Back to Blog

cybersecurity terms

80 Cybersecurity Terms to Know, from Anti-Phishing to Zombie

28 minute read | March 18, 2021
Kindra Cooper

Written by:
Kindra Cooper

Free Cybersecurity Course

Enter the cybersecurity field with our free introductory course. Learn the basics and build a strong foundation.

Enroll for Free

Ready to launch your career?

A cyber attack takes place every 39 seconds, according to a University of Maryland study. Consequently, organizations receive thousands or even millions of alerts each month. Security analysts must stay up to date with the latest cyber-attack strategies, security tools, compliance regulations, and industry trends in order to mount a strong defense.

From network security management to data loss prevention and incident response, working in the field means mastering an array of skill sets. Here’s a list of 80 common cybersecurity terms and concepts you need to know, listed from A-Z. 

Cybersecurity Terms

Click on a letter to jump to the corresponding section.



Account hijacking. A process by which hackers gain access to an individual’s log-in credentials for their email provider, bank account, social media profile, or any other account associated with a computing device. Attackers use these stolen credentials to access sensitive personal data, steal funds or even publicize compromising information while impersonating the victim.

Advanced Persistent Threat (APT). An APT refers to a hacker that remains undetected for a long time after gaining in-depth, unauthorized access to a computer network. These types of attacks are usually perpetrated by a state actor or nation-state, where the goal is to remain unnoticed and observe the victim’s activities over a period of time, rather than simply seizing as much information as possible or wreaking havoc. APTs are usually leveled at high-value targets like nation-states or corporations—targets that have been carefully chosen and researched—because of the level of effort needed to carry out the attack. Hackers typically execute an APT to mine sensitive data, such as intellectual property or classified information. Others may seek to sabotage critical organizational infrastructure.

The recent SolarWinds hack is an example of an APT that went undetected for an estimated nine months.

Adware. Also known as advertising-supported software, adware is a type of software that displays unwanted advertisements. They tend to serve victims with pop-up ads, modify their browser homepage, add spyware and bombard the device with “targeted” ads by monitoring the victim’s browsing history. An adware attack is a common side effect of downloading pirated games or software applications from the internet, but it can also be propagated through phishing emails or malvertising (pushing malware-laden advertisements onto legitimate websites).

Anti-phishing. Anti-phishing software attempts to identify phishing content contained in websites, emails, SMS, or other forms of communication, and either cautioning the user against accessing the content or automatically marking it as spam. Phishing makes use of social engineering, a form of psychological manipulation, to induce someone to click on a link, which then downloads malware onto the victim’s computer. The software scans incoming communications for suspicious elements like an attachment containing a .exe file or a spoofed email address. Some use natural language processing to parse language redolent of spam, such as references to Nigerian princes offering unbelievable investment opportunities (no, really!). Anti-phishing software can come in the form of a web browser plug-in, firewalls, or cloud-based solutions.

Antivirus software. Software designed to prevent, detect and destroy computer viruses by scanning files or directories for malware or known malicious patterns and removing any malicious code detected. The software works by scanning incoming files or code that’s being passed through your network traffic and is trained on an extensive dataset to help it detect, flag, and remove a range of viruses.

Authentication. The act of verifying the identity of a user or device before allowing access to a software application or database. Authentication can be done in a variety of ways, ranging from log-in credentials to single-use codes, voice authentication (analyzing speech patterns to create a unique vocal identifier for each user), keystrokes, or even advanced biomarkers like fingerprints or eye pupil movements. Single-factor authentication requires the user to pass one security check (eg: enter the correct password), while multi-factor authentication combines a number of authentications for heightened security (eg: enter a password plus an access code sent to your mobile device).

Availability. Data availability means that information is readily accessible to authorized users. In other words, minimizing unscheduled downtime of databases, servers, and web applications due to outside interference. Availability can be compromised by a cybercriminal using Distributed Denial-of-Service, the form of attack most commonly aimed at disrupting availability and causing a site to crash. Availability is associated with reliability and system uptime, which can also be impacted by non-malicious issues like human error or traffic overload. Availability is a component of the CIA triad, a framework for how organizations approach cybersecurity policy.


Blacklist/whitelisting. A blacklist is a list of suspicious or malicious entities that should be denied access to a network or system. Blacklisting is used by anti-virus software, spam filters, intrusion detection systems, and other security software programs, which denies access to intruders and keeps suspicious applications from installing or running. Organizations can create their own blacklists and/or use lists created by third parties, such as network security service providers. However, a blacklist can never be comprehensive since new threats emerge every day.

Whitelisting, on the other hand, involves creating a list of permitted entities while blocking everything else. The simplest technique for whitelisting is to identify entities by file name, file type, and size (eg: executable files are typically treated as suspicious).

Bot. A type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely control an affected machine. This machine then becomes known as a “zombie” computer.

Botnet. A botnet is a network of hijacked computer devices that have been programmed to run one or more bots. The devices on this network are known as zombie computers. Botnets are used to perform DDoS attacks, steal data, send spam and allow the attacker to remotely access hijacked devices and their connections. The bots perform repetitive tasks, like flooding a website with traffic or sending mass emails. (In fact, most spam email originates from other people’s computers—not the hacker’s—and they don’t even know their machines have been hijacked). However, botnets can be perfectly legal when not used for malicious purposes. For example, they’re used in connection with Internet Relay Chat to run online chat rooms.

Breach. A security breach occurs when a hacker gains unauthorized access to a computer network, application, or device by exploiting a vulnerability in its security mechanisms. Often, this results in the release of secure or private/confidential information to a third party. There is a difference between a security breach and a data breach. A security breach occurs when an intruder breaks in, and a data breach occurs when the intruder successfully steals information. Confidential information (such as classified government information) is often sold on the dark web, while personally identifiable information (eg: names and credit card numbers) is used for identity theft.

cybersecurity terms

Brute force attack. Hackers often use trial-and-error to guess password information and encryption keys or find hidden web pages. This technique involves trying all possible password combinations until the correct one is found. The attacker may have stolen information from elsewhere to make a more educated guess about an individual’s log-in credentials, such as answers to security questions. Depending on the length and complexity of the password, this process can be exceedingly easy or hard—hence why websites advise users to create hard-to-guess passwords using special characters and uncommon letter combinations to withstand a brute force attack. Locking users out of their accounts after too many failed password attempts is another protective mechanism.


CIA triad. Short for Confidentiality, Integrity, and Availability, the CIA triad represents a framework for how organizations define their approach to cybersecurity. Confidentiality refers to how an entity protects sensitive information from unauthorized access (eg: access control lists, volume and file encryption, user permissions, etc.). Integrity refers to protecting data integrity by preventing it from being deleted or modified by a third party. Availability refers to data being reliably accessible to legitimate users and not susceptible to hardware failures, power outages, or cyberattacks.

Computer forensics. Similar to crime forensics, cybersecurity experts investigate data breaches and other cybercrimes by reconstructing a timeline of what may have occurred. In many cases, this means attempting to recover hidden, encrypted, or deleted log information, which contains a record of all activity on a computer network and can reveal an attacker’s movements. Just like a crime scene, the evidence must be compiled in such a way that it is admissible in court: by following a chain of custody and safeguarding the integrity of the data.

A computer forensics analyst may also be called upon to advise law enforcement personnel. These professionals collect and analyze data from computer systems, networks, wireless communications, and storage devices, searching for instances of damaged, deleted, or encrypted files.

Cryptographic key. A cryptographic key is a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it. The original data is known as plaintext—which is readable by humans—and the data after the key encrypts it is known as ciphertext, which can only be interpreted by someone who has the corresponding cryptographic key.

Get To Know Other Cybersecurity Students

Jose Mendoza

Jose Mendoza

Cyber Security Career Track Student at Springboard

Read Story

Rafael Ayala

Rafael Ayala

Mergers And Acquisitions at Autodesk

Read Story

Vianey Luna

Vianey Luna

IT Security Specialist at Cooper Machinery Services

Read Story


Data integrity. Refers to the accuracy and consistency of data over its lifecycle. This is especially important in a computer forensics investigation, where data integrity is required in order for the evidence to be admissible in a court of law. Compromised data is of little use to enterprises and there may be potential dangers associated with the loss of sensitive data. Hackers will attempt to compromise data integrity by modifying or deleting files and/or log information to make it harder for forensics experts to reconstruct the timeline of events during the security invasion and contain the threat.

Data Loss Prevention (DLP). DLP is a strategy for making sure end users do not send sensitive information outside of the corporate network. DLP is often driven by compliance regulations such as HIPAA or GDPR. DLP software classifies regulated, confidential and business-critical data and identifies violations of policies created by organizations, and is critically important for organizations that collect and store customers’ personal information or have intellectual property assets that could put the organization at financial risk if they were stolen. The software helps a network administrator control the data that users can transfer. For example, if an employee tries to forward a business email outside the corporate domain or upload a corporate file to a cloud storage service like Dropbox, they would be denied permission.

Distributed Denial-of-Service (DDoS). This type of cyberattack causes a website to crash by flooding it with malicious traffic or data from multiple sources (often botnets), which can result in lost revenue. Hackers achieve this by remotely controlling a network of computers that have been infected with malware known as botnets. Once a botnet has been established, the attacker can direct an attack by sending remote instructions to each bot. Each bot then sends a request to the victim’s IP address, potentially causing the server or network to become overwhelmed and a denial-of-service to normal traffic.


Encryption. The process of encoding or scrambling information so that it appears to be random data, an essential component of internet security. Encryption involves converting the original representation of the information, known as plaintext, into an alternative form known as ciphertext. The idea is that only authorized users can decipher a ciphertext back to plaintext. Encryption requires the use of a cryptographic key: a set of mathematical values that the sender and the recipient of an encrypted message agree upon, which can be used to decrypt the message back into plaintext.

Ethical hacking. Ethical hacking refers to the practice of legally breaking into computers and devices to test an organization’s cybersecurity defenses. This is done by certified ethical hackers, also known as white hats. Companies engage ethical hackers to find vulnerabilities in their systems. The process is planned and preapproved, where the hacker and the organization predetermine which networks, operating systems, and computer assets should be included in the test, whether or not social engineering and automated vulnerability scanning are allowed, and if attempted service interruptions are allowed in order to accurately simulate a real-world attack.

Exfiltration. Data exfiltration refers to any unauthorized movement of data, otherwise known as data exportation, data extrusion, data leakage, or data theft. Attacks can be perpetrated manually (someone breaks into a computer system and downloads information onto a thumb drive) or remotely. Whenever you hear in the news that a business has suffered a data breach exposing the personal data and credit card information of its customers, that’s usually the result of data exfiltration. Sometimes, this is done by someone within the organization in order to exact revenge on a superior.

Exploit: Computer exploits are specialized programs or snippets of code that take advantage of a software vulnerability or security flaw. Exploits can be anything from complete software applications to strings of code and data, or even just a simple command sequence. Once a hacker identifies a design flaw in a piece of software or a computer system, they can write a computer exploit to infiltrate it. Bear in mind that an exploit isn’t necessarily malicious: it’s simply a tool that hackers use to enter a system and doesn’t account for what they do upon gaining entry.


Firewall. A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets (the format in which data is transmitted over a digital network) based on a set of security rules. Typically the first line of defense in network security, the purpose of a firewall is to establish a barrier between your internal network and incoming traffic from external sources to block malicious traffic like viruses and hackers. Firewalls guard at a computer’s entry point, called ports, which is where information is exchanged with external devices. Firewalls can either be software or hardware.

cybersecurity terms


Hacktivism. As its name suggests, hacktivism combines the terms ‘hacking’ and ‘activism.’ It refers to the act of hacking into a computer system for politically or socially motivated purposes. Hacktivism campaigns are more about disruption and sending a message to the target than stealing information for personal financial gain. Hackers use tactics such as doxxing (leaking confidential or incriminating information about an organization or public figure), defacement (changing the visual appearance of a website), and DDoS attacks. WikiLeaks’ decision to release emails from the Democratic National Convention in 2016 is an example of hacktivism.

Honeypot. A honeypot is a sacrificial computer system designed to bait hackers. The system is set up as a decoy designed to look like a real target and collects information on intrusion attempts to root out cybercriminals and understand how they operate. For example, a honeypot could mimic a company’s billing system, a frequent target of attack. Once the hackers are in, cybersecurity experts can assess their behavior for clues on how to make the real network more secure. Honeypots deliberately have built-in security vulnerabilities, which makes them attractive to hackers, such as a weak password. Honeypots can help organizations understand existing threats and spot the emergence of new threats.


Incident response. The process by which an organization handles a data breach. While containment is the most important short-term goal, incident response also involves identifying, analyzing, and correcting security vulnerabilities to prevent a future recurrence. Organizations must prepare an incident response plan, a guided process to be followed when an incident occurs.

Some organizations have a dedicated computer incident response team consisting of security and general IT staff, along with members of the legal, HR, and PR departments. The non-technical departments are responsible for overseeing incident response, providing customers (and the media) with the right information, and protecting employees.

During an incident response, IT teams identify the threat by gathering log files, monitoring error messages, and using intrusion detection systems and firewalls to determine the scope of the breach. Once the threat has been identified, containment ensues. In other words, purging the threat actor from the system and preventing others from getting in, as well as recovering log files that have been deleted or altered and restoring affected systems to their original state.

Information sharing. Sharing information on cybersecurity events is critical to the protection of cybersecurity infrastructure. The Cyber Security Information Sharing Act of 2015 signed into law by President Obama details how public and private entities can share cyber information and establishes provisions for how information should be protected, including personally identifiable information.

This legislation allows U.S. government agencies and non-government entities to share information with each other as they investigate cyberattacks. This provides a critical loophole that would otherwise prevent certain non-government entities from sharing this information. For example, if a hospital is attacked, hospital administrators could be prevented from sharing information with government agencies because of HIPPA regulations.

Intrusion Detection System. An Intrusion Detection System (IDS) is a network security technology built for detecting malicious activity or policy violations on a target application or computer. An example is antivirus software. Most IDS solutions also have IPS (Intrusion Prevention Systems) capabilities, meaning they can block threats upon discovery in addition to detecting them. There are two types of IDS: anomaly-based and signature-based. Anomaly-based IDS uses machine learning to create a defined model of trustworthy activity. If a pattern of activity is seen as anomalous, it is flagged. Signature-based IDS detects possible threats by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.

Interoperability. Firms use a variety of cybersecurity tools as part of their security infrastructure. In fact, research shows that large organizations use an average of 47 different cybersecurity tools across their networks. Interoperability ensures that these software systems can communicate with each other and share information, rather than having data siloed in individual systems. Coordinating the implementation of all these products is a challenge of its own. When new tools are introduced but are unable to communicate with other platforms, it is hard to get a useful picture of the threat landscape.

Internet Protocol (IP) address. An IP address is a unique number that is linked to every individual’s online activity. Rather than using a personal identifier, IP addresses identify a device on the internet or a local network. However, an IP address doesn’t exist for surveillance purposes. The IP address enables you to receive information from the websites you visit. All devices find, send and exchange information with other connected devices using this protocol. The internet needs a way to differentiate between different computers, routers, and websites, and IP addresses are a way of doing so.


Key Controls: Key controls are procedures, products or policies used by an organization to mitigate or eliminate cyber security risks. Controls are regularly tested or audited for effectiveness, and typically protect some area of the business rather than offering blanket protection. A control could be something as simple as installing and updating antivirus software, or authenticating a signature on a check.

Keylogger. A keylogger is a type of spyware (activity-monitoring software) that logs the victim’s keystrokes, enabling hackers to see passwords, credit card numbers and sensitive information they type, as well as the web pages they visit. The spyware then sends a log file to a server where cybercriminals can access this information. Sometimes, keyloggers are used legally by IT departments to troubleshoot departments or monitor employee activities, or by parents who want to track their childrens’ internet browsing habits. If you install a keylogger on a device you own, it is legal.


Macro virus. A macro virus is a computer virus written in the same language that is used for software applications such as word processing programs. When a macrovirus infects a software application, it causes a sequence of actions to begin automatically when the application is opened. For example, if Microsoft Word has been infected with a macrovirus and someone opens a Word document, the macrovirus automatically installs on their computer. Macro viruses are often spread through phishing emails containing attachments that have been embedded with the virus. They work by embedding malicious code in the macros that are associated with documents, spreadsheets, and other data files, causing the malicious programs to run as soon as the documents are opened.

Malware. Short for “malicious software” malware is a blanket term for software that is designed to damage computers, servers and computer networks. The term encompasses viruses, worms, trojans, ransomware, and other harmful computer programs hackers use to cause destruction. Malware can be manually installed on a computer by the attacker, either by gaining physical access to the computer or using remote administrator access. It can also be spread through phishing scams or software updates. Malware is a type of software that contains malicious code: a set of instructions detailing how to damage the target computer system.

Man-in-the-Middle Attack (MItM). One of the oldest forms of cyberattack, a Man-in-the-Middle Attack occurs when a hacker secretly insinuates themselves into communication between two parties in order to eavesdrop, modify communications or impersonate one of the parties. Attackers may do this to steal confidential information, login credentials, sabotage communications, or spy on the victim. A hacker gains access to these communications by interfering with legitimate networks or creating fake networks that they control. Compromised traffic is then stripped of encryption to steal or reroute that traffic to the hacker’s destination of choice, such as a phishing website. Another tactic is SSL stripping, in which hackers establish a secure HTTPS connection between themselves and the server, and an unsecured HTTP connection with the user, meaning that any information the user sends is in plaintext without encryption, and can therefore be easily read by the attacker.

Mitigation. Threat mitigation refers to policies, processes, and tools to help prevent security incidents and data breaches and limit the extent of the damage when attacks do happen. This means isolating or containing a threat until the problem can be remedied. Mitigation refers to an all-encompassing strategy, starting with prevention (protecting systems from threat actors) , threat identification (identifying active security threats), and remedy (isolating or containing the threat).


Network resilience. Network resilience or cyber resilience measures an organization’s ability to prepare for, respond to and recover from cyberattacks. The goal of a resilience strategy is to ensure business continuity by limiting the effects of a security incident. The resilience of a computer is determined by four components: threat protection (rate of threat prevention), recoverability (the speed at which normal operations can be restored), adaptability (responding to new tactics), and durability (sustaining routine operations after a security breach). Cyber resilience is important because almost every business is under threat of attack, and it’s reasonable to assume that hackers will breach the system eventually.


Passive attack. Security attacks can be either active or passive. An active attack occurs when a hacker tries to alter, damage, or sabotage a system by manipulating the source code or altering information. In a passive attack, a hacker’s main goal is to enter a system, extract the information they need and exit undetected. They focus on monitoring network activity and acquiring data, rather than changing or sabotaging the computer system. The terms ‘passive’ and ‘active’ also refer to the way the attack is mounted. In a passive attack, cybercriminals monitor a system and scan it for open ports and vulnerabilities using methods like session capture. The purpose is solely to gain information on the target rather than to shut down the system. In an active attack, hackers actively try to force their way into a system in order to cause damage.

Penetration testing. Penetration testing is a type of ethical hacking where an organization hires highly trained hackers to break into a computer system in order to test the strength of the organization’s cybersecurity infrastructure. These simulated attacks are configured around a set of test goals and specific intelligence the organization wants to gather. Then, scanning tools are used to understand how a target responds to intrusions. Once the hacker gains access to the system, they test whether or not certain vulnerabilities can be used for advanced persistent threats—staying in the system long enough to cause significant damage while going undetected. The findings are compiled into a report detailing the specific vulnerabilities exploited and sensitive data accessed during the simulated attack.

Cybersecurity terms

Phishing. Phishing is a cybercrime in which a victim is contacted by phone, email, or text message by someone posing as a representative of a legitimate organization. They do so to lure people to share sensitive data such as PII, credit card details, and passwords. This information is then used to access the victim’s accounts and can result in financial loss.

Hackers attempt to extract information either through social engineering (psychologically manipulating someone into divulging sensitive information) or persuading someone to click on a malicious link, which automatically downloads malware onto their computer or directs them to a spoofed website where they will be asked to enter their personal information. Phishing scams are the most common type of cybercrime. A report found that phishing incidents rose by 220% in 2020 due to global pandemic fears.

Public/private key. A cryptographic key is used to encrypt information—converting it from plaintext, which can be read by a human, to ciphertext, which can only be interpreted by authorized users. These keys can be private or public. A private key is made available via a public directory or repository, while a private cryptographic key is confidential and closely held by the information concealer. The cryptographic system uses a pair of mathematically related keys. Whatever is encrypted via public key can only be decrypted by a private key and vice versa.


Ransomware. Ransomware is a type of malware that encrypts the victim’s files so they can no longer access them. The attacker then demands a ransom for the victim in exchange for a decryption key that will restore access. Phishing emails are the most common conduits for ransomware, whereby the malware downloads itself onto the victim’s computer when they open an email attachment or click on a malicious link. More aggressive forms of ransomware automatically exploit security vulnerabilities without needing to trick users into conferring administrative access. A variation of ransomware is leakware or doxware, where the attacker threatens to publish sensitive data on the victim’s hard drive unless a ransom is paid.

reCAPTCHA. A free service from Google that helps protect websites from spam and abuse. A CAPTCHA is a Turing Test to tell humans and bots apart. These image recognition exercises (eg: identify all images with traffic lights) are easy for humans to solve but hard for bots and other malicious software to figure out. The purpose of reCAPTCHA is to keep bots from engaging in abusive activities on a website so that legitimate users can continue to access the site. Doing so helps prevent cyberattacks like scraping (content pilfering for ad revenue diversion), fraudulent transactions (purchases made with stolen gift cards/credit cards, account takeovers, synthetic accounts (creating fake accounts for future misuse) and false posts (posting of malicious links or misinformation).

Recovery plan. Disaster recovery plans are key to business continuity. According to a study by IBM, the average cost to a business from a single data breach is $3.86 million, which can threaten the survivability of a small business. Note that disaster recovery and cybersecurity recovery are not the same thing. A disaster recovery plan helps an organization resume operations after disruption from man-made or natural causes. This means liaising and communicating with stakeholders and advising legal and PR teams. Cybersecurity recovery protects data assets after a security breach. This approach includes collecting and preserving evidence and analyzing the root cause of the attack.

Red team/blue team. Red teaming is a full-blown multi-layered attack simulation designed to measure how well an organization’s computer networks, software applications, and physical security controls can withstand an attack from a real cybercriminal. While penetration testing focuses on a predefined scope of attack (testing certain applications or operating systems) while minimizing service interruptions, red teaming is a no-holds-barred approach leveraging social engineering as well as physical, application, and network penetration. In fact, the physical aspect includes testing security assets like motion sensors and cameras, data centers, and warehouses.

Some organizations will also hire a blue team of defensive security professionals who are responsible for maintaining internal network defenses against attacks. Red teams simulate attacks against blue teams to test the network’s security.

Residual Risk: The risk that remains after cybersecurity controls are in place. Organizations can’t anticipate every cyber attack or plug every single attack vector. Monitoring residual risk as well as inherent risk is key to mounting a strong cybersecurity defense and may be necessary for compliance. These dangers may be due to uncertain factors or unidentified factors that cannot be resolved or addressed.

Risk: Cybersecurity risk is the probability of exposure to a cyberattack on an organization’s information or communications systems. Risk measures the potential harm related to monetary loss, loss of technical infrastructure and intellectual property, productivity loss, and reputational harm. Risks can be internal or external, malicious or unintentional. A study by IBM found that 95% of security breaches are the result of human error by employees and users — an example of an unintentional, internal risk.

Risk management. The practice of security measures based on the relative impact of the threats they’re designed to guard against. Since no organization can anticipate and intercept every potential cyber threat, they need a triaged approach to address the attacks that have the most business impact. Risk analysis in cybersecurity is calculated using a generic risk equation:

Cyber risk = Consequences of attack x Likelihood of attack

Consequences include revenue loss, customer churn, or regulatory fines. Meanwhile, the likelihood of an attack is determined by things like the attractiveness of an asset to cybercriminals, the value of the impacted asset, and its impact on the business process. A risk analysis helps an organization decide where to allocate investments to drive down the overall cybersecurity risk exposure and/or minimize the business impact of the highest-risk threats. A cyber risk management framework presents a standardized methodology for conducting risk assessments, prioritizing future cybersecurity investments, and executing on those strategies.

Rootkit. A rootkit is a type of malware that allows cybercriminals to remotely control your computer, a clandestine computer program designed to provide administrator-level access to a computer while hiding its presence. Once a rootkit has been installed, the controller has the ability to remotely execute files and change system configurations on the host machine. They also access log files—and manipulate them to cover their tracks—and spy on computer activity.


Secure Email Gateway: Email is the number-one method cybercriminals use to infiltrate an organization, typically through some form of phishing scam or social engineering. A secure email gateway protects employees from malicious content by preventing them from reaching their intended recipient. These gateways work by using spam filters to quarantine suspicious emails containing viruses or malware, or automatically blocking the sender. Content filtering is applied to outbound email sent by employees to prevent sensitive documents from being sent to an external recipient or put a block on specific keywords being sent through the email system.

Security automation. Security automation is the use of cybersecurity technologies that perform tasks without human intervention. These software systems can automatically detect, investigate and remediate cyber threats by identifying incoming threats, triaging and prioritizing alerts as they emerge (something is typically done by a tier 1 SOC analyst), and responding to them. This saves security teams from having to weed through and categorize alerts according to their level of importance while scaling security efforts. According to research by ESG, IT teams ignore 74% of security events due to sheer volume. This is because they have to monitor incoming alerts not only from computer systems and servers but also from mobile devices, cloud infrastructure, and IoT devices.

Situational awareness. Simply put, situational awareness means knowing what is going on around you. From a cybersecurity standpoint, this means that an organization properly perceives its own security posture and threat environment, and developing effective countermeasures. This helps security professionals make decisions to protect organizational assets, such as creating an incident response plan or hiring for certain roles. Situational awareness makes it possible to get relevant information and to disseminate it to help people make better decisions. This is especially important when it comes to protecting federal infrastructure from state-level threat actors.

Social engineering. Instead of using technology to deceive people, social engineering entails using psychological manipulation to trick people into giving away information. This could mean using call spoofing and posing as a customer service rep for a legitimate organization, or taking advantage of vulnerable people such as those who are less tech-savvy. Phishing scams rely on social engineering tactics to induce someone to click on a link, download an attachment, or surrender their personal information. What’s unique about social engineering is that people are the target of the attacks, not computer networks. In fact, people are the weak link in an organization’s cybersecurity arsenal: worker mistakes and misbehavior are the leading cause of data breaches, and social engineering is thought to be behind it.

Spam. Unsolicited bulk messages sent through email, instant messaging, robocalls or other digital communication tools qualify as spam, which is generally used by advertisers. In 2019, spam accounted for 28.5% of email traffic worldwide, down from 59.8% in 2016. Spam is usually sent by botnets on zombie computers rather than the hackers themselves, hence why spam has such a wide reach. Spam can also be found on internet forums, text messages, blog comments, and social media, but email spam is the most prevalent. Spam often comes from marketers selling dubious products or get-rich-quick schemes, but also cyber criminals attempting to steal data and spread malware.

Spoofing. Spoofing occurs when cybercriminals seek to disguise themselves by falsifying their identity to trick the recipient into believing the communication is from someone else. For example, they can disguise their phone number or email address as that of someone you know. However, spoofing can also apply to websites, where a copycat of a legitimate website is used to fool people into divulging personal information. Or, spoofing can be more technical, such as spoofing an IP address, Address Resolution Protocol (ARP), or DNS server. Spoofing can be used to gain access to a target’s personal information, spread malware through infected links or attachments, or bypass network access controls.

Spyware. A type of malware that enables a hacker to remotely obtain information about another person’s computer activities by transmitting data covertly from their hard drive. Often used by nation-states to collect information on both allies and enemies. Spyware can be used to track a person’s activity online, phone calls, read their emails and text messages, and even see account passwords and credit card numbers. Some of this information is sold to marketers or used to commit identity theft and fraud. Adware, tracking cookies, keyloggers, trojans, and system monitors are all examples of spyware.


Threat. A cyber threat is a circumstance or event with the potential to disrupt organizational operations or damage assets. Threats can come from hostile nation-states, terrorist groups, hacktivists, corporate spies, hackers and even disgruntled employees. Accidental actions by authorized users may also result in an internal threat. Threats include things like malware, phishing attacks, Distributed Denial-of-Service (DDoS) attacks, intellectual property theft, reputational damage and more.

Threat actor. Unlike a hacker or cyber attacker, a threat actor does not necessarily have technical skills and may not be the one that physically perpetrates a security breach. Rather, they are a person, organization, or nation-state with malicious intent to compromise an organization’s security and they mobilize the resources to do so. A threat actor may represent a group of hackers or may otherwise employ hackers to penetrate systems on its behalf. By contrast, a hacker is an individual who uses technology to infiltrate an organization’s computer systems.

Threat analysis. The process of formally evaluating the cyber activities of criminals to describe the nature of the threat, determine the threat level, and isolate which components of a system need to be protected.

Traffic Light Protocol (TLP). A set of designations created to classify sensitive information and ensure it is shared with the appropriate audience. TLP uses four different color codes (TLP-RED, TLP-AMBER, TLP-GREEN, and TLP-WHITE), each one denoting different sharing boundaries. This framework provides a simple and intuitive schema for indicating when and how sensitive information can be shared. On one extreme, TLP-RED is used for classified information which must not be shared with any third party, while TLP-WHITE refers to information that carries no “foreseeable risk of misuse.”

Trojan. A trojan is a type of malware that is often disguised as a legitimate software application or file. Similar to the idea of the Trojan horse, a Trojan uses subterfuge to gain access to a system. Hackers can use the malware to spy on you, steal sensitive data and gain unauthorized access to your system in order to delete, block, modify or copy data.


Virtual private network (VPN). A tool that allows the user to remain anonymous while using the internet by masking their location and encrypting traffic. Consequently, your search activity is associated with the VPN server’s IP address, not your own, so your online browsing habits are anonymized. In other words, a VPN creates a private network from a public internet connection, hence why it provides greater security than a secured Wifi hotspot.

A VPN is useful if you are browsing on a public network (like at a cafe) because you could be exposing your private information and browsing habits. With a VPN, your browsing history is hidden from your internet service provider.

Virus. A computer virus is a type of malicious code or program created for the sole purpose of damaging host computer systems. Viruses replicate by creating their own files on an infected system, attaching themselves to a legitimate program, or infecting user documents. However, unlike worms, some human intervention is necessary for viruses to propagate. The virus can spread when the victim opens an email attachment, runs an executable file or visits an infected website. Once the virus has infected the host, it can modify or disable core functions or applications, and copy, delete or encrypt data. In fact, viruses are becoming increasingly hard to detect and purge due to the rise of polymorphic malware, which can dynamically change its code as it spreads.

Cybersecurity terms

Vulnerability. A vulnerability is a weakness in computer networks, systems, hardware, applications and other parts of the IT ecosystem. Weaknesses can be exploited to gain unauthorized access and allow attackers to run code, access a system’s memory, install malware, and steal, destroy or modify sensitive data. A vulnerability with at least one known working attack vector is considered an exploitable vulnerability. An attack vector is simply a means by which an attacker can enter a computer or network without authorization. Sometimes, hackers will attack a third- or fourth-party vendor if they can’t target an organization indirectly.


Whaling. A type of phishing attack where a cyber criminal uses spear phishing methods to target a high-profile person, such as the CEO. This type of attack is different from the phishing scams used against regular employees because high-level executives may be more savvy of spam tactics and have extensive security awareness training because of their rank. However, whaling uses similar social engineering tactics to regular phishing attacks, with the goal of compelling the target to issue a wire transfer, open an attachment or visit a malicious website. This type of phishing is known as spear phishing because of its targeted approach, whereas regular phishing relies on spamming a large number of unidentified individuals in the hopes of duping a few.

White hat/black hat. A white hat is an ethical computer hacker: someone authorized to simulate cyberattacks on an organization’s behalf. These highly trained security experts specialize in penetration testing and other testing methodologies to identify security flaws and make improvement recommendations. A black hat, on the other hand, is a criminal who violates computer security systems for malicious purposes. Their goal is to steal information, destroy files, disable computer systems or extract a ransom.

Worm. A worm is a type of malware that can spread itself from one computer to another without human intervention. Unlike viruses, a worm doesn’t need a host file or to hijack code on the host computer. Instead, they autonomously target pre-existing vulnerabilities in a computer’s operating system in order to gain access. To propagate itself further, it will then exploit holes in networking and file transfer protocols. An organization (or individual) that fails to keep its operating system up to date is especially vulnerable to worm attacks. Worms serve a variety of purposes for attackers. Most modern worms include payloads—code that carries out some larger mission beyond the reproduction of the worm itself. Some turn computers into zombies or bots that launch DDoS attacks, others scour their host for banking information or other sensitive data.


Zombie. In computing, a zombie is a computer connected to a network that has been compromised by a hacker. The hacker controls the computer remotely for malicious purposes, such as carrying out a DDoS attack. Most owners of zombie computers do not realize their system is being used in this way, hence the comparison with the living dead.

Related Read: What Does a Cybersecurity Analyst Do?

Since you’re here…
Breaking into cybersecurity doesn’t take a Trojan Horse. Our Cybersecurity Bootcamp lasts just six months, and we’re ready to help you land a job after graduation or your money back. There’s urgent need in this field, so we’re beaming out tons of freebies to entice you, like this email course on certifications and our guide to becoming a software security analyst. Join in—there are plenty of jobs to go around!

About Kindra Cooper

Kindra Cooper is a content writer at Springboard. She has worked as a journalist and content marketer in the US and Indonesia, covering everything from business and architecture to politics and the arts.