A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Abacus Sentry

Public-domain UNIX utility to detect the use of a port scanner in real time.

Abend

See crash.

Abuse

See computer abuse or breach.

Access control

The technique of limiting access to sensitive resources, such that only authorised subjects (typically users, systems or programs) can reach them. Includes physical, logical and procedural controls e.g. locked doors, passwords and computer suite visitor procedures.

Access rights, access rules

Having gained access to an access-controlled resource, a system may limit the subject's access rights (abilities) by access rules (criteria), typically using an ACL.

Access router

A router used to connect directly to the Internet or other external network. Generally forms the first layer of network perimeter controls.

Account

See username.

Accountability, accountable

The concept of a higher authority (normally senior management) demanding that an individual takes ownership of a particular issue or activity. When openly promoted by those in authority, the threat of being 'held accountable' for one's actions can be a powerful deterrent control. Implies the ability to trace and link actions uniquely to individuals, generally through the use of audit trails (recording what happened) coupled with access controls and user authentication (specifically identifying the perpetrator). Term is used more loosely in the wider sense of management responsibilities e.g. to implement appropriate governance controls.

ACL (Access Control List)

In most operating systems, an object (e.g. a network port, service, file, directory, memory location or device) may have a set of access control rules attached to it. When a subject (normally a process acting on behalf of a user) attempts to access the object, security functions within the system's kernel check down the access list until the subject's ID is matched, in which case the rule is executed. There may also be a default or implicit rule (e.g. "allow full access" or "disallow all access") in case there is no explicit matching entry.
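The first-match walk described above, as an added example (not code from the original glossary). The entry layout (subject, rights, allow/deny), the group names and the sample payroll ACL are assumptions chosen to show why ordering matters and why the implicit default should be deny:

```python
"""First-match ACL evaluation with an implicit default rule.

Added example, not code from the original glossary. The entry layout
(subject, rights, allow/deny) and the sample payroll ACL are assumptions
chosen to illustrate ordering and the default rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str          # user name, group name, or "*" for any subject
    rights: frozenset     # operations this entry speaks about, e.g. {"read"}
    allow: bool           # True: grant those operations; False: deny them


def evaluate(acl, subject, groups, operation, default_allow=False):
    """Walk the list top to bottom. The first entry that names the subject
    (directly, through one of its groups, or via "*") AND mentions the
    requested operation decides. Nothing matched: the implicit default
    rule applies, which a secure configuration sets to deny."""
    for entry in acl:
        subject_matches = entry.subject in ("*", subject) or entry.subject in groups
        if subject_matches and operation in entry.rights:
            return entry.allow
    return default_allow


# Constructed sample ACL for a payroll file. "staff" and "contractors" are groups.
PAYROLL_ACL = [
    AclEntry("alice", frozenset({"read", "write"}), True),
    AclEntry("contractors", frozenset({"read", "write", "delete"}), False),
    AclEntry("staff", frozenset({"read"}), True),
]


def decisions():
    """Access decisions for three subjects against PAYROLL_ACL."""
    return {
        "alice_write": evaluate(PAYROLL_ACL, "alice", {"staff"}, "write"),               # entry 1
        "bob_read": evaluate(PAYROLL_ACL, "bob", {"staff"}, "read"),                     # entry 3
        "bob_write": evaluate(PAYROLL_ACL, "bob", {"staff"}, "write"),                   # default deny
        "carol_read": evaluate(PAYROLL_ACL, "carol", {"staff", "contractors"}, "read"),  # entry 2 denies
    }


def ordering_pitfall():
    """Same entries, but the staff allow moved above the contractor deny:
    carol (a contractor who is also staff) now reads the file because the
    deny entry is never reached."""
    reordered = [PAYROLL_ACL[0], PAYROLL_ACL[2], PAYROLL_ACL[1]]
    return evaluate(reordered, "carol", {"staff", "contractors"}, "read")


if __name__ == "__main__":
    print(decisions())
    print("carol reads after reorder:", ordering_pitfall())
```

The two things a practitioner checks when reviewing a real ACL are exactly what the example exercises: where the deny entries sit relative to broad group allows, and what the system does when no entry matches at all.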

ActiveX

Microsoft software technology for downloading and running signed COM (Component Object Model) code, Win32 programs etc. ("controls") embedded within web pages. Controls run as native code with the full privileges of the logged-in user. The author of a control can additionally mark it "safe for scripting", which lets any web page's script instantiate and drive it, so a bug in such a control is reachable from every site the user visits. If a user inadvertently accepts and executes a malicious or bug-ridden ActiveX control downloaded directly from a hacked web page, or indirectly via a hyperlink to another website, security of the user's client machine and LAN may be severely compromised. The digital signature (see Authenticode) identifies the publisher; it says nothing about whether the code is safe. See also Java.

[System/network] Administration, management

In an information security context, administration of computer systems and networks involves the use of privileged system facilities and utilities to configure, monitor and maintain them securely. Deliberate, misguided, incompetent or accidental misuse of these facilities and utilities can completely compromise confidentiality, integrity and/or availability controls. The people who perform these roles should therefore be completely trustworthy, diligent and competent, and they should ideally use standard operating procedures to reduce the risks.

Administrator [ID]

The default username of the main system management account on Windows NT systems, broadly equivalent to ROOT for UNIX. System managers or hackers who gain access to this privileged account can bypass practically any automated controls on the system.

Admissibility (of evidence)

A law court will only accept evidence which is relevant to the case and reliable. This can create problems in hacking cases where computers have clearly been compromised during the attacks and are therefore not necessarily reliable. Inexperienced investigators can inadvertently compromise computer evidence by seemingly innocuous acts such as running the 'directory' command, whilst if operating system files have been hacked, the output of such commands will also be questionable. Computer forensics investigators take special precautions to avoid such situations.

AES (Advanced Encryption Standard)

Block cipher (Rijndael, designed by Joan Daemen and Vincent Rijmen) selected by NIST in October 2000 and published as FIPS 197 in November 2001 to replace DES and, in time, triple-DES. It operates on 128-bit blocks with keys of 128, 192 or 256 bits.

Aggregation (of data)

By aggregating (combining and relating) data from various sources, it is usually possible for a hacker to build up a better picture of a target than by relying on one or a few sources. Similarly, in military situations, data aggregation techniques (such as traffic analysis and data mining) can provide additional clues about an adversary's position. Consider this next time your organisation publishes explicit details of its latest computer systems purchases in a press release!

AH (Authentication Header)

One of the two IPsec protocols (alongside ESP). AH provides integrity and data-origin authentication for the whole IP packet, including the header fields that do not change in transit, but no confidentiality; ESP encrypts the payload and may also authenticate it. The keys and algorithms a pair of hosts use are held in a security association (SA), negotiated separately from the protocols themselves (e.g. by IKE), so the protection mechanisms and key management are kept independent.

AIDE (Advanced Intrusion Detection Environment)

Public-domain UNIX utility, similar to Tripwire, used to detect changes in important files (which may indicate they have been hacked or virus infected).

Airsnort

Wireless LAN tool that passively collects 802.11 frames and recovers the WEP key once enough weakly-encrypted packets have been captured (exploiting the RC4 key-scheduling weakness published by Fluhrer, Mantin and Shamir). Despite the name it is unrelated to the Snort intrusion detection system.

Alarm, alert

When a detective control is triggered by some event condition (e.g. someone tries to login with an invalid username/password combination), it generally causes the system to send an alarm message to alert the operator and/or store the message in a security log file, in addition perhaps to taking direct action (e.g. halting the login process). Good systems allow these alarm/alert messages to be prioritised and presented appropriately to the operators in near-real-time.

Alice and Bob

By convention, books and articles about encryption usually use these names to refer to the counterparties exchanging encrypted messages. There is no special significance to the names (except perhaps for their initials) but the convention helps familiarise readers in this complex field.

Analytic attack

Form of cryptanalysis in which the analyst exploits mathematical weaknesses in the encryption algorithm or process to break the code.

Ankle biter

Derogatory term for a young/immature hacker who simply uses automated hacking scripts and programs written by others, but probably aspires to become a hacker. See also script kiddie.

Annualised Loss Expectancy (ALE)

Insurance industry term for the financial value of losses (impacts) typically expected in an 'average' year under particular circumstances: the cost of a single incident (single loss expectancy) multiplied by the number of incidents expected per year (annualised rate of occurrence). Crudely put, an expected loss of say $30k once every three years equates to an ALE of $10k. Insurers take into account controls that reduce the probability or extent of loss (e.g. in the case of hacking insurance, the chances of a company being hacked should be reduced by the use of professionally-managed information security services) and conversely situations which increase the probability or extent of loss (e.g. a high-profile media campaign against a company), in determining the appropriate level of premium. They also list specific exclusions and terms of cover in the policy small-print (caveat emptor!).

Anomaly

Extraordinary activity. Hacks or bugs may be identified as a result of someone noticing something unusual in a system's behaviour (e.g. unexpected entries in a system log file). In his well-known book "The Cuckoo's Egg", Cliff Stoll recounts a chance discovery of a discrepancy of just a few cents between two accounting systems that led eventually to the unravelling of a hack. Many detective controls (e.g. intrusion detection systems) in fact rely on identifying anomalies. Automated 'anomaly detection systems' typically build a profile of normal activity and flag significant deviations from it, rather than matching known attack signatures.

Anonftpd

A UNIX-based public-domain read-only anonymous FTP server.

Anonymous FTP, anonymous login

FTP may be configured to allow "anonymous" access to certain "public" directories, i.e. the FTP server does not demand a valid username and password but uses a default account (conventionally "anonymous" or "ftp", with an e-mail address as the password). The consequences of allowing unauthenticated user access are pretty self-evident, especially if the system's access control settings are so weak as to allow unrestricted access to areas outside the designated public area, or if the public area is writable and becomes a drop for pirated or illicit material. However, such security vulnerabilities may not be recognised by system administrators, or may be deliberately ignored due to the 'convenience' of generic file transfers etc.

Anti-virus control

Special security software and procedures designed to detect and prevent the introduction and spread of computer viruses and similar malware into (and sometimes out of) an organisation.

Anton Piller order

In the UK, a copyright holder with reliable information that another party is infringing their copyright may approach the courts for a so-called Anton Piller order giving the right to search the other party's premises without prior notice in order to obtain further evidence.

Application, application program, applet

Computer program/s in software or firmware performing one or more useful data processing functions for users of a system. Applications generally rely on calls to underlying operating system software to operate and access physical devices such as disks. Applets are small applications, usually written in Java, embedded in webpages. Well-designed applications incorporate appropriate technical security controls (e.g. automated data-entry validation) and are operated according to defined procedures incorporating appropriate manual controls (e.g. management review), as well as employing appropriate security functions in the operating system (e.g. user authentication and security event logging services).

Application-level firewall or gateway

Type of firewall that terminates the TCP connection itself, so it holds the complete connection state, and makes its decisions on the content at the application layer (e.g. which HTTP methods, URLs or SMTP commands are permitted), not merely on addresses and ports. Normally implemented as a proxy: the client talks to the firewall and the firewall opens a separate connection to the real server, which incidentally hides internal IP addresses from the outside world.

Appropriate

Generally means "acceptable to the organisation". Many organisations have corporate policies for 'appropriate use of the Internet' for example, which define legitimate business uses and/or illegitimate activities (e.g. "Do nothing on the Internet which, if disclosed publicly, would cause you or the organisation embarrassment or might lead to prosecution").

Arbitrary

Security advisories from CERT and similar organisations often refer to the ability to exploit a bug or other vulnerability to 'execute arbitrary code' on the compromised system. In effect, this seemingly innocuous term means successful attackers would be able to run whatever they choose with the privileges of the vulnerable program, which for a privileged service means full administrative control of the system. Using a root kit, for example, hackers may edit or delete the system security logs, create back-door entry points and/or use the system as a platform to attack other connected systems (see leapfrog). If the system holds sensitive data, they may take copies or modify them. Until such time as someone notices the breach and takes the system off-line, the hackers have free rein. Beware the term 'arbitrary'!

Archive, archival

Archived data are not expected to be required in the near-term and are removed from on-line system storage (e.g. hard disk) to off-line storage (e.g. magnetic tape) in order that they may still be accessed subsequently ("retrieved"). Data that are important enough to be archived should generally be copied to duplicate archive media prior to deletion from on-line media, and should be stored securely (typically in physically-separate fire safes or vaults) in case the primary copy is lost (e.g. if the tape is accidentally overwritten or damaged during retrieval).

Argus

A UNIX-based public-domain IP network monitoring tool. Provides facilities to compare network activities against information security policies etc.

ARP (Address Resolution Protocol)

Simple TCP/IP protocol for dynamically relating IP addresses of devices broadcasting on an Ethernet segment on a LAN to their corresponding MAC addresses (or, with "Reverse ARP" [RARP], vice versa). Most network devices store addresses received by ARP in local caches to speed look-ups: attacks that damage integrity of the stored data are known as "ARP cache poisoning attacks". Defined in STD 37, RFC 826.

ARPANET

Packet-switched network established in 1969 by the US Advanced Research Projects Agency (ARPA, later DARPA). It adopted the TCP/IP protocols in 1983 and evolved into the Internet. Despite its military origins, information security was not a primary design goal for ARPANET as threats such as cracking were practically nonexistent at the time. ARPANET and the Internet were designed to share information openly rather than restrict it.

Arpwatch

A UNIX-based public-domain utility to track ARP messages and cross-reference IP addresses against Ethernet addresses on a LAN e.g. for signs of spoofing.
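The kind of tracking arpwatch performs, applied to the ARP cache poisoning mentioned under ARP above, as an added example (not code from the original glossary or from arpwatch itself). The capture lines are constructed in a tcpdump-like format; the alert names ("new station", "changed ethernet address", "flip flop") follow the vocabulary arpwatch uses in its reports:

```python
"""Arpwatch-style detection of changing IP-to-MAC bindings.

Added example, not code from the original glossary or from arpwatch itself.
The input lines are constructed in a tcpdump-like format; the alert names
follow the vocabulary arpwatch uses for its reports.
"""
import re
from collections import defaultdict

# Constructed capture: the host at .20 starts answering for the gateway's IP,
# then the real gateway and the impostor alternate (typical of poisoning).
ARP_LOG = """\
10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:ee, length 28
10:00:05 ARP, Reply 192.168.1.1 is-at 00:AA:BB:CC:DD:EE, length 28
10:00:06 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:07 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:ee, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply; MACs normalised to lower case."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def watch(replies):
    """Track the MAC each IP last claimed. A change raises an alert; a change
    back to the MAC seen before the last change is reported as a flip flop,
    the signature of two stations fighting over one address."""
    current, previous, alerts = {}, {}, []
    for ts, ip, mac in replies:
        if ip not in current:
            alerts.append((ts, "new station", ip, mac))
        elif current[ip] != mac:
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            alerts.append((ts, kind, ip, mac))
            previous[ip] = current[ip]
        current[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """One MAC answering for several IPs is another sign worth a look."""
    ips = defaultdict(set)
    for _, ip, mac in replies:
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    events = list(parse_replies(ARP_LOG))
    for alert in watch(events):
        print(*alert)
    print(macs_claiming_multiple_ips(events))
```

A single "changed ethernet address" is often legitimate (a replaced network card, a DHCP lease moving), so the flip flop pattern, where the binding oscillates within seconds, is the one that deserves an immediate look; the second function catches the impostor from the other direction, since its MAC is now claiming both its own address and the gateway's.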

ASP (Active Server Page)

Microsoft software (built-in to IIS) that allows web pages to be generated dynamically by the server. As with other similar systems, ASP security vulnerabilities have been abused by hackers to gain unauthorised access to server- or client-side resources. See also CGI.

Assurance

A measure of confidence that the information security and control features, functions and architecture of a computer system (collectively or individually) satisfy (i.e. mediate and enforce) the security requirements, policies etc. Assurance is rarely absolute.

Asymmetric cryptography

Form of Cryptography that uses pairs of complementary (or asymmetric) keys to encrypt and decrypt a message. For more information, see public-key cryptography.

Attack

A deliberate attempt by a perpetrator to breach security controls on a computer. The attack may actually alter, release, delete or deny access to data and/or systems, or the perpetrator may simply gain unauthorised access to systems and/or data. There may or may not be any direct material impact as a result. The success of a particular attack depends on the vulnerability of the computer system i.e. the effectiveness of existing controls at the time.

Audit, auditor, auditing

The independent examination of a sample of records, activities and/or systems to assess the state of governance, to ensure compliance with necessary controls, policies and procedures, and to recommend control improvements where judged necessary to reduce risks. Role performed by Internal and External Auditors and, for computer systems, Computer Auditors.

Audit (auditable) event

A discrete action detected by the system that may or may not generate a record in the audit log. Depending on audit rules (parameters) governed by the logical security policy, the system determines whether or not to record each specific audit event.

Audit log, activity log

Chronological record of audit events, generally linked to the corresponding user or system IDs. Strictly speaking, an audit log is a set of physical/electronic data records whereas an audit trail is the intangible information derived by analysing the log/s to reconstruct the original sequence of events. May also include (or be cross-related to) other logs and records e.g. system security logs, change logs, error logs etc.

Audit trail, audit record

Chronological record of audit events, generally linked to the corresponding user or system IDs, used to reconstruct/verify an historical sequence of actions.

Authenticate, authentication, authenticity

The process positively to establish (beyond all reasonable doubt) the validity of a user, program, device or other object's claimed identity, often as a prerequisite to allowing access to controlled resources in a system. Normally involves verifying a distinctive digital signature, password, fingerprint or other biometric etc. and/or the possession of a token, that would be practically impossible for anyone else to forge. Note the terms 'reasonable doubt' and 'practically impossible': authentication can be performed to various degrees of assurance according to the requirements by applying appropriate methods and rigour. Weak network node authentication systems based on IP addresses, for example, contrast markedly with those based on Kerberos.

Authenticode

Microsoft protocol that allows developers to digitally-sign their programs so any later program modifications (e.g. Trojans or viruses) should be detectable.

Authorisation, authorise, authority

The granting of permission by a resource owner to an authenticated individual to access the resource for a specific purpose. Access which is not covered by an explicit authorisation rule may be covered by an all-encompassing default (e.g. "all access is deemed unauthorised unless specifically authorised by management") - this kind of catch-all condition is commonly used in ACLs including access rules for firewalls.

Automated or technical controls

Security controls enforced and enacted automatically by a computer/network system e.g. the login process. Supplements procedural and physical controls.

Automated security monitoring

Automatic system processes that continuously or periodically confirm the correct operation of security controls e.g. by scanning intrusion logs for intruder alerts, re-calculating and comparing against stored hash values for critical files etc.

Availability

The assurance that data/information, data processing functions and communications services will in fact be ready for use by authorised users when and where expected or required, without unacceptable delay. Part of the CIA triad. Some situations may require the use of fault-tolerance techniques to ensure systems and networks remain on-line 'round-the-clock' (also called '24x7' or '24x365'). See also threat, vulnerability, impact and risk.


Backdoor

A hole in the system access controls deliberately installed by designers, maintainers or hackers. Hidden software or hardware mechanism used to circumvent access controls and allow unauthorised access e.g. the "Back Orifice" Trojan. Some backdoors, originally installed for legitimate purposes (e.g. for support access to a database), are now being exploited illicitly by hackers. See also trapdoor.

Backup, restore

The process of making one or more duplicate copies of data and/or systems for safe storage (normally in a firesafe, often off-site), such that if the original data or systems are lost or otherwise unavailable, the backups may be retrieved and reloaded, possibly at a secondary (recovery) site. The ability to restore data and data structures from backups (onto a test system, NOT overwiriting the original data!) should be tested occasionally to ensure their effectiveness despite any configuration changes on the systems. See also hot site and warm site.

Bastion host

A hardened server, specifically designed to resist hacker attack and located on the network in a position likely to come under attack (e.g. in the DMZ or outside on the public Internet).

Bell-LaPadula security model

Widely-implemented formal model of computer security describing a set of object access controls based on the combination of information sensitivity (indicated by classification labels) and subject authorisation.
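The two Bell-LaPadula rules as an added example (not code from the original glossary): the simple security property ("no read up") and the *-property ("no write down"), evaluated over a lattice of classification levels and compartments. The level names, the compartments and the analyst's clearance are assumptions chosen for illustration.

```python
"""Bell-LaPadula read/write checks over classification levels and compartments.

Added example, not code from the original glossary. The level names, the
compartments and the subjects are assumptions chosen for illustration.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice ordering: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def may_read(subject, obj):
    """Simple security property ("no read up"): the subject's clearance
    must dominate the object's classification."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property ("no write down"): the object's label must dominate the
    subject's, so information can only flow to an equal or higher label."""
    return obj.dominates(subject)


def check_matrix():
    """(read, write) decisions for a SECRET analyst cleared for the NUCLEAR compartment."""
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    objects = {
        "secret_nuclear": Label("SECRET", frozenset({"NUCLEAR"})),
        "top_secret_nuclear": Label("TOP SECRET", frozenset({"NUCLEAR"})),
        "secret_crypto": Label("SECRET", frozenset({"CRYPTO"})),   # incomparable compartment
        "unclassified": Label("UNCLASSIFIED"),
    }
    return {name: (may_read(analyst, o), may_write(analyst, o)) for name, o in objects.items()}


if __name__ == "__main__":
    for name, (r, w) in check_matrix().items():
        print(f"{name:20s} read={r!s:5s} write={w}")
```

Two results are worth dwelling on: the SECRET/CRYPTO object is neither readable nor writable because the labels are incomparable in the lattice, and the TOP SECRET object is writable but not readable (a "blind write-up"). The model guards confidentiality only; that blind write-up is precisely the integrity gap that models such as Biba, or a practical ceiling on write-up, are added to close.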

BIND (Berkeley Internet Name Domain), Bindview

The most widely-deployed DNS server software, originating on Berkeley UNIX. Has been the target of numerous remotely exploitable bugs and the patches that followed them; because it is reachable from the Internet and historically ran as root, it should be kept current and run with minimal privileges (e.g. as a non-root user in a chroot jail).

Biometric authentication

Use of a person's physical bodily characteristics (e.g. fingerprint, retina pattern, facial features, voice) to determine their identity. Potentially more reliable than password systems if properly designed and implemented, but subject to false positives (an impostor accepted) and false negatives (a genuine user rejected), and, if the captured template or sample is not protected in transit, to simple replay attacks. Unlike a password, a compromised biometric cannot be changed.

BIOS (Basic Input/Output System)

When a computer or network system starts up, it initially loads and runs the BIOS, a miniature operating system, normally from firmware (e.g. EEPROM chip). The purpose of the BIOS is to run 'Power On Self Test' (POST) hardware checks and mount certain system devices (such as the boot partition on a PC's C: drive and the console terminal) then load and run the main operating system. On a modern PC, the BIOS may apply some security controls (e.g. to prevent a hacker loading an unauthorised operating system from floppy disk) but this requires that the BIOS settings are themselves secured against modification by the hacker: difficult to do if the hacker has physical or logical access to the BIOS firmware.

Birthday attack

Cryptanalytic technique named after the counter-intuitive statistical fact that in a random group of just 23 people there is a better than even chance that two share a birthday, although it is far less likely that one particular person shares a birthday with anyone else in the group. Applied to an n-bit hash function: finding any two messages with the same hash (a collision) takes only about 2^(n/2) trials, whereas finding a message matching one given hash (a preimage) takes about 2^n. Hash outputs therefore need to be twice the intended security level, and short hashes are exposed to forgeries in which an innocuous document is crafted to collide with a harmful one before either is signed.
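The birthday probability and the collision bound, as an added example (not code from the original glossary). Truncating SHA-256 to a few bits stands in for a weak short hash so that the search finishes in a fraction of a second; no real hash is being broken. The message format "msg-N" is an arbitrary choice.

```python
"""The birthday bound: shared-birthday probability and a collision search
on a truncated hash.

Added example, not code from the original glossary. Truncating SHA-256 to a
few bits is an illustrative stand-in for a weak short hash.
"""
import hashlib
import math


def p_shared_birthday(n, days=365):
    """Exact probability that at least two of n people share a birthday."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def expected_trials(bits):
    """Approximate number of random digests before the first collision,
    sqrt(pi/2 * 2**bits): about 2**(bits/2), not 2**bits."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_digest(msg, bits):
    """The leading `bits` bits of SHA-256(msg) as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def prefix_matches(a, b, bits):
    return truncated_digest(a, bits) == truncated_digest(b, bits)


def find_collision(bits):
    """Find two distinct messages whose SHA-256 digests agree in their first
    `bits` bits by remembering every digest seen. Returns
    (msg_a, msg_b, hashes_computed)."""
    seen = {}
    for i in range(2 ** bits + 1):              # pigeonhole: must succeed by then
        msg = f"msg-{i}".encode()
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    raise AssertionError("unreachable by the pigeonhole principle")


if __name__ == "__main__":
    print(f"p(23 people share a birthday) = {p_shared_birthday(23):.4f}")
    a, b, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes "
          f"(expected about {expected_trials(24):.0f}; brute force would be 2**24 = {2**24})")
    print(a, b, hashlib.sha256(a).hexdigest()[:6], hashlib.sha256(b).hexdigest()[:6])
```

The memory used by the table grows with the number of trials; real collision searches use cycle-finding (e.g. Floyd or van Oorschot-Wiener parallel collision search) to keep the 2^(n/2) time with negligible memory, but the arithmetic that sets the bound is the same.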

Black hats

Figurative term for 'the bad guys' - fraudsters, crackers or hackers with malicious intent towards a target network or system (cf. 'white hats' and 'grey hats').

Block cipher

A type of encryption function that transforms plaintext in fixed-length blocks (typically 64 or 128 bits) under a fixed-length key; messages longer than one block are handled by a mode of operation (cf. stream cipher).

Blowfish

A 64-bit block cipher having key lengths of 32 to 448 bits.

Blue box

Some 30 years ago, phreakers discovered that they could manipulate certain public telephone systems by sending unauthorised network control signals (audio tones) from handsets, initially using whistles (such as the infamous toy whistle given away in Cap'n Crunch cereal packets) and then more sophisticated electronic devices (one legendary version of which was a box painted, er, blue, hence the name).

Bluetooth

Short-range wireless specification for personal-area networks that includes both link layer and application layer (profile) definitions. Operates on microwave radio using 79 channels at 1 MHz spacing across the 2.4 GHz band, with frequency hopping at up to 1,600 hops/sec (giving a "high degree of immunity" to noise or deliberate 'jamming' interference) and a gross air rate of 1 Mbps, so usable full-duplex throughput is below that. Mostly intended for networking small portable devices. As with other wireless technologies (e.g. Wireless Ethernet, HomeRF, Infra Red), several information security vulnerabilities exist.

Bomb, crash, Blue Screen of Death, bugcheck, crashdump, mail bomb

A gross software, firmware or operating system failure that completely stops execution of the function, program or entire system, i.e. it reduces system availability. 'Blue Screen of Death' (BSoD) refers to the typical colour of an exception (system failure) message reporting a complete failure of a computer operating system (also known as a bugcheck or crashdump). 'Mail bombing' refers to hackers sending large volumes of unsolicited EMAILs to a target in an attempt to overload and crash the mailserver.

Boot, bootstrap, master boot record, boot sector

When computers initially start up from cold (typically when the power is switched on), they go through a standard boot (short for bootstrap, as in pulling oneself up by one's bootstraps) sequence: the processor runs the BIOS from firmware, which performs a Power-On Self Test (POST) to confirm that the system devices are working, then reads the first sector of the boot device, the master boot record, which holds the partition table and a small loader; that loader in turn reads the boot sector of the active partition and loads the operating system files. Because the master boot record and boot sector are the first code executed from disk, before any operating system access controls exist, they are targeted by so-called boot-sector viruses.

Breach, compromise, incident, violation

The materialisation of a risk i.e. the defeat of defensive security controls which actually does result in unauthorised penetration of the system, a loss of system/data integrity, loss of availability etc. A violation of the defensive controls in a particular information system such that information assets or system components are unduly exposed. An intrusion into a computer system where unauthorised disclosure, modification or destruction of sensitive information has or may have occurred. Can include probes, physical events (vandalism, computer room floods/fires, power outages etc.), virus infections, worms etc. See also exploit and intrusion.

Bridge

A network device interconnecting two or more network segments that transparently forwards frames between them at the data link layer. In contrast to a brouter or router, a bridge has very limited data processing functionality beyond decoding frame addresses and basic frame integrity checking; it does not look at network-layer (IP) addresses and generally does not filter traffic.

Broadcast cryptanalysis (also known as Chinese Lottery)

Thought experiment described by Bruce Schneier in Applied Cryptography (after a 1991 proposal by Quisquater and Desmedt): a government could build specialised key-cracking chips into all new TVs and radios, then broadcast ciphertext over the airwaves for all of these devices to attack. The state might run it like a lottery with comparatively small prizes so that lots of people would tune in, and whoever's set found the key would call up with the 'winning' code. Given correct deployment and good luck, it has been calculated that the population of China could crack 56-bit keys efficiently. See halfbakery website for more information.

Broadcast storm

Networks can be swamped by devices that generate huge numbers of packets, whether deliberately (as in Denial of Service attacks caused by so-called Kamikaze, Christmas Tree or Chernobyl packets) or through network faults (including accidental mis-configuration or hardware problems). Nodes which rebroadcast multiple duplicate copies of packets to all nodes can be particularly entertaining or disruptive, depending on your point of view.

Brouter

A network device interconnecting two or more networks which passively transfers certain types or classes of data between the networks but actively filters, blocks or modifies others - a combination of bridge and router.

Browse, browser, browsing

Someone who casually looks around a computer system's files and parameters, looking for 'interesting' files or security vulnerabilities. Often precedes a hacking attempt.

Brute-force attack

Describes a direct frontal method of attacking a target head-on e.g. trying all possible combinations of characters to guess encryption keys or passwords (e.g. see Crack), or 'ram-raiding' (thieves who use cars to smash through windows or walls).

BS 7799

British Standard Code of Practice for Information Security Management. First published by the UK Department of Trade and Industry as a Code of Practice, then formalised as BS 7799 in February 1995 by the British Standards Institute. The standard was updated in May 1999 and split into two parts: Part 1 defines a controls framework and processes for establishing and maintaining an adequate level of information security. Part 1 became ISO 17799 in December 2000. Part 2, currently being revised, formally describes an information security management system in the form of a compliance checklist against the control objectives and controls listed in Part 1. BS 7799 certification involves being assessed against part 2.

Buffer overflow

Occurs when more data is written into a buffer (a fixed-size holding area in memory) than it can hold, because the code writing it does not check the input length against the buffer's capacity; the excess overwrites whatever lies next to the buffer in memory. Buffer overflows can simply cause system crashes (e.g. in denial of service attacks) or may be deliberately exploited by skilled hackers to overwrite program control data (such as a return address) so that the processor executes attacker-supplied code, thereby penetrating security defences (e.g. to gain privileged access).

Bug

An unintended property of a software program or piece of hardware, especially one that obviously causes a gross malfunction (overt bug) but also one that causes an unrecognised or seemingly trivial problem (cryptic bug). It has been estimated that less than 10% of the bugs in commercial software known by developers are ever noticed and reported by users. Bugs in commercial software that expose security vulnerabilities are frequently reported through Internet security news groups etc., followed later by patches from the software vendors concerned.

Bugtraq

Full-disclosure mailing list through which recently discovered vulnerabilities and exploits are discussed in some depth. Available on the WWW at www.bugtraq.com


Caesar cipher

Very weak encryption algorithm involving simple character substitution, attributed to the Roman general Julius Caesar. Each character in the plaintext message is substituted with the one obtained by rotating a certain number of positions (the key) through the character set to generate the equivalent ciphertext. Decryption simply involves reversing the direction of rotation. Cryptanalysis is straightforward as underlying linguistic patterns (such as character frequencies) are not obscured, there are relatively few keys to check (one per member of the character set, less one), and each character in the plaintext always translates to the same ciphertext character for a given key ('monoalphabetic').

Call-back

Relatively simple control used by certain so-called secure telephone modems, whereby remote callers authenticate themselves to the modem, the modem drops the connections and then dials the callers back (generally on pre-defined phone numbers) before proceeding. May be vulnerable to attacks on the authentication mechanism, dial-back database, telephone systems etc.

Capstone

Early 1990s U.S. government "Capstone Project" to develop a suite of cryptographic standards, which produced Skipjack (block cipher), DSA (digital signatures) and SHA (hashing) as well as the Clipper chip. The accompanying Escrowed Encryption Standard (EES) specified a Law Enforcement Access Field (LEAF) that would allow messages to be decrypted by the Government; public outcry at this facility, reflecting distrust of the Government's motives or competence, led to the demise of the Clipper/EES part of the project, while DSA and SHA survive as FIPS standards.

Carnivore

Name of sniffer system deployed by U.S. FBI under Court Order to intercept and record EMAIL messages to or from a specific IP address or individual user, for the purposes of collecting evidence to support a prosecution.

CD-ROM

Compact Disk - Read Only Memory data storage device. Useful to store a known good copy of operating system and application program files on a hardened server, as the CD-ROM itself cannot be modified or replaced without physical access to the drive (although it may potentially be bypassed or modified in software if the system is insecurely configured).

CERT (Computer Emergency Response Team)

Worldwide organisation of white-hats dedicated to collecting and disseminating information about Internet information security exploits, vulnerabilities, software problems/bugs and fixes through the CERT Coordination Centre originally established by DARPA after the Morris worm incident.

Certificate

See digital certificate.

[information security] Certification

Process by which an independent accredited certification body assesses the information security controls in a computer/network system or organisation against formal criteria (e.g. ISO 17799 or TCSEC) in order to decide whether to award a certificate of compliance.

Certificate or Certification Authority (CA)

The trusted top-level function/s in a PKI that actually creates valid digital certificates, issues them to authenticated users through Registration Authorities, and revokes them when necessary using the Certificate Revocation List, according to the Certification Practice Statement. The key pair is normally generated by the subject, who submits only the public key for signing; where the CA or a Registration Authority generates keys on the user's behalf, the private key has left the user's sole control and non-repudiation is weakened. Given that one of the main purposes of digital certificates is to authenticate their holders, users place a high degree of trust in the CA's ability to perform this authentication properly, and to maintain confidentiality of its own private key (preventing others from forging certificates).

Certificate or Certification Practice Statement (CPS)

Formal document describing the structure and operating rules of a PKI. Defines the extent of legal liabilities on the Certification Authority, for instance, and the encryption algorithms and related parameters to be used.

CGI (Common Gateway Interface) scripts

Server-side programs, run by the web server to generate dynamic/interactive HTML pages from data submitted by the client (query string, form fields, HTTP headers). A common source of website vulnerabilities, because the submitted data is attacker-controlled: copying it unchecked into fixed-size buffers gives buffer overflows, and pasting it into shell commands or database queries gives command injection. See also ASP and data-driven attack.

Challenge-response, negotiation

Refers to the sequential process commonly followed to authenticate a user or system to another, whereby: (a) one party issues a challenge (ideally a fresh random value, or nonce), (b) the other party computes and returns a response that depends on both the challenge and a secret it holds, (c) the first party validates the response to confirm the other's identity. Because the secret itself is never transmitted and each challenge is used once, a response captured on the wire cannot simply be replayed later. Typical examples are CHAP and the handshake that establishes an encrypted network session e.g. using SSL. A conventional password login, which sends the secret itself, is the degenerate case in which the 'challenge' never changes.

Change log

Log of changes made to a system. Usually entries are created manually but some systems automatically generate change records (which often require manual annotation to provide a complete record). Well-managed systems normally incorporate or are supported by controls to prevent and/or detect unauthorised changes such as the introduction of untested software or viruses.

CHAP (Challenge Handshake Authentication Protocol)

Challenge-response protocol used to authenticate the peers of a PPP (Point-to-Point Protocol) link, defined in RFC 1994. The authenticator sends a random challenge together with a one-byte identifier; the peer replies with its name and MD5(identifier || shared secret || challenge); the authenticator recomputes the value from its own copy of the secret and compares. The secret never crosses the link, and the authenticator may repeat the challenge at intervals during the session. Two caveats for practitioners: both ends must hold the secret in recoverable (cleartext) form, so the secrets file needs protecting, and the MD5 construction gives no defence against offline dictionary attacks by anyone who captures a challenge/response pair, so the secret must be long and random.
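The following Python is an added illustration of the challenge-response and CHAP entries above; it is not part of the glossary and not a real PPP implementation. The authenticator issues a random challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, and the authenticator recomputes and compares. The shared secret and the user name are made up for the example; the single-use bookkeeping of outstanding challenges shows why a captured response cannot be replayed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed shared secret; in PPP it lives in the secrets file on both ends and never crosses the link.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response for algorithm 5 (MD5): MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Side that issues challenges (step a) and validates responses (step c)."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self, length: int = 16) -> Tuple[int, bytes]:
        ident = self.next_id & 0xFF
        self.next_id += 1
        value = os.urandom(length)                # fresh, unpredictable challenge every time
        self.outstanding[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.outstanding.pop(ident, None)  # single use: a second answer to the same challenge fails
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Side being authenticated (step b); it proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(ident, self.secret, challenge)


def run_exchange(peer_secret: bytes = SHARED_SECRET) -> bool:
    """One full Challenge -> Response -> Success/Failure round; True means Success."""
    auth = Authenticator({"alice": SHARED_SECRET})
    peer = Peer("alice", peer_secret)
    ident, value = auth.challenge()          # Challenge packet, sent in the clear
    name, resp = peer.respond(ident, value)  # Response packet, sent in the clear
    return auth.verify(ident, name, resp)


def replay_is_rejected() -> bool:
    """An eavesdropper replaying a captured (identifier, name, response) triple gets Failure."""
    auth = Authenticator({"alice": SHARED_SECRET})
    peer = Peer("alice", SHARED_SECRET)
    ident, value = auth.challenge()
    name, resp = peer.respond(ident, value)
    genuine = auth.verify(ident, name, resp)
    replayed = auth.verify(ident, name, resp)
    return genuine and not replayed
```

Call run_exchange() for a successful authentication, run_exchange(b"wrong") for a failed one, and replay_is_rejected() to confirm that reusing a response fails. Note that chap_response is fast and unsalted: anyone who captures one challenge/response pair can test dictionary candidates against it offline.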

Checksum, parity check

Error-control (data validation) technique that derives a short value from a message or file so that a loss of integrity (alteration in transit or storage) can be detected by recomputing the value and comparing it with the one stored or transmitted. The simplest form is a parity check: a single bit appended to each byte so that the total number of set bits is even (even parity) or odd (odd parity). It catches any single-bit error but not necessarily truncation or multiple-bit changes; it is used, for example, to detect errors in memory cells. Longer checksums and CRCs detect accidental corruption far more reliably, but none of them detect deliberate modification, since an attacker who can change the data can recompute the checksum too. 'Cryptographic checksums' (keyed hashes or MACs) are slower to compute but withstand that, provided the key stays secret.

Check total

Another simple data validation technique, comparing a key parameter (such as the total number of data items) before and after another function. Separately calculating and comparing column- and row-wise grand totals is a common control in spreadsheet systems, for example.

Chinese Lottery

See broadcast cryptanalysis.

Chosen or known plaintext attack

Cryptanalysis techniques in which the cryptanalyst possesses both plaintext and the corresponding ciphertext. In a known plaintext attack the pairs are whatever happens to be available (e.g. a standard message header); in a chosen plaintext attack the cryptanalyst can obtain the ciphertext for plaintext of their own choosing, which is the stronger position. Either way the known plaintext forms a crib.

CIA (Confidentiality, Integrity, Availability) triad

By common consensus, effective information security delivers this trio of desirable data/system characteristics: confidentiality (secrecy), integrity (completeness, accuracy, relevance) and availability (access as and when required). Other functional benefits of information security controls (such as non-repudiation) can generally be categorised within CIA (non-repudiation could be considered an important factor determining the integrity of a communications process).

Ciphertext, cyphertext

The encrypted and unintelligible output version of a plaintext input having been fed through an encryption algorithm. Provided a 'strong' encryption algorithm is used (i.e. one that is highly resistant to cryptanalysis), it should be virtually impossible to reconstruct the plaintext from the ciphertext without knowledge of the secret encryption key/s.

Circuit-level gateway

Simple type of proxy firewall which validates and sets up TCP connections at the transport layer (SOCKS is the common example), thereafter relaying data between the networks with minimal processing or filtering; unlike an application-level proxy it does not inspect the content of the traffic it relays.

CISA (Certified Information Systems Auditor)

Internationally-recognised qualification for computer auditors, awarded by ISACA.

CISSP (Certified Information Systems Security Professional)

Increasingly widely-recognised qualification for information security practitioners (see (ISC)2 website for more information, also GIAC and CISA).

CLAS (CESG Listed Advisor Scheme)

Scheme run by UK CESG (Communications-Electronics Security Group) to assess and certify advisors for sensitive government information security work etc.

Cleartext

See plaintext.

CLEF (Commercial Licensed Evaluation Facility)

Name of an agency accredited by the UK Government to evaluate and certify information security products according to the ITSEC criteria.

Coaxial cable

Type of cable used for radio transmission and data networks, consisting of an inner conductor surrounded by a dielectric insulating layer and metallic shield, with an outer plastic sheath. Low quality coax does not have a complete shield and therefore radiates some signal (an eavesdropping concern) and is more susceptible to external interference. See also UTP and fibre-optic cables.

Coding, decoding

The straightforward conversion of a message or other data to or from a defined format, generally by a published and freely-available simple algorithm or method (cf. encryption, decryption). The term 'computer coding' usually refers to software programming since 'computer code' usually means software.

Cold site

Location to which computer operations may be moved under a Disaster Contingency Plan in the event of a major physical disaster at the primary site. To save costs, a cold-site may be fitted with air-conditioning and mains power but not normally computer or networking equipment, therefore it can easily take a week or more to fit-out and bring a cold-site into effect (cf. warm-site, hot-site or dual-live setups).

Colossus

Name of the world's first programmable electronic digital computer, built at "Station X" (the Government Code and Cypher School at Bletchley Park, England) to help break Lorenz cipher messages during the Second World War. For the full story, see The Bletchley Park Trust website.

Common Criteria (CC)

International successor to the national and regional information security evaluation schemes TCSEC (US) and ITSEC (European), published as ISO/IEC 15408. Aims to establish a common language for stating security requirements (Protection Profiles and Security Targets) and mutually-recognised evaluation and certification processes.

Common-mode failure

Where redundant parts of an information system/network share certain characteristics, they may both be simultaneously vulnerable to the same common threat (e.g. the year 2000 problem simultaneously threatened billions of systems worldwide).

Competitive Intelligence (CI), Business Intelligence (BI)

More-or-less legitimate use of an organisation's general staff and resources to maintain vigilance on competitors and market developments, channel the disparate information sources to analysts, and distribute the results to those with a need to know. The breadth of inputs to a CI system is hard to match by directed information gathering, but combining sources and assessing the information quality in near-real-time are serious challenges even for modern artificial intelligence systems. See also industrial espionage.

Compliance

State of conformance with requirements laid down in strategies, policies, procedures, guidelines, standards etc. A compliance audit, then, seeks to verify that the subject has not 'broken the rules' (at least not without good reason).

Compromise

See breach.

Computer abuse/misuse

Wilful or negligent unauthorised activity that affects the confidentiality, integrity and/or availability of computer resources, including fraud, embezzlement, theft, malicious/accidental damage, unauthorised use, denial of service, misappropriation, data modification, disclosure or destruction.

Computer audit

Specialised branch of auditing concerned with examining and advising on the information security controls environment (technical and procedural controls) within and surrounding computer systems and networks. Typically includes reviewing, testing and advising on information security control frameworks, system security architectures/designs, logical controls, software development projects, operational systems, end-user and system administrator procedures, computer room facilities, computer security incidents etc.

Computer fraud

Crime involving deliberate misrepresentation, alteration and/or disclosure of computer data in order to obtain unauthorised access to valuable assets (e.g. logging on to a bank system through another person's user ID or sending a forged EMAIL to authorise an illegitimate money transfer). See also extortion.

Computer security

Technical and managerial/operational procedures applied to computer and network systems to ensure the confidentiality, integrity and availability of data and data processing systems.

Confidentiality

Assurance that sensitive information will be kept secret, with access limited to appropriate authorised persons, program functions etc. using access controls such as limited logical access rights and restrictive clauses in employment contracts limiting disclosure of trade secrets etc. Part of the CIA triad.

Configuration management, change control

Few controls operate fully and automatically when systems or networks are initially installed, leaving them vulnerable until such time as they are properly set-up. Furthermore, even after a system/network has been securely configured, the accumulation of miscellaneous changes tends to reduce the level of security gradually over time. Effective configuration management or change control is therefore itself an important part of a strong information security framework, typically used in conjunction with security testing/penetration testing and computer auditing.

Contingency planning

The preparation of emergency action plans in the event of some disaster or crisis, such as a major fire, disk failure or fraud (usually comprising DCP/DRP and/or BCP). Contingency arrangements can vary from little more than mobilising a rapid reaction team to deal with the immediate situation (crisis plan) to long-term commercial arrangements for restoration of operations, IT systems and data at alternative locations. See also dual-live, hot-site, warm-site and cold-site.

Control

Action, device, procedure, technique or other measure that reduces the vulnerability of a computer system or network to one or more threats, or reduces those threats (preventive controls), or reduces the impact should breaches occur. (See also detective and/or corrective controls).

Cookie

Web servers may send cookies, small name/value pairs carried in Set-Cookie headers and typically identifying the user or session, which the browser stores on the client and returns to the issuing server on later requests in the same or subsequent sessions. Insecurely-configured websites have been known to store confidential data, or data the server later trusts (prices, roles, account numbers), in cookies, even though cookie values may easily be read or modified on the client PC and, if the Domain attribute is set too broadly, may be sent to sites other than the one which issued them. Cookies not marked Secure are also sent over plain HTTP, and those not marked HttpOnly can be read by scripts running in the page. Most modern browsers incorporate functions to manage cookies.
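As an added example (written for this page, not part of the glossary), the Python below does what a reviewer or scanner does with the entry above: it audits a Set-Cookie header for the weaknesses described (missing Secure and HttpOnly, an over-broad Domain, application data stored client-side) and then builds the safer alternative, an opaque random session identifier with the data kept server-side. The insecure header value and the session store are constructed for the example; only the standard library is used.

```python
import re
import secrets
import urllib.parse
from http.cookies import SimpleCookie
from typing import Dict, List


def looks_like_data(value: str) -> bool:
    """A session identifier is an opaque token; structured content ('role=admin',
    'card:4111...') is application data that the client can read and rewrite."""
    return re.search(r"[=:;]", urllib.parse.unquote(value)) is not None


def audit_set_cookie(header_value: str, served_over_https: bool = True) -> List[str]:
    """Report weaknesses in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings: List[str] = []
    for name, morsel in jar.items():
        if served_over_https and not morsel["secure"]:
            findings.append(f"{name}: missing Secure, so it is also sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, so page scripts can read it")
        if morsel["domain"].startswith("."):
            findings.append(f"{name}: Domain={morsel['domain']} shares it with every subdomain")
        if looks_like_data(morsel.value):
            findings.append(f"{name}: value carries application data the client can alter")
    return findings


def make_session_cookie(session_store: Dict[str, dict], user: str) -> str:
    """The safer pattern: an opaque random identifier on the client, the data server-side."""
    sid = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
    session_store[sid] = {"user": user}      # role, account details etc. stay here
    jar = SimpleCookie()
    jar["session"] = sid
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Strict"
    return jar.output(header="").strip()


# Constructed example of the insecure pattern the entry describes.
BAD_COOKIE = "userdata=role%3Dadmin%3Bcard%3D4111111111111111; Path=/; Domain=.example.com"
```

audit_set_cookie(BAD_COOKIE) returns four findings; audit_set_cookie(make_session_cookie({}, "alice")) returns none. The check on the value is a heuristic for review purposes: the real rule is that nothing the server relies on should be stored on the client unless it is signed or encrypted server-side.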

COPS (Computer Oracle and Password System)

Public-domain program that identifies certain security risks on a UNIX system, such as null (non-existent) passwords, world-writeable files, mis-configured Anonymous FTP and many others. See also SATAN.

Copyright

Software written in most countries is automatically protected under copyright law as a "literary work" to discourage unauthorised copying or use, unless these rights are explicitly waived by the owner/originator (see public-domain software or freeware). Someone who purchases a commercial software package rarely owns the software as such, but merely buys certain limited rights to copy and use it according to the licence conditions. See also Anton Piller and patents.

Corrective control

A class of information security controls designed to reduce the impact of certain breaches by restoring the system more-or-less to the unbreached condition e.g. restoring from backups (cf. preventive and detective controls).

Countermeasure

Please see control.

Courtney

A public-domain UNIX-based utility that attempts to identify the use of SATAN. Named as in "Caught any [hackers]?"

Covert channel

Illicit mechanism for secretly sending information out of a system or organisation to a remote recipient, or vice-versa, often involving a process not intended for [that form of] data communications e.g. timing or performance differences, out-of-band signalling or disk areas beyond end-of-file markers. Some Internet-enabled software applications use the Internet as a covert channel to send certain data to the software vendor. Semi-legitimate purposes might include the communication of information to monitor compliance with software copyright licence terms. However, essentially the same mechanism could potentially be used for unauthorised dissemination of confidential information, including personal data. Even the simple fact that the mechanism is covert will often create distrust.

Crack

Password-cracking program (Alec Muffett's Crack, for UNIX) that 'guesses' passwords offline: it hashes candidate words taken from a dictionary (including usernames, with rule-based variations such as capitalisation and appended digits) or formed from random characters, and compares the results with the values stored in a password file (usually stolen). On a fast system Crack can test many thousands of candidates per second and is highly effective against weak passwords. More generally, the term 'cracking' implies brute-force attacks on encryption keys, including those used to enforce copyright protection.

Cracker, cracking

Some people refer to malevolent hackers with malicious intent as 'crackers' to distinguish them from those who merely seek the intellectual challenge and pleasure, or ethical hackers who are authorised and usually paid by the client to attack their systems. In practice, it can be very difficult to tell them apart. Both types represent information security threats but crackers are more likely to break things deliberately and wilfully.

CRAMM (CCTA Risk Analysis and Management Method)

Structured, formal risk assessment method, developed for UK Government use and these days available as a Windows PC package. CRAMM is thorough, requiring a large amount of user input. It mechanistically recommends what it regards as appropriate controls from a large database of potential controls, in order to address the identified risks. CRAMM is currently being extended to incorporate ISO 17799, although this appears to be a separate module not fully integrated within the main process.

Crash, abend, hang

Sudden termination of data processing by a computer or network, typically caused by a bug, power glitch or hacking attack. 'Crash' refers to the dramatic end. 'Abend' (IBM mainframe term) stands for 'abnormal end'. A system which 'hangs' has typically got stuck in an infinite processing loop and may have to be shut down and re-booted to resume normal processing. All of these events, of course, impact system availability.

CRC (Cyclic Redundancy Check)

Error-detection scheme in which a fixed-length check value, computed by polynomial division over the data, is appended to it and recomputed by the receiver; CRC-32 is used in Ethernet frames and zip files, for example. A CRC reliably detects accidental corruption (including bursts of bit errors) but offers no protection against deliberate modification, because anyone who alters the data can recompute the CRC. See checksum.
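The Python below is an added illustration of the checksum and CRC entries (example code for this page, not part of the glossary). It computes an even parity bit and a bit-by-bit CRC-32 (the polynomial used in Ethernet and zip, producing the same value as zlib.crc32), then shows the limitation both entries describe: a flipped bit is caught, but an attacker who changes a message and recomputes the unkeyed check value passes the receiver's check, whereas a keyed HMAC over the same message does not. The message, the key and the attacker's edit are constructed for the example.

```python
import hashlib
import hmac
import zlib


def even_parity_bit(byte: int) -> int:
    """Bit that makes the total number of set bits in (byte, parity) even.
    For odd parity, invert it."""
    return bin(byte & 0xFF).count("1") & 1


def crc32(data: bytes) -> int:
    """CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320) written out bit by bit;
    matches zlib.crc32(data) for any input."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    return crc32(data) == zlib.crc32(data)


# --- how a receiver uses a check value --------------------------------------------
KEY = b"constructed-shared-key"          # known to sender and receiver only


def crc_tag(data: bytes) -> bytes:
    return crc32(data).to_bytes(4, "big")


def hmac_tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def receiver_accepts(data: bytes, tag: bytes, tag_fn) -> bool:
    """Receiver recomputes the tag over what arrived and compares in constant time."""
    return hmac.compare_digest(tag_fn(data), tag)


MESSAGE = b"PAY alice 100.00"            # constructed sample message


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def crc_catches_line_noise() -> bool:
    """Accidental single-bit corruption: the CRC sent with the message no longer matches."""
    return not receiver_accepts(flip_bit(MESSAGE, 13), crc_tag(MESSAGE), crc_tag)


def crc_catches_tampering() -> bool:
    """Deliberate change: the attacker rewrites the amount and recomputes the CRC,
    because the algorithm is public and needs no key. The receiver is fooled."""
    forged = MESSAGE.replace(b"100.00", b"999.00")
    return not receiver_accepts(forged, crc_tag(forged), crc_tag)


def hmac_catches_tampering() -> bool:
    """Same attack against a keyed tag: without KEY the best the attacker can do is
    an unkeyed digest of the new message, which the receiver rejects."""
    forged = MESSAGE.replace(b"100.00", b"999.00")
    attacker_tag = hashlib.sha256(forged).digest()
    return not receiver_accepts(forged, attacker_tag, hmac_tag)
```

crc32(b"123456789") gives the standard check value 0xCBF43926. crc_catches_line_noise() is True, crc_catches_tampering() is False, and hmac_catches_tampering() is True: the CRC protects against the channel, the MAC protects against an adversary.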

Crib

A section of plaintext that is already known or readily guessed (i.e. known plaintext) becomes a clue to aid the cryptanalyst. The extensive use of standardised words, terms and phrases means modern-day EMAIL messages etc. are replete with potential cribs. Similarly, wartime cryptanalysts at Bletchley Park arranged for naval mines to be dropped by the Allied Forces at specified map grid positions, knowing that the Axis Forces would report those same positions in encrypted messages.

Critical, essential, crucial, vital, irreplaceable

Certain assets are so important to an organisation that their loss, damage and/or unauthorised disclosure would be devastating, extremely expensive, severely disrupt operations and/or impact safety. IT assets that fall into this category include computer suites and major systems, networks and servers (especially those running or controlling core operations or involved in maintaining safety); most shared databases and data (e.g. customer lists, financial records, engineering designs, personal data); many computer disks, key system files and bespoke applications; encryption keys; experienced IT staff; and many more. Such assets should ideally be identified and classified through an explicit, comprehensive and formal/structured risk assessment process and suitably protected through appropriate information security controls (for confidentiality, integrity and availability). In practice, most organisations follow an informal process if any, sometimes leaving serious gaps in their defences that are (hopefully) never exploited except perhaps during a major disaster (hence the need for effective disaster contingency planning).

CRL (Certificate Revocation List)

List, signed and published by the CA within a PKI, of digital certificates (identified by serial number) that have been revoked (withdrawn or invalidated) before their expiry date, e.g. because the holder's private key was compromised. After a certificate is presented but before it is accepted, the recipient is supposed to check it against a current CRL. A recipient that cannot obtain a fresh CRL must choose between rejecting the certificate and carrying on regardless; the latter is common in practice and lets an attacker who can block the CRL download keep using a revoked certificate. OCSP provides an online alternative to downloading the whole list.

Cross-over Error Rate (CER)

In a biometric user authentication system, the CER is the error rate at the matching threshold where false acceptances happen as often as false rejections. It is the usual single-figure measure of a system's accuracy (lower is better); in deployment the threshold is normally shifted away from this point to favour fewer false acceptances at the cost of more false rejections, or vice versa.

Cryptanalysis, cryptanalyst

The mathematical/statistical and linguistic analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data such as keys and plaintext. Operations performed in converting encrypted messages (ciphertext) to plaintext without initial knowledge of the key (e.g. a chosen plaintext attack). By Kerckhoffs' principle the algorithm itself is assumed to be known to the attacker, so a system is only as strong as the secrecy of its keys.

Cryptographic system

Specification and/or embodiment of the process and algorithms for encrypting and decrypting data.

Cryptography ('crypto')

The mathematical science concerning the principles, means and methods for concealing the meaning of messages, if not their existence, rendering plaintext unintelligible by a defined algorithm and for converting ciphertext back into intelligible form. Includes the study of encryption strength and theoretical proofs. See also steganography.

CSS (Content Scrambling System)

Encryption system used to copy-protect Digital Versatile Disks (DVDs) that was famously cracked by the DeCSS and Speed Ripper hacker tools.

CUG (Closed User Group)

A club of certain individuals, organisations or systems that are invited to join together for common interest, excluding others (may be connected by a VPN or similar mechanism).

CVE (Common Vulnerabilities and Exposures)

On-line dictionary or list maintained by the MITRE Corporation to standardise references to publicly-known computer vulnerabilities and exposures, each assigned a unique identifier of the form CVE-YYYY-NNNN. CVE-compatible information security products (e.g. vulnerability scanners and intrusion detection systems) quote the CVE identifier for each exposure they recognise, facilitating cross-referencing between tools and advisories.

Cyberterrorism

Certain terrorist and activist groups have recognised the ease with which they can threaten and disrupt targets using the Internet, through hacking techniques such as Denial of Service attacks, extortion and adverse publicity, leading to the term cyberterrorism.

Daemon

The name of a background (memory-resident, normally-running) system program, process or service that continually monitors for certain events (e.g. the arrival of network traffic) and then acts on them (e.g. passes the data to the appropriate destination service). A typical system security daemon monitors all logical access attempts and deals appropriately with those which are unauthorised e.g. creating a security log entry and denying access.

Data

The electronic, symbolic representation of information (descriptions, values, pictures, commands etc.) as a sequential series of discrete digital bits or arbitrary analogue values within a certain range, grouped together in bytes, words, files, packets, messages etc. To fellow pedants: 'data' is the plural form of 'datum'.

Datagram

The formal name for a packet. According to RFC1594, a datagram is 'a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network'.

Data-driven attack

Type of attack in which the malicious payload arrives as apparently innocuous data (a form field, query string, file or EMAIL attachment) that the receiving system then interprets as executable code or commands: buffer overflows, shell and SQL command injection, and macro viruses are all examples. Because the attack travels inside permitted application traffic, it passes a firewall that filters only on addresses and ports.
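An added example of the data-driven attack and CGI entries (written for this page; not the glossary's code and not a real CGI program). The vulnerable handler pastes a client-supplied host name into a shell command line, the way many early CGI scripts called nslookup or finger; the hardened handler validates against an allow-list and runs the program without a shell. 'echo' stands in for the real lookup tool so the example runs offline, and the attacker's query string is constructed. handle_query shows the step that is easy to miss: the value is percent-decoded before the program sees it, so validation must happen after decoding.

```python
import re
import subprocess
import urllib.parse

# RFC 1123 host name: labels of letters, digits and hyphens, joined by dots (an allow-list, not a deny-list).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def lookup_vulnerable(host: str) -> str:
    """The classic CGI mistake: the client-supplied value is pasted into a shell command line.
    The shell treats ';', '|', '$(...)' and friends in the value exactly as it would for the real tool."""
    cmd = "echo Looking up " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Hardened version: validate against the allow-list first, then exec the program directly
    (no shell) with the value as a single argv element, whatever characters it contains."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid host name")
    return subprocess.run(["echo", "Looking up", host], capture_output=True, text=True).stdout


def handle_query(query_string: str, handler) -> str:
    """What a CGI program sees in QUERY_STRING. parse_qs percent-decodes, so '%3B' becomes ';'
    and '+' becomes a space before the value ever reaches the handler."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    host = params.get("host", [""])[0]
    return handler(host)


def safe_rejects(host: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        lookup_safe(host)
        return False
    except ValueError:
        return True


# Constructed attacker inputs: the second is the first as it would appear in a URL.
MALICIOUS_HOST = "example.com; echo INJECTED"
MALICIOUS_QUERY = "host=example.com%3B+echo+INJECTED"
```

lookup_vulnerable(MALICIOUS_HOST) prints "Looking up example.com" and then "INJECTED": the second command ran. With a real lookup tool the injected command could be anything the web server's account may run. lookup_safe raises ValueError for the same input and for values such as "$(id).example.com", and returns the expected line for a well-formed name.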

Debug

Debugging a program involves modifying the source code to eliminate bugs revealed by testing. Programmers sometimes insert special functions into their programs in order to activate extended error reporting, jump directly to suspect parts of the code, bypass security checks etc.: if these 'debug modes' remain available after the program is released, they may be used illegitimately by hackers to gain unauthorised access. Separate debugger utilities may be used to examine and modify the code, system buffers etc. as a program is executed: these can also provide useful information to hackers intent on revealing how built-in security features (e.g. copy protection schemes) operate.

Decrypt, decryption

The logical inverse of encryption i.e. the process of recovering plaintext from ciphertext.

DeCSS (De-Content-Scrambling-System)

Software tool that decrypts the CSS copy-protection system used on Digital Versatile Disks (DVDs); a player key was recovered from a software DVD player that had failed to protect it, and the 40-bit CSS cipher was in any case weak enough to break by brute force. The existence and spread of DeCSS demonstrates Bruce Schneier's frequent assertion that encryption alone does not guarantee confidentiality, particularly when the decryption key has to be present on the very machine the attacker controls.

Defamation

The publication of potentially libellous or slanderous comments about an individual or organisation. Staff in most organisations may potentially distribute defamatory comments (for example by EMAIL or publication on corporate or private websites), rendering them and/or their employers legally liable to being sued. Defamation is, but is not widely recognised as, a widespread threat due to the ubiquity of EMAIL and the lack of appropriate controls (such as EMAIL usage policies) in many organisations.

Default username/ID/password

Many software products and network devices are shipped with a vendor-defined installation username or ID (often 'admin' or 'root') and a corresponding default password. This rudimentary key distribution mechanism means the combination is printed in manuals and collected in published lists, so it is effectively public knowledge. To make matters worse, the installation account necessarily has privileged access to the system. Users who fail to change or disable the default ID/password after installation therefore leave the system open to anyone who cares to look the default up.

DefCon

Name of an infamous annual hackers' conference in America, named from a contraction of the military term 'defense condition'. DefCons are well known for their tongue-in-cheek 'spot the Fed' competitions, as well as the hacking of hotel security and telephone systems etc. and other unruly exploits by attendees.

Demon dialler

See war dial.

Denial of Service (DoS) attack

An attack which prevents any part of a computer or network system from functioning in accordance with its intended purpose by denying or delaying access to the service, its inputs or outputs, i.e. it reduces availability, one of the three core elements of information security. DoS attacks are commonplace against Internet webservers, partly because of inherent weaknesses in the TCP/IP protocols (e.g. SYN flooding, which fills the server's table of half-open connections with requests from forged source addresses) and partly because a service can simply be swamped with more traffic than it or its network link can handle.

DES (Data Encryption Standard), DEA (Data Encryption Algorithm)

A symmetric block cipher (64-bit blocks) with a 56-bit key (plus 8 parity check bits), standardised by the US government in 1977 and long popular in the finance industry. Having survived public scrutiny since the 1970s it was widely trusted until the key size was shown to be inadequate: in 1998 the EFF's purpose-built 'Deep Crack' machine recovered a DES key by brute force in under three days. It survives in triple-DES (3DES, or TDEA [Triple Data Encryption Algorithm]) form, which applies DES three times in encrypt-decrypt-encrypt order with correspondingly lower speed. Three-key 3DES uses keys A, B and C; the widely-deployed two-key variant uses key A for the first and third operations and key B for the second, giving roughly 80 bits of effective security rather than the 112 the key length suggests. Being replaced by the Advanced Encryption Standard (AES) defined by NIST.

Detection

Establishment of the occurrence of an information security incident.

Detective control

A class of information security controls such as Tripwire, designed to identify particular security breaches after they have occurred (cf. preventive or corrective controls).

Deterrent control

A sub-class of preventive controls that are designed to prevent breaches by deterring potential perpetrators e.g. pre-logon banners that warn of the intent to prosecute hackers (see also detective controls and corrective controls ).

DHCP (Dynamic Host Configuration Protocol)

Protocol used to issue IP addresses to workstations dynamically on a LAN, or to high-speed dial-up users.

Dial-back

See call-back.

Dictionary attack

Form of attack on passwords or keys in which candidate plaintext words from a dictionary are hashed or encrypted in turn and compared with the stored password hash or with a section of ciphertext, looking for a match. A classic example is the Crack program, which uses a dictionary comprised of usernames and common/well-known/default passwords (amongst other words), with rules that generate variants of each, to break weak passwords. Salting the stored hashes forces the attacker to repeat the work for every account, and deliberately slow hash functions reduce the number of candidates testable per second, but neither helps a password that is itself in the dictionary.
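The Python below is an added illustration of the dictionary attack and Crack entries (example code for this page, not Crack itself or any glossary code). It runs Crack-style mangling rules (capitalisation, '!' and numeric suffixes, usernames as candidates) over a small word list against a constructed password file whose hash format, salted SHA-256, is made up for the example; real UNIX systems use crypt(3)-style hashes, and only stored_hash would change. Three weak passwords fall to the attack; the random one does not.

```python
import hashlib
import itertools
from typing import Dict, Iterable, List, Optional, Tuple


def stored_hash(salt: str, password: str) -> str:
    """Made-up password-file format: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed 'stolen' password file: (username, salt, hash).
PASSWD: List[Tuple[str, str, str]] = [
    ("root",  "a1b2", stored_hash("a1b2", "Password1")),
    ("bob",   "c3d4", stored_hash("c3d4", "bob")),            # username as password
    ("carol", "e5f6", stored_hash("e5f6", "letmein!")),
    ("dave",  "0707", stored_hash("0707", "xT7#qL9!v2Rm")),   # not derivable from any word
]

WORDLIST = ["password", "letmein", "welcome", "admin", "secret"]


def mangle(word: str) -> Iterable[str]:
    """Crack-style rules: as typed, Capitalised, UPPER, each plain, with '!' or with a 0-99 suffix."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"


def candidates(usernames: Iterable[str], wordlist: Iterable[str]) -> Iterable[str]:
    """Usernames go first: they are the commonest weak password of all."""
    for word in itertools.chain(usernames, wordlist):
        yield from mangle(word)


def dictionary_attack(entries: List[Tuple[str, str, str]],
                      wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash every candidate under each user's salt and compare with the stored value.
    The salt is what forces the work to be repeated once per account rather than once per candidate."""
    found: Dict[str, Optional[str]] = {user: None for user, _, _ in entries}
    usernames = [user for user, _, _ in entries]
    for cand in candidates(usernames, list(wordlist)):
        for user, salt, target in entries:
            if found[user] is None and stored_hash(salt, cand) == target:
                found[user] = cand
        if all(found.values()):
            break
    return found
```

dictionary_attack(PASSWD, WORDLIST) recovers root, bob and carol and leaves dave at None. A few thousand SHA-256 operations suffice here; with a deliberately slow hash such as bcrypt or PBKDF2 the same run would take thousands of times longer, which is the point of those functions.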

Diffie-Hellman

Key agreement protocol (not an encryption algorithm) used mostly to establish symmetric session keys over an untrusted channel, published by Whitfield Diffie and Martin Hellman in 1976. Each party picks a secret exponent, sends g^x mod p, and raises the value it receives to its own exponent; both arrive at the same g^(xy) mod p, which an eavesdropper cannot compute without solving the discrete logarithm problem in the multiplicative group modulo the large prime p. On its own the exchange authenticates nobody: an active attacker in the middle can run a separate exchange with each side, so the public values must be signed or otherwise authenticated (as in SSL/TLS), and each side should reject degenerate public values such as 0, 1 or p-1. Although Diffie and Hellman were the first to publish the idea of public-key cryptography, the same concept had already been invented within the UK's CESG (Malcolm Williamson described the equivalent of this exchange in 1974) but remained secret until 1997.
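The Python below is an added worked example of the exchange just described (written for this page; not glossary code and not a production implementation). It generates a safe prime with a Miller-Rabin test, runs the exchange for two parties so that both derive the same session key, rejects the degenerate public values mentioned above, and then demonstrates the man-in-the-middle weakness of the unauthenticated protocol. The 128-bit group size is a toy chosen so the example runs in well under a second; real deployments use standardised groups of 2048 bits or more, or elliptic curves.

```python
import hashlib
import random
import secrets
from typing import Dict


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime: apart from 1 and p-1 every element has order q or 2q,
    so there is no small subgroup into which an attacker can force the shared secret."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def is_valid_public_value(y: int, p: int) -> bool:
    """0, 1 and p-1 (and anything out of range) force the shared secret to 0, 1 or +-1."""
    return 1 < y < p - 1


class Party:
    def __init__(self, p: int, g: int) -> None:
        self.p, self.g = p, g
        self.x = secrets.randbelow(p - 3) + 2    # private exponent, never sent
        self.y = pow(g, self.x, p)               # public value, sent in the clear

    def session_key(self, their_y: int) -> bytes:
        if not is_valid_public_value(their_y, self.p):
            raise ValueError("invalid Diffie-Hellman public value")
        z = pow(their_y, self.x, self.p)         # g^(xy) mod p, the shared secret
        # Hash it to obtain a uniformly distributed symmetric key.
        return hashlib.sha256(z.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()


def demo(bits: int = 128) -> Dict[str, object]:
    p = safe_prime(bits)
    g = 4                          # a square mod p, hence a generator of the prime-order-q subgroup
    alice, bob, mallory = Party(p, g), Party(p, g), Party(p, g)
    k_ab = alice.session_key(bob.y)            # Alice receives Bob's public value
    k_ba = bob.session_key(alice.y)            # Bob receives Alice's public value
    # Unauthenticated exchange: Mallory substitutes her own value in each direction and
    # ends up sharing one key with Alice and a different one with Bob, relaying between them.
    k_a_m = alice.session_key(mallory.y)
    k_m_a = mallory.session_key(alice.y)
    k_b_m = bob.session_key(mallory.y)
    return {"p": p, "agree": k_ab == k_ba, "mitm": k_a_m == k_m_a and k_a_m != k_b_m}
```

demo() returns agree=True (the two honest parties derive the same key) and mitm=True (Mallory holds a valid key with each of them while they hold different keys from each other), which is exactly why the public values must be authenticated.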

Digital certificate

Electronic representation of an identification certificate or passport, issued by a certification authority to a bona fide PKI user, stating identification information, validity period, the holder's public key, the identity and digital signature of the issuer, and the purpose/s for which it was issued (e.g. encryption, signature etc.). Certificates are digitally-signed by the issuer so that anyone holding the issuer's public key can check their authenticity. Before trusting a certificate a recipient should verify the issuer's signature, the validity period, the stated purpose, that the name matches the party it is actually dealing with, and that the certificate has not been revoked (see CRL); the trust it then places in the holder is only as good as the CA's issuing process and the protection of the holder's private key.

Digital fingerprint

Data that allows the source of an information asset to be verified, for example the particular nature, sequence and timing of a hacker's activities recorded in the system security logs may reveal the hacker's tools, or copyright information may be hidden within a computer image (steganography).

Digital Millennium Copyright Act (DMCA)

1998 American law defining copyright protection for digital publications such as DVDs.

Digital signature

A value computed over a hash of a file, message or digital certificate using the signer's private key and appended to it; anyone holding the signer's public key (normally taken from the signer's digital certificate) can verify that the content is unaltered and originated with the holder of the private key, rather like a traditional written signature. In RSA this amounts to 'encrypting' the hash with the private key and 'decrypting' it with the public key for comparison; other schemes (DSA, ECDSA) use different mathematics but the same hash-then-sign structure. A signature proves nothing about who holds the private key unless that key is securely stored and bound to an identity by a certificate.
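The Python below is an added end-to-end example tying together the Certification Authority, digital certificate, CRL and digital signature entries (written for this page; not glossary code and not a real PKI). A toy CA issues a certificate over a subject-supplied public key, the subject signs a document, and a relying party performs the checks listed above: issuer signature, validity period and revocation. RSA is implemented textbook-style with fixed Mersenne primes and a truncated hash so the example is deterministic and fast; the key sizes and the absence of padding make it unsuitable for anything but illustration, and the names, document and CA are constructed.

```python
import hashlib
import json
import time
from typing import Dict, Optional, Set, Tuple

# Toy RSA keys from fixed Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1). Far too small,
# and unpadded, for real use: real PKIs use >= 2048-bit keys with PKCS#1 or PSS padding.
M = {k: (1 << k) - 1 for k in (61, 89, 107, 127)}
E = 65537


def keygen(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)); each party uses different primes so their keys differ."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data: bytes) -> int:
    # First 160 bits of SHA-256 so the value fits below every toy modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv: Tuple[int, int], data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)          # 'encrypt the hash with the private key'


def verify(pub: Tuple[int, int], data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)   # 'decrypt with the public key' and compare


def canonical(body: Dict) -> bytes:
    """Serialise the certificate body deterministically so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


class ToyCA:
    def __init__(self, name: str) -> None:
        self.name = name
        self.pub, self._priv = keygen(M[127], M[89])   # signing key never leaves the CA
        self.crl: Set[int] = set()                      # serial numbers of revoked certificates
        self._serial = 0

    def issue(self, subject: str, subject_pub: Tuple[int, int], days: int = 365,
              now: Optional[int] = None) -> Dict:
        """The subject supplies only its public key; its private key stays with the subject."""
        now = int(time.time()) if now is None else now
        self._serial += 1
        body = {"serial": self._serial, "subject": subject, "issuer": self.name,
                "public_key": list(subject_pub), "not_before": now,
                "not_after": now + days * 86400, "usage": ["digitalSignature"]}
        return {"body": body, "signature": sign(self._priv, canonical(body))}

    def revoke(self, serial: int) -> None:
        self.crl.add(serial)


def validate(cert: Dict, ca_pub: Tuple[int, int], crl: Set[int],
             now: Optional[int] = None) -> Optional[str]:
    """Checks a relying party makes before trusting the key in a certificate.
    Returns None if acceptable, otherwise the reason for rejection."""
    body = cert["body"]
    now = int(time.time()) if now is None else now
    if not verify(ca_pub, canonical(body), cert["signature"]):
        return "bad issuer signature"
    if not body["not_before"] <= now <= body["not_after"]:
        return "outside validity period"
    if body["serial"] in crl:
        return "revoked"
    return None


def demo() -> Dict[str, object]:
    ca = ToyCA("Example Toy CA")
    alice_pub, alice_priv = keygen(M[107], M[61])
    cert = ca.issue("alice@example.test", alice_pub)
    holder_pub = tuple(cert["body"]["public_key"])      # taken from the certificate, as a verifier would
    doc = b"Transfer 100.00 to carol"
    sig = sign(alice_priv, doc)
    out: Dict[str, object] = {
        "cert_ok": validate(cert, ca.pub, ca.crl),
        "doc_ok": verify(holder_pub, doc, sig),
        "doc_altered": verify(holder_pub, doc.replace(b"100", b"900"), sig),
    }
    forged = json.loads(json.dumps(cert))
    forged["body"]["subject"] = "mallory@example.test"   # edited after signing
    out["forged"] = validate(forged, ca.pub, ca.crl)
    out["expired"] = validate(cert, ca.pub, ca.crl, now=cert["body"]["not_after"] + 1)
    ca.revoke(cert["body"]["serial"])
    out["revoked"] = validate(cert, ca.pub, ca.crl)
    return out
```

demo() reports cert_ok=None (accepted), doc_ok=True, doc_altered=False, forged="bad issuer signature", expired="outside validity period" and revoked="revoked". Note that the revocation check only works because the verifier consults the CA's current CRL; a verifier holding a stale copy would still accept the revoked certificate.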

Digital watermark

Steganographic technique for storing copyright/ownership information unobtrusively in a program or data file e.g. using small changes to pixel luminance data in a digital image. The goal of image watermarking techniques is to survive image manipulations (e.g. format conversion, printing-and-scanning) without requiring visible changes to the image.

DISA (Direct Inward System Access)

Feature of many PABXes that allows external callers to dial in and then reach internal extensions, or obtain an outside line, directly, without the need for separate external phone lines for each phone. A classic target for toll fraud when the DISA access codes are short, left at their defaults or widely shared.

Disaster Contingency Plan (DCP), incident plan

Plan describing the initial responses (at least) to a physical or logical disaster scenario affecting valuable or sensitive resources and services. Generally links to other emergency plans (e.g. crisis plans, emergency services call-outs) to stabilise and assess the immediate post-disaster situation, before calling on specific disaster recovery plans for long term restitution. Plan should be proactively maintained and regularly tested to ensure continued effectiveness.

Disaster recovery, Disaster Recovery Plan (DRP)

Process leading to plan describing the steps required to recover critical resources and services to a usable state in the aftermath of a more-or-less specific disaster (e.g. by retrieving data from backups, installing replacement LAN equipment etc.) to minimise the impacts. Disaster situations commonly considered are physical site disasters (fires, floods, explosions), major data losses (e.g. disk failures), major frauds, virus infections, unauthorised systems accesses (hacks) etc. Plan should be proactively maintained and regularly tested to ensure continued effectiveness.

Disclosure

The revealing of sensitive information. Unauthorised disclosure of company secrets represents a loss of confidentiality. See also full disclosure.

Discretionary Access Controls (DAC)

Access control model in which the owner of an object (or a user holding the appropriate privilege) decides who may access it and can change or relax those rules at will, e.g. UNIX file permission bits and ACLs. Convenient, but a careless or compromised owner can grant access that policy would forbid (cf. mandatory access controls, where the system enforces rules the user cannot override).

Distributed Denial of Service (DDoS) attack

A form of Denial of Service attack using hundreds or thousands of 'slave' machines simultaneously targeting the system/s under attack, all initiated and/or co‑ordinated in concert by one or more 'master' systems.

Division of responsibility

Control concept. Certain roles (e.g. writing and signing company cheques) are defined as being mutually exclusive, therefore an individual person should not be permitted to perform both roles. May involve procedural and/or automated controls.

DMZ (Demilitarised Zone)

Section of network between outer (Internet-facing) and inner (LAN-facing) firewalls, in which hardened web servers, DNS servers etc. are generally located. The outer firewall provides a degree of perimeter access control but permits certain TCP/IP traffic to reach the DMZ servers. The inner firewall provides additional isolation for the LAN.

DNS (Domain Name System or Service)

General purpose, distributed, replicated, data query service used to look up IP addresses from host names (and vice versa). DNS servers, most commonly running BIND, exchange data over the Internet to resolve human-friendly names such as www.CCCL.net (as in the URL http://www.CCCL.net) to numeric IP addresses. The DNS protocols (defined in STD 13 and RFCs 1034 and 1035) have inherent vulnerabilities: responses are unauthenticated, so a forged answer that arrives first and matches the 16-bit transaction ID (and UDP port) of an outstanding query is accepted, enabling cache poisoning and web spoofing. Poor network configuration also leaves many websites dependent on single DNS servers and hence vulnerable to server outages, Denial of Service attacks or other availability problems, and to DNS hijacks.
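The Python below is an added example of the DNS wire format from RFC 1035 and of the one check a plain (non-DNSSEC) resolver has against forged replies (written for this page; not glossary code and not a real resolver). It builds a query for an A record, parses a response including a name-compression pointer, and refuses replies whose transaction ID or question section does not match what was asked. The response bytes are constructed by hand and use the documentation address 192.0.2.1; no network access is needed.

```python
import secrets
import struct
from typing import List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: Optional[int] = None, qtype: int = 1) -> Tuple[int, bytes]:
    """Standard query for an A record (qtype 1) with Recursion Desired set. The random 16-bit ID
    (plus a random source port, not shown here) is all that ties a reply to this query."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name, following 0xC0 compression pointers; returns (name, offset after the field)."""
    labels: List[str] = []
    end = None
    for _ in range(128):                        # bound protects against pointer loops in hostile packets
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # pointer to an earlier occurrence of the name
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length == 0:
            return ".".join(labels), (offset + 1 if end is None else end)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    raise ValueError("malformed name")


def parse_response(msg: bytes, expected_txid: int,
                   expected_name: str) -> Tuple[int, List[Tuple[str, str, int]]]:
    """Return (rcode, [(name, ipv4, ttl), ...]) or raise ValueError if the reply is not for our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")   # the resolver's main defence against forged replies
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                               # echo of the question section
        qname, off = read_name(msg, off)
        off += 4                                      # QTYPE, QCLASS
        if qname.lower() != expected_name.rstrip(".").lower():
            raise ValueError("question does not match our query")
    answers: List[Tuple[str, str, int]] = []
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                 # A record
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return flags & 0xF, answers


def accepts(msg: bytes, txid: int, name: str) -> bool:
    """True if the resolver would take this reply as the answer to (txid, name)."""
    try:
        parse_response(msg, txid, name)
        return True
    except ValueError:
        return False


# Constructed reply to a query for www.example.com with ID 0x1234; the answer name is a
# compression pointer (C0 0C) back to the question at offset 12.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"                 # header: response, RD, RA, 1 question, 1 answer
    "03 777777 07 6578616d706c65 03 636f6d 00"      # www.example.com
    "0001 0001"                                     # QTYPE A, QCLASS IN
    "c00c 0001 0001 00000e10 0004 c0000201"         # ptr->12, A, IN, TTL 3600, 4 bytes, 192.0.2.1
)
```

parse_response(SAMPLE_RESPONSE, 0x1234, "www.example.com") returns (0, [("www.example.com", "192.0.2.1", 3600)]); the same bytes with any other expected ID are rejected. Since an attacker who can guess the ID (and port) wins by sending their forgery before the genuine answer arrives, the ID check is a speed bump rather than authentication; DNSSEC signatures are the proper fix.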