Glossary

3DES

See Triple-DES (3DES).

802.11

See IEEE 802.11.

acceptable use policy

Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and Internet access.

access control

The means of giving or restricting user access to network resources. This is usually accomplished through the use of an access control list (ACL).

access control list (ACL)

A list of rights that an object has to resources in the network.

accountability

The act of being responsible for an item. The administrator is often accountable for the network and the resources on it.

acknowledgment (ACK)

A message confirming that a data packet was received. This occurs at the Transport layer of the OSI model.

ACL

See access control list (ACL).

Active Directory

The replacement for NT Directory Service (NTDS) that is included with Windows 2000. It acts similarly to NDS (Novell Directory Services), which is now known as eDirectory in NetWare 6, because it's a true X.500-based directory service.

active response

A response generated in real time.

ActiveX

A technology implemented by Microsoft that allows customized controls, icons, and other features to increase the usability of web-enabled systems.

Address Resolution Protocol (ARP)

Protocol used to map MAC (physical) addresses to IP addresses.

Advanced Encryption Standard (AES)

A Federal Information Processing Standard (FIPS) publication that specifies a cryptographic algorithm for use by the U.S. government.

AES

See Advanced Encryption Standard (AES).

AH (Authentication Header)

A header used to provide connectionless integrity and data origin authentication for IP datagrams, and used to provide protection against replays.

ALE

See annual loss expectancy (ALE).

algorithm

The series of steps/formula/process that is followed to arrive at a result.

annual loss expectancy (ALE)

A calculation that is used to identify risks and calculate the expected loss each year.

annualized rate of occurrence (ARO)

A calculation of how often a threat will occur. For example, a threat that occurs once every five years has an annualized rate of occurrence of 1/5, or 0.2.

anomaly detection

The act of looking for variations from normal operations (anomalies) and reacting to them.

anonymous authentication

Authentication that doesn't require a user to provide a username, password, or any other identification before accessing resources.

Application layer

The seventh layer of the OSI model. This layer deals with how applications access the network and describes application functionality, such as file transfers, messaging, and so on.

Application Programming Interface (API)

An abstract interface to the services and protocols provided by an operating system.

ARO

See annualized rate of occurrence (ARO).

ARP

See Address Resolution Protocol (ARP).

ARP table

A table used by the ARP that contains a list of known TCP/IP addresses and their associated MAC addresses. The table is cached in memory so that ARP lookups don't have to be performed for frequently accessed TCP/IP and MAC addresses. See also Media Access Control (MAC), Transmission Control Protocol/Internet Protocol (TCP/IP).

asymmetric encryption

Encryption in which two keys must be used (not one). One key is used to encrypt data, and the other is needed to decrypt the data. This is the opposite of symmetric encryption, where a single key serves both purposes.

authentication

The means of verifying that someone is who they say they are.

availability

The time period during which a resource can be accessed. Many networks limit users' ability to access network resources to working hours, as a security precaution.

back door (backdoor)

An opening left in a program application (usually by the developer) that allows additional access to data. Typically, these are created for debugging purposes and aren't documented. Before the product ships, the back doors are closed; when they aren't closed, security loopholes exist.

backup

A copy of data made to removable media.

BIA

See Business Impact Analysis (BIA).

biometrics

The science of identifying a person by using one or more of their features. This can be a thumbprint, a retina scan, or any other biological trait.

birthday attack

A probability method of finding similar keys in Message Digest 5 (MD5).

Blowfish

A type of symmetric block cipher created by Bruce Schneier.

boot sector

Also known as the Master Boot Record (MBR). The first sector of the hard disk, where the program that boots the operating system resides. It's a popular target for viruses.

brute force attack

A type of attack that relies purely on trial and error.

buffer overflow attack

A type of Denial of Service (DoS) attack that occurs when more data is put into a buffer than it can hold, thereby overflowing it (as the name implies).

Business Continuity Planning (BCP)

A contingency planning process that will allow a business to keep running in the event of a disruption to vital resources.

Business Impact Analysis (BIA)

A study of the possible impact if a disruption to a business's vital resources were to occur.

CA

See certificate authority (CA).

Carlisle Adams Stafford Tavares (CAST)

A type of symmetric block cipher defined by RFC 2144.

certificate

A digital entity that establishes who you are and is often used with e-commerce. It contains your name and other identifying data.

certificate authority (CA)

An issuer of digital certificates (which are then used for digital signatures or key pairs).

certificate policies

Policies governing the use of certificates.

certificate practice statement (CPS)

The principles and procedures employed in the issuing and managing of certificates.

certificate revocation

The act of making a certificate invalid.

certificate revocation list (CRL)

A list of digital certificate revocations that must be regularly downloaded to stay current.

Challenge Handshake Authentication Protocol (CHAP)

A protocol that challenges a system to verify its identity. CHAP is an improvement over Password Authentication Protocol (PAP); it incorporates one-way hashing into a three-way handshake. RFC 1334 applies to both PAP and CHAP.

client

The part of a client/server network where the computing is usually done. In a typical setting, a client uses the server for remote storage, backups, or security (such as a firewall).

client/server network

A server-centric network in which all resources are stored on a file server and processing power is distributed among workstations and the file server.

clustering

A method of balancing loads and providing fault tolerance.

coax

A type of cabling used in computer networks.

code escrow

The storage and conditions for release of source code provided by a vendor, partner, or other party.

cold site

A physical site that has all the resources necessary to enable an organization to use it if the main site is inaccessible (destroyed). Commonly, plans call for turning to a cold site within a certain number of hours after the loss of the main site.

collusion

An agreement between individuals to commit fraud or deceit.

Common Criteria (CC)

A document of specifications detailing security evaluation methods for IT products and systems.

Common Gateway Interface (CGI)

An older form of scripting that was used extensively in early web systems.

confidentiality

The act of ensuring that data remains private and no one sees it except for those expected to see it.

configuration management

The administration of setting up and changing configurations.

connectionless

Communications between two hosts that have no previous session established for synchronizing sent data. The data isn't acknowledged at the receiving end. This method can allow data loss. Within the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, User Datagram Protocol (UDP) is used for connectionless communication.

connection-oriented

Communications between two hosts that have a previous session established for synchronizing sent data. The receiving PC acknowledges the data. This method allows for guaranteed delivery of data between PCs. Within the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, TCP is used for connection-oriented communication.

cookie

A plain-text file stored on your machine that contains information about you (and your preferences) for use by a database server.

CPS

See certificate practice statement (CPS).

CRC

See cyclical redundancy check (CRC).

CRL

See certificate revocation list (CRL).

cryptography

The field of mathematics focused on encrypting and decrypting data.

cyclical redundancy check (CRC)

An error-checking method in data communications that runs a formula against data before transmission. The sending station then appends the resultant value (called a checksum) to the data and sends it. The receiving station uses the same formula on the data. If the receiving station doesn't get the same checksum result for the calculation, it considers the transmission invalid, rejects the frame, and asks for retransmission.

DAC

See Discretionary Access Control (DAC).

data integrity

A level of confidence that data won't be jeopardized and will be kept secret.

Data Link layer

The second layer of the OSI model. It describes the physical topology of a network.

data packet

A unit of data sent over a network. A packet includes a header, addressing information, and the data itself.

DDoS attack

See Distributed Denial of Service (DDoS) attack.

decryption

The process of converting encrypted data back into its original form.

default gateway

The router to which all packets are sent when the workstation doesn't know where the destination station is or can't find the destination station on the local segment.

demilitarized zone (DMZ)

A method of placing web and other servers that serve the general public outside the firewall and, therefore, isolating them from internal network access.

Denial of Service (DoS) attack

A type of attack that prevents any users—even legitimate ones—from using the system.

DHCP

See Dynamic Host Configuration Protocol (DHCP).

dictionary attack

An attack that uses words from a database (dictionary) to test against passwords until a match is found.

differential backup

A type of backup that includes only new files or files that have changed since the last full backup. Differential backups differ from incremental backups in that they don't clear the archive bit upon completion.

Diffie-Hellman

A standard for exchanging keys. This cryptographic algorithm is used primarily to send secret keys across public networks. The process isn't used to encrypt or decrypt messages; it's used only for the transmission of keys in a secure manner.

digital signature

An electronic signature whose sole purpose is to authenticate the sender.

directory

A network database that contains a listing of all network resources, such as users, printers, groups, and so on.

directory service

A network service that provides access to a central database of information containing detailed information about the resources available on the network.

disaster recovery

The act of recovering data following a disaster that has destroyed the data.

disaster recovery plan

The procedure by which data is recovered after a disaster.

Discretionary Access Control (DAC)

A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.

disk mirroring

Technology that keeps identical copies of data on two disks to prevent the loss of data if one disk is damaged.

disk striping

Technology that enables writing data to multiple disks simultaneously in small portions called stripes. These stripes maximize use by having all the read/write heads working constantly. Different data is stored on each disk and isn't automatically duplicated (this means disk striping in and of itself doesn't provide fault tolerance).

disk striping with parity

A fault-tolerance solution of writing data across a number of disks and recording the parity on another. In the event any one disk fails, the data on it can be re-created by looking at the remaining data and computing parity to figure out the missing data.

Distributed Denial of Service (DDoS) attack

A derivative of a DoS attack in which multiple hosts in multiple locations all focus on one target. See Denial of Service (DoS) attack.

DMZ

See demilitarized zone (DMZ).

DNS

See Domain Name Service (DNS).

domain

Within the Internet, a group of computers with shared traits and a common IP address set. This can also be a group of networked Windows computers that share a single SAM database.

Domain Name Service (DNS)

The network service used in TCP/IP networks that translates host names to IP addresses. See also Transmission Control Protocol/Internet Protocol (TCP/IP).

DoS attack

See Denial of Service (DoS) attack.

dual-homed host

A host that resides on more than one network and possesses more than one physical network card.

dumpster diving

Looking through trash for clues—often in the form of paper scraps—to users' passwords and other pertinent information.

Dynamic Host Configuration Protocol (DHCP)

A protocol used on a TCP/IP network to send client configuration data, including TCP/IP addresses, default gateways, subnet masks, and DNS configurations, to clients. See also default gateway, Domain Name Service (DNS), Transmission Control Protocol/Internet Protocol (TCP/IP).

dynamic packet filtering

A type of firewall used to accept or reject packets based on their contents.

eavesdropping

Any type of passive attack that intercepts data in an unauthorized manner—usually in order to find passwords. Cable sniffing, wiretapping, and man-in-the-middle attacks are eavesdropping attacks.

ECC

See Elliptic Curve Cryptosystem (ECC).

EF

See exposure factor (EF).

electromagnetic interference (EMI)

The interference that can occur during transmissions over copper cable due to electromagnetic energy outside the cable. The result is degradation of the signal.

Elliptic Curve Cryptosystem (ECC)

A type of public key cryptosystem that requires a shorter key length than many other cryptosystems (including the de facto industry standard, RSA).

EMI

See electromagnetic interference (EMI).

Encapsulating Security Payload (ESP)

A header used to provide a mix of security services in IPv4 and IPv6. ESP can be used alone or in combination with the IP Authentication Header (AH).

encoding

The process of translating data into signals that can be transmitted on a transmission medium.

encryption

The process of converting data into a form that makes it less likely to be usable to anyone intercepting it if they can't decrypt it.

encryption key

A string of alphanumeric characters used to decrypt encrypted data.

enticement

The process of luring someone.

entrapment

The process of encouraging an attacker to perform an act even if they don't want to do it.

enumeration

An attempt to gain information about a network by specifically targeting network resources, users and groups, and applications running on the system.

Ethernet

A shared-media network architecture. It operates at the Physical and Data Link layers of the OSI model. As the media access method, it uses baseband signaling over either a bus or a star topology. The cabling used in Ethernet networks can be coax, twisted pair, or fiber optic.

Ethernet address

See MAC address.

exposure factor (EF)

A calculation of how much data (or other assets) could be lost from a single occurrence. If all the data on the network could be jeopardized by a single attack, the exposure factor is 100 percent.

extranet

Web (or similar) services set up in a private network to be accessed internally and by select external entities, such as vendors and suppliers.

fail-over (failover)

The process of reconstructing a system or switching over to other systems when a failure is detected.

fail-over device

A device that comes online when another fails.

fail-over server

A hot-site backup system in which the failover server is connected to the primary server. A heartbeat is sent from the primary server to the backup server. If the heartbeat stops, the fail-over system starts and takes over. Thus, the system doesn't go down even if the primary server isn't running.

false positive

A flagged event that isn't really an event and has been falsely triggered.

Faraday Cage

An electrically conductive wire mesh or other conductor woven into a "cage" that surrounds a room and prevents electromagnetic signals from entering or leaving the room through the walls.

fault tolerance

The ability to withstand a fault (failure) without losing data.

fault-resistant network

A network that is up and running at least 99 percent of the time or that is down less than 8 hours a year.

fault-tolerant network

A network that can recover from minor errors.

File Transfer Protocol (FTP)

A TCP/IP protocol that permits the transferring of files between computer systems. Because FTP has been implemented on numerous types of computer systems, files can be transferred between disparate systems (for example, a personal computer and a minicomputer).

firewall

A combination of hardware and software that protects a network from attack by hackers who could gain access through public networks, including the Internet.

footprinting

The process of systematically identifying a network and its security posture.

forensics

In terms of security, the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.

FTP

See File Transfer Protocol (FTP).

full backup

A backup that copies all data to the archive medium.

handshake

The process of agreeing to communicate and share data. Transmission Control Protocol (TCP) uses a three-way handshake to establish connections, and part of this process can be exploited by SYN attacks.

hardening

The process of making a system more secure by closing known holes and addressing known security issues.

hash (hashing)

The process of transforming characters into other characters that represent (but are not) the originals. Traditionally, the results are smaller and more secure than the original.

hash value

A single number used to represent the original piece of data.

H-IDS

See host-based IDS (H-IDS).

high availability

A clustering solution to provide resource reliability and availability.

hijacking (TCP/IP hijacking)

See man-in-the-middle attack.

hoax

Typically, an e-mail message warning of something that isn't true, such as the outbreak of a new virus. The hoax can send users into a panic and cause more harm than the virus could.

honey pot

A bogus system set up to attract and slow down a hacker.

host

Any network device with a Transmission Control Protocol/Internet Protocol (TCP/IP) network address.

host-based IDS (H-IDS)

An intrusion detection system that is host-based. The alternative is a network-based system.

hot fix (hotfix)

Another word for a patch. When Microsoft rolls a number of hotfixes together, they become known as a service pack.

hot site

A location that can provide complete operations support within hours of a failure to minimize or eliminate downtime in the event of a disaster affecting a company's primary location.

HTML

See Hypertext Markup Language (HTML).

HTTP

See Hypertext Transfer Protocol (HTTP).

HTTPS

See Hypertext Transfer Protocol (Secure) (HTTPS).

Hypertext Markup Language (HTML)

A set of codes used to format text and graphics that will be displayed in a browser. The codes define how data will be displayed.

Hypertext Transfer Protocol (HTTP)

The protocol used for communication between a web server and a web browser.

Hypertext Transfer Protocol (Secure) (HTTPS)

A combination of HTTP with Secure Socket Layer (SSL) to make for a secure connection. It uses port 443 by default.

ICMP

See Internet Control Message Protocol (ICMP).

ICMP attack

An attack that occurs by triggering a response from the Internet Control Message Protocol (ICMP) when it responds to a seemingly legitimate maintenance request.

IDS

See intrusion detection system (IDS).

IEEE 802.11

A family of protocols that provides for wireless communications using radio frequency transmissions.

IGMP

See Internet Group Management Protocol (IGMP).

IM

See instant messaging (IM).

IMAP

See Internet Message Access Protocol (IMAP).

incident

Any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information.

incremental backup

A type of backup in which only new files or files that have changed since the last full backup or the last incremental backup are included. Incremental backups clear the archive bit on files upon completion.

information classification

The process of determining what information is accessible to what parties and for what purposes.

information classification policies

Written policies detailing dissemination of information.

instant messaging (IM)

Immediate communication that can be sent back and forth between users who are currently logged on. From a security standpoint, there are risks associated with giving out information via IM that can be used in social engineering attacks; in addition, attachments can contain viruses.

integrity

See data integrity.

interception

The process of covertly obtaining information not meant for you. Interception can be an active or passive process.

International Data Encryption Algorithm (IDEA)

An algorithm that uses a 128-bit key. This product is similar in speed and capability to Data Encryption Standard (DES), but it's more secure. IDEA is used in Pretty Good Privacy (PGP).

International Organization for Standardization (ISO)

The standards organization that developed the OSI model. This model provides a guideline for how communications occur between computers.

Internet

A global network made up of a large number of individual networks that are interconnected and use TCP/IP protocols. See also Transmission Control Protocol/Internet Protocol (TCP/IP).

Internet Control Message Protocol (ICMP)

A message and management protocol for Transmission Control Protocol/Internet Protocol (TCP/IP). The Ping utility uses ICMP. See also Ping, Transmission Control Protocol/Internet Protocol (TCP/IP).

Internet Group Management Protocol (IGMP)

A protocol used for multicasting operations across the Internet.

Internet layer

The network layer responsible for routing, IP addressing, and packaging.

Internet Message Access Protocol (IMAP)

A protocol with a store-and-forward capability. It can also allow messages to be stored on an e-mail server instead of downloaded to the client.

Internet Protocol (IP)

The protocol in the TCP/IP protocol suite responsible for network addressing and routing. See also Transmission Control Protocol/Internet Protocol (TCP/IP).

Internet Service Provider (ISP)

A company that provides access to the Internet for home and business computer users.

intranet

Web (or similar) services set up in a private network to be accessed internally only.

intrusion detection system (IDS)

Tools that identify and respond to attacks using defined rules or logic. An IDS can be network-based or host-based.

IP spoofing

An attack during which a hacker tries to gain access to a network by pretending their machine has the same network address as the internal network.

JavaScript

A programming language that allows access to system resources of the system running the script. These scripts can interface with all aspects of an operating system just like programming languages, such as the C language.

KDC

See Key Distribution Center (KDC).

Kerberos

An authentication scheme that uses tickets (unique keys) embedded within messages. It's named after the three-headed guard dog who stood at the gates of Hades in Greek mythology.

Key Distribution Center (KDC)

An organization/facility that generates keys for users.

key escrow agency

An agency that stores keys for the purpose of law-enforcement access.

key suspension

The temporary deferment of a key for a period of time (such as for a leave of absence).

L2TP

See Layer 2 Tunneling Protocol (L2TP).

LAN

See local area network (LAN).

Layer 2 Tunneling Protocol (L2TP)

A tunneling protocol that adds functionality to Point-to-Point Protocol (PPP). This protocol was created by Microsoft and Cisco and is often used with virtual private networks (VPNs).

LDAP

See Lightweight Directory Access Protocol (LDAP).

Lightweight Directory Access Protocol (LDAP)

A set of protocols derived from X.500 that operate at port 389.

local area network (LAN)

A network that is restricted to a single building, group of buildings, or even a single room. A LAN can have one or more servers.

logic bomb

Any code hidden within an application that causes something unexpected to happen based on some criteria being met. For example, a programmer could create a program that always makes sure his name appears on the payroll roster; if it doesn't, then key files begin to be erased.

M of N Control method

A rule stating that, in order to access the key server, when n administrators have the ability to perform a process, m of those administrators must authenticate for access to occur.

MAC (Mandatory Access Control)

A security policy wherein labels are used to identify the sensitivity of objects. When a user attempts to access the object, the label is checked to see if access should be allowed (that is, whether the user is operating at the same sensitivity level). This policy is mandatory because labels are automatically applied to all data (and can be changed only by administrative action), as opposed to discretionary policies that leave it up to the user to decide whether to apply a label.

MAC (Media Access Control)

See Media Access Control (MAC).

MAC address

The unique address that is assigned to a Network Interface Card (NIC).

macro virus

A software exploitation virus that works by using the macro feature included in many applications.

malicious code

Any code that is meant to do harm.

man-in-the-middle attack

An attack that occurs when someone/thing that is trusted intercepts packets and retransmits them to another party. This was also called TCP/IP hijacking in the past.

mantrap

A device, such as a small room, that limits access to a few individuals. Mantraps typically use electronic locks and other methods to control access.

mathematical attack

An attack focused on an encryption algorithm, the key mechanism, or any potential area of weakness in the algorithm.

Mean Time Between Failure (MTBF)

The measure of the anticipated incidence of failure of a system or component.

Mean Time To Repair (MTTR)

The measurement of how long it takes to repair a system or component once a failure occurs.

media

Any storage medium.

Media Access Control (MAC)

A sublayer of the Data Link layer of OSI that controls the way multiple devices use the same media channel. It controls which devices can transmit and when they can transmit.

Message Authentication Code (MAC)

A common method of verifying integrity. The MAC is derived from the message and a key.

message digest

The signature area within a message.

Message Digest Algorithm (MDA)

An algorithm that creates a hash value. The hash value is also used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2.

modem

A communications device that converts digital computer signals into analog tones for transmission over the telephone system and converts them back to digital upon reception.

multi-factor

The term employed any time more than one factor must be considered.

need-to-know

A method of information dissemination based on passing information only to those who need to know it.

NetBIOS Extended User Interface (NetBEUI)

A protocol used to transport Network Basic Input Output System (NetBIOS) traffic in a local area network (LAN).

network

A group of devices connected by some means for the purpose of sharing information or resources.

Network Basic Input Output System (NetBIOS)

The native protocol of Windows PCs. It provides a 15-character naming convention for resources on the network. NetBIOS is a broadcast-oriented network protocol, in that all traffic is available to all devices in a local area network (LAN). The protocol can be transported over NetBIOS Extended User Interface (NetBEUI), Transmission Control Protocol/Internet Protocol (TCP/IP), or Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).

Network File System (NFS)

A protocol that enables users to access files on remote computers as if the files were local.

Network Interface Card (NIC)

A physical device that connects computers and other network equipment to the transmission medium.

Network Interface layer

The lowest level of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, which is responsible for placing and removing packets on the physical network.

Network layer

The third layer of the OSI model, which is responsible for logical addressing and translating logical names into physical addresses. This layer also controls the routing of data from source to destination as well as the building and dismantling of packets. See also Open Systems Interconnect (OSI).

network sniffer

A device that has access to the signaling on the network cable.

network-based IDS (N-IDS)

An Intrusion Detection System (IDS) approach that attaches the system to a point in the network where it can monitor and report on all network traffic.

NFS

See Network File System (NFS).

NIC

See Network Interface Card (NIC).

non-repudiation

The ability (by whatever means) to verify that data was seen by an intended party. It makes sure they received the data and can't repudiate (dispute) that it arrived.

one-time pad

Words added to values during authentication.

Open Systems Interconnect (OSI)

A model defined by the ISO to categorize the process of communication between computers in terms of seven layers. The seven layers are Application, Presentation, Session, Transport, Network, Data Link, and Physical. See also International Organization for Standardization (ISO).

OSI

See Open Systems Interconnect (OSI).

out-of-band method

A way to transmit the encryption key by using a method other than the one used to transmit the data. The key is sent by letter, by courier, or by some other separate means.

owner

The person responsible for the current existence of a resource.

packet filtering

A firewall technology that accepts or rejects packets based on their content.

packet switching

The process of breaking messages into packets at the sending router for easier transmission over a wide area network (WAN).

PAP

See Password Authentication Protocol (PAP).

partitioning

The process of breaking a network into smaller components that can be individually protected.

passive detection

A type of intruder detection that logs all network events to a file for an administrator to view later.

passive response

A non-active response, such as logging. This is the most common type of response to many intrusions. In general, passive responses are the easiest to develop and implement.

Password Authentication Protocol (PAP)

One of the simplest forms of authentication. Authentication is accomplished by sending the username and password to the server and having them verified. Passwords are sent as clear text and, therefore, can be easily seen if intercepted. This is why whenever possible PAP shouldn't be used but should instead be replaced with Challenge Handshake Authentication Protocol (CHAP) or something stronger.

password guessing

Attempting to enter a password by guessing its value.

password history

A list of passwords that have already been used.

PAT

See port address translation (PAT).

PGP

See Pretty Good Privacy (PGP).

physical access control

Access control measures used to restrict physical access to the server(s).

Physical layer

The first layer of the OSI model, which controls the functional interface. See also Open Systems Interconnect (OSI).

Ping

A TCP/IP utility used to test whether another host is reachable. An Internet Control Message Protocol (ICMP) request is sent to the host, which responds with a reply if it's reachable. The request times out if the host isn't reachable.

ping of death

A large ICMP packet sent to overflow the remote host's buffer. This usually causes the remote host to reboot or hang.

Plain Old Telephone Service (POTS)

Standard telephone service, as opposed to other connection technologies like DSL.

point-to-point

Network communication in which two devices have exclusive access to a network medium. For example, a printer connected to only one workstation is using a point-to-point connection.

Point-to-Point Protocol (PPP)

A full-duplex line protocol that supersedes Serial Line Internet Protocol (SLIP). It's part of the standard Transmission Control Protocol/Internet Protocol (TCP/IP) suite and is often used in dial-up connections.

Point-to-Point Tunneling Protocol (PPTP)

An extension to Point-to-Point Protocol (PPP) that is used in virtual private networks (VPNs). An alternative to PPTP is Layer 2 Tunneling Protocol (L2TP).

polymorphic

An attribute of some viruses that allows them to mutate and appear differently each time they crop up. The mutations make it harder for virus scanners to detect (and react to) the viruses.

POP

See Post Office Protocol (POP).

port

An opening that allows network data to pass through.

port address translation (PAT)

A means of translating between ports on a public and private network. Similar to network address translation (NAT) (which translates addresses between public and private).

port scanner

An item (physical or software) that scans a server for open ports that can be taken advantage of. Port scanning is the process of sending messages to ports to see which ones are available and which ones aren't.

Post Office Protocol (POP)

An e-mail access program that can be used to retrieve e-mail from an e-mail server.

POTS

See Plain Old Telephone Service (POTS).

PPP

See Point-to-Point Protocol (PPP).

PPTP

See Point-to-Point Tunneling Protocol (PPTP).

Presentation layer

The sixth layer of the OSI model, which is responsible for formatting data exchange, such as graphic commands, and converting character sets. This layer is also responsible for data compression, data encryption, and data stream redirection. See also Open Systems Interconnect (OSI).

Pretty Good Privacy (PGP)

A shareware implementation of RSA encryption.

privacy

A state of security in which information isn't seen by unauthorized parties without the express permission of the party involved.

Private Branch Exchange (PBX)

A system that allows users to connect voice, data, pagers, networks, and almost any other application into a single telecommunications system. A PBX system allows an organization to be its own phone company.

private key

The secret key of an asymmetric cryptography solution that must be kept secure. It is one of the keys in the public/private key pair.

privilege escalation

The result when a user obtains access to a resource they wouldn't normally be able to access. This can be done inadvertently—by running a program with Set User ID (SUID) or Set Group ID (SGID) permissions—or by temporarily becoming another user (via su or sudo in Unix/Linux or RunAs in Windows 2000).

promiscuous mode

A mode wherein a Network Interface Card (NIC) intercepts all traffic crossing the network wire, not just the traffic intended for it.

proxy

A type of firewall that prevents direct communication between a client and a host by acting as an intermediary. See also firewall.

public key

The shared key of an asymmetric cryptography solution that is freely distributed. It is one of the keys in the public/private key pair.

Public Key Infrastructure (PKI)

A two-key encryption system wherein messages are encrypted with a private key and decrypted with a public key.

public-key system

An encryption system employing a key that is known to users beyond the recipient.

radio frequency interference (RFI)

The byproduct of electrical processes, similar to electromagnetic interference (EMI). The major difference is that RFI is usually projected across a radio spectrum.

RADIUS

See Remote Authentication Dial-In User Service (RADIUS).

RAID

See Redundant Array of Independent (or Inexpensive) Disks (RAID).

RAS

See Remote Access Server (RAS).

RBAC

See Role-Based Access Control (RBAC).

RC5

See Rivest Cipher 5 (RC5).

Redundant Array of Independent (or Inexpensive) Disks (RAID)

A configuration of multiple hard disks used to provide fault tolerance, should a disk fail. Different levels of RAID exist, depending on the amount and type of fault tolerance provided.

registration authority (RA)

An organization that offloads some of the work from a certificate authority (CA). An RA system operates as a middleman in the process. The RA can distribute keys, accept registrations for the CA, and validate identities. The RA doesn't issue certificates; that responsibility remains with the CA.

Remote Access Server (RAS)

A computer that has one or more modems installed to enable remote connections to the network.

Remote Authentication Dial-In User Service (RADIUS)

A mechanism that allows authentication of dial-in and other network connections.

replay attack

Any attack where the data is retransmitted repeatedly (often fraudulently or maliciously). In one such possibility, a user can replay a web session and visit sites intended only for the original user.

Request for Comments (RFC)

A document-creation process and a set of practices that originated in 1969 and are used for proposed changes to Internet standards.

reverse DNS

The process of using an Internet Protocol (IP) address to find a domain name, rather than using a domain name to find an IP address (normal Domain Name Service [DNS]). PTR (pointer) records are used for the reverse lookup. Reverse DNS is often used to authenticate incoming connections.

revocation

The process of canceling credentials that have been lost or stolen (or are no longer valid). With certificates, this is accomplished with a certificate revocation list (CRL).

risk assessment

An evaluation of how much risk you and your organization are willing to take. An assessment must be performed before any other actions—such as how much to spend toward security in terms of dollars and manpower—can be decided.

Rivest Cipher 5 (RC5)

A cipher algorithm created by Ronald Rivest (for RSA) and known for its speed. It works through blocks of variable sizes using three phases: key expansion, encryption, and decryption.

Role-Based Access Control (RBAC)

A type of control wherein the levels of security closely follow the structure of an organization. The role the person plays in the organization (accountant, salesperson, and so on) corresponds to the level of security access they have to data.

router

A device that connects two or more networks and allows packets to be transmitted and received between them. A router determines the best path for data packets from source to destination.

RSA

One of the providers of cryptography systems to industry and government. RSA stands for the initials of the three founders of RSA Security Inc.: Rivest, Shamir, and Adleman. RSA has been involved in Public Key Cryptography Standards (PKCS), and it maintains a list of standards for PKCS.

RSBAC

See Rule Set-Based Access Control (RSBAC).

Rule Set-Based Access Control (RSBAC)

An open-source access control framework for the Linux kernel that uses access control modules to implement Mandatory Access Control (MAC).

sandbox

A set of rules used when creating a Java applet that prevents certain functions when the applet is sent as part of a web page.

screened host

A router that is in front of a server on the private network. Typically, this server does packet filtering on incoming traffic before allowing that traffic to reach the firewall/proxy server that services the internal network.

secret key

See private key.

Secure Electronic Transaction (SET)

A protocol developed by Visa and MasterCard for secure credit card transactions. The protocol is becoming an accepted standard by many companies. SET provides encrypted credit card numbers over the Internet, and it's most suited to transmissions of small amounts of data.

Secure Hash Algorithm (SHA)

A one-way hash algorithm designed to ensure the integrity of a message.

Secure Hypertext Transfer Protocol (S-HTTP)

A protocol used for secure communications between a web server and a web browser.

Secure Shell (SSH)

A replacement for rlogin in Unix/Linux that includes security. rlogin allowed one host to establish a connection with another with no real security being employed; SSH replaces it with slogin and digital certificates.

Secure Socket Layer (SSL)

A protocol that secures messages by operating between the Application layer (HTTP) and the Transport layer.

security zone

A method of isolating a system from other systems or networks.

separation of duties

A set of policies designed to reduce the risk of fraud and prevent other losses in an organization.

Serial Line Internet Protocol (SLIP)

An older protocol that was used in early remote access environments. SLIP was originally designed to connect Unix systems together in a dial-up environment, and it only supports serial communications.

server

A computer that provides resources to clients on the network.

server authentication

A process that requires a workstation to authenticate against the server.

service level agreement (SLA)

An agreement that specifies performance requirements for a vendor. This agreement may use Mean Time Between Failure (MTBF) and Mean Time To Repair (MTTR) as performance measures in the SLA.

service pack

An operating system update from Microsoft.

session key

The key used between a client and a server during a session, which is agreed on during connection. This key is generated by encrypting the server's digital ID (after validity has been established). The key pair is then used to encrypt and verify the session key that is passed back and forth between client and server during the length of the connection.

Session layer

The fifth layer of the OSI model. It determines how two computers establish, use, and end a session. Security authentication and network-naming functions required for applications occur here. The Session layer establishes, maintains, and breaks dialogs between two stations. See also Open Systems Interconnect (OSI).

SHA

See Secure Hash Algorithm (SHA).

Shielded Twisted Pair (STP)

A network cabling medium that has a shield, similar to coax, wrapped over the wires.

S-HTTP

See Secure Hypertext Transfer Protocol (S-HTTP).

signed applet

An applet that doesn't run in the Java sandbox and has higher system access capabilities. Signed applets aren't usually downloaded from the Internet, but are provided by in-house or custom programming efforts.

Simple Mail Transfer Protocol (SMTP)

A protocol for sending e-mail between SMTP servers.

Simple Network Management Protocol (SNMP)

The management protocol created for sending information about the health of the network to network-management consoles.

single loss expectancy (SLE)

The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.

single sign-on (SSO)

A relationship between the client and the network wherein the client is allowed to log on one time, and all resource access is based on that logon (as opposed to needing to log on to each individual server to access the resources there).

site survey

Listening in on an existing wireless network using commercially available technologies.

SLIP

See Serial Line Internet Protocol (SLIP).

SMTP

See Simple Mail Transfer Protocol (SMTP).

SMTP relay

A feature designed into many e-mail servers that allows them to forward e-mail to other e-mail servers.

smurf attack

An attack caused by pinging a broadcast to a number of sites with a false "from" address. When the hosts all respond to the ping, they flood the false "from" site with echoes.

sniffer

A physical device that listens in on (sniffs) network traffic and looks for items it can make sense of. There is a legitimate purpose for these devices: Administrators use them to analyze traffic. However, when they're used by sources other than the administrator, they become security risks.

sniffing

Examining the contents of network packets (or complete communications) surreptitiously. Also known as wiretapping, eavesdropping, packet sniffing, network sniffing, and so on.

SNMP

See Simple Network Management Protocol (SNMP).

snooping

The process of looking through files in hopes of finding something interesting.

social engineering

An attack that uses others by deceiving them.

socket

The primary method used to communicate with services and applications such as the Web and Telnet.

software exploitation

An attack launched against applications and higher-level services.

spam

Unwanted, unsolicited e-mail sent in bulk.

spike

A momentary or instantaneous increase in power over a power line.

spoofing attack

An attempt by someone or something to masquerade as someone else.

SSH

See Secure Shell (SSH).

SSL

See Secure Socket Layer (SSL).

stateful packet filtering

Inspections that occur at all levels of the network and provide additional security using a state table that tracks every communications channel.

switched network

A network that has multiple routes to get from a source to a destination, allowing for higher speeds.

symmetrical key

The key used when the same key encrypts and decrypts data.

SYN flood

A Denial of Service (DoS) attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.

TCP

See Transmission Control Protocol (TCP).

TCP sequence attack

An attack wherein the attacker intercepts session communication packets and then responds with a sequence number similar to the one used in the original session. The attack can either disrupt a session or hijack a valid session.

TCP/IP

See Transmission Control Protocol/Internet Protocol (TCP/IP).

TCP/IP hijacking

An attack in which the attacker gains access to a host in the network and logically disconnects it from the network. The attacker then inserts another machine with the same Internet Protocol (IP) address onto the network.

teardrop attack

A Denial of Service (DoS) attack that uses large packets and odd offset values to confuse the receiver and help facilitate a crash.

Telnet

A protocol that functions at the Application layer of the OSI model, providing terminal emulation capabilities. See also Open Systems Interconnect (OSI).

Terminal Access Controller Access Control System (TACACS)

An authentication system that allows credentials to be accepted from multiple methods, including Kerberos. The TACACS client/server process occurs in the same manner as the Remote Authentication Dial-In User Service (RADIUS) process.

threat

Any perceivable risk.

Time to Live (TTL)

A field in an Internet Protocol (IP) packet that indicates how many routers the packet can cross (hops it can make) before it's discarded. TTL is also used in Address Resolution Protocol (ARP) tables to indicate how long an entry should remain in the table.

TLS

See Transport Layer Security (TLS).

Traceroute

See Tracert.

Tracert

The TCP/IP Traceroute command-line utility that shows the user every router interface a TCP/IP packet passes through on its way to a destination. See also Transmission Control Protocol/Internet Protocol (TCP/IP).

trailer

A section of a data packet that contains error-checking information.

Transmission Control Protocol (TCP)

The protocol found at the Host-to-Host layer of the Department of Defense (DoD) model. This protocol breaks data packets into segments, numbers them, and sends them in random order. The receiving computer reassembles the data so that the information is readable by the user. In the process, the sender and the receiver confirm that all data has been received; if not, it's re-sent. This is a connection-oriented protocol. See also connection-oriented.

Transmission Control Protocol/Internet Protocol (TCP/IP)

The protocol suite developed by the Department of Defense (DoD) in conjunction with the Internet. It was designed as an internetworking protocol suite that could route information around network failures. Today it's the de facto standard for communications on the Internet.

Transport layer

The fourth layer of the OSI model. It's responsible for checking that data packets created in the Session layer are received error free. If necessary, it also changes the length of messages for transport up or down the remaining layers. See also Open Systems Interconnect (OSI).

Transport Layer Security (TLS)

A protocol whose purpose is to verify that secure communications between a server and a client remain secure. Defined in RFC 2246.

Triple-DES (3DES)

A block cipher algorithm used for encryption.

Trivial File Transfer Protocol (TFTP)

A protocol similar to FTP that doesn't provide the security or error-checking features of FTP. See also File Transfer Protocol (FTP).

Trojan horse

Any application that masquerades as one thing in order to get past scrutiny and then does something malicious. One of the major differences between Trojan horses and viruses is that Trojan horses tend not to replicate themselves.

trust list

A list of objects that have been signed by a trusted entity. Also known as a certificate trust list (CTL).

TTL

See Time to Live (TTL).

tunneling

The act of sending data across a public network by encapsulating it into other packets.

two-factor authentication

A process that uses two access methods as a part of authentication.

UDP

See User Datagram Protocol (UDP).

Uniform Resource Locator (URL)

A way of identifying a document on the Internet. It consists of the protocol used to access the document and the domain name or IP address of the host that holds the document; for example, http://www.sybex.com.

Uninterruptible Power Supply (UPS)

A device that can provide short-term power, usually by using batteries.

Unshielded Twisted Pair (UTP)

The most common networking cable currently in use. UTP consists of several wires twisted around each other encased in a plastic coating, similar to telephone cable.

URL

See Uniform Resource Locator (URL).

user

The person who is using a computer or network.

User Datagram Protocol (UDP)

The protocol at the Host-to-Host layer of the Department of Defense (DoD) model, which corresponds to the Transport layer of the OSI model. Packets are divided into segments, given numbers, sent randomly, and put back together at the receiving end. This is a connectionless protocol. See also connectionless, Open Systems Interconnect (OSI).

virtual LAN (VLAN)

A local area network (LAN) that allows users on different switch ports to participate in their own network separate from, but still connected to, the other stations on the same or connected switch.

virtual private network (VPN)

A system that uses the public Internet as a backbone for a private interconnection (network) between locations.

virus

A program intended to damage a computer system. Sophisticated viruses are encrypted; they hide in a computer and may not appear until the user performs a certain action or until a certain date.

VPN

See virtual private network (VPN).

WAN

See wide area network (WAN).

warm site

A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that may already exist in the warm site.

weak key attack

An attack that looks for cipher holes.

web server

A server that holds and delivers web pages and other web content using HTTP. See also Hypertext Transfer Protocol (HTTP).

WEP

See Wired Equivalent Privacy (WEP).

wide area network (WAN)

A network that crosses local, regional, and/or international boundaries.

Wired Equivalent Privacy (WEP)

A security protocol for 802.11b (wireless) networks that attempts to establish the same security for them as would be present in a wired network.

wireless access point

A wireless bridge used in a multipoint radio frequency (RF) network.

wireless local area network (WLAN)

A local area network that employs wireless access points (WAPs) and clients using the 802.11b standard.

Wireless Transport Layer Security (WTLS)

The security layer of the Wireless Application Protocol (WAP). WTLS provides authentication, encryption, and data integrity for wireless devices.

WLAN

See wireless local area network (WLAN).

work factor

An estimate of the amount of time and effort that would be needed to break a system.

workgroup

A specific group of users or network devices, organized by job function or proximity to shared resources.

workstation

A computer that isn't a server but is on a network. Generally, a workstation is used to do work, whereas a server is used to store data or perform a network function.

worm

A program similar to a virus. Worms, however, propagate themselves over a network. See also virus.

X.500

The standard implemented by the International Telecommunications Union (ITU), an international standards group, for directory services in the late 1980s. The standard was the basis for later models of directory structure, such as LDAP.

zone

An area in a building where access is individually monitored and controlled.
