Do You Speak Securitese? Five Security Terms You Should Know
Like many other topics we cover here at PCWorld, security has a language of its own. Listening to a group of security experts carry on a conversation, for instance, can be a frustrating experience for mere mortals. And sometimes, technical jargon seeps into everyday security news.
Knowing what the following five key security terms mean, however, can help you stay better informed about the threats around you.
Zero-day: You may occasionally hear software companies talk about “zero-day” flaws or exploits. The expression “zero-day” refers to any newly discovered software security flaw that has yet to be fixed by the software’s maker.
While conventional wisdom suggests that zero-day threats are something you should be seriously concerned about, not everyone is convinced: A recent report from Microsoft shows that very few major security threats actually take advantage of zero-day flaws. Still, you should keep your software up to date.
Remote code execution: This is another term that comes up often in security-update talk. Here’s an excerpt from the release notes for Microsoft’s October Patch Tuesday update: “The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.”
“Remote code execution” is a fancy way of saying that a cybercriminal could use a vulnerability to gain access to your computer from afar and run malware on it. Malware attacks that rely on remote code execution typically prey on bugs in Web browsers, image viewer applications, video and music players, PDF viewers, and so on.
As the Microsoft quote suggests, these bugs are usually triggered by Web pages (and image or video files) that criminals have specifically doctored to exploit a flaw. This is why you should avoid clicking links or opening email attachments that you weren’t expecting, even if that attachment is an image file or a PDF.
Sandboxing: One way to help protect against remote code execution is to employ what’s called sandboxing. This technique isolates apps and other software processes in such a way that, even if attackers figure out a security hole in a piece of software, they can’t exploit it to install malware on your computer.
A notable example of software that uses sandboxing is Adobe Reader X: Since crooks commonly install malware on PCs through bugs in how Reader handles PDFs, the addition of sandboxing has greatly improved Reader’s security. Sandboxing won’t make software impervious to attack, but the technique will add another layer of security that can thwart many attempts.
SSL: If you’ve ever visited your bank’s website, or have gone shopping on Amazon, you may have noticed that a lock icon appears in your browser’s toolbar and that the Web address starts with “https” instead of “http.” This is SSL at work. SSL, which stands for Secure Sockets Layer, is a way of securing the information being passed back and forth between you and the site you’re visiting. SSL encrypts the data as it passes from point to point on the Net, keeping it from prying eyes.
Most websites that handle sensitive information, such as banking and shopping sites, use SSL to keep your private information safe, but sites like Facebook, Gmail, and Twitter also give you the option to use SSL. For other sites, check your account settings to see whether this feature is available.
Certificates: Any website—including malicious ones—can use SSL, so the lock icon in your browser’s toolbar by itself does not mean that you’re safe.
Enter certificates. Briefly, a certificate is a digital document of sorts—an ID badge—that verifies a site’s identity. Certificates are typically issued by organizations called “certificate authorities,” and most are “signed,” which basically means that the certificate authority was able to verify the identity of the website in question. If a certificate isn’t signed, however, your browser will usually pop up a warning about it.
Like everything in security, though, a certificate isn’t a sure thing: In September, a hacker claimed to have broken into the computer systems of DigiNotar, a Dutch certificate authority; the breach resulted in the issuance of forged certificates that attackers might use to make malicious sites appear legitimate and secure.
If you want to learn more, security training company SANS offers a comprehensive glossary of security terms. Google’s “Good to Know” site is a great place to brush up on basic Internet security. And our Security Alert blog provides ongoing security news and information.