Rob Slade's Dictionary Errata Page

(maintained by Rob Slade)
This is version 1.15, completed
You may have visited here before and found the full dictionary. The dictionary has now been published, by Syngress Publishing as the "Dictionary of Information Security" with a real ISBN (1-59749-115-2) and pages and everything. You can get it from Syngress, or from Amazon US or Amazon UK or Amazon Canada. And other places as well, for all I know. If you want the full dictionary (and I hope you do) you'll have to get the print version.

What is going to be here is the errata page. This is where I will be posting updates and corrections as I maintain the dictionary. This glossary is still very much "in process," as is the field of information security itself. Please report any errors, or terms you think should be added, to Rob Slade.

I was recently interviewed about the book by Martin McKeay for his security podcast. The interview is in episode 37.

This glossary update, in hypertext format, is maintained at Victoria TelecommunityNet. Not all the links will work at this time, since this is not the full dictionary. (Rather ironically, as I make more corrections, more of the links will start to work :-) For those links that don't work, you'll have to look the targets up in the print version.

Announcements in regard to the glossary are made through the secgloss mailing list via eGroups/Yahoo Groups. You can subscribe by email. For more information you can view the Website.

(1) HyperText Transfer Protocol code indicating that the file specified is correct and has been found
(2) the minor section of the Sarbanes-Oxley Act (SOX) with implications for information security

(1) HyperText Transfer Protocol code indicating that the file specified is incorrect and has not been found, and that the user is a clueless idiot
(2) the major section of the Sarbanes-Oxley Act (SOX) with implications for information security

(1) circumstance in which higher level information (which may be thought to be subject to a higher level of security clearance) may be inferred from a large number of lower level data items. As a result, a collection of information items may require classification at a higher security level than any of the individual items that comprise it. Specifically addressed in database security, but also an issue in espionage and counterintelligence.
(2) situation where a single event may affect multiple entities, or may have multiple effects, particularly where the effects build on each other

sequence of steps needed to solve logical or mathematical problems. Algorithm is, at heart, just a fancier word for procedure. In security, the term usually refers to cryptographic algorithms used in encryption or decryption of data files and messages and to create digital signatures, but it may also refer to pattern matching in virus or intrusion detection which does not rely on the use of a simple scan string (see signature).

application level proxy
firewall system in which service is provided by processes that maintain state and sequencing, but which may also examine the contents of the data and the implications for the requested process. Application level proxies may be considered the most secure of firewalls, but at a cost in terms of performance and memory. In addition, these systems are application specific, so a proxy must be provided for each service run, and should be backstopped by a more general packet filter in order to prevent system intrusions. See also proxy server.

attack surface
interfaces, resources, and system components exposed to threat or potential compromise

attack tree
representation, often in graphical form, of an attack outcome (such as obtaining access to a system), and the various means or routes that might be used to accomplish the outcome. Attack trees may become quite complex, detailing additional routes towards the postulated means to the ultimate end, and sometimes assessing the cost or work factor (in various elements) of the differing routes. Attack trees may also be used in a reverse direction, examining a given exploit or vulnerability and noting the possible attack outcomes that may arise from it. Also known as attack graphs or threat trees.

audit program
checklist of tasks to be performed during an audit. Note that many audit programs derive from structures and assumptions intended for financial auditing, and that these may not be sufficient for dealing with complex information systems.

(1) the process of verifying identity, origin, or lack of modification of a subject or object. Authentication of a user is generally based on something the user knows (generally a password), is (biometric identification), or has (often a token).
(2) the use of some kind of system to ensure that a file or message which purports to come from a given individual or company actually does. Many authentication systems are now looking towards public key encryption, and the calculation of a check based upon the contents of the file or message as well as a password or key. Related concepts are change detection and integrity.

authentication token
portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. These may include paper-based lists of one-time passwords.

backhoe degradation
degradation, on a communications channel, generally refers to the attenuation of the signal, or the addition of noise and potential corruption of the signal. Backhoe degradation refers to 100% attenuation of the signal when some person of low intellectual capacity fails to check out the location of underground cables before they start digging ditches.

acronym for Broken As Designed, said of a program that is useless because of bad design rather than bugs. See also flaw.

(1) situation of a system either in normal operation, or at a particular point in time. Generally this is measured by an image or calculation taken on a system at a given moment. (2) a fundamental or minimal requirement of system performance or operation, usually in regard to the security policy

Bayesian analysis
form of statistical analysis currently very popular as a type of spam filter. A Bayesian filter is quite simple for users to operate, and accommodates individual differences of tolerance for spam, since it relies on the user providing the system with samples of spam and legitimate email messages. Once the user has "trained" the system, it may only need minor tuning over time. Unfortunately, management of Bayesian filtering for a large population of users may have extensive management, storage, and processing requirements.

best practice
(1) the gold standard for security buzzphrases. In fact, there was an extended discussion on the use of the phrase "best practice" on the CISSPforum in July of 2005. The implication of best practice is that it is an optimum procedure for most situations, although it may also imply a practice that works in every situation, or a minimum standard. It was, however, noted that "best practice" is never a guarantee or panacea. Other phrases discussed were standard practice (what most people do), essential practice (what should be done as an absolute minimum), and leading practice (what the "best" companies do). (2) in an attempt to keep this phrase off the scrap heap, GH has proposed that it is "to align security controls with risks that are relevant to the context of the organization."

black box
(1) component or module in a system the exact operations of which are not known. Military encryption frequently relies upon black boxes so that the user does not have knowledge of the encryption algorithm or key being used. However, the use of black boxes relies on design secrecy and is a form of security by obscurity. In addition, in the case of failure or replacement of black box components, there may be unknown functions and dependencies with unknown implications for the system. (2) type of testing that assumes nothing is known about the device or module in question. Specially crafted probes or input are imposed upon the unit and the resulting output, response, or affects are noted. Very similar in concept to the ciphertext-only attack in cryptanalysis.

spam filtering technology based on the identification of individuals or domains known to send spam. Blacklists are somewhat controversial since false claims may be made against a domain as a form of denial of service. Compare with whitelist.

to send a message (usually text, but sounds and graphics are also possible) to a cellular phone or other mobile device using the Bluetooth wireless network protocol and service. Despite the similarity to the term hijacking, bluejacking is not involved in intrusion or obtaining illicit access to the device. Bluejack messages may also be used for social engineering in order to convince a mobile user to "pair" or associate the user's device with that being used for a bluesnarf attack.

to obtain or download information; such as contact lists, calendar data, message data, and notes; from a Bluetooth wireless enabled mobile device without the consent or knowledge of the user or owner of the device. By default, most such devices are set to be "discoverable," have no protection enabled, and are vulnerable to having all information remotely retrieved. In additon, some recent attacks are more active, gaining access to the services and resources of the target device.

conflation of blot out and purge. A file or record that has been blurged Definitely Can Not Be Seen And Is Not There Any More. (Attributed to Verity Stob.) See also enron, erasure, and overwrite procedure.

bot, a term derived from robot, is used to refer to automated programs performing some task, usually in regard to network communications. The term was first used for automated greeters or servers on Internet Relay Chat (IRC) channels. Bots can perform a variety of services, good or bad. Botnets are collections of such programs, dedicated to a specific purpose, and usually negative. Botnets are usually formed by the spread of some kind of malware. The first botnets were generally zombie clients in a DDoS network, but more recently botnets have been turned to a variety of purposes, such as the use of spambotnets to distribute spam. Botnets composed of RATs are highly flexible, and can be turned to any programmable use.
RATs and zombies provide an interesting example of an error in the use of technical terminology. Traditionally, the program run on the naive user's computer, or the computer that is running such a program, has been referred to as a client, particularly when it is part of a botnet. Technically, however, the RAT or zombie agent program is providing a service at the request of the malicious controller. Therefore, properly the controller would be the client, and the controlled user computer (and the software running on it) would be the server. However, this correct usage is almost never followed.

substance surrounding users that stops intelligent ideas from penetrating, and held to be responsible for the difficulty of creating effective security awareness programs. The bozone layer shows no signs of breaking down, even with the increase in cloroflorocarbon compounds. Indeed, anecdotal reports indicate an increase in density of the bozone layer in the presence of hairspray.

browser chrome
see chrome

check value or code, placed in a location likely to suffer from a buffer overflow, which can be periodically tested for changes. Real canaries, susceptible to pollutants in the air, were once used in mines (particularly in coal mining) as early warning detectors for gases in the air or a lack of oxygen. In the same way software canaries may detect improper modifications, usually by dying. See also honeytoken.

process of converting data which can have multiple representations into a single form. In most of the fields of information technology, canonicalization refers to procedures for ensuring, for example, that all date fields are in the same format, but it has numerous implications for security. When computing a crytographic checksum, digest, or hash result for a document, the same text file will give different results if stored on a Windows system, which uses a carriage return/line feed pair at then end of each line, rather than a UNIX system, which terminates each line with a line feed character only. In addition, when filtering for spam, directory traversal commands, or escape codes for SQL injection attacks and the like, the signature characters can be represented in a number of ways, and so all of these forms must be included in checking. See also malformed input and Unicode attack.

acronym for Completely Automated Public Turing test to tell Computers and Humans Apart (trademarked by Carnegie Mellon University). The term may also refer to the fact that it is catching or capturing automated submissions to a system. Generally a captcha (although it is an acronym, in common use it is most frequently seen in lower case) is a series of characters that are presented in an image that it distorted or obscured, thus making it difficult for computers to parse, but relatively easy for humans to read. This affords a means for online signup forms to quickly determine whether then entry is being made by a person or an automated agent or bot. CAPTCHAs are not foolproof: there are a number of ways for systems to spoof the system, but it will tend to slow automated submissions. Text-only forms of the concept exist in the variant spellings and use of alternate characters ("l8r" for "[see you] later") used in text messages and "leetspeak" (see B1FF).

cat bonds
abbreviation of catastrophe bonds, a financial instrument that can be used as a form of insurance or risk transference. In one form of cat bond, the bond would be issued yielding a higher than normal rate, thus collecting a pool of capital. If the projected disaster occurs, then the capital raised (the principal of the bond) is returned to the entity affected and issuing the bond. Cat bonds are used to protect against large disasters and may form part of a disaster recovery plan: rather than a single insurance company insuring many entities, a single entity would collect a large pool of capital from a sizable number of insurers (the purchasers of the bond).

certificate chaining
under a public key infrastructure (PKI) not every key will be directly digitally signed by the certification authority (CA). The central CA may use certain keys to sign keys for various registration authorities, and these, in turn, may sign keys for use by various offices or companies. Therfore, it is likely that a given certificate may have a chain of signatures and public keys attached to it, all verified by the CA key and signature at the end of the chain.

the comprehensive evaluation of the technical and nontechnical security features of a system and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meet a specified set of security requirements. At times design alone is sufficient: note that Evaluation Assurance Levels (EAL) 1 to 4 of the Common Criteria require only design approval. Note that certification has no relation to an asymmetric key encryption certificate, or the related authorities and lists.

chain of custody
documentation of the handling and preservation of evidence from the time it was collected until presented in court, proving who had access to the material, and that it has not been altered or modified. Also known as chain of evidence.

framing material around a window on a computer screen, particularly a browser window. Window chrome is comprised of frames, menus, toolbars, and scroll bars. Browser chrome may involve the URL (Uniform Resource Locator) address box, security indicators (such as the padlock symbol that indicates an active SSL (Secure Sockets Layer) session, and the status bar (which often indicates the URK for a link). Phishing sites now use "fake chrome" which spoofs the chrome that would be displayed on a legitimate site. For example, a borderless window can be created to exactly overlay the URL address box, showing the address of a legitimate site, and hiding the fact that the user is actually communicating with a phishing site.

cipher lock
type of keyless, physical lock accessed by entering numbers or characters on a keypad

authorization for a subject, (generally a user) to access sensitive information or other system resources. Whereas a subject or user is assigned a clearance, an object or data is given a sensitivity label.
(Although security people have been talking about clearance since Peter Denning was in short pants, it seems that nobody has ever gotten around to defining it. In my research, I couldn't find a single definition of clearance, although some defined security clearance [the process of making sure people had the right clearance] and clearance level [the level that gives the proper amount of clearance]. The closest was in the original version of "Computer Security Basics," which said that it was the sensitivity label assigned to a subject. So, if you don't like my definition, too bad: it's the only one you've got.)

system entity that requests and uses a service or resource provided by another system entity (the server)
RATs and zombies provide an interesting example of an error in the use of technical terminology. Traditionally, the program run on the naive user's computer, or the computer that is running such a program, has been referred to as a client, particularly when it is part of a botnet. Technically, however, the RAT or zombie agent program is providing a service at the request of the malicious controller. Therefore, properly the controller would be the client, and the controlled user computer (and the software running on it) would be the client. However, this correct usage is almost never followed.

set of coupled computers that can be viewed and operated as a single computing entity. Clustering technologies are beneficial for availability (with an inherent component of redundancy), load balancing, and performance. (Note that while Microsoft does have a limited clustering technology, it also has two additional products or functions, both going by the cluster name, which are more properly designated as fail over technologies.)

code entropy
tendency of programming code for a given system to fragment and disintegrate over time, generally due to additions and modifications, as well as changes to the specifications of the system overall. Proper change management can mitigate, but not completely eliminate, code entropy.

code of ethics
statement of the ethics, moral principles, or behaviour of an organzation. Often equated with code of conduct, although there is a subtle difference between the two: a code of ethics is teleological in nature (outlining the goals, principles, or guidelines of the enterprise) whereas a code of conduct is deontological (noting actions to be taken or avoided and specific standards).

code orange
based upon the colour-coded threat levels promulgated by the United States Department of Homeland Security (DHS), the phrase "code orange," or "another code orange day," has become a reference to the futility of raising an alarm, without giving details of the specific threat to be faced. See also security theatre. (Phrase attributed to Bruce Shneier.)

(1) being in conformance with a certain standard
(2) during 2005, and particularly following the passage of the Gramm- Leach-Bliley (GLB, financial services) and Sarbannes-Oxley (SOX, reporting of information for public companies) Acts in the United States, corporations became obsessed with ensuring "compliance." Since these pieces of legislation were new, and untested in the courts (and also since the legislation basically reiterated the requirements for due care, and due diligence, which were already established principles in law), there were no codified standards to follow. This increased interest in various security frameworks such as British Standard 7799 and the various related systems, and other auditing related documents such as COSO and Basel II. Predictably, various security consultants made a fortune.

concurrent engineering
another new term in engineering and development circles. Throw all your models of the system development lifecycle out the window: the latest rage is doing all the phases at once. We've seen that before: it used to be called "code first, design later," and it's what got us into our current mess. OK, I'm willing to assume that "concurrent engineering" has some formality behind what initially looks like chaos, but it sounds very complex, and complexity is the enemy of security.

concurrent sign-on
provision for allowing a single user identity to be signed on to a system multiple times, or from multiple locations. While an advantage for availability this function may create numerous problems in terms of access control.

Committee Of Sponsoring Organizations of the Treadway Commission, and particularly the set of standards in regard to fraudulent reporting of financial information for publicly traded companies

acronym for Commercial-Off-The-Shelf, a principle of design for using only commonly available components in a system, rather than custom- designed parts. COTS is felt to increase resilience, since commercially available items generally have multiple suppliers. (COTS is also held to reduce costs over systems designed with custom-made parts.) However, COTS may provide opportunities for an adversary to analyze the components of your system, and COTS is no guarantee of availability if the parts are determined, by commercial manufacturers, to be obsolete in current systems. The term is originally from the United States military, but now commonly used.

covert channel
communications channel that allows the transfer of information in a manner that violates the system's security policy, generally violating confidentiality. More specifically, a means of information leaking from a system via a channel not normally considered a communications medium. Covert channels are considered to be of two major types, covert storage channels, and covert timing channels. Synonymous with confinement channel, although the latter term is infrequently used. See also information flow control and security flow analysis.

covert storage channel
covert channel that involves the direct or indirect writing of a storage location (usually memory or disk space) by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a resource (such as sectors on a disk, or uncleared memory) that is shared by two subjects at different security levels. See also object reuse and residue.

covert timing channel
covert channel in which one process signals information to another by modulating its own use of system resources (for example CPU time) in such a way that this manipulation affects the real response time observed by the second process, or where an outside process observes an effect that provides evidence of an activity which cannot be directly observed. See also emanations, jitterbug, and non-inference model.

cross-site request forgery (CSRF)
type of malformed input attack that exploits the authorization, permission, or trust that a particular Web server may give to a specific user. In a CSRF attack, a malicious server will use some form of social engineering to get a user to click on a particular link (generally by appearing to be a legitimate server, or possibly via cross-site scripting). Unlike a phishing attack, which would ask the user to enter identification and authentication data, clicking on the link will send login or session data previously stored on the user (client) machine by the legitimate server. The malicious server then recrafts the request sent by the user, along with the login, session, or other data that is required by the legitimate server, and can then submit a request or command to the legitimate server.

cross-site scripting (XSS)
term is used to describe a number of vulnerabilities, usually related to scripted content on a Web page (often JavaScript), and possibly involving multiple sites. In one form, a malicious Web page could contain a link to a page on the client machine in an attempt to have the browser (such as Internet Explorer) run the script or other malicious active content with elevated permissions. (In this case only the browser on the client machine and the content on the Web server are involved, and no additional site is needed.) In a second form of XSS, a page on a malicious server may contain a link to a page on a legitimate server, where the page on the legitimate server may respond to specifically crafted active content submitted by the malicious server when the user merely clicks the link on their client browser. The fact that two servers are involved may not be apparent to the user, who may only perceive a relation to the legitimate server. (There is little agreement as to the significance of this type of attack.) A third type of XSS relies on systems which store input from users without sanity checks or filters for later display to other users, such as online message boards or comments fields on blogs (Web logs or diaries). If the input contains HTML code or active content, various types of attacks or social engineering can be mounted. See also incomplete parameter checking. Cross-site request forgeries use similarly malformed input and techniques.
Because of the variety of forms XXS can take, controls or countermeasures against such attacks will vary depending upon the particular form or exploit. A general safeguard is the same origin policy.

cumulative incremental backup
see differential backup

dancing pigs
given a choice between dancing pigs and security, users will choose dancing pigs every time - Ed Felten

data leak protection (DLP)
marketing term which came to prominence in late 2006. Depending upon the vendor you speak with, data leak protection may be used to refer to an intrusion detection system, intrusion prevention system, cache cleaning, egress scanning, egress content scanning, various technologies to prevent data from being moved to removable storage or external devices, technologies to encrypt data being sent via network applications or moved to removable storage, remote access (generally known, in this contaxt, as network access or admission control), or plain old access control (particularly in relation to database applications). Even when you know what kind of "data leak protection" is being offered there are still numbers of questions to be asked about the technology. For example, if a system does egress content scanning, how does one specify the content to be checked, how broadly does the scanning apply if wording is changed, what network applications can be accommodated, if improper or covert channels can be detected and handled, can the system handle removable storage (and what types), what data file formats can be accommodated, and how readily can the system deal with encryption. This term is therefore almost completely undefined, and should not be used. This term is therefore almost completely undefined, and should not be used. The term is also closely tied to the equally fuzzy endpoint security.

Deep Crack
multiprocessor computer purpose built to perform a brute force attack on the Data Encryption Standard. The development was led by John Gilmore and Paul Kocher, financed with $250,000 from the Electronic Frontier Foundation, and won the RSA Laboratories DES II challenge in July of 1998. The computer had roughly 36,000 application specific processors (depending upon configuration).

study of ethics of duty, specifying particular actions to be taken or avoided. Codes of conduct are generally deontological in nature. See also teleology.

(n) plan, pattern, or set of directions for the creation of a system, component, or project, or
(v) to create such a plan. In project management methodologies, the design phase is generally preceded by the specification of requirements, and is followed by implementation at the level of creation of a working entity. Design is a more abstract level of detail than implementation, but less so than architecture.

directory traversal
publicly available files on Web servers are very often separated from system or private files only be being kept in a separate directory. Therefore, adversaries may attempt to submit HTTP requests containing the indications for the root directory of the server (typically a slash character) or "parent directory" (usually two periods) in order to traverse from the public directory to one with more interesting files.

choice and inclusion of various technologies, both in terms of security and general information systems. The use of diversity is problematic: it eliminates single points of failure through redundancy and therefore builds resilience and availability, but it adds complexity, which may create difficulties with integrity and confidentiality. See also monoculture.

drinking the koolaid
commonly, a slang term referring to the uncritical, and perhaps irrational, acceptance of an assumption which may not be valid, particularly where such acceptance or belief may lead to danger or risk. In information security, this refers specifically to an attitude which refuses to acknowledge the existence of a threat, or, particularly, an unjustified belief that a specific technical control may prevent any attack or exploit.

drive by download
software and linking code on a Website programmed in such a manner that the software is loaded on to a user's machine when the user merely visits or browses the site, or performs some normal action. Generally the software is adware, spyware, RATs or other malware. Most drive by downloads rely on the user having permissions set too leniently (permission is set to allow installation of software or upgrades without notifying the user), taking advantage of exploits in browser software, or the use of ActiveX, JavaScript, or other active content. Due to the functional linking of email and Web browser software, drive by downloads may also be installed via specially crafted email messages.

egress scanning
in the traditional view of security, we tend to see ourselves as the inhabitants of a bastion host, with all the dangers on the outside. Given the variety of possibilities for the introduction of malware, it is wise to scan traffic that is leaving our system, to determine if we are, unknowingly, attacking other systems. This can also be used as a generic indication of an infection in our own system.

elliptic curve cryptography (ECC)
type of asymmetric cryptography based on mathematics of groups that are defined by the points on a curve. The most efficient implementation of ECC is claimed to be stronger per bit of key length than any other known form of asymmetric cryptography. ECC was known as a possible encryption problem quite early, but was felt to be too difficult for implementation on a computer. However, it turned out to be surprisingly easy, and also very fast, particularly in small hardware systems. ECC can be used to produce all applications of asymmetric cryptography: an algorithm for key agreement (that is an analog of Diffie-Hellman), encryption, and digital signature. Given the various advantages of EEC it will probably be the major asymmetric algorithm in future.

endpoint security
term relating to the relatively recent recognition that most security technologies are aimed at protecting large or centralized systems, or systems within a security perimeter, and that the endpoints; leaf nodes or user interfacing devices; are often vulnerable. Endpoints are generally taken to be desktops, laptops, PDAs (Personal Digital Assistants), or high functioning cellular phones. Endpoint security is poorly defined, being primarily a marketing term, but is usually associated more with assurance than provision of security, and is therefore sometimes referred to as endpoint compliance. Two vendor initiatives; Network Admission Control (NAC) and Network Access Protection (NAP); relate to the concept and are often used as synonyms.

complete destruction of data, usually in large quantities, often in reference to data that can be used as evidence. Can be used as a noun ("be careful not to format the mail server disk and pull an enron on us") or verb ("make sure you enron everything in the shredding bin before you leave.") A reference to the energy company and the auditors working for them in the wake of the discovery of financial irregularities. See also blurge, degauss, overwrite procedure and residue.

environmental controls
used by information systems auditors to refer to administrative controls, but loosely defined to include contracting issues, and possibly general operations procedures as well

escape rate
based the assumption that errors are going to be missed in any process, this is the attempt to keep those errors below a threshhold established on the basis of the importance of the item under production. This is consistent with our risk management on the basis of classification and criticality of the asset under protection.

Evaluation Assurance Level (EAL)
one of seven standard, defined levels of testing within the Common Criteria, specified in Part 3 of the Criteria

information or objects lending credibility to a certain interpretation of events. In regard to forensics, often specifically tied to the identification of the person responsible for a given activity. In regard to digital forensics, note that there are definite limitations on evidence in regard to relevance, legal admissibility, and in particular the protection and chain of custody.

(1) error condition generated by hardware or software. Developers must consider possible errors and exceptions to normal operation, and provide exception handling, often through special software modules known as exception handlers. Failure to address exceptions may result in bugs such as buffer overflows. Less critical types of exception handling may involve protection of data integrity, such as sanity checking. (Thanks, Fred.)
(2) anomaly in operations for which an exemption or waiver from certain policies, procedures, or standards must be made for business reasons. Overall organizational policy should address the need for exceptions, and should have guidelines and procedures for dealing with them.

federated identity management
basically a new marketing term for single sign-on

filtering router
internetwork router that selectively prevents the passage of data packets according to a security policy. A filtering router may be used as a firewall or part of a firewall. Also referred to as a screening router. More recently both terms have been subsumed under the term packet filter.

fire point
in fire protection terminology, the temperature at which fire is sustained, or material will spontaneously flash into fire. This is different from the flash point, the temperature at which material will briefly ignite if exposed to open flame. (Note also that we are talking about actual flames, not email flames.)

secured system passing and examining traffic between an internal trusted network and an external untrusted network such as the Internet. Firewalls can be used to detect, prevent, or mitigate certain types of network attack. There are many types of firewall, such as the packet filter (otherwise known as a filtering router or screening router), stateful inspection, or a proxy server, of which there are two types, the circuit level proxy (such as SOCKS or network address translation) and the application level proxy or application level gateway.

flash point
in fire protection terminology, the temperature at which material will briefly ignite if exposed to open flame. This is different from the fire point, the temperature at which fire is sustained, or material will spontaneously flash into fire. Note that this definition is in some contradiction to the common understanding of flash point. (Note also that we are talking about actual flames, not email flames.)

denial of service attack crafted using broadcast addresses and a spoofed origin address for a UDP (User Datagram Protocol) echo (ping) packet. See also smurfing.

submitting packets or data of varying size or content in order to solicit information, response, or reaction from a system, which can tehn be used to determine internals structures, operations, or vulnerabilities. A type of black box testing, which term is more commonly known and used. (Fuzzing, as a term, is currently confined to a small community of those performing software forensics or software penetration testing.) See also brute force.

homograph attack
spoofing attack and a form of social engineering intended to fool users into believing they are contacting a legitimate Website (or other entity) instead of a malicious site. Those mounting this type of attack will typical create domain names with characters that look like the written form (homograph) of legitimate domains. For example, the digit one (1) or exclamation mark (!) may be used in place of the lowercase letter "l": thus sites like or paypa!.com may appear similar to In addition, some sites may be created using versions of the Unicode attack to create domains with ideographic characters that are similar to those of legitimate sites.

in a sense, an inverted honeypot. Instead of acting like a host computer, and accepting activity from malicious users, a honeyclient acts like a user, and submits apparently normal requests to a suspicious site, collecting any indications of unfriendly activity, such as a drive by download. Also known as a honey monkey, which runs on virtual machines, actively mimicking the actions of a user surfing the Web. Honeyclient operations bear a strong resemblence to Webbot (also known as Web crawler or Web spider) agents that support Web search engines, except that honeyclients may have additional features (such as random delays or occasional typing errors) to mimic the behaviour of a person, as opposed to an automated function.

honeypot built to appear to be an entire collection or variety of systems, or a system of honeypots and intrusion detection systems designed to collect information on a broader scale than a single honeypot can manage

a value used to detect misuse. In a sense, a canary is a form of honeytoken, although a honeytoken is more usually thought of in terms of intrusion detection. Books, particularly dictionaries, maybe even dictionaries of information security, frequently contain misinformation or even disinformation in order to detect when someone copies or plagiarises material.

in both project management and application development literature, two possible definitions are found for this term:
(1) phase of the system development or project process in which the detailed specifications are translated into actual system components (following design, and prior to testing) or
(2) phase of the system development or project process in which the completed component or system is translated from development into production, prior to operation. At this point in the project process there are a number of security considerations to fulfill: for example, permissions and privileges for the development team must be revoked, and those for operations put in place. (In project methodologies using implementation in this second sense, the phase of creation of components or systems is generally known as development.)
Please note that care must be taken to specify which of the two possible meanings for this term are being used when writing about the development process, as the implications differ significantly.

instant messaging (IM)
real-time text based communication, sometimes known as "chat" (the standard Internet form is known as Internet Relay Chat or IRC). IM is an extremely popular but informal means of communication. Due to its immediacy and popularity, it has also started to be used for business communications. Most forms of IM have little or no means of authentication. In addition, most applications have functions that will allow for remote submission of files, remote installation of software, and distribution of private data. Many users are unaware of these functions, or their extent. In addition, most IM applications have functions for avoiding detection by network scanning software, as well as functions for passing data through firewalls. Instant messaging should be considered very carefully in terms of policies and acceptable use by employees.

in its current usage, Information Security Management System, and particularly the acronym ISMS, appears to have been popularized by British Standard 7799 and its descendent standards, such as ISO 17799 and the 27000 family. The use of this term tends to indicate a BS 7799 influence.

International Organization for Standardization, group responsible for many international standards, particularly in communications: a number relate to security such as ISO 9000 (on quality) and the ISO 17799 security guideline. You will note that the name of the organization does not fit the acronym. Legend has it that, since the body was international in nature, it would be unfair to have the name in a particular language, and therefore the acronym ISO was derived from the Greek word "isos" (which means equal) so that no language would have an expansion that fit. (Many English-speakers refer, incorrectly, to the "International Standards Organization.")

variation in delay or latency. Real-time communications systems are generally tolerant of latency, but intolerant of jitter.

form of covert timing channel which can be used to signal information from a system by making minor variations in the delay or latency between transmitted packets

joe job
in general terms, a joe job is an attack based upon an annoying activity carried out under a spoofed identity. Thus any retaliation or responses to the annoyance are directed at the spoofed identity, rather than the attacker. In some situations the reaction to the annoyance is sufficient to contitute a denial of service. Smurfing uses a similar concept. Most joe jobs involve spam in some way, and many spammers will utilize an address from their harvested lists, knowing that any bounces from porrly managed mail servers will reply to that address, rather than the spammer or the mail relay being used.
Despite the appropriateness of the name, it appears that the term "joe job" comes from the first use of the phrase in relation to an attack on, and the owner, Joe Doll.

Kahn's Maxim
Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one could break. (Since this certainty of security usually rests in some "secret trick," it is in violation of Kerckhoffs' Law.)

Kerckhoffs' Law
also known as Kerckhoffs' principle, assumption, or axiom, states that a cryptosystem or cryptographic algorithm must be secure even if all its inner workings, and everything about it (saving only the key) is known. Originally stated (by Auguste Kerckhoffs in the 19th century) that a system "must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience." Compare with security by obscurity.

keyless encryption
cryptographic hash or digest process which provides one way encryption without the use of any key or cryptovariable

keyword filter
spam filtering technology based on specific words commonly used in spam but not in normal email messages. Keyword filtering is difficult to tune effectively: filtering on the word "breast" will likely eliminate some forms of pornographic spam, but would also trap messages about breast cancer or someone forwarding Clement C. Moore's "A Visit from St. Nicholas" to you ("The moon on the breast of the new-fallen snow" and all that). (Of course, depending upon how you feel about chain letters, that may be what you wanted.) Spammers avoid keyword filtering by placing spaces (or non-displaying characters) between letters in common keywords, using "!33tspeak" variant spellings (see B1FF), or using graphics.

label-based access control LBAC
if you see the odd reference to this term, it is a reference to mandatory access control, which matches the sensitivity label of the object against the clearance of the subject. (If you see LBAC occasionally used as lattice-based access control, this is a careless reference to formal, abstract security lattice models, not access systems as such.)

(1) delay or period between transmission and receipt of data, or between a command to, and response from, a system. Variation in latency is known as jitter.
(2) situation where a system may be penetrated but some time may elapse between the penetration and further activity. This term is generally used in connection with malware such as viruses and worms. A virus with a long latent period may have time to reproduce and spread further before an overt payload renders detection likely. On the other hand, since viruses in the wild are regularly detected within hours of release, a latent period may simply ensure that the virus is eliminated before it has a chance to trigger.

Linus's Law
given enough eyeballs, all bugs are shallow. (Term attributed to Eric S. Raymond.)

Luhn formula
version of checksum, or a simplistic form of cyclic redundancy check, used to test the validity of credit card, Canadian Social Insurance, Australian Tax File and other similar types of identification numbers. Also known as a "Mod 10" check. The Luhn formula is not a cryptographic checksum, and is easily spoofed, and therefore electronic commerce sites which only rely on the Mod 10 check, and do not use other means of authentication may be subject to fraud.

malformed input
data submitted to a system that is formulated incorrectly, and sometimes maliciously so. In particular, malformed input refers to symbols submitted as data, but which can be interpreted or executed as program code. Special attack instances of malformed input are buffer overflow, cross-site request forgery, cross-site scripting, the ping of death, SQL injection, and Unicode attack. Controls against malformed input are proper design, proper exception handling, filters, penetration testing and sanity checks. See also incomplete parameter checking.

characteristic of a cryptosystem where changes to the ciphertext result in meaningful or apparently reasonable modifications to the plaintext. In cryptanalysis this can be used to mount an attack against the integrity of a cryptographic authentication system.

sometimes referred to as carrying out a legal act illegally. In contract law it may refer to partial fulfillment of an agreement. This is in some oppostion to malfeasance, commonly considered to be any wrongdoing.

mix network
attempt to defeat tracing and traffic analysis by using a chain of proxy servers. Each message layer is specifically encrypted to each proxy; the resulting encryption is layered like an onion. Even if all but one of the proxies are compromised the message transit cannot be fully traced. Also called mix cascade. See also onion routing.

term used in a 2003 paper by Dan Geer (and others), noting the danger inherent in basing a large infrastructure on a single technology. Similar to the danger in having entire crops and food sources based on a single species, a monoculture has limited resilience and is susceptible to a single point of failure. (Food crops based on a single species have been destroyed by a single crop disease: infrastructures based on, for example, a single operating system may face widespread failure due to a single variety of network worm.) Creation of diversity in acceptable technologies helps build redundancy.

mosaic problem
similar to aggregation, a situation in which sensitive information may be determined from a collection of pieces of data which are either classified at a lower security level, or which have been carelessly left without sufficient protection. This term is more frequently used in espionage and counterintelligence than in data security. See also aggregation problem.

based on the term used for those who are paid for, or fooled or coerced into transporting illicit drugs, in the infosec world mules (sometimes referred to as money mules) are those who assist in the laundering of illegal profits from fraud, phishing, identity theft, or other activities. Mules in money laundering rings are generally recruited by advertisements for "work at home" jobs with unrealistically high wages. They may not be told what the work entails, other than "reshipping" or money forwarding, although it should be easy enough to figure out that something that sounds too good to be true probably is. However, some mules are simply defrauded themselves, never paid for their functions, and left as cut-outs with the evidence for illegal activies pointing squarely at them.

multilevel security
having, or capable of dealing with, data or programs of differing sensitivity, or differing requirements in respect of confidentiality, integrity, or availability. This would appear to be obvious in terms of most modern operating systems, but it should be ntoed that not all platforms are suitable for multilevel security.

Murphy's Law
commonly stated as "If anything can go wrong it will." This fatalistic sentiment is, in fact, a corruption of the original assertion, by engineer Edward A. Murphy, Jr. in 1949, that if you design a system or component that a technician (or user) can connect (or use) improperly, at some point they will. If the world can misunderstand your famous quote, it will.
In fact, the story of Murhpy's Law is even more convoluted. While Murphy was undoubtedly and by all accounts the person who made the statement that inspired the law, the formulation of the law itself may have come from George Nichols, an engineer on United States Air Force project MX981 (research into deceleration and the human body), or it may have been a collaborative effort by his engineering team. Another candidate for the formal statement of the law, and certainly the man who promulgated it to the wider world, is John Paul Stapp, an officer and medical doctor in charge of the project. (He was known for the creation of pithy aphorisms.) Stapp used himself as a test subject in the research, and was instrumental in using the data gathered to push for seatbelts in automobiles, and other safety features. An article outlining some of the people involved was written by Nick Spark, and published in the September/October 2003 edition of the Annals of Improbable Research (volume 9, number 5). If the world can confuse the origin of your famous quote, it will.

Network Access Protection (NAP)
see endpoint security

network address translation (NAT)
means to allow a network to use one set of IP addresses (usually non-routable) for internal traffic and a second set of addresses for external traffic. NAT may be used as a circuit level proxy server or firewall, often re-addressing traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host. The NAT server changes the source address, and usually also the port, of outgoing packets from the internal to the external address and reverses it for packets returning. NAT can be used to map a large number of computers onto a small assigned address space, but also hides the internal structure of the network from attackers and probes.

Network Admission Control (NAC)
see endpoint security

node authentication
authentication of a machine or device, rather than the user operating it. Regardless of the clearance or permission level of a user, certain operations may be restricted unless the individual is connecting via the proper node, such as a console terminal. In addition, network or other devices operating under certain levels of trust will need authentication even in the absence of user involvement.

specialized form of non-inference model in which in can be proven that a subject with low clearance cannot know, with certainty, what input a user with high clearance is making. In practical terms nondeducibility is of little value, since it is possible, under the model, for a low clearance user to be relatively confident without knowing for sure.

null cipher
(1) cryptographic mode, key, or cryptovariable which does not result in alteration or hiding of the plaintext. Used in testing, debugging, or for compatibility with a receiver that may not have decryption capabilities. (2) combining characters or bits of the plaintext with non-message data to hide the plaintext without transposing, substituting, scrambling or enciphering data. A form of steganography. (3) in classical cryptography a null is intended to confuse the cryptanalyst. Typically, a null will be a character or block which decrypts to obvious nonsense at the end of an otherwise intelligible phrase or block of data. In a null cipher, most of the characters may be nulls. (4) use of the Ceasar Cipher with a letter shift of zero, which the Romans considered suitable for export.

object reuse
reassignment and reuse of a storage medium (e.g., page frame, disk sector, magnetic tape) that once contained one or more objects. To be securely reused and assigned to a new subject, storage media must contain no residual data (including magnetic remanence) from the object(s) previously contained in the media.

packet filter
(1) one of the simplest forms of a firewall, a packet filter accepts or rejects traffic based on source and destination addresses, and possibly the type of traffic. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to specific security policy. The policy is implemented by rules loaded into the router. The rules mostly involve values of data packet control fields, especially source and destination addresses, protocol fields, and port numbers. Sometimes also known as a filtering router or screening router.
(2) specific rule implemented in a filtering router or screening router

Parker Parameter
85.4, also known as the "experts' number." This number can be used in any situation to bolster any argument: after all, 85.4% of all statistics are made up on the spot. 85.4 is sufficiently large to be convincing (with being so large as to lack credibility), the digits are random enough not to appear to have been planned, and the three significant digits adds a feeling of accuracy (without being so precise as to arouse suspicion.

private or secret character string used to authenticate an identity. Passwords, or sometimes passphrases, are the most commonly implemented form of authenticator, being the primary example of something the user (and presumably nobody else) knows. However, it is widely understood among security professionals that users make very bad decisions in choosing secure passwords. Users do not seem to realize that commonly known information about them; such as a birthdate, spouse's name, or favourite pet; is not a good choice for a "secret" password.

password space
total number of possible (unique) passwords that can be created by a given password generation scheme. See also key space.

patch management
formal process for testing, approving, distributing, and applying patches (modifications or corrections to existing and operating software). Because patches may involve security fixes, and there is an increasingly dangerous window of vulnerability between the time a vlunerability is discovered and the time the patch is made available or applied, some firms may have specific policies or procedures to shorten or waive the testing and approval period in the case of security specific patches. This circumvention would not normally be a part of change management.

United States law granting special powers to law enforcement and the intelligence agencies in relation to activities and subjects suspected of being involved in terrorism. The name PATRIOT is an acronym for Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. There is controversy regarding to extent to which the act abrogates the right to privacy.

Plan, Do, Check, Act, an acronym for the four basic parts of any work or planning cycle. Sometimes referred to as the "Deming Model," after the process control and management cycle seminars created and delivered by W. Edwards Deming. Change management, System Development Methodologies, and other project management process often follow the PDCA structure.

network troubleshooting utility designed to provide an automatic response (echo) if the addressed system is active and connected. Ping has, however, been misused in a number of attacks such as fraggle, smurf, and the ping of death, as well as tools such as the ping sweep which are used to identify machines to be probed for vulnerabilities. Some references state that ping is an acronym for Packet INternet Groper but this seems to be an expansion created after the fact. The name was probably chosen in reference to sonar pings: the originator of the utility worked for the military.

organizational-level rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures. Policies are supported by more detailed baselines, guidelines, procedures, and standards. See also compliance, exception, and waiver.

a storm of popup windows generated by Websites advertising pornographic content. As quickly as one is deleted, another pops up. Dealing with this nuisance is not easy, and usually requires knowledgable use of Task Manager, or similar level system utilities, to stop.

port knocking
sending packets to ports in a specific sequence. This can be used to communicate in a non-obvious manner, and therefore might lead to a covert channel of the covert timing channel type. In network security this process may be used to unlock a given port or provide access. It may, therefore, be used as a form of authentication, but is observable, and is therefore possibly security by obscurity.

form of social engineering using spoofing and the pretext or pretence of being a legitimate customer or authority, usually in an attempt to get a company to disclose information that can be utilized for identity theft. One of the sillier additions to the security lexicon during 2006, since we already have perfectly valid terms to describe the practice.

proxy server
computer attached to two or more networks, providing service to more than one client or server as if to a single machine. Most often used to connect multiple machines on a local area network to a public network such as the Internet. Often used as a type of firewall since the proxy server can be hardened or used to examine data content, and attacks will be directed against the proxy server rather than the actual servers behind it. There are usually considered to be two types of proxy servers in relation to firewalls, the application level proxy and the circuit level proxy, such as network address translation or SOCKS. Compare with packet filter.

race condition
(1) flaw in a system where the output may be inconsistent, dependending upon the relative timing of events, particularly processes operating in parallel. The term and concept originates from electronics, and particularly the design of logic circuits. Also known as a race hazard. See also TOC/TOU.
(2) when the track is dry, the weather is cool, and most of the NASCAR drivers are sober - RJ

rainbow table
specially constructed database of one way encryption or hash results applied to a statistically chosen subset of all possible passwords, that allows quick lookup, or lookup and calculation, that will reveal a given password. The table is formulated from the result of brute force calculations, but, once created, can be used to minimize the necessary time and processing of the password attack.

RAT (Remote Access Trojan)
program designed to provide access to, and control over, a network- attached computer from a remote computer or location, in effect providing a backdoor. Interestingly, RATs are often described, by their creators, as "Remote Administration Tools" in an attempt to present them as legitimate utility software. The distinction between valid remote tools and RATs generally lies in the provisions for RATs to be installed without the direct knowledge of the user or operator of the computer to be controlled, and additional functions to announce the installation of the RAT, and the address of the computer being controlled, to public venues such as Usenet newsgroups and IRC (Internet Relay Chat).
RATs and zombies provide an interesting example of an error in the use of technical terminology. Traditionally, the program run on the naive user's computer, or the computer that is running such a program, has been referred to as a client, particularly when it is part of a botnet. Technically, however, the RAT or zombie agent program is providing a service at the request of the malicious controller. Therefore, properly the controller would be the client, and the controlled user computer (and the software running on it) would be the client. However, this correct usage is almost never followed.

regression bug
bug or flaw which appears in a formerly functional program, system, or application after a change is made. Even with rigorous change control and change management security fixes or patches often produce regression bugs.

regression test
comparison of operation of the original, or working, version of an application with a modified version, in order to assess issues of compatibility, or unexpected operations not specified in the change management process. Regression tests may also be part of a patch management procedure.

return on testing RoT
we've always just assumed that you need to test. Apparently that isn't a valid assumption any more. Management is now asking for business cases to justify any test protocols and procedures. Well, I suppose we have always preached the gospel of cost-benefit analysis, too, but isn't there a point at which the cost of producing business cases for every single activity outweighs the benefit of doing the cost/benefit? Especially in regard to "best practices"? (Then again, I hate that term, too, so ...)

Richards' Laws of Data Security
(1) Don't buy a computer.
(2) If you do buy a computer, don't turn it on.
These laws were determined and formalized by Jeff Richards while he was at Simon Fraser University. They are similar in intent to the assertion made by Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security, to the effect that "[t]he only system that is truly secure is one that is switched off and unplugged, locked in a titanium safe, buried in a concrete vault on the bottom of the sea and surrounded by very highly paid armed guards. Even then I wouldn't bet on it."

role-based access control (RBAC)
method of access control management whereby the level of clearance and permission is primarily determined by the job or role that the individual fulfills in the organization. RBAC may also be used in partial form or a hybrid situation where other access control factors come into play. Originally RBAC was seen in application to mandatory access control systems, but it is now frequently implemented via the group facility in discretionary access control. Generally speaking the acronym RBAC is used in reference to role-based access control rather than rule-based access control.

rule-based access control
system of access control implemented by sets of rules. Rule-based access control can be implemented in a number of ways and at a number of levels of complexity. For example, an access control list is a very simple implementation of rule-based access control with a single rule: is the requested permsission on the list. Content-based access control may have an extremely complex set of rules.
Due to the similarity of names, many see rule-based access control and role-based access control as opposites, in the same way that discretionary access control and mandatory access control divide the access control field. This is a mistake, since rule-based access control deals with implementation and granularity, while role-based access control addresses access control management.

same origin policy
technical security policy requiring that a Web document or script from one origin not obtain or modify settings of a document from a different origin. "Origin" is defined to include the domain name or address, protocol, and specific port. This safeguard can help protect against cross-site scripting attacks. While this limited form of control is implemented in most browsers, the concept may be extended to a more general policy requiring all items on a given Web page to be from a given origin. However, this latter, broader standard is widely disregarded in electronic commerce, where pages may contain items from a variety of sources. This practice makes cross-site scripting, phishing, and other attacks more likely.

security framework
used in a variety of ways, but in 2006 it came to be used as an aggregate term for the various documents, from a variety of sources, that give specific advice on topics related to information systems security. Some of these are information security guidelines such as British Standard 7799, auditing outlines such as CObIT, or the (free) "Self-Assessment Questionnaire" prepared by the United States National Institute of Standards and Technology (NIST). Others are preipherally related, such as the Common Criteria on specifications and evaluation. Still others are more tenuously connected, such as the advice on fraudulent financial reporting from COSO.

security information management (SIM)
vaguely defined term, which started to be used in 2005, primarily for marketing purposes. Systems referred to as SIMs were generally either vulnerability scanners or related to intrusion detection systems and their alerting functions. Related terms are security event management (SEM) and security event information management (SEIM). Without further definition it is recommended that these terms not be used.

security policy
(1) set of laws, regulations, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. Usually there is an overall and general policy, backed up by more detailed baselines, guidelines, procedures, and standards. (2) a technical implementation and set of controls enforcing the general policy. This latter definition is that used in most vendor manuals.

security theatre
highly visible security measures which have little protective effect. The term is meant to indicate that some supposed safeguards are intended only to demonstrate that "something is being done," even if the control is ineffective against a particular threat, as well as being annoying and possibly counterproductive. See also code orange. (Term attributed to Bruce Schneier.)

software forensics
analysis of source or object code, or other executable entities, for indications of author identity, cultural affiliations, plagiarism, or malicious functions. A broader overview than code analysis or forensic programming and one of the major sections of digital forensics.

software token
despite the implication of execution in the term, a software token is a piece of data granting authorization to use a resource, and sometimes also used for authentication. See also ticket-oriented.

Spaf's First Principle of Security Administration
if you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong

spam filter
any of a number of technologies intended to automate the identification of spam as distinct from legitimate email messages, and reduce the requirement for user consideration and action. Common spam filtering technologies are Bayesian analysis, blacklist, keyword filter, sender identification (of which the most widely promoted is SPF, and whitelist.

specialized type of botnet, used to distribute spam. Spambotnets are very useful to spammers, since each compromised machine acts as its own mail server, and thus there is no single mail server that can be tracked and shut down. In addition, the computers in the spambotnet are usually geographically and (network) topologically dispersed, and therefore can deliver a flood of messages quite quickly.
Spambotnets were, after DDoS zombies, the first of the major botnet groups, and many were created by virus writers (vxers) in 2003. Vx groups still have a major relationship to spambotnets, and use the spambotnets to send out new versions of viruses, in order to create further spambotnets.

spear phishing
phishing attacks targeted to a select group of individuals, usually within a company, rather than the generic messages that are spammed indiscriminately to a large mass of addresses. Since phishers use mass spam address lists that may contain any addresses, you may receive phishing solicitations from an institution that you do not deal with, or which may not even exist in your location, and these will be ignored by most recipients. Spear phishing messages have a higher probability of relating to an institution that the recipient does deal with. However, spear phishing, and the work necessary to identify the target audience, is a lot of work, so the activity is relatively rare.

SPF allows the owner of a domain to specify and publish their mail sending policy, specifically which mail servers they use to send mail from their domain. Another mail server receiving a message claiming to come from that domain may then check whether the message complies with the domain's stated policy. If the message comes from an unknown server, it can be considered spam. In terms of spam filtering, SPF has promise, but relies on administration by both sender and receiver. SPF is currently held to stand for Sender Policy Framework, but was previously Sender Permitted Form.

SQL injection
malformed input attack using commands or queries crafted in the Structured Query Language (SQL). Web servers, and particularly electronic commerce sites, are frequently supported by back end databases, and use SQL statements to build pages to display to the user, or to create transactions and orders. Generally the Web requests transmit the SQL statements, and therefore the commands are visible to anyone who cares to examine the data stream. Adversaries are able to create their own requests, either to probe the system, or, based upon the command structure they observe, request data which is not provided in the programmed options. Using escape sequences, adversaries may also be able to submit commands to the underlying platform.

acronym and mnemonic for some of the major types of information system attacks, spoofing, tampering, repudiation, information (disclosure), DoS (denial of service), and elevation or escalation of privilege or permission

strong star property
later extension suggested to the Bell-La Padula security model for use in database situations, limiting reading and writing to the subject's own security level. Since the model was restricted to considerations of confidentiality, allowing write access to records at a higher classification could lead to inadvertant overwriting of sensitive records, and a potential problem of integrity or availability. Usage rare.

(1) a sticky situation that entraps or immobilizes the entity involved. Various security systems are described as tarballs. See also tarpit (2) refers to a tape archive with full set of files, usually for software distribution

study of ethics of purpose or general principle rather than particular duties or behaviour. The ethical philosophy of utilitarianism, which is commonly (if simplistically) described as "the greatest good to the greatest number," is teleological. Codes of ethics are generally teleological in nature. See also deontology.

Transport Layer Security (TLS)
Internet standard, application agnostic end-to-end encryption based on the Secure Sockets Layer protocol

(n) deliberately inflammatory message generally posted to a newsgroup, mailing list, or other forum where the reaction will be negative (such as one extolling dogs posted to rec.pets.cats, or one praising cats posted to rec.pets.dogs) solely in an attempt to create furor and reaction, or
(v) the posting of such a message. See also flame. The term trolling is probably the inspiration for the creation of the terms phishing and vishing.

Unicode attack
any of a variety of attacks that use the Unicode data representation scheme to obfuscate commands or parameters. Unicode representations, normally used to present non-Latin alphabet characters, may not be displayed properly to users, or may be displayed properly but have a difference in the underlying data that has an implication that the user may not understand. (For example, the lowercase letter "a" is normally represented in hexadecimal notation as value 61 or 0061, but can also be represented as value FF41. To the user they would look the same, but digital devices would perceive a difference and possibly act differently on the data.) In addition filters may not be programmed to deal properly with Unicode representation and may miss attack signatures. Unicode representation may be used to avoid spam filtering or may be used to spoof legitimate sites in phishing attacks. However, the greatest danger is conceived to be the obfuscation of data or commands (and thus malformed input) related to directory traversal or SQL injection attacks.
Because of the use of variant symbols which may be mistaken for other characters, and thus possibly false identification of a site, Unicode attacks are sometimes held to be a special case of homograph or homographic attacks, although the latter terms are not widely used at present. In addition, homographic does not fully relate to the obfuscation function which Unicode attacks may also use.

virtual machine
program, operating on one hardware platform or operating system, which gives the functional appearance of another hardware platform or operating system, including and particularly in terms of execution of programs. Virtual machines (sometimes called emulators) have many uses in normal system operations (such as running diverse applications, programmed for different platforms, on a single machine). In regard to security, virtual machines may be used to present a false impression of a machine to an adversary (see honeypot and pseudo flaw) or may be used to test software (possibly malware) in an environment where escape or actual damage is restricted (see sandbox).

process or software separating a specific system from the underlying infrastructure or implementation details. Since most vendors use this term in relation to software products, this is essentially what used to be known, particularly in terms of database systems and database backed Websites, as middleware.

obtaining authentication, identity, or personal data by fraudulent requests via telephone (voice) rather than email or Websites (see phishing). Vishing is voice (over IP) phishing and usually uses VoIP technology.

(Voice over Internet Protocol) the currently popular term for the sending of real-time, two-way voice traffic over the TCP/IP packet network, previously known as Internet telephony, and sometimes H.323 (after a signalling and call setup protocol). The importance to security is multifaceted. First, VoIP brings together both data network and telephony security concerns. (Telephony service is one of the few areas where simple use can create a direct cost to the company.) Also, with the rising popularity of VoIP many vendors are more concerned with adding functions to their products than testing for security. VoIP systems and gateways also do not have the same determination of endpoints, and so caller-ID and Automatic Number Identification systems may not provide reliable information. (This situation will undoubtedly become even more problematic with the recent production of cellular telephones which can establish links over WiFi/wireless LAN connections.) VoIP is frequently used for telemarketing, particularly fraudulently, since the cost of the calls is low (or possibly non- existent if an unsecured gateway is found) and VoIP works well with automated voice systems.

Wired Equivalent Privacy (and not, as is frequently misstated, Wireless Encryption Protocol). WEP is a protocol for the encryption of wireless LAN traffic, for those using the 802.11 range of networking protocols. The correct name is actually well chosen: a wired LAN is hard to get at but once you can make a physical connection you can see all the traffic, whereas a wireless LAN is easy to read but the traffic is encrypted. Unfortunately, WEP is badly flawed and subject to various forms of cryptanalytic attack. The newer WPA is more secure.

spam filtering technology based upon denial of all messages other than those from approved origins. The inverse of blacklist. Whitelisting can be defeated by spambotnets where addresses are harvested from the compromised machines and the user of the machine is identified as the sender: presumably that sender has already been verified to the whitelist. In addition, whitelist addresses should never be subscribed to mailing lists lists since the bounces and requests for verification from the whitelist are annoying to the members of the mailing list and may lead to a mail storm.

data connection without a physical link, using radio frequency transmission or other means of communication. Note that the term wireless is used both for connections using cellular telephone technology (usually to enable Internet connectivity) and for the local area networking using the 802.11 range of protocols or Bluetooth. (This is confused even further by the fact that many cell phones also use Bluetooth, sometimes even for intra-phone communications and messaging.) However, wireless LANs are now commonly using the term WiFi for computer-to-computer networking.
Wireless technologies of all types present a number of security issues, primarily due to the fact that most of these technologies are broadcast, and present the ultimate in promiscuous networks. Encryption is generally seen as the answer to all these problems, despite the fact that most systems use link encryption rather than end-to-end encryption. In addition, the most widely implemented encryption standard, WEP, is badly flawed, although the newer WPA and WPA2 are more secure.

Wi-Fi Protected Access. WPA is a subset of the security aspects of the 802.11i wireless networking protocol. Using a per-packet, rather than a static, encryption key, it is more resistant to attack than is WEP. WPA2 is the full implementation of the 802.11i standard and uses a stronger encryption algorithm.

specialized type of backdoor or remote access program designed as the agent, or client (middle layer) component of a DDoS (Distributed Denial of Service) network. Once a zombie is installed on a computer, it identifies itself to a master computer, and then waits for instructions from the master computer. Upon receipt of instructions from the master computer, a number of zombie machines will send attack packets to a target computer. Zombie may refer to the control program run to control one of the middle layer computers, or it may refer to a computer so controlled. See also RAT.
RATs and zombies provide an interesting example of an error in the use of technical terminology. Traditionally, the program run on the naive user's computer, or the computer that is running such a program, has been referred to as a client, particularly when it is part of a botnet. Technically, however, the RAT or zombie agent program is providing a service at the request of the malicious controller. Therefore, properly the controller would be the client, and the controlled user computer (and the software running on it) would be the client. However, this correct usage is almost never followed.

HyperText version Book Review Index (may take a while to load)

Book reviews main topic menu