GLOSSARY
802.1X standard An IEEE standard that defines the process of authenticating and authorizing users on a network before they’re allowed to connect.
access point (AP) A radio transceiver that connects to a network via an Ethernet cable and bridges a wireless network with a wired network.
ACK A TCP flag that acknowledges a TCP packet with SYN-ACK flags set.
Active Server Pages (ASP) A scripting language for creating dynamic Web pages.
active system An IDS or IPS that logs events, sends out alerts, and can interoperate with routers and firewalls.
ActiveX Data Objects (ADO) A programming interface for connecting a Web application to a database.
ad-hoc network A wireless network that doesn’t rely on an AP for connectivity; instead, independent stations connect to each other in a decentralized fashion.
Advanced Encryption Standard (AES) A symmetric block cipher standard from NIST that replaced DES. See also Data Encryption Standard (DES).
adware Software that can be installed without a user’s knowledge; its main purpose is to determine users’ purchasing habits.
algorithm A set of directions used to solve a problem.
amplitude The height of a sound wave; determines a sound’s volume.
anomaly detector A type of IDS that sends alerts on network traffic varying from a set baseline.
application-aware firewall A firewall that inspects network traffic at a higher level in the OSI model than a traditional stateful packet inspection firewall does.
assembly language A programming language that uses a combination of hexadecimal numbers and expressions to program instructions that are easier to understand than machine-language instructions.
asymmetric algorithm An encryption methodology that uses two keys that are mathematically related; also referred to as public key cryptography.
Asynchronous JavaScript and XML (AJAX) A Web development technique used for interactive Web sites, such as Facebook and Google Apps; this development technique makes it possible to create the kind of sophisticated interface usually found on desktop programs.
attack Any attempt by an unauthorized person to access, damage, or use resources of a network or computer system.
attack surface The amount of code a computer system exposes to unauthenticated outsiders.
authentication The process of verifying that the sender or receiver (or both) is who he or she claims to be; this function is available in asymmetric algorithms but not symmetric algorithms.
backdoor A program that an attacker can use to gain access to a computer at a later date. See also rootkit.
basic service area (BSA) The coverage area an access point provides in a wireless network.
basic service set (BSS) The collection of connected devices in a wireless network.
birthday attacks Attacks used to find the same hash value for two different inputs and reveal mathematical weaknesses in a hashing algorithm.
black box model A model for penetration testing in which management doesn’t divulge to IT security personnel that testing will be conducted or give the testing team a description of the network topology. In other words, testers are on their own.
block cipher A symmetric algorithm that encrypts data in blocks of bits. These blocks are used as input to mathematical functions that perform substitution and transposition of the bits, making it difficult for someone to reverse-engineer the mathematical functions that were used.
Blowfish A block cipher that operates on 64-bit blocks of plaintext, but its key length can be as large as 448 bits.
botnet A group of multiple computers, usually thousands, that behave like robots to conduct an attack on a network. The computers are called zombies because their users aren’t aware their systems are being controlled by one person. See also zombies.
branching A method that takes you from one area of a program (a function) to another area.
brute-force attack An attack in which the attacker uses software that attempts every possible combination of characters to guess passwords.
buffer overflow attack An exploit written by a programmer that finds a vulnerability in poorly written code that doesn’t check for a predefined amount of memory space use, and then inserts executable code that fills up the buffer (an area of memory) for the purpose of elevating the attacker’s permissions.
bug A programming error that causes unpredictable results in a program.
certificate A digital document that verifies whether two parties exchanging data over the Internet are really who they claim to be. Each certificate has a unique serial number and must follow the X.509 standard.
certification authority (CA) A third party, such as VeriSign, that vouches for a company’s authenticity and issues a certificate binding a public key to a recipient’s private key.
Certified Ethical Hacker (CEH) A certification for security testers designated by the EC-Council.
Certified Information Systems Security Professional (CISSP) Non-vendor-specific certification issued by the International Information Systems Security Certification Consortium, Inc. (ISC2).
channels Specific frequency ranges within a frequency band in which data is transmitted.
chipping code Multiple sub-bits representing the original message that can be used for recovery of a corrupted packet traveling across a frequency band.
cipher A key that maps each letter or number to a different letter or number.
ciphertext Plaintext (readable text) that has been encrypted.
class In object-oriented programming, the structure that holds pieces of data and functions.
closed ports Ports that aren’t listening or responding to a packet.
ColdFusion A server-side scripting language for creating dynamic Web pages; supports a wide variety of databases and uses a proprietary markup language known as CFML.
Common Gateway Interface (CGI) An interface that passes data between a Web server and a Web browser.
Common Internet File System (CIFS) A remote file system protocol that enables computers to share network resources over the Internet.
competitive intelligence A means of gathering information about a business or an industry by using observation, accessing public information, speaking with employees, and so on.
compiler A program that converts source code into executable or binary code.
computer security The security of stand-alone computers that aren’t part of a network infrastructure.
connectionless With a connectionless protocol, no session connection is required before data is transmitted. UDP and IP are examples of connectionless protocols.
connection-oriented protocol A protocol for transferring data over a network that requires a session connection before data is sent. In TCP/IP, this step is accomplished by sending a SYN packet.
conversion specifier Tells the compiler how to convert the value indicated in a function.
cookie A text file containing a message sent from a Web server to a user’s Web browser to be used later when the user revisits the Web site.
crackers Hackers who break into systems with the intent of doing harm or destroying data.
cryptanalysis A field of study devoted to breaking encryption algorithms.
data at rest Any data not moving through a network or being used by the OS; usually refers to data on storage media.
Data Encryption Algorithm (DEA) The encryption algorithm used in the DES standard; a symmetric algorithm that uses 56 bits for encryption. See also Data Encryption Standard (DES).
Data Encryption Standard (DES) A NIST standard for protecting sensitive but unclassified data; it was later replaced because the increased processing power of computers made it possible to break DES encryption.
demilitarized zone (DMZ) A small network containing resources that sits between the Internet and the internal network, sometimes referred to as a “perimeter network.” It’s used when a company wants to make resources available to Internet users yet keep the company’s internal network secure.
denial-of-service (DoS) attack An attack made to deny legitimate users from accessing network resources.
dictionary attack An attack in which the attacker runs a password-cracking program that uses a dictionary of known words or passwords as an input file against the attacked system’s password file.
digital signature A method of signing messages by using asymmetric encryption that ensures authentication and nonrepudiation. See also authentication and nonrepudiation.
distance-vector routing protocol A routing protocol that passes the routing table (containing all possible paths) to all routers on the network. If a router learns one new path, it sends the entire routing table again, which isn’t as efficient as a link-state routing protocol.
distributed denial-of-service (DDoS) attack An attack made on a host from multiple servers or computers to deny legitimate users from accessing network resources.
do loop A loop that performs an action and then tests to see whether the action should continue to occur.
domain controller A Windows server that stores user account information, authenticates domain logons, maintains the master database, and enforces security policies for a Windows domain.
drive-by download A type of attack in which Web site visitors download and install malicious code or software without their knowledge.
dumpster diving Gathering information by examining the trash that people discard.
dynamic Web pages Web pages that can change on the fly depending on variables, such as the date or time of day.
embedded operating system (OS) An operating system that runs in an embedded system; designed to be small and efficient, so it usually lacks some functions of general-purpose OSs. It can be a small program developed specifically for an embedded system or a stripped-down version of a general- purpose OS.
embedded system Any computer system that’s not a general-purpose PC or server.
encryption algorithm A mathematical formula or method for converting plaintext into ciphertext.
enumeration The process of connecting to a system and obtaining information such as logon names, passwords, group memberships, and shared resources.
ethical hackers Users who attempt to break into a computer system or network with the owner’s permission.
Extensible Authentication Protocol (EAP) An enhancement to PPP designed to allow an organization to select an authentication method.
filtered ports Ports protected with a network-filtering device, such as a firewall.
firewalls Hardware devices or software used to control traffic entering and leaving an internal network.
firmware Software residing on a chip.
footprinting Gathering information about a company before performing a security test or launching an attack; sometimes referred to as “reconnaissance.”
for loop A loop that initializes a variable, tests a condition, and then increments or decrements the variable.
Fping An enhanced Ping utility for pinging multiple targets simultaneously.
frequency The number of sound wave repetitions in a specified time; also referred to as cycles per second.
function A mini program within a main program that performs a particular task.
Global Information Assurance Certification (GIAC) An organization founded by the SANS Institute in 1999 to validate the skills of security professionals. GIAC certifications encompass many areas of expertise in the security field.
gray box model A hybrid of the black box and white box models for penetration testing. In other words, the company might give a tester some information about which OSs are running but not provide any network topology information (diagrams of routers, switches, intrusion detection systems, firewalls, and so forth).
hacker A user who attempts to break into a computer system or network without authorization from the owner.
hashing algorithm A function that takes a variable-length string or message and produces a fixed-length hash value, also called a message digest. See also message digest.
honeypot A computer placed on the network perimeter that contains information or data intended to lure hackers and distract them from legitimate network resources.
host-based IDSs/IPSs Software used to protect a critical network server or database server. The software is installed on the system you’re attempting to protect, just like installing antivirus software on a desktop system.
Hping An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities.
infrared (IR) An area in the electromagnetic spectrum with a frequency above microwaves; an infrared signal is restricted to a single room or line of sight because IR light can’t penetrate walls, ceilings, or floors. This technology is used for most remote controls.
infrastructure mode The mode a wireless network operates in, whereby centralized connectivity is established with one or more APs. It’s the most common type of WLAN and differs from an ad-hoc network, which doesn’t require an AP.
initial sequence number (ISN) A number that keeps track of what packets a node has received.
Institute for Security and Open Methodologies (ISECOM) A nonprofit organization that provides security training and certification programs for security professionals.
Institute of Electrical and Electronics Engineers (IEEE) An organization that creates standards for the IT industry.
International Data Encryption Algorithm (IDEA) A block cipher that operates on 64-bit blocks of plaintext and uses a 128-bit key; used in PGP encryption software.
Internet Assigned Numbers Authority (IANA) The organization responsible for assigning IP addresses.
Internet Control Message Protocol (ICMP) The protocol used to send informational messages and test network connectivity.
intrusion detection systems (IDSs) Hardware or software devices that monitor network traffic and send alerts so that security administrators can identify attacks in progress and stop them.
intrusion prevention systems (IPSs) Network-based or host-based devices or software that go beyond monitoring traffic and sending alerts to actually block malicious activity they detect.
IP access lists A list of IP addresses, subnets, or networks that are allowed or denied access through a router’s interface.
key A sequence of random bits used in an encryption algorithm to transform plaintext into ciphertext, or vice versa.
keyloggers Hardware devices or software (spyware) that record keystrokes made on a computer and store the information for later retrieval.
keyspace The range of all possible key values contained in an encryption algorithm. See also key.
link-state routing protocol A routing protocol that uses link-state advertisements to send topology changes or new paths to other routers on the network. This method is efficient because only new information is sent, not the entire routing table.
looping The act of repeating a task.
macro virus A virus written in a macro programming language, such as Visual Basic for Applications.
malware Malicious software, such as a virus, worm, or Trojan program, used to shut down a network and prevent a business from operating.
Mandatory Access Control (MAC) An OS security mechanism that enforces access rules based on privileges for interactions between processes, files, and users; included in SELinux.
man-in-the-middle attack An attack in which attackers place themselves between the victim computer and another host computer, and then intercept messages sent from the victim to the host and pretend to be the host computer.
mathematical attack An attack in which properties of the encryption algorithm are attacked by using mathematical computations. Categories of this attack include ciphertext- only attack, known plaintext attack, chosen-plaintext attack, chosen-ciphertext attack, and side-channel attack.
message digest The fixed-length value that a hashing algorithm produces; used to verify that data or messages haven’t been changed.
Message Digest 5 (MD5) A 128-bit cryptographic hash function; still used, even though its weaknesses make finding collisions practical with only moderate computing power. Most useful for file integrity checking.
metropolitan area networks (MANs) The 802.16 standard defines the Wireless MAN Air Interface for wireless MANs and addresses the limited distance available for 802.11b WLANs. The most widely used implementation of wireless MAN technology is WiMAX. See also Worldwide Interoperability for Microwave Access (WiMAX).
Mobile Broadband Wireless Access (MBWA) The 802.20 standard, with a goal similar to mobile WiMAX; addresses wireless MANs for mobile users sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour.
modulation A process that defines how data is placed on a carrier signal.
multifunction devices (MFDs) Peripheral networked devices that perform more than one function, such as printing, scanning, and copying.
multiple independent levels of security/safety (MILS) A type of OS (often embedded) certified to run multiple levels of classification (such as unclassified, secret, and top secret) on the same CPU without leakage between levels; used in the U.S. military for high-security environments and in organizations, such as those controlling nuclear power or municipal sewage plants, when separating privileges and functions is crucial.
narrowband A technology that uses microwave radio band frequencies to transmit data. The most popular uses of this technology are cordless phones and garage door openers.
Nessus Previously an open-source scanning tool; now licensed by Tenable Network Security. See OpenVAS.
NetBIOS Extended User Interface (NetBEUI) A fast, efficient protocol that allows transmitting NetBIOS packets over TCP/IP and various network topologies, such as token ring and Ethernet.
Network Address Translation (NAT) A basic security feature of a firewall used to hide the internal network from outsiders. Internal private IP addresses are mapped to public external IP addresses to hide the internal infrastructure from unauthorized personnel.
network-based IDSs/IPSs Devices that monitor traffic on network segments and alert security administrators of suspicious activity.
Network Basic Input Output System (NetBIOS) A Windows programming interface that allows computers to communicate across a LAN.
network protection system Any system designed specifically to protect networks or network devices from attacks; includes routers, firewalls, Web filters, network-based and host-based IPSs and IDSs, and honeypots.
network security The security of computers or devices that are part of a network infrastructure.
Nmap A security tool used to identify open ports and detect services and OSs running on network systems.
nonrepudiation The process of ensuring that the sender and receiver can’t deny sending or receiving the message; this function is available in asymmetric algorithms but not symmetric algorithms.
null session An unauthenticated connection to a Windows system.
Object Linking and Embedding Data Base (OLE DB) A set of interfaces enabling Web applications to access diverse database management systems.
Open Database Connectivity (ODBC) A standard database access method that allows a Web application to interact with a variety of database management systems.
OpenPGP The Internet public key encryption standard for PGP messages; can use AES, IDEA, RSA, DSA, and SHA algorithms for encrypting, authenticating, verifying message integrity, and managing keys. The most common free version is GNU Privacy Guard (GnuPG or GPG), and a commercial version that’s compliant with the OpenPGP standard is available.
open ports Ports that respond to ping sweeps and other packets.
Open Source Security Testing Methodology Manual (OSSTMM) This security manual developed by Peter Herzog has become one of the most widely used security-testing methodologies to date.
Open Web Application Security Project (OWASP) A not- for-profit foundation dedicated to fighting and finding Web application vulnerabilities.
OpenVAS A security tool for conducting port scanning, OS identification, and vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.
OSSTMM Professional Security Tester (OPST) An ISECOM- designated certification for penetration and security testers. See also Institute for Security and Open Methodologies (ISECOM).
packet monkeys A derogatory term for unskilled crackers or hackers who steal program code and use it to hack into network systems instead of creating the programs themselves.
passive systems IDSs that don’t take any action to stop or prevent a security event.
path-vector routing protocol A protocol that uses dynamically updated paths or routing tables to transmit packets from one autonomous network to another.
penetration test In this test, a security professional performs an attack on a network with permission from the owner to discover vulnerabilities; penetration testers are also called ethical hackers.
phishing A type of attack carried out by e-mail; e-mails include links to fake Web sites intended to entice victims into disclosing private information or installing malware.
PHP Hypertext Processor (PHP) An open-source server-side scripting language.
piggybacking A method attackers use to gain access to restricted areas in a company. The attacker follows an employee closely and enters the area with that employee.
Ping of Death attack A crafted ICMP packet larger than the maximum 65,535 bytes; causes the recipient system to crash or freeze.
ping sweep Pinging a range of IP addresses to identify live systems on a network.
plaintext Readable text that hasn’t been encrypted; also called cleartext.
port The logical component of a connection that identifies the service running on a network device. For example, port 110 is the POP3 mail service.
port scanning A method of finding out which services a host computer offers.
Pretty Good Privacy (PGP) A free e-mail encryption program that allows typical users to encrypt e-mails.
private key In a key pair, the secret key used in an asymmetric algorithm that’s known only by the key owner and is never shared. Even if the public key that encrypted a message is known, the owner’s private key can’t be determined.
privileged mode A mode on Cisco routers that allows administrators to perform full router configuration tasks; also called enable mode.
Protected EAP (PEAP) An authentication protocol that uses Transport Layer Security (TLS) to authenticate the server to the client but not the client to the server; only the server is required to have a digital certificate.
protocol A language used to transmit data across a network infrastructure.
pseudocode An English-like language for outlining the structure of a program.
public key In a key pair, the key that can be known by the public; it works with a private key in asymmetric key cryptography, which is also known as public key cryptography.
public key cryptography Also known as asymmetric key cryptography, an asymmetric algorithm that uses two mathematically related keys.
public key infrastructure (PKI) A structure consisting of programs, protocols, and security policies. PKI uses public key cryptography to protect data traversing the Internet.
rainbow table A lookup table of password hash values that enables certain programs to crack passwords much faster than with brute-force methods.
RC4 A stream cipher created by Ronald L. Rivest that’s used in WEP wireless encryption.
RC5 A block cipher created by Ronald L. Rivest that can operate on different block sizes: 32, 64, and 128 bits. The key size can reach 2048 bits.
real-time operating system (RTOS) A specialized embedded OS designed with algorithms aimed at multitasking and responding predictably; used in devices such as programmable thermostats, appliance controls, planes, and spacecraft.
red team A group of penetration testers who work together to break into a network.
Remote Procedure Call (RPC) An interprocess communication mechanism that allows a program running on one host to run code on a remote host.
replay attack An attack in which the attacker captures data and attempts to resubmit the data so that a device, such as a workstation or router, thinks a legitimate connection is in effect.
rootkit A program created after an attack for later use by the attacker; it’s usually hidden in the OS tools and is difficult to detect. See also backdoor.
Samba An open-source implementation of CIFS that allows *nix servers to share resources with Windows clients and vice versa.
script kiddies Similar to packet monkeys, a term for unskilled hackers or crackers who use scripts or programs written by others to penetrate networks.
Secure Hash Algorithm (SHA) The NIST standard hashing algorithm that’s much stronger than MD5 but has demonstrated weaknesses. For sensitive applications, NIST recommends not using SHA-1, and federal agencies are replacing it with longer digest versions, collectively called SHA-2.
Secure Multipurpose Internet Mail Extension (S/MIME) A public key encryption standard for encrypting and digitally signing e-mail. It can also encrypt e-mails containing attachments and use PKI certificates for authentication.
security appliance A device that combines multiple network protection functions, such as those performed by a router, a firewall, and an IPS, on the same piece of hardware.
security incident response team (SIRT) A team of security professionals with the main responsibility of responding to network attacks and security events.
security test In this test, security professionals do more than attempt to break into a network; they also analyze security policies and procedures and report vulnerabilities to management.
Server Message Block (SMB) A protocol for sharing files and printers and providing a method for client applications to read, write to, and request services from server programs in a network. SMB has been supported since Windows 95.
service set identifier (SSID) The name of a WLAN; can be broadcast by an AP.
session hijacking An attack on a network that requires guessing ISNs. See also initial sequence number (ISN).
shell An executable piece of programming code that creates an interface to an operating system for executing system commands.
shoulder surfing A technique attackers use; involves looking over an unaware user’s shoulders to observe the keys the user types when entering a password.
social engineering Using an understanding of human nature to get information from people.
spear phishing A type of phishing attack that targets specific people in an organization, using information gathered from previous reconnaissance and footprinting; the goal is to trick recipients into clicking a link or opening an attachment that installs malware.
spread spectrum In this technology, data is spread across a large-frequency bandwidth instead of traveling across one frequency band.
spyware Software installed on users’ computers without their knowledge that records personal information from the source computer and sends it to a destination computer.
SQL injection A type of exploit that takes advantage of poorly written applications. An attacker can issue SQL statements by using a Web browser to retrieve data, change server settings, or possibly gain control of the server.
stateful packet filters Filters on routers that record session-specific information in a file about network connections, including the ports a client uses.
stateless packet filters Filters on routers that handle each packet separately, so they aren’t resistant to spoofing or DoS attacks.
state table A file created by a stateful packet filter that contains information on network connections. See also stateful packet filters.
static Web pages Web pages that display the same information whenever they’re accessed.
station (STA) An addressable unit in a wireless network. A station is defined as a message destination and might not be a fixed location.
steganography The method of hiding data in plain view in pictures, graphics, or text.
stream cipher A symmetric algorithm that operates on plaintext one bit at a time.
substitution cipher A cipher that maps each letter of the alphabet to a different letter. The Book of Jeremiah was written by using a substitution cipher called Atbash.
supervisory control and data acquisition (SCADA) systems Systems used for equipment monitoring and automation in large-scale industries and critical infrastructure systems, such as power plants and air traffic control towers; these systems contain components running embedded OSs.
supplicant A wireless user attempting access to a WLAN.
symmetric algorithm An encryption algorithm that uses only one key to encrypt and decrypt data. The recipient of a message encrypted with a key must have a copy of the same key to decrypt the message.
SYN A TCP flag that signifies the beginning of a session.
SYN-ACK A reply to a SYN packet sent by a host.
SysAdmin, Audit, Network, Security (SANS) Institute Founded in 1989, this organization conducts training worldwide and offers multiple certifications through GIAC in many aspects of computer security and forensics.
Systems Management Server (SMS) This service includes detailed hardware inventory, software inventory and metering, software distribution and installation, and remote troubleshooting tools.
TCP flag The six flags in a TCP header are switches that can be set to on or off to indicate the status of a port or service.
testing A process conducted on a variable that returns a value of true or false.
three-way handshake The method the Transport layer uses to create a connection-oriented session.
Transmission Control Protocol/Internet Protocol (TCP/IP) The main protocol used to connect computers over the Internet.
Triple Data Encryption Standard (3DES) A standard developed to address the vulnerabilities of DES; it improved security, but encrypting and decrypting data take longer.
Trojan program A program that disguises itself as a legitimate program or application but has a hidden payload that might send information from the attacked computer to the creator or to a recipient located anywhere in the world.
User Datagram Protocol (UDP) A fast, unreliable Transport layer protocol that’s connectionless.
user mode The default mode on a Cisco router, used to perform basic troubleshooting tests and list information stored on the router. In this mode, no changes can be made to the router’s configuration.
virtual directory A pointer to a physical directory on a Web server.
virus A program that attaches itself to a host program or file.
virus signature file A file maintained by antivirus software that contains signatures of known viruses; antivirus software checks this file to determine whether a program or file on your computer is infected.
wardriving The act of driving around an area with a laptop computer that has a WNIC, scanning software, and an antenna to discover available SSIDs in the area.
Web bug A small graphics file referenced in an <IMG> tag, used to collect information about the user. This file is created by a third-party company specializing in data collection.
WebGoat A Web-based application designed to teach security professionals about Web application vulnerabilities.
while loop A loop that repeats an action a certain number of times while a condition is true or false.
white box model A model for penetration testing in which testers can speak with company staff and are given a full description of the network topology and technology.
Wi-Fi Protected Access (WPA) An 802.11i standard that addresses WEP security vulnerabilities in 802.11b; improves encryption by using Temporal Key Integrity Protocol (TKIP). See also Wired Equivalent Privacy (WEP).
Windows Software Update Services (WSUS) A free add-in component that simplifies the process of keeping Windows computers current with the latest critical updates, patches, and service packs. WSUS installs a Web-based application that runs on a Windows server.
Wired Equivalent Privacy (WEP) An 802.11b standard developed to encrypt data traversing a wireless network.
wireless LAN (WLAN) A network that relies on wireless technology (radio waves) to operate.
wireless network interface cards (WNICs) Controller cards that send and receive network traffic via radio waves and are required on both APs and wireless-enabled computers to establish a WLAN connection.
wireless personal area network (WPAN) A wireless network specified by the 802.15 standard; usually means Bluetooth technology is used, although newer technologies are being developed. It’s for one user only and covers an area of about 10 meters.
Worldwide Interoperability for Microwave Access (WiMAX) The most common implementation of the 802.16 MAN standard. See also metropolitan area networks (MANs).
worm A program that replicates and propagates without needing a host.
zombies Computers controlled by a hacker to conduct criminal activity without their owners’ knowledge; usually part of a botnet. See also botnet.
zone transfer A method of transferring records from a DNS server to use in analysis of a network.