
Information, Computer and Network Security Terms Glossary and Dictionary - D

DAC: Discretionary Access Control
Discretionary Access Control (DAC) is an access control service that enforces a security policy based on the identity of system entities and their authorizations to access system resources. This includes setting permissions on files, folders and shared resources.

DACL: Discretionary access control list
Discretionary access control list (DACL) is the most common type of access control list (ACL) used to control access to computer and network resources.

Daemon
A daemon is a program, often started when the system boots, that runs continuously without intervention from any of the users on the system and forwards requests to other programs (or processes) as appropriate. The term daemon is a Unix term. Many other operating systems provide support for daemons, though they are sometimes called other names. Windows, for example, refers to daemons as System Agents and services.

Data Aggregation
Data Aggregation is the ability to get a more complete picture of the information by collecting and analyzing several different types of records from various channels at once.

Data Custodian
A Data Custodian is the entity currently using or manipulating the data and therefore temporarily responsible for it.

Data Integrity
Data integrity, in terms of data and network security, is the assurance that information can only be accessed or modified by those authorized to do so. Measures taken to ensure integrity include controlling the physical environment of networked terminals and servers, restricting access to data, and maintaining rigorous authentication practices.

Data Key
In cryptography, a data key is a variable value that is applied to a string or block of text to encrypt or decrypt it. It is used to encrypt or decrypt data only; it is not used to encrypt or decrypt other keys, as some encryption schemes require.

Data Owner
A Data Owner is the entity having responsibility and authority for the data.

Data Mining
Data Mining is a technique used to analyze existing information, usually with the intention of pursuing new avenues for certain business goals.

Data Protection Act 1984/1998
The 'Data Protection Act 1984' (DPA) is a British Act of Parliament that provides a legal basis for the privacy and protection of data of UK citizens and businesses. Data disclosed by one party to another may only be used for the specific purposes for which it was disclosed. The data can only be kept for an appropriate length of time and must not be disclosed to other parties without the data owner's consent. The Data Protection Act (1984) was subsequently amended (1998) to take account of the EC Data Protection Directive (1995). The Directive was an attempt to harmonize the different European national laws across the whole EC.

Data Retention
Data retention is often used to describe the forced archiving of customers' e-mail details and web browsing history by ISPs for future investigation by government organizations when requested. Most countries are moving towards compulsory data retention on the basis that it will help in fighting against terrorism, pedophiles and organized crime, and the maintenance of national security.

Data Splitting
Data splitting is an approach to protecting sensitive data from unauthorized access by encrypting the data and storing different portions of a file on different servers.

DCS-1000
DCS-1000, formerly known as Carnivore, is a surveillance system used by the FBI for monitoring e-mail.

Data Warehousing
A Data Warehouse is a subject-oriented data repository designed to make quick, accurate, and often insightful information easy to obtain. A Data Warehouse integrates operational data from various sources into a single, consistent architecture that supports analysis and decision-making within the organization.

Datagram
A datagram, also called a packet, is a self-contained, independent unit of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between that source and destination and the transporting network. Datagrams or packets are the message units that the Internet Protocol deals with and that the Internet transports.

DDoS: Distributed Denial-of-Service Attack
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, denying service to legitimate users.

DEA: Data Encryption Algorithm
Data Encryption Algorithm (DEA) is a symmetric block cipher defined as part of the U.S. Government's Data Encryption Standard. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block.

Decapsulation
Decapsulation is the process of stripping off one layer's headers and passing the rest of the packet up to the next higher layer on the protocol stack.

Decipher
Decipher, also called decrypt or decode, means to convert ciphertext into the original, unencrypted plaintext.

Decode
Decode means to unscramble a message in which the text was transformed by substituting words or phrases; in this context, encoded messages are encrypted at the level of words or phrases rather than individual characters.

Decrypt
Decrypt is actually a generic term, covering both decoding and deciphering, that simply means to unscramble a message.

Decryption
Decryption is the process of transforming an encrypted message into its original plaintext.

Deep Packet Inspection
Deep Packet Inspection, also known as deep inspection, is a firewall technology similar to stateful packet inspection with some IDS signatures and some application protocol anomaly detection rules. In other words, a "Deep Inspection" firewall is going to provide all of the protections of a stateful firewall, plus signature checking for whatever signatures are loaded into it.

Defacement
Defacement is the act of modifying the content of a website in such a way that it becomes "vandalized" or embarrassing to the website owner.

Defamation Act, 1997 (UK)
The Defamation Act, 1997 is a UK law establishing company liability for information transferred via the Internet and other electronic means. Comparable laws are under consideration for wider European legislation.

Default ID or Default Password
A Default ID or Default Password is the user ID and password contained in a system when it is first delivered and installed, provided to enable initial access and configuration. Failure to eliminate or remove default IDs and passwords is a common vulnerability in many installations.

Defcon
Defcon, originally started in 1993, is a popular hackers' convention held each fall in Las Vegas. Defcon is one of the oldest continuously running hacker conventions around, and also one of the largest.

Defense In-Depth
Defense In-Depth is the approach of using multiple layers of security to guard against failure of a single security component.

DEK: Data Encryption Key
Data Encryption Key (DEK) is used for the encryption of message text and for the computation of message integrity checks (signatures).

Deniable Encryption
Deniable encryption is a type of cryptography that allows an encrypted text to be decrypted in two or more ways, depending on which decryption key is used. The use of two or more keys allows the sender, theoretically, to conceal or deny the existence of a controversial message in favor of a more benign decryption.

Deny
Deny is an action taken with an Access Control List (ACL) that implies that the packet is discarded.

Deperimeterization
In network security, deperimeterization is a strategy for protecting a company's data on multiple levels by using encryption and dynamic data-level authentication.

Depository
A depository is a file or set of files in which data is stored for the purpose of safekeeping or identity authentication.

DERA: Defence Evaluation and Research Agency
Defence Evaluation and Research Agency (DERA) is the research arm of the Ministry of Defence (MOD) of the United Kingdom.

DES: Data Encryption Standard
Data Encryption Standard (DES) is a long-standing US encryption standard, a symmetric-key encryption method standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key and the block cipher method, which breaks text into 64-bit blocks and then encrypts them. There are 72 quadrillion or more possible encryption keys that can be used in this algorithm. Like other private-key cryptographic methods, both the sender and the receiver must know and use the same private key.

DESX or DES-X
DES-X (or DESX) is a variant on the DES (Data Encryption Standard) block cipher intended to increase the complexity of a brute force attack using a technique called key whitening. The difference between DES and DESX is that, in DESX, the input plaintext is bitwise XORed with 64 bits of additional key material before encryption with DES and the output is also bitwise XORed with another 64 bits of key material.

DH: Diffie-Hellman
Diffie-Hellman (DH) algorithm is a key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography. Diffie-Hellman is now part of the IPSec standard.

DHA: Directory Harvest Attack
A directory harvest attack (DHA) is an attempt to determine the valid e-mail addresses associated with an e-mail server so that they can be added to a spam database.

DHCP spoofing
DHCP spoofing is a type of attack on a DHCP server in which IP addresses are obtained using spoofed DHCP messages. In cases where the DHCP server is on a remote network and an IP address is required to access that network, the requester is at an impasse, since the DHCP server is what supplies the IP address. To supply access to the network, when the Pipeline receives a DHCP Discover packet (a request for an IP address from a PC on the network), it responds with a DHCP Offer packet containing the configured (spoofed) IP address and a renewal time set to a few seconds. The requester then has access to the DHCP server and gets a real IP address. (Other variations exist in environments where the APP server utility is running.)

DHCP Starvation
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. This is a simple resource starvation attack just like a SYN flood is a starvation attack. The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. Exhausting all of the DHCP addresses is not required to introduce a rogue DHCP server, though.

Dictionary Attack
A Dictionary Attack is an attempt to crack a password or key by trying all of the words or phrases in a dictionary. The difference between a dictionary attack and a brute force attack is that a dictionary attack uses a predefined list of words, whereas a brute force attack tries all possible combinations.

Differential Cryptanalysis
Differential cryptanalysis is a type of attack that can be used against iterative block ciphers. It is basically a chosen plaintext attack where the difference between values (or keys) is used to gain some information about the system.

Diffie-Hellman
Diffie-Hellman algorithm is a key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.

Diffie-Hellman Key Agreement Standard
Diffie-Hellman Key Agreement Standard is a Public-Key Cryptography Standard (PKCS) that outlines the use of the Diffie-Hellman Key Agreement, a method of sharing a secret key between two parties. The secret key is used to encrypt ongoing data transfer between the two parties.

Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange is a public key cryptography protocol based on the Diffie-Hellman algorithm that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange.

Diffing
Diffing is a technique used by hackers that compares different versions of files to look for differences.

Digest Authentication
Digest Authentication allows a web client to compute MD5 hashes of the password to prove it has the password.

DigiCrime
DigiCrime is a Web site that humorously draws attention to information security issues.

Digital Certificate
A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

Digital Envelope
A digital envelope is an encrypted message together with its encrypted session key: the content-encryption key, in encrypted form, is prepared for use by the recipient.

Digital Fingerprint
Digital Fingerprinting is a technology to protect multimedia from unauthorized redistribution. It embeds a unique ID into each user's copy, which can be extracted to help identify culprits when an unauthorized leak is found.

Digital Signature
A digital signature is a hash of a message that uniquely identifies the sender of the message and proves the message hasn't changed since transmission. Any recipient of the data can use the signature to verify the data's origin and integrity.

Digital Silhouettes
Digital Silhouettes is the trademarked name that Predictive Networks has given to user profiles that are established through gathered click stream data and artificial intelligence (AI) processes. The profile, or cybersignature, is built from a mathematical analysis of an individual's interests as well as their keyboard and mouse activity.

Digital forensics
Digital forensics is the field of science that applies digital technologies to legal questions arising from criminal investigations.

Digital watermarking
Digital watermarking is a technique which allows an individual to add hidden copyright notices or other verification messages to digital audio, video, or image signals and documents. Such a hidden message is a group of bits describing information pertaining to the signal or to the author of the signal (name, place, etc.). The technique takes its name from the watermarking of paper or money as a security measure. Digital watermarking is not a form of steganography, in which data is hidden in the message without the end user's knowledge, although some watermarking techniques have the steganographic feature of not being perceivable by human eyes.

DISA: Defense Information Systems Agency
The Defense Information Systems Agency (DISA) is a combat support agency responsible for planning, developing, fielding, operating, and supporting command, control, communications, and information systems that serve the needs of the President, Vice President, the Secretary of Defense, the Joint Chiefs of Staff, the Combatant Commanders, and the other Department of Defense (DOD) Components under all conditions of peace and war.

Disassembly
Disassembly is the process of taking a binary program and deriving the source code from it.

Disaster Recovery
Disaster Recovery is the process of recovery of IT systems in the event of a disruption or disaster.

Disruption
Disruption is a circumstance or event that interrupts or prevents the correct operation of system services and functions.

Distributed Scans
Distributed Scans use multiple source addresses to gather information about a target.

DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process
Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is a standardized approach for certifying the security of IT (information technology) systems.

DLL: Dynamic Link Library
Dynamic Link Libraries (DLLs) are files containing groups of often-used computer code which can be shared amongst many programs. This has several advantages: programmers who use library code do not need to keep reinventing the wheel; programs which invoke library code do not each need to include a copy of that code, making their files smaller; and updates to library code can be applied in one place, rather than in many programs.

DMCA: Digital Millennium Copyright Act
The Digital Millennium Copyright Act (DMCA) was enacted into US law in 1998. It is supposedly intended to fulfill the requirements of the World Intellectual Property Organization (WIPO), but it has the unqualified support of the major companies in the software, film and music industries.

DMS: Defense Message System
The Defense Message System (DMS) is a secure X.400-based e-mail system developed by the United States government in conjunction with industry partners to ensure safety for critical operations. Essentially an enhanced version of various commercial e-mail products, DMS was developed for the United States Department of Defense (DoD).

DMZ: DeMilitarized Zone
In the computer network world, a DeMilitarized Zone (DMZ) is a part of a network separated from other systems by a firewall which allows only certain types of network traffic to enter or leave. A DMZ or perimeter network is a network area (a subnetwork) that sits between an organisation's internal network and an external network, usually the Internet. For example, public web servers might be placed in such a DMZ. With the DMZ approach, large companies with complex e-commerce Internet and extranet applications may have a two-tiered approach to firewall security. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network: hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ.

DNS Attack
A Domain Name System (DNS) attack, also called DNS Spoofing or DNS cache poisoning, aims to redirect users to potentially malicious web servers by changing the records used to convert domain names to numerical addresses. It is used by online fraudsters as another way to install aggressive advertising software, or adware, on victims' computers and to redirect people to pay-per-click Web sites. The domain name system protocol is inherently vulnerable to this style of attack due to the weakness of its 16-bit transaction IDs.

DNS Poisoning or DNS Cache Poisoning
Domain Name System (DNS) poisoning, also known as DNS cache poisoning or DNS attack, is the corruption of a domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address.

DNS Spoofing
DNS Spoofing is a term used when a DNS server accepts and uses incorrect information from a host that has no authority to give that information. DNS spoofing is also called Domain Name System (DNS) poisoning, DNS cache poisoning, or a DNS attack.

DOI: Domain of Interpretation
Domain of Interpretation (DOI), a term in the IPSec ISAKMP/IKE, defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes.

DNS: Domain Name System
Domain Name System or Service (DNS) is a distributed Internet directory service. DNS is used mostly to translate between domain names (www.domainname.com) and IP addresses (123.123.123.123), and to control Internet email delivery. Most Internet services rely on DNS to work, and if DNS fails, web sites cannot be located and email delivery stalls.

Domain Hijacking
Domain Hijacking is an attack in which an attacker takes over a domain by first blocking access to the domain's DNS server and then putting up his own server in its place.

Domain Name
A domain name locates an organization or other entity on the Internet. For example, the domain name "www.javvin.com" locates an Internet address for "javvin.com" at Internet point 199.20.0.2 and a particular host server named "www". The "com" part of the domain name indicates the nature of the organization or entity. The "javvin" part of the domain name defines the organization or entity.

DomainKeys
DomainKeys is an anti-spam/phishing technology developed by Yahoo that uses a form of public key cryptography to authenticate the sender's domain. Today, the sender of an email can spoof the originating address so that recipients will think it came from someone else. The Domain Key technology enables the receiving end of e-mail to easily filter out emails in which the sender's stated address could not be authenticated as the actual address. Technically, mail servers generate a public/private key pair and sign outgoing messages with the private key, while publishing the public key as part of their DNS record. The signature can be used to confirm that the sender of the email has not been spoofed. The presence or lack of a signature can be used as part of the process of identifying spam.

Dongle
In computer networking, a dongle is a short network cable that joins a PCMCIA adapter to a network cable. A dongle is used as a security key and its purpose is to ensure that only authorized users can use certain software applications or data. Dongles typically attach to either a RJ-45 connector for Ethernet networking or an RJ-11 connector for dial-up networking. The term "dongle" also has become popular in USB networking, referring to the USB cable that extends from a USB peripheral.

DoS Attack: Denial-of-Service Attack
On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services.

DoS: Denial of Service
Denial of Service (DoS) is the prevention of authorized access to a system resource or the delaying of system operations and functions. DoS happens when network bandwidth or computational resources are exhausted, either by authorized usage or by people launching DoS attacks.

Dot bug vulnerability
Dot bug vulnerability is a type of coding vulnerability, which involves being able to reveal source code to attackers. For example, by appending one or more dots to the end of an ASP URL under IIS 3.0, it was possible to view the ASP source code.

DPAPI: Data Protection API
Data Protection API (DPAPI) is an application programming interface (API) that is part of CryptoAPI on Microsoft Windows platforms.

Drive-by Hacking
Drive-by hacking means hacking or cracking the target's wireless LAN while outside of the target's offices in a car or behind some shrubs in the grounds.

Drive-by Spamming
Drive-by spamming is a variation of drive-by hacking in which the perpetrators gain access to a vulnerable wireless local area network (WLAN) and use that access to send huge volumes of spam. Using the drive-by method allows spammers to save themselves considerable bandwidth costs required to send that many messages legitimately, and makes it very difficult for anyone to trace the spam back to its source.

DRM: Digital Rights Management
Digital Rights Management (DRM) refers to the control of intellectual property, the enforcement of copyright in the digital world. It is based on this principle: creators have the right to be paid for the use of their creations; authors, musicians, actors, inventors all have the right to be paid for their work and to control its use.

DRP: Disaster Recovery Plan
Disaster Recovery Plan (DRP), also referred to as a business continuity plan (BCP) or business process contingency plan (BPCP), describes how an organization is to deal with potential disasters. A disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized, and the organization will be able to either maintain or quickly resume mission-critical functions.

DSA: Digital Signature Algorithm
Digital Signature Algorithm (DSA) is an asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.

DSniff
DSniff is a packet sniffer and set of traffic analysis tools written by Dug Song, a computer security researcher at the University of Michigan. Unlike tcpdump and other low-level packet sniffers, dSniff also includes tools that decode information (passwords, most infamously) sent across the network, rather than simply capturing and printing the raw data. Other tools included with the package include "sshmitm" and "webmitm", programs designed to intercept SSH version 1 communications and web traffic respectively with a man-in-the-middle attack, "msgsnarf", a program designed to intercept AOL Instant Messenger conversations, and "macof", a program designed to break poorly-designed Ethernet switches by flooding them with packets with bogus MAC addresses.

DSO exploit: Data Source Object Exploit
A data source object (DSO) exploit is a form of spyware that takes advantage of data binding to gain access to the hard drive of a computer connected to the Internet. Such spyware can be difficult to detect and eradicate, and if it is successfully removed, it often returns.

DSS: Digital Signature Standard
Digital Signature Standard (DSS) is the digital signature algorithm (DSA) developed by the U.S. National Security Agency (NSA) to generate a digital signature for the authentication of electronic documents. DSS was put forth by the National Institute of Standards and Technology (NIST) in 1994, and has become the United States government standard for authentication of electronic documents.

Dual Control
Dual control is a security procedure that requires two people (or possibly two processes or two devices) to cooperate in order to gain access to a system resource (data, files, devices). In its simplest form, it could be a door that requires separate keys, where each key is held by a different person.

Dual-Homed Gateway
Dual-homed gateway is a computer system with two network interfaces which is used to provide a secure point of control between two differing IP networks with two differing IP addresses. It is a gateway because it acts as a conduit for some or all traffic between the two networks. Examples thus include proxy servers and firewalls.

Due Care
Due Care ensures that a minimal level of protection is in place in accordance with the best practice in the industry.

Due Diligence
Due Diligence is the requirement that organizations must develop and deploy a protection plan to prevent fraud, abuse, and additionally deploy a means to detect them if they occur.

Dumb Network
A "dumb network" provides the physical interconnection between nodes but not much processing to support signaling. The Internet is often cited as a dumb network relative to the public switched telephone network (PSTN). The PSTN is considered an "intelligent network" because the intelligence required for operation is carried within the network, while the end devices (telephones) are simple devices. The Internet takes the opposite approach: the network simply transports packets of data and the end devices (computers, for example) contain the intelligence to process the data. This approach is sometimes referred to as "dumb network, smart devices."

DumpSec
DumpSec is a security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.

Dumpster Diving
Dumpster Diving is obtaining passwords and corporate directories by searching through discarded media.

Duress Feature
A Duress Feature is a silent "panic alarm" built into some access control systems. It would normally take the form of a secret code that could be added either before or at the end of an ID or password, and would cause a silent alarm to be sent to the system administrator or other officials. It would indicate that the user is under some form of duress, and is perhaps being forced to log on or gain entry against his or her free will.

Dynamic Key Derivation
Dynamic Key Derivation is a feature defined in the IEEE 802.1x standard which allows for the creation of per-user session keys. WEP keys do not have to be kept at the client device or at the AP when using 802.1x. The WEP keys are dynamically created at the client for every session, thus making it more secure.

Dynamic Packet Filter
A dynamic packet filter is a firewall facility that can monitor the state of active connections and use this information to determine which network packets are allowed through the firewall. By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement a much tighter security posture than a static packet filter.

Dynamic proxy
Dynamic proxy, also known as adaptive proxy, is an enhanced form of application-level gateway.

Dynamic Routing Protocol
Dynamic Routing Protocols allow network devices to learn routes. RIP and EIGRP are dynamic routing protocols which enable dynamic routing when routers talk to adjacent routers, informing each other of what networks each router is currently connected to. The routers must communicate using a routing protocol.