Shared Flashcard Set

Details

Chapter 12
54
Computer Science
Undergraduate 1
02/01/2010

Cards

Term
Access control list (ACL)
Definition
A list that encodes the rules stating which packets are to be allowed through a firewall and which are to be prohibited.
Term
Adware
Definition
Programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads.
Term
Asymmetric encryption
Definition
An encryption method whereby different keys are used to encode and to decode the message; one key encodes the message, and the other key decodes the message. Symmetric encryption is simpler and much faster than asymmetric encryption.
Term
Authentication
Definition
The process whereby an information system approves (authenticates) a user by checking the user’s password.
Term
Biometric authentication
Definition
The use of personal physical characteristics, such as fingerprints, facial features, and retinal scans, to authenticate users.
Term
Certificate authority (CA)
Definition
Trusted, independent third-party company that supplies public keys for encryption.
Term
Cold site
Definition
A remote processing center that provides office space, but no computer equipment, for use by a company that needs to continue operations after a disaster.
Term
Denial of service
Definition
Security problem in which users are not able to access an IS; can be caused by human errors, natural disaster, or malicious activity.
Term
Digital certificate
Definition
A document supplied by a certificate authority (CA) that contains, among other data, an entity’s name and public key.
Term
Digital rights management (DRM)
Definition
Technology and products used to protect entertainment content.
Term
Digital signature
Definition
Encrypted message that uses hashing to ensure that plaintext messages are received without alteration.
Term
Drive-by sniffers
Definition
People who take computers with wireless connections through an area and search for unprotected wireless networks in an attempt to gain free Internet access or to gather unauthorized data.
Term
Email spoofing
Definition
A synonym for phishing. A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends email requests for confidential data, such as account numbers, Social Security numbers, account passwords, and so forth. Phishers direct traffic to their sites under the guise of a legitimate business.
Term
Encryption
Definition
The process of transforming clear text into coded, unintelligible text for secure storage or communication.
Term
Enterprise-DRM (E-DRM)
Definition
The use of digital rights management (DRM) technology to protect an organization’s documents.
Term
Firewall
Definition
A computing device located between a firm’s internal and external networks that prevents unauthorized access to or from the internal network. A firewall can be a special-purpose computer or it can be a program on a general-purpose computer or on a router.
Term
Gramm-Leach-Bliley (GLB) Act
Definition
Passed by Congress in 1999, this act protects consumer financial data stored by financial institutions, which are defined as banks, securities firms, insurance companies, and organizations that provide financial advice, prepare tax returns, and provide similar financial services.
Term
Hacking
Definition
Occurs when a person gains unauthorized access to a computer system. Although some people hack for the sheer joy of doing it, other hackers invade systems for the malicious purpose of stealing or modifying data.
Term
Hardening a site
Definition
The process of taking extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system, and they lock down or eliminate operating system features and functions that are not required by the application. Hardening is a technical safeguard.
Term
Hashing
Definition
A method of mathematically manipulating an electronic message to create a string of bits that characterize the message.
Term
Health Insurance Portability and Accountability Act (HIPAA)
Definition
The privacy provisions of this 1996 act give individuals the right to access health data created by doctors and other health-care providers. HIPAA also sets rules and limits on who can read and receive a person’s health information.
Term
Hot site
Definition
A remote processing center run by a commercial disaster-recovery service that provides equipment a company would need to continue operations after a disaster.
Term
Identification
Definition
The process whereby an information system identifies a user by requiring the user to sign on with a user name and password.
Term
Internal firewalls
Definition
A firewall that sits inside the organizational network.
Term
IP spoofing
Definition
A type of spoofing whereby an intruder uses another site’s IP address as if it were that other site.
Term
Kerberos
Definition
A system, developed at MIT, that authenticates users without sending their passwords across a computer network. It uses a complicated system of “tickets” to enable users to obtain services from networks and other servers.
Term
Key escrow
Definition
A control procedure whereby a trusted party is given a copy of a key used to encrypt database data.
Term
Malware
Definition
Viruses, worms, Trojan horses, spyware, and adware.
Term
Malware definitions
Definition
Patterns that exist in malware code. Antimalware vendors update these definitions continuously and incorporate them into their products in order to better fight against malware.
Term
Message digest
Definition
A bit string of a specific, fixed length that is produced by hashing and used to produce digital signatures.
Term
Packet-filtering firewall
Definition
A firewall that examines each packet and determines whether to let the packet pass. To make this decision, it examines the source address, the destination addresses, and other data.
Term
Perimeter firewall
Definition
A firewall that sits outside the organizational network. It is the first device that Internet traffic encounters.
Term
Personal identification number (PIN)
Definition
A form of authentication whereby the user supplies a number that only he or she knows.
Term
Phishing
Definition
A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.
Term
Pretexting
Definition
A technique for gathering unauthorized information in which someone pretends to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers. Phishing is also a form of pretexting.
Term
Privacy Act of 1974
Definition
Federal law that provides protections to individuals regarding records maintained by the U.S. government.
Term
Probable loss
Definition
The “bottom line” of risk assessment; the likelihood of loss multiplied by the cost of the loss consequences (both tangible and intangible).
Term
Risk
Definition
The likelihood of an adverse occurrence.
Term
Safeguard
Definition
Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.
Term
Secure Socket Layer (SSL)
Definition
A protocol that uses both asymmetric and symmetric encryption. SSL is a protocol layer that works between Levels 4 (transport) and 5 (application) of the TCP–OSI protocol architecture. When SSL is in use, the browser address will begin with https://. The most recent version of SSL is called TLS.
Term
Security policy
Definition
Management’s policy for computer security, consisting of a general statement of the organization’s security program, issue-specific policy, and system-specific policy.
Term
Security program
Definition
A systematic plan by which an organization addresses security issues; consists of three components: senior management involvement, safeguards of various kinds, and incident response.
Term
Smart card
Definition
A plastic card similar to a credit card that has a microchip. The microchip, which holds much more data than a magnetic strip, is loaded with identifying data. Normally requires a PIN.
Term
Sniffing
Definition
A technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required.
Term
Spoofing
Definition
When someone pretends to be someone else with the intent of obtaining unauthorized data. If you pretend to be your professor, you are spoofing your professor.
Term
Spyware
Definition
Programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Malicious spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware is used for marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth.
Term
Symmetric encryption
Definition
An encryption method whereby the same key is used to encode and to decode the message.
Term
Technical safeguard
Definition
Safeguard that involves the hardware and software components of an information system.
Term
Transport Layer Security (TLS)
Definition
A protocol, using both asymmetric and symmetric encryption, that works between Levels 4 (transport) and 5 (application) of the TCP–OSI protocol architecture. TLS is the new name for a later version of SSL.
Term
Uncertainty
Definition
Those things we don’t know.
Term
Usurpation
Definition
Occurs when unauthorized programs invade a computer system and replace legitimate programs. Such unauthorized programs typically shut down the legitimate system and substitute their own processing.
Term
Vulnerability
Definition
An opening or a weakness in a security system. Some vulnerabilities exist because there are no safeguards or because the existing safeguards are ineffective.
Term
Wi-Fi Protected Access (WPA and WPA2)
Definition
An improved wireless security standard developed by the IEEE 802.11 committee to fix the flaws of the Wired Equivalent Privacy (WEP) standard. Only newer wireless hardware uses this technique.
Term
Wired Equivalent Privacy (WEP)
Definition
A wireless security standard developed by the IEEE 802.11 committee that was insufficiently tested before it was deployed in communications equipment. It has serious flaws.