GLOSSARY

3DES A symmetric encryption standard. It improves Data Encryption Standard (DES) by encrypting data in three passes with three separate keys. It was one of the standards evaluated by the National Institute of Standards and Technology (NIST) with Advanced Encryption Standard (AES), but was not selected. It is a slower and processor-intensive block cipher, but is still strong and used in some applications. It is also called triple DES and three DES.

3G Third generation of wireless technologies. 1G uses analog signals and 2G uses digital signals. 3G provides higher transfer speeds using digital technologies.

AAAs of security Authentication, authorization, and accounting. These three elements of security work together to ensure that only authorized entities have access to resources and that their access is recorded.

access controls Mechanisms used to restrict or control access to resources. They can be logical (implemented with technology) and implemented by the security kernel, or physical, such as a locked door or security guard. Access controls allow subjects access to objects, such as allowing a user’s access to a file. Some relevant access control models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-based Access Control (RBAC). Biba, Bell-LaPadula, and the Chinese Wall are specific MAC models.

accountability The ability of a system to track the activity of an individual. If a system can identify individual users, track their actions, and monitor their behavior, it provides accountability.

accounting Logs that track the activity of a user through monitoring. One method of accounting is audit logs that create an audit trail.

accreditation The process of formally declaring that the system is approved to operate. Accreditation comes after system certification.

Address Resolution Protocol (ARP) Protocol that resolves Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. ARP is used on the data link layer of the Open Systems Interconnection (OSI) model.

Advanced Encryption Standard (AES) A strong, efficient symmetric encryption algorithm. The National Institute of Standards and Technology (NIST) selected it in 2002 as a replacement for Data Encryption Standard (DES) as the standard used by the U.S. government. AES has since been adopted in both the public and private sectors and is widely used today in many applications.

advanced persistent threat (APT) A highly sophisticated group of attackers who have the capability and intent to carry out successful attacks. Many governments are suspected of sponsoring groups known as APTs.

AIC security triad The three main goals of information security: availability, integrity, and confidentiality.

anomaly-based A method of detection used by intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). The IDS/IPS attempts to document normal behavior in the form of a baseline. It then monitors the activity and constantly compares it to the baseline. If the current activity differs significantly from the baseline, the IDS/IPS will issue an alert on the activity.

antivirus (AV) software A primary method used to detect and prevent infections from malware. In addition to being able to detect and prevent infections, most AV software is also able to remove the malware, restore the file, or quarantine it.

armored virus A virus that uses code to make it difficult for AV researchers to reverse-engineer the code. Encryption and polymorphism are used as methods of armor.

asymmetric encryption A process of encrypting and decrypting data using two matched keys known as public and private keys. It is also known as public key cryptography. Anything encrypted with the public key can be decrypted only with the matching private key. Anything encrypted with the private key can be decrypted only with the matching public key. The private key is always kept private and never shared. The public key is freely shared and publicly available.

attribute In a database, a table column is an attribute. Data within the table is stored in rows, or tuples.

audit trail A record of events occurring on a system or network recorded in one or more logs. When you have access to all the logs, you are able to re-create the events leading up to an incident and what actually occurred during it.

authentication Proof of an identity that is established by providing credentials. There are three types or factors of authentication known as something you know (such as a username and password), something you have (such as a smartcard), and something you are (using biometrics).

authorization A process that provides access to resources through the assignment of permissions. This process starts with authentication; once users have been authenticated, authorization defines the resources that a user can access and the rights that a user can invoke.

availability One of the three main goals of information security known as the AIC security triad. It ensures that systems and data are up and operational when needed. The other two parts of the AIC triad are integrity and confidentiality.

backdoor Code that is embedded in an application and used to provide access to the application, the application’s code, or data via a covert method. It is also called a trapdoor.

baseline A known starting point. Baselines are an important element of configuration control and often implemented with images. If the baseline configuration is known, it’s relatively simple to check the system to determine whether the configuration has been modified from the baseline. Anomaly-based intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) also use baselines by first documenting normal behavior in the form of a baseline. The system then monitors the activity and constantly compares it to the baseline.

Bell-LaPadula model An access control model used to ensure confidentiality. It uses two primary rules: no read up and no write down. It is a Hierarchical State Machine model that supports Mandatory Access Control. Compare this to the Biba model.

Berkeley Internet Name Domain (BIND) A version of DNS software that runs on UNIX systems. It is freely available and runs on many DNS servers on the Internet.

Biba model An access control model used to ensure integrity that supports Mandatory Access Control (MAC). It uses two primary rules: no read down and no write up. Compare this to the Bell-LaPadula model.

biometrics Method of identifying unique characteristics of a person, such as a fingerprint or keystroke analysis. Biometrics are used to provide authentication using the “something you are” factor.

bit copy tools Software used to capture the contents of a drive without modifying the data. The copy is known as a forensic duplicate image and can be examined without affecting the original.

botnet A group of computers (called zombies) controlled by an attacker. The term botnet is derived from robot and network. The attacker manages a command and control center, and the computers in the botnet do the bidding of the attacker.

buffer overflow An error that can occur when a system receives more data than it expects and is unable to handle it gracefully. Attackers attempt to exploit buffer overflow errors and install malware on systems.

buffer overflow attack An attack on a system that has a buffer overflow vulnerability. Buffer overflow vulnerabilities can be reduced with input validation techniques and by keeping systems up to date.

bus Network configuration where all computing devices are connected directly to each other via a shared cable connection. Both ends of the bus must be terminated. If one of the terminators is not present or the cable is disconnected, communication with all devices on the bus stops.

business continuity plan (BCP) A written document that includes the processes and procedures to prevent mission-critical services from being interrupted or disrupted. A BCP includes disaster recovery elements used to restore the organization to fully functioning operations as quickly and efficiently as possible.

business impact analysis A part of a BCP. It identifies the impact to the organization if any business functions are lost due to any type of incident. It helps an organization identify what business functions are critical to continued operations by identifying the impact to the business if a business function stops.

certificate A file used for security purposes, such as authentication, encryption, protection of e-mail, and code signing. Certification authorities issue and manage certificates.

certification A process that evaluates, describes, and tests a system and all of the controls that are in place to mitigate risks to the system. After a system has been certified, a separate accreditation process formally approves the system to operate.

certification authority (CA) An entity that issues and manages certificates through their lifetimes. CAs can be public (such as VeriSign) or private within an organization. Public CAs sell and validate certificates and provide assurances to users that certificates are valid.

chain of custody A document that shows exactly where a piece of evidence is from the point it is collected until it is disposed. A chain of custody provides proof that evidence has been protected. If the chain-of-custody document is not present, the validity of the evidence can be questioned and its usefulness negated.

change control A process that ensures that changes are not implemented without authorization. A change control process gives experts an opportunity to examine the change for potential problems before the change is implemented. It is also called change management.

Chinese Wall model An access control model used to help prevent a conflict of interest. Data is classified based on conflict-of-interest classes. Users who have access to one class are denied access to data in conflicting classes. Also known as the Brewer-Nash model.

cipher text Data that is encrypted and not readable unless it can be decrypted into plaintext. Encryption techniques convert plaintext to cipher text.

cipher text attack A cryptanalysis attack. It is used when the attacker only has cipher text for analysis without any useful information about the plaintext data.

Clark-Wilson model An access control model used to ensure integrity; the model has stricter rules than the Biba model. These integrity rules enforce the principle of separation of duties.

clipping level A predetermined threshold level. An auditing system ignores events until it reaches the clipping level. Once the threshold is reached, the accounting system generates an alert.

code of ethics Statements and principles that individuals can use to guide their decisions and help in ethical dilemma situations. (ISC)2’s Code of Ethics includes a preamble and four canons describing ethical expectations from its certified practitioners. Candidates must commit to and abide by them to earn and keep the SSCP certification. Organizations can also use ethics statements for internal employees.

cold site An alternate location used in business continuity planning. A cold site is a building with a roof, running water, and electricity. It doesn’t include the necessary hardware, software, or personnel. In the event of an emergency, all of the resources must be moved to the cold site location, hooked up, and configured for operation.

command injection An attack that attempts to inject commands into an application. In some cases, a command injection attack can inject operating system commands that would normally be executed at the command line; in other cases, it injects code such as JavaScript or SQL statements. Input validation techniques help mitigate command injection attacks.

Common Criteria A framework, formally known as the Common Criteria for Information Technology Security Evaluation, used to evaluate systems. It provides assurances that the specification, implementation, and evaluation of a system’s security have gone through a rigorous and standardized process.

confidentiality The objective of ensuring that data is not disclosed to unauthorized users. Access controls and encryption are used to protect against the loss of confidentiality. Confidentiality is one of the three main goals of information security known as the AIC security triad. The other two goals are availability and integrity.

configuration management A process that ensures that information about system configuration is available for any system and also helps ensure that similar systems are configured similarly.

control A means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. The terms controls, countermeasures, and safeguards are often used interchangeably.

countermeasure A means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. The terms controls, countermeasures, and safeguards are often used interchangeably.

cross site request forgery (CSRF or XSRF) An attack that results in websites executing unauthorized commands as if they were requested by a user. Attackers create specially crafted links and encourage users to click on the links. For example, attackers can send the links in phishing e-mails.

cross site scripting (CSS or XSS) An attack that attempts to inject HTML or JavaScript into a web page. After the attack, the code executes on a user’s system when the user visits the attacked website. Successful attacks sometimes allow attackers to read cookies and use this data to launch session hijacking attacks.

crossover error rate (CER) The point where the false accept rate (FAR) and the false reject rate (FRR) of a biometric system are equal or cross over. A lower CER indicates a better performing biometric system.

cryptanalysis The process of deciphering codes through analysis. Both attackers and researchers use cryptanalysis techniques. Researchers use cryptanalysis techniques to search for weaknesses in cryptography with the goal of improving cryptographic methods. Attackers search for weaknesses with the goal of exploiting them.

cryptography The science of using different methods and techniques to encrypt data so that it is not readable to others.

data at rest Any data that is in computer storage, such as on system hard drives, portable USB drives, flash drives, storage area networks, and backup tapes.

Data Encryption Standard (DES) An older symmetric encryption standard using 56-bit keys. It has been broken and is rarely used anymore.

data in motion Any data being transmitted over a network (sometimes called data in transit). It includes data transmitted over an internal network using wired or wireless methods as well as data transmitted over the Internet.

data inference The ability of someone to gain knowledge by piecing together unclassified data to determine classified or secret information. It also includes the ability to gather large quantities of information and attempt to learn details of the information through deduction.

data loss prevention (DLP) Techniques used to monitor data usage and prevent the unauthorized use or transmission of sensitive data. Different types of DLP systems can monitor data in motion and data at rest.

database view A virtual table that provides access to specific columns in one or more tables. A view doesn’t hold any data but presents the data in the underlying table or tables. A database administrator can grant access to a view without granting access to a table to limit what a user can see and manipulate.

decryption The process of converting cipher text data into plaintext data. Data is encrypted to prevent loss of confidentiality. Compare to encryption.

deduplication The process of keeping only a single copy of a file on a system instead of multiple identical files. Deduplication saves storage space.

defense diversity A defense-in-depth strategy used when implementing a demilitarized zone (DMZ) by using firewalls from two separate vendors. Defense diversity with the DMZ firewalls provides an extra layer of protection for the internal network.

defense in depth A strategy that provides a layered approach to security. Instead of using one or two security controls, multiple controls are used. If one control fails, other controls continue to provide protection.

demilitarized zone (DMZ) A perimeter network used to host resources on the Internet (such as web servers, e-mail servers, or FTP servers). The DMZ provides a layer of protection for the resources that would not be available if they were placed directly on the Internet.

denial of service (DoS) An attack that attempts to prevent a system from answering legitimate requests from users, directly affecting the availability portion of the AIC triad. The attack is launched by a single system.

differential backup A type of backup used in full/differential backup strategies. Differential backups only back up data that has changed since the last full backup, without regard to any other differential backups.

digital signature A file used to provide authentication, integrity, and nonrepudiation security for e-mail. A digital signature is created by hashing an e-mail message and then encrypting the hash with the sender’s private key.

disaster recovery plan (DRP) A document used to provide an organization with a plan to restore critical operations after a disaster. The overall goal is to provide employees with clear-cut steps on what to do and the order of these steps.

Discretionary Access Control (DAC) model An access control model commonly used to control access for file systems, such as New Technology File System (NTFS) or Network File System (NFS). Objects (such as files and folders) are owned by users. Users have full control over the objects and can grant others access. DAC provides the most granular level of control. Other access control models are Mandatory Access Control (MAC) and Role-based Access Control (RBAC).

distributed denial of service (DDoS) A DoS attack launched against a single system from multiple attackers. Botnets are often used in DDoS attacks.

Domain Name System (DNS) DNS provides name resolution services by resolving host names to IP addresses and IP addresses to host names. DNS uses port 53.

due care The practice of implementing security policies and practices to protect resources. Organizations are required by law to exercise due care or they can be found legally negligent.

due diligence The investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase. An organization has an obligation to exercise due diligence to discover risks.

encryption The process of converting plaintext data into cipher text data to prevent loss of confidentiality. The process is reversed by decrypting the cipher text data to re-create the original plaintext data. Compare to decryption.

Ethernet Local area network (LAN) standards defined by the IEEE 802.3 documents. It is the most widely used standard for LANs.

extranet An area of an organization’s network used to host resources via the Internet but only to trusted entities. An extranet is available via the Internet, but only to a specific target audience.

false accept rate (FAR) A type 2 biometric error. It refers to the percentage of times a biometric system falsely identifies an unknown user as a known user.

false positive A false indication of an attack or a vulnerability. Vulnerability scanners can give false positives indicating that a vulnerability exists even though it doesn’t. Similarly, intrusion detection systems can give an indication that a system is being attacked even when it isn’t.

false reject rate (FRR) A type 1 biometric error. It refers to the percentage of times a biometric system falsely rejects a known user and instead indicates that the user is unknown.

fault tolerance The practice of adding and maintaining redundancy for disks, servers, connections, and sites. Fault tolerance controls help eliminate outages from single points of failure by adding redundancies.

federated access A single sign-on (SSO) technology that allows users in different networks to access multiple systems after logging on once. The systems can be different operating systems owned and managed by different organizations.

file integrity checker An application that can verify that files have not been modified. In doing so, the application guards against a loss of integrity. File integrity checkers use hashing algorithms to capture hashes of files in a known good state. Later, they create hashes on the same file and compare the two hashes. If the file is unchanged, the hashes are the same, but if the file has been modified, the hashes are different.

firewall Software or hardware used to filter traffic into or out of a network. A firewall can be a dedicated physical device or an additional application running on a system such as a desktop computer.

first responder The first forensics-trained person on the scene of an information technology (IT) incident. It could be a highly trained forensics expert or a system administrator with only basic training. One of the primary responsibilities of a first responder is the preservation of the scene of the incident and all associated evidence.

foreign key In databases, a key in one table that points to a unique primary key in another table to create a relationship between the two tables.

forensics The science of examining and inspecting crime scenes for evidence. Computer forensics is the science of examining and inspecting computer systems for evidence about an event or crime.

guidelines Recommendations provided to members of an organization. Guidelines aren’t mandatory or authoritative in nature. Guidelines (and procedures) are derived from policies.

hardening The practice of making a system more secure from its default configuration. Hardening often includes removing or disabling unused protocols and services, changing defaults, keeping systems up to date, enabling firewalls, and using AV software.

hardware token A device held by a user that displays a number or a password that changes frequently, such as every 60 seconds. The number is synchronized with a server and used as a one-time password.

hashing The process of creating a hash (a number) by executing a hashing algorithm against a piece of data. As long as the original data is not changed, the hash will always be the same. You can execute the hashing algorithm on the file or message at one point to create a hash and then later execute the same hashing algorithm again. If the hashes are the same, the original data has not been modified and it has retained integrity.

heuristics-based detection A method of virus detection used to detect previously unknown viruses. Heuristics attempts to detect a virus based on its behavior.

honeypot A computer set up to entice would-be attackers. It is often configured with weak security so that an attacker can easily hack into it, and will usually have dummy data that has no use to the company.

host-based firewall A firewall that provides protection for a single host. Some operating systems include host-based firewalls running as additional software. Compare to network-based firewall.

host-based IDS (HIDS) An intrusion detection system (IDS) installed on an individual system, such as a server or workstation. It can only monitor activity on the host; it is not able to monitor overall network activity, as a network-based IDS (NIDS) does.

hot site An alternate location used in business continuity planning. A hot site includes all of the necessary resources to take over the operations of another location in a very short period of time, sometimes within minutes. It includes hardware such as servers and the network infrastructure, up-to-date data, and personnel to manage the functions of the alternate location.

identification The act of a user claiming to be a specific person by using that person’s username. If the user also holds that person’s credentials (such as a password), the user can then authenticate to prove the claimed identity.

identity management The process of managing accounts and access to resources. Provisioning includes creating accounts for users and granting appropriate privileges. Maintenance ensures that password policies and account policies are implemented and ensures that inactive accounts are disabled. Entitlement helps ensure that the principle of least privilege is enforced.

incident A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

incident response The process of responding to an incident. Many organizations have formal procedures for responding to incidents.

incremental backup A type of backup used in full/incremental backup strategies. Incremental backups back up only data that has changed since the last full or incremental backup.

information rights management (IRM) Methods used to protect documents after they’ve been sent to an untrusted party. IRM can prevent recipients from forwarding, copying, modifying, printing, faxing, or pasting the content from a file.

Infrastructure-as-a-Service (IaaS) A type of cloud computing. This is also known as hardware-as-a-service and provides customers with hardware, such as servers, and infrastructure, such as routers or switches. Customers maintain all software on the hardware, but the provider owns and maintains the hardware. Compare to Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS).

input validation The process of checking data before using it within an application. Web applications use input validation to prevent different types of injection attacks, such as SQL injection or cross site scripting attacks. Input validation also helps prevent buffer overflow attacks.

integrity Certainty that data has not been altered. Hashing and audit logs are two methods used to ensure integrity. Integrity is one of the three main goals of information security known as the AIC security triad. The other two goals are availability and confidentiality.

Internet Protocol Security (IPsec) A security protocol used to provide security for IP traffic traveling over a network. Authentication Header (AH) provides authentication between the systems and verifies the integrity of the packets. Encapsulating Security Payload (ESP) encrypts the data and also provides the same authentication services provided by AH.

intranet A network that is internal to an organization. An intranet has private IP addresses and clients within the intranet access the Internet with Network Address Translation (NAT), which translates private IP addresses to public and public IP addresses to private.

intrusion detection system (IDS) A system designed to provide protection for networks and hosts against attacks. The goal is to detect an attack as it’s occurring. Some IDSs are passive and will provide a notification of a potential attack, and other IDSs are active and will thwart the attack in progress.

intrusion prevention system (IPS) An intrusion detection system (IDS) with two primary differences: first, an IPS is placed in line with the traffic; and second, it provides an active response.

job rotation The practice of moving employees between different jobs on a periodic basis. Job rotation is used as a security practice that can reduce the risk of fraud within a company. It is commonly combined with the security practice of separation of duties.

known plaintext attack A cryptanalysis attack used when the attacker has samples of both plaintext and cipher text data. For example, if an attacker has plaintext from an encrypted message, the attacker can then use different methods to try to decrypt the cipher text to the known text. If the known text is decrypted, the same method can be used to decrypt similar data.

Layer 2 Tunneling Protocol (L2TP) A tunneling protocol used with some virtual private networks (VPNs). It combines the strengths of L2F and PPTP and is documented in RFC 2661. L2TP VPN traffic is commonly encrypted with IPsec (as L2TP/IPsec).

least privilege The practice or principle of giving users only the rights and privileges that they need to perform their job, and no more.

logic bomb Malicious code that will execute in response to an event such as a point in time or in response to specific actions.

malware Malicious software or malicious code. It includes any code or software that can be described as being harmful or destructive to computers, networks, or the computing environment as a whole. Some of the common malicious code types include viruses, worms, logic bombs, and Trojan horses.

Mandatory Access Control (MAC) model An access control model that provides the highest level of security; it is used by the U.S. military. Subjects and objects are assigned labels; subjects (such as users) are able to access objects (such as files) only when the labels match. Other access control models are Discretionary Access Control (DAC) and Role-based Access Control (RBAC). Examples of models that support Mandatory Access Control include Bell-LaPadula and Biba.

mandatory vacation A security policy designed to reduce fraud within an organization. A mandatory vacation policy requires employees to take a vacation outside of the workplace for a specified period, such as at least five consecutive workdays. The goal is to require someone else to perform the employee’s job functions, which increases the possibility of exposing any suspicious activities.

mantrap A security control designed to protect against piggybacking. It prevents more than one person from passing through at a time and ensures that each person uses credentials to gain entry.

maximum acceptable outage (MAO) The maximum amount of time a system can be down before critical business functions are affected. MAO is sometimes called maximum tolerable outage (MTO) or maximum tolerable period of disruption (MTPOD). The MAO helps an organization determine the recovery time objective (RTO).

Message Digest 5 (MD5) A hashing algorithm used for integrity. MD5 creates a 128-bit hash. It is widely used in applications, although it has been shown that it has vulnerabilities. The U.S. government considers it cryptographically broken, so it is not recommended for use in many government applications.

mobile code Code that can be transferred between systems without the user taking explicit action to install it. It can include script code such as JavaScript, compiled code such as Java applets or ActiveX controls, documents with embedded macros, or malware that executes from a USB flash drive when the user inserts the drive into a system.

multifactor authentication Authentication in which more than one factor is used. There are three factors of authentication: something you know, something you have, and something you are.

near field communication (NFC) Technology in smartphones that allows a user to transfer information to other devices by waving a smartphone close to the other device or tapping the other device. NFC can be used to make purchases with credit cards registered on the phone.

Network Address Translation (NAT) A protocol that translates private IP addresses to public and public IP addresses back to private. NAT is often installed on proxy servers or routers that are on the edge of the network (between the Internet and the intranet).

network-based firewall A firewall that provides protection for a network. Traffic to and from the network flows through the network-based firewall. Compare to a host-based firewall.

network-based IDS (NIDS) An intrusion detection system (IDS) that monitors the network traffic for any type of attack. It will typically have several nodes or agents stationed around the network connected to routers and possibly switches. Each of these nodes monitors the traffic and reports its findings to a NIDS management server.

non-promiscuous A mode used by a sniffer. In non-promiscuous mode, the sniffer will capture only data sent directly to or from the IP address of the computer running the sniffer.

nonrepudiation The practice of ensuring that a party cannot believably deny (or repudiate) taking an action. Nonrepudiation is enforced through audit logging and with digital signatures.

object A resource accessed by a subject. For example, if a user accesses a file, the user is the subject and the file is the object.

one-time password A password used only once. Hardware tokens use synchronous one-time passwords with a hardware device held by the user showing a one-time password as a number or password; the password changes often and is synchronized with a server.

Online Certificate Status Protocol (OCSP) A method of validating certificates with a certification authority (CA). Clients send the serial number of a certificate to a server known as an OCSP responder. The OCSP responder identifies the health of the certificate (such as whether it has been revoked) in an OCSP response.

Open Systems Interconnection (OSI) Model A seven-layer model developed by the International Organization for Standardization (ISO) as a framework for connecting computers and networks together. The seven layers are physical (layer 1), data link (layer 2), network (layer 3), transport (layer 4), session (layer 5), presentation (layer 6), and application (layer 7).

packet filtering firewall A firewall that filters traffic by examining the contents of a packet. A packet filtering firewall can filter traffic based on IP addresses, subnet addresses, ports, some protocols, or any combination of these.

penetration test An assessment that starts with a vulnerability assessment. Instead of stopping after discovering vulnerabilities, a penetration test attempts to exploit the vulnerability.

personally identifiable information (PII) Information that can be used to personally identify an individual. Many laws mandate the protection of PII.

pharming An attack that redirects users to bogus websites. It manipulates one of the host name resolution methods so that the host name resolves to a different website.

phishing An attack in which attackers send e-mails with the goal of tricking victims into clicking a link or providing sensitive information. The e-mail claims to be from a legitimate company and encourages the user to take an unsafe action.

piggybacking A social engineering tactic. Piggybacking occurs when someone passes through a controlled entry without providing credentials by following closely behind someone who has provided credentials.

plaintext Data that is not in an encrypted format. It is easily readable without any cryptographic or cryptanalysis techniques. Encryption techniques convert plaintext to cipher text.

Platform-as-a-Service (PaaS) A type of cloud computing. Users have access to an operating system hosted on hardware that they can use over the Internet. Users don’t have to purchase the hardware and software, and the cloud provider maintains it. Compare to Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS).

Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol used with some virtual private networks (VPNs). It is defined in RFC 2637, and Microsoft uses its own version.

policy High-level documents used to provide guidance to members of an organization. A policy provides direction to employees and is authoritative in nature.

polymorphic virus A virus that has the ability to morph or mutate each time it is replicated to another machine or even each time it is run. When the virus mutates, it’s more difficult for antivirus (AV) software to detect it unless additional virus signatures are created to recognize the mutated version.

port scan attack A port scan attempts to detect what ports are open on a system as part of an overall fingerprinting attack. Open ports indicate which services are running on the system.

primary key A key used in databases. A primary key ensures that each row or tuple within a table is unique.

private IP address IP addresses that are used within an organization’s private network. Private IP addresses are formally defined in RFC 1918. Compare these to public IP address.

private key A key used with public key cryptography (asymmetric encryption). A private key is part of a matched pair (matched to a public key). A private key is kept private and not shared with other entities.

procedure Specific action steps to accomplish tasks. Procedures (and guidelines) are derived from policies.

promiscuous A mode used by a sniffer. In promiscuous mode, the sniffer captures all data that reaches the sniffer regardless of the IP address.

proxy server A server used as an intermediary, or proxy, for internal clients accessing Internet resources. The proxy server retrieves the web page on the client’s behalf and returns it to the client.

public IP address IP addresses that are used on the public Internet. Compare these to private IP address.

public key A key used with public key cryptography (asymmetric encryption). A public key is part of a matched pair (matched to a private key). A public key is freely shared and distributed within a certificate.

public key infrastructure (PKI) All the components necessary to create, manage, distribute, validate, and revoke certificates. A PKI is based on the X.509 protocol. The X.509 standard identifies many of the components and formats used by the PKI, certification authorities (CAs), and certificates.

qualitative analysis A risk assessment method that is subjective and often simply categorizes a risk using words such as “low,” “medium,” and “high.” Compare with quantitative analysis.

quantitative analysis A risk assessment method that uses numerical-based data such as monetary figures to identify the actual cost associated with a risk. Compare with qualitative analysis.

radio-frequency identification (RFID) A system used for identification, tracking, asset management, and inventory control. Products are “tagged” with an RFID tag, which is a small electronic device that marks the product. RFID readers can then read the tag to get information about the product.

ransomware Malware that describes itself as free antivirus software to trick users into downloading it. It is also called scareware.

RC4 A symmetric encryption standard. It is used successfully with Secure Sockets Layer (SSL) and HTTPS to encrypt traffic on the Internet. This standard is sometimes called Ron’s Code or Rivest’s Cipher after its inventor, Ron Rivest.

recovery point objective (RPO) A recovery term associated with backups and databases. It identifies the amount of data (in terms of time such as hours or days) that is acceptable to lose if a failure occurs. The RPO dictates the amount of resources needed to protect data to prevent loss in the case of a failure.

recovery time objective (RTO) The RTO is the maximum amount of time that can be taken to restore a system or process to operation. If a failure takes longer than the RTO to restore, then the mission is impacted. The maximum acceptable outage (MAO) helps an organization determine the RTO.

Remote Authentication Dial-In User Service (RADIUS) A service that provides centralized authentication, authorization, and accounting (AAA) for remote clients. Remote users are authenticated against a credential’s database, their account is checked to verify that they are authorized to use remote access, and their remote access activity is tracked in an accounting log.

residual risk The amount of risk that remains after steps have been taken to mitigate risk is residual risk. In other words, residual risk = total risk – mitigated risk.

risk The probability or likelihood of a threat exploiting a vulnerability, resulting in a loss. A threat is any activity that can be a possible danger. A vulnerability is a weakness, and a loss represents a negative event for an organization. The level of loss represents the impact.

risk assessment A point-in-time evaluation of potential risks. It looks at the current situation and then attempts to determine what risks exist and how to address them.

Role-based Access Control (RBAC) model An access control model that uses roles to determine access. Subjects (such as users) are placed into roles, and access to objects (such as files) is granted to the roles. Other access control models are Mandatory Access Control (MAC) and Discretionary Access Control (DAC).

rootkit A set of programs that can run on a system, largely undetected. It has root-level access to the system, similar to how a root-level administrator has full and complete control over a system.

RSA An algorithm used for encryption and decryption in public key cryptography. RSA uses large prime numbers (such as 1,024 or 2,048 bits) to create secure, matching public and private keys. Its strength lies in the fact that it’s computationally infeasible to factor the composite number created from these prime numbers as long as the prime numbers are sufficiently large.

safeguard A means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. The terms controls, countermeasures, and safeguards are often used interchangeably.

scareware Malware that describes itself as free antivirus software to trick users into downloading it. It is also called ransomware.

Secure Hashing Algorithm 1 (SHA-1) A hashing algorithm used for integrity. SHA-1 creates a 160-bit hash. It has been commonly used by U.S. government agencies such as the Department of Defense, although potential vulnerabilities were discovered in 2005.

Secure Hashing Algorithm 2 (SHA-2) A hashing algorithm used for integrity. SHA-2 is a hash of 224, 256, 384, or 512 bits. It is an improvement to SHA-1.

Secure/Multipurpose Internet Mail Extensions (S/MIME) The standard used to encrypt and digitally sign e-mail. Almost all e-mail applications that support encryption and digital signatures use S/MIME.

Secure Real-time Transport Protocol (SRTP) A security protocol that provides confidentiality, message authentication, and replay protection for audio and video traffic, including Voice over Internet Protocol (VoIP).

Secure Shell (SSH) A basic encryption protocol used to create a secure session between two computers. SSH is used to encrypt other protocol traffic such as File Transfer Protocol (FTP) (called Secure FTP [SFTP]) and Telnet traffic. SSH uses port 22.

Secure Sockets Layer (SSL) A popular encryption protocol used to encrypt different types of traffic. SSL is used to encrypt HTTP traffic (as HTTPS) and can also be used as a tunneling protocol for some virtual private network (VPN) traffic.

security policy A written document that provides the organization with a high-level view of the security goals of an organization. A security policy is authoritative in nature and provides direction for the creation of guidelines and procedures.

separation of duties A security principle that ensures that no single person has complete control over a process. When properly implemented, it can significantly reduce the risk of fraud within an organization.

session key A key used with symmetric encryption. It is sometimes called a symmetric key.

shoulder surfing The practice of attempting to gain information by looking over a user’s shoulder as he or she is entering data.

signature-based detection A method of virus detection used to detect known viruses. Viruses have specific characteristics used to identify them uniquely. The signature can be a unique characteristic such as a specific byte pattern within the virus. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) can also use signatures to detect known attack methods.

Simple Mail Transfer Protocol (SMTP) A protocol used to send e-mail. SMTP is used to send e-mail from e-mail clients to an e-mail server. E-mail servers use SMTP both to send and receive e-mail between other SMTP servers.

single sign-on (SSO) The practice of allowing a subject (such as a user) to authenticate once and use the same credentials to access additional resources without authenticating again. This increases security because users have to remember only a single set of credentials and are thus less likely to write their credentials down. Federated access SSO systems allow users to access systems owned and managed by different organizations by logging on once using credentials recognized by the federated access system.

sniffer A protocol analyzer or packet sniffer. It is capable of capturing and analyzing packets that are transmitted over a network. A popular sniffer is Wireshark.

social engineering The practice of using primarily nontechnical means to get people to give up sensitive data or to perform actions they wouldn’t normally perform. A social engineer uses deception and fraud to trick or manipulate unsuspecting users.

Software-as-a-Service (SaaS) A type of cloud computing. Users access applications with a web browser over the Internet. Web-based e-mail is an example used by many people. Compare to Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).

something you are One of the three factors of authentication. This factor includes the use of biometrics to authenticate an individual based on fingerprints, retina, and other facial characteristics, keystroke dynamics, and handwriting.

something you have One of the three factors of authentication. This factor includes items such as proximity cards, smart cards, hardware tokens, and identification badges.

something you know One of the three factors of authentication. This factor includes knowledge such as passwords, personal identification numbers, mother’s maiden name, or even personal information such as the name of your first pet.

spam Unsolicited commercial e-mail (UCE) and other unwanted electronic messages sent in bulk. Spam is most often associated with e-mail, but can also be delivered via other means, such as instant messaging. It usually includes advertisements, but can also be used in different types of attacks launched from botnets and phishing.

spam filter An e-mail scanner that attempts to detect and block unsolicited e-mail (spam). Spam filters can be installed on end-user systems and e-mail servers and at the boundary of the network to scan all traffic from the Internet.

spyware Software that can install itself on a user’s system without the user’s knowledge or consent. Spyware is considered a form of malware because it can cause so much damage to an individual.

SQL injection An attack that injects SQL code to read and manipulate databases. SQL injection attacks are mitigated with input validation techniques and stored procedures.

standard A proven norm or method. Standards are typically external to an organization but can influence the organization’s policies, guidelines, and procedures.

star Network configuration where all computing devices are connected to a central device, such as a hub or a switch. Most networks use a star configuration, with all of the devices connected to the central device with twisted pair cable.

stateful inspection firewall A firewall that filters traffic based on the state of existing connections. It identifies active connections as they are created and monitors the status of these connections in a state table within the firewall.

steganography The practice of hiding data within data. When used to hide data within files, it modifies the least significant bits of bytes within the files.

subject An entity that can access a resource referred to as an object. For example, if a user accesses a file, the user is the subject and the file is the object.

symmetric encryption A process of encrypting and decrypting data using a single key. Symmetric encryption algorithms are constant while the keys used to encrypt different sets of data are changed to prevent compromise. A popular symmetric encryption is Advanced Encryption Standard (AES).

TCP/IP Model A model developed by the Defense Advanced Research Projects Agency (DARPA). Some references list it with four layers (Application, Transport, Internet, and Link). Other references list it with five layers (Application, Transport, Network, Data Link, and Physical).

Terminal Access Controller Access Control System + (TACACS+) An alternative to RADIUS to provide centralized authentication, authorization, and accounting (AAA) services for remote clients. TACACS+ provides improvements over TACACS, and both TACACS and TACACS+ use port 49. Additionally, TACACS+ uses Transmission Control Protocol (TCP), where TACACS uses User Datagram Protocol (UDP).

threat Any activity that can be a possible danger. When a threat exploits a vulnerability, an organization can suffer losses.

token ring A network configuration where all computing devices are connected in a logical circle. Devices can transmit data onto the network only when they have a logical token that is passed from device to device.

Transmission Control Protocol (TCP) A connection-oriented protocol that provides guaranteed reliable communication for devices on a network. A three-way handshake establishes a TCP connection. TCP uses packet sequencing and the destination acknowledges every packet that it receives.

Transport Layer Security (TLS) The designated replacement for Secure Sockets Layer (SSL). It is based on SSL and is formally defined in RFC 5246. Some HTTPS sessions today are encrypted with TLS.

trapdoor Code embedded in an application used to provide access to the application, the application’s code, or its data via a covert method. It is also called a backdoor.

Trojan horse Malware that looks like one thing but is actually something different. Users are often tricked into installing the malware thinking that it will provide some benefit. When the application is installed, the Trojan horse also installs the malware.

tuple In a database, a tuple is a row in which data within the table is stored. Some database vendors call them rows, other vendors call them tuples. Similarly, some vendors refer to database table columns as attributes.

User Datagram Protocol (UDP) A connectionless protocol that uses a best effort to send data without verification. Instead of checking to see whether a connection exists with another system before sending data, it simply sends it. In comparison, Transmission Control Protocol (TCP) is a connection-oriented protocol that ensures a connection exists before sending data. As an example, Trivial File Transfer Protocol (TFTP) uses UDP, but FTP uses TCP.

virtual private network (VPN) A connection that provides access to a private network over a public network such as the Internet. VPNs use tunneling protocols (such as Point-to-Point Tunneling Protocol [PPTP] or Layer 2 Tunneling Protocol [L2TP]) to secure the traffic.

virus An application or a piece of code that causes unexpected and usually negative events on computers. One of the key characteristics of a virus is that the infected file must be executed for the virus to run.

Voice over Internet Protocol (VoIP) The different technologies used to transmit multimedia and voice communications over IP networks, including the Internet.

volatile RAM Any memory that requires power to hold the data. When a system is powered down, any data (including potential forensic evidence) within volatile RAM is lost.

vulnerability A weakness. It can be a weakness in a system, a configuration, a process, hardware, software, or any other aspect of a system. If a threat can exploit a vulnerability, an organization can suffer losses.

vulnerability assessment A process used to discover vulnerabilities. Vulnerability assessments can use technical tools to scan networks and systems for vulnerabilities. They can also include nontechnical means such as social engineering tactics to determine whether employees are susceptible to social engineering attacks.

warm site An alternate location used in business continuity planning. A warm site is a compromise between a cold site and a hot site. The organization makes compromises with costs and time.

well-known port Logical port numbers from 0 to 1,023 identified by the Internet Assigned Numbers Authority (IANA) to be used with specific Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) protocols. For example, HTTP uses port 80.

whitelisting An alternative to host intrusion detection system (HIDS) and host intrusion prevention system (HIPS). Instead of using a HIDS, a HIPS, and/or antivirus (AV) software to detect potentially malicious software, the application whitelist identifies approved software. Any software that attempts to run but is not on the list is blocked.

Wi-Fi Protected Access (WPA/WPA2) Wi-Fi-related security protocols. WPA was introduced as a replacement for Wired Equivalent Privacy (WEP) to secure wireless networks. WPA2 was created as a permanent replacement and is formalized as IEEE 802.11i. WPA and WPA2 can operate in either Personal or Enterprise mode. Personal mode uses a pre-shared key (PSK), and Enterprise mode uses an authentication server such as a Remote Authentication Dial-In User Service (RADIUS) or 802.1X server.

WiMAX Worldwide Interoperability for Microwave Access (WiMAX) is a standard based on IEEE 802.16. It provides broadband wireless access over a large metropolitan area, such as a city, with speeds comparable to wired broadband access.

Wired Equivalent Privacy (WEP) The first security algorithm used for 802.11 wireless networks. WEP has several security issues and has been deprecated in favor of WPA and WPA2. It should not be used.

worm Malware that travels over the network looking for systems to infect. Worms do not require any type of interaction to execute.

zero day exploit An attack that takes advantage of unpublished vulnerabilities. In some cases, the vendor knows about the exploit but has not released a patch yet. In either case, the vulnerability is not patched.
