Security 101

A Guide to security-related terminology found in
the Internet Security Threat Report and elsewhere
Adware
Adware is software, usually unwanted, that facilitates the delivery of advertising content to
a computer.
Antispam
Antispam is any product, tool, service or best practice that works to prevent spam sent through
email before it becomes a nuisance to users. Antispam should be part of a standard multi-tiered
security approach.
Antivirus
Antivirus is a category of security software which protects a computer from viruses, usually
through real-time detection and also system scans and virus quarantine and removal.
Antivirus should be part of a standard multi-tiered security approach.
Attack Vector
An attack vector is the method a threat uses to attack a system.
Back Door
A back door is a piece of malicious code that allows remote access to a compromised
computer.
Behavioral-Based Protection
Unlike heuristics or fingerprint-based scanners, behavior blocking security software
integrates with the operating system of a host computer and monitors program behavior in
real-time for malicious actions. The behavior blocking software then blocks potentially
malicious actions before they have a chance to affect the system. Behavioral-based
protection should be part of a standard multi-tiered security approach.
Blacklisting
Blacklisting is the process of identifying known bad or malicious programs, e-mails, IP
addresses or domains and blocking them.
Bot
A bot is an individual computer infected with malware and part of a botnet.
Botnet
A botnet, or bot network, is a collection of computers under the control of a bot master via a
command and control channel. These computers are typically distributed across the
Internet and are used for malicious activities such as sending spam and distributed denial of
service attacks. Botnets are created by infecting computers with malware which gives the
attacker access to the machine. The owners of the infected computers are usually unaware
that their machine is part of a botnet unless they have security software which informs
them of the infection.
Command and Control Channel
A command and control channel is the means by which an attacker communicates with and
controls malware-infected computers making up a botnet.
Crimeware
Crimeware is software that performs illegal actions unanticipated by a user running the
software; these actions are intended to yield financial benefits to the distributor of the
software. Crimeware is a subclass of the broader category of malware, which refers
generally to unwanted software that performs malicious actions on a user’s computer.
Cybercrime
Cybercrime is any crime that is committed using a computer, network or hardware device.
The computer or device may be the agent of the crime, the facilitator of the crime, or the
target of the crime. The crime may take place on the computer alone or in addition to other
locations.
Data Breach
A data breach is any compromise of a system exposing information to an untrusted
environment. Data breaches are often the result of malicious attacks seeking to acquire
sensitive information that can be used for criminal or other malicious gain.
Denial of Service (DoS)
Denial of service is an attack in which the perpetrator attempts to make the resources of a
computer or location on a network unavailable to users. A distributed denial of service
attack (DDoS) is one in which the attacker leverages a network of distributed computers,
such as a botnet, to carry out the attack.
Drive-by download
A drive-by download is a download of malware through exploitation of a Web browser,
email client or browser plug-in vulnerability without any user intervention whatsoever.
Drive-by downloads can happen by visiting a Web site, viewing an email message or by
clicking on a deceptive popup window.
Encryption
Encryption is a method of scrambling or encoding data to prevent unauthorized users from
reading or tampering with the data. Only individuals with access to a password or key can
decrypt and use the data. Malware sometimes uses encryption to hide itself from security
software. That is, the encrypted malware jumbles up its program code to make it difficult to
detect.
Exploit
Exploits are programs or techniques that take advantage of vulnerabilities in software and
that can be used for breaking security or otherwise attacking a computer over a network.
Firewall
A firewall is a security application designed to block connections on certain system ports,
regardless of whether the traffic is malicious or benign. A firewall should be part of a
standard multi-tiered security approach.
Greylisting
Greylisting is a method of defending email users against spam. Emails are temporarily
rejected from a sender the mail transfer agent does not recognize. If the mail is legitimate,
the originating server will try again and the email will be accepted. If the mail is from a
spammer, it will likely not be retried and therefore it will not get past the mail transfer
agent.
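The temporary-reject-then-retry behaviour described above, as a small Python simulation added here; it is not part of the glossary or of any product it describes. The five-minute retry window, the SMTP reply strings and all sender and recipient addresses are assumptions constructed for the example:

```python
# Added example: greylisting decision logic for an inbound mail transfer agent.
# The retry window, reply strings and every address below are assumed/constructed.
from dataclasses import dataclass, field

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"  # assumed temporary-rejection reply
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_retry_seconds: int = 300                    # retry must come at least 5 min after first try
    seen: dict = field(default_factory=dict)        # (ip, from, to) -> time of first attempt
    known_good: set = field(default_factory=set)    # triplets that completed a proper retry

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return the SMTP reply for one delivery attempt made at time `now` (seconds)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.known_good:
            return ACCEPT                           # sender already proved that it retries
        first_seen = self.seen.get(triplet)
        if first_seen is None:
            self.seen[triplet] = now                # never seen before: reject temporarily
            return TEMP_FAIL
        if now - first_seen >= self.min_retry_seconds:
            self.known_good.add(triplet)            # a real MTA retried after the window
            return ACCEPT
        return TEMP_FAIL                            # retried too quickly: still greylisted


def simulate() -> dict:
    """Run a legitimate sender and a spam bot through the same greylist."""
    gl = Greylist()
    results = {}
    legit = ("203.0.113.10", "alice@example.org", "bob@example.com")  # constructed
    bot = ("198.51.100.7", "promo@bulk.example", "bob@example.com")   # constructed
    results["legit-first"] = gl.decide(*legit, now=0)      # 451: unknown triplet
    results["legit-retry"] = gl.decide(*legit, now=900)    # 250: retried 15 minutes later
    results["legit-later"] = gl.decide(*legit, now=5000)   # 250: triplet is now known good
    results["bot-first"] = gl.decide(*bot, now=10)         # 451: unknown triplet
    results["bot-fast-retry"] = gl.decide(*bot, now=12)    # 451: retry inside the window
    return results


if __name__ == "__main__":
    for label, reply in simulate().items():
        print(f"{label:15} {reply}")
```

The spam bot in the simulation never comes back after the window, so its message never reaches the mailbox, while the legitimate server's queued retry is accepted and the triplet is remembered so later mail from it is not delayed again.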
Heuristics-Based Protection
Heuristics is a form of antivirus technology which detects infections by scrutinizing a
program’s overall structure, its computer instructions and other data contained in the file. A
heuristic-based scanner makes an assessment of the likelihood that the program is
malicious based on the logic’s apparent intent. Such a scheme can detect unknown
infections since it searches for generally suspicious logic rather than looking for specific
malware fingerprints, as traditional signature-based antivirus approaches do. Heuristics-based protection should be part of a standard multi-tiered security approach.
Intrusion Detection System
An intrusion detection system is a service that monitors and analyzes system events to find
and provide real-time or near real-time warnings of attempts to access system resources in
an unauthorized manner. This is the detection of break-ins or break-in attempts, by
reviewing logs or other information available on a network. An intrusion detection system
should be part of a standard multi-tiered security approach.
Intrusion Prevention System
An intrusion prevention system is any device (hardware or software) that monitors
network and/or system activities for malicious or unwanted behavior and can react in real-time to block or prevent those activities. An intrusion prevention system should be part of a
standard multi-tiered security approach.
Keystroke Logger
A keystroke logger is a type of malware designed to capture keystrokes and mouse
movements/clicks, usually covertly, in an attempt to steal personal information, such as
credit card numbers and passwords.
Malware
Malware is a general descriptor for any computer program that has undesired or malicious
effects. It includes viruses, worms, Trojans, and back doors. Malware will often utilize
popular communication tools, such as email and instant messaging, as well as removable
media, such as USB devices, to spread. Malware also gets spread via drive-by downloads
and by exploiting security vulnerabilities in software. Most of today’s top malware seeks to
steal personal information which can be used by attackers for criminal gain.
Misleading Applications
Misleading applications are programs that attempt to trick computer users into taking
further actions which are usually aimed at causing additional malware to be downloaded or
getting users to divulge sensitive personal information. An example is rogue security
software, which is also known as scareware.
Multistage Attack
A multistage attack is an infection that typically involves an initial compromise, followed by
the installation of an additional piece of malicious code. An example is a Trojan that
downloads and installs adware.
Payload
A payload is the malicious activity that malware carries out. A payload is separate from the
installation and propagation actions malware performs.
Peer-to-Peer (P2P) Networking
A peer-to-peer network is a distributed virtual network of participants that make a portion
of their computing resources available to other network participants, all without the need
for centralized servers. Peer-to-peer networking is commonly used to share music, movies,
games and other files. However, peer-to-peer networking is also a very common mechanism
for distributing viruses, bots, spyware, adware, Trojans, rootkits, worms and other types of
malware.
Propagation Mechanism
A propagation mechanism is the method a threat uses to infect a system.
Pharming
Pharming is an attack method aimed at redirecting a Web site's traffic to another, bogus
site, usually designed to mimic the legitimate site. The goal is for users to remain unaware
of the redirection and enter personal information, such as online banking credentials, into
the fraudulent site. Pharming can be conducted either by changing the hosts file on a
victim’s computer or by exploitation of a vulnerability in DNS server software.
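A defender-side check for the hosts-file form of pharming mentioned above, added here as an example and not taken from the glossary. It parses a constructed hosts file and flags entries that map a name to an address outside the loopback and RFC 1918 ranges, or that override a domain on an assumed watchlist of high-value sites:

```python
# Added example: audit a hosts file for pharming-style overrides.
# The hosts file content and the watched domain are constructed for this example.
import ipaddress

SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan
198.51.100.23   www.examplebank.com     # bank site pointed at an outside address
0.0.0.0         ads.tracker.example
"""

WATCHED_DOMAINS = {"examplebank.com"}   # assumed watchlist of domains that should never be overridden

# Only loopback, unspecified, link-local and RFC 1918 LAN addresses are expected in a hosts file.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(addr) -> bool:
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return True
    return any(addr in net for net in LOCAL_NETS)


def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs, ignoring comments, blanks and unparsable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # not an address: skip the line
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text: str, watched=WATCHED_DOMAINS) -> list:
    """Return (hostname, address, reason) for every suspicious entry."""
    findings = []
    for addr, name in parse_hosts(text):
        reasons = []
        if not is_local(addr):
            reasons.append("maps to a non-local address")
        if name in watched or any(name.endswith("." + d) for d in watched):
            reasons.append("overrides a watched domain")
        if reasons:
            findings.append((name, str(addr), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name} -> {addr}: {reason}")
```

On a real machine the same function would be run over the contents of /etc/hosts or the Windows hosts file; the entry for the watched bank domain is the one a pharming infection would plant, and it is reported for both reasons.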
Phishing
Phishing is a scam in which attackers use spam and instant messages to trick people into
divulging sensitive information, such as banking credentials and credit card information.
Typically, phishing attacks will purport to be something they are not, such as
communication from your financial institution.
Plug-in
A plug-in is a small software application that is designed to extend the capabilities of a
larger program. Plug-in security vulnerabilities are often targeted by attackers, particularly
Web browser plug-ins.
Polymorphic Threats
Polymorphism denotes the ability to mutate. Therefore, polymorphic threats are those in
which every instance of the malware is slightly different than the one before it. The
automated changes in code made to each instance do not alter the malware’s functionality,
but render traditional antivirus detection technologies all but useless against them.
Reputation-Based Security
Reputation-based security is a threat identification approach that ranks applications based
on certain criteria or attributes in order to determine if they are likely malicious or benign.
These attributes can include such things as file age, file download source, digital signature
and file prevalence. The attributes are then combined to determine a file’s safety reputation.
The reputation ratings are then used by computer users to better determine what is safe to
allow onto their systems. Reputation-based security should be part of a standard multi-tiered security approach.
Rogue Security Software
A rogue security software program is a type of misleading application that pretends to be
legitimate security software, such as an antivirus scanner or registry cleaner, but which
actually provides a user with little or no protection and, in some cases, can actually facilitate
the installation of malicious code that it purports to protect against.
Rootkit
A rootkit is a component of malware that uses stealth to maintain a persistent and
undetectable presence on a computer. Actions performed by a rootkit, such as installation
and any form of code execution, are done without end user consent or knowledge.
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to
provide an undetectable environment for malicious code to execute. Attackers will typically
leverage vulnerabilities in the target machine, or use social engineering techniques, to
manually install rootkits. Or, in some cases, rootkits can be installed automatically upon
execution of a virus or worm or simply even by browsing to a malicious website.
Once a rootkit is installed, an attacker can perform virtually any function on the system,
including remote access and eavesdropping, as well as hiding processes, files, registry keys
and communication channels.
Signature
A signature is a file that provides information to antivirus software to find and repair risks.
Antivirus signatures provide protection for all the latest viruses, worms, Trojans and other
security risks. Antivirus signatures are also known as virus definitions.
Social Engineering
Social engineering is a method used by attackers to trick computer users into performing an
action which will typically result in negative consequences, such as downloading malware
or divulging personal information. Phishing attacks often leverage social engineering
tactics.
Spear Phishing
Spear phishing is a scam in which phishing messages are targeted to a specific organization
or group in an attempt to trick organization or group insiders into divulging sensitive
information.
Spam
Also known as junk email, spam is email that involves nearly identical messages sent to
numerous recipients. A common synonym for spam is Unsolicited Commercial Email (UCE).
Malware is often used to propagate spam messages by infecting a machine, scanning it for
email addresses and then using that machine to send spam messages. Spam messages are
often used as a method of spreading phishing attacks.
Spam Zombie
A spam zombie is a bot—a computer infected with malware and under the control of an
attacker—being used to send spam.
Spyware
Spyware is any software package that tracks and sends personally identifiable information
or confidential information to third parties. Personally identifiable information is
information that can be traced to a specific person such as a full name. Confidential
information includes data that most people would not be willing to share with someone and
includes bank details, credit card numbers and passwords. Third parties may be remote
systems or parties with local access.
Targeted Attack
Targeted attacks are those designed to penetrate the security of a specific organization or
group. They are increasingly aimed at stealing information for the purpose of identity theft.
These attacks typically exploit system vulnerabilities, improper credentials, SQL injections
and targeted malware in order to get access to private or sensitive data.
Threat
A computer threat is any circumstance, event or person with the potential to cause harm to
a system in the form of theft, destruction, disclosure, data modification and/or Denial of
Service (DoS).
Toolkit
A toolkit, also known as an attack kit, is any package of software designed to aid hackers in
creating and propagating malicious code. Toolkits often automate malware creation and
propagation enough that even novice cybercriminals are able to utilize complex threats.
Toolkits can also be used to launch web-based attacks, send spam and create phishing sites
and email messages.
Trojan
Trojans are a type of malicious code that appear to be something they are not. A very
important distinction between Trojans and true viruses is that Trojans do not infect other
files and do not automatically propagate. Trojans contain malicious code that when
triggered cause the loss, even theft, of data. Trojans will also often contain a backdoor
component, giving an attacker the ability to download additional threats onto an infected
machine. Trojans are typically spread via drive-by downloads, email attachments or
willingly downloading and running a file from the Internet, usually after an attacker has
used social engineering to convince a user to do so.
Underground Economy
The online underground economy is the digital marketplace where goods and services
obtained through cybercrime and for the use of committing cybercrime are bought and sold.
Two of the most common platforms available to participants in the online underground
economy are channels on IRC servers and Web-based forums. Both feature discussion
groups that participants use to buy and sell fraudulent goods and services. Items sold
include credit card data, bank account credentials, email accounts and malware-creation
toolkits. Services can include cashiers who can transfer funds from stolen accounts into true
currency, phishing and scam page hosting, and job advertisements for roles such as scam
developers or phishing partners.
Variants
Variants are new strains of malware that borrow code, to varying degrees, directly from
other known viruses. Variants are usually identified by a letter, or letters, following the
malware family name; for example, W32.Downadup.A, W32.Downadup.B, and so on.
Virus
A computer virus is a computer program written to alter the way a computer operates,
without the permission or knowledge of the user. A virus must meet two criteria:
- It must execute itself. It often places its own code in the path of execution of another
  program.
- It must replicate itself. For example, it may replace other executable files with a copy
  of the virus infected file. Viruses can infect desktop computers and network servers
  alike.
Many of today’s viruses are programmed to operate with stealth on a user’s computer in order
to steal personal information for use in criminal gain. Others damage the computer by
damaging programs, deleting files or reformatting the hard disk. Still others are not
designed to do any damage, but simply to replicate themselves and make their presence
known by presenting text, video, and audio messages, though this type of notoriety attack is
growing less common as authors of viruses and other malware are increasingly after
criminal monetary gain.
Virus Definition File
A virus definition is a file that provides information to antivirus software to identify security
risks. Definition files contain protection for all the latest viruses, worms, Trojans and other
security risks. Virus definitions are also known as antivirus signatures.
Vulnerability
A vulnerability is a flawed state in a computing system (or set of systems) which affects the
systems’ confidentiality, integrity and availability (CIA) properties. Vulnerabilities can:
- Allow an attacker to execute commands as another user
- Allow an attacker to access data that is contrary to the specified access restrictions
  for that data
- Allow an attacker to pose as another entity
- Allow an attacker to conduct a denial of service
Web-Based Attack
A Web-based attack is any attack that is carried out against a client-side application
originating from a location on the Web, either from compromised legitimate sites or else
from malicious sites that have been created to intentionally target Web users.
Whitelisting
Whitelisting is an approach typically used by spam blocking programs in which emails from
known or approved email addresses or domain names are allowed past the security
software.
Wild
A threat that is said to be in the wild indicates that it is already spreading among computer
users.
Worm
Worms are malicious programs that replicate themselves from system to system without
the use of a host file. This is in contrast to viruses, which require the spreading of an
infected host file.