Skip to main content
In light of recent global events, there is a heightened risk of cyber-attacks. We urge local organisations to exercise additional vigilance when monitoring IT infrastructure. Please report suspicious activity to us via our Cyber Concerns Reporting Tool.


Software that downloads or displays unwanted advertisements in the application being used. Adware can also collect data on which sites the user visits and sends this data back to the adware company to deliver targeted advertising to the user.

Allow list

An allow list, known in some places as a whitelist, is the opposite of a deny list. It is a list of trusted resources or destinations that a user or application can access. Allow listing is typically resource intensive, but is more secure than deny listing.

Anti-virus software

Designed to identify and remove computer viruses, other malware and spyware on a device or IT system. To be effective it should be kept up-to-date with the latest anti-virus signatures and definitions.

Arbitrary Code Execution - ACE

The ability of an attacker to execute any command they choose on a targeted device.

Attack surface

The aggregate of the different points where hackers could try to enter data or extract data from an environment. It applies to software, networks and humans, representing the sum of an organisation’s security risk exposure to hackers and internal users.


The act of confirming the truth of a single piece of data that a user claims is true. There are three primary categories of factors that can be used for user authentication: something the user knows (e.g. password, PIN or security question), something the user owns (e.g. ID card, mobile phone or hardware token) and something the user is (e.g. fingerprints).

Both user location and time of access are now also considered authentication factors.

Authentication can be split into categories depending on the number of factors used in the authentication process: single-factor, two-factor, and multi-factor (please see separate entries below for further details).


A backdoor is a method of bypassing normal authentication on a device. They are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.


The process of making a copy of data in an archive which can be used to reconstruct the original data in the event of a loss, corruption or disaster.


We're now using the term 'deny list' instead of 'blacklist'. The National Cyber Security Centre (NCSC) have written a blog that helps to explain this change.


An interconnected network of computers (bots) infected with malware without the user's knowledge and controlled by cybercriminals.

Typically used to send spam emails, transmit malware and engage in other acts of cybercrime that a single machine would not be able to undertake.

Brute-force attack

A brute-force attack consists of an attacker systematically checking all possible passwords/passphrases in the hope of eventually guessing correctly.

Buffer overflow

A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold.

Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.

This enables an attacker to access data stored in memory by pushing extra data into the stack, causing it to overflow.

Code injection

An attack that introduces malicious code into a software application and then executes the code when the application is opened. Examples include SQL injection, which can compromise or modify information in a database, and cross-site scripting (XSS) which can allow hackers to hijack user accounts or display fraudulent content.

Common Vulnerabilities and Exposures - CVE

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.

Common Vulnerability Scoring System - CVSS

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.

Cross-site request forgery

An attack that uses unauthorised commands from trusted users in order to perform malicious actions on a targeted website.

Cross Site Scripting - XSS

Malicious instructions (script) are injected into otherwise innocent and trusted web sites, allowing the attacker to modify the web page to suit the attacker's objectives. For example extracting data, bypassing other security controls or delivering malicious code for the browser to execute on the user’s computer.

Credential harvesting

Collecting legitimate users’ usernames and passwords to gain access to target systems, for malicious purposes.


A cryptocurrency (AKA crypto-currency) is a digital asset that is designed to act as an exchange medium. They use cryptography to verify and secure transactions, control the creation of new assets and protect the identity of asset holders. Popular cryptocurrencies include:

  • Bitcoin
  • Ethereum
  • Monero


Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

Modern cryptography is the central mechanism for achieving the following four security objectives:

  • confidentiality
  • integrity
  • non-repudiation
  • authentication


Deliberate exploitation of information systems to cause harm.


An event, whether intentional or not, that causes adverse consequences to an information system or its data.

Cyber security

Protecting people and their computers, networks, programs and data from unauthorised access, exploitation, or modification.

Dark web

A collection of thousands of websites which are not indexed by conventional search engines. They often use anonymity tools, like the Tor network, to hide their IP address and preserve the anonymity of the creators and visitors.

The anonymity (also known as the dark net) provided can be used for both good and bad causes, including protecting communications made by subjects of oppressive regimes or protecting the identity of criminals.  


The process of transforming encrypted data back into a state in which it is usable by the system.

Denial-of-service - DoS

An attack where an attempt is made to flood a network, server or website with so much data to make it unusable.

Technically, DoS refers to an attack involving a single source which can easily be blocked. However, DoS is often used to describe all denial-of-service attacks including DDoS and other attacks which affect availability.

Deny list

A deny list, known in some places as a blacklist, refers to a list of untrusted resources or destinations that a user or application may not access.

Distributed Denial-of-Service - DDoS

A coordinated attack in which a botnet of multiple connected machines (usually infected with malware or otherwise compromised to co-opt them into the attack) flood a network, server or website with so much data to make it unusable. As multiple sources are involved this attack is much harder to block.

DNS reflection

A Denial of Service (DoS) attack where an adversary sends a malicious Domain Name Service (DNS) request to a DNS server that fools the server into responding instead to the victim of the attack. The origin of the attack is concealed from the victim.

DNS server

A Domain Name Service (DNS) Server translates a domain name (which is easy for humans to remember such as into its corresponding IP address used by computers to route the traffic to the correct destination. Both public (open) and private DNS servers can be implemented.


A tool used to download and install another payload on a target system. Typically used as the first stage for an infection.


A download which a user is not aware of or has not consented to. Commonly used to refer to malware downloaded from compromised legitimate websites.


A method to scramble a message, file or other data and turn it into a secret code using an algorithm (complex mathematical formula). The code can only be read using a key or other piece of information (such as a password) which can decrypt the code.

Endpoint protection

Technologies, software and strategies for securing devices such as laptops, mobile phones, tablets, workstations and servers that connect to a network. The devices are known as endpoints.


Unauthorised transferal or copying of data from a system. It is also referred to as data theft or extraction.


A security system that monitors and controls traffic between an internal network (trusted to be secure) and an external network (not trusted). It is generally considered insufficient against modern cyber threats.

General Data Protection Regulation - GDPR

The General Data Protection Regulation (GDPR) 2016/679 is a European Union regulation covering data protection and individual privacy rights. It was introduced in April 2018 and enforced on 25th May 2018.


A hacker is a computer and networking attacker who systematically attempts to penetrate a computer system or network using tools and attack methodologies to find and exploit security vulnerabilities.

Security professionals called penetration testers use the same tools and techniques as hackers to identify vulnerabilities so they can be remediated before they are exploited by hackers.


Despite the absence of ‘cyber’ in their title, these hacker activists deserve a mention in our glossary. Hacktivists are computer hackers that have aligned themselves with a specific protest organisation or group of activists. Their activities can be similar to those of cyber terrorists or cyber-saboteurs.


The product of passing an arbitrary amount of data through a cryptographic hashing function. Hashes typically have a fixed length and are unique to the original data. Common hashing functions include:

  • MD5 - 128-bit hash value - 32 character string
  • SHA1 - 160-bit hash value - 40 character string
  • SHA256 - 256-bit hash value - 64 character string

Hypertext Transfer Protocol - HTTP

The Hypertext Transfer Protocol is a client-server application-layer protocol for distributed information systems and is the basic protocol used by the internet.

Data sent between a client and server over HTTP is not encrypted and could be intercepted and tampered with by a man-in-the-middle attacker.

Hypertext Transfer Protocol Secure - HTTPS

HTTPS, is an extension for HTTP for secure communications. HTTPS use transport layer security to authenticate and encrypt HTTP traffic.


Manages the creation and execution of virtual machines on a host computer system.

Indicators of Compromise - IoC

Pieces of forensic data which indicate computer or network compromise that can assist in identifying potentially malicious activity on a system or network.

Threats such as a specific variant or malware have specific IoCs which can be used to identify the variant of malware you are infected with. For example, certain files are created or altered in a certain way and perhaps within a specific location, an IP address may be contacted.

Information Security

The preservation, confidentiality, integrity and availability of information; other properties such as authenticity, accountability and nonrepudiation may be involved.

Internet-of-things - IoT

The network of devices and objects that can connect to the Internet. This includes devices such as smartphones, tablets, laptops and servers, but also is starting to extend to transport, buildings and household items like doorbells, thermostats, lightbulbs and toys.

In a healthcare setting this can also include examples such as patient monitoring and asset tracking. This represents a major security challenge as any device can potentially be a target or conduit for an attack and remediation will be difficult to implement.

Internet Service Provider (ISP)

An Internet Service Provider is a company that provides a service allowing business or personal users to access the internet.

IP address

An IP address (Internet Protocol Address) is a label assigned to computer devices.

An IP address is essential for Internet Protocol communication.

IP addresses can be represented as an IPv4 address (example: or an IPv6 address (example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

Key generators

Key generators, often referred to as keygens, are tools designed to generate legitimate software activation keys. 


Keylogging, also known as keystroke logging or keyboard capture, is the action of recording, often secretly, the keys struck on a keyboard. An application used to perform keylogging is called a keylogger.

Keyloggers are typically used to gain access to sensitive information or credentials, and are most commonly seen in spyware or banking trojans.

MAC address

A media access control (MAC, IEEE 802) address is a unique identifier assigned to a device's network interface controller. Typically stored in some form or read-only memory, MAC addresses are also known as hardware or physical addresses.


Malvertising is the act of inserting malicious advertisements into otherwise legitimate webpages or advertising networks.


Malware is  malicious or hostile software used to disrupt, damage or compromise a computer system or network. It is often embedded in non-malicious files or programs and often includes:

  • computer viruses
  • worms
  • ransomware
  • spyware

Malware usually consists of a downloader which downloads a payload (from a command and control server) that contains the malicious code which attacks a target.

Malware-as-a-Service - MaaS

Authors of malicious software selling malware as a cloud-based service, similar to the wider legitimate IT industry.

For example, users can purchase spam campaigns from email botnets, rent ransomware kits and offer a portion of the payments to the operators or buy tailored information from a banking trojan. 

Man-in-the-Middle - MitM

An attack method where the attacker is able to intercept messages passing between two victims and inject new ones without the victims being aware. Encryption tools can defend against an attack.


Miners, also known as cryptocurrency miners or cryptominers, are a form of malware that uses the resources of an infected device to generate units of a cryptocurrency.

Multi-factor Authentication (MFA)

An authentication process that uses at least two forms of identification, for example, some payments may require a bankcard, a PIN, and a fingerprint. MFA is considered the strongest form of authentication.  See Single-factor (1FA) and Two-factor Authentication (2FA) for comparison.

Patches and Patch management

Patch management covers acquiring, testing and installing multiple patches (manufacturer released code changes) to a computer system or application. Firmware and software vendors release patches to fix defects, change functionality and to address known security vulnerabilities.


Phishing is a type of fraud in which the attacker attempts to steal sensitive data such as passwords or credit card numbers, via social engineering. Phishing can be performed via:

  • email
  • phone calls
  • instant messaging
  • other communication channels


A pop-up or pop-over is a form of online advertising that creates a new browser window. This new browser window appears in front of the current browser window.

Pop-ups can be created through clicking on a link or automatically by the web site.

Privilege escalation

Privilege escalation exploits a bug, design flaw or misconfiguration in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

An application with more privileges than intended by the developer or system administrator can perform unauthorised actions.

Proof of concept - PoC

A proof of concept demonstrates how a system can be protected or compromised without building a complete working model.


A type of malware that prevents access to the target’s computer system or data until a ransom is paid to the attacker.

Different variants of ransomware can encrypt files, full disks or system configurations to prevent access and hold the user to ransom until a decryption key is paid for (usually by Bitcoin).

Anti-malware suppliers work to publish decryption tools. It is not recommended to pay any ransom demands and organisations should implement backup and recovery strategies to enable recovery from ransomware. 

Remote Access Trojan - RAT

Software that allows a remote user to control a system. It can also be referred to as a remote administration tool.

Legitimate implementations are common but RAT software can also be used for malicious activity. The malicious RAT software is typically installed by a trojan without the victim's knowledge and will try to hide its operation from the victim and from security software.

Remote Code Execution - RCE

The ability to execute arbitrary commands issued from one device on another device. It is typically used to refer to execution over a wide-area network, such as the internet.


The ability of an organisation to manage cybersecurity incidents, recover from failure or damage and keep running continuously despite growing threats.

Rogue wireless device

Unauthorised hardware that is connected to or near an organisation’s wireless network. The device can be used to gain access to sensitive data, send it back to an adversary or connect other devices to a network.

Secure Shell - SSH

Secure Shell, also known as SSH, is a cryptographic network protocol used to securely run network services over insecure connections, typically using TCP port 22. 

Security breach

A security incident that results in unauthorised access to data, applications, services, networks and/or devices by bypassing underlying security mechanisms.

A security breach could affect confidentiality, integrity or availability

Security Information and Event Management - SIEM

In the field of information security, SIEM is used to provide real-time analysis of security events and alerts generated by network hardware, operating system and applications.

SIEM solutions are generally used to consolidate logs from multiple ICT assets and syslog servers into one system. Anomalies and security events/alerts can be detected across an ICT estate in real time, which can then be investigated and responded to by security analysts.

Server Message Block - SMB

Server Message Block (SMB, also known as Common Internet File System, CIFS) is an application-layer networking protocol used for sharing access to files, devices or other miscellaneous communications between nodes on a network over TCP ports 139 and 445. It is primarily used by the Windows operating system, with several open-source implementations such as Samba available for other operating systems.

Single-factor Authentication (1FA)

An authentication process that uses a single form of identification, such as a contactless payment that requires a bankcard.  1FA is the weakest form of authentication.  More secure processes are Two-factor (2FA) and Multi-factor Authentication (MFA).


A type of phishing attack that uses SMS messages (or other types instead of mobile messaging such as MMS or IM services) instead of email messages.

Social engineering

An attack method that tricks people into breaking normal security procedures by masquerading as a reputable entity or person in email, IM or other communication channels.

Social engineers try to trick victims into disclosing sensitive information or by allowing or doing something which compromises security, such as allowing physical access to a secure area or a user executing a malicious executable at the social engineers request.


The programs used by a computer, as well as other information that it relies on to operate.


Unwanted and unsolicited bulk email. The email messages may be commercial by nature but can also contain disguised links that appear to be for familiar websites but lead to phishing websites or sites that are hosting malware.

Spam email may also include malware as scripts or other executable file attachments.

Spear phishing

Spear phishing is a type of fraud whereby a phishing attempt is targeted against specific individuals or organisations. Attackers attempts to steal sensitive data such as passwords or credit card numbers, via social engineering. Attackers may gather personal information about their target to increase their probability of success. It is often used as part of reconnaissance activity by a hacker.

Spear phishing can be performed via email, phone calls, IM or other communication channels.


An attacker or program successfully masquerades as another by falsifying data for malicious reasons. Spoofing an email address to fool a recipients or an attacker spoofing their IP or hardware (mac) address in a man-in-the-middle attack are well known attack examples.


Software that gathers information about a person or organisation without their knowledge. The information may be sent to a remote destination and is usually used for malicious purposes.


The practice of concealing a file, message, image, or video within another file, message, image, or video.


The potential cause of an incident that could result in harm to systems and the organisation. Threats lead to the compromise of security.

Threat actors

Individuals or groups of people which express or pose a threat to your organisation, including hackers and internal employees (such as disgruntled, unskilled or overworked employees).

Threat detection

Methods for identifying system vulnerabilities and hacking behaviours. These can include a number of software and hardware technologies, such as machine learning, statistical modelling and network and web monitoring.

Tor - The Onion Router

Open-source network software that disguises a user’s identity and location by encrypting data and routing traffic around an intercontinental network of servers run by volunteers. Often used by sites on the dark web, among others.


Named after the trojan horse from Greek mythology, a trojan is a type of malware that is often disguised as legitimate software, which tricks a user into installing it. Trojans usually have a payload of other malware and some open a backdoor that allows an attacker access to the victim's machine.

Two-factor authentication (2FA)

An authentication process that uses two different forms of identification, such as a larger payment might require a bankcard and a PIN. This is a more secure authentication process than Single-factor authentication.  Compare with Multi-factor Authentication that uses at least two factors.

Virtual Private Network - VPN

A VPN is a method of hosting a private network across public infrastructure or the internet. End-to-end encryption and additional security measures are implemented to protect the traffic.


A malware that can make changes, corrupt or delete data on a computer. A virus needs user interaction to trigger it.


A vulnerability is a weakness which allows an attacker to compromise security (integrity, confidentiality or availability).

Vulnerability scanner

Software program that automatically finds, assesses and reports vulnerabilities and weaknesses in a computer system, network or application. This is a popular form of threat detection.


A wiper is a software tool used to erase information on computer hard drives.


A type of malware that is standalone and spreads to other machines by replicating itself. The replication rapidly consumes storage and creates performance issues. Worms are triggered without user interaction and are capable of targeted attacks. Worms can be used to distribute and drop other malware such as ransomware.

Zero-day attack

Attacks that exploit a vulnerability in software that is unknown to the vendor and has no remediation available. This type of threat is particularly difficult to detect and defend against. The name refers to a vendor or organisation having no time to fix the vulnerability prior to attack. Can also be written as '0-day attack'.


This page was last updated 18/01/2023