Friday 21 August 2009

Security Glossary

Check Back Here!

In any field there will be key terms, words and phrases, with specific technical definitions, often related to but usually distinct from their everyday applications. Here I have bundled together some of those from the security arena, along with miscellaneous other acronyms and terms used in this blog, for ease of reference from other articles.

This list will be updated periodically, so that any time you get referred back here, you can see the latest version.
  • ACL - Access Control List (commonly pronounced "ackle"). A table or data file specifying whether a user or group has access to a given resource (application, file, printer) on a computer or network; and the rights and privileges they have to it (read, write, execute, delete).
  • ASLR - Address Space Layout Randomization. Randomly arranging the positions of key data areas (executable, libraries, heap, stack) within a process's address space. Hinders some attacks by making target addresses harder to predict.
  • Asset - any valuable resource, e.g. database data, file system data, system resource.
  • Attack - any action designed to harm an asset.
  • Black Hat - The Black Hat Conference is a computer security conference, bringing together different people interested in information security.
  • BlueHat - a series of invitation-only security briefing conferences, hosted by Microsoft.
  • CIA - Confidentiality, Integrity, and Availability.
  • Cross-site scripting (XSS) - originally, injection of client-side script into pages viewed by other users; now refers to any method of code injection (ActiveX, Flash, Java, VBScript, or even pure HTML).
  • Cross-domain security - specification (e.g. enumeration, possibly involving wildcards) of the websites allowed access to a given site.
  • Countermeasure - any safeguard which addresses a threat, mitigating its risk.
  • Denial of Service (DoS) - an attack which attempts to overwhelm the target system by exhausting its resources, leaving its intended users without a service.
  • DEP - Data Execution Prevention. Prevents applications and services from executing code in non-executable memory areas (e.g. defeating certain exploits that use buffer overflows to store code).
  • DSA - The Digital Signature Algorithm, a United States Federal Government standard for digital signatures.
  • ECDSA - The Elliptic Curve Digital Signature Algorithm, a widely used variant of DSA based on elliptic curve cryptography.
  • Exploit - see Attack.
  • Firewall - a device or a program which monitors and controls communications between computers.
  • Grant - to allow privileges or permissions to an entity.
  • Injection - the (usually unauthorised) addition of new code to an existing website, database, etc.
  • MAC - Message Authentication Code.
  • Malware - malicious software, created to exploit a vulnerability and compromise a computer, its software or data.
  • Mitigation - any strategy, technique or circumstance that reduces the threat posed by a vulnerability.
  • MSF-A+SDL - MSF is the Microsoft Solutions Framework: a set of principles, models, disciplines, concepts, and guidelines for delivering information technology solutions - primarily applications, but also deployment, networking, and infrastructure projects. A is for the Agile software development methodology. Finally, for SDL, see below.
  • Permission - the ability to perform an activity on an asset.
  • Privilege - the ability to interact, at a given level of access, with an asset.
  • SDL - Security Development Lifecycle. Less generally, in this blog SDL usually refers to the Microsoft Security Development Lifecycle.
  • Spam - cooked meat, nice in sandwiches.
  • Spoof - an attack using a falsified source (e.g. an email "From" address, or a webpage) which appears to be a trusted third party.
  • STRIDE - Attack type taxonomy acronym: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
  • Threat - any potential occurrence (malicious or inadvertent) that could harm an asset.
  • Vuln(s) - abbreviation of vulnerability / vulnerabilities (below).
  • Vulnerability - any weakness which makes possible a threat to an asset.
  • WTF - Wednesdays, Thursdays and Fridays.
For general use, more extensive security glossaries can be found elsewhere; the SANS site is particularly good, and of course Microsoft has one too. But for the purposes of this series, I'm intending to keep this list up to date with the subset of security related technical terms that I happen to use. Please let me know if I miss one, mkay?

Latest update: 31st March 2011.
