Common cyber incident terms

Baselining: monitoring resources to determine typical use patterns so that significant deviations can be detected.

Botnet: a compromised network of computers. Typically, such computers are compromised without the knowledge of their owners and can then be controlled remotely by a third party. The third party can then use the combined power of these computers to launch attacks that give rise to cyber security incidents.

Buffer overflow: a buffer is a holding area used to store data. If more data is sent to the buffer than it can hold, it overflows, which may expose weaknesses in the system that could be exploited by third parties.

Cryptographic hash: a specific algorithm used to verify a file’s integrity.

Cyber security incident: a breach, or imminent threat of a breach, of an organisation's computer systems, or of its computer security policies or procedures.

DoS attack, or denial of service attack: a type of cyber incident involving a deliberate attempt to disrupt the operation of a computer system or network that is connected to the internet.

DDoS attack, or distributed denial of service attack: a more sophisticated form of a DoS attack that uses a compromised network of computers (a botnet) to launch the attack.

False positive: an alert that incorrectly indicates that malicious activity is occurring.

Hacktivism: an act by a person or entity that is seeking to influence or affect an organisation for an ideological reason by using some form of cyber attack.

Hacktivist: a person who engages in hacktivism.

Indicator: a sign that an incident may have occurred or may be occurring.

IM: incident management.

IP: Internet protocol.

ISP: Internet service provider.

ICT: information and communications technologies.

Jump kit, or grab bag: a collection of IT tools and information held in one place and used in an emergency to counter a cyber security incident.

Malware: a virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host.

Precursor: a sign that an attacker may be preparing to cause an incident.

Profiling: measuring the characteristics of expected activity so that changes to it can be more easily identified.

Packet sniffer: software used to capture and inspect network packets, for example to analyse and investigate a suspicious packet.

Port: an access point on a computer system.

Removable media: devices that can be readily introduced into and removed from an IT system, such as USB sticks and CDs.

Sandbox: a form of containment that enables the organisation to monitor the attack and potentially gather additional evidence.

Signature: a recognisable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorised access to a system.

Spear phishing: efforts to acquire sensitive or confidential information about individuals or organisations through fraudulent electronic communications such as fake emails or links to fake websites.

Trojan Horse or Trojan programs: non-self-replicating malware programs that hack into a computer system or network by appearing to perform a useful function. Instead they deliver a harmful payload. As with worms, the payload will often include a backdoor that gives unauthorised access to the network or system. Trojans do not try to insert themselves into other files, like viruses, but they can steal information and harm host computer systems and networks.

URL: uniform resource locator.

Viruses: malware that, when executed, replicates by "infecting" other computer programs, systems or files. As well as replicating, viruses often corrupt or steal data, display political messages or log keystrokes. These other functions are known as the virus "payload".

Whaling: spear phishing attacks specifically targeted at senior executives or other high-profile targets within a business.

Worms: stand-alone malware programs that replicate to spread to other computers. Unlike viruses, they do not need to attach themselves to existing programs to replicate. As with viruses, worms can carry a harmful payload (although even those that do not can cause disruption through increased network traffic and other unintended consequences). A common payload for worms is to install a backdoor that enables a computer to be controlled by an external third party, for example for use as part of a botnet (see denial of service/distributed denial of service attacks, above).