EDR / MDRIdentify, contain, respond, and stop malicious activity on endpoints
SIEMCentralize threat visibility and analysis, backed by cutting-edge threat intelligence
Risk Assessment & Vulnerability ManagementIdentify unknown cyber risks and routinely scan for vulnerabilities
Identity ManagementSecure and streamline client access to devices and applications with strong authentication and SSO
Cloud App SecurityMonitor and manage security risk for SaaS apps
SASEZero trust secure access for users, locations, and devices
SOC ServicesProvide 24/7 threat monitoring and response backed by ConnectWise SOC experts
Policy ManagementCreate, deploy, and manage client security policies and profiles
Incident Response ServiceOn-tap cyber experts to address critical security incidents
Cybersecurity GlossaryGuide to the most common, important terms in the industry
The ConnectWise Cybersecurity Glossary
Cybersecurity is a growing area of concern for many small to midsize businesses (SMBs), and it's a huge area of opportunity for managed service providers (MSPs). As more widespread and damaging attacks make the daily news, companies are turning to MSPs for cybersecurity services and support, such as security operations centers (SOC), dark web monitoring, and more.
Cybersecurity is the differentiating factor for MSPs moving forward. ConnectWise enables MSPs to add cybersecurity offerings—also known as an MSP+ model—with a range of MSP-specific software products, events, certificates, educational materials, frameworks, playbooks, and more.
In this cybersecurity glossary, we break down some of the most common, important terms in the industry. Click through our glossary to get up to speed on cybersecurity language and explore key terms in more depth.
Antivirus / Anti-malware
Threat actors—such as hackers or hacking groups—often use viruses and other harmful code to infiltrate company networks and endpoints such as computers. A standard tool in any organization’s cybersecurity toolkit, antivirus software is used to detect, alert, block, and remove these kinds of malicious programs, such as viruses, ransomware, and more. Another word for anti-virus is anti-malware, which also refers to its key function of protecting endpoints against harmful programs.
Advanced Persistent Threat
Instead of being an attack or a broad approach (such as a widespread phishing campaign), advanced persistent threats (APTs) are attacks where organizations are targeted over a long period of time. These types of attacks are usually perpetrated by well-organized, and well-funded groups, such as nation states.
An assessment is the process by which an organization examines its cybersecurity controls. Assessments cover everything from processes, trainings, policies, and tools in place to protect the organization’s users and data. Assessments are often conducted to compare an organization’s controls and posture against a third-party framework or compliance standard.
See Threat Actor.
Composed of IT professionals and other cybersecurity or technology experts, a blue team refers to a group tasked with defending an organization from cybersecurity threats. Blue teams detect threats, take actions to contain them, and then remediate the problem. They also handle prevention of future threats. Blue teams can help organizations get ahead of cybersecurity threats. They are often pitted against a red team.
Business Email Compromise (BEC)
A form of phishing, business email compromise (BEC) typically occurs when a threat actor poses as a legitimate business colleague—such as a co-worker, vendor, or partner—to facilitate some kind of malicious activity. Perpetrators of BEC may be trying to gain some kind of payment (such as convincing employees to send them money), exfiltrate data, or otherwise harm the business for their own gain.
Chief Information Security Officer (CISO)
A CISO is an executive focused on implementing, maintaining, and continually updating an organization’s cybersecurity posture. They’re typically the most senior-level person at an organization charged with cybersecurity, and they work alongside a suite of other C-level executives.
The cybersecurity buck stops with the CISO, and their team is responsible for preventing cybersecurity incidents and—if and when they occur—responding to those incidents.
Depending on their organizational maturity and how far they’ve come on their cybersecurity journey, not all organizations will have a CISO in place. In some cases, this role is filled by a lower-level security professional or an IT team member. Many small businesses outsource IT and security altogether to a managed service provider (MSP) or managed security service provider (MSSP). Sometimes this is done via a virtual CISO (vCISO), a role some MSPs and MSSPs have started providing to clients who need CISO level support but do not plan to bring the role in-house.
Once organizations have adopted controls to protect their data and systems, they need to ensure that those measures continue to work. Continuous monitoring means keeping an eye on an organization’s system/environments, assessing whether controls continue to be effective, and addressing any gaps.
The National Institute for Standards and Technology (NIST), includes continuous monitoring as part of a six-step risk management framework. They have released an FAQ with more details, definitions, and context around the role of continuous monitoring in managing risk.
In cybersecurity, controls are the processes, tools, and policies in place to prevent or limit the reach of a cybersecurity incident.
Cloud computing refers to software and services hosted on remote servers, rather than on local servers, machines, or endpoints.
Cyber hygiene, or cybersecurity hygiene, refers to a set of practices organizations and individuals perform regularly to ensure the safe handling of critical data, secure networks, and enterprise-wide assets. By maintaining properly functioning devices, organizations can better protect themselves from malware, cyberattacks, or data breaches.
Cyber resiliency is the ability of an IT system to remain operational and provide services in the event of unexpected disruptions, outages, or other unforeseen circumstances. It is the capacity for a system to recover from a disruption quickly and effectively and return to normal functionality.
Cryptography is a field focused on the processes, technologies, and approaches used to secure information as it moves from one party to another. Cryptography protects information—such as emails and files—from being read by people outside the sender and recipient. For example, encryption and decryption are two cryptography techniques that scramble and unscramble code according to a cipher, rendering information unreadable to outside parties. Cryptographical approaches are considered best practices in cybersecurity.
Cybersecurity, broadly speaking, is the field or practice of securely managing and protecting the confidentiality, integrity, and availability of devices, environments, assets, and data from bad actors. These bad actors can be external (such as hackers) or internal (such as disgruntled employees, partners, or vendors).
A cybersecurity framework is an organized, formalized set of processes, procedures, best practices, and requirements designed to ensure a high level of security. There are numerous frameworks globally. For example, one of the most well-known is the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework.
Cyber Threat Intelligence and Information Sharing
Cyber threat intelligence (CTI) is the process of collecting, analyzing, and integrating information about existing or potential threats to an organization’s digital infrastructure. It’s a crucial step in developing effective cybersecurity management protocols against an ever-changing landscape of cyber threats and a vital component of an organization's overall security apparatus.
The Dark Web
Many people first heard of the “dark web” via the Silk Road scandal in the mid 2000s and the site’s eventual shutdown in 2013. However, the dark web is more extensive and complex than many realize. Broadly speaking, the dark web is an entire secret internet that cannot be found via normal routes, such as search engines. It operates beneath the surface and is usually only accessible via tools like Tor. Criminals often use the dark web to conduct business. This is where stolen credentials, social security numbers, personal data, hacking tools, and other illegal information is bought and sold by cybercriminals.
Dark Web Scan
While the dark web is accessible only via special tools such as VPNs or browser extensions, companies can take steps to monitor for stolen information that could compromise their business. A dark web scan is a process by which an MSP or other cybersecurity team searches certain parts of the dark web for information, such as company email addresses, to catch or prevent compromises.
Dark Web Assessment / Dark Web Risk Assessment
Organizations should be aware of whether their information is being traded on the dark web. To do so, they may conduct a dark web assessment to uncover whether their data is being sold online. A dark web assessment can include a variety of different processes and tools, such as dark web scan.
A data breach is when data is unlawfully accessed and removed from an organization’s systems. Data breaches can be perpetrated by external factors, such as hackers, or by internal actors—also known as insiders—such as employees, vendors, or partners who have legitimate access to an organization’s systems. Of note: This term has a very specific meaning, and it should only be used by legal counsel or as part of business communications approved by legal counsel.
When a data breach occurs, data exfiltration is the act of actually moving organizational data from corporate systems to another location, such as a server, computer, or cloud account, controlled by the bad actor.
Organizations need to know that their data is correct. Data integrity encompasses processes and policies ensure that data is properly collected, stored, and accessed without compromising or altering the content. When a cybersecurity incident takes place, data integrity is an essential part of understanding the scope of the incident or compromise and managing risk.
Data Loss Prevention (DLP)
Organizations can take steps to prevent data exfiltration with data loss prevention, which is a combination of processes and tools designed to prevent data from being stolen. Data loss prevention tools are typically referred to as “DLPs.”
Decryption is the process by which organizations make data readable after it has been encrypted. Decryption is only possible with access to the cipher originally used to scramble the data.
Like other forms of forensics used in criminal and other investigations, digital forensics is a field focused on the close scientific analysis of devices, endpoints, software, and IT systems. With digital forensics, investigators can understand the what, who, where, and how of an event or cybersecurity incident. Organizations may engage in digital forensics after a data incident, during a legal case, or other instances where IT systems need to be closely examined for criminal activity.
Distributed Denial of Service (DDoS) Attacks
During distributed denial of service attacks (DDoS), an external actor—or actors—attempt to overwhelm an organization’s system or website with the goal of making it impossible for legitimate users to gain access. These attacks earn their name of “distributed” because the attacks come from multiple sources. For example, hackers may target a corporate website by overwhelming it with fake traffic, causing it to crash and preventing others from accessing the site. DDoS Attacks are often used in multi-step and multi-tool attacks where the initial DDoS flood serves to overwhelm security controls and staff, distracting them from secondary targeted attacks.
Dwell time refers to the amount of time a malicious actor has access to a compromised system before an MSP detects a threat. The longer the dwell time, the more opportunity an attacker has to cause damage, steal sensitive information, and spread harmful software and viruses to other parts of a company’s network.
Encryption is the process by which organizations protect data from unauthorized use or access by scrambling it to make it unreadable. Organizations encrypt data with a secret code that dictates how the data is scrambled, also called a cipher. Data can only be decrypted—or unscrambled and made readable again—with that cipher.
Endpoint Protection (EPP)
Endpoint protection (EPP) is a term encompassing multiple technologies and/or processes that secure an organization’s endpoints (e.g. servers, laptops and desktops, and mobile devices) and protects them against viruses, malware, and other threats. Antivirus or anti-malware software, for example, can be included in endpoint protection.
Technology deployed to laptops, desktops, servers, mobile devices, and other endpoints that provide organizations with one or more of the following functions: instrumentation, detection, prevention, and deception. Endpoint security technology may also enable organizations to take administrative action on a given device.
An event is any change or activity in an organization’s IT systems that is outside of normal behavior. An event is a broad term, and it doesn’t necessarily mean something malicious has occurred. For example, an employee skirting existing processes could be an event, although no harm was intended or no incident occurred. An event can escalate into an incident, in which a cybersecurity threat, malicious or otherwise, does occur.
An exploit is the method a threat actor uses to exploit—hence the name—a weakness in software, hardware, or other elements to get into an organization’s systems. Exploits are often code-based.
A factor used to determine risk when assessing data and systems based on the attack surface that they present externally.
Firewall technology is one of the earliest tools created to fend off cyber attackers and is a fundamental security control. A firewall creates a barrier between an endpoint (such as a laptop) or network and the outside world by restricting access in or out of the network.
Governance is the set of processes, rules, and systems of accountability that an organization uses to oversee and manage its IT infrastructure and cybersecurity.
Hacker is a broad term that refers to someone who uses technological skills to enter an organization's IT systems without authorization or permission. Hackers can be individuals or groups. They can be independent actors with malicious intent, state-sponsored individuals working for nations to perpetrate espionage, and more. Hackers can also be non-malicious, in the case of red team groups hired to help organizations uncover security holes, penetration testers, individuals participating in bug bounty programs, and more.
Impact refers to the consequences and reach of a given cybersecurity incident. Impact can be measured in terms of finances (such as the cost of remediating an incident or compromise), liability, data loss, organizational reputation, and more.
In cybersecurity, an incident is a negative security event that occurs on an organization's servers, devices, systems, etc. An incident could be an employee clicking on a phishing email, someone trying to break into an account via a password, an application exfiltrating information outside the network, and more. Sometimes incidents are accidental and sometimes they are malicious.
Information assurance refers to the IT and organizational practices that businesses implement to ensure their information is properly managed and accessible only to authorized users.
Information System Resilience
From environmental disasters, cybersecurity threats such as distributed denials of service (DDoS) attacks, electrical grid failures, and more, IT systems need to be able to withstand any number of disruptions and threats. Information system resilience refers to the preparations organizations put in place to enable their IT systems to survive perturbations such as those listed above. One element of information system resilience could include backups and disaster recovery services and software.
Incident response (IR) is the way in which an organization reacts to and addresses a cybersecurity event, such as an incident, compromise, or ransomware attack. When organizations have a response plan in place (see more below), the processes and steps a company takes follow a specific path and have designated roles and responsibilities. When organizations do not have a plan in place, their cyber incident response may not be as coherent or organized.
Incident Response Plan
An incident response plan is a predetermined plan that organizations create as a framework for what will happen during and after a cybersecurity incident. These plans detail what needs to happen, when it needs to happen, and who will be responsible for what actions. Whether or not an organization has actually experienced a cybersecurity incident in the past, a cyber response plan is necessary to limit potential damage and address risk for the future.
While many people may think of “hackers” as synonymous with cybersecurity threats, organizations are also at risk from the inside. Insiders are users who have typically been granted legitimate access, such as employees, partners, vendors, or anyone else the organization allowed access into corporate systems.
Whether through mistakes (such as clicking a phishing email) or bad intentions (e.g. stealing data to sell externally), insiders can trigger cybersecurity incidents, such as data leaks. Data prevention programs work to limit the risk of accidental or intentional data loss.
An intrusion is any form of unauthorized access to an organization’s IT systems or accounts.
As users, machines, and/or software make changes in an organization’s systems, a software program collects logs of that activity. Log collection notes important information such as the user, date and time, action taken, and more. Oftentimes used synonymously with “event collection,” although the roots of the term relate back to sys log collection.
As software performs log collection, the data should be organized and managed in a way that benefits the organization’s security strategy. Log management refers to the collection, storage, and analysis of an organization’s logs.
Malware is a software-based attack tool and refers to a huge range of malicious software that attackers use with the intention of harm, exploitation, theft, and other damaging activities. Examples of malware include ransomware, spyware, and viruses.
Managed Detection and Response (MDR)
When cybersecurity threats arise, they need to be dealt with quickly. With a combination of a security operations center (SOC) team and cybersecurity tools, a managed detection and response (MDR) service constantly monitors an organization’s infrastructure, looks for threats, and eliminates them in real time if/when they occur.
The MITRE ATT&CK framework
The MITRE ATT&CK® framework is an open-source knowledge base of tactics and techniques used by cyber attackers to gain access, evade detection, and move laterally within a network.
When a compromise or other cybersecurity incident occurs, mitigation is the process and/or steps taken to reduce the impact of the event.
Mobile Device Management (MDM)
Organizations have embraced laptops, smartphones, tablets, and other mobile devices to facilitate convenient and efficient work. Mobile device management (MDM) is the practice of managing the security of these various devices through technologies, policies, and processes, including specialized solutions for MDM.
MSP+ Cybersecurity Framework
Established by ConnectWise, the MSP+ Cybersecurity Framework is designed as a resource to help MSPs assess and enhance their cybersecurity practices as well as the cybersecurity posture of their clients. It is a compilation of best-in-class, MSP-specific guidance from well-known frameworks including NIST CSF, CIS 20, UK Cyber Essentials, Australia’s Essential Eight, and others.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a process that uses two or more authenticating factors to bring a higher level of security and prevent account takeovers. These factors usually fall into one or more of the following: something only the user can answer (such as a password or personal question); something unique that only the user has access to (such as a passcode or token); or something unique to the user’s physical presence (such as a fingerprint).
An example of MFA would be when a user logs into their email account, receives a code on their mobile device, and is asked to enter that code at login. 2FA (two-factor authentication) is a popular form of MFA.
The National Institute of Standards and Technology (NIST)
One of the most well-known and well-respected technology organizations in the U.S., the National Institute of Standards and Technology (NIST) issues widely used frameworks, guidance, and best practices for cybersecurity.
Established by the National Institute of Standards and Technology (NIST) and developed in collaboration across the private and public sectors, the NIST Cybersecurity Framework is designed to help organizations adhere to a high level of cybersecurity practices. There is no mandate to adhere to the NIST Cybersecurity Framework; organizations are free to adopt the framework on a voluntary basis.
Penetration testing is when organizations intentionally attempt to hack into or find vulnerabilities in their systems (or hire an outside consultant or firm to do so). In other words, they try to penetrate their own defenses to proactively find problems and address them before a cyber attacker can take advantage of them.
Phishing is a form of social engineering when bad actors send emails or other message types with malicious links or harmful content to an organization’s users. These phishing emails can be quite sophisticated and mimic content from legitimate and trusted sources, such as vendors, partners, or colleagues. When a user engages with the email, they may unintentionally download malware or be asked to provide sensitive information that can then be used to hack their accounts.
Ransomware is a form of malware that infects an organization’s devices and/or systems and locks legitimate users out of their accounts. Hackers will then demand payment—a “ransom”—in exchange for returning control of the device or system to the organization. Often even after payment is rendered, the hackers do not return access.
Recovery Point Objective (RPO)
Recovery point objective (RPO) is the maximum acceptable amount of data loss possible after an unexpected disaster event involving data loss. Examples of such events include widespread power outages or damage to hard drives in server enclosures. This translates to the point before a disaster event where data can be successfully recovered and business continuity is maintained.
Recovery Time Objective (RTO)
Surviving a major disaster and maintaining business continuity and operations involves relying on a well-prepared team and IT infrastructure. MSPs should aim to be as prepared as possible to fully restore a business to normal operations well under each client’s Recovery Time Objective (RTO). Failure to adequately plan ahead can lead to major downtimes and revenue loss for both the business and its clients.
Red teams are hackers or groups of hackers specifically hired to break into an organization’s systems. While they are not malicious actors or actual threats, they test IT systems as if they were. Red teams can uncover serious vulnerabilities in an organization’s IT systems and overall cybersecurity posture before a real threat can exploit those weaknesses.
Risk is, simply put, the likelihood that any given negative cybersecurity event could happen to an organization. Organizations must manage and reduce risk according to their unique circumstances, IT maturity, and priority. Each organization will have differing degrees of appetite for risk, and certain industries will be more risk averse or have greater regulations to reduce risk, such as the healthcare industry.
Organizations conduct risk assessments to get ahead of cybersecurity threats. A risk assessment examines an organization’s security posture against cybersecurity threats and identifies areas of improvement. It is a valuable tool in any organization’s work to head off security problems before they ever occur.
Risk management is a broad term that includes an organization’s holistic program to uncover and understand their unique risk characteristics and help prioritize security threats and severity, and ultimately reduce the risk with appropriate steps. The term can also include other organizational elements such financial risk management, HR-related risk management, and more. Risk management, like the cybersecurity landscape, is constantly evolving.
Security Information and Event Management (SIEM)
Security information and event management (SIEM) systems are a type of software that companies can use to collect data on activity in their systems and, through correlation of that data, receive alerts for unusual behavior. A SIEM solution generally collects data from across an organization’s systems, analyzes it, provides reports, and flags potential threats.
Security Operations Center (SOC)
Defending against cybersecurity threats is a round-the-clock job, and a security operations center (SOC) is a 24-hour team of experts who proactively hunt for, triage, and respond to threats in real-time. Large organizations may have an embedded SOC, but smaller organizations often outsource them.
Security theater refers to security measures put into place to give people the psychological feeling of safety.
Service Access Secure Edge (SASE)
Service Access Secure Edge (SASE) is a security service that enables organizations to securely access networks from any location while protecting against unauthorized access.
Shadow IT is the use of information technology software and devices in a manner inconsistent with a business’s protocols and without the knowledge of that business’s IT professionals.
Single Sign-On (SSO)
Organizations today use many different tools and software platforms, and password management can be a challenge. A single sign-on (SSO) platform is a method that allows users to securely access many tools using a single set of credentials.
Supply Chain Attacks
Supply chain attacks are malicious attempts to access or disrupt vital components of a company's supply chain. These attacks are typically initiated to gain unauthorized control of sensitive data, hold assets ransom, or cause harm to an organization's operations.
Threat actor is a broad term encompassing an individual, group of individuals, harmful organization (such as nation-state attackers) or others who present cybersecurity threats to governments, private sector companies, and others. Threat actors can include hackers.
Threat Research Team / Threat Intelligence Team
A threat intelligence team is a group of cybersecurity experts who monitor the Internet, conduct research, and simulate real-life scenarios in order to gather information about emerging threats. These teams leverage research in combination with automated tools, environmental knowledge, and their expertise to proactively hunt for specific types of malicious activity and share their findings with the cybersecurity community to benefit other organizations.
Third-party Risk Management
Most organizations engage with third parties, such as vendors, contractors or subcontractors, and others. Each third-party introduces new risk in the supply chain, and they will have varying degrees of IT and cybersecurity maturity. Third-party risk management is how organizations understand and reduce the risk of a cybersecurity incident from a third party. It can include policies, procedures, and legal agreements that define and guide practices and responsibilities. Third-party risk management is part of a thorough risk assessment process.
Tier 1 vs. Tier 2 vs. Tier 3 Cybersecurity
Traceroute is a valuable tool that you can use to trace the path of data packets from a computer to its destination on the internet. It's like following a map of data's journey through various networks and devices.
Unauthorized access occurs when a user accesses an organization’s IT systems or network without permission from the organization. This can happen through breaking into the system through weaknesses such as outdated operating systems or unpatched software. It can also happen even when the credentials used to access the system are authorized. For example, if an employee’s account credentials are stolen and used by a hacker to access corporate systems, that is still unauthorized access.
In cybersecurity, a vulnerability is a weak spot in a system, piece of software, or other digital asset that is not well-guarded and can be used by hackers to gain unauthorized access.
Zero day—or a zero-day exploit—is when hackers take advantage of a vulnerability in software code before the vendor is aware. Vendors such as Microsoft issue regular hotfixes, patches, and updates to address new vulnerabilities as they become aware of them (which is why timely patch management is crucial).
Have a cybersecurity term that you’d like to see defined, or that has your team baffled? Submit new terms to our team, and we’ll add them to our glossary!
An annual event, the ConnectWise IT Nation Secure conference brings together TSPs and MSPs from around the world to learn from one another, explore best practices, and discuss the hottest topics in cybersecurity today.
If you’re looking to offer cybersecurity products and services through your MSP, check out our starter kit. We’ve included videos, co-branded information for your clients, templates, and more to give you solid footing to start your cybersecurity journey.
Are you interested in offering cybersecurity products and services, but you’re not sure where to start? Take this self-assessment designed specifically for MSPs to see where you stand, and where you can grow your business further this year.
MSPs can use this checklist to walk potential and existing customers through a 30-point cybersecurity assessment. Our checklist includes important areas such as having a privacy program, core tools such as a VPN and firewall, system hardening measures, and more.
Blog post >>
Jumping into cybersecurity can be intimidating. In this blog post, a ConnectWise expert explores three core areas your MSP can explore to ramp up your cybersecurity knowledge and get on the path to offering cybersecurity services. First up? Make sure your own house is protected.
Cybersecurity is a top area of opportunity for MSPs around the world, and the team at ConnectWise wants to help you grow your offerings. In this eBook, we walk through some core steps, topics, and considerations to help grow this area of your business.
SMBs are at risk from cyberattacks, and more organizations are becoming aware of the dangers. Our annual SMB report conducted by Vanson Bourne uncovered numerous insights about SMB cybersecurity, preparedness, and plans for the year. Download it today for insights into how your potential clients are viewing cybersecurity services.
Blog post >>
Cybersecurity is a joint responsibility between an MSP and their customer—and it all starts with a shared cultural view of the importance of cybersecurity. Read this blog post for perspective and tips on how to build a “risk first” culture that puts security at the forefront of operations and processes.