List of Security Terms
Advanced Persistent Threat
Advanced persistent threat (APT) usually refers to a group, such as a government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT because they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.
An anonymous proxy, or an anonymizer, is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information. Attackers can use anonymous proxies to protect themselves while they attempt to infiltrate and steal data.
A blacklist is a list of items, such as usernames or IP addresses, that are denied access to a certain system or protocol. When a blacklist is used for access control, all entities are allowed access, except those listed in the blacklist. The opposite of a blacklist is a whitelist, which denies access to all items, except those included in the list. Blacklists have several applications in computing: Web servers often include a blacklist that denies access from specific IP addresses or ranges of IPs, for security purposes. Firewalls may use a blacklist to deny access to individual users, systems located in certain regions, or computers with IPs within a certain subnet mask. Spam filters often include blacklists that reject certain e-mail addresses and specific message content. Programmers may implement blacklists within programs to prevent certain objects from being modified. Since blacklists deny access to specific entities, they are best used when a limited number of items need to be denied access. When most entities need to be denied access, a whitelist approach is more efficient.
Bogons are bogus IP addresses. Bogon is also an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space that is reserved but has not yet been allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called the bogon space. Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use and usually result from accidental or malicious misconfiguration.
An Internet bot, also known as web robot, or simply bot, is a software application that runs automated tasks over the Internet. Since bots are often used to allow attackers to gain complete control over an affected computer, they are typically considered a type of malware. Attackers are able to access affected computers and activate them to execute denial-of-service or host phishing attacks against websites, or send out spam email messages. Typically, bots are used for web spidering, in which an automated script fetches, analyzes, and files information from web servers at many times the speed of a human. Owners of such affected computers are often unaware, but the bots cause the affected computers to slow down, display mysterious messages, and crash frequently.
Botnet (also see Bot)
A botnet is a collection of bots communicating with other similar programs in order to perform tasks. These tasks can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or they can function as malware, adware or spyware. Botnets are often utilized by attackers for purposes such as distributed denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, mining bitcoins, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. Some botnets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of affected computers at their disposal.
Darklist (see also Blacklist)
Norse Corporation uses the term Darklist, which the company defines as "the world's first comprehensive blacklist of the Internet's highest risk IPs." Norse Darklist is an extensive blacklist, composed of a live, continuously updated list of the highest risk IPs on the Internet, enabling organizations to protect their network from external bad actors. Darklist provides a Norse IPQ risk score for each IP, and a risk category (such as "botnet" or "TOR proxy") to provide context to the score. Darklist can be integrated into customers' SIEMs or other security solutions for alerting on high-risk connections, forensics, and advanced threat notification.
Data Loss Prevention
Data loss prevention is simply protecting one's data from being compromised. It involves utilizing systems that are designed to detect potential data breach and data exfiltration transmissions, and prevent them by monitoring, detecting and blocking sensitive data while it is in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Deep Packet Inspection
Deep Packet Inspection (DPI) is a form of computer network packet filtering that examines the payload of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria. This is done to decide whether the packet may pass, if it needs to be routed to a different destination, alerted on, or if it will simply be used for the purpose of collecting statistical information.
Defense in Depth
Defense in depth is an information assurance concept in which multiple layers of security controls are placed throughout an information technology system. Its intent is to provide redundancy in the event that a security control fails, or vulnerability is exploited. The information assurance use of the term "defense in depth" assumes more than merely the deployment of technical security tools; it also implies policy and operations planning, user training, physical access security measures, direct information assurance, and personnel involvement in dealing with attempts to gain unauthorized access to information resources.
Denial-of-Service Attack (see also Bot)
In computing, a denial-of-service (DoS) is an attack sent by one person or bot that attempts to make a machine or network resource, usually a server or host, unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Distributed Denial-of-Service (see also Denial of Service Attack)
A distributed denial-of-service (DDoS) is an attack sent by two or more persons or bots that attempts to make a machine or network resource, usually a server or host, unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.
Firewall, Packet Filtering
A packet filtering firewall examines each packet that crosses the firewall and tests it against a set of rules that the user sets up. If the packet passes the test, it is allowed through; if it does not, it is rejected. Packet filters work by inspecting the source and destination IP addresses and ports contained in each packet's headers. However, packet filtering has a number of weaknesses that attackers can exploit.
Firewall, Stateless (see also Packet Filtering)
A stateless firewall is a firewall that treats and tests each network frame (or packet) in isolation. Thus, it both examines and tests each packet individually. Like all firewalls, if the packet passes the test, it is allowed to pass. If the packet does not pass, it is rejected.
Firewall, Stateful (see also Stateful Inspection)
A stateful firewall filters packets by looking at them in groups rather than individually. It keeps track of which packets have passed through the firewall and can detect patterns that indicate unauthorized access. In some cases the firewall may hold on to the packets as they arrive until the firewall gathers enough information to make a decision about which packets should be authorized or rejected.
Firewall, Deep Packet Inspection (see also Deep Packet Inspection)
A DPI firewall filters packets by thoroughly examining each payload of a packet as it passes through the firewall, searching for protocol non-compliance, viruses, spam, intrusions, or other defined criteria to determine whether the packet should be accepted or rejected.
A honey pot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honey pot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain valuable information.
Intrusion Detection System
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations, and produces reports to a management station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection systems are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, IDSs can be used to identify problems with security policies, document existing threats, and deter individuals from violating security policies.
Intrusion Prevention System (see also Intrusion Detection System)
Intrusion prevention systems (IPS) are network security appliances that monitor network and/or system activities for malicious activity, log information about this activity, attempt to block/stop it, and report it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. Unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.
Layered Security (see also Defense in Depth)
Layered security, also known as layered defense, describes the practice of combining multiple mitigating security controls to protect resources and data. Layered security utilizes multiple layers of defense that resist rapid penetration by an attacker, continuously hindering their ability to penetrate the defenses while raising the opportunity for detection. As the incursion progresses it is slowed and eventually halted; this delay buys time to bring security resources to bear against the attacker's activities.
Malware, short for malicious software, is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. The majority of active malware threats are usually worms or trojans rather than viruses. Software such as anti-virus, anti-malware, and firewalls is relied upon by home users and by small and large organizations around the globe to safeguard against malware attacks; it helps to identify malware and prevent its further spread in the network.
The man-in-the-middle attack (often abbreviated as MITM, MitM, MIM, MiM, MITMA) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other — it is an attack on mutual authentication (or lack thereof).
A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer) is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the packet analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.
Packet Capture (see also Packet Analyzer)
Packet capturing is the process of intercepting and logging online data traffic. When traffic is captured, either the entire contents of packets can be recorded, or the headers can be recorded without recording the total content of the packet. The captured information is decoded from raw digital form into a human-readable format that permits users to easily review the exchanged information.
Security Information and Event Management
Security Information and Event Management (SIEM) is a term for software and services combining security information management (SIM) and security event manager (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances or managed services, and is also used to log security data and generate reports for compliance purposes. Examples include SIEM products from the following companies: Symantec, Splunk, NetIQ, Tenable, Tripwire, and Trustwave.
Signature-based Security Control
Signature-based IDS monitors packets in the network, and compares them with pre-configured and pre-determined attack patterns, known as signatures.
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
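The two failure modes named above (unescaped string literals and weakly typed input), as an added example that is not from the original page: a vulnerable lookup beside its parameterized and strongly typed forms, run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed sample table for this example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation. A quote character in the
    input closes the string literal and the rest of the input becomes SQL:
    this is the 'incorrectly filtered escape characters' case."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The input is bound as a parameter, so the driver treats it as data
    and never as part of the statement text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def lookup_by_id(conn, user_id):
    """Strong typing for the 'not strongly typed' case: the id must already be
    an int before it reaches the query, and it is still bound as a parameter."""
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()


def rejects_non_int(conn, value):
    """True when the strongly typed lookup refuses a value that is not an int."""
    try:
        lookup_by_id(conn, value)
    except TypeError:
        return True
    return False


def suspicious_row_count(rows, expected_max=1):
    """Cheap detection check for an equality lookup on a unique key: more rows
    than the key can match means the predicate was altered."""
    return len(rows) > expected_max


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print("vulnerable:   ", lookup_vulnerable(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
```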
Stateful inspection, also referred to as Dynamic Packet Filtering, is a security feature that can monitor the state of active connections and use this information to determine which network packets to allow through the firewall. By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement much tighter security than a static packet filter.
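The difference between the static and dynamic filters described in the Firewall, Stateless and Firewall, Stateful entries and here, as an added example written for this page (not any product's code): both filters see the same constructed packet sequence, and only the session-tracking filter rejects an unsolicited inbound packet that merely claims source port 443. The 10.0.0.0/8 internal network, the HTTPS-only policy and the TCP flag fields are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal network for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag: a new connection request
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag: the connection was torn down


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt):
    """Static packet filter: each packet is judged on its own header fields."""
    outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
    inbound = not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip)
    if outbound and pkt.dst_port == 443:
        return "allow"
    # To let HTTPS replies back in, a static filter can only key on header
    # fields such as the server's source port, which any outside host can set.
    if inbound and pkt.src_port == 443:
        return "allow"
    return "deny"


class StatefulFilter:
    """Dynamic packet filter: records sessions opened from inside and admits
    inbound packets only when they belong to one of those sessions."""

    def __init__(self):
        self.sessions = set()   # (client_ip, client_port, server_ip, server_port)

    def filter(self, pkt):
        outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if outbound and pkt.dst_port == 443 and pkt.syn and not pkt.ack:
            self.sessions.add(forward)       # inside host opens a new HTTPS session
            return "allow"
        if forward in self.sessions or reverse in self.sessions:
            if pkt.rst:                      # session ended: stop admitting its traffic
                self.sessions.discard(forward)
                self.sessions.discard(reverse)
            return "allow"
        return "deny"   # includes unsolicited inbound packets that merely claim source port 443


def compare(packets):
    """Run one packet sequence through both filters; returns, in order, a list
    of (stateless verdict, stateful verdict) pairs."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    trace = [
        Packet("10.0.0.5", 51000, "203.0.113.7", 443, syn=True),            # inside opens HTTPS
        Packet("203.0.113.7", 443, "10.0.0.5", 51000, syn=True, ack=True),  # legitimate reply
        Packet("198.51.100.9", 443, "10.0.0.5", 445),                       # unsolicited, claims port 443
    ]
    for p, verdicts in zip(trace, compare(trace)):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  stateless/stateful = {verdicts}")
```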
A tarpit is a service on a computer system (usually a server) that purposefully delays incoming connections using TCP congestion packets. The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective, and therefore less attractive, if they take too long. Tarpitting can be an effective defense against attackers. It is possible to tie up all of the attacking threads and nodes using the congestion packets, significantly dropping the packet transmission rate to 1 very small packet every 4.5 minutes per endpoint. This is especially effective against DDoS and worms, assuming that the endpoint is using a compliant TCP stack (which is highly probable). It is effective because the attacking application relies on the host's TCP stack, which will comply with a congestion packet. Replacing a host's TCP stack is a complicated process, and therefore not usually done, because hackers focus on simple, low-overhead, highly efficient techniques.
The Onion Router
The Onion Router (TOR) originally referred to the free software for enabling online anonymity and resistance to censorship. Today, TOR or "onion routing," simply refers to layers of encryption, nested like the layers of an onion, used to anonymize communication. TOR encrypts the original data, including the destination IP address, multiple times and sends it through a virtual circuit comprising successive, randomly selected TOR relays. Each relay decrypts a layer of encryption to reveal only the next relay in the circuit in order to pass the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing, or even knowing, the source IP address. Since the routing of the communication is partly concealed at every hop in the TOR circuit, this method eliminates any single point at which the communication can be de-anonymized through network surveillance that relies upon knowing its source and destination.
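The layer-by-layer unwrapping described above, as an added example written for this page (not the Tor project's code): the client wraps a cell once per relay, and each relay peels exactly one layer, learning only the hop before it and the hop its layer names. The per-layer cipher is a SHA-256 keystream constructed as a stand-in for TOR's real ciphers, and the relay names and keys are constructed.

```python
import base64
import hashlib
import json
import secrets


def layer_cipher(key, data):
    """Symmetric stand-in cipher constructed for this example (TOR itself uses
    AES in counter mode): a SHA-256 keystream XORed onto the data. Applying it
    a second time with the same key removes the layer again."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(circuit, destination, payload):
    """circuit: list of (relay_name, key shared with that relay), guard first.
    Each layer names only the next hop and carries the still-encrypted rest, so
    the exit's layer is built first and the guard's layer ends up outermost."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    cell = payload
    for (_, key), next_hop in reversed(list(zip(circuit, next_hops))):
        body = {"next": next_hop, "inner": base64.b64encode(cell).decode()}
        cell = layer_cipher(key, json.dumps(body).encode())
    return cell


class Relay:
    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.seen = []   # (previous hop, next hop): all this relay can observe

    def peel(self, prev_hop, cell):
        """Remove this relay's layer: yields the next hop and the remaining
        ciphertext (or the plaintext, if this relay is the exit)."""
        body = json.loads(layer_cipher(self.key, cell))
        self.seen.append((prev_hop, body["next"]))
        return body["next"], base64.b64decode(body["inner"])


def make_circuit(names):
    """Constructed circuit with random per-relay keys; in TOR each key is
    negotiated with the relay when the circuit is extended."""
    return [Relay(name, secrets.token_bytes(32)) for name in names]


def send_through_circuit(relays, destination, payload):
    """The client builds the onion and hands it to the guard; each relay forwards
    to whichever hop its own layer names. Returns (where it arrived, what arrived)."""
    onion = build_onion([(r.name, r.key) for r in relays], destination, payload)
    by_name = {r.name: r for r in relays}
    prev_hop, hop, cell = "client", relays[0].name, onion
    while hop in by_name:
        next_hop, cell = by_name[hop].peel(prev_hop, cell)
        prev_hop, hop = hop, next_hop
    return hop, cell


def no_single_relay_links_ends(relays, destination):
    """The property the definition claims: no relay saw both the source and
    the final destination of the communication."""
    return not any(prev == "client" and nxt == destination
                   for r in relays for prev, nxt in r.seen)


if __name__ == "__main__":
    circuit = make_circuit(("guard", "middle", "exit"))
    print(send_through_circuit(circuit, "example.org", b"GET / HTTP/1.1"))
    for relay in circuit:
        print(relay.name, "observed", relay.seen)
```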
Trojan horse attacks
A Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. Computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting programs in order to persuade victims to install them on their computers. A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. The Trojan and backdoors are not themselves easily detectable, but if they carry out significant computing or communications activity they may cause the computer to run noticeably slowly. Malicious programs are classified as Trojans if they do not attempt to inject themselves into other files (computer virus) or otherwise propagate themselves (worm). A computer may host a Trojan via a malicious program a user is duped into executing (often an e-mail attachment disguised to be unsuspicious, e.g., a routine form to be filled in) or by drive-by download.
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth.
A zero-day (or zero-hour or day zero) threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have had no time to address and patch.
Regulatory, Compliance and Audit Terms
The Cyber Observable Expression (CYBOX) is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in all system and network operations. A wide variety of cyber security use cases rely on such information including event management/logging, malware characterization, intrusion detection/prevention, incident response, and digital forensics. CYBOX aims to provide a common structure and content types for addressing cyber observables across this wide range of use cases to improve consistency and interoperability.
The Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that acts as a self-regulatory organization (SRO), a non-governmental organization that performs financial regulation of member brokerage firms and exchange markets. The government agency which acts as the ultimate regulator of the securities industry, including FINRA, is the Securities and Exchange Commission.
The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA requires agency program officials, chief information officers, and inspectors general to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. It also required the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The administrative simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
The Internet Assigned Numbers Authority (IANA) is a department of ICANN, a nonprofit private American corporation, which oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and numbers.
PCI (see also PCI DSS)
The Payment Card Industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses. The term is sometimes more specifically used to refer to the Payment Card Industry Security Standards Council, an organization with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.
PCI DSS (see also PCI)
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud resulting from its exposure. The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. The latest version is available at https://www.pcisecuritystandards.org/security_standards/.
The Sarbanes–Oxley Act of 2002 (Sarbox or SOX), is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. As a result of SOX, top management must now individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe. Also, SOX increased the independence of the outside auditors who review the accuracy of corporate financial statements, and increased the oversight role of boards of directors.
The Structured Threat Information Expression (STIX) is a collaborative effort to develop a standardized, structured language to represent cyber threat information. The STIX framework intends to convey the full range of potential cyber threat data elements and strives to be as expressive, flexible, extensible, automatable, and human-readable as possible. All interested parties are welcome to participate in evolving STIX as part of its collaborative community.
The Trusted Automated Exchange of Indicator Information (TAXII) defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative or application and does not attempt to define trust agreements, governance, or other non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, enabling organizations to share the information they choose with the partners they choose.
Tools, Languages and Other Terms
A comma/character-separated values file (CSV file for short) stores tabular data (numbers and text) in plain-text form. Plain text means that the file is a sequence of characters, with no data that has to be interpreted as binary numbers.
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems on the Internet. The protocol is often classified as a path vector protocol, but is sometimes also classed as a distance vector routing protocol. The Border Gateway Protocol makes routing decisions based on paths, network policies and/or rule-sets configured by a network administrator. The Border Gateway Protocol plays a key role in the overall operation of the Internet and is involved in making core routing decisions. The Border Gateway Protocol is currently the most widely used exterior gateway protocol by Internet service providers because BGP allows for fully decentralized routing.
Pull-based web threats are often referred to as "drive-by" threats by experts (and more commonly as "drive-by downloads" by journalists and the general public), since they can affect any website visitor. Cybercriminals infect legitimate websites, which unknowingly transmit malware to visitors or alter search results to take users to malicious websites. Upon loading the page, the user's browser passively runs a malware downloader in a hidden HTML frame (IFRAME) without any user interaction.
Internet Relay Chat (IRC) is a system that facilitates transfer of messages in the form of text. The chat process works on a client/server model of networking. IRC clients are computer programs that a user can install on their system. These clients are able to communicate with chat servers to transfer messages to other clients. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file sharing.
Jason is a platform for the development of multi-agent systems. An extension of the AgentSpeak agent-oriented programming language is used to program the behavior of individual agents. Jason is developed in Java and allows the customization of most aspects of an agent or a multi-agent system. It comes as a plugin for either jEdit or Eclipse, with different infrastructures for the deployment of a multi-agent system, for example using JADE or SACI as agent-based distributed system middleware.
Java is a computer programming language that is concurrent, class-based, object-oriented, and specifically designed to have as few implementation dependencies as possible. It is intended to let application developers "write once, run anywhere" (WORA), meaning that code that runs on one platform does not need to be recompiled to run on another. Java applications are typically compiled to bytecode (class file) that can run on any Java virtual machine (JVM) regardless of computer architecture.
Machine-readable data is data or metadata in a format that can be understood by a computer. There are two types of machine-readable data: human-readable data that is marked up so that it can also be read by machines (e.g., microformats, RDFa), and data file formats intended principally for machines (e.g., RDF, XML, JSON).
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. PHP code is interpreted by a web server with a PHP processor module, which generates the resulting web page: PHP commands can be embedded directly into an HTML source document rather than calling an external file to process data. It has also evolved to include a command-line interface capability and can be used in standalone graphical applications.
Public Key Infrastructure
A public key infrastructure (PKI) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. A list of references about PKI standards development is available at http://www.oasis-pki.org/resources/techstandards.
Python is a widely used general-purpose, high-level programming language. Its design philosophy emphasizes code readability, and its syntax allows programmers to express concepts in fewer lines of code than would be possible in languages such as C. The language provides constructs intended to enable clear programs on both a small and large scale. Python supports multiple programming paradigms, including object-oriented, imperative and functional programming or procedural styles. It features a dynamic type system and automatic memory management and has a large and comprehensive standard library. Like other dynamic languages, Python is often used as a scripting language, but is also used in a wide range of non-scripting contexts.
SNORT (see also Intrusion Prevention System)
Snort is a free and open source network intrusion prevention system (IPS) and network intrusion detection system (IDS). Snort's open source network-based intrusion detection system has the ability to perform real-time traffic analysis and packet logging on IP networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.
Splunk captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations. Splunk aims to make machine data accessible across an organization and identifies data patterns, provides metrics, diagnoses problems and provides intelligence for business operation. Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics.