Appendix E

Glossary

This glossary for the CompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide includes the key terms included in the SY0-701 objectives, along with some other relevant terms.

CompTIA sometimes spells out acronyms in the objectives, and it sometimes uses acronyms in test questions. This glossary often includes both forms. As an example, you’ll see two entries for Advanced Encryption Standard (AES):

Advanced Encryption Standard (AES)—A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

This should make it easy for people to find either AES or Advanced Encryption Standard when searching.

Numbers

3DES—Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks. It was originally designed as a replacement for DES, and is still used in some applications, such as when hardware doesn’t support AES.
802.1X—A port-based authentication protocol, also known as IEEE 802.1X. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS.

A

AAA—Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user’s identification. Authorization determines if a user should have access. Accounting tracks a user’s access with logs.

ABAC—Attribute-based access control. An access control scheme. ABAC grants access to resources based on attributes assigned to subjects and objects. Compare with DAC, MAC, role-based access control, and rule-based access control.

acceptable use policy (AUP)—A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.

access control vestibules—A physical security mechanism designed to control access to a secure area. An access control vestibule prevents tailgating. It is a room, or even a building, with two doors that creates a large buffer area between the secure and unsecured areas. This was previously known as a mantrap.

access point (AP)—A device that connects wireless clients to wireless networks. Sometimes called a wireless access point (WAP).

account audit—An audit that analyzes user accounts and assigned privileges. It identifies the privileges (rights and permissions) granted to users, and compares them against what the users need.

accounting—The process of tracking the activity of users and recording this activity in logs. One method of accounting is audit logs that create an audit trail.

ACE—Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS.

ACK—Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN packet but don’t complete the handshake after receiving the SYN/ACK packet.

ACL—Access control list. Lists of rules used by routers and stateless firewalls. These devices use the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols.

active reconnaissance—A penetration testing method used to collect information. It uses tools to send data to systems, analyzes the responses, and gains knowledge about the target. Compare with passive reconnaissance.

address resolution protocol (ARP) poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates.

ad hoc—A connection mode used by wireless devices without an AP. When wireless devices connect through an AP, they are using infrastructure mode. Compare with WiFi Direct.

Advanced Encryption Standard (AES)—A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

advanced persistent threat (APT)—A group that has both the capability and intent to launch sophisticated and targeted attacks. APTs are typically sponsored by a nation state (such as a foreign government).

AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

AES-256—Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys, and AES-256 uses 256-bit encryption keys.

affinity—A scheduling method used with load balancers. It uses the client’s IP address to ensure the client is redirected to the same server during a session.

agent—A NAC agent that is permanently installed on a client. It checks the client for health. It is also known as a permanent agent, but is sometimes called just an agent. Compare with agentless or dissolvable agent.

agentless—A NAC agent that runs on a client, but deletes itself later. It checks the client for health and is the same as a dissolvable agent. Compare with permanent agent.

AH—Authentication Header. An option within IPsec to provide authentication and integrity. IPsec uses AH to provide authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. AH is identified with protocol ID number 51. Compare with IPsec and ESP.

air gap—A physical security control that provides physical isolation. Systems separated by an air gap (a gap of air) don’t typically have any physical connections to other systems. Sometimes spelled as airgap.

ALE—Annualized (or annual) loss expectancy. The expected loss for a year. The ALE identifies the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.

allow list—A list of applications that a system allows. Users are only able to install or run applications on the list. Sometimes referred to as a whitelist. Compare with block list and deny list.

annualized (or annual) loss expectancy (ALE)—The expected loss for a year. The ALE identifies the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.

annualized (or annual) rate of occurrence (ARO)—The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE.

anomaly—A variance from a baseline. Some intrusion detection and intrusion prevention systems detect attacks by comparing traffic against a baseline. It is also known as heuristic detection.

anonymization—A process that removes PII from a data set. The goal is to remove any data from a data set to ensure that data can’t be traced back to an individual. Ideally, anonymization is permanent, but if not done effectively, the process can be reversed. Compare with data masking, pseudo-anonymization, and tokenization.

anti-malware—Software that protects systems from viruses and other malware. It protects against most malware, including viruses, Trojans, worms, and more. Compare with antivirus.

antivirus—Software that protects systems from malware. Although it is called antivirus software, it protects against most malware, including viruses, Trojans, worms, and more. Compare with anti-malware.

Anything as a Service (XaaS)—A cloud computing model. XaaS refers to any cloud computing model not identified in the IaaS, PaaS, or SaaS models. Compare with IaaS, PaaS, and SaaS.

AP—Access point. A device that connects wireless clients to wireless networks. Sometimes called a wireless access point (WAP).

API—Application programming interface. A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs are often used with web applications, Internet of Things (IoT) devices, and cloud-based services.

API attacks—Application programming interface attacks. Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.

application programming interface (API)—A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs are often used with web applications, Internet of Things (IoT) devices, and cloud-based services.

application programming interface (API) attacks—Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.

APT—Advanced persistent threat. A group that has both the capability and intent to launch sophisticated and targeted attacks. APTs are typically sponsored by a nation state (such as a foreign government).

Argon2—A key stretching algorithm. Argon2 uses a password and salt that is passed through an algorithm several times. This thwarts rainbow table attacks. Compare with Bcrypt and PBKDF2.

ARO—Annualized (or annual) rate of occurrence. The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE.

arp—A command-line tool used to show and manipulate the Address Resolution Protocol (ARP) cache. Compare with ARP.

ARP—Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. Compare with arp.

Address Resolution Protocol (ARP)—Resolves IPv4 addresses to MAC addresses. Compare with arp.

ARP poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates.

ASCII—American Standard Code for Information Interchange. Code used to display characters.

asset value—An element of a risk assessment. It identifies the value of an asset and can include any product, system, resource, or process. The value can be a specific monetary value or a subjective value.

asymmetric encryption—A type of encryption using two keys to encrypt and decrypt data. It uses a public key and a private key. Compare with symmetric encryption.

attestation—A process that checks and validates system files during the boot process. TPMs sometimes use remote attestation, sending a report to a remote system for attestation.

audit trail—A record of events recorded in one or more logs. When security professionals have access to all the logs, they can re-create the events that occurred leading up to a security incident.

AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.

authentication—The process that occurs when a user proves an identity. Users often claim an identity with a username and prove the identity is theirs with a password.

authentication attributes—Attributes that are sometimes used with authentication factors. They include somewhere you are, something you can do, something you exhibit, and someone you know. Compare with somewhere you are, something you can do, something you exhibit, and someone you know.

authentication factors—The different methods used for authentication. The common authentication factors are something you know, such as a password or personal identification number (PIN), something you have, such as a smart card, a phone, or a USB token, and something you are, such as a fingerprint or other biometric identification. Compare with authentication attributes, something you know, something you have, and something you are.

authorization—The process of granting access to resources to users based on their proven identity. Users typically claim an identity with a username and prove their identity with a password.

availability—One of the three main goals of information security known as the CIA security triad. Availability ensures that systems and data are up and operational when needed. Compare with confidentiality and integrity.

B

backdoor—An alternate method of accessing a system. Malware often adds a backdoor into a system after it infects it.

background check—A check into a person’s history, typically to determine eligibility for a job.

banner grabbing—A method used to gain information about a remote system. It identifies the operating system and other details on the remote system.

BCP—Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.

bcrypt—A key stretching algorithm. It is used to protect passwords. Bcrypt salts passwords with additional bits before encrypting them with Blowfish. This thwarts rainbow table attacks. Compare with Argon2 and PBKDF2.

BIA—Business impact analysis. A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an incident. The BIA helps identify RTOs and RPOs. Compare with BCP, DRP, RTO, and RPO.

BIND—Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix servers. Most Internet-based DNS servers use BIND.

BIOS—Basic Input/Output System. A computer’s firmware used to manipulate different settings such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. Compare with UEFI.

birthday attack—A password attack named after the birthday paradox in probability theory. The paradox states that for any random group of 23 people, there is a 50 percent chance that 2 of them have the same birthday.

blockchain—A distributed, decentralized, public ledger. The word block refers to pieces of digital information (the ledger), and chain refers to a public database. Digital cryptocurrencies use blockchain technology.

block cipher—An encryption method that encrypts data in fixed-sized blocks. Compare with stream cipher.

block list—A list of applications that a system blocks or denies. Users are unable to install or run any applications on the list. Also called deny list. Compare with allow list.

Blowfish—A strong symmetric block cipher. It encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits. Compare with Twofish.

bluejacking—An attack against Bluetooth devices. It is the practice of sending unsolicited messages to nearby Bluetooth devices.

bluesnarfing—An attack against Bluetooth devices. Attackers gain unauthorized access to Bluetooth devices and can access all the data on the device.

bluebugging—An attack against Bluetooth devices. Attackers gain full access to the phone and install a backdoor, giving them full access to the phone at any time.

blue team—Personnel involved in cybersecurity readiness that are experts in defending systems. Compare with red team, purple team, white team, and capture the flag.

bollards—Short vertical posts that act as a barricade. Bollards block vehicles but not people.

boot attestation—An entity verifies (or attests) that the boot files have not been modified. As an example, a TPM supports a secure boot attestation process by first verifying none of the boot files have changed.

boot integrity—Processes that verify the integrity of the boot process for a system. Compare with measured boot, boot attestation, and hardware root of trust.

bots and botnets—Software robots that function automatically. A botnet is a group of computers that are joined together. Attackers often use malware to join computers to a botnet and then use the botnet to launch attacks.

braindump—A list of questions and answers for exams. They rarely have explanations and often have incorrect answers. Braindump users memorize answers to questions without realizing that many of the answers are incorrect. They think they’re ready for the live exam, but they often fail the exam repeatedly without understanding why.

Bridge Protocol Data Unit (BPDU) guard—A technology that detects false BPDU messages. False BPDU messages can indicate a switching loop problem and shut down switch ports. The BPDU guard detects false BPDU messages and blocks the BPDU attack.

bring your own device (BYOD)—A mobile device deployment model. A BYOD model allows employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD.

brute force—A password attack that attempts to guess a password. Online brute force attacks guess passwords of online systems. Offline attacks guess passwords contained in a file or database.

buffer overflow—An error that occurs when an application receives more input, or different input, than it expects. It exposes system memory that is normally inaccessible.

burning—A data sanitization process. Burning is typically performed within an incinerator. Compare with shredding, pulping, pulverizing, and degaussing.

business continuity plan (BCP)—A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.

business impact analysis (BIA)—A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an incident. The BIA helps identify RTOs and RPOs. Compare with BCP, DRP, RTO, and RPO.

BYOD—Bring your own device. A mobile device deployment model. A BYOD model allows employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD.

C

CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI.

CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a website. Users must type in text often from a slightly distorted image.

captive portal—A technical solution that forces wireless clients using web browsers to complete a process before accessing a network. It is often used to ensure users agree to an acceptable use policy or pay for access.

capture the flag—A competition involving cybersecurity personnel. Capture the flag (CTF) events vary depending on who is hosting the event but typically involve red teams, blue teams, purple teams, and white teams. Compare with red team, blue team, purple team, and white team.

carrier unlocking—The process of unlocking a mobile phone from a specific cellular provider.

CASB—Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies.

CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It uses an IV for the first block and each subsequent block is combined with the previous block.

CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security.

CCTV—Closed-circuit television. A detective control that provides video surveillance. Video surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.

CER—Canonical Encoding Rules. A base format for PKI certificates. They are ASCII encoded files. Compare with DER.

CERT—Computer Emergency Response Team. A group of experts who respond to security incidents.

certificate—A digital file used for encryption, authentication, digital signatures, and more. Public certificates include a public key used for asymmetric encryption.

Certificate Authority (CA)—An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI.

certificate chaining—A process that combines all certificates within a trust model. It includes all the certificates in the trust chain from the root CA down to the certificate issued to the end user. Compare with certificate authority and intermediate CA.

certification revocation list (CRL)—A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public.

certificate signing request (CSR)—A method of requesting a certificate from a CA. It starts by creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.

chain of custody—A process that provides assurances that evidence has been controlled and handled properly after collection. Forensic experts establish a chain of custody when they first collect evidence.

change management—The process used to prevent unauthorized changes. Unauthorized changes often result in unintended outages.

CHAP—Challenge Handshake Authentication Protocol. An authentication mechanism where a server challenges a client. Compare with MS-CHAPv2 and PAP.

checksum—A type of a hash that is quick but not necessarily cryptographically secure. It is often used to validate the integrity of data. RAID-5 disks use checksum bits to verify that data on disks aren’t corrupt.

Choose your own device (CYOD)—A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.

CIA—Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

CIO—Chief Information Officer. A “C” level executive position in some organizations. A CIO focuses on using methods within the organization to answer relevant questions and solve problems.

ciphertext—The result of encrypting plaintext. Ciphertext is not in an easily readable format until it is decrypted. Compare with plaintext.

clean desk space—A security policy requiring employees to keep their areas organized and free of papers. The goal is to reduce threats of security incidents by protecting sensitive data.

closed-circuit television (CCTV)—A detective control that provides video surveillance. Video surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.

cloud access security broker (CASB)—A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies.

cloud deployment models—Cloud model types that identify who has access to cloud resources. Public clouds are for any organization, and private clouds are for a single organization. Community clouds are shared among community organizations. A hybrid cloud is a combination of two or more clouds.

code reuse—Code reuse refers to reusing code instead of re-creating code that already exists. A primary benefit is that existing code has already been tested, while new code may introduce new bugs.

code signing—The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.

cold site—An alternate location for operations. A cold site will have power and connectivity needed for activation, but little else. Compare with hot site and warm site.

collision—A hash vulnerability that can be used to discover passwords. A hash collision occurs when two different passwords create the same hash. A collision attack attempts to find two different passwords that create the same hash.

Common Vulnerabilities and Exposures (CVE)—A dictionary of publicly known security vulnerabilities and exposures.

compensating controls—Security controls that are alternative controls used when a primary security control is not feasible. Compare with preventive, detective, corrective, deterrent, and physical security controls.

confidential data—Data meant to be kept secret among a certain group of people. As an example, salary data is meant to be kept secret and not shared with everyone within a company.

confidentiality—One of the core goals of information security sometimes referred to as the CIA security triad. Confidentiality ensures that unauthorized entities cannot access data. Encryption and access controls help protect against the loss of confidentiality. Compare with availability and integrity.

containerization—A method used to isolate application and data in mobile devices. It isolates and protects the application, including any data used by the application. It is useful when using the BYOD model because the container can be encrypted without encrypting the user’s data.

containers—A method used to isolate services or applications in virtual machines. Container virtualization runs services or applications within isolated containers or application cells.

context-aware authentication—An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more.

Continuity of operations planning (COOP)—Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site.

control diversity—The use of different security control types, such as technical controls, administrative controls, and physical controls. Compare with vendor diversity, technology diversity, and crypto diversity.

COOP—Continuity of operations planning. Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site.

COPE—Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD.

corporate-owned, personally enabled (COPE)—A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD.

corrective controls—Security controls that attempt to reverse the impact of a security incident. Compare with preventive, detective, deterrent, compensating, and physical security controls.

CRL—Certification revocation list. A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public.

crossover error rate—The point where the false acceptance rate (FAR) crosses over with the false rejection rate (FRR). A lower CER indicates a more accurate biometric system.

cross-site request forgery (XSRF)—A web application attack. Attackers use XSRF attacks to trick users into performing actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.

cross-site scripting (XSS)—A web application vulnerability that allows attackers to inject scripts into webpages. Attackers use XSS to capture user information such as cookies. Input validation techniques on the server side help prevent XSS attacks by blocking HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting.

crypto diversity—Using different methods to protect cryptographic keys. Compare with control diversity, vendor diversity, and technology diversity.

cryptomalware—A type of ransomware that encrypts the user’s data.

CSF—Cybersecurity Framework. A framework that aligns with the RMF and can be used in the private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations,” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implementation tiers, and the framework profiles.

CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.

CTM—Counter mode. A mode of operation used for encryption that combines an IV with a counter. The combined result is used to encrypt blocks.

CTO—Chief Technology Officer. A “C” level executive position in some organizations. CTOs focus on technology and evaluate new technologies.

custom firmware—Mobile device firmware other than the firmware provided with the device. People sometimes use custom firmware to root Android devices.

CVE—Common Vulnerabilities and Exposures. A dictionary of publicly known security vulnerabilities and exposures.

Cybersecurity Framework (CSF)—A framework that aligns with the RMF and can be used in the private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations,” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implementation tiers, and the framework profiles.

cybersecurity resilience—A system’s ability to continue to operate even after an adverse event. Resilience is similar to availability. However, availability tries to keep systems operational 100 percent of the time, which isn’t possible. In contrast, resilience expects systems to have outages and seeks to restore the system to full operation as soon as possible after the outage. Compare with availability.

CYOD—Choose your own device. A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.

D

DAC—Discretionary access control. An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.

data at rest—Any data stored on media. It’s common to encrypt sensitive data at rest.

data bias—A risk associated with machine learning and AI-enabled systems. People write algorithms, and sometimes people inadvertently insert their bias into their code and the data used by their code. As an example, the Correctional Offender Management Profiling for Alternative Sanctions (COMPAS) algorithm used in US court systems to predict recidivism reportedly produced twice as many false positives for black offenders (45%) as for white offenders (23%). Compare with tainted data.

data controller—A GDPR data role. The data controller determines how and why personal data should be processed and typically delegates the data processing to a data processor.

data custodian/steward—A GDPR data role. The data custodian (sometimes called a data steward) performs routine daily tasks such as storing and backing up data.

data owner—A GDPR data role. The data owner is most responsible for protecting privacy and user rights for any data owned by an organization.

data processor—A GDPR data role. The data processor uses and manipulates data on behalf of the data controller.

data protection officer (DPO)—A GDPR data role. The DPO is responsible for ensuring the organization complies with all relevant laws and acts as an independent advocate for customer data.

Data Execution Prevention (DEP)—A security feature in some operating systems. DEP prevents an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.

data exfiltration—The unauthorized transfer of data outside an organization.

data in transit/motion—Any data sent over a network. It’s common to encrypt sensitive data in transit.

data in use—Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.

data loss prevention (DLP)—A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.

data masking—Modifying the data to hide the original content. Data masking replaces data with other data that looks valid but is inaccurate. For example, Homer can be replaced with Fred. Data masking creates data sets that are used for testing. Compare with anonymization, pseudo-anonymization, and tokenization.

data minimization—A principle requiring organizations to limit the information they collect and use. Compare with data retention.

data retention policy—A security policy specifying how long data should be kept or retained.

data sanitization—The process of destroying or removing all sensitive data from systems and devices. Data sanitization methods include burning, shredding, pulping, pulverizing, and degaussing.

data sovereignty—A term that refers to the legal implications of data stored in different countries. It is primarily a concern related to backups stored in alternate locations via the cloud.

DDoS—Distributed denial-of-service. An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS.

denial-of-service (DoS)—An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS.

dead code—Code that is never executed or used. It is often caused by logic errors.

defense in depth—The use of multiple layers of security to protect resources. Control diversity and vendor diversity are two methods organizations implement to provide defense in depth.

degaussing—A data sanitization process. Degaussing removes data from magnetic media using a powerful electromagnet. Degaussing is sometimes used to remove data from backup tapes or to destroy hard disks. Compare with burning, shredding, pulping, and pulverizing.

deny list—A list of applications that a system denies or blocks. Users are unable to install or run any applications on the list. Also called block list. Compare with allow list.

DEP—Data Execution Prevention. A security feature in some operating systems. DEP prevents an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.

DER—Distinguished Encoding Rules. A base format for PKI certificates. They are BASE64 binary encoded files. Compare with CER.

detective controls—Security controls that attempt to detect security incidents after they have occurred. Compare with preventive, corrective, deterrent, compensating, and physical security controls.

deterrent controls—Security controls that attempt to discourage individuals from causing a security incident. Compare with preventive, detective, corrective, compensating, and physical security controls.

DH—Diffie-Hellman. An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE (ECDHE) uses elliptic curve cryptography to generate encryption keys.

DHCP—Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

DHCP snooping—A preventive measure that blocks unauthorized DHCP servers. It is enabled on Layer 2 switch ports. When enabled, the switch only sends DHCP broadcast traffic (the DHCP discover message) to trusted ports.

DHE—Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each new session. Sometimes listed as EDH.

dictionary attack—A password attack that uses a file of words and character combinations. The attack tries every entry within the dictionary file when trying to guess a password.

differential backup—A type of backup. A differential backup will back up all the data that has changed or is different since the last full backup. Compare with incremental backup.

Diffie-Hellman (DH)—An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE (ECDHE) uses elliptic curve cryptography to generate encryption keys.

dig—A Linux command-line tool. It is used to test DNS on Linux systems. Compare with nslookup.

digital signature—An encrypted hash of a message, encrypted with the sender’s private key. It provides authentication, non-repudiation, and integrity.

Digital Signature Algorithm (DSA)—The algorithm used to create a digital signature. A digital signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying having sent the message.

directory traversal attack—An attack that attempts to access a file or folder by entering the directory path. It is often used as part of an HTTP GET request. For example, the passwd file on Linux systems is in the /etc directory, and directory traversal attacks include some form of the ../etc/passwd path in the GET request.

disablement policy—A policy that identifies when administrators should disable user accounts. Accounts are disabled or deleted when an employee leaves a company.

disassociation attack—An attack that removes wireless clients from a wireless network. It forces wireless clients to connect with an AP again and allows attackers to capture the authentication process.

disaster recovery plan (DRP)—A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.

discretionary access control (DAC)—An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.

dissolvable agent—A NAC agent that runs on a client, but deletes itself later. It checks the client for health and is the same as agentless. Compare with permanent agent.

distributed denial-of-service (DDoS)—An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS.

DLL—Dynamic-link library. A compiled set of code that can be called from other programs.

DLL injection—An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite the DLL, inserting malicious code.

DLP—data loss prevention. A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.

DMZ—demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network. CompTIA is using the term screened subnet to replace DMZ. Compare with screened subnet.

DNS—Domain Name System. Used to resolve hostnames to IP addresses. DNS zones include records such as A records for IPv4 addresses, AAAA records for IPv6 addresses, and MX records to identify mail servers. DNS uses UDP port 53 for DNS client queries and TCP port 53 for zone transfers. Compare with DNS poisoning and pharming.

DNS poisoning—An attack that modifies or corrupts DNS results. DNSSEC helps prevent DNS poisoning.

DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to protect the integrity of DNS records and prevent some DNS attacks.

domain hijacking—An attack that changes the registration of a domain name without permission from the owner.

DoS—denial-of-service. An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS.

downgrade attack—A type of attack that forces a system to downgrade its security. The attacker then exploits the lesser security control.

DRP—disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.

DSA—Digital Signature Algorithm. The algorithm used to create a digital signature. A digital signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying having sent the message.

dumpster diving—The practice of searching through trash looking for information from discarded documents. Shredding or burning papers helps prevent the success of dumpster diving.

dynamic-link library (DLL)—A compiled set of code that can be called from other programs.

E

EAP—Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, and PEAP.

EAP-FAST—EAP-Flexible Authentication via Secure Tunneling. A Cisco-designed protocol sometimes used with 802.1X. EAP-FAST supports certificates, but they are optional. Compare with EAP, EAP-TLS, EAP-TTLS, and PEAP.

EAP-TLS—Extensible Authentication Protocol-Transport Layer Security. An extension of EAP sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP.

EAP-TTLS—Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.

ECC—Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.

ECDHE—Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.

elasticity—The ability of a system to handle an increased workload by dynamically scaling up or scaling out as the need arises. A system may add more resources (such as more memory) when it suddenly experiences high demand. Scalability requires rebooting a server to add the resources, but elasticity dynamically adds the resources without rebooting the server. Compare with scalability.

electromagnetic interference (EMI)—Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.

elliptic curve cryptography (ECC)—An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)—A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.

embedded system—Any device that has a dedicated function and uses a computer system to perform that function. It includes a CPU, an operating system, and one or more applications.

EMI—Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.

Encapsulating Security Protocol (ESP)—A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.

encryption—A process that scrambles, or ciphers, data to make it unreadable. Encryption normally includes a public algorithm and a private key. Compare with asymmetric and symmetric encryption.

Enterprise—A wireless mode that uses an 802.1X server for security. It forces users to authenticate with a username and password. Compare with Open and PSK modes.

entropy—The randomness of a cryptographic algorithm. A higher level of randomness results in a higher level of security when using the algorithm. A lack of entropy results in a weaker algorithm and makes it much easier for the algorithm to be cracked.

ephemeral key—A type of key used in cryptography. Ephemeral keys have short lifetimes and are re-created for each session. In contrast, static keys are semi-permanent and stay the same over a long period of time.

error handling—A programming process that handles errors gracefully.

ESP—Encapsulating Security Protocol. A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.

evil twin—A type of rogue AP. An evil twin has the same or similar SSID as a legitimate AP. Compare with rogue AP.

exit interview—An interview conducted with departing employees just before they leave an organization.

exploitation frameworks—Tools used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit vulnerabilities in software.

Extensible Authentication Protocol (EAP)—An authentication framework that provides general guidance for authentication methods. Compare with EAP-TLS, EAP-TTLS, EAP-FAST, and PEAP.

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)—An extension of EAP sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP.

Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)—An extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.

Extensible Markup Language (XML)—A language used by many databases for inputting or exporting data. XML uses formatting rules to describe the data.

extranet—The part of an internal network shared with outside entities. Extranets are often used to provide access to authorized business partners, customers, vendors, or others. Compare with intranet.

F

facial recognition—A biometric authentication system. Facial recognition systems identify people based on facial features.

factors of authentication—The different methods used for authentication. The common authentication factors are something you know, such as a password or personal identification number (PIN), something you have, such as a smart card, a phone, or a USB token, and something you are, such as a fingerprint or other biometric identification. Compare with authentication attributes, something you know, something you have, and something you are.

false acceptance—A biometric error. It indicates a biometric system incorrectly accepted an unknown user as if the user was known. If the biometric system was working correctly, it would result in a true acceptance.

false acceptance rate (FAR)—Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match.

false negative—A security incident that isn’t detected or reported. As an example, a NIDS false negative occurs if an attack is active on the network, but the NIDS does not raise an alert. A false negative on a vulnerability scanner indicates a vulnerability exists, but the vulnerability scanner didn’t detect it.

false positive—An alert on an event that isn’t a security incident. As an example, a NIDS false positive occurs if the NIDS raises an alert but activity on the network is normal. A false positive on a vulnerability scanner indicates a vulnerability scanner detected a vulnerability, but a vulnerability doesn’t exist.

false rejection—A biometric error. It indicates a biometric system incorrectly rejected a valid user. If the biometric system was working correctly, it would result in a true acceptance. A false rejection is a false negative in a biometric system.

FAR—False acceptance rate. Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match.

Faraday cage—A room or enclosure that prevents signals from emanating beyond the room or enclosure.

fault tolerance—The capability of a system to suffer a fault, but continue to operate. Said another way, the system can tolerate the fault as if it never occurred.

FDE—Full disk encryption. A method to encrypt an entire disk. Compare with SED.

federation—Two or more members of a federated identity management system. Used for single sign-on.

File Transfer Protocol (FTP)—Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

File Transfer Protocol Secure (FTPS)—An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.

fingerprint scanners—A biometric authentication system. Fingerprint scanners scan fingerprints for authentication.

firewall—A software or a network device used to filter traffic. Firewalls can be host-based (running as an application on a host) or network-based. Stateless firewalls filter traffic using rules within an ACL.

firmware OTA updates—Over-the-air updates that keep mobile device firmware up to date. These are typically downloaded to the device from the Internet and applied to update the device.

forward proxy server—A server used to forward requests for services such as HTTP or HTTPS. All internal clients send their outgoing requests to the proxy server, and the proxy server sends the requests to the Internet server. Proxy servers increase performance by caching web pages and can filter URLs. A forward proxy server is commonly called a proxy server. Compare with reverse proxy server.

framework—A structure used to provide a foundation. Cybersecurity frameworks typically use a structure of basic concepts and provide guidance to professionals on how to implement security.

FRR—False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage of times a biometric authentication system incorrectly rejects a valid match.

FTP—File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

FTPS—File Transfer Protocol Secure. An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.

full backup—A type of backup that backs up all the selected data. A full backup could be considered a normal backup.

full disk encryption (FDE)—A method to encrypt an entire disk. Compare with SED.

full tunnel—An encrypted connection used with VPNs. When a user is connected to a VPN, all traffic from the user is encrypted. Compare with split tunnel.

G

gamification—A training method that increases participation and interaction. Gamification intertwines game-design elements within user training methods. Some gamification techniques include a sense of competition, such as capture the flag competitions.

GCM—Galois/Counter Mode. A mode of operation used for encryption. It combines the Counter (CTM) mode with hashing techniques for data authenticity and confidentiality.

GDPR—General Data Protection Regulation. The GDPR is a European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It also defines the roles of data owners, data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO).

General Data Protection Regulation—A European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It defines the roles of data owners, data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO).

geofencing—A virtual fence or geographic boundary. It uses GPS to create the boundary. Apps can then respond when a mobile device is within the virtual fence.

geolocation—The location of a device identified by GPS. It can help locate a lost or stolen mobile device.

Global Positioning System (GPS)—A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.

GPS—Global Positioning System. A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.

GPS tagging—A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the photo was taken, or the file was created.

group-based access control—A role-based access control method that uses groups as roles.

Guest account—A pre-created account in Windows systems. It is disabled by default.

H

hacktivist—An attacker who launches attacks as part of an activist movement or to further a cause.

hardware root of trust—A known secure starting point for an operating system. A TPM ships with a matched key pair used for encryption, and this key pair provides a hardware root of trust.

hardware security module (HSM)—A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM.

hash—A number created by executing a hashing algorithm against data, such as a file or message. Hashing is commonly used for integrity. Common hashing algorithms are MD5, SHA-3, and HMAC.

heat map—A graph that plots risks onto a graph or chart using color-coding. Compare with risk matrix.

heuristic/behavioral—A type of monitoring on intrusion detection and intrusion prevention systems. It detects attacks by comparing traffic against a baseline. It is also known as anomaly detection.

HIDS—Host-based intrusion detection system. Software installed on a system to detect attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software. Compare with HIPS, NIDS, and NIPS.

high availability—A term that indicates a system or component remains available close to 100 percent of the time. Five nines indicates a system is up and operational 99.999 percent of the time. Compare with availability and resilience.

HIPS—Host-based intrusion prevention system. An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.

HMAC—Hash-based Message Authentication Code. A hashing algorithm used to verify the integrity and authenticity of a message with the use of a shared secret. When used with TLS and IPsec, HMAC is combined with MD5 and SHA-1 as HMAC-MD5 and HMAC-SHA1, respectively.

HMAC-based One-Time Password (HOTP)—An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Compare with TOTP.

hoax—A message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.

homomorphic encryption—A process that allows data to remain encrypted while it is being processed. Most homomorphic encryption methods work best when data is stored and manipulated as integers.

honeyfile—A file designed to attract an attacker. As an example, a file named passwords.text might attract the attention of an attacker. It doesn’t contain valid passwords. Compare with honeypot and honeynet.

honeynet—A group of honeypots in a network. Honeynets are often configured in virtual networks. Honeypots within a honeynet have weakened security and are designed to attract attackers. Compare with honeypot and honeyfile.

honeypot—A server designed to attract an attacker. It typically has weakened security encouraging attackers to investigate it. Compare with honeyfile and honeynet.

host-based intrusion detection system (HIDS)— Software installed on a system to detect attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software. Compare with HIPS, NIDS, and NIPS.

host-based intrusion prevention system (HIPS)—An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.

hot and cold aisles—A method commonly used in data centers to keep equipment cool. Cool air flows from the front of the cabinets to the back, making the front aisle cooler and the back aisle warmer.

HOTP—HMAC-based One-Time Password. An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Compare with TOTP.

hot site—An alternate location for operations. A hot site typically includes everything needed to be operational within 60 minutes. Compare with cold site and warm site.

HSM—Hardware security module. A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM.

HTML—Hypertext Markup Language. Language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than and greater-than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks.

HTTP—Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP uses TCP port 80. HTTP is almost always encrypted with TLS and referred to as HTTPS.

HTTPS—Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS encrypts HTTP traffic with TLS using TCP port 443.

HVAC—Heating, ventilation, and air conditioning. A physical security control that increases availability by regulating airflow within data centers and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity controls to reduce the potential damage from condensation.

Hypertext Markup Language (HTML)—Language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than and greater-than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks.

I

IaaS—Infrastructure as a Service. A cloud computing model. IaaS allows an organization to rent access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.

ICMP—Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.

ICS—Industrial control system. A system that controls large systems such as power plants or water treatment facilities. A SCADA system typically controls an ICS. Compare with SCADA.

identification—The process that occurs when a user claims an identity, such as with a username. Users prove their identity with other credentials, such as with a password.

IDS—Intrusion detection system. A detective control used to detect attacks after they occur. A network-based IDS (NIDS) monitors a network, and a host-based IDS (HIDS) monitors a host. They both monitor for intrusions and provide ongoing protection against various threats. IDSs include sniffing capabilities. Many IDSs use numbering systems to identify vulnerabilities. Compare with IPS.

IEEE—Institute of Electrical and Electronics Engineers. IEEE is an international organization with a focus on electrical, electronics, and information technology topics. IEEE standards are well respected and followed by vendors around the world.

IEEE 802.1X—A port-based authentication protocol. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS.

ifconfig—A command-line tool. The ifconfig tool is used on Linux systems to show and manipulate settings on a network interface card (NIC). It is similar to ipconfig used on Windows systems.

IGMP—Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address.

IIS—Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products. Linux systems use Apache as a web server.

IMAP4—Internet Message Access Protocol v4. Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.

impact—The magnitude of harm related to a risk. It is the negative result of an event, such as the loss of confidentiality, integrity, or availability of a system or data. Compare with likelihood of occurrence and qualitative risk assessment.

implicit deny—A rule in an ACL that blocks all traffic that hasn’t been explicitly allowed. The implicit deny rule is the last rule in an ACL.

incident—An adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. Sometimes referred to as a security incident.

incident response—The process of responding to a security incident. Organizations often create an incident response plan that outlines the procedures to be used when responding to an incident.

incident response plan—A formal, coordinated plan that personnel can use when responding to an incident. It typically includes definitions of incident types, details on an incident response team, and team members’ roles and responsibilities.

incident response process—The phases of incident response. It includes preparation, identification, containment, eradication, recovery, and lessons learned.

incident response team—A group of experts who respond to security incidents. It includes employees with expertise in different areas.

incremental backup—A type of backup. An incremental backup backs up all the data that has changed since the last full or incremental backup. Compare with differential backup.

Infrastructure as a Service (IaaS)—A cloud computing model. IaaS allows an organization to rent access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.

initialization vector (IV)—An IV provides randomization of encryption keys to help ensure that keys are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to analyze and discovers the encryption key.

initialization vector (IV) attack—A wireless attack that attempts to discover the IV. Legacy wireless security protocols are susceptible to IV attacks.

injection attack—An attack that injects code or commands. Common injection attacks are dynamic link library (DLL) injection, command injection, SQL injection, and XML injection attacks.

inline—A configuration that forces traffic to pass through a device. A NIPS is placed inline, allowing it to prevent malicious traffic from entering a network. Sometimes called in-band. Compare with out-of-band.

input validation—A programming process that verifies data is valid before using it. Input validation prevents many web-based attacks such as buffer overflow attacks, SQL injection attacks, and cross-site scripting attacks.

insider threat—An attacker who launches attacks from within an organization, typically as an employee.

integer overflow—An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack.

integrity—One of the core goals of information security sometimes referred to as the CIA security triad. Integrity provides assurance that data or system configurations have not been modified. Audit logs and hashing are two methods used to ensure integrity. Compare with availability and confidentiality.

intermediate CA—intermediate certificate authority. A CA created by a root CA that can issue certificates and/or create child CAs that issue certificates. Compare with certificate authority and certificate chaining.

Internet Message Access Protocol v4 (IMAP4)—Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.

Internet of things (IoT)—The network of physical devices connected to the Internet. It typically refers to smart devices with an IP address, such as wearable technology and home automation systems.

intranet—An internal network. People use an intranet to communicate and share content with each other on an internal network. Compare with extranet.

IoT—Internet of things. The network of physical devices connected to the Internet. It typically refers to smart devices with an IP address, such as wearable technology and home automation systems.

IP—Internet Protocol. Used for addressing. Compare with IPv4 and IPv6.

ipconfig—A command-line tool. It is used on Windows systems to show the configuration settings on a NIC.

IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can be used internally to protect private networks, such as those holding SCADA equipment. Compare with IDS.

IPsec—Internet Protocol security. A suite of protocols used to encrypt data-in-transit. IPsec can operate in both Tunnel mode and Transport mode. IPsec is built into IPv6, but can also work with IPv4. Both versions support AH and ESP. AH provides authentication and integrity using HMAC, and ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. Compare with AH, ESP, tunnel mode, and transport mode.

IP spoofing—An attack that changes the source IP address. IP spoofing makes an attack appear as though it’s coming from a different source.

IPv4—Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1.

IPv6—Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 has a significantly larger address space than IPv4. IPsec is built into IPv6 and can encrypt any type of IPv6 traffic.

iris scanners—A biometric system. Iris scanners scan the iris of an eye for authentication.

ISP—Internet Service Provider. A company that provides Internet access to customers.

IT—Information technology. Computer systems and networks used within organizations.

IV—Initialization vector. An IV provides randomization of encryption keys to help ensure that keys are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to analyze and discovers the encryption key.

J

jailbreaking—The process of modifying an Apple mobile device to remove software restrictions. It allows a user to install software from any third-party source. Compare with rooting.

jamming—A DoS attack against wireless networks. It transmits noise on the same frequency used by a wireless network.

job rotation—A process that ensures employees rotate through different jobs to learn the processes and procedures in each job. It can sometimes detect fraudulent activity.

K

KDC—Key Distribution Center. Also known as Ticket Granting Ticket (TGT) server. Part of the Kerberos protocol used for network authentication. The KDC issues timestamped tickets that expire.

Kerberos—A network authentication mechanism used with Windows Active Directory domains and some Unix environments known as realms. It uses a KDC to issue tickets.

kernel—The central part of the operating system. In container virtualization, guests share the kernel.

key escrow—The process of placing a copy of a private key in a safe environment. If the original key is lost, an organization can retrieve a copy of the key to access the data.

key exchange—A cryptographic method used to share cryptographic keys. Asymmetric encryption uses key exchange to share a symmetric key.

keylogger—Software or hardware used to capture a user’s keystrokes. Keystrokes are stored in a file and can be manually retrieved or automatically sent to an attacker.

key stretching—A technique used to increase the strength of stored passwords. It adds additional bits (called salts) and can help thwart brute force and rainbow table attacks.

known environment test—A type of penetration test. Testers have full knowledge of the environment prior to starting the test. This was previously known as a white box test. Compare with unknown environment test and partially known environment test.

known plaintext—A cryptographic attack that decrypts encrypted data. In this attack, the attacker knows the plaintext used to create ciphertext. Compare with ciphertext and plaintext.

L

L2TP—Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.

labeling—The process of ensuring data is tagged clearly so that users know its classification. Labels can be physical labels, such as on backup tapes, or digital labels embedded in files.

Layer 2 Tunneling Protocol (L2TP)—Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.

LDAP—Lightweight Directory Access Protocol. A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS.

LDAPS—Lightweight Directory Access Protocol over SSL. A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.

least privilege—A security principle that minimizes privileges given to individuals. The least privilege principle specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.

legal hold—A court order to maintain data for evidence.

lightweight cryptography—Cryptography deployed to smaller devices. Many Internet of Things (IoT) devices use lightweight cryptography.

Lightweight Directory Access Protocol (LDAP)—A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS.

Lightweight Directory Access Protocol over SSL (LDAPS)—A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.

likelihood of occurrence—The probability that something will occur. It is used with impact in a qualitative risk assessment. Compare with impact and qualitative risk assessment.

load balancer—Hardware or software that balances the load between two or more servers. Load balancers add redundancy and fault tolerance and can help eliminate single points of failure.

logic bomb—A type of malware that executes in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program.

loop prevention—Methods used to prevent switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.

M

MAC—Mandatory Access Control. An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know. Compare with ABAC, DAC, role-based access control, and rule-based access control.

MAC—media access control. A 48-bit address used to identify network interface cards. It is also called a hardware address or a physical address, and is commonly displayed as six pairs of hexadecimal characters. Port security on a switch or an AP can limit access using MAC filtering.

MAC cloning attack—An attack that changes the source MAC address to impersonate an authorized system. When MAC filtering is used, attackers can discover authorized MAC addresses and change their own address to bypass MAC filtering. This is sometimes called MAC spoofing.

MAC filtering—A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for wireless security.

MAC flooding—An attack against a switch that attempts to overload it. Most ports on a switch have only a single host connected to them, with only a single MAC address. A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch operates as a hub instead of as a switch.

malware—Malicious software. It includes a wide range of software that has malicious intent, such as viruses, worms, ransomware, rootkits, logic bombs, and more.

managerial controls—Security controls implemented via managerial or administrative methods. They are typically documented in an organization’s security policy and focus on managing risk. Compare with technical and operational controls.

Mandatory Access Control (MAC)—An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know. Compare with ABAC, DAC, role-based access control, and rule-based access control.

mandatory vacation—A policy that forces employees to take a vacation. The goal is to deter malicious activity, such as fraud and embezzlement, and detect malicious activity when it occurs.

MD5—Message Digest 5. A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a number created by applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a checksum in some situations.

MDM—Mobile device management. A group of applications and technologies used to manage mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.

measured boot—A process that verifies the integrity of the boot process. It completes these checks before allowing the user to interact with the system.

media access control (MAC) flooding—An attack against a switch that attempts to overload it. Most ports on a switch have only a single host connected to them, with only a single MAC address. A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch operates as a hub instead of as a switch.

Memorandum of understanding (MOU)—A type of agreement that defines the responsibilities of each party. Sometimes called a memorandum of agreement.

memory leak—An application flaw that consumes memory without releasing it. In extreme cases, the application can consume so much memory that the operating system crashes.

Message Digest 5 (MD5)—A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a number created by applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a checksum in some situations.

MMS—Multimedia Messaging Service. An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images. Compare with SMS and Rich Communication Services.

Mobile device management (MDM)—A group of applications and technologies used to manage mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.

MS-CHAP—Microsoft Challenge Handshake Authentication Protocol. Microsoft implementation of CHAP. MS-CHAPv2 improves MS-CHAP by providing mutual authentication.

MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2. Microsoft implementation of CHAP. MS-CHAPv2 provides mutual authentication. Compare with CHAP and PAP.

MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures. Higher MTBF numbers indicate a higher reliability of a product or system.

MTTF—Mean time to failure. The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.

MTTR—Mean time to recover. Identifies the average (the arithmetic mean) time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract.

multifactor authentication—A type of authentication that uses methods from more than one factor of authentication. Compare with something you know, something you have, and something you are.

Multimedia Messaging Service (MMS)—An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images. Compare with SMS and Rich Communication Services.

N

NAC—Network access control. A system that inspects clients to ensure they are healthy. Healthy clients are granted access to the network, and unhealthy clients are redirected to a remediation network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.

NAT—Network Address Translation. A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses.

National Institute of Standards and Technology (NIST)—NIST is a part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available to anyone. They can be found at http://csrc.nist.gov/publications/PubsSPs.html.

NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.

Netcat (nc)—A command-line tool. Netcat is used to connect to remote systems.

netstat—A command-line tool. Netstat is used to show network statistics on a system.

network access control (NAC)—A system that inspects clients to ensure they are healthy. Healthy clients are granted access to the network, and unhealthy clients are redirected to a remediation network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.

Network Address Translation (NAT)—A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses.

network-based intrusion detection system (NIDS)—A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls, and monitors network traffic. It can detect network-based attacks.

network-based intrusion prevention system (NIPS)—A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress.

network interface card (NIC)—Provides connectivity to a network. A NIC is typically built into a circuit board and includes a connector, such as an RJ-45 connector.

network scanner—A tool used to discover devices on a network, including their IP addresses, their operating system, along with services and protocols running on the devices.

near field communication (NFC)—A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using NFC technologies with a smartphone.

network interface card (NIC) teaming—A group of two or more network adapters acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.

NFC—Near field communication. A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using NFC technologies with a smartphone.

NFC attack—An attack against mobile devices that use near field communication (NFC). NFC is a group of standards that allow mobile devices to communicate with nearby mobile devices.

NIC—Network interface card. Provides connectivity to a network. A NIC is typically built into a circuit board and includes a connector, such as an RJ-45 connector.

NIC teaming—Network interface card (NIC) teaming. A group of two or more network adapters acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.

NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls, and monitors network traffic. It can detect network-based attacks.

NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress.

NIST—National Institute of Standards and Technology. NIST is a part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available to anyone. They can be found at http://csrc.nist.gov/publications/PubsSPs.html.

nmap—A command-line tool. Nmap is used to scan networks, and it is a type of network scanner.

nonce—A number used once. Cryptography elements frequently use a nonce to add randomness.

non-disclosure agreement (NDA)—An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.

non-persistence—A method used in virtual desktops where changes made by a user are not saved. Most (or all) users have the same desktop. When users log off, the desktop reverts to its original state.

non-repudiation—The ability to prevent a party from denying an action. Digital signatures and access logs provide non-repudiation.

normalization—The process of organizing tables and columns in a database. Normalization reduces redundant data and improves overall database performance.

nslookup—A command-line tool. The nslookup tool is used to test DNS on Microsoft systems. Compare with dig.

NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and NTLM2 Session.

NTP—Network Time Protocol. Protocol used to synchronize computer times.

O

OAuth—An open source standard used for authorization with Internet-based single sign-on solutions. Many companies such as Google, Facebook, PayPal, Microsoft, and Twitter support OAuth. Users can sign on with their account using one of these companies and gain access to other sites. OAuth focuses on authorization, not authentication, and RFC 6749, “The OAuth 2.0 Authorization Framework,” describes it.

obfuscation—An attempt to make something unclear or difficult to understand. Steganography methods use obfuscation to hide data within data. Sometimes referred to as camouflage.

OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

offboarding—The process of removing an individual’s access to an organization’s computing resources when that individual leaves the company. It also includes collecting any equipment (such as smartphones, tablets, or laptops), security badges, or proximity cards the organization issued to the employee. Compare with onboarding.

offline brute force password attack—A password attack against a database downloaded from a site. An offline attack can repeatedly guess passwords without ever getting locked out. Compare with online brute force password attack.

onboarding—The process of granting individuals access to an organization’s computing resources after being hired. It typically includes giving the employee a user account with appropriate permissions. Compare with offboarding.

online brute force password attack—A password attack against an online system. Online systems typically have account lockout capabilities, so online password attacks often use different methods (such as a spraying attack) to guess passwords. Compare with spraying attack and offline brute force password attack.

Online Certificate Status Protocol (OCSP)—An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

on-path attack—A form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two. An on-path attack is sometimes referred to as a man-in-the-middle or man-in-the-browser attack.

open—A wireless mode that doesn’t use security. Compare with Enterprise and PSK modes.

OpenID—An authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials and websites that support OpenID prompt users to enter their OpenID.

OpenID Connect (OIDC)—An open source standard used for identification on the Internet. It builds on OpenID and uses the OAuth 2.0 framework. OIDC uses a JavaScript Object Notation (JSON) Web Token (JWT), sometimes called an ID token.

open-source intelligence (OSINT)—A method of gathering data using public sources, such as social media sites and news outlets.

OpenSSL—An open source software library used with Transport Layer Security (TLS) and the legacy Secure Sockets Layer (SSL) protocols. Many Linux distributions include access to OpenSSL via the command line.

operational controls—Controls used to handle the day-to-day operations of an organization. Operational controls help an organization comply with the security policy, and people implement them. Compare with managerial and technical controls.

order of volatility—A term that refers to the order in which you should collect evidence. For example, data in memory is more volatile than data on a disk drive, so it should be collected first.

OSI—Open Systems Interconnection. The OSI reference model conceptually divides different networking requirements into seven separate layers.

OSINT—Open-source intelligence. A method of gathering data using public sources, such as social media sites and news outlets.

out-of-band—A configuration that allows a device to collect traffic without the traffic passing through it. Sometimes called passive. Compare with inline.

P

P12—PKCS#12. A common format for PKI certificates. They are DER-based (binary) and often hold certificates with the private key. They are commonly encrypted.

P7B—PKCS#7. A common format for PKI certificates. They are CER-based (ASCII) and commonly used to share public keys.

PaaS—Platform as a Service. A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform, meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.

PAM—Privileged access management. A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when they need them and only for a limited time. PAM is sometimes called privileged account management.

PAP—Password Authentication Protocol. An older authentication protocol where passwords or PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2.

partially known environment test—A type of penetration test. Testers have some knowledge of the environment prior to starting the test. This was previously known as a gray box test. Compare with known environment test and unknown environment test.

passive reconnaissance—A penetration testing method used to collect information. It typically uses open-source intelligence. Compare with active reconnaissance.

pass the hash—A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.

password cracker—A tool used to discover passwords.

patch management—The process used to keep systems up to date with current patches. It typically includes evaluating and testing patches before deploying them.

PBKDF2—Password-Based Key Derivation Function 2. A key stretching technique that combines a password with a random salt and repeatedly applies a keyed hash (HMAC) for a configurable number of iterations. The salt defeats rainbow table attacks, and the iteration count makes each brute force guess expensive. Compare with Bcrypt and Argon2.

PDF—Portable Document Format. Type of file for documents. Attackers have embedded malware in PDFs.

PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with 802.1X. PEAP wraps the EAP exchange inside a TLS tunnel, providing an extra layer of protection, and it requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and EAP-FAST.

PEM—Privacy Enhanced Mail. A common format for PKI certificates and keys. A PEM file is the Base64-encoded (ASCII) form of the binary DER data, wrapped in -----BEGIN ...----- and -----END ...----- lines, and it can hold almost any type of certificate, key, or certificate request. Files with a .cer or .crt extension may be in either PEM (ASCII) or DER (binary) form.
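Because PEM is just the Base64 text form of the same DER bytes, the relationship between the formats in the P7B, P12, and PEM entries can be shown directly. The following Python is an added example and not code from the study guide: it wraps a constructed DER SEQUENCE (a 14-byte stand-in, not a real certificate) in PEM armor, unwraps it again, checks the outer DER length field, and tells the two encodings apart by their first bytes. The function names and the sample bytes are this example's own.

```python
import base64
import re
import textwrap

# Constructed DER blob for the demo, NOT a real certificate:
# SEQUENCE (tag 0x30, length 12) { INTEGER 5, UTF8String "example" }
SAMPLE_DER = bytes.fromhex("300c" "020105" "0c07" + b"example".hex())

# One PEM block: label, Base64 body (may span lines), matching END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_encode(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor: Base64 in 64-character lines between
    BEGIN/END lines carrying the RFC 7468 label."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_decode(pem: str) -> tuple:
    """Return (label, DER bytes) for the first PEM block found in the text."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    label, body = match.group(1), match.group(2)
    return label, base64.b64decode("".join(body.split()), validate=True)


def der_total_length(der: bytes) -> int:
    """Parse the outer tag and length of a DER object and return its total size.
    Certificates, PKCS#7 bundles, and PKCS#12 files all start with a SEQUENCE
    (0x30), so a wrong first byte or a length that does not match the data
    means the file is not DER (or is truncated)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: the byte is the length
        header, length = 2, first
    else:                                  # long form: 0x80|N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    total = header + length
    if total != len(der):
        raise ValueError(f"DER declares {total} bytes but {len(der)} were supplied")
    return total


def sniff_format(data: bytes) -> str:
    """Tell PEM (ASCII armor) from DER (binary) by looking at the first bytes."""
    return "PEM" if data.lstrip().startswith(b"-----BEGIN ") else "DER"


if __name__ == "__main__":
    pem = pem_encode(SAMPLE_DER)
    label, der = pem_decode(pem)
    print(pem)
    print(label, der == SAMPLE_DER, der_total_length(der), sniff_format(pem.encode()))
```

Converting a P7B or PEM file to DER in practice is the same Base64 step (`openssl x509 -inform PEM -outform DER`); the length check is the quickest way to catch a file that was truncated or saved in the wrong encoding before handing it to a TLS library.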

penetration testing—A method of testing targeted systems to determine if vulnerabilities can be exploited. Penetration tests are intrusive.

perfect forward secrecy—A property of a key exchange guaranteeing that compromise of a long-term private key (such as a server's certificate key) does not expose the session keys of earlier sessions. Perfect forward secrecy methods, such as ephemeral Diffie-Hellman (DHE and ECDHE), generate a fresh random key pair for each session and discard it afterward, so every session key is independent of the long-term key and of every other session.
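The following Python is an added example, not code from the study guide, showing why an ephemeral exchange has this property. It runs finite-field Diffie-Hellman over the 2048-bit MODP group 14 from RFC 3526 (the prime is transcribed here and sanity-checked by a Miller-Rabin test), draws a fresh secret exponent per side per session, validates the peer's public value, and derives the session key from the shared secret alone. The server's long-term certificate key, which in a real handshake signs the ephemeral public value, is deliberately absent from the derivation. Function names and the derivation label are this example's own.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2 (transcribed, then
# confirmed prime by is_probable_prime() below).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2          # prime order of the subgroup generated by 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test, used to confirm the transcribed P and Q are prime."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def ephemeral_keypair() -> tuple:
    """A fresh secret exponent and public value for ONE session; never reused."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def validate_peer_value(y: int) -> None:
    """Reject out-of-range and small-subgroup values before exponentiating with them."""
    if not 1 < y < P - 1 or pow(y, Q, P) != 1:
        raise ValueError("invalid Diffie-Hellman public value")


def session_key(my_secret: int, peer_public: int) -> bytes:
    """Derive the session key from the ephemeral shared secret only.
    In a real handshake the server's long-term certificate key signs its
    ephemeral public value, but it is NOT an input here: compromising that
    key later therefore reveals nothing about this session's key."""
    validate_peer_value(peer_public)
    shared = pow(peer_public, my_secret, P)
    return hashlib.sha256(b"pfs-demo-v1" + shared.to_bytes(256, "big")).digest()


def handshake() -> tuple:
    """One session. Returns (client_key, server_key); the secret exponents
    then go out of scope, which is what 'ephemeral' means in practice."""
    s_secret, s_public = ephemeral_keypair()      # server: fresh per session
    c_secret, c_public = ephemeral_keypair()      # client: fresh per session
    return session_key(c_secret, s_public), session_key(s_secret, c_public)


if __name__ == "__main__":
    first, second = handshake(), handshake()
    print("both sides agree:", first[0] == first[1] and second[0] == second[1])
    print("sessions independent:", first[0] != second[0])
```

The contrast is with static RSA key exchange, where the client encrypts the session secret to the server's certificate key: anyone who records the traffic and later obtains that one key can decrypt every past session, which is exactly what the ephemeral exponents above prevent.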

permanent agent—A NAC agent that is installed on a client. It checks the client for health. Compare with agentless or dissolvable agent.

Personal Identity Verification card (PIV)—A specialized type of smart card used by U.S. federal agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC.

Personally Identifiable Information (PII)—Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII, and their data policies often define procedures for handling and retaining it, such as encrypting it.

PFX—Personal Information Exchange. A common format for PKI certificates. It is the predecessor to P12 certificates.

pharming—A type of DNS poisoning attack. Pharming attacks redirect a website’s traffic to another website.

PHI—Personal Health Information. PII that includes health information.

phishing—The practice of sending spam to users with the purpose of tricking them into revealing personal information or clicking on a link. Phishing often includes malicious attachments or malicious links.

physical controls—Security controls that you can physically touch. Compare with preventive, detective, corrective, deterrent, and, compensating controls.

PII—Personally Identifiable Information. Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII, and their data policies often define procedures for handling and retaining it, such as encrypting it.

PIN—Personal identification number. A number known by a user and entered for authentication. PINs are often combined with smart cards to provide dual-factor authentication.

ping—A command-line tool. Ping is used to test connectivity with remote systems.

pinning—A security mechanism used by some websites to prevent website impersonation. Websites provide clients with a list of public key hashes. Clients store the list and use it to validate the website.

PIV—Personal Identity Verification card. A specialized type of smart card used by U.S. federal agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC.

pivoting—Process of using various tools to gain additional information on a system or network. After escalating privileges, a penetration tester (or attacker) uses the exploited computer to gain additional information on other systems within the network.

PKI—Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most trust models are hierarchical and centralized with a central root CA.

plaintext—Text displayed in a readable format. Encryption converts plaintext to ciphertext, and plaintext is unencrypted. Compare with ciphertext.

Platform as a Service (PaaS)—A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform, meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.

playbooks—Used with SOAR. An automated set of actions that responds to a potential incident. Playbooks are derived from runbooks. Compare with SOAR and runbooks.

pointer dereference—A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash.

POP3—Post Office Protocol v3. Used to transfer email from mail servers to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections.

port mirror—A monitoring port on a switch. All traffic going through the switch is also sent to the port mirror.

port taps—Monitoring ports on a network device. IDSs use taps to capture traffic.

post-quantum cryptography—Cryptographic algorithms designed to resist attacks from attackers using a quantum computer while still running on conventional computers. NIST published the first finalized standards in August 2024: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, digital signatures), and FIPS 205 (SLH-DSA, hash-based signatures). Compare with quantum cryptography.

posturing—A method of verifying a device complies with security policies. Some mobile device management (MDM) systems use device posturing to check the status of a device, such as the operating system version and whether the screen lock is enabled or not.

potentially unwanted programs (PUPs)—Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, such as Trojans. Compare with spyware.

preshared key (PSK)—A secret shared among different systems. Wireless networks using WPA2 support Personal mode, where each device uses the same PSK. WPA3 uses Simultaneous Authentication of Equals (SAE) instead of the PSK handshake. Compare with Enterprise and Open modes.

preventive controls—Security controls that attempt to prevent a security incident from occurring. Compare with detective, corrective, deterrent, compensating, and physical security controls.

private data—Information about an individual that should remain private. Personally Identifiable Information (PII) and Personal Health Information (PHI) are two examples.

private key—Part of a matched key pair used in asymmetric encryption. The private key always stays private. Compare with public key.

privileged account—An account with elevated privileges, such as an administrator account.

privileged access management (PAM)—A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when they need them and only for a limited time. PAM is sometimes called privileged account management.

privilege escalation—The process of gaining elevated rights and permissions. Attackers and malware typically use a variety of techniques to gain elevated privileges.

proprietary data—Data that is related to ownership. Common examples are information related to patents or trade secrets.

Protected Extensible Authentication Protocol (PEAP)—An extension of EAP sometimes used with 802.1X. PEAP wraps the EAP exchange inside a TLS tunnel, providing an extra layer of protection, and it requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and EAP-FAST.

protocol analyzer—A tool used to capture network traffic. Both professionals and attackers use protocol analyzers to examine packets. A protocol analyzer can be used to view data sent in clear text.

proximity card readers—Devices that sense when proximity cards are close. They are often used by authorized personnel to open doors.

proximity cards—Small credit card-sized cards that activate when they are in close proximity to a proximity card reader. They are often used by authorized personnel to open doors.

proxy server— A server used to forward requests for services such as HTTP or HTTPS. All internal clients send their outgoing requests to the proxy server, and the proxy server sends the requests to the Internet server. Proxy servers increase performance by caching web pages and can filter URLs. A proxy server is commonly called a forward proxy server. Compare with reverse proxy server.

pseudo-anonymization—The process of replacing PII data with pseudonyms. The data set appears anonymous, but the owner of the data maintains a database that matches the pseudonyms back to the original data. Compare with anonymization, data masking, and tokenization.

PSK—Preshared key. A secret shared among different systems. Wireless networks using WPA2 support Personal mode, where each device uses the same PSK. WPA3 uses Simultaneous Authentication of Equals (SAE) instead of the PSK handshake. Compare with Enterprise and Open modes.

public data—Data that is available to anyone. It might be in brochures, in press releases, or on websites.

public key—Part of a matched key pair used in asymmetric encryption. The public key is publicly available. Compare with private key.

public ledgers—A record of transactions such as deposits and withdrawals. Blockchain uses a public ledger to track transactions while identifying the parties only by addresses rather than names, so they are pseudonymous. Some ransomware payments can be traced by viewing the public ledger, but the transactions still do not directly reveal who made them. Compare with blockchain.

Public Key Infrastructure (PKI)—Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most trust models are hierarchical and centralized with a central root CA.

pulping—A data sanitization process. Pulping is performed after shredding papers, and it reduces the shredded paper to a mash or puree. Compare with burning, shredding, pulverizing, and degaussing.

PUPs—Potentially unwanted programs. Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, such as Trojans. Compare with spyware.

pulverizing— A data sanitization process. A process used to physically destroy items such as optical discs that can’t be erased by a degausser. Compare with burning, shredding, pulping, and degaussing.

purging—A data sanitization process. A general sanitization term indicating that all sensitive data has been removed from a device. Compare with burning, shredding, pulping, pulverizing, and degaussing.

purple team—Personnel involved in cybersecurity readiness that can join either a red team or a blue team. Compare with red team, blue team, white team and capture the flag.

push notification services—The services that send messages to mobile devices. Many mobile device applications push notification messages to users.

Q

qualitative risk assessment—A risk assessment that uses judgment to categorize risks. It is based on impact and likelihood of occurrence.

quantitative risk assessment—A risk assessment that uses specific monetary amounts to identify cost and asset value. It then uses the SLE and ARO to calculate the ALE.

quantum computing—Computing that uses quantum mechanical properties such as superposition and entanglement to perform calculations. A sufficiently large quantum computer could break today’s asymmetric algorithms (such as RSA and Diffie-Hellman) using Shor’s algorithm, which is the motivation for post-quantum cryptography. Compare with post-quantum cryptography.

quantum cryptography—Cryptography that relies on quantum mechanical properties rather than on mathematical hardness. The best-known example is quantum key distribution (QKD), which exchanges a key using quantum states of photons so that any eavesdropping disturbs the states and can be detected. It requires specialized hardware, unlike post-quantum cryptography, which runs on conventional computers. Compare with post-quantum cryptography.

R

RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can recover the private key from a key escrow.

RADIUS—Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS hides only the User-Password attribute (obfuscated with MD5 and a shared secret) and leaves the rest of the packet in the clear, and it uses UDP by default (port 1812 for authentication and 1813 for accounting). In contrast, TACACS+ encrypts the entire packet body and uses TCP. RFC 3579, “RADIUS Support for EAP,” carries EAP methods such as PEAP and EAP-TLS inside RADIUS, and RFC 6614 (RADIUS over TLS, also called RadSec) protects the entire exchange over TCP. Compare with TACACS+.

race condition—A programming flaw that occurs when two threads or processes access a shared resource at the same time and the outcome depends on which one finishes first. A common form is time-of-check to time-of-use (TOCTOU), where the resource changes between a security check and the action that relies on it. Race conditions produce inconsistent results and can be exploited to bypass checks.

RAID—Redundant array of inexpensive disks. Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.

RAID-0—Disk striping. RAID-0 improves performance but does not provide fault tolerance.

RAID-1—Disk mirroring. RAID-1 uses two disks and provides fault tolerance.

RAID-5—Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance. It can survive the failure of a single drive.

RAID-6—Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.

RAID-10—Disk mirroring with striping. RAID-10 combines the features of mirroring (RAID-1) and striping (RAID-0). The minimum number of drives in a RAID-10 is four, and a RAID-10 always has an even number of drives.

rainbow table—A file containing precomputed hashes for character combinations. Rainbow tables are used to discover passwords. PBKDF2, Bcrypt, and Argon2 thwart rainbow table attacks.

RAM—Random access memory. Volatile memory within a computer that holds active processes, data, and applications. Data in RAM is lost when the computer is turned off. Memory forensics analyzes data in RAM.

ransomware—A type of malware used to extort money from individuals and organizations. Ransomware typically encrypts the user’s data and demands a ransom before decrypting the data.

Rapid Spanning Tree Protocol (RSTP)—An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports of a switch are connected together.

RAS—Remote Access Service. Provides access to an internal network from an outside source location using dial-up or a VPN.

RAT—Remote access Trojan. Malware that gives an attacker full control over a user’s system from a remote location over the Internet.

RDP—Remote Desktop Protocol. Used to connect to remote systems. Microsoft uses RDP in different services such as Remote Desktop Services and Remote Assistance. RDP uses TCP port 3389 or UDP port 3389.

real-time operating system (RTOS)—An operating system that reacts to input within a specific time. Many embedded systems include an RTOS.

reconnaissance—A penetration testing phase where testers gather information on a target. Compare with active reconnaissance and passive reconnaissance.

recovery agent (RA)—A designated individual who can recover or restore cryptographic keys. In the context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can recover the private key from a key escrow.

recovery point objective (RPO)—A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare with RTO.

recovery site—An alternate location for business functions after a major disaster. Compare with cold site, warm site, and hot site.

recovery time objective (RTO)—The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

red team—Personnel involved in cybersecurity readiness that are experts in attacking systems. Red team members emulate the techniques used by potential attackers. Compare with blue team, purple team, white team, and capture the flag.

redundancy—The process of adding duplication to critical system components and networks. Redundancy and fault-tolerance methods increase availability and support resiliency.

redundant array of inexpensive disks (RAID)—Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.

refactoring—A driver manipulation method. Developers rewrite the code without changing the driver’s behavior.

registration authority (RA)—An entity that can collect registration information for a certificate authority (CA). An RA never issues certificates, but instead only assists the CA. Not all CAs use an RA. Compare with certificate authority.

remote access Trojan (RAT)—Malware that gives an attacker full control over a user’s system from a remote location over the Internet.

Remote Authentication Dial-In User Service (RADIUS)—Provides central authentication for remote access clients. RADIUS hides only the User-Password attribute (obfuscated with MD5 and a shared secret) and leaves the rest of the packet in the clear, and it uses UDP by default (port 1812 for authentication and 1813 for accounting). In contrast, TACACS+ encrypts the entire packet body and uses TCP. RFC 3579, “RADIUS Support for EAP,” carries EAP methods such as PEAP and EAP-TLS inside RADIUS, and RFC 6614 (RADIUS over TLS, also called RadSec) protects the entire exchange over TCP. Compare with TACACS+.

Remote Desktop Protocol (RDP)—Used to connect to remote systems. Microsoft uses RDP in different services such as Remote Desktop Services and Remote Assistance. RDP uses TCP port 3389 or UDP port 3389.

remote wipe—The process of sending a signal to a remote device to erase all data. It is useful when a mobile device is lost or stolen.

replay attack—An attack where legitimate data (such as an authentication exchange or a transaction) is captured and later re-sent to the same service. Attackers may replay the capture unchanged or modify it first. Timestamps, nonces, sequence numbers, and session-bound keys prevent replayed data from being accepted.

resilience—A system’s ability to continue to operate even after an adverse event. Resilience is similar to availability. However, availability tries to keep systems operational 100 percent of the time, which isn’t possible. In contrast, resilience expects systems to have outages and seeks to restore the system to full operation as soon as possible after the outage. Compare with availability.

resource exhaustion—The malicious result of many DoS and DDoS attacks. The attack overloads a computer’s resources (such as the processor and memory), resulting in service interruption.

retina scanners—A biometric authentication system. Retina scanners scan the retina of an eye for authentication. Some people object to using these scanners for authentication because the scan can reveal medical conditions and because the user typically needs to be in very close proximity to the scanner.

reverse proxy server—A server used to accept requests from the Internet and forward them to a Web server. It appears to clients as a web server but is forwarding the requests to the web server and serving the pages returned by the web server. Compare with forward proxy server.

RFI—Radio frequency interference. Interference from RF sources such as AM or FM transmitters. RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.

RFID—Radio frequency identification. RFID methods are often used for inventory control.

RFID attacks—Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS.

Rich Communication Services (RCS)— An extension of SMS and MMS. RCS supports all of the features of MMS and adds a few additional features. If a system doesn’t support RCS, it can default to SMS or MMS. Compare with SMS and Multimedia Message Service.

risk—The possibility or likelihood of a threat exploiting a vulnerability resulting in a loss. Compare with threat and vulnerability.

risk assessment—A process used to identify and prioritize risks. It includes quantitative risk assessments and qualitative risk assessments. Compare with quantitative assessment and qualitative assessment.

risk management—The practice of identifying, monitoring, and limiting risks to a manageable level. It includes risk response techniques, qualitative risk assessments, and quantitative risk assessments.

Risk Management Framework (RMF)—A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorize information systems, select security controls, implement security controls, assess security controls, authorize information systems, and monitor security controls.

risk matrix—A graph that plots risks onto a graph or chart. A risk matrix typically plots the likelihood of occurrence against the impact of a risk. Compare with heat map.

risk mitigation—The process of reducing risk by implementing security controls. Security controls reduce risk by reducing vulnerabilities associated with a risk or by reducing the impact of a threat.

risk register—A document listing information about known risks. It typically includes risk scores along with recommended security controls to reduce the risk scores.

risk response techniques—Methods used to manage risks. Common risk response techniques are accept, avoid, mitigate, transfer, and cybersecurity insurance.

RMF—Risk Management Framework. A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorize information systems, select security controls, implement security controls, assess security controls, authorize information systems, and monitor security controls.

rogue AP—An unauthorized AP. It can be placed by an attacker or by an employee who hasn’t obtained permission to do so. An evil twin is a special type of rogue AP with the same or a similar SSID as a legitimate AP.

ROI—Return of investment or return on investment. A performance measure used to identify when an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls.

role-based access control—An access control scheme. Role-based access control uses roles based on jobs and functions to define access. It is often implemented with groups (providing group-based privileges) and uses a matrix as a planning document to match roles with the required privileges. Compare with ABAC, DAC, MAC, and rule-based access control.

root certificate—A PKI certificate identifying a root CA.

rooting—The process of modifying an Android device, giving the user root-level, or administrator, access. Compare with jailbreaking.

rootkit—A type of malware that has system-level access to a computer. Rootkits are often able to hide themselves from users and antivirus software.

ROT13—A substitution cipher that uses a key of 13. To encrypt a message, you rotate each letter 13 places through the alphabet. Because the alphabet has 26 letters, rotating 13 places again returns the original text, so the same operation both encrypts and decrypts. ROT13 provides obfuscation, not security.

router—A network device that connects multiple network segments together into a single network. They route traffic based on the destination IP address and do not pass broadcast traffic. Routers use ACLs.

RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare with RTO.

RSA—Rivest, Shamir, and Adleman. An asymmetric algorithm, named after its creators, used to encrypt data and digitally sign transmissions. RSA uses a public key and a private key in a matched pair.

RSTP—Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports of a switch are connected together.

RTO—Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

RTOS—Real-time operating system. An operating system that reacts to input within a specific time. Many embedded systems include an RTOS.

rule-based access control—An access control scheme. Rule-based access control is based on a set of approved instructions, such as an access control list, or rules that trigger in response to an event such as modifying ACLs after detecting an attack. Compare with ABAC, DAC, MAC, and role-based access control.

runbooks—Used with SOAR. A checklist of things to check in response to a suspected incident. Runbooks are used when creating playbooks. Compare with SOAR and playbooks.

S

SaaS—Software as a Service. A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS and XaaS.

salt—A random set of data added to a password when creating the hash, stored alongside the hash so it can be reused for verification. PBKDF2, Bcrypt, and Argon2 are password hashing functions that use salts. Salts thwart rainbow table attacks because a precomputed table would have to be built separately for every salt value.

salting—The process of adding a random set of data to a password when creating the hash. PBKDF2, Bcrypt, and Argon2 are three password hashing functions that use salts.
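The PBKDF2, rainbow table, salt, and salting entries describe one mechanism from different angles; the following Python is an added example, not code from the study guide, that shows it working. It builds a small constructed "rainbow table" of unsalted SHA-256 digests, cracks an unsalted hash with one lookup, then stores the same password with PBKDF2-HMAC-SHA256 and a random salt so that the lookup misses and two users with the same password get different records. The stored record layout `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>` and the function names are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation)

# Constructed "rainbow table": precomputed UNSALTED SHA-256 digests for a handful
# of common passwords. A real table holds billions of entries; the lookup is the same.
COMMON_PASSWORDS = ["password", "letmein", "Winter2024!", "hunter2"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(digest: str) -> Optional[str]:
    """One dictionary lookup recovers an unsalted password; salted digests miss."""
    return RAINBOW_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Storing the salt and the
    iteration count beside the hash is what lets verification recompute it."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record used a lower work factor than current policy,
    so it should be re-hashed at the user's next successful login."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    weak = unsalted_hash("letmein")
    print("unsalted SHA-256 cracked by table lookup:", crack_with_table(weak))
    rec_a = hash_password("letmein")
    rec_b = hash_password("letmein")
    print("same password, different records:", rec_a != rec_b)
    print("table lookup against salted hash:", crack_with_table(rec_a.split("$")[-1]))
    print("verify correct / wrong:",
          verify_password("letmein", rec_a), verify_password("letmein!", rec_a))
```

The iteration count is the key stretching part: at 600,000 iterations each guess costs the attacker roughly half a second of CPU per candidate, and `needs_rehash` is how a deployment raises that number over time without forcing password resets.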

SAML—Security Assertion Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

SAN—Storage Area Network. A specialized network of high-speed storage devices.

sandboxing—The use of an isolated area on a system, typically for testing. Virtual machines are often used to test patches in an isolated sandbox. Application developers sometimes use sandboxes to create isolated systems for testing. Antivirus software uses sandboxes to check suspicious software before allowing it to run on a system.

sanitize—The process of destroying or removing all sensitive data from systems and devices. Data sanitization methods include burning, shredding, pulping, pulverizing, degaussing, purging, and wiping.

SCADA—Supervisory control and data acquisition. A system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.

scalability—A system's ability to handle increased workload either by scaling up or by scaling out. Scaling up adds additional resources (such as more RAM) to a server, and scaling out adds additional servers. Compare with elasticity.

SCP—Secure Copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses TCP port 22.

screened subnet—A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the screened subnet, but the screened subnet provides a layer of protection for the internal network. A screened subnet was previously known as a demilitarized zone (DMZ). Compare with DMZ.

screen filter—A physical security device used to reduce visibility of a computer screen. Screen filters help prevent shoulder surfing.

script kiddie—An attacker with little expertise or sophistication. Script kiddies use existing scripts to launch attacks.

SDN—Software-defined networking. A method of using software and virtualization technologies to manage a network. SDN separates the control plane (the decisions about where traffic goes) from the data plane (the switches and routers that forward it) and programs the forwarding devices from a central controller, so network behavior can be changed in software rather than by reconfiguring each device.

SDV—Software-defined visibility. Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.

Secure Hash Algorithm (SHA)—A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 is a family named for its output sizes (SHA-224, SHA-256, SHA-384, and SHA-512, plus the truncated SHA-512/224 and SHA-512/256). SHA-3 (previously known as Keccak) was selected after a public competition and uses a different internal construction, so a weakness in SHA-2 would not automatically apply to it.

Secure/Multipurpose Internet Mail Extensions (S/MIME)—Used to secure email. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.

Security Orchestration, Automation, and Response (SOAR)—Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses, and playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.

Secure Real-time Transport Protocol (SRTP)—A protocol used to encrypt and provide authentication for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.

Secure Shell (SSH)—A protocol used to encrypt network traffic. SSH encrypts remote shell sessions and the file transfer protocols built on it, SCP and SFTP, and it can tunnel (port-forward) other TCP traffic through the encrypted connection. SSH uses TCP port 22. SSH is a more secure alternative to Telnet when connecting to remote servers.

Secure Sockets Layer (SSL)—The predecessor to TLS. SSL is used to encrypt data in transit with the use of certificates.

Security Assertion Markup Language (SAML)—An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

security incident—An adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. Sometimes referred to as an incident.

Security information and event management (SIEM)—A system that provides a centralized solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs.

SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive. Compare with FDE.

self-encrypting drive (SED)—A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive. Compare with FDE.

SELinux—Security-Enhanced Linux. An operating system platform that prevents malicious or suspicious code from executing on both Linux and Unix systems. It is one of the few operating systems that use the MAC model. Enforcing mode will enforce the SELinux policy and ignore permissions. Permissive mode does not enforce the SELinux policy but instead logs any access that would normally be blocked. Disabled mode does not enforce the SELinux policy and does not log anything related to the policy.

separation of duties—A security principle. The separation of duties principle prevents any single person or entity from controlling all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.

service account—An account used by a service or application.

service level agreement (SLA)—An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers (ISPs).

session hijacking—An attack that attempts to impersonate a user by capturing and using a session ID. Session IDs are stored in cookies.

Service Set Identifier (SSID)—The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it with a wireless sniffer. It’s recommended to change the SSID from the default name.

SFTP—SSH File Transfer Protocol. An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.

SHA—Secure Hash Algorithm. A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 has four versions (SHA-256, SHA-512, SHA-224, and SHA-384). SHA-3 (previously known as Keccak) was selected as the next version after a public competition.

shadow IT—Unauthorized systems or applications installed on a network. Users sometimes install systems without approval, often to bypass security controls. Shadow IT increases risks because these systems aren’t managed.

shimming—A driver manipulation method. It uses additional code to modify the behavior of a driver.

Simple Network Management Protocol, version 3 (SNMPv3)—Used to manage and monitor network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.

single loss expectancy (SLE)—The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with ALE and ARO.

shoulder surfing—The practice of looking over someone’s shoulder to obtain information, such as on a computer screen. A screen filter placed over a monitor helps reduce the success of shoulder surfing.

shredding—A method of destroying data or sanitizing media. Cross-cut paper shredders cut papers into fine particles. File shredders remove all remnants of a file by overwriting the contents multiple times.

sideloading—The process of copying an application package to a mobile device. It is useful for developers when testing apps, but can be risky if users sideload unauthorized apps to their device.

SIEM—Security information and event management. A system that provides a centralized solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs.

signature-based—A type of monitoring used on intrusion detection and intrusion prevention systems. It detects attacks based on known attack patterns documented as attack signatures.

SIM—Subscriber Identity Module. A small card that contains programming and information for small devices such as cell phones. The SIM card identifies what countries or networks the device will use.

simulation exercise—A functional exercise that allows personnel to test plans in a simulated operational environment. Personnel go through the actual steps of an exercise but in a simulated environment.

single point of failure (SPOF)—Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.

single sign-on (SSO)—Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

SLA—Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers (ISPs).

SLE—Single loss expectancy. The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with ALE and ARO.

smart card—A credit card-sized card that has an embedded microchip and a certificate. It is used for authentication in the something you have factor of authentication.

S/MIME—Secure/Multipurpose Internet Mail Extensions. Used to secure email. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.

smishing—A mashup of SMS and phishing. The practice of sending spam to users via text.

SMS—Short Message Service. A basic text messaging service. Most mobile devices support SMS. Compare with Multimedia Message Service and Rich Communication Services.

SMTP—Simple Mail Transfer Protocol. Used to transfer email between clients and servers and between email servers and other email servers. SMTP uses TCP port 25.

snapshot—A copy of a virtual machine (VM) at a moment in time. If you later have problems with the VM, you can revert it to the state it was in when you took the snapshot. Some backup programs also use snapshots to create a copy of data at a moment in time.

SNMPv3—Simple Network Management Protocol, version 3. Used to manage and monitor network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.

SOAR—Secure Orchestration, Automation, and Response. Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.

SoC—System on chip. An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC.

social engineering—The practice of using social tactics to gain information. Social engineers attempt to gain information from people, or get people to do things they wouldn’t normally do.

Software as a Service (SaaS)—A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS, and XaaS.

software defined network (SDN)—A method of using software and virtualization technologies to replace hardware routers. SDNs separate the data and control planes.

software-defined visibility (SDV)—Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.

solid state drive (SSD)—A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.

someone you know—An authentication attribute. The someone you know attribute indicates that someone is vouching for you. Compare with somewhere you are, something you can do, something you exhibit, and authentication factors.

something you are—An authentication factor. The something you are factor of authentication uses biometrics, such as a fingerprint scanner. Compare with something you know and something you have.

something you can do—An authentication attribute. The something you can do attribute indicates action, such as gestures on a touch screen. Compare with somewhere you are, something you exhibit, someone you know, and authentication factors.

something you exhibit—An authentication attribute. The something you exhibit attribute indicates something someone wears, such as an identification badge. Compare with somewhere you are, something you can do, someone you know, and authentication factors.

something you have—An authentication factor. The something you have factor of authentication refers to something a user possesses, such as a smart card. Compare with something you know and something you are.

something you know—An authentication factor. The something you know factor of authentication refers to something a user knows, such as a password or PIN. Compare with something you have and something you are.

somewhere you are—An authentication attribute. The somewhere you are attribute identifies a user’s location using geolocation technologies. Compare with something you can do, something you exhibit, someone you know, and authentication factors.

spam—Unwanted or unsolicited email. Attackers often launch attacks using spam.

spam filter—A method of blocking unwanted email. By blocking email, it often blocks malware.

spam over Internet messaging (SPIM)—A form of spam using instant messaging. SPIM targets instant messaging users.

Spanning Tree Protocol (STP)—Protocol enabled on most switches that protects against switching loops. A switching loop is caused when two ports of a switch are connected together.

spear phishing—A targeted form of phishing. Spear phishing attacks attempt to target specific groups of users, such as those within a specific organization or even a single user.

SPIM—Spam over Internet Messaging. A form of spam using instant messaging. SPIM targets instant messaging users.

split tunnel—An encrypted connection used with VPNs. A split tunnel only encrypts traffic going to private IP addresses used in the private network. Compare with full tunnel.

SPOF—Single point of failure. Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.

spraying attack—A password attack that loops through a list of targeted user accounts. It picks a password and then tries it against each of the accounts in the list. These targeted user accounts can be on multiple systems. Once it gets through the list, it picks another password and loops through the list again. This bypasses account lockout policies because it takes a long time before it guesses a password for the same account again.

spyware—Software installed on users’ systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Compare with potentially unwanted programs.

SQL—Structured Query Language. Used by SQL-based databases, such as Microsoft SQL Server. Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.

SRTP—Secure Real-time Transport Protocol. A protocol used to encrypt and provide authentication for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.

SSD—Solid state drive. A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.

SSH—Secure Shell. A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure alternative to Telnet when connecting to remote servers.

SSH File Transfer Protocol (SFTP)—An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.

SSID—Service Set Identifier. The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it with a wireless sniffer. It’s recommended to change the SSID from the default name.

SSO—Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

stapling—The process of appending a digitally signed OCSP response to a certificate. It reduces the overall OCSP traffic sent to a CA.

stateful firewall—A firewall that filters traffic based on the state of the traffic within a session. A stateful firewall inspects traffic and makes decisions based on the traffic context or state.

stateless firewall—A firewall that filters traffic based on the contents of each packet. Stateless firewalls filter traffic based on IP addresses, ports, and protocols.

steganography—The practice of hiding data within data. For example, it’s possible to embed text files within an image, hiding them from casual users. Other methods include hiding data with audio and video files. Steganography can obscure data to hide it.

Storage Area Network (SAN)—A specialized network of high-speed storage devices.

storage segmentation—A method used to isolate data on mobile devices. It allows personal data to be stored in one location and encrypted corporate data to be stored elsewhere.

stored procedures—A group of SQL statements that execute as a whole, similar to a mini-program. Developers use stored procedures to prevent SQL injection attacks.

STP—Spanning Tree Protocol. Protocol enabled on most switches that protects against switching loops. A switching loop is caused when two ports of a switch are connected together.

stream cipher—An encryption method that encrypts data as a stream of bits or bytes. Compare with block cipher.

Structured Query Language (SQL)—Used by SQL-based databases, such as Microsoft SQL Server. Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.

Subscriber Identity Module (SIM)—A small smart card that contains programming and information for small devices such as cell phones. The SIM card identifies what countries or networks the device will use.

substitution cipher—An encryption method that replaces characters with other characters.

Supervisory control and data acquisition (SCADA)—A system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.

supply chain—All the elements required to produce and sell products and services. If the supply chain is disrupted, it impacts an organization’s ability to produce and sell products and services.

switch—A network device used to connect devices. Layer 2 switches send traffic to ports based on their MAC addresses. Layer 3 switches send traffic to ports based on their IP addresses and support VLANs.

symmetric encryption—A type of encryption using a single key to encrypt and decrypt data. Symmetric encryption is faster than asymmetric encryption. Compare with asymmetric encryption.

SYN—Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this packet, but don’t complete the handshake after receiving the SYN/ACK packet.

system on chip (SoC)—An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC.

T

tabletop exercise—A discussion-based exercise where participants talk through an event while sitting at a table or in a conference room. It is often used to test business continuity plans (BCPs) and disaster recovery plans (DRPs).

TACACS+—Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and is used as an alternative to RADIUS. TACACS+ uses TCP port 49. It encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.

tainted data—A risk associated with machine learning and AI-enabled systems. People write algorithms, and sometimes people inadvertently insert their bias into their code and the data used by their code. As an example, the Correctional Offender Management Profiling for Alternative Sanctions (COMPAS) algorithm used in US court systems to predict recidivism reportedly produced twice as many false positives for black offenders (45%) as for white offenders (23%). Compare with data bias.

tailgating—A social engineering attack where one person follows behind another person without using credentials. Access control vestibules help prevent tailgating.

TCO—Total cost of ownership. A factor considered when purchasing new products and services. TCO attempts to identify the cost of a product or service over its lifetime.

TCP—Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake. Compare with UDP.

TCP/IP—Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols used on the Internet and most internal networks.

tcpdump—A command-line protocol analyzer. Administrators use it to capture packets.

tcpreplay—A command-line protocol tool. Tcpreplay is a suite of utilities used to edit packet captures and then send the edited packets over the network.

technical controls—Security controls implemented through technology. This includes hardware, software, and firmware technical controls. Compare with managerial and operational controls.

technology diversity—The practice of using different technologies to protect an environment. Compare with control diversity, vendor diversity, and crypto diversity.

Terminal Access Controller Access-Control System+ (TACACS+)—Provides central authentication for remote access clients and is used as an alternative to RADIUS. TACACS+ uses TCP port 49. It encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.

tethering—The process of sharing an Internet connection from one mobile device to another.

TFTP—Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

TGT—Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped tickets that expire after a certain time period.

third-party app store—An app store other than the primary source for mobile device apps. It refers to an app store other than the App Store or Google Play for Apple and Android devices, respectively.

threat—Any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. Compare with risk and vulnerability.

time-based logins—An account restriction that prevents users from logging on at certain times.

Time-based One-Time Password (TOTP)—An open standard used for creating one-time passwords. TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP.

time offset—An offset used by logs to provide consistency in timestamps. As an example, many logs use Greenwich Mean Time (GMT) for log entries, but a time offset needs to be applied to determine the local time for log entries.

TLS—Transport Layer Security. Used to encrypt data in transit. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAP-TTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.

token—An authentication device or file. A hardware token is a physical device used in the something you have factor of authentication. A software token is a small file used by authentication services indicating a user has logged on.

tokenization—A practice of replacing sensitive data with a token which is a string of characters. Point of sale (POS) terminals use tokenization to replace credit card data with tokens. Only a third-party entity (such as the credit card processor) can convert the token into the original data (the credit card data in this example).

TOTP—Time-based One-Time Password. An open standard used for creating one-time passwords. TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP.

TPM—Trusted Platform Module. A hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM provides full disk encryption. Compare with HSM.

tracert—A command-line tool. It is used to trace the route between two systems.

Transport Layer Security (TLS)—Used to encrypt data in transit. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAP-TTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.

Trivial File Transfer Protocol (TFTP)—Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

Trojan—Malware also known as a Trojan horse. A Trojan often looks useful, but is malicious.

Trusted Platform Module (TPM)—A hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM provides full disk encryption. Compare with HSM.

Twofish—A symmetric key block cipher. It encrypts data in 128-bit blocks and supports 128-, 192-, or 256-bit keys. Compare with Blowfish.

typo squatting—The purchase of a domain name that is close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called URL hijacking.

U

UAVs—Unmanned aerial vehicles. Flying vehicles piloted by remote control or onboard computers.

UDP—User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism. Compare with TCP.

UEFI—Unified Extensible Firmware Interface. A method used to boot some systems and intended to replace Basic Input/Output System (BIOS) firmware. Compare with BIOS.

Uniform Resource Locator (URL) redirection—A technique used to redirect traffic to a different page or a different site.

uninterruptible power supply (UPS)—A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time to shut down smoothly or transfer to generator power. Generators provide long-term power in extended outages.

unknown environment test—A type of penetration test. Testers have zero knowledge of the environment prior to starting the test. This was previously known as a black box test. Compare with known environment test and partially known environment test.

UPS—Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time to shut down smoothly or transfer to generator power. Generators provide long-term power in extended outages.

URI—Uniform Resource Identifier. Used to identify the name of a resource and always includes the protocol such as http://GetCertifiedGetAhead.com.

URL—Uniform Resource Locator. A type of URI. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are allowed.

URL hijacking—The purchase of a domain name that is close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called typo squatting.

USB—Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash drives, and external hard disk drives. Data on USB drives can be protected against loss of confidentiality with encryption. Attackers have spread malware through Trojans.

USB On-The-Go (OTG)—A cable used to connect mobile devices to other devices. It is one of many methods that you can use to connect a mobile device to external media.

use case—A methodology used in system analysis and software engineering to identify and clarify requirements to achieve a goal. For example, a use case of supporting confidentiality can help an organization identify the steps required to protect the confidentiality of data.

UTM—Unified threat management. A security appliance that combines multiple security controls into a single solution. UTM appliances can inspect data streams for malicious content and often include URL filtering, malware inspection, and content inspection components.

V

VDI—Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops from desktop PCs or mobile devices.

vendor diversity—The practice of implementing security controls from different vendors to increase security. Compare with control diversity, technology diversity, and crypto diversity.

version control—A method of tracking changes to software as it is updated.

Virtualization Desktop Infrastructure (VDI)—Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops from desktop PCs or mobile devices.

virtualization—A technology that allows you to host multiple virtual machines on a single physical system.

virtual local area network (VLAN)—A method of segmenting traffic. A VLAN can logically group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.

virtual machine (VM) escape—An attack that allows an attacker to access the host system from within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches. Compare with virtual machine sprawl.

virtual machine (VM) sprawl—A vulnerability that occurs when an organization has VMs that aren’t properly managed. Unmanaged VMs are not kept up to date with current patches. Compare with virtual machine escape.

virtual private network (VPN)—Provides access to a private network over a public network such as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs.

virus—Malicious code that attaches itself to a host application. The host application must be executed to run, and the malicious code executes when the host application is executed.

vishing—A phishing attack using phones. Vishing attacks often use Voice over IP (VoIP) technologies.

VLAN—Virtual local area network. A method of segmenting traffic. A VLAN can logically group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.

VM—Virtual machine. A virtual system hosted on a physical system. A physical server can host multiple VMs as servers. Virtualization helps reduce the amount of physical equipment required, reducing overall physical security requirements such as HVAC and power.

Voice over IP (VoIP)—A group of technologies used to transmit voice over IP networks. Vishing is a form of phishing that sometimes uses VoIP.

voice recognition—A biometric authentication system. Voice recognition systems identify who is speaking using speech recognition.

VoIP—Voice over IP. A group of technologies used to transmit voice over IP networks. Vishing is a form of phishing that sometimes uses VoIP.

VPN—Virtual private network. Provides access to a private network over a public network such as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs.

vulnerability—A weakness. It can be a weakness in the hardware, the software, the configuration, or even the users operating the system. Compare with risk and threat.

vulnerability scanner—A tool used to detect vulnerabilities. A scan typically identifies vulnerabilities, misconfigurations, and a lack of security controls. It passively tests security controls.

W

WAF—Web application firewall. A firewall specifically designed to protect a web application. A WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-site scripting attack, and block it.

walkthrough exercise—Workshops or orientation seminars that train team members about their roles and responsibilities. Walkthroughs familiarize personnel with an organization’s business continuity plans and their roles and responsibilities.

WAP—Wireless access point. A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).

warm site—An alternate location for operations. A compromise between an expensive hot site and a cold site. Compare with cold site and hot site.

watering hole attack—An attack method that infects websites that a group is likely to trust and visit.

wearable technology—Smart devices that a person can wear or have implanted.

web application firewall (WAF)—A firewall specifically designed to protect a web application. A WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-site scripting attack, and block it.

whaling—A form of spear phishing that attempts to target high-level executives. When successful, attackers gain confidential company information that they might not be able to get anywhere else.

white team—Personnel involved in cybersecurity readiness. Compare with red team, blue team, purple team, and capture the flag.

WiFi analyzers—Devices used to identify activity on the wireless spectrum. WiFi analyzers are commonly used with site surveys. Compare with wireless scanner.

WiFi Direct—A standard that allows devices to connect without a wireless access point. Compare with ad hoc.

WiFi Protected Access 2 (WPA2)—Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.

WiFi Protected Access 3 (WPA3)—Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange.

WiFi Protected Setup (WPS)—Allowed users to easily configure a wireless network, often by using only a PIN. WPS brute-force attacks can discover the PIN when WPS is used with WPA2.

wildcard certificate—A certificate whose subject name begins with an asterisk, such as *.example.com, so that it can be used for multiple subdomains of the same domain. The asterisk matches a single DNS label: *.example.com covers www.example.com and mail.example.com, but not example.com itself or a.b.example.com.
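
The single-label rule above is what a TLS client applies when it compares the hostname it connected to against the name in the certificate. The following is an added example, not code from the study guide: `hostMatchesCertName` is a hypothetical helper, the hostnames are constructed, and it conservatively treats only a leading `*.` as a wildcard (RFC 6125 style) while ignoring public-suffix restrictions.

```javascript
// Added example: matching a hostname against a wildcard certificate name.
// A wildcard stands in for exactly one DNS label, never the bare domain
// and never two or more labels.
function hostMatchesCertName(certName, hostname) {
  const name = certName.trim().toLowerCase();
  const host = hostname.trim().toLowerCase().replace(/\.$/, "");
  if (!name.startsWith("*.")) {
    return name === host;             // plain name: exact match only
  }
  const suffix = name.slice(2);        // "*.example.com" -> "example.com"
  if (!host.endsWith("." + suffix)) {
    return false;                      // host is not under the wildcard's domain
  }
  // Whatever the wildcard absorbed must be one non-empty label (no dots).
  const leftmost = host.slice(0, host.length - suffix.length - 1);
  return leftmost.length > 0 && !leftmost.includes(".");
}

// Report, for a list of hostnames, which ones a given certificate name covers.
function wildcardCoverage(certName, hostnames) {
  return Object.fromEntries(
    hostnames.map((h) => [h, hostMatchesCertName(certName, h)])
  );
}

// Constructed sample: hostnames checked against a hypothetical wildcard name.
const sampleHosts = [
  "www.example.com",            // covered
  "mail.example.com",           // covered
  "example.com",                // not covered: the wildcard is not optional
  "a.b.example.com",            // not covered: two labels, wildcard matches one
  "www.example.com.evil.test",  // not covered: different domain entirely
];
console.log(wildcardCoverage("*.example.com", sampleHosts));
```

Matching is case-insensitive because DNS names are; a trailing dot on the hostname is stripped first. A certificate can also list additional names in its Subject Alternative Name extension, so a production client checks every listed name, not just the subject.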

wiping—The process of completely removing all remnants of data on a disk. A bit-level overwrite writes patterns of 1s and 0s, often multiple times, to ensure data on a magnetic disk is unreadable. Overwriting is unreliable on solid-state drives because the controller remaps blocks, so those are sanitized with the drive’s built-in secure erase or with cryptographic erase instead.

wireless access point (WAP)—A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).

wireless scanners—Network scanners that scan wireless frequency bands. Scanners can help discover rogue APs and can capture traffic used to crack the passwords of wireless APs. Sometimes called WiFi analyzers.

Wireshark—A free protocol analyzer. Wireshark is a cross-platform application (Windows, macOS, and Linux) used to capture and analyze packets sent over a network.

worm—Self-replicating malware that travels through a network. Worms do not need user interaction to execute.

WPA—WiFi Protected Access. A legacy wireless security protocol that used TKIP for encryption. WPA2 and WPA3 have superseded WPA.

WPA2—WiFi Protected Access 2. Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.

WPA3—WiFi Protected Access 3. Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is a password-authenticated key exchange built on Diffie–Hellman, so a captured handshake cannot be used for an offline dictionary attack on the passphrase.

WPS—WiFi Protected Setup. Allowed users to easily configure a wireless network, often by using only a PIN. WPS brute-force attacks can discover the PIN when WPS is used with WPA2.

WPS attack—An attack against an AP. A WPS attack discovers the eight-digit WPS PIN by brute force and uses it to recover the AP passphrase. Disabling WPS on the AP prevents the attack, and WPA3 is resistant to WPS attacks.

X

XaaS—Anything as a Service. A cloud computing model. XaaS refers to any cloud computing model not identified in the IaaS, PaaS, or SaaS models. Compare with IaaS, PaaS, and SaaS.

XML—Extensible Markup Language. A markup language for structured data that many applications and databases use to import or export data. XML uses tags and formatting rules to describe the data it carries.

XSRF—Cross-site request forgery. A web application attack. Attackers use XSRF attacks to trick a logged-in user’s browser into sending requests the user did not intend, such as making purchases, without the user’s knowledge. The attack works because the browser automatically attaches the user’s session cookie to the forged request, so the website treats it as legitimate. Anti-CSRF tokens and the SameSite cookie attribute help prevent it.

XSS—Cross-site scripting. A web application vulnerability that allows attackers to inject scripts into webpages viewed by other users. Attackers use XSS to capture user information such as session cookies. Encoding untrusted data when it is written into a page, combined with input validation on the server side, helps prevent XSS attacks. Many sites reject the < and > characters in input to block script tags, but that alone does not protect values placed inside HTML attributes or scripts, where other characters such as quotes break out of the intended context.
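
The point about output encoding versus stripping angle brackets, as an added example that is not from the study guide: the two render functions and the two payloads are constructed, and `analyse` is a throwaway oracle that only checks the fixed template shape used here.

```javascript
// Added example: rendering untrusted input unencoded, with angle brackets
// stripped, and with HTML entity encoding on output.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// Encode every character that can change meaning in an HTML text or
// attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted name lands in the page unchanged, once in text
// and once inside a quoted attribute.
function renderProfileVulnerable(name) {
  return `<p>Welcome, ${name}</p><input value="${name}">`;
}

// Hardened: every interpolation point is encoded for an HTML context.
function renderProfileSafe(name) {
  const safe = escapeHtml(name);
  return `<p>Welcome, ${safe}</p><input value="${safe}">`;
}

// The naive input filter some sites rely on: drop < and > and nothing else.
function stripAngleBrackets(value) {
  return String(value).replace(/[<>]/g, "");
}

// Oracle for the demo (assumes the template above): did a raw <script> tag
// survive, or did a raw quote land inside the value attribute?
function analyse(html) {
  const attr = html.match(/<input value="(.*)">$/);
  return {
    rawScriptTag: /<script/i.test(html),
    attributeBreakout: attr !== null && attr[1].includes('"'),
  };
}

// Constructed payloads: a classic script tag, and an attribute break-out that
// contains no angle brackets at all.
function demo() {
  const payloads = {
    scriptTag: "<script>alert(1)</script>",
    attributeBreakout: '" onfocus="alert(1)" autofocus="',
  };
  const out = {};
  for (const [name, p] of Object.entries(payloads)) {
    out[name] = {
      vulnerable: analyse(renderProfileVulnerable(p)),
      bracketsStripped: analyse(renderProfileVulnerable(stripAngleBrackets(p))),
      encoded: analyse(renderProfileSafe(p)),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Stripping angle brackets stops the script-tag payload but leaves the attribute break-out untouched, because that payload needs only a double quote; entity encoding on output neutralizes both. Values placed inside JavaScript, URLs, or CSS need the encoding rules for those contexts rather than HTML entity encoding.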

Z

zero-day vulnerability—A vulnerability or bug that is unknown to the vendor and the public, so no patch exists, but that attackers know about and can exploit. Zero-day attacks take advantage of zero-day vulnerabilities.

zero trust—A network that doesn’t trust any device or user by default, even inside the perimeter. This helps reduce attacks that come from compromised internal clients. Zero trust isn’t a technology but a security model: every access request is authenticated and authorized regardless of where it originates.