Cyber Security NSW glossary
Glossary
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A

access control
The process of granting or denying requests for access to systems, applications and information. It can also refer to granting or denying requests for access to facilities.

access cross domain solution
A system permitting access to multiple security domains from a single client device.

account harvesting
The illegal practice of collecting email addresses from information in the public domain, or by using software to search for email addresses stored locally on a computer. Harvested addresses are commonly used for spamming.

active defence
The principle of proactively implementing a spectrum of security measures to strengthen a network or system and make it more robust against attack. Active defence is distinct from offensive cyber operations, passive defence and network hardening. Some references to active defence focus on the employment of limited offensive action and counterattacks, commonly referred to as 'hacking back'. Active defence is not synonymous with 'hacking back', so the terms should not be used interchangeably.

advanced persistent threat (APT)
A highly sophisticated threat actor that gains unauthorised, persistent access to a network. APTs are typically nation-state or state-sponsored groups with political or economic motivations to steal data, destroy infrastructure or otherwise disrupt operations.

adversary-in-the-middle (AiTM)
A technique in which an adversary positions themselves between two or more networked devices to support follow-on behaviours such as network sniffing or transmitted data manipulation. By abusing features of common networking protocols that determine the flow of traffic (for example, ARP cache poisoning or DHCP spoofing), the adversary forces a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.

Amazon Web Services S3
Amazon's cloud object storage service. Data is stored as objects inside named buckets, which are analogous to top-level folders. Buckets misconfigured to allow public or anonymous access are a recurring cause of data exposure.

Application Programming Interface (API)
A defined set of calls, endpoints and data formats through which one software program uses the functionality of another.

arbitrary code execution (ACE)
An attacker's ability to execute any command or code of their choosing on a target machine or in a target process.

attack surface
The set of points (exposed services, interfaces, accounts, code and physical access paths) across a system or network where an unauthorised party could attempt to enter, extract data from or affect the system. Removing unused ICT equipment, software and services reduces the attack surface and so reduces the opportunities for attack.

attribution
The process of assessing the source, perpetrator or sponsor of malicious activity. Statements of attribution often use estimative language and indicate the level of confidence in the assessment.

authentication
Verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system.

authentication header (AH)
A protocol used in Internet Protocol Security (IPsec) that provides data integrity and data origin authentication for IP packets, but not confidentiality. The Encapsulating Security Payload (ESP) protocol is used when encryption is also required.

availability
The assurance that systems and information are accessible and usable by authorised entities when required.
B

backdoor
A covert method of bypassing the normal authentication or encryption of a device or software. Through a backdoor, unauthorised users can escalate privileges, steal information or install additional malware.

big-game hunting
A ransomware approach in which threat actors select and study specific high-value targets and usually employ sophisticated methods to deploy ransomware in their victims' networks. Such groups may spend several months lurking in a victim's network, and stealing data, before deploying ransomware.

blockchain
A distributed database that maintains a continuously growing list of records, called blocks, secured against tampering and revision. Each block contains a timestamp and a cryptographic link (hash) to the previous block, so altering a recorded block would require recomputing every later block and obtaining the agreement of the network's participants. By design, blockchains are therefore highly resistant to retrospective modification of recorded data.

blocklist
A list of entities that are not considered trustworthy and are blocked or denied access.

BlueBorne
A set of Bluetooth vulnerabilities, disclosed in 2017, through which attackers within radio range can exploit Bluetooth connections to take complete control of targeted devices without pairing with them. BlueBorne affected ordinary computers, mobile phones, smart devices and wearable gadgets running unpatched Bluetooth stacks.

botnet
A collection of infected computers remotely controlled by an actor to conduct malicious activities without the owners' knowledge.

browser hijacking
Occurs when browser settings are changed without the user's knowledge or consent. The browser may persistently redirect to malicious or other unwanted websites.

brute force
An unsophisticated and exhaustive method of determining a cryptographic key or password by systematically trying all possible combinations until the correct one is discovered. Its cost grows exponentially with key or password length, which is why long keys and long, unique passwords defeat it.

business email compromise (BEC)
Attacks that use email (and also instant message, SMS and social media) to scam organisations out of money or goods. Threat actors may use compromised email accounts of business representatives, or lookalike names, domains and fraudulent logos, to impersonate a legitimate organisation or executive, for example to redirect a payment or change supplier bank details.

bug bounty program
A program that pays rewards to security researchers who find and responsibly report flaws in an organisation's software or systems.
C

China Chopper
A web shell commonly used by malicious Chinese advanced persistent threat actors to remotely control compromised web servers.

clear net
The public internet, accessible through conventional web browsers.

command and control (C2) infrastructure
A set of tools and techniques that attackers use to maintain communication with compromised devices following initial exploitation. Generally, it consists of covert communication channels between devices in a victim organisation and a platform that the attacker controls.

confidentiality
The assurance that information is disclosed only to authorised entities.

connection forwarding
The use of network address translation to allow a port on a node inside a network to be accessed from outside the network. Alternatively, using a Secure Shell server to forward a Transmission Control Protocol (TCP) connection to an arbitrary port on the local host.

credential harvesting
A process that tricks users into entering their credentials into a fraudulent website in order to steal their login information. After entering the credentials, the user is often redirected to a legitimate webpage.

credential stuffing
The automated injection of stolen username and password pairs (credentials), usually obtained from a data breach of another service, into a website login form to fraudulently gain access to user accounts. It succeeds because many people reuse the same password across services.

critical infrastructure
Physical facilities, supply chains, information technologies and communication networks that, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect the nation's ability to conduct defence and ensure security.

cross domain solution
A system capable of implementing comprehensive data flow security policies with a high level of trust between two or more differing security domains.

crypter/crypting
A software service or tool designed to conceal the presence of other forms of malware, including botnets, keyloggers, remote access Trojans and credential stealers, and render them undetectable by antivirus software.

cryptographic hash
An algorithm (the hash function) that takes as input a string of any length (the message) and generates a fixed-length string (the message digest or fingerprint) as output. The algorithm is designed so that it is computationally infeasible to find any input that maps to a given digest (preimage resistance), to find a second input with the same digest as a given input (second-preimage resistance), or to find any two different messages that map to the same digest (collision resistance).

cryptographic protocol
An agreed standard for secure communication between two or more entities to provide confidentiality, integrity, authentication and non-repudiation of information.

cryptographic software
Software designed to perform cryptographic functions.

cryptographic system
A related set of hardware or software used for cryptographic communication, processing or storage, and the administrative framework in which it operates.

cryptography
The practice and study of techniques for securing communications whereby plaintext data is converted through a cipher into ciphertext, from which the original data cannot be recovered without the cryptographic key.

cryptomining/cryptojacking
Cryptomining is the use of computing power to solve the mathematical problems that verify cryptocurrency transactions; the operators of the mining hardware (miners) are rewarded with a small amount of cryptocurrency. Cryptojacking is the unauthorised use of a victim's computers, servers or browsers to mine cryptocurrency for a threat actor's benefit, typically delivered through malware or malicious web scripts.

cyber attack
A deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity.

cyber-enabled foreign interference
Cyber operations such as denial of service, phishing and disinformation used to covertly disrupt and shape decision-making to the advantage of a foreign power.

cyber espionage
Malicious activity designed to covertly collect information from a target's computer systems for intelligence purposes without causing damage to those systems. It can be conducted by nation-states or unaffiliated entities, and can also include theft for commercial advantage.

cyber warfare
The use of computer technology to disrupt the activities of a nation-state or organisation, especially the deliberate disruption, manipulation or destruction of information systems for strategic, political or military purposes.

cybercrime
Crimes directed at computers, such as illegally modifying electronic data or seeking a ransom to unlock a computer affected by malicious software. It also includes crimes where computers facilitate an existing offence.

cybercrime-as-a-service (CaaS)
A business model in which malware developers, hackers and other threat actors sell or lease their hacking tools to buyers, usually on the dark web. This is an umbrella term that includes ransomware-as-a-service (RaaS).
D

Exploitation of the DNS traffic redirection process. A threat actor may use a CNAME record that is no longer linked to a provisioned resource (because the resource was deleted or updated) to redirect traffic to a resource or instance the threat actor hosts. See also subdomain hijacking.

dark web
Websites not indexed by search engines and only accessible through special networks such as The Onion Router (Tor). The dark web is often used by website operators who want to remain anonymous. The dark web is a subset of the deep web.

data breach
When data is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference. Categories of information impact are listed under Information Impact Categories at the end of this glossary.

data extortion
An attack in which threat actors steal data from systems and demand a ransom payment to prevent it being published on dark web leak sites. A double extortion attack pairs this technique with a ransomware attack.

data spill
The accidental or deliberate exposure of information into an uncontrolled or unauthorised environment, or to people without a need to know that information.

decryptor
A tool designed to decrypt files encrypted by a specific ransomware strain.

deep web
The part of the internet that is not indexed by search engines. It includes websites that are password-protected or paywalled, as well as encrypted networks and databases.

denial of service (DoS)
An attack intended to prevent legitimate access to online services, for example by consuming all of the available bandwidth or processing capacity of the server hosting the service.

dictionary attack
An attack in which attackers use 'password dictionaries' (long lists of the most commonly used passwords and character combinations) to guess a password and break into a system.

distributed denial of service (DDoS)
A DoS attack in which the source comprises multiple, distributed devices used to flood the bandwidth or resources of a targeted system or network.

Domain Name System (DNS) over HTTPS (DoH)
A method of encrypting DNS queries by sending them inside HTTPS connections. It prevents on-path observers from reading or tampering with a user's DNS lookups, for example to redirect visitors to phishing, malware or surveillance sites. Because DoH bypasses the resolver configured by the operating system, it can also bypass enterprise DNS-based filtering and logging unless clients are directed to an approved resolver.

Domain-based Message Authentication, Reporting and Conformance (DMARC)
An email authentication protocol that lets a domain owner publish, in a DNS TXT record, how receiving mail servers should treat messages claiming to come from that domain that fail SPF or DKIM checks aligned with the From header (policy p=none, quarantine or reject), and where to send aggregate and failure reports. It helps protect email senders and recipients from spam, spoofing and phishing.
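The DMARC check described above, as an added example that is not from the Cyber Security NSW glossary. It parses a constructed DMARC record and applies its alignment tags (aspf, adkim) and policy (p) to constructed SPF/DKIM results. The organisational-domain rule is simplified to the last two labels (an assumption; real implementations use the Public Suffix List), and the domains used are reserved example names.

```python
# Added example (not from the glossary): parse a DMARC record and apply its
# alignment and policy tags to SPF/DKIM results. Record, domains and
# authentication results are constructed.

from typing import Dict, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; ...' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record requires a p= policy")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Simplified assumption: the last two labels.
    Real implementations consult the Public Suffix List (e.g. for .com.au)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_pass: bool, spf_domain: str,
                   dkim_pass: bool, dkim_domain: str) -> Tuple[str, str]:
    """Return (result, disposition). DMARC passes only if SPF or DKIM passed
    AND the domain that check authenticated is aligned with the From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed record for the From domain example.com.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Spoofed message: the attacker's server passes SPF for its own domain only.
    print(evaluate_dmarc(RECORD, "example.com", True, "attacker.example", False, ""))
    # Legitimate message: SPF passes for a subdomain; relaxed alignment accepts it.
    print(evaluate_dmarc(RECORD, "example.com", True, "mail.example.com", False, ""))
```

The spoofed message fails because the only passing check authenticated the attacker's own domain, which is not aligned with example.com, so the receiver applies p=reject. Note that with adkim=s a DKIM signature from mail.example.com would not count: strict alignment requires the exact domain.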
double encryption
A tactic in which malicious actors encrypt victims' data with two or more ransomware strains. A double encryption attack commonly takes one of two forms: layered encryption, which encrypts a victim's data with one ransomware strain and then re-encrypts the result with a different strain; or side-by-side encryption, which uses one ransomware strain to encrypt some systems and another to encrypt others.

double extortion
An attack in which threat actors steal data from systems before encrypting them, and demand ransom payments both to decrypt the systems and to prevent the victim's data being published on dark web leak sites.

doxing
Obtaining and publishing private or personal information about an individual over the internet. Information can be obtained through a range of methods including network compromise, social engineering, data breaches or research.

drive-by download (drive-by download attack)
The unintended download of malware to a computer or mobile device from the internet, usually through a compromised or malicious web page that exploits a vulnerability in the browser or one of its plug-ins. The user does not have to click on anything, or download or open a malicious attachment, to have their device infected.

F

A system that is not solely owned and managed by the Australian Government.

forensic analysis
The practice of gathering, retaining and analysing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

fuzzing
A method of discovering errors or potential security vulnerabilities in software by feeding it large volumes of malformed, unexpected or random input and monitoring for crashes and other faulty behaviour. Also called 'fuzz testing'.
H

hacker
A computer expert who can gain unauthorised access to computer systems. 'Hacker' is an agnostic term: a hacker does not necessarily have malicious intent.

hacktivist
A hacker whose motivation is political, religious or ideological, as opposed to criminal.

hardware vulnerabilities
An exploitable weakness in the hardware of a computer system that enables attacks through remote or physical access.

hash value
A fixed-length value produced by applying a hash function to data. It serves as a compact fingerprint: a good cryptographic hash makes it computationally infeasible to find two different inputs with the same value, so in practice the value identifies the data, although it is not strictly unique.

hash-based message authentication code (HMAC) algorithms
A cryptographic construction for computing message authentication codes using a cryptographic hash function and a secret key. Because the key is required to compute a valid code, an HMAC provides both integrity and authenticity, whereas a plain hash provides integrity only.
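An added example, not from the glossary, illustrating the cryptographic hash, hash value and HMAC entries together: a fixed-length digest of arbitrary input, the avalanche effect of a one-character change, and why a keyed HMAC (verified in constant time) detects tampering where a bare hash does not. The key and messages are constructed.

```python
# Added example (not from the glossary): properties of a cryptographic hash
# and how an HMAC adds authenticity. Key and messages are constructed.

import hashlib
import hmac

SECRET_KEY = b"demo-shared-secret"   # assumed key shared by sender and verifier
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit, 64 hex chars) digest for input of any length."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests; a one-character change in the
    input flips roughly half of the 256 bits (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: cannot be recomputed without the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute and compare in constant time, so response timing does not
    leak how many leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(make_tag(key, message), tag)


def hash_only_check(message: bytes, digest: str) -> bool:
    """Integrity check with a bare hash: anyone who can alter the message
    can also recompute the digest, so this detects corruption, not tampering."""
    return sha256_hex(message) == digest


if __name__ == "__main__":
    tag = make_tag(SECRET_KEY, MESSAGE)
    print("sha256(message):", sha256_hex(MESSAGE))
    print("bits changed by a one-digit edit:",
          differing_bits(sha256_hex(MESSAGE), sha256_hex(TAMPERED)))
    print("HMAC verifies original:", verify_tag(SECRET_KEY, MESSAGE, tag))
    print("HMAC verifies tampered:", verify_tag(SECRET_KEY, TAMPERED, tag))
    # An attacker without the key can 'repair' a bare hash but not the HMAC tag.
    print("bare hash fooled:", hash_only_check(TAMPERED, sha256_hex(TAMPERED)))
```

The last line is the practical point: shipping a SHA-256 beside a download or message only guards against accidental corruption; guarding against a hostile modifier needs a key the modifier does not have (an HMAC) or a digital signature.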
honeypot
A decoy server configured to appear as if it is running various software, used as a lure to monitor threat actors' tactics.

host-based intrusion detection system
Software, resident on a system, which monitors system activities for malicious or unwanted behaviour.

host-based intrusion prevention system
Software, resident on a system, which monitors system activities for malicious or unwanted behaviour and can react in real time to block or prevent those activities.

I

Emails that attempt to impersonate a trusted individual or company in order to gain access to corporate finances or data.

impersonation scam
A scam in which an individual tries to convince you to make a payment or provide personal or financial details by claiming to be from a trusted organisation.

in the wild
Malware operating on the internet that infects and affects users' computers, as opposed to malware seen only in internal test environments or malware collections.

indicators of compromise (IOCs)
Forensic data or information, such as file hashes, IP addresses, domain names, system log entries or files, that indicates potentially malicious activity.

industrial control system (ICS)
A term encompassing devices, systems and networks used to operate or automate industrial processes.

insider threat
An attack where the threat actor is an employee or other insider acting against the interests of their employer or other entity.

integrity
The assurance that information has been created, amended or deleted only by authorised individuals.

Internet of Things (IoT)
The network of physical objects embedded with sensors, software and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
K

keylogging
The process whereby a program or hardware device records the keys a user types on a device's keyboard without their knowledge or permission. Some keyloggers can also capture screenshots and record audio from a device. Also known as a 'keylogger'.

L

lateral movement
Movement by a threat actor from one system to others within a network following an initial breach, typically to reach higher-value systems and data.

Lightweight Directory Access Protocol (LDAP)
An open, vendor-neutral protocol for querying and modifying directory services (such as Active Directory) over a network. It is commonly used by applications to authenticate users and look up user and group information.

living off the land (LOTL)
A technique in which threat actors use native or legitimate tools already present on the victim's system (for example, PowerShell, WMI or scheduled tasks) to conduct malicious activity instead of deploying custom malware. Because no new malicious binary is written to disk, LOTL activity is often described as 'fileless' and is harder to detect with signature-based antivirus; detection relies on monitoring how legitimate tools are used.

M

mailbox rules
Filters or other processes established on a mailbox to filter content or apply other customised actions to correspondence, such as forwarding or deletion. Threat actors who compromise a mailbox commonly add rules to forward or hide messages.

malicious advertising (malvertising)
The use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages.

malicious code
Any software that attempts to subvert the confidentiality, integrity or availability of a system.

malicious code infection
The occurrence of malicious code infecting a system.

malicious insider
An individual who takes advantage of their access to inflict harm on an organisation.

malicious links
A link (URL) created to promote scams, attacks or fraud. Clicking on a malicious URL may download malware such as a Trojan or virus that can take control of your device, or lead you to a fake website that persuades you to provide sensitive information.

malware
Short for 'malicious software': software used to gain unauthorised access to computers, steal information and/or disrupt or disable networks. Types of malware include Trojans, viruses and worms.

malware-as-a-service (MaaS)
A service provided by malicious actors that supplies clients with malware and other cyber tools, such as exploit kits, to enable them to carry out an attack. Providers usually receive a commission for any successful attacks undertaken by the client.

misinformation
False information that is spread through ignorance, error or mistake, without the intent to deceive.

MITRE ATT&CK framework (ATT&CK)
A globally accessible knowledge base and common language of adversary tactics and techniques, developed by the not-for-profit MITRE Corporation, based on real-world observations of threat actors' operations.

misconfiguration
The incorrect or suboptimal configuration of an information system or system component.

multi-factor authentication (MFA)
A method of access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism, typically using at least two of the following categories: knowledge (something they know), possession (something they have) or inherence (something they are).
O

operational technology (OT)
The use of hardware and software to monitor and control physical processes, devices and infrastructure, for example in critical infrastructure.

P

password spraying
A variant of brute force attack that attempts to access many accounts (usernames) with a few commonly used passwords, staying below each account's lockout threshold.
pastebin
A type of online content-hosting service where users can store and share plain text, including blocks of source code. Paste sites are also used by threat actors to publish stolen data.

payload
The component of malware that performs the malicious activity.

penetration test (pen test)
A method of evaluating the security of a system by seeking to identify and exploit vulnerabilities to gain access to systems and data.

personal information (PI)
Information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.

phishing
A fraudulent attempt to obtain a victim's personal or sensitive information, usually conducted through email or instant messaging. Messages may ask users to open a malicious attachment or visit a fake website that prompts them to provide information or download malicious content.

privilege escalation
An increase in the level of access to computer system resources, often achieved by exploiting a vulnerability in the system.

proof-of-concept (PoC) code
Code developed to demonstrate a possible vulnerability in software or operating systems, often used to simulate potential attacks.

Python
An interpreted, high-level, general-purpose programming language. Python is used for web development, AI, machine learning, operating systems, mobile application development and video games.
R

Unexpected prize and lottery scams work by asking you to pay some sort of fee in order to claim your prize or winnings from a competition or lottery you never entered.

ransomware
Malware that encrypts or locks a victim's data or systems and demands payment in return for restored access or a decryption key. Victims may be unable to access any information on the affected systems, which can halt usual business operations.

ransomware-as-a-service (RaaS)
A business model used by ransomware developers in which they lease ransomware variants to affiliates, in the same way that legitimate software developers lease software-as-a-service products.

remote administration tool (RAT)
Software allowing remote access to a device. It can be used legitimately to provide technical support or access to a system.

remote access Trojan (RAT)
A malicious tool that gives a threat actor remote access to, and administrative privileges on, an infected device.

remote code execution (RCE)
A vulnerability or attack in which a threat actor can run code of their choosing on an affected device over a network, with the privileges of the vulnerable application or service (which may be system-level).

rootkit
A tool or set of tools used by an attacker to compromise a system, gain the highest level of privilege and then hide their activity.
S

sandbox
A virtual space in which new, untrusted or untested software or code can be run safely without risking harm to the hosting computer.

SECRET area
An area that has been authorised to process, store or communicate SECRET information. Such areas are not necessarily tied to a specific level of security zone.

Secure Shell (SSH)
A network protocol that can be used to securely log into, execute commands on, and transfer files between remote workstations and servers.

Secure Sockets Layer (SSL)
A networking protocol designed for securing connections between web clients and web servers over an insecure network such as the internet. All versions of SSL are deprecated and have been superseded by Transport Layer Security (TLS); the term 'SSL' is still commonly used to refer to TLS certificates and connections.

Secure/Multipurpose Internet Mail Extensions (S/MIME)
A protocol that allows the encryption and signing of email messages.

secured space
An area certified to the physical security requirements for a Zone 2 to Zone 5 area, as defined in the Australian Government Protective Security Policy Framework, to allow for the processing or storage of sensitive or classified information.

security posture
The level of security risk to which a system is exposed. A system with a strong security posture is exposed to a low level of security risk, while a system with a weak security posture is exposed to a high level of security risk.

skimming
The theft of credit card information using card readers, or skimmers, to record and store victims' data.

shadow IT
IT devices, software and services outside the knowledge, ownership or control of an organisation's IT or security group.

ShadowPad
A modular backdoor first identified in 2017, when it was found hidden inside legitimately signed software updates in one of the largest known supply-chain attacks. It has since been used by several threat actors to gain covert access to organisations around the world.

single sign-on (SSO) capability
A session and user authentication service that permits a user to use one set of login credentials to access multiple applications.

SMS phishing (smishing)
The fraudulent practice of sending text messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers.

social engineering
The methods used to manipulate people into carrying out specific actions or divulging information.

software vulnerability
A security flaw, glitch or weakness in software code that could be exploited by a threat actor as part of a cyber attack.

SonarQube
A static analysis and code review tool, available in an open-source edition, that detects bugs and security vulnerabilities in source code.

spamouflage
Attempts to disguise spam as legitimate messages.

spoofing
The forgery of an email or domain to mislead a recipient about the origin of a message or website.

spyware
A type of malicious software designed to enter a computer or mobile device to gather data and information about a person or organisation and forward it to a third party.

Structured Query Language (SQL)
A special-purpose programming language designed for managing data held in a relational database management system.

Structured Query Language (SQL) injection
An attack in which a threat actor supplies SQL code through an application input (such as a web form field, URL parameter or login field) that the application concatenates into a database query, causing the database to execute the attacker's code. It can be used to bypass authentication, read or alter sensitive data or, in some configurations, run commands on the server. Using parameterised queries (prepared statements) prevents it.
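The SQL injection entry above, as an added example that is not from the glossary: a login function that pastes user input into its query, beside the parameterised version, both run against an in-memory SQLite database. The users table, password and the `' OR 1=1 --` payload are constructed for the demonstration; plain SHA-256 is used for the stored password only to keep the example short.

```python
# Added example (not from the glossary): an injectable login query beside its
# parameterised fix, run against an in-memory SQLite database. Table contents
# and credentials are constructed.

import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # Plain SHA-256 keeps the example short; production systems store
    # passwords with a slow, salted hash such as argon2 or bcrypt.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input is pasted into the SQL text, so a quote in the username
    ends the string literal and the rest of the input rewrites the WHERE clause."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password_hash = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the username is just data and can never change the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR 1=1 --"   # turns the clause into: username = '' OR 1=1 --...
    print("vulnerable, injected username, wrong password:", login_vulnerable(conn, payload, "anything"))
    print("safe, same payload:", login_safe(conn, payload, "anything"))
    print("safe, real credentials:", login_safe(conn, "admin", "correct horse"))
```

With the payload the vulnerable query becomes `... WHERE username = '' OR 1=1 --' AND password_hash = '...'`: the `--` comments out the password check and `OR 1=1` matches every row, so the attacker is logged in as the first user returned. The parameterised version looks for a user literally named `' OR 1=1 --` and finds none.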
state-sponsored actor
An actor or group that conducts activity on behalf of a nation-state, for example a contracted hacker or company.

subdomain hijacking
A threat actor taking control of a subdomain of a target domain. This typically happens when the subdomain has a canonical name (CNAME) record in DNS pointing to a third-party host, but no resource is provisioned there. Because the virtual host has either not yet been published or has been removed, an attacker can claim that name on the third-party service and serve their own content under the target's subdomain.
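An added example, not from the glossary, of the audit that finds the precondition for subdomain hijacking (and for the dangling DNS entry at the start of the D section): CNAME records whose targets no longer resolve. The zone, the resolver answers and the list of claimable hosting suffixes are all constructed so the check runs offline; a real audit would query DNS (for example with dnspython) instead of reading a dictionary.

```python
# Added example (not from the glossary): find dangling CNAMEs in a zone and
# flag those that point into services where an attacker could register the
# target name. Zone, resolver answers and suffix list are constructed.

from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone: name -> (record type, target or value)
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":    ("A",     "192.0.2.10"),
    "shop.example.com":   ("CNAME", "shop-prod.storefront.example"),
    "blog.example.com":   ("CNAME", "old-blog.hosting.example"),
    "status.example.com": ("CNAME", "acme-status.statuspage.example"),
    "legacy.example.com": ("CNAME", "legacy-site.pages.example"),
}

# Constructed answer table standing in for live DNS; None means NXDOMAIN.
RESOLVER: Dict[str, Optional[str]] = {
    "shop-prod.storefront.example": "198.51.100.20",
    "old-blog.hosting.example": None,          # host deleted: dangling
    "acme-status.statuspage.example": "198.51.100.30",
    "legacy-site.pages.example": None,         # site removed: dangling and claimable
}

# Assumed list of third-party services where any customer can register a
# name under the suffix; a dangling CNAME into one of these is hijackable.
CLAIMABLE_SUFFIXES = (".pages.example", ".s3.example")


def resolve(name: str) -> Optional[str]:
    """Stand-in resolver; replace with real DNS lookups in an actual audit."""
    return RESOLVER.get(name)


def find_dangling(zone: Dict[str, Tuple[str, str]],
                  resolver: Callable[[str], Optional[str]] = resolve,
                  claimable: Tuple[str, ...] = CLAIMABLE_SUFFIXES) -> List[dict]:
    """Return each CNAME whose target does not resolve, with a risk label."""
    findings = []
    for name, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        if resolver(target) is not None:
            continue                           # target alive: nothing to claim
        findings.append({
            "subdomain": name,
            "target": target,
            "risk": "hijackable" if target.endswith(claimable) else "dangling",
            "fix": "remove the CNAME or re-provision the target before it is claimed",
        })
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE):
        print(f"{f['subdomain']} -> {f['target']}: {f['risk']} ({f['fix']})")
```

Run this against every zone on a schedule and treat decommissioning a cloud resource as incomplete until its DNS records are gone; the window between deleting the resource and cleaning up DNS is exactly what an attacker registers into.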
subdomain redirection
Diverting traffic from its intended destination to another.

Supervisory Control and Data Acquisition (SCADA)
An industrial control system architecture comprising computers, networked data communications and graphical user interfaces for the supervision of machines and processes.

supply chain attack
Attacks where threat actors target upstream services, such as IT software providers, for the purpose of compromising client systems or otherwise disrupting client operations.

surveillanceware
A type of malicious software designed to monitor and collect data from victims, often without their knowledge or consent. Surveillanceware can come in many forms, including spyware, keyloggers and tracking cookies.
T

tactics, techniques and procedures (TTPs)
The behaviour of an actor. A tactic is the highest-level description of this behaviour (the adversary's goal), techniques give a more detailed description of how that goal is achieved in the context of a tactic, and procedures are an even lower-level, highly detailed description of a specific implementation of a technique.

threat actor
A malicious entity or individual that is partially or wholly responsible for an incident that impacts, or has the potential to impact, an organisation's security.

Tor
A worldwide, volunteer-run network of relays that routes traffic through several encrypted hops so that its origin and destination are difficult to link. The Tor browser is an internet browser that allows users to surf the web anonymously and access the dark web.

Trojan
A type of malware that is often disguised as legitimate software and can damage, disrupt or steal information on an infected device or network.

typosquatting
A technique leveraging common typos or spelling mistakes in URLs, domains or file names to increase the likelihood that an individual will engage with malicious content.

U

A type of cyber attack where a threat actor creates or injects new pages onto an existing website, which redirect users to other sites or use the website to undertake attacks on other sites.

V

VERIS (Vocabulary for Event Recording and Incident Sharing)
A framework that contains a set of metrics designed to provide a common language for describing security incidents in a structured and standard manner.
virtual private network (VPN)
A service that creates an encrypted tunnel from a device across a public internet connection to a VPN server, so that the device's traffic is hidden from the local network and appears to originate from the server's IP address and location.

voice phishing (vishing)
A phishing attack that involves the use of voice calls, using either conventional phone systems or voice over internet protocol (VoIP) systems.

vulnerability
A weakness in system security requirements, design, implementation or operation that could be exploited.

vulnerability assessment
A documentation-based review of a system's design, an in-depth hands-on assessment, or automated scanning with software tools. In each case, the goal is to identify as many security vulnerabilities as possible.

vulnerability management
The process of identifying, prioritising and responding to security vulnerabilities.

W

watering hole
Compromising a website (or setting up a fake one) that a targeted group is known to visit, in order to infect and exploit visiting users.

web shell
A malicious script used by an attacker to escalate and maintain persistent access to an already compromised web application.

website defacement
Illegitimate changes to the visual appearance of a website, in which an attacker deletes or modifies the site's content and replaces it with their own messages or content.

Y

YARA
A way of identifying malware (or other files) by writing rules that look for certain characteristics, such as strings and byte patterns. The rules are then used in tools that detect malware.

Z

zero-day
A vulnerability that is not yet known to, or not yet patched by, the software vendor, or an exploit for such a vulnerability. Because no patch exists, defenders must rely on mitigations and detection until one is released.
Information Impact Categories (data breach)

None: No information was exfiltrated, changed, deleted or otherwise compromised.
Privacy Breach: Sensitive personally identifiable information (PII) was accessed or exfiltrated.
Sensitive Breach: Sensitive proprietary information was accessed or exfiltrated.
Integrity Loss: Sensitive or proprietary information was changed or deleted.