GLOSSARY

*-property Pronounced “star property,” this aspect of the Bell-LaPadula security model is commonly referred to as the “no-write-down” rule because it doesn’t allow a user to write to a file with a lower security classification, thus preserving confidentiality.

3DES Triple DES encryption—three rounds of DES encryption used to improve security.

802.11 See IEEE 802.11.

802.1X See IEEE 802.1X.

AAA See authentication, authorization, and accounting.

ABAC See attribute-based access control.

acceptable use policy (AUP) A policy that communicates to users what specific uses of computer resources are permitted.

access A subject’s ability to perform specific operations on an object, such as a file. Typical access levels include read, write, execute, and delete.

access control list (ACL) A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—that is, what they can do to the object (such as read, write, or execute).

access controls Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files).

access point Shorthand for wireless access point, an access point is the device that allows other devices to connect to a wireless network.

access tokens A token device used for access control—an example of something you have.

Active Directory The directory service portion of the Windows operating system that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate, access, and manage these resources.

Active Server Pages (ASP) Microsoft’s server-side script technology for dynamically generated web pages.

ActiveX A Microsoft technology that facilitates rich Internet applications and thus extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a web page that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.

Address Resolution Protocol (ARP) A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address.

address space layout randomization (ASLR) A memory-protection process employed by operating systems (OSs) where the memory space is “block randomized” to guard against targeted injections from buffer-overflow attacks.

Advanced Encryption Standard (AES) The current U.S. government standard for symmetric encryption, widely used in all sectors.

Advanced Encryption Standard 256-bit (AES256) An implementation of AES using a 256-bit key.

advanced persistent threat (APT) A type of advanced threat where the actors desire long-term persistence in a system over short-term gain.

adware Advertising-supported software that automatically plays, displays, or downloads advertisements after the software is installed or while the application is being used.

AES See Advanced Encryption Standard.

AES256 See Advanced Encryption Standard 256-bit.

agile model A software development model built around the idea of many small iterations that continually yield a “finished” product at the completion of each iteration.

airgap The forced separation of networks, resulting in a “gap” between systems. Communications across an airgap require a manual effort to move data from one network to another because no network connection exists between the two networks.

algorithm A step-by-step procedure—typically an established computation for solving a problem within a set number of steps.

annualized loss expectancy (ALE) How much an event is expected to cost the business per year, given the dollar cost of the loss and how often it is likely to occur. ALE = single loss expectancy × annualized rate of occurrence.

annualized rate of occurrence (ARO) The frequency with which an event is expected to occur on an annualized basis.

anomaly Something that does not fit into an expected pattern.

antispam Technology used to combat unsolicited junk e-mail, or spam.

antivirus (AV) Technology employed to screen for and block the execution of viruses and other malware.

application A program or group of programs designed to provide specific user functions, such as a word processor or web server.

application hardening The steps taken to harden an application by mitigating vulnerabilities and reducing the exploitable surface.

application programming interface (API) A set of instructions as to how to interface with a computer program so that developers can access defined interfaces in a program.

application service provider (ASP) A company that offers entities access over the Internet to applications and services.

application vulnerability scanner Technology used to scan applications for potential vulnerabilities and weaknesses.

APT See advanced persistent threat.

ARP See Address Resolution Protocol.

ARP backscatter The use of ARP scanning against a gateway device to detect the presence of a device behind the gateway or router.

ARP poisoning An attack characterized by changing entries in an ARP table to cause misdirected traffic.

Abstract Syntax Notation One (ASN.1) An interface description language for defining data structures that is used in telecommunications and computer networking.

asset Resources and information an organization needs to conduct its business.

asset value (AV) The value of an asset that is at risk.

asymmetric encryption Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key.

attribute-based access control (ABAC) An access control model built around a set of rules based on specific attributes.

auditability The property of an item that makes it available for verification upon inspection.

audit trail A set of records or events, generally organized chronologically, that records what activity has occurred on a system. These records (often computer files) are often used in an attempt to re-create what took place when a security incident occurred, and they can also be used to detect possible intruders.

auditing Actions or processes used to verify the assigned privileges and rights of a user, or any capabilities used to create and maintain a record showing who accessed a particular system and what actions they performed.

authentication The process by which a subject’s (such as a user’s) identity is verified.

authentication, authorization, and accounting (AAA) Three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.

Authentication Header (AH) A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Specific details can be found in RFC 2402.

authentication server (AS) A server used to perform authentication tasks.

Authenticode Microsoft code-signing technology used to provide integrity and attribution on software.

authority revocation list (ARL) A list of authorities that have had their certificates revoked.

authorization The function of determining what actions an authenticated user is permitted to perform.

autoplay Technology employed to launch appropriate applications and play or display content on removable media when the media is mounted.

availability Part of the “CIA” of security. Availability applies to hardware, software, and data, specifically meaning that each of these should be present and accessible when the subject (the user) wants to access or use them.

backdoor A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.

backout planning The part of a configuration change plan where steps are devised to undo a change, even when not complete, to restore a system back to the previous operating condition.

backup Refers to copying and storing data in a secondary location, separate from the original, to preserve the data in the event that the original is lost, corrupted, or destroyed.

baseline A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.

Basic Input/Output System (BIOS) A firmware element of a computer system that provides the interface between hardware and system software with respect to devices and peripherals. BIOS is being replaced by Unified Extensible Firmware Interface (UEFI), a more complex and capable system.

beacon frames A series of frames used in Wi-Fi (802.11) to establish the presence of a wireless network device.

Bell-LaPadula security model A computer security model built around the property of confidentiality and characterized by no-read-up and no-write-down rules.

best evidence rule A legal principle that supports a true copy as equivalent to the original.

BGP See Border Gateway Protocol.

Biba security model An information security model built around the property of integrity and characterized by no-write-up and no-read-down rules.

biometrics Used to verify an individual’s identity to the system or network using something unique about the individual, such as a fingerprint, for the verification process. Examples include fingerprints, retinal scans, hand and facial geometry, and voice analysis.

BIOS See Basic Input/Output System.

birthday attack A form of attack in which the attacker needs to match not a specific item but just one of a set of items.

blacklisting The term used to describe the exclusion of items based on their being on a list (blacklist).

black-box testing A form of testing where the tester has no knowledge of the inner workings of a mechanism.

block cipher A cipher that operates on discrete blocks of data.

Blowfish A free implementation of a symmetric block cipher developed by Bruce Schneier as a drop-in replacement for DES and IDEA. It has a variable bit-length scheme from 32 to 448 bits, resulting in varying levels of security.

bluebugging The use of a Bluetooth-enabled device to eavesdrop on another person’s conversation using that person’s Bluetooth phone as a transmitter. The bluebug application silently causes a Bluetooth device to make a phone call to another device, resulting in the phone acting as a transmitter and allowing the listener to eavesdrop on the victim’s conversation in real time.

bluejacking The sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, tablets, or laptop computers.

bluesnarfing The unauthorized access of information from a Bluetooth-enabled device through a Bluetooth connection, often between phones, desktops, laptops, or tablets.

Bluetooth An RF technology used for short-range networking as well as to create personal area networks (PANs).

Border Gateway Protocol (BGP) The interdomain routing protocol implemented in Internet Protocol (IP) networks to enable routing between autonomous systems.

botnet A term for a collection of software robots, or bots, that runs autonomously, automatically, and commonly invisibly in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.

Brewer-Nash security model A security model defined by controlling read and write access based on conflict-of-interest rules. This model is also known as the Chinese Wall model, after the concept of separating groups through the use of an impenetrable wall.

bridge A network device that separates traffic into separate collision domains at the data link layer of the Open Systems Interconnection (OSI) model.

bridge protocol data unit (BPDU) BPDUs are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocol topology.

bring your own device (BYOD) A term used to describe an environment where users bring their personally owned devices into the enterprise and integrate them into business systems.

buffer overflow A specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.

Bureau of Industry and Security (BIS) In the U.S. Department of Commerce, BIS is the department responsible for export administration regulations that cover encryption technology in the United States.

bus topology A network layout in which a common line (the bus) connects devices.

business availability center (BAC) A software platform that allows the enterprise to optimize the availability, performance, and effectiveness of business services and applications.

business continuity plan (BCP) The plans a business develops to continue critical operations in the event of a major disruption.

business impact analysis (BIA) An analysis of the business assets (data, systems, and processes) to determine the criticality and prioritization of those assets in the event of a disaster or other negative event.

business partnership agreement (BPA) A written agreement defining the terms and conditions of a business partnership.

BYOD See bring your own device.

CA certificate A digital certificate identifying the keys used by a certificate authority.

cache The temporary storage of information before use, typically used to speed up systems. In an Internet context, cache refers to the storage of commonly accessed web pages, graphic files, and other content locally on a user’s PC or on a web server. The cache helps to minimize download time and preserve bandwidth for frequently accessed web sites, and it helps reduce the load on a web server.

Capability Maturity Model (CMM) A structured methodology helping organizations improve the maturity of their software processes by providing an evolutionary path from ad hoc processes to disciplined software management processes. Developed at Carnegie Mellon University’s Software Engineering Institute (SEI).

Capability Maturity Model Integration (CMMI) A trademarked process improvement methodology for software engineering. Developed at Carnegie Mellon University’s Software Engineering Institute (SEI).

CAPTCHA Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is software that is designed to require human ability to resolve, thus preventing robots from filling in and submitting web pages.

captive portal A website used to validate credentials before allowing access to a network connection.

centralized management A type of privilege management that brings the authority and responsibility for managing and maintaining rights and privileges into a single group, location, or area.

CERT See Computer Emergency Response Team.

certificate A cryptographically signed object that contains an identity and a public key associated with this identity. The certificate can be used to establish identity, analogous to a notarized written document.

certificate authority (CA) An entity responsible for issuing and revoking certificates. CAs are typically not associated with the company requiring the certificate, although they exist for internal company use as well (for example, Microsoft). This term also applies to server software that provides these services. The term certificate authority is used interchangeably with certification authority.

Certificate Enrollment Protocol (CEP) A protocol originally developed by VeriSign for Cisco Systems to support certificate issuance, distribution, and revocation using existing technologies.

certificate path An enumeration of the chain of trust from one certificate to another tracing back to a trusted root.

certificate repository A storage location for certificates on a system so that they can be reused.

certificate revocation list (CRL) A digitally signed object that lists all of the current but revoked certificates issued by a given certification authority. This allows users to verify whether a certificate is currently valid even if it has not expired. A CRL is analogous to a list of stolen charge card numbers that allows stores to reject bad credit cards.

certificate server A server—part of a PKI system—that handles digital certificates.

certificate signing request (CSR) A structured message sent to a certificate authority requesting a digital certificate.

certification practices statement (CPS) A document that describes the policy for issuing digital certificates from a CA.

chain of custody Rules for documenting, handling, and safeguarding evidence to ensure no unanticipated changes are made to the evidence.

Challenge-Handshake Authentication Protocol (CHAP) Used to provide authentication across point-to-point links using the Point-to-Point Protocol (PPP).

change (configuration) management A standard methodology for performing and recording changes during software development and operation.

change control board (CCB) A body that oversees the change management process and enables management to oversee and coordinate projects.

Channel Service Unit (CSU) CSUs are used to link local area networks (LANs) into a wide area network (WAN) using telecommunications carrier services.

CHAP See Challenge-Handshake Authentication Protocol.

choose your own device (CYOD) A mobile device deployment methodology where each person chooses their own device type.

CIA of security Refers to confidentiality, integrity, and availability—the basic functions of any security system.

cipher A cryptographic system that accepts plaintext input and then outputs ciphertext according to its internal algorithm and key.

cipher block chaining (CBC) A method of adding randomization to blocks, where each block of plaintext is XORed with the previous ciphertext block before being encrypted.

cipher feedback A method for introducing variation in a block cipher to mask repeating blocks of plaintext.

ciphertext Used to denote the output of an encryption algorithm. Ciphertext is the encrypted data.

CIRT See Computer Emergency Response Team.

Clark-Wilson security model A security model that uses transactions and a differentiation of constrained data items (CDIs) and unconstrained data items (UDIs).

closed-circuit television (CCTV) A private television system usually hardwired into security applications to record visual information.

cloud computing The automatic provisioning of on-demand computational resources across a network.

cloud service provider (CSP) Companies that offer cloud-based network services, infrastructures, or business applications.

coaxial cable A network cable that consists of a solid center core conductor and a physical spacer to the outer conductor, which is wrapped around it. Commonly used in video systems.

code injection An attack where unauthorized executable code is injected via an interface in an attempt to get it to run on a system.

code signing The application of digital signature technology to software for the purposes of integrity and authentication control.

cold site An inexpensive form of backup site that does not include a current set of data at all times. Using a cold site takes longer to get your operational system back up, but it is considerably less expensive than a warm or hot site.

collision Used in the analysis of hashing cryptography, a collision is the property by which an algorithm will produce the same hash from two different sets of data.

collision attack An attack on a hash function in which a specific input is generated to produce a hash function output that matches another input.

collision domain An area of shared traffic in a network where packets from different conversations can collide.

Common Access Card (CAC) A smart card used to access federal computer systems. It also acts as an ID card.

Common Gateway Interface (CGI) An older, outdated technology used for server-side execution of programs on web sites.

Common Vulnerabilities and Exposures (CVE) A structured language (XML) schema used to describe known vulnerabilities in software.

Common Weakness Enumeration (CWE) A structured language (XML) schema used to describe known weakness patterns in software that can result in vulnerabilities.

complete mediation The principle that protection mechanisms should cover every access to every object.

Computer Emergency Response Team (CERT) Also known as a Computer Incident Response Team (CIRT), this group is responsible for investigating and responding to security breaches, viruses, and other potentially catastrophic incidents.

computer security In general terms, computer security involves the methods, techniques, and tools used to ensure that a computer system is secure.

computer software configuration item See configuration item.

concentrator A device used to manage multiple, similar networking operations, such as providing a VPN endpoint for multiple VPNs.

confidentiality Part of the CIA of security. Confidentiality refers to the security principle that information should not be disclosed to unauthorized individuals.

configuration auditing The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements.

configuration control The process of controlling changes to items that have been baselined.

configuration identification The process of identifying which assets need to be managed and controlled.

configuration item Data or software (or other asset) that is identified and managed as part of the software change management process. Also known as computer software configuration item.

configuration status accounting Procedures for tracking and maintaining data relative to each configuration item in the baseline.

confusion A principle that, when employed, makes each character of ciphertext dependent on several parts of the key.

content management system (CMS) A management system to manage the content for a specific system, such as a website.

content protection The protection of the header and data portion of a user datagram.

context protection The protection of the header of a user datagram.

contingency planning (CP) The act of creating processes and procedures that are used under special conditions (contingencies).

Continuity of Operations (COOP) Planning The creation of plans related to continuing essential business operations.

control A measure taken to detect, prevent, or mitigate the risk associated with a threat.

controller area network A bus standard for use in vehicles to connect microcontrollers.

cookie Information stored on a user’s computer by a web server to maintain the state of the connection to the web server. Used primarily so preferences or previously used information can be recalled on future requests to the server.

COOP See Continuity of Operations (COOP) Planning.

Corrective Action Report (CAR) A report used to document the corrective actions taken on a system.

corporate owned, personally enabled (COPE) A form of mobile device ownership/management.

Counter Mode (CTM) A technique used to cause a block cipher to emulate a stream cipher.

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) An enhanced data cryptographic encapsulation mechanism based on the Counter Mode with CBC-MAC from AES and designed for use over wireless LANs.

countermeasure See control.

cracking A term used by some to refer to malicious hacking, in which an individual attempts to gain unauthorized access to computer systems or networks. See also hacking.

critical infrastructure Infrastructure whose loss or impairment would have severe repercussions on society.

CRC See cyclic redundancy check.

CRL See certificate revocation list.

cross-certification certificate A certificate used to establish trust between separate PKIs.

crossover error rate (CER) The point at which the false rejection rate and false acceptance rate are equal in a system.

cross-site request forgery (CSRF or XSRF) A method of attacking a system by sending malicious input to the system and relying on the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user’s browser.

cross-site scripting (XSS) A method of attacking a system by sending script commands to the system input and relying on the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site.

cryptanalysis The process of attempting to break a cryptographic system.

cryptographically random A random number that is derived from a nondeterministic source, so that knowing one random number provides no insight into the next.

cryptography The art of secret writing that enables an individual to hide the contents of a message or file from all but the intended recipient.

Cyber Observable eXpression (CybOX) A structured language (XML) for describing cybersecurity events at a granular level.

cyclic redundancy check (CRC) An error-detection technique that uses a series of two 8-bit block check characters to represent an entire block of data. These block check characters are incorporated into the transmission frame and then checked at the receiving end.

DAC See discretionary access control.

data aggregation A methodology of collecting information through the aggregation of separate pieces and analyzing the effect of their collection.

data encryption key (DEK) An encryption key whose function it is to encrypt and decrypt data.

Data Encryption Standard (DES) A private key encryption algorithm adopted by the government as a standard for the protection of sensitive but unclassified information. Commonly used in Triple DES (3DES), where three rounds are applied to provide greater security.

Data Execution Prevention (DEP) A security feature of an OS that can be driven by software, hardware, or both, designed to prevent the execution of code from blocks of data in memory.

data loss prevention (DLP) Technology, processes, and procedures designed to detect when unauthorized removal of data from a system occurs. DLP is typically active, preventing the loss of data, either by blocking the transfer or dropping the connection.

data service unit See Channel Service Unit.

datagram A packet of data that can be transmitted over a packet-switched system in a connectionless mode.

decision tree A data structure in which each element in the structure is attached to one or more structures directly beneath it.

default deny The use of an overarching rule where, if not explicitly permitted, permission will be denied.

delta backup A type of backup that preserves only the blocks that have changed since the last full backup.

demilitarized zone (DMZ) A network segment that exists in a semi-protected zone between the Internet and the inner, secure, trusted network.

denial-of-service (DoS) attack An attack in which actions are taken to deprive authorized individuals from accessing a system, its resources, the data it stores or processes, or the network to which it is connected.

Destination Network Address Translation (DNAT) A one-to-one static translation from a public destination address to a private address.

DES See Data Encryption Standard.

DHCP See Dynamic Host Configuration Protocol.

Diameter The base protocol that is intended to provide an authentication, authorization, and accounting (AAA) framework for applications such as network access or IP mobility. Diameter is a draft IETF proposal.

differential backup A type of backup that preserves only changes since the last full backup.

differential cryptanalysis A form of cryptanalysis that uses different inputs to study how outputs change in a structured manner.

Diffie-Hellman A cryptographic method of establishing a shared key over an insecure medium in a secure fashion.

Diffie-Hellman Ephemeral (DHE) A cryptographic method of establishing a shared key over an insecure medium in a secure fashion using a temporary key to enable perfect forward secrecy (PFS).

diffusion The principle that the statistical analysis of plaintext and ciphertext results in a form of dispersion, rendering one structurally independent of the other. In plain terms, a change in one character of plaintext should result in multiple changes in the ciphertext in a manner that changes in ciphertext do not reveal information as to the structure of the plaintext.

digital certificate See certificate.

Digital Forensics and Incident Response (DFIR) Another name for the incident response process.

digital rights management (DRM) The control of user activities associated with a digital object via technological means.

digital sandbox The isolation of a program and its supporting elements from common operating system functions.

digital signature A cryptography-based artifact that is a key component of a public key infrastructure (PKI) implementation. A digital signature can be used to prove identity because it is created with the private key portion of a public/private key pair. A recipient can decrypt the signature and, by doing so, receive the assurance that the data must have come from the sender and that the data has not changed.

digital signature algorithm (DSA) A U.S. government standard for implementing digital signatures.

direct-sequence spread spectrum (DSSS) A method of distributing a communication over multiple frequencies to avoid interference and detection.

disaster recovery plan (DRP) A written plan developed to address how an organization will react to a natural or manmade disaster in order to ensure business continuity. Related to the concept of a business continuity plan (BCP).

discretionary access control (DAC) An access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) these subjects can have.

distinguished encoding rules (DER) A method of providing exactly one way to represent any ASN.1 value as an octet string.

distributed denial-of-service (DDoS) attack A special type of DoS attack in which the attacker elicits the generally unwilling support of other systems to launch a many-against-one attack.

diversity of defense The approach of creating dissimilar security layers so that an intruder who is able to breach one layer will be faced with an entirely different set of defenses at the next layer.

DNS kiting The creation and use of a DNS record during the payment grace period without paying for it.

DomainKeys Identified Mail (DKIM) An authentication system for e-mail designed to detect the spoofing of e-mail addresses.

Domain Name System/Server (DNS) The service that translates an Internet domain name (such as www.mheducation.com) into an IP address.

DMZ See demilitarized zone.

drive-by download attack An attack on an innocent victim machine where content is downloaded without the user’s knowledge.

DRP See disaster recovery plan.

DSSS See direct-sequence spread spectrum.

due care The standard used to determine the degree of care that a reasonable person would exercise under similar circumstances.

due diligence The reasonable steps a person or entity would take in order to satisfy legal or contractual requirements—commonly used when buying or selling something of significant value.

dumpster diving The practice of searching through trash to discover sensitive material that has been thrown away but not destroyed or shredded.

Dynamic Host Configuration Protocol (DHCP) An Internet Engineering Task Force (IETF) Internet Protocol (IP) specification for automatically allocating IP addresses and other configuration information based on network adapter addresses. DHCP enables address pooling and allocation as well as simplifies TCP/IP installation and administration.

dynamic link library (DLL) A shared library of code and data, used in the Microsoft Windows environment, that programs load at run time.

EAP See Extensible Authentication Protocol.

economy of mechanism The principle that designs should be small and simple.

electromagnetic interference (EMI) The disruption or interference of electronics due to an electromagnetic field.

electromagnetic pulse (EMP) The disruption or interference of electronics due to a sudden intense electromagnetic field in the form of a spike or pulse.

electronic code book (ECB) A block cipher mode in which the message is divided into blocks and each block is encrypted independently with the same key. Because identical plaintext blocks produce identical ciphertext blocks, patterns in the data show through the encryption, so ECB is unsuitable for encrypting more than a single block.

electronic serial number (ESN) A unique identification number embedded by manufacturers on a microchip in wireless phones.

elite hacker A hacker who has the skill level necessary to discover and exploit new vulnerabilities.

elliptic curve cryptography (ECC) A method of public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) A cryptographic method using ECC to establish a shared key over an insecure medium in a secure fashion using a temporary key to enable perfect forward secrecy (PFS).

Elliptic Curve Digital Signature Algorithm (ECDSA) A cryptographic method using ECC to create a digital signature.

Encapsulating Security Payload (ESP) A portion of the IPsec implementation that provides for data confidentiality with optional authentication and replay detection services. ESP completely encapsulates user data in the datagram and can be used either by itself or in conjunction with Authentication Headers for varying degrees of IPsec services.

enclave A section of a network that serves a specific purpose and is isolated by protocols from other parts of a network.

encryption The reversible process of rendering data unreadable through the use of an algorithm and a key.

Encrypting File System (EFS) A security feature of Windows, from Windows 2000 onward, that enables the transparent encryption/decryption of files on the system.

entropy The measure of uncertainty associated with a series of values. Perfect entropy equates to complete randomness, such that given any string of bits, there is no computation to improve guessing the next bit in the sequence.

ephemeral keys Cryptographic keys generated for a single session or exchange and discarded afterward, so that compromise of a long-term key does not expose past sessions.

escalation auditing The process of looking for an increase in privileges, such as when an ordinary user obtains administrator-level privileges.

Ethernet The common name for the IEEE 802.3 standard method of packet communication between two nodes at Layer 2.

evidence The documents, verbal statements, and material objects admissible in a court of law.

evil twin A wireless attack performed using a second, rogue wireless access point designed to mimic a real access point.

eXclusive OR (XOR) A bitwise function that outputs 1 where its two inputs differ and 0 where they match. Applying the same value twice restores the original (a XOR k XOR k = a), which is why XOR is used to combine a keystream with plaintext in stream ciphers and one-time pads.

exposure factor (EF) A measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy (SLE).

eXtensible Access Control Markup Language (XACML) An open standard XML-based language used to describe access control.

Extensible Authentication Protocol (EAP) A universal authentication framework used in wireless networks and point-to-point connections. It is defined in RFC 3748 and has been updated by RFC 5247.

eXtensible Markup Language (XML) A text-based, human-readable data markup language.

fail-safe defaults The principle that when a system fails, the default failure state will be a safe state by design.

false acceptance rate (FAR) The rate at which a biometric system incorrectly accepts an unauthorized individual (a false positive).

false negative The term used when a system makes an error and misses reporting the existence of an item that should have been detected.

false positive The term used when a security system makes an error and incorrectly reports the existence of a searched-for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports the existence of a virus in software that actually is not infected, or a biometric system that allows access to a system to an unauthorized individual.

false rejection rate (FRR) The rate at which a biometric system incorrectly rejects a legitimate user (a false negative). Tuning a system to lower its FAR generally raises its FRR, and vice versa.

fault tolerance The characteristics of a system that permit it to operate even when subcomponents of the overall system fail.

FHSS See frequency-hopping spread spectrum.

file system access control list (FACL) The implementation of access controls as part of a file system.

File Transfer Protocol (FTP) An application-level protocol used to transfer files over a network connection.

File Transfer Protocol Secure (FTPS) An application-level protocol used to transfer files using FTP over an SSL or TLS connection.

firewall A network device used to segregate traffic based on rules.

flood guard A network device that blocks flooding-type DoS/DDoS attacks, frequently part of an IDS/IPS.

footprinting The reconnaissance steps an attacker or tester takes to gather information about a target (such as its domain names, IP ranges, and exposed services) in order to determine the range and scope of the systems involved.

forensics (or computer forensics) The preservation, identification, documentation, and interpretation of computer data for use in legal proceedings.

free space Sectors on a storage medium that are available for the operating system to use.

frequency-hopping spread spectrum (FHSS) A method of distributing a communication over multiple frequencies over time to avoid interference and detection.

full backup A complete backup of all files and structures of a system to another location.

full disk encryption (FDE) The application of encryption to an entire disk, protecting all of the contents in one container.

fuzzing The use of large quantities of data to test an interface against security vulnerabilities. (Also known as fuzz testing.)

Galois Counter Mode (GCM) A mode of operation for symmetric block ciphers that provides authenticated encryption: counter-mode encryption for confidentiality plus a Galois-field authentication tag for integrity. It has been widely adopted because both operations can be parallelized. A nonce must never be reused under the same key, as reuse breaks both confidentiality and the authentication tag.

Generic Routing Encapsulation (GRE) A tunneling protocol designed to encapsulate a wide variety of network layer packets inside IP tunneling packets.

geo-tagging The metadata that contains location-specific information attached to other data elements.

globally unique identifier (GUID) A unique reference number used as an identifier of an item in a system.

Global Positioning System (GPS) A satellite-based form of location services and time standardization.

GNU Privacy Guard (GPG) An application program that implements the OpenPGP standard for encryption and digital signatures.

GPG See GNU Privacy Guard.

GPO See group policy object.

graphics processing unit (GPU) A chip designed to manage graphics functions in a system.

grey-box testing A form of testing where the tester has limited or partial knowledge of the inner workings of a system.

group policy The mechanism that allows for centralized management and configuration of computers and remote users in a Microsoft Active Directory environment.

group policy object (GPO) Stores the group policy settings in a Microsoft Active Directory environment.

hacker A person who performs hacking activities.

hacking The term used by the media to refer to the process of gaining unauthorized access to computer systems and networks. The term has also been used to refer to the process of delving deep into the code and protocols used in computer systems and networks. See also cracking.

hacktivist A hacker who uses their skills for political purposes.

hard disk drive (HDD) A mechanical device used for the storing of digital data in magnetic form.

hardening The process of strengthening a host's level of security by performing specific system preparations, such as removing unneeded services, applying patches, and restricting permissions.

hardware security module (HSM) A physical device used to protect but still allow the use of cryptographic keys. It is separate from the host machine.

hash A one-way function that condenses input data of any length into a fixed-length digest. It uses no key, and there is no feasible way to recover the input from the digest, so hashing is not a form of encryption. Hashes are used for integrity checks, password storage (with salting and key stretching), and digital signatures.

hashed message authentication code (HMAC) A message authentication code built from a cryptographic hash function and a secret key, used to ensure the integrity and authenticity of a message. Verification requires the same key, so only a party holding it can produce or check a valid tag.

hash value See message digest.

hazard A situation that increases risk.

HDD See hard disk drive.

heating, ventilation, air conditioning (HVAC) The systems used to heat and cool air within a building or structure.

HIDS See host-based intrusion detection system.

hierarchical trust model A trust model that has levels or tiers of an ascending nature.

High Availability A system designed to provide assured availability.

highly structured threat A threat that is backed by the time and resources to allow virtually any form of attack.

HIPS See host-based intrusion prevention system.

HMAC-based One-Time Password (HOTP) A method of producing one-time passwords (RFC 4226) by computing an HMAC over a shared secret and an incrementing counter, truncating the result, and reducing it to a fixed number of decimal digits.
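The HOTP computation, and the HMAC underneath it, can be written in a few lines. The following is an added example, not from the glossary: the RFC 4226 algorithm using the standard library's `hmac` module, plus a server-side verifier with a look-ahead window that only accepts counters at or beyond the stored one, so a code that has already been consumed cannot be replayed.

```python
"""Added example (not from the glossary): HOTP as specified in RFC 4226,
built on HMAC-SHA1 from the standard library, with server-side verification
using a look-ahead window and a constant-time comparison."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # 1. HMAC-SHA1 over the 8-byte big-endian counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # 2. Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # 3. Reduce to the requested number of decimal digits, zero-padded.
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str, look_ahead: int = 10):
    """Server-side check. Returns the next counter value on success, or None.
    Only counters at or ahead of the stored one are tried, so a code whose
    counter is behind (already used) is rejected: no replay."""
    for c in range(counter, counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC 4226 Appendix D test secret
    for n in range(3):
        print(n, hotp(secret, n))  # 755224, 287082, 359152
```

The look-ahead window tolerates a token whose counter has run ahead of the server's (the user pressed the button without logging in); the server must persist the returned counter after every successful check.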

honeynet A network version of a honeypot, or a set of honeypots networked together.

honeypot A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. Because there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.

host-based intrusion detection system (HIDS) A system that looks for computer intrusions by monitoring activity on one or more individual PCs or servers.

host-based intrusion prevention system (HIPS) A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers, with the response being based on a rule set.

host security Security functionality that is present on a host system.

hotfix A set of updates designed to fix a specific problem.

hot site A backup site that is fully configured with equipment and data and is ready to immediately accept transfer of operational processing in the event of failure of the operational system.

HSM See hardware security module.

hub A network device used to connect devices at the physical layer of the OSI model. It repeats every frame to every port, so any connected host can observe all traffic.

hybrid trust model A combination of trust models, including mesh, hierarchical, and network.

Hypertext Markup Language (HTML) The markup language used to structure web pages that are delivered over HTTP.

Hypertext Transfer Protocol (HTTP) A protocol for transferring material across the Internet that contains links to additional material.

Hypertext Transfer Protocol over SSL/TLS (HTTPS) A protocol for transferring material across the Internet that contains links to additional material that is carried over a secure tunnel via SSL or TLS.

ICMP See Internet Control Message Protocol.

IDEA See International Data Encryption Algorithm.

identification The process of determining identity as part of identity management and access control. Usually performed only once, when the user ID is assigned.

Identity Provider (IdP) A system that creates, maintains, and manages identity information, including authentication services.

IEEE See Institute for Electrical and Electronics Engineers.

IEEE 802.11 A family of standards that describe network protocols for wireless devices.

IEEE 802.1X An IEEE standard for port-based network access control, in which a device must authenticate (typically via EAP to a RADIUS server) before the switch port or wireless association passes its traffic.

IETF See Internet Engineering Task Force.

IKE See Internet Key Exchange.

impact The result of a vulnerability being exploited by a threat, resulting in a loss.

implicit deny The philosophy that all actions are prohibited unless specifically authorized.

incident An event that deviates from normal operations for a specific circumstance and may threaten the confidentiality, integrity, or availability of a system.

incident response The process of responding to, containing, analyzing, and recovering from a computer-related incident.

incident response plan (IRP) The plan used in responding to, containing, analyzing, and recovering from a computer-related incident.

incremental backup A backup model where files that have changed since the last full or incremental backup are backed up.

Indicator of Compromise (IOC) A set of conditions or evidence that indicates a system may have been compromised.

industrial control system (ICS) The term used to describe the hardware and software that controls cyber-physical systems.

information criticality An assessment of the value of specific elements of information and the systems that handle it.

information security Often used synonymously with computer security, but places the emphasis on the protection of the information that the system processes and stores instead of the hardware and software that constitute the system.

information warfare The use of information security techniques, both offensive and defensive, when combating an opponent.

infrared (IR) A set of wavelengths past the red end of the visible spectrum used as a communication medium.

Infrastructure as a Service (IaaS) The automatic, on-demand provisioning of infrastructure elements, operating as a service. IaaS is a common element of cloud computing.

initialization vector (IV) A value used together with a key to start a cipher mode (such as CBC or GCM) so that encrypting the same plaintext twice produces different ciphertext. An IV must be unique for every message under a given key and, for some modes, unpredictable; it need not be secret.

instant messaging (IM) A text-based method of communicating over the Internet.

Institute for Electrical and Electronics Engineers (IEEE) A nonprofit, technical, professional institute associated with computer research, standards, and conferences.

intangible asset An asset for which a monetary equivalent is difficult or impossible to determine. Examples are brand recognition and goodwill.

integer overflow An error condition caused when an arithmetic result exceeds the range a variable's fixed-width storage can represent, so the stored value wraps around. Length and size calculations that overflow can defeat bounds checks and lead to memory corruption.

integrity Part of the CIA of security, integrity is the security principle that requires that information is not modified except by individuals authorized to do so.

interconnection security agreement (ISA) An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project.

intermediate distribution frame (IDF) A system for managing and interconnecting the telecommunications cable between end-user devices, typically workstations.

International Data Encryption Algorithm (IDEA) A symmetric encryption algorithm used in a variety of systems for bulk encryption services.

Internet Assigned Numbers Authority (IANA) The central coordinator for the assignment of unique parameter values for Internet protocols. The IANA is chartered by the Internet Society (ISOC) to act as the clearinghouse to assign and coordinate the use of numerous Internet protocol parameters.

Internet Control Message Protocol (ICMP) One of the core protocols of the TCP/IP protocol suite, used for error reporting and status messages.

Internet Engineering Task Force (IETF) A large international community of network designers, operators, vendors, and researchers, open to any interested individual concerned with the evolution of the Internet architecture and the smooth operation of the Internet. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (such as routing, transport, and security). Much of the work is handled via mailing lists, with meetings held three times per year.

Internet Key Exchange (IKE) The protocol formerly known as ISAKMP/Oakley, defined in RFC 2409 (IKEv1) and superseded by IKEv2 in RFC 7296. IKEv1 is a hybrid protocol that uses part of the Oakley and part of the Secure Key Exchange Mechanism (SKEME) protocol suites inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services that require keys (such as IPsec).

Internet Message Access Protocol Version 4 (IMAP4) One of two common Internet standard protocols for e-mail retrieval.

Internet Protocol (IP) The network layer protocol used by the Internet for routing packets across a network.

Internet Protocol Security (IPsec) A protocol used to secure IP packets during transmission across a network. IPsec offers authentication, integrity, and confidentiality services and uses Authentication Headers (AH) and Encapsulating Security Payload (ESP) to accomplish this functionality.

Internet Security Association and Key Management Protocol (ISAKMP) A protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.

Internet service provider (ISP) A telecommunications firm that provides access to the Internet.

intrusion detection system (IDS) A system to identify suspicious, malicious, or undesirable activity that indicates a breach in computer security.

intrusion prevention system (IPS) A system for identifying suspicious, malicious, or undesirable activity that indicates a breach in computer security and responding automatically without specific human interaction.

IPsec See Internet Protocol Security.

ISA See interconnection security agreement.

ISAKMP/Oakley See Internet Key Exchange.

IT contingency plan (ITCP) The plan used to manage contingency operations in an IT environment.

jailbreaking The process of breaking iOS security features designed to limit interactions with the system itself. Commonly performed on iPhones to unlock features or break locks to carriers.

Kerberos A network authentication protocol designed by MIT for use in client/server environments.

key In cryptography, a sequence of characters or bits used by an algorithm to encrypt or decrypt a message.

key archiving The processes and procedures to make a secure backup of cryptographic keys.

key distribution center (KDC) The Kerberos component that authenticates principals and issues tickets; it comprises the Authentication Service, which issues ticket-granting tickets, and the Ticket-Granting Service, which issues service tickets.

key encrypting key (KEK) An encryption key whose function it is to encrypt and decrypt the data encryption key (DEK).

key escrow The process of placing a copy of cryptographic keys with a trusted third party for backup purposes.

key recovery A process by which lost keys can be recovered from a stored secret.

keyspace The entire set of all possible keys for a specific encryption algorithm.

key stretching A mechanism that takes a low-entropy secret such as a password and derives a key from it through many iterations of a hash or cipher (for example PBKDF2 or bcrypt), so that each guess in a brute-force attack costs the attacker the same large amount of work.

Layer 2 Tunneling Protocol (L2TP) A tunneling protocol (RFC 2661) that carries data link layer (PPP) frames across IP networks; it merged Cisco's Layer 2 Forwarding (L2F) with PPTP. L2TP provides no encryption of its own and is normally run over IPsec (L2TP/IPsec).

layered security The arrangement of multiple layers of defense; a form of defense in depth.

LDAP See Lightweight Directory Access Protocol.

least common mechanism The principle that protection mechanisms should be shared to the least degree possible among users.

least privilege A security principle in which a user is provided with the minimum set of rights and privileges needed to perform required functions. The goal is to limit the potential damage that any user can cause.

Lightweight Directory Access Protocol (LDAP) An application protocol used to access directory services across a TCP/IP network.

Lightweight Extensible Authentication Protocol (LEAP) A version of EAP developed by Cisco prior to 802.11i to push 802.1X and WEP adoption. Its MS-CHAP-based exchange is vulnerable to offline dictionary attacks, so it is no longer recommended.

linear cryptanalysis The use of linear functions to approximate a cryptographic function as a means of analysis.

load balancer A network device that distributes computing across multiple computers.

local area network (LAN) A grouping of computers in a network structure confined to a limited area and using specific protocols, such as Ethernet for OSI Layer 2 traffic addressing.

local registration authority A registration authority (RA) that is part of a local unit or enterprise. It is typically only useful within the enterprise, but in many cases this can be sufficient.

logic bomb A form of malicious code or software that is triggered by a specific event or condition. See also time bomb.

loop protection The requirement to prevent bridge loops at the Layer 2 level, which is typically resolved using the Spanning Tree algorithm on switch devices.

Low-Water-Mark policy An integrity-based information security model, a variant of the Biba model, in which a subject's integrity level is lowered to that of any lower-integrity object it reads, so that contaminated subjects cannot later write to high-integrity objects.

MAC See mandatory access control or Media Access Control (MAC) address.

MAC filtering The use of Layer 2 MAC addresses to restrict traffic to authorized network interface cards. Because MAC addresses are easily observed and spoofed, it is a weak control on its own.

malware A class of software designed to cause harm.

main distribution frame (MDF) Telephony equipment that connects customer equipment to subscriber carrier equipment.

managed service provider (MSP) A third party that manages aspects of a system under some form of service agreement.

mandatory access control (MAC) An access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.

man-in-the-middle (MITM) attack Any attack that attempts to use a network node as the intermediary between two other nodes. Each of the endpoint nodes thinks it is talking directly to the other, but each is actually talking to the intermediary.

master boot record (MBR) The first sector of a partitioned disk, holding the initial boot loader code and the partition table; because it runs before the operating system, it is a target for bootkits.

maximum transmission unit (MTU) A measure of the largest payload that a particular protocol can carry in a single frame in a specific instance.

MD5 Message Digest 5, a hashing algorithm that produces a 128-bit digest. Practical collision attacks exist against it, so it should not be used where collision resistance matters, such as in signatures or certificates.

mean time between failure (MTBF) The statistically determined period of time between failures of the system.

mean time to failure (MTTF) The statistically determined time to device failure.

mean time to repair/recover (MTTR) A common measure of how long it takes to repair a given failure. This is the average time, and may or may not include the time needed to obtain parts.

Media Access Control (MAC) address The data link layer address for local network addressing.

memorandum of agreement (MOA) A document executed between two parties that defines in specific details some form of agreement.

memorandum of understanding (MOU) A document executed between two parties that describes in broad principles some form of agreement.

message authentication code (MAC) A short piece of data used to authenticate a message. See hashed message authentication code.

message digest The result of applying a hash function to data. Sometimes also called a hash value. See hash.

metropolitan area network (MAN) A collection of networks interconnected within a metropolitan area and usually connected to the Internet.

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) A Microsoft-developed variant of the Challenge-Handshake Authentication Protocol (CHAP).

mitigate Action taken to reduce the likelihood of a threat occurring.

mobile device management (MDM) An application designed to bring enterprise-level functionality onto a mobile device, including security functionality and data segregation.

modem A modulator/demodulator that is designed to connect machines via telephone-based circuits.

Monitoring as a Service (MaaS) The use of a third party to provide security-monitoring services.

MS-CHAP See Microsoft Challenge-Handshake Authentication Protocol.

MTBF See mean time between failure.

MTTF See mean time to failure.

MTTR See mean time to repair.

multiple encryption The use of multiple layers of encryption to improve encryption strength.

multiple-factor authentication The use of more than one factor as proof in the authentication process.

multifunction device (MFD) A device, such as a printer, with multiple functions, such as printing and scanning.

Multimedia Message Service (MMS) A standard way to send multimedia messages to and from mobile phones over a cellular network.

Multipurpose Internet Mail Extensions (MIME) A standard that describes how to encode and attach nontextual elements in an e-mail.

NAC See network access control or Network Admission Control.

NAP See Network Access Protection.

NAT See Network Address Translation.

National Institute of Standards and Technology (NIST) A U.S. government agency responsible for standards and technology.

NDA See nondisclosure agreement.

near-field communication (NFC) A set of standards and protocols for establishing a communication link over very short distances. NFC is used in mobile devices.

network access control (NAC) An approach to endpoint security that involves monitoring and remediating endpoint security issues before allowing an object to connect to a network.

Network Access Protection (NAP) A Microsoft approach to network access control.

Network Address Translation (NAT) A method of readdressing packets in a network at a gateway point to enable the use of local, nonroutable IP addresses over a public network such as the Internet.

Network Admission Control (NAC) The Cisco technology approach for generic network access control.

network-attached storage (NAS) The addition of storage to a system via a network connection.

network-based intrusion detection system (NIDS) A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.

network-based intrusion prevention system (NIPS) A system that examines network traffic and automatically responds to computer intrusions.

Network Basic Input/Output System (NetBIOS) A system that provides communication services across a local area network.

network forensics The application of digital forensics processes to network traffic.

network interface card (NIC) A piece of hardware designed to connect machines at the physical layer of the OSI model.

network operating system (NOS) An operating system that includes additional functions and capabilities to assist in connecting computers and devices, such as printers, to a local area network.

network operations center (NOC) A control point from where network performance can be monitored and managed.

network segmentation The separation of a network into separate addressable segments to limit network traffic traversal to areas of limited scope.

network tap A connection to a network that allows sampling, duplication, and collection of traffic.

Network Time Protocol (NTP) A protocol for the transmission of time synchronization packets over a network.

network vulnerability scanner The application of vulnerability scanning to network devices to search for vulnerabilities at the network level.

New Technology File System (NTFS) A proprietary file system developed by Microsoft, introduced in 1993, that supports a wide variety of file operations on servers, PCs, and media.

New Technology LANMAN (NTLM) A deprecated security suite from Microsoft that provides authentication, integrity, and confidentiality for users. Because it does not support current cryptographic methods, it is no longer recommended for use.

Next-Generation Access Control (NGAC) One of the primary methods of implementing attribute-based access control (ABAC). The other method is the eXtensible Access Control Markup Language (XACML).

next-generation firewall Firewall technology based on packet contents as opposed to simple address and port information.

NFC See near-field communication.

NIC See network interface card.

NIST See National Institute of Standards and Technology.

nondisclosure agreement (NDA) A legal contract between parties detailing the restrictions and requirements borne by each party with respect to confidentiality issues pertaining to information to be shared.

nonrepudiation The ability to verify that an operation has been performed by a particular person or account. This is a system property that prevents the parties to a transaction from subsequently denying involvement in the transaction.

null session The way in which Microsoft Windows represents an unauthenticated connection.

Oakley protocol A key exchange protocol that defines how to acquire authenticated keying material based on the Diffie-Hellman key exchange algorithm.

object identifier (OID) A standardized identifier mechanism for naming any object.

object reuse Assignment of a previously used medium to a subject. The security implication is that before it is provided to the subject, any data present from a previous user must be cleared.

one-time pad An unbreakable encryption scheme in which a series of truly random, nonrepeating bits, at least as long as the message, is used once as a key (typically XORed with the plaintext). Because each pad is used only once, no pattern can be established, making traditional cryptanalysis techniques ineffective. Reusing a pad destroys this guarantee: XORing two ciphertexts made with the same pad cancels the key and exposes the relationship between the plaintexts.
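The XOR entry above explains why decryption is the same operation as encryption; the reuse caveat is what makes the scheme "one-time." The following is an added example, not from the glossary, covering both: pad generation and use, then the two-time-pad failure, including a crib-drag helper that recovers plaintext fragments from two ciphertexts that shared a pad. The messages are constructed samples.

```python
"""Added example (not from the glossary): one-time pad encryption with XOR
and what goes wrong when a pad is reused (the "two-time pad")."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # XOR is its own inverse: (m ^ k) ^ k == m, which is all a pad needs.
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    # Cryptographically secure randomness (os.urandom-backed), never reused.
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same pad, c1 ^ c2 == m1 ^ m2: the pad
    cancels out and the attacker holds a relation between the plaintexts."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes):
    """Slide a guessed plaintext fragment (crib) across m1 ^ m2. Wherever the
    crib really occurs in one message, the XOR reveals the other message's
    bytes at that offset. Returns (offset, recovered_text) for printable hits."""
    hits = []
    for pos in range(len(m1_xor_m2) - len(crib) + 1):
        candidate = xor_bytes(m1_xor_m2[pos:pos + len(crib)], crib)
        if all(0x20 <= b < 0x7F for b in candidate):
            hits.append((pos, candidate.decode("ascii")))
    return hits


if __name__ == "__main__":
    m1, m2 = b"attack at dawn", b"retreat at one"  # constructed samples
    pad = new_pad(len(m1))
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)  # the mistake: one pad, two messages
    print(crib_drag(two_time_pad_leak(c1, c2), b" at "))
```

The crib-drag output for the two sample messages includes offset 6, where the guess " at " in the first message reveals "t at" from the second, and offset 7, where the same guess in the second message reveals "at d" from the first; each recovered fragment extends the next guess, and the pad itself is never needed.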

Online Certificate Status Protocol (OCSP) A protocol used to request the revocation status of a single digital certificate from a responder, rather than downloading a full certificate revocation list. Clients should treat an unreachable responder carefully, since "soft fail" behavior lets an attacker who blocks OCSP traffic hide a revocation.

Open Authorization (OAuth) An open standard for delegated, token-based authorization on the Internet, allowing a user to grant an application limited access to resources without sharing a password. Authentication on top of OAuth is provided by OpenID Connect.

open design The principle that protection mechanisms should not depend on secrecy of design for security.

open relay A mail server that accepts and forwards mail from any sender to any recipient without requiring authentication; open relays are abused to send spam and are commonly blocklisted.

Open Vulnerability and Assessment Language (OVAL) An XML-based standard for the communication of security information between tools and services.

operating system (OS) The basic software that handles input, output, display, memory management, and all the other highly detailed tasks required to support the user environment and associated applications.

operational model of computer security The use of a model that structures security activities into prevention, detection, and response.

opt in The primary privacy standard in the EU, where a party must opt in to sharing; otherwise, the default option is not to share the information or give permission for other use.

opt out The primary privacy standard in the U.S., where a party must opt out of sharing; otherwise, the default option is to share the information and give permission for other use.

Orange Book The name commonly used to refer to the now outdated Department of Defense Trusted Computer System Evaluation Criteria (TCSEC).

OVAL See Open Vulnerability and Assessment Language.

over the air (OTA) Referring to performing an action wirelessly.

P12 See PKCS #12.

P2P See peer-to-peer.

PAC See Proxy Auto Configuration.

Packet Capture (PCAP) The methods and files associated with the capture of network traffic, in the form of binary files.

Padding Oracle on Downgraded Legacy Encryption (POODLE) A vulnerability (CVE-2014-3566) in SSL 3.0's handling of CBC padding that lets an attacker who can force a client to downgrade from TLS to SSL 3.0 decrypt portions of the traffic, such as session cookies. The remedy is to disable SSL 3.0 entirely.

PAM See Pluggable Authentication Modules.

pan-tilt-zoom (PTZ) A term used to describe a video camera that supports remote directional and zoom control.

PAP See Password Authentication Protocol.

password A string of characters used to prove an individual’s identity to a system or object. Used in conjunction with a user ID, it is the most common method of authentication. The password should be kept secret by the individual who owns it.

Password Authentication Protocol (PAP) A simple protocol used to authenticate a user to a network access server. It sends the password in cleartext, so it should only be used inside an encrypted tunnel.

Password-Based Key Derivation Function 2 (PBKDF2) A key derivation function that is part of the RSA Laboratories Public Key Cryptography Standards (PKCS #5), published as IETF RFC 2898 and updated in RFC 8018. It iterates a pseudorandom function (typically HMAC) over a password and salt many times to produce a key; the iteration count is the key-stretching work factor.
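The following is an added example, not from the glossary, covering both the key stretching entry above and PBKDF2: password hashing with the standard library's `hashlib.pbkdf2_hmac`, storing the salt and iteration count next to the derived key so the work factor can be raised later, verifying with a constant-time comparison, and checking the implementation against the published RFC 6070 test vectors. The 600,000-iteration default is an assumption to be tuned to your hardware.

```python
"""Added example (not from the glossary): PBKDF2-HMAC from the standard
library used for key stretching of stored passwords. The iteration count
below is an assumption; tune it so one derivation costs ~100 ms on your servers."""
import base64
import hashlib
import hmac
import os

HASH = "sha256"
ITERATIONS = 600_000


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = HASH) -> bytes:
    # Each iteration feeds the previous HMAC output back in, so an attacker
    # pays the same `iterations` HMAC calls for every password guess.
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)  # a per-password salt defeats precomputed tables
    dk = pbkdf2(password.encode("utf-8"), salt, iterations, 32)
    return "pbkdf2_%s$%d$%s$%s" % (HASH, iterations, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    hash_name = scheme[len("pbkdf2_"):]
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = pbkdf2(password.encode("utf-8"), salt, int(iterations), len(expected), hash_name)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a lower work factor than current policy;
    re-hash on the next successful login."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    # RFC 6070 vector: PBKDF2-HMAC-SHA1("password", "salt", c=1, dkLen=20)
    print(pbkdf2(b"password", b"salt", 1, 20, "sha1").hex())
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Storing the parameters with each record is what allows the iteration count to be raised over time without forcing a password reset: `needs_rehash` flags old records, and they are re-derived the next time the user presents the correct password.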

patch A replacement set of code designed to correct problems or vulnerabilities in existing software.

PBX See private branch exchange.

peer-to-peer (P2P) A network connection methodology involving direct connection from peer to peer.

peer-to-peer trust model A trust model built on actual peer-to-peer connection and communication to establish trust.

penetration testing A security test in which an attempt is made to circumvent security controls in order to exploit vulnerabilities and weaknesses. Also called a pen test.

perfect forward secrecy (PFS) A property of a cryptographic system whereby compromise of a long-term key (such as a server's private key) does not compromise session keys negotiated before the compromise, because each session used its own ephemeral key material.

permissions Authorized actions a subject can perform on an object. See also access controls.

personal electronic device (PED) A term used to describe an electronic device, owned by the user and brought into the enterprise, that uses enterprise data. This includes laptops, tablets, and mobile phones, to name a few.

personal exchange format (PFX) A file format used when exporting certificates.

personal health information (PHI) Information related to a person’s medical records, including financial, identification, and medical data.

personal identity verification (PIV) Policies, procedures, hardware, and software used to securely identify federal workers.

personally identifiable information (PII) Information that can be used to identify a single person.

pharming The use of a fake web site to steal a user’s credentials using social engineering techniques.

phishing The use of social engineering to trick a user into responding to something such as an e-mail to instantiate a malware-based attack.

phreaking Used in the media to refer to the hacking of computer systems and networks associated with the phone company. See also cracking.

physical security The policies, procedures, and actions taken to regulate actual physical access to and the environment of computing equipment.

PID See process identifier.

piggybacking A social engineering technique that involves following a credentialed person through a checkpoint to avoid having to present credentials—in other words, following someone through a door that requires a badge to open, effectively using their badge for entry.

PII See personally identifiable information.

ping sweep The use of a series of ICMP ping messages to map out a network.

PKCS #12 A commonly used member of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

Plain Old Telephone Service (POTS) The term used to describe the old analog phone service and later the “landline” digital phone service.

plaintext In cryptography, a piece of data that is not encrypted. It can also mean the data input into an encryption algorithm that would output ciphertext.

Platform as a Service (PaaS) A third-party offering that allows customers to build, operate, and manage applications without having to manage the underlying infrastructure.

Pluggable Authentication Modules (PAM) A mechanism used in Linux systems to integrate low-level authentication methods into an API.

Point-to-Point Protocol (PPP) The Internet standard for transmission of IP packets over a serial line, as in a dial-up connection to an ISP.

Point-to-Point Protocol Extensible Authentication Protocol (PPP EAP) A standard method for transporting multiprotocol datagrams over point-to-point links.

Point-to-Point Protocol Password Authentication Protocol (PPP PAP) PAP is a PPP extension that provides support for password authentication methods over PPP.

Point-to-Point Tunneling Protocol (PPTP) The use of generic routing encapsulation over PPP to create a methodology used for virtual private networking.

Port Address Translation (PAT) The manipulation of port information in an IP datagram at a point in the network to map ports in a fashion similar to Network Address Translation’s change of network address.

port scan The examination of TCP and UDP ports to determine which are open and what services are running.

Post Office Protocol (POP) A standardized format for the exchange of e-mail.

pre-shared key (PSK) A shared secret that has been previously shared between parties and is used to establish a secure channel.

Pretty Good Privacy (PGP) A popular encryption program that has the ability to encrypt and digitally sign e-mail and files.

preventative intrusion detection A system that detects hostile actions or network activity and prevents them from impacting information systems.

privacy Protecting an individual’s personal information from those not authorized to see it.

privacy-enhanced electronic mail (PEM) An Internet standard that provides for the secure exchange of electronic mail using cryptographic functions.

privacy-enhancing technology Cryptographic protection mechanisms employed to ensure the privacy of information.

privacy impact assessment (PIA) The process and procedure of determining the privacy impact and subsequent risk of data elements and their use in the enterprise.

private branch exchange (PBX) A telephone exchange that serves a specific business or entity.

privilege auditing The process of checking the rights and privileges assigned to a specific account or group of accounts.

privilege management The process of restricting a user’s ability to interact with the computer system.

process identifier (PID) A unique identifier for a process thread in the operating system kernel.

Protected Extensible Authentication Protocol (PEAP) A protected version of EAP developed by Cisco, Microsoft, and RSA Security that functions by encapsulating the EAP frames in a TLS tunnel.

protected health information (PHI) Information that can disclose health-related items for an individual that must be protected in the system. Similar to personally identifiable information (PII), but related to health.

protocol analyzer A tool used by network personnel to identify packets and header information during network transit. The primary use is in troubleshooting network communication issues.

Proxy Auto Configuration (PAC) A method of automating the connection of web browsers to appropriate proxy services to retrieve a specific URL.

proxy server A server that acts as a proxy for individual requests and is used for performance and security purposes in a scalable fashion.

PSK See pre-shared key.

psychological acceptability The principle that protection mechanisms should not impact users, and if they do, the impact should be minimal.

PTZ See pan-tilt-zoom.

public key cryptography See asymmetric encryption.

public key infrastructure (PKI) Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority.

qualitative risk assessment The process of subjectively determining the impact of an event that affects a project, program, or business. It involves the use of expert judgment, experience, or group consensus to complete the assessment.

quantitative risk assessment The process of objectively determining the impact of an event that affects a project, program, or business. It usually involves the use of metrics and models to complete the assessment.

RADIUS The Remote Authentication Dial-In User Service is a standard protocol for providing authentication services. It is commonly used in dial-up, wireless, and PPP environments.

RAID See redundant array of independent disks.

ransomware Malware that encrypts sensitive files and offers their return for a ransom.

rapid application development (RAD) A software development methodology that favors the use of rapid prototypes and changes as opposed to extensive advanced planning.

RAS See remote access service/server.

RBAC See rule-based access control or role-based access control.

RC4 stream cipher A stream cipher used in Transport Layer Security (TLS) and Wired Equivalent Privacy (WEP).

Real-time Blackhole List (RBL) A system that uses DNS information to detect and dump spam e-mails.

real-time operating system (RTOS) An operating system designed to work in a real-time environment.

Real-time Transport Protocol (RTP) A protocol for a standardized packet format used to carry audio and video traffic over IP networks.

Recovery Agent (RA) In Microsoft Windows environments, the entity authorized by the system to use a public key recovery certificate to decrypt other users’ files using a special private key function associated with the Encrypting File System (EFS).

recovery point objective (RPO) The amount of data that a business is willing to place at risk. It is determined by the amount of time a business has to restore a process before an unacceptable amount of data loss results from a disruption.

recovery time objective (RTO) The amount of time a business has to restore a process before unacceptable outcomes result from a disruption.

redundant array of independent disks (RAID) The use of an array of disks arranged in a single unit of storage for increasing storage capacity, redundancy, and performance characteristics. Formerly known as redundant array of inexpensive disks.

reference monitor A non-bypassable element of the kernel that processes and enforces all security interactions, including subject-object accesses.

registration authority (RA) The party in the PKI process that establishes the identity for the certificate authority to issue a certificate.

remote access server/service (RAS) A combination of hardware and software used to enable remote access to a network.

remote access Trojan (RAT) A form of malware designed to enable remote access to a system by an unauthorized party.

remotely triggered black hole (RTBH) A popular and effective filtering technique for the mitigation of denial-of-service attacks.

replay attack An attack where data is replayed through a system to reproduce a series of transactions.

repudiation The act of denying that a message was either sent or received.

residual risk Risks remaining after an iteration of risk management.

return on investment (ROI) A measure of the effectiveness of the use of capital.

reverse social engineering A social engineering attack pattern where the attacker prepositions themselves to be the person you call when you think you are attacked. Because you call them, your level of trust is higher.

RFID Radio-frequency identification is a technology used for remote identification via radio waves.

Ring policy Part of the Biba security model, this is a policy that allows any subject to read any object without regard to the object’s level of integrity and without lowering the subject’s integrity level.

RIPEMD A hash function developed in Belgium. The acronym expands to RACE Integrity Primitives Evaluation Message Digest, but this name is rarely used. The current version is RIPEMD-160.

risk The possibility of suffering a loss.

risk assessment or risk analysis The process of analyzing an environment to identify the threats, vulnerabilities, and mitigating actions to determine (either quantitatively or qualitatively) the impact of an event affecting a project, program, or business.

risk management Overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective to take to control these risks.

Rivest, Shamir, Adleman (RSA) The names of the three men who developed a public key cryptographic system and the company they founded to commercialize the system.

rogue access point An unauthorized access point inserted into a network for allowing unauthorized wireless access.

role-based access control (RBAC) An access control mechanism in which, instead of the users being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user.

rootkit A form of malware that modifies the OS in a system to change the behavior of the system.

router A network device that operates at the network layer of the OSI model.

RTP See Real-time Transport Protocol.

rule-based access control (RBAC) An access control mechanism based on rules.

runlevels In UNIX and Linux systems, runlevels indicate the type of state the system is in, from 0 (halted) to 6 (rebooting). Lower runlevels indicate maintenance conditions with fewer services running, whereas higher runlevels are normal operating conditions. Each UNIX variant employs the concept in the same manner, but the specifics for each runlevel can differ.

safeguard See control.

Safe Harbor A series of provisions to manage the different privacy policies between the U.S. and EU when it comes to data sharing.

SAN See storage area network.

sandboxing The concept of isolating a system and specific processes from the OS in order to provide specific levels of security.

SCADA See supervisory control and data acquisition.

SCEP See Simple Certificate Enrollment Protocol.

script kiddie A hacker with little true technical skill who therefore uses only scripts that someone else developed.

Secure Copy Protocol (SCP) A network protocol that supports secure file transfers.

Secure Development Lifecycle (SDL) model A process model that includes security function consideration as part of the build process of software in an effort to reduce attack surfaces and vulnerabilities.

Secure FTP A method of secure file transfer that involves the tunneling of FTP through an SSH connection. This is different from SFTP. See Secure Shell File Transfer Protocol.

Secure Hash Algorithm (SHA) A hash algorithm used to hash block data. The first version is SHA-1, with subsequent versions detailing hash digest length: SHA-256, SHA-384, and SHA-512.

Secure Hypertext Transfer Protocol (SHTTP) An alternative to HTTPS, in which only the transmitted pages and POST fields are encrypted. SHTTP has been rendered moot, by and large, by the widespread adoption of HTTPS.

Secure Key Exchange Mechanism for Internet (SKEMI) A protocol and standard for key exchange across the Internet.

Secure/Multipurpose Internet Mail Extensions (S/MIME) An encrypted implementation of the MIME (Multipurpose Internet Mail Extensions) protocol specification.

Secure Real-time Transport Protocol (SRTP) A secure version of the standard protocol for a standardized packet format used to carry audio and video traffic over IP networks.

Secure Shell (SSH) A set of protocols for establishing a secure remote connection to a computer. This protocol requires a client on each end of the connection and can use a variety of encryption protocols.

Secure Shell File Transfer Protocol (SFTP) A secure file transfer subsystem associated with the Secure Shell (SSH) protocol.

Secure Sockets Layer (SSL) An encrypting layer between the session and transport layers of the OSI model designed to encrypt above the transport layer, enabling secure sessions between hosts.

Security Assertion Markup Language (SAML) An XML-based standard for exchanging authentication and authorization data.

security association (SA) An instance of security policy and keying material applied to a specific data flow. Both IKE and IPsec use SAs, although these SAs are independent of one another. IPsec SAs are unidirectional and are unique in each security protocol, whereas IKE SAs are bidirectional. A set of SAs is needed for a protected data pipe, one SA per direction per protocol. SAs are uniquely identified by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).

security baseline The end result of the process of establishing an information system’s security state. It is a known-good configuration resistant to attacks and information theft.

Security Content Automation Protocol (SCAP) A method of using specific protocols and data exchanges to automate the determination of vulnerability management, measurement, and policy compliance across a system or set of systems.

security controls A group of technical, management, or operational policies and procedures designed to implement specific security functionality. Access controls are an example of a security control.

security information event management (SIEM) The name used for a broad range of technological solutions for the collection and analysis of security-related information across the enterprise.

security kernel See reference monitor.

security through obscurity An approach to security using the mechanism of hiding information to protect it.

self-encrypting drive (SED) A data drive that has built-in encryption capability on the drive controller itself.

Sender Policy Framework (SPF) An e-mail validation system designed to detect e-mail spoofing by verifying that incoming mail comes from a host authorized by the sender’s domain’s administrators.

separation (or segregation) of duties A basic control that prevents or detects errors and irregularities by assigning responsibilities to different individuals so that no single individual can commit fraudulent or malicious actions.

sequence number A number within a TCP segment for maintaining the correct order of TCP segments sent and received and thus conversation integrity.

server-side scripting The processing of scripts on the server side of an Internet connection to prevent client tampering with the process.

service level agreement (SLA) An agreement between parties concerning the expected or contracted uptime associated with a system.

service set identifier (SSID) Identifies a specific 802.11 wireless network. An SSID transmits information about the access point to which the wireless client is connecting.

shadow file The file that stores the encrypted password in a system.

shielded twisted-pair (STP) A physical network connection consisting of two wires twisted and covered with a shield to prevent interference.

shift cipher A cipher that operates by substitution, the replacement of one character for another.

Short Message Service (SMS) A form of text messaging over phone and mobile phone circuits that allows up to 160-character messages to be carried over signaling channels.

shoulder surfing A social-engineering technique where you observe another’s action, such as a password entry.

signature database A collection of activity patterns that have already been identified and categorized and that typically indicate suspicious or malicious activity.

Simple Certificate Enrollment Protocol (SCEP) A protocol used in public key infrastructure (PKI) for enrollment and other services.

Simple Mail Transfer Protocol (SMTP) The standard Internet protocol used to transfer e-mail between hosts.

Simple Mail Transfer Protocol Secure (SMTPS) The secure version of the standard Internet protocol used to transfer e-mail between hosts.

Simple Network Management Protocol (SNMP) A standard protocol used to manage network devices across a network remotely.

Simple Object Access Protocol (SOAP) An XML-based specification for exchanging information associated with web services.

Simple Security Rule The principle that states complexity makes security more difficult and hence values simplicity.

single loss expectancy (SLE) Monetary loss or impact of each occurrence of a threat. SLE = asset value × exposure factor.

single point of failure (SPoF) A single component whose failure can cause the whole system to fail.

single sign-on (SSO) An authentication process by which the user can enter a single user ID and password and then move from application to application or resource to resource without having to supply further authentication information.

slack space Unused space on a disk drive created when a file is smaller than the allocated unit of storage (such as a sector).

small computer system interface (SCSI) A protocol for data transfer to and from a machine.

smart cards A token with a chip to store cryptographic tokens. Because of the nature of smart cards, they are nearly impossible to copy or counterfeit.

SMS See Short Message Service.

smurf attack A method of generating significant numbers of packets for a DoS attack.

sniffer A software or hardware device used to observe network traffic as it passes through a network on a shared broadcast media.

sniffing The use of a software or hardware device (sniffer) to observe network traffic as it passes through a network on a shared broadcast media.

social engineering The art of deceiving another person so that they reveal confidential information. This is often accomplished by posing as an individual who should be entitled to have access to the information.

Software as a Service (SaaS) The provisioning of software as a service, commonly known as on-demand software.

software-defined networking (SDN) The use of software to act as a control layer separate from the data layer in a network to manage traffic.

software development kit (SDK) A set of tools and processes used to interface with a larger system element for programming changes to an environment.

software development lifecycle model (SDLC) The processes and procedures employed to develop software. Sometimes also called secure development lifecycle model when security is part of the development process.

solid state drive (SSD) A mass storage device, such as a hard drive, that is composed of electronic memory, as opposed to a physical device of spinning platters.

SONET See Synchronous Optical Network Technologies.

spam E-mail that is not requested by the recipient and is typically of a commercial nature. Also known as unsolicited commercial e-mail (UCE).

spam filter A security appliance designed to remove spam at the network layer before it enters e-mail servers.

spear phishing A form of targeted phishing where specific information is included to convince the recipient that the communication is genuine.

spim Spam sent over an instant messaging channel.

spoofing Making data appear to have originated from another source so as to hide the true origin from the recipient.

spyware Malware designed to spy on a user, typically recording information such as keystrokes for passwords.

SQL injection An attack against a SQL engine parser designed to perform unauthorized database activities.

SSD See solid state drive.

SSL stripping attack A specific type of man-in-the-middle attack against SSL.

steganography The use of cryptography to hide communications.

storage area network (SAN) A technology-based storage solution consisting of network-attached storage.

STP See shielded twisted-pair.

stream cipher An encryption process used against a stream of information, even bit by bit, as opposed to operations performed on blocks.

Structured Exception Handler (SEH) The process used to handle exceptions in the Windows OS core functions.

Structured Query Language (SQL) A language used in relational database queries.

structured threat A threat that has reasonable financial backing and can last for a few days or more. The organizational elements allow for greater time to penetrate and attack a system.

Structured Threat Information eXpression (STIX) A standard XML schema for describing and exchanging threat information.

Subject Alternative Name (SAN) A field on a certificate that identifies alternative names for the entity to which the certificate applies.

subnet mask The information that tells a device how to interpret the network and host portions of an IP address.

subnetting The creation of a network within a network by manipulating how an IP address is split into network and host portions.

Subscriber Identity Module (SIM) An integrated circuit or hardware element that securely stores the International Mobile Subscriber Identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephones.

substitution The switching of one value for another in cryptography.

supervisory control and data acquisition (SCADA) A generic term used to describe the industrial control system networks used to interconnect infrastructure elements (such as manufacturing plants, oil and gas pipelines, power generation and distribution systems, and so on) and computer systems.

switch A network device that operates at the data link layer of the OSI model.

switched port analyzer (SPAN) A technology that duplicates the traffic of individual channels crossing a switch onto another circuit.

symmetric encryption Encryption that needs all parties to have a copy of the key, sometimes called a shared secret. The single key is used for both encryption and decryption.

SYN flood A method of performing DoS by exhausting TCP connection resources through partially opening connections and letting them time out.

Synchronous Optical Network Technologies (SONET) A set of standards used for data transfers over optical networks.

systematic risk A form of risk that can be managed by diversification.

System on a Chip (SoC) The integration of complete system functions on a single chip for the purpose of simplifying construction of devices.

tangible asset An asset for which a monetary equivalent can be determined. Examples are inventory, buildings, cash, hardware, and software.

TCP Wrappers A host-based networking ACL system, used in some Linux systems to filter network access to Internet Protocol servers.

TCP/IP hijacking An attack where the attacker intercepts and hijacks an established TCP connection.

Telnet A network protocol used to provide cleartext, bidirectional communication over TCP.

TEMPEST The U.S. military’s name for the field associated with electromagnetic eavesdropping on signals emitted by electronic equipment. See also Van Eck phenomenon.

Temporal Key Integrity Protocol (TKIP) A security protocol used in 802.11 wireless networks.

Terminal Access Controller Access Control System+ (TACACS+) A remote authentication system that uses the TACACS+ protocol, defined in RFC 1492, and TCP port 49.

threat Any circumstance or event with the potential to cause harm to an asset.

threat actor The party behind a threat, although it may be a non-person, as in an environmental issue.

threat vector The method by which a threat actor introduces a specific threat.

three-way handshake A means of ensuring information transference through a three-step data exchange. Used to initiate a TCP connection.

ticket-granting server (TGS) The portion of the Kerberos authentication system that issues tickets in response to legitimate requests.

ticket-granting ticket (TGT) A part of the Kerberos authentication system that is used to prove identity when service tickets are requested.

Time-based One-Time Password (TOTP) A password that is used once and is only valid during a specific time period.

time bomb A form of logic bomb in which the triggering event is a date or specific time. See also logic bomb.

TKIP See Temporal Key Integrity Protocol.

token A hardware device that can be used in a challenge-response authentication process.

Transaction Signature (TSIG) A protocol used as a means of authenticating dynamic DNS records during DNS updates.

Transmission Control Protocol (TCP) The connection-oriented transport layer protocol for use on the Internet that allows segment-level tracking of a conversation.

Transport Layer Security (TLS) A replacement for SSL that is currently being used to secure communications.

transposition The rearrangement of characters by position as part of cryptographic operations.

trapdoor See backdoor.

Trivial File Transfer Protocol (TFTP) A simplified version of FTP used for low-overhead file transfers using UDP port 69.

Trojan A form of malicious code that appears to provide one service (and may indeed provide that service) but also hides another purpose. This hidden purpose often has a malicious intent. This code may also be referred to as a Trojan horse.

trunking The process of spanning a single VLAN across multiple switches.

Trusted Automated eXchange of Indicator Information (TAXII) An XML schema for the automated exchange of cyber-indicators between trusted parties.

trusted OS An OS that can provide appropriate levels of security and has mechanisms to provide assurance of security function.

Trusted Platform Module (TPM) A hardware chip to enable trusted computing platform operations.

tunneling The process of packaging packets so that they can traverse a network in a secure, confidential manner.

Unified Extensible Firmware Interface (UEFI) A specification that defines the interface between an OS and the hardware/firmware. This is a replacement for BIOS.

unified threat management (UTM) The aggregation of multiple network security products into a single appliance for efficiency purposes.

Uniform Resource Identifier (URI) A set of characters used to identify the name of a resource in a computer system. A URL is a form of URI.

Uniform Resource Locator (URL) A specific character string used to point to a specific item across the Internet.

uninterruptible power supply (UPS) A source of power (generally a battery) designed to provide uninterrupted power to a computer system in the event of a temporary loss of power.

Universal Serial Bus (USB) An industry-standard protocol for communication over a cable to peripherals via a standard set of connectors.

Universal Serial Bus On-the-Go (USB OTG) A USB standard that enables mobile devices to talk to one another without an intervening PC.

unmanned aerial vehicle (UAV) A remotely piloted flying vehicle.

unshielded twisted-pair (UTP) A form of network cabling in which pairs of wires are twisted to reduce crosstalk. Commonly used in local area networks (LANs).

unstructured threat A threat that has no significant resources or ability—typically an individual with limited skill.

unsystematic risk Risk that cannot be mitigated by diversification. Unsystematic risks can result in loss across all types of risk controls.

usage auditing The process of recording who did what and when on an information system.

user acceptance testing (UAT) The application of acceptance-testing criteria to determine fitness for use according to end-user requirements.

User Datagram Protocol (UDP) A protocol in the TCP/IP protocol suite for the transport layer that does not sequence its datagrams—it is “fire and forget” in nature.

user ID A unique alphanumeric identifier that identifies individuals when logging into or accessing a system.

UTP See unshielded twisted-pair.

vampire tap A tap that connects to a network line without the connection needing to be cut.

Van Eck phenomenon Electromagnetic eavesdropping through the interception of electronic signals emitted by electrical equipment. See also TEMPEST.

variable-length subnet masking (VLSM) The process of using variable-length subnets, creating subnets within subnets.

video teleconferencing (VTC) A business process of using video signals to carry audio and visual signals between separate locations, thus allowing participants to conduct a virtual meeting instead of traveling to a physical location. Modern videoconferencing equipment can provide very realistic connectivity when lighting and backgrounds are controlled.

Vigenère cipher A polyalphabetic substitution cipher that depends on a password.

virtual desktop environment (VDE) The use of virtualization technology to host desktop systems on a centralized server.

virtual desktop infrastructure (VDI) The use of servers to host virtual desktops by moving the processing to the server and using the desktop machine as merely a display terminal. VDI offers operating efficiencies as well as cost and security benefits.

virtual local area network (VLAN) A broadcast domain inside a switched system.

virtual machine (VM) A form of containerized operating system that allows a system to be run on top of another OS.

virtual private network (VPN) An encrypted network connection across another network, offering a private communication channel across a public medium.

virus A form of malicious code or software that attaches itself to other pieces of code in order to replicate. Viruses may contain a payload, which is a portion of the code that is designed to execute when a certain condition is met (such as a certain date). This payload is often malicious in nature.

vishing Phishing over voice circuits, specifically voice over IP (VoIP).

voice over IP (VoIP) The packetized transmission of voice signals (telephony) over Internet Protocol.

vulnerability A weakness in an asset that can be exploited by a threat to cause harm.

WAP See Wireless Application Protocol.

war-dialing An attacker’s attempt to gain unauthorized access to a computer system or network by discovering unprotected connections to the system/network through the telephone system and modems.

war-driving The attempt by an attacker to discover unprotected wireless networks by wandering (or driving) around with a wireless device, looking for available wireless access points.

warm site A backup site, off premises, that has hardware but is not configured with data and will take some time to switch over to.

Wassenaar Arrangement A set of rules and regulations concerning dual-use technologies, including cryptography. These rules are related to arms trading and similar national security concerns and impact some cybersecurity elements.

web application firewall (WAF) A firewall that operates at the application level, specifically designed to protect web applications by examining requests at the application stack level.

WEP See Wired Equivalent Privacy.

whaling The targeting of high-value individuals, as in a social engineering attack.

white-box testing A form of testing where the tester has knowledge of the inner workings of a system.

whitelisting A listing of items to be allowed by specific inclusion. The opposite of blacklisting.

wide area network (WAN) A network that spans a large geographic region.

Wi-Fi Protected Access (WPA/WPA2) A modern protocol to secure wireless communications using a subset of the 802.11i standard.

Wi-Fi Protected Setup (WPS) A network security standard that allows easy setup of a wireless home network.

Wired Equivalent Privacy (WEP) An encryption scheme used to attempt to provide confidentiality and data integrity on earlier 802.11 networks.

wireless access point (WAP) A network access device that facilitates the connection of wireless devices to a network.

Wireless Application Protocol (WAP) A protocol for transmitting data to small handheld devices such as cellular phones.

wireless intrusion detection system (WIDS) An intrusion detection system established to cover a wireless network.

wireless intrusion prevention system (WIPS) An intrusion prevention system established to cover a wireless network.

Wireless Transport Layer Security (WTLS) The encryption protocol used on WAP networks.

worm An independent piece of malicious code or software that self-replicates. Unlike a virus, it does not need to be attached to another piece of code. A worm replicates by breaking into another system and making a copy of itself on this new system. A worm can contain a destructive payload but does not have to.

write blocker A specific interface for storage media that does not permit writing to occur to the device. This allows copies to be made without altering the device.

Write Once Read Many (WORM) A data storage technology where things are written once (permanent) and then can be read many times, as in optical disks.

X.500 The standard format for directory services, including LDAP.

X.509 The standard format for digital certificates.

XML See eXtensible Markup Language.

XSRF See cross-site request forgery.

XSS See cross-site scripting.

zero day A name given to a vulnerability whose existence is known, but not to the developer of the software; hence, it can be exploited before patches are developed and released.

zombie A machine that is at least partially under the control of a botnet.
