
Glossary of Key Terms

21 CFR Part 11 A title in the Code of Federal Regulations that deals with U.S. Food and Drug Administration (FDA) guidelines on electronic records and signatures. This title requires industries that fall under FDA regulation to implement controls such as audits, audit trails, electronic signatures, and policies for software and systems that process electronic data.

802.1x An IEEE standard, which addresses authentication for Layer 2 (bridges and switches) devices when communicating on a network; a protocol that provides a framework for implementing authentication on a network.

A

Access The ability of a subject and an object to interact.

Access control The process or mechanism of granting or denying use of a resource; typically applied to users or generic network traffic.

Access control entry (ACE) An element of the access control list.

Access control list (ACL) A list of security policies that is associated with an object.

Access mask In Windows-based systems, a value that specifies the rights that are allowed or denied in an access control entry (ACE) of an access control list (ACL).

Accounting As part of AAA, provides the ability of a system to collect statistics on networks or users for auditing and billing purposes. Accounting enables the tracking of systems usage, start and stop times of resources, and number of packets, as well as other metrics that identify what was used and for how long.

Active Directory The directory service for Microsoft Windows Server. Active Directory stores information about objects on the network and makes this information available for authorized systems administrators and users. It gives network users access to permitted resources anywhere on the network using a single sign-on process. It also provides systems administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

Advanced Encryption Standard (AES) A symmetric encryption algorithm that serves as an approved standard for encrypting U.S. government data.

Algorithm A process that performs a sequence of operations.

Americans with Disabilities Act (ADA) Regulation including provisions ensuring that everyone has equal access to public accommodations, regardless of any disability they might have.

Analysis and reporting The penultimate stage in a penetration test, where the testing team analyzes the gathered data and writes a report for the organization once the penetration test is complete.

Annual rate of occurrence (ARO) The number of times per year you expect a compromise to occur.

Annualized loss expectancy (ALE) The total cost per year of the threat under assessment. ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO).

Application Layer Provides services for an application program to ensure effective communication.

Asset value The relative value, either in monetary terms or in overall impact, of the resource being protected by the access control system.

Asymmetric cryptography Encryption approach that uses a pair of keys for each user: a public key and a private key.

Assessment Documenting rules, procedures, and guidelines to be tested against a system.

Asymmetric encryption A type of encryption in which an encryption key (the public key) is used to encrypt a message and another encryption key (the private key) is used to decrypt the message.

Attacker Someone trying to compromise information or data.

Attribute-based access control (ABAC) Access control policy where the policy is a function of a subject’s characteristics.

Audit trail A series of events gleaned from parsed log file reports over a period of time.

Authentication The process of confirming the identity of a user. Also, ensuring that a sender and recipient are who they say they are.

Authentication factor A way of confirming the identity of a subject. The three authentication factors are something you know, something you have, and something you are.

Authentication Header (AH) An IPSec authentication protocol that is used to prove the identity of the sender and ensure the data has not been tampered with.

Authentication server The server that validates requests for network access, using the RADIUS or EAP protocols.

Authentication service The service provided through Kerberos that identifies users on a computer system. The authentication service is part of the Key Distribution Center.

Authentication, Authorization, and Accounting (AAA) Network services that provide security through a framework of access controls and policies, enforcement of policies, and information needed for billing purposes.

Authenticator A message that is part of the Kerberos authorization process and is composed of the client ID and timestamp.

Authorization The decision to allow or deny a subject access to an object. After a user has been authenticated, for example, authorization determines if the user has the rights to perform specific actions on the network or system.

Automated testing The use of software to control the execution of a test suite.

Availability Ensuring a system is accessible when needed.

Automatic declassification The process for U.S. government documents over 25 years old. Unless they meet strict criteria, documents are automatically declassified after the department that owns the documents reviews them. The documents are moved to the publicly accessible shelves of the national archives.

B

Backdoor A hole in system or network security placed deliberately, either by system designers or attackers. A way of quickly bypassing normal security measures.

Baseline A normal level of measurement.

Bell-LaPadula Model A model that defines basic principles of access controls.

Best practice A documented method or system of achieving a specific result in an effective, efficient manner. Best practices generally take lessons learned from individuals or groups so that others can complete similar tasks in a more efficient manner.

Binary large object (BLOB) A collection of binary data stored in a relational database.

Biometrics An authentication system based on physical characteristics or behavioral tendencies of an individual.

Blacklist A list of known malicious behaviors that should be automatically denied.

Blue team In a penetration test, the blue team consists of IT staff who defend against the penetration testers. They are generally aware that a penetration test is happening, but do not know what methods the penetration testers will use.

Bollards Short vertical posts designed to control traffic and prevent vehicular attacks on a building.

Boundary conditions The outermost extremes of test conditions.

Breach A confirmed event that compromises the confidentiality, integrity, or availability of information.

Bring Your Own Device (BYOD) policies Policies that allow users to access corporate systems and data using personally owned devices.

Bugtraq An industry mailing list provided by Symantec that reports new vulnerabilities as they are discovered.

Business continuity The ability of an organization to maintain critical functions during and after a disaster.

Business to business (B2B) Activities that occur between two or more businesses.

Business to customer (B2C) Activities that occur between a business and a customer.

C

California Identity Theft Statute Requires a business operating in California to notify customers when it has reason to believe that personal information has been disclosed through unauthorized access.

Card holder unique identification (CHUID) A unique number that identifies an individual in possession of a smart card.

Certificate authority (CA) An entity, usually a trusted third party, that issues digital certificates.

Certificate Practice Statement (CPS) A formal statement that provides details on the business processes the CA uses to verify the identity of certificate owners before issuing a certificate, to revoke digital certificates, to renew expired certificates, and to carry out other certificate practices.

Certificate revocation list (CRL) The certificate authorities’ list of invalid certificates.

Challenge Handshake Authentication Protocol (CHAP) Provides authentication over a PPP link.

Child object An object that inherits certain characteristics, such as access controls, from a parent object.

Children’s Internet Protection Act (CIPA) A U.S. law passed in 2000. It requires schools and libraries receiving E-Rate funds to filter some Internet content. The primary purpose is to protect minors from obscene or harmful content.

Classification scheme A method of organizing sensitive information into various access levels.

Clean-up The last stage in the penetration test, where the testing team has the responsibility to undo any changes it made to the environment once the test is complete.

Clearance The level of information an individual is authorized to access.

Cleartext Information that has no cryptographic protection applied to it.

Cloud services Applications or IT services delivered over the Internet rather than in a typical client/server model on a local area network. Yahoo Mail, Google Docs, and Mozy online backup are examples of cloud services.

Code injection An attack in which malicious code is introduced into an application. This type of attack is possible because of lax input validation in the target application.

Commercial off-the-shelf (COTS) Commercially available hardware or software that is available for immediate use in an enterprise environment.

Common Access Card (CAC) The smart card authentication devices used by the U.S. Government in military organizations.

Common Criteria Abbreviation of Common Criteria for Information Technology Security Evaluation.

Common Criteria for Information Technology Security Evaluation ISO/IEC 15408 standard for computer security.

Communications Assistance for Law Enforcement Act (CALEA) A law requiring that telecommunications carriers and equipment makers take steps to facilitate the electronic surveillance activities of law enforcement agencies.

Compartmentalization The practice of keeping sensitive functions separate from nonsensitive ones.

Complete mediation Approach in which access control decisions are not cached for later use. Each attempt to access an object should be verified.

Compromise Unauthorized access and release of information.

Computer Fraud and Abuse Act (CFAA) A federal criminal statute designed to protect electronic data from theft.

Confidential information This is the lowest level of sensitivity in the U.S. government classification scheme. Confidential information would damage security if it were disclosed. This information may be handled only by personnel with a security clearance, may not be disclosed to the public, and must be disposed of in a secure manner.

Confidentiality Ensuring that only the intended recipient can read the data.

Control A technical, physical, or administrative process designed to reduce risk.

Controlled Unclassified Information (CUI) Information that has not been classified by the U.S. government but is pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and that under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.

Cost of impact What an organization would lose if an asset were unavailable. For example, a particular organization might lose $50,000 per hour in lost productivity if its internal network went down.

Cost of replacement What it would cost an organization to replace an asset if it were stolen or compromised.

Counter Mode Cipher Block Chaining Message Authentication Protocol (CCMP) Encryption approach used in the WPA2 standard to provide strong security.

Credentials Used to control access to resources.

Crossover error rate (CER) The point at which Type I errors and Type II errors in an access control system are equal.

Cryptography Used to protect data so that it cannot be easily read or understood.

Cryptosystem The hardware or software system that transforms the cleartext into ciphertext.

D

Data at rest (DAR) Stored data. The data may be in archival form on tape or optical disc, on a hard disk, or sitting in a system’s buffers.

Data Encryption Standard (DES) encryption A method of scrambling data for security purposes. Published in 1974, it has since been broken and is no longer considered highly secure.

Data in motion (DIM) Data as it travels from one place to another, such as over a network.

Data Link Layer Network components that interconnect network nodes or hosts.

Declassification The process used to move a classified document into the public domain.

Default deny The base assumption of any access control mechanism should be that the access is denied unless it was explicitly authorized.

Defense-in-depth strategy The approach of using multiple layers of security to protect against a single point of failure.

Delegated access rights Access rights that are given to a user by the owner of an object.

Denial of service (DoS) attack An attack against a system that limits it from doing the tasks it is intended to do.

Diffie-Hellman key exchange A protocol or an algorithm allowing two users to exchange a secret key over insecure communications.

Digital certificate A data structure used to bind an authenticated individual to a public key.

Digital Millennium Copyright Act (DMCA) A U.S. copyright law that enacts criminal penalties for breaking or distributing technology designed to break digital rights management technologies.

Directory information Information about a student that an educational institution may release without the written consent of the student. Directory information includes a student’s name, address, phone number, e-mail address, dates of attendance, degree earned, enrollment status, and field of study.

Disaster recovery Refers to efforts to bring an organization back online after a natural or manmade disaster.

Discretionary access control (DAC) An access control system where rights are assigned by the owner of the resource in question.

Discretionary access control list (DACL) Controls access to an object.

Disgruntled employee An employee who is angry or dissatisfied, usually with some aspect of his or her employment.

Domain administrator A user with full rights over all computers in a Windows domain.

Domain Validated (DV) Certificates that confirm that the certificate was issued to someone controlling the DNS domain included in the certificate.

Dual conditions One of two aspects in separation of privileges. They are most often implemented through two-stage authentication methods, which require both a biometric scan or token device and a password to grant access.

E

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) Proprietary Cisco implementation of EAP authentication that provides mutual authentication but does not use certificates.

EAP with Message Digest 5 (EAP-MD5) A type of EAP that uses the outdated MD5 hash protocol and is no longer recommended for use.

EAP with Transport Layer Security (EAP-TLS) A type of EAP that uses certificate-based authentication in conjunction with the standard TLS protocol and is a strong, secure authentication choice.

EAP with Tunneled Transport Layer Security (EAP-TTLS) A type of EAP that uses TLS to provide network authentication.

Economy of mechanism Access control mechanisms should be as simple as possible, using as few components and procedures as necessary to meet the requirements.

Electronic protected health information (EPHI) Information about an individual’s health care stored in an electronic format.

Elliptic Curve Cryptosystem (ECC) Provides a stronger cryptographic result with a shorter key.

Encapsulated Security Payload (ESP) Authentication and encryption protocol for IPSec that encrypts Internet Protocol (IP) packets and ensures their integrity.

Encryption The process of applying an algorithm to cleartext (or plaintext) data, resulting in a ciphertext.

Explicitly delegated rights Access rights that are actively given to a user by an object owner.

Exposure factor (EF) The expected amount of damage that an asset would incur if a risk materialized; normally described as a percentage.

Extended TACACS (XTACACS) A client/server protocol developed in 1990 by Cisco; an extension of TACACS.

Extended Validation (EV) Certificates that provide the strongest degree of trust, verifying the physical presence of the certificate subject.

Extensible Authentication Protocol (EAP) A framework enabling multiple authentication mechanisms over various connections.

F

Failure to capture rate The percentage of an individual’s authentication attempts that fail because the system is unable to obtain the information necessary to make an authentication decision; also known as failure to acquire rate.

Failure to enroll rate The percentage of failed attempts to create a sample data set for an individual, divided by the total number of attempts to enroll users.

False acceptance rate The percentage of imposters that will be recognized as authorized users.

False negative Occurs when an intrusion detection system overlooks anomalous activity.

False positive Occurs when an intrusion detection system labels normal activity as anomalous.

False rejection rate The percentage of attempts by legitimate users that are rejected by the system.

Family Educational Rights and Privacy Act (FERPA) An act of Congress to protect the privacy of education records. It applies to all educational institutions receiving funding from the U.S. Department of Education.

Federal Information Security Modernization Act (FISMA) Legal standard that sets forth security requirements for all federal government agencies.

Federation An approach where one organization depends on the identity information provided by another organization.

FOIA request See Freedom of Information Act request.

Forest The outermost boundary of an Active Directory service. A forest may contain several domains.

Freedom of Information Act (FOIA) A law enacted in 1966. It states that any person has a right of access to federal agency records, and that federal agency records must be made available to the public unless they are specifically exempt from public release.

Freedom of Information Act request An attempt by a member of the general public to get a document declassified. The act allows for full or partial disclosure of the document; if the owning organization refuses the request, the decision can be appealed in a judicial review.

G

Gap analysis The process of identifying the difference between reality—the current state of an organization’s IT infrastructure—and the organization’s security goals.

Generic Routing Encapsulation (GRE) A tunneling protocol that encapsulates packets inside Internet Protocol (IP) tunnels.

Get out of jail free card The authorization memo, signed by a member of upper management, that states that a penetration test has been authorized and exactly what methods the test will include. Every member of a penetration testing team should carry a copy of this memo at all times to avoid misunderstandings with security and law enforcement.

Gramm-Leach-Bliley Act (GLBA) An act of Congress that allowed banks, investment firms, and insurance companies to consolidate. It also introduced some consumer protections, such as requiring credit agencies to provide consumers with one free credit report per year.

Group A collection of users with similar access needs.

Guideline A collection of suggestions and best practices relating to a standard or procedure. A guideline doesn’t necessarily need to be met but compliance is strongly encouraged.

H

Hackers People who break into a computer system without a legitimate right to obtain data or information.

Hardening The process by which vulnerabilities are addressed to create a secure system.

Hash salt Random data that are used as the basis for an encryption algorithm. The randomness of these data provides an additional layer of security to the encryption.

Health Information Technology for Economic and Clinical Health (HITECH) Act Expanded and updated the civil and criminal penalties for HIPAA violations and requires notification if any breach occurs causing the disclosure of PHI.

Health Insurance Portability and Accountability Act (HIPAA) Legislation passed in 1996 that protects the privacy and accessibility of healthcare information.

Heightened access The ability of an attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access.

History-based access control (HBAC) A kind of contextual access control, which takes the past and present activity of the user into account when making access control decisions.

Homeland Security Presidential Directive 12 (HSPD 12) A standard issued in August of 2007 to enforce the standardization of security identification credentials for government employees and contractors. This standard covers both physical and logical access to government resources.

Host discovery The process of scanning the network to find out which Internet Protocol (IP) addresses are attached to vulnerable resources.

Human machine interface (HMI) Place where the operator views the data that are received and processed. The HMI is connected to a database that gathers information from the RTUs.

Human nature The sum of qualities and traits shared by all humans.

Hypertext Transfer Protocol Secure (HTTPS) Secure protocol for use in encrypted web communications. Integrates Transport Layer Security (TLS) with the Hypertext Transfer Protocol (HTTP).

I

Identification The process by which a subject or object identifies itself to the access control system. In the case of users, identification uniquely distinguishes an individual. In most cases, identification needs to be provided prior to authenticating the user.

Identification mode The mode in which a biometric system compares live data with a database of known samples and returns one or more matching user profiles.

Identity and access management (IAM) The process that combines identity management, which confirms that a person is who they claim to be (authentication), with access control, which restricts their activities to authorized actions (authorization).

Identity as a Service (IDaaS) An outsourced professional service that manages the access control implementation and maintains the complex technical infrastructure behind it.

Identity management The process of creating, maintaining, and revoking user accounts and providing the mechanisms used to authenticate users.

Identity provider The organization that provides the accounts in a federated identity system.

Identity-based access control (IBAC) Access control decisions made by the system are based on the identity of the user.

Implicitly delegated rights Rights that are inherited or otherwise passively assigned.

Industrial control system (ICS) A mechanism used to control the output of a specific industrial process.

Information availability Ensures that information is available to authorized users when they need it.

Information confidentiality Ensures that private or sensitive information is not disclosed to unauthorized individuals.

Information integrity Ensures that data have not been accidentally or intentionally modified without authorization.

Input control Dictates how users can interact with data and devices that introduce new data into a system.

Integration testing The process of testing how individual components function together as a complete system.

Integrity Ensuring that the data has not been altered.

Internet Key Exchange (IKE) Provides identification to communication partners via a secure connection.

Internet Layer Provides services for connecting network resources across network domains.

Internet Protocol Security (IPSec) A protocol that secures IP communications by authenticating and encrypting each IP packet.

Internet Security Association and Key Management Protocol (ISAKMP) A protocol that provides the framework for the negotiation of algorithms, protocols, modes, and keys for IKE.

Intrusion detection system (IDS) A combination of hardware and software used to analyze network traffic passing through a single point on the network. It is designed to analyze traffic patterns to find suspicious activity.

Intrusion prevention system (IPS) A combination of a firewall and an IDS. An IPS is designed to analyze network traffic patterns and react in real time to block suspicious activity.

Intrusive testing methods Security testing methods that exploit possible vulnerabilities to prove their existence and potential impact.

IP tunneling Used to create secure pathways for data through a public network.

K

Kerberos Provides a means of verifying identities of computer systems on an unprotected network. Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Key archival Retaining a key that has been terminated. A copy is kept in key storage for validating data that was protected by the original key.

Key distribution Moving encryption keys from one point to another with two stages: initial and subsequent.

Key Distribution Center (KDC) The service or server that acts as both the ticket granting service and the authentication service.

Key generation The initial creation of encryption keys.

Key recovery Restoring an encryption key after a failure has occurred to key storage.

Key storage Storing the encryption keys after they are distributed.

Key termination The destruction of encryption keys because they have reached the end of their life cycle or because a key has been compromised in some fashion.

Key usage When encryption keys are in a production environment and being used for email, file transfers, secure connections, and so on.

Keyspace The range of values that construct a cryptosystem key.

L

LAN Manager (LM) hash The method used to store passwords of up to 15 characters in Windows operating systems prior to Windows Vista.

Layer 2 Tunneling Protocol (L2TP) Sets up a point-to-point connection between two computer systems that can be transmitted over multiple types of networks.

Least astonishment Security mechanisms should be as nonintrusive as possible, providing security while minimizing disruption to user activity.

Least common mechanism The mechanisms used by different classes of users should be separated to the extent possible.

Least privilege The principle in which a subject—whether a user, application, or other entity—should be given the minimum level of rights necessary to perform legitimate functions.

Least user access (LUA) Requires that users commonly log into workstations under limited user accounts.

Lightweight Directory Access Protocol (LDAP) Protocol used for the exchange of directory service information.

Lightweight EAP (LEAP) A Cisco proprietary protocol used primarily on wireless networks.

Linux A popular open-source operating system that is widely used in server environments.

Linux Intrusion Detection System (LIDS) A patch to the Linux kernel and a set of administrative tools that attempt to enhance security.

Load testing A way of measuring how software will perform with an average number of users, as well as how it will perform under extreme load conditions.

Local area network (LAN) A network connecting computers and other assets in a small, physical location such as an office, home, or school.

M

Malware Any form of malicious software, including viruses, Trojan horses, and spyware.

Mandatory access control (MAC) An access control system where rights are assigned by a central authority.

Mandatory declassification review Initiated when an individual attempts to get a document declassified. After the review request has been filed, the owning organization must respond with approval, denial, or a statement that it can neither confirm nor deny the existence of the document. If the request is denied, the requester can appeal to the interagency security classification appeals board.

Media Access Control (MAC) address A unique identifier assigned to every piece of hardware on a network.

Message Digest 5 (MD5) An algorithm that applies a hash function to a message, creating a 128-bit message digest. This algorithm is used to ensure the data has not been changed in any manner.

Minimization of implementation The mechanisms used by different classes of users should be separated to the extent possible.

Mitigation plans Detailed plans about how to mitigate the vulnerabilities and risks described in the vulnerability assessment and threat assessment.

MS-CHAP Microsoft’s version of the CHAP protocol, which is used only in Microsoft-centric applications and comes in two different versions: MS-CHAPv1 and MS-CHAPv2.

Multifactor authentication The identification process that involves multiple ways of confirming the identity of the subject.

Multilayered access control The combination of more than one access control method to secure a single resource.

Multilayered approach An approach that offers a reasonable overall level of security by implementing a set of complementary and overlapping security controls.

Multilevel security (MLS) system A system that allows the computer system to simultaneously process information of different classification levels and ensures that a subject with the correct clearance can only access the information at his or her authorization level.

Multiple single level (MSL) environments A system that does not allow different classification levels to commingle. A separate system should be used for each classification level.

N

Need to know A major component in accessing sensitive information. It requires that the requester also establish a justifiable need to see the information; access should be granted only if the information is essential for the requester’s official duties.

Nessus A proprietary security scanner developed by Tenable Network Security. It is network-centric with Web-based consoles and a central server.

Network access control (NAC) The use of policies within a network infrastructure to limit access to resources until the system proves that it has complied with the policy. Sometimes referred to as network admission control.

Network access server (NAS) Provides a service to dial-in users. This server allows a computer system to connect to the network through either a phone line or the Internet.

Nmap An open source port scanning and host detection utility. Nmap stands for Network Mapper.

Nonintrusive testing methods Security testing methods that do not exploit possible vulnerabilities.

Nonrepudiation The concept of ensuring an originator cannot refute the validity of a statement or document.

Normalization The process of translating log files from various systems into a common format.

North American Electric Reliability Council (NERC) Created in 1968 to ensure that the North American energy network is secure, adequate, and reliable. IT security is mostly concerned with the creation of guidelines for strong access controls and processes.

NTLM hash A challenge-response authentication protocol used by NT servers when using the Server Message Block (SMB) protocol.

O

OAKLEY A protocol that allows computer systems to perform key agreement over an insecure network.

Object 1. Anything that is passively acted upon by a subject. 2. The resource to which a subject desires access. Common objects are data, networks, and printers.

Online Certificate Status Protocol (OCSP) A method for live, interactive verification of a certificate’s status.

Open design The security of an access control mechanism should not depend upon the secrecy of its design or the secrecy of details of its implementation, which is the opposite of security through obscurity.

Open Systems Interconnection (OSI) Reference Model Divides the network infrastructure into seven layers.

Open Vulnerability Assessment Scanner (OpenVAS) A free security scanning tool published under the GNU General Public License (GPL).

OpenID Connect An alternative to SAML that works in a similar manner from the end user’s perspective.

Orange Book Orange-covered book that is part of the “Rainbow Series” published by the U.S. Department of Defense.

Organization Validated (OV) Certificates that verify the identity of the business named on the certificate in addition to domain validation (DV).

Organizational unit (OU) A logical structure that allows you to organize users, computers, and other objects into separate units for administrative purposes.

Organization-based access control (OrBAC) A kind of access control that applies differing policies based on the user’s organizational membership.

Output control Dictates how users can interact with the output of data, whether to a screen, a printer, or another device.

P

Parent object An object from which other objects inherit various properties, including access controls.

Parsing The process of translating and reformatting raw log files into useful reports.

Passphrase A phrase or sentence used in place of a password. Passphrases are often used as mnemonic devices to help remember complex passwords.

Pass-the-hash attack An attack in which the attacker gains access to hashed passwords and uses them to move laterally across the network.

Password A secret combination of characters known only to the subject.

Password Authentication Protocol (PAP) A data-link protocol that provides authentication over PPP.

Password cracking Guessing or deciphering passwords.

Password hash A password that is stored in its encrypted form.

Payment Card Industry Data Security Standard (PCI DSS) The contractual obligation that requires that companies handling credit cards comply with a rigid set of security controls, including specific provisions surrounding access controls.

Penetration attempt The stage after vulnerability detection in the penetration test, which asks testers to use a variety of methods and tools to gain unauthorized access to systems and networks.

Penetration testing The act of simulating an attack on an organization’s resources to assess an infrastructure’s true vulnerability. A penetration test simulates an actual attack. Penetration testers use a variety of methods including social engineering, software hacking, and physical intrusion.

Perimeter security Any method that restricts access to a defined area, such as a military base, corporate campus, infrastructure facility, or office building.

Personally identifiable information (PII) Any information that can be used to identify, locate, or contact a specific individual. Also includes any information that can be combined with other information to piece together a specific individual’s identity. A Social Security number is an example of PII. Several laws and regulations specify that PII must be protected.

Phishing Creating legitimate-looking websites or e-mails that trick a user into entering sensitive information such as passwords, Social Security numbers, or credit card numbers.

Physical security The process of ensuring that no one without the proper credentials can physically access resources.

Piggybacking The practice of employees regularly holding doors open and allowing each other to enter without swiping their ID badges, which may cause an information leak.

Point-to-Point Protocol (PPP) A protocol for communication between two computers. Typically, the connection from the client to the server is over a telephone line.

Point-to-Point Tunneling Protocol (PPTP) A protocol that sets up a point-to-point connection between two computer systems over an Internet Protocol (IP) network.

Policy 1. A document that describes specific requirements or rules that must be met in a given area. 2. A formal statement of management intent regarding the business practices of an organization. A policy is binding upon all affected individuals.

Port scan detector Software that monitors network ports to detect a port scan attack. These attacks are usually the precursor to a more serious attack.

Port scanning A technique designed to probe a network’s open ports looking for a weakness.

Pretexting A technique where the attacker lies about his or her own identity or intent in order to persuade the victim to reveal sensitive information.

Prioritization Regarding log files, the process of determining which log files and/or entries are important and may require action versus which are less important or informational only.

Privacy impact assessment (PIA) A comprehensive process for determining the privacy, confidentiality, and security risks associated with the collection, use, and disclosure of personal information. It also describes the measures used to mitigate, and if possible, eliminate identified risks.

Private key The encryption key that is held privately by the user.

Probability of occurrence The likelihood that an attack will occur.

Procedures A defined series of steps or actions for achieving an objective or result. For example, a defined workflow used to enforce policies is considered a procedure or a set of procedures. Procedures are often written to ensure that tasks are completed in the same way each time, preventing unexpected problems.

Process control system (PCS) A mechanism used to control the output of a specific process.

Programmable logic controller (PLC) A programmable electronic device used in industrial automation to provide logic and sequencing controls for machinery.

Protected EAP (PEAP) Similar to EAP-TTLS in that it uses TLS to provide network authentication, but it differs in technical implementation details.

Protected health information (PHI) Any information that concerns health status, health care, or any payment for health care that can be linked to the individual. This is interpreted very broadly and includes all of an individual’s medical record and payment history.

Psychological acceptability Security mechanisms should be as nonintrusive as possible, providing security while minimizing disruption to user activity.

Public key The key of a key pair that is made publicly available; it is used to communicate with the holder of the corresponding private key.

Public key infrastructure (PKI) A framework that consists of programs, procedures, and security policies that employs public key cryptography and the X.509 standard (digital certificates). It is a hybrid system of symmetric and asymmetric key algorithms.

Q

Qualitative risk assessment A method of risk assessment that assigns a subjective label (usually “high,” “medium,” and “low”) to a risk scenario.

Quantitative risk assessment A method of risk assessment that assigns a dollar value to every data point.

R

Radio Frequency Identification (RFID) badge An ID badge with an embedded radio frequency identification chip. This chip can store information about the badge holder, such as authentication information and security access levels.

Red team In a penetration test, the red team consists of penetration testers who have been given some background knowledge of the infrastructure.

Registration authority (RA) An entity that is responsible for the registration and initial authentication of certificate subscribers.

Relational database (RDB) A database that stores data in tables and provides for relationships between various data.

Relational database management system (RDBMS) The system stores the claim files and the pricing information.

Remote access server (RAS) A server that provides an authentication service for users that are dialing into a network or accessing it from the Internet.

Remote Authentication Dial In User Service (RADIUS) A client/server protocol that provides authentication, authorization, and accounting for a remote dial-in system.

Remote terminal unit (RTU) A microprocessor-controlled electronic device that interfaces with objects in the physical world to a distributed control system or SCADA system by transmitting telemetry data to the system and/or altering the state of connected objects based on control messages received from the system.

Retina A graphically intensive vulnerability scanner.

Risk The probability that a particular threat will exploit an IT vulnerability causing harm to an organization. Risk is measured in terms of probability and consequence.

Risk acceptance Simply accepting the risks and doing what you need to do anyway.

Risk assessment The process of identifying and prioritizing risk.

Risk avoidance Choosing to avoid an activity that carries some element of risk.

Risk mitigation A strategy that combines attempts to minimize the probability and consequences of a risk situation.

Risk transference Shifting responsibility for a risk to a third party.

Risk-adaptive access control (RAdAC) Access control in which policy changes dynamically based on the risk environment.

Role Allows you to generalize and separate a subject’s function from its identity.

Role-based access control (RBAC) Access control system where rights are assigned based on a user’s role rather than his or her identity.

Root The superuser in Linux and UNIX systems.

RSA asymmetric encryption algorithm A public key cryptosystem based on factoring large numbers that are a product of two prime numbers.

Rule-based access control (RuBAC) Access control in which policy is defined by a set of rules determined by the system administrator.

S

Sandbox A security mechanism for isolating programs running in a shared environment.

Sarbanes-Oxley (SOX) Act Created to protect investors by improving the accuracy and reliability of corporate financial disclosures. SOX accomplishes this by strengthening existing penalties and making corporate officers personally responsible for the disclosures.

Secret Information that would cause serious damage to national security if disclosed. This is the most common national security classification level.

Secret key Key used to encrypt and decrypt messages.

Security Assertion Markup Language (SAML) An XML-like markup language that allows web applications to pass a security token for user identification.

Security association (SA) Records the configuration the computer systems need to support an IPSec connection.

Security identifier (SID) A variable that identifies a user, group, or account.

Security information and event management (SIEM) system A software package that centralizes and normalizes log files from a variety of applications and devices.

Security through obscurity Making the security of an access control mechanism depend on the secrecy of its design or the secrecy of details of its implementation; the opposite of open design.

Self-signed certificates Issued when CAs are internal to an organization, which allows the organization to have complete control over the distribution and life of the certificate.

Sensitive information Information that is not widely known or available.

Separation of privileges The practice of dividing essential steps of a task between multiple individuals.

Separation of responsibilities Authentication system in which two conditions must be met in order for access to be granted. If one condition is met but not the other, access is denied.

Service level agreement (SLA) An agreement between an organization and a third party that describes availability levels, security protection levels, and response times to a breach.

Service provider In a federated identity system, the organization that depends on the identities provided by the identity provider.

Service set identifier (SSID) An access point’s ID on a wireless LAN.

Shadow password An encrypted password database used in Unix and Linux operating systems.

Shared secret Something only the subject and the authentication system know. A shared secret can be a piece of data that is known only to the parties that are communicating with one another. A shared secret is used for encryption.

Simplicity of design Access control mechanisms should be as simple as possible, using as few components and procedures as necessary to meet the requirements.

Simultaneous Authentication of Equals (SAE) Secure password-based key exchange mechanism used in the WPA3 wireless standard.

Single loss expectancy (SLE) The cost you expect to incur in one loss incident.

Single sign-on (SSO) A method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. SSO helps a user avoid having to log on multiple times and remember multiple passwords for various systems.

Single-factor authentication The act of identifying a user as authentic with a single authentication factor.

Smart card An ID badge or other card with an embedded RFID chip that stores basic identification and authentication information.

Social engineering The use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to an attacker.

Software as a Service (SaaS) A model of software distribution. Instead of simply selling an application, a SaaS vendor hosts the applications and offers access for a small subscription fee.

Spear phishing A phishing attack targeted at specific, usually high-level individuals within an organization.

Standard A collection of requirements that must be met by anyone who performs a given task or works on a specific system.

Subject The user, network, system, process, or application requesting access to a resource.

Super Administrator A user with full rights on a system.

Super user do (sudo) A command that allows an administrator to run processes as root without actually logging in under the root account in a Linux or UNIX system.

Supervisory control and data acquisition (SCADA) process control systems Systems utilized to monitor and control telecommunications, water and waste control, energy, and transportation among other industries and utilities.

Supplicant Software running on a client that wishes to connect to the network; it interfaces with the 802.1x environment.

Symmetric encryption A form of encryption where the sender and the receiver use the same key for encrypting and decrypting an object.

System access control list (SACL) A system-created access control list that handles the information assurance aspect of access controls.

Systematic declassification Any document that is less than 25 years old but of significant importance to the historic record of the United States can be reviewed for early declassification. Once identified, these documents go through the same procedures as automatically declassified documents.

T

Tailgating Refers to when one person uses the successful authentication of another to gain access to a facility.

Target Any system or network that contains valuable data and has attracted the notice of the hacker.

Temporal Key Integrity Protocol (TKIP) Encryption used for WLANs.

Terminal Access Controller Access Control System (TACACS) A remote access client/server protocol that provides authentication and authorization capabilities to users that are accessing the network remotely. It is not a secure protocol.

Terminal Access Controller Access Control System Plus (TACACS+) A remote access client/server protocol. It is a Cisco proprietary protocol and provides authentication, authorization, and accounting.

Threat A potential attack on a system.

Threat assessment The process that deals with the potential for weaknesses within the existing infrastructure to be exploited.

Three-factor authentication The act of identifying a user as authentic with three authentication factors.

Ticket-Granting Service (TGS) A server or service that is authorized to issue tickets to the client after the client has already received a Ticket-Granting Ticket. A Ticket-Granting Service verifies the user’s identity using the Ticket-Granting Ticket and issues the ticket for the desired service. A ticket-granting service is part of the Key Distribution Center.

Tiger team In a penetration test, a tiger team is composed of testers who are given no knowledge of the infrastructure and are attacking a target that is unaware of their existence until the attack is made.

Token Something the subject has that no one else does. Smart cards and challenge-response devices are commonly used tokens.

Tool A technical method or control used to complete a task or achieve a goal, such as enforcing policies.

Top Secret The highest level of information sensitivity in the National Security classification scheme; it is defined as any information that would cause grave damage to national security if disclosed.

Trade secrets Information that is a kind of valuable asset and if disclosed, could harm the controlling organization.

Transparency Being open and honest about the infrastructure. Not hiding any data from the users.

Transport Layer Methods and protocols for encapsulating application data.

Transport Layer Security (TLS) A secure protocol that supports a number of different cryptographic algorithms, relying on digital certificates and public key encryption.

Two-factor authentication The act of identifying a user as authentic with two authentication factors.

Two-person control The concept that two authorized individuals must be available to approve any sensitive activity.

Type I error A false rejection in a biometric access control system.

Type II error A false acceptance in a biometric access control system.

U

Unclassified information Information that has not otherwise been assigned a sensitivity level under the national security classification scheme; unclassified information is generally subject to public release under the Freedom of Information Act (FOIA).

Unicast The sending of messages to a single network destination. The opposite of unicast is broadcast, where data are sent to all network destinations.

Uninterruptible power supply (UPS) A device that supplies backup power to servers and other devices.

Unit testing A method of testing that ensures that a specific function or module works as designed.

UNIX A multi-processing, multi-user family of operating systems originally developed by Bell Laboratories. Most often used for servers.

V

Verification mode The mode in which a biometric system makes a simple one-to-one comparison and returns a binary result.

Virtual private network (VPN) A system that uses a public network (usually the Internet) to transmit private data securely. Users on a VPN can exchange data and share resources as if they were directly connected via a LAN.

Vulnerability An unintended weakness in a system’s design that makes it possible for attackers to take control of a system, access resources to which they are not authorized, or damage the system in some way.

Vulnerability detection The stage after information gathering in the penetration test, which helps the team choose specific attack vectors and target systems during the penetration attempt.

W

Ward A metal projection in a warded lock that must line up with the grooves on the key in order to unlock.

Whitelist A list of known approved behaviors that should be automatically allowed.

Wide area network (WAN) A network that connects several smaller networks. For example, a large corporation with offices in New York, Chicago, and Los Angeles might have a LAN in each local office and then connect those three LANs via a wide area network.

Wireless mesh networks A networking scheme based on a distributed network mesh topology. Each node in the network connects to multiple nodes; each node also acts as a router for the nodes it connects to, allowing traffic to hop along multiple paths to a destination.

World Intellectual Property Organization (WIPO) A group of 188 nations that have signed treaties to protect intellectual property across national borders.
