Understand these cyber-security terms and concepts to better protect your business

30 Aug 2023, by Slade Baylis

It’s an unfortunate reality (and almost a rule within the digital world!) that the threat of cyber-crime will continue to grow year after year.  The reason for this is fairly easy to understand when you consider the incentives involved.  With more and more business being done online - as well as more sensitive information being stored digitally - the monetary value of compromising these systems increases year on year for the cyber-criminals willing to take the risk of being caught.

Another factor that helps explain the increase is the unfortunate but understandable willingness of Australian businesses to “fund” cyber-crime.  Whilst not their direct intention, for years many Australian organisations have effectively funded the proliferation of further cyber-attacks by paying millions in ransoms to hackers who have stolen or encrypted their data.  As reported by ABC [1]: "It’s an open secret within the tight-lipped world of cybersecurity. For years, Australian organisations have been quietly paying millions in ransoms to hackers who have stolen or encrypted their data."  This of course only encourages criminal organisations to conduct further attacks, and so a vicious cycle is created and perpetuated.

With this ever-growing risk in mind, we thought it important to explain the terms used in the cyber-security space, so that you can remain informed and secure, and avoid being the one who gets hit.  This includes the terminology used for the different ways that organisations can and will be targeted; the types of attack they’re targeted with; as well as the technologies and techniques that can be used to combat these attacks.

What are “Attack Vectors”? The many different ways organisations can be targeted 

The ways that an organisation can be compromised are numerous.  In cyber-security, each of these avenues of attack is called an “attack vector”.  Put simply, an attack vector is any method - or combination of methods - that can be used to break into or infiltrate a victim’s systems.

With that defined, let’s start off by describing the common terms for attack vectors that businesses, large and small, can both find themselves vulnerable to.

Bugs and Vulnerabilities

When building anything complex, it’s almost a guarantee that there will be at least some errors and flaws in the final product – and the same is true of computer software.  Especially as systems grow in complexity over time, with code being written and rewritten and functionality being modified and added, it’s almost a guarantee that software will have flaws and errors and exhibit unintended behaviour.

All these flaws, errors, and mistakes within a piece of software are referred to as “bugs”.  However, for problems that aren’t benign - meaning problems that make the software more vulnerable to compromise - the term “vulnerability” is used to more accurately describe the type and severity of the bug.

Vulnerabilities can be considered a sub-category of bugs - as they specifically refer to weaknesses in software that have the potential to be exploited by malicious actors, making the software susceptible to unauthorised access, data breaches, or other types of cyber-attacks.

Zero-days

The term “zero-day” actually just refers to the amount of time that has passed since the vendor became aware of a vulnerability or exploit. It’s a term that is often used interchangeably to refer to both “zero-day vulnerabilities” and “zero-day exploits” - though these are actually two different but related terms.  A zero-day vulnerability is an unpatched security vulnerability that was previously unknown to the software vendor, whereas a zero-day exploit is a cyber-attack that leverages and exploits one of these vulnerabilities for nefarious ends.

Unlike other types of vulnerability, where proper maintenance and patching would protect you, a zero-day is one the vendor is not yet aware of, so no update yet exists to secure your systems against it being used as an attack vector.  Zero-days are particularly dangerous as malicious actors can potentially take advantage of them for large swaths of time before the vendor becomes aware of them, or at least before they have a chance to patch them.

Phishing

“Phishing” is a type of attack that targets people through attempting to trick them into providing malicious third-parties with personal information or providing them with access to systems they shouldn’t have access to.  This can include online banking details, credit card details, or login details to common online services. 

One of the most common forms of phishing attack is “email phishing”, wherein the malicious actor sends out an email that looks like it came from a legitimate source – such as PayPal, a bank, or a government department – which contains a link to a fake website that attempts to trick visitors into entering their confidential information.

However, there are many more forms of phishing, so for more information as well as a brief history on the origins of phishing, check out our recent Deep Dive – What is phishing, where did it come from, and how can you avoid it? article. 

Social Engineering

“Social engineering” is a particularly nefarious form of attack, wherein a malicious actor attempts to gain a person’s trust through deceitful means, and then exploits that trust to gain access to data or systems.  This often takes the form of pretending to be someone they are not, such as a colleague within an organisation, or someone close to the target.

However, social engineering is not limited exclusively to impersonation – in fact, any attack that targets a person and attempts to deceive and manipulate them into divulging information, performing certain actions, or even making certain decisions can be classified as social engineering.  In this way, phishing can be seen to actually be a sub-category of social engineering.

In our recent How AI voice cloning has opened the door to a horrific new type of phishing scam article, we covered how new developments with AI have enabled cyber-criminals to even clone the voices of your loved ones in order to deceive you.

Identity Theft

Due to impersonation often being used in social engineering attacks, it is also closely related to another form of attack referred to as “identity theft” – which is a form of cyber-crime wherein an individual’s personal and sensitive information is stolen and then used by someone else without their permission.  This information can be used for operating fraudulent bank accounts, applying for loans or credit cards, or even gaining access to medical services or prescription drugs.

What is the “Malicious Payload”? The part of an attack which causes harm

With the attack vector describing the methods that malicious actors can use to gain access to systems, we now need to cover the next step - the part wherein actual harm is caused to the victim.  In a cyber-attack, the component that causes the harm is referred to as the “malicious payload”, which can include malware, viruses, ransomware, and much more.

Malware

The word “malware” is just a shortening of the term “malicious software” - so it’s easy to know what it describes.  Any form of software that is designed to cause harm falls into this “malware” category. 

Viruses

A “virus” is a sub-set of malware, specifically describing software that is designed to infect computers without their owners’ knowledge, and which then looks to spread to other computers.

Ransomware 

“Ransomware” can also be viewed as a sub-set of viruses, as it is malicious software that infects one’s computer, looks to spread to any other connected devices, and then encrypts and steals information and demands a ransom from the victim to undo the encryption.

Given the large risk it poses to organisations and the unfortunately ever-increasing rate of attack, we’ve covered ransomware quite a bit over the years.  For those after more information on ransomware attacks, check out our Ransomware: How much would an attack damage your business? article.

Exfiltration

“Exfiltration” in the context of cyber-security refers to the unauthorised and often covert transfer of sensitive information from one system to an external location controlled by the attacker.  Whilst this type of data-theft can occur due to malware that’s been installed, it can also be manually performed by attackers that have gained access through other means, such as through phishing or other forms of social engineering. 

Some big examples of this form of cyber-attack include the recent data breaches of Optus, Medibank, and Harcourts, which we discussed in our previous Optus, Medibank, and now Harcourts – If they can be breached, what can you do to prevent it? article.  Each of these companies was compromised in a different way – Optus via an insecure internal system that was believed to be isolated at the network level; Medibank via the stolen login details of one of their staff; and Harcourts allegedly via a hacked device at one of their upstream SaaS providers.  However, once access was gained, the type of attack was the same – malicious actors “exfiltrated” sensitive data for their own purposes or demanded a ransom.

Due to the severity of this type of breach - with not just the company’s own data at risk, but often the data of their clients as well – there are obligations on companies to disclose cyber-security incidents to the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of them.  This allows the ACSC both to assist the company in dealing with the breach and to take actions that are in the best interest of the affected clients – as with the Optus breach, where state and local governments made it easier for those affected to replace identity documents (e.g. driver’s licences) that may have been compromised.

Distributed Denial of Service (DDoS) attack

A “Distributed Denial of Service (DDoS)” attack is a type of attack wherein cyber-criminals attempt to negatively affect the functionality of an online service, or even take it offline, by flooding that service with traffic.  There are many different types of DDoS attacks - with the first type that comes to mind being “Volumetric DDoS” attacks – which attempt to affect services through sheer volume alone.

However, two other more crafted attacks include: “Protocol DDoS” attacks – which target weaknesses in internet protocols; and “Application-based DDoS” attacks (also known as “Layer 7 DDoS” attacks) – which look to exploit vulnerabilities within applications themselves to disrupt normal function.

In much the same way as ransomware, malicious actors often use DDoS attacks (or the threats of such) as a way to threaten businesses into paying them exorbitant amounts of money – however, in some cases they are purely carried out just to do damage to a business or organisation and not for financial gain.

Fighting back – Different ways of combatting the threat of cyber-attack

It’s not all doom and gloom on the cyber-security front though - as there are myriad ways to improve your security posture and reduce the risk of being compromised.

Threat Assessment

The first step towards knowing how to improve the security within your organisation is to know where you are currently vulnerable – that’s where “threat assessments” come in.  In cyber-security terms a threat assessment refers to the systematic evaluation and analysis of potential threats that could affect your systems, data, assets, operations, and overall security posture.

These assessments are focussed on cyber-security, and should be viewed as a vital component of any organisation’s risk management strategy.  They help organisations make informed decisions about their technology investments, prioritise their security measures, as well as develop incident response plans should they ever unfortunately get targeted.

Firewalls and WAFs

A “firewall” is a network security device or service that acts as a barrier between a trusted network and untrusted external networks, such as the internet. It can be either a physical appliance or a virtualised, software-based one.  The primary purpose of a firewall is to monitor and control both incoming and outgoing traffic, acting as a gatekeeper, allowing or denying traffic based on predetermined security rules.

Although the terminology is similar, a “Web Application Firewall (WAF)” is different in that it doesn’t look at traffic at a network level, but rather it specifically analyses traffic at the application layer.  A WAF looks to analyse the content of the network traffic, looking for behaviour which seems malicious within the context of the type of application that traffic is being sent to.

We’ve covered this difference before, so for those interested, check out our previous WAFs vs Network Firewalls – Protection for applications and networks article.
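To make the difference between the two concrete, here is an added example (not code from Micron21 or from the original article) that models both in a few lines of Python. The network firewall only ever sees source address, destination port and protocol, so a request to the web server on port 443 from the internet is allowed by the rules no matter what it contains; the WAF looks inside the HTTP request and flags content that is suspicious for a login form or a download endpoint. The rule set, the request samples and the three detection patterns are all constructed for illustration, not a real product’s rules.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs


# ---- Network firewall: decisions based only on addresses, ports, protocol ----

@dataclass
class Packet:
    src_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"


@dataclass
class FirewallRule:
    action: str           # "allow" or "deny"
    src_cidr: str         # source range the rule applies to
    dst_port: Optional[int] = None   # None means any port
    proto: Optional[str] = None      # None means any protocol


# Constructed rule set: public web traffic allowed, SSH only from the internal LAN.
RULES = [
    FirewallRule("allow", "0.0.0.0/0", 443, "tcp"),
    FirewallRule("allow", "10.0.0.0/8", 22, "tcp"),
]


def network_firewall(packet: Packet, rules: List[FirewallRule]) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    src = ipaddress.ip_address(packet.src_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src_cidr):
            continue
        if rule.dst_port is not None and rule.dst_port != packet.dst_port:
            continue
        if rule.proto is not None and rule.proto != packet.proto:
            continue
        return rule.action
    return "deny"


# ---- Web application firewall: decisions based on the HTTP content itself ----

@dataclass
class HttpRequest:
    method: str
    path: str
    body: str = ""        # form-encoded body, e.g. "username=alice&password=..."


# Constructed detection patterns, each labelled with what it looks for.
SUSPICIOUS: List[Tuple[str, re.Pattern]] = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("script injection", re.compile(r"<\s*script", re.I)),
]


def waf_inspect(req: HttpRequest) -> List[str]:
    """Return a list of findings; an empty list means the request looks clean."""
    findings: List[str] = []
    # Inspect the path plus every submitted form field value.
    candidates = [("path", req.path)]
    for name, values in parse_qs(req.body).items():
        for value in values:
            candidates.append((f"field '{name}'", value))
    for where, text in candidates:
        for label, pattern in SUSPICIOUS:
            if pattern.search(text):
                findings.append(f"{label} in {where}")
    return findings


if __name__ == "__main__":
    # Constructed sample: an internet client posting to the login form on port 443.
    pkt = Packet("203.0.113.5", 443, "tcp")
    req = HttpRequest("POST", "/login", "username=admin&password=' OR '1'='1")
    print("network firewall:", network_firewall(pkt, RULES))   # allow
    print("WAF findings:", waf_inspect(req))                    # flags the password field
```

The firewall answer and the WAF answer are independent: the packet is legitimately allowed at the network layer, and only the application-layer inspection notices that the password field contains a pattern no genuine password needs.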

Penetration Testing and Vulnerability Scanning

One of the best – but often expensive – ways to learn if your systems and networks are vulnerable is to perform a “penetration test” of your infrastructure.  In these tests, authorised experts help identify security vulnerabilities and weaknesses in your systems by performing simulated cyber-attacks themselves, looking to use all the most current forms of attack that are used “out in the wild”.

This form of security testing is often expensive, as the expertise and tools required to perform it are not cheap.  Though, at the end of the test, organisations receive full reports on how they stack up, as well as advice about how they can improve their posture for next time.

In a similar way, “vulnerability scanning” is a service that can be used to help identify weaknesses in your infrastructure and system configuration, through utilising advanced security software to perform the testing instead.  Vulnerability scanning services are usually largely automated using sophisticated cyber-security tools and aren’t as bespoke or hand-crafted as penetration tests – meaning they are more affordable.

Antivirus and Endpoint Detection and Response (EDR)

“Antivirus applications” are something that most people are somewhat familiar with – being applications that you install to increase your security through scanning files on your computer to look for anything that appears suspicious.  Over the years they have also become more complex and useful, often coming with services such as web filters to prevent malicious files from being downloaded, or real-time scanning which scans files as you attempt to open them to make sure they’re not malicious.

However, with the growing sophistication of attacks, many different cyber-attacks have evolved to the point where traditional antivirus solutions are no longer adequate to protect individuals or organisations.

As a response to this we have a new form of security service, called “EDR (Endpoint Detection and Response)” solutions. These solutions look to protect “endpoints” (another term for a physical or virtual device connected to a computer network) through analysing the behaviour of the software running on them, rather than the software’s code itself.

We’ve also covered the growing need for EDR solutions previously, so for more information, check out our With 80% of malware evading antivirus applications, signature-based protection isn’t enough anymore article.
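The following is an added example (not code from Micron21 or from the original article) that contrasts the two approaches in Python: a signature scan that matches a file against a blocklist of known-bad hashes, and a behaviour-based check in the EDR style that watches what a process does to files rather than what its code looks like. The blocklisted sample, the process names and the event stream are all constructed for this illustration; the behaviour rule (one process rewriting and renaming many distinct files within a short window, the pattern ransomware leaves behind) is a simplified version of the kind of rule an EDR product would apply.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


# ---- Signature-based detection: what a traditional antivirus does ----

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known bad" file; its hash stands in for a vendor's signature database.
KNOWN_BAD_SAMPLE = b"constructed-malicious-sample-v1"
SIGNATURE_BLOCKLIST = {sha256_hex(KNOWN_BAD_SAMPLE)}


def signature_scan(file_bytes: bytes) -> bool:
    """True if the file exactly matches a known-bad signature."""
    return sha256_hex(file_bytes) in SIGNATURE_BLOCKLIST


# ---- Behaviour-based detection: the EDR approach ----

# One endpoint event: (time in seconds, pid, process name, action, file path)
Event = Tuple[float, int, str, str, str]


def edr_detect_mass_encryption(events: List[Event],
                               window_s: float = 10.0,
                               threshold: int = 20) -> List[int]:
    """Return pids that wrote or renamed at least `threshold` distinct files
    within any `window_s`-second period, regardless of which binary they are."""
    touches: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    for t, pid, _proc, action, path in events:
        if action in ("write", "rename"):
            touches[pid].append((t, path))

    flagged: List[int] = []
    for pid, items in touches.items():
        items.sort()
        # Slide a window starting at each touch and count distinct paths inside it.
        for i, (t0, _) in enumerate(items):
            distinct = {p for t, p in items[i:] if t - t0 <= window_s}
            if len(distinct) >= threshold:
                flagged.append(pid)
                break
    return flagged


def build_sample_events() -> List[Event]:
    """Constructed event stream: one benign editor and one ransomware-like process."""
    events: List[Event] = []
    # Benign: a word processor saving the same document a couple of times.
    events.append((0.0, 101, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx"))
    events.append((45.0, 101, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx"))
    # Suspicious: a process (hypothetical name) rewriting and renaming 30 files in ~6 seconds.
    for i in range(30):
        t = 100.0 + i * 0.2
        src = rf"C:\Users\alice\Documents\file{i}.xlsx"
        events.append((t, 202, "update.exe", "write", src))
        events.append((t + 0.05, 202, "update.exe", "rename", src + ".locked"))
    return events


if __name__ == "__main__":
    print("signature hit on original sample:", signature_scan(KNOWN_BAD_SAMPLE))
    # A copy that differs by a single byte no longer matches the hash-based signature.
    print("signature hit on altered sample:", signature_scan(KNOWN_BAD_SAMPLE + b"\x00"))
    print("pids flagged by behaviour rule:", edr_detect_mass_encryption(build_sample_events()))
```

The signature check answers only "have I seen exactly this file before?", which is why a trivially altered copy slips past it. The behaviour rule never looks at the file at all; it flags pid 202 because no ordinary program rewrites and renames dozens of a user's documents in a few seconds, and it would do so for a binary nobody has ever hashed.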

Have any questions about the cyber-security terms we’ve covered?

We’ve covered a lot of terminology in this article, but if you have any questions about anything we’ve mentioned, reach out to us! You can call us on 1300 769 972 (Option #1) or email us at sales@micron21.com

We can help remove any mystery or complexity from these different concepts and terms, as well as provide guidance about how to improve your security posture specifically!

Sources

[1] ABC News, “Australian organisations are quietly paying hackers millions in a 'tsunami of cyber crime’”, <https://www.abc.net.au/news/science/2021-07-16/australian-organisations-paying-millions-ransomware-hackers/100291542>
