Scroll through this brief glossary of information security terms to learn some of the basic language.
Account Hijacking: A process by which an individual’s email account, computer account, or any other account associated with a computing device or service, including social media, is stolen or “hijacked” by a hacker through a phishing email scam or malware/spyware that collects selected information (e.g., user names, passwords, account numbers) and forwards it back to the hacker for use in future impersonation attempts. Also referred to as Email Account Compromise.
Authentication: The process that affirms an entity’s credentials, thus proving an identity. Different processes or credentials may result in different levels of assurance in the identity.
Back Door: Hidden software or hardware mechanism used to get around security controls.
Backup: A process to copy electronic or paper-based data in some form so that it is available if the original data is lost, destroyed, or corrupted. Backups are used for recovery purposes only.
Business Email Compromise (BEC): An exploit in which the attacker gains access to a corporate email account or spoofs the owner’s identity to defraud the company or its employees, customers, or partners of money. The attacker typically uses the identity of someone on the corporate network to trick the target(s) into sending money to the attacker’s account.
Card Skimmers: A means of electronically capturing information from credit or debit card readers, such as ATMs.
Data Driven Attack: Malicious code that is embedded in seemingly safe data to break through firewalls.
Dictionary Attack: A decryption method that successively tries all similar words in a lengthy list.
Digital Certificate: An electronic identifier that establishes your credentials when doing business or other transactions on the Web. The certificate is issued by a certification authority (CA) and contains a name, a serial number, an expiration date, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
Digital Signature: A tool used to authenticate the sender of a message and the origin of the message. It is unique for every transaction and is created with a private key.
Email Account Compromise (EAC): See Account Hijacking.
Encryption: The process of transforming data to an unintelligible form in such a way that the original data either cannot be obtained (one-way encryption) or cannot be obtained without using the inverse decryption process (two-way).
File Backup: Copying a file stored on disk or tape to another disk or tape, for protection if the active file is damaged.
File Recovery: The restoration of computer files using backup copies.
Firewall: Software or hardware designed to block unauthorized access to a computer or network.
Flash Drives: USB storage devices, usually small with deceptively large storage capacity.
Flooding: Insertion of a large volume of data that results in service denial.
Fraud: An intentional deception executed for personal gain or to damage another party.
Hacker: An individual who attempts to gain unauthorized access to an information system.
Identification: A unique representation of an entity throughout a system.
Identification Information: Information a financial institution obtains to identify a client (e.g., name, address, telephone number, and Social Security Number).
Malware: Any type of software capable of performing an unauthorized process on an information system. Also known as Malicious Code or Malicious Software.
Mobile Code: Software modules obtained from remote systems, transferred across a network, then downloaded and executed on a local system without the recipient's knowledge.
Multi-factor Authentication: A process by which more than one piece of information is required to verify a user's identity before allowing access. Two-factor authentication requires two of the following three factors: something you have, something you know, something you are.
Packet: A data block that transmits the identities of the sending and receiving stations, error-control information, and the message.
Passphrase: A unique phrase used as a password that is longer than a typical password; it may contain spaces between words and must have at least one number and one special symbol, for example: The r0ad to success is always under construction!
Password: A sequence of characters, used as a shared secret between two entities as part of a validation process.
Pharming: A practice in which malware (malicious code or software) is installed on a computer that redirects users, via their saved favorites links, from a legitimate website to a fraudulent website without their knowledge or consent, for the purpose of obtaining personal and/or financial information.
Phishing: The act of contacting an individual, falsely claiming to be a legitimate entity, to defraud the individual into surrendering passwords, financial or personal information, or into infecting the individual’s computer with malware to be used for identity theft. Delivery is typically carried out by email, although phone calls, voicemail, and text messaging may also be used.
Ponzi Scheme: A fraudulent investment that pays returns to investors from other investors' money, rather than any real profits.
Proxy: Software agent that performs a function on behalf of another application or system while hiding the details involved.
Replicator: Program that acts to produce copies of itself, such as a worm or virus.
Retro-virus: A virus that waits until all backup media are infected in order to prevent the system from being restored.
Rootkit: Trojan Horse software that captures passwords and message traffic to and from a computer.
Security Control: A process or mechanism intended to aid in preventing security compromises. Security controls may be preventive, detective, or corrective.
Sensitive Information: Any information, regardless of media or location, that is classified as “Confidential”.
Signon / Logon: The process of confirming an entity’s claimed identity resulting in authorized entry to an information system or application.
Smishing: A combination of the terms "SMS" and "phishing." It is similar to phishing, but refers to fraudulent messages sent over SMS (text messaging or other messaging applications) rather than email. The message typically contains a link that, when clicked, will download malware onto the user's mobile phone or other device.
Smurfing: Software that sends a large amount of repetitive information to your computer with the purpose of shutting down a home or business network.
Spoofing: Impersonating another person or computer, usually by providing a false email name, URL, domain name server, or IP address.
Spyware: Software that collects information without the user's informed consent.
Token: A small device with an embedded computer chip that can be used to store and transmit electronic information.
Two-factor Authentication: See Multi-factor Authentication.
User Identification (User ID, UID): Information (aka credential) that is used to uniquely identify or define attributes about an individual's or entity's identity.
Virus: Self-replicating, malicious code that attaches itself to an application program or other executable system component and leaves no obvious signs of its presence.
Vishing: Vishing (or voice phishing) is a "telephone" phishing tactic in which individuals are tricked into divulging sensitive information, asked to visit a cleverly disguised malicious website, or asked to call a phone number provided in a voicemail message. A vishing attack can be conducted by voicemail, landline, or mobile phone.
Voice Response Unit (VRU): An automated telephone information system that speaks to a caller using fixed menus and data extracted from databases in real time. The caller responds by pressing telephone digits or speaking words or short phrases.
Vulnerability: A flaw or weakness in computer systems, security procedures, internal controls, or design and implementation that could be exploited to violate the system security policy. Also, a weakness or deficiency at a facility, entity, or venue, or of a person.
Wide Area Network (WAN): A computer network that covers a broad area and is generally used to connect other networks.
Worm: An independent program that replicates across network connections, clogging networks as it spreads.