Glossary

A

access control Access control is the process of granting, preventing, or revoking access to an object.

access point A wireless access point provides connectivity between the distribution network and the wireless client.

accounting Accounting is the process of auditing and monitoring user operations on a resource.

ACL Stateful and traditional firewalls can analyze packets and judge them against a set of predetermined rules called access control lists (ACLs). They inspect the following elements within a packet: source address, destination address, source port, destination port, and protocol. ACLs are typically configured in firewalls, but they can also be configured in network infrastructure devices such as routers, switches, wireless LAN controllers (WLCs), and others.

action The result from a selector triggering on a match.

alert log Records errors and events such as startup, shutdown, space errors, and so on.

AMP Advanced malware protection—a Cisco solution for detecting and mitigating malware in the corporate network.

antivirus and antimalware The terms antivirus and antimalware are generally used interchangeably to indicate software that can be used to detect and prevent the installation of computer malware and, in some cases, quarantine affected computers or eradicate the malware and restore the operation of the system.

asset Anything that has value for the organization. In simple terms, an asset can be any organization resource, including personnel, hardware, software, buildings, and data.

asset classification In information security, refers to the process of classifying an asset or data based on the potential damage a breach to the confidentiality, integrity, or availability of that data could cause.

asset handling In information security, refers to procedures and technologies that allow the secure storage, use, and transfer of an asset.

asset inventory The collection and storage of information about assets, such as location, security classification, and owner.

asset management In information security, refers to policies, processes, and technologies to manage and protect organization assets during their lifecycle.

asset ownership The process of assigning an owner to an asset. Each asset within the organization needs an owner. The owner is responsible for the security of the asset during its lifecycle.

asymmetric algorithms Encryption algorithms that use two different keys: a public key and a private key. Together they make a key pair.

attribute-based access control ABAC is an access control model where the access decision is based on the attributes or characteristics of the subject, object, and environment.

authentication The process of proving the identity of an entity.

authorization The process of providing access to a resource with specific access rights.

autonomous access point Access points that implement both real-time and management functions. These are autonomous and thus work in a standalone mode. Each AP needs to be configured individually.

B

backdoor A piece of malware or configuration change that allows an attacker to control the victim’s system remotely. For example, a backdoor can open a network port on the affected system so that the attacker can connect and control the system. A backdoor application can be installed by the attacker either to allow future access or to collect information to use in further attacks.

block cipher A symmetric key cipher that operates on a group of bits called a block. A block cipher encryption algorithm may take a 64-bit block of plaintext and generate a 64-bit block of ciphertext. With this type of encryption, the same key is used to encrypt and decrypt.

botnet A collection of compromised machines that the attacker can manipulate from a command and control (CnC) system to participate in a DDoS, send spam emails, or perform other illicit activities.

buffer overflow Occurs when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer. As a result, data written outside the bounds of a block of allocated memory can corrupt other data or crash the program or operating system. In a worst-case scenario, this can lead to the execution of malicious code. There is a wide variety of ways buffer overflows can occur and, unfortunately, many of the techniques commonly used to prevent them are error-prone.

C

certificate authority A system that generates and issues digital certificates to users and systems.

change Any modification, addition, or removal of an organizational resource, for example, of a configuration item. A common categorization includes Standard, Emergency, and Normal changes.

change management Change management is concerned with all policies, processes, and technologies that handle a change on an asset lifecycle.

child process A process created by some other process during runtime.

Classless Inter-Domain Routing (CIDR) IP address assignment that uses prefix notation to determine the network prefix. This allows for more flexible IP address allocation compared to a classful schema.

clientless VPN Provides remote access services without requiring a host client. Typically this is based on providing access to a secure network segment also known as a “sandbox.”

collision domain A network link or section that is shared between the transmitting and receiving stations. When multiple stations transmit information at the same time, a collision occurs due to the overlapping signals over the transport mechanism (for example, radio frequencies or wire). A typical example of a collision domain is a shared Ethernet bus.

Common Vulnerabilities and Exposures (CVE) A dictionary of vulnerabilities and exposures in products and systems maintained by MITRE. A CVE-ID is the industry standard method to identify vulnerabilities.

Common Vulnerability Scoring System (CVSS) An industry standard used to convey information about the severity of vulnerabilities.

Configuration Item (CI) An identifiable part of the system that is the target of the configuration control process.

configuration management A process concerned with all policies, processes, and technologies used to maintain the integrity of the configuration of a given asset.

configuration management database A database that stores configuration items and configuration records.

Configuration Record A collection of attributes and relationships of a configuration item.

connectionless communication A type of communication that does not require a communication channel to be established before data is transmitted or an acknowledgement is sent from the receiving station. UDP is an example of a protocol using connectionless communication.

connection-oriented communication A type of communication that requires a communication channel to be established before data is transmitted. TCP is an example of a connection-oriented protocol.

CSRF Cross-site request forgery is a vulnerability that forces an end user to execute malicious steps on a web application. This is typically done after the user is authenticated to the application. CSRF attacks generally target state-changing requests, and the attacker cannot steal data because he or she has no way to see the response to the forged request. CSRF attacks are generally combined with social engineering when carried out.

D

daemon A process that runs in the background.

Diffie-Hellman A key agreement protocol that enables two users or devices to authenticate each other’s preshared keys without actually sending the keys over the unsecured medium.

digital certificate A digital entity used to verify that a user is who he or she claims to be, and to provide the receiver with the means to encode a reply. Digital certificates also apply to systems, not just individuals.

directory Repository used by an organization to store information about users, systems, networks, etc. Information stored in directories can be used for identifying and authenticating users, as well as to apply security policies and authorization.

Directory Service Directory Services use directories to provide an organization with a way to manage identity, authentication, and authorization services.

discretionary access control DAC is an access control model where the access decision and permission are decided by the object owner.

DLP Data loss prevention is a software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

DNS tunneling Attackers can encapsulate chunks of data into DNS packets to steal sensitive information such as personally identifiable information (PII), credit card numbers, and much more.

Domain Name System Includes an architecture and protocol that enable several functions. The most important function is the resolution of IP addresses provided a fully qualified domain name (FQDN).

downloader A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.

Dynamic Host Configuration Protocol (DHCP) A protocol used to assign IP addresses dynamically to devices.

dynamic MAC address learning A mechanism that helps populate the MAC address table. When a switch receives an Ethernet frame on a port, it notes the source MAC address and inserts an entry in the MAC address table, marking that MAC address as reachable from that port.

dynamic memory allocation When a program allocates memory at runtime.

E

Enterprise Mobile Management (EMM) Includes policies, processes, and technologies to allow the secure management of mobile devices. Technologies that enable BYOD, Mobile Device Management (MDM), and Mobile Application Management (MAM) are examples of areas covered by an organization's EMM.

Ethernet Ethernet is a protocol used to provide transmission and services for physical and data link layers, and it is described in the IEEE 802.3 standards collection. Ethernet is part of the larger IEEE 802 standards for LAN communication. Another example of IEEE 802 standards is 802.11, which covers wireless LANs.

Ethernet broadcast domain A broadcast domain is formed by all devices connected to the same LAN switches. Broadcast domains are separated by network layer devices such as routers. An Ethernet broadcast domain is sometimes also called a subnet.

exploit A malicious program designed to “exploit” or take advantage of a single vulnerability or set of vulnerabilities. An exploit can be software or a sequence of commands that takes advantage of a vulnerability in order to cause harm to a system or network.

F

facility The application or process that submits the log message.

Federated SSO A further evolution of the single sign-on (SSO) model within one organization: a model in which a user authenticates once and then has access to resources across multiple organizations that are not managed under the same IAM system.

fiber A unit of execution that is manually scheduled by an application.

file permissions Used to assign access rights for the owner of the file, members of the group of related users, and everybody else.

fork A command that creates child processes.

full duplex In full duplex mode, two devices can transmit simultaneously because there is a dedicated channel allocated for the transmission. Because of that, there is no need to detect collisions or to wait before transmitting. Full duplex is called “collision free” because collisions cannot happen.

G

group A set of permissions for one or more users grouped together.

H

half duplex In half duplex mode, two Ethernet devices share a common transmission medium. The access is controlled by implementing Carrier Sense Multiple Access with Collision Detection (CSMA/CD). With CSMA/CD, a device has the ability to detect whether there is a transmission occurring over the shared medium.

handle An abstract reference value to a resource.

hashing algorithm An algorithm used to verify data integrity.

heap Memory set aside for dynamic allocation, meaning where you put data on the fly.

HeapAlloc Allocates any size of memory that is requested, meaning it allocates by default.

hives Hierarchical folders within the Windows registry.

host-based intrusion prevention system A HIPS is specialized software that interacts with the host operating system to provide access control and threat protection. In most cases, it also includes network detection and protection capabilities on the host network interface cards. If there are no prevention capabilities and the system can only detect threats, it is referred to as a host-based intrusion detection system (HIDS).

I

identification The process of providing identity to the access control policy enforcer.

Identity and Access Management (IAM) A collection of policies, processes, and technology to manage identity, authentication, and authorization to organization resources.

init process The first process during the boot sequence.

IKE IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote-access VPN tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols—namely, Oakley and Secure Key Exchange Mechanism (SKEME).

IKEv1 vs. IKEv2 IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. There is a single exchange of a message pair for IKEv2 IKE_SA. IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 uses an exchange of at least three message pairs for Phase 2.

information or data owner The person who maintains ownership and responsibility over a specific piece or subset of data. Part of the responsibility of this role is to determine the appropriate classification of the information, ensure that the information is protected with controls, periodically review classification and access rights, and understand the risk associated with the information he or she owns. Together with senior management, the information or data owner holds the responsibility for the security of the asset.

Internet protocol The most widely used Layer 3 protocol. It comes in two versions: IPv4 and IPv6.

IP address A 32-bit (IPv4) or 128-bit (IPv6) identifier used to allow two devices to communicate at Layer 3 using IP.

IP address resolution Defines the methods for a host to find the Ethernet MAC address corresponding to a given IP address. For IPv4, this is done using ARP. IPv6 uses NDP instead.

IPS An intrusion prevention system is a network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

ITU-T X.500 A collection of standards including information on directory organization and protocols to access the information within the directories.

J

job object Processes grouped together to be managed as a unit.

K

key logger A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device. It collects sensitive information such as passwords, PINs, personal identifiable information (PII), credit card numbers, and more.

L

LAN bridge Unlike a LAN hub, which just regenerates a signal, a LAN bridge typically implements some frame-forwarding decision based on whether or not a frame needs to reach a device on the other side of the bridge.

LAN hub The role of the LAN hub or repeater is solely to regenerate a signal and transmit it to all its ports. This type of topology is a typical half duplex transmission mode and, as in the case of an Ethernet bus, defines a single collision domain.

LAN switch A device that allows multiple stations to connect in full duplex mode. This creates a separate collision domain for each of the ports, so collisions cannot happen.

LDAP Lightweight Directory Access Protocol is based on X.500 and maintains the same directory structure and definition. It simplifies directory queries and has been designed to work with the TCP/IP stack.

lightweight access point A LAP is an access point that implements only the real-time functions and works together with a management device called a wireless LAN controller (WLC), which provides the management functions. The communication between LAPs and the WLC is done using the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.

local area network LAN describes a collection of devices, protocols, and technologies that operate and are located near each other. It can be wired if cables are used to connect devices or wireless if the communication occurs over radio waves.

log parser A versatile tool that provides universal query access to text-based data.

logic bomb A type of malicious code that is injected into a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system. Examples of these malicious tasks include deleting or corrupting files or databases and executing a specific instruction after certain system conditions are met.

logs collection The process of collecting and organizing logs for analysis. A log collector is software that can receive logs from multiple sources and in some cases offers storage capabilities and log analysis functionality.

M

MAC address To transmit a frame, Ethernet uses source and destination addresses. The Ethernet addresses are called MAC addresses, or Extended Unique Identifiers (EUI) in the new terminology, and they are either 48 bits (MAC-48 or EUI-48) or 64 bits (MAC-64 or EUI-64) if we consider all MAC addresses for the larger IEEE 802 standard.

MAC address table A table that keeps the link between a MAC address and the physical port of the switch where frames for that MAC address should be forwarded.

mailer and mass-mailer worm A type of worm that sends itself in an email message. Examples of mass-mailer worms are Loveletter.A@mm and W32/SKA.A@m (a.k.a. the Happy99 worm), which sends a copy of itself every time the user sends a new message.

Malloc A standard C and C++ library function that allocates memory to a process using the C runtime heap.

mandatory access control MAC is an access control model where the access decision is enforced by the access policy enforcer (for example, the operating system). MAC uses security labels.

Microsoft Windows service A long-running executable application that operates in its own Windows session.

Mobile Device Management (MDM) MDM manages the deployment, operations, and monitoring of mobile devices used to access organization resources. It is used to enforce organizational security policy on mobile devices.

multilayer switch A switch that integrates Layer 3 functionality.

N

NetFlow NetFlow is a Cisco technology that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device. NetFlow is used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow information and provides a network administrator or security professional with detailed information about such flows.

NetFlow provides detailed network telemetry that can be used to see what is actually happening across the entire network. You can use NetFlow to identify DoS attacks, quickly identify compromised endpoints and network infrastructure devices, and monitor network usage of employees, contractors, and partners. NetFlow is also often used to obtain network telemetry during security incident response and forensics.

network address translation NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network, and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network.

network-based intrusion prevention system A NIPS is a specialized networking device deployed at important network segments that has visibility into all traffic entering or exiting a segment. A NIPS has prevention capabilities, that is, it is able to prevent a threat from reaching the target. If there are only detection capabilities, then the system is called a network-based intrusion detection system (NIDS).

network firewall A firewall that provides key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.

O

One Time Password A password, randomly generated, that can be used only once.

orphan process A child process that’s permitted to continue on its own after its parent process is terminated.

orphan symlink A symlink pointing to nothing because the file that it references doesn’t exist anymore.

OSI model The Open System Interconnection (OSI) model is an alternative to the TCP/IP model proposed by ISO. It is organized in layers, each describing a different function of a communication or computing device. While it is much more complete than the TCP/IP model, it is also more complex.

P

Password Management Collection of processes, policies, and technologies that help an organization and users to improve the security of their password authentication systems. It includes policies and technologies around password creation, password storage, and password reset.

Patch Management The process of identifying, acquiring, installing, and verifying patches for products and systems.

peer-to-peer (P2P) communication The distributed architecture that “divides tasks” between participant computing peers. In a P2P network, the peers are equally privileged, which is why it’s called a “peer-to-peer” network of nodes.

Penetration Assessment Also called a pen test, it is used to test whether a vulnerability can be exploited. Besides trying to exploit known vulnerabilities, a penetration test may also be able to find unknown vulnerabilities in a system.

pivoting Also known as island hopping, pivoting means to attack other systems on the same network.

priority Indicates the level of importance of the message.

private IP address An address that cannot be routed over the Internet.

process A running instance of a program.

protocol misinterpretation attack An attack where protocols are manipulated to confuse security devices from properly evaluating traffic.

R

rainbow table The concept of a rainbow table is that the attacker computes possible passwords and their hashes in a given system and puts the results into a lookup table called a “rainbow table.” This allows an attacker to just get a hash from the victim system and then just search for that hash in the rainbow table to get the plaintext password. To mitigate rainbow table attacks, you can disable LM hashes and use long and complex passwords.

ransomware A type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system.

remote access VPN Connects a remote host to a trusted network.

Request For Change (RFC) A formal request for a change that usually includes a high-level description of the change, the reason for the change, and other information.

resource exhaustion attack An attack that consumes the resources necessary to perform an action.

role-based access control RBAC is an access control model where the access decision is based on the role or function of the subject.

rootkit A set of tools used by an attacker to elevate privileges and obtain root-level access in order to completely take control of the affected system.

router A router or IP gateway is a Layer 3 device that performs packet routing. It has two or more interfaces connected to a network segment—either a LAN segment or a WAN segment. Although a router is usually classified as Layer 3, most modern routers implement all layers of the TCP/IP model; however, their main function is to route packets at Layer 3.

routing protocol A protocol that allows the exchange of information about an IP packet forwarding path. If the protocol operates within the organization boundary, it is called an interior gateway protocol (IGP); if it operates between organizations, it is called an exterior gateway protocol (EGP). The most common IGP routing protocols are based on three models: Distance Vector, Link-State, and Hybrid. The most common IGPs are RIPv2 (RIPng for IPv6), OSPFv2 and v3, EIGRP (with IPv6), and IS-IS. The most common EGP is BGP.

routing table A routing table or routing database is somewhat similar to a MAC address table. A routing table contains two main pieces of information: the destination IP or network and the next-hop IP address, which is the IP address of the next device where the IP packet should be sent.

S

Secure Shell (SSH) Encrypts traffic between a client and SSH server and uses public-key cryptography to authenticate the remote computer and permit it to authenticate the user.

Security baseline configuration A set of attributes and configuration items related to a system which has been formally reviewed and approved. It can be changed only with a formal change process.

Security Information and Event Manager (SIEM) A specialized device or software for security event management. It typically includes logs collection, normalization, aggregation and correlation capabilities, and built-in reporting.

selector Monitors for one or more facility and level combinations and, when triggered, performs some action.

session log Tracks changes made on managed hosts during a web-based system manager session.

Single Sign-On (SSO) An authentication system that allows users to authenticate with only one system and only once to get access to organization resources.

site-to-site VPN Connects one or more hosts over a secure connection.

spammer An attacker who uses the type of malware whose sole purpose is to send unsolicited messages with the primary goal of fooling users into clicking on malicious links or replying to emails or such messages with sensitive information. The attacker seeks to perform different types of scams with the main objective being to make money.

SQL injection An attack where the attacker inserts or “injects” a SQL query via the input data from the client to the application or database. An attacker can exploit SQL injection vulnerabilities in order to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.

stack Memory set aside as spare space for a thread of execution.

stateless address auto configuration (SLAAC) A method of IPv6 address configuration.

static memory allocation When a program allocates memory at compile time.

subject/object A subject is defined as any active entity that requests access to a resource, also called the object. The subject usually performs the request on behalf of a principal. An object is defined as the passive entity that is, or contains, the information needed by the subject.

symlink Any file that contains a reference to another file or directory.

symmetric algorithm An encryption algorithm that uses the same key to encrypt and decrypt the data.

T

tcpdump An open source packet capture utility.

TCP/IP model A layered model at the base of most of the modern communication networks.

thread A basic unit an operating system allocates process time to.

thread pool A group of worker threads that efficiently execute asynchronous callbacks for the application.

threat Any potential danger to an asset. If a vulnerability exists but has not yet been exploited or, more importantly, it is not yet publicly known, the threat is latent and not yet realized. If someone is actively launching an attack against your system and successfully accesses something or compromises your security against an asset, the threat is realized. The entity that takes advantage of the vulnerability is known as the malicious actor, and the path used by this actor to perform the attack is known as the threat agent or threat vector.

threat actor An individual or group of individuals that performs an attack or is responsible for a security incident that impacts or has the potential of impacting an organization or individual.

threat log A log that triggers when an action matches one of the security profiles attached to a security rule.

Tor Tor is a free tool that enables its users to surf the Web anonymously. Tor works by “routing” IP traffic through a free, worldwide network consisting of thousands of Tor relays. It then constantly changes the way it routes traffic in order to obscure a user’s location from anyone monitoring the network. Tor’s name was created from the acronym for the original software project name, “The Onion Router.”

Tor exit node Basically the last Tor node or the “gateway” where the Tor encrypted traffic “exits” to the Internet.

traffic fragmentation attack A method of avoiding detection by breaking up a single Internet Protocol (IP) datagram into multiple smaller packets.

traffic substitution and insertion attack Substituting the payload data with data in a different format but with the same meaning, with the goal of being ignored due to not being recognized by the security device.

traffic timing attack An attack in which the attacker performs actions slower than normal while not exceeding thresholds inside the time windows the detection signatures use to correlate different packets together.

transaction log Records all transactions that occur.

transport protocol socket A combination of three pieces of information: the host IP address, a port number, and the transport layer protocol. The first two items are sometimes grouped together under the notion of "socket address."

Trojan horse A type of malware that executes instructions, determined by the nature of the Trojan, to delete files, steal data, or compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices. Trojans can also act as backdoors.

trunk A connection between two switches using a VLAN.

V

variable-length subnet mask (VLSM) An IP address schema that uses a variable-length prefix or subnet mask to improve efficiency in the IP address allocation.

virtual address space The virtual memory used by processes.

VirtualAlloc A specialized allocation of OS virtual memory that allocates straight into virtual memory via reserved blocks.

virtual private network (VPN) Used to hide or encode something so that the content is protected from unwanted parties.

virus Malicious software that infects a host file or system area to perform undesirable actions such as erasing data, stealing information, and corrupting the integrity of the system. In numerous cases, the virus multiplies again to form new generations of itself.

VLAN A virtual LAN is a virtually separated subnet created on a switch. The switch uses a VLAN ID to tag traffic and keep the broadcast domain separated.

vulnerability An exploitable weakness in a system or its design. Vulnerabilities can be found in protocols, operating systems, applications, hardware, and system designs. Vulnerabilities abound, with more discovered every day.

vulnerability management The process of identifying, analyzing, prioritizing, and remediating vulnerabilities in software and hardware.

vulnerability scanner Software that can be used to identify vulnerabilities on systems.

W

war driving This is a methodology used by attackers to find wireless access points wherever they may be. The term war driving comes from the fact that the attacker can just drive around and get a huge amount of information over a very short period of time.

Windows Management Instrumentation (WMI) A scalable system management infrastructure that was built around a single consistent, standards-based, extensible, object-oriented interface.

Windows process permission User authentication data that is stored in a token and used to describe the security context of all processes associated with the user.

Windows registry A hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices.

wireless LAN A LAN that uses radio frequency as its medium.

Wireshark An open source packet capture sniffer.

worm A virus that replicates itself over the network, infecting numerous vulnerable systems. In most occasions, a worm will execute malicious instructions on a remote system without user interaction.

X

XSS A type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites. An attacker can launch an attack against an XSS vulnerability using a web application to send malicious code (typically in the form of a browser-side script) to a different end user. XSS vulnerabilities are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. There are several types of XSS vulnerabilities: reflected, stored, and so on.

Z

zombie process A terminated process that releases its associated memory and resources but still remains in the entry table.
