Glossary

Access

The ability to read, write, modify, or use any of a company's system resources.



Access control

Prevention of unauthorized use of any of a company's system resources either externally (by an intruder) or internally (by an employee who should not have access).



Accountability

Ensuring that activities on supported systems can be traced to an individual who is held responsible for the integrity of the data.



Assurance

A level of confidence that the information-system architecture mediates and enforces the organization's security policy.



Audit trail

A documented record of events allowing an auditor (or security administrator) to reconstruct past system activities.



Authenticate

To verify the identity of a user, device, or any other system entity.



Authorization

Granting officially approved access rights to a user, process, or program in accordance with a company's security policy.



Back door

Code that is specifically written into applications or operating systems to allow unauthorized access. Also called a "trap door."



Bulletin board

Allows users from the Internet to write or read messages posted by other users and to exchange programs and files.



Compromise

Violation of a company's system security policy by an intruder that may result in the modification, destruction, or theft of data.



Computer crime

Any form of illegal act involving electronic information and computer equipment.



Computer fraud

A computer crime that an intruder commits to obtain money or something of value from a company. Often, all traces of the crime are covered up. Computer fraud typically involves modification, destruction, theft, or disclosure of data.



Confidentiality

Ensuring that sensitive data is limited to specific individuals (external and internal) or groups within an organization. The confidentiality of the information is based on the degree to which an organization must protect its information; for example, registered, proprietary, or nonproprietary.



Conflict-of-interest escalation

A preset procedure for escalating a security incident if any members of the support or security teams are suspect.



Contingency plan

A security plan to ensure that mission-critical computer resources are available to a company in the event of a disaster (such as an earthquake or flood). It includes emergency response actions, backup operations, and postdisaster recovery.



Control

A protective action that a company takes to reduce its risk of exposure.



Countermeasure

An action that a company takes to reduce threats to a system. A countermeasure can be a hardware device, software package, procedure, and so on.



Data integrity

The assurance that a company's data has not been exposed to modification or destruction either by accident or from malicious acts.



Denial of service

An action or series of actions taken by an intruder that causes systems to be unavailable for their intended purpose.



Easy access

Breaking into a system with minimal effort by exploiting a well-known vulnerability, and gaining superuser access in less than 30 seconds (a piece of cake for an intruder).



Escalation

The procedure of reporting (and passing responsibility for resolving) a security breach to a higher level of command.

See also [Internal escalation]
See also [External escalation]
See also [Conflict-of-interest escalation]


External escalation

The process of reporting a security breach to an individual or group outside the department, division, or company in which it occurred. Once a problem is escalated, responsibility for resolving that problem is either accepted or shared with the party to whom the problem is escalated.



Extranet

An extension of a company's intranet to include systems outside the company. An extranet can be used to facilitate easy access to databases and other sources of information between the company and its customers and/or suppliers.

See also [Intranet]


Firewall

A security system that controls traffic flow between networks. Several configurations exist: filters (or screens), application relays, encryption, demilitarized zones (DMZ), and so on.



Hacker

A person with malicious intentions who gathers information on computer security flaws and breaks into computers without the system owners' permission.



Hacking

Exploiting system vulnerabilities to gain unauthorized access.



Identification

Recognizing users on a company's systems by using unique names.



Incident-response procedures

Formal, written procedures that detail the steps to be taken in the event of a major security problem, such as a break-in. Developing detailed incident-response procedures before the occurrence of a problem is a hallmark of a well-designed security system.



Internal escalation

The process of reporting a security breach to a higher level of command within the department, division, or company in which the breach occurred.



Internet

The largest collection of networks in the world.



Internet Service Provider (ISP)

The company through which an individual or organization receives access to the Internet. Typically, ISPs provide email service and home-page storage in addition to Internet access. Some ISPs also provide offsite data storage and backup services.



Intranet

A company's internal network.



ISP

See [Internet Service Provider]



Logic bomb

A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.



Password cracker

A software program that uses whole dictionaries of candidate words in an attempt to match user passwords.



Password sniffer

See [Snooping tool]



Penetration

The act of gaining unauthorized access to a system.



Permissions

The authorized actions a subject can perform with an object (i.e., read, write, modify, or delete).



Point of Contact (POC)

The person or persons to whom users and/or system administrators should immediately report a break-in or suspected security breach. The POC is the information-systems equivalent of a 911 emergency line.



Privacy

The protection of a company's data from being read by unauthorized parties. Safeguards such as encryption can provide a level of assurance that the integrity of the data is protected from exposure.



Reliability

The probability that a system will adequately accomplish its tasks for a specific period of time, under the expected operating conditions.



Risk

The probability that a particular vulnerability of a system will be exploited, either intentionally or accidentally.



Risk analysis

A process that determines the magnitude of security risks. A risk analysis identifies controls that need improvement.



Security audit

An independent professional security review that tests and examines a company's compliance with existing controls, the results of which enable an auditor to recommend necessary changes in security controls, policies, and procedures.



Security procedures

A set of detailed instructions, configurations, and recommendations to implement a company's security policies.



Snapshot

A copy of what a computer's memory (primary storage, specific registers, etc.) contains at a specific point in time. Like a photograph, a snapshot can be used to catch intruders by recording information that the hacker may erase before the attack is completed or repelled.



Snooping tool

A program used by an intruder to capture passwords and other data.



Spoof

To gain access to a system by masquerading as an authorized user.



Threat

Any item that has the potential to compromise the integrity, confidentiality, and availability of data.



Tiger team

A group of professional security experts employed by a company to test the effectiveness of security by trying to break in.



Time bomb

A program inserted into software by an intruder that triggers when a particular time is reached or an interval has elapsed.



Trap door

See [Back door]



Virus

Code that is embedded into a computer program. When the program is executed, the viral code wakes up. Once active, a virus can replicate itself, post messages, destroy data, or degrade system performance.



Vulnerability

A particular weakness in a company's security policy, system design, installation, or controls that an intruder can exploit.



Worm

An independent program that moves through an address space, reproducing itself in a new location. A worm rapidly replicates itself and may cause a denial of service by overloading system resources.




IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73