The Streetwise Security Zone Glossary Security and Technical Terms (and Acronyms) Explained This constantly growing list of definitions and acronyms is not exhaustive, and probably never will be. Feel free to add comments or questions, so we can make the meanings more clear for you. And, if there are terms you’d like to see added, please let us know. (For a much more detailed “techno-geek glossary” please see TechTarget’s awesome Web site.)
(AA) Accreditation Authority - The role, usually held by the business owner of a system, that accredits the system and accepts the residual risk of putting it into operation. Somebody accepts that risk every time a system goes live, whether or not the acceptance is formally declared.

Availability - One of the three primary security services (with Confidentiality and Integrity). A system's availability requirement, usually recorded in a Statement of Sensitivity, states how reliably its information and services must be reachable: for example, a required uptime percentage, a minimum average time between failures, or a maximum tolerable length of any single outage.

Anti-Malware - The name now given to the family of products that were once called Anti-Virus solutions. The category now includes anti-spyware, anti-rootkit, anti-phishing and other technologies that attempt to identify and/or block malicious programs.

Botnet - A covert network of infected computers ("bots", "zombies" or, in older usage, "slaves") that take orders from a command-and-control ("master") system operated by the attacker. Without knowing it, your computer could be part of a botnet, sending spam to other users' email accounts or attacking computers on your internal network or on the Internet. Because the owner of the infected computer can be held liable for what it does, this is one of the most dangerous types of malware infection. Examples include the Psybot, GhostNet and ShadowNet botnets.

(CA) Certificate Authority - The organization or role responsible for issuing and managing the digital certificates used by Public Key Infrastructure (PKI) -based applications. A certificate binds a public key to an identity, so a digital signature made with the matching private key reliably identifies the creator of whatever data it is attached to (files, programs, packets, etc.). The certificates presented by web servers offering SSL/TLS are the most familiar example.

(CP) Certificate Policy - The policy governing the issuance and use of digital certificates issued by a Certificate Authority within a PKI-based security system. It defines under what conditions, and for what purposes, a certificate may be trusted, and what happens if the policy is violated.
Certification (Security Certification) - The evaluation of a system's security posture, that is, the level of risk it carries, against its security requirements. The word is also used for individuals who have demonstrated proficiency in an area of security through professional certifications such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and many others.

Certification Authority - The organization or role-holder having the authority to assess the security posture, or level of risk, of a system against its security requirements. Not to be confused with a Certificate Authority (above), which issues digital certificates.

(C&A) Certification and Accreditation - The process of having a system's security posture formally assessed (certified) and approved for operation (accredited) by the authorities designated by the organization that owns the system.

(CPS) Certification Practice Statement - A document used in PKI-based security systems that describes the processes and procedures by which a Certificate Authority complies with its Certificate Policy.

(CISO) Chief Information Security Officer (sometimes expanded as Corporate Information Security Officer) - The individual within an organization responsible for defining and maintaining the organization's Information Security policies.

Cloud Security - The general principle that services delivered over the Internet by a third party need the same security measures as services run internally: authentication of users, and access control or encryption to protect the confidentiality and integrity of data. Availability is equally a concern, because an attack on, or outage at, the provider affects every customer just as an outage of an in-house system would; the difference is that the customer no longer controls the safeguards directly.

(CSO) Corporate Security Officer or Chief Security Officer - The individual within an organization responsible for defining and maintaining ALL security policies, including physical and personnel security. The CISO (for information security) usually reports to the CSO.
Confidentiality - One of the primary security services: the property that a specific piece of data cannot be read by unauthorized individuals or systems. Encryption is the usual technical safeguard for confidentiality, ensuring that only the holder of the decryption key can decode (decipher) the data into its readable form. Encryption alone does not guarantee Integrity, since ciphertext can often be altered without the key; where tampering matters, a separate integrity check (a message authentication code or a digital signature) is needed as well.

Cryptography - The practice of protecting data using mathematical transformations. Encryption (enciphering) scrambles sensitive data into an unrecognizable form using a mathematical operation together with a piece of data called a key; the data must be decrypted (deciphered) with the corresponding key before it can be read in its original form. For sensitive data the strength of the algorithm and the length of the key matter, because attackers can apply very powerful computers and many techniques to break weak encryption.

Decryption - The inverse of encryption: transforming encrypted data back to its original form using the corresponding decryption key and the algorithm's reverse operation. With symmetric encryption the decryption key is the same secret key that was used to encrypt; with asymmetric encryption it is the private key matching the public key that was used to encrypt.

Digital Certificate (or X.509 Certificate) - A data structure, digitally signed by a Certificate Authority, that binds an individual or entity (the subject) to a public key used in cryptographic operations such as digital signatures or asymmetric encryption. Anyone who trusts the CA can verify the signature and therefore trust the binding.

(DMZ) Demilitarized Zone (or Public Access Zone) - A semi-protected, strictly controlled network area that terminates connections from the Internet and forwards only the permitted traffic to systems in an Operations Zone, so that sensitive systems and information are not directly exposed to the hostile Internet (Public Zone).

Encryption - As described under Cryptography above, a method for scrambling readable data (plaintext) into unreadable data (ciphertext) to protect its confidentiality, so that only those holding the proper decryption key can recover it.
There are many encryption algorithms, each with a corresponding decryption method that recovers the original plaintext. Symmetric encryption uses the same key (the secret or symmetric key) for decryption as for encryption; it is typically fast, but the key must be shared secretly with every party that needs it, which makes key distribution and management difficult. Asymmetric (public-key) encryption uses a pair of keys: data encrypted with the public key can be decrypted only with the matching private key. It is much slower, but the public key can be published openly, which makes sharing and managing keys far easier. In practice the two are combined: an asymmetric exchange protects a freshly generated symmetric key, which then encrypts the bulk of the data.

Firewall - A software or hardware safeguard that controls what traffic is allowed to flow between two areas of a network, or that separates networks with different levels of sensitivity. Software (host) firewalls are often used to protect individual workstations or servers; by silently dropping unsolicited connection attempts they make those systems appear absent to an attacker or malware scanning the same network for new targets. Hardware (network) firewalls usually protect entire network segments and support detailed rules for allowing or denying traffic or connections between systems on either side of the device.

Firmware - The semi-permanently installed software in a device such as a computer, router or printer that controls its basic functions from startup. Firmware occasionally needs to be updated, including for security fixes, and the update may be a manual process that is easy to neglect.

Drive-By Download - One of the fastest growing types of threat on the Internet, triggered simply by visiting an infected website. Malicious code on the site attempts to exploit vulnerabilities in the visitor's browser or its plug-ins, or tries to trick the user into accepting or executing a program. The result can be a silently installed key logger that collects passwords, or a bot (zombie) program that can be remotely commanded to collect information or attack other computers on the local network or the Internet.
Recent reports estimate that as many as 70% of sites serving malicious code are legitimate sites that the public generally trusts, and that have themselves been compromised.

Infosec - An abbreviation for Information Security. That's it!

Integrity - One of the primary security services, usually identified in a Statement of Sensitivity, expressing the requirement that information or systems be protected from unauthorized corruption, modification or deletion.

(IS) Information System - A collection of hardware and software components and their interconnections, the information held within them and, to some degree, the facilities that house and protect them.

Mule - An unwitting accomplice in a crime, often tricked into carrying parcels or handling money or funds transfers on a criminal's behalf. Parcel and money mules are often recruited through classified ads that promise easy money for limited effort.

Operations Zone - A protected network area where business systems process sensitive information, isolated from more hostile networks such as the Internet by a DMZ or Public Access Zone.

(OOB) Out of Band - Passing secret information, such as a one-time password or a reset link, to another party over a communication channel different from the primary one. For example, when you try to recover a password during a web browser session, the website will often email you a message containing a special link to complete the transaction. The email is an out-of-band message: it uses a different medium, so someone who has access only to your browser session cannot change your password without you knowing. NOTE: Patches that Microsoft issues for Windows or other software outside the normal "Patch Tuesday" cycle are sometimes called "Out of Band" patches; "Out of Cycle" would be the more accurate term.
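The password-reset flow described under Out of Band, as an added example written for this glossary entry (it is not code from the page or from any product it mentions). The email step is simulated by returning the link; the server stores only a hash of the token, so a leaked database does not yield working reset links; each link is single-use and expires. The 15-minute lifetime and the example.invalid URL are assumptions.

```python
"""Added example: an out-of-band password reset token (illustrative code,
not from the original page). Standard library only."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is valid for 15 minutes


class ResetService:
    def __init__(self, clock=time.time):
        self._clock = clock                              # injectable so expiry can be tested
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored: someone who reads the table cannot reconstruct the link.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, username: str) -> str:
        """Step 1, in band: the user asks for a reset in the browser session.
        Returns the link that would be sent over the separate channel (email)."""
        token = secrets.token_urlsafe(32)          # 256 random bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return "https://example.invalid/reset?token=" + token   # assumed URL

    def complete_reset(self, token: str) -> Optional[str]:
        """Step 2, out of band: the token from the emailed link is presented.
        Returns the username whose password may now be changed, or None."""
        entry = self._pending.pop(self._digest(token), None)   # pop: single use
        if entry is None:
            return None                                        # unknown or already used
        username, expires_at = entry
        if self._clock() > expires_at:
            return None                                        # expired
        return username


def token_from_link(link: str) -> str:
    """Extracts the token query parameter the way the reset page would."""
    return parse_qs(urlsplit(link).query)["token"][0]


def demo() -> dict:
    """Exercises the four cases a practitioner cares about."""
    now = [1_700_000_000.0]                       # fake clock, advanced below
    svc = ResetService(clock=lambda: now[0])
    link = svc.request_reset("alice")
    token = token_from_link(link)
    results = {
        "guessed": svc.complete_reset(secrets.token_urlsafe(32)),  # attacker with only the browser
        "first_use": svc.complete_reset(token),                    # genuine link from the email
        "replay": svc.complete_reset(token),                       # same link again
    }
    link2 = svc.request_reset("bob")
    now[0] += TOKEN_TTL_SECONDS + 1                # let the second link expire
    results["expired"] = svc.complete_reset(token_from_link(link2))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome!r}")
```

An attacker who controls only the browser session can trigger request_reset but never sees the token, which travels over email; that separation is the whole point of the out-of-band channel. The remaining risks are in the second channel itself (a compromised mailbox), which is why the link is short-lived and single-use.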
PEBKAC - Problem Exists Between Keyboard And Chair; a derogatory acronym sometimes used to indicate that the problem was caused by the user (closely related to the ID-10-T, or "idiot", error). It's like when the waiter calls you stupid in another language he doesn't think you understand!

Privacy - The right of an individual to control the collection and handling of their own sensitive personal information. It applies whether or not the individual has consented to the information being collected. While privacy is related to confidentiality, it concerns the broader intent of protecting an individual's rights, whereas confidentiality is about the technical safeguard on a particular piece of data.

(PAZ) Public Access Zone (or DMZ) - A network segment, strictly controlled (often by multiple firewall devices), that isolates a sensitive operational business network from the hostile Internet. Without a DMZ, an attacker who gets through a single firewall can often reach critical systems directly.

(PKI) Public Key Infrastructure - The system of software, hardware, policies and procedures that issues and manages digital certificates, enabling strong safeguards for authenticating individuals, limiting access, and digitally signing and encrypting information. It relies on chains of trust and public-key cryptography to provide a high-assurance, scalable solution, but has often been too expensive to deploy and operate for low- to moderate-value information assets.

Residual Risk - The risk remaining after the chosen safeguards have been implemented.

Risk - The expected loss associated with a Threat Event, determined by the likelihood that the event occurs and the impact if it does.

Risk Management - The overall process of evaluating potential risks and choosing, for each one, to a) Reduce it with safeguards, b) Transfer it (for example by insuring), c) Avoid it by not doing the risky thing, or d) Accept the resultant risk. Ignoring a risk is not the same as accepting it: acceptance is a recorded decision by someone with the authority to make it (see Accreditation Authority).
Risk Profile - The amount of risk exposure an organization is willing to accept when deploying a system (also called risk appetite or risk tolerance). For example, a medical or financial organization serving many people will probably have a LOW risk profile, tolerating very little. In contrast, some military organizations operating in hostile territory must sometimes accept a higher risk exposure to accomplish their mission.

Safeguard - A mechanism, technology-based or procedural, usually recommended in a Threat and Risk Assessment, that protects an asset by providing Confidentiality, Integrity or Availability. Safeguards are also referred to as security controls.

Security Posture - The level of risk to which a system or organization is exposed. In organizations that use formal certification and accreditation processes, such as government departments, security posture is usually stated relative to the target risk profile. Most business systems aim for a security posture of LOW residual risk (after implementation of the recommended safeguards).

(SLA) Service Level Agreement - An agreement between a provider and a consumer stating the allowable response times and the required service availability.

(SDLC) System Development Life-Cycle - Whatever methodology is used to bring an information system into existence. The SDLC is usually considered to start with Requirements or Opportunity Identification, and typically includes Requirements Analysis, Design, Implementation or Coding, Testing, Accreditation and Operation. Ongoing maintenance and upgrade cycles are part of the SDLC, as is the eventual "Decommissioning" activity of dismantling and disposing of the system in an orderly and secure way.

Social Engineering - Tricking an individual into doing something they would not have done had they known the attacker's intentions.
Examples include the old "telephone repair technician" who arrives at the door unannounced, saying he has received a complaint or a work order to inspect and fix a problem inside a home or secure area. People tend to be trusting, or do not realize that these are attacks intended to gain access to information or systems.

Threat Agent - An individual (e.g. a hacker) or group that could initiate an attack on an asset; or a naturally occurring event that could cause catastrophic failure or loss of a system or an associated component.

Threat Event - An occurrence in which a Threat Agent acts against an asset, such as an attempt by an attacker to gain unauthorized access, or the occurrence of a natural hazard.

Threat Scenario - The situation and manner in which an attacker (or Threat Agent) attempts to gain unauthorized access; or an accidental scenario, such as a natural disaster.

Virus - A type of malicious software designed to infect computer systems and replicate itself by inserting copies of itself into other programs or files, sometimes damaging the infected systems or stealing information. (A worm is similar but spreads across the network on its own, without needing to attach itself to another program.)

(VPN) Virtual Private Network - A secure method of connecting computers over an untrusted network (usually the Internet) that encrypts all the information travelling between them. It can be costly to implement, but is usually much cheaper than running dedicated data circuits.

Vulnerability - A weakness in an Information System asset, such as a missing safeguard, a software flaw or a misconfiguration, that a threat could exploit to compromise the asset. For example, if you are not running anti-virus software on all computers connected to a network, there is a vulnerability that they will become infected if attacked by a virus or worm.

Web Application Security - The practice of ensuring that software applications accessible over HTTP are secure. This often involves strengthening the System Development Life-Cycle (SDLC) used by the software's developers to reduce the number of exploitable bugs or features, thereby improving the software's quality and robustness.
Attacks in the realm of Web Application Security include SQL Injection (attacker-supplied input that the application pastes into a database query, so that it is interpreted as part of the query), URL manipulation, and malformed data files or links that put the software into a state where remote attackers can take over the computer running it.

Zero Day Attack - An attack that exploits a software vulnerability so newly discovered that no security patch is yet available from the vendor. There is a window of exposure between the discovery of the vulnerability (possibly by an attacker who tells no one) and the moment a patch is both available AND applied to the system. Attackers are getting faster at exploiting newly disclosed vulnerabilities, so software-based systems need to be kept up to date with available security patches; until a patch exists, the other safeguards (firewalls, least privilege, anti-malware) are the only defence.
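The SQL Injection attack named under Web Application Security, as an added example written for this glossary (not code from the page or from any product it mentions): a login check that builds its query by string formatting, beside the parameterised version that defeats the same inputs. It uses Python's built-in sqlite3 module with an in-memory database and a constructed two-row users table; the plaintext passwords are there only to keep the example short.

```python
"""Added example: SQL Injection against a login check, vulnerable and fixed.
Illustrative code, not from the original page. Standard library only."""
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample rows. A real system stores salted password hashes,
    # never plaintext; plaintext is used here only to keep the example short.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by string formatting, so a quote character in the
    input changes the structure of the query instead of being data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the SQL text is fixed and the values are bound
    separately, so a quote in the input is just a character in a string."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Runs a legitimate login and two classic injections against both versions."""
    conn = build_db()
    tautology = "' OR '1'='1"   # password field: makes the WHERE clause always true
    comment = "alice'--"        # username field: closes the string, comments out the rest
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "tautology_safe": login_safe(conn, "nobody", tautology),
        "comment_vulnerable": login_vulnerable(conn, comment, "wrong"),
        "comment_safe": login_safe(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:22s} -> {'logged in' if logged_in else 'rejected'}")
```

With the tautology payload the vulnerable function executes WHERE username = 'nobody' AND password = '' OR '1'='1', which matches every row; with the comment payload it executes WHERE username = 'alice'-- and never checks the password at all. The parameterised version treats both payloads as literal strings and rejects them, which is why prepared statements, not input filtering, are the primary fix for this class of bug.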
This glossary was compiled by Scott Wright. If you found this reference useful, please let me know at scott@streetwise-security-zone.com or simply JOIN the Streetwise Security Zone.