This glossary of information security terms
is provided by Nemesys Computer Consultants of Cambridge,
UK, to help Internet users learn about information security
issues.
Subject Categories
General
Access Control
Cryptography
Insecurity
Government Security
Government Security - UK
Government Security - US
Legislation
Legislation - UK
Legislation - US
Malware
Network Security
Operating System Security
Operating System Security - Unix
Operating System Security - Windows
Physical Security
Associations and Qualifications
Risk Analysis
Security Administration
Security History
Security Theory
Web Security
General
|
B
|
Back Door: A mechanism that provides a concealed method of accessing a system's resources, bypassing normal security controls. An intruder may install a back door after having gained access to a system in order that they are able to gain access in the future, even if their original method of access becomes blocked. Some viruses and worms also install back doors. Occasionally back doors may arise as a result of a failure to remove temporary features installed by system designers for testing purposes.
|
|
Black Box Testing: A security testing process that involves no access to the specifications and designs of the system under test. See also white box testing and grey box testing.
|
|
Bogus: An item that is not what it purports to be. Not the genuine article. A fake or fabricated item.
|
|
Burn-In: The tendency for the contents of random access memory (RAM) to become permanently imprinted on the memory, causing it to become the default state when the memory is powered off and back on again. This can occur if the same data is stored in the same location for very long periods of time. It can also happen as a result of deliberately or accidentally exposing the memory to ionising radiation. These are significant vulnerabilities for systems with cryptographic keys stored in RAM and provide a means to defeat tamper-detection systems which purge keys if the system is tampered with. The effect caused by keys being stored in the same memory locations for long periods of time may be countered by bit flipping, but deliberate exposure to ionising radiation is rather more difficult to counter, and requires special shielding and/or radiation-detection systems to do so.
|
|
C
|
Compromised: Information, programs or systems that have been subject to a breach of an information security policy. This would include, for example, confidential information that has been disclosed to an unauthorised person, information that has been altered by an unauthorised person, or a program that has been altered by an unauthorised person.
|
|
Computer Security: The protection of a computer system and its data from harm. This is normally interpreted as being protection against losses of confidentiality, integrity and availability. Some security professionals also consider non-repudiation to be an integral component of computer security. Computer security is one of a number of similar, but subtly differing terms. Computer security is a slightly narrower term than information security, and refers only to the security of information inside a computer system. Computer security is synonymous with data security, IT security and IS security.
|
|
Crack: To break the security of an object. The term may be applied to a computer system, a cryptographic algorithm or any security mechanism.
|
|
Crystal Box Testing: See white box testing.
|
|
D
|
Data Remanence: The tendency for traces of data to remain after it has been ostensibly erased from storage media or memory. Remanence can occur in memory due to burn-in, or on magnetic media (including hard disks) where the head has travelled over a slightly different path when erasing than it did when writing the data. This can result in thin strips of data remaining on the media, which can be recovered using special hardware. Variations in power used to write and erase the data, and variations in height of the write head above the media can give rise to a 3-D pattern of remnant data that can be exposed by repeatedly etching the surface.
|
|
Data Security: Synonymous with computer security, IT security and IS security.
|
|
Denial Of Service: An attack on the availability of a system. See also Distributed Denial of Service.
|
|
Distributed Denial of Service: A denial of service attack that is carried out by means of agents on a large number of systems, usually subverted by means of viruses or worms. Such attacks may be pre-programmed or controlled by phoning home.
|
|
Dumpster Diving: The practice of physically searching through discarded materials to find information that can be used to breach security. This might be information that is directly useful (e.g. password lists) or, more likely, information that can be used in the process of social engineering (e.g. discarded e-mail printouts, telephone lists, etc.).
|
|
E
|
Embedded Password: A password that is included in the source code of an application or utility. This is considered to be a bad practice, since it could easily be found by anyone examining the source or object code, and it is difficult to change the password even if it is known to be compromised.
|
|
G
|
Grey Box Testing: A security testing process that involves some, but not full access to the specifications and designs of the system under test. See also white box testing and black box testing.
|
|
GSS-API: Generic Security Service API. Defined in RFC 2744.
|
|
Guidelines: See Information Security Guidelines.
|
|
H
|
Ham: E-mail that is not spam.
|
|
Harvesting: The practice, carried out by spammers, of examining web sites in order to find e-mail addresses to which they can send spam. Since spam can be considered to be a security issue, prevention of harvesting is also a security issue.
|
|
Hole: A colloquial term for a security vulnerability.
|
|
I
|
Information Security: The protection of information from harm. This is normally interpreted as being protection against losses of confidentiality, integrity and availability. Some security professionals also consider non-repudiation to be an integral component of information security. Information security is a slightly wider term than computer security and its synonyms (data security, IT security and IS security), and refers to the security of information, both inside and outside of computer systems.
|
|
IS Security: Information System Security. Synonymous with computer security, data security and IT security.
|
|
IT Security: Information Technology Security. Synonymous with computer security, data security and IS security.
|
|
J
|
Java Sandbox: A sandbox environment within which downloaded Java applets are executed.
|
|
M
|
Man In The Middle Attack: A form of attack on an exchange of information between two parties A and B, in which a "man in the middle" impersonates B when talking to A and impersonates A when talking to B. By doing this, the man in the middle can provide appropriate responses to challenge-response type authentication. This type of attack can succeed when inadequate authentication has been applied at the network level.
|
|
Manhole: A back door.
|
|
N
|
Non-Personally Identifiable Information: Information that cannot be linked to an identifiable or contactable individual. Opposite of personally identifiable information. See also non-personally identifying information and personally identifiable information. Note that Non-Personally Identifiable Information and Non-Personally Identifying Information are both abbreviated to NPII.
|
|
Non-Personally Identifying Information: Information that is, in itself, insufficient to identify or contact an individual. When linked together with information that is personally identifying, however, non-personally identifying information becomes personally identifiable. Otherwise, on its own, it remains non-personally identifiable. Note that Non-Personally Identifiable Information and Non-Personally Identifying Information are both abbreviated to NPII.
|
|
NPII: Non-Personally Identifying Information or Non-Personally Identifiable Information.
|
|
O
|
Obfuscation: To process information in a manner that makes its meaning less obvious. This is distinct from encryption, as it does not involve the use of a cryptographic key. It is also different to encryption, since the process of obfuscation can be reversed, given knowledge of the algorithm that has been applied. The use of obfuscation where encryption should be used is a form of security through obscurity, and is considered to be a very bad practice, although obfuscation does sometimes have legitimate uses. ROT13 is a very simple obfuscation algorithm that is often used to allow users to voluntarily choose to not view some types of information, and is an example of a legitimate use of obfuscation. Obfuscation also has some uses in the prevention of harvesting e-mail addresses from web sites, for the purposes of sending spam. It is also used in phishing attacks to obscure the true destination of URLs.
|
|
P
|
Personally Identifiable Information: Information that can be linked to an identifiable or contactable individual. Opposite of non-personally identifiable information. Differs from personally identifying information in that personally identifiable information may be composed of personally identifying and non-personally identifying components. If the personally identifying components of personally identifiable information are removed, then the remaining information is non-personally-identifiable. Note that Personally Identifiable Information and Personally Identifying Information are both abbreviated to PII.
|
|
Personally Identifying Information: Information that identifies or provides a method of contacting an individual. Differs from personally identifiable information in that personally identifiable information may be composed of personally identifying and non-personally identifying components. Note that Personally Identifiable Information and Personally Identifying Information are both abbreviated to PII.
|
|
PII: Personally Identifying Information or Personally Identifiable Information.
|
|
Purge: The act of deleting classified data and/or cryptographic keys from a system. Purging information can be done as a part of normal operations, before data of a different classification or new cryptographic keys are loaded, or it can be an emergency action triggered by a tamper-protection system.
|
|
R
|
Race Condition: A vulnerability that involves two or more processes that occur concurrently as part of a security-related operation. Typically the system will be in a secure state before the operation begins. An operation is commenced (for example, creating a new user on a badly-designed system), which triggers the creation of more than one process (say, one to create the username locally, and another to assign a password to it on a remote server). Once both processes are complete, the system is again secure. If, in this example, however, the local username creation process is faster than the process that sets up the password, then there will be a short period of time during which the username exists, but no password has yet been assigned. During this short period, the system may be vulnerable to attack. If an attacker is capable of starting the vulnerable process at will, then they may be able to repeat the process many times until, by luck, they eventually manage to launch their attack at exactly the right vulnerable moment. The chances of success in doing this are greatly increased if the attacker is able to generate high amounts of system loading in order to slow down some or all of the processes involved. A race condition is sometimes known as a race hazard.
|
|
Race Hazard: A race condition.
|
|
ROT13: An obfuscation algorithm in which each letter is interchanged with the letter that is 13 characters away from it in the alphabet. Every occurrence of the letter A is replaced by N and every N by A, B is swapped with O, C with P, etc. This process is easily reversed and is used only to allow users to voluntarily choose to not view some particular information. Typically it is used on Usenet to hide the solutions to puzzles, information about the plot of movies or television programmes, or any other information that the user may not want to view until a later point in time. ROT13 is not an encryption algorithm.
|
|
S
|
Sandbox: A closely-controlled environment in which a relatively untrusted application is allowed to execute. The application may, for example, be restricted in the number and size of files it can create, be allowed to create only temporary files, be prevented from reading existing files or be prevented from consuming excessive system resources. When Java applets are downloaded by a web browser, they operate within what is referred to as the Java sandbox.
|
|
SASL: Secure Application Service Layer. Defined in RFC 2222.
|
|
Security: Safety from harm. See information security and computer security.
|
|
Skimming: 1. The practice of extracting the information from the magnetic stripe on a credit card with the intention of making a copy of the card. 2. Another term for harvesting.
|
|
Social Engineering: The practice of using deception of an individual to breach security. This can be done by e-mail, telephone or face-to-face.
|
|
Spam: Unsolicited e-mail. Derived from a Monty Python sketch in which the name "Spam" (referring to the well-known brand of canned meat) is repeated over and over again. Spam is considered to be a security issue, since its consumption of resources can result in a denial of service.
|
|
Spammer: An individual or organisation that sends spam.
|
|
Spoofing: The practice of impersonating another entity in order to subvert security. Examples include IP address spoofing (or IP spoofing) and DNS spoofing.
|
|
Standards: See Information Security Standards.
|
|
Subject: In the context of a security investigation, an individual who is subject to monitoring or surveillance. Note that this term is preferred over "suspect", since "subject" is non-pejorative.
|
|
Suspect: In the context of a security investigation, an individual who is suspected of a breach of information security or who is subject to monitoring or surveillance. Note that the term subject is generally preferred, since it is less pejorative.
|
|
T
|
Threat: An entity or force that poses a risk to an asset, e.g. fire may be a threat to a data centre; a virus may be a threat to a desktop computer.
|
|
Tiger Team: A team of individuals engaged in a penetration test. Traditionally, the term is applied to penetration testers using physical and social engineering methods of penetration.
|
|
Time Stamp: A marker or tag that attests that a particular document or piece of information existed at a particular time. In order to provide assurance that a time stamp is genuine, time stamps are normally cryptographically signed hashes derived from the time, date, and the document in question.
|
|
U
|
UBE: Unsolicited Bulk E-mail. A type of spam.
|
|
UCE: Unsolicited Commercial E-mail. A type of spam.
|
|
W
|
White Box Testing: A security testing process that involves full access to the specifications and designs of the system under test. Also known as crystal box testing. See also black box testing and grey box testing.
|
|
Z
|
Z: A specification language often used in formal proofs of system security.
|
|
Access Control
|
A
|
Access Control: 1. The practice of using mechanisms to limit access to resources according to the identity of the person (or system) requesting access. Establishing the identity of individuals for access control purposes is done by a process of authentication. 2. A mechanism used to enforce access control (1).
|
|
Authenticated: Having successfully been through the process of authentication.
|
|
Authentication: A process whose objective is to establish proof of identity between two or more entities. Authentication may just involve one party proving their identity to the other (one-way authentication) or it may involve both parties proving their identity to the other (two-way authentication). The most commonly used method of authentication is the password. See also strong authentication, weak authentication. Commonly-used authentication mechanisms include passwords (which may be reusable or one-time), biometric authentication methods and smart cards.
|
|
B
|
Biometric Authentication: A method of authentication based on measurement of a biological characteristic of the user. Examples include fingerprint recognition, iris recognition, retina recognition and facial recognition.
|
|
E
|
Enucleation Attack: A particularly gruesome method of defeating biometric authentication methods, by physically removing a body part from the user in order to present it to the authentication device. Although these methods are rarely successful due to secondary checks such as pulse detection, attempts to do this have been reported. Because of this perceived threat, users can be reluctant to accept some forms of biometric authentication.
|
|
F
|
Facial Recognition: A method of biometric authentication based on recognition of facial characteristics such as the relative position of eyes, nose and mouth.
|
|
Fingerprint Recognition: A method of biometric authentication based on scanning the user's fingerprint or thumbprint and comparing it to a stored copy. Stronger systems also check for the presence of a pulse to prevent enucleation attacks.
|
|
I
|
Iris Recognition: A method of biometric authentication based on scanning the pattern on the iris of the user's eye and comparing it to a stored copy. Stronger systems also check for the presence of natural movement in the iris to prevent enucleation attacks.
|
|
K
|
Kerberos: A distributed authentication system that proves the identities of users, client, and server processes to each other. Kerberos was originally developed at MIT under Project Athena.
|
|
L
|
Login: A colloquial term for authentication.
|
|
O
|
One-Time Password: A password that may only be used once. This may be implemented either by storing a pre-generated list of authorised passwords, which the user must carry with them, or by generating passwords according to a pre-determined algorithm, often based on time and date (see also two-factor authentication). One-time passwords have the advantage over reusable passwords that they are immune to eavesdropping and replay attacks. They are, however, still vulnerable to man in the middle attacks.
|
|
One-Way Authentication: An authentication scheme in which only one party proves its identity to the other (c.f. two-way authentication). This is typically the case in password-based authentication schemes where, for example, a user provides a password to a system, but has no way of being sure that this system is, in fact, the system that the user believes it to be.
|
|
P
|
Passphrase: A secret sequence of characters or words, the knowledge of which is used to authenticate an individual, in a similar manner to a password. Passphrases tend to be significantly longer than passwords, and tend to be composed of a meaningful sequence of words, although this is not a requirement. The use of a meaningful phrase, rather than apparently random sequences of letters, digits and other characters (as is the case with strong passwords) is generally believed to make passphrases easier to remember than passwords, whilst achieving the same strength of authentication.
|
|
Password: A secret sequence of characters, the knowledge of which is used to authenticate an individual. Passwords may be reusable or one-time only. In order to provide stronger authentication, passwords should be forced to have an appropriate minimum length, and should preferably include non-alphabetic or non-printing characters. Passwords tend to be relatively short, and for some purposes, a passphrase is preferred.
|
|
R
|
Retina Recognition: Also known as retina scanning. A method of biometric authentication based on scanning the pattern of blood vessels on the retina of the user's eye and comparing it to a stored copy. Stronger systems also check for the presence of a pulse to prevent enucleation attacks. Retina scanning has the disadvantage that, in order to see a wide section of the retina, the user must place their eye against a special eyepiece. Most systems available involve the use of a laser to scan the retina, which many users find uncomfortable. Iris recognition is, in general, gaining acceptance over retina recognition.
|
|
Reusable Password: A password that remains valid after it has been used. Reusable passwords are vulnerable to eavesdropping and replay attacks. c.f. One-time password.
|
|
Role-Based Access Control: An access control system in which users are granted access to resources on the basis of membership of role groups, rather than having individually-allocated permissions. Role-based access control is considered to be a good method of organising access control, since it permits a single operation to adjust the permissions granted to all users in the same role. It also allows the permissions granted to an individual to be easily visualised as a set of roles.
|
|
S
|
S/Key: A one-time password mechanism which operates by generating a list of authorised passwords, which the user must either store on portable media, or print out and carry. After each password is used, it is deleted from the authorised list, thus preventing replay attacks.
|
|
Static Password: A reusable password.
|
|
Strong Authentication: An authentication method that is difficult to defeat. One-time passwords, biometric authentication and cryptographic authentication methods are generally considered to be strong, but implementation flaws can mean that this is not always the case. c.f. weak authentication.
|
|
T
|
Two-Factor Authentication: An authentication scheme based on more than one method of authentication. Normally, these are "something you have" (such as some form of cryptographic device or password generator) and "something you know" (such as a reusable password or passphrase). With the increasing popularity of biometric authentication techniques, one of the factors is sometimes replaced by "something you are".
|
|
Two-Way Authentication: An authentication scheme in which, in addition to the user or client system proving its identity to the server, the server also proves its identity to the user/client.
|
|
W
|
Weak Authentication: An authentication method that is easy to defeat. Examples of weak authentication are address-based authentication and name-based authentication. Reusable passwords are often considered to be relatively weak, since they are vulnerable to eavesdropping and replay attacks. c.f. strong authentication.
|
|
Cryptography
|
A
|
AH: Authentication Header. A protocol used by IPsec, in which a header is attached to a packet which contains a cryptographic signature of the whole of that packet, including source and destination addresses. This is done to provide assurance of its origin and to make visible any tampering with the packet en-route. The authentication header provides only a guarantee of data integrity, and does not involve any encryption for the purposes of confidentiality. AH may be used in conjunction with Encapsulating Security Payload (ESP), which provides encryption to provide confidentiality. AH is defined in RFC 2402.
|
|
Alice: One of a number of characters used ubiquitously in examples of cryptographic interchanges. Alice takes the part of a person attempting to communicate with another character, Bob. See also Eve, Mallet and Plod.
|
|
B
|
Bigram: A group of two letters. Bigrams are used in cryptanalysis in assigning probable values to plaintext. This is possible because some permutations of two adjacent letters are much more common than others in any given language. (e.g. the two letters "rs" next to each other are much more common in English than the letters "rq" next to each other). See also bigram table, trigram.
|
|
Bigram Table: A table of bigrams for use in cryptanalysis, in which the bigrams are ordered by the frequency with which they normally occur in some specified language. It should be noted that a bigram table for English will differ from, for example, one for German. Bigram tables can also be constructed for subsets of languages, such as words relating to a specific subject.
|
|
Bigraph: A bigram.
|
|
Bit Flipping: The practice of periodically inverting all of the bits of a cryptographic key stored in random access memory, to avoid burn-in.
|
|
Block Cipher: A class of encryption algorithms that involve encrypting data as a series of fixed-length blocks. This has the consequence that it is, without modification (e.g. cipher feedback, output feedback), unsuitable for encrypting an interactive stream of data. c.f. stream cipher.
|
|
Blowfish: An encryption algorithm, designed by Bruce Schneier. A symmetric block cipher with a variable key length that can be from 32 to 448 bits, designed to be fast in both software and hardware implementations. Although superseded by Twofish, Blowfish is still considered to be a very strong algorithm.
|
|
Bob: One of a number of characters used ubiquitously in examples of cryptographic interchanges. Bob takes the part of a person to whom Alice is attempting to communicate. See also Eve, Mallet and Plod.
|
|
C
|
CA: See Certification Authority.
|
|
CBC: See Cipher Block Chaining.
|
|
CBW: See crypt breakers workbench.
|
|
CFB: See Cipher FeedBack.
|
|
Chosen Plaintext Attack: A cryptanalysis technique in which the attacker is able to arrange that some plaintext of his/her choosing is encrypted and to gain access to the corresponding ciphertext. The task of the attacker is either to decrypt a different ciphertext that is known to have been encrypted with the same key, or to determine the key itself. See also known plaintext attack.
|
|
Cipher Block Chaining: Usually abbreviated to CBC. A mode of operation of a block cipher (e.g. DES) that links together blocks of ciphertext by using the result of encrypting each block in the encryption process for the next block. The exact process is that, before encryption, the plaintext is combined with the previous block of ciphertext using an exclusive-OR (XOR) operation, and then encrypted. A random value known as an initialisation vector is used as the "previous ciphertext" for the first block of plaintext, and this value is normally prefixed (in plain text) to the ciphertext. The benefit of using CBC is that it is impossible to recognise identical blocks of plaintext because they will have different ciphertexts. This differs from Electronic Code Book mode, where identical blocks of plaintext produce identical blocks of ciphertext. The main disadvantage of Cipher Block Chaining is that any single-bit error in the ciphertext will result in two corrupted blocks of decrypted plaintext. Subsequent blocks will, however, decrypt correctly. As with ECB mode, however, any error that results in a shift of block boundaries (such as a missing bit that is not detected as missing) will corrupt all subsequent data.
|
|
Ciphertext: Data that has been enciphered (encrypted).
|
|
Clear: Unencrypted. Text that has not been encrypted is said to be "in clear". See also plaintext.
|
|
Cleartext: A synonym for plaintext.
|
|
Crypt Breakers Workbench: A cryptanalysis tool used to crack the Unix crypt(1) algorithm. The basic process is to examine the code using bigram and trigram tables to try to find groups of characters that fit
|
|
Cryptanalysis: The process of examining cryptosystems with the objective of discovering methods of decrypting ciphertexts in the absence of the decryption key.
|
|
Cryptographic Algorithm: See cipher.
|
|
Cryptography: The practice of making and using ciphers.
|
|
Cryptologist: An individual who studies cryptography.
|
|
Cryptology: The study of cryptography, cryptanalysis and their history.
|
|
Cryptosystem: A cipher.
|
|
D
|
Data Encryption Algorithm: Usually known as DEA. The original name for DES, the Data Encryption Standard.
|
|
Data Encryption Standard: Originally known as the Data Encryption Algorithm (DEA), DES is an encryption algorithm defined by the US Federal Information Processing Standard (FIPS) 46-3 in 1977, and updated in 1999 to include triple-DES. DES has also been adopted as ANSI standard X3.92. The algorithm was designed by IBM and the NSA, based on IBM's Lucifer. The DES algorithm is a block cipher based on a Feistel network, and operates on 64-bit blocks with a 64-bit key. The effective key length is, however, only 56 bits, since the least significant bit in each byte is used as an (odd) parity bit, and these are discarded. DES has four operating modes, Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher FeedBack (CFB) and Output FeedBack (OFB). Although some were suspicious of the strength of DES, due to its origins, it has remained remarkably resistant to cryptanalysis. DES is thought to have been designed specifically to be fast in hardware implementations, but slow in software, in order that brute-force attacks using software would be more difficult (with the implied assumption that an attacker would be unable to procure large numbers of DES hardware chips). It is only now falling into disfavour because the increases in available computing power have at last made brute-force attacks on its 56-bit keyspace feasible. It has been superseded by Triple-DES and the Advanced Encryption Standard (AES).
|
|
DEA: See Data Encryption Algorithm.
|
|
DES: See Data Encryption Standard.
|
|
E
|
ECB: See Electronic Code Book.
|
|
Electronic Code Book: Usually abbreviated to ECB. A mode of operation of a block cipher (e.g. DES) in which blocks of plaintext are individually encrypted to produce the blocks of ciphertext. The main disadvantage of ECB mode when compared to Cipher Block Chaining (CBC) mode is that identical blocks of plaintext produce identical blocks of ciphertext. On decryption, any single-bit error in the ciphertext will result in that block of plaintext being corrupted, but subsequent blocks will not be affected, unlike CBC mode. As with CBC mode, however, any error that results in a shift of block boundaries (such as a missing bit that is not detected as missing) will corrupt all subsequent data.
|
|
ESP: Encapsulating Security Payload. One of the operating modes of IPsec. ESP is defined in RFC 2406.
|
|
Eve: One of a number of characters used ubiquitously in examples of cryptographic interchanges. Eve takes the part of a person attempting to eavesdrop on a communication between two characters, Alice and Bob. See also Mallet and Plod.
|
|
Exhaustion Attack: A Brute-Force Attack.
|
|
F
|
Frequency Analysis: A cryptanalysis technique in which the number of times that each letter (or group of letters) occurs in the ciphertext is counted and the resulting set of frequencies compared with an appropriate frequency table. Simple frequency analysis using single letters is, in general, only useful against monoalphabetic substitution ciphers. For polyalphabetic substitution ciphers based on blocks of two or three letters, bigram and trigram tables may be used. Frequency analysis becomes more accurate as the amount of available ciphertext increases, but less accurate as the size of block increases.
|
|
Frequency Table: A table for use in cryptanalysis, showing the letters of the alphabet and the frequency with which they normally occur in some specified language. It should be noted that a frequency table for English will differ from, for example, one for German. Frequency tables can also be constructed for subsets of languages, such as words relating to a specific subject.
|
|
I   Go to top
|
Initialisation Vector: A random value used to initialise an encryption process, e.g. DES in cipher block chaining mode.
|
|
IPsec: A protocol defined by RFC 2411 (and a series of other RFCs) that permits authenticated and encrypted communications to be tunnelled across an untrusted network to form a virtual private network (VPN). Note that the correct capitalisation is IPsec, not IPSEC, IPSec or IP-Sec.
|
|
K   Go to top
|
KEK: Acronym for Key Encrypting Key.
|
|
Kerckhoffs, Auguste: A Flemish cryptographer who, in 1883, published a set of principles for designing cryptographic algorithms known as Kerckhoffs' Principles.
|
|
Kerckhoffs' Law: See Kerckhoffs' Principle.
|
|
Kerckhoffs' Principle: The most important of six principles of cryptography developed by the Flemish cryptographer Auguste Kerckhoffs in 1883. Kerckhoffs' principle states that the security of a cipher must lie in the choice of key and that it must be assumed an attacker is aware of the encryption algorithm. Also known as Kerckhoffs' Law.
|
|
Kerckhoffs' Principles: Six principles of cryptography developed by the Flemish cryptographer Auguste Kerckhoffs in 1883. Kerckhoffs' Principles (translated) state that: 1. The system must be practically, if not mathematically, indecipherable; 2. It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience; 3. Its key must be communicable and memorable without the help of written notes, and changeable or modifiable at the will of the correspondents; 4. It must be applicable to telegraphic correspondence; 5. It must be portable, and its handling and functioning must not require a large number of people; 6. Taking into account the circumstances under which it will be applied, the system must be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
|
|
Key: See cryptographic key.
|
|
Key Bundle: The group of three 56-bit DES keys used by Triple-DES.
|
|
Key Encrypting Key: An encryption key that is used to encrypt other encryption keys, either for storage or for transmission. Sometimes abbreviated to KEK.
|
|
Key Fatigue: An encryption key that has been used to encrypt large volumes of data, sufficient to make it vulnerable to cryptanalysis, is said to suffer from key fatigue.
|
|
Key Space: The set of all key values usable for a cryptographic algorithm.
|
|
Key Splitting: The practice of, given one cryptographic key, generating two partial keys such that both are required in order to reconstruct the original. This is used to provide a cryptographic equivalent of the physical dual-key operation principle. Some key splitting algorithms allow keys to be divided arbitrarily into as many parts as required, and some permit the original to be restored by any specified number of the split parts (e.g. any 4 from 5 parts, any 3 from 10 parts, etc).
|
|
Known Plaintext Attack: A cryptanalysis technique in which the attacker is able to gain access to an amount of plaintext and the corresponding ciphertext, but not the key which was used in the encryption process. The task of the attacker is either to decrypt a different ciphertext that is known to have been encrypted with the same key, or to determine the key itself. See also chosen plaintext attack.
|
|
L   Go to top
|
L2TP: Layer 2 Tunneling Protocol.
|
|
Lucifer: An encryption algorithm submitted in 1974 by IBM to the National Bureau of Standards as a candidate to become the Data Encryption Algorithm (to be later re-named the Data Encryption Standard, DES). Lucifer operated on 64-bit blocks of data using a 128-bit key. The effective key length was reduced to 56 bits and other minor adjustments made in order to form the final standard.
|
|
M   Go to top
|
Mallet: One of a number of characters used ubiquitously in examples of cryptographic interchanges. Mallet takes the part of a man-in-the-middle, intercepting an exchange between Alice and Bob. The difference between Mallet and Eve, an eavesdropper, is that Mallet is capable of modifying messages sent between Alice and Bob.
|
|
MD5: A widely-used hashing algorithm, described in RFC 1321.
|
|
Monoalphabetic Cipher: A substitution cipher in which substitutions are made on a letter-by-letter basis. The Caesar cipher is an example of a monoalphabetic substitution cipher.
|
|
MPPE: Microsoft Point-To-Point Encryption. An encrypting protocol defined by RFC 3078, used to protect data sent over a PPP link, by using the RC4 algorithm to provide data confidentiality. The length of the session key to be used for the encryption is negotiated between the client and server. MPPE currently supports 40-bit, 56-bit and 128-bit RC4 session keys.
|
|
O   Go to top
|
OFB: See Output FeedBack.
|
|
OTP: See One-Time Pad.
|
|
P   Go to top
|
Partial Key: A section of a cryptographic key that has been subjected to key splitting.
|
|
Playfair Cipher: An early polyalphabetic substitution cipher developed in 1854 by Sir Charles Wheatstone, but named after Baron Playfair, who promoted its use. The algorithm operates on bigrams (groups of two letters), which are substituted according to simple rules operating on a grid which is, in turn, constructed from a key word or phrase.
|
|
Plod: One of a number of characters used ubiquitously in examples of cryptographic interchanges. Plod takes the part of a regulatory official observing an interchange between two participants, Alice and Bob. See also Eve and Mallet.
|
|
Polyalphabetic Cipher: A substitution cipher in which substitutions are based on groups of more than one letter. The Vigenere cipher is an example of a polyalphabetic substitution cipher based on groups of two letters.
|
|
PPTP: Point-to-Point Tunneling Protocol.
|
|
R   Go to top
|
RA: See Registration Authority.
|
|
RC4: An encryption algorithm developed by RSA. See also RC5.
|
|
RC5: An encryption algorithm developed by RSA. See also RC4.
|
|
S   Go to top
|
SHA: See SHA-1.
|
|
SHA-1: A hashing algorithm.
|
|
Simple Substitution Cipher: A monoalphabetic substitution cipher.
|
|
SPN: See Substitution-Permutation Network.
|
|
Steganography: The practice of communicating or storing information in a manner that conceals the existence, as well as the content, of the information. A common form of steganography involves the storage of data in digitised images. This is possible because images tend to have a large amount of redundant information which can be altered in a way that does not significantly affect the overall appearance of the image. It is normal for steganographic systems to encrypt the stored data.
|
|
Stream Cipher: An encryption algorithm which involves encrypting data as a stream of characters or bits. Stream ciphers are required for some stream-oriented operations, such as handling interactive data where each character has to be encrypted and transmitted as soon as it is generated. A block cipher would not be suitable for this purpose, since these algorithms require blocks of data to operate upon. Block ciphers can be modified to operate in a streaming mode (see cipher feedback and output feedback) but they tend to be very computationally inefficient compared to purpose-designed stream ciphers. Stream ciphers are normally implemented by generating a keystream and exclusive-ORing this with the plaintext to obtain the ciphertext.
|
|
Strong Encryption: Encryption using an algorithm that, after rigorous examination, is considered to be highly resistant to cryptanalysis (c.f. weak encryption). Examples of strong encryption algorithms include triple-DES, Twofish and AES.
|
|
Substitution Cipher: A class of cipher in which each single letter of the alphabet (or small group of letters) is substituted for an alternate one according to a lookup table, in such a way that every occurrence of a particular letter (or group of letters) in the plaintext corresponds to the same letter (or group) in the ciphertext (e.g. every "A" becomes a "D", every "B" becomes an "X", etc.). Simple substitution ciphers using single letters (monoalphabetic substitution ciphers) are highly susceptible to frequency analysis and are considered to be weak, but the process of substitution is also used as a single step within more complex, strong encryption algorithms. Substitution ciphers using groups of letters (e.g. where every occurrence of "AA" becomes "XY", "AB" becomes "JK", etc.) are referred to as polyalphabetic substitution ciphers and are more secure, but still vulnerable to frequency analysis using bigram tables, trigram tables, etc. The more letters are used in a group, however, the more difficult frequency analysis becomes.
|
|
T   Go to top
|
Thawte: One of a number of commercial Certification Authorities (CAs).
|
|
Trigram: A group of three letters. Trigrams are used in cryptanalysis in assigning probable values to plaintext. This is possible because some permutations of three adjacent letters are much more common than others in any given language (e.g. the three letters "ion" next to each other are much more common in English than the letters "erq" next to each other). See also trigram table, bigram.
|
|
Trigram Table: A table of trigrams for use in cryptanalysis, in which the trigrams are ordered by the frequency with which they normally occur in some specified language. It should be noted that a trigram table for English will differ from, for example, one for German. Trigram tables can also be constructed for subsets of languages, such as words relating to a specific subject.
|
|
Trigraph: A trigram.
|
|
Twofish: An encryption algorithm, designed by Bruce Schneier as a successor to Blowfish. A symmetric block cipher based on a modified Feistel network, with a key length of 128, 192 or 256 bits, designed to be fast in both software and hardware implementations. Twofish was one of the final five contenders in the NIST (National Institute of Standards and Technology) competition to become their approved advanced encryption standard (AES), but lost this to the Rijndael algorithm. Twofish is, nevertheless, considered to be a very strong algorithm.
|
|
V   Go to top
|
Verification: The act of checking that a cryptographically signed message has not been altered since it was signed. This is normally done by decrypting the digital signature with the appropriate public key and comparing it with a hash of the message.
|
|
Verisign: One of a number of commercial Certification Authorities (CAs).
|
|
Vernam Cipher: A one-time pad (OTP).
|
|
W   Go to top
|
Weak Encryption: Encryption using an algorithm that is known to have defects or is considered to be vulnerable to cryptanalysis. c.f. strong encryption. Examples of weak encryption include the Caesar cipher and the Unix crypt(1) algorithm.
|
|
WEP: Wireless Encryption Protocol.
|
|
Insecurity
|
S   Go to top
|
Security Through Obscurity: The practice of constructing security controls whose strength depends largely on the secrecy of the mechanism used. If the design of such a control is disclosed to a potential attacker, the security mechanism becomes greatly weakened or even useless. Security through obscurity is considered to be an extremely bad practice.
|
|
Government Security
|
C   Go to top
|
CESG: Computer and Electronics Security Group. The division of GCHQ that forms the UK Government's National Technical Authority for information security.
|
|
CHECK: The IT security health check scheme run by CESG for government systems operating up to the Confidential classification.
|
|
Cheltenham: The location of GCHQ.
|
|
CLAS: CESG Listed Adviser Scheme.
|
|
CLEF: CommerciaL Evaluation Facility. Formerly Commercial Licenced Evaluation Facility and CESG Licenced Evaluation Facility.
|
|
Computer and Electronics Security Group: See CESG.
|
|
D   Go to top
|
Doughnut, The: The main building of GCHQ in Cheltenham, UK, completed in 2003.
|
|
Dual-Use: Technology that could be used either for military or civilian use. Cryptographic technology is considered to be dual-use technology by the US Bureau of Industry and Security and so falls under the Export Administration Regulations (EAR).
|
|
E   Go to top
|
EAR: See Export Administration Regulations.
|
|
Echelon: A monitoring system allegedly employed by GCHQ and the NSA to intercept and monitor telecommunications for the occurrence of keywords that might be of interest to governments. Various governmental organisations have, at various times, denied that any such system exists.
|
|
Export Administration Regulations: Commonly known as EAR. Regulations operated by the US Department of Commerce's Bureau of Industry and Security that govern the export of cryptographic materials. Defined by Title 15 of the Code of Federal Regulations, Chapter 7, EAR superseded the International Traffic in Arms Regulations (ITAR). The EAR apply to items on the Commerce Control List, being exported to countries on the Commerce Country Chart, or to persons on the Denied Persons List.
|
|
F   Go to top
|
Fort Meade: The location in Maryland of the headquarters of the NSA.
|
|
G   Go to top
|
GCHQ: Government Communications Headquarters. The UK government agency responsible for all issues concerning computer and communication security.
|
|
N   Go to top
|
NSA: The US National Security Agency. The division of the US government responsible for cryptology. It describes its mission as to "coordinate, direct, and perform highly specialised activities to protect US information systems and produce foreign intelligence information". The NSA is headquartered at Fort Meade, Maryland.
|
|
Government Security - UK
|
C   Go to top
|
CESG: Computer and Electronics Security Group. The division of GCHQ that forms the UK Government's National Technical Authority for information security.
|
|
CHECK: The IT security health check scheme run by CESG for government systems operating up to the Confidential classification.
|
|
Cheltenham: The location of GCHQ.
|
|
CLAS: CESG Listed Adviser Scheme.
|
|
CLEF: CommerciaL Evaluation Facility. Formerly Commercial Licenced Evaluation Facility and CESG Licenced Evaluation Facility.
|
|
Computer and Electronics Security Group: See CESG.
|
|
D   Go to top
|
Doughnut, The: The main building of GCHQ in Cheltenham, UK, completed in 2003.
|
|
G   Go to top
|
GCHQ: Government Communications Headquarters. The UK government agency responsible for all issues concerning computer and communication security.
|
|
Government Security - US
|
E   Go to top
|
EAR: See Export Administration Regulations.
|
|
Export Administration Regulations: Commonly known as EAR. Regulations operated by the US Department of Commerce's Bureau of Industry and Security that govern the export of cryptographic materials. Defined by Title 15 of the Code of Federal Regulations, Chapter 7, EAR superseded the International Traffic in Arms Regulations (ITAR). The EAR apply to items on the Commerce Control List, being exported to countries on the Commerce Country Chart, or to persons on the Denied Persons List.
|
|
N   Go to top
|
NSA: The US National Security Agency. The division of the US government responsible for cryptology. It describes its mission as to "coordinate, direct, and perform highly specialised activities to protect US information systems and produce foreign intelligence information". The NSA is headquartered at Fort Meade, Maryland.
|
|
Legislation
|
B   Go to top
|
Basel II: A voluntary regulatory framework designed to ensure capital adequacy for banks and based on a document entitled "International Convergence of Capital Measurement and Capital Standards: a Revised Framework" endorsed by central bank governors and the heads of bank supervisory authorities in the G10 countries (G10). Part of this framework is a requirement to maintain adequate information security. Basel II was first issued in 2001 and the final revision was published in June 2004. Implementation of Basel II is expected by 2008.
|
|
Basle II: French spelling of Basel II.
|
|
C   Go to top
|
CMA: The UK Computer Misuse Act (1990).
|
|
Computer Misuse Act (1990): The UK legislation which defines a number of classes of computer-related crimes.
|
|
D   Go to top
|
DMCA: See Digital Millennium Copyright Act.
|
|
O   Go to top
|
Orange Book: A colloquial term for the TCSEC (Trusted Computer Systems Evaluation Criteria).
|
|
P   Go to top
|
PACE: See Police And Criminal Evidence Act.
|
|
R   Go to top
|
Regulation of Investigatory Powers Act (2000): The UK legislation which, amongst other things, lays out the UK legal position on monitoring of communications by the government/police and private individuals/organisations.
|
|
RIPA: See Regulation of Investigatory Powers Act (2000).
|
|
S   Go to top
|
Sarbanes-Oxley: The US Public Company Accounting Reform and Investor Protection Act of 2002. Legislation that, amongst other things, imposes a legal duty on directors of companies to ensure that they have taken adequate information security precautions to protect and preserve financial information. Although this legislation was enacted in the USA, its jurisdiction includes all companies that do business within the USA. Also known as SOX, SarbOx or Soxley.
|
|
SarbOx: See Sarbanes-Oxley.
|
|
SOX: See Sarbanes-Oxley.
|
|
Soxley: See Sarbanes-Oxley.
|
|
T   Go to top
|
TCSEC: Trusted Computer Systems Evaluation Criteria. A US Government standard for evaluation of secure computer systems. This was the first such standard to be developed, and defined a scheme rating systems from A1 (the strongest), through B3, B2, B1, C2 and C1 to D (the weakest).
|
|
Legislation - UK
|
C   Go to top
|
CMA: The UK Computer Misuse Act (1990).
|
|
Computer Misuse Act (1990): The UK legislation which defines a number of classes of computer-related crimes.
|
|
P   Go to top
|
PACE: See Police And Criminal Evidence Act.
|
|
R   Go to top
|
Regulation of Investigatory Powers Act (2000): The UK legislation which, amongst other things, lays out the UK legal position on monitoring of communications by the government/police and private individuals/organisations.
|
|
RIPA: See Regulation of Investigatory Powers Act (2000).
|
|
Legislation - US
|
D   Go to top
|
DMCA: See Digital Millennium Copyright Act.
|
|
O   Go to top
|
Orange Book: A colloquial term for the TCSEC (Trusted Computer Systems Evaluation Criteria).
|
|
S   Go to top
|
Sarbanes-Oxley: The US Public Company Accounting Reform and Investor Protection Act of 2002. Legislation that, amongst other things, imposes a legal duty on directors of companies to ensure that they have taken adequate information security precautions to protect and preserve financial information. Although this legislation was enacted in the USA, its jurisdiction includes all companies that do business within the USA. Also known as SOX, SarbOx or Soxley.
|
|
SarbOx: See Sarbanes-Oxley.
|
|
SOX: See Sarbanes-Oxley.
|
|
Soxley: See Sarbanes-Oxley.
|
|
T   Go to top
|
TCSEC: Trusted Computer Systems Evaluation Criteria. A US Government standard for evaluation of secure computer systems. This was the first such standard to be developed, and defined a scheme rating systems from A1 (the strongest), through B3, B2, B1, C2 and C1 to D (the weakest).
|
|
Malware
|
L   Go to top
|
Logic Bomb: A section of executable code that checks to see if a specific set of circumstances has been fulfilled and takes some action, usually destructive, if it has. Typical trigger events include date and time or the presence or content of a particular file or URL. Logic bombs can be constructed to be self-contained, or they can be carried by viruses, worms or Trojan horses.
|
|
P   Go to top
|
Phone Home: An action taken by a virus, worm or Trojan horse, whereby it contacts, normally via the Internet, a particular URL, IRC chat group or Usenet newsgroup in order to send back information and/or to receive new instructions.
|
|
T   Go to top
|
Trigger Event: An event that a logic bomb checks for, in order to determine whether it is to activate its payload. Typical trigger events include date and time or the presence or content of a particular file or URL.
|
|
Trojan Horse: An executable object that is not what it purports to be, and takes action that the user does not expect and does not want. Although Trojans may create copies of themselves, they require user interaction to do so, and so are different from viruses and worms, although they are often confused with them. The name Trojan horse is derived from the legendary wooden horse that the Greek army used to gain access to the city of Troy in the Trojan wars. Because it is based on a proper name, the term Trojan horse is always capitalised.
|
|
V   Go to top
|
Virus: A self-reproducing section of executable code that attaches itself to another executable object in such a way that the virus code is executed whenever the host object is executed. The virus may then attempt to reproduce by attaching a copy of itself to another executable object, to phone home, or to activate a logic bomb. c.f. worm.
|
|
W   Go to top
|
Worm: A self-contained, self-reproducing program. Worms are often wrongly referred to as viruses.
|
|
Network Security
|
A   Go to top
|
Agent: A piece of software that operates on a client system on behalf of a process running on a server, executing commands on behalf of the server process and/or passing data back to the server.
|
|
C   Go to top
|
CHAP: Challenge Handshake Authentication Protocol. One of the authentication protocols supported by the Point to Point Protocol (PPP), defined by RFC 1994. Under CHAP, a challenge is sent by the server which the client combines with the password and generates an MD5 hash. The server carries out the same process and, if the two results match, the server is assured that the client used the correct password in its hash. CHAP is preferred to the alternative, PAP, because, under PAP, the password is sent in plain text. MS-CHAP is a Microsoft variant of CHAP that uses Microsoft encryption.
|
|
D   Go to top
|
DDoS: See Distributed Denial of Service.
|
|
H   Go to top
|
Hardware Firewall: A firewall. The term "hardware" is inserted to distinguish it from a software firewall, which is not a firewall in the true original sense of the word.
|
|
M   Go to top
|
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol. A variant of CHAP developed by Microsoft. MS-CHAP v1 is only slightly different to CHAP, using MD4 instead of MD5, but MS-CHAP v2 performs a two-way authentication, allowing the client to be assured that it is connected to a valid server, as well as the normal client authentication. See also PAP.
|
|
N   Go to top
|
Netstumbler: A Windows-based application used in detecting wireless networks. Netstumbler has legitimate network management functions, but is also often used in wardriving. Similar applications exist for other platforms, such as MacStumbler for the Apple Macintosh, and Kismet for Linux.
|
|
O   Go to top
|
Open Relay: See open HTTP relay and open SMTP relay.
|
|
P   Go to top
|
PAP: Password Authentication Protocol. One of the authentication protocols supported by the Point to Point Protocol (PPP). PAP is inferior to CHAP and MS-CHAP because, under PAP, the password is sent in plain text.
|
|
S   Go to top
|
Software Firewall: A software utility that examines incoming and outgoing network transmissions and either accepts or rejects the transmissions according to a set of defined rules. A software firewall is not a true firewall, since it does not form a "fire break" between the network and the client system. If the software firewall is compromised, an attacker may gain direct access to the client system, which is not the case with a true firewall (or hardware firewall).
|
|
SYN Flooding: A type of denial of service attack in which the target system is swamped by SYN requests. Each SYN (synchronise) packet is a request to open a TCP connection, and the target system responds with an SYN/ACK (synchronise/acknowledge) packet. Usually, however, the address of the attacking system is spoofed, so the SYN/ACK packet does not have a valid destination. Not knowing this, however, the target system must store information relating to the newly-created connection as it awaits an ACK packet (the next in the sequence) that will never come. Distributed SYN attacks can involve tens of thousands of incoming SYN requests per second, and so the amount of memory consumed quickly rises until the target system can no longer function effectively.
|
|
V   Go to top
|
Virtual Private Network: A secure network constructed by encrypted tunnelling across an insecure network. Often referred to as a VPN. Proprietary protocols for creating VPNs do exist, but the most common VPN protocol in use is IPsec, a public-domain standard.
|
|
VPN: See Virtual Private Network.
|
|
W   Go to top
|
Wardriving: The practice of attempting to detect and gain access to wireless networks by using a portable computer with a wireless (Wi-Fi) network card, and driving around in a vehicle until a signal is detected.
|
|
Operating System Security
|
C   Go to top
|
Challenge-Response: A method of authentication in which the host system generates a challenge, to which the user or client system must give the correct response. This is more secure than a simple password authentication, because the response is different on each occasion. This defends the system against replay attacks, where an attacker eavesdrops on an authentication process and simply replays the authentication information to the host system. Because the host system generates a different challenge each time, and expects an appropriate response, an eavesdropper never has the opportunity to re-use the information they have gathered.
|
|
Cops: A security tool that checks and reports on a number of system security settings on a Unix system.
|
|
H   Go to top
|
Hardened: A system that has undergone hardening.
|
|
Hardening: The process of modifying a system's hardware or software to make it more resistant to attacks.
|
|
K   Go to top
|
Kuang: A security tool that examines a Unix file system and reports on potential privilege escalations.
|
|
M   Go to top
|
Magic Cookie: A relatively weak shared-secret mechanism used to provide authentication in the X windowing system.
|
|
P   Go to top
|
PAM: Pluggable Authentication Module.
|
|
Privilege Escalation: The process of increasing the level of privilege that a process has, by means of exploiting a security vulnerability (or a series of vulnerabilities).
|
|
S   Go to top
|
Snort: A security tool that listens on unused IP ports and reports any activity that is detected.
|
|
Stack Smashing: The practice of attempting to gain system privileges by causing a privileged process to execute an attacker's illicitly-introduced code by means of overwriting return addresses on the stack (usually by using a buffer overflow).
|
|
Sudo: A security tool designed to provide a system administrator with system privileges as and when needed, as an alternative to allowing that user to operate with system privileges at all times. Sudo can exercise control over the commands that may be executed, and logs each usage of the command.
|
|
T   Go to top
|
Tripwire: A security utility that generates cryptographic checksums, or hashes, of files on a system, and periodically checks to ensure that they have not changed.
|
|
Operating System Security - Unix
|
C   Go to top
|
Cops: A security tool that checks and reports on a number of system security settings on a Unix system.
|
|
K   Go to top
|
Kuang: A security tool that examines a Unix file system and reports on potential privilege escalations.
|
|
M   Go to top
|
Magic Cookie: A relatively weak shared-secret mechanism used to provide authentication in the X windowing system.
|
|
S   Go to top
|
Snort: A security tool that listens on unused IP ports and reports any activity that is detected.
|
|
Sudo: A security tool designed to provide a system administrator with system privileges as and when needed, as an alternative to allowing that user to operate with system privileges at all times. Sudo can exercise control over the commands that may be executed, and logs each usage of the command.
|
|
Physical Security
|
B   Go to top
|
Bulk Eraser: A device that uses a powerful magnetic field to erase magnetic media. Normally, this is an oscillating field that is gradually reduced in intensity so as not to saturate the media or permanently magnetise any metal components. Bulk erasure may be done to facilitate re-use of the media, or may be done prior to disposal of obsolete media. The use of a bulk eraser is preferable to erasing the media using the device that is normally used to access the media, because data remanence issues are reduced. It should be noted that the use of a bulk eraser may render some media unusable (particularly hard disks), due to destruction of timing tracks and similar data that are created at the time of manufacture and cannot be reconstructed by the end user.
|
|
D   Go to top
|
Dual-Key Operation: The practice of operating equipment by means of two physical keys that are issued to two trusted individuals. The equipment is designed to function only if the two keys are operated simultaneously.
|
|
E   Go to top
|
EMP: Electro-Magnetic Pulse. An electro-magnetic effect that can be caused either by a nuclear detonation, or by a device specifically designed to cause a pulse. The effect of an EMP is to permanently damage electronic equipment that has not been specifically hardened against EMP. The use of EMP devices has been conjectured in large-scale denial of service attacks, but none have been used in practice to date.
|
|
O   Go to top
|
Optical TEMPEST: Accidental optical transmissions from a computer system that may be detected by an eavesdropper. This includes optical transmissions from CRT monitors and system LEDs (particularly those on network equipment and modems). Since CRT monitors display their picture sequentially, it is possible to detect the flickering glow in the room caused by it, and to reconstruct the picture by amplifying this and re-displaying it at the same frequency. Similarly, LEDs on modems and other network components that are driven by the data that is being transmitted are vulnerable to this data being read optically at a distance. See also TEMPEST.
|
|
T   Go to top
|
TEMPEST: Accidental electromagnetic transmissions from a computer system that may be detected by an eavesdropper. This includes the radio-frequency noise generated mainly by the cables inside and outside a computer acting as transmission aerials, signals generated by CRT and TFT monitors, and optical transmissions from monitors and system LEDs (see Optical TEMPEST). The name is not an acronym, but is a UK/US Government codeword that has moved into general usage.
|
|
Associations and Qualifications
|
C   Go to top
|
CISA: Certified Information Systems Auditor. A qualification offered by ISACA.
|
|
CISM: Certified Information Systems Manager. A qualification offered by ISACA.
|
|
I   Go to top
|
ISACA: Information Systems Audit and Control Association.
|
|
ISC2: Information Systems Security Certification Consortium, Inc. A non-profit organisation that issues qualifications such as SSCP and CISSP.
|
|
ISSA: Information Systems Security Association.
|
|
ISSAP: Information Systems Security Architecture Professional. A qualification issued by ISC2 covering information security architecture.
|
|
ISSEP: Information Systems Security Engineering Professional. A qualification issued by ISC2 covering information security engineering.
|
|
ISSMP: Information Systems Security Management Professional. A qualification issued by ISC2 covering information security management.
|
|
Security Administration
|
A   Go to top
|
Acceptable Usage Policy: See Acceptable Use Policy.
|
|
Acceptable Use Policy: A document that defines the categories of use that a user is authorised to make of a system or network. Typically, this is phrased as a list of activities that are not permitted, and will result in suspension of permission to use the system or network.
|
|
AUP: See Acceptable Use Policy.
|
|
B
|
BS 7799: British Standard 7799 is the British Standard for Information Security Management and is divided into two parts, Part 1 and Part 2. Part 1 is the Code of Practice for Information Management Systems, and defines a large number of control requirements for information security. BS 7799 Part 1 has been adopted as ISO/IEC 17799. Part 2 is the Specification for Information Management Systems, and defines a management system for maintaining adequate information security controls (referring to controls defined in Part 1). BS 7799 certification is performed against BS 7799 Part 2.
|
|
C
|
Code of Connection: A document, produced by the owners of a network, that defines a set of security criteria that a system must meet before the owners will permit it to be connected to their network. Cf. Acceptable Use Policy.
|
|
I
|
Information Security Guidelines: See here.
|
Nemesys security guidelines
|
Information Security Policy: See here.
|
Nemesys security policies
|
Information Security Principles: See here.
|
Nemesys security principles
|
Information Security Standards: See here.
|
Nemesys security standards
|
ISO/IEC 17799: The ISO/IEC standard for Information Security, adopted from BS 7799.
|
|
P
|
Policy: See Information Security Policy.
|
Nemesys security policies
|
Principles: See Information Security Principles.
|
Nemesys security principles
|
S
|
Security Audit: The process of reviewing the current status of a set of security controls and comparing it against a document that defines the desired state of the controls (e.g. a security policy).
|
Nemesys security audits
|
Security Guidelines: See Information Security Guidelines.
|
Nemesys security guidelines
|
Security Policy: See Information Security Policy.
|
Nemesys security policies
|
Security Principles: See Information Security Principles.
|
Nemesys security principles
|
Security Review: The process of reviewing the current status of a set of security controls and reporting on the suitability of that status.
|
Nemesys security reviews
|
Security Standards: See Information Security Standards.
|
Nemesys security standards
|
U
|
User Affirmation Statement: A formal statement signed by a system user that confirms their understanding of the relevant security policies.
|
|
Security Theory
|
A
|
Availability: A property of information. Availability is the property of being accessible at a time when it is required by an authorised user. Information that has not itself been damaged but, for example, cannot be accessed due to some other unauthorised activity, is said to have suffered a loss of availability. A deliberate attack on information availability is known as a denial of service attack. See also confidentiality, integrity and non-repudiation.
|
|
C
|
Captcha: Completely Automated Public Turing test to tell Computers and Humans Apart. A test that is designed to be easy for a human to do but difficult to automate. An example of a captcha is the practice of displaying distorted letters and asking the user to type them into a form. Captchas are often used to prevent automated registrations on web sites for spamming purposes.
|
|
Confidentiality: A property of information. Confidentiality is the property of being protected against unauthorised disclosure (either deliberate or accidental). See also integrity, availability and non-repudiation.
|
|
D
|
Domain: See security domain.
|
|
I
|
Integrity: A property of information. Integrity is the property of being protected against unauthorised alteration (either deliberate or accidental). See also confidentiality, availability and non-repudiation.
|
|
N
|
Non-Repudiation: A property of information that refers specifically to transactions between systems. Non-repudiation is the property of being able to prove that a transaction has taken place, and that the other party cannot deny that it took place (or repudiate it). Achieving non-repudiation normally involves the counter-party providing a time-stamped cryptographic signature that only they could possibly have provided. See also confidentiality, integrity and availability.
|
|
P
|
Perimeter: A conceptual border surrounding an organisation or security domain.
|
|
Privacy: The confidentiality of information relating to an individual person, including their status, beliefs, preferences, abilities and actions.
|
|
R
|
Repudiate: To deny that an event has taken place. Typically this is used to refer to financial transactions, but can apply to other situations. See also non-repudiation.
|
|
Repudiation: The act of repudiating. See also non-repudiation.
|
|
Terms defined: 293
|