Glossary of Communications, Data and Information Security Terms

-Symbols-
- *-property
-
a Bell-La Padula security model rule
allowing a subject write access to an
object only if the security level of the object is higher
than, or dominates, the security level of the subject. In other words, you can
only tell something to someone whose clearance is equal to or higher than yours.
Pronounced, and sometimes written, star property. Also called confinement
property. There is a related
strong star property in database security.
-Numbers-
- 3DES
-
see triple DES
-A-
- ABA Guidelines
-
American Bar Association (ABA) Digital Signature Guidelines, a framework of
legal principles for using
digital signatures and digital certificates in
electronic commerce
- Abstract Syntax Notation One (ASN.1)
-
a standard for describing data objects. This notation format is important to
security because of its significance in networking discussions. OSI standards use
ASN.1 to specify data formats for protocols.
Syntax is needed to define abstract objects, and encoding rules are needed to
transform between abstract objects and bit strings. In ASN.1, formal names are
written without spaces, and separate words in a name are indicated by
capitalizing the first letter of each word except the first word. For example,
the name of a CRL is "certificateRevocationList".
- *Acceptable Use Policy (AUP)
-
written policy outlining the usage that may or may not be made of computing or
network resources. Previously this applied primarily to institutions (such as
universities) providing access to systems such as the Internet. Although not as
widely used currently, these should still be part of a company's
security policy.
- acceptance inspection
-
the final inspection to determine whether or not a facility or system meets the
specified technical and performance standards. Note: This inspection is held
immediately after facility and software testing and is the basis for
commissioning or accepting the information system. If the system is accepted it
receives
accreditation.
- access
-
the ability and means to communicate with or otherwise interact with a system: a
specific type of interaction between a
subject and an
object that results in the flow of information from one to
the other. A subject may access a file object to obtain data, or a subject may
access a system resource and give it command information in order to obtain
service. There is not full agreement on the definition of access: some would
insist that the simple ability to receive information is not access unless the
subject can also command the object.
- access control
-
the process of limiting access to the resources of a system only to authorized
programs, processes, or other systems (in a network). Synonymous with controlled
access and limited access. Access control may be an administrative, physical, or
technical control, but is most commonly considered a technical control limiting
access to information or resources on a system. Access control is generally a
preventive control.
- access control list
-
a list of users, programs, and/or processes and the specifications of access
categories to which each is assigned.
- access control mechanism
-
hardware or software features, operating procedures, management procedures, and
various combinations of these designed to detect and prevent unauthorized access
and to permit authorized access in an automated system. Access control lists are
a technical access control mechanism.
- access level
-
the hierarchical portion of the security level used to identify the sensitivity
of data and the clearance or
authorization of users. Note: The access level, in
conjunction with the nonhierarchical categories, forms the
sensitivity label of an
object. See category,
security level, and
sensitivity label.
- access period
-
a segment of time, generally expressed on a daily or weekly basis, during which
access rights prevail.
- access type
-
the nature of an access right to a particular device, program, or file (e.g.,
read, write, execute, append, modify, delete, or create).
- accountability
-
the property that enables activities on a system to be traced to individuals (or
entities) who may then be held responsible for their actions.
- accreditation
-
a formal declaration by the command or management authority that the system is
approved to operate in a particular security mode using a prescribed set of
safeguards. Accreditation is the official management authorization for
operation of a system and is based on the certification
process as well as other management considerations. The accreditation statement
affixes security responsibility with the management or operating authority and
shows that due care has been taken for security. Essentially, accreditation
involves acceptance of the system.
- accreditation authority
-
management or command level with authority to accept a particular system.
- active
-
attacks or exploits may be active, involving an attempt to change or influence a
system, or passive, which generally involves listening or spying
- ActiveX
-
ActiveX controls are software modules based on Microsoft's Component Object
Model (COM) architecture and appear to be Microsoft's preferred form of active
content for Web pages. ActiveX controls are, in fact, almost identical in
structure to MS Windows programs, and have full system access. The only security
provision is a
digital signature system called
Authenticode which offers only "run/don't run"
options, and has additional security problems.
- activity monitor
-
a type of antiviral software which checks for signs of suspicious activity, such
as attempts to rewrite program files, format disks, etc. The term activity
monitor is usually considered to include
operation restrictor type software (also
known as activity blocker or behaviour blocker), but is sometimes differentiated
in that an activity monitor may sometimes just alert the operator to the
attempt, rather than disabling it.
- activity blocker
-
see operation restrictor
- add-on security
-
the retrofitting of protection mechanisms, implemented by hardware or software.
- administrative control
-
see controls
- administrative security
-
the management constraints and supplemental controls established to provide an
acceptable level of protection for data. Synonymous with procedural security.
Nowadays more commonly referred to as
administrative controls.
- adware
-
while not necessarily malware, adware is considered to go
beyond the reasonable advertising that one might expect from
freeware or
shareware. Typically a separate program that is
installed at the same time as a shareware or similar program, adware will
usually continue to generate advertising even when the user is not running the
originally desired program. See also
cookies, spyware, and
web bugs.
- *Advanced Encryption Standard (AES)
-
a standard developed by NIST to succeed DES. Intended to
specify an unclassified, publicly-disclosed,
symmetric
encryption algorithm, available royalty-free
worldwide.
- adversary
-
an entity that attacks, or is a
threat to, a system
- aggregation
-
a circumstance in which higher level information (which may be thought to be
subject to a higher level of security clearance) may be inferred from a large
number of lower level data items. A collection of information items may be
required to be classified at a higher security level than any of the individual
items that comprise it.
- AH
-
see Authentication Header
- AIS
-
Automated Information System. Term formerly used in United States government and
military for computer or electronic information systems. Sometimes found in
older security texts.
- algorithm
-
a sequence of steps needed to solve logical or mathematical problems. In
security, the term usually refers to
cryptographic algorithms used in
encryption or
decryption of data files and messages and to create
digital signatures, but it may also refer to pattern matching in virus or
intrusion detection which does not
rely on the use of a simple scan string (see
signature).
- alias
-
a name that an entity uses in place of its real name, in computing usually for
purposes of convenience or brevity, but in security often for the purpose of
either anonymity or deception
- anomaly detection
-
detecting intrusions by looking for activity that is different from the user's
or system's normal behavior. A type of
intrusion detection system.
- anonymous
-
the condition of having an identity that is unknown or concealed. To hide an
entity's real name, an alias may be used. In some
applications, anonymous entities may be completely untraceable. See also
anonymous login.
- anonymous login
-
an access control feature (or weakness) in many
Internet hosts that enables users to gain access to general-purpose or public
services and resources on a host (such as allowing any user to transfer data
using ftp) without having a pre-established, user-specific
account (i.e., user name and secret password). This feature exposes a system to
more threats than when all the users are known, pre-registered entities that are
individually accountable for their actions.
- ANSI bomb
-
use of certain codes (escape sequences, usually embedded in text files or email
messages), which remap keys on the keyboard to commands such as "DELETE" or
"FORMAT". ANSI (the American National Standards Institute) is a short form which
refers to the ANSI screen formatting rules. Many early MS-DOS programs relied on
these rules, and required the use of the ANSI.SYS file, which also allowed
keyboard remapping. The use of ANSI.SYS is very rare nowadays.
- antiviral
-
Although an adjective, frequently used as a noun as a short form for
antivirus software or systems of all types
- antivirus software
-
see scanner,
change detection,
activity monitor
- antivirus virus
-
a virus that specifically looks for and removes other
viruses. These entities cannot be said to be beneficial or useful examples of
viruses, since they have generally created more problems than the viruses they
remove. See
benign.
- applet
-
a small application transported over the networks, especially as an enhancement
to a Web page. Applets often arrive from systems that cannot be verified as
trusted. Two common applet systems are
ActiveX and Java. Java applets are only allowed access to
certain functions or information: this restriction is often referred to as the
sandbox.
- application level gateway
-
a firewall system in which service is provided by
processes that maintain complete TCP connection state and sequencing.
Application level firewalls often re-address traffic so that outgoing traffic
appears to have originated from the firewall, rather than the internal host. See
also proxy server.
- archive
-
(1) a site containing a large number of files, possibly acquired over time, and
often publicly accessible. See also ftp, particularly
anonymous ftp.
(2) refers to a file which contains a number of related files, usually in a
compressed format to reduce file size and transmission (upload or download) time
on electronic bulletin boards or download sites on the Internet. Most software
which is distributed as
shareware (or similar concepts) is distributed as an
archive which contains all related programs, as well as documentation and
possibly data files. Archived files, because of the compression, appear to be
encrypted and therefore infected files inside archives may not be detected by
virus or malware scanning software. See also
compressed executable,
self-extracting.
(3) often synonymous with backup
- armored virus
-
a virus that tries to prevent analysts from examining its code. The virus may
use various methods to make tracing, disassembling and reverse engineering its
code more difficult.
- ASCII
-
American Standard Code for Information Interchange, a coding system that assigns
numerical values to characters such as letters, numbers, punctuation, and other
symbols, and used in most American manufactured computers. Often used as a
synonym for text. ASCII allows only seven bits per character (for a total of 128
characters).
- ASCII files
-
ASCII files are files consisting of only ASCII characters,
and generally only the printable characters. With effort, it is possible to
write program files for Intel based computers consisting only of printable
characters. (An example is the
EICAR Standard Antivirus Test File).
Windows batch (BAT) files and Visual Basic Script files are also typically pure
text, and program files, but are interpreted, rather than being executed as
object code.
- ASN.1
-
see Abstract Syntax Notation One
- asset
-
an entity of value to the business or enterprise, be it a computer processor,
disk, network link, program, datum, or even user
- assurance
-
a measure of confidence that the security features and architecture of a system
accurately mediate and enforce the security
policy. Assurance is often neglected in planning for
security. Assurance may result from formal methods, or it may be partially
determined by
penetration testing or
simulation.
- assurance level
-
a specific level on a hierarchical scale representing successively increased
confidence that a target of evaluation adequately fulfills the requirements. The
Trusted Computer Security Evaluation Criteria (TCSEC) is
one example of such a hierarchy, the
Common Criteria is another.
- asymmetric key encryption
-
asymmetric key
encryption, also known as public key encryption, uses
two keys, one publicly known, and one privately held. There are key management
advantages to using asymmetric encryption, although the
work factor, and therefore the strength of the system, is felt to be weaker
than
symmetric systems with equivalent key lengths.
- attack
-
the act of trying to bypass security controls on a system. An attack may be
active, resulting in the alteration of data; or passive,
resulting in the release of data. Note: The fact that an attack is made does not
necessarily mean that it will succeed. The degree of success depends on the
vulnerability of the system or activity and the effectiveness of existing
countermeasures. Attack is often used as a synonym
for a specific exploit. See also
brute force,
denial of service,
distributed denial of service,
hijacking,
social engineering,
sniffing, spoofing,
trojan horse, virus.
- attack signature
-
activities or alterations to a system indicating an attack or attempted attack,
and particularly a specific type of attack, often determined by examination of
audit or network logs
- attribute
-
in MS-DOS and Windows systems, the characteristics representing file
permissions
- audit
-
the collection of records of activities to assess their compliance with
security policy
- audit trail
-
a chronological record of system activities that is sufficient to enable the
reconstruction, reviewing, and examination of the sequence of environments and
activities surrounding or leading to an operation, a procedure, or an event in a
transaction from its inception to final results. Sometimes specifically referred
to as a security audit trail.
- authenticate
-
(1) to verify the identity of a user, device, or other entity in a computer
system, often as a prerequisite to allowing access to resources in a system.
(2) to verify the integrity of data that have been stored, transmitted, or
otherwise exposed to possible unauthorized modification.
- authentication
-
(1) the process of verifying identity, origin, or lack of modification of a
subject or object. Authentication of a user is
generally based on something the user knows, is, or has.
(2) the use of some kind of system to ensure that a file or message which
purports to come from a given individual or company actually does. Many
authentication systems are now looking towards public key encryption, and the
calculation of a check based upon the contents of the file or message as well as
a password or key. Related concepts are change
detection and
integrity
- Authentication Header (AH)
-
an Internet IPsec protocol (RFC 2402) designed to provide
connectionless data integrity service and data origin
authentication service for IP datagrams, and (optionally) to provide
protection against replay attacks. AH may be used alone, or in combination with
the IPsec Encapsulating Security
Payload (ESP) protocol, or in a nested fashion with tunneling. ESP can
provide the same security services as AH, and ESP can also provide data
confidentiality service. The main difference between authentication services
provided by ESP and AH is the extent of the coverage; ESP does not protect IP
header fields unless they are encapsulated by AH.
- authentication token
-
a portable device used for authenticating a user. Authentication tokens operate
by challenge/response, time-based code sequences, or other techniques. This may
include paper-based lists of
one-time passwords.
- authenticator
-
the means used to confirm the identity or to verify the eligibility of a
station, originator, or individual. The standard authenticators are something
you have, something you are, or something you know. Sometimes referred to as
authentication information.
- authenticity
-
the property of being genuine and able to be verified and be trusted. It is
important, in security, not to assume too much about authenticity. For example,
authentication of identity does not prove anything
about the motives, competency, or activities of the individual so identified.
Checksumming of a program verifies that it has not changed, but does not prove
that it was not originally intended to be malicious. See also
authenticate,
authentication,
validate, verify.
- Authenticode
-
Microsoft's security system for ActiveX controls as
active Web content, and other program verification. A
digital signature system, Authenticode verifies
only that the code has not changed since it was signed, and that the certificate
used to sign the code was originally issued by the
certificate authority. Authenticode does not provide for any
sandbox restrictions, and, at the time of writing, most
systems and applications using Authenticode do not have any
certificate revocation capabilities.
- authorization
-
the granting of access or other rights to a user, program,
or process
- AV
-
an abbreviation used to distinguish the antiviral research community (AV) from
those who call themselves "virus researchers" but who are primarily interested
in writing and exchanging viral programs (vx). Also an abbreviation for
antivirus software. See also
vx.
- availability
-
the state when the system, resources, and data are in the place needed by the
user, at the time the user needs them, and in the form needed by the user.
Availability is one of the
three pillars of security.
-B-
- back door
-
see backdoor
- backdoor
-
a hidden software or hardware mechanism that can be triggered to permit system
protection mechanisms to be circumvented. The function will generally provide
unusually high, or even full, access to the system either without an account or
from a normally restricted account. It is activated in some innocent-appearing
manner; for example, a key sequence at a terminal. Invocation of the backdoor
can also be done by sending a specific packet to a network port; see
RAT. Software developers often introduce backdoors in their
code to enable them to reenter the system and perform certain functions; see
maintenance hook. The backdoor is sometimes left in a fully developed system
either by design or accident. Synonymous with trap door, which was formerly the
preferred usage. Usage back door is also very common.
- background task
-
a task executed by the system that generally remains invisible to the user. Most
processes in advanced or multi-user systems operate in the background. Some
malware is executed by a system as a background task so the user does not
realize unwanted actions are occurring. Many attacks often take advantage of
loopholes in utility processes operating in the background.
- backup
-
n. a duplicate copy of data made for archiving purposes or for protecting
against damage or loss
v. the process of creating duplicate data. Some programs back up data files
while maintaining both the current version and the preceding version on disk.
However, a backup is not considered secure unless it is stored away from the
original, and so removable media is preferred.
- backup plan
-
procedure for maintaining backups of system and user data. See
contingency plan,
differential backup,
full backup,
incremental backup.
- bait
-
in virus detection, a file which is deliberately exposed to
be infected
- bastion host
-
a system that has been hardened to resist attack and which
is installed on a network in such a way that it is expected to come under
attack. Bastion hosts are often components of
firewalls, or may be web servers or public access
systems connected to an untrusted or public network. A
honeypot is often a bastion host with additional
audit and alerting functions.
- bacterium
-
a specialized form of virus which does not attach to a
specific file. Usage obscure.
- bait
-
usually used in reference to a file, this refers to a virus
infection target of initially known characteristics. In
order to trap file infectors which insist on larger
files, a string of null characters of arbitrary length is often used. Floppy
disks are, of course, used as bait for boot sector viruses
but the term is not often used in that way. Another name for bait files is goat
or sacrificial goat files.
- behaviour monitor
-
see activity monitor
- behaviour blocker
-
see operation restrictor
- Bell-La Padula model
-
a formal state transition model of computer security policy that describes a set
of access control rules. In this formal model, the entities in a computer system
are divided into abstract sets of subjects and objects. The notion of a
secure state is defined, and it is proven that each state transition preserves
security by moving from secure state to secure state, thereby inductively
proving that the system is secure. A system state is defined to be "secure" if
the only permitted access modes of subjects to objects are in accordance with a
specific security policy. In order to determine whether or
not a specific access mode is allowed, the clearance of a subject is compared to
the
classification of the object, and a determination
is made as to whether the subject is authorized for the specific access mode.
More specifically, Bell-La Padula is concerned with
confidentiality. Subjects in the model are
forbidden from obtaining (reading) information from an object of higher
classification, and forbidden from divulging (writing) information to an object
of lower classification. See star property (*-property)
and
simple security property.
- benign
-
a somewhat careless term often used to describe a
virus which appears not to be intentionally malicious in
that it does not carry an obviously damaging "payload" code section. Since viral
programs may cause problems simply by the use of system resources or the
modification of files, many are of the opinion that a good virus is impossible.
- benign environment
-
a nonhostile environment that may be protected from external hostile elements by
physical, personnel, and procedural security countermeasures.
- between-the-lines entry
-
unauthorized access obtained by tapping the temporarily inactive terminal of a
legitimate user. See
hijacking,
piggyback.
- beyond A1
-
a level of trust defined by the DoD Trusted Computer System Evaluation Criteria
(TCSEC) that is beyond the technology available at the time
the criteria were developed. It includes all the A1-level features plus
additional ones not required at the A1 level.
- bimodal virus
-
see multipartite
- biometric
-
pertaining to the measurement of the human body: in security terms, relating to
means of authentication based on patterns unique
to an individual's body, such as fingerprints, voiceprint, retinal patterns, and
other such physical measures
- BIOS
-
Basic Input/Output System, the "hardwired" firmware programming used to start
the boot process in
ISA/Wintel computers. The BIOS is located in the
ROM area of the system and is usually stored permanently.
There are many BIOS versions in ISA/Wintel computers, but they generally assume
the operating system will be interrupt-driven (as MS-DOS is), and start to set
up structures to support that model. Since boot
sector infectors run before the operating system starts, and require only
the BIOS programming, they are sometimes called BIOS viruses, although the term
can create confusion and should be avoided. Some computers now use EEPROM
(Electrically Erasable Programmable Read Only Memory) and at least one virus
now tries to erase such "flash" BIOS programming. Otherwise, however, BIOS
cannot be infected or corrupted by a virus.
- black hat
-
communities or individuals who either attempt to break into computer systems
without prior authorization, or who explore security primarily from an
attack perspective. The term originates from old American western genre
movies where the "good guys" always wore white hats and the "bad guys" always
wore black. See also
white hat.
- block cipher
-
a crypto-algorithm that
encrypts data in discrete blocks of a given size,
rather than as a continuous stream of bits. Compare with
stream cipher.
- boot
-
to start (a cold boot) or reset (warm boot) the computer. The term arises from
the phrase "bootstrap program," and the idea of lifting oneself by one's own
bootstraps, or starting with no support.
- boot record
-
the program recorded in the first physical or logical sector mounted on the disk
drive, and containing programming to be used to help get the computer to a
usable state. Most commonly used in connection with
ISA or Wintel computers, where there are actually two boot
records: the master boot record (dealing with
disk and hardware structure), and the
system boot record (containing pointers to
operating system files). See also
boot sector.
- boot sector
-
generically, the first sector, or sectors, on any disk, usually containing
programming necessary for the boot process. In
ISA or Wintel computers, the term is not well defined, although it is
generally accepted to be the
system boot record, and thus the first
physical sector on floppy diskettes and the first logical sector on hard disks.
For precision in dealing with security issues and concerns, it is best to refer
specifically to the
master boot record or system boot record.
- *boot sector infector (BSI)
-
a virus that places its starting code in the boot sector,
thus being run before any programming, including the operating system. A BSI is
able to take control of interrupts and machine functions, and may be able to
subvert some protection and detection measures, and is also considered to be a
virus of the base computer hardware, rather than the operating system. In
ISA computers, when MS-DOS was the dominant operating system and before
widespread use of public networks for data transfer, BSIs were the most
successful form of virus, and were considered to be
BIOS viruses. Some BIOS boot sector infectors occupied the
master boot record, while others inhabited the
system boot record: in most cases the
displaced record was moved to an unused sector of the disk so that control could
be passed to it once the virus had run, and thus the computer would appear to
have a normal boot process. Aka boot sector virus, BSV.
- boot sector virus
-
see boot sector infector
- Brain
-
almost certainly the first virus written in the MS-DOS
computing environment which became widespread among normal computer users. An
example of a "strict"
boot sector infector and the earliest known
use of stealth virus programming. Sometimes referred to
as "Brain (C)" or "(C) Brain" due to the presence of the string "(C) 1986 Brain"
in the body of the virus. (Many books and articles use the copyright symbol
instead of the "(C)" string, but the copyright symbol does not appear in the
body of the virus.)
- *British Standard 7799 (BS7799)
-
a standard code of practice and guidance on how to secure an information system,
as well as the management framework, objectives, and control requirements for
information security management systems. Part of the input for the
Common Criteria.
- browsing
-
the act of searching through storage to locate or acquire information without
necessarily knowing of the existence or the format of the information being
sought.
- brute force
-
an attack methodology whereby all possible options are
used in turn, usually in a programmed sequence attempting to use all possible
passwords or
decryption keys. See also
dictionary attack.
- BS7799
-
see British Standard 7799
- BSI
-
see boot sector infector
- BSV
-
see boot sector infector
- buffer overrun
-
common program logic error in which input is not checked for length. Excessive
input may overrun the memory allotted and, if not discarded, may create a
situation where the program can be forced to execute arbitrary code or switch
operation control to an arbitrary location.
- bug
-
an unintentional fault, generally in program logic, that may make a system fail
or behave in unexpected ways, and, in any case, causes actions that neither the
programmer nor the user planned. Common examples of bugs are
buffer overruns,
loopholes, or
maintenance hooks left in place when a project
is complete.
Computer mythology credits Grace Murray Hopper with the invention of the term
"bug," but it was known to have been used in engineering circles in the
nineteenth century, and Hopper herself referred to the "[f]irst actual case of
bug being found" in a machine. The "moth in the Mark II," and its subsequent use
as an excuse to Howard Aiken when he asked why the machine was not "makin'
numbers," may have been the origin of the use of "debugging" as a verb. The bug
can be seen online courtesy of the
Smithsonian Institution.
- business continuity plan (BCP)
-
plan and preparations directed towards either the immediate recovery of systems
critical to the function of the business, or to the ability of the business to
operate in the temporary absence of important systems
-C-
- call back
-
a procedure for identifying a remote terminal. In a call back, the host system
disconnects the caller and then dials the authorized telephone number of the
remote terminal to reestablish the connection. Of limited use for remote access,
and recently subject to failure because of call forwarding technologies.
Synonymous with dial back.
- capability
-
a protected identifier that both identifies the
object and specifies the access
rights to be allowed to the accessor who possesses the capability. In a
capability-based system, access to protected objects such as files is granted if
the would-be accessor possesses a capability for the object.
- category
-
a restrictive label that has been applied to
classified or
unclassified data as a means of increasing the
protection of the data and further restricting access to the data
- cavity virus
-
a type of overwriting virus that overwrites
either slack space within or behind the target program file, or sections of null
data within the file, such that it can infect the host file without increasing
the length of the file while also preserving the host's functionality. Usage
rare.
- CERT
-
the Computer Emergency Response Team established at the Software Engineering
Institute (SEI) of Carnegie-Mellon University after the 1988 Internet worm
attack. Recently the preferred reference has been CERT/CC (Computer Emergency
Response Team Coordination Center). CMU has apparently obtained exclusive use of
the name CERT, and recommends that other emergency teams style themselves as
CIRTs (Computer Incident Response Teams).
- certificate
-
a digitally signed statement that contains
information about an entity and the entity's
public key
- *certificate revocation list (CRL)
-
a document maintained and published by a certification authority (CA)
that lists
certificates issued by the CA that are no longer
valid
- certification
-
the comprehensive evaluation of the technical and nontechnical security features
of a system and other
safeguards, made in support of the
accreditation process, that establishes the extent
to which a particular design and implementation meet a specified set of security
requirements.
- *certification authority
(CA)
-
a central authority for key management in an overall system for the use of
asymmetric
encryption known as a public key infrastructure, or
PKI. Certification authority, for some reason, is generally capitalized, and
is usually referred to by the acronym CA. CA may refer to an individual office
or server, but a single CA is usually part of a hierarchy, and certification
authority may refer to the entire hierarchy as well.
- *Challenge
Handshake Authentication Protocol (CHAP)
-
a peer entity authentication method for PPP (Point
to Point Protocol), using a randomly-generated challenge and requiring a
matching response that depends on a
cryptographic hash of the challenge and a secret
key.
- challenge/response
-
a security procedure in which one communicator requests
authentication of another communicator, and the
latter replies with a response based on data provided by the first. The concepts
of
challenge/response,
initialization vector,
nonce, and salt, are closely related.
Challenge/response is generally used in regard to password and authentication
schemes, initialization vector to block ciphers, nonce to short, automated
network messages, and salt to password storage.
- change detection
-
antiviral software which looks for changes in the
computer system. A virus must change something, and it is
assumed that program files, disk system areas and certain areas of memory should
not change. This software is very often referred to as integrity checking
software, but it does not necessarily protect the integrity of data, nor does it
always assess the reasons for a possibly valid change. Change detection using
strong encryption is sometimes also known as
authentication software.
- CHAP
-
see Challenge Handshake Authentication Protocol
- checksum
-
a calculation based on the content of data, which, if performed at one time and
then compared against the same calculation at a later time, can be used to
determine if the content of the data has changed. In its strictest form, a
checksum is a calculation based upon adding up all the bytes or 1-bits in a file
or message: Parity bits in asynchronous transmission are a form of checksum. The
term is sometimes carelessly used to refer to all forms of
change detection or
authentication that rely on some form of
calculation based upon file contents, such as
cyclic redundancy checking (CRC).
- chosen-ciphertext attack
-
a cryptanalysis technique in which the analyst
tries to determine the key from knowledge of
plaintext that corresponds to
ciphertext selected or dictated by the analyst
- chosen-plaintext attack
-
a cryptanalysis technique in which the analyst
tries to determine the key from knowledge of
ciphertext that corresponds to
plaintext selected or dictated by the analyst
- CHRISTMA exec
-
a specific example of a viral type of email message, the earliest known script
email virus, using the REXX scripting language. This
message was released in December of 1987. The user was asked to type "CHRISTMA"
in order to generate an electronic Christmas card, but was not told that the
program also made, and mailed, copies of itself during the display. (Within the
virus research community the form "CHRISTMA EXEC" is used almost universally.
The more correct form is "CHRISTMA exec", since REXX scripts were referred to as
"execs" to distinguish them from the earlier EXEC language in IBM mainframes.)
- CIAC
-
see Computer Incident Advisory Capability
- *cipher block chaining
(CBC)
-
a method of operating a symmetric
block cipher that uses feedback to combine
previously generated ciphertext with new
plaintext to avoid repeating patterns
- cipher
-
a cryptographic algorithm for
encryption and
decryption
- cipher block chaining (CBC)
-
a block cipher mode that enhances
electronic codebook mode by chaining together
blocks of ciphertext it produces. This mode operates
by combining (exclusive OR-ing) the algorithm's ciphertext
output block with the next plaintext block to form the
next input block for the algorithm.
- *cipher feedback (CFB)
-
a block cipher mode that enhances
electronic codebook mode by chaining together
the blocks of ciphertext it produces and operating on
plaintext segments of variable length less than or equal to the block
length. This mode operates by using the previously generated ciphertext segment
as the algorithm's input (i.e., by "feeding back" the ciphertext) to generate an
output block, and then combining (exclusive OR-ing) that
output block with the next plaintext segment (block length or less) to form the
next ciphertext segment.
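The three modes described above (electronic codebook, CBC and CFB), added as a worked example that is not from the glossary: the toy 8-byte block function is a constructed stand-in with no security value, so that the chaining itself can be followed byte by byte.

```python
# Added example: ECB, CBC and CFB chaining over a toy 8-byte block cipher.
# The block function (XOR with the key, then rotate one byte) is a constructed
# stand-in with no security value; only the mode logic is of interest.

BLOCK = 8  # block length in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block function: XOR the block with the key, then rotate left one byte."""
    assert len(key) == BLOCK and len(block) == BLOCK
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: rotate right one byte, then XOR with the key."""
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Electronic codebook: each block is enciphered independently, so
    identical plaintext blocks give identical ciphertext blocks."""
    assert len(pt) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Cipher block chaining: XOR each plaintext block with the previous
    ciphertext block (the IV for the first block) before enciphering."""
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Decipher each block, then XOR with the previous ciphertext block."""
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes, seg: int = 1) -> bytes:
    """Cipher feedback with seg-byte segments: encipher the shift register,
    XOR its leading seg bytes with the plaintext segment, then shift the
    resulting ciphertext segment into the register. No padding is needed."""
    out, reg = [], iv
    for i in range(0, len(pt), seg):
        keystream = toy_block_encrypt(key, reg)[:seg]
        c = xor(pt[i:i + seg], keystream)
        out.append(c)
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes, seg: int = 1) -> bytes:
    """Decryption feeds back the same ciphertext segments, so it only ever
    uses the block function's forward direction."""
    out, reg = [], iv
    for i in range(0, len(ct), seg):
        keystream = toy_block_encrypt(key, reg)[:seg]
        c = ct[i:i + seg]
        out.append(xor(c, keystream))
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)


def demo() -> dict:
    """Constructed inputs: a repeating plaintext to contrast ECB with CBC,
    and an odd-length message for CFB with 1-byte and 4-byte segments."""
    key, iv = b"K3yK3yK3", b"InitVec!"
    repeating = b"ATTACKAT" * 3
    message = b"a message of any length"

    def distinct_blocks(ct: bytes) -> int:
        return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})

    cbc = cbc_encrypt(key, iv, repeating)
    cfb1 = cfb_encrypt(key, iv, message)
    cfb4 = cfb_encrypt(key, iv, message, seg=4)
    return {
        "ecb_distinct_blocks": distinct_blocks(ecb_encrypt(key, repeating)),
        "cbc_distinct_blocks": distinct_blocks(cbc),
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == repeating,
        "cfb1_roundtrip": cfb_decrypt(key, iv, cfb1) == message,
        "cfb4_roundtrip": cfb_decrypt(key, iv, cfb4, seg=4) == message,
        "cfb_length_preserved": len(cfb1) == len(message) == len(cfb4),
    }
```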
- ciphertext
-
an apparently random string of data, conveying little or no information to an
unauthorized entity, but from which an original message or
plaintext can be extracted by means of an appropriate key
and algorithm
- ciphertext-only attack
-
a cryptanalysis technique in which the analyst
tries to determine the key solely from knowledge of
intercepted ciphertext (although the analyst may also
know other clues, such as the
cryptographic algorithm, the language in
which the plaintext was written, the subject matter of
the plaintext, and some probable plaintext words.)
- classification
-
(1) a grouping of classified information to which a hierarchical, restrictive
security label is applied to increase protection of the data.
(2) the level of protection that is required to be applied to that information.
See also security level.
- classified
-
refers to information that is formally required by a security policy to be given
data confidentiality service and to be marked with a security label to indicate
its protected status. The term is mainly used in government, especially in the
military, and particularly in the US Department of Defense. See also
unclassified.
- client
-
a system entity that requests and uses a service provided by another system
entity
- client-server
-
a model of network operation where services and resources are requested by the
client and fulfilled by the server. The significance to security is that
security policy should be (but is not always) enforced by the server. In
peer-to-peer models of networking a more complex security model must generally
be implemented.
- closed security environment
-
an environment in which both of the following conditions hold true:
(1) application developers (including maintainers) have sufficient
clearances and authorizations to provide an acceptable presumption that they
have not introduced malicious logic.
(2) configuration control provides
sufficient
assurance that applications and the equipment are
protected against the introduction of malicious logic prior to and during the
operation of system applications.
- cluster virus
-
a virus that makes a change to disk or directory structure
data such that when a valid program is invoked, the virus is run first. Because
the data to be changed was very small, it could be made very rapidly, affecting
large numbers of files in a short space of time, and therefore these viruses
were sometimes called fast infectors. Aka FAT virus (after the MS-DOS
File Allocation Table directory structure),
sector virus,
system virus.
- CMOS
-
stands for complementary metal oxide semiconductor. This is a technology that is
used in a form of memory which can be held in the computer, while the main power
is off, with low power battery backup. CMOS memory is used in MS-DOS/BIOS/ISA
computers to hold small tables of information regarding the basic hardware of
the system. Since the memory is maintained while the power is off, there is a
myth that viruses can hide in the CMOS. (CMOS memory is too
small, and the contents are never executed as a program.) Also, when the battery
power fails, the computer is temporarily unusable. This is often attributed,
falsely, to viral activity.
- code
-
(1) in computer terminology, refers to either human (source) or machine (object)
readable programming or fragments thereof. Since
viruses, before they attach to a host program, are not
complete programs, they are often referred to as code to distinguish them from
programs which are complete in themselves.
(2) a system of symbols used to represent information, which might originally
have some other representation. This is often seen as synonymous with
cipher or
encryption, but codes usually have fixed meaning
relations, rather than an algorithmic transformation of data.
- Code Red
-
the first variant of a family that possibly included the almost equally well
known Nimda. Code Red infected Internet servers running the
Microsoft IIS (Internet Information Server) software, and used a known bug in
that program to infect new machines. Probably due to the popularity of the IIS
server on low maintenance sites, Code Red infected approximately 350,000
machines within nine to thirteen hours. Despite this success, Code Red was never
as dangerous as it was made out to be, and was definitely a
media virus.
- cold site
-
in
business continuity planning or
disaster recovery planning, an alternate
site with necessary electrical and communications connections and computer
equipment, but no running system, maintained by an organization to facilitate
prompt resumption of service after a disaster. See also
warm site,
hot site.
- commercial
-
programs which are sold either directly from the manufacturer or through normal
retail channels, as opposed to shareware. Users are often told to "buy only
commercial" as a defence against
virus infections or other types of
malware. In fact, there is very little risk of obtaining viruses from
shareware, and there are many known instances of viral programs infecting
commercial software. In terms of other forms of malware, it is often proposed
that the number of serious bugs in any new commercial software may rival the
number of
trojan programs released in any given period of time. See
also freeware,
public domain,
open source, and
shareware.
- Common Criteria
-
an attempt to harmonize the various national security standards and security
philosophies. See
Common Criteria
for Information Technology Security.
- Common Criteria
for Information Technology Security
-
more completely the Common Criteria for Information Technology Security, the
Common Criteria is a standard for evaluating information technology products and
systems, such as operating systems, computer networks, distributed systems, and
applications. It states requirements for security functions and for assurance
measures. Canada, France, Germany, the Netherlands, the United Kingdom, and the
United States (NIST and NSA) began developing this standard in 1993, based on
the European ITSEC, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC),
and the U.S. "Federal Criteria for Information Technology Security" (FC) and its
precursor, the
TCSEC. Version 2.1 of the Criteria is equivalent to ISO's
International Standard 15408 (I15408). The standard addresses
confidentiality,
integrity, and
availability and focuses on threats to information.
- communications security (COMSEC)
-
measures taken to deny unauthorized persons information derived from
telecommunications of the U.S. Government concerning national security, and to
ensure the authenticity of such telecommunications. Communications security
includes cryptosecurity, transmission security, emission security, and physical
security of communications security material and information.
- companion virus
-
a type of virus which does not actually attach to another
program, but which interposes itself into the chain of command, so that the
virus is executed before the infected program. Most often, this is done by using
a similar name and the rules of program precedence to associate itself with a
regular program. Also referred to as a spawning virus.
- compartment
-
a class of information that has need-to-know access controls beyond those
normally provided for access to Confidential, Secret or Top Secret information.
- compartmented security mode
-
see modes of operation.
- compensation control
-
see controls
- compressed executable
-
a program file which has been compressed to save disk space, and automatically
returns to executable form when invoked. Because compression appears to be a
form of encryption, programs which are infected with a virus
before being compressed, or those which contain other forms of
malware, may hide the infection from scanning
software. See also archive,
self-extracting.
- compromise
-
(v) to perform an action not in accordance with the
security policy, or to cause a system to do so.
(n) A violation of the security policy of a system such that unauthorized
disclosure of sensitive information may have occurred.
- compromising emanations
-
unintentional data-related or intelligence-bearing signals that, if intercepted
and analyzed, disclose the information transmission received, handled, or
otherwise processed by any information processing equipment. See
TEMPEST.
- computer abuse
-
the misuse, alteration, disruption or destruction of data processing resources.
The key aspect is that it is intentional and improper.
- computer cryptography
-
the use of a crypto-algorithm in a computer,
microprocessor, or microcomputer to perform
encryption or
decryption in order to protect information or to
authenticate users, sources, or information. US government or military term.
- computer forensics
-
originally the full means of obtaining legal evidence from computers and
computer use, computer forensics has now apparently limited itself to recovery
of data from computers and computer media. Computer forensics has therefore
become only one part of
digital forensics.
- computer fraud
-
computer-related crimes involving deliberate misrepresentation, alteration or
disclosure of data in order to obtain something of value (usually for monetary
gain). A computer system must have been involved in the perpetration or coverup
of the act or series of acts. A computer system might have been involved through
improper manipulation of input data; output or results; applications programs;
data files; computer operations; communications; or computer hardware, systems
software, or firmware.
- *Computer
Incident Advisory Capability (CIAC)
-
a computer emergency response team in the U.S. Department of Energy, this group
is widely known for a series of highly regarded messages and postings about
security vulnerabilities
- computer security audit
-
an independent evaluation of the controls employed to ensure appropriate
protection of an organization's information
assets. A formal security audit has goals and procedures
somewhat different from the normal and ongoing
audit process.
- computer security subsystem
-
a device designed to provide limited computer security features in a larger
system environment.
- Computer Security Technical Vulnerability Reporting Program
(CSTVRP)
-
a program that focuses on technical vulnerabilities in commercially available
hardware, firmware and software products acquired by the US DoD. CSTVRP provides
for the reporting, cataloging, and discreet dissemination of technical
vulnerability and corrective measure information to DoD components on a
need-to-know basis.
- computer viral program
-
Rob Slade's own invention. In an attempt to avoid the fights over what
constitutes a "true" virus, he uses the term "viral" to refer to
self-reproducing programs regardless of other distinctions. So far, he's gotten
away with it.
- concealment system
-
a method of achieving confidentiality in which sensitive information is hidden
by embedding it in irrelevant data. See also
steganography.
- Concept
-
probably the first Microsoft
Word macro virus, and certainly the first macro virus to be
successful
in the wild
- confidentiality
-
the concept of holding sensitive data in confidence, limited to an appropriate
set of individuals or organizations. Confidentiality is considered one of the
three pillars of security.
- configuration control
-
the process of controlling modifications to the system's hardware, firmware,
software, and documentation that provides sufficient
assurance that the system is protected against the
introduction of improper modifications prior to, during, and after system
implementation. Compare
configuration management.
- configuration management
-
the management of security features and assurances through control of changes
made to a system's hardware, software, firmware, documentation, test, test
fixtures and test documentation throughout the development and operational life
of the system. Compare
configuration control.
- confinement
-
the prevention of the leaking of sensitive data from a program.
- confinement channel
-
for some reason, synonymous with
covert channel.
- confinement property
-
see star property (*-property).
- contamination
-
(1) the intermixing of data at different sensitivity and need-to-know levels.
The lower level data is said to be contaminated by the higher level data; thus,
the contaminating (higher level) data may not receive the required level of
protection.
(2) similarly for data of varying integrity or
corruption
- contingency plan
-
a plan for emergency response, backup operations, and post-disaster recovery
maintained by an activity as a part of its security program that will ensure the
availability of critical resources and facilitate the continuity of operations
in an emergency situation. Synonymous with disaster plan and emergency plan. See
also
disaster recovery plan and
business continuity plan.
- control zone
-
the space, expressed in feet of radius, surrounding equipment processing
sensitive information, that is under sufficient (primarily) physical and
(possibly) technical control to preclude an unauthorized entry or compromise.
- controlled access
-
see access control
- controlled sharing
-
the condition that exists when access control is
applied to all users and components of a system
- controls
-
controls are an important, but strangely ill-defined, area of security, very
similar to safeguards and
countermeasures, used to prevent failures of
integrity,
availability, and
confidentiality. Controls are grouped and
discussed in a number of not quite orthogonal ways. One way of dividing controls
(sometimes referring to categories) examines administrative (policies,
procedures, etc.), physical (locks, guards, etc.), and technical (encryption,
network auditing, etc.) controls. Another way of classifying (sometimes
referring to types) surveys preventative/preventive (deterring and blocking an
event), detective (determining and investigating an event), corrective
(restoring and recovering from an event), deterrent (increasing perceived risk
to an attacker), recovery (restoring lost resources), and compensation
(provision of redundancy or other means to counteract loss of resources).
Access control is considered to be a special case, but may also be
considered preventative/preventive and technical controls. However, access
controls could also be considered administrative and deterrent controls. As you
can see, these divisions are not always clear.
- cookie
-
(1) a small piece of data originally intended to maintain state between Web
browser accesses to a site. (HTTP [HyperText Transfer Protocol] 1.0 did not
provide for persistent connections.) Because the data is stored on the user's
computer, and because it is possible to store the data in such a way as to allow
it to be world readable, careless setting of cookies, or the ubiquitous presence
of an entity on many Web sites, may create a situation where a user's
privacy is at risk.
(2) the term has been used to indicate some form of
authentication information or ticket, and is
specifically used for a piece of data in the
ISAKMP security association negotiation, but these usages
are relatively rare
- core wars
-
a computer game in which two or more programs attempt to destroy each other
inside a real or simulated computer. Originally played with real programs in the
earliest timesharing computers and inspired by the operations of rogue programs
in early multi-tasking machines. Often discussed in connection with the battle
between malicious software and protective software developers. Core Wars (capitalized)
is now a standardized game using a simulated machine language called Redstone
code (or redcode).
- corrective control
-
see controls
- cost-benefit analysis
-
the assessment of the costs of providing data protection for a system versus the
cost of losing or compromising the data. Sometimes also known as cost-risk
analysis.
- countermeasure
-
any action, device, procedure, technique, or other measure that reduces the
vulnerability of or threat to a system. See also
safeguard.
- covert channel
-
a communications channel that allows two cooperating processes to transfer
information in a manner that violates the system's security
policy. More specifically, a means of information leaking
from a system via a channel not normally considered a communications medium.
Synonymous with confinement channel.
- covert storage channel
-
a covert channel that involves the direct or indirect writing of a storage
location by one process and the direct or indirect reading of the storage
location by another process. Covert storage channels typically involve a finite
resource (e.g., sectors on a disk) that is shared by two
subjects at different security levels.
- covert timing channel
-
a covert channel in which one process signals information to another by
modulating its own use of system resources (e.g., CPU time) in such a way that
this manipulation affects the real response time observed by the second process.
- crab
-
originally "crabs" was a prank program on Macintosh and Atari computers which
erased the screen display by having graphical crabs "eat" it. An obscure usage
refers to malicious software which erases screen displays. (There are very few
examples of this.)
- cracker
-
someone who tries to break the security of, and gain access to, someone else's
system without being invited to do so. This is, of course, an attempt to avoid
the controversial usage of
hacker. See also
adversary and
intruder.
- CRC
-
see cyclic redundancy check
- critical
-
(1) a condition of a service or other system resource such that denial of access
to, or lack of availability of, that resource would
jeopardize a system user's ability to perform a primary function or would result
in other serious consequences
(2) each extension of an X.509 certificate (or CRL) is marked as being either
critical or non-critical. If an extension is critical and a certificate user (or
CRL user) does not recognize the extension type or does not implement its
semantics, then the user is required to treat the certificate (or CRL) as
invalid.
- CRL
-
see certificate revocation list
- *crossover error rate (CER)
-
if the false acceptance rate and
false rejection rate are graphed as the
sensitivity of a security system is varied,
false acceptance will start off at a high value
and fall, whereas false rejection will start off
with a low value and climb. The point at which the graph of the FAR crosses that
of the FRR is the crossover error rate, and is generally considered to be a
reasonable overall measure of the accuracy of a system. (It is easy to
demonstrate situations where the CER is not the best measure or setting for a
system.)
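Added example, not from the glossary: FAR and FRR computed over constructed matcher scores as the acceptance threshold is swept, locating the crossover, and, as the parenthetical notes, choosing a threshold from a maximum-FAR policy instead. Score values and the 0 to 100 threshold sweep are constructed.

```python
# Added example: FAR, FRR and the crossover error rate from constructed
# matcher scores. A higher score means a closer match; the "sensitivity"
# being varied is the acceptance threshold.

GENUINE_SCORES = [60, 65, 70, 72, 75, 80, 85, 90, 92, 95]   # constructed: legitimate users
IMPOSTOR_SCORES = [10, 20, 30, 35, 40, 45, 50, 55, 62, 68]  # constructed: impostors


def far_frr(genuine, impostor, threshold):
    """A score at or above the threshold is accepted.
    FAR = fraction of impostors accepted; FRR = fraction of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor, thresholds):
    """Sweep the threshold and return (threshold, error rate) where FAR and FRR
    are closest. With a coarse sweep the two curves may not meet exactly, so the
    mean of FAR and FRR at that threshold is reported as the CER."""
    best = None
    for t in thresholds:
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """Policy-driven alternative to the CER: the lowest threshold whose FAR does
    not exceed max_far, together with the FRR that choice costs. Returns None if
    no threshold in the sweep satisfies the policy."""
    for t in thresholds:
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None
```

For these scores the curves cross at a threshold of 65 with 10% error each way, while a zero-FAR policy pushes the threshold to 70 at the cost of rejecting 20% of genuine users.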
- cryptanalysis
-
the science that deals with analysis of a
cryptographic system in order to gain knowledge
needed to break or circumvent the protection that the system is designed to
provide. In some cases this would be conversion of
ciphertext to
plaintext, but in other cases it might involve forging
of digital signatures or
certificates. The basic cryptanalytic attacks on
encryption systems are
ciphertext-only,
known-plaintext,
chosen-plaintext, and
chosen-ciphertext; and these generalize to the
other kinds of cryptography. See also
cryptology.
- crypto
-
formerly widely used as an abbreviation for
cryptography,
cryptographic,
cryptology, or even
encryption, this term probably should not be used
because of the potential for misunderstanding.
- *cryptographic
algorithm
-
a well-defined procedure or sequence of rules or steps used to produce a key
stream or ciphertext from
plaintext and vice versa. Older usage is
crypto-algorithm.
- cryptographic checksum
-
a one-way function applied to a file to produce a unique "fingerprint" of the
file for later reference. Often part of the process of creating a
digital signature.
- cryptographic key
-
see key
- cryptography
-
the principles, means and methods for rendering information unintelligible, and
for restoring encrypted information to intelligible form. Literally, hidden
writing.
- cryptology
-
a slightly more general field than
cryptography, cryptology includes
cryptanalysis, or code breaking, as well as code
making
- cryptoperiod
-
the time span during which a particular key is authorized to
be used in a
cryptographic system, an aspect of key management.
Aka key lifetime and validity period.
- cryptosecurity
-
the security or protection resulting from the proper use of technically sound
cryptosystems.
- cryptosystem
-
a complete and functional system for
cryptography, including a sound
crypto-algorithm, provisions for the required
functions of the system, and proper key choice and management
- *cyclic redundancy check
(CRC)
-
a version of change detection which performs
calculation on the data in a file or message as a matrix. This can detect
multiple or subtle changes which ordinary
checksum calculations miss. Also used extensively in
data communications for ensuring the integrity of file transfers.
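An added example (not the glossary's own) covering both the checksum and the cyclic redundancy check entries: a strict additive checksum, CRC-32 via zlib, and a cryptographic checksum run over a constructed record and three tampered copies of it, showing which changes each technique catches.

```python
import hashlib
import zlib


def additive_checksum(data: bytes) -> int:
    """Checksum in the strict sense: the sum of all byte values, kept to 16 bits.
    Any change that preserves the byte sum (a transposition, or +1 here and -1
    there) goes unnoticed."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """CRC-32 as used in zip, PNG and Ethernet: polynomial division over the
    data, which catches reorderings and compensating changes a plain sum misses
    (every error burst of 32 bits or less is guaranteed to be detected)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_fingerprint(data: bytes) -> str:
    """Cryptographic checksum: sums and CRCs detect accidental change, but both
    are linear and offer no protection against deliberate tampering; a one-way
    hash (or, with a key, a MAC) is what integrity assurance needs."""
    return hashlib.sha256(data).hexdigest()


def detects_change(original: bytes, modified: bytes) -> dict:
    """Report which of the three techniques notices that the data changed."""
    return {
        "additive": additive_checksum(original) != additive_checksum(modified),
        "crc32": crc32(original) != crc32(modified),
        "sha256": sha256_fingerprint(original) != sha256_fingerprint(modified),
    }


# Constructed sample record and three tampered versions of it.
ORIGINAL = b"PAY alice AMOUNT: 100"
SWAPPED = b"PAY alice AMOUNT: 010"      # two adjacent bytes transposed: same byte sum
COMPENSATED = b"PAY alice AMOUNT: 1/1"  # one byte -1, its neighbour +1: same byte sum
SINGLE = b"PAY alice AMOUNT: 900"       # a single byte changed
```

Run against the constructed records, the additive checksum misses the first two tampered copies while CRC-32 and SHA-256 flag all three.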
- cypherpunk
-
a community of users and developers dedicated to creating systems for anonymous
communications and network access. Since the cypherpunk community is generally
opposed to any invasion of privacy or any form of surveillance, the law
enforcement community generally perceives them in a negative light.
Unfortunately there does seem to be a relation between certain segments of the
cypherpunk community and some groups engaged in software piracy and other forms
of intellectual property theft.
-D-
- DAC
-
Discretionary Access Control
- DAME
-
Dark Avenger's Mutation Engine. See MtE.
- Dark Avenger
-
the pseudonym of a Bulgarian virus writer thought to be responsible for the
"Eddie" family of viral programs (among others) and the
polymorphic code known as the
MtE
- data diddling
-
this term generally refers to an activity that makes small, random, or
incremental changes to information, rather than complete erasure of files or
purposeful changing of data. Use of this term is not recommended since the
phrase is vague and not well defined.
- *Data Encryption
Algorithm (DEA)
-
a symmetric block cipher,
defined as part of the US government's
Data Encryption Standard. Generally
speaking, in US government systems, there will be an algorithm which is the
mathematical engine, and a standard which is the fully working implementation.
- *Data Encryption
Standard (DES)
-
a cryptographic algorithm for the protection of unclassified data, published in
US Federal Information Processing Standard (FIPS) 46. The DES, which was
approved by the National Institute of Standards and Technology, was intended for
public and government use. A stronger version is provided by
triple DES (or 3DES), which comes in a variety of forms. The grand old DES
algorithm is no longer the officially sanctioned standard, and will soon be
replaced by the Advanced Encryption Standard (AES).
- data flow control
-
synonymous with
information flow control
- data integrity
-
the property that data meet an a priori expectation of quality
- data security
-
the protection of data from unauthorized (accidental or intentional)
modification, destruction, or disclosure
- *DDoS
-
Distributed Denial of Service. A form of network
denial of service (DoS)
attack in which a master computer controls a number of
client computers to flood the target (or victim) with traffic, using
backdoor agent, client, or zombie software on a number of client machines. The master
computer will attempt to control these machines and coordinate an attack on a
target. The master computer never contacts the target directly, and the large
number of zombie machines multiplies the force of the attack. The zombie program
is generally distributed as some form of trojan horse,
although zombies may be installed if control has already been obtained by means
of a RAT. Usage of the acronym, DDoS, in preference to the
full phrase is almost universal.
- DEA
-
see Data Encryption Algorithm
- deception
-
to present false or forged identity or
authentication in order to break
security policy. See also
social engineering, and
spoofing.
- decipher
-
see decryption
- declassification
-
an administrative decision or procedure to remove or reduce the security
classification of the object or information
- decryption
-
the process of extracting an original message, or
plaintext, from a
ciphertext by the application of an appropriate
key and algorithm
- dedicated security mode
-
see modes of operation
- default account
-
a system login account that has been predefined in a manufactured system to
permit initial access when the system is first put into service. Sometimes, the
default user name and password are the same in each copy of the system. In any
case, when the system is put into service, the
default password should immediately be changed or the default account should
be disabled.
- default classification
-
a temporary classification reflecting the highest classification being processed
in a system. The default classification is included in the caution statement
affixed to the object.
- default password
-
the password on system administration or service accounts when a system is
shipped from the manufacturer. Failing to change default passwords or
default accounts is a major security risk.
- defense in depth
-
a security approach whereby each system on the network is secured to the
greatest possible degree, using layers of defences whereby penetrations
successful at one point will be caught by another
- degauss
-
to reduce magnetic flux density to zero by applying a reverse magnetizing field.
Degaussing destroys information on magnetic media: hence the warning not to
store backup floppies by sticking them to your computer with a magnet.
- degausser
-
an electrical device that can generate a magnetic field for the purpose of
degaussing magnetic storage media
- delayed disclosure
-
a form of vulnerability
disclosure in which information about the
vulnerability is not released to the general public until it has first been made
known to the product vendor
- DES
-
see Data Encryption Standard
- denial of service (DoS)
-
any action or series of actions that prevent any part of a system from
functioning in accordance with its intended purpose. This includes any action
that causes unauthorized delay of service. More specifically, DoS refers to an
action which does not destroy data or resources, but prevents access or use. In
network operations, flooding a node or link with traffic is an effective form of
denial of service. This form of malicious attack is
particularly suited to viruses where no data is actually
erased or corrupted but where system resources are occupied to the extent that
normal service is restricted. The
CHRISTMA exec did not corrupt data, but occupied
mail links to the point where normal transfers could not take place. The
Internet Worm did not erase files, but multiple copies of the process
eventually meant almost all processing was devoted to the Worm. Modern Internet
DoS attacks typically try to flood a machine with TCP SYN (synchronization)
requests from forged, non-existent source addresses, leaving it with a queue of
half-open connections that never complete. Not to be confused with DOS, which
stands for Disk Operating System, and particularly the MS-DOS operating system
and its variants.
Synonymous with interdiction. Usage of the phrase, denial of service, or the
acronym (DoS) is inconsistent, although there is a slight preference for the
full phrase in order to avoid confusion with DOS.
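The following is an added example, not part of this glossary, showing the detection side of the SYN flood described above: it runs over constructed packet summaries (timestamp, source, destination, TCP flags) of the kind a detector would take from a capture or flow log, and counts SYNs that are never followed by the client's handshake-completing ACK. The addresses, timings and the threshold are assumptions chosen for the sample data.

```python
from collections import defaultdict


def build_sample_packets():
    """Constructed traffic: two well-behaved clients, then a spoofed SYN flood.
    Each record is (time_seconds, src_ip, dst_ip, tcp_flags)."""
    pkts = []
    for t, src in ((0.00, "10.0.0.5"), (0.20, "10.0.0.6")):
        pkts.append((t, src, "192.0.2.10", "S"))          # client SYN
        pkts.append((t + 0.01, src, "192.0.2.10", "A"))   # final ACK of the handshake
    # Flood: 300 SYNs within 0.3 s from forged sources that never answer.
    for i in range(300):
        pkts.append((1.0 + i * 0.001, f"198.51.100.{i % 254 + 1}", "192.0.2.10", "S"))
    return pkts


def half_open_syns(packets, window=1.0):
    """Per destination and per `window`-second bucket, count SYNs that were not
    followed by an ACK from the same source within the window."""
    flows = defaultdict(list)
    for t, src, dst, flags in packets:
        flows[(src, dst)].append((t, flags))
    buckets = defaultdict(int)
    for (src, dst), events in flows.items():
        events.sort()
        for i, (t, flags) in enumerate(events):
            if flags != "S":
                continue
            completed = any(f == "A" and t < t2 <= t + window
                            for t2, f in events[i + 1:])
            if not completed:
                buckets[(dst, int(t // window))] += 1
    return dict(buckets)


def detect_syn_flood(packets, window=1.0, threshold=100):
    """Return sorted (dst, bucket_start_time, half_open_count) for every bucket
    whose half-open SYN count exceeds the threshold."""
    alerts = [(dst, b * window, n)
              for (dst, b), n in half_open_syns(packets, window).items()
              if n > threshold]
    return sorted(alerts)


if __name__ == "__main__":
    for dst, start, n in detect_syn_flood(build_sample_packets()):
        print(f"possible SYN flood against {dst}: {n} half-open SYNs from t={start:.0f}s")
```

Counting per source-destination flow rather than per packet is what separates a flood from a busy but legitimate server: real clients complete the handshake, spoofed ones cannot because the SYN-ACK goes to an address that does not exist.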
- Descriptive Top-Level Specification (DTLS)
-
a top-level specification that is written in a natural language (e.g., English),
an informal design notation, or a combination of the two
- Designated Approving Authority (DAA)
-
the official who has the authority to decide on accepting the security
safeguards prescribed for an AIS or that official who may be
responsible for issuing an accreditation statement
that records the decision to accept those
safeguards. US government or military.
- deterrent control
-
see controls
- detective control
-
see controls
- dial back
-
synonymous with call back
- dial-up
-
the service whereby a computer terminal can use the telephone to initiate and
effect communication with a computer or network
- dictionary attack
-
a version of a brute force attack, refined by the
assumption that, for example, passwords are more likely to be real words rather
than random character strings, and so trying only words found in a dictionary
file, or other common source
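An added example, not from this glossary, of a dictionary attack against a constructed list of salted SHA-256 password hashes. The shadow entries, the five-word wordlist and the mangling rules are assumptions; real attacks use multi-million-entry wordlists and the rule engines of tools such as hashcat or John the Ripper. The contrast with the exhaustive search space shows why restricting guesses to likely words is such a large refinement.

```python
import hashlib
import string


def hash_password(password: str, salt: str) -> str:
    # Plain salted SHA-256 stands in for the victim's hashing scheme.  It is
    # fast, which is what makes guessing cheap; a slow KDF (bcrypt, scrypt,
    # Argon2) would raise the cost of every guess.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "shadow" entries: (username, salt, hash).  The first three
# passwords are dictionary words with common mangling; the last is random.
SHADOW = [
    ("alice", "s1", hash_password("sunshine", "s1")),
    ("bob",   "s2", hash_password("Dragon1", "s2")),
    ("carol", "s3", hash_password("password!", "s3")),
    ("dave",  "s4", hash_password("x7Q#p9vL", "s4")),
]

# Tiny constructed wordlist; real ones hold millions of entries.
WORDLIST = ["password", "dragon", "sunshine", "letmein", "qwerty"]


def mangle(word: str):
    """Cheap rules mimicking how people alter dictionary words."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "!", "123"):
            yield base + suffix


def dictionary_attack(shadow, wordlist):
    """Try every mangled wordlist entry against each hash.
    Returns ({user: password}, number of hashes computed)."""
    cracked, guesses = {}, 0
    for user, salt, digest in shadow:
        for word in wordlist:
            for candidate in mangle(word):
                guesses += 1
                if hash_password(candidate, salt) == digest:
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked, guesses


def brute_force_space(length: int,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> int:
    """Number of candidates an exhaustive search of `length` characters must cover."""
    return len(alphabet) ** length


if __name__ == "__main__":
    found, n = dictionary_attack(SHADOW, WORDLIST)
    print(f"cracked {len(found)} of {len(SHADOW)} with {n} hashes: {found}")
    print(f"brute force of 8 printable characters: {brute_force_space(8):,} candidates")
```

Three of the four hashes fall in a few dozen guesses; the random password survives because it is not derivable from any wordlist entry, and the only remaining route is the full search space. The salt forces the attacker to hash each candidate separately per user instead of once for the whole list.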
- differential backup
-
a backup process that copies only such items that have
been changed since the last full backup. A
differential backup plan requires only the last full backup and the latest
differential backup for complete restoration. See also
incremental backup.
- Diffie-Hellman algorithm (DH)
-
a public key (asymmetric) algorithm primarily used for
secure key exchange
- digest
-
a piece of data of specific length, calculated from a file or message, in such a
way that there is a high probability that any change to the original will result
in a change to the digest. Usually part of a
digital signature. Also known as hash or
message digest. See also
cryptographic checksum.
- digital forensics
-
sometimes known as digital forensic research or digital forensic science, this
has recently become the umbrella term for all forms of research and analysis of
computers and computer use directed at obtaining evidence of intrusion, attack,
or wrongdoing. The First Digital Forensic Research Workshop defined digital
forensic science as "[t]he use of scientifically derived and proven methods
toward the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence derived from
digital sources for the purpose of facilitating or furthering the reconstruction
of events found to be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations." Three major fields of digital
forensics are
computer forensics,
forensic programming, and
network forensics.
- digital signature
-
a piece of information generated by
cryptographic methods, whereby it can be
demonstrated that an original message or file has not been deliberately altered
or accidentally corrupted, and that the
identity of the originator of the file can be
authenticated
- *Digital Signature
Algorithm (DSA)
-
an asymmetric
cryptographic algorithm that produces a
digital signature in the form of a pair of large numbers. Used in the
Digital Signature Standard.
- *Digital Signature
Standard (DSS)
-
US government standard that specifies the
Digital Signature Algorithm (DSA).
- digital watermarking
-
computing techniques for inseparably embedding unobtrusive marks or labels as
bits in digital data--text, graphics, images, video, or audio--and for detecting
or extracting the marks later. The set of embedded bits (the digital watermark)
is sometimes hidden, usually imperceptible, and always intended to be
unobtrusive. Depending on the particular technique that is used, digital
watermarking can assist in proving ownership, controlling duplication, tracing
distribution, ensuring data integrity, and performing other functions to protect
intellectual property rights. See also
steganography.
- direct action virus
-
a virus that immediately loads itself into memory, infects
other files, and then unloads itself from memory
- disaster plan
-
synonymous with contingency plan
- disaster recovery plan (DRP)
-
a plan and preparations directed towards the resumption of business and the
recovery of systems after catastrophic loss of important systems. A disaster
recovery plan is generally concerned with longer time frames than a
business continuity plan. Sometimes also
referred to as a business resumption plan.
- disclosure
-
(1) the act of providing access to specific information, usually without
restriction
(2) relating to a philosophical debate about the value or necessity of making
information about security
vulnerabilities or
exploits publicly available. Proponents of
full disclosure would state that the information,
including full details and possibly working exploit code to demonstrate the
problem, needs to be made available to everyone in order to ensure that anyone
charged with security provision has access to it, and to force vendors to face
up to the fact that the problem exists. Proponents of non-disclosure insist that
making information available means that it is made available to those who would
use it to attack systems. Most would recommend some form of partial disclosure,
such as making the information available to the vendor for a month before
publishing a warning about the existence of the problem. See also
limited disclosure,
delayed disclosure,
security by obscurity.
- discretionary access control (DAC)
-
a means of restricting access to objects based on the
identity and need-to-know of the user, process and/or groups to which they
belong. The controls are discretionary in the sense that a
subject with a certain access permission is capable of
passing that permission (perhaps indirectly) on to any other subject. Compare
mandatory access control.
- disinfection
-
in virus work, the term can mean either the disabling of a
virus's ability to operate, the removal of virus code, or the return of the
system to a state identical to that prior to
infection. Since these definitions can differ
substantially in practice, discussions of the ability to disinfect an infected
system can be problematic. Disinfection is the means users generally prefer to
use in dealing with virus infections, but the safest means of dealing with an
infection is to delete all infected objects and replace
with safe files from backup.
- disk compression
-
real time compression and decompression of files on disk in order to effectively
increase disk space. (Disk compression programs typically promise to double the
size of the hard disk and are sometimes known as disk doublers.) Because
compression transforms the bytes actually stored, scanning a compressed disk
without the compression software running will typically hide viruses
and other
malware from a scanner, since their signatures no longer appear in the raw data. Disk
compression is less of an issue of late given the drop in prices for large
capacity disks.
- Distributed Denial of Service (DDoS)
-
a denial of service attack mounted simultaneously from many
hosts, usually compromised machines under an attacker's control, so that the
traffic cannot be stopped by blocking a single source. Almost universally
referred to by its acronym, DDoS.
- DNS spoofing
-
assuming the DNS (Domain Name System) name of another system by either
corrupting the name service cache of a victim system, or by compromising a
domain name server for a valid domain
- *DoD
Trusted Computer System Evaluation Criteria (TCSEC)
-
a document published by the US National Computer Security Center containing a
uniform set of basic requirements and evaluation classes for assessing degrees
of assurance in the effectiveness of hardware and
software security controls built into systems. These criteria were intended for
use in the design and evaluation of systems that would process and/or store
sensitive or classified data. This document is US Government Standard DoD
5200.28-STD and is frequently referred to as "The Orange Book." It was one of
the standards that went into the production of the
Common Criteria.
- domain
-
the unique context (e.g., access control parameters) in which a program is
operating; in effect, the set of
objects that a subject has the
ability to access. Should not be confused with the domain names used in Internet
addressing. See process and
subject.
- dominate
-
security level S1 is said to dominate security level S2 if the hierarchical
classification of S1 is greater than or equal to that of S2 and the
nonhierarchical categories of S1 include all those of S2 as a subset
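An added example, not part of this glossary, implementing the dominance relation above on security levels made of a ranked classification plus a set of non-hierarchical categories. The classification names, their ranks and the category labels are assumptions. Because dominance is only a partial order, the example also shows two levels that are incomparable, and the least upper bound a system would assign to data combined from both; the read and write checks are the Bell-La Padula rules, which are stated in terms of this relation.

```python
from dataclasses import dataclass

# Hierarchical classifications, ranked.  Names and ranks are assumptions.
CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset = frozenset()   # non-hierarchical compartments

    def dominates(self, other: "Level") -> bool:
        """S1 dominates S2 iff class(S1) >= class(S2) and every category of S2
        is also a category of S1."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and other.categories <= self.categories)


def comparable(a: Level, b: Level) -> bool:
    """Dominance is a partial order: two levels may be incomparable."""
    return a.dominates(b) or b.dominates(a)


def least_upper_bound(a: Level, b: Level) -> Level:
    """Smallest level dominating both: higher classification, union of categories."""
    cls = max(a.classification, b.classification, key=CLASSIFICATIONS.__getitem__)
    return Level(cls, a.categories | b.categories)


def may_read(subject: Level, obj: Level) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def may_write(subject: Level, obj: Level) -> bool:
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


if __name__ == "__main__":
    ts_nuc = Level("TOP SECRET", frozenset({"NUC"}))
    s_nuc_crypto = Level("SECRET", frozenset({"NUC", "CRYPTO"}))
    print("TS/NUC dominates S/NUC,CRYPTO?", ts_nuc.dominates(s_nuc_crypto))       # False
    print("comparable?", comparable(ts_nuc, s_nuc_crypto))                          # False
    print("least upper bound:", least_upper_bound(ts_nuc, s_nuc_crypto))
```

The incomparable pair is the point practitioners most often get wrong: a TOP SECRET subject holding only the NUC category cannot read SECRET data that also carries CRYPTO, because the category check fails regardless of how high the classification is.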
- dongle
-
a portable, physical, electronic device that is required to be attached to a
computer to enable a particular software program to run. A form of
authentication token.
- DoS
-
see denial of service
- DOS
-
Disk Operating System. Generally any computer operating system, though currently
often used as shorthand for Microsoft's MS-DOS or the related PC-DOS and DR-DOS.
Not to be confused with DoS (denial of service).
- *DMZ
-
de-militarized zone, originally an area between two opposing armies or nations,
not used by either side, and stripped of any cover in order to avoid penetration
attempts by either side. (Similar to "no man's land" in World War One.) Now
frequently used to describe a buffer area, physical or logical, between two
layers of control in a defence in depth
system. In particular, a firewall architecture where
internal company networks are separated from publicly accessible servers, such
as Web servers, which are themselves separated from the public Internet by
another firewall.
- dropper
-
a program, not itself infected, that will install a
virus on a computer system. Virus authors often use droppers
to seed their creations
in the wild, particularly in the case of
boot sector infectors. The term injector
may refer to a dropper that installs a virus only in memory.
- DSA
-
see Digital Signature Algorithm
- DSS
-
see Digital Signature Standard
- DTLS
-
see Descriptive Top-Level Specification
- dual homed host
-
a system that has two or more network interfaces, each of which is connected to
a different network. In firewall configurations, a dual homed host usually acts
to block or filter some or all of the traffic trying to pass between the
networks. Sometimes called dual homed gateway.
- dual infector
-
see multipartite
-E-
- easter egg
-
an undocumented function in a program, generally intended as a
prank or treat to frequent users. Easter eggs range greatly
in scope from mildly amusing error messages to the full implementation of a kind
of flight simulator that appeared in one version of Microsoft's Excel
spreadsheet program. Opinion regarding easter eggs varies, from those who see
them as simply harmless jokes to those who consider the more complex inclusions
to be
trojan horses. In general, however, the practice of
including easter eggs and other undocumented code in programs is detrimental to
strict security.
- eavesdropping
-
passive wiretapping done secretly, i.e., without the knowledge of the originator
or the intended recipients of the communication
- ECB
-
see electronic codebook
- economy of mechanism
-
the principle that each security mechanism should be designed to be as simple as
possible, so that the mechanism can be correctly implemented and so that it can
be verified that the operation of the mechanism enforces the containing system's
security policy
- EICAR
-
European Institute of Computer Anti-Virus Research. See also
EICAR Standard Antivirus Test File.
- EICAR Standard Antivirus Test
File (EICAR)
-
In conjunction with several antivirus software companies, EICAR has developed a
test file for antivirus software. This text file consists of one line of 68
printable characters; if saved as EICAR.COM, it can be executed and displays the
message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" This provides an easily
reproducible executable file that many antiviral developers have agreed to
detect with their programs. It thus affords a safe and simple way of testing
whether an antiviral scanner is operating without using a real virus. The actual
string is:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- *El Gamal algorithm
-
an algorithm for asymmetric
cryptography, invented in 1985 by Taher El Gamal,
that is based on the difficulty of calculating discrete logarithms and can be
used for both
encryption and
digital signatures
- *electronic codebook (ECB)
-
a block cipher mode that uses no feedback. Identical
blocks of plaintext are transformed into identical
ciphertext blocks, so repetition and structure in the plaintext remain visible
in the ciphertext. Considered the weakest block cipher mode.
- *elliptic curve
cryptography (ECC)
-
a type of asymmetric
cryptography based on mathematics of groups that are
defined by the points on a curve. The most efficient implementation of ECC is
claimed to be stronger per bit of key than any other known form of asymmetric
cryptography. ECC can be used to define both an algorithm for key agreement that
is an analog of
Diffie-Hellman and an algorithm for digital
signature that is an analog of the Digital Signature Algorithm.
- emanations
-
see compromising emanations
- embedded system
-
a system that performs or controls a function, either in whole or in part, as an
integral element of a larger system or subsystem
- emergency plan
-
synonymous with contingency plan
- emission security
-
the protection resulting from all measures taken to deny unauthorized persons
information of value that might be derived from intercept and from an analysis
of
compromising emanations from systems
- *Encapsulating
Security Payload (ESP)
-
an Internet IPsec protocol (RFC 2406, since superseded by RFC 4303) designed to
provide a mix of security services--especially data confidentiality service--in the
Internet Protocol. See also
Authentication Header. ESP may be used
alone, or in combination with the IPsec AH protocol, or in a nested fashion with
tunneling. The ESP header is encapsulated by the IP header, and the ESP header
encapsulates either the upper layer protocol header (transport mode) or an IP
header (tunnel mode). ESP can provide confidentiality service, origin
authentication service, connectionless data integrity service, an anti-replay
service, and limited traffic flow confidentiality.
- encrypted virus
-
a virus whose code begins with a decryption algorithm and
continues with scrambled or encrypted code for the remainder of the virus. Each
time it infects, a different encryption key is chosen in order to avoid
providing a consistent scan string to use as a signature.
Through this method, the virus tries to avoid detection by antivirus software.
The term "encrypted virus" is a loose one, and seldom used in the antiviral
research community. More rigorously, the term self-encryption is used, as a
specific type of polymorphic activity.
- encryption
-
the process of transforming a message, or
plaintext, into apparently random noise, or
ciphertext, such that the message can be extracted by
those in possession of an appropriate
key, but is difficult or impossible to extract by
unauthorized parties. Also, the process of placing a coffin in a mausoleum - GJS
per ME.
- end-to-end encryption
-
the protection of information passed in a telecommunications system by
cryptographic means, from point of origin to point of destination, provided by
encrypting data when it leaves its source, leaving it encrypted while it passes
through any intermediate computers (such as routers), and decrypting only when
the data arrives at the intended destination. When two points are separated by
multiple communication links that are connected by one or more intermediate
relays, end-to-end encryption enables the source and destination systems to
protect their communications without depending on the intermediate systems to
provide the protection.
- Endorsed Tools List (ETL)
-
the list of formal verification tools endorsed by the NCSC for the development
of systems with high levels of trust. US government and military.
- entrapment
-
the deliberate planting of apparent flaws in a system for the purpose of
detecting attempted penetrations. See
honeypot,
pseudo flaw.
- environment
-
the aggregate of external procedures, conditions, and
objects that affect the development, operation, and
maintenance of a system
- ephemeral key
-
a key that is relatively short-lived, see
session key
- erasure
-
a process by which a signal recorded on magnetic media is removed. Erasure is
accomplished in two ways: (1) by alternating current erasure, by which the
information is destroyed by applying an alternating high and low magnetic field
to the media; or (2) by direct current erasure, by which the media are saturated
by applying a unidirectional magnetic field. Deleting a file, particularly under
a desktop operating system, does not necessarily erase the contents of the file.
- ESP
-
see Encapsulating Security Payload
- Evaluated Products List (EPL)
-
a list of equipment, hardware, software, and/or firmware that have been
evaluated against, and found to be technically compliant, at a particular level
of trust, with the US DoD TCSEC by the NCSC. The EPL is
included in the National Security Agency Information Systems Security Products
and Services Catalogue, which is available through the Government Printing
Office. US government and military.
- executive state
-
one of several states in which a system may operate and the only one in which
certain privileged instructions may be executed. Such instructions cannot be
executed when the system is operating in other (e.g., user) states. Synonymous
with supervisor state.
- exploit
-
a specific attack, or the code or technique, used to take advantage of a
particular loophole or weakness in security measures.
Sometimes used loosely as a synonym for
exposure, although strictly the exposure is the
weakness and the exploit is the means of taking advantage of it.
- exploitable channel
-
any information channel that is usable or detectable by
subjects external to the trusted computing base whose
purpose is to violate the security policy of the system. See
covert channel.
- exposure
-
a particular weakness or vulnerability to a
specific attack. Also, the measure of
risk to a particular threat.
-F-
- fail safe
-
pertaining to the automatic protection of programs and/or processing systems to
maintain safety when a hardware or software failure is detected in a system
- fail soft
-
pertaining to the selective termination of affected nonessential processing when
a hardware or software failure is detected in a system. The term "graceful
degradation" is sometimes used.
- failure access
-
an unauthorized and usually inadvertent access to data resulting from a hardware
or software failure in the system
- failure control
-
the methodology used to detect and provide
fail safe or
fail soft recovery from hardware and software failures
in a system
- false acceptance
-
an error condition where a subject,
object, or operation is accepted as valid, when it should
have been rejected as invalid, incorrect, or a
compromise of the
security policy. Also known as a Type II error.
See also
false rejection,
false negative,
crossover error rate.
- *false acceptance rate
(FAR)
-
a measure of the accuracy of a security safeguard, expressed as a proportion or
percentage of the number of
false acceptance, or Type II, errors against the
total number of events. See also
crossover error rate.
- false alarm
-
see false rejection,
false positive
- false negative
-
there are two types of false reports from
antiviral software. A false negative report is when an
antiviral reports no viral activity or presence, when there is a
virus present. References to false negatives are usually only made in
technical reports. Most people simply refer to an antiviral "missing" a virus. A
false negative is more generally known in the security community as a
false acceptance, or a Type II error.
- false positive
-
the second kind of false report that an
antiviral can make is to report the activity or
presence of a virus when there is, in fact, no virus. False
positive has come to be very widely used among those who know about viral and
antiviral programs. Very few use the analogous term, "false alarm." A false
positive is more generally known in the security community as a
false rejection, or a Type I error.
- false rejection
-
an error condition where a subject,
object, or operation which should be accepted as valid, is
rejected as invalid, incorrect, or a
compromise of the
security policy. Also known as a Type I error.
See also
false acceptance,
false positive, and
crossover error rate.
- false rejection rate (FRR)
-
a measure of the accuracy of a security safeguard, expressed as a proportion or
percentage of the number of
false rejection, or Type I, errors against the
total number of events. See also
crossover error rate.
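An added example, not from this glossary, computing the false acceptance rate, false rejection rate and crossover error rate of a threshold-based matcher. The two score lists are constructed stand-ins for the output of a biometric or other comparator (genuine attempts by the enrolled person, and impostor attempts); the 0 to 100 scale and the threshold sweep are assumptions.

```python
# Constructed comparator scores on a 0..100 scale; higher means a stronger match.
GENUINE  = [92, 88, 85, 81, 79, 76, 74, 71, 69, 66, 64, 58]   # same person as enrolled
IMPOSTOR = [61, 57, 55, 52, 49, 47, 44, 42, 40, 36, 31, 25]   # different person


def far(threshold: int, impostor=IMPOSTOR) -> float:
    """False acceptance rate (Type II): impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine=GENUINE) -> float:
    """False rejection rate (Type I): genuine users whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold; return (threshold, rate) where FAR and FRR are
    closest.  That rate is the crossover error rate."""
    best = None
    for t in range(0, 101):
        fa, fr = far(t, impostor), frr(t, genuine)
        if best is None or abs(fa - fr) < best[0]:
            best = (abs(fa - fr), t, (fa + fr) / 2)
    return best[1], best[2]


def threshold_for_max_far(max_far: float, impostor=IMPOSTOR) -> int:
    """Lowest threshold whose FAR does not exceed max_far.  Raising the
    threshold trades false acceptances for false rejections."""
    return next(t for t in range(0, 101) if far(t, impostor) <= max_far)


if __name__ == "__main__":
    t, rate = crossover()
    print(f"crossover at threshold {t}: FAR={far(t):.3f} FRR={frr(t):.3f} CER={rate:.3f}")
    strict = threshold_for_max_far(0.0)
    print(f"zero FAR needs threshold {strict}, costing FRR={frr(strict):.3f}")
```

The crossover point is where the two error types are equal; pushing the threshold above it buys security (fewer false acceptances) at the price of usability (more false rejections), which is why a vendor's single "accuracy" figure is meaningless without the threshold it was measured at.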
- fan out
-
in terms of incident response, a system whereby
each person notified of the incident has the responsibility to call additional
personnel, thus speeding the contact process. It should be noted that provision
should be made for
redundancy in such a system in order to prevent
situations where a failure at one point would prevent contact of an entire
segment of the team.
- fast burner
-
a virus, usually email or network based, that spreads
around the world within hours. Melissa and
Loveletter are considered the prototypical fast burners. The original
Internet Worm and
Code Red certainly spread around the world within hours,
but only created tens or hundreds of thousands of copies, whereas true fast
burners are generally measured in the millions.
- fast infector
-
originally this referred to a virus that infected any
program file opened, even if the program was not executed. Later viruses were
able to search for and infect files even if they were not opened, so the
distinction became meaningless. This term is seldom used in virus research any
longer.
- FAT virus
-
see cluster virus
- fault
-
a condition that causes a device or system component to fail to perform in a
required manner
- fetch protection
-
a system-provided restriction to prevent a program from accessing data in
another user's segment of storage
- *File Allocation Table
(FAT)
-
this is an MS-DOS specific term for that area of system information on the disk
which refers to the physical areas of the disk which are taken up by files or
portions of files. Certain viral programs are said to take over a file pointer
without affecting directory information by manipulating FAT information. This is
not quite accurate, and most researchers tend to prefer the use of the term
cluster virus or
system virus.
- file infector
-
a virus which attaches itself to, or associates itself
with, a file, usually a program file. File infectors most often append or
prepend themselves to regular program files, or overwrite program code. The file
infector class is often also used to refer to programs which do not physically
attach to files but associate themselves with program filenames. See also
system virus,
companion virus.
- file protection
-
the aggregate of all processes and procedures in a system designed to inhibit
unauthorized access, contamination, or elimination of a file
- file security
-
the means by which access to computer files is limited to authorized users only
- filtering router
-
an internetwork router that selectively prevents the passage of data packets
according to a security policy. A filtering
router may be used as a firewall or part of a firewall.
A router usually receives a packet from a network and decides where to forward
it on a second network. A filtering router does the same, but first decides
whether the packet should be forwarded at all, according to some security
policy. The policy is implemented by rules (packet filters) loaded into the
router. The rules mostly involve values of data packet control fields,
especially IP source and destination addresses and TCP port numbers.
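An added example, not part of this glossary, of the rule evaluation a filtering router performs: an ordered list of rules matched first-hit on ingress interface, protocol, source and destination address and destination port, followed by a default deny. The address ranges, the web server at 192.0.2.10, the policy and the sample packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    iface: str                   # interface the packet arrives on: "outside" or "inside"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        return (self.iface == pkt["iface"]
                and self.proto in ("any", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


# Constructed policy for a site using 192.0.2.0/24 with a web server at 192.0.2.10.
RULES = [
    # Anti-spoofing: our own addresses must never arrive from the outside.
    Rule("deny",   "outside", "any", "192.0.2.0/24", "0.0.0.0/0"),
    # Public services reachable from anywhere.
    Rule("permit", "outside", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("permit", "outside", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    # Internal hosts may initiate anything outbound.
    Rule("permit", "inside",  "any", "192.0.2.0/24", "0.0.0.0/0"),
]


def filter_packet(pkt: dict, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (default deny).
    Returns (action, index of the matching rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed packets as the router would summarise them.
SAMPLE_PACKETS = [
    {"iface": "outside", "proto": "tcp",  "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80},
    {"iface": "outside", "proto": "tcp",  "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22},
    {"iface": "outside", "proto": "tcp",  "src": "192.0.2.55",  "dst": "192.0.2.10", "dport": 80},
    {"iface": "inside",  "proto": "udp",  "src": "192.0.2.55",  "dst": "198.51.100.53", "dport": 53},
    {"iface": "outside", "proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(filter_packet(pkt), pkt)
```

Two details matter more than the individual rules: the anti-spoofing rule comes first, so a packet claiming an internal source address on the outside interface is dropped before any permit can match it, and the fall-through is deny, so a service that was never explicitly opened (SSH on port 22 here) stays closed.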
- firewall
-
a secured system passing and examining traffic between an internal trusted
network and an external untrusted network such as the Internet. Firewalls can be
used to detect, prevent, or mitigate certain types of network
attack. See also
application level gateway,
proxy server.
- firmware
-
computer programs and data stored in hardware--typically in read-only memory
(ROM) or programmable read-only memory (PROM)--such that the programs and data
cannot be dynamically written or modified during execution of the programs. An
important exception is flash EEPROM which can be rewritten in some
circumstances. See also
BIOS.
- FIRST
-
see Forum of Incident
Response and Security Teams
- flaw hypothesis methodology
-
a systems analysis and penetration technique in which specifications and
documentation for the system are analyzed and then flaws in the system are
hypothesized. The list of hypothesized flaws is then prioritized on the basis of
the estimated probability that a flaw exists and, assuming a flaw does exist, on
the ease of exploiting it, and on the extent of control or compromise it would
provide. The prioritized list is used to direct a penetration attack against the
system. This is similar to scenario based planning.
- flow control
-
see information flow control
- forensic programming
-
originally from the field of computer virus research,
forensic programming involves the analysis of code for evidence of intent,
program identity, or authorship. Outside of virus research, forensic programming
is often referred to as code analysis, although code analysis may be limited to analysis
of source code, whereas forensic programming frequently deals with object code
when object code is the only evidence available. One of the major divisions of
digital forensics.
- formal access approval
-
documented approval by a data owner to allow access to a particular category of
information
- formal proof
-
a complete and convincing mathematical argument, presenting the full logical
justification for each proof step, for the truth of a theorem or set of theorems
- formal security policy model
-
a mathematically precise statement of a
security policy. To be adequately precise, such a
model must represent the initial state of a system, the way in which the system
progresses from one state to another, and a definition of a "secure" state of
the system. To be acceptable as a basis for a TCB, the model
must be supported by a formal proof that if the initial state of the system
satisfies the definition of a "secure" state and if all assumptions required by
the model hold, then all future states of the system will be secure. Some formal
modeling techniques include: state transition models, denotational semantics
models, and algebraic specification models. See
Bell-La Padula model and
security policy model.
- Formal Top-Level
Specification (FTLS)
-
a top-level specification that is written in a formal mathematical language to
allow theorems showing the correspondence of the system specification to its
formal requirements to be hypothesized and formally proven
- formal verification
-
the process of using formal proofs to demonstrate the consistency between a
formal specification of a system and a formal security policy model (design
verification) or between the formal specification and its high level program
implementation (implementation verification)
- *Forum
of Incident Response and Security Teams (FIRST)
-
an international consortium of CSIRTs (Computer Security Incident Response
Teams) that work together to handle computer security incidents and promote
preventive activities. FIRST was founded in 1990 and, as of September 1999, had
nearly 70 members spanning the globe. It attempts to provide members with
technical information, tools, methods, assistance, and guidance; coordinate
proactive liaison activities and analytical support; encourage development of
quality products and services; improve national and international information
security for government, private industry, academia, and the individual; and
enhance the image and status of the CSIRT community.
- forward secrecy
-
for a key agreement protocol based on
asymmetric
cryptography, the property that ensures that a
session key derived from a set of long-term public
and
private keys will not be compromised if one of the
private keys is compromised in the future. The term "perfect forward secrecy" is
frequently used in this regard, but is not defined precisely. The term
"public-key forward secrecy" (suggested by Hilarie Orman) is probably more
accurate, but, because of the various terms using the phrase "forward secrecy"
it is the phrase defined in this glossary. There are also discussions of
"backward" security, but there does not seem to be agreement on whether this
refers to a weakening of a private key if the derived session key is
compromised, or if a compromise of one session key weakens session keys used
previously. Systems that derive every session key from a single long-term
secret do not have this property, since compromise of that secret exposes every
session, past and future.
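An added example, not part of this glossary, that serves the Diffie-Hellman, ephemeral key and forward secrecy entries together: the same key agreement run once with the parties' long-term (static) DH keys and once with fresh ephemeral keys, followed by a later compromise of Alice's long-term private key. The group (the prime 2**255 - 19 with generator 2) is an assumption chosen so the arithmetic is cheap but not trivial; real deployments use the RFC 3526 or RFC 7919 groups or elliptic-curve DH, and authenticate the ephemeral values with the long-term keys, which this example omits.

```python
import hashlib
import secrets

# Toy group: an assumption for illustration, not a recommended parameter set.
P = 2**255 - 19
G = 2


def keypair():
    """Private exponent and public value g^priv mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(my_priv: int, their_pub: int) -> bytes:
    """Session key derived from the DH shared secret (their_pub)^my_priv mod p."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def run_session(ephemeral: bool):
    """One key agreement between Alice and Bob, then a later compromise of
    Alice's long-term private key.  Returns (keys_agree, attacker_recovers_key)."""
    a_long, A_long = keypair()   # Alice's long-term (static) key pair
    b_long, B_long = keypair()   # Bob's
    if ephemeral:
        x, X = keypair()         # fresh per-session values; in a real protocol
        y, Y = keypair()         # the long-term keys would sign X and Y
        k_alice, k_bob = shared_key(x, Y), shared_key(y, X)
        transcript = (X, Y)      # what an eavesdropper records
        del x, y                 # ephemeral privates are erased after use
    else:
        k_alice, k_bob = shared_key(a_long, B_long), shared_key(b_long, A_long)
        transcript = (A_long, B_long)
    # Later: a_long leaks.  The attacker combines it with the recorded
    # transcript exactly as Alice would have during the session.
    attacker_key = shared_key(a_long, transcript[1])
    return k_alice == k_bob, attacker_key == k_alice


if __name__ == "__main__":
    print("static DH    : agree=%s, recovered after key leak=%s" % run_session(False))
    print("ephemeral DH : agree=%s, recovered after key leak=%s" % run_session(True))
```

With static keys the recorded transcript plus the leaked private key reproduces the session key, so every past session falls at once; with ephemeral keys the leaked long-term key gives the attacker nothing, because the exponents that produced the session key no longer exist anywhere. That is the whole content of forward secrecy.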
- freeware
-
freeware is software to which the author or developer still retains copyright
(unlike public domain) but for the use of which
there is no charge (unlike
shareware or
commercial software). There are sometimes restrictions
on the use or distribution of freeware. See also
open source.
- front-end security filter
-
a security filter, which could be implemented in hardware or software, that is
logically separated from the remainder of the system to protect the system's
integrity
- ftp
-
ftp has little to do with security at all, it has just come to be such a very
common term among those who work on the Internet that we use it a number of
times without ever defining it. ftp (almost always written in lower case:
despite the fact that it is an acronym the usage stems from the fact that UNIX
programs are generally lower case) is the file transfer protocol of the
Internet: the way to copy files between computers. It is often used as a verb,
as in "Where do I find the latest copy of DISKSECURE?" "Oh, you can ftp it from
urvax." A computer set up to provide files for all callers from anywhere on the
Internet is known as an "ftp site": more commonly now called an anonymous ftp
site, since most sites do not require the use of an established account. See
anonymous login.
- full backup
-
a backup process that makes a copy of all data and/or
software on a system, or such a copy. A full backup is the only item needed for
complete system restoration, but takes the longest to perform. See also
differential backup,
incremental backup.
- full disclosure
-
an extreme form of vulnerability
disclosure which holds that information about any
vulnerability should be released to the general public with no restrictions.
Full disclosure may also hold that announcements of vulnerabilities should be
accompanied by working
exploit code, possibly demonstrating the most dangerous
possible exploit. While full disclosure is sometimes advocated by members of the
security research community, the AV virus research community has always held
that notification of the existence of viruses is desirable, but distribution of
exploit code (working viruses) is to be extremely limited.
- functional testing
-
the segment of security testing in which the advertised security mechanisms of
the system are tested, under operational conditions, for correct operation
-G-
- generic
-
1) activity monitoring and
change detection software, since they look for
viral-like activity rather than specific
virus signatures, are often
referred to as generic antivirals.
Heuristic scanners are often included since
they are a special case of activity monitors.
2) a virus scan string which matches more than
one virus. The usefulness of generic signatures is sometimes questioned.
3) the use of error recovery or heuristic techniques for
disinfection.
- germ
-
like bacterium, this is another term for a viral program which does not directly
attach to programs. Usage obscure.
- goat
-
see bait
- granularity
-
an expression of the relative size of a data
object; e.g., protection at the file level is considered
coarse granularity, whereas protection at record or field level is considered to
be of a finer granularity
- guard
-
a processor that provides a filter between two disparate systems operating at
different security levels or between a user terminal and a data base to filter
out data that the user is not authorized to access
- guest login
-
see anonymous login
-H-
- hacker
-
originally the term meant one who was skilled in the use of computer systems,
particularly if that skill was acquired in an exploratory manner. Later, the term
evolved to be applied to those, skilled or unskilled, who break security
systems. Actually, you can determine people's level of technical expertise by
how they use the term. Someone who uses hacker as meaning expert is someone who
really does advanced technical work. Someone who uses hacker as a bad guy may
have a technical background of some type, or a technical job, but usually is
nowhere near the "cutting edge."
- hacktivism
-
system penetration or corruption with a political or social intent. The term is
considered slang, and is not carefully defined, but is generally acceptable.
- handshaking procedure
-
a dialogue between two entities (e.g., a user and a computer, a computer and
another computer, or a program and another program) used for
identification and
authentication of the entities to one another
- hardcopy
-
information or data in some fixed media. Hardcopy generally refers to a medium
that is difficult to modify, and usually in human-readable form, such as
printout on paper. Hardcopy may be the preferred form of
backup in cases where the data may need to outlast the lifetime of certain
forms of storage technology. Hardcopy is also usually preferred in many
situations for evidentiary purposes, especially in regard to presentation in
courts of law.
- hash
-
see digest
- hash function
-
an algorithm that computes a value based on a data object (such as a message or
file; usually variable-length; possibly very large), thereby mapping the data
object to a smaller data object (the
hash result) which is usually a fixed-size value. A
checksum is a very simplistic hash function. A 'good' hash function is such
that the results of applying the function to a set of values in the domain will
be evenly distributed (and apparently at random) over the range. The kind of
hash function needed for security applications is called a
cryptographic hash function, an algorithm for which
it is computationally infeasible to find (a) a data object that maps to a
pre-specified hash result (the "one-way" or preimage-resistance property), (b) a
second data object that maps to the same hash result as a given one (second-preimage
resistance), or (c) any two data objects that map to the same hash result (the
"collision-free" property).
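As an added illustration, not part of the original glossary, the following Python compares the "very simplistic hash function" of this entry, a 16-bit additive checksum, with SHA-256. For the checksum a second message with the same value can be forged at no cost; for SHA-256 the forged message hashes differently, and flipping a single input bit changes about half of the 256 output bits (the "evenly distributed" behaviour described above). The message is constructed for the example.

```python
"""Additive checksum versus cryptographic hash (SHA-256)."""
import hashlib
import itertools

# Constructed sample input for the demonstration.
MESSAGE = b"pay alice 100 dollars"


def checksum16(data: bytes) -> int:
    """The 'very simplistic hash function': the byte sum modulo 2**16."""
    return sum(data) & 0xFFFF


def forge_same_checksum(data: bytes) -> bytes:
    """Return a different message with the same checksum16.

    The checksum only sees the sum, so moving one unit from one byte to
    another keeps it unchanged. This is a second preimage, found for free,
    which is exactly what a cryptographic hash must make infeasible.
    """
    buf = bytearray(data)
    for i, j in itertools.permutations(range(len(buf)), 2):
        if buf[i] < 0xFF and buf[j] > 0x00:
            buf[i] += 1
            buf[j] -= 1
            return bytes(buf)
    raise ValueError("message too short to modify")


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sha256_bits_changed(data: bytes, bit: int = 0) -> int:
    """Flip one input bit and count how many of SHA-256's 256 output bits change.

    A good hash behaves like a random mapping, so the expected answer is about
    128: the avalanche effect behind the 'evenly distributed' requirement.
    """
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming_distance(
        hashlib.sha256(data).digest(), hashlib.sha256(bytes(flipped)).digest()
    )


def compare(data: bytes = MESSAGE) -> dict:
    """Run the comparison for one message and report the findings."""
    forged = forge_same_checksum(data)
    return {
        "forged_differs": forged != data,
        "checksum_collides": checksum16(forged) == checksum16(data),
        "sha256_collides": hashlib.sha256(forged).digest()
        == hashlib.sha256(data).digest(),
        "sha256_bits_changed": sha256_bits_changed(data),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The same weakness applies to CRC and other linear checksums: they detect accidental corruption well but give no protection against deliberate modification, which is the reason the security definitions above demand a cryptographic hash.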
- hash result
-
the output of a hash function, also known as a hash value. The output produced
by a hash function upon processing a message or file.
- help desk
-
the most common name for that person or office in an organization where users
are directed for technical support or assistance. Help desk personnel should
receive at least basic security education and training, since they will likely
receive the first reports of anomalies that may indicate an
attack or other security problem.
- heuristic
-
in antiviral terms, the examination of program code for
functions known to be associated with viral activity. In most cases this is
similar to
activity monitoring but without actually
executing the program; in other cases, code is run under some type of emulation.
There has also been a heuristic disinfection program which attempted to remove
viral infections by examination of unknown code. In more general computing
discussions, heuristic may have a meaning similar to algorithm, or it may relate
to shortcuts to solutions taken on the basis of a "best guess." Thus a
dictionary attack may be seen as a heuristic
type of brute force attack.
- heuristic scanner
-
an antiviral program which attempts to detect new or
unknown viruses or
malware by the examination of program code for functions
known to be associated with viral or malicious activity.
- Hierarchical Development
Methodology
-
a methodology for specifying and verifying the design of programs written in the
Special specification language. The tools for this methodology include the
Boyer-Moore theorem prover and the Feiertag information flow tool.
- hijacking
-
an attack whereby an active, established, session is
intercepted and used by the attacker
- HMAC
-
a keyed hash (RFC 2104) that can be based on any iterated cryptographic hash.
The goals of HMAC are to use available
cryptographic
hash functions without modification (particularly
functions that perform well in software and for which software is freely and
widely available), to preserve the original performance of the selected hash
without significant degradation, to use and handle keys in a
simple way, to have a well-understood cryptographic analysis of the strength of
the mechanism based on reasonable assumptions about the underlying hash
function, and to enable easy replacement of the hash function in case a faster
or stronger hash is found or required. There does not appear to be an official
expansion for the acronym HMAC in the RFC itself, whose title is "HMAC: Keyed-Hashing
for Message Authentication"; FIPS 198 later expanded it as Keyed-Hash Message
Authentication Code.
- hoax
-
literally, of course, a joke, fraud, or other form of spoofing. The term hoax
has developed a specific technical meaning in virus research in reference to a
form of chain letter, carrying a false warning of a non-existent virus.
Originally (1988) referred to in the research community as a metavirus, this
type of activity was more widely seen in the late 1990s in the "Good Times," "Penpals,"
"Budweiser Frogs," "Jesus Loves You," and "SULFNBK.EXE" hoaxes. Hoaxes are
characterized by a lack of technical detail and valid contact information,
references to false authorities, warnings of extreme damage that the putative
virus will cause, all upper case "SHOUTING" and exclamation marks in the text,
and frequently statements that the virus is too new or spreading too rapidly for
legitimate virus researchers to know anything about. The one universal factor in
hoaxes is the attempt to have the reader forward the message to all friends,
relatives, and contacts, which is, of course, the viral component: the hoax
message uses the user to retransmit and spread. Recent writings about hoaxes
often make use of the term "meme," using the expression first coined by Richard
Dawkins (in the book "The Selfish Gene," and derived from the word mimeme in
order to sound more like gene) for a unit of cultural transmission or imitation.
The word meme has come to be used as a sort of stand alone or quantum idea, and
therefore has led to the use of the phrase "meme virus" to mean a kind of idea
virus.
- honeypot
-
a system, or portion of a system, deliberately established to be enticing to an
intruder or system cracker. Honeypots generally have additional functionality
and
intrusion detection systems built into
them in order to gather information on the intruders. See also
entrapment.
- host-based security
-
the technique of securing an individual system from attack. Host-based security
is operating system and version dependent.
- host to front-end protocol
-
a set of conventions governing the format and control of data that are passed
from a host to a front-end machine
- hot site
-
a standby site fully configured with compatible computer and communications
equipment, ready to operate as soon as data can be loaded. Other than fully
redundant operation, the highest level provided for in a
disaster recovery plan. Compare with cold site.
- https
-
when used as the protocol specifier in the first part of a URL this term
indicates the use of HTTP carried over Secure Sockets Layer (SSL) or its successor,
Transport Layer Security (TLS), normally on port 443. It should not be confused
with S-HTTP (Secure HTTP), a separate and little-used scheme for securing
individual HTTP messages.
- hybrid encryption
-
an application of cryptography that combines two or
more encryption algorithms, particularly a combination of
symmetric and
asymmetric
encryption. Asymmetric algorithms require more
computation than equivalently strong symmetric ones. Thus, asymmetric encryption
is not normally used for data confidentiality except in distributing symmetric
keys in applications where the key data is usually short compared to the data it
protects. Probably the most widely known example of a hybrid system is
PGP.
- Hybris
-
most specialists would probably define Hybris as a
worm rather than a virus, since it
sends copies of itself as email attachments. Hybris will generally come in a
message with a coy indication that the attachment is pornography. The attachment
is often named with an .SCR extension. The extension is traditionally used to
indicate screen savers, but the file format is the same as any normal executable
Windows program. The notable feature of Hybris is that, when active, it checks
for replacement and upgrade modules on the alt.comp.virus newsgroup. Other
viruses, such as Loveletter, have attempted to
establish such a modular extension function, but Hybris extended the concept
further, and used an anonymous communications facility.
-I-
- IBM compatible
-
originally, hardware compatible with IBM mainframe systems, later hardware
and/or software compatible with IBM mainframes or minicomputers. In the 1980s,
the phrase came to be associated with compatibility with ISA
and MS-DOS (and later Windows) systems.
- ICMP flood
-
a denial of service
attack that sends a host more ICMP (Internet Control
Message Protocol) echo request ("ping") packets than the protocol implementation
can handle
- identification
-
the process that enables recognition of an entity by a system, generally by the
use of unique machine-readable user names
- impersonation
-
synonymous with spoofing
- in the clear
-
not encrypted, see cleartext and
plaintext
- *in the wild
-
initially a jargon reference to those viruses which have
been released into, and successfully spread in, the normal computer user
community and environment. It is used to distinguish those viral programs which
are written and tested in a controlled research environment, without escaping,
from those which are uncontrolled in the wild or in the field. (The term "itw"
is sometimes also used, or "ItW" in specific reference to the list of common
viruses known as the WildList.) The term is now also being used to refer to
vulnerabilities discovered and exploited by
attackers before being discovered by defenders or
researchers.
- incident
-
an occurrence that has been assessed as having an adverse effect on the security
or performance of a system. Note that this definition is somewhat vague,
particularly in regard to the level of assessment. Those from a law enforcement
background tend to see incidents in terms of attacks with (potentially)
identifiable intruders. Those from a systems administration or support
background tend to see an incident as any anomaly in the system which might
affect performance or service.
- incident response
-
the reaction, generally by a pre-designated team, to a detrimental
incident. At this time, incident response literature is
primarily concerned with the collection and preservation of evidence in a manner
appropriate for presentation in a court of law.
- incomplete parameter checking
-
a system design flaw that results when all parameters have not been fully
anticipated for accuracy and consistency, thus making the system vulnerable to
penetration
- incremental backup
-
a backup process that copies only data or changes since
the last backup of any type, or such a copy. Incremental backup is the fastest
form of backup, but restoration of the system requires not only the last
full backup, but every incremental backup since. See also
differential backup.
- individual accountability
-
the ability to associate positively the identity of a user with the time,
method, and degree of access to a system
- infectable
-
an object to which virus code can
attach or become associated with, in such a manner that invocation of the object
will also invoke the virus
- infection
-
a condition where virus code has become attached to or
associated with an object or system, in such a manner that
invocation of the object or system will also invoke the virus. An infection, on
a given system, does not take place until a virus has become active, reproduced,
or made a change to the system. A user or system may receive a virus as a file
transfer, virus infected piece of software, or email attachment, and not
necessarily become infected. So long as a user does not invoke the virus, or a
worm does not find a specific
vulnerability to exploit, the infected file may
remain dormant on the system, without the system itself becoming infected.
However, a system may also be considered infected if the virus has either placed
itself in a situation such that the operating system will activate it during a
common occurrence (such as at boot time) or if a user is likely to call an
infected, and commonly used, program. See also
disinfection.
- information flow control
-
a procedure to ensure that information transfers within a system are not made
from a higher security level object to an object of a
lower security level. See
covert channel,
simple security property,
star property (*-property).
Synonymous with
data flow control and
flow control.
- information system security
-
Measures and controls that protect a system against
denial of service and unauthorized (accidental
or intentional) disclosure, modification, or destruction of systems and data.
System security includes consideration of all hardware and/or software
functions, characteristics and/or features; operational procedures,
accountability procedures, and access controls at the central computer facility,
remote computer, and terminal facilities; management constraints; physical
structures and devices; and personnel and communication controls needed to
provide an acceptable level of risk for the system and for the data and
information contained in the system. It includes the totality of security
safeguards needed to provide an acceptable protection
level for a system and for data handled by a system.
- Information System Security
Officer (ISSO)
-
the person responsible to the Designated Approving Authority
for ensuring that security is provided for and implemented throughout the life
cycle of a system from the beginning of the concept development plan through its
design, development, operation, maintenance, and secure disposal
- initialization vector (IV)
-
a block of random, or at least never-repeated, bytes combined with the first block of
plaintext before
encryption by a
block cipher, or used as the starting value of the chaining step
when a block cipher is operated in a chaining or feedback mode such as CBC. Use of a
fresh initialization vector for every message ensures that two messages beginning with
the same plaintext, encrypted under the same key, do not produce the same initial
ciphertext blocks; reusing an IV under the same key leaks exactly that equality. The IV
need not be secret and is normally transmitted along with the ciphertext. The concepts of
challenge/response,
initialization vector,
nonce, and salt, are closely related.
Challenge/response is generally used in regard to password and authentication
schemes, initialization vector to block ciphers, nonce to short, automated
network messages, and salt to password storage. Also known as initialization
value.
- infector
-
a program, not itself infected, that will place a
virus in memory and render it active, without writing the
virus to disk. Seldom used in antivirus research. See
dropper.
- insider attack
-
an attack involving an employee or other trusted
individual, generally one with a higher than normal level of
access
- integrity
-
sound, unimpaired or perfect condition. Integrity is one of the
three pillars of security.
- integrity checking
-
see change detection
- interdiction
-
see denial of service
- internal security controls
-
hardware, firmware, and software features within a system that restrict access
to resources (hardware, software, and data) to authorized
subjects only (persons, programs, or devices)
- *International
Data Encryption Algorithm (IDEA)
-
a symmetric
block cipher that uses a 128-bit key and operates on
64-bit blocks
- *Internet Protocol
security (IPsec)
-
(1) the name of the IETF working group that is specifying a security
architecture (RFC 2401) and protocols to provide security services for Internet
Protocol traffic.
(2) a collective name for that architecture and set of protocols. Note that the
letters "sec" are lower-case. The IPsec architecture specifies (a) security
protocols (AH and ESP, the
Authentication Header and
Encapsulating Security Payload),
(b) security associations (what they are, how they work, how they are managed,
and associated processing), (c) key management (IKE), and (d) algorithms for
authentication and encryption. The set of security services include
access control service, connectionless data
integrity service, data origin
authentication service, protection against replays
(detection of the arrival of duplicate datagrams, within a constrained window),
data
confidentiality service, and limited traffic flow
confidentiality.
- *Internet Security Association and Key Management Protocol (ISAKMP)
-
an Internet IPsec protocol (RFC 2408) to negotiate,
establish, modify, and delete security associations, and to exchange key
generation and
authentication data, independent of the details of
any specific key generation technique, key establishment protocol,
encryption algorithm, or authentication mechanism.
- Internet Worm
-
also known as the UNIX Worm after the operating system it used, or the Morris
Worm after the author, or, very specifically, the Internet/Morris/UNIX Worm, or
sometimes simply the Worm, as the only one to be so capitalized. Launched in
November of 1988, it spread to some three to four thousand machines connected to
the Internet, wasting CPU cycles and clogging mail spools. It affected mail
traffic (in particular) on the Internet as a whole for a few days and is
probably the viral program most widely known to the general public prior to
Michelangelo,
Melissa, Loveletter, and
Code Red.
- intrusion
-
attacks or attempted attacks from outside the security
perimeter of a system
- *intrusion detection
system (IDS)
-
an automated system for alerting operators to a penetration or other
contravention of a security policy. Some
intrusion detection systems may also have means for responding to a penetration
by shutting down access or gathering more information on
the intruder. See also
anomaly detection and
network forensics.
- IP spoofing
-
strictly, the forging of the source address in IP packets so that they appear to
come from another, usually trusted, host. The term is also used for an attack whereby
an active, established, session is intercepted and co-opted by the attacker. Such
attacks may occur after an
authentication has been made, permitting the
attacker to assume the role of an already authorized user; trust based on source
address alone (as in the old rsh/rlogin hosts.equiv mechanism) is particularly
exposed. Primary protections against IP spoofing rely on
encryption and authentication at the session or network layer
(for example IPsec), together with filtering of packets carrying obviously forged
source addresses at network borders. Also known
as IP hijacking or IP splicing.
- IPSec
-
see Internet Protocol security
- *ISA
-
Industry Standard Architecture, the name given by IBM to the basic structure of
the IBM PC and XT computers, those referred to at the time as IBM or PC
compatible. The designation is commonly held to apply to computers based on
Intel 8088/8086/80x86/Pentium family processors, interrupt-based
BIOS
boot programming, and the associated bus, which is actually
what ISA referred to, and is, ironically, the part of the machine which has
undergone the greatest change. The ability of these computers to run the
Microsoft MS-DOS and Windows operating systems, as well as the use of Intel
CPUs, has also led to the use of the term Wintel, although this architecture is
also the most popular platform for those using the Linux operating system. The
term does not have any specific security meanings, and is included here solely
because Wintel computers play such a large factor in the overall computing
environment that a number of system-specific details must be mentioned in this
document.
Wintel is probably the more recognizable term, and ISA is really not completely
accurate to describe architecture as it currently stands. On the other hand,
Wintel is slang. On balance, I probably could have chosen to define either. So
why choose ISA rather than Wintel as the entry to be fully defined? In the end,
probably because it came first in the alphabet.
- ISAKMP
-
see
Internet
Security Association and Key Management Protocol
- ISC2
-
International Information Systems Security Certification Consortium (IISSCC),
group responsible for the Certified Information Systems Security Professional
(CISSP) designation. The group is generally abbreviated ISC2, or (ISC)2, or (ISC)^2,
which are all usable in text or email, or, most properly, (ISC)² with a superscript 2,
which cannot be represented in printable, text-only, characters. The
organization has a Web site at
www.isc2.org.
- isolation
-
the containment of subjects and
objects in a system in such a way that they are separated
from one another, as well as from the protection controls of the operating
system
- ISSA
-
Information Systems Security Association, non-profit society for security
professionals. The organization has a Web site at
www.issa.org, and has many local chapters.
-J-
- Jerusalem
-
one of the earliest MS-DOS file infector
viruses known to be in the wild. Originally discovered and
probably written in Israel. Originally known as the Israeli virus, it has also
been called PLO, Friday the 13th, and 1813. Still one of the most widespread of
file infecting viral programs and widely used as a template for the development
of variant viral strains.
- joke program
-
see prank
-K-
- Kerberos
-
a single sign-on system that uses
symmetric key
encryption via a
ticket-oriented mechanism
- key
-
data used in cryptosystems to perform
encryption. Sometimes called a cryptovariable.
- key length
-
since most modern encryption algorithms are
mathematically based, the length of keys is a major
determining element in the strength of an algorithm, or the work factor involved
in breaking a cryptographic system. See also
key space.
- key management
-
the process of handling and controlling
cryptographic keys and related
material (such as initialization values) during their life cycle in a
cryptographic system, including ordering, generating, distributing, storing,
loading, escrowing, archiving, auditing, and destroying the material.
- key pair
-
in an asymmetric
encryption system, a private, or confidential,
key and its (mathematically) related public key. See also
private key,
public key.
- key space
-
the range of possible values of a
cryptographic key, or the number
of distinct transformations supported by a particular cryptographic algorithm.
Key space is actually a better determinant of cryptographic strength than simple
key length.
- keyed hash
-
a cryptographic
hash or
digest in which the mapping to a
hash result is varied by a second input parameter
that is a cryptographic key. If the input data object is
changed, a new hash result cannot be correctly computed without knowledge of the
secret key. Thus, the secret key protects the hash result so it can be used as a
checksum even when there is a threat of an active attack
on the data.
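The following Python, added here and not part of the original glossary, builds the keyed hash described in this entry and in the HMAC entry above exactly as RFC 2104 specifies it, using SHA-256 (and SHA-1) as unmodified black boxes, and checks the result against the standard library. It then shows the point of the key: an attacker who alters the message can recompute a plain digest but cannot produce a tag that verifies. The key and messages are constructed for the example.

```python
"""HMAC built from an unmodified hash function, as RFC 2104 describes it."""
import hashlib
import hmac as stdlib_hmac

IPAD, OPAD = 0x36, 0x5C  # the two padding constants from RFC 2104


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(m) = H((K' xor opad) || H((K' xor ipad) || m)).

    The hash is used as a black box; only the key handling is added.
    """
    block_size = hashlib.new(hash_name).block_size  # B in the RFC (64 for SHA-256)
    if len(key) > block_size:  # long keys are first hashed down to the digest size
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # short keys are zero-padded to B bytes
    inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in key) + message).digest()
    return hashlib.new(hash_name, bytes(k ^ OPAD for k in key) + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time check; a plain == would leak where the first mismatching byte is."""
    return stdlib_hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


def unkeyed_check(message: bytes, digest: bytes) -> bool:
    """A plain digest used as an integrity check, for contrast: anyone can recompute it."""
    return hashlib.sha256(message).digest() == digest


# Constructed sample data.
KEY = b"correct horse battery staple"
MESSAGE = b"transfer 100 to bob"
TAMPERED = b"transfer 900 to bob"


def demo() -> dict:
    tag = hmac_rfc2104(KEY, MESSAGE)
    long_key = bytes(range(200))  # longer than the 64-byte block, exercises the hash-down step
    return {
        "matches_stdlib_sha256": tag
        == stdlib_hmac.new(KEY, MESSAGE, hashlib.sha256).digest(),
        "matches_stdlib_sha1": hmac_rfc2104(KEY, MESSAGE, "sha1")
        == stdlib_hmac.new(KEY, MESSAGE, hashlib.sha1).digest(),
        "long_key_matches_stdlib": hmac_rfc2104(long_key, MESSAGE)
        == stdlib_hmac.new(long_key, MESSAGE, hashlib.sha256).digest(),
        "genuine_accepted": verify(KEY, MESSAGE, tag),
        "tampered_rejected": not verify(KEY, TAMPERED, tag),
        # The attacker can recompute an unkeyed digest over the altered message...
        "unkeyed_digest_forged": unkeyed_check(
            TAMPERED, hashlib.sha256(TAMPERED).digest()
        ),
        # ...but without the key cannot produce a tag that verifies.
        "hmac_forgery_fails": not verify(
            KEY, TAMPERED, hmac_rfc2104(b"attacker's guess", TAMPERED)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In production code use the standard library's `hmac` module rather than a hand-rolled version; the point of writing it out is to see that the construction is just two hash calls around a padded key, which is what makes swapping the hash function easy.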
- kit
-
usually used to refer to a program used to produce a
virus from a menu or a list of characteristics. Use of a
virus kit involves no skill on the part of the user. Fortunately, most virus
kits produce easily identifiable code. Packages of antiviral utilities are
sometimes referred to as tool kits, occasionally leading to confusion of the
terms.
- known-plaintext attack
-
a cryptanalysis technique in which the analyst
tries to determine the key from knowledge of some
plaintext-
ciphertext pairs, although the analyst may also have
other clues, such as knowing the
cryptographic algorithm.
-L-
- latency
-
a situation where a system may be penetrated but some time may elapse between
the penetration and further activity. This term is generally used in connection
with malware such as
viruses and worms. A virus with a long
latent period may have time to reproduce and spread further before an overt
payload renders detection likely. On the other hand, since viruses
in the wild are regularly detected within hours of
release, a latent period may simply ensure that the virus is eliminated before
it has a chance to trigger.
- latent flaw
-
a vulnerability unintentionally introduced during
development, before it has been discovered by either attackers or the developer,
researchers, or users. Although this term refers to the flaw itself, it is most
commonly used in terms of discussions of disclosure
in terms of the period between the release of a product for use, and the
discovery of the vulnerability.
- lattice model
-
a security model for information flow control in a system, based on the lattice
that is formed by the finite security levels in a system and their partial
ordering. A lattice is a finite set together with a partial ordering on its
elements such that for every pair of elements there is a least upper bound and a
greatest lower bound.
- *Layer 2 Tunneling
Protocol (L2TP)
-
an Internet client-server protocol that combines aspects of PPTP and L2F and
supports tunneling of PPP over an IP network or over frame relay or other
switched network: it is a type of
virtual private network. PPP can in turn
encapsulate any OSI layer 3 protocol. Thus, L2TP does not specify security
services; it depends on protocols layered above and below it to provide any
needed security.
- least privilege
-
the principle that requires that each subject be granted
the most restrictive set of privileges needed for the performance of authorized
tasks. The application of this principle limits the damage that can result from
accident, error, or unauthorized use.
- Lehigh
-
one of the first MS-DOS virus programs, this only infected
copies of the COMMAND.COM program. It is thought to have been isolated to the
campus of Lehigh University where it was discovered, but most researchers and vx
boards have copies. The limited use of bootable MS-DOS diskettes makes it
unlikely that the virus would successfully spread if re-released.
- limited access
-
synonymous with access control
- limited disclosure
-
a form of vulnerability
disclosure which holds that information about the
vulnerability to the general public should be restricted in some manner,
possibly being limited to announcements of the existence of the loophole,
actions to be taken to restrict possible
exploits, the existence of vendor
patches, and so forth. Most often restrictions are
recommended in regard to the existence and distribution of exploit code. The
term is not well defined or agreed to in general usage, and should be defined
where used. Sometimes also restricted disclosure.
- link
-
the virus-related term link is not used very widely and is
used in a variety of ways. Amiga and Atari users talk about a link virus as a
file infector. Some others use link to refer to a
system virus or cluster virus.
- list-oriented
-
a computer protection system in which each protected
object has a list of all subjects
authorized to access it. Compare ticket-oriented.
- lock-and-key protection system
-
a protection system that involves matching a key or password with a specific
access requirement
- logic bomb
-
a resident computer program that triggers the perpetration of an unauthorized
act when particular states of the system are realized. This may be a section
of code, pre-programmed into a larger program, which waits for some trigger
event to perform some damaging function. A virus may
contain a logic bomb as a
payload. Logic bombs which trigger on time events are
sometimes known as time bombs, although this usage is not favored.
- login
-
the act of a system entity gaining access to a session in
which the entity can use system resources; usually accomplished by providing a
user name and password to an
access control system that
authenticates the user.
- loophole
-
an error of omission or oversight in software or hardware that permits
circumventing the system security policy. Compare
trap door or
maintenance hook.
- *Loveletter
-
a script email virus that used Outlook and Windows Script
Host. The virus spread itself as an email with an attachment called
LOVE-LETTER-FOR-YOU.TXT.vbs. The filename was an interesting piece of social
engineering, in that people were supposed to notice the .TXT and think the file
was only a text file, and obviously were not supposed to notice the .vbs, the
real extension that identifies the file as a script. Initially the virus was
widely referred to as the "Love Bug," but the more correct Loveletter or
Love-Letter are now most common. Since Loveletter did not attach to other files,
it is technically a worm.
-M-
- MacMag
-
an early Macintosh virus known also as Brandow, after the
instigator (the publisher of the MacMag magazine), and Peace, after the message
payload. MacMag has the dubious distinction of being the first virus known to
have infected
commercial software.
- macro virus
-
a macro is a small piece of programming in a simple language, used to perform a
simple, repetitive function. Microsoft's Word Basic and VBA macro languages can
include macros in data files, and have sufficient functionality to write
complete viruses. Macro viruses therefore broke the
long-held belief that viruses only infected executable files, and data files
were safe.
Script viruses are similar in that they contain
their own source code, although a macro virus is embedded in the data file, and
a script virus is generally a standalone
object.
- magnetic remanence
-
a measure of the magnetic flux density remaining after removal of the applied
magnetic force. Refers to any data remaining on magnetic storage media after
removal of the power. Used both to assess the stability of magnetic media and to
assess the likelihood of traces of data remaining after being deleted or
overwritten.
- mail storm
-
a condition where many redundant messages are generated and sent, generally
resulting from automated mail handling (such as vacation auto-responders
replying to automatic forwarding mailing lists). Most modern mail systems have
capabilities for dealing with common causes of mail storms.
- mailbomb
-
n. excessively large volume of email (typically many thousands of messages) or
one large message sent to a user's e-mail account, for the purpose of crashing
the system, or preventing genuine messages from being received
v. to send a mailbomb
- maintenance hook
-
special instructions in software to allow easy maintenance and additional
feature development. They are usually not documented in the design
specification. Hooks frequently allow entry into the code at unusual points or
without the usual checks, so they are a serious security risk if they are not
removed prior to live implementation. Maintenance hooks are special types of
trap doors.
- malicious
-
a virus known to carry an intentionally damaging payload
which will erase or corrupt files or data. It is felt by many antiviral
researchers that all viral programs carry the potential for unintentional damage
since all viral programs change the target environment, and therefore the term
malicious virus is assumed to be redundant. See also benign.
- malicious logic
-
hardware, software, or firmware that is intentionally included in a system for
an unauthorized purpose; e.g., a
trojan horse
- malware
-
a collective term including the many varieties of deliberately malicious
software, that is, software written for the purpose of causing inconvenience,
destruction, or the breaking of security policies or provisions. Malware is
generally considered to include programs such as DDoS
clients (or zombies),
logic bombs, RATs,
trojan horses,
viruses, and worms. Malware is
generally not considered to include unintentional problems in software, such as
bugs, or deliberately written software that is not intended to do harm, such
as
pranks.
- man-in-the-middle
-
a form of active wiretapping attack in which the attacker
intercepts and selectively modifies communicated data in order to masquerade as
one or more of the entities involved in a communication association. Similar to
hijacking. For example, suppose Alice and Bob try to
establish a session key by using the Diffie-Hellman algorithm without data
origin authentication service. A "man in the middle" could (a) block direct
communication between Alice and Bob and then (b) masquerade as Alice sending
data to Bob, (c) masquerade as Bob sending data to Alice, (d) establish separate
session keys with each of them, and (e) function as a clandestine proxy server
between them in order to capture or modify sensitive information that Alice and
Bob think they are sending only to each other.
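Worked example of the Diffie-Hellman scenario in this entry, added here and not part of the original glossary. It uses a constructed toy group (a Mersenne prime modulus with generator 3, far too small for real use) and an HMAC under a pre-shared key as a stand-in for the data origin authentication service that the definition says is missing; both are assumptions of this example. The first function shows steps (a) to (d): Mallory ends up holding one key with Alice and a different key with Bob. The second shows that once each public value travels with an origin tag, the substituted values are rejected and the attack is detected rather than silently succeeding.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only: a Mersenne prime modulus and a
# small generator. Real deployments use a vetted, much larger DH group.
P = 2**127 - 1
G = 3


def dh_private() -> int:
    """Random private exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def dh_public(x: int) -> int:
    return pow(G, x, P)


def dh_shared(peer_public: int, x: int) -> bytes:
    """Derive a session key from the shared DH value."""
    z = pow(peer_public, x, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()


def unauthenticated_exchange() -> dict:
    """DH with no data origin authentication: Mallory blocks Alice's and Bob's
    public values (steps a-c of the definition), substitutes her own, and ends up
    holding a separate session key with each side (step d)."""
    a, b = dh_private(), dh_private()
    alice_pub, bob_pub = dh_public(a), dh_public(b)
    m_to_alice, m_to_bob = dh_private(), dh_private()
    # Alice receives Mallory's value believing it is Bob's, and vice versa.
    return {
        "alice": dh_shared(dh_public(m_to_alice), a),
        "bob": dh_shared(dh_public(m_to_bob), b),
        "mallory_with_alice": dh_shared(alice_pub, m_to_alice),
        "mallory_with_bob": dh_shared(bob_pub, m_to_bob),
    }


def tag(auth_key: bytes, sender: bytes, public: int) -> bytes:
    """Data origin authentication of a public value. An HMAC under a pre-shared
    key stands in for a digital signature here (assumption of this example)."""
    return hmac.new(auth_key, sender + public.to_bytes(16, "big"), hashlib.sha256).digest()


def verify(auth_key: bytes, sender: bytes, public: int, t: bytes) -> bool:
    return hmac.compare_digest(tag(auth_key, sender, public), t)


def authenticated_exchange(auth_key: bytes, attacker_present: bool) -> dict:
    """Same exchange, but each public value travels with an origin tag. Mallory
    can still replace the values but cannot produce valid tags for them."""
    a, b = dh_private(), dh_private()
    alice_pub, bob_pub = dh_public(a), dh_public(b)
    alice_tag = tag(auth_key, b"alice", alice_pub)
    bob_tag = tag(auth_key, b"bob", bob_pub)
    if attacker_present:
        alice_pub = dh_public(dh_private())  # what Bob actually receives
        bob_pub = dh_public(dh_private())    # what Alice actually receives
    accepted = verify(auth_key, b"alice", alice_pub, alice_tag) and \
        verify(auth_key, b"bob", bob_pub, bob_tag)
    if not accepted:
        return {"accepted": False, "keys_match": None}
    return {"accepted": True,
            "keys_match": dh_shared(bob_pub, a) == dh_shared(alice_pub, b)}
```

The point of the contrast is that Diffie-Hellman on its own only guarantees that whoever sent the public value shares the key; it says nothing about who that was. Binding each value to its sender (here an HMAC, in practice a signature or a certificate-backed key) is what turns the exchange into an authenticated one.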
- mandatory access control (MAC)
-
a means of restricting access to objects based on the
sensitivity (as represented by a label) of the information contained in the
objects and the formal authorization (i.e., clearance) of
subjects to access information of such sensitivity. Compare
discretionary access control.
- masquerading
-
synonymous with spoofing
- *master boot record (MBR)
-
on ISA or Wintel computers, the first physical (not logical)
sector on the hard drive. The programming on this sector is called by the
BIOS as part of the
boot process, and the record also contains data about the
structure of the hard drive in the partition table. See also
boot record,
boot sector,
system boot record.
- MBR
-
see master boot record
- media virus
-
a virus which catches the attention of the public, and
particularly the media, generally out of all proportion to its significance
- meet in the middle
-
a specific form of cryptanalytic
attack in which the attacker uses
known-plaintext and the corresponding ciphertext
to do both encryption and
decryption in order to determine a multi-part
key
- Melissa
-
a type of Microsoft Word macro virus that also used
functions in the Microsoft Outlook email program in order to spread itself very
successfully and quickly. Technically, the Melissa code was not a macro, but a
VBA (Visual Basic for Applications) script. Melissa is not considered a
script virus since it was contained in a document.
- meme virus
-
see hoax
- memory resident virus
-
a virus that stays in memory after it executes and infects
other files when certain conditions are met. In contrast, non-memory-resident
viruses, called direct action viruses, are active only
while an infected application runs.
- message digest
-
see digest
- metavirus
-
see hoax
- Michelangelo
-
a "descendant" of the Stoned boot sector/MBR
virus, this program carries a damaging payload which
triggers when the computer is booted on March 6th, the birthdate of the
Renaissance painter and sculptor. First discovered in early 1991, the virus
gained notoriety during the "Michelangelo scare" leading up to March of 1992.
Although considered by many to have been media hype, the attention generated did
disclose many thousands and possibly millions of infections prior to March 6th
which were disinfected and therefore never triggered. Michelangelo did survive
1992 and struck again in subsequent years, in some countries being the most
widely reported virus as late as 1996.
- Millennium Bug
-
see Y2K
- mimicking
-
synonymous with spoofing
- modes of operation
-
a description of the conditions under which a system functions, based on the
sensitivity of data processed and the clearance levels and authorizations of the
users. Four modes of operation are authorized:
(1) Dedicated Mode A system is operating in the dedicated mode when
each user with direct or indirect individual access to the system, its
peripherals, remote terminals, or remote hosts, has all of the
following:
a. A valid personnel clearance for all information on the system.
b. Formal access approval for, and has signed nondisclosure
agreements for all the information stored and/or processed (including all
compartments, subcompartments and/or special access programs).
c. A valid need-to-know for all information contained within the
system.
(2) System-High Mode A system is operating in the system-high mode when
each user with direct or indirect access to the system, its
peripherals, remote terminals, or remote hosts has all of the
following:
a. A valid personnel clearance for all information on the system.
b. Formal access approval for, and has signed nondisclosure
agreements for all the information stored and/or processed (including all
compartments, subcompartments, and/or special access programs).
c. A valid need-to-know for some of the information contained
within the system.
(3) Compartmented Mode A system is operating in the compartmented mode
when each user with direct or indirect access to the system, its
peripherals, remote terminals, or remote hosts, has all of the
following:
a. A valid personnel clearance for the most restricted information
processed in the system.
b. Formal access approval for, and has signed nondisclosure
agreements for that information to which he/she is to have access.
c. A valid need-to-know for that information to which he/she is to
have access.
(4) Multilevel Mode A system is operating in the multilevel mode when
all the following statements are satisfied concerning the users with
direct or indirect access to the system, its peripherals, remote
terminals, or remote hosts:
a. Some do not have a valid personnel clearance for all the
information processed in the system.
b. All have the proper clearance and have the appropriate formal
access approval for that information to which he/she is to have access.
c. All have a valid need-to-know for that information to which
they are to have access.
- Morris Worm
-
see Internet Worm
- MtE
-
the most widely used abbreviation for the
polymorphic or mutation engine written by the virus
author known as Dark Avenger. Not a virus itself,
this is a section of code which can be attached to any virus, giving the virus
polymorphic features. Also known, less widely, as DAME (Dark Avenger's Mutation
Engine).
- MTX
-
a multipartite virus that
reproduces both by sending itself as an email message, and by infecting program
files. MTX will take control of the Internet connection of an infected machine,
and seeks to bar access to many antiviral Web sites.
- multilevel device
-
a device that is used in a manner that permits it to simultaneously process data
of two or more security levels without risk of
compromise. To accomplish this,
sensitivity labels are normally stored on the
same physical medium and in the same form (i.e., machine-readable or
human-readable) as the data being processed.
- multilevel secure
-
a class of system containing information with different sensitivities that
simultaneously permits access by users with different security clearances and
needs-to-know, but prevents users from obtaining access to information for which
they lack authorization
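Worked example for the mandatory access control and multilevel secure entries, added here and not taken from the glossary. It assumes the Bell-La Padula rules (simple security for read, the *-property for write), a constructed ordering of levels, and compartments modelled as a set. A subject's clearance and an object's label have the same shape, and the decision depends only on comparing them, never on an owner's wishes, which is exactly what separates mandatory from discretionary access control.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus a set of compartments.
    The same structure serves as an object's label and as a subject's clearance."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its level is at least as high AND its
        compartment set includes every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(clearance: Label, obj_label: Label, access: str) -> bool:
    """Bell-La Padula style decision: read needs the subject to dominate the
    object (no read up); write needs the object to dominate the subject
    (the *-property, no write down)."""
    if access == "read":
        return clearance.dominates(obj_label)
    if access == "write":
        return obj_label.dominates(clearance)
    raise ValueError(f"unknown access type {access!r}")


def reference_monitor(clearance: Label, requests: list) -> list:
    """Evaluate a batch of (object name, object label, access) requests and
    return the (object name, access, decision) records an audit log would hold."""
    return [(name, access, mac_decision(clearance, label, access))
            for name, label, access in requests]


# Constructed multilevel store: one subject, objects at several sensitivities.
ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
OBJECTS = [
    ("weather-report", Label("UNCLASSIFIED"), "read"),
    ("weather-report", Label("UNCLASSIFIED"), "write"),   # write down: denied
    ("key-schedule", Label("SECRET", frozenset({"CRYPTO"})), "read"),
    ("reactor-plan", Label("SECRET", frozenset({"NUCLEAR"})), "read"),  # missing compartment
    ("war-plan", Label("TOP SECRET", frozenset({"CRYPTO"})), "read"),   # read up: denied
    ("war-plan", Label("TOP SECRET", frozenset({"CRYPTO"})), "write"),  # write up: allowed
]

if __name__ == "__main__":
    for name, access, allowed in reference_monitor(ANALYST, OBJECTS):
        print(f"{access:5s} {name:15s} {'ALLOW' if allowed else 'DENY'}")
```

Note that the same-level object with a different compartment is denied even though the level matches: dominance requires both the level and the compartment set, which is what the "needs-to-know" part of the multilevel secure definition refers to.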
- multilevel security mode
-
see modes of operation
- multipartite
-
formerly a viral program which would infect both boot sector/MBRs and files. Now
used to refer to a virus which will infect multiple types of objects, or which
reproduces in multiple ways.
- multiple access rights terminal
-
a terminal that may be used by more than one class of users; for example, users
with different access rights to data
- multiuser mode of operation
-
a mode of operation designed for systems that process sensitive unclassified
information in which users may not have a need-to-know for all information
processed in the system. This mode is also for microcomputers processing
sensitive unclassified information that cannot meet the requirements of the
stand-alone mode of operation.
- mutating virus
-
see polymorphic
- mutual suspicion
-
the state that exists between interacting processes (subsystems or programs) in
which neither process can expect the other process to function securely with
respect to some property. Also describes the expected behaviour of individuals
in any group of Famous Security Experts.
-N-
- National Computer
Security Assessment Program
-
a program designed to evaluate the interrelationship of empirical data of
computer security infractions and critical systems profiles, while
comprehensively incorporating information from the CSTVRP. The assessment is
supposed to build threat and vulnerability scenarios that are based on a
collection of facts from relevant reported cases. US government and military.
- National Computer Security Center (NCSC)
-
originally named the DoD Computer Security Center, the NCSC is responsible for
encouraging the widespread availability of trusted computer systems throughout
the US Federal Government
- National Security
Decision Directive 145 (NSDD 145)
-
signed by US President Reagan on 17 September 1984, this directive is entitled
"National Policy on Telecommunications and Automated Information Systems
Security." It provides initial objectives, policies, and an organizational
structure to guide the conduct of national activities toward safeguarding
systems that process, store, or communicate sensitive information; establishes a
mechanism for policy development; and assigns implementation responsibilities.
- National Telecommunications and Information Systems
Security Advisory Memoranda/Instructions (NTISSAM, NTISSI)
-
NTISS Advisory Memoranda and Instructions provide advice, assistance, or
information of general interest on telecommunications and systems security to
all applicable US federal departments and agencies. NTISSAMs/NTISSIs are
promulgated by the US National Manager for Telecommunications and Automated
Information Systems Security and are recommendations rather than legislation.
- National Telecommunications and Information System Security
Directives (NTISSD)
-
NTISS Directives establish national-level decisions relating to NTISS policies,
plans, programs, systems, or organizational delegations of authority. NTISSDs
are promulgated by the Executive Agent of the Government for Telecommunications
and Information Systems Security, or by the Chairman of the NTISSC when so
delegated by the Executive Agent. NTISSDs are binding upon all federal
departments and agencies. US government and military.
- need to know
-
the necessity for access to, knowledge of, or possession of specific information
required to carry out official duties. Using a play on the phrases "need to
know" and "need to know, now," a British mailing list, NTKnow, collects news
items of interest to the stereotypical computer geek, but takes greatest delight
in any instance of government, "official," or corporate actions detrimental to
networking and computing, particularly in relation to security.
- network forensics
-
collection and analysis of evidence of intrusion or malfeasance from network
activity and data. Closely related to
intrusion detection systems and one of
the major divisions of digital forensics.
- network front end
-
a device that implements the necessary network protocols, including
security-related protocols, to allow a computer system to be attached to a
network
- Nimda
-
based on the earlier Code Red
worm or virus, and possibly programmed
by the same author(s), Nimda corrected earlier errors and refined the targeting
algorithms. It also extended the variety of ways that it traveled and the type of
infection mechanisms used, bringing multipartite technology to server worms.
- no-lone zone
-
a room or other space to which no person may have unaccompanied
access and that, when occupied, is required to be occupied
by two or more appropriately authorized persons
- nonce
-
a randomly generated value used to defeat replay attacks. The concepts of
challenge/response,
initialization vector,
nonce, and salt, are closely related.
Challenge/response is generally used in regard to password and authentication
schemes, initialization vector to block ciphers, nonce to short, automated
network messages, and salt to password storage.
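Worked example for this entry, added here and not part of the original glossary: a nonce used to defeat replay of a short automated message. The message format, the shared key and the 60-second freshness window are assumptions of the example. The receiver checks the MAC before anything else (so unauthenticated input cannot fill its nonce table), then the timestamp window (which bounds how long any nonce has to be remembered), and only then the nonce itself.

```python
import hashlib
import hmac
import secrets


def build_message(key: bytes, payload: bytes, now: int) -> tuple:
    """Sender side: fresh random nonce, a timestamp, and a MAC binding all three."""
    nonce = secrets.token_bytes(16)
    mac = hmac.new(key, nonce + now.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload, nonce, now, mac


class ReplayGuard:
    """Receiver side. Checks run in this order on purpose:
    1. MAC first, so unauthenticated garbage cannot fill the nonce table;
    2. freshness window, which bounds how long a nonce must be remembered;
    3. nonce lookup, which catches a replay inside the window."""

    def __init__(self, key: bytes, window_seconds: int = 60):
        self.key = key
        self.window = window_seconds
        self.seen = {}  # nonce -> timestamp at which it was first accepted

    def check(self, payload: bytes, nonce: bytes, ts: int, mac: bytes, now: int) -> str:
        expected = hmac.new(self.key, nonce + ts.to_bytes(8, "big") + payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"
        if abs(now - ts) > self.window:
            return "stale"
        # Forget nonces that can no longer pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    guard = ReplayGuard(key)
    msg = build_message(key, b"unlock door 7", now=1000)
    print(guard.check(*msg, now=1001))  # first delivery
    print(guard.check(*msg, now=1002))  # same bytes captured and re-sent
```

Without the timestamp the receiver would have to remember every nonce it ever accepted; without the nonce an attacker could re-send a captured message any time inside the window. The two together are what make the nonce store small and the replay check complete.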
- *nonrepudiation
-
a property of a system or service that provides protection against false denial
of involvement in a communication. Although more properly written as
"non-repudiation," the non-hyphenated version is more prevalent in actual usage.
- NSDD 145
-
see National Security
Decision Directive 145
- nVIR
-
an early Macintosh virus, the source code for which was
inadvertently published electronically. Shortly thereafter, two versions were
found in the wild.
-O-
- object
-
a passive entity that contains or receives information.
Access to an object potentially implies access to the
information it contains. Examples of objects are: records, blocks, pages,
segments, files, directories, directory trees, and programs, as well as bits,
bytes, words, fields, processors, video displays, keyboards, clocks, printers,
and network nodes.
- object reuse
-
the reassignment and reuse of a storage medium (e.g., page frame, disk sector,
magnetic tape) that once contained one or more
objects. To be securely reused and assigned to a new
subject, storage media must contain no residual data (magnetic remanence)
from the object(s) previously contained in the media.
- ohnosecond
-
that minuscule fraction of time between hitting the "send" button and realizing
that you have just posted your private
key to alt.script-kiddies - modified from RFC 2828
- on-access scanner
-
a real-time virus scanner that scans
disks and files automatically and often in the background. An on-access scanner
scans files for viruses as the computer accesses the files. Previously known as
a resident scanner.
- on-demand scanner
-
a virus scanner that the user starts manually, or that is invoked under certain
conditions or on a regular schedule. Most on-demand scanners allow the user to
set various configurations and to scan specific files, folders or disks.
Previously known as a manual scanner.
- one-time pad
-
an encryption system based on a series of
keys, each of which is used only once. Given certain limits
on the length of the key in relation to the length of the message, and the use
of a secure channel for transmission of the pad, one-time pads are considered
unbreakable.
- one-time password
-
an authentication token meant to be used for
a single instance, and then discarded
- one way encryption
-
irreversible transformation of plaintext to
ciphertext, such that the plaintext cannot be
recovered from the ciphertext by other than exhaustive procedures even if the
cryptographic key is known. One-way encryption may seem odd,
but it does have legitimate uses, such as storage of passwords.
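Worked example of the password-storage use named in this entry, added here and not part of the original glossary. The record format, the PBKDF2-SHA256 choice and the iteration count are assumptions of the example. The stored value is never decrypted because it cannot be: verification recomputes the transform under the stored salt and compares in constant time, and the per-record salt (see the salt entry) means the same password yields different records.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # constructed default; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """One-way transform of a password for storage. The output cannot be turned
    back into the password; the only way to recover it is to guess and re-run
    the function, which the iteration count and the salt make expensive."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute under the stored salt and iteration count and compare in
    constant time; the stored value is never decrypted because it cannot be."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt, dk = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(dk))
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

Storing the iteration count inside the record is what lets the cost be raised later without invalidating existing users: old records keep verifying under their own parameters until they are rehashed.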
- onion routing
-
a technique for anonymizing routing, and therefore making traffic analysis and
tracing more difficult. The packets transiting a chain of onion routers (from
among the group in existence in the public network) have encrypted headers, and
are passed from one to another before being sent to the eventual destination.
Each router encrypts the socket connection and acts in turn as a proxy in the
chain. The concept is similar to that used by the cypherpunks remailers for
anonymous email communications.
- open security environment
-
an environment that includes those systems in which at least one of the
following conditions holds true: (1) Application developers (including
maintainers) do not have sufficient clearance or authorization to provide an
acceptable presumption that they have not introduced malicious logic. (2)
Configuration control does not provide sufficient assurance that applications
are protected against the introduction of malicious logic prior to and during
the operation of system applications.
- open source
-
a software development philosophy based on the premise that the source code for
software must be made available to the user, and that restrictions cannot be
placed on the user's modification of the code, so long as the user is also bound
by the same proviso. There are some disagreements about the precise use of open source,
but it is generally seen as being akin but not equal to both
public domain software and
freeware. However, open source software is also seen as
a viable commercial model. Compare with
shareware.
- operation restrictor
-
similar to an activity monitor, an operation restrictor not only alerts the user
to unusual or dangerous computer operations, but actually restricts them. Also
known as activity blocker or behaviour blocker.
- Operations Security (OPSEC)
-
an analytical process by which the U.S. Government and its supporting
contractors can deny to potential adversaries information about capabilities and
intentions by identifying, controlling, and protecting evidence of the planning
and execution of sensitive activities and operations.
- Orange Book
-
alternate name for the US DoD Trusted Computer Security Evaluation Criteria,
given because of the colour of the cover of the printed manual. The books in
this series are collectively known as the Rainbow books because of the various
colours used for covers.
- out of band
-
transfer of information using a channel that is outside or separate from the
channel that is normally used. Out of band mechanisms are often used to
distribute shared secrets (e.g., a
symmetric key) or other sensitive information items
(e.g., a root key) that are needed to initialize or otherwise enable the
operation of cryptography or other security
mechanisms. In addition, the transfer of command information on the same
channels as other data can lead to security problems, such as happened with
older phone systems where trunk access and other controls were transmitted by
tones within the voice band. See also covert channel.
- *output feedback (OFB)
-
a block cipher mode that modifies
electronic codebook mode to operate on
plaintext segments of variable length less than or equal to the block
length. This mode operates by directly using the algorithm's previously
generated output block as the algorithm's next input block (i.e., by "feeding
back" the output block) and combining (exclusive OR-ing) the
output block with the next plaintext segment (of block length or less) to form
the next ciphertext segment.
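Worked example of the feedback loop described in this entry, added here and not part of the original glossary. Because OFB only ever runs the block algorithm in its forward direction, the example substitutes a SHA-256 based pseudorandom function truncated to one block for the block cipher (an assumption of the example, not a recommendation). It uses full-block feedback, the variant in common use, and handles a final segment shorter than the block by using only part of the last output block. The last function shows the caveat a practitioner wants with any such mode: the keystream depends only on key and IV, so reusing an IV under the same key makes the XOR of two ciphertexts equal the XOR of their plaintexts.

```python
import hashlib
import secrets

BLOCK = 16  # block length in bytes


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's forward direction (assumption of this
    example: a SHA-256 based pseudorandom function truncated to one block).
    OFB never needs the inverse direction, so a one-way PRF suffices."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Output feedback: each output block becomes the next input block.
    The keystream depends only on key and IV, never on the plaintext."""
    assert len(iv) == BLOCK
    out = bytearray()
    feedback = iv
    while len(out) < nbytes:
        feedback = block_fn(key, feedback)  # feed the previous output back in
        out.extend(feedback)
    return bytes(out[:nbytes])  # a final short segment just uses part of a block


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, ofb_keystream(key, iv, len(data))))


def iv_reuse_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the IV must be unique per message: with the same key and IV the
    keystream is identical, so XOR of the two ciphertexts equals XOR of the
    two plaintexts (the keystream cancels). Returns True when that holds."""
    c1, c2 = ofb_crypt(key, iv, p1), ofb_crypt(key, iv, p2)
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n])) == \
        bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))


if __name__ == "__main__":
    key, iv = secrets.token_bytes(16), secrets.token_bytes(BLOCK)
    msg = b"37 bytes: not a multiple of the block"
    ct = ofb_crypt(key, iv, msg)
    assert ofb_crypt(key, iv, ct) == msg
    print("round trip ok; IV reuse leaks XOR:",
          iv_reuse_leaks_xor(key, iv, msg, b"second message"))
```

A fresh, unpredictable IV per message (sent in the clear alongside the ciphertext) is the mitigation; the mode itself offers no integrity protection, so a MAC over the ciphertext is still needed in practice.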
- overt channel
-
a path within a computer system or network that is designed for the authorized
transfer of data. Compare covert channel.
- overwrite procedure
-
a process or stimulation to change the state of a bit or other data. See
magnetic remanence.
-P-
- packet filter
-
one of the simplest and earliest forms of a
firewall, a packet filter accepts or rejects traffic
based on source and destination addresses, and possibly the type of traffic
- padding
-
a string of random data, typically added to
plaintext in a block cipher when the last plaintext
block is short, or the original data contains long strings of null data
- pagejacking
-
a contraction of "Web page hijacking". A masquerade attack in which the attacker
copies a home page or other material from the target server, rehosts the page on
a server the attacker controls, and causes the rehosted page to be indexed by
the major Web search services, thereby diverting browsers from the target server
to the attacker's server. This practice is infrequent, and usage of this term is
rare. This term should not be confused with other forms of Web diversion.
- partitioned security mode
-
a mode of operation wherein all personnel have the clearance but not necessarily
formal access approval and need to know for all
information contained in the system. Not to be confused with compartmented
security mode (see
modes of operation).
- password
-
a protected/private character string used to
authenticate an identity
- password attack
-
an attempt to obtain or decrypt a legitimate user's password. Attackers can use
password dictionaries, cracking programs, and password sniffers in password
attacks. Defense against password attacks is rather limited but usually consists
of a password policy including a minimum length, unrecognizable words, and
frequent changes. See also dictionary attack,
password sniffing.
- password sniffing
-
the use of a network sniffer program to capture passwords
as they cross a network. The network could be a local area network, or the
Internet itself. The sniffer can be hardware or software. Most sniffers are
passive and only log passwords. The attacker must then analyze the logs later.
- patch
-
a quick modification of a program, which is sometimes a temporary fix until the
problem can be solved more thoroughly. Patches have two relations to security. A
security
vulnerability or
loophole in a system may be fixed with a patch. However,
because patches are not always subject to rigorous systems development
procedures, they may also introduce vulnerabilities and loopholes into a system.
- payload
-
a destructive or security-breaking activity, usually considered separately from
its delivery mechanism, which may be a
trojan horse, virus, or other
means of transmission or emplacement. Payloads may be simple messages, or may be
logic bombs,
trap doors, or other functions. See also
malware.
- PC compatible
-
see ISA
- penetration
-
the successful act of bypassing the security mechanisms of a system
- penetration signature
-
the characteristics or identifying marks that may be produced by a penetration.
This signature may be used in
intrusion detection systems.
- penetration study
-
a study to determine the feasibility and methods for defeating controls of a
system
- penetration testing
-
the portion of security testing in which the evaluators attempt to circumvent
the security features of a system. The evaluators may be assumed to use all
system design and implementation documentation, which may include listings of
system source code, manuals, and circuit diagrams. The evaluators work under the
same constraints applied to ordinary users.
- perfect forward secrecy
-
see forward secrecy
- perimeter-based security
-
the technique of securing a network or system by controlling
access to all entry and exit points
- periods processing
-
the processing of various levels of sensitive information at distinctly
different times. Under periods processing, the system must be purged of all
information from one processing period before transitioning to the next when
there are different users with differing authorizations.
- permission
-
a description of the type of authorized interactions a
subject can have with an
object. Examples include: read, write, execute, add,
modify, and delete. Sometimes referred to as privilege or rights.
- persistent storage
-
any storage medium that remains intact when the power to it is disconnected.
Also known as non-volatile storage.
- personnel security
-
the procedures established to ensure that all personnel who have access to
sensitive information have the required authority as well as appropriate
clearances
- *PGP
-
a widely used and highly regarded encryption program
using a hybrid symmetric/asymmetric encryption system and a non-hierarchical
web of trust certification model. Many versions exist, including
commercial, international, and open source. Not
all versions are compatible in all functional areas.
- phreak
-
those who are interested in breaking into or otherwise manipulating the
telephone system are referred to (and refer to themselves) as "phone phreaks",
using the punning variant spelling. This is generally shortened to phreaks in
common usage. The act of manipulating the phone system is known as phreaking.
- physical control
-
see controls
- physical security
-
the application of physical barriers and control procedures as preventive
measures or countermeasures against threats to resources and sensitive
information
- piggyback
-
gaining unauthorized access to a system via another user's legitimate
connection. See
between-the-lines entry.
- ping of death
-
an attack that sends an improperly large ICMP echo request
packet (a "ping") with the intent of overflowing the input buffers of the
destination machine and causing it to crash
- ping sweep
-
an attack that sends ICMP echo requests ("pings") to a range
of IP addresses, with the goal of finding hosts that can be probed for
vulnerabilities
- PKI
-
Public Key Infrastructure, a framework established to issue, maintain, and
revoke public key certificates accommodating a variety of security technologies
- plaintext
-
the original, or extracted, message, before the process of
encryption or after the process of
decryption. Generally also known as cleartext.
However, technically plaintext can be
ciphertext that was the output of a prior stage in
multiple stage encryption, whereas cleartext is always assumed to be
intelligible to anyone.
- policy
-
organizational-level rules governing acceptable use of computing resources,
security practices, and guiding development of operational procedures
- polymorphic
-
pertaining to techniques that use some system of changing the form of a
virus on each
infection to try and avoid detection by signature
scanning software. (The Greek roots literally mean "many forms".) Less
sophisticated systems are referred to as self-encrypting.
- port scan
-
an attack that sends client requests to a range of server
port addresses on a host, with the goal of finding an active port and
exploiting a known
vulnerability of that service
- prank
-
software which appears to cause problems or damage, but which, in fact, does
not. In a sense the inverse of the
trojan horse. Books and programs are now being sold
which perform these "stupid computer tricks." May cause heart problems, but no
erasure of data. (It is, however, sometimes difficult to draw a hard and fast
line between pranks and malware. Pranks generally cause some
denial of service, but hopefully only for a
short time.)
- Preferred Products List (PPL)
-
a list of commercially produced equipments that meet TEMPEST and other
requirements prescribed by the US National Security Agency. This list is
included in the NSA Information Systems Security Products and Services
Catalogue, issued quarterly and available through the Government Printing
Office.
- Pretty Good Privacy
-
see PGP
- preventative control
-
see controls
- preventive control
-
see controls
- print suppression
-
eliminating the displaying of characters in order to preserve their secrecy;
e.g., not displaying the characters of a password as it is keyed at the input
terminal
- privacy
-
the concept of privacy is one that is very difficult to nail down. Technically
it is often defined as the condition of being isolated from view, or secret.
Those more concerned with social aspects generally speak of the ability to
control information about oneself. Some definitions are:
The right of an entity (normally a person), acting in its own behalf, to
determine the degree to which it will interact with its environment, including
the degree to which the entity is willing to share information about itself with
others.
The right of individuals to control or influence what information related to
them may be collected and stored and by whom and to whom that information may be
disclosed.
You should not use this term as a synonym for confidentiality, which is a
different concept. Privacy is a reason for security rather than a kind of
security. For example, a system that stores personal data needs to protect the
data to prevent harm, embarrassment, inconvenience, or unfairness to any person
about whom data is maintained, and to protect the person's privacy. For that
reason, the system may need to provide data confidentiality service. See also
anonymity.
- private key
-
term often used to refer either to the shared key in a
symmetric
encryption system, or the confidential part of the
key pair used in an
asymmetric system
- privilege
-
see permission
- privileged instructions
-
a set of instructions (e.g., interrupt handling or special computer
instructions) to control features (such as storage protection features) that are
generally executable only when the automated system is operating in the
executive state
- probe
-
a device or program used to gather information about a system or its users
- procedural security
-
synonymous with administrative security
- process
-
a program in execution. See domain and
subject.
- proprietary
-
refers to information (or other property) that is owned by an individual or
organization and for which the use is restricted by that entity
- protection philosophy
-
an informal description of the overall design of a system that delineates each
of the protection mechanisms employed. A combination, appropriate to the
evaluation class, of formal and informal techniques is used to show that the
mechanisms are adequate to enforce the security policy.
- protection ring
-
one of a hierarchy of privileged modes of a system that gives certain access
rights to user programs and processes authorized to operate in a given mode.
This term is now commonly applied to operating modes of the Intel Pentium
processor, and the Windows NT and 2000 operating systems, although the latter
usage may not be fully consistent with earlier definitions.
- protection-critical portions of the TCB
-
those portions of the TCB whose normal function is to deal
with the control of access between
subjects and objects. Their correct
operation is essential to the protection of the data on the system.
- protocol
-
a set of rules and formats, semantic and syntactic, that permits entities to
exchange information
- proxy server
-
a computer attached to two or more networks, providing service to more than one
client or server as if to a single machine. Most often used to connect multiple
machines on a local area network to a public network such as the Internet. Often
used as a type of
firewall since the proxy server can be hardened, and
attacks will be directed against the proxy server rather than the actual servers
behind it. See also
application level gateway and compare
with packet filter.
- pseudo flaw
-
an apparent loophole deliberately implanted in an operating system program as a
trap for intruders. See also
honeypot and
entrapment.
- pseudo random
-
the generation of random numbers is very important to operations related to
cryptography. As Robert R. Coveyou has said, "[t]he generation of random
numbers is too important to be left to chance." If, for example,
keys are not chosen at random, then key choice may be determinable, and thus
the cryptographic system may be compromised. However, it is not possible to
produce truly random numbers with a program. The great John Louis von Neumann
himself stated "[a]nyone who considers arithmetical methods of producing random
numbers is, of course, in a state of sin." (The Dilbert cartoon strip made a
profound observation on October 25, 2001, when, in response to a random number
generator that produced only nines, Dilbert asked if it was truly random, and
was told "That's the problem with randomness. You can never be sure.")
Therefore, extensive efforts are put into creating functions that randomize
input and that draw on event data (such as system clock times, the timing
between keystrokes, and even electronic noise) in order to obtain data that is
as random as possible for use in cryptographic systems.
- public domain
-
a legal term which carries the same meaning in regard to software which it does
in the field of literature. Software in the public domain may be used by anyone,
for any purpose, in any manner, without restriction. This term is often used
carelessly to refer to
freeware, which requires no payment, but for which the
author still assumes copyright and control, and
shareware, which does, in fact, require payment for
continued use. See also
commercial, open source.
- public key
-
sometimes used to refer generically to
asymmetric
encryption systems, but more properly referring to the
non-confidential portion of a
key pair in asymmetric systems
- public key forward secrecy
-
see forward secrecy
- Public Law 100-235 (P.L.
100-235)
-
also known as the Computer Security Act of 1987, this US law creates a means for
establishing minimum acceptable security practices for improving the security
and privacy of sensitive information in federal computer systems. This law
assigns to the National Institute of Standards and Technology responsibility for
developing standards and guidelines for federal computer systems processing
unclassified data. The law also requires establishment of security plans by all
operators of federal computer systems that contain sensitive information.
- purge
-
the removal of sensitive data from a system, system storage device, or
peripheral device with storage capacity, at the end of a processing period. This
action is performed in such a way that there is
assurance proportional to the
sensitivity of the data that the data may not be
reconstructed. A system must be disconnected from any external network before a
purge. After a purge, the medium can be
declassified by observing the review procedures
of the respective agency.
-Q-
This document contains no entries beginning with the letter Q.
-R-
- rabbit
-
a virus which generates multiple copies of itself without
attaching to other programs. Generally, this type of
attack is a denial of service
based upon excessive use of disk or memory space or CPU cycles. Usage rare.
- RADIUS
-
see Remote Authentication
Dial-In User Service
- remap
-
to make a software or configuration data modification that redirects system
associations. The extent of remapping can vary widely.
ANSI bombs can be used to remap the keyboard, in order
to invoke a payload command with a single keystroke. Other remapping may involve
changes to network routing tables that may redirect the user from a trusted site
to an unknown site. In a sense, the classic
man-in-the-middle
attack is a form of remapping.
- *RAT (Remote Access
Trojan)
-
a program designed to provide access to, and control over, a network-attached
computer from a remote computer or location, in effect providing a
backdoor. Interestingly, RATs are often described, by their creators, as
"Remote Administration Tools" in an attempt to present them as legitimate
utility software. The distinction between valid remote tools and RATs generally
lies in the provisions for RATs to be installed without the direct knowledge of
the user or operator of the computer to be controlled, and additional functions
to announce the installation of the RAT, and the address of the computer being
controlled, to public venues such as Usenet newsgroups and IRC (Internet Relay
Chat).
- Rainbow Series
-
Sometimes known as the Rainbow Books, a set of more than 30 technical and policy
documents with colored covers, issued by the US government's NCSC, that discuss
in detail the
TCSEC and provide guidance for meeting and applying the
criteria
- random
-
in mathematics, random means "unpredictable". A sequence of values is called
random if each successive value is obtained merely by chance and does not depend
on the preceding values of the sequence, and a selected individual value is
called random if each of the values in the total population of possibilities has
equal probability of being selected. In cryptography
and other security applications, random means not only unpredictable, but also "unguessable".
When selecting data values to use for cryptographic
keys, the requirement is for data that an adversary has a
very low probability of guessing or determining. See
pseudo-random.
- read
-
a fundamental operation that results only in the flow of information from an
object to a
subject
- read access
-
permission to read information
- real-time scanner
-
see on-access scanner
- recovery control
-
see controls
- recovery procedures
-
the actions necessary to restore a system's computational capability and data
files after a system failure. See also
business continuity plan,
disaster recovery plan.
- redundancy
-
duplication of system components (such as hard drives, power sources, or
processors), information (such as backup copies of software or archived files),
or personnel intended to increase the
reliability or
availability of service and/or decrease the risk of
information loss
- reference monitor
-
an access control concept that refers to an
abstract machine that mediates all accesses to
objects by subjects
- reference validation mechanism
-
an implementation of the reference monitor concept. A security kernel is a type
of reference validation mechanism.
- Registry
-
see Windows Registry
- reliability
-
the probability of a given system performing its mission adequately for a
specified period of time under the expected operating conditions. Reliability is
generally considered as
availability with the addition of the expectation of
proper outcomes from processing: a sort of cumulative availability.
- remediation
-
deliberate precautionary measures undertaken to improve the
reliability,
availability, and survivability of critical assets
and/or infrastructures, particularly with regard to specific known
vulnerabilities and
threats. Remediation is a part of
risk management and is closely allied to the
concept of a safeguard or
countermeasure.
- Remote Access Trojan
-
see RAT
- *Remote
Authentication Dial-In User Service (RADIUS)
-
an Internet protocol (RFC 2138) for carrying dial-in users'
authentication information and configuration
information between a shared, centralized authentication server (the RADIUS
server) and a network access server (the RADIUS client) that needs to
authenticate the users of its network access ports. A user of the RADIUS client
presents authentication information to the client, and the client passes that
information to the RADIUS server. The server authenticates the client using a
shared secret value, then checks the user's authentication information, and
finally returns to the client all authorization and configuration information
needed by the client to deliver service to the user.
- replay attack
-
an attack in which a valid data transmission is
maliciously or fraudulently repeated, either by the originator or by an
adversary who intercepts the data and retransmits it, possibly as part of a
masquerade attack
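The usual defence against the replay described above is to make every transmission unique and authenticated, so that a repeat is recognisable. The following Python is an added example written for this glossary, not code from the glossary itself: the sender attaches a random nonce, a timestamp and an HMAC tag, and the receiver keeps a short memory of nonces inside an acceptance window. The shared key and message contents are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed shared secret for the example; in practice it is provisioned to
# both parties out of band.
SHARED_KEY = b"example-shared-secret-not-for-real-use"


def _body(ts: int, nonce_hex: str, payload: str) -> bytes:
    """Canonical byte string that the tag authenticates: timestamp, nonce and
    payload together, so none of them can be altered without breaking the tag."""
    return f"{ts}|{nonce_hex}|{payload}".encode("utf-8")


def make_message(key: bytes, payload: str, ts: int, nonce: Optional[bytes] = None) -> Dict:
    """Sender side: attach a fresh nonce, a timestamp and an HMAC-SHA256 tag."""
    nonce_hex = (nonce if nonce is not None else secrets.token_bytes(16)).hex()
    tag = hmac.new(key, _body(ts, nonce_hex, payload), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce_hex, "payload": payload, "tag": tag}


class ReplayGuard:
    """Receiver side. A message is accepted only if its tag verifies, its
    timestamp lies within the window, and its nonce has not been seen before.
    Nonces older than the window are forgotten; the timestamp check still
    rejects such messages, so memory stays bounded without opening a gap."""

    def __init__(self, key: bytes, window_seconds: int = 30) -> None:
        self.key = key
        self.window = window_seconds
        self.seen: Dict[str, int] = {}  # nonce -> timestamp when first accepted

    def accept(self, msg: Dict, now: int) -> str:
        expected = hmac.new(self.key, _body(msg["ts"], msg["nonce"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"      # altered in transit, or wrong key
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale"        # outside the acceptance window
        if msg["nonce"] in self.seen:
            return "rejected: replay"       # the same transmission, a second time
        self.seen[msg["nonce"]] = msg["ts"]
        self._expire(now)
        return "accepted"

    def _expire(self, now: int) -> None:
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[nonce]


if __name__ == "__main__":
    guard = ReplayGuard(SHARED_KEY)
    msg = make_message(SHARED_KEY, "transfer 100 to account 42", ts=1000)
    print(guard.accept(msg, now=1001))   # accepted
    print(guard.accept(msg, now=1005))   # rejected: replay
```

The timestamp is what lets the nonce memory be pruned: without it the receiver would have to remember every nonce ever seen, and with it alone (no nonce) a retransmission inside the window would still be accepted.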
- replicate
-
in general, copying or reproduction. In virus research, the term replicate, or
sometimes reproduction, is often used to distinguish the clandestine copying
action done by a virus from the normal and deliberate duplication performed by
the user.
- repudiation
-
denial by a system entity that was involved in an association (especially an
association that transfers information) of having participated in the
relationship. See
accountability,
nonrepudiation.
- resident
-
a program which stays in the memory of the computer while other programs are
running, waiting for a specific trigger event. Accessory software is often of
this type, as is
activity monitoring and resident or on-access
virus
scanning software. Viral programs often attempt to "go
resident," and so this is one of the functions an activity monitor may check.
Also known as "memory resident" and, in MS-DOS circles, TSR (Terminate and Stay
Resident). The Microsoft Windows equivalent is a VxD or service, while the
Novell Netware version is NLM (Netware Loadable Module). UNIX resident programs
are generally known as daemons, although there is a tendency to restrict this
usage to network server software.
- residual risk
-
the portion of risk that remains after security measures have been applied. The
risk of a given
vulnerability after the application of specific
safeguards.
- residue
-
data left in storage after processing operations are complete, but before
degaussing or rewriting has taken place
- resource encapsulation
-
the process of ensuring that a resource not be directly accessible by a
subject, but that it be protected so that the
reference monitor can properly mediate accesses to it.
- restricted area
-
any area to which access is subject to special restrictions or controls for
reasons of
- rogue
-
bounds in a partitioned computer, more generically used to describe
any type of malicious or buggy software: a program which, because of a bug in
programming, interferes with normal system operation. The damage caused by a
rogue is unintentional. Used primarily in mainframe circles and now relatively
rare.
- reverse engineer
-
to determine the internal workings of a system from externally available
indications of function
- risk
-
an expectation of loss expressed as the probability that a particular
threat will exploit a particular
vulnerability with a particular harmful result
- risk analysis
-
Also known as risk assessment, a process that systematically identifies valuable
system resources and threats to those resources,
quantifies loss exposures (i.e., loss potential) based on estimated frequencies
and costs of occurrence, and (optionally) recommends how to allocate resources
to countermeasures so as to minimize total exposure. The analysis lists risks in
order of cost and criticality, thereby determining where countermeasures should
be applied first. It is usually financially and technically infeasible to
counteract all aspects of risk, and so some
residual risk will remain, even after all available
countermeasures have been deployed.
- risk management
-
the process of identifying, controlling, and eliminating or minimizing uncertain
events that may affect system resources
- ROM
-
read only memory. A static memory type used to hold programming, regardless of
power conditions. Primarily used for the "boot strap" programming for
microcomputers. Until recently this memory has been non-writable in normal
operation and so safe from
virus and other attacks, but this may
change with the recent promotion and use of "flash" EEPROMs.
- root authority
-
the certification authority (CA) at the
top of a CA hierarchy
- root kit
-
a script, set of scripts, or package of modified system programs used for
gaining unauthorized root privileges (or equivalent supervisory powers) on a
compromised system. Also rootkit.
- RSA
-
an asymmetric
cryptographic algorithm named for its 1977
inventors, Ron Rivest, Adi Shamir, and Leonard Adleman. RSA uses exponentiation
modulo the product of two large prime numbers. The difficulty of breaking RSA is
believed to be equivalent to the difficulty of factoring integers that are the
product of two large prime numbers of approximately equal size.
-S-
- safeguard
-
any protective measure or control that is prescribed to meet the security
requirements specified for a system. Safeguards may include but are not
necessarily limited to: hardware and software security features, operating
procedures,
accountability procedures,
access and distribution controls, management
constraints, personnel security, and physical
structures, areas, and devices. Also sometimes specifically called security
safeguards.
- salami
-
an apocryphal story of a program which takes advantage of very active systems to
make incremental changes. The usual tale is of a banking system which syphons
fractions of a penny at a time into the programmer's account. In spite of the
lack of evidence for the existence of attacks of this
type, increasing numbers of security books make reference to it.
- salt
-
random data added to small amounts of information, such as passwords or session
keys, prior to
encryption in order to make dictionary attacks (a type
of brute force attack) more difficult or time consuming. When used, salt is
generally placed in front of the encrypted data. The concepts of
challenge/response,
initialization vector,
nonce, and salt, are closely related.
Challenge/response is generally used in regard to password and authentication
schemes, initialization vector to block ciphers, nonce to short, automated
network messages, and salt to password storage.
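The salt entry above and the random entry earlier in this section come together in password storage, where the salt must be unguessable and must differ per stored password. The following Python is an added example written for this glossary, not code from it: it contrasts unsalted hashing, against which one precomputed dictionary table serves for every stored value, with salted PBKDF2 hashing, where the salt is drawn from the operating system's cryptographic generator. The wordlist, passwords and iteration count are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Deliberately modest so the example runs in a
# moment; a production configuration uses a far higher count.
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    A fresh salt comes from `secrets`, which draws on the operating system's
    cryptographic generator, not from the `random` module, whose output is
    reproducible from its seed and therefore guessable in the sense the
    'random' entry describes.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password: str) -> bytes:
    """The scheme salting replaces: identical passwords hash identically."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_table(wordlist) -> dict:
    """Against unsalted hashes a dictionary attack is one table, built once and
    reused against every stored hash."""
    return {unsalted_hash(word): word for word in wordlist}


def demo() -> dict:
    # Constructed sample data: a tiny wordlist and a user password found in it.
    wordlist = ["password", "letmein", "hunter2"]
    table = precomputed_table(wordlist)

    # Unsalted storage: the stored digest is looked up directly.
    unsalted_cracked = table.get(unsalted_hash("hunter2"))

    # Salted storage: two users with the same password get different digests,
    # and the precomputed table contains neither; the adversary would need a
    # separate table for every salt value in use.
    salt_a, digest_a = hash_password("hunter2")
    salt_b, digest_b = hash_password("hunter2")

    return {
        "unsalted_cracked": unsalted_cracked,
        "salted_digests_differ": digest_a != digest_b,
        "salted_digest_in_table": digest_a in table,
        "verify_correct": verify_password("hunter2", salt_a, digest_a),
        "verify_wrong": verify_password("Hunter2", salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored beside the digest in the clear; its job is not secrecy but uniqueness, which is why it must come from a generator whose output cannot be predicted or repeated.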
- sandbox
-
a security model providing that code or programs from untrusted sources can be
run in an environment that restricts potentially dangerous activities and
functions. Originally arising from and applied to the Java language applet
system, it may now refer also to the general concept.
- sanitize
-
to delete sensitive data from a file, a device, or a system; or modify data so
as to be able to downgrade its classification level
- scan string
-
see signature
- scanner
-
1) a program which reads the contents of a file looking for code known to exist
in specific virus programs. Also referred to as known virus
scanning (KVS).
2) in network situations, a program which examines computers and network systems,
checking configurations and looking for security vulnerabilities. This type of
program can be used by both defenders and attackers. SATAN (Security
Administrators Tool for Analysing Networks) is this type of scanner.
- scavenging
-
searching through object residue to acquire unauthorized
data
- Scores
-
a Macintosh virus which seems to have been written with
intent to cause problems for a specific company and software program. Because
one of the most widely published reports of infection was from an office at
NASA, it has also been referred to by that name.
- screened subnet
-
an isolated subnet created behind a screening router to protect the private
network. The degree to which the subnet may be accessed depends on the screening
rules in the router.
- screening router
-
a router configured to permit or deny traffic using filtering techniques based
on a set of permission rules installed by the administrator. A component of many
firewalls usually used to block traffic between the
network and specific hosts on an IP port level. Generally considered the lowest
form of a firewall, it is used when speed or network performance is the major
decision criteria.
- script virus
-
it is difficult to make a strong distinction between script and macro
programming languages, but generally a script
virus is a standalone
object, contained in a text file or email message. A
macro virus is generally contained in a data file, such as a Microsoft Word
document.
- sector virus
-
see cluster virus
- secure configuration management
-
the set of procedures appropriate for controlling changes to a system's hardware
and software structure for the purpose of ensuring that changes will not lead to
violations of the system's
security policy
- *Secure Sockets Layer (SSL)
-
an Internet protocol (originally developed by Netscape Communications, Inc.)
that uses connection-oriented end-to-end
encryption to provide data
confidentiality service and data
integrity service for traffic between a client and a
server, and that can optionally provide peer entity
authentication between the client and the server.
SSL is layered below HTTP and above a reliable transport protocol (TCP). SSL is
independent of the application it encapsulates, and any higher level protocol
can layer on top of SSL transparently. SSL has two layers: (a) SSL's lower
layer, the SSL Record Protocol, is layered on top of the transport protocol and
encapsulates higher level protocols. (b) SSL's upper layer provides asymmetric
cryptography for server authentication (verifying the server's identity to the
client) and optional client authentication (verifying the client's identity to
the server), and also enables them to negotiate a symmetric
encryption algorithm and secret session
key (to use for data confidentiality) before the application
protocol transmits or receives data. A
keyed hash provides data integrity service for
encapsulated data.
- secure state
-
a condition in which no subject can access any
object in an unauthorized manner
- secure subsystem
-
a subsystem that contains its own implementation of the
reference monitor concept for those resources
it controls. However, the secure subsystem must depend on other controls and the
base operating system for the control of
subjects and the more primitive system
objects.
- security architecture
-
a plan and set of principles that describe (a) the security services that a
system is required to provide to meet the needs of its users, (b) the system
elements required to implement the services, and (c) the performance levels
required in the elements to deal with the
threat environment. A complete system security
architecture includes administrative security, communication security, computer
security, emanations security, personnel security, and physical security. A
complete security architecture needs to deal with both intentional, intelligent
threats and accidental kinds of threats. See also security policy.
- security association
-
(1) a relationship established between two or more entities to enable them to
protect data they exchange. The relationship is used to negotiate
characteristics of protection mechanisms, but does not include the mechanisms
themselves.
(2) in IPsec usage, a simplex (uni-directional) logical
connection created for security purposes and implemented with either AH or ESP
(but not both). The security services offered by a security association depend
on the protocol selected, the IPsec mode (transport or tunnel), the endpoints,
and the election of optional services within the protocol. A security
association is identified by a triple consisting of (a) a destination IP
address, (b) a protocol (AH or ESP) identifier, and (c) a Security Parameter
Index.
- security audit
-
an independent review and examination of a system's policy, records, and
activities to determine the adequacy of system controls, ensure compliance with
established security policy and procedures,
detect breaches in security services, and recommend any changes that are
indicated for countermeasures. The basic audit objective is to establish
accountability for system entities that initiate or participate in
security-relevant events and actions. Thus, means are needed to generate and
record security audit information and to review and analyze the audit trail to
discover and investigate attacks and security compromises.
- security by obscurity
-
a term used, usually pejoratively, to refer to the practice of attempting to
secure a system by failing to publish information about it, in the hope that
nobody will be able to figure out how it works
- security critical mechanisms
-
those security mechanisms whose correct operation is necessary to ensure that
the security policy is enforced
- security evaluation
-
an evaluation done to assess the degree of trust or
assurance that can be placed in systems for the secure
handling of sensitive information. One type, a product evaluation, is an
evaluation performed on the hardware and software features and assurances of a
computer product from a perspective that excludes the application environment.
The other type, a system evaluation, is done for the purpose of assessing a
system's security safeguards with respect to a specific operational mission and
is a major step in the certification and
accreditation process.
- security fault analysis
-
a security analysis, usually performed on hardware at gate level, to determine
the security properties of a device when a hardware fault is encountered
- security features
-
the security-relevant functions, mechanisms, and characteristics of system
hardware and software. Security features are a subset of system security
safeguards.
- security filter
-
a trusted subsystem that enforces a
security policy on the data that pass through it
- security flaw
-
an error of commission or omission in a system that may allow protection
mechanisms or safeguards to be bypassed. See also
loophole.
- security flow analysis
-
a security analysis performed on a formal system specification that locates
potential flows of information within the system
- security kernel
-
the hardware, firmware, and software elements of a
TCB that implement the
reference monitor concept. It must mediate all
accesses, be protected from modification, and be verifiable as correct.
- security label
-
a piece of information that represents the
security level of an
object.
- security level
-
the combination of a hierarchical classification and a set of nonhierarchical
categories that represents the
sensitivity of information
- security measures
-
elements of software, firmware, hardware, or procedures that are included in a
system for the satisfaction of security specifications or
security policy
- security perimeter
-
the boundary where security controls are in effect to protect
assets
- security policy
-
the set of laws, rules, and practices that regulate how an organization manages,
protects, and distributes sensitive information
- security policy model
-
a formal presentation of the security policy
enforced by the system. It must identify the set of rules and practices that
regulate how a system manages, protects, and distributes sensitive information.
See
Bell-La Padula model and
formal security policy model.
- security range
-
the highest and lowest security levels that are
permitted in or on a system, system component, subsystem or network
- security requirements
-
the types and levels of protection necessary for equipment, data, information,
applications, and facilities to meet
security policy
- security requirements baseline
-
a description of minimum requirements necessary for a system to maintain an
acceptable level of security
- security safeguards
-
see safeguard
- security specifications
-
a detailed description of the safeguards required to
protect a system
- security test and evaluation
-
an examination and analysis of the security
safeguards of a system as they have been applied in an
operational environment to determine the security posture of the system
- security testing
-
a process used to determine that the
security features of a system are implemented
as designed. This includes hands-on functional testing,
penetration testing, and
verification.
- self-extracting files
-
a file that contains software to decompress part of itself into one or more
parts when executed. Software authors and distributors often use this file type
to transmit files and software via the Internet since the compressed files
conserve disk space, reduce download time, and do not require the end user to
obtain decompression programs. Although popular with neophyte Internet users
because it does not require separate de-archiving programs, it presents a number
of potential security vulnerabilities. Since compression provides a form of
encryption, self-extracting files may hide viruses and other malware. In
addition, many self-extracting formats contain functions to execute files
immediately after extraction.
- self-garbling virus
-
see polymorphic
- sensitive information
-
any information the loss, misuse, or modification of, or unauthorized access to,
which could affect the specific interest of the enterprise. US government and military
entities have specific regulations in this regard.
- sensitivity label
-
a piece of information that represents the
security level of an
object. Sensitivity labels are used by the
TCB as the basis for
mandatory access control decisions.
- separation of duties
-
the practice of dividing the steps in a system function among different
individuals, so as to keep a single individual from subverting the process
- shareware
-
software which is distributed widely, usually made available on anonymous
download servers and Web sites. Users are encouraged to "try before you buy,"
but users who continue to use the software are supposed to pay for the programs.
The honour system of distribution reduces overhead costs, and shareware is
generally cheaper than commercial software. See also
freeware, open source,
public domain.
- shell scrap object
-
a Microsoft file format, one of the many that may include executable content.
The shell scrap file extensions, .SHS and .SHB, will not display in normal
Windows file dialogue boxes and the Windows Explorer unless a change is made to
the Registry.
- shrink wrap
-
the plastic film used to protect the packaging of
commercial software. "Shrink wrapped software" is
often used as a synonym for commercial software. Many people feel shrink wrap is
some kind of protection, guarantee, or warranty. It isn't.
- signature
-
a distinctive pattern used to detect a virus
infection or system penetration (see
intrusion detection system). In virus
detection the signature may be a fixed string of bytes, known as a scan string,
although it may be more complex and
algorithmically based. System penetration signatures
are generally more complex, and may involve comparison of data from a number of
forms of audit and logging. See scanner.
- simple security condition
-
see simple security property
- simple security property
-
a Bell-La Padula security model rule allowing a
subject read
access to an object only if the
security level of the subject dominates the security level of the object. In
other words, you can read a file if your level is equal to or higher than that
of the file. Synonymous with simple security condition.
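The dominance relation that the simple security property and the *-property rely on is defined over security levels as the "security level" entry describes them: a hierarchical classification plus a set of nonhierarchical categories. The following Python is an added example written for this glossary, not code from it; the classification names are a constructed sample, and the small class at the end is a toy reference monitor that routes every read and write through the two rules.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hierarchical classifications, ordered low to high. The names are a
# constructed sample; any totally ordered set works the same way.
CLASSIFICATIONS: Dict[str, int] = {
    "UNCLASSIFIED": 0,
    "CONFIDENTIAL": 1,
    "SECRET": 2,
    "TOP SECRET": 3,
}


@dataclass(frozen=True)
class SecurityLevel:
    """A security level: a hierarchical classification plus a set of
    nonhierarchical categories (compartments)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecurityLevel") -> bool:
        # A dominates B when A's classification is at least B's and A holds
        # every category B holds. Levels with categories the other lacks are
        # incomparable: neither dominates the other.
        return (
            CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
            and other.categories <= self.categories
        )


def can_read(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """*-property ("no write down"): the object must dominate the subject."""
    return obj.dominates(subject)


class ReferenceMonitor:
    """Toy reference monitor: every access to a labelled object goes through
    read() or write(), which consult the labels and either serve or refuse."""

    def __init__(self) -> None:
        self._store: Dict[str, List] = {}  # name -> [level, contents]

    def create(self, name: str, level: SecurityLevel, contents: str = "") -> None:
        self._store[name] = [level, contents]

    def read(self, subject: SecurityLevel, name: str) -> str:
        level, contents = self._store[name]
        if not can_read(subject, level):
            raise PermissionError(f"read of {name!r} denied")
        return contents

    def write(self, subject: SecurityLevel, name: str, contents: str) -> None:
        level, _ = self._store[name]
        if not can_write(subject, level):
            raise PermissionError(f"write to {name!r} denied")
        self._store[name][1] = contents


if __name__ == "__main__":
    secret_nuclear = SecurityLevel("SECRET", frozenset({"NUCLEAR"}))
    confidential = SecurityLevel("CONFIDENTIAL")
    monitor = ReferenceMonitor()
    monitor.create("plan", secret_nuclear, "launch window")
    print(monitor.read(secret_nuclear, "plan"))     # permitted: level dominates
    monitor.write(confidential, "plan", "amended")  # permitted: writing up
    try:
        monitor.read(confidential, "plan")          # refused: reading up
    except PermissionError as err:
        print(err)
```

Note that the categories make the order partial: a TOP SECRET subject without the NUCLEAR category cannot read a SECRET/NUCLEAR object, because dominance requires the category set as well as the classification.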
- single-level device
-
a device that is used to process data of only a single
security level at any one time
- single sign-on
-
a system or procedure whereby a user is
authenticated once, and thereafter has access to a number of disparate systems
- smurfing
-
a denial of service
attack exploiting IP broadcast
addressing and ICMP ping packets to cause flooding. A smurf program builds a
network packet that appears to originate from another address, that of the
"victim", either a host or an IP router. The packet contains an ICMP ping
message that is addressed to an IP broadcast address, i.e., to all IP addresses
in a given network. The echo responses to the ping message return to the
victim's address. The goal of smurfing may be either to deny service at a
particular host or to flood all or part of an IP network.
- sniffer
-
a program that monitors network traffic. Attackers use sniffers to capture data
transmitted via a network. See
password sniffing.
- social engineering
-
attacking or penetrating a system by tricking or subverting operators or users,
rather than by means of a
technical attack. More generally, the use of
fraud, spoofing, or other social or psychological measures to get legitimate
users to break security policy.
- SOCKS
-
an Internet protocol (RFC 1928) that provides a generalized proxy server that
enables client-server applications--such as telnet, ftp, and HTTP, running over
either TCP or UDP--to use the services of a firewall. SOCKS is layered under the
application layer and above the transport layer. When a client inside a firewall
wishes to establish a connection to an object that is reachable only through the
firewall, it uses TCP to connect to the SOCKS server, negotiates with the server
for the authentication method to be used,
authenticates with the chosen method, and then sends a relay request. The SOCKS
server evaluates the request, typically based on source and destination
addresses, and either establishes the appropriate connection or denies it.
- Software Development
Methodologies
-
methodologies for specifying and verifying design programs for system
development
- software security
-
general purpose (executive, utility or software development tools) and
applications programs or routines that protect data handled by a system
- software system test
and evaluation process
-
a process that plans, develops and documents the quantitative demonstration of
the fulfillment of all baseline functional performance, operational and
interface requirements.
- spam
-
(1) (v) to indiscriminately send unsolicited, unwanted, irrelevant, or
inappropriate messages, especially commercial advertising in mass quantities. In
sufficient volume, spam can cause
denial of service.
(2) (n) electronic "junk mail"
Yes, the term spam, used in reference to masses of unwanted email or newsgroup
postings, does derive from SPAM the canned meat. There is an opinion that says
the term was used because spam pretends to be information in the same way that
SPAM pretends to be ... well, Hormel are good sports about the neologistic
appropriation of their tradename, so we won't belabour the point, beyond noting
that the same speculation also makes an analogy between nonsense-content and
fat-content. Hormel says, "We do not object to use of this slang term [spam] to
describe [unsolicited commercial email (UCE)], although we do object to the use
of our product image in association with that term. Also, if the term is to be
used, it should be used in all lower-case letters to distinguish it from our
trademark SPAM, which should be used with all uppercase letters."
The more commonly accepted derivation is that the term derives from a Monty
Python sketch involving a restaurant where the menu items contain increasing
amounts of SPAM, and the Viking clientele eventually drown out all dialogue by
singing about "SPAM, SPAM, SPAM, SPAM, SPAM, SPAM, SPAM, SPAM" in a kind of
conversational denial of service. Hormel themselves note this in a page at
www.spam.com/ci/ci_in.htm.
(And where did Monty Python get the idea for the sketch? Well, Hormel also
claims the honour of the world's first commercial radio jingle. You can hear it,
as a UNIX .au format audio file, by going to their "SPAM in Time" page for the
1930s at
www.spam.com/it/it_30frame.htm. You'll have to enable JavaScript to click on
the link for the jingle, but the danger is almost worth it. Listen for yourself
and see if you think there is a similarity between the jingle and the Viking's
song ...)
- spawning
-
see companion virus
- spoofing
-
an attempt to gain access to a system by posing as an authorized user.
Synonymous with impersonating, masquerading, or mimicking.
- spyware
-
a type of malware that reports on the contents, status,
or operation of the computer to a remote system or user. Generically this could
be almost any type of information gathering software. More specifically, it
usually refers to modules or functions in software that reports to the author,
publisher, or service provider of an otherwise legitimate system. Spyware ranges
from functions that report on version levels to the host system, through
packages that report the presence of other software from the same manufacturer,
through systems that gather information on all software installed including
those from competing vendors, all the way to modules that report on the user's
Web surfing. Justifications proposed for spyware include the need to ensure
versions are kept up to date in order to provide proper service, concerns about
software piracy, concerns about use for illegal or unacceptable purposes, and
the gathering of marketing information. See also
adware, cookie, and
web bug.
- standalone, shared system
-
a system that is physically and electrically isolated from all other systems,
and is intended to be used by more than one person, either simultaneously (e.g.,
a system with multiple terminals) or serially, with data belonging to one user
remaining available to the system while another user is using the system (e.g.,
a personal computer with nonremovable storage media such as a hard disk). US
government and military.
- standalone, single-user system
-
a system that is physically and electrically isolated from all other systems,
and is intended to be used by one person at a time, with no data belonging to
other users remaining in the system (e.g., a personal computer with removable
storage media such as a floppy disk). US government and military.
- star property
-
see *-property
- Star Trek attack
-
an attack that penetrates your system where no attack has ever gone before - RFC
2828
- State Delta Verification System
-
a system designed to give high confidence regarding microcode performance by
using formulae that represent isolated states of a computation to check proofs
concerning the course of that computation. US government and military.
- state variable
-
a variable that represents either the state of the system or the state of some
system resource
- stateful inspection
-
a form of firewall somewhat more advanced than a
screening router, in which filtering is based on the contents of a sequence
of packets, rather than a single packet
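The difference between the screening router entry earlier in this section and stateful inspection shows up in how reply traffic is admitted. The following Python is an added example written for this glossary, not code from it: the same first-match rule set is evaluated statelessly, and then by a filter that records permitted outbound flows and admits inbound packets only when they answer one. The addresses (10.0.0.0/8 inside, 203.0.113.0/24 outside) and the rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR prefix, e.g. "10.0.0.0/8" or "0.0.0.0/0"
    dst: str
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def screen(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Screening router: the first matching rule decides; otherwise the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


class StatefulFilter:
    """Stateful inspection over the same rule set: an outbound packet the rules
    permit opens a flow, and an inbound packet is accepted when it is the reply
    on a recorded flow, even though no static rule permits it."""

    def __init__(self, rules: List[Rule], inside: str) -> None:
        self.rules = rules
        self.inside = ip_network(inside)
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, p: Packet) -> str:
        if ip_address(p.src) in self.inside:
            decision = screen(self.rules, p)
            if decision == "permit":
                self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return decision
        reply_of = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reply_of in self.flows:
            return "permit"
        return screen(self.rules, p)


# Constructed rule set: inside hosts may reach web servers; everything else is denied.
RULES = [
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


if __name__ == "__main__":
    f = StatefulFilter(RULES, "10.0.0.0/8")
    out = Packet("10.0.0.5", "203.0.113.7", "tcp", 51000, 443)
    reply = Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 51000)
    print("stateless reply:", screen(RULES, reply))   # deny
    print("stateful out:", f.filter(out))             # permit
    print("stateful reply:", f.filter(reply))         # permit
```

A stateless screening router can only admit the reply by adding a broad inbound rule (for example, anything from TCP port 443), which also admits unsolicited packets that merely use that source port; the flow table is what lets the stateful filter avoid that rule.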
- stealth
-
various technologies used by viral programs to avoid detection on disk. At least
one virus has been named "Stealth" by its author, but the
term properly refers to the technology, and not a particular virus.
- steganography
-
the activity of concealing a message by hiding the fact that that communication
is happening. Steganography is often referred to as "hiding in plain sight."
Classical steganography systems depend on keeping the encoding system secret,
but modern steganography is detectable only if secret information is known, e.g.
a secret
key. However, because of their invasive nature, most
steganography systems leave detectable traces within a medium's characteristics.
This allows an eavesdropper to detect media that has been modified, revealing
that secret communication is taking place. Although the secrecy of the
information is not degraded, its hidden nature may be revealed, defeating the
main purpose of steganography.
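The point about detectable traces, as an added example that is not part of the glossary: least-significant-bit steganography over an array of 8-bit samples in Python, together with the crude statistical check an eavesdropper could run on the medium. The cover data is constructed, with its low bits deliberately biased towards 0 to stand in for the structure real media have, and the thresholds are assumptions for the illustration.

```python
import random

# Added example (not from the glossary): least-significant-bit steganography in an
# array of 8-bit samples, with the simple statistical check an eavesdropper could run.
# The cover data is constructed; its LSBs are deliberately biased towards 0 to stand in
# for the structure real media have.


def embed(cover, message):
    """Return a copy of cover with the message's bits written into the LSB of the
    first 8*len(message) samples.  Only the LSB of each sample changes."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego, nbytes):
    """Read nbytes back out of the LSBs."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[8 * i + j] & 1)
        out.append(value)
    return bytes(out)


def lsb_ones_fraction(samples):
    """Fraction of samples whose LSB is 1; near 0.5 after a message is embedded."""
    return sum(s & 1 for s in samples) / len(samples)


def looks_modified(samples, low=0.35, high=0.65):
    """Crude detector: natural LSBs in this cover are rarely balanced; a balanced
    region suggests embedded data.  Thresholds are assumptions for the example."""
    return low < lsb_ones_fraction(samples) < high


def make_cover(n, seed=1, even_bias=0.9):
    """Constructed cover: random 8-bit samples, 90% of them with LSB cleared."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < even_bias:
            v &= 0xFE
        cover.append(v)
    return cover


COVER = make_cover(4096)
MESSAGE = b"meet at the old mill at midnight"   # 32 bytes -> 256 samples touched
STEGO = embed(COVER, MESSAGE)
REGION = 8 * len(MESSAGE)

if __name__ == "__main__":
    print("recovered:", extract(STEGO, len(MESSAGE)))
    print("cover LSB ones fraction :", round(lsb_ones_fraction(COVER[:REGION]), 3))
    print("stego LSB ones fraction :", round(lsb_ones_fraction(STEGO[:REGION]), 3))
    print("region flagged as modified:", looks_modified(STEGO[:REGION]))
```

The message comes back intact and no sample changed by more than 1, yet the LSB statistics of the written region are visibly different from the rest of the cover: the secrecy of the content is untouched, but the existence of the channel is exposed.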
- stepanography
-
writing a secret message on the back of a duck - APP
- Stoned
-
an extremely successful MS-DOS virus, in terms of the number of copies made and
systems infected. A BSI of
MBR type, it has, like most successful viral programs, been
used as a template for numerous other viral strains, including
Michelangelo.
- storage object
-
an object that supports both
read and write
accesses
- stream cipher
-
a cipher that encrypts data serially, one bit or byte at a time, typically by
combining the plaintext with a keystream derived from the key. Compare with
block cipher.
- Subcommittee on Automated Information Systems Security (SAISS)
-
US regulation NSDD-145 authorizes and directs the establishment, under the
NTISSC, of a permanent Subcommittee on Automated Information Systems Security.
The SAISS is composed of one voting member from each organization represented on
the NTISSC.
- Subcommittee on Telecommunications Security (STS)
-
US regulation NSDD-145 authorizes and directs the establishment, under the
NTISSC, of a permanent Subcommittee on Telecommunications Security. The STS is
composed of one voting member from each organization represented on the NTISSC.
- subject
-
an active entity, generally in the form of a person, process, or device, that
causes information to flow among objects or changes the system state.
Technically, a process/domain pair.
- subject security level
-
a subject's security level
is equal to the security level of the
objects to which it has both
read and write
access. A subject's security level must always be
dominated by the clearance of the user with which the subject is associated.
- super-user
-
a user with full and unrestricted access to all aspects and resources of the
system. Frequently referred to, particularly in UNIX circles where it is the
name of the privileged account, as root, hence
root kit.
- supervisor state
-
synonymous with executive state
- symmetric key encryption
-
symmetric key encryption, otherwise known as secret key (or private key)
encryption, uses the same key for encryption and decryption, the key being
shared between the two parties to the communication. Symmetric key
systems do not require a
public key infrastructure, as does
asymmetric key encryption, but do require key exchange via a secure
channel.
- SYN flood
-
a denial of service
attack that sends a host more TCP SYN packets (request to
synchronize sequence numbers, used when opening a connection) than the protocol
implementation can handle
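The attack described above, seen from the detection side, as an added example that is not part of the glossary: Python that tracks half-open TCP connections over a stream of connection events and reports targets where SYNs pile up without a completing ACK. The event format, the records and the threshold are constructed for the illustration.

```python
from collections import defaultdict

# Added example (not from the glossary): spotting a SYN flood from a stream of
# connection events.  A completed handshake removes its entry from the half-open
# table; a flood leaves many entries behind.  The records are constructed, and the
# event format and threshold are assumptions for the illustration.


def half_open_connections(events):
    """events: (time, src, sport, dst, dport, flag) with flag 'S' (client SYN),
    'A' (client's handshake-completing ACK) or 'R' (reset).  Returns the
    connections that got a SYN but never completed, keyed by 4-tuple."""
    pending = {}
    for t, src, sport, dst, dport, flag in events:
        key = (src, sport, dst, dport)
        if flag == "S":
            pending[key] = t
        elif flag in ("A", "R"):
            pending.pop(key, None)
    return pending


def flood_report(events, threshold=10):
    """Count half-open connections per (dst, dport) and flag targets over threshold,
    along with how many distinct sources the SYNs claimed to come from."""
    pending = half_open_connections(events)
    per_target = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, sport, dst, dport) in pending:
        per_target[(dst, dport)]["half_open"] += 1
        per_target[(dst, dport)]["sources"].add(src)
    return {tgt: {"half_open": v["half_open"], "sources": len(v["sources"])}
            for tgt, v in per_target.items() if v["half_open"] >= threshold}


def constructed_events():
    """Two legitimate clients completing handshakes, then 40 SYNs from (spoofed)
    addresses that never answer the SYN/ACK."""
    ev = [
        (0.00, "192.0.2.10", 51000, "10.0.0.1", 80, "S"),
        (0.01, "192.0.2.10", 51000, "10.0.0.1", 80, "A"),
        (0.02, "192.0.2.11", 51001, "10.0.0.1", 443, "S"),
        (0.03, "192.0.2.11", 51001, "10.0.0.1", 443, "A"),
    ]
    for i in range(40):
        ev.append((1.0 + i / 1000, f"198.51.100.{i}", 20000 + i, "10.0.0.1", 80, "S"))
    return ev


if __name__ == "__main__":
    for target, stats in flood_report(constructed_events()).items():
        print(f"{target[0]}:{target[1]} half-open={stats['half_open']} "
              f"from {stats['sources']} distinct sources")
```

Many half-open connections from many distinct, never-responding sources is the signature; the legitimate connections on ports 80 and 443 complete their handshakes and drop out of the table. A real monitor would also age entries out of the table, since the server itself does.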
- system boot record
-
on ISA or Wintel computers the first logical (not physical)
sector of the master hard drive, or the first physical sector on a floppy
diskette. The programming in the system boot record is called by the programming
in the
master boot record and points to the files
needed to continue the boot process for the specific operating system being run.
See also boot record,
boot sector, master boot record.
- System Development Methodologies
-
methodologies developed through software engineering to manage the complexity of
system development. Development methodologies include software engineering aids
and high-level design analysis tools.
- system high security mode
-
see modes of operation
- system virus
-
a virus which redirects system pointers and information in
order to infect a file without actually changing the infected program file. This
is a type of
stealth technology. In MS-DOS, often referred to as a FAT
or cluster virus. In Windows, system infectors
usually make changes to the Windows Registry.
- system integrity
-
the quality that a system has when it performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation
of the system
- system low
-
the lowest security level supported by a system at a particular time or in a
particular environment
- System Security Officer (SSO)
-
see Information System Security
Officer
- system virus
-
sometimes used as a synonym for
cluster virus, sometimes used to refer to a virus
that makes changes to system structures such as the MS Windows
Registry or program search paths
- Systems Security Steering Group
-
the senior US government body established by NSDD-145 to provide top-level
review and policy guidance for the telecommunications security and automated
information systems security activities of the US Government. This group is
chaired by the Assistant to the President for National Security Affairs and
consists of the Secretary of State, Secretary of Treasury, the Secretary of
Defense, the Attorney General, the Director of the Office of Management and
Budget, and the Director of Central Intelligence.
-T-
- tampering
-
an unauthorized modification that alters the proper functioning of an equipment
or system in a manner that degrades the security or functionality it provides
- tarpit
-
the term is used for three slightly related means of delaying and disrupting
unwanted behaviour. A group in Germany used the term "teergrube" to refer to a
mail transfer agent that uses SMTP continuation lines to hold a mail connection
open for long periods of time in order to disrupt spamming
(http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html). The term is also
used to describe throttling of the number of connections a computer can make in
order to reduce the spread of
worms. There is also a product that uses the term tarpit to
refer to a single machine that emulates a large number of non-existent machines
in a kind of honeypot configuration in order to provide
delaying camouflage to divert an intruder.
- TCSEC
-
see DoD Trusted
Computer System Evaluation Criteria
- technical attack
-
an attack that can be perpetrated by circumventing or nullifying hardware and
software protection mechanisms, rather than by subverting system personnel or
other users. Contrast with
social engineering.
- technical control
-
see controls
- technical vulnerability
-
a hardware, firmware, communication, or software flaw that leaves a computer
processing system open for potential
exploitation, either externally or internally, thereby
resulting in risk for the owner, user, or manager of the
system.
- TEMPEST
-
the study and control of spurious electronic signals emitted by electrical
equipment, particularly in regard to the use of those emissions as a
covert channel
- template
-
a file containing a Microsoft Word macro. Traditionally, templates are named
with a .DOT extension, while documents have a .DOC extension, but either file
can actually have any extension, or none. Technically, a Word document cannot
contain a macro, but a template file can contain data. Therefore, .DOC files
infected with
macro viruses are templates, not documents. The user,
of course, cannot tell the difference. (This technology modified with the
release of Microsoft Office 2000.)
- *Terminal
Access Controller Access Control System (TACACS)
-
a UDP-based authentication and access control protocol (RFC 1492) in which a
network access server receives an identifier and password from a remote terminal
and passes them to a separate
authentication server for verification. TACACS
uses centralized authentication servers and serves not only network access
servers but also routers and other networked computing devices. TACACS+ is a
TCP-based protocol that improves on TACACS and XTACACS by separating the
functions of authentication, authorization, and accounting and by encrypting all
traffic between the network access server and authentication server. It is
extensible to allow any authentication mechanism to be used with TACACS+
clients.
- terminal identification
-
the means used to uniquely identify a terminal to a system
- threat
-
any circumstance or event with the potential to cause harm to a system in the
form of destruction, disclosure, modification of data, and/or denial of service.
Threat is the broadest category in a classification becoming more specific as it
moves through
vulnerability,
exploit, and attack.
- threat agent
-
a method used to exploit a vulnerability in a
system, operation, or facility, or an entity generating such an exploit
- threat analysis
-
the examination of all actions and events that might adversely affect a system
or operation
- threat monitoring
-
the analysis, assessment, and review of audit trails and other data collected
for the purpose of searching out system events that may constitute violations or
attempted violations of system security. See also
intrusion detection system.
- three pillars
-
the three basic aspects of security are considered to be confidentiality,
integrity, and availability, often referred to by the mnemonic CIA. As with
almost any aspect of security, even the "three pillars" are subject to debate:
some would say that there are only two (integrity is a "special case" of
availability) while others argue for additional factors.
- ticket-oriented
-
a computer protection system in which each
subject maintains a list of unforgeable bit patterns,
called tickets, one for each
object the subject is authorized to access. Compare
list-oriented.
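The two designs contrasted above, as an added example that is not part of the glossary: a ticket-oriented scheme in Python where each subject carries its own tickets, made unforgeable with an HMAC under a key known only to the reference monitor, beside a list-oriented scheme where each object carries its access list. The subject and object names, the rights strings and the forged ticket are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not from the glossary): a ticket-oriented (capability) scheme next
# to a list-oriented (ACL) one.  Tickets are made unforgeable with an HMAC under a
# key known only to the reference monitor; the subject and object names are
# assumptions for the illustration.


class TicketAuthority:
    """Issues tickets and checks them.  Anyone can read a ticket's fields, but only
    the holder of the MAC key can mint or alter one without detection."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def _tag(self, subject, obj, rights):
        msg = f"{subject}|{obj}|{rights}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, subject, obj, rights):
        return {"subject": subject, "object": obj, "rights": rights,
                "tag": self._tag(subject, obj, rights)}

    def permits(self, ticket, subject, obj, right):
        expected = self._tag(ticket["subject"], ticket["object"], ticket["rights"])
        if not hmac.compare_digest(ticket["tag"], expected):
            return False     # forged or tampered ticket
        return (ticket["subject"] == subject and ticket["object"] == obj
                and right in ticket["rights"])


class TicketSubject:
    """Ticket-oriented: the subject carries its own list of tickets."""

    def __init__(self, name):
        self.name = name
        self.tickets = []

    def can(self, authority, obj, right):
        return any(authority.permits(t, self.name, obj, right) for t in self.tickets)


class ObjectACL:
    """List-oriented, for contrast: each object carries a list of (subject, rights)."""

    def __init__(self):
        self.acl = {}   # obj -> {subject: rights}

    def grant(self, obj, subject, rights):
        self.acl.setdefault(obj, {})[subject] = rights

    def can(self, subject, obj, right):
        return right in self.acl.get(obj, {}).get(subject, "")


def demo():
    """Returns verdicts for a few accesses, including a tampered ticket."""
    authority = TicketAuthority()
    alice = TicketSubject("alice")
    alice.tickets.append(authority.issue("alice", "payroll.db", "r"))

    bob = TicketSubject("bob")
    forged = dict(alice.tickets[0])
    forged["subject"] = "bob"            # bob edits a copied ticket
    forged["rights"] = "rw"              # ... and upgrades the rights
    bob.tickets.append(forged)

    acl = ObjectACL()
    acl.grant("payroll.db", "alice", "r")

    return {
        "alice_read": alice.can(authority, "payroll.db", "r"),
        "alice_write": alice.can(authority, "payroll.db", "w"),
        "bob_forged_read": bob.can(authority, "payroll.db", "r"),
        "acl_alice_read": acl.can("alice", "payroll.db", "r"),
        "acl_bob_read": acl.can("bob", "payroll.db", "r"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The edited ticket fails the MAC check, which is what "unforgeable bit pattern" buys; without the tag, a ticket held by the subject would be nothing more than the subject's own claim about its rights.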
- time bomb
-
sometimes used to refer to a logic bomb which triggers
on a time event
- time dependent password
-
a password that is valid only at a certain time of day or during a specified
interval of time
- TOAST
-
this acronym was first used by Padgett Peterson to refer to
antiviral software which makes extravagant claims, or
where a company spends more on advertising than on development. The origin was a
product which advertised itself as, "The Only Antivirus Software That Won't Be
Obsolete By The Time You Finish Reading This Ad."
- token
-
an authentication tool, a device utilized to hold
key or authentication values, or calculate, and possibly send and receive,
responses to challenges during the user authentication process. Tokens may be
small, hand-held hardware devices similar to pocket calculators or credit cards.
- top-level specification
-
a nonprocedural description of system behavior at the most abstract level;
typically, a functional specification that omits all implementation details
- TPE
-
Trident Polymorphic Engine. Another version of the "mutation engine" type of
function (see MtE) but done by a different group.
- traffic analysis
-
inference of information from observable characteristics of data flow(s), even
when the data is encrypted or otherwise not directly available. Such
characteristics include the identities and locations of the source(s) and
destination(s), and the presence, amount, frequency, and duration of occurrence.
Also, analysis of pizza deliveries to the Pentagon.
- traffic padding
-
the generation of spurious instances of communication, spurious data units,
and/or spurious data within data units, intended to defeat traffic analysis.
(The CIA orders pizza even when nothing is going on.)
- tranquility
-
a security model rule stating that the security level of an object cannot change
while the object is being processed by a system. Also, a state never achieved by
a security practitioner.
- trap door
-
see backdoor
- trigger
-
in regard to viruses and other
malware, most commonly refers to the event, or code
waiting for an event, that stimulates the activity of the payload. In special
cases, may also refer to the event or code that causes reproduction or
replication of the virus, if the virus does not seek out suitable targets upon
activation.
- *triple DES (3DES)
-
any of a number of variations on the DES
block cipher
symmetric algorithm. One of the most widely used forms
encrypts plain text with one key, decrypts the resulting
ciphertext with a second key (which, because the key is different, does not
actually decrypt the data but re-encrypts it in a different way), and finally
encrypts the result of the second operation with the first key again. Double
DES, without the third phase, is subject to an attack known as "meet in the
middle," which attempts decryptions from both sides until a match appears. The
pattern of encryption/decryption/encryption also provides for compatibility with
single DES, if only one key is used.
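The meet-in-the-middle attack and the E-D-E compatibility property described above, as an added example that is not part of the glossary. DES itself is replaced here by a constructed toy cipher (16-bit block, 12-bit key) so that the whole key space can be searched in seconds in plain Python; the structure of the attack against double encryption is the same as against double DES. The toy cipher, the key pair and the known-plaintext pairs are assumptions for the illustration.

```python
# Added example (not from the glossary): why double encryption buys little and why the
# E-D-E pattern stays compatible with single encryption.  DES itself is replaced here
# by a constructed toy cipher (16-bit block, 12-bit key) so the whole key space can be
# searched in seconds; the structure of the attack is the same as against double DES.

BLOCK_BITS = 16
KEY_BITS = 12
MASK = (1 << BLOCK_BITS) - 1
ROUNDS = 4


def _rotl(x, n):
    return ((x << n) | (x >> (BLOCK_BITS - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (BLOCK_BITS - n))) & MASK


def _round_key(key, r):
    return (key * 0x9E37 + r * 0x5BD1) & MASK


def toy_encrypt(key, block):
    """Add-rotate-xor toy block cipher; every step is invertible."""
    x = block & MASK
    for r in range(ROUNDS):
        rk = _round_key(key, r)
        x = (x + rk) & MASK
        x = _rotl(x, 5)
        x ^= rk
    return x


def toy_decrypt(key, block):
    x = block & MASK
    for r in reversed(range(ROUNDS)):
        rk = _round_key(key, r)
        x ^= rk
        x = _rotr(x, 5)
        x = (x - rk) & MASK
    return x


def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))


def ede(k1, k2, k3, p):
    """Triple encryption in the encrypt-decrypt-encrypt pattern."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, p)))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs under double
    encryption.  Encrypt the first plaintext under every k1 and tabulate the
    middle values; decrypt the first ciphertext under every k2 and look each result
    up.  Matches are checked against the remaining pairs to weed out coincidences.
    Cost: about 2 * 2**KEY_BITS cipher operations, not 2**(2*KEY_BITS)."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(k2, c0)
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def demo(k1=0x3A5, k2=0xC17):
    """Constructed known-plaintext pairs under an assumed key pair; returns the
    candidates the attack finds and the work ratio against brute force."""
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    found = meet_in_the_middle(pairs)
    brute_force_ops = (1 << (2 * KEY_BITS)) * 2
    mitm_ops = (1 << KEY_BITS) * 2
    return found, brute_force_ops // mitm_ops


if __name__ == "__main__":
    found, speedup = demo()
    print("candidate key pairs:", [(hex(a), hex(b)) for a, b in found])
    print("brute force / meet-in-the-middle work ratio:", speedup)
    print("EDE with one key equals single encryption:",
          ede(0x123, 0x123, 0x123, 0xABCD) == toy_encrypt(0x123, 0xABCD))
```

With a 16-bit block, a single known pair leaves about 2^24 / 2^16 = 256 accidental middle matches, which is why the attack checks the survivors against further pairs; the table costs memory (one entry per k1) rather than time, which is the trade the attack makes. Running the same loop against the E-D-E construction would require tabulating two keys at once, which is the point of the third step.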
- trojan horse
-
a program which either pretends to have, or is described as having, a
(beneficial) set of features but which, either instead, or in addition, contains
a damaging payload. Often the functions surreptitiously
exploit the legitimate
authorizations of the invoking process or user to
the detriment of security or integrity. The extent of the pretence and damage
can vary widely. Most frequently the usage is shortened to trojan. There is
little agreement on whether the term should be capitalized, or how, but the most
common usage tends to be "trojan horse" and "trojan," sometimes justified by the
fact that the "Trojan Horse" should properly refer to what happened at Troy,
although probably merely because techies do not like using the shift key if they
don't have to. "Trojan" generally refers to a name brand of prophylactic.
- trojanize
-
to modify an existing program to include an unwanted or negative
payload
- Trusted Computer System Evaluation Criteria
-
see DoD Trusted
Computer System Evaluation Criteria
- trusted computer system
-
a system that employs sufficient hardware and software
assurance measures to allow its use for simultaneous
processing of a range of sensitive or classified information.
- Trusted Computing Base (TCB)
-
the totality of protection mechanisms within a computer system, including
hardware, firmware, and software, the combination of which is responsible for
enforcing a security policy. A TCB consists of
one or more components that together enforce a unified security policy over a
product or system. The ability of a TCB to enforce correctly a unified security
policy depends solely on the mechanisms within the TCB and on the correct input
by system administrative personnel of parameters (e.g., a user's clearance
level) related to the security policy. The term Trusted Computing Base is now
often applied to parts of Windows NT or 2000, regardless of certification or
configuration, and Windows usage in this regard is very confused between the
operating system kernel, basic services running before user logon, and the
Winlogon.exe program itself.
- trusted distribution
-
a trusted method for distributing the TCB hardware, software,
and firmware components, both originals and updates, that provides methods for
protecting the TCB from modification during distribution and for detection of
any changes to the TCB that may occur
- trusted identification
forwarding
-
an identification method used in networks whereby
the sending host can verify that an authorized user on its system is attempting
a connection to another host. The sending host transmits the required user
authentication information to the receiving host.
The receiving host can then verify that the user is validated for access to its
system. This operation may be transparent to the user. See also
single sign-on,
Kerberos.
- trusted path
-
a mechanism by which a person at a terminal can communicate directly with the
TCB. This mechanism can only be activated by the person or the TCB and
cannot be imitated by untrusted software.
- trusted process
-
a process whose incorrect or malicious execution is capable of violating system
security policy
- trusted software
-
the software portion of the TCB
- TSR
-
"Terminate and Stay Resident." See resident.
- tunnelling
-
techniques which involve tracing the chain of system interrupt handlers through to
the final, original handling code, bypassing anything hooked in between. Used by
both viral and
antiviral programs to detect or disable opposing
programs.
- tunneling router
-
a router or system capable of routing traffic by
encrypting it and encapsulating it for transmission
across an untrusted network, for eventual de-encapsulation and
decryption
- two-factor authentication
-
authentication based on at least two of the three
types of factor: something a user knows, something the user has, or something the
user is. In order to access a system the user must demonstrate both factors.
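The token entry above and this one, as one added example that is not part of the glossary: an HOTP/TOTP token (RFC 4226 and RFC 6238) implemented in Python with standard-library HMAC, and a login check that demands both a password (something the user knows) and a current token code (something the user has). The user record, salt, password and time values are constructed for the illustration; the token seed is the published RFC test-vector secret.

```python
import hashlib
import hmac
import struct

# Added example (not from the glossary): an HOTP/TOTP token (RFC 4226 / RFC 6238)
# implemented with standard-library HMAC, and a login check that demands both a
# password (something the user knows) and a current token code (something the user
# has).  The user record, salt and time values are constructed for the illustration.


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter, dynamic
    truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based variant: the counter is the number of steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: name -> (salt, password hash, token seed).  A real system
# would generate the salt with os.urandom and keep the seed in the token only.
TOKEN_SEED = b"12345678901234567890"          # the RFC 4226/6238 test-vector secret
SALT = b"constructed-salt-for-example"
USERS = {"alice": (SALT, hash_password("correct horse battery", SALT), TOKEN_SEED)}


def login(name, password, code, now, window=1):
    """Both factors are always evaluated, so a wrong password does not return early
    and reveal which factor failed.  'window' allows for clock skew of +/- one step."""
    record = USERS.get(name)
    if record is None:
        return False
    salt, pw_hash, seed = record
    password_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    code_ok = any(hmac.compare_digest(code, totp(seed, now + k * 30))
                  for k in range(-window, window + 1))
    return password_ok and code_ok


if __name__ == "__main__":
    now = 1_700_000_000
    current = totp(TOKEN_SEED, now)
    print("token shows:", current)
    print("password + token :", login("alice", "correct horse battery", current, now))
    print("password only    :", login("alice", "correct horse battery", "0000000", now))
    print("token only       :", login("alice", "wrong", current, now))
```

The seed is the RFC 4226 test secret, so the first HOTP values (755224, 287082, ...) and the RFC 6238 value for T=59 (94287082 with eight digits) can be checked against the published vectors; a token in the user's hand computes exactly this from the same seed and the clock.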
-U-
- untrusted process
-
a process that has not been evaluated or examined for adherence to the
security policy. It may include incorrect or malicious code that attempts to
circumvent the security mechanisms.
- user
-
person or process accessing a system either by direct connections (i.e., via
terminals) or indirect connections (i.e., by preparing input data or receiving
output that is not reviewed for content or classification by a responsible
individual). Considered by many experts to be the entity responsible for the
greatest range of security problems.
- user ID
-
a unique symbol or character string that is used by a system to identify a
specific user
- user profile
-
patterns of a user's activity that can be used to detect changes in normal
routines
-V-
- variant
-
a modified version of a virus. Usually produced on purpose
by the virus author or another person amending the virus code. If changes to the
original are small, most anti-virus products will also detect variants. However,
if the changes are large, the variant may go undetected by anti-virus software.
- verification
-
the process of comparing two levels of system specification for proper
correspondence (e.g., security policy model with top-level specification,
top-level specification with source code, or source code with object code). This
process may or may not be automated.
- viral
-
having the features of a virus, particularly
self-reproduction
- *virtual private network
(VPN)
-
a restricted-use, logical (i.e., artificial or simulated) computer network that
is constructed from the system resources of a relatively public, physical (i.e.,
real) network (such as the Internet), often by using encryption (located at
hosts or gateways), and often by tunneling links of the virtual network across
the real network
- virus
-
a self-replicating and propagating program, usually operating with some form of
input from the user, although generally the user is unaware of the intent of the
virus. Often considered to be a self-propagating trojan horse, composed of a
mission component, a trigger component, and a self-propagating component. A
final definition has not yet been agreed upon by all researchers. A common
definition is, "a program which modifies other programs to contain a possibly
altered version of itself." This definition is generally attributed to Fred
Cohen, although Dr. Cohen's actual definition is in mathematical form. Another
possible definition is, "an entity which uses the resources of the host (system
or computer) to reproduce itself and spread, without informed operator action."
- vulnerability
-
a weakness in system security procedures, system design, implementation,
internal controls, and so forth, that could be exploited to violate system
security policy; the possibility of an exploit or exposure to a
threat, specific to a given platform
- vulnerability analysis
-
the systematic examination of systems in order to determine the adequacy of
security measures, identify security deficiencies, and provide data from which
to predict the effectiveness of proposed security measures
- vulnerability assessment
-
a measurement of vulnerability which includes the susceptibility of a particular
system to a specific attack and the opportunities available to a threat agent to
mount that attack
- vx
-
an abbreviated reference to the "Virus eXchange" community; those people who
consider it proper and right to write, share, and release viral programs,
including those with damaging payloads. Probably originated by Sara Gordon who
has done extensive studies of the
virus exchange and security breaking community and who has
an aversion to using the SHIFT key.
-W-
- wannabe
-
an individual who "wants to be" accorded a higher status than they actually hold
or rate. Frequently seen in areas of the
black hat communities, where warez d00dz wannabe virus
writers, virus writers wannabe script kiddiez, and script kiddiez wannabe
crackers, and crackers wannabe hackers.
- warchalking
-
similar to wardriving, warchalking generally involves
walking around with a portable computer and wireless card. When a network is
detected a chalk mark is made on a wall or sidewalk indicating the existence of
the network and the level of security.
- wardialling
-
using a program to repeatedly dial numbers, usually in a sequential range, to
determine which ones responded with modem tones. Generally of greater importance
in the days when modems were the primary means of remote communications with
computers. Modems are still generally left unsecured or poorly secured.
- wardriving
-
driving around an area (generally a business or light industrial area) with a
portable computer (laptop or handheld) equipped with a wireless network card and
detecting wireless network access points. Usually wardriving systems are also
equipped with GPS capability and software such as NetStumbler to determine
security or encryption levels. A number of groups use collected information to
produce maps showing accessible networks and their level of security.
- warhead
-
see payload
- web bug
-
an element on a given Web page or embedded in an email message, typically an
image, whose source is on a different Web site, so that rendering it passes a
request, and information about the reader, to that remote site without the
user's knowledge. Most commonly a web bug is either invisible or unnoticeable
(typically it is one pixel in size) in order not to alert the user to its
presence. See also adware,
cookie, and spyware.
- web of trust
-
a PKI technique used in PGP for building a file of validated public keys by
making personal judgments about being able to trust certain people to be holding
properly certified keys of other people
- wild, in the
-
see in the wild
- Wild, In the (ItW)
-
a specific reference to those viruses formally mentioned in the WildList. The
capitalization is in distinction to viruses found
in the wild but not mentioned in the WildList.
- Windows Registry
-
a database holding system startup, configuration, security, and file association
information in Microsoft Windows 9x, Me, NT, and 2000 systems. This is the
central repository of all such information, replacing the old CONFIG.SYS,
AUTOEXEC.BAT, and .INI files (although those files do still exist, and are
sometimes used). The Registry is an enormous object, often holding megabytes of
data, and difficult to search. It is now being used to start
viruses at boot time, without placing the viruses in identifiable startup
directories. Viruses affecting the Registry can be seen as system infectors,
although changing the Registry is much easier than the programming that the old
MS-DOS system infectors had to use.
- Windows Script Host (WSH)
-
a language similar to Visual Basic for Application (VBA) and Visual Basic Script
(VBScript) that will run scripts on certain Windows systems. The
LoveLetter
virus was a Windows script virus and used WSH.
- Wintel
-
see ISA
- white hat
-
in an attempt to avoid debates about "good"
hackers versus "bad" hackers versus "crackers" versus
phone phreaks versus virus writers versus
vxers, the security community has taken to describing those
who attempt to explore security solely from the perspective of defence as the
"white hats." The term originates from old American western genre movies where
the "good guys" always wore white hats. See also black hat.
- work factor
-
an estimate of the effort or time needed by a potential penetrator with
specified expertise and resources to overcome a protective measure. Often
applied to cryptanalysis.
- worm
-
a self-reproducing program which is distinguished from a
virus by copying itself without being attached to a program
file, or which spreads over computer networks, particularly via email.
Originally used (by Shoch and Hupp) to specify a distributed type of network
program with many segments.
- Worm
-
"the" worm, the Internet/Morris/UNIX Worm of November, 1988
- write
-
a fundamental operation that results only in the flow of information from a
subject to an
object
- write access
-
permission to write to an
object
-X-
- XOR
-
exclusive OR. A Boolean operation that yields true only if exactly one of its
operands is true; if both operands are the same (both true or both false), the
operation yields false. Because the operation is bitwise, and reverses itself
when performed twice with the same operand (a XOR b XOR b = a), XOR is
frequently used for simple
encryption, or as a part of encryption processes.
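The self-inverse property described above, and the stream cipher entry earlier in this section, as one added example that is not part of the glossary: a byte-serial keystream cipher built from XOR in Python, showing why encryption and decryption are the same operation and what goes wrong when a keystream is used twice. The keystream generator (SHA-256 in counter mode), the key, the nonce and the two messages are constructed for the illustration and are not a standard cipher.

```python
import hashlib

# Added example (not from the glossary): a keystream cipher built from XOR, showing
# both why XOR makes encryption and decryption the same operation and what goes wrong
# when a keystream is used twice.  The keystream generator (SHA-256 in counter mode)
# and the messages are constructed for the illustration, not a standard cipher.


def keystream(key, nonce, length):
    """Pseudo-random bytes derived from key and nonce; never reuse a (key, nonce)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key, nonce, data):
    """Byte-serial encryption: each plaintext byte is XORed with one keystream byte."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def stream_decrypt(key, nonce, data):
    """XOR with the same keystream undoes the XOR: (p ^ k) ^ k == p."""
    return stream_encrypt(key, nonce, data)


def keystream_reuse_leak(c1, c2):
    """With one keystream k: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2.  The key drops out."""
    return xor_bytes(c1, c2)


def crib_drag(c1, c2, crib, offset):
    """If a fragment (crib) of message 1 at offset is known or guessed, the same
    fragment of message 2 is recovered from the ciphertexts alone."""
    leak = keystream_reuse_leak(c1[offset:offset + len(crib)],
                                c2[offset:offset + len(crib)])
    return xor_bytes(leak, crib)


KEY = b"constructed 32-byte example key!"
P1 = b"transfer 100 USD to account 4471"
P2 = b"transfer 900 USD to account 1209"

if __name__ == "__main__":
    nonce = b"same-nonce"
    c1 = stream_encrypt(KEY, nonce, P1)
    c2 = stream_encrypt(KEY, nonce, P2)     # second message, same keystream: the error
    print("decrypts:", stream_decrypt(KEY, nonce, c1))
    print("c1 ^ c2 == p1 ^ p2:", keystream_reuse_leak(c1, c2) == xor_bytes(P1, P2))
    print("amount in message 2, from a crib on message 1:", crib_drag(c1, c2, P1[9:12], 9))
```

The same property that makes decryption free (XOR twice with the same value is the identity) is what makes keystream reuse fatal: XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, from which any known fragment of one message reveals the other. A fresh nonce per message is the whole fix.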
-Y,Z-
- Y2K
-
a reference to the situation when the year changed from 1999 to 2000, and the
concern that time-sensitive systems using two digit year date fields would fail,
or behave unpredictably, when that happened. Aside from the massive exercise in
retrofitting systems, a major security concern was that the urgent redevelopment
and patching of large numbers of systems would create loopholes and
vulnerabilities. It should be noted that, due to
the patching practice known as windowing, an unknown number of systems may still
be vulnerable to failure as they reach the end of their windowing range.
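The windowing practice and its end-of-range failure, as an added example that is not part of the glossary: a two-digit year field expanded through a sliding window in Python, with a round trip that shows the century silently shifting once a date falls outside the window. The pivot value is an assumption; real systems used various pivots.

```python
# Added example (not from the glossary): the "windowing" fix for two-digit years,
# and the point at which it stops working.  The pivot value is an assumption; real
# systems used various pivots.

PIVOT = 50   # two-digit years >= 50 are read as 19xx, < 50 as 20xx: window 1950-2049


def expand_year(yy, pivot=PIVOT):
    """Map a two-digit year to a four-digit one using a sliding window."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 1900 + yy if yy >= pivot else 2000 + yy


def round_trip(year, pivot=PIVOT):
    """Store a four-digit year in a two-digit field and read it back through the
    window.  Inside the window the value survives; outside it silently shifts by a
    century, which is the failure mode the windowed systems still carry."""
    stored = year % 100
    return expand_year(stored, pivot)


def window_range(pivot=PIVOT):
    """First and last four-digit year the window can represent."""
    first = 1900 + pivot
    return first, first + 99


if __name__ == "__main__":
    for y in (1999, 2000, 2049, 2050):
        print(y, "->", round_trip(y), "" if round_trip(y) == y else "  <- wrong")
    print("window:", window_range())
```

Nothing fails loudly: a date in 2050 is stored as "50" and read back as 1950, with the same two-digit field that was declared fixed in 1999. The code that does this is still correct by its own specification, which is what makes the remaining exposure hard to find.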
- zine
-
an electronically distributed newsletter or magazine. The term is now widely
used for all kinds of electronic journals, but initially referred to periodic
compilations of security breaking techniques distributed by
black hat groups.
- zombie
-
a specialized type of backdoor or remote access program designed as the agent,
or client (middle layer) component of a
DDoS (Distributed Denial of Service) network. Once a zombie
is installed on a computer, it identifies itself to a master computer, and then
waits for instructions from the master computer. Upon receipt of instructions
from the master computer, a number of zombie machines will send attack packets
to a target computer. Zombie may refer to the control program run to control one
of the middle layer computers, or it may refer to a computer so controlled. See
also backdoor,
DDoS, RAT.
- zoo
-
jargon reference to a set of virus programs of known
characteristics used to test
antiviral software
|