval meeting.
1. APT
An acronym for advanced persistent threat or, more specifically, an attacker that lurks on your network for extended periods, quietly siphoning off information. Imagine a stranger hiding out in your attic for months, secretly eavesdropping on your conversations and tapping your Wi-Fi. That’s an APT. Infamous threat groups known for this include Russia-based APT28 (aka Fancy Bear) and Iran-based APT34, among many others.
What to remember: Instead of APTs, think of them as “entrenched intruders” or “digital spies.”
2. Black hats
Hackers who breach systems and steal data for their own evil purposes or on behalf of clients. They’re the opposite of white hats, who penetrate systems to identify vulnerabilities so they can be patched before the bad guys strike (also sometimes called “ethical hackers”). Gray hats exist between the two, sometimes working for good and sometimes not. There are also red hats (vigilantes who launch counterattacks against black hats), blue hats (hackers seeking revenge against a specific target), and green hats (newbies who aspire to one of the other colors).
What to remember: Before you let anyone onto your network, make sure you know what hat they’re wearing.
3. CIA
No, not the spy agency. This acronym stands for confidentiality, integrity, and availability, better known as the cybersecurity triad. Ensuring CIA is job number one for security professionals, but they can’t do it without having the right processes, policies, and people in place, notes Sue Bergamo, a longtime chief information officer and chief information security officer (CIO/CISO) and executive adviser.
What to remember: If you think technology alone can achieve CIA, you’ve probably already been breached.
4. Deepfakes
AI-generated images, audio, or video designed to fool you into thinking you’re dealing with a real person – like the audio deepfake that conned an employee of a Hong Kong financial services firm into transferring $25 million to a phone scammer, thinking it was his CFO. A deepfake can be part of a social engineering attack (see below) to gain employees’ trust and persuade them to reveal sensitive information.
What to remember: If it looks too good/weird/shocking to be true, it’s probably AI.
5. IOCs
“Indicators of compromise” is geek-speak for signs that your device or network has been hacked, such as unusual account activity, changes to system files, or requests for increased access privileges. Finding an IOC is like coming home and finding the front window smashed and your TV missing. It won’t get you your stuff back, but it can give you enough information to limit future break-ins and warn others.
What to remember: That IOC says it’s time to install bars on the windows and get a dog.
6. LOLBins
OK, we’ve got to break this down. LOL is actually short for LOTL, or “living off the land,” which refers to a type of cyberattack in which hackers co-opt tools and systems already installed on a network. Bins = binaries. While non-tech civilians may be familiar with “binary code” – all the 1s and 0s that make up the fundamental language computers use – they are likely less aware that the word also refers to the executable files and libraries made of this code.
So living-off-the-land binaries are legitimate code libraries built into your operating environment that adversaries can use against you. For example, an attacker could use Windows’ PowerShell scripting language to extract a system administrator’s login credentials. These are also known as “fileless” attacks because they don’t install malware, thus bypassing most antivirus software tools. Security software that looks for unusual system activity in addition to malware signatures can help identify LOLBins.
What to remember: Having an APT that’s LOL on your network is no laughing matter.
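To make the “signs” in the IOC entry and the “unusual system activity” in the LOLBins entry concrete, here is an added Python example (not from the article or any firm it quotes) that scans constructed audit-log lines for four of them: a login following a burst of failures or outside business hours, a change to a system file, a request to join an admin group, and a built-in binary such as PowerShell being launched by an office document application. The log format, field names, protected paths, group names and binary lists are all assumptions.

```python
# Constructed sample audit log (not from the article). Assumed format: "HH:MM:SS EVENT key=value ...".
SAMPLE_LOG = """\
08:01:02 LOGIN user=alice src=10.0.0.12 result=ok
02:13:44 LOGIN user=bob src=198.51.100.7 result=fail
02:13:49 LOGIN user=bob src=198.51.100.7 result=fail
02:13:55 LOGIN user=bob src=198.51.100.7 result=fail
02:14:10 LOGIN user=bob src=198.51.100.7 result=ok
02:15:30 FILE_CHANGE path=C:\\Windows\\System32\\drivers\\etc\\hosts user=bob
02:16:02 PRIV_REQUEST user=bob target_group=Administrators
02:16:05 PROCESS parent=WINWORD.EXE child=powershell.exe user=bob
"""
# Assumed policy lists; a real deployment would take these from its own baseline.
PROTECTED_PREFIXES = ("C:\\Windows\\System32\\",)        # locations of system files
ADMIN_GROUPS = {"Administrators", "Domain Admins"}        # high-privilege groups
DOCUMENT_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
LOLBINS = {"powershell.exe", "cmd.exe", "certutil.exe"}  # legitimate built-in binaries
BUSINESS_HOURS = range(7, 19)                             # 07:00-18:59

def parse(line):
    """Split one log line into (time, event, {key: value})."""
    time, event, *rest = line.split()
    return time, event, dict(kv.split("=", 1) for kv in rest)

def find_iocs(log_text, fail_threshold=3):
    """Return a list of human-readable IOC findings, one per suspicious event."""
    findings, failures = [], {}   # failures: user -> consecutive failed logins
    for line in log_text.splitlines():
        time, event, f = parse(line)
        if event == "LOGIN":
            user = f["user"]
            if f["result"] == "fail":
                failures[user] = failures.get(user, 0) + 1
                continue
            if failures.get(user, 0) >= fail_threshold:   # success right after a burst of failures
                findings.append(f"{time}: {user} logged in after {failures[user]} failures (unusual account activity)")
            failures[user] = 0
            if int(time[:2]) not in BUSINESS_HOURS:
                findings.append(f"{time}: {user} logged in outside business hours (unusual account activity)")
        elif event == "FILE_CHANGE" and f["path"].startswith(PROTECTED_PREFIXES):
            findings.append(f"{time}: {f['user']} modified system file {f['path']} (system-file change)")
        elif event == "PRIV_REQUEST" and f["target_group"] in ADMIN_GROUPS:
            findings.append(f"{time}: {f['user']} asked to join {f['target_group']} (privilege request)")
        elif event == "PROCESS" and f["parent"] in DOCUMENT_APPS and f["child"].lower() in LOLBINS:
            findings.append(f"{time}: {f['parent']} launched {f['child']} (living-off-the-land binary)")
    return findings

if __name__ == "__main__":
    for finding in find_iocs(SAMPLE_LOG):
        print(finding)
```

Note that the last rule never inspects the binary itself: it is signed, legitimate Windows code, so only the context it runs in (who launched it, and when) gives it away.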
7. Material breach
Any data leak or attack that requires a public company to disclose it in its SEC filings, per the agency’s new rules that went into effect in December. If the breach causes a major revenue loss, reputational damage, or a drop in the company’s stock price, it can be considered “material.” But what that means in practical terms is up to you (and your company’s chief counsel).
What to remember: If a data breach is keeping you up at night, it’s probably material.
8. MFA
Multifactor authentication is that annoying but necessary extra step needed for a user to log in to a network or a device, usually involving a code sent via text or a mobile app, that adds an extra layer of protection to their (probably weak and easily hacked) password. And, no, for the umpteenth time, “12345,” “password,” and the name of your fave World Cup player are not good passwords (though those three remain remarkably popular).
What to remember: MFA is still less annoying than hackers stealing your logins and locking you out of your accounts.
9. Patching
Regularly updating software to fix newly discovered vulnerabilities, usually as a temporary solution until a more secure version of the software can be released. This is not without its own risks; patching one application may break another app that relies on it, or it can introduce new vulnerabilities, notes Harkins.
What to remember: When apps go too long between full product releases, they can end up resembling a patchwork quilt.
10. Privilege escalation
When malicious actors gain entry into a network and use stolen credentials or exploit vulnerabilities to climb the chain of command, ultimately obtaining administrative privileges. It’s like someone breaking into the janitor’s closet and stealing the keys to all the other rooms in the building; they’re not going to stop until they reach the top floor. Limiting the number of people with admin powers and closely monitoring those accounts is a good first step toward limiting escalation.
What to remember: Membership may have its privileges, but hopefully not all of them.
11. Red team/blue team
The red team actively attacks your network to identify points of vulnerability; think of them as white hat hackers with stock options and 401(k)s. The blue team plays defense, trying to prevent successful attacks or mitigate incidents as they occur. There are also purple teams that combine elements of both. A robust security posture should include regular red/blue (or purple) exercises.
What to remember: When done correctly, security is always a team sport.
12. Social engineering
Fooling individuals into clicking a malicious link in a phishing email, responding to a scam SMS text (smishing), or giving out sensitive information on the phone (vishing). Social engineering accounts for 70 to 90% of successful attacks, notes Roger Grimes, data-driven defense evangelist for security training firm KnowBe4, and is most effective when the scammer pretends to be someone you trust.
What to remember: That call coming from inside the CEO’s office might not actually be from the CEO.
13. Supply chain attack
When an adversary breaches your defenses by successfully compromising one of your trusted suppliers. This is usually done by infecting their applications with malware or installing malicious microchips on their circuit boards, thus opening a backdoor to your network. Assessing third-party risk by carefully screening potential vendors – automated assessment tools can help with that – is a fundamental step in any supplier relationship.
What to remember: Keep your friends close, your enemies closer, and your third-party suppliers in the back pocket of your skinniest jeans.
14. Zero-day vulnerability
A weakness in a software or hardware system that the bad guys know about but you don’t – which means that its victims have zero days to prepare for it. Existing anti-malware protections are unlikely to detect a zero-day attack until after it’s been launched, if at all. Fortunately, most zero-day attacks take advantage of outdated software and rely on social engineering to find their way in, so regular patching and security training can limit your exposure.
What to remember: Any day is a bad day for a zero day.
15. ZTA
Zero trust architecture, or simply zero trust, requires every user and every device to be verified not just at login but also before accessing any network asset. And it starts with the assumption that users and devices are not to be trusted until proven otherwise. This can prevent problems like privilege escalation (you can read that for-internal-use-only document, but your summer intern can’t) and limit damage from successful social engineering attacks.
“Zero trust is more than an architecture or a technology – it’s a culture,” says Harkins. “And it really needs to proliferate across everything, not just your IT environment. Executives need to understand the full complexity of what zero trust entails before they decide to implement it.”
What to remember: With zero trust, even your mother needs to show some ID. And that’s a good thing.