Glossary of Security Acronyms and Terminology

AAMVA
American Association of Motor Vehicle Administrators
Acceptable Risk
A concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls
Access Control
Procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices, or physical access to a controlled space.
Access Control Policy
The set of rules that define the conditions under which an access may take place
Access Level
The hierarchical security level used to identify the sensitivity of data and the clearance or authorization of users
Accountability
The security objective that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection, and after-action recovery and legal action.
ACL
Access Control List
ACLU
American Civil Liberties Union
AEA
Advanced Encryption Algorithm
AES
Advanced Encryption Standard
AFIS
Automated Fingerprint Identification System
AIS
Automated Information System
Algorithms
Complex mathematical formulae that are one component of encryption
Anonymizer
A gateway that keeps Web surfing anonymous and preserves privacy online when browsing the Web, sending e-mail, or posting to a newsgroup. By using the Anonymizer, any information and IP addresses that are collected will be false information. By hiding an IP address, one can eliminate the possibility of a DoS attack. See http://www.anonymizer.com.
ANSI
American National Standards Institute
Armored Virus
An armored virus tries to prevent analysts from examining its code. The virus may use methods to make tracing, disassembling, and reverse engineering its code more difficult.
APB
Advisory Policy Board
ASCII
American Standard Code for Information Interchange
Assurance
The grounds for confidence that an entity meets its security objectives
Audit
The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures and to recommend any indicated changes in controls, policy, or procedures
Audit Trail
A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to results
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system
Authorization
The granting or denying of access rights to a user, program, or process
Authorized
A system entity or actor is granted the right, permission, or capability to access a system resource. See Authorization.
Availability
Timely, reliable access to data and information services for authorized users; protection against intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service or data
Backdoor
A feature built into a program by its designer which allows the designer special privileges that are denied to the normal users of the program. A back door in an EXE or COM program, for instance, could enable the designer to access special set-up functions.
Backup
A duplicate copy of data made for archiving purposes or for protecting against data loss. A backup is considered secure only if it is stored away from the original.
BIA
Business Impact Analysis
Binary
A numbering system based on twos (2s) rather than tens (10s). Each element has a digit value of either one (1) or zero (0) and is known as a bit.
Biometrics
Biometrics is the science and technology of measuring and statistically analyzing biological data. In information technology, biometrics usually refers to automated technologies for authenticating and verifying human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements.
Bit
See Binary.
Brute Force Attack
An attack in which each possible key or password is attempted until the correct one is found
C&A
Certification and Accreditation
CA
Certification Authority—An authority that issues and manages security credentials for a PKI
CA Privacy Root Key
Cryptographic key known only to the CA. It is used to verify user or server certificate requests (digitally signed certificates).
CAPI
Cryptographic Application Programming Interface
Carnivore
The Internet surveillance system developed by the Federal Bureau of Investigation to monitor the electronic transmissions of criminal suspects
CCITSE
Common Criteria for Information Technology Security Evaluation
CDL
Commercial Driver License
CERT®/CC
CERT® Coordination Center
Certificate
In cryptography, an electronic document binding some pieces of information together, such as a user's identity and public key. Certifying Authorities (CAs) provide certificates.
Certificate Owner
The person that has access to use the certificate. This access could be protected by a password, a smart card, or other device.
CFR
Code of Federal Regulations
Chief Information Officer (CIO)
The highest-level person responsible for policy concerning information systems and telecommunications systems
CHRI
Criminal History Record Information
CIP
Critical Infrastructure Protection
Cipher
An alternative term for an encryption algorithm
Ciphertext
Encrypted data
CIR
Centralized Information Repository
CIS
Center for Internet Security
CJIS
Criminal Justice Information Services
CKMS
Centralized Key Management System
Compromise
To access or disclose information without authorization
Computer Emergency Response Team (CERT®)
(1) The people who are responsible for coordinating the response to computer security incidents in an organization. (2) CERT® is one of the main agencies for Internet security formed by the Defense Advanced Research Projects Agency (DARPA) in 1988 to aid the Internet community in responding to computer security events, raise awareness of computer security issues, and conduct research aimed at improving security systems. See http://www.cert.org for more information.
Computer Security Incident Response Capability (CSIRC)
A set of policies and procedures defining security incidents and governing the actions to be taken when they occur
Confidentiality
Assurance that information is not disclosed to unauthorized persons, processes, or devices. Confidentiality covers data in storage, during processing, and while in transit.
Contingency Plan
A plan maintained for emergency response, backup operations, and postdisaster recovery for an AIS, to ensure availability of critical resources and to facilitate the continuity of operations in an emergency
Cookies
Blocks of text placed in a file on a computer's hard disk. Web sites use cookies to identify users who revisit the site.
Countermeasure
Any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat
CPO
Chief Privacy Officer
Cracker
One who breaks security on an automated system
Critical Security Parameters (CSPs)
Security-related information (e.g., cryptographic keys, authentication data such as passwords and PINs) appearing in plaintext or an otherwise unprotected form and whose disclosure or modification can compromise the security of a cryptographic module or the security of the information protected by the module
CRL
Certificate Revocation List
CRT
Central Response Team
Cryptography
The art and science of using mathematics to secure information and create a high degree of trust in the electronic realm
CSA
Computer Security Act of 1987
CSD
Computer Security Division
CSS
Card Scanning Service
CSIRTs
Computer Security Incident Response Teams
CSMA/CD
Carrier Sense Multiple Access/Collision Detect
CSO
Central Security Officer
CSRC
Computer Security Resource Center
CTA
Control Terminal Agency
CTO
Control Terminal Officer
DAC
Discretionary Access Control
DAC
Data Authentication Code—also known as a Message Authentication Code (MAC) in ANSI standards
DBMS
Database Management System
Decryption
The process of changing ciphertext into plaintext
Denial-of-Service (DoS)
This is an indirect attack on a site. Hackers are not trying to get into the site itself, but they are trying to keep everyone else from getting into the site.
DES
Data Encryption Standard
Dictionary Attack
A password-cracking technique that uses words in a dictionary to crack passwords
DID
Distributed Intrusion Detection
Digital Fingerprint
A number that is unique to a digital certificate, used to verify if a signature is valid
Digital Signature
The result of a cryptographic transformation of data that, when properly implemented, provides the services of origin authentication, data integrity, and signer nonrepudiation
Digital Timestamp
A record mathematically linking a document to a time and a date
Distributed Denial-of-Service (DDoS) Attacks
Hackers launch attacks by using several smaller network connections, making the attacks harder to detect. DDoS can inundate the largest ISPs and consume all their bandwidth.
DMS
Defense Messaging System
DMZ
Demilitarized Zone, a network inserted as a "buffer zone" between a company's private, or trusted, network and the outside, nontrusted network
DSA
Digital Signature Algorithm—used by a signatory to generate a digital signature on data and by a verifier to verify the authenticity of the signature
DSO
District Security Officer
DSS
Digital Signature Standard
DSSV
Digital Signature Storage and Verification
EAL
Evaluation Assurance Level, as defined by the Common Criteria for Information Technology Security Evaluation (CCITSE). EALs provide a uniformly increasing scale which balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. There are seven hierarchically ordered EALs. The higher the EAL, the greater the degree of assurance.
E-mail Bombing
Flooding a site with enough mail to overwhelm its e-mail system. Used to hide or prevent receipt of e-mail during an attack or as retaliation against a site.
EAM
Extranet Access Management
ECC
Elliptic Curve Cryptosystem
EDI
Electronic Data Interchange
Encryption
The process of cryptographically converting plaintext electronic data to a form unintelligible to anyone except the intended recipient
EPIC
Electronic Privacy Information Center
ERB
Engineering Review Board
Expiration Date
All digital certificates should have an expiration date.
IEEE
Institute of Electrical and Electronics Engineers. A body that creates some cryptographic standards.
FAR
False Acceptance Rate
FBI
Federal Bureau of Investigation
FCC
Federal Communications Commission
File Viruses
Usually replace or attach themselves to COM and EXE files. They can also be files with the extensions SYS, DRV, BIN, OVL, DOC, VBS, SCR, and OVY.
FIPs
Fair Information Practices
FIPS
Federal Information Processing Standard
FIPS PUB
Federal Information Processing Standard Publication
Firewall
A system designed to prevent unauthorized accesses to or from a private network. Often used to prevent Internet users from accessing private networks connected to the Internet.
Firewall Boundary
A commonly used term referring to a security perimeter that is largely defined by the presence of one or more firewalls
FIRST
Forum of Incident Response and Security Teams. See http://www.first.org.
Footprinting
Also known as profiling, the process of obtaining data about a particular individual or company
FRR
False Rejection Rate
FTC
Federal Trade Commission
FTP
File Transfer Protocol, a means to exchange files across a network
GASSP
Generally Accepted System Security Principles
Gopher Protocol
Designed to allow a user to transfer text or binary files among computer hosts across networks
Hacking
Unauthorized use or attempts to circumvent or bypass the security mechanisms of an information system or network
"Hacktivism"
Politically motivated attacks on publicly accessible Web pages or e-mail servers
HIDS
Host computer Intrusion Detection Systems
HTML
HyperText Markup Language, the mechanism used to create Web pages
I&A
Identification and Authentication
IAFIS
Integrated Automated Fingerprint Identification System
ICDAG
Interagency Confidentiality and Data Access Group
ICMP
Internet Control Message Protocol
IDIP
Intruder Detection and Isolation Protocol
IDWG
Intrusion Detection Working Group
IDXP
Intrusion Detection Exchange Protocol
IETF
Internet Engineering Task Force
III
Interstate Identification Index
IJIS
Integrated Justice Information Systems. See http://www.ijis.org.
IMAP
Internet Message Access Protocol
Insider Threat
A disgruntled insider with knowledge of the victim's system
Integrity
Preservation of the original quality and accuracy of data in written or electronic form
Intermediary
A program or set of programs that in some way evaluate, filter, modify, or otherwise interject some function between two end users or end-use programs such as a client/server. An example is the proxy server that most companies place between their internal Web users and the public Internet.
Intrusion Detection Systems (IDS)
Techniques that try to detect intrusion or unauthorized entry into a computer or network by observation of actions, security logs, or audit data. Intrusion detection is the discovery of break-ins or attempted break-ins either manually or via specific software systems that operate on logs or other information available on the network.
IP
Internet Protocol
IP Security (IPsec)
IPsec adds security features to the standard IP protocol to provide confidentiality and integrity services.
IP Spoofing
An attack where a hacker outside the network attempts to impersonate a computer from the trusted network
ISO
Information Security Officer
ISO
International Standards Organization
ISPs
Internet Service Providers
IT
Information Technology
ITMS
Information Technology Management Section
ITN
Identification Tasking and Networking
IWG
IJIS Industry Working Group. See http://www.ijis.org.
JISN
Justice Interconnection Services Network
JTF
Joint Task Force
KEA
Key Exchange Algorithm
Key
A series of numbers used by an encryption algorithm to transform plaintext data into encrypted data
Key Encrypting Key (KEK)
A cryptographic key that is used for the encryption or decryption of other keys
Key Escrow
The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees
Key Recovery
A secure means for backup and recovery of encryption key pairs
Key Serial Number
A 128-bit number associated with a certificate
Keyring File
A file that can house the certificate
Killer Packets
A method of disabling a system by sending Ethernet or IP packets that exploit bugs in the networking code to crash the system. See SYN Floods.
KMF
Key Management Facility
KTC
Key Translation Center
LAN
Local Area Network
LEIF
Law Enforcement Interconnecting Facilities
Lightweight Directory Access Protocol (LDAP)
A standardized way to connect with a directory that might hold passwords, addresses, public encryption keys, and other exchange-facilitating data
Local Registration Authority (LRA)
A person who evaluates and approves or rejects certificate applications on behalf of a CA
MAC
Mandatory Access Control or Message Authentication Code
MIME
Multipurpose Internet Mail Extensions
MISPC
Minimum Interoperability Specification for PKI Components
Misuse
Illicit activity that exploits system vulnerabilities or file access privileges
MIT
Massachusetts Institute of Technology
NAPs
Network Access Points
NASCIO
National Association of State Chief Information Officers
NAT
Network Address Translation
NCIC
National Crime Information Center
NCS
Network Control Software
NCSC
National Center for State Courts
NIAP
National Information Assurance Partnership
NIDS
Network Intrusion Detection System
NIPC
National Infrastructure Protection Center
NIST
National Institute of Standards and Technology. See http://www.nist.gov.
NLETS
National Law Enforcement Telecommunication System
NNTP
Network News Transfer Protocol, the protocol for Usenet news distribution
Nonrepudiation
The cryptographic assurance that a message sender cannot later deny sending a message or that the recipient cannot deny receipt
NSA
National Security Agency. See http://www.nsa.gov.
NTIS
National Technical Information Service
OECD
Organization for Economic Cooperation and Development
OMB
Office of Management and Budget
Open Systems Interconnection (OSI)
Also known as the OSI reference model. This describes a standard for how messages should be transmitted between any two points in a network. The reference model defines seven layers that take place at each end of a communication.
ORI
Originating Agency Identifier
OSCA
Office of State Court Administrators
P3P
Platform for Privacy Preferences
Packet
A unit of data that is routed between an origin and a destination on the Internet
Password
A string of characters used to authenticate an identity or to verify access authorization
PDP
Privacy Design Principle
Personal/Person-Identifiable Information
Information about the characteristics or activities of an identifiable natural person, including information about individuals who may not be explicitly identified, but whose identity could be inferred from elements of the data. Sensitive data elements in existing databases can include name, address, social security number, ID numbers, and birth date.
Physical Security Policy
A document specifying the steps to take to protect the actual machines used to store and process sensitive or valuable data
PIA
Privacy Impact Assessment
PIN
Personal Identification Number
PKCS
Public Key Cryptography Standards
PKI
See Public Key Infrastructure.
Plaintext
Unencrypted (unenciphered) data
POC
Point-of-Contact
PP
Protection Profile
PPP
Point-to-Point Protocol
PPTP
Point-to-Point Tunneling Protocol
Pretty Good Privacy (PGP)
This set of standardized security procedures and algorithms provides authentication and privacy services and is most frequently used for secure e-mail. More information about PGP is available at http://www.pgp.com.
Privacy
The right of an entity (normally a person), acting on its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others
Privacy Seals
The seals of approval granted by organizations such as TRUSTe, BBBOnline, and WebTrust. The seals intend to demonstrate that a Web site has adopted appropriate policies to protect personal information and to assure individuals that they are visiting a Web site they can trust. Disclaimer—keep in mind that these seals are not monitored, and anyone can "stick" a seal on their Web site.
Private Key
The key of the public key pair that is not shared by its owner
PRNG
Pseudorandom Number Generator
Protected Resource
A target, access to which is restricted by an access control policy
Protocol
A set of rules (i.e., formats and procedures) for communications that computers use when sending signals between themselves
Public Key
The key of the public key pair that is widely shared, generally through a digital certificate
Public Key Cryptography
Cryptography based on methods involving a public key and a private key
Public Key Infrastructure (PKI)
An architecture which is used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys
PVC
Permanent Virtual Circuits
RACF
Resource Access Control Facility
RBAC
Role-Based Access Control
RC2, RC4
Specific standardized block cipher algorithms (Rivest Cipher or Ron's Code)
"Recreational Hackers"
Persons who crack into networks for the thrill of the challenge or for bragging rights in the hacker community
Registration Authority
A mechanism or person that, as part of a PKI, is involved in verifying and enrolling users
Release
Disclosure of documents (records) containing personal information to a third-party requester
Remote Access
Potential entry point for an attack that uses a war dialer and a password hacking tool to make login attempts
RFC
Request for Comments
Risk
An expectation of loss or threat that can be expressed as the probability that a particular threat (or set of threats) will exploit a particular vulnerability with particularly harmful results
Risk Analysis/Risk Assessment
The process of examining all risks, then ranking those risks by level of severity. Risk analysis involves determining what you need to protect, what you need to protect it from, and how to protect it.
Risk Management
The total process of identifying, controlling, and mitigating information technology-related risks; cost-benefit analysis; and the selection, implementation, testing, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission/business and constraints due to policy, regulations, and laws.
RISS
Regional Information Sharing Systems
Router
A device or, in some cases, software in a computer that determines the next network point to which a packet should be forwarded toward its destination
RSA
Rivest-Shamir-Adleman public key encryption algorithm
Rules of Behavior
The rules that have been established and implemented concerning use of, security in, and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of federal government equipment, assignment and limitation of system privileges, and individual accountability.
S-HTTP
Secure HyperText Transfer Protocol
S/MIME
Secure Multipurpose Internet Mail Extensions
S/WAN
Secure Wide Area Network
SAML
Security Assertion Markup Language
Security Assertion Markup Language (SAML)
An XML security standard for exchanging authentication and authorization information
Security Discipline
A set of subjects, their information objects, and a common security policy
Security Goal
To enable an organization to meet all mission/business objectives by implementing systems with due care and consideration of information technology (IT)-related risks to the organization, its partners, and its customers
Security Objectives
The five security objectives are integrity, availability, confidentiality, accountability, and assurance.
Security Policy
The statement of required protection of the information objects
Secure Socket Layer Protocol (SSL)
Invented by Netscape Communications, Inc. This protocol provides end-to-end encryption of application layer network traffic.
Secret Key
In secret-key cryptography, this is the key used both for encryption and decryption.
Sensitive Information
Information whose loss, misuse, or unauthorized access to or modification of could adversely affect the national interest or the conduct of federal programs or the privacy to which individuals are entitled
SHA-1
Cryptographic hash algorithm that is optimized for high-end processors and produces a 160-bit digest
Shoulder Surfing
Stealing passwords or PINs by looking over someone's shoulder
SLA
Service Level Agreement
Smart Card
A small plastic card with a microprocessor that can store information
SMTP
Simple Mail Transfer Protocol
Smurfing
The attacking of a network by exploiting Internet Protocol broadcast addressing and certain other aspects of Internet operations. Smurfing uses a program called Smurf and similar programs to cause the attacked part of a network to become inoperable.
SNA
Systems Network Architecture
Sniffer
A program that captures data across a computer network; used by hackers to capture user names and passwords. Also a software tool that audits and identifies network traffic packets; it is used legitimately by network operations and maintenance personnel to troubleshoot network problems.
Social Engineering
Subverting information system security by using nontechnical, social means
Spamming
Sending unsolicited e-mail
Standards
Conditions and protocols set forth to allow uniformity within communications and virtually all computer activity
SYN Floods
A method of disabling a system by sending more TCP SYN packets than its networking code can handle. See Killer Packets.
TOC
Technical and Operations Committee
Target of Evaluation
An information technology (IT) product or system and its associated administrator and user guidance documentation that is the subject of an evaluation
TCP
Transmission Control Protocol
TCP/IP
Transmission Control Protocol and Internet Protocol
Telnet Protocol
A communication protocol used to log on (possibly remotely) to a computer host
Threat
An event or activity, deliberate or unintentional, with the potential for causing harm to an information technology (IT) system or activity
TRB
Technical Review Board
Trinoo
A Trojan horse used by hackers to launch a Distributed Denial-of-Service (DDoS) attack
Triple DES
A technique used to make Data Encryption Standard encryption stronger by applying the algorithm three times
Tripwires
A mechanism or tool that detects hack attacks and alerts someone, such as an administrator, about the attack
Trojan Horse
A computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program
UPS
Uninterruptible Power Source
USENET
An e-mail-based discussion system, originally supported by dial-up connections, now usually accessed via TCP/IP
VAN
Value-Added Network
VIN
Vehicle Identification Number
Virtual Private Network (VPN)
A collection of technologies that creates secure connections via nonsecure networks (such as the Internet)
Virus
A small program that inserts itself into another program when executed and generally produces a detrimental result
Vulnerability
A weakness in system security procedures, hardware, design, implementation, internal controls, technical controls, physical controls, or other controls that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy
WAN
Wide Area Network
War Dialer
A simple database and an automated modem script that dials every phone number in a group designated by the user. After it successfully connects with a modem tone, the war dialer will record the phone number in a database. The hacker can then review the database and select a likely target for a hack attempt.
Wireless Access Protocol (WAP)
A specification for a set of communication protocols to standardize the way that wireless devices, such as cellular telephones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups, and Internet Relay Chat (IRC). For more information on the following terms, see the links provided.

Protocol:
http://searchNetworking.techtarget.com/sDefinition/0,,sid7_gci212839,00.html

Wireless:
http://searchNetworking.techtarget.com/sDefinition/0,,sid7_gci213380,00.html

Internet Relay Chat:
http://searchWin2000.techtarget.com/sDefinition/0,,sid1_gci214040,00.html
Worm
A program that copies itself from system to system via the network
XML
Extensible Markup Language
Zeroization
A method of erasing electronically stored data by altering the contents of the data storage in order to prevent the recovery of the data