Security IT Terms

Access Control List

Authentication

Multifactor authentication

Biometrics

Network Access Control (NAC)

Active Content

Data leak

Egress Scanning

Botnet

Distributed Denial of Service (DDoS)

Honeypot

Unified Threat Management

Endpoint security

Patch management

Virus

Penetration testing

White Hat hacker

Social Engineering

Spoofing

Proxy

Layered security

Access Control List

An Access Control List (ACL) is a list of entries attached to a resource that states which users or groups may perform which operations on it. ACLs are the mechanism most systems use to limit the use of sensitive computers, data, networks, applications or other resources based on a user’s identity and membership in specific groups.

ACL is a general term rather than a specific product. Many types of software provide access control for different resources at different levels. A desktop operating system, for example, lets a user log in, or not, depending on the rights already granted to that user in the computer’s access control lists. In that case the ACLs amount to the entries, in file system metadata and user profiles, that say who may only read a file, who may read and write it, and which users may run a program on the PC. A well-designed ACL is default-deny: a user with no matching entry gets nothing, and where explicit deny entries exist (Windows has them; POSIX ACLs do not) a deny takes precedence over an allow for the same user or group.

Applications, both enterprise-class and those aimed at individuals or workgroups, have their own security mechanisms, as do servers, storage, networking equipment and so on. In each case a separate ACL is attached to that unit’s security mechanism, which is why ACLs multiply and drift out of step unless they are managed centrally.

Directory services and single sign-on systems are the usual way to centralize them: a user signs on once to “the network,” after which the directory or other mechanism takes over the task of access control for applications, servers and other resources.
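As an added example (not code from the page), the following evaluator shows how ACL entries for users and groups resolve to a yes/no decision, including default deny and deny-overrides-allow. The group directory, the payroll ACL and the user names are constructed for illustration.

```python
"""Access-control-list evaluator (added example; not from the page). Names are constructed."""
from dataclasses import dataclass

# Constructed directory: user -> groups the user belongs to.
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"it-admins", "staff"},
}


@dataclass(frozen=True)
class Entry:
    subject: str            # "user:<name>" or "group:<name>"
    permissions: frozenset  # subset of {"read", "write", "execute"}
    allow: bool = True      # False makes this an explicit deny entry


def subjects_for(user):
    """Every subject an entry could match for this user: the user and each of their groups."""
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, ())}


def is_allowed(acl, user, permission):
    """Default deny: no matching entry means no access. An explicit deny entry for
    the user or any of their groups overrides every allow entry, whatever the order."""
    subjects = subjects_for(user)
    allowed = False
    for entry in acl:
        if entry.subject in subjects and permission in entry.permissions:
            if not entry.allow:
                return False
            allowed = True
    return allowed


def effective_permissions(acl, user):
    """The set of operations the user ends up with on the resource."""
    return {p for p in ("read", "write", "execute") if is_allowed(acl, user, p)}


# ACL for a hypothetical payroll file: staff may read, finance may also write,
# IT admins may run the associated program, and bob is explicitly locked out.
PAYROLL_ACL = [
    Entry("group:staff", frozenset({"read"})),
    Entry("group:finance", frozenset({"read", "write"})),
    Entry("group:it-admins", frozenset({"execute"})),
    Entry("user:bob", frozenset({"read", "write", "execute"}), allow=False),
]
```

is_allowed walks every entry rather than stopping at the first match, which is what makes an explicit deny win regardless of entry order; Windows gets the same effect by canonical ordering that places deny entries ahead of allow entries.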

Related terms:

Access rights

IT security

Filtering

Penetration testing

Data leak prevention

Related links:

Primer: Network Access Control

Network Access Control in the Channel

How To Adopt a 5-Layer Security Strategy

2 Screws, 1 Plastic Cover, How Many Airports Infiltrated?

Authentication

In computer security, authentication is the process of confirming the identity of a person, application or device in order to grant or deny access to an information technology resource.

Authentication is most often done with the combination of a user name and password, although biometric techniques, such as fingerprints, are becoming more common for end users. Devices and applications typically hold a pre-shared secret key or a certificate with its private key; rather than transmit the secret itself, they prove possession of it cryptographically, for example by signing or computing a keyed hash over a challenge sent by the other side, so that an eavesdropper learns nothing reusable.

Once a user has been authenticated, that is, has satisfied the security system that they are who they say they are, that identity is handed to the software that manages access control (authorization), which grants the appropriate level of access to the network or systems. Passwords should be stored only as salted, slow hashes, so that a stolen credential database does not hand the attacker the passwords themselves.

Related terms:

Access control

Network access control

Audit control

Password

Related Links:

What Is Multifactor Authentication?

What’s New in Authentication Technologies for Online Transactions?

Two-Factor Authentication Still Strong

Multifactor authentication

In computer security, multifactor authentication is the process of using more than one kind of evidence to confirm the identity of a person, application or device in order to grant or deny access to an information technology resource.

Automatic teller machine cards are the classic example: the card is a physical token holding account information, and the PIN is a secret the cardholder must also supply before being authenticated.

Often described as “something you have and something you know,” multifactor authentication typically relies on a physical device or a pre-distributed electronic code for the first factor; the second factor is a password or PIN that the user knows rather than carries. Biometrics add a third category, “something you are.” Two pieces of evidence of the same kind, such as a password and a security question, do not make a second factor. This method minimizes the chance of a thief gaining access to a bank account or other system simply by stealing a key card.

PC-based software tokens, typically a long secret key stored on the machine that generates one-time codes, are usually counted as a factor in a multifactor scheme, but because there is no separate physical object and the key can be copied along with the rest of the disk, some security experts dispute whether they are an independent factor at all.

Related terms:

Password

Voice identification

Authentication

Access control

Biometric security

Biometrics

Biometrics is the use of human physical attributes to prove a user’s identity and grant access to an application, device or network. Using the unique patterns of blood vessels in the eye has been a staple of science fiction movies and thrillers for years, but only recently have mainstream IT systems begun to use elements such as fingerprints for authentication. Some laptops ship with fingerprint readers as standard equipment, and they are appearing on other mobile devices as well.

Biometrics are used much like passwords: the user presents the trait, the system compares what it captured against what is on file and, if the comparison succeeds, checks whether the user has permission to use the system and grants access. Unlike a password check, though, the comparison is never exact. A fingerprint or other biometric is stored as a template (a compact description of features such as fingerprint minutiae, not a raw image), and matching a fresh sample against it yields a similarity score that is compared with a threshold. Raising the threshold lowers the false acceptance rate (impostors let in) but raises the false rejection rate (legitimate users turned away); the point where the two are equal is the equal error rate, the usual figure of merit for a biometric system. Other biometric traits include voice, signature, face, iris, retina and vein patterns. Iris scanning is generally reported to have among the lowest error rates, but fingerprint scanning has become popular because of its superior cost/benefit result. One caveat applies to all of them: a compromised biometric template cannot be reset the way a password can.
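The threshold trade-off just described, as an added example (not code from the page): given match scores for genuine users and impostors, compute FAR and FRR at a threshold, find the equal error rate, and pick the operating point a policy demands. The scores are constructed; a real matcher would produce them by comparing a live sample with the enrolled template.

```python
"""Threshold, FAR/FRR and equal error rate for a biometric matcher (added example,
not from the page). Scores are constructed similarity values in [0, 1]."""

# Constructed scores: genuine = live sample from the template's owner,
# impostor = live sample from a different person.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.80, 0.93, 0.60, 0.89, 0.97]
IMPOSTOR = [0.20, 0.35, 0.55, 0.62, 0.30, 0.41, 0.25, 0.75, 0.33, 0.48]


def accept(score, threshold):
    return score >= threshold


def far_frr(genuine, impostor, threshold):
    """FAR: fraction of impostors accepted. FRR: fraction of genuine users rejected."""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold; the EER is the point
    where FAR and FRR are closest. Returns (threshold, eer)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Operating point chosen by policy: the lowest threshold whose FAR is within
    budget, returned together with the FRR (user inconvenience) that it costs."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None
```

On the constructed scores the EER sits at a threshold of 0.72 with FAR = FRR = 10%; demanding zero false acceptances pushes the threshold to 0.80 and turns away 20% of genuine attempts, which is the cost a security policy has to weigh openly.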

Related terms:

Identity

False rejection rate

False acceptance rate

Equal error rate

Enrollment

Authentication

Access control

Network Access Control (NAC)

Network Access Control (NAC) is the process of securing a network to prevent unauthorized devices from connecting, and to ensure that devices with permission to connect can only do so after demonstrating they have not become a security risk.

Often used alongside endpoint security, NAC systems are concerned with devices and users that have legitimate rights on a network or system, but that operate disconnected for a while and then return.

Laptops, PDAs, smartphones and other portable devices can be scanned, authenticated and configured to use network resources securely, yet still be infected or otherwise compromised while used away from the secure network. Rather than admit a device that may be infected with a virus or other malware straight onto the production network, NAC software can place it in a restricted network with access only to the resources needed for remediation, until it has been scanned and certified as still secure. A device that cannot report its posture at all should be treated as unknown, not as clean.

Endpoint security makes the assumption that network or security managers will not be able to control the types of devices their users employ to get to computing resources and therefore have to find ways to secure the IT infrastructure against threats from relatively uncontrolled access devices.

Related terms:

Access control

Edge security

Authentication

Related links:

Primer: Network Access Control

NAC Attack: Today’s Products Will Fail, Report Says

NAC Will Fill a Big IT Security Gap

Smaller Players Filling NAC Void

Active Content

Active content is any kind of program code embedded in a Web page. JavaScript (including AJAX applications), Java applets and ActiveX controls are all commonly embedded in Web pages to add scrolling images or text, present maps, games or other content.

When a Web browser requests the page, the code downloads automatically and executes on the end user’s machine. Because the user cannot tell what the code will do before it runs, and because it runs with whatever privileges the browser’s sandbox allows (ActiveX controls in particular run as native code with the user’s full privileges), active content is a frequent security risk.

Related terms:

Java

ActiveX

AJAX

Sandbox

Trojan Horse

Related links:

Microsoft Licenses Its Audio Watermarking Tools to Activated Content

Microsoft Still Suffers Insecurity Complex

Data leak

A data leak is the unauthorized release of data from an organization or individual, whether through flaws in security procedures or the participation of people with legitimate access to the data. The term was derived from data leak prevention (DLP), a marketing term that became popular in 2006 to describe a variety of security mechanisms or products. Data leak has since come to mean any copying or access that leaves a copy of the data in unauthorized hands.

Unlike access control, which focuses on preventing illicit use of systems or data, DLP focuses on the data itself and on keeping it from being misused. Intrusion detection systems, encryption, network access control, access control and other techniques are often included in the DLP category. The goal of all of them, together with access restrictions that prevent data from being copied from its source to any but a few authorized destinations, is to keep data from passing through an organization’s egress points: Internet gateways, portable storage devices and any other channel by which data can leave a company’s premises. Network DLP inspects outbound content (email, Web uploads, file transfers) for patterns such as payment card or account numbers and blocks or quarantines the message when it matches.

DLP products are also marketed as ways to prevent employees from copying sensitive data to laptops, thumb drives, MP3 players and other devices with substantial data storage capacity that might not otherwise attract the attention of security.
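An outbound content check of the kind a network DLP gateway applies, as an added example (not code from the page or any product): scan a message for payment card numbers, validated with the Luhn checksum to cut false positives, and for US Social Security number patterns, then decide whether the message may leave. The messages are constructed; a real deployment would add its own data classes, such as customer account formats.

```python
"""Outbound content check of the kind a network DLP gateway performs (added example,
not from the page). Patterns: Luhn-validated payment card numbers and US SSN-shaped
identifiers. Messages are constructed."""
import re

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# AAA-GG-SSSS with the never-issued area (000, 666, 9xx), group (00) and serial (0000) excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the first six and last four digits in logs and alerts."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text):
    """Return (kind, masked_value) findings for the message body."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def egress_decision(text, max_findings=0):
    """Block when sensitive data is present; real products also quarantine for review."""
    findings = scan(text)
    return ("block" if len(findings) > max_findings else "allow"), findings


# Constructed outbound messages. 4111 1111 1111 1111 is a well-known test card number
# that passes Luhn; the ...1112 variant fails it and should not be flagged.
SAMPLE_MESSAGES = [
    "Hi, invoice attached. Order ref 20080115-0042.",
    "Use card 4111 1111 1111 1111 exp 12/09 for the deposit.",
    "That number was 4111 1111 1111 1112 (typo), ignore.",
    "Employee SSN 123-45-6789 for the benefits form.",
    "Test id 987-65-4321 is a placeholder.",
]
```

Only the second and fourth messages are blocked: the order reference is too short to be a card number, the mistyped card fails Luhn, and the 9xx area number is outside the issued SSN range. Those checks are what keep a DLP rule from drowning the security team in false positives.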

Related terms

Intrusion detection system (IDS)

Egress scanning

Egress content scanning

Access control

Endpoint security

Related links:

Security Vendor Brings Data Leak Prevention to IPv6

HIV Data Leak Spurs Security Restructuring at Drugmaker

New Report Chronicles the Cost of Data Leaks

Waiting for a Breach to Deploy Data Loss Prevention Can Prove Costly

Egress scanning

Egress scanning is the process of monitoring the data going out through an organization’s Internet gateway in order to determine whether the company’s computers have become inadvertent participants in attacks on other Internet sites. Most of the focus in IT security is on preventing hackers and malware from entering a company’s networks or systems, but the volume and variety of malware is so great that few organizations are able to filter it all out.

Many kinds of malware, a category that includes viruses, Trojan horses and other programs installed on a computer without the owner’s knowledge or consent, are designed to scan the victim’s machine for valuable data and send it over the Internet to the malware writer. Others are designed to take over a computer and allow it to be controlled from outside, usually so the perpetrator can use the machine to launch attacks on other machines.

Called ’bots, computers that have been taken over in this way become part of an unauthorized network of sometimes thousands of machines that can launch massive attacks against other sites without the attack being easily traced back to the perpetrator.

Egress scanners monitor a company’s Internet gateway for outbound traffic indicating that computers inside the company have been compromised and are being remote-controlled into attacks that could leave their owners legally liable. Typical indicators are connections to known command-and-control addresses or ports, regular “beaconing” to the same external host at fixed intervals, and bursts of tiny connections to many destinations. The same vantage point also catches malware sending stolen data out, which is why egress scanning and data leak prevention overlap.
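Three of the outbound indicators above, run over a constructed flow log, as an added example (not code from the page): a connection to the classic IRC command port, an outbound burst of tiny connections to many destinations (a host taking part in a flood or scan), and clockwork beaconing to one external host, which is also the command-channel behaviour the Botnet entry describes. The internal address range, the thresholds and the flow records are assumed.

```python
"""Egress-scanning rules over a constructed flow log (added example, not from the page).
Each flow is (unix_time, src, dst, dport, bytes); thresholds are illustrative."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed corporate range
SUSPECT_PORTS = {6667: "IRC (classic botnet command channel)"}
FANOUT_WINDOW = 60         # seconds
FANOUT_MIN_DESTS = 20      # distinct external destinations within the window
FANOUT_MAX_BYTES = 100     # tiny flows: connection attempts with no real payload
BEACON_MIN_FLOWS = 4
BEACON_MAX_JITTER = 0.1    # stdev / mean of inter-arrival times

# Constructed sample, not real traffic: one host checking in with an IRC server every
# minute, one host browsing normally, and (below) one host hammering 25 targets.
SAMPLE_FLOWS = [
    (1200000000, "10.0.1.15", "198.51.100.7", 6667, 64),
    (1200000060, "10.0.1.15", "198.51.100.7", 6667, 64),
    (1200000120, "10.0.1.15", "198.51.100.7", 6667, 64),
    (1200000180, "10.0.1.15", "198.51.100.7", 6667, 64),
    (1200000005, "10.0.1.22", "203.0.113.10", 80, 9800),
    (1200000300, "10.0.1.22", "203.0.113.11", 443, 15000),
    (1200000410, "10.0.1.22", "203.0.113.10", 80, 4200),
    (1200000900, "10.0.1.22", "203.0.113.12", 443, 800),
]
SAMPLE_FLOWS += [
    (1200000301 + i, "10.0.1.40", f"203.0.113.{50 + i}", 80, 60) for i in range(25)
]


def is_egress(src, dst):
    return ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL


def scan(flows):
    """Return sorted (src, reason) alerts for internal hosts showing compromise indicators."""
    alerts = set()
    by_src = defaultdict(list)
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if not is_egress(src, dst):
            continue
        # Rule 1: traffic to a known command-and-control port.
        if dport in SUSPECT_PORTS:
            alerts.add((src, f"outbound {SUSPECT_PORTS[dport]} to {dst}:{dport}"))
        by_src[src].append((ts, dst, nbytes))
        by_pair[(src, dst)].append(ts)

    # Rule 2: fan-out of tiny flows to many destinations inside a short window.
    for src, recs in by_src.items():
        small = sorted((ts, dst) for ts, dst, b in recs if b <= FANOUT_MAX_BYTES)
        for i, (ts0, _) in enumerate(small):
            dests = {d for ts, d in small[i:] if ts - ts0 <= FANOUT_WINDOW}
            if len(dests) >= FANOUT_MIN_DESTS:
                alerts.add((src, f"fan-out: {len(dests)} destinations in {FANOUT_WINDOW}s"))
                break

    # Rule 3: beaconing, i.e. near-constant inter-arrival time to one external host.
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < BEACON_MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER:
            alerts.add((src, f"beaconing to {dst} every ~{mean(gaps):.0f}s"))
    return sorted(alerts)


def flagged_hosts(flows):
    return sorted({src for src, _ in scan(flows)})
```

On the sample, 10.0.1.15 trips both the port rule and the beaconing rule, 10.0.1.40 trips the fan-out rule, and the normally browsing 10.0.1.22 stays quiet. The beaconing rule is the one worth keeping even after IRC fell out of favour with botnet operators: it keys on timing, not on any particular port or protocol.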

Related terms:

Access control

Data leak prevention

Botnet

Distributed Denial of Service (DDOS) attack

Related links:

PathControl Maps Best Egress Route

Remediation Software Automatically Detects Malware

Botnet

Botnet is a slang term referring to a network of computers that have been compromised by a virus, Trojan Horse or other malware, allowing the malware distributor to control the machines to launch attacks against other organizations.

Viruses or other malware arriving via email or direct transfer of infected files copy themselves onto a user’s hard drive, install themselves with as much privilege as they can obtain, and try to propagate to additional machines. Many hide their processes and files (rootkit techniques) from the process-monitoring tools typically available to users, so users may not realize their computer has been infected.

Botnet malware uses the compromised computer’s Internet access to listen on communication channels chosen by the perpetrator; classically these were specific Internet Relay Chat servers and channels, though later botnets also use HTTP or peer-to-peer protocols. The perpetrator sends commands over that channel to the bot software, which may be installed on thousands or tens of thousands of computers, so that they act in concert to launch Distributed Denial of Service (DDoS) attacks, brute-force password attacks or other exploits.

After the attack, bots that have not been discovered remain dormant until the next set of commands arrives. Because the command channel is hard to trace and the malware itself is distributed indirectly, it is extremely hard to track an attack back to the people responsible.

Originally used to launch exploits for bragging rights or personally motivated acts of online vandalism, botnets and botnet organizers are now often part of criminal networks that threaten attacks to extort money from victims, or take money from one organization to attack or harass another.

Related terms:

Distributed Denial of Service (DDoS)

Syn flood

Malware

Egress scanner

Anti-malware

Related links:

Video: Botnet Basics

MS06-040 Botnet Attack Reloaded

Keeping an Eye on Botnets

Police Raid Home of Suspected Botnet Ringleader

Hunt Intensifies for Botnet Command & Controls

Distributed Denial of Service (DDoS)

A distributed denial of service attack is a sudden flood of requests sent to one computer or Web site from hundreds or thousands of computers connected to the Internet in different locations, with the intent of exhausting the target’s bandwidth, connection tables or processing capacity so that it can no longer serve legitimate users or has to be taken offline.

DDoS attacks are often delivered by botnets, unauthorized networks of hundreds or thousands of computers infected with malware that forces them to obey commands of the malware’s owner, delivered by covert means.

By using thousands of machines to attack without their owners’ knowledge, an attacker can launch floods of requests so heavy that even the most powerful Web sites can be overwhelmed and have to shut down temporarily. Even when the site does not have to shut down, traffic from a DDoS attack can blanket the victim so heavily that legitimate requests cannot get through. Because the traffic arrives from many sources, each sending a modest amount, blocking or rate-limiting individual addresses does little; defenders rely on filtering upstream of the target and on having more capacity than the attack can consume.

Originally used to launch exploits for bragging rights or personally motivated acts of online vandalism, DDoS attacks from botnets and their organizers are now often part of criminal networks that threaten attacks to extort money from victims, or for competitive reasons.

Related terms:

Botnet

Malware

Virus

Organized crime

Firewall

Related links:

Anti-Spam Orgs Under DDoS Siege

DDoS Attack Knocks Out DoubleClick Ads

Spyware Critic Knocked Offline by DDoS Attack

DDoS Attacks for the Common Man

DDoS Attackers Raising the Bar

Hackers, Extortion Threats Shut Down Game Site

Worldwide Phishing Attacks May Stem from Few Sources

Honeypot

In computer security, a honeypot is a computer system or network deliberately exposed to attacks from hackers or other online sources in order to identify attacks and attackers without exposing a company’s critical data or systems.

Honeypots act as traps for attackers who believe they have broken into a sensitive system, allowing security managers to watch and record their techniques as the attackers try to take control of the honeypot and use it to launch attacks against higher-priority targets.

Honeypots can also enhance security simply by diverting attacks away from critical servers and onto expendable machines, or by appearing to be the best target for spam, diverting it from legitimate email servers. Honeypots are configured to look as much as possible like real corporate servers and to keep an intrusion attempt contained within the honeypot for as long as possible. Because a honeypot has no legitimate users, any traffic to it is suspicious by definition, which makes it a low-noise detector; the risk is that a compromised honeypot becomes a launch point, so its outbound traffic must be tightly controlled.

Honeypots can be individual servers, specific applications, unused IP addresses or network segments or other functional part of the IT infrastructure.

Related terms:

Malware

Hacker/Cracker

Intrusion detection system

Botnet

Related links:

Malware Honeypot Projects Merge

Honeypot Project: Unpatched Linux Systems Last Longer than Windows

Honeypot + Honeypot = Honeynet

HP Writes 'Good Worm'?

MS Researchers Tackle Automated Malware Classification

Unified Threat Management

Unified threat management (UTM) describes a category of firewall product that bundles a series of other functions in addition to basic packet filtering and access control, including spam filtering, intrusion detection, Web content filtering and other functions.

By combining several major security functions that operate at the Internet gateway, UTM products reduce the number of products security managers have to keep updated and maintained. The term was invented by analysts at IDC in 2004.

Related terms:

Anti-spam

Firewall

Web filter

Network Address Translation (NAT)

Related links:

Wave of New Security Products Arrives at Interop

Firewalls Gain Strength as Main Line of Network Defense

Endpoint security

Endpoint security is the practice of installing security software on laptops, smartphones, PDAs and other mobile devices but keeping security policies and security management centralized.

Endpoint security approaches grew out of the tendency of end users in an organization to use unsecured mobile devices to connect to protected corporate systems and applications, bypassing established security procedures. Endpoint security software provides anti-virus and other security functions on the mobile device itself. It also lets security managers set up a two-stage admission process that allows users to log in and reach their data, but keeps any security risks isolated until the mobile device has been scanned and approved for full access.
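The quarantine-then-admit flow described in the Network Access Control entry and the two-stage admission described here, as one added example (not code from the page or any product): a posture report from the device’s endpoint agent is checked against policy and mapped to a full-access VLAN, a remediation VLAN that can reach only the update servers, or no access at all. Field names, thresholds, VLAN numbers and the remediation subnet are hypothetical.

```python
"""Posture-based admission decision for a returning device (added example, not from
the page). Thresholds, subnet, VLAN numbers and field names are hypothetical."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Posture:
    host: str
    authenticated: bool         # user/device credentials accepted
    agent_running: bool         # endpoint security agent reported in
    av_signature_age_days: int  # age of the anti-virus signature set
    patch_level: int            # hypothetical build number reported by the agent
    disk_encrypted: bool


POLICY = {
    "max_av_signature_age_days": 3,
    "min_patch_level": 1042,
    "require_disk_encryption": True,
}

# Hosts a quarantined device may still reach: patch and AV update servers (hypothetical).
REMEDIATION_NETS = [ipaddress.ip_network("10.0.50.0/24")]
VLANS = {"full": 100, "quarantine": 999}


def assess(p, policy=POLICY):
    """Return (decision, reasons) where decision is 'deny', 'quarantine' or 'full'."""
    if not p.authenticated:
        return "deny", ["authentication failed"]
    if not p.agent_running:
        # Unknown posture is treated as risky, never as clean.
        return "quarantine", ["no endpoint agent; posture unknown"]
    reasons = []
    if p.av_signature_age_days > policy["max_av_signature_age_days"]:
        reasons.append(f"AV signatures {p.av_signature_age_days} days old")
    if p.patch_level < policy["min_patch_level"]:
        reasons.append(f"patch level {p.patch_level} below {policy['min_patch_level']}")
    if policy["require_disk_encryption"] and not p.disk_encrypted:
        reasons.append("disk not encrypted")
    return ("quarantine", reasons) if reasons else ("full", [])


def vlan_for(decision):
    """'deny' maps to None (the switch port stays closed); otherwise the VLAN to assign."""
    return VLANS.get(decision)


def quarantine_allows(dst):
    """Quarantine ACL: only the remediation servers are reachable."""
    return any(ipaddress.ip_address(dst) in net for net in REMEDIATION_NETS)


# Constructed devices checking in after time off the network.
SAMPLE = [
    Posture("lt-alice", True, True, 1, 1050, True),    # clean: full access
    Posture("lt-bob", True, True, 9, 1050, True),      # stale AV signatures: quarantine
    Posture("lt-carol", True, False, 0, 0, False),     # no agent: quarantine
    Posture("lt-dave", False, True, 0, 1050, True),    # bad credentials: deny
]
```

The ordering matters: authentication is checked before posture so an unauthenticated device never gets even the remediation network, and a silent agent lands in quarantine rather than in the clean pool. After the device updates on the remediation VLAN it re-reports and assess runs again.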

Related terms:

Network Access Control

Access control

Anti-virus

Related links:

TNC Endpoint Security Gains Traction

Security Seal for A/V-Network Interoperability

The 2008 Security Checklist

Smaller Players Filling NAC Void

Patch Management

Patch management is the process of acquiring, testing, installing and verifying software updates designed to repair errors and close security holes in software that has already been deployed.

As security risks have increased, vendors have increased the pace with which they issue patches to counter new risks. Corporate IT departments often establish special teams within IT departments to gather and test patches before distributing them, and to gather inventory data showing what applications they run, in what divisions, and what patches have been, or need to be applied.

Virus

A computer virus is a small piece of self-replicating software that installs itself clandestinely on a victim’s computer for malicious purposes. The virus either carries a malicious “payload” with it or downloads one after installation, in order to corrupt data or applications or to allow a third party to control the infected machine covertly.

Viruses are so widespread on the Internet that everything from e-mail to applications to images to graphics files must be scanned for possible infections. Some viruses are created purely for vandalism; others are created for financial gain.

Related terms

Anti-virus

Infection

Botnet

Related links:

Instability and Modern Anti-Virus Software

Managed Security Plugs Law Firm’s Virus Holes

New Virus Attack Technique Bypasses Filters

Spam Trojan Installs Own Anti-Virus Scanner

Penetration testing

Penetration testing, or pen testing, is the process of probing or actively attacking a system to verify that the security is effective or to expose previously unidentified weaknesses. Penetration-testing teams use all available documentation on the systems involved as well as the newest hacking techniques or tools.

Related terms:

Hack attack

Hacker

Security exploit

Related links:

Pen Testing in the Palm of Your Hand

Core Updates Automated Pen Testing

White Hat hacker

White hat hackers are members or former members of the hacking community who are not involved in data theft or illicit computer intrusion, but who often work as penetration testers and computer security consultants, using their hacking background and skills to counter the illegal efforts of “black hat” hackers.

White hat penetration test teams, also known as sneakers, tiger teams or red teams, use all available documentation and hacking tools to try to break into a client’s systems in order to expose security holes so the client can close them.

Despite avowals of “ethical” hacking only, many mainstream security managers are suspicious of white-hats, even those they hire to improve their own security. Identifying with the hacker community brings with it a cachet outside corporate IT departments and government agencies, but has the opposite effect within them.

“Gray hat” and “brown hat” are both terms used to describe hackers whose activity falls on both sides of an ethical line.

Related terms:

Hacker

Cracker

Penetration testing

Security evaluation

Cybercrime

Related links:

Microsoft’s Blue Hat Shows It’s Serious About Security

CIOs Learn Very Little From Security Audits

Putting a Face on Net Neutrality; Black Hat News

Vista, Rootkits Headline Hacker Confab

Social engineering

Social engineering is the term for any technique that exploits the carelessness of users, or manipulates them, to obtain information a hacker needs to break into a secured computer system.

Techniques include pretending to be a legitimate user in a phone call to the targeted company, collecting printouts of potentially sensitive information from the trash, befriending legitimate users or IT specialists and squeezing sensitive information out of them, or even walking into a company pretending to be an employee and plugging a laptop into an unsecured network port.

Related terms

Hacking

Fraud

Spoofing

Spoofing is any process in which a person or computer system pretends to be another in order to gain access to a secured system or to receive traffic meant for someone else. By bypassing authentication procedures and presenting the same data a legitimate user or system would present, attackers can, among other things, forge the source address of IP packets so that replies go elsewhere or so that the true origin of a flood is hidden, spoof Web sites or email senders so that users hand over credentials, and spoof people by pretending to be someone else over the phone. Forged IP source addresses can be caught at network boundaries by ingress and egress filtering, which drops any packet whose source address could not legitimately have arrived on the interface it came in on.
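The source-address filtering just mentioned, as an added example (not code from the page): a gateway drops packets arriving from the Internet that claim an internal or bogon source, and drops packets leaving an internal segment whose source does not belong to that segment. The interfaces, prefixes and sample packets are hypothetical.

```python
"""Anti-spoofing source-address filtering at a network boundary, in the spirit of
BCP 38 (added example, not from the page). Interfaces, prefixes and packets are
hypothetical."""
import ipaddress

# Which source prefixes may legitimately arrive on each interface of the gateway.
# None marks the Internet-facing side, where any source is allowed except our own
# space (a packet from outside claiming to be inside is spoofed) and bogon ranges.
INTERFACES = {
    "lan0": [ipaddress.ip_network("10.0.1.0/24")],
    "lan1": [ipaddress.ip_network("10.0.2.0/24")],
    "wan0": None,
}
OWN_SPACE = [ipaddress.ip_network("10.0.0.0/16")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(iface, src):
    """Return ('accept' | 'drop', reason) for a packet with source `src` seen on `iface`."""
    addr = ipaddress.ip_address(src)
    prefixes = INTERFACES[iface]
    if prefixes is None:                      # ingress filtering on the Internet side
        if in_any(addr, OWN_SPACE):
            return "drop", "external packet claims an internal source address"
        if in_any(addr, BOGONS):
            return "drop", "bogon source address"
        return "accept", "ok"
    if in_any(addr, prefixes):                # egress filtering on an internal segment
        return "accept", "ok"
    return "drop", f"source {src} cannot legitimately originate on {iface}"


# Constructed packets: (interface seen on, claimed source address).
SAMPLE_PACKETS = [
    ("wan0", "198.51.100.9"),   # ordinary Internet host
    ("wan0", "10.0.1.5"),       # forged: claims to be one of our own workstations
    ("wan0", "192.168.7.7"),    # bogon: private space arriving from the Internet
    ("lan0", "10.0.1.5"),       # legitimate internal host on its own segment
    ("lan0", "10.0.2.5"),       # address belongs to lan1, not lan0
    ("lan0", "203.0.113.4"),    # internal host forging an outside source (outbound spoof)
]


def dropped(packets):
    """The packets that would be dropped, each with the reason."""
    return [(iface, src, filter_packet(iface, src)[1])
            for iface, src in packets if filter_packet(iface, src)[0] == "drop"]
```

The egress half is the part most often skipped, yet it is what stops a compromised internal host from taking part in a spoofed-source flood against someone else; the ingress half protects your own address-based trust decisions.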

Related Terms

Access control

Fraud

White hat hacker

Authentication

Related links:

Opera Battles Spoofing in Latest Beta Release

Internet Explorer Spoofing Vulnerability Found

Another IE Spoofing Hole Found

Microsoft Patches Spoofing Flaw in ISA Server

Proxy

In computer security, a proxy is an intermediary: an end user or protected system sends Web requests, email or other traffic to the proxy, which forwards it to the original destination and relays the reply. Only the proxy is exposed to the Internet and its risks, so it conceals the identity and location of the users or systems behind it. That screen makes it harder for attackers to target specific users or machines, and it also makes it difficult for Web sites to collect data on end users, because the only address they see is the proxy’s. Because all traffic passes through it, a proxy is also a natural point for content filtering and logging; by the same token the proxy itself is a high-value target and must be hardened.

Related terms:

Firewall

Network Address Translation

Identity management

Related links

Proxy Architecture Extends Microsoft IM Platform’s Reach

Java Proxy Server Crack Can Let in Superuser Attackers

Layered security

In information technology, layered security is the tactic of using several different controls to secure the same system, so that if one is bypassed another can still halt the attempt. Layers could include physical security to keep intruders out of the building, perimeter security to keep risky traffic from entering the network, content filters that identify risky code once it begins operating inside the network, and an intrusion detection system to identify illicit activity within secured systems. The layers should fail independently: two products that rely on the same signature feed or the same password are not two layers.

Related links

VOIP Security Requires Layered Approach, Experts Say

New Security Survival Guide: How to Layer a Solid Defense