C

Cache – this is the section of a computer’s memory which retains recently accessed data in order to speed up repeated access to the same data. If the data on the Web has altered since you last visited it, you may need to refresh the page to see the new data, otherwise you will only see what is stored in the cache.

Can-Spam – the US Act against spam.

CAP – Certification and Accreditation Professional. The CAP credential, awarded by (ISC)2, is specifically designed for security professionals involved in certification and accreditation. This qualification supports those formalising processes used to assess risk and establish security requirements, as well as ensuring information systems possess security appropriate for their level of exposure to potential risk. See (ISC)2.

CBK – Common Body of Knowledge – a term which is widely used in different disciplines to describe an agreed collection of knowledge about a subject. It is often, therefore, the subject of individual certification tests and exams.

C:cure – a framework designed by the UK Department of Trade and Industry to support the implementation of BS7799-2 (an early version of ISO27001) in the early days of the accredited certification scheme. This framework was available from 1997 to 2000, when it was withdrawn.

CDPA – see Copyright Designs and Patents Act.

CEH – Certified Ethical Hacker. The CEH programme certifies individuals in the specific discipline of ethical hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure.

Cellphones – see Mobile phones.

CE marking – indicates conformity with European safety requirements as laid down in EU regulatory standards.

CEN – the European Committee for Standardisation is a private, non-profit organisation whose mission is to provide an efficient infrastructure for the development, maintenance and distribution of coherent sets of standards and specifications.

CENELEC – a non-profit technical organisation, composed of the National Electrotechnical Committees of 29 European countries.

CERT – the Computer Emergency Response Team is the Internet emergency response team formed by the US Defence Advanced Research Projects Agency (DARPA).

Certificate – this is an encrypted file that contains information to identify a user or server.

Certificate authority (CA) – a CA is a trusted third party who will issue a digital certificate to attest the authenticity of an organisation’s public key. The CA will review the credentials of any organisation that wants a digital certificate before issuing it. This review will include the Dun and Bradstreet number or Articles of Incorporation (in the UK) and a thorough background check to ensure that the organisation is what it claims to be. The CA may be a secure server on the network (the single trust model) or an external third party organisation recognised by many (the multi-party trust model). The keys used are either 40-bit or 128-bit.

Certificate in Information Security Principles – the key ISO27001-based ISEB qualification.

Certification – the process through which a certification body confirms that a product, process or service conforms to a specific standard or specification. For example, an organisation becomes certificated to ISO27001:2005.

Certification body – see Third party certification body.

CESG – the information assurance (IA) arm of the UK’s Government Communications Headquarters (GCHQ). CESG offers a range of products and services including technical consultancy and advice, policy documentation, product evaluation and training, primarily to UK government and the armed forces, the wider public sector, and industries forming part of the ‘critical national infrastructure’.

Challenge-response – is a technique for fighting spam which requires a new sender to prove legitimacy to the recipient by entering a code on a website.

Change control – is the process and procedures to identify, document, review, and authorise any changes to software, documents, projects, etc.

Change record – a record containing details of which configuration items are affected, and how they are affected, by an authorised change. ****

CHAP – the Challenge Handshake Authentication Protocol is a method of authentication between a server and a client.
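The following is an added worked example, not taken from the glossary or any product it mentions. It walks through one CHAP round trip as RFC 1994 specifies it with the MD5 algorithm: the server sends a random Challenge with a one-octet Identifier, the client answers with MD5(Identifier || secret || Challenge) and its name, and the server recomputes the value from its own copy of the secret. The peer name "alice", the secrets and the 16-byte challenge length are constructed for the demo; the secret itself never crosses the wire, and because each challenge is single-use a captured response cannot be replayed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP, MD5 algorithm: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge and checks the peer's response."""

    def __init__(self, secrets_by_name: dict):
        self.secrets_by_name = secrets_by_name  # peer name -> shared secret (constructed demo store)
        self.pending = {}                       # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256  # Identifier field is a single octet
        challenge = os.urandom(16)               # unpredictable and unique per exchange
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # consumed on first use: defeats replay
        secret = self.secrets_by_name.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ChapPeer:
    """Client side: proves knowledge of the secret without ever transmitting it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(peer_secret: bytes, server_secret: bytes, replay: bool = False) -> bool:
    """Drive one Challenge -> Response -> Success/Failure round trip (constructed demo)."""
    server = ChapAuthenticator({"alice": server_secret})
    peer = ChapPeer("alice", peer_secret)
    identifier, challenge = server.challenge()            # 1. Challenge packet, server -> peer
    name, response = peer.respond(identifier, challenge)  # 2. Response packet, peer -> server
    ok = server.verify(identifier, name, response)        # 3. Success or Failure, server -> peer
    if replay:
        # Re-present the same response: the challenge has been consumed, so it is rejected.
        return server.verify(identifier, name, response)
    return ok


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"example-secret", b"example-secret"))
    print("wrong secret:", run_exchange(b"example-secret", b"other-secret"))
    print("replayed response:", run_exchange(b"example-secret", b"example-secret", replay=True))
```

The protocol's strength rests entirely on the randomness and single use of the challenge and on the secrecy of the shared secret; the MD5 construction is what RFC 1994 defines, which is why CHAP is a legacy mechanism today rather than a choice for new designs.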

Chat rooms – are virtual rooms, on the Web, in which users can chat (normally by typing) in real time.

CHECK IT Health Check – to become a CHECK Team Leader you must pass the CHECK Service Assault Course (CSAC) which is a rigorous assessment designed to assess IT security consultants against a skill set baseline of practical penetration testing. The CSAC can only be taken by security professionals working for a CHECK-approved service provider.

Chrome – Google’s browser.

CIA – in the information security world, this is usually represented in a hyphenated form: C-I-A. It doesn’t refer to a well-known security agency. The acronym is for Confidentiality – Integrity – Availability. The CISSP CBK (2nd Edition) says that ‘a common thread among all good information security objectives is that they address at least one (if not all three) of [these] core security principles’. International standards, on the other hand, recommend that an ISMS should address ALL three.

Cipher – a cryptographic algorithm used for encryption or decryption.

CIS – the Center for Internet Security is a standard setter for secure configuration of systems connected to the Internet; see website at: www.cisecurity.org.

CISA – Certified Information Systems Auditor. CISA is a certification for information systems (IS) audit, control and security professionals. It recognises an individual’s achievements in conducting information system audits. Candidates looking to gain the CISA certification must sit an examination, submit evidence of a minimum of five years’ IS auditing, security or control work and agree to abide by ISACA’s Code of Professional Ethics. See also ISACA.

CISM – Certified Information Security Manager. The CISM certification programme is for experienced information security managers and those with information security management responsibilities. It is for security professionals who manage, design, oversee and/or assess an enterprise’s information security. The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services.

CISMP – Certificate in Information Security Management Principles. This ISEB qualification, which is based on ISO27001, provides a base level of knowledge for individuals who are thinking of moving into a security or security-related function. It also offers an opportunity to those for whom security responsibility is already part of their day-to-day role to enhance or refresh their knowledge.

CISSP – Certificate for Information System Security Professional. The CISSP certification, awarded by (ISC)2, provides information security professionals with an objective measure of competence and a globally recognised standard of achievement. The CISSP credential suits mid- and senior-level managers who are working towards or have already attained positions as CISOs, CSOs or Senior Security Engineers. See (ISC)2.

CLAS – the CESG Listed Adviser Scheme, CLAS, is a partnership linking the information assurance knowledge of the CESG with the expertise and resources of the private sector. CLAS consultants are approved to provide information assurance advice on systems processing protectively marked information up to, and including, ‘secret’. The scheme is particularly relevant to consultants dealing with UK government clients.

Classification system – a system where information assets are classified and clearly marked according to their sensitivity, confidentiality, value, importance, etc.

Client – a computer that uses a server or a network service for something that it cannot do on its own.

Cloaking bags – are bags that are designed to block WiFi and Bluetooth signals and which can protect ‘always on’ cellphones and PDAs from signal leakage or hijacking.

Cloud, the – the Internet is increasingly referred to as the Cloud, from the cloud drawings that are often used in network maps to identify the networking regions beyond the digital borders of a given network.

Cloud computing – the delivery of services from web servers and data centres linked to the Internet, both of which are usually owned and managed by third parties who specialise. See also SaaS and SaaP.

CMDB – see Configuration management database.

CObIT – Control Objectives for Information Technology is a proprietary control framework owned by ISACA, which contains a wide range of information technology controls, including information security controls. It is currently in version 4.1 and is due for an update in late 2010. It is widely deployed as part of an organisation’s framework for assuring the general technology controls that underpin its financial processes.

CoCo – a Code of Connection sets out the specific requirements with which an entity must comply if it wishes to connect to another entity’s network. Well-known CoCos in the UK include the government secure network and the NHS backbone.

Code of Practice – provides guidance and uses words like ‘should’ to indicate that compliance is not mandatory. It sets out what should be in an ISMS rather than how it should be designed. Organisations can choose controls from this code of practice or anywhere else, provided the requirements of the specification are met.

Combined Code – this replaces and refines the earlier requirements of the Cadbury and Greenbury reports on corporate governance and directors’ remuneration. It came into force for all listed companies for year ends after December 1998. The Combined Code requires directors of listed companies to annually review all their controls, ‘including financial, operational, compliance and risk management’.

‘Commercial in confidence’ – this is a classification level for information. It is not clear what purpose it serves, other than to highlight to someone who receives it that it may have value on the black market. An information security classification system needs to be simple, practical and coherent.

Common Criteria (CC) – the ‘CC defines a set of IT requirements of known validity which can be used in establishing security requirements for prospective products and systems’. The official CC website is at www.commoncriteriaportal.org.

Compact disc – a CD used as a storage medium for computer data rather than audio.

Compartmentalisation – is the concept of an internally secure network designed with a number of co-operating sub-networks and light firewalls and routers.

Compliance – a positive answer to the question: ‘Is what is taking place in line with the pre-specified requirements for what should take place?’ Hence, non-compliance and compliance monitoring. Compliance is often used in a legal context.

Computer Misuse Act 1990 – the Act was designed to set up provisions for securing computer material against unauthorised access or modification. The Act basically outlaws, within the UK, hacking and the introduction of computer viruses.

Computer security – ensuring that the physical hardware, the computer, is secure, is part of the overall job of ensuring that all the information is secure. Computer security is just a part of the whole job. See also Information security.

Confidentiality – with ‘availability’ and ‘integrity’, one of the three key legs of an Information Security Management System. The CISSP CBK (2nd Edition) describes confidentiality as ‘efforts made to prevent unauthorised disclosure of information to those who do not have the need, or right, to see it’. There are a couple of very similar formal definitions, below.

Confidentiality – information that is not made available or disclosed to unauthorised individuals, entities or processes. #

Confidentiality – ensuring that information is accessible only to those authorised to have access. **

Configuration – how the components of a computer or a network are set up.

Configuration item – a component of an infrastructure or an item which is, or will be, under the control of configuration management. **** Configuration items may vary widely in complexity, size and type, ranging from an entire system, including all hardware, software and documentation, to a single module or a minor hardware component.

Configuration management database – this is a database containing all the relevant details of each configuration item and details of the important relationships between them. ****

Conformance – fulfilment of a requirement. A positive answer to the question: ‘Is what is taking place in line with the pre-specified requirements for what should take place?’ Hence, non-conformance and conformance monitoring. Conformance is often used in a non-legal context.

Control – a means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be administrative, technical, management or legal in nature; also used as a synonym for safeguard or countermeasure (# and *). According to the CISSP CBK (2nd Edition), there are seven main categories of control:

  1. Directive: specify what is acceptable.
  2. Deterrent: discourage violations of directives.
  3. Preventive: as it says, they prevent a security incident.
  4. Compensating: substitute for the loss of primary controls and mitigate risk to an acceptable level.
  5. Detective: signal a warning when another control has been breached.
  6. Corrective: remedy circumstances, mitigate damage, restore controls.
  7. Recovery: restore conditions to normal after a security incident.

There are also three main types of control:

  1. Administrative: policies and procedures within a management system.
  2. Technical (logical): electronic controls in hardware and software that primarily manage access to information assets.
  3. Physical: controls that protect people, premises and environment.

Control objective – a risk treatment plan objective, a statement describing what is to be achieved by implementing (one or more of a number of) controls. #

Control standard – the level to which it has been decided that a risk must be controlled; this is usually determined by balancing the cost of the control, the likelihood of the risk, and its potential impact, to determine how much should be invested in controlling it. This cost of control (which should not exceed the likely cost of the impact) is translated into a standard against which the effectiveness of the control can be assessed.

Cookie – this is a small data file that a website stores on a surfer’s computer and which contains information about the user (e.g. user preferences) that is relevant to the user’s experience of the website.

Copyright Designs and Patents Act 1988 (CDPA) – this is a complex and difficult area for any organisation that deals in intellectual property and appropriate professional advice should be taken from a firm that specialises in it.

Corrective action – is action to eliminate the cause of a detected non-conformity or other undesirable situation (ISO9000:2005).

Covert channels – are those channels installed, usually by software developers, in order to simplify the process of getting back into a piece of code, in order to amend it. These channels can be exploited by hackers.

CPU – the central processing unit drives your computer.

Crackberry – the descriptive term sometimes applied to a BlackBerry by the spouse of a BlackBerry user, who is apparently unable to get through more than a couple of minutes without checking the BlackBerry for new e-mail.

Crackers – hackers who break into computer systems specifically to steal data or cause damage. Hackers like to say that crackers break in, but that hackers get permission first and will publish their discoveries. Hence: crack and cracking.

Crash – this is what software sometimes does; see Blue screen.

Credit cards – pieces of plastic that enable people to get into debt; they are also essential for online shopping. See also Payment card.

Credit reports – summary of financial information about consumers, assembled on the basis of information filed with credit reporting companies, primarily by lenders.

Crime – see Cybercrime.

Critical – ‘having a decisive importance in the success or failure of something’ (OED, Concise, 11th edn).

Critical infrastructure – this is the construct of foundation systems and services that citizens and businesses rely on for their health, safety and wellbeing. Telecommunications, transportation, energy and banking services are part of the critical infrastructure, which is often privately-owned but which governments believe that citizens expect them to protect.

Cross-site request forgery – CSRF is an attack which, in effect, enables an attacker to masquerade as a legitimate user and gain access to everything that the legitimate user is authorised to access.

Cross-site scripting – one of the most prevalent vulnerabilities in web applications, which can enable an attacker to input code directly into your server such that website visitors will find their browsers executing malicious script as if it came from your website.
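An added example illustrating the two preceding entries, cross-site request forgery and cross-site scripting; it is not code from the glossary. For XSS it places the vulnerable pattern (untrusted input concatenated into HTML) beside the hardened one (output encoding with Python's `html.escape`), so a constructed `<script>` payload is rendered as visible text instead of being executed by visitors' browsers. For CSRF it shows the standard mitigation: a random per-session token issued by the server and required on every state-changing request, compared in constant time. The `SessionStore`, `handle_transfer` and the session ids are assumptions made for the demo.

```python
import html
import hmac
import secrets


# ---- Cross-site scripting: vulnerable rendering beside hardened rendering ----

def render_greeting_vulnerable(name: str) -> str:
    # Untrusted input is concatenated straight into the HTML document (the vulnerable pattern).
    return "<p>Hello, " + name + "</p>"


def render_greeting_hardened(name: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser shows text, not markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def contains_active_markup(rendered: str) -> bool:
    """Detection helper: does the rendered page still carry a live script tag?"""
    return "<script" in rendered.lower()


# ---- Cross-site request forgery: per-session anti-forgery token ----

class SessionStore:
    """Hypothetical server-side session store holding one CSRF token per session."""

    def __init__(self):
        self._tokens = {}

    def issue_csrf_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, bound to this session only
        self._tokens[session_id] = token
        return token

    def check_csrf(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)  # constant-time comparison


def handle_transfer(store: SessionStore, session_id: str, form: dict) -> int:
    """Simulated state-changing POST handler (hypothetical); returns an HTTP status code."""
    if not store.check_csrf(session_id, form.get("csrf_token")):
        return 403  # request did not originate from a page the server rendered for this session
    # ... perform the transfer for the authenticated session here ...
    return 200


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed textbook payload
    print(render_greeting_vulnerable(payload))
    print(render_greeting_hardened(payload))

    store = SessionStore()
    token = store.issue_csrf_token("session-A")
    print(handle_transfer(store, "session-A", {"csrf_token": token}))  # legitimate form post
    print(handle_transfer(store, "session-A", {}))                      # forged request, no token
```

The token check only helps if every request that changes state is routed through it and the token is never exposed to other origins; a cross-site form post carries the victim's cookies automatically, but cannot read or guess the token that the server embedded in its own page.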

Cryptography – the art of protecting information by encrypting it.

CSIA – The Central Sponsor for Information Assurance has now been re-named the IS&A (Information Security and Assurance) and is a unit of the UK Government’s Cabinet Office. It works with partners in the public and private sectors, as well as its international counterparts, to help safeguard the UK’s IT and telecommunications services. The IS&A provides a central focus for information assurance in the UK.

CVE – Common Vulnerabilities and Exposures – the website at www.cve.mitre.org (funded by the US Department of Homeland Security) holds a dictionary of ‘standardised names for vulnerabilities and other information security exposures, with the aim of standardising the names for all publicly known vulnerabilities and security exposures’. It is not a database and would normally be used in conjunction with a vulnerability database like Bugtraq (www.securityfocus.com). CVE is publicly available and free to use. You should therefore assume that cybercriminals use it.

CVV – the Card Verification Value code – is the three digit number that appears in the signature strip on the reverse of a payment card (on Amex Cards, it is a four digit number on the front). The CVV is entered by a cardholder when completing an online transaction, in order to verify that, even though this is technically a ‘card not present’ transaction, the payment card is physically present at the time of the transaction. The PCI DSS says that the CVV code may never be stored online. As cybercriminals become more effective, so the value of the CVV precaution is declining. See also 3D-secure.

CWE – Common Weakness Enumeration – is a community-developed dictionary of software weakness types, available at http://cwe.mitre.org.

Cybercrime – any form of illegal activity that takes place in cyberspace. The UK’s Computer Misuse Act 1990 made it an offence for anyone to access a computer without authorisation, to modify the contents of a computer without authorisation, or to facilitate (allow) such activity to take place. It identified sanctions for such activity, including fines and imprisonment. Other countries have taken similar action to identify and create offences that should enable law enforcement bodies to deal with computer misuse.

Cyberslacking – timewasting using the Internet.

Cyberspace – another term for the digital world, as opposed to the analogue one.

Cyberterrorism – terrorist activities in cyberspace.

Cybertrust – cyberspace is still an inherently untrustworthy realm, in which it is not possible for buyers and sellers to physically establish one another’s bona fides. Methods of establishing cybertrust are therefore essential for effective e-commerce.

Cyberwar – war in cyberspace, conducted by the military equivalents of hackers, spammers and virus writers.
