Rob Slade's Dictionary Errata Page
(maintained by Rob Slade)
This is version 1.15, completed
You may have visited here before and found the full dictionary. The
dictionary has now been published, by
Syngress Publishing as the "Dictionary
of Information Security" with a real ISBN (1-59749-115-2) and pages
and everything. You can get it from Syngress, or from Amazon US, Amazon
UK, or Amazon Canada. And other places as well, for all I know. If you
want the full dictionary (and I hope you do) you'll have to get the
print version.
What is going to be here is the errata page. This is where I will be
posting updates and corrections as I maintain the dictionary. This
glossary is still very much "in process," as is the field of
information security itself. Please report any errors, or terms you
think should be added, to
Rob Slade.
I was recently interviewed about the book by Martin McKeay for his
security podcast. The interview is in episode 37.
This glossary update, in hypertext format, is maintained at Victoria
TelecommunityNet. Not all the links will work at this time, since
this is not the full dictionary. (Rather ironically, as I make more
corrections, more of the links will start to work :-) For those
links that don't work, you'll have to look the targets up in the print
version.
Announcements in regard to the glossary are made through the secgloss
mailing list via eGroups/Yahoo Groups. You can subscribe by email. For
more information you can view the Website.
302
(1) HyperText Transfer Protocol code indicating that the file
specified is correct and has been found
(2) the minor section of the Sarbanes-Oxley Act (SOX) with
implications for information security
404
(1) HyperText Transfer Protocol code indicating that the file
specified is incorrect and has not been found, and that the
user is a clueless idiot
(2) the major section of the Sarbanes-Oxley Act (SOX) with
implications for information security
aggregation
(1) circumstance in which higher level information (which may be
thought to be subject to a higher level of security clearance) may be
inferred from a large number of lower level data items. As a result,
a collection of information items may require classification at a
higher security level than any of the individual items that comprise
it. Specifically addressed in database security, but also an issue in
espionage and counterintelligence.
(2) situation where a single event may affect multiple entities, or
may have multiple effects, particularly where the effects build on
each other
algorithm
sequence of steps needed to solve logical or mathematical problems.
Algorithm is, at heart, just a fancier word for
procedure.
In security, the term usually refers to
cryptographic algorithms used in
encryption or
decryption of data files and messages and to
create digital signatures, but it may
also refer to pattern matching in virus or
intrusion detection which
does not rely on the use of a simple scan string (see
signature).
application level proxy
firewall system in which service is provided
by processes that maintain state and sequencing, but which may also
examine the contents of the data and the implications for the
requested process. Application level proxies may be considered the
most secure of firewalls, but at a cost in terms of performance and
memory. In addition, these systems are application specific, so a
proxy must be provided for each service run, and should be backstopped
by a more general packet filter in order
to prevent system intrusions. See also proxy
server.
attack surface
interfaces, resources, and system components exposed to
threat or potential
compromise
attack tree
representation, often in graphical form, of an
attack outcome (such as obtaining access to a
system), and the various means or routes that might be used to
accomplish the outcome. Attack trees may become quite complex,
detailing additional routes towards the postulated means to the
ultimate end, and sometimes assessing the cost or
work factor (in various elements) of the
differing routes. Attack trees may also be used in a reverse
direction, examining a given exploit or
vulnerability and noting the possible
attack outcomes that may arise from it. Also known as attack graphs
or threat trees.
audit program
checklist of tasks to be performed during an
audit. Note that many audit programs derive from
structures and assumptions intended for financial auditing, and that
these may not be sufficient for dealing with complex information
systems.
authentication
(1) the process of verifying identity, origin, or lack of modification
of a subject or object.
Authentication of a user is generally based on something the user
knows (generally a password), is
(biometric
identification), or has (often a
token).
(2) the use of some kind of system to ensure that a file or message
which purports to come from a given individual or company actually
does. Many authentication systems are now looking towards public key
encryption, and the calculation of a check based upon the contents of
the file or message as well as a password or key. Related concepts
are change detection and
integrity.
authentication token
portable device used for authenticating a user.
Authentication
tokens operate by
challenge/response, time-based code
sequences, or other techniques. These may include paper-based lists
of one-time passwords.
backhoe degradation
degradation, on a communications channel, generally refers to the
attenuation of the signal, or the addition of
noise and potential corruption of the signal.
Backhoe degradation refers to 100% attenuation of the signal when some
person of low intellectual capacity fails to check out the location of
underground cables before they start digging ditches.
BAD
acronym for Broken As Designed, said of a program that is useless
because of bad design rather than bugs. See also
flaw.
baseline
(1) situation of a system either in normal operation, or at a
particular point in time. Generally this is measured by an image or
calculation taken on a system at a given moment.
(2) a fundamental or minimal requirement of system performance or
operation, usually in regard to the security
policy
Bayesian analysis
form of statistical analysis currently very popular as a type of
spam filter. A Bayesian filter is quite
simple for users to operate, and accommodates
individual differences of tolerance for spam,
since it relies on the user providing the system with samples of spam
and legitimate email messages. Once the user has "trained" the
system, it may only need minor tuning over time. Unfortunately,
management of Bayesian filtering for a large population of users may
have extensive management, storage, and processing requirements.
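An added example (not from the dictionary) of the training and scoring the entry describes: a naive Bayesian filter learns per-word odds from user-supplied spam and legitimate samples, then scores new messages. The sample messages are constructed for the example, and the filter assumes the user supplies roughly equal numbers of each kind.

```python
import math
import re
from collections import Counter

# Constructed training samples, standing in for the spam and legitimate
# messages a user hands the filter while "training" it.
SPAM_SAMPLES = [
    "cheap watches online buy now limited offer",
    "win a free prize click now to claim your money",
    "buy cheap pills online free shipping offer",
    "congratulations you win money claim your prize now",
]
HAM_SAMPLES = [
    "meeting tomorrow at ten to review the audit findings",
    "please send the revised security policy before friday",
    "lunch on thursday to discuss the incident report",
    "the firewall change window is scheduled for saturday",
]


def tokenize(text):
    """Lower-case word tokens; the filter only looks at which words occur."""
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesianFilter:
    """Naive Bayes spam filter trained from labelled sample messages."""

    def __init__(self):
        self.spam_words = Counter()  # number of spam messages containing a word
        self.ham_words = Counter()   # number of legitimate messages containing a word
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        words = set(tokenize(text))  # count each word once per message
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def word_spam_probability(self, word):
        # P(word|spam) and P(word|ham) with add-one (Laplace) smoothing, so a
        # word seen in only one class cannot force the score to exactly 0 or 1,
        # and a word never seen at all scores a neutral 0.5.
        p_ws = (self.spam_words[word] + 1) / (self.spam_msgs + 2)
        p_wh = (self.ham_words[word] + 1) / (self.ham_msgs + 2)
        return p_ws / (p_ws + p_wh)

    def spam_score(self, text):
        """Combine the per-word probabilities in log-odds space; returns P(spam)."""
        # Prior from the training mix; zero when the user supplied equal numbers.
        log_odds = math.log((self.spam_msgs + 1) / (self.ham_msgs + 1))
        for word in set(tokenize(text)):
            p = self.word_spam_probability(word)
            log_odds += math.log(p) - math.log(1 - p)
        return 1 / (1 + math.exp(-log_odds))

    def is_spam(self, text, threshold=0.9):
        # The threshold is the per-user tolerance knob the entry mentions.
        return self.spam_score(text) >= threshold


def build_trained_filter():
    """Train a filter on the constructed samples above."""
    f = BayesianFilter()
    for msg in SPAM_SAMPLES:
        f.train(msg, True)
    for msg in HAM_SAMPLES:
        f.train(msg, False)
    return f


if __name__ == "__main__":
    f = build_trained_filter()
    for msg in ("free money offer click now",
                "please review the audit report before the meeting"):
        print(round(f.spam_score(msg), 4), f.is_spam(msg), "|", msg)
```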
best practice
(1) the gold standard for security
buzzphrases. In fact, there was an extended discussion on the use of
the phrase "best practice" on the CISSPforum in July of 2005. The
implication of best practice is that it is an optimum procedure for
most situations, although it may also imply a practice that works in
every situation, or a minimum standard. It was, however, noted that
"best practice" is never a guarantee or panacea. Other phrases
discussed were standard practice (what most people do), essential
practice (what should be done as an absolute minimum), and leading
practice (what the "best" companies do).
(2) in an attempt to keep this phrase off the scrap heap, GH has
proposed that it is "to align security
controls with risks that
are relevant to the context of the organization."
black box
(1) component or module in a system the exact operations of which are
not known. Military encryption frequently
relies upon black boxes so that the user does not
have knowledge of the encryption
algorithm or key being used. However, the use
of black boxes relies on design secrecy and is a form of
security by obscurity. In
addition, in the case of failure or replacement of black box
components, there may be unknown functions and
dependencies with unknown implications for
the system.
(2) type of testing that assumes nothing is known about the device or
module in question. Specially crafted probes or input are imposed
upon the unit and the resulting output, response, or affects are
noted. Very similar in concept to the
ciphertext-only attack in
cryptanalysis.
blacklist
spam filtering technology based on the
identification of individuals or domains known to send spam.
Blacklists are somewhat controversial since false claims may be made
against a domain as a form of denial of
service. Compare with whitelist.
bluejack
to send a message (usually text, but sounds and graphics are also
possible) to a cellular phone or other mobile device using the
Bluetooth wireless network protocol and
service. Despite the similarity to the term
hijacking, bluejacking is not involved in
intrusion or obtaining illicit access to the
device. Bluejack messages may also be used for
social engineering in order to
convince a mobile user to "pair" or associate the
user's device with that being used for a
bluesnarf attack.
bluesnarf
to obtain or download information (such as contact lists, calendar
data, message data, and notes) from a Bluetooth
wireless enabled mobile device without the
consent or knowledge of the user or owner of the device. By default,
most such devices are set to be "discoverable," have no protection
enabled, and are vulnerable to having all information remotely
retrieved. In addition, some recent attacks are
more active, gaining access to the services and
resources of the target device.
blurge
conflation of blot out and purge. A file or record that has been
blurged Definitely Can Not Be Seen And Is Not There Any More.
(Attributed to Verity Stob.) See also enron,
erasure, and
overwrite procedure.
botnet
bot, a term derived from robot, is used to refer to automated programs
performing some task, usually in regard to network communications.
The term was first used for automated greeters or servers on Internet
Relay Chat (IRC) channels. Bots can perform a variety of services,
good or bad. Botnets are collections of such programs, dedicated to a
specific purpose, and usually negative. Botnets are usually formed by
the spread of some kind of malware. The first
botnets were generally zombie
clients in a DDoS network,
but more recently botnets have been turned to a variety of purposes,
such as the use of spambotnets to distribute
spam. Botnets composed of RATs
are highly flexible, and can be turned to any programmable use.
RATs and zombies provide an interesting example of
an error in the use of technical terminology. Traditionally, the
program run on the naive user's computer, or the computer that is
running such a program, has been referred to as a
client, particularly when it is part of a
botnet. Technically, however, the RAT or zombie agent program is
providing a service at the request of the malicious controller.
Therefore, properly the controller would be the client, and the
controlled user computer (and the software running on it) would be the
server. However, this correct usage is almost never followed.
bozone
substance surrounding users that stops intelligent
ideas from penetrating, and held to be responsible for the difficulty
of creating effective security awareness programs. The bozone layer
shows no signs of breaking down, even with the increase in
chlorofluorocarbon compounds. Indeed, anecdotal reports indicate an
increase in density of the bozone layer in the presence of hairspray.
browser chrome
see chrome
canary
check value or code, placed in a location likely to suffer from a
buffer overflow, which can be
periodically tested for changes. Real canaries, susceptible to
pollutants in the air, were once used in mines (particularly in coal
mining) as early warning detectors for gases in the air or a lack of
oxygen. In the same way software canaries may detect improper
modifications, usually by dying. See also
honeytoken.
canonicalization
process of converting data which can have multiple representations
into a single form. In most of the fields of information technology,
canonicalization refers to procedures for ensuring, for example, that
all date fields are in the same format, but it has numerous
implications for security. When computing a
cryptographic checksum,
digest, or hash
result for a document, the same text file will give different
results if stored on a Windows system, which uses a carriage
return/line feed pair at the end of each line, rather than a UNIX
system, which terminates each line with a line feed character only.
In addition, when filtering for
spam, directory
traversal commands, or escape codes for
SQL injection attacks and the like, the
signature characters can be represented in a
number of ways, and so all of these forms must be included in
checking. See also malformed input and
Unicode attack.
CAPTCHA
acronym for Completely Automated Public Turing test to tell Computers
and Humans Apart (trademarked by Carnegie Mellon University). The
term may also refer to the fact that it is catching or capturing
automated submissions to a system. Generally a captcha (although it
is an acronym, in common use it is most frequently seen in lower case)
is a series of characters that are presented in an image that is
distorted or obscured, thus making it difficult for computers to
parse, but relatively easy for humans to read. This affords a means
for online signup forms to quickly determine whether the entry is
being made by a person or an automated agent or bot. CAPTCHAs are not
foolproof: there are a number of ways for systems to
spoof the system, but it will tend to slow
automated submissions. Text-only forms of the concept exist in the
variant spellings and use of alternate characters ("l8r" for "[see
you] later") used in text messages and "leetspeak" (see
B1FF).
cat bonds
abbreviation of catastrophe bonds, a financial instrument that can be
used as a form of insurance or risk
transference. In one form of cat bond, the bond would be issued
yielding a higher than normal rate, thus collecting a pool of capital.
If the projected disaster occurs, then the capital raised (the
principal of the bond) is returned to the entity affected and issuing
the bond. Cat bonds are used to protect against large disasters and
may form part of a disaster recovery
plan: rather than a single insurance company insuring many
entities, a single entity would collect a large pool of capital from a
sizable number of insurers (the purchasers of the bond).
certificate chaining
under a public key infrastructure (PKI) not every
key will be directly digitally signed by the
certification authority (CA).
The central CA may use certain keys to sign keys for various
registration authorities, and these, in turn, may sign keys for use by
various offices or companies. Therefore, it is likely that a given
certificate may have a chain of signatures
and public keys attached to it, all verified
by the CA key and signature at the end of the chain.
certification
the comprehensive evaluation of the technical and nontechnical
security features of a system and other
safeguards, made in support of the
accreditation process, that establishes
the extent to which a particular design and
implementation meet a specified set of security requirements. At
times design alone is sufficient: note that Evaluation Assurance
Levels (EAL) 1 to 4 of the Common
Criteria require only design approval. Note that certification
has no relation to an asymmetric key encryption
certificate, or the related authorities and
lists.
chain of custody
documentation of the handling and preservation of
evidence from the time it was collected until
presented in court, proving who had access to the material, and that
it has not been altered or modified. Also known as chain of evidence.
chrome
framing material around a window on a computer screen, particularly a
browser window. Window chrome is comprised of frames, menus,
toolbars, and scroll bars. Browser chrome may involve the URL
(Uniform Resource Locator) address box, security indicators (such as
the padlock symbol that indicates an active SSL
(Secure Sockets Layer) session),
and the status bar (which often indicates the URL for a link).
Phishing sites now use "fake chrome" which
spoofs the chrome that would be displayed on a
legitimate site. For example, a borderless window can be created to
exactly overlay the URL address box, showing the address of a
legitimate site, and hiding the fact that the user is actually
communicating with a phishing site.
cipher lock
type of keyless, physical lock accessed by entering numbers or
characters on a keypad
clearance
authorization for a
subject (generally a user)
to access sensitive information or other system resources. Whereas a
subject or user is assigned a clearance, an
object or data is given a
sensitivity label.
(Although security people have been talking about clearance since
Peter Denning was in short pants, it seems that nobody has ever gotten
around to defining it. In my research, I couldn't find a single
definition of clearance, although some defined security clearance [the
process of making sure people had the right clearance] and clearance
level [the level that gives the proper amount of clearance]. The
closest was in the original version of "Computer Security Basics,"
which said that it was the sensitivity label assigned to a subject.
So, if you don't like my definition, too bad: it's the only one you've
got.)
client
system entity that requests and uses a service or resource provided by
another system entity (the server)
RATs and zombies provide an
interesting example of an error in the use of technical terminology.
Traditionally, the program run on the naive user's computer, or the
computer that is running such a program, has been referred to as a
client, particularly when it is part of a
botnet. Technically, however, the RAT or zombie
agent program is providing a service at the request of the malicious
controller. Therefore, properly the controller would be the client,
and the controlled user computer (and the software running on it)
would be the server. However, this correct usage is almost never
followed.
cluster
set of coupled computers that can be viewed and operated as a single
computing entity. Clustering technologies are beneficial for
availability (with an inherent component
of redundancy), load balancing, and
performance. (Note that while Microsoft does have a limited
clustering technology, it also has two additional products or
functions, both going by the cluster name, which are more properly
designated as fail over technologies.)
code entropy
tendency of programming code for a given system to fragment and
disintegrate over time, generally due to additions and modifications,
as well as changes to the specifications of the system overall.
Proper change management can
mitigate, but not completely eliminate, code entropy.
code of ethics
statement of the ethics, moral principles, or
behaviour of an organization. Often equated with code of conduct,
although there is a subtle difference between the two: a code of
ethics is teleological in nature (outlining
the goals, principles, or guidelines of the
enterprise) whereas a code of conduct is
deontological (noting actions to be taken or
avoided and specific standards).
code orange
based upon the colour-coded threat levels promulgated by the United
States Department of Homeland Security (DHS), the phrase "code
orange," or "another code orange day," has become a reference to the
futility of raising an alarm, without giving details of the specific
threat to be faced. See also
security theatre. (Phrase attributed
to Bruce Schneier.)
compliance
(1) being in conformance with a certain standard
(2) during 2005, and particularly following the passage of the
Gramm-Leach-Bliley (GLB, financial services) and Sarbanes-Oxley (SOX,
reporting of information for public companies) Acts in the United
States, corporations became obsessed with ensuring "compliance."
Since these pieces of legislation were new, and untested in the courts
(and also since the legislation basically reiterated the requirements
for due care, and
due diligence, which were already
established principles in law), there were no codified standards to
follow. This increased interest in various
security frameworks such as
British Standard 7799 and the
various related systems, and other auditing related documents such as
COSO and Basel II. Predictably, various security
consultants made a fortune.
concurrent engineering
another new term in engineering and development circles. Throw all
your models of the
system development
lifecycle out the window: the latest rage is doing all the phases
at once. We've seen that before: it used to be called "code first,
design later," and it's what got us into our current mess. OK, I'm
willing to assume that "concurrent engineering" has some formality
behind what initially looks like chaos, but it sounds very complex,
and complexity is the enemy of security.
concurrent sign-on
provision for allowing a single user identity to be signed on to a
system multiple times, or from multiple locations. While an advantage
for availability this function may create
numerous problems in terms of access
control.
COSO
Committee Of Sponsoring Organizations of the Treadway Commission, and
particularly the set of standards in regard to fraudulent reporting of
financial information for publicly traded companies
COTS
acronym for Commercial-Off-The-Shelf, a principle of design for using
only commonly available components in a system, rather than
custom-designed parts. COTS is felt to increase
resilience, since commercially available
items generally have multiple suppliers. (COTS is also held to reduce
costs over systems designed with custom-made parts.) However, COTS
may provide opportunities for an adversary to
analyze the components of your system, and COTS is no guarantee of
availability if the parts are determined,
by commercial manufacturers, to be obsolete in current systems. The
term is originally from the United States military, but now commonly
used.
covert channel
communications channel that allows the transfer of information in a
manner that violates the system's security
policy, generally violating
confidentiality. More specifically, a
means of information leaking from a system via a channel not normally
considered a communications medium. Covert channels are considered to
be of two major types,
covert storage channels, and
covert timing channels.
Synonymous with
confinement channel, although the
latter term is infrequently used. See also
information flow control and
security flow analysis.
covert storage channel
covert channel that involves the direct
or indirect writing of a storage location (usually memory or disk
space) by one process and the direct or indirect reading of the
storage location by another process. Covert storage channels
typically involve a resource (such as sectors on a disk, or uncleared
memory) that is shared by two subjects at
different security levels. See also object
reuse and residue.
covert timing channel
covert channel in which one process
signals information to another by modulating its own use of system
resources (for example CPU time) in such a way that this manipulation
affects the real response time observed by the second process, or
where an outside process observes an effect that provides evidence of
an activity which cannot be directly observed. See also
emanations,
jitterbug, and
non-inference model.
cross-site request forgery (CSRF)
type of malformed input
attack that exploits the
authorization,
permission, or trust
that a particular Web server may give to a specific
user. In a CSRF attack, a malicious server will
use some form of social engineering
to get a user to click on a particular link (generally by appearing to
be a legitimate server, or possibly via
cross-site scripting). Unlike a
phishing attack, which would ask the user to
enter identification and
authentication data, clicking on the
link will send login or session data previously
stored on the user (client) machine by the
legitimate server. The malicious server then recrafts the request
sent by the user, along with the login, session, or other data that is
required by the legitimate server, and can then submit a request or
command to the legitimate server.
cross-site scripting (XSS)
term is used to describe a number of
vulnerabilities, usually related to
scripted content on a Web page (often JavaScript), and possibly
involving multiple sites. In one form, a malicious Web page could
contain a link to a page on the client machine
in an attempt to have the browser (such as Internet Explorer) run the
script or other malicious active content with elevated
permissions. (In this case only the browser
on the client machine and the content on the Web server are involved,
and no additional site is needed.) In a second form of XSS, a page on
a malicious server may contain a link to a page on a legitimate
server, where the page on the legitimate server may respond to
specifically crafted active content submitted by the malicious server
when the user merely clicks the link on their
client browser. The fact that two servers are involved may not be
apparent to the user, who may only perceive a relation to the
legitimate server. (There is little agreement as to the significance
of this type of attack.) A third type of XSS
relies on systems which store input from users without
sanity checks or
filters for later display to other users, such
as online message boards or comments fields on blogs (Web logs or
diaries). If the input contains HTML code or active content, various
types of attacks or social
engineering can be mounted. See also
incomplete parameter
checking.
Cross-site request forgeries
use similarly malformed input and
techniques.
Because of the variety of forms XSS can take,
controls or
countermeasures against such attacks
will vary depending upon the particular form or
exploit. A general
safeguard is the
same origin policy.
cumulative incremental backup
see differential backup
dancing pigs
given a choice between dancing pigs and security,
users will choose dancing pigs every time - Ed Felten
data leak protection (DLP)
marketing term which came to prominence in late 2006. Depending upon
the vendor you speak with, data leak protection may be used to refer
to an intrusion detection
system, intrusion prevention system, cache cleaning,
egress scanning, egress content
scanning, various technologies to prevent data from being moved to
removable storage or external devices, technologies to encrypt data
being sent via network applications or moved to removable storage,
remote access (generally known, in this context, as network access or
admission control), or plain old access
control (particularly in relation to database applications). Even
when you know what kind of "data leak protection" is being offered
there are still numbers of questions to be asked about the technology.
For example, if a system does egress content scanning, how does one
specify the content to be checked, how broadly does the scanning apply
if wording is changed, what network applications can be accommodated,
if improper or covert channels can be
detected and handled, can the system handle removable storage (and
what types), what data file formats can be accommodated, and how
readily can the system deal with encryption. This term is therefore
almost completely undefined, and should not be used. The
term is also closely tied to the equally fuzzy
endpoint security.
Deep Crack
multiprocessor computer purpose built to perform a
brute force attack on
the Data Encryption Standard.
The development was led by John Gilmore and Paul Kocher, financed with
$250,000 from the Electronic Frontier Foundation, and won the RSA
Laboratories DES II challenge in July of 1998. The computer had
roughly 36,000 application specific processors (depending upon
configuration).
deontology
study of ethics of duty, specifying particular
actions to be taken or avoided. Codes of conduct are generally
deontological in nature. See also teleology.
design
(n) plan, pattern, or set of directions for the creation of a system,
component, or project, or
(v) to create such a plan. In project management methodologies, the
design phase is generally preceded by the specification of
requirements, and is followed by
implementation at the level of creation
of a working entity. Design is a more abstract level of detail than
implementation, but less so than architecture.
directory traversal
publicly available files on Web servers are very often separated from
system or private files only by being kept in a separate directory.
Therefore, adversaries may attempt to submit
HTTP requests containing the indications for the root directory of the
server (typically a slash character) or "parent directory" (usually
two periods) in order to traverse from the public directory to one
with more interesting files.
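An added example (not from the dictionary) serving both the canonicalization and the directory traversal entries: the same document hashes differently with CR/LF and LF line endings until the line endings are canonicalized, and a filter that looks for ".." in the raw request misses percent-encoded and double-encoded forms of the parent-directory indicator, whereas a check made on the canonical path does not. The document bytes, request strings and the /var/www/public root are constructed for the example; only the Python standard library is used.

```python
import hashlib
import posixpath
import urllib.parse

# Constructed sample: one two-line document as saved on UNIX (LF) and on
# Windows (CR/LF).
UNIX_TEXT = b"first line\nsecond line\n"
WINDOWS_TEXT = b"first line\r\nsecond line\r\n"


def raw_sha256(data):
    """Digest of the bytes exactly as stored; differs between the two copies."""
    return hashlib.sha256(data).hexdigest()


def canonical_sha256(data):
    """Digest after converting CR/LF line endings to LF, so both copies agree."""
    return hashlib.sha256(data.replace(b"\r\n", b"\n")).hexdigest()


def naive_looks_safe(requested):
    """The check the entry implies is insufficient: a literal search for the
    signature characters in the request as received."""
    return ".." not in requested and not requested.startswith("/")


def canonical_path(requested):
    """Reduce a request path to one form: percent-decode until the text stops
    changing (so %2e%2e and double-encoded %252e%252e both become ..), treat
    backslashes as separators, then collapse '.' and '..' segments."""
    path = requested
    for _ in range(3):  # bounded: stop once decoding no longer changes anything
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return posixpath.normpath(path)


def resolve_public_path(requested, public_root="/var/www/public"):
    """Map a request onto the public directory using its canonical form.
    Returns the absolute path if it stays inside public_root, else None."""
    # A leading slash is taken relative to the public root, not the server
    # root, so a request for /etc/passwd means <public_root>/etc/passwd.
    rel = canonical_path(requested).lstrip("/")
    full = posixpath.normpath(posixpath.join(public_root, rel))
    if full == public_root or full.startswith(public_root + "/"):
        return full
    return None


if __name__ == "__main__":
    print(raw_sha256(UNIX_TEXT) == raw_sha256(WINDOWS_TEXT))              # False
    print(canonical_sha256(UNIX_TEXT) == canonical_sha256(WINDOWS_TEXT))  # True
    for req in ("docs/readme.txt", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e%252fetc%252fpasswd"):
        print(req, "naive:", naive_looks_safe(req), "canonical:", resolve_public_path(req))
```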
diversity
choice and inclusion of various technologies, both in terms of
security and general information systems. The use of diversity is
problematic: it eliminates single
points of failure through redundancy and
therefore builds resilience and
availability, but it adds complexity,
which may create difficulties with integrity
and confidentiality. See also
monoculture.
drinking the koolaid
commonly, a slang term referring to the uncritical, and perhaps
irrational, acceptance of an assumption which may not be valid,
particularly where such acceptance or belief may lead to danger or
risk. In information security, this refers
specifically to an attitude which refuses to acknowledge the existence
of a threat, or, particularly, an unjustified
belief that a specific technical control may
prevent any attack or
exploit.
drive by download
software and linking code on a Website programmed in such a manner
that the software is loaded on to a user's machine when the user
merely visits or browses the site, or performs some normal action.
Generally the software is adware,
spyware, RATs or other
malware. Most drive by downloads rely on the
user having permissions set too leniently
(permission is set to allow installation of software or upgrades
without notifying the user), taking advantage of
exploits in browser software, or the use of ActiveX, JavaScript, or other active content. Due
to the functional linking of email and Web browser software, drive by
downloads may also be installed via specially crafted email messages.
egress scanning
in the traditional view of security, we tend to see ourselves as the
inhabitants of a bastion host, with all
the dangers on the outside. Given the variety of possibilities for
the introduction of malware, it is wise to scan
traffic that is leaving our system, to determine if we are,
unknowingly, attacking other systems. This can
also be used as a generic indication of an
infection in our own system.
elliptic curve cryptography (ECC)
type of asymmetric
cryptography based on mathematics of
groups that are defined by the points on a curve. The most efficient
implementation of ECC is claimed to be stronger per bit of key length
than any other known form of asymmetric cryptography. ECC was known
as a possible encryption problem quite early, but was felt to be too
difficult for implementation on a computer. However, it turned out to
be surprisingly easy, and also very fast, particularly in small
hardware systems. ECC can be used to produce all applications of
asymmetric cryptography: an algorithm for key agreement (that is an
analog of Diffie-Hellman), encryption,
and digital signature. Given the various advantages of ECC it will
probably be the major asymmetric algorithm in future.
endpoint security
term relating to the relatively recent recognition that most security
technologies are aimed at protecting large or centralized systems, or
systems within a security perimeter,
and that the endpoints (leaf nodes or user interfacing devices) are
often vulnerable. Endpoints are generally taken to be desktops,
laptops, PDAs (Personal Digital Assistants), or high functioning
cellular phones. Endpoint security is poorly defined, being primarily
a marketing term, but is usually associated more with assurance than
provision of security, and is therefore sometimes referred to as
endpoint compliance. Two vendor initiatives, Network Admission
Control (NAC) and Network Access Protection (NAP), relate to the
concept and are often used as synonyms.
enron
complete destruction of data, usually in large quantities, often in
reference to data that can be used as
evidence. Can be used as a noun ("be careful
not to format the mail server disk and pull an
enron on us") or verb ("make sure you enron everything in the
shredding bin before you leave.") A reference to the energy company
and the auditors working for them in the wake of the discovery of
financial irregularities. See also blurge,
degauss,
overwrite procedure and
residue.
environmental controls
used by information systems auditors to refer to administrative
controls, but loosely defined to include
contracting issues, and possibly general operations procedures as well
escape rate
based on the assumption that errors are going to be missed in any
process, this is the attempt to keep those errors below a threshold
established on the basis of the importance of the item under
production. This is consistent with our
risk management on the basis of
classification and criticality of the
asset under protection.
Evaluation Assurance Level
(EAL)
one of seven standard, defined levels of testing within the
Common Criteria, specified in Part 3 of
the Criteria
evidence
information or objects lending credibility to a certain interpretation
of events. In regard to forensics, often
specifically tied to the identification
of the person responsible for a given activity. In regard to
digital forensics, note that there
are definite limitations on evidence in regard to relevance, legal
admissibility, and in particular the protection and
chain of custody.
exception
(1) error condition generated by hardware or software. Developers
must consider possible errors and exceptions to normal operation, and
provide exception handling, often through special software modules
known as exception handlers. Failure to address exceptions may result
in bugs such as buffer
overflows. Less critical types of exception handling may involve
protection of data integrity, such as sanity
checking. (Thanks, Fred.)
(2) anomaly in operations for which an exemption or
waiver from certain
policies, procedures,
or standards must be made for business
reasons. Overall organizational policy should address the need for
exceptions, and should have guidelines and
procedures for dealing with them.
federated identity
management
basically a new marketing term for
single sign-on
filtering router
internetwork router that selectively prevents the passage of data
packets according to a security policy.
A filtering router may be used as a firewall
or part of a firewall. Also referred to as a
screening router. More recently both
terms have been subsumed under the term
packet filter.
fire point
in fire protection terminology, the temperature at which fire is
sustained, or material will spontaneously flash into fire. This is
different from the flash point, the
temperature at which material will briefly ignite if exposed to open
flame. (Note also that we are talking about actual flames, not email
flames.)
firewall
secured system passing and examining traffic between an internal
trusted network and an external untrusted network such as the
Internet. Firewalls can be used to detect, prevent, or mitigate
certain types of network attack. There are many
types of firewall, such as the packet
filter (otherwise known as a filtering
router or screening router),
stateful inspection, or a
proxy server, of which there are two
types, the circuit level proxy (such as SOCKS or
network address
translation) and the
application level proxy or
application level gateway.
flash point
in fire protection terminology, the temperature at which material will
briefly ignite if exposed to open flame. This is different from the
fire point, the temperature at which fire is
sustained, or material will spontaneously flash into fire. Note that
this definition is in some contradiction to the common understanding
of flash point. (Note also that we are talking about actual flames,
not email flames.)
fraggle
denial of service
attack crafted using broadcast addresses and a
spoofed origin address for a UDP (User
Datagram Protocol) echo (ping) packet. See also
smurfing.
fuzzing
submitting packets or data of varying size or content in order to
solicit information, response, or reaction from a system, which can
then be used to determine internal structures, operations, or
vulnerabilities. A type of black box
testing, which term is more commonly known and used. (Fuzzing, as a
term, is currently confined to a small community of those performing
software forensics or software
penetration testing.) See also
brute force.
homograph attack
spoofing attack and a
form of social engineering intended
to fool users into believing they are contacting a
legitimate Website (or other entity) instead of a malicious site.
Those mounting this type of attack will typically create domain names
with characters that look like the written form (homograph) of
legitimate domains. For example, the digit one (1) or exclamation
mark (!) may be used in place of the lowercase letter "l": thus sites
like paypa1.com or paypa!.com may appear similar to paypal.com. In
addition, some sites may be created using versions of the
Unicode attack to create domains with
ideographic characters that are similar to those of legitimate sites.
honeyclient
in a sense, an inverted honeypot. Instead of
acting like a host computer, and accepting activity from malicious
users, a honeyclient acts like a user, and submits
apparently normal requests to a suspicious site, collecting any
indications of unfriendly activity, such as a
drive by download. Also known as a
honey monkey, which runs on virtual machines, actively mimicking the
actions of a user surfing the Web. Honeyclient operations bear a
strong resemblance to Webbot (also known as Web crawler or Web spider)
agents that support Web search engines, except that honeyclients may
have additional features (such as random delays or occasional typing
errors) to mimic the behaviour of a person, as opposed to an automated
function.
honeynet
honeypot built to appear to be an entire
collection or variety of systems, or a system of honeypots and
intrusion detection systems
designed to collect information on a broader scale than a single
honeypot can manage
honeytoken
a value used to detect misuse. In a sense, a
canary is a form of honeytoken, although a
honeytoken is more usually thought of in terms of
intrusion detection. Books,
particularly dictionaries, maybe even dictionaries of information
security, frequently contain misinformation or even disinformation in
order to detect when someone copies or plagiarises material.
implementation
in both project management and application development literature, two
possible definitions are found for this term:
(1) phase of the system development or project process in which the
detailed specifications are translated into actual system components
(following design, and prior to testing) or
(2) phase of the system development or project process in which the
completed component or system is translated from development into
production, prior to operation. At this point in the project process
there are a number of security considerations to fulfill: for example,
permissions and privileges for the
development team must be revoked, and those for operations put in
place. (In project methodologies using implementation in this second
sense, the phase of creation of components or systems is generally
known as development.)
Please note that care must be taken to specify which of the two
possible meanings for this term is being used when writing about the
development process, as the implications differ significantly.
instant messaging (IM)
real-time text based communication, sometimes known as "chat" (the
standard Internet form is known as Internet Relay Chat or IRC). IM is
an extremely popular but informal means of communication. Due to its
immediacy and popularity, it has also started to be used for business
communications. Most forms of IM have little or no means of
authentication. In addition, most applications have functions that
will allow for remote submission of files, remote installation of
software, and distribution of private data. Many users are unaware of
these functions, or their extent. In addition, most IM applications
have functions for avoiding detection by network scanning software, as
well as functions for passing data through
firewalls. Instant messaging should be
considered very carefully in terms of policies
and acceptable use by employees.
ISMS
in its current usage, Information Security Management System, and
particularly the acronym ISMS, appears to have been popularized by
British Standard 7799 and its
descendant standards, such as ISO 17799 and the
27000 family. The use of this term tends to indicate a BS 7799
influence.
ISO
International Organization for Standardization, group responsible for
many international standards, particularly in communications: a number
relate to security such as ISO 9000 (on quality) and the ISO 17799
security guideline. You will note that the
name of the organization does not fit the acronym. Legend has it
that, since the body was international in nature, it would be unfair
to have the name in a particular language, and therefore the acronym
ISO was derived from the Greek word "isos" (which means equal) so that
no language would have an expansion that fit. (Many English-speakers
refer, incorrectly, to the "International Standards Organization.")
jitter
variation in delay or latency. Real-time
communications systems are generally tolerant of latency, but
intolerant of jitter.
jitterbug
form of covert timing channel
which can be used to signal information from a system by making minor
variations in the delay or latency between
transmitted packets
joe job
in general terms, a joe job is an attack based
upon an annoying activity carried out under a
spoofed identity. Thus any retaliation or
responses to the annoyance are directed at the spoofed identity,
rather than the attacker. In some situations the reaction to the
annoyance is sufficient to constitute a
denial of service.
Smurfing uses a similar concept. Most joe
jobs involve spam in some way, and many spammers
will utilize an address from their harvested lists, knowing that any
bounces from poorly managed mail servers will reply to that address,
rather than the spammer or the mail relay being used.
Despite the appropriateness of the name, it appears that the term "joe
job" comes from the first use of the phrase in relation to an attack
on joes.com, and the owner, Joe Doll.
Kahn's Maxim
Few false ideas have more firmly gripped the minds of so many
intelligent men than the one that, if they just tried, they could
invent a cipher that no one could break. (Since
this certainty of security usually rests in some "secret trick," it is
in violation of Kerckhoffs' Law.)
Kerckhoffs' Law
also known as Kerckhoffs' principle, assumption, or axiom, states that
a cryptosystem or
cryptographic algorithm must be
secure even if all its inner workings, and everything about it (saving
only the key) is known. Originally stated (by
Auguste Kerckhoffs in the 19th century) that a system "must not be
required to be secret, and it must be able to fall into the hands of
the enemy without inconvenience." Compare with
security by obscurity.
keyless encryption
cryptographic
hash or
digest process which provides
one way encryption without the use
of any key or
cryptovariable
keyword filter
spam filtering technology based on specific
words commonly used in spam but not in normal
email messages. Keyword filtering is difficult
to tune effectively: filtering on the word "breast" will likely
eliminate some forms of pornographic spam, but would also trap
messages about breast cancer or someone forwarding Clement C. Moore's
"A Visit from St. Nicholas" to you ("The moon on the breast of the
new-fallen snow" and all that). (Of course, depending upon how you
feel about chain letters, that may be what
you wanted.) Spammers avoid keyword filtering by placing spaces (or
non-displaying characters) between letters in common keywords, using
"!33tspeak" variant spellings (see B1FF), or using
graphics.
label-based access
control
LBAC
if you see the odd reference to this term, it is a reference to
mandatory access control,
which matches the sensitivity label
of the object against the
clearance of the
subject. (If you see LBAC occasionally used as
lattice-based access control, this is a careless reference to formal,
abstract security
lattice models, not access systems as
such.)
latency
(1) delay or period between transmission and receipt of data, or
between a command to, and response from, a system. Variation in
latency is known as jitter.
(2) situation where a system may be penetrated but some time may
elapse
between the penetration and further activity. This term is generally
used in connection with malware such as
viruses and worms. A virus
with a long latent period may have time to reproduce and spread
further before an overt payload renders
detection likely. On the other hand, since viruses in the wild are regularly detected within hours of release,
a latent period may simply ensure that the virus is eliminated before
it has a chance to trigger.
Linus's Law
given enough eyeballs, all bugs are shallow. (Term
attributed to Eric S. Raymond.)
Luhn formula
version of checksum, or a simplistic form of
cyclic redundancy check, used
to test the validity of credit card, Canadian Social Insurance,
Australian Tax File and other similar types of
identification numbers. Also known as a
"Mod 10" check. The Luhn formula is not a
cryptographic checksum, and is
easily spoofed, and therefore electronic
commerce sites which only rely on the Mod 10 check, and do not use
other means of authentication may be
subject to fraud.
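As an added example (not from the dictionary), the Mod 10 computation in Python on constructed sample numbers: the check digit is derived from the number itself, so passing the check shows only that no common transcription error occurred, not that the number is genuine.

```python
"""Luhn ("Mod 10") check: added example, not from the dictionary.

The sample numbers used with these functions are constructed for
illustration; they are not real account or identification numbers.
"""
from typing import List


def luhn_sum(digits: str) -> int:
    """Return the Luhn weighted sum of a string of digits.

    Starting from the rightmost digit, every second digit is doubled and,
    if the result exceeds 9, reduced by 9 (the same as summing its digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the number (spaces and dashes ignored) passes the Mod 10 check."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit that makes payload + digit pass the check.

    Anyone can do this, which is why the Luhn formula is a transcription
    check and not a form of authentication.
    """
    digits = "".join(ch for ch in payload if ch.isdigit())
    # Appending a digit shifts the payload one position, so sum the payload
    # as if a trailing 0 were already present, then pick the digit that
    # brings the total to a multiple of 10.
    s = luhn_sum(digits + "0")
    return str((10 - s % 10) % 10)


def detects_single_digit_errors(number: str) -> bool:
    """Every single-digit substitution in a valid number is caught by Luhn.

    Doubling-and-reducing maps 0..9 to 0,2,4,6,8,1,3,5,7,9, a permutation,
    so changing any one digit always changes the sum modulo 10.
    """
    for i, ch in enumerate(number):
        for r in "0123456789":
            if r != ch and luhn_valid(number[:i] + r + number[i + 1:]):
                return False
    return True


def undetected_adjacent_transpositions(number: str) -> List[str]:
    """Return adjacent-digit swaps of a valid number that still pass.

    The only swap Luhn misses is 09 <-> 90, because doubling 9 gives 18 -> 9
    and doubling 0 gives 0, so both positions contribute the same either way.
    """
    misses = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b:
            swapped = number[:i] + b + a + number[i + 2:]
            if luhn_valid(swapped):
                misses.append(swapped)
    return misses
```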
malformed input
data submitted to a system that is formulated incorrectly, and
sometimes maliciously so. In particular, malformed input refers to
symbols submitted as data, but which can be interpreted or executed as
program code. Special attack instances of
malformed input are buffer overflow,
cross-site request forgery,
cross-site scripting, the
ping of death,
SQL injection, and
Unicode attack. Controls against
malformed input are proper design, proper
exception handling,
filters,
penetration testing and
sanity checks. See also
incomplete parameter
checking.
malleability
characteristic of a cryptosystem where
changes to the ciphertext result in
meaningful or apparently reasonable modifications to the
plaintext. In
cryptanalysis this can be used to mount
an attack against the integrity of a
cryptographic authentication system.
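An added example, not from the dictionary, using a toy XOR keystream built from SHA-256 (constructed here for illustration, not a real cipher): without an integrity check, a change to the ciphertext translates directly into a chosen change to the plaintext, while an HMAC tag over the ciphertext lets the receiver reject the altered message.

```python
"""Malleability demonstration: added example, not from the dictionary.

The keystream below is a toy construction (SHA-256 in counter mode) used
only to show the property; it is not a production cipher. Keys and
messages are constructed sample values.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended to the ciphertext


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def alter_ciphertext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Show malleability: rewrite the plaintext bytes at `offset` from `old`
    to `new` without knowing the key, by XORing (old ^ new) into the
    ciphertext. C ^ old ^ new decrypts to P ^ old ^ new, which is `new`
    whenever the original plaintext there was `old`."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytearray(ciphertext)
    for i, d in enumerate(delta):
        patched[offset + i] ^= d
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Hardened form, encrypt-then-MAC: ciphertext || HMAC-SHA256(ciphertext)."""
    ct = xor_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None on any mismatch."""
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_encrypt(enc_key, ct)
```

The alteration succeeds against the bare ciphertext but is rejected once the tag is checked, which is the integrity control the entry refers to.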
misfeasance
sometimes referred to as carrying out a legal act illegally. In
contract law it may refer to partial fulfillment of an agreement.
This is in some opposition to malfeasance, commonly considered to be
any wrongdoing.
mix network
attempt to defeat tracing and traffic
analysis by using a chain of proxy
servers. Each message layer is specifically
encrypted to each proxy; the resulting
encryption is layered like an onion. Even if all but one of the
proxies are compromised the message transit
cannot be fully traced. Also called mix cascade. See also
onion routing.
monoculture
term used in a 2003 paper by Dan Geer (and others), noting the danger
inherent in basing a large infrastructure on a single technology.
Similar to the danger in having entire crops and food sources based on
a single species, a monoculture has limited
resilience and is susceptible to a
single point of failure. (Food
crops based on a single species have been destroyed by a single crop
disease: infrastructures based on, for example, a single operating
system may face widespread failure due to a single variety of network
worm.) Creation of
diversity in acceptable technologies helps
build redundancy.
mosaic problem
similar to aggregation, a situation in
which sensitive information may be determined from a collection of
pieces of data which are either classified at a lower
security level, or which have been
carelessly left without sufficient protection. This term is more
frequently used in espionage and counterintelligence than in
data security. See also
aggregation problem.
mule
based on the term used for those who are paid for, or fooled or
coerced into transporting illicit drugs, in the infosec world mules
(sometimes referred to as money mules) are those who assist in the
laundering of illegal profits from fraud,
phishing,
identity theft, or other activities.
Mules in money laundering rings are generally recruited by
advertisements for "work at home" jobs with unrealistically high
wages. They may not be told what the work entails, other than
"reshipping" or money forwarding, although it should be easy enough to
figure out that something that sounds too good to be true probably is.
However, some mules are simply defrauded themselves, never paid for
their functions, and left as cut-outs with the evidence for illegal
activities pointing squarely at them.
multilevel security
having, or capable of dealing with, data or programs of differing
sensitivity, or differing requirements in respect of
confidentiality,
integrity, or
availability. This would appear to be
obvious in terms of most modern operating systems, but it should be
noted that not all platforms are suitable for multilevel security.
Murphy's Law
commonly stated as "If anything can go wrong it will." This
fatalistic sentiment is, in fact, a corruption of the original
assertion, by engineer Edward A. Murphy, Jr. in 1949, that if you
design a system or component that a technician (or user) can connect
(or use) improperly, at some point they will. If the world can
misunderstand your famous quote, it will.
In fact, the story of Murphy's Law is even more convoluted. While
Murphy was undoubtedly and by all accounts the person who made the
statement that inspired the law, the formulation of the law itself may
have come from George Nichols, an engineer on United States Air Force
project MX981 (research into deceleration and the human body), or it
may have been a collaborative effort by his engineering team. Another
candidate for the formal statement of the law, and certainly the man
who promulgated it to the wider world, is John Paul Stapp, an officer
and medical doctor in charge of the project. (He was known for the
creation of pithy aphorisms.) Stapp used himself as a test subject in
the research, and was instrumental in using the data gathered to push
for seatbelts in automobiles, and other safety features. An article
outlining some of the people involved was written by Nick Spark, and
published in the September/October 2003 edition of the Annals of
Improbable Research (volume 9, number 5). If the world can confuse
the origin of your famous quote, it will.
Network Access Protection
(NAP)
see endpoint security
network address translation
(NAT)
means to allow a network to use one set of IP addresses (usually
non-routable) for internal traffic and a second set of addresses for
external traffic. NAT may be used as a circuit level
proxy server or
firewall, often re-addressing traffic so that
outgoing traffic appears to have originated from the firewall, rather
than the internal host. The NAT server changes the source address,
and usually also the port, of outgoing packets from the internal to
the external address and reverses it for packets returning. NAT can
be used to map a large number of computers onto a small assigned
address space, but also hides the internal structure of the network
from attackers and probes.
Network Admission Control
(NAC)
see endpoint security
node authentication
authentication of a machine or device,
rather than the user operating it. Regardless of
the clearance or
permission level of a user, certain
operations may be restricted unless the individual is connecting via
the proper node, such as a console terminal. In addition, network or
other devices operating under certain levels of
trust will need authentication even in the
absence of user involvement.
nondeducibility
specialized form of non-inference
model in which it can be proven that a
subject with low
clearance cannot know, with certainty, what
input a user with high clearance is making. In
practical terms nondeducibility is of little value, since it is
possible, under the model, for a low clearance user to be relatively
confident without knowing for sure.
null cipher
(1) cryptographic mode, key, or
cryptovariable which does not result in
alteration or hiding of the plaintext. Used in testing, debugging, or
for compatibility with a receiver that may not have
decryption capabilities.
(2) combining characters or bits of the
plaintext with non-message data to hide the
plaintext without transposing, substituting, scrambling or enciphering
data. A form of steganography.
(3) in classical cryptography a null is intended to confuse the
cryptanalyst. Typically, a null will be a character or block which
decrypts to obvious nonsense at the end of an otherwise intelligible
phrase or block of data. In a null cipher, most of the characters may
be nulls.
(4) use of the Caesar Cipher with a letter shift of zero, which the
Romans considered suitable for export.
object reuse
reassignment and reuse of a storage medium (e.g., page frame,
disk sector, magnetic tape) that once contained one or more
objects. To be securely reused and assigned to
a new subject, storage media must contain no
residual data (including magnetic
remanence) from the object(s) previously contained in the media.
packet filter
(1) one of the simplest forms of a firewall, a
packet filter accepts or rejects traffic based on source and
destination addresses, and possibly the type of traffic. A router
usually receives a packet from a network and decides where to forward
it on a second network. A filtering router does the same, but first
decides whether the packet should be forwarded at all, according to
specific security policy. The policy is implemented by rules loaded
into the router. The rules mostly involve values of data packet
control fields, especially source and destination addresses, protocol
fields, and port numbers. Sometimes also known as a
filtering router or
screening router.
(2) specific rule implemented in a filtering router or screening
router
Parker Parameter
85.4, also known as the "experts' number." This number can be used in
any situation to bolster any argument: after all, 85.4% of all
statistics are made up on the spot. 85.4 is sufficiently large to be
convincing (without being so large as to lack credibility), the digits
are random enough not to appear to have been planned, and the three
significant digits add a feeling of accuracy (without being so
precise as to arouse suspicion).
password
private or secret character string used to
authenticate an identity. Passwords, or
sometimes passphrases, are the most commonly implemented form of
authenticator, being the primary example
of something the user (and presumably nobody else)
knows. However, it is widely understood among security professionals
that users make very bad decisions in choosing secure passwords.
Users do not seem to realize that commonly known information about
them (such as a birthdate, spouse's name, or favourite pet) is not a
good choice for a "secret" password.
password space
total number of possible (unique) passwords
that can be created by a given password generation scheme. See also
key space.
patch management
formal process for testing, approving, distributing, and applying
patches (modifications or corrections to existing
and operating software). Because patches may involve security fixes,
and there is an increasingly dangerous window of
vulnerability between the time a
vulnerability is discovered and the time the patch is made available
or applied, some firms may have specific
policies or procedures
to shorten or waive the testing and approval
period in the case of security specific patches. This circumvention
would not normally be a part of change
management.
PATRIOT Act
United States law granting special powers to law enforcement and the
intelligence agencies in relation to activities and subjects suspected
of being involved in terrorism. The name PATRIOT is an acronym for
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism. There is controversy regarding the extent to which the act
abrogates the right to privacy.
PDCA
Plan, Do, Check, Act, an acronym for the four basic parts of any work
or planning cycle. Sometimes referred to as the "Deming Model," after
the process control and management cycle seminars created and
delivered by W. Edwards Deming. Change
management, System
Development Methodologies, and other project management processes
often follow the PDCA structure.
ping
network troubleshooting utility designed to provide an automatic
response (echo) if the addressed system is active and connected. Ping
has, however, been misused in a number of
attacks such as fraggle,
smurf, and the
ping of death, as well as tools such as
the ping sweep which are used to identify
machines to be probed for
vulnerabilities. Some references state
that ping is an acronym for Packet INternet
Groper but this seems to be an expansion created after the fact. The
name was probably chosen in reference to sonar pings: the originator
of the utility worked for the military.
policy
organizational-level rules governing acceptable use of computing
resources, security practices, and guiding development of operational
procedures. Policies are supported by more detailed
baselines,
guidelines,
procedures, and
standards. See also
compliance,
exception, and waiver.
pornado
a storm of popup windows generated by Websites advertising
pornographic content. As quickly as one is deleted, another pops up.
Dealing with this nuisance is not easy, and usually requires
knowledgeable use of Task Manager, or similar level system utilities,
to stop.
port knocking
sending packets to ports in a specific sequence.
This can be used to communicate in a non-obvious manner, and therefore
might lead to a covert channel of the
covert timing channel type. In
network security this process may be used to unlock a given port or
provide access. It may, therefore, be used as a
form of authentication, but is
observable, and is therefore possibly
security by obscurity.
pretexting
form of social engineering using
spoofing and the pretext or pretence of being
a legitimate customer or authority, usually in an attempt to get a
company to disclose information that can be utilized for
identity theft. One of the sillier
additions to the security lexicon during 2006, since we already have
perfectly valid terms to describe the practice.
proxy server
computer attached to two or more networks, providing service to more
than one client or server as if to a single machine. Most often used
to connect multiple machines on a local area network to a public
network such as the Internet. Often used as a type of
firewall since the proxy server can be
hardened or used to examine data content, and attacks will be directed
against the proxy server rather than the actual servers behind it.
There are usually considered to be two types of proxy servers in
relation to firewalls, the
application level proxy and the
circuit level proxy, such as
network address translation
or SOCKS. Compare with
packet filter.
race condition
(1) flaw in a system where the output may be
inconsistent, depending upon the relative timing of events,
particularly processes operating in parallel. The term and concept
originates from electronics, and particularly the
design of logic circuits. Also known as a race
hazard. See also TOC/TOU.
(2) when the track is dry, the weather is cool, and most of the NASCAR
drivers are sober - RJ
rainbow table
specially constructed database of one
way encryption or hash results applied
to a statistically chosen subset of all possible
passwords, that allows quick lookup, or lookup
and calculation, that will reveal a given password. The table is
formulated from the result of brute force
calculations, but, once created, can be used to minimize the necessary
time and processing of the password
attack.
RAT (Remote Access Trojan)
program designed to provide access to, and control over, a
network-attached computer from a remote computer or location, in effect
providing a backdoor. Interestingly, RATs are
often described, by their creators, as "Remote Administration Tools"
in an attempt to present them as legitimate utility software. The
distinction between valid remote tools and RATs generally lies in the
provisions for RATs to be installed without the direct knowledge of
the user or operator of the computer to be controlled, and additional
functions to announce the installation of the RAT, and the address of
the computer being controlled, to public venues such as Usenet
newsgroups and IRC (Internet Relay Chat).
RATs and zombies provide an interesting example
of an error in the use of technical terminology. Traditionally, the
program run on the naive user's computer, or the computer that is
running such a program, has been referred to as a
client, particularly when it is part of a
botnet. Technically, however, the RAT or zombie
agent program is providing a service at the request of the malicious
controller. Therefore, properly the controller would be the client,
and the controlled user computer (and the software running on it)
would be the server. However, this correct usage is almost never
followed.
regression bug
bug or flaw which appears in a
formerly functional program, system, or application after a change is
made. Even with rigorous change control
and change management security fixes
or patches often produce regression bugs.
regression test
comparison of operation of the original, or working, version of an
application with a modified version, in order to assess issues of
compatibility, or unexpected operations not specified in the
change management process.
Regression tests may also be part of a
patch management
procedure.
return on testing
RoT
we've always just assumed that you need to test. Apparently that
isn't a valid assumption any more. Management is now asking for
business cases to justify any test
protocols and
procedures. Well, I suppose we have always
preached the gospel of cost-benefit
analysis, too, but isn't there a point at which the cost of
producing business cases for every single activity outweighs the
benefit of doing the cost/benefit? Especially in regard to
"best practices"? (Then again, I hate that
term, too, so ...)
Richards' Laws of Data
Security
(1) Don't buy a computer.
(2) If you do buy a computer, don't turn it on.
These laws were determined and formalized by Jeff Richards while he
was at Simon Fraser University. They are similar in intent to the
assertion made by Eugene H. Spafford, director of the Purdue Center
for Education and Research in Information Assurance and Security, to
the effect that "[t]he only system that is truly secure is one that is
switched off and unplugged, locked in a titanium safe, buried in a
concrete vault on the bottom of the sea and surrounded by very highly
paid armed guards. Even then I wouldn't bet on it."
role-based
access control (RBAC)
method of access control management
whereby the level of clearance and
permission is primarily determined by the
job or role that the individual fulfills in the organization. RBAC
may also be used in partial form or a hybrid situation where other
access control factors come into play. Originally RBAC was seen in
application to mandatory access
control systems, but it is now frequently implemented via the
group facility in
discretionary access
control. Generally speaking the acronym RBAC is used in reference
to role-based access control rather than
rule-based access control.
rule-based access control
system of access control implemented by
sets of rules. Rule-based access control can be implemented in a
number of ways and at a number of levels of complexity. For example,
an access control list is a very
simple implementation of rule-based access control with a single rule:
is the requested permission on the list?
Content-based access control may have an extremely complex set of
rules.
Due to the similarity of names, many see rule-based access control and
role-based access control as
opposites, in the same way that
discretionary access
control and mandatory access
control divide the access control field. This is a mistake, since
rule-based access control deals with implementation and granularity,
while role-based access control addresses access control management.
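The distinction drawn in the last two entries, as an added example that is not from the dictionary: a role-based layer (management decides which job role carries which permission, held here as a group-like mapping) sits beneath a rule-based layer that evaluates each request, including the single-rule ACL case and a more granular content-based rule. All users, roles and permissions are constructed sample data.

```python
from dataclasses import dataclass

# Role-based layer: management decides which job role carries which permission.
# Constructed sample data, not from any real organization.
ROLE_PERMISSIONS = {
    "clerk": {"read:orders"},
    "accountant": {"read:orders", "read:ledger", "write:ledger"},
    "auditor": {"read:orders", "read:ledger"},
}
USER_ROLES = {
    "alice": {"accountant"},
    "bob": {"clerk"},
    "carol": {"auditor", "clerk"},
}


def effective_permissions(user):
    """Union of the permissions of every role the user holds (the 'group' view)."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


@dataclass(frozen=True)
class Request:
    user: str
    permission: str  # e.g. "write:ledger"
    hour: int        # local hour (0-23) of the request, used by a content-based rule


# Rule-based layer: each rule returns "allow", "deny", or None (no opinion).
def rule_no_writes_after_hours(req):
    """Content-based rule: write operations are refused outside 08:00-18:00."""
    if req.permission.startswith("write:") and not 8 <= req.hour < 18:
        return "deny"
    return None


def rule_acl(req):
    """The single-rule ACL case from the entry: is the requested permission on the list?"""
    if req.permission in effective_permissions(req.user):
        return "allow"
    return None


RULES = [rule_no_writes_after_hours, rule_acl]


def evaluate(req):
    """First rule with an opinion decides; with no matching rule the default is deny."""
    for rule in RULES:
        decision = rule(req)
        if decision is not None:
            return decision
    return "deny"


if __name__ == "__main__":
    for req in (Request("alice", "write:ledger", 10), Request("alice", "write:ledger", 22),
                Request("bob", "read:ledger", 10)):
        print(req, "->", evaluate(req))
```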
same origin policy
technical security policy requiring
that a Web document or script from one origin not obtain or modify
settings of a document from a different origin. "Origin" is defined
to include the domain name or address, protocol, and specific port.
This safeguard can help protect against
cross-site scripting
attacks. While this limited form of
control is implemented in most browsers, the
concept may be extended to a more general policy
requiring all items on a given Web page to be from a given origin.
However, this latter, broader standard is
widely disregarded in electronic commerce, where pages may contain
items from a variety of sources. This practice makes cross-site
scripting, phishing, and other attacks more
likely.
security framework
used in a variety of ways, but in 2006 it came to be used as an
aggregate term for the various documents, from a variety of sources,
that give specific advice on topics related to information systems
security. Some of these are information security
guidelines such as
British Standard 7799, auditing
outlines such as CObIT, or the (free)
"Self-Assessment Questionnaire" prepared by the United States National
Institute of Standards and Technology (NIST). Others are peripherally
related, such as the Common Criteria on
specifications and evaluation. Still others are more tenuously
connected, such as the advice on fraudulent financial reporting from
COSO.
security information management (SIM)
vaguely defined term, which started to be used in 2005, primarily for
marketing purposes. Systems referred to as SIMs were generally either
vulnerability scanners or related to
intrusion detection systems
and their alerting functions. Related terms are
security event management (SEM) and security event information
management (SEIM). Without further definition it is recommended that
these terms not be used.
security policy
(1) set of laws, regulations, rules, and practices that regulate how
an organization manages, protects, and distributes
sensitive information. Usually
there is an overall and general
policy, backed up by more detailed
baselines,
guidelines,
procedures, and
standards.
(2) a technical implementation and set of
controls enforcing the general policy. This
latter definition is that used in most vendor manuals.
security theatre
highly visible security measures which have little protective effect.
The term is meant to indicate that some supposed
safeguards are intended only to demonstrate
that "something is being done," even if the control is ineffective
against a particular threat, as well as being
annoying and possibly counterproductive. See also
code orange. (Term attributed to Bruce
Schneier.)
software forensics
analysis of source or object code, or other executable entities, for
indications of author identity, cultural affiliations, plagiarism, or
malicious functions. A broader overview than code analysis or
forensic programming and one of
the major sections of digital
forensics.
software token
despite the implication of execution in the term, a software
token is a piece of data granting
authorization to use a resource, and
sometimes also used for authentication.
See also ticket-oriented.
Spaf's First Principle of Security Administration
if you have responsibility for security, but have no authority to set
rules or punish violators, your own role in the organization is to
take the blame when something big goes wrong.
spam filter
any of a number of technologies intended to automate the
identification of spam as distinct from legitimate
email messages, and reduce the requirement for
user consideration and action. Common spam
filtering technologies are
Bayesian analysis,
blacklist,
keyword filter, sender identification
(of which the most widely promoted is SPF), and
whitelist.
spambotnet
specialized type of botnet, used to distribute
spam. Spambotnets are very useful to spammers,
since each compromised machine acts as its
own mail server, and thus there is no single mail server that can be
tracked and shut down. In addition, the computers in the spambotnet
are usually geographically and (network) topologically dispersed, and
therefore can deliver a flood of messages quite quickly.
Spambotnets were, after DDoS
zombies, the first of the major botnet groups,
and many were created by virus writers (vxers) in
2003. Vx groups still have a major relationship to spambotnets, and
use the spambotnets to send out new versions of viruses, in order to
create further spambotnets.
spear phishing
phishing attacks targeted to a select group of
individuals, usually within a company, rather than the generic
messages that are spammed indiscriminately to a
large mass of addresses. Since phishers use mass spam address lists
that may contain any addresses, you may receive phishing solicitations
from an institution that you do not deal with, or which may not even
exist in your location, and these will be ignored by most recipients.
Spear phishing messages have a higher probability of relating to an
institution that the recipient does deal with. However, spear
phishing, and the work necessary to identify the target audience, is a
lot of work, so the activity is relatively rare.
SPF
SPF allows the owner of a domain to specify and publish their mail
sending policy, specifically which mail servers they use to send mail
from their domain. Another mail server receiving a message claiming
to come from that domain may then check whether the message complies
with the domain's stated policy. If the message comes from an unknown
server, it can be considered spam. In terms of
spam filtering, SPF has promise, but relies
on administration by both sender and receiver. SPF is currently held
to stand for Sender Policy Framework, but was previously Sender
Permitted Form.
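The receiving-side check this entry describes, as an added example that is not from the dictionary: a published record is parsed and the connecting server's address is compared with it. The record and addresses are constructed (documentation ranges), and only the ip4, ip6 and all mechanisms are evaluated, since the others need DNS lookups that this offline check does not make.

```python
import ipaddress

# Constructed sample record, as it would be published in the sending domain's TXT record.
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not real mail servers.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix on a mechanism -> result when that mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split a published SPF record into (qualifier, mechanism, argument) terms."""
    fields = txt.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record: %r" % txt)
    terms = []
    for field in fields[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if field[0] in "+-~?":
            qualifier, field = field[0], field[1:]
        mechanism, _, argument = field.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(txt, sender_ip):
    """Evaluate the connecting server's IP against the record, left to right.

    Only ip4, ip6 and all are evaluated here. a, mx, include and redirect need
    DNS lookups, so this offline check returns "unknown" rather than guess.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(txt):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip in network:  # False automatically when the IP versions differ
                return RESULT[qualifier]
        elif mechanism == "all":
            return RESULT[qualifier]
        else:
            return "unknown"
    return "neutral"  # record ran out without an "all" mechanism


if __name__ == "__main__":
    for ip in ("192.0.2.77", "2001:db8::1", "198.51.100.5"):
        print(ip, "->", check_spf(SAMPLE_RECORD, ip))
```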
SQL injection
malformed input
attack using commands or queries crafted in the
Structured Query Language (SQL). Web servers, and particularly
electronic commerce sites, are frequently supported by back end
databases, and use SQL statements to build pages to display to the
user, or to create transactions and orders.
Generally the Web requests transmit the SQL statements, and therefore
the commands are visible to anyone who cares to examine the data
stream. Adversaries are able to create their
own requests, either to probe the system, or, based upon the command
structure they observe, request data which is not provided in the
programmed options. Using escape sequences, adversaries may also be
able to submit commands to the underlying platform.
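The malformed-input problem this entry describes, shown as an added example that is not from the dictionary: a query assembled by string concatenation beside the same query with the input bound as a parameter, run against a constructed in-memory SQLite table so the difference in returned rows is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample: an orders table for two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", "book"), (2, "bob", "lamp"), (3, "alice", "pen")])
    return conn


def orders_vulnerable(conn, customer):
    """Builds the statement by concatenation: the input becomes part of the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = "SELECT id FROM orders WHERE customer = '" + customer + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def orders_parameterized(conn, customer):
    """Parameter binding keeps the input as data: the statement structure is fixed
    before the value is supplied, so quotes in the input are only characters."""
    sql = "SELECT id FROM orders WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed malformed input: a quote followed by a tautology
    print("vulnerable:   ", orders_vulnerable(conn, probe))
    print("parameterized:", orders_parameterized(conn, probe))
```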
STRIDE
acronym and mnemonic for some of the major types of information system
attacks: spoofing, tampering,
repudiation, information
(disclosure), DoS
(denial of service), and elevation or
escalation of privilege or
permission.
strong star property
later extension suggested to the
Bell-La Padula security model for
use in database situations, limiting reading and writing to the
subject's own security level. Since the model
was restricted to considerations of
confidentiality, allowing write access
to records at a higher classification could lead to inadvertent
overwriting of sensitive records, and a potential problem of
integrity or
availability. Usage rare.
tarball
(1) a sticky situation that entraps or immobilizes the entity
involved. Various security systems are described as tarballs. See
also tarpit.
(2) refers to a tape archive with a full set of files, usually for
software distribution.
teleology
study of ethics of purpose or general principle
rather than particular duties or behaviour. The ethical philosophy of
utilitarianism, which is commonly (if simplistically) described as
"the greatest good to the greatest number," is teleological.
Codes of ethics are generally
teleological in nature. See also
deontology.
Transport Layer Security (TLS)
Internet standard, application-agnostic
end-to-end encryption based on
the Secure Sockets Layer protocol.
troll
(n) deliberately inflammatory message generally posted to a newsgroup,
mailing list, or other forum where the reaction will be negative (such
as one extolling dogs posted to rec.pets.cats, or one praising cats
posted to rec.pets.dogs) solely in an attempt to create furor and
reaction, or
(v) the posting of such a message. See also
flame. The term trolling is probably the
inspiration for the creation of the terms
phishing and
vishing.
Unicode attack
any of a variety of attacks that use the Unicode
data representation scheme to obfuscate commands or parameters.
Unicode representations, normally used to present non-Latin alphabet
characters, may not be displayed properly to users, or may be
displayed properly but have a difference in the underlying data that
has an implication that the user may not understand. (For example,
the lowercase letter "a" is normally represented in hexadecimal
notation as value 61 or 0061, but can also be represented as value
FF41. To the user they would look the same, but digital devices would
perceive a difference and possibly act differently on the data.) In
addition, filters may not be programmed to deal properly with Unicode
representation and may miss attack signatures. Unicode representation
may be used to avoid spam filtering or may be used to spoof legitimate
sites in
phishing attacks. However, the greatest
danger is conceived to be the obfuscation of data or commands (and
thus malformed input) related to
directory traversal or
SQL injection attacks.
Because of the use of variant symbols which may be mistaken for other
characters, and thus possibly false
identification of a site, Unicode
attacks are sometimes held to be a special case of
homograph or homographic attacks,
although the latter terms are not widely used at present. In
addition, homographic does not fully relate to the obfuscation
function which Unicode attacks may also use.
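The filter problem in this entry (the 61/0061 versus FF41 representations of "a", and signatures missed on unnormalized text), as an added example that is not from the dictionary: compatibility normalization (NFKC) is applied before a naive directory traversal signature check, and the same normalization is used to find characters in a site name that still fall outside ASCII. The inputs are constructed.

```python
import unicodedata


def codepoints(text):
    """Hex code points the way the entry writes them: 0061 for "a", FF41 for fullwidth "a"."""
    return ["%04X" % ord(ch) for ch in text]


def normalize_for_filter(text):
    """Fold compatibility variants onto their canonical characters before any
    signature check: NFKC maps fullwidth FF41 to 0061 and fullwidth FF0F to "/"."""
    return unicodedata.normalize("NFKC", text)


def looks_like_traversal(path):
    """Naive signature for the directory traversal pattern, as a filter might check it."""
    return "../" in path or "..\\" in path


def looks_like_traversal_normalized(path):
    """Same signature, applied after normalization, so fullwidth variants do not slip by."""
    return looks_like_traversal(normalize_for_filter(path))


def non_ascii_after_normalization(hostname):
    """Characters that survive normalization but are still outside ASCII: the ones a
    homograph check on a site name has to look at (a Cyrillic "a" is not folded)."""
    return [ch for ch in normalize_for_filter(hostname) if ord(ch) > 0x7F]


if __name__ == "__main__":
    # Constructed input: "../../secret.txt" written with fullwidth dots and slashes.
    disguised = "\uFF0E\uFF0E\uFF0F\uFF0E\uFF0E\uFF0Fsecret.txt"
    print(codepoints("a\uFF41"))
    print(looks_like_traversal(disguised), looks_like_traversal_normalized(disguised))
    print(non_ascii_after_normalization("ex\u0430mple.com"))
```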
virtual machine
program, operating on one hardware platform or operating system, which
gives the functional appearance of another hardware platform or
operating system, including and particularly in terms of execution of
programs. Virtual machines (sometimes called emulators) have many
uses in normal system operations (such as running diverse
applications, programmed for different platforms, on a single
machine). In regard to security, virtual machines may be used to
present a false impression of a machine to an
adversary (see
honeypot and pseudo
flaw) or may be used to test software (possibly
malware) in an environment where escape or
actual damage is restricted (see sandbox).
virtualization
process or software separating a specific system from the underlying
infrastructure or implementation details. Since most vendors use this
term in relation to software products, this is essentially what used
to be known, particularly in terms of database systems and database
backed Websites, as middleware.
vishing
obtaining authentication, identity, or personal data by fraudulent
requests via telephone (voice) rather than email or Websites (see
phishing). Vishing is voice (over IP)
phishing and usually uses VoIP technology.
VoIP
(Voice over Internet Protocol) the currently popular term for the
sending of real-time, two-way voice traffic over the TCP/IP
packet network, previously known as Internet
telephony, and sometimes H.323 (after a signalling and call setup
protocol). The importance to security is multifaceted. First, VoIP
brings together both data network and telephony security concerns.
(Telephony service is one of the few areas where simple use can create
a direct cost to the company.) Also, with the rising popularity of
VoIP many vendors are more concerned with adding functions to their
products than testing for security. VoIP systems and gateways also do
not have the same determination of endpoints, and so caller-ID and
Automatic Number Identification systems may not provide reliable
information. (This situation will undoubtedly become even more
problematic with the recent production of cellular telephones which
can establish links over WiFi/wireless LAN
connections.) VoIP is frequently used for telemarketing, particularly
fraudulently, since the cost of the calls is low (or possibly non-
existent if an unsecured gateway is found) and VoIP works well with
automated voice systems.
WEP
Wired Equivalent Privacy (and not, as is frequently misstated,
Wireless Encryption Protocol). WEP is a protocol for the
encryption of
wireless LAN traffic, for those using the
802.11 range of networking protocols. The correct name is actually
well chosen: a wired LAN is hard to get at but once you can make a
physical connection you can see all the traffic, whereas a wireless
LAN is easy to read but the traffic is encrypted. Unfortunately, WEP
is badly flawed and subject to various forms of
cryptanalytic
attack. The newer WPA is
more secure.
whitelist
spam filtering technology based upon denial
of all messages other than those from approved origins. The inverse
of blacklist. Whitelisting can be defeated
by spambotnets where addresses are harvested
from the compromised machines and the
user of the machine is
identified as the sender: presumably
that sender has already been verified to the whitelist. In addition,
whitelist addresses should never be subscribed to mailing lists
since the bounces and requests for verification from the whitelist are
annoying to the members of the mailing list and may lead to a
mail storm.
wireless
data connection without a physical link, using radio frequency
transmission or other means of communication. Note that the term
wireless is used both for connections using cellular telephone
technology (usually to enable Internet connectivity) and for the local
area networking using the 802.11 range of protocols or Bluetooth.
(This is confused even further by the fact that many cell phones also
use Bluetooth, sometimes even for intra-phone communications and
messaging.) However, wireless LANs are now commonly using the term
WiFi for computer-to-computer networking.
Wireless technologies of all types present a number of security
issues, primarily due to the fact that most of these technologies are
broadcast, and present the ultimate in promiscuous networks.
Encryption is generally seen as the answer
to all these problems, despite the fact that most systems use
link encryption rather than
end-to-end encryption. In
addition, the most widely implemented encryption standard,
WEP, is badly flawed, although the newer
WPA and WPA2 are more secure.
WPA
Wi-Fi Protected Access. WPA is a subset of the security aspects of
the 802.11i wireless networking protocol.
Using a per-packet, rather than a static,
encryption key, it is
more resistant to attack than is
WEP. WPA2 is the full implementation of the
802.11i standard and uses a stronger
encryption algorithm.
zombie
specialized type of backdoor or remote access
program designed as the agent, or client (middle layer) component of a
DDoS (Distributed Denial of Service) network.
Once a zombie is installed on a computer, it identifies itself to a
master computer, and then waits for instructions from the master
computer. Upon receipt of instructions from the master computer, a
number of zombie machines will send attack
packets to a target computer. Zombie may refer
to the control program run to control one of the middle layer
computers, or it may refer to a computer so controlled. See also
RAT.
RATs and zombies provide an interesting example of
an error in the use of technical terminology. Traditionally, the
program run on the naive user's computer, or the computer that is
running such a program, has been referred to as a
client, particularly when it is part of a
botnet. Technically, however, the RAT or zombie
agent program is providing a service at the request of the malicious
controller. Therefore, properly the controller would be the client,
and the controlled user computer (and the software running on it)
would be the server. However, this correct usage is almost never
followed.