Information Security Glossary
Access Control: a physical or technical control (or system) to ensure authorized access and to prevent unauthorized access to resources, premises or systems to enforce business or security requirements. Examples include a lock to which only authorized personnel have the key, a swipe-card entry system, PIN controls on bank cards, file permissions on a server or any other means of controlling usage.
ActiveX: a set of technologies that allows software components to interact with one another in a networked environment, regardless of the language in which the components were created. ActiveX controls can be embedded in web pages to produce animation and other multimedia effects.
Advanced Persistent Threat (APT): an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). The APT adversary pursues its objectives repeatedly over an extended period of time, adapts to the defender’s efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives.
Adware: a form of spyware that enters a computer from an internet download and monitors computer use, such as which Web sites are visited. Adware gets its name from launching numerous pop-up ads in the infected computer's browser.
Algorithm: a sequence of steps needed to solve logical or mathematical problems. Certain cryptographic algorithms are used to encrypt or decrypt data files and messages and to sign documents digitally.
Anti-Virus Program: software designed to detect, and potentially eliminate, viruses before they have had a chance to wreak havoc within the system, as well as repair or quarantine files which have already been infected by virus activity.
Applet: any miniature application transported over the internet, especially as an enhancement to a web page. Authors often embed applets within the HTML page as a foreign program type. Java applets are usually only allowed to access certain areas of the user's system; computer programmers often refer to this area as the sandbox.
Application / Business Application: a collection of computer hardware, computer programs, databases, procedures and knowledge workers that work together to perform a related group of services or business processes.
Architecture: in the context of IT systems, as opposed to buildings, "architecture" describes the approach to designing and constructing systems, networks, applications or even information storage. A variety of formal methodologies are available to support information architecture development, and others exist to help develop security architecture.
Application Architecture: a graphical representation of a system showing the process, data, hardware, software and communications components of the system.
Audit Logs: include all types of event logs, including (but not limited to) security, audit, application, access and network logs across all operating system platforms. Failing to produce an audit log means that the activities on the system are 'lost'.
Authentication: a security measure designed to verify the identity of a transmission, user, user device, entity, or data. For example, a user name and password authenticates a user.
Availability: assurance that the systems responsible for delivering, storing and processing information, and the information itself, are accessible and usable when needed, by those who need them, to support business functions. A goal of information security is to ensure availability.
Back Door: a back door is a feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk.
Bandwidth: commonly used to mean the capacity of a communication channel to pass data through the channel in a given amount of time.
Blog: a web site where users regularly post up-to-date journal entries of their thoughts on any subject they choose. It is readable by anyone on the web.
Botnet: a collection of compromised computers that, although their owners are unaware of it, have been set up for malicious purposes such as sending spam or viruses to other computers on the Internet, or flooding a network with denial of service attacks. Any such computer is referred to as a zombie – in effect, a computer “robot” or “bot” that serves the wishes of a master Spam or virus originator. Botnets are often installed because the user responds to a fraudulent request received via e-mail, or opens an e-mail attachment.
Browser Hijacker: a type of spyware that allows the hacker to spy on the infected PC’s browsing activity, to deliver pop-up ads, to reset the browser homepage, and to redirect the browser to other unexpected sites.
Business Continuity Plan (BCP): the procedures and information necessary for the timely recovery of essential services, programs and operations, within a predefined timeframe. The BCP includes the recovery following an emergency or a disaster that interrupts an operation or affects service or program delivery.
CAPTCHA: a security technique that ensures that a human has made the transaction online rather than a computer. It is also known as "Automated Turing Tests" and was originally developed at Carnegie Mellon University. Random words or letters are displayed in a distorted fashion so that they can be deciphered by people, but not by software. This usually involves the use of graphic images of characters and numbers. Users are asked to type in what they see on screen to verify human involvement.
Card Skimmers: a means of electronically capturing information from credit or debit card readers, such as ATMs (automated teller machines) or other payment devices.
CISSP: stands for the highly specialized information security certification: Certified Information Systems Security Professional. This level of professional recognition or certification is offered by the International Information Systems Security Certification Consortium, Inc. and attests that an individual possesses a high level of skills and knowledge. The certification is recognized worldwide.
Clickjacking: also called clickjack or clickjack attack, a vulnerability that is used by an attacker to "collect" an infected user's clicks. The attacker can force the user to do all sorts of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might host malicious code.
Cloud Computing: a term used in multiple different ways to describe the process of outsourcing computing to an external provider, normally one that offers massive shared online hosting facilities. Originally used to describe a grid-computing-style approach, it is now used to describe such technologies as virtual hosting, shared hosting, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or even simply "the Internet". From an Information Security perspective, many of these approaches introduce challenging security issues (e.g. data separation and governance).
Compliance: the act or process of complying with policies, procedures, standards or mandatory controls or requirements.
Confidentiality, Integrity and Availability (CIA): a central goal of information security is to preserve the confidentiality, integrity and availability of an organisation's information. Loss of one or more of these attributes can threaten the continued existence of even the largest corporate entities.
Confidentiality: assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. The classification of the information should determine its confidentiality and hence the appropriate safeguards.
Configuration Management: an information security concept that relates to establishing and maintaining the settings and characteristics associated with the hardware and software of an information system. Foreknowledge, maintenance and monitoring of a system's settings as a baseline is a fundamental information assurance concept. Any deviation from the known settings, unless properly authorized, is a potential security breach.
Credentials: for a BC government employee, credentials are their IDIR account - an abbreviation of their name, which in combination with their password provides a secure single sign-on that is unique to that individual.
Crimeware: malicious software that is covertly installed on computers and has the ability to ‘steal’ confidential information and send it back to cyber criminals. One form of crimeware is ransomware, which is software that denies access to a person’s files until they pay a ransom.
Cryptographic Keys: a piece of information that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation of data into encrypted data and the transformation of encrypted data into data during decryption. The cryptographic algorithm ensures that only someone with knowledge of the key can reproduce or reverse the transformation of data.
Cryptography: the discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification, or prevent its unauthorized use.
Cyber Attack: a technical attack against the Confidentiality, Integrity or Availability of systems, networks or telecommunications, usually for illegal purposes such as theft, espionage or destructive motives.
Cyber Crime: criminal activity taking place through exploitation of electronic mechanisms. A lucrative worldwide illegal business operating in "the Underground Economy", it is no longer solely a hobby for individual hackers seeking new computer challenges. The threats posed by cyber criminals apply to work and home computers, and increasingly to mobile devices.
Cyber Security: information security, with a particular focus on interconnection and integration with untrusted internetworked systems.
Cyberwarfare: a general term describing ongoing offensive and defensive activity in the electronic realm of the Internet.
Data-Driven Attack: this form of attack takes place when malicious data is embedded in what appears to be a normal stream of data. When executed or otherwise processed, the malicious data causes unforeseen and often damaging events. An example might be maliciously-crafted PDF documents exploiting flaws in the Acrobat Reader causing arbitrary code to be executed on the user's machine.
Data Loss: the unauthorized use and/or transmission of confidential information. It typically refers to information leaving the control of the owning organization, for example on portable devices or via email.
Data Loss Prevention (DLP): processes or automated systems designed to stop data loss.
Defense In-Depth: the approach of using multiple layers of security to guard against failure of a single security component.
Denial of Service (DoS): the prevention of authorized access to a system resource or the delaying of system operations and functions. An overwhelming number of requests for service is sent to the target computer or device; so many requests are sent that the device is unable to respond in a timely manner, and the function the server is supposed to perform is nullified. Physical harm to systems and people can result from the denial of a needed service.
Distributed Denial-of-Service (DDoS) Attack: one of the most harmful attacks that can be launched against an information infrastructure. The anatomy of a DDoS assault begins with the enlistment of a large number of computers (i.e. zombies, bot armies, etc.) that have been co-opted by hackers or organized crime. Hundreds of thousands of computers can be directed against a particular computer network target. The intended target is simply overwhelmed and unable to respond to legitimate requests for service. The network or information resource is made unavailable by the sheer force of traffic.
Domain Name: an address of a network connection that identifies the owner of that address, e.g., www.microsoft.com identifies a Web server at Microsoft Corporation, which is a commercial organization.
Domain Name System (DNS): the domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses.
DTS (Desktop Terminal Service): remote access, for example, BC government employees with a DTS account can access their work files online from another location (such as their home).
Dumpster Diving: obtaining personal or corporate information, account names and passwords by searching through discarded media. It includes searching for and removing items from waste receptacles or recycling containers, such as bank statements, credit card offers, or any other items deemed of value by the 'diver'.
Encryption - Data Encryption Standard (DES): a widely-used method of data encryption using a private (secret) key. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key. Encryption is the cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used.
End User License Agreement (EULA): a legally binding contract between the developer or publisher of a software program or application and the purchaser of that software. Unlike the purchase of goods or services, the EULA is, as its name implies, a license agreement. In other words, the purchaser does not own the software; they merely have a right to use it in accordance with the license agreement. During the installation of packaged software, the purchaser is shown the contents of the EULA and is often required to scroll down through it; at the bottom, one may Accept or Refuse the terms of the EULA. By enforcing the need to scroll through the EULA, a user would be unlikely to succeed in any action to deny acceptance of its terms.
Exploit kit: a toolkit that automates the exploitation of vulnerable devices through vulnerabilities in the operating system, browser or program. These toolkits are often sold in the cyber criminal underground to those without significant cyber knowledge who can then operate as hackers.
Federated Identity: a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft. Federated identity management builds on a trust relationship established between an organization and a person.
File Sharing Software: software programs that allow users to share music and/or videos.
Firewall: hardware or software that prevents unauthorized access to data or resources while enabling the protected network to access networks outside of the firewall, and logs attempted intrusions.
Forensics: a process that concentrates on gathering evidence in a systematic manner and establishing the attribution of a security incident. When applied to information technology, the process is deliberate, well-ordered and precise. The same applies to any crime scene in which electronic devices, media and information are stored. Log files pertaining to data packets that have travelled into and through computers and networks are examined, IP addresses are studied and data integrity is checked. The evidence that is gathered and stabilized can be used to prosecute individuals who attacked the system. Establishing a profile of the damage or breach that has occurred is essential.
Gateway: a network point that acts as an entrance to another network.
Hacker: a person who creates and modifies computer software and hardware, including computer programming, administration, and security-related items. A truly skilled hacker can penetrate the security defences of large, sophisticated computer systems to the core, and withdraw again, without leaving a trace of the activity. White Hat hackers perform hacking for legitimate reasons, e.g., IT security technicians and researchers testing their systems and the limits of systems. Black Hat hackers are those who perform clandestine hacking for malicious reasons.
Hacktivism: some groups of computer hackers are not motivated by financial gain and instead are driven by economic, political, or religious interests that generally go beyond their nation’s borders. Their actions are called hacktivism, which is a merger of hacker and political activism. Hacktivists infiltrate networks and put their talents to work for their beliefs by organizing computer attacks, including piracy, hijacking servers, and replacing homepages with ideological messages.
Hardware: includes (but is not limited to) servers, desktop computers, printers, scanners, fax machines, photocopiers, multi-function devices, routers, communications and mobile equipment, cell phones, mobile devices and removable media.
Hijacking: describes several kinds of attacks where the attacker takes control of the session between a browser and a web server. A browser hijack often shows up when someone’s home page, the page they see when they open their browser, is not the one that they configured. A web page hijack is where the attacker manages to redirect the traffic from search engines. When someone does a search and clicks on a search result of interest, instead of reaching the legitimate site, they will reach the attacker’s web page.
Hoax: hoaxes transmitted via the Internet are not viruses but are often emails warning people about a virus or other malicious software program. These emails are successful because they are very manipulative and prey upon the trusting emotions of the victims. They can contain stories that are dramatic in impact and demand that the reader forward the email to many others. Some hoaxes cause as much trouble as viruses by causing massive amounts of unnecessary email.
Honey Pot: programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you are running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes, which could give advanced warning of a more concerted attack.
Identity Management (IDIM) or Identity and Access Management (IAM): identity and access management refers to all of the policies, processes, procedures and applications that help an organization manage access to information. Large organizations need to tie risk analysis and policy development to sophisticated applications that can help them empower employees, investors, customers, partners and many others. Specific concepts, standards and applications that help with identity and access management include authentication, user life-cycle maintenance, federated identity, single sign-on, provisioning and role based access control.
Identity Theft / Identity Fraud: identity theft is fraud. It occurs when someone else uses your personal information without your knowledge or consent to commit a crime. The fraud may involve using your credit card for a few transactions, selling your information in the underground economy, or actually setting up a separate identity that can involve taking out loans, buying homes, buying goods and services or travelling over a period of time, in your name and without your knowledge.
Inappropriate Use of Resources: any activity that violates acceptable computing use policies.
Information Classification Label: a designation indicating the information classification, e.g., “Public”, “Standard”, “High”. An information security classification system is one of the critical components of good information security practices, because it assists everyone involved in determining the value and sensitivity of information as well as the protective measures to be applied. Security categories for information are based on the impact to the business mission from loss of information confidentiality, integrity or availability.
Information Incident: a single event or a series of unwanted or unexpected events that threaten privacy or information security. Information incidents include the collection, use, disclosure, access, disposal, or storage of information, whether accidental or deliberate, that is not authorized by the business owner of that information. Information incidents also include privacy breaches, whether accidental or deliberate, that are not authorized under the Freedom of Information and Protection of Privacy Act.
Information Incident Management Process: documentation of the structure, roles and responsibilities, process and procedures aimed to minimize the impact of an information incident, including reporting procedures and any required forms.
Information Management (IM): the function of managing information as an enterprise resource, including planning, organizing and staffing, and leading, directing and controlling information. This includes managing data as enterprise knowledge, managing technology as the enterprise technical infrastructure, and managing applications across business needs.
Information Security: involves protecting information, software, and equipment from problems relating to disclosure, modification, interruption and disposal. With the information itself, requirements for privacy, confidentiality, integrity and availability must also be addressed.
Information Security Architecture: a strategy that consists of layers of policy, standards and procedures and the way they are linked to create an environment in which security controls can be easily established.
Instant Messaging (IM) or Text Messaging: instant messaging rivals e-mail as the most popular form of online communication. IM allows users to relay messages to each other in real time for a "conversation" between two or more people. IM is also becoming the quickest new threat to network security. Because many IM systems have been slow to add security features, hackers have found IM a useful means of spreading viruses, spyware, phishing scams, and a wide variety of worms. Typically, these threats have infiltrated systems through attachments or contaminated messages.
Integrity: the characteristic of information being authentic, accurate and complete and the preservation of accuracy and completeness by protecting the information from unauthorized, unanticipated, or unintentional modification. The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon.
Intellectual Property: refers to the category of intangible (non-physical) property consisting primarily of rights related to copyrighted materials, trademarks, patents and industrial design.
International Organization for Standardization (ISO): a group of standards bodies from approximately 130 countries whose aim is to establish, promote and manage standards to facilitate the international exchange of goods and services. (The term 'ISO' is not an acronym of the organization's name, which would give 'IOS'; it is a word derived from the Greek 'isos', meaning 'equal', which is the root of the prefix 'iso-'.) The BC government's Information Security Policy is based on ISO 27002:2005.
Intrusion Detection System (IDS): a security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). It provides the capability to review larger quantities of data, and generate reports and automated alerts as required.
Intrusion Prevention System: an automated system similar to an Intrusion Detection System but with the capability to react in real-time to block or prevent malicious or unwanted activity.
Keylogger: a hardware device or small program, sometimes called a keystroke logger or system monitor, that monitors each keystroke a user types on a specific computer keyboard (or an ATM or Interac/debit keypad), records everything that is typed (including passwords) and passes that information to outsiders (usually using Bluetooth or similar technology).
Macro: a series of instructions designed to simplify repetitive tasks within a program such as Microsoft Word, Excel, or Access. Macros execute when a user opens the associated file. Macros are mini-programs and can be infected by viruses.
Malicious Code or Malware: software designed, employed, distributed, or activated with the intention of compromising the performance or security of information systems and computers, increasing access to those systems, disclosing unauthorized information, corrupting information, denying service, or stealing resources, without the informed consent of the computer user. It is also referred to as "malware" and includes computer viruses, worms, Trojan horses, rootkits, spyware, dishonest adware, and other unwanted software.
Mobile Code: multiplatform computer code that can be downloaded or transmitted across a network that runs automatically on a computer with little or no user interaction.
Mobile Devices: portable self-contained electronic devices, including portable computers (e.g., laptops and tablets), personal digital assistants (PDAs), smartphones, cell phones, and digital cameras.
Mobile Device Management: a plan for enforcing policies and maintaining the desired level of IT control across multiple platforms (e.g., BlackBerry, Apple, Android) for a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets.
Multi-Factor Authentication: this combines authentication techniques together to form a stronger or more reliable level of authentication. This usually includes combining two or more of the following types: Secret - something the person knows, Token - something the person has, and Biometric - something the person is.
Non-repudiation: assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
Password or Passcode (or PIN): a password or its numerical form, sometimes called a passcode or PIN, is one of the simplest authentication methods. It is usually used with an identifier (account number or user name), as a shared secret between the person who wants access and the system that’s protected.
Patch: a small piece of software designed to fix problems with or update computer programs. The patch is an actual piece of object code that is inserted into (patched into) an executable program.
Payment Card Industry (PCI) Data Security Standard (DSS): an industry regulation developed by VISA, MasterCard and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain levelled requirements for testing and reporting. MasterCard markets the program as its Site Data Protection (SDP) Program and VISA markets it as its Cardholder Information Security Program (CISP). The Standards rely on the merchant banks to enforce them, and they may do so with penalties for non-compliance and for disclosures caused by non-compliance.
Peer-to-peer (P2P): P2P technology allows two computers on a network, typically called nodes, to communicate directly with each other without going through a centralized server. This is how malicious code and files can so easily be spread via P2P; they avoid going through the server that does the scan for the malicious code.
Penetration: gaining unauthorized logical access to sensitive data by circumventing a system's protections. Penetration Testing is used to test the external perimeter security of a network or facility.
Personal Information: any information that can personally identify you, such as your name, address, phone numbers, your schedule, Social Insurance Number, bank account number, credit card account numbers, family members’ names or friends’ names.
Pharming: a practice in which malicious code, such as a virus or other form of malware, redirects users from a legitimate website to a fraudulent one without their knowledge.
Phishing: a digital form of social engineering that uses authentic-looking, but fake, emails to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication and urging users to click on a link or open an attachment. These actions can result in downloading malware as well as identity theft.
Physical security: the application of control procedures as measures to prevent or deter attackers from accessing a facility, resource, or information. It can include items such as physical barriers to gaining access, electronic security and alarm systems, video monitoring, staffed security or other response.
Portable Storage Devices: compact devices with storage capacity that can be attached to a computer and temporarily or permanently store data in an electronic format. Laptops and notebook computers, tablets and smartphones, removable hard drives, USB storage devices (flash drives, jump drives, memory sticks, memory cards, thumb drives), MP3 players, CDs, DVDs, tapes and diskettes are all portable storage devices.
Privacy: the practice of protecting our personal information, or that of our customers, from being accessed or given away, either by accident or through direct theft, to parties not authorized to view this information.
Privacy Impact Assessment (PIA): an assessment that is conducted to determine if a new enactment, system, project or program meets the requirement of Part 3 of the Freedom of Information and Protection of Privacy Act.
Privileged Users: users with permissions to alter access rights and structures of information systems. This includes (but is not limited to) system administrators, network administrators, database administrators, security administrators, web site administrators, system operators and network operators.
Proxy Server: a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
Public-Key Infrastructure (PKI): the infrastructure needed to support asymmetric cryptography. At a minimum, this includes the structure and services needed to register and verify identities, build and store credentials, certify the credentials (issue digital certificates), disseminate the public key, and secure the private key while still making it available for use. A PKI enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates.
QR (Quick Response) Code: a QR code is a type of two-dimensional (2D) barcode that can be read using a QR barcode reader or camera-enabled smartphone. It looks like a square with blotches inside and appears on posters, marketing materials and websites. QR Codes are a popular marketing tool because the barcode can store phone numbers, addresses, URLs and other details.
Radio Frequency Identification (RFID): uses radio waves to uniquely identify objects or tags, which can be active (containing a power source) or passive (simply reflecting a signal using the energy of the RFID reader). Passive tags may be so small that they are hard to see. They are used in inventory control to uniquely identify each unit and can be read through most types of packaging. The fact that RFID can be so easily read at some distance, up to 30 feet for passive devices and much longer for active ones, has raised issues about privacy. RFID tags are also inserted under the skin to identify pets and link them to their medical records.
Remote Access: the act of using a remote access service to connect to the government network or government systems. It provides an effective way for mobile workers, telecommuters and non-government users on external networks to access the shared B.C. provincial government network (SPAN/BC). Access can be from a remote location or facility, or from within a local site but external to the particular resource accessed.
Risk: the potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets. Risk is the product of the level of threat with the level of vulnerability. It establishes the likelihood of a successful attack.
Root Directory: in a computer's filing system on the hard disk, the root directory is the directory (or folder) from which all other directories will be created.
Rootkit: a collection of tools (programs) that enables administrator-level access to a computer or computer network, and that controls or attacks the system or gathers your information; Trojan horse software of this kind may capture passwords and message traffic to and from a computer. Rootkits are used by a hacker to mask intrusion and obtain administrator-level access to a computer or computer network. They often run silently on computer systems and are generally not detected by anti-virus or anti-spyware software.
SCADA: an acronym that stands for “Supervisory Control and Data Acquisition”. The protocols were mainly established to work with computers in industrial settings. The purpose of the system is to control processes such as the regulation of pumps, manufacturing equipment and other real-time sensors (e.g. on pipelines and temperature controls). Prior to the advent of the Internet this control structure was relatively safe. Today, however, the assurance data is less reliable and the communication between the computer and the process is carried over the Internet.
Security Awareness: the extent to which every member of an organization understands security and the levels of security appropriate to the organization, the importance of security and consequences of a lack of security, and their individual responsibilities regarding security. Includes a clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security-aware organizational culture.
Security Infrastructure: the complete set of information security-related systems, policies, standards, guidelines, procedures, resources and physical implementations of information security administration.
Security Policy: a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources - a senior leadership directive that indicates the direction or intent of its established goals and assigns responsibilities for addressing security risks to an organization. The B.C. government has adopted the Information Security Policy, which undergoes a regular review.
Security Threat and Risk Assessment (STRA): a component of a risk analysis specifically aimed at identifying security exposures, and the potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Segregation of Duties: a method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorise processing; and systems development staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in different areas, but is a deterrent. In addition, the segregation of duties provides a safeguard to the staff and contractors against the possibility of unintentional damage through accident or incompetence - 'what they are not able to do (on the system) they cannot be blamed for'.
Service Oriented Architecture (SOA): is a design or a plan that describes a theoretical software system. This architecture describes services that are discrete, re-useable and independent of the programming or networking environment where they are used. These services have simple interfaces and since they are tools-independent, can be used by many different service consumers.
Shoulder Surfing: the act of looking over a user's shoulder as they enter a password; this is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers, public Internet cafés, or Wi-Fi access areas - it is used wherever passwords, PINs, or other ID codes are entered. Shoulder surfing has also been used just to see if any information of interest can be obtained.
Social Engineering: is the practice of obtaining information or access by tricking legitimate innocent users. Social engineers use shoulder-surfing, in person conversation, telephone calls, email or text messages to obtain personal sensitive details, exploiting the natural tendency of a person to trust others. Generally, it is easier to take advantage of a person in this way, rather than trying to exploit computer security vulnerabilities.
Source Code: the actual program - as written by the programmer - which is compiled into machine code (object code) which the computer can understand. Source code is the intellectual property of the developer(s) and for many years commercial source code was never released to users, only licensed for use. Possession of Source Code is essential if an organisation is to maintain and/or modify the software without being reliant upon the original developer.
Spam: spam emails represent the vast majority of emails sent world-wide on any given day. Internet hoax emails are spam, as are mass marketing emails trying to sell goods at great prices that are counterfeit (e.g., prescription drugs without a prescription, designer goods such as purses, shoes and jewellery, and even anti-virus software and college diplomas). Spam emails almost always contain offers that are “too good to be true”, which should serve as a warning in itself.
Spoofing: impersonating another person or computer, usually by providing a false email name, URL, domain name server, or IP address. Attackers will change information in an e-mail header or in packets of information being sent over the Internet to make it look like the information came from another source. One of the more common methods used to get a person to open a mail message containing a virus or Trojan is to spoof the address that appears in the "from" field. Spoofing can also be done with phone numbers, caller identification (ID), and text numbers, using free technology available on the Internet.
Spyware: on the Internet, spyware is programming that is put into a person’s computer to secretly gather information about the user (such as what sites are visited) and relay it to advertisers or other interested parties. Spyware can be installed in a computer as a software virus or as the result of installing a new program on the computer.
SQL Injection: an input validation attack specific to database-driven applications, in which SQL code is inserted into application queries to manipulate the database.
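As an added illustration of the definition above (example code written for this glossary, not code from the original page or any product it names): the vulnerable login below builds its query by string concatenation, so a crafted password value becomes part of the SQL and bypasses the password check; the hardened version passes the same input as a bound parameter, so the database treats it purely as data. The table and the accounts are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the glossary)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Defective: user input is spliced into the SQL text itself."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: a parameterized query keeps input out of the SQL grammar."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both logins with a correct password and with a tautology in the
    password field; only the concatenated query is fooled by the latter."""
    conn = make_db()
    injected = "' OR '1'='1"  # constructed input that is SQL, not a password
    return {
        "vuln_good": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "alice", injected),
        "safe_good": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, "alice", injected),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

The concatenated query ends up as `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable function returns a role without a valid password; the parameterized query compares the literal string and returns nothing. Parameter binding, not input filtering, is the control that closes this class of defect.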
SSL (Secure Sockets Layer): a standard, developed by Netscape Communications, for encrypting information and transmitting it over the Internet more securely. A secure site URL appears as https:, and the web page often has a small yellow lock symbol in the bottom bar.
SSL-VPN: although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and that it authenticates at least one of the parties, also makes it a Virtual Private Network (VPN).
Standards of Conduct: employees will exhibit the highest standards of conduct - their conduct must instill confidence and trust and not bring the BC Public Service into disrepute. The honesty and integrity of the BC Public Service demands the impartiality of employees in the conduct of their duties. The requirement to comply with these Standards of Conduct is a condition of employment.
Steganography: methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. An example of a steganographic method is "invisible" ink.
Threat Vector: the method a threat uses to get to the target.
Trojan Horse: a non-replicating program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do damage by installing a “backdoor”, allowing outsiders to access and control your computer. Some Trojan horses replace existing files with malicious versions, while others add another application to a computing device without overwriting existing files. They can be difficult to detect as they often appear to be providing a beneficial purpose.
Unauthorized Access: category of incident where an individual gains logical or physical access without permission to a network, system, application, data, or other resource.
User Identifier: is the unique personal identifier that is authorized to access the government's computer and information systems. Your IDIR account is your government User IDentifier which in combination with your password provides a secure single sign-on that is unique to you. It is essential that you protect your IDIR/password combination.
Virus: self-replicating, malicious code that attaches itself to an application program or other executable system component and distributes the copies of itself to other files, programs, or computing devices, but leaves no obvious signs of its presence. Viruses insert themselves into host programs and spread when the infected program is executed (e.g., opening a file, running a program, or clicking on a file attachment).
VOIP Security (Voice Over Internet Protocol): voice communications can be transmitted as data over the Internet in packets. A completely different set of infrastructure components are utilized than with traditional verbal communications. Many of the same challenges exist with the security of audio communications on the Internet as those that exist with the web and computer networks.
VPN (Virtual Private Network): the use of a public network - usually the Internet - to connect securely to a private network, such as a company's network. Companies and organizations use a VPN to communicate confidentially over a public network and to send voice, video or data. It is also an excellent option for remote workers and for organizations with global offices and partners to share data in a private manner.
Vulnerability: a flaw or weakness in a process, design, implementation, control, system, or organization that could be triggered or intentionally exploited, resulting in a security incident or breach.
Wireless Local Area Network (LAN): a Local Area Network that uses wireless transmission media.
Worm: a computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. Worms waste system and network resources and may damage systems by performing malicious acts such as installing backdoors and performing DoS attacks.
Zero Day: the zero-day attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.
Zombies: a zombie computer (often shortened to zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a Trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.