APPENDIX A
Glossary

3DES
Also known as Triple DES, 3DES is a block cipher encryption algorithm that employs symmetric keys. It applies the DES algorithm three times to each block.

A

AAA protocol
A protocol providing Authentication, Authorization, and Accounting that operates over link layer protocols such as PPP and authenticates using PAP or CHAP.
access codes
A numerical sequence, typically four digits long, that identifies the authorized client(s) or user(s). Once properly authenticated, access codes may arm, disarm, or access the security system for other features.
access control
Security precautions that ensure resources are granted only to those users who are entitled to them.
access control gate
An opening in a wall or fence that functions as a passageway between two open spaces (as opposed to a door, which provides access into or between enclosed spaces).
access control list
A list that controls access to a network segment via whitelisting or blacklisting.
access control policy
The method by which an access control list is generated.
Acknowledge (ACK)
Part of the second and third (final) steps of the Three-Way Handshake of the TCP/IP protocol. This part of the segment acknowledges the request for synchronization.
Active Directory
A directory service provided by Microsoft that handles domain management, which includes authentication, authorization, certificate management, and more.
Active RFID tags
These self-powered tags provide a longer range but are much more expensive. Active Radio Frequency Identifier tags transfer identifying information by way of electromagnetic fields.
ActiveX
A Microsoft utility that enables web applications to build extended, interactive features and functionality in the browser. ActiveX automatically downloads without involving the user, which creates a potential security vulnerability that can be used by crackers to embed malicious code in hacked websites.
Adaptive Frequency Hopping Spread Spectrum (AFHSS)
The Bluetooth specification implements this in the license-free 2.4 GHz band to provide security and avoid crowded frequency ranges by hopping between previously divided subfrequencies.
Address Resolution Protocol (ARP) spoofing attacks
An attack where the attacker sends fake ARP messages to associate their MAC address with the IP address of another user. Once the association has been established, messages directed to that address will be diverted to the attacker. The attacker can then use information obtained from the intercepted messages to mount other types of attacks, such as DoS or man-in-the-middle attacks.
Address Space Layout Randomization (ASLR)
This is a technique used to prevent or lessen the impacts of buffer overflow attacks.
administrative tools
These tools include programs designed to control the usage of the computer’s memory, administer and optimize hard-disk-drive usage, configure OS services running on the computer, control the hardware/OS handoff during startup, and troubleshoot operating system problems.
Adobe Reader
Adobe’s PDF software. Exploits may lead to arbitrary code execution, sandbox bypassing, or simple denial-of-service usually through memory corruption.
Advanced Encryption Standard (AES)
A block-level encryption algorithm that uses symmetric keys. Announced by NIST in 2001, it has been adopted by the United States government and supersedes DES.
Advanced Persistent Threats
These threats target very specific and very secure systems over a continuous period of time.
adware
Unwanted, unsolicited advertising usually displayed in web browsers.
algorithm
As related to computer security, an algorithm is code used to alter a message so that unauthorized people cannot read it.
analog camera
A camera that requires a separate coaxial cable to connect to a monitor or to the recording device. Analog cameras are susceptible to quality degradation of the information being transmitted.
Android
An operating system that was developed for use with tablet and smart phone devices. It primarily uses touchscreen gestures for operation and control. It is currently the most popular mobile operating system in use.
annunciators
Alarm system devices that signal the operating condition of the system by sound, light, or other indication.
anomaly analysis
This analysis system applies statistical analysis techniques to the data stream in order to determine whether it is “normal” or “anomalous” at any given time.
anomaly-based IDS/IDPS
Intrusion-detection systems that use anomaly analysis to detect and prevent unauthorized access to a network.
anonymous proxy
A proxy server that provides client anonymity by concealing the original IP address.
antispyware
Programs that defend against spyware by either detecting and then removing the spyware and/or blocking it in the first place.
antivirus
Programs that defend against computer viruses by either detecting and then removing them and/or blocking them in the first place.
Apple OS X
The Apple operating system, which is Unix-based.
Apple’s Time Machine
Apple’s backup software application.
appliance-based virtualization
These are closed storage management systems that are placed between the user network and the storage network.
application-level encryption
One method of applying encryption at the application level, providing a broader security standard.
application packages
These operate as extensions of the operating system. Depending on the type of operating system being used, an application program may directly control some system resources, such as printers and network interfaces, while the operating system lends fundamental support in the background. In more advanced systems, the operating system supplies common input, output, and disk management functions for all applications in the system.
application servers
Servers configured to perform a specific role in the organization’s business activities for the organization’s internal users.
Application Service Provider (ASP)
The ancestor of modern cloud computing. An enterprise that provides application-based services to paying customers across a network.
Application zone
A delegated zone defined by the usage of applications within an Intranet environment. The zone is created by use of firewalls, routers, and switches.
asset
Something of value; it can be tangible (e.g., a flash drive) or intangible (e.g., the data on that flash drive).
asymmetric keys
A pair of keys used in encryption algorithms; one key is used for encryption and the other key is used for decryption.
asymmetrical (out-of-band) virtualization
The virtualization device is installed outside the actual data path between the network and the storage system.
attack surface
The sum of the different opportunities for being attacked.
attenuation
A measure of how much signal loss occurs as the information moves across a transport medium such as a fiber optic cable.
audit entries
Items added to the security log when an audited event occurs.
audit event log files
These are where the audit entries are stored.
audit policy
This defines the types of events that will be monitored and added to the system’s security logs.
audit trail
A record of a user’s computer usage.
auditing
A form of accounting that is a preplanned monitoring method to evaluate or determine if problems exist within a specific area.
authentication
The process of determining that someone is who they say they are.
Authentication, Authorization, and Accounting (AAA)
A framework that network administrators can use to control access, enforce security policies, and track usage.
Authentication Header (AH)
A protocol used by IPsec to prevent packet changes in transport. This provides integrity and authentication.
Authentication Server (AS)
A server whose function is to provide network users with authentication.
authentication system
A network system used to provide authentication.
authoritative
A server that provides definitive answers to DNS queries rather than from a cache or by requesting that information from another name server.
authorization
The resources that a user has permission to access, and what actions they can perform.
authorized
Being recognized as a person who has the right to access an asset.
automated access control
A design feature that requires authentication of the identity of a user attempting to access a security zone or computer system from a distant location.
automated provisioning
Similar to Rule-Based Access Control, this is a method where a rule is the basic element. The rule defines what operations can be performed.
Autorun
A feature that automatically runs executable programs found on removable media devices as soon as it detects the presence of the media in the drive or reader. This feature poses a very serious security threat because malware programs located on the media will run automatically and infect the host device.

B

backup media
This is what the data backups are stored on—e.g., DVD-Rs.
backup policy
A policy that defines what to back up, when to back up, and where to store the backups. Also includes who has authorization over the backups and how they are made.
bandwidth
This is the media’s total ability to carry data at a given instant.
barriers
These impede the ability of an intruder to advance from the outer perimeter to the interior region.
Basic Input/Output System (BIOS)
The program that boots up the computer and controls input and output operations.
bastion host
A bastion host is located in the DMZ and may be a firewall, a router, a server, or a group of computers that are not protected behind another firewall, but that have direct access to the Internet.
beacon frames
These let nearby clients know which networks an access point is broadcasting.
beacon interval
This determines the amount of time between beacon frames.
biometric solutions
Using the unique physical features of a person (fingerprints, voiceprints, and/or retinal scans) to provide identification and authentication.
biometrics
These are access control mechanisms that use human physical characteristics to verify individual identities.
BitLocker
A native utility on some newer, high-end Windows OS versions that provides full disk-level encryption.
black hat hacker
An individual who possesses extensive programming skills and uses them for the purpose of breaching or bypassing network security structures for malicious or criminal purposes.
blacklisting
When access is denied only to users matching given criteria.
blacklists
Lists of users who are untrusted.
block cipher
A cipher that applies an algorithm to a block of data, rather than a single bit at a time.
Blowfish
A block-level encryption algorithm that uses symmetric-key encryption.
Bluebugging
A type of Bluetooth attack where a hacker can gain total control over the device if it is left discoverable.
Bluejacking
This is the act of sending unsolicited messages to Bluetooth devices that are set to be automatically discoverable.
Bluesnarfing
This is running special software on a nearby Bluetooth device that requests information from the mobile device.
Bluetooth
A wireless networking specification for personal area networks (PANs) that meshes together personal devices including PDAs, cell phones, digital cameras, PCs, notebooks, and printers.
boot files
These take over control of the system hardware from the ROM BIOS during start-up. They bring the OS kernel files into RAM so they can be used to control the operation of the system.
booter services
Services that perform DoS attacks for a price.
bot herder
The unauthorized person in control of a botnet.
botnet
A large collection of zombies, or bots, controlled by a bot herder.
bots (zombie computers)
PCs controlled by an unauthorized person.
bring-your-own-device (BYOD)
Authorizing the use of an employee’s own device instead of providing one, for business-related activities.
broadcast storm
This is when broadcast traffic is rebroadcast by every network device, eventually causing traffic delivery failure. This can quickly overload switches and routers and overwhelm a network.
broadcast traffic
This is sending messages to all possible destinations on a network.
Browser Exploitation Framework (BeEF)
A notable open-source penetration testing tool that focuses on web-borne attacks through a web browser.
brute-force attack
This is where the attacker systematically guesses the key based on a known list or a predictive mathematical scheme. This can involve hundreds of thousands of attempts.
buffer overflow
An anomaly where a program overruns the buffer boundary, thereby resulting in erratic behavior, memory access errors, and/or system crashes. The system is effectively disabled to the point where the user cannot use it.
buffer overflow attack
Causing a system to have a buffer overflow.
bus topology
The nodes, or stations, of the network connect to a central communication link.
Business-to-Business (B2B)
Network channels that organizations use to conduct secure transactions with other trusted organizations.
Business-to-Customer (B2C)
This is a specialized DMZ that’s used by an organization to communicate with its customers.
bypass mode
A mode available for many alarm systems designed to let someone through the alarm area without triggering the alarm.
bypassing
Turning off or disabling a sensor, device, or an entire zone without affecting the rest of the system.

C

cabinetry
Specialized furniture used to secure physical computing assets.
cache poisoning
When an attacker establishes a rogue DNS server and then uses that server to feed false information back to the primary DNS server, thereby poisoning the primary DNS server’s cached resources.
caching device
A device that stores certain data for quicker responses to future requests.
caching servers
Using cached web pages, a proxy server will serve already-accessed web pages placed in its cache to requesting clients without requiring outside access to the Internet.
caching web proxies
Local servers that cache (store) web resources for quicker access.
camera deployment strategy
Determining where security cameras will be placed.
candela
A measure of foot-candles.
cantenna
A home-built tin-can waveguide antenna that can amplify Wi-Fi signals.
certificate chain
This is the list of certificates starting with the root certificate, followed by each subsequent certificate, where the issuer or signer of one certificate is the subject of the next.
Challenge-Handshake Authentication Protocol (CHAP)
An authentication method using a three-way handshake (syn, syn-ack, ack) to identify remote clients.
Charge-Coupled Device (CCD)
A surveillance camera technology featuring high-resolution, low-operating light requirements, less temperature dependence, and high reliability.
chokepoint
A place where people or other traffic must pass through a portal—such as a gate, doorway, hallway, or access street/road—that may lead to a single point of failure.
chroot
A Linux-based command that adjusts the root directory location of a currently running process. May also be used for creating and managing multiple virtualized copies of an operating system.
cipher
In cryptography, a cipher is the algorithm used to encrypt data.
cipher locks
Locks that operate by unlocking magnetic door locks when the correct programmed code is entered by the user on the cipher lock keypad.
ciphertext
The text of any data after it has been encoded by a cryptographic key.
Cisco Discovery Protocol (CDP) attacks
The CDP protocol enables Cisco devices to communicate with other Cisco devices to exchange information. Attackers can use this protocol to gather information about the switches and other network devices running CDP on the network.
cleartext
Stored or transmitted data that has not been encrypted.
clickjacking attack
This attack employs deceptive frame techniques to trick the user into clicking on their content rather than the intended content.
client-server
A configuration in which a number of users on multiple workstations have their data stored on a server.
client/server network
Where dependent workstations, referred to as clients, operate in conjunction with a dedicated master computer called a server.
closed-circuit television (CCTV)
Electronic security and surveillance technology that often provides real-time monitoring of exterior and interior residential areas. The signals produced from a CCTV system are not publicly distributed.
cloud-based services
Clouds are hosted services with special client application software that extends the users’ desktops or mobile files and data storage to an Internet service.
cloud computing
Utilizing remote, networked servers for resources. These resources may include data storage, data processing, and others, thereby reducing the hardware needs of a local machine.
coaxial cable
A transmission cable consisting of two conductors insulated from one another and enclosed in a polyethylene jacket.
Common Criteria for Informational Security Evaluation (Common Criteria or CC)
This establishes Evaluation Assurance Levels that can be used to certify equipment reliability or assure levels of security. The greater the organizational security need, the higher the specific EAL value should be for any given network hardware or software asset.
Common Internet File System (CIFS)
A network protocol developed to provide shared access to files and devices, along with network communications.
Common Platform Enumeration (CPE)
This is a standardized method of describing and identifying operating systems, hardware devices, and application classes on a network.
Common Vulnerabilities and Exposures (CVE)
This is a system for referencing publicly known vulnerabilities. Maintained by MITRE Corporation and backed by the US Department of Homeland Security.
Common Vulnerability Scoring System (CVSS)
This is a system for scoring vulnerabilities from CVE, making it easier to understand the associated risks.
communication media
The hardware, firmware, and software used to physically store and/or transport the data that exits and enters computers. This media includes magnetic, optical, or floptical disks, tapes, and drives, either internal or removable.
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
These are generally a form input requesting a word, phrase, or string of random characters and numbers, or a request to perform a simple test that cannot easily be automated.
complexity
As it relates to passwords, it is the combination of the length, width, and depth of an input.
Conficker
This worm targeted thumb drives and would automatically execute as soon as it was connected to a live USB port.
Confidentiality, Integrity, and Availability (CIA)
This is the classic model of information security.
connectivity devices
Devices used to create network connections, including hubs, switches, and routers.
contingency planning
Planning for disasters/emergencies before they happen.
controller
The controller is responsible for taking the input information, comparing that information to a predetermined condition or a reference, making decisions about what action should be taken, and finally sending corrective error signals to the final element, which adjusts the manipulated variable.
cookie poisoning
An attacker stealing a cookie, altering it, and then sending the altered cookie back as an attack vector.
cookie theft
An attacker acquiring unauthorized access to a site by obtaining a cookie.
cookies
These are small files that web servers send to web browsers when their pages are accessed.
copper cabling
One of the primary physical transport mediums for network data transfer.
crackers
These individuals break computer security in order to gain access to software without purchasing it.
cracking
Utilizing software that repeatedly guesses passwords in a loop until access is granted.
CRAM-MD5
Email authentication system that transfers passwords in a hashed form.
credential harvesting
Any method used to collect another user’s authentication information.
cross-site scripting (XSS)
An attack method that allows the injection of client-side script into a web page that may be used by other, unsuspecting, users.
crypt
The original encryption utility included with older versions of Unix.
cryptography
The procedures, processes, and techniques used to convert data into secret code.
CryptoLocker
This is a ransomware Trojan.
cryptology
The study of cryptography.
current loop
The amount of electrical current flowing between a zone’s two connection points.
Cyber Kill Chain®
This is a process that was developed by Lockheed Martin to address attacks from threats considered Advanced Persistent Threats (APT).
cyber security policy
The company’s security policy explains the overall requirements needed to protect an organization’s network data and computer systems.
cyber warfare
A virtual conflict that involves politically motivated attacks on an adversary’s IT or ICS networks.
cybercriminals
These individuals are typically motivated by greed and seek financial gain. This group of hackers is probably the most notable hacker type, as they tend to generate the most notice.
cybersecurity
This is securing physical access to property, systems, and equipment ports while securing intangible assets including electronic, optical, and informational access to the system’s data and controls.
cyberterrorists
These individuals are typically not motivated by money, but rather by furtherance of a political agenda or ideology. The goal is to cause harm and chaos to the general public.

D

daemon
This is a standard, default user/group that has privilege to execute programs (background processes) that run without direction from the user.
data concentrators
These are used to group multiple smart meters together and aggregate their data transmissions for delivery to the utility servers in the central office.
data diode
A device that creates a one-way connection between networks or network segments that possess different security classifications.
data encoding
The process of converting data into a format used for transmission and storage.
Data Encryption Standard (DES)
A symmetric-key algorithm used for the encryption of data.
Data Execution Prevention (DEP)
A sandboxing scheme that isolates a given program to a specific memory region to protect the rest of the system from potential attack.
data in motion
Data that is in the process of being transmitted through a wired or wireless network.
data in use
Data that is in the process of being created, updated, retrieved, or deleted.
Data Segmentation for Privacy (DS4P)
Creates constraints to standards for meaningful use, consistent with federal and state privacy policies and regulations. In other words, it tries to clarify how to apply the standards in a way that is consistent with the intent of the regulation. DS4P supports a secure exchange of EHRs and privacy annotations applied to documents, messages, atomic data, and metadata.
deadband
Also known as a neutral zone or dead zone, a deadband is a band of inactivity above and below the set point of IPC.
deauthentication flood attack
This involves an attacker sending a deauthentication packet to an access point, which in turn removes any previously authenticated devices connected to it.
decrypt
Using the relevant key to unlock the scrambled ciphertext into plaintext so that it might be understood.
decryption
The process of converting previously encrypted data back to its original form.
decryption key
The key used to decrypt a secret code.
deep packet inspection (DPI)
Examining the actual data in a TCP/IP packet searching for signs of viruses, spam, and other defined threats to determine whether or not the packet should be forwarded.
default user accounts
As it applies to Microsoft, the accounts provided on every new installation of the Windows OS.
defense-in-depth
A defense strategy that includes a number of different overlapping security mechanisms, which potentially minimizes the effects of a single mechanism being overcome by an attacker.
demilitarized zone (DMZ)
The DMZ is a separate perimeter network that isolates the secure intranet from the outside world, yet enables public access to outward facing dedicated resources.
Denial of Service (DoS)
Attacks designed to overuse a host, server, or network resource to the point where it functionally ceases to provide its services.
desktop/single user
This is a single computer, possibly shared by a small group of users.
detection-specific audit records
Records generated to provide specific information about desired actions or events. These actions or events can be based on operating system activities, application events, or security events.
Dynamic Host Configuration Protocol (DHCP) server
A server that uses the network protocol to distribute network parameters such as IP addresses.
Dynamic Host Configuration Protocol (DHCP) snooping
A security technology built into an operating system to filter and block ingress (incoming) DHCP server messages that are deemed unacceptable.
dictionary attack
A systematic, brute-force attack using every word in a dictionary as a password for a given username.
digital cameras
These convert the images they detect directly into digital signals that can easily be transmitted to and manipulated by digital computing devices.
digital certificates
These are digital verifications that the sender of an encrypted message is who they claim to be.
digital IP device
Any digital device that can be identified by an IP address and, therefore, can be accessed by a network.
Digital Video Recorder (DVR)
The preferred type of recording system (rather than VCRs) for surveillance cameras. DVR technology for CCTV permits images to be transferred to disk, lessening the negative impact of poor quality video storage media.
direct-attached storage
This technique employs additional disk drive storage devices that are attached directly to the DVR via USB or eSATA connections.
directory harvest attacks (DHAs)
A spammer simply guesses email addresses at a domain and then connects to the email server of that domain. Any addresses that are not rejected are considered valid.
directory traversal
As it relates to an attack, directory traversal exploits poorly secured software applications to access files that should not be accessible. This is done by traversing to a higher level folder or directory.
Discretionary Access Control (DAC)
Configurations where the user has the discretion to decide who has access to their objects and to what extent.
discretionary access control list (DACL)
A list of rights that an object or user has to a specific resource within a network.
disk-level encryption
Involves using technology to encrypt an entire disk structure. This technique offers value in that it protects everything on the disk from unauthorized access, including the operating system files and structure.
disk operating system (DOS)
A collection of programs that run in the background and control overall computer operation.
distorting proxy
A proxy server that hides or modifies your IP address and related information.
Distributed Denial of Service (DDoS) attacks
Involve multiple remote systems being used to simultaneously perform a mass DoS attack on the targeted resource.
distributed IDS systems
Local hosts attached to a network have their own IDS modules installed. Additionally, there is an IDS management module installed on a network server that coordinates the flow of information to and from the individual local IDS modules.
Distributed Reflection and Amplification Denial of Service (DRDoS)
The attacker uses a relatively small botnet in a distributed attack on reflection servers that redirect the queries they receive, making it appear as though the reflection server is the actual source.
distributions
Linux-speak for versions.
diversion
This is a tactic intended to distract an individual from monitoring something. Typically, diversions are created so that an attacker can either view sensitive information without being seen or gain entry into a secure area without being questioned.
DNS RRL (DNS Response Rate Limiting)
A mitigation technique that limits the rate at which authoritative servers respond to large volumes of queries.
docking stations
Accessories designed for use with portable computing devices. The primary function of the docking station is to enable portable users to travel with their portable devices, yet still employ full-size peripheral and connectivity devices when they are in the office environment.
documentation
Official material that provides a record or evidence.
domain
A computer environment where all of the members of the network share a common directory database and are organized into various levels. The domain is identified by a unique name and is administered as a single unit having common rules and procedures.
domain controller
A centralized server that controls the objects, rules, and procedures of a domain.
Domain Name System (DNS) servers
These contain DNS databases (*.dns files) that are used to resolve computer names to IP addresses. These servers also contain mappings between Fully Qualified Domain Names and the IP addresses they represent.
Domain User and Group accounts
User and Group accounts that are defined within a domain environment.
Double Encapsulation VLAN Hopping attack
This attack results in two headers being added (double tagged) to the original frame. One of the tags represents the target’s VLAN ID, while the other is the VLAN ID of the attacker’s switch. When the packet hits the attacker’s switch, the first tag is stripped out but the second tag remains with the packet. The packet is then forwarded to the target’s switch, which reads the tag and forwards the packet to the target host.
downstream interface
The interface that allows traffic to enter a network from the Internet.
dual-firewall DMZ
Firewalls are positioned on each side of the DMZ to filter traffic moving between the intranet and the DMZ as well as between the DMZ and the Internet. These firewalls are used to route public traffic to the DMZ and internal network traffic to the intranet.
Dynamic ARP Inspection (DAI)
A configuration feature that is designed to thwart MITM attacks. DAI uses the DHCP snooping database to check and validate ARP requests to prevent ARP spoofing attacks.
Dynamic Host Configuration Protocol (DHCP)
This is commonly used to define a range of IP addresses that can be dynamically leased to requesting clients for a preconfigured length of time.
dynamic trunking protocol (DTP) request
An attacker sends a request to a network switch that would configure the attacker’s port as a trunk connection.
dynamic variable
This physical parameter can change spontaneously from external influences or internal influences.

E

eCryptfs
A built-in package that the major Linux operating systems possess, which provides file system–level encryption services. This level of encryption enables the encryption service to be applied at the individual file or directory level without significant disk management overhead.
egress
The action of leaving a place, whether physically or logically.
electric deadbolts
Electronically operated locks used in securing a closed door.
electronic signatures
A technique used to validate the authenticity of an individual, usually attached to an electronic document, indicating the sender’s intent or agreement.
email servers
Email servers are client/server application servers used to receive and store electronic mail messages in individual mailboxes, even when users are not actually logged directly onto the network.
EMV chip-and-PIN technology
This technology adds extra layers of payment card protection for customers.
Encapsulating Security Payloads (ESP)
This offers origin authentication as well as encryption. ESP encrypts and encapsulates the entire TCP/UDP datagram within an ESP header that does not include any port information.
Encrypting File System (EFS)
The Windows file- and folder-level encryption service.
encryption
Encrypting data involves taking the data (plaintext) and processing it with a cipher and key so that the original data is transformed into a form that cannot be read without the key (ciphertext).
encryption key
The key or algorithm used to convert plaintext to ciphertext, and vice versa.
enterprise networks
A computer network designed to support a medium to large number of users, allowing a business to interconnect its activities and share resources.
entropy
Any lack of predictability and order, leading to a degree of uncertainty.
entry delay
A delay that a security zone can be configured with that gives those entering the premises time to access an internal security panel to deactivate an alarm before it activates.
enumerate
Establishing a map of any network or determining what devices and hosts can be found.
eSATA
External SATA (Serial AT Attachment), or eSATA, ports are physical interfaces that link eSATA-compatible devices with the system’s internal SATA bus.
escort
Someone charged with controlling the movement of one or more visitors.
Ethernet
The dominant networking technology for transmission media, hardware, and electrical signaling interfaces, as well as for providing media access control.
Ettercap
A free and open source software tool used to perform a number of network and security analyses.
EV certificates
Extended Validation (EV) certificates require verification of an individual by a Certificate Authority. These are typically used on sites that are using SSL/TLS.
exclusion
This is a method, device, or system security professionals use to forbid, prohibit, or remove access to excluded assets.
eXecute Disable (XD) bit
A feature built into microprocessor hardware to protect certain areas of memory that contain specific blocks of instruction code, such as the kernel.
exFAT
Microsoft’s extended File Allocation Table file system for flash memory devices.
exit delay
A time delay on the activation of a security system to give an individual time to leave the premises without triggering the alarm.
exploits
Software programs or tools designed to take advantage of particular vulnerabilities or flaws in a computer system.
export-grade encryption
This was created to be good enough, yet still allow the NSA to decrypt communication outside the United States. The NSA lifted this export requirement in the late 1990s, but those cipher suites have remained in both client and server libraries.
Ext#
The ext# series of Extended File Systems are the primary file management systems designed for the Linux kernel. Ext2 is also widely used in SD cards and other flash-based storage devices.
extensible
Signifies that something can be expanded without bounds. As it applies to software, future growth is taken into consideration in the design so that the system continues to function normally as it is extended.
extranet
An intranet structure that grants limited access to authorized outside users, such as corporate business partners. In other words, a partially private, partially public network structure.

F

F2FS
Samsung’s Flash-Friendly File System (version 2) is an open-source Linux file system for flash storage devices.
fail-safe
Also known as fail-secure, it is a method that responds to certain types of failures in a way that will cause minimum harm to personnel or devices.
fail-secure
Also known as fail-safe, it is a method that responds to certain types of failures in a way that will cause minimum harm to personnel or devices.
fail-soft
This mode will terminate any nonessential processing when a hardware or software failure occurs.
false negative
This is a report that produces an incorrect rejection of the individual, thereby locking them out of a facility or security area to which they should have access.
false positive
This is a report that incorrectly authenticates the individual, which could lead to providing access to equipment or data to which this person should not have access. Of the two types of authentication failure, this is the most significant in that it could grant access to malicious people.
Fiber Optic cabling
Plastic or glass cable designed to carry digital data in the form of light pulses.
field of view
Also known as field of vision, field of view is the extent a given surveillance camera can see.
file- and folder-level encryption
Encryption applied to individual files and folders. File- and folder-level encryption tools enable users to encrypt files stored on their drives using keys only the designated user (or an authorized recovery agent) can decode. This prevents theft of data by those who do not have the password or a decoding tool.
file and print servers
These provide employees with quick access to shared applications, folders, specific files, and networked printers.
FileVault
This is the disk-level-based data encryption service included with the Apple OS X operating systems.
fire brigade
These cyber attacks are a type of session hijacking that involves intercepting or sniffing and modifying communication between users.
fire detection and reporting system
A standalone fire alarm system used by larger organizations.
fire detection sensors
Sensors that detect the presence of fire by using heat and/or smoke sensors.
firewall rules
The rules by which a firewall determines what communication will be filtered.
firewalls
These devices usually consist of some combination of hardware and software used to protect a private network from unauthorized access by way of the Internet. This is accomplished by limiting security exposures, enforcing the organization’s security policy, defining rules for filtering, and sometimes logging or monitoring activity.
FireWire
Similar to a USB cable, FireWire provides a connection on which up to 63 devices can be daisy-chained. This interface standard was first deployed with Apple products.
firmware
As opposed to software and hardware, firmware is permanent software that has been programmed into read-only memory.
fisheye lens
An ultra wide-angle lens that forgoes straight-line perspective for the purpose of viewing a larger area. Images from a fisheye lens are often distorted near the edges.
fixed focal length lens
Lenses whose focal length is fixed and cannot be adjusted like common zoom lenses.
foot-candle
A measure of luminance (or light intensity) used by the lighting industry.
Fraggle attack
A Denial of Service attack, much like a Smurf attack, where the attacker sends spoofed UDP packets to a broadcast address in a network.
frame
A digital data transmission unit that contains indicators marking the beginning and end of a block of data.
FTP server
A centralized server, with specialized software, that manages file sharing and storing. Requires the use of the File Transfer Protocol.

G

gate
An opening in a wall or fence. Typically refers to a passageway between two open spaces (as opposed to a door, which provides access into or between enclosed spaces). Like doors, gates can be used to control access by presenting a barrier across the perimeter’s passageway.
gateway
A device that interfaces a network with another network.
gateway device
A gateway device is often a router, but could also be a switch, a modem, an access point, or even a Voice over Internet Protocol (VoIP) adapter.
GEOM-Based Disk Encryption (GBDE)
A block device-layer disk-level encryption system.
glass breakage detection
A sensor that detects breaking glass. They come in two types. The vibration type is mounted on the glass or on a nearby wall. Acoustical or sound discriminators sense the sound of breaking glass.
graphical user interface (GUI)
A type of interface that allows the user to interact with graphical icons and visual interpretations, as opposed to text-based interfaces.
grayware
Software applications that may not be classified as malware, yet still contain undesirable functions.
group accounts
A collective set of users who use the same criteria for permissions. Used for ease of management.
guests
This default group typically has minimized access to the system, and all of its members share the same user profile. The Guest user account is automatically a member of this group.

H

hacker
An individual who uses their skills in computers to gain unauthorized access to data and resources.
hardening
The process of making any device (hardware and software) more secure. Often involves many steps and procedures, while taking into account acceptable usability.
hardware firewall device
A device specifically and solely designed to operate as a firewall.
hardware ports
An interface between various computer and networking devices.
hardware token
Also known as a security token, a hardware token is a physical device that can provide authentication.
hash table
Also known as a hash map, a hash table is a lookup table that maps keys to values using a hash function that converts the keys into hash values.
Hierarchical File Systems
These are proprietary Apple file systems developed as the primary file system for their Macintosh line of computers using Mac OS. It is also used in Apple’s line of iPod music devices.
Home Area Network (HAN)
A specialized LAN made up of automated electrical device controllers, usually within or in close proximity of a home.
honey pots
A honey pot is a decoy server, network device, or network segment designed to attract attackers away from the real network. This is accomplished by providing attackers with relatively easy access to decoy systems on the network and hiding truly critical systems.
host address
The portion of the IP address that defines the identity of a device.
host-based authentication
This form of authentication relies on information (such as MAC addresses and hostnames) to authenticate to a network, as opposed to the user’s credentials.
host-based IDS (HBIDS)
An intrusion-detection system that is installed on and protects a single system.
Hypertext Transfer Protocol (HTTP)
This is the main web application protocol.
hypervisor
The hypervisor is a virtual operating platform (similar to a virtual operating system) that hosts other guest operating systems.

I

Icinga
An open source network-monitoring application.
ICMP
The Internet Control Message Protocol is commonly used to test connectivity to a network from a device.
identity proofing
The process in which a particular individual is associated and verified with an existing identity.
identity theft
Obtaining, by subterfuge, a person’s various pieces of identification, usually for financial gain.
IEEE-1394
The FireWire bus specification.
illegal
Contrary to the law.
in-band
This virtualization scheme has the appliance located in a direct path between the storage servers and the disk farm. This configuration eliminates the need to install appliance-related software on each server, as required by an out-of-band configuration.
Information and Communications Technology (ICT)
A blanket term that encompasses any communication device or application.
informative references
Documents that contain specific standards, guidelines, and practices from various organizational security stakeholders to accomplish the goals of the functions, categories, and subcategories listed.
infrastructure security
The physical security initiatives applied to providing security for the basic physical and organizational structures needed for the operation of an enterprise, an organization, or society.
ingress
The right of an individual to enter a property.
inherited access
Nonexplicit access, usually granted due to being part of a group.
inner perimeter
This perimeter typically involves physical barriers such as walls, doors, and windows—either exterior or interior, depending on the context of the outer perimeter.
input devices
Devices that are used to introduce information into electronic devices.
Input/Output (I/O) controller
The part of a smart meter responsible for providing physical connectivity compatibility between the other system components and the outside world.
insider threat
This type of threat exists inside the network, usually as an employee.
intangible asset
Any nonphysical asset, defined as having a use greater than one year.
intangible property security
This involves securing property that is not physical in nature, such as patents and trademarks.
interior security
This is the innermost level of infrastructure security and involves monitoring the area inside the inner perimeter.
interior sounders
These are designed to operate at maximum sound levels to frighten an intruder into making a fast exit.
Internet Assigned Numbers Authority (IANA)
The organization that oversees the allocation of IP addresses to ISPs.
Internet Engineering Task Force (IETF)
The main standards body of Internet protocols, such as TCP/IP.
Internet gateways
Routers that are used to connect a network to always-on, broadband Internet connections.
Internet Key Exchange (IKE)
The protocol used to set up a security association in IPsec.
Internet of Things (IoT)
The network composed of any physical object that has network connectivity and can communicate with other objects to collect and exchange data.
Internet Protocol Security (IPsec)
An open standard commonly used in VPNs that actually employs a suite of protocols for encrypting and authenticating IP communications.
Internet zone
This zone includes all networks (including the Internet) that are not controlled by an individual or organization. As such, the content can be public, or it can be confidential data that belongs to trusted partners or customers.
interoperability
The ability for devices made by one company to interface with the related devices of another company.
intranet
A local or restricted network within the realm of a single organization.
intruders
Unauthorized people who gain access to an asset to which they do not have access rights.
intrusion detection and reporting system
The collective components of a basic, commercial security system.
Intrusion Detection and Prevention System (IDPS)
Designed to monitor the system (local computer or network environment), log key events, policy violations, report them, and prevent them as directed.
Intrusion Detection System (IDS)
These systems are designed primarily to monitor the system (local computer or network environment), log key events and policy violations, and report them as directed.
iOS
This is Apple’s mobile operating system designed to support Apple’s line of iPhones and iPads. While iOS shares many structures with OS X, it is not compatible with OS X applications.
IP address
A unique string of numbers that identifies each device that communicates using the Internet Protocol, over a network.
IP address spoofing
The process of using a forged source IP address to create IP packets for the purpose of concealing an identity.
IP-based
Any device that has an IP address and relies on wireless communications or traditional network cabling for communication.
IP-based notification
Notifying a monitoring station via an IP network, such as the Internet, concerning an alarm condition.
IP blocking
A form of security that blocks a specific IP, or range of IPs, from establishing a connection.
IP cameras
Digital IP (Internet Protocol) devices that have IP addresses that can be connected directly to a network, or to the Internet, rather than directly to a host controller or computer.
IP header manipulation
A technique used to change the information contained in the header portion of an IP or TCP network packet in order to conceal one’s identity over a network.
IPsec
A protocol suite to establish secure communications. IPsec employs AH and ESP to authenticate and encrypt each IP packet.
IPv4
IPv4 addresses exist in the numeric format of XXX.YYY.ZZZ.AAA. Each address consists of four 8-bit fields separated by dots (.).
IPv6
IPv6 is a newer IP addressing protocol developed to cope with the anticipated shortage of available IPv4 addresses in the future. Under IPv6, the IP address has been extended to 128 bits and has a hexadecimal format, separated by colons (:).
ISO 15408
The Common Criteria for Information Technology Security Evaluation international standard.
ISO 2700xx
A group of ISO information security management systems standards designed to provide management with explicit information security control.
isolation
Physical or logical segmentation used to isolate or separate parts of a network.

J

jamming
An intentionally transmitted stream of arbitrary noise on the same frequency that a device or network operates on.
JavaScript
An object-oriented programming language, often used in web browsers to create interactive websites.
JFFS2
The Android default Journalling Flash File System (version 2). This FS version replaced YAFFS2 (Yet Another Flash File System) as the default Android flash file system used in earlier kernel versions.
journaling file system
A file system that keeps track of changes in a circular log file, referred to as a journal, before committing them to the file system.

K

Kerberos
A network authentication protocol that involves a trusted third-party Ticket Granting Server (TGS) to authenticate client/server interaction.
kernel files
The fundamental logic files of the operating system responsible for interpreting commands obtained from software programs for the central processing unit.
key
Having ownership of a key signifies that the entity either possesses or knows the information required to gain access to a given asset.
keyfob
A wireless keychain device that can be used to lock, unlock, and alarm a device.
keypad
Input devices that are typically equipped with a set of numerical push buttons. Keypads are used to program, control, and operate various access controls and management devices.
keys
As it relates to cryptography, cryptographic keys are data strings used to encrypt or decrypt information. Encryption keys can be based on a secret string that is known only to the software that encrypts and decrypts the data, or may be randomly generated. It could also be a combination of known and random factors.
KillerBee
Framework for exploiting ZigBee and other 802.15.4 networks. KillerBee offers sniffing, packet decoding, and manipulation, as well as injection techniques.

L

latency
The delay between an input to a system and the desired output.
laws
The system of rules that a country or community recognizes to regulate the associated members.
Layer 7 attacks
A type of DDoS attack that focuses on the application layer and generally targets specific areas of a website in hopes of exhausting resources.
least privilege
Under the principle of least privilege, users are granted only the levels of access required to perform their specific job roles.
legal
Actions permitted by the law.
Lightweight Directory Access Protocol (LDAP)
An application protocol used for queries and modifying items in directory service providers. LDAP offers a single login system that can lead to access to many services.
Linux
This is a freely distributed, open-source operating system based on Unix.
Local Area Networks (LANs)
Networks that exist in a relatively confined geographical area (e.g., a room or building).
local firewall
A firewall that is designed and implemented only on the host.
lock
Any device or technique used to restrict access to an asset.
locked condition monitoring
Locked monitoring is a feature that allows the security supervisor to confirm that a door is locked. In addition to monitoring the locked status of a door or gate, the condition monitoring system can also provide details as to how long and during what time periods the door or gate has remained locked.
lockout policy settings
These enable administrators to enact password policies that prevent attackers from repeatedly trying to access the system via brute-force attacks.
logic bomb
A logic bomb is computer code that, much like other malware, is attached to a legitimate program. The code sits idle until a specific logical event is concluded, after which a harmful effect may occur.
logical perimeter
An established virtual boundary that involves computing and control systems, networks, and the Internet.
logjam attack
A security vulnerability that targets the Diffie-Hellman key exchange, convincing the connection to use DHE Export ciphers.
lux rating
Lux is a measure of the amount of light that falls on an object. One lux is approximately the amount of light falling on one square meter from one candle measured from one meter away.

M

MAC address
Media Access Control (MAC) addresses are unique identifiers for every device attached to a network. These addresses are typically assigned to the devices by their manufacturers and stored in their firmware.
MAC address filtering
A filtering technique that requires the manual entering of static MAC addresses into the CAM or specifying the maximum number of devices allowed on a port.
MAC address table
Switches collect MAC address information to keep track of the devices attached to them. As they interact with those devices, they record their MAC information in an onboard memory structure called a MAC address table.
MAC duplicating attacks
In a MAC duplicating or MAC cloning attack, the attacker updates their own MAC address with the target’s MAC address. This causes the switch to forward traffic to both locations.
MAC flooding
A technique used to compromise the security of network switches. An attacker connected to a switch port floods the switch interface with a large number of fake MAC addresses, causing the switch to broadcast the frames.
MAC learning and discovery
As connectivity devices interact with other devices connected to their physical ports, they read message headers to acquire the sending and receiving device MAC addresses and record them in the CAM along with their port information.
MAC spoofing
A technique used to change a factory-assigned MAC address of a device on a network.
magnetic contact switches
Consisting of a two-part magnetic switch, one piece of the sensor is a magnet while the other side is a switching mechanism that is sensitive to a magnetic field. The switch portion is mounted on the fixed structure (frame) of the barrier. Wires from the switch are routed to the security system’s control panel.
magnetic stripe card
This is a physical credit-card-like device that contains authentication information in the form of magnetically coded spots on a magnetic stripe. The cardholder uses the information on the card to access physical spaces or assets by passing the stripe on the card through a magnetic card reader.
malicious proxy servers
These are proxy servers that are used for various purposes including malware delivery, ad injection, and simple information gathering. While these proxy servers may not pass on your IP address, they will know your IP address and could use this information for other purposes.
malware
A term used to describe any number of intrusive software programs, designed to be malicious in nature.
man-in-the-middle (MITM) attacks
Man-in-the-middle attacks involve an attacker creating links to two or more victims so they can intercept messages moving between them.
managed switches
Devices that have programmable management functions built into them that enable administrators to configure them for a specific network environment.
Mandatory Access Control (MAC)
A type of access control that utilizes the operating system to establish which users or groups may access files, folders, and other resources.
masquerade attack
An attack that involves an attacker assuming the identity of another system.
MDK3
A penetration testing tool used to exploit common 802.11 protocol weaknesses.
mesh network
In this decentralized topology, each node relays data for the network.
metadata
This defines information about data. The term is used to describe all data that might be considered secondary to the purpose of the record. Typically, metadata is thought of as automatically generated, often embedded, data that is created by the information system to supplement or even validate the record.
Metasploit
One of the most popular open-source penetration testing frameworks available. It is commonly used to identify and validate network vulnerabilities, including simulating attacks that prey on human vulnerabilities.
microcontroller
A small computer located on a single integrated circuit.
Microsoft Network Monitor
A network packet analyzer that can help view traffic flows and troubleshoot network problems.
mid-tier servers
Servers that act between the highly secure database layer and the less secure presentation layer. Servers in this tier are responsible for controlling application functionality and moving data between the other two layers.
monitors
Video display systems similar to computer displays or televisions, used to observe or record a process.
motion detector
A device that detects moving objects, often integrated in an infrastructure security system.
multifactor authentication (MFA)
A method of access control that requires at least two of the following: knowledge, possession, inherence.

N

Nagios
One of the most well-known network monitoring tools, used to help ensure that systems, applications, and processes are up and running appropriately.
National Institute of Standards and Technology (NIST)
The federal technology agency responsible for development of the Cyber Security Frameworks, Medical Device Security, and Guide to Industrial Control System (ICS) Security guides.
native audit records
Event records generated by a host machine in most modern multiuser operating systems.
natural access control
Using natural design elements, such as structures and landscaping, to guide people as they enter and exit spaces.
Need-to-Know policy
Similar to a Separation of Duties policy, it limits the employee’s knowledge of the entire network system.
network
A group of systems, people, and devices that can connect and operate with each other.
network address
An identifier that defines the network in any given system.
Network Address Translation (NAT)
The translation of an IP address used in one network to an IP address known within another network.
network administrator
In network environments, administrators are responsible for implementing the organization’s security policies. These policies should be designed to reflect the three objectives associated with the classic model of information: confidentiality, integrity, and availability (CIA).
network analyzer
Also referred to as a packet sniffer. Penetration testers use these tools to listen to network traffic, looking for items such as passwords and usernames sent across the network in a plaintext mode, or sensitive information such as credit card or other financial information.
Network-Attached Storage (NAS)
A virtualized storage system that provides both storage and a file system structure within a network.
network bridge
A piece of hardware that connects multiple network segments.
network connectivity devices
Any device that has connectivity purposes, such as routers, hubs, switches, and bridges.
Network File System
Enables client computers to access files across a network. It is used primarily in Unix OS versions, but is also supported in Microsoft Windows and Apple’s Mac OS.
network firewall
A firewall that performs security on an entire network by granting or rejecting access to specific traffic flows between trusted and untrusted networks.
network hardening
All processes and techniques involved in securing a network.
network interface adapter
Also known as a network interface controller (NIC), it is hardware that allows a device to connect to a network.
network monitoring tools
Any tool that can be used to ensure that servers or other devices are up and running appropriately.
Network Operating Systems (NOS)
Operating systems designed to run on specialized server computers that function as the center of a client/server network environment.
network packet
A unit of data that is routed on a network.
network segmentation
The process of separating or splitting a network into one or more subnetworks, resulting in each being its own network segment.
network servers
Specialized computers designed to operate efficiently in a multiuser, multiprocessor, multitasking environment. Typically, they employ multiple processors and large disk drive arrays; they support the network in its operations, authentication, and processes.
network topologies
Layer 1: Physical (or logical) connection strategies that fall into four basic configurations: Star, Bus, Ring, and Mesh.
network virtualization
The process of creating a software-based administrative entity, utilizing hardware and software network resources, along with network functionality.
network vulnerability scanner
Used to scan a network for different types of common vulnerabilities, such as system misconfigurations and default password usage.
Nikto
An open-source web server scanner that can identify issues on a web server.
nmap
A popular security scanner tool that enumerates networks.
No eXecution (NX) bit
NX-bit technology is used to separate areas of memory into regions for distinct uses. For example, a section of memory can be set aside exclusively for storing processor instruction code, while another section can be marked only for storage of data.
NTFS permissions
New Technology File System permissions are those that define which operations users can perform on a designated file or folder.

O

OAuth
An authentication protocol that allows applications to act on the behalf of a user without sharing passwords.
octet
A grouping of eight, typically referring to eight bits of data.
Open Checklist Interactive Language (OCIL)
A defined framework for expressing a set of nonautomatable security checks.
open/close conditions
The state, or condition, of an alarm sensor indicated as open being off and closed being tripped.
open systems interconnection (OSI) model
The primary networking model that defines and characterizes the communication functions in a network environment.
Open Vulnerability and Assessment Language (OVAL)
This is a security community standard for communicating security information such as configuration, vulnerabilities, patch levels, and more. OVAL is essentially a group of XML schemas that describe a language to provide the details needed to assess a network resource for security vulnerabilities.
OpenVAS
The Open Vulnerability Assessment System is an open-source framework of several services and tools that provide vulnerability scanning and management.
operating system (OS)
The software programs designed to control and coordinate the operation of the computer system, including scheduling tasks, executing applications, and controlling peripherals.
operators
Humans who operate or supervise a process.
out-of-band
The virtualization device is installed outside the actual data path between the network and the storage system.
outer perimeter
The first line of defense in a given area or boundary, which can be physical or logical in nature.
overlay networks
This is when a network is built on top of another, physical or underlay, network.
overview
This camera viewpoint generally covers a wide field of view, such as over a parking lot or warehouse floor.
owner
The rightful possessor of an asset.
owning group
Linux permission term that refers to a group of users who collectively have access to data.
owning user
Linux permission term that refers to an individual who has control and access over data.

P

packet
A unit of data that can be carried and transferred by a packet-switched network.
packet analyzer
Also known as a packet sniffer, it is a computer program used to analyze network traffic.
packet filtering
The process of passing or blocking network packets based on their source/destination addresses, logical ports, or protocols.
packet-filtering firewall
Firewalls configured with packet-filtering rules to allow or deny client access based on factors such as their source address, destination address, or port number.
packet-sniffing attacks
Attackers use packet sniffers to listen to network traffic looking for items, such as passwords and usernames, sent across the network in a plaintext mode, or sensitive information such as credit card or other financial information.
pagers
Mobile RF devices that receive messages and signal their user.
pairing process
The process of connecting two Bluetooth devices together.
panning
Traversing a camera left and right; tilting, inclining, or declining a camera up and down.
passageway
An enclosed path from one room/area to another; it is often a chokepoint.
passive controls
Controls that are in place, but are not adjusted based on any action.
passive infrared (PIR) detectors
PIR detectors use a lens mechanism in the sensor housing to detect any change in infrared energy across the horizontal sectors covered by the sensor. This type of detector is insensitive to stationary objects but reacts to rapid changes that occur laterally across the field of view.
Passive RFID tags
Tags that are powered by the electromagnetic energy transmitted from the RFID reader and allow for authentication.
passphrase
A sequence of words or text used to control access, much like a password; however, generally longer in the number of characters.
password
A secret word or random string used as an authentication tool.
password attack
Any password attempt that successfully authenticates through a password prompt without originally knowing the correct password.
Password-Authenticated Key Agreement (PAKE)
An interactive method for two or more entities to establish cryptographic keys based on one entity’s knowledge of a password.
Password Authentication Protocol (PAP)
Used with PPP, it is an authentication protocol that utilizes passwords.
password capturing
A technique used to view and save (capture) a password as it is transferred for authentication.
password cracking
The process of attempting to recover passwords from stored data or data in transit, for the purpose of later use.
password encryption
The process of taking a standard password and applying an algorithm to it in such a way as to make it meaningless to sniffers, crackers, or other eavesdroppers.
password management policy
A policy put into place to manage the passwords of users in a networked environment.
password managers
Software applications that store and organize a user’s passwords.
Patch Tuesdays
Microsoft’s primary patch release day.
patches
General improvements to a given operating system or application that has been released for distribution. Many patches and updates are purely cosmetic and convenient add-on features, while others are critical security upgrades designed in response to a particular virus, discovered threat, or weakness.
PathPing
A utility, found on many Windows systems, that combines the ping and traceroute command-line tools.
Payment Card Industry Data Security Standard (PCI-DSS)
This standard requires the use of firewalls and other security concepts, such as network segmentation, to ensure that all stored credit card information is securely stored both physically and electronically.
peer-to-peer network
A network in which each computer is attached in a ring or bus fashion and is equal to the other units on the network.
perimeter area inputs
These include sensors at every perimeter opening including doors, windows, garage doors and windows, and doors to crawl spaces.
permissions
Defined privileges and authorization on specific data and assets.
persistent cookie
Also known as a permanent cookie, a cookie that will remain on the computer hard drive until the specified expiration date is reached.
personal area networks (PANs)
A type of network that combines personal devices such as PDAs, cell phones, digital cameras, PCs, notebooks, and printers.
pharming
A type of malicious activity that redirects an unsuspecting user to a forged website in hopes of obtaining personal information.
phishing
A social engineering technique that attempts to acquire sensitive information, usually login credentials or credit card data, by masquerading as a trustworthy organization. These attacks generally involve emails that direct the user to a bogus website that looks legitimate.
physical-intrusion-detection system
Any device whose purpose is to detect and signal intrusions, including motion sensors, card readers, cameras, and alarms.
physical security
Any process or device that is concerned with protecting physical boundaries and property.
physical topology
The placement of the various components of a network, including network cables and devices.
piconet
Up to eight devices can be grouped together to form a piconet, a small Bluetooth network.
PING
A network utility used to evaluate the ability to reach another IP host. The PING utility will send Internet Control Message Protocol (ICMP) request packets to the target host and wait for a response measuring the trip time and any packet loss.
ping flood attack
A simple DoS attack where an attacker overwhelms a victim with ICMP Echo Request (ping) packets.
pinhole lens
A lens that’s a very small hole, possibly made by a pin, that forces the light into parallel lines to create a clear image.
plugins
Script controls that add new features, such as search engines and antivirus functions, to existing software applications. They are similar to ActiveX controls but cannot be executed outside of a web browser.
Point-of-Sale (POS)
The hardware and software used in a retail transaction.
Point of Sales (POS) terminals
Intelligent and networked terminals used for the time and place where a retail transaction takes place.
policies
The rules and procedures adopted by an individual or business.
polyinstantiation
In this database management solution, an additional server is configured to act as a third party between users and the database server. The mid-level server acts as an interpreter and guardian that limits database access to only authorized users and only to requested database files.
port-based VLAN
A range of ports on an Ethernet switch that are defined as a network segment.
port scan
The process of probing or scanning a server, client, or host for open ports.
port scanner
A software application that performs the probing of a network device, for open ports.
portal system
A web-based interface to a portion of the HCP communication system.
POSIX (Portable Operating System Interface)
This is a set of interoperability standards developed to standardize variations of Unix and Unix-like operating systems. POSIX-compliant systems (Unix, Linux, and Apple OS X systems) support some type of ACL for managing traditional Unix file access permissions.
Power over Ethernet (PoE)
Power is provided through the UTP network cable, rather than from a dedicated power supply, for each intelligent device.
pressure mats
A type of sensor that can be placed under rugs, in hallways, or on stair treads. Pressure from footsteps activates the alarm.
Pretty Good Privacy (PGP)
A widely used Unix encryption tool. This tool does both private and public key encryption/decryption and offers a very strong method to secure data.
Privacy Rule
The Privacy Rule is intended to limit the circumstances in which an individual’s protected health information may be used or disclosed.
private key
In cryptography, it is an encryption/decryption key known only to the specified recipient.
Private VLAN (PVLAN) attacks
PVLAN attacks involve an attacker sending packets into a PVLAN that contain a destination IP address of a targeted computer and a MAC address of the PVLAN router. The switch sees the destination MAC address and forwards the packet to the router’s switch port (a promiscuous port type that can communicate with any port). The router in turn directs the packet to the targeted host.
privilege escalation
The act of exploiting a vulnerability that enables an unauthenticated user to gain elevated administrative access.
privilege management
Through the privilege management policy, an administrator is provided with guidelines as to how the organization’s privileges should be implemented. As discussed in previous chapters, access control privileges can be role-based (RBAC), discretionary (DAC), or mandatory (MAC).
procedures
Often used to enforce policies, procedures are an established way of performing an action.
profile-based anomaly-detection systems
Systems that use mathematical algorithms to monitor normal data traffic and develop a profile of rules that describe what normal traffic for that system looks like. The profile developed reflects evaluations of users’ past behaviors and is configured to signal when deviations from these behaviors reach a certain level (or threshold).
programmable zone
A zone can be programmed to encompass a single point of protection, such as a motion detector, or multiple points can be combined into a single zone.
promiscuous mode
The operation of a network device able to listen or capture traffic moving through a medium, but not sourced from or targeted to that device.
promiscuous port
A port configured to be able to communicate with any other port, usually in a VLAN instance.
protocols
A set of rules that governs how communications are conducted across a network. In order for devices to communicate with each other on the network, they must all use the same network protocols.
proxy-filtering firewalls
Servers configured to filter out unwanted packets. During this filtering process, each packet is disassembled, evaluated, and reassembled, making this type of connection significantly slower than other firewall types.
proxy server
A server that acts as a barrier, as it allows clients to make indirect network connections that are routed through a proxy.
psychological engineering
Using psychology and human weaknesses, hackers can craft many different attacks that trick people into believing what they want them to believe and giving up important information that they would not normally give out.
public key
A cryptographic key that can be obtained and used by anyone to encrypt messages intended for a particular user.
public key certificates
Digital verifications that the sender of an encrypted message is who they claim to be.
public-key cryptography
Also known as asymmetric cryptography, it incorporates a public key and a private key (or secret key) for encryption and decryption purposes.
Public Key Encryption (PKE)
This encryption technique employs two keys to ensure the security of the encrypted data: a public key and a private key. The public key (known to everyone) is used to encrypt the data, and the private or secret key (known only to the specified recipient) is used to decrypt it.
Public Key Infrastructure (PKI)
This infrastructure supports the distribution of public keys and certificates to enable trusted connections and secure data exchange based on the information from the CA.
public switched telephone network (PSTN)
Also referred to as the Plain Old Telephone Service (POTS), these systems use physical cabling to interconnect and transmit voice grade signals between a sender and a receiver.
purging
The process of separating and deleting inactive records within a database.

Q

Quality of Service (QoS)
Allows for the prioritization and differential treatment of network traffic based on special rules or policies. A common use for QoS is to ensure that a VoIP phone system will always have enough bandwidth for phone service, regardless of how busy the network is.

R

race condition attack
A race condition exists when an attacker exploits the timing of consecutive events in a multiuser/multitasking environment to insert malicious code into the system between the events.
radio frequency identification (RFID)
RFID systems utilize self-powered RFID tags that can be used as beacons to track location or authenticate proximity.
rainbow tables
Pregenerated tables that contain millions of passwords that have already been hashed, used to compare for the purpose of cracking passwords.
reflection servers
Used in DDoS attacks, forged echo requests are sent out and the echo replies are aimed toward the victim.
regress
As it relates to security, the term is used to describe the legal right to reenter a property.
remote access control
A design feature that requires authentication of the identity of a user attempting to access a security zone or computer system from a distant location.
remote access monitoring
Systems that are used to notify supervisory security personnel when an event or incident has occurred.
Remote Authentication Dial-In User Service (RADIUS)
A network protocol that provides centralized Authentication, Authorization, and Accounting (AAA).
remote control access
A design feature that works with remote monitoring systems to monitor, control, and supervise doors, gates, and conveyances from a distance.
Remote Desktop Connection (RDC)
Uses the Remote Desktop Protocol (RDP) to provide a user with a GUI-based interface to connect to another computer over a network.
Remote Desktop Services (RDS)
Formerly known as Terminal Services, RDS is a component that allows a user the ability to take control of a remote computer over a network.
remote monitoring
Monitoring or the measurement of devices from a remote location or control room.
remote notification systems
When an alarm condition exists, this set of systems will coordinate and inform the appropriate parties.
Remote Telemetry Unit (RTU)
Small intelligent control units deployed at selected locations within a process, or set of processes, to gather data from different sensors and deliver commands to control relay outputs.
repeater
A network hardware device that extends the range and reach of a network.
replay attack
A network attack where a recorded transmission is replayed or delayed by an attacker to gain access.
Request for Comments (RFC)
These are notes submitted by anyone to the Internet Engineering Task Force (IETF), the main standards organization for the Internet.
rerouting attack
A network attack that attempts to redirect (reroute) traffic from a valid destination to a false one.
ResearchKit
An open-source software framework made by Apple, intended specifically for medical research. Ease of application creation and use provides researchers and developers alike the opportunity to revolutionize medical studies.
resolution
The number of pixels displayed or within a camera sensor.
reverse proxy server
A server that handles public requests for web resources and then forwards them to one or more backend servers.
right
A legal privilege or permission granted to someone, or some group, by some recognized source of authority.
ring topology
A network topology that connects devices in a circular fashion, in which each node is connected to exactly two other nodes.
risk
Defined as the potential loss of an object of value. It can also be expressed as an intentional interaction with uncertainty. Risk can also be calculated as a quantity that can be communicated to the organization’s internal and external stakeholders.
Role-Based Access Control (RBAC)
An access control method that uses job roles to differentiate permissions and privileges.
rootkit
A type of software designed to gain administrative control of a computer system while remaining undetected. Normally, the purpose is to enable malicious operations to occur on a target computer without the knowledge of its users or system administrators. Rootkits can occur in hardware or software by going after the BIOS, boot loader, OS kernel, and sometimes applications or libraries.
router flood attacks
Routers are vulnerable to flood attacks designed to consume all or a significant part of their resources, thereby rendering them nonfunctional. Router resources commonly targeted include onboard memory, processor operation, and internal bus bandwidth.
routers
Network connectivity devices that, unlike switches, can forward information across different network segments. This gives routers the ability to join different networks together through a process known as routing.
routing
The process of selecting the best path for transmitting data over a network or between networks.
routing protocol
A set of rules used by routers to determine appropriate paths in which data should be transmitted.
routing table
A database where routers store and update routing information.
rule
To move packets through the device, a rule must be explicitly created on the device to forward (or map) the desired protocol port to a private IP address and port on the local area network.
Rule-Based Access Control (RBAC)
Also known as automated provisioning, a rule is the basic element of a role. The rule defines what operations the role can perform.
rule-based anomaly detection
This detection method analyzes audit records to generate rules based on past usage patterns to generate a rules set. The system then monitors the traffic looking for patterns that do not match the rules created.
rule sets
Used to control what types of information can move between security zones. These rules are normally based on data source and destination information, data type, or data content.

S

sanitize
Making data on an HDD unrecoverable by overwriting the data multiple times, physically destroying the drive so that it cannot be reassembled, or both.
script
A list of commands able to be executed without user interaction.
Secure Remote Password (SRP)
A protocol that is an augmented form of PAKE, designed to work around existing patents.
Secure Shell (SSH)
An encrypted network protocol for secure client-server connections. Designed to replace insecure shell protocols such as Telnet, SSH employs public-key cryptographic authentication.
Secure Sockets Layer (SSL)
A protocol for managing both authentication and communication between clients and servers, using both a public key and a private key. SSL uses the sockets method to exchange data between client and server programs, usually a browser and a website.
security
The science, technique, and art of establishing a system of exclusion and inclusion of individuals, systems, media, content, and objects.
security administrator
In networked environments, administrators are responsible for implementing the organization’s security policies. These policies should be designed to reflect the three objectives associated with the classic model of information security: confidentiality, integrity, and availability (CIA).
Security Associations (SAs)
The establishment of shared attributes between two network devices in order to support a secure connection.
security baseline
This baseline defines the minimum security requirements necessary to protect the confidentiality, integrity, and availability (CIA) of the organization’s information systems, along with the data processed, stored, and transmitted by those systems.
Security Content Automation Protocol (SCAP)
A method of using various open standards for evaluating vulnerabilities and measuring the potential impact of those vulnerabilities.
security patches
Updates issued for the specific purpose of correcting an observed weakness to prevent exploitation of a vulnerability.
security policy
Documentation stating how security should be implemented at each level. Businesses and organizations develop comprehensive security policies that define who is authorized to access different assets and what they are allowed to do with those assets when they do access them.
segregated
In a network, a physical or logical separation. Often used to separate individuals, data, and other assets.
server
A centralized computer or computer program that manages resources on a network.
server administrator
An individual who is responsible for the design, implementation, and maintenance of the server.
Server Message Block (SMB)
Also known as Common Internet File System, this network protocol was developed to provide shared access to files and devices, along with network communications.
server rooms
Secured rooms where servers are protected.
service pack
Major Windows updates and/or collections of many individual Windows updates.
session cookie
Stored in temporary memory, this cookie is erased when the web browser is closed.
Session Replay attack
This attack involves the attacker stealing a user’s session ID, then gaining access to do anything an authorized user would be able to do on a given website.
side channel attack
An attacker on one virtual machine obtains private key information from another virtual machine running on that same physical server.
signature analysis
Incoming and outgoing traffic are compared to a database of stored specific code patterns (signatures), which have been identified as malicious threats.
signature-based IDS/IDPS
These systems work by looking for specific patterns in content, known as signatures. If a known bad pattern is detected, then the appropriate actions can be taken to protect the host.
single authentication
Authentication that requires the possession of only one form of verification. This represents the lowest level of security available.
single firewall DMZ
A network DMZ that has a lone firewall associated with it.
siren
An audible enunciator, made to be very loud.
smart card
Card device that often resembles magnetic stripe cards. They typically contain information about their owners, such as their passwords, personal identification numbers (PINs), network keys, digital certificates, and other PII that can be used in the authentication process.
smart phone applications
Applications that run specifically on mobile devices, such as tablets and phones.
Smurf amplifiers
A computer network that is used to amplify the effects of a Smurf attack.
Smurf attack
A DDoS attack that floods a victim with ICMP reply packets. This attack builds on the ping flood attack by adding a reflective property. This reflective property is created by using more participants, known as Smurf amplifiers, in the attack.
Snort
An open source, cross-platform intrusion-detection system that provides real-time traffic analysis, packet logging, and protocol analysis, as well as active detection for worms, port scans, and vulnerability exploit attempts.
social engineering
A nontechnical method that uses psychological manipulation to exploit human interactions in hopes of circumventing normal security.
Social Engineering Toolkit (SET)
Used in penetration testing, this Linux software package can be used to perform advanced attacks against a target.
socket
One endpoint of a two-way communication. A socket is bound to a port number.
soft targets
Devices that are vulnerable to disruption because they have little or no built-in security features and few options for adding security features. If they can be accessed directly or virtually, they can easily be manipulated.
softphone
A software program that enables a user to make telephone calls over the Internet.
software exploitation
Cyber attacks designed to take advantage of vulnerabilities or weaknesses in software products, operating systems, and applications.
software-defined networking (SDN)
An approach to computer networking that analyzes the connection between any two nodes and can filter that connection based on a defined policy.
software firewall
Firewalls that are installed on a host computer, much like any other application.
SolarWinds
This software is a commercial network performance-monitoring product. It can be used to monitor uptime, performance, traffic flow, and utilization; it offers a plethora of reporting, graphing, and notification options.
spanning-tree attack
If packets are circulated just between the Layer 2 switches in this type of topology, their Time-To-Live (TTL) field never gets decremented—instead, continuing to loop through the redundant links. This creates a broadcast storm that floods the network with traffic.
Spanning Tree Protocol (STP)
This protocol provides loop-free, redundant links for switches in multiple path networks. It accomplishes this by configuring switch ports so they forward or block traffic depending on the type of segment to which they are connected.
spear phishing
Whereas phishing attacks are sent to a broad range of targets seemingly at random, spear-phishing attacks target a specific organization or individual within that organization to attempt to gain unauthorized access to confidential data. Spear-phishing attacks are more likely to be conducted by attackers who are seeking large financial gain, industry secrets, or military information.
spoof
Any form of forging a false identity, thereby gaining access to assets.
spoofing attacks
These attacks are based on changing a device’s MAC or IP address to change its apparent identity.
spyware
A software program that monitors the system’s operation and collects information such as usernames, passwords, credit card numbers, and other PII.
SQL injection
A technique in which malicious users manipulate input fields on web pages that feed SQL queries. In particular, an SQL-literate attacker enters valid SQL commands through the input fields, causing the database to reveal information other than what the input was designed to return.
SSH tunneling
Creates a secure connection between a remote host and a local device or computer, through which otherwise unencrypted traffic is carried inside an encrypted channel.
star topology
A logical layout in which all the nodes are connected in branches that eventually lead back to a central unit. Nodes communicate with each other through the central unit.
stateful packet-filtering firewalls
These firewalls collect network connection information and maintain dynamic state tables that are used to evaluate subsequent packets, so ports can be opened and closed dynamically according to the packet-filtering rules.
stateless packet-filtering firewalls
Acting more as an ACL, they do not keep track of the state of a connection between two computers; however, they compare packets against filtering rules.
Storage Area Networks (SANs)
A network-based storage system that appears to the host machine as locally attached storage.
stream cipher
A symmetric-key cipher that converts each plaintext character one at a time.
subnet
A segregated network that is ultimately part of a larger network.
super cookies
Third-party cookies that are harder to remove than other types of cookies. Many of them do not use the traditional cookie storage methodology, but rather use local browser HTML5 database storage or even Adobe Flash data storage.
supervisory password
Used to establish a password that can be employed to access the CMOS setup utility.
suPHP
A tool for executing PHP scripts with the permissions of their owner.
switch-based virtualization
This is implemented through the managed switches used to connect the SAN devices together. These devices also sit between the user and storage networks but may employ different techniques to provide storage management functions.
switch port stealing
A technique used to alter the direction of switch traffic, causing a switch to send traffic intended for another recipient to an attacker.
switches
Network connectivity devices that function at Layer 2 of the OSI model. They are designed to connect network devices together to form a local area network, forwarding packets based on destination addresses.
symmetric key
A key that a cryptographic algorithm uses to perform both encryption and decryption.
SYN flood
A form of Denial of Service attack, where an attacker takes advantage of the TCP handshake that uses SYN and ACK messages to establish a reliable connection between two hosts.

T

tagged packet
A packet that has a VLAN ID inserted into the packet header, in order to identify the VLAN to which the packet belongs.
tangible assets
Any physical assets.
tangible property security
Classically known as physical security, which consists of protecting physical boundaries and property.
TCP segment
The Transmission Control Protocol accepts data, divides it into sections, and then adds a TCP header to the data, creating a TCP segment.
TCP/IP
A suite of protocols, primarily the Transmission Control Protocol (TCP) and the Internet Protocol (IP), which form the basic and most important protocols of the Internet model.
TCP window size
The maximum size of received data that can be buffered at a time, on the receiving side of a TCP connection.
teardrop attack
A type of DoS attack where fragmented packets are sent to a target system. Older operating systems had bugs in their TCP/IP reassembly mechanisms that caused the fragmented packets to overlap and crash the host.
telephoto lens
A lens with a longer focal length, providing a magnified view.
Telnet
An application-layer client-server protocol that can establish a connection between a computer (or device) and any remote Telnet server.
territorial reinforcement
This employs structures, systems, and devices to prevent unauthorized entry and creates a clear difference between what is public and private.
threat
The potential to perform actions, with the intent to inflict pain, injury, damage, or other hostile action.
threat agent
An individual, group, or device that has the knowledge and intent to carry out an attack.
threat vector
A common security term that refers to a method an attacker may employ to get to a desired target.
threshold-based anomaly-detection systems
These IDSs are designed to track the number of occurrences of specific events over time, and then generate an intrusion warning if the number of events exceeds a predetermined number.
time of check to time of use (TOCTOU)
This condition exists when an operating system creates a temporary file. In the interval between the OS checking whether the file exists and actually writing it, the attacker executes a program that saves a malicious code package under the temp file’s name.
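The check-then-write gap described above, as an added example in C that is not part of the glossary: a racy temp-file routine beside one that asks the kernel to check and create in a single atomic open. The file paths are constructed for the demo.

```c
/* Added example, not from the glossary: TOCTOU on temp-file creation.
 * Demo paths are constructed; nothing here is a real program's file name. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Racy: the check (access) and the use (open) are two separate system calls.
 * Between them another process can place a file or a symbolic link at the
 * path, so the program ends up writing to something it never checked. */
int create_temp_racy(const char *path)
{
    if (access(path, F_OK) == 0) {          /* time of check */
        return -1;                          /* "already exists" */
    }
    /* window of opportunity for another process */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* time of use */
}

/* Hardened: O_CREAT|O_EXCL makes the existence check part of the create.
 * The kernel fails with EEXIST if anything (including a symlink) is already
 * at the path, and there is no separate check, so there is no window. */
int create_temp_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) {
        return -1;                          /* refuse to reuse an existing path */
    }
    return fd;                              /* fd, or -1 for other errors */
}

/* Better still: let mkstemp() pick an unpredictable name; it also uses
 * O_CREAT|O_EXCL internally. The template must end in "XXXXXX". */
int create_temp_mkstemp(char *template)
{
    return mkstemp(template);
}

/* Demo helper: returns 1 if the safe routine refused to reuse a path that
 * already exists (the behaviour the racy routine cannot guarantee), else 0. */
int demo_exclusive_create(const char *path)
{
    int first = create_temp_safe(path);
    if (first < 0) return 0;                /* could not even create it */
    close(first);
    int second = create_temp_safe(path);    /* must fail: file now exists */
    int refused = (second < 0);
    if (second >= 0) close(second);
    unlink(path);
    return refused;
}

int main(void)
{
    char tmpl[] = "/tmp/toctou-demo-XXXXXX";  /* constructed demo name */
    int fd = create_temp_mkstemp(tmpl);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    printf("exclusive create refused reuse: %d\n",
           demo_exclusive_create("/tmp/toctou-demo-fixed"));
    return 0;
}
```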
time-of-day settings
Most automated access control systems base decisions about valid or invalid entry requests, also called transactions, on preconfigured time of day settings.
time of use (TOU)
A type of electrical billing schedule that assigns higher costs to energy consumed during certain times of the day and seasons of the year.
top-level domain (TLD)
The highest level domain preceding the rightmost dot (.), as defined in the Domain Name System of the Internet. TLDs are generally divided between commercial and country-specific.
Top Secret
Usually the highest level of a three-tiered security clearance.
topology
A physical and/or logical definition of a network connection structure.
TRACEROUTE
This networking utility will display the route (path) packets travel from one IP to another.
tracking cookies
Nonmalicious text files placed on a host computer, designed to track a user’s web browsing habits.
transparent proxy
This proxy server communicates on the behalf of a host machine, without modifying requests, as opposed to most proxy services. A transparent proxy is typically not something the user is even aware they are using.
Transport Layer Security (TLS)
A successor to the SSL protocol, TLS is a protocol used to ensure privacy between communicating applications.
Trojans
Malware that appears to be a legitimate application so that users will be tricked into using it. Although such programs function properly, they contain malicious code that runs when the application is launched.
TrouSerS
An open-source daemon that controls all of the communications with the TPM through a single module.
trunk
A communication link designated to handle and combine multiple traffic signals, often to other network devices, for the purpose of consolidating physical port usage.
Trusted Platform Module (TPM)
Many computer motherboard designs include a built-in microchip called a Trusted Platform Module (TPM) that is used to store cryptographic information, such as the encryption key (also known as the start-up key).
Trusted VPNs
These VPNs do not use cryptographic tunneling but rather trust the underlying network to handle security beyond authentication.
TrustedGrub
This Linux module is capable of detecting and supporting TPM functionality in Linux systems. It is a downloadable extension of the Grub bootloader that has been modified for this purpose.
tunneling
Allows remote users to securely connect to internal resources after establishing an Internet connection. This is accomplished by securing the data in motion using data transfer encryption.
two-factor authentication
A process that requires two differing factors to grant authorization, based on what you know, what you have, and what you are.
two-man control
Requires that two users must review and approve each other’s work in order to complete a project. Although this may not be practical for many tasks, it offers a high level of security for those tasks where it is implemented.

U

UDP flood attack
A DoS attack, similar to a ping flood attack, that uses User Datagram Protocol packets.
unauthorized
Any user or device that does not have permission to access a network or asset.
unauthorized access
An individual gains access to a service, application, network, or device without possessing proper credentials.
unicast
Communication between a single sender and a single receiver on a network.
unidirectional security gateways
Used to create a one-way connection between networks, or network segments, that possess differing security classifications.
unified threat management (UTM) devices
Security appliances that feature gateway, antivirus, firewall, and intrusion prevention and detection services within a single product.
Universal Disk Format (UDF)
An open, vendor-neutral file system for data storage in a wide range of media.
Universal Plug and Play (UPnP)
A zero-configuration network architecture that brings a certain amount of compatibility between different brands and types of network hardware. While primarily intended to help the unskilled home networker, UPnP is supported by some nonconsumer hardware manufacturers as well.
Universal Serial Bus (USB)
The most popular hardware port found in modern personal computers is the Universal Serial Bus (USB) port. This high-speed serial interface has been developed to provide a fast, flexible method of attaching up to 127 peripheral devices to the computer.
Unix
The Unix line of operating systems provides a modular, multitasking, multiuser OS environment originally developed to run on mainframe and minicomputers. Proprietary versions of the Unix OS include several BSD (Berkeley Software Distribution) variations, along with Apple’s OS X and iOS operating systems and Google’s Android OS.
Unix File System
The first file structure designed for the original Unix operating system, and it is still in use with Unix and its derivatives. The structure of this file system standard presents a unified tree structure beginning at a main directory known as the root (/).
unlocked condition monitoring
The condition monitoring system can record and signal each time a specific gate or door is unlocked (granting access), indicating and recording which type of access was granted.
unmanaged switches
Plug and Play (PnP) devices that do not include any options for user configuration. These tend to be low price units, intended for use in residential and small office settings.
untagged packet
A packet that does not have a VLAN ID inserted into the packet header.
update
A service pack, or patch, that improves the reliability, security, or attractiveness of an operating system. The most reliable source of operating system updates is the OS manufacturer. Some updates may make the OS more convenient, but it may not necessarily be more secure.
UPnP AV
Universal Plug and Play – Audio Visual. This was released to support consumer media devices such as TVs, home audio systems, cameras, and other digital media devices.
upstream interface
The interface allowing traffic to transfer in the direction from client to server, or client to Internet.
user password
This BIOS option enables administrators to establish passwords that users must enter during the startup process to complete the boot process and gain access to the operating system.
utility files
Programs that permit the user to manage system resources, troubleshoot the system, and configure the system.

V

varifocal lens
Optical assemblies containing several movable elements that permit changing the effective focal length (EFL) of a surveillance camera. Unlike a zoom lens, a varifocal lens requires refocusing with each change. A camera fitted with a varifocal lens can be focused at multiple millimeter settings based on the user’s preference.
VBScript
Another scripting language that is unique to Microsoft Windows Internet Explorer. VBScript is similar to JavaScript, but it is not as widely used in websites because of limited compatibility with other browsers.
video surveillance system
An important element of most commercial security systems. The system employs cameras for prevention and recovery.
videocassette recorders (VCRs)
CCTV has traditionally been recorded using videocassette recorders (VCRs); such systems tend to be highly labor intensive.
virtual access control lists (VACLs)
Access lists that filter traffic entering the VLANs, as well as filter traffic moving between members of the VLANs.
virtual LAN (VLAN)
Software configured network that is segregated at the data link layer.
Virtual Private Network (VPN)
Remote users can connect to a private network over a public network, such as the Internet, and then authenticate and perform tasks on the private network as if they were connected directly. It enables a user to communicate with another device across a public network as if it were a private network, ensuring security.
viruses
Malware programs designed to replicate and spread within a local computer environment. This most often happens when users download programs from the Internet or open email attachments.
VLAN hopping attacks
These attacks, also known as Switch Spoofing Attacks, involve an attacker sending a Dynamic Trunking Protocol (DTP) request to a switch to configure the attacker’s port as a trunk connection. Once configured, this connection routes all traffic in the VLANs to the attacker.
VLAN Management Policy Server (VMPS)
VMPS is used to dynamically assign VLANs based on MAC addresses. It is based on the Cisco VQP protocol for client/server exchanges and is vulnerable to attack because it is an unauthenticated protocol that runs under UDP.
VLAN Trunking Protocol attacks
These attacks target Cisco’s layer-2 VLAN Trunking Protocol (VTP). This protocol provides automated ISL/802.1Q trunk configuration between switches across an entire network so they can share packets. The automated nature of VTP provides access to all of the network’s VLANs by default, and it can be used to add or remove a VLAN from the network. This makes switches with trunk ports vulnerable to attack.
voice recognition
Applications that utilize the voice and speech patterns of a user to perform a variety of actions.
vulnerability
Any weakness that may allow an attacker access to network assets.
vulnerability emulators
Training simulators for penetration testing.
vulnerability scanners
Database-driven tools designed to search computers for known vulnerabilities that have been identified and added to the database. They are designed to assess computers, systems, networks, and applications.

W

web browser
A software application that provides the retrieval, presentation, and traversing of resources on the Internet.
web proxy
A computer or server that functions on behalf of a host, or network of hosts, that are accessing the web.
web server
Enterprises employ web servers to host web pages that advertise their organization on the Internet. These are frontend servers that deal directly with the Internet.
engineering tactics.
whitelisting
The process of permitting only the users who match some criteria or authentication.
whitelists
Registries of users who are trusted to have specific privileges, services, or access to an asset.
wide angle lens
A lens that provides the ability to see a wider image in confined areas, as opposed to other standard lens types.
Wide Area Networks (WANs)
Networks distributed over a wide geographical area.
Wi-Fi
Wireless Fidelity (Wi-Fi) is a wireless network technology that provides electronic devices the access to connect to a LAN.
WiGLE
An online database that users use and contribute to, to track and log wireless network information.
WiMAX
Worldwide Interoperability for Microwave Access (WiMAX) is a broadband wireless access standard designed to provide Internet access across large geographic areas, such as cities, counties, and in some cases countries.
Wired Equivalent Privacy (WEP)
A security protocol designed to provide security to a wireless LAN.
Wireless Access Point (WAP)
A network connectivity device that allows wireless clients to connect to a wired network.
wireless networks
Any network that is connected without using a traditional cabling scheme. It connects computer nodes together using high-frequency radio waves. The IEEE organization oversees a group of wireless networking specifications under the IEEE 802.xx banner.
Wireshark
A mature, open-source, cross-platform network protocol analyzer. It is one of the best-known protocol analyzers and supports nearly every protocol.
worms
Sometimes referred to as network viruses, these malware programs are circulated through a network connection. Worms search for vulnerabilities to exploit in an application, and once the worm has taken advantage of the vulnerability, it seeks to replicate to another computer on the network.

Z

zero day attack
An attack that exploits a zero day vulnerability.
zero day vulnerability
A vulnerability unknown to the product vendor and, therefore, no patch is available to mitigate the effects.
Z-Force
A packet interception and injection tool, used to compromise and exploit Z-Wave AES encryption.
ZigBee
This standard is a wireless, mesh-networked PAN protocol that provides for a 10-meter communication range with data transfer rates at 250 Kbps. The ZigBee standard has been embraced by the smart home automation and industrial controls communities, as well as several areas of the smart grid consortium.
ZigBee Alliance
An open, nonprofit association working to develop new ZigBee standards.
zombies
Infected computers that can be placed under the remote control of a malicious user. Zombies can be used to create Denial of Service attacks that flood targeted networks. Computers are often infected and become a zombie by way of viruses, worms, and Trojans.
zooming
A function of a telescopic lens to get a closer view.
Z-Wave
A wireless communication standard created to support communication between devices in the home automation market. It was designed for simple monitoring and control as well as interdevice wireless communication.