Access Control

Access Control ensures that resources are only granted to those users who are entitled to them.

Access Control List (ACL)

A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.

Access Control Service

A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets.

ActiveX

ActiveX is a technology developed by Microsoft for improving interactive control and executing Windows applications over the Web. It is similar in some ways to Java. ActiveX is based on Microsoft's OLE and COM technologies, and ActiveX components can be written in many different programming languages. ActiveX components are often embedded in Web pages, to extend their functionality and interactivity.

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address to a physical machine address that is recognized in the local network. A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

Advanced Encryption Standard (AES)

An encryption standard being developed by NIST. Intended to specify an unclassified, publicly-disclosed, symmetric encryption algorithm.

Algorithm

A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer.

Applet

Java programs; an application program that uses the client's web browser to provide a user interface.

Application Layer Firewall

Application layer firewalls function in one of two modes: passive or active. Active application firewalls actively inspect all incoming requests -- including the actual message being exchanged -- against known vulnerabilities such as SQL injection, parameter and cookie tampering, and cross-site scripting. Only requests that are deemed "clean" are passed to the application. Passive application layer firewalls act in a manner similar to an IDS (Intrusion Detection System) in that they also inspect all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered.

Application layer firewalls improve the overall security of the application infrastructure by preventing attacks that are likely to cause a service outage or cause structural damage to data sources. Application layer firewalls are generally remotely updateable, which allows them to prevent newly discovered vulnerabilities. These firewalls are often more up to date than specific security-focused code included in applications, due to the longer development and testing cycles required to include such code within applications.

Auditing

Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.

Authentication

Authentication is the process of confirming the correctness of the claimed identity.

Authenticity

Authenticity is the validity and conformance of the original information.

Authorization

Authorization is the approval, permission, or empowerment for someone or something to do something.

Autonomous System

One network or series of networks that are all under one administrative control. An autonomous system is also sometimes referred to as a routing domain. An autonomous system is assigned a globally unique number, sometimes called an Autonomous System Number (ASN).

Availability

Availability is the need to ensure that the business purpose of the system can be met and that it is accessible to those who need to use it.

Backdoor

A backdoor is a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.

Backup

Backup is the routine copying of data to ensure its protection in the event of data loss through accidental deletion, equipment failure, or some other mishap. As more and more data is created and and stored for longer periods of time, backup costs and the "backup window" (the time allocated to complete a backup operation) can increase to unmanageable levels.

Bandwidth

Commonly used to mean the capacity of a communication channel to pass data through the channel in a given amount of time. Usually expressed in bits per second.

Basic Authentication

Basic Authentication is the simplest web-based authentication scheme that works by sending the username and password with each request.

Bastion Host

A bastion host has been hardened in anticipation of vulnerabilities that have not been discovered yet.

Bit

The smallest unit of information storage; a contraction of the term "binary digit;" one of two symbolsÑ"0" (zero) and "1" (one) - that are used to represent binary numbers.

Block Cipher

A block cipher encrypts one block of data at a time.

Boot Record Infector

A boot record infector is a piece of malware that inserts malicious code into the boot sector of a disk.

Border Gateway Protocol (BGP)

An inter-autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).

Bridge

A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet or token ring).

British Standard 7799

A standard code of practice and provides guidance on how to secure an information system. It includes the management framework, objectives, and control requirements for information security management systems.

Broadcast

To simultaneously send the same message to multiple recipients. One host to all hosts on network.

Broadcast Address

An address used to broadcast a datagram to all hosts on a given network using UDP or ICMP protocol.

Browser

A client computer program that can retrieve and display information from servers on the World Wide Web.

Brute Force

A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one.

Buffer Overflow

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

Business Continuity Plan (BCP)

A Business Continuity Plan is the plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

Business Impact Analysis (BIA)

A Business Impact Analysis determines what levels of impact to a system are tolerable.

Byte

A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and usually means eight bits.

Cache

Pronounced cash, a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.

Cache Cramming

Cache Cramming is the technique of tricking a browser to run cached Java code from the local disk, instead of the internet zone, so it runs with less restrictive permissions.

Cache Poisoning

Malicious or misleading data from a remote name server is saved [cached] by another name server. Typically used with DNS cache poisoning attacks

Cipher

A cryptographic algorithm for encryption and decryption.

Ciphertext

Ciphertext is the encrypted form of the message being sent.

Circuit Switched Network

A circuit switched network is where a single continuous physical circuit connected two endpoints where the route was immutable once set up.

Client

A system entity that requests and uses a service provided by another system entity, called a "server." In some cases, the server may itself be a client of some other server.

Computer Emergency Response Team (CERT)

An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security.

Computer Network

A collection of host computers together with the sub-network or inter-network through which they can exchange data.

Confidentiality

Confidentiality is the need to ensure that information is disclosed only to those who are authorized to view it.

Configuration Management

Establish a known baseline condition and manage it.

Cookie

Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections.

Corruption

A threat action that undesirably alters system operation by adversely modifying system functions or data.

Cost Benefit Analysis

A cost benefit analysis compares the cost of implementing countermeasures with the value of the reduced risk.

Countermeasure

Reactive methods used to prevent an exploit from successfully occurring once a threat has been detected. Intrusion Prevention Systems (IPS) commonly employ countermeasures to prevent intruders form gaining further access to a computer network. Other counter measures are patches, access control lists and malware filters.

Covert Channels

Covert Channels are the means by which information can be communicated between two parties in a covert fashion using normal system operations. For example by changing the amount of hard drive space that is available on a file server can be used to communicate information.

Crossover Cable

A crossover cable reverses the pairs of cables at the other end and can be used to connect devices directly together.

Daemon

A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a Unix term, though many other operating systems provide support for daemons, though they're sometimes called other names. Windows, for example, refers to daemons and System Agents and services.

Data Deduplication (DeDupe)

Data deduplication (often called "intelligent compression" or "single-instance storage") is a method of reducing storage needs by eliminating redundant data. Only one unique instance of the data is actually retained on storage media, such as disk or tape. Redundant data is replaced with a pointer to the unique data copy. For example, a typical email system might contain 100 instances of the same one megabyte (MB) file attachment. If the email platform is backed up or archived, all 100 instances are saved, requiring 100 MB storage space. With data deduplication, only one instance of the attachment is actually stored; each subsequent instance is just referenced back to the one saved copy. In this example, a 100 MB storage demand could be reduced to only one MB.

Data deduplication offers other benefits. Lower storage space requirements will save money on disk expenditures. The more efficient use of disk space also allows for longer disk retention periods, which provides better recovery time objectives (RTO) for a longer time and reduces the need for tape backups. Data deduplication also reduces the data that must be sent across a WAN for remote backups, replication, and disaster recovery.

Data deduplication can generally operate at the file, block, and even the bit level. File deduplication eliminates duplicate files (as in the example above), but this is not a very efficient means of deduplication. Block and bit deduplication looks within a file and saves unique iterations of each block or bit. Each chunk of data is processed using a hash algorithm such as MD5 or SHA-1. This process generates a unique number for each piece which is then stored in an index. If a file is updated, only the changed data is saved. That is, if only a few bytes of a document or presentation are changed, only the changed blocks or bytes are saved, the changes don't constitute an entirely new file. This behavior makes block and bit deduplication far more efficient. However, block and bit deduplication take more processing power and uses a much larger index to track the individual pieces.

Data Custodian

A Data Custodian is the entity currently using or manipulating the data, and therefore, temporarily taking responsibility for the data.

 

Data Encryption Standard (DES)

A widely-used method of data encryption using a private (secret) key. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

Data Mining

Data Mining is a technique used to analyze existing information, usually with the intention of pursuing new avenues to pursue business.

Data Owner

A Data Owner is the entity having responsibility and authority for the data.

Data Warehousing

Data Warehousing is the consolidation of several previously independent databases into one location.

Day Zero

The "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit is referred to an exploit for which no patch is available yet. ("day one"-> day at which the patch is made available).

Demilitarized Zone (DMZ)

In computer security, in general a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet. DMZ's help to enable the layered security model in that they provide subnetwork segmentation based on security requirements or policy. DMZ's provide either a transit mechanism from a secure source to an insecure destination or from an insecure source to a more secure destination. In some cases, a screened subnet which is used for servers accessible from the outside is referred to as a DMZ.

Denial of Service

The prevention of authorized access to a system resource or the delaying of system operations and functions.

Dictionary Attack

An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.

Diffie-Hellman

A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.

Digest Authentication

Digest Authentication allows a web client to compute MD5 hashes of the password to prove it has the password.

Digital Certificate

A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

Digital Envelope

A digital envelope is an encrypted message with the encrypted session key.

Digital Signature

A digital signature is a hash of a message that uniquely identifies the sender of the message and proves the message hasn't changed since transmission.

Digital Signature Algorithm (DSA)

An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.

Digital Signature Standard (DSS)

The US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.

Disassembly

The process of taking a binary program and deriving the source code from it.

Disaster Recovery Plan (DRP)

A Disaster Recovery Plan is the process of recovery of IT systems in the event of a disruption or disaster.

Discretionary Access Control (DAC)

Discretionary Access Control consists of something the user can manage, such as a document password.

Disruption

A circumstance or event that interrupts or prevents the correct operation of system services and functions.

Domain

A sphere of knowledge, or a collection of facts about some program entities or a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. In the Internet's domain name system, a domain is a name with which name server records are associated that describe sub-domains or host. In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

Domain Hijacking

Domain hijacking is an attack by which an attacker takes over a domain by first blocking access to the domain's DNS server and then putting his own server up in its place.

Domain Name

A domain name locates an organization or other entity on the Internet. For example, the domain name www.castleforce.co.uk locates an Internet address for "castleforce.co.uk" at Internet point and a particular host server named "www". The ".co.uk" part of the domain name reflects the purpose of the organization or entity (in this example, "company in the UK") and is called the top-level domain name. The "castleforce" part of the domain name defines the organization or entity and together with the top-level is called the second-level domain name.

Domain Name System (DNS)

The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.

Due Care

Due care ensures that a minimal level of protection is in place in accordance with the best practice in the industry.

Due Diligence

Due diligence is the requirement that organizations must develop and deploy a protection plan to prevent fraud, abuse, and additional deploy a means to detect them if they occur

Eavesdropping

Eavesdropping is simply listening to a private conversation which may reveal information which can provide access to a facility or network.

Echo Reply

An echo reply is the response a machine that has received an echo request sends over ICMP.

Echo Request

An echo request is an ICMP message sent to a machine to determine if it is online and how long traffic takes to get to it.

Egress Filtering

Filtering outbound traffic.

Encapsulation

The inclusion of one data structure within another structure so that the first data structure is hidden for the time being.

Encryption

Cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used.

Escrow Passwords

Escrow Passwords are passwords that are written down and stored in a secure location (like a safe) that are used by emergency personnel when privileged personnel are unavailable.

Ethernet

The most widely-installed LAN technology. Specified in a standard, IEEE 802.3, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access using a CSMA/CD protocol.

Event

An event is an observable occurrence in a system or network

Event Aggregation

The consolidation of similar log entries into a single entry containing a count of the number of occurrences of the event.

Event Correlation

Finding relationships between two or more log entries.

Event Filtering

The suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest.

Event Reduction

Removing unneeded data fields from all log entries to create a new log that is smaller.

False Rejects

False Rejects are when an authentication system fails to recognize a valid user.

Fast File System

The first major revision to the Unix file system, providing faster read access and faster (delayed, asynchronous) write access through a disk cache and better file system layout on disk. It uses inodes (pointers) and data blocks.

Fault Line Attacks

Fault Line Attacks use weaknesses between interfaces of systems to exploit gaps in coverage.

File Transfer Protocol (FTP)

A TCP/IP protocol specifying the transfer of text or binary files across the network.

Filter

A filter is used to specify which packets will or will not be used. It can be used in sniffers to determine which packets get displayed, or by firewalls to determine which packets get blocked.

Filtering Router

An inter-network router that selectively prevents the passage of data packets according to a security policy. A filtering router may be used as a firewall or part of a firewall. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy. The policy is implemented by rules (packet filters) loaded into the router.

Firewall

A logical or physical discontinuity in a network to prevent unauthorized access to data or resources.

Flooding

An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly.

Forest

A forest is a set of Active Directory domains that replicate their databases with each other.

Fork Bomb

A Fork Bomb works by using the fork() call to create a new process which is a copy of the original. By doing this repeatedly, all available processes on the machine can be taken up.

Form-Based Authentication

Form-Based Authentication uses forms on a webpage to ask a user to input username and password information.

Forward Lookup

Forward lookup uses an Internet domain name to find an IP address

Forward Proxy

Forward Proxies are designed to be the server through which all requests are made.

Fragment Offset

The fragment offset field tells the sender where a particular fragment falls in relation to other fragments in the original larger packet.

Fragment Overlap Attack

A TCP/IP Fragmentation Attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains incorrect offset. When packet is reconstructed, the port number will be overwritten.

Fragmentation

The process of storing a data file in several "chunks" or fragments rather than in a single contiguous sequence of bits in one place on the storage medium.

Frames

Data that is transmitted between network points as a unit complete with addressing and necessary protocol control information. A frame is usually transmitted serial bit by bit and contains a header field and a trailer field that "frame" the data. (Some control frames contain no data.)

Full Duplex

A type of duplex communications channel which carries data in both directions at once. Refers to the transmission of data in two directions simultaneously. Communications in which both sender and receiver can send at the same time.

Fully-Qualified Domain Name

A Fully-Qualified Domain Name is a server name with a hostname followed by the full domain name.

Fuzzing

The use of special regression testing tools to generate out-of-spec input for an application in order to find security vulnerabilities. Also see "regression testing".

 

Federal Information

Processing Standards (FIPS)

On July 17, 1995, the National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS)140-1 Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1.

FIPS 140-1 and FIPS 140-2 Vendor List