Looking for the definition of an information or IT security term? Browse through or search our vocabulary of key security expressions from «Access Control» to «Zero Day».

Index

A

Access Control

Access control deals with the means to ensure that access to assets is authorized and restricted based on business and security requirements (ISO/IEC 27000). In ISO/IEC 27002 topics like user access management (access to information systems) as well as password, clean desk and clear screen policies are covered by access control.

Advanced Mail Tests

Advanced mail tests review the email infrastructure with regard to the effectiveness of the filters in use, such as antivirus and antispam filters, as well as the handling of uncommon file extensions.

Advanced Persistent Threat (APT)

An Advanced Persistent Threat (APT) is a cyber attack directed at businesses or political targets. It is usually launched by a group, such as a government, with both the means and the intent to persistently target a specific entity. A great deal of effort is usually invested to make the attack succeed, to remain undetected and to retain control over the compromised systems. An example of an APT is the Stuxnet worm, which targeted Iran's nuclear centrifuges.

Adware

Adware is software that displays advertisements next to its main functionality. The advertisements are often used for financing the software.

Anomaly

In the OSSTMM (Open Source Security Testing Methodology Manual), a de-facto standard for security tests, an anomaly is the least serious security hole (of a total of five) in the respective risk categorization. It is an unknown factor in the system which the tester could not identify with the available information within the given time frame (example: an unexpected response from a router).

Application Security Audit

An application security audit is an intensive, technical, unprivileged and privileged security test of an application and its associated components with a high percentage of manual testing and verification. Since unprivileged and privileged tests will be carried out, both the perspective of an outsider (e.g. hacker) and an insider are covered.

Attack Vector

An attack vector is the main path or means by which an attack reaches its target. Several classifications of attack vectors exist; commonly listed categories are buffer overflows, denial-of-service, password attacks, physical attacks, viruses, worms, etc.

Authentication

Authentication is the process of confirming the correctness of a claimed identity (SANS Institute).

Authorization

Authorization is the approval, permission, or empowerment for someone or something to do something (SANS Institute).

Availability

The property of information assets to be accessible and usable upon demand by an authorized entity (ISO/IEC 27000). The availability of information relies for example on backup and incident management processes.

B

Backdoor

A backdoor refers to a piece of software (often added by the developer) which enables the user to access the computer or a protected function of a program while bypassing the normal access restrictions. An example is software (often installed covertly by a Trojan) that allows remote access to the computer system.

Black Box (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. Using the black-box approach, the testers do not have any knowledge about the systems to be tested prior to the audit. The objective is to assess vulnerabilities and to exploit them, simulating the perspective of a hacker who starts from scratch. This view reflects the definition of the BSI (M 5.150). In contrast, the OSSTMM equates the black-box test with a "double blind" test.

Black Hat (Test Type)

According to NIST SP 800-115, during a black hat test (or covert security test) the IT staff of the systems in scope are not informed about the tests (as opposed to a white hat test), but only upper management (or other relevant parties). This type of test is used for examining IT staff response to security incidents.

Blind (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. The OSSTMM defines blind as the audit type where the testers do not have any knowledge about the systems to be tested prior to the audit, whereas the administrators of the tested systems are fully aware of the security audit.

Brute-Force Attack

A brute-force attack is a long-established attack on username/password authentication in which all possible character combinations are tried in order to guess a password. This is usually very time-consuming and produces suspicious system behavior, which can easily be detected. A refinement of the brute-force attack is the dictionary attack: instead of trying all character strings, only a specific set of words from a dictionary is tried. This may considerably reduce the time needed to crack a password, but it may also result in the password not being found.
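As an added illustration of the detection point above (example code written for this glossary, not taken from the page or from any product or tool): a sliding-window counter over sshd-style authentication log lines that flags a source address once it produces a threshold of failed logins within a short window. The log lines are constructed sample data, and the threshold and window values are assumptions, not recommended settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.10 port 50210 ssh2
2024-03-01T10:00:02 sshd[101]: Failed password for alice from 203.0.113.10 port 50211 ssh2
2024-03-01T10:00:02 sshd[101]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2024-03-01T10:00:03 sshd[101]: Failed password for alice from 203.0.113.10 port 50212 ssh2
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.10 port 50213 ssh2
2024-03-01T10:00:05 sshd[101]: Failed password for root from 203.0.113.10 port 50214 ssh2
2024-03-01T10:00:09 sshd[101]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
2024-03-01T10:05:00 sshd[101]: Failed password for carol from 198.51.100.7 port 40003 ssh2
"""

# Field layout of the constructed lines; a real deployment would match its own log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source addresses with at least `threshold` failed logins inside any
    span of `window_seconds`. Returns {src: {"first", "last", "attempts", "users"}}.

    A deque per source keeps only the failures still inside the window, so the
    memory used is bounded by the failure rate rather than by the log size.
    The set of user names seen in the window distinguishes a classic brute force
    (one account, many guesses) from password spraying (many accounts, one
    source); both are caught by the same counter.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) within window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "Failed":
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        src = m.group("src")
        q = recent[src]
        q.append((ts, m.group("user")))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {
                "first": q[0][0],
                "last": ts,
                "attempts": len(q),
                "users": sorted({user for _, user in q}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failed logins between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, users {info['users']}")
```

On the sample data only 203.0.113.10 is reported: five failures in four seconds across three accounts. The second source produces two failures five minutes apart, which stays below the threshold unless the window is widened; tuning these two values against the normal failure rate of the environment is what keeps the alert useful.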

BSI-Grundschutz

BSI-Grundschutz, released by the German "Bundesamt für Sicherheit in der Informationstechnik (BSI)", is a collection of recommendations for information security and is compatible with the ISO 2700x series. Available standards are: BSI-Standard 200-1 (Information Security Management Systems (ISMS)), BSI-Standard 200-2 (IT-Grundschutz Methodology), BSI-Standard 200-3 (Risk Management), BSI-Standard 100-4 (Business Continuity Management).

Buffer Overflow

A buffer overflow is caused by a coding error that lets a program write more data to a data structure in main memory (RAM), for example a buffer for temporary data storage, than it was meant to hold. The extra data can overwrite adjacent data structures and cause unwanted changes in the memory content or in the program flow. Buffer overflow problems usually occur only in programs written in programming languages with direct memory access (e.g. C). A related issue is the buffer over-read, where more data can be read than intended and internal information of the program thus becomes visible. An example of this variant is the so-called Heartbleed bug in OpenSSL.

C

Code Injection

A code injection vulnerability allows program code to be injected into an application, which then incorporates and executes it. Depending on the type of vulnerability, an attacker may manipulate the behavior of the application by injecting program code, which may lead to a complete takeover of the system. Code injection is one of the most extensive and multi-faceted topics in the field of web security and comes in many forms: SQL injection, web script injection, OS command injection, SOAP injection, JSON injection, XPath injection, etc.

Concern

In the OSSTMM (Open Source Security Testing Methodology Manual), a de-facto standard for security tests, a concern is the third most serious security hole (of a total of five) in the respective risk categorization. A concern is no direct threat, but an issue that is not in compliance with best practices (for example active, unnecessary network services).

Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (ISO/IEC 27000). To protect the confidentiality of information, access authorization or data encryption may be implemented.

Configuration Review

A review of the configuration of a given object with the objective of identifying potential for improvement with regard to hardening as well as uncovering vulnerabilities.

Cookie

A cookie is a small text file which is stored on the local computer by a web server and which contains data about the user's browsing habits (e.g. language settings or items in a shopping cart). Cookies thus help to improve the user experience, but may also track behavior and pass information on to third-party websites without the user's consent. Session-relevant information is also often stored in cookies, which may be exploited by hackers in attacks such as session hijacking.

Crimeware

Malicious software, typically used by criminal organizations, that is designed to commit crimes for financial gain.

CRLF Injection

CRLF injection is a specific way of injecting malicious code into an application. The main element of the attack is to inject "Carriage Return" (CR) and/or "Line Feed" (LF) characters into any kind of output. This injection is possible if a targeted application does not properly sanitize and neutralize all user-supplied data. One example of such an attack is "HTTP response splitting".

Cross-Site Request Forgery (CSRF)

This is a type of attack on a web application that does not properly check that requests are legitimate. An attacker can secretly execute actions in the name of a user by making the user visit a specially crafted page.

Cross-Site Scripting (XSS)

Cross-site scripting is a type of vulnerability which enables an attacker to inject a script into a web page. The script is indistinguishable from the other contents of the page and is therefore executed by the browser like any other script on the page. There are three different types of XSS vulnerabilities: reflected, persistent and DOM-based XSS.

Cyber Security

Cyber security (or IT security) deals with measures (organizational, technical, strategic, etc.) which help protect IT systems from damage or unauthorized access. Cyber security includes the security of devices (such as computers or smartphones), as well as applications and networks. Information security is an umbrella term which includes cyber security.

Cyber War

Cyber war, often also referred to as cyber warfare, covers all actions by a nation or organization to attack and penetrate another nation's or organization's systems or information networks. Commonly used techniques to achieve this are denial-of-service attacks or remotely controlled malware.

Cyber Warfare

See Cyber War

D

Demilitarized Zone (DMZ)

A DMZ is a computer network which exposes company services to another network, e.g. the internet. The hosts in the DMZ often have access to resources in the company's internal network. However, they are separated by one or several firewalls to protect the company's resources. The purpose of this is to offer services while protecting the internal resources as well as possible.

Denial-of-Service Attack

This attack is an attempt to render a website, computer, or network resource unavailable. This often happens by overloading the capacity of the target.

Dictionary Attack

See Brute-Force Attack

Digital Forensics

See IT Forensics

Document Object Model (DOM)

The DOM is a platform-independent interface for accessing the objects of a document, often a web page. The objects are held in a tree-like structure.

DOM-Based Cross-Site Scripting (DOM-Based XSS)

The DOM-based XSS vulnerability allows embedding JavaScript code in a website. However, it does not do this via the web application on the server as with reflected XSS and persistent XSS, but exploits an error in the JavaScript of the application. The vulnerability is called DOM-based because client-side JavaScript has access to the Document Object Model (DOM) of a website and may thus access the respective URL.

Double Blind (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. According to the OSSTMM, in a double-blind audit the testers do not have any knowledge about the systems to be tested prior to the audit and the administrators of the tested systems are unaware of the security audit. The double-blind test type is the most realistic approach, but not the most efficient.

E

E-Mail Spoofing

E-Mail Spoofing denotes the creation and sending of email messages with a forged sender address.

Enumeration

Before an attack it is necessary to gather as much information as possible about the target system. This step is also known as “enumeration process” or “application mapping”. The goal of enumeration is to get a concrete idea of the structure of the application in order to optimally exploit technical, architectural as well as logical properties of the application for an attack.

Ethical Hacking

Ethical hacking refers to targeted hacking on the basis of a clearly defined assignment from the client to exploit technical, organizational and conceptual flaws. Ethical hacking is a classical «proof of concept» security test with the objective to detect design-based security weaknesses like suboptimal trusts between systems, flaws in a zone concept, or employee misconduct. In contrast to a penetration test or application security audit, the search for vulnerabilities stops once a security flaw has been found which can be exploited to meet the objective. Thus, ethical hacking does not entail a comprehensive, systematic search for all technical vulnerabilities.

Exploit

An exploit is a chunk of code or similar data that abuses a software vulnerability to make the program deviate from its normal correct execution. An attacker may for example gain control over the software or make it crash.

Exposure

In the OSSTMM (Open Source Security Testing Methodology Manual), a de-facto standard for security tests, an exposure is the fourth most serious security hole (of a total of five) in the respective risk categorization. It deals with the divulgement of sensitive information; for example, internal IP addresses may be visible, which may give attackers information about the architecture of the internal network.

F

Final Report

The final report of an IT security audit contains all results of the project, including a management summary, a categorization of risks and recommended measures.

Firewall Rule Set Audit

An audit of the firewall rule set is an analysis of active and inactive firewall rules with the aim of identifying vulnerabilities and potential for improvement. The audit focuses, amongst others, on too broad, overlapping, insecure (e.g. using protocols such as telnet or FTP) and obsolete rules. In addition to this, firewall rule set processes (for example for the creation, modification and deletion of rules) may be reviewed.

Forensic Readiness

Technical and organizational preparations required to be optimally prepared for a forensic investigation of security incidents. Typical aspects are: Definition of the IT security organization (internal and external), logging type and depth, tool selection, training of involved staff and emergency drills.

Fraud Detection

Fraud detection involves the identification of risks using an internal control system. The goal is to recognize fraudulent activities.

G

Grey Box (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. The grey-box test type is usually the most popular approach for an IT security audit. The testers obtain partial information about the systems (e.g. the IP addresses) and the administrators are informed about the planned tests. This approach speeds up the audit by avoiding the waste of valuable project time.

H

Hardening

System hardening improves system security by reducing the attack surface. This can be achieved by removing unnecessary software, services and functionalities as well as by restricting user rights to a minimum.

HTML

HyperText Markup Language (HTML) is a markup language used to create web pages. It is one of the core technologies of the internet. HTML documents contain information for the user as well as instructions for the browser on how to display the information.

HTTP

HTTP stands for "Hypertext Transfer Protocol" and is the most widely used communication protocol in the WWW. It is a generic, stateless, clear-text protocol. It is a message-based protocol where a sender sends a request to a server which in turn replies with a response message. HTTP is specified in RFC2616.

HTTPS

The Hypertext Transfer Protocol Secure (HTTPS) uses TLS to allow authentication of the participating parties and protect the transmitted data against access and manipulation by third parties.

I

ICS (SCADA / DCS) Security Audit

ICS environments are for example used in the energy sector (power generation, pipelines, etc.), the waste management industry, in manufacturing, building automation and at airports. ICS is short for Industrial Control System, SCADA for Supervisory Control and Data Acquisition, DCS for Distributed Control System. A SCADA / DCS audit is an intensive, technical and/or conceptual, unprivileged and privileged security test of an ICS environment and its associated components.

Incident Response

Incident response is the reaction of an organization to an incident (see also security incident). Usually, this includes the correction of any damage which may have been caused as well as the definition and implementation of preventive measures to avoid that the same or a similar incident happens again.

Information Security

Information security deals with the preservation of confidentiality, integrity and availability of information. Additionally, other properties, such as authenticity, accountability, non-repudiation and reliability can also be covered (ISO/IEC 27000). Respective information can for example be available in electronic, printed or spoken form. IT security is a subcategory of information security.

Information Security Policy

The information security policy constitutes the highest level of all security policies. According to ISO/IEC 27000, a policy describes the "intentions and direction of an organization as formally expressed by its top management". The information security policy (according to ISO/IEC 27001) must support the purpose of the organization and should either include security objectives or provide a framework for establishing these objectives. Furthermore, it must make a commitment for the continual improvement of the ISMS (information security management system). According to the best practices of ISO/IEC 27002, the information security policy should define information security, describe principles for activities relating to information security and contain statements regarding the assignment of responsibilities as well as for handling deviations and exceptions.

Integrity

The property of information assets to be accurate (unaltered) and complete (ISO/IEC 27000). Data integrity checks, for example by checksum validation, may counteract intentional or unintentional corruption.

ISMS

The term "ISMS" is an abbreviation for "Information Security Management System" as described in ISO 27001. An ISMS, as any ISO Management System, is a framework which describes the set of steps required to meet the defined goals. It entails the respective objectives, roles and responsibilities, processes and procedures as well as related documentation.

ISO 27001

ISO 27001 is a standard of the International Organization for Standardization. It describes the requirements for an Information Security Management System (ISMS) and is comparable to other ISO management systems like ISO 9001 (quality management). ISO 27001 is the only standard of the ISO 2700X family for which a certification can be obtained. Annex A of the standard lists information security controls, which are further described in ISO 27002. ISO 27001 and ISO 27002 look at information security as a whole and do not only cover IT security, but also additional aspects such as physical security.

ISO 27002 Security Audit

An ISO 27002 security audit is a conceptual review based on the evaluation of questionnaires and/or interviews to determine the state of applicable controls of ISO 27002 (or Annex A of ISO 27001 respectively) with the aim of getting a 360 degree view on information security within an organization.

IT Forensics

IT forensics or digital forensics deals with the investigation and recovery of data on digital devices like computers, mobile phones, memory sticks, usually in the context of a criminal act, with the objective to identify and secure evidence (that could be used in court).

IT Security Roadmap

An IT security roadmap (or information security roadmap) defines a timetable and related IT security activities (or information security activities) to continually and sustainably increase security in the organization.

J

JavaScript

JavaScript is a programming language which is most frequently used to create scripts that run in the browser of the user. These scripts can generate and modify page contents, and extend interaction capabilities. Nowadays, JavaScript is sometimes also used on servers.

K

Kick-Off Meeting

The kick-off meeting is the initial meeting which marks the start of the IT security project and serves as a base to ensure that the audit is carried out successfully. In the kick-off meeting the project scope, schedule, organization and conditions, as well as the methodologies to be used will be discussed.

L

Least Privilege Principle

The Least Privilege Principle requires that a user, software component or other entity is only given the absolutely necessary rights to fulfill its purpose.

M

Malware

Malware is short for malicious software and denotes any kind of software that executes a function or exhibits a behavior which is not desired by the user. It is also an umbrella term for computer viruses, worms, adware and spyware.

Mobile App Penetration Test

A mobile app penetration test (also known as a mobile application security audit or mobile application penetration test) is an intensive, unprivileged and privileged manual search for vulnerabilities in the operating system, in the basic services and in the application on a mobile device. In a mobile app security audit, mobile applications for smartphones and tablets on various platforms such as Android, iOS, Windows Phone or BlackBerry OS are tested, among other things, against the «OWASP Mobile Top 10» (version 2014) vulnerabilities.

N

Network Design Review

In a network design review, the network architecture and design is examined on the basis of client documentation with the objective to identify design-based vulnerabilities.

Network Tracing

Network tracing refers to the analysis of the network traffic between two objects with the aim of detecting protocol-based and general vulnerabilities as well as potential for improvement.

Non-Repudiation

The ability to prove the occurrence of a claimed event or action and its originating entities (ISO/IEC 27000).

O

OSI Reference Model

The OSI reference model (Open Systems Interconnection model) defines seven layers, which divide the communication between two end points in a telecommunication network: Layer 7: Application Layer, Layer 6: Presentation Layer, Layer 5: Session Layer, Layer 4: Transport Layer, Layer 3: Network Layer, Layer 2: Data Link Layer and Layer 1: Physical Layer. When thinking about the security of an environment, all layers should be considered. Thus, physical security measures on layer 1 against threats such as equipment overheating may be as important as the countermeasures on the other layers.

OSINT

OSINT is an abbreviation for "open source intelligence" and is commonly used in the secret services. OSINT means to gather, find and systematically organize information using public sources such as search engines, newspapers, social media or other public data. The "open source" in the name is not related to open source software.

OSSTMM

The OSSTMM (Open Source Security Testing Methodology Manual) is a de-facto standard for security tests. It was developed by the Institute for Security and Open Methodologies (ISECOM) and is continually being reviewed and modified by industry experts. The standard is freely available and contains, amongst others, a security testing methodology for all channels (Human, Physical, Wireless, Telecommunications, and Data Networks) and the Rules of Engagement which specify ethical guidelines for security tests. Security gaps are categorized into the five categories Vulnerability, Weakness, Concern, Exposure and Anomaly according to their severity.

OWASP

The «Open Web Application Security Project» (OWASP) is an open community which has the mission to develop, acquire, operate and maintain trustworthy web applications (see also OWASP Top 10 and OWASP Mobile Top 10).

OWASP Mobile Top 10

The «OWASP Mobile Top 10» (version 2016) includes a list of the most critical vulnerabilities in mobile applications: Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, Insufficient Cryptography, Insecure Authorization, Poor Code Quality, Code Tampering, Reverse Engineering, Extraneous Functionality.

OWASP Top 10

The «OWASP Top 10» (version 2017) includes a list of the most critical vulnerabilities in web applications: Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring.

P

Partial Code Review

A partial code review is an analysis of programming code with the objective to detect design-based weaknesses, to identify vulnerabilities as well as to determine potential for improvement.

Patching

The deployment of a software patch which fixes a bug or another software problem, e.g. performance issues.

Path Traversal

Web applications often contain functions to read and write files. If these functions are buggy and an attacker can break out of the intended file directory this is called a "path traversal attack". Reading capabilities may allow an attacker to read critical data such as configuration files, passwords and databases. Write access may enable the creation or manipulation of web pages. In extreme cases system files could be overwritten.
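An added example (written for this glossary, not code from the page or from any particular product) of the check that closes the hole described above: the user-supplied file name is resolved against a fixed base directory and refused when the result leaves that directory. The base directory and file names used are assumptions.

```python
import os
from typing import Optional


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path for `user_path` inside `base_dir`, or None
    when the request would leave `base_dir`.

    os.path.realpath() collapses '..' segments and follows symlinks, so the
    check catches 'docs/../../etc/passwd' as well as a symlink planted inside
    base_dir that points outside it. Absolute user paths are refused because
    os.path.join() would otherwise discard base_dir entirely.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        return None
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Compare path components, not string prefixes: '/srv/files2/x' starts with
    # the string '/srv/files' but lies outside that directory.
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        inside = False  # different drives on Windows: certainly not inside
    return candidate if inside else None


def read_download(base_dir: str, user_path: str) -> Optional[bytes]:
    """What a download handler does with the check: it opens only resolved paths."""
    path = resolve_safe_path(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed requests against an assumed document root.
    for request in ["report.pdf", "docs/../report.pdf", "../../etc/passwd", "/etc/passwd"]:
        print(f"{request!r:24} -> {resolve_safe_path('/srv/files', request)}")
```

The same pattern applies to write operations: resolve first, then check containment, and only then open the file. Rejecting on the resolved path rather than on the raw string is what defeats encoded or doubled `..` segments and symlink tricks alike.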

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a data security standard of the card payment industry and is mandatory for all companies which manage payments with credit cards like Visa, MasterCard, American Express, etc. Amongst others, it is important for e-commerce providers which accept payments via credit card (online or by phone). Depending on the number of transactions with a specific card per year certain security requirements need to be fulfilled.

Penetration Test

A penetration test is an intensive, technical, usually unprivileged security test with a high percentage of manual testing and verification. In some cases privileged tests may be carried out when access information becomes available during the project.

Perfect Forward Secrecy (PFS)

To establish a secure communication channel, two parties often negotiate a new session key for each communication session. Long-term keys may be used to secure this establishment phase. PFS denotes the property of key-agreement protocols that generate a session key which remains secure even when the long-term keys are exposed. The Diffie–Hellman key exchange may be used for this purpose.

Persistent Cross-Site Scripting (Persistent XSS)

Persistent XSS vulnerabilities are very similar to reflected XSS vulnerabilities. Both execute an attacker's JavaScript in the context of a web application and thus allow access to information of the web application which is usually only available to the respective user. The difference between persistent XSS and reflected XSS is that the user no longer has to click on a crafted link to become the victim of an attack. Persistent XSS makes it possible to permanently store JavaScript code in a website. When a user visits the respective website, the JavaScript is embedded in the page and executed by the browser.

Phishing

Phishing is the attempt to trick a user into submitting sensitive information such as passwords or banking information or transferring money. Phishing is often carried out using spoofed emails.

Privileged Test

Test with knowledge of valid access information like user ID and password, etc.

Q

Quality Assurance / Review

The final report of an IT security project should be reviewed with a focus on plausibility, correctness and grammar in the sense of the four eyes principle in order to achieve a high level of quality.

R

Redirection Attack

A web application has a redirection weakness if it takes user input without sufficient sanitization to redirect the user to another resource. This kind of weakness does not harm the application itself. However, a phisher may use it to obscure the actual target of a link.
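As an added example of the "sufficient sanitization" the entry calls for (example code written for this glossary, not the page's own): a redirect-target validator that allows only site-local paths or absolute URLs to an allow-listed host, and falls back to a default page for everything else. The host name app.example.com and the default path are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = ("app.example.com",)  # assumption: the application's own host name(s)


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `next_url` if it stays on this site, otherwise `default`.

    Cases handled: empty input; control characters and whitespace (which some
    parsers silently strip); backslashes (browsers treat them as slashes);
    non-http(s) schemes; absolute URLs to foreign hosts, including look-alike
    hosts and userinfo tricks ('https://app.example.com@evil.example/');
    protocol-relative URLs ('//evil.example/'); and relative paths that do not
    start with '/'.
    """
    if not next_url:
        return default
    if any(ord(c) < 0x20 or c.isspace() for c in next_url) or "\\" in next_url:
        return default
    parts = urlsplit(next_url)
    if parts.scheme:
        # Absolute URL: only http(s), with a real authority, no userinfo, and a
        # host that is on the allow list (hostname is already lower-cased).
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return default
        if "@" in parts.netloc or (parts.hostname or "") not in allowed_hosts:
            return default
        return next_url
    if parts.netloc:
        return default  # protocol-relative '//host/...' would leave the site
    if not next_url.startswith("/"):
        return default  # keep only site-absolute paths
    return next_url


if __name__ == "__main__":
    # Constructed inputs a login form's "next" parameter might receive.
    for candidate in ["/account", "https://app.example.com/account", "https://evil.example/",
                      "//evil.example/", "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:44} -> {safe_redirect_target(candidate)!r}")
```

Where the application never needs to redirect off-site, dropping the absolute-URL branch entirely and accepting only site-absolute paths is simpler still and removes the allow list as a thing to maintain.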

Reflected Cross-Site Scripting (Reflected XSS)

A reflected XSS vulnerability shows up when the server takes the content of a received parameter and directly embeds it into the HTML code of the response. If an attacker injects HTML or JavaScript code into the parameter, this code will be included and executed in the returned page. This is very common in error messages, for example, where the “faulty” parameter is displayed again.
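Added example (not from the original page) covering this entry together with the general Cross-Site Scripting and Persistent XSS entries: the fix for the server-side variants is the same, encoding data for the HTML context it is written into. Shown here are a defective error-page renderer beside its encoded form, the attribute context, and the kind of probe a unit test or a tester uses to tell them apart. The page markup and the probe string are constructed.

```python
import html

# Harmless marker that contains the characters that matter in HTML; it is
# constructed for this example and carries no script.
PROBE = '<"xss-probe">'


def render_error_vulnerable(param: str) -> str:
    # Defective pattern from the entry: the received parameter is copied verbatim
    # into the HTML response, so markup contained in it becomes part of the page.
    return "<p>Unknown parameter: %s</p>" % param


def render_error_safe(param: str) -> str:
    # Encoding for the HTML text context: <, >, &, " and ' become entities, so the
    # browser renders the parameter as text and never as markup or script.
    return "<p>Unknown parameter: %s</p>" % html.escape(param, quote=True)


def render_search_box(value: str) -> str:
    # Attribute context: the value sits inside a double-quoted attribute, and
    # quote=True guarantees an embedded quote cannot close the attribute early.
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """True if the renderer reflects the probe with its metacharacters intact,
    i.e. its output is open to reflected XSS (or persistent XSS when the same
    renderer is fed stored data)."""
    return probe in render(probe)


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_error_vulnerable),
                     ("escaped", render_error_safe),
                     ("attribute", render_search_box)]:
        print(f"{name:10} reflects unescaped: {reflects_unescaped(fn)}")
```

Encoding has to match the context: what is safe inside an element's text is not automatically safe inside a JavaScript string or a URL, which is why templating engines that auto-escape per context are preferable to calling the escape function by hand at every output point.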

Reversal (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. The OSSTMM defines reversal as the audit type where the testers have full knowledge about the systems to be tested prior to the audit whereas the administrators of the tested systems are not aware of the security audit. The OSSTMM also refers to this type of test as Red Team exercise.

Reverse Engineering

Reverse engineering is the analysis of the security-related system behavior and functionality of a device or an executable application based on the black-box approach.

Risk Assessment Value (RAV)

The RAV is a measurement for the attack surface of an environment as defined by the OSSTMM (Open Source Security Testing Methodology Manual). It is a scale which describes the security level at a certain point in time (actual security). A RAV of 100 (also sometimes referred to as 100% RAV) reflects the perfect balance between protection and attack points. Anything less means too few controls and therefore a greater attack surface.

S

Secure Software Development

The security of software should be one of the primary goals during software development. Security is needed throughout the whole development process, as defects arise on various levels of the application and are not only found in the program code. Defects may be found in: architecture/design, application logic, program code, third-party libraries, deployment and configuration. For secure software development, guidelines should be established that cover key points such as input and output validation.

Security Incident

A security incident is any provoked or unprovoked incident that increases the threat towards information security, for example an intrusion detection system crashing or the recognition of attack patterns like port scans.

Security Scan

A security scan is an automated, technical, unprivileged security test with some manual verification of detected vulnerabilities.

Session Fixation

If a web application does not change the session token of a user when the user logs in, an attacker may use this property for a session fixation attack. The attacker tricks a victim into logging in with a session token known to the attacker. After the victim has logged in, the attacker may use the known token to take over the victim’s session. This is a form of session hijacking.
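Added example (not code from the page) of the property the entry describes and of the countermeasure: a minimal in-memory session store with a login routine that keeps the pre-login token (the defective behavior) beside one that issues a fresh token on authentication, so a token known before login never becomes an authenticated session. Token length and the store layout are assumptions.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal server-side session table: token -> session data."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG, so tokens cannot be guessed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None}
        return token

    def lookup(self, token: str) -> Optional[dict]:
        return self._sessions.get(token)

    def login_vulnerable(self, token: str, user: str) -> Optional[str]:
        # Defective: the session that existed before authentication is simply
        # upgraded. Whoever knew the token before login now holds a logged-in session.
        session = self._sessions.get(token)
        if session is None:
            return None
        session["user"] = user
        return token

    def login_safe(self, token: str, user: str) -> str:
        # Countermeasure: discard the pre-authentication session and bind the user
        # to a newly generated token that only the authenticating browser receives.
        self._sessions.pop(token, None)
        fresh = self.new_session()
        self._sessions[fresh]["user"] = user
        return fresh

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def fixation_succeeds(login) -> bool:
    """Replay the scenario from the entry against one of the login routines.

    A token is obtained before login, the victim authenticates with it, and the
    pre-login token is then presented again. Returns True if that token now
    resolves to the victim's authenticated session.
    """
    store = SessionStore()
    planted = store.new_session()      # token known before the victim logs in
    login(store, planted, "victim")    # victim authenticates using that token
    session = store.lookup(planted)    # the old token is presented again
    return session is not None and session["user"] == "victim"


if __name__ == "__main__":
    print("fixation works against login_vulnerable:", fixation_succeeds(SessionStore.login_vulnerable))
    print("fixation works against login_safe:      ", fixation_succeeds(SessionStore.login_safe))
```

The same regeneration should happen at every privilege change (login, re-authentication, role elevation), and the old token must be invalidated server-side rather than merely replaced in the cookie, as the store above does with `pop`.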

Session Hijacking

In a session hijacking attack an attacker takes over the session of a victim. The attacker then may access the data of the victim and issue commands in the victim’s name (also see session fixation).

Spyware

Spyware is software which spies on the user or his/her data. This is usually done without the knowledge or consent of the user. The information is either transferred to the producer or used to display more targeted ads.

SQL Injection

SQL injection is one of the earliest forms of code injection. It involves injecting SQL code into the application to manipulate database queries, in order to extract more information from the database or, if applicable, to selectively modify data records. A few years ago, SQL injection was the most frequent web application vulnerability of all. Increasing security awareness has made it less common, although many of today's countermeasures may also be overcome. The high impact of SQL injection has however not been reduced.
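As an added example (not from the original glossary), the following Python code builds a constructed in-memory SQLite table and contrasts a query assembled by string concatenation, where input becomes part of the statement, with a parameterised query, where input is only ever treated as a value. Function and table names are assumptions for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "secret-a"), ("bob", "secret-b")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so quotes and
    operators in the input change the meaning of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    """Hardened: the driver binds the input as a value; it can never alter
    the query structure, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print(lookup_concatenated(db, crafted))   # every row leaks: ['alice', 'bob']
    print(lookup_parameterized(db, crafted))  # no user has that literal name: []
```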

SSL

See TLS

T

Tandem (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. The OSSTMM defines tandem as the audit type where the testers have full knowledge about the systems to be tested prior to the audit and the administrators of the tested systems are fully aware of the security audit. The OSSTMM also refers to this type of test as crystal box.

Test Types

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. Often, a distinction is made between the following test types: White box, grey box, black box, white hat, black hat, blind, double blind, tandem and reversal.

Test Vector

Depending on the scenario, different test vectors will apply for technical security audits: Remote testing (for example via Internet into the DMZ or via 3G/WLAN connection to a mobile device), within the DMZ, in the LAN / WAN, via interfaces. Tests carried out in the LAN / WAN may be conducted on-site or via remote access.

Threat

A threat is a potential cause of an unwanted incident, which may result in harm to a system or organization (ISO/IEC 27000). Threats may be triggered by human beings (intentionally or unintentionally) or may be caused by environmental factors. They may include things like theft (e.g. information theft), eavesdropping, information leakage, earthquakes and flooding.

TLS

Transport Layer Security (TLS) is a hybrid cryptographic protocol that provides secure communication over the internet. Cryptographic methods ensure that the parties communicating with each other are who they claim to be and that the information exchanged cannot be read or manipulated by a third party. TLS provides a completely transparent communication channel for higher-level protocols; existing application logic requires only minimal changes to use secure communication this way. Examples of existing protocols which use TLS as a secure tunnel are HTTPS, POPS and IMAPS. Early versions of TLS were called Secure Sockets Layer (SSL), which is still widely used as a synonym for TLS.

Trojan

A Trojan is malicious software that executes functions not known to the user and conceals its true intent with functionality desired by the user. This could be a small game that deletes files in the background.

U

Unprivileged Test

Test without knowledge of valid access information like user ID and password, etc.

V

Virus

A virus is a form of malware that installs itself automatically on a system and spreads to (infects) other media.

VoIP Audit

A VoIP audit is an intensive, unprivileged and privileged manual search for vulnerabilities in a Voice over IP infrastructure in the operating system and application, as well as on the level of protocols.

Vulnerability

A vulnerability is a weakness of an asset or control that can be exploited by one or more threats (ISO 27000, see also threat). In the OSSTMM (Open Source Security Testing Methodology Manual), a de-facto standard for security tests, a vulnerability is the most serious category of a flaw or error (of a total of five). It relates to the security mechanism which allows for privileged access to a certain infrastructure (for example software being vulnerable to a buffer-overflow, denial-of-service or XSS attack).

W

War Driving

Wardriving denotes driving around in a vehicle searching for wireless (computer) networks. This information can be used for mapping purposes or to detect inadequately secured networks, break into them and abuse them.

Weakness

In the OSSTMM (Open Source Security Testing Methodology Manual), a de-facto standard for security tests, a weakness is the second most serious security hole (of a total of five) in the respective risk categorization. A weakness is a flaw or error in the platform upon which the security mechanism is built (for example if passwords are sent unencrypted over HTTP).

Web Application Security Audit

A web application security audit or web application penetration test evaluates the security level of internet banking systems, online shops, SharePoint platforms, VoIP solutions, etc. The system in scope will usually be examined according to the «OWASP Top 10» security flaws by means of an intensive, unprivileged and privileged manual search for vulnerabilities in the operating system, in the basic services and in the web application itself.

White Box (Test Type)

IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. The objective of the white-box test is to simulate an attack with insider information. The testers obtain all information of the systems to be audited in detail. This view reflects the definition of the BSI (M 5.150). In contrast, the OSSTMM equates the white-box test with a "double gray box" test (see also grey box).

White Hat (Test Type)

According to NIST SP 800-115, during a white hat test (or overt security test) the administrators of the systems in scope are informed about the tests (as opposed to a black hat test).

Windows Client Audit

A Windows client audit usually entails a privileged security audit of the client systems on the network, operating system and application level.

WLAN Audit

A WLAN audit is an intensive, unprivileged and privileged manual search for vulnerabilities in a WLAN network.

World Wide Web (WWW)

The World Wide Web is an information system of linked documents called web pages. The system is accessed over the Internet using a browser. The system contains various types of content including text, images, music and videos. The web was invented in 1989 by Tim Berners-Lee.

Worm

A worm is malicious software that can autonomously replicate itself and spread to other computers. Most often the spreading happens over a computer network.

X

XML

Extensible Markup Language (XML) is a markup language for encoding data in a human- and machine-readable way. Its aim was to create a simple, universal format which can be used to transfer data across the internet.

Z

Zero Day

A zero-day vulnerability is a software flaw for which no official patch has yet been released. The expression "zero day" refers to the time the developers have had to fix the flaw, once the vulnerability has become known.