Principles of Information Security 5th Edition Chapter 2


distributed denial-of-service (DDoS) attack

A DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.

cross-site scripting (XSS)

A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.

integer bug

A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.

service level agreement (SLA)

A document or part of a document that specifies the expected level of service from a service provider.

TCP hijacking

A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.

pretexting

A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information.

phishing

A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.

advance-fee fraud (AFF)

A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.

man-in-the-middle

A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.

script kiddie

A hacker of limited skill who uses expertly written software to attack a system.

cyberterrorist

A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.

professional hacker

A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.

cracker

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.

phreaker

A hacker who manipulates the public telephone system to make free calls or disrupt services.

hacktivist

A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

expert hacker

A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.

brownout

A long-term decrease in electrical power availability.

surge

A long-term increase in electrical power availability.

blackout

A long-term interruption (outage) in electrical power availability.

Trojan horse

A malware program that hides its true nature and reveals its designed behavior only when activated.

virus hoax

A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.

threat agent

A person or other entity that may cause a loss in an asset's value.

hacker

A person who accesses systems and information without authorization and often illegally.

threat

A potential risk of an asset's loss of value.

vulnerability

A potential weakness in an asset or its defensive control system(s).

novice hacker

A relatively unskilled hacker who uses the work of expert hackers to perform attacks.

packet monkey

A script kiddie who uses automated exploits to engage in denial-of-service attacks.

sag

A short-term decrease in electrical power availability.

spike

A short-term increase in electrical power availability, also known as a swell.

fault

A short-term interruption in electrical power availability.

packet sniffer

A software program or hardware appliance that can intercept, copy, and interpret network traffic.

database security

A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.

rainbow table

A table of hash values and their corresponding plain text values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.

spoofing

A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

virus

A type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors.

worm

A type of malware that is capable of activation and replication without being attached to an existing program.

boot virus

A type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.

macro virus

A type of virus written in a specific macro language to target applications that use the language.

dictionary password attack

A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.

memory-resident virus

A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.

non-memory-resident virus

A virus that terminates after it has been activated, infected its host system, and replicated itself.

exploit

A vulnerability that can be used to cause a loss to an asset.

buffer overrun (or buffer overflow)

An application error that occurs when more data is sent to a program buffer than it is designed to handle.

command injection

An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

mail bomb

An attack designed to overwhelm the receiver with excessive quantities of e-mail.

denial-of-service (DoS) attack

An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.

brute force password attack

An attempt to guess a password by attempting every possible combination of characters and numbers in it.

bot

An automated software program that executes certain commands when it receives a specific input.

10.3 password rule

An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.

penetration tester

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.

availability disruption

An interruption in service, usually from a service provider, which causes an adverse event within an organization.

attack

An ongoing act against an asset that could result in a loss of its value.

spear phishing

Any highly targeted phishing attack.

spyware

Any technology that aids in gathering information about people or organizations without their knowledge.

cracking

Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.

data security

Commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states: at rest (in storage), in processing, and in transmission (over a network).

malware

Computer software specifically designed to perform malicious or unwanted actions.

information

Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.

rooting

Escalating privileges to gain administrator-level control over a computer system. Typically associated with Android OS smartphones.

jailbreaking

Escalating privileges to gain administrator-level control over a smartphone operating system.

cyberwarfare

Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.

data

Items of fact collected by an organization.

polymorphic threat

Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.

information extortion

The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information.

mean time to diagnose (MTTD)

The average amount of time a computer repair technician needs to determine the cause of a failure.

mean time to repair (MTTR)

The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.

mean time between failure (MTBF)

The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

mean time to failure (MTTF)

The average amount of time until the next hardware failure.

competitive intelligence

The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.

industrial espionage

The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.

intellectual property (IP)

The creation, ownership, and control of original ideas as well as the representation of those ideas.

shoulder surfing

The direct, covert observation of individual information or system use.

information asset

The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.

theft

The illegal taking of another's property, which can be physical, electronic, or intellectual.

Domain Name System (DNS) cache poisoning

The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate locations.

uptime

The percentage of time a particular service is available.

downtime

The percentage of time a particular service is not available.

social engineering

The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.

pharming

The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.

privilege escalation

The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.

trespass

Unauthorized entry into the real or virtual property of another party.

spam

Undesired e-mail, typically commercial advertising transmitted in bulk.

adware

Malware intended to provide undesired marketing and advertising, including popups and banners on a user's screen.

noise

The presence of additional and disruptive signals in network communications or electrical power delivery.

software piracy

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
