Glossary of Key Terms

21 CFR Part 11

A title in the Code of Federal Regulations that deals with Food and Drug Administration (FDA) guidelines on electronic records and signatures. This title requires industries that fall under FDA regulation to implement controls such as audits, audit trails, electronic signatures, and policies for software and systems that process electronic data.

A

Access

The ability of a subject and an object to interact.

Access control

The process or mechanism of granting or denying use of a resource; typically applied to users or generic network traffic.

Access control entry (ACE)

An element of the access control list.

Access control list (ACL)

A list of security policies that is associated with an object.

Access mask

In Windows-based systems, a value that specifies the rights that are allowed or denied in an access control entry (ACE) of an access control list (ACL).

Accounting

As part of AAA, provides the ability of a system to collect statistics on networks or users for auditing and billing purposes. Accounting enables the tracking of systems usage, start and stop times of resources, and number of packets, as well as other metrics that identify what was used and for how long.

Active Directory

The directory service for Microsoft Windows Server. Active Directory stores information about objects on the network and makes this information available for authorized systems administrators and users. It gives network users access to permitted resources anywhere on the network using a single sign-on process. It also provides systems administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

Algorithm

A process that performs a sequence of operations.

Annual rate of occurrence (ARO)

The number of times per year we can expect a compromise to occur.

Annualized loss expectancy (ALE)

The total cost per year of the threat under assessment. ALE is calculated by multiplying the SLE by the ARO.

Application layer

Provides services for an application program to ensure effective communication.

Asset value

The relative value, either in monetary terms or in overall impact, of the resource being protected by the access control system.

Assessment

Documenting rules, procedures, and guidelines to be tested against a system.

Asymmetric encryption

A type of encryption in which an encryption key (the public key) is used to encrypt a message, and another encryption key (the private key) is used to decrypt the message.

Attacker

Someone trying to compromise information or data.

Audit trail

A series of events gleaned from parsed log file reports over a period of time.

Authentication

The process of confirming the identity of a user. Also, ensuring that a sender and recipient are who they say they are.

Authentication factor

A way of confirming the identity of a subject. The three authentication factors are "something you know," "something you have," and "something you are."

Authentication Header (AH)

An IPSec authentication protocol that is used to prove the identity of the sender and ensure the data has not been tampered with.

Authentication service

The service provided through Kerberos that identifies users on a computer system. The authentication service is part of the Key Distribution Center.

Authentication, Authorization, and Accounting (AAA)

Network services that provide security through a framework of access controls and policies, enforcement of policies, and information needed for billing purposes.

Authenticator

A message that's part of the Kerberos authorization process and is composed of the client ID and timestamp.

Authorization

The decision to allow or deny a subject access to an object. After a user has been authenticated, for example, authorization determines if the user has the rights to perform specific actions on the network or system.

Automated testing

The use of software to control the execution of a test suite.

Automatic declassification

The process by which U.S. government documents over 25 years old are declassified. Unless they meet strict criteria, such documents are automatically declassified after the department that owns them reviews them, and they are then moved to the publicly accessible shelves of the National Archives.

B

Backdoor

A hole in system or network security placed deliberately either by system designers or attackers. A way of quickly bypassing normal security measures.

Baseline

A normal level of measurement.

Bell-LaPadula Model

A model that defines basic principles of access controls.

Best practice

A documented method or system of achieving a specific result in an effective, efficient manner. Best practices generally take lessons learned from individuals or groups so that others can complete similar tasks in a more efficient manner.

Binary large objects (BLOBs)

A collection of binary data stored in a relational database.

Biometrics

An authentication system based on physical characteristics or behavioral tendencies of an individual.

Blacklist

A list of known malicious behaviors that should be automatically denied.

Blue team

In a penetration test, the blue team consists of IT staff who defend against the penetration testers. They are generally aware that a penetration test is happening, but do not know what methods the penetration testers will use.

Bollards

Short vertical posts designed to control traffic and prevent vehicular attacks on a building.

Boundary conditions

The outermost extremes of test conditions.

Breach

A confirmed event that compromises the confidentiality, integrity, or availability of information.

Bugtraq

An industry mailing list provided by Symantec that reports new vulnerabilities as they are discovered.

Business continuity

The ability of an organization to maintain critical functions during and after a disaster event.

Business to business (B2B)

Activities that occur between two or more businesses.

Business to customer (B2C)

Activities that occur between a business and a customer.

C

California Identity Theft Statute

Requires a business operating in California to notify customers when it has reason to believe that personal information has been disclosed through unauthorized access.

Card holder unique identification (CHUID)

A unique number that identifies an individual in possession of a smart card.

Certificate authority (CA)

An entity, usually a trusted third party, that issues digital certificates.

Certificate revocation list (CRL)

The certificate authority's list of invalid certificates.

Challenge Handshake Authentication Protocol (CHAP)

Provides authentication over a PPP link.

Child objects

Objects that inherit certain characteristics, such as access controls, from a parent object.

Children's Internet Protection Act (CIPA)

A U.S. law passed in It requires schools and libraries receiving E-Rate funds to filter some Internet content. The primary purpose is to protect minors from obscene or harmful content.

Classification scheme

A method of organizing sensitive information into various access levels.

Clear text

Information that has no cryptographic protection applied to it.

Clearance

The level of information an individual is authorized to access.

Cloud services

Applications or IT services delivered over the Internet rather than in a typical client/server model on a local area network. Yahoo Mail, Google Docs, and Mozy online backup are examples of cloud services.

Code injection

An attack in which malicious code is introduced into an application. This type of attack is possible because of lax input validation in the target application.

Commercial off-the-shelf (COTS)

Products that are easily available to anyone.

Common Criteria

ISO/IEC 15408 standard for computer security.

Compartmentalization

The practice of keeping sensitive functions separate from non-sensitive ones.

Compromise

Unauthorized access and release of information.

Computer Fraud and Abuse Act (CFAA)

A federal criminal statute designed to protect electronic data from theft.

Confidential information

This is the lowest level of sensitivity in the U.S. government classification scheme. Confidential information would damage security if it were disclosed. This information may be handled only by personnel with security clearance, may not be disclosed to the public, and must be disposed of in a secure manner.

Confidentiality

Ensuring that only the intended recipient can read the data.

Confidentiality agreement

Legally binding agreement that prevents two or more parties from revealing private information obtained while dealing with one another. Another name for a non-disclosure agreement.

Controlled Unclassified Information (CUI)

Information that has not been classified by the U.S. government but that is pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and that under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.

Cost of attainment

What it costs an organization to obtain or create an asset originally.

Cost of impact

What an organization would lose if an asset were unavailable. For example, a particular organization might lose $50,000 per hour in lost productivity if its internal network went down.

Cost of replacement

What it would cost an organization to replace an asset if it were stolen or compromised.

Countermeasure

An action taken to counter another action.

Credentials

Used to control access to resources.

Crossover error rate (CER)

The point at which Type I errors and Type II errors in a biometric access control system are equal.

Cryptography

Used to protect data so that it cannot be easily read or understood.

Cryptosystem

The hardware or software system that transforms the clear text into ciphertext.

D

Data at rest (DAR)

Stored data. The data may be in archival form on tape or optical disc, on a hard disk, or sitting in a system's buffers.

Data dictionary

A document that defines every data element and database table in a piece of software.

Data Encryption Standard (DES) encryption

A method of scrambling data for security purposes. Published in 1974, it has since been broken and is no longer considered highly secure.

Data in motion (DIM)

Data as it travels from one place to another, such as over a network.

Data-link layer

Network components that interconnect network nodes or hosts.

Declassification

The process used to move a classified document into the public domain.

Defense-in-depth strategy

The approach of using multiple layers of security to protect against a single point of failure.

Delegated access rights

Access rights that are given to a user by the owner of an object.

Denial of service (DoS) attack

An attack against a system that limits it from doing the tasks it is intended to do.

Diffie-Hellman key exchange

A protocol or an algorithm allowing two users to exchange a secret key over unsecure communications.

Digital certificate

A data structure used to bind an authenticated individual to a public key.

Digital Millennium Copyright Act (DMCA)

A U.S. copyright law that enacts criminal penalties for breaking or distributing technology designed to break digital rights management technologies.

Directory information

Information about a student that an educational institution may release without the written consent of the student. Directory information includes a student's name, address, phone number, e-mail address, dates of attendance, degree earned, enrollment status, and field of study.

Discretionary access control (DAC)

An access control system where rights are assigned by the owner of the resource in question.

Discretionary access control list (DACL)

Controls access to an object.

Disgruntled employee

An employee who is angry or dissatisfied, usually with some aspect of their employment.

Domain administrator

A user with full rights over all computers in a Windows domain.

E

Electronic protected health information (EPHI)

Information about an individual's health care stored in an electronic format.

Elliptic Curve Cryptosystem (ECC)

Provides a stronger cryptographic result with a shorter key.

Encapsulated Security Payload (ESP)

Authentication and encryption protocol for IPSec that encrypts Internet Protocol (IP) packets and ensures their integrity.

Encryption

The process of applying an algorithm to clear-text (or plain-text) data, resulting in a ciphertext.

Explicitly delegated rights

Access rights that are actively given to a user by an object owner.

Extensible Authentication Protocol (EAP)

A framework enabling multiple authentication mechanisms over various connections.

F

Failure to enroll rate

The percentage of failed attempts to create a sample data set for an individual, divided by the total number of attempts to enroll users.

False acceptance rate

The percentage of impostors that will be recognized as authorized users.

False negative

Occurs when an intrusion detection system overlooks anomalous activity.

False positive

Occurs when an intrusion detection system labels normal activity as anomalous.

False rejection rate

The percentage of attempts by legitimate users that are rejected by the system.

Family Educational Rights and Privacy Act (FERPA)

An act of Congress to protect the privacy of education records. It applies to all educational institutions receiving funding from the U.S. Department of Education.

Forest

The outermost boundary of an Active Directory service. A forest may contain several domains.

Freedom of Information Act (FOIA)

A law enacted in 1966. It states that any person has a right of access to federal agency records, and that federal agency records must be made available to the public unless they are specifically exempt from public release.

Freedom of Information Act request

An attempt by a member of the general public to get a document declassified. The act allows for full or partial disclosure of the document. If the owning organization refuses the request, the decision can be appealed in a judicial review.

G

Gap analysis

The process of identifying the difference between reality—the current state of an organization's IT infrastructure—and the organization's security goals.

Generic Routing Encapsulation (GRE)

A tunneling protocol that encapsulates packets inside Internet Protocol (IP) tunnels.

Get out of jail free card

The authorization memo, signed by a member of upper management, that states that a penetration test has been authorized and exactly what methods the test will include. Every member of a penetration testing team should carry a copy of this memo at all times to avoid misunderstandings with security and law enforcement.

Gramm-Leach-Bliley Act (GLBA)

An act of Congress that allowed banks, investment firms, and insurance companies to consolidate. It also introduced some consumer protections, such as requiring credit agencies to provide consumers with one free credit report per year.

Group

A collection of users with similar access needs.

Guideline

A collection of suggestions and best practices relating to a standard or procedure. A guideline doesn't necessarily need to be met but compliance is strongly encouraged.

H

Hardening

The process by which vulnerabilities are addressed to create a secure system.

Hash salt

Random data that is used as the basis for an encryption algorithm. The randomness of this data provides an additional layer of security to the encryption.

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

Expanded and updated the civil and criminal penalties and requires notification if any breach causing the disclosure of PHI occurs.

Health Insurance Portability and Accountability Act (HIPAA)

Legislation passed in 1996 that protects the privacy and accessibility of health care information.

Heightened access

The ability of an attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access.

Heuristics

A problem-solving system that uses a set of rules to select the best answer available. In virus scanning, heuristics refers to an algorithm that uses a set of rules that is constantly revised based on feedback to determine whether a given file contains a virus.

Homeland Security Presidential Directive 12 (HSPD 12)

A standard issued in August 2007 to enforce the standardization of security identification credentials for government employees and contractors. This standard covers both physical and logical access to government resources.

Host discovery

The process of scanning the network to find out which Internet Protocol (IP) addresses are attached to interesting resources.

Human machine interface (HMI)

The place where an operator views the data that is received and processed. The HMI is connected to a database that gathers information from the RTUs.

Human nature

The sum of qualities and traits shared by all humans.

I

Identification

The process by which a subject or object identifies itself to the access control system. In the case of users, identification uniquely distinguishes an individual. In most cases, identification needs to be provided prior to authenticating the user.

Identification mode

The mode in which a biometric system compares live data to a database of known samples and returns one or more matching user profiles.

Implicitly delegated rights

Rights that are inherited or otherwise passively assigned.

Information availability

Ensures that information is available to authorized users when they need it.

Information confidentiality

Ensures that private or sensitive information is not disclosed to unauthorized individuals.

Information integrity

Ensures that data has not been accidentally or intentionally modified without authorization.

Input control

Dictates how users can interact with data and devices that introduce new data into a system.

Integration testing

The process of testing how individual components function together as a complete system.

Integrity

Ensuring the data has not been altered.

Internet Key Exchange (IKE)

Provides identification to communication partners via a secure connection.

Internet layer

Provides services for connecting network resources across network domains.

Internet Protocol Security (IPSec)

A protocol that secures IP communications by authenticating and encrypting each IP packet.

Internet Security Association and Key Management Protocol (ISAKMP)

A protocol that provides the framework for the negotiation of algorithms, protocols, modes, and keys for IKE.

Intrusion detection

See Intrusion detection system (IDS).

Intrusion detection system (IDS)

A combination of hardware and software used to analyze network traffic passing through a single point on the network. It is designed to analyze traffic patterns to find suspicious activity.

Intrusion prevention system (IPS)

A combination of a firewall and an IDS. An IPS is designed to analyze network traffic patterns and react in real time to block suspicious activity.

Intrusive testing methods

Security testing methods that exploit possible vulnerabilities in order to prove their existence and potential impact.

IP tunneling

Used to create secure pathways for data through a public network.

K

Kerberos

Provides a means of verifying identities of computer systems on an unprotected network. Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Key Distribution Center (KDC)

The service or server that acts as both the ticket granting service and the authentication service.

Keyspace

The range of values that construct a cryptosystem key.

L

LAN Manager (LM) hash

The method used to store passwords up to 15 characters in Windows operating systems prior to Windows Vista.

Layer 2 Tunneling Protocol (L2TP)

Sets up a point-to-point connection between two computer systems that can be transmitted over multiple types of networks.

Least privilege

The principle in which a subject—whether a user, application, or other entity—should be given the minimum level of rights necessary to perform legitimate functions.

Least user access (LUA)

Requires that users commonly log into workstations under limited user accounts.

Lightweight Directory Access Protocol (LDAP)

An application layer protocol for querying and modifying directory services running under Transmission Control Protocol/Internet Protocol (TCP/IP).

Linux Intrusion Detection System (LIDS)

A patch to the Linux kernel and a set of administrative tools that attempt to enhance security.

Load testing

A way of measuring how software will perform with an average number of users, as well as how it will perform under extreme load conditions.

Local area network (LAN)

A network connecting computers and other assets in a small, physical location such as an office, home, or school.

M

Malware

Any form of malicious software, including viruses, Trojan horses, and spyware.

Mandatory access control (MAC)

An access control system where rights are assigned by a central authority.

Mandatory declassification review

Instigated when an individual attempts to get a document declassified. After the review request has been filed, the owning organization must respond with approval, denial, or the inability to confirm or deny the existence or nonexistence of the document. If the request is denied, the requester can appeal to the interagency security classification appeals board.

Media Access Control (MAC) address

A unique identifier assigned to every piece of hardware on a network.

Message Digest 5 (MD5)

An algorithm that applies a hash function to a message, creating a 128-bit message digest. This algorithm is used to ensure the data has not been changed in any manner.

Multilayered access control

The combination of more than one access control method to secure a single resource.

N

Nessus

A proprietary security scanner developed by Tenable Network Security. It is network-centric with Web-based consoles and a central server.

Network access control (NAC)

The use of policies within a network infrastructure to limit access to resources until the system proves that it has complied with the policy. Sometimes referred to as network admission control.

Network access server (NAS)

Provides a service to dial-in users. This server allows a computer system to connect to the network through either a phone line or the Internet.

Network Information Service (NIS)

A service that provides information to all systems on a network.

NIS+

A distributed network information service developed by Sun Microsystems. It contains key information about the systems and the users on the network.

Nmap

An open source port scanning and host detection utility. Nmap stands for Network Mapper.

Nondisclosure agreement (NDA)

Legally binding agreement that prevents two or more parties from revealing private information obtained while dealing with one another.

Nonintrusive testing methods

Security testing methods that do not exploit possible vulnerabilities.

Non-repudiation

The concept of ensuring an originator cannot refute the validity of a statement or document.

Normalization

The process of translating log files from various systems into a common format.

North American Electric Reliability Council (NERC)

Created in 1968 to ensure that the North American energy network is secure, adequate, and reliable. IT security is mostly concerned with the creation of guidelines for strong access controls and processes.

NTLM hash

A challenge-response authentication protocol used by NT servers when using the Server Message Block (SMB) protocol.

O

OAKLEY

A protocol that allows computer systems to exchange key agreement over an insecure network.

Object

1. Anything that is passively acted upon by a subject. 2. The resource to which a subject desires access. Common objects are data, networks, and printers.

Open systems interconnection (OSI) reference model

Divides the network infrastructure into seven layers.

Orange Book

Orange-covered book that is part of the "Rainbow Series" published by the U.S. Department of Defense.

Organizational unit (OU)

A logical structure that allows you to organize users, computers, and other objects into separate units for administrative purposes.

Output control

Dictates how users can interact with the output of data, either to a screen, printer, or another device.

P

Parent object

An object from which other objects inherit various properties including access controls.

Parsing

The process of translating and reformatting raw log files into useful reports.

Passphrase

A phrase or sentence used in place of a password. Passphrases are often used as mnemonic devices to help remember complex passwords.

Password

A secret combination of characters known only to the subject.

Password Authentication Protocol (PAP)

A data-link protocol that provides authentication over PPP.

Password cracking

Guessing or deciphering passwords.

Password hash

A password that is stored in its encrypted form.

Penetration testing

The act of simulating an attack on an organization's resources to assess an infrastructure's true vulnerability. A penetration test simulates an actual attack. Penetration testers use a variety of methods including social engineering, software hacking, and physical intrusion.

Perimeter security

Any method that restricts access to a defined area, such as a military base, corporate campus, infrastructure facility, or office building.

Personally identifiable information (PII)

Any information that can be used to identify, locate, or contact a specific individual. Also includes any information that can be combined with other information to piece together a specific individual's identity. A Social Security number is an example of PII. Several laws and regulations specify that PII must be protected.

Phishing

Creating legitimate-looking Web sites or e-mails that trick a user into entering sensitive information such as passwords, Social Security numbers, or credit card numbers.

Physical security

The process of ensuring that no one without the proper credentials can physically access resources.

Point-to-Point Protocol (PPP)

A protocol for communication between two computers. Typically, the connection from the client to the server is over a telephone line.

Point-to-Point Tunneling Protocol (PPTP)

A protocol that sets up a point-to-point connection between two computer systems over an Internet Protocol (IP) network.

Policy

1. A document that describes specific requirements or rules that must be met in a given area. 2. A formal statement of management intent regarding the business practices of an organization. A policy is binding upon all affected individuals.

Port scan detector

Software that monitors network ports to detect a port scan attack. These attacks are usually the precursor to a more serious attack.

Port scanning

A technique designed to probe a network's open ports looking for a weakness.

Prioritization

Regarding log files, the process of determining which log files and/or entries are important and may require action versus which are less important or informational only.

Privacy impact assessment (PIA)

A comprehensive process for determining the privacy, confidentiality, and security risks associated with the collection, use, and disclosure of personal information. It also describes the measures used to mitigate, and if possible, eliminate identified risks.

Private

A general category that describes information an organization wants to keep internally.

Private key

The encryption key that is held privately by the user.

Probability of occurrence

The likelihood that an attack will occur.

Procedures

A defined series of steps or actions for achieving an objective or result. For example, a defined workflow used to enforce policies is considered a procedure or a set of procedures. Procedures are often written to ensure that tasks are completed in the same way each time, preventing unexpected problems.

Process control system (PCS)

A mechanism used to control the output of a specific process.

Programmable logic controller (PLC)

A programmable electronic device used in industrial automation to provide logic and sequencing controls for machinery.

Proprietary

Any information that a company derives a competitive advantage from. Marketing data, formulas, customer lists, salary structure, test results, and software source code are some examples of proprietary information. This information may be shared with outside organizations with the expectation of confidentiality, usually enforced with a nondisclosure agreement. Often used interchangeably with trade secrets, but covers a wider range of information and is not as well legally defined.

Protected health information (PHI)

Any information that concerns health status, health care, or any payment for health care that can be linked to the individual. This is interpreted very broadly and includes all of an individual's medical record and payment history.

Pseudocode

A high-level abstraction of code used to outline the steps in an algorithm.

Public key

The publicly available key of an asymmetric key pair; it is used together with the corresponding private key.

Public key infrastructure (PKI)

A framework that consists of programs, procedures, and security policies that employs public key cryptography and the X.509 standard (digital certificates). It is a hybrid system of symmetric and asymmetric key algorithms.

Q

Qualitative risk assessments

A method of risk assessment that assigns a subjective label (usually "high," "medium," and "low") to a risk scenario.

Quantitative risk assessment

A method of risk assessment that assigns a dollar value to every data point.

R

Radio Frequency Identification (RFID) badge

An ID badge with an embedded radio frequency identification chip. This chip can store information about the badge holder, such as authentication information and security access levels.

Red team

In a penetration test, the red team consists of penetration testers who have been given some background knowledge of the infrastructure.

Registration authority (RA)

An entity that is responsible for the registration and initial authentication of certificate subscribers.

Relational database (RDB)

A database that stores data in tables and provides for relationships between various data.

Remote access server (RAS)

A server that provides an authentication service for users who are dialing into a network or accessing it from the Internet.

Remote Authentication Dial In User Service (RADIUS)

A client/server protocol that provides authentication, authorization, and accounting for a remote dial-in system.

Remote terminal unit (RTU)

A microprocessor-controlled electronic device that interfaces objects in the physical world with a distributed control system or SCADA system by transmitting telemetry data to the system and/or altering the state of connected objects based on control messages received from the system.

Restricted

Any information that a corporation wants to limit access to. It's usually accessible only to a small group of individuals.

Retina

A graphically intensive vulnerability scanner.

Risk

The probability that a particular threat will exploit an IT vulnerability causing harm to an organization. Risk is measured in terms of probability and consequence.

Risk acceptance

Simply accepting the risks and doing what you need to do anyway.

Risk assessment

The process of identifying and prioritizing risk.

Risk avoidance

Choosing to avoid an activity that carries some element of risk.

Risk mitigation

A strategy that combines attempts to minimize the probability and consequences of a risk situation.

Risk transference

Shifting responsibility for a risk to a third party.

Role

Allows you to generalize and separate a subject's or user's function from its identity.

Role-based access control (RBAC)

Access control system where rights are assigned based on a user's role rather than his or her identity.

Root

The superuser in Linux and UNIX systems.

RSA asymmetric encryption algorithm

A public key cryptosystem based on factoring large numbers that are a product of two prime numbers.

S

Sandbox

A security mechanism for isolating programs running in a shared environment.

Sarbanes-Oxley (SOX) Act of 2002

Created to protect investors by improving the accuracy and reliability of corporate financial disclosures. SOX accomplishes this by strengthening existing penalties and making corporate officers personally responsible for the disclosures.

Secret

Information that would cause serious damage to national security if disclosed. This is the most common national security classification level.

Secret key

Key used to encrypt and decrypt messages.

Security association (SA)

Records the configuration the computer systems need to support an IPSec connection.

Security identifier (SID)

A variable that identifies a user, group, or account.

Security information and event management (SIEM) system

A software package that centralizes and normalizes log files from a variety of applications and devices.

Sensitive

Information that could cause harm to the organization if it is compromised through exposure or alteration. Bonus and salary information is an example.

Sensitive information

Information that is not widely known or available.

Separation of duties

The practice of dividing essential steps of a task between multiple individuals.

Separation of responsibilities

Authentication system in which two conditions must be met in order for access to be granted. If one condition is met but not the other, access is denied.

Service level agreement (SLA)

An agreement between an organization and a third party that describes availability levels, security protection levels, and response times to a breach.

Service set identifier (SSID)

An access point's ID on a wireless LAN.

Shadow password

An encrypted password database used in Unix and Linux operating systems.

Shared secret

Something only the subject and the authentication system know. A shared secret can be a piece of data that is known only to the parties that are communicating with one another. A shared secret is used for encryption.

Single loss expectancy (SLE)

The cost incurred in one loss incident.

Single sign-on (SSO)

A method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. SSO helps a user avoid having to log on multiple times and remember multiple passwords for various systems.

Single-factor authentication

The act of identifying a user as authentic with a single authentication factor.

Smart card

An ID badge or other card with an embedded RFID chip that stores basic identification and authentication information.

Social engineering

The use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to an attacker.

Software as a Service (SaaS)

A model of software distribution. Instead of simply selling an application, a SaaS vendor hosts the applications and offers access for a small subscription fee.

Spear phishing

A phishing attack targeted at specific, usually high-level, individuals within an organization.

Standard

A collection of requirements that must be met by anyone who performs a given task or works on a specific system.

Subject

The user, network, system, process, or application requesting access to a resource.

Super Administrator

A user with full rights on a system.

Super user do (sudo)

A command that allows an administrator to run processes as root without actually logging in under the root account in a Linux or UNIX system.

Supervisory Control and Data Acquisition (SCADA) process control systems

Systems utilized to monitor and control telecommunications, water and waste control, energy, and transportation among other industries and utilities.

Symmetric encryption

A form of encryption where the sender and the receiver use the same key for encrypting and decrypting an object.

System access control list (SACL)

A system-created access control list that handles the information assurance aspect of access controls.

Systematic declassification

Any document that is less than 25 years old but of significant importance to the historic record of the United States can be reviewed for early declassification. Once identified, these documents go through the same procedures as automatically declassified documents.

T

Target

Any system or network that contains valuable data and has attracted the notice of the hacker.

Temporal Key Integrity Protocol (TKIP)

Encryption used for WLANs.

Terminal Access Controller Access Control System (TACACS)

A remote access client/server protocol that provides authentication and authorization capabilities to users that are accessing the network remotely. It is not a secure protocol.

Terminal Access Controller Access Control System Plus (TACACS+)

A remote access client/server protocol. It is a Cisco proprietary protocol and provides authentication, authorization, and accounting.

Threat

A potential attack on a system.

Three-factor authentication

The act of identifying a user as authentic with three authentication factors.

Ticket-granting service

A server or service that is authorized to issue tickets to the client after the client has already received a ticket granting ticket. A ticket-granting service verifies the user's identity using the ticket-granting ticket and issues the ticket for the desired service. A ticket-granting service is part of the Key Distribution Center.

Tiger team

In a penetration test, a tiger team consists of testers who are given no knowledge of the infrastructure and who attack a target that is unaware of their existence until the attack is made.

Token

Something the subject has that no one else does. Smart cards and challenge-response devices are commonly used tokens.

Tool

A technical method or control used to complete a task or achieve a goal, such as enforcing policies.

Top Secret

The highest level of information sensitivity in the National Security classification scheme; it is defined as any information that would cause grave damage to national security if disclosed.

Trade secret

Information that an organization holds that is not generally known to the public and provides economic benefits to the organization from maintaining its secrecy. A trade secret is a special case of proprietary information.

Transparency

Being open and honest about the infrastructure and not hiding any data from the users.

Transport layer

Methods and protocols for encapsulating application data.

Two-factor authentication

The act of identifying a user as authentic with two authentication factors.

Two-person control

The concept that there must be two authorized individuals available to approve any sensitive activity.

Type I error

A false rejection in a biometric access control system.

Type II error

A false acceptance in a biometric access control system.

U

Unclassified information

Information that has not been deemed sensitive enough to warrant classified status by the U.S. government.

Unicast

The sending of messages to a single network destination. The opposite of unicast is broadcast, where data is sent to all network destinations.

Uninterruptable power supply (UPS)

A device that supplies backup power to servers and other devices.

Unit testing

A method of testing that ensures that a specific function or module works as designed.

UNIX

A multi-processing, multi-user family of operating systems originally developed by Bell Laboratories. Most often used for servers.

V

Verification mode

The mode in which a biometric system makes a simple one-to-one comparison and returns a binary result.

Virtual local area network (VLAN)

Allows network managers to segment resources into local area networks despite geographical distance. For example, if a work group's office space was reallocated and the individuals in the group were reassigned to new offices spread across the building, a VLAN could be created to allow them the same resource sharing abilities they had when their offices were located in a geographically small area.

Virtual private network (VPN)

A system that uses a public network (usually the Internet) to transmit private data securely. Users on a VPN can exchange data and share resources as if they were directly connected via a LAN.

Vulnerability

An unintended weakness in a system's design that makes it possible for attackers to take control of a system, access resources to which they are not authorized, or damage the system in some way.

W

Ward

A metal projection in a warded lock that must line up with the grooves on the key in order to unlock.

Whitelist

A list of known approved behaviors that should be automatically allowed.

Wide area network (WAN)

A network that connects several smaller networks. For example, a large corporation with offices in New York, Chicago, and Los Angeles might have a LAN in each local office, and then connect those three LANs via a wide area network.

Wireless mesh networks

A networking scheme based on a distributed network mesh topology. Each node in the network connects to multiple nodes; each node also acts as a router for the nodes it connects to, allowing traffic to hop along multiple paths to a destination.

World Intellectual Property Organization (WIPO)

A group of 188 nations that have signed treaties to protect intellectual property across national borders.
