Sophos Threatsaurus
Anonymizing proxy
Allows a user to hide their web browsing activity. Anonymizing proxies are often used to bypass web security filters, e.g., to reach blocked sites from a work computer. They hold security and liability risks for organizations:
- Security: the proxy bypasses web security filtering, so users can reach unauthorized and potentially malicious webpages and the traffic is never inspected at the gateway.
- Liability: organizations can be legally liable if their computers are used to view pornography or hate material, or to incite illegal behavior. There are also ramifications if users violate third-party licenses through illegal MP3, film and software downloads.
Social networking
Allow you to communicate and share information, but can also be used to spread malware and to steal personal information. Social networking sites, such as Facebook and Twitter, continue to grow in popularity as attack vectors. Unscrupulous individuals can use information you post online to learn details about you that are useful for social engineering or for guessing the answers to security questions on other websites. Attackers may also compromise a friend's account and use it to distribute malware or other malicious content. Be cautious about what links you click on. Make sure any computer you use to connect to the site is protected with the latest security software and patches. Use strong passwords and a separate password for each account. Take advantage of two-factor authentication, if available. Be thoughtful about what you post online, and use the available privacy settings to limit who can see your information. (See How to be safe on the Internet)
Backdoor Trojan
Allows someone to take control of a user's computer without their permission. May pose as legitimate software to fool users into running it. Alternatively—as is increasingly common—users may unknowingly allow Trojans onto their computer by following a link in spam email or visiting a malicious webpage. Once the Trojan runs, it adds itself to the computer's startup routine. It can then monitor the computer until the user is connected to the Internet. When the computer goes online, the person who sent the Trojan can perform many actions—for example, run programs on the infected computer, access personal files, modify and upload files, track the user's keystrokes, or send out spam email. Well-known backdoor Trojans include Netbus, OptixPro, Subseven, BackOrifice and, more recently, Zbot or ZeuS. To avoid backdoor Trojans, you should keep your computers up to date with the latest patches (to close down vulnerabilities in the operating system), and run anti-spam and antivirus software. You should also use a firewall, which can prevent Trojans from accessing the Internet to make contact with the hacker.
Application control
Allows you to control the use of applications that may be inappropriate for use on business computers or networks. You can use application control to restrict users to chosen business applications. For example, you can set a policy to allow only Internet Explorer and block all other Internet browsers. Controlling which applications your users can run reduces the risk of malware and data loss. Categories of applications that businesses may wish to control include peer-to-peer file sharing software, games, media players, remote management tools and instant messaging clients. In addition, next-generation firewalls can filter network traffic based on specific applications, providing an additional level of control.
Denial-of-service attack
An attack that prevents users from accessing a computer or website. The attacker attempts to overload or shut down a service so that legitimate users can no longer reach it. Typical attacks target web servers and aim to make websites unavailable. The flood itself steals or alters no data, but the interruption to the service can be costly for an organization, and the disruption is sometimes used as cover for other attacker activity. The most common type of attack involves sending more traffic to a computer than it can handle. There are a variety of methods, but the simplest and most common is to have a botnet flood a web server with requests. When the traffic comes from many compromised machines at once, this is called a distributed denial-of-service attack (DDoS). (See Botnet, Command and control center, Zombie)
Runtime protection
Blocks attempts to access vulnerable parts of your computer. It analyzes the behavior of the programs already running on your computer and blocks any activity that looks as if it could be malicious. For example, it checks changes being made to the Windows registry, which may indicate that malware is installing itself so that it starts automatically whenever you restart the computer. Solutions include:
- Host intrusion prevention systems (HIPS) monitor the behavior of code to stop malware before a specific detection update is released. Many HIPS solutions monitor code as it runs and intervene if the code is deemed suspicious or malicious.
- Buffer overflow prevention systems (BOPS) catch attacks targeting security vulnerabilities in both operating system software and applications. Attacks are reported when an attempt is made to exploit a running process using buffer overflow techniques.
Web application control
Blocks unwanted applications that could cause security concerns such as P2P file sharing or instant messaging. It accelerates applications the organization deems critical by making sure they have appropriate bandwidth, while blocking or limiting unwanted, unproductive applications.
Unified threat management (UTM)
Brings together multiple security functions into a single network appliance. This enables organizations to implement multiple layers of protection without the complexity of several independent devices and management consoles. Some functions that may be included in these solutions include next-generation firewall, web content filtering, email antivirus and anti-spam, web application firewall, and endpoint security management.
Vulnerability
A bug in a software program that attackers exploit to compromise computers. Vulnerabilities are commonplace in software products, leaving users open to attack. Responsible software vendors, when aware of the problem, create and issue patches to address the vulnerability. Some companies pay researchers to identify new vulnerabilities; some hackers sell new vulnerabilities on the black market. When an attack exploits a vulnerability before the vendor has released a patch for it, it is known as a "zero day" attack. To reduce your exposure, apply the latest available patches and/or enable the auto-update feature on your operating system and any installed applications. (See Exploit, Patches)
Browser hijacker
Changes the default homepage and search engine in your Internet browser without your permission. You may find that you cannot change your browser's homepage once it has been hijacked. Some hijackers edit the Windows registry so that the hijacked settings are restored every time you restart your computer. Others remove options from the browser's tools menu so that you can't reset the start page. Browser hijacking is used to boost advertising revenue, for example by driving traffic to sites promoted through blackhat search engine optimization (SEO) that inflates a site's ranking in search results. Browser hijackers can be very tenacious, as well as sneaky. A related technique is clickjacking, also known as a UI redress attack, in which the attacker layers transparent or opaque elements over a webpage so that the user is tricked into clicking a button or link other than the one they intended. Effectively the attacker hijacks clicks meant for one page and routes them to another page, most likely owned by a different application or domain. Although clickjacking doesn't install anything on your PC, it does affect your browsing.
Botnet
Collection of infected computers that are remotely controlled by a hacker. Once a computer is infected with malicious software (bot), the hacker can control the computer remotely over the Internet. From then on, the computer is a zombie, doing the bidding of the hacker, although the user is completely unaware. Collectively, such computers are called a botnet. The hacker can share or sell access to control the botnet, allowing others to use it for malicious purposes. For example, a spammer can use a botnet to send out spam email. The majority of all spam is distributed this way. This allows the spammers to avoid detection and to get around any blacklisting applied to their own servers. It can also reduce their costs because the computer's owner is paying for the Internet access. Hackers can also use botnets to launch a distributed denial-of-service attack (DDoS). They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server is unable to handle all the requests reaching it. The website thus becomes inaccessible. (See Zombie, Denial-of-service attack, Spam, Backdoor Trojan, Command and control center)
Appliances
Combination of hardware and software security elements in one solution. This lets you plug appliances in rather than installing the software separately. The most common types of appliances are email appliances, unified threat management (UTM) appliances and web appliances. They sit at the gateway between an organization's IT systems and the Internet, filtering traffic to block malware, spam and data loss. Email appliances block spam, phishing, viruses, spyware and other malware, and—depending on the solution—also employ content filtering and encryption to prevent the loss of confidential or sensitive information via email. Web appliances block malware, spyware, phishing, anonymizing proxies and other unwanted applications at the web gateway. They may also offer tools to enforce Internet use policies. UTM appliances eliminate the complexity of deploying and managing a variety of point solutions to protect an organization against viruses, spam and hackers.
Data theft
Deliberate theft of information, rather than its accidental loss. It can take place inside an organization (e.g., by a disgruntled employee) or be carried out by criminals outside it. Criminals often use malware to access a computer and steal data. A common approach is to use a Trojan to install keylogging software that records everything the user types, including usernames and passwords, in order to access the user's bank account. In 2013, for example, names, Social Security numbers and other sensitive data about individuals involved in pending court cases were stolen from the State of Washington Administrative Office of the Courts. Some other recent data thefts include some of the biggest in history:
- 2011: Email marketing company Epsilon leaks millions of names and email addresses from the customer databases of Best Buy, Marks & Spencer and Chase Bank. Initial cost-containment and remediation is estimated at $225M, but could reach as high as $4B.
- 2011: Sony Corp suffers breaches that place 100M customer accounts at risk, costing the company up to $2 billion.
- 2011: Servers are breached at Global Payments, a payments processor for Visa, exposing information on as many as 7M card holders.
- 2012: More than 6 million LinkedIn password hashes, stored as unsalted SHA-1 and therefore easy to crack, are published on an underground criminal website.
- 2013: Over 50 million names, email addresses and hashed passwords are stolen from LivingSocial, a popular daily deals website.
Data theft also occurs when devices containing data, such as laptops or USB drives, are stolen. (See Data leakage, Data loss, How to secure your data)
URL or web content filtering
Describes the technology that allows organizations to block specific websites or entire categories. Most malware and phishing attacks are carried out via the web. By restricting access to certain websites, organizations can reduce the risk that their users will become victims.
Anti-spam
Detects unwanted email and prevents it from reaching user inboxes. Anti-spam programs use a combination of methods to decide whether an email is likely to be spam. They can:
- Block email that comes from computers on a block list. This can be a commercially available list or a local list of computer addresses that have sent spam to your organization before.
- Block email that includes certain web addresses.
- Check whether email comes from a genuine domain name or web address. Spammers often use fake addresses to try to avoid anti-spam programs.
- Look for keywords or phrases that occur in spam (e.g., "credit card," "lose weight").
- Look for patterns that suggest the email's sender is trying to disguise his or her words (e.g., "hardc0re p0rn").
- Look for unnecessary HTML code (the code used for writing webpages) within email, as spammers often use HTML to try to conceal their messages and confuse anti-spam programs.
- Combine all the information found to estimate the probability of an email being spam. If the probability is high enough, the program can block the email or delete it, depending on the settings you choose.
Anti-spam software needs frequent updating with new rules so it can recognize the latest techniques used by spammers.
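The combination of signals described above, as an added example that is not part of the Threatsaurus and not Sophos code: a small Python scorer that applies each check to a message and adds the evidence together as log-odds. The block lists, phrase list, weights, prior and the two sample messages are all constructed for illustration; a real filter would learn its weights from labelled mail and use far larger lists.

```python
"""Toy anti-spam scorer combining the signals listed above.

Added example, not Sophos code. Block lists, phrases, weights and sample
messages are constructed for illustration."""
import math
import re
from email import message_from_string

# Constructed local block lists: sending IPs and link hosts seen in earlier spam.
IP_BLOCKLIST = {"203.0.113.45"}
URL_BLOCKLIST = {"cheap-pills.example"}
SPAM_PHRASES = ("credit card", "lose weight", "act now", "free money")

# Each signal adds a log-odds weight (positive = more spam-like). Values are
# illustrative; a real filter learns them from labelled mail.
WEIGHTS = {
    "blocklisted_ip": 4.0,
    "blocklisted_url": 3.0,
    "sender_domain_mismatch": 2.0,
    "spam_phrase": 1.5,       # per phrase found, count capped at 3
    "obfuscated_word": 2.0,
    "hidden_html": 1.5,
}
PRIOR_LOG_ODDS = -2.0         # about 12% of mail assumed spam before any evidence

OBFUSCATED = re.compile(r"\b[a-z]*[a-z][0-9@$][a-z]+\b", re.I)  # "p0rn", "v1agra"
HTML_TAG = re.compile(r"<[^>]+>")
URL_HOST = re.compile(r"https?://([^/\s>\"']+)", re.I)
RECEIVED_IP = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")
RECEIVED_FROM = re.compile(r"from (\S+)")


def extract_signals(raw):
    """Return {signal_name: count} for the signals fired by one message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    received = msg.get("Received", "")   # first hop, written by our own MTA
    signals = {}

    # 1. Connecting IP on the block list.
    ip = RECEIVED_IP.search(received)
    if ip and ip.group(1) in IP_BLOCKLIST:
        signals["blocklisted_ip"] = 1

    # 2. Links to hosts on the block list.
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    if hosts & URL_BLOCKLIST:
        signals["blocklisted_url"] = 1

    # 3. From: domain does not match the host that actually delivered the mail.
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    hop = RECEIVED_FROM.search(received)
    if hop and from_domain and not hop.group(1).lower().endswith(from_domain):
        signals["sender_domain_mismatch"] = 1

    # 4. Known spam phrases in the subject and the visible body text.
    text = (msg.get("Subject", "") + " " + HTML_TAG.sub(" ", body)).lower()
    n = sum(text.count(p) for p in SPAM_PHRASES)
    if n:
        signals["spam_phrase"] = min(n, 3)

    # 5. Digits or symbols substituted inside words to dodge phrase matching.
    if OBFUSCATED.search(text):
        signals["obfuscated_word"] = 1

    # 6. Markup-heavy HTML: more tags than half the visible words.
    tags = len(HTML_TAG.findall(body))
    if tags and tags > len(text.split()) / 2:
        signals["hidden_html"] = 1
    return signals


def spam_probability(raw):
    """Combine fired signals into a probability by adding log-odds."""
    log_odds = PRIOR_LOG_ODDS
    for name, count in extract_signals(raw).items():
        log_odds += WEIGHTS[name] * count
    return 1.0 / (1.0 + math.exp(-log_odds))


def classify(raw, threshold=0.9):
    """Label as spam only when the combined probability is high."""
    return "spam" if spam_probability(raw) >= threshold else "ham"


# Constructed sample messages.
SPAM = """\
Received: from mx.cheap-pills.example [203.0.113.45] by mail.corp.example
From: billing@yourbank.example
Subject: L0se weight now

<div><span><b>Act now</b></span></div><div>Enter your credit card at
http://cheap-pills.example/buy for hardc0re savings.</div>
"""

HAM = """\
Received: from smtp.corp.example [192.0.2.10] by mail.corp.example
From: alice@corp.example
Subject: lunch

Are we still on for 12:30? I booked the usual place.
"""

if __name__ == "__main__":
    for label, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(label, round(spam_probability(raw), 3), sorted(extract_signals(raw)))
```

No single signal decides the outcome: the sample spam trips all six and scores near 1.0, while the ordinary message trips none and stays at the prior. Keeping each check as an additive weight is what lets the same scorer absorb new rules as spammers change technique.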
SQL injection
An attack that takes advantage of an application that builds database queries from user input without separating the data from the command. Cyber criminals use it along with cross-site scripting (XSS) and malware to break into websites and extract data or embed malicious code. SQL injection sends commands via a web server linked to an SQL database. If the application assembles the query by concatenating strings, data entered in a form field (such as a username) becomes part of the command executed on the database server. For example, an attacker might enter a string designed to output the entire contents of the database, such as customer records and payment information. The fix is to use parameterized queries (prepared statements), in which user-supplied values are bound separately from the SQL text and are never parsed as commands; input validation and least-privilege database accounts limit the damage further. Web application scans can help detect this style of attack with a system of "patterns" designed to recognize SQL commands transmitted to the web server. As with any pattern-based system, the patterns must be updated to counter new and creative ways of embedding SQL injection commands, so they are a backstop rather than the primary defense. Regular web application scans can help detect SQL injection vulnerabilities and provide recommendations on how to fix them.
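The concatenation flaw and its parameterized fix side by side, as an added example that is not part of the Threatsaurus and not Sophos code. The user table, its rows, the tautology payload and the small pattern check are constructed; SQLite is used only so the demonstration runs in memory without a database server, and the same distinction applies to any SQL driver.

```python
"""SQL injection: a query built by concatenation beside the parameterized fix.

Added example, not Sophos code. The table, rows and payload are constructed;
SQLite is used so the demonstration runs in memory without a database server."""
import re
import sqlite3


def setup_db():
    """Constructed customer table holding the kind of data an attacker is after."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "4111-1111-1111-1111"),
        ("bob", "hunter2", "5500-0000-0000-0004"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation: form input becomes part of the command."""
    query = ("SELECT username, card FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: values are bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT username, card FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1.
# In the concatenated query the WHERE clause becomes
#   (username = 'x' AND password = '') OR '1'='1'
# which is true for every row, so the whole table comes back.
INJECTION = "' OR '1'='1"

# Pattern-based detection of the kind a scanner or WAF applies to request
# parameters: a quote followed by an SQL keyword, or a comment sequence. It
# catches common payloads but must be kept up to date as encodings change;
# parameterization is the fix, pattern matching only a backstop.
INJECTION_PATTERNS = re.compile(
    r"'\s*(or|and|union|select)\b|--|/\*|;\s*(drop|delete|update|insert)\b", re.I)


def looks_like_injection(value):
    """True if a request parameter matches a known injection pattern."""
    return bool(INJECTION_PATTERNS.search(value))


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, "x", INJECTION))  # both rows, with cards
    print("safe:      ", login_safe(db, "x", INJECTION))        # no rows
    print("flagged:   ", looks_like_injection(INJECTION))       # True
```

With a correct username and password both functions return the same single row; the difference only shows when the input contains SQL syntax, which is exactly the case an attacker supplies.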
Cookie
Files placed on your computer that allow websites to remember details. When you visit a website, it can place a small text file on your computer. This allows the website to remember your details and track your visits. Cookies can be a threat to your privacy, but they cannot infect your computer. They were designed to be helpful: for example, a cookie can store your preferences or login session so you don't have to re-enter them the next time you visit. They also have benefits for webmasters, as they show which webpages are most used, providing useful input when planning a redesign of the site. Cookies can be stored on your computer without your knowledge or consent, and they contain information about your activity on that website. When you revisit the same website, this data is passed back to the web server, again without your consent. Websites gradually build up a profile of your browsing behavior and interests. This information can be sold or shared with other sites, allowing advertisers to match ads to your interests, display consecutive ads as you visit different sites, and track the number of times you have seen an ad. You can limit the use of cookies to track your behavior using the security and privacy settings in your Internet browser. Note that a cookie holding a login session is effectively a credential: anyone who steals it can act as you without knowing your password, which is why sites should mark such cookies Secure and HttpOnly so they are sent only over HTTPS and cannot be read by scripts running in the page.
Internet worm
A form of malware that replicates across the Internet or local networks. Worms differ from computer viruses in that they propagate themselves rather than relying on a carrier program or file. They simply create copies of themselves and use communication between computers to spread. The Conficker worm is an example of an Internet worm that exploits a system vulnerability to infect machines over the network. Worms are capable of spreading very rapidly, infecting large numbers of machines. Some worms open a "back door" on the computer, allowing hackers to take control of it. Such computers can then be used to send spam mail. (See Zombie)
Honeypot
Form of trap security specialists use to detect hacking attacks or collect malware samples. Are frequently used by security specialists or researchers to gather information about current threats and attacks. There are many different types. Some consist of machines connected to the network that are used to capture malware. Others provide fake network services (e.g., a web server) in order to log incoming attacks.
Malware
General term for malicious software, including viruses, worms, Trojans and spyware. Many people use the terms malware and virus interchangeably. Antivirus software usually detects a wider range of threats than just viruses, and can be an effective defense against worms, Trojans and spyware.
Web application firewall (WAF)
Helps keep your web servers safe from hackers by inspecting HTTP and HTTPS traffic and identifying probes and attacks. Unlike a traditional network firewall, which filters on addresses, ports and protocols, a WAF understands web requests and responses and can block application-layer attacks such as SQL injection and cross-site scripting, typically using rule sets that are updated as new attack patterns appear. WAFs are typically used to protect web servers that are accessible from the Internet.
Device control
Helps you control the use of removable storage, optical media drives and wireless networking protocols. Device control is a central element of data loss prevention strategies. For example, device control helps prevent malware that spreads through USB drives. Many organizations use device control to enforce policies relating to the use of removable storage devices. Depending on the solution you have, device control can help you to decide which devices can connect to computers through a central policy.
HTTPS scanning
Scans encrypted web traffic for malicious content. The gateway decrypts HTTPS traffic, scans it, and then re-encrypts it before passing it on. It automatically finds and removes malicious content without human eyes viewing the content, maintaining the privacy of encrypted traffic. Because the gateway must present its own certificate to the browser, client machines need to trust the gateway's certificate authority, and organizations usually exempt categories such as banking or healthcare sites from inspection for privacy and regulatory reasons.
Zombie
Infected computer that is remotely controlled by a hacker. It is part of a large group of compromised computers called a botnet. Once a hacker can control the computer remotely via the Internet, the computer becomes a zombie. Zombies are commonly used to send spam, launch denial-of-service attacks and infect other systems. (See Botnet)
Drive-by download
Infection of a computer with malware when a user visits a malicious website. Drive-by downloads occur without the knowledge of the user. Simply visiting an infected website may be sufficient for the malware to be downloaded and run on a computer. The malware exploits vulnerabilities in the user's browser (and browser plugins) in order to infect the computer. Hackers continually attack legitimate websites in order to compromise them, injecting malicious code into their pages. Then, when a user browses that legitimate (but compromised) site, the injected code is loaded by their browser, which initiates the drive-by attack. In this manner, the hacker can infect users without having to trick them into browsing a specific site. To defend against drive-by downloads, you should use an updated browser, coupled with endpoint security software that incorporates web security filtering. (See Exploit)
Command and control center
A computer, or set of servers, that controls a botnet (a network of compromised computers). Some botnets use distributed command systems, making them more resilient to takedown. From the command and control center, hackers can instruct multiple computers to perform their desired activities. It is often used to launch distributed denial-of-service attacks because it can instruct a vast number of computers to perform the same action at the same time. (See Botnet, Zombie, Denial-of-service attack)
Virus
Malicious computer programs that can spread to other files. Can have harmful effects such as displaying irritating messages, stealing data, or giving hackers control over your computer. Can attach themselves to other programs or hide in code that runs automatically when you open certain types of files. Sometimes they can exploit security flaws in your computer's operating system to run and spread automatically. You might receive an infected file in a variety of ways, including via an email attachment, in a download from the Internet, or on a USB drive. (See Parasitic viruses, Email malware distribution, Internet worm, Malware)
Trojan (Trojan horse)
Malicious programs that pretend to be legitimate software, but actually carry out hidden, harmful functions. This program pretends to do one thing, but actually does something different, usually without your knowledge. Popular examples are video codecs that some sites require to view online videos. When a Trojan codec is installed, it may also install spyware or other malicious software. Another example is a malicious link that says "Cool Game." When you download and install the game program, it turns out not to be a game at all, but a harmful Trojan that compromises your computer or erases the data on your hard drive. Trojans are often distributed with pirated software applications and keygens that create illegal license codes for downloadable software. (See Backdoor Trojan)
Autorun worm
Malicious programs that take advantage of the Windows AutoRun feature. They execute automatically when the device on which they are stored is plugged into a computer. They are commonly distributed on USB drives, automatically infecting computers as soon as the USB drive is plugged in. AutoPlay is a similar technology to AutoRun. It is initiated on removable media, prompting users to choose, for example, to listen to music with the default media player or to open the disk in Windows Explorer. Attackers have similarly exploited AutoPlay, most famously via the Conficker worm. On patched and newer versions of Windows, Microsoft has disabled AutoRun for USB drives and other non-optical removable media by default. As a result, autorun worms should pose less of a threat in the future.
Mobile phone malware
Malware intended to run on mobile devices, such as smartphones or PDAs. Thousands of these variants have been discovered since late 2010, when the first malware samples for Android and iOS devices were identified. Today, malware researchers have discovered many more malicious apps for Android than for iOS, most likely due to Android devices allowing their users to install apps using third-party sources. File sharing sites often host malicious versions of popular applications and games. With mobile malware, similar to malware for personal computers, the focus for cybercriminals is on making money. Similar to Windows malware, mobile malware spreads fake antivirus applications and steals confidential information. Other types of mobile malware send SMS messages or place calls to premium rate numbers, if the target device is a part of a mobile phone network. Even trusted sources host applications that may pose a risk to the user's privacy. Many advertising frameworks may share a user's personally identifiable information, such as location or phone number. These applications may be classified as potentially unwanted applications (PUAs). You can keep your mobile device free of mobile malware if you keep the mobile operating system current with security updates and by downloading and installing only applications from trusted sources such as Google Play and Apple iTunes. Mobile security software provides an additional layer of protection. To learn how to keep your Android device protected or to download a free tool, please visit: www.sophos.com/androidsecurity.
Email malware distribution
Malware that is distributed via email. Historically, some of the most prolific virus families (e.g., Netsky or SoBig) distributed themselves as file attachments in email. These families relied on users double-clicking an attachment, which would run the malicious code, infect their machine and send itself to more email addresses from that computer. Nowadays, hackers have changed their focus and mainly use the web for malware distribution. They still use email messages, but mostly as a way of distributing links to malicious sites, not for carrying malicious file attachments. However, even today some malware families such as Bredo use email distribution to run malicious code on user machines. You should use strong anti-spam technology in conjunction with current endpoint security software and updated system operating software. In addition, user education can raise awareness of email scams and seemingly legitimate attachments or links. (See Botnet, Exploit, Phishing emails, Spam)
VPN/SSL VPN
Method of connecting remote offices or computers to the central network over the Internet. It typically requires remote users to authenticate with passwords, certificates or keys, and encrypts the traffic so that users can communicate with or access the organization's servers securely across an untrusted network.
Intrusion prevention systems (IPS)
Monitor networks and systems for malicious activity. Like an intrusion detection system (IDS), an IPS logs activity information and reports it to network administrators; unlike an IDS, it sits inline in the traffic path and can also block the activity to prevent network infections.
Buffer overflow
Occurs when a program writes more data into a buffer than the buffer was allocated to hold, overwriting adjacent memory and causing errors or crashes. Attackers take advantage of this weakness by sending more data to a program than it expects. The program then writes past the end of the space it reserved and overwrites parts of memory used for other purposes, such as other variables or saved return addresses. This may allow unauthorized code to execute or crash the system. Contrary to popular belief, buffer overflows don't just happen in operating system components and network services; they can occur in any application, particularly one written in a language without automatic bounds checking such as C or C++. Compiler and operating system defenses (stack canaries, non-executable memory such as DEP/NX, and address space layout randomization) make exploitation harder but do not remove the underlying bug, which is why patching still matters.
DNS (hijacking)
Phone book of the Internet. It allows computers to translate website names, like www.sophos.com, into IP address numbers so that they can communicate with each other. An attack changes a computer's settings to either ignore DNS or use a DNS server that is controlled by malicious hackers. The attackers can then redirect communication to fraudulent sites. DNS hijacking is commonly used to redirect users to fake login pages for banks and other online services in order to steal their login credentials. It can also be used to redirect security sites to non-existent servers to prevent affected users from updating their security software.
Rootkit
Piece of software that hides programs or processes running on a computer. Malware frequently installs rootkits upon infection to hide its activity. This can hide keystroke loggers or password sniffers, which capture confidential information and send it to hackers via the Internet. It can also allow hackers to use the computer for illicit purposes (e.g., to launch a denial-of-service attack against other computers, or send out spam email) without the user's knowledge. Endpoint security products now detect and remove rootkits as part of their standard anti-malware routines. However, some rootkits may require a more comprehensive mitigation strategy.
Firewall
Prevents unauthorized access to a computer or network. As its name suggests, a firewall acts as a barrier between networks or parts of a network, blocking malicious traffic or preventing hacking attempts. A network firewall is installed on the boundary between two networks, usually between the Internet and an organization's network. It can be a piece of hardware or software running on a computer that acts as a gateway to the company network. A client firewall is software that runs on an end user's computer, protecting only that computer. In either case, the firewall inspects all traffic, both inbound and outbound, to see if it meets certain criteria. If it does, the traffic is allowed; if not, the firewall blocks it. A client firewall can also warn the user each time a program attempts to make a connection, and ask whether the connection should be allowed or blocked. Firewalls can filter traffic based on:
- The source and destination addresses and port numbers (address filtering)
- The type of network traffic (e.g., HTTP or FTP protocol filtering)
- The attributes or state of the packets sent (stateful filtering, which lets replies to connections opened from inside through while blocking unsolicited inbound packets)
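The three filtering criteria above combined in one first-match rule engine, as an added example that is not part of the Threatsaurus and not Sophos code. The Packet and Rule types, the policy, the addresses and the flow table are constructed for illustration; the point is that address and port rules alone cannot admit the reply to a connection an inside host opened, which is what the state check adds.

```python
"""Packet filter combining address, protocol/port and connection-state checks.

Added example, not Sophos code. Addresses, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


@dataclass
class Rule:
    """One inbound rule; 'any', 0.0.0.0/0 and None match everything."""
    action: str         # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match inbound rules with default deny; outbound allowed and tracked."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # 5-tuples of connections the inside opened

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        # Stateful check: a reply to a connection opened from inside is allowed
        # even though no inbound rule permits that port.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows and not pkt.syn:
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"           # default deny: nothing explicitly allowed is dropped


# Constructed policy: telnet never, public HTTPS to the web server, SSH to it
# only from the internal range, everything else denied.
RULES = [
    Rule("deny", proto="tcp", dport=23),
    Rule("allow", proto="tcp", dst="10.0.0.5/32", dport=443),
    Rule("allow", proto="tcp", src="10.0.0.0/8", dport=22),
]


def demo():
    """Run constructed packets through the policy and return the verdicts."""
    fw = Firewall(RULES)
    r = {}
    r["web"] = fw.inbound(Packet("tcp", "198.51.100.7", 51000, "10.0.0.5", 443, syn=True))
    r["ssh_external"] = fw.inbound(Packet("tcp", "198.51.100.7", 51001, "10.0.0.5", 22, syn=True))
    r["ssh_internal"] = fw.inbound(Packet("tcp", "10.0.3.4", 51002, "10.0.0.5", 22, syn=True))
    r["telnet_internal"] = fw.inbound(Packet("tcp", "10.0.3.4", 51003, "10.0.0.5", 23, syn=True))
    # An inside host browses out; the reply arrives on an otherwise closed port.
    fw.outbound(Packet("tcp", "10.0.0.8", 40000, "203.0.113.9", 80, syn=True))
    r["reply"] = fw.inbound(Packet("tcp", "203.0.113.9", 80, "10.0.0.8", 40000))
    # Same source, but no matching outbound flow: unsolicited, so denied.
    r["unsolicited"] = fw.inbound(Packet("tcp", "203.0.113.9", 80, "10.0.0.9", 40000))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Rule order matters in a first-match engine: the telnet deny is listed before the internal-SSH allow so that an internal host cannot reach port 23 even though it is trusted for port 22.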
Keylogging
Process of secretly recording keystrokes by an unauthorized third party. Often used by malware to steal usernames, passwords, credit card details and other sensitive data.
Potentially unwanted application (PUA)
Programs that are not malicious but may be unsuitable for use in a business environment, and may create security concerns. Some applications are non-malicious and possibly useful in the right context, but are not suitable for company networks. Examples are adware, tools for administering PCs remotely and scanners that identify vulnerabilities in computer systems. Certain antivirus and endpoint security programs can detect PUAs on users' computers and report them.
Anti-malware
Protects you against viruses and other malware threats including Trojans, worms and spyware. Anti-malware software uses a scanner to identify programs that are or may be malicious. Scanners can detect:
- Known malware: the scanner compares files on your computer against a library of identities for known malware. If it finds a match, it issues an alert and blocks access to the file. Detection of known malware relies on frequent updates to a database of the latest virus identities or a connection to a cloud-based malware database.
- Previously unknown malware: the scanner analyzes the likely behavior of a program. If it has all the characteristics of a virus, access is blocked, even though the file does not match any known virus.
- Suspicious files: the scanner analyzes the likely behavior of a program. If that behavior is considered undesirable, the scanner warns that it may be malware.
Most anti-malware packages offer both on-access and on-demand scanners. On-access scanners stay active whenever you are using the computer; they automatically check files as you try to open or run them, and can prevent you from accessing infected files. On-demand scanners let you start or schedule a scan of specific files or drives.
Endpoint security
Protects computers or devices against a wide range of security, productivity and compliance threats, and lets you centrally manage the security of multiple endpoints. Endpoint security products bring together in one solution the individual point products you need to protect against modern threats. They often integrate several protection features into one agent or central console, easing management and reporting. They can include:
- Antivirus software
- Firewalls
- Network access control
- Runtime protection
- Encryption technology
- Web security
- Patch management
- Data loss prevention
We recommend using endpoint security software with web content scanning capabilities, since malware is often delivered from websites. You should also consider turning on the security filtering features in your web browser. For a free trial of Sophos Enduser Protection, download at www.sophos.com/endpoint.
Network access control (NAC)
Protects your network and the information on it from the threats posed by users or devices accessing your network. There are three main aspects to this:
- Authentication of users and devices, to check they are who they say they are
- Assessment of computers attempting to access the network, to make sure they are virus-free and meet your security criteria
- Enforcement of policies based on the role of the user, so each person can access information appropriate to his or her role while being prevented from accessing other information
Social engineering
Refers to the methods attackers use to deceive victims into performing an action. Typically, these actions are opening a malicious webpage or running an unwanted file attachment. Many social engineering efforts are focused on tricking users into disclosing usernames or passwords, allowing attackers to send messages as an internal user to further their data stealing attempts. In August 2013, for example, malicious hackers distributed emails that simulated the messages Facebook sends when a user is tagged in a post. The links in the messages led to sites that recommended installing a plugin to view the videos supposedly posted on Facebook. The plugin was, in fact, malware designed to steal saved passwords and hack into users' Facebook accounts.
Mobile device security
Refers to the policies, procedures and tools for securing mobile devices. Attacks targeting mobile devices have increased and will continue to do so, as we integrate mobile devices into our lives. The protection of mobile devices and data stored on them should be a high priority for your organization. Ensure that policies and procedures are updated to cover mobile devices. The advice for keeping PCs secure applies to smartphones and tablets, as well: keep software updated, be cautious about installing new apps, use current security software and investigate suspicious activity. Mobile device management systems can help organizations centralize many of these functions.
Phishing emails
Refers to the process of deceiving recipients into sharing sensitive information with an unknown third party (cyber criminal). Typically in this scam, you receive an email that appears to come from a reputable organization, such as:
- Banks
- Social media (Facebook, Twitter)
- Online games
- Online services with access to your financial information (e.g., iTunes, student loans, accounting services)
- Departments in your own organization (from your technical support team, system administrator, help desk, etc.)
To protect against phishing attacks, it's good practice not to click on links in email messages. Instead, you should enter the website address in the address field and then navigate to the correct page, or use a bookmark or a Favorite link. Phishing emails may also include attachments, which if opened can infect the machine. Anti-phishing software can block many phishing-related emails.
Fake antivirus malware
Reports non-existent threats in order to scare the user into installing malicious software and/or paying for unnecessary product registration and cleanup. Is commonly known as scareware. Typically it is installed through malicious websites and takes the form of fake online scans. Cybercriminals attract traffic to these sites by sending out spam messages containing links or by compromising legitimate websites. Frequently they also attempt to poison the results of popular search engines so that users access the malicious distribution sites when conducting a search. Fake antivirus malware is financially motivated and is a big earner for cybercriminals. The large profits provide significant resources for investment into creation and distribution of fake antivirus. Hacking gangs are very good at rapidly producing professional-looking bogus websites that pose as legitimate security vendors. Using up-to-date, legitimate antivirus or endpoint security software will protect you against fake antivirus software. Another line of defense includes user awareness training regarding the threats posed by clicking on suspicious links.
Hoax
Reports of false and unsubstantiated claims, in an attempt to trick or defraud users. Could be an attempt to solicit money, an attempt to install malware, or an attempt to consume bandwidth (by having users forward a hoax email). Hoaxes, in the form of emails, do some or all of the following:
- Warn you that there is an undetectable, highly destructive new piece of malware
- Ask you to avoid reading emails with a particular subject line, claiming it contains malware
- Claim that the warning was issued by a major software company, Internet provider or government agency
- Claim that the malware can do something improbable
- Urge you to forward the warning
- Claim that liking a story or individual on Facebook can result in financial windfalls, charitable contributions and free prizes
Many users forwarding such hoax emails can cause a deluge of email, which may overload mail servers. Hoax messages may also distract from efforts to deal with real malware threats. The best defense against hoaxes is to educate yourself and your users. It is also helpful to search online for information about suspected hoaxes.
Data loss
Result of the accidental misplacement of data, rather than its deliberate theft. Frequently occurs through the loss of a device containing data, such as a laptop, tablet, CD/DVD, mobile phone or USB stick. When these are lost, the data is at risk of falling into the wrong hands unless a strong data security technique, such as encryption, is used. (See Data leakage, Data theft, How to secure your data)
IP Security (IPSec)
Secure network protocol suite that authenticates and encrypts each Internet Protocol (IP) packet of a communication session. Includes protocols for establishing authentication between agents at the beginning of a session and negotiates cryptographic keys for use during the session.
Encryption
Secure your data by encrypting your desktops, laptops, removable media, CDs, email, network files, cloud storage and other devices. Information can only be accessed with the right keys to decrypt data by entering a password. Some encryption solutions can be configured so that data is automatically decrypted for authorized users—so they don't need to enter an encryption key or password to access the information. Depending on the product, encryption solutions often include key management (facilitating the storage, exchange and recovery of encryption keys), encryption policy enforcement, and centralized management and reporting features. Encrypting any data you have stored by a third party is an important security measure. Additionally, mobile workers can access encrypted data on the go from their mobile devices, including smartphones and tablets. Encryption solutions allow you to protect your confidential information and comply with regulatory mandates for data security.
Patches
Software add-ons designed to fix software bugs, including security vulnerabilities, in operating systems or applications. Patching for new security vulnerabilities is critical to protect against malware. Many high-profile threats take advantage of security vulnerabilities. If your patches are not applied in a timely manner or not up to date, you risk leaving your computer open to hackers. Many software suppliers routinely release new patches, with Microsoft issuing fixes on the second Tuesday of each month ("Patch Tuesday"), and Adobe issuing quarterly updates to Adobe Reader and Acrobat on the second Tuesday after a quarter begins. To stay abreast of the latest vulnerabilities and patches, subscribe to vulnerability mailing lists. Most reputable vendors offer such a service. For example, Microsoft security information is available at www.microsoft.com/technet/security/bulletin/notify.mspx. Microsoft Windows home users can use Windows Update (Windows Vista/7) or Security Center (Windows XP) to turn on automatic updating. Apple OS X users can click the Apple logo in the upper-left corner of their desktop and select Software Updates. Organizations should make sure that all computers connecting to their network abide by a defined security policy that includes having the latest security patches in place, including for operating systems and applications. (See Exploit, Vulnerability)
Ransomware
Software that denies you access to your files or computer until you pay a ransom. Malicious software can hold your data hostage. For example, the Archiveus Trojan copies the contents of the My Documents folder into a password-protected file and then deletes the original files. It leaves a message telling you that you require a 30-character password to access the folder, and that you will be sent the password if you make purchases from an online pharmacy. In some cases, the password or key is concealed inside the Trojan's code and can be retrieved by malware analysts. However, some criminals use asymmetric or public-key encryption (which uses one key to encrypt the data, but another to decrypt it) so that the password is not easily recoverable.
Adware
Software that displays advertisements on your computer. Displays advertising banners or pop-ups on your computer when you use an application. This is not necessarily a bad thing. Such advertising can fund the development of useful software, which is then distributed free (for example, Android apps and browser toolbars, many of which are adware funded). This becomes a problem if it:
- installs itself on your computer without your consent
- installs itself in applications other than the one it came with and displays advertising when you use those applications
- hijacks your web browser in order to display more ads (see Browser hijacker)
- gathers data on your web browsing without your consent and sends it to others via the Internet (see Spyware)
- is designed to be difficult to uninstall
Adware can slow down your PC. It can also slow down your Internet connection by downloading advertisements. Sometimes programming flaws in the adware can make your computer unstable. Some antivirus programs detect adware and report it as potentially unwanted applications. You can then either authorize the adware program or remove it from your computer. There are also dedicated programs for detecting adware.
Spyware
Software that permits advertisers or hackers to gather sensitive information without your permission. You can get this on your computer when you visit certain websites. A pop-up message may prompt you to download a software utility that it says you need, or software may be downloaded automatically without your knowledge. When this runs on the computer, it may track your activity (e.g., visits to websites) and report it to unauthorized third parties, such as advertisers. Spyware consumes memory and processing capacity, which may slow or crash the computer. Good antivirus and endpoint security solutions can detect and remove spyware programs, which are treated as a type of Trojan. (See Adware)
Parasitic viruses
Spread by attaching themselves to programs. When you start a program infected with this, the virus code is run. To hide itself, the virus then passes control back to the original program. The operating system on your computer sees the virus as part of the program you were trying to run and gives it the same rights. These rights allow the virus to copy itself, install itself in memory or make changes on your computer. Appeared early in virus history and then became quite rare. However, they are now becoming more common again with recent examples including Sality, Virut and Vetor.
Boot sector malware
Spreads by modifying the program that enables your computer to start up. When you turn on a computer, the hardware looks for the boot sector program, which is usually on the hard disk (but can be on a CD/DVD or Flash Drive), and runs it. This program then loads the rest of the operating system into memory. Replaces the original boot sector with its own, modified version (and usually hides the original somewhere else on the hard disk). The next time you start up, the infected boot sector is used and the malware becomes active. Boot sectors are now used by some malware designed to load before the operating system in order to conceal its presence (e.g., TDL rootkit).
Exploit
Takes advantage of a vulnerability in order to access or infect a computer. Usually this takes advantage of a specific vulnerability in an application and becomes ineffective when that vulnerability is patched. Zero-day ones are those that are used or shared by hackers before the software vendor knows about the vulnerability (and so before there is any patch available). To secure against exploits, you should make sure your antivirus or endpoint security software is active and your computers are fully patched. This includes the operating system (OS) as well as applications. (See Vulnerability, Drive-by download, Buffer overflow)
Document malware
Takes advantage of vulnerabilities in applications that let you read or edit documents. By embedding malicious content within documents, hackers can exploit vulnerabilities in the host applications used for opening the documents. Common examples include specifically crafted Word, Excel and PDF documents. The infamous data breach of RSA Security in 2011 started when an employee opened an Excel spreadsheet containing carefully disguised malware. (See Exploit)
Spearphishing
Targeted phishing using spoof emails to persuade people within an organization to reveal sensitive information or credentials. Unlike phishing, which involves mass-emailing, this is small-scale and well targeted. The attacker emails users in a single organization. The emails may appear to come from another staff member at the same organization, asking you to confirm a username and password. Sometimes the emails seem to come from a trusted department that might plausibly need such details, such as IT or human resources. Links in the emails will redirect to a bogus version of the company website or intranet for stealing credentials. (See Email malware distribution)
Hacktivism
Term used to describe hacking activity that's typically for political and social purposes, attacking corporations, governments, organizations and individuals. Groups may deface websites, redirect traffic, launch denial-of-service attacks and steal information to make their point. A hacktivist group dominated headlines in 2011 with attacks on Sony, PBS, the U.S. Senate, the CIA, FBI affiliate InfraGard and others. Other hacktivist groups have engaged in what they consider to be civil disobedience through distributed denial-of-service attacks against websites of governments, banks and other institutions. Another group released 90,000 email addresses of U.S. military personnel in an attack on a federal government contractor. The variety of targets seems to show that almost any institution could be at risk, although only a small minority is affected by hacktivist attacks.
Advanced Persistent Threat (APT)
Type of targeted attack, characterized by an attacker who has time and resources to plan an infiltration into a network. These attackers actively manage their attack once they have a foothold in a network and are usually seeking information, proprietary or economic, rather than simple financial data. APTs are persistent in that the attackers may remain on a network for some time. APTs should not be confused with botnets, which are usually opportunistic and indiscriminate attacks seeking any available victim rather than specific information.
Data leakage
Unauthorized exposure of information. It can result in data theft or data loss. A top concern for organizations is the failure to protect confidential information, including the identities of their workforce, their customers and the general public. Users may post and share data without fully understanding the risks and consequences of potential data leakage. A variety of techniques can be used to prevent data leakage. These include antivirus software, encryption, firewalls, access control, written policies and training. (See Data loss, Data theft, How to secure your data)
Spam
Unsolicited bulk email, the electronic equivalent of junk mail, that comes to your inbox. Spammers often disguise their email in an attempt to evade anti-spam software. Increasingly spam arrives via legitimate email addresses whose user credentials have been compromised, from services like Yahoo!, Hotmail and AOL. Scammers are also targeting large email service providers (ESPs) with malware in an effort to compromise their mail transfer agents (MTAs) in order to send spam. Spam is often profitable. Spammers can send millions of emails in a single campaign for very little money. If even one recipient out of 10,000 makes a purchase, the spammer can turn a profit. Does spam matter?
- Spam is frequently used to distribute malware (see Email malware distribution).
- Spammers often use other people's computers to send spam (see Zombie).
- Spam, like hoaxes or email viruses, uses bandwidth and fills up databases.
- Users can easily overlook or delete important email, confusing it with spam.
- Spam wastes staff time. Users without anti-spam protection have to check which email is spam and then delete it.
Spammers are now also exploiting the popularity of instant messaging and social networking sites such as Facebook and Twitter to avoid spam filters and to trick users into revealing sensitive and financial information.
Suspicious files and behavior
When an endpoint security solution scans files, it labels them as clean or malicious. If a file has a number of questionable characteristics or behavior, it is labeled as suspicious. Suspicious behavior refers to files doing questionable things when they run on a computer, such as copying themselves to a system folder. Runtime protection helps protect against suspicious files by analyzing the behavior of all the programs running on your computer and blocking any activity that looks as if it could be malicious. (See Buffer overflow)
Spoofing (Email)
When the sender address of an email is forged for the purposes of social engineering. Can be put to a number of malicious uses. Phishers (criminals who trick users into revealing confidential information) use spoofed sender addresses to make it appear that their email comes from a trusted source, such as your bank. The email can redirect you to a bogus website (e.g., an imitation of an online banking site), where your account details and password can be stolen. Phishers can also send email that appears to come from inside your own organization (e.g., from a system administrator), asking you to change your password or confirm your details. Criminals who use email for scams or frauds can use spoofed addresses to cover their tracks and avoid detection. (See Email malware distribution)
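The entry describes forged sender addresses but not the standard receiving-side control against them: SPF (Sender Policy Framework, RFC 7208), where a domain publishes in DNS which IP addresses may send mail on its behalf and the receiving server checks the connecting IP against that list. The following is an added example, not from the Threatsaurus, implementing a subset of SPF evaluation (the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers). DNS is replaced by the constructed DNS_TXT table so the code runs offline; the domains and addresses are documentation values. A real evaluator also handles the a, mx, exists and redirect terms and queries live DNS.

```python
"""Minimal SPF check: is this sending IP authorised for this envelope
sender domain? Added example; DNS_TXT stands in for real DNS records and
is a constructed assumption for this illustration."""
import ipaddress

# Constructed TXT records keyed by domain (stand-in for DNS lookups).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "nospf.example.org": "",          # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=DNS_TXT, depth=0):
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                        # RFC 7208 caps include recursion
        return "permerror"
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                     # no policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                   # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # malformed address or prefix
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the referenced domain yields 'pass';
            # a missing record in the included domain is a permanent error.
            inner = check_spf(sender_ip, arg, dns, depth + 1)
            if inner == "none":
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"            # mechanism not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched: RFC default


def should_reject(sender_ip, mail_from_domain, dns=DNS_TXT):
    """Policy a receiving MTA might apply: reject mail whose envelope
    sender domain explicitly says this IP may not send for it."""
    return check_spf(sender_ip, mail_from_domain, dns) == "fail"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.25", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

In this table a message claiming to be from example.com but delivered from 192.0.2.1 gets "fail" (the domain ends its record with -all), whereas mail.example.net uses ~all, so an unknown sender there is only "softfail", which most receivers treat as a spam signal rather than a hard reject. SPF only covers the envelope sender; aligning it with the visible From header is the job of DMARC, which is outside this example.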
Brute force attack
Where hackers try a large number of possible keyword or password combinations to gain unauthorized access to a system or file. Are often used to defeat a cryptographic scheme, such as those secured by passwords. Hackers use computer programs to try a very large number of passwords to decrypt the message or access the system. To prevent brute force attacks, it is important to make your passwords as secure as possible. (See How to choose secure passwords)
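Strong passwords raise the cost of guessing, but defenders also want to notice guessing while it happens. The following is an added example, not from the Threatsaurus, showing the detection side: it parses authentication log lines and flags any source address that accumulates a threshold of failed logins inside a sliding time window, which is the same signal an account-lockout or rate-limiting control keys on. The log lines are constructed sample data in an sshd-like layout (the field format is an assumption for this example), and the addresses are documentation values.

```python
"""Sliding-window detection of password guessing in authentication logs.
Added example; SAMPLE_LOG is constructed data, not real traffic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (sshd-like format; an assumption for this example).
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd[101]: Failed password for admin from 198.51.100.7 port 5001
2024-03-01T10:00:02 sshd[101]: Failed password for admin from 198.51.100.7 port 5002
2024-03-01T10:00:03 sshd[101]: Failed password for root from 198.51.100.7 port 5003
2024-03-01T10:00:05 sshd[101]: Failed password for alice from 198.51.100.7 port 5004
2024-03-01T10:00:06 sshd[101]: Failed password for bob from 198.51.100.7 port 5005
2024-03-01T10:00:09 sshd[101]: Accepted password for alice from 203.0.113.5 port 6001
2024-03-01T10:05:00 sshd[101]: Failed password for alice from 203.0.113.5 port 6002
2024-03-01T10:15:00 sshd[101]: Failed password for alice from 203.0.113.5 port 6003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each offending source IP to details of the first time its failed
    logins reached `threshold` within any interval of length `window`."""
    recent = defaultdict(deque)           # ip -> deque of (timestamp, user)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "Failed":
            continue                      # ignore unparsable and successful logins
        ts, _, user, ip = rec
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop failures that aged out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "failures": len(q),
                "users": sorted({u for _, u in q}),   # many users = spraying
                "first": q[0][0],
                "last": ts,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']} "
              f"between {info['first']} and {info['last']}")
```

With the defaults, 198.51.100.7 is reported after its fifth failure in nine seconds, while 203.0.113.5 (two failures ten minutes apart, plus a successful login) stays quiet; widening the window to fifteen minutes with a threshold of two catches it too, which illustrates the tuning trade-off between catching slow guessing and paging on ordinary typos. The "users" list is worth surfacing in an alert because a single source cycling through many account names is password spraying rather than an attack on one account.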