ACL (access control list): A method of keeping in check the internet traffic that attempts to flow through a given hub, router, firewall, or similar device. Access control is often accomplished by creating a list specifying the IP addresses and/or ports from which permitted traffic can come. The device stops any traffic coming from IP addresses or ports not on the ACL.
Address space probe: An intrusion technique in which a hacker sequentially scans IP addresses, generally as the information-gathering prelude to an attack. These probes are usually attempts to map IP address space as the hacker looks for security holes that might be exploited to compromise system security.
Agent: A computer program that reports information to another computer or allows another computer access to the local system. Agents can be used for good or evil. Many security programs have agent components that report security information back to a central reporting platform. However, agents can also be remotely controlled programs hackers use to access machines.
AH (authentication header): An IPsec header used to verify that the contents of a packet have not been modified while the packet was in transit.
Alias: A shortcut that enables a user to identify a group of hosts, networks, or users under one name. Aliases are used to speed user authentication and service configuration. For example, in configuring a firewall, a user can set up the alias “Law School” to include the IP addresses of every network user in a university’s law school.
Auto-partitioning: A feature on some network devices that isolates a node within the workgroup when the node becomes disabled, so as not to affect the entire network or group.
Backdoor: A design fault, planned or accidental, that allows the apparent strength of the design to be easily avoided by those who know the trick.
Block cipher: A procedure that translates plain text into coded text, operating on blocks of plain text of a fixed size (usually 64 bits). Every block is padded out to be the same size, making the encrypted message harder to guess.
Blocked port: A security measure in which a specific port is disabled, stopping users outside the firewall from gaining access to the network through that port. The ports commonly blocked by network administrators are the ports most commonly used in attacks.
Botnet: A collection of computers that are infected with small bits of code (bots) that allow a remote computer to control some or all of the functions of the infected machines. The botmaster who controls the infected computers has the ability to manipulate them individually, or collectively as bot armies that act in concert. Botnets are typically used for disreputable purposes, such as Denial of Service attacks, click fraud, and spam.
Certificate: An electronic document attached to someone’s public key by a trusted third party, which attests that the public key belongs to a legitimate owner and has not been compromised. Certificates are intended to help you verify that a file or message actually comes from the entity it claims to come from.
Certificate authority (CA): A trusted third party (TTP) who verifies the identity of a person or entity, then issues digital certificates vouching that various attributes have a valid association with that entity.
CHAP (Challenge Handshake Authentication Protocol): A type of authentication where the person logging in uses secret information and some special mathematical operations to come up with a number value. The server he or she is logging into knows the same secret value and performs the same mathematical operations. If the results match, the person is authorized to access the server. One of the numbers in the mathematical operation is changed after every login, to protect against an intruder secretly copying a valid authentication session and replaying it later to log in.
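The challenge-response exchange described above, as an added example that is not part of this glossary: both sides compute the RFC 1994 response from a shared secret, and a captured response replayed later fails because the server issues a fresh challenge for every attempt. The secret value and the class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Added example, not part of the glossary: a minimal CHAP exchange after
# RFC 1994, where Response = MD5(Identifier || Secret || Challenge).
SECRET = b"constructed-shared-secret"  # constructed sample value

def chap_response(identifier, secret, challenge):
    # The one-way computation both the peer and the server perform.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    # Authenticator side: issues a fresh random challenge for every attempt.
    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.pending = None  # (identifier, challenge) of the open attempt
    def challenge(self):
        self.identifier = (self.identifier + 1) % 256  # one-octet field
        chal = os.urandom(16)
        self.pending = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier, response):
        if self.pending is None or self.pending[0] != identifier:
            return False
        expected = chap_response(identifier, self.secret, self.pending[1])
        self.pending = None  # a challenge is good for one response only
        return hmac.compare_digest(expected, response)

class ChapPeer:
    # Client side: knows the secret but never sends it over the wire.
    def __init__(self, secret):
        self.secret = secret
    def respond(self, identifier, challenge):
        return chap_response(identifier, self.secret, challenge)

def login(server, peer):
    ident, chal = server.challenge()
    return server.verify(ident, peer.respond(ident, chal))

def replay_is_rejected(server, peer):
    # Record one valid exchange, then replay it against a later challenge.
    ident, chal = server.challenge()
    captured = peer.respond(ident, chal)
    first = server.verify(ident, captured)   # genuine login succeeds
    server.challenge()                        # next attempt gets a new challenge
    return first and not server.verify(ident, captured)
```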
Cross-site scripting (XSS): An attack performed through web browsers, taking advantage of poorly written web applications. Cross-site scripting attacks can take many forms. One common form is for an attacker to trick a user into clicking on a specially crafted, malicious hyperlink. The link appears to lead to an innocent site, but the site is actually the attacker’s and includes embedded scripts. What the script does is up to the attacker; commonly, it collects data the victim might enter, such as a credit card number or password. The malicious link itself might also collect the victim’s cookie data.
CVE-compatible: Common Vulnerabilities and Exposures (CVE) is a list of standardized names for vulnerabilities and other information security exposures, whose aim is to standardize the names for all publicly known vulnerabilities and security exposures. “CVE-compatible” means that a tool, web site, database, or service uses CVE names in a way that allows it to cross-link with other repositories that use CVE names.
DES (Data Encryption Standard): A commonly used encryption algorithm that encrypts data using a key of 56 bits, which is considered fairly weak given the speed and power of modern computers.
Dictionary attack: An attempt to guess a password by systematically trying every word in a dictionary as the password. This attack is usually automated, using a dictionary of the hacker’s choosing, which might include ordinary words as well as jargon, names, and slang.
DMZ (Demilitarized Zone): A partially protected zone on a network, not exposed to the full fury of the internet, but not fully behind the firewall. This technique is typically used on parts of the network that must remain open to the public (such as a web server) but must also access trusted resources (such as a database). The point is to allow the inside firewall component, guarding the trusted resources, to make certain assumptions about the impossibility of outsiders forging DMZ addresses.
DNS spoofing: An attack technique where a hacker intercepts your system’s requests to a DNS server in order to issue false responses as though they came from the real DNS server. Using this technique, an attacker can convince your system that an existing web page does not exist, or respond to requests that should lead to a legitimate web site, with the IP address of a malicious web site.
Domain name hijacking: An attack technique where the attacker takes over a domain by first blocking access to the victim domain’s DNS server, then putting up a malicious server in its place.
Failover: A configuration that allows a secondary machine to take over in the event of a stoppage in the first machine, thus allowing normal use to return or continue.
Fail-shut mode: A condition in which a firewall blocks all incoming and outgoing network traffic in the event of a firewall failure. This is the opposite of fail-open mode, in which a firewall crash opens all traffic in both directions.
IP spoofing: The act of inserting a false (but ordinary-seeming) sender IP address into the “From” field of an internet transmission’s header in order to hide the actual origin of the transmission. There are few, if any, legitimate reasons to perform IP spoofing; the technique is usually one aspect of an attack.
Packet filtering: Controlling access to a network by analyzing the headers of incoming and outgoing packets, and letting them pass or halting them based on rules created by a network administrator. A packet filter allows or denies packets depending on where they are going, from whom they are sent, or what port they use. Packet filtering is one technique, among many, for implementing security firewalls.
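An added example (not from this glossary) that ties the ACL and packet-filtering entries together: a first-match filter applies constructed ACL rules to the protocol, source address, and destination port of each packet, falls through to a default deny, and shows that the order of the rules is part of the policy. The rule set, sample packets, and function names are all constructed for the illustration.

```python
import ipaddress

# Added example, not part of the glossary: a first-match packet filter that
# evaluates ACL rules against packet header fields. The rule set and the
# packets below are constructed samples; a packet matching no rule falls
# through to the default action, so anything not explicitly permitted is dropped.
DEFAULT_ACTION = "deny"

RULES = [
    # (action, protocol, permitted source network, destination port or None)
    ("deny",  "tcp", "203.0.113.0/24", None),  # block an abusive source range
    ("allow", "tcp", "0.0.0.0/0",      443),   # public HTTPS from anywhere
    ("allow", "tcp", "192.0.2.0/24",   22),    # SSH only from the admin LAN
    ("allow", "udp", "0.0.0.0/0",      53),    # DNS queries
]

def compile_rules(rules):
    # Parse network strings once so matching is cheap per packet.
    return [(act, proto, ipaddress.ip_network(net), port)
            for act, proto, net, port in rules]

def filter_packet(rules, proto, src_ip, dst_port):
    # First matching rule wins; rule order is part of the policy.
    src = ipaddress.ip_address(src_ip)
    for action, rproto, net, port in rules:
        if rproto == proto and src in net and port in (None, dst_port):
            return action
    return DEFAULT_ACTION

# constructed sample packets: (protocol, source IP, destination port)
PACKETS = [
    ("tcp", "198.51.100.7", 443),  # internet user to HTTPS -> allow
    ("tcp", "203.0.113.9",  443),  # blocked range, even to HTTPS -> deny
    ("tcp", "198.51.100.7", 22),   # SSH from outside the admin LAN -> deny
    ("tcp", "192.0.2.20",   22),   # SSH from the admin LAN -> allow
    ("udp", "198.51.100.7", 123),  # no rule for NTP -> default deny
]

def decisions(rules, packets):
    compiled = compile_rules(rules)
    return [filter_packet(compiled, *pkt) for pkt in packets]

def ordering_matters(packets):
    # Swapping the first two rules lets the blocked range reach HTTPS:
    # the broad allow now matches before the deny is ever consulted.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    return decisions(RULES, packets) != decisions(swapped, packets)
```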
PKI (Public Key Infrastructure): A system of digital certificates, Certificate Authorities, and other registration authorities that verify the validity of each party involved in an internet transaction. The intent is to establish a trusted relationship between the parties. PKI is necessary and foundational for certificate-based Virtual Private Networks.
Probe: A type of hacking attempt characterized by repetitious, sequential access attempts. For example, a hacker might try to probe a series of ports in search of one that is open, or one might probe a range of IP addresses in search of a responsive computer.
Public key cryptography: Cryptography in which a public and private key pair is used, encrypting the data at the sender’s end and decrypting it at the receiver’s end. Because the data are encrypted while they travel the public internet, no additional security is needed—the data can safely use public networks without loss of confidentiality.
Session hijacking: An intrusion technique whereby a hacker sends a command to an already existing connection between two machines, in order to wrest control of the connection away from the machine that initiated it. The hacker’s goal is to gain access to a server while bypassing normal authentication measures.
Session key: The secret (symmetric) key used to encrypt each set of data on a transaction basis. A different session key is used for each communication session.
Social engineering attack: An attack that does not depend on technology as much as it depends upon tricking or persuading an individual to divulge privileged information to the attacker, usually unknowingly.
Spoofing: Altering data packets to falsely identify the originating computer. Spoofing is generally used when a hacker wants to make it difficult to trace where the attacks are coming from.
SSID (Service Set Identifier): A unique string, up to 32 characters, that serves as the name of a wireless local area network (WLAN). Because an SSID differentiates one network from another, multiple wireless networks can function even when their ranges overlap. In an open network, the access point broadcasts the SSID. You can configure your wireless access point (WAP) not to broadcast the SSID, so that users trying to join the network must already know the network name.
SSL (Secure Sockets Layer): A protocol for transmitting private documents over the internet, often used by eCommerce sites (among others). SSL works by using a private key to encrypt data transferred over an SSL connection.
Triple-DES (3DES): A cryptographic algorithm using three keys (rather than one or two). Triple DES is simply another mode of DES operation, where the DES algorithm is applied three times on the data to be encrypted, using a different key each time.
Tunnel: In Virtual Private Networks, an encrypted connection between sites. Only the originator and the receiver of the message see it in its clear state. Any hacker trying to intercept the message en route gets nothing but a scrambled mess. Because the path of a VPN message has “light” (clear text) at each end but “darkness” (obscurity) at all the between-points, it is called, metaphorically, a VPN tunnel.
WPA (Wi-Fi Protected Access): A data encryption specification for 802.11 wireless networks. Wireless networks rely on radio waves, which broadcast in all directions. Any device within range of a wireless access point could eavesdrop upon its transmissions. WPA encrypts wireless data so that an eavesdropper intercepts gibberish, while authorized endpoints receive clear, decrypted data. WPA replaces WEP, a weaker wireless encryption standard that attackers can readily break.