- access control Allowing or denying use of a system, place or resource selectively. The traditional username/password login demonstrates the phases in access control. First, the user identifies themself by entering their username, then they authenticate that identity by entering the password, finally, the system grants or denies access on the basis of the provided information and the stored permissions.
- address masquerading Modifying the network address of a system in packet headers. Commonly used for hiding an organisation's internal resources behind a gateway. Unlike address spoofing, masquerading is not intended to disrupt; the gateway acts as an intermediary in the end-to-end communication. See Network Address Translation.
- address spoofing The creation of packets with a forged source address. This conceals the identity of the sender and lets them impersonate another system. Attackers spoof addresses for various purposes. It may be an attempt to break into the receiving system by forging the address of a system it trusts. Alternatively, the victim may be the system at the forged address, as in an amplification attack: the attacker sends a small request that triggers a much larger response, which, of course, is sent to the forged address. By repeating this many times, to many different systems, the attacker causes a flood of large "responses" to the victim that it did not request and was not expecting. This constitutes a Distributed Denial of Service (DDoS) attack. Spoofing is possible because IP itself does not verify source addresses; the standard countermeasure is ingress filtering at the network edge, dropping packets whose source address does not belong to the network they arrive from.
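The reflected-and-amplified flood described above leaves a recognisable trace in flow data: the victim receives large replies from many service ports it never sent requests to. The following is an added example, not part of the original glossary, that runs such a check over a handful of constructed flow records; the reflector port set and the thresholds are assumptions to tune for your own network.

```python
from collections import defaultdict

# Service ports commonly abused as reflectors (DNS, NTP, SSDP, memcached).
# The set is an assumption for this example; tune it to the services you see abused.
REFLECTOR_PORTS = {53, 123, 1900, 11211}

# Constructed flow records, not real traffic: (src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.5 never sent a DNS query, yet five resolvers are answering it with
# large responses: an attacker spoofed 203.0.113.5 as the source of small queries.
# 192.0.2.10 is a normal client: one small query, one modest reply.
FLOWS = [
    ("198.51.100.1", 53, "203.0.113.5", 40001, 3900),
    ("198.51.100.2", 53, "203.0.113.5", 40001, 3900),
    ("198.51.100.3", 53, "203.0.113.5", 40001, 3900),
    ("198.51.100.4", 53, "203.0.113.5", 40001, 3900),
    ("198.51.100.5", 53, "203.0.113.5", 40001, 3900),
    ("192.0.2.10", 51234, "198.51.100.1", 53, 60),
    ("198.51.100.1", 53, "192.0.2.10", 51234, 130),
]


def find_amplification_victims(flows, min_sources=3, min_ratio=10.0):
    """Flag hosts that receive far more bytes from reflector service ports than
    they ever sent to those ports, from several distinct reflectors.

    Returns {victim_ip: {"sources": n, "bytes_in": b, "amplification": ratio}}.
    """
    bytes_in = defaultdict(int)      # reply bytes received per host
    sources = defaultdict(set)       # distinct reflectors answering that host
    bytes_out = defaultdict(int)     # request bytes the host itself sent to reflectors
    for src, sport, dst, dport, nbytes in flows:
        if sport in REFLECTOR_PORTS:     # from a service port: a response
            bytes_in[dst] += nbytes
            sources[dst].add(src)
        if dport in REFLECTOR_PORTS:     # to a service port: a request
            bytes_out[src] += nbytes

    victims = {}
    for host, received in bytes_in.items():
        # A host that sent nothing gets ratio = received / 1; a genuine client's
        # ratio is just the protocol's natural response/request size ratio.
        ratio = received / max(bytes_out[host], 1)
        if len(sources[host]) >= min_sources and ratio >= min_ratio:
            victims[host] = {"sources": len(sources[host]),
                             "bytes_in": received,
                             "amplification": ratio}
    return victims


if __name__ == "__main__":
    for ip, info in find_amplification_victims(FLOWS).items():
        print(f"{ip}: {info['sources']} reflectors, {info['bytes_in']} bytes in, "
              f"ratio {info['amplification']:.0f}x")
```

Flow records cannot prove that a source address was forged; the tell is the asymmetry, a host that originated no requests yet is answered by many servers. The thresholds should be set above the natural response/request ratio of the protocols involved (DNS replies are routinely a few times larger than queries).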
- anonymous
- anti-spam A system that protects against spam messages.
- anti-virus (Chinese: 防毒) A system that protects against computer viruses.
- asymmetric algorithm An encryption algorithm that uses two mathematically-linked keys: what one key encrypts, only the other can decrypt. Very important for the digital society. A user keeps one key secret (the private key) and publishes the other (the public key); anyone can then send them a secret message by encrypting it with the public key, and only the holder of the private key can decrypt it. Conversely, the user can sign a message by applying the private key to a digest of the message (in RSA this is the same operation as "encrypting with the private key"), and anyone can confirm the signature with the public key. In practice the procedures are more complex: a public key must be bound to an identity (see PKI), the raw mathematical operations must be wrapped in padding schemes to be safe, and asymmetric algorithms are much slower than symmetric algorithms, so they are normally used only to exchange a session key that then encrypts the bulk of the data.
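The three uses in the entry above (public-key encryption, private-key signing, and wrapping a symmetric session key) in working code, as an added example that is not part of the original glossary. It uses textbook RSA with the tiny primes 61 and 53 and a SHA-256 counter keystream as the symmetric cipher, both chosen here purely for illustration and both insecure for real use.

```python
import hashlib
import secrets
from math import gcd

# Toy textbook RSA with tiny primes, for illustration only. Real systems use
# 2048-bit or larger moduli and padding (OAEP for encryption, PSS for signatures);
# without padding RSA is deterministic and malleable.

def keygen(p=61, q=53, e=17):
    """Return (public, private) as (n, e) and (n, d). Primes are fixed here;
    real keys use randomly chosen large primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public, m: int) -> int:
    n, e = public
    assert 0 <= m < n
    return pow(m, e, n)          # public-key operation

def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)          # private-key operation

def digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message, not the message itself. Reducing SHA-256
    # mod n is a toy-size shortcut; real schemes pad the hash to the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message: bytes) -> int:
    n, d = private
    return pow(digest_mod_n(message, n), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest_mod_n(message, n)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric 'session' cipher: XOR with a SHA-256 counter keystream. The same
    call encrypts and decrypts. Illustrative only; use AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)

def hybrid_encrypt(public, message: bytes):
    """Encrypt the bulk data with a fresh symmetric session key and only the
    session key with the slow asymmetric operation."""
    n, _ = public
    session_key = secrets.randbelow(n)            # tiny only because n is tiny
    wrapped_key = rsa_encrypt(public, session_key)
    body = keystream_xor(session_key.to_bytes(4, "big"), message)
    return wrapped_key, body

def hybrid_decrypt(private, wrapped_key: int, body: bytes) -> bytes:
    session_key = rsa_decrypt(private, wrapped_key)
    return keystream_xor(session_key.to_bytes(4, "big"), body)

if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"meet at noon"
    sig = sign(priv, msg)
    print("signature valid:", verify(pub, msg, sig))          # True
    print("tampered valid: ", verify(pub, b"meet at one", sig))  # False
    wk, body = hybrid_encrypt(pub, msg)
    print("recovered:", hybrid_decrypt(priv, wk, body))
```

With these parameters n = 3233, e = 17 and d = 2753, so the classic check 65 → 2790 → 65 holds. The point to carry over is the division of labour: the asymmetric operation touches only the short session key, the symmetric cipher handles the message.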
- authentication The act of confirming the identity of a person or system. In the traditional username/password login, the user identifies themselves by the username, then authenticates by proving they know the correct secret password, thus confirming their identity. There are three types or factors of authenticating information: something you know (e.g. a password), something you have (e.g. a door-key or bank card) and something you are (biometrics, e.g. a fingerprint).
- authorization Granting an authenticated identity the rights defined by an access policy. It is the decision phase of access control and is distinct from authentication: knowing who someone is does not by itself say what they may do.
- bastion host A special-purpose server designed to withstand attack, generally located outside the firewall or in the DMZ.
- biometric A characteristic or trait of a person.
- biometrics Identification of people by their characteristics or traits. Common examples of methods include fingerprints, facial recognition, iris and retina scanning. It can be used for identification or authentication, but authentication applications require a trusted reader.
- boot sector virus A computer virus that is designed to run as the computer boots up, stored in the boot sector of the storage medium (though some boot sector viruses store additional parts of the virus elsewhere on the medium). Boot sector viruses were the most common type of virus between 1989 and about 1995, when Windows 95 introduced 32-bit protected-mode disk drivers that bypassed the BIOS disk interrupt that DOS boot sector viruses hooked, preventing them from propagating. However, the concepts of malware undermining operating system controls at the earliest stages and running automatically from removable media live on in rootkits and autorun viruses.
- brute force attack In cryptography, trying every possible key in turn until the ciphertext decrypts to something meaningful. In access control, trying every possible password in turn to gain access. The simplest form of attack, and the most time-consuming: its cost grows with the size of the key or password space, which is why key length, password length and the cost of each guess matter.
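The access-control form of the attack, as an added example that is not part of the original glossary: an exhaustive search of a 4-digit PIN against a stored PBKDF2 hash, together with a worst-case time estimate that shows how the defender's iteration count and the user's PIN length change the attacker's bill. The PIN, salt and iteration counts are constructed for the example.

```python
import hashlib
import hmac
import itertools
import time

def pin_hash(pin: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the PIN; iterations is the defender's cost knob."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def brute_force_pin(target: bytes, salt: bytes, iterations: int, digits: int = 4):
    """Try every PIN of the given length in order; return (pin, attempts).
    attempts counts hashes computed, i.e. the attacker's work."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        candidate = "".join(combo)
        if hmac.compare_digest(pin_hash(candidate, salt, iterations), target):
            return candidate, attempts
    return None, attempts

def keyspace(digits: int, alphabet_size: int = 10) -> int:
    """Number of candidates the attacker must be prepared to try."""
    return alphabet_size ** digits

def estimated_seconds(digits: int, iterations: int, salt: bytes = b"x") -> float:
    """Time one guess at this cost and extrapolate to the worst case."""
    t0 = time.perf_counter()
    pin_hash("0" * digits, salt, iterations)
    per_guess = time.perf_counter() - t0
    return per_guess * keyspace(digits)

if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = pin_hash("7391", salt, iterations=1)       # cheap hash: the weak configuration
    pin, tries = brute_force_pin(stored, salt, iterations=1)
    print(f"recovered {pin} after {tries} of {keyspace(4)} guesses")
    for iters in (1, 100_000):
        print(f"{iters:>7} iterations: worst case ~{estimated_seconds(4, iters):.1f}s "
              f"for a 4-digit PIN on this machine")
    print(f"6 digits at 100000 iterations: ~{estimated_seconds(6, 100_000) / 3600:.1f} h")
```

The search itself is the trivial part; what the estimate shows is that an offline attacker's time is the product of keyspace and per-guess cost, and the defender controls both halves: longer secrets on one side, a slow hash (or an online lockout, which caps the attempts rather than their cost) on the other.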
- certificate In PKI, an electronic document with a digital signature from a Certificate Authority that binds a public key to an identity.
- certificate authority In PKI, the entity that issues certificates. The Certificate Authority (CA) is a trusted third party. If the CA fails to correctly validate identities before signing a certificate then the trust model of the PKI breaks.
- cipher An algorithm for performing encryption or decryption.
- ciphertext A message that has been transformed to an unreadable form by a cipher.
- cleartext A message that can be read without any cryptographic processing. The term is used in descriptions of cryptography, for example, a cipher converts cleartext to ciphertext. Also used to describe when a system does not protect information by cryptography, for example, telnet transfers cleartext.
- confidentiality Information is disclosed only to those authorised to see it. Confidentiality is one of the three core objectives of Information Security.
- cookie A small piece of information sent by a web server to be stored by the user's web browser, which sends it back to the web server with each subsequent request. Cookies may be deleted at the end of a browsing session, or persist for many years. Cookies serve many purposes, ranging from verifying that a user has logged in to tracking users' behaviour across multiple websites by means of third-party cookies. They have privacy implications.
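The distinctions in the entry above (session versus persistent, first-party versus third-party) are all decided by the attributes on the Set-Cookie header, which is also where the protections a reviewer looks for (Secure, HttpOnly, SameSite) live. The following is an added example, not part of the original glossary, that parses two constructed headers and classifies them; the "site" test using the last two labels of a hostname is a stated simplification of what browsers do with the Public Suffix List.

```python
# Constructed Set-Cookie headers, not captured from any real site.
SESSION_COOKIE = "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax"
TRACKER_COOKIE = ("uid=7c21; Domain=.tracker.example; Path=/; "
                  "Expires=Fri, 31 Dec 2027 23:59:59 GMT; Secure; SameSite=None")

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value, key=value attributes and bare flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}, "flags": set()}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if sep:
            cookie["attrs"][key] = val.strip()
        else:
            cookie["flags"].add(key)
    return cookie

def site_of(host: str) -> str:
    """Approximate a host's 'site' by its last two labels. Browsers use the
    Public Suffix List for this; the two-label rule is a simplification."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify_cookie(header: str, set_by_host: str, page_host: str) -> dict:
    """Describe a cookie from a security and privacy point of view:
    session vs persistent, first vs third party, and missing protections."""
    c = parse_set_cookie(header)
    attrs, flags = c["attrs"], c["flags"]
    # No Expires/Max-Age means the browser drops it when the session ends.
    persistent = "expires" in attrs or "max-age" in attrs
    scope = attrs.get("domain", set_by_host).lstrip(".").lower()
    # Third party: the responding host belongs to a different site than the page.
    third_party = site_of(set_by_host) != site_of(page_host)
    findings = []
    if "secure" not in flags:
        findings.append("no Secure: also sent over plain HTTP")
    if "httponly" not in flags:
        findings.append("no HttpOnly: readable by scripts on the page")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and "secure" not in flags:
        findings.append("SameSite=None requires Secure")
    if samesite == "none" and third_party:
        findings.append("SameSite=None cross-site cookie: usable for tracking across sites")
    return {"name": c["name"], "persistent": persistent, "scope": scope,
            "third_party": third_party, "findings": findings}

if __name__ == "__main__":
    page = "www.shop.example"
    for hdr, host in ((SESSION_COOKIE, page), (TRACKER_COOKIE, "ads.tracker.example")):
        print(classify_cookie(hdr, host, page))
```

Run against a real response you would feed every Set-Cookie header the server returned; a login cookie should come out as session-scoped, first-party, with an empty findings list, while a long-lived cross-site cookie with SameSite=None is exactly the tracking case the entry warns about.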
- cracker Someone who breaks into computer systems. If this is done without permission, it is illegal. Used in technical communities to distinguish breaking-and-entering from the exploratory and enthusiast meaning of hacker, the term has failed to gain traction with the general public.
- cryptography The art of "secret writing", or how to keep information confidential. Once it was almost exclusively used by Governments and the military, nowadays it is an essential part of the Information Society.
- DDoS Distributed Denial of Service attack. A DoS attack in which many systems, typically compromised machines under the attacker's control, attack the target at the same time, so that the combined load overwhelms it.
- decryption The process of taking an encrypted message and producing cleartext.
- DES Data Encryption Standard. A symmetric block cipher standardised by the US government in 1977. Its 56-bit key is far too short for modern hardware, so it has been superseded by AES (and, for legacy compatibility, Triple DES).
- digital signature Like a handwritten signature, a digital signature demonstrates that a document was approved by the signer. Digital signatures use an asymmetric algorithm so that only the holder of the private key could have created the signature. Generally used with PKI, so that the link between the key pair and an individual is certified by the CA, a trusted third party.
- disaster recovery The processes, policies and procedures for restoring a technological system to a working state after an incident.
- DoS Denial of Service attack. An attack that prevents legitimate use of a service, usually by overwhelming it with other work.
- education
- encryption The process of transforming cleartext to ciphertext.
- ESP Encapsulating Security Payload. A protocol in the IPsec protocol suite. It provides origin authenticity, integrity and confidentiality protection of packets.
- firewall A security system that controls network traffic, allowing and denying packets according to a pre-determined policy.
- hacker A person that strives for excellence in exploring systems and using them in innovative ways. Also used by the general public for a person that searches for weaknesses in computer systems and exploits them, a meaning that is differentiated here as cracker.
- hash An algorithm that transforms data of arbitrary length to a value of fixed length. A cryptographic hash must additionally be one-way (the input cannot be recovered from the output) and collision-resistant (two different inputs with the same output cannot feasibly be found); without these properties it is unsuitable for digital signatures or password storage.
- hierarchical trust A trust model in which trust flows down from a root CA: a certificate is trusted because it was issued by a CA that was itself certified, directly or through intermediate CAs, by a root that the verifier trusts. This is the model of X.509 PKI; contrast the web of trust used by PGP.
- IETF Internet Engineering Task Force. An organisation that develops and promotes Internet standards.
- information security The processes, policies and procedures used to ensure the confidentiality, integrity and availability of information systems.
- integrity Whole and unblemished. Not changed in an unauthorised manner. Integrity is one of the three core objectives of Information Security.
- intrusion detection A system that monitors a network or system for malicious activities or policy violations and reports.
- ISAKMP Internet Security Association and Key Management Protocol. A protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment. Used in IPsec. RFC 2408 has since been obsoleted by IKEv2 (RFC 4306, now RFC 7296), which folds ISAKMP and IKE into a single protocol.
- Kerberos A computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
- key A piece of information that determines the output of a cryptographic algorithm.
- key escrow An arrangement where encryption keys are kept so that an authorised third party can access the keys, and therefore the data they protect, in defined circumstances.
- legal
- message digest The output of a hash function for a message.
- newsletter
- OTP One-Time Password. A password that is only valid for a single use, so that capturing it in transit or on a compromised machine does not let an attacker log in later. Typically generated from a shared secret combined with a counter or the current time (HOTP and TOTP), or by a hardware token.
- packet filter The earliest type of firewall. Individual packets are inspected and rules are applied to allow or deny them.
- passphrase A longer, more complicated password. The name encourages the user to select a sequence of words instead of just one.
- PEM Privacy Enhanced Mail. A 1993 IETF proposal for securing email by public-key cryptography. Superseded by S/MIME, although the name survives in the Base64 file format with -----BEGIN/-----END header lines that is still used for certificates and keys.
- PGP Pretty Good Privacy. An encryption/decryption program created by Phil Zimmermann in 1991, based on public-key cryptography and a web of trust.
- phishing
- phreaker A person who experimented with or exploited analog telecommunications systems.
- PKI Public-Key Infrastructure. A system to create, manage, store, use, distribute and revoke digital certificates, binding public keys to identities by means of certificates issued by a Certificate Authority.
- plaintext See cleartext.
- policy A principle to guide decisions to the desired outcome.
- port sweep A scan of many hosts for a single port (contrast a port scan, which probes many ports on one host).
- privacy Keeping information about an individual person, or group of people, confidential.
- private key One half of the key pair used in an asymmetric algorithm, the private key is kept secret.
- public-key cryptosystem See asymmetric algorithm.
- RSA One of the first practicable public-key cryptosystems, developed by Ron Rivest, Adi Shamir and Leonard Adleman. RSA is their initials.
- S-HTTP Secure Hypertext Transfer Protocol. An obsolete and little-used alternative to HTTPS.
- S/MIME Secure/Multipurpose Internet Mail Extensions. A standard for signing and encrypting email using X.509 certificates issued by a CA; the successor to PEM.
- screening router A network router that performs packet filtering.
- secret key cryptosystem See symmetric algorithm.
- session key A single-use symmetric key used for encrypting all messages in one communication session.
- SKIP Simple Key management for Internet Protocols. A key management protocol proposed to the IETF for sharing encryption keys in IPsec, superseded by IKE.
- social engineering Using psychological tricks to manipulate people into revealing information or performing actions that should normally be forbidden by the security policy.
- spam Electronic messages that the recipient did not want or ask for. Often unwanted advertising or fraudulent messages.
- SSH Secure SHell. An encrypted network protocol, designed to replace commonly-used unencrypted (and therefore insecure) protocols including telnet, rsh, rcp and ftp.
- SSL Secure Sockets Layer. A protocol for encrypting and authenticating connections above TCP, originally developed by Netscape and best known for securing HTTP as HTTPS. All SSL versions are now deprecated in favour of its successor, TLS.
- static password A password that does not change between sessions, that is, not an OTP.
- symmetric algorithm An encryption algorithm that uses the same key for encryption and decryption.
- trojan A program with a hidden function that the user does not know about and would not want. Named after the Greek story of the fall of the city of Troy, in which the defenders bring a wooden horse, with enemy soldiers hidden inside it, into their city.
- trojan horse See trojan.
- virus A program that makes copies of itself, typically by inserting its code into other programs, documents or boot sectors so that it runs whenever they do. A self-copying program that spreads across a network without needing a host program is usually called a worm.
- vulnerability A weakness that reduces a system's information security.
- X.509 ITU-T standard for a PKI (public-key certificates) and PMI (Privilege Management Infrastructure, attribute certificates). X.509 certificates are the standard format used by SSL/TLS and S/MIME.
- Yui Kee 銳記 Yui Kee Computing is a company that provides information security products and services.