Information Security Definitions

This glossary explains the meaning of key words and phrases that information technology (IT) and business professionals use when discussing IT security and related software products. You can find additional definitions by visiting WhatIs.com or using the search box below.

Search Definitions
  • O

    one-time pad

    In cryptography, a one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted by the receiver using a matching one-time pad and key.

  • one-time password (OTP)

    A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or login session.

  • one-time password token (OTP token)

    A one-time password token (OTP token) is a security hardware device or software program that is capable of producing a single-use password or PIN passcode.

  • online risk

    Online risk is the vulnerability of an organization's internal resources that arises from the organization using the Internet to conduct business.

  • Open Source Hardening Project

    The Open Source Hardening Project is an initiative of the United States Department of Homeland Security, created to improve the security of open source code. Because the infrastructure of the Internet, financial institutions and many other critcal systems in the U.S. run on open source software, the security of these applications is crucial... (Continued)

  • Open System Authentication (OSA)

    Open System Authentication (OSA) is a process by which a computer could gain access to a wireless network that uses the Wired Equivalent Privacy (WEP) protocol.

  • OpenAppID

    OpenAppID is an application-layer network security plugin for the open source intrusion detection system Snort.

  • Operation Phish Phry

    Operation Phish Phry is a cybercrime investigation carried out by the United States Federal Bureau of Investigation (FBI), the Los Angeles Electronic Crimes Task Force and Egyptian authorities.

  • operational risk

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.

  • OPSEC (operations security)

    OPSEC (operations security) is a security and risk management process and strategy that classifies information, then determines what is required to protect sensitive information and prevent it from getting into the wrong hands.

  • Oracle Critical Patch Update (Oracle CPU)

    The Oracle Critical Patch Update (CPU) is an ongoing series of regularly issued fixes for security flaws in products made by or maintained by software giant Oracle Corp.

  • orphan account

    An orphan account, also referred to as an orphaned account, is a user account that can provide access to corporate systems, services and applications but does not have a valid owner.

  • out-of-band authentication

    Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel along with the typical ID and password. Out-of-band authentication is often used in financial institutions and other organizations with high security requirements.

  • P

    PA-DSS (Payment Application Data Security Standard)

    Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.

  • PAN truncation (primary account number)

    PAN (primary account number) truncation is a technology that prevents most of the digits in a credit card, debit card or bank account number from appearing on printed receipts issued to customers... (Continued)

  • parameter tampering

    Parameter tampering is a type of web-based cyber attack in which certain parameters in a URL are changed without a user's authorization.

  • pass the hash attack

    A pass the hash attack is an exploit in which an attacker steals a hashed user credential and -- without cracking it -- reuses it to trick an authentication system into creating a new authenticated session on the same network.

  • passphrase

    A passphrase is a sentencelike string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack.

  • password

    A password is a string of characters used to verify the identity of a user during the authentication process.

  • password cracking

    Password cracking is the process of using an application program to identify an unknown or forgotten password to a computer or network resource.

  • password hardening

    Password hardening is any one of a variety of measures taken to make it more difficult for an intruder to circumvent the authentication process.

  • password salting

    Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them.

  • passwordless authentication

    Passwordless authentication is a verification process that determines whether someone is, in fact, who they say they are without requiring the person to manually enter a string of characters.

  • Patch Tuesday

    Patch Tuesday is the unofficial name of Microsoft's monthly scheduled release of security fixes for the Windows operating system (OS) and other Microsoft software.

  • payload (computing)

    In computing, a payload is the carrying capacity of a packet or other transmission data unit.

  • PCI assessment

    A PCI assessment is an audit of the 12 credit card transaction compliance requirements required by the Payment Card Industry Data Security Standard.

  • PCI DSS (Payment Card Industry Data Security Standard)

    The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

  • PCI DSS 12 requirements

    PCI DSS 12 requirements is a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).

  • PCI DSS 2.0

    PCI DSS 2.0 (Payment Card Industry Data Security Standard Version 2.0) is the second version of the Payment Card Industry Data Security Standard (PCI DSS).

  • PCI DSS 3.0

    PCI DSS 3.0 is the third major iteration of the Payment Card Industry Data Security Standard, a set of policies and procedures administered by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the security of electronic payment data and sensitive authentication data.

  • PCI DSS compliance (Payment Card Industry Data Security Standard compliance)

    Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.

  • PCI DSS merchant levels

    Merchant levels are used by the payment card industry (PCI) to determine risk levels and determine the appropriate level of security for their businesses. Specifically, merchant levels determine the amount of assessment and security validation that is required for the merchant to pass PCI DSS assessment.

  • PCI gap assessment

    A PCI gap assessment is the identification, analysis and documentation of areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI gap assessment is the first step for a merchant seeking to become PCI DSS-compliant.

  • PCI policy

    A PCI policy is a type of security policy that covers how an organization addresses the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS).

  • PCI QSA

    Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council to individuals it deems qualified to perform PCI assessments and consulting services

  • PCI Security Standards Council

    The PCI Security Standards Council is an organization created by the major credit card companies in an effort to better protect credit card holder data.

  • PEAP (Protected Extensible Authentication Protocol)

    PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

  • Pegasus malware

    Pegasus malware is spyware that can hack any iOS or Android device and steal a variety of data from the infected device, including text messages, emails, key logs, audio and information from installed applications, such as Facebook or Instagram.

  • pen testing (penetration testing)

    A penetration test, also called a pen test or ethical hacking, is a cybersecurity technique organizations use to identify, test and highlight vulnerabilities in their security posture.

  • personally identifiable information (PII)

    Personally identifiable information (PII) is any data that could potentially identify a specific individual.

  • pharming

    Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent websites without their knowledge or consent.

  • phishing

    Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels.

  • phlashing

    Phlashing is a permanent denial of service (PDoS) attack that exploits a vulnerability in network-based firmware updates. Such an attack is currently theoretical but if carried out could render the target device inoperable... (Continued)

  • phreak

    A phreak is someone who breaks into the telephone network illegally, typically to make free long-distance phone calls or to tap phone lines.

  • physical security

    Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution.

  • PKI (public key infrastructure)

    PKI (public key infrastructure) is the underlying framework that enables entities -- users and servers -- to securely exchange information using digital certificates.

  • plaintext

    In cryptography, plaintext is usually ordinary readable text before it is encrypted into ciphertext or after it is decrypted.

  • Plundervolt

    Plundervolt is a method of hacking that involves depriving an Intel chip of power so that processing errors occur.

  • polymorphic virus

    A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or 'morph,' making it difficult to detect with antimalware programs.

  • POODLE (Padding Oracle On Downgraded Legacy Encryption)

    POODLE (Padding Oracle On Downgraded Legacy Encryption) is a security flaw that can be exploited to conduct a man-in-the-middle attack that targets Web browser-based communication between clients and servers using Secure Sockets Layer (SSL) 3.0.

  • possession factor

    The possession factor, in a security context, is a category of user authentication credentials based on items that the user has with them, typically a hardware device such as a security token or a mobile phone used in conjunction with a software token.

  • post-quantum cryptography

    Post-quantum cryptography, also called quantum encryption, is the development of cryptographic systems for classical computers that are able to prevent attacks launched by quantum computers.

  • potentially unwanted program (PUP)

    A potentially unwanted program (PUP) is a program that may be unwanted, despite the possibility that users consented to download it.

  • Pretty Good Privacy (PGP)

    Pretty Good Privacy or PGP was a popular program used to encrypt and decrypt email over the internet, as well as authenticate messages with digital signatures and encrypted stored files.

  • principle of least privilege (POLP)

    The principle of least privilege (POLP) is a concept in computer security that limits users' access rights to only what are strictly required to do their jobs.

  • privacy impact assessment (PIA)

    A privacy impact assessment (PIA) is an analysis of how an individual's or groups of individuals' personally identifiable information is collected, used, shared and maintained by an organization.

  • private CA (private PKI)

    Private CA stands for private certification authority and is an enterprise specific CA that functions like a publicly trusted CA but is exclusively run by or for the enterprise.

  • private key

    A private key, also known as a secret key, is a variable in cryptography that is used with an algorithm to encrypt and decrypt data.

  • privilege creep

    Privilege creep is the gradual accumulation of access rights beyond what an individual needs to do his job. In IT, a privilege is an identified right that a particular end user has to a particular system resource, such as a file folder.

  • privilege escalation attack

    A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.

  • privileged access management (PAM)

    Privileged access management (PAM) is the combination of tools and technology used to secure, control and monitor access to an organization's critical information and resources.

  • privileged identity management (PIM)

    Privileged identity management (PIM) is the monitoring and protection of superuser accounts in an organization’s IT environments. Oversight is necessary so that the greater access abilities of super control accounts are not misused or abused. Unmanaged superuser accounts can lead to loss or theft of sensitive corporate information, or malware that can compromise the network.

  • probe

    In telecommunications generally, a probe is an action taken or an object used for the purpose of learning something about the state of the network.

  • promiscuous mode

    In computer networking, promiscuous mode is a mode of operation, as well as a security, monitoring and administration technique.

  • proof of concept (PoC) exploit

    A proof of concept (PoC) exploit is a non-harmful attack against a computer or network. PoC exploits are not meant to cause harm, but to show security weaknesses within software.

  • proxy firewall

    A proxy firewall is a network security system that protects network resources by filtering messages at the application layer.

  • public key

    In cryptography, a public key is a large numerical value that is used to encrypt data.

  • public key certificate

    A public key certificate is a digitally signed document that serves to validate the sender's authorization and name.

  • Public-Key Cryptography Standards (PKCS)

    Public-Key Cryptography Standards (PKCS) are a set of standard protocols, numbered from 1 to 15.

  • pure risk

    Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.

  • Pwn2Own

    Pwn2Own is an annual hacking competition sponsored by security vendor TippingPoint and held at the CanSecWest security conference.

  • Q

    Qualified Security Assessor (QSA)

    A Qualified Security Assessor (QSA) is a person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.

  • quantum cryptography

    Quantum cryptography is a method of encryption that uses the naturally occurring properties of quantum mechanics to secure and transmit data.

  • quantum key distribution (QKD)

    Quantum key distribution (QKD) is a secure communication method for exchanging encryption keys only known between shared parties.

  • quantum supremacy

    Quantum supremacy is the experimental demonstration of a quantum computer's dominance and advantage over classic computers by performing calculations that were previously impossible at unmatched speeds.

  • Quiz: Who Done IT? A Murder Mystery

    How to take the quiz: - After reading the question, click on the answer that you think is correct

  • R

    RADIUS (Remote Authentication Dial-In User Service)

    RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

  • ransomware

    Ransomware is a subset of malware in which the data on a victim's computer is locked -- typically by encryption -- and payment is demanded before the ransomed data is decrypted and access is returned to the victim.

  • RAT (remote access Trojan)

    A remote access Trojan (RAT) is a malware program that gives an intruder administrative control over a target computer. RATs are usually downloaded invisibly with a user-requested program -- such as a game -- or sent as an email attachment. Once the host system is compromised, the intruder may use it to distribute more RATs for a botnet.

  • registration authority (RA)

    A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.

  • remote access

    Remote access is the ability for an authorized person to access a computer or network from a geographical distance through a network connection.

  • Report on Compliance (ROC)

    A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.

  • residual risk

    Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.

  • reverse brute-force attack

    A reverse brute-force attack is a type of brute-force attack in which an attacker uses a common password against multiple usernames in an attempt to gain access to a network.

  • Rijndael

    Rijndael (pronounced rain-dahl) is an Advanced Encryption Standard (AES) algorithm.

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

  • risk avoidance

    Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.

  • risk exposure

    Risk exposure is the quantified potential loss from business activities currently underway or planned.

  • risk map (risk heat map)

    A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces.

  • risk profile

    A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.

  • risk reporting

    Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.

  • risk-based authentication (RBA)

    Risk-based authentication (RBA) is a method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised. As the level of risk increases, the authentication process becomes more comprehensive and restrictive.

  • Robert Morris worm

    The Robert Morris worm is widely acknowledged as the first computer worm to be distributed across the Internet and the first computer virus to receive mainstream media attention.

  • Rock Phish

    Rock Phish is both a phishing toolkit and the entity that publishes the kit, either a hacker, or, more likely, a sophisticated group of hackers. While the authors of the kit remain anonymous, Rock Phish has become the most popular phishing kit available online, with some estimates suggesting that the kit is used for half of all phishing attempts.

  • role mining

    Role mining is the process of analyzing user-to-resource mapping data to determine or modify user permissions for role-based access control (RBAC) in an enterprise... (Continued)

  • role-based access control (RBAC)

    Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise.

  • rootkit

    A rootkit is a program or a collection of malicious software tools that give a threat actor remote access to and control over a computer or other system.

  • Rowhammer

    Rowhammer is a vulnerability in commodity dynamic random access memory (DRAM) chips that allows an attacker to exploit devices with DRAM memory by repeatedly accessing (hammering) a row of memory until it causes bit flips and transistors in adjacent rows of memory reverse their binary state: ones turn into zeros and vice versa.

  • RSA algorithm (Rivest-Shamir-Adleman)

    The RSA algorithm (Rivest-Shamir-Adleman) is the basis of a cryptosystem -- a suite of cryptographic algorithms that are used for specific security services or purposes -- which enables public key encryption and is widely used to secure sensitive data, particularly when it is being sent over an insecure network, such as the internet.

  • What is risk analysis?

    Risk analysis is the process of identifying and analyzing potential issues that could negatively impact key business initiatives or projects.

SearchNetworking
SearchCIO
SearchEnterpriseDesktop
SearchCloudComputing
ComputerWeekly.com
Close