
The Streetwise Security Zone Glossary

Security and Technical Terms (and Acronyms) Explained


This constantly growing list of definitions and acronyms is not exhaustive, and probably never will be. Feel free to add comments or questions, so we can make the meanings more clear for you. And, if there are terms you’d like to see added, please let us know. (For a much more detailed “techno-geek glossary” please see TechTarget’s awesome Web site.)


Accreditation - Formal acceptance by senior management of risk before operational system deployment.

(AA) Accreditation Authority - The role, usually a business owner, who accredits a system and accepts the risk of going live (regardless of whether it is formally declared or not).

Availability - A characteristic of a system, usually described in a Statement of Sensitivity, that indicates a system’s requirements for the information and services to be available for a certain percentage of time, certain average lengths of time between failures, or with defined average lengths of time being continuously unavailable.

(CA) Certificate Authority - A role responsible for overseeing the issuance and management of digital certificates used in Public Key Infrastructure (PKI)-based applications. Digital certificates, such as those used by web servers offering SSL security, provide a way of reliably identifying the creator of whatever piece of data they are attached to (e.g. files, programs, packets, etc.).

(CP) Certificate Policies - The policies defined for governing the issuance and use of digital certificates issued by a Certificate Authority, used within PKI-based security systems. They define when certificates can be trusted and what happens if the policies are violated.

Certification (aka Security Certification) - The evaluation of a system’s security posture (or the level of risk it carries).

Certification Authority - The organization or role-holder having the authority to assess the security posture, or level of risk, of a system against its security requirements.

(C&A) Certification and Accreditation - The process of having a system’s security posture formally assessed (certified) and approved for operation (accredited) by the appropriate authorities designated by the organization that owns the system.

(CPS) Certification Practice Statement - A document used in PKI-based security systems that describes the processes and procedures detailing how a Certificate Authority complies with its associated Certificate Policies.

(CISO) Corporate Information Security Officer (or CSO - Chief Security Officer) - The individual within an organization responsible for defining and maintaining the organization’s Information Security policies.

(CSO) Corporate Security Officer or Chief Security Officer - The individual within an organization responsible for defining and maintaining ALL security policies (including physical and personnel security). The CISO (for information security) usually reports to the CSO.

Confidentiality - A security measure or type of safeguard used to protect a specific piece of data from being accessed by unauthorized individuals or systems. Encryption can provide confidentiality protection, ensuring that only the holder of the decryption key can decode (or decipher) the data into its readable form.

Digital Certificate (or X.509 Certificate) - A data structure that, through complex mathematical formulae, securely binds an individual or entity to a Public Key used in cryptographic operations such as digital signatures or asymmetric encryption.

(DMZ) Demilitarized Zone (or Public Access Zone) - A semi-protected and strictly controlled network area used to terminate connections from the Internet and forward them to systems in an Operations Zone without unduly exposing sensitive systems and information to the hostile Internet or Public Zone.

Drive-By Download - One of the fastest growing types of threats on the Internet, triggered simply by visiting an infected website. Malicious code on the infected website attempts to exploit vulnerabilities in the visitor's browser, or tries to trick the user into accepting or executing a program on their computer. The result can be a silently installed key logger that collects passwords, or even a zombie program that can be controlled remotely to collect information or, on command, attack other computers on the local network or the Internet. Recent reports estimate that as many as 70% of sites infected with malicious code are actually sites that are generally trusted by the public.

Infosec - An abbreviation for Information Security. That's it!

Integrity - One of the primary security services, usually identified in a Statement of Sensitivity, indicating the system’s requirement for protecting information or systems from being corrupted, changed or deleted.

(IS) Information System - A collection of hardware and software components and interconnections, as well as the information contained within them, and to some degree, the facilities that contain and protect them.

Operations Zone - A protected network area where business systems operate with sensitive information, isolated from more hostile networks such as the Internet through a DMZ or Public Access Zone.

(OOB) Out of Band - A technique for passing secret information, such as one-time passwords, to another entity using a communication channel different from the primary network channel. For example, when you try to recover a password during a Web browser session, the website will sometimes email you a message with a special link in it to complete the transaction. This email would be called an Out of Band message because it adds a different medium, and prevents a person with access to just your browser from changing your password without your knowledge.

PEBKAC - Problem Exists Between Keyboard and Chair; A derogatory acronym sometimes used in contempt of unaware individuals, to indicate that the problem was caused by the user (closely related to the ID-10-T, or IDIOT error). It's like when the waiter calls you stupid in another language he doesn't think you understand!

Privacy - The right of an individual to control the collection and handling of their own sensitive personal information. This is particularly important, whether or not the information is offered with the individual’s consent. While it is related to confidentiality, privacy deals more with the larger intent of protecting an individual's rights than with providing a strong technical safeguard on a particular piece of data - the intent of maintaining confidentiality.

(PAZ) Public Access Zone (or DMZ) - A network segment that is strictly controlled, often by multiple firewall devices, to isolate a sensitive operational business network from the hostile Internet. Without a DMZ, hackers can often easily reach critical systems protected by only a single firewall.

(PKI) Public Key Infrastructure - A system of software and hardware components that enables strong security safeguards for authenticating individuals, limiting access, digitally signing and encrypting information. It relies on chains of trust and complex mathematical operations to provide a high assurance, scalable solution, but is often too expensive to deploy and operate for most low to moderate value information assets.

Residual Risk - The risk remaining after implementation of chosen safeguards.

Risk - The potential resultant impact and expected loss associated with a Threat Event, dependent on the likelihood and impact of its occurrence.

Risk Management - The overall process of evaluating potential risks and choosing to a) Reduce, b) Transfer (insure), c) Avoid, d) Ignore, or e) Accept the resultant risk.

Risk Profile - The amount of risk exposure that an organization is willing to accept when deploying a system. For example, a medical or financial organization serving many people will probably have a LOW risk profile. In contrast, some military organizations operating in hostile territory must sometimes accept a higher risk exposure to accomplish their mission.

Safeguard - A mechanism (technology based or procedurally based), usually recommended within a Threat and Risk Assessment, that provides for protection of an asset through security measures such as Confidentiality, Integrity or Availability. Security safeguards are also sometimes referred to as security controls.

Security Posture - The assessed risk level of a certified system, usually stated relative to its target risk profile. Most business systems aim to have a security posture of a LOW residual risk (after implementation of recommended safeguards).

(SLA) Service Level Agreement - An agreement between a provider and consumer stating the allowable response times and service availability.

(SDLC) System Development Life-Cycle - The name used to describe whatever methodology is in use for bringing an information system into existence. The SDLC is usually considered to start with Requirements or Opportunity Identification, and often includes phases such as Requirements Analysis, Design, Implementation or Coding, Testing, Accreditation and Operation. The ongoing maintenance and upgrade cycles are also considered to be part of the SDLC, as well as the eventual "Decommissioning" activity to deconstruct and dispose of the system in an orderly and secure way.

Threat Agent - An individual (e.g. a hacker) that could initiate an attack on an asset; or a naturally occurring event that could cause a catastrophic failure or loss of a system or associated component.

Threat Event - An attempt by an attacker (or Threat Agent) to gain unauthorized access.

Threat Scenario - A situation and manner in which an attacker (or Threat Agent) attempts to gain unauthorized access; or an accidental scenario such as a natural disaster.

Virus - A type of malicious software or unwanted program designed to infect computer systems and replicate itself, sometimes causing damage to the infected systems, or stealing information.

(VPN) Virtual Private Network - A secure method of connecting computers over a network that encrypts all the information travelling between them. It can be expensive to implement, but is usually much cheaper than running dedicated data networks.

Vulnerability - The potential for compromise of an Information System asset. For example, if you are not running anti-virus software on all computers connected to a network, there is a vulnerability that they will become infected.

Zero Day Attack - An attack that exploits a software vulnerability in an application or system that is so newly discovered that no security patches are yet available from its vendor. There is a window of vulnerability between when the vulnerability is discovered (possibly by a hacker who doesn't tell anyone) and when a patch is available AND applied to the systems running the affected software. Hackers are getting better at exploiting newly discovered vulnerabilities, which means you need to keep software-based systems up to date with available security patches.

Copyright 2008. The Streetwise Security Zone - Governance by Graffiti (tm)