Access Control System
The system ensures that resources are only granted to those users who are entitled to them.
The act of forging an address. One example is IP spoofing.
It refers to the use of management procedures and mechanisms to prevent unauthorised access to a system.
Adware is software that displays advertising banners while the program is running. A lot of adware is also spyware.
Advanced Encryption Standard (AES) Algorithm
AES algorithm is an encryption algorithm based on Rijndael algorithm, with key sizes of 128, 192, or 256 bits to operate on a 128-bit block. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encryption and decryption. AES supersedes Data Encryption Standard (DES) and is currently used worldwide.
Anti-virus Software is computer software that is designed to stop computer viruses, eliminate computer viruses, and/or recover data affected by computer viruses.
A system used to restrict access to services or functions across a firewall boundary.
A relative measure of confidence in the quality of a credential. The assurance level ranges from level 1 (little or no confidence) to level 4 (very high degree of confidence).
Two different keys are used with one for encryption and the other for decryption. The decryption key cannot be derived from the encryption key.
Audit trail is defined as a chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event.
A process or method to identify and to prove the identity of a user/party who attempts to send a message or access data. Message authentication refers to a process used to prove the integrity of specific information.
A portable device that operates by using challenge/response, time sequence, or other techniques in order to authenticate a user.
A process to grant rights to a person for accessing data or using specific information resources.
A condition in which information or processes are reasonably accessible and used by an authorised party including timely and critical operations.
A backdoor is a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.
Use of measurable physiological characteristics to authenticate a user such as fingerprints or facial characteristics.
A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a distributed denial of service attack.
Brute Force Attack
Brute force attack is a technique used to break an encryption or authentication system by trying all possibilities.
An attack that exploits a process which reads data beyond the boundary of a fixed-length buffer, with the aim of overwriting computer memory with carefully crafted data and executing privileged instructions in an unintended way.
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a human being. It is to protect websites against bots by generating and grading tests that humans can pass but current computer programs cannot.
Centralised Identity Management
Centralised identity management is a model of identity management in which the same identifier and credential are used by each service provider.
Certification Authority (CA)
A trusted authority or party that issues and revokes digital certificates to a person or an organisation for proving identity in an electronic transaction.
A management mechanism that includes the tasks of storage, dissemination, publication, revocation and suspension of certificates.
Certificate pinning restricts which digital certificates are considered valid, to control the risk of CA compromise or man-in-the-middle attacks. Clients connecting to a server with certificate pinning enabled will treat all other certificates as invalid and refuse to make an HTTPS connection.
A server which performs the certification process of public keys.
Challenge / Response
An authentication technique used by a system/server to authenticate a user. A server usually sends an unpredictable challenge (a set of numbers or letters) to the user, and the client/user will then compute a response using some special form of authentication token.
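The exchange described above, written out with both sides' messages. This is an added example, not code from the original glossary: it assumes a shared secret provisioned into the user's token and uses an HMAC over the challenge as the "special form of authentication token" computation, with the server rejecting a replayed response.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: assumed to be provisioned into the user's
# authentication token out of band and never sent over the wire.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: the token derives the response from the challenge and its secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Server:
    """Server side: issues unpredictable challenges and verifies responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        # Fresh random challenge: an attacker cannot precompute the answer.
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            # Unknown or already-answered challenge: treat as replay or forgery.
            return False
        self._outstanding.discard(challenge)  # each challenge is single-use
        expected = compute_response(self._secret, challenge)
        # Constant-time comparison avoids leaking where the response diverges.
        return hmac.compare_digest(expected, response)


def run_exchange():
    """Walks through one exchange plus two failure cases; returns the three verdicts."""
    server = Server(SHARED_SECRET)
    # 1. server -> client: unpredictable challenge
    challenge = server.issue_challenge()
    # 2. client -> server: response computed with the token's secret
    response = compute_response(SHARED_SECRET, challenge)
    accepted = server.verify(challenge, response)
    # 3. an eavesdropper replaying the captured pair is rejected
    replay_accepted = server.verify(challenge, response)
    # 4. a response computed without the right secret is rejected
    other = server.issue_challenge()
    forged_accepted = server.verify(other, compute_response(b"wrong-secret", other))
    return accepted, replay_accepted, forged_accepted


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

The one-shot challenge set is what turns an unpredictable challenge into replay protection; a server that accepted the same challenge twice would let a captured response be reused.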
A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data.
A scrambled / cryptic content derived from plaintext using an encryption algorithm.
Code Injection Attack
An attack technique to introduce code into a computer program or system to form an unexpected action. The attack is usually accomplished by taking advantage of an un-enforced or loosely implemented input validation process.
A violation of a security policy that may result in unauthorised access to a system, or in the disclosure or loss of sensitive information.
Confidentiality is the need to ensure that information is disclosed only to those who are authorised to view it.
Control Objectives for Information and related Technology (COBIT)
The Control Objectives for Information and related Technology (COBIT) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
An individual with malicious intent who attempts to gain unauthorised access to others' systems.
A set of claims used to prove the identity of a client. They contain an identifier for the client and a proof of the client's identity, such as a password. They may also include information, such as a signature, to indicate that the issuer certifies the claims in the credential.
Cross Site Scripting
Cross site scripting is a flaw in a web application that allows the execution of scripts in the victim's browser to hijack user sessions, deface websites, and possibly introduce computer worms, etc.
Cryptography is the art of keeping messages secret by using different methods. It normally deals with all aspects of secure messaging, authentication, digital signatures, and electronic money.
The reverse process of encryption, in which an encoded message (ciphertext) is decoded from its protected, scrambled form into the original plaintext so that it can be easily read.
Defence-in-Depth is the approach of using multiple layers of security to guard against failure of a single security component.
Reducing magnetic flux density to zero by applying a reversing magnetic field, in order to permanently remove data from a magnetic storage medium such as a tape or disk. It is also called demagnetising.
Denial of Service (DoS)
An attack in which an attacker attempts to prevent legitimate users from accessing information or services. Examples of such attacks are SYN flood, Ping of Death, packet flooding and ping flooding.
Detective controls are used to identify undesirable events that have occurred.
Dictionary attack is a technique used to break an encryption or authentication system by trying words that can be found in a dictionary.
A digital certificate is a form of electronic record that serves as an identification of who you are in conducting online transactions. The certificate usually contains information such as user's public key, name and email address.
Under the public key infrastructure (PKI) technology, a digital signature is derived by applying a mathematical function to compute the electronic message and the signer's private key. Recipients can verify the integrity, authenticity, and non-repudiation of the electronic message by checking the digital signature with the use of the sender's public key. Under the Electronic Transactions Ordinance (Cap. 553) (ETO), electronic or digital signatures have the same legal status as paper-based signatures.
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an authorisation mechanism in which users own the objects under their control, and the granting and revoking of access control privileges are left to the discretion of individual users.
Distributed Denial of Service (DDoS) Attack
An attack using multiple computers to launch denial-of-service (DoS) attacks at the same time against a targeted system.
Domain Name System (DNS)
DNS resolves human-memorable domain names and hostnames into the corresponding Internet Protocol (IP) addresses.
Domain Name System (DNS) Spoofing
DNS spoofing compromises the domain name server so that it resolves a domain name to an incorrect IP address, diverting traffic to another computer (often the attacker's).
Domain Name System Security Extensions (DNSSEC)
DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
A drive-by attack is one in which attackers embed URL(s) carrying malicious scripts in a website; users are tricked into clicking on the URL, allowing the embedded script to run in their web browsers and leading to further malicious attacks (such as downloading a Trojan Horse or sending cookie information to the attacker).
Eavesdropping is simply listening to a private conversation which may reveal information which can provide access to a facility or network.
A process to encode the contents of message so as to hide it from outsiders. That is, it is a process of scrambling and transforming data from an easily readable and understandable format (plaintext) into an unintelligible format that seems to be useless and not readily understandable (ciphertext).
A program that allows attackers to automatically break into a system.
An alert that incorrectly indicates that malicious activity is occurring.
Members of a federation system depend on each other to authenticate their respective users and vouch for their access to services offered by other members of the federation.
A firewall is a system or combination of systems that helps to prevent outsiders from obtaining unauthorised access to internal information resources. The firewall enforces the access control policy, i.e. permit or deny, between two networks. It provides a single point where access control and audit can be imposed.
In computer security, a hacker is someone with a strong interest in understanding and manipulating computer systems, and specialises in work with the security mechanisms for these systems. Nowadays, it is most commonly used by the mass media to refer to a person who maliciously uses computer knowledge to gain unauthorised access and cause damage to computers and data.
This is a hardware device that contains a protected cryptographic key that cannot be exported.
Hardening is a process to secure a system, including an operating system or servers such as web servers, by removing the unnecessary system components, disabling unnecessary services, tightening the system configurations, etc.
A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties:
1) One-Way. It is computationally infeasible to find any input that maps to any prespecified output.
2) Collision Resistant. It is computationally infeasible to find any two distinct inputs that map to the same output.
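An added example (not from the original glossary) that exercises the two properties above and, at the same time, the checksum entry earlier on this page: it computes a fixed-length digest over arbitrary-length input, uses it to detect a change in a constructed sample file, and shows that random guessing neither recovers an input for a given digest (one-way) nor produces two inputs with the same digest (collision resistant). SHA-256 from the Python standard library stands in for "an approved hash function"; the file contents and attempt counts are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def digest(data: bytes) -> str:
    """Map input of any length to a fixed-length (256-bit, 64 hex char) digest."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, stored_digest: str) -> bool:
    """Checksum use: recompute the digest and compare with the stored value."""
    return hmac.compare_digest(digest(data), stored_digest)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count bit positions in which two digests differ (shows the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def preimage_search(target_digest: str, attempts: int) -> Optional[bytes]:
    """One-way property: random guessing fails to find an input for a given digest."""
    for _ in range(attempts):
        guess = secrets.token_bytes(8)
        if digest(guess) == target_digest:
            return guess
    return None


def collision_search(attempts: int) -> Optional[Tuple[bytes, bytes]]:
    """Collision resistance: random distinct inputs do not share a digest."""
    seen = {}
    for _ in range(attempts):
        candidate = secrets.token_bytes(8)
        d = digest(candidate)
        if d in seen and seen[d] != candidate:
            return seen[d], candidate
        seen[d] = candidate
    return None


# Constructed sample file and a tampered copy (one field flipped).
SAMPLE_FILE = b"listen=0.0.0.0:443\nadmin=false\n"
TAMPERED_FILE = b"listen=0.0.0.0:443\nadmin=true\n"


def demo() -> dict:
    """Runs the integrity check and the two property searches; returns the results."""
    stored = digest(SAMPLE_FILE)  # what would be stored or transmitted with the file
    return {
        "digest_length": len(stored),
        "original_ok": checksum_matches(SAMPLE_FILE, stored),
        "tampered_ok": checksum_matches(TAMPERED_FILE, stored),
        "bits_changed": differing_bits(stored, digest(TAMPERED_FILE)),
        "preimage_found": preimage_search(stored, 2000) is not None,
        "collision_found": collision_search(2000) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The constant-time comparison in `checksum_matches` matters only when the stored digest is a secret-keyed value (an HMAC); for a plain checksum it is harmless and keeps the habit consistent.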
This is a technique for assessing the probability that a file contains a computer virus or other forms of malware.
This usually consists of an email message warning recipients about a new and terribly destructive virus. It ends by suggesting that the reader should warn his or her friends and colleagues, perhaps by simply forwarding the original message to everyone in their address book. The result is a rapidly growing proliferation of pointless emails that can increase to such an extent that they overload systems.
A honeypot is a decoy system put on a network as bait for attackers. The attackers believe the honeypot is a legitimate system and attack it, without knowing that their activities are being monitored.
In a honeynet, a network of honeypots is connected to imitate an actual or fictitious network. It appears to attackers that many different types of applications are available on several different platforms.
An organisation that issues identity credentials to individuals, and validates those credentials when presented by a user attempting to access a protected resource. An identity provider may be a government agency, an academic institution, or a commercial business, such as a bank.
Incident Response Plan
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of an incident, such as a malicious cyber attack, against an organisation's information system(s).
Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Information Security Management Systems (ISMS)
ISMS is a set of policies concerned with information security management or IT related risks. The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
To generate information or data about a file that can be used to verify the integrity of the file at a later time.
An injection flaw is a flaw in a web application that allows an attacker to trick the web application into executing unintended commands or into changing system data.
Integrity is the need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.
Intrusion Detection System (IDS)
An IDS detects break-ins or attempted attacks through software systems that operate on the network. It often combines network monitoring with real-time capture and analysis in order to identify attacks.
Intrusion Prevention System (IPS)
An IPS helps to detect whether an attack is happening on the network. It also provides an active response to stop the source of the attack or to minimise its impact.
IP Security (IPsec)
IPsec provides interoperable, high quality and cryptographically based security services for traffic at the IP layer, such as authenticity, integrity, confidentiality and access control to each IP packet.
The process of storing, managing or distributing keys to authorised parties.
Keylogger is a device or program that captures activities from an input device. Malicious people can make use of keyloggers to capture personal information being input into a computer system.
Least Privilege Principle
Least privilege principle is a concept in internal control that includes restricting a user's access (e.g. to data files, to processing capability, or to peripherals) or type of access (e.g. read, write, execute, delete) to the minimum necessary to perform his or her duties.
A piece of code left within a computing system with the intent of it executing when some condition occurs. The logic bomb could be triggered by a change in a file, by a particular input sequence to the program, or at a particular time or date. Logic bombs get their name from malicious actions that they can take when triggered.
A mail bomb is the sending of a massive amount of email to a specific person or system. A huge amount of mail may simply fill up the recipient's disk space on the server or, in some cases, may be too much for a server to handle and may cause the server to stop functioning.
Malicious code refers to computer viruses, worms, spyware, Trojan Horses and other undesirable software. Attack made by using such software is to cause disruption either by deleting files, sending emails, or rendering the host system inoperable.
Malware (malicious software) is a generic term for a number of different types of malicious code. Malware can be used to compromise normal computer functions, steal data, obtain unauthorised access, and form a botnet to launch organised attack.
Man in the Middle (MITM) Attack
A man-in-the-middle attack (MITM) is an attack in which an attacker sits between two parties (the sender and receiver), captures and modifies the communication messages between them, and then forwards the modified messages to the two parties.
A system entity that illegitimately poses as (assumes the identity of) another entity.
A process by which data is irreversibly removed from media, or the media is permanently destroyed.
A compact representation of a message that is created by a cryptographic algorithm. It changes whenever the original message changes.
Authentication using two or more factors. Factors include: (i) something you know (e.g. password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
The necessity for access to, knowledge of, or possession of specific information required to carry out official duties. The need-to-know criterion is used in security procedures that require a custodian of sensitive information, prior to disclosing the information to someone else, to establish that the intended recipient has proper authorisation to access the information.
Network-based scanner is installed on a single machine that scans a number of other hosts on the network. It helps detect critical vulnerabilities such as mis-configured firewalls, vulnerable web servers, risks associated with vendor-supplied software, and risks associated with network and systems administration.
Capturing and examining data packets carried on a network.
The ability to provide proof of the origin such that the sender cannot deny sending the message, and the recipient cannot deny the receipt of the message.
A password which is generated and used only once for authentication, and will not be reused in the next authentication.
A type of filtering to permit or deny network traffic based on the data source, destination, service or protocol of the data packets.
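An added example (not from the original glossary) of the packet-filtering decision described above, which also illustrates the firewall entry's "permit or deny" policy between two networks. It assumes an ordered rule list evaluated first-match with a default deny when nothing matches; the addresses and rules are constructed (RFC 5737 documentation ranges for the "external" side).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network (CIDR)
    dst: str = "0.0.0.0/0"        # destination network (CIDR)
    proto: str = "any"            # service/protocol, "any" matches all
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every one of its criteria matches the packet."""
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Constructed policy: internal users (10.0.0.0/8) may reach the web server
# 192.0.2.10 except on the SSH port; anyone may query the DNS server over UDP.
RULES: List[Rule] = [
    Rule("deny", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=22),
    Rule("permit", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp"),
    Rule("permit", dst="192.0.2.53/32", proto="udp", dport=53),
]


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def demo() -> dict:
    """Evaluates a few constructed packets, plus the same SSH packet against a
    mis-ordered copy of the policy to show why rule order matters."""
    ssh = Packet("10.1.2.3", "192.0.2.10", "tcp", 22)
    return {
        "internal_ssh": filter_packet(RULES, ssh),
        "internal_https": filter_packet(RULES, Packet("10.1.2.3", "192.0.2.10", "tcp", 443)),
        "external_https": filter_packet(RULES, Packet("203.0.113.5", "192.0.2.10", "tcp", 443)),
        "dns_udp": filter_packet(RULES, Packet("203.0.113.5", "192.0.2.53", "udp", 53)),
        "dns_tcp": filter_packet(RULES, Packet("203.0.113.5", "192.0.2.53", "tcp", 53)),
        # Putting the broad permit before the specific deny lets SSH through.
        "internal_ssh_misordered": filter_packet(list(reversed(RULES)), ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last entry in `demo` is the check worth keeping in mind when editing any filter policy: a specific deny placed after a broader permit never fires under first-match evaluation.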
A private and unique series of numbers or letters which enable a user to gain access to a system or service. A passphrase is a longer password.
A patch is a program that upgrades software to a different version, or repairs a bug/vulnerability in software.
Payment Card Industry (PCI) Data Security Standard (DSS)
Payment Card Industry (PCI) Data Security Standard (DSS) is a standard developed by PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
Penetration testing is used to test the external perimeter security of a network or facility.
Personal Identification Number (PIN)
An alphanumeric code or password used to authenticate an identity or to gain access to a system resource.
An attack that redirects users to a bogus website, such as a fraudulent website or proxy server, typically through DNS server hijacking or poisoning.
Phishing is a kind of social engineering attack that tricks legitimate users into revealing private details, such as e-banking login names and passwords by using e-mails or fraudulent websites.
A message text or data that is freely readable and understandable by anyone.
A type of virus that changes its telltale code segments so that it "looks" different from one infected file to another, thus making detection more difficult.
Port scanning is a series of messages sent by someone attempting to break into a computer, in order to learn which network services (each associated with a "well-known" port number) the computer provides. Port scanning, a favourite approach of computer crackers, gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed for weakness.
A data file storing a mathematical key that is assigned to and known only by a single individual, used for creating digital signatures and for decrypting messages that the sender previously encrypted with the recipient's own public key.
The account for a user having access to system control, monitoring, or administration functions.
A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service.
Asymmetric cryptography involves a pair of cryptographic keys for each user. The component that can be made publicly known is the public key.
Public Key Infrastructure (PKI)
A PKI (public key infrastructure) enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organisation and directory services that can store and, when necessary, revoke the certificates. It often includes services and protocols for managing the public keys through the use of Certification Authority.
Anyone (or any application) that relies on someone's identity as represented by their credential.
Denial by an entity involved in a communication/transaction that it has participated in the activity.
Devices introduced into the network that are not authorised.
Role-based Access Control (RBAC)
Role-based access control (RBAC) is an authorisation mechanism in which access decisions are based on the roles that individual users have as part of an organisation.
A collection of tools or programs that a hacker uses to mask an intrusion and obtain administrator-level access to a computer or computer network. The term usually refers to tools of malicious intent, used without going through proper authorisation and/or authentication processes.
Unsolicited email which is deceptive and deliberately fraudulent in nature, leading to infection by viruses, identity theft, or even financial loss if instructions described in the messages are followed.
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is a protocol designed to enable encrypted, authenticated communications across the Internet. It is a security layer between the application and transport layers, which protects the application-layer protocols such as HTTP and is transparent to application developers or users. It provides privacy, authentication and message integrity.
A security assertion is a statement about the identity of a user that is supported by the trust established at the receiving site on the issuer of the assertion.
It is any event that could pose a threat to the availability, integrity and confidentiality of an information system.
A top-level directive statement that guides and determines decisions concerning security in a system.
Security Risk Assessment
Security Risk Assessment can be defined as a process of evaluating security risks related to the use of information technology. It can be used as a baseline for showing the amount of change since the last assessment, and how many more changes are required in order to meet the security requirements.
Segregation of Duties
Segregation of duties is a concept in internal control that requires critical functions to be divided into steps among different individuals so as to prevent a single individual from subverting a critical process.
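An added example (not from the original glossary) that implements the role-based access control entry above together with segregation of duties: permissions attach to roles rather than to users, every access decision is deny-by-default, and a static conflict list stops one person from being assigned both halves of a critical process. The roles, permissions and users are constructed.

```python
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role model: each role carries only what its duties require,
# which is the least privilege principle applied at the role level.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "payment_requester": {("payment", "create"), ("payment", "read")},
    "payment_approver": {("payment", "approve"), ("payment", "read")},
    "auditor": {("payment", "read"), ("audit_log", "read")},
}

# Static segregation-of-duties constraint: creating and approving a payment
# are steps of one critical process and must sit with different people.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"payment_requester", "payment_approver"}),
}


class AccessControl:
    """Maps users to roles and answers authorisation queries through them."""

    def __init__(self) -> None:
        self._user_roles: Dict[str, Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        held = self._user_roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in SOD_CONFLICTS:
                raise ValueError(f"{user} may not hold both {existing} and {role}")
        held.add(role)

    def permissions(self, user: str) -> Set[Permission]:
        """Union of the permissions of every role the user holds."""
        perms: Set[Permission] = set()
        for role in self._user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_authorised(self, user: str, resource: str, action: str) -> bool:
        """Deny by default: unknown users and unlisted actions both return False."""
        return (resource, action) in self.permissions(user)


def demo() -> dict:
    """Assigns constructed roles, attempts a conflicting assignment, and
    returns the resulting access decisions."""
    ac = AccessControl()
    ac.assign_role("alice", "payment_requester")
    ac.assign_role("bob", "payment_approver")
    ac.assign_role("carol", "auditor")
    try:
        ac.assign_role("alice", "payment_approver")  # would let alice self-approve
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    return {
        "alice_create": ac.is_authorised("alice", "payment", "create"),
        "alice_approve": ac.is_authorised("alice", "payment", "approve"),
        "bob_approve": ac.is_authorised("bob", "payment", "approve"),
        "carol_audit": ac.is_authorised("carol", "audit_log", "read"),
        "carol_create": ac.is_authorised("carol", "payment", "create"),
        "unknown_user": ac.is_authorised("mallory", "payment", "approve"),
        "sod_blocked": sod_blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Checking the conflict at assignment time is the static form of segregation of duties; a dynamic form would instead refuse to let the same user approve a payment that user created, which needs per-transaction state this example does not model.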
It allows a client to verify that it is communicating with the intended party, not a malicious third party.
Service Set Identifier (SSID)
Service Set Identifier (SSID) is a configurable identification that allows wireless clients to communicate with an appropriate access point. With proper configuration, only clients with the correct SSID can communicate with access points.
Taking over a session that someone else has established.
A session key is a symmetric key which encrypts a message or session, in order to protect data during transmission. It is created at the beginning of a communications session.
A shoulder attack is an attack in which the attacker observes what a user types and thus steals the password, either by direct observation (looking over the user's shoulder) or by indirect monitoring (using a camera while the user types in the password).
Single Sign-On (SSO)
Single sign-on is an access control mechanism that requires a user to log in only once and then be authenticated automatically by all other service providers.
A tamper-resistant card with a chip storing an encrypted password or the private key which makes it difficult to be sniffed or stolen by the intruder.
An act that uses social interaction, such as lying, play-acting or persuasive talk, to trick legitimate users into revealing system secrets such as user lists, user passwords and network architecture.
This is a copy of software with a cryptographic key installed in the user's computer, PDA or smartphone. The cryptographic key is normally encrypted and stored on some storage media, and authentication requires entry of password or biometrics to activate the token.
Spam refers to bulk unsolicited electronic messages sent in the form of e-mail, fax or short messages, etc., regardless of whether the recipients have given any consent to receive them, or even after the recipients have requested not to receive them any more.
Spammer is a person who sends spam messages.
Spyware is software that secretly forwards information about a user's online activities to third parties without the user's permission.
An SSL VPN allows users to connect to the VPN devices using their Web browsers. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt the traffic between the Web browser and the SSL VPN device.
A branch of cryptography involving algorithms that use the same key for encryption and decryption.
Third-party Mail Relay
A mail relay configured in such a manner that third parties, who are not local users, can send email through the email server.
A potential violation of security that may cause harm to an organisation and its assets.
A time mark or notation that indicates the date and the time of an action / event.
There are two types of token, hard token and soft token. Hard token is a hardware device that contains a protected cryptographic key that cannot be exported. Soft token is a copy of software with a cryptographic key installed in the user's computer, PDA or smartphone. The cryptographic key is normally encrypted and stored on some storage media, and authentication requires entry of password or biometrics to activate the token.
Software that pretends to provide a legitimate function, but actually carries a malicious function that exploits the legitimate authorisations of the person who invokes the program.
A computer virus is a block of executable code that replicates itself by attaching to other files or replacing another program.
Specific strings of binary code in most viruses (except polymorphic ones) that allow antivirus software to identify the virus. New viruses contain new signatures, which is why it is essential to keep signature files up to date.
Vishing is a type of phishing attack that targets VoIP. It can be used by the attacker to steal the identities or money of the victim.
A flaw or weakness in a system that could be exploited by intruders to violate the security policy.
Vulnerability scanner is software that assesses security vulnerabilities in networks or host systems and produces scan results.
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a portable device.
Web Application Firewall
According to the Web Application Security Consortium, a web application firewall (WAF) is an intermediary device, sitting between a web client and a web server, analysing messages at application layer for violations in the programmed security policy.
A change to the content (usually the main page) of a website, with messages placed by an intruder or by a virus.
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a wireless security protocol designed to address and fix the known security issues in WEP. WPA provides users with a higher level of assurance that their data will remain protected by using Temporal Key Integrity Protocol (TKIP) for data encryption. 802.1x authentication has been introduced in this protocol to improve user authentication. WPA has been superseded by WPA2.
Wi-Fi Protected Access 2 (WPA2)
Wi-Fi Protected Access 2 (WPA2) is a wireless security protocol, based on IEEE 802.11i, in which only authorised users can access the wireless network. It supports stronger cryptography (Advanced Encryption Standard, AES), stronger authentication control (Extensible Authentication Protocol, EAP), key management, replay attack protection and data integrity.
Wi-Fi Protected Access 3 (WPA3)
Wi-Fi Protected Access 3 (WPA3) is a new wireless security standard built on WPA2 that brings new features to enhance Wi-Fi security: more robust authentication and enhanced cryptographic strength, while maintaining the resiliency of mission-critical networks.
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) is a basic security feature of the IEEE 802.11 standard that was intended to provide confidentiality over a wireless network by encrypting information sent over the network. After a key-scheduling flaw was found in WEP, it is now considered fully broken, because the WEP key can be cracked in minutes with the aid of automated tools.
A worm is a program that spreads over a network. Unlike a virus, a worm does not attach itself to a host program.
An attack that exploits a newly discovered vulnerability before the software vendor releases the corresponding patch.
A computer attached to the Internet that has been compromised by an intruder with computer viruses or Trojan Horses and is manipulated without the knowledge of its owner. The computer is usually used, under remote control, to perform malicious attacks such as denial-of-service attacks.