Cybersecurity 101:
The Fundamentals of Cybersecurity

Active Directory Federation Service (AD FS) is a single sign on (SSO) feature developed by Microsoft that provides authenticated access to any domain, device, web application or system within the organization’s active directory (AD).

Active Directory is a directory service offered by Microsoft Windows that helps administrators configure permissions and network access.

Address Resolution Protocol (ARP) spoofing or ARP poisoning is a form of spoofing attack that hackers use to intercept data. A hacker commits an ARP spoofing attack by tricking one device into sending messages to the hacker instead of the intended recipient.

Advanced endpoint protection (AEP) is a next-generation endpoint security solution that uses AI, machine learning, and other intelligent automation capabilities to provide more comprehensive cybersecurity protection from a variety of modern threats.

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.

Adware – or advertising supported software – is an automated, unwanted software designed to bombard users with advertisements, banners and pop-ups.

Application monitoring is the process of collecting log data in order to help developers track availability, bugs, resource use, and changes to performance in applications that affect the end-user experience (UX).

Application security is a set of measures designed to prevent data or code within applications from being stolen or manipulated.

An attack surface is the sum of all possible security risk exposures in an organization’s software environment.

Attack surface management is the continuous discovery, monitoring, evaluation, prioritization and remediation of attack vectors within an organization's IT infrastructure.

In this article, we go beyond the generic AWS best practices and offer recommendations to help you scale and enhance your AWS security.

In this article, we’ll explore the most common sets of misconfigurations across the most common services, and give advice on how to stay safe and prevent potential breaches when making any modification to your infrastructure

Backporting is when a software patch or update is taken from a recent software version and applied to an older version of the same software.

A botnet is a network of computers infected with malware that are controlled by a bot herder.

A brute force attack is uses a trial-and-error approach to systematically guess login info, credentials, and encryption keys. The attacker submits combinations of usernames and passwords until they finally guess correctly.

BYOD stands for Bring Your Own Device and refers to a business policy that allows employees to use personally owned devices for work purposes.

Centralized logging is the process of collecting logs from networks, infrastructure, and applications into a single location for storage and analysis.

CI/CD combines the practices of continuous integration (CI) and Continuous Delivery (CD) to allow DevOps teams to deliver code updates frequently, reliably, and quickly.

A cloud access security broker (CASB) is a security check point between cloud network users and cloud-based applications that manages and enforces all data security policies and practices, including authentication, authorization, alerts and encryption.

Cloud application security is the process of securing cloud-based software applications throughout the development lifecycle.

Cloud compliance is the act of complying with regulatory standards of cloud usage. The key difference between traditional and cloud compliance is largely how you go about meeting such requirements.

Cloud data security refers to the technologies, policies, services and security controls that protect any type of data in the cloud from loss, leakage or misuse through breaches, exfiltration and unauthorized access.

Cloud encryption is the process of transforming data from its original plain text format to an unreadable format before it is transferred to and stored in the cloud.

Cloud infrastructure is a collective term used to refer to the various components that enable cloud computing, including hardware, software, network devices, data storage and an abstraction layer that allows users to access virtualized resources.

CIEM helps enterprises to manage entitlements across all of their cloud infrastructure resources. The primary goal of this tool is to mitigate the risk that comes from the unintentional and unchecked granting of excessive permissions to cloud resources.

Cloud security combines technology, policies, services, and controls to protect cloud computing systems against cybersecurity threats.

Cloud security architecture is the umbrella term used to describe all hardware, software and infrastructure that protects the cloud environment and its components, such as data, workloads, containers, virtual machines and APIs.

A cloud security assessment is an evaluation that tests and analyzes an organization’s cloud infrastructure to ensure the organization is protected from a variety of security risks and threats.

Learn the constructs of cloud security, how to implement the right tools and best practices to protect your cloud-hosted workloads, and how to evolve the maturity of your security practices.

Cloud security posture management (CSPM) automates the identification and remediation of risks across cloud infrastructures.

As companies increase their use of cloud hosting for storage and computing, so increases the risk of attack on their cloud services. Companies must acknowledge this risk and defend their organization against potential cloud vulnerabilities.

Cloud Workload Protection platforms offer organizations a solution to continuously monitor for, and remove threats from their cloud workloads and containers.

A CWPP is a unified cloud security solution that offers continuous threat monitoring and detection for workloads operating in the public cloud.

A cloud-native application protection platform (CNAPP) is an all-in-one cloud-native software platform that simplifies monitoring, detecting, and acting on potential cloud security threats and vulnerabilities.

Compromise assessments are high-level investigations where skilled teams utilize advanced tools to dig more deeply into their environment to identify ongoing or past attacker activity in addition to identifying existing weaknesses in controls and practices. The intent of the comprehensive assessment is to answer the critical question: “Has my organization been breached?”

is the continuous process of using security tools to protect containers, the container pipeline, deployment infrastructure, and the supply chain from cyber threats and vulnerabilities.

Containerization is a technology that allows software developers to package software and applications in code and run them in isolated compute environments as immutable executable images.

Credential stuffing is a cyberattack where cybercriminals use stolen login credentials from one system to attempt to access an unrelated system.

Cross Site Scripting (XSS) is a code injection attack in which an adversary inserts malicious code within a legitimate website.

CRUD is the acronym for CREATE, READ, UPDATE and DELETE. These terms describe the four essential operations for creating and managing persistent data elements, mainly in relational and NoSQL databases.

Crypto-malware is a type of malicious software, or malware, designed to carry out long-term cryptojacking cyberattacks.

Cryptojacking is the unauthorized use of a person's or organization's computing resources to mine cryptocurrency.

Cyber big game hunting is a type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities.

Cyber espionage, or cyber spying, is a type of cyberattack in which an unauthorized user attempts to access sensitive or classified data or intellectual property (IP) for economic gain, competitive advantage or political reasons.

Cyber insurance, sometimes referred to as cyber liability insurance or cyber risk insurance, is a type of insurance that limits a policy holder’s liability and manages recovery costs in the event of a cyberattack, data breach or act of cyberterrorism.

The cyber kill chain is an adaptation of the military’s kill chain, which is a step-by-step approach that identifies and stops enemy activity.

A cyberattack is an attempt by cybercriminals, hackers or other digital adversaries to access a computer network or system, usually for the purpose of altering, stealing, destroying or exposing information.

Cybersecurity is the act of defending digital assets, including networks, systems, computers and data, from cyberattacks.

The dark web is the part of the internet where users can access unindexed web content anonymously through special web browsers like TOR.

Dark web monitoring is the process of searching for, and tracking, your organization’s information on the dark web.

Data exfiltration is the theft or unauthorized transfer of data from a device or network.

Data logging is the process of capturing, storing and displaying one or more datasets to analyze activity, identify trends and help predict future events.

Data loss prevention (DLP) is an overall security strategy that focuses on detecting and preventing the loss, leakage or misuse of an organization's data.

Defense in depth provides intensive security measures using a layered approach to protect your company from cyberattacks.

A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations.

Detection engineering is the process of identifying threats before they can do significant damage.

DevOps is a set of practices, tools, and a cultural mindset that follows a collaborative organizational model. It combines the software development and operations teams into one collaborative group that helps an organization gain competitive edge through fast, high-quality service and application delivery.

DevOps monitoring is the practice of tracking and measuring the performance and health of systems and applications in order to identify and correct issues early.

DevOps and DevSecOps share cultural similarities but address different business goals. Knowing when to use each practice or transition from DevOps to DevSecOps can improve your business.

DevSecOps—short for Development, Security and Operations— is the practice of integrating security continuously throughout the software and/or application development lifecycle.

Digital Forensics and Incident Response (DFIR) is a field within cybersecurity that focuses on the identification, investigation, and remediation of cyberattacks.

A Distributed-denial-of-service (DDoS) attack is a cybercrime that attempts to interrupt a server or network by flooding it with fake internet traffic.

Domain spoofing is a form of phishing where an attacker impersonates a known business or person with fake website or email domain to fool people into the trusting them.

Email spoofing is a type of cyberattack that targets businesses by using emails with forged sender addresses. Because the recipient trusts the alleged sender, they are more likely to open the email and interact with its contents, such as a malicious link or attachment.

An endpoint is any device that can be connected to a network. Common examples of endpoints include computers, laptops, mobile phones, tablets and servers.

Endpoint Detection and Response (EDR), also referred to as endpoint detection and threat response (EDTR), is an endpoint security solution that continuously monitors endpoint devices to detect and mitigate cyber threats.

Endpoint management is an IT and cybersecurity process that consists of two main tasks: evaluating, assigning and overseeing the access rights of all endpoints; and applying security policies and tools that will reduce the risk of an attack or prevent such events.

An endpoint protection platform (EPP) is a suite of endpoint security technologies such as antivirus, data encryption, and data loss prevention that work together on an endpoint device to detect and prevent security threats like file-based malware attacks and malicious activity.

Endpoint protection software offers a centralized management system from which security administrators can monitor, protect, and investigate vulnerabilities across all endpoints, including computers, mobile devices, servers and connected devices.

Endpoint security, or endpoint protection, is the cybersecurity approach to defending endpoints – such as desktops, laptops, and mobile devices – from malicious activity.

An ethical hacker, also known as a ‘white hat hacker’, is employed to legally break into computers and networks to test an organization’s overall security. Ethical hackers possess all the skills of a cyber criminal but use their knowledge to improve organizations rather than exploit and damage them.

An event is any significant action or occurence that's recognized by a software system and is then recorded in a special file called the event log.

File integrity monitoring (FIM) is a security process that monitors and analyzes the integrity of critical assets, including file systems, directories, databases, network devices, the operating system (OS), OS components and software applications for signs of tampering or corruption, which may be an indication of a cyberattack.

Fileless malware is a type of malicious activity that uses native, legitimate tools built in to a system to execute a cyber attack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target’s system, making it hard to detect.

A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain.

Hacktivism is a combination of the words “hack” and “activism”. Hacktivists engage in disruptive or damaging activity on behalf of a cause, be it political, social or religious in nature.

Ransomware first cropped up around 2005 as just one subcategory of the overall class of scareware. Learn how it's evolved since then.

A honeypot is a cybersecurity mechanism that leverages a manufactured attack target to lure cybercriminals away from legitimate targets and gather intelligence about the identity, methods and motivations of adversaries.

Businesses of all sizes are vulnerable to cyberattacks like ransomware. To protect against this increasing risk, business owners can invest in endpoint protection solutions and educate themselves about how to prevent and mitigate the impact of ransomware.

The hybrid cloud is an IT environment that combines elements of a public cloud, private cloud and on-premises infrastructure into a single, common, unified architecture.

Hybrid cloud security is the protection of data and infrastructure that combines elements of private cloud, public cloud, and on-premises infrastructure into a unified architecture.

A hypervisor, or virtual machine monitor (VMM), is virtualization software that creates and manages multiple virtual machines (VMs) from a single physical host machine.

Identity and access management (IAM) is a framework that allows the IT team to control access to systems, networks and assets based on each user’s identity.

Identity security is a comprehensive solution that protects all types of identities to detect and prevent identity-driven breaches.

Identity segmentation is a method to restrict access to applications/resources based on identities. These identities could be human accounts, service (programmatic accounts), or privileged accounts.

Incident response (IR) is the steps used to prepare for, detect, contain, and recover from a data breach.

Most IR plans can be summed up in 4 common steps: Preparation, Detection & Analysis, Containment & Eradication, and Post-Incident Activity.

An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint or network may have been breached.

Infrastructure as a Service (IaaS) is a cloud computing model in which a third-party cloud service provider offers virtualized compute resources such as servers, data storage and network equipment on demand over the internet to clients.

IaC is an IT practice that leverages code to automate infrastructure provisioning, deployment, configuration and management.

An insider threat refers to the potential for a person to leverage a position of trust to harm the organization through misuse, theft or sabotage of critical assets.

An insider threat is a cybersecurity risk that comes from within the organization — usually by a current or former employee or other person who has direct access to the company network, sensitive data and intellectual property (IP).

IoT security focuses on protecting, monitoring and remediating threats related to the Internet of Things (IoT) — the network of connected devices equipped to gather, store and share data via the internet. 

Indicators of Attack vs Indicators of Compromise: Defining & Understanding the Differences

IT security is the overarching term used to describe the collective strategies, methods, solutions and tools used to protect the confidentiality, integrity and availability of the organization’s data and digital assets.

Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within the Active Directory (AD).

Lateral movement refers to the techniques that a cyberattacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets.

Log aggregation is the mechanism for capturing, normalizing, and consolidating logs from different sources to a centralized platform for correlating and analyzing the data.

Log analysis is the process of reviewing computer-generated event logs to proactively identify bugs, security threats, factors affecting system or application performance, or other risks.

A log file is an event that took place at a certain time and might have metadata that contextualizes it.

Log management is the practice of continuously gathering, storing, processing, synthesizing and analyzing data from disparate programs and applications.

Setting up meaningful log levels is an important step in the log management process. Logging levels allow team members who are accessing and reading logs to understand the significance of the message they see in the log or observability tools being used.

This article provides an overview of foundational machine learning concepts and explains the growing application of machine learning in the cybersecurity industry, as well as key benefits, top use cases, common misconceptions and CrowdStrike’s approach to machine learning.

Malvertising is a relatively new cyberattack technique that injects malicious code within digital ads.

Malware (malicious software) is a term used to describe any program or code that is created with the intent to do harm to a computer, network, or server.

Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL to help detect and mitigate potential threats.

The term malware describes any program or code created with the intent to do harm to a computer, network or server. A virus is a type of malware limited only to programs or code that self-replicates or copies itself in order to spread to other devices or areas of the network.

A man-in-the-middle attack is a type of cyberattack in which an attacker eavesdrops on a conversation between two targets.

Managed detection and response (MDR) is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response.

Mean time to repair (MTTR) is a key performance indicator (KPI) that represents the average time required to restore a system to functionality after an incident.

The MITRE ATTACK Framework is a curated knowledge base that tracks cyber adversary tactics and techniques used by threat actors across the entire attack lifecycle.

Mobile malware is malicious software designed to target mobile devices. Click here to read about the different types and distribution methods.

It is important to implement multi-cloud security to protect your infrastructure, application, and data across multiple clouds.

Multi-factor authentication (MFA) is a multi-layered security system that grants users access to a network, system or application only after confirming their identity with more than one credential or authentication factor.

Network monitoring is an IT process that continuously monitors and evaluates a computer network and its assets.

Network security refers to the tools, technologies and processes that protect an organization’s network and critical infrastructure from unauthorized use, cyberattacks, data loss and other security threats.

Network segmentation is a strategy used to segregate and isolate segments in the enterprise network to reduce the attack surface.

Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioral detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented.

Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity and protect the integrity and confidentiality of their activity.

Observability is when you infer the internal state of a system only by observing its external outputs.

Open source intelligence (OSINT) is the act of gathering and analyzing publicly available data for intelligence purposes.

Pass the hash is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network.

A Password spraying attack involve an attacker using a single common password against multiple accounts on the same application.

Patch management is the process of identifying and deploying software updates, or “patches,” to a variety of endpoints, including computers, mobile devices, and servers.

Penetration testing, or pen testing, is the simulation of real-world attacks in order to test an organization’s detection and response capabilities. 

Phishing is an email scam that impersonates a reputable person or organization with the intent to steal credentials or sensitive information.

Platform as a Service (PaaS) is a cloud computing model in which a third-party cloud provider maintains an environment for customers to build, develop, run and manage their own applications.

A polymorphic virus, sometimes referred to as a metamorphic virus, is a type of malware that is programmed to repeatedly mutate its appearance or signature files through new decryption routines.

Pretexting is a form of social engineering in which an attacker gets access to information, a system or a service through deceptive means. The attacker will present a false scenario — or pretext — to gain the victim’s trust and may pretend to be an experienced investor, HR representative, IT specialist or other seemingly legitimate source.

The principle of least privilege (POLP) is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job.

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system.

A public cloud is a third-party IT management solution that hosts computing services and physical infrastructure.

The key difference between public and private cloud computing relates to access. In a public cloud, organizations use shared cloud infrastructure, while in a private cloud, organizations use their own infrastructure.

Ransomware is a type of malware that encrypts a victim’s data until a payment is made to the attacker. If the payment is made, the victim receives a decryption key to restore access to their files. If the ransom payment is not made, the malicious actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.

Ransomware as a Service (RaaS) is a business model used by ransomware developers, in which they lease ransomware variants in the same way that legitimate software developers lease SaaS products.

Ransomware detection is the first defense against dangerous malware since it finds the infection earlier so that victims can take action to prevent irreversible damage.

In this post, we explore 12 recent ransomware examples to outline the adversaries behind them and how they work.

In a red team/blue team exercise, the red team is made up of offensive security experts who try to attack an organization's cybersecurity defenses. The blue team defends against and responds to the red team attack.

Red team testing uses ethical hacking by simulating real-world techniques so your team can identify vulnerabilities in your system and practice response methods. Red teaming goes beyond a penetration test, or pen test, because it puts a team of adversaries — the red team — against an organization’s security team — the blue team.

Remote code execution (RCE) refers to a class of cyberattacks in which attackers remotely execute commands to place malware or other malicious code on your computer or network.

RDP is software that allows users to control a remote desktop as if it were local.

Risk-based vulnerability management is a cybersecurity process that aims to identify and remediate vulnerabilities that pose the greatest risk to an organization.

Rootkit malware is a collection of software designed to give malicious actors control of a computer, network or application.

Runtime Application Self-Protection (RASP) is a term coined by Gartner more than a decade ago to describe what was then an emerging technology that incorporated security functionality within software applications.

Scareware is a type of malware attack that claims to have detected a virus or other issue on a device and directs the user to download or buy malicious software to resolve the problem.

Security as a service (SECaaS) is a comprehensive solution that helps an organization address any security issue without needing its own dedicated security staff.

SIEM stands for security information and event management and is a set of tools and services that enable analysts to review log and event data, understand and prepare for threats, and retrieve and report on log data.

A security operations center, or SOC, is the collective term for the people, processes and technologies responsible for monitoring, analyzing and maintaining an organization’s information security.

Building a first-class security operations center is no simple feat – maintaining it is even harder. We discuss four security operations center best practices that every organization should strive for. 

Security orchestration, automation and response (SOAR) is a collection of software programs developed to bolster an organization’s cybersecurity posture. A SOAR platform enables a security analyst team to monitor security data from a variety of sources, including security information and management systems and threat intelligence platforms.

Shadow IT is the unauthorized use of any digital service or device that is not formally approved of and supported by the IT department.

The Shared Responsibility Model dictates that a cloud provider must monitor and respond to security threats related to the cloud itself and its underlying infrastructure and end users are responsible for protecting data and other assets they store in any cloud environment.

Shift Left security embeds security into the earliest phases of the application development process. Vulnerable code is identified as it is developed rather than in the testing phase, which reduces costs and results in more secure apps.

Understand the difference in capabilities, definitions, and costs between a SIEM and a log management solutions (LMS).

As development teams require more flexibility, scalability and speed, traditional monolithic software development models have become largely obsolete. To meet the needs of the modern landscape, two options have emerged for effectively and efficiently building and running large-scale, complex applications: service oriented architecture (SOA) and microservices.

SOC-as-a-Service (SOCaaS) is a security model wherein a third-party vendor operates and maintains a fully-managed SOC on a subscription basis via the cloud.

Social engineering is the act of manipulating people to take a desired action, like giving up confidential information. Social engineering attacks work because humans can be compelled to act by powerful motivations, such as money, love, and fear.

Software as a Service (SaaS) is a cloud-based software delivery model that allows users to access applications through an internet-connected device rather than requiring an upfront purchase and installation of physical software.

Spear phishing is a targeted attack on a specific person or organization, whereas general phishing campaigns are sent to a large volume of people. 

Spear-phishing is a targeted attack that uses fraudulent emails, texts and phone calls in order to steal a specific person's sensitive information.

Spyware is a type of unwanted, malicious software that infects a computer or other device and collects information about a user’s web activity without their knowledge or consent.

SQL injection is a code injection technique used by hackers to gain access to and modify information in your back-end database. SQL injection is a common hacking technique, so it’s important to protect your business from it.

Structured, semi structured and unstructured logging falls on a large spectrum each with its own set of benefits and challenges. Unstructured and semi structured logs are easy to read by humans but can be tough for machines to extract while structured logs are easy to parse in your log management system but difficult to use without a log management tool.

A supply chain attack is a type of cyberattack that targets a trusted third party vendor who offers services or software vital to the supply chain.

A threat actor, also known as a malicious actor, is any person or organization that intentionally causes harm in the digital sphere.

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.

Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors.

A Threat Intelligence Platform automates the collection, aggregation, and reconciliation of external threat data, providing security teams with most recent threat insights to reduce threat risks relevant for their organization.

A threat model evaluates threats and risks to information systems, identifies the likelihood that each threat will succeed and assesses the organization's ability to respond to each identified threat.

TrickBot malware is a banking Trojan released in 2016 that has since evolved into a modular, multi-phase malware capable of a wide variety of illicit operations.

A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code. Attackers can export files, modify data, and delete files on your device.

Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating security risks to keep all systems and assets in a network protected.

There are five main stages in the vulnerability management lifecycle include: Assess, Prioritize, Act, Reassess, Improve.

A Web Application Firewall (WAF) is a security device designed to protect organizations at the application level by filtering, monitoring and analyzing HTTP and HTTPS traffic between the web application and the internet.

A whaling attack is a social engineering attack against a specific executive or senior employee with the purpose of stealing money or information, or gaining access to the person’s computer in order to execute further attacks.

Spoofing is when a cybercriminal disguises communication or activity from a malicious source and presents it as a familiar or trusted source.

XDR (extended detection and response) collects and correlates data from endpoints, cloud workloads, networks and email, analyzes and prioritizes them, and delivers them to security teams in a normalized format through a single console.

Zero Trust is a security concept that requires all users to be authenticated and authorized before being granted access to applications and data.

In this post, we'll outline a framework for a true Zero Trust model that adheres to industry best practices while specifically avoiding the potential pitfalls.

We will take a closer look at Zero Trust and SASE and answer some common questions that organizations have when incorporating these into their overarching cybersecurity framework.

A Zero-Day Exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.