This is an updated glossary based on our years in Sunbelt Software as an antivirus developer, and in KnowBe4 as a Gartner Leader in the security awareness training space. We are sharing it here as a resource. Each letter starts with acronyms in alphabetical order, then full words. (last updated Aug 4, 2020)
Automatic Clearing House, companies that do Electronic Funds Transfers. There is a tremendous amount of cybercrime and fraud connected to this area.
Access Control List. Access Control is a system or technique for allowing or denying access. Passwords and other types of ID are access controls. In Windows, an access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee.
Active Directory. AD is a directory service (a database really) that a network administrator uses to control network security. A server running Active Directory is called a domain controller. AD authenticates and authorizes all users, computers and software in a Windows network—assigning and enforcing security policies for all computers and installing or updating software. See Wikipedia. If you want to have your own software communicate with Active Directory, you use the so called "Lightweight Directory Access Protocol" (See LDAP futher below ). In our case, we want to communicate with our customer's AD (using LDAP) to synchronize changes in new users and people leaving the company with the database of users on our side so that there is much less or no user management left to do for the system admin at our customer.
One other word related to Active Directory is "OU" or "Organizational Unit" since we allow our users to specify what they want to synchronize by both security group and OU. Here is a good definition: An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure.
Acceptable Use Policy. A policy that defines the actions that network users are allowed to perform. Used both inside private organizations, ISPs and public entities like libraries.
In our world, short for Antivirus, not (Audio/Visual). A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
Application Programming Interface. An application programming interface (API) is an interface given to a software program so that other software can interact with it, much in the same way that software has a user interface in order to allow humans to interact with it. Here is another way to look at it: "An API, short for application programming interface, is a series of rules. To be even clearer, it is an information middleman. APIs allow for an application to extract information from a piece of software and use that information in their own application, or sometimes for data analysis. In the plainest terms, an API is a blueprint that enables "your stuff" to talk to and work with "their stuff." See Wikipedia.
Short: Advanced Persistent Threat (APT) refers to prolonged, stealthy attacks that are generally difficult to detect and may go on for many months before they are discovered. An APT is a threat that is targeted, persistent, evasive and advanced. A key difference between most malware and an APT is the ATP’s ability to persist — that is, to evade detection by network security controls while still collecting and extracting data.
Long: An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, etc.). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
Address Space Layout Randomization. A security feature in the Windows OS which randomly assigns executable code to 256 potential RAM locations, trying to protect against buffer overflow attacks.
The brand name of a group of Microsoft technologies that allow for special additional features in HTML. You implement ActiveX with “controls”, but using these can open the door to hackers as it makes the attack surface a lot bigger.
A type of scam in which a cybercriminal persuades a potential victim to help transfer a substantial amount of money to an account. The victim is offered a commission for facilitating the transaction or multiple transactions. Many Nigerian scams, also called the 419 scam, are a prime example of advance-fee fraud.
Agile Software Development
Fast and flexible software development methodology that is used by KnowBe4 for rapid development of our products. See Wikipedia.
Adware is any software which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive, and can be used by cyber criminals to steal confidential information.
A set of rules to be followed in problem-solving operations. You can use algorithms for practically any kind of computer debugging or handling malware. Here is a YouTube example of a very popular encryption algorithm: SHA-256.
Angler phishing is the practice of masquerading as a customer service account on social media, hoping to reach a disgruntled consumer.
Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is an international consortium that brings together businesses affected by phishing attacks, security products and services companies, law enforcement agencies, government agencies, trade association, regional international treaty organizations and communications companies. See Wikipedia.
Anti-Spyware Coalition (ASC)
The Anti-Spyware Coalition (ASC) is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies.
The “attack surface” of a software environment is all the points (the “attack vectors”) where an attacker can try to penetrate the network. More at Wikipedia. An organization’s “phishing attack surface” is all the email addresses of that domain that can be found by the bad guys.
An “attack vector” in simple terms is any way, direction or method to get into a network. Some examples of attack vectors can be un-patched software, badly written code that allows for buffer overflows, or social engineering using infected phishing attachments.
A process that provides proof that the person who is trying to log in is in fact legit and authorized to access the network.
An organization in Germany run by Andreas Marx, which provides independent antivirus testing for AV Vendors and for magazines like PCWorld. They are here.
Short for Business Email Compromise, which is also known as CEO Fraud. Also See EAC and VEC.
Best In Class.
BGP hijacks (Border Gateway Protocol) take place when an ISP announces the wrong Internet route to a specific destination. In most cases, BGP hijacks are accidents, such as typos, and result in worldwide Internet providers sending large swaths of traffic to the wrong servers.
But there are also incidents when malicious ISPs intentionally announce a wrong BGP route in order to hijack traffic meant for particular targets, such as crucial DNS servers, financial services, government sites, military domains, and more. The purpose of these malicious BGP hijacks is the have traffic meant for those targets flow through the malicious ISP's network, where it can sniff its content or carry out Man-in-the-Middle attacks. For instance, this really happened. all traffic for Washington DC was routed to China for a few hours. Guess who was sniffing the data...
Browser Helper Object. Designed by Microsoft with the best of intentions, BHO’s were intended as ‘plug-ins’ to add functionality (like toolbars) to Internet Explorer. Unfortunately, malware authors have also exploited the power of BHO’s for other purposes such as spreading malware.
Bring Your Own Device. It’s your network, but it’s their personal device, either a phone, tablet or laptop. What could go wrong? Mobile devices are a fabulous way for hackers to penetrate the network using social engineering techniques. Mobile device security has not kept up with mobile device malware and if hackers can infect a mobile device, it’s an easy way to hack into the network.
Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download or it can be a USB drive labeled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.
A backdoor in a PC is a method of bypassing normal authentication, obtaining remote access to a PC, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or malware could modify existing software on the PC creating a backdoor that way. Here is an overview of the threat types, categories and their descriptions:
Term from Agile software development. Also called ‘Sprint Backlog’. It is a list of items left to be done. See ‘Agile’, ‘Burndown’, and ‘Sprint’.
A document that Sales uses internally, which lists the strengths and the weaknesses of a specific competitor combined with the strengths of our own product.
Banker Trojans, designed to steal financial information entered into browser-based online forms are the cybercriminals’ answer to the crackdown on keylogging. In addition to snatching form input, Banker Trojans are also designed to trick users into visiting web sites designed to look authentic. Once there, users are prompted for personal information causing identity theft.
An old-ish statistical method mainly used as a baseline to filter out spam which does not work very well. The bad guys have found many ways around it.
Antivirus detects malware using signatures, heuristics and behavior. The behavior-based method varies by product.
Testing performed by a group of customers in a live application of the software, at one or more end user sites, in an environment not controlled by the developer.
A list of known bad files, bad domains or bad email addresses you do not want mail from. The first two are blocked by Antivirus when the user tries to access them. Bad email addresses (senders) can be blocked in a variety of ways. Also see Whitelist.
Malware often contains more than one malicious technology. It can have the characteristics of a worm, but use virus technology to infect other machines, and behave like a Trojan. The malicious code is a blend of technologies. This is the thing that system administrators fear the most, by survey.
Software that takes a lot of CPU and Memory resources while running on the computer. Antivirus companies have been adding more and more code over the years to protect against increasingly sophisticated malware. But they are using LOTS of CPU and RAM to do it, and so system admins call these traditional AV vendors as creating ‘bloatware’.
A process that captures traffic addressed to a legitimate website and sends (redirects) it to a different website instead. Some malware does automatic redirection to fool users into thinking they’re interacting with a valid and legitimate site rather than a malicious one.
A virus that infects the Master Boot Record (MBR) of a hard disk drive.
Also called “buffer overrun”. Simplified, it’s a case of sloppy coding which allows an attacker to write data to a memory buffer, overruns that buffer’s boundary, and overwrites the memory next to it with executable code that they can then use to hack into the system.
A more technical explanation is as follows: In computer security, a buffer overrun, or buffer overflow, is an unwanted condition where a process stores data in a memory buffer outside the memory the programmer set aside for it. This extra data overwrites adjacent memory, which may result in a variety of errors, including a breach of system security. Hackers try to trigger buffer overflows with inputs that are designed to execute malicious code. Here is a short video on Youtube explaining that process.
A fault in a program which causes the program to perform in an unintended or unanticipated manner.
A term used in ‘agile’ software development, a method that KnowBe4 uses. The burndown chart is a publicly displayed chart showing remaining work in the sprint backlog. Updated every day, it gives a simple view of the sprint progress. It also provides quick visualizations for reference. See ‘Scrum’, and ‘Sprint’.
Bot, spam bot, ddos bot
Software, owned and controlled by the bad guys, that lives on infected PCs and runs autonomously. See ‘Botnet’ and ‘DDOS’.
Botnet, also called ‘Bot army’
Botnet is a jargon term for a collection of software robots, or ‘bots’, that live on infected PCs and run autonomously. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities. Botnets do many bad things, like spew out spam, attack other PCs or web servers, or send back confidential data to the botnet command-and-control (C&C) servers. They are managed by a “Bot Herder”
The bad guy, who attacks other systems with the botnet(s) that he owns.
A malicious piece of software that changes the web browser’s settings without the permission of the user. Examples: change the Home page to another site, changes the search engine default page and other activities, generally attempting to force hits to a certain website to boost that site’s advertising revenue.
Brute force attack
A Brute Force Attack is a relatively simple, automated method to gain access to a system. The brute force software tries usernames and passwords, over and over again, until it gets in. It’s not very sophisticated, but when users have passwords like ‘123456’ and usernames like ‘admin’, it’s very effective. They are an attack on the weakest link in IT security: the user.
Command & Control Server used to run botnets. See ‘Botnet’.
Spear phishing attacks focusing on people in Accounting, claiming they are the CEO and to urgently transfer large amounts of money. CEO fraud is a form of social engineering that took flight during 2015.
California Database Security Breach Act. CA State law which requires disclosure to CA residents if their PII or PHI has been stolen or is believed to have been stolen (See PII and/or PHI). If more than 500 records are stolen, lawyers almost immediately file a class-action lawsuit.
CDW is the world's largest high-tech reseller. They are a DMR, a Direct Market Reseller also known as an e-tailer which is a company that sells directly to consumers online without operating storefront operations of any kind.
No, not the Langley guys. Information Security term meaning Confidentiality, Integrity, and Availability. It is a model designed to guide policies for information security within an organization. Confidentiality is a set of rules that limits access to information. Integrity is the assurance that the information is relevant, accurate and trustworthy. Availability is a guarantee of ready access to the information by authorized people.
Chief Information Security Officer
Chief Security Officer
Children’s Online Privacy Protection Act. A U.S. Federal Law that requires owners of social media sites and websites directed at children under 13 to get parental consent before the site collects and uses the child’s personal information.
A scheme in which a person uses social media to pretend to be someone they’re not, typically to engage in misleading online romances. To “catfish” is to “lure someone into a relationship by adopting a fictional online persona.” The person doing the deceiving is the catfish.
Data that has been encrypted and cannot be read by a human, as opposed to cleartext.
Data that has not been encrypted and can be read by a human, as opposed to cyphertext. Sending credit card data over the Internet in cleartext is an invitation to disaster. Storing confidential information on hard disk without encrypting it is making a hacker’s life easy.
En eyecatching link or controversial story on a website which encourages people to read on. Can also be used to get users to click on links to malware.
The name ‘cloud computing’ was inspired by the cloud symbol that is often used to represent the Internet in flow charts and diagrams. It means using applications that live on the Internet instead of on your PC or your corporate server. SalesForce.com is a good example, but there are many others. The advantage is that someone else takes care of the hardware and software, (for a fee). There are different categories of cloud computing, here are a few: Software as a Service (SaaS), Utility Computing, and Managed Service Providers (MSP).
A computing model where a company does not have its own servers, but rents server space in large datacenters. KnowBe4 lives in the Amazon cloud.
A stage of the software release life cycle when all the features are coded. At this point lots of testing and a Beta test is needed before the software would be ready for release. See ‘PMD’. See Wikipedia.
Code Signing Certificate
When a software company releases a software product they should sign the application with a code signing certificate that identifies the application as created by them and that the application has not been modified by anyone else. Antivirus companies use this for whitelisting of good applications by the company that signed the application, for example DELL, Microsoft, Apple, etc. They also use this for blacklisting all applications from certain companies like known to create unwanted software.
Company Extinction Event (CEE)
A bug so severe that it would cripple the service you provide so bad, that it would kill the whole company. For instance, antivirus are very powerful engines, so it has the power to bite very hard and make a brick out of people’s workstations instantly, by the millions. It almost happens now and then to most antivirus companies who regularly dodge bullets like this.
The process of determining the ability of two or more systems to exchange information. In a situation where the developed software replaces an already working program, an investigation should be conducted to assess possible comparability problems between the new software and other programs or systems.
The action or fact of complying with a wish or command. From “comply” – act in accordance with a wish or command. From Latin “complire” – to fill or fulfill.
A compliance report is a report to the originator of an order that the order has been done and is a completed cycle. When a compliance officer receives a “done” as a single statement without any evidence, noncompliance can slip through. That is why every compliance report must be accompanied with evidence that shows the cycle is indeed a real “done”. or at the very least an attestation from the Directly Responsible Individual that the task has been completed.
In the context of KnowBe4 Compliance Manager it means having an (IT) environment that is up to the standards of the regulations of that industry one is in. Many industries are regulated by one law or another and need to comply with that law, for instance HIPAA for Health Care organizations, Sarbanes-Oxley for public companies and many others. Also applicable to PCI compliance which are rules laid down by the Payment Card Industry Data Security Standard (PCI DSS). More here on our website. Here is the graph of the word use over the centuries.
The use of algorithms, automation, and big data to shape public life – is becoming a pervasive and ubiquitous part of everyday life.
Forensic Science dealing with legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics. It’s simply using special software tools to search for and preserve evidence of a crime. See Wikipedia.
Also known as Downup, Downadup and Kido, is a computer worm targeting the Windows operating system, and was first detected in November 2008. It uses flaws in Windows software to make PCs into zombies and link them into a botnet that can be commanded remotely by its criminal owners. Conficker at its peak had more than seven million computers under its control. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer. Antivirus catches and quarantines Conficker, but we have to keep on top of this one, as it is being run by very smart bad guys.
A simplified look at a container is a set of processes that are isolated from the rest of the system. All the files necessary to run a container are provided from a distinct image. This means that containers are portable and consistent as they move from development, to testing, and finally to production, and you can quickly get a new AWS instance up & running. Here is a sysadmin guide to containers.
The sudden and complete failure of a computer system or component.
In which hackers rapidly test email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across multiple sites on the internet. Here is an article.
Malware intended to steal money from an individual or financial institution.
The term Cyber- or Computer crime encompass a broad range of potentially illegal activities. In KnowBe4’s context, we mean crimes that target computer networks or devices and their users directly. A few examples out of many more possible:
Cybercrime Attack Map
Kaspersky has a live map that shows all cyber attacks going on in real time. You can see it here.
Organized crime penetrating the network of an organization and emptying their bank accounts via the Internet. Also the title of a book by KnowBe4’s CEO Stu Sjouwerman for executives of enterprises explaining the dangers of cybercrime. See this.
An attacker who is motivated by some idealogy and tries to destroy computers, networks and physical infrastructure like water plants, energy plants and commercial infrastructure like stock markets.
Short for the combination of german-speaking countries Germany, Austria, and Switzerland.
A distributed denial of service attack (DDoS). A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Done in various ways, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all.
Data Execution Prevention. A security feature in the Windows OS which tries to prevent hackers from using buffer overflow attacks.
Dynamic Host Control Protocol. It’s a standardized protocol that dynamically provides IP address assignment from a pool of available IP addresses from an ISP or a network router. A “DHCP lease” is the lease of an IP address to a network user. DHCP is part of the Internet’s TCP/IP protocol suite.
DKIM (DomainKeys Identified Mail) is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing email. Forged email is a serious threat to all parties in an email exchange. See DKIM.org
Data Loss Prevention. DLP is a computer security term referring to systems that identify, monitor, and protect corporate data. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information. See Wikipedia.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. ... DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). See Wikipedia.
Direct Market Reseller, also known as an e-tailer which is a company that sells directly to consumers online without operating storefront operations of any kind.
Demilitarized Zone. A separate computer host or even a small network placed as a “neutral zone” between an organization’s secure private network and the outside insecure Internet. The DMZ does two things: 1) prevents outside users from getting direct access to a system which has confidential information, and 2) provides Internet access to users in that organization.
DNS hijacking, also known as silent server swaps, is a malicious attack vector that can be used to forcibly redirect web traffic to websites that are either fake or different from the ones you’ve requested. Here is a blog post that explains DNS Hijacking.
Deep Packet Inspection. A form of computer network packet filtering. DPI is performed as the packet passes an inspection point, searching for non-compliance, viruses, spam, intrusions or predefined criteria to decide what actions to take on the packet, including collecting statistical information. This is in contrast to shallow packet inspection (usually called Stateful Packet Inspection) which just checks the header portion of a packet. See Wikipedia
A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. More at Wikipedia
The process of changing (encrypted) ciphertext back into cleartext.
Defense in Depth is a security discipline that protects all six levels of an IT infrastructure. including policies, procedures & awareness, perimeter, internal network, host, application and data.
An automated attack on a password that uses common words from dictionaries and compares these to the password being attacked. If you use a common word from a dictionary as your (very weak) password it’s an invitation to be hacked.
A digital stamp or electronic document that verifies the identity of a person or organization. The certificate includes a very secure password issued by a reputable certificate authority, such as VeriSign or Thawte.
Cleaning up a PC that is infected with malware. Disinfection can be done automatically by Antivirus, but sometimes needs to be done manually by our Security Response Team.
False information which is intended to mislead, especially propaganda issued by a government organization to a rival power or the media.
These are also called influence campaigns or manipulation campaigns. Disinformation is often forwarded to friends and family and at that point it is called misinformation.
Russia invented disinformation under the leadership of Joseph Stalin who created a special agency that took propaganda campaigns to w shole new level called Dezinformatsiya.
An IT channel distributor is a business that acts as an intermediary between vendors like KnowBe4, resellers like VARS or system integrators (SIs) in the distribution of software or hardware. Here is a more detailed definition.
The way in which something is placed or arranged, especially in relation to other things. For PhishER, we mean taking "unknown" emails and arranging them into "clean/spam/threat".
Domain Name System (DNS) servers map a human-recognizable identifier (e.g. www.KnowBe4software.com) to a computer-recognizable numeric identification (e.g. 220.127.116.11 which is KnowBe4’s Terminal Services machine). See Wikipedia.
Domain Spoof Test (DST)
A service that KnowBe4 provides, which sends an email to a prospect that is spoofed to come from their own domain. This is not supposed to be able to get through to them. Their mail server needs to be configured so that these emails from the outside that have an inside email address are deleted. Request a free DST here.
Downloader, also Rogue Downloader
Scam applications often are not the first unwanted program to land on a person’s system. A Downloader, such as Trojan.Zlob infect the system first and then download the misleading application to the computer. Once the downloaded application is installed and ready, the malware that installed it will inform the user that they are infected with a new, previously unknown threat. This can be done through a “balloon message” that appears in the lower right-hand side of the system. The misleading application will then present itself and either pretend to download or run a scan of the system.
Drive-by-download, also called Drive-by-install
Something bad got installed on a user’s PC without their knowledge or consent. It is a transfer of software from a web server to an unsuspecting user’s computer. It occurs in the background, with no notification, when a user visits a particular web page. A user need only access the web page to be subject to the download. Such downloads usually include malware when some kind of scam or attack is under way. The expression is used in four increasingly strict technical meanings. See Wikipedia for those.
Dumpster diving involves looking in the trash for any valuable information, like data written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information.
EAC is short for Email Account Compromise, a close relative of BEC. The primary difference is with EAC, criminals target individuals rather than businesses to initiate fraudulent wire transfers.
Electronic Funds Transfer
Email Exposure Check. KnowBe4 provides a free Email Exposure Check for prospects. We do a ‘deep search’ in the Internet’s search engines for all email addresses that belong to a certain domain. We are able to look into PDFs, Word and Excel files as well. IT security specialists call it the ‘phishing attack surface’. Customers that buy the GOLD package get sent an EEC every month. The EEC has been upgraded to EEC Pro spring 2018 and delivers more information.
The EICAR virus (pronounced eye-car) was developed as a sample virus that is used in the IT security industry to see if antivirus is working. It's completely safe, it's only used to test the basic functionality of antivirus.
End Of Life. Software industry lingo meaning a product will be retired and no longer supported.
End-User License Agreement. (That thing no one ever reads…) A software license agreement is a contract between the “licensor” and purchaser of the right to use computer software. The license may define ways under which the copy can be used, in addition to the automatic rights of the buyer. Many EULAs are only presented to a user as a click-through where the user must “accept” and is then allowed to install the software.
Email Antivirus Scanning
Scanning enterprise email for antivirus can be done in four (!) different spots.
Another word for the workstation that is used by an end-user in an organization. Refers to a computer or device at the end of a network cable. The PC you are reading this from is called an ‘endpoint’ by system administrators. Symantec calls their corporate antivirus Symantec Endpoint Protection (SEP).
Improve or enhance the quality or value of. When adding additional data about reported emails we are giving the admin more at a glance information about what they are looking at, thus we are enriching the messages.
A policy created for employees in an organization which is supposed to be a guide and a reference for said employees that helps them make day-to-day decisions which are “the greatest good for the greatest number”. Also known as a “Code of Ethics”. As opposed to “Acceptable Use Policy” which is more like a Moral Code with hard “survival” rules about do’s and dont’s to keep the organization alive.
Short for ‘Microsoft Exchange Server’ which handles corporate email (and more). There are Antivirus Security Products for Exchange which protect the Exchange server against viruses and spam. MS-Exchange is out there in five versions, 2003, 2007, 2010, 2012 and 2014.
Exploit, sometimes called zero-day exploit
An exploit (French, meaning “achievement”) is (usually malicious) software that takes advantage of a bug, glitch or vulnerability in other code in order to cause unintended or unanticipated behavior to occur, and control of a computer system can be gained. See ‘Zero-day’.
An Exploit Kit (EK) is a malicious piece of code installed on a compromised web server designed to find vulnerabilities (flaws, weaknesses or mistakes in software apps) in the systems (clients) that request data from the server, and use the vulnerabilties to gain access into that (client) system. EKs are used in the first stages of a cyber attack, because they have the ability to download malicious files and feed the attacked system with malicious code after infiltrating it. Example: The owner of A PC with old versions of Flash and the Firefox browser was social engineered to go to a legit but compromised website. The EK discovered the old software versions, looked in its database of known vulnerabilties, and used exploits to take over the PC and infect it with ransomware.
Scams originating from Nigeria are called 419 scams as the number “419” refers to the article of the Nigerian Criminal Code dealing with fraud. Most of the scams are very old, have been used earlier with fax and snail mail, and are now used on the Internet. There is a whole industry in Nigeria around these scams.
Fake news is the promotion and propagation of news articles via social media. These articles are promoted in such a way that they appear to be spread by other users, as opposed to being paid-for advertising. The news stories distributed are designed to influence or manipulate users’ opinions on a certain topic towards certain objectives.
False Positive. In the antivirus world this means a file is flagged as malicious (and possibly quarantined) when it isn’t. This can cause the computer to malfunction. In the antispam world an FP means that a legit email was flagged as spam and quarantined.
A product build is called feature complete when the product team agrees that functional requirements of the system are met and no new features will be put into the release, but significant software bugs may still exist. This happens at the Beta stage in the Software Development Life Cycle (SDLC).
Short: A device or software product that can block attacks by filtering data packets.
Long: A firewall is designed to block unauthorized access while permitting authorized communications. Either hardware or software, it is configured to permit or deny all (in and out) computer traffic based upon a set of rules and other criteria. There are several types of firewalls. See Wikipedia. In KnowBe4 we use the term ‘human firewall’ to indicate all users are trained to a point where they do not fall for any social engineering tricks.
The process you use to rewrite the contents of EPROM like the BIOS. An EPROM is a read-only memory chip whose contents can be erased and reprogrammed.
In our context, “digital forensic science” that deals with legal evidence found in computers and digital storage media. The goal is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting evidence of a cybercrime.
The Gramm-Leach-Bliley Act (GLBA, pronounced “glibba”), also known as the Financial Modernization Act of 1999, is a U.S. federal law that requires banks and financial institutions to protect private information of individuals.
Gamification is the addition of gaming features or principles to something that typically does not have a gaming element--in our case, security awareness training and e-learning content. Gamification has been shown to improve user engagement by increasing people’s inherent ambition to compete, achieve, or master. Studies have shown that when people are intrinsically motivated to complete a task, they learn better and retain more information.
Manipulate (someone) by psychological means into questioning their own sanity. "in the first episode, Karen Valentine is being gaslighted by her husband"
Device or software that is between the internal network and the external network.
A Potentially Unwanted Program, also called “PUP”.
The Health Insurance Portability and Accountability Act, was enacted by the United States Congress and signed by President Bill Clinton in 1996. It requires healthcare organizations to protect personal health information. (See PHI)
Host Intrusion Prevention System. Intrusion prevention systems (IPS) are a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. See Wikipedia
Originally: A person who has advanced computer skills, is enthusiastic and skillful. If they attack computers it is not done with malicious intent. Recently though the definition has changed and means anyone who illegally breaks into or tries to break into networks and/or computers.
About 90% of email that goes through the internet is spam. In the antispam business, the other (good) 10% is called ‘ham’. (no joke)
Heuristic comes from the Greek for “find” or “discover”. They are experience-based techniques that help in problem solving. Heuristics are “rules of thumb”, or educated guesses. Antivirus uses heuristics in the form of dynamic pattern assessment to determine if a code sample is malware.
Antivirus detects malware using signatures, heuristics and behavior.
A term used to describe when two or more characters have shapes that are similar or identical. A simple example is the number zero and a capital letter "o", it's easy to confuse an O a 0.
These are like honeypots, but instead of lying totally dormant, they emulate user’s surfing behavior and can catch malware that way.
A file on a PC or server that sits equipped with a beacon, waiting to be stolen and then calls home to tell its owner where it is and who stole it.
A PC that sits, unprotected, on the Internet waiting to get infected through the FTP and HTTP threat vectors.
A social engineering trick that makes men interact with a fictitious attractive female online. From old spy tactics where a real female was used.
A new version of the software that fixes a bug or adds a new feature.
With our information systems under aggressive attack, we cannot ignore any layer of the defense-in-depth model. The human element of cyber security is too often overlooked. Workforce cyber preparedness is urgently needed. Security Awareness Training can pay off by training users on what they can do to prevent malicious activity and what to do in the event of such activity. It helps people to see their identity as an important part of keeping their organization secure and that what they do matters.
Hijacker, also called ‘Homepage hijacking’
Spyware that changes the default homepage someone has, to a site that displays ads, a different search engine, or worse, porn. They are very hard to get rid of for the average consumer.
The FBI's Internet Crime Complaint Center. They are here.
ICSA Labs provides vendor-neutral testing and certification for security products and solutions. Here they are.
Internationalized Domain Name - A domain name that contains at least one language-specific set of characters. A "normal" domain name, such as KnowBe4.com, uses only Latin characters (those normal ABCs that America thinks are normal). A domain like KnöwBe4.com (see the "o"?) would be an example of an Internationalized Domain Name.
Intrusion Detection System. An Intrusion detection system (IDS) is a network security device (or software) that monitors network and/or system activities for malicious or unwanted behavior. Also see ‘HIPS’
Internet Service Provider.
In The Wild. ItW is the name for malware that is supposed to be out there in the wild. Opposed to the ‘Wildlist’ which is the official CURRENT actual list. That list can change every month. Something that is on the Wildlist is ALWAYS ItW but something that is ItW listed doesn’t necessarily have to be in the actual Wildlist.
Taking someone else’s Social Security Number, Address and other important personal information to establish false credentials and commit fraud. A good example is the creation of fraudulent credit card accounts, racking up charges which are then left unpaid, leaving the identity theft victim with the credit card debt and a ruined credit rating.
Incident Response (IR)
In the event that the security of a system has been compromised, a quick incident response is necessary. It is the responsibility of the security team to respond to the problem quickly and effectively. An example would be a security team’s actions against a hacker who has penetrated a firewall and is currently sniffing internal network traffic. The incident is the breach of security. The response depends upon how the security team reacts, what they do to minimize damages, and when they restore resources, all while attempting to guarantee data integrity. (See Forensics).
Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Take into the body by swallowing or absorbing it. In the case of PhishER, email messages are ingested—taken into— into the system and arrive in the PhishER console for processing.
A fully developed programming language which can be used to create standalone applications,
A separate program that you see inside a browser adding special functionality to a website (HTML page).
During the mid-nineties, Kevin Mitnick was the ‘World’s Most Wanted Hacker’, and now is a very successful Fortune 500 Security Consultant: Based on his 30+ years of first-hand experience with hacking and social engineering, KnowBe4 created its Security Awareness Training. Kevin is part owner of KnowBe4.
The foundation of the Operating System is called the Kernel. It provides basic, low-level services like hardware-software interaction and memory management. If a product works at the kernel level, this has many advantages.
Keylogger aka Keystroke logger
A form of malware or device that observes what someone types on their keyboard and sends this data back to the bad guys. There are several ways to do this, using either software or hardware.
KnowBe4 Product Abbreviations
Kevin Mitnick Security Awareness Training = KMSAT (with year indication)
KnowBe4 Compliance Manager = KCM GRC Platform
Here is an overview of KnowBe4 Training Modules
The kill chain, a military term, is defined as: “The sequence of events that must succeed to destroy a target.” Actively defending across the cyber kill chain may enable a company to detect an attack sooner and potentially disrupt or block it before the real damage occurs. At a minimum, it will force a company to take a closer look at their network and understand how to recognize and defend at various points along a hacker’s methodology.
LAMP is a software bundle, assembled to make an open source web platform consisting of Linux, Apache, MySQL and Perl/PHP/Python.
Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard protocol to access and maintain directory information services like Active Directory. If you want to have your own software communicate with Active Directory, you use the so called "Lightweight Directory Access Protocol" (See Wikipedia).
A Learning Management System (LMS) is software for the administration, documentation, tracking, reporting and delivery of e-learning education courses or training programs. Organizations can have their own LMS in-house or use a cloud-based LMS like Knowbe4 provides.
Diana Kelley, Microsoft's Cybersecurity Field CTO reached in a discussion with Tech Republic. "Phishing is an old threat, but it remains a major one. Kelley points out that it's evolved to become better crafted and more tightly targeted. She wouldn't even call it "spearphishing" any more. "Laserphishing" might, she thinks, be more descriptive and evocative.
Q4 2009, as the first antivirus company ever, Sunbelt Software began to offer VIPRE Antivirus as a “PC Lifetime Subscription” via the Home Shopping Network. Priced at $99.95, Sunbelt calculated the average lifetime of a PC to be four to five years. Other AV companies started this type of subscription in following years.
An extremely popular open-source Unix operating system variant. It comes in many flavors.
A malicious computer program (or part of a program) that is asleep until it gets woken up by a specific logical event. Examples are pieces of code hidden by Chinese military hackers in a U.S. power plant that can disable the plant at a certain time. An example of this is a sleeper ransomware strain that infected workstations but only woke up at a certain time.
Master Boot Record. Specifically designated area on a hard disk drive where the instructions sit for the PC to start up and describes how the drive is set up.
1) An element or "unit of culture" of transmission that may be considered to be passed from one individual to another.
2) A humorous image, video, piece of text, etc., that is copied (often with slight variations) and spread rapidly by Internet users. From Greek mimēma ‘that which is imitated’, on the pattern of gene .
A Managed Service Provider (MSP) is a company that manages information technology services for other companies via the Web.
A managed security service provider (MSSP) is an IT service provider that provides an organization with agreed upon levels of cybersecurity monitoring and management, which may include virus and spam blocking, intrusion detection, firewalls and virtual private network (VPN) management.
Mean TIme Between Failure. Short for mean time between failures, the average time a device will function before failing. MTBF ratings are measured in hours and indicate the sturdiness of hard disk drives and printers. Typical disk drives for personal computers have MTBF ratings of about 500,000 hours. This means that of all the drives tested, one failure occurred every 500,000 hours of testing. See Webopedia for more.
Think of it simply as a branch of statistics, designed for a world of big data. The most common application of machine learning tools is to make predictions. Here are a few examples of prediction problems in a business. Good article here.
A list of (usually text-based) commands and/or instructions that are grouped together and can be run as a single command.
Malware is a shorter version of the term “Malicious Software”. It is an umbrella term used to refer to a wide range of viruses, worms, Trojans and other programs that a hacker can use to damage, steal from, or take control of endpoints and servers. Most malware is installed without the infected person ever realizing it.
Maintenance aka Renewal
The period that a customer gets tech support, updates and new software versions.
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements. See ‘Exploit’.
A Service Provider (MSP) that maintains all the computers and networks for a company, often via the Internet. See Cloud Computing.
An attack in which data sent and received between two parties in an ongoing connection is intercepted. The attacker can record, read, or even alter the contents of that traffic.
Technique used by hackers who load malware on a USB drive, CD/DVD, or other readable form of media, and then leave the infected media where it can easily be found. In some cases, thieves actually give the media away at public venues or trade shows. Once the victim loads the drive or disk, the malware does its work and will allow the hacker to do a number of things, including take remote control of the victim’s computer.
Relatively abstract data about other data. Example: records of what cell phone number calls what other number at what time. There are many different kinds of metadata.
Malware that is able to shape-shift to avoid being detected by antivirus products
Malcious software (aka warware) created by the military and/or intelligence agency to cause damage to an adversary’s infrastructure. Milware is stealthy to the extreme and often does not get detected for years. Normal antivirus products seem to not find this type of code. Stuxnet is a good example.
False or inaccurate information, especially that which is deliberately intended to deceive. Often forwarded to friends and family, not knowing it is false. See Disinformation.
A person recruited by a criminal or criminal organization to quickly receive and turn around funds involved in scams. The scams are often related to ACH, credit cards, or similar online transactions. The money mule is often unaware of his or her actual role.
A method of validating the identity of a user by using two or more security mechanisms. For example, a valid user name and password combination along with a fingerprint scan is a form of multi-factor authentication. Modern cybercrime has developed malware to evade some forms of multi-factor authentication.
Never A Dull Moment. The motto of the business we are in.
Network Address Translation. A security technology that hides all IP addresses in a network so attackers cannot get to specific machines.
Network Attached Storage. A network hardware technology that uses a strand-alone storage device that is dedicated to centralized disk storage.
Network Access Control. A piece of technology that controls access to a network. See Wikipedia
Network Access Protection is a Microsoft technology for controlling network access of a computer host based on the system health of that computer. With NAP, system admins can define policies for system health requirements. I.e. are the most recent operating system updates installed? Are the anti-virus software definitions updated? Has that computer a firewall installed and enabled? You get the idea. Computers not in compliance with system health requirements have restricted or no access to the network.
National Cyber Security Awareness Month
National White Collar Crime Center. They are here
Network Intrusion Prevention System. Intrusion prevention systems (IPS) are a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. See Wikipedia
The National Institute of Standards and Technology (NIST) has an excellent publication with templates and guides for what should go into a security awareness training program. The 70-page document is available for free in PDF format from the institute’s Web site.
Original Equipment Manufacturer. An OEM manufactures products or components which are purchased by another company and retailed under the purchasing company’s brand name. OEM refers to the company that originally manufactured the product. See Wikipedia.
Malware scans that are monitoring the system in real-time for any changes and will prevent immediate infection.
ON-DEMAND Scanning, also called ‘drive scan’
Malware scans that are set to run on a scheduled basis, like 3am every night.
ORGANIZATIONAL UNIT (OU)
A word related to Active Directory is "OU" or "Organizational Unit" since we allow our users to specify what they want to synchronize by both security group and OU. Here is a good definition: An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure. See Active Directory "AD".
Peer-To-Peer software allows end-users to up- and download software (movies, music, games) via a distributed computing architecture, not using centralized servers. There is a significant risk as child porn is also moving through these networks, and can result in SWAT teams busting down your door if a neighbor illegally piggybacks on your Wi-Fi. (no joke).
Payment Card Industry
PCI Security Standards Council
Organization that publishes standards (rules) on how to securely handle credit card processing.
The PCI Data Security Standard – a document published by the Payment Card Industry; it lists all the requirements for securely handling credit cards and credit card information. Organizations that accept credit cards need to be PCI compliant. This includes Security Awareness Training and many other requirements.
Protected Health Information. PHI is all recorded information about an identifiable individual that relates to that person’s health, health care history, provision of health care to an individual, or payment to health care. The U.S. Health Insurance Portability and Accountability Act (HIPAA) governs the protection of Private Health Information
Personally Identifiable Information. PII is defined as any instance of an individual’s first name or first initial, plus the last name, and any more than thirty additional confidential items. If it can be used to uniquely identify a specific individual using non-public information, it’s PII and must be protected.
Product Manager. A product manager researches, selects, develops, and places a company’s products, performing the activity of product management.
Pretty Much Done. One of our old colleagues’ favorite expressions, and indicated that the final product might still be months away from completion.
Period of Performance. How long the customer has paid for maintenance on their product.
Product Services Delivery. The team, part of the Accounting Department, that processes orders and does Roll-Out calls for KnowBe4 Products with the customers. PSD also refers to the in-house process that routes orders from quote acceptance through the delivery process.
Phishing Security Test. This is a simulated phishing attack done by KnowBe4 on email addresses that a prospect or customer upload to our site. We have dozens of templates that existing customers can use on their employees. You can do a one-time free PST to all your employees
A software (security) update intended to repair a vulnerability that was discovered after the product was released for general use.
Patch Tuesday is the second Tuesday of each month, the day on which Microsoft releases security patches. That week, system administrators need to do the testing of these patches in their own environments and then deploy the patches which usually requires a reboot. Sometimes systems are mission critical and cannot be rebooted, which causes them to stay vulnerable and then get infected with a zero-day threat.
Malware often comes in different parts. That is where the term ‘blended malware’ originates. An example is an email claiming to be from the ‘Better Business Bureau’ having a complaint for you about your company. Attached is a PDF. The PDF is the payload and has malware in it, or downloads malware from a compromised server somewhere. Here is a bit of history of the word and where it came from.
(IEEE) Functional testing conducted to evaluate the compliance of a system or component with specified performance requirements.
Perimeter security refers to routers, firewalls, and intrusion detection systems implemented to tightly control access to networks from outside sources. More Here
A term coined by KnowBe4 that indicates the percentage of employees that are prone to click on dangerous phishing links. You can find out what the Phish-prone percentage of your organization is with this free test.
A KnowBe4 product for managing potentially malicious email messages reported by users. Key features include: prioritization, disposition, automated workflows, automated responses, SIEM integration, data enrichment.
Phishing is the process in which bad guys try to trick you into giving out sensitive information or taking a potentially dangerous action, like clicking on a link or downloading an infected attachment. They do this using emails disguised as contacts or organizations you trust so that you react without thinking first. It’s a form of criminally fraudulent social engineering. Also see Spear Phishing.
Phishing Attack Surface
Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear phishing attacks on your organization. This type of attack is very hard to defend against, unless your users get next-generation security awareness training. IT Security specialists call it your ‘phishing attack surface‘. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk. It’s often a surprise how many of your addresses are actually out there, whose, and where they were found. Here is a datasheet with some more information.
Methods of producing strong passwords. One technique involves creative transformations for a sentence so that, for example, “I never eat rye bread” becomes iN3V3RtaeWRYdearb
A form of fraud that involves directly hacking telecommunications systems, one of the things Kevin Mitnick used to do in the early days.
Also known as cleartext and is used as input for encryption.
An end user that has fallen for a phishing test and clicked on the link or opened up an attachment is given a short remedial training on the spot to make sure they understand the risks and stop doing that. Relying on just this tactic is not sufficient for truly effective security awareness training.
A minor software release that increments with a decimal point. I.e. from V3.0 to V3.1
A feature of a programming language that allows routines to use variables of different types at different times. Here is where this word comes from:
Malware, spam or phishing attacks that change themselves very frequently to try to prevent detection by filters.
Malware that shape-shifts to avoid detection and also encrypts its own content differently all the time.
A set of rules that specify what requirements must be met.
Post Office Protocol, the email protocol that handles incoming email.
Small web browser Window that literally pops up over the browser window you are looking at. Our training uses this technology to present the user with their training session so they need to turn popup blockers off for our website.
The act of creating an invented scenario in order to persuade a targeted victim to release information or perform some action. Pretexting can also be used to impersonate people in certain jobs and roles, such as technical support or law enforcement, to obtain information. It usually takes some back-and-forth dialogue either through email, text or the phone. It is focused on acquiring information directly from the actions taken by the targets, who are usually in HR or Finance.
Principle of least privilege
Giving users the least amount of access required for them to complete their jobs. Also referred to as separation of duties.
Determine the order of dealing with a series of items according to their relative importance. Different organizations have a different idea of priority; some might think digging into threats is priority #1, others might feel that responding to end users letting know that PO they reported is *not* a threat is more important. In either case it's important to get rid of the junk that doesn't matter so the important items are addressable.
Information, especially of a biased or misleading nature, used to promote or publicize a particular political cause or point of view. Interestingly enough, although it has a negative connotation today, it has ostensibly noble origins. In 1622 in an effort to spread Christianity around the world, Pope Gregory XV established in Rome the Sacred Congregation of the Propagation of the Faith, to be entrusted to a handpicked group of cardinals. Just ane xample of how the meaning of words can radically change over time.
Programmable Read Only Memory. A computer chip with content that can be re-written from the outside.
In short, a set of standards to get a specific function done. Example: TCP/IP.
A proxy server is a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. Mostly used in the context of using a proxy server to connect to the Internet. See Wikipedia.
SHORT: The name of the technology used when a domain name uses language-specific characters. A significant portion of computing systems only expect to see and use Latin characters. When you start introducing fancy letters there has to be an a way to tell the system "get ready, these letters are going to be fancy". Punycode is how that is done.
LONG: The global Domain Name System (DNS), is responsible for turning human-friendly server names into computer-friendly network numbers, but it's restricted to the limited subset of ASCII characters in domain names. The curiously-named system known as punycode is a way of converting words that can’t be written in ASCII, such as the Ancient Greek phrase
ΓΝΩΘΙΣΕΑΥΤΟΝ (know yourself), into an ASCII encoding, like this:
Some letters in the Roman alphabet are the same shape (if not always the same sound) as letters in the Greek, Cyrillic and other alphabets, such as the letters I, E, A, Y, T, O and N in the example above. So you may be able to register a punycode domain name that looks nothing like a well-known ASCII company name, but nevertheless displays very much like it. For example, consider the text string consisting of these lower-case Greek letters: alpha, rho, rho, iota, epsilon. In punycode you get
xn--mxail5aa, but when displayed (depending on the fonts you have installed), you get:
αρριϵ. And that is a trick the bad guys can use to create a domain name that looks like the real thing but isn't.
In hacker jargon, ‘pwn’ means to compromise or control, specifically another computer (server or PC), web site, gateway device, or application. (it’s ‘own’ with a typo in it) It is synonymous with one of the definitions of hacking or cracking. The Pwnie Awards are awarded by a group of security researchers.
Quality Assurance. In KnowBe4 the team that is responsible to find bugs in our code and work with Development to deliver world-class quality to our customers.
Quarterly Business Review. A meeting of a company’s execs to determine strategy.
The operational techniques and procedures used to achieve quality requirements. This is typically handled during the development process.
Antivirus, after it detects malware, can move that malware to a protected space on disk where it cannot do any further harm, and from where it can either be deleted or restored in case it was a false positive. See ‘False Positive’.
RDP Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.
RBL stands for Realtime Blackhole Listing. RBLs are used for Antivirus Exchange and Antivirus Gateway. It’s a list of domains that are blocked because they are a source of spam. You can find a complete definition of RBL at Webopedia.
Return Materials Authorization. As in: “Shipments without a valid RMA number will not be accepted."
‘Real Soon Now’. A technical term that software developers use to indicate when they expect to deliver shippable code. Also see PMD.
Released To Manufacturing. The day that the final code is shipped out the door to the factory to be duplicated. In KnowBe4’s case, the day that we released the final product on our website.
Virus Bulletin is the world’s most prestigious antivirus lab. Apart from their VB100 certification, they have another interesting test called RAP. It’s for “Reactive and Proactive”, and helps you form an impression of the heuristic -and- generic proactive detection capability of security software products – in particular how well products perform against malware that appears after vendors have submitted their products to Virus Bulletin for testing. They create a quadrant a few times a year, and compare all products they have tested. The antivirus industry is not promoting this website, as it’s not a pretty picture.
The RAP system measures simple static detection rates, testing against common malware samples first seen by the VB lab team within ten days of running each stage of the test.
The "Reactive" measure is the average of three test runs against samples seen in the ten days before the test date, allowing the products to use the latest updates and with full access to any cloud-based resources and reputation systems. For the "Proactive" measure, products and updates are frozen, then products are run offline, without access to cloud systems, against samples seen in the ten days following freezing.
The RAP test aims to give an indication of how well product developers are able to keep up with the incoming flood of new malware using their standard file detection methods (including heuristic rules), and should also give some idea as to how much different products rely on cloud-based systems to supplement client-side technologies.
A password attack that uses a really large set of of hashes that were generated from almost every possible password.
RanSim stands for "Ransomware Simulator". KnowBe4 released a free tool in October 2016 that people can download to check if their antivirus/endpoint protection is effective against ransomware infections. It takes several scenarios and emulates the things that real ransomware would do in a non-destructive way. You can find RanSim here.
Ransomware denies access to a device or files until a ransom has been paid. Also called Cryptoware. Ransomware for PC's is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked in clicking on a link, opening an attachment, or clicking on malvertising.
Once the malware is on the machine, it starts to encrypt all data files it can find on the PC itself and on any network shares the PC has access to. Next, when a user wants to access one of these files they are blocked and the system admin finds two files in the directory that indicate the files are taken ransom, and how to pay the ransom to decrypt the files. There are a number of free ransomware decryptors available, however it's a constant battle with hackers then upgrading strains to get past decryption methods. There are many strains of ransomware, two infamous ones are CryptoLocker and CryptoWall. Many more exist and new ransomware strains are released regularly.
Real Time Protection
Protecting a PC as it happens, as opposed to a scheduled scan that is done every 24 hours. See ‘Active Protection, ‘On Access protection.’
(NIST) Rerunning test cases which a program has previously executed correctly in order to detect errors spawned by changes or corrections made during software development and maintenance.
Used mainly in the IT space to indicate that a customer extends their subscription for another year.
System Administrators often manage several geographically dispersed sites. In those cases, they need software to be able to manage the remote site as if they were physically present. For that, they use what is called a ‘remote console’. For instance, a remote console allows them to manage a machine or a whole network when they are in New York and the physical network being managed is in Atlanta.
Deleting malware from a PC. See ‘Disinfection’.
In the context of KnowBe4, reporting means the section of the cloud back-end where customers can see which employees have started their training, finished it or have not even started it. Also which Phishing security tests were sent, who opened, who clicked and a host of other data related to this.
Malware that is loaded in random access memory and is able to interrupt an Operating System function and alter it to do damage.
To disassemble and examine some code in detail to discover how and what the creator, so it can be replicated or killed.
Rogue, also Rogue Scanner, rogue anti-spyware, rogue anti-malware or scareware
Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software, in recent years, has become a growing and serious security threat in desktop computing. It is a very popular social engineering tactic and there are literally dozens of these programs.
A rootkit is software that consists of one or more programs designed to obscure the fact that a PC or Server has been compromised. See Wikipedia
A router is hardware used to connect two or more computers (or other devices) to each other, and usually to the Internet, by wire or sometimes radio signals.
Ruby on Rails
Often shortened to Rails or RoR, is an open source web application framework for the Ruby programming language. It is intended to be used with an Agile development methodology that is used by KnowBe4 for rapid development.
Short for the Security Awareness Company, which was acquired by KnowBe4 in 2017.
‘Self Assessment Questionnaire’. A form that merchants which accept credit cards complete to evaluate their compliance with PCI SCC rules. There are different SAQs, depending on the way(s) in which the merchant processes transactions and the transaction volume.
Security Awareness Training. To be aware, you need to be able to confront (face things as they are). KnowBe4 helps employees confront the fact bad guys are trying to trick them. Once they confront that, they become aware and able to detect these scam emails and can take appropriate action like deleting the email or not clicking a link. More at Wikipedia [ISAT]
They are a DMR, a Direct Market Reseller also known as an e-tailer which is a company that sells directly to consumers online without operating storefront operations of any kind.
A subscriber-identity-module or alternatively a subscriber-identification-module which is a small card that fits in your smartphone and secure they key and identity of the owner.
Security Information and Event Management. A type of software that pulls together data from multiple sources—often event log files—analyses it, and then can take some sort of action like alerts someone or make a pretty report. Some of the common SIEM platforms are Splunk, QRadar, and LogRythm.
SPF (Sender Policy Framework) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. See Wikipedia
(Service Set IDentifier) The name assigned to a Wi-Fi (wireless) network. All devices in the network must use this case-sensitive name to communicate over Wi-Fi, which is a text string up to 32 bytes long. Out of the box, wireless routers and access points have a default SSID, which may be the manufacturer's name, such as "linksys" or "netgear" or simply "default."
A company acquired by KnowBe4 in 2017.
Sharable Content Object Reference Model (SCORM) is a collection of Department of Defense created standards and specifications for web-based e-learning. It defines communications between client side content and a host system which is an LMS. (See LMS) KnowBe4’s courseware is SCORM compliant.
Software Development Kit. A set of development tools that allows a software engineer to create an application. An Antivirus SDK allows someone to create their own antimalware software product, and pay the developer for the use of the SDK.
Stock Keeping Unit. A number to specify a separate product.
Service Level Agreement. A service level agreement (SLA) is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user. Internal SLAs are used to maintain a level of service internally, with an organization, rather than with an external party. Internal SLAs may apply to help desk services, network or application availability and performance, and any other internal processes.
Small and Medium Enterprises (usually up to 500 seats). Also called SMB (Small and Medium Business) Some industry analysts go up to 1,000 seats before they call it ‘Large Enterprise’.
Simple Mail Transfer Protocol (SMTP) is an Internet standard for e-mail transmission, and is the #1 protocol in use today. E-mail servers and other e-mail transfer agents use SMTP to send email.
Security Orchestration, Automation and Response defined: a coordination of automated security tasks across connected security applications and processes.
Security Operations Center (computing), in an organization, a centralized unit that deals with computer security issues
SOC 2 (SOC stands for (Service Organization Controls) is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider
Statement Of Work. A description of the work that needs to be done, and is agreed upon by the parties before the work starts.
In the computer security world, a ‘Sandbox’ means a safe space where malware can be analyzed. You could call it a virtual container in which untrusted programs can be safely run. Sometimes this is a separate computer that is kept off production networks, sometimes this is software that creates a safe space inside a computer. The Sandbox keeps the malware away from all other resources (like private data).
Scam software, often with limited or no benefit, sold to consumers via unethical marketing practices. The selling approach is designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics. Read more about this at Wikipedia
A relatively unskilled hacker who downloads and uses “point-and-click” attack software.
A method intended for management of software development projects, it can also be used to run software maintenance teams, or as a general project/program management approach. KnowBe4 uses this method. See Wikipedia
A written document that states how an organization plans to protect its physical assets and information.
An attack method that captures the attributes of a website session from one of the parties involved (usually on the client or user end). It then takes over (hijacks) the session from the legitimate user. The attacker keeps the session going and impersonates the user.
The term vulnerability means a weakness which allows an attacker to penetrate a network. It’s also called ‘attack surface’. A Vulnerability has three elements:
A vulnerability with a known, working, implemented attack is called an exploit. Attackers have a limited window of exploiting the vulnerability: until their access was removed, or a security fix was deployed.
Privileged or proprietary information which, if compromised through alteration, corruption, loss, misuse, or unauthorized disclosure, could cause serious harm to the organization owning it. NOTE: For our purposes, the words sensitive, confidential, and private all mean essentially the same thing
Contact a young girl on a social networking site using a fake identity, gain her trust, extract some highly personal information, and then threaten to expose her intimate exchanges if she doesn’t assent to escalating demands for sexually explicit pictures or videos. Example at the FBI website
A bug found that is severe enough to stop the product from shipping.
Shoulder surfing is a visual technique of gathering passwords by watching over a person’s shoulder while they log in to the system. With some training, a hacker can observe a user log in and then use that password to gain access to the system.
Antivirus detects malware using signatures, heuristics and behavior. The signature-based method is built on proprietary threat information, using multiple sources for the threat definition updates.
Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information.
Jargon for packet analyzer software that looks at (sniffs) data packets in a network and shows what is inside the packets. Can be used to troubleshoot networks but also to hack into the network.
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
Unsolicited, unwanted Email. About 90% of email that goes through the internet is spam. The other 10% is called ‘ham’. (no joke)
Spear Phishing is a small, focused, targeted attack via email on a particular person or organization with the goal to penetrate their defenses. The spear-phishing attack is done after research on the target and has a specific personalized component designed to make the target do something against their own interest. Here is more about how they do it.
Tricking or deceiving computer systems or other computer users. This is typically done by hiding one’s identity or faking the identity of another user on the Internet. E-mail spoofing involves sending messages from a bogus e-mail address or faking the e-mail address of another user. Since people are much more likely to read a message from an address they know, hackers will often spoof addresses to trick the recipient into taking action they would not normally take.
A term used in ‘agile’ software development, a method that KnowBe4 uses. A period of a month after which a deliverable product is ready for shipping. During this sprint, a list of items called ‘backlog’ is ‘burned down’ to completion. See ‘Backlog’ and ‘Burndown’.
An umbrella term for many ‘families’ of malicious software which send a computer user’s confidential data back to (usually) cyber criminals. Some examples of spyware are Trojans, Adware, malicious toolbars, and many others. For a short history on spyware, check out this item on Wikipedia. It’s not complete but gives a reasonable overview.
SQL Injection Attack
SQL injection is a hacker technique that exploits a security vulnerability occurring in the database of an application. The vulnerability is present when user input fields are not checked well.
StopBadware works with its network of partner organizations and individuals to fight back against viruses, spyware, and other badware. You can find them here
(IEEE) Testing conducted to evaluate a system or component at or beyond the limits of its specified requirements.
KnowBe4 founder and CEO Stu Sjouwerman ends staff meetings with:
Milware created by the U.S and Israel with the express goal to destroy Iran’s uranium enrichment facility in Natanz. It escaped and is now used by bad actors to attack sites. More Here
Specialized software modules that look at the PC and make sure nothing gets changed by malware, and sometimes are able to either block changes or revert the system to its original state. See ‘Active Protection’.
Terms Of Service (abbreviated as “ToS” or “TOS”) are rules by which one must agree to abide by in order to use a service. Usually, such terms are legally binding. Terms of service can cover a range of issues, including acceptable user behavior online, a company’s marketing policies, etc. Some organizations, such as Yahoo and Facebook, can change their terms of service without notice to the user base. Here is Knowbe4's TOS
Transmission Control Protocol/Internet Protocol. This is the protocol that the Internet uses to transport data packets from one computer to another.
Uses browser tabs to impersonate legitimate websites and create fake login pages that trick victims into revealing private information. Tabnabbing works when you have two or more tabs open in a web browser. When a tab is left unattended for several minutes, a tabnabber can redirect the site in the unattended tab to a different, malicious login site.
A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.
Telnet was developed in 1969 and one of the first Internet standards. The name stands for "teletype network". Telnet is a communications protocol for applications that use 2-way interactive text, using what is called a "virtual terminal" connection. Telnet runs on top of the Transmission Control Protocol (TCP).
Historically, Telnet provided access to a command-line interface (usually, of an operating system) on a remote computer. However, because of serious security concerns when using Telnet over an open network such as the Internet, its use for this purpose has waned significantly in favor of SSH.
The term telnet is also used to refer to the software that implements the client part of the protocol. Telnet client applications are available for virtually all computer platforms. Telnet is also used as a verb. To telnet means to establish a connection with the Telnet protocol as in "To change your password, telnet to the server, log in and run the passwd command." More at WikiPedia
(IEEE) A software module used to invoke a module under test and, often, provide test inputs, control and monitor execution, and report test results.
A collection of test cases used to validate the behavior of a product. There may be several Test Suites for a particular product for example. In most cases however a Test Suite is a high level concept, grouping together possibly hundreds or even thousands of test cases related by what they are intended to test.
Many law enforcement agencies use a surveillance tactic called “tower dump.” The method gives police access to “identity, activity and location” data of users and makes use of multiple [cell phone] towers, and wireless providers, and can net information from thousands of phones. Records show that at least 25 police departments own a Stingray device – which essentially operates as a fake cell phone tower in order to siphon data from nearby phones that connect to it. This was the method that ultimately caught Kevin Mitnick.
The word "tradecraft" is most often associated with spies. But hackers hackers and social engineers also have their tradecraft: a set of techniques they use to get illegal access to hardware, software, or deceive humans.
A condition that causes a virus payload to be executed, usually occurring through user interaction (e.g., opening a file, running a program, clicking on an e-mail file attachment).
A Trojan horse (shortened to trojan), is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user’s computer system. The term is derived from the Trojan Horse story in Greek mythology. It is the most prevalent form of malware in the timeframe 2010-2014, well over 50% of all malware are Trojans.
Trojan downloader, also called ‘Trojan dropper’
A Trojan Downloader is a program typically installed through an exploit or some other deceptive means and that facilitates the download and installation of other malware onto a victim’s PC. A Trojan Downloader may download adware, spyware or other malware from multiple servers or sources on the internet. See ‘Exploit’.
A software tool to generate a list of typos and common misspellings, for instance for domain names. (i.e. www.goofle.com) These domain names are then used to create a perfect copy of the original, and users tricked into leaving confidential information. This is only one example of typo generator use, many more are possible.
Purchasing web domains that are a character or two different from a legitimate and well-known social or company website. When a person mistypes the web address, a website appears that looks very much like the intended site. Typosquatting is usually done for fraudulent purposes. Also called URL hijacking.
A method of reducing the size and complexity of web URLs, mainly for ease of use. However, URL shortening also disguises a website’s real domain name, and hinders detection of known malicious sites or destinations.
A USB memory stick often used for penetration tests, with malware on it that exposes the network to the attacker. Also called Thumb-drive. The drive is left at common areas like a parking lot or the rest room, and had a label that make the user want to know more, e.g. “Q1 Layoff List”.
Testing of a software module for typographic, syntactic, and logical errors, for correct implementation of its design, and for satisfaction of its requirements. Also called component testing.
A software ‘update’ is usually a patch. A patch is a piece of software designed to fix problems with a computer program or its supporting data. It can include fixing security vulnerabilities and other bugs, and improving the usability or performance.
The term ‘upgrade’ refers to the replacement of a product with a newer version of the same product. In software, it means a replacement with a newer or better version, in order to bring the system up to date or to improve it features. See (and contrast with) ‘Update’ above.
Tests designed to evaluate the machine/user interface. Are the communication device(s) designed in a manner such that the information is displayed in an understandable fashion enabling the operator to correctly interact with the system?
A value-added reseller (VAR) is a company that adds features or services to an existing product, then resells it (usually to end-users) as an integrated product or complete "turn-key" solution.
This stands for “Virus Bulletin 100% Pass”. It means an Antivirus product catches all the malware that is on the WildList and also has NO False Positives. Getting awarded the VB100 is important in the industry and shows a product has attained a certain quality level. It does not mean it catches 100%, no antivirus product does. Here is the Virus Bulletin website.
A Virtual Desktop Infrastructure (VDI) allows a user’s desktops and applications to run in a private virtual machine hosted on servers in a data center rather than locally on the user’s PCs. It’s technically complex and expensive, but it allows users to access their personalized desktop from any PC; and makes life easy for admins.
Vendor Email Compromise. This is a variety of business email compromise (see BEC) attack in which attackers gain access to email accounts at a company in the supply chain, and then use the accounts to target that company’s customers.
Virus, also called ‘File Infector’, or ‘File Virus’
A computer virus is a computer program that can copy itself and infect a computer. The term “virus” is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. Since 2009, viruses in their traditional form are less than 10% of total malware. Microsoft in 2010 estimated it was only 4%. A true virus can only spread from one computer to another (in some form of executable code) when its host (infected file) is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it (via sneakernet) on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system. See ‘Worm’. See Wikipedia.
They do three things: 1) a monthly magazine, 2) an annual conference and 3) bimonthly product certifications.
1) Their name comes from the first thing they started with in 1989: a magazine dedicated to providing PC users with a regular source of intelligence about computer malware, its prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of malware and spam and is today produced in an online format.
2) VB Conference. They first VB conference was in 1991 and the event has become a major highlight of the anti-malware calendar. They present factual information, demonstrate defensive procedures and countermeasures, and provide a platform for experts share their research and set new standards.
3) “VB100″ certification
For many years, Virus Bulletin has carried out independent comparative testing of anti-malware products. The unique VB100 certification is widely recognized within the industry. Virus Bulletin tests anti-malware products free of charge and, unlike other certification schemes, does not allow re-testing – performances are reported exactly as they are found.
This third function is very interesting. Their VB100 stands for “Virus Bulletin 100% Pass”. It means an Antivirus product catches all the malware that is on the WildList (a varying list of around 800 malware samples that are ‘in the wild’, put together by the Virus Bulletin WildList committee. AV products are expected to catch all samples that are in the WildList), and also has NO False Positives. Getting awarded the VB100 is important in the AV industry and shows a product has attained a certain quality level. It does not mean it catches 100%, no antivirus product does.
Virus Definitions, abbreviated to ‘Defs’, also called ‘Patterns’ or ‘Signatures’
The database of virus signatures (detections, patterns) that allows an antivirus product to recognize and disinfect viruses. These definitions are created by an AV Lab team and send to PC’s running that Antivirus very regularly.
Virustotal is a website that delivers a service which analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by about 70 different antivirus companies that scan the file so you basically get the opinion of many different security companies at once. Both good guys and bad guys use Virustotal. The bad guys send their malware up there to see if it gets caught by antivirus engines. It's got free and paid license versions and is owned by Google. You can find them here.
A phishing attack conducted by telephone, usually targeting voice over IP (VoIP) users, such as Skype users. Vishing is the phone equivalent of a phishing attack. There are two forms of this, human and automated. In the human example a scam artist uses the anonymity of a phone call and pretends to be a representative of their target’s bank or credit card company. They manipulate the victim to enter their PIN, credit card number, or bank account (and routing number) with the phone keypad. This allows the scammer to get instant access to another person’s bank credentials.
It’s also known as rogue “IVR” (Interactive Voice Response) and that is where it gets automated. The bad guys use an IVR system to impersonate a real-sounding financial institution’s IVR system. Using a phishing email, the victim is told to call “the bank” using their toll free number, so that the fake bank can “verify” some information. A normal trick is that the system is configured to throw fake error messages so that the victim will try several passwords to get in. More sophisticated scams even have a live body impersonating customer service in case the victim presses “0” for an operator.
Vulnerability Assessment / Vulnerability Scan
A scan through the whole network that looks for and reports on known vulnerabilities in endpoints and all other network devices. There are two types of scans, internal and external. Internal is run inside the network by an administrator or by a bad guy that has penetrated the network and looks for more ways to get and stay inside the network. External scans the company from the outside in and looks at the website and their web applications. KnowBe4 provides the external, outside-in type of scan as a service.
Spamming over Internet telephony. Much like getting spam email, a voice over Internet Protocol (VoIP) user can get junk voicemails. Spammers simply send a voicemail messages to thousands of IP addresses at a time.
What You See Is What You Get - A term in the computer world that means you are working in an environment that is visual. As an example, when you edit something in a WYSIWYG editor, you literally see the changes and how they look, (for example a word processor) as opposed to an HTML editor where you work in code, and you need to render the code into a webpage to see the changes you made in the code.
A Wake-on-LAN (WoL) is a networking standard that allows a computer to be turned on or awakened by a network message. That message is usually sent to the target computer by a program executed on a device connected to the same local area network, could even be an admin's smartphone. This technology can also be used in Wide Area Networks, and even Wi-Fi, a standard called Wake on Wireless LAN (WoWLAN) More about this at Wikipedia.
A technique by which a computer will dial a number repeatedly in a telephone exchange in an attempt to circumvent perimeter security.
Stand-alone software or an appliance (hardware+software) that blocks access to specific Internet websites. A survey done by KnowBe4 shows that system administrators want web filtering on their network for the following reasons:
A commercial organization that tests AV products to see if those products catch all the samples in the WildList. If a product gets all the samples, a certification gets awarded. Here is their website.
Phishing attacks that target high-ranking executives at major organizations or other highly visible public figures. Also known as CEO Fraud.
WhiteList/white list (also abbreviated as WL)
The list of known good files that Antivirus knows do not have to be scanned and should not be quarantined. Can also apply to domain names, which are known to be good and allowed access to. Also, a list of known-good executable files that are allowed to continue to run in an environment that has Application Control enabled.
WildList (also abbreviated as WL)
A varying list of around 800 malware samples that are ‘in the wild’, put together by the Virus Bulletin WildList committee. AV products are expected to catch all samples that are in the WildList.
Windows System Files
System Files are the files that make up the Operating System. These files are protected from deletion or infection by System File Protection (WFP) in Windows 2000, renamed to Windows File Protection (WFP) in Windows XP, and then to Windows Resource Protection (WRP) in Vista and later. WRP introduces protection of the registry.
A free service from Microsoft that regularly updates your PC with the latest bugfixes and security patches and then reboots the PC. For consumers it is highly recommendable to have this set on automatic. Microsoft does this on the second Tuesday of the month, called Patch Tuesday. Businesses should use their own centralized update server, after they test the patches in their environment for compatibility issues.
Workstream (security workstream)
OK, We are going from generic to specific here for this definition. First, a workstream (also known as workflow) is a core area of an activity or project. It's a core process, it can be big and it can be small, depending on where you look. Here is an example to make this a bit more real. If you are planning for a wedding, that's a project. It has a start and end date, it would involve multiple stakeholders and many workstreams. An important one is selecting a caterer. In this instance the workstream would be named ‘Catering’ which is the core process. The activities within this workstream would be the following:
Now, this is a workstream that has a start and a stop. In business, this is a continuous process or flow. A workstream example in KnowBe4 would be the core process from a quote to a PO to an invoice and deploying the platform. Now, in different departments , they have their own workstreams and many times dozens of them.
The security team has a series of workstreams as well, and in the Security Operations Center (See SOC) one of those is handled by the the Incident Response team which received phishing email reports. The whole process of an employee seeing a phishing email, clicking the PAB, this being received in PhishER, looked at by an analyst, and then processed is a great example of a security workstream. If an organization does not have this security workstream, they should!
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing file. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. Worms can spread with lightning speed. One worm was able to infect hundreds of thousands of servers worldwide in less than 10 minutes.
YARA (yär-əh): [PhishER]
Yet Another Ridiculous Acronym or Yet Another Recursive Acronym. Officially, YARA is a tool for malware researchers to identify and classify malware. It uses rules to find and match specific words/patterns in something, and very often used to analyze possibly malicious email messages. Those rules are conveniently called YARA rules.
Zero Bug Bounce. A milestone in software development when all the known bugs are fixed and the bug count drops to zero. Usually, the next day a few more bugs are found, so the bug count “bounces” up from zero. Indicator the product is nearly ready to ship.
Zero-day Attack or Zero-day Threat
A zero-day attack is a computer threat that tries to exploit vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. Bad guys have a field day with zero-day attacks, as there is very little defense against these. There are many of these vulnerabilities for each software product, and there is a lively trade in zero-day vulnerabilities. Both governments spy agencies and cybercrime buy these exploits often for tens of thousands of dollars.
Actual code that can use a security hole to carry out an attack. Used or shared by attackers before the software vendor knows about the vulnerability.
Zombie, also called ‘drone’
A PC that has been taken over by malware and is ‘owned’ by the bad guys. The PC is now part of a botnet and spews out spam, tries to infect other computers, attacks websites or does other nefarious things. Government spy agencies like the NSA also use this tactic and have tens of thousands of machines infected and basically own them.