A Glossary of Key Security Terms
Algorithm
A procedure, formula or list of instructions that can be used to accomplish a task or to solve a problem. In mathematics and computer science, an algorithm is usually a procedure used to solve a recurring problem.
Authentication
The process by which individuals and organizations verify each other's identity during the exchange of sensitive and confidential information. During online banking sessions, clients are usually authenticated using IDs and passwords. Clients can ensure that they are dealing with the party they intend to communicate with by examining the secured website's security certificate.
Browser
A software application that interfaces with the Internet and provides a way to locate, display and interact with web pages. Examples include Microsoft Internet Explorer, Netscape, Safari and Firefox.
Cable Modem
Devices that provide high-speed Internet access using cable television networks. Like DSL, cable modems offer continuous connection to the Internet without having to dial into an Internet Service Provider (ISP) each time you wish to connect to the Internet.
Cache
Temporary storage. For example, web pages you visit may be downloaded to your computer and stored in your web browser's cache, which is physically located on your computer's hard drive. When you return to a recently visited web page, your web browser can retrieve it from the cache rather than from the web server where the page is hosted. This cuts down the retrieval time and helps minimize Internet traffic.
Certification Authority (CA)
A trusted third party that issues certificates that can be used by individuals or organizations to verify their identity or credentials. Certificates generally contain the certificate holder's name, their public key, an expiration date, a serial number and identifying information about the certification authority that issued the certificate, including their digital signature.
Cipher
Any method used to turn plain text into an unreadable and meaningless form. Ciphertext is text that has been encoded into this unreadable form. This often involves the use of a mathematical formula to encode plain text into ciphertext and a key to decode the ciphertext.
Cookie
A small text file containing a unique identification number that a website sends to your computer's web browser. When you visit a particular site, a cookie may be used to track the activities of your browser as well as provide you with a consistent, more efficient experience. There are two common types of cookies: persistent and non-persistent. Persistent cookies stay in the browser for long periods of time. Cookies cannot view or retrieve data from other cookies, nor can they capture files and data stored on your computer. Only the website that sends you cookies is able to read them.
Cryptography
This represents a set of mathematical techniques to encode information so that it can be stored and transmitted securely. A system for encrypting and decrypting data is called a cryptosystem. The system usually involves a mathematical equation or algorithm for combining the original data with one or more keys, numbers or strings of characters known only to the sender and recipient. The resulting encoded, unreadable data is known as ciphertext.
Digital Certificate
A digital stamp that uses encryption to certify where an electronic document came from. Digital certificates allow individuals or organizations to verify each other's identity online. They are issued by a certification authority and contain the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and for digital signatures) and the digital signature of the certificate-issuing authority, so that the recipient can verify that the certificate is real.
Digital Signature
Like a hand-written signature, this can be added to electronic documents or transactions to provide: authentication (proof that you are who you say you are); non-repudiation (proof that an exchange or transaction took place); and integrity (so that any attempt to alter information would be detected).
Digital Subscriber Line Technology (DSL)
Provides high-speed Internet connections over ordinary telephone lines. Like cable modems, DSL offers significantly better download and upload times than dial-up modems and provides "always-on" connection capability. DSL subscribers can use telephones and surf the Internet simultaneously because the technology separates the signals.
Encryption
The process of scrambling or encrypting data into a form that cannot be read or understood by unauthorized individuals, ensuring its security during transmission over the Internet. Much like a secret code, encryption changes data from readable to unreadable and back again using complex mathematical algorithms known as keys. It is not possible to convert encrypted data to unencrypted data without the corresponding key. The two most common levels of encryption, 40-bit and 128-bit, are both in use on popular web browsers.
Occurs when data flows from the web server (where the website is physically hosted) to the web browser without passing through any other servers. Information exchanged between the point of origin and the point of destination is encrypted to further ensure security.
Firewall
A combination of industrial strength computer hardware and software designed to securely separate the Internet from internal web servers, computer systems, networks and databases. Firewalls keep unauthorized Internet traffic off a company's web server or computer network and can be set up to warn network managers if they detect intruder attempts.
Key
In cryptography, a key is a complex mathematical algorithm applied to plain data to produce encrypted data, or applied to encrypted data to produce the original information. The longer the key, the more difficult it is to decrypt the data should an unauthorized third party intercept it.
Malware
A blend of the words "malicious" and "software," malware includes computer viruses, worms, Trojan Horses, spyware and a multitude of other damaging and unwanted software. It is software that is designed to enter or damage a computer system without the user's knowledge and/or informed consent.
Public Key Infrastructure (PKI)
Allows users to exchange sensitive information over the Internet in a secure and private manner using a public and private key pair that is obtained through a certification authority. The public key infrastructure uses a digital certificate to identify the individual attempting to decrypt data.
Plug-in
A software module that adds a specific functionality to the web browser. For example, plug-ins allow browsers to display various types of audio and video messages or popular Adobe Acrobat (PDF) files.
Public Key Encryption
This process uses a pair of private and public keys that are mathematically related for the encryption and decryption of data. The public key is made widely available to parties who want to communicate with the private key issuer/holder in a secure manner and it is the key used to encrypt the data. The private key is never shared and remains private to the issuer/holder of the public key and is used to decrypt the data.
Faults, defects or programming errors exploited by unauthorized intruders to enter computer networks or web servers from the Internet. As these holes or bugs become known, software publishers develop "patches," "fixes" or "updates" users can download to fix the problems.
Secure Electronic Transaction (SET)
An open technical standard for the commerce industry developed by Visa and MasterCard to facilitate secure credit card payment transactions over the Internet. Digital Certificates are used throughout the transaction, verifying cardholder and merchant. SET may be used by software vendors, merchants, financial institutions, and others that pass SET compliance testing.
Smart Card
A plastic card about the size of a credit card with an embedded microchip where data and applications are stored. Information on Smart Cards can be updated after the card is issued. A smart card reader, a small device into which the smart card is inserted, is required to load data onto the card or read information from it.
Spyware
Software programs that are installed on a user's computer without their knowledge to secretly gather information about the user. This software typically establishes an Internet connection with a third party, who may monitor a user's web surfing habits or engage in malicious monitoring such as stealing confidential information.
Secure Sockets Layer (SSL)
This protocol was developed by Netscape Communications Corporation to provide a high level of security for Internet communications. SSL provides an encrypted communications session between your web browser and a web server. SSL helps verify that sensitive information (e.g. credit card numbers, account balances and other proprietary financial and personal data) sent over the Internet between your browser and a web server remains confidential during online transactions.
Symmetric Key Encryption
Also known as Private Key Encryption, this uses the same private key shared by the sender and recipient for the encryption and decryption of data. A web browser will generate a new symmetric key each time it opens a secure connection.
Trojan Horse
A malicious program disguised as a useful or fun program. Trojan Horses are frequently transmitted as files attached to e-mail messages, can be downloaded from websites, and can enter a computer as a file on a USB drive or CD-ROM. When you install the file, it appears as if nothing untoward has happened, but the Trojan Horse installs itself on your computer and may destroy files or create a "back door" entry point that allows an unauthorized individual to gain access to your computer.
Virus
A malicious program often disguised as a game, an image file (JPEG) or a screen saver. Viruses are frequently transmitted as files attached to e-mail messages, can be downloaded from websites, and can enter a computer as a file on a USB drive or CD-ROM. Some viruses do damage as soon as they are run inadvertently. Others remain dormant until a date predetermined by the virus creator, then come alive and destroy files or data. When run (clicked on to install the file or play the game), viruses frequently search the Microsoft Outlook address book and send themselves to some or all of the contacts in the address book without the user's knowledge. Known as self-propagation, this is how viruses often spread like wildfire across the Internet and corporate networks.
Worm
A malicious program that replicates itself over a computer network. It does not alter files but resides in the active memory of the computer, invisible to the user, until uncontrolled replication causes the computer to slow down or shut down. By way of example, worms that gained widespread media attention include Code Red and Nimda. The Code Red worm infected commercial servers by flooding them with large amounts of data. Nimda ("admin" spelled backwards) wreaked havoc on both home PCs and commercial network and web servers. Self-replicating worms generally use e-mail and infected websites to spread across the Internet and computer networks.