Security Dictionary

802.11 The original IEEE standard defining medium access and physical layer specifications for up to 2 Mbps wireless connectivity on local area networks. The 802.11 standard covers both DSSS and FHSS microwave radio LANs and infrared links. See also DSSS and FHSS.

802.11a A revision to the 802.11 IEEE standard that operates in the UNII band and supports data rates up to 54 Mbps using DSSS. See also DSSS and UNII.

802.11b A revision to the 802.11 IEEE standard that operates in the middle ISM band and supports data rates up to 11 Mbps using DSSS. See also DSSS and ISM.

802.11g A revision to the 802.11 IEEE standard that operates in the middle ISM band and supports data rates up to 54 Mbps using DSSS and possessing backward compatibility with 802.11b. See also DSSS and ISM.

802.11i The IEEE wireless LAN security standard currently under development by the 802.11i Task Group. 802.11i combines the use of 802.1x and TKIP/CCMP encryption protocols to provide user authentication and data confidentiality and integrity on wireless LANs (WLANs). See also CCMP and TKIP.

802.15 The IEEE communications specification approved in early 2002 for wireless personal area networks (WPANs).

802.1x The IEEE standard for layer two port-based access control and authentication.

access control A technique used to permit or deny use of data or information system resources to specific users, programs, processes, or other systems based on previously granted authorization to those resources.

access control list (ACL) List that specifies who can do what with an object. For example, an ACL on a file specifies who can read, write, execute, delete, and otherwise manipulate the file.

access point A layer two connectivity device that interfaces wired and wireless networks and controls the networking parameters of its wireless LAN.

accountability The ability to trace activities on information resources to unique individuals who accept responsibility for their activities on the network.

account expiration A date after which an account cannot be used.

account lockout A method of disabling an account after some number of unsuccessful logon attempts. This control is usually set in order to automatically disable accounts that are being brute forced. See also brute-force attack.

active scanning A method by which client devices discover wireless networks. Active scanning involves a client device broadcasting a probe request frame and receiving a probe response frame containing the parameters of the responding network.

Address Resolution Protocol (ARP) A protocol that uses broadcast network packets to convert logical IP addresses into their Ethernet media (MAC) addresses on the local LAN. See also MAC address.

ad hoc network A wireless LAN composed of wireless stations without an access point. Also referred to as an independent network or independent basic service set (IBSS).

ADO (ActiveX data object) A Microsoft COM wrapper for OLE DB, used to communicate with databases.

AES (Advanced Encryption Standard) A new encryption algorithm chosen by the United States as a replacement for DES (the data encryption standard), the official government encryption standard.

agent An IDS detection device or node. See also intrusion-detection system.

aggregation The collecting of all monitored events from distributed sensors at one management console.

alert Either: (noun) a high-priority threat event communicated in real time, or (verb) to bring attention to a security violation or activities that exceed predefined thresholds, in an immediate manner so as to provoke immediate response.

anomaly detection (AD) An IDS model that detects threats by modeling known good network behavior and characteristics and alerting on exceptional differences. See also intrusion-detection system.

ANSI bomb Early DOS-based malware that relied on ansi.sys being loaded in memory to remap the keyboard so that different keys caused malicious actions, such as formatting the hard drive.

appending virus A computer virus that inserts itself at the end of a host file. See also boot virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, stealth virus, and virus.

application domain (appdomain) A controlled environment or “sandbox” within which one or more assemblies execute, safe from the danger of interference from code running within other application domains.

application-specific integrated circuit (ASIC) A programmable logic chip with all instructions burned into the chip. ASICs are not easily upgradeable.

assembly The fundamental logical unit of managed code, consisting of one or more files containing Common Intermediate Language instructions and metadata.

attack Unauthorized activity with malicious intent that uses specially crafted code or techniques.

attacker A person or computer program that intentionally attempts to gain unauthorized access to information resources, or that attempts to prevent legitimate access to those resources.

attack scripts Prepackaged collections of hostile software that are intended to be easy to use and don’t necessarily require any special skills or knowledge on the part of the user. Attack scripts can be used by anybody who wants to attack computer systems and networks.

attack signature The characteristics of network traffic, either in the heading of a packet or in the pattern of a group of packets, which distinguish attacks from legitimate traffic.

attenuation Loss of RF signal amplitude due to the resistance of RF cables, connectors, or obstacles on the signal path. See also RF.

audit An independent review and examination of records and observation of activities to check that security controls comply with established security policies and procedures, and to recommend any necessary changes in those controls, policies, and procedures.

audit trail A chronological record of activities on information resources that enables the reconstruction and examination of sequences of activities on those information resources for later review.

authentication Verification of who a person or information resource claims to be that sufficiently convinces the authenticator that the identity claim is true. This is followed by an evaluation of whether that entity should be granted access to resources.

authentication controls Configuration choices that strengthen password-based security. Controls are factors like password length, password history, and so on.

authenticator In 802.1x, the relay between the authentication server, such as a Remote Authentication Dial-In User Service Protocol (RADIUS), and the supplicant. On wireless networks, the authenticator is usually the access point; on wired LANs, high-end switches can perform such functions. In Kerberos authentication, an encrypted timestamp is used to support authentication.

authorization A determination, based on prior authentication, of what rights a person or information resource has, and what elements they should be granted access to.

authorized Having been granted access, based on appropriate authentication and authorization rules and security checks.

availability Requirement for information to be accessible when it is needed.

back door A means of bypassing established authentication, authorization, and access controls protecting an information resource. Back doors are usually left in place intentionally by the original developers to allow them unauthorized access by circumventing security controls. Also called a trap door.

banner grabbing A hacker fingerprinting method where a service or device is probed to see if it can be identified by the information it returns.

behavior-monitoring HIDS A HIDS utilizing real-time monitoring to intercept previously defined potentially malicious behavior. See also host-based IDS.

bindery The foundation of NetWare 3.x and earlier Novell networks. The bindery uses three hidden files that contain information about users, groups, and associated rights for all network resources, including printers, print queues, files, and directories.

block cipher A cryptographic algorithm that operates on a block of bits at a time.

blocking access Protecting a network or system by keeping unauthorized parties out using an all-or-nothing paradigm instead of using a granular or graduated approach.

Bluetooth A part of the 802.15 specification for WPANs developed and supported by the Bluetooth Special Interest Group, founded by Ericsson, Nokia, IBM, Intel, and Toshiba. Bluetooth radios are low-power FHSS transceivers operating in the middle ISM band. See also FHSS and ISM.

boot virus A computer virus that infects a hard drive or floppy disk boot sector. See also appending virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, stealth virus, and virus.

bridge A network device connecting two different network segments into one larger network segment.

broadcast A type of network traffic that is destined for all hosts on a particular network segment. See also unicast.

brute-force attack A method used for breaking encryption systems. Brute-force methodology entails trying all the possible keys until the proper one is found.

buffer overrun Copying too much information to a memory location, leading to denial of service or elevation of privilege attacks.

CCMP (counter mode with CBC-MAC) An AES-based encryption protocol which is planned as a WEP and TKIP replacement when the 802.11i security standard is finally released. CCMP will be required by the WPA version 2 certification. See also TKIP, WEP, and WPA.

challenge and response An authentication process whereby the server sends a challenge message to the client, and the client responds, usually by encrypting the challenge with the client’s password hash and then returning the result as the response.

change control A formal procedure that is used to approve and manage all modifications to software and hardware running on the network. Change control is usually coordinated by a change control board (CCB).

checksum HIDS See file-integrity HIDS.

cipher An encoded message.

client-side script A programming script, written in a scripting language such as JavaScript or VBScript, that is invoked at the endpoint system rather than on the central server.

closed system ESSID Hiding the ESSID by removing the ESSID value string from beacon and/or probe response frames. Like MAC address filtering, it is easily bypassed by determined attackers. See also ESSID.

cluster in a box Two or more systems combined in a single unit. The difference between these systems and Redundant System Slot systems is that each unit has its own CPU, bus, peripherals, operating system, and applications. See also Redundant System Slot.

code-access security The process of authorizing managed code execution by evaluating evidence concerning that code rather than authorizing the identity of the user attempting to execute the code.

code group A classification applied to managed code by the Common Language Runtime for the purpose of assigning the code a particular set of permissions. See also Common Language Runtime.

co-location Installing multiple access points on a single network using different non-interfering frequencies. Co-location is used to increase throughput on wireless LANs.

Common Intermediate Language (CIL) The language of managed code; a platform and language-neutral representation of a compiled program, consisting of instructions for an abstract stack machine.

Common Language Runtime (CLR) The virtual machine that executes Common Intermediate Language instructions.

Common Vulnerabilities and Exposures (CVE) Mitre’s threat index detailing known attacks and vulnerabilities (www.cve.mitre.org).

confidential information Information that requires special handling and protection because it is not intended to be viewed, modified, or discarded by everyone.

confidentiality Sharing information among a select group of recipients while protecting it from access by everyone else. Confidentiality is different from privacy, in which information is kept a secret known only to the originators of that information. See also privacy.

connectionless Describes network protocols that do not establish a connection between the source and destination before transmitting data.

connection-oriented Describes network protocols that establish and confirm a connection between source and destination hosts before transmitting data.

containment fields Areas of a network (or different networks) that are separated with the use of access control technologies, such as firewalls and access control lists (ACLs), because those areas of the network have security requirements that differ from each other. See also access control list.

correlation Organizing and recognizing one related event threat out of several reported, but previously distinct, events.

cracker A hacker who attempts to break into computers. See also hacker.

cross-site scripting A class of attacks made possible by the failure of a web site to validate user input, which results in malicious code being run in a victim’s browser. Because of an error in a legitimate site’s web code, an attacker is able to get the site to return code from his site to the browser of someone visiting the legitimate site. The victim’s browser thinks it’s from the legitimate site and executes it.

CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) A layer two contention protocol used by 802.11-compliant wireless LANs and by Ethernet networks. CSMA/CA employs positive ACKs for every transmitted frame to avoid collisions on wireless networks.

database auditing Recording specific actions that are performed on a database server. Auditing can be specified at the level of the database server or on specific database objects.

database permissions Permissions placed on objects within a database. Database permissions specify which actions a database user can perform on tables, views, stored procedures, and other objects.

database roles Groupings of database users, usually based on functional requirements, that can be used to implement and manage database security permissions.

database triggers Database objects that can be used to automatically execute operations whenever information stored in tables is accessed or modified.

database view A logical database object that refers to underlying database tables. Views generally do not contain data, do not require storage space, and can be used to better manage security permissions.

data vaulting Contracting with an online service that automatically and regularly connects to a host or hosts and copies identified data to an online server. Typical arrangements can be made to back up everything, data only, or specific datasets.

datagram See network packet.

defense Protection of physical or electronic information resources and data.

defense in depth Utilizing multiple layers of security controls to present several challenges to attackers that must all be compromised sequentially in order to gain unauthorized access.

denial of service (DoS) Causing an information resource to be partially or completely unable to process requests. This is usually accomplished by flooding the resource with more requests than it can handle, thereby rendering it incapable of providing normal levels of service.

detection Protective measures intended to reduce the likelihood of a successful compromise of information resources by recognizing that an attack has occurred or is occurring. An IDS is a detection measure.

deterrence The use of negative behavior reinforcement to cause would-be attackers either to avoid attempts to breach security or to go elsewhere with their attacks.

DHCP (Dynamic Host Configuration Protocol) A protocol that provides a means to dynamically allocate Internet Protocol (IP) addresses to computers on a LAN. The system administrator assigns a range of IP addresses to DHCP, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period.

dictionary attack An attack against encrypted ciphertext in which a dictionary, or word list, is used. Each word in the list is encrypted in the same manner that a user password is, and then they are compared to the stored, encrypted passwords. If a match is found, the password is cracked. See also brute-force attack.

differential backup Like an incremental backup, a differential backup only backs up files with the archive bit set—files that have changed since the last backup. Unlike the incremental backup, however, the differential backup does not reset the archive bit. Each differential backup backs up all files that have changed since the last backup that reset the bits. Using this strategy, a full backup is followed by differential backups. A restore consists of restoring the full backup and then only the last differential backup made. See also grandfather, father, son (GFS) backup; incremental backup; and Tower of Hanoi backup.

differential database backup A database backup operation that copies only the database pages that have been modified since the last full database backup.

Digital Rights Management (DRM) The use of encryption and access control technologies in an attempt to limit access to authorized users. DRM is typically built into software programs and the data files they manipulate.

disk-to-disk (D2D) technology Use of a disk array or appliance disk to store data. A slow tape backup system may be a bottleneck, as servers may be able to provide data faster than the tape system can record it. D2D servers don’t wait for a tape drive, and disks can be provided over high-speed dedicated backup networks, so both backups and restores can be faster.

DSSS (Direct Sequence Spread Spectrum) One of two approaches to spread spectrum radio signal transmission. In DSSS, the stream of transmitted data is divided into small pieces, each of which is allocated across a wide frequency channel. A data signal at the point of transmission is combined with a higher-data-rate bit sequence that divides the data according to a spreading ratio.

EAP (Extensible Authentication Protocol) A flexible authentication protocol originally designed for PPP authentication and used by the 802.1x standard. EAP is defined by RFC 2284.

EAP (Extensible Authentication Protocol) methods Specific EAP authentication mechanism types. Common EAP methods include EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, and EAP-LEAP.

EAPOL (EAP over LAN) Encapsulation of EAP frames on a wired LAN. EAPOL is defined separately for Ethernet and token ring.

effective rights The set of rights in a NetWare network that specify what an object can actually do after all security factors are considered. These rights are calculated each time an object attempts an action.

EIRP (effective isotropic radiated power) The actual wireless power output at the antenna, calculated as IR + antenna gain. See also IR.

EJB (Enterprise Java Beans) A server-side J2EE component primarily used to embody the business logic of an application. See also J2EE component.

elevation of privilege An attack that enables the attacker to operate code with more rights than normally allowed. Such attacks are the most prized by attackers.

embedded operating system An operating system that can be deployed on embedded devices, which are stripped-down versions of desktop computers.

enabling technologies Technologies that complement business functions in such a way as to make the business more effective and profitable and to increase productivity.

encoding Data conversion techniques used to obscure plaintext characters.

enterprise-management system (EMS) A central reporting console to which all security devices in a given domain report (such as firewalls, antivirus programs, IDSs, and honeypots). See also firewall, honeypot, and intrusion-detection system.

equivalent security Security controls implemented at an identical level for all information resources, so that they complement each other in protecting a particular asset: the asset and every other resource that has access to it are secured with the same strength of security. Also called transitive security.

ESSID (Extended Service Set ID) The identifying name of an 802.11-compliant network. The ESSID must be known in order to associate with the wireless LAN. See also 802.11.

ETSI (European Telecommunications Standards Institute) A nonprofit organization that produces telecommunication standards and regulations for use throughout Europe.

event A possibly malicious threat detected by a computer security system.

exploit Either: an attack technique that can be directed at a particular computer system or software component and that takes advantage of a specific vulnerability, or the act of successfully implementing such an attack technique.

exposure A condition of an information resource that may allow unauthorized access, denial of service, or other successful attacks.

extensible architecture A network security architecture that can be scaled to fit the requirements of the business as the business evolves, as opposed to a static network security design that is not flexible.

extranet A network that is outside the control of the company. Extranets are usually connections to outside companies, service providers, customers, and business partners.

false-negative An incorrect result as reported by a detective device, such as an IDS, antiviral program, or biometric security device. For example, an antiviral program may not ‘catch’ a virus-infected file, or a fingerprint reader may incorrectly fail the fingerprint of the true user.

false-positive An incorrect result reported by a detective device. In this case, a harmless attachment to an e-mail is reported as a virus, or an imposter is given access to an account protected by a fingerprint reader.

FCC (Federal Communications Commission) An independent U.S. government agency directly responsible to Congress. The FCC regulates all forms of interstate and U.S. international communications.

fear, uncertainty, and doubt (FUD) A means of convincing people or justifying a decision by frightening or disturbing the audience, so that they will want to support the decision in order to avoid unpleasant consequences. This technique is commonly used to justify security technologies and costs.

FHSS (Frequency Hopping Spread Spectrum) One of two approaches to spread spectrum radio signal transmission. FHSS is characterized by a carrier signal that hops pseudo-randomly from frequency to frequency over a defined wide band.

Field Programmable Gate Array (FPGA) chip A programmable logic chip that interacts with software, allowing easy upgrades and modifications to its firmware.

file-integrity HIDS (sometimes called snapshot or checksum HIDS) A HIDS that compares file properties recorded at one point in time with the file properties recorded at another time and notes the differences. See also host-based IDS.

fine-tuning Analysis and modifications done to a computer security device to improve its accuracy, speed, or functionality.

fingerprinting Using software techniques to discover the identity (version, patch level, or operating system) of remote software or hardware. Fingerprinting is often used by malicious hackers in preparation for an attack.

firewall A network access control system that uses rules to block or allow connections and data transmission between a private network and an untrusted network, such as the Internet.

flag A bit (set to 0 or 1) present in network packet headers that represents a certain state or condition of the packet (such as a fragmentation flag).

fragmentation The process that splits a network packet into two or more packets to decrease the original packet size for transmission between source and destination. Fragments can be reassembled later to make a larger single packet.

fragmentation flag A bit in an IP packet header that indicates whether the packet is part of a larger fragmented packet and needs reassembly.

fragment offset A byte location within a fragment, used to reassemble packets correctly.

free space path loss Decrease of RF signal amplitude due to the signal dispersion. See also RF.

Fresnel zone In simplified terms, an elliptical area around the straight line of sight between two wireless transmitters. The Fresnel zone should not be obstructed by more than 20 percent in order to maintain a reasonable wireless link quality.

gain An increase in RF signal amplitude, estimated in decibels. See also RF.

girlfriend program A program handed to an employee on a floppy disk or CD-ROM by a trusted friend, but which actually contains a Trojan program designed to open a connection on the employee’s machine and allow unrestricted access to an attacker. Since the attack takes advantage of an employee’s personal trust in the attacker, these attacks are very effective and not at all uncommon.

grandfather, father, son (GFS) backup In the GFS rotation strategy, a backup is made to separate media each day. Each Sunday a full backup is made, and each day of the week an incremental backup is made. Full weekly backups are kept for the current month, and the current week’s incremental backups are also kept. (Each week, a new set of incremental backups is made, and at the end of the month you have four or five weekly backups and one set of daily backups, the last set.)

On the first Sunday of the month, a new tape or disk is used to make a full backup. The previous full backup becomes the last full backup of the prior month and is labeled as a monthly backup. Weekly and daily tapes are rotated as needed, with the oldest being used for the current backup.

Thus, on any one day of the month, that week’s backup is available, as well as the previous four or five weeks’ backups, and the incremental backups taken each day of the preceding week. If the backup scheme has been in use for a while, prior month backups are also available. See also differential backup; incremental backup; and Tower of Hanoi backup.

Group Policy A feature of Windows 2000 and later versions that can be used to set literally hundreds of security and general administrative settings for diverse machines and users in an automated fashion.

GUID (globally unique identifier) A unique 16-byte number that is randomly generated and can be used for identifying items without fearing that someone else will randomly generate the same number as well.

hacker Either: a person who explores computers and networks to discover their capabilities, or a malicious intruder who tries to discover information by gaining unauthorized access and who may make changes or commit hostile acts.

heuristic attack An attack, usually against a password, which attempts to apply knowledge of how users commonly create passwords. It exploits the common ways people think. For example, when asked to add numbers to passwords, users commonly add them to the end of the password. The heuristic attack looks for numbers in the last two positions before looking for other characters there. Another example is the use of capital letters. Users commonly capitalize the first character. An example of a seemingly complex password which will be cracked fairly quickly by a heuristic attack is Kopper2.

Hierarchical Storage Management (HSM) An automated process that moves the least-used files to progressively more remote data storage. In other words, frequently used and changed data is stored online on high-speed local disks. As data ages (as it is not accessed or changed) it is moved to more remote storage locations, such as disk appliances or even tape systems. However, the data is still cataloged and appears readily available to the user.

honeypot A host-based IDS where the entire system is created solely to monitor, detect, and capture security threats against it. See also intrusion-detection system.

host-based IDS (HIDS) An IDS used to monitor a single host. Usually a HIDS is software that is installed on the host it protects. See also intrusion-detection system.

hub A simple network device where all hosts connected to it are in the same network segment and collision domain.

IBSS An independent basic service set, another name for an ad hoc network. See also ad hoc network.

IEEE The Institute of Electrical and Electronics Engineers, Inc., a non-profit technical association with members in 150 countries. It is the developer of over 900 standards.

IIOP (Internet Inter-Orb Protocol) A TCP-based wire protocol used by CORBA-compliant distributed clients and servers to communicate remotely.

incremental backup A backup that saves files that have changed since the last backup. When data is backed up, the archive bit on a file is turned off, and when changes are made to the file, the archive bit is set again. An incremental backup uses this information to only back up files that have changed since the last backup. An incremental backup turns the archive bit off again, and the next incremental backup backs up only the files that have changed since the last incremental backup. This sort of backup saves time, but it means that the restore process will involve restoring the last full backup and every incremental backup made after it. See also differential backup; grandfather, father, son (GFS) backup; and Tower of Hanoi backup.

information resources Software, web browsers, e-mail, computer systems, workstations, PCs, servers, entities connected on the network, software, data, telephones, voice mail, fax machines, and any information that could be considered valuable to the business.

information security The practice of protecting information in all its forms, whether written, spoken, electronic, graphical, or using other methods of communication.

InfoSec Information Security (as defined by the U.S. government), usually used to denote blocking most or all access to computers, controlling internal access to confidential data, and using TEMPEST shielding to prevent the interception of emissions from computers.

Inherited Rights Filter (IRF) Specifies the rights that are inherited from a higher object within the file or object tree hierarchy.

injection attack A hacker attack where malicious commands are sent in response to host requests solely for the purpose of exploiting the host.

inline Describes a network device or system positioned on the network in such a way as to be able to regulate the flow of data between two different networks. For example, an inline IDS can analyze traffic flowing from the Internet to a local network and can drop malicious traffic.

integer overflow When the result of integer arithmetic wraps beyond the largest possible integer value, or wraps under the smallest possible value.

integrity Validation and verification that information exists in the form it is supposed to, that it hasn’t been modified, and that it is completely intact.

Internetwork Packet Exchange (IPX) A proprietary Novell protocol for the NetWare operating system.

intrusion-detection system (IDS) A hardware appliance or software designed to detect, alert on, and report malicious attacks and unauthorized misuse on a network or host. An IDS does not do anything about the attack; it simply raises an alert.

intrusion-prevention system (IPS) Either: an inline device that examines network activity passing through it, dropping any communications that are identified as malicious, or software that resides on a computer system that blocks activity identified as inappropriate (such as buffer overflows, memory allocation violations, and so on). Unlike an IDS, the IPS responds to an attack with some action. The IDS simply reports it. See also inline.

IrDA (Infrared Data Association) A nonprofit trade association providing standards to ensure the quality and interoperability of infrared networking hardware.

IR (intentional radiator) An RF transmitting device with cabling and connectors but excluding the antenna. IR is defined by the FCC for power output regulations implementation. See also FCC and RF.

ISM (Industrial, Scientific, Medical) Frequency bands authorized by the FCC for use by industrial, scientific, and medical radio appliances without a need to obtain a license. These bands include 902–928 MHz, 2.4–2.5 GHz, and 5.725–5.875 GHz. See also FCC and RF.

isolated storage A carefully controlled area of the file system, to which .NET applications may safely write user preferences and other persistent data without the danger of interference from other applications.

J2EE component A collection of Java code (such as servlets, JSPs, and EJBs) that represent application logic and run within a J2EE container. See also EJB, Java, and JSP.

J2EE container A JVM running in an application server in which a J2EE application runs. The J2EE container is responsible for providing the contained application with a standard interface to commonly used services, such as database connectivity, transaction management, and security. See also JVM.

J2EE (Java 2 Enterprise Edition) A well-defined collection of Java-related technologies commonly used to build enterprise-scale applications.

JAAS (Java Authentication and Authorization Service) Standard interfaces used by Java applications to access and extend system-level authentication and authorization services.

jamming Intentional introduction of interference into a wireless data channel. Jamming is a layer one DoS attack against wireless networks. See also denial of service.

Java A platform-independent, object-oriented programming language developed by Sun Microsystems.

JDBC A generic Java interface used to communicate with relational database systems.

JMS (Java Messaging Service) A generic Java interface used to communicate with enterprise point-to-point and publish-subscribe messaging systems.

JNDI (Java Naming and Directory Interface) A generic Java interface used to communicate with naming and directory servers, such as Lightweight Directory Access Protocol (LDAP), the Common Object Request Broker Architecture (CORBA) Naming Service, and Domain Name System (DNS).

JRMP (Java Remote Method Protocol) The default wire protocol used by Java RMI. See also Java and RMI.

JSP (Java Server Pages) A technology that allows developers to build servlets quickly by embedding Java programming statements directly in HTML content; the container compiles each page into a servlet on first use. See also servlet.

JVM (Java Virtual Machine) A runtime interpreter that executes Java bytecode.

keyspace The set of all keys that a cryptographic algorithm can use. Its size (26 for a simple letter shift, 2^128 for a 128-bit key) bounds the effort of an exhaustive search, so a small keyspace is a weakness regardless of how the algorithm is otherwise designed.

line of sight A straight line of visibility between two antennas.

lobes The electrical fields emitted by an antenna. Also called beams.

login scripts Batch files that customize the network environment when a user logs on.

lollipop model Uses the principle of perimeter security to produce a “hard, crunchy exterior” that protects a “soft, chewy center” (as with a Tootsie Pop lollipop). See also onion model.

macro virus A computer virus written using an application’s macro language. See also appending virus, boot virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, stealth virus, and virus.

MAC address A 48-bit address, conventionally written as six hexadecimal octets, assigned to a network interface by its manufacturer (the first three octets identify the vendor). The address is used by layer two of the OSI model to deliver frames on the local network segment; because it is set in software on most interfaces, it is easily spoofed and is not an authentication credential.

malware Malicious software.

managed code Code compiled into Common Intermediate Language instructions, for execution by the .NET Common Language Runtime. See also Common Intermediate Language and Common Language Runtime.

managed security service provider (MSSP) An external computer security firm with the expertise to deploy and manage computer security products for clients.

management console A central computer or device used to collect or report on data from one or more distributed devices.

maximum transmission unit (MTU) The largest number of bytes a link can carry in a single frame (1,500 bytes for standard Ethernet). A packet larger than the MTU of a hop on its path must be fragmented or dropped.

memory-resident virus A computer virus that remains in active memory after the host program is finished executing. See also appending virus, boot virus, macro virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, stealth virus, and virus.

metadata Information stored within an assembly concerning the classes defined in that assembly (such as names and types of fields, method signatures, dependence on other classes, and so on).

MIC (message integrity check) A keyed integrity code added to each frame by the 802.11i protocols (Michael for TKIP, CBC-MAC for CCMP) so that the receiver can detect forged or altered frames on a wireless LAN. It replaces the unkeyed CRC-32 that WEP relied on, which an attacker can recompute after modifying a frame. See also 802.11i, CCMP, and TKIP.

misuse Any activity that is unauthorized, and which may or may not include specially crafted code or techniques.

monoalphabetic algorithms Substitution ciphers that use a single cipher alphabet, so each plaintext letter always maps to the same ciphertext letter (the Caesar shift is the simplest). Letter-frequency analysis breaks them regardless of key. See also polyalphabetic algorithm.

multicast Network traffic addressed to a group of destination hosts rather than to one, using a reserved multicast group address (224.0.0.0/4 in IPv4) chosen by the source; only hosts that have joined the group receive it. See also broadcast and unicast.

multipartite virus A computer virus with more than one vector of attack; for example, a virus that infects boot sectors and file executables. See also appending virus, boot virus, macro virus, memory-resident virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, stealth virus, and virus.

mutual authentication In this process, not only does the client authenticate to the server, but the server also proves its identity to the client.

NCP Packet Signature An enhanced security feature that protects the server and the workstation against packet forgery.

near/far A wireless networking problem caused by hosts in close proximity to the access point overpowering far nodes, effectively cutting them off the network. This could be a result of a layer one man-in-the-middle attack.

NetWare Novell’s network operating system.

NetWare Core Protocol (NCP) A set of procedures that the operating system of a NetWare server uses to service workstation requests.

network-based IDS (NIDS) A hardware or software system designed to detect malicious threats by capturing and analyzing network packets.

network packet A transmission container used to send data across a network. Also called a datagram.

network protocol attack A malicious attack using malformed network packet data to accomplish the exploit.

network segment A logical collection of network nodes within a single logical packet domain. All hosts within a single network segment receive broadcasts sent by any host within the network segment.

non-repudiation A characteristic of a message or a system that prevents the sender from being able to deny sending the message (in practice, this is very difficult to achieve).

nonresident virus A computer virus that does not stay in memory after its execution. It runs and then deactivates until the next time the host executable is run. See also appending virus, boot virus, macro virus, memory-resident virus, multipartite virus, overwriting virus, parasitic virus, prepending virus, stealth virus, and virus.

normalization The process of converting the many possible encodings and representations of the same data (URL percent-encoding, double encoding, Unicode, case variants, alternative path separators) into a single canonical form before inspection. Normalization defeats evasion by encoding and makes IDS signature matching more accurate.

Novell Directory Services (NDS) Novell’s distributed computing product that stores information about all Internet, intranet, and network resources on a network.

object-level security Security permissions that are applied to specific database objects. For example, a database administrator might allow certain users to update name and address information within the “Employee” database table.

one-time password system A system in which each password is valid for a single authentication: a value used once is never accepted again, so a captured password cannot be replayed. Passwords are typically derived from a shared secret and a counter or the time.
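An added example, not from the original glossary, of one concrete one-time password scheme: HOTP (RFC 4226), which derives each password from a shared secret and an event counter using HMAC-SHA1. The `HotpVerifier` class, its look-ahead window of 3, and the sample secret are assumptions for illustration; the secret is the one used for the RFC's published test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of the scheme (assumed design). It remembers the next
    counter value it expects, so a password that was already accepted can
    never be replayed, and it allows a small look-ahead window in case the
    token generated values that never reached the server."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.counter = 0          # next counter value we will accept

    def verify(self, code: str) -> bool:
        for offset in range(self.window):
            candidate = self.counter + offset
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # burn this and any skipped values
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret, shared by token and server.
    SECRET = b"12345678901234567890"
    server = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)
    print(first, server.verify(first))     # accepted
    print(first, server.verify(first))     # same value again: rejected (replay)
    print(hotp(SECRET, 2), server.verify(hotp(SECRET, 2)))  # counter 1 skipped, 2 accepted
```

The replay protection lives entirely in the server's counter bookkeeping: HOTP values themselves carry no state, so a verifier that forgets to advance the counter has reintroduced a reusable password.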

onion model A layered security strategy, sometimes referred to as defense in depth, that includes the “strong wall” principle of the lollipop model, but goes beyond the idea of a simple barrier by providing multiple layers of security that must be passed. See also defense in depth and lollipop model.

open system authentication The default 802.11 authentication method: a two-frame request/response exchange in which the access point accepts any station that asks. No credential is checked, so this approach provides no security by itself; it is simply the step before association.

Open Systems Interconnection (OSI) model A seven-layer structure that represents the transmission of data from an application residing on one computer to an application residing on another computer.

overwriting virus A computer virus that permanently writes itself over the host file or a portion of the host file during infection. Damage is not easily repairable. See also appending virus, boot virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, parasitic virus, prepending virus, stealth virus, and virus.

packet-level driver Network interface software that can capture any network packets physically sent to it. Normally, a network interface driver only accepts broadcast packets and packets with its own destination address.

parasitic virus A computer virus that inserts itself into a host file without overwriting the host file’s original contents. See also appending virus, boot virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, prepending virus, stealth virus, and virus.

passive scanning A method by which client devices discover wireless networks. Passive scanning involves client devices listening for and analyzing beacon management frames.

password history The system's record of a user's previous password hashes, used to reject a new password that reuses one of them and so force a genuinely new password at each change.

payload The damage routine in malware. See also malware.

perimeter security The technologies, hardware and software, operations, staff, and services that address perimeter defenses to prevent unauthorized connections from outside the perimeter (as opposed to controlling access inside) by controlling network access (using firewalls, vulnerability scanners, and virus detectors), by controlling remote access for traveling computers, and by controlling internal and external network connections with different levels of trust.

permissions Operations that can be applied to or done with an object. Example file permissions are read, write, delete.

plaintext Text that has not been encrypted.

point-in-time recovery An operation that allows database administrators to restore databases to their state at a specific point in time. Generally, point-in-time recovery relies on the availability both of full backups and transaction log backups.

polarization The physical orientation of an antenna in relation to the ground. Polarization can be horizontal or vertical.

policy pockets Areas of a network controlled by common security policies and having similar or identical security controls.

polyalphabetic algorithm A substitution cipher, such as the Vigenère Square, that uses multiple cipher alphabets and switches among them according to a key, so the same plaintext letter can produce different ciphertext letters. This flattens single-letter frequencies, although the periodic key still leaves the cipher open to analysis. See also monoalphabetic algorithms.
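An added example, not part of the original glossary, implementing the two cipher families named above (a Caesar shift for the monoalphabetic case, the Vigenère Square for the polyalphabetic one) and computing their keyspaces, to show why the size of the keyspace matters: the Caesar keyspace falls to a loop of 26 guesses. The function names and the "ATTACK AT DAWN"/"LEMON" sample are constructed for illustration.

```python
import string
from itertools import cycle

ALPHABET = string.ascii_uppercase


def _clean(text: str) -> str:
    """Classical ciphers work on the 26 letters only; drop everything else."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Monoalphabetic substitution: one alphabet, so a given plaintext letter
    always becomes the same ciphertext letter."""
    if decrypt:
        shift = -shift
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] for ch in _clean(text))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: each key letter selects one of 26 Caesar
    alphabets, cycling through the key, so repeated plaintext letters differ."""
    sign = -1 if decrypt else 1
    out = []
    for ch, k in zip(_clean(text), cycle(_clean(key))):
        shift = sign * ALPHABET.index(k)
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def caesar_keyspace() -> int:
    return 26                       # 25 useful shifts plus the identity


def vigenere_keyspace(key_length: int) -> int:
    return 26 ** key_length         # grows exponentially with key length


def brute_force_caesar(ciphertext: str, crib: str):
    """Exhaustive search over the whole Caesar keyspace, accepting the first
    shift whose output contains a word we expect (the crib)."""
    for shift in range(caesar_keyspace()):
        candidate = caesar(ciphertext, shift, decrypt=True)
        if crib in candidate:
            return shift, candidate
    return None


if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)
    print(ct, brute_force_caesar(ct, "DAWN"))
    print(vigenere("ATTACK AT DAWN", "LEMON"), vigenere_keyspace(5))
```

Note that `vigenere_keyspace(5)` is over eleven million, yet a five-letter key is still weak: the keystream repeats every five letters, so an attacker who guesses the period is back to five independent Caesar problems.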

port mirroring Instructing one or more ports on a switch to copy traffic to a monitor port. Also called port spanning or traffic redirection.

port number A 16-bit number in the TCP or UDP header that identifies which service or application on a host a network data flow belongs to. Servers listen on fixed port numbers; the operating system's IP stack assigns ephemeral port numbers to outgoing connections. See also well-known ports.

port spanning See port mirroring.

prepending virus A computer virus that places itself at the beginning of a host file. See also appending virus, boot virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, stealth virus, and virus.

privacy Keeping information as a secret, known only to the originators of that information. This contrasts with confidentiality, in which information is shared among a select group of recipients. See also confidentiality.

privileges Operations that a user or process is allowed to perform on a system as a whole, such as shutting it down or logging on to it remotely, as distinct from permissions on a particular object. See also permissions.

promiscuous mode A network interface mode enabled by packet-level drivers allowing all packets detected by a network interface card to be captured. Normally, a network interface driver only accepts broadcast packets and packets with its own destination address. See also packet-level driver.

protocol A set of guidelines defining network traffic formats for the easy communication of data between two hosts.

protocol anomaly detection Anomaly detection that checks protocol headers and exchanges against the behaviour the protocol specification allows, rather than against signatures of known attacks; it can flag a malformed packet or an out-of-order handshake that no signature describes.

public key/private key cryptography Asymmetric cryptography, which uses a mathematically related pair of keys: the public key, which can be published, encrypts or verifies signatures, and the private key, which is kept secret, decrypts or signs. Its security rests on the private key staying private. See also non-repudiation.

Quality of Service (QoS) Networking technology that enables network administrators to manage bandwidth and give priority to desired types of application traffic as it traverses the network.

redundancy The assurance of availability by providing duplicate systems or alternative processes. See also availability.

Redundant System Slot (RSS) Entire hot swappable computer units are provided in a single unit. Each system has its own operating system and bus, but all systems are connected and share other components. Like clustered systems, RSS systems can be either active-standby or active-active. RSS systems exist as a unit, and systems cannot be removed from their unit and continue to operate.

reflection site A compromised computer resource used by a hacker to attack other hosts, in an effort to obscure their source location.

relevancy The ability to correlate an attack threat with a related vulnerability in a particular environment. If a threat is executed against a computer asset (such as a computer host or network) with a susceptible vulnerability, relevancy is considered high.

reliable Describes a network protocol that will automatically confirm that sent packets are received by the destination host and will retransmit unconfirmed packets.

Remote Authentication Dial-In User Service (RADIUS) protocol A client/server protocol, and the server that implements it, used by network access devices to obtain centralized authentication, authorization, and accounting for remote access and 802.1x users. See also 802.1x.

return on investment (ROI) A demonstration of the value of an effort or technology, based on the amount of money it generates, usually expressed in currency or a percentage of return versus cost.

revenue vector A source of income, identified by its magnitude (how much money) and its direction (where it comes from or where it goes to).

RF (radio frequency) A generic term for any radio-based technology.

RFMON mode A mode of 802.11 client device operation that allows the capture and analysis of 802.11 frames. RFMON mode is used by wireless attackers for passive network discovery and eavesdropping, and it is necessary for 802.11 network troubleshooting, monitoring, and intrusion detection. Also called monitoring mode or raw frames sniffing mode.

risk The potential for loss when a threat is realized against a vulnerable asset; its magnitude depends on both the likelihood of the event and the impact it would have. See also threat and vulnerability.

risk elimination Processing a risk by preventing the risk from occurring by eliminating a vulnerability, eliminating all threats, reducing the cost of a realized threat to zero, or increasing the effectiveness of security measures to 100 percent.

risk management Controlling vulnerabilities, threats, likelihood, loss, or impact with the use of security measures. See also risk, threat, and vulnerability.

risk mitigation Processing a risk by controlling its likelihood, its cost, or its threats, through the use of security measures designed to provide these controls. See also risk and threat.

risk transference Processing a risk by transferring all or part of the cost of the risk to a third party (most commonly an insurance provider). See also risk.

RMI-IIOP An additional version of Java RMI that uses IIOP as its wire protocol. RMI-IIOP is the default wire protocol for remote communication with EJBs. See also EJB and IIOP.

RMI (Remote Method Invocation) The primary Java Remote Procedure Call (RPC) mechanism used to invoke remote application code.

rogue wireless device An unauthorized transceiver on the wireless network. Often an access point or a wireless bridge.

role-based security The practice of authorizing access to a resource on the basis of the roles (such as administrator, operator, or user) assigned to the user, rather than on the user's individual identity. Permissions are attached to roles, and users acquire them through role membership.

rootkit A suite of programs that is installed to hide the presence of an intruder once they have successfully broken into a computer system. Common functions of a rootkit are to doctor logs, replace system binaries, and install back doors.

rule IDS instruction defining a threat signature. See also threat.

rule-based authorization Uses rules that stipulate what a specific user can do on a system.

rule set Groups of related rules.

security The practice of protecting assets. This is the fundamental level of the security hierarchy, of which information security, data security, and network security are branches.

Security Accounts Manager (SAM) The password database for all NT 4.0 systems and for local accounts of Windows 2000 and higher operating systems.

security control Any technique, technology, activity, or practice that is intended to protect assets.

security demand A declaration by managed code that callers are required to have a certain set of permissions before that code can be executed.

security policy The set of decisions that govern security controls.

security principal In Windows, an entity, such as a user or computer, that can be granted rights and permissions.

security strategy The proactive plan of action governing the implementation of a security infrastructure.

security templates Configuration files that provide settings (or mark them “undefined”) for major security configuration choices in Windows 2000, Windows XP, and Windows Server 2003.

segmentation Splitting a network into different areas using routers and switches, also often accomplished using virtual LAN (VLAN) technology along with access control lists (ACLs). See also access control list and VLAN.

sensor A network device used to capture traffic on one network segment and transmit it to a monitoring host on another segment. Also known as a tap.

servlet A J2EE component that receives an HTTP request as input and returns an HTTP response as output. See also J2EE.

shadow copy This Windows Server 2003 and Windows XP service takes a point-in-time snapshot of a working volume so that a normal data backup can include open files. The service does not copy the whole volume: it marks the point in time and then, before any block is overwritten, saves the old contents to a hidden storage area (a copy-on-write snapshot). When a backup is made, closed files and the on-disk state of open files are read as of that point in time. On Windows Server 2003 the service runs in the background, recording file changes continuously; with the Previous Versions client (available for Windows XP), any user authorized to read a file can view and restore earlier versions of it.

shared key authentication A type of 802.11 authentication based on a challenge-response that uses a previously shared WEP key. Because the challenge and its RC4-encrypted response are both sent in the clear, an eavesdropper can recover a keystream from the exchange, so this system provides no real security. 802.1x provides a better authentication mechanism and should replace shared key authentication. See also 802.11, 802.1x, challenge and response, and WEP.

shoulder-surfing Using direct observation techniques, such as looking over someone’s shoulder, to obtain information. This is normally done casually to avoid being noticed.

SID A unique number used in Windows to identify a security principal. See also security principal.

signature A predefined pattern of bytes (or of protocol fields) that identifies a particular known threat; signatures match what an attack looks like on the wire, so they do not detect attacks that have not yet been seen and described.

signature-detection IDS An IDS system that works by comparing captured traffic against databases of known bad patterns. Also known as misuse detection. See also intrusion-detection system and host-based IDS.

single sign-on A process that can allow the user to only have one logon account and password in order to access all systems on their network.

site survey Surveying the area to determine the contours and properties of RF coverage.

snapshot HIDS See file-integrity HIDS.

sniffing The capturing of network packets not intended for the host doing the capturing. This can be used maliciously to discover unauthorized information. Also known as packet capturing or protocol analyzing.

SNR (signal-to-noise ratio) The received signal strength minus the background RF noise floor, expressed in decibels. A low SNR means a weak or jammed link. See also jamming.

Software Update Services (SUS) A free server application, SUS can be downloaded from Microsoft. Once installed and configured, the system will periodically download patches from Microsoft. The administrator has the option to approve or disapprove each patch. Client systems (Windows XP Professional, Windows 2000 Professional and Server, and Windows Server 2003) can be configured to use the SUS server and automatically apply approved patches.

specialized information Information that is unique to a company or type of business and that has special value to that company. Specialized information may include trade secrets, such as formulas, production details, and other intellectual property.

spectrum analyzer A receiver that identifies the amplitude of signals at selected frequency sets. These are useful for discovering interference or jamming on wireless networks.

spread spectrum RF modulation technique that spreads the signal power over a frequency band wider than is necessary to carry the data exchanged. See also DSSS and FHSS.

SQL injection Manipulating the input of a web application so that attacker-supplied text becomes part of the SQL command the application sends to its database, allowing the attacker to bypass authentication or read, alter, and delete data. Building queries with parameterized statements rather than string concatenation prevents it. See also injection attack.

stack walk A procedure for checking that all callers of an assembly that makes a security demand have the required permissions.

stateful Describes a network protocol that tracks the state of a session and signals session conditions (such as establishing, acknowledging, and closing a connection) with flags in its headers; TCP is the usual example. Stateful inspection in a firewall or IDS uses this to tell a packet that belongs to an established session from one that does not.

stateless Describes a network protocol that does not track session state; each datagram is handled on its own (such as UDP).

stealth virus A computer virus coded to avoid inspection. See also appending virus, boot virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, and virus.

sticky honeypot A honeypot built to attract malicious threats, and to keep them and slow them down from attacking other legitimate hosts. See also honeypot.

stored procedure A database object that can contain executable database server logic. Permissions can be assigned to stored procedures in order to prevent unwanted data modifications and to provide more granular control of security.

stream cipher A symmetric cipher that generates a pseudorandom keystream from the key and combines it with the plaintext one bit or byte at a time, usually by XOR; RC4, used by WEP and TKIP, is an example. Using the same keystream for two messages leaks the XOR of the two plaintexts, so each message needs a fresh key or initialization vector. See also WEP.

strong security Security controls that approach being completely effective. See also weak security.

supplicant In 802.1x, a client device to be authenticated.

switch A network device that gives each connected port its own collision domain and forwards a frame only to the port on which its destination MAC address was learned, so hosts on other ports do not normally see each other's unicast traffic. Unless VLANs are configured, however, all hosts on the switch still share the same broadcast domain. See also port mirroring and VLAN.

system policy A Windows GUI-based tool that allows the administrator to configure multiple security settings for users, groups, and individual computers, and also to configure system settings such as screensavers.

Systems Management Server (SMS) SMS is a Microsoft server product that is purchased separately from Windows operating systems and that provides multiple Windows management services. It can now be configured to provide patching services for its clients.

tactics The reactive response to security incidents and the day-to-day security operations used to respond to threats. See also threat.

tap See sensor.

TEMPEST A standard for reducing the emission of electromagnetic radiation that can allow the reconstruction of data by monitoring the electromagnetic fields that are produced by the signals or movement of data and that are present in computer displays that use cathode ray tubes (CRTs), printers, and other electronic devices.

threat An event, action or object that may cause harm. A virus is a threat, as is a tornado.

threat vector Information about a particular source of harm including where it originates and what path it takes to reach the protected asset.

TKIP (Temporal Key Integrity Protocol) An RC4-based encryption protocol that corrects many of the weaknesses of the original static WEP by deriving a fresh key for every packet, extending the IV into a sequence counter that rejects replays, and adding the Michael MIC. TKIP is an optional part of the 802.11i standard; it is backward compatible with WEP hardware and does not require a hardware upgrade. See also MIC and WEP.

top-down approach A way of designing a system starting with the big picture, by analyzing requirements, developing an architecture, and strategizing, as opposed to taking a bottom-up approach in which designs are based on technical product capabilities.

total cost of ownership (TCO) The total cost of a solution, including purchasing, ongoing costs, labor, and training.

Tower of Hanoi backup A backup rotation strategy named after the puzzle played with three poles and a number of rings of different sizes. The object is to move the whole stack of rings from the starting pole to another pole one ring at a time, without ever placing a ring on top of a smaller one; solving it requires a specific order of moves.

The backup strategy uses multiple tapes (or other backup media) in the same order: the first tape is used every second day, the next every fourth, the next every eighth, and so on, and each tape receives a full backup each time it is used. Because consecutive backups land on different tapes, the loss of or damage to a single tape removes only one restore point rather than the current period's history, and a fairly current backup is always available. See also differential backup; grandfather, father, son (GFS) backup; and incremental backup.
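An added example, not part of the original glossary, that computes the rotation just described: the tape used on day n is the one whose number equals the count of trailing zero bits in n (the "ruler" sequence that also orders the moves in the puzzle), capped at the last tape. The five-tape default and the function names are assumptions.

```python
def tape_for_day(day: int, tapes: int) -> int:
    """Day n (counting from 1) goes to tape k, where 2**k is the largest power
    of two dividing n, capped at the last tape: tape 0 every 2nd day, tape 1
    every 4th, tape 2 every 8th, and so on."""
    if day < 1 or tapes < 1:
        raise ValueError("day and tapes must be positive")
    trailing_zeros = (day & -day).bit_length() - 1
    return min(trailing_zeros, tapes - 1)


def schedule(days: int, tapes: int = 5) -> list:
    """The tape index to mount on each of the first `days` days."""
    return [tape_for_day(d, tapes) for d in range(1, days + 1)]


def recovery_points(day: int, tapes: int = 5) -> list:
    """For each tape, the most recent day (<= day) whose full backup it holds,
    or None if it has not been written yet. The spacing doubles from tape to
    tape, so one damaged tape costs a single point, not a stretch of history."""
    latest = [None] * tapes
    for d in range(1, day + 1):
        latest[tape_for_day(d, tapes)] = d
    return latest


if __name__ == "__main__":
    names = "ABCDE"
    print(" ".join(names[t] for t in schedule(16)))   # A B A C A B A D A B A C A B A E
    print(recovery_points(16))                         # [15, 14, 12, 8, 16]
```

The `recovery_points` output is the property the rotation is bought for: on day 16 the five tapes hold backups from 1, 2, 4, 8 and 0 days ago, so both a very recent restore point and a much older one survive the loss of any single tape.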

traffic redirection See port mirroring.

transaction log backups Special database backups that contain a sequential record of all data modifications that have occurred within a database. Transaction log backups can be used to perform point-in-time recovery. See also point-in-time recovery.

transitive security See equivalent security.

Transmission Control Protocol/Internet Protocol (TCP/IP) The world’s most popular network protocol. It includes protocol types TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol).

trap door See back door.

Trojan horse An apparently useful and innocent program containing additional hidden code that allows the unauthorized collection, exploitation, falsification, or destruction of data. A Trojan horse is often received from a familiar e-mail address or URL or in the form of a familiar attachment.

trustee assignment Describes the rights that are granted to an object for a specific directory, file, object, or property in NetWare.

trustworthy Having reliable, appropriate, and validated levels of security.

type safety A guarantee that managed code cannot perform an operation on an object unless the operation is permitted for that object. See also managed code.

unicast A type of network packet traffic that is destined for one host only. See also broadcast.

UNII (Unlicensed National Information Infrastructure) A segment of RF bands authorized by the FCC for unlicensed use. This includes 5.15–5.25 GHz, 5.25–5.35 GHz, and 5.725–5.825 GHz frequencies. See also FCC and RF.

variant A threat that is slightly modified to escape detection or that has slightly different behavior.

virtual patching Blocking newly found attacks until the system can be patched. Internet Security Systems (ISS) is integrating its vulnerability scanner (Internet Scanner 7.0) and host-based intrusion-detection system (HIDS) to stop new worms as they come to the attention of the security community. As new attack information is discovered, the scanner will be updated and will examine operating systems, routers, switches, mail servers, and other systems to see if a weakness exists.

virtual private network (VPN) A network connection that traverses an untrusted network and that has two properties: end-to-end network connectivity (hence the term virtual) and confidentiality of data, usually provided by encryption (hence the term private).

virus A self-replicating program that uses other host files or code to replicate. See also appending virus, boot virus, macro virus, memory-resident virus, multipartite virus, nonresident virus, overwriting virus, parasitic virus, prepending virus, and stealth virus.

VLAN (virtual local area network) A logical grouping of nodes, configured on switches, that forms a single layer-two broadcast domain even though the nodes need not share a physical network segment. Each VLAN is usually mapped to its own IP subnet, and traffic between VLANs must pass through a router or layer-three switch, where access control lists can be applied. See also segmentation.

v-table A per-class table holding the addresses of a class's virtual methods. Every C++ object of a class with virtual functions begins with a hidden pointer (the vptr) to its class's v-table, and virtual calls are dispatched through it. A memory-corruption bug that overwrites an object's vptr redirects that object's next virtual call, which is why v-tables are a common target in C++ exploitation. See also buffer overflow.

vulnerability A characteristic that leads to exposure, and that may be exploited by a threat to cause harm. Vulnerabilities are most commonly a result of a software flaw or misconfiguration. See also threat.

war chalking Labeling the presence and properties of discovered wireless networks with a piece of chalk, using a set of standard symbols. This is an optional extension of war driving.

war-driving/walking/cycling/climbing/flying/sailing Discovering wireless LANs for fun or profit. It can be a harmless hobby or a reconnaissance phase for future attacks against discovered wireless LANs or the wired networks connected to them.

weak security Security controls that are significantly less than completely effective. See also strong security.

well-known ports Network ports from 0 to 1,023 assigned by the Internet Assigned Numbers Authority (www.iana.org) for commonly used network services and applications.

WEP (wired equivalent privacy) An optional 802.11 security feature that uses the RC4 stream cipher, keyed with a 24-bit per-packet IV prepended to a static shared key, to encrypt traffic on a wireless LAN. Several flaws of WEP have been published and are widely known: the small IV space forces keystream reuse, weak IVs expose the key through the RC4 key schedule, and the unkeyed CRC-32 integrity check lets an attacker modify frames undetected. See also 802.11, stream cipher, and TKIP.
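An added example, not from the original glossary, that implements RC4 and WEP-style per-packet keying (IV prepended to the shared key, IV sent in the clear) to demonstrate the stream-cipher weakness named in the stream cipher and WEP entries: two frames encrypted under the same IV share a keystream, and knowing one plaintext reveals the other without the key. The shared key, IV, and the two frame bodies are constructed sample values; the function names are assumptions.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm, then the pseudo-random generation
    algorithm, producing `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; truncates to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing (simplified, no ICV): per-packet RC4 key is IV || shared key,
    and the 3-byte IV is transmitted in the clear ahead of the ciphertext."""
    assert len(iv) == 3
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_from_iv_reuse(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Attacker side: with the same IV (visible in the clear) both frames used the
    same keystream K, so C1 xor C2 = P1 xor P2. Knowing P1 yields P2, no key needed."""
    assert frame1[:3] == frame2[:3], "attack applies only when the IV repeats"
    return xor_bytes(xor_bytes(frame1[3:], frame2[3:]), known_plaintext1)


if __name__ == "__main__":
    # Constructed sample: a 40-bit shared key and one IV used for two frames.
    KEY = b"\x01\x02\x03\x04\x05"
    IV = b"\x00\x00\x01"
    p1 = b"GET / HTTP/1.0\r\n"          # predictable traffic the attacker can guess
    p2 = b"secret password!"            # same length, unknown to the attacker
    f1 = wep_encrypt(KEY, IV, p1)
    f2 = wep_encrypt(KEY, IV, p2)
    print(recover_from_iv_reuse(f1, f2, p1))
```

With a 24-bit IV the reuse is not a corner case: a busy network exhausts the IV space in hours, and many implementations started the counter at zero on every reset.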

WIDS (wireless IDS) An intrusion-detection system capable of detecting layer one and two wireless security violations. See also intrusion-detection system.

Wi-Fi Alliance An organization that certifies interoperability of 802.11 devices and promotes Wi-Fi as a global wireless LAN compatibility standard. See also 802.11.

Wi-Fi (wireless fidelity) The Wi-Fi Alliance certification standard that ensures proper interoperability among 802.11 products. See also 802.11.

Windows trust relationship A connection between two Windows domains that allows the sharing of resources to accounts in both domains.

wireless man-in-the-middle and hijacking attacks Rogue wireless device insertion attacks that exploit layer one and two vulnerabilities of wireless networks.

WLAN A wireless LAN.

worm A computer program that uses its own coding to replicate, unlike a computer virus that relies on other host files for replication. See also virus.

WPAN A wireless personal area network. See also Bluetooth.

WPA (Wi-Fi Protected Access) A security subset of the interoperability Wi-Fi certification using 802.11i standard features. WPA is currently at version 1.0.

zombie A Trojan horse program that infects host computer systems and awaits a command from a remote hacker to initiate a coordinated attack on another host. See also Trojan horse.

zones of trust Different regions of networks and computer systems that have different levels of trust—some computer systems or networks must be trusted completely, some are trusted incompletely, and some are completely untrusted.