A lot of specialized terminology has sprung up over the years in the field of information security: words and phrases that did not exist until as recently as a couple of years ago are now commonly bandied about. This causes confusion for newcomers to email security. Here are some commonly used terms to help you make the transition from newbie to well-informed professional, ready to take on today's information security challenges.
Social Engineering
Using psychological manipulation to convince victims to divulge sensitive information, or to open a link or document, rather than attacking a technical weakness. Phishing and most ransomware campaigns rely on social engineering to dupe users into navigating to malicious links or opening documents that carry a malicious payload.
Malware
Any program designed specifically to cause harm to a computer, network, or data. Viruses, trojans, worms, adware, ransomware, scareware, and spyware are all forms of malware.
Phishing
A deliberate respelling of "fishing" (the "ph" follows the older hacker term "phreaking"), based on the idea of using social engineering (the bait) to tempt users (the fish) into divulging information. In a phishing attack, a message is crafted to entice the user to click a link to a spoofed web page or to send information directly in reply. Because the message plays on trust rather than exploiting a software flaw, a successful phish can hand attackers usernames, passwords, company tax records, banking and financial data, and more. Email is the most common vector, but phishing also occurs via online advertising, SMS ("smishing"), and voice calls ("vishing").
Ransomware
A form of malware that blocks access to files or systems, typically by encrypting them, until a ransom is paid. CryptoLocker, Locky, Petya, and Jigsaw are well-known families, and there are many more. Ransomware has existed for many years, but the rise of cryptocurrencies made it far more widespread, because payments can be collected pseudonymously and without a bank in the loop. Industry surveys have reported that over 91% of ransomware attacks begin with a phishing email, and the resulting downtime and recovery costs run to millions of dollars for businesses each year.
Botnet
A robot network.
Any network of internet-connected devices that has been infected with malware and co-opted by cyber criminals, who control it remotely through command-and-control infrastructure. Botnets are used to send spam and phishing email, distribute malware, and launch distributed denial of service (DDoS) attacks. A single botnet may contain a million devices or more, and botnets have been responsible for sending up to 60 billion spam emails in a single day.
Spear Phishing
A phishing attack aimed at a specific person or small group, often purporting to come from a person or company well known to the target and tailored with details (job title, colleagues, current projects) gathered beforehand. Celebrities, corporate officers, and government officials are frequent targets. See "Whaling."
Advanced Persistent Threat (APT)
An ongoing, targeted intrusion in which a well-resourced adversary gains a foothold and then works to keep covert access to a system or network over months or years, rather than cashing out in a single strike. Many different types of threat (malware, phishing, credential theft, and so on) and multiple attack vectors such as email and messaging are combined over the course of the campaign. The term is also applied to the groups that run such campaigns.
Distributed Denial of Service (DDoS)
The intentional overloading of computational or network resources from many sources at once. DDoS attacks are typically conducted using a botnet, and are intended to deny legitimate users access to a service for the duration of the attack by bringing server and network performance to a crawl or a standstill.
Adware
Software installed on a system or individual computer that renders advertising in an attempt to generate revenue for its distributor. Many forms of adware display modal pop-ups that the user cannot close. Besides being irritating, adware may bundle spyware that harvests confidential information from the user, and some adware has been distributed signed with stolen code-signing certificates so that it passes as legitimate software. Adware affects not only computers but any device that connects to the internet, such as phones and tablets.
Malvertising
The use of online advertising to spread malware. Malicious advertisements are placed with ad networks so that they are served on otherwise legitimate sites, and the malware spreads through user clicks or, with drive-by exploit kits, on a mere page view. Victims are easily duped because the sites hosting the ads appear professional and legitimate, and no phishing link has to be clicked to contract the malware.
Clone Phishing
A sophisticated form of phishing in which a genuine, previously delivered email is used to create a nearly identical copy, from the same apparent sender and with the same content. The legitimate link or attachment in the original is replaced with a malicious one in the clone, often under a pretext such as "resending with the corrected attachment." This very easily dupes users into clicking, because not only the sender but the email itself is already familiar to them.
Whaling
A phishing attack against a corporate executive. C-level executives control and have access to sensitive information, bank records, and account credentials. Whaling attacks attempt to gain access to funds or information by winning the confidence of highly placed individuals, or by impersonating them to their staff. Successful whaling attacks are usually the payoff of a "long con," involving repeated contact over an extended period to build trust through social engineering.
DKIM
DomainKeys Identified Mail.
A method that allows an organization to take responsibility for a message in transit by signing it. The signer is the original sender or an intermediary. The signing system adds a DKIM-Signature header containing, among other fields, the signing domain (d=), a selector (s=), a hash of the canonicalized body (bh=), and a signature (b=) over selected headers and that body hash. The receiver fetches the signer's public key from a DNS TXT record at selector._domainkey.domain and verifies the signature, which proves the message was authorized by that domain and that the signed parts have not been altered since. DKIM says nothing about whether the signing domain matches what the user sees in the From: line; that check is DMARC's job.
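As an added example (not code from the original page), here is the body-hash half of DKIM verification in Python using only the standard library: the tag list is parsed, the body is canonicalized with the relaxed or simple algorithm, and the bh= value is recomputed and compared. The message, selector and domain are constructed for the example; the b= header signature, which needs the public key from DNS, is not verified here.

```python
import base64
import hashlib
import re

# Hash functions DKIM may name in the a= tag (RFC 6376 3.3, RFC 8463 for Ed25519).
HASH_ALGORITHMS = {
    "rsa-sha256": hashlib.sha256,
    "ed25519-sha256": hashlib.sha256,
    "rsa-sha1": hashlib.sha1,  # historic; RFC 8301 says receivers must not accept it
}


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 3.2).

    Folding whitespace inside values is dropped so bh= and b= compare cleanly.
    """
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: str, method: str) -> bytes:
    """Canonical body bytes for the 'simple' (3.4.3) or 'relaxed' (3.4.4) algorithm.

    simple:  only trailing empty lines are removed.
    relaxed: also strips trailing whitespace on each line and squeezes runs of
             spaces/tabs to one space, so a relay that rewraps whitespace does
             not break the signature.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")
    while lines and lines[-1] == "":          # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def compute_body_hash(body: str, algorithm: str = "rsa-sha256", method: str = "relaxed") -> str:
    """The bh= value a signer would put in the header for this body."""
    digest = HASH_ALGORITHMS[algorithm](canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Receiver-side check of bh= only. The b= signature over the headers is
    verified separately with the key published at <s>._domainkey.<d>; an l=
    (body length) tag is not handled here."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"
    expected = compute_body_hash(body, tags.get("a", "rsa-sha256"), body_method)
    return tags.get("bh") == expected


# Constructed sample, not a captured message. The bh= is computed exactly as a
# signer would; b= is left as a placeholder because header signing needs a key.
SAMPLE_BODY = "Please review the attached invoice.\r\nThanks,\r\nAccounts Payable\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;"
    " h=from:to:subject:date; bh=" + compute_body_hash(SAMPLE_BODY) + "; b=..."
)

if __name__ == "__main__":
    print("intact body:      ", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("whitespace rewrap:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("Thanks,", "Thanks,  \t")))
    print("link injected:    ", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("invoice.", "invoice at http://evil.example/")))
```

The relaxed algorithm is why a mailing list or relay that re-wraps whitespace does not invalidate the signature, while a single injected character does. Under simple canonicalization the same whitespace change would fail the check, which is one reason most signers choose relaxed/relaxed.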
DMARC
Domain-based Message Authentication, Reporting, and Conformance.
An email validation system designed to prevent spoofing of the visible From: address, built on top of SPF and DKIM. A domain owner publishes a TXT record at _dmarc.<domain> stating the policy receivers should apply to mail that fails authentication (p=none to monitor only, p=quarantine, or p=reject) and where to send aggregate and failure reports (rua=, ruf=). A message passes DMARC if SPF or DKIM passes and the authenticated domain aligns with the domain in the From: header, either exactly (strict alignment) or at the organizational-domain level (relaxed alignment). DMARC is what makes a passing SPF or DKIM result meaningful to the recipient, because it ties the result to the address the user actually sees.
Spyware
Any software that gathers personal or organizational information surreptitiously. Spyware typically runs without the user's informed consent, though it is often bundled with software the user did choose to install, with the data collection buried in a license agreement. There are four main types of spyware: adware, system monitors, tracking cookies, and trojans.
Scareware
Malware that uses social engineering to build anxiety that something is wrong and can only be fixed by buying unwanted software. Often the product sold is fake anti-virus software that is either non-functional or itself malware, and the infection it claims to remove is equally fictitious. In a broader sense, "scareware" applies to any software that intentionally causes anxiety or panic.
Spam
Unsolicited bulk email or messaging. Most spam is commercial and attempts to sell the user some good or service. Even if the good or service is legitimate, if the email is unsolicited (the user never opted in) and the sending is done with a "shotgun" approach, the communication is spam. Spam is usually sent from botnets, with the cost of delivery borne by the recipients and their mail providers; this makes spam an electronic form of postage-due advertising.
The term "spam" comes from a canned spiced ham, by way of a Monty Python sketch in which the meat is on every item of a menu and the word is repeated in a song until it drowns out everything else.
Spoofing
An attack in which information used to judge the legitimacy of a message or other transaction is replaced with false information in order to gain some advantage. Domain names, email sender addresses, caller IDs, and IP addresses may all be spoofed, leading an unwary user to believe that an email comes from a trusted sender or that a web site is legitimate when it is not.
Domain Name Spoofing
A form of spoofing in which the domain name in a link is replaced with one that appears very similar or identical to the real one but is not. An example is "paypaI" with an uppercase "I" in place of the lowercase "l" in "paypal"; other variants swap digits for letters ("examp1e"), use letter pairs that resemble a single letter ("rn" for "m"), or use Unicode characters from another alphabet, such as Cyrillic "а" for Latin "a", that are rendered identically. Users clicking a spoofed link are directed to a site that mimics the legitimate one, allowing the attacker to capture login credentials.
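Added example (not from the original page) of how a mail gateway or link scanner can catch the look-alike domains described above. The brand list and confusables table are constructed for illustration; real deployments use the full Unicode confusables data and the Public Suffix List rather than the two-label approximation used here.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical watch-list: the domains this organization wants to protect.
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com", "example.com"}

# Constructed subset of the Unicode confusables data: each key is rendered much
# like its ASCII value in common fonts. Uppercase I is mapped before case-folding
# because "paypaI" fools the eye only while the I is uppercase.
CONFUSABLE_CHARS = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "3": "e", "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic с х у
    "\u0131": "i",                                               # dotless ı
}
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(text: str) -> str:
    """Collapse a domain (or label) to a form in which look-alikes compare equal:
    NFKC folds full-width and ligature forms, then single characters and
    two-letter sequences are replaced by the letters they imitate."""
    text = unicodedata.normalize("NFKC", text)
    folded = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text).casefold()
    for sequence, replacement in CONFUSABLE_SEQUENCES:
        folded = folded.replace(sequence, replacement)
    return folded


def host_of(link: str) -> str:
    """Hostname as displayed (case preserved), without scheme, userinfo, port or path."""
    netloc = urlsplit(link if "://" in link else "//" + link).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0].rstrip(".")


def registrable(host: str) -> str:
    """Last two labels. A simplification: real code uses the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def mixed_scripts(label: str) -> bool:
    """True when letters from more than one script (e.g. Latin and Cyrillic) share a label."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def classify_link(link: str, protected=PROTECTED_DOMAINS):
    """Return (verdict, imitated_domain or None) for a link as shown to the user."""
    host = host_of(link)
    reg = registrable(host)
    if reg.casefold() in protected:
        return "legitimate", reg.casefold()
    for brand in protected:                       # paypaI.com, paypa1.com, rnicrosoft.com
        if skeleton(reg) == skeleton(brand):
            return "lookalike", brand
    brand_by_label = {brand.split(".")[0]: brand for brand in protected}
    for label in host.split(".")[:-2]:            # paypal.com.secure-login.example
        if skeleton(label) in brand_by_label:
            return "brand-in-subdomain", brand_by_label[skeleton(label)]
    if any(mixed_scripts(label) for label in host.split(".")):
        return "mixed-script", None               # suspicious even with no brand match
    return "unrelated", None
```

The skeleton comparison is run on the text as displayed, because DNS is case-insensitive: "paypaI.com" actually resolves to paypai.com, so the trick lives in the link text, not in the zone. A scanner should therefore compare both the displayed text and the resolved target.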
Email Address Spoofing
A form of spoofing in which the sender address is replaced with one well known to the recipient, in an attempt to gain access to sensitive information. SMTP has no built-in check that the address in the From: header (or even the envelope MAIL FROM address) belongs to the system sending the message, which is why SPF, DKIM, and DMARC exist.
SPF
Sender Policy Framework.
A protocol that helps detect and block sender spoofing by letting receiving systems check whether the IP address delivering a message is authorized by the administrators of the domain in the message's envelope sender (the SMTP MAIL FROM address). The domain publishes its list of authorized senders as a specially formed DNS TXT record beginning "v=spf1", using mechanisms such as ip4:, ip6:, a, mx, and include:, and a final all mechanism whose qualifier (-all to fail, ~all to soft-fail) says what to do with everyone else. Because SPF checks the envelope sender rather than the visible From: header, a passing SPF result alone does not prove the From: address is genuine; DMARC supplies that alignment check.
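Added example, not from the original page: a small Python evaluator for SPF and DMARC that uses a constructed in-memory DNS table in place of live lookups (the records, domains and addresses are invented; 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are the documentation ranges). It implements the ip4/ip6/include/all mechanisms of SPF, then the DMARC alignment between the From: header domain and the SPF- or DKIM-authenticated domain that ties an SPF or DKIM pass to the address the user sees (see DMARC and Email Address Spoofing above). The a/mx/ptr/exists mechanisms and the pct= and sp= DMARC tags are left out.

```python
import ipaddress

# Constructed zone data standing in for live DNS (none of these are real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}
MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: more than 10 include/a/mx/ptr/exists terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, lookups=None) -> str:
    """Evaluate `domain`'s SPF record for the connecting IP (RFC 7208 subset:
    ip4, ip6, include, all). a/mx/ptr/exists/redirect are reported as permerror
    here rather than implemented."""
    lookups = [0] if lookups is None else lookups
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.lower().partition(":")
        if mechanism in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            if check_spf(argument, client_ip, lookups) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Production
    code must use the Public Suffix List (otherwise co.uk looks like an org)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_record(domain: str):
    """Parse the _dmarc TXT record for `domain`, falling back to the
    organizational domain as RFC 7489 6.6.3 requires for subdomains."""
    for candidate in (domain, org_domain(domain)):
        record = DNS_TXT.get(f"_dmarc.{candidate}".lower())
        if record and record.startswith("v=DMARC1"):
            tags = {}
            for part in record.split(";"):
                name, sep, value = part.partition("=")
                if sep:
                    tags[name.strip().lower()] = value.strip()
            return tags
    return None


def aligned(header_from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any host under the same organizational domain."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(header_from_domain, mail_from_domain, client_ip, dkim_pass_domains=()):
    """Combine SPF and DKIM results with alignment and return the disposition a
    receiver should apply: 'pass', or the sender's p= policy on failure."""
    policy = dmarc_record(header_from_domain) or {}
    spf_result = check_spf(mail_from_domain, client_ip)
    result = {
        "spf": spf_result,
        "spf_aligned": spf_result == "pass"
        and aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r")),
        "dkim_aligned": any(
            aligned(header_from_domain, d, policy.get("adkim", "r")) for d in dkim_pass_domains
        ),
    }
    if not policy:
        result["disposition"] = "none"            # no DMARC record: nothing to enforce
    elif result["spf_aligned"] or result["dkim_aligned"]:
        result["disposition"] = "pass"
    else:
        result["disposition"] = policy.get("p", "none")   # none | quarantine | reject
    return result


if __name__ == "__main__":
    print(evaluate_dmarc("example.com", "example.com", "192.0.2.25"))        # company's own server
    print(evaluate_dmarc("example.com", "attacker.example", "203.0.113.5"))  # spoofed From:, no DKIM
```

Note the two spoofing cases: a forged From: sent from an unrelated envelope domain gets SPF "none", and a forged envelope that claims example.com from an unauthorized IP gets SPF "fail"; both end in the domain's p=reject disposition. A third-party bulk sender with its own envelope domain still passes if it DKIM-signs with d=example.com, which is the supported way to delegate sending.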
SMTP
Simple Mail Transfer Protocol.
The internet standard for email transmission, defined in RFC 821 in 1982 and replaced by the current specification, RFC 5321, in 2008. Mail servers and mail transfer agents use SMTP to both send and receive messages, normally on TCP port 25 between servers, while user-level clients use SMTP only for sending (typically on the submission port 587, with STARTTLS) and retrieve mail with IMAP or POP3. SMTP itself performs no authentication of the sender's address, which is why SPF, DKIM, and DMARC were layered on top of it.
Cookie
Also called an HTTP cookie, web cookie, internet cookie, or browser cookie. A small piece of data that a web site sends to the browser, which stores it and returns it with later requests to that site, giving the otherwise stateless HTTP protocol a way to remember a user between visits or across page transitions (for example, to keep a login session alive).
Cookies cannot hold runnable code, so they cannot contain viruses, but they can support malicious actions: a stolen session cookie lets an attacker impersonate the logged-in user. Being plain data stored on disk, they can also be read by other applications on the machine and, unless the site sets the HttpOnly and Secure attributes, by scripts running in the page and by anyone able to observe unencrypted traffic.
Tracking Cookie
A cookie set by a third-party domain (such as an advertising network) embedded in many different sites, so that the same cookie is returned from every site that includes that third party. Commonly used for legitimate marketing or advertising, tracking cookies become a threat when they are used to profile a user's behavior across the web without consent, or when their identifiers are stolen and reused.
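An added example, not code from the original page, that audits the attributes a site puts on a Set-Cookie header; it covers both the session-cookie risks in the Cookie entry and the cross-site Domain and lifetime settings that characterize a tracking cookie. The sample headers are constructed, and the seven-day threshold is an arbitrary choice for the example.

```python
# Hint substrings for cookies that probably carry a login session.
SESSION_HINTS = ("sess", "sid", "token", "auth", "jwt")
SEVEN_DAYS = 7 * 24 * 3600   # arbitrary threshold for "too long-lived" (example choice)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes.
    Attribute names are case-insensitive (RFC 6265 5.2); values keep their case."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        attr, _, attr_value = part.partition("=")
        attrs[attr.strip().lower()] = attr_value.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie is set defensively."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send it over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read it, so an XSS bug can steal it")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: cross-site request behaviour is left to browser defaults")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: Chromium-based browsers reject this combination")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: sent to every subdomain of that domain, not just the setter")
    if any(hint in name.lower() for hint in SESSION_HINTS):
        max_age = attrs.get("max-age", "")
        if max_age.lstrip("-").isdigit() and int(max_age) > SEVEN_DAYS:
            findings.append(f"session-like cookie persists for {max_age}s: prefer a session cookie or a short Max-Age")
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain, or browsers drop the cookie")
    return findings


# Constructed examples (not captured from any site).
WEAK_SESSION = "sessionid=2f9a7c; Path=/"
HARDENED_SESSION = "__Host-sessionid=2f9a7c; Path=/; Secure; HttpOnly; SameSite=Lax"
THIRD_PARTY_TRACKER = "trk=u-8813; Domain=.ads.example; Path=/; SameSite=None; Max-Age=31536000"

if __name__ == "__main__":
    for header in (WEAK_SESSION, HARDENED_SESSION, THIRD_PARTY_TRACKER):
        print(header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("   ", finding)
```

The hardened form uses the __Host- prefix, which makes the browser enforce Secure, Path=/ and the absence of Domain, so a subdomain compromised by an attacker cannot overwrite the session cookie for the parent site.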
System Monitor
Software that monitors activity on a computer and captures keystrokes (keylogging), visited sites, emails, and other data. The captured data is then used to compromise security on the affected computer, or the harvested credentials are used to obtain direct access to secured systems or data.
Trojan Horse
Named for the wooden horse containing Greek soldiers used during the sack of Troy. The Trojans, assuming the horse to be a gift left by the departing Greeks, hauled it into the city. The Greeks crept out of the horse under cover of night and opened the gates, ending the war.
A "Trojan Horse," or simply "Trojan," is therefore a piece of malware that masquerades as some other, legitimate software. Once installed it may even nominally carry out its advertised function, while also providing a backdoor into the system that allows unauthorized access.
IMAP
Internet Message Access Protocol.
A protocol used by email clients to retrieve and manage email on a mail server over TCP/IP, defined in RFC 3501. IMAP listens on port 143, with IMAP over TLS (IMAPS) on port 993; plain-text logins on port 143 should be protected with STARTTLS or avoided. IMAP and POP3 are the two most widely used protocols for retrieving email.
POP3
Post Office Protocol version 3.
The most recent version of the Post Office Protocol, used by email clients to download email from a server (RFC 1939) on port 110 or, over TLS, port 995. POP3 has been largely superseded by IMAP, but both protocols are still in common use in email client applications.
Mail Transfer Agent (MTA)
Software that uses a client-server architecture to transfer email messages from one computer to another. An MTA implements both the sending and receiving side of SMTP, accepting mail from clients or other MTAs and relaying it toward its destination.
SSH
Secure Shell.
A cryptographic network protocol that allows network services to be operated securely over an unsecured network. Remote login is the classic use: SSH lets users log on to their office systems from home with the session encrypted and the server authenticated by its host key. Other services can be secured by tunneling them through an SSH connection (port forwarding). The standard SSH service uses TCP port 22.
SSL
Secure Sockets Layer.
A security protocol that establishes an encrypted link between a server and a client, most visibly between web servers and browsers. SSL uses PKI: the server presents a certificate issued by a Certificate Authority so the client can verify it is talking to the right party, and optionally the client presents one too. SSL 2.0 and 3.0 had been superseded by TLS since 1999, but SSL 3.0 remained widely enabled as a fallback until the POODLE attack in 2014 showed it could be exploited; it was formally deprecated in RFC 7568 (2015). "SSL certificate" survives as a colloquial name for the X.509 certificates TLS still uses.
TLS
Transport Layer Security.
The successor to SSL. A TLS handshake uses public key cryptography to authenticate the server (and optionally the client) and to agree on a fresh symmetric session key, after which the data is encrypted with symmetric ciphers. Because the session key is derived from secrets neither side transmits in the clear, and the server's certificate is checked during the handshake, an attacker in the middle cannot read or silently alter the traffic. Current versions are TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446); TLS 1.0 and 1.1 were deprecated in RFC 8996 (2021). Attacks such as POODLE succeeded not by breaking this design but by tricking endpoints into falling back to the obsolete SSL 3.0.
POODLE
Padding Oracle On Downgraded Legacy Encryption.
An attack announced in October 2014 that exploits a flaw in SSL 3.0's CBC-mode padding. An attacker positioned in the network first forces the client and server to downgrade to SSL 3.0, then uses the server's acceptance or rejection of modified records as a padding oracle; roughly 256 requests suffice to recover one byte of encrypted content, such as a session cookie. TLS was considered immune until December 8, 2014, when a POODLE variant was announced that affected TLS implementations which failed to check padding bytes properly (a bug in particular products, not in the TLS specification). The fix is to disable SSL 3.0 entirely and keep implementations patched.
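Added example (not from the original page) showing, with Python's standard ssl module, the difference between a 2014-style client configuration that leaves the protocol floor open and a hardened one that refuses SSL 3.0 and TLS 1.0/1.1. No network connection is made; the functions only build and inspect contexts, and whether SSL 3.0 is actually available depends on how the linked OpenSSL was built.

```python
import ssl

# Versions that must not be negotiated any more: SSL 3.0 (RFC 7568, after POODLE),
# TLS 1.0 and TLS 1.1 (RFC 8996).
DEPRECATED_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def permits(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """Whether the context's configured version window admits `version`.
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning 'whatever the
    linked OpenSSL allows', so they are treated as open ends of the window."""
    low, high = ctx.minimum_version, ctx.maximum_version
    low_ok = low == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= low
    high_ok = high == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= high
    return low_ok and high_ok


def deprecated_versions_allowed(ctx: ssl.SSLContext) -> list:
    """The obsolete protocol versions this context would still negotiate."""
    return [v for v in DEPRECATED_VERSIONS if permits(ctx, v)]


def legacy_client_context() -> ssl.SSLContext:
    """A 2014-style configuration: the version floor is left to the library, so
    a downgrade to anything the linked OpenSSL still speaks is possible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, nothing older than TLS 1.2.
    A server-side context gets the same minimum_version line."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()), ("hardened", hardened_client_context())):
        print(label, [v.name for v in deprecated_versions_allowed(ctx)])
```

Setting the floor with minimum_version is the modern replacement for the old OP_NO_SSLv3 style of per-version flags; the context then refuses the downgrade rather than relying on the peer not to attempt it.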
Man-in-the-Middle Attack (MITM)
A form of attack in which the attacker secretly relays, and possibly alters, communications between two parties who believe they are communicating directly with each other. MITM attacks can be used for simple eavesdropping, or to make parties disclose information by requesting it directly during the course of the exchange. Properly validated TLS certificates are the standard defense.
Network Protocol
A network protocol is a specification of the processes, requirements, and constraints for establishing a connection and conducting communication between computers, servers, routers, and other devices on a network. Both the sender and receiver must conform to the protocol for communication to succeed.
A common, informal classification has three groups: communication protocols such as TCP/IP, HTTP, and FTP; security protocols such as HTTPS, TLS, and SFTP, which define rules for secure communication; and management protocols such as SNMP and ICMP, which provide monitoring, error reporting, and maintenance functions.
TCP/IP
Transmission Control Protocol / Internet Protocol.
Also known as the Internet protocol suite, TCP/IP provides end-to-end data communication on the internet. It specifies how data is packaged, addressed, transmitted, routed, and received.
The TCP/IP architecture is organized into four abstraction layers: link, internet, transport, and application. The link layer handles communication within a single network segment. The internet layer (IP) routes packets between networks. The transport layer (TCP, UDP) gives applications on different hosts the ability to communicate with one another. Finally, the application layer (SMTP, HTTP, DNS, and so on) provides services to users and system functions.
PKI
Public Key Infrastructure.
A PKI specifies the roles, policies, and procedures for the creation, management, distribution, storage, and revocation of digital certificates in support of public key cryptography. PKIs make possible the secure transfer of data over networks where simple password protection is insufficient and the identity of the parties must be proven.
In a PKI, public keys are bound to the identities of individuals, organizations, or hosts. This is done by registering with a Certificate Authority, proving control of the identity, and receiving a certificate signed by that authority.
Public Key Cryptography
Also known as asymmetric cryptography. Any cryptographic scheme that uses a pair of keys, one public and one private. Public keys can be known to all users of the system, whereas a private key is known only to its owner. Anyone who knows a user's public key can send them a confidential message by encrypting it with that key; only the matching private key can decrypt it. The reverse operation provides authentication: the owner signs data with the private key, and anyone can verify the signature with the public key. Encryption alone does not authenticate the sender, since anyone can encrypt to a public key; confidentiality and authentication come from the two different uses of the key pair.
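Added example, not from the original page: schoolbook RSA in Python (no padding, small Mersenne-prime moduli chosen only for the example, never for real use) to show why encrypting to a public key gives confidentiality but not authentication, and why a signature is needed for the latter. The three parties and the message are constructed.

```python
import hashlib

# Mersenne primes used as textbook RSA factors. This is schoolbook RSA with no
# padding and tiny moduli: fine for showing how the two key uses differ, unusable
# for real security (use a vetted library with OAEP/PSS or Ed25519 in practice).
MERSENNE = {31: 2**31 - 1, 61: 2**61 - 1, 89: 2**89 - 1, 107: 2**107 - 1, 127: 2**127 - 1, 521: 2**521 - 1}
PUBLIC_EXPONENT = 65537


def keypair(p: int, q: int):
    """Return (public, private) as (n, e) and (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)          # modular inverse (Python 3.8+)
    return (n, PUBLIC_EXPONENT), (n, d)


def encrypt(public, message: bytes) -> int:
    """Confidentiality: anyone holding the public key can produce this ciphertext."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Authentication: only the private key holder can produce a value that
    verifies under the matching public key. Sign a hash, not the message."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest()[:8], "big")  # truncated so h < n for every key here
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest()[:8], "big")
    return pow(signature, e, n) == h


# Three parties with distinct key pairs (constructed for this example).
ALICE_PUB, ALICE_PRIV = keypair(MERSENNE[31], MERSENNE[61])
BOB_PUB, BOB_PRIV = keypair(MERSENNE[127], MERSENNE[521])
MALLORY_PUB, MALLORY_PRIV = keypair(MERSENNE[89], MERSENNE[107])


def demo() -> dict:
    note = b"Wire the deposit to account 4471"
    # Confidentiality: Bob can read what Alice encrypted to his public key...
    from_alice = decrypt(BOB_PRIV, encrypt(BOB_PUB, note))
    # ...but Mallory can encrypt to Bob's public key just as well, so a ciphertext
    # that decrypts correctly says nothing about who sent it.
    from_mallory = decrypt(BOB_PRIV, encrypt(BOB_PUB, note))
    # Authentication: a signature ties the message to one specific private key.
    alice_sig = sign(ALICE_PRIV, note)
    return {
        "bob_reads_alice": from_alice == note,
        "bob_reads_mallory": from_mallory == note,
        "alice_sig_verifies": verify(ALICE_PUB, note, alice_sig),
        "mallory_forgery_verifies": verify(ALICE_PUB, note, sign(MALLORY_PRIV, note)),
        "tampered_verifies": verify(ALICE_PUB, note.replace(b"4471", b"9902"), alice_sig),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:26} {outcome}")
```

In practice the two operations are combined: the sender signs with their own private key and then encrypts (or, more commonly, a symmetric session key) for the recipient's public key, which is exactly what S/MIME, PGP and the TLS handshake do.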
Certificate Authority (CA)
Often abbreviated CA. An organization that issues digital certificates. A digital certificate attests that the holder of a given public key is the entity named in the certificate; in other words, it certifies the identity of the key's owner. This lets users of a system rely on assertions made with the private key corresponding to the certified public key. The CA therefore acts as a trusted third party in public key cryptography, and that trust depends on the CA verifying identities carefully and protecting its own signing keys.
Symmetric Key Cryptography
A cryptographic system in which the same key is used both to encrypt and to decrypt a message, so the key must be known to both the sender and the receiver and exchanged over some secure channel beforehand. In some algorithms the encryption and decryption keys are formally distinct but one is trivially derived from the other; this derivation adds no security, since anyone who holds either key effectively holds both. Symmetric ciphers such as AES are much faster than public key operations, which is why protocols like TLS use public key cryptography only to agree on a symmetric session key.
FTP
File Transfer Protocol.
A protocol for transferring files between a client and a server over a network, using separate control (port 21) and data connections. Users typically authenticate with a clear-text user ID and password, both of which can be read by anyone able to observe the traffic, and some servers are configured to allow anonymous access as well. For sensitive data, FTPS (FTP over TLS) or SFTP should be used instead.
SFTP
SSH File Transfer Protocol (often expanded as Secure File Transfer Protocol).
Despite the name, not FTP run over a secure connection but a separate file transfer protocol that runs as a subsystem of SSH. The client authenticates to the SSH server first, and the entire session, including directory listings, file contents, and credentials, is carried over the encrypted SSH channel on port 22. Do not confuse it with FTPS, which is classic FTP wrapped in TLS.
SNMP
Simple Network Management Protocol.
An internet protocol for collecting and managing information from devices on a TCP/IP network. SNMP is supported by a wide variety of devices such as routers, switches, cable modems, printers, and of course computers, which are remotely monitored and managed with it. SNMP versions 1 and 2c authenticate with a "community string" sent in clear text (the default "public" is still common), so they should be restricted to management networks; SNMPv3 adds authentication and encryption.
ICMP
Internet Control Message Protocol.
A network protocol that defines the format and passing of error and other control messages in response to events in the TCP/IP stack. An example is the Time To Live (TTL) field of an IP packet, which each router decrements as it forwards the packet. When the TTL reaches 0, the router discards the packet and returns an ICMP "Time Exceeded In Transit" message to the sender. This is the mechanism traceroute uses to map a path, and it is also why ICMP is often filtered or rate-limited at network boundaries.