Information Security Glossary of Terms

A

Access Control
Access Control ensures that resources are only granted to those users who are entitled to them.
Assurance (or Information Assurance)
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
Auditing
The gathering of information and analysis of assets to ensure things such as policy compliance and security from vulnerabilities.
Authentication
The process of confirming the correctness of the claimed identity.
Authenticity
The validity and conformance of the original information.
Authorization
The approval, permission, or empowerment for someone or something to do something.
Authorization to Operate (ATO)
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. An ATO must be issued to a research organization before it can begin working with federal data associated with a grant or contract.
Authorizing Official (AO)
A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
Availability
Availability is the need to ensure that the business purpose of the system can be met and that it is accessible to those who need to use it.

B

Basic Authentication
Basic Authentication is the simplest web-based authentication scheme that works by sending the username and password with each request.
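The following Python is an added example, not part of the UAB glossary: it builds and parses the Authorization header that Basic Authentication attaches to every request, and shows why the scheme depends entirely on the transport being encrypted. The function names, the sample credential store and the sample log line are constructed for illustration; a real server would store password hashes rather than plaintext.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Construct the header value a client sends with each request:
    the scheme name followed by base64("username:password")."""
    if ":" in username:
        raise ValueError("user-id must not contain a colon (RFC 7617)")
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a header value, or None when it
    is not well-formed. Base64 is an encoding, not encryption: anyone
    who sees the header (on the wire, in a proxy log, in a crash dump)
    can recover the password this way."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; the password may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def verify_credentials(header: str, store: dict) -> bool:
    """Server-side check against a credential store, using a constant-time
    comparison so timing does not reveal how much of the password matched."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    expected = store.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


# Constructed sample data for the example (not real credentials).
SAMPLE_STORE = {"alice": "s3cret"}
SAMPLE_LOG_LINE = "GET /reports HTTP/1.1 Authorization: Basic YWxpY2U6czNjcmV0"


def password_from_log_line(line: str) -> Optional[str]:
    """What a logged Authorization header gives away to whoever reads the log."""
    marker = "Authorization: "
    idx = line.find(marker)
    if idx < 0:
        return None
    parsed = parse_basic_header(line[idx + len(marker):])
    return parsed[1] if parsed else None


if __name__ == "__main__":
    header = build_basic_header("alice", "s3cret")
    print(header)                              # Basic YWxpY2U6czNjcmV0
    print(parse_basic_header(header))          # ('alice', 's3cret')
    print(password_from_log_line(SAMPLE_LOG_LINE))
```

The header is identical on every request, so any place it is captured or logged yields the password in full; this is why Basic Authentication is only acceptable over HTTPS and why access logs should never record the Authorization header.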
Botnet
A large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack.
Business Continuity Plan (BCP)
The plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
Business Impact Analysis (BIA)
An analysis that determines what levels of impact to a system are tolerable.

C

Card Processing Environment
The area of computer systems and networks that possess cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the card processing environment.
Cardholder
Customer to whom a card is issued or individual authorized to use the card.
Cardholder Data
Any personally identifiable data associated with the cardholder, to include primary account number, cardholder name, expiration date, service code, address, social security number, card service verification code, or any other data stored on the magnetic stripe of the payment card.
Checksum
A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data.
Cipher
A cryptographic algorithm for encryption and decryption.
Ciphertext
The encrypted form of a message being sent.
Confidentiality
Confidentiality is the need to ensure that information is disclosed only to those who are authorized to view it.
Configuration Control Board (CCB)
A group of qualified people with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
Cookie
Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections.

D

Data Aggregation
The ability to get a more complete picture of the information by analyzing several different types of records at once.
Data Custodian
The entity currently using or manipulating the data, and therefore, temporarily taking responsibility for the data.
Data Steward (Owner)
The entity having responsibility and authority for the data.
Data User
A person, organization entity, or automated process that accesses a system, whether authorized to do so or not.
Data Warehousing
The consolidation of several previously independent databases into one location.
Denial of Service
The prevention of authorized access to a system resource or the delaying of system operations and functions.
Dictionary Attack
An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.
Disaster Recovery Plan (DRP)
A plan for the process of recovery of IT systems in the event of a disruption or disaster.
Due Care
Ensures that a minimal level of protection is in place in accordance with the best practice in the industry.
Due Diligence
The requirement that organizations must develop and deploy a protection plan to prevent fraud and abuse, and additionally deploy a means to detect them if they occur.
Dumpster Diving
The process of obtaining passwords and corporate directories by searching through discarded media.

E

Encryption
Cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used.
Event
Any observable occurrence in a system or network.
Exposure
A threat action whereby sensitive data is directly released to an unauthorized entity.

F

FERPA
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.
File Transfer Protocol (FTP)
A TCP/IP protocol specifying the transfer of text or binary files across the network.
FIPS
Federal Information Processing Standard
Firewall
A logical or physical discontinuity in a network to prevent unauthorized access to data or resources.
FISMA
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Flooding
An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly.

G

Gateway
A network point that acts as an entrance to another network.
GLBA
The Gramm-Leach-Bliley Act (GLBA) requires companies that offer consumers financial products or services like loans, financial or investment advice, or insurance to explain their information-sharing practices to their customers and to safeguard sensitive data. Colleges and universities are also subject to some of the provisions of GLBA because they collect and maintain financial information about their students and others with whom they interact.

H

Hardening
The process of identifying and fixing vulnerabilities on a system.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information.
HTML (Hypertext Markup Language)
The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.
HTTP (Hypertext Transfer Protocol)
The protocol in the Internet Protocol (IP) family used to transport hypertext documents across an internet.
HTTPS
When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually referred to as SSL. Note: although commonly called SSL, the current standard is TLS 1.2.
Hyperlink
In hypertext or hypermedia, an information object (such as a word, a phrase, or an image; usually highlighted by color or underscoring) that points (indicates how to connect) to related information that is located elsewhere and can be retrieved by activating the link.

I

Identity
The name by which something is known.
Incident
An adverse network event in an information system or network, or the threat of the occurrence of such an event.
Incident Handling
An action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is comprised of a six step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Information
Any communication or representation of knowledge, such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security (department)
Encompasses both the UAB Enterprise Information Security Office (EISO) and the UAB Health System Information Security (HSIS) Office. Depending on the operating environment of the UAB PCI Entity, Entities are required to report to one of the two Information Security Offices for evaluation and approval for the implementation and maintenance of their payment card processing environments.
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information System Security Officer (ISSO)
Individual who is assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
Integrity
The need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.
Internet Protocol (IP)
The method or protocol by which data is sent from one computer to another on the Internet.
Internet Protocol Security (IPsec)
A developing standard for security at the network or packet processing layer of network communication.
Internet Standard
A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet.
Intrusion Detection
A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
IP Address
A computer's inter-network address that is assigned for use by the Internet Protocol and other protocols. An IP version 4 address is written as a series of four 8-bit numbers separated by periods.
IP Flood
A denial of service attack that sends a host more echo request ("ping") packets than the protocol implementation can handle.
IP Forwarding
IP forwarding is an operating system option that allows a host to act as a router. A system that has more than one network interface card must have IP forwarding turned on in order to act as a router.
IP Spoofing
The technique of supplying a false IP address.
IT-SP
Information Technology Security Plan; see System Security Plan

L

Least Privilege
The principle of allowing users or applications the least amount of permissions necessary to perform their intended function.

M

MAC Address
A physical address; a numeric value that uniquely identifies that network device from every other device on the planet.
Magnetic Stripe Data (Track Data)
Data encoded in the magnetic stripe used for authentication during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Only the PAN, expiration date, name, and service code may be retained if needed for business purposes.
Malicious Code
Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
Malware
A generic term for a number of different types of malicious code.
Merchants
Authorized acceptors of payment cards for the purchase of goods, services, or information.
Multi-factor Authentication
Authentication that requires users to produce multiple credentials to access a system. Credentials consist of something the user knows (UserID, Password), something the user has in their possession (smartcard, hardware token), or something the user is (biometric characteristic). To access a system, the user must produce at least two of the three credentials.

N

Network Address Translation (NAT)
NAT is used to share one or a small number of publicly routable IP addresses among a larger number of hosts. The hosts are assigned private IP addresses, which are then "translated" into one of the publicly routed IP addresses. Typically home or small business networks use NAT to share a single DSL or cable modem IP address. However, in some cases NAT is used for servers as an additional layer of protection.
National Institute of Standards and Technology (NIST)
A unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
Netmask
A 32-bit number indicating the range of IP addresses residing on a single IP network/subnet/supernet. Network masks are sometimes written as hexadecimal numbers; for example, the network mask for a class C IP network is written as 0xffffff00. The same mask is often shown elsewhere in the literature as 255.255.255.0.
Network Address Translation
The translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside.
Network Mapping
The compilation of an electronic inventory of the systems and the services on your network.
Network members
Acceptors of payment cards for the purchase of goods, services, or information that have been granted direct authorization to perform payment card transactions by the major credit card companies. Generally these include banking and financial institutions.
Payment Application Data Security Standards (PA-DSS)
The Payment Card Industry Security Standards Council program established to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and to ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.
Non-Repudiation
Non-repudiation is the ability for a system to prove that a specific user and only that specific user sent a message and that it hasn't been modified.

O

One-Way Encryption
Irreversible transformation of plaintext to cipher text, such that the plaintext cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known.
One-Way Function
A (mathematical) function whose output is easy to compute from a given input, but for which, given only the output value, it is impossible (except by a brute-force attack) to determine the input value.

P

Packet
A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.
Packet Switched Network
A network where individual packets each follow their own paths through the network from one endpoint to another.
Partitions
Major divisions of the total physical hard disk space.
Password Authentication Protocol (PAP)
A simple, weak authentication mechanism where a user enters the password and it is then sent across the network, usually in the clear.
Password Cracking
The process of attempting to guess passwords, given the password file information.
Password Sniffing
Passive wiretapping, usually on a local area network, to gain knowledge of passwords.
Patch
A small update released by a software manufacturer to fix bugs in an existing program.
Patching
The process of updating software to a different version.
Payload
The actual application data a packet contains.
Payment Card Industry Data Security Standards (PCI DSS)
A multifaceted set of comprehensive requirements and security standards developed to enhance payment account data security, security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
PCI Entity
Any UAB department, office, section, or affiliated association or group that has been approved to accept, process, transmit, or store credit card transactional or cardholder data as a member, merchant, or service provider operating on behalf of UAB, or in use of the UAB brand name.
Penetration
Gaining unauthorized logical access to sensitive data by circumventing a system's protections.
Penetration Testing
Security-oriented probing of computer systems or networks to seek out vulnerabilities that an attacker could exploit. Beyond probing for vulnerabilities, this testing may involve actual penetration attempts. The objective of a penetration test is to detect and identify vulnerabilities and suggest security improvements.
Permutation
Permutation keeps the same letters but changes the position within a text to scramble the message.
Personal Firewalls
Firewalls that are installed and run on individual computers.
Pharming
This is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.140) of the website. By changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.
Protected health information (PHI)
Under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Phishing
The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website look like they are part of a bank the user is doing business with.
Personally Identifiable Information (PII)
Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
Ping of Death
An attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of overflowing the input buffers of the destination machine and causing it to crash.
Ping Scan
A ping scan looks for machines that are responding to ICMP Echo Requests.
Ping Sweep
An attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.
Plaintext
Ordinary readable text before being encrypted into ciphertext or after being decrypted.
Plan of Action & Milestones (POA&M)
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Port
An integer that uniquely identifies an endpoint of a communication stream. Only one process per machine can listen on the same port number.
Port Scan
A series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides. Port scanning, a favorite approach of computer crackers, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.
Proprietary Information
Any information unique to a company and its ability to compete, such as customer lists, technical data, product costs, and trade secrets.
Protocol
A formal specification for communicating; the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection.
Public Key / Public Key Encryption
The publicly-disclosed component of a pair of cryptographic keys used for asymmetric cryptography.
Public Key Infrastructure (PKI)
A PKI (public key infrastructure) enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificate.

R

Reconnaissance
The phase of an attack where an attacker finds new systems, maps out networks, and probes for specific, exploitable vulnerabilities.
Registry
In Windows operating systems, the central set of settings and information required to run the Windows computer.
Risk
The product of the level of threat with the level of vulnerability. It establishes the likelihood of a successful attack.
Risk Assessment (RA)
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Risk Averse
Avoiding risk even if this leads to the loss of opportunity. For example, using a (more expensive) phone call vs. sending an e-mail in order to avoid risks associated with e-mail may be considered "Risk Averse".
Risk Management
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.
Risk Management Framework (RMF)
A six-step process created by the National Institute of Standards and Technology, detailed in NIST Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems.
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Root
The administrator account in Unix systems.
Rootkit
A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.
Router
Routers interconnect logical networks by forwarding information to other networks based upon IP addresses.

S

Safety
The need to ensure that the people involved with the company, including employees, customers, and visitors, are protected from harm.
Secure Shell (SSH)
A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
Security Assessment Report (SAR)
This deliverable is one of three key documents in the security authorization package developed for authorizing officials. The assessment report includes information from the assessor/auditor that is necessary to determine the effectiveness of the security controls employed within or inherited by the information system based upon the assessor’s findings.
Security Control
A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
Security Policy
A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
Senior Management
Persons in the positions of dean, chair, or division or program director, or persons specifically designated by a dean, chair, or division or program director, that make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.
Sensitive Information
Sensitive information, as defined by the federal government, is any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.
Separation of Duties
The practice of dividing steps in a function among different individuals to keep a single individual from being able to subvert established processes.
Server
A system entity that provides a service in response to requests from other system entities called clients.
Session
A session is a virtual connection between two hosts by which network traffic is passed.
Session Hijacking
Take over a session that someone else has established.
Sniffer
A tool that monitors network traffic as it is received on a network interface.
Sniffing
A synonym for "passive wiretapping."
Sensitive Areas
Any data center, server room, or area that houses systems that store, process, or transmit cardholder data. This excludes areas where only point-of-sale terminals are present, such as cashier areas in a campus retail store.
Sensitive Authentication Data
Security-related information that includes Card Validation Codes/Values, complete track data, PIN numbers and PIN blocks used to authenticate cardholders. Disclosure, modification, or destruction of this information could compromise the security of a cryptographic device or information system, or cardholder information could be used in a fraudulent transaction.
Service Code
The three or four-digit number on the magnetic stripe of a payment card that specifies acceptance requirements and limitations for a magnetic stripe read transaction.
Service Providers
Any business entity that is not a payment card brand network member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data or cardholder information, or both. This includes companies that provide services to merchants, service providers, or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, intrusion detection systems and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
Social Engineering
A euphemism for non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.
Spam
E-mail that is unsolicited and irrelevant to University business sent out in large quantities.
Sub Network
A separately identifiable part of a larger network that typically represents a certain limited number of host computers, the hosts in a building or geographic area, or the hosts on an individual local area network.
Subnet Mask
A subnet mask (or number) is used to determine the number of bits used for the subnet and host portions of the address. The mask is a 32-bit value that uses one-bits for the network and subnet portions and zero-bits for the host portion.
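The Python below is an added example, not part of the UAB glossary; it illustrates both the Netmask entry (hexadecimal 0xffffff00 versus dotted 255.255.255.0) and this Subnet Mask entry (one-bits for the network portion, zero-bits for the host portion). All function names are assumptions for the example, and the addresses used are constructed from the 192.0.2.0/24 documentation range.

```python
import ipaddress

MASK_BITS = 0xFFFFFFFF  # all 32 bits set


def mask_from_prefix(prefix_len: int) -> int:
    """Build a 32-bit mask with prefix_len leading one-bits (network and
    subnet portion) followed by zero-bits (host portion)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (MASK_BITS << (32 - prefix_len)) & MASK_BITS


def int_to_dotted(value: int) -> str:
    """Render a 32-bit integer in dotted-decimal notation, e.g. 255.255.255.0."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_int(dotted: str) -> int:
    """Parse dotted-decimal notation into a 32-bit integer, rejecting
    malformed input such as '256.1.1.1' or '1.2.3'."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | int(octet)
    return value


def is_valid_mask(mask: int) -> bool:
    """A mask must be contiguous: a run of ones followed by a run of zeros.
    Inverting it turns the host portion into trailing ones, and a number of
    the form 0b0..01..1 satisfies n & (n + 1) == 0."""
    if not 0 <= mask <= MASK_BITS:
        return False
    inverted = ~mask & MASK_BITS
    return (inverted & (inverted + 1)) == 0


def prefix_length(mask: int) -> int:
    """CIDR prefix length: the number of one-bits in a valid mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask:#010x}")
    return bin(mask).count("1")


def split_address(addr: str, mask: str) -> tuple:
    """Return (network portion, host portion) of addr under mask."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    return int_to_dotted(a & m), int_to_dotted(a & ~m & MASK_BITS)


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses share the network portion under mask,
    i.e. traffic between them needs no router."""
    m = dotted_to_int(mask)
    return (dotted_to_int(addr_a) & m) == (dotted_to_int(addr_b) & m)


def network_via_stdlib(addr: str, mask: str) -> str:
    """Cross-check the hand-rolled arithmetic with the ipaddress module."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False).network_address)


if __name__ == "__main__":
    class_c = mask_from_prefix(24)
    print(f"{class_c:#010x} == {int_to_dotted(class_c)}")   # 0xffffff00 == 255.255.255.0
    print(split_address("192.0.2.10", "255.255.255.0"))       # ('192.0.2.0', '0.0.0.10')
    print(same_subnet("192.0.2.10", "192.0.3.10", "255.255.255.0"))  # False
```

The contiguity check matters in practice: a mask such as 255.255.0.255 is numerically a valid 32-bit value but describes no real network or subnet boundary, and firewall or ACL rules built from it will not match what the author intended.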
Strong Cryptography
General term to indicate cryptography that is extremely resilient to cryptanalysis.
Switch
A networking device that keeps track of MAC addresses attached to each of its ports so that data is only transmitted on the ports that are the intended recipient of the data.
System Owner (SO)
The official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
System Security Officer (SSO)
A person responsible for enforcement or administration of the security policy that applies to the system.
System Security Plan (SSP)
Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
System-Specific Policy
A policy written for a specific system or device.

T

TCP/IP
A synonym for "Internet Protocol Suite," in which the Transmission Control Protocol and the Internet Protocol are important parts. TCP/IP is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an Intranet or an Extranet).
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Threat Assessment
A threat assessment is the identification of types of threats that an organization might be exposed to.
Threat Model
A tool used to describe a given threat and the harm it could do to a system if it has a vulnerability.
Threat Vector
The method a threat uses to get to the target.
Topology
The geometric arrangement of a computer system. Common topologies include a bus, star, and ring. The specific physical, i.e., real, or logical, i.e., virtual, arrangement of the elements of a network. Note 1: Two networks have the same topology if the connection configuration is the same, although the networks may differ in physical interconnections, distances between nodes, transmission rates, and/or signal types.
Transport Layer Security (TLS)
TLS and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.
Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Tunnel
A communication channel created in a computer network by encapsulating a communication protocol's data packets in (on top of) a second protocol that normally would be carried above, or at the same layer as, the first one. Most often, a tunnel is a logical point-to-point link - i.e., an OSI layer 2 connection - created by encapsulating the layer 2 protocol in a transport protocol (such as TCP), in a network or inter-network layer protocol (such as IP), or in another link layer protocol. Tunneling can move data between computers that use a protocol not supported by the network connecting them.

U

UAB Enterprise
The University of Alabama at Birmingham, the University of Alabama at Birmingham Health System, University Hospital, The Kirklin Clinic, the University of Alabama Health Services Foundation, the UAB Health Centers, the Ophthalmology Services Foundation, and Callahan Eye Foundation Hospital.
UDP Scan
Scans that attempt to determine which UDP ports are open. Because many UDP services answer only well-formed requests, a port that does not reply to a probe may be either open or filtered; a closed port is usually identified by an ICMP "port unreachable" reply, so UDP scans are slower and less conclusive than TCP scans.
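To make the open/filtered ambiguity concrete, here is an added example (not part of the original glossary) of a minimal UDP port probe written in Python. It creates its own loopback listeners, one that echoes and one that stays silent, so it runs offline; the helper names and the probe payload are this example's own choices. A connected UDP socket is used because the operating system then delivers the ICMP "port unreachable" error to the caller as a ConnectionRefusedError (Linux, macOS) or ConnectionResetError (Windows).

```python
import socket
import threading

# Added example: a UDP port probe run against loopback listeners created here.

_KEEP = []  # keeps silent listener sockets referenced so they stay bound


def start_udp_echo(host="127.0.0.1"):
    """Start a UDP service that answers every datagram; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))  # port 0: the kernel picks a free port

    def serve():
        while True:
            data, addr = srv.recvfrom(2048)
            srv.sendto(data, addr)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_udp_silent(host="127.0.0.1"):
    """Bind a UDP port but never reply: an open port that looks filtered."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    _KEEP.append(srv)
    return srv.getsockname()[1]


def pick_closed_port(host="127.0.0.1"):
    """Find a port with no listener by binding it and releasing it again."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def udp_probe(host, port, timeout=0.5):
    """Classify one UDP port the way a scanner does.

    'open'          - the service answered the probe
    'closed'        - the kernel reported an ICMP port-unreachable error
    'open|filtered' - no answer at all: a silent service or a firewall
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.connect((host, port))  # connected UDP socket: ICMP errors surface here
    try:
        sock.send(b"probe")  # constructed payload; real scanners send per-service probes
        sock.recv(2048)
        return "open"
    except (ConnectionRefusedError, ConnectionResetError):
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        sock.close()


if __name__ == "__main__":
    host = "127.0.0.1"
    for label, port in [("echo service", start_udp_echo(host)),
                        ("silent service", start_udp_silent(host)),
                        ("no listener", pick_closed_port(host))]:
        print(f"{label:15} port {port:5}: {udp_probe(host, port)}")
```

The silent listener is the important case: it is genuinely open, yet the probe cannot distinguish it from a firewalled port. That is why scanners such as nmap report "open|filtered" for UDP and rely on protocol-specific payloads to coax a reply.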
Uniform Resource Locator (URL)
The global address of a document or other resource on the World Wide Web. The first part of the address (the scheme) indicates which protocol to use, and the second part (the authority) specifies the domain name or IP address where the resource is located, followed by the path to the resource on that host. For example, http://www.pcwebopedia.com/index.html.
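Because the authority part may also carry user information before an "@", and because a hostname can be extended with extra labels, checking a URL by string prefix is a classic mistake. The following is an added example, not from the original glossary, that parses URLs with Python's standard urllib.parse and compares a prefix check with a parse-based allow-list check. The glossary's own example URL is used; the attacker-controlled URLs and the allow-list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Added example: URL parsing and host allow-listing with the standard library.


def describe_url(url):
    """Break a URL into the parts the glossary entry names, plus port and userinfo."""
    p = urlsplit(url)
    return {
        "scheme": p.scheme,      # which protocol to use
        "userinfo": p.username,  # optional user[:password] before '@'
        "host": p.hostname,      # where the resource is located (lowercased)
        "port": p.port,
        "path": p.path,
    }


def naive_allowed(url, allowed_host):
    """Common mistake: a prefix check on the raw string."""
    return (url.startswith("http://" + allowed_host)
            or url.startswith("https://" + allowed_host))


def allowed(url, allowed_hosts):
    """Correct check: parse first, then compare scheme and the actual host exactly."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and p.hostname in allowed_hosts


if __name__ == "__main__":
    allow = {"www.pcwebopedia.com"}
    samples = [
        "http://www.pcwebopedia.com/index.html",                   # from the glossary
        "http://www.pcwebopedia.com@attacker.example/index.html",  # constructed: userinfo trick
        "http://www.pcwebopedia.com.attacker.example/",            # constructed: lookalike host
        "javascript:alert(1)",                                     # constructed: wrong scheme
    ]
    for u in samples:
        d = describe_url(u)
        print(f"{u}\n  host={d['host']!r} userinfo={d['userinfo']!r}"
              f" naive={naive_allowed(u, 'www.pcwebopedia.com')} parsed={allowed(u, allow)}")
```

For the userinfo URL the real host is attacker.example and "www.pcwebopedia.com" is merely a username, which the prefix check never notices; the same parse-then-compare approach should be applied to any redirect target or webhook destination an application accepts.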
Unprotected Share
In Windows terminology, a "share" is a mechanism that allows a user to connect to file systems and printers on other systems. An "unprotected share" is one that allows anyone to connect to it.
User
A person, organization entity, or automated process that accesses a system, whether authorized to do so or not.

V

Verification Code
The three- or four-digit value printed on the front or back of a payment card: Card Validation Code CVC2 (Mastercard), Card Verification Value CVV2 (VISA), Card Member ID (Discover), or Card Identification Number CID (American Express). Card-brand rules (PCI DSS) prohibit storing this value after authorization, even in encrypted form.
Virtual Private Network (VPN)
A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network. For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls. A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
Virus
A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
Vulnerability
A weakness in a system, application, or network that is subject to exploitation or misuse.
Vulnerability Management
The process of identifying, prioritizing, and remediating (or formally accepting the risk of) vulnerabilities. Vulnerability scanning is one input to it; the process also covers risk acceptance, remediation tracking, and verification that fixes were applied.
Vulnerability Scan
Scans used to identify known vulnerabilities in operating systems, services, and devices that an attacker could use to target an organization's private network.

W

Web of Trust
The trust that evolves as a user comes to trust others' signatures, and in turn the signatures that those signers trust; the decentralized certification model used by PGP and GnuPG, in which a key is accepted as valid when enough trusted introducers have signed it rather than because a central authority issued it.
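The rule that turns "I trust these signers" into "this key is valid" is worth seeing in code. The following is an added example, not from this glossary or from GnuPG's source, that implements a PGP-style key-validity computation modelled on GnuPG's default thresholds (one fully trusted introducer or three marginally trusted ones, certification depth at most five). The key names, signatures, and trust assignments are constructed, and the function name is this example's own.

```python
from collections import defaultdict

# Added example: key validity in a PGP-style web of trust, using GnuPG's
# default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5).

FULL, MARGINAL = "full", "marginal"


def key_validity(own_key, owner_trust, signatures,
                 completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return the set of keys believed to belong to their claimed owners.

    own_key:     the user's own key, valid and ultimately trusted by definition
    owner_trust: {key: FULL | MARGINAL}, trust the user assigns to other owners
    signatures:  iterable of (signer, signee) certifications
    """
    signers_of = defaultdict(set)
    for signer, signee in signatures:
        signers_of[signee].add(signer)

    valid = {own_key}
    for _depth in range(max_cert_depth):  # each pass adds one more hop of introducers
        newly_valid = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # A signature counts only if the signer's own key is already valid,
            # and it counts with the trust level assigned to that signer.
            full = sum(1 for s in signers
                       if s in valid and (s == own_key or owner_trust.get(s) == FULL))
            marginal = sum(1 for s in signers
                           if s in valid and s != own_key
                           and owner_trust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed sample keyring: (signer, signee) pairs.
SAMPLE_SIGNATURES = {
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
    ("bob", "frank"),                                   # one fully trusted signer
    ("carol", "grace"), ("dave", "grace"),              # only two marginal signers
    ("carol", "heidi"), ("dave", "heidi"), ("erin", "heidi"),  # three marginal signers
    ("frank", "ivan"),                                  # valid key, but no owner trust
    ("mallory", "mallory"), ("mallory", "bob"),         # self-signed stranger
}

# Constructed trust assignments made by alice, the keyring owner.
SAMPLE_OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}


if __name__ == "__main__":
    valid = key_validity("alice", SAMPLE_OWNER_TRUST, SAMPLE_SIGNATURES)
    print("valid keys:", sorted(valid))
```

Two outcomes in the sample show the distinction that trips people up: frank's key is valid (bob, fully trusted, signed it) but alice never assigned frank any owner trust, so frank's signature on ivan is worthless; and grace has two marginal introducers, one short of the threshold. Validity of a key and trust in its owner as an introducer are separate decisions.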
Web Server
A software process that runs on a host computer connected to the Internet to respond to HTTP requests for documents from client web browsers.
Wiretapping
The monitoring and recording of data that is flowing between two points in a communication system.
World Wide Web ("the Web", WWW, W3)
The global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms.
Worm
A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

Z

Zero Day
"Day Zero" or "Zero Day" is the day a new vulnerability becomes known. A "zero-day" exploit often refers to an exploit for which no patch is yet available ("day one" being the day the patch is released).
Zero-day attack
A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.