Glossary


Abuse of Privilege - When a user performs an action that they should not have, according to organisational policy or law.

Access Control List - Rules for packet filters (typically routers) that define which packets to pass and which to block.

ACL - An abbreviation for Access Control List.

Anti-Virus - A software or hardware solution designed to identify and remove malware.

Authentication - The process of determining the identity of a user that is attempting to access a system.

Authentication Token - A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.

Authorisation - The process of determining what types of activities are permitted. Usually, authorisation is in the context of authentication: once you have authenticated a user, they may be authorised different types of access or activity.

Challenge/Response - An authentication technique whereby a server sends an unpredictable challenge to the user, who computes a response using some form of authentication token.

Cryptographic Checksum - A one-way function applied to a file to produce a unique fingerprint of the file for later reference. Checksum systems are a primary means of detecting file system tampering on Unix.

Demilitarised Zone (DMZ) - This refers to a part of the network that is neither part of the internal network nor directly part of the Internet. Typically, this area is used for external facing applications that will accept connections from the Internet.

Desktop Firewall (sometimes called a Personal Firewall) - Similar to a conventional firewall but on a much smaller scale, designed specifically for endpoints. Used to control network traffic to and from a computer based on a security policy.

Data Loss Prevention (DLP) - Products that help organisations reduce the risk of sensitive data leaving the company through accidental or malicious means. The solution can be host based, network based, or a mixture of the two.

DNS - An abbreviation for Domain Name System.

DNS spoofing - Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Domain Name System - A general-purpose distributed, replicated data query service chiefly used on the Internet for translating hostnames into Internet addresses. Also, the style of hostname used on the Internet, though such a name is properly called a fully qualified domain name. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found.

Dual Homed Gateway - A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.

Encrypting Router - See Tunnelling Router and Virtual Network Perimeter.

File and Folder Encryption - Instead of encrypting a full hard drive, specific folders into which users put sensitive data can be encrypted, or all files of particular types produced by a particular application can be encrypted.

Firewall - A system or combination of systems that enforces a boundary between two or more networks.

Full Disk Encryption or Endpoint Encryption - Designed for endpoints, usually mobile devices. The whole hard drive is encrypted and some form of password or token is needed to access the disk and to load the operating system.

Host-based Security - The technique of securing an individual system from attack. Host based security is operating system and version dependent.

Insider Attack - An attack originating from inside a protected network.

Intrusion Prevention System (IPS) - A device that monitors network traffic and system activities for malicious behaviour and can block this undesired traffic. Intrusion prevention comes in two forms: host based IPS (HIPS), where the IPS software is installed on an endpoint and protects only that endpoint, and network based IPS (NIPS), which monitors all network traffic to all endpoints.

IP Hijacking - See IP Splicing.

IP Splicing - An attack whereby an active, established, session is intercepted and co-opted by the attacker. IP Splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorised user. Primary protections against IP Splicing rely on encryption at the session or network layer.

IP Spoofing - An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.

Local Area Network (LAN) - A data communications network which is geographically limited (typically to a 1 km radius) allowing easy interconnection of terminals, microprocessors and computers within adjacent buildings.

Log Processing - How audit logs are processed, searched for key events, or summarised.

Log Retention - How long audit logs are retained and maintained.

Man in the Middle Attack - A method of snooping secure web sessions, whereby an attacker presents a certificate to a client accessing a secure site, thereby acting as a proxy and having visibility into secure traffic. This method is now the most common way for legitimate security products to carry out HTTPS inspection.

MX Record - A DNS record specifying how internet email should be routed to the relevant mail server.

Network Access Control (NAC) - A product that restricts access for endpoints that do not meet a set policy. For example, an endpoint that doesn't have the latest virus definitions and operating system patches can be denied access to the organisation's network and instead pushed to a separate quarantine network for remediation; once the issues have been resolved it is allowed back onto the organisation's general network.

NetBIOS - An applications programming interface (API) which activates network operations on IBM PC compatibles running under Microsoft's DOS. It is a set of network commands that the application program issues in order to transmit and receive data to another host on the network. The commands are interpreted by a network control program or network operating system that is NetBIOS compatible.

Network-Layer Firewall - A firewall in which traffic is examined at the network protocol packet layer.

Perimeter-based Security - The technique of securing a network by controlling access to all entry and exit points of the network.

Policy - Organisation-level rules governing acceptable use of computing resources, security practices, and operational procedures.

Protocol - A standard procedure for regulating data transmission between computers.

Proxy - An agent that acts on behalf of a user. Typical proxies accept a connection from a user, decide whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination.

Remote Procedure Call (RPC) - A protocol which allows a program running on one host to cause code to be executed on another host without the programmer needing to explicitly code for this. RPC is an easy and popular paradigm for implementing the client-server model of distributed computing. An RPC is initiated by the caller (client) sending a request message to a remote system (the server) to execute a certain procedure using the arguments supplied. A result message is returned to the caller. There are many variations and subtleties in various implementations, resulting in a variety of different (incompatible) RPC protocols.

Screened Host - A host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router.

Screened Subnet - A subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router.

Screening Router - A router configured to permit or deny traffic based on a set of permission rules installed by the administrator.

Server Message Block (SMB) - A client/server protocol that provides file and printer sharing between computers. In addition, SMB can share serial ports and communications abstractions such as named pipes and mail slots. SMB is similar to remote procedure call (RPC) specialised for file system access.

Session Stealing - See IP Splicing.

Social Engineering - An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorised user, to attempt to gain illicit access to systems.

Transmission Control Protocol (TCP) - A protocol developed for the internet to get data from one network device to another.

Trojan Horse - A software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program.

Tunnelling Router - A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.

Virtual Network Perimeter - A network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks.

Virtual Private Network (VPN) - The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall hardware or software or possibly by routers.

Virus - A replicating code segment that attaches itself to a program or data file. Viruses may or may not contain attack programs or trapdoors.

Worm - A standalone program that, when run, copies itself from one host to another, and then runs itself on each newly infected host.

Copyright © 2010, AVR International Ltd. All rights reserved.