General security

Commonly confused security topics

Commonly Confused Security Topics

Working in cybersecurity and information security tests your skills and abilities, forcing you to keep learning and studying. It means a lot of hard work, especially when you must keep up with all the common terminology and security principles that come with the territory. Add to that the constant change and innovation that happens within information technology, and you’ve got a complex set of parameters that you have to understand and continuously learn about.

It is therefore no surprise that there are some common misconceptions about certain topics relating to information security, and getting terminology confused doesn’t leave a good impression in a professional environment. Sometimes people will confuse security topics because they are similar or sound the same as something else.

Let’s delve into the subject and reveal some of the most commonly-searched-for security topics that people tend to get confused with, and hopefully dispel some of the bad information that’s out there.

Cyberthreats versus cyber-risks

These two terms get thrown around a lot. Perhaps it’s because they are sometimes used interchangeably during a discussion — after all, a threat and a risk do have similar meanings. However, there are some key differences between the two when used in a cybersecurity context. Let’s look at the definitions of each on more closely.

How would you define cyberthreats?

The Oxford Living Dictionaries defines cyberthreats as “The possibility of a malicious attempt to damage or disrupt a computer network or system.” Another way to think of cyberthreats is that they are the likelihood or the potential occurrence of a malicious event such as a malware infection or hacking.

Common examples of cyberthreats are:

• Malware
• System breaches
• Social engineering: Non-technical theft of user credentials such as passwords and login details
• Phishing
• Zero-day exploits

How would you define cyber-risks?

Cyber-risk is a measure of how vulnerable an organization is to all threats relating to IT and digital systems. Cyber-risk management fosters cooperation amongst all departments of an organization, including IT and management. The scientific paper Future developments in cyber-risk assessment for the internet of things defines cyber-risk with the following formula:

“Risk = Likelihood × Consequences, and cyber-risk can be defined as a function of: R = {si, pi, xi}, i = 1, 2, …, N, R – risk; s – the description of a scenario (undesirable event); p – the probability of a scenario; x – the measure of consequences or damage caused by a scenario; N – the number of possible scenarios that may cause damage to a system.” (Source)

What’s the difference?

Think of it this way: Cyberthreat is the likelihood of a cyberattack occurring, while cyber-risk is a measurement of how impactful a cyberattack would be on the organization or company should it occur.

Exploit versus cyber-exploitation

Here are another two security terms that get used out of context quite often. We hear about exploits being used by cybercriminals when they hack a computer system, such as Cross-Site Scripting (XSS) or SQL injection. These exploits can be defined as cyberattacks, while cyber-exploitation is a completely different method used by cybercriminals to extort their victims. Let’s define each of these terms.

What is an exploit?

The Dictionary of Information Security by Robert Slade defines an exploit as a “specific attack or vulnerability used to take advantage of a particular loophole or weakness in security measures”.

Common exploits identified by MIT (Massachusetts Institute of Technology) are:

• Null or default passwords
• Default shared keys
• IP spoofing
• Eavesdropping
• Service vulnerabilities
• Application vulnerabilities

What is cyber-exploitation?

The Commission on Peace Officer Standards and Training (POST) defines cyber-exploitation as “the non-consensual distribution of intimate photos and/or videos … These photos or videos may be posted to humiliate and degrade the victims, to cause damage to their reputation, and/or used to extort them”.

Examples of cyber-exploitation

• Ex-lovers or ex-spouses threatening to use this material after a relationship has ended. They might be in possession of this material through legitimate means, but then threaten to distribute the material to damage the victim’s reputation or image
• A stranger might come across this material, either by recovering deleted data from a discarded storage device such as a hard drive or thumb drive, logging into a storage account on a public computer with saved credentials, finding a device such as a laptop or smartphone or through theft of these devices
• A cybercriminal might break into a device or personal account that holds this material and then demand money in exchange for them not releasing the material to the public.
• Images and videos can be doctored to portray a victim as performing certain activities even though they did not. There could be reputational damage from releasing such material, so can be used as blackmail material

What’s the difference?

An exploit is a broad term that is used for the many different types of malicious and/or illegal activities that could occur on an IT system when unauthorized people try to gain access to steal data or cause damage to a system through an identified weakness or loophole. These include systems such as a computer, servers or networks.

Cyber-exploitation is an act of blackmail or extortion carried out with material that is generally digital, such as pictures, videos or documents. This material could be obtained legitimately (sent with permission that has since been revoked), through hacking or through theft. The offending party usually communicates with the victim through an electronic medium such as text or chat services.

Cybersecurity versus network security

The difference between cybersecurity and network security is quite simple. You could easily think about network security as being a subset of cybersecurity, but that’s not helpful if you were to try and explain the difference between the two properly. Simply put, cybersecurity’s primary concern is with threats that are external to the organization while network security is involved with the internal functioning of the organization’s network infrastructure security requirements.

What is cybersecurity?

Merriam-Webster defines cybersecurity as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack”.  Common cybersecurity responsibilities include:

• Network protection from the Internet, local threats on the LAN and all external threats
• Regulating and monitoring traffic coming into and going out of the organization
• Testing user password security and conducting audits on user permissions
• Controlling antivirus and other products that protect the network
• Penetration testing of firewalls and routers
• Controlling access to the network from the Internet

What is network security?

Cisco defines network security as “any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network”. Competencies that are required include:

• Network maintenance and administration
• Monitoring of Internet usage, generating usage reports for management
• Maintaining usernames and passwords for users, setting user permissions
• Firewall and router maintenance and configuration
• Controlling Internet access for users on the network

What’s the difference?

There are differences between cybersecurity and network security, yes, but there are also plenty of areas where they overlap. Smaller organizations might have a small team that looks after both cybersecurity and network security within the organization, so the two areas are not separate from one another. Instead they share many similarities, but they focus on different areas.

Transport layer encryption versus end-to-end encryption

Understanding which protocol you are using to encrypt your traffic is more than just a lesson in abstract technical thinking. Each protocol method has its own areas where it is the most effective choice versus another similar protocol, so knowing what choices you have when establishing communications will make you a far more effective IT professional in the long run. Transport Layer Security and end-to-end encryption are both useful in certain instances, but how are the two of them different?

What is Transport Layer Security?

The Institute of Electrical and Electronics Engineers defines Transport Layer Security (TLS) as “the successor of the Secure Sockets Layer (SSL). The protocols define the mechanisms to ensure secure transmission of data over the internet. The standards are controlled by The Internet Engineering Task Force (IETF®). The standard defines the negotiation handshake which defines the encryption and protocol to be used to transmit data records. The varied nature of the implementations of the standard provides a venue for disruption, i.e., it is possible to promote successful attacks by CyberSecutity [sic] hackers.”

What is end-to-end encryption?

End-to-end encryption is unreadable to everyone else except for the sender and receiver of the data or message. Even the server that is hosting the char session cannot read this data. Whatsapp has implemented E2EE as a way to secure their chat feature, and a whitepaper outlining their reasoning and implementation can be found here.

What’s the difference?

Data that is sent using Transport Layer Security is readable to both sending and receiving parties, as well as the machine that is hosting the session (usually a Web or application server). End-to-end encryption is unreadable to anyone else but the parties that are communicating with one another.

XSS versus CSRF

You don’t have to be a developer or programmer to care about the sanitization of user input. These two methods became very common as forms of attack, though they have both been mitigated by popular website and online platforms for the most part. If you are a cybersecurity professional that is supporting a product that has the potential to open one of these vulnerabilities to your websites, then you need to know the difference between these attack methods.

XSS (Cross-Site Scripting)

OWASP defines XSS as “a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”

CSRF (Cross-Site Request Forgery)

OWASP defines CSRF as “an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.”

What’s the difference?

XSS is an injection that affects Web applications and allows attackers to execute scripts across the site that target other users or forces another user to execute a malicious script. CSRF is an attack that forces a user to perform actions that they did not want to execute.

Conclusion

There are many more examples of terminologies and concepts that sound very similar but mean something quite different when you look a little deeper. By always learning and keeping your skills sharp and relevant, you can avoid a conversational blunder the next time you are talking tech with your colleagues or worse still, your boss.

This is a good opportunity to look at some of the other cybersecurity terms that you use daily and find out how accurately you are placing them in your day-to-day speech. You might be surprised to find that some of the meanings have shifted slightly, or that there are better ways of describing certain problems or techniques in cybersecurity.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

 

Sources

1. Petar Radanliev, David Charles De Roure, Razvan Nicolescu, Michael Huth, Rafael Mantilla Montalvo, Stacy Cannady, Peter Burnap. "Future developments in cyber risk assessment for the internet of things," Computers in Industry
2. Cyber Exploitation, CA.gov
3. Cross-Site Request Forgery (CSRF), OWASP
4. Cross-site Scripting (XSS), OWASP
5. Cybersecurity, Merriam-Webster
6. What Is Network Security?, Cisco