Numbers

802.11 standard The generic name of a family of protocols and standards used for wireless networking. These standards define the rules for communication. Some, such as 802.11i, are relatively new, whereas others, such as 802.11a, have been established for some time.

802.11i standard An amendment to the 802.11 standard. 802.11i uses Wi-Fi Protected Access (WPA2) and Advanced Encryption Standard (AES) as a replacement for RC4 encryption.

A

acceptable use policy (AUP) A policy that defines what employees, contractors, and third parties can and cannot do with the organization’s IT infrastructure and its assets. AUPs are common for access to IT resources, systems, applications, Internet access, email access, and so on.

access control list (ACL) A table or list stored by a router to control access to and from a network by helping the device determine whether to forward or drop packets that are entering or exiting it.

access point spoofing The act of pretending to be a legitimate access point with the purpose of tricking individuals into passing traffic via the fake connection so that it can be captured and analyzed.

accountability The traceability of actions performed on a system to a specific system entity or user.

active fingerprinting An active method of identifying the operating system (OS) of a targeted computer or device that involves injecting traffic into the network.

activity blocker Alerts the user to out of the ordinary or dangerous computer operations, but also can block their activity.

ad hoc mode A form of wireless networking in which wireless stations communicate with each other directly, without an access point. Ad hoc operation is ideal for small networks of no more than two to four computers. See also infrastructure mode.

Address Resolution Protocol (ARP) Protocol used to map a known Internet Protocol (IP) address to an unknown physical address on the local network. For example, IPv4 uses 32-bit addresses, whereas Ethernet uses 48-bit Media Access Control (MAC) addresses. The ARP process can take the known IP address that is being passed down the stack and use it to resolve the unknown MAC address by means of a broadcast message. This information is helpful in an ARP cache.

adware A software program that automatically forces pop-up windows of Internet marketing messages to users’ browsers. Adware differs from spyware in that adware does not examine a user’s individual browser.

algorithm A mathematical procedure used for solving a problem. Used for the encryption and decryption of information and data.

annualized loss expectancy (ALE) Annual expected financial loss to an organization’s IT asset because of a particular threat being realized within that same calendar year. Single loss expectancy (SLE) × annualized rate of occurrence (ARO) = ALE.

annual rate of occurrence (ARO) The expected rate of occurrence over the period of one year.

anomaly detection A type of intrusion detection that looks at behaviors that are not normal or within standard activity. These unusual patterns are identified as suspicious. Anomaly detection has the capability of detecting all kinds of attacks, including ones that are unknown. Its vulnerability is that it can produce a high rate of false positives.

appenders A virus infection type that places the virus code at the end of the infected file.

assessment An evaluation/valuation of IT assets based on predefined measurement or evaluation criteria. This usually requires an accounting or auditing firm to conduct an assessment, such as a risk or vulnerability assessment.

asset Anything of value owned or possessed by an individual or business.

asymmetric algorithm Uses a pair of different but related cryptographic keys to encrypt and decrypt data.

audit A professional examination and verification performed by either an independent party or internal team to examine a company’s accounting documents and supporting data. Audits conform to a specific and formal methodology and specify how an investigation is to be conducted with specific reporting elements and metrics being examined (such as an IT audit according to Generally Accepted Auditing Standards).

authentication A method that enables identification of an authorized person. Authentication verifies the identity and legitimacy of the individual to access the system and its resources. Common authentication methods include passwords, tokens, and biometric systems.

authorization The process of granting or denying access to a network resource based on the user’s credentials.

availability Ensures that the systems responsible for delivering, storing, and processing data are available and accessible as needed by individuals who are authorized to use the resources. One of the three elements of the CIA security triad, along with confidentiality and integrity.

B

backdoor A piece of software that allows access to a computer without using the conventional security procedures. Backdoors are often associated with Trojans.

Base64 A coding process used to encode data in some email applications. Because it is not true encryption, it can be easily broken.

baseline A consistent or established base that is used to build a minimum acceptable level of security.

biometrics A method of verifying a person’s identify for authentication by analyzing a unique physical attribute of the individual, such as a fingerprint, retina, or palm print.

black box testing The form of testing that occurs when the tester has no knowledge of the target or its network structure.

block cipher An encryption scheme in which the data is divided into fixed-size blocks (each of which is encrypted independently of the others).

Blowfish A symmetric-key block cipher designed as a replacement for DES or IDEA. Since its release in 1993, it has been gaining acceptance as a fast, strong encryption standard. It takes a variable-length key that can range from 32 to 448 bits.

bluejacking The act of sending unsolicited messages, pictures, or information to a Bluetooth user.

bluesnarfing The theft of information from a wireless device through Bluetooth connection.

Bluetooth An open standard for short-range wireless communications of data and voice between both mobile and stationary devices. Used in cell phones, tablets, laptops, and other devices.

botnet A collection of robot-controlled computers, called bots. Once connected, these devices can launch huge amounts of spam, can be used for illegal activity, or even be used to launch denial of service attacks.

Brain virus A boot sector virus transmitted by floppy disks. One of the first viruses found in the wild.

brute-force attack A method of breaking a cipher or encrypted value by trying a large number of possibilities. The feasibility of brute-force attacks depends on the key length and strength of the cipher and the processing power available to the attacker.

buffer An amount of memory reserved for the temporary storage of data.

buffer overflow In computer programming, occurs when a software application somehow writes data beyond the allocated end of a buffer in memory. Buffer overflows are usually caused by software bugs, lack of input validation, and improper syntax and programming, and they expose the application to malicious code injections or other targeted attack commands.

business continuity planning (BCP) A system or methodology to create a plan for how an organization will resume partially or completely interrupted critical functions within a predetermined time after a disaster or disruption occurs. The goal is to keep critical business functions operational.

business impact analysis (BIA) A component of the business continuity plan that looks at all the operations that an organization relies on for continued functionality. It seeks to distinguish which operations are more crucial than others and require a greater allocation of funds in the wake of a disaster.

C

catastrophe A calamity or misfortune that causes the destruction of facilities and data.

certificate See digital certificate.

certificate authority (CA) Used by public key infrastructure (PKI) to issue public key certificates. The public key certificate verifies that the public key contained in the certificate actually belongs to the person or entity noted in the certificate. The CA’s job is to verify and validate the owner’s identity.

cipher text The unreadable form of plain text or clear text after it has been encrypted.

clickjacking Using multiple transparent or opaque layers to induce users into clicking a web button or link on a page that they were not intending to be navigating or clicking. Clickjacking attacks are often referred to as UI redress attacks.

clipping level The point at which an alarm threshold or trigger occurs. For example, a clipping level of three logon attempts locks out a user after three unsuccessful attempts to log on.

cloning In the context of hacking, occurs when a hacker copies the electronic serial number (ESN) from one cell phone to another, which duplicates the cell phone.

closed-circuit television (CCTV) A system composed of video transmitters that can feed the captured video to one or more receivers. Typically used in banks, casinos, shopping centers, airports, or anywhere that physical security can be enhanced by monitoring events. Placement in these facilities is typically at locations where people enter or leave the facility or at locations where critical transactions occur.

closed system A system that is not “open” and therefore is a proprietary system. Open systems are those that employ modular designs, are widely supported, and facilitate multivendor, multitechnology integration.

cloud computing The practice of using remote servers, applications, and equipment hosted on the Internet by third-party providers.

CNAMES CNAMES are used in Domain Name Service (DNS); the CNAME record contains the aliases or nickname.

cold site A site that contains no computing-related equipment except for environmental support, such as air conditioners and power outlets, and a security system made ready for installing computer equipment.

collisions In cryptography, occur when a hashing algorithm, such as MD5, creates the same value for two or more different files. In the context of the physical network, collisions can occur when two packets are transmitted at the same time on an Ethernet network.

combination lock A lock that can be opened by turning dials in a predetermined sequence.

Common Weakness Enumeration (CWE) A universal online dictionary of software weaknesses maintained by the MITRE Corporation.

Common Vulnerabilities and Exposures (CVE) CERT-sponsored list of vulnerabilities and exposures.

Common Vulnerability Scoring System (CVSS) An industry standard that was created by security practitioners in the Forum of Incident Response and Security Teams (FIRST) to provide the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

Computer Emergency Response Team (CERT) An organization developed to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve an organization’s capability to respond to computer and network security issues.

confidentiality Data or information is not made available or disclosed to unauthorized persons. One of the three elements of the CIA security triad, along with integrity and availability.

confidentiality agreement An agreement that employees, contractors, or third-party users must read and sign before being granted access rights and privileges to the organization’s IT infrastructure and its assets.

contingency planning The process of preparing to deal with calamities and noncalamitous situations before they occur so that the effects are minimized.

cookies A message or small amount of text that a website stores in a text file on the computer running the web browser used to visit the website. The message is sent back to the web server each time the browser goes to that website and is useful in maintaining state in what is otherwise a stateless connection.

copyright The legal protection given to authors or creators that protects their expressions on a specific subject from unauthorized copying. It is applied to books, paintings, movies, literary works, or any other medium of use.

covert channel An unintended communication path that enables a process to transfer information in a way that violates a system’s security policy.

cracker A term derived from criminal hacker, indicating someone who acts in an illegal manner.

criminal law Laws pertaining to crimes against the state or conduct detrimental to society. Violations of criminal statues are punishable by law, and punishments can include monetary penalties and jail time.

criticality The quality, state, degree, or measurement of the highest importance.

crossover error rate (CER) A comparison measurement for different biometric devices and technologies to measure their accuracy. The CER is the point at which false acceptance rate (FAR) and false rejection rate (FRR) are equal, or cross over. The lower the CER, the more accurate the biometric system.

cross-site scripting (XSS) A type of attack that could result in installation or execution of malicious code, account compromise, session cookie hijacking, revelation or modification of local files, or site redirection.

cross-site request forgery (CSRF or XSRF) Attacks that occur when unauthorized commands are transmitted from a user who is trusted by the application. CSRF is different from XSS because it exploits the trust that an application has in a user’s browser.

cryptographic key The piece of information that controls the cryptographic algorithm. The key specifies how the clear text is turned into cipher text or vice versa. For example, a DES key is a 64-bit parameter consisting of 56 independent bits and 8 bits that are used for parity.

crypter Software used to encrypt malware. Some crypters obscure the contents of the Trojan by applying an encryption algorithm. Crypters can use anything from AES, RSA, to even Blowfish, or they might use more basic obfuscation techniques, such as XOR, Base64 encoding, or even ROT13.

D

Data Encryption Standard (DES) A symmetric encryption standard (FIPS 46-3) that is based on a 64-bit block. DES uses the data encryption algorithm to process 64 bits of plain text at a time to output 64-bit blocks of cipher text. Even though the DES key is 64 bits in length, it has a 56-bit work factor and has four modes of operation.

defense in depth The process of multilayered security. The layers can be administrative, technical, or logical. As an example of logical security, you might add a firewall, encryption, packet filtering, IPsec, and a demilitarized zone (DMZ) to start to build defense in depth.

demilitarized zone (DMZ) The middle ground between a trusted internal network and an untrusted external network. Services that internal and external users must use are typically placed there, such as HTTP.

denial of service (DoS) The process of having network resources, services, and bandwidth reduced or eliminated because of unwanted or malicious traffic. The goal of a DoS attack is to render the network or system nonfunctional. Some examples include Ping of Death, SYN flood, IP spoofing, and Smurf attacks.

destruction Destroying data and information or permanently depriving information from the legitimate user.

detective controls Controls that identify undesirable events that have occurred.

dictionary attack An attack when a text file full of dictionary words is loaded into a password program and then run against user accounts located by the application. If simple passwords have been used, this might be enough to crack the code. These can be performed offline with tools like LCP and Hashcat, and they can be performed online with tools like Brutus and THC-Hydra.

digital certificate Usually issued by a trusted third party, such as a certificate authority, and contains the name of a user or server, a digital signature, a public key, and other elements used in authentication and encryption. X.509 is the most common type of digital certificate.

digital signature An electronic signature that can be used to authenticate the identity of the sender of a message. It is created by encrypting a hash of a message or document with a private key. The message to be sent is passed through a hashing algorithm; the resulting message digest or hash value is then encrypted using the sender’s private key.

digital watermark A technique that adds hidden copyright information to a document, picture, or sound file. This can be used to allow an individual working with electronic data to add hidden copyright notices or other verification messages to digital audio, video, or image signals and documents.

disaster A natural or man-made event, such as fire, flood, storm, or equipment failure, that negatively affects an industry or facility.

discretionary access control (DAC) An access policy that allows the resource owner to determine who is permitted access.

distributed denial of service (DDoS) Similar to denial of service (DoS), except that the attack is launched from multiple, distributed agent IP devices.

Domain Name Service (DNS) A hierarchy of Internet servers that translates alphanumeric domain names into IP addresses and vice versa. Because domain names are alphanumeric, they are easier for humans to remember than IP addresses.

dropper A Trojan horse or program designed to drop a virus to the infected computer and then execute it.

due care The standard of conduct of a reasonable and prudent person. When you see the term due care, think of the first letter of each word and remember “do correct,” because due care is about the actions that you take to reduce risk and keep it at that level.

due diligence The execution of due care over time. When you see the term due diligence, think of the first letter of each word and remember “do detect,” because due diligence is about finding the threats an organization faces. This is accomplished by using standards, best practices, and checklists.

dumpster diving The practice of rummaging through the trash of a potential target or victim to gain useful information.

dynamic analysis The act of analyzing software or programs while they are executing. Dynamic analysis also relates to the monitoring and analysis of computer activity and network traffic during malware analysis.

E

eavesdropping The unauthorized capture and reading of network traffic or other type of network communication.

echo reply Used by the ping command to test networks. The second part of an Internet Control Message Protocol (ICMP) ping, officially a type 0 that is sent in response to an echo request.

echo request Makes use of an ICMP echo request packet, which will be answered using an ICMP echo reply packet. The first part of an ICMP ping, officially a type 8.

EDGAR database The Electronic Data Gathering, Analysis, and Retrieval system used by the Securities and Exchange Commission (SEC) for storage of public company filings. It is a potential source of information for hackers who are targeting a public company.

Electronic Code Book (ECB) A symmetric block cipher that is one of the modes of Data Encryption Standard (DES). ECB is considered the weakest mode of DES. When used, the same plain-text input will result in the same encrypted-text output.

electronic serial number (ESN) A unique ID number embedded in a cell phone by the manufacturer to minimize the chance of fraud and to identify a specific cell phone when it is turned on and a request to join a cellular network is sent over the air.

encryption The science of turning plain text into cipher text.

end-user licensing agreement (EULA) The software license that software vendors create to protect and limit their liability and to hold the purchaser liable for illegal pirating of the software application. The EULA usually contains language that protects the software manufacturer from software bugs and flaws and limits the liability of the vendor.

enterprise vulnerability management The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through dissemination of duties throughout the IT organization.

ethical hack A type of hack that is done to help a company or individual identify potential threats on the organization’s IT infrastructure or network.

ethical hacker A security professional who legally attempts to break in to a computer system or network to find its vulnerabilities. Ethical hackers must obey rules of engagement, do no harm, and stay within legal boundaries.

evasion The act of performing activities to avoid detection.

evil twin An attack in which an attacker creates a rogue access point and configures it exactly the same as the existing corporate network.

exploit An attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.

exposure factor (EF) This is a value calculated by determining the percentage of loss to a specific asset if a specific threat is realized. For example, if a fire were to hit the Houston data center that has an asset value of $250,000, it is believed that there would be a 50 percent loss or exposure factor. Adding additional fire controls could reduce this figure.

Extensible Authentication Protocol (EAP) A method of authentication that can support multiple authentication methods, such as tokens, smart cards, certificates, and one-time passwords.

F

false acceptance rate (FAR) This measurement evaluates the likelihood that a biometric access control system will wrongly accept an unauthorized user.

false rejection rate (FRR) This measurement evaluates the likelihood that a biometric access control system will reject a legitimate user.

fast infection A type of virus infection that occurs quickly.

file infector A type of virus that copies itself into executable programs.

finger On some UNIX systems, identifies who is logged on and active and sometimes provides personal information about that individual.

firewall Security system in hardware or software form that is used to manage and control both network connectivity and network services. Firewalls act as chokepoints for traffic entering and leaving the network, and prevent unrestricted access. Firewalls can be stateful or stateless.

flooding The process of overloading the network with traffic so that no legitimate traffic or activity can occur.

G

gap analysis The analysis of the differences between two different states, often for the purpose of determining how to get from point A to point B; therefore, the aim is to look at ways to bridge the gap. Used when performing audits and risk assessments.

gentle scan A type of vulnerability scan that does not present a risk to the operating network infrastructure.

gray box testing Testing that occurs with only partial knowledge of the network or that is performed to see what internal users have access to.

guidelines Recommended actions and operational guides for users. Much like standards but less stringent.

H

hash A mathematical algorithm used to ensure that a transmitted message has not been tampered with. A one-way algorithm that maps or translates one set of bits into a fixed-length value that can be used to uniquely identify data.

hashing algorithm Used to verify the integrity of data and messages. A well-designed hashing algorithm examines every bit of the data while it is being condensed, and even a slight change to the data will result in a large change in the message hash. It is considered a one-way process.

heuristic scanning A form of virus scanning that looks at irregular activity by programs. For example, a heuristic scanner would flag a word processing program that attempted to format the hard drive, because that is not normal activity.

honeypot An Internet-attached server that acts as a decoy, luring in potential hackers to study their activities and monitor how they are able to break in to a system. Similar is a honeynet, which is a collection of honeypot systems.

I

identify theft An attack in which an individual’s personal, confidential, banking, and financial identity is stolen and compromised by another individual or individuals. Use of your Social Security number without your consent or permission might result in identify theft.

impact assessment An attempt to identify the extent of the consequences if a given event occurs.

inference The ability to deduce information about data or activities to which the subject does not have access.

inference attack Relies on the attacker’s ability to make logical connections between seemingly unrelated pieces of information.

Infrastructure as a Service (IaaS) A cloud-based service that offers customers virtualized computing resources over the Internet such as firewalls, switches, and the like.

infrastructure mode A form of wireless networking in which wireless stations communicate with each other by first going through an access point. See also ad hoc mode.

initial sequence number (ISN) A number defined during a Transmission Control Protocol (TCP) startup session to keep track of how much information has been moved. The ISN is of particular interest to hackers, who use it in session hijacking attacks.

integrity The accuracy and completeness of an item. One of the three elements of the CIA security triad, along with confidentiality and availability.

Internet Assigned Numbers Authority (IANA) A primary governing body for Internet networking. IANA oversees three key aspects of the Internet: top-level domains (TLD), IP address allocation, and port number assignments. IANA is tasked with preserving the central coordinating functions of the Internet for the public good. IANA is used by hackers and security specialists to track down domain owners and their contact details.

Internet Control Message Protocol (ICMP) Part of TCP/IP that supports diagnostics and error control. ICMP echo request and echo reply are packets used in the ping utility.

intrusion detection A key component of security that includes prevention, detection, and response. It is used to detect anomalies or known patterns of attack.

intrusion detection system (IDS) A network or host-based monitoring device installed and used to inspect inbound and outbound traffic and activity and identify suspicious patterns that might indicate a network or system attack by someone attempting to break into or compromise a system.

inverse SYN cookies A method for tracking the state of a connection, which takes the source address and port, along with the destination address and port, and then through a SHA-1 hashing algorithm. This value becomes the initial sequence number (ISN) for the outgoing packet. Used in dealing with SYN flood attacks.

IPsec Short for IP Security, an IETF standard used to secure TCP/IP traffic. It can be implemented to provide integrity and confidentiality.

ISO/IEC 17799 A comprehensive security standard, divided into ten sections, that is considered a leading standard and a code of practice for information security management.

IT Short for information technology; encompasses computers, software, Internet/intranet, and telecommunications.

IT asset Information technology asset, such as hardware, software, or data.

IT asset criticality analysis The act of assigning a criticality factor or importance value (critical, major, or minor) to an IT asset.

IT asset valuation The act of assigning a monetary value to an IT asset.

IT infrastructure A general term to encompass all information technology assets (hardware, software, data), components, systems, applications, and resources.

IT security architecture and framework A document that defines the policies, standards, procedures, and guidelines for information security.

J–K

KARMA A man-in-the-middle attack that creates a rogue AP and enables an attacker to intercept wireless traffic. KARMA stands for Karma Attacks Radio Machines Automatically. A radio machine could be a mobile device, a laptop, or any Wi-Fi”“enabled device. In a KARMA attack scenario, the attacker listens for the probe requests from wireless devices and intercepts them to generate the same SSID for which the device is sending probes.

key exchange protocol A protocol used to exchange secret keys for the facilitation of encrypted communication. Diffie-Hellman is an example of a key exchange protocol.

keylogger (keystroke logger) A tool that an attacker uses to capture user keystrokes in a system to steal sensitive data (including credentials). There are two main types of keyloggers: keylogging hardware devices and keylogging software. A hardware (physical) keylogger is usually a small device that can be placed between a user’s keyboard and the main system. Software keyloggers are dedicated programs designed to track and log user keystrokes.

L

limitation of liability and remedies A legal clause in a contract that limits the organization’s financial liability and limits the remedies available to the other party.

M

MAC filtering A method of controlling access on a wired or wireless network by denying access to any device that has a MAC address that does not match a MAC address in a pre-approved list.

macro infector A type of computer virus that infects macro files. I Love You and Melissa are both examples of macro viruses.

mandatory access control (MAC) A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (such as clearance) of subjects to access information of such sensitivity.

man-in-the-middle attack A type of attack in which the attacker can read, insert, and change information that is being passed between two parties, without either party knowing that the information has been compromised.

man-made threats Threats that are caused by humans, such as hacker attack, terrorism, or destruction of property.

master boot record infector A virus that infects a master boot record.

The Matrix A movie about a computer hacker who learns from mysterious rebels about the true nature of his reality and his role in the Matrix machine. A favorite movie of hackers!

MD5 A hashing algorithm that produces a 128-bit output.

media access control (MAC) address The hard-coded address of the physical layer device that is attached to the network. In an Ethernet network, the address is 48 bits (or 6 bytes) long.

methodology A set of documented procedures used for performing activities in a consistent, accountable, and repeatable manner.

Moore’s law The prediction that processing power of computers will double about every 18 months.

multipartite virus A virus that attempts to attack both the boot sector and executable files.

N

N-tier A model in which functions are physically separated based on which layer they reside (presentation, application, data management, and so on).

natural threats Threats posed by nature, such as fire, floods, and storms.

NetBus A backdoor Trojan that allows an attacker complete control of the victim’s computer.

Network Address Translation (NAT) A method of connecting multiple computers to the Internet using one IP address so that many private addresses are being converted to a single public address.

network operations center (NOC) An organization’s help desk or interface to its end users in which trouble calls, questions, and trouble tickets are generated.

NIST 800-42 The purpose of this document is to provide guidance on network security testing. It deals mainly with techniques and tools used to secure systems connected to the Internet. This document was superseded in 2008 by NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.

nonattribution The act of not providing a reference to a source of information.

nonrepudiation A system or method put in place to ensure that an individual cannot deny his own actions.

Nslookup A standard UNIX, Linux, and Windows tool for querying name servers.

null session A Windows feature in which anonymous logon users can list domain usernames, account information, and enumerate share names.

O

one-time pad An encryption mechanism that can be used only once, and that is, theoretically, unbreakable. One-time pads function by combining plain text with a random pad that is the same length as the plain text.

open source Software released under an open source license, such as the GNU General Public License, or to the public domain. The source code is published and can be modified.

OS (operating system) identification The practice of identifying the operating system of a networked device through either passive or active techniques.

P

packers Similar to programs such as WinZip, Rar, and Tar in that they compress files. However, whereas compression programs compress files to save space, packers do this to obfuscate the activity of the malware. The idea is to prevent anyone from viewing the malware’s code until it is placed in memory. Packers serve a second valuable goal to the attacker in that they work to bypass network security protection mechanisms.

packet filtering A form of stateless inspection performed by some firewalls and routers. Packet filters limit the flow of traffic based on predetermined access control lists (ACLs). Parameters such as source, destination, or port can be filtered or blocked by a packet filter.

paper shredder A hardware device used for destroying paper and documents by shredding to prevent dumpster diving.

passive fingerprinting A passive method of identifying the operating system (OS) of a targeted computer or device. No traffic or packets are injected into the network; attackers simply listen to and analyze existing traffic.

Password Authentication Protocol (PAP) A form of authentication in which clear-text usernames and passwords are passed.

pattern matching A method used by intrusion detection systems (IDS) to identify malicious traffic. It is also called signature matching and works by matching traffic against signatures stored in a database.

penetration test A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker without doing harm and with the owner’s written consent.

personal-area network (PAN) Used when discussing Bluetooth devices. A network of two or more devices connected via Bluetooth.

phishing The act of misleading or conning an individual into releasing and providing personal and confidential information to an attacker masquerading as a legitimate individual or business. This is usually done by sending many emails that request the victim to follow a link to a bogus website. Closely associated with spear phishing, which is more targeted, and whaling, which targets CEOs or other high-ranking employees.

ping sweep The process of sending ping requests to a series of devices or to the entire range of networked devices.

Platform as a Service (PaaS) A cloud-based service that offers customers a platform on which to develop, run, and manage their applications and services. One advantage is that clients do not have to build and maintain their own infrastructure.

policy A high-level document that dictates management intentions toward security.

polymorphic virus A virus that is capable of change and self-mutation.

Post Office Protocol (POP) A commonly implemented method of delivering email from the mail server to the client machine. Other methods include Internet Message Access Protocol (IMAP) and Microsoft Exchange.

port knocking A defensive technique that requires users of a particular service to access a sequence of ports in a given order before the service will accept their connection.

port redirection The process of redirecting one protocol from an existing port to another.

ports Used by protocols and applications for communication. Port numbers are divided into three ranges: well-known ports, registered ports, and dynamic/private ports. Well-known ports are those from 0 to 1023, registered ports are those from 1024 to 49151, and dynamic/private ports are those from 49152 to 65535.

prependers A virus type that adds the virus code to the beginning of existing executables.

preventive controls Controls that reduce risk and are used to prevent undesirable events from happening.

probability The likelihood of an event happening.

procedure A detailed, in-depth, step-by-step document that lays out exactly what is to be done and how it is to be accomplished.

promiscuous mode Mode in which a network adapter examines all traffic, unlike normal mode, in which it examines only traffic that matches its address. Promiscuous mode enables a single device to intercept and read all packets that arrive at the interface in their entirety; these packets may or may not have been destined for this particular target.

proxy server A type of firewall that intercepts all requests to the real server to see whether it can fulfill the requests itself. If not, it forwards the request to the real server. Proxy servers are used to improve performance and add security.

public key infrastructure (PKI) Infrastructure used to facilitate e-commerce and build trust. PKI is composed of hardware, software, people, policies, and procedures; it is used to create, manage, store, distribute, and revoke public key certificates. PKI is based on public-key cryptography.

Q

qualitative analysis An evaluation and analysis based on a weighting or criticality factor valuation as part of the evaluation or analysis.

qualitative assessment An analysis of risk that places the probability results into terms such as none, low, medium, and high.

quantitative analysis A numeric evaluation and analysis based on monetary or dollar valuation as part of the evaluation or analysis.

quantitative risk assessment A methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized.

R

RAM resident infection A type of virus that spreads through RAM.

ransomware A type of malware that encrypts all files until a payment is made.

red team A group of ethical hackers who help organizations to explore network and system vulnerabilities by means of penetration testing.

redundant array of independent disks (RAID) A type of fault tolerance and performance improvement for disk drives that employs two or more drives in combination.

Rijndael A symmetric encryption algorithm chosen to be the Advanced Encryption Standard (AES).

risk The exposure or potential for loss or damage to IT assets within an IT infrastructure.

risk acceptance An informed decision to suffer the consequences of likely events.

risk assessment A process for evaluating the exposure or potential loss or damage to the IT and data assets for an organization.

risk avoidance A decision to take action to avoid a risk.

risk management The overall responsibility and management of risk within an organization. Risk management is the responsibility and dissemination of roles, responsibilities, and accountabilities for risk in an organization.

risk transference Shifting the responsibility or burden to another party or individual.

rogue access point An 802.11 access point that has been set up by an attacker for the purpose of diverting traffic of legitimate users so that it can be sniffed or manipulated.

role-based access control (RBAC) A type of discretionary access control in which users are placed into groups to facilitate management. This type of access control is widely used by Microsoft Active Directory, Oracle Database, and SAP ECC.

Routing Information Protocol (RIP) A widely used distance-vector protocol that determines the best route by hop count.

RSA Algorithm (RSA) An ubiquitous, asymmetric algorithm created by Dr Ronald Rivest, Dr. Adi Shamir, and Dr. Leonard Adleman.

rule-based access control A type of mandatory access control that matches objects to subjects. It dynamically assigns roles to subjects based on their attributes and a set of rules defined by a security policy.

S

script kiddie The lowest form of cracker who looks for easy targets or well-worn vulnerabilities.

security breach or security incident The result of a threat or vulnerability being exploited by an attacker.

security by obscurity The controversial and ill-advised use of secrecy to ensure security.

security controls Policies, standards, procedures, and guideline definitions for various security control areas or topics.

security countermeasure A security hardware or software technology solution that is deployed to ensure the confidentiality, integrity, and availability of IT assets that need protection.

security defect Usually an unidentified and undocumented deficiency in a product or piece of software that ultimately results in a security vulnerability being identified.

security incident response team (SIRT) A team of professionals who usually encompass Human Resources, Legal, IT, and IT Security to appropriately respond to critical, major, and minor security breaches and security incidents that the organization encounters.

security information and event management (SIEM) A combination of two previous technologies: security information management and security event management. This technology is used to provide real-time analysis of security logs generated in real time and includes a centralized location to store and process logs.

security kernel A combination of software, hardware, and firmware that makes up the trusted computer base (TCB). The TCB mediates all access, must be verifiable as correct, and is protected from modification.

security workflow definition A flowchart that defines the communications, checks and balances, and domain of responsibility and accountability for the organization’s IT and IT security staff in the context of a defense-in-depth, layered approach to information security roles, tasks, responsibilities, and accountabilities.

separation of duties Defines the roles, tasks, responsibilities, and accountabilities for information security uniquely for the different duties of the IT staff and IT security staff.

service level agreement (SLA) A contractual agreement between an organization and its service provider. An SLA protects the organization with regard to holding the service provider accountable for the requirements as defined in the SLA.

service-oriented architecture A methodology used to build an architecture that is based on the use of services.

service set ID (SSID) A sequence of up to 32 letters or numbers that is the ID, or name, of a wireless local-area network and is used to differentiate networks.

session splicing Used to avoid detection by an intrusion detection system (IDS) by sending parts of the request in different packets.

SHA-1 A hashing algorithm that produces a 160-bit output. SHA-1 was designed by the National Security Agency (NSA) and is defined in RFC 3174.

sheep dip The process of scanning for viruses on a standalone computer.

shoulder surfing The act of looking over someone’s shoulder to steal the person’s password, phone PIN, card number, or other type of information.

signature scanning One of the most basic ways of scanning for computer viruses; compares suspect files and programs to signatures of known viruses stored in a database.

Simple Network Management Protocol (SNMP) An application layer protocol that facilitates the exchange of management information between network devices. The first version of SNMP, v1, uses well-known community strings of public and private. Version 3 offers encryption.

single loss expectancy (SLE) An example of a quantitative risk assessment formula used to assess the single loss of an event. It is computed by the SLE = asset value (AV) times the exposure factor (EF).

site survey The process of determining the optimum placement of wireless access points. The objective of the site survey is to create an accurate wireless system design/layout and budgetary quote.

smurf attack A distributed denial of service (DDoS) attack in which an attacker transmits large amounts of Internet Control Message Protocol (ICMP) echo request (ping) packets to a targeted IP destination device using the targeted destination’s IP source address. This is called spoofing the IP source address. IP routers and other IP devices that respond to broadcasts will respond to the targeted IP device with ICMP echo replies, which multiplies the amount of bogus traffic.

sniffer A hardware or software device that can be used to intercept and decode network traffic.

social engineering The practice of tricking people into revealing sensitive data about their computer system or infrastructure. This type of attack targets people and is the art of human manipulation. Even when systems are physically well protected, social engineering attacks are possible.

Software as a Service (SaaS) A cloud-based service in which software or an application is hosted and maintained on a service provider’s systems. All that is needed is the customer data.

software bug or software flaw An error in software coding or its design that can result in software vulnerability.

software vulnerability standard A standard that accompanies an organization’s vulnerability assessment and management policy. This standard typically defines the organization’s vulnerability window and how the organization is to provide software vulnerability management and software patch management throughout the enterprise.

spamming The use of any electronic communications medium to send unsolicited messages in bulk. Spamming is a major irritation of the Internet era.

spoofing The act of masking your identity and pretending to be someone else or another device. Common spoofing methods include Address Resolution Protocol (ARP), Domain Name Server (DNS), and Internet Protocol (IP). Spoofing is also implemented by email in phishing schemes.

spyware Any software application that covertly gathers information about a user’s Internet usage and activity and then exploits this information by sending adware and pop-up ads similar in nature to the user’s Internet usage history.

stateful inspection An advanced firewall architecture that works at the network layer and keeps track of packet activity. Stateful inspection has the capability to keep track of the state of the connection. For example, if a Domain Name Service (DNS) reply is being sent into the network, stateful inspection can check to see whether a DNS request had previously been sent, because replies only follow requests. Should evidence of a request not be found by stateful inspection, the device will know that the DNS packet should not be allowed in and is potentially malicious.

static analysis The analysis of software that is performed without actually executing programs. Static analysis is different from dynamic analysis, which is analysis performed on programs while they are “running” or executing. Static analysis makes use of disassemblers and decompilers to format the data into a human-readable format. It is also a technique used in malware analysis.

steganography A cryptographic method of hiding the existence of a message. A commonly used form of steganography places information in pictures.

stream cipher Encrypts data typically 1 bit or 1 byte at a time.

symmetric algorithm Both parties use the same cryptographic key.

symmetric encryption An encryption standard requiring that all parties have a copy of a shared key. A single key is used for both encryption and decryption.

SYN flood attack A distributed denial of service (DDoS) attack in which the attacker sends a succession of SYN packets with a spoofed address to a targeted destination IP device but does not send the last ACK packet to acknowledge and confirm receipt. This leaves half-open connections between the client and the server until all resources are absorbed, rendering the server or targeted IP destination device unavailable because of resource allocation to this attack.

synchronize sequence number Initially passed to the other party at the start of the three-way TCP handshake. It is used to track the movement of data between parties. Every byte of data sent over a TCP connection has a sequence number.

T

target of evaluation (TOE) Term developed for use with Common Criteria and used by EC-Council to define the target of the assessment or pen test.

TCP handshake A three-step process computers go through when negotiating a connection with one another. The process is a target of attackers and others with malicious intent.

threat Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.

Time To Live (TTL) A counter used within an IP packet that specifies the maximum number of hops that a packet can traverse. After a TTL is decremented to 0, a packet expires.

Tini A small Trojan program that listens on port 777.

traceroute A way of tracing hops or computers between the source and target computer you are trying to reach. Identifies the path the packets are taking.

Transmission Control Protocol (TCP) One of the main protocols of the TCP/IP protocol suite, used for reliability and guaranteed delivery of data.

trapdoor function A function that is easy to compute in one direction but difficult to compute in the opposite direction. Trapdoor functions are useful in asymmetric encryption and are included in algorithms such as RSA and Diffie-Hellman.

Trojan A program disguised as legitimate software but designed to covertly do something malicious or nefarious.

trusted computer base (TCB) All the protection mechanisms within a computer system. This includes hardware, firmware, and software responsible for enforcing a security policy.

Trusted Computer System Evaluation Criteria (TCSEC) Also called the Orange Book, a system designed by the Department of Defense (DoD) to evaluate standalone systems. It places systems into one of four levels: A, B, C, or D. Its basis of measurement is confidentiality.

tumbling The process of rolling through various electronic serial numbers on a cell phone to attempt to find a valid set to use.

U

uber hacker An expert and dedicated computer hacker.

uniform resource locator (URL) The global address on the Internet and World Wide Web in which domain names are used to resolve IP addresses.

User Datagram Protocol (UDP) A connectionless protocol that provides few error-recovery services but offers a quick and direct way to send and receive datagrams.

V

vandalism The willful destruction of property.

virtual private network (VPN) A private network that uses a public network to connect remote sites and users.

virus A computer program with the capability to generate copies of itself and thereby spread. Viruses require the interaction of an individual to activate and can have rather benign results, such as flashing a message to the screen, or rather malicious results that destroy data, systems, integrity, or availability.

virus hoax An email chain letter designed to trick the recipient into forwarding it to many other people to warn them of a virus that does not exist. The Good Times virus is an example.

vulnerability The absence or weakness of a safeguard in an asset.

vulnerability assessment A methodical evaluation of an organization’s IT weaknesses of infrastructure components and assets and how those weaknesses can be mitigated through proper security controls and recommendations to remediate exposure to risks, threats, and vulnerabilities.

vulnerability management The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through dissemination of duties throughout the IT organization.

W–Z

war chalking The act of marking on the wall or sidewalk near a building to indicate that wireless access is present.

war dialing The process of using a software program to automatically call thousands of telephone numbers to look for anyone who has a modem attached.

war driving The process of driving around a neighborhood or area using a wireless NIC, GPS, and mapping software to identify wireless access points.

warm site An alternative computer facility that is partially configured and can be made ready in a few days.

white box testing A security assessment or penetration test in which all aspects of the network are known.

Whois An Internet utility that returns information about the domain name and IP address.

Wi-Fi Protected Access (WPA) A security standard for wireless networks designed to be more secure than Wired Equivalent Privacy (WEP) and used as an interim replacement until WPA2 was released.

Wired Equivalent Privacy (WEP) Based on the RC4 encryption scheme and designed to provide the same level of security as that of a wired LAN. Because of 40-bit encryption and problems with the initialization vector, it was found to be insecure.

worm A self-replicating program that spreads by inserting copies of itself into other executable codes, programs, or documents. Worms typically flood a network with traffic and result in a denial of service.

wrapper A type of program used to bind a Trojan program to a legitimate program. The objective is to trick the user into running the wrapped program and installing the Trojan.

written authorization One of the most important parts of the ethical hack. It gives you permission to perform the tests that have been agreed on by the client.

zone transfer The mechanism used by Domain Name Service (DNS) servers to update each other by transferring a resource record. It should be a controlled process between two DNS servers but is something that hackers will attempt to perform to steal the organization’s DNS information. It can be used to map the network devices.