A-Z of terms used in Information Security
- Acceptable Use Policy (AUP) - Definition of what a user can and cannot do when using IT resources.
- Access controls - Mechanisms and policies that restrict or permit access to IT resources.
- Access Control List (ACL) - A set of permissions for users or groups of users that determine who can access specific resources.
- Active Directory - A hierarchical database holding information used to manage a group of computers (domain). It enables services including central authentication and authorization, and allows network administrators to assign policies, deploy software and apply critical updates to computers in the domain.
- Administrator Account - An IT account with enhanced privileges allowing greater ability to access and change data associated with other accounts and modify the operation of a system or application.
- Adware - Advertising supported software that presents or downloads advertising material to a computer after installation.
- Advanced Encryption Standard (AES) - A standard symmetric encryption algorithm aimed to replace the Data Encryption Standard (DES).
- Anti-virus software - Software tools for detecting and removing viruses.
- App - Software designed to help users perform specific tasks (application).
- Astroturfing - Generating and publishing positive, anonymous reviews to inflate your brand/company on the Internet.
- Audit Trail - A date and time stamped record of the usage of a system to allow monitoring. Audit trails can help to establish information security breaches.
- Authentication - The verification procedure for checking a user's claimed identity (username).
- Authorisation - see Permissions.
- Back Door - An access point into a program/system that is hidden. Back doors are usually intentionally created by a programmer for maintenance purposes but if compromised they can present a security risk allowing unauthorised users or software to gain entry and cause damage.
- Baseline Security - A method of choosing security measures based upon the experience of similar organisations that are accepted to be well-run.
- Biometrics - The use of physical characteristics to check a person's identity, e.g. voice recognition, fingerprint scanning, retina or iris scanning.
- BitLocker - Full disk encryption feature developed by Microsoft, designed to protect data by providing encryption for entire volumes using at least a 128-bit key.
- Blacklist - Basic access control mechanism that allows everyone access except the members of the blacklist (i.e. a list of denied accesses). The opposite is a Whitelist.
- Bluejacking - Sending of unsolicited messages over Bluetooth.
- Bluesnarfing - Unauthorised access (hacking) of information from a wireless device through a Bluetooth connection.
- Bot - A software application that runs automated tasks over the Internet.
- Botnet - Collection of bots that run autonomously and automatically.
- Buffer - A part of memory or storage that is used temporarily by a computer to hold data that is awaiting processing.
- Bug - Flaw, error, failure or fault in an IT system or program that produces an incorrect or unexpected result.
- Business Continuity Planning - Reliable measures for protecting critical business operations from the effects of loss, damage, unexpected occurrences etc., e.g. backups, replacement hardware etc.
- Business Impact - The effect on a business in terms of finance, reputation or functioning that could result from a security breach.
- CAPS (CESG Assisted Products Scheme) - UK Government-run scheme, operated by its Technical Assurance Agency (CESG), that provides evaluation of cryptographic products to ensure they meet rigorous standards.
- Clone - A replica of the original, in this context it refers to credit card cloning where the card has been copied illegally to purchase goods without the owner’s consent.
- Cloud Computing - On-demand, chargeable services and applications offered over the Internet which can include computing, software, and data storage and access. These are offered from data centres collectively referred to as the 'cloud', representing the collective and intangible nature of the Internet as well as its broad reach. End-user knowledge of the physical location and configuration of the system that delivers the service or application is not required.
- Code Breaking - Seeking to access or obtain protected or encrypted information by disabling or circumventing the security measures designed to protect it.
- Computer Misuse Act (CMA) - UK legislation that makes it illegal to access or modify electronically held data in an unauthorised manner.
- Confidentiality - One of the cornerstones of information security meaning that data must only be accessed by those authorised to see it.
- Confidential Information - Information which, if improperly disclosed or lost, could cause harm or distress. This includes personal data as defined by the Data Protection Act and other valuable or sensitive information not in the public domain.
- Cookie - A file that is created by some web sites on a web browsing computer when a user visits their web site. The file permits the storage of preferences for the particular web site visited.
- Cracking - Same as Code Breaking.
- Credentials (authentication) - A username and other information, such as a password, that is required to identify a user.
- Cryptography - The technique of scrambling and unscrambling of information in order to ensure it can only be unscrambled and accessed by those authorised to do so.
- Data Protection Act 1998 (DPA) - UK legislation that outlines how personal data must be handled through compliance with 8 principles. See the ICO web pages on the Data Protection Act.
- Data Protection Officer - An individual responsible for compliance with the Data Protection Act at any organisation that processes personal data.
- Decrypt / Decryption - The unencryption or unscrambling of data.
- Denial of Service (DoS) - Deliberately or accidentally preventing access to a service, process, data source, etc. from a single or limited number of sources.
- Digital Signature - The addition of an electronic mark to data to validate its content and originator.
- Distributed Denial of Service (DDoS) - Deliberately preventing access to a service, process, data source, etc. from multiple sources. Given that there is usually a malicious intent behind such attacks, it is highly unlikely to be accidental.
- Dumpster Diving - This is when a person will go through somebody else’s rubbish to obtain personal or other useful information to mount an attack or impersonate the victim.
- EEA - European Economic Area - Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Republic of Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, The Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK. (Note: not Switzerland.)
- Encryption - Scrambling or coding information to prevent it being accessed by unauthorised people but accessible to those who are authorised.
- Federal Information Processing Standard (FIPS) 140-2 - USA standard for accrediting cryptographic modules, and a number of encryption products bear this certificate to prove that they have been through a rigorous accreditation process.
- FIPS 140-1 - An older version of FIPS 140-2. Developed in 1994.
- FIPS 140-2 - See Federal Information Processing Standard.
- Firewall - Hardware or software that provides secure access between networks and protects against unauthorised access.
- File Transfer Protocol (FTP) - Protocol method used for the transfer of data between computers on a network.
- Flooding - Swamping a service with requests (either accidentally or maliciously) which causes the service to fail.
- Freedom of Information Act 2000 (FoI) - UK legislation that provides a public right of access to recorded information held by public authorities. Overseen by the Information Commissioner’s Office (ICO). See the ICO web pages on the Freedom of Information Act.
- Hacker - A person who seeks out vulnerabilities in an IT system, process, application or service in order to exploit it in some way, e.g. to compromise information/resources for personal gain or kudos. Not all hackers are malicious: some are labelled ‘security researchers’ and highlight vulnerabilities before they can be exploited by otherwise motivated individuals.
- Hardware Encryption - See Encryption.
- Harass - To annoy persistently with the aim of producing distress or damage. Can be undertaken through electronic communication or means aimed at an individual or organisation.
- Host - A computer connected to a network.
- Hot-fixes - A temporary quick fix to a crucial problem with a program.
- ICO - See Information Commissioner’s Office.
- Identity Theft - Much-touted phrase used in the media to describe individuals having some (or all) of their personal details compromised, e.g. bank account details.
- Information Commissioner’s Office (ICO) - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. See the ICO website.
- Information Security - Generic term for the protection of information/data, which has historically centered on the confidentiality, integrity and availability of the information/data.
- Integrity - In the information security context integrity refers to the safeguarding of the accuracy and completeness of the information/data.
- Internet Protocol (IP) Address - The network address or individual identity of a computer.
- Junk Mail - Unsolicited communications advertising a product or services. Known as "spam" when in electronic form.
- Key - A series of characters used in encryption to provide access to a resource.
- Key-logging - The technique of capturing users' input into IT systems. It is normally achieved by the surreptitious installation of a key-logging device or by running a malicious, hidden program (normally installed/downloaded by a Trojan) which records keystrokes.
- Key Management - This is an important element of the cryptographic/encryption process and describes how encryption keys (asymmetric or symmetric) are used and their supporting processes.
- Key Strength - The length of the cryptographic/encryption key used to secure the information/data. This will often be shown as multiples of 256 bits, i.e. 512, 1024, etc.
- Log - A list of events that have occurred on a computer system. Logs may be used to assist recovery, in the event of a problem, or to spot suspicious activity.
- Macro Virus - A computer virus that is embedded within a word-processed document or spreadsheet and activates when the file is opened.
- Malware - Generic term given to malicious software (hence mal~ware) that encompasses viruses, Trojans, worms, etc.
- Man-In-The-Middle - A type of attack that either impersonates a ‘trusted’ element in the traffic flow from point A to point B, or surreptitiously inserts an unseen element into it. In both cases the aim is to capture, intercept, alter or eavesdrop on the traffic contents.
- Network - The infrastructure of connections between a set of computers.
- Norton/Symantec GDisk32 - A program which securely deletes all data on a local disk.
- Operating System - The software that allows a computer to function and run programs.
- Password - Secret characters known only to a user that, when entered in combination with a username, identifies them to a computer system.
- Patch - An update to a program to provide minor additional functionality or to fix a problem.
- Permissions - Details of which resources users or groups have access to and the level of access to those resources.
- Personal Data - Information relating to a living individual who can be identified from that information, or from a combination of that information and other information in the possession of, or likely to come into the possession of, the data controller (i.e. the University). Personal data can include expressions of opinion and intention.
- PIN - A numeric password.
- Pharming - Redirection of a website to another, illegitimate ‘bogus’ one, with the intention of stealing user details, e.g. passwords, bank account information, etc.
- Phishing - The action of falsifying an identity with a view to convincing users to share their information in order to commit fraud.
- Pretty Good Privacy (PGP) - An encryption program designed to protect information/data from unauthorised access.
- Privileges - See Permissions.
- Processing - Obtaining, recording, holding, retrieving, consultation, disclosure, and destruction of information. Defined by the Data Protection Act as any action performed using personal data.
- Proxy - A system or program acting as an intermediary between a client/user and a server. This can reduce the data load on a server and provide security functions such as blocking or filtering unwanted or unauthorised data (e.g. viruses, spam etc.).
- Registry - An internal database within Windows that contains configuration settings.
- Remote Access - The connection of a device through a network to access programs and information held elsewhere on that network.
- Risk Assessment - A means to establish the likelihood and impact of a given threat.
- Routing - How information is transferred between computers on a network.
- Scam - Any means that attempts to defraud or mislead an individual and gain their confidence or obtain information that they are not entitled to.
- Secure Sockets Layer (SSL) - The main way that computers securely connect to web services, used extensively for on-line banking, shopping, etc. on the Internet (shown by a gold padlock in the bottom right hand corner of the web page).
- Security Updates - An update to a program to reinforce security measures and protect against new or evolving security threats.
- Sensitive Information - Information of high value or confidentiality, which if lost or compromised would result in notable damage or distress. Sensitive personal data is a subset of personal data as defined by the Data Protection Act.
- Server - A computer that acts as a central store for data and programs on a network and provides control of their access.
- Session - The period during which an established connection is maintained.
- Simple Mail Transfer Protocol (SMTP) - A protocol used to exchange email messages.
- Smart Card - A card containing a chip with authentication information, usually used for identification purposes.
- Smartphone - A mobile phone featuring advanced computing ability and connectivity as well as portable media capabilities, making it more of a portable computer than a traditional mobile phone.
- Sniffing - Snooping on network traffic.
- Social Engineering - Generic term given to the act of manipulating people into performing actions or divulging personal information (e.g. bank account details).
- Software Encryption - See Encryption.
- Spam - Unsolicited emails that attempt to direct users to websites containing malware, divulge personal details or download unauthorized/malicious software.
- Spoofing - Where a person or service successfully masquerades as another in order to obtain increased privileges or access to information or information systems.
- Spyware - Malicious software designed to take control of a computer without consent.
- SQL Injection - Exploitation of a software flaw caused by processing invalid (unvalidated) input within database queries.
- Structured Query Language (SQL) - A language to interrogate database systems.
- Transmission Control Protocol/Internet Protocol (TCP/IP) - An internet communication protocol.
- Trojan Horse - A virus-like program that when run causes unexpected or undesirable effects.
- Update - An update to a program to provide significant additional functionality or to fix significant problems.
- Username - A sequence of characters that uniquely identifies a user. It is normally used with a password, or PIN to provide authentication.
- Virtual Private Network (VPN) - A secure network that connects over an insecure public network.
- Viruses - Malicious software programs that can copy themselves and infect other computers on a peer-to-peer basis.
- Vishing - Phishing by voicemail.
- Whitelist - This details programs/applications/websites/etc. that are trusted and are allowed to run.
- Wi-Fi/Wireless Network - A method by which computers or other devices communicate with a wireless access point to provide network functionality without wires between them.
- Worms - Malicious software programs that can copy themselves and infect other computers without any user intervention.