test Flashcards
802.1X
802.1X (or EAP [Extensible Authentication Protocol]) is an authentication standard, developed to allow remote, wireless, and wired authentication to be centrally managed. A client device such as an access point passes authentication information to a RADIUS server on the wired network for validation. The authentication information could be a user name and password or could employ smart cards or tokens.
AAA
Authentication, Authorization, and Accounting - the principal stages of security control. A resource should be protected by all three types of control.
Access Control
Creating one or more barriers around a resource such that only authenticated users can gain access. Each resource has an Access Control List (ACL) specifying what users can do. Resources often have different access levels (for example, being able to read a file or being able to read and edit it).
Account Expiration
Some user accounts may be created to allow only temporary access (for guest users, contractors, temporary staff, and so on). These accounts may be set to expire after a certain amount of time, eliminating the possibility that they will be forgotten about and act as possible system backdoors.
ACL (Access Control List)
The permissions attached to or configured on a network resource, such as folder, file, or firewall. The ACL specifies which subjects (user accounts, host IP addresses, and so on) are allowed or denied access and the privileges given over the object (read only, read/write, and so on).
Adware
Software that records information about a PC and its user. Adware is used to describe software that the user has acknowledged can record information about their habits. For example, an online store might record past purchases and display prominent advertisements to market new products based on the user’s purchase history.
AES (Advanced Encryption Standard)
Modern encryption suite providing symmetric encryption (the same key is used to encrypt and decrypt). AES is a very strong cipher with many applications, including being part of the WPA2 Wi-Fi encryption scheme.
ALE (Annual Loss Expectancy)
The amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO).
Algorithm
Any defined method of performing a process but in encryption, the term specifically refers to the technique used to encrypt a message. The strength of an algorithm depends to a large extent on the size of its key (the code that enables a message to be encrypted or decrypted). A minimum key size of 2048 bits is considered secure by NIST. There are a number of algorithms in use for different types of encryption. Some of the main technologies are SHA-1 and MD5 (hash functions), 3DES, AES, RC (Rivest Cipher), IDEA, Blowfish/Twofish, and CAST (used for symmetric encryption [where the same key is used to encrypt and decrypt]), and Diffie-Hellman, RSA, ElGamal, and ECC (used for asymmetric encryption, where two linked keys are used).
Antenna
Specially arranged metal wires that can send and receive radio signals. These are used for radio-based wireless networking. For WLANs, antennas are small and short-range (~45m [150 feet] indoor range) and generally send and receive in all directions (omni-directional). The antennas are built into the WLAN adapter or AP (in the case of portables the wires are often integrated into the chassis). More powerful directional antennae (such as the type used for receiving TV broadcasts) can be used for point-to-point connections (such as between buildings).
Anti-spam
Techniques to prevent a user from being overwhelmed with spam (junk email). Spam can be blocked from reaching an organization using a mail gateway to filter messages. At the user level, software can redirect spam to a junk folder (or similar). Anti-spam filtering needs to balance blocking illegitimate traffic with permitting legitimate messages. Anti-spam techniques can also use lists of known spam servers (blacklists).
Anti-virus
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on. Antivirus software works on the basis of both identifying malware code (signatures) and detecting suspicious behavior (heuristics). Anti-virus software must be kept up-to-date with the latest malware definitions and protect itself against tampering.
API (Application Programming Interface)
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
Application Hardening
The basic steps in making an application secure (hardening) are to configure access control and permissions on the application data and functions and to set up a monitoring and maintenance program, so that events are logged and the application is patched against software exploits.
APT (Advanced Persistent Threat)
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.
ARP Poisoning
The Address Resolution Protocol (ARP) maps IP addresses to network interfaces (MAC addresses). ARP poisoning means injecting a false IP:MAC lookup into the victim’s ARP cache. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.
Asymmetric Algorithm
An asymmetric cryptographic algorithm uses different keys (public and private; the keys are linked but the private key is not derivable from the public one). The most popular type of asymmetric cryptography (RSA) is based on the fact that factoring large numbers to discover whether they are prime (a number that is only divisible by itself and 1) is difficult. If there were a breakthrough in mathematics that made factoring large numbers less computationally intensive, the security of these cryptographic products would be broken. Elliptic Curve Cryptography (ECC) is a different means of creating key pairs such that it is easy to determine that the keys are linked but very difficult to determine one key from the other. The other advantage of ECC is that the algorithm is more efficient, allowing smaller keys to give the same level of security as larger RSA keys.
Attack Surface
Attack surface is the degree of exposure a network or piece of software has to attack. For example, the more ports a server has open or the more features installed under an OS, the greater the likelihood of an attacker finding a vulnerability.
Auditing
Windows and other operating systems provide the ability to track system and file access and usage and report this activity to a log file. The administrator can use this trail to track appropriate (or inappropriate) access of resources.
AUP (Acceptable Use Policy)
An acceptable use policy usually governs employees’ use of company equipment.
Authentication
A means for a user to prove their identity to a computer system. Authentication is implemented as either something you know (a user name and password), something you have (a smart card or key fob), or something you are (biometric information). Often, more than one method is employed (2-factor authentication).
Availability
Availability is the principle that something should not be so secure that it is completely inaccessible. A practical example is a password policy that forces users to adopt unsecure practices (such as writing their password on a post-it attached to their monitor). Another example is providing key recovery or escrow so that encrypted data can be recovered if the encryption key is lost or damaged. Availability also involves protecting a resource against loss or damage or DoS attacks.
Backdoor
A remote administration utility providing a means of configuring a computer. Remote admin software may be installed intentionally, in which case it must be properly secured. Backdoors may also be installed by malware.
Backup
Recovery of data can be provided through the use of a backup system. Most backup systems provide support for tape devices. This provides a reasonably reliable and quick mechanism for copying critical data. Different backup types (full, incremental, or differential) balance media capacity, time required to backup, and time required to restore.
Beaconing
A means for a network node to advertise its presence and establish a link with other nodes. Legitimate software and appliances do this but it is also associated with Remote Access Trojans (RAT) communicating with a Command & Control server.
Behavior-based Monitoring
Software that monitors a system for malware infection, intrusion detection, or performance may be configured to recognize baseline behavior and (conversely) alert the administrator to anomalous behavior. This usually works by compiling a statistical profile of expected behavior then configuring thresholds beyond which the system generates an alert (an anomaly). This sort of system requires expert tuning to minimize false negative and false positives.
BIA (Business Impact Analysis)
A risk assessment will identify a range of threats and for each significant threat perform a Business Impact Analysis (BIA) to determine the likelihood of the threat exploiting a vulnerability and the cost to the business should a vulnerability be exposed.
Big Data
Large stores of unstructured information. As well as volume, big data is often described as having velocity, as it may involve the capture and analysis of high bandwidth network links.
Biometric
Identifying features stored as digital data can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires the relevant scanning device, such as a fingerprint reader, and a database of biometric information (template).
Birthday Attack
A cryptographic function may produce collisions (where the function produces the same output for two different inputs). These may be connected to weak keys. The birthday paradox means that these collisions are less computationally intensive to attack than pure brute force (that is, you do not need to try every possible permutation to discover a weakness).
Blackhole
A blackhole is a means of mitigating DoS or intrusion attacks by dropping (discarding) traffic.
Bluejacking / Bluesnarfing
Bluetooth is a short-range radio-based connectivity protocol used by many peripherals, cell phones, and smartphones. Bluejacking refers to sending someone an unsolicited message or picture message using a Bluetooth connection; bluesnarfing refers to hijacking a Bluetooth device using some software exploit.
Botnet
A network of computers that have been compromised by Trojan / rootkit / worm malware. Provided the botnet can also subvert any firewalls between the controller (or “herder”) and the compromised computers (“zombies”), they can be remotely controlled and monitored using covert channels. The Internet contains botnets of many millions of computers and their exploitation (mostly to send spam or for identity theft) is a robust part of the “shadow” economy.
BPA (Business Partners Agreement)
While there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers.
Buffer Overflow
Where a software program accepts input from the user, if the programmer has not created a routine to validate the input, it may be possible for an attacker to exploit this and overfill the program’s buffer (memory used by the program). This can allow the attacker to crash the system or execute arbitrary code (such as a virus).
Business Continuity Plan (BCP) / Continuity of Operations Plan (COOP)
A business continuity plan is designed to ensure that critical business functions demonstrate high availability and fault tolerance. Typically, this is achieved by allowing for redundancy in specifying resources. Examples include cluster services, RAID disk arrays, UPS. Business continuity plans should not be limited to technical elements however; they should also consider employees, utilities, suppliers, and customers. Associated with business continuity is the disaster recovery plan, which sets out actions and responsibilities for foreseen and unforeseen critical incidents.
BYOD (Bring Your Own Device)
Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.
CAC (Common Access Card)
An identity and authentication smart card produced for Department of Defense employees and contractors in response to a Homeland Security Directive.
CAN (Controller Area Network)
A serial network designed to allow communications between embedded programmable logic controllers.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
A CAPTCHA is an image of text characters or audio of some speech that is difficult for a computer to interpret. CAPTCHAs are used for purposes such as preventing “bots” from creating accounts on web forums and social media sites to spam them.
Captive Portal
Secondary authentication mechanism for open access points. On connecting, the user’s browser is redirected to a server to enter credentials (and possibly payment for access).
CAR (Corrective Action Report / Request)
A formal response setting out the plan to correct a defect in a system, such as a security vulnerability. This type of report or request may be implemented as part of a wider Failure Reporting, Analysis and Corrective Action System (FRACAS).
Certificate
A public key that has been certified by some agency, validating that the owner of the key is really who he says he is. This allows a sender to encrypt a message using the public key in the knowledge that only the recipient will be able to read it (using their linked private key). Certificates can also be used as proof of identity (for authentication or signing documents). Most certificates are based on the X.509 standard though PGP web of trust certificates are also popular.
Chain of Custody
Documentation attached to evidence from a crime scene detailing when, where, and how it was collected, where it has been stored, and who has handled it subsequently to collection.
CHAP (Challenge Handshake Authentication Protocol)
Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.
CIRT (Cyber Incident Response Team) / CERT (Computer Emergency Response Team)
Team with responsibility for incident response. The CIRT must have expertise across a number of business domains (IT, HR, legal, and marketing for instance).
CIS (Center for Internet Security)
A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).
CISO (Chief Information Security Officer) / CIO (Chief Information Officer)
Typically the job title of the person with overall responsibility for information assurance and systems security.
Classification
Any significant data resource or documentation should be classified. In a mandatory access control system, information is formally classified with labels such as “Top Secret”, “Secret”, and “Confidential”. In a discretionary or role-based access control system, resources are classified using Access Control Lists. These show what permissions (or rights) given users or groups have on the resource. One of the critical points distinguishing access control models is how a resource’s classification can be changed. This will generally require some process of notification (at the very least, the change should be logged).
Cloud Computing
Any environment where software (Software as a Service and Platform as a Service) or computer / network resources (Infrastructure as a Service and Network as a Service) are provided to an end user who has no knowledge of or responsibility for how the service is provided. Cloud services provide elasticity of resources and pay-per-use charging models. Cloud access arrangements can be public, hosted private, or private (this type of cloud could be onsite or offsite relative to the other business units).
COBIT (Control Objectives for Information and Related Technologies)
An IT governance framework with security as a core component. COBIT is published by ISACA and is a commercial product, available through APMG International.
Code of Ethics
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values they expect their employees to practice.
Comparative Strength of Algorithms
The choice of encryption algorithm is mostly driven by application (for example, symmetric encryption is the best choice for file or folder encryption for performance reasons). The basic measure of strength within an algorithm is the key size. Most current algorithms support key sizes of 128-bit or better. Most cryptography suites are open to independent analysis but this is no guarantee that they will remain secure indefinitely. It is also important to note that while an algorithm may be secure, its implementation in a particular product may not.
Configuration Baseline
Settings for services and policy configuration for a server operating in a particular application role (web server, mail server, file/print server, and so on). In Windows, the current configuration can be compared to the baseline defined in a security template using the Security Configuration and Analysis tool.
Continuous Security Monitoring
Typically, security is only seriously investigated after some sort of incident. Continuous security monitoring refers to a proactive approach to performing risk assessments, checking audit logs, and reviewing threat sources. This reduces risk but requires either a particularly sophisticated intrusion detection system or the manpower to review logs and other security metrics.
Cookie
Text file used to store information about a user when they visit a website. Some sites still use cookies to support user sessions. This type of site can be vulnerable to replay attacks, where an attacker obtains a user’s cookies and resends the session information.
Cryptographic Access Control
Cryptography is the basis of most “Something You Have” authentication systems. The user is given a smart card that stores a digital certificate issued to the user by a certificate authority. To authenticate, the user presents the card to the reader and inputs a PIN (which protects against use of a stolen card).
Cryptographic Algorithm
A cryptographic algorithm is a mathematical function that transforms plaintext into ciphertext in such a way that the plaintext cannot be recovered without knowledge of the appropriate key. A symmetric algorithm uses the same key for encrypting and decrypting; an asymmetric algorithm uses different keys (public and private; the keys are linked but one is not derivable from the other). A hashing algorithm is one-way only; once encrypted, the ciphertext cannot be decrypted.
Cryptographic Confidentiality
Cryptography can provide message confidentiality because the message can only be read by someone in possession of the correct key. The main problem with this is secure distribution of the key. Typically asymmetric encryption is used to distribute keys. As asymmetric algorithms are processor and memory intensive, they are not suitable for encrypting long messages.
Cryptographic Integrity and Authentication
It is often important to prove that a message has not been modified in transit and to confirm the identity of the sender. This can be done using a cryptographic digital signature. This is typically achieved using a hash function. If both sender and receiver use the same hash function on the same message, they should derive the same value (a message digest). The message digest is also encrypted using an asymmetric algorithm and the sender’s private key. The recipient uses the sender’s linked public key to decrypt the hash. This provides authentication, as only the sender (the possessor of the private key) could have encrypted the message in this way. This also provides non-repudiation (that is, the sender cannot deny creating and sending the message).
Cryptographic Standards
The most important set of standards governing cryptography are the PKIX RFCs for digital certificates and PKI. Many cryptographic applications have been developed from RSA’s PKCS. Cryptographic products may be certified by Common Criteria and FIPS.
CVE (Common Vulnerabilities and Exposures)
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
DAC (Discretionary Access Control)
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).
Data Emanation
Unless shielded, all electrical cabling “leaks” signals to some extent. However, data emanation is more of a concern for wireless media, as the signals can be received for a considerable distance and shielding / containment is not a realistic option in most environments. Consequently, it is imperative that wireless communications use a strong encryption system.
Database
Most network applications utilize databases. Major database server products include Oracle, Microsoft SQL Server, IBM’s DB2 and Informix, and Sybase. Many databases are operated using Structured Query Language (SQL, pronounced “sequel”). The freeware MySQL database is a popular choice to provide database functionality on websites. Database engines are often subject to software exploits, and so should be kept patched. Database design, programming, and administration are complex, and security should be considered a critical requirement.
DBA (Database Administrator)
The IT role responsible for the configuration, management, and support of database applications.
Default Account
Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access. It is good practice to rename the Windows administrative account and on UNIX / Linux to leave the “root” system owner account unused.
DES (Data Encryption Standard)
Symmetric encryption protocol. DES and its replacement 3DES are considered weak in comparison with modern standards, such as AES.
DHCP (Dynamic Host Configuration Protocol) Server
A service that provides dynamic allocation of IP addresses to appropriately configured clients. It is important to monitor the network to ensure that only valid DHCP servers are running on the network.
dig (Domain Information Groper)
Tool for querying DNS server records.
Directory Services
Directory services provide general and security information (permissions) for network users and objects. Most directory services are based on the LDAP standard. The directory server is a critical point of failure for most networks; without it clients cannot log on. Most networks are configured with backup servers. It is also important to configure access control on the server to ensure that directory information can only be modified by authorized personnel.
Disaster Recovery Plan
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents. The recovery plan may also provide for practice exercises or drills for testing and to familiarize staff with procedures. As well as facilitating a smooth transition in the event of disaster, plans must stress the importance of maintaining secure systems.
Disposal
Disposal refers to both information security and environmental damage issues when decommissioning out-of-date or used systems. A disposal policy should set out what information should be disposed of securely (for example, by shredding paper documents or CDs or by erasing magnetic media). Many PCs, components, and consumables can be disposed of through recycling schemes, reducing the pressure on landfill sites and minimizing the environmental impact of any toxic products used in their manufacture.
DLP (Data Loss Prevention)
Data Loss (or Leakage) Prevention (DLP) is software that can identify data that has been classified and apply “fine-grained” user privileges to it (preventing copying it or forwarding by email, for instance).
DMZ (Demilitarized Zone)
A private network connected to the Internet must be protected against intrusion from the Internet. However, certain services may need to be made publicly accessible from the Internet (web and email for instance). One solution is to put such servers in a DMZ. The idea of a DMZ is that traffic cannot pass through it. If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy. It takes the request and checks it. If the request is valid, it re-transmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ. A DMZ is implemented using either two firewalls (screened subnet) or a single three-legged firewall (one with three network ports).
DNS (Domain Name System)
This industry standard name resolution system provides name to IP address mapping services on the Internet and large intranets.
DNS Harvesting
Using Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).
DNS Servers
DNS allows for mapping of human-readable resource names to numerical IP addresses. DNS is a hierarchical, distributed database. DNS name servers host the database for domains for which they are authoritative. Root servers hold details of the top-level domains. DNS servers also perform queries or lookups to service client requests. The DNS protocol defines the mechanisms by which DNS servers and clients interact. The DNS protocol utilizes TCP/UDP port 53. It is essential to ensure that clients utilize a reliable DNS server, to prevent spoofing attacks. A DNS server also needs to be protected against footprinting, DoS, and cache pollution (poisoning) attacks.
Domain Name Kiting
There are various ways of exploiting the domain name registration process. Kiting refers to continually registering a name without having to pay for it. Tasting involves registering a domain temporarily to see how many “hits” it generates while hijacking and cybersquatting are means of occupying a domain of some trusted brand or company.
DoS (Denial of Service)
A network attack that aims to disrupt a service, usually by overloading it. A Distributed DoS (DDoS) attack uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.
Due Process
Due process is a term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land. More generally, due process can be understood to mean having a set of procedural safeguards to ensure fairness. This principle is central to forensic investigation.
Dumpster Diving
A “social engineering” technique of discovering things about an organization (or person) based on what it throws away.
EAP (Extensible Authentication Protocol)
Framework for negotiating authentication methods, supporting a range of authentication devices. EAP-TLS uses PKI certificates, Protected EAP (PEAP) creates a TLS-protected tunnel between the supplicant and authenticator to secure the user authentication method, and Lightweight EAP (LEAP) is a password-based mechanism used by Cisco.
Embedded System
A computer system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.
EMI (Electromagnetic Interference)
EMI sources (such as fluorescent lights, air conditioning, and power cables) can corrupt signals. Copper cabling and radio transmissions can be affected by EMI, though cable shielding can be employed in problem areas.
EMP (Electromagnetic Pulse)
A high intensity burst of electromagnetic radiation, such as that produced by a nuclear explosion or ElectroStatic Discharge (ESD).
Escalation
In terms of privilege management, escalation (or elevation) is where a user gains additional privileges without authorization. This may happen because the user is able to exploit the privilege management system design to change his or her privileges. It can also be a result of software exploits, which can crash the system and give the user administrative or root privileges.
ESN (Electronic Serial Number)
A number that uniquely identifies a mobile device, similar to a network adapter MAC address. ESNs have been replaced for CDMA-based devices by MEID (Mobile Equipment ID). GSM/UMTS/LTE devices are identified by an IMEI (International Mobile Station Equipment Identity).
Evil Twin
In an evil twin attack, the attacker creates a malicious wireless access point masquerading as a genuine one, enabling the attacker to harvest confidential information as users connect via the AP.
Extranet
A network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.
Failsafe / Failopen
An electronic lock requires a power source. If the power source fails, a lock can fail in one of two ways. Failsafe (or fail-secure) means that the door will be locked (and cannot be unlocked) while failopen means the door will be open.
False Positive / False Negative
Error in monitoring or identification technology that either reports an event as an incident when it is not (false positive) or does not report an event as an incident (false negative).
Firewall
Hardware or software that filters traffic passing into or out of a network (for example, between a private network and the Internet). A basic packet-filtering firewall works at Layers 3 and 4 (Network and Transport) of the OSI model. Packets can be filtered depending on several criteria (inbound or outbound, IP address, and port number). More advanced firewalls (proxy and stateful inspection) can examine higher layer information, to provide enhanced security.
First Responder
The critical first steps to take when a security incident is discovered. General staff should be trained to identify an incident and report it. The response to the incident will be governed by policy.
Flood Guard
A firewall or IPS that prevents DDoS attacks where multiple compromised “bots” attempt to deny network connectivity by flooding it with malicious packets. Another type of flood guard might be deployed to protect against broadcast loops in layer 2 (MAC) and layer 3 (IP) segments.
Forensics
The process of gathering and submitting computer evidence to trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified. The key points in collecting evidence are to record every step and action, to gather appropriate evidence, and to bag evidence. To preserve evidence correctly, it should be stored securely. Any investigation should be done on a copy of the digital files, not the originals. Each piece of evidence must be accompanied by a chain of custody form, detailing when, where, and how it was collected, where it has been stored, and who has handled it subsequently to collection.
FTK (Forensic Tool Kit)
Commercial digital forensics investigation management and utilities suite, published by AccessData.
FTP (File Transfer Protocol)
A protocol used to transfer files across the Internet. Variants include S(ecure)FTP and T(rivial)FTP. FTP utilizes ports 20 and 21.
Full Disk Encryption
Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself. Used with a strong authentication method, this mitigates against data theft in the event that the device is lost or stolen. The key used to encrypt the disk can either be stored on a USB stick or smart card or in a Trusted Platform Module.
Fuzzing
Fuzzing is a means of testing software input validation routines by inputting random or known malicious code. Fuzzing is also used in packet crafting to generate fake IP and MAC addresses.
Geotracking
Identifying the location of a mobile device through GPS, association with access points, or triangulation against cellular base stations.
Google Hacking
Using Google search operators to locate vulnerable web servers and applications.
GPS (Global Positioning System)
Means of determining a receiver’s position on the Earth based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites.
Group Account
A group account is a collection of user accounts. These are useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be established containing all the relevant users. The group could then be assigned the necessary rights.
Group Policy
On a Windows domain, per-user and per-computer settings can be deployed through Group Policy Objects, attached to Active Directory containers such as domains and Organizational Units. Group policy can be used to configure security settings such as password policy, account restrictions, firewall status, and so on.
Hardware Lock
Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.
Hardware Security Module
A Hardware Security Module (HSM) is an appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
Heuristic
Monitoring technique that allows dynamic pattern matching based on past experience rather than relying on preloaded signatures.
Hoaxes
Email, instant messaging, and website pop-ups are commonly used to spread hoax information, such as false virus or spyware alerts. Users should be trained to identify genuine sources of information.
Honeypot
A computer set up to entice attackers with the purpose of discovering attack strategies and weaknesses in the security configuration. A related term is honeynet, meaning a whole network set up to entice attackers.
HR Policy
Users are usually seen as the weak point of any security system. However, effective training and HR policies can use employees to strengthen security. Other security considerations for the HR department are coordinating secure recruitment and termination procedures. This means screening new employees through background checks, ensuring employees are set up with the correct privileges when they join or change job roles, and ensuring that privileges are revoked if the employee is fired or retires.
HTTP
The protocol (HyperText Transfer Protocol) used to provide web content to browsers. HTTP uses port 80. HTTPS provides for encrypted transfers, using SSL and port 443.
HVAC (Heating, Ventilation, Air Conditioning)
Building control systems maintain an optimum working environment for different parts of the building. The acronym HVAC (Heating, Ventilation, Air Conditioning) is often used to describe these services. For general office areas, this basically means heating and cooling; for other areas, different aspects of climate control, such as humidity, may be important.
ICMP (Internet Control Message Protocol)
Operates at layer 3 (Network) to report errors about the delivery of TCP/IP packets.
ICS (Industrial Control System)
A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
Identification
Authentication identifies a particular user account to a computer system; identification (or enrollment) is the process by which a user account (and its credentials) is issued to the correct person.
IDS (Intrusion Detection System)
Software or security appliance designed to monitor network traffic (NIDS) or configuration files and logs on a host (HIDS) to record and detect unusual activity. Many systems can automatically take preventive action (Intrusion Prevention System [IPS]). Detection is either signature-based or anomaly-based (or both). IDS software typically requires a lengthy period of configuration and “training” to recognize baseline “normal” activity.
IIS (Internet Information Services)
Web server product shipped with Windows.
IM (Instant Messaging)
Real-time text communications products. IM also supports file exchange and remote desktop. Like email, communications are generally unencrypted and unauthenticated. IM can be difficult to block on private networks as most applications can work over HTTP.
Imaging
Copying the structure and contents of a physical disk device or logical volume to a single file, using a tool such as dd.
IMAP4 (Internet Message Access Protocol)
TCP/IP application protocol providing a means for a client to access email messages stored in a mailbox on a remote server. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time. IMAP4 utilizes TCP port number 143.
Implicit Deny
Implicit deny is a basic principle of security stating that unless something has explicitly been granted access it should be denied access. An example of this is firewall rule processing, where the last (default) rule is to deny all connections not allowed by a previous rule.
Incident Reporting
Employees are a vital component of an effective security and health and safety model. Company policy should set out the procedure for reporting incidents, such as who to contact and how quickly.
Incident Response Policy
Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents. The stages will generally be notification, investigation, remediation, and follow-up. Incident response is often handled by a special group - the Computer Security Incident Response Team - made up of staff with both technical skills and decision-making authority.
Input Validation
Where a program expects input from a user, good programming practice dictates that the user input should be validated before the program attempts any further processing of it. Failing to do this can leave the application vulnerable to buffer overflow and similar attacks.
Interception Proxy
Software that sits between a client and server (a Man-in-the-Middle) and allows requests from the client and responses from the server to be analyzed and modified. Examples include PortSwigger’s Burp Suite, OWASP’s Zed Attack Proxy (ZAP), and Vega.
Internet Content Filter
A software application or gateway that filters client requests for various types of Internet content (web, FTP, IM, and so on). The filtering software can work on the basis of keywords, URLs, time of day / total browsing time, and so on.
Internet Zone
A zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.
Intranet
A network of trusted hosts owned and controlled by the organization.
ipconfig
Command-line utility providing information about the IP configuration of a workstation.
IPsec
Layer 3 protocol suite providing security for TCP/IP. It can be used in two modes (transport, where only the data payload is encrypted, and tunnel, where the entire IP packet is encrypted and a new IP header added). IPsec can provide confidentiality and/or integrity. Encryption can be applied using a number of hash (MD5 or SHA) and symmetric (DES or AES) algorithms. Key exchange and security associations are handled by the Internet Key Exchange Protocol. Hosts can be authenticated by a shared secret, PKI, or Kerberos.
ISA (Interconnection Security Agreement)
Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
ISO (International Organization for Standardization)
Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27000 series).
IV (Initialization Vector) Attack
Faults in the way that WEP implements the stream cipher used to encrypt traffic mean that the key can be recovered using cryptanalysis tools such as Aircrack given sufficient packets to analyze. Such tools can typically crack both 64-bit and 128-bit WEP encryption in a matter of minutes. WPA is not vulnerable to this attack (though weak passwords are still vulnerable to dictionary cracking).
Java
Programming language used to create web server applications (J2EE) and client-side applications (running in the Java VM).
JavaScript
Scripting language used to add interactivity to web pages and HTML-format email. JavaScript can also be used maliciously to exploit software vulnerabilities. It is possible to block scripts from running using browser security settings.