As if new technology isn’t confusing enough, there’s a whole new language out there that’s used to define the ways that malicious hackers are working to undermine you and your data security.
Do you know your DDoS from your zero-days? Here’s a glossary of some of the terminology used by the good guys and the bad guys, which will come in handy when determining how to keep your business’s systems secure.
Android: An operating system built on open-source code and backed by Google for smartphones and tablet computers that feature touchscreen abilities and applications. While the format is popular for developers, the OS is also a source of concern for data security and IT professionals. Why? Unlike rival Apple’s software, Android’s apps are largely made available without being checked for malware (see below)—and can open loopholes, backdoor entries, and other vulnerabilities to cyber criminals on the devices it is running on. For small businesses using an Android-powered tablet computer or smartphone, that can be a highly risky proposition.
Botnet: A vast connection of computers linked together to process a piece of software to perform a task, many times unbeknownst to a device’s owner. In recent years, these “robot networks” have hijacked millions of computers, harnessing the collective computing ability to launch attacks or shut down a site (see DDoS below). A device can be infected from a mere click on a malicious link (see phishing), a visit to a rogue site that injects a string of dangerous code, or lack of updated antivirus protections. The next frontier for this type of “zombie army”: mobile phones.
Breach: An unauthorized entry behind a computer security perimeter, where data can be accessed, copied, stolen, destroyed, or worse. (Here’s the 2013 Verizon Data Breach Investigations Report to elaborate.)
Brute-force attack: It’s nothing physical. This type of assault usually occurs when a criminal hacker can’t find access to an account or network by the usual nefarious means, so they resort to trying all combinations of letters and numbers until the correct lineup permits entry via the ill-gotten user name and password. (Remember that password-guessing scene in WarGames?) The brute-force attack has made business headlines lately, with the disturbing coordinated effort to breach WordPress-powered websites.
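The defender’s side of a brute-force attack is spotting the pattern and shutting the door. The following is an added example (not code from the original article): it scans a few constructed authentication log lines, counts failed logins per source address and account inside a sliding window, raises an alert when the count reaches a threshold, and then rejects every attempt from that pair for a lockout period, including a guess that happens to be correct. The log format, the threshold and the lockout length are all assumptions made up for the demo.

```python
"""Added example: detect a brute-force login pattern in sample auth log lines
and apply a temporary lockout.  Log format and thresholds are invented."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); addresses are documentation ranges.
SAMPLE_LOG = """\
2013-05-01T10:00:01 FAIL user=admin ip=203.0.113.5
2013-05-01T10:00:02 FAIL user=admin ip=203.0.113.5
2013-05-01T10:00:03 FAIL user=admin ip=203.0.113.5
2013-05-01T10:00:04 FAIL user=admin ip=203.0.113.5
2013-05-01T10:00:05 FAIL user=admin ip=203.0.113.5
2013-05-01T10:00:06 OK   user=admin ip=203.0.113.5
2013-05-01T10:00:10 FAIL user=alice ip=198.51.100.7
2013-05-01T10:05:00 OK   user=alice ip=198.51.100.7
"""

FAIL_THRESHOLD = 5              # failures tolerated inside the window (assumed)
WINDOW = timedelta(minutes=1)   # sliding window length (assumed)
LOCKOUT = timedelta(minutes=15) # how long the (ip, user) pair is rejected (assumed)


def parse_line(line):
    """Split one '<timestamp> <result> user=<name> ip=<addr>' line into fields."""
    ts, result, user_kv, ip_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1])


def analyze(log_text):
    """Return (alerts, blocked).

    alerts:  (ip, user, timestamp) tuples where the failure threshold was hit
    blocked: attempts rejected because the pair was still locked out
    """
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    locked_until = {}               # (ip, user) -> end of lockout
    alerts, blocked = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, ip = parse_line(raw)
        key = (ip, user)
        # During a lockout every attempt is rejected, even a correct guess.
        if key in locked_until and ts < locked_until[key]:
            blocked.append((ip, user, ts))
            continue
        if result == "OK":
            failures[key].clear()   # a normal success resets the counter
            continue
        window = failures[key]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()        # drop failures older than the window
        if len(window) >= FAIL_THRESHOLD:
            alerts.append((ip, user, ts))
            locked_until[key] = ts + LOCKOUT
            window.clear()
    return alerts, blocked


if __name__ == "__main__":
    found, rejected = analyze(SAMPLE_LOG)
    for ip, user, ts in found:
        print(f"ALERT {ts}: {FAIL_THRESHOLD} failures for {user} from {ip}")
    for ip, user, ts in rejected:
        print(f"BLOCKED {ts}: attempt for {user} from {ip} during lockout")
```

In the sample, the sixth attempt against `admin` succeeds on the password but is still rejected because the lockout is already in force, which is exactly the behaviour that makes guessing expensive. Keying on the address alone is not enough for the coordinated WordPress campaign mentioned above, where attempts arrive from many machines; real deployments also count failures per account and per password hash, and cap lockouts so an attacker cannot lock legitimate users out on purpose.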
Distributed denial of service (DDoS): The simple denial-of-service (DoS) attack is an attempt by one computer to shut down access to a website by overwhelming the target’s servers with a manufactured surge of traffic that renders it unavailable to users. The distributed denial of service variety (DDoS) is the same concept on a grand scale, with the resources of thousands of computers sometimes harnessed via botnets (see above). A team fighting off a DDoS attack needs to address all sources of the flood of data, which can be a time-consuming and difficult process. The hacktivist group Anonymous is notorious for using DDoS to shut down businesses and government agencies. (Here are some DDoS attacks that made headlines.)
Exploit: An attack on a vulnerability in a computer security system, derived from the act of exploiting a weakness to gain unauthorized access.
Malware: This term is short for “malicious software.” It comes in countless forms—spyware, viruses, worms, hidden bits of computer code that establish unseen backdoor access. Generally, it’s a program that gets installed on a machine to perform activities unwanted by the owner, usually to benefit another party. A Microsoft and IDC study put businesses’ cost of dealing with malware just from pirated software at $114 billion this year.
Out-of-band authentication: An IT security system that requires passwords from two separate networks. For example, logging in to a financial account requires a password that is established through an institution or on a secure website. However, a diligent hacker could learn that secret code by keylogging, which is a type of hidden malware that records every letter or number you type and reports it back to its bad-guy owner. With OOBA, as it is known, gaining entry to a secure system would require a password from an unrelated device operating on another channel, which would be out of the reach of a distant hacker—a text-message code to a cellphone, for instance. Even if a fraudulent user gained all primary security credentials to a user's account, a transaction wouldn’t be able to be completed without access to the OOBA’s second authentication network.
Phishing: Think about going to a lake with your rod and reel and landing a big one—that’s how malicious hackers are using this tactic. Phishing is the act of trying to trick email or chat users to divulge personal information (like a Social Security number or bank account PIN) via websites or emails that look legit, but are actually a front for thieves looking to cash in on the information, which they use themselves or sell on the black market. Data security firm RSA estimates worldwide losses of more than $2 billion this year through phishing scams, at a rate of more than 37,000 attacks a month. One other type of swindle to watch: typo squatting. Bad news if you’re a lousy speller. Phishers sometimes purchase a URL—the Web address—that’s one mistyped letter away from a popular site, where they wait for their prey. (Here’s Naked Security’s findings.)
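Typo squatting relies on a domain that is a single keystroke away from a real one, which is something a mail filter or link checker can measure. The following is an added example (not from the original article): it computes the optimal string alignment edit distance (one insertion, deletion, substitution or swap of adjacent letters counts as one step) between a link’s host name and a list of trusted domains, and flags any host within one step that is not an exact match. The trusted list uses the reserved `example.com` and `example.net` names, and the lookalike hosts are constructed for the demo.

```python
"""Added example: flag link hosts that sit one typo away from a trusted domain."""
from urllib.parse import urlsplit

# Assumed allow-list; a real one would hold the business's own domains and its banks'.
TRUSTED = {"example.com", "example.net"}


def osa_distance(a, b):
    """Restricted Damerau-Levenshtein (optimal string alignment) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'exampel' -> 'example' is 1 step rather than 2.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def imitated_domain(host, trusted=TRUSTED, max_distance=1):
    """Return the trusted domain this host imitates, or None if it is trusted
    itself or not close to anything on the list."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return None
    for good in trusted:
        if osa_distance(host, good) <= max_distance:
            return good
    return None


def flag_links(urls, trusted=TRUSTED):
    """Return (url, imitated_domain) for every link whose host is a lookalike."""
    flagged = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        hit = imitated_domain(host, trusted)
        if hit:
            flagged.append((url, hit))
    return flagged


# Constructed links as they might appear in a suspicious email.
SAMPLE_LINKS = [
    "https://example.com/login",        # genuine
    "https://exampel.com/login",        # swapped letters
    "http://examp1e.com/verify",        # digit 1 for letter l
    "https://exmple.com/account",       # dropped letter
    "https://unrelated.org/newsletter", # far from everything, ignored
]

if __name__ == "__main__":
    for url, target in flag_links(SAMPLE_LINKS):
        print(f"LOOKALIKE {url} imitates {target}")
```

Distance-one matching catches the classic fat-finger registrations but not homoglyph tricks in international domain names (a Cyrillic letter standing in for a Latin one); handling those means normalizing the host to its confusable skeleton before comparing, which this demo leaves out.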
Ransomware: Ever have a frightening screen pop up with a demand for money to unfreeze your computer? Just like the stagecoach stickup artists of the Old West, today’s hostage-takers are brazen in their attempts to strong-arm money out of unwitting victims. One of the most frequent versions: the “FBI takeover” of a device, in which cyber villains mimic what appears to be a government notice and account seizure—which can be removed if you just send money. (Do not send money!) Here’s how to get rid of this one.
Spear-phishing: Take phishing (see above) and then focus it on a specific target—like one company or organization. This was the hacking tactic that made headlines this year when the New York Times, Wall Street Journal, and Washington Post all were breached. Employees reportedly clicked on a rogue link in an email from a seemingly known source. Instead, the click triggered hidden programs that opened a door to overseas hackers. One step further: whaling, which aims to fool a business’s upper management into biting on a phony link.
Two-factor authentication: If you are on Facebook or Twitter, you’re likely using “2FA” to access your account from any new or unknown device. In addition to a regular password, a security barrier requires a string of numbers shipped to an outside phone via text message. Why is it a good idea? Let Wired reporter Mat Honan’s 2012 tale of Gmail woe illustrate that for you.
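The out-of-band and two-factor entries above both come down to the same server-side mechanism: a short code is generated, delivered over a separate channel, and accepted only once, only for a few minutes, and only for a few guesses. The following is an added example (not code from the original article or from any of the services it names) of that verification logic. Delivering the text message is outside the demo; the five-minute lifetime and three-attempt limit are assumptions, and the clock is passed in so the behaviour can be exercised without waiting.

```python
"""Added example: server-side handling of a one-time second-factor code
delivered out of band.  Lifetime and attempt limit are assumed values."""
import hmac
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=5)   # code is worthless after this (assumed)
MAX_ATTEMPTS = 3                  # guesses allowed per issued code (assumed)


class SecondFactor:
    """Issues and verifies one-time codes; one pending code per user."""

    def __init__(self):
        self._pending = {}   # user -> {"code", "expires", "attempts"}

    def issue_code(self, user, now):
        """Create a fresh six-digit code for the user.  The return value is what
        the SMS gateway would send; it is never shown on the web session."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not random.randint
        self._pending[user] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
        return code

    def verify(self, user, submitted, now):
        """True only if the code matches, is unexpired, within the attempt
        budget, and has not been used before.  Any failure path that exhausts
        the code deletes it, forcing a new issue."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(entry["code"], submitted.strip()):
            del self._pending[user]   # single use: replaying the code fails
            return True
        return False

    def has_pending(self, user):
        return user in self._pending


def wrong_guess(code):
    """Helper for the demo: a code that differs from the real one in its first digit."""
    return str((int(code[0]) + 1) % 10) + code[1:]


if __name__ == "__main__":
    sf = SecondFactor()
    t0 = datetime(2013, 5, 1, 10, 0, 0)
    code = sf.issue_code("alice", t0)            # would be texted to her phone
    print("correct code accepted:", sf.verify("alice", code, t0))
    print("replay rejected:", sf.verify("alice", code, t0))
```

The text message itself is only as safe as the phone number it goes to, so the account's recovery settings (where that number can be changed) need the same protection as the login; that was the weak link in the Gmail story referenced above.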
VPN, or virtual private network: This is a group of computers linked together on a trusted network via the Internet. For businesses with employees who use their devices on the road, a VPN permits a connection to the home base’s internal network and all of its resources without exposing the link directly to the Internet, which increases security. Inside an office, it’s an extra layer of insulation for your IT network. Anyone who might intercept encrypted data won’t be able to read it.
White-hat hacker: This is the trained and certified security expert who tests the strength of companies’ websites and computer networks, often with the tricks used by malicious hackers. Also known as a certified ethical hacker, these pros employ assessments like a penetration test, which is the process of trying to find the hidden loopholes in computer protection systems. (See our interview with certified ethical hacker Charles Tendell here.)
Zero-day attack: An assault on a computer system through means that no one knows about, so named for the amount of time—zero days—that an IT security team has to respond before the flaw is being exploited by the bad guys. (Or even the good guys, depending on your perspective.)