The NERCCU A-Z list of cyber crime terminology

The NERCCU glossary shows the definitions for commonly used cyber terms.



Advanced Persistent Threat (APT)

A cyber-attack that uses sophisticated techniques to conduct cyber espionage or other malicious activity on an ongoing basis against targets such as governments and companies. Typically conducted by an adversary with sophisticated levels of expertise and significant resources – frequently associated with nation-state players. These attacks tend to come from multiple entry points and may use several attack vectors (e.g. cyber, physical, deception). Once a system has been breached, it can be very difficult to end the attack.


A notification that a cyber security threat to your information system has been detected or is underway.


Antivirus software is used to monitor a computer or network, to detect cyber security threats ranging from malicious code to malware. As well as alerting you to the presence of a threat, antivirus programs may also remove or neutralise malicious code.

Attack signature

A characteristic or distinctive pattern that can help link one attack to another, identifying possible actors and solutions.


The agent behind the threat: a malicious actor who seeks to change, destroy, steal or disable the information held on computer systems and then exploit the outcome.


The process of verifying the identity or other attributes of a user, process or device.


Behaviour Monitoring

Observing the activities of users, information systems, and processes. Can be used to measure these activities against organisational policies and rules, baselines of normal activity, thresholds, and trends.


A list of entities (users, devices) that are blocked or denied privileges or access.

Blue Team

The defence group in a mock cyber security attack. The Blue Team defends the enterprise’s information systems while the Red Team attacks. These mock attacks typically take place as part of an operational exercise established and monitored by a neutral group, the White Team.


A computer connected to the Internet that has been compromised with malicious logic to undertake activities under the command and control of a remote administrator.


A network of infected devices, connected to the Internet, used to commit coordinated cyber-attacks without their owner’s knowledge.


The unauthorised access of data, computer systems or networks.

Bring Your Own Device (BYOD)

A strategy or policy whereby an organisation permits employees to use their personal devices for work purposes.

Brute Force Attack

An attack in which computational power is used to automatically enter a vast quantity of number combinations in order to discover passwords and gain access.


A relatively minor defect or flaw in an information system or device.



A digital certificate is a form of digital identity verification that allows a computer, user or organisation to securely exchange information.

Certified Information Systems Auditor (CISA)

A certification for professionals who monitor, audit, control and assess information systems.

Certified Information Systems Security Manager (CISM)

An advanced certification from ISACA for professionals with the knowledge and experience to develop and manage an enterprise information security program.

Certified Information Systems Security Professional (CISSP)

A management certification for CISOs and other information security leaders.


An algorithm for encrypting and decrypting data. Sometimes used interchangeably with the word ‘code’.


The Computer Misuse Act 1990. Designed to protect computer users from criminality such as hacking, unauthorised access to computer systems and purposefully spreading malicious and damaging software.

Computer Incident Response Team (CIRT)

A team of investigators focused on network security breaches. Their role is to analyse how the incident took place and what information has been affected/lost. They then use this insight to provide a response.

Computer Network Defence (CND)

Typically applied to military and government security, CND refers to the measures taken to protect information systems and networks against cyber-attacks and intrusions.

Control Objectives for Information and Related Technologies (COBIT)

A business framework developed and continually updated by ISACA comprising practices, tools and models for management and governance of information technology, including risk management and compliance.


Small text files used by browsers to store data relating to a specific web browsing activity.


The information used to authenticate a user’s identity – for example, password, token, certificate.

Cross Site Scripting (XSS)

Cross-site scripting (XSS) is a software vulnerability usually found in Web applications that allows online criminals to inject client-side script into pages that other users view. The cross-site scripting vulnerability can be employed at the same time by attackers to over-write access controls. This issue can become a significant security risk unless the network administrator or the website owner takes the necessary security measures.


The study of encoding. Also, the use of code/cipher/mathematical techniques to secure data and provide authentication of entities and data.

Cyber Attack

Deliberate and malicious attempts to damage, disrupt or gain access to computer systems, networks or devices, via cyber means.

Cyber Essentials

A UK Government-backed self-assessment certification that helps you protect against cyber-attacks while also demonstrating to others that your organisation is taking measures against cybercrime.

Cyber Incident

A breach of a system or service’s security policy – most commonly:

  • Attempts to gain unauthorised access to a system and/or to data.
  • Unauthorised use of systems for the processing or storing of data.
  • Changes to a system’s firmware, software or hardware without the system owner’s consent.
  • Malicious disruption and/or denial of service.

Cyber Security

Cyber security is a collective term used to describe the protection of electronic and computer networks, programs and data against malicious attacks and unauthorised access.


Data at Rest

Data that is in persistent storage – i.e. data that remains on a device whether or not it is connected to a power source – such as hard disks, removable media or backups.

Data Breach

The unauthorised movement or disclosure of information, usually to a party outside the organisation.

Data Integrity

The quality of data that is complete, intact, and trusted and has not been modified or destroyed in an unauthorised or accidental manner.

Data Loss

No longer having data, whether because it has been stolen, deleted, or its location forgotten.

Data Loss Prevention (DLP)

A security strategy and related programs to prevent sensitive data from passing a secure boundary.

Data Security

The measures taken to protect confidential data and prevent it from being accidentally or deliberately disclosed, compromised, corrupted or destroyed.

Dark Web

Content that is deliberately hidden making it difficult to see ownership. Special software such as Tor can be used to access the dark web.


The process of deciphering coded text into its original plain form.

Denial of Service (DoS)

This is a type of cyber-attack that prevents the authorised use of information system services or resources, or impairs access, usually by overloading the service with requests.

Dictionary Attack

Known dictionary words, phrases or common passwords are used by the attacker to gain access to your information system. This is a type of brute force attack.

Distributed Denial of Service (DDoS)

A denial of service technique where multiple systems are used to perform the attack, overwhelming the service.

Download Attack

Malicious software or a virus that is installed on a device without the user’s knowledge or consent – sometimes known as a drive-by download.


Electronic Warfare (EW)

The use of energy, such as radio waves or lasers, to disrupt or disable the enemy’s electronics. An example would be frequency jamming to disable communication equipment.


The use of a code to convert plain text to cipher text.


The use of a cipher to protect information, making it unreadable to anyone who doesn’t have the key to decode it.


A collective term for internet-capable computer devices connected to a network – for example, modern smartphones, laptops and tablets are all endpoints.

Ethical Hacking

The use of hacking techniques for legitimate purposes – i.e. to identify and test cyber security vulnerabilities. The actors in this instance are sometimes referred to as ‘white hat hackers’.


The transfer of information from a system without consent.


Exchangeable image file format. This can be used to gather data from a photograph.


The act of taking advantage of a vulnerability in an information system. Also used to describe a technique that is used to breach network security.

Exploit Kit

Computer programs designed to discover vulnerabilities in software apps and use them to gain access to a system or network. Once they have infiltrated a system they will feed it with harmful code.



A virtual boundary surrounding a network or device that is used to protect it from unwanted access. Can be hardware or software.



Government Communications Headquarters. This organisation uses foreign intelligence to help combat terrorism, cybercrime and child pornography.


General Data Protection Regulations. European legislation designed to prevent the misuse of data by giving individuals greater control over how their personal information is used online.

Governance, Risk Management and Compliance (GRC)

Three aspects of organisational management that aim to ensure the organisation and its people behave ethically, run the organisation effectively, take appropriate measures to mitigate risks and maintain compliance with internal policies and external regulations.



Someone who breaks into computers, systems and networks.


Using a mathematical algorithm to disguise a piece of data.

Honeypot (Honeynet)

A decoy system or network that serves to attract potential attackers, protecting actual systems by detecting attacks or deflecting them. A good tool for learning about attack styles. Multiple honeypots form a honeynet.



Any breach of the security rules for a system or service. This includes attempts to gain unauthorised access, the unauthorised use of systems for the processing or storing of data, malicious disruption or denial of service, and changes to a system’s firmware, software or hardware without the owner’s consent.

Incident Response Plan

A predetermined plan of action to be undertaken in the event of a cyber incident.


A signal that a cyber incident may have occurred or is in progress.

Industrial Control System (ICS)

An information system used to control industrial processes or infrastructure assets. Commonly found in manufacturing industries, product handling, production and distribution.

Information Security Policy

The directives, regulations, rules, and practices that form an organisation’s strategy for managing, protecting and distributing information.

International Organization for Standardization (ISO)

An independent body that develops voluntary industry standards, including two major information security management standards: ISO 27001 and ISO 27002.

Internet of Things (IoT)

The ability of everyday objects, such as kettles, fridges and televisions, to connect to the internet.

Intrusion Detection System/Intrusion Detection and Prevention (IDS/IDP)

Hardware or software that finds and helps prevent malicious activity on corporate networks.

IP Spoofing

A tactic used by attackers to supply a false IP address in an attempt to trick the user or a cyber security solution into believing it is a legitimate actor.

ISO 27001

The gold standard in information security management systems (ISMS), demonstrating the highest level of accreditation.



The removal of a device’s security restrictions, with the intention of installing unofficial apps and making modifications to the system. Typically applied to a mobile phone.



The numerical value used to encrypt and decrypt cipher text.


A type of software or hardware that tracks keystrokes and keyboard events to monitor user activity.



Local area network. A small sized network that does not span a large geographical area.

Logic Bomb

A piece of code that carries a set of secret instructions. It is inserted in a system and triggered by a particular action. The code typically performs a malicious action, such as deleting files.


Macro Virus

A type of malicious code that uses the macro programming capabilities of a document’s application to carry out misdeeds, replicate itself and spread throughout a system.

Malicious Code

Program code designed for evil. Intended to hurt the confidentiality, integrity or availability of an information system.


The use of online advertising to deliver malware.


Short for malicious software. Any viruses, Trojans, worms, code or content that could adversely impact organisations or individuals.

Man-in-the-Middle Attack (MitM)

Cyber criminals interpose themselves between the victim and the website the victim is trying to reach, either to harvest the information being transmitted or alter it. Sometimes abbreviated as MITM, MIM, MiM or MITMA.


The steps taken to minimise and address cyber security risks.

Mobile Device Management (MDM)

Mobile device management (MDM) is a type of security software, specifically for monitoring, managing and securing mobile, tablet and other devices, allowing remote administration and management of the device.


National Cyber Security Centre (NCSC)

Part of GCHQ. A UK government organisation set up to help protect critical services from cyber-attacks.

National Institute of Standards and Technology (NIST)

A U.S. federal agency. Responsible for the ‘Framework for Improving Critical Infrastructure Cybersecurity’ – voluntary guidelines used by organisations to manage their security risks.

NIST Cyber Security Standard

A framework used in the U.S. to help businesses prepare their defence against cybercrime.


Packet Sniffer

Software designed to monitor and record network traffic. It can be used for good or evil – either to run diagnostics or troubleshoot problems, or to snoop in on private data exchanges, such as browsing history, downloads, etc.

Passive Attack

Attackers try to gain access to confidential information in order to extract it. Because they’re not trying to change the data, this type of attack is more difficult to detect – hence the name ‘passive’.

Password Sniffing

A technique used to harvest passwords by monitoring or snooping on network traffic to retrieve password data.

Patch Management

Patches (updates) are provided by developers to fix flaws in software. Patch management is the activity of getting, testing and installing software patches for a network and the systems within it.


Applying updates (patches) to firmware or software, whether to improve security or enhance performance.


The element of the malware that performs the malicious action – the cyber security equivalent of the explosive charge of a missile. Usually spoken of in terms of the damage wreaked.

Payment Card Industry Data Security Standard (PCI-DSS)

The security practices of the global payment card industry. Retailers and service providers that accept card payments (both debit and credit) must comply with PCI-DSS.

Pen Test

A slang term for penetration test or penetration testing.

Penetration Testing

A test designed to explore and expose security weaknesses in an information system so that they can be fixed.

Personally Identifiable Information (PII)

The data that enables an individual to be identified.


An attack on network infrastructure where a user is redirected to an illegitimate website, despite having entered the right address.


Mass emails asking recipients for sensitive information or pushing them to visit a fake website. These emails are generally untargeted.

Proxy Server

A go-between for a computer and the internet, used to enhance cyber security by preventing attackers from accessing a computer or private network directly.



Ransomware is a type of malware (malicious software) which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key. Usually, there is also a time-limit for the ransom to be paid. There is no guarantee that the decryption key will be handed over if the victim pays the ransom. The most reliable solution is to back up your data in at least three different places (for redundancy) and keep those backups up to date, so you don’t lose important progress.

Red Team

A group authorised and organised to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s cyber security posture.


Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.

Remote Access Trojan (RAT)

Remote Access Trojans (RATs) use the victim’s access permissions and infect computers to give cyber attackers unlimited access to the data on the PC. Cyber criminals can use RATs to exfiltrate confidential information. RATs include backdoors into the computer system and can enlist the PC into a botnet, while also spreading to other devices. Current RATs can bypass strong authentication and can access sensitive applications, which are later used to exfiltrate information to cyber-criminal controlled servers and websites.


A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.


Secret Key

A cryptographic key that is used for both encryption and decryption, enabling the operation of a symmetric key cryptography scheme.

Security Automation

The use of information technology in place of manual processes for cyber incident response and management.

Security Information and Event Management (SIEM)

Software used to monitor, log, provide alerts and analyse security events to support threat detection and incident response.

Security Monitoring

The collection of data from a range of security systems and the correlation and analysis of this information with threat intelligence to identify signs of compromise.

Security Operations Centre (SOC)

A central unit within an organisation that is responsible for monitoring, assessing and defending security issues.

Security Perimeter

A well-defined boundary within which security controls are enforced.

Security Policy

A rule or set of rules that govern the acceptable use of an organisation’s information and services to a level of acceptable risk and the means for protecting the organisation’s information assets.

Single Sign-On (SSO)

A software process to enable computer users to access more than one application using a single set of credentials, such as a username and password.


Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.

Social Engineering

Manipulating people into carrying out specific actions or divulging information that is of use to an attacker. Manipulation tactics include lies, psychological tricks, bribes, extortion, impersonation and other types of threats. Social engineering is often used to extract data and gain unauthorised access to information systems, whether they belong to single, private users or to organisations.

Software as a Service (SaaS)

Describes a business model where consumers access centrally-hosted software applications over the Internet.


The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Spear Phishing

Spear Phishing is a cyber-attack that aims to extract sensitive data from a victim using a very specific and personalised message designed to look like it’s from a person the recipient knows and/or trusts. This message is usually sent to individuals or companies, and it is extremely effective because it’s very well planned. Attackers invest time and resources into gathering information about the victim (interests, activities, personal history, etc.) in order to create the Spear Phishing message (which is usually an email). Spear Phishing uses the sense of urgency and familiarity (appears to come from someone you know) to manipulate the victim, so the target doesn’t have time to double check the information.


Faking the sending address of a transmission to gain unauthorised entry into a secure system.


Spyware is a type of malware designed to collect and steal the victim’s sensitive information, without the victim’s knowledge. Trojans, adware and system monitors are different types of spyware. Spyware monitors and stores the victim’s Internet activity (keystrokes, browser history, etc.) and can also harvest usernames, passwords, financial information and more. It can also send this confidential data to servers operated by cyber criminals so it can be used in consequent cyber-attacks.

SQL Injection

This is a tactic that uses code injection to attack applications that are data-driven. The maliciously injected SQL code can perform several actions, including dumping all the data in a database in a location controlled by the attacker. Through this attack, malicious hackers can spoof identities, modify data or tamper with it, disclose confidential data, delete and destroy the data or make it unavailable. They can also take control of the database completely.

SSL / Secure Sockets Layer

This is an encryption method to ensure the safety of the data sent and received from a user to a specific website and back. Encrypting this data transfer ensures that no one can snoop on the transmission and gain access to confidential information, such as card details in the case of online shopping. Legitimate websites use SSL (start with https). Users should avoid inputting their data in websites that don’t use SSL.


A way of encrypting data, hiding it within text or images, often for malicious intent.

Symmetric Key

A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt plain text and decrypt cipher text, or create a message authentication code and to verify the code.


Threat Analysis

The detailed evaluation of the characteristics of individual threats.

Threat Assessment

The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made that have or indicate the potential to harm life, information, operations, and/or property.

Threat Hunting

Cyber threat hunting is the process of proactively searching across networks and endpoints to identify threats that evade existing security controls.

Threat Management

There is no silver bullet to prevent 100% of cyber threats. Successful threat management requires a multi-layered approach encompassing prevention, detection, response and recovery.

Threat Monitoring

During this process, security audits and other information in this category are gathered, analysed and reviewed to see if certain events in the information system could endanger the system’s security. This is a continuous process.


In access control, a ticket is data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), forms a credential.


In security, a token is a physical electronic device used to validate a user’s identity. Tokens are usually part of the two-factor or multi-factor authentication mechanisms. Tokens can also replace passwords in some cases and can be found in the form of a key fob, a USB, an ID card or a smart card.

Traffic Light Protocol

A set of designations employing four colours (RED, AMBER, GREEN, and WHITE) used to ensure that sensitive information is shared with the correct audience.

Trojan Horse

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorisations of a system entity that invokes the program.

Two-Factor Authentication (2FA)

The use of two different components to verify a user’s claimed identity. Also known as multi-factor authentication.

Typhoid Adware

This is a cyber security threat that employs a Man-in-the-middle attack in order to inject advertising into certain web pages a user visits while using a public network, like a public, non-encrypted WiFi hotspot. In this case, the computer being used doesn’t need to have adware on it, so installing a traditional antivirus can’t counteract the threat. While the ads themselves can be non-malicious, they can expose users to other threats. For example, the ads could promote a fake antivirus that is actually malware or a phishing attack.


Unauthorised Access

Any access that violates the stated security policy.

URL Injection

A URL (or link) injection is when a cyber-criminal creates new pages on a website owned by someone else that contain spam words or links. Sometimes, these pages also contain malicious code that redirects your users to other web pages or makes the website’s web server contribute to a DDoS attack. URL injection usually happens because of vulnerabilities in server directories or software used to operate the website, such as an outdated WordPress or plugins.


Virtual Private Network (VPN)

An encrypted network often created to allow secure connections for remote users, for example in an organisation with offices in multiple locations.


Programs that can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.


A weakness, or flaw, in software, a system or process. An attacker may seek to exploit a vulnerability to gain unauthorised access to a system.



A wabbit is one of four main classes of malware, alongside viruses, worms and Trojan horses. It’s a form of computer program that repeatedly replicates on the local system. Wabbits can be programmed to have malicious side effects. A fork bomb is an example of a wabbit: it’s a form of DoS attack against a computer that uses the fork function. A fork bomb quickly creates a large number of processes, eventually crashing the system. Wabbits don’t attempt to spread to other computers across networks.

Water-Holing (Watering Hole Attack)

Setting up a fake website (or compromising a real one) in order to exploit visiting users.

Watering Hole

Watering Hole is the name of a computer attack strategy that was detected as early as 2009 and 2010. The victim is a particular, very targeted group, such as a company, organisation, agency, industry, etc. The attacker spends time gaining strategic information about the target: for example, observing which legitimate websites are more often visited by the members of the group. Then the attacker exploits a vulnerability and infects one of those trusted websites with malware, without the knowledge of the site’s owner.

Eventually, someone from that organisation will fall into the trap and their computer will be infected, giving the attacker access to the target’s entire network. These attacks work because of the constant vulnerabilities in website technologies, even with the most popular systems, such as WordPress, making it easier than ever to compromise websites without being noticed.


Highly targeted phishing attacks (masquerading as legitimate emails) that are aimed at senior executives.

White Team

A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.


A list of entities that are considered trustworthy and are granted access or privileges.


A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.



Recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies, that hackers can exploit.


A zombie computer is one connected to the Internet that, in appearance, is performing normally, but can be controlled by a hacker with remote access to it who sends commands through an open port. Zombies are mostly used to perform malicious tasks, such as spreading spam or other infected data to other computers, or launching DoS (Denial of Service) attacks, with the owner being unaware of it.