
Cyber Security Glossary

Clear, plain-English definitions of 74+ essential cyber security terms. Compiled by Mark Hayward — UK cyber security expert and author of 144+ books.

A

Access Control

A security mechanism that restricts who can view or use resources in a computing environment. Access control systems manage user permissions and ensure only authorised individuals can access specific data or systems.

Advanced Persistent Threat (APT)

A prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period. APTs are typically state-sponsored or highly sophisticated criminal groups aiming to steal data or disrupt operations.

Antivirus Software

A programme designed to detect, prevent, and remove malicious software (malware) from a computer system. Modern antivirus solutions use signature-based detection and behavioural analysis to identify threats.

Authentication

The process of verifying the identity of a user, device, or system. Common methods include passwords, biometrics, smart cards, and multi-factor authentication (MFA).

Authorisation

The process of granting or denying access rights to resources after a user has been authenticated. Authorisation defines what an authenticated user is allowed to do within a system.

B

Backdoor

A hidden method of bypassing normal authentication or encryption in a computer system. Backdoors can be intentionally inserted by developers or maliciously planted by attackers to gain persistent access.

Botnet

A network of internet-connected devices infected with malicious software and controlled as a group without the owners' knowledge. Botnets are commonly used for distributed denial-of-service (DDoS) attacks, spam campaigns, and credential theft.

Brute Force Attack

A trial-and-error method used to guess passwords, encryption keys, or other credentials by systematically checking all possible combinations until the correct one is found.

Buffer Overflow

A vulnerability that occurs when a programme writes more data to a buffer (temporary storage area) than it can hold, causing adjacent memory to be overwritten. Attackers exploit buffer overflows to execute arbitrary code.

C

CAPTCHA

Completely Automated Public Turing test to tell Computers and Humans Apart. A challenge-response test used to determine whether a user is human, preventing automated bots from accessing web services.

Certificate Authority (CA)

A trusted organisation that issues digital certificates used to verify the identity of websites and entities online. CAs are a fundamental component of Public Key Infrastructure (PKI).

CIA Triad

The three core principles of information security: Confidentiality (protecting information from unauthorised access), Integrity (ensuring information is accurate and unaltered), and Availability (ensuring authorised users can access information when needed).

CISO

Chief Information Security Officer. The senior executive responsible for establishing and maintaining the enterprise vision, strategy, and programme to ensure information assets and technologies are adequately protected.

Credential Stuffing

A cyberattack in which stolen account credentials (usually usernames and passwords) from one breach are used to attempt to gain unauthorised access to other accounts, exploiting the common practice of password reuse.

Cross-Site Scripting (XSS)

A web security vulnerability that allows attackers to inject malicious scripts into content viewed by other users. XSS attacks exploit the trust a user has for a particular website.

Cryptography

The practice and study of techniques for secure communication in the presence of adversarial behaviour. Modern cryptography uses mathematical algorithms to encrypt data and ensure its confidentiality, integrity, and authenticity.

Cyber Hygiene

A set of practices and steps that computer users take to maintain system health and improve online security. Good cyber hygiene includes regular software updates, strong password practices, and data backups.

Cybersecurity Framework

A set of standards, guidelines, and best practices to manage cybersecurity risk. Common frameworks include NIST CSF, ISO 27001, and the NCSC Cyber Assessment Framework (CAF).

D

Dark Web

The part of the internet that is intentionally hidden and inaccessible through standard web browsers. The dark web is often associated with illegal activities, including the sale of stolen data, malware, and other illicit goods.

Data Breach

A security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorised individual or group.

Data Loss Prevention (DLP)

A strategy and set of tools that ensure sensitive data is not lost, misused, or accessed by unauthorised users. DLP solutions monitor, detect, and block the transmission of sensitive data.

DDoS (Distributed Denial of Service)

An attack that floods a target system, server, or network with traffic from multiple sources simultaneously, rendering it unavailable to legitimate users.

Defence in Depth

A security strategy that employs multiple layers of security controls throughout a system. If one layer fails, additional layers continue to provide protection, reducing the risk of a successful attack.

DNS Spoofing

A cyberattack in which corrupted Domain Name System data is introduced into a resolver's cache, causing the resolver to return an incorrect IP address and diverting traffic to a system under the attacker's control.

E

Encryption

The process of converting plaintext data into an unreadable format (ciphertext) using an algorithm and a key. Only parties with the correct decryption key can reverse the process and read the original data.

Endpoint Security

The practice of securing endpoints (individual devices like laptops, smartphones, and servers) on a network. Endpoint security solutions include antivirus software, firewalls, and intrusion detection systems.

Ethical Hacking

The practice of legally and intentionally probing computer systems, networks, and applications for security vulnerabilities that malicious hackers could exploit. Also known as penetration testing or white-hat hacking.

Exploit

A piece of software, data, or sequence of commands that takes advantage of a vulnerability in a system to cause unintended behaviour. Exploits are used by attackers to gain unauthorised access or cause damage.

F

Firewall

A network security device (hardware or software) that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls create a barrier between trusted internal networks and untrusted external networks.

Forensic Analysis

The application of scientific methods to investigate and establish facts in a cybersecurity incident. Digital forensics involves collecting, preserving, and analysing electronic evidence to understand how an attack occurred.

G

GDPR

General Data Protection Regulation. A comprehensive data protection law in the European Union that governs how organisations collect, store, and use personal data. Non-compliance can result in significant financial penalties.

Governance, Risk and Compliance (GRC)

An integrated approach to managing an organisation's governance, risk management, and regulatory compliance activities. GRC frameworks help organisations align IT with business objectives while managing uncertainty and acting with integrity.

H

Hashing

A process that converts input data of any length into a fixed-length string of characters using a mathematical algorithm. Unlike encryption, hashing is a one-way function: the original input cannot be recovered from the hash. Hashes are used to verify data integrity and to store passwords securely.

Honeypot

A security mechanism that creates a decoy to lure cybercriminals: a deliberately exposed computer system set up so that defenders can study how attackers work and gather intelligence about attack techniques.

I

Identity and Access Management (IAM)

A framework of business processes, policies, and technologies that manages digital identities and controls user access to critical information. IAM ensures the right individuals access the right resources at the right times.

Incident Response

An organised approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to limit damage, reduce recovery time and costs, and learn from the incident to prevent future occurrences.

Intrusion Detection System (IDS)

A device or software application that monitors a network or systems for malicious activity or policy violations. An IDS alerts administrators to potential threats but does not take direct action to block them.

Intrusion Prevention System (IPS)

A network security tool that monitors a network for malicious activity and takes direct action to prevent or block detected threats. An IPS is more proactive than an IDS, automatically blocking suspicious traffic.

ISO 27001

An international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). ISO 27001 certification demonstrates an organisation's commitment to information security.

ISO 42001

An international standard for Artificial Intelligence Management Systems (AIMS). ISO 42001 provides requirements and guidance for organisations deploying or developing AI systems, ensuring responsible and ethical AI governance.

K

Keylogger

A type of malware that records every keystroke made on an infected computer, capturing passwords, credit card numbers, and other sensitive information. Keyloggers can be software-based or hardware devices.

L

Lateral Movement

A technique used by attackers who have already gained access to a network to progressively move through it in search of key assets and data. Lateral movement enables attackers to expand their foothold beyond the initial point of entry.

M

Malware

Malicious software designed to infiltrate, damage, or gain unauthorised access to a computer system without the user's knowledge or consent. Types include viruses, worms, ransomware, spyware, and trojans.

Man-in-the-Middle (MitM) Attack

An attack where an adversary secretly intercepts and potentially alters communication between two parties who believe they are communicating directly with each other.

Multi-Factor Authentication (MFA)

A security system that requires more than one form of verification to access an account or system. Typically combines something you know (password), something you have (token), and something you are (biometric).

N

NCSC CAF

The National Cyber Security Centre Cyber Assessment Framework. A UK government framework for assessing and improving the cyber resilience of organisations responsible for critical national infrastructure and essential services.

Network Segmentation

The practice of dividing a computer network into smaller sub-networks (segments) to improve performance and security. Segmentation limits an attacker's ability to move laterally across a network after gaining initial access.

NIST Cybersecurity Framework

A voluntary framework developed by the National Institute of Standards and Technology providing a policy framework for computer security guidance. The framework consists of five core functions: Identify, Protect, Detect, Respond, and Recover.

O

OSINT

Open Source Intelligence. The collection and analysis of data gathered from publicly available sources to be used in an intelligence context. In cybersecurity, OSINT is used in reconnaissance to gather information about targets.

P

PCI DSS

Payment Card Industry Data Security Standard. A set of security standards designed to ensure all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Penetration Testing

A simulated cyberattack against a computer system, network, or web application to identify security vulnerabilities that an attacker could exploit. Also known as pen testing or ethical hacking.

Phishing

A cyberattack that uses disguised email, text messages, or websites to trick recipients into revealing sensitive information such as passwords or financial data, or to install malware.

PKI (Public Key Infrastructure)

A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI enables secure communications and authentication over the internet.

R

Ransomware

A type of malicious software that encrypts a victim's files or locks their computer, with the attacker demanding a ransom payment for the decryption key to restore access.

Risk Assessment

The process of identifying, analysing, and evaluating cybersecurity risks to an organisation. Risk assessments help prioritise security investments and develop appropriate controls to manage identified threats.

Rootkit

A collection of malicious software tools designed to provide unauthorised access to a computer or network while hiding its presence from administrators. Rootkits are particularly dangerous because they operate at a very low system level.

S

Security Operations Centre (SOC)

A centralised unit that monitors, assesses, and defends an organisation's information systems. SOC teams use security tools and technologies to detect, analyse, and respond to cybersecurity incidents.

SIEM

Security Information and Event Management. A system that provides real-time analysis of security alerts generated by applications and network hardware. SIEM tools aggregate and correlate data from multiple sources to identify potential threats.

Social Engineering

The use of psychological manipulation to trick individuals into divulging confidential information or performing actions that compromise security. Phishing, pretexting, and baiting are common social engineering tactics.

SOC 2

Service Organisation Control 2. A voluntary compliance standard for service organisations, developed by the AICPA, specifying how organisations should manage customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

Spear Phishing

A targeted form of phishing that focuses on specific individuals or organisations. Unlike generic phishing, spear phishing attacks are personalised using information gathered about the target to make the deception more convincing.

SQL Injection

A code injection technique that attackers use to insert malicious SQL statements into input fields, allowing them to manipulate or access a database. SQL injection is one of the most common and dangerous web application vulnerabilities.

SSL/TLS

Secure Sockets Layer / Transport Layer Security. Cryptographic protocols that provide secure communication over a computer network. TLS is the successor to SSL and is used to encrypt data transmitted between web browsers and servers (indicated by HTTPS).

T

Threat Intelligence

Evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, implications, and actionable advice. Threat intelligence helps organisations make better decisions about their security posture.

Threat Modelling

A structured approach to identifying, quantifying, and addressing security risks associated with an application or system. Threat modelling helps teams understand potential attacks and prioritise defences accordingly.

Trojan Horse

A type of malware that disguises itself as legitimate software to trick users into installing it. Unlike viruses, trojans do not replicate themselves but can provide attackers with remote access to the infected system.

Two-Factor Authentication (2FA)

A subset of multi-factor authentication that requires exactly two forms of verification to access an account. The most common form combines a password with a one-time code sent to a mobile device.

V

Virtual Private Network (VPN)

A service that creates a secure, encrypted connection over a less secure network such as the internet. VPNs protect data in transit and can mask a user's IP address and location.

Vulnerability

A weakness or flaw in a system, network, or application that could be exploited by attackers to gain unauthorised access or cause harm. Vulnerabilities can exist in software code, configurations, or processes.

Vulnerability Assessment

The systematic review of security weaknesses in an information system. A vulnerability assessment evaluates if the system is susceptible to known vulnerabilities and assigns severity levels to identified issues.

W

Whaling

A highly targeted phishing attack directed at senior executives or high-profile individuals within an organisation. Whaling attacks are designed to appear as legitimate business communications.

Worm

A standalone malware programme that replicates itself to spread to other computers. Unlike viruses, worms do not need to attach themselves to existing programmes and can spread across networks without any user interaction.

Z

Zero-Day Vulnerability

A software security flaw that is known to the software vendor but for which no patch has yet been released. Zero-day vulnerabilities are highly valuable to attackers as defenders have had zero days to address them.

Zero Trust

A security model based on the principle 'never trust, always verify'. Zero Trust requires strict verification of every person and device attempting to access resources on a network, regardless of whether they are inside or outside the network perimeter.

Want to learn more?

These definitions are just the start. Mark Hayward's 144+ books cover every one of these topics in depth — from beginner guides to advanced enterprise security.