Ac Comp 4 Prelim1

ACCESS CONTROLS- a way of limiting access to a system or to physical or virtual
resources. In computing, access control is a process by which users are granted access
and certain privileges to systems, resources or information.
ACCOUNTING RECORDS- manual or computerized records of assets and liabilities,
monetary transactions; various journals, ledgers, and supporting documents (such as
agreements, checks, invoices, vouchers), which an organization is required to keep for
a certain number of years
ADVISORY SERVICES- a range of consulting services provided by Certified Public
Accountants (CPA) and other financial advisors to businesses and high net worth
individuals who require specialized advice on capital formation, cash flow and wealth
management
APPLICATION CONTROLS- a security practice that blocks or restricts unauthorized
applications from executing in ways that put data at risk. The control functions vary
based on the business purpose of the specific application, but the main objective is to
help ensure the privacy and security of data used by and transmitted between
applications.
ATTEST SERVICE- a consulting service in which a CPA expresses a conclusion about
the reliability of a written statement that is the responsibility of someone else
AUDIT OBJECTIVE- a specific objective that the auditor develops, in light of the
financial statement assertions, when obtaining evidence in support of those assertions.
For example, an objective related to the completeness assertion for inventory balances
is that inventory quantities include all products, materials, and supplies on hand.
AUDIT OPINION- a written statement describing an auditor's independent, unbiased
and qualified evaluation of the accuracy and completeness of a company's financial
statements and practices, as well as an evaluation of a company's compliance with
Generally Accepted Accounting Principles (GAAP).
AUDIT PLANNING- a major part of audit work for both internal and external audits,
which takes place before any other audit activity. Auditors are required to prepare a
proper audit plan to ensure that all audit risks are identified and the correct audit
strategy is deployed to address all the risks concerned
AUDIT PROCEDURE- the processes that auditors perform to obtain audit evidence,
which enables them to reach a conclusion on the audit objectives set and express their
opinion
AUDIT RISK- also known as residual risk, is the chance that financial statements will
be issued with material errors even though they have been reviewed by an auditor and
approved.
AUDITING- a systematic, independent and documented process for obtaining audit
evidence [records, statements of fact or other information which are relevant and
verifiable] and evaluating it objectively to determine the extent to which the audit
criteria [set of policies, procedures or requirements] are fulfilled. Several audit methods
may be employed to achieve the audit purpose.
COMPLETENESS- relates to whether all transactions that occurred during the period
have been recorded. For example, if a client fails to record a valid revenue transaction,
the revenue account will be understated. The completeness assertion is more focused on
expense and liability accounts.
COMPUTER-ASSISTED AUDITING TOOLS AND TECHNIQUES (CAATTs)- tools used by
auditors to search given data for irregularities. With their help, the internal accounting
department of any firm is able to provide more analytical results. These tools are used
throughout every business environment and across industry sectors. With the help of
Computer Assisted Audit Techniques, forensic accounting with more analysis can be
done. They help the firm's auditor work in an efficient and productive manner
CONTROL ACTIVITIES- management policies and procedures applied in (1) achieving a
firm's objectives, (2) protection of its assets, and (3) measurement of its performance
CONTROL ENVIRONMENT- actions, policies, values, and management styles that
influence, and set the tone of, a firm's day-to-day activities.
COMPUTER FRAUD- any act using computers, the Internet, Internet devices, and
Internet services to defraud people, companies, or government agencies of money,
revenue, or Internet access. Phishing, social engineering, viruses, and DDoS attacks are
some examples of illegal computer activities used to disrupt service or gain access to
another's funds
CONTROL RISK- Probability of loss arising from the tendency of internal control
systems to lose their effectiveness over time, and thus expose (or fail to prevent
exposure of) the assets they were instituted to protect
CORRECTIVE CONTROLS- Coupled with preventive and detective controls, corrective
controls help mitigate damage once a risk has materialized. An organization can
document its policies and procedures, enforcing them by means of warnings and
employee termination when appropriate.
COSO (COMMITTEE OF SPONSORING ORGANIZATIONS)- a joint initiative to
combat corporate fraud. It was established in the United States by five private sector
organizations, dedicated to guiding executive management and governance entities on
relevant aspects of organizational governance, business ethics, internal control,
enterprise risk management, fraud, and financial reporting. COSO has established a
common internal control model against which companies and organizations may assess
their control systems. COSO is supported by five supporting organizations, including
the Institute of Management Accountants (IMA), the American Accounting Association
(AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of
Internal Auditors (IIA), and Financial Executives International (FEI).
DETECTION RISK- the chance that an auditor will not find material misstatements
relating to an assertion in an entity's financial statements through substantive tests and
analysis. Detection risk is the risk that the auditor will conclude that no material errors
are present when in fact there are.
DETECTIVE CONTROLS- type of internal control mechanism intended to find problems
within a company's processes. Detective controls may be employed in accordance with
many different goals, such as quality control, fraud prevention and legal compliance.
FOREIGN CORRUPT PRACTICES ACT OF 1977 (FCPA)- a United States law passed in
1977 which prohibits U.S. firms and individuals from paying bribes to foreign officials in
furtherance of a business deal and against the foreign official's duties. The FCPA sets
no minimum amount below which a bribery payment goes unpunished. The Foreign
Corrupt Practices Act also specifies required accounting transparency guidelines.
GENERAL CONTROLS- are the policies and procedures to assure proper operation of
computer systems, including controls over network operations, software acquisition and
maintenance, and access security.
INDEPENDENCE- independence of the internal auditor or of the external auditor from
parties that may have a financial interest in the business being audited. Independence
requires integrity and an objective approach to the audit process.
INFORMATION TECHNOLOGY (IT)- set of tools, processes, and methodologies (such as
coding/programming, data communications, data conversion, storage and retrieval,
systems analysis and design, systems control) and associated equipment employed to
collect, process, and present information. In broad terms, IT also includes office
automation, multimedia, and telecommunications.
INHERENT RISK- the risk posed by an error or omission in a financial statement due to
a factor other than a failure of control. In a financial audit, inherent risk is most likely
to occur when transactions are complex, or in situations that require a high degree of
judgment with regard to financial estimates. This type of risk represents a worst-case
scenario because all controls have failed.
INTERNAL AUDITING- an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations.
INTERNAL CONTROL SYSTEM- any action taken by an organization to help enhance
the likelihood that the objectives of the organization will be achieved. The definition of
internal control has evolved as different internal control models have been developed.
MANAGEMENT ASSERTION- claims made by members of management regarding
certain aspects of a business. The concept is primarily used in regard to the audit of a
company's financial statements, where the auditors rely upon a variety of assertions
regarding the business
MONITORING- is an on-going process usually directed by management to ensure
processes are working as intended. Monitoring is an effective detective control within a
process
PDC CONTROL MODEL- a server in a Windows NT network that maintains a read-write
directory of user accounts and security information. The PDC authenticates usernames
and passwords when members log into the network. Members only have to log into one
domain to access all resources in the network.
PRESENTATION AND DISCLOSURE- assertions embodied in the financial statements,
as used by the auditor to consider the different types of potential misstatements that
may occur. It includes: occurrence and rights and obligations; completeness;
classification and understandability; accuracy and valuation.
PREVENTIVE CONTROLS- are designed to keep errors or irregularities from occurring
in the first place. They are built into internal control systems and require a major effort
in the initial design and implementation stages.
REASONABLE ASSURANCE- the level of confidence that the financial statements are
not materially misstated that an auditor, exercising professional skill and care, is
expected to attain from an audit.
RIGHTS AND OBLIGATIONS- addresses the assertion of whether the entity holds or
controls the rights to assets included on the financial statements, and that liabilities are
obligations of the entity.
RISK ASSESSMENT- the identification, evaluation, and estimation of the levels of risks
involved in a situation, their comparison against benchmarks or standards, and
determination of an acceptable level of risk.
SARBANES-OXLEY ACT OF 2002- an act passed by U.S. Congress in 2002 to protect
investors from the possibility of fraudulent accounting activities by corporations. The
SOX Act mandated strict reforms to improve financial disclosures from corporations and
prevent accounting fraud. The SOX Act was created in response to accounting
malpractice in the early 2000s, when public scandals such as Enron Corporation, Tyco
International plc, and WorldCom shook investor confidence in financial statements and
demanded an overhaul of regulatory standards.
SEGREGATION OF DUTIES- an internal control designed to prevent error and fraud by
ensuring that at least two individuals are responsible for the separate parts of any task.
SoD involves breaking down tasks that might reasonably be completed by a single
individual into multiple tasks so that no one person is solely in control.
STATEMENT ON AUDITING STANDARDS NO. 109 (SAS109)- establishes financial
accounting and reporting standards for the effects of income taxes that result from an
enterprise's activities during the current and preceding years. It requires an asset and
liability approach for financial accounting and reporting for income taxes. This
Statement supersedes FASB Statement No. 96, Accounting for Income Taxes, and
amends or supersedes other accounting pronouncements listed in Appendix D.
SUBSTANTIVE TEST- an audit procedure that examines the financial statements and
supporting documentation to see if they contain errors. These tests are needed as
evidence to support the assertion that the financial records of an entity are complete,
valid, and accurate
SUPERVISION- monitoring and regulating of processes, or delegated activities,
responsibilities, or tasks.
TEST OF CONTROLS- an audit procedure to test the effectiveness of a control used by
a client entity to prevent or detect material misstatements. Depending on the results of
this test, auditors may choose to rely upon a client's system of controls as part of their
auditing activities
TRANSACTION AUTHORIZATION- the practice within the banking industry of verifying
electronic transactions initiated with a debit card or credit card and holding this
balance as unavailable until either the merchant clears the transaction
VALUATION OR ALLOCATION- the process of determining the current worth of an
asset or a company; there are many techniques used to determine value. An analyst
placing a value on a company looks at the company's management, the composition of
its capital structure, the prospect of future earnings and market value of assets.
VERIFICATION PROCEDURE- an auditing process in which the auditor satisfies himself
as to the actual existence of assets and liabilities appearing in the statement of
financial position
CENTRALIZED DATA PROCESSING- processing of all the data concerned with a given
activity at one place, usually with fixed equipment within one building.
COMPUTER OPERATIONS- an elementary operation that a computer is designed and
built to perform
CORE COMPETENCY- the main strengths or strategic advantages of a business,
including the combination of pooled knowledge and technical capacities that allow a
business to be competitive in the marketplace. Theoretically, a core competency should
allow a company to expand into new end markets as well as provide a significant benefit
to customers. It should also be hard for competitors to replicate.
DATA CONVERSIONS- deals with changes required to move or convert data from one
physical environment format to that of another, like moving data from one electronic
medium or database product onto another format.
DATA LIBRARY- a collection of numeric and/or geospatial data sets for secondary use
in research. A data library is normally part of a larger institution (academic, corporate,
scientific, medical, governmental, etc.) established for research data archiving and to
serve the data users of that organisation. The data library tends to house local data
collections and provides access to them through various means (CD-/DVD-ROMs or
central server for download)
DISASTER RECOVERY PLAN- a documented process or set of procedures to recover
and protect a business IT infrastructure in the event of a disaster. Such a plan,
ordinarily documented in written form, specifies procedures an organization is to follow
in the event of a disaster.
DISTRIBUTED DATA PROCESSING- a computer-networking method in which multiple
computers across different locations share computer-processing capability. This is in
contrast to a single, centralized server managing and providing processing capability to
all connected systems.
EMPTY SHELL- a type of disaster recovery service, also known as a cold site, that
provides office space, but the customer provides and installs all the equipment needed
to continue operations. A
cold site is less expensive, but it takes longer to get an enterprise in full operation after
the disaster.
FAULT TOLERANCE- machine, equipment or system that has the ability to recover
from a catastrophic failure without disrupting its operations. A fault tolerant computer
system relies on technologies such as disk mirroring and redundant controllers. It also
includes several redundant processors monitoring each other under a 'voting system' so
that if one processor fails, the other(s) will shut it down, call for human help, and
continue data processing by taking over its load. Under more secure schemes, the entire
system is duplicated (often at a remote location) to provide full backup in case the
primary computer is destroyed.
INADEQUATE DOCUMENTATION- able to fulfil a need or requirement without being
abundant, outstanding, etc
INFORMATION TECHNOLOGY GOVERNANCE- the processes that ensure the effective
and efficient use of IT in enabling an organization to achieve its goals. ... ITDG is a
business investment decision-making and oversight process, and it is a business
management responsibility.
IT OUTSOURCING- the use of external service providers to effectively deliver IT-enabled
business process, application service and infrastructure solutions for business
outcomes.
MIRRORED DATA CENTER- a cost in making any economic trade when
participating in a market.
In Transaction Costs, Institutions and Economic Performance (1992), Douglass C.
North argues that institutions, understood as the set of rules in a society, are key
in the determination of transaction costs. In this sense, institutions that facilitate
low transaction costs boost economic growth.
MUTUAL AID PACT- an agreement among emergency responders to lend assistance
across jurisdictional boundaries. This may occur due to an emergency response that
exceeds local resources, such as a disaster or a multiple-alarm fire.
RECOVERY OPERATIONS CENTER-
REDUNDANT ARRAYS OF INDEPENDENT DISKS- a data storage virtualization
technology that combines multiple physical disk drive components into a single logical
unit for the purposes of data redundancy, performance improvement, or both.
SPECIFIC IT ASSETS- use of a capital good to a narrow purpose. Asset specificity
applies to capital designed to have a single function, or labor trained to perform a single
task, and has its limited uses because of some inherent restriction on other possible
uses. The more specific an asset, the lower its potential resale value or redeployability.
Companies may be reluctant to invest in such assets in a poor or uncertain economy.
When a company purchases a highly specific asset, this purchase is considered a sunk
cost, since the asset will likely not be saleable or useable for purposes other than its
intended purchase.
TRANSACTION COST ECONOMICS- a central theory in the field of Strategy. It
addresses questions about why firms exist in the first place (i.e., to minimize
transaction costs), how firms define their boundaries, and how they ought to govern
operations
ACCESS CONTROL LIST- a list of access control entries (ACE). Each ACE in an ACL
identifies a trustee and specifies the access rights allowed, denied, or audited for that
trustee. The security descriptor for a securable object can contain two types of ACLs: a
DACL and a SACL.
ACCESS TOKEN- an opaque string that identifies a user, app, or Page and can be used
by the app to make graph API calls.
ADVANCED ENCRYPTION STANDARD- a symmetric-key algorithm, meaning the same
key is used for both encrypting and decrypting the data. In the United States, AES was
announced by the NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001.
ALGORITHM- a procedure or formula for solving a problem, based on conducting a
sequence of specified actions. A computer program can be viewed as an elaborate
algorithm. In mathematics and computer science, an algorithm usually means a small
procedure that solves a recurrent problem
APPLICATION-LEVEL FIREWALL- a firewall where one application-level (i.e., not
kernel) process is used to forward each session that an internal user makes to a
network resource on the public network.
BOTNETS- a collection of internet-connected devices, which may include PCs, servers,
mobile devices and internet of things devices that are infected and controlled by a
common type of malware. Users are often unaware of a botnet infecting their system.
CAESAR CIPHER- also known as a shift cipher, is one of the simplest forms of
encryption. It is a substitution cipher where each letter in the original message (called
the plaintext) is replaced with a letter corresponding to a certain number of letters up or
down in the alphabet.
CALL-BACK DEVICE- requires the dial-in user to enter a password and be identified.
The system then breaks the connection to perform user authentication.
CERTIFICATION AUTHORITY- an entity that issues digital certificates. A digital
certificate certifies the ownership of a public key by the named subject of the certificate.
COMPILER- a program that translates source code into object code. The compiler
derives its name from the way it works, looking at the entire piece of source code and
collecting and reorganizing the instructions. Thus, a compiler differs from an
interpreter, which analyzes and executes each line of source code in succession, without
looking at the entire program. The advantage of interpreters is that they can execute a
program immediately. Compilers require some time before an executable program
emerges. However, programs produced by compilers run much faster than the same
programs executed by an interpreter.
DATA COLLISION- the result of simultaneous data packet transmission between two
or more network domain devices or nodes. Collided data packets break into fragments
and are retransmitted.
DATA ENCRYPTION STANDARD- a symmetric-key block cipher published by the
National Institute of Standards and Technology (NIST). DES is an implementation of a
Feistel Cipher. It uses a 16-round Feistel structure.
DEEP PACKET INSPECTION- an advanced method of packet filtering that functions at
the Application layer of the OSI (Open Systems Interconnection) reference model. The
use of DPI makes it possible to find, identify, classify, reroute or block packets with
specific data or code payloads that conventional packet filtering, which examines only
packet headers, cannot detect.
DENIAL OF SERVICE ATTACKS- a security event that occurs when an attacker takes
action that prevents legitimate users from accessing targeted computer systems, devices
or other network resources.
DIGEST- a fixed size numeric representation of the contents of a message, computed by
a hash function. A message digest can be encrypted, forming a digital signature.
DIGITAL CERTIFICATE- uses a cryptographic technology called public-key cryptography
to sign data and to verify the integrity of the certificate itself. Public key cryptography is
a system based on pairs of keys called public key and private key.
DIGITAL ENVELOPE- a secure electronic data container that is used to protect a
message through encryption and data authentication. A digital envelope allows users to
encrypt data with the speed of secret key encryption and the convenience and security
of public key encryption.
DIGITAL SIGNATURE- a mathematical technique used to validate the authenticity and
integrity of a message, software or digital document.
DISCRETIONARY ACCESS PRIVILEGES- a type of access control defined by the
Trusted Computer System Evaluation Criteria "as a means of restricting access to
objects based on the identity of subjects and/or groups to which they belong."
DISTRIBUTED DENIAL OF SERVICE- occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. Such an
attack is often the result of multiple compromised systems (for example, a botnet)
flooding the targeted system with traffic.
ECHO CHECK- a quality check and error-control technique for data transferred over a
computer network or other communications link, in which the data received is stored
and also transmitted back to its point of origin, where it is compared with the original
data.
EDE3- the EDE part denotes the specific variant of 3DES (the one everyone uses by
default anyway) where you encrypt with key 1, decrypt with key 2, and then encrypt
again with key 3 (which is usually the same as key 1). The (minor) advantage of that
mode is interoperability with DES: Set all three keys the same and you just spend a lot
of time doing single DES. Not that anyone would, these days. Even 3DES is only
interesting for compatibility with existing systems. Newer ciphers are faster and more
secure, as far as anyone publicly admits to knowing.
ELECTRONIC DATA INTERCHANGE- the electronic interchange of business
information using a standardized format; a process which allows one company to send
information to another company electronically rather than with paper. Business entities
conducting business electronically are called trading partners.
EEE3- three DES encryptions with three different keys
ENCRYPTION- the conversion of electronic data into another form, called ciphertext,
which cannot be easily understood by anyone except authorized parties.
EVENT MONITORING- the process of collecting, analyzing, and signaling event
occurrences to subscribers such as operating system processes, active database rules
as well as human operators.
FIREWALL- a network security system, either hardware- or software-based, that uses
rules to control incoming and outgoing network traffic. A firewall acts as a barrier
between a trusted network and an untrusted network. A firewall controls access to
the resources of a network through a positive control model. This means that the only
traffic allowed onto the network is defined in the firewall policy; all other traffic is
denied.
HIERARCHICAL TOPOLOGY- iterative algorithms for creating networks which are able
to reproduce the unique properties of the scale-free topology and the high clustering of
the nodes at the same time. These characteristics are widely observed in nature, from
biology to language to some social networks.
INTERNET RELAY CHAT- an application layer protocol that facilitates communication
in the form of text. The chat process works on a client/server networking model. IRC
clients are computer programs that a user can install on their system
INTERPRETER- a computer program that directly executes, i.e. performs, instructions
written in a programming or scripting language, without previously compiling them into
a machine language program.
INTRANETS- a private network that is contained within an enterprise. It may consist of
many interlinked local area networks and also use leased lines in the wide area
network. Typically, an intranet includes connections through one or more gateway
computers to the outside Internet. The main purpose of an intranet is to share company
information and computing resources among employees. An intranet can also be used
to facilitate working in groups and for teleconferences.
INTRUSION PREVENTION SYSTEM- a network security/threat prevention technology
that examines network traffic flows to detect and prevent vulnerability exploits.
Vulnerability exploits usually come in the form of malicious inputs to a target
application or service that attackers use to interrupt and gain control of an application
or machine. Following a successful exploit, the attacker can disable the target
application (resulting in a denial-of-service state), or can potentially gain access to all
the rights and permissions available to the compromised application.
IP BROADCAST ADDRESS- a logical address at which all devices connected to a
multiple-access communications network are enabled to receive datagrams. A message
sent to a broadcast address is typically received by all network-attached hosts, rather
than by a specific host.
IP SPOOFING- the creation of Internet Protocol (IP) packets with a false source IP
address, for the purpose of hiding the identity of the sender or impersonating another
computing system.
KEY- a variable value that is applied using an algorithm to a string or block of
unencrypted text to produce encrypted text, or to decrypt encrypted text. The length of
the key is a factor in considering how difficult it will be to decrypt the text in a given
message.
KEYSTROKE MONITORING- a type of surveillance technology used to monitor and
record each keystroke typed on a specific computer's keyboard. Keylogger software is
also available for use on smartphones, such as Apple's iPhone and Android devices.
LINE ERROR- depending on the length data travels, outside influences like sound
waves or electrical signals can disrupt the flow of data in a computer system. This may
be the result of the conductors that transmit the data across computers or software
systems.
LOG-ON PROCEDURE- two requests are made from the individual trying to gain access:
a preauthorized account (or user) name and a preset password. On a computer system
used by more than one individual, the logon procedure identifies the authorized users
and the protocols of users' access time.
MESSAGE SEQUENCE NUMBERING- a number generated at the sending end of the
channel and incremented by one before being used, which means that the current sequence
number is the number of the last message sent. This information can be displayed
using DISPLAY CHSTATUS (see MQSC reference). The sequence number and an
identifier called the LUWID are stored in persistent storage for the last message
transferred in a batch. These values are used during channel start-up to ensure that
both ends of the link agree on which messages have been transferred successfully.
MESSAGE TRANSACTION LOG- a history of actions executed by a database
management system used to guarantee ACID properties over crashes or hardware
failures. Physically, a log is a file listing changes to the database, stored in a stable
storage format.
MULTILEVEL PASSWORD CONTROL- enables you to assign different authentication
levels to the applications that it protects. You can then map these authentication levels
to specific authentication plugins. You may, for example, configure a highly sensitive
application to require a user certificate and a less sensitive application to require a user
name and password.
NETWORK-LEVEL FIREWALL- makes decisions based on the source and destination
addresses and ports in IP packets. This basic form of firewall protection is really no
more than a simple sorting algorithm. Generally such firewalls enable you to have some control
through the use of access lists. Packet filtering can also often be performed by other
network devices such as routers and is generally what you get when you download free
firewall software.
NETWORK TOPOLOGY- the arrangement of a network, including its nodes and
connecting lines. There are two ways of defining network geometry: the physical
topology and the logical (or signal) topology.
ONE-TIME PASSWORD- a password that is valid for only one login session or
transaction, on a computer system or other digital device.
OPERATING SYSTEM- system software that manages computer hardware and software
resources and provides common services for computer programs. All computer
programs, excluding firmware, require an operating system to function.
OPERATING SYSTEM SECURITY- the process of ensuring OS integrity,
confidentiality and availability. OS security refers to specified steps or measures used to
protect the OS from threats, viruses, worms, malware or remote hacker intrusions.
PARITY CHECK- a bit added to a string of binary code to ensure that the total number
of 1-bits in the string is even or odd. Parity bits are used as the simplest form of error
detecting code. There are two variants of parity bits: even parity bit and odd parity bit.
PASSWORD- a string of characters used to verify the identity of a user during the
authentication process. Passwords are typically used in conjunction with a username;
they are designed to be known only to the user and allow that user to gain access to a
device, application or website. Passwords can vary in length and can contain letters,
numbers and special characters. Other terms that can be used interchangeably are
passphrase for when the password uses more than one word, and passcode and
passkey for when the password uses only numbers instead of a mix of characters, such
as a personal identification number.
PING- a basic Internet program that allows a user to verify that a particular IP address
exists and can accept requests. Ping is used diagnostically to ensure that a host
computer the user is trying to reach is actually operating. Ping works by sending an
Internet Control Message Protocol (ICMP) Echo Request to a specified interface on the
network and waiting for a reply. Ping can be used for troubleshooting to test
connectivity and determine response time.
POLLING- the process in which the computer or controlling device repeatedly checks an
external device to determine its readiness or state, often at the level of low-level
hardware. For example, when a printer is connected via a parallel port, the computer
waits until the printer has received the next character before sending another.
PRIVATE KEY- a variable that is used with an algorithm to encrypt and decrypt data.
Quality encryption always follows a fundamental rule: the algorithm doesn't need to be
kept secret, but the key does. Private keys play important roles in both symmetric and
asymmetric cryptography.
PUBLIC KEY ENCRYPTION- an encryption scheme that uses two mathematically
related, but not identical, keys - a public key and a private key. Unlike symmetric key
algorithms that rely on one key to both encrypt and decrypt, each key performs a
unique function. The public key is used to encrypt and the private key is used to
decrypt.
PUBLIC KEY INFRASTRUCTURE- a set of roles, policies, and procedures needed to
create, manage, distribute, use, store, and revoke digital certificates and manage public-
key encryption.
REQUEST-RESPONSE TECHNIQUE- one of the basic methods computers use to
communicate with each other, in which the first computer sends a request for some
data and the second computer responds to the request. Usually, there is a series of
such interchanges until the complete message is sent; browsing a web page is an
example of request-response communication. Request-response can be compared to a
telephone call, in which someone is called and they answer the call.
REUSABLE PASSWORD- a password used on more than one site or system; it presents a
substantial security risk, since an attacker need only compromise a single site in order
to gain access to other sites the victim uses. This problem is exacerbated by also reusing
usernames, and by websites requiring email logins, as it makes it easier for an attacker
to track a single user across multiple sites. Password reuse can be avoided or minimised
by using mnemonic techniques, writing passwords down on paper, or using a password
manager.
RING TOPOLOGY- a network topology in which each node connects to exactly two other
nodes, forming a single continuous pathway for signals through each node - a ring.
Data travels from node to node, with each node along the way handling every packet.
RSA (RIVEST-SHAMIR-ADLEMAN)- one of the first practical public-key cryptosystems
and is widely used for secure data transmission. In such a cryptosystem, the encryption
key is public and differs from the decryption key which is kept secret. In RSA, this
asymmetry is based on the practical difficulty of factoring the product of two large prime
numbers, the factoring problem. RSA is made of the initial letters of the surnames of
Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the
algorithm in 1978. Clifford Cocks, an English mathematician working for the UK
intelligence agency GCHQ, had developed an equivalent system in 1973, but it was not
declassified until 1997.
SCREENING ROUTER- the basic component of most firewalls. A screening router can
be a commercial router or a host-based router with some kind of packet-filtering
capability. Typical screening routers have the ability to block traffic between networks or
specific hosts, on an IP port level.
SERVER- a computer program that provides services to other computer programs (and
their users) in the same or other computers. The computer that a server program runs
in is also frequently referred to as a server. That machine may be a dedicated server or
used for other purposes as well.
SMURF ATTACK- a distributed denial-of-service attack in which large numbers of
Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed
source IP are broadcast to a computer network using an IP broadcast address.
SYNCHRONIZE-ACKNOWLEDGE (SYN-ACK)- used to indicate the start of a TCP session. A
FIN is used to indicate the termination of a TCP session. The ACK bit is used to indicate
that the ACK number in the TCP header is acknowledging data.
SYN FLOOD ATTACK- a form of denial-of-service attack in which an attacker sends a
succession of SYN requests to a target's system in an attempt to consume enough server
resources to make the system unresponsive to legitimate traffic.
SYSTEM AUDIT TRAILS- maintain a record of system activity both by system and
application processes and by user activity of systems and applications. In conjunction
with appropriate tools and procedures, audit trails can assist in detecting security
violations, performance problems, and flaws in applications. Considered as a technical
control, the topics of interest are the benefits and objectives of audit trails, the types of
audit trails, and some common implementation issues.
TOKEN PASSING- a channel access method where a signal called a token is passed
between nodes to authorize that node to communicate.
TRIPLE-DES ENCRYPTION- officially the Triple Data Encryption Algorithm (TDEA or
Triple DEA), is a symmetric-key block cipher, which applies the Data Encryption
Standard (DES) cipher algorithm three times to each data block.
TROJAN HORSE- a malicious computer program which is used to hack into a computer
by misleading users about its true intent. It runs in the background of the system and
performs harmful actions there. Having it installed on a system poses a great security
risk for one's PC and all the data stored on it.
VIRUS- a program designed to spread from host to host that has the ability to replicate
itself. In the same way that biological viruses cannot reproduce without a host cell,
computer viruses cannot reproduce and spread without a host program, such as a file or
document.
WORM- a standalone malware computer program that replicates itself in order to
spread to other computers. Often, it uses a computer network to spread itself, relying on
security failures on the target computer to access it. Worms almost always cause at
least some harm to the network, even if only by consuming bandwidth, whereas viruses
almost always corrupt or modify files on a targeted computer.
ZOMBIE- a computer connected to the Internet that has been compromised by a
hacker, computer virus or trojan horse program and can be used to perform malicious
tasks of one sort or another under remote direction. Botnets of zombie computers are
often used to spread e-mail spam and launch denial-of-service attacks (DoS attacks).
Most owners of "zombie" computers are unaware that their system is being used in this
way. Because the owner tends to be unaware, these computers are metaphorically
compared to fictional zombies. A coordinated DDoS attack by multiple botnet machines
also resembles a "zombie horde attack", as depicted in fictional zombie films.
CHAPTER 1
CHAPTER 2
CHAPTER 3
PRELIM REQUIREMENT

ANGELOU Y. LIRA
JULY 18, 2017
