A formatted message describing a circumstance relevant to network security.
Alerts are often derived from critical audit events.
A software program designed to identify and remove a known or potential
An attempt to bypass security controls on a computer. The
attack may alter, release, or deny data. Whether an attack will succeed
depends on the vulnerability of the computer system and the effectiveness
of existing countermeasures.
A hole in the security of a computer system deliberately
left in place by designers or maintainers. Synonymous with trap door; a
hidden software or hardware mechanism used to circumvent security controls.
Generally speaking, bandwidth is directly proportional to the amount of
data transmitted or received per unit time. In digital systems, bandwidth
is proportional to the data speed in bits per second (bps). Thus, a modem
that works at 57,600 bps has twice the bandwidth of a modem that works at
Black hat is used to describe a hacker (or, if you
prefer, cracker) who breaks into a
computer system or network with malicious intent.
A general synonym for crash, normally of software or
operating system failures.
This happens when more data is put into a buffer or holding
area than the buffer can handle. This is due to a mismatch in processing
rates between the producing and consuming processes. This can result in
system crashes or the creation of a back door
leading to system access.
An unwanted and unintended property of a program or piece of
hardware, especially one that causes it to malfunction.
Common Gateway Interface - CGI is the method that Web
servers use to allow interaction between servers and programs.
When a denial of service attack is aimed at the CGI
(common gateway interface), it is referred to as a CGI exploit. The CGI is
a standard way for a Web server to pass a Web user's request to an
application program and to receive data back to forward to the user.
It is part of the Web's HTTP protocol.
Allows for the creation of dynamic and interactive web
pages. They also tend to be the most vulnerable part of a web server
(besides the underlying host security).
A message given to a Web browser by a Web server. The
browser stores the message in a text file called cookie.txt. The message is
then sent back to the server each time the browser requests a page from the
A popular hacking
tool used to decode encrypted passwords. System administrators also use
Crack to assess weak passwords by novice users in order to enhance the
A person who breaks into a site by defeating a computer's security. While basically
the same thing as a "Hacker", a Cracker is
sometimes considered to be more malicious and destructive.
The act of breaking into a computer system.
Crash - A sudden, usually drastic failure of a computer system.
The art or science concerning the principles, means, and
methods for rendering plain text unintelligible and for converting
encrypted messages into intelligible form.
A program that runs continuously and exists for the
purpose of handling periodic service requests that a computer system
expects to receive. The daemon program forwards the requests to other
programs (or processes) as appropriate. Each server of pages on the Web has
an HTTPD or Hypertext Transfer Protocol daemon that continually waits for
requests to come in from Web clients and their users.
A criminal or malicious hacker.
Defense Advanced Research Projects Agency.
Denial of Service
Denial of service refers to an illegal act intended to bring
a particular system down or to make it malfunction. There are various
types of DoS attacks, e.g. the ping flood attack, smurf attack, and SYN attack.
DMZ (de-militarized zone)
A network added between a protected
network and an external network in order to provide an additional layer of
security. Sometimes called a perimeter network.
Assuming the DNS name of another system by either corrupting the name
service cache of a victim system, or by compromising a domain name server
for a valid domain.
DSS (Digital Signature Standard)
The Digital Signature Standard (DSS) is a cryptographic standard
promulgated by the National Institute of Standards and Technology (NIST) in
1994. It has been adopted as the federal standard for authenticating
electronic documents, much as a written signature verifies the authenticity
of a paper document.
Dump - An
undigested and large amount of information routed to an output device.
Usually it is a backup of computer files and data.
Occurs when an actual intrusive action has occurred but the system allows
it to pass as non-intrusive behavior.
Occurs when the system classifies an action as anomalous (a possible
intrusion) when it is a legitimate action.
The ability of a system or component to continue normal operation despite
the presence of hardware or software faults.
A system or combination of systems that enforces a boundary between two or
more networks. Gateway that limits access between networks in accordance
with local security policy. The typical firewall is an inexpensive
micro-based Unix box kept clean of critical data, with many modems and
public network ports on it, but just one carefully watched connection back
to the rest of the cluster.
Sending lots of text to the screen at once.
Gray hat describes a cracker (or,
if you prefer, hacker) who exploits a
security weakness in a computer system or product in order to bring the
weakness to the attention of the owners.
A person who enjoys exploring the details of computers and how to stretch
their capabilities. A malicious or inquisitive meddler who tries to
discover information by poking around. A person who enjoys learning the
details of programming systems and how to stretch their capabilities, as
opposed to most users, who prefer to learn only the minimum necessary.
Unauthorized use, or attempts to circumvent or bypass the security
mechanisms of an information system or network.
A single computer or workstation; it can be connected to a network.
A worm program (see: Worm) that was unleashed on the
Internet in 1988. It was written by Robert T. Morris as an experiment that
got out of hand.
Any set of actions that attempt to compromise the integrity,
confidentiality or availability of a resource.
An attack where the attacker impersonates a
trusted system by using its IP network address.
An attack where an active, established session is intercepted and taken
over by the attacker. May take place after authentication has occurred
which allows the attacker to assume the role of an already authorized user.
Local Area Network - A computer communications system limited to no more
than a few miles and using high-speed connections (2 to 100 megabits per
second). A short-haul communications system that connects ADP devices in a
building or group of buildings within a few square kilometers, including
workstations, front-end processors, controllers, switches, and gateways.
A piece of email containing live data intended to do malicious things to
the recipient's machine or terminal. Under UNIX, a letterbomb can also try
to get part of its contents interpreted as a shell command to the mailer.
The results of this could range from silly to denial of service.
Macro viruses are small programs written using the internal
programming language of a specific application program that replicate
within documents created by the application program. Common examples of
application programs that use macros include word processors such as Word
and spreadsheets such as Excel.
The mail sent to urge others to send massive amounts of email to a single
system or person, with the intent to crash the recipient's system.
Mailbombing is widely regarded as a serious offense.
Hardware, software, or firmware that is intentionally included in a system
for an unauthorized purpose; e.g. a Trojan horse.
Open Systems Interconnection. A set of internationally accepted and openly
developed standards that meet the needs of network resource administration
and integrated network utility.
A block of data sent over the network transmitting the identities of the
sending and receiving stations, error-control information, and message.
Inspects each packet for user defined content, such as an IP address but
does not track the state of sessions. This is one of the least secure types
The successful unauthorized access to an automated system.
The description of a situation or set of conditions in which a penetration
could occur or of system events which in conjunction can indicate the
occurrence of a penetration in progress.
The portion of security testing in which the evaluators attempt to
circumvent the security features of a system. The evaluators may be assumed
to use all system design and implementation documentation, that may include
listings of system source code, manuals, and circuit diagrams. The
evaluators work under the same constraints applied to ordinary users.
PGP (Pretty Good Privacy)
A freeware program primarily for secure electronic mail.
An individual who combines phone phreaking with
An individual fascinated by the telephone system. Commonly, an individual
who uses his knowledge of the telephone system to make calls at the expense
The art and science of cracking the phone network.
Ping of Death
The use of Ping with a packet size higher than 65,507. This will cause a
denial of service.
Private Key Cryptography
An encryption methodology in which the encryptor and decryptor use the same
key, which must be kept secret. This methodology is usually only used by a
Any effort to gather information about a machine or its users for the
apparent purpose of gaining unauthorized access to the system at a later
Normally an Ethernet interface reads all address information and accepts
only the packets destined for itself, but when the interface is in
promiscuous mode, it reads all traffic (sniffer),
regardless of its destination.
Agreed-upon methods of communications used by computers. A specification
that describes the rules and procedures that products should follow to
perform activities on a network, such as transmitting data. If they use the
same protocols, products from different vendors should be able to
communicate on the same network.
A firewall mechanism that replaces the IP address of a host on the internal
(protected) network with its own IP address for all traffic passing through
it. A software agent that acts on behalf of a user. Typical proxies accept
a connection from a user, make a decision as to whether or not the user or
client IP address is permitted to use the proxy, perhaps do additional
authentication, and then complete a connection on behalf of the user to a
Public Key Cryptography
Type of cryptography in which the encryption process is publicly available
and unprotected, but in which a part of the decryption key is protected so
that only a party with knowledge of both parts of the decryption process
can decrypt the cipher text.
A study of vulnerabilities, threats, likelihood, loss or impact, and
theoretical effectiveness of security measures. The process of evaluating
threats and vulnerabilities, known and postulated, to determine expected
loss and establish the degree of acceptability to system operations.
An interconnection device that is similar to a bridge but serves packets or
frames containing certain protocols. Routers link LANs at the network
Rules Based Detection
The intrusion detection system detects intrusions by looking for activity
that corresponds to known intrusion techniques (signatures) or system
vulnerabilities. Also known as Misuse Detection.
Aspiring hackers who download files that automate attacks.
The lowest form of cracker;
script kiddies do mischief with scripts and programs written by others,
often without understanding the exploit. 2. People who cannot program,
tacky HTML pages. More generally, a script kiddie writes (or more likely
cuts and pastes) code without either having or desiring to have a mental
model of what the code does; someone who thinks of code as magical
incantations and asks only "what do I need to type to make this
A completely encrypted shell connection between two machines protected by a
super long pass-phrase.
Any act or circumstance that involves classified information that deviates
from the requirements of governing security publications. For example,
compromise, possible compromise, inadvertent disclosure, and deviation.
The set of laws, rules, and practices that regulate how an organization
manages, protects, and distributes sensitive information.
Security Policy Model
A formal presentation of the security policy enforced by the system. It
must identify the set of rules and practices that regulate how a system
manages, protects, and distributes sensitive information.
A denial of service attack in which an attacker spoofs the source address
of an echo-request ICMP (ping) packet to the broadcast address for a
network, causing the machines in the network to respond en masse to the
victim, thereby clogging its network.
Sneaker - An
individual hired to break into computer systems to test their security.
A program to capture data across a computer network. Used by hackers to
capture user id names and passwords. A software tool that audits and
identifies network traffic packets. It is also used legitimately by network
operations and maintenance personnel to troubleshoot network problems.
To crash a program by overrunning a fixed-size buffer with excessively
large input data. Also, to cause a person or newsgroup to be flooded with
irrelevant or inappropriate messages.
Pretending to be someone else. The deliberate inducement of a user or a
resource to take an incorrect action. An attempt to gain access to a system
by pretending to be an authorized user. Impersonating, masquerading, and
mimicking are forms of spoofing.
SSL (Secure Sockets Layer)
A session layer protocol that provides authentication and confidentiality
When the SYN queue is flooded, no new connection can be opened.
Transmission Control Protocol/Internetwork Protocol. The suite of protocols
the Internet is based on.
A software tool for security which provides additional network logging, and
restricts service access to authorized hosts by service.
Allows an attacker, on a certain machine, to control any terminal session
that is in progress. The attacker can send and receive terminal I/O
while a user is on the terminal.
The means through which the ability or intent of a threat agent to
adversely affect an automated system, facility, or operation can be
manifest. A potential violation of security.
Methods and things used to exploit a vulnerability in an information
system, operation, or facility; fire, natural disaster and so forth.
In a packet-switching network, a unique packet that causes a report of each
stage of its progress to be sent to the network control center from each
visited system element.
An operation of sending trace packets to determine routing information; it traces
the route of UDP packets from the local host to a remote host. Normally traceroute
displays the time and location of the route taken to reach its destination
A software tool for security. Basically, it works with a database that
maintains information about the byte count of files. If the byte count has
changed, it will identify it to the system security manager.
An apparently useful and innocent program containing additional hidden code
which allows the unauthorized collection, exploitation, falsification, or
destruction of data.
Troll - An
online message whose purpose is to attract responses and make the
responders look stupid. People who troll want to make you waste your time
responding to their pointless statements.
A program that can "infect" other programs by modifying them to
include a, possibly evolved, copy of itself.
A hardware, firmware, or software flaw that leaves an AIS open for potential
exploitation. A weakness in automated system security procedures,
administrative controls, physical layout, internal controls, and so forth,
that could be exploited by a threat to gain unauthorized access to
information or disrupt critical processing.
Wide Area Network. A physical or logical network that provides capabilities
for a number of independent devices to communicate with each other over a
common transmission-interconnected topology in geographic areas larger than
those served by local area networks.
War Dialer - A cracking tool that calls a given list or range of
phone numbers and records those which answer to identify computer systems.
War driving is a relatively recent phenomenon, since
wireless networks started getting popular. Since most people that install a
wireless LAN don't bother to (or can't) dampen the signal enough that you
can't access it outside their building, it's easy to steal bandwidth. All
you have to do is get a laptop with a wireless card, install Aerosniff
(like a packet sniffer, but for wireless rather than for Ethernet), and
literally drive around town looking for areas with wireless traffic. Once
you find one, it's generally trivial to steal their bandwidth. Hence, war
Warez - Cracked versions of commercial software with their
copy-protection stripped off. Warez sites usually contain illegal, pirated
software or games.
White hat describes a hacker (or, if
you prefer, cracker) who identifies a
security weakness in a computer system or network but, instead of taking
malicious advantage of it, exposes the weakness in a way that will allow
the system's owners to fix the breach before it can be taken advantage of
by others (such as black hat
hackers). Methods of telling the owners about it range from a simple phone
call through sending an e-mail note to a Webmaster or administrator all the
way to leaving an electronic "calling card" in the system that
makes it obvious that security has been breached.
An independent program that replicates from machine to machine across network
connections, often clogging networks and information systems as it spreads.