A

Abuse of Privilege: When a user performs an action
that they should not have, according to organizational
policy or law.
Access: The ability to enter a secured area. The
process of interacting with a system. Used as either a verb
or a noun.
Access Authorization:
Permission granted to users, programs or workstations.
Access Control: A set of
procedures performed by hardware, software and
administrators to monitor access, identify users requesting
access, record access attempts, and grant or deny access.
Access Sharing:
Permitting two or more users simultaneous access to file
servers or devices.
Alphanumeric Key: A
sequence of letters, numbers, symbols and blank spaces from
one to 80 characters long.
ANSI: The American
National Standards Institute. Develops standards for
transmission, storage, languages and protocols. Represents
the United States in the ISO (International Standards
Organization).
Application Level Gateway
[Firewall]: A firewall system in which service is
provided by processes that maintain complete TCP connection
state and sequencing. Application level firewalls often
re-address traffic so that outgoing traffic appears to have
originated from the firewall, rather than the internal host.
Audit: The independent
collection of records to assess their veracity and
completeness.
Audit Trail: An audit
trail may be on paper or on disk. In computer security
systems, a chronological record of when users log in, how
long they are engaged in various activities, what they were
doing, and whether any actual or attempted security violations
occurred.
Authenticate: In
networking, to establish the validity of a user or an object
(e.g., a communications server).
Authentication: The
process of establishing the legitimacy of a node or user
before allowing access to requested information. During the
process, the user enters a name or account number
(identification) and password (authentication).
Authentication Tool: A
software or hand-held hardware "key" or "token" utilized
during the user authentication process. See key and token.
Authentication Token: A
portable device used for authenticating a user.
Authentication tokens operate by challenge/response,
time-based code sequences, or other techniques. This may
include paper-based lists of one-time passwords.
Authorization: The
process of determining what types of activities are permitted.
Usually, authorization is in the context of authentication.
Once you have authenticated a user, the user may be
authorized different types of access or activity.
B

Back Door: An entry point to a program or a system that
is hidden or disguised, often created by the software's
author for maintenance. A certain sequence of control
characters permits access to the system manager account. If
the back door becomes known, unauthorized users (or
malicious software) can gain entry and cause damage.
Bastion Host: A system
that has been hardened to resist attack at some critical
point of entry, and which is installed on a network in such
a way that it is expected to come under attack. Bastion
hosts are often components of firewalls, or may be "outside"
Web servers or public access systems. Generally, a bastion
host is running some form of general-purpose operating
system (e.g., UNIX, VMS, WNT, etc.) rather than a ROM-based
or firmware operating system.
Biometric Access Control:
Any means of controlling access through human measurements,
such as fingerprinting and voiceprinting.
Bit:
The unit in which encryption key-length, or strength, is
measured. The more bits, the stronger the encryption.
Brute Force Search:
A method of attempting to break encryption by simply trying
all possible keys. Strong encryption must have a large
enough keyspace to ensure that a brute force search is not
feasible.
C

CERT: The Computer
Emergency Response Team was established at Carnegie-Mellon
University after the 1988 Internet worm attack.
Challenge/Response: A
security procedure in which one communicator requests
authentication of another communicator, and the latter
replies with a pre-established appropriate reply.
Chroot: A technique under
UNIX whereby a process is permanently restricted to an
isolated subset of the file system.
Coded File: In
encryption, a coded file contains unreadable information.
Combined Evaluation:
Method using proxy and state or filter evaluations as
allowed by administrator. [See State Full Evaluation].
Communications Server:
Procedures designed to ensure that telecommunications
messages maintain their integrity and are not accessible by
unauthorized individuals.
Computer Security:
Technological and managerial procedures applied to computer
systems to ensure the availability, integrity and
confidentiality of information managed by the computer
system.
Computer Security Audit:
An independent evaluation of the controls employed to ensure
appropriate protection of an organization's information
assets.
Credit Card Numbers:
One of the most easily transferable means of cash on the
Internet: only 12 numbers give a user access to sometimes
tens of thousands of dollars in credit. This number could be
used to make a long distance phone call or to order a new
ski jacket online. It could be obtained without permission
from left-over purchase receipts or by malicious clerks,
waiters, and salespeople. If an insecure connection is used
to transmit credit card information, it could be intercepted
by an untrusted third party. It is an area of online
commerce that has to be monitored, with verification
ensured, if users are to trust the Internet for
making purchases.
Cryptanalysis: The art of
decoding text. Cryptanalysis is a complex process, involving
statistical analysis, analytical reasoning, math tools and
pattern finding.
Cryptographic Checksum: A
one-way function applied to a file to produce a unique
"fingerprint" of the file for later reference. Checksum
systems are a primary means of detecting file system
tampering on UNIX.
D

Data Driven Attack: A form of attack
in which the attack is encoded in innocuous-seeming data
that is executed by a user or other software to implement an
attack. In the case of firewalls, a data driven attack is a
concern since it may get through the firewall in data
form and launch an attack against a system behind the
firewall.
Data Encryption Standard:
An encryption standard developed by IBM and then tested and
adopted by the National Bureau of Standards. Published in
1977, the DES standard has proven itself over nearly 20
years of use in both government and private sectors.
Decode: Conversion of
encoded text to plain text through the use of a code.
Decrypt: Conversion of
either encoded or enciphered text into plaintext.
Decryption: The
art of decrypting text - the process by which encoded text
is made readable.
Dedicated: A special
purpose device. Although it is capable of performing other
duties, it is assigned to only one.
Defense in Depth: The
security approach whereby each system on the network is
secured to the greatest possible degree. May be used in
conjunction with firewalls.
DES: The U.S.
Government's Data Encryption Standard. It is 56-bit.
DNS Spoofing: Assuming
the DNS name of another system by either corrupting the name
service cache of a victim system, or by compromising a
domain name server for a valid domain.
Dual Homed Gateway:
1) A system that has two or more
network interfaces, each of which is connected to a
different network. In firewall configurations, a dual homed
gateway usually acts to block or filter some or all of the
traffic trying to pass between the networks.
2) A firewall implemented without the use of a screening
router.
E

E-mail Bombs: Code that when executed sends many
messages to the same address(es) for the purpose of using up
disk space and/or overloading the E-mail or web server.
Encrypting Router: See
Tunneling Router and Virtual Network Perimeter.
Encryption: The
translation of information, text, or data into a format
that is unreadable, to ensure only the intended receiver
views the information. The data is encoded with a key, a
password that will allow the data to be decoded only with
the specific key used to encrypt the data.
End-to-End Encryption:
Encryption at the point of origin in a network, followed by
decryption at the destination.
Environment: The
aggregate of external circumstances, conditions and events
that affect the development, operation and maintenance of a
system.
Escrow Agent:
An entity that holds encryption keys for other users.
F

Firewall: A system or combination of systems that
enforces a boundary between two or more networks.
Flooding programs: Code
which when executed will bombard the selected system with
requests in an effort to slow down or shut down the system.
Anonymous FTP: A guest
account which allows anyone to log in to the FTP server. It
can be a point to begin access on the host server.
G

Gateway: A bridge between two networks.
Generic Utilities:
General purpose code and devices; i.e., screen grabbers and
sniffers that look at data and capture information like
passwords, keys and secrets.
Global Security: The
ability of an access control package to permit protection
across a variety of mainframe environments, providing users
with a common security interface to all.
Granularity: The relative
fineness or coarseness by which a mechanism can be adjusted.
H

Hack: Any software in which a significant portion of the
code was originally another program.
Hacker: Those who are
intent upon entering an environment to which they are not
entitled entry, for whatever purpose [entertainment, profit,
theft, prank]. Usually iterative techniques escalating to
more advanced methodologies and use of devices to intercept
the communications property of another.
Host-based Security: The
technique of securing an individual system from attack.
Host-based security is operating system and version
dependent.
Hot Standby: A backup
system configured in such a way that it may be used if the
system goes down.
Hybrid Gateways: An
unusual configuration with routers that maintain the
complete state of the TCP/IP connections or examine the
traffic to try to detect and prevent attack [may involve a
bastion host]. If very complicated it is difficult to
attack; and, difficult to maintain and audit.
I

IETF: The Internet Engineering Task Force, a public
forum that develops standards and resolves operational
issues for the Internet. IETF is purely voluntary.
Information Systems
Technology: The protection of information assets from
accidental or intentional but unauthorized disclosure,
modification, or destruction, or the inability to process
that information.
Insecure:
An insecure connection or
protocol is one in which it is possible for a third party to
intercept or overhear an exchange between two parties. Phone
systems are insecure since wiretaps still occur and can
overhear the conversation of two parties. Computer networks
that have not implemented security measures are insecure and
thus the transmission of data through a network can be
overheard.
Insider Attack: An attack originating from inside a
protected network.
Internet (The Beginning):
The Internet had its roots in early 1969 when the ARPANET
was formed. ARPA stands for Advanced Research Projects
Agency (which was part of the U.S. Department of Defense).
One of the goals of ARPANET was research in distributed
computer systems for military purposes. The first
configuration involved four computers and was designed to
demonstrate the feasibility of building networks using
computers dispersed over a wide area. The advent of OPEN
networks in the late 1980's required a new model of
communications. The amalgamation of many types of systems
into mixed environments demanded better translators between
these operating systems and a non-proprietary approach to
networking in general. Telecommunications Protocol/Internet
Protocol (TCP/IP) provided the best solutions to this.
Internet (TOM): A web of
different, intercommunicating networks funded by both
commercial and government organizations. It connects
networks in 40 countries. No one owns or runs the Internet.
There are thousands of enterprise networks connected to the
Internet, and there are millions of users, with thousands
more joining every day.
Intrusion Detection:
Detection of break-ins or break-in attempts, either manually
or via software expert systems that operate on logs or other
information available on the network.
IP Sniffing: Stealing
network addresses by reading the packets. Harmful data is
then sent stamped with internal trusted addresses.
IP Splicing: An attack
whereby an active, established session is intercepted and
co-opted by the attacker. IP Splicing attacks may occur
after an authentication has been made, permitting the
attacker to assume the role of an already authorized user.
Primary protections against IP Splicing rely on encryption
at the session or network layer.
IP Spoofing: An attack
whereby a system attempts to illicitly impersonate another
system by using its IP network address.
ISO: International
Standards Organization sets standards for data
communications.
ISSA: Information Systems
Security Association.
J

K

Key: Similar to a password, allows you to access or
decrypt encrypted data. In encryption, a key is a sequence
of characters used to encode and decode a file. You can
enter a key in two formats: alphanumeric and condensed
(hexadecimal). In the network access security market, "key"
often refers to the "token," or authentication tool, a
device utilized to send and receive challenges and responses
during the user authentication process. Keys may be small,
hand-held hardware devices similar to pocket calculators or
credit cards, or they may be loaded onto a PC as
copy-protected software.
Key Recovery or Key Escrow: System by
which encryption users deposit the keys to encrypted
information with a third party for storage and/or retrieval.
Keyspace: The span of available keys. The
longer the key length, the more possible combinations a
potential code-breaker would have to test. The table below
shows the number of possible keys for common key lengths
(Source: FreeMarket.Net: Policy Spotlight, October-November
1997.)
Key Length    Possible Keys
40 bits       1,099,511,647,776
56 bits       72,057,594,037,927,900
90 bits       1,237,940,039,285,380,000,000,000,000
128 bits      340,282,366,920,938,000,000,000,000,000,000,000,000
L

Least Privilege: Designing operational aspects of a
system to operate with a minimum amount of system privilege.
This reduces the authorization level at which various
actions are performed and decreases the chance that a
process or user with high privileges may be caused to
perform unauthorized activity resulting in a security
breach.
Local Area Network (LAN):
An interconnected system of computers and peripherals. LAN
users share data stored on hard disks and can share printers
connected to the network.
Logging: The process of
storing information about events that occurred on the
firewall or network.
Log Processing: How audit
logs are processed, searched for key events, or summarized.
Log Retention: How long
audit logs are retained and maintained.
M

N

Network-Level Firewall: A firewall in which traffic is
examined at the network protocol packet level.
Network Worm: A program
or command file that uses a computer network as a means for
adversely affecting a system's integrity, reliability or
availability. A network worm may attack from one system to
another by establishing a network connection. It is usually
a self-contained program that does not need to attach itself
to a host file to infiltrate network after network.
O

One-Time Password: In network security, a password
issued only once as a result of a challenge-response
authentication process. Cannot be "stolen" or reused for
unauthorized access.
Operating System: The
layer of software that sits between a computer and an
application, such as an accounting system or E-mail.
Orange Book: The
Department of Defense Trusted Computer System Evaluation
Criteria. It provides information to classify computer
systems, defining the degree of trust that may be placed in
them.
P

Password: A secret code assigned to a user, also known to
the computer system. Knowledge of the password associated
with the user ID is considered proof of authorization. (See
One-Time Password.)
Perimeter-based Security:
The technique of securing a network by controlling access to
all entry and exit points of the network.
PIN: In computer
security, a personal identification number used during the
authentication process. Known only to the user. (See
Challenge/Response, Two-Factor Authentication.)
Pretty Good Privacy:
Written by Phil Zimmermann, PGP was the first publicly available
cryptography program and provided an easy and simple
interface for creating public and private key pairs.
Zimmermann's program was "encryption for the masses" and
allowed anyone to download the software and use it to
establish communication. His company, PGP, was recently
bought by the software company known as McAfee Associates,
which has since renamed itself Network Associates. Zimmermann
and PGP were adamantly against key escrow policy, and since
its acquisition of PGP, Network Associates has withdrawn
from the Key Recovery Alliance.
Policy:
Organizational-level rules governing acceptable use of
computing resources, security practices, and operational
procedures.
Private Key: In
encryption, one key (or password) is used to both lock and
unlock data. Compare with public key.
Protocols: Agreed-upon
methods of communications used by computers.
Proxy: 1) A method of
replacing the code for service applications with an improved
version that is more security aware. Preferred method is by
"service communities", i.e. Oracle, rather than individual
applications. Evolved from socket implementations.
2) A software agent that acts on behalf of a user. Typical
proxies accept a connection from a user, make a decision as
to whether or not the user or client IP address is permitted
to use the proxy, perhaps does additional authentication,
and then completes a connection on behalf of the user to a
remote destination.
Public-Key Cryptography:
A technique that uses a pair of asymmetric keys for
encryption and decryption. One is the public key (which can
be distributed widely) and the other is the private key (which
is held by its owner and never distributed). When data is
encrypted using the private key, it can only be decrypted
using the public key; conversely, data encrypted using the
public key can only be decrypted using the private key.
Q

R

Risk Analysis: The
analysis of an organization's information resources,
existing controls and computer system vulnerabilities. It
establishes a potential level of damage in dollars and/or
other assets.
Rogue program: Any
program intended to damage programs or data. Encompasses
malicious Trojan Horses.
RSA: A public key
cryptosystem named after its inventors, Rivest, Shamir and
Adleman, who hold the patent.
S

Screened Host Gateway: A
host on a network behind a screening router. The degree to
which a screened host may be accessed depends on the
screening rules in the router.
Screened Subnet: An
isolated subnet created behind a screening router to protect
the private network. The degree to which the subnet may be
accessed depends on the screening rules in the router.
Screening Router: A
router configured to permit or deny traffic using filtering
techniques, based on a set of permission rules installed by
the administrator. A component of many firewalls, usually
used to block traffic between the network and specific hosts
on an IP port level. Not very secure; used when "speed" is
the only decision criterion.
Secure: A secure connection is one in
which information can be exchanged between two or more
parties without fear of untrusted third-party
interception. This is especially important when transferring
critical data such as financial information, pass codes, or
military information, to name a few.
Secure Communication Protocol:
Secure communication protocols are methods of communication
in which information cannot be intercepted by an untrusted
third party. SSL, S/MIME, and Digital Certificates are some
examples.
Secure Sockets Layer (SSL):
SSL is a standard for layering communication between two
parties and using public key encryption techniques to ensure
a secure communication.
Session Stealing: See IP Splicing.
Single Key Cryptography:
Allows a user to encrypt a message and send it to another
user using a pre-arranged key that both parties have agreed
on. Once the data is encrypted it can only be decrypted with
that secret key, which allows the information to be
transferred confidently across a network without worrying
about third-party interception.
Smart Card: A credit-card-sized device with embedded
microelectronics circuitry for storing information about an
individual. This is not a key or token, as used in the
remote access authentication process.
Social Engineering: An
attack based on deceiving users or administrators at the
target site. Social engineering attacks are typically
carried out by telephoning users or operators and pretending
to be an authorized user, to attempt to gain illicit access
to systems.
State Full Evaluation:
Methodology using mixture of proxy or filtering technology
intermittently depending upon perceived threat [and/or need
for "speed"].
T

Token: A "token" is an
authentication tool, a device utilized to send and receive
challenges and responses during the user authentication
process. Tokens may be small, hand-held hardware devices
similar to pocket calculators or credit cards. See key.
Trojan Horse: 1) Any
program designed to do things that the user of the program
did not intend to do, or that disguises its harmful intent.
2) A program that installs itself while the user is making an
authorized entry, and is then used to break in and exploit
the system.
Tunneling Router: A
router or system capable of routing traffic by encrypting it
and encapsulating it for transmission across an untrusted
network, for eventual de-encapsulation and decryption.
Turn Commands: Commands
inserted to forward mail to another address for
interception.
Two-Factor Authentication:
Two-factor authentication is based on something a user knows
(factor one) plus something the user has (factor two). In
order to access a network, the user must have both "factors"
- just as he/she must have an ATM card and a Personal
Identification Number (PIN) to retrieve money from a bank
account. In order to be authenticated during the
challenge/response process, users must have this specific
(private) information.
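The challenge/response exchange, the one-time reply and the two-factor check described in the Challenge/Response, Authentication Token, One-Time Password, Token and Two-Factor Authentication entries, shown together in one added Python example that is not part of the original glossary; the Token and AuthServer classes, the HMAC-SHA256 response function and the user and PIN values are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets


class Token:
    """The 'something the user has': a hand-held device holding a secret seed.
    Hypothetical device model constructed for this example."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed

    def respond(self, challenge: bytes, pin: str) -> str:
        # The reply binds the server's challenge to the seed (factor two)
        # and the PIN (factor one), so it is valid for this challenge only.
        message = challenge + pin.encode()
        return hmac.new(self._seed, message, hashlib.sha256).hexdigest()[:16]


class AuthServer:
    """Keeps each user's enrolled seed and PIN, issues challenges, checks replies."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, str]] = {}
        self._pending: dict[str, bytes] = {}  # one outstanding challenge per user

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, pin)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable each time
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # consumed: a challenge is never reused
        if nonce is None or user not in self._users:
            return False
        seed, pin = self._users[user]
        expected = Token(seed).respond(nonce, pin)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_exchange() -> dict[str, bool]:
    """Constructed exchange between one user's token and the server."""
    seed = secrets.token_bytes(32)  # provisioned into both token and server at enrollment
    server = AuthServer()
    server.enroll("alice", seed, "4711")
    token = Token(seed)

    # 1. Legitimate login: server challenges, token plus PIN produce the reply.
    c1 = server.challenge("alice")
    r1 = token.respond(c1, "4711")
    first_ok = server.verify("alice", r1)

    # 2. An eavesdropper who captured r1 replays it against a fresh challenge.
    server.challenge("alice")
    replay_ok = server.verify("alice", r1)

    # 3. A thief holds the token but not the PIN: only one of the two factors.
    c3 = server.challenge("alice")
    wrong_pin_ok = server.verify("alice", token.respond(c3, "0000"))

    # 4. A correct reply is a one-time password: it cannot be submitted twice.
    c4 = server.challenge("alice")
    r4 = token.respond(c4, "4711")
    second_ok = server.verify("alice", r4)
    reuse_ok = server.verify("alice", r4)

    return {"first_ok": first_ok, "replay_ok": replay_ok, "wrong_pin_ok": wrong_pin_ok,
            "second_ok": second_ok, "reuse_ok": reuse_ok}
```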
U

User: Any person who
interacts directly with a computer system.
User ID: A unique
character string that identifies users.
User Identification: User
identification is the process by which a user identifies
himself to the system as a valid user. (As opposed to
authentication, which is the process of establishing that
the user is indeed that user and has a right to use the
system.)
V

Virtual Network Perimeter:
A network that appears to be a single protected network
behind firewalls, which actually encompasses encrypted
virtual links over untrusted networks.
Virus: A self-replicating
code segment. Viruses may or may not contain attack programs
or trapdoors.
W

X

Y
Z
