Posts - Integrating the
Model in the Real

1/13/09: Audit & Risk - Seeing the Forest from the Trees

9/4/08: Security ROI

6/28/08: Boise: A
Terrorist Target?

5/10/01: FFIEC Business
Continuity Planning

4/3/08: SOX 404 Audits

Glossary of Information Security Terms

If you can not find a definition, check one of these other for IS glossaries or try Wikipedia.

Click on a letter.


Access Control The process of determining what applications, functions or resources a user may do or access. For example, what entitlements are granted to the user: read only, input, update, delete, approve, etc. Does the user only have access to a specific application on a computer or do they have access to the operating system (Administrator or Root), security administration, the database, etc.?

Access Control List (ACL) An access control mechanism associated with an object, that identifies who (e.g. users, groups, roles) can access the object and with what kind of access (i.e. what operations they may perform).

Accountability The ability to associate positively the identity of a user with the time, method, and degree of access to a system and to the actions performed. See also "nonrepudiation".

ACL See Access Control List.

Authentication (1) The verification of the identity of a user, device, or other entity in a computer system, often a prerequisite to allowing access to resources in a system. 2) The verification of the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.

Availability The requirement that systems and processes be accessible to customers and the business. Availability may be measured in time (i.e. available 24X7) or in terms of performance (i.e. a minimum number of concurrent users on the system, computer response time to queries, etc.) Example: a denial of service attack impacts availability. Availability is assured through the use of redundant systems, excess system capacity, secure system configurations, access controls, etc.

Basel II Accords International regulatory agreement requiring financial institutions to develop programs to measure and accurately predict operational risk losses and take appropriate reserves for operational losses's. Basel II provides a strong incentive for financial institutions to develop strong operational risk programs (including effective information security programs) to limit losses and the associated reserves.

Biometrics The use of specific physical attributes that reflect unique personal characteristics, such as a fingerprint, an eye blood vessel print or a voiceprint, to validate the identity of users.

BISO Business Information Security Officer

Bot Nets "Botnets," short for robot networks, are made up of home and business PCs that have been taken over by hackers and joined together to create remote-controlled networks.

Broadband A high-speed network connections used to access the Internet connections such as a cable modem or Digital Subscriber Line (DSL) line.

Brute Force Attack A sequential, systematic, exhaustive testing of all possible methods that can be used to break a security system. For example, if a criminal attempts to break into a person's account on a computer, they will need to obtain or guess that person's password. Using social engineering techniques, the criminal typically will try to guess the password based on the person's birth date, home address, pet's name, etc. If that fails, the criminal will move to a brute force attack by sequentially trying all possible passwords (i.e. aaa, aba, abb, abc, etc.) If done manually, the criminal will need to be persistent and be willing to waste an almost infinite amount of time, since the number of possible password combinations for a three character password (letters, numbers and punctuation) exceeds 300,000. The most efficient solution is to create a "password cracker" program that will automate the brute force attack. See Dictionary Attack.

Buffer Overflow A buffer is created by a program to store information until it is needed. For example, when you view a video on line you may notice that the program "buffers" enough of the video ahead of time so that when the video plays it doesn't stop every few seconds to wait for the the next stream of data. To cause an overflow error, a criminal sends the buffer more data than it is programmed to hold. If the buffer was designed properly, the extra data should be ignored or result in an error message. A poorly designed buffer lets the extra data "overflow" to the next buffer or memory area on the program. If you structure the overflow correctly, the extra data will execute commands on the system and allow the criminal to take over the program.

Business Continuity Planning The planning process for assuring the recovery, resumption, and maintenance of critical processes within an organization upon the occurrence of external event that disrupts operations. The Business Continuity Plan or BCP addresses the plan for emergency response, backup operations, and post-disaster recovery for the organization. BCP is synonymous with continuity of business (COB), backup, disaster and emergency plans. BCP's can be broken down into two major components:

  • An emergency recovery plan that addresses physical security steps to be taken in the early moments of a disaster (building evacuation, call trees, etc.)
  • A plan for the recovery of business operations once the physical security of the employees and the facility are addressed (contingency sites, backup and restore procedures, backup resources, etc.)

For a more detailed discussion of BCP's, see the FFIEC IT Examination Handbook on Business Continuity Planning.

CERT The CERT Coordination Center is a major reporting center at Carnegie Mellon University for security incidents that maintains extensive data on threats and vulnerabilities along with training materials (including advice for secure home computing). Their Web site insists that "CERT" is not an acronym.

CISO Chief Information Security Officer, individual responsible for the overall information security program for the enterprise.

Clean/Clear Desk Policy See Secure Workplace

Commercial-Off-The-Shelf (COTS) SOFTWARE Generally refers to computer products that are available to achieve a specific service, function, or application.

Confidentiality The ability to limit access to authorized individuals. Used interchangeably with privacy when referring to personal or customer data. Confidentiality is achieved through the use of access controls, encryption, "know-your-customer" procedures, etc.

Cookie A small file some Web sites place on users' computers to enable personalization of Web content (notice how your name always pops up when you revisit a Web site – that’s a cookie). Most cookies are harmless, but some that record Web surfing habits and personal information are considered spyware.

Cracker Some in the Internet community see hacking as a normal activity. To distinguish "benign" hacking from illegal actions, they use the term "cracker" to identify those hackers who conduct illegal activity.

Criticality Sometimes referred to as "impact" or "inherent risk" (the impact to the business before compensating controls, vulnerabilities, and threats are taken into account). The importance (High, Medium or Low) to the enterprise of an information asset in terms of its confidentiality, integrity and availability. See also Risk.

Cryptography The art of protecting information by transforming it (encrypting it) into an unreadable format called ciphertext.

DBA DataBase Administrator. The individual assigned to create and maintain a database (i.e. assigning security privileges, designing database tables and structures, optimizing performance, importing and exporting of data, etc.).

Denial of Service Any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. Also interdiction. A service attack (or nonperformance by the service provider) whereby legitimate service customers (users, clients) are denied access to the service as defined by the quality-of-service agreement or expectation between the service provider and it customers.

Dictionary Attack A form of Brute Force Attack used to guess a password. The attack methodology is based on the assumption that most people, in order to easily remember their password, will create passwords that are derived from words. Dictionary Attacks are typically incorporated into automated password cracker programs. These programs are becoming increasingly sophisticated. For example, the dictionary password crackers may first use common words such as geographical locations or sports teams. Since some users try to obscure their passwords with numbers or capital letters (instead of redsox as a password, they use Red6Sox!), password crackers are programmed to also insert numbers, punctuation marks and capital letters in alternate positions within words.

Dynamic Password A password that is valid for one use only, also a one-time password. For example, a SafeWord card generates a new, unique password every time the user inputs a PIN. A SecureID card generates a new, unique password every 60 seconds.

Dynamic Password Token A device used to generate a dynamic password. See RSA's SecureID and Secure Computing's SafeWord.

Electronic Data Interchange (EDI) An electronic exchange standard sponsored by ANSI. EDI defines structures for business forms such as purchase orders, invoices, and shipping notices, providing a way for organizations to exchange business information. Also see EDI's more advanced successor Extended Markup Language (XML).

Encryption The translation of data into a secret code. See RSA's FAQ's on encryption for a good overview

End-To-End Encryption The process of changing readable information into cipher/encrypted information at its source and changing it back to readable text at its intended destination without any intermediate changes from ciphertext to readable text. "Source" and "destination" in this context are physical and/or logical environments in which the information is under the control of, and limited to authorized parties who have a need-to-know. Business units may determine whether the source and destination is a secure facility, data center, server or other computing device.

End User Computing (EUC) Desktop computing tools like Microsoft Access, Word or Excel.

Entitlement The privilege of complete or restricted access to an object, resource, or function. It is worthwhile to distinguish between the ability to "access" a system (i.e. you can log on), versus the "entitlement" privileges you may have within the application (i.e. you can read the data, but you can not update or delete it).

Federal Financial Institutions Examination Council (FFIEC) The FFIEC is a US interagency body that issues uniform principles, standards, and report forms for the federal examination of financial institutions. See the FFIEC Information Technology Examination Handbook.

File Transfer Protocol (FTP) The protocol that enables users to contact another computer on the Internet and transfer files to and from other computer systems. If you download files from an Internet site, you are probably using FTP. While FTP is a very useful tool, it does present several security challenges. If you want to let anyone upload or download files from your Internet site, you will typically use "Anonymous" FTP - you do not ask users to authenticate themselves. However, Anonymous FTP provides virtually no security. If you do want to control access to the FTP functionality on your site, you can create accounts for your users and assign them passwords. However, when the user logs on to your FTP site, the user's password will be sent over the Internet in clear text providing an opportunity for a criminal to monitor the data stream and steal the password. The better solution is Secure FTP which creates an encrypted session between the two computers.

Firewall A system designed to prevent unauthorized access to or from a private network. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Framework The overall structure of an information security program. The IS Framework utilized on this Web site consists of four components:

  1. Assess - Determine what we need to protect.· Determine overall information security framework · Assess current practices and procedures· Classify data and assess business risk· Set baseline security practices
  2. Mitigate - Deploy security systems and processes.· Implement adequate controls to ensure confidentiality, integrity and availability of information.
  3. Monitor - Monitor systems to ensure security is adequate.· Review user activity on business systems to identify suspicious or illegal actions· Scan and monitor internal network and external connections
  4. Respond - Respond to breaches in security. · Implement practices and procedures to respond to threats or incidents· Establish an environment of continuous improvement

Freeware Copyrighted software that is available on public networks and bulletin boards at no cost.

Functional ID Generic accounts (for example, Root, Administrator) that are required by the operating system, system level software or utilized by automated processes and are associated with a group, function or role.

GLBA Gramm-Leach-Bliley Act or the Financial Services Modernization Act. Along with several provisions allowing financial service companies greater latitude in conducting business, the GLBA also implemented several requirements for privacy and information security.

Hacker Originally someone who enjoyed experimenting with hardware and software for purely innocent reasons. Nowadays, a hacker has come to mean someone who gains, or attempts to gain, unauthorized access to computer systems. However, the term is used interchangeably. On this Web site a hacker with evil intent is referred to as a "criminal".

HIPAA United States Health Insurance Portability and Accountability Act of 1996. HIPAA establishes requirements for the confidentiality of health care related information.

Honey Pot Typically refers to a site on the Internet that is intentionally created to attract and "trap" people who attempt to break into other Web sites. A Honey Pot is usually implemented with one or more common vulnerabilities or security holes that will pop up on vulnerability scans, along with intrusion detection systems that monitor access and identify the source of the breach. Variation - A "HoneyMonkey" is a computer, lacking one or more security patches, that runs an automated routine to surf the Web looking for sites that will infect the computer.

Identification The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.

Impersonation The ability of a machine on a network to appear as if it is another machine. The synonym "spoofing" is often used within the hacker underground.

Incident A suspected or possible security breach to one or more information resources leading to either the:

  1. Loss of confidentiality,
  2. Destruction of data,
  3. Loss of system integrity, system degradation, or denial service;
  4. Loss of data integrity;
  5. Unauthorized use of corporation resources; or
  6. Other intrusions.

Information Assets Data on any media format created, processed and used by the business. Media formats may vary from paper copies (memos, letters, check stock, etc.); electronic files stored on hard drives, USB flash memory devices, CD's, DVD's, back-up tapes etc.; to voice mail. An alternate definition - Information that has value to the extent that it enables an entity to achieve goals and thus is an asset like people, money, and material.

Information Owner(ship) The responsibility of business management to classify data and to establish and document a process for the granting and denying of access to, and the distribution of information assets and resources.

Information Security The business and operational risk management responsibility to ensure that a process is in place to define, document, implement, monitor, and manage controls over the information assets for which the business has responsibility.

Information Security Administration (ISA) The management of security data: authentication data (user accounts, passwords), authorization data (entitlements, groups, roles), access control data, audit data, and encryption keys. Also includes operational issues, such as enforcing security policy, handling security alerts, and detecting and responding to intrusions. Also known as Security Administration.

Information Security Policy and Standards High level, enterprise requirements for the protection of business Information.

Information Security Officer (ISO) The person responsible for ensuring that information security is provided to and implemented within each business unit.

Infrastructure Computing and telecommunications equipment, software, processes, facilities, and people that provide the processing, storage, and transmission of data and information that support your businesses.

Inherent Risk The risk to the business before controls are taken into account. A wire transfer process typically has a high inherent risk since significant amounts of money are transferred through these systems. However, if the controls on these systems are adequate, the residual risk (the risk after controls are taken into account) may be medium or low.

Integrity The ability to ensure that information is accurate, reliable and correct and has not been subtly changed or tampered with by an unauthorized party. Integrity is achieved through the use of audit logs, change control, reconciliation reports, hashes or checksums, etc.

Intrusion Detection Method used for detecting system break-ins or break-in attempts either manually or via security software products.

Intrusion Detection System (IDS) A system used to detect unauthorized activity on a network or computer system. Typically an IDS will look for certain attack signatures (attempts to access unauthorized ports on firewalls, automated system scans, etc.) and set off alarms when they are detected.

IS Information Security.

ISO Information Security Officer

ISP Internet Service Provider - a company that provides access to the Internet for consumers and businesses.

Key Logger Software A form of spyware that logs each keystroke or other activity in a system. Such software can be used illicitly to gather credit card numbers, passwords and other sensitive information and transmit it to third parties. Key Logger Software is also used by corporations and law enforcement agencies to monitor suspicious activity.

Kiddy Scriptor See "Script Kiddy"

Local Area Network (LAN)A communications network that serves users within a confined geographical area. It is made up of servers, workstations, a network operating system, and a communications link.

Maker/Checker A dual-role model in which one person inputs a transaction or makes changes to sensitive data and a second person checks and authorizes the activity; the changes do not take effect until approved by the checker.

Malware Software designed to steal data from or disrupt computer systems. "Malware" is an abbreviated concatenation of "malicious" and "software" that refers to such programs as viruses, worms, trojan horses, spyware, keyloggers, etc. . Note, most people incorrectly lump together all forms of malicious software under the term "virus".

Need-to-Know The process of restricting a user’s access to only that information that the user “needs to know” in order to perform their assigned responsibilities.

Network A system of computers interconnected by communication links to share information and resources.

Non-Repudiation Automated functions that record who sent, received, or forwarded a message or who changed a record on a system. Non-repudiation prevents forgery and tampering, but does not guarantee delivery. See also "Accountability". Audit logs are often used to create a chain of accountability (non-repudiation) on a system. For example, if an unauthorized transaction occurs on a system, the audit log should demonstrate whose account was used to initiate the transaction - i.e. the account holder will not be able to "repudiate" their responsibility.

One-Time Password See dynamic password. A one time password can also be a password that is initially set for accessing the system, as long as the system automatically forces the user to change the password as soon as the user logs on (hence, the user can only use it “one time”). If a security administrator must communicate a password to the user (via email, voicemail, etc.), it is advisable to use a one-time password so that the administrator will not know the user's password once they log on to the system.

Operational Risk The risk of loss to the business from operations and technology functions based on the failure of people, processes or systems or from external events (fires, storms, earthquakes, etc.). Operation risk includes such disciplines as information security, business continuity planning, records management and operational controls.

Operating System The code or software that makes a computer or other electronic system work. Examples are UNIX, LINUX, Windows (NT, Windows 2000, XP, etc.), etc.

Password A secret series of characters that enable a user to access a file, computer, or program. Serves as a security measure against unauthorized access to data. See "Authentication". Note, the computer can only verify the legitimacy of the password, not the legitimacy of the user.

Password Cracker A program that tests the relative strength of passwords by sequentially guessing all possible combinations of letters or numbers. Password crackers can also use logical attacks based on words in the dictionary with modifications for randomly inserted numbers or special characters.

PDA Personal Digital Assistant such as a Palm Pilot, Treo or a BlackBerry. Basically any handheld computing device used to store personal information.

Personal Identification Number (PIN) Used in retail electronic applications, this business-defined security code identifies the customer effecting a transaction. PINs are most commonly used in ATM, point-of-sale (POS), and Home Banking systems to access accounts.

Personnel Security The procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances.

Pharming When you click on a link or select a Web site from your Favorites list, your browser is directed to one of the Domain Name Servers (DNS) on the Internet to translate the link into the specific IP address of the server that runs the Web site you want. Pharming is the exploitation of a vulnerability in the DNS server that allows a hacker to redirect traffic from a legitimate site to another web site. The hacker then sets up a fake page (see "Phishing" below) at the new address that will deceive people into handing over personal information like credit card and Social Security numbers.

Phishing form of illegal hacking where a criminal creates a fake Web site that masquerades as the home page of a popular Internet provider or financial institution and tries to deceive unsuspecting consumers to disclose personal information such as credit card numbers, passwords, social security numbers, etc. The criminal sends out e-mails directing the recipients to the spoofed Web site, where the visitors find instructions to update or confirm records by entering their bank and credit-card information, personal identification numbers and other confidential data.

Physical Security The application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information. Door locks, guards, fire sprinklers and exit doors are examples of physical security measures.

PING Packet Internet Groper. A simple Internet utility or computer command used to check the connection with another site. When you “ping” a site, the computer repeatedly bounces a signal off the remote site and shows you how long it took to complete the round trip each time. If you get no returns at all, the site is either down or unreachable. If only a portion of the signals are returned, it indicates some trouble with the connection that will slow down performance.

Plain Text Any message that is not encrypted. Same as clear text.

Practices A control, methodology, or rule. For example, the following is a practice - Audit logs should be reviewed on a periodic basis. The specific steps required by the business to perform an audit log review are called "procedures".

Procedures 1) Locally developed detailed processes and task descriptions that ensure compliance with policy and standards. 2) A written description of a course of action to be taken to perform a given task. 3). The specific steps necessary to implement a "practice". For example, a procedure to review audit logs will have detailed requirements for what logs should be reviewed, when they should be reviewed, who should conduct the review, what items should be reviewed, and how issues should be reported.

Proxy Server A server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. Proxy servers can also be used to filter requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of Web sites.

Public Key Encryption An asymmetric cryptographic system that uses two keys - a public key known to everyone and a private or secret key known only to the recipient of the message. For data confidentiality, the sender encrypts a message with the receiver's public key, and the receiver decrypts it with his/her private key. For digital signatures, the public-key encryption process is reversed; the sender signs a message with his/her private key and the receiver (or any third party) verifies the signature with the sender's public key. An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.

Public-Key Infrastructure (PKI) A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

Pretty Good Privacy (PGP) A freeware encryption program for encrypting data files and/or e-mail messages on PCs and Macs. Also supported by Network Associates. Considered to be among the strongest encryption utilities available. PGP also has facilities for authentication, so that you can be sure a message was really sent by the person who it appears to be from, and non-repudiation to prevent someone from denying that they ever sent a message.

Recovery Point Objective (RPO) In Business Continuity Planning, the amount of data that can be lost for a particular process in an External Event without severely impacting the recovery of operations for an organization or the point in time in which systems and data must be restored.

Recovery Time Objective (RTO) The point in time after an External Event has disrupted business processes when the process must be resumed in order to avoid a significant impact to operations.

Rootkit A set of stealth software tools that a criminal installs on a computer. The tools manipulate the operating environment so that it is difficult to detect that the rootkit is running on the system. Once the rootkit is installed, the criminal can then use devices like keyloggers to monitor activity and record passwords, account numbers etc.

Router 1) A computer that determines the path of network traffic flow. The path selection is made based on information obtained from specific protocols that attempt to identify the shortest or best path, and other criteria. 2) A computer system in a network that stores and forwards data packets between LANs and WANs. Routers read the network address in a transmitted message and can make a decision on how to send the message based on the most expedient route.

Script Kiddies An inexperienced hacker with few technical skills. The phrase is used primarily to refer to adolescent boys (kiddies), with too much time on their hands and too much energy, who download malicious code (scripts) from hacker sites. Since they have minimal technical skills, they have little idea how to effectively run the scripts. But like a million monkeys sitting at a million typewriters, occasionally a script kiddy gets lucky and does some damage.

Secure Sockets Layer (SSL)A protocol developed by Netscape Communications (and later incorporated into a universal standard) that provides generic security services for TCP/IP applications just above the TCP protocol. SSL is most often used to authenticate and provide confidentiality for the World Wide Web.

Secure Workplace The processes and procedures applied by each business to ensure that the information processed and stored in the work environment is kept secure. Processes include the use of locked file rooms, offices and file cabinets, securing PC’s with screen saver passwords when left unattended, monitoring access to the office, removing sensitive information from bulletin boards and white boards when no longer needed, etc.

Security Information and Event Management (SIEM) See SIRT. Typically referred to as part of the manual and automated tools used to monitor processes and systems to detect security events.

Security Incident Response Team (SIRT) A Security Incident Response Team process is used to manage incidents, minimize the damage and exposure, bring the system(s) under control, and educate the organization about the lessons learned.

Segregation Of Duties The most fundamental control which limits opportunity and temptation, while increasing independent review. One individual should not control more than one aspect of a specific change, transaction or process. Ultimately one individual should review the work of another. See maker/checker.

Shareware Copyrighted software that is made available on public networks and bulletin boards free of charge on a trial basis. If a person likes a shareware program and decides to use it, he/she is obligated to pay a fee to the program's author.

Shoulder Surfing A social engineering technique where a someone looks over your shoulder while you type in a password on your computer or type in a calling card number on a telephone. It is a simple, non-technical, means of obtaining sensitive information in an unauthorized manner.

Single Sign-On The ability to login into multiple computers or servers with a single action and the entry of a single password. Especially useful where, for example, a user on a WAN requires access to a number of servers, plus perhaps a many or mainframe system as well. Although single sign-on makes the login process more convenient for the user, it does mean that the password becomes more valuable to a hacker because of the large number of systems it can access. For this reason we discourage the use of single sign-on systems, and, where there is no other realistic option, we recommend that passwords are guarded safely and changed regularly. Users must also be made fully aware of their responsibility for safeguarding their password.

Skimming The use of a device that can read the information stored on the magnetic stripes attached to credit cards, drivers’ licenses and passports. A thief uses a skimmer to harvest person information.

Smart Card A credit card sized device containing an embedded microprocessor that stores information and is used for identification or financial transactions. When inserted into a reader, it transfers data to and from a central computer. It is more secure than a magnetic strip card and can be programmed to self-destruct if the wrong password is entered too many times. As a financial transaction card, it can store transactions and maintain a bank balance.

Sniffers Electronic device that can capture electronic messages as they traverse the network.

Social Engineering The process of manipulating or deceiving another person or persons to divulge useful information (e.g., IDs, passwords, and information that may suggest a vulnerability).

SOX The Sarbanes-Oxley Act, which imposes extensive financial reporting requirements on businesses.

Spam Electronic junk mail or junk newsgroup postings. Most SPAM is unsolicited and varies from inappropriate content, to sales & diet offers, and “get rich quick” schemes.

Spoofing An attempt to gain access to a system by posing as an authorized user. Also impersonating, masquerading or mimicking.

Spyware Software that is usually installed on computers without the user’s knowledge that monitors computing habits, such as Web-surfing patterns, and transmits the information to third parties, sometimes without the explicit authorization or consent of the user.

Static Password A password that a user selects on introduction to a secured system and that changes relatively infrequently, usually not more than once a month. See “Dynamic Password”.

Steganography The process of hiding text within a graphical image file by encoding the text within a scattering of pixels. The key to effective steganography is in the choice of pixels, to ensure that the graphic does not appear to have been altered.

Strong Authentication The use of cryptography to protect the confidentiality and integrity of messages comprising the authentication protocol and subsequent interaction protocols, and it also protects from replay attacks.

Super User A Super User is a person who has rights to perform all functions on a system. Super Users can establish user accounts and entitlements; insert, update and delete files; and update the operating system. In effect, they can go anywhere on the system and do whatever they please. These users are typically created as Functional ID’s such as ADMIN (Administrator), SYSADMIN (System Administrator), DBA (Database Administrator), etc.

Suspicious Activity Reports (SARs)Reports required to be filed with the US Treasury Department whenever a financial institution observes certain types of suspicious activities, including certain crimes against the institution which result in financial loss, or attempts by depositors to avoid or evade the Currency Transaction Reporting Requirements.

Telephone Personal Identification Number (TPIN) A number (a form of PIN) used for authentication over the telephone.

Threat Threat is a person or force of nature that can "threaten" or cause damage to a business. In terms of people, a threat is measured on the basis of a combination of their motivation and ability. Most law enforcement agencies have definitions and ratings of threats. Examples of threats are:

  • Casual observer,
  • Kiddy scriptors/hackers,
  • Disgruntled employees,
  • Political activists,
  • Competitors,
  • Organized crime,
  • Terrorists,
  • Law enforcement agencies,
  • Government agencies and other governmental organizations.

This list is sorted on the basis of the resources that the threat agent can bring to bear. Users of this model should take into account the threat's motivation, numbers, capital and intellectual resource.

Threat Assessment Process to identifying potential security threats, both accidental and deliberate, that may affect assets, and estimating the likelihood of occurrence and the severity of impact.

Trojan or Trojan Horse A computer program with an apparent or actual useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security or integrity.

User Identification (User ID or UID) A unique set of alphanumeric characters used to access a computer system. It is used for system identification and typically with a password for verification.

Virus A computer program designed to attack other computers.

Voice Response Unit (VRU) In telephony, hardware or software that receives incoming calls by playing one or more prerecorded messages. The messages may require the caller to give additional information by touching buttons on a touch-tone keypad. The sequence of messages planned may be determined dynamically by this additional input.

Vulnerability A Vulnerability is a defect in a process or asset that creates the potential for loss or harm. Vulnerability measures the control deficiencies (defects) to determine a system's or process' level of exposure.

Vulnerability Assessment A measurement of vulnerability which includes the susceptibility of a particular system to a specific attack and the opportunities available to a threat agent to mount that attack.

Vulnerability Testing A process to identify vulnerabilities in applications or systems using such methods as ethical hacking, source code analysis, vulnerability scanning, etc.

War Dialer A program that dials one telephone number after another and records connections to any number that produces a modem connection tone. Those numbers can then be used as part of an attack to access computers connected to the modems. As Internet connections have evolved from phone to broadband based connectivity, the use of War Dialers has declined significantly.

Wide Area Network (WAN) A network that provides communication services to a geographic area larger than that served by a local area network.

Worm A program that changes and destroys data, but can also travel and trigger damage from computer to computer across a network (e.g., 1988 Morris Internet Worm).

Zero Day A new form of worm that spreads so rapidly that security professionals, anti-virus software and network filtering systems are unable to respond rapidly enough to stop the worm. Recent history shows an increasing rate of worm propagation to the point where a well designed worm can spread across the Internet within minutes. The primary threat from a Zero Day Worm is that highly malicious code could be included in the payload that would leave vast numbers of machines inoperable before a solution could be found.