
Access
- Physical Access.
The process of obtaining use of a computer system, development
tools, or direct access to a system and its components. For
example by sitting down at a keyboard, or being able to enter
specific area(s) of the organization where the main computer
systems are located, or accessing system level hardware or
in some cases even board level components.
- Logical Access.
The process of being able to enter, modify, delete, or inspect
records, designs, schematics, source code, and other data held
on a computer system or device by means of providing an ID
and password (if required). The view that restricting physical
access relieves the need for logical access restrictions is
misleading. Any organization, systems, or devices within a
system with communications links to the outside world has a
security risk of logical access.
|
|
- Access Control
- Access control refers to the rules and
deployment of mechanisms that control access to information
systems, and physical access to premises and systems. The entire
subject of Information Security is based upon Access Control,
without which Information Security cannot, by definition, exist.
|
|
- Access Rights
- The powers granted to users to create,
change, delete, or simply view data and files within a system,
according to a set of rules defined by IT and business management.
It is not necessarily true that the more senior a person, the
more power granted. For example, most logic design activity
is performed at a relatively junior level, and it is not uncommon
for senior management to not even have access rights to view
schematic level data. There are very good Internal Control
and Audit reasons for adopting this approach.
|
|
- Accidental Damage
- In relation to System and Device level
Security, accidental damage refers to damage or loss that is
caused as a result of a genuine error or misfortune. However,
despite the genuine nature of the accident, such incidents
can and should be prevented by awareness, alertness, and action.
|
|
- AES
- Advanced Encryption Standard. This is a
state of the art algorithm developed by Rijndael and chosen
by the United States National Institute of Standards and Technology
on October 2, 2000. Although selected, it was not officially "approved"
by the US Secretary of Commerce until Q2 2001.
|
|
- ANSI
- American National Standards Institute which
is the main organization responsible for furthering technology
standards within the USA. ANSI is also a key player with the
International Standards Organization (ISO).
|
|
- Antifuse FPGA
- An FPGA based on a
technology that utilizes amorphous silicon to make the interconnect.
Antifuse FPGAs are one-time-programmable, live at power up,
and secure.
|
|
- Application
- A computer system, program, or set of programs.
|
|
- ASIC
- Application-Specific Integrated Circuit.
Typically a custom solution constructed to order for a specific
application and function. Associated with significant barriers
to entry that limit participation to high volume applications
that can benefit from economies of scale.
|
|
- Auditor
- Person employed to independently verify
the quality and integrity of the work that has been undertaken
within a particular area, with reference to accepted procedures.
|
|
- Authentication
- Authentication refers to the verification
of the authenticity of either a person or of data, e.g. a message
may be authenticated to have been originated by its claimed
source. Authentication techniques usually form the basis for
all forms of access control to
systems and data.
|
|
- Authorization
- The process whereby a person approves a
specific event or action. In companies with access rights hierarchies
it is important that audit trails identify both the creator
and the authorizer of new or amended data. It is an unacceptably
high risk situation for one to have the power to create new
entries and then to authorize those same entries oneself.
|

|
|
- Backup
- The process whereby copies of computer
or design files are taken in order to allow recreation of the
original, should the need arise. A backup is a spare copy of
a file, file system, design, schematic, or other resource for
use in the event of failure or loss of the original.
Ideally the backup copies should be kept at a different site
or in a fire safe. Although hardware may be insured against
fire, the data on it is almost certainly neither insured nor
easily replaced. Consequential loss policies to insure against
data loss can be expensive, but are well worth considering.
|
|
- Biometric Access Controls
- Security Access control systems which authenticate
(verify the identity of) users by means of physical characteristics,
e.g. face, fingerprints, voice, or retina pattern.
|
|
- Boeing Syndrome
- The ultimate disaster scenario for contingency
planning purposes. The name allegedly comes from a conference
in which IT specialists, administrators, and planners were
asked first to imagine that a Boeing 747 Jumbo fell out of
the air onto their computer center (with the resulting complete
loss of systems), and then asked to prepare a contingency/disaster
recovery plan to keep their organization going in such circumstances.
A very useful exercise - for all companies who often do not
realize just how important their computer systems are to their
continued existence as a viable business. Also useful for worst
case scenario security planning. For example, what would happen
if the code from my core component was posted in the public
domain?
|
|
- Boot-up
- Slang. The act of initializing a system
or configuring an FPGA. Typically associated with a time delay
until the system is functional. This is the time when an SRAM-based
FPGA is most vulnerable to having its contents captured. (see
Configuration Device)
|
|
- BS 7799
- The British Standard for Information Security
which was re-issued in 1999 in two parts. Part 1 is the Code
of Practice for Information Security Management and Part 2
specifies the requirements for implementing Information Security
in compliance with the Code of Practice. In October 2000, BS
7799 was elevated to become an International Standards Organization
(ISO) standard - ISO 17799.
|
|
- Business Assets
- The term Business Assets, as it relates
to Information Security, refers to any information upon which
the organization places a measurable value. By implication,
the information is not in the public domain and would result
in loss, damage, or even business collapse, were the information
to be lost, stolen, corrupted, or in any way compromised.
By identifying and valuing the business assets in an organization,
and the systems that store and process them, an appropriate
emphasis may be placed upon safeguarding those assets which
are of higher value than those that are considered easily replaceable
- such as information in the public domain.
|

|
|
- CERT
- The Computer Emergency Response Team is
recognized as the Internet's official emergency team. It was
established in the USA by the Defense Advanced Research Projects
Agency (DARPA) in 1988 following the Morris computer Worm incident,
which crippled approximately 10% of all computers connected
to the Internet.
CERT is located at the Software Engineering Institute, a US
government funded research and development center operated
by Carnegie Mellon University, and focuses on security breaches
and denial-of-service incidents, and provides alerts and incident-handling
and avoidance guidelines. CERT also covers hardware and component
security deficiencies that may compromise existing systems.
CERT is also the publisher of Information Security alerts,
training, and awareness campaigns. CERT may be found on the
World Wide Web at www.cert.org.
|
|
- Change Control
- An internal control procedure by which
only authorized amendments are made to the organization's software,
hardware, network access privileges, or business process. This
method usually involves the need to perform an analysis of
the problem and for the results to be appended to a formal
request prepared and signed by the senior representative of
the area concerned. This proposal should be reviewed by management
(or committee) prior to being authorized. Implementation should
be monitored to ensure security requirements are not breached
or diluted.
|
|
- Checksum
- Checksum is a technique whereby the individual
binary values of a string of storage locations on your computer
are totaled, and the total retained for future reference. On
subsequent accesses, the summing procedure is repeated, and
the total compared to the one derived previously. A difference
indicates that an element of the data has changed during the
intervening period. Agreement provides a high degree of assurance
(but not total assurance) that the data has not changed during
the intervening period.
A checksum is also used to verify that a network transmission
has been successful. If the counts agree, it is safe to assume
that the transmission was completed correctly.
A checksum also refers to the unique number that results by
adding up every element of a pattern in a programmable logic
design. Typically, either a four or eight digit hex number,
it is a quick way to identify a pattern, since it is very unlikely
two patterns will ever have the same checksum.
|
|
- Cipher
- A cipher is the generic term used to describe
a means of encrypting data. In addition, the term cipher can
refer to the encrypted text itself. Encryption ciphers will
use an algorithm, which is the complex mathematical calculation
required to 'scramble' the text, and a 'key.' Knowledge of
the key will allow the encrypted data to be decrypted.
|
|
- Clear Desk Policy
- A policy of the organization, which directs
all personnel to clear their desks at the end of each working
day, and file everything appropriately. Desks should be cleared
of all documents and papers, including the contents of the
'in' and 'out' trays! The purpose of the Clear Desk Policy
is not simply to give the cleaners a chance to do their job,
but to ensure that sensitive papers and documents are not exposed
to unauthorized persons out of working hours.
|
|
- Clear Screen Policy
- A policy of the organization, which directs
all users of screens or terminals to ensure that the contents
of the screen are protected from prying eyes and other opportunistic
breaches of confidentiality. Typically, the easiest means of
compliance is to use a screen saver that will engage, either
on request, or after a specified time.
|
|
- Clipper chip
- A tamper-resistant VLSI chip designed by
NSA for encrypting voice communications. It conforms to the
Escrow Encryption Standard (EES) and implements the Skipjack
encryption algorithm.
|
|
- Cloning
- The act of copying a design without making
any changes. No understanding of the design or the ability
to modify the design is required.
|
|
- Communications Line
- Within a communications network, the route
by which data is conveyed from one point to another. Recently
the term has started to be replaced by 'Communications Link'
to reflect the fact that a growing number of small networks,
even within the same building, are using radio ('wireless')
communications rather than fixed cables.
|
|
- Communications Network
- A system of communications equipment and
communication links (by line, radio, satellite, etc.) that
enables computers to be separated geographically while remaining
connected to each other.
|
|
- Computer Viruses
- Computer Viruses are pieces of programming
code that have been purposely written to inflict an unexpected
result upon an innocent victim. There are now approximately
50,000 viruses and their variants for which known cures or
'vaccines' are available.
Viruses are transmitted within other (seemingly) legitimate
files or programs, the opening or execution of which causes
the virus to run and to replicate itself within your computer
system, as well as performing some sort of action. Such actions
range from the harmless, such as causing characters to 'fall off' the
screen (an early DOS-based virus in the 1980s), to the most malicious
viruses, which destroy data files and replicate themselves to
everyone in your e-mail directory.
Researchers are now looking at another possible virus that
targets systems using a reconfigurable FPGA. In this scenario,
a hostile party could replace a valid bitstream with random
bits or a self-replicating series of bits that would likely
result in internal electrical conflicts that may destroy the
device.
|
|
- Confidentiality
- Assurance that information is shared only
among authorized persons or organizations. Breaches of confidentiality
can occur when data is not handled in a manner adequate to
safeguard the confidentiality of the information concerned.
Such disclosure can take place by word of mouth, by printing,
copying, e-mailing or creating documents and other data. The
classification of the information should determine its confidentiality
and hence the appropriate safeguards.
|
|
- Configuration
- The act of programming an SRAM-based FPGA
at system power up to make it functional. Configuration requires
the use of a configuration device, which is typically a PROM
(see PROM) or other type of memory.
|
|
- Contingency Planning
- Contingency planning plans for the unexpected
or for the possibility of circumstances changing. Contingency
plans are individual plans associated with individual projects
or programs.
A contingency plan is never expected to be executed; as a
result, attention to detail and the budget allocation can be
clearly inadequate, which guarantees failure if the plan is
executed.
As with any plan, it is essential to agree the 'trigger(s)'
that will result in the plan coming into force and the subsequent
'chain of command' that will take over during that period.
|
|
- Corrupt Data
- Data that has been received, stored, or
changed, so that it cannot be read or used by the program that originally
created the data.
|
|
- CPLD
- Complex Programmable Logic Device. Usually
a simple low density programmable logic solution. Typically
contains macrocells that are interconnected through a central
Global Routing Pool. This type of architecture provides moderate
speed and predictable performance. Traditionally targeted towards
low end consumer products.
|
|
- Cracker
- A cracker is either a piece of software
(program) whose purpose is to 'crack' the code to a password,
encryption key, or configuration bitstream; or 'cracker' refers
to a person who attempts to gain unauthorized access to a computer
system, hardware, or board level components. Such persons are
usually ill intentioned and perform malicious acts of crime
and vandalism.
- Code breaking software. A piece of software designed
to decipher a code, but used most often to crack a system.
Given sufficient time, and sufficient computer power, ANY
password can be broken - even one of 64 case-sensitive characters.
- Illegal entry into a computer system. These individuals
often have malicious intent and can have multiple tools for
breaking into a system. The term was adopted circa 1985 by
hackers in defense against journalistic misuse of 'hacker.'
|
|
- Cryptography
- The subject of cryptography is primarily
concerned with maintaining the privacy of communications, and
modern methods use a number of techniques to achieve this.
Encryption is the transformation of data into another usually
unrecognizable form. The only means to read the data is to
decrypt the data using a (secret) key, in the form of a secret
character string, itself encapsulated within a pre-formatted
(computer) file.
|
|
- Cybercrime
- Cybercrime is any criminal activity that uses
network access to commit a criminal act. With the exponential
growth of Internet connection, the opportunities for the exploitation
of any weaknesses in Information Security are multiplying.
Cybercrime may be internal or external, with the former easier
to perpetrate.
The term has evolved over the past few years since the adoption
of Internet connection on a global scale with hundreds of millions
of users. Cybercrime refers to the act of performing a criminal
act using cyberspace (the Internet), as the communications
vehicle. Some would argue that a cybercrime is not a crime
as it is a crime against software and not against a person's
person or property. However, while the legal systems around
the world scramble to introduce laws to combat cybercriminals,
two types of attack are prevalent:
- Techno-crime. A pre-meditated act against a system
or systems, with the express intent to copy, steal, prevent
access, corrupt, or otherwise deface or damage parts or all
of a computer system. The 24x7 connection to the Internet
makes this type of cybercrime a real possibility to engineer
from anywhere in the world, leaving few, if any, 'fingerprints.'
- Techno-vandalism. These acts of 'brainless' defacement
of websites, and/or other activities such as copying files
and publicizing their contents, are usually opportunistic
in nature. Tight internal security, allied to strong technical
safeguards, should prevent the vast majority of such incidents.
|

|
|
- Data Encryption
- Data encryption is a means of scrambling
the data so that it can only be read by the person(s) holding
the 'key' - a password of some sort. Without the 'key,' the
cipher cannot be broken and the data remains secure. Using
the key, the cipher is decrypted and the data is returned to
its original value or state.
Each time one wishes to encrypt data, a key from the 72,000,000,000,000,000
possible key variations is randomly generated and used to encrypt
the data. The same key must be made known to the receiver if
they are to decrypt the data.
|
|
- Decryption
- The process by which encrypted data is
restored to its original form in order to be understood/usable
by another computer or person.
|
|
- Denial of Service
- Denial of service (DoS) attacks deny service
to valid users trying to access a site. Consistently ranked
as the single greatest security problem for IT professionals,
a DoS attack is an Internet attack against a website whereby
a client is denied the level of service expected. In a mild
case, the impact can be unexpectedly poor performance. In the
worst case, the server can become so overloaded as to cause
a crash of the system.
DoS attacks do not usually have theft or corruption of data
as their primary motive and will often be executed by persons
who have a grudge against the organization concerned. The following
are the main types of DoS attack:
- Buffer Overflow Attacks. Data is sent to
the server at a rate and volume that exceeds the capacity
of the system, causing errors.
- SYN Attack. This takes place when connection requests
to the server are not properly responded to, causing a delay
in connection. Although these failed connections will eventually
time out, should they occur in volume, they can deny access
to other legitimate requests for access.
- Teardrop Attack. The exploitation of a feature
of the TCP/IP protocol whereby large packets of data are
split into 'bite sized chunks,' with each fragment being
identified to the next by an 'offset' marker. Later the fragments
are supposed to be re-assembled by the receiving system.
In the teardrop attack, the attacker enters a confusing offset
value in the second (or later) fragment, which can crash
the recipient's system.
- Ping Attack. This is where an illegitimate 'attention
request' or Ping is sent to a system, with the return address
being that of the target host (to be attacked). The intermediate
system responds to the Ping request but responds to the unsuspecting
victim system. If the receipt of such responses becomes excessive,
the target system will be unable to distinguish between legitimate
and illegitimate traffic.
- Viruses. Viruses are not usually targeted but where
the host server becomes infected, it can cause a Denial of
Service.
- Physical Attacks. A physical attack may be little
more than cutting the power supply, or perhaps the removal
of a network cable.
|
|
- DES (Data Encryption Standard)
- Definition 1) (DES) An unclassified crypto
algorithm adopted by the National Bureau of Standards for public
use.
Definition 2) A cryptographic algorithm for the protection
of unclassified data, published in Federal Information Processing
Standard (FIPS) 46. The DES, which was approved by the National
Institute of Standards and Technology (NIST), is intended for
public and government use.
DES is a data encryption standard for the scrambling of
data to protect its confidentiality. It was developed by IBM
in cooperation with the American National Security Agency and
published in 1974. It has become extremely popular and, because
it was thought to be so difficult to break, with 72,000,000,000,000,000
possible key variations, was banned from export from the USA.
However, restrictions by the US Government on the export of
encryption technology were lifted in 2000 for the countries of
Europe and a number of other countries.
DES was cracked by researchers at MIT on November 8, 2001,
when they showed that DES was susceptible to brute force attacks.
Currently the industry has turned to Triple DES as a short
term standard to secure transactions, though generally sluggish
performance caused an outcry that resulted in a new standard.
The NIST has since identified a new encryption scheme, known
as AES or Rijndael as the heir apparent.
|
|
- Disable
- The process by which hardware or software
is deliberately prevented from functioning in some way. For
hardware, it may be as simple as switching off a piece of equipment,
or disconnecting a cable. It is more commonly associated with
software, particularly shareware or promotional software, which
has been supplied to a user at little or no cost, to try before
paying the full purchase or registration fee. Such software
may be described as 'crippled' in that certain functions, such
as saving or printing files, are not permitted. Some in-house
development staff may well disable parts of a new program,
so that the user can try out the parts that have been developed,
while work continues on the disabled functions.
Disabling is also often used as a security measure. For example,
the risk of virus infection through the use of infected floppy
diskettes can be greatly reduced by disconnecting a cable within
the PC, thereby disabling the floppy drive. Even greater protection
is achieved by removing the drive altogether, thereby creating
a diskless PC.
|
|
- Dongle
- A mechanical device used by software developers
to prevent unlicensed use of their product. Typically, a dongle
is a small connector plug, supplied with the original software
package, which fits into a socket on a PC - usually a parallel
port, also known generally as the LPT1 Printer port. Without
the dongle present, the software will not run. Some older dongles
act as a terminator, effectively blocking the port for any
other use, but later versions have a pass-through function,
allowing a printer to be connected at the same time. Even though
the PC can still communicate with the printer, there have been
problems with more recent printers, which use active two-way
communications with the PC to notify printing status, ink levels,
etc.
|

|
|
- Encryption
- The process by which data is temporarily
re-arranged into an unreadable or unintelligible form for confidentiality,
transmission, or other security purposes.
|

|
|
- Fallback procedures
- Fallback procedures are particular business
procedures and measures, undertaken when events have triggered
the execution of either a Business Continuity Plan or a Contingency
Plan.
|
|
- Firmware
- A sort of 'halfway house' between hardware
and software. Firmware often takes the form of a device that
is attached to, or built into, a computer - such as a ROM chip
- which performs some software function but is not a program
in the sense of being installed and run from the computer's
storage media.
|
|
- Flash FPGA
- An FPGA (See FPGA) that is based on Flash
technology for controlling the switching of the interconnect.
Flash-based FPGAs are nonvolatile, live on power-up, reprogrammable,
and secure from reverse engineering or cloning.
|
|
- FPGA
- Field Programmable Gate Array. A very complex
PLD. The FPGA usually has an architecture that comprises a
large number of simple logic blocks, a number of input/output
pads, and a method to make random connections between the elements. The
largest, fastest programmable logic devices, with gate counts
running into the millions.
These devices are user customizable and programmable on an
individual device basis. Valued for their flexibility by designers.
|

|
|
- Ghost
- An identity that does not relate to a real
person. It is not unknown for staff with the necessary IT skills
to create a fictitious user with a password that allows that
user to access the system with impunity, knowing that an audit
trail will lead nowhere. Ghosts may also appear on the payroll,
courtesy of a user who has the power to create new files in
the personnel and payroll systems.
The creation of user profiles and the granting of logical
access rights is a high security function and must be strictly
monitored, preferably with dual controls for creation and authorization.
|

|
|
- Hacker
- An individual whose primary aim in life
is to penetrate the security defenses of large, sophisticated,
computer systems. A truly skilled hacker can penetrate a system
right to the core and withdraw again without leaving a trace
of the activity. Hackers are a threat to all computer systems
that allow access from outside the organization's premises,
and the fact that most 'hacking' is just an intellectual challenge
should not allow it to be dismissed as a prank. Clumsy hacking
can do extensive damage to systems even when such damage was
not intentional.
Statistics suggest that the world's primary hacker target
- the Pentagon - is attacked, on average, once every three
minutes. How many of those attacks are from hackers and how
many from Government Agencies, criminals, and terrorists, around
the world is another question entirely.
|
|
- HEX / Hexadecimal
- Hexadecimal, or 'Hex' for short, is a numbering
system using base 16 (as opposed to the usual base 10). Hex
is a useful way to express binary computer numbers in which
a byte is normally expressed as having 8 bits; with 2 hex characters
representing eight binary digits - aka a byte.
|

|
|
- Identity Hacking
- Posting on the Internet or Bulletin Board(s)
anonymously, pseudonymously, or giving a completely false name/address/telephone
with intent to deceive. This is a controversial activity, generating
much discussion amongst those who maintain the internet sites.
There are two cases in which problems can be caused for organizations:
- a member of staff engages in such practices and is 'found
out' by internet users, thereby associating the organization
name with the activity.
- a posting by an unrelated third party, pretending to be
the organization, or a representative.
In either case, if such posts are abusive, or otherwise intended
to stir up an argument, the likely result is a Flame Attack,
or Mail Bombing.
|
|
- Impact Analysis
- As part of an Information Security Risk
Assessment, you should identify the threats to your Business
Assets and the impact such threats could have, if the threat
resulted in a genuine incident.
Such analysis should quantify the value of the Business Assets
being protected to decide on the appropriate level of safeguards.
|
|
- Incursion
- A penetration of the system by an unauthorized
source. Similar to an intrusion, the primary difference is
that incursions are classed as 'hostile.'
|
|
- ISP (In-System Programming)
- The ability to program and reprogram an
FPGA that is mounted on a circuit as part of a functional system.
Flash and SRAM-based FPGA technologies support ISP.
|
|
- Invasive Attack
- An attack on a semiconductor to determine
its functionality that requires physical entry to the part
and renders the part non-functional. Typical methods include
etching and FIB (Focused Ion Beam) intrusion.
|
|
- Information Asset
- An Information Asset is a definable piece
of information, stored in any manner that is recognized as
'valuable' to the organization. The information that comprises
an Information Asset may be little more than a prospect name
and address file; or it may be the plans for the release of
the latest in a range of products to compete with competitors.
Irrespective of the nature of the information assets themselves,
they all have one or more of the following characteristics:
- They are recognized to be of value to the organization.
- They are not easily replaceable without cost, skill, time,
resources, or a combination.
- They form a part of the organization's corporate identity,
without which the organization may be threatened.
- Their data classification would normally be Proprietary,
Highly Confidential, or even Top Secret.
It is the purpose of Information Security to identify the
threats against, the risks and the associated potential damage
to, and the safeguarding of Information Assets.
|
|
- Information Warfare / Infowar
- Also cyberwar and netwar. Infowar is the
use of information and information systems as weapons in a
conflict in which the information and information systems themselves
are the targets.
Infowar has been divided into three classes:
- Class I: Individual Privacy
- Class II: Industrial and Economic Espionage
- Class III: Global information warfare, i.e. Nation State versus Nation
State.
Most organizations will not need to be concerned over classes
I and III, but clearly Class II is relevant to any organization
wishing to protect its confidential information.
|
|
- Intellectual Property (IP)
- Defined as creative, technical, and intellectual
products. Often associated with custom circuit designs implemented
in either ASIC or Programmable Logic architectures.
|
|
- Intrusion
- The technology equivalent of trespassing.
An uninvited and unwelcome entry into a system by an unauthorized
source. While Incursions are always seen as hostile, intrusions
may well be innocent, having occurred in error.
Strong verification and security systems can minimize intrusions.
|

|
|
- Malicious Code
- Malicious code includes all and any programs
(including macros and scripts) that are deliberately coded
in order to cause an unexpected (and usually, unwanted) event
on a PC or other system. However, although antivirus definitions
('vaccines') are released weekly or monthly, they operate retrospectively.
In other words, someone's PC has to become infected with the
virus before the antivirus definition can be developed. In
May 2000, when the 'Love Bug' was discovered, although the
antivirus vendors worked around the clock, the virus had already
infected tens of thousands of organizations around the world,
before the vaccine became available.
|
|
- Mission Critical
- Derived from military usage, the term is
used to describe activities, processing, etc., that are deemed
vital to the organization's business success and, possibly,
its very existence.
Some major applications are described as being Mission Critical
in the sense that, if the application fails, crashes, or is
otherwise unavailable to the organization, it will have a significant
negative impact upon the business. Although the definition
will vary from organization to organization, such applications
include accounts/billing, customer balances, computer controlled
machinery and production lines, JIT ordering, and delivery
scheduling.
|

|
|
- Nondisclosure Agreement - NDA
- A Nondisclosure Agreement (NDA) is a legally
binding document that protects the confidentiality of ideas,
designs, plans, concepts or other commercial material. Most
often, NDAs are signed by vendors, contractors, consultants,
and other non-employees who may come into contact with such
material.
|
|
- Noninvasive
- An attack on a semiconductor to determine
its functionality that does not require physical entry to the
part. Types of attacks include varying voltage levels to gain
access.
|
|
- Non-Repudiation
- For e-Commerce and other electronic transactions,
including ATMs (cash machines), all parties to a transaction
must be confident that the transaction is secure, that the
parties are who they say they are (authentication), and that
the transaction is verified as final. Systems must ensure that
a party cannot subsequently repudiate (reject) a transaction.
To protect and ensure digital trust, the parties to such systems
may employ digital signatures, which will not only validate
the sender, but will also 'time stamp' the transaction, so
it cannot be claimed subsequently that the transaction was
not authorized or not valid.
|
|
- Nonvolatile
- The characteristic of a device that does
not lose its contents when its power is removed. Nonvolatile
memory is useful in microcomputer circuits because it can provide
instructions for a CPU as soon as the power is applied, before
secondary devices, such as disk, can be accessed. Nonvolatile
memory includes ROM, EPROM, and EEPROM.
|

|
|
- Overbuilding
- Unscrupulous Contract Manufacturers (CM)
will overbuild on a program or contract and sell the excess
on the gray market.
|
|
- Penetration
- Intrusion, trespassing, unauthorised entry
into a system. Merely contacting a system or using a keyboard
to enter a password is not penetration, but gaining access
to the contents of the data files by these or other means does
constitute penetration.
Penetration Testing is the execution of a testing plan, the
sole purpose of which is to attempt to hack into a system using
known tools and techniques.
|

|
|
- Physical Security
- Physical protection measures to safeguard
the organization's systems, including, but not limited to,
restrictions on entry to premises, restrictions on entry to
computer department and Tank, locking/disabling equipment,
disconnection, fire-resistant and tamper-resistant storage
facilities, anti-theft measures, and anti-vandal measures.
|
|
- PKI (Public Key Infrastructure)
- Where encryption of data is required, perhaps
between the organization's internal networks and between clients
and representatives, a means of generating and managing the
encryption keys is required.
PKI is the use and management of cryptographic keys - a public
key and a private key - for secure transmission and authentication.
|
|
- PROM
- Programmable read-only memory. A semiconductor
memory device that provides read access only to its memory
content. Other versions include UV PROM (Ultraviolet), which
can be erased with UV light, and EEPROM (electronically erasable),
which can be erased electrically. PROMs are typically required
to support an SRAM-based FPGA.
|

|

|
|
- Resilience
- Resilience refers to the ability of a computer,
or system, to both withstand a range of load fluctuations and
also to remain stable under continuous and/or adverse conditions.
|
|
- RSA
- RSA stands for Rivest, Shamir, and Adleman,
who are the developers of the public-key encryption and authentication
algorithm. They are also the founders of RSA Data Security, which is
now RSA Security (www.rsasecurity.com).
The capability to use RSA security is incorporated within
the browsers of both Microsoft and Netscape and other major
corporate communication tools such as Lotus Domino® / Notes®.
The creation, use, and management of the public and private
keys that are required for RSA security use Public Key Infrastructure,
or PKI.
|
|
- Reverse Engineering
- The act of examining a design to understand
exactly how it works with the intent to copy the design. The
design is then altered to differentiate it from the original
design for the purpose of improving upon it or to prevent legal
action because of the theft.
|

|
|
- Security Breach
- A breach of security occurs when a stated
organizational policy or legal requirement regarding information
security has been contravened. However, every incident suggesting
that the confidentiality, integrity and availability of the
information has been inappropriately changed can be considered
a security incident. Every security breach will always be initiated
via a security incident. Only if confirmed does it become a
security breach.
|
|
- Security Incident
- A security incident is an alert to the
possibility that a breach of security may be taking, or may
have taken, place.
|
|
- Shoulder Surfing
- Looking over a user's shoulder as they
enter a password. This is one of the easiest ways of obtaining
a password to breach system security. The practice is not restricted
to office computers; it is used wherever passwords, PINs, or
other ID codes are used.
|
|
- Skipjack
- An NSA-developed encryption algorithm for
the Clipper chip. The details of the algorithm are unpublished.
|
|
- Smart Card
- Smart cards look and feel like credit cards,
but have one important difference: they have a 'programmable'
microchip embedded. Their uses are extremely varied but, for
information security, they are often used not only to authenticate
the holder, but also to present the range of functions associated
with that user's profile.
Smart Cards will often have an associated PIN number or password
to provide a further safeguard. The main benefits of using
Smart Cards are that their allocation can be strictly controlled,
they are hard to forge, and they are required to be physically inserted
into a 'reader' to initiate the authentication process.
|
|
- SRAM FPGA
- An FPGA (see FPGA) that utilizes SRAM (Static
Random Access Memory) technology to make the interconnect.
SRAM FPGAs are reprogrammable, volatile, and require a boot-up
(see Boot-up) process to initialize. SRAM FPGAs are not secure.
|

|
|
- Tamper resistant packaging
- Often used in smart card systems, tamper
resistant packaging is designed to render electronics inoperable
if the product is physically (invasively) attacked.
|
|
- Techno Crime
- Techno Crime is the term used by law enforcement
agencies to denote criminal activity that uses (computer) technology,
not as a tool to commit the crime, but as the subject of the
crime itself. Techno Crime is usually pre-meditated and results
in the deletion, corruption, alteration, theft, or copying
of data on an organization's systems.
Techno Criminals will usually probe their prey system for
weaknesses and will almost always leave an electronic 'calling
card' to ensure that their pseudonym identity is known.
|
|
- Techno Vandalism
- Techno Vandalism is a term used to describe
a hacker or cracker who breaks into a computer system with
the sole intent of defacing and/or destroying its contents.
Techno Vandals can deploy 'sniffers' on the Internet to locate
soft (insecure) targets and then execute a range of commands
using a variety of protocols towards a range of ports. The best
weapon against such attacks is a firewall which will hide and
disguise your organization's presence on the Internet.
|

|

|
|
- Virus
- A virus is a form of malicious code and,
as such, it is potentially disruptive. It may also be transferred
unknowingly from one computer to another. The term virus includes
all sorts of variations on a theme, including the nastier variants
of macro-viruses, Trojans, and Worms, but, for convenience,
all such programs are classed simply as 'virus.'
Viruses are a very real problem for both organisations and
individual computer users. At the present time there are very
few, if any, viruses that affect large computers, primarily
because the programming languages that those systems use are
not the same as those used to write virus code. Viruses, therefore,
are a problem primarily for users of PCs and servers.
As at January 2001, there were over 48,000 known viruses.
Fortunately, the great majority of these are classed as 'rare'
and usually appear only in virus research center files. However,
that still leaves nearly 5,000 viruses, classed as 'common,'
roaming the world's computer networks.
|
|
- Volatile
- Inability of an SRAM-based FPGA to maintain
its configuration when power is removed.
|

|

|

|

|
|
|
|
| http://www.actel.com/products/rescenter/security/ |
|