Electromagnetic signals that are emitted by an electronic device.
A hardware security module that connects to the microSD port on a device that has such a port.
Capability of software to gather information and make conclusions.
push notification services
Services that allow unsolicited messages to be sent by an application to a mobile device even when the application is not open on the device.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Act that requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities.
USB on the GO (USB OTG)
A specification first used in late 2001 that allows USB devices, such as tablets or smartphones, to act as either a USB host or a USB device.
An XSS attack in which the hacker stores the user input on the target server, such as in a database, in a message forum, a visitor log, a comment field, and so forth, and then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. Also called a stored or Type I attack.
security regression testing
A subset of regression testing that validates that changes have not reduced the security of the application or opened new weaknesses.
An enterprise security architecture framework that uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual).
Device exposed directly to the Internet or to any untrusted network while screening the rest of the network from exposure.
Involves limiting the scope of an incident by leveraging existing segments of the network as barriers to prevent the spread to other segments.
A master/slave protocol used in building automation and industrial control; its TCP variant (Modbus TCP) uses port 502.
A door control that reads a proximity card from a short distance and is used to control access to a sensitive room.
Analysis that determines the susceptibility of a system to a particular threat/risk using decision rules or weighing methods.
field programmable gate array (FPGA)
A type of programmable logic device (PLD) whose logic blocks and interconnects are configured after manufacture by loading a configuration bitstream; most FPGAs hold that configuration in SRAM and can be reprogrammed, while antifuse-based parts are one-time programmable. A PLD is an integrated circuit with connections or internal logic gates that can be changed through a programming process.
How the password will be structured.
single sign-on (SSO)
An environment in which a user enters their login credentials once and can then access all authorized resources in the network without authenticating again.
user and entity behavior analytics (UEBA)
A type of cybersecurity analysis that focuses on normal user activities and detects anomalous behavior when there are deviations from the norm.
Analyzing the entire memory content used by an application.
wireless key logger
Collects information and transmits it to the criminal via Bluetooth or Wi-Fi.
The process of using a programming tool to not only identify syntactic problems in code but also discover weaknesses that can lead to memory leaks and buffer overflows.
Internet Protocol Security (IPsec)
A suite of protocols (AH, ESP, and IKE) that authenticates, and optionally encrypts, IP traffic between two peers.
Corner of the Diamond Model that describes a single victim or multiple victims.
Software code analysis done with the code executing.
Computer Fraud and Abuse Act (CFAA)
Affects any entities that engage in hacking of “protected computers,” as defined in the act.
Solutions have been developed by the organization that do not follow standards.
Occurs when math operations try to create a numeric value that is too large for the available space.
A segment of the communication path that an attack uses to access a vulnerability.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
An e-mail authentication and reporting protocol that builds on SPF and DKIM: the owner of a domain publishes a DNS policy (none, quarantine, or reject) telling receivers what to do with messages that fail authentication or alignment, and receivers send aggregate and forensic reports back to the domain owner.
A form of data hiding or masking in that it replaces a value with a token that is used instead of the actual value.
A botnet in which devices that can be reached externally are compromised and run server software that turns them into command and control servers for the devices that are recruited internally that cannot communicate with the command and control server operating externally.
A type of testing that determines the workload that an application can withstand.
Trusted Automated eXchange of Indicator Information (TAXII)
An application protocol for exchanging cyber threat information (CTI) over HTTPS.
Health Care and Education Reconciliation Act of 2010
Affects healthcare and educational organizations. This act increased some of the security measures that must be taken to protect healthcare information.
Evaluation of the technical system components.
advanced persistent threat (APT)
Threat from a highly organized attacker with significant resources that is carried out over a long period of time.
Designed to prevent access to sensitive information and encryption keys on a device.
Software analysis that is conducted without the software running.
A memory forensics tool that automates the process of extracting interesting data from volatile memory.
Computer Security Act of 1987
The first law to require a formal computer security plan. It was written to protect and defend the sensitive information in the federal government systems. Superseded in 2002 by the Federal Information Security Management Act (FISMA).
A process that steps through the code interactively.
business impact analysis (BIA)
Lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization.
Ensures that the applications on either end of the API are synchronized and that the integrity of the information passing through the API is protected. It also enables the proper updating and versioning required in many environments.
forensic investigation suite
A collection of tools that are commonly used in digital forensic investigations.
NIST Cybersecurity Framework version 1.1
A voluntary framework for managing cybersecurity risk, organized around five core functions: Identify, Protect, Detect, Respond, and Recover.
digital rights management (DRM)
Used to control the use of digital content.
A command-line tool that can capture packets on Linux and Unix platforms.
A physical access control system that consists of a series of two doors with a small room between them. The user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs.
public key infrastructure (PKI)
A collection of systems, software, and communication protocols that distribute, manage, and control public key cryptography.
Corner of the Diamond Model that describes the intent of the attack.
A group of technicians who acts as the network defense team during testing.
A scan that attempts to connect to every port on each device and report which ports are open, or “listening.”
Software as a Service (SaaS)
A cloud service model in which the vendor provides the entire solution, including the operating system, the infrastructure software, and the application.
Diamond Model of Intrusion Analysis
Intrusion analysis model that emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims.
annualized rate of occurrence (ARO)
The estimate of how often a given threat might occur annually.
A scripting language that supports procedure-oriented programming and object-oriented programming.
executable process analysis
Determines what process is using/taxing the CPU.
Peer-to-peer protocol used in building automation; uses port 1679.
The step in the intelligence cycle where information is shared with those responsible for designing security controls to address issues.
recovery time objective (RTO)
The shortest time period after a disaster or disruptive event within which a resource or function must be restored in order to avoid unacceptable consequences.
Intellectual property protection that ensures that proprietary technical or business information remains confidential. A trade secret gives an organization a competitive edge. Trade secrets include recipes, formulas, ingredient listings, and so on.
A type of password that includes only numbers.
Type 2 hypervisor
A hypervisor installed on top of an existing operating system. Examples include VMware Workstation and Oracle VM VirtualBox.
Economic Espionage Act of 1996
Affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities.
A data destruction technique that makes the data unreadable even with advanced forensic techniques.
From the Library of Matthias Boeker 676 Glossary of Key Terms
bring your own device (BYOD) policy
Policy designed to allow personal devices in the network.
memorandum of understanding (MOU)
Document that, while not legally binding, indicates a general agreement between the principals to do something together.
mobile device management (MDM)
A system that is used to control mobile device settings, applications, and other parameters when those devices are attached to the enterprise.
The latest version of the ISO/IEC 27002 standard that provides a code of practice for information security management.
Gramm-Leach-Bliley Act (GLBA) of 1999
Affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers.
EU Electronic Security Directive
Defines electronic signature principles.
A collection of features that are used to verify the integrity of the system and implement security policies, which together can be used to enhance the trust level of the complete system.
A type of control, usually a software or hardware component, that is used to restrict access.
Secure Shell (SSH)
An application protocol that is used to remotely log in to another computer using a secure tunnel.
A type of control that is in place to detect an attack while it is occurring.
An individual who attempts to break into secure systems without using the knowledge gained for any nefarious purposes.
A group of technicians who acts as the attacking force during testing.
hardware security module (HSM)
An appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing.
multifactor authentication (MFA)
An authentication process that requires more than a single authentication factor.
software development life cycle (SDLC)
Provides a predictable framework of procedures designed to identify all requirements with regard to functionality, cost, reliability, and delivery schedule and ensure that each is met in the final solution.
call list/escalation list
A list of contact information for all individuals, such as first responders, who might need to be alerted during the investigation of an incident.
personal health information (PHI)
The medical records of individuals; also referred to as protected health information.
Software development practice whereby the work of multiple individuals is combined a number of times a day.
work product retention
Work done for and owned by the organization.
Encapsulating Security Payload (ESP)
IPsec component that provides all that AH does as well as data confidentiality.
An individual who attempts to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes.
real-time operating system (RTOS)
A system designed to process data as it comes in, typically without buffer delays.
A feature that allows a switch to learn the MAC addresses of the devices currently connected to the port and convert them to secure MAC addresses (the only MAC addresses allowed to send on the port).
In the 802.1X framework, the centralized device that performs authentication.
Structured Threat Information eXpression (STIX)
A structured language for describing and exchanging cyber threat intelligence (indicators, threat actors, campaigns, and the like) in a machine-readable form; STIX 1.x is XML-based and STIX 2.x is JSON-based. It is typically transported with TAXII.
Layer 2 Tunneling Protocol (L2TP)
Protocol that operates at Layer 2 of the OSI model. Like PPTP, L2TP can use various authentication mechanisms; however, L2TP does not provide any encryption. It is typically used with IPsec.
A development concept that grew out of the DevOps approach to software development that emphasizes security in all phases.
Process of collecting and analyzing indicators of compromise (IOCs).
Type 1 hypervisor
Virtualization software that is installed on hardware directly, which is why it is commonly called a bare metal hypervisor. A guest operating system runs on another level above the hypervisor. Examples include Citrix XenServer, Microsoft Hyper-V, and VMware vSphere.
How long a user can remain logged in.
exposure factor (EF)
The percentage value or functionality of an asset that will be lost when a threat event occurs.
The process of configuring a list of unacceptable e-mail addresses, Internet addresses, websites, applications, or other identifiers as bad senders that are not allowed, while allowing all others. See also whitelisting.
The process of checking all input for issues such as proper format and proper length.
A right granted to an individual or a company to protect the rights to an invention.
The process of gathering threat information.
A proactive threat hunting tactic in which a team works together to detect, identify, and understand advanced and determined threat actors. It is an offensive-minded approach to security, in contrast to the purely defensive posture that has been common for security teams in the past.
A set of command-line tools for sniffing and attacking wireless networks.
mandatory access control (MAC)
Access control model in which access decisions are based on security labels (clearances on subjects and classifications on objects) enforced by system policy rather than by the owner of the resource.
A type of botnet in which all the zombies communicate directly with the command and control server, which is located outside the network.
Routing e-mail through another organization’s e-mail system.
mean time between failures (MTBF)
The estimated amount of time a device will operate before a failure occurs.
Platform as a Service (PaaS)
Cloud service model in which the vendor provides the hardware platform or data center and the software running on the platform, including the operating systems and infrastructure software.
service-level agreement (SLA)
A document that specifies a service to be provided by a party, the costs of the service, and the expectations of performance.
wireless intrusion prevention system (WIPS)
A system that not only can alert you when any unknown device is in the area (APs and stations) but can take a number of actions.
risk assessment matrix
A table used to assess risks qualitatively.
automated malware signature creation
A method of identifying malware in which the AV software monitors incoming unknown files for the presence of malware and analyzes the file based on both classifiers of file behavior and classifiers of file content.
Federal Information Security Management Act (FISMA) of 2002
Requires all federal agencies to develop, document, and implement an agencywide information security program.
Defining the acceptable risk level the organization can tolerate and reducing the risk to that level.
The process of using a hashing algorithm to reduce a large document or file to a character string that can be used to verify the integrity of the file.
A data collection tool that allows you to use what are called longitudinal survey panels to track and monitor the cloud environment.
knowledge factor authentication
Authentication based on something committed to memory.
How long before a password can be reused.
A function in the C standard library (also available in C++) that copies the C string pointed to by the source into the array pointed to by the destination, including the terminating null character, and stops at that point. It has a reputation for issues because it never checks the size of the destination: if the destination is not long enough to hold the string, an overrun occurs.
Secure European System for Applications in a Multi-vendor Environment (SESAME)
A project that extended Kerberos’s functionality to fix Kerberos’s weaknesses. Uses both symmetric and asymmetric cryptography to protect interchanged data and uses a trusted authentication server at each host.
cross-site scripting (XSS)
An attack in which an attacker injects script into a web application so that it is delivered to, and executed in, other users' browsers, typically because the application includes untrusted input in its output without encoding it.
Terminating an activity that causes a risk or choosing an alternative that is not as risky.
Injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts.
A tool that can be used for answering NBT and LLMNR name requests.
Type of analysis that focuses on ensuring that confidential and private information is isolated from other information.
Sender Policy Framework (SPF)
An e-mail validation system that works by using DNS to determine whether an e-mail sent by someone has been sent by a host sanctioned by that domain’s administrator.
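The SPF and DMARC entries above describe record evaluation in words; the following is an added example (not code from the original glossary or from any product it names) that parses both record types and evaluates them. DNS is replaced by a constructed in-memory `DNS` dict for the fictional domain example.com so that it runs offline; the `mx`, `exists`, and `ptr` mechanisms and the `redirect=` modifier are left out, and relaxed alignment is approximated by a suffix match rather than a true organizational-domain lookup.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: these are not real records).
DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
        "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r",
    },
    "a": {"mail.example.com": ["192.0.2.25", "203.0.113.25"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # an absent qualifier means "+" (pass on match)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifiers (redirect=, exp=) are not modelled here
            continue
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def spf_check(domain, sender_ip, dns=DNS, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain."""
    if depth > 10:                           # RFC 7208 caps the lookup chain; runaway includes are an error
        return "permerror"
    record = dns["txt"].get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network (and vice versa); `in` handles that.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(h) for h in dns["a"].get(arg or domain, []))
        elif mech == "include":
            # include matches only if the included record evaluates to "pass"
            matched = spf_check(arg, sender_ip, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                         # mx, exists, ptr not modelled in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; requires v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS):
    """Return 'pass' if SPF or DKIM passed with an aligned domain, else the published policy."""
    record = dns["txt"].get("_dmarc." + from_domain)
    if record is None:
        return "none"
    tags = parse_dmarc(record)

    def aligned(auth_domain, mode):
        if mode == "s":                      # strict: exact match only
            return auth_domain == from_domain
        # relaxed: approximated here as same domain or a subdomain of it
        return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

    if spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r")):
        return "pass"
    return tags.get("p", "none")             # none / quarantine / reject


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "203.0.113.25", "203.0.113.5", "2001:db8::1"):
        print(ip, spf_check("example.com", ip))
    print("spoof:", dmarc_evaluate("example.com", "fail", "example.com", "none", ""))
```

The point a receiver should take from this is that an SPF "pass" alone is not enough: the last assertion-style case (SPF passes for attacker.example while the visible From is example.com) still ends in the domain owner's `p=reject` because the passing domain is not aligned.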
processor security extensions
A set of security-related instruction codes that are built into some modern central processing units (CPUs).
The process of taking something apart to discover how it works and perhaps to replicate it; retracing the steps in an incident, as seen from the logs.
A buffer overflow that occurs in the heap data area. Heap overflows are exploited in a different manner than stack-based overflows.
The process of changing data into another form using code. Applied to output to prevent the inclusion of dangerous character types that might be inserted by malicious individuals.
Placing malware where it can be safely probed and analyzed.
Process in which the software and platform components have been identified, or “measured,” using cryptographic techniques.
A social engineering attack in which attackers try to learn personal information, including credit card information and financial data.
A debugger that has access to only the usermode space of the operating system.
Technique to protect mobile devices and the data they contain. Application wrappers (implemented as policies) enable administrators to set policies that allow employees with mobile devices to safely download an app, typically from an internal store.
In the context of intelligence sources, a description of the perceived integrity of any particular data.
lessons learned report
Lists and discusses what was learned about how and why the incident occurred and how to prevent it from occurring again.
Service Provisioning Markup Language (SPML)
An XML-based framework developed by the Organization for the Advancement of Structured Information Standards (OASIS).
A vulnerability scan performed from outside the organization’s network to assess the likelihood of an external attack.
SOC 1, Type 1 report
Service Organization Control report that focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls as of a specific point in time.
An open standard and decentralized protocol by the nonprofit OpenID Foundation that allows users to be authenticated by certain cooperating sites.
Structured Query Language (SQL) injection
An attack that inserts, or “injects,” a SQL query as the input data from the client to the application.
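As an added example (not code from the original glossary), the login query below is shown in its injectable form next to the parameterized form that the definition's attack cannot reach, plus an allow-list input check as defense in depth. The user table is a constructed in-memory SQLite database; the hash values are placeholder strings, not real password hashes.

```python
import re
import sqlite3

# Allow-list for usernames: anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    """Constructed sample user store (assumption: not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Injectable: client input is concatenated into the SQL text, so a quote
    followed by '--' ends the string and comments out the password check."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password_hash):
    """Hardened: placeholders make the values data; they can never change the
    structure of the statement, so \"alice' --\" is just a username that does not exist."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def login_validated(conn, username, password_hash):
    """Input validation on top of parameterization: reject malformed usernames outright."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return login_parameterized(conn, username, password_hash)


if __name__ == "__main__":
    db = build_db()
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))        # alice's row
    print("parameterized:", login_parameterized(db, payload, "wrong"))  # []
    print("all rows:", login_vulnerable(db, "' OR '1'='1' --", "wrong"))
```

Note the trailing `--` in the second payload: the textbook `' OR '1'='1` on its own does not bypass this particular query, because `AND` binds more tightly than `OR` and the password check still fails; commenting out the rest of the statement is what makes it work.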
web vulnerability scanner
A type of scanner used to assess the security of web applications.
A Ruby framework for assessing the security of a web application.
HIPAA Breach Notification Rule
Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).
How long a password will be valid.
A mechanism implemented in many devices or applications that gives the user who uses the backdoor unlimited access to the device or application.
remote terminal units (RTUs)
Industrial control system (ICS) components that connect to the sensors and convert sensor data to digital data, including telemetry hardware.
An attack that crafts a transparent page or frame over a legitimate-looking page that entices the user to click something.
denial-of-service (DoS) attack
An attack in which attackers flood a device with enough requests to degrade the performance of the targeted device.
active vulnerability scanner
A type of scanner that interacts directly with the target hosts, sending probes and requests to discover services and vulnerabilities, as opposed to a passive scanner that only observes existing traffic.
A formal process that rates identified vulnerabilities by the likelihood of their compromise and the impact of said compromise.
Security controls development framework that uses a process model to subdivide IT into four domains.
A technology developed by Cisco that is supported by all major vendors and can be used to collect and subsequently export IP traffic accounting information.
OWASP Zed Attack Proxy (ZAP)
An application that stands between the web server and the client and passes all requests and responses back and forth, while analyzing the information to test the security of the web application.
A type of control that specifies acceptable practice within an organization.
NIST SP 800-128
Provides guidance on security-focused configuration management of information systems.
incident summary report
A document that summarizes the incident.
indicator of compromise (IOC)
Any activity, artifact, or log entry that is typically associated with an attack of some sort.
Protects the data traversing hardware buses.
A type of malware that can spread without the assistance of the user.
Legal protection that ensures that a work that is authored is protected from any form of reproduction or use without the consent of the copyright holder.
John the Ripper
Password cracker that can work in Unix/Linux as well as macOS.
Server virtualization technique in which the kernel allows for multiple isolated user space instances.
A cloud-based vulnerability scanner.
Business Continuity Planning (BCP) committee
Performs vulnerability analysis and risk assessment.
security information and event management (SIEM)
A type of system that provides an automated solution for analyzing security events and data and deciding where the attention needs to be given.
NIST SP 800-53 Rev 4
A security controls development framework that divides the controls into three classes: technical, operational, and management.
An open source scanner developed from the Nessus code base, available as a package for many Linux distributions.
Type of malware that executes when a particular event takes place.
Involves embedding a logo or trademark in documents, pictures, or other objects.
web application firewall (WAF)
A firewall that applies rule sets to an HTTP conversation. These rule sets cover common attack types to which these session types are susceptible. Among the common attacks they address are cross-site scripting and SQL injection.
Cain and Abel
A well-known password cracking program.
The consideration and analysis of intelligence data from a perspective that combines multiple data sources and attempts to make inferences based on this data integration.
Automatically entering a large number of spilled credentials into websites until some of them match an existing account, which the attacker can then hijack for their own purposes.
A server that is used to access devices that have been placed in a secure network zone such as a DMZ.
An informal brainstorming session that encourages participation from business leaders and other key employees.
ownership factor authentication
Authentication based on something in your possession.
The areas to be included in a scan; determines the impact and is a function of how widespread the incident is.
software defined networking (SDN)
The decoupling of the control plane and data plane in networking by locating the logic of routers and switches into a central controller and locating simple data forwarding in the physical devices.
A group of technicians that referees the encounter between the red team and the blue team during testing.
Formal process for managing change.
Knowledge base of adversary tactics and techniques based on real-world observations. It is an open system, and attack matrices are created for various industries.
A term that applies to several technologies that follow the Secure Boot standard.
A process management development standard developed by the Office of Management and Budget in OMB Circular A-130.
The latest version of the 27001 standard, one of the most popular standards by which organizations obtain certification for information security. It provides guidance on ensuring that an organization’s information security management system (ISMS) is properly built, established, maintained, and continually improved.
An interception proxy produced by the Open Web Application Security Project (OWASP).
Occurs when someone has access to information at one level that allows her to infer information about another level.
near field communication (NFC)
A short-range type of wireless transmission that is used in contactless payment cards and in mobile wallets such as Apple Pay and Google Pay.
Intermingling or mixing of data of one sensitivity or need-toknow level with that of another.
An attacker who takes advantage of a security loophole.
Internet Protocol Security (IPsec)
A protocol suite that provides encryption, data integrity, and peer (host) authentication for IP traffic.
Occurs when a pointer with a value of NULL is used as though it pointed to a valid memory area.
A type of firewall that resides on a single host and is designed to protect that host only.
Common Configuration Enumeration (CCE)
SCAP component; a dictionary of unique identifiers for system configuration issues, so that configuration guidance and assessment tools can refer to the same setting consistently.
USA PATRIOT Act
Affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including e-mail communications, telephone records, Internet communications, medical records, and financial records.
A constantly updating stream of indicators or artifacts derived from a source outside the organization.
rogue access point
An unauthorized AP connected to the organization’s wireless network that the organization does not control and manage.
The process of assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components.
Altering data from its original state to protect it.
Internet of Things (IoT)
Refers to a system of interrelated computing devices, mechanical and digital machines, and objects that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Analysis that determines impact of the event.
A concept that uses a variety of technologies to prevent the processing of sensitive information or alternately to prevent any insecure actions on the part of the CPU or processor.
Instructions sent remotely to a mobile device that erase all the data, typically used when a device is lost or stolen.
registration authority (RA)
The entity in a PKI that verifies the requestor’s identity and registers the requestor.
programmable logic controllers (PLCs)
Industrial control system (ICS) components that connect to the sensors and convert sensor data to digital data; they do not include telemetry hardware.
A type of password that uses a mix of dictionary words, usually two that are unrelated.
A tool that can be used to scan for open ports and perform many other operations, including performing certain attacks.
Manage who is allowed to perform certain operations on an entire computer or within a domain, rather than a particular object within a computer.
A form that is used to describe the incident in detail.
An open framework, meant for sharing threat intelligence information in a machine-readable format.
Foreign Intelligence Surveillance Act (FISA) of 1978
The first act to give procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers” and applied only to traffic within the United States. It was amended by the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008.
Health Insurance Portability and Accountability Act (HIPAA)
Legislation that specifies security protocols for all organizations that handle protected health information (PHI).
The process of identifying and allowing as good senders a list of acceptable e-mail addresses, Internet addresses, websites, applications, or some other identifier.
A technique used to identify the passwords of domain users. Rather than targeting a single account as in a brute-force attack, it targets or “sprays” multiple accounts with the same password attempt.
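Password spraying and credential stuffing (defined earlier) both look alike in authentication logs: one or two failures each against many different accounts from the same source, which is the opposite shape from a brute-force attack that hammers one account. The detector below is an added example, not code from the original glossary or any product; the log lines are constructed in a made-up `key=value` format, and the thresholds (`min_accounts`, `max_per_account`, ten-minute window) are illustrative assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
# <ISO-8601 UTC> src=<ip> user=<account> result=FAIL|SUCCESS
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

SAMPLE_LOG = [
    # 203.0.113.9: one guess each against six accounts in three minutes (spray), last one lands
    "2024-05-01T10:00:05Z src=203.0.113.9 user=alice result=FAIL",
    "2024-05-01T10:00:31Z src=203.0.113.9 user=bob result=FAIL",
    "2024-05-01T10:01:02Z src=203.0.113.9 user=carol result=FAIL",
    "2024-05-01T10:01:40Z src=203.0.113.9 user=dave result=FAIL",
    "2024-05-01T10:02:11Z src=203.0.113.9 user=erin result=FAIL",
    "2024-05-01T10:02:55Z src=203.0.113.9 user=frank result=SUCCESS",
    # 192.0.2.50: a user mistyping once, then succeeding (benign)
    "2024-05-01T10:10:00Z src=192.0.2.50 user=alice result=FAIL",
    "2024-05-01T10:10:20Z src=192.0.2.50 user=alice result=SUCCESS",
] + [
    # 198.51.100.7: ten guesses against one account in ten seconds (brute force)
    f"2024-05-01T11:00:{s:02d}Z src=198.51.100.7 user=alice result=FAIL" for s in range(10)
]


def parse_line(line):
    """Return a dict with a datetime 'ts', or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify_sources(lines, window=timedelta(minutes=10), min_accounts=5,
                     max_per_account=2, brute_min_attempts=10):
    """Label each source IP as 'password-spray', 'brute-force', or leave it out.

    A sliding window over that source's failures is used so that a slow spray
    spread over hours is not lumped together with unrelated failures."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    verdicts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # drop failures older than the window
            per_user = Counter(user for _, user in events[start:end + 1])
            # Spray/stuffing shape: many distinct accounts, very few tries per account.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = "password-spray"
                break
            # Brute-force shape: one or two accounts, many tries.
            if len(per_user) <= 2 and sum(per_user.values()) >= brute_min_attempts:
                verdicts[src] = "brute-force"
                break
    return verdicts


def successes_after_spray(lines, verdicts):
    """Accounts where a flagged spraying source eventually logged in: the ones to reset first."""
    hits = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "SUCCESS" and verdicts.get(ev["src"]) == "password-spray":
            hits.add(ev["user"])
    return hits


if __name__ == "__main__":
    v = classify_sources(SAMPLE_LOG)
    print(v)                                   # {'203.0.113.9': 'password-spray', '198.51.100.7': 'brute-force'}
    print("compromised:", successes_after_spray(SAMPLE_LOG, v))
```

Keying the spray check on distinct accounts per source is what per-account lockout thresholds miss: each account in the sample saw only one failure, so no lockout fires, yet the source is unmistakable once failures are grouped by origin.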
Understanding and accepting the level of risk as well as the cost of damages that can occur.
incident command system (ICS)
Designed to provide a way to enable effective and efficient domestic incident management by integrating a combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure.
endpoint detection and response (EDR)
A proactive endpoint security approach designed to supplement existing defenses.
Reading the machine code into memory and then outputting each instruction as a text string.
An RSS feed dedicated to the sharing of information about the latest vulnerabilities.
An attack in which the attacker inserts code between existing instructions, introduces changes, and alters the order in which the instructions execute, thereby altering the outcome.
A description of the applicability of the data to a particular threat.
Placing a device or software in an environment separate from the balance of the network.
Extensible Access Control Markup Language (XACML)
A standard for an access control policy language using XML.
infrastructure as code (IaC)
Manages and provisions computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
A description of how recent the data is.
A cloud deployment model in which a private organization implements a cloud in its internal enterprise, and that cloud is used by the organization’s employees and partners.
virtual local-area network (VLAN)
A logical subdivision of a switch that segregates ports from one another as if they were in different LANs.
A self-replicating program that infects software.
A variant of the service-oriented architecture (SOA) structural style that arranges an application as a collection of loosely coupled services. The focus is on building single-function modules with well-defined interfaces and operations.
Extensible Markup Language (XML) attack
An attack that targets the use of XML in a website. In one example, it compromises the application that parses or reads and interprets the XML. If the XML input contains a reference to an external entity and is processed by a weakly configured XML parser, it can lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning. This is called an XML external entity attack.
A free tool that runs on Windows, Linux, and Solaris that simply creates a bit-by-bit copy of the volatile memory on a system.
Both a package of tools called Reaver and a tool within the package called Reaver that is used to attack Wi-Fi Protected Setup (WPS).
Used to prevent a poisoning attack on the DHCP database.
A tool used in risk management to identify vulnerabilities and threats, assess the impact of those vulnerabilities and threats, and determine which controls to implement.
policy enforcement point (PEP)
An entity that protects the resource that the subject (a user or an application) is attempting to access in XACML.
virtual desktop infrastructure (VDI)
An infrastructure that hosts desktop operating systems within a virtual environment in a centralized server.
An attack that intercepts legitimate traffic between two entities.
Tracks your Internet usage in an attempt to tailor ads and junk e-mail to your interests.
Occurs when a scanner does not identify a vulnerability that actually exists.
code of conduct/ethics
Details standards of business conduct.
The process of removing all traces of a threat by overwriting the drive multiple times.
Internet Key Exchange (IKE)
An IPsec component that provides the authentication material used to create the keys exchanged by ISAKMP during peer authentication.
A vulnerability scanner that is dedicated to web servers.
Active Directory (AD)
Microsoft's directory service, which provides single sign-on (SSO) to domain resources through Kerberos authentication. See also single sign-on (SSO).
A scan performed with administrator access.
A memory acquisition and analysis tool used with Windows systems.
Traffic that leaves a network at regular intervals.
Intellectual property protection that ensures that a symbol, a sound, or an expression that identifies a product or an organization is protected from being used by another organization.
Frameworks and methodologies that include security program development standards, enterprise and security architect development frameworks, security control development methods, corporate governance methods, and process management methods.
A standard that defines a framework for centralized port-based authentication.
Removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools.
Common Vulnerability Scoring System (CVSS)
A system of ranking vulnerabilities that are discovered based on pre-defined metrics.
A scan that uses ICMP to identify all live hosts by pinging all IP addresses in the known network.
XSS attack in which a web application immediately returns user input in an error message or search result, without that data being made safe to render in the browser, and without permanently storing the user provided data.
The Open Group Architecture Framework (TOGAF)
An enterprise architecture framework that helps organizations design, plan, implement, and govern an enterprise information architecture.
A type of scan that sets the FIN, PSH, and URG flags.
Trusted Platform Module (TPM)
A security chip installed on a computer’s motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates.
A model that describes the stages of an intrusion.
A type of password that uses graphics (for example, selecting points on an image) as part of the authentication mechanism. Sometimes loosely called a CAPTCHA password, although a CAPTCHA is a human-versus-bot test rather than a password.
An open source project that provides single sign-on (SSO) capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
Creating a bit-level image of the disk.
XSS attack in which the entire tainted data flow from source to sink takes place in the browser. The source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser.
Threats of which we are not aware.
Dynamic ARP Inspection (DAI)
A security feature that intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.
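The DAI entry above describes the comparison a switch performs; the following added example (not glossary text) simulates that check over constructed ARP replies so the permit/drop decisions can be seen. The binding table, port names and the trusted uplink port are assumptions made for the example; on a real switch the table is populated by DHCP snooping.

```python
"""Dynamic ARP Inspection (DAI)-style validation of ARP replies.

Added example, not from the glossary. A switch running DAI compares the
sender MAC/IP in each ARP packet against a trusted binding table built by
DHCP snooping and drops packets that disagree. Binding table, ports and
sample replies below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    ingress_port: str
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    eth_src_mac: str  # Ethernet frame source address


# Assumed DHCP-snooping binding table: IP -> (MAC, port)
BINDINGS = {
    "10.0.0.1": ("aa:bb:cc:00:00:01", "Gi1/0/1"),    # default gateway
    "10.0.0.10": ("aa:bb:cc:00:00:10", "Gi1/0/10"),
    "10.0.0.11": ("aa:bb:cc:00:00:11", "Gi1/0/11"),
}
# Trusted ports (uplinks) are not inspected, as on a real DAI deployment.
TRUSTED_PORTS = {"Gi1/0/48"}


def inspect(reply: ArpReply) -> Tuple[str, str]:
    """Return ('permit'|'drop', reason) for one ARP reply."""
    if reply.ingress_port in TRUSTED_PORTS:
        return ("permit", "trusted port")
    # "validate src-mac": Ethernet source must match the ARP sender MAC.
    if reply.eth_src_mac.lower() != reply.sender_mac.lower():
        return ("drop", "ethernet src MAC != ARP sender MAC")
    binding = BINDINGS.get(reply.sender_ip)
    if binding is None:
        return ("drop", "no binding for sender IP")
    bound_mac, bound_port = binding
    if bound_mac != reply.sender_mac.lower():
        return ("drop", "sender MAC does not match binding")
    if bound_port != reply.ingress_port:
        return ("drop", "binding belongs to a different port")
    return ("permit", "matches binding")


def inspect_all(replies: Iterable[ArpReply]) -> List[Tuple[str, str]]:
    return [inspect(r) for r in replies]


# Constructed traffic: a legitimate reply, a gateway-spoofing reply from the
# host on port 11, and an uninspected reply arriving on the trusted uplink.
SAMPLE = [
    ArpReply("Gi1/0/10", "aa:bb:cc:00:00:10", "10.0.0.10", "aa:bb:cc:00:00:10"),
    ArpReply("Gi1/0/11", "aa:bb:cc:00:00:11", "10.0.0.1", "aa:bb:cc:00:00:11"),
    ArpReply("Gi1/0/48", "de:ad:be:ef:00:01", "10.0.0.200", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for reply, verdict in zip(SAMPLE, inspect_all(SAMPLE)):
        print(reply.ingress_port, reply.sender_ip, verdict)
```

The second sample is the ARP poisoning case DAI exists for: the host on Gi1/0/11 answers for the gateway's IP, and the binding table says that IP belongs to a different MAC on a different port.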
A tangible or intangible asset to which the owner has exclusive rights.
policy decision point (PDP)
An entity that retrieves all applicable polices in XACML and compares the request with the policies.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Affects how private-sector organizations collect, use, and disclose personal information in the course of commercial business in Canada.
Network architecture plane that carries user traffic; also known as the forwarding plane.
Removing unnecessary functions to reduce the attack surface.
Log that focuses on the operation of Windows applications. Events in this log are classified as error, warning, or information, depending on the severity of the event.
A scan that sends a series of TCP packets that contain a sequence number of 0 and no flags set.
passive vulnerability scanner
A type of scanner that infers vulnerabilities by observing network traffic rather than actively probing hosts. It cannot take action to block an attack, such as blocking a dangerous IP address.
recovery point objective (RPO)
The point in time to which data for the disrupted resource or function must be restored; it expresses the maximum acceptable amount of data loss, measured in time.
supervisory control and data acquisition (SCADA)
A system operating with coded signals over communication channels so as to provide control of remote equipment.
real user monitoring (RUM)
A monitoring method that captures and analyzes every transaction of every application or website user.
A technique that allows one process to gather information from another process or source and then customize a response using the data from the second process or source.
Simple Object Access Protocol (SOAP)
Protocol specification for exchanging structured information in the implementation of web services in computer networks.
Cipher that performs encryption by breaking the message into fixed-length units.
screened host firewall
A firewall that is between the final router and the internal network.
Attack Complexity (AC)
CVSS base metric that describes the difficulty of exploiting the vulnerability.
A type of control that prevents an attack from occurring.
A Sysinternals tool that enables you to look at the graph that appears in Task Manager and identify what caused spikes in the past, which is not possible with Task Manager alone.
A type of password that includes a mixture of upper- and lowercase letters, numbers, and special characters.
managerial (administrative type) controls
A type of control that is implemented to administer the organization’s assets and personnel and includes security policies, procedures, standards, baselines, and guidelines that are established by management.
Unified Extensible Firmware Interface (UEFI)
An open standard interface layer between the firmware and the operating system that replaces the legacy BIOS. With Secure Boot enabled, it requires boot loaders and drivers (and firmware updates delivered through it) to be digitally signed by a trusted key before they are executed.
The process of controlling an organization’s activities, processes, and operations.
virtual TPM (vTPM)
A software object that performs the functions of a TPM chip.
DomainKeys Identified Mail (DKIM)
Allows e-mail source verification by providing a method for validating a domain name identity that is associated with a message through cryptographic authentication.
service-oriented architecture (SOA)
An architecture that operates on the theory of providing web-based communication functionality without each application requiring redundant code to be written per application.
Occurs when a scanner correctly identifies a vulnerability.
A type of password that is a piece of information that can be used to verify an individual’s identity.
Provided when a backup component begins operation when the primary component fails.
The destroying of the media on which data resides.
Malware that monitors browsing habits for the purpose of ad targeting.
qualitative risk analysis
Risk analysis that does not assign monetary and numeric values to all facets of the risk analysis process.
A scripting language found on all Linux servers. It helps in text manipulation tasks.
network access control (NAC)
A service that goes beyond authentication of the user and includes examination of the state of the computer the user is introducing to the network when making a remote-access or VPN connection to the network.
Architecture where two firewalls are used, and traffic must be inspected at both firewalls before it can enter the internal network.
National Information Assurance Certification and Accreditation Process (NIACAP)
A standard set of activities and general tasks, along with a management structure, to certify and accredit systems that maintain the information assurance and security posture of a system or site.
Controller Area Network (CAN bus)
Designed to allow vehicle microcontrollers and devices to communicate with each other’s applications without a host computer.
A piece of software built into a larger piece of software that is in charge of performing some specific function on behalf of the larger system.
Internet Security Association and Key Management Protocol (ISAKMP)
An IPsec component that handles the creation of a security association for the session and the exchange of keys.
A scripting language that is great for web development.
Device present in the environment that you do not control.
employee privacy issues and expectation of privacy
Concept that organizations must give employees the proper notice of any monitoring that might be used.
static code analysis
Code analysis that is conducted without the code executing.
Allows for the dynamic real-time reprogramming of computer chips.
A protocol that can be used to collect logs from devices and store them in a central location called a Syslog server.
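The syslog entry above describes collection; what a Syslog server actually receives is one line per event with a numeric PRI field that encodes facility and severity. The following added example (not glossary text) parses BSD-style (RFC 3164) lines and decodes PRI, which is the first step before filtering or forwarding. The sample lines are constructed for illustration.

```python
"""Parse BSD-style (RFC 3164) syslog lines and decode the PRI field.

Added example, not from the glossary. PRI = facility * 8 + severity, so
<34> is facility 4 (auth) and severity 2 (crit). Sample lines below are
constructed for illustration.
"""
import re
from typing import Dict, Iterable, Iterator, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for one RFC 3164 line, or None if malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def filter_severity(lines: Iterable[str], at_most: str = "err") -> Iterator[Dict[str, object]]:
    """Yield parsed events whose severity is `at_most` or more severe."""
    threshold = SEVERITIES.index(at_most)
    for line in lines:
        event = parse_syslog(line)
        if event and SEVERITIES.index(str(event["severity"])) <= threshold:
            yield event


# Constructed sample lines, including one that is not valid syslog.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Oct 11 22:14:20 mymachine sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 5022",
    "<3>Oct 11 22:15:01 mymachine kernel: Out of memory: Kill process 987 (java)",
    "garbage line",
]

if __name__ == "__main__":
    for event in filter_severity(SAMPLE):
        print(event["severity"], event["facility"], event["tag"], event["msg"])
```

Note that a sender chooses its own facility and severity, so these fields are useful for routing and triage but are not a trust boundary; the Syslog server should record the source address alongside them.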
A process that ensures that all systems have been hardened to the extent that is possible and still provide functionality.
Drives that automatically encrypt the contents without user intervention.
asset value (AV)
Value of an asset. Multiplied by the exposure factor (EF) to calculate single loss expectancy (SLE).
remote code execution
A category of attack types distinguished by the ability of the attacker to run code of his or her choosing on a target system over a network, from a machine that could be located anywhere in the world, without local or physical access to the target.
Queries that do not require input values or parameters.
A type of malware that installs a bot with the ability to connect back to the attacker's command-and-control server, which then controls all the bots located on the infected machines.
Passing on the risk to a third party, such as an insurance company.
Malware that is widely available for either purchase or by free download. It is not customized or tailored to a specific attack.
A measure of how freely data can be handled.
Authentication Header (AH)
IPsec component that provides data integrity, data origin authentication, and protection from replay attacks.
A software-defined networking storage method that allows pooling of storage capabilities and instant and automatic provisioning of virtual machine storage.
Occurs when a scanner identifies a vulnerability that does not exist.
An attack that attempts to place the hacker in the middle of an active conversation between two computers for the purpose of taking over the session of one of the two systems, thus receiving all data sent to that system.
Data Protection API (DPAPI)
API that lets you encrypt data using the user’s login credentials.
Point-to-Point Tunneling Protocol (PPTP)
Microsoft protocol based on PPP that uses built-in Microsoft Point-to-Point encryption and can use a number of authentication methods, including CHAP, MS-CHAP, and EAP-TLS.
An integrated circuit (also known as a “chip”) that integrates all components of a computer or other electronic system.
An attack that occurs when a guest OS escapes from its VM encapsulation to interact directly with the hypervisor.
One of the ways malicious individuals are able to access parts of a directory to which they should not have access.
One of the most widely used network packet sniffers.
Occurs when an area of memory of some sort is full and can hold no more information.
certificate revocation list (CRL)
A list, published and signed by a CA, of certificates that the CA has revoked before their scheduled expiration so that relying parties can reject them.
standard word password
A type of password that consists of single words that often include a mixture of upper- and lowercase letters.
An attack that attempts to take advantage of the sequence of events that occurs as the system completes common tasks.
Part of a partition designated as security sensitive.
quantitative risk analysis
Risk analysis that assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, and safeguard costs.
The process of sending the output of one function to another function as its input.
Isolating systems through the control of communications with the device.
Common Weakness Enumeration (CWE)
SCAP component; an identification scheme for design flaws in the development of software that can lead to vulnerabilities.
cross-site request forgery (CSRF)
An attack that exploits the website's trust in the user's browser. A request forged by the attacker is sent from the victim's authenticated browser session, so the website treats it as a request the user intentionally made.
data loss prevention (DLP)
Software that attempts to prevent data leakage.
cloud access security broker (CASB)
A software layer that operates as a gatekeeper between an organization’s on-premises network and the provider’s cloud environment.
Forensic technique used to identify a file when only fragments of data are available and no file system metadata is available.
A Linux command that is used to convert and copy files; in forensics it is used to create bit-level images of disks and partitions.
user acceptance testing
Testing designed to ensure that security features do not make an application unusable from the user perspective.
Simple Certificate Enrollment Protocol (SCEP)
Protocol for provisioning certificates to network devices, including mobile devices.
A hash value encrypted with the sender’s private key.
Method of software analysis that follows prescribed procedures.
An endpoint device that is not under your control as administrator.
Older systems that may be less secure than newer systems.
Sets of data so large or complex that they cannot be analyzed by using traditional data processing applications.
Infrastructure as a Service (IaaS)
Cloud service model in which the vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems.
e-mail signature block
A set of information such as name, e-mail address, company title, and credentials that usually appears at the end of an e-mail.
The technique of sending packets of some sort to the network and then assessing responses.
Authentication method that requires all boot loader components (e.g., OS kernel, drivers) attest to their identity (digital signature) and the attestation is compared to the trusted list.
A type of firewall with three interfaces: one connected to the untrusted network, one connected to the internal network, and one connected to the DMZ.
The process of locating variables in the information that seem to be related.
A type of control that is part of the organizational security stance day to day.
The process of identification and mitigation of vulnerabilities.
A threat that has no known solution yet.
runtime data integrity check
The process that ensures the integrity of the peripheral memory contents during runtime execution.
Intelligence sources that are available to only a select audience.
The ability of a function or system to be recovered in the event of a disaster or disruptive event.
Network architecture plane that administers the router.
role-based access control (RBAC)
An access control model in which users are organized by job role into security groups, which are then granted the rights and permissions required to perform that job.
certificate authority (CA)
The entity in a PKI that creates and signs digital certificates, maintains the certificates, and revokes them when necessary.
The process of architecting security features into the design of a system or set of systems.
NIST SP 800-57 Rev 5
Contains recommendations for key management and is published in three parts.
A conceptual design that attempts to provide a framework on which to implement security efforts.
Security Content Automation Protocol (SCAP)
A standard that the security automation community uses to enumerate software flaws and configuration issues.
Any device or application that acts as an intermediary for requests from clients seeking resources.
Corner of the Diamond Model that describes the set of systems an attacker uses to launch attacks.
intrusion prevention system (IPS)
A system that takes action when a security event occurs.
acceptable use policy (AUP)
A policy that is used to inform users of the actions that are allowed and those that are not allowed.
A process that involves identifying the live hosts on a network or in a domain namespace.
A transport layer protocol that provides encryption, server and client authentication, and message integrity.
A Windows command-line tool that contains more than 70 tools that can be used for both troubleshooting and security issues.
A live CD with which you can acquire evidence and make drive images without affecting the data on the host.
A type of scan that locates vulnerabilities in systems.
Forensic Toolkit (FTK)
A commercial toolkit that can scan a hard drive for all sorts of information.
The step in the intelligence cycle where data searching and organizing occurs.
Building Automation and Control Networks (BACnet) protocol
An application, network, and media access control (MAC) layer communications service. It can operate over a number of Layer 2 protocols, including Ethernet.
The process of deleting or masking personal identifiers, such as personal name from a set of data.
Sending e-mail that appears to come from someone else.
A type of firewall with two interfaces, one pointing to the internal network and another connected to the untrusted network.
Capability Maturity Model Integration (CMMI)
A process improvement model that defines maturity levels for an organization's practices across all phases of the software development life cycle (SDLC).
personally identifiable information (PII)
Any piece of data that can be used alone or with other information to identify a single person.
A program or rogue application that appears to or is purported to do one thing but actually does another when executed.
Payment Card Industry Data Security Standard (PCI DSS)
Standard that affects any organizations that handle cardholder information for the major credit card companies.
International accord that addresses minimum capital requirements, supervisory review, and market discipline of financial institutions.
synthetic transaction monitoring
A type of proactive monitoring that uses external agents to run scripted transactions against an application.
CVSS base metric (Availability) that describes the disruption to availability that might occur if the vulnerability is exploited.
Function as a Service (FaaS)
An extension of Platform as a Service (PaaS) that goes further and completely abstracts the virtual server from the developers. Charges are based not on server instance sizes but on consumption and executions.
A cloud deployment model in which a service provider makes resources available to the public over the Internet.
A cloud deployment model in which an organization provides and manages some resources in-house and has others provided externally via a public cloud.
A formal process or set of procedures for responding to cybersecurity incidents.
See radio frequency identification (RFID).
A type of control that is implemented to protect an organization’s facilities and personnel.
A master/slave protocol used in building automation that uses port 19999 when using Transport Layer Security (TLS) and port 20000 when not using TLS.
attribute-based access control (ABAC)
Access control model that grants or denies user requests based on attributes of the user (subject), attributes of the object, and environment conditions that may be globally recognized, evaluated against policy.
Analysis that examines information in the header of a packet.
Federal Privacy Act of 1974
Provides guidelines on collection, maintenance, use, and dissemination of PII about individuals that is maintained in systems of records by federal agencies.
Process models developed to help develop security skills.
A search technique that is used to look within a log file or data stream and locate any instances of that string.
virtual private cloud (VPC)
A cloud model in which a public cloud provider isolates a specific portion of its public cloud infrastructure to be provisioned for private use.
next-generation firewall (NGFW)
A category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering the performance.
A link embedded in one website that leads to another site.
SOC 1, Type 2 report
Service Organization Control report that covers the design of controls at a point in time (as a Type 1 report does) and also audits their operating effectiveness over a period of time.
Sarbanes-Oxley Act (SOX)
Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.
insecure object reference
A flaw (also called insecure direct object reference) in which a user who has permission to use an application can reach information to which she should not have access, typically by changing an object reference such as an ID in a request that the application does not authorize per object.
Network architecture plane that carries signaling traffic originating from or destined for a router. This is the information that enables routers to share information and build routing tables.
A debugger that operates at ring 0.
A scan performed without administrator access.
A type of password that uses a long phrase. Because of the password’s length, it is easier to remember but much harder to attack.
ISO/IEC 27000 Series
A family of security program development standards providing guidance on how to develop and maintain an information security management system (ISMS).
Prevents any changes to the configuration of a device, even by users who formerly had the right to configure the device.
A type of algorithm that uses a single private or secret key that is shared by the two parties and must remain secret between them. Each pair of communicating parties requires its own separate key.
Occurs when the adequacy of a system’s overall security is accepted by management.
The theft of data from a device or network.
The process of adding geographical identification metadata to various media.
Electronic Communications Privacy Act (ECPA) of 1986
Affects law enforcement and intelligence agencies; extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications.
Analysis that focuses on the long-term direction in the increase or decrease in a particular type of traffic or in a particular behavior in the network.
A set of tools that a hacker can use on a computer after she has managed to gain access and elevate her privileges to administrator.
Device or software whose purpose is to inspect and control the type of traffic allowed.
one-time password (OTP)
A type of password that is used only once to log in to the access control system.
Relates to rights to control the sharing and use of one’s personal information.
CVSS base metric that describes the information disclosure that may occur if the vulnerability is exploited.
A legal requirement placed on an organization to maintain archived data for longer periods for legal proceedings.
Software that is transmitted across a network to be executed on a local system.
A backdoor account created by programmers to give someone full permissions in a particular application or operating system.
In the 802.1X framework, the device through which the supplicant is attempting to access the network.
A protected region of memory whose code and data are isolated by the CPU from the rest of the system, so that it cannot be read or modified even when the operating system kernel is compromised.
A type of password that provides a minimum level of security because the password never changes.
A router designed to accept and analyze attack traffic that can be used to draw traffic away from a target, to monitor worm traffic, or to monitor other malicious traffic.
Privileges Required (PR)
A CVSS base metric that describes the level of privileges an attacker must already possess on the target in order to exploit the vulnerability.
annual loss expectancy (ALE)
The expected risk factor of an annual threat event. Calculated as the single loss expectancy (SLE) times the annualized rate of occurrence (ARO).
A device with no network connections and all access to the system must be done manually by adding and removing items with a flash drive or other external device.
CVSS base metric (Integrity) that describes the type of data alteration that might occur if the vulnerability is exploited.
An industrial control system (ICS) component that connects RTUs and PLCs to control centers and the enterprise.
Roots of Trust (RoTs)
The foundation of assurance of the trustworthiness of a mobile device.
How long the password must be.
single loss expectancy (SLE)
The monetary impact of each threat occurrence. Calculated as the asset value (AV) times the exposure factor (EF).
A network logically separate from the intranet where resources that will be accessed from the outside world are made available to authenticated users.
work recovery time (WRT)
The difference between the recovery time objective (RTO) and the maximum tolerable downtime (MTD), which is the remaining time that is left over after the RTO before reaching the MTD.
An attack in which the target is overwhelmed with TCP SYN packets whose SYN/ACK replies are never acknowledged, leaving it with a large number of half-open connections.
mean time to repair (MTTR)
The average time required to repair a single resource or function.
Method to make sure that you can release new changes to your customers quickly in a sustainable way. Continuous deployment goes one step further, with every change that passes all stages of the production pipeline being released to customers.
Process of placing physical identification numbers of some sort on all assets.
A general-purpose computing on graphics processing units (GPGPU)-based multi-hash cracker using a brute-force attack.
threat modeling methodology
A formal process that enables organizations to identify threats and potential attacks and implement the appropriate mitigations against these threats and attacks.
The process of exploiting a bug or weakness in an operating system to allow a user to receive privileges to which she is not entitled.
Online Certificate Status Protocol (OCSP)
An Internet protocol that obtains the revocation status of an X.509 digital certificate.
A process that attempts to reconstruct high-level language source code.
rooting or jailbreaking
Attaining root privileges on a smartphone.
corporate-owned, personally enabled (COPE)
A strategy in which an organization purchases mobile devices and users manage those devices.
U.S. Digital Millennium Copyright Act
Imposes criminal penalties on those who make available technologies whose primary purpose is to circumvent content protection technologies.
A set of instructions that either executes in order and in its entirety or has its changes rolled back or prevented. In concurrent programming, atomic operations are program operations that run independently of any other process (thread); making an operation atomic consists of using synchronization mechanisms so that the operation is seen, from any other thread, as a single, indivisible step. This increases security by preventing one thread from viewing or acting on the state of the data while another thread is still in the middle of the operation.
Access rights granted or denied at the file, folder, or other object level.
characteristic factor authentication
Authentication based on something the person is.
intrusion detection system (IDS)
A system that monitors network or host activity, detects security events, and logs and alerts on them; unlike an intrusion prevention system (IPS), it does not itself block the traffic.
A case (incident) management tool that offers built-in templates for specific types of investigations.
Common Vulnerabilities and Exposures (CVE)
SCAP component; list of vulnerabilities in published operating systems and applications software.
A cloud deployment model in which the cloud infrastructure is shared among several organizations from a specific group with common computing needs.
The concept that data stored in digital format is subject to the laws of the country in which the data is located.
Cryptographic technique that involves making a weak key stronger by increasing the time it takes to test each possible key.
A type of control that deters or discourages an attacker.
A type of control put into place to reduce the effect of an attack or other undesirable event.
Trusted Foundry program
A program that can help you exercise care in ensuring the authenticity and integrity of the components of hardware purchased from a vendor.
Using scripting languages to automate a process.
Representational State Transfer (REST)
A client/server model for interacting with content on remote systems, typically using HTTP.
A system that is configured to be attractive to hackers and to lure them into spending time attacking it while information is gathered about the attack.
Advanced Access Content System (AACS)
Protects Blu-ray and HD DVD content. Hackers have been able to obtain the encryption keys to this system.
maximum tolerable downtime (MTD)
The maximum amount of time that an organization can tolerate a single resource or function being down.
A tool that creates reports that list gaps found between the best practices of AWS as stated in CIS Amazon Web Services Foundations Benchmark 1.1.
A measure of the importance of the data.
Content Scrambling System (CSS)
Uses encryption to enforce playback and region restrictions on DVDs.
Search functions that help to locate the relevant information in log data.
Corner of the Diamond Model that describes the attacker intrusion tools and techniques.
sensitive personal information (SPI)
Refers to information that does not identify an individual, but is related to an individual and communicates information that is private or could potentially harm an individual should it be made public.
The step in the intelligence cycle where data is combed and analyzed to identify relevant pieces of information.
virtual private network (VPN)
A connection that allows external devices to access an internal network by creating an encrypted tunnel over the Internet.
Analysis that examines an entire packet, including the payload.
Secure Sockets Layer/Transport Layer Security encryption option for creating VPNs. It works at the application layer of the OSI model. It is used mainly to protect HTTP traffic or web servers.
Algorithms that use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner.
A description of the correctness of the data.
radio frequency identification (RFID)
Object-tracking technology that uses radio frequency chips and readers to manage inventory.
Common Platform Enumeration (CPE)
SCAP component; a NIST standardized method for describing and classifying operating systems, applications, and hardware devices.
A type of control that is implemented after an event; also called a recovery control.
A measure of how essential an asset is to the organization’s business.
A proprietary network scanner developed by Tenable Network Security.
Occurs when a scanner correctly determines that a vulnerability does not exist.
A scan in which the scanner lacks administrative privileges on the device it is scanning.
Process of aligning your incident identification and incident response processes such that there is an element of automation built into your reaction to any specific issue.
A type of malware that prevents or limits users from accessing their systems. It is called ransomware because it forces its victims to pay a ransom through certain online payment methods.
A forensic tool that focuses on collecting evidence from smartphones.
Allows you to keep a port enabled for legitimate devices while preventing its use by illegitimate devices.
A scripting language that is used to work in the Linux interface.
A floor or minimum standard that is required.
In 802.1X, the user or device requesting access to the network.
Type of scan that sets the FIN bit only.
A vulnerability scan performed from inside the organization’s network to assess the likelihood of an insider attack.
A process whereby systems are fully vetted for potential issues from both a functionality and security standpoint.
Applying updates that fix security or functional issues.
Privilege escalation of an Apple device for the purpose of removing software restrictions imposed by Apple.
Sequencing of events based on certain parameters by using scripting and scripting tools.
The application of geographic limits to where a device can be used.
Attack Vector (AV)
CVSS base metric that describes how the attacker would exploit the vulnerability.
Using as a hotspot a device that has been made a member of the domain, allowing access to the organizational network to anyone using the hotspot.
Security Assertion Markup Language (SAML)
A security attestation model built on XML and SOAP-based services that allows for the exchange of authentication and authorization data between systems and supports federated identity management.
Functionality that is integrated into a program or a device.
An exploit framework used to assess and attack Amazon Web Services (AWS) cloud environments.
A type of control that is applied to mitigate the impact or likelihood of an attack; also called a countermeasure.
A suite of tools used for testing web applications.
The technique of capturing traffic and making educated assumptions from the traffic.
United States Federal Sentencing Guidelines of 1991
Provides guidelines to prevent sentencing disparities that existed across the United States.
A type of cipher that performs encryption on a bit-by-bit basis and uses keystream generators.
domain generation algorithm (DGA)
Algorithm that is used by attackers to periodically generate large numbers of domain names that can be used as rendezvous points with their command and control servers.
Intelligence sources that are available to all.
demilitarized zone (DMZ)
A network logically separate from the intranet where resources that will be accessed from the outside world are made available to unauthenticated users.
total attack surface
Comprises all of the points at which vulnerabilities exist. It is critical that the organization have a clear understanding of the total attack surface.
The process of storing keys with a third party to ensure that decryption can occur.
Threats of which we are aware.
The process of breaking down software to discover how it works, perhaps who created it, and, in some cases, how to prevent the software from performing malicious activity.
An attack that occurs when the amount of data that is submitted is larger than the buffer can handle.
The process of discovering what is in the network along with any other pieces of information that might be helpful in a network attack or compromise.
A methodology designed to help guide security professionals.