V

Validation – confirmation, through provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.

VAR – a value-added reseller.

Vector – in computing, this is the method that malware uses to propagate itself.

Verification – confirmation through the provision of objective evidence that specified requirements have been fulfilled.

Verified by Visa – see 3-D Secure.

Virtualisation – as ‘virtual’ usually means that the thing to which it refers isn’t real, the idea of virtualisation might seem odd. The term, however, refers to the emulation of operating systems and applications within a virtual environment, which itself may co-exist completely independently from other virtual environments on the same physical hardware. Virtualisation enables organisations to substantially reduce the hardware costs associated with running large server farms and, indeed, even with running small numbers of applications.

Virtual Private Networks (SSL, IPSEC) – a Virtual Private Network is an encrypted tunnel over a public network which provides privacy as good as that available on a private network. It consists of encrypted and authenticated logical (not physical) links across shared or public networks that are used to provide remote links to an organisational network. A VPN server within the organisational perimeter encrypts data sent to a VPN client outside the perimeter, and vice versa. See Internet Protocol Security and Secure Sockets Layer.

Virus – a virus is a piece of computer code that is designed to make your computer sick. Like biological viruses, it indiscriminately selects and infects those whose defences are weak or non-existent. Technically, a virus has at least two properties: it is a program capable of replicating, i.e. producing functional copies of itself, and it depends on a host file (a document or executable file, shared by e-mail or Instant Messenger) to carry each copy. It may or may not have a ‘payload’, the ability to do something funny or destructive or clever when it arrives.

  • There are some 100,000 known viruses in the wild. These range from primitive bits of code written at the dawn of computing time, and to which almost all computers are now completely immune, to more destructive creatures like 2004’s MyDoom, Slammer, Sobig (with all its variants) and Bugbear. Up-to-date anti-virus software protects against all of these, without you ever having to know what they do or how they work.
  • Viruses exploit software faults (vulnerabilities) to attack computers, and their payloads range from silly messages, to individual keys becoming inoperative, to the complete death of your computer.
  • The same virus doesn’t always have the same name with every anti-virus vendor. This is very irritating and it reflects the fact that the same virus is usually discovered, analysed, reverse engineered and the appropriate anti-virus signature update produced by a number of competitive vendors working in parallel, each of them having allocated the virus their own version of the name.
  • Most viruses attack Microsoft products, not just because Microsoft products are full of flaws (vulnerabilities) but because they are the most widely used computer software programs in the world, installed on more than 90% of desktops. Computer viruses spread by harvesting e-mail address books and forwarding themselves to everyone you know in an e-mail that is identified as having come from you – a good way of losing friends and business contacts.
  • It’s not just Microsoft, though. All software has vulnerabilities, even the open source versions. Visit Bugtraq (www.securityfocus.com/archive/1) or CVE (http://cve.mitre.org/) to get a techie’s-eye view of the range of software vulnerabilities that can be exploited by virus and worm writers.
  • And it’s not just workstations and computer networks that have virus challenges: increasingly, PDAs and cellphones are coming under attack and, as they too need to connect to the corporate network, they too need to be protected.
  • Virus writers intend to exploit vulnerabilities in their target software and, as soon as a weakness is identified, the race is on to exploit it – and to see it off. The speed with which new viruses are developed is increasing – it is now only a matter of days between the announcement of a vulnerability and the appearance of the first virus exploiting it.

Virus hoax – there are people out there who think it’s dead funny to send e-mails to everyone they know, warning of a virus that isn’t one. Frankly, if a real or important new virus existed that you had to hear about from some acquaintance rather than from your anti-virus company, you’ve either chosen a very poor anti-virus supplier (if you have one at all) or you’re being hoaxed. If you’re reading this book, the chances are that it will be the latter. The website http://vmyths.com is a good place to go if you really want to be sure that a message you’ve received is a hoax.

Virus writers – ‘people’ who write viruses; they should be taken outside and have unspeakable things done to them. Mostly, they are sad people who do it for fun and because they enjoy the challenge of writing clever code. Sometimes they do it out of loneliness, or because they want to have some impact on the world. They often work together and have online groups, websites and communities through which they share work and ideas. They also compete with one another and certainly their relationship with anti-virus companies is often extremely hostile. Virus toolkits are available online, so that anyone with limited code writing skills can also create a virus.

Vishing – this is the criminal use of social engineering techniques over a telephone system, often with features provided by VoIP, to gain access to personal and financial data. Do not provide sensitive personal information to anyone who phones you, however convincing they sound!

VoIP/VOB – Voice over IP/Voice over Broadband is a technology that enables voice-to-voice communication across the Internet.

VPNs – see Virtual Private Networks.

Vulnerability – a weakness of an asset or group of assets that can be exploited by a threat. The alternative definition, from ISO27000, substitutes ‘control’ for ‘group of assets’ but is otherwise the same. There are regularly updated central stores of known technical vulnerabilities at Bugtraq (www.securityfocus.com/archive/1), CVE (Common Vulnerabilities and Exposures: http://cve.mitre.org/) and in the SANS (SysAdmin, Audit, Network, Security) Institute’s Top Cyber Security Risks.

Vulnerability assessment – this is the (usually automated) evaluation (or vulnerability scanning) of operating systems and applications to identify missing fixes for known problems, so that the necessary fixes can be installed and the systems made safe.

Vulnerability scanning – an automated process of scanning a network or a series of information assets to establish if they display any of the characteristics of known vulnerabilities.
