S


Safeguard

A control or countermeasure implemented to reduce the risk or damage associated with a specific threat.

Sag

Short drop in voltage.

SBU (Sensitive but Unclassified)

A U.S. government data classification level for information that’s not classified but requires protection, such as private or personal information.

Scan

A technique used to identify vulnerabilities in a system, usually by transmitting data to it and observing its response.

Screening Router

A firewall architecture that consists of a router that controls packet flow through the use of ACLs. See also ACL, Firewall.

Secondary evidence

A duplicate or copy of evidence, such as tape backup, screen capture, or photograph.

Secure and signed message format

A message encrypted in an asymmetric key system using the recipient’s public key and the sender’s private key. This protects the message’s confidentiality and guarantees the message’s authenticity. See also Open message format, Secure message format.

Secure message format

A message encrypted in an asymmetric key system using the recipient’s public key. Only the recipient’s private key can decrypt the message. This protects the message’s confidentiality. See also Open message format, Secure and signed message format.

Security awareness

The process of providing basic security information to users in an organization, in order to aid them in making prudent decisions regarding the protection of the organization’s assets.

Security kernel

The combination of hardware, firmware, and software elements in a Trusted Computing Base (TCB) that implements the reference monitor concept. See also TCB.

Security modes of operation

Designations for U.S. military and government computer systems based upon the need to protect secrets stored within them. Modes are Dedicated, System High, Multi-Level, and Limited Access.

Security perimeter

The boundary that separates the Trusted Computing Base (TCB) from the rest of the system. See also TCB.

Segregation of duties

See Separation of duties and responsibilities.

Sensitivity labels

In a MAC-based system, a subject’s sensitivity label specifies its level of trust, whereas an object’s sensitivity label specifies the level of trust required for access. See also MAC.

Separation of duties and responsibilities

A concept that ensures that no single individual has complete authority and control of a critical system or process.

Service Level Agreement (SLA)

Formal minimum performance standards for systems, applications, networks, or services.

SESAME (Secure European System and Applications in a Multi-vendor Environment)

A ticket-based authentication protocol similar to Kerberos, with additional security enhancements. See also Kerberos.

Session hijacking

Similar to a man-in-the-middle attack except that the attacker impersonates the intended recipient instead of modifying messages in transit. See also Man-in-the-middle attack.

SET (Secure Electronic Transaction)

Developed by MasterCard and Visa to provide secure e-commerce transactions by implementing authentication mechanisms while protecting the confidentiality and integrity of cardholder data.

S-HTTP (Secure HyperText Transfer Protocol)

An Internet protocol that provides a method for secure communications with a Web server.

SKIP (Simple Key Management for Internet Protocols)

A protocol used to share encryption keys.

SLIP (Serial Line IP)

An early point-to-point protocol for transporting IP over dial-up modems. PPP is more commonly used for this purpose.

SMDS (Switched Multimegabit Data Service)

A high-speed, packet-switched, connectionless, datagram-based technology available over public switched networks.

S/MIME (Secure Multipurpose Internet Mail Extensions)

Provides confidentiality and authentication for e-mail using the RSA asymmetric key system, digital signatures, and X.509 digital certificates. See also RSA.

SMURF

A Denial of Service attack whereby the attacker sends forged ICMP echo request packets into a network with the intention of having large numbers of nodes on the network sending ICMP echo replies to the target system. See also Denial of Service.

Sniffing

The practice of intercepting communications for usually covert purposes.

Social engineering

A low-tech attack method employing techniques such as dumpster diving and shoulder-surfing.

Software

Computer instructions that enable the computer to accomplish tasks. See also Operating System, Application Software.

Software development life cycle (SDLC)

The business-level process used to develop and maintain software.

SONET

See Synchronous Optical Network.

Spam (also known as Unsolicited Commercial E-mail or UCE)

Junk e-mail that currently constitutes about 85 percent of all worldwide e-mail.

Spear Phishing

A phishing attack that is highly targeted, for example at a particular organization or part of an organization. See also Phishing.

Spike

Momentary rush of electric power.

SPIM

Spam over instant messaging.

SPIT

Spam over Internet telephony.

Spoofing

A technique used to forge TCP/IP packet information or e-mail header information. In network attacks, IP spoofing is used to gain access to systems by impersonating the IP address of a trusted host. In e-mail spoofing, the sender address is forged to trick an e-mail user into opening or responding to an e-mail (usually a virus or spam).

Spyware

A form of malware that is installed on a user’s computer, usually without the user’s knowledge, often for the purpose of collecting information about the user’s Internet usage or for taking control of the computer. Spyware increasingly includes keystroke loggers and Trojan horses.

SSH (Secure Shell)

A character-oriented protocol that provides a secure alternative to Telnet and rsh. See also Telnet.

SSL/TLS (Secure Sockets Layer/Transport Layer Security)

A Transport layer protocol that provides session-based encryption and authentication for secure communication between clients and servers on the Internet.

SSO (single sign-on)

Allows a user to present a single set of logon credentials, typically to an authentication server, which then transparently logs the user on to all other enterprise systems and applications for which that user is authorized.

Standards

Specific, mandatory requirements that further define and support higher-level policies.

Star

A network topology where all devices are directly connected to a central hub or concentrator.

State machine model

A security model in which a secure state is defined and maintained during all transitions between secure states.

Stateful inspection firewall

A type of firewall that captures and analyzes data packets at all levels of the OSI model to determine the state and context of the data packet and whether it is to be permitted.

Static password

A password that’s the same for each logon.

Statutory damages

Mandatory damages determined by law and assessed for violating the law.

Steganography

The art of hiding the very existence of a message; for example, in a picture.

Stream cipher

An encryption algorithm that operates on a continuous stream of data, typically bit-by-bit.

Strong authentication

A means of authentication that requires two or more independent means of identification. See also Two-Factor authentication.

Subject

An active entity such as an individual or process.

Substitution cipher

A cipher that replaces bits, characters, or character blocks in plaintext with alternate bits, characters, or character blocks to produce ciphertext.

Supervisor mode

A level of elevated privilege, usually intended for system administration use only. See also User mode.

Surge

Prolonged rush of electric power.

Switch

An intelligent hub that transmits data only to individual devices on a network, rather than all devices as hubs do. See also Hub.

Symmetric key system (or symmetric algorithm, secret key, single key, private key)

A cryptographic system that uses a single key to both encrypt and decrypt information.

SYN flood

An attack where the attacker sends large volumes of TCP SYN packets to a target system. This is a type of Denial of Service attack. See also Denial of Service.

Synchronous Optical Network (SONET)

A carrier-class protocol used to communicate digital information over optical fiber.

System access control

A control that prevents a subject from accessing a system unless the subject can present valid credentials.

System high mode

A system that operates at the highest level of information classification.




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242
