Term | Definition |
802.1x | 802.1x—A port-based authentication protocol. For example, WPA2 Enterprise mode uses A ___ server (implemented as a RADIUS server). Enterprise mode requires an ___server. |
3DES | Triple Data Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks.Is still used in some applications, such as when hardware doesn’t support AES. |
AAA | ___ protocols are used in remote access systems. Authentication verifies a user’s identification. Authorization determines if a user should have access. Accounting tracks a user’s access with logs. |
ACE | Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS. |
ACK | Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN packet, but don’t complete the handshake after receiving the SYN/ACK packet. |
ACL | Access control list. Routers and packet-filtering firewalls perform basic filtering using an ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols. In NTFS, a list of ACEs makes up the ACL for a resource |
AES | Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher. It is highly secure, and used in a wide assortment of cryptography schemes. It can be 128 bits, 192 bits, or 256 bits. |
AES-256 | Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys and AES-256 uses 256-bit encryption keys. Interestingly, Blowfish is quicker than AES-256. |
AH | Authentication Header. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC, and AES or 3DES. AH is identified with protocol ID number 51. |
ALE | Annual (or annualized) loss expectancy. The ALE identifies the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. |
AP | Access point, short for wireless access point (WAP). APs provide access to a wired network to wireless clients. Many APs support Isolation mode to segment wireless users from other wireless users. |
API | Application Programming Interface. A software module or component that identifies inputs and outputs for an application. |
APT | Advanced persistent threat. A group that has both the capability and intent to launch sophisticated and targeted attacks. |
ARO | Annual (or annualized) rate of occurrence. The ARO identifies how many times a loss is expected to occur in a year and it is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. |
ARP | Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates. NDP is used with IPv6 instead of ARP. |
ASCII | American Standard Code for Information Interchange. Code used to display characters. |
ASP | Application Service Provider. Provides an application as a service over a network. |
AUP | Acceptable use policy. An AUP defines proper system usage. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems. |
BAC | Business Availability Center. An application that shows availability and performance of applications used or provided by a business. |
BCP | Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return from critical failures. |
BIA | Business impact analysis identifies systems and components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an incident. |
BIND | Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix servers. Most Internet-based DNS servers use BIND. |
BIOS | Basic Input/Output System. A computer’s firmware used to manipulate different settings such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. |
BPA | Business partners agreement. A written agreement that details the relationship between business partners, including their obligations toward the partnership. |
BYOD | Bring your own device. A policy allowing employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies and organizations often use VLANs to isolate mobile devices. |
CA | Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificate owners share their public key by sharing a copy of their certificate. |
CAC | Common Access Card. A specialized type of smart card used by the U.S. Department of Defense. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. It is similar to a PIV. |
CAN | Controller Area Network. A standard that allows microcontrollers and devices to communicate with each other without a host computer. |
CAPTCHA | Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a web site. Users must type in text, often from a slightly distorted image. |
CAR | Corrective Action Report. A report used to document actions taken to correct an event, incident, or outage. |
CCMP | Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security. It is more secure then TKIP, which was used with the original release of WPA. |
CCTV | Closed-circuit television. This is a detective control. Video surveillance provides reliable proof of a person’s location and activity. It is also a physical security control and it can increase the safety of an organization’s assets. |
CERT | Computer Emergency Response Team. A group of experts who respond to security incidents. Also known as CIRT, SIRT, or IRT. |
CHAP | Challenge Handshake Authentication Protocol. Authentication mechanism where a server challenges a client. More secure than PAP and uses PPP. MS-CHAPv2 is an improvement over CHAP and uses mutual authentication. |
CIA | Confidentiality, integrity, and availability, the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified. Availability indicates that data and services are available |
CIO | Chief Information Officer. A “C” level executive position in some organizations. A CIO focuses on using methods within the organization to answer relevant questions and solve problems. |
CIRT | Computer Incident Response Team. A group of experts who respond to security incidents. Also known as CERT, SIRT, or IRT. |
COOP | Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes everything the primary site has with all the data up to date. A cold site will have power and connectivity but little else. |
CP | Contingency planning. Plans for contingencies in the event of a disaster to keep an organization operational. BCPs include contingency planning. |
CRC | Cyclical Redundancy Check. An error detection code used to detect accidental changes that can affect theintegrity of data. |
CRL | Certification revocation list. A list of certificates that a CA has revoked. Certificates are commonly revoked if they are compromised, or issued to an employee who has left the organization. |
CSR | Certificate signing request. A method of requesting a certificate from a CA. It starts by creating an RSA-based private/public key pair and then including the public key in the CSR. |
CSR | Control Status Register. A register in a processor used for temporary storage of data. |
CSU | Channel Service Unit. A line bridging device used with T1 and similar lines. It typically connects with a DSU as a CSU/DSU. |
CTO | Chief Technology Officer. A “C” level executive position in some organizations. CTOs focus on technology and evaluate new technologies. |
CVE | Common Vulnerabilities and Exposures (CVE). A dictionary of publicly known security vulnerabilities and exposures. |
DAC | Discretionary access control. An access control model where all objects have owners and owners can modify permissions for the objects (files and folders). Microsoft NTFS uses the DAC model. Other access control models are MAC and RBAC. |
DACL | Discretionary access control list. List of Access Control Entries (ACEs) in Microsoft NTFS. Each ACE includes a security identifier (SID) and a permission. |
DBA | Database administrator. A DBA administers databases on database servers. |
dBd | Decibels-dipole. Identifies the gain of an antenna compared with a type of dipole antenna. Higher dBd numbers indicate the antenna can transmit and receive over greater distances. |
dBi | Decibels-isotropic. Identifies the gain of an antenna and is commonly used with omnidirectional antennas. Higher numbers indicate the antenna can transmit and receive over greater distances. |
dBm | Decibels-milliwatt. Identifies the power level of the WAP and refers to the power ratio in decibels referenced to one milliwatt. Higher numbers indicate the WAP transmits the signal over a greater distance. |
DDoS | Distributed denial-of-service. An attack on asystem launched from multiple sources intended to make a computer’s resources or services unavailable to users. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS. |
DEP | Data Execution Prevention. A security feature in some operating systems. It helps prevent an application or service from executing code from a nonexecutable memory region. |
DES | Digital Encryption Standard. An older symmetric encryption standard used to provide confidentiality. DES is a block cipher and it encrypts data in 64-bit blocks. DES uses 56 bits and is considered cracked. Use AES instead, or 3DES if the hardware doesn’t |
DHCP | Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more. |
DHE | Data-Handling Electronics. Term used at NASA indicating electronic systems that handle data. |
DHE | Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each new session. Sometimes listed as EDH. |
DLL | Dynamic Link Library. A compiled set of code that can be called from other programs. |
DLP | Data loss prevention. A network-based DLP system can examine and analyze network traffic. It reduce the risk of internal users emailing sensitive data outside the company. End-point DLP systems can prevent users from copying or printing sensitive data. |
DMZ | Demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. The DMZ provides a layer of protection for the internal network. |
DNAT | Dynamic Network Address Translation. A form of NAT that uses multiple public IP addresses. In contrast, PAT uses a single public IP address. It hides addresses on an internal network. |
DNAT | Destination Network Address Translation. A form of NAT that changes the destination IP address for incoming traffic. It is used for port forwarding. |
DNS | Domain Name System. Used to resolve host names to IP addresses. DNS zones include records such as A records for IPv4 addresses and AAAA records for IPv6 addresses. DNS poisoning attacks attempt to modify or corrupt DNS data. |
DNSSEC | Domain Name System Security Extensions. A suite of specifications used to protect the integrity of DNS records and prevent DNS poisoning attacks. |
DoS | Denial-of-service. An attack from a single source that attempts to disrupt the services provided by the attacked system. Compare to DDoS. |
DRP | Disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. |
DSA | Digital Signature Algorithm is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key. |
DSL | Digital subscriber line. Improvement over traditional dial-up to access the Internet. |
DSU | Data Service Unit. An interface used to connect equipment to a T1 and similar lines. It typically connects with a CSU as a CSU/DSU. |