A physical or technical security feature that ensures only authorised users can gain access to specific IT resources, premises or systems. The control can be based upon the identity or role of the user, or can be specified via a list or rule. Many access control systems also require the user to be in possession of a token; known as two factor authentication, this is an increasingly popular method of access control.
Often referred to as ACL, this is a table that provides information to the computer’s operating system about the permissions or access rights which each user or group has to a system resource such as a file directory or individual file. In essence the ACL defines who has permission to access the resource and what level of permission is granted. The most common permissions include the ability to only read the file, to write to the file, or to execute the file.
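As an added illustration of the two entries above (not code from the original glossary), the following Python evaluates a small ACL in which each entry grants read, write or execute rights to a user or to a group acting as a role. The deny-overrides rule and the sample "payroll.xlsx" ACL are assumptions for the example.

```python
from dataclasses import dataclass

# The three permissions the entry above names.
READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class AclEntry:
    """One row of the ACL: who (a user or a group/role) gets which permissions."""
    principal: str        # "user:<name>" or "group:<name>"
    perms: frozenset      # subset of {READ, WRITE, EXECUTE}
    allow: bool = True    # False marks an explicit deny


def effective_perms(acl, user, groups):
    """Permissions the user actually holds on the resource.

    Allows from every matching entry (the user's own entry plus any of the
    user's groups) accumulate. An explicit deny removes a permission no matter
    how many allows granted it. This deny-overrides rule is an assumption of
    the example: it is the convention of most file-system ACLs, but the
    glossary text does not fix one.
    """
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    allowed, denied = set(), set()
    for entry in acl:
        if entry.principal in principals:
            (allowed if entry.allow else denied).update(entry.perms)
    return frozenset(allowed - denied)


def is_permitted(acl, user, groups, *wanted):
    """True only if every requested permission is in the effective set."""
    return set(wanted) <= effective_perms(acl, user, groups)


# Constructed ACL for a file "payroll.xlsx" (not taken from any real system).
PAYROLL_ACL = [
    AclEntry("group:finance", frozenset({READ, WRITE})),
    AclEntry("group:staff", frozenset({READ})),
    AclEntry("user:bob", frozenset({WRITE}), allow=False),  # bob may read but never modify
    AclEntry("user:deploy", frozenset({EXECUTE})),
]
```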
Term used to describe the process of collecting legitimate user IDs and passwords, usually with the intention of using these for illegal or malicious purposes. The activity typically involves using programs to search areas of the internet in order to gather the sought-after data. Such areas might include chat rooms, newsgroups, message boards and online directories. Methods used to combat this threat include the masking of email addresses and setting up two separate email addresses – one for personal messages and another for public posting purposes.
See also munging
A targeted attack on a business or political body, launched by an attacker with substantial means and motivation to carry out a sustained assault. APTs differ from other cyber attacks in that they often use customised tools and intrusion techniques which are designed specifically to penetrate the target organisation. In addition, they typically occur over long periods of time during which the attackers move slowly and quietly to avoid detection, unlike the more conventional attacks where the intruder tries to get in and out as quickly as possible in order to avoid detection. An APT is persistent because the attacker can spend months gathering intelligence about the target and use that intelligence to launch multiple attacks over an extended period of time. The main targets of an APT attack are often government facilities, defence contractors or organisations with large amounts of sensitive information such as source code or trade secrets.
Software that is integrated with a computer program and results in advertising banners being displayed when the program is run. However, adware can often go beyond the reasonable levels of advertising that might be expected from shareware and can take the form of spyware, as it may include code that tracks and reports upon the user’s online activities.
A symmetric 128-bit block data encryption technique that the US government adopted in October 2000, replacing the DES encryption technique it previously used. AES is based upon the Rijndael algorithm that was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. While there have been numerous discussions in the media with regard to attacks on AES, none has proved to be effective or practical.
The use of several different anti-spam technologies in combination, with a view to minimising the potential impact of spam upon an organisation. These technologies can include content filtering and the use of spam signatures and heuristics. By using such technologies in tandem, the number of false positives is reduced, while the reliable identification of spam is increased.
Security measures that validate an individual, message, file or other data. The most common security-related use is to confirm that a user is who they claim to be prior to gaining access to IT resources. It can also be used to verify that a message is authentic and has not been altered or forged. From a user’s perspective authentication usually occurs through the use of one or more authentication factors such as something you know (such as a password), something you have (such as a token) and something you are (a biometric characteristic such as a fingerprint or a facial feature). Using a combination of two of these factors is an increasingly popular approach to user authentication – see two factor authentication.
A Trojan horse program that provides a remote user or hacker with the means to bypass the normal access control of a computer and gives them unauthorised control over it. Typically a virus is used to place the backdoor Trojan onto a computer, and it then monitors the computer’s usage until it is connected to the internet. Once the computer is online, the person who sent the Trojan can run programs on the infected computer, access personal files, modify and upload files, and send out spam mail.
A generic term used to describe data collection or advertising software that is downloaded or installed unintentionally without the computer user’s knowledge. Barnacles can have a detrimental effect on the computer’s performance and can be very difficult to uninstall. The term comes from the marine crustacean that attaches itself to rocks or ship bottoms.
See also adware and spyware.
The only host computer on a network that is outside the demilitarised zone (DMZ) and which can be addressed directly from the public network. Its role is to defend against attacks aimed at the inside of the network by minimising the chances of a security penetration.
Refers to technologies for measuring and analysing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements. This analysis is usually carried out as part of an authentication process and is likely to play an increasing role in e-business security. Fingerprint, facial, or other biometric data can be placed on a smartcard and users can present both the smartcard and their fingerprints or faces to merchants, banks, or telephones for an extra degree of authentication.
Skilled hackers who illegally use their abilities and knowledge of the vulnerabilities of IT systems for private gain. They seek to exploit these vulnerabilities rather than revealing them to either the general public or the manufacturer for correction.
See also White hats.
Term used to describe a multi-pronged attack on a computer network in which a variety of different types of malware are utilised. For example, a spam email might also contain links to a phishing website while at the same time carrying a virus or Trojan horse payload. By utilising multiple methods of attack and self-propagation, blended attacks can spread rapidly and cause widespread damage.
The practice of sending unsolicited text messages to mobile users using Bluetooth. Users can avoid such messages by setting their device to ‘invisible’ or turning off Bluetooth when they are not using it.
See also Bluesnarfing.
Also referred to as snarf attacking, this is a hacking technique that uses a Bluetooth connection to gain unauthorised access to information on a wireless device, such as a mobile phone or PDA. The types of information typically stolen are a user’s contact lists, emails, text messages and calendar entries.
See also Bluejacking.
A type of investment fraud promoted over the telephone. This type of fraudulent telemarketing operation is run from high-pressure sales operations from which sales people call unsuspecting investors with the intention of persuading them to invest in worthless offshore trading ventures. Typical characteristics of a boiler room scam are high-pressure sales tactics, outrageous promises of high profit at little or no risk, a demand for an immediate decision, and a reluctance to provide information about the sales firm or the investment.
Bot is derived from the word ‘robot’ and is a program that operates as an agent for a user or another program. In addition to being used as spiders or crawlers on the internet, bots can also be used to perform malicious activities, in particular as a launching pad for distributed denial of service attacks. In such cases malicious software is installed on a user’s computer without their knowledge, and these bot-infected machines are able to pass control of the machine to a remote attacker and act on the attacker’s instructions. Such computers are popularly known as zombies.
In a security context this term is used to describe an act from outside the organisation that bypasses the existing security defences and results in the unauthorised access of data, applications, services, networks and/or devices. It is commonly used in situations where personal data held by service providers is illegally accessed and in such circumstances the Information Commissioner’s Office describes this as resulting in ‘...the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provisions of a public electronic communications service.’
An attempt to decode security passwords or encryption keys by sequentially testing them against every possible permutation of upper and lower case letters, numbers, punctuation marks etc, rather than employing a more ‘scientific’ approach. Theoretically the brute force approach will always work. However, its fallibility lies in the fact that the sophistication and complexity of most cryptographic schemes means that it may actually take several years to achieve its aim.
Also known as a Certificate Authority, this is a third party that is authorised and trusted to issue digital certificates. These certificates are used to create digital signatures and public–private key pairs which play a critical role in online transactions as they guarantee that the two parties exchanging information are really who they claim to be. For example, a CA such as VeriSign will issue certificates for use on web servers once they have verified that the server and domain are owned and managed by the organisation or individual applying for the certificate. This in turn provides reassurances to potential customers about the trustworthiness of the online service being run from that server.
Frequently referred to as the CIA triad, it is a popular way of encapsulating the three fundamental principles of information security. The model is intended to guide policies for information security within an organisation. In this context, ‘confidentiality’ describes the need for information to be accessible only to those that are authorised to view it, ‘integrity’ is the assurance that the information is trustworthy and accurate, and ‘availability’ is a guarantee of information being available to those users that require it, when they require it.
An algorithm that is used for encrypting or decrypting information, which works by hiding words or text via encryption. It does this by replacing original letters with other letters, numbers and symbols through substitution or transposition. The resultant output is known as ciphertext. To transform a piece of plaintext into ciphertext, or to transform ciphertext into plaintext, an individual needs both an algorithm and a key.
Term used to describe an encrypted text message. The message is sent in a scrambled, unreadable form which is converted from plaintext using an encryption algorithm and which can be transformed back into the readable plaintext with an appropriate decryption key.
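The three entries on brute force, ciphers and ciphertext are illustrated by the following added Python example (not code from the original glossary). It builds a toy cipher from a letter substitution followed by a columnar transposition, keyed by a (shift, columns) pair, and then recovers the key by trying every possibility; the word list, sample message and guess rate are constructed assumptions, and the last function shows why the same exhaustive search is hopeless against a 128-bit key.

```python
import math
import string

ALPHABET = string.ascii_uppercase


def substitute(text, shift):
    """Substitution step: replace each letter by the one `shift` places along
    the alphabet (a Caesar shift). Non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def transpose(text, columns):
    """Transposition step: write the text row by row into `columns` columns,
    then read it out column by column (a columnar transposition)."""
    return "".join(text[i::columns] for i in range(columns))


def untranspose(text, columns):
    """Inverse of transpose(): rebuild the row-by-row order from the columns."""
    n = len(text)
    out = [""] * n
    pos = 0
    for col in range(columns):
        count = len(range(col, n, columns))  # characters held by this column
        for row, ch in enumerate(text[pos:pos + count]):
            out[col + row * columns] = ch
        pos += count
    return "".join(out)


def encrypt(plaintext, key):
    """Plaintext -> ciphertext. The key is the pair (shift, columns)."""
    shift, columns = key
    return transpose(substitute(plaintext.upper(), shift), columns)


def decrypt(ciphertext, key):
    """Ciphertext -> plaintext, undoing the two steps in reverse order."""
    shift, columns = key
    return substitute(untranspose(ciphertext, columns), -shift)


# Tiny constructed word list used to recognise English-looking candidates.
COMMON_WORDS = {"THE", "AND", "AT", "TO", "OF", "IS", "MEET", "ME", "ATTACK", "DAWN"}


def english_score(text):
    """Number of words in the candidate that appear in the word list."""
    return sum(1 for word in text.replace(",", " ").split() if word in COMMON_WORDS)


def brute_force(ciphertext, max_columns=10):
    """Try every (shift, columns) key; return the best-scoring key and plaintext.

    The key space here is only 26 * max_columns keys, which is why the search
    finishes in milliseconds. The loop is the same for any cipher; what changes
    with a modern 128-bit key is that it would never finish."""
    best_score, best_key, best_text = -1, None, None
    for columns in range(1, max_columns + 1):
        for shift in range(26):
            candidate = decrypt(ciphertext, (shift, columns))
            score = english_score(candidate)
            if score > best_score:
                best_score, best_key, best_text = score, (shift, columns), candidate
    return best_key, best_text


def years_to_exhaust(key_bits, guesses_per_second=1e12):
    """Years needed to try every key of the given size at an assumed guess rate."""
    return (2 ** key_bits) / guesses_per_second / (365.25 * 24 * 3600)
```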
A type of online fraud where advertising banners on websites are clicked without there being any interest in the advertised product or service. A person, computer program or automated script is maliciously used to register clicks on pay-per-click (PPC) advertising, with each click accruing as a cost to the advertiser. So, for example, a competitor may use this approach to disrupt an advertiser’s campaign by registering large volumes of clicks and, as a consequence, impacting upon their advertising budget as well as giving a false view of the popularity of the advertised goods. According to industry metrics up to 20% of all pay-per-click traffic delivered to advertisers from search engines originates from such fraudulent sources.
A security threat where, through the use of iframes and web page layers in DHTML (dynamic hypertext markup language), a potentially malicious button can be overlaid on top of an existing legitimate web page button so that when a user clicks it they believe they are clicking the legitimate button instead of the malicious overlay. This all happens transparently to the user and can result in harmful software being downloaded or the user being directed to a mirror website that tricks them into believing they are still on the original site and provides the opportunity for the hacker to gather personal or financial data.
The application of investigation and analysis techniques to gather and preserve digital information from hard disk storage, mobile devices or any other electronic source. The purpose of the retrieval is usually to present the digital information as evidence in a court of law, since computer forensics is normally applied following a cyber crime. Investigators use a variety of techniques and proprietary software forensic applications to examine the media and search hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. There is often the requirement for a legal audit trail to show how the information was collected.
A security action or measure implemented in order to prevent, avert or reduce a potential threat to an IT system or service. Technical countermeasures include anti-virus software and firewalls. Within risk management it is also possible to consider non-technical countermeasures, such as transferring a possible risk to another party, for example by contracting a third party to assume responsibility for a particular service, or insuring against the occurrence of a specific risk. With all countermeasures it is important to ensure that they are proportional to the risks they are intended to guard against (don’t spend £10,000 protecting your business against a risk that will only cost you £500 if it actually occurs).
Commonly referred to as XSS, this is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source. When an unsuspecting user clicks on the link, the embedded programming is submitted as part of the client’s web request and can execute on their computer. Attacks exploiting XSS vulnerabilities can steal data, take control of a user’s session, run malicious code, or be used as part of a phishing scam. Web server applications that generate pages dynamically are particularly vulnerable to a cross-site scripting exploit if they fail to validate user input and ensure that the pages generated are properly encoded. In such cases malicious script can be hidden in the page within legitimate requests. A vulnerability that enables cross-site scripting is often known as an XSS hole.
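The failure to encode generated pages that the entry above describes is shown in the following added Python example (not code from the original glossary): a search page rendered without output encoding beside the same page with encoding. The link, site name and query parameter are constructed for the example and the script it carries only raises a harmless alert.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_search_vulnerable(query):
    """'Before': the query string is dropped straight into the HTML, so any
    markup in it becomes part of the page and runs in the victim's browser."""
    return f"<p>You searched for: {query}</p>"


def render_search_fixed(query):
    """'After': output encoding turns the HTML metacharacters (< > & ' ") into
    entities, so the browser displays the text instead of interpreting it."""
    return f"<p>You searched for: {html.escape(query, quote=True)}</p>"


def render_input_fixed(query):
    """Same rule inside an attribute value: quote=True is what stops a crafted
    value from closing the attribute early."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def query_from_link(link):
    """Extract the q= parameter the way the server-side page would."""
    return parse_qs(urlsplit(link).query).get("q", [""])[0]


def contains_live_markup(page_fragment):
    """Crude detector used only to compare the two renderings: is there a real
    <script tag (as opposed to an escaped one) in the generated HTML?"""
    return "<script" in page_fragment.lower()


# Constructed link of the kind the entry describes: it points at a legitimate
# site, but the query parameter carries a (harmless, alert-only) script.
CONSTRUCTED_LINK = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
```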
Greek word meaning ‘hidden writing’. It is the name given to the science of scrambling data in such a way that renders it totally unintelligible to the unauthorised viewer but which enables the intended recipient to unscramble it sensibly. In the online world it is typically used to protect data as it travels along communications links between different systems.
Generic term used to describe attacks on websites. These can range from the simple electronic defacing of an existing web page through to major denial of service attacks where attackers bombard the website with a huge number of demands for information with a view to slowing or completely halting its operation.
Term used to describe the deliberate or accidental release of sensitive corporate data, commonly relating to finances, customers, intellectual property and other confidential information. The term has become more commonplace with the growing use of mobile devices and the advent of BYOD (bring your own device), both of which pose increasing end-point security risks. The increase in data leakage has been attributed in many quarters to a lack of corporate policies or inadequate communication of these policies to employees using mobile devices. The growing threat posed by data leakage has seen a corresponding increase in data loss prevention (DLP) solutions which use business rules to examine file content and tag confidential information so that users cannot disclose it.
An electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and also ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity. A digital certificate contains the digital signature of the certification authority so that the recipient can verify that the certificate is real.
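The sign-then-verify cycle described above, as an added Python example that is not part of the original glossary. It uses textbook RSA with a toy key pair so the arithmetic can be followed; the primes, the sample transfer message and the reduction of the hash modulo n are constructed simplifications (real schemes use 2048-bit or larger keys and pad the full hash).

```python
import hashlib

# Toy RSA key pair built from two small primes so the arithmetic can be followed.
# Constructed for illustration only: real keys use 2048-bit or larger moduli, and
# real schemes (PKCS#1 v1.5, PSS) pad the full hash rather than reducing it mod n.
P, Q = 104729, 1000003           # both prime
N = P * Q                        # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                        # public exponent
D = pow(E, -1, PHI)              # private exponent (pow(x, -1, m) needs Python 3.8+)

PUBLIC_KEY = (N, E)    # the part published in the signer's certificate
PRIVATE_KEY = (N, D)   # never leaves the signer


def _message_digest(message: bytes, modulus: int) -> int:
    """Hash the message and map the digest into the signing range."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % modulus


def sign(message: bytes, private_key) -> int:
    """The signer raises the digest to the private exponent. Only the holder of
    D can do this, which is what stops the sender repudiating the message later."""
    n, d = private_key
    return pow(_message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key recovers the digest from the signature and
    compares it with a fresh hash of the message as received. Any change to the
    content changes the hash, so the comparison fails."""
    n, e = public_key
    return pow(signature, e, n) == _message_digest(message, n)


def check_transfer(message: bytes, signature: int) -> str:
    """Accept a signed payment instruction only if its signature verifies."""
    if verify(message, signature, PUBLIC_KEY):
        return "accepted: content intact and signed by the key holder"
    return "rejected: signature does not match this content"
```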
The intention of such an attack is to deny access to authorised users of a website, usually as a result of the implementation of malicious procedures by hackers. Denial of service is achieved by attacking network components, such as routers and computer systems, by attacking applications or the operating system. The result is an inoperable condition that may cause the website to offer a reduced level of service or, in some cases, may result in the website ceasing operation until the problems are resolved. This can result in a financial loss for the company and has, in some instances, actually resulted in the company going out of business, particularly if it operates exclusively within an e-business environment.
A security zone with a separate security policy that is used to partition public servers such as email and web servers away from internal networks. Typically, this involves putting a firewall behind the servers that require expanded internet access so that if they are breached the remainder of the internal networks are still protected by a firewall.
A new type of security threat where an attacker is able to change the DNS settings on a user’s broadband router or wireless access point as a result of that user visiting a malicious website. This is made possible when a broadband router is not password protected or an attacker is able to guess the password – for example, most routers come with a well-known default password that a user never changes. From this point on, every time the user browses a website, DNS resolution will be performed by the attacker. This gives the attacker complete discretion over which websites the victim visits on the internet. For example, the user may think they are visiting their online banking website but in reality they have been redirected to the attacker’s site and when they enter their user name and password, the attacker can steal this information. The attacker will then be able to access the victim’s account on the ‘real’ bank site and transfer funds or create new accounts.
See also pharming.
In an IT context this refers to the practice of rummaging through a business’s discarded material in order to find confidential or sensitive information that could be used in order to carry out an attack on the corporate network. This can include passwords or access codes, or indeed any corporate information that might assist the attacker. The term is also used at the personal level, where thieves search through household rubbish for personal or financial details of the occupiers which might be used for the purposes of identity theft.
The unauthorised intercepting and reading of messages and conversations by unintended recipients. Eavesdropping can be done over telephone lines, email, instant messaging, and any other method of communication considered private. Communications can be protected from eavesdropping through the use of encryption techniques.
The translation of data into a secret code that cannot be easily understood by an unauthorised person. Encryption utilises algorithmic schemes that encode plain text into non-readable form or ciphertext, thereby providing privacy. The receiver of the encrypted text uses a ‘key’ to decrypt the message, returning it to its original plain text form. The stronger the cipher, that is, the harder it is for unauthorised people to break it, the better. However, as the strength of encryption increases, so does the cost. Initially, 64-bit encryption was considered quite strong, but today 128-bit encryption is the standard, and this will undoubtedly increase in the future. Web browsers will encrypt text automatically when connected to a secure server, as indicated by a web address beginning with https. Email correspondence can also be encrypted through the use of encryption programs that feature plug-ins or interfaces for popular email clients, the most longstanding of which is PGP (Pretty Good Privacy). Encryption has become particularly important in wireless communications, since wireless circuits are easier to ‘tap’ into than hard-wired networks. It also plays an increasingly important role in protecting sensitive data that may be held on mobile devices and memory sticks.
A security approach whereby each device (end point) is responsible for its own security, with security software being distributed to every device that connects to the corporate network and subsequently monitored and updated from a server or gateway.
An IT security expert who is employed by an organisation to undertake an attempt to penetrate their networks or computer systems using the same methods as a hacker. The intention is to identify vulnerabilities that a hacker could exploit and so enable the organisation to take pre-emptive measures against any possible malicious attacks.
See also penetration testing.
Term used for a rogue wireless access point that masquerades as a real one. The evil twin is set up by a hacker with the intention of gathering personal or corporate information. Typically such access points are set up near locations where the victim would expect to be able to access free wireless hotspots, such as airports, coffee shops, hotels or libraries. In effect the hacker sets up a hotspot with the same network name and settings as a genuine access point located nearby and tricks the user into using the false one to access the internet. Once the connection is made, the hacker can intercept any sensitive data.
Essentially this is an agreed standard for sharing an identity with multiple parties with multiple privileges. In a security environment it refers to the process of enabling a user to use a single ID to authenticate themselves across multiple systems. This can be across different systems on a corporate network, or different external services where an agreement is in place between the various service providers involved. The main advantage of federated identity is one of convenience, since it removes the necessity for the user to manage a range of different ID details.
A hardware or software security device that filters information passing between internal and external networks. Usually run on a specific server, it controls access to the internet by internal users, and prevents outside parties gaining access to systems and information on the internal network. In particular it protects the internal network from intruders or hackers who might try to use the internet as a means of breaking into those systems.
Originally a term of respect for a highly proficient computer programmer who seeks to gain unauthorised access to systems without malicious intent. However, the press has increasingly used the term to describe individuals who gain unauthorised access to computer systems for malicious purposes. The result is that the term ‘hacker’ (along with black hat) is now used almost exclusively to describe someone who breaks into systems, destroys data, steals copyrighted software, and performs other destructive or illegal acts with computers and networks.
Term used to describe a hacker with a political or ethical axe to grind who seeks to exploit security vulnerabilities in those companies or organisations whose policies, political viewpoints or business activities they do not agree with. Victims of this form of social activism might include companies selling fur, tobacco or arms. Such companies would be included in the hacktivist’s WDLY lists, where the acronym stands for ‘We Don’t Like You’ and is generally seen as a sufficient motive for hacking a particular computer.
The process of providing various layers of protection to a computer system. This is achieved, for example, by patching the operating system software and other exposed services with the latest security fixes, installing a firewall, closing certain ports such as server ports and removing all non-essential software programs and utilities. The goal is to eliminate as many risks and threats to the computer system as possible.
An anti-virus program that detects viruses by applying general rules about the characteristics of viruses and how they behave. The program scans files and alerts the user if it deems the format of the file to be suspicious. Though this type of program does not require frequent updates, it can be prone to false alarms.
Term used to describe decoy servers or systems that are set up to gather information regarding an attacker or intruder to a company’s systems. They are intended to tempt intruders into areas which appear attractive, worth investigating and easy to access, possibly taking them away from the really sensitive areas of the company’s systems. They are designed to help a company learn how attacks are formed and identify who is attacking them. Honey pot traps can be set for internal, external and remote access systems.
Small applications, written in Java, that are intended to surreptitiously access and transmit data on hard drives, including email addresses, credit card records, and other account information. This contrasts with conventional applets that are designed to extend the capabilities of browsers or provide website-specific functionality.
A symmetric block cipher algorithm that was used in PGP (Pretty Good Privacy). It is one of the few widely used ciphers that is protected by a patent, which is held by the Swiss company Ascom-Tech AG. It uses a 128-bit key that is twice the length of the now outdated DES key and is currently only breakable by brute force. It is a common misconception that IDEA is an official standard.
Identity management is an integrated set of processes, policies and technologies, including password management and access management, used to control user access to network resources and online applications. Identity management is responsible for identifying individuals in a system, and controlling their access to resources within that system by associating user rights and restrictions with the established identity. It also acts as a single point of administration for adding and deleting user accounts.
Identity theft occurs when somebody steals the name and personal information of another person for fraudulent purposes. This can pose serious risks at both the personal and, increasingly, the corporate level, as web technology enables the perpetrator to use this information to fraudulently misuse bank accounts and credit cards, or access sensitive corporate data.
Security software that monitors traffic on a network or host computer for suspicious activity and automatically alerts system administrators when someone or something is trying to compromise the system through malicious activities or security policy violations. It does this by inspecting all inbound and outbound activity and identifying suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. IDS types include network-based (NIDS), host-based (HIDS), signature-based and anomaly-based.
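The signature-based and anomaly-based approaches named in the entry above, as an added Python example that is not part of the original glossary. It runs both kinds of rule over a constructed sshd-style auth-log excerpt: the signatures match a single suspicious event, while the anomaly rule counts failed logins per source address; host name, addresses and the failure threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed auth-log excerpt in syslog/sshd style (not from any real system).
SAMPLE_LOG = """\
Mar  1 10:00:01 bastion sshd[101]: Accepted password for alice from 10.0.0.5 port 5001 ssh2
Mar  1 10:00:03 bastion sshd[102]: Failed password for alice from 10.0.0.5 port 5002 ssh2
Mar  1 10:00:05 bastion sshd[103]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  1 10:00:06 bastion sshd[104]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  1 10:00:07 bastion sshd[105]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar  1 10:00:08 bastion sshd[106]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar  1 10:00:09 bastion sshd[107]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar  1 10:00:10 bastion sshd[108]: Failed password for root from 203.0.113.9 port 40006 ssh2
Mar  1 10:00:12 bastion sshd[109]: Accepted password for root from 203.0.113.9 port 40007 ssh2
Mar  1 10:01:00 bastion sshd[110]: Invalid user admin from 198.51.100.7 port 2222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Signature-based rules: a known-bad pattern visible in one event on its own.
SIGNATURES = [
    ("root-login-accepted", re.compile(r"^Accepted \w+ for root ")),
    ("invalid-user-probe", re.compile(r"^Invalid user ")),
]

# Anomaly rule: more failed logins than this from one source is out of the ordinary.
FAILED_LOGIN_THRESHOLD = 5


def parse(log_text):
    """Turn each log line into a small event record; lines that do not parse are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["msg"])
        events.append({"ts": m["ts"], "msg": m["msg"], "ip": ip["ip"] if ip else None})
    return events


def signature_alerts(events):
    """One alert per event that matches a signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["msg"]):
                alerts.append({"rule": name, "ip": ev["ip"], "ts": ev["ts"]})
    return alerts


def anomaly_alerts(events, threshold=FAILED_LOGIN_THRESHOLD):
    """One alert per source address whose failed-login count exceeds the threshold.
    A single typo from a legitimate user stays below it; a burst does not."""
    failures = Counter(
        ev["ip"] for ev in events
        if ev["ip"] and ev["msg"].startswith("Failed password")
    )
    return [
        {"rule": "failed-login-burst", "ip": ip, "count": n}
        for ip, n in failures.items() if n > threshold
    ]


def analyse(log_text):
    """Run both rule types over the log and return every alert raised."""
    events = parse(log_text)
    return signature_alerts(events) + anomaly_alerts(events)
```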
An IETF standard for TCP/IP layer security that provides encryption, host authentication, and data integrity. IPsec is most commonly used in the implementation of VPNs (virtual private networks) and for remote user access through dial-up connection to private networks. One of the major benefits of IPsec is that security arrangements can be handled without requiring changes to individual user computers.
An email spam attack aimed at tarnishing the reputation of the apparent sender and to possibly induce the recipients to take action against him. The victim’s email address is used as the ‘sender’s address’ and, in most cases, their website URL is advertised. The email will not only be sent to thousands or even millions of addresses, but it will be sent multiple times – possibly dozens or hundreds – to each recipient before the attack ends. The term derives from an attack on Joe Doll, proprietor of Joe’s CyberPost (joes.com).
A trusted third-party authentication protocol developed at the Massachusetts Institute of Technology (MIT). Kerberos lets a user request an encrypted ticket from a third-party authentication process that can then be used to request a particular service from a server. The server requires a Kerberos ticket before it will proceed with any request. Once the server receives the ticket, it accepts it (if it is valid) and then performs the required service. Key to Kerberos is the fact that use of the ticket system means there is no requirement for user passwords to be passed across a network. This is because it employs a single sign-on environment where a user needs only to enter their password once during login and from thereon uses the ticket system.
A small program designed to record which keys are pressed on a computer keyboard. The key logger is commonly downloaded unwittingly as spyware and executed remotely. The key logger program records each keystroke the user types and uploads the information over the internet periodically to whoever installed the program. This information may contain details of passwords, usernames and online banking services, all of which can subsequently be used for fraudulent purposes.
Deals with the secure generation, distribution, and storage of keys used in cryptography. A key is a value that determines the output of an encryption algorithm when transforming plain text to ciphertext – with the length of the key generally determining how difficult it will be to decrypt the ciphertext. The growth in the use of cryptography within security solutions means that an organisation using a wide variety of encryption tools might have possibly thousands of encryption keys. The challenge is that each of these must be securely stored, adequately protected and reliably retrievable. However, key management is not just an operational challenge, since as regulatory bodies become more aware of the importance of key management, the security and audit requirements specific to these processes are becoming more stringent.
Programming code, inserted surreptitiously or intentionally into the software of an application or operating system. This lies dormant for a predetermined period of time, or until a specific event occurs, at which point the code is triggered into action. A logic bomb is malicious in intent, and can be viewed as a delayed action virus or Trojan horse. They can perform such actions as reformatting a hard drive or deleting, altering or corrupting data.
Term used to describe the sending, or urging of others to send, large amounts of email (often with large files attached) to a single system or person. The intention is frequently to crash the recipient’s system. A successful mail bomb may cause the victim’s disk quota to be exhausted, the disk holding their mailbox to fill up, or their computer to spend a large proportion of its time processing mail.
A temporary email address set up and used by spammers to receive replies to spam. The email account from which the spam was sent is then cancelled by the spammer as part of their efforts to avoid detection.
Code that has been developed with the express intention of causing damage to a computer or network. It looks to exploit weaknesses in computer software and then replicate itself or attach itself to other programs. It can also send messages through email and steal information or cause damage by deleting files. Frequently it appears to perform a useful or desirable feature and so tricks the user into executing it and thereby gains access to system resources. Examples include viruses, Trojan horses and worms.
Short for malicious software, it is a generic term that covers a range of software programs that are designed to attack, degrade, infiltrate or prevent the use of an IT system or network. Types of malware can include viruses, worms, Trojan horses, malicious active content and spyware.
A type of attack in which data communications between two parties are intercepted by an attacker (the man-in-the-middle) without their knowledge or consent. It is a form of eavesdropping, and the classic setting is an unauthenticated public key exchange: because neither party can verify whom a received public key really belongs to, the attacker can substitute their own key in each direction and so establish a separate encrypted session with each victim. The attacker can then read every message and, if they wish, replace it with their own, while making the two parties believe that they are talking directly to each other over a private connection. This obviously compromises the confidentiality of the data being passed between the two legitimate parties, but the fact that the data can also be modified opens up the opportunity for fraud or other criminal activity. The defence is to authenticate the exchanged keys, for example with digital certificates or a pre-shared secret.
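The exchange described above, as an added example that is not part of the original glossary: a toy Diffie-Hellman exchange in Python, first run honestly, then with a man-in-the-middle who swaps in her own public value in each direction, and finally with the public values authenticated by an HMAC under a pre-shared key so the substitution is detected. The group size, the party names and the pre-shared-key scheme are assumptions made for the illustration; real deployments use standard 2048-bit or elliptic-curve groups and certificates.

```python
import hashlib
import hmac
import random
import secrets

# Toy-sized Diffie-Hellman group used purely for illustration (assumption: a real
# deployment would use a standard 2048-bit or larger group, or an elliptic curve).
P = 2**127 - 1   # a Mersenne prime
G = 2


def derive_key(shared_secret: int) -> bytes:
    """Turn the DH shared secret into a symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Party:
    """One endpoint of the exchange: picks a private exponent and publishes G^x mod P."""

    def __init__(self, rng=None):
        rng = rng or secrets.SystemRandom()
        self.private = rng.randrange(2, P - 1)
        self.public = pow(G, self.private, P)

    def session_key(self, peer_public: int) -> bytes:
        return derive_key(pow(peer_public, self.private, P))


def honest_exchange(rng=None):
    """Alice and Bob swap public values directly; both derive the same key."""
    alice, bob = Party(rng), Party(rng)
    return alice.session_key(bob.public), bob.session_key(alice.public)


def mitm_exchange(rng=None):
    """Mallory intercepts both public values and substitutes her own in each direction.
    Alice ends up sharing a key with Mallory, and so does Bob; neither notices."""
    alice, bob, mallory = Party(rng), Party(rng), Party(rng)
    # Alice -> Bob is replaced by Mallory -> Bob; Bob -> Alice by Mallory -> Alice.
    return {
        "alice": alice.session_key(mallory.public),
        "bob": bob.session_key(mallory.public),
        "mallory_alice": mallory.session_key(alice.public),
        "mallory_bob": mallory.session_key(bob.public),
    }


def tag(psk: bytes, public: int) -> bytes:
    """Authenticate a public value with a MAC under a pre-shared key (assumed scheme)."""
    return hmac.new(psk, public.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk: bytes, rng=None, attacker: bool = False):
    """Each party sends (public, MAC). Mallory can swap the public value but cannot
    forge the MAC, so the substitution is detected and the exchange aborted."""
    alice, bob = Party(rng), Party(rng)
    alice_msg = (alice.public, tag(psk, alice.public))
    bob_msg = (bob.public, tag(psk, bob.public))
    if attacker:
        mallory = Party(rng)
        alice_msg = (mallory.public, alice_msg[1])   # substituted value, original tag
        bob_msg = (mallory.public, bob_msg[1])
    for public, mac in (alice_msg, bob_msg):
        if not hmac.compare_digest(tag(psk, public), mac):
            raise ValueError("key exchange tampered with: MAC does not verify")
    return alice.session_key(bob_msg[0]), bob.session_key(alice_msg[0])


def tamper_detected(psk: bytes, rng=None) -> bool:
    """True if the authenticated exchange rejects a man-in-the-middle."""
    try:
        authenticated_exchange(psk, rng, attacker=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rng = random.Random(1)  # deterministic for the demo; use the default in real code
    ka, kb = honest_exchange(rng)
    print("honest exchange, keys match:", ka == kb)
    r = mitm_exchange(rng)
    print("under attack, Alice and Bob agree:", r["alice"] == r["bob"],
          "| Alice actually shares a key with Mallory:", r["alice"] == r["mallory_alice"])
    print("authenticated exchange detects tampering:", tamper_detected(b"shared-secret", rng))
```

The point to notice is that the unauthenticated exchange completes without any error: both victims obtain a perfectly good key, just not with each other.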
In a security context masquerading is when a user presents himself or herself to a system or network as another user. This may be done in order to gain unauthorised access to information or resources, to disseminate information in somebody else’s name, or to block or deny a system from operating correctly. A masquerade may be attempted through the use of stolen log-on IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism.
Provides a business with centralised control for smartphones, tablets and other mobile devices. The popularity of this software has grown with the uptake of BYOD as businesses recognise the need to allow for effective mobile device use while also protecting sensitive data on these devices from unauthorised access. Security services can be deployed across multiple mobile service providers and across multiple mobile operating systems. Security features offered by MDM solutions include the ability to securely enrol devices in an enterprise environment, configure and update settings, monitor compliance with corporate policies, and remotely wipe or lock devices that have been lost or stolen. In addition, it is possible to provide over-the-air distribution of applications, data and configuration settings to all mobile devices.
Term used to describe the deliberate modification of one’s email address, with the intention of making the address unusable for the junk emailers who build up mailing lists from the internet for spamming purposes. Spambots are used to scour the internet, particularly newsgroups and discussion groups, for email addresses, and anything with an @ sign is usually treated as an address. Munging is a technique used to ensure such programs are unable to pick up your correct address: for example, yourname@example.com might be written as yourname(AT)example(DOT)com. A key factor in munging is to ensure that anybody reading the address can easily work out what the correct address should be; the technique only defeats harvesters that do not recognise the convention.
A process which translates the private IP addresses of a group of computers inside a private network to a single public IP address (or a small pool of them), typically in a router or firewall at the network boundary. Computers outside the private network see only the public address, while those within the network see each system’s unique private address. The main benefit of NAT is that it limits the number of public IP addresses that an organisation needs to use. However, it also enhances security: because every outgoing or incoming packet must pass through the translation process, the device can record each outbound request in a translation table and admit an inbound packet only if it matches a previous request, dropping unsolicited inbound traffic. NAT is not a substitute for a firewall, but the two are usually combined in the same device.
A secret series of characters that enables a user to gain access to a file, computer or program and prevents unauthorised use. It is important that users are encouraged to set passwords that mix upper- and lower-case letters, digits and other symbols in a combination that is difficult to guess, as poorly chosen passwords can compromise the security of the computer system. A password is usually used in conjunction with a user ID. A multi-word passphrase, for example ‘correct horse battery staple’, is preferred over a short complex password: passphrases are easier for people to remember and, because of their length, harder for computers to guess.
A small piece of software that is designed to update or fix problems with a computer program. It will usually be free to download and is intended to be installed on top of the existing program. The patch may be intended as an upgrade to add new features, as a quick repair job to fix a known problem, or as a measure to address an identified security vulnerability with the computer program.
A process that focuses upon the defined methods of identifying and testing various types of code changes to an IT system. The key elements of patch management are maintaining knowledge of available patches together with a record of all code changes and patches that have been applied to a particular system, ensuring that the installation of a patch is performed properly, and running a number of tests after the code changes have been completed. There are a number of products available that automate patch management tasks.
In general IT terms a payload is the actual application data in a packet or file. However, in a security context it is used to describe the harmful result caused by the malicious software content that a virus or Trojan horse executes.
Refers to the use of ‘tiger teams’ or groups of ethical hackers that an organisation can hire to perform a variety of tests on the security of their network. The intention is to identify any potential vulnerabilities in the security of the network (including those that could be exploited by any denial of service attacks) before a potential hacker is able to do so.
An email security program. It is available free of charge on the internet and works on a variety of platforms. It uses public key cryptography and gives users privacy and authentication. Since it was introduced in 1991 it has become somewhat of a standard for encryption on the internet, largely because of its availability.
A scamming practice in which the perpetrator redirects a user from a legitimate website that they intend to visit and leads them to a malicious one. The bogus site to which the user is redirected looks the same as the genuine site and will encourage the user to provide personal information such as a credit card number, bank account number or a password. Once obtained, this can be used for identity theft. One of the more common techniques used in pharming is known as DNS poisoning, in which the domain name system table in a server is modified so that someone who thinks they are accessing a legitimate website is automatically directed toward a fraudulent one without their knowledge or consent.
See also phishing.
Term used to describe the use of bogus emails and websites to trick the user into supplying confidential or personal information. Typically the user receives an email that purports to come from a reputable organisation such as a bank. The email includes what appears to be a link to that organisation’s website. However, if the user follows this link, they are connected to a replica of the website, where they are encouraged to provide personal financial details such as account numbers, PINs or passwords. Once obtained, these details are then used for fraudulent purposes by the hackers who created the bogus site.
The act of illegally breaking into a telephone network, usually with the intention of making free calls or to charge calls to another person’s account. The person who breaks in is referred to as a phreak. Telephone companies have introduced a variety of security safeguards to make phreaking more difficult to achieve.
The term was originally coined to describe the act of stealing data by connecting an Apple iPod to a computer network and downloading information to its internal memory. However, it now also increasingly refers to the use of any other similar portable device with large amounts of memory, such as MP3 players and flash drives, for the same purpose.
A tunnelling protocol, sponsored by Microsoft, that allows organisations to extend their own corporate network through private ‘tunnels’ over the public internet. Effectively an organisation uses a wide area network as a single local area network: it no longer needs to lease its own lines for wide area communication but can use the public networks instead. This kind of interconnection is known as a virtual private network. PPTP is now considered obsolete; its authentication (MS-CHAPv2) and its RC4-based encryption have well-documented weaknesses, and modern VPNs use IPsec- or TLS-based protocols instead.
A server that acts as an intermediary between a company’s internal network and the internet, keeping the two separate. All outward HTTP requests from the internal network pass through the proxy server, and similarly all information retrieved comes back via the proxy server and is then passed back to the client. Benefits of using a proxy server include stopping employees from accessing undesirable websites, improving performance by caching web pages locally, and hiding the internal network’s addresses so that external parties cannot easily map or monitor it.
A framework for creating a secure method of electronically transferring information and funds. This uses cryptography to support a variety of functions, including: the ability to confirm the identity of an individual or company as established by an intermediary (the Certification Authority) who is trusted by your company; the ability to prove that a transaction actually originated with that individual or company so it cannot subsequently be denied (often called non-repudiation); the ability to seal data, such as transactions, to prevent the contents being altered; and the ability to encrypt data to prevent it being seen by unauthorised people. The Certification Authority is the foundation of PKI since it issues and verifies the digital certificates that bind a public key to the identity of the transaction party.
Malicious software that encrypts some or all of the files on the victim’s computer and then demands payment for these to be decrypted. It typically infiltrates the computer as a worm or Trojan horse, often by taking advantage of a security vulnerability. The user is advised that, in essence, the data has been ‘kidnapped’ and that payment is required to ‘release’ it. Once payment has been received and processed, an automated system may send the user the decryption program or provide a key for activating it on the scammer’s website, after which the files can in principle be decrypted. It should be noted that payment of the ransom is no guarantee that the unlock key will be provided, and that paying does nothing to remove whatever access the attacker gained. There have been numerous reports of payments having been made, particularly where the kidnapped data is core to the business, such as a customer database. However, as with real life kidnappings, it is believed that details of many payments have never been revealed. Regularly tested offline backups remain the most reliable defence.
A remote administration tool (also called a remote access Trojan) is a piece of software that allows a remote attacker to control a system as if they had physical access to it. Such software is typically installed on a computer by malware or a Trojan application. Once installed, an attacker could potentially gain access to information stored on the computer and to the local network.
Term usually associated with the increasing practice by spammers of using real email accounts of large legitimate web mail providers with trusted reputations in order to send spam. This involves overcoming the security measures of such web mail providers and creating large numbers of email accounts which are then used to send out massive quantities of spam. Such email is more likely to get through antispam filtering systems as it appears to come from a legitimate and trusted sender address. The term is also sometimes used to describe the hacking of legitimate websites from trusted organisations and causing these sites to invisibly distribute malware to the visitors.
A set of programs or utilities that runs at the lowest level of a computer and takes fundamental control of it without the system user’s authorisation. The key characteristic of a rootkit is that it hides its own presence from the user and from the tools they would use to look for it. Rootkit technology is commonly used for malicious purposes as it enables hackers and virus creators to hide the files they create in order to change system configurations, access log files or monitor activity covertly. However, it has also been used by legitimate vendors, for example manufacturers of digital rights management software.
A security measure used by a computer operating system to isolate individual applications. A sandboxed application has strict limitations placed upon it. These limit what system resources the application can request or access, thereby limiting any potential problems that it may cause to the system. In an anti-virus context, sandboxes can also be used when executable code comes from unknown or untrusted sources, enabling the user to run the untrusted code safely.
A type of malware that is used to trick internet users into purchasing and downloading software that they do not require. Scareware generates pop-up adverts that tell the user there are problems with their PC. Typically these will be virus or registry errors, or claims that the machine is damaged or corrupted. Very often the pop-up resembles a Microsoft window, which can trick the user into believing that their own operating system is generating the message. They are then directed to a download site to purchase the fix, which in some instances can be harmless, but in others is spyware or other form of malware.
A type of scam in which an email from Nigeria, or other overseas country such as Sierra Leone or the Philippines, offers the recipient the ‘opportunity’ to share in a percentage of large amounts of money that the author, a self-proclaimed government official, is trying to transfer illegally out of that country. The recipient is encouraged to send information to the author, such as blank letterhead stationery, bank name and account numbers and other identifying information. In reality, the money does not exist and the victim eventually ends up with nothing but loss. Such schemes originated in Nigeria and violate section 419 of the Nigerian criminal code, hence the ‘section 419 scam’.
A standard cryptography-based protocol for securing online transactions developed by Visa and MasterCard. It is a three-way transaction, with the customer, the merchant and the bank all using the protocol. The customer sets up a valid account and then receives a digital certificate validating their identity. Similarly merchants also need to be certified, being issued with a digital certificate as part of their agreement. Once the price and product information are processed, the merchant verifies the customer’s digital signature and sends the order to the bank with its own certificate and payment information. At the end of the process the bank verifies the merchant’s signature and payment component of the message and then authorises payment so the merchant can fulfil the order.
Software that automates the collection and subsequent analysis of multiple sources of security information and log data from security devices such as firewalls, proxy servers, intrusion detection systems and anti-virus software. A key benefit of this approach to security management is that it provides a holistic view of the organisation’s security activities, making it easier to spot trends and see patterns that are out of the ordinary. It can also help to address compliance requirements as its log management capabilities support the maintenance of an audit trail of activity that is commonly required. The term comes from combining the individual product categories of SIM (security information management) and SEM (security event management).
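A worked example of the correlation described above, added here and not part of the original glossary: a few constructed log lines from two sources (an SSH server and a firewall, in formats assumed for the illustration, with example addresses) are normalised into one event stream, and two rules are run across them: a burst of failed logons from one address followed by a success, and one address being denied on several different ports. The log formats, thresholds and rule names are all assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in the two hypothetical formats
# that the regexes below assume: an sshd authentication log and a firewall log.
SAMPLE_LOGS = """\
2024-03-01T10:00:00Z fw: DENY TCP 203.0.113.7:51000 -> 10.0.0.5:23
2024-03-01T10:00:00Z fw: DENY TCP 203.0.113.7:51001 -> 10.0.0.5:3389
2024-03-01T10:00:00Z fw: DENY TCP 203.0.113.7:51003 -> 10.0.0.5:445
2024-03-01T10:00:00Z fw: ALLOW TCP 203.0.113.7:51002 -> 10.0.0.5:22
2024-03-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51002
2024-03-01T10:00:05Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51003
2024-03-01T10:00:09Z sshd[1201]: Failed password for root from 203.0.113.7 port 51004
2024-03-01T10:00:14Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51005
2024-03-01T10:00:20Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51006
2024-03-01T10:00:30Z fw: ALLOW TCP 198.51.100.9:40000 -> 10.0.0.5:22
2024-03-01T10:00:31Z sshd[1201]: Failed password for alice from 198.51.100.9 port 40000
2024-03-01T10:00:40Z sshd[1201]: Accepted password for alice from 198.51.100.9 port 40001
"""

AUTH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(
    r"^(\S+) fw: (DENY|ALLOW) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+)")


@dataclass
class Event:
    ts: datetime
    source: str      # which log the line came from
    src_ip: str
    kind: str        # auth_fail / auth_ok / fw_deny / fw_allow
    detail: str      # username or destination port


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line: str):
    """Normalise one raw line from either source into a common Event, or None."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, ip = m.groups()
        return Event(_ts(ts), "sshd", ip, "auth_ok" if outcome == "Accepted" else "auth_fail", user)
    m = FW_RE.match(line)
    if m:
        ts, action, ip, port = m.groups()
        return Event(_ts(ts), "fw", ip, "fw_" + action.lower(), port)
    return None


def correlate(lines, fail_threshold=4, window_s=60, scan_ports=3):
    """Run two cross-source rules over the time-ordered event stream; return (rule, src_ip) alerts."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    window = timedelta(seconds=window_s)
    recent_fails = defaultdict(deque)   # src_ip -> timestamps of recent failures
    denied_ports = defaultdict(set)     # src_ip -> distinct ports the firewall denied
    alerts = []
    for e in events:
        if e.kind == "auth_fail":
            q = recent_fails[e.src_ip]
            q.append(e.ts)
            while q and e.ts - q[0] > window:
                q.popleft()
        elif e.kind == "auth_ok":
            # Rule 1: a burst of failures followed by a success = a brute force that worked.
            q = recent_fails[e.src_ip]
            while q and e.ts - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("brute_force_success", e.src_ip))
            q.clear()
        elif e.kind == "fw_deny":
            # Rule 2: the same source probing several blocked ports = a scan.
            denied_ports[e.src_ip].add(e.detail)
            if len(denied_ports[e.src_ip]) == scan_ports:
                alerts.append(("port_scan", e.src_ip))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Neither rule fires on a single source of logs alone in an interesting way; the value is that one normalised stream lets the successful logon be judged in the light of what the firewall saw from the same address moments earlier.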
Term used to describe a situation where an attacker takes over a web session between a user and a web server. The result is that the attacker can masquerade as the authorised user, bypassing the authentication process and gaining unauthorised access to the server. The attack targets the session token that the web server sends to the client browser following a successful logon: the attacker obtains the token either by stealing it, for example by sniffing it from an unencrypted connection, or by guessing it where tokens are predictable. Because most applications authenticate the user only at the start of the session, the attacker is then able to do anything that the user is authorised to do. A man-in-the-middle attack is one common way of capturing the token; defences include long, unpredictable tokens, sending them only over TLS and invalidating them on logout.
Looking over someone’s shoulder when they enter a password or PIN in order to obtain that information. In an office environment this can pose a particular problem when an employee stands over a desk while a colleague enters security details. Outside the office it can be an issue when entering a PIN at a cash machine or a password in a cybercafé.
A type of denial of service attack which exploits known characteristics of the internet protocol (IP) and the internet control message protocol (ICMP). The attacker sends large volumes of ICMP echo request (ping) messages, with the source address forged to be that of the intended victim, to IP broadcast addresses. Every host on each broadcast network replies, so the echo replies are sent to the victim’s address in such volume that they can flood its network and make it unusable for genuine traffic. Configuring routers not to forward directed broadcasts, the default in modern equipment, prevents a network from being used as an amplifier.
A program that monitors data travelling over a network. It can be used as a legitimate network management tool to detect bottlenecks and problems and ensure that traffic flows efficiently. However, it can also be used for illicit purposes, since it may be able to read the data in a packet as well as the source and destination addresses. It can, therefore, be used by a hacker to steal information off a network, and is increasingly used for the purpose of stealing a user’s password or credit card number from unencrypted traffic.
The use of deception and manipulation to gain access to confidential information such as passwords or user IDs. This non-technical approach often relies on the natural helpfulness of people as well as on their weaknesses. Appealing to vanity, authority and greed are all commonly used techniques, as are eavesdropping and shoulder surfing. In many cases the approach also relies upon the victim not being aware of the value of the information that they possess, or being careless about protecting it. It is for these reasons that the dangers posed by social engineering should be clearly spelled out in any corporate security policy.
Junk mail on the internet, usually in the form of unsolicited and unwelcome email messages. The term was originally used most frequently in the context of newsgroups, referring to the same article being posted repeatedly to different newsgroups. It is now increasingly used to describe the sending of bulk email, with addresses provided by companies that specialise in creating email distribution lists. It is generally perceived by the recipient as junk mail (much the same as the unsolicited mail shots that come through our letterbox every day) and is considered poor netiquette. The term is believed to have originated as a reference to the famous Monty Python ‘spam, spam, spam’ sketch where spam is served with everything.
A program that specialises in gathering email addresses in order to build mailing lists that are subsequently used to send spam. It basically follows links and saves any email addresses it finds as it goes along. A spambot usually gathers email addresses from the web, or from newsgroups and discussion groups. A number of specific programs have been written in an attempt to foil spambots. In addition a technique known as munging has been developed to disguise email addresses from spambots.
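An added example, not from the original glossary, that serves both the munging and spambot entries: a naive address-harvesting pattern of the kind a spambot uses, run over a constructed page of text, alongside a munging function and the de-munging step a slightly smarter harvester would add. The sample text and addresses are made up for the illustration.

```python
import re

# A naive harvester: anything shaped like local@domain.tld, which is what the
# spambots described above look for.
HARVEST_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample page text (not real addresses).
SAMPLE_PAGE = """\
Contact alice@example.com for sales.
Support: bob (AT) example (DOT) org
Press: carol(AT)example(DOT)net
Ask on the list at list@lists.example.com
"""


def harvest(text: str) -> list:
    """What a naive spambot would collect from the page."""
    return HARVEST_RE.findall(text)


def mung(address: str) -> str:
    """Rewrite an address so it no longer contains '@' or a dotted domain,
    while staying obvious to a human reader."""
    local, domain = address.split("@", 1)
    return f"{local} (AT) {domain.replace('.', ' (DOT) ')}"


# A slightly smarter harvester that knows the common munging conventions.
DEMUNG_AT = re.compile(r"\s*[\(\[]\s*AT\s*[\)\]]\s*", re.IGNORECASE)
DEMUNG_DOT = re.compile(r"\s*[\(\[]\s*DOT\s*[\)\]]\s*", re.IGNORECASE)


def demung(text: str) -> str:
    """Undo (AT)/(DOT) style munging; this is why munging is only a speed bump."""
    return DEMUNG_DOT.sub(".", DEMUNG_AT.sub("@", text))


def harvest_smart(text: str) -> list:
    """A harvester that de-mungs first picks up the 'protected' addresses too."""
    return harvest(demung(text))


if __name__ == "__main__":
    print("naive harvester:", harvest(SAMPLE_PAGE))
    print("munged:", mung("alice@example.com"))
    print("smarter harvester:", harvest_smart(SAMPLE_PAGE))
```

Munging works against the first harvester and not the second; anything that is easy for a human to undo is also easy to encode in a regular expression, so the technique raises the cost of harvesting rather than preventing it.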
Term used to describe any highly targeted phishing attack. Phishers are now sending more targeted emails to businesses and these are designed to appear as though they were sent by another member of staff at the same company, typically from somebody in authority within the IT or HR departments. The intention is to fool the recipient into revealing their user names or passwords, and so enable the phisher to gain access to confidential data on the company’s IT systems.
Delivery of spam through instant messaging (IM) rather than via the more conventional email messaging. This type of spam is a growing threat, not least because it travels outside the email system and so bypasses email-based anti-spam filtering; it is therefore a relatively easy means of passing on links to viruses and other malware.
A fake blog website that the author has created solely for the purpose of promoting an affiliated website. The content of a splog is essentially an advert for the affiliated website, containing little or no original content and with the intention of boosting the number of visitors to that site or increasing the indexing results arising from web crawlers.
A term used to describe an imposter who is pretending to be someone or something they are not. The most common form of spoofing is the forging of an email header so that the message appears to have come from someone other than the actual source. This approach is frequently used by distributors of spam. However, such messages can also pose security risks if, for example, they claim to be from a financial organisation and request sensitive data such as credit card numbers or bank account details which are then used for criminal purposes. Spoofing is also used to describe the practice of setting up a fake website, with a view to deceiving visitors into believing that it is the authentic site that they were in fact looking for.
Technology that covertly gathers web user information and activity without the user’s knowledge. This information, which can include keystrokes, passwords, and other confidential and private information, is then transmitted to advertisers or other interested parties and can be exploited for marketing purposes or for more malicious uses such as identity theft. A spyware program will usually be installed unintentionally by the user, often by piggybacking on a piece of desirable software.
A type of security attack in which SQL (structured query language) code is added to input data in order to exploit a vulnerability in the database layer of an application. An SQL query is a request for some action to be performed on a database, so the insertion of malicious code into the query enables the attacker to undertake a range of actions. These can include reading sensitive data from the database, modifying database data, executing administration operations on the database and, in some cases, issuing commands to the operating system.
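The vulnerability described above beside its fix, as an added example that is not part of the original glossary: a login check built by string concatenation, which the classic tautology payload turns into a query that matches every user, next to the same check written as a parameterised query, which treats the payload as an ordinary (non-matching) username. It uses Python’s built-in sqlite3 with a constructed in-memory table; the account names and the use of SHA-256 (chosen only to keep the example self-contained, not as a recommended password hash) are assumptions.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Assumption for the demo only: a bare SHA-256 is NOT an acceptable password
    # hash; use bcrypt, scrypt or argon2 in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with sample (not real) accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)")
    for uid, name, pw, role in [(1, "admin", "Adm1n-pass", "admin"), (2, "alice", "alice-pass", "user")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (uid, name, hash_pw(pw), role))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + hash_pw(password) + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver sends values separately from the SQL text,
    so a quote character in the input is just data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, hash_pw(password))).fetchall()


# Classic tautology payload: closes the string literal, adds an always-true
# clause and comments out the password check that follows.
PAYLOAD = "' OR '1'='1' -- "


def usernames(rows: list) -> list:
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload as username:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe, payload as username:      ", login_safe(db, PAYLOAD, "anything"))
    print("safe, valid credentials:        ", login_safe(db, "alice", "alice-pass"))
```

With the payload, the concatenated statement becomes `SELECT ... WHERE username = '' OR '1'='1' -- ' AND pw_hash = '...'`, so every row is returned and the password is never checked; the parameterised version looks for a user literally named `' OR '1'='1' -- ` and finds none.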
A protocol developed by Netscape for transmitting private documents via the internet. SSL creates an encrypted link between a web server and a web browser. The link ensures that all data passed between the web server and browser remains private and tamper-evident, and is indicated by a padlock which appears in the browser window. By convention, URLs that require such a connection start with https: instead of http:. SSL has been superseded by the newer Transport Layer Security (TLS) protocol; all versions of SSL are deprecated and should be disabled, although the two terms are still often used interchangeably.
Often known as dynamic packet filtering, this is a firewall architecture working at the network and transport layers. Rather than judging each packet in isolation on its header fields alone, a stateful firewall keeps a state table of the connections it has seen: an outbound TCP handshake or UDP request creates an entry, and inbound packets are admitted only if they match an existing entry (correct addresses, ports and, for TCP, the expected stage of the connection). Packets that belong to no known connection, or that violate the expected protocol state, are dropped. This keeps unrequested or harmful packets out of the network while still allowing replies to legitimate requests through.
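A small model of the state table that both the NAT entry and the stateful inspection entry above rely on, added here as an example and not part of the original glossary: a port-translating NAT that rewrites outbound packets, records each flow, and admits an inbound packet only when it matches a recorded flow from the same remote endpoint. Packets are plain records rather than real network traffic, and the address ranges, port allocation and matching rule are assumptions made for the illustration (it models endpoint-dependent filtering; real devices vary).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNat:
    """Port-translating NAT with a connection state table (toy model, assumptions noted).

    Outbound packets from the private side are given the public address and a fresh
    public port, and the mapping is recorded. Inbound packets are admitted only if
    they match a recorded mapping from the same remote endpoint; anything else is
    dropped as unsolicited."""

    def __init__(self, public_ip: str, private_prefix: str = "10.0.0.", first_port: int = 40000):
        self.public_ip = public_ip
        self.private_prefix = private_prefix
        self.next_port = first_port
        # (priv_ip, priv_port, remote_ip, remote_port, proto) -> public port
        self.outbound_map = {}
        # (public port, remote_ip, remote_port, proto) -> (priv_ip, priv_port)
        self.inbound_map = {}

    def outbound(self, pkt: Packet):
        """Translate a packet leaving the private network; None if it is not from inside."""
        if not pkt.src_ip.startswith(self.private_prefix):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self.outbound_map.get(key)
        if pub_port is None:
            pub_port = self.next_port          # allocate a new public port for this flow
            self.next_port += 1
            self.outbound_map[key] = pub_port
            self.inbound_map[(pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the internet, or drop it (None) if no state matches."""
        if pkt.dst_ip != self.public_ip:
            return None
        state = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if state is None:
            return None                        # unsolicited: no prior outbound request
        priv_ip, priv_port = state
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

    def state_count(self) -> int:
        return len(self.outbound_map)


if __name__ == "__main__":
    nat = StatefulNat("198.51.100.1")
    out = nat.outbound(Packet("10.0.0.5", 51000, "93.184.216.34", 443))
    print("outbound translated to:", out)
    print("matching reply  ->", nat.inbound(Packet("93.184.216.34", 443, "198.51.100.1", 40000)))
    print("unsolicited     ->", nat.inbound(Packet("203.0.113.9", 443, "198.51.100.1", 40000)))
```

The security property is in `inbound`: an outside host that merely knows the public address and a port number gets nothing back unless an inside host has already opened a flow to that exact host and port.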
The process of monitoring email traffic in order to identify addresses that are sending suspiciously large volumes of email. This can be an indication that the address is being used for the purposes of sending spam.
A software application that directs internet traffic through a free, worldwide, volunteer network of many thousands of relay servers, encrypting it in layers so that no single relay knows both the user and the destination, in order to conceal a user’s identity and location. It is used to reach so-called ‘dark web’ services, including by those engaged in criminal activity, but it is also used by political groups, journalists and others who believe that they are under surveillance.
A program that appears to be legitimate but actually contains another program or block of undesired malicious, destructive code, deliberately disguised and intentionally hidden in a block of desirable code. The Trojan horse program is not itself a virus but a vehicle in which viruses can be concealed.
Term used to describe any authentication mechanism in which a user must present two different kinds of evidence, conventionally ‘something you know’ (a password or PIN) and ‘something you have’ (a physical token); a third kind, ‘something you are’ (a biometric), is sometimes used. A common example is the chip-and-PIN card, where the card is the physical item and the PIN is the number known to the user. Increasingly in e-business the ‘something you have’ is provided by a small token card, a compact electronic device displaying a number on a small screen. By entering this number, which changes frequently, when logging on to a system, the user proves that they are in possession of the card. The use of smartphone applications to generate the code numbers, typically from a shared secret and the current time, is now common.
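The time-based code generation that token cards and smartphone authenticator apps perform, as an added example that is not part of the original glossary: an implementation of HOTP (RFC 4226) and TOTP (RFC 6238) on top of HMAC-SHA1, plus the verification step a server performs with a small clock-drift window. The shared secret is the reference secret from the RFCs’ own test vectors, so the outputs can be checked against them; the base32 helper assumes the unpadded form that authenticator apps are usually provisioned with.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift),
    comparing in constant time so that timing does not leak which digits matched."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(key, unix_time + delta * step, step), code):
            return True
    return False


def to_base32(key: bytes) -> str:
    """Unpadded base32, the form shown in provisioning QR codes (assumption)."""
    return base64.b32encode(key).decode().rstrip("=")


def key_from_base32(secret: str) -> bytes:
    """Decode an authenticator-app secret, tolerating spaces, lower case and missing padding."""
    secret = secret.strip().replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


# Reference secret from RFC 4226 / RFC 6238, used so results match the published test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("provisioning secret:", to_base32(RFC_SECRET))
    print("code for this 30-second step:", totp(RFC_SECRET, time.time()))
```

A replayed code is accepted for at most the window (here three 30-second steps), which is why servers additionally record the last step a user authenticated with and refuse to accept that step again.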
Refers to the ability to centrally manage encryption across all data risk areas, including desktops, laptops, PDAs, USB sticks and other removable media.
Short for user identification. A short string of characters (usually eight or fewer) that identifies a user to a system. User IDs are unique on a given computer or network – no two users can have the same user ID. Commonly used in conjunction with a password for logging-on purposes.
A term originally coined by IDC that describes a comprehensive security product that is designed to provide a range of security solutions in a single integrated package, thereby reducing costs and simplifying the whole process of security systems management and installation. The minimum requirement for a UTM is a firewall, VPN, anti-virus and intrusion detection/prevention. Some UTMs may also provide anti-spam, web content inspection, spyware protection, centralised management, monitoring and logging capabilities. See also XTM.
A special kind of computer program capable of reproducing itself in systems other than the one on which it was created. It spreads across disks and networks by making copies of itself. As it spreads it is said to be infecting the system. It always requires a trigger or external request for execution, and when executed it can produce a range of side effects including serious corruption and destruction in the computers in which it is active.
Term used to describe a type of blended phishing that combines emails or text messages and VoIP. It operates in much the same way as phishing, in that it seeks to persuade the victim to divulge their personal financial details. Commonly, a customer receives an email or text message, apparently sent by their credit card company, explaining that their account has been suspended, deactivated, or terminated. The customer is then asked to reauthorise their card by calling a toll free number. This number leads them (via VoIP) to an automated system in a foreign country that, quite convincingly, asks that they enter their credit card details. The growth of inexpensive VoIP technology has resulted in it becoming increasingly easy for fraudsters to set up these types of phoney operations.
A VPN is a private data network that makes use of the public telecommunications infrastructure. VPNs maintain privacy through the use of tunnelling protocol (which provides a secure point to point ‘tunnel’ for data transfer) and other security procedures, particularly data encryption.
An automated process intended to proactively identify the security vulnerabilities of the computing systems in a network in order to determine if and where a system can be exploited and/or threatened. It employs software that seeks out security flaws based on a database that contains the information required to check a system for known security holes. A report of the findings is generated which can be used to tighten the network’s security. Vulnerability scanning differs from penetration testing in that it looks for known vulnerabilities in a system and reports potential exposures, whereas penetration testing is designed to actually exploit weaknesses in the system architecture or computing environment. Because of the way in which it highlights potential flaws, vulnerability scanning is often used by hackers as well as security professionals.
An appliance, server plug-in or filter that applies rules to HTTP (essentially web server and browser) conversations; it is a form of deep packet inspection (DPI) applied at the application layer. By customising the rules to the application, many attacks, such as SQL injection attempts in request parameters, can be identified and blocked. However, the effort to perform this customisation can be significant and the rules need to be maintained as the application is modified; a WAF is a compensating control rather than a substitute for fixing the application itself. Dedicated devices are available, together with other multifunctional solutions incorporating various security product mixes.
Term used to describe the practice of searching for unsecured wireless LAN (WLAN) signals within a geographic area. While some computer hackers are content to simply map any open, unsecured WLANs they find, others have adopted the practice of war chalking, tagging nearby pavements to allow others to tap in and either steal bandwidth from those networks or attempt to gain access to corporate networks. War driving is a controversial practice but it has, nevertheless, helped raise awareness of some of the basic problems associated with WLAN security.
Rather than attacking an identified victim directly, another approach is to let your ‘prey’ come to you, attacking them passively by gaining control of a trusted third-party website – a so-called ‘watering hole’. The attack itself is made up of three distinct stages:
The attackers gather information about their targeted organisation, in particular the trusted websites often visited by the employees or members of their targeted entity.
The attackers then insert an exploit into the selected site(s).
Once the targeted victims visit the compromised site, the exploit takes advantage of software vulnerabilities, either old or new, to drop malware. The dropped malware is commonly in the form of a remote access Trojan horse which allows the attackers to access sensitive data on the organisation’s host network.
Relying on websites that the group trusts makes this strategy efficient even with groups that are resistant to spear phishing and other forms of more conventional attack.
An ethical hacker who identifies a security weakness in a computer system or network but, instead of taking malicious advantage of it, exposes the weakness in a way that will allow the system’s owners to fix the breach before it can be exploited by others. This contrasts with a black hat who would seek to exploit such a weakness for their own purposes or gain.
A malicious program that replicates itself over a computer network. Worms reside in parts of the operating system that are usually invisible to the user, so they are frequently not noticed until the effects of their propagation consumes system resources to such an extent that tasks are slowed or completely halted.
Stands for Wi-Fi Protected Access 2. It is a security technology commonly used on wireless networks, replacing the original WPA technology in 2006. Based on the IEEE 802.11i standard, WPA2 provides a high level of assurance to users that only authorised users can access their wireless networks.
Specification for incorporating security information into SOAP messages. Developed at OASIS, the WSS specification describes enhancements to the existing SOAP messaging to provide quality of protection through the application of message integrity, message confidentiality, and single message authentication to SOAP messages. These basic mechanisms can be combined in various ways to accommodate building a wide variety of security models using a range of cryptographic technologies. WSS also provides a general-purpose mechanism for associating security tokens with messages. It is designed to support multiple security token formats in order to accommodate a variety of authentication and authorisation mechanisms.
A development of the UTM (unified threat management) approach to security, which combines fast throughput with advanced networking features to handle high volume traffic. The XTM system approach is suitable for 50-10,000 or more users. XTM expands on the UTM approach in three key areas: more security features, greater networking capabilities and more management flexibility.
A virus or other type of malware that takes advantage of a newly discovered vulnerability in a program or operating system on the same day that the vulnerability has become generally known and before the software developer has made a fix available, or even before they are actually aware that the vulnerability exists. Typically, when security researchers find a vulnerability or hole in some piece of software, they announce it, and then the software developer in question works on a fix as quickly as possible. However, increasingly often, attacks take place before the fixes are in place.
Term used to describe a computer system, typically connected to a broadband connection, that is maliciously infected by some form of remote control software without the owner’s knowledge. Zombies are often used in a co-ordinated attack to launch an overwhelming number of requests towards a website, which is then unable to service legitimate requests from its users. This is also known as a distributed denial-of-service attack.
See also bot-infected computer.