Glossary

== Numbers and Symbols ==

* (star) Integrity Axiom (* Axiom)
An axiom of the Biba model that states that a subject at a specific classification level cannot write data to a higher classification level. This is often shortened to “no write up.”

* (star) Security Property (* Property)
A property of the Bell–LaPadula model that states that a subject at a specific classification level cannot write data to a lower classification level. This is often shortened to “no write down.”

802.11i (WPA2)
An amendment to the 802.11 standard that defines a new authentication and encryption technique that is similar to IPsec. To date, no real-world attack has compromised a properly configured WPA2 wireless network.

802.1q
The IEEE standard that defines VLAN tagging. VLAN tagging is used by switches and bridges to manage traffic within and between VLANs.

802.1x
A form of wireless authentication protection that requires all wireless clients to pass a gauntlet of RADIUS or TACACS services before network access is granted.

1000BaseT
A form of twisted pair cable that supports 1000 Mbps or 1 Gbps throughput at 100-meter distances. Often called Gigabit Ethernet.

100BaseTX
Another form of twisted pair cable similar to 100BaseT. 100BaseTX is the most common form of Fast Ethernet.

10Base2
A type of coaxial cable. Often used to connect systems to backbone trunks. 10Base2 has a maximum span of 185 meters with maximum throughput of 10 Mbps. Also called thinnet. A legacy network connection technology not likely to be found in a modern network.

10Base5
A type of coaxial cable. Often used as a network’s backbone. 10Base5 has a maximum span of 500 meters with maximum throughput of 10 Mbps. Also called thicknet. A legacy network connection technology not likely to be found in a modern network.

10BaseT
A type of network cable that consists of four pairs of wires that are twisted around each other and then sheathed in a PVC insulator. Also called twisted pair.

== A ==

AAA services
An acronym that appears to refer to authentication, authorization, and accounting (or sometimes auditing). However, it actually refers to five elements: identification, authentication, authorization, auditing, and accounting.

abnormal activity
Any system activity that does not normally occur on your system. Also referred to as suspicious activity.

abstraction
The collection of similar elements into groups, classes, or roles for the assignment of security controls, restrictions, or permissions as a collective.

acceptable use policy (AUP)
A policy that defines a level of acceptable performance and expectation of behavior and activity for employees. Failure to comply with the policy may result in job action warnings, penalties, or termination.

acceptance testing
A form of testing that attempts to verify that a system satisfies the stated criteria for functionality and possibly also for security capabilities of a product. It is used to determine whether end users or customers will accept the completed product.

accepting risk
The valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss because of a risk.

access
The transfer of information from an object to a subject.

access aggregation
Collecting multiple pieces of nonsensitive information and combining it or aggregating it to learn sensitive information. Reconnaissance attacks often use access aggregation methods.

access control
The mechanism by which subjects are granted or restricted access to objects. It includes hardware, software, and organizational policies or procedures that identify and authenticate subjects, verify authorization to objects, and monitor or record access attempts.

access control list (ACL)
The column of an access control matrix that specifies what level of access each subject has over an object.

access control matrix
A table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Each column of the matrix is an ACL. Each row of the matrix is a capability list.

access control types
Categories of access controls. Preventive controls attempt to prevent security incidents from occurring, detective controls attempt to discover incidents after they’ve occurred, and corrective controls attempt to correct any problems caused by detected incidents. Other control types include recovery, deterrent, directive, and compensation access controls. Controls are implemented using administrative, logical/technical, or physical means.

access tracking
Auditing, logging, and monitoring the attempted access or activities of a subject. Also referred to as activity tracking.

account lockout
An element of the password policy’s programmatic controls that disables a user account after a specified number of failed logon attempts. Account lockout is an effective countermeasure to brute-force and dictionary attacks against a system’s logon prompt.

accountability (aka accounting)
The process of holding someone responsible (accountable) for something. In this context, accountability is possible if a subject’s identity and actions can be tracked and verified.

accreditation
The formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

ACID model
The letters in ACID represent the four required characteristics of database transactions: atomicity, consistency, isolation, and durability.

active content
Web programs that users download to their own computer for execution rather than consuming server-side resources.

active monitoring
Generating traffic on a network or against a system and monitoring the flow or response of the environment. It is using a false load or work to monitor the operations of a target. See synthetic monitoring.

ActiveX
Microsoft’s Component Object Model (COM) technology used in web applications. ActiveX is implemented using any one of a variety of languages, including Visual Basic, C, C++, and Java.

ad hoc
A peer-to-peer wireless network connection between two (or more) individual systems without the need for a wireless base station.

Address Resolution Protocol (ARP)
A subprotocol of the TCP/IP protocol suite that operates at the Data Link layer (layer 2). ARP is used to discover the MAC address of a system by polling using its IP address.

addressing
The means by which a processor refers to various locations in memory.

administrative access controls
The policies and procedures defined by an organization’s security policy to implement and enforce overall access control. Examples of administrative access controls include hiring practices, background checks, data classification, security training, vacation history reviews, work supervision, personnel controls, and testing.

administrative law
Regulations that cover a range of topics from procedures to be used within a federal agency to immigration policies that will be used to enforce the laws passed by Congress. Administrative law is published in the Code of Federal Regulations (CFR).

administrative physical security controls
Security controls that include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

admissible evidence
Evidence that is relevant to determining a fact. The fact that the evidence seeks to determine must be material (in other words, related) to the case. In addition, the evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

Advanced Encryption Standard (AES)
The encryption standard selected in October 2000 by the National Institute of Standards and Technology (NIST) that is based on the Rijndael cipher.

advanced persistent threat (APT)
An organized group of attackers who are highly motivated, skilled, and patient. They are often sponsored by a government, are focused on a specific target, and will continue attacking for a very long time until they achieve their goal.

advisory policy
A policy that discusses behaviors and activities that are acceptable and defines consequences of violations. An advisory policy discusses the senior management’s desires for security and compliance within an organization. Most policies are advisory.

adware
Software that uses a variety of techniques to display advertisements on infected computers. Commonly related to or linked to spyware.

agent
An intelligent code object that performs actions on behalf of a user. It typically takes initial instructions from the user and then carries on its activity in an unattended manner for a predetermined period of time, until certain conditions are met, or for an indefinite period.

aggregate functions
SQL functions, such as COUNT(), MIN(), MAX(), SUM(), and AVG(), that can be run against a database to produce an information set.

aggregation
A number of functions that combine records from one or more tables to produce potentially useful information.

agile software development
A set of software development approaches that eschew the rigid models of the past in favor of approaches that place an emphasis on the needs of the customer and on quickly developing new functionality that meets those needs in an iterative fashion.

alarm
A mechanism that is separate from a motion detector and triggers a deterrent, triggers a repellant, and/or triggers a notification. Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm.

alarm triggers
Notifications sent to administrators when a specific event occurs.

algorithm
A set of rules or procedures to perform on input data. Commonly related to cryptographic functions that dictate the permutations of encryption and decryption.

amplifier
See repeater.

analytic attack
An algebraic manipulation that attempts to reduce the complexity of a cryptographic algorithm. This attack focuses on the logic of the algorithm itself.

AND
The operation (represented by the ∧ symbol) that checks to see whether two values are both true.

annualized loss expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset. The ALE is calculated using the formula ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).

annualized rate of occurrence (ARO)
The expected frequency that a specific threat or risk will occur (in other words, become realized) within a single year. Also known as probability determination.

anomaly detection
See behavior based detection.

APIPA
See Automatic Private IP Addressing (APIPA).

applet
Code objects sent from a server to a client to perform some action. Applets are self-contained miniature programs that execute independently of the server that sent them.

AppleTalk
A suite of protocols developed by Apple for networking of Macintosh systems, originally released in 1984. Support for AppleTalk was removed from the Apple operating system as of the 2009 release of Mac OS X v10.6.

Application layer
Layer 7 of the Open Systems Interconnection (OSI) model.

application level gateway firewall
A firewall that filters traffic based on the internet service (in other words, application) used to transmit or receive the data. Application level gateways are known as second-generation firewalls.

application programming interfaces (APIs)
APIs allow application developers to bypass traditional web pages and interact directly with the underlying service through function calls. While offering and using APIs creates tremendous opportunities for service providers, it also poses some security risks. Developers must be aware of these challenges and address them when they create and use APIs.

ARP cache poisoning
An attack in which an attacker inserts bogus information into the ARP cache (the local memory store of discovered IP-to-MAC relationships).

assembly language
A higher-level alternative to machine language code. Assembly languages use mnemonics to represent the basic instruction set of a CPU but still require hardware-specific knowledge.

asset
Anything within an environment that should be protected. The loss or disclosure of an asset could result in an overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.

asset valuation
A dollar value assigned to an asset based on actual cost and nonmonetary expenses, such as costs to develop, maintain, administer, advertise, support, repair, and replace; as well as other values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.

asset value (AV)
A dollar value assigned to an asset based on actual cost and nonmonetary expenses.

assigning risk
See transferring risk.

assurance
The degree of confidence that security needs are satisfied. Assurance must be continually maintained, updated, and reverified.

asymmetric key
A form of cryptography that does not use symmetric keys. It either uses complex formulas to solve problems (such as Diffie–Hellman to generate/exchange symmetric keys) or uses key-pair sets to provide digital signatures and digital envelopes. This latter form is also known as public key cryptography.

asymmetric multiprocessing (AMP)
A form of multiprocessing where the processors are often operating independently of each other. Usually each processor has its own OS and/or task instruction set. Under AMP, processors can be configured to execute only specific code or operate on specific tasks (or vice versa, where specific code or tasks are allowed to run only on specific processors; this might be called affinity in some circumstances).

asynchronous dynamic password token
A token device that generates one-time passwords after the user enters a PIN in the token device. The PIN is provided by a server as a challenge, and the user enters the one-time password created by the token as the response.

asynchronous transfer mode (ATM)
A cell-switching technology rather than a packet-switching technology like Frame Relay. ATM uses virtual circuits much like Frame Relay, but because it uses fixed-size frames or cells, it can guarantee throughput. This makes ATM an excellent WAN technology for voice and videoconferencing.

atomicity
One of the four required characteristics of all database transactions. A database transaction must be an “all-or-nothing” affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.

attack
The exploitation of a vulnerability by a threat agent.

attacker
Any person who attempts to perform a malicious action against a system.

attenuation
The loss of signal strength and integrity on a cable because of the length of the cable.

attribute
A column within a table of a relational database.

Attribute Based Access Control (ABAC)
An advanced implementation of a rule-based access control model that uses policies that include multiple attributes for rules. Many software-defined networking applications use ABAC models.

audit
A methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.

audit trail
The records created by recording information about events and occurrences into a database or log file. Some common uses of audit trails include reconstructing an event, extracting information about an incident, and proving or disproving culpability.

auditing
The use of audit logs and monitoring tools to track activity. It can also refer to an inspection or evaluation of a specific process to determine whether an organization is following specific rules or guidelines.

auditor
The person or group responsible for testing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

authentication
The process of verifying or testing that the identity claimed by a subject is valid.

Authentication Header (AH)
An IPsec protocol that provides authentication, integrity, and nonrepudiation.

authenticated scan
A scan in which the security scanner is granted authenticated read-only access to the servers being scanned (typically via a user account) and uses this access to read configuration information from the target system and apply that information when analyzing vulnerability testing results.

authentication factor
The item(s) presented by a subject to prove or verify their identity, such as passwords, token devices, smartcards, and biometrics.

authentication protocols
Protocols used to provide the transport mechanism for logon credentials.

Authentication Service (AS)
An element of the Kerberos Key Distribution Center (KDC). The AS verifies or rejects the authenticity and timeliness of tickets.

authorization
A process that ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity (in other words, subject).

Automatic Private IP Addressing (APIPA)
A feature of Windows that assigns an IP address to a system should DHCP address assignment fail. The IP address range used by APIPA is 169.254.0.0–169.254.255.255.

auxiliary alarm system
An additional function that can be added to either local or centralized alarm systems. The purpose of an auxiliary alarm system is to notify local police or fire services when an alarm is triggered.

availability
The assurance that authorized subjects are granted timely and uninterrupted access to objects.

awareness
A form of security teaching that is a prerequisite to training. The goal of awareness is to bring security into the forefront and make it a recognized entity for students/users.

== B ==

backbone distribution system
Provides wired connections between the equipment room and the telecommunications rooms, including cross-floor connections.

backdoor or back door
Undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions. Backdoors may be placed and left by the manufacturer or planted by hackers using exploits.

badges
Forms of physical identification and/or of electronic access control devices.

bandwidth on demand
A feature/benefit provided by service providers that allows clients to consume more bandwidth when needed and if the carrier network has the capacity. Such consumption is often charged at a much higher rate.

banner grabbing
Technique used by port scanners and other vulnerability scanners to identify the variant and version of a service running on a system by opening a connection to the service and reading the details provided on the welcome screen.

Base+Offset addressing
An addressing scheme that uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from the computed memory location.

baseband
A communication medium that supports only a single communication signal at a time.

baseline
The minimum level of security that every system throughout the organization must meet. A baseline can be more than a security baseline. It can also be a performance baseline (used by behavior based IDSs) or a configuration baseline (used for configuration management).

basic input/output system (BIOS)
The operating system–independent primitive instructions that a computer needs to start up and load the operating system from disk. See also Unified Extensible Firmware Interface (UEFI).

basic rate interface (BRI)
An ISDN service type that provides two B, or data, channels and one D, or management, channel. Each B channel offers 64 Kbps, and the D channel offers 16 Kbps.

bcrypt
An example of a key stretching technology. It adds a salt to a password, making it more difficult for attackers to discover passwords using rainbow tables. Compare with Password-Based Key Derivation Function 2 (PBKDF2).

beacon frame
A type of wireless network packet that broadcasts the presence of the wireless network by announcing the network’s SSID or network name.

behavior
In the context of object-oriented programming terminology and techniques, the results or output from an object after processing a message using a method.

behavior based detection
An intrusion discovery mechanism used by IDS. Behavior based detection finds out about the normal activities and events on your system through watching and learning. Once it has accumulated enough data about normal activity, it can detect abnormal and possible malicious activities and events. Also known as statistical intrusion detection, anomaly detection, and heuristics based detection.

Bell–LaPadula model
A confidentiality-focused security model based on the state machine model and employing mandatory access controls and the lattice model.

best evidence rule
A rule that states that when a document is used as evidence in a court proceeding, the original document must be introduced. Copies will not be accepted as evidence unless certain exceptions to the rule apply.

Biba model
An integrity-focused security model based on the state machine model and employing mandatory access controls and the lattice model.

binary mathematics
The rules of computation of bits and bytes used by a computer. Also known as Boolean.

bind variable
A placeholder for SQL literal values, such as numbers or character strings.

biometric factors
Characteristics of any person that can be used to identify or authenticate the person. Physiological biometric methods include fingerprints, face scans, retina scans, iris scans, palm scans, hand geometry, and voice patterns. Behavioral biometric methods include signature dynamics and keystroke patterns.

biometrics
The use of human physiological or behavioral characteristics as authentication factors for logical access and identification for physical access.

birthday attack
An attack in which the malicious individual seeks to substitute a digitally signed communication with a different message that produces the same message digest, thereby maintaining the validity of the original digital signature. This is based on the statistical anomaly that in a room with 23 people, the probability of two or more people having the same birthday is greater than 50 percent.

bit flipping
The activity of changing a bit to its opposite value. A technique commonly used in fuzzing to slightly modify input data.

bit size
The number of binary digits or bits in a value, such as a key, block size, or hash value.

black box testing
A form of program testing that examines the input and output of a program without focusing on its internal logical structures.

black box
A device used to manipulate line voltages to steal long-distance services.

blackout
A complete loss of power.

block cipher
A cipher that applies the encryption algorithm to an entire message block at the same time. Transposition ciphers are examples of block ciphers.

Blowfish
A block cipher that operates on 64-bit blocks of text and uses variable-length keys ranging from a relatively insecure 32 bits to an extremely strong 448 bits.

bluebugging
An attack that grants hackers remote control over the features and functions of a Bluetooth device. This could include the ability to turn on the microphone to use the phone as an audio bug.

bluejacking
Hijacking a Bluetooth connection to eavesdrop or extract information from devices.

bluesnarfing
An attack that allows hackers to connect with your Bluetooth devices without your knowledge and extract information from them. This form of attack can offer attackers access to your contact lists, your data, and even your conversations.

Bluetooth (802.15)
A wireless standard commonly used to pair accessories to mobile phones or computers.

boot sector
The portion of a storage device used to load the operating system and the types of viruses that attack that process.

bot
An intelligent agent that continuously crawls a variety of websites retrieving and processing data on behalf of the user.

botmaster
The hacker who is in control of a botnet. Also called bot herder.

botnet
A collection of computers (sometimes thousands or even millions!) across the internet under the control of an attacker known as the botmaster.

bottom-up approach
When the IT staff makes security decisions directly without input from senior management.

bounds
The limits to the memory and resources a process can access.

breach
The occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Brewer and Nash model (aka Chinese Wall)
A security model designed to permit access controls to change dynamically based on a user’s previous activity (making it a kind of state machine model as well).

bridge
A network device used to connect networks with different speeds, cable types, or topologies that still use the same protocol. A bridge is a layer 2 device.

bridge mode
A form of wireless access point deployment that is used to link two wired networks together over a wireless bridged connection.

bring your own device (BYOD)
A policy allowing employees to connect their personally owned device to an organization’s network. While the devices are the property of their owners, organizational data stored on the devices is still an asset of the organization.

broadband
A communication medium that supports multiple communication signals simultaneously.

broadcast
A communications transmission to multiple but unidentified recipients.

broadcast address
The address that all devices within a given network grouping or container receive data on.

broadcast domain
A group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it.

broadcast storm
A flood of unwanted Ethernet broadcast network traffic.

broadcast technology
A communication system based on or dependent on broadcasts rather than unicast signaling.

brouter
A network device that first attempts to route and then defaults to bridging if routing fails. A brouter is a legacy networking device that does not seem to have been manufactured since the mid-2000s. You are unlikely to encounter this device in a real-world network, and it is unlikely to be mentioned on the exam.

brownout
A period of prolonged low voltage.

brute force
An attack pattern characterized by a mechanical series of sequential or combinatorial inputs utilized in an automated attempt to identify security properties (usually passwords) in a given system (see brute force attack).

brute force attack
An attack made against a system to discover the password to a known identity (in other words, username). A brute force attack uses a systematic trial of all possible character combinations to discover an account’s password.

buffer overflow
A vulnerability that can cause a system to crash or allow the user to execute shell commands and gain access to the system. Buffer overflow vulnerabilities are especially prevalent in code developed rapidly for the Web using CGI or other languages that allow unskilled programmers to quickly create interactive web pages.

business attack
An attack that focuses on illegally obtaining an organization’s confidential information.

business case
A documented argument or stated position in order to define a need to make a decision or take some form of action.

business continuity planning (BCP)
The assessment of a variety of risks to organizational processes and the creation of policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur.

business impact analysis (BIA)
See business impact assessment (BIA).

business impact assessment (BIA)
An analysis that identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Also known as business impact analysis (BIA).

== C ==

cable plant management policy
The policy governing the collection of interconnected cables and intermediary devices (such as cross-connects, patch panels, and switches) that establish the physical network.

cache RAM
A process that takes data from slower devices and temporarily stores it in higher performance devices when its repeated use is expected.

Caesar cipher
A simple three-position shifting monoalphabetic substitution cipher employed by Julius Caesar.

campus area network (CAN)
A network that spans a college, university, or multibuilding office complex.

candidate key
A subset of attributes, columns, or fields that can be used to uniquely identify any record in a table.

capability list
Each row of an access control matrix is a capability list. A capability list is tied to the subject; it lists valid actions that can be taken on each object.

capability table
A subject-focused table that identifies privileges assigned to subjects. It identifies the actions or functions that each subject can perform on each object.

captive portal
An authentication technique that redirects a newly connected wireless Web client to a portal access control page. The portal page may require the user to input payment information, provide logon credentials, or input an access code.

cardinality
The number of rows in a relational database.

CCE
See Common Configuration Enumeration (CCE).

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
The designed replacement for WEP and TKIP/WPA. It implements AES (Advanced Encryption Standard) with a 128-bit key as a stream cipher.

cell suppression
The act of suppressing (or hiding) individual data items inside a database to prevent aggregation or inference attacks.

centralized access control
A form of access control in which authorization verification is performed by a single entity within a system. Compare to distributed access control.

centralized alarm system
An alarm system that signals a remote or centralized monitoring station when the alarm is triggered.

certificate
Endorsed copy of an individual’s public key that verifies their identity.

certificate authority (CA)
An agency that authenticates and distributes digital certificates.

certificate path validation (CPV)
The verification that each certificate in a certificate path, from the original start or root of trust down to the server or client in question, is valid and legitimate.

certificate revocation list (CRL)
The list of certificates that have been revoked by a certificate authority before the lifetimes of the certificates have expired.

certification
The comprehensive evaluation, made in support of the accreditation process, of the technical and nontechnical security features of an IT system and other safeguards to establish the extent to which a particular design and implementation meet a set of specified security requirements.

chain of evidence
The process by which an object is uniquely identified in a court of law. Also known as the chain of custody.

Challenge Handshake Authentication Protocol (CHAP)
One of the authentication protocols used over PPP links. CHAP encrypts usernames and passwords.

change approval board (CAB)
A group that evaluates proposed changes before approving or denying implementation.

change management
A process that helps prevent unintended outages. Before personnel make a configuration change to a system, they submit a change request. Other personnel review the change. If approved, the change is tested, implemented, and documented.

channel service unit/data service unit (CSU/DSU)
A border connection device that converts LAN signals into the format used by the WAN carrier network, and vice versa.

checklist test
A process in which copies of the disaster recovery checklists are distributed to the members of the disaster recovery team for their review.

chief information security officer (CISO)
The leader of the InfoSec team who reports directly to senior management. See also chief security officer (CSO) and information security officer (ISO).

chief security officer (CSO)
This term is sometimes used as an alternative to CISO, but in many organizations the CSO position is a subposition under the CISO and focuses on physical security. See also information security officer (ISO) and chief information security officer (CISO).

Children’s Online Privacy Protection Act (COPPA)
A law in the United States that places specific demands on websites that cater to children or knowingly collect information from children.

chosen ciphertext attack
An attack in which the attacker has the ability to decrypt chosen portions of the ciphertext message.

chosen plaintext attack
An attack in which the attacker has the ability to encrypt plain text messages of their choosing and then analyze the ciphertext output of the encryption algorithm.

CIA Triad
The three essential security principles of confidentiality, integrity, and availability.

cipher
A system that hides the true meaning of a message. Ciphers use a variety of techniques to alter and/or rearrange the characters or words of a message to achieve confidentiality.

Cipher Block Chaining (CBC)
A process in which each block of unencrypted text is XORed with the block of ciphertext immediately preceding it before it is encrypted using the DES algorithm.

Cipher Feedback (CFB)
A mode in which the DES algorithm is used to encrypt the preceding block of ciphertext. This block is then XORed with the next block of plaintext to produce the next block of ciphertext.

ciphertext
A message that has been encrypted for transmission.

circuit-level gateway firewall
A firewall used to manage communication sessions between trusted partners. It operates at the Session layer (layer 5) of the OSI model.

CISO
See chief information security officer (CISO).

civil laws
Laws that form the bulk of the body of laws in the United States. They are designed to provide for an orderly society and govern matters that are not crimes but require an impartial arbiter to settle disputes between individuals and organizations.

Clark-Wilson model
A model that employs limited interfaces or programs to control and maintain object integrity.

class
In the context of object-oriented programming terminology and techniques, a collection of common methods from a set of objects that defines the behavior of those objects.

classification
A label that is applied to a resource to indicate its sensitivity or value to an organization and therefore designate the level of security necessary to protect that resource.

classification level
Another term for a security label. An assigned importance or value placed on objects and subjects.

clean power
Nonfluctuating pure power.

clearing
A method of sufficiently deleting media that will be reused in the same secured environment. Also known as overwriting.

click-wrap license agreement
A software agreement in which the contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them.

clipping level
A threshold value used in violation analysis auditing. Crossing the clipping level triggers the recording of relevant event data to an audit log.

closed circuit television (CCTV)
A security system using video cameras and video recording devices.

closed head system
See wet pipe system.

cloud access security broker (CASB)
A security policy enforcement solution that may be installed on-premises, or it may be cloud based.

cloud computing
A concept of computing where processing and storage are performed elsewhere over a network connection rather than locally.

cloud shared responsibility model
The concept that when an organization uses a cloud solution, there is a division of security and stability responsibility between the provider and the customer.

cloud solution
The deployment concept where an organization contracts with a third-party cloud provider.

cloud storage
The idea of using storage capacity provided by a cloud vendor as a means to host data files for an organization.

clustering (or key clustering)
A weakness in cryptography where a plaintext message generates identical ciphertext messages using the same algorithm but different keys.

coaxial cable or coax
A cable with a center core of copper wire surrounded by a layer of insulation and then by a conductive braided shielding and finally encased in an insulation sheath. Coaxial cable is fairly resistant to EMI, has a low cost, and is easy to install.

COBIT
See Control Objectives for Information and Related Technology (COBIT).

code or codes
Cryptographic systems of symbols that represent words or phrases and are sometimes secret, but they are not necessarily meant to provide confidentiality. See also cipher.

code repository
Software development is a collaborative effort, and large software projects require teams of developers who may simultaneously work on different parts of the code. Code repositories act as a central storage point for developers to place their source code.

cognitive password
A variant of the password authentication factor that asks a series of questions about facts or predefined responses that only the subject should know.

cohesive (or cohesiveness)
An object is highly cohesive if it can perform a task with little or no help from other objects. Highly cohesive objects are not as dependent on other objects as objects with lower cohesion. Objects with higher cohesion are often better. Highly cohesive objects perform tasks alone and have low coupling.

cold sites
Standby facilities large enough to handle the processing load of an organization and with appropriate electrical and environmental support systems.

collision
A collision occurs when two systems transmit data at the same time onto a connection medium that supports only a single transmission path.

collision attack
See birthday attack.

collision domain
A group of networked systems that could cause a collision if any two (or more) of the systems in that group transmitted simultaneously.

collusion
An agreement between multiple people to perform an unauthorized or illegal action.

columnar transposition
A form of cryptographic transposition based on arranging plaintext in a form that generates columns; then the columns are extracted as the ciphertext.

commercial business/private sector classification
The security labels commonly employed on secure systems used by corporations. Common corporate or commercial security labels are confidential, proprietary, private, sensitive, and public.

committed information rate (CIR)
A contracted minimum guaranteed bandwidth allocation for a virtual circuit.

common access card (CAC)
A smartcard used by US government personnel that includes a picture and other information on the owner. It can be used as a badge and as a smartcard.

Common Body of Knowledge (CBK)
The areas of information prescribed by (ISC)2 as the source of knowledge for the CISSP exam.

Common Configuration Enumeration (CCE)
Security Content Automation Protocol (SCAP) component that provides a naming system for system configuration issues.

common mode noise
Electromagnetic interference (EMI) noise generated by the difference in power between the hot and ground wires of a power source or operating electrical equipment.

Common Object Request Broker Architecture (CORBA)
An international standard for distributed computing. CORBA enables code operating on a computer to locate resources located elsewhere on the network.

Common Platform Enumeration (CPE)
Security Content Automation Protocol (SCAP) component that provides a naming system for operating systems, applications, and devices.

Common Vulnerabilities and Exposures (CVE)
Security Content Automation Protocol (SCAP) component that provides a naming system for describing security vulnerabilities.

Common Vulnerability Scoring System (CVSS)
Security Content Automation Protocol (SCAP) component that provides a standardized scoring system for describing the severity of security vulnerabilities.

community cloud
A cloud deployment model that provides cloud based assets to two or more organizations. Maintenance responsibilities are shared based on who is hosting the assets and the service models.

companion virus
A variation of the file infector virus. A companion virus is a self-contained executable file that escapes detection by using a filename similar to, but slightly different from, a legitimate operating system file.

compartmentalized MAC environment
A type of Mandatory Access Control (MAC) environment where there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for its security domain.

compartmented security mode
A security mode in which systems process two or more types of compartmented information. All system users must have an appropriate clearance to access all information processed by the system but do not necessarily need to know all the information in the system.

compensation access control
A type of access control that provides various options to other existing controls to aid in the enforcement and support of a security policy.

competent
A distinction of evidence that means that the evidence must be obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

compiled language
A computer language that is converted into machine language before distribution or execution.

compiler
A programming tool that converts higher-level language code into an executable file designed for use on a specific operating system.

compliance testing
Another common usage of auditing. Verification that a system complies with laws, regulations, baselines, guidelines, standards, and policies is an important part of maintaining security in any environment.

Component Object Model (COM)
Microsoft’s standard for the use of components within a process or between processes running on the same system.

compromise
If system security has been broken, the system is considered compromised.

computer architecture
An engineering discipline concerned with the construction of computing systems from the logical level.

computer crime
Any crime that is perpetrated against or with the use of a computer.

Computer Fraud and Abuse Act
A US law written to exclusively cover computer crimes that cross state boundaries to avoid infringing on states’ rights.

computer incident response team (CIRT)
Another name for an emergency response team. The group of InfoSec workers who can respond to incidents and system problems.

Computer Security Act (CSA) of 1987
A US law that mandates baseline security requirements for all federal agencies.

computer security incident
A violation, or imminent threat of a violation, of a security policy or practice within the organization. Computer security incidents are the result of an attack, malware infection, or inappropriate usage by employees.

concealment
The act of hiding or preventing disclosure.

concentrator
See repeater.

conclusive evidence
Incontrovertible evidence that overrides all other forms of evidence.

concurrency
A security mechanism that endeavors to make certain that the information stored in a database is always correct or at least has its integrity and availability protected. Concurrency uses a “lock” feature to allow an authorized user to make changes and then “unlocks” data elements only after all changes are complete.

confidential
A government/military classification used for data of a confidential nature. Unauthorized disclosure of confidential data will have noticeable effects and cause damage to national security. This classification is used for all data between secret and unclassified classifications.

confidentiality
The assurance that information is protected from unauthorized disclosure and the defined level of secrecy is maintained throughout all subject-object interactions.

configuration management
The process of logging, auditing, and monitoring activities related to security controls and security mechanisms over time. This data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself.

confinement (or confinement property)
The principle that allows a process to read from and write to certain memory locations and resources only. This is an alternate name for the * (star) Security Property of the Bell–LaPadula model.

confusion
Occurs when the relationship between the plaintext and the key is complicated enough that an attacker can’t just alter the plaintext and analyze the result in order to determine the key.

consistency
One of the four required characteristics of all database transactions (the other three are atomicity, isolation, and durability). All transactions must begin operating in an environment that is consistent with all of the database’s rules.

constrained interface
An access control used in applications that restricts what users can do or see based on their assigned privileges. Subjects with restricted privileges have limited access.

contamination
The result of mixing of data with a different classification level and/or need-to-know requirement.

content-dependent access control
A form of access control that restricts access to data based on the contents or payload of an object.

content-distribution networks (CDN) or content delivery networks
A collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability of the hosted content. CDNs provide the desired multimedia performance quality demanded by customers through the concept of distributed data hosts.

context-aware authentication
An authentication method often used by mobile device management (MDM) systems to identify mobile device users. It can include multiple elements such as the location of the user, the time of day, and the mobile device.

context-dependent access control
A form of access control based on the context or surroundings of an object.

continuity
A goal an organization can accomplish by having plans and procedures to help mitigate the effects a disaster has on its continuing operations and to speed the return to normal operations.

contractual license agreement
A written contract between the software vendor and the customer outlining the responsibilities of each.

control
The use of access rules or countermeasures to limit a subject’s access to an object.

Control Objectives for Information and Related Technology (COBIT)
A security concept infrastructure used to organize the complex security solution of companies. A framework that describes the common requirements that organizations should have in place surrounding their information systems.

control zone
The implementation of either a Faraday cage or white noise generation or both to protect a specific area in an environment; the rest of the environment is not affected.

controls gap
The difference between total risk and residual risk.

converged protocols
The merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. Some common examples of converged protocols include FCoE, MPLS, iSCSI, and VoIP.

COPE (company owned, personally enabled)
A mobile device policy where the organization purchases devices and provides them to employees.

Copper Distributed Data Interface (CDDI)
Deployment of FDDI using twisted-pair (in other words, copper) wires. This reduces the maximum segment length to 100 meters and is susceptible to interference.

copyright
Law that guarantees the creators of “original works of authorship” protection against the unauthorized duplication of their work.

corporate owned mobile strategy
The mobile device policy where the company purchases the mobile devices that can support security compliance with the security policy and provides them to employees.

corrective access control
An access control deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Examples of corrective access controls include alarms, mantraps, and security policies.

corrective controls
Instructions, procedures, or guidelines used to reverse the effects of an unwanted activity, such as attacks or errors.

cost/benefit analysis (aka cost/benefit calculation)
An evaluation to determine whether a safeguard actually improves security without costing too much.

countermeasures
Actions taken to patch a vulnerability or secure a system against an attack. Countermeasures can include altering access controls, reconfiguring security settings, installing new security devices or mechanisms, adding or removing services, and so on.

country code
A two-letter TLD used to associate an FQDN with a specific country, sovereign state, or dependent territory.

coupling
The level of interaction between objects. Lower coupling means less interaction. Lower coupling delivers better software design because objects are more independent. Lower coupling is easier to troubleshoot and update. Objects with low cohesion require lots of assistance from other objects to perform tasks and have high coupling.

covert channel
The means by which data can be communicated outside of normal, expected, or detectable methods.

covert storage channel
A channel that conveys information by writing data to a common storage area where another process can read it.

covert timing channel
A channel that conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner.

CPE
See Common Platform Enumeration (CPE).

cracker
Malicious users intent on waging an attack against a person or system. Crackers may be motivated by greed, power, or recognition. Their actions can result in stolen property (data, ideas, and so on), disabled systems, compromised security, negative public opinion, loss of market share, reduced profitability, and lost productivity.

credential management system
A solution that provides a storage space for users to keep their credentials when single sign-on (SSO) isn’t available. Users can store credentials for websites and network resources that require a different set of credentials. The management system secures the credentials with encryption to prevent unauthorized access.

creeping privilege(s)
The accumulation of user account privileges over time as job roles and assigned tasks change. See also privilege creep.

crime prevention through environmental design (CPTED)
The concept of designing the structure of the physical environment and surroundings to influence individual decisions that potential offenders make before committing any criminal acts.

criminal law
Body of laws that the police and other law enforcement agencies enforce. Criminal law contains prohibitions against acts such as murder, assault, robbery, arson, theft, and similar offenses.

critical path analysis
A systematic effort to identify relationships between mission-critical applications, processes, and operations and all of the necessary supporting elements.

criticality
The level to which information is mission critical. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization.

criticality prioritization
The prioritization of mission-critical assets and processes during the creation of BCP/DRP.

cross-site request forgery (CSRF)
A web attack that leverages a trusted user to perform commands via the user’s browser against a vulnerable server. Also known as XSRF.

cross-site scripting (XSS)
A form of web application attack when a site contains some type of reflected input. Often exploited using script injection.

crossover error rate (CER)
The point at which the false acceptance rate (FAR) equals the false rejection rate (FRR). This is the point from which performance is measured in order to compare the capabilities of different biometric devices. Devices with lower CERs are more accurate than devices with higher CERs.

cryptanalysis
The study of methods to defeat codes and ciphers.

cryptographic key
Cryptographic keys provide the “secret” portion of a cryptographic algorithm used to encrypt and decrypt data.

cryptography
Algorithms applied to data that are designed to ensure confidentiality, integrity, authentication, and/or nonrepudiation.

cryptology
The combination of cryptography and cryptanalysis.

cryptosystem
System in which a shared secret key or pairs of public and private keys are used by communicating parties to facilitate secure communication.

cryptovariable
Another name for the key used to perform encryption and decryption activities.

CSRF
See cross-site request forgery (CSRF).

CSO
See chief security officer (CSO).

CSU/DSU
See channel service unit/data service unit.

custodian
A person who has been assigned or delegated the day-to-day responsibilities of classifying and labeling objects and properly storing and protecting objects. The custodian is typically the IT staff or the system security administrator.

CVE
See Common Vulnerabilities and Exposures (CVE).

CVSS
See Common Vulnerability Scoring System (CVSS).

cyber-physical
A term used to refer to devices that offer a computational means to control something in the physical world. In the past these might have been referred to as embedded systems, but the category of cyber-physical seems to focus more on the physical world results rather than the computational aspects. See Internet of Things (IoT).

cyclic redundancy check (CRC)
Similar to a hash total, a value that indicates whether a message has been altered or damaged in transit.

CYOD (choose your own device)
A mobile device policy that provides users with a list of approved devices from which to select the device to implement.

== D ==

darknet
An unused portion of network space used to monitor for network-based attacks and traffic.

data analytics
The science of raw data examination with the focus of extracting useful information out of the bulk information set. The results of data analytics could focus on important outliers or exceptions to normal or standard items, a summary of all data items, or some focused extraction and organization of interesting information.

data circuit-terminating equipment (DCE)
A networking device that performs the actual transmission of data over the Frame Relay as well as establishing and maintaining the virtual circuit for the customer.

data classification
Grouping data under labels for the purpose of applying security controls and access restrictions.

data controller
In the context of a data processor, as defined by EU data protection laws, the person or entity that controls processing of the data.

data custodian
The user who is assigned the task of implementing the prescribed protection defined by the security policy and upper management. The data custodian performs any and all activities necessary to provide adequate protection for data and to fulfill the requirements and responsibilities delegated to them from upper management.

Data Definition Language (DDL)
The database programming language that allows for the creation and modification of the database’s structure (known as the schema).

data dictionary
Central repository of data elements and their relationships. Stores critical information about data usage, relationships, sources, and formats.

data diddling
The act of making small changes to data, typically malicious in intent.

Data Encryption Standard (DES)
A standard cryptosystem proposed in 1977 for all government communications. DES and 3DES were superseded by Advanced Encryption Standard (AES) in December 2001.

data extraction
The process of extracting elements of data from a large body of data to construct a meaningful representation or summary of the whole.

datagram
The combination of Transport layer UDP header and payload.

data hiding
The process of preventing data from being known by a subject.

Data Link layer
Layer 2 of the OSI model.

data loss prevention (DLP)
Systems that attempt to detect and block data exfiltration attempts.

Data Manipulation Language (DML)
The database programming language that allows users to interact with the data contained within the schema.

data mart
The storage facility used to secure metadata.

data mining
A technique or tool that allows analysts to comb through data warehouses and look for potential correlated information amid the historical data.

data owner
The person responsible for classifying information for placement and protection within the security solution.

data processor
The EU data protection law defines a data processor as “a natural or legal person which processes personal data solely on behalf of the data controller.”

data remanence
Data that remains on media after the data has been supposedly removed. Purging and sanitization methods attempt to ensure that all data is removed from media without any data remanence.

data steward
See data custodian.

data stream
Data from an application sent into a protocol stack. The data stream becomes the initial payload of the top layer protocol.

data terminal equipment (DTE)
A networking device that acts like a router or a switch and provides the customer’s network access to the Frame Relay network.

data warehouse
Large databases used to store large amounts of information from a variety of databases for use in specialized analysis techniques.

database
An electronic filing system for organizing collections of information. Most databases are organized by files, records, and fields.

database contamination
What happens when data or records of different values, classifications, security domains, and the like are commingled or mixed together. It can be a form of integrity and confidentiality violation.

database management system (DBMS)
An application that enables the storage, modification, and extraction of information from a database.

database partitioning
The act of dividing a database into smaller sections or individual databases; often employed to segregate content with varying sensitivity labels.

database vulnerability scanner
Database vulnerability scanners are tools that allow security professionals to scan both databases and web applications for vulnerabilities that may affect database security.

decentralized access control
System of access control in which authorization verification is performed by various entities located throughout a system.

decision support system (DSS)
An application that analyzes business data and presents it so as to make business decisions easier for users. DSS is considered an informational application more so than an operational application. Often a DSS is employed by knowledge workers (such as help desk or customer support) and by sales services (such as phone operators).

declassification
The process of moving a resource into a lower classification level once its value no longer justifies the security protections provided by a higher level of classification.

decrypting
The process of reversing a cryptographic algorithm that was used to encrypt a message.

dedicated mode
See dedicated security mode.

dedicated security mode
Mode in which the system is authorized to process only a specific classification level at a time. All system users must have clearance and a need to know that information.

deencapsulation
The process of stripping a layer’s header and footer from a PDU as it travels up the OSI model layers.

defense in depth
A layered approach to security. Multiple layers of security are implemented, requiring attackers to circumvent several security controls to be successful.

degaussing
The act of using a magnet to destroy data stored on magnetic media to prevent data leakage attacks or events. For modern large capacity drives, the strength of the magnetic field needed to sanitize the data is often sufficient to damage the drive itself.

degree
The number of columns in a relational database.

delegation
In the context of object-oriented programming, the forwarding of a request by an object to another object or delegate. An object delegates if it does not have a method to handle the message.

Delphi technique
An anonymous feedback and response process used to arrive at a group consensus.

delta rule
Also known as the learning rule. It is the feature of expert systems that allows them to learn from experience.

deluge system
Another form of dry pipe (fire suppression) system that uses larger pipes and therefore a significantly larger volume of water. Deluge systems are inappropriate for environments that contain electronics and computers.

denial of service (DoS)
A type of attack that prevents a system from processing or responding to legitimate traffic or requests for resources and objects.

deny risk
See reject risk.

detective access control
An access control deployed to discover unwanted or unauthorized activity. Examples of detective access controls include security guards, supervision of users, incident investigations, and intrusion detection systems (IDSs).

detective control
See detective access control.

deterrent access control
An access control that discourages violations of a security policy.

DevOps
The DevOps approach seeks to resolve issues of software development, quality assurance, and technology operations by bringing the three functions together in a single operational model. The word DevOps is a combination of Development and Operations, symbolizing that these functions must merge and cooperate to meet business requirements.

dictionary attack
An attack against a system designed to discover the password to a known identity (in other words, a username). In a dictionary attack, a script of common passwords and dictionary words is used to attempt to discover an account’s password.

differential backup
A type of backup that stores all files that have been modified since the time of the most recent full backup.

Diffie–Hellman algorithm
A key exchange algorithm useful in situations in which two parties might need to communicate with each other but they have no physical means to exchange key material and there is no public key infrastructure in place to facilitate the exchange of secret keys.

diffusion
Occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.

Digital Millennium Copyright Act
A law that establishes the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder and limits the liability of Internet service providers when their circuits are used by criminals violating the copyright law.

digital rights management
A type of protection software that uses encryption to enforce copyright restrictions on digital media. Over the past decade, publishers attempted to deploy DRM schemes across a variety of media types including music, movies, and books.

digital signature
A method for assuring a recipient that a message truly came from the claimed sender and that the message was not altered while in transit between the sender and recipient.

Digital Signature Standard (DSS)
A standard that specifies that all federally approved digital signature algorithms must use a secure hashing function.

direct addressing
A process by which the CPU is provided with the actual address of the memory location to be accessed.

direct evidence
Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses.

direct memory access (DMA)
A mechanism that allows devices to exchange data directly with real memory (RAM) without requiring assistance from the CPU.

Direct Sequence Spread Spectrum (DSSS)
A wireless technology that employs all of the available frequencies simultaneously in parallel.

directive access control
An access control that directs, confines, or controls the actions of subjects to force or encourage compliance with security policy.

directory service
A centralized database of resources available to the network, much like a telephone directory for network services and assets. Users, clients, and processes consult the directory service to learn where a desired system or resource resides.

disaster
An event that brings great damage, loss, or destruction to a system or environment.

disaster recovery plan
A document that guides the recovery efforts necessary to restore your business to normal operations as quickly as possible.

disaster recovery planning (DRP)
Term that describes the actions an organization takes to resume normal operations after a disaster interrupts normal activity.

discretion
In regard to confidentiality, an act of decision where an operator can influence or control disclosure to minimize harm or damage.

Discretionary Access Control
A mechanism used to control access to objects. The owner or creator of an object controls and defines the access other subjects have to it.

discretionary security property
Property that states that the system uses an access control matrix to enforce discretionary access control.

distance vector routing protocol
A routing protocol that maintains a list of destination networks along with metrics of direction and distance as measured in hops (in other words, the number of routers to cross to reach the destination).

distributed access control
A form of access control in which authorization verification is performed by various entities located throughout a system.

distributed architecture
A client/server model of networking where clients may be local or connected over WAN links, including VPNs and the internet.

Distributed Component Object Model (DCOM)
An extension of COM to support distributed computing. This is Microsoft’s answer to CORBA.

distributed control systems (DCS)
Industrial control system (ICS) units typically found in industrial process plants where data must be gathered and control exercised over a large-scale environment from a single location. An important aspect of DCS is that the controlling elements are distributed across the monitored environment, such as a manufacturing floor or a production line, while the centralized monitoring location sends commands out to those localized controllers and gathers status and performance data from them.

distributed data model
In a distributed data model, data is stored in more than one database but remains logically connected. The user perceives the database as a single entity, even though it consists of numerous parts interconnected over a network. Each field may have numerous children as well as numerous parents. Thus, the data mapping relationship is many-to-many.

distributed denial of service (DDoS)
A distributed denial of service occurs when the attacker compromises several systems to be used as launching platforms against one or more victims. The compromised systems used in the attack are often called bots or zombies (historically, slaves), and collectively a botnet. A DDoS attack results in the victims being flooded with data from numerous sources.

distributed reflective denial of service (DRDoS)
DRDoS attacks take advantage of the normal operation mechanisms of key internet services, such as DNS and router update protocols. DRDoS attacks function by sending numerous update, session, or control packets to various Internet service servers or routers with a spoofed source address of the intended victim. A DRDoS attack can result in so much traffic that upstream systems are adversely affected by the sheer volume of data focused on the victim.

diversity of defense
See defense in depth.

DNS poisoning
The act of falsifying the DNS information used by a client to reach a desired system. Usually employed by planting false information into a zone file, caching DNS system, or a HOSTS file.

DNS spoofing
The act of altering or falsifying DNS information using a rogue DNS server to send false DNS replies in order to route or misdirect legitimate traffic.

DNSSEC (DNS Security)
A set of security extensions to the existing domain name system (DNS) infrastructure. DNSSEC provides origin authentication and integrity protection for DNS data: a zone owner signs its resource records with a private key, publishes the matching public key in DNSKEY records, and a chain of trust is built from the root zone downward through DS records held in each parent zone. A validating resolver can therefore detect forged or altered answers (see DNS poisoning and DNS spoofing). DNSSEC does not encrypt DNS traffic and does not authenticate servers to one another; it relies on signed records and the chain of trust, not on digital certificates.

documentary evidence
Any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated.

documentation review
The process of reading the exchanged materials and verifying them against standards and expectations.

domain
1) A realm of trust or a collection of subjects and objects that share a common security policy. Each domain’s access control is maintained independently of other domains’ access control. This results in decentralized access control when multiple domains are involved. 2) An area of study for the CISSP exam.

domain hijacking or domain theft
The malicious action of changing the registration of a domain name without the authorization of the valid owner. This may be accomplished by stealing the owner’s logon credentials; using XSRF, session hijacking, or MitM; or exploiting a flaw in the domain registrar’s systems.

DREAD
A risk rating system designed to provide a flexible rating solution based on asking five main questions of each threat: damage potential, reproducibility, exploitability, affected users, and discoverability.

drive-by download
Code downloaded and installed on a user’s system without the user’s knowledge. Attackers sometimes modify code on legitimate websites to include drive-by downloads. They also host their own malicious websites and use phishing or redirection methods to get users to the malicious website.

dry pipe system
A fire suppression system that contains compressed air. Once suppression is triggered, the air escapes, which opens a water valve that in turn causes the pipes to fill and discharge water into the environment.

due care
The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.

due diligence
The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property.

dumb cards
Human-readable-only card IDs that usually have a photo and written information about the authorized bearer. Dumb cards are for use in environments where automated controls are infeasible or unavailable but security guards are practical.

dumpster diving
The act of digging through the refuse, remains, or leftovers from an organization or operation in order to discover or infer information about the organization.

durability
One of the four required characteristics of all database transactions (the other three are atomicity, consistency, and isolation). The concept that database transactions must be resilient. Once a transaction is committed to the database, it must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs.

dwell time
The length of time a key on the keyboard is pressed. This is an element of the keystroke dynamics biometric factor.

Dynamic Host Configuration Protocol (DHCP)
A protocol used to assign TCP/IP configuration settings to systems upon bootup. DHCP servers listen on UDP port 67 and clients listen on UDP port 68; a client broadcasts its request because it has no address to send from yet, and the server answers to the client’s port 68. DHCP supports centralized control and management of network addressing.

dynamic packet-filtering firewalls
A firewall that enables real-time modification of the filtering rules based on traffic content. Dynamic packet-filtering firewalls are known as fourth-generation firewalls.

dynamic passwords
Passwords that do not remain static for an extended period of time. Dynamic passwords can change on each use or at a regular interval, such as every 30 days.

dynamic testing
Evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.

== E ==

eavesdropping
Another term for sniffing. However, eavesdropping can include more than just capturing and recording network traffic. Eavesdropping also includes recording or listening to audio communications, faxes, radio signals, and so on.

Economic Espionage Act of 1996
A law that states that anyone found guilty of stealing trade secrets from a US corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years and that anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.

education
A detailed endeavor where students and users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.

egress monitoring
The process of monitoring outgoing traffic to detect and prevent data exfiltration, which is the unauthorized transfer of data outside the organization.

El Gamal
A public key cryptosystem (usually written ElGamal) that extends the mathematical principles behind the Diffie–Hellman key exchange algorithm to support the encryption and decryption of messages and, in a related form, digital signatures.

elasticity
Refers to the flexibility of virtualization and cloud solutions to expand or contract based on need.

electromagnetic interference (EMI)
A type of electrical noise that can do more than just cause problems with how equipment functions; it can also interfere with the quality of communications, transmissions, and playback.

electronic access control (EAC)
A type of smart lock that uses a credential reader, an electromagnet, and a door closed sensor.

Electronic Code Book (ECB)
The simplest encryption mode to understand and the least secure. Each time the algorithm processes a block (64 bits for DES, 128 bits for AES), it simply encrypts the block using the chosen secret key. This means that if the algorithm encounters the same plaintext block multiple times, it produces the same ciphertext block, so patterns in the plaintext show through in the ciphertext.
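
The structural leak described above, shown in code. This is an added example and not part of the glossary: it uses a toy 128-bit Feistel block cipher built from HMAC-SHA256 as a stand-in for AES (an assumption made so the example runs with the standard library alone; the toy cipher is not for real use), encrypts a message made of repeated blocks in ECB and in CBC mode, and checks whether ciphertext blocks repeat.

```python
"""ECB versus CBC on repeated plaintext blocks, using a toy 128-bit Feistel block cipher."""
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, the AES block size (DES uses 64-bit blocks)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key, block):
    """4-round Feistel network with an HMAC-SHA256 round function (Luby-Rackoff).
    A stand-in for AES so the example needs no third-party package; NOT for real use."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key, plaintext, iv=None):
    """Each block is XORed with the previous ciphertext block (or a random IV) before encryption."""
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, []
    for b in blocks(pkcs7_pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, ciphertext):
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for c in blocks(body):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def ecb_leaks_structure(key, plaintext):
    """True if any two ciphertext blocks repeat, i.e. the mode leaked plaintext structure."""
    cs = blocks(ecb_encrypt(key, plaintext))
    return len(set(cs)) < len(cs)


def cbc_leaks_structure(key, plaintext):
    cs = blocks(cbc_encrypt(key, plaintext)[BLOCK:])
    return len(set(cs)) < len(cs)


if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"ATTACK AT DAWN!!" * 4   # constructed: four identical 16-byte blocks
    print("ECB repeats blocks:", ecb_leaks_structure(key, msg))   # True
    print("CBC repeats blocks:", cbc_leaks_structure(key, msg))   # False
```

The same check applies unchanged to a real cipher: swap the toy block functions for AES and the repeated-block test still returns True under ECB, which is why ECB should only ever be used to encrypt a single block (for example, a key).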

Electronic Communications Privacy Act (ECPA)
The law that makes it a crime to invade an individual’s electronic privacy. It protects against the monitoring of email and voicemail communications and prevents providers of those services from making unauthorized disclosures of their content.

electronic discovery (e-discovery)
In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings. This discovery process applies to both paper records and electronic records, and the electronic discovery (or e-discovery) process facilitates the processing of electronic information for disclosure.

electronic vaulting
A storage scenario in which database backups are transferred to a remote site in a bulk transfer fashion. The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data.

electronically erasable PROM (EEPROM)
A storage system that uses electric voltages delivered to the pins of the chip to force erasure. EEPROMs can be erased without removal from the computer, giving them much greater flexibility than standard PROM and EPROM chips.

elliptic curve cryptography
A branch of public key cryptography based on the algebraic structure of elliptic curves over finite fields. It offers security comparable to established public key cryptosystems at much smaller key sizes; for example, a 256-bit elliptic curve key provides roughly the same strength as a 3072-bit RSA key.

elliptic curve group
Each elliptic curve has a corresponding elliptic curve group made up of the points on the elliptic curve along with the point O, located at infinity. Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve addition algorithm.

emanations
Electromagnetic or radio frequency signals that may contain data that can be intercepted through eavesdropping on those signals.

embedded system
A computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller (an integrated chip with on-board memory and peripheral ports).

employee
Often referred to as the user when discussing IT issues. See also user.

employment agreement
A document that outlines an organization’s rules and restrictions, security policy, and acceptable use and activities policies; details the job description; outlines violations and consequences; and defines the length of time the position is to be filled by the employee.

Encapsulating Security Payload (ESP)
An element of IPsec that encrypts the payload to protect the confidentiality of transmitted data and can optionally provide integrity and origin authentication of that payload (but, unlike AH, not of the outer IP header). ESP can also run in an authentication-only mode with null encryption.

encapsulation
The process of adding a header and footer to a PDU as it travels down the OSI model layers.

encrypt
The process used to convert a message into ciphertext.

encrypted virus
A virus that uses cryptographic techniques to avoid detection. In their outward appearance, they are quite similar to polymorphic viruses—each infected system has a virus with a different signature. However, they do not generate these modified signatures by changing their code; instead, they alter the way they are stored on the disk.

encryption
The art and science of hiding the meaning or intent of a communication from recipients not meant to receive it.

end user
See user.

endpoint security
The concept that each individual device must maintain local security whether or not its network or telecommunications channels provide or offer security. Sometimes this concept is expressed as “The end device is responsible for its own security.”

end-to-end encryption
An approach to encryption that protects communications between two endpoints (in other words, a client and a server) independently of any link encryption applied along the path. An example of this would be the use of Privacy Enhanced Mail (PEM) to pass a message between a sender and a receiver. This protects against an intruder who might be monitoring traffic on the secure side of an encrypted link or traffic sent over an unencrypted link.

enrollment
The process of establishing a new user identity or authentication factor on a system. Secure enrollment requires physical proof of a person’s identity or authentication factor.

enterprise extended mode
The use of multiple wireless access points to support a single wireless network over a larger geographic area than could be supported by a single wireless access point.

entity
A subject or an object.

entrance facility
The entrance point to the building where the cable from the provider connects the internal cable plant, also known as the demarcation point.

equipment room
The main wiring closet for the building, often connected to or adjacent to the entrance facility.

erasable PROM (EPROM)
A PROM chip that has a small window through which the illumination of a special ultraviolet light causes the contents of the chip to be erased. After this process is complete, the end user can burn new information into the EPROM.

erasing
A delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or erasure process removes only the directory or catalog link to the data. The actual data remains on the drive.

escalation of privilege
Any attack or exploit that increases the access of an account beyond what was granted to it, most commonly from a standard user to administrative (root or SYSTEM) privileges; this is vertical escalation. Obtaining the access of a different account at the same privilege level is horizontal escalation.

Escrowed Encryption Standard
A failed US government attempt to impose key escrow on encryption solutions so that law enforcement could decrypt communications. The solution employed the Clipper chip, which used the Skipjack algorithm with a chip-unique key held in escrow by government agencies.

espionage
The malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization for the express purpose of disclosing and often selling that data to a competitor or other interested organization (such as a foreign government).

Ethernet
A common shared media LAN technology.

ethical hackers
Those trained in responsible network security methodology, with a philosophy toward nondestructive and nonintrusive testing; ethical hackers attack security systems on behalf of their owners seeking to identify and document vulnerabilities so that they may be remediated before malicious hackers can exploit them. Ethical hackers use the same methods to test security that unethical ones do but report what they find rather than seek to turn them to their advantage.

ethical hacking
See penetration testing.

ethics
The rules that govern personal conduct. Several organizations have recognized the need for standard ethics rules, or codes, and have devised guidelines for ethical behavior. These rules are not laws but are minimum standards for professional behavior. They should provide you with a basis for sound, professional, ethical judgment.

evidence
In the context of computer crime, any hardware, software, or data that you can use to prove the identity and actions of an attacker in a court of law.

evil twin
An attack in which a hacker operates a false access point that will automatically clone, or twin, the identity of another access point based on a client device’s automatic request to reconnect to a known wireless network from its connection history.

excessive privilege(s)
More access, privilege, or permission than a user’s assigned work tasks dictate. If a user account is discovered to have excessive privilege, the additional and unnecessary benefits should be immediately curtailed.

exit interview
An aspect of a termination policy. The terminated employee is reminded of their legal responsibilities to prevent the disclosure of confidential and sensitive information.

expectation maximization (EM)
A data mining technique that develops models of normal user behavior based on a user’s affiliation with the organization, the distance between the data center and the user’s physical location, the day of the week, the hour of the day, and other attributes.

expert opinion
A type of evidence consisting of the opinions and facts offered by an expert. An expert is someone educated in a field and who currently works in that field.

expert system
A system that seeks to embody the accumulated knowledge of humankind on a particular subject and apply it in a consistent fashion to future decisions.

exposure
The condition of being exposed to asset loss because of a threat. Exposure involves being susceptible to the exploitation of a vulnerability by a threat agent or event.

exposure factor (EF)
The percentage of loss that an organization would experience if a specific asset were violated by a realized risk. Also known as loss potential.

Extensible Access Control Markup Language (XACML)
A markup language used to define access control policies in an XML format. XACML expresses policies as rules over attributes of the subject, resource, action, and environment, so it is primarily used to implement attribute-based access control (ABAC); role-based policies are expressed by treating the role as one such attribute. It helps provide assurances to all members in a federation that they are granting the same level of access to the same roles or attributes.

Extensible Configuration Checklist Description Format (XCCDF)
Security Content Automation Protocol (SCAP) component that provides a language for specifying security checklists.

Extensible Markup Language (XML)
A markup language that defines rules of document formatting and encoding that is both human and machine readable.

extranet
A cross between the internet and an intranet. An extranet is a section of an organization’s network that has been sectioned off so that it acts as an intranet for the private network but also serves information to a limited number of specific outsiders. Often access into an extranet from the internet requires a VPN connection. Extranets are often used in B2B applications, between customers and suppliers.

== F ==

face scan
An example of a biometric factor, which is a behavioral or physiological characteristic unique to a subject. A face scan is a process by which the shape and feature layout of a person’s face is used to establish identity or provide authentication.

fail-open
The response of a system to a failure so that it defaults to an “allow” posture.

fail-safe
The response of a system to a failure so that it defaults to a “deny” posture. Note the opposite usage in physical access control: there a fail-safe lock releases on power loss so that people can exit (life safety first), whereas a fail-secure lock stays locked (asset protection first).

fail-secure
See fail-safe.

failover
Redirecting workload or traffic to a backup system when the primary system fails.

Fair Cryptosystems
A failed government attempt to create a backdoor to all encryption solutions. This technology used a segmented key that was divided among several trustees.

false acceptance rate (FAR)
Error that occurs when a biometric device is not sensitive enough and an invalid subject is authenticated. False acceptance is sometimes referred to as a false negative authentication or a Type II error.

false negative
Error that occurs when a vulnerability scanner misses a vulnerability and fails to alert the administrator to the presence of a dangerous situation.

false positive
The event that might trigger an alarm when a security scanner may not have enough information to conclusively determine that a vulnerability exists but still reports a vulnerability when there really is no problem. Also known as mistaking a benign issue as a malicious event.

false rejection rate (FRR)
Error that occurs when a biometric device is too sensitive and a valid subject is not authenticated. False rejection is sometimes referred to as a false positive authentication or a Type I error.

Family Educational Rights and Privacy Act (FERPA)
A specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). It grants certain privacy rights to students 18 years of age or older and to the parents of minor students.

Faraday cage
An enclosure that absorbs or blocks EM signals from entering or leaving the contained space.

fault
1) A momentary loss of power. 2) A failure or problem within a system, device, or process.

fault tolerance
The ability of a system to suffer a fault but continue to operate. Fault tolerance is achieved by adding redundant components such as additional disks within a redundant array of independent disks (RAID) or additional servers within a failover clustered configuration.

Federal Information Processing Standard 140 (FIPS-140)
FIPS-140 defines the security requirements for cryptographic modules (hardware, software, and firmware) used by the US federal government. The current version is FIPS 140-3; modules are validated against it at security levels 1 through 4 under the Cryptographic Module Validation Program (CMVP).

Federal Information Security Management Act (FISMA)
A US law passed in 2002 that requires that federal agencies implement an information security program that covers the agency’s operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.

Federal Sentencing Guidelines
A 1991 law that provides punishment guidelines for breaking federal laws.

feedback loop characteristic
The ability in the modern waterfall model that allows development to return to the previous phase to correct defects discovered during the subsequent phase.

fence
A perimeter defining device. Fences are used to clearly differentiate between areas that are under a specific level of security protection and those that are not. Fencing can include a wide range of components, materials, and construction methods.

Fibre Channel over Ethernet (FCoE)
A converged protocol used to encapsulate Fibre Channel communications over Ethernet networks. It typically requires 10 Gbps Ethernet in order to support the Fibre Channel protocol.

Fiber Distributed Data Interface (FDDI)
A high-speed token-passing technology that employs two rings with traffic flowing in opposite directions. FDDI is a legacy infrastructure concept that is mostly replaced by SDH and SONET today.

fiber optic
A cabling form that transmits light instead of electrical signals. Fiber optic links can carry multiple terabits per second (Tbps) and span long distances: individual runs reach tens of kilometers without amplification, and with optical amplifiers or repeaters end-to-end routes exceed 10,000 kilometers.

field
In a database, a field is a column or attribute of a table.

file infector virus
Virus that infects different types of executable files and triggers when the operating system attempts to execute them. For Windows based systems, these filenames end with .exe and .com.

filter(s)
A set of rules or restrictions commonly found on security devices, such as firewalls and proxies. Also known as rules and ACLs.

financial attack
A crime that is carried out to unlawfully obtain money or services.

fingerprints
The patterns of ridges on the fingers of humans. Often used as a biometric authentication factor.

firewall
A network device used to filter traffic. A firewall is typically deployed between a private network and a link to the internet, but it can be deployed between departments within an organization. Firewalls filter traffic based on a defined set of rules.

firmware
Software that is stored in a ROM chip.

flash memory
A derivative concept from EEPROM. It is a nonvolatile form of storage media that can be electrically erased and rewritten. The primary difference is granularity: EEPROM can typically be erased and rewritten a byte or word at a time, whereas flash memory is erased only in large blocks and written in pages, which is what makes it cheaper and denser. The most common type of flash memory is NAND flash. It is widely used in memory cards, thumb drives, mobile devices, and solid-state drives (SSDs).

flight time
The length of time between key presses. This is an element of the keystroke dynamics form of biometrics.

flooding
An attack that involves sending enough traffic to a victim to cause a DoS. Also referred to as a stream attack.

footer
Information added by a protocol to the end of a payload received from a higher layer protocol.

foreign key
A column (or set of columns) in one table that holds primary key values of another table, used to cross-link or express relationships between the contents of the two tables. The database enforces referential integrity on it, rejecting values that do not exist in the referenced table.

Fourth Amendment
An amendment to the US Constitution that prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded their interpretation of the Fourth Amendment to include protections against wiretapping and other invasions of privacy.

fraggle
A form of denial-of-service attack similar to smurf, but it uses UDP packets instead of ICMP.

fragment
When a network receives a packet larger than its maximum allowable packet size, it breaks it up into two or more fragments. These fragments are each assigned a size (corresponding to the length of the fragment) and an offset (corresponding to the starting location of the fragment).

fragmentation attack
An attack that exploits vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack, for example overlapping fragments (the teardrop attack) that crash or confuse a host, or tiny fragments that split a TCP header across packets so that a filtering device cannot see the port numbers.
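
The fragment fields defined above and the reassembly weakness this entry describes, worked through in code. This is an added example and not part of the glossary: it builds raw IPv4 fragments with struct (checksum left at zero, since nothing is sent), parses the flags and 13-bit offset back out, and reassembles a datagram while refusing overlapping or gapped fragments instead of silently choosing first-wins or last-wins, which is the ambiguity fragmentation attacks rely on. The sample traffic and function names are constructed for this example.

```python
"""IPv4 fragment construction, parsing, and reassembly that refuses overlapping fragments."""
import struct

IPV4_HDR = ">BBHHHBBH4s4s"  # ver/IHL, TOS, total length, ID, flags+offset, TTL, proto, checksum, src, dst
FLAG_MF = 0x2000            # More Fragments bit
OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, in 8-byte units


def build_fragment(ident, offset_bytes, more, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """One IPv4 fragment (header + payload). Checksum left zero: a constructed sample, never sent on a wire."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (FLAG_MF if more else 0) | (offset_bytes // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, 17, 0, src, dst)
    return hdr + payload


def parse_fragment(pkt):
    """Return (ident, offset_bytes, more_fragments, payload) from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag, _, _, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return ident, (flags_frag & OFFSET_MASK) * 8, bool(flags_frag & FLAG_MF), pkt[ihl:total_len]


def reassemble(packets):
    """Rebuild one datagram from its fragments, supplied in any order.
    Overlaps, gaps and inconsistent MF flags are rejected rather than resolved by a
    first-wins or last-wins policy; that ambiguity is what fragmentation attacks exploit."""
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f[1])
    ident, expected, out = frags[0][0], 0, bytearray()
    for i, (fid, off, more, payload) in enumerate(frags):
        if fid != ident:
            raise ValueError("fragments belong to different datagrams")
        if off < expected:
            raise ValueError(f"overlapping fragment at offset {off}, expected {expected}")
        if off > expected:
            raise ValueError(f"gap before offset {off}: datagram incomplete")
        last = i == len(frags) - 1
        if more == last:  # MF set on the final piece, or clear on a middle piece
            raise ValueError("inconsistent More-Fragments flag")
        if more and len(payload) % 8:
            raise ValueError("non-final fragment payload is not a multiple of 8 bytes")
        out += payload
        expected = off + len(payload)
    return bytes(out)


def sample_traffic():
    """Constructed fragments: a clean 3-piece datagram and a teardrop-style overlapping pair."""
    msg = b"A" * 16 + b"B" * 16 + b"C" * 5
    clean = [build_fragment(7, 0, True, msg[:16]),
             build_fragment(7, 16, True, msg[16:32]),
             build_fragment(7, 32, False, msg[32:])]
    teardrop = [build_fragment(8, 0, True, b"X" * 24),
                build_fragment(8, 8, False, b"Y" * 8)]   # claims offset 8, inside the first piece
    return msg, clean, teardrop


if __name__ == "__main__":
    msg, clean, teardrop = sample_traffic()
    print("reassembled OK:", reassemble(reversed(clean)) == msg)
    try:
        reassemble(teardrop)
    except ValueError as e:
        print("rejected:", e)
```

A real stack must also bound how long incomplete datagrams are held and how much memory they may consume, since a flood of never-completed fragments is itself a denial-of-service vector.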

frame
The combination of Data Link layer header, payload, and footer.

Frame Relay
A shared connection medium that uses packet-switching technology to establish virtual circuits for customers.

frequency
A measurement of the number of wave oscillations within a specific time identified using the unit Hertz (Hz), or oscillations per second. Radio waves have a frequency between 3 Hz and 300 GHz.

frequency analysis
A cryptographic analysis or attack that looks for repetition of letters in an encrypted message and compares that with the statistics of letter usage for a specific language, such as the frequency of the letters E, T, A, O, N, R, I, S, and H in the English language.
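
The attack described above, carried out against a simple substitution (Caesar shift) cipher. This is an added example and not part of the glossary: it scores each of the 26 candidate shifts by the chi-squared distance between the candidate plaintext’s letter counts and the English frequencies listed, and returns the shift whose output looks most like English. The frequency table is approximate, and the sample plaintext is constructed for the example.

```python
"""Frequency analysis: recover a Caesar shift by matching letter statistics to English."""
from collections import Counter
import string

# Approximate relative frequency (%) of letters in English text.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3, "H": 6.1, "R": 6.0,
    "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4, "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0,
    "P": 1.9, "B": 1.5, "V": 1.0, "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}


def caesar_shift(text, k):
    """Shift every letter forward by k places; other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text):
    return Counter(ch for ch in text.upper() if ch in string.ascii_uppercase)


def chi_squared(text):
    """Distance between this text's letter distribution and English; lower is more English-like."""
    counts = letter_counts(text)
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    return sum((counts[l] - ENGLISH_FREQ[l] / 100 * total) ** 2 / (ENGLISH_FREQ[l] / 100 * total)
               for l in string.ascii_uppercase)


def crack_caesar(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) with the most English-like statistics."""
    scores = {k: chi_squared(caesar_shift(ciphertext, -k)) for k in range(26)}
    best = min(scores, key=scores.get)
    return best, caesar_shift(ciphertext, -best)


def top_letters(text, n=5):
    """Most frequent ciphertext letters: the raw material a manual analysis starts from."""
    return [l for l, _ in letter_counts(text).most_common(n)]


SAMPLE_PLAINTEXT = (  # constructed sample
    "The analysts reviewed every alert from the intrusion detection system, "
    "traced the suspicious connections back to a single compromised host, "
    "and documented each finding in the incident report for the morning briefing."
)

if __name__ == "__main__":
    ct = caesar_shift(SAMPLE_PLAINTEXT, 3)
    print("most common ciphertext letters:", top_letters(ct))
    shift, pt = crack_caesar(ct)
    print("recovered shift:", shift, "| plaintext recovered:", pt == SAMPLE_PLAINTEXT)
```

The same scoring function breaks a general monoalphabetic substitution once letters are mapped individually rather than by a single shift, and it is also the core of the step that splits a Vigenère ciphertext into its per-key-letter columns.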

Frequency Hopping Spread Spectrum (FHSS)
An early implementation of the spread spectrum concept. This wireless access technology transmits data in a series while constantly changing the frequency in use.

full backup
A complete copy of data contained on the protected device on the backup media. This also refers to the process of making a complete copy of data, as in “performing a full backup.”

full-interruption tests
A disaster recovery test that involves shutting down operations at the primary site and shifting them to the recovery site.

full-knowledge teams
These possess a full body of knowledge of the operation, configuration, and utilization of hardware and software inventory prior to a security assessment or penetration test.

fully qualified domain names (FQDNs)
The human-friendly name of a system or resource that is associated with an IP address. An FQDN is composed of a hostname, a registered domain name, and a top-level domain name (TLD).

fuzz testing
A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. The fuzz tester then monitors the performance of the application, watching for software crashes, buffer overflows, or other undesirable and/or unpredictable outcomes.

fuzzy logic
A computational technique designed to more closely approximate human thought patterns than the rigid mathematics of set theory or algebraic approaches that utilize “black-and-white” categorizations of data.

== G ==

Gantt chart
A type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.

gate
A controlled exit and entry point in a fence.

gateway
A networking device that connects networks that are using different network protocols.

GDPR
See General Data Protection Regulation (GDPR).

General Data Protection Regulation (GDPR)
European Union law that provides a single, harmonized law covering data security and privacy.

generational fuzzing
A form of fuzzing that develops inputs based on models of expected inputs to perform the same task. This is also sometimes called intelligent fuzzing.
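
Both fuzzing styles described in this glossary (dumb mutation of seed inputs under fuzz testing, and model-based generation here) run against one small target. This is an added example and not part of the glossary: the TLV decoder, its seed corpus and its two planted weaknesses are constructed for the example, the fuzzer alternates mutated seeds with generated inputs, and crashes are bucketed by exception type with the first reproducing input kept for each bucket.

```python
"""Mutation-based and generation-based fuzzing of a toy TLV decoder, with crash bucketing."""
import random
import struct


def parse_tlv(data):
    """Decoder under test (constructed). It has two classic weaknesses: it trusts the
    length byte, and it converts untrusted text to an int without validation."""
    out, i = {}, 0
    while i < len(data):
        kind, n = data[i], data[i + 1]          # IndexError on a dangling type byte
        value = data[i + 2:i + 2 + n]
        if kind == 1:
            out["counter"] = struct.unpack(">I", value)[0]   # struct.error unless n == 4
        elif kind == 2:
            out["port"] = int(value.decode("ascii"))          # ValueError on non-digits
        i += 2 + n
    return out


SEEDS = [  # constructed seed corpus: well-formed messages the target accepts
    bytes([1, 4]) + struct.pack(">I", 5) + bytes([2, 3]) + b"443",
    bytes([2, 2]) + b"22",
]

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def mutate(rng, data):
    """Dumb mutation: random bit flips, boundary bytes, insertions, deletions, truncation."""
    buf = bytearray(data)
    op = rng.choice(("flip", "set", "insert", "delete", "truncate"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "set" and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def generate(rng):
    """Generational ('intelligent') fuzzing: build inputs from a model of the TLV format,
    lying about the length field some of the time so the length-trust bug is reachable."""
    records = []
    for _ in range(rng.randrange(1, 4)):
        kind = rng.choice((1, 2, 3))
        value = struct.pack(">I", rng.randrange(2 ** 32)) if kind == 1 else str(rng.randrange(70000)).encode()
        n = len(value) if rng.random() < 0.7 else rng.randrange(256)
        records.append(bytes([kind, n]) + value)
    return b"".join(records)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Alternate mutated seeds with generated inputs; bucket crashes by exception type,
    keeping the first reproducing input for each bucket."""
    rng = random.Random(seed)   # fixed seed: a fuzzing run must be reproducible
    crashes = {}
    for i in range(iterations):
        data = generate(rng) if i % 2 else mutate(rng, rng.choice(seeds))
        try:
            target(data)
        except Exception as exc:   # a fuzzer wants every failure, so catch broadly
            bucket = f"{type(exc).__module__}.{type(exc).__name__}"
            crashes.setdefault(bucket, data)
    return crashes


if __name__ == "__main__":
    for bucket, sample in fuzz(parse_tlv, SEEDS).items():
        print(f"{bucket:<28} reproducer={sample!r}")
```

In a memory-unsafe target the same harness would watch for signals (SIGSEGV, SIGABRT) or sanitizer reports instead of Python exceptions, and bucketing would use the crashing stack trace rather than the exception type.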

geotagging
Mobile devices with GPS support enable the embedding of geographical location in the form of latitude and longitude as well as date/time information on photos taken with these devices.

GNU Privacy Guard (GnuPG)
A free and open-source implementation of the OpenPGP standard. It is a free/open variation of the now commercial PGP product.

Goguen–Meseguer model
An integrity model based on predetermining the set or domain of objects that a subject can access.

Government Information Security Reform Act of 2000
Act that amends the US Code to implement additional information security policies and procedures.

government/military classification
The security labels commonly employed on secure systems used by the military. Military security labels range from highest sensitivity to lowest: top secret, secret, confidential, and unclassified (top secret, secret, and confidential are collectively known as classified).

Graham–Denning model
A security model focused on the secure creation and deletion of both subjects and objects.

Gramm–Leach–Bliley Act (GLBA)
A law passed in 1999 that eased the strict governmental barriers between financial institutions. Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. GLBA somewhat relaxed the regulations concerning the services each organization could provide.

granular object control
A very specific and highly detailed level of control over the security settings of an object.

grid computing
A form of parallel distributed processing that loosely groups a significant number of processing nodes toward the completion of a specific processing goal.

ground
The wire in an electrical circuit that is grounded (that is, connected with the earth).

group
An access control management simplification mechanism similar to a role. Similar users are made members of a group. A group is assigned access to an object. Thus, all members of the group are granted the same access to an object. The use of groups greatly simplifies the administrative overhead of managing user access to objects.

grudge attack
Attack usually motivated by a feeling of resentment and carried out to damage an organization or a person. The damage could be in the loss of information or harm to the organization or a person’s reputation. Often the attacker is a current or former employee or someone who wishes ill will upon an organization.

guest OS
An OS operating in a virtual machine.

guideline
A document that offers recommendations on how standards and baselines are implemented. Guidelines outline methodologies, include suggested actions, and are not compulsory.

== H ==

hacker
Historically, a technology enthusiast who does not have malicious intent. Many authors and the media often use the term when they are actually discussing issues relating to crackers or criminal hackers.

halon
A fire-suppressant material that converts to toxic gases at 900 degrees Fahrenheit and depletes the ozone layer of the atmosphere; for these reasons it is usually replaced by an alternative material.

hand geometry
A type of biometric control that recognizes the physical dimensions of a hand, including the width and length of the palm and fingers. It can be implemented as a mechanical measurement or as an image-edge (in other words, visual silhouette) graphical solution.

handshake
A three-way process utilized by the TCP/IP protocol stack to set up connections between two hosts.

hardware
An actual physical device, such as a hard drive, LAN card, printer, and so on.

hardware security module (HSM)
A cryptoprocessor used to manage/store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication.

hardware segmentation
A technique that implements process isolation at the hardware level by enforcing memory access constraints.

hash
A number known as a message digest generated from a hash function. Also see hash function.

hash function
The process of taking a full message and generating a unique output value derived from the content of the message. This value is commonly referred to as the message digest.

hash total
A checksum used to verify the integrity of a transmission. See also cyclic redundancy check (CRC).

hash value
A number that is generated from a string of text and that is substantially smaller than the text itself. A formula creates a hash value in such a way that it is extremely unlikely any other text will produce the same hash value.

Hashed Message Authentication Code (HMAC)
An algorithm that implements a partial digital signature—it guarantees the integrity of a message during transmission, but it does not provide for nonrepudiation.

header
Information added by a protocol to the front of a payload received from a higher layer protocol.

Health Information Technology for Economic and Clinical Health Act (HITECH)
In 2009, Congress amended HIPAA by passing the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law updated many of HIPAA’s privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013. One of the changes mandated by the new regulations is a change in the way the law treats business associates (BAs), organizations that handle protected health information (PHI) on behalf of a HIPAA covered entity. HITECH also introduced new data breach notification requirements.

Health Insurance Portability and Accountability Act (HIPAA)
A law passed in 1996 that made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of HIPAA are privacy regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.

hearsay evidence
Evidence consisting of statements made to a witness by someone else outside of court. Computer log files that are not authenticated by a system administrator can also be considered hearsay evidence.

heartbeat sensor
A mechanism by which a communication pathway is either constantly or periodically checked with a test signal.

heart/pulse pattern
An example of a biometric factor, which is a behavioral or physiological characteristic that is unique to a subject. The heart/pulse pattern of a person is used to establish identity or provide authentication.

heuristics-based detection
See behavior-based detection.

hierarchical
A form of MAC environment. Hierarchical environments relate the various classification labels in an ordered structure from low security to medium security to high security. Each level or classification label in the structure is related. Clearance in a level grants the subject access to objects in that level as well as to all objects in all lower levels but prohibits access to all objects in higher levels.

hierarchical data model
A form of database that combines records and fields that are related in a logical tree structure. This is done so that each field can have one child or many or no children but each field can have only a single parent. Therefore, the data mapping relationship is one-to-many.

hierarchical MAC environment
A form of Mandatory Access Control (MAC) environment. Hierarchical environments relate various classification labels in an ordered structure from low security to medium security to high security. Each level or classification label in the structure is related. Clearance in a level grants the subject access to objects in that level as well as to all objects in all lower levels but prohibits access to all objects in higher levels. Compare with compartmentalized MAC environment and hybrid MAC environment.

High-Level Data Link Control (HDLC)
A layer 2 protocol used to transmit data over synchronous communication lines. HDLC is an ISO standard based on IBM’s SDLC. HDLC supports full-duplex communications, supports both point-to-point and multipoint connections, offers flow control, and includes error detection and correction.

high-level languages
Programming languages that are not machine languages or assembly languages. These languages are not hardware dependent and are more understandable by humans. Such languages must be converted to machine language before or during execution.

High-Speed Serial Interface (HSSI)
A layer 1 protocol used to connect routers and multiplexers to ATM or Frame Relay connection devices.

hijack attack
An attack in which a malicious user is positioned between a client and server and then interrupts the session and takes it over. Often, the malicious user impersonates the client so they can extract data from the server. The server is unaware that any change in the communication partner has occurred.

hoax (aka virus hoax)
A form of social engineering attack that uses the specter of malicious code to trick users into damaging their own system.

honeynet/honeypot
A honeypot is an individual computer created to serve as a snare for intruders. An entire network created for this purpose is known as a honeynet. The honeynet/honeypot looks and acts like a legitimate system, but it is 100 percent fake. Honeynets/honeypots tempt intruders with unpatched and unprotected security vulnerabilities as well as hosting attractive, tantalizing, but faux data. Honeynets/honeypots are designed to grab an intruder’s attention and direct them into the restricted playground while keeping them away from the legitimate network and confidential resources.

horizontal distribution system
Provides the connections between the telecommunication room and work areas; often includes cabling, cross-connection blocks, patch panels, and supporting hardware infrastructure (such as cable trays, cable hangers, and conduits).

host-based IDS (HIDS)
An intrusion detection system (IDS) that is installed on a single computer and can monitor the activities on that computer. A host-based IDS is able to pinpoint the files and processes compromised or employed by a malicious user to perform unauthorized activity.

hosted solution
The deployment concept in which the organization licenses software and then operates and maintains that software itself.

hostile applet
Any piece of mobile code that attempts to perform unwanted or malicious activities.

HOSTS file
A static local file with DNS entries that are preloaded into a DNS cache when a system boots. HOSTS files predate query-based DNS.

hot site
A configuration in which a backup facility is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities.

hub
A network device used to connect multiple systems together in a star topology. Hubs repeat inbound traffic over all outbound ports. Hubs are a legacy networking device that you are unlikely to find in standard networks today.

hybrid attack
A form of password attack in which a dictionary attack is first attempted and then a type of brute-force attack is performed. The follow-up brute-force attack is used to add prefix or suffix characters to passwords from the dictionary in order to discover one-upped constructed passwords, two-upped constructed passwords, and so on.

hybrid cloud
A cloud model that includes a combination of two or more clouds. The clouds can be public, private, and/or community clouds.

hybrid MAC environment
A type of Mandatory Access Control (MAC) environment. A hybrid environment combines the hierarchical and compartmentalized concepts so that each hierarchical level can contain numerous subcompartments that are isolated from the rest of the security domain. A subject must have not only the correct clearance but also the need to know for the specific compartment to have access to the compartmentalized object. Compare with compartmentalized MAC environment and hierarchical MAC environment.

hyperlink spoofing
An attack used to redirect traffic to a rogue or imposter system or to simply divert traffic away from its intended destination, often through the malicious alteration of the hyperlink URLs in the HTML code of documents sent to clients.

Hypertext Transfer Protocol
The protocol used to transmit web page elements from a web server to web browsers (over the well-known service TCP/UDP port address 80).

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
A standard that uses port 443 to negotiate encrypted communications sessions between web servers and browser clients.

hypervisor
The component of virtualization that creates, manages, and operates the virtual machines. Also known as a virtual machine monitor (VMM).

== I ==

identification
The process by which a subject professes an identity and accountability is initiated. The identification process can consist of a user providing a username, a logon ID, a PIN, or a smartcard or a process providing a process ID number.

identification card
A form of physical identification; generally contains a picture of the subject and/or a magnetic strip with additional information about a subject.

identity and access provisioning lifecycle
The creation, management, and deletion of accounts. Provisioning refers to granting accounts with appropriate privileges when they are created and during the lifetime of the account.

identity as a service or identity and access as a service (IDaaS)
A third-party service that provides identity and access management. IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based software as a service (SaaS) applications.

Identity Theft and Assumption Deterrence Act
An act that makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating it.

ignore risk
Denying that a risk exists and hoping that by ignoring a risk it will never be realized.

immediate addressing
A way of referring to data that is supplied to the CPU as part of an instruction.

impersonation
The assumption of someone’s identity or online account, usually through the mechanisms of spoofing and session replay. An impersonation attack is considered a more active attack than masquerading.

implementation attack
This type of attack exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but also the methodology employed to program the encryption system.

implicit deny
A basic principle of access control. It ensures that access to an object is denied unless access has been explicitly granted to a subject.

inappropriate activities
Actions that may take place on a computer or over the IT infrastructure and that may not be actual crimes but are often grounds for internal punishments or termination. Some types of inappropriate activities include viewing inappropriate content, sexual and racial harassment, waste, and abuse.

incident
Any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets.

incremental backup
A backup that stores only those files that have been modified since the time of the most recent full or incremental backup. This is also used to mean the process of creating such a backup.

indirect addressing
An addressing mode in which the memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, that memory address contains another memory address (perhaps located on a different page). The CPU then retrieves the actual operand from that second address.

industrial control system (ICS)
A form of computer management device that controls industrial processes and machines. ICSs are used across a wide range of industries, including manufacturing, fabrication, electricity generation and distribution, water distribution, sewage processing, and oil refining. There are several forms of ICS, including distributed control systems (DCS), programmable logic controllers (PLC), and supervisory control and data acquisition (SCADA).

industrial espionage
The act of someone using illegal means to acquire competitive information.

inference
An attack that involves using a combination of several pieces of nonsensitive information to gain access to information that should be classified at a higher level.

inference engine
The second major component of an expert system that analyzes information in the knowledge base to arrive at the appropriate decision.

information flow model
A model that focuses on the flow of information to ensure that security is maintained and enforced no matter how information flows. Information flow models are based on a state machine model.

information hiding
Placing data and a subject at different security domains for the purpose of hiding the data from that subject.

information security officer (ISO)
Another potential term for the CISO, but this also can be used as a subposition under the CISO. A leading or managing position on the InfoSec team. See also chief security officer (CSO) and chief information security officer (CISO).

information security (InfoSec) team
The team or department responsible for security within an organization.

informative policy
A policy that is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. An informative policy is not enforceable.

infrastructure as a service (IaaS)
A cloud computing concept that can provide not just on-demand operating solutions but complete outsourcing of IT infrastructure.

infrastructure mode
The wireless network configuration that uses a wireless base station to connect all wireless devices to the network and potentially to each other.

inherit (or inheritance)
In object-oriented programming, inheritance refers to a class that has one or more of the same methods as another class. So when a class has one or more of the same methods as another class, it is said to have inherited them.

initialization vector (IV)
A nonce used by numerous cryptography solutions to increase the strength of encrypted data by increasing the randomness of the input.

input validation
Checking, scanning, filtering, or sanitizing input received from users (especially over the internet) before processing the received input.

inrush
An initial surge of power usually associated with connecting to a power source, whether primary or alternate/secondary.

instance
In object-oriented programming, an instance can be an object, example, or representation of a class.

instant messaging (IM)
Any mechanism that allows for real-time text-based chat between two users located anywhere on the internet. Most IM utilities allow for file transfer, multimedia, voice and videoconferencing, and more. The term IM has fallen out of favor in the last decade in deference to newer terms such as “online chat” or “real-time texting.”

Integrated Services Digital Network (ISDN)
A digital end-to-end communications mechanism. ISDN was developed by telephone companies to support digital communications over the same equipment and infrastructure that is used to carry voice communications. New installations of ISDN are unlikely as DSL, cable, and wireless-based broadband solutions are faster and less expensive.

integrity
A state characterized by the assurance that modifications are not made by unauthorized users and authorized users do not make unauthorized modifications.

intellectual property
Intangible assets, such as secret recipes or production techniques.

interface testing
Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.

intermediate distribution facilities
See wiring closet.

International Data Encryption Algorithm (IDEA)
A block cipher that was developed in response to complaints about the insufficient key length of the DES algorithm. IDEA operates on 64-bit blocks of plain/ciphertext, but it begins its operation with a 128-bit key.

International Organization for Standardization (ISO)
An independent oversight organization that defines and maintains computer, networking, and technology standards, along with more than 13,000 other international standards for business, government, and society.

Internet Key Exchange (IKE)
A protocol that provides for the secure exchange of cryptographic keys between IPsec participants.

Internet Message Access Protocol (IMAP)
A protocol used to transfer email messages from an email server to an email client.

Internet of Things (IoT)
The collection of devices that can communicate over the internet with each other or with a control console in order to affect and monitor the real world.

Internet Security Association and Key Management Protocol (ISAKMP)
A protocol that provides background security support services for IPsec.

Internet Small Computer System Interface (iSCSI)
A networking storage standard based on IP. This technology can be used to enable location independent file storage, transmission, and retrieval over LAN, WAN, or public internet connections. iSCSI is often viewed as a low-cost alternative to Fibre Channel.

Internetwork Packet Exchange (IPX)
IPX is the Network layer protocol of IPX/SPX. The IPX/SPX protocol suite was commonly used (although not strictly required to be used) on Novell NetWare networks in the 1990s.

interpreted languages
Programming languages that are converted to machine language one command at a time at the time of execution.

interrogation
Questioning a person suspected of crime. See also interview.

interrupt (IRQ)
A mechanism used by devices and components in a computer to get the attention of the CPU.

interview
Questioning a person to gather information to assist with a criminal investigation. In an interview, the person being questioned is not suspected of committing the crime. See also interrogation.

intranet
A private network that is designed to host the same information services found on the internet.

intrusion
The condition in which a threat agent has gained access to an organization’s infrastructure through the circumvention of security controls and is able to directly imperil assets. Also referred to as penetration.

intrusion detection
A specific form of monitoring both recorded information and real-time events to detect unwanted system access.

intrusion detection system (IDS)
A product that automates the inspection of audit logs and real-time system events. IDSs are generally used to detect intrusion attempts, but they can also be employed to detect system failures or rate overall performance.

IP header protocol field value
An element in an IP packet header that identifies the protocol carried in the IP packet payload (usually 6 for TCP, 17 for UDP, or 1 for ICMP, although any of a number of other valid protocol numbers may appear).

IP Payload Compression (IPComp) protocol
A protocol that allows IPsec users to achieve enhanced performance by compressing packets prior to the encryption operation.

IP probes
An attack technique that uses automated tools to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.

IP Security (IPsec)
A standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.

IP spoofing
The process by which a malicious individual reconfigures their system so that it has the IP address of a trusted system and then attempts to gain access to other external resources.

iris scans
An example of a biometric factor, which is a behavioral or physiological characteristic that is unique to a subject. The colored portion of the eye that surrounds the pupil is used to establish identity or provide authentication.

ISO
See information security officer (ISO).

isolation
A concept that ensures that any behavior will affect only the memory and resources associated with the process. Also the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information.

issue-specific security policy
A security policy that focuses on a specific network service, department, function, or other aspect that is distinct from the organization as a whole.

== J ==

jailbreak
Jailbreaking removes restrictions on iOS devices and permits root-level access to the underlying operating system. It is similar to rooting a device running the Android operating system.

Java
A platform-independent programming language developed by Sun Microsystems.

job description
A detailed document outlining a specific position needed by an organization. A job description includes information about security classification, work tasks, and so on.

job responsibilities
The specific work tasks an employee is required to perform on a regular basis.

job rotation
A means by which an organization improves its overall security by rotating employees among numerous job positions. Job rotation serves two functions. First, it provides a type of knowledge redundancy. Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information.

== K ==

Keccak algorithm
In 2012, the federal government announced the selection of the Keccak algorithm as the SHA-3 standard.

Kerberos
A ticket-based authentication mechanism that employs a trusted third party to provide identification and authentication.

Kerckhoffs’s assumption/principle
The idea that all algorithms should be public but all keys should remain private. Kerckhoffs’s assumption or principle is held by a large number of cryptologists, but not all of them.

kernel
The part of an operating system that always remains resident in memory (so that it can run on demand at any time).

kernel proxy firewalls
A firewall that is integrated into an operating system’s core to provide multiple levels of session and packet evaluation. Kernel proxy firewalls are known as fifth-generation firewalls.

key
1) A secret value used to encrypt or decrypt messages. 2) A column, attribute, or field of a database.

key distribution center (KDC)
An element of the Kerberos authentication system. The KDC maintains all the secret keys of enrolled subjects and objects. A KDC is also a COMSEC facility that distributes symmetric crypto keys, especially for government entities.

key escrow system
A cryptographic recovery mechanism by which keys are stored in a database and can be recovered only by authorized key escrow agents in the event of key loss or damage.

keyspace or key space
The range of values that are valid for use as a key for a specific algorithm.

keystroke dynamics
A biometric factor that measures how a subject uses a keyboard by analyzing flight time and dwell time.

keystroke monitoring
The act of recording the keystrokes a user performs on a physical keyboard. The act of recording can be visual (such as with a video recorder) or logical/technical (such as with a capturing hardware device or a software program).

keystroke patterns
An example of a biometric factor, which is a behavioral or physiological characteristic that is unique to a subject. The pattern and speed of a person typing a passphrase is used to establish identity or provide authentication.

knowledge base
A component of an expert system, the knowledge base contains the rules known by an expert system and seeks to codify the knowledge of human experts in a series of “if/then” statements.

knowledge-based detection
An intrusion discovery mechanism used by IDS and based on a database of known attack signatures. The primary drawback to a knowledge-based IDS is that it is effective only against known attack methods.

known plaintext attack
An attack in which the attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy). This greatly assists the attacker in breaking weaker codes.

KryptoKnight
A ticket-based authentication mechanism similar to Kerberos but based on peer-to-peer authentication.

== L ==

LAN extender
A remote access, multilayer switch used to connect distant networks over WAN links. This is a strange beast of a device in that it creates WANs, but marketers of this device steer clear of the term WAN and use only the terms LAN and extended LAN. The idea behind this device was to make the terminology easier to understand and thus make the device easier to sell than a more conventional WAN device grounded in complex concepts and terms.

land attack
A type of DoS attack. A land attack occurs when the attacker sends numerous SYN packets to a victim and the SYN packets have been spoofed to use the same source and destination IP address and port number as the victim’s. This causes the victim to think it sent a TCP/IP session opening packet to itself, which causes a system failure, usually resulting in a freeze, crash, or reboot.

lattice-based access control
A variation of nondiscretionary access controls. Lattice-based access controls define upper and lower bounds of access for every relationship between a subject and an object. These boundaries can be arbitrary, but they usually follow the military or corporate security label levels.

layer 1
The Physical layer of the OSI model.

layer 2
The Data Link layer of the OSI model.

layer 3
The Network layer of the OSI model.

layer 4
The Transport layer of the OSI model.

layer 5
The Session layer of the OSI model.

layer 6
The Presentation layer of the OSI model.

layer 7
The Application layer of the OSI model.

Layer 2 Forwarding (L2F)
A protocol developed by Cisco as a mutual authentication tunneling mechanism. L2F does not offer encryption.

Layer 2 Tunneling Protocol (L2TP)
A point-to-point tunnel protocol developed by combining elements from PPTP and L2F. L2TP lacks a built-in encryption scheme but typically relies on IPsec as its security mechanism.

layering
The use of multiple security controls in series to provide for maximum effectiveness of security deployment.

learning rule
See delta rule.

licensing
A contract that states how a product is to be used.

lifecycle assurance
An assessment of the trust or reliability of a product based on its concepts of design, architecture, creation, testing, and distribution. Ultimately, a judgment as to whether a product was designed with security as a central feature.

lighting
One of the most commonly used forms of perimeter security control. The primary purpose of lighting is to discourage casual intruders, trespassers, prowlers, and would-be thieves who would rather perform their malicious activities in the dark.

link encryption
An encryption technique that protects entire communications circuits by creating a secure tunnel between two points. This is done by using either a hardware or software solution that encrypts all traffic entering one end of the tunnel and decrypts all traffic exiting the other end of the tunnel.

link state routing protocol
A routing protocol that maintains a topology map of all connected networks and uses this map to determine the shortest path to the destination.

local alarm systems
Alarm systems that broadcast an audible signal that can be easily heard up to 400 feet away. Additionally, local alarm systems must be protected from tampering and disablement, usually by security guards. In order for a local alarm system to be effective, there must be a security team or guards positioned nearby who can respond when the alarm is triggered.

local area network (LAN)
A network that is geographically limited, such as within a single office, building, or city block.

local cache
Anything that is temporarily stored on the client for future reuse. There are many local caches on a typical client, including ARP cache, DNS cache, and internet files cache.

log analysis
A detailed and systematic form of monitoring. The logged information is analyzed in detail to look for trends and patterns as well as abnormal, unauthorized, illegal, and policy-violating activities.

logging
The activity of recording information about events or occurrences to a log file or database.

logic bomb
A malicious code object that infects a system and lies dormant until it is triggered by the occurrence of one or more conditions.

logical access control
A hardware or software mechanism used to manage access to resources and systems and provide protection for them. They are the same as technical access controls. Examples of logical or technical access controls include encryption, smartcards, passwords, biometrics, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems, and clipping levels.

logical topology
The logical operation of a network. It defines the arrangement and organization of devices as well as the means used to communicate to and with each other. Also known as signal topology.

logon credentials
The identity and the authentication factors offered by a subject to establish access.

logon script
A script that runs at the moment of user logon. A logon script is often used to map local drive letters to network shares, to launch programs, or to open links to often-accessed systems.

loopback address
The IP address used to create a software interface that connects to itself via TCP/IP. The loopback address is handled by software alone. It permits testing of the TCP/IP protocol stack even if network interfaces or their device drivers are missing or damaged.

loss potential
See exposure factor (EF).

Low Water Mark Mandatory Access Control (LOMAC)
A loadable kernel module for Linux designed to protect the integrity of processes and data. It is an OS security architecture extension or enhancement that provides flexible support for security policies.

== M ==

M of N control
A protection measure that requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.

machine language
A programming language that can be directly executed by a computer.

macro viruses
A virus that utilizes crude technologies to infect documents created in the Microsoft Word environment.

mail-bombing
An attack in which sufficient numbers of messages are directed to a single user’s inbox or through a specific SMTP server to cause a denial of service.

maintenance
The variety of tasks that are necessary to ensure continued operation in the face of changing operational, data processing, storage, and environmental requirements.

maintenance hook
Entry point into a system that only the developer of the system knows; also called backdoor.

malicious code
Code objects that include a broad range of programmed computer security threats that exploit various network, operating system, software, and physical security vulnerabilities to spread malicious payloads to computer systems.

malware
Malicious software is any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.

Mandatory Access Control (MAC)
An access control mechanism that uses security labels to regulate subject access to objects. Implementations include using a hierarchical MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment.

mandatory vacations
A security policy that requires all employees to take vacations annually so their work tasks and privileges can be audited and verified. This often results in easy detection of abuse, fraud, or negligence.

man-in-the-middle attack
A type of attack that occurs when malicious users are able to position themselves between the two endpoints of a communication’s link. The client and server are unaware that there is a third party intercepting and facilitating their communication session.

man-made disasters
Disasters caused by humans, including explosions, electrical fires, terrorist acts, power outages, utility failures, hardware/software failures, labor difficulties, theft, and vandalism.

mantrap
A double set of doors that is often protected by a guard. The purpose of a mantrap is to contain a subject until their identity and authentication are verified.

masquerading
Using someone else’s security ID to gain entry into a facility or system.

massively parallel processing (MPP)
Technology used to create systems that house hundreds or even thousands of processors, each of which has its own operating system and memory/bus resources, which are linked together in order to work on a single primary task.

master boot record (MBR)
The portion of a hard drive or floppy disk that the computer uses to load the operating system during the boot process.

master boot record (MBR) virus
Virus that attacks the MBR. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in an alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus’s payload.

maximum tolerable downtime (MTD) (aka maximum tolerable outage (MTO))
The maximum length of time a business function can be inoperable without causing irreparable harm to the business.

MD2 (Message Digest 2)
A hash algorithm developed by Ronald Rivest in 1989 to provide a secure hash function for 8-bit processors.

MD4
An enhanced version of the MD2 algorithm, released in 1990. MD4 pads the message to ensure that the message length is 64 bits smaller than a multiple of 512 bits.

MD5
The version of the MD algorithm released in 1991. MD5 processes 512-bit blocks of the message, using four distinct rounds of computation to produce a digest of the same length as the MD2 and MD4 algorithms (128 bits). Generally has been replaced by SHA-1 or other, more modern hashing algorithms.

mean time to failure (MTTF)
The length of time or number of uses a hardware or media component can endure before its reliability is questionable and it should be replaced.

Media Access Control (MAC) address
A 6-byte address written in hexadecimal. The first 3 bytes of the address indicate the vendor or manufacturer of the physical network interface. The last 3 bytes make up a unique number assigned to that interface by the manufacturer. No two devices on the same network can have the same MAC address.

media analysis
A branch of computer forensic analysis involving the identification and extraction of information from storage media.

meet-in-the-middle attack
An attack in which the attacker uses a known plaintext message. The plaintext is then encrypted using every possible key (k1), while the equivalent ciphertext is decrypted using all possible keys (k2).

memory
The main memory resources directly available to a system’s CPU. Primary memory normally consists of volatile random access memory (RAM) and is a high performance storage resource available to a system.

memory card
A device that can store data but cannot process it; often built around some form of flash memory.

memory page
A single chunk of memory that can be moved to and from RAM and the paging file on a hard drive as part of a virtual memory system.

memory protection
A core security component that must be designed and implemented into an operating system that is used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it.

memory-mapped I/O
A technique used to manage input/output between system components and the CPU.

message
The communications to or input for an object (in the context of object-oriented programming terminology and concepts).

message digest (MD)
A summary of a message’s content (not unlike a file checksum) produced by a hashing algorithm.

metadata
The results of a data mining operation on a data warehouse.

metamodel
A model of models. Because the spiral model encapsulates a number of iterations of another model (the waterfall model), it is known as a metamodel.

Metasploit
A vulnerability scanning and penetration testing tool used to exploit flaws in applications, computers, and networking systems.

methods
The actions or functions performed on input (messages) to produce output (behaviors) by objects in an object-oriented programming environment.

microcode
A term used to describe software that is stored in a ROM chip. Also called firmware.

middle management
See security professional.

military and intelligence attacks
Attacks that are launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources.

MIME Object Security Services (MOSS)
An early communications standard that provides authenticity, confidentiality, integrity, and nonrepudiation for email messages. Has been abandoned in favor of other solutions, the most popular of which is PGP.

misuse case testing
A process used by software testers to evaluate the vulnerability of their software to known risks. Testers first enumerate the known misuse cases and then attempt to exploit those use cases with manual and/or automated attack techniques. Also known as abuse case testing.

mitigate risk
See reducing risk.

mitigated
The process by which a risk is reduced or removed.

mobile device management (MDM)
A software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting.

mobile sites
Nonmainstream alternatives to traditional recovery sites that typically consist of self-contained trailers or other easily relocated units.

modem
A traditional landline modem (modulator-demodulator) is a communications device that converts or modulates between an analog carrier signal and digital information in order to support computer communications over PSTN (public switched telephone network) lines. With the advancement of digital broadband communication technologies, the term modem is now often used to refer to the intermediary device between business or personal equipment and the broadband network (typically internet) carrier or service (such as DSL, cable, cellular/wireless/mobile, WiFi, ISDN, etc.), even when modulation and demodulation are not actually taking place.

modification attack
An attack in which captured packets are altered and then played against a system. Modified packets are designed to bypass the restrictions of improved authentication mechanisms and session sequencing.

module testing
Each independent or self-contained segment of code for which there exists a distinct and separate specification is tested independently of all other modules. Also known as component testing, this can be seen as a parent or superclass of unit testing.

modulo
The remainder value left over after a division operation is performed.

MONDEX
A type of electronic payment system and protocol designed to manage cash on smartcards.

monitoring
The activity of manually or programmatically reviewing logged information looking for specific information.

motion detector
A device that senses the occurrence of motion in a specific area.

motion sensor
See motion detector.

multicast
A communications transmission to multiple identified recipients.

multifactor authentication
Authentication that uses two or more factors of authentication. Multifactor authentication requires different factors (something you know, something you have, and something you are), not just multiple authentication methods in a single factor such as a password and a PIN, both in the something-you-know factor.

multilayer protocols
A protocol suite or collection that operates across multiple layers of the OSI model, typically using encapsulation. A common example is TCP/IP.

multilayered defense
See defense in depth.

multilevel mode
See multilevel security mode.

multilevel security mode
A system that is authorized to process information at more than one level of security even when all system users do not have appropriate clearances or a need to know for all information processed by the system.

multimedia collaboration
The use of various multimedia-supporting communication solutions to enhance distance collaboration. Collaboration occurs when people can work on a project together. Often, collaboration allows workers to work simultaneously as well as across different time frames. Collaboration can also be used for tracking changes and including multimedia functions. Collaboration can incorporate email, chat, VoIP, videoconferencing, use of a whiteboard, online document editing, real-time file exchange, versioning control, and other tools.

multipartite virus
A virus that uses more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other.

multiprocessing
A technology that makes it possible for a computing system to harness the power of more than one processor to complete the execution of a single application.

multiprogramming
The pseudo-simultaneous execution of two tasks on a single processor coordinated by the operating system for the purpose of increasing operational efficiency. Multiprogramming is considered a relatively obsolete technology and is rarely found in use today except in legacy systems.

multiprotocol label switching (MPLS)
A high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses.

multistate
Term used to describe a system that is certified to handle multiple security levels simultaneously by using specialized security mechanisms that are designed to prevent information from crossing between security levels.

multitasking
A system handling two or more tasks simultaneously.

multithreading
A process that allows multiple users to use the same process without interfering with each other.

mutation fuzzing
A form of fuzzing that modifies known inputs to generate synthetic inputs that may trigger unexpected behavior. Also known as dumb fuzzing.

mutual assistance agreement (MAA)
An agreement in which two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other technological resources. Also known as reciprocal agreement.

== N ==

NAC
See network access control (NAC).

natural disaster
A disaster that is not caused by humans, such as earthquakes, mudslides, sinkholes, fires, floods, hurricanes, tornadoes, falling rocks, snow, rainfall, ice, humidity, heat, extreme cold, and so on.

near-field communication (NFC)
A standard that establishes radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other. NFC is a derivative technology from RFID and is itself a form of field-powered or -triggered device.

need to know
The requirement to have access to, knowledge about, or possession of data or a resource in order to perform specific work tasks. A user must have a need to know in order to gain access to data or resources. Even if that user has an equal or greater security classification than the requested information, if they do not have a need to know, they are denied access.

negligence
Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.

Nessus
A vulnerability scanner.

NetBEUI
NetBEUI (NetBIOS Extended User Interface, also known as NetBIOS Frame protocol or NBF) is most widely known as a Microsoft protocol developed in 1985 to support file and printer sharing. Microsoft has enabled support of NetBEUI on modern networks by devising NBT (NetBIOS over TCP/IP). This in turn supports the Windows sharing protocol of SMB (Server Message Block), which is also known as CIFS (Common Internet File System). NetBEUI is no longer supported as a lower layer protocol; only its SMB and CIFS variants are still in use.

network access control (NAC)
A concept of controlling access to an environment through strict adherence to and enforcement of a security policy. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy compliance throughout the network, and use identities to perform access control.

Network Address Translation (NAT)
A mechanism for converting the internal private IP addresses found in packet headers into public IP addresses for transmission over the internet.

network analysis or network forensic analysis
A means of collecting and correlating information from disparate networked sources and producing as comprehensive a picture of network activity as possible.

network based IDS (NIDS)
An IDS installed onto a host to monitor a network. Network based IDSs detect attacks or event anomalies through the capture and evaluation of network packets.

network discovery scanning
A variety of techniques used to scan a range of IP addresses, searching for systems with open network ports. Network discovery scanners do not actually probe systems for vulnerabilities but provide a report showing the systems detected on a network and the list of ports that are exposed through the network and server firewalls that lie on the network path between the scanner and the scanned system.

Network layer
Layer 3 of the OSI model.

network monitoring
The act of monitoring traffic patterns to obtain information about a network.

network segmentation
See segmentation.

network topology (aka physical topology)
The physical layout and organization of computers and networking devices.

network vulnerability scanning
See vulnerability scan.

neural network
A system in which a long chain of computational decisions that feed into each other and eventually add up to produce the desired output is set up.

next generation firewall
See unified threat management (UTM).

NFC
See near-field communication (NFC).

nmap
A penetration testing tool capable of performing port scans, ping sweeps, banner grabbing, network discovery, and more.

noise
A steady interfering disturbance.

nonce
A random number generator variable used in cryptography software; creates a new and unique value every time it is used, often based on a time-stamped seed value.

noncompete agreement (NCA)
A document that attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent that second organization from benefiting from the worker’s special knowledge of secrets.

nondisclosure agreement (NDA)
A document used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside the organization. Often, violations of an NDA are met with strict penalties.

nondiscretionary access control
An access control mechanism that regulates subject access to objects by using roles or tasks.

noninterference model
A model loosely based on the information flow model. The noninterference model is concerned with the actions of one subject affecting the system state or actions of another subject.

non-IP protocols
Non-IP protocols are protocols that serve as an alternative to IP at the OSI Network layer (3). In the past, non-IP protocols were widely used. However, with the dominance and success of TCP/IP, non-IP protocols have become the purview of special purpose networks. The three most recognized non-IP protocols are IPX, AppleTalk, and NetBEUI.

nonrepudiation
A feature of a security control or an application that prevents the sender of a message or the subject of an activity or event from denying that the event occurred.

nonvolatile
See nonvolatile storage.

nonvolatile storage
A storage system that does not depend on the presence of power to maintain its contents, such as magnetic/optical media and nonvolatile RAM (NVRAM).

normal forms
Various levels of database organization designed to improve efficiency.

normalization
The database process that removes redundant data and ensures that all attributes are dependent on the primary key.

NOT
An operation (represented by the ¬ symbol) that reverses the value of an input variable. This function operates on only one variable at a time.

== O ==

OAuth
An open SSO standard designed to work with HTTP that allows users to log on with one account across multiple sites/locations.

object
A passive entity that provides information or data to subjects. An object can be a file, a database, a computer, a program, a process, a file, a printer, a storage media, and so on.

object linking and embedding (OLE)
A Microsoft technology used to link data objects into or from multiple files or sources on a computer.

object-oriented programming (OOP)
A method of programming that uses encapsulated code sets called objects. OOP is best suited for eliminating error propagation and mimicking or modeling the real world.

object-relational database
A relational database combined with an object-oriented programming environment.

OCSP
See Online Certificate Status Protocol (OCSP).

off-boarding
The removal of an employee’s identity from the identity and access management system once they have left the organization.

on-boarding
The process of adding new employees to the identity and access management system of an organization. The on-boarding process is also used when the role or position of an employee changes or when they are awarded additional levels of privilege or access.

onetime pad
An extremely powerful type of substitution cipher that uses a different key for each message. The key length is the same length as the message.

one-time password
A variant of dynamic passwords that is changed every time it is used.

one-upped constructed password
A password with a single character difference from its present form in a dictionary list.

one-way encryption
A mathematical function performed on passwords, messages, CRCs, and so on, that creates a cryptographic code that cannot be reversed.

one-way function
A mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values. Public key cryptosystems are all based on some sort of one-way function.

Online Certificate Status Protocol (OCSP)
A real-time facility for verifying the validity of a digital certificate and confirming that it has not been revoked by the issuing certificate authority.

on-premise solution
The traditional deployment concept in which an organization owns the hardware, licenses the software, and operates and maintains the systems on its own, usually within its own building.

OpenID
An open SSO standard maintained by the OpenID Foundation that can be used in conjunction with OAuth or on its own.

OpenID Connect
An internet based single sign-on solution. It operates over the OAuth protocol and can be used in relation to web services, cloud resources, and smart device apps.

open relays
An SMTP server that is configured to accept email messages from any source and will forward them on to their destination. Open relays are commonly hijacked by spammers and thus are mostly replaced with closed (i.e., internal use only) or authenticated (i.e., authenticate before use) relays.

open system authentication (OSA)
A connection scheme for wireless networks where no real authentication is required; as long as a radio signal can be transmitted between the client and WAP, communications are allowed.

Open Systems Interconnection (OSI) model
A standard model developed to establish a common communication structure or standard for all computer systems.

Open Vulnerability and Assessment Language (OVAL)
Security Content Automation Protocol (SCAP) component that provides a language for describing security testing procedures.

Open Web Application Security Project (OWASP)
A nonprofit security project focusing on improving security for online or web based applications.

operational plans
Short-term and highly detailed plans based on the strategic and tactical plans. Operational plans are valid or useful only for a short time. They must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. Operational plans are detailed plans on how to accomplish the various goals of the organization.

operations security triple
The relationship between asset, vulnerability, and threat.

operator
See user.

opportunistic TLS for SMTP
This mechanism will attempt to set up an encrypted connection with every other email server in the event that it is supported; otherwise, it will downgrade to plaintext. Using opportunistic TLS for SMTP gateways reduces the opportunities for casual sniffing of email.

OR
An operation (represented by the ∨ symbol) that checks to see whether at least one of the input values is true.

organizational owner
See senior management/senior manager.

organizational security policy
A security policy that focuses on issues relevant to every aspect of an organization (or the whole of the organization).

Orthogonal Frequency Division Multiplexing (OFDM)
A wireless technology that employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission.

OSI model
See Open Systems Interconnection (OSI) model.

output feedback (OFB)
A mode in which the Data Encryption Standard XORs plaintext with a seed value. For the first encrypted block, an initialization vector is used to create the seed value. Future seed values are derived by running the DES algorithm on the preceding seed value. The major advantage of OFB mode is that transmission errors do not propagate to affect the decryption of future blocks.

OVAL
See Open Vulnerability and Assessment Language (OVAL).

overt channel
An obvious, visible, detectable, known method of communicating that is addressed by a security policy and subsequently controlled by logical or technical access controls.

overwriting
See clearing.

OWASP
See Open Web Application Security Project (OWASP).

owner
The person who has final corporate responsibility for the protection and storage of data. The owner may be liable for negligence if they fail to perform due diligence in establishing and enforcing security policy to protect and sustain sensitive data. The owner is typically the CEO, president, or department head.

ownership
The formal assignment of responsibility (i.e., making someone an owner) to an individual or group.

== P ==

package
In the context of the Common Criteria for information technology security evaluation, a package is a set of security features that can be added to or removed from a target system.

packet
A portion of a message that contains data and the destination address; also called a datagram. Typically located at the Network layer.

packet sniffing
The act of capturing packets from the network in hopes of extracting useful information from the packet contents.

padded cell
Similar to a honeypot. When an intruder is detected by an IDS, the intruder is transferred to a padded cell. The padded cell has the look and layout of the actual network, but within the padded cell the intruder can neither perform malicious activities nor access any confidential data. A padded cell is a simulated environment that may offer fake data to retain an intruder’s interest.

pairing
The connecting or linking of two devices over Bluetooth.

palm geography
An example of a biometric factor, which is a behavioral or physiological characteristic unique to a subject. The shape of a person’s hand is used to establish identity or provide authentication.

palm scan
An example of a physiological biometric factor, which is unique to a subject. It uses near-infrared light to measure vein patterns in the palm, which are as unique as fingerprints. Some palm scans identify the layout of ridges, creases, and grooves on a person’s palm to establish identity or provide authentication. See palm topography.

palm topography
An example of a biometric factor, which is a behavioral or physiological characteristic that is unique to a subject. The layout of ridges, creases, and grooves on a person’s palm is used to establish identity or provide authentication. This is the same as a palm scan and similar to a fingerprint.

parallel data systems or parallel computing
A computation system designed to perform numerous calculations simultaneously. Parallel data systems often go far beyond basic multiprocessing capabilities. They often include the concept of dividing up a large task into smaller elements and then distributing each subelement to a different processing subsystem for parallel computation. This implementation is based on the idea that some problems can be solved efficiently if they are broken into smaller tasks that can be worked on concurrently.

parallel run
A type of new system deployment testing in which the new system and the old system are run in parallel.

parallel tests
Testing that involves actually relocating personnel to an alternate recovery site and implementing site activation procedures.

parol evidence rule
A rule that states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.

partial knowledge teams
Teams that possess an incomplete account of organizational assets, including hardware and software inventory, prior to a penetration test. Thus, time must be spent obtaining additional knowledge about the organization before test attacks can begin.

passive monitoring
Website monitoring technique that analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server.

passphrase
A string of characters usually much longer than a password. Once the passphrase is entered, the system converts it into a virtual password for use by the authentication process. Passphrases are often natural language sentences to allow for simplified memorization.

password
A string of characters entered by a subject as an authentication factor.

password authentication protocol (PAP)
A standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. PAP offers no form of encryption; it simply provides a means to transport the logon credentials from the client to the authentication server.

Password Based Key Derivation Function 2 (PBKDF2)
An example of a key stretching technology. PBKDF2 uses a hashing operation, an encryption cipher function, or an HMAC operation (i.e., a symmetric key is used in the hashing process) on the input password, which is combined with a salt. This process is then repeated thousands of times.

password policy
The section of an organization’s security policy that dictates the rules, restrictions, and requirements of passwords. This can also indicate the programmatic controls deployed on a system to improve the strength of passwords.

password restrictions
The rules that define the minimal requirements of passwords, such as length, character composition, and age.

PASTA (Process for Attack Simulation and Threat Analysis)
A seven step threat modeling methodology.

patch management
Program that ensures that relevant patches are applied to systems. Ideally, patches are evaluated, tested, and deployed, and systems are audited to verify that the patches are applied and not removed.

patent
A governmental grant that bestows on an invention’s creator the sole right to make, use, and sell that invention for a set period of time.

pattern-matching detection
See knowledge-based detection.

PDU (protocol data unit)
The name of the network container at OSI layers 7, 6, and 5 (Application, Presentation, and Session).

peer-to-peer (P2P)
Networking and distributed application solutions that share tasks and workloads among peers.

peer-to-peer network
A network structure between individual devices without the need or use of a primary controlling entity or device.

penetration
See intrusion.

penetration testing
An activity used to test the strength and effectiveness of deployed security measures with an authorized attempted intrusion attack. Penetration testing should be performed only with the consent and knowledge of the management staff.

pepper
A number used to increase the security of salted passwords. While the salt is stored in the same database as the salted password, the pepper is stored somewhere else, such as within the application code or as a server configuration value.
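The PBKDF2 and pepper entries above describe one mechanism: a per-password salt stored beside the stretched hash, a pepper kept outside the database, and a hashing operation repeated thousands of times. The following Python is an added example (not from the glossary) that uses the standard library's PBKDF2-HMAC; the pepper value, iteration count, record format, and the choice to append the pepper to the password before stretching are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for this example. In a deployment the pepper lives in
# application code or server configuration, never in the password database.
PEPPER = b"constructed-pepper-kept-outside-the-database"
ITERATIONS = 600_000          # assumed work factor; raise it as hardware gets faster
SALT_LEN = 16                 # 128-bit random salt, unique per password
ALGO = "pbkdf2_sha256"


def hash_password(password: str,
                  pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Stretch a password with PBKDF2-HMAC-SHA256 over (password || pepper) and a salt.

    Returns a self-describing record "algo$iterations$salt_hex$digest_hex" so the
    salt and work factor are stored with the digest, while the pepper is not.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    # The pepper is appended to the password (one common scheme; an alternative is
    # to HMAC the PBKDF2 output with the pepper). The salt goes to PBKDF2 directly.
    stretched = hashlib.pbkdf2_hmac("sha256",
                                    password.encode("utf-8") + pepper,
                                    salt,
                                    iterations)
    return f"{ALGO}${iterations}${salt.hex()}${stretched.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the stretched digest from the stored salt and iteration count.

    Without the correct pepper the recomputation fails even when the password is
    right, which is what makes a stolen database alone insufficient for cracking.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256",
                                    password.encode("utf-8") + pepper,
                                    bytes.fromhex(salt_hex),
                                    int(iters))
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("right password, right pepper:", verify_password("correct horse battery staple", rec))
    print("right password, wrong pepper:", verify_password("correct horse battery staple", rec, pepper=b"other"))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
```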

period analysis
Examining a cryptographic text for patterns that repeat based on the length of the key. The key length is the period of the repetition. This is often a flaw or vulnerability of polyalphabetic substitution ciphers, which leads to a process of frequency analysis.

permanent virtual circuit (PVC)
A predefined virtual circuit that is always available for a Frame Relay customer.

personal identification number (PIN)
A number or code assigned to a person to be used as an identification factor. PINs should be kept secret.

personal identity verification (PIV)
A smartcard used by US government personnel that includes a picture and other information about the owner. It can be used as a badge and as a smartcard.

personally identifiable information (PII)
Any data item that can be easily and/or obviously traced back to the person of origin or concern.

personnel management
An important factor in maintaining operations security. Personnel management is a form of administrative control or administrative management.

pharming (also DNS pharming)
The malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site.

phishing
A form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link in response to an email. It is sent indiscriminately to a large number of users.

phone phreaking or phreaking
Manipulating or exploiting telephone networks and the switching systems that run them, historically to place free calls or to explore the network.

physical access control
A physical barrier deployed to prevent direct contact with systems. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, dogs, CCTV, mantraps, and alarms.

physical controls for physical security
See physical access control.

Physical layer
Layer 1 of the OSI model.

physical topology
See network topology (aka physical topology).

piggybacking
The act of following someone through a secured gate or doorway without being identified or authorized personally.

ping
A utility that sends ICMP Echo Request messages to a host and waits for Echo Reply messages. It is used to test whether a particular IP address is reachable and to measure round-trip time.

ping flood attack
An attack that repeatedly sends ping requests to a system. It can come from a single system as a DoS attack but is more often launched against a target by multiple systems in a DDoS attack.

ping-of-death attack
A type of DoS. A ping-of-death attack employs an oversized ping packet. Using special tools, an attacker can send numerous oversized ping packets to a victim. In many cases, when the victimized system attempts to process the packets, an error occurs, causing the system to freeze, crash, or reboot.

plain old telephone service (POTS)
Normal telephone service.

plaintext
A message that has not been encrypted.

platform as a service (PaaS)
The cloud computing concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, it is the concept of paying for a service that provides all the aspects of a platform (i.e., operating system and complete solution package).

playback attack
See replay attack.

Point-to-Point Protocol (PPP)
A full-duplex Data Link layer protocol used to encapsulate and transmit TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, Frame Relay, and so on. PPP is widely supported and was the standard encapsulation for dial-up internet connections.

Point-to-Point Tunneling Protocol (PPTP)
An extension of PPP that tunnels PPP frames between communication endpoints. PPTP itself does not encrypt; confidentiality comes from a separate mechanism such as MPPE. PPTP was used for VPNs but is considered insecure and has largely been replaced by L2TP/IPsec, IPsec, or TLS-based VPN protocols.

policy
See security policy.

polyalphabetic substitution
A cryptographic transformation that encrypts a message letter by letter using several cipher alphabets (typically shifted versions of the same alphabet), cycling through them according to a key; the Vigenère cipher is the classic example. Because the same plaintext letter maps to different ciphertext letters depending on its position, simple frequency analysis fails until the period of the key is found. Compare period analysis.
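The following Vigenère implementation and attack is an added example illustrating the two entries above (polyalphabetic substitution and period analysis); it is not code from the glossary. The key "LEMON", the sample plaintext, and the English letter-frequency table are assumptions chosen for the demonstration.

```python
"""Vigenere (polyalphabetic substitution) and a period-analysis attack."""
from string import ascii_uppercase as ALPHABET

# Approximate relative frequencies of letters in English text, A..Z, in percent.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0,
                2.4, 6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4,
                0.15, 2.0, 0.074]

# Constructed plaintext for the demonstration (about 600 letters of English).
SAMPLE_PLAINTEXT = (
    "The principle of least privilege states that every subject should be granted "
    "only the minimal access needed to complete assigned work tasks and nothing more. "
    "Separation of duties ensures that no single person can complete a sensitive "
    "transaction alone, and job rotation exposes fraud that one operator might "
    "otherwise conceal for years. Auditing records what actually happened so that "
    "accountability can be enforced after the fact. Together these administrative "
    "controls reduce the damage that any one compromised account can cause, whether "
    "the account belongs to a careless insider or to an attacker who has stolen valid "
    "credentials. Detection and response then limit how long such an account remains "
    "useful to the intruder."
)


def clean(text):
    """Keep only letters, uppercased: the classical 26-letter cipher alphabet."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Position i uses the Caesar shift of key[i % len(key)]; the key length
    is therefore the period of the cipher."""
    text, key = clean(text), clean(key)
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def index_of_coincidence(column):
    """Probability that two letters drawn from the column are equal.
    English text scores about 0.066; a mix of several shifts scores about 0.04."""
    n = len(column)
    if n < 2:
        return 0.0
    counts = [column.count(c) for c in ALPHABET]
    return sum(k * (k - 1) for k in counts) / (n * (n - 1))


def period_scores(ciphertext, max_period=8):
    """Average IoC of the columns formed by taking every d-th letter. At the
    true period each column is a single Caesar shift of English, so the IoC
    rises back to the English value; at wrong periods the shifts stay mixed."""
    scores = {}
    for d in range(1, max_period + 1):
        cols = [ciphertext[i::d] for i in range(d)]
        scores[d] = sum(index_of_coincidence(c) for c in cols) / d
    return scores


def estimate_period(ciphertext, max_period=8):
    """Multiples of the true period score just as high, so take the smallest
    candidate whose score is within 10% of the best."""
    scores = period_scores(ciphertext, max_period)
    best = max(scores.values())
    return min(d for d, s in scores.items() if s >= 0.9 * best)


def recover_key(ciphertext, period):
    """Frequency analysis per column: pick the shift whose letter distribution
    is closest (chi-squared) to English. Each winning shift is one key letter."""
    key = []
    for i in range(period):
        col = ciphertext[i::period]
        best_shift, best_chi = 0, float("inf")
        for shift in range(26):
            shifted = [ALPHABET[(ALPHABET.index(c) - shift) % 26] for c in col]
            chi = 0.0
            for idx, letter in enumerate(ALPHABET):
                expected = ENGLISH_FREQ[idx] / 100 * len(col)
                chi += (shifted.count(letter) - expected) ** 2 / expected
            if chi < best_chi:
                best_shift, best_chi = shift, chi
        key.append(ALPHABET[best_shift])
    return "".join(key)


def crack(ciphertext):
    """Full ciphertext-only attack: period, then key, then plaintext."""
    period = estimate_period(ciphertext)
    key = recover_key(ciphertext, period)
    return period, key, vigenere(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAINTEXT, "LEMON")
    print(crack(ct)[:2])
```

The period test works because taking every fifth letter of a period-5 ciphertext yields a column enciphered with one alphabet, whose letter statistics look like English again; the same trick fails against a running key cipher, whose "period" is as long as the message.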

polyinstantiation
The event that occurs when two or more rows in the same table appear to have identical primary key elements but contain different data for use at differing classification levels. Polyinstantiation is often used as a defense against some types of inference attacks: a lower-cleared user who inserts a row sees it succeed rather than receiving a key-conflict error that would reveal the existence of a higher-classified row.

polymorphic virus
A virus that modifies its own code as it travels from system to system. The virus’s propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system.

polymorphism
In the context of object-oriented programming terminology and concepts, the characteristic of an object to provide different behaviors based on the same message and methods owing to variances in external conditions.

port
A 16-bit number in the TCP or UDP header that identifies a particular service or process at a host, so that a single IP address can carry many simultaneous conversations.

Port Address Translation (PAT)
A mechanism for converting the internal private IP addresses found in packet headers into public IP addresses and port numbers for transmission over the Internet. PAT supports a many-to-one mapping of internal to external IP addresses by using ports.

port isolation or private ports
Private VLANs that are configured to use a dedicated or reserved uplink port. The members of a private VLAN or a port isolated VLAN can interact only with each other and over the predetermined exit port or uplink port. A common implementation of port isolation occurs in hotels.

port scan
The process, and the software, an attacker uses to probe the active systems on a network and determine which services are listening on which ports of each machine.

postmortem review
An analysis and review of an activity after its completion to determine its success and whether processes and procedures need to be improved.

Post Office Protocol (POP)
A protocol used to transfer email messages from an email server to an email client.

preaction system
A combination dry pipe/wet pipe system. The system exists as a dry pipe until the initial stages of a fire (smoke, heat, and so on) are detected and then the pipes are filled with water. The water is released only after the sprinkler head activation triggers are melted by sufficient heat. If the fire is quenched before the sprinklers are triggered, the pipes can be manually emptied and reset. This also allows for manual intervention to stop the release of water before sprinkler triggering occurs. Preaction systems are the most appropriate water based system for environments that include both computers and humans in the same locations.

premises wire distribution room
See wiring closet.

Presentation layer
Layer 6 of the OSI model.

pretexting
The practice of obtaining personal information under false pretenses. Often related to phishing and other social engineering attacks.

Pretty Good Privacy (PGP)
A public/private key system for encrypting and signing files and email messages. The original product used the IDEA cipher; the OpenPGP format (RFC 4880) that grew out of it supports a range of symmetric and asymmetric algorithms. PGP began as an independently developed product with wide internet grassroots support rather than as a standard. See also GNU Privacy Guard (GnuPG).

preventive access control
An access control deployed to stop an unwanted or unauthorized activity from occurring. Examples of preventive access controls include fences, security policies, security awareness training, and antivirus software.

preventive control
Any security mechanism, tool, or practice that can deter and mitigate undesirable actions or events.

primary authoritative name server
The DNS server that hosts the original zone file for the domain. This is the only DNS server where the zone file can be edited.

primary key
A specific key from the set of candidate keys that is used as the main differentiator between records. Every record must have a unique value in its primary key field.

primary memory
Storage that normally consists of volatile random access memory (RAM) and is a high performance storage resource available to a system.

Primary Rate Interface (PRI)
An ISDN service type that provides up to 23 B channels and one D channel. Thus, a full PRI ISDN connection offers 1.544 Mbps throughput, the same as a T1 line.

primary storage
The RAM that a computer uses to keep necessary information readily available.

principle of least privilege
An access control philosophy that states that subjects are granted the minimal access possible for the completion of their work tasks.

privacy
An element of confidentiality aimed at preventing personal or sensitive information about an individual or organization from being disclosed. Also refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

Privacy Act of 1974
A law that mandates that government agencies maintain only records that are necessary to conduct their business and destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended. The Privacy Act also restricts the way the federal government can deal with private information about individual citizens.

Privacy Enhanced Mail (PEM)
An email encryption mechanism that provides authentication, integrity, confidentiality, and nonrepudiation. PEM is a layer 7 protocol. PEM uses RSA, DES, and X.509. The protocol itself saw little adoption, but its Base64 text container format survives as the common .pem encoding for certificates and keys.

private
A commercial business/private sector classification used for data of a private or personal nature that is intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed.

private branch exchange (PBX)
A sophisticated telephone system often used by organizations to provide inbound call support, extension-to-extension calling, conference calling, and voicemail. This can be implemented as a stand-alone phone system network or integrated with the IT infrastructure.

private cloud
A cloud deployment model that includes cloud based assets for a single organization. Organizations can create and host private clouds using their own resources. If so, the organization is responsible for all maintenance. However, an organization can also rent resources from a third party and split maintenance requirements based on the service model (SaaS, PaaS, or IaaS).

private IP addresses
The addresses defined in RFC 1918, which are not routed over the internet.

private key
A secret value that is used to encrypt or decrypt messages and is kept secret and known only to the user; used in conjunction with a public key in asymmetrical cryptography.

privilege creep
The undesired accumulation of user privileges over time: as a user changes jobs, new privileges are added but privileges that are no longer needed are not revoked. It violates the principle of least privilege. See also creeping privilege(s).

privileged entity controls
See privileged operations functions.

privileged mode
The mode designed to give the operating system access to the full range of instructions supported by the CPU. Also known as kernel mode. See also protected mode.

privileged operations functions
Activities that require special access or privilege to perform within a secured IT environment. In most cases, these functions are restricted to administrators and system operators.

privileges
A combination of rights and permissions. Rights refer to actions a user can perform on a system such as changing the system time. Permissions refer to the level of access a user is granted to data such as read, write, modify, and delete.

proactive approach (aka defensive approach)
A means of threat modeling that takes place during early stages of systems development, specifically during initial design and specifications establishment. This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post deployment updates and patches.

probability determination
See annualized rate of occurrence (ARO).

problem state
The state in which a process is actively executing.

procedure
In the context of security, a detailed step-by-step how-to document describing the actions necessary to implement a specific security mechanism, control, or solution.

process isolation
One of the fundamental security procedures put into place during system design. Basically, using process isolation mechanisms (whether part of the operating system or part of the hardware itself) ensures that each process has its own isolated memory space for storage of data and the actual executing application code itself.

processor
The central processing unit in a PC; it handles all functions on the system.

Program Evaluation Review Technique (PERT)
A project scheduling tool. It is a method used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment. PERT relates the estimated lowest possible size, the most likely size, and the highest possible size of each component. PERT is used to direct improvements to project management and software coding in order to produce more efficient software. As the capabilities of programming and management improve, the actual produced size of software should be smaller.

programmable logic controllers (PLC)
Industrial control system (ICS) units that are effectively single-purpose or focused-purpose digital computers. They are typically deployed for the management and automation of various industrial electromechanical operations, such as controlling systems on an assembly line or a large scale digital light display.

programmable read-only memory (PROM)
A ROM chip whose contents are not “burned in” at the factory as is done with standard ROM chips. Instead, special functionality allows the end user to burn in the contents of the chip once; after that the contents cannot be changed.

proprietary
A form of commercial business/private sector confidential information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.

protected mode
An alternate name for user mode. The less-powerful security domain of the Windows operating environment where user applications reside. User mode is distinct from kernel mode (also known as privileged mode). User mode offers restricted resources, indirect and limited access to hardware, and isolation between processes. See also privileged mode.

protection profile
From the common criteria for information technology security evaluation, the evaluation element in which a subject states its security needs.

protection rings
A security design that organizes code and components in an operating system (as well as applications, utilities, or other code that runs under the operating system’s control) into concentric rings. The innermost ring (ring 0, the kernel) has the most capabilities and access, and each outer ring has progressively less; code in an outer ring must go through a controlled gateway to request services from an inner ring.

protocol
A set of rules and restrictions that define how data is transmitted over a network medium (for example, twisted-pair cable, wireless transmission, and so on). Protocols make computer-to-computer communications possible.

protocol translator
A device or software that can translate between protocols. Typically able to move payloads between IP and IPX. Also known as a gateway.

proximity reader
A passive device, field powered device, or transponder that detects the presence of authorized personnel and grants them physical entry into a facility. The proximity device is worn or held by the authorized bearer. When they pass a proximity reader, the reader is able to determine who the bearer is and whether they have authorized access.

proxy
A mechanism that mediates connections between two networks: it terminates the client’s connection, opens its own connection to the destination, and relays the data between them. Because the destination sees only the proxy’s address, the identity and addressing of the internal or private network are hidden.

prudent man rule
Invoked by the Federal Sentencing Guidelines, the rule that requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances.

pseudo flaws
A technique often used on honeypot systems and on critical resources to emulate well known operating system vulnerabilities.

public
The lowest level of commercial business/private sector classification. Used for all data that does not fit in one of the higher classifications. This information is not readily disclosed, but if it is, it should not have a serious negative impact on the organization.

public cloud
A cloud deployment model that includes assets available for any consumers to rent or lease and is hosted by an external cloud service provider (CSP). Service level agreements can be effective at ensuring that the CSP provides the cloud based services at an acceptable level to the organization.

public key
A value that is used to encrypt or decrypt messages and is made public to any user and used with a private key in asymmetric cryptography.

public-key cryptosystem/public-key cryptography
A subset of asymmetric cryptography based on the use of a key pair set consisting of a public key and a private key. Messages encrypted with one key from the pair can be decrypted only with the other key from the same pair.

public-key infrastructure (PKI)
A hierarchy of trust relationships that makes it possible to facilitate communication between parties previously unknown to each other.

purging
The process of erasing media so it can be reused in a less secure environment.

== Q ==

qualitative decision making
A decision making process that takes nonnumerical factors, such as emotions, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low).

qualitative risk analysis
Scenario oriented analysis using ranking and grading for exposure ratings and decisions.

quality assurance check
A form of personnel management and project management that oversees the development of a product. QA checks ensure that the product in development is consistent with stated standards, methods of practice, efficiency, and so on.

quantitative decision making
The use of numbers and formulas to reach a decision. Options are often expressed in terms of the dollar value to the business.

quantitative risk analysis
A method that assigns real dollar figures to the loss of an asset.

== R ==

radiation monitoring
A specific form of sniffing or eavesdropping that involves the detection, capture, and recording of radio frequency signals and other radiated communication methods, including sound and light.

radio frequency identification (RFID)
A technology that uses electromagnetic or electrostatic coupling in the radio frequency (RF) portion of the electromagnetic spectrum to identify a specific device. Each RFID tag includes a unique identifier, so that when a nearby antenna/transceiver activates the tag, it transmits that identifier back to the antenna, where the value is recorded or used to trigger some kind of action. For example, most modern toll road systems use RFID devices that drivers attach to the windshield of their car, and each time a device is “read” by an antenna, the vehicle owner’s toll account is charged the cost of that transit. RFID devices may also be used to track individuals (carrying tags), equipment (bearing tags), and so forth, within the premises of an enterprise for security monitoring.

radio frequency interference (RFI)
A type of noise that is generated by a wide number of common electrical appliances, including fluorescent lights, electrical cables, electric space heaters, computers, elevators, motors, electric magnets, and so on. RFI can affect many of the same systems EMI affects.

RADIUS
See Remote Authentication Dial-In User Service (RADIUS).

RAID
See Redundant Array of Independent Disks (RAID).

rainbow table
A database of precomputed hashes (in practice compressed into hash-reduce chains) for a large set of guessed passwords. Rainbow tables are used in password attacks and can significantly reduce the time it takes to crack an unsalted hash. Per-user salts defeat them, because a separate table would have to be computed for every salt value.

random-access memory (RAM)
Readable and writable memory that contains information the computer uses during processing. RAM retains its contents only when power is continuously supplied to it.

random access storage
Devices, such as RAM and hard drives, that allow the operating system to request contents from any point within the media.

reactive approach (aka adversarial approach)
A means of threat modeling that takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.

read-only memory (ROM)
Memory that can be read but cannot be written to.

ready state
The state in which a process is ready to execute but is waiting for its turn on the CPU.

real evidence
Items that can actually be brought into a court of law; also known as object evidence.

real memory
Typically the largest RAM storage resource available to a computer. It is normally composed of a number of dynamic RAM chips and therefore must be refreshed by the CPU on a periodic basis; also known as main memory or primary memory.

realized risk
The incident, occurrence, or event when a risk becomes a reality and a breach, attack, penetration, or intrusion has occurred that may or may not result in loss, damage, or disclosure of assets.

reasonableness check
The crafting and use of special test suites of data that exercise all paths of the software to the fullest extent possible and comparison of the results to the known correct expected outputs.

record
A single row in a relational database table; a record holds one value for each of the table’s columns (attributes).

record retention
The organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This may include file and resource access, logon patterns, email, and the use of privileges.

record sequence checking
Similar to hash total checking, but instead of verifying content integrity, it involves verifying packet or message sequence integrity.

recovery access control
A type of access control that is used to repair or restore resources, functions, and capabilities after a security policy violation.

recovery strategies
The practices, policies, and procedures to recover a business that include designating first responders to major incidents, performing critical follow up tasks, and obtaining insurance to reduce risk of financial loss.

recovery time objective (RTO)
The target amount of time within which a business process or system must be restored after a disruption. The RTO must be shorter than the maximum tolerable downtime (MTD) (aka maximum tolerable outage (MTO)), which is the limit beyond which the organization suffers unacceptable harm.

reducing risk
The implementation of safeguards and countermeasures. Also referred to as mitigating risk.

reduction analysis (aka decomposing)
The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if focusing on software; computers, operating systems, and protocols if focusing on systems or networks; or departments, tasks, and networks if focusing on an entire business infrastructure. Each identified subelement should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs. This is also sometimes referred to as decomposing the application, system, or environment.

redundant array of independent disks (RAID)
A storage device technology that uses multiple hard drives in unique combinations to produce a storage solution that provides better throughput as well as resistance to device failure.

redundant servers
A fault tolerant deployment option that provides for various server options in the event of a disaster, such as mirroring, electronic vaulting, remote journaling, database shadowing, and clustering.

reference monitor
A portion of the security kernel that validates user requests against the system’s access control mechanisms.

reference profile
The digitally stored sample of a biometric factor.

reference template
See reference profile.

referential integrity
Used to enforce relationships between two tables. One table in the relationship contains a foreign key that must match the primary key of a row in the other table, and the database rejects any insert, update, or delete that would leave a foreign key pointing at a nonexistent row.
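The SQLite script below is an added example, not part of the glossary, that ties together three of the entries above: primary key, referential integrity, and polyinstantiation. The schema, the three classification levels, and the employee rows are constructed for the demonstration.

```python
"""Primary keys, referential integrity and polyinstantiation in SQLite."""
import sqlite3

# Constructed ordering of classification levels for the demo.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


def open_db():
    """In-memory database with one department and one polyinstantiated employee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE departments (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        -- The visible identifier is emp_id, but the real primary key also
        -- carries the classification level: that is what permits two rows
        -- for the same employee at different levels (polyinstantiation).
        CREATE TABLE employees (
            emp_id         INTEGER NOT NULL,
            classification TEXT    NOT NULL,
            assignment     TEXT    NOT NULL,
            dept_id        INTEGER NOT NULL REFERENCES departments(dept_id),
            PRIMARY KEY (emp_id, classification)
        );
    """)
    conn.execute("INSERT INTO departments VALUES (1, 'Operations')")
    # Same emp_id twice: the low-level cover story and the real assignment.
    conn.execute("INSERT INTO employees VALUES (7, 'UNCLASSIFIED', 'Logistics desk', 1)")
    conn.execute("INSERT INTO employees VALUES (7, 'SECRET', 'Field operation BLUE', 1)")
    conn.commit()
    return conn


def view_assignment(conn, emp_id, clearance):
    """Return the row at the highest classification the subject may read.
    A low-cleared user gets the cover story, never an error or an empty
    result that would reveal that a higher-classified row exists."""
    rows = conn.execute(
        "SELECT classification, assignment FROM employees WHERE emp_id = ?",
        (emp_id,)).fetchall()
    readable = [(LEVELS[c], a) for c, a in rows if LEVELS[c] <= LEVELS[clearance]]
    return max(readable)[1] if readable else None


def insert_checked(conn, sql, params):
    """Return None on success or the constraint error text, so the caller
    can see which integrity rule fired (UNIQUE for the key, FOREIGN KEY for
    referential integrity)."""
    try:
        with conn:            # commits on success, rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


if __name__ == "__main__":
    db = open_db()
    for level in LEVELS:
        print(level, "->", view_assignment(db, 7, level))
    print(insert_checked(db, "INSERT INTO employees VALUES (?,?,?,?)",
                         (8, "UNCLASSIFIED", "Mailroom", 99)))
```

Note the `PRAGMA foreign_keys = ON`: SQLite parses `REFERENCES` clauses but silently ignores them on a connection that has not enabled enforcement, which is exactly the kind of default a schema review should catch.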

reflected input
A reflected cross-site scripting (XSS) condition: script supplied in a request (in a URL parameter or form field) is echoed back by a vulnerable website into its response without encoding, so the victim’s browser runs it as if it were original and legitimate page content.

register
A limited amount of onboard memory in a CPU.

register address
The address of a register, which is a small memory location directly on the CPU. When the CPU needs information from one of those registers to complete an operation, it can simply use the register address (for example, “register one”) to access the information.

registration authority (RA)
An entity in a PKI that verifies the identity of certificate requesters and approves enrollment on behalf of a certificate authority (CA) but cannot sign or issue certificates itself. An RA is used to share the workload of a CA.

regulatory policy
A policy that is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance.

reject risk
To deny that a risk exists or hope that by ignoring a risk, it will never be realized. It is an unacceptable response to risk. Also referred to as deny risk.

relational database
A database that consists of tables that contain a set of related records.

relationship
The association of information in tables of a relational database.

relevant
Characteristic of evidence that is applicable in determining a fact in a court of law.

Remote Authentication Dial-in User Service (RADIUS)
A protocol and service used to centralize authentication, authorization, and accounting for network access. It was designed for dial-up connections (hence the name) and is now used for VPN connections, wired and wireless 802.1X authentication, and broadband access via the internet.

remote journaling
Transferring copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer.

remote mirroring
Maintaining a live database server at the backup site. It is the most advanced database backup solution.

remote wipe
A mobile device security feature that can delete all data and possibly even configuration settings remotely.

repeater
A network device used to amplify signals on network cabling to allow for longer distances between nodes. Also known as a concentrator or amplifier.

replay attack
An attack in which a malicious user records the traffic between a client and server and later retransmits the captured packets to the server, possibly with slight variations such as an adjusted time stamp or a spoofed source IP address. In some cases, this allows the malicious user to re-establish an old session or repeat a transaction without knowing any credentials. Countermeasures bind each message to a nonce, sequence number, or timestamp that is protected by a MAC or signature, so a reused or altered message is rejected. Also referred to as a playback attack.
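The exchange below is an added example, not code from the glossary: a client binds a nonce and timestamp into an HMAC over each request, and the server rejects a replay, a tampered copy, and a stale capture. The shared key, the message format, the 30-second window and the clock values are assumptions made for the demonstration.

```python
"""Replay attack and the nonce/timestamp/MAC defence."""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"demo-shared-key"   # assumed to be pre-shared between client and server
WINDOW_SECONDS = 30               # how old a message may be before it is refused


def mac(key, payload_bytes):
    return hmac.new(key, payload_bytes, hashlib.sha256).hexdigest()


def build_message(action, now, key=SHARED_KEY):
    """Client side: a fresh nonce and the current time are part of the
    authenticated body, so the server can distinguish a genuine new request
    from a recorded one played back later."""
    body = {"action": action, "ts": now, "nonce": secrets.token_hex(8)}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": mac(key, raw)}


class Server:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        # Nonces seen inside the window. Anything older is already refused by
        # the timestamp check, so a real store only needs to keep WINDOW_SECONDS.
        self.seen_nonces = set()

    def accept(self, message, now):
        """Return (accepted, reason); every rejection path is explicit."""
        body = message["body"]
        raw = json.dumps(body, sort_keys=True).encode()
        if not hmac.compare_digest(mac(self.key, raw), message["mac"]):
            return False, "bad mac"            # altered timestamp/body or forged
        if abs(now - body["ts"]) > WINDOW_SECONDS:
            return False, "stale timestamp"    # old capture played back later
        if body["nonce"] in self.seen_nonces:
            return False, "replayed nonce"     # same message replayed within window
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


def demo():
    """Constructed scenario: one genuine request, then three attacker variants."""
    server = Server()
    msg = build_message("transfer 100 to acct 42", now=1000)
    first = server.accept(msg, now=1001)                     # genuine
    replay = server.accept(msg, now=1005)                    # verbatim replay
    tampered = dict(msg, body=dict(msg["body"], ts=1005))    # "freshened" timestamp
    forged = server.accept(tampered, now=1005)
    old = build_message("transfer 100 to acct 42", now=1000)
    stale = Server().accept(old, now=2000)                   # replayed much later
    return first, replay, forged, stale


if __name__ == "__main__":
    print(demo())
```

The tampered case is the one the glossary entry describes: adjusting the timestamp on a captured packet. Because the timestamp is inside the MAC, the adjustment invalidates the message before the freshness checks are even reached.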

residual risk
The risk that remains after safeguards have been applied, including specific threats to specific assets against which upper management chooses not to implement a safeguard. In other words, residual risk is the risk that management has chosen to accept rather than mitigate.

resource records
The individual entries in a zone file that define DNS values and relationships, such as an A or Address record that links an FQDN to an IPv4 address.

restricted interface model
A model that uses classification based restrictions to offer only subject specific authorized information and functions. One subject at one classification level will see one set of data and have access to one set of functions whereas another subject at a different classification level will see a different set of data and have access to a different set of functions.

retina scan
An example of a biometric factor, which is a behavioral or physiological characteristic that is unique to a subject. The blood vessel pattern at the back of the eyeball is used to establish identity or provide authentication.

Reverse Address Resolution Protocol (RARP)
A subprotocol of the TCP/IP protocol suite that operates at the Data Link layer (layer 2). RARP is used to discover the IP address of a system by polling using its MAC address.

reverse engineering
Decompiling or disassembling a program to understand the intricate details of its functionality. It is often viewed as unethical, and may be prohibited by license, when used to create a similar, competing, or compatible product; it is also a standard, legitimate technique in malware analysis, vulnerability research, and interoperability work.

reverse hash matching
The process of discovering the original message that has been hashed by generating potential messages, hashing them, and comparing their hash value to the original. When H(M’) = H(M), M’ is taken to be the original message M; this is how password hashes are cracked. Strictly, a match proves only that a collision was found, but for a collision-resistant hash and a plausible candidate it is treated as recovery of M.

revocation
A mechanism that allows a PKI certificate to be invalidated before its scheduled expiration, for example because the private key was compromised or the holder left the organization. Revoked certificates are published in a certificate revocation list (CRL) or reported through OCSP, and relying parties must consult one of these before trusting a certificate.

RFC 1918
The standard that reserves three IPv4 address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) for private networks. These addresses are not routed over the internet and are translated by NAT or PAT at the network edge.

Rijndael block cipher
The block cipher selected to replace DES as the Advanced Encryption Standard (AES, FIPS 197). AES uses a 128-bit block and allows three key sizes: 128 bits, 192 bits, and 256 bits.

risk
The likelihood that any specific threat will exploit a specific vulnerability to cause harm to an asset. “Risk is an assessment based on value of the asset, the amount of potential damage, and the likelihood of the threat occurring.”

risk analysis
An element of risk management that includes analyzing an environment for risks, evaluating each risk as to its likelihood of occurring and cost of damage, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safe guards to present to upper management.

risk avoidance
The process of selecting alternate options or activities that have less asso ciated risk than the default, common, expedient, or cheap option.

risk deterrence
The process of implementing deterrents to would be violators of security and policy.

risk framework
A guideline or recipe for how risk is to be assessed, resolved, and monitored.

risk management
A detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

risk tolerance
The ability of an organization to absorb the losses associated with realized risks.

Rivest, Shamir, and Adleman (RSA)
A public key encryption algorithm named after Rivest, Shamir, and Adleman, its inventors.

Role Based Access Control (RBAC or role-BAC)
A form of nondiscretionary access controls that employs job function roles to regulate subject access to objects.

root
The administrator level of a system.

rooting
Rooting removes restrictions on Android devices and permits root level access to the underlying operating system. It is similar to jailbreaking a device running the iOS operating system.

rootkit
A specialized software package that allows attackers to keep privileged access to a system while hiding their presence, typically by altering operating system components or hooking system calls so that malicious files, processes, and network connections are not shown to administrators or security tools.

router
A network device used to control traffic flow on networks. Routers are often used to connect similar networks together and control traffic flow between them. They can function using statically defined routing tables or employ a dynamic routing system.

RSA
See Rivest, Shamir, and Adleman (RSA).

rule-based access control
A variation of mandatory access controls. A rule-based system uses a set of rules, restrictions, or filters to determine what can and cannot occur on the system, such as granting subject access, performing an action on an object, or accessing a resource. Firewalls, proxies, and routers are common examples of rule-based access control systems.

running key cipher
A form of cryptography in which the key is a designation of a changing source, such as the third page of the New York Times.

running state
The state in which a process is actively executing. This is another name for problem state.

== S ==

S/MIME
See Secure Multipurpose Internet Mail Extensions (S/MIME).

sabotage
A criminal act committed against an organization by a knowledgeable employee.

safe harbor
A regulatory mechanism that includes a set of Safe Harbor Principles. The seven principles are notice, choice, onward transfer, security, data integrity, access, and enforcement. The goal is to prevent unauthorized disclosure of information handled by data processors and transmitted between data processors and the data controller. US companies could voluntarily opt into the program if they agreed to abide by the seven principles and the requirements outlined in 15 frequently asked questions. The US–EU Safe Harbor framework was invalidated by the Court of Justice of the European Union in 2015 and has since been succeeded by the Privacy Shield (itself invalidated in 2020) and then the EU–US Data Privacy Framework.

safeguard
Anything that removes a vulnerability or protects against one or more specific threats. Also referred to as a countermeasure.

sag
Momentary low voltage.

salami attack
An attack carried out as a large number of small actions, each too minor to be noticed, that together amount to something of significant value; the classic example is diverting fractions of a cent from many financial transactions into an attacker’s account. The same pattern applies to gathering small pieces of data that together reveal something of higher sensitivity.

salt
A random value combined with a password before hashing so that identical passwords produce different stored hash values and precomputed tables (such as rainbow tables) cannot be reused across users. The salt need not be secret and is stored alongside the hash. Purpose-built password hashing functions such as bcrypt and Password Based Key Derivation Function 2 (PBKDF2) take a salt as input and also slow down each guess. This is also known as a cryptographic salt. Compare with pepper.
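The script below is an added example, not code from the glossary, covering the entries for pepper, rainbow table, reverse hash matching, and salt in one place: a precomputed lookup table cracks an unsalted SHA-256 digest at once, a salted PBKDF2 digest defeats the table, and the pepper stops an attacker who has the database (salts included) from verifying guesses offline. The pepper value, the five-word candidate list, and the iteration count are assumptions chosen for the demonstration.

```python
"""Salted and peppered password hashing versus precomputed-table attacks."""
import hashlib
import hmac
import os

# The pepper lives OUTSIDE the password database (application config, an
# environment variable, a secrets manager). Hard-coded here only for the demo.
PEPPER = b"demo-pepper-keep-this-out-of-the-db"
ITERATIONS = 100_000   # kept low for the demo; production uses far more


def unsalted_hash(password):
    """The weak scheme: one deterministic digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password for a wordlist. A real rainbow table
    compresses this with hash/reduce chains, but the attack is the same:
    hash the guesses ahead of time, then match stolen digests against them."""
    return {unsalted_hash(pw): pw for pw in candidates}


def reverse_hash(digest, table):
    """Reverse hash matching: find an M' with H(M') == digest, or None."""
    return table.get(digest)


def hash_password(password, salt=None, pepper=PEPPER):
    """PBKDF2-HMAC-SHA256 over the peppered password with a per-user salt.
    Returns (salt, digest); the salt is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest, pepper=PEPPER):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, pepper)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt, digest, candidates, pepper=PEPPER):
    """What an attacker holding the database can do: try each candidate
    with the stolen salt. Without the pepper, nothing matches."""
    for pw in candidates:
        if verify_password(pw, salt, digest, pepper):
            return pw
    return None


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "123456", "Winter2024", "qwerty"]


def demo():
    """Same weak password stored two ways; returns what each attack recovers."""
    victim_pw = "Winter2024"
    table = build_lookup_table(WORDLIST)
    cracked_unsalted = reverse_hash(unsalted_hash(victim_pw), table)
    salt, digest = hash_password(victim_pw)
    cracked_salted_by_table = reverse_hash(digest.hex(), table)
    cracked_without_pepper = offline_guess(salt, digest, WORDLIST, pepper=b"")
    cracked_with_pepper = offline_guess(salt, digest, WORDLIST)
    return (cracked_unsalted, cracked_salted_by_table,
            cracked_without_pepper, cracked_with_pepper)


if __name__ == "__main__":
    print(demo())
```

The last two results make the salt/pepper distinction concrete: the salt is public and only forces per-user work, so the attacker who steals the database still recovers the password once they spend that work; the pepper is the missing secret, so the same database is useless without a second compromise of the application host.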

SAML
See Security Assertion Markup Language (SAML).

sampling
A form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail.

sandbox
A security boundary within which a Java applet executes.

sandboxing
A security technique that provides a security boundary for applications and prevents the application from interacting with other applications. Antimalware applications use sandboxing techniques to test unknown applications. If the application displays suspicious characteristics, the sandboxing technique prevents the application from infecting other applications or the operating system.

sanitization
Any number of processes that prepare media for destruction. Sanitization is the process that ensures that data cannot be recovered by any means from destroyed or discarded media. Sanitization can also be the actual means by which media is destroyed. Media can be sanitized by purging or degaussing without physically destroying the media.

scanning
Similar to casing a neighborhood prior to a burglary, it’s the process by which a potential intruder looks for possible entryways into a system. Scanning can indicate that illegal activity will follow, so it is a good idea to treat scans as incidents and to collect evidence of scanning activity.

SCAP
See Security Content Automation Protocol (SCAP).

scavenging
A form of dumpster diving performed electronically. Online scavenging searches for useful information in the remnants of data left over after processes or tasks are completed. This could include audit trails, log files, memory dumps, variable settings, port mappings, cached data, and so on.

scenario
In relation to risk assessment, it is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets.

schema
The structure that holds the data that defines or describes a database. The schema is written using a Data Definition Language (DDL).

screen scraper or screen scraping
1) Remote control, remote access, or remote desktop-like services. 2) A technology that can allow an automated tool to interact with a human interface in order to parse the results to extract just the relevant information.

script kiddie
A malicious individual who doesn’t understand the technology behind security vulnerabilities but downloads ready-to-use software (or scripts) from the internet and uses them to launch attacks against systems.

scripted access
A method to automate the logon process with a script that provides the logon credentials to a system. It is considered a form of single sign-on.

SDH (Synchronous Digital Hierarchy)
See Synchronous Digital Hierarchy (SDH).

search warrant
A document obtained through the judicial system that allows law enforcement personnel to acquire evidence from a location without first alerting the individual believed to have perpetrated a crime.

seclusion
A means of storing something in an out-of-the-way location. This location can also provide strict access controls and can help enforce confidentiality protections.

secondary authoritative name servers
The DNS servers that distribute the load of DNS resolution. These servers obtain a read-only copy of the zone file from the primary authoritative name server.

secondary evidence
A copy of evidence or an oral description of the contents of best evidence.

secondary memory
Magnetic/optical media and other storage devices that contain data not immediately available to the CPU.

secondary storage
Data repositories that include magnetic and optical media, such as tapes, disks, hard drives, and CD/DVD storage.

second tier attack
An assault that relies on information or data gained from eavesdropping or other similar data gathering techniques. In other words, it is an attack that is launched only after some other attack is completed.

secrecy
The act of keeping something a secret or preventing the disclosure of information.

secret
A government/military classification, used for data of a secret nature. Unauthorized disclosure of secret data could cause serious damage to national security.

secure boot
A feature of Unified Extensible Firmware Interface (UEFI) that aims to protect the operating environment of the local system by preventing the loading or installing of device drivers or an operating system that is not signed by a preapproved digital certificate. Secure boot thus protects systems against a range of low level or boot level malware, such as certain rootkits and backdoors.

secure communication protocol
A protocol that uses encryption to provide security for the data transmitted by it.

secure electronic transaction (SET)
A security protocol for the transmission of transactions over the internet. SET is based on RSA encryption and DES. SET had the support of major credit card companies, such as Visa and Mastercard. However, it has mostly been abandoned in light of newer and more secure alternatives.

secure hash algorithm (SHA) [SHA-1, SHA-2, SHA-3]
A government standard hash function developed by the National Institute of Standards and Technology (NIST) and specified in an official government publication. SHA-1 creates a 160-bit hash value output. Members of the SHA-2 family create a range of hash value outputs: 224, 256, 384, or 512 bits. SHA-3 was still in development at the time of this writing, but the Keccak algorithm has been selected for that emerging standard.

Secure HTTP (S-HTTP)
The second major protocol used to provide security on the World Wide Web.

Secure Multipurpose Internet Mail Extensions (S/MIME)
A protocol used to secure the transmission of email and attachments.

Secure Remote Procedure Call (SRPC)
An authentication service. SRPC is simply a means to prevent unauthorized execution of code on remote systems.

Secure Shell (SSH)
An end-to-end encryption technique. This suite of programs provides encrypted alternatives to common internet applications such as FTP, Telnet, and rlogin. There are two versions of SSH. SSH1 supports the DES, 3DES, IDEA, and Blowfish algorithms. SSH2 drops support for DES and IDEA but adds support for several other algorithms.

Secure Sockets Layer (SSL)
An encryption protocol developed by Netscape to protect the communications between a web server and a web browser.

security as a service (SECaaS)
A cloud provider concept in which security is provided to an organization through or by an online entity.

Security Assertion Markup Language (SAML)
An XML based convention for communicating authentication and authorization details between security domains, often over web protocols. SAML is often used to provide a web based SSO solution.

security assessments
Comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.

security association (SA)
In an IPsec session, the representation of the communication session and process of recording any configuration and status information about the connection.

security audits
Evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party. Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors. The staff members who design, implement, and monitor controls for an organization have an inherent conflict of interest when evaluating the effectiveness of those controls.

security boundary
The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Security Content Automation Protocol (SCAP)
Provides a common framework for discussion of security vulnerabilities and also facilitates the automation of interactions between different security systems.

security control
The safeguards or countermeasures used to address security vulnerabilities to reduce or manage risk.

Security Control Assessment (SCA)
The formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.

security control baselines
A mandated set of security controls that provide a starting point for implementing security and ensure a minimum security standard.

security control framework
The formal structure of the security solution desired by the organization.

security development lifecycle (SDL)
A Microsoft security management process used to consider and implement security at each stage of a product’s development. This supports the motto of “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C).

security governance
The collection of practices related to supporting, defining, and directing the security efforts of an organization.

security ID
A form of physical identification; generally contains a picture of the subject and/or a magnetic strip with additional information about a subject.

security incident
See computer security incident.

security kernel
The core set of operating system services that handles all user/application requests for access to system resources.

security label
An assigned classification or sensitivity level used in security models to determine the level of security required to protect an object and prevent unauthorized access.

security management planning
The act of thoroughly and systematically designing procedural and policy documentation to reduce risk and then to maintain risk at an acceptable level for a given environment.

security mode
The US government has designated four approved security modes for systems that process classified information; see dedicated security mode, system high security mode, compartmented security mode, and multilevel security mode.

security perimeter
The imaginary boundary that separates the trusted computing base from the rest of the system.

security policy
A document that defines the scope of security needs of an organization, prescribes solutions to manage security issues, and discusses the assets that need protection and the extent to which security solutions should go to provide the necessary protection.

security professional
Trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.

security role
The part an individual plays in the overall scheme of security implementation and administration within an organization.

security target
The evaluation element from the Common Criteria for information technology security evaluation in which a vendor states the security features of its product.

security tests
Security tests verify that a control is functioning properly. These tests include automated scans, tool assisted penetration tests, and manual attempts to undermine security. Security testing should take place on a regular schedule, with attention paid to each of the key security controls protecting an organization.

segment
The combination of Transport layer TCP header and payload.

segmentation
The act of subdividing a network into numerous smaller units. These smaller units, groupings, segments, or subnetworks (i.e., subnets) can be used to improve various aspects of the network. Segmentation can boost performance, reduce congestion, compartmentalize communication problems (such as broadcast storms), and provide security improvements through traffic isolation. Segments can be created by using switch based VLANs, routers, or firewalls (as well as combinations of all of these).

semantic integrity mechanisms
A common security feature of a DBMS. This feature ensures that no structural or semantic rules are violated. It also checks that all stored data types are within valid domain ranges, that only logical values exist, and that any and all uniqueness constraints are met.

Sender Policy Framework (SPF)
A spam and email abuse prevention technology that operates by checking that inbound messages originate from a host authorized to send messages by the owners of the SMTP origin domain.

senior management/senior manager
A person or group who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. They must sign off on all policy issues, and they will be held liable for overall success or failure of a security solution. It is the responsibility of senior management to show prudent due care. Also referred to as organizational owner and upper management.

sensitive
A commercial business/private sector classification used for data that is more sensitive than public data. A negative impact could occur for the company if sensitive data is disclosed.

Sensitive But Unclassified (SBU)
A data classification label used for data that is for internal use or office use only. Often SBU is used to protect information that could violate the privacy rights of individuals.

sensitivity
In regard to biometric devices, the level at which the device is configured for scanning. In regard to confidentiality, it refers to the quality of information that could cause harm or damage if disclosed.

separation of duties and responsibilities
A common practice to prevent any single subject from being able to circumvent or disable security mechanisms. When core administration or high authority responsibilities are divided among several subjects, no one subject has sufficient access to perform significant malicious activities or bypass imposed security controls.

separation of privilege
The principle that builds on the principle of least privilege. It requires the use of granular access permissions—that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system.

Sequenced Packet Exchange (SPX)
The Transport layer protocol of the IPX/SPX protocol suite from Novell.

sequential storage
Devices that require that you read (or speed past) all of the data physically stored prior to the desired location. A common example of a sequential storage device is a magnetic tape drive.

Serial Line Internet Protocol (SLIP)
An older technology developed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dial-up.

service bureaus
Businesses that lease computer time through contractual agreements and provide all IT needs in the event of some disaster or business interruption that requires a disaster recovery plan or business continuity plan to be enacted. Also known as a cloud computing service.

service level agreement (SLA)
A contractual obligation to your clients that requires you to implement sound BCP practices. Also used to ensure acceptable levels of service from suppliers for sound BCP practices.

Service Organization Controls (SOC) Report
A report produced by an auditor that includes the results of security assessments of a cloud provider.

Service Provisioning Markup Language (SPML)
A markup language used with federated identity management systems to exchange user information for federated identity single sign-on purposes. It is derived from the Standard Generalized Markup Language (SGML), the Extensible Markup Language (XML), and the Generalized Markup Language (GML).

SESAME
A ticket based authentication mechanism similar to Kerberos.

session hijacking
An attack that occurs when a malicious individual intercepts part of a communication between an authorized user and a resource and then uses a hijacking technique to take over the session and assume the identity of the authorized user.

Session layer
Layer 5 of the OSI model.

shared key authentication (SKA)
A connection scheme for wireless networks that requires that some form of authentication must take place before network communications can occur. The 802.11 standard defines one optional technique for SKA known as WEP.

shielded twisted-pair (STP)
A twisted-pair wire that includes a metal foil wrapper inside the outer sheath to provide additional protection from EMI.

shoulder surfing
The act of gathering information from a system by observing the monitor or the use of the keyboard by the operator.

shrink-wrap license agreement
A license written on the outside of software packaging. Such licenses get their name because they commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.

side-channel attack
A passive, noninvasive attack to observe the operation of a device. Side-channel attacks are used against smartcards. Common side-channel attacks are power monitoring attacks, timing attacks, and fault analysis attacks.

signature based detection
The process used by antivirus software to identify potential virus infections on a system.

signature dynamics
When used as a biometric, the use of the pattern and speed of a person writing their signature to establish identity or provide authentication.

Simple Integrity Axiom (SI Axiom)
An axiom of the Biba model that states that a subject at a specific classification level cannot read data with a lower classification level. This is often shortened to “no read down.”

Simple Key Management for IP (SKIP)
An encryption tool used to protect sessionless datagram protocols.

Simple Mail Transfer Protocol (SMTP)
The primary protocol used to move email messages from clients to servers and from server to server.

Simple Security Property (SS property)
A property of the Bell–LaPadula model that states that a subject at a specific classification level cannot read data with a higher classification level. This is often shortened to “no read up.”

simulation tests
A test in which disaster recovery team members are presented with a scenario and asked to develop an appropriate response. Some of these response measures are then tested. This may involve the interruption of noncritical business activities and the use of some operational personnel.

single loss expectancy (SLE)
The cost associated with a single realized risk against a specific asset. The SLE indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat. SLE = asset value ($) * exposure factor (EF).

single point of failure
Any element of an infrastructure—such as a device, service, protocol, or communication link—that would cause total or significant downtime if compromised, violated, or destroyed, affecting the ability of members of your organization to perform essential work tasks.

single sign-on (SSO)
A mechanism that allows subjects to authenticate themselves only once to a system. With SSO, once subjects are authenticated, they can freely roam the network and access resources and services without being rechallenged for authentication.

single state
Systems that require the use of policy mechanisms to manage information at different levels. In this type of arrangement, security administrators approve a processor and system to handle only one security level at a time.

single use passwords
A variant of dynamic passwords that are changed every time they are used.

site survey
A formal assessment of wireless signal strength, quality, and interference using an RF signal detector.

Skipjack
Associated with the Escrowed Encryption Standard, an algorithm that operates on 64-bit blocks of text. It uses an 80-bit key and supports the same four modes of operation supported by DES. Skipjack was proposed but never implemented by the US government. It provides the cryptographic routines supporting the Clipper and Capstone high speed encryption chips designed for mainstream commercial use.

sliding windows
The ability of TCP to dynamically alter its transmission window size based on link reliability.

smart card or smartcard
Credit card sized ID, badge, or security pass that has a magnetic strip, bar code, or integrated circuit chip embedded in it. Smartcards can contain information about the authorized bearer that can be used for identification and/or authentication purposes.

smart devices
A range of mobile devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on device or in the cloud artificial intelligence (AI) processing.

smurf attack
A type of DoS. A smurf attack occurs when an amplifying server or network is used to flood a victim with useless data.

snapshot
A backup of a virtual machine.

sniffer attack
Any activity that results in a malicious user obtaining information about a network or the traffic over that network. A sniffer is often a packet capturing program that duplicates the contents of packets traveling over the network medium into a file. Also referred to as a snooping attack.

sniffing
A form of network traffic monitoring. Sniffing often involves the capture or duplication of network traffic for examination, recreation, and extraction.

sniping
Using an automated agent to submit a last second bid on an online auction.

snooping attack
See sniffer attack.

social engineering
A skill by which an unauthorized person gains the trust of someone inside an organization and encourages the victim to make a change to the IT system in order to grant the attacker access. It can also be used as a means to trick a victim into disclosing information to the attacker.

socket
Another name for a port.

software analysis
Conducting forensic reviews of applications or the activity that takes place within a running application.

software as a service (SaaS)
A cloud computing concept that provides on-demand online access to specific software applications or suites without the need for local installation.

software defined networks (SDN)
A unique approach to network operation, design, and management. The concept is based on the theory that the complexities of a traditional network with on device configuration (i.e., routers and switches) often force an organization to stick with a single device vendor, such as Cisco, and limit the flexibility of the network to changing physical and business conditions. SDN aims at separating the infrastructure layer (i.e., hardware and hardware based settings) from the control layer (i.e., network services of data transmission management).

software escrow arrangement
A tool used to protect a company against the failure of a software developer to provide adequate support for its products or against the possibility that the developer will go out of business and no technical support will be available for the product.

software IP encryption (swIPe)
A layer 3 security protocol for IP. It provides authentication, integrity, and confidentiality using an encapsulation protocol.

SONET (Synchronous Optical Network)
See Synchronous Optical Network (SONET).

spam
The term describing unwanted email, newsgroup, or discussion forum messages. Spam can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of unrequested messages with viruses or Trojan horses attached.

spamming attacks or spamming
Sending significant amounts of spam to a system in order to cause a DoS or general irritation, consume storage space, or consume bandwidth and processing capabilities.

spear phishing
A form of phishing that targets a specific group of individuals.

spike
Momentary high voltage.

split DNS
Deploying a DNS server for public use and a separate DNS server for internal use. All data in the zone file on the public DNS server is accessible by the public via queries or probing.

split knowledge
A combination of separation of duties and two man control. The basic idea is that the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment.

SPML
See Service Provisioning Markup Language (SPML).

spoofing
The act of replacing the valid source and/or destination IP address and node numbers with false ones.

spoofing attack
Any attack that involves spoofed or modified packets.

spread spectrum
A means or method of communication that occurs over multiple frequencies at the same time.

spyware
Software that monitors your actions and transmits important details to a remote system that spies on your activity. Sometimes used for malicious and illicit purposes, such as identity theft or account takeover.

SQL injection
An attack against vulnerable web applications where a hacker submits SQL database expressions and script code in order to bypass authentication and interact directly with the DBMS or underlying operating system.

sqlmap
An open source database vulnerability scanner.

SRTP (Secure Real-Time Transport Protocol, or Secure RTP)
A security improvement over the Real-Time Transport Protocol (RTP) that is used in many Voice over IP (VoIP) communications. SRTP aims to minimize the risk of VoIP DoS through robust encryption and reliable authentication.

SSAE 16 and SSAE 18
Auditing standard to be used by auditors performing assessments of controls at service organizations. SSAE 16 was applicable until May 1, 2018; then it was replaced by SSAE 18. Thus, the current CISSP exam might refer to either SSAE 16 or 18 depending upon when they finalized the exam questions.

stand alone mode
A wireless network that uses a wireless access point to connect wireless clients together but does not offer any access to a wired network.

standard operating procedure (SOP)
See procedure.

standards
Documents that define compulsory requirements for the homogenous use of hardware, software, technology, and security controls. They provide a course of action by which technology and procedures are uniformly implemented throughout an organization. Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies.

state
A snapshot of a system at a specific instance in time.

state machine model
A system that is designed so that no matter what function is performed, it is always a secure system.

stateful inspection firewall
A firewall that evaluates the state or the context of network traffic. By examining source and destination address, application usage, source of origin, and the relationship between current packets and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. Stateful inspection firewalls are known as third generation firewalls.

stateful NAT
The ability or means by which NAT maintains information about the communication sessions between clients and external systems. NAT operates by maintaining a mapping between requests made by internal clients, a client’s internal IP address, and the IP address of the internet service contacted.

static packet filtering firewall
A firewall that filters traffic by examining data from a message header. Usually the rules are concerned with source, destination, and port addresses. Static packet filtering firewalls are known as first generation firewalls.

static password
A password that does not change over time or that remains the same for a significant period of time.

static system or static environment
A set of conditions, events, and surroundings that don’t change. In theory, once understood, a static environment doesn’t offer new or surprising elements. A static IT environment is any system that is intended to remain unchanged by users and administrators. The goal is to prevent or at least reduce the possibility of a user implementing change that could result in reduced security or functional operation.

static testing
Evaluates the security of software without running it by analyzing either the source code or the compiled application.

static token
A physical means to provide identity, usually not employed as an authentication factor. Examples include a swipe card, a smartcard, a floppy disk, a USB RAM dongle, or even something as simple as a key to operate a physical lock.

station set identifier (SSID)
The name of a wireless network that each wireless client must know in order to communicate with the host access point.

statistical attack
This type of attack exploits statistical weaknesses in a cryptosystem, such as floating point errors or an inability to produce random numbers. It attempts to find vulnerabilities in the hardware or operating system hosting the cryptography application.

statistical intrusion detection
See behavior based detection.

stealth virus
A virus that hides itself by tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally.

steganography
The act of embedding messages within another message, commonly used within an image or a WAV file.

stop error
The security response of an operating system, such as Windows, when an application performs an illegal operation, such as accessing hardware or modifying/accessing the memory space of another process.

stopped state
The state in which a process is finished or must be terminated. At this point, the operating system can recover all memory and other resources allocated to the process and reuse them for other processes as needed.

storage segmentation
A device management technique used to artificially compartmentalize various types or values of data on a storage medium. On a mobile device, the device manufacturer and/or the service provider may use storage segmentation to isolate the device’s OS and preinstalled apps from user installed apps and user data. Some mobile device management systems further impose storage segmentation in order to separate company data and apps from user data and apps.

store and forward device
A networking device that uses a memory buffer to store packets until they can be forwarded onto a slower network segment.

strategic plan
A long term plan that is fairly stable. It defines the organization’s goals, mission, and objectives. A strategic plan is useful for about five years if it is maintained and updated annually. The strategic plan also serves as the planning horizon.

stream attack
A type of DoS. A stream attack occurs when a large number of packets are sent to numerous ports on the victim system using random source and sequence numbers. The processing performed by the victim system attempting to make sense of the data will result in a DoS. Also referred to as flooding.

stream ciphers
Ciphers that operate on each character or bit of a message (or data stream) one character/bit at a time.

streaming audio
An audio transmission that is being presented to the end user as it is received based on an ongoing transmission from the provider/server. Streaming media is commonly served over the internet either in real time (i.e., live) or on demand.

streaming video
A video transmission that is being presented to the end user as it is received based on an ongoing transmission from the provider/server. Streaming media is commonly served over the internet either in real time (i.e., live) or on demand.

STRIDE
A Microsoft threat categorization scheme composed of spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

strong password
A password that is resistant to dictionary and brute force attacks.

Structured Query Language (SQL)
The standard language used by relational databases to enter and extract the information stored in them.

structured walkthrough
A type of disaster recovery test, often referred to as a “table top exercise,” in which members of the disaster recovery team gather in a large conference room and role play a disaster scenario.

subject
An active entity that seeks information about or data from passive objects through the exercise of access. A subject can be a user, a program, a process, a file, a computer, a database, and so on.

subpoena
A court order that compels an individual or organization to surrender evidence or to appear in court.

substitution cipher
Cipher that uses an encryption algorithm to replace each character or bit of the plaintext message with a different character, such as a Caesar cipher.

supervisor state (or supervisory state)
The state in which a process is operating in a privileged, all access mode.

supervisory control and data acquisition (SCADA)
An ICS unit that can operate as a stand alone device, be networked together with other SCADA systems, or be networked with traditional IT systems. Most SCADA systems are designed with minimal human interfaces. Often, they use mechanical buttons and knobs or simple LCD screen interfaces (similar to what you might have on a business printer or a GPS navigation device). However, networked SCADA devices may have more complex remote control software interfaces.

supervisory mode
Mode in which processes in ring 0 run. Ring 0 is the most privileged protection ring, where the operating system kernel itself resides.

supply chain
The concept that most computers, devices, networks, and systems are not built by a single entity but by a series of organizations and entities.

surge
Prolonged high voltage.

Sutherland model
An integrity model that focuses on preventing interference in support of integrity.

swIPe
See software IP encryption (swIPe).

switch
A network device that is an intelligent hub because it knows the addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, a switch repeats only traffic out of the port on which the destination is known to exist. Switches offer greater efficiency for traffic delivery, give each port its own collision domain (all ports in the same VLAN still share one broadcast domain), and improve the overall throughput of data.

Switched Multimegabit Data Service (SMDS)
A connectionless network communication service. SMDS provides bandwidth on demand. SMDS is a preferred connection mechanism for linking remote LANs that communicate infrequently.

switched virtual circuit (SVC)
A virtual circuit that must be rebuilt each time it is used; similar to a dial-up connection.

symmetric key
A “shared secret” encryption key that is distributed to all members who participate in communications. The same key is used by all parties both to encrypt and to decrypt messages, so its confidentiality and its secure distribution are the main security concerns of symmetric cryptography.

symmetric multiprocessing (SMP)
A type of system in which the processors share not only a common operating system but also a common data bus and memory resources. The collection of processors also works collectively on a single task, code, or project.

SYN flood attack
A type of DoS attack. The attacker sends a high volume of TCP SYN segments, usually with spoofed source addresses, and never sends the final ACK of the three-way handshake used by TCP/IP to initiate communication sessions. Each incomplete handshake occupies a half-open connection slot in the victim’s backlog until it times out; once the backlog is exhausted, legitimate connection attempts are dropped. SYN cookies and short half-open timeouts are the standard mitigations.
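
Worked example (added here; not part of the glossary): a simplified SYN-cookie scheme in Python, the defence that lets a server complete handshakes during a SYN flood without keeping a half-open connection table. The bit layout follows the classic 5-bit timestamp / 3-bit MSS index / 24-bit keyed-hash split; the secret, the MSS table and the 64-second time bucket are constructed values for this demonstration, not the Linux kernel’s exact parameters.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-per-host-secret"   # rotated periodically in practice
MSS_TABLE = [536, 1220, 1440, 1460]             # client MSS values encodable in 3 bits
BUCKET_SECONDS = 64                              # coarse timestamp: 5 bits = 32 buckets


def _mac24(secret, src, sport, dst, dport, t):
    # 24-bit keyed hash over the connection 4-tuple and the time bucket.
    msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, client_mss, now, secret=SERVER_SECRET):
    """Compute the server ISN for the SYN/ACK. Nothing is stored: the connection's
    parameters are encoded in the sequence number itself, so a flood of spoofed
    SYNs cannot exhaust a backlog table."""
    t = (now // BUCKET_SECONDS) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry <= client MSS
        if mss <= client_mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _mac24(secret, src, sport, dst, dport, t)


def check_ack(src, sport, dst, dport, ack_num, now, secret=SERVER_SECRET, max_age=2):
    """Validate the third handshake packet. A genuine client echoes cookie + 1 in
    its ACK; a forged or stale ACK fails. Returns the MSS to use, or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (cookie & 0xFFFFFF) != _mac24(secret, src, sport, dst, dport, t):
        return None                           # not issued by us for this 4-tuple
    age = (((now // BUCKET_SECONDS) & 0x1F) - t) % 32
    if age > max_age:
        return None                           # cookie too old: replayed or very late
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: server answers a SYN, client ACKs cookie + 1.
    now = 1_000_000
    isn = make_syn_cookie("10.0.0.5", 40000, "192.0.2.1", 443, 1460, now)
    print("SYN/ACK seq:", isn, "-> negotiated MSS:",
          check_ack("10.0.0.5", 40000, "192.0.2.1", 443, isn + 1, now + 5))
```

The attacker’s spoofed SYNs cost the server one hash each and no memory; only a client that actually received the SYN/ACK can produce a valid ACK.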

Synchronous Data Link Control (SDLC)
A layer 2 protocol employed by networks with dedicated or leased lines. SDLC was developed by IBM for remote communications with SNA systems. SDLC is a bit oriented synchronous protocol.

Synchronous Digital Hierarchy (SDH)
A fiber optic based high speed networking standard defined by the International Telecommunications Union (ITU). Similar to SONET. SDH and SONET are mostly hardware or physical layer standards defining infrastructure and line speed requirements. SDH and SONET use synchronous time division multiplexing (TDM) to provide high speed duplex communications with minimal need for control and management overhead. See also Synchronous Optical Network (SONET).

synchronous dynamic password token
Token used in a token device that generates passwords at fixed time intervals. Time interval tokens require that the clock of the authentication server and the token device be synchronized. The generated password is entered by the subject along with a PIN, passphrase, or password.

Synchronous Optical Network (SONET)
A fiber optic based high speed networking standard defined by the American National Standards Institute (ANSI). Similar to SDH. SONET and SDH are mostly hardware or physical layer standards defining infrastructure and line speed requirements. SDH and SONET use synchronous time division multiplexing (TDM) to provide high speed duplex communications with minimal need for control and management overhead.

synthetic monitoring
Website monitoring technique that performs artificial transactions against a website to assess performance. See active monitoring.

synthetic transactions
Scripted transactions with known expected results. The testers run the synthetic transactions against the tested code and then compare the output of the transactions to the expected state. Any deviations between the actual and expected results represent possible flaws in the code and must be further investigated.

system call
A mechanism by which a process running in a less trusted protection ring requests a service (access to resources or functionality) from code in a more trusted ring, typically the operating system kernel.

system compromise
A situation in which the security of a system has been breached. Also known as a security breach, security compromise, intrusion, or violation.

system high mode
See system high security mode.

system high security mode
Mode in which systems are authorized to process only information that all system users are cleared to read and have a valid need to know. Systems running in this mode are not trusted to maintain separation between security levels, and all information processed by these systems must be handled as if it were classified at the same level as the most highly classified information processed by the system.

system resilience
The ability of a system to maintain an acceptable level of service during an adverse event. It relies on fault-tolerant components and also effective intrusion detection and intrusion prevention systems.

system specific security policy
A security policy that focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls.

== T ==

table
The main building block of a relational database; also known as a relation.

TACACS
See Terminal Access Controller Access Control System (TACACS).

tactical plan
A midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. A tactical plan is typically useful for about a year. It often prescribes and schedules the tasks necessary to accomplish organizational goals.

Take-Grant model
A model that employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object. Simply put, a subject with the grant right can grant another subject or another object any other right they possess. Likewise, a subject with the take right can take a right from another subject.
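
Worked example (added here; not part of the glossary): the take and grant rewrite rules applied to a small constructed protection graph in Python, iterated to a fixed point to answer the model’s central question, whether a right can ever flow to a given subject. Vertex names and rights are constructed for the demonstration; only subjects (active vertices) may exercise take or grant.

```python
from collections import defaultdict

TAKE, GRANT = "t", "g"


def close_rights(graph, subjects):
    """Apply the take and grant rules until no new edge label appears.

    graph: dict mapping (holder, target) -> set of rights, i.e. the labelled
           directed graph of the model (modified in place, must be a defaultdict(set)).
    subjects: the active vertices; objects cannot exercise take or grant.
    Returns the number of rounds needed to reach the fixed point."""
    rounds = 0
    changed = True
    while changed:
        changed = False
        rounds += 1
        for (s, x), rights in list(graph.items()):
            if s not in subjects:
                continue
            if TAKE in rights:
                # take:  s -t-> x  and  x -r-> y   ==>   s -r-> y
                for (x2, y), r2 in list(graph.items()):
                    if x2 == x and y != s and not r2 <= graph[(s, y)]:
                        graph[(s, y)] |= r2
                        changed = True
            if GRANT in rights:
                # grant: s -g-> x  and  s -r-> y   ==>   x -r-> y
                for (s2, y), r2 in list(graph.items()):
                    if s2 == s and y != x and not r2 <= graph[(x, y)]:
                        graph[(x, y)] |= r2
                        changed = True
    return rounds


def can_share(graph, subjects, holder, target, right):
    """Could `holder` ever obtain `right` over `target` starting from this graph?"""
    g = defaultdict(set, {k: set(v) for k, v in graph.items()})
    close_rights(g, subjects)
    return right in g[(holder, target)]


if __name__ == "__main__":
    # Constructed graph: A can take from B and grant to C; B reads file F; A writes F.
    g = {("A", "B"): {"t"}, ("B", "F"): {"r"}, ("A", "C"): {"g"}, ("A", "F"): {"w"}}
    print("A can read F:", can_share(g, {"A", "B", "C"}, "A", "F", "r"))
    print("C can write F:", can_share(g, {"A", "B", "C"}, "C", "F", "w"))
```

Note that grant passes on every right the granter holds, including its own take right, which is why a single grant edge from a privileged subject can let rights propagate far beyond what the initial graph suggests.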

task based
An access control methodology in which access is granted based on work tasks or operations.

TCP model
A network protocol conceptual model that was derived from TCP/IP. Also known as the DARPA model and the DoD model. The TCP model has four layers as opposed to the OSI model’s seven. Those four layers from the bottom up are Link, Internet, Host-to-Host, and Process.

TCP wrapper
A host based access control layer (tcpd/libwrap) that can serve as a basic firewall for network services by allowing or denying incoming connections based on the client’s host name or IP address, as configured in /etc/hosts.allow and /etc/hosts.deny.

teardrop attack
A type of DoS. A teardrop attack occurs when an attacker exploits a bug in an operating system. The bug exists in the routines used to reassemble fragmented packets. An attacker sends numerous specially formatted fragmented packets to the victim, which causes the system to freeze or crash.

technical access control
The hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Examples of logical or technical access controls include encryption, smartcards, passwords, biometrics, constrained interfaces, access control lists, protocols, firewalls, routers, IDSs, and clipping levels. The same as logical access control.

technical physical security controls
Security controls that use technology to implement some form of physical security, including intrusion detection systems, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.

telecommunications room
Serves the connection needs of a floor or a section of a large building by providing space for networking equipment and cabling systems. It also serves as the interconnection point between the backbone distribution system and the horizontal distribution system. This is also known as the wiring closet.

telephony
The collection of methods by which telephone services are provided to an organization or the mechanisms by which an organization uses telephone services for either voice and/or data communications. Traditionally, telephony included POTS or PSTN services combined with modems. However, this has expanded to include PBX, VoIP, and VPN.

TEMPEST
The study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EM and RF radiation from leaving a strictly defined area so as to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.

Terminal Access Controller Access Control System Plus (TACACS+)
A Cisco proprietary alternative to RADIUS. There are three versions of TACACS: the original TACACS, XTACACS (extended TACACS), and TACACS+. TACACS integrates the authentication and authorization processes. XTACACS keeps the authentication, authorization, and accounting processes separate. TACACS+ improves XTACACS by adding two-factor authentication. TACACS+ is the most commonly used of the three; it runs over TCP port 49, encrypts the entire packet body (RADIUS encrypts only the password field), and although Cisco designed it, the protocol was published as RFC 8907 in 2020.

terrorist attacks
Attacks that differ from military and intelligence attacks in that the purpose is to disrupt normal life, whereas a military or intelligence attack is designed to extract secret information.

test data method
A form of program testing that examines the extent of the system testing to locate untested program logic.

testimonial evidence
Evidence that consists of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

thicknet
See 10Base5.

thin client
A term used to describe a workstation that has little or no local processing or storage capacity. A thin client is used to connect to and operate a remote system.

thinnet
See 10Base2.

third-party audit
An audit conducted by, or on behalf of, another organization, such as a regulatory authority.

third-party governance
The system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.

threat
A potential occurrence that may cause an undesirable or unwanted outcome for an organization or a specific asset.

threat agents or threat actor
People, programs, hardware, or systems that intentionally exploit vulnerabilities.

threat events
Accidental exploitations of vulnerabilities.

threat modeling
The process of identifying, understanding, and categorizing potential threats. It attempts to identify a potential list of threats to valuable assets, along with an analysis of the threat.

thrill attack
An attack launched by crackers with few true skills. The main motivation behind thrill attacks is the “high” of getting into a system.

throughput rate
The rate at which a biometric device can scan and authenticate subjects. A rate of about six seconds or faster is required for general acceptance of a specific biometric control.

ticket
An electronic authentication factor used by the Kerberos authentication system.

ticket granting service (TGS)
An element of the Kerberos authentication system. The TGS manages the assignment and expiration of tickets. Tickets are used by subjects to gain access to objects.

time of check (TOC)
The time at which a subject checks on the status of an object.

time of check to time of use (TOCTOU)
A race condition vulnerability that occurs when a program checks a condition (such as access permissions or a file’s identity) and then acts on the resource by name, leaving a window in which an attacker can change what the name refers to (for example, by replacing a file with a symbolic link) between the check and the use.

time of use (TOU)
The time at which the decision is made by a subject to access an object.
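
Worked example for the TOC/TOCTOU/TOU entries (added here; not part of the glossary): a Python file reader with a classic time-of-check to time-of-use race next to a hardened version that checks and uses the same open descriptor. The attacker’s move inside the race window is modelled by a callback; file names and contents are constructed in a temporary directory. The hardened reader relies on POSIX features (O_NOFOLLOW, getuid), so it assumes a Unix-like system.

```python
import os
import stat
import tempfile


def vulnerable_read(path, race=lambda: None):
    """Classic TOCTOU: check by name, then open by name again."""
    # Time of check: the permission test resolves the *name*...
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    race()  # ...the attacker changes what the name refers to in this window...
    # Time of use: ...and the name is resolved a second time.
    with open(path, "rb") as f:
        return f.read()


def hardened_read(path, race=lambda: None):
    """Open once, refuse symlinks, and perform every check on the descriptor."""
    race()  # even if the attacker wins the race on the name...
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)            # ...checks apply to the object actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("unexpected owner")
        f = os.fdopen(fd, "rb")      # fdopen takes ownership of the descriptor
        fd = -1
        with f:
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Run both readers against the same symlink-swap attack.

    Returns {"vulnerable": ..., "hardened": ...}: the bytes each reader returned,
    or the string "rejected" if it refused."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "report.txt")  # the file the program was told to read
        secret = os.path.join(d, "secret.txt")  # the file the attacker wants leaked

        def swap():
            # Attacker's move inside the race window: point the vetted name at the secret.
            os.remove(public)
            os.symlink(secret, public)

        for name, reader in (("vulnerable", vulnerable_read), ("hardened", hardened_read)):
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"public data")
            with open(secret, "wb") as f:
                f.write(b"secret data")
            try:
                results[name] = reader(public, race=swap)
            except OSError:  # ELOOP from O_NOFOLLOW, or the PermissionError above
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader returns the secret file because the name was re-resolved after the swap; the hardened reader never re-resolves, so the attacker winning the race changes nothing it can act on.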

time slice
A single chunk or division of processing time.

token
See token device.

token device
A password generating device that subjects must carry with them. Token devices are a form of a “something you have” (Type 2) authentication factor.

token ring
A token passing LAN technology.

top down approach
Upper, or senior, management is responsible for initiating and defining policies for the organization.

top secret
The highest level of government/military classification. Unauthorized disclosure of top secret data will cause exceptionally grave damage to national security.

topology
The physical layout of network devices and connective cabling. The common network topologies are ring, bus, star, and mesh.

total risk
The amount of risk an organization would face if no safeguards were implemented. Threats * vulnerabilities * asset value = total risk.

trade secret
Intellectual property that is absolutely critical to a business and would cause significant damage if it were disclosed to competitors and/or the public.

trademark
A registered word, slogan, or logo used to identify a company and its products or services.

traffic analysis
A form of monitoring in which the flow of packets rather than the actual content of packets is examined. Also referred to as trend analysis.

training
The task of teaching employees to perform their work tasks and to comply with the security policy. All new employees require some level of training so they will be able to properly comply with all standards, guidelines, and procedures mandated by the security policy.

transferring risk
Placing the cost of loss from a realized risk onto another entity or organization, such as purchasing insurance. Also referred to as assigning risk.

transient
A short duration of line noise disturbance.

transitive trust
The concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property, which works like it would in a mathematical equation: if A = B, and B = C, then A = C. Transitive trust is a serious security concern because it may enable bypassing of restrictions or limitations between A and C, especially if A and C both support interaction with B.

Transmission Control Protocol (TCP)
A connection-oriented protocol located at layer 4 of the OSI model.

transmission error correction
A capability built into connection- or session- oriented protocols and services. If it is determined that a message, in whole or in part, was corrupted, altered, or lost, a request can be made for the source to resend all or part of the message.

transmission logging
A form of auditing focused on communications. Transmission logging records the details about source, destination, time stamps, identification codes, transmission status, number of packets, size of message, and so on.

transmission window
The number of packets transmitted before an acknowledge packet is sent.

transparency
The characteristic of a service, security control, or access mechanism that ensures that it is unseen by users. Transparency is often a desirable feature for security controls. The more transparent a security mechanism is, the less likely a user will be able to circumvent it or even be aware that it exists.

Transport layer
Layer 4 of the OSI model.

Transport Layer Security (TLS)
Based on SSL technology, TLS incorporated many security enhancements and replaced SSL in most applications. TLS 1.0 (1999), 1.1 (2006), and 1.2 (RFC 5246, 2008) could negotiate down to SSL 3.0 with a peer that lacked TLS support; RFC 6176 (2011) prohibited any fallback to SSL 2.0, and RFC 7568 (2015) deprecated SSL 3.0 after the POODLE attack. TLS 1.3 (RFC 8446, 2018) is the current version, and TLS 1.0 and 1.1 were deprecated by RFC 8996 (2021). TLS is not bound to a port: HTTPS runs TLS over TCP port 443, while protocols such as SMTP, IMAP, and LDAP use it on their own ports or upgrade to it via STARTTLS.

transport mode
A mode of IPsec when used in a VPN. In transport mode, the IP packet data is encrypted but the header of the packet is not.

transposition cipher
Cipher that uses an encryption algorithm to rearrange the letters of a plaintext message to form the ciphertext message.

trap door
Undocumented command sequence that allows software developers to bypass normal access restrictions.

traverse mode noise
EMI noise generated by the difference in power between the hot and neutral wires of a power source or operating electrical equipment.

trend analysis
See traffic analysis.

Trike
A threat modeling methodology that focuses on a risk based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD.

Triple DES (3DES)
A construction that applies DES three times (encrypt-decrypt-encrypt) with either two keys (keying option 2, 112-bit nominal key) or three keys (keying option 1, 168-bit nominal key). Because of meet-in-the-middle attacks the effective security is about 112 bits with three keys and about 80 bits with two, and the 64-bit block size exposes long sessions to birthday attacks (Sweet32). NIST SP 800-131A rev. 2 deprecated 3DES and disallows it for encryption after 2023; AES is the replacement.

Trojan horse
A malicious code object that appears to be a benevolent program, such as a game or simple utility that performs the “cover” functions as advertised but also carries an unknown payload, such as a virus.

trust
A security bridge established to share resources from one domain to another. A trust is established between two domains to allow users from one domain to access resources in another. Trusts can be one-way only, or they can be two-way.

trusted computing base (TCB)
The combination of hardware, software, and controls that form a trusted base that enforces your security policy.

trusted path
Secure channel used by the TCB to communicate with the rest of the system.

Trusted Platform Module (TPM)
A cryptoprocessor (a discrete chip on the mainboard, or a firmware/integrated implementation) that generates and protects cryptographic keys in hardware and holds platform configuration registers (PCRs) that record measurements of the boot chain. It is best known as the key protector for hardware supported full disk encryption: the disk key is sealed to expected PCR values and released only if the same firmware, bootloader, and kernel measurements are reproduced at boot. The same PCRs support measured boot and remote attestation, in which the TPM signs the PCR contents with an attestation key so a verifier can confirm the platform’s state.
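
Worked example (added here; not part of the glossary): the PCR extend, seal/unseal, and quote operations a TPM performs, modelled in software in Python so the logic is visible. PCR values, the measurement log, the root and attestation keys, and the “sealed” disk key are all constructed; a real TPM keeps the PCRs and keys inside the chip and uses its own key-derivation and signing primitives rather than the simplified HMAC-based ones used here.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)   # a SHA-256 PCR bank starts at all zeros


def pcr_extend(pcr, component):
    """PCR_new = SHA-256(PCR_old || SHA-256(component)).
    Extend is one-way and order-sensitive, so the final value commits to the
    entire chain of components measured into the register."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay_log(event_log):
    """Recompute a PCR from the measurement log (what an attestation verifier does)."""
    pcr = PCR_INIT
    for component in event_log:
        pcr = pcr_extend(pcr, component)
    return pcr


def _policy_key(root_key, pcr):
    # Key derived from the TPM's root secret and the PCR value the policy binds to.
    return hashlib.sha256(root_key + pcr).digest()


def seal(secret, expected_pcr, root_key):
    """Bind a secret of up to 32 bytes (e.g. a disk key) to a PCR value:
    simplified encrypt-then-MAC under the policy key, so only the same boot
    chain can produce the key that unseals it."""
    k = _policy_key(root_key, expected_pcr)
    stream = hashlib.sha256(k + b"enc").digest()
    blob = bytes(s ^ x for s, x in zip(secret, stream))
    return blob + hmac.new(k, blob, hashlib.sha256).digest()


def unseal(sealed, current_pcr, root_key):
    """Return the secret if current_pcr equals the sealing-time value, else None."""
    k = _policy_key(root_key, current_pcr)
    blob, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(k, blob, hashlib.sha256).digest(), tag):
        return None                      # policy failed: the boot chain differs
    stream = hashlib.sha256(k + b"enc").digest()
    return bytes(b ^ x for b, x in zip(blob, stream))


def quote(pcr, nonce, attestation_key):
    """Remote attestation: the TPM signs (here: MACs) PCR || nonce with a key that
    never leaves the chip; the verifier's fresh nonce stops replay of an old quote."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def verify_quote(event_log, nonce, attestation_key, q):
    """Verifier side: replay the log it was sent, then check the quote against it."""
    expected = quote(replay_log(event_log), nonce, attestation_key)
    return hmac.compare_digest(expected, q)


if __name__ == "__main__":
    log = [b"firmware 1.0", b"bootloader 2.1", b"kernel 5.15"]   # constructed boot chain
    root, disk_key = b"constructed-tpm-root-secret", bytes(range(32))
    blob = seal(disk_key, replay_log(log), root)
    print("good boot unseals:", unseal(blob, replay_log(log), root) == disk_key)
    tampered = [b"firmware 1.0", b"tampered bootloader", b"kernel 5.15"]
    print("tampered boot unseals:", unseal(blob, replay_log(tampered), root) is not None)
```

Because extend is one-way, a component that has already booted cannot “un-measure” itself to forge a clean PCR; it can only add further measurements, which is what makes sealing to PCRs and quoting them meaningful.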

trusted recovery process
On a secured system, a process that ensures the system always returns to a secure state after an error, failure, or reboot.

trusted system
A secured computer system.

tunnel mode
A mode of IPsec when used in a VPN. In tunnel mode, the entire IP packet is encrypted and a new header is added to the packet to govern transmission through the tunnel.

tunneling
A network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol.

tuple
A record or row in a database.

turnstile
A form of gate that prevents more than one person at a time from gaining entry and often restricts movement in one direction.

twisted-pair
See 10BaseT.

two factor authentication
Authentication that requires two different factors of authentication. Compare with multifactor authentication.

Type 1 authentication factor
Something you know, such as a password, personal identification number (PIN), combination lock, passphrase, mother’s maiden name, or favorite color.

Type 2 authentication factor
Something you have, such as a smartcard, ATM card, token device, or memory card.

Type 3 authentication factor
Something you are, such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, or hand geometry.

Type 1 error
See false rejection rate (FRR).

Type 2 error
See false acceptance rate (FAR).

Type I hypervisor
A native or bare metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside.

Type II hypervisor
A hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and then the hypervisor is installed as another software application.

== U ==

UEFI
See Unified Extensible Firmware Interface (UEFI).

UltraViolet EPROMs (UVEPROMs)
A type of EPROM that can be erased using an ultra-violet light.

unauthenticated scan
A form of vulnerability scan that tests the target systems without having passwords or other special information that would grant the scanner special privileges. This allows the scan to run from the perspective of an attacker but also limits the ability of the scanner to fully evaluate possible vulnerabilities.

unclassified
The lowest level of government/military classification. Used for data that is neither sensitive nor classified. Disclosure of unclassified data does not compromise confidentiality, and it doesn’t cause any noticeable damage.

underflow
This error happens when the write buffer of the drive empties during the writing process, which causes an error on the media, rendering it useless.

unicast
A communications transmission to a single identified recipient.

Unified Extensible Firmware Interface (UEFI)
A replacement or improvement to the basic input/output system (BIOS) that provides support for all of the same functions as BIOS with many improvements, such as support for larger hard drives (especially for booting), secure boot, faster boot times, enhanced security features, and even the ability to use a mouse when making system changes (BIOS was limited to keyboard control only).

unified threat management (UTM)
A security device that includes traditional functions of a firewall such as packet filtering and stateful inspection. It is able to perform packet inspection techniques, allowing it to identify and block malicious traffic. It can filter malware using definition files and/or whitelists and blacklists. It also includes intrusion detection and/or intrusion prevention capabilities. Also known as next generation firewall.

Uniform Computer Information Transactions Act (UCITA)
A model (uniform) law drafted for adoption by the individual states, not a federal statute, intended to provide a common framework for the conduct of computer related business transactions such as software licensing. Only Maryland and Virginia enacted it.

uninterruptible power supply (UPS)
A type of self-charging battery that can be used to supply consistent clean power to sensitive equipment. A UPS functions by taking power in from the wall outlet, storing it in a battery, pulling power out of the battery, and then feeding that power to whatever devices are connected to it. By directing current through its battery, it is able to maintain a consistent clean power supply.

unit testing
A method of testing software. Each unit of code is tested independently to discover any errors or omissions and to ensure that it functions properly. Unit testing should be performed by the development staff.

unshielded twisted-pair (UTP)
A twisted-pair wire that does not include additional EMI protection. Most twisted-pair wiring is UTP.

upper management
See senior management/senior manager.

USA Patriot Act of 2001
An act implemented after the September 11, 2001, terrorist attacks. It greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including the monitoring of electronic communications.

user
Any person who has access to the secured system. A user’s access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position (in other words, principle of least privilege). Also referred to as an end user and employee.

User Datagram Protocol (UDP)
A connectionless protocol located at layer 4 of the OSI model.

user mode
The basic mode used by the CPU when executing user applications.

== V ==

VAST (Visual, Agile, and Simple Threat)
A threat modeling concept based on Agile project management and programming principles.

VENONA
One of the major intelligence successes of the United States, in which cryptanalysts broke a top secret Soviet cryptosystem (VENONA) that relied on one-time pads. The pads themselves were unbreakable; the break was possible because the Soviets reused pad pages, and combining two messages encrypted under the same pad cancels the key and exposes the combination of the two plaintexts.

Vernam cipher
A cipher that combines each plaintext character with the corresponding character of a random key stream (XOR on bits in Vernam’s original teletype device, or addition modulo 26 on letters). With a truly random key at least as long as the message and used exactly once, it is the one-time pad and is provably unbreakable; reuse of the key destroys that guarantee.
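
Worked example for the stream ciphers, VENONA, and Vernam cipher entries (added here; not part of the glossary): the Vernam/one-time-pad operation in Python, followed by the pad-reuse failure that VENONA exploited and the crib-dragging step an analyst uses to read the result. The messages, crib, and pad bytes are constructed for the demonstration; a real pad must come from a true random source.

```python
import os


def otp(data, pad):
    """XOR each byte with a pad byte. Encryption and decryption are the same operation.
    With a uniformly random pad at least as long as the message, used exactly once,
    every plaintext of that length is equally likely given the ciphertext."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_reuse_leak(c1, c2):
    """Two ciphertexts under the same pad: c1 XOR c2 = p1 XOR p2. The pad cancels out,
    leaving a quantity that depends only on the two plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(xor_of_plaintexts, crib):
    """Slide a guessed plaintext fragment (a crib) across p1 XOR p2. Wherever the
    guess is right, what falls out is the other message at that position.
    Returns (offset, recovered_bytes) pairs whose bytes are all printable ASCII,
    which is how an analyst spots the plausible hits."""
    hits = []
    for off in range(len(xor_of_plaintexts) - len(crib) + 1):
        window = xor_of_plaintexts[off:off + len(crib)]
        candidate = bytes(w ^ c for w, c in zip(window, crib))
        if all(32 <= b < 127 for b in candidate):
            hits.append((off, candidate))
    return hits


if __name__ == "__main__":
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT DUSK"   # constructed messages
    pad = os.urandom(max(len(p1), len(p2)))            # a proper single-use pad
    c1, c2 = otp(p1, pad), otp(p2, pad)               # ...used twice: the VENONA mistake
    print("decrypts:", otp(c1, pad) == p1)
    print("crib hits:", crib_drag(pad_reuse_leak(c1, c2), b"ATTACK"))
```

The same cancellation applies to any stream cipher whose keystream is reused (a repeated nonce with a modern stream cipher leaks exactly p1 XOR p2), which is why nonce uniqueness is a hard requirement rather than a best practice.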

view
A client interface used to interact with a database. The view limits what clients can see and what functions they can perform.

Vigenère cipher
A polyalphabetic substitution cipher that shifts each plaintext letter by the corresponding letter of a repeating keyword. Because the key is periodic, it is breakable by Kasiski examination (finding the key length from repeated ciphertext fragments) followed by frequency analysis of each key position.

violation analysis
A form of auditing that uses clipping levels.

virtual desktop infrastructure (VDI)
A VDI provides users with a desktop hosted on a server. Users can typically access the desktop from any device including desktop computers and mobile devices. Virtual desktops can be persistent (meaning that they retain changes made by the user) or nonpersistent (meaning that the desktop reverts to its original state after the user logs off). It is sometimes called a virtual desktop environment (VDE).

virtual machine
A software simulation of a computer within which a process executes. Each virtual machine has its own memory address space, and communication between virtual machines is securely controlled.

virtual memory
A special type of secondary memory that is managed by the operating system in such a manner that it appears to be real memory.

virtual mobile infrastructure (VMI)
A virtualization system for mobile devices where the operating system of a mobile device is virtualized on a central server.

virtual private network (VPN)
A network connection established between two systems over an existing private or public network. A VPN provides confidentiality and integrity for network traffic through the use of encryption.

virtual private network (VPN) protocol
The protocols, such as PPTP, L2TP (normally combined with IPsec), IPsec/IKEv2, and TLS based tunnels, that are used to create VPNs. PPTP’s MS-CHAPv2 authentication and RC4 based MPPE encryption are broken, and it should not be used for new deployments.

virtualization
A technology used to host one or more operating systems within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware. It also allows multiple operating systems to work simultaneously on the same hardware.

virus
The oldest form of malicious code objects that plague cyberspace. Once they are in a system, they attach themselves to legitimate operating system and user files and applications and normally perform some sort of undesirable action, ranging from the somewhat innocuous display of an annoying message on the screen to the more malicious destruction of the entire local filesystem.

virus decryption routine
In an encrypted virus, a short segment of code that contains the cryptographic information necessary to load and decrypt the main virus code stored else where on the disk.

virus hoax
See hoax.

vishing
A form of phishing that uses Voice over IP (VoIP) to trick users. It will often spoof the caller’s actual phone number by fooling the caller ID system.

VLAN
A logical network segmentation implemented on switches and bridges to manage traffic. Multiple VLANs can be hosted on the same switch but are isolated as if they are separate physical networks. Only through a routing function, often provided by a multi layer switch, can cross VLAN communications occur. VLANs function like physical network segments.

VLAN hopping
The ability to make network traffic jump between VLANs. Two techniques exist. Double tagging (double encapsulation) abuses IEEE 802.1Q: the attacker prepends two VLAN tags, the outer one matching the trunk’s native VLAN so the first switch strips it and forwards the still tagged frame into the inner VLAN (traffic flows one way only). Switch spoofing has the attacker’s port negotiate a trunk, for example via DTP, after which it can tag traffic for any VLAN. Mitigations: disable trunk auto-negotiation on access ports, use an otherwise unused VLAN as the native VLAN on trunks (or tag the native VLAN), and never assign user ports to the native VLAN.
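
Worked example (added here; not part of the glossary): a Python parser and builder for stacked 802.1Q tags, with a two-switch model that shows why double tagging works when the attacker’s outer tag equals the trunk’s native VLAN and why it stops working when the native VLAN is an unused ID. The frame contents and the switch behaviour are a simplified constructed model (it assumes the access switch accepts a frame tagged with its own access VLAN), not a capture or a particular vendor’s forwarding logic.

```python
import struct

TPID_8021Q = 0x8100      # EtherType that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, ethertype, payload):
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vids:
        tci = vid & 0x0FFF                      # PCP=0, DEI=0, 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, EtherType, payload) for a frame."""
    off = 12
    vids = []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def trunk_egress(frame, native_vid):
    """First switch forwarding onto an 802.1Q trunk: native-VLAN traffic is sent
    untagged, so an outer tag equal to native_vid is stripped (the 4 bytes after
    the two MAC addresses); any inner tag is left in place."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """Second switch classifying a frame received on the trunk: a tagged frame goes
    to the VLAN in its outer tag, an untagged one to the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vid


def is_double_tag_attempt(frame, native_vid):
    """Detection rule for a SPAN/monitor port: two stacked tags whose outer tag is
    the trunk's native VLAN is the double-encapsulation signature."""
    vids, _, _ = parse_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vid


if __name__ == "__main__":
    attacker = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                           [1, 20], ETHERTYPE_IPV4, b"constructed payload")
    for native in (1, 999):   # native VLAN 1 (default) vs an unused native VLAN
        arrived = trunk_egress(attacker, native)
        print(f"native VLAN {native}: frame lands in VLAN",
              trunk_ingress_vlan(arrived, native))
```

With native VLAN 1 the frame lands in VLAN 20 (the hop succeeded); with native VLAN 999 it stays in VLAN 1, where the inner tag is just payload bytes.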

VM escaping
An abuse or attack that occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor to violate the container of other guest OSs or to infiltrate a host OS.

Voice over IP (VoIP)
A network service that provides voice communication services by transporting the voice traffic as network packets over an IP network.

voice pattern
An example of a biometric factor, which is a behavioral or physiological characteristic that is unique to a subject. The speech, tone, modulation, and pitch patterns of a person’s voice are used to establish identity or provide authentication.

volatile
See volatile storage.

volatile storage
A storage medium, such as RAM, that loses its contents when power is removed from the resource.

voluntary surrender
The act of willingly handing over evidence.

vulnerability
A weakness. It can be due to the existence of a flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization. It can also be the result of the absence of a safeguard or countermeasure or a weakness in a protection measure.

vulnerability analysis
A process used to identify vulnerabilities, or weaknesses. It can include both technical means, such as vulnerability scans, and nontechnical means, such as an evaluation or inspection of existing data on threats and vulnerabilities.

vulnerability management
A program used to detect weaknesses within an organization. Vulnerability scans and vulnerability assessments are two common elements of a vulnerability management program. Vulnerability scans are technical scans performed regularly, and vulnerability assessments are normally combined with a risk assessment.

vulnerability scan
A test performed on a system to find weaknesses in the security infrastructure. Vulnerability scans automatically probe systems, applications, and networks looking for weaknesses that may be exploited by an attacker. The scanning tools used in these tests provide quick point and click tests that perform otherwise tedious tasks without requiring manual intervention.

vulnerability scanners
A software tool used to test systems and networks for known security issues, such as unpatched systems. Both attackers and security administrators use vulnerability scanners.

== W ==

wait state
The state in which a process is ready to execute but is waiting for an operation such as keyboard input, printing, or file writing to complete.

war chalking
A type of geek graffiti that some wireless hackers used during the early years of wireless (1997–2002). It’s a way to physically mark an area with information about the presence of a wireless network.

war dialing
The act of using a modem to search for a system that will accept inbound connection attempts.

war driving
The act of using a radio wave signal detector or a wireless network detector to locate wireless networks.

warm site
A middle ground between hot sites and cold sites for disaster recovery specialists. A warm site always contains the equipment and data circuits necessary to rapidly establish operations but does not typically contain copies of the client’s data.

warning banners
Messages used to inform would be intruders or attempted security policy violators that their intended activities are restricted and that any further activities will be audited and monitored. A warning banner is basically an electronic equivalent of a no trespassing sign.

watermarking
The process of digital watermarking hides information within a file that is known only to the file’s creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and (if uniquely watermarked files are provided to each original recipient) trace the offending copy back to the source.

web application firewall
An Application layer firewall configured specifically to protect against web based attacks and exploitations.

web bot
Agents that continuously crawl a variety of websites retrieving and processing data on behalf of the user.

webcasting
A form of media distribution occurring over the internet (in contrast to more traditional means such as over-the-air or cable TV broadcasts and radio stations). Can also include and is related to videocasting, audiocasting, podcasting, netcasting, internet television, and IP TV.

web vulnerability scanning
See vulnerability scan.

well known ports
TCP and UDP ports 0 through 1023 (the first 1,024 port numbers). They are assigned by IANA to commonly used services and applications, and on Unix-like systems binding to them traditionally requires root privileges.

wet pipe system
A fire suppression system that is always full of water. Water discharges immediately when triggered by a fire or smoke. Also known as a closed head system.

whaling
A form of phishing that targets specific high level executives such as CEOs and presidents.

white box
Device used to control the phone system. A white box is a dual tone multifrequency (DTMF) generator (that is, a keypad).

white noise
The activity of broadcasting false traffic at all times to mask and hide the presence of real emanations.

wide area network (WAN)
A network, or a network of LANs, that is geographically diverse. Dedicated leased lines are often used to establish connections between distant components.

Wi-Fi Protected Access (WPA)
An early alternative to WEP based on a secret passphrase and employing the LEAP and TKIP cryptosystems. It is attackable through passphrase guessing.

Wi-Fi Protected Setup (WPS)
A security standard for wireless networks. It is intended to simplify the effort involved in adding new clients to a well-secured wireless network. It operates by auto-connecting the first new wireless client that seeks the network once the administrator has triggered the feature by pressing the WPS button on the base station.

WiMax (802.16)
A wireless standard that defines citywide wireless access technologies. This standard has yet to be widely deployed.

Wired Equivalent Privacy (WEP)
A form of encrypted authentication that employs RC4. WEP supports only one-way authentication from client to WAP. WEP is considered insufficient for security because of several deficiencies in its design and implementation.

wired extension mode
A wireless network configuration where the wireless access point acts as a connection point to link the wireless clients to the wired network.

Wireless Application Protocol (WAP)
A functioning, industry-driven protocol stack that allows users, through their WAP-capable devices such as mobile phones, to communicate with the internet over a carrier’s network.

wireless networking (802.11)
A form of networking that uses radio waves as the connection medium following the 802.11 standard. Often called Wi-Fi.

wiring closet
The room where the networking cables for a whole building or just a floor are connected to other essential equipment, such as patch panels, switches, routers, LAN extenders, backbone channels, and so on. More technical names for a wiring closet include premises wire distribution room and intermediate distribution facility.

work function or work factor
A way of measuring the strength of a cryptographic system by measuring the effort required to break it in terms of cost and/or time. Usually the work function rating represents the time and effort required to perform a complete brute-force attack against the encryption system. The security and protection offered by a cryptosystem is directly proportional to the value of its work function/factor.

worm
A form of malicious code that is self-replicating but is not designed to impose direct harm on host systems. The primary purpose of a worm is to replicate itself to other systems and gather information. Worms are usually very prolific and often cause a denial of service because of the system resources and network bandwidth they consume in their attempt to self-replicate.

== X ==

X.25
An older WAN protocol that uses carrier switching to provide end-to-end connections over a shared network medium.

XCCDF
See Extensible Configuration Checklist Description Format (XCCDF).

XML
See Extensible Markup Language (XML).

XOR
A function that returns a true value when only one of the input values is true. If both values are false or both values are true, the output of the XOR function is false.

XSRF
See cross-site request forgery (CSRF).

== Z ==

zero day exploit
An attack on a system that exploits vulnerabilities that are unknown to others. Typically, it indicates that a vulnerability known to one or more attackers isn’t known to the vendor. In some cases the vendor may know about the vulnerability but hasn’t yet written or released a patch for it.

zero knowledge proof
A concept of communication whereby a specific type of information is exchanged but no real data is exchanged. Good examples of this idea are digital signatures and digital certificates.

zero knowledge teams
These teams possess only primary information about an organization during a security assessment or penetration test.

zombie
A system compromised by a botnet agent that mindlessly performs actions under the remote control of an attacker.

zone file
The collection of resource records, or details, about a specific domain.

zone transfer
A DNS communication between DNS servers that transfers all or part of a domain’s zone file. It typically occurs over TCP and is initiated on port 53.

zzuf
A software testing tool that automates the process of mutation fuzzing by manipulating input according to user specifications.