
Glossary of Key Terms

802.1x Port or portal authentication. A mechanism commonly used by network devices, such as firewalls, routers, switches, and wireless access points, to perform authentication of users before allowing communication to continue across or through the device. The authentication can take place locally on the device or be delegated to an authentication service, such as a credit card payment system, PKI, or directory service.

A

Access control The process or mechanism of granting or denying use of a resource; typically applied to users or generic network traffic.

Acceptable use policy (AUP) The structured document that outlines what users are permitted to do and view when using company equipment and computers.

Access control list (ACL) Mechanism defining traffic or an event to apply an authorization control of allow or deny against. Often used interchangeably with the terms rule and filter in relation to firewalls. An ACL focuses on controlling a specific user or client’s access to a protocol or port.

Active hub A device that consolidates wiring so that a single cable can attach to a server and includes the capability to regenerate the signal to decrease latency and increase the distance the signal can be sent.

Active threat A form of threat that takes some type of initiative to seek out a target to compromise. These can be hackers, intruders, or automated worms. In any case, an active threat seeks out vulnerable targets. If you do not have reasonable security measures and the active threat discovers your system, you might be at risk for a compromise.

Advanced persistent threat (APT) A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The purpose of such an attack is to steal data, not to damage the network or organization. Sectors with high-value information, such as national defense, manufacturing, and the financial industry, are commonly the target of such attacks.

Adware Unwanted software that displays advertisements. Often linked with spyware.

Agent A malicious software program distributed by a hacker to take over control of a victim’s computers. Also known as a bot or a zombie. Agents are commonly used to construct botnets.

Aggregation Collecting disparate log information from various systems and locations into one location.

Alert A notification from a firewall that a specific event or packet was detected. Alerts notify administrators of events that may need real-time human response or attention.

Algorithm A set of rules and procedures, usually mathematical in nature. Algorithms can define how the encryption and decryption processes operate. Often very complex, many algorithms are publicly known; anyone can investigate and analyze the strengths and weaknesses of an algorithm.

Alternate data stream (ADS) A feature added to the NTFS file system to support files from POSIX, OS/2, and Macintosh. ADS supports multiple resource forks for file objects. Hackers use ADS to hide files.

Annualized loss expectancy (ALE) The calculation of the total loss potential across a year for a given asset and a specific threat. ALE calculations are part of risk assessment. ALE = SLE × ARO.

Annualized rate of occurrence (ARO) A probability prediction, based on statistics and historical occurrences, of how many times a threat is likely to cause harm in the next year. ARO is used in the ALE calculation.

Anomaly-based detection A form of intrusion detection system/intrusion prevention system (IDS/IPS) based on a defined normal, often defined using rules similar to firewall rules. All traffic or events that fail to match defined normal are considered anomalies and potentially malicious.

Anonymity The ability for a network or system user to remain unknown. A number of tools and techniques provide anonymity when connected to a network, although the underlying network protocols make true anonymity very difficult.

Anti-forensics A series of tools and techniques used to prevent forensic examination from identifying an attack or attacker.

Antivirus scanner A software program that identifies the unique characteristics of malware (known as a virus signature) to detect and prevent infection of computer components.

Appliance A hardware product that is dedicated to a single primary function. The operating system or firmware of the hardware device is hardened, and its use is limited to directly and exclusively supporting the intended function. Firewalls, routers, and switches are typical appliances.

Appliance firewall A hardened hardware firewall.

Application firewall A type of firewall that filters on a specific application’s content and session information.

Application gateway See application firewall.

Application Layer (Layer 7) The top or seventh layer of the OSI model. This layer is responsible for enabling communications with host software, including the operating system. The Application Layer is the interface between host software and the network protocol stack. The subprotocols of this layer support specific applications or types of data.

Application proxy See application firewall.

Arbitrary code execution An exploit that allows a hacker to run any command line function on a compromised system. Buffer overflow attacks and SQL injection attacks can often allow arbitrary code execution.

ARP spoofing The falsification of ARP replies to trick the requestor into sending frames to a system other than its intended destination.

Asset Anything you use in a business process to accomplish a business task.

Asset value (AV) The cumulative value of an asset based on both tangible and intangible values. AV supports the SLE calculation.

Asymmetric cryptography A means of encoding and decoding information using related but different keys for each process. A key used to encode cannot decode, and vice versa. Cryptography is based on algorithms that use either key pairs or some other special mathematical mechanism. Asymmetric cryptography that uses key pairs is commonly known as public key cryptography. Different keys serve different purposes. Different keys are used by different members of the communication session. Some systems use something different from keys altogether.

Attack surface Portions of a software system that unauthenticated users can run.

Attacking The act of targeting a computer or network and using available means to gain information or access to the system.

Auditing Act of conducting an audit. Auditing can be the action of a system that is recording user activity and system events into an audit log. Auditing can also be the action of an auditor who checks for compliance with security policies and other regulations.

Auditor Either an outside consultant or an internal member of the information technology staff. The auditor performs security audits, confirms that auditing is sufficient, and investigates audit trails produced by system auditing. In the case of regulatory compliance, auditors should be external and independent of the organization under audit.

Authentication The process of confirming the identity of a user. Also known as logon.

Authentication, authorization, and accounting (AAA) Programs used to control access to computer resources, enforce policies, audit usage, and provide billing information. Examples include RADIUS, TACACS, 802.1x, LDAP, and Active Directory.

Authentication Header (AH) A protocol that provides integrity protection for packet headers and data, as well as user authentication.

Authenticity The security service of the combination of authentication and access control (authorization) that provides either the identity of the sender of a message or controls who is the receiver of a message.

Authorization Defining what users are allowed and not allowed to do; also known as access control.

Availability When a system is usable for its intended purpose. The security service that supports access to resources in a timely manner. If availability becomes compromised, a denial of service is taking place.

Avalanche effect A common feature of hash algorithms. This effect ensures that small changes in the input data produce large changes in the outputted hash value. A single binary digit change in a file should produce a clearly recognizable difference in the resultant hash value.

B

Backdoor Unauthorized access to a system. A backdoor is any access method or pathway that circumvents access or authentication mechanisms.

Backup The process of making copies of data onto other storage media. The purpose of a backup is to protect against data loss by having additional on-site or off-site copies of data that can be restored when necessary.

Banner A message sent by a service in response to a valid or invalid query. A banner can confirm that communication is functioning properly or announce an error. Some banners disclose the product name and version number of the service.

Banner grabbing The act of capturing or extracting banners from services. Hackers often perform banner grabbing after port scanning to learn which service is active on a port.

Bastion host A firewall positioned at the initial entry point where a network interfaces with the Internet. It serves as the first line of defense for the network; also known as a sacrificial host.

Bastion host OS A system designed, built, and deployed specifically to serve as a frontline defense for a network.

Behavioral-based detection A form of IDS/IPS detection based on a recording of real-world traffic as a baseline for normal. All traffic or events that fail to match the normal baselines are considered abnormal and potentially malicious.

Bidirectional A type of ring topology that requires two connections to each device to provide redundancy.

Blacklist A type of filtering in which all activities or entities are permitted, except for those on the blacklist; also known as a block list.

Border sentry A description often applied to firewalls positioned on network zone transitions or gateway locations.

Bot A malicious software program distributed by hackers to take over control of victims’ computers. Also known as agent or zombie. Bots are commonly used to construct botnets.

Botnet A compromised system controlled by a hacker.

Botnet army A network of zombie/bot/agent–compromised systems controlled by a hacker.

Bottleneck Any restriction on the performance of a system. Can be caused by a slower component or a pathway with insufficient throughput. A bottleneck causes other components of the system to work slower than their optimum rate.

Breach Any compromise of security. Any violation of a restriction or rule whether caused by an authorized user or an unauthorized outsider.

Bricking The process of making a device nonfunctional, either intentionally or unintentionally (such as when applying a patch that goes bad).

Bridge A network device that forwards traffic between networks based on the MAC address of the Ethernet frame. A bridge forwards only packets whose destination address is on the opposing network.

Bring Your Own Device (BYOD) A policy of allowing or even encouraging employees, contractors, and others to connect their own computers, smartphones, and other devices to their organization’s networks. BYOD can save expenses and afford employees more autonomy, but it can also compromise security.

Brouter A device that combines a bridge and a router. Also known as a bridging router.

Brute-force password attack A form of password or encryption key cracking attack that tries all possible valid combinations from a defined set of possibilities (e.g., a set of characters or hex values). Brute-force attacks will eventually generate a valid solution given enough time, assuming the hacker uses the correct set of possibilities.

Buffer A memory area that is designated to receive input for processing.

Buffer overflow A condition in which a memory buffer exceeds its capacity and extends its contents into adjacent memory; often used as an attack against poor programming techniques or poor software quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash.

Bump-in-the-stack A term for a firewall that is implemented via software.

Bump-in-the-wire A term for a firewall that is a separate hardware implementation.

Bus topology A linear arrangement of computers and peripherals.

Business continuity plan A plan to maintain the mission-critical functions of the organization in the event of a problem that threatens to take business processes offline. The goal of business continuity planning is to prevent the interruption of business tasks, even with a damaged environment and reduced resources.

Business task Any activity necessary to meet an organization’s long-term goals. Business tasks are assigned to employees and other authorized personnel via their job descriptions.

Bypass deployment A configuration deploying a VPN without a firewall to filter traffic to the VPN.

C

Caching Retention of Internet content by a proxy server. After one internal client retrieves the content, the proxy can provide it to subsequent internal requesters without retrieving the same content from the Internet repeatedly.

California Consumer Privacy Act (CCPA) Legislation that went into effect January 2020 requiring companies to protect consumer information stored on their systems.

Centralized logging system A technique of storing or copying log events to a centralized logging server. This mechanism is used to create a redundant copy of all log files in a single warehousing location. A common example of this is syslog.

Certificate Authority (CA) A trusted third-party entity that issues digital certificates to verify and validate identities of people, organizations, systems, and networks digitally.

Change management A process for managing and tracking changes to systems or network configurations.

Channel A communication pathway, circuit, or frequency dedicated or reserved for a specific transmission.

Chip creep The slow movement of a chip out of its socket or solder points because of expansion and contraction caused by extreme temperature fluctuations.

Chokepoint Similar to a bottleneck, but deliberately created within a network infrastructure. A chokepoint is a controlled pathway through which all traffic must cross. At this point, filtering to block unwanted communication or monitoring can occur.

Ciphertext The seemingly random and unusable output from a cryptographic function applied to original data. Ciphertext is the result of encryption. Decryption converts ciphertext back into plaintext.

Circuit A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a session or a state.

Circuit firewall A filtering device that allows or denies the initial creation of a circuit, session, or state, but performs no subsequent filtering on the circuit once established.

Circuit proxy See circuit firewall.

Client A host on a network. A client is the computer system that supports user interaction with the network. Users employ a client to access resources from the network. The term client also refers generically to any hardware or software product used to access a resource. For example, standard e-mail software is a client.

Client/server network A form of network where certain computers are designated as “servers” to host resources shared with the network. The remaining computers are designated as “clients” to enable users to access shared resources. Most client/server networks employ directory services and single sign-on. Also known as a domain.

Client-to-server VPN A VPN created between a client and a server either within the same local network or across a WAN link or intermediary network to support secure client interaction with the services of a resource host. Also known as a host-to-host VPN.

Clipper chip A chipset developed and promoted by the U.S. government as an encryption device to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and was discontinued in 1996.

Closed source A type of software product that is precompiled and whose source code is undisclosed.

Cluster A logical division of data composed of one or more sectors on a hard drive. A cluster is the smallest addressable unit of drive storage, usually 512, 1,024, 2,048, or 4,096 bytes, depending on the logical volume size.

Cold calling A tactic of pursuing and extracting information for the purpose of making a sale or performing a social engineering attack. A cold call presupposes little or no knowledge of the person answering the phone. It requires the caller to be able to pick up on vocal and word clues, be knowledgeable about human nature, and adapt quickly to changes in conversation.

Command shell A software interface with a system that allows code execution. A command shell is often the focus of an attack. If a hacker gains access to a command shell, he or she can perform arbitrary code execution. Also known as a terminal window or a command prompt. For example, in Windows, the command shell prompt is usually “C:\>”.

Commercial firewall A firewall product designed for larger networks. Usually, a commercial firewall is a hardware device.

Common Gateway Interface (CGI) script The Common Gateway Interface (CGI) is a standard that defines how web server software can delegate the generation of webpages to a console application. Such applications are known as CGI scripts. They can be written in many programming languages, although scripting languages are often used.

Compliance Ensuring adherence to applicable laws or regulatory requirements.

Compliance audit A detailed and thorough review of the deployed security infrastructure compared with the organization’s security policy and any applicable laws and regulations.

Compression Removal of redundant or superfluous data or space to reduce the size of a data set. Compression consumes less storage space and increases the speed of data transmission.

Concentrator See smart hub.

Confidentiality The security service of preventing access to resources by unauthorized users, while supporting access to authorized users.

Containment Isolation of traffic or communication to prevent further escalation.

Content filtering A form of filtering that focuses on traffic content. Application proxies perform most content filtering.

Contract worker An outsider brought into an organization to work on a temporary basis. Contracted workers can be consultants, temporary workers, seasonal workers, contractors, or even day laborers. Contracted workers potentially represent a greater risk than regular, full-time employees because they might lack loyalty, not see the company as worthy of protection, might not be accountable after a project ends, and so on.

Cookie filter A cookie is a small text file used by web browsers and servers to track web sessions. A cookie filter blocks the sending and receiving of cookies. Blocking cookies can reduce some threats of session tracking and identity theft, but can also disable many web-based services, such as online purchasing.

Corporate firewall An appliance firewall placed on the border or edge of an organization’s network.

Correlation A relationship between log files using statistical measures.

Cost/benefit analysis The final equation of risk analysis to assess the relative benefit of a countermeasure against the potential annual loss of a given asset exposed to a specific threat.

Countermeasure An action undertaken to minimize a threat or thwart progression of a negative event.

Covert channel An unknown, secret pathway of communication. Covert channels can be timing or storage-based.

Cross-site scripting (XSS) The malicious insertion of scripting code onto a vulnerable website. The results of an XSS attack can include the corruption of the data on the website or identity theft of the site’s visitors.

Cryptography The art and science of hiding information from unauthorized third parties. Cryptography is divided into two main categories: encryption and decryption.

Customer premise equipment (CPE) A customer premise equipment–based VPN. This VPN is also known as a VPN appliance.

D

Data analytics Statistics and other tools used to apply understanding to data such as log files.

Data leakage prevention (DLP) A distributed data protection technology that leverages deep analysis, context evaluation, and rules configured from a central console to ensure that confidential information remains secure while in use, in transit, and at rest.

Data Link Layer (Layer 2) The second layer of the OSI model responsible for physical addressing (MAC addresses) and supporting the network topology, such as Ethernet.

Data sovereignty Data is subject to the laws of the country where it is stored.

Database-based detection A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events. All traffic or events that match an item in the database are considered abnormal and potentially malicious. Also known as signature, knowledge, and pattern-matching based detection.

DDoS mitigator A device that inspects traffic entering a network.

Dead-man switch A form of auto-initiation switch that triggers when the ongoing prevention mechanism fails. Common dead-man switches include firewalls and hand grenades. If the firewall stops functioning, the connection is severed. If a person dies while holding a live grenade, the safety latch opens and the grenade explodes.

Decryption The process of converting ciphertext back into plaintext.

Dedicated connection A network connection that is always on and available for immediate transmission of data. Most leased lines are dedicated connections.

Dedicated leased line See dedicated connection and leased line.

Deduplication Elimination of duplicate notifications pertaining to the same incident or device rule when aggregating logs from several devices.

De-encapsulation The action of processing the contents of a header, removing that header, and sending the remaining payload up to the appropriate protocol in the next higher layer in the OSI model.

Default allow A security stance that allows all communications except those prohibited by specific deny exceptions; also known as allow by default.

Default deny A security stance that blocks all access to all resources until a valid authorized explicit exception is defined.

Defense in depth A tactic of protection involving multiple layers or levels of security components. Based on the idea that multiple protections create a cumulative effect that will require an attacker to breach all layers, not just one.

Demilitarized zone (DMZ) A type of perimeter network used to host resources designated as accessible by the public from the Internet.

Denial of service (DoS) attack A form of attack that attempts to compromise availability. DoS attacks are usually of two types: flaw exploitation and flooding. DDoS (distributed denial of service) often involves the distribution of robots, zombies, or agents to thousands or millions of systems that are then used to launch a DoS attack against a primary target.

Deny by default/allow by exception A security stance that prevents all communications, except those enabled by specific allow exceptions. Also known as default deny.

Desktop virtualization Separates the personal computer environment from the physical machine by using a client/server model.

Detection Identification of breach attempts prior to, during, or after access.

Deterrence The use of security to make a target less appealing.

Deterrent A form of security defense that focuses on discouraging a perpetrator with disincentives such as physical harm, social disgrace, or legal consequences. A deterrent can also be a defense that is complex or difficult to overcome, such as strong encryption, multifactor authentication, or stateful inspection filtering.

Dialer A rogue program that automatically dials a modem to a predefined number. Sometimes this is to auto-download additional malware to the victim or to upload stolen data from the victim. In other cases, the dialer calls premium rate telephone numbers to rack up massive long-distance charges.

Dictionary password attack A form of password or encryption key-cracking attack that uses a preconstructed list of potential passwords or encryption keys.

Digital certificate An electronic proof of identity issued by a certificate authority (CA). A digital certificate is an entity’s public key encoded by the CA’s private key.

Digital envelope A secure communication based on public key cryptography that encodes a message or data with the public key of the intended recipient.

Digital signature A public key cryptography–based mechanism for proving the source (and possibly integrity) of a signed dataset or message. A digital signature uses the private key of a sender. Not the same as a “digitized signature,” which is a digital image of handwriting.

Direct Access A Microsoft solution that can be used as an alternative to a traditional VPN.

Directory service A network service that maintains a searchable index or database of network hosts and shared resources. Often based on a Domain Name System (DNS). An essential service of large networks.

Disaster recovery plan A plan to restore the mission-critical functions of the organization once they have been interrupted by an adverse event. The goal of disaster recovery planning is to return the business to functional operation within a limited time to prevent the failure of the organization due to the incident.

Disgruntled employee A worker who feels wronged by his or her employer and who may take malicious, unethical, potentially illegal actions to exact revenge on the organization.

Distributed denial of service (DDoS) attack An attack that uses multiple remotely controlled software agents disseminated across the Internet. Because the denial of service attack comes from multiple machines simultaneously, it is “distributed.” DDoS attacks can include flooding, spam, eavesdropping, interception, MitM, session hijacking, spoofing, packet manipulation, distribution of malware, hosting phishing sites, stealing passwords, cracking encryption, and more.

Distributed LAN A LAN whose components are in multiple places that are interconnected by WAN VPN links.

Diversity of defense An approach to security similar to defense in depth, in that it supports multiple layers; it is unlike it, in that it uses a different security mechanism at each, or most, of the layers.

DNS poisoning A form of exploitation in which the data on a DNS server is falsified so subsequent responses to DNS resolution queries are incorrect. DNS poisoning can wage man-in-the-middle attacks.

DNS spoofing A form of exploitation in which an unauthorized or rogue DNS server responds to DNS queries with false, spoofed resolutions. DNS spoofing can wage man-in-the-middle attacks.

Domain A client/server network managed by a directory service.

Domain Name System (DNS) A network service that resolves fully qualified domain names (FQDNs) into their corresponding IP address. DNS is an essential service of most networks and their directory services.

Domain registration The information related to the owners and managers of a domain name, accessed through domain registrars’ websites and whois lookups. A domain registration might include a physical address, people’s names, e-mail addresses, and phone numbers. This information is useful in waging social engineering attacks.

Downtime Any planned or unplanned period when a network service or resource is not available. Downtime can be caused by attack, hardware failure, or scheduled maintenance. Most organizations strive to minimize downtime through security and system management.

Dual-homed firewall A firewall that has two network interfaces. Each network interface is located in a unique network segment. This allows for true isolation of the segments and forces the firewall to filter all traffic moving from one segment to another.

Dumb hub See hub.

Dumpster diving A type of reconnaissance in which an attacker examines an organization’s trash or other discarded items to learn internal or private information. The results of dumpster diving are often used to wage social engineering attacks.

Dynamic packet filtering The process of automatically creating temporary filters. In most cases, the filters allow inbound responses to previous outbound requests. Also called stateful inspection.

E

Eavesdropping The act of listening in on digital or audio conversations. Network eavesdropping usually requires a sniffer, protocol analyzer, or packet-capturing utility. Eavesdropping may be able to access unencrypted communication, depending on where it occurs.

Edge router A router positioned on the edge of a private network. Usually an edge router is the last device owned and controlled by an organization before an ISP or telco connection.

Education The third and highest level of obtaining security knowledge that leads to career advancement. Security education is broad and not necessarily focused on specific job tasks or assignments. More rigorous than awareness or training.

Egress filtering Filtering traffic as it attempts to leave a network, which can include monitoring for spoofed addresses, malformed packets, unauthorized ports and protocols, and blocked destinations.

Electronic Privacy Information Center (EPIC) A public interest research group in Washington, D.C., established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and Constitutional values in the information age. It pursues a wide range of activities, including privacy research, public education, conferences, litigation, publications, and advocacy. It maintains two of the world’s most popular privacy sites—epic.org and privacy.org—and publishes the online EPIC Alert every two weeks with information about emerging privacy and civil liberties issues.

Electrostatic discharge (ESD) Static-electric discharge that can damage equipment.

Encapsulating Security Payload (ESP) The second core IPSec security protocol; it can perform authentication to provide integrity protection, although not for the outermost IP header.

Encapsulation The process of enclosing or encasing one protocol or packet inside another protocol or packet. Also known as “tunneling.” Encapsulation allows for communications to cross intermediary networks that might be incompatible with the original protocol. Encapsulation is distinct from encryption, but many encapsulation protocols include encryption.

Encryption The process of converting original data into a chaotic and unusable form to protect it from unauthorized third parties. Decryption returns the data back to its original, usable form.

Encryption key The mathematical formula solution that will decrypt a file.

Enumeration The process of discovering sufficient details about a potential target to learn about network or system vulnerabilities. Enumeration often starts with operating system identification, followed by application identification, then extraction of information from discovered services.

Eradication Fixing vulnerabilities. Usually performed during recovery.

Ethical hacking Also known as penetration testing, the application of hacking techniques with good intentions.

Exploit An attack tool, method, or technique a hacker uses to take advantage of a known vulnerability or flaw in a target system.

Exposure factor (EF) The potential amount of harm from a specific threat stated as a percentage. Used in the calculation of SLE.

Extranet A type of perimeter network used to host resources designated as accessible to a limited group of external entities, such as business partners or suppliers, but not by the public. Often, access to an extranet requires the use of a virtual private network or VPN, especially when access originates from the Internet.

Extranet VPN A VPN used to grant outside entities access into a perimeter network; used to host resources designated as accessible to a limited group of external entities, such as business partners or suppliers, but not the general public.

F

Fail-closed A failure response resulting in no access as the device or port is closed.

Fail-open A failure response resulting in open and unrestricted access or communication.

Fail-safe A failure response resulting in a secured or safe level of access or communication.

Fail-secure A failure response resulting in a secured or safe level of access or communication.

Fair queuing A technique of load balancing that operates by sending the next transaction to the firewall with the least current workload.

Fallback attack The process of using alternate attacks when the initial attack fails to provide access to a system or network.

False negative An event that does not trigger an alarm but should have, due to the traffic or event actually being abnormal and/or malicious. This is the unwanted nondetection of a malicious event.

False positive An event that triggers an alarm but should not have, due to the traffic or event actually being benign. This is the unwanted false alarm that wastes time and resources pursuing a nonmalicious event.

Family Educational Rights and Privacy Act (FERPA) A federal law that protects the privacy of student information.

File encryption A form of security protection that protects individual files by scrambling the contents in such a way as to render them unusable by unauthorized third parties.

File Transfer Protocol (FTP) A protocol and a data exchange system commonly used over TCP/IP networks, including the Internet, but which is unencrypted and performs authentication and data transfer in plaintext.

Filter A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic. A filter expresses the intention to block or deny unwanted items of concern. Also known as a rule or ACL.

Filtering The process of inspecting content against a set of rules or restrictions to enforce allow-and-deny operations on that content. Firewalls and other security components use filtering.

Firewalking A hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic.

Firewall A network security device or host software that filters communications, usually network traffic, based on a set of predefined rules. Unwanted content is denied, and authorized content is allowed. Also known as a sentry device.

Flaw exploitation attack A form of DoS that uses a software-specific exploit to cause the interruption of availability. Once you apply the appropriate patch, the system is no longer vulnerable to this particular exploit.

Flooding An attack, usually resulting in a DoS, in which hackers direct massive amounts of traffic toward a target to fully consume available bandwidth or processing capabilities.

Footprinting The act of researching and uncovering information about a potential attack target; also known as reconnaissance.

Fragmentation This occurs when a dataset is too large for the maximum supported size of a communication container, such as a segment, packet, or frame. The original dataset divides into multiple sections or fragments for transmission across the size-limited medium, then reassembles on the receiving end. Fragmentation can sometimes corrupt or damage data or allow outsiders to smuggle malicious content past network filters.

Fragmentation attack An attack based on the abuse of fragmentation.

Frame The collection of data at the Data Link Layer (Layer 2) of the OSI model, defined by the Ethernet IEEE 802.3 standard, that consists of a payload from the Network Layer (Layer 3) to which an Ethernet header and footer have been attached.

Fully qualified domain name (FQDN) A complete Internet host name including a top-level domain name, a registered domain name, possibly one or more subdomain names, and a host name. Examples include: www.itttech.edu and maps.google.com. DNS is used to resolve FQDNs into IP addresses.

Fuzzing tool A hacking and testing utility that uses a brute force technique to craft packets and other forms of input directed toward the target. Fuzzing tools place stress on a system, pushing it to react improperly, to fail, or to reveal unknown vulnerabilities.

G

Gateway An entrance or exit point to a controlled space. A firewall is often positioned at a gateway of a network to block unwanted traffic.

Gateway-to-gateway VPN A VPN model used to connect offices together, such as a main office and a remote office. It is also referred to as a site-to-site VPN.

General-purpose OS An operating system such as Windows, Linux, Mac OS, or UNIX, which can support a wide variety of purposes and functions, but which, when used as a bastion host OS, must be hardened and locked down.

General Data Protection Regulation (GDPR) A European Union regulation to protect citizens’ privacy and information.

Governance, risk, and compliance (GRC) A concept of applying security technologies in alignment with law and regulatory requirements.

Gramm-Leach-Bliley Act (GLBA) Legal regulation concerning financial institutions to protect customer information.

Graphical user interface (GUI) An interface using icons (pictures) instead of menus.

H

Hacker A person who performs hacking. Modern use of this term now implies malicious or criminal intent by the hacker, although criminals are more correctly known as “crackers.” An “ethical hacker” obtains the permission of the owner of a system before hacking.

Hacking The act of producing a result not intended by the designer of a system. Hackers may perform such acts out of curiosity or malice. Malicious hacking is known as “cracking,” but many people typically call all these actions “hacking,” regardless of intent.

Hacktivism Politically or socially motivated hacking, seen by activists as a form of civil disobedience in the interest of free speech and human rights, but seen by its opponents as a form of cyberterrorism.

Hairpinning A process by which malicious code can enter from a nonsecure network and make a hairpin—or sharp—turn. It can enter a secure network with little or no trouble because it is entering from a secure and verified endpoint. Hairpinning is a particular issue for organizations whose work-at-home employees want to connect to both an unsecure network and a VPN at the same time.

Hardening The process of securing or locking down a host against threats and attacks. This can include removing unnecessary software, installing updates, and imposing secure configuration settings.

Hardware address The physical address assigned to a network interface by the manufacturer. Also known as the MAC address.

Hardware firewall An appliance firewall. A hardened computer product that hosts firewall software exclusively.

Hardware VPN A dedicated device hosting VPN software. Also known as an appliance VPN. Hardware VPNs can connect hosts and/or networks.

Hash algorithm A set of mathematical rules and procedures that produces a unique number from a dataset. See hash or hash value and hashing.

Hash or hash value The unique number produced by a hash algorithm when applied to a dataset. A hash value verifies the integrity of data.

Hashing The process of verifying data integrity. Hashing uses hash algorithms to produce unique numbers from datasets, known as hash values. If before-and-after hash values are the same, the data retain integrity.

Header The additional data added to the front of a payload at each layer of the OSI model that includes layer-specific information.

Health Insurance Portability and Accountability Act (HIPAA) Legal protection for healthcare records that went into effect in 1996.

Hierarchical File System (HFS) A storage device file system developed by Apple Inc. for use on Macintosh computers. HFS supports multiple resource forks for file objects.

High availability Percentage of time when a service or device is available; the higher the number, the better.

Hijacking This attack occurs when a hacker uses a network sniffer to watch a communications session to learn its parameters. The hacker then disconnects one of the session’s hosts, impersonates the offline system, and then begins injecting crafted packets into the communication stream. If successful, the hacker takes over the session of the offline host, while the other host is unaware of the switch.

HITECH This 2009 Act expanded HIPAA with more specific requirements for computers and electronic records.

Honeynet A collection of multiple honeypots in a network for the purposes of luring and trapping hackers.

Honeypot A closely monitored system that usually contains a large number of files that appear to be valuable or sensitive, and serves as a trap for hackers. A honeypot distracts hackers from real targets, detects new exploitations, and learns the identities of hackers.

Host A node that has a logical address assigned to it, usually an IP address. This typically implies that the node operates at and/or above the Network Layer. This would include clients, servers, firewalls, proxies, and even routers. The term excludes switches, bridges, and other physical devices such as repeaters and hubs. In most cases, a host either shares or accesses resources and services from other hosts.

Host firewall A software firewall installed on a client or server.

Host VPN A VPN endpoint located on a host client or server. A host VPN relies on either a native feature of the operating system or a third-party application.

Host-to-gateway VPN A VPN model where the remote client connects to the VPN server to gain access to the internal network.

Host-to-host VPN A VPN created between two individual hosts across a local or intermediary network. Host-to-host VPNs are also known as client-to-server, remote-to-office, or remote-to-home VPNs.

Host-to-site VPN A VPN created between a host and a network across a local or intermediary network. Also known as a remote access VPN.

HOSTS file A static file on every IP-enabled host where FQDN-to-IP address resolutions can be hard-coded.

Hot standby router protocol (HSRP) A proprietary standard that allows configuration of a pair of Cisco VPNs for fail-over performance.

Hub A device that concentrates wired connections so only one cable connects to the next device.

Hybrid attack A form of password or encryption key-cracking attack that combines dictionary attacks with brute-force attacks. A dictionary list provides seed values to a brute-force attack tool that makes modifications to the seed value. A very effective attack against users who mistakenly believe that changing a few characters or adding a few characters to a base password is actually improving the password’s strength. For example, hybrid attacks may combine dictionary words with a digit or two to increase the likelihood of obtaining a successful result.

Hybrid VPN A form of VPN establishing a secure VPN over trusted VPN connections.

I

ICMP redirect An announcement message sent to hosts to adjust the routing table. ICMP type 5 messages are known as redirects. Hackers can use ICMP redirects to perform man-in-the-middle or session hijacking attacks.

Identity and access management (IAM) The security discipline that enables the right individuals to access the right resources at the right times consistent with organizational policy.

Identity proofing The act of authentication. Confirming the identity of a user or host.

IDS insertion An attack that exploits the nature of a network-focused IDS to collect and analyze every packet to trick the IDS into thinking an attack took place when it actually has not. The common purpose of IDS insertion attacks is to trick signature- or pattern-matching detection of malicious network events.

In-band management A common method of data collection on a network.

Incident response planning A predefined procedure to react to security breaches to limit damage, contain the spread of malicious content, stop compromise of information, and promptly restore the environment to a normal state.

Information Technology Infrastructure Library (ITIL) A set of concepts and practices that provide detailed descriptions and comprehensive checklists, tasks and procedures for common IT practices. The Security Management section is based on the ISO 27002 standard.

Ingress filtering Filtering traffic as it attempts to enter a network. This can include monitoring for spoofed addresses, malformed packets, unauthorized ports and protocols, and blocked destinations.

In-line proxy A device usually installed between the firewall and the web server to filter requests.

Insertion attack An exploit based on the introduction of unauthorized content or devices to an otherwise secured infrastructure. Three common insertion-based attacks include SQL injection, IDS insertion, and rogue devices.

Instant messaging (IM) A form of near real-time text communication. Also known as chat, IRC, and SMS messaging.

Intangible cost and value Costs or values not directly related to budgetary funds. They can include but are not limited to research and development, marketing edge, competition value, first to market, intellectual property, public opinion, quality of service, name recognition, repeat customers, loyalty, honesty, dependability, assurance, reliability, trademarks, patents, privacy, and so on.

Integrated Services Digital Network (ISDN) A set of communications standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network.

Integrity The security service of preventing unauthorized changes to data.

Intentional electromagnetic interference (IEMI) The result of an intentional discharge made to damage or destroy electronic equipment, ranging from cell phones to computers and servers.

Interception attack Any attack that positions the attacker in line with a session between a client and server. Such attacks typically allow the hacker to eavesdrop and manipulate the contents of the session. Also known as a man-in-the-middle attack.

Intermediary network Any network, network link, or channel located between the endpoints of a VPN; often the Internet.

Internal personnel Any worker or person who is physically present within the building or who has authorization to remotely connect into the network. Internal personnel are the most common cause of security violations.

Internet Assigned Numbers Authority (IANA) The entity responsible for global coordination of IP addressing, DNS root, and other Internet protocol resources.

Internet Control Message Protocol (ICMP) A commonly used protocol found in the Network Layer (Layer 3). ICMP rides as the payload of an IP packet. ICMP supports network health and testing. Commonly abused by hackers for flooding and probing attacks.

Internet Engineering Task Force (IETF) The standards body for Internet-related engineering specifications.

Internet Key Exchange v2 (IKEv2) The second and latest version of the IKE protocol.

Internet of Things (IoT) Devices that can be connected and accessed via the Internet.

Internet Protocol (IP) A protocol standard for communicating over the Internet.

Internet Protocol Security (IPSec) A protocol designed to secure communication.

Internet Protocol version 4 (IPv4) A protocol used for identifying unique addresses for computers and networks using a dot-delineated format. Because of the limit of potential addresses, this protocol is superseded by IPv6.

Internet Protocol version 6 (IPv6) An addressing protocol not bound by the mathematical limit of IPv4.

Internet Relay Chat (IRC) A real-time text communication system. Hackers commonly use IRC as a way to communicate anonymously and control botnets.

Internet Service Provider (ISP) The vendor that provides Internet access to a home or business.

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) A legacy protocol developed by Novell for their NetWare networking product. Mostly replaced by TCP/IP.

Intrusion detection system (IDS) A security mechanism to detect unauthorized user activities, attacks, and network compromise. An IDS can respond in a passive manner through alerts and logging or in an active manner by disconnecting an offending session.

Intrusion prevention system (IPS) A security mechanism to detect and prevent attempts to breach security.

IP address The temporary logical address assigned to hosts on a network. An IP address is managed and controlled at the Network Layer (Layer 3) of the OSI model by IP (Internet Protocol). IPv4 addresses are 32-bit addresses presented in human-friendly dotted-decimal notation. IPv6 addresses are 128-bit addresses presented in a special hexadecimal grouping format.

IP Multimedia Subsystem (IMS) An architectural framework for delivering IP multimedia services; IMS would carry packet communications in all known forms over wireless or landline, everything from traditional telephony to video on demand (VoD).

IPchains The firewall capability built into most Linux distributions.

IPSec IP protocol encryption services extracted from IPv6 to be used as an add-on component for IPv4. IPSec provides tunnel mode and transport mode encrypted Network Layer connections between hosts and/or networks.

ISO image A drive image that can be used to install software or store files.

K

Kernel panic A known issue in FreeBSD where the system freezes and stops processing instructions. This is similar to the Microsoft “blue screen.”

Key The unique number used to guide an algorithm in the encryption and decryption process. A valid key must be within the keyspace of an algorithm.

Key exchange The cryptographic function ensuring that both endpoints of a communication have the same symmetric key. Key exchange occurs by simultaneous key generation or with a digital envelope.

Key pair The set of associated keys including a public key and a private key used by public key cryptography. Only the public key can decrypt data encrypted by the private key, and vice versa.

Keyspace The range of valid keys used by an algorithm. Keyspace is the bit length of the keys supported by the algorithm.

Keystroke logger Malware that records all keyboard input and transmits the keystroke log to a hacker.

Knowledge-based detection A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events. All traffic or events that match an item in the database are considered abnormal and potentially malicious. Also known as signature, database, and pattern-matching–based detection.

L

LAN-to-LAN VPN A VPN between two networks over an intermediary network; also known as WAN VPN and site-to-site VPN.

Layer 2 Forwarding (L2F) Protocol An early communications protocol that competed with Point-to-Point Tunneling Protocol.

Layer 2 Tunneling Protocol (L2TP) An older protocol largely replaced by IPSec and SSL/TLS-based VPNs in production environments, but still in use in some older environments.

Leased line A network communications line leased from an ISP or telco service. A leased line is usually a dedicated line between network locations or to the Internet.

Leetspeak A somewhat secret form of communication or language that hackers use based on replacing letters with numbers, symbols, or other letters that somewhat resemble the original characters. For example, “elite” becomes “eleet” and then becomes “31337.”

Load balancer A system or device (hardware or software) that takes the load coming into a set of servers and ensures that the load is balanced between or among the servers.

Load balancing A network traffic management technique to spread the workload or traffic levels across multiple devices to maintain availability, uptime, and high performance at wire speed.

Local area network (LAN) A network confined to a limited geographic distance. Generally, a LAN is composed of segments that are fully owned and controlled by the host organization as opposed to using lines leased from telcos.

Log A log is a recording or notation of activities. Many security services, applications, and network resources automatically create a log of all events. Also known as an event log or a log file.

Logging The act of creating or recording events into a log. Similar to auditing and monitoring.

Logic bomb Malware that acts like an electronic land mine. Once a hacker places a logic bomb in a system, it remains dormant until a triggering event takes place. The trigger can be a specific time and date, the launching of a program, the typing of a specific keyword, or accessing a specific URL. Once the trigger occurs, the logic bomb springs its malicious event on the unsuspecting user.

Logical address A temporarily assigned address given to a host. An IP address is a common example of a logical address. Most logical addresses exist at the Network Layer (Layer 3) of the OSI model.

Logical topology The way computers appear to behave versus how those computers are actually connected.

Loophole An unexpected way around a defense or a policy.

M

MAC spoofing The act of a hacker changing the MAC address of their network interface. Commonly used to bypass MAC filtering on a wireless access point by impersonating a valid client.

Malicious code Any software that was written with malicious intent. Administrators use antivirus and anti-malware scanners to detect and prevent malicious code (also known as malware) from causing harm within a private network or computer.

Management interface The command line or graphical interface used to control and configure a device. Often accessible through a console (CON) port on the device or through a logical interface across the network.

Man-in-the-middle (MitM) attack This attack occurs when a hacker is positioned between a client and a server, and the client is fooled into connecting with the hacker computer instead of the real server. The attack performs a spoofing attack to trick the client. As a result, the connection between the client and server is proxied by the hacker. This allows the hacker to eavesdrop and manipulate the communications.

Maximum Transmission Unit (MTU) The largest amount of data that a datagram can hold based on the limitations of the networking devices managing a given segment. As an MTU changes across a communication path, a datagram may be fragmented to comply with the MTU restriction.

Mean time between failures (MTBF) A rating on some hardware devices expressing the average length of time between significant failures.

Mean time to failure (MTTF) A rating on some hardware devices expressing the average length of time until the first significant failure is likely to happen.

Media Access Control (MAC) address The physical address assigned to a network interface by the manufacturer. The MAC address is a 48-bit binary address presented as hexadecimal pairs separated by colons. The first half of a MAC address is known as the Organizationally Unique Identifier (OUI) or vendor ID; the last half is the unique serial number of the NIC.

Mesh topology A network layout with increased redundancy and usually significantly increased set-up costs.

Metacharacter A character that has a special meaning assigned to it and is recognized as part of a scripting or programming language. Metacharacters should be filtered, escaped, or blocked to prevent script injection attacks. Escaping metacharacters is a programmatic tactic to treat all characters as basic ASCII, rather than as something with special meaning or purpose.

Mission-critical The state or condition of an asset or process vitally important to the long-term existence and stability of an organization. If a mission-critical element is interrupted or removed, it often results in the failure of the organization.

MITRE The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. It sponsors a vulnerability research, cataloging, and information organization: http://cve.mitre.org/.

Mobile code A form of software transmitted to and executed on a client. Hackers can use mobile code for malicious purposes.

Mobile IP A standard communications protocol designed to let mobile device users move from one network to another while maintaining a permanent IP address; this concept is also known as IP mobility. Mobile IP for IPv4 is described in RFC 5944. Mobile IPv6, designed to work with next generation of the Internet Protocol, is covered in RFC 6275.

Modeling The process of simulating and testing a new concept, design, programming, technique, and so forth before deployment into a production environment. Modeling often occurs before piloting.

Modem A device used to connect a computer or network to the Internet.

Monitoring The act of watching for abnormal or unwanted circumstances. Commonly used interchangeably with logging and auditing.

Monkey-in-the-middle attack Another term for man-in-the-middle attack.

Multifactor authentication Authentication that requires multiple valid proofs of identity used in simultaneous combination.

N

National Information Infrastructure (NII) The product of the High Performance Computing and Communication Act of 1991. It was a telecommunications policy buzzword, which was popularized during the Clinton administration under the leadership of Vice President Al Gore. It was a proposed advanced, seamless web of public and private communications networks, interactive services, interoperable hardware and software, computers, databases, and consumer electronics to put vast amounts of information at users’ fingertips.

National Institute of Standards and Technology (NIST) NIST is a nonregulatory federal agency within the U.S. Department of Commerce; its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. As part of its mission, NIST performs vulnerability research, cataloging, and information distribution: http://nvd.nist.gov/.

National Security Agency (NSA) The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the U.S. government, administered as part of the U.S. Department of Defense. It is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. It is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography.

Native firewall A firewall within an operating system or hardware device placed there by the vendor or manufacturer. Can also include firewalls not necessarily installed by default, but which you can add to a system through an update or patch installation.

Network access control (NAC) A mechanism that limits access or admission to a network based on the security compliance of a host.

Network address translation (NAT) A service that converts between internal addresses and external public addresses. This conversion is performed on packets as they enter or leave the network to mask and modify the internal client’s configuration. The primary purpose of NAT is to prevent internal IP and network configuration details from being discovered by external entities, such as hackers.

Network Layer (Layer 3) The third layer of the OSI model. This layer is responsible for logical addressing (IP addresses) and routing traffic.

Network News Transfer Protocol (NNTP) The protocol used by the USENET message service. USENET is a persistent message service that allows anyone to post and read messages from over 100,000 named, categorized, topical newsgroups.

Network security The collection of security components assembled in a network to support secure internal and external communications. Network security depends upon host security. Network security operates to protect the network as a whole, rather than as individual systems.

New Technology File System (NTFS) A file format developed by Microsoft commonly used on Windows systems. NTFS offers file security, large volume size, large file size, and alternate data streams (ADS).

Next-generation firewall (NGFW) A device offering more than traditional firewall capabilities such as packet inspection.

Nmap A network mapping tool that performs network scanning, port scanning, OS identification, and other types of network probing. Nmap is available at http://www.insecure.org/.

Node Any device on the network that can act as the endpoint of a communication. This includes clients, servers, switches, routers, firewalls, and anything with a network interface that has a MAC address. A node is a component that communication can be directed to, rather than one that communication only passes through or across. For example, network cables and patch panels are not nodes.

Nonauthenticating query service Any communication exchange that does not verify the identity of the endpoints of a communication and accepts any properly formed response as valid. DNS and ARP are common examples. Hackers can easily spoof such a service.

Nondedicated connection A network connection that is not always on and available for immediate transmission of data. A connection must be established through a negotiation process before the channel is open and ready for data transmission. Dial-up, ISDN, and DSL lines are nondedicated connections.

Nonrepudiation A security service that ensures that a sender cannot deny sending a message. This service can be provided by public key cryptography, typically through a digital signature.

O

One-time pad A form of cryptography in which each encryption key is used once before being discarded. Keys are pseudorandom and never repeat. Key length must match message length, so that each character is encrypted with a unique key character.

One-way function A mathematical operation performed in one direction relatively easily; reversing the operation is impossible—or nearly so.

Open source A type of software product that may or may not be precompiled and whose source code is freely disclosed and available for review and modification.

Open Systems Interconnection (OSI) Reference Model A standard conceptual tool used to discuss protocols and their functions. The OSI model has seven layers. Each layer can communicate with its peer layer on the other end of a communication session. While the OSI model helps to discuss protocols, most protocols are not in full compliance with it.

Open VPN A brand of VPN used in demonstration of the topics in this textbook.

Opportunistic hacker A person who takes advantage of unique or abnormal situations to perform malicious actions, but who would not initiate such actions otherwise.

Optical carrier (OC) A form of network carrier line, often leased or dedicated, which uses fiber optic cables for very high-speed connections. An OC-1 connection supports a throughput of 51.84 Mbps.

OS/2 A multi-tasking operating system developed jointly by Microsoft and IBM. First released in 1987, it lost nearly its entire market share to Windows after the two companies ceased collaboration in 1990. IBM discontinued support in 2006.

Out-of-band communication A method of communication through an alternative route, mechanism, or pathway than the current one employed (the current communication is known as “in band”). Commonly used as a technique for secured data exchange or verification of an identity.

P

Packet The collection of data at the Network Layer (Layer 3) of the OSI model. It consists of the payload from the Transport Layer (Layer 4) above and the Network Layer header. IP packets are a common example.

Padded cell Specialized host used to place an attacker into a system where the intruder cannot do any harm.

Partition A logical division of a hard drive that can be formatted with a file system.

Passive hub See hub.

Passive threat Any harmful code or site that depends upon the user’s actions to be accessed or activated. If users never visit an infected site or do not perform the risky activity, the threat never reaches them. A passive threat is similar to a virus in that it depends upon the activity of the user to activate, infect, and spread.

Patch management The procedure of watching for the release of new updates from vendors, testing the patches, obtaining approval, then overseeing the deployment and implementation of updates across the production environment.

Payload The nonheader component of a PDU/segment/packet/frame. The payload is the data received from the layer above that includes the above layer’s header and its payload.

Payment Card Industry Data Security Standard (PCI DSS) An industry standard for secure storage of credit card holder information and transaction processing.

Penetration testing See ethical hacking.

Permission An ability to interact with a resource that is granted or denied to a user through some method of authorization or access control, such as access control lists (ACLs).

Personal firewall Typically, a software host firewall installed on a home computer or network client. Can also refer to SOHO hardware firewalls, such as those found on DSL and cable modems and wireless access points.

Phishing An attack that seeks to obtain information from a victim by presenting false credentials or luring victims to an attack site. Phishing can occur face to face, over the phone, via e-mail, on a website, or through IM.

Physical address The hardware address assigned to a network interface by the manufacturer. Also known as the MAC address.

Physical Layer (Layer 1) The bottom or first layer of the OSI model. This layer converts data into transmitted bits over the physical network medium.

Physical topology The way computers and devices are connected in a network.

Piloting Deploying a new service, device, configuration, software, and so on to a limited number of testing hosts before rolling out the new component to the entire production environment. Piloting often occurs after modeling. Also called beta testing.

Ping sweep A network scan that sends ICMP type 8 echo requests to a range of IP addresses to obtain ICMP type 0 echo responses. A ping sweep can discover active systems and identify the IP addresses in use.

Playback attack See replay attack.

Point-to-Point Protocol (PPP) A protocol commonly used in establishing a direct connection between two networking nodes.

Point-to-Point Tunneling Protocol (PPTP) An early proprietary VPN tunneling protocol from Microsoft.

Pop-up blocker A software tool that prevents or restricts websites from automatically opening additional tabs or windows without the user’s consent. These additional windows are known as pop-ups or pop-unders. Pop-ups are commonly used as methods of advertising, as well as elements in social engineering and distribution of malicious code.

Port address translation (PAT) An extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address.

Port-based network access (admission) control (PNAC) A form of network access control or admission control (NAC) used on individual network access devices, such as firewalls, VPN gateways, and wireless routers, to offload authentication to a dedicated authentication server/service. Only after valid authentication are communications with or across the network device allowed.

Port forwarding The function of routing traffic from an external source received on a specific predefined IP address and port combination (also known as a socket) to an internal resource server. Also known as reverse proxy and static NAT.

Port number The addressing scheme used at the Transport Layer (Layer 4) of the OSI model. There are 65,535 ports, each of which can—in theory—support a single simultaneous communication.

Port scanning A network scan that sends various constructions of TCP or UDP packets to determine the open or closed state of a port. Tools such as nmap are used to perform port scanning.

Post Office Protocol (POP) An Application Layer protocol used by e-mail clients to receive messages from an e-mail server. The default TCP/IP port is 110, and it does not encrypt communications. The companion SMTP protocol sends messages to an e-mail server.

Presentation Layer (Layer 6) The sixth layer of the OSI model. This layer translates the data received from host software into a format acceptable to the network. This layer also performs this task in reverse for data coming from the network to host software.

Prevention The use of safeguards to thwart exploitation or compromise.

Principle of least privilege The guideline that all users should be granted only the minimum level of access and permission required to perform their assigned job tasks and responsibilities.

Privacy Keeping information about a network or system user from being disclosed to unauthorized entities. While typically focused on private information like a Social Security number, medical records, credit card number, or cellular phone number, privacy concerns extend to any data that represents personally identifiable information (also known as PII).

Private branch exchange (PBX) A type of business telephone network. PBX systems allow for multiple phone extensions, voice mailboxes, and conference calling. PBX systems require specialized equipment. PBX systems are largely being replaced by VoIP (Voice over IP) solutions.

Private IP address The ranges of IP addresses defined in RFC 1918 for use in private networks that are not usable on the Internet.

Private key The key of the public key cryptography key pair that is kept secret and used only by the intended entity. The private key decodes information encoded with its associated public key, and it encrypts information that can be decrypted only by its associated public key. This process validates the identity of the originator and creates a digital signature.

Privilege An increased ability to interact with and modify the operating system and desktop environment granted or denied to a user through some method of authorization or access control, such as user rights on a Windows system.

Privilege escalation The act of obtaining a higher level of privilege or access for a user account or a session. A tactic employed by hackers once they intrude into a network through the compromise of a normal user account.

Professional hacker A criminal whose objective is to compromise IT infrastructures. Whether operating as individuals, offering mercenary hacking services, or functioning as members of a criminal ring, professional hackers focus time and energy on becoming effective cyber attackers. A professional hacker is someone who contracts out his or her hacking skills to others.

Proprietary OS An operating system built exclusively to run on a bastion host device. Most appliance firewalls employ a proprietary operating system.

Protocol converter See gateway.

Protocol Data Unit (PDU) The collection of data at the Session, Presentation, and Application layers (Layers 5–7) of the OSI model.

Proxy attack See man-in-the-middle attack.

Proxy manipulation An attack in which a hacker modifies the proxy settings on a client to redirect traffic to another system, such as the hacker’s own machine. The hacker may host a proxy server in addition to eavesdropping and manipulating the redirected traffic.

Proxy server A network service that acts as a “middle man” between a client and server. A proxy can hide the identity of the client, filter content, perform NAT services, and cache content.

Pseudorandom number generator (PRNG) The mechanism of computer systems that produces partially random numbers using a complex algorithm and a seed value that is usually time-based. Computers are currently unable to produce true random numbers, and a PRNG approximates randomness.

Public IP address Any address that is valid for use on the Internet. This excludes specially reserved addresses such as loopback (127.0.0.1–127.255.255.255), RFC 1918 addresses, and the Windows APIPA addresses (169.254.0.0–169.254.255.255). Organizations lease public addresses from an Internet Service Provider (ISP).

Public key The key of the public key cryptography key pair that is shared with other entities with whom the holder of the private key wishes to correspond. The public key decodes messages encoded with its associated private key, originates messages that only the holder of the associated private key can decrypt, and creates digital envelopes.

Public key cryptography A subset of asymmetric cryptography based on the use of key pair sets. Public key cryptography uses public and private keys to create digital envelopes and digital signatures.

Public key infrastructure (PKI) A combination of several cryptographic components to create a real-world solution that provides secure communications, storage, and identification services. Commonly uses symmetric encryption, asymmetric/public key encryption, hashing, and digital certificates. In most cases, when PKI refers to authentication, digital certificates are used as credentials.

Public network Any network that is accessible by entities from outside an organization. Most often, use of this term implies the Internet, but many other public networks exist.

Punch panel A type of hub.

Punchdown block A type of hub.

Pwned A “leetspeak” word derived from a common IRC typo of “owned.” Used to mean hacking and taking over control of a computer or network.

R

Rainbow tables Precompiled lists of hashed passwords used in attacks.

Ransomware A type of malware that encrypts a device drive until a ransom is paid.

Reconnaissance The act of learning as much as possible about a target before attempting attacks. Reconnaissance consists of collecting data about the target from multiple sources online and offline. Effective reconnaissance is done covertly, without tipping off the target about the research. Reconnaissance can also be called footprinting, discovery, research, and information-gathering.

Recreational hacker Someone who enjoys exploring and learning about computer technology; he or she may put an organization’s network at risk by bringing in unapproved software, experimenting on the network, or just trying an exploit to “see if it works.”

Redundancy The feature of network design that ensures the existence of multiple pathways of communication. The purpose is to prevent or avoid single points of failure.

Redundant array of independent disks (RAID) A disk set management technology that provides speed and fault tolerance. RAID can provide some protection against hard drive failure, but it does not protect against software or data compromises, such as virus infection.

Regional Internet Registry (RIR) The five regional organizations that oversee and monitor the allocation and registration of IP addresses (both IPv4 and IPv6). RIR consists of American Registry for Internet Numbers (ARIN), RIPE Network Coordination Center (RIPE NCC), Asia-Pacific Network Information Centre (APNIC), Latin American and Caribbean Internet Address Registry (LACNIC), and African Network Information Centre (AfriNIC).

Rekeying The process of triggering the generation of a new symmetric encryption key and secure exchange of that key. Rekeying can take place based on time, idleness, volume, randomness, or election.

Remote access A communications link that enables access to network resources using a wide area network (WAN) link to connect to a geographically distant network. In effect, remote access creates a local network link for a system not physically local to the network. Over a remote access connection, a client system can technically perform all the same tasks as a locally connected client, with the only difference being the speed or the bandwidth of the connection.

Remote access server (RAS) A network server that accepts inbound connections from remote clients. Also known as a network access server (NAS).

Remote access VPN Another name for host-to-site VPN.

Remote control The ability to use a local computer system to remotely take control of another computer over a network connection. Often used for remote technical assistance.

Remote Desktop Connector (RDC) A built-in client application that uses Remote Desktop Protocol (RDP).

Remote Desktop Protocol (RDP) A proprietary Microsoft protocol that provides a graphical user interface (GUI) to a remote system.

Remote-to-home VPN A VPN used to connect a remote or mobile host into a home computer or network. Also known as a host-to-host VPN.

Remote-to-office VPN A VPN used to connect a remote or mobile host into an office network workstation. Also known as a host-to-host VPN.

Repeater A type of hub that rebuilds the signal received through a bit-by-bit process.

Replay attack This attack occurs when a hacker uses a network sniffer to capture network traffic and then retransmits that traffic back on to the network at a later time. Replay attacks often focus on authentication traffic in the hope that retransmitting the same packets that allowed the real user to log into a system will grant the hacker the same access.

Request for comments (RFC) A document that defines or describes computer and networking technologies. These documents are published by the Internet Engineering Task Force, the standards body for Internet engineering specifications. RFCs exist for hardware, operating systems, protocols, security services, and much more.

Resources Any data item or service available on a computer or network accessible by a user to perform a task.

Response Action taken in the event of an attack or unexpected action on a system or network.

Return on investment (ROI) A business evaluation technique to determine whether an investment will earn back equivalent or greater benefit within a specific time.

Reverse caching A means of providing faster access to static content for external users accessing internal web servers.

Reverse proxy The function of routing traffic from an external source received on a specific predefined IP address and port combination (also known as a socket) to an internal resource server. Also known as port forwarding and static network address translation (NAT).

RFC 1918 addresses IP addresses that, by convention, are not routed outside a private or closed network.
Class A: 10.0.0.0–10.255.255.255;
Class B: 172.16.0.0–172.31.255.255;
Class C: 192.168.0.0–192.168.255.255

Ring topology A topology that uses a closed cabling scheme.

Risk The likelihood or potential for a threat to take advantage of a vulnerability and cause harm or loss. Risk is a combination of an asset’s value, exposure level, and rate of occurrence of the threat. A goal of security is to recognize, understand, and eliminate risk.

Risk assessment The process of examining values, threat levels, likelihoods, and total cost of compromise versus the value of the resource and the cost of the protection. This involves the use of values and calculations, such as AV, EF, SLE, ARO, ALE, and the cost/benefit equation.

Risk management Performing risk assessment, and then acting on the results to reduce or mitigate risk. Often risk assessment establishes a new security policy and then aids in revising it over time.

Rogue access point An access point set up and configured by a hacker to fool users into connecting with it. The hacker may then use the connection to carry out an attack such as a man-in-the-middle attack.

Rogue device insertion A physical attack in which an impostor device is inserted into a network and connected to it either by wire or wirelessly.

Rogue DHCP A false DHCP server providing IP addresses to networked devices.

Role A collection of tasks and responsibilities defined by a security policy or job description for an individual in an essential productivity or security position.

Root cause The actual cause of a problem, often buried behind several symptoms that appear to be causes.

Rootkit A form of malware that hackers can upload and deploy on a target system. It often replaces multiple components of the host operating system with altered code.

Round-robin A form of load balancing that hands out tasks in a repeating nonpriority sequence.

Route The pathway communication travels within a wired network.

Router A network device responsible for directing traffic toward its stated destination along the best-known current available path.

Router access control list A tool used to limit network access and traffic while increasing network performance.

RRDtool A round-robin database tool intended to handle time-series data like network bandwidth, temperatures, CPU load, and so on. The data are stored in a round-robin database (circular buffer); thus, the system storage footprint remains constant over time.

Rule A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic. Also known as a filter or ACL.

Rule set The list of rules on a firewall (or router or switch) that determine which traffic is and is not allowed to cross the filtering device. Most rule sets employ a first-match-apply-action process.

S

Sacrificial host A firewall positioned at the initial entry point where a network interfaces with the Internet serving as the first line of defense for the network. Also known as a bastion host.

Sarbanes-Oxley (SOX) Act A federal requirement enacted in 2002 to protect investors by requiring publicly traded companies to validate controls and financial data.

Scalability The ability of a product or service to provide adequate performance across changes in size, load, scope, or volume.

Scaling Changing the size of a network by making it larger or smaller.

Scanning The act of probing a network using custom crafted packets. Scanning can determine the IP addresses in use and whether ports are open or closed. The tool nmap can be used to perform scanning.

Screening router A router that can perform basic static packet-filtering services, in addition to routing functions. A screening router is the predecessor of modern firewalls.

Script kiddie A new, inexperienced, or ignorant hacker who uses prebuilt attack tools and scripts instead of writing his or her own or customizing existing ones. Even though a derogatory term in the hacker community, “script kiddie” still describes a serious threat to network security.

Sector A subdivision of computer storage medium that represents a fixed size of user-accessible data. Magnetic disks typically have 512-byte sectors; optical disks have 2,048-byte sectors. When a device is formatted, sectors are grouped into clusters.

Secure Shell (SSH) A network protocol that allows data exchange using a secure channel between two networked devices. It is used primarily on GNU/Linux- and UNIX-based systems to access shell accounts. SSH was a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible to packet analysis. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.

Secure Sockets Layer (SSL) A security protocol that operates at the top of the Transport Layer (Layer 4) and resides as the payload of a TCP session. Netscape designed SSL in 1997 for secure web e-commerce, but it can encrypt any traffic above the Transport Layer. It uses public key certificates to identify the endpoints of a session and uses symmetric encryption to protect transferred data. SSL v3.0 is the last version of SSL; TLS is replacing SSL.

Secured VPN A VPN that uses encryption to protect the confidentiality of its transmissions.

Security assessment The judging, testing, and evaluation of a deployed security solution.

Security awareness Knowledge of industry-specific vulnerabilities, known threats, and ways to avoid lapses in security.

Security goal Desired outcome for application of security practices and inclusion of tools and techniques.

Security Information and Event Management (SIEM) A toolset for collecting relevant information from multiple systems and aggregating it for decision making.

Security objective Sets of stated purposes or targets for network security activity. Standard objectives are confidentiality, integrity, and availability. Objectives are generally more oriented toward achieving or maintaining the goals, such as ensuring the confidentiality of resources.

Security policy A written document prescribing security goals, missions, objectives, standards, procedures, and implementations for a given organization. Also identifies which assets need protection based on their value.

Security stance An organization’s filtering configuration; in essence, its answer to the question, “What should be allowed and what should be blocked?”

Security Technical Implementation Guides (STIG) A security guideline, procedure, or recommendation manual.

Security through obscurity A form of security based on hiding details of a system, or creating convolutions that are difficult to understand. Such strategies do not usually resist a persistent attack; they are used when true security is poorly understood or the perceived threat is insufficient to overcome the obscure methodology. For example, proprietary source encryption algorithms can be labeled security through obscurity, as no forum for peer review or for formal testing exists to examine whether the methodology is cryptographically sound.

Segment The collection of data at the Transport Layer (Layer 4) of the OSI model. It consists of the payload from the Session Layer (Layer 5) above and the Transport Layer header. TCP segments are a common example. (Note: UDP segments are called datagrams, as they are connectionless, rather than connection-oriented).

Senior management The individual or group of highest controlling and responsible authority within an organization. Ultimately, the success or failure of network security rests with senior management.

Separation of duties An administrative rule whereby no single individual possesses sufficient rights to perform certain actions. Achieved by dividing administrative-level tasks and powers among compartmentalized administrators.

Server A host on a network. A server is the computer system that hosts resources accessed by users from clients.

Service level agreement (SLA) A contractual commitment by a service provider or support organization to its customers or users.

Session A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model; also known as a circuit or a state.

Session hijacking When a hacker is able to take over a connection after a client has authenticated with a server. To perform this attack, a hacker must eavesdrop on the session to learn details, such as the addresses of the session endpoints and the sequencing numbers. With this information, the hacker can desynchronize the client, take on the client’s addresses, and then inject crafted packets into the data stream. If the server accepts the initial false packets as valid, then the session has been hijacked.

Session Layer (Layer 5) The fifth layer of the OSI model. This layer manages the communication channel, known as a session, between the endpoints of the network communication. A single transport layer connection between two systems can support multiple simultaneous sessions.

Shellcode The content of an exploit to be executed on or against a target system.

Signature The unique characteristics of malware (known as a virus signature) used to detect and prevent infection of computer components.

Signature-based detection A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events. All traffic or events that match an item in the database are considered abnormal and potentially malicious. Also known as database, knowledge, and pattern-matching–based detection.

Simple Mail Transfer Protocol (SMTP) An Application Layer protocol used by e-mail clients to send messages to an e-mail server and also used to relay messages between e-mail servers. The default TCP/IP port is 25, and it does not encrypt communications. The companion POP protocol receives messages from an e-mail server.

Single-factor authentication The use of only a single element of validation or verification to prove the identity of a subject. Considered much weaker than multifactor authentication.

Single loss expectancy (SLE) The calculation of the potential loss from a single incident for a given asset and a specific threat. SLE calculations are part of risk assessment. SLE = AV × EF.

Single point of failure Any element of a system or network infrastructure that is the primary or only pathway through which a process occurs. The compromise of such an element could result in system failure. Network design should avoid single points of failure by including redundancy and defense in depth.

Single sign-on (SSO) A network security service that allows a user to authenticate to an entire domain through a single client logon process. All domain members will accept this single authentication. Local authorization is used to control access to individual resources. Such a single authentication can be more complex, since multiple logons for each individual server are not required.

Site-to-site VPN A VPN used to connect networks. Also known as a LAN-to-LAN VPN and WAN VPN.

Slack space The unused portion of the last cluster allocated to a stored file. It may contain remnants of prior files stored in that location. Hackers can hijack slack space to create hidden storage compartments.

Slideware An industry term referring to any product that appears in a vendor’s PowerPoint slide deck, but is not yet available in one of its products; also sometimes known as “vaporware.”

Smart hub See active hub.

Sniffer A software utility or hardware device that captures network communications for investigation and analysis. Also known as packet analyzer, network analyzer, and protocol analyzer.

Social engineering The craft of manipulating people into performing tasks or releasing information that violates security. Social engineering relies on telling convincing lies to manipulate people or taking advantage of the victim’s desire to be helpful.

Socket The combination of an IP address and a port number as a complete address.

Software firewall A host firewall installed on a client or server.

Software VPN A VPN crafted by software rather than hardware. Software VPN may be a feature of the operating system or a third-party application.

SOHO (small office, home office) Any small network, workgroup, or client/server setup deployed by a small business, a home-based business, or just a family network in a home.

Solid-state drive (SSD) A drive that eliminates many of the problems associated with magnetic drives by moving and restoring the data on the drive.

Source routing bridge A type of bridge where routing occurs based on the use of a discovery frame that travels the network to determine possible paths to the destination.

Spam Unwanted and often unsolicited messages. Spam is not technically malicious software, but spam can have a serious negative effect on IT infrastructures through sheer volume. Estimates vary, but spam may represent up to 95 percent of all e-mail (which implies that for every legitimate e-mail, there are up to 19 unrelated spam e-mails.)

Split tunnel A VPN connection that allows simultaneous access to the secured VPN link and unsecured access to the Internet across the same connection.

Spoofing The falsification of information. Often spoofing is the attempt to hide the true identity of a user or the true origin of a communication.

Spyware An advancement of keystroke logging to monitor and record many other user activities. Spyware varies greatly, but it can collect a list of applications launched, URLs visited, e-mail sent and received, chats sent and received, and names of all files opened. It can also record network activity, gather periodic screen captures, and even recordings from a microphone or web cam. Can be linked with adware.

SQL injection A form of website/application attack in which a hacker submits SQL expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell.

Star topology A network layout with an independent cable to each device.

State A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a session or a circuit.

Stateful inspection The process of automatically tracking sessions or states to allow inbound responses to previous outbound requests. Also called dynamic packet filtering.

Static electricity discharge (SED) A sudden and momentary electric current, usually of high voltage and low amperage, that flows between two objects. Commonly caused by low humidity environments. Humans, polyester, and plastics are prone to static buildup. SED can damage most computer components.

Static NAT The static coding of a translation pathway across a NAT service. Also known as port forwarding and reverse proxy.

Static packet filtering A method of filtering using a static or fixed set of rules to filter network traffic. The rules can focus on source or destination IP address, source or destination port number, IP header protocol field value, ICMP types, fragmentation flags, and IP options. Static packet filtering is therefore mainly focused on the Network Layer (Layer 3), but it can also include Transport Layer (Layer 4) elements. Static packet filtering focuses on header contents and does not examine the payload of packets or segments.

Subnetting A logical networking technique that breaks IP addresses into smaller subsets, thus extending the available IP address pool or allowing for network segmentation.

Sunk cost Time, money, and effort already spent on a project, event, or device. In economics, sunk costs are irrelevant to future decisions. Emotionally, however, people often use sunk costs as a rationalization to continue failing processes or procedures.

Switch A device that provides network segmentation through hardware. Across a switch, temporary dedicated electronic communication pathways are created between the endpoints of a session (such as a client and server). This switched pathway prevents collisions. Additionally, switches allow the communication to use the full potential throughput capacity of the network connection, instead of 40 percent or more being wasted by collisions (as occurs with hubs).

Symmetric cryptography Cryptography based on algorithms that use a single shared secret key. The same key encrypts and decrypts data, and the same key must be shared with all communication partners of the same session.

Synchronous dynamic random access memory (SDRAM) Dynamic random access memory (DRAM) that has a synchronous interface. Traditionally, dynamic random access memory (DRAM) has an asynchronous interface, which means that it responds as quickly as possible to changes in control inputs. SDRAM has a synchronous interface, meaning that it waits for a clock signal before responding to control inputs and is therefore synchronized with the computer’s system bus.

Syslog A standard for forwarding messages from a client device to a centralized server.

Systems Network Architecture (SNA) A legacy networking protocol developed by IBM commonly used to support communications between mainframes. Mostly replaced by TCP/IP.

T

Tangible costs and values Costs or values directly related to budgetary funds. They can include, but are not limited to: purchase, license, maintenance, management, administration, support, utilities, training, troubleshooting, hardware, software, updates/upgrades, and so forth.

Telco Short for telecommunications company or corporation. Used to refer to any company that sells or leases WAN connection services, whether wired or wireless.

Telecommuting The act of working from a home, remote, or mobile location while connecting into the employer’s private network, often using a VPN.

Telnet A protocol and a service (TCP port 23) used to remotely control or administer a host through a plaintext command-line interface. Because usernames, passwords, and session contents cross the network unencrypted, Telnet should be replaced by SSH wherever possible.

Terminal services A modern form of legacy thin-client operation. A thin-client software utility connects to a central terminal server, which simulates remote control. A terminal service system can support multiple simultaneous terminal client connections. When terminal services are in use, the client workstation converts to thin-client status. All operations of storage and processing then take place on the terminal server.

Terminator A hardware device used on a network with bus topology to stop signals from bouncing.

Thin-client computing A legacy terminal concept used to control mainframes. Thin clients had no local processing or storage capability. Modern thin clients simulate these limitations and perform all operations on the terminal server, remote control server, or thin-client server.

Threat Any potential harm to a resource or node on the network. Threats can be natural or artificial, caused by mother nature or man, or by the result of ignorance or malicious intent. Threats originate internally and externally.

Time synchronization A benefit of SIEM that manages the disparity between system clocks on.

Token In a ring network, the token controls traffic on the network cable by determining which systems can send information onto the line.

Topology The arrangement and means of connection of computers and peripherals in a network.

Traceroute A computer network tool used to show the route taken by packets across an IP network. An IPv6 variant, traceroute6, is also widely available.

Traffic congestion The problem when too much data crosses a network segment. This results in reduced throughput, increased latency, and lost data.

Training The second level of knowledge distribution offered by an organization to educate users about job task–focused security concerns. Training is more rigorous than awareness, but less rigorous than education.

Transmission Control Protocol (TCP) The connection-oriented protocol operating at the Transport Layer (Layer 4) of the OSI model.

Transmission Control Protocol (TCP)/Internet Protocol (IP) The protocol suite on which the Internet and most private networks are built, named for its two core protocols: IP provides addressing and best-effort delivery of packets, and TCP provides reliable, connection-oriented transport on top of it. The suite also includes UDP, ICMP, and the application protocols (such as HTTP, SMTP, and DNS) that ride above them.

Transparent bridge A bridge where LANs are connected and each device is unaware that the bridge is on the network.

Transparent proxy A proxy that intercepts traffic without requiring any configuration on the client, which is typically unaware that a proxy is in the path. It is most often installed immediately between the firewall and a web server, or at the network gateway to intercept outbound web traffic.

Transport Layer (Layer 4) The fourth layer of the OSI model. This layer formats and handles data transportation. This transportation is independent of and transparent to the application.

Transport Layer Security (TLS) A security protocol that operates at the top of the Transport Layer (Layer 4) and rides as the payload of a TCP session. It uses public key certificates to authenticate the endpoints of a session and symmetric encryption to protect the transferred data. TLS 1.0 was the replacement for SSL 3.0; TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so current deployments should offer only TLS 1.2 and TLS 1.3.

Transport mode encryption A form of encryption also known as point-to-point or host-to-host encryption. Transport mode encryption protects only the payload of traffic and leaves the header in plain-text original form.

Trapdoor A form of unauthorized access to a system. A trapdoor is any access method or pathway that circumvents access or authentication mechanisms. Also known as a backdoor.

Triple-homed firewall A firewall that has three network interfaces. Each network interface is located in a unique network segment. This allows for true isolation of the segments and forces the firewall to filter all traffic traversing from one segment to another.

Trojan horse A mechanism of distribution or delivery more than a specific type of malware. The Trojan horse embeds a malicious payload within a seemingly benign carrier or host program. When the host program is executed or otherwise accessed, the malware is delivered. The gimmick of a Trojan horse is the act of fooling someone (a type of social engineering attack) into accepting the Trojan program as safe.

Trust Confidence in the expectation that others will act in your best interest, or that a resource is authentic. On computer networks, trust is the confidence that other users will act in accordance with the organization’s security rules and not attempt to violate stability, privacy, or integrity of the network and its resources.

Trusted Platform Module (TPM) A dedicated security microchip found on many motherboards (or implemented in firmware inside the CPU) that generates, stores, and protects cryptographic keys so that software cannot extract them, and that records measurements of the boot process. Its most familiar use is protecting the key for whole hard drive encryption, releasing it only when the measured boot state matches the expected one.

Trusted third party A mechanism of authentication using a third entity known and trusted by two parties. The trusted third party allows the two communicating parties, who were originally strangers to each other, to establish an initial level of inferred trust.

Trusted VPN A VPN whose components are wholly owned by the organization it serves.

Tunnel-mode encryption A form of encryption also known as site-to-site, LAN-to-LAN, gateway-to-gateway, host-to-LAN, and remote access encryption. Tunnel-mode encryption performs a complete encapsulation of the original traffic into a new tunneling protocol. The entire original header and payload are encrypted and a temporary link or tunnel header guides the data across the intermediary network.

Tunneling The act of transmitting a protocol across an intermediary network by encapsulating it in another protocol. See encapsulation.

Two-factor authentication A method of proving identity using two different authentication factors. Authentication factors are something you know, something you have, or something you are. Examples include a smart card (something you have) with a PIN (something you know); a biometric device (something you are) coupled with a password (something you know); or a proximity card (something you have) that activates a fingerprint reader (something you are).

U

Unidirectional In a ring network the token only moves one way around the ringed cable.

Unified threat management (UTM) The deployment of a firewall as an all-encompassing primary gateway security solution. The idea behind UTM is that a single device can be designed to perform firewall filtering, IPS, antivirus scanning, anti-spam filtering, VPN endpoint hosting, content filtering, load balancing, detailed logging, and potentially other security services, performance enhancements, or extended capabilities.

Uninterruptible power supply (UPS) A power conditioning device that provides battery backup long enough to allow the orderly closing of programs and powering down of the system in the event of a power loss.

Universal participation The principle that for an organization’s security policy to be effective, everyone must be forced to work within it and follow its rules.

Unpartitioned space The area on a storage device not contained within a partition. Unpartitioned space is not directly accessible by the OS.

Upstream filtering The management of traffic by a firewall or other filtering device located one or more hops away (upstream) from a private network.

URL injector Malware that replaces the URLs in a user’s HTTP requests with alternative addresses, so that a different webpage appears in the browser than the one the user requested. The substituted pages may be advertising sites, may generate traffic that falsifies search engine optimization (SEO) results, or may lead to fake or spoofed sites.

User Datagram Protocol (UDP) The connectionless protocol operating at the Transport Layer (Layer 4) of the OSI model.

V

Virtual firewall A variety of firewall and firewall-like concepts using software to perform firewall activities.

Virtual local area network (VLAN) A logical LAN defined in switch configuration rather than by physical wiring. Devices on different physical segments can be placed in one broadcast domain, and devices on the same switch can be separated into different ones; frames crossing a trunk link between switches carry an IEEE 802.1Q tag identifying their VLAN. Traffic between VLANs must pass through a router or Layer 3 switch, which is where filtering between them is applied.

Virtual private network (VPN) A mechanism to establish a secure remote access connection across an intermediary network, often the Internet. This allows inexpensive, insecure links to replace expensive dedicated secure links such as leased lines. VPNs allow for cheap long-distance connections established over the Internet. Both endpoints need only a local Internet link. The Internet itself serves as a “free” long-distance carrier. VPNs employ encapsulation and tunneling protocols, such as IPSec.

Virtual Router Redundancy Protocol (VRRP) An industry-standard protocol (RFC 5798) in which two or more routers, firewalls, or VPN gateways share a virtual IP address and MAC address. One unit acts as the active master; if it fails, a backup takes over the virtual address, so hosts that use it as their gateway keep connectivity without reconfiguration.

Virus Malware that needs a host object to infect. Most viruses infect files, such as executables; device drivers; DLLs; system files; and sometimes even document, audio, video, and image files. Some viruses infect the boot sector of a storage device, including hard drives, floppies, optical discs, and USB drives. Viruses are spread through the actions of users, and spread file-to-file (compare to worms).

VPN appliance A hardware VPN device.

VPN concentrator A VPN device built to terminate many remote-access tunnels at once. It decrypts information coming from remote users over the Internet and encrypts information sent back over the Internet to them, performing the cryptographic work for all connections so that the internal servers need not.

VPN fingerprinting A technique used by an attacker to identify the vendor and, in some cases, the software version of a VPN server.

Vulnerability A weakness or flaw in a host, node, or any other infrastructure component that a hacker can discover and exploit. Security management aims to discover and eliminate such vulnerabilities.

Vulnerability management The technology and business processes used to identify, track, and mitigate known weaknesses on hosts within a computing environment.

Vulnerability scanning A form of investigation that aims at checking whether or not a target system is subject to attack based on a database of tests, scripts, and simulated exploits.

W

WAN VPN A VPN between two networks over an intermediary network. Also known as LAN-to-LAN VPN and site-to-site VPN.

Wardialing A method of discovering active modems by dialing a range of phone numbers.

Wardriving A method of discovering wireless networks by moving around a geographic area with a detection device.

Weakest link A security stance based on a repeating process of locating the least secure element of an infrastructure, securing it, and then identifying a new weakest link and securing it.

Whitelist A type of filtering concept where the network denies all activities except for those on the white list. Also known as an “allow list” or “permissions list.”

Windows Defender Firewall The host-based software firewall included in Microsoft Windows 10 and later and in the corresponding Windows Server releases.

Whois A tool used to view domain registration information. Whois is a command-line function of Linux and Unix, but it is also a tool on most domain registrar websites.

Whole hard drive encryption The process of encrypting an entire hard drive rather than just individual files. In most cases, whole hard drive encryption provides better security against unauthorized access than file encryption, because it also encrypts temporary directories, swap and hibernation files, and slack space.

Wide area network (WAN) A network not limited by any geographic boundaries. A WAN network can span a few city blocks, reach across the globe, and even extend into outer space. A distinguishing characteristic of a WAN is its use of leased or external connections and links. Often, telcos own these external connections.

Wire speed The maximum communication or transmission capability of a network segment. Often used to describe a network device’s ability to perform tasks on traffic, while being able to maintain overall network transmission speeds without introducing delay, lag, or latency.

Wired topology A physical connection of computers and devices using wires to transmit communication traffic.

Wireless topology A connection of computers and devices that uses wireless transmissions (through the air) to transmit communication traffic.

Workgroup A form of networking where each computer is a peer. Peers are equal to each other in terms of how much power or controlling authority any one system has over the other members of the same workgroup. All workgroup members are on equal footing because they can manage their own local resources and users, but not those of any other workgroup member.

Worm Malware that does not need a host object; instead, a worm is a self-sustaining program in its own right. Worms are designed around specific system flaws. The worm scans other systems for this flaw and exploits the flaw to gain access to another victim. Once hosted on another system, the worm seeks to spread itself by repeating the process. Worms can act as carriers to deposit other forms of malicious code as they multiply and spread across networked hosts.

Wrapper A tool used to create Trojan horses by embedding malware inside a host file or program.

Write-once read-many (WORM) A form of storage device that can be written to once, but once written cannot be electronically altered. Examples include DVD-R, WORM tapes, and WORM hard drives.

Z

Zero-day exploit A new and previously unknown attack for which there is no current specific defense. “Zero day” refers to the newness of an exploit, which may already have circulated in the attacker community for days or weeks before its first observed use. When such an attack occurs for the first time, defenders have had zero days of notice (hence the name). Such attacks usually exploit previously unidentified system flaws for which no vendor patch yet exists.

Zeroization The process of purging a storage device by writing zeros to all addressable locations on the device, the intent being that no data remnants remain for other users to recover. On magnetic disks a single overwrite pass is generally sufficient, but on flash media (SSDs and USB drives) wear leveling and spare blocks mean an overwrite issued from the host may never reach every physical cell; NIST SP 800-88 therefore recommends the device’s built-in sanitize command or cryptographic erase for such media.

Zombie A malicious software program distributed by a hacker to take over control of a victim’s computer. Also known as a bot or an agent. Zombies are commonly used to construct botnets (or zombie armies).

Zombie army A network of zombie/bot/agent-compromised systems controlled by a hacker. The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Another term for botnet.

Zombie array See zombie army.

Zone of risk Any segment, subnet, network, or collection of networks that represent a certain level of risk. The higher the risk, the higher the security need to protect against that risk. The less risk of a zone, the lower security need because fewer threats exist, or existing threats are less harmful. The flip side of risk zones is zones of trust.

Zone of trust Any segment, subnet, network, or collection of networks that represent a certain level of trust. Highly trusted zones require less security, while low trusted zones require more security. The flip side of trust zones is zones of risk.
