Information Security Glossary
A
Access Controls: 1. In security lingo, access control refers to the practice of granting only authorised individuals access to a resource (e.g., building, room, application, system and / or data). Generally, access controls provide the essential services of authentication, authorization, and accountability, where authentication validates an individual before permitting access to a resource, authorization defines the user's privileges and responsibilities with respect to a resource, and accountability tracks and records what an individual did while using the resource. 2. The process of limiting a user's right to use network resources based on positively identifying the user and allowing them specific use rights for information and network assets.
Accountability: a process that traces activities to a responsible source. Typically, accountability mechanisms track and record who, what, when, how, and sometimes why an individual or process accessed and / or made changes to data or a resource.
ActiveX: A loosely defined set of technologies developed by Microsoft for sharing information among different applications.
Anti-Spyware: refers to computer programs that are designed to detect and remove spyware from computers. Some of the more robust anti-spyware programs attempt to block spyware by preventing the installation of these programs on computers.
Anti-Virus: 1. A software program designed to identify and remove a known or potential computer virus. 2. Refers to computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware). Antivirus software typically uses two different techniques to accomplish this:
- Examining files to look for known viruses matching definitions in a virus dictionary
- Identifying suspicious behavior from any computer program that might indicate infection. Such analysis may include data captures, port monitoring and other methods.
Application Server: See server
Authentication: 1. a process or service to identify and verify an individual. 2. a systematic way of establishing proof of identity between two or more entities, such as users and hosts. Authentication is often a prerequisite to allowing access to network resources.
Authorization: defines an individual's rights and permissions to a resource. At WVU formal authorization occurs before an individual is granted access to a resource and is typically granted by the assignment of (1) an electronic account for use of computer resources, (2) an access card to enter buildings, floors, or rooms, (3) a procurement card for business purchases, etc. Another layer of authorization occurs after an individual or process successfully logs into a computer system. This authorization relies on the roles and responsibilities granted in the formal authorization to determine what an individual can do while using a particular resource.
Availability: Ensuring that information systems and necessary data are available for use when they are needed.
B
Backdoor Programs: A back door is a ‘secret’ access route into a system. Backdoor programs are computer programs that use this method to gain access to systems. Examples include viruses and/or Trojan horses which jeopardize network security and attempt to give malicious users access to a computer.
Backup: To create a copy of data as a precaution against the loss or damage of original data. Most users backup some of their files to disks or CDs, while most businesses utilize automatic backup software to make regular copies of some or all of the data contained on their computer networks.
Bandwidth: In computer networks, bandwidth is the amount of data that can be carried from one point to another in a given time period (usually a second).
Bit: Acronym for BInary digiT. The smallest unit of storage/size measurement. This measurement could apply to storage media size, or software program size.
Broadband: A broadband connection is a high-capacity, high-speed internet/network connection.
Bug: A programming error in a software program that can have unwanted side effects.
Business Limited (WVU Term): refers to data that is restricted to internal University use or use by University business partners. Due to internally or externally imposed constraints, access to this class of data requires a business need to know. The loss, corruption or unauthorized disclosure of this data may negatively impact the credibility and reputation of the University, its employees, students or business partners. It may also result in financial and operational losses. Business limited data includes, but is not limited to the WVUID, ability to display/use the WVU logo, content on Intranet pages, employer portion of payroll deductions, work schedules, etc.
Byte: Unit of storage measurement in computers. A byte is a single character. Also, a byte is 8 bits.
C
Cipher Text: The result of encrypting characters using an algorithm (complex mathematical calculation) to ‘scramble’ the text. Cipher text is unreadable until it is decrypted.
Clear Text: Data sent across the network, or stored on a computer in a clearly readable format. Anyone with a sniffer program can simply eavesdrop on the network or computer and read the data in this format.
Client: A client is a computer that receives data from or is controlled by another computer, called a server.
Communications Server: See server
Competitors: (WVU Term) may try to learn about development projects and retrieve customer lists.
Computer Virus: See virus
Confidential: 1. refers to the most sensitive data that the University collects and maintains. Consequently, it is intended for strict internal use. Due to legal or other internally or externally imposed constraints, access to confidential data requires specific authorization and a need to know. The loss, corruption, or unauthorized disclosure of this data may result in a violation of federal or state laws or regulations, University policies and/or contracts. It may also result in substantial damage to the University's credibility and reputation, as well as significant financial and operational losses. Confidential data includes, but is not limited to, protected health information, Social Security Number, driver's license number, and certain individual financial information (such as credit card numbers, bank account numbers, or credit history). Proprietary information, trade secrets and intellectual property data will be managed with the same level of protection as confidential data. 2. A characteristic of data that relates to how well it has been kept from unauthorized disclosure. Data that is confidential has only been accessed by authorized individuals.
Crack: a hacking program used to break the encryption of password files, to help a hacker gain unauthorized access to systems.
Cracker: A malicious hacker.
D
Database: A database is a collection of information that is organized so that it can easily be accessed, managed, and updated.
Database Server: See server
Data Center: A data center is a facility used to store a large amount of electronic equipment, typically computers and communications equipment.
Data Transmission: The electronic transfer of information from a sending device to a receiving device.
Day Extenders: Individuals who work in a traditional office by day, but go home to work at night and on weekends.
Default Password: Standard password incorporated into software or hardware by the manufacturer which is used to access the product for the first time.
Denial of Service: See DOS
Digital Subscriber Line: Digital Subscriber Line (DSL) is a technology that allows voice and high speed data transport over ordinary copper telephone lines.
Disgruntled Former Employees: These are employees who left the company with a grievance. They often look for ways to “get back” at the company.
Distribution List: A distribution list is a central email address that forwards messages to other addresses specified in the list.
DOD Data Erasure Standards: the Department of Defense Data Erasure Standards prescribe approaches for completely removing data and data remnants from computer storage media, particularly computer hard drives. These Standards refer to a process called file wiping. The file wiping process includes overwriting a file or its data, sometimes multiple times, to ensure its total deletion. Wiping a file is akin to shredding a document using a paper shredder. File wiping is the recommended data erasure technique, because files are not entirely deleted using most operating systems' default delete function. Typically, the standard delete function consists of marking the space occupied by the file as free and updating the file indexing system, leaving the actual file contents intact on the physical medium. If the file system continues to be used, eventually this space will be assigned to other files and overwritten. However, if the file system has not been used intensively since the file was deleted, recovery or forensic tools have a good likelihood of retrieving deleted data in part or in whole by accessing the medium at a low level.
DOS: denial of service is a type of attack on computer systems and networks designed to prevent access to information or interrupt the use of systems. DOS attacks often clog networks with so much traffic that authorized users cannot get through, or slow down network speeds so drastically that authorized data cannot be transmitted. Examples of some common types of DOS attack are SYN flood, Ping of Death, ICMP Nuke, smurf IP attack, finger bomb, and many others.
DSL: See Digital Subscriber Line.
Dumpster Diving: The act of looking through an organization's or individual's trash cans, dumpsters, or other collections of refuse to find any kind of useful information (like telephone lists, usernames, passwords, network diagrams, personal information about employees, etc.).
E
Electronic Account / Electronic Computer Account: a mechanism that allows individuals to identify themselves to a computer system or other entity for the purpose of accounting, security, logging or resource management. Most WVU electronic accounts consist of a user name or user id, and a password. However, some accounts require additional information, such as a biometric entry, a card or second password/code, or the correct answer to a secret security question.
Electronic Protected Health Information (ePHI): is any protected health information (PHI) which is created, stored, transmitted, or received electronically. Protected Health Information (PHI) under HIPAA refers to any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable anyone to determine the individual’s identity.
Identifiers
Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, alone or in combination with other information, to identify an individual:
- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- FAX number
- E-mail address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
The “e” in ePHI includes any medium used to store, transmit, or receive PHI electronically. Some examples include, but are not limited to:
- Personal Computers with their internal hard drives used at work, home, or traveling
- External portable hard drives, including iPods
- Magnetic tape or disks
- Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and floppy diskettes
- PDAs, smartphones
- Electronic transmission includes data exchange (e.g., email or file transfer) via wireless, Ethernet, modem, DSL or cable network connections.
Email Client: An application from which users can create, send, and/or read email messages.
Encryption: 1. The process of obscuring data to make it unreadable without special knowledge. Encryption involves the transformation of plaintext or clear text into cipher text. In theory, the cipher text can only be deciphered and read by individuals who have knowledge of the encryption algorithm and / or other information that permits the individual to decode the encrypted data. 2. Process of converting data from an easily understandable form to what appears to be random, useless gibberish, using mathematical processes that are difficult or impossible to duplicate without the knowledge of how the encryption was accomplished.
F
Fax Server: See server
File Server: See server
File Transfer: The process of moving data from one computer to another on a network.
File Wiping: is the process of overwriting a file, sometimes multiple times, to ensure its total deletion to ensure that all data and data remnants are removed. Wiping a file is akin to shredding a document using a paper shredder.
Firewall: 1. A hardware or software component that is used to filter data and communications. Some forms of firewalls protect network components, while others are limited to protecting one computer or laptop. 2. Software or hardware components that restrict access between a protected network and the Internet, or between other sets of networks, to block unwanted use or abuse.
G
Game Server: See server
Gigabyte: A gigabyte is a measure of computer data storage capacity and is “roughly” a billion bytes. A gigabyte is 2 to the 30th power, or 1,073,741,824 in decimal notation.
H
Hacker: An individual(s) who uses technical methods and social engineering techniques to gain access to computer systems without authorization, or to cause damage to systems and information. Some hackers claim to be benign, and simply want to understand the technical characteristics of the systems they hack; sometimes differentiated from a cracker.
HIPAA: Acronym for Health Insurance Portability and Accountability Act. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the US health care system. Reference: Electronic Protected Health Information (ePHI)
HTTP: Acronym for HyperText Transfer Protocol, the method by which information is transferred over the web by following a standard set of rules (called a protocol) for communicating and displaying HTML (web) pages.
I
IM: See Instant Messaging
Information Broker: an individual who sells information at a price, whether or not the information was obtained legitimately. For instance, if you wanted information on a competitor, you would go to an information broker with that request. The broker would set up the collection (again, legitimately or not) and then sell the obtained information to you.
Information Resources: Information resources include numerous forms of data as well as the software, hardware, systems, facilities, and personnel that support the collection, recording, processing, storage, retrieval, presentation, and transmission of information.
Instant Messaging (IM): IM software, such as AOL Instant Messenger, IRC (Internet Relay Chat), ICQ (I Seek You), and MSN messenger, lets you connect and communicate in real time over the internet.
Integrity: Data integrity is the assurance that data can only be accessed and altered by those authorized to do so.
Intrusion Detection Software (IDS): Intrusion Detection Systems are complex software programs which detect break-in attempts by reviewing information located on a network.
I S³PACE: Acronym for Information Security, Services and Systems Promoting Awareness, Communication and Education. This group is an information security collaborative that promotes information security practices throughout the University. Units currently participating in the collaborative include the Information Security Program, Financial Systems, Office of Information Technology, Student Affairs and Web Services.
J
K
L
Least Privilege Principle: a security principle that requires each individual or process to be granted the most restrictive set of privileges needed for the performance of authorized job duties or tasks. The application of this principle limits the damage that can result from accident, error or unauthorized access and/or use of a resource. The least privilege principle is sometimes referred to as the “need to know” principle.
LMS: Acronym for Learning Management System
M
Malicious code: Malicious code is any code added, changed or removed from a software system in order to intentionally cause harm or subvert the intended function of the system. Traditional examples of malicious code include viruses, worms, and Trojan Horses.
Malware: is software designed to infiltrate or damage a computer system without the owner’s knowledge and / or consent. It is a blend of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
Mobile Device (or Mobile Technology Device): refers to any device that is used to carry and/or transport data from one location to another. Common mobile devices include, but are not limited to, laptops, BlackBerry devices, cell phones, personal digital assistants (PDAs), Universal Serial Bus (USB) drives (also called jump drives or thumb drives), Compact Discs (CDs), other disks and portable drives.
N
Need to Know: See the Least Privilege Principle.
Network: A configuration of communications equipment and communication links by network cabling or satellite, which enables computers and their terminals to be geographically separated, while still connected to each other.
Network Drive: a central repository (typically server or computer storage media) that is designed to house files, software and other items.
O
P
Pass-Phrase: Similar to a password, except a pass-phrase uses a combination of multiple words and numeric values. For example, Sunny2Day.
Password Cracking: The process of using specialized tools to break the encryption of passwords on a computer or to otherwise break the security features of password authentication.
Patch: in computing, a patch is a small piece of software designed to update or fix problems with a computer program or application. This includes fixing errors (bugs), improving usability, performance and / or security.
Payment Card Industry (PCIDSS) –
PBX (Private Branch Exchange): refers to the privately owned circuit switch that serves as a branch of the switching equipment found at the central exchange office of the telephone company.
PDA (Personal Digital Assistant): a small handheld computer. PDAs use many of the same applications that laptops use, such as spreadsheets and word processing. Some PDAs allow you to connect to the internet to browse the web or download email.
Phreakers: Telephone fraudsters are called “phreakers”. They use various methods to obtain telephone services without paying for them; they also use telephone scams for financial gain. Many of the methods used by phreakers involve social engineering rather than skills.
Piggy-backing: Another way for strangers to gain access to a facility. Piggybacking happens when people enter through a door that requires a key-card or electronic pass to open. Someone entering right behind you after you’ve displayed your badge or key-card is a “piggy-backer”.
Proprietary Information: Proprietary Information is private information developed and exclusively owned by an individual or company. This information is not known by others nor is it a part of a public domain.
Protected Health Information (PHI): See Electronic Protected Health Information for a detailed description of PHI. PHI refers to any form of protected health information.
Public: refers to data that is available to the entire University community and the public. Generally, the unauthorized disclosure of public data would not have an adverse impact on the University, its employees, students, or business partners. However, unauthorized changes could potentially impair and/or impact the availability and/or integrity of public data. Some examples of public data include course syllabi, content on Internet Web pages, seating templates for athletic events, etc.
Q
R
Remote Worker: See telecommuter
Removable Storage: Computer storage media, such as disks, tapes, CDs etc., that can easily be removed from a computer and moved to another location or used in another computer.
Replicate/Replication: is the process of duplicating data from one database to another.
S
SANS: System Administration Network Security
Script Kiddie: a person who aspires to be a hacker/cracker but has limited knowledge or skills related to computer systems penetration; usually associated with young teens who collect and use simple malicious programs obtained from the internet. Also called an “ankle biter”.
Scripting Languages: Scripting languages are computer programming languages which are used to accomplish specific purposes; for example, controlling the processing of information between two computers. Common scripting languages include Java, JavaScript, and ActiveX.
Secure Sockets Layer: See SSL
Secure Virtual Private Tunnels: See VPN
Server: 1. A server is a computer that organizes the communication and exchange of data with other computers over a network. Servers can be used to supply services such as email, web browsing, and access to a file on a local network or the Internet. 2. In information technology, a server is a computer system that provides services to other computing systems (called clients) over a network. Some examples of server types include:
- Application server: a server dedicated to running certain software applications
- Communications server: carrier-grade computing platform for communications networks
- Database server: provides database services
- Fax server: provides fax services for clients
- File server: provides file services
- Game server: hosts online games for one or multiple users
- Standalone server: an emulator for client-server (web-based) programs
- Web server: hosts web pages and applications. Technically a Web server is a server that HTTP clients connect to in order to send commands and receive responses along with data contents.
Smart Card: About the size of a credit card, a smart card is a plastic card with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments and other computer applications.
Sniffer: A utility that monitors and can intercept network transmissions from one computer to another.
Sniffing: The monitoring of network traffic using a sniffer. It can be done legitimately by network administrators to analyze network performance and/or usage, or it can be used for malicious purposes by hackers to intercept and capture information being transmitted.
Social Engineering: the process of extracting sensitive or confidential information from poorly trained or unaware users, and using the information to gain access to computer networks.
Social engineering attacks rely on psychological truisms like the tendency of people to answer direct questions they do not expect, or the tendency of people to help someone that seems to be in distress. Hackers often employ this technique to gather information.
Spam: unsolicited email (electronic junk mail).
Spyware: 1. A broad category of software designed to intercept data or take partial control of a computer’s operation without the informed consent of that machine’s owner or user. While intercepting data, spyware can collect many different types of information about a user. More benign forms of spyware attempt to track what types of websites a user visits and send this information to an advertisement agency. The more malicious versions try to record what a user types in order to intercept passwords, credit card numbers or other information. Yet other versions simply launch popup advertisements. 2. Programs that have the ability to scan systems or monitor activity and relay information to other computers or locations in cyberspace. Among the information that may be actively or passively gathered and disseminated by spyware: passwords, log-in details, account numbers, personal information, individual files or other personal documents.
Standalone Server: See server
Strong Password: a password that follows formulation and complexity rules, such as minimum length requirements, number and character composition, prohibition of dictionary words, enforcement of expiration dates and other techniques, that make it difficult for unauthorized users to guess or derive.
SSL (Secure Sockets Layer): Secure Sockets Layer (SSL) allows for mutual authentication between a client and server and the establishment of an authenticated and encrypted connection.
T
Technology Resource: includes numerous forms of devices that support the collection, recording, processing, storage, retrieval, presentation, and transmission of information. Some examples include, but are not limited to, computers, laptops, cell phones, PDAs, electronic card readers, data storage devices and media, etc.
Telecommuter: someone who works in a home office, sales people who are constantly “on the road”, and support people who reside at a customer site.
Trojan Horse: a program disguising itself as something other than what it is. For example, a game downloaded from the internet that secretly sends out data from your computer. It has hidden features that do unknown or unauthorised things.
U
University Applications and Systems: includes, but is not limited to, GroupWise mail, the Library Voyager system, MAP/ORACLE financials and human resource system, MIX student communication portal, STAR/BANNER student system, VISTA, and University E-Commerce, as well as departmentally sponsored applications/systems (Web pages, databases and others).
User Account: A user account contains information about a user, including an account name, a password and a set of access permissions for networked resources.
V
.vbs: File extension of Visual Basic Scripting files.
Virtual Private Network: See VPN.
Virus: 1. A program that is able to replicate itself into other programs or host files. It may cause your computer to display a message, delete files on your computer or insert malicious or damaging information. 2. A self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user. Though the term is commonly used to refer to a range of malware, a true virus must replicate itself, and must execute itself. While viruses can be intentionally destructive (destroying data, for example), some viruses are benign or merely annoying.
Virus Definitions: Virus definition files are offered by software vendors to update protection against the latest viruses, worms, Trojan Horses and other security risks.
VPN (Virtual Private Network): 1. Virtual Private Networks (VPNs) allow private use of a public network. They enable mobile computers and other devices to connect to a company's private network. 2. A private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network. The tunnels protect the data from unauthorized access during data transmission.
Vulnerability: A flaw or weakness in the design, implementation, internal controls or procedures of an information system which could be exploited to gain unauthorized access to information or disrupt critical processing.
W
Web Server: See server
WiFi: Short for “Wireless Fidelity”: WiFi refers to certain types of high-frequency wireless local area networks based on specific industry standards (IEEE 802.11b).
Wireless: Radio-based systems that allow transmission of information without a physical connection, as opposed to transmission systems, which require a physical connection, such as, copper wire or optical fiber.
Worm: a program that distributes itself across computers, taking advantage of existing features of computer programs. Worms may also contain a virus that could destroy information on your computer.
X
Y
Z