
Glossary of Computer & Security Terms




10 Mbps, baseband, in 185 meter segments, ThinWire, coaxial cable Ethernet.
10 Mbps, baseband, in 500 meter segments, ThickWire, coaxial cable Ethernet.
Baseband, in 1 kilometer segments, fibre optic Ethernet.
10 Mbps, baseband, unshielded, twisted pair (UTP) Ethernet.
100 Mbps, baseband, four pair, CAT 3 Ethernet.
IEEE standard specifying the Logical Link Control (LLC) sublayer, which defines services for the transmission of data between two stations at the data link layer of the OSI model.
IEEE standard specifying the Carrier Sense Multiple Access/Collision Detection method used by Ethernet.
IEEE standard specifying the token bus network access method used by ARCnet.
IEEE standard specifying the logical ring network using a token passing method used by token ring and IBM LANs.
IEEE standard specifying wireless local area networks (WLANs).  802.11b refers to an over-the-air connection with a wireless client and a base station or Wireless Access Point (WAP) or between two wireless clients.


The ways and means you approach (physically), store or retrieve data, communicate with, and make use of any resource on a computer system.
Access Category
One of the classes to which a user, a program or a process in a system may be assigned because of the resources or groups of resources that each user, program, or process is authorized to use.
Access Control Entry
An entry in an access control list (ACL). The entry contains a security ID (SID) and a set of access rights. A process with a matching security ID is either allowed access rights, denied rights, or allowed rights with auditing.
Access Control List
The part of a security descriptor that enumerates the protection (that is, permission) given to an object.
Access Control Mechanisms
Hardware or software features, operating procedures, management procedures, and various combinations of these designed to detect and prevent unauthorized access and to permit authorized access to a system.
Access Guidelines
Used here in the sense of guidelines for the modification of specific access rights. A general framework drawn up by the owner or custodian to instruct the data set security administrator on the degree of latitude that exists for the modification of rights of access to a file without the specific authority of the owner or custodian.
Access List
A catalogue of users, programs, or processes and the specifications of the access categories to which each is assigned.
Access Period
A segment of time, generally expressed on a daily or weekly basis, when access rights prevail.
Access Right
A permission granted to a process to manipulate a particular object in a particular manner (for example, calling a service). Different object types support different access rights, which are stored in the object’s access control list (ACL).
Access Token
An object uniquely identifying a user who has logged on. An access token is attached to all the user’s processes and contains the user’s security ID (SID), the names of any groups to which the user belongs, any privileges the user owns, the default owner of any objects the user’s processes create, and the default access control list (ACL) to be applied to any objects the user’s processes create.
Access Type
An access right to a particular device, program or file. For example, read, write, execute, append, allocate, modify, delete, create.
The ease with which information can be gotten.
Outcome from the lack of care or any situation where the result is negatively different from that intended.
The quality or state that enables violations or attempted violations of a system security to be traced to individuals who may then be held responsible.
Having no errors. Correct. Exact. Faithful. Precise. Proper. Right. True. Veracious. Veridical.
The acronym for Access Control Entry. This contains a SID and the associated set of access control permissions for each object.
The acronym for Access Control List. This is the place where object permissions are kept. ACLs consist of access control entries.
Microsoft technology part of DCOM strategy.  Allows the downloading of binary executables or controls for execution on the client.  Replaces OLE.
A number or group of numbers uniquely identifying a network node within its network (or internetwork).
The acronym for Asymmetric Digital Subscriber Line, which is a broadband service delivering download rates of 1.5-1.9 Mbps and upload rates of 16-640 Kbps.
The Administrator is the person responsible for the operation of the network. The Administrator maintains the network, reconfiguring and updating it as the need arises. With Windows NT Server, it also is the default user account created during setup.
(1) An audible or visual alarm that signals an error or serves as a warning of some sort. (2) An asynchronous notification that one thread sends to another.
A step-by-step procedure, usually mathematical, for doing a specific function, e.g., a PIN verification algorithm or an encryption algorithm.
American Wire Gauge (AWG)
The adopted standard wire sizes, such as No. 12 wire and No. 14 wire. The larger the gauge number of the wire, the smaller the wire; therefore, a No. 14 wire is smaller than a No. 12 wire.
The acronym for Advanced Mobile Phone Service.  Basic cellular service in North and South America typically operating at 800 MHz and using FDMA transmission technology.  With AMPS, when a person grabs a segment of frequency for a call, nobody else can use that frequency.  Digital cellular technologies offer ways for carriers to allow more calls in a cell, using the same amount of bandwidth.
A system based on a continuous ratio, such as voltage or current values.
Analog Transmission
A communications scheme using a continuous signal, varied by amplification. Broadband networks use analog transmissions.
Analytical Attack
An attempt to break a code or cipher key by discovering flaws in its encryption algorithm.
The acronym for American National Standards Institute, which sets standards for many technical fields.
Macintosh native protocol.
The user's communication with the installation. A software program or program package enabling a user to perform a specific job, such as word processing or electronic mail.
Application Program/Software
A program written for or by a user that applies to the user's work.
Application Programming Interface (API)
A set of routines that an application program uses to request and carry out lower-level services performed by the operating system.
Application System
A collection of programs and documentation used for an application.
The general design of hardware or software, including how they fit together.
ARCnet (Attached Resource Computer Network)
A local area network scheme developed by Datapoint.
The acronym for American Standard Code for Information Interchange pronounced "ASK-ee."
A language translator that converts a program written in assembly language into an equivalent program in machine language. The opposite of a disassembler.
Assembly Language
A low-level programming language in which individual machine-language instructions are written in a symbolic form that is easier to understand than machine language itself.
A method of data communications in which transmissions are not synchronized with a signal. Local area networks transmit asynchronously.
To log a workstation into a server. Also, to log a workstation into another file server while the workstation remains logged into the first.
The method used to commit security violations, such as masquerading and modification.
The difference in amplitude between a signal at transmission and at reception.
Audit Policy
Defines the type of security events logged for a domain or for an individual computer; determines what NT will do when the security log becomes full.
Audit Trail
A chronological record of system activities sufficient to enable the reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to each event in the path of a transaction from its inception to the output of results.
The physical or mental power to perform an examination or verification of financial records or accounts.
The ability to detect and record security-related events, particularly any attempt to create, access, or delete objects. Windows NT uses security IDs (SIDs) to record which processes performed the action.
(1) To confirm that the object is what it purports to be. To verify the identity of a person (or other agent external to the protection system) making a request. (2) The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information.
The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information.
The process that grants the necessary and sufficient permissions for the intended purpose.
To grant the necessary and sufficient permissions for the intended purpose.
Automated Security Monitoring
The use of automated procedures to ensure that the security controls implemented within a system are not circumvented.



A central network cable system that connects other networks.
A background task or program runs while the user is doing something else. The most common example is a print spooler program. Used in contrast to foreground.
Background Processing
The action of completing tasks in the background.
(n) A copy of a disk or of a file on a disk. (v) To make a spare copy of a disk or of a file on a disk.
Backup Domain Controller
For Windows NT Server domains, refers to a computer that receives a copy of the domain's security policy and domain database and authenticates network logons.
Backup Procedures
The provisions you make for recovering your data files and programs, and for the restart or replacement of your system after the occurrence of a system failure or of a disaster.
The range of frequencies available for signaling; the difference expressed in Hertz between the lowest and highest frequencies of a band. Or simplistically, the rate that a network can transfer data.
BASIC (Beginner's All-purpose Symbolic Instruction Code)
A high-level programming language that is easy to use. It is used mainly for microcomputers.
The processing of a group of related transactions or other items at planned intervals.
A unit of signaling speed. The speed in baud is the number of discrete conditions or events per second.
BDC (Backup Domain Controller)
A machine that is used to provide a degree of fault tolerance by maintaining a copy of the SAM.
A contraction of binary digit. The smallest unit of information that a computer can hold. The value of a bit (1 or 0) represents a simple two-way choice, such as yes or no, on or off, positive or negative, something or nothing.
To start up by loading the operating system into the computer. Starting up is often accomplished by first loading a small program which then reads a larger program into memory. The program is said to "pull itself up by its own bootstraps"—hence the term "bootstrapping" or "booting".
Boot Protocol (BOOTP)
A protocol used for remotely booting systems on the network.
Bps (bits per second)
A unit of data transmission rate.
A break in the system security that results in admittance of a person or program to an object.
A device used to connect LANs by forwarding packets addressed to other similar networks across connections at the Media Access Control data link level. Routers, which operate at the protocol level, are also called bridges.
A transmission system in which signals are encoded and modulated into different frequencies and then transmitted simultaneously with other signals.
A LAN data transmission scheme in which data packets are heard by all stations on the network.
Brute-Force Attack
A computerized trial-and-error attempt to decode a cipher or password by trying every possible combination. Also known as exhaustive attack.
A temporary holding area of the computer's memory where information can be stored by one program or device and then read at a different rate by another, for example, a print buffer. Also, the printer's random access memory (RAM), measured in kilobytes. Because computer chips can transfer data much faster than mechanical printer mechanisms can reproduce it, small buffers are generally inserted between the two, to keep the data flow in check.
An error in a program that prevents its working as intended. The expression reportedly comes from the early days of computing when an itinerant moth shorted a connection and caused a breakdown in a room-sized computer.
Bulletin Board System (BBS)
An electronic system that supports communication via modem among computers. Typically, a bulletin board system supports public and private electronic mail, uploading and downloading of public-domain files, and access to on-line databases. Large, commercial bulletin board systems, such as CompuServe and GEnie, can support many users simultaneously; smaller, local boards permit only one caller at a time.
A common connection. Networks that broadcast signals to all stations, such as Ethernet and ARCnet, are considered bus networks.
A unit of information having eight bits.



Cabling System
The wiring used to connect networked computers together.
A Windows NT command-line program that allows you to modify user permissions by using the DOS command prompt or by placing the commands within a file and running that file. A handy utility for managing large numbers of changes.
A procedure established for identifying a terminal dialing into a computer system: the computer system disconnects the calling terminal and reestablishes the connection by dialing the calling terminal’s telephone number.
Another name for board.
A list of files stored on a disk. Sometimes called a directory.
CD-ROM file system.
The acronym for Code Division Multiple Access.  The dominant PCS standard in North America, this spread-spectrum technology lets multiple callers share a segment of spectrum of frequencies.  Compare to FDMA and TDMA.
The acronym for Cellular Digital Packet Data.  A packet-based technology, which allows either 9.6 Kbps or 19.2 Kbps data rates over standard analog channels in the 800-900 MHz range, by finding and employing unused channels.
Central Processing Unit (CPU)
The "brain" of the computer; the microprocessor performing the actual computations in machine language.
The technical evaluation, made as part of and in support of the accreditation process, establishing the extent that a particular computer system or network design and implementation meet a specified set of security requirements.
An information transfer path within a system. May also refer to the mechanism by which the path is effected.
Letter, numerical, punctuation or any other symbol contained in a message.
Slang for a silicon wafer imprinted with integrated circuits.
Clear Text
Information that is in its readable state (before encryption and after decryption).
Complex Instruction Set Computer.
Subject to prescribed asset protection controls, including controls associated with classifications.
To assign a level of sensitivity and priority and, hence, security control to data.
To quickly press and release the mouse button. For example, you often click an icon to start an application.
A computer that accesses shared network resources provided by another computer (a server). In a client/server database system, this is the computer (usually a workstation) that makes service requests.
A network system design in which a processor or computer designated as a server (file server, database server, and so on) provides services to other client processors or computers.
Also known as coaxial, this is a cable that consists of two wires running inside a plastic sheath, insulated from each other.
A garbled transmission resulting from simultaneous transmissions by two or more workstations on the same network cable.
Command Prompt
The window in NT that provides DOS-like capabilities, letting you enter commands that execute within that window.
Commit Bytes
The actual amount of memory that all the applications need at any given moment.
Communication Link
An electrical and logical connection between two devices. On a local area network, a communication link is the point-to-point path between sender and recipient.
Communication Program
A program that enables the computer to transmit data to and receive data from distant computers through the telephone system or some other communication system.
The breaking down of sensitive data into small, isolated blocks for reducing the risk to the data.
A language translator that converts a program written in a high-level programming language (source code) into an equivalent program in some lower-level language, such as machine language (object code) for later execution.
Having all or necessary parts.
The loss, misuse, or unauthorized disclosure of a data asset.
Computer Name
For Windows NT purposes, a unique name of up to 15 uppercase characters identifying a computer to the network. The name cannot be the same as any other computer or domain name in the network, and it cannot contain spaces.
An operating situation when a threat arises. The condition is necessary and desirable for operations.
A parameter showing the privacy of the information (used particularly in costing functions involving information that has a security classification or is considered proprietary or sensitive).
(1) The total combination of hardware components (central processing unit, video display device, keyboard, and peripheral devices) forming a computer system. (2) The software settings allowing various hardware components of a computer system to communicate with each other.
Configuration Registry
A database repository for information about a computer's configuration, for example, the computer hardware, the software installed on the system, and environment settings and other information entered by persons using the system.
Connect Time
The amount of time a user connects to the file server.
In Windows NT, a text-based window managed by the Win32 subsystem. Environment subsystems direct the output of character-mode applications to consoles.
Control Codes
Nonprinting computer instructions such as carriage return and line feed.
Control Program
A program designed to schedule and supervise the performance of data processing work by a computing system.
Control Set
In Windows NT, a complete set of parameters for devices and services in the HKEY_LOCAL_MACHINE\SYSTEM key in the NT Registry.
Controlled Sharing
The scope or domain where authorization can be reduced to an arbitrarily small set or sphere of activity.
As used with Microsoft's Performance Monitor, the measurement of activity for a particular object, such as bytes read per second.
A malfunction caused by hardware failure or an error in the program.
Data with this preservation classification is essential to the organization's continued existence. The loss of such data would cause a serious disruption of the organization's operation.
A parameter indicating dependence of the organization on the information.
The unwanted transmission of a signal on a channel that interferes with another adjacent channel. Signal interference created by emissions passing from one cable element to another.
The steps and operations performed in converting messages (cipher) into plain text (clear) without initial knowledge of the key employed in the encryption algorithm.
Cryptographic System
The documents, devices, equipment, and associated techniques that are used as a unit to provide a single means of encryption (enciphering or encoding).
Transformation of plain text into coded form (encryption) or from coded form into plain text (decryption).
The field that includes both cryptanalysis and cryptography.
Identifying or relating specifically to a customer of the organization.



Impairment of the worth or usefulness of the information.
Processable information with the associated documentation. The input that a program and its instructions operate on and that determines the results of processing.
Data Base
(1) A collection of information organized in a form that can be readily manipulated and sorted by a computer user. (2) Short for database management system.
Database Management System
A software system for organizing, storing, retrieving, analyzing and modifying information in a database.
Data Base Server
A database server is the "back end" processor that manages the database and fulfills database requests in a client/server database system.
Data Contamination
A deliberate or accidental process or act that results in a change in the integrity of the original data.
Data-Dependent Protection
Protection of data at a level commensurate with the sensitivity level of the individual data elements, rather than with the sensitivity of the entire file that includes the data elements.
Data Diddling
Unauthorized alteration of data as it is entered or stored in a computer.
Data Integrity
Verified correspondence between the computer representation of information and the real-world events that the information represents. The condition of being whole, complete, accurate and timely.
Data Leakage
The theft of data or software.
Data Link Control (DLC)
A printer and host access protocol primarily used by PCs to communicate with IBM minicomputers and mainframes.
Data Protection
Measures to safeguard data from undesired occurrences that intentionally or unintentionally lead to modification, destruction or disclosure of data.
Data Security
Data security is the result achieved through implementing measures to protect data against unauthorized events leading to unintentional or intentional modification, destruction or disclosure of data.
Data Storage
The preservation of data in various data media for direct use by the system.
A colloquial term that means to find and correct an error or the cause of a problem or malfunction in a computer program. Usually synonymous with troubleshoot.
A utility program that allows a programmer to see what is happening in the microprocessor and in memory while another program is running.
To convert, by use of the appropriate key, cipher text (encoded, encrypted) into its equivalent plain text (clear).
Refer Decipher.
Dedicated File Server
A file server that is not used as a user's workstation. The machine is devoted to file service.
A weakness in organization, administration, programs, or machines that results in the appearance of threats.
Actions intended to harm. The results of such deliberate actions might well be different from those expected by perpetrators or victims. For example, arson and vandalism.
To render an asset ineffective or useless. It is a recognizable loss; for example, the file must be recovered from backup storage or reconstituted.
A generic term for a computer subsystem, such as a printer, serial port, or disk drive. A device frequently requires its own controlling software, called a device driver.
Device Driver
A software component that enables a computer system to communicate with a device. For example, a printer driver is a device driver that translates computer data into a form understood by the intended printer. In most cases, the driver also manipulates the hardware to transmit the data to the device.
The acronym for Dynamic Host Configuration Protocol. This is a tool that allows dynamic IP address allocation, simplifying machine configuration in your network.
A system based on discrete states, typically the binary conditions of on or off.
Digital Transmission
A communications system that passes information encoded as pulses. Baseband networks use digital transmissions, as do microcomputers.
A pictorial, alphabetical, or chronological list of the contents of a disk. A directory is sometimes called a catalog. It is used by the operating system to keep track of the contents of the disk.
The act or an instance of revelation or exposure. A disclosure can be obvious, such as the removal of a tape from a library or it can be concealed, such as the retrieval of a discarded report by an outsider or disgruntled employee.
Discretionary Access Control (DAC)
The protection that the owner of an object applies to the object by assigning various access rights to various users or groups of users.
A data storage device in which data is recorded on a number of concentric circular tracks on magnetic medium.
Disk Drive
An electromechanical device that reads from and writes to disks. Two types of disk drives are in common use: floppy disk drives and hard disk drives.
Disk Mirroring
The procedure of duplicating a disk partition on two or more disks, preferably on disks attached to separate disk controllers so that data remains accessible when either a disk or a disk controller fails. Disk mirroring provides a measure of fault tolerance.
Disk Partition
A logical compartment on a physical disk drive. A single disk might have two or more logical disk partitions, each of which would be referenced with a different disk drive name.
Disk Striping
The procedure of combining a set of same-sized disk partitions residing on separate disks into a single volume, forming a virtual "stripe" across the disks. This fault-tolerance technique enables multiple I/O operations in the same volume to proceed concurrently.
A complete and accurate description and authorization of a transaction and each operation a transaction passes through. The written (can be automated) description of a system or program and how it operates.
A collection of computers that share a common domain database and security policy. Each domain has a unique name.
Domain Controller
The server that authenticates domain logons and maintains the security policy and the master database for a domain.
Domain Name
A name assigned to a domain.
Domain Name System, or Server (DNS)
A distributed database system that allows TCP/IP applications to resolve a host name into a correct IP address.
To quickly press and release the mouse button twice without moving the mouse. Double-clicking is a means of rapidly selecting and activating a program or program feature.
To transfer a file from a large computer or BBS to a personal computer. "Upload" is the opposite operation.
The acronym for Dial-Up Networking. Easy to confuse with RAS because it is the newer version of RAS and it performs the same function. We think it was renamed to provide some consistency with Windows 95 terms.
The concept of using two disk drives and two disk controllers to store data, one serving as primary and the other for backup purposes.
Dynamic Host Configuration Protocol (DHCP)
The protocol used by a server to dynamically allocate IP addresses on a network. Designed to allow networked hosts to access configuration information across the network, instead of having to be configured by hand directly.



Unauthorized interception of data transmissions.
Enhanced Industry Standard Architecture. An older system data transfer bus architecture that was designed to manage 8-, 16- and 32-bit data transfers. Widely used; most expansion cards support this architecture.
A parameter indicating the sensitivity of an organization to public knowledge of the information.
Identifying or relating specifically to an employee of the organization.
The imitation of a computer system, performed by a combination of hardware and software, that allows programs to run between incompatible systems.
To convert plain text (clear) into unintelligible form by a cipher system.
See Encipher.
A network bringing all sites together through a communications medium.
Error Log
An audit trail of system warning messages displayed for the file server.
A local area network protocol developed by Xerox in 1973 and formalized in 1980. It is the most widely used network protocol.
Any significant occurrence in the system or in an application that requires users to be notified, or an entry to be added to a log.
Event Log Service
A service that records events in the system, security, and application logs.
Expected Lifetime
A parameter indicating the length of time the information is operative or has value to its owners.
A quantitative rating (in dollars per year) expressing the organization’s vulnerability to a given risk.
Extended Partition
Free space on a hard disk that is used to allow the disk to be further partitioned into logical partitions or drives.



Fail Safe
The automatic termination and protection of programs or other processing operations when a hardware or software failure is detected in a system.
Fail Soft
The selective termination of affected non-essential processing when a hardware or software failure is detected in a system.
The name given to the DOS file system. FAT stands for file allocation table and refers to the method of managing the files and directories on the DOS system.
Fault Tolerance
A computer and operating system's capability to respond gracefully to catastrophic events, such as a power outage or hardware failure. Usually, fault tolerance implies the capability either to continue the system's operation without loss of data or to shut down the system and restart it, recovering all processing in progress when the fault occurred.
The acronym for Frequency Division Multiple Access.  Used with AMPS, FDMA is a method for coordinating radio traffic to prevent interference between users sharing frequencies.  Only one subscriber can access a given frequency at any time.  Compare to CDMA and TDMA.
Fiber-Optic Cable
A cable constructed using a thin glass or plastic core that conducts light rather than electrical signals.
A particular type or category of information in a database management program, for example, a variable. A location in a record where a particular type of data is stored. In other words, a field is a single unit of data such as a name or address.
A single, named collection of related information stored on magnetic medium.
File Allocation Table (FAT)
A table or list maintained by some operating systems, such as MS-DOS, to keep track of the status of various segments of disk space used for file storage.
File Attribute
A restrictive label attached to a file that describes and regulates its use, for example, archive, hidden, read-only, and system.
File Server
A computer that provides network stations with controlled access to shareable resources.
File Size
The length of a file, typically given in bytes.
File System
In an operating system, the overall structure by which files are named, stored, and organized.
The process of setting up a drive space to allow an operating system to use the space. Each operating system, such as MAC, DOS, and NT, uses distinct file system formats, and a drive must be formatted in order for the system to be able to use it.
A deliberate deception perpetrated for unlawful or unfair gain.
File transfer protocol. A program that enables clients to transfer files between computers.
Fully Qualified Domain Name (FQDN)
The complete host name and domain name of a network host.



A device that provides routing and protocol conversion among physically dissimilar networks and computers, for example, LAN to host, LAN to LAN, X.25, and SNA gateways. That is, a multihomed host used to route network traffic from one network to another. Also used to pass network traffic from one protocol to another.
To authorize.
The acronym for Global System for Mobile Communications. A variant of TDMA, GSM is the closest thing to a world standard for cellular service. A single-frequency cellular handset may work compatibly in Europe, Asia, India and Africa, but not North America.
The acronym for Graphical User Interface.

[Back to top]


A computer enthusiast; also, one who seeks to gain unauthorized access to computer systems.
A dialog between a user and a computer, a computer and another computer, a program and another program for identifying a user and authenticating his identity, through a sequence of questions and answers based on information either previously stored in the computer or supplied to the computer by the initiator of the dialog. Also, when used in context, it refers to the controlled movement of bits between a computer and a printer.
In computer terminology, the machinery that forms a computer system.
Hardware Abstraction Layer (HAL)
A dynamic link library that encapsulates platform-dependent code. Think of it as a layer of software provided by the hardware manufacturer that hides, or abstracts, hardware differences from higher layers of the Windows NT operating system. Different hardware looks alike to the operating system, thus removing the need to tailor the operating system to each and every hardware type.
Microsoft's Hardware Compatibility List. This is a list of all hardware that is certified to run with NT. You can find the list on the Internet at the following address: http://www.microsoft.com/isapi/hwtest/hcl.idc.
A measure of frequency or bandwidth. The same as cycles per second.
Hierarchical Database
A database organized in a treelike structure.
High Performance File System (HPFS)
The file system designed for OS/2 Version 1.2.
Host Computer
The computer that receives information from and sends data to terminals over telecommunication lines. It is also the computer that is in control in a data communication network. The host computer can be a mainframe computer, minicomputer, or microcomputer.
Host Name Resolution
The process of determining a network address when presented with a network host name and domain name, usually by consulting the Domain Name System.
The acronym for High Performance File System, provided by OS/2 operating systems. Files in this format can be read by NT.
(1) A device used on certain network topologies that modifies transmission signals, allowing the network to be lengthened or expanded with additional workstations. The hub is the central device in a star topology. (2) A computer that receives messages from other computers, stores them, and routes them to other computer destinations.

[Back to top]


I/O Device (input/output device)
A device that transfers information into or out of a computer.
Icon
In graphical environments, a small graphics image displayed on-screen to represent an object that can be manipulated by the user; for example, a recycle bin can represent a command for deleting unwanted text or files.
The acronym for Integrated Drive Electronics, the older disk drive architecture that usually integrates directly with the disk drive instead of using a separate card.
The process that enables, generally using unique machine-readable names, recognition of users or resources as identical with those previously described to a system.
IEEE (Institute of Electrical and Electronic Engineers)
One of several groups whose members are drawn from industry and who attempt to establish industry standards. The IEEE 802 committee has published numerous definitive documents on local area network standards.
Includes input, output, software, data and all related documentation.
Information Pool
Consists of data designated as accessible by authorized individuals.
(1) To set to an initial state or value in preparation for some computation. (2) To prepare a blank disk to receive information by organizing its surface into tracks and sectors; same as format.
Input/Output (I/O)
The process by which information is transferred between the computer’s memory and its keyboard or peripheral devices.
An NT term relating to particular tasks in each object. Objects often have more than one instance, such as the Processor and its %Interrupt Time or %User Time or %Processor Time.
Freedom from errors.
A device or program that allows two systems or devices to communicate with each other. An interface provides a common boundary between the two systems, devices, or programs. Also, the cables, connectors, and electrical circuits allowing communication between computers and printers.
Interrupt Request Lines (IRQ)
Hardware lines over which devices can send signals to get the attention of the processor when the device is ready to accept or send information. Typically, each device connected to the computer uses a separate IRQ.
A user or another agent attempting to gain unauthorized access to the file server.
IP Address
A 32-bit network address that uniquely locates a host or network within its internetwork.
The acronym for Integrated Services Digital Network. A digital phone line that allows faster transmission speeds (128Kbps) than analog phone lines (56Kbps).
The acronym for Internet Service Provider, a firm that offers connections to the Internet for a fee.

[Back to top]


Instability of a signal for a brief period.
A combined run of one or more application programs that are automatically processed in sequence in the computer.

[Back to top]


The core of an operating system. The portion of the system that manages memory, files, and peripheral devices; maintains the time and date; launches applications; and allocates system resources.
In cryptography, a sequence of symbols that controls the operations of encryption and decryption.
Key Generation
The origination of a key or of a set of distinct keys.

[Back to top]


Least Privilege
A principle that users should be assigned only the access needed to perform their business functions.
Local Area Network (LAN)
A communications system using directly connected computers, printers, and hard disks allowing shared access to all resources on the network.
Local Security Authority (LSA)
An integral subsystem of the Windows NT security system. The LSA manages the local security policy and provides interactive user authentication services. It also controls the generation of audit messages and enters audit messages into the audit log file. It creates a security access token for each user accessing the system.
Logic Bomb
Malicious action, initiated by software, that inhibits the normal system functions; a logic bomb takes effect only when specified conditions occur.
Logical Access
Access to the information content of a record or field.
Logical File
Refers to the data that a file contains.
Logical Partition
A subpartition of an extended partition on a drive, commonly called a logical drive. See extended partition.
The process of accessing a file server or computer after physical connection has been established.
The process of identifying oneself to a computer after connecting to it over a communications line. During a logon procedure, the computer usually requests the user's name and a password. Also called login.

[Back to top]


The term used for very large computers that support thousands of users and huge databases.
(1) To assign a workstation drive letter to a server directory. (2) To translate a virtual address into a physical address.
Media Access Control (MAC)
Part of the physical layer of a network that identifies the actual physical link between two nodes.
A list of options from which users select.
Menu Option
An option on a menu that performs some action, prompts the user for additional information, or leads to another menu.
A general term referring to a small computer having a microprocessor. In this book, you can use the term interchangeably with personal computer.
A method of ensuring data replication using two hard drives that are connected to the same disk controller. Less robust than duplexing because of the shared controller. Otherwise, duplexing and mirroring can be considered to be essentially the same thing.
A modulator-demodulator. A device that lets computers communicate over telephone lines by converting digital signals into the phone system's analog signals and vice versa.
An asset is partly altered so that its form or quality has changed somewhat. A file can appear intact and may be perfectly usable, yet it can contain erroneous information.
The use of automated procedures to ensure that the controls implemented within a system are not circumvented.
A computer that has more than one network card, either physically or logically. Often used as a router for connecting two networks.

[Back to top]


The necessity for access to, knowledge of, or possession of sensitive information to fulfill official duties. Responsibility for determining whether a person's duties require that he have access to certain information, and whether he is authorized to receive it, rests on the owner of the information involved and not on the prospective recipient.
NetBIOS Extended User Interface (NetBEUI)
A small, fast protocol that requires little memory but is not routable.
A collection of inter-connected, individually controlled computers, printers and hard disks, with the hardware and software used to connect them.
Network Adapter
A circuit board that plugs into a slot in a PC and has one or more sockets to which you attach cables. Provides the physical link between the PC and the network cable. Also called network adapter card, network card, and network interface card (NIC).
Network Address
A unique identifier of an entity on a network, usually represented as a number or series of numbers.
Network Basic Input/Output Operating System (NetBIOS)
A network file-sharing application designed for use with PC DOS personal computers, usually implemented under TCP/IP at the application layer.
Network Drive
An online storage device available to network users.
Network Interface Card
See network adapter.
Network Operating System
An operating system installed on a server in a local area network that coordinates the activities of providing services to the computers and other devices attached to the network.
Network Station
Any PC or other device connected to a network by means of a network interface board and some communications medium. A network station can be a workstation, bridge, or server.
A point of interconnection to a network. Normally, a point at which a number of terminals are located.
A 16-byte challenge issued by the authentication service.
NT File System (NTFS)
A file system designed for use with Windows NT. NTFS supports file system recovery and extremely large storage media.
An NT file system acronym for New Technology File System. The particular way data is stored on an NT system when chosen over the FAT file system.

[Back to top]


(1) A single runtime instance of a Windows NT defined object type containing data that can be manipulated only by use of a set of services provided for objects of its type. (2) Any piece of information, created by a Windows-based application with object linking and embedding capabilities, that can be linked or embedded into another document. (3) A passive entity that contains or receives data. Access to an object potentially implies access to the information it contains.
Object Handle
Includes access control information and a pointer to the object itself. Before a process can manipulate a Windows NT object, it first must acquire a handle to the object through the Object Manager.
Object Linking and Embedding (OLE)
A way to transfer and share information between applications.
State in which the printer or some other device is not ready to receive data.
Operating System
Software that controls the internal operations (housekeeping chores) of a computer system. Operating systems are specific to the type of computer used.
An employee or agent of the client who is assigned responsibility for making and communicating certain judgments and decisions regarding business control and selective protection of assets, and for monitoring compliance with specified controls.

[Back to top]


A generic term referring to any group of detailed computer programs necessary to achieve a general objective. For example, an accounts receivable package would include all programs necessary to record transactions in customer accounts, produce customer statements, and so forth.
A group of bits transmitted as a whole on a network.
Short for packet assembler/disassembler, used in X.25 technologies.
The act of moving data to disk when physical memory is full. A component of virtual memory.
Parallel Interface
A printer interface that handles data in parallel fashion, eight bits (one byte) at a time.
Parity Bit
A way of marking the eighth bit in a data byte so that 7-bit ASCII characters between 0 and 127 are sent and received correctly. There are three kinds of parity: odd, even, and none.
A portion of a physical disk that functions as though it were a separate unit.
Privileged information given to, or created by, the user and entered into a system for authentication purposes. A protected word or secret character string used to authenticate the claimed identity of an individual, a resource or access type.
A 32-bit data transfer bus used in newer machines and generally faster than the older EISA bus. Most Intel-based machines built today support this standard.
The acronym for Personal Communication Service/System. Refers to the 3 dominant digital cellular technologies operating in the 1.9 GHz band in North America: CDMA, GSM and TDMA.
Acronym for Primary Domain Controller. The machine that provides user authentication for the NT network.
A successful unauthorized access to a system.
Any device used for input/output operations with the computer’s central processing unit (CPU). Peripheral devices are typically connected to the microcomputer with special cabling and include such devices as modems and printers.
A particular form of allowed access, e.g., permission to READ as contrasted with permission to WRITE.
Physical Drive
The actual hardware that is set in the computer and used to store information. Often called the hard drive, C drive, or D drive after the letter assigned to it by the system.
Physical Security
Physical protection of assets achieved through implementing security measures.
A network application that uses UDP to verify reachability of another host on any internetwork.
Plain Text
Intelligible text or signals that have meaning and that can be read or acted upon without the application of any decryption.
A means of controlling devices on a line.
(1) A connection or socket used to connect a device to a computer, such as a printer, monitor, or modem. Information is sent from the computer to the device through a cable. (2) A communications channel through which a client process communicates with a protected subsystem. Ports are implemented as Windows NT objects.
Primary Domain Controller
For Windows NT Server domains, the server that authenticates domain logons and maintains the security policy and the master domain database.
The entity in a computer system to which authorizations are granted; thus, the unit of accountability in a computer system.
Print Queue
A shared storage area on the file server where the system sends every print job before sending it to the print server or print device.
Print Server
Software that takes jobs from the print queue and sends them to the printer.
Your right to control or influence what information related to you may be collected and stored and by whom and to whom that information may be disclosed.
A means of protecting the use of certain system functions that can affect system resources and integrity. System managers grant privileges according to the user’s needs and deny them to restrict the user’s access to the system.
A systematic sequence of operations performed on data.
A set of characters at the beginning and end of a message that enables two computers to communicate with each other.

[Back to top]


A first-in/first-out data structure, used for managing requests to process data; for example, files to be printed.
Quid pro quo
Used in law for the giving of one valuable thing for another.

[Back to top]


The acronym for Remote Access Services. This is the NT 3.x version of Dial-Up Networking; it is used to connect machines together via telephone or other means.
A fundamental operation that results only in the flow of information from an object to a subject.
Read Access
Permission to read data.
A term used to describe information stored in such a way that it can be played back (read) but not changed (written).
A collection of related information (fields) that is treated as one unit within a file.
Recovery Cost
A parameter associated with restoring an organization to operate as before an event.
Networking software that accepts I/O requests for remote files, named pipes, or mail slots and then sends (redirects) them to a network server on another machine. Redirectors are implemented as file system drivers in Windows NT.
As used here, the database repository for information about the computer's configuration, including the hardware, installed software, environment settings, and other information.
Registry Editor
An application provided with Windows NT that allows users to view and edit entries in the Registry.
Remote Administration
Administration of one computer by an administrator located at another computer and connected to the first computer across the network.
A device that extends the range of a network cable segment. A hub is really just a multi-port repeater.
Request for Comments (RFC)
The official designation of the Internet standards documents.
In a system, any function, device, or data collection that may be allocated to users or programs.
Resource Sharing
The concurrent use of a resource by more than one user, job, or program.
To take away previously authorized access from some principal.
User capabilities given for accessing files and directories on a file server.
A network topology that connects each workstation in a circular fashion and sends the network signal in a unidirectional manner through the circle.
Acronym for Request For Comments, used by the Internet Advisory Board and IETF to set de facto standards.
Acronym for Reduced Instruction Set Computer.
The potential that a given threat has of occurring within a specific period. The potential for realization of unwanted, negative consequences of an event.
Risk Analysis
An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events.
A Layer 3 device that connects two or more networks together. A router reads packets sent along the network and determines their correct destinations.

[Back to top]


Randomly searching for valuable data in a computer’s memory or in discarded or incompletely erased magnetic media.
The acronym for Small Computer Standard Interface. Originally designed for the UNIX world, it is designed to handle high speeds and multiple devices, such as disk and tape drives.
Protection of all those resources that the client uses to complete its mission.
Security Account Manager (SAM)
A Windows NT protected subsystem that maintains the SAM database and provides an application programming interface (API) for accessing the database.
Security Descriptor
A data structure attached to an object that protects the object from unauthorized access. It contains an access control list (ACL) and controls auditing on the object.
Security ID (SID)
A unique name that identifies a logged-on user to the security system. Security IDs can identify one user or a group of users.
Security Policy
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. For Windows NT, the security policies consist of the Account, User Rights, and Audit Policies, and they are managed using User Manager for Domains.
Security Reference Manager (SRM)
A Windows NT Server security subsystem that authenticates user logons and protects system resources.
A data classification category. Loss, misuse, or unauthorized disclosure of data with this protection classification would have a serious negative impact. Such an incident would be very harmful to the organization.
Sensitive Program
An application program whose misuse through unauthorized activity could lead to serious misappropriation or loss of assets.
The characteristic of a resource that implies its value or importance, and may include its vulnerability.
Serial Interface
An interface that handles data in serial fashion, one bit at a time.
A network device that provides services to client stations. Servers include file servers, disk servers and print servers.
Server Manager
An application used to view and administer domains, workgroups, and computers.
Share Name
The name of a shared resource.
Shared Directory
A directory where network users can connect.
Protective covering that eliminates electromagnetic and radio frequency interference.
A unique identifier maintained internally by NT that identifies a user or group of users to the system.
Small Computer System Interface (SCSI)
A standard used for connecting microcomputers to peripheral devices, such as hard disks and printers, and to other computers and local area networks.
A computer professional who seeks to test security by attempting to gain unauthorized access to computer systems.
The acronym for Simple Object Access Protocol. Standard for linking Internet applications running on different platforms, using XML messages.
Programs and routines to be loaded temporarily into a computer system, for example, compilers, utilities, operating system and application programs.
As used in this book, a synonym for protocol.
A topology in which each node is connected to a central hub.
The combination of the user's access token and the program acting on the user's behalf. Windows NT uses subjects to track and manage permissions for the programs each user runs.
A menu below the main menu.
A physical or logical subdivision of a TCP/IP network; usually a separate physical segment that uses a division of the site's IP network address to route traffic within the organizational internetwork.
The network supervisor is the person responsible for the operation of the network. The network supervisor maintains the network, reconfiguring and updating it as the need arises.
System Integrity
The behaviour of a hardware/software system that does the right things; further, it does these things right and does them when they are needed.

[Back to top]


Acronym for Transmission Control Protocol/Internet Protocol. This is the protocol suite that drives the Internet. Very basically, TCP handles the message details and IP manages the addressing. It is probably the most widely used network protocol in the world today.
The Trusted Computer System Evaluation Criteria.
The acronym for Time Division Multiple Access. Method for dividing a single analog channel into a number of time slots and assigning each caller a distinct time slot within a given channel, allowing more than one caller to use a channel at any time without interference. GSM is a variant. Compare to CDMA and FDMA.
The electronic transfer of information via telephone lines from computer to computer. See electronic mail; BBS; modem.
A program that allows terminal emulation for communicating between machines via TCP/IP.
A simpler version of the FTP program that operates using UDP/IP services.
One or more events that may lead to either intentional or unintentional modification, destruction or disclosure of data. An eventuality which, should it occur, would lead to an undesirable effect on the environment.
Token Ring
A network topology regulated by the passing of a token that governs the right to transmit.
The physical layout of the network cabling.
A set of operations that completes a unified task.
An abrupt change in voltage, of short duration.
Transmission-on/Transmission-off (X-ON/X-OFF)
A type of software handshaking.
A set of special instructions, originally created for testing and troubleshooting, that bypasses security procedures and allows direct access to a computer's operating system or to other software.
Trojan Horse
A program, purporting to do useful work, that conceals instructions to breach security whenever the software is invoked.
Trust Relationship
Links between domains that enable passthrough authentication, in which a user only has one user account in one domain yet can access the entire network. A trusting domain honors the logon authentications of a trusted domain.
Twisted Pair
A common type of wiring that uses two wires twisted together yet insulated from each other. Can be purchased shielded or unshielded.

[Back to top]


The User Datagram Protocol, an older protocol that does not offer good error detection or recovery. It is used by SNMP and TFTP, as well as the Network File System (NFS).
Unbounded Media
Media that use radio frequencies, microwaves, or other media to transmit data.
A fixed-width, 16-bit character encoding standard that is capable of representing all the world's scripts.
Used imprecisely to refer to the individual who is accountable for some identifiable set of activities in a computer system.
User Group
A computer club in which computer users exchange tips and information, publish a newsletter, support a local BBS, and listen to sales pitches from vendors at meetings. A meeting of like-minded individuals who practice information sharing, e.g., GUIDE, SHARE, DECUS, ISSA and ISACA.
User Manager
A Windows NT Workstation tool used to manage the security for a computer. Administers user accounts, groups, and security policies.
User Manager for Domains
A Windows NT Workstation Server tool used to manage the security for a domain or an individual computer. Administers user accounts, groups, and security policies.
User Rights Policy
Manages the assignment of rights to groups and user accounts.
Useful programs with which you can rename, copy, format, delete, and otherwise manipulate files and volumes.

[Back to top]


Confirmation that the object is what it purports to be. Also, confirmation of the identity of a person (or other agent external to the protection system) making a request.
The acronym for Vendor Independent Messaging, which is an e-mail API.
Virtual Memory
Combines the physical RAM available in the machine with disk space to simulate an environment in which you have more memory than you physically have in RAM. NT tries to assess what parts of memory are least likely to be used and pages this information out to the disk area until it is needed.
A program, usually a Trojan Horse, that copies itself into new databases and computers whenever the infected, parent program is invoked.
A storage device, such as a disk pack, mass storage system cartridge, or magnetic tape. For our purposes, diskettes, cassettes, mag cards, and the like are treated as volumes.
Volume Set
A collection of partitions possibly spread over several disk drives that has been formatted for use as if it were a single drive.
The cost that an organization would incur should an event happen.

[Back to top]


The acronym for Wide Area Network, a network covering a wide geographical area, usually at a lower capacity than a Local Area Network.
The acronym for Wireless Application Protocol. WAP is a network-neutral protocol for sending data to and from WAP-enabled devices, such as cellular phone handsets.
The acronym for Wireless Equivalency Privacy, which is the encryption protocol used with 802.11b wireless networks.
A communications channel that has greater bandwidth than voice-grade lines.
Windows Internet Naming Service (WINS)
A service that translates Windows computer names (or NetBIOS names) to IP addresses.
Monitoring or recording data as it moves across a communications link; also known as traffic analysis.
The acronym for Wireless Markup Language, which is another subset of SGML. Protocol used for scripting WAP pages.
In general, a powerful computer having considerable calculating and graphics capability. For Windows NT, computers running the Windows NT Workstation operating system are called workstations, as distinguished from computers running Windows NT Server, which are called servers.
A type of malware that consumes computer resources, e.g., CPU cycles or disk space.
Windows on Win32.
A fundamental operation that results only in the flow of data from a subject to an object.
Write Access
Permission to write an object.

[Back to top]


A protocol that allows you to route information through a packet-switching public data network, such as Datapac. An older technology, it operates at a top speed of 64Kbps, and it was designed for earlier days when telephone networks were less reliable than today.
ITU standard defining the format of electronic mail.
ITU standard defining directory services for naming and addressing.
The acronym for eXtensible Markup Language, which is a subset of SGML (Standard Generic Markup Language).

[Back to top]