Words! What are they good for?

This year marks the 20th anniversary of Cybersecurity Awareness Month. A lot has happened since government and industry first came together to raise awareness about cybersecurity.

Significant advances in technology gave us more powerful threat defenses. General knowledge about cybersecurity also improved (though there’s always more to learn), and businesses are better educated about how to protect themselves. However, the battle for security continues as incidents increase in both frequency and sophistication.

In honor of the 20th Cybersecurity Awareness Month, we’re going back to basics by demystifying some common (but not well understood) cybersecurity jargon in plain English. You’ll learn what these terms mean and how to apply this knowledge to your own security best practices. Let’s get started.

Zero-day

While zero-day can technically refer to a type of vulnerability, attack, or exploit, the term is most frequently associated with a vulnerability. So, why is it called zero-day? The unique name stems from the fact that an attacker discovers the vulnerability before the vendor does. With no knowledge that the vulnerability exists, the vendor has zero days to fix it, increasing the probability of an attack being successful. Operating systems, web browsers, hardware, firmware, and Internet of Things (IoT) devices are all vulnerable.

It’s also not uncommon for zero-day exploits to end up on the dark web, where anyone can purchase and use them. With no one aware that they’re there, attackers have two options: attack immediately or lay low and wait for a (lucrative) opportunity to arise. The infamous Log4j, which is widely considered one of the most destructive software flaws ever, was a zero-day vulnerability.

Attack surface

The term attack surface probably conjures up images of a military operation or battlefield. While not as complicated as all that, the true meaning of the term isn’t far off the mark. But what exactly is an attack surface? Essentially, any entryway into your system or network could be considered an attack surface. All attack surfaces fall into one of three categories:

• Digital
• Physical
• Social engineering (which we’ll cover separately)

Digital attack surfaces, such as internet-based applications, are especially vulnerable to attacks and are often considered low-hanging fruit for attackers. Weak passwords, shared databases, and improperly maintained or secured operating systems, software, and firmware are also common attack vectors.

But not every threat comes from the outside. Physical attack surfaces, such as servers and laptops, are also vulnerable in the hands of disgruntled or opportunistic employees and third-party contractors with approved access. According to Security magazine, more than half of all organizations experienced an insider attack in 2022.

Social engineering

Social engineering is so widespread that it’s now part of the general lexicon. But despite its buzzword status, the term still isn’t that well understood. Any action designed to exploit human behavior and/or emotion for the sake of gaining access to information or physical goods can be classified as social engineering.

In the digital world, this includes tricking unsuspecting users into sharing data or taking action that allows access (often via email or text) to this data by evoking strong emotions like fear, excitement, curiosity, anger, guilt, or sadness. People are a lot more likely to make bad choices when they are emotionally motivated. This makes it that much easier for attackers to commit sabotage or theft. Take, for instance, phishing, the most common type of social engineering. Indeed, the 2022 Data Breach Investigations Report found that 90 percent of cyber attacks target people and not technology.

Data breach

You might be wondering why this term made the list. Considering that a data breach occurs every 39 seconds worldwide, it would seem that just about everyone with internet access should know what it is by now, right? But for those who are unsure: Simply put, a data breach is an incident in which an unauthorized party gains access to data.

If someone gains access to an HR database where employee names, dates of birth, and addresses are stored, they may or may not use this information to commit the additional crime of identity theft. Identity theft via data breach is increasingly common. However, just because a data breach occurs, it doesn’t automatically mean that identity theft has or will also occur. For that to happen, an attacker must use the victim’s data to impersonate them, with the primary objective being credit card, insurance, or Social Security fraud. In 2023, the average cost of a data breach reached a record high of $4.45 million.

Distributed denial of service (DDoS)

You may have heard of this common cyber attack strategy. It’s a bit old school but remains a popular choice for attackers who want to wreak havoc on their victim’s website and operations.

Using a small collection of compromised devices (like bots) or virtual machines (which use software instead of physical computers), a hacker constructs an army of attackers—the whole unit is referred to as a botnet. With this army of virtual computers, the hacker sends a flood of requests to the victim’s IP address or website. As millions of requests or pings come in at the same time, the server or network that processes them becomes overwhelmed. The result: The victim’s website crashes and becomes inaccessible to normal traffic and users. If you’ve ever tried to access a popular clothing or electronics website during the holidays only to find a dreaded 404 error, you likely witnessed a DDoS.

Business email compromise (BEC)

Business email compromise is the preferred method for attackers. Why? For starters, it’s very lucrative. A June 2023 FBI report on business email compromise found that domestic and international losses from this attack strategy cost nearly $51 billion over the last decade.

Part of what makes this type of cybercrime so appealing to criminals are the targets, which include executives, financial leaders, and HR managers—all of whom usually have publicly available details and access to bank accounts, confidential information, and employee data. This highly targeted email-based social engineering technique is known as spear phishing. Once an email account is compromised, the attacker can monitor emails in the account and pretend to be a high-ranking employee making a legitimate request for payment to a vendor or account.

Entry-level and new employees may be targeted for these tasks because they are less likely to have a solid understanding of company best practices. Larger firms that handle many financial transactions are the most common targets of BEC, as the scam can be repeated many times across the company.

Putting words into action

Now that you have a better understanding of some of the most common cybersecurity terms, you might be wondering how you can apply this knowledge to your own business. See the articles below for recommendations on everything from general security best practices to detailed security actions and controls for the Zendesk Suite, so you can stay up to speed on your cybersecurity awareness all year.

• General Security Best Practices
• Zendesk Suite Actionable Security Guide
• Zendesk Suite Product Controls and Recommendations