Keyword Index and Glossary of Core Ideas: Difference between revisions

Index and Glossary of Core Ideas

Air-Gapped Network

Air gapping is a security measure that aisolates a secure network from unsecure networks physically, electrically and electromagnetically.

See also: Sneakernet

Antivirus

Software which attempts to identify and delete or isolate [[Glossary_of_Core_Ideas#Malware malware]. Antivirus software may use both a database containing signatures of known threats and heuristics to identify malware. Usually run as a background service to scan files and email copied to the protected system.

Black Hat

A black hat is a computer hacker who works to harm others (e.g., steal identities, spread computer viruses, install bot software).

See also: White Hat

Blacklist

A list of computers, IP addresses, user names or other identifiers to block from access to a computing resource.

See also: Whitelist

• Moore and Clayton
• Moore et. al.

Botnet

A portmanteau of robot and network.) Refers to networks of sometimes millions of infected machines that are remotely controlled by malicious actors. A single infected computer may be referred to as a zombie computer. The owners of the computer remotely controlled is often unaware of the infection. The owners of a botnet may use the combined network processing power and bandwidth to send SPAM, install malware and mount DDoS attacks or may rent out the botnet to other malicious actors.

References:

• Anderson
• Anderson et. al.
• Bauer and van Eeten
• Cetron and Davies
• Franklin et. al.
• Gandal
• Nye
• Shackelford
• Thomas and Martin

Casus Belli

The justification for going to war. From the Latin "casus" meaning "incident" or "event" and "belli" meaning "of war."

References:

• Bellovin
• Cornish

Civilian Participation

The involvement of non-military persons in warfare. While civilians have often provided support to the military in kinetic wars, in cyber warfare civilians are able to remotely participate in direct attacks against opponents. This raises complicated questions of law when the combatants are not uniformed military personnel.

References:

• Burstein
• Cornish et. al.
• Watts

Combatant Status

The legal status of combatants in warfare. Existing law distinguishes between uniformed military and civilian status.

References:

• Arora et. al.
• Watts

Computer Emergency Response Team

A group of experts brought together to deal with computer security issues. The Computer Emergency Response Team (CERT) mandate is to develop and promote best management practices and technology applications to “resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.” (Software Engineering Institute 2008). CERT may be formed by governments to handle security at the national level or by academic institutions or individual corporations.

References:

• Arora et. al.
• Madnick et. al.

Computer Network Attack

Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves. Joint Doctrine for Information Operations JP 3-13 at I-9 (1998)

References:

• Cornish et. al.
• DoD
• GAO
• Gandal
• Watts

Communications Privacy Law

Laws which regulate access to electronic communications. In the United States, the Electronic Communications Privacy Act (ECPA) protects electronic communications while in transit and prohibits the unlawful access and disclosure of communication contents.

References:

• Burstein
• Johnson
• Nojeim
• Nye

COTS Software

Commercial Off The Shelf Software. Software that is prepackaged and sold as a commodity rather than custom written for a specific user/organization or purpose. Examples include operating systems, database management programs, email servers, application servers and office product suites. DoD at 18.

References:

• DoD

Credit Card Fraud

Theft of goods or services using false or stolen credit card information.

See Also: Shoulder Surfing

References:

• Epstein and Brown
• Franklin et. al.
• Moore and Clayton, 2, 3
• Moore et. al.
• Thomas and Martin

Crimeware

Software tools designed to aid criminals in perpetrating online crime. Refers only to programs not generally considered desirable or usable for ordinary tasks. Thus, while a criminal may use Internet Explorer in the commission of a [[#Cyber_Crime cybercrime], the Internet Explorer application itself would not be considered crimeware.

References:

• Computer Economics
• Bauer and van Eeten, 2
• Epstein and Brown
• Franklin et. al
• Gandal
• Kobayashi

Cyber Crime

In its broadest definition, cybercrime includes all crime perpetrated with or involving a computer. Symantec defines it as any crime that is committed using a computer or network, or hardware device. The computer or device may be the agent of the crime, the facilitator of the crime, or the target of the crime. The crime may take place on the computer alone or in addition to other locations. Symantec

References:

• Anderson et. al.
• Epstein and Brown
• Moore and Clayton
• Moore et. al.

Cyber Security as an Externality

Economists define externalities as instances where an individual or firm’s actions have economic consequences for others for which there is no compensation. One important distinction is between positive and negative externalities. Instances of the latter are most commonly discussed, such as the environmental pollution caused by a plant, which may have impacts on the value of neighboring homes. Important examples of positive externalities are so common in communications networks that there is a class of "network externalities. For instance, the simple act of installing telephone service to one additional customer creates positive externalities on everyone on the telephone network because they can now each reach one additional person. Several attributes of computer security suggest that it is an externality. Most importantly, the lack of security on one machine can cause adverse effects on another. The most obvious example of this is from electronic commerce, where credit card numbers stolen from machines lacking security are used to commit fraud at other sites.

References:

• Camp and Wolfram
• Gandal
• Powell

Cyber Security as a Public Good

In economics, a public good is a good that is non-rivalrous and non-excludable. Non-rivalry means that consumption of the good by one individual does not reduce availability of the good for consumption by others; and non-excludability that no one can be effectively excluded from using the good.

References:

• Kobayashi
• Powell

Cyber Terrorism

A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda. FBI

References:

• Cetron and Davies
• DCSINT
• Gable
• Rollins and Wilson
• Shah
• Stohl

Cyber Warfare

Actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption. Clarke

References:

• Clarke
• Cornish
• DCSINT
• DoD
• Lan
• Shackelford
• Watts

Data Mining

The process of extracting hidden information and correlations from one or more databases or collections of data that would not normally be revealed by a simple database query.

References:

• Besunder

Department of Homeland Security

Cabinet level department of the United States assigned, inter alia, the task of protecting against terrorist threats and helping state and local authorities prepare for, respond to and recover from domestic disasters.

References:

• DoD
• GAO
• National Infrastructure Advisory Council

Digital Pearl Harbor

A cyberwarfare attack similar in scale and surprise to the 1941 attack on Pearl Harbor. The expression is often invoked by those who argue that a cyber-based attack is either imminent or inevitable and that by not being properly prepared, the United States will suffer significant and unnecessary losses.

References:

• Cetron and Davies
• Stohl

DDoS Attack

The disabling of a targeted website or Internet connection by flooding it with such high levels of Internet traffic that it can no longer respond to normal connection requests. Often mounted by directing an army of zombie computers (see botnet) to connect to the targeted site simultaneously. The targeted site may crash while trying to respond to an overwhelming number of connections requests or it may be disabled because all available bandwidth and/or computing resources are tied up responding to the attack requests.

References:

• Anderson
• Franklin. et. al
• DCSINT
• DoD
• Powell

Disclosure Policy

References:

• Arora et. al.
• Aviram and Tor
• Granick
• Moore and Clayton, 2, 3
• Moore et. al.

Distributed Denial of Service (DDoS)

See: DDoS Attack

Dumpster Diving

A method of obtaining proprietary, confidential or useful information by searching through trash discarded by a target.

Einstein

The operational name of the National Cybersecurity Protection System (NCPS). Cas created in 2003 by the United States Computer Emergency Readiness Team (US-CERT)14 in order to aid in its ability to help reduce and prevent computer network vulnerabilities across the federal government. The initial version of Einstein provided an automated process for collecting, correlating, and analyzing agencies’ computer network traffic information from sensors installed at their Internet connections. The Einstein sensors collected network flow records15 at participating agencies, which were then analyzed by US-CERT to detect certain types of malicious activity.

References:

• GAO

E.U. Cybersecurity

Discussions relating to cybersecurity of the European Union and of European Union states.

References:

• Anderson et. al.
• ENISA

Geneva Conventions

Four treaties and three additional protocols that regulates the conduct of hostilities between states and set the standards for humanitarian treatment of the victims of war.

See also: Laws of War

References:

• Watts

Hacker

Advanced computer users who spend a lot of time on or with computers and work hard to find vulnerabilities in IT systems. DCSINT

References:

• Epstein and Brown
• DCSINT
• DoD
• Johnson
• Thomas and Martin

Hacktivism

The nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development. Samuel, A.

References:

• Cetron and Davies
• Stohl

Hacktivist

Combination of #Hacker hacker and activist. Individuals that have a political motive for their activities, and identify that motivation by their actions, such as defacing opponents’ websites with counter-information or disinformation.

See also: Hacktivism

References:

• DCSINT

Honeypot

A computer, network or other information technology resource set as a trap to attract attacks. Honeypots may be used to collect metrics (how long does it take for an unprotected system to be breached), to test defenses, to examine methods of attack or to catch attackers. A honeypot system may also be used to collect SPAM so it can be added to a blacklist.

References:

• Arora et. al.

Identity Fraud/Theft

The exploitation by malevolent third parties of unwarranted access to clients' or consumers' identities. Often the result of lax data security or privacy measures.

References:

• Computer Economics
• Johnson
• Moore and Clayton
• Moore et. al.
• Thomas and Martin

Information Asymetries

Information asymmetry deals with the study of decisions in transactions where one party has more or better information than the other. This creates an imbalance of power in transactions which can sometimes cause the transactions to go awry.

The software market suffers from the same information asymmetry. Vendors may make claims about the security of their products, but buyers have no reason to trust them. In many cases, even the vendor does not know how secure its software is. So buyers have no reason to pay more for protection, and vendors are disinclined to invest in it.

References:

• Anderson and Moore
• Anderson et. al.
• Aviram and Tor
• Granick
• Powell

Intelligence Infrastructure/Information Infrastructure

The network of computers and communication lines underlying critical services that American society has come to depend on: financial systems, the power grid, transportation, emergency services, and government programs. Information infrastructure includes the Internet, telecommunications networks, “embedded” systems (the built-in microprocessors that control machines from microwaves to missiles), and “dedicated” devices like individual personal computers. Council on Foreign Relations

References:

• Aloise
• Beard
• DoD
• Nye
• Perkins

Interdependencies

The inter-connections between supposedly independent but often interdependent systems.

See also: SCADA Systems

References:

• Aviram and Tor
• OECD
• Perkins
• Santos et. al.

International Humanitarian Law

That part of international law which seek, for humanitarian reasons, to limit the effects of armed conflict. It protects persons who are not or are no longer participating in the hostilities and restricts the means and methods of warfare. International humanitarian law is also known as the law of war or the law of armed conflict. International law is the body of rules governing relations between States. It is contained in agreements between States (treaties or conventions), in customary rules, which consist of State practise considered by them as as legally binding, and in general principles. ICRC

References:

• Beard
• Watts

Internet Relay Chat (IRC)

A method of real-time Internet communication often used by criminals to buy and sell purloined information such as credit card numbers and personal identity information. IRC chatrooms may be open or private.

References:

• Thomas and Martin

Internet Service Providers

A company that offers access to the Internet. Internet Service Providers may also provide add-on services such as web hosting, electronic mail, virus scanning, SPAM filtering, etc.

References:

• OECD

Keylogger

Software or hardware that monitors and logs the keystrokes a user types into a computer. The keylogger may store the key sequences locally for later retrieval or send them to a remote location. A hardware keylogger can only be detected by physically inspecting the computer for unusual hardware.

References:

• Computer Economics
• DCSINT
• Thomas and Martin

Lawfare

The use of international law to damage an opponent in a war without use of arms.

References:

• Beard

Laws of War

The body of law that define the legality of using armed force to resolve a conflict (jus ad bellum) and the laws that define the legality of the actual hostilities and related activities (jus in bello).

References:

• Beard
• Gable
• Nye
• Watts

Malware

A variety of computer software designed to infiltrate a user's computer specifically for malicious purposes. Includes, inter alia, computer virus software, botnet software, computer worms, spyware, trojan horses, crimeware and rootkits.

References:

• [[Critical_Infrastructure_Threats_and_Terrorism DCSINT]
• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]
• [[2007_Malware_Report Computer Economics]
• [[Cybersecurity_in_the_Payment_Card_Industry Epstein and Brown]
• [[The_Underground_Economy Thomas and Martin]

National Cybersecurity Strategy (U.S.)

A comprehensive policy to secure America’s digital infrastructure as part of the Administrative Branch's Comprehensive National Cybersecurity Initiative. The goals of the policy are: to establish a front line of defense against current immediate threats; to defend against threats by enhancing U.S. counterintelligence capabilities and; to strengthen the future cybersecurity environment by expanding cyber education and redirecting research and development efforts to define and develop strategies to deter hostile or malicious activity in cyberspace.

References:

• [[Cyber_Security_and_Regulation_in_the_United_States Lewis]
• [[Cybersecurity:_Current_Legislation%2C_Executive_Branch_Initiatives%2C_and_Options_for_Congress Theohary and Rollins]
• [[Securing_Cyberspace_for_the_44th_Presidency Center for Strategic and International Studies]

National Security

Broadly refers to the requirement to maintain the survival of the nation-state through the use of economic, military and political power and the exercise of diplomacy. Wikipedia

References:

• [[Nuclear_Security Aloise]
• [[Cyberspace_and_the_National_Security_of_the_United_Kingdom Cornish et. al.]
• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]
• [[Terrorist_Capabilities_for_Cyberattack:_Overview_and_Policy_Issues Rollins and Wilson]
• [[Cybersecurity:_Current_Legislation%2C_Executive_Branch_Initiatives%2C_and_Options_for_Congress Theohary and Rollins]

Notice and Take-down

Most commonly used to remove infringing web material under copyright law, a notice and take-down regime is a procedure by which an infringing web site is removed from a service provider's (ISP) network, or access to an allegedly infringing website, disabled. Websites violating copyright are subject to notice and take-down, as are phishing websites.

References:

• [[The_Impact_of_Incentives_on_Notice_and_Take-down Moore and Clayton]
• [[The_Economics_of_Online_Crime Moore et. al.]

Organized Crime

Groups having some manner of a formalized structure and whose primary objective is to obtain money through illegal activities. Such groups maintain their position through the use of actual or threatened violence, corrupt public officials, graft, or extortion, and generally have a significant impact on the people in their locales, region, or the country as a whole. FBI

References:

• [[Security_Economics_and_the_Internal_Market Anderson et. al]
• [[Cyberspace_and_the_National_Security_of_the_United_Kingdom Cornish et. al.]
• [[Cybersecurity_in_the_Payment_Card_Industry Epstein and Brown]
• [[An_Inquiry_into_the_Nature_and_Causes_of_the_Wealth_of_Internet_Miscreants Franklin et. al]
• [[The_Economics_of_Online_Crime Moore et. al.]

Outreach and Collaboration

Working across government and with the private sector to share information on threats and other data, and to develop shared approaches to securing cyberspace. CRS Report for Congress, at 6 (2009).

References:

• [[Overcoming_Impediments_to_Information_Sharing Aviram and Tor]
• [[Pricing_Security Camp and Wolfram]
• [[Introduction_to_Country_Reports ENISA]
• [[The_Price_of_Restricting_Vulnerability_Publications Granick]
• [[An_Economic_Analysis_of_the_Private_and_Social_Costs_of_the_Provision_of_Cybersecurity_and_other_Public_Security_Goods Kobayashi]
• [[Experiences_and_Challenges_with_Using_CERT_Data_to_Analyze_International_Cyber_Security Madnick et. al.]
• [[The_Consequence_of_Non-Cooperation_in_the_Fight_Against_Phishing Moore and Clayton]
• [[Cybersecurity:_Current_Legislation%2C_Executive_Branch_Initiatives%2C_and_Options_for_Congress Theohary and Rollins]

Password Weakness

Security threats caused by the use of easily guessable passwords which protect vital stores of confidential information stored online.

References:

• [[Cybersecurity%2C_Identity_Theft%2C_and_the_Limits_of_Tort_Liability Johnson]

Patching

References:

• [[Does_Information_Security_Attack_Frequency_Increase_With_Vulnerability_Disclosure Arora et. al.]

Phishing

The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

References:

• [[Security_Economics_and_the_Internal_Market Anderson et. al.]
• [[2007_Malware_Report Computer Economics]
• [[Examining_the_Impact_of_Website_Take-down_on_Phishing Moore and Clayton], [[The_Consequence_of_Non-Cooperation_in_the_Fight_Against_Phishing 2], [[The_Impact_of_Incentives_on_Notice_and_Take-down 3]
• [[The_Economics_of_Online_Crime Moore et. al.]

Privacy Law

Laws which regulate the protection of confidential personal information stored in private records or disclosed to a professional. Also includes laws which regulate the gathering of electronic data in which personal information is accumulated or misappropriated.

References:

• [[Best_Practices_for_Data_Protection_and_Privacy#Synopsis Besunder]

Risk Modeling

The creation of a model to estimate risk exposure, policy option efficacy and cost-benefit analysis of a particular threat and solution. See Soo Hoo, Kevin J.

References:

• [[Nothing_Ventured%2C_Nothing_Gained Geer and Conway]
• [[An_Economic_Analysis_of_the_Private_and_Social_Costs_of_the_Provision_of_Cybersecurity_and_other_Public_Security_Goods Kobayashi]
• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]
• [[Making_the_Best_Use_of_Cybersecurity_Economic_Models Rue and Pfleeger]
• [[A_Framework_for_Linking_Cybersecurity_Metrics_to_the_Modeling_of_Macroeconomic_Interdependencies Santos et. al.]
• [[Metrics_for_Mitigating_Cybersecurity_Threats_to_Networks Schneidewind]

Research & Development

Research and development (R&D) addressing cyber security and information infrastructure protection.

References:

• [[Pricing_Security Camp and Wolfram]
• [[Toward_a_Safer_and_More_Secure_Cyberspace Commission on Improving Cybersecurity Research in the U. S.]
• [[Research_Agenda_for_the_Banking_and_Finance_Sector Financial Services Sector Coordinating Council for Critical Infrastructure Protection]
• [[Nothing_Ventured%2C_Nothing_Gained Geer and Conway]
• [[Hard_Problem_List INFOSEC Research Council]
• [[Cyber_Security_Research_and_Development_Agenda Institute for Information Infrastructure Protection]
• [[The_Need_for_a_National_Cybersecurity_Research_and_Development_Agenda Maughan]
• [[Hardening_The_Internet National Infrastructure Advisory Council]

SCADA Systems

SCADA stands for "supervisory control and data acquisition" and in the cybersecurity context usually refers to industrial control systems that control infrastructure such as electrical power transmission and distribution, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines and large communication systems. The focus is on whether as these systems are connected to the public Internet they become vulnerable to a remote attack.

References:

• [[Cyber_Power Nye]
• [[A_Framework_for_Linking_Cybersecurity_Metrics_to_the_Modeling_of_Macroeconomic_Interdependencies Santos et. al.]
• [[Metrics_for_Mitigating_Cybersecurity_Threats_to_Networks Schneidewind]

Scareware

Software or web site that purports to be security software reporting a threat against a user's computer to convince the user to purchase unneeded software or install malware.

• [[2007_Malware_Report Computer Economics]
• [[The_Economics_of_Online_Crime Moore et. al.]

Script Kiddie

A derogatory term for a [[Glossary_of_Core_Ideas#Black_Hat Black Hat] who uses canned tools and programs to commit cyber crime without understanding how they work.

Shoulder Surfing

The process of obtaining passwords or other sensitive information by serendipitously watching an authorized user enter information into a computer system.

Sneakernet

Describes the transfer of data between computers or networks that are not physically, electrically or electromagnetically connected requiring information to be shared by physically transporting media contain the shared information from one computer to another. Initially described systems lacking the technology to network together, now usually refers to systems deliberately isolated for security reasons.

See also: [[Glossary_of_Core_Ideas#Air-Gapped_Network Air-Gapped Network]

Social Engineering

Conning a human into supplying passwords, computer access or other sensitive information by pretending to be a person with rights to the information or who the target believes they must surrender the information to.

References:

• [[Emerging_Threats_to_Internet_Security_-_Incentives%2C_Externalities_and_Policy_Implications Bauer and van Eeten]
• [[Cyber_Power Nye]
• [[The_Market_Consequences_of_Cybersecurity:_Defining_Externalities_and_Ways_to_Address_Them#Synopsis OECD] [[Cybersecurity_and_Economic_Incentives 2]

Social Network

A software application or website that allows a large group of users to interact with each other, often allowing the creation of online portals or identities to share with specific people or the online world at large.

Software Vulnerability

References:

• Arora et. al.
• Mission Impact of Foreign Influence on DoD Software
• Granick

SPAM

Unwanted or junk email usually sent indiscriminately in bulk selling illegal or near illegal goods or services. Even with low response rates and heavy filtering, SPAM can stil be economically viable because of the extremely low costs in sending even huge quantities of electronic messages. Commonly believed to be named after the Monty Python skit where the breakfast meat Spam overwhelms all other food choices.

References:

• [[The_Impact_of_Incentives_on_Notice_and_Take-down Moore and Clayton]
• [[The_Economics_of_Online_Crime Moore et. al.]
• [[The_Underground_Economy Thomas and Martin]

Sponsored Attacks

[[Glossary_of_Core_Ideas#Computer_Network_Attack Computer network attacks] commissioned by, supported by or carried out by a state or government.

Reverences:

• [[The_Government_and_Cybersecurity Bellovin]
• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]

State Affiliation

Under the control or command of a recognized state or government.

References:

• [[Cyber_Security_and_Politically%2C_Socially_and_Religiously_Motivated_Cyber_Attacks#Full_Citation Cornish]
• [[Cyberspace_and_the_National_Security_of_the_United_Kingdom Cornish et. al.]
• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]
• [[Cyber-Apocalypse_Now_-_Securing_the_Internet_Against_Cyberterrorism_and_Using_Universal_Jurisdiction_as_a_Deterrent Gable]
• [[Combatant_Status_and_Computer_Network_Attack Watts]

Tragedy of Commons

A situation, first described in an influential article written by ecologist Garrett Hardin for the journal Science, in 1968, in which multiple individuals, acting independently, and solely and rationally consulting their own self-interest, will ultimately deplete a shared limited resource even when it is clear that it is not in anyone's long-term interest for this to happen. The term can be applied to any issue related to the management of a shared resource, from energy to the public domain, to cybersecurity.

References:

• [[Why_Information_Security_is_Hard Anderson]
• [[Is_Cybersecurity_a_Public_Good Powell]

Transparency

A set of policies, practices and procedures that allow citizens to have accessibility, usability, informativeness, understandability and auditability of information and process held by centers of authority. Wikipedia

References:

• [[Overcoming_Impediments_to_Information_Sharing Aviram and Tor]
• [[Research_Agenda_for_the_Banking_and_Finance_Sector Financial Services Sector Coordinating Council for Critical Infrastructure Protection]

Trojan

[[Glossary_of_Core_Ideas#Malware Malware] which masquerades as some other type of program such as a link to a web site, a desirable image, etc. to trick a user into installing it. Named for the Ancient Greek Trojan Horse.

References:

• [[The_Economics_of_Online_Crime Moore et. al.]

Virtual Military Technologies

Warfare made possible by advances in remotely controlled or semiautomated military technologies which remove the operator from risk of harm while attacking an opponent.

References:

• [[Law_and_War_in_the_Virtual_Era Beard]
• [[Global_Cyber_Deterrence_Views_from_China Lan]

Virtual Warfare

See: [[Glossary_of_Core_Ideas#Virtual_Military_Technologies Virtual Military Technologies]

White Hat

A white hat is a computer [[Glossary_of_Core_Ideas#Hacker hacker] who works to find and fix computer security risks. White hat consultants are often hired to attempt to break into their client's network to see if all security holes have been addressed.

See also: [[Glossary_of_Core_Ideas#Black_Hat Black Hat]

Whitelist

A list of computers, IP addresses, user names or other identifiers to specifically allow access to a computing resource. Normally combined with a default "no-access" policy.

See also: [[Glossary_of_Core_Ideas#Blacklist Blacklist]

Worm

A type of malware that replicates itself and spreads to other computers through network connections.

References:

• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]

Zero-Day Exploit

[[Glossary_of_Core_Ideas#Malware Malware] designed to exploit a newly discovered security hole unknown to the software developer. "Zero-day" refers to the amount of time a developer has between learning of a security hole and the time it becomes public or when [[Glossary_of_Core_Ideas#Black_Hat black hat] [[Glossary_of_Core_Ideas#Hacker hackers] find out about it and try to use the security hole for nefarious purposes.

References:

• [[Does_Information_Security_Attack_Frequency_Increase_With_Vulnerability_Disclosure Arora et. al.]
• [[Mission_Impact_of_Foreign_Influence_on_DoD_Software DoD]
• [[The_Price_of_Restricting_Vulnerability_Publications Granick]