Information security glossary of terms

NathanBenett, Germany, Researcher
Published Date: 11-07-2017
Information Security Glossary

The Information Security Glossary contains commonly used terms and acronyms - used in industry standards such as the ISO 27000 framework and other legislative instruments - as well as within the documentation prepared for the University on this topic.

Source document: Information Security Glossary.docx - ISSUED - 12/12/2012 - David Deighton, IT Services - itsecuritycontacts.bham.ac.uk

2-factor Authentication: Multifactor Authentication involving two factors - something known (e.g. a password or PIN) and something possessed (e.g. a token or smartcard) or a biometric attribute of the person being authenticated.
3-factor Authentication: Multifactor Authentication involving three factors - something known (e.g. a password or PIN) and something possessed (e.g. a token or smartcard) and a biometric attribute of the person being authenticated.
419: Section of the Nigerian penal code that was enacted to stop advance fee frauds originating in that country. It is now a common term for this type of scam.
Access control: A generic method of control designed to restrict access to an information asset, permitting authorised access whilst preventing unauthorised access.
Access matrix: Table relating types of user role (on one axis) to the IT systems, application functions and/or classes of data (on the other axis), showing the types of access (rights) permitted within the body of the matrix.
Access, Access rights, Access permissions: Ability of a user or program to interact with an information asset, e.g. to read or write data, send messages over the network etc. Also the ability of a person to enter a building, room, cupboard etc. cf. Permissions.
Accident, Accidental: Unplanned, chance happening or occurrence, not intended as deliberate. Security incidents mostly result from chance events or accidents. cf. Sabotage.
Account: Generalised term for userID, credential, identity, subject or entity within a directory service, representing an individual, group, system, device, function, service, etc. May also be termed accurately as a principal.
Accountable, Accountability: Ultimately answerable for the correct and thorough completion of a task or the protection of information assets. Accountability cannot be delegated, cf. Responsible.
ACL: Access Control List - specifies which entities, users or system processes are granted access to objects, such as information assets, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. See also Discretionary ACL and System ACL.
ActiveX: Microsoft technology for interactive Web pages. Malicious ActiveX controls are considered as malware as they may potentially compromise systems: if browser security settings allow, even unauthenticated ("unsigned") ActiveX controls may access files on hard drives, for example.
Administrator: A system administrator, IT systems administrator, systems administrator, or sysadmin is a person with the responsibility to maintain and operate a computer system, but the term may also refer to the elevated privileges associated with this role. Alternative generic account names, dependent upon the operating system, include root, toor, baron, avatar. See also Superuser, Root.
Advance fee fraud: Type of fraud in which the fraudster persuades a naïve victim to send money as 'advance fees' supposedly to secure a payment or service which never materialises. Commonly known as a 419 scam.
Adware: Annoying programs that display advertisements, offers, etc. Considered generally to be a form of malware, adware is often installed without consent and has undesirable effects that may compromise privacy.
AES: Advanced Encryption Standard - specification for the encryption of electronic data. AES uses a symmetric key where the same basic key is used for both encrypting and decrypting the data.
Alarm: Audio/visual warning that a critical condition requiring an urgent response (e.g. fire/smoke, intruder, flood) has occurred. See also Alert.
Alert: Warning that a critical system event has occurred. Alerts generally require less urgent responses than alarms and so are normally logged for later analysis and follow-up action.
Android®: An operating system for mobile devices, specifically tablets and smartphones.
Anonymity: A person's ability to use systems and networks without disclosing their identity. A form of privacy.
Antivirus: Software designed to minimise the risk of malware by detecting, preventing and/or removing various forms of malware infection such as viruses, worms, trojans, etc. May also control other potentially unwanted software designated by the University.
Asset: An item that has value to the University, such as money, physical possessions, facilities (machine or computer), people, environment and intangibles such as reputation.
Asymmetric: See Cryptography.
Attack: The manifestation of a Threat.
Attacker: The agent causing an attack (not necessarily human).
Attribution: The act of openly acknowledging the originator or owner of intellectual property to avoid claims of plagiarism and copyright abuse.
Audit: Structured process of examination, review, assessment and reporting by one or more competent people who are independent of the situation, system, process, function, etc. being audited.
Audit trail, Audit log: Chronological record of information documenting important events or stages in a business or IT process, such as the system security log, typically configured to record successful and failed logons, etc.
Authenticate, Authentication: Process by which an individual user, system or entity is positively identified by another, typically on the basis of something they know (e.g. a password) and sometimes something they have (e.g. a security token) or something they are (biometrics). The latter cases are sometimes referred to as Strong Authentication or Two-Factor Authentication.
Authorise, Authorisation: The process of permitting access to a resource, system or asset. Permitted, accepted and/or agreed as being in the University's best interests.
Availability: One of the three core elements of information security, along with confidentiality and integrity. Availability concerns the requirement for information, IT systems, people and processes to be operational and accessible when needed.
Avatar: A representation of an individual, or system, maintained within, or linked to, an Identity and Access Management system (IAM). Avatars are used to represent an electronic identity - generally used for conferencing, gaming etc.
Axiom: A logical statement that is assumed to be true. In this context, a fundamental information security rule derived from the 39 control objectives defined in ISO/IEC 27002.
Backdoor: Secret function or credential allowing hackers to access a system without proper authorisation, bypassing most defences. Often includes keyloggers and rootkit functions.
Backup: Copy of data and/or programs from an IT system at a given point in time. Backups provide the ability to restore a system to a known state following an incident.
Baiting: A social engineering attack in which physical media (such as a USB flash memory stick) containing malware is left in close proximity to a targeted organisation.
BCP: Business Continuity Plan - enables one or more systems and/or business processes to be recovered in the event of a disruptive event that has caused the systems or business processes to cease operation. The plan will cover one or more scenarios of potential disruption. A Disaster Recovery (DR) Plan is also a Business Continuity (BC) Plan, but is usually taken to refer to recovery of one or more IT systems or services, as opposed to the BC Plan, which includes wider business processes and manual procedures. Within the University, the term Local Resilience Plan is also in use, having the same meaning as Business Continuity Plan.
BHO: Browser Helper Object - software component that is loaded and runs automatically when the browser is launched. Malicious BHOs may incorporate malware such as spyware.
BIA: Business Impact Assessment - a risk analysis process for reviewing the potential impact of security incidents affecting IT systems supporting business critical processes, in order to determine the associated availability requirements.
Biometric: Measurable physical characteristic of a person, such as a fingerprint, iris pattern, retinal pattern, facial shape or voice pattern, which can be used as an authentication factor to positively identify a person.
Blended Threat: A cyber-attack incorporating a combination of attacks against different vulnerabilities.
Bluetooth: Wireless networking protocol intended for short-range use over a few metres. May be capable of unauthorised interception over longer distances.
Bot: Short for 'robot'. Networked computer - often compromised using a trojan - under the remote control of hackers. Also known as zombie.
Botnet: Networks of bots that may be used for illegal or nuisance activities such as spamming, carrying out DoS attacks or as launch pads for hacking other systems. Botnets comprising up to tens of thousands of compromised machines may be rented on the black market. Botnets are controlled via Command and Control (C&C) Servers.
Breach: Form of information security incident normally occurring as a result of deliberate action or inaction, as opposed to accidental causes.
Browser: A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web.
Buffer Overflow Attack: An attack where a buffer in some software is overwhelmed by adding more data than it is designed to hold, which ends up by allowing the attacker to run custom code.
Business Critical: Systems which have been classified as a result of a risk assessment to rate highly in terms of the potential impact on the University's business (i.e. teaching, learning, research and administration) in the event of downtime, using criteria such as operational disruption, financial loss, damage to reputation, etc.
BYOD: Bring Your Own Device - where employees are allowed to use their own laptops and mobile devices at work.
CA (Certificate Authority): Trusted body or system that digitally signs and issues digital certificates to authenticated users or systems in a PKI. See Digital Certificate.
Change control: Management process for proposing, reviewing and accepting or rejecting changes to a process, system and/or the associated documentation.
Change management: The totality of activities used to control, direct and document changes to the University and its associated IT systems, processes, etc.
Checkpoint: A static record or snapshot of the state of a computer system, program, database, etc. at one point in time to which the system may be rolled back if necessary. See also Backup.
Ciphertext, Cyphertext: Encoded/scrambled information which can be reconstituted into the corresponding plaintext using a cryptographic algorithm and a key.
Click-jacking: Also known as a "UI redress attack". Multiple transparent or opaque layers (on a web page) trick the user into clicking on a button or link on a different page than the one they were intending. Thus, the attacker is "hijacking" clicks and routing them to another destination, most likely owned by a different application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
CMDB: Configuration Management Database - a repository of information related to configuration items (CI) in the IT infrastructure.
Code of Practice: University Code of Practice as defined in the University Regulations.
Compensating Control: Control that limits the severity of a control deficiency and prevents it from rising to the level of a significant deficiency or, in some cases, a material weakness. Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency.
Compliance: State of conformance with information security objectives, controls etc. defined internally by the University in policies, standards, codes of practice, etc. and/or externally by third parties (e.g. laws, industry regulations and contractual terms). Compliance tends to relate to meeting the legislative requirement, although the differentiation is not strictly applied within the University.
Compromise: To undermine or attack. See Attack and Incident.
Concern: Stakeholders' interest in an asset such as availability, reliability, security etc.
CONFIDENTIAL: Class of information that is sensitive and therefore needs to be protected to a reasonable extent. It is intended for limited distribution within the University or to specially designated third parties, on a need-to-know ('default deny') basis. See the Information Classification Standard.
Confidentiality: One of the three core elements of information security, along with availability and integrity. Confidentiality essentially concerns secrecy or privacy.
Configuration Item, CI: The fundamental structural unit of a Configuration Management system. Examples: individual requirements documents, hardware, software, models, plans, and people.
Configuration Management: A subset of change management activities specifically relating to changes to IT systems configurations, e.g. the implementation of new programs/hardware, new versions or altered parameters.
Conformance: Meeting the requirement of a management system (e.g. ISMS), generally to achieve a minimum standard for official accreditation.
Contingency: Inherently unexpected or unpredictable situation such as a physical disaster (a bomb, plane crash, flood or fire), a serious fraud, virus/worm outbreak etc. that other controls have failed to prevent. The outcome is contingent (dependent) on the exact nature of the incident and the situation at the time.
Contingency plan: Pre-emptive approach for managing and organising resources to cope as well as possible with a contingency situation. Whereas the nature of the process to be followed during/after an incident depends on the specific situation, contingency plans support the efficient coordination and management of resources under any circumstances.
Control: An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. The following types of control exist:
  - Preventative - prevents impact upon an asset.
  - Detective - detects impact upon an asset.
  - Reactive - reacts to impact on an asset, and includes:
    - Corrective - actively reduces impact.
    - Recovery - restores an asset after impact.
  Controls may reduce information security threats or impacts, although most reduce vulnerabilities.
Control objective: Describes the anticipated business purpose or benefit of an information security control. Encapsulates the risk in business terms.
Cookie: Small text file sent by a website to a browser and later retrieved to track web browsing habits. With insecure browser settings, different sites may share the information in cookies, raising privacy issues.
Copy protection: Technique to restrict the ability of users to access, use or manipulate software and other information assets except on the original distribution media, e.g. using a dongle or other forms of cryptography.
Copyright: Legal protection giving the originator/owner of original materials rights over the copying and use of the materials, for example through software licenses. A form of intellectual property rights.
Corrective control: A control that repairs or reduces the impact on an asset.
COTS: Commercial Off The Shelf - refers to package as opposed to bespoke software, typically distributed to the general public through retail outlets in shrink-wrapped packages with generic license agreements.
CPS: Certification Practice Statement - a formal document defining a given PKI.
Certification Practice Statement: See CPS.
Crack, Cracker, Cracking: Hacker with malicious intent who breaks into networks and systems without the owners' permission or consent. Someone who modifies software to remove or disable copy protection and digital rights management features. A means to recover an encrypted password, or the software for this purpose.
Credential: Something an entity, user or system presents to prove (authenticate) their true identity, e.g. a passport, password or security token.
CRL: Certificate Revocation List - a published list of digital certificates that have been revoked by the Certification Authority and are therefore invalid.
Certificate Revocation List: See CRL.
Cryptography, cryptographic, 'crypto': The practice of techniques for securing communication in the presence of third parties, i.e. to transform readable plaintext into unreadable ciphertext and vice versa. Symmetric: the keys to encrypt and decrypt are the same. Asymmetric: the key used to encrypt the data differs from (although is related to) the key used to decrypt. See Certificate, Private Key, Public Key, PKI.
Custodianship: Temporarily taking responsibility for an Asset.
Cyber Security: Protection against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
Cybercrime: Criminal activity performed using computers and/or the Internet. Includes actions ranging from downloading illegal music to stealing from banks. Cybercrime also includes non-monetary offenses, such as creating and distributing malware or posting sensitive or restricted information publicly.
Cybersecurity: Almost synonymous with Information Security but focussed on electronic information assets and related threats, vulnerabilities and mechanisms.
DACL: Discretionary Access Control List - an access control list (generally controlled by the owner of an object) that specifies the access that particular users or groups have to the object.
Data: The lowest level of abstraction that applies to information or the electronic representations of information held within a computer system. Data may be said to realise or implement information in a physical or electronic form.
Data miner: Form of malware that covertly collects information on Web users, for example secretly recording data submitted on electronic forms.
DDoS: Distributed Denial of Service - a type of DoS attack using multiple (numerous) attacking systems to amplify the amount of network traffic, thereby flooding and perhaps swamping the target systems or networks.
Default allow: Access control principle stating that information should only be withheld from individuals if it requires special protection. Also termed 'need-to-withhold'.
Default deny: Access control principle stating that information should only be released to authenticated individuals if they have a legitimate purpose or reason for using the information, and are authorised to do so. Also termed 'need-to-know'.
Defence-in-depth: Control principle whereby multiple overlapping or complementary 'layers' of control are applied, all of which would have to be breached in order to impact the protected information assets.
Detective control: Control that detects impact on an asset.
Dialer: Form of malware which tries silently to connect to a premium rate phone number using the computer's modem. See also war dialer.
Digital certificate: File containing information about a user or system along with their public key plus a digital signature from the Certification Authority to authenticate the whole certificate. In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind a public key with an identity - information such as the name of a person or an organisation, their address, and so forth. The certificate can be used to verify that a public key belongs to a specific entity. See PKI.
Digital fingerprint: See Digital signature.
Digital signature: Cryptographic hash of a message, constructed with the sender's private key, used to 'seal' the document, thus revealing any subsequent changes, for integrity purposes, and authenticating it.
Directory: A system that stores, organises and provides access to information regarding users, entities or systems and their credentials.
Disaster Recovery, DR: A Disaster Recovery (DR) Plan is a Business Continuity (BC) Plan, but is usually taken to refer specifically to recovery of IT services.
Discretionary: Optional, i.e. provided or used at someone's discretion. Refers to controls that are not mandated by the information security architecture.
Discretionary Access Control: A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
Division of Responsibilities: Control requiring the involvement of more than one individual to complete a business process, e.g. data entry performed by a member of staff with review and authorisation performed by a supervisor or manager. Normally reinforced by controlled access to the corresponding system functions. Reduces the possibility of fraud, barring collusion between the individuals, and data entry errors. Also known as separation or segregation of duties.
DMZ: De-Militarised Zone - a special network segment between the outer network perimeter and the inner University network, within which proxy servers and firewalls help to isolate the internal and external networks.
Dongle: Copy protection device used to 'unlock' (allow access to) software for use on the particular computer into which it is plugged.
DoS: Denial of Service - a type of information security incident in which availability is impacted, for example by deliberately or accidentally overloading the system or network, thereby interfering with legitimate business processing. See also DDoS.
DPO: Data Protection Officer, responsible under the Data Protection Act (DPA).
DR, D-R: Disaster Recovery - arrangements to restore IT services supporting critical business functions, often from an alternate location, following a major incident affecting the primary production systems and data.
DRM: Digital Rights Management - technical controls using cryptography to permit or deny certain types of use of Intellectual Property, according to the copyright owner's wishes. Access control technologies that are used by hardware manufacturers, publishers, copyright holders and individuals to limit the use of digital content and devices. The term is used to describe any technology that inhibits use of digital content that is not desired or intended by the content provider. The term does not generally refer to other forms of copy protection, which can be circumvented without modifying the file or device, such as serial numbers or keyfiles.
Dual-control: Form of control requiring the actions of more than one person, for example when two soldiers have to insert and simultaneously turn their keys in order to launch a missile. See Division of Responsibilities.
Electronic Identity: An electronic representation of an individual, or system, used for Authentication and Access Control. A person may have more than one electronic identity. Electronic identities are usually maintained using an Identity and Access Management (IAM) system. See UserID.
Elevated privileges: Enhanced access privilege. See privilege.
Emergency intervention: Situation in which a competent support person is specifically authorised by management to modify a system directly, typically through a privileged emergency credential, bypassing the normal system access controls and code migration processes in order to resolve an urgent production issue.
Encryption: Application of cryptography to make information unintelligible, i.e. translating plaintext into ciphertext using a prescribed algorithm and a key.
Exemption: Temporary, approved relaxation of security policy requirements, provided that compensating controls are implemented (where possible). The person requesting an exemption (normally the owner) remains formally accountable for the residual risk resulting from non-compliance with policy. See waiver.
Failover: Manual or automated process for transferring resilient IT services between redundant equipment, campuses and/or network routes, improving availability.
Failsafe: Concept used mainly in safety-critical or high-security system and process designs, whereby a control failure leaves the system/process in an inherently safe or secure condition, even if that impairs availability.
Fair use: Copyright laws generally permit limited use of copyright materials without the copyright owner's explicit permission. Such fair use exceptions typically allow quoting and summarising of non-substantial parts of copyright materials and small-scale copying for research and educational purposes.
Fault: Problem with information processing or communications systems including definite or suspected security incident, system failure, program error/bug, malware/virus, other undesirable system operation, etc.
FIPS 140-2: Federal Information Processing Standards (FIPS) are US government security standards issued by the National Institute of Standards and Technology (NIST); the 140 series covers cryptography. FIPS 140-2 is a validation certificate issued by NIST that certifies compliance with the standards.
Firewall: Specialised router specifically configured as a gateway to control logical access to the attached network segments, nodes and devices.
Firmware: Software embedded in a hardware device, typically an EEPROM (Electrically Erasable Programmable Read Only Memory) chip. A computer's BIOS (Basic Input Output System) is an example: BIOS firmware normally checks the machine's hardware for faults and loads the boot loader part of the main operating system. Any malware in firmware is likely to have complete control of the system, since it is inherently trusted by the operating system and other software.
Flood: In terms of computer networks, flooding inundates or swamps a network or device. See DoS.
FOSS: Free Open Source Software - free to use but usually still subject to a license.
Fraud: Theft or similar crime involving deliberate deception by a fraudster.
Fuzz Testing, "Fuzzing": Providing invalid, unexpected, or random data to the inputs of a computer program to test its resilience to attack. See Penetration test.
Generic Account: An account, or UserID, which is not attributed to an individual. See Service Account.
Governance: Comprises the entire management framework or structure for controlling and directing the University, including information security and other controls.
Guest: A generic, non-privileged account or security principal (including a group) with minimal system access. Also called "nobody".
Hacker, Hacking, Hack: Originally, the term applied to someone who was obsessively fascinated by technology. In common use, hacker has gradually come to mean someone who deliberately breaks into networks and systems, although cracker is technically more accurate.
Hacktivism, Hacktivist: Hacking, phreaking, or otherwise using technology to achieve a political or social goal. Major hacktivist groups that have achieved notoriety include Anonymous and LulzSec.
Hardware: Tangible IT asset. Hardware has a financial book value, generally less than its replacement cost due to depreciation (wear and tear). Hardware typically has even greater value to its owner thanks to supporting/enabling important business processes.
Harm: Damage that can happen to an asset, such as undesired exposure of stored information or unavailability of a service. Harm is usually quantified as Impact.
Hash: Characteristic value produced by passing a string or file through a so-called 'one-way encryption' function. The original string or file cannot be recreated with any certainty from the hash value, but its validity can be verified by recalculating the hash and comparing it against a previously calculated and securely stored hash value.
Hold file: Transactions that fail integrity or other checks are commonly flagged or placed in this special holding area for manual inspection, instead of being processed. Also known as a suspense file.
IAM: Identity and Access Management - system that contains and manages electronic identities, including security-related data but also preferences and other relevant data.
Identity theft: Type of fraud in which the fraudster falsely assumes the victim's identity, typically as a prelude to stealing financial or other assets. Often involves theft or falsification of credentials used to assert the holder's identity.
Impact: Changing the value of an asset by reducing its availability, integrity or confidentiality. A measure or description of the effect or outcome of an incident. A measure of the seriousness of Harm.
In the wild, "General release": Describes malware that is being actively and widely exploited, as opposed to that which has only ever been seen in the laboratory or in very limited-scope incidents.
Incident: Situation where an attack occurs and causes a business impact.
Industrial espionage: The use of unethical, illicit, surreptitious and often illegal "spying" techniques to gather sensitive information from competitors, either directly or via common business partners or other third parties. An extreme form of competitive intelligence.
Information asset: A physical or virtual artefact containing data that realises information. This includes documents, emails, databases etc. Information itself is abstract but is instantiated in the form of information assets.
Information Asset Owner: The designated person held accountable for the proper protection of one or more information assets such as business applications and data sets. They approve appropriate information security controls for the assets, authorise access and monitor the effectiveness of the controls.
Information Security: The protection of confidentiality, integrity and availability of information in all its forms, including electronic (see Cybersecurity) and physical.
Information Security Architecture: The complete set of information security controls limiting the risks associated with a given IT system or infrastructure. Should ideally be documented in the security design.
Information Security Design: Documentation describing the key information security risks, control objectives and controls required in a computer system, in other words the information security architecture. May comprise one or more dedicated security design documents or may be distributed across various system architecture, design, development and operations documents, policies, standards, guidelines, procedures, change records, etc.
Information Security Event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Information Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations or threatening information security.
Information Security Management: The function responsible for day-to-day management of information security, managing technical, procedural and physical controls, systems, processes, standards etc. Led by the Information Security Officer.
Information Security Policy Manual: The University's overarching policy defining the overall objectives and structure for information security management, also known as the ISMS.
Information Security, InfoSec: The preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Insider threat: Information security threat arising from University members.
Integrity: Property of completeness and accuracy of information. Protected through controls such as referential integrity, data entry validation, digital signatures, honesty, ethics and trust. One of the three core elements of information security, along with confidentiality and availability.
IP: Intellectual Property - proprietary information (typically) that legally belongs to someone and may be protected by IPR.
IPR: Intellectual Property Rights - the rights of the legal owner of intellectual property (IP) to determine how the information is used and/or copied by others, for example through software licensing/copyright, patent, trademark or contract law.
ISMS: Information Security Management System - the overall management system comprising governance, policies, standards, procedures, guidelines, etc. through which information security is directed and controlled.
ISO: 1. International Standards Organisation. 2. Information Security Officer - responsible for Information Security at the University.
ISO/IEC 27000-family ("ISO27k"): A growing collection of ISMS international best practice standards being produced under the auspices of a joint ISO/IEC committee.
ISO/IEC 27001:2005 ("ISO 27001"): International standard "Specification for an Information Security Management System", originally known as BS 7799 Part 2. This is the standard against which ISO/IEC 27002 users may choose to have their ISMS certified.
ISO/IEC 27002:2005 ("ISO 27002"): International standard "Code of Practice for Information Security Management", originally known as BS 7799 Part 1 and then ISO/IEC 17799. Proposes a reasonably comprehensive set of information security control objectives and a selection of best practice information security controls.
ISSG: Information Security Steering Group - the University oversight or governance committee responsible for Information Security.
IT Services: Department responsible for managing computing and telecommunications services to the University.
JANET: Joint Academic Network - a private computer network dedicated to connecting all further- and higher-education organisations in the UK, as well as the UK Research Councils.
Journaling: Database security/control method in which steps leading up to a commit point are saved temporarily until the commit is complete, enabling the sequence to be reversed or recreated if interrupted by an incident, for instance a power failure or coincident change.
Key: See Private Key, Public Key, PKI.
Keyfile: A data file which contains cryptographic or license keys. See also PKI.
Keylogger: Malware that secretly records keystrokes. There are hardware and software versions. Hardware keyloggers are inserted into the keyboard cable or connector, where they may appear to be interference suppressors, or are fitted inside the keyboard or computer. Software keyloggers are typically installed by trojans.
Least privilege: Information security principle involving restrictions in the level of privileges, permissions, capabilities or rights assigned to an individual person, function or system, consistent with their authorised and intended purpose.
Local Resilience Plan: See Business Continuity Plan.
Lock: Physical security device requiring a physical key, electronic key card, PIN code or similar to release a door, etc. Also a database integrity control which essentially prevents simultaneous data changes being made by different computer processes or users.
Log: An historical record of events, recorded in a data file for subsequent review and analysis. Logs should be secured against unauthorised modification (tampering) or access (if confidential) and retained for as long as is necessary to complete the review and analysis, or according to legal and/or business requirements identified in the Information Retention Policy. See audit trail.

Logic bomb: Form of malware designed to lie dormant but self-activate at some point, e.g. at a certain time (i.e. a time bomb), when a certain user logs in, or when a particular combination of events occurs (e.g. the programmer is removed from the payroll), and cause some malicious action (e.g. shut down the system, modify or delete data).

Logical access control: Automated information security control protecting electronic information assets (data/software, directories, disks, tapes etc.) against access by unauthorised users, programs or systems.

Malware: Portmanteau of "malicious software", meaning programs written and circulated with malicious intent such as viruses, worms, trojans, rootkits, logic bombs, etc.

Mandatory Access Control: Access control by which the operating system constrains the ability of a subject or initiator to access or generally perform a specific operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorisation rule (enforced by the operating system) examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorisation rules (aka policy) to determine if the operation is allowed. Mandatory access schemas are generally applied at an organisational level, compared with discretionary access, which is specified by the information asset owner.

Member: Member of the University as defined in the University Regulations.

Mobile code: Programs that transfer between systems and execute, performing specific functions with little or no user interaction.

MoSCoW: Requirements prioritisation scheme: M – must be met. S – should be met if possible (high priority). C – could be met in future if time and resources permit. W – won't be met now but may be considered in the future.

Multifactor authentication: Form of user authentication in which different types of credential are required (e.g. a secret password plus a security token plus a biometric). Multiple passwords recalled and entered by a single person do not qualify as multifactor authentication, whereas passwords recalled and entered by more than one person (one form of dual control) do.

Need-to-know: Alternative name for the principle of default deny.

Need-to-withhold: Alternative name for the principle of default allow.

N-factor Authentication: See Multifactor Authentication.

Non-interactive account: Type of account intended for automated system activity and file ownership by computers, systems and applications, rather than by people.

OPEN: Class of information that is not sensitive and therefore may be published or distributed externally. See the "Information Classification Standard", also PUBLIC.

Outage: IT service interruption caused either by a planned activity (such as scheduled maintenance) or an unplanned incident.

PAN: Principal Account Number – the main account number on a payment or credit card as defined in PCI-DSS.

Passphrase: A secret phrase or saying that is either used directly as a long and hence strong password, or is used to recall one (e.g. using the initial letters of the words of a song or poem).

Password: A secret string of characters that should only be known by one person and can therefore be used to authenticate them. A type of credential.

Patent: Legal protection for novel inventions that have been properly registered with the relevant patent authorities. A form of IPR.

Payload: The resultant (usually destructive) function of malware that performs unauthorised activity, such as deleting or modifying files, etc.

PCI-DSS: Payment Card Industry Data Security Standard – a commercial contract that the University is party to through its activities relating to accepting credit and debit card payments.

Penetration test: Officially authorised/sanctioned/requested test of the University's information security controls by competent and trustworthy experts. The scope may include network, physical and/or other information security controls and specific systems or locations.

Perimeter: The outermost physical and/or logical boundary around a collection of assets, such as the network perimeter dividing the University's internal network from JANET, the Internet and other external networks.

Personal data, personal information: Information associated with an identifiable individual person. This term is explicitly defined in national data protection laws, with minor but important differences between countries.

Phreaking, Phreaker: The activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks.

PIN: Personal Identification Number – a numeric password used on systems with numeric keypads instead of full alphanumeric keyboards. PIN is often misused as a synonym for password.

Pirate: Someone who commits piracy, e.g. by making, using, selling or otherwise distributing illegal copies of copyright material, whether deliberately or inadvertently.

Plagiarism: Theft (copying and using) of another person's IP without properly acknowledging or attributing it to them.
Plaintext: Information that a sender wishes to transmit to a receiver. cf. Ciphertext.

Policy: A University Policy as defined in the University Regulations.

Polymorphic virus: Type of computer virus which changes (morphs or mutates) as it infects successive systems/files, making detection and disinfection challenging.

Preventative control: Control that prevents impact on an asset.

Principal: An entity that can be authenticated by a computer system and authorised for specific functions. Security principals are generally individual users, groups, processes, services, devices, etc. See Account.

Principle: Fundamental or philosophical basis on which information security controls are based. Often encapsulated by phrases such as 'default deny', 'defence in depth', 'shared responsibility' and 'least privilege'.

Privacy: Right to confidentiality regarding sensitive information about individuals or groups.

Private key: The secret member of a public-private key pair in an asymmetric cryptography system or PKI.

Privilege, Privileged: Attribute of certain accounts, principals, programs etc. that allows the users or programs to bypass logical access controls and execute functions that are normally forbidden to ordinary (non-privileged) accounts; for example, data backups need to copy all the files to be backed up, even if they are not owned by the backup user. See Administrator, Root.

Privileged User Role: Whereas non-privileged user roles define minimal rights of access to networks, systems and data for most users, Privileged User Roles define more powerful access rights that can bypass normal security controls and are therefore only allocated to highly trustworthy members with additional procedural and/or technical controls.

Program Source Library, PSL: Controlled directory or database containing human-readable source code files. cf. program library.

Proprietary: Valuable and normally sensitive commercial information such as trade secrets, customer lists and competitive information. See CONFIDENTIAL.

Public key: The non-secret member of a public-private key pair in an asymmetric cryptography system or PKI, normally published within a digital certificate.

Public Key Infrastructure, PKI: Asymmetric cryptographic system using public and private key pairs. cf. Symmetric.

PVLAN: Private VLAN that is isolated from others through the use of traffic encryption.

RAT: Remote Administration Tool – software that provides hackers with a back door into an infected system to snoop or take control.

RBAC: Role Based Access Control – access control scheme whereby principals are granted certain system access rights according to the roles they are required to perform, the idea being that roles change less frequently than users.

Reactive control: Control that reacts following impact upon an asset.

Recovery control: Control that restores an asset after impact.

Referential integrity: Set of integrity controls incorporated into relational database management systems to help prevent inconsistencies, for example in the links between related tables.

Remote Diagnostic Port: Dedicated console or management port giving privileged access for technical support to a device such as a telephone exchange, server, storage subsystem, router, firewall, gateway etc.

Rights: Capabilities granted or denied to principals by system managers, supervisors or administrators. See Permissions and the clarification section.

Risk: The combination of the probability of an event and its consequences – the likelihood of a Threat exploiting a Vulnerability and the resulting Impact upon Assets.

Risk assessment, Risk analysis: Structured process for examining information security threats, vulnerabilities and impacts relating to a given system or situation, in order to determine whether additional controls are required. The specific terms "risk assessment" and "risk analysis" may refer to different extents of examination ('analysis' normally implies more depth).

Risk management: The process of managing defined risks by mitigating them, accepting them or transferring them to third parties (e.g. insurance companies).

Role: The responsibility for performing specific behaviour.

Root: 1. See Administrator, Superuser. 2. Gain root or superuser access (particularly to Android and Linux/Unix

Rootkit: Hacker toolset typically containing trojans and utilities to take and keep control of a compromised computer system. Often includes hacked versions of normal system programs with backdoors and other covert functions. Usually hidden deep in the system "kernel" or device drivers, hence hard to detect and eradicate.

RPO: Recovery Point Objective – following a serious incident requiring the invocation of disaster recovery arrangements, defines the point prior to which all data should have been restored (e.g. previous hour, previous working day, previous week etc.).

RTO: Recovery Time Objective – defines the absolute maximum ('worst case') acceptable duration of non-availability of systems due to incidents, which therefore determines the corresponding need for suitable resilience and disaster recovery arrangements.

Sabotage: Deliberate, wilful and unauthorised damage to IT facilities, systems, network devices/connections, deletion, insertion or disclosure of data etc. in order to cause a Denial of Service or other impact.

Sandbox: An architectural pattern where data or binary code is stored in a secure area to be examined safely or protected from external access.

Security Administration: Information security function responsible for administering userIDs, passwords, access to applications etc.

Security Principal: See Principal.

Security token: Hardware device used as a credential, for example a smart card or key fob containing a cryptographic processor and/or display. May also relate to the notional representation of a security principal or credential within a system.

SEI: Software Engineering Institute – a US federally funded body run by Carnegie Mellon University (CMU).

Service: The externally visible functionality which is meaningful to the environment and is realised by systems or business behaviour.

Service Account: A generic, often privileged, account under which a background process runs.

Shared responsibility: Information security principle stating that all members are collectively responsible for maintaining adequate security measures.

Smartphone: Mobile device combining the features of a phone with those of a personal digital assistant (PDA), such as media players, email, browsers, wireless connectivity, cameras, and also touch-sensitive screen technology. See Android, iOS.

Snapshot: A backup technique that creates a read-only copy of a file, usually by manipulating the storage allocation mechanism within a file system so that changes are forced into new blocks of storage rather than updating in place.

SOA: Service Oriented Architecture – a technical architecture consisting of cooperating services where the implementation of the services is hidden from the consumers, whether people or systems.

Social engineering: Hacking or fraud technique or form of attack involving the manipulation of people through a combination of deception and persuasive or assertive behaviour. May also be combined with other threats.

Spam: Unsolicited email (generally sent in bulk and commercial in nature).

Spear phishing: A precisely targeted phishing attack, usually aimed at individuals or well-defined groups.

Spoof, Spoofing: Attempt by an unauthorised entity to gain access to a system by posing as an authorised user, i.e. impersonation.

Spyware: Type of malware which covertly 'spies' on the user, for example sending information about the programs run, websites visited or data submitted to a remote system or user.

SQL injection attack: A form of attack on a database-driven web application in which the attacker executes unauthorised SQL commands to exploit insecure code.

Stakeholder: Person who has a legitimate interest, or stake, in an Asset.

Standing data: Reference items that are relatively static and unchanging (e.g. bank account numbers) compared to more volatile user data (e.g. bank account balances).

Stealth virus: Virus that hides by intercepting disk access requests. When a basic antivirus program tries to search the disk, the virus conceals itself by removing or changing program names, file names etc. in the information fed to the antivirus program. See also rootkit.

Superuser: Special user account possessing unbounded elevated privileges, used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator, avatar, supervisor, etc.

Symmetric (cryptography): Cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption/decryption, or signature creation/verification). Symmetric cryptography is sometimes called "secret-key cryptography".

Sysadmin: See Administrator.

System: A collection of elements organised to accomplish a defined objective or Mission. The term is recursive and may also refer to a component or a 'system of systems'. These elements include products (hardware, software and firmware), processes, people, information, techniques and facilities. The mechanism that delivers a service to the customers.

System Access Control List (SACL): In contrast to the DACL, which specifies object access granted for listed trustees, Microsoft describes the System Access Control List as a means to control how access to an object is audited.

System files: Files containing executables and data that are part of, or owned by, an operating system. Users and applications are usually blocked from accessing these files.

Technical standard: IT Services technical standards, including security standards, referring to industry standards, hardware, software etc.

Test environment: Computer environment comprising systems, networks, devices, data and supporting processes that are used for testing (checking and/or exercising) application systems prior to being released for use in production (cf. development).

Third party: Independent person or external organisation not directly employed by the University.

Threat: A potential cause of harm to an asset. A Threat exploits a Vulnerability to Impact an Asset.

Time bomb: See logic bomb.

Timeout: 1. Function that automatically suspends and password-locks a computer session after a certain time without user activity. 2. Also, an expiration time limit for a process.

Trojan: Contraction of "Trojan horse program" – a program that may appear to the user to offer a useful function or to do nothing, but in fact contains hidden malicious functions, typically allowing remote control of the system by hackers. A form of malware.

Trustee: An entry in an access control list to which permissions or rights are granted (or denied). See Discretionary ACL and System ACL.

Two Factor Authentication ("2FA"): Simplest form of multifactor authentication, for example requiring a password in addition to the current value displayed on a security token in order to authenticate a user.

Unauthorised: Not permitted, accepted or agreed by management as being in the University's best interests.
UNIX, Unix, Unx: An operating system; trademarked as UNIX, but within the University a general term for one of its derivatives or any operating system which resembles it.

User Role: Logical access rights are standardised by defining and assigning the minimal rights necessary for users in certain job functions to perform their roles within the University (see also Privileged User Role).

UserID: User Identifier – a label used to tag a user and their activities on an IT system so that they may be controlled by logical access controls, recorded in log files etc. Also known as a username, logon name, account, credential, etc.

VDI: Virtual Desktop Infrastructure – where the client application actually runs on a server and the local device is just used as a 'dumb' terminal showing an image of the application screen only.

Virus: Computer program that self-replicates and automatically spreads between systems. Usually contains a payload. A form of malware.

Virus hoax: Chain letter or social media post spreading a false virus (malware) warning. Hoaxes can cause alarm and waste time but are not normally harmful, although some that advise users to delete, rename or replace files can cause problems (a form of social engineering).

VLAN: Virtual Local Area Network – a broadcast LAN domain containing one or more hardware devices, usually associated according to the specific ports on LAN switches to which they are connected (see also PVLAN).

VPN: Virtual Private Networking – the application of cryptography to create a secure "tunnel" between IT systems over an unsecured or untrustworthy network (such as the Internet).

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more Threats.

Waiver: Formal documented exemption from security requirements, including documentation of the circumstances, decision process/rationale, extent and compensating controls.

War dialer: Hacking or penetration testing software that automatically calls a range of phone numbers in an attempt to locate vulnerable modems, fax machines, voicemail systems etc.

Web bug: Tracking hyperlink within a Web page that refers the user's browser to a particular file on the Web, typically a tiny one-pixel image. When the user's browser reads the page, interprets the code and retrieves the file, the web server records the network access by the user's address in its log, potentially compromising the user's privacy.

Whaling: Cyber-attacks targeted specifically at senior executives and other high-profile targets.

Worm: Networking program that exploits network connections to spread between systems and often performs unauthorised functions such as sending unsavoury emails or spam, DoS attacks etc. A form of malware.

X.509 Certificate: A digital certificate of specified format, binding an entity to a public key. The X.509 standard was issued on 03 July 1988.

XSS: Cross Site Scripting – a web hacking technique in which websites with inadequate data entry validation are made to return malware to a browser for execution (e.g. to manipulate or disclose their supposedly private cookies or other local data). Abbreviated to "XSS" to distinguish it from CSS: Cascading Style Sheet.

Zero-day threat: A cyber attack against an unknown operating system or application vulnerability.

Zombie: See bot.

Ontology

The ontology provides a basic set of concepts and relationships that can be used to reason about information security and upon which a controlled vocabulary may be constructed.

Figure 1: Basic Ontology for Information Security Risk Analysis and Management

Asset (Business Object): Anything that has value to the organisation or its customers, including physical assets, information, systems and people in their role as participants in a System.
Attack (Business Object): An event that is a manifestation of a Threat to an Asset.

causes (Association): Attack causes Impact.

Concern (Business Object): Stakeholder's interest in an Asset.

Control (Business Object): An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. This can be: Preventative, Detective, Reactive (Corrective / Recovery). Controls may reduce information security threats or impacts, although most focus on vulnerabilities.

Corrective Control (Business Object): A control that repairs or fixes the impact on an asset.

Detective Control (Business Object): Control that detects impact on an asset.

detects (Association): Detective Control detects Attack.

exploits (Association): Threat exploits Vulnerability.

exploits (Association): Vulnerability exploits Attack.

harms (Association): Impact harms Asset.

has (Association): Stakeholder has Concern.

has a (Association): Asset has a Vulnerability.

Impact (Business Object): Measure of harm or effect upon an Asset.

in (Association): Concern in Asset.

Information Asset (Business Object): An asset that contains information, e.g. database, email, document, book.

manifests (Association): Threat manifests Attack.

People (Business Object): People viewed as 'human assets' for the purpose of risk analysis and management.

Physical Asset (Business Object): Physical assets including land, buildings, vehicles.

Preventative Control (Business Object): Control that prevents impact on an asset.

prevents (Association): Preventative Control prevents Attack.

Reactive Control (Business Object): Control that reacts following impact upon an asset.

Recovery Control (Business Object): Control that restores an asset after impact.

reduces (Association): Corrective Control reduces Impact.

reduces likelihood (Association): Control reduces likelihood of Threat. Reduce the likelihood of a Threat manifesting.

restores (Association): Recovery Control restores Asset.

Stakeholder (Business Object): Interested party.

System (Business Object): A combination of interacting elements organised to achieve a defined objective, including hardware, software, processes, people, information, techniques, facilities and any other type of Asset.

Threat (Business Object): A person, situation or event (whether deliberate or accidental in nature) that is capable of exploiting a vulnerability to impact an asset.

Vulnerability (Business Object): Weak or missing information security control, or an inherent weakness in an Asset.

Disambiguation

Authentication vs. Authorisation

Authentication is the process of verifying identity, or asserting that the entity is whom or what they claim to be. Authorisation is the method of granting access based on the confirmed identity. Authentication is performed at logon, while Authorisation, sometimes referred to as 'access control', is granting access to resources after logon. Authentication is performed centrally, while authorisation is usually the responsibility of individual applications.

Malware, Virus, Trojan, Rootkit, Worm, etc.

Malware is a contraction of "malicious software", although malware could encompass firmware and hardware. It is the general term applied to viruses, trojans, rootkits, spyware, adware, scareware, keyloggers, ransomware and crimeware, etc. Malware can also be known as a "computer contaminant" in a legal context. The first malware was a computer virus, i.e. a program that replicates itself and spreads accordingly. Worms are similar to viruses in that they self-replicate, but they do not attach themselves to existing computer programs. Worms generally disrupt network operations, even if only by consuming excessive bandwidth, whereas viruses almost always corrupt or modify files on a target computer.
Trojan horses, commonly called trojans, are programs that masquerade within other programs, causing unexpected (unwanted) results when executed. Rootkits are specialised trojans designed to subvert standard operating systems, thus hiding their existence. Trojans now make up approximately 90% of all malware. In the industry, we have seen a transition in the last decade from "antivirus" to "antimalware" measures within the accompanying software marketing.

Principles, Axioms, Policies, Standards, Guidelines

The ISO27k Implementers Forum provides the following pyramidal representation of the relationship between these terms:

Figure 2: ISO27k ISMS Documentation Pyramid

The General Conditions of Use, together with the Information Security Policy and other policies such as the Data Protection Policy, constitute the Information Security Policy Manual, while the Information Security Policy by itself is the Corporate Information Security Policy in terms of ISO27k. This scheme takes into account the special status of the General Conditions of Use as a Code of Practice as defined in the University Regulations. Standards, prepared by the Information Security Officer and ratified by the ISSG, define the requirements and rules pertaining to individual topics, while procedures and guidelines will be issued by IT Services as and when appropriate.

Security principles are rooted in the University's Enterprise Architecture Framework (EAF), and all IT projects are required to comply, state how compliance is achieved and justify exceptions. The principles are as follows:

SEC1 Accountability: All user and system interactions and access to information must be attributable to authenticated (reliably identified) people, organisations or systems. Rationale: The University must maintain traceability and non-repudiation of responsibility for access and changes for legal and moral reasons.

SEC2 Least Privilege: When allowing access to a resource, assign the minimum necessary privileges to complete the job in hand. Rationale: Reduce the possibility that users or systems will abuse the privileges granted them to make unforeseen changes or gain unauthorised access.

SEC3 Defend in Depth: Do not rely on a single control but erect a succession of barriers that an intruder must overcome before gaining access. Rationale: No single security mechanism can be guaranteed unbreakable, therefore good practice is to implement multiple overlapping controls where it is possible to do so.

SEC4 Assume Insecure Communications: Data is vulnerable while in transit and must be adequately protected to preserve its confidentiality, integrity and availability. Rationale: Internal networks should be considered hostile environments for data and mitigated by authentication, encryption and other controls.

SEC5 No Security by Obscurity: Security must be designed in and not rely on hiding information. Rationale: Security should not be compromised by the release of network diagrams, system specifications or the CMDB.

SEC6 Transparency: Controls should not impair the ability of the University to function or unnecessarily restrict the availability of information. Rationale: Security controls should promote the availability of information subject to protection of its confidentiality and integrity.

Axioms are derived from these principles and incorporated into the security documents.