HP OSMS white paper: Security of Open Source Middleware Stacks

DMZ Demilitarized zone. A firewall configuration that secures local area networks (LANs).
exploits Tools and methods that prey upon a system's vulnerabilities. Viruses, worms, and
Trojans are the automation of exploits.
fingerprinting The unique information by which systems, components, OSs, and so on are
identifiable.
hacker A person interested in figuring out how things work by taking them apart and putting
them back together in different, interesting, and (hopefully) better ways.
hardening The process of securing a computer system through expert configuration, especially
to protect against attackers.
malware Software intentionally designed for a harmful purpose (portmanteau of "MALicious
softWARE").
non-repudiation In digital security, non-repudiation is proof that a message has been sent or
received. This is typically important in situations such as banking, where the
initiation of a transaction must be verifiable, as must the proof that the transaction
was completed. In other words, non-repudiation of origin proves the sending of data,
and non-repudiation of delivery proves the reception of data.
PAM Pluggable Authentication Modules. A set of modules that enable the decoupling of
common security services from the components that need them. These modules
include, among other provisions, the ability to check for password strength and
account policies.
phishing The act of sending an e-mail falsely claiming to be an established, legitimate enterprise
in an attempt to obtain private information to be used for identity theft. The e-mail
directs recipients to visit a Web site where they are asked to update personal
information.
privilege escalation A system should grant users, or processes, only the privileges needed for the
immediate task. Some security flaws enable the escalation of privilege, which means
that a user or process obtains a higher-level permission allowing a malicious intruder
to circumvent the access controls that were set for the previous privilege level. Many
applications, including many server applications, require some root-level privileges.
If these privileges are compromised, these applications can allow an intruder full
root privileges.
risk A quantifiable assessment of security, represented by this pseudo-formula:
(Threat – Countermeasure) x Value = Risk
rootkit A set of software tools intended to conceal running processes, files, or system data,
thereby helping an intruder to maintain access to a system while avoiding detection.
security policy A declarative document that identifies computer systems and components that need
safeguarding and defines the degree to which they should receive protection, but
does not define how this is done.
signature The unique means by which you can identify an attack, virus, Trojan, or worm.
vulnerability A specific security flaw.
vulnerable A state in which a system or component is susceptible to an exploit or exposed to
security risk.
white list A set of items that are explicitly trusted. Items can be network addresses, users, e-mail
addresses, and so on.
zero-day attack An attack for which no signature exists.