Glossary

3DES (Triple DES):

An enhancement to the original DES algorithm that uses multiple keys to encrypt plaintext. Officially known as the Triple Data Encryption Algorithm (TDEA or Triple DEA). See also Data Encryption Standard (DES).

3G:

The first widely used standard for digital mobile communications used in cellular networks.

4G:

See Long-Term Evolution (LTE).

5G:

The fifth generation of mobile communications protocols used in cellular networks, using higher bandwidths than 4G.

AAA:

Shorthand for authentication, authorization, and accountability controls.

abstraction:

A process that involves viewing an application from its highest-level functions, which makes lower-level functions abstract.

acceptance testing:

The verification of proper functionality of a software program or system. See also user acceptance testing (UAT).

access card:

See key card.

access control:

The capability to permit or deny the use of an object (a passive entity, such as a system or file) by a subject (an active entity, such as a person or process).

access control list (ACL):

Lists the specific rights and permissions assigned to a subject for a given object.

access management:

The life cycle process concerned with the management of user access to information and systems.

Access Matrix Model:

Provides object access rights (read/write/execute or R/W/X) to subjects in a DAC system. An access matrix consists of ACLs and capability lists. See also access control list (ACL) and discretionary access control (DAC).

accountability:

The capability of a system to associate users and processes with their actions.

accreditation:

Official, written approval for the operation of a specific system in a specific environment, as documented in a certification report.

accumulation of privileges:

See aggregation (2).

acquisition:

(1) The process of purchasing another organization. (2) The process of purchasing information systems hardware or software. (3) The process of obtaining data from an external source.

active assailant:

Any situation in which a person is threatening to harm others at a workplace or other location where people are gathered.

active-active:

A clustered configuration in which all the nodes in a system or network are load-balanced, synchronized, and active. If one node fails, the other nodes continue providing services seamlessly.

active-passive:

A clustered configuration in which only one node in a system or network is active. If the primary node fails, a passive node becomes active and continues providing services, usually after a short delay.

Address Resolution Protocol (ARP):

The network protocol used to query and discover the MAC address of a device on a LAN.

address space:

A range of discrete addresses allocated to a network host, device, disk sector, or memory cell.

administrative controls:

The policies and procedures that an organization implements as part of its overall information security strategy.

administrative laws:

Legal requirements passed by government institutions that define standards of performance and conduct for major industries (such as banking, energy, and health care), organizations, and officials.

Advanced Encryption Standard (AES):

A block cipher based on the Rijndael cipher, which replaced DES. See also Data Encryption Standard (DES).

Advanced Evolved High Speed Packet Access (HSPA+):

Two mobile protocols that extended the performance of 3G networks. See also 3G.

after-action review (AAR):

A post-incident review of incident response to identify potential improvements in detection or response.

agreement:

See contract.

aggregation:

(1) A database security issue that describes the act of obtaining information classified at a high sensitivity level by combining other items of low-sensitivity information. (2) The unintended accumulation of access privileges by people who transfer from role to role in an organization over time.

Agile:

A software development methodology known for its iterative approach to the development of a system.

Agile Maturity Model (AMM):

A framework for measuring the maturity of Agile software development processes and practices. See also Agile, maturity model.

air gap:

The process of placing components on separate networks, or of removing network connectivity from specific components, to prevent communication between specific components.

analytic attack:

An attack on a cryptosystem that uses algebraic manipulation in an attempt to reduce the complexity of the algorithm.

Annualized Loss Expectancy (ALE):

A standard, quantifiable measure of the impact that a realized threat will have on an organization’s assets. ALE is determined by the formula Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE. See also Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO).

Annualized Rate of Occurrence (ARO):

The estimated annual frequency of occurrence for a specific threat or event.

anonymization:

An irreversible deidentification procedure in which specific identifiers that relate personal information to a specific person are removed. See also deidentification and pseudonymization.

antivirus software:

Software that’s designed to detect and prevent computer viruses and other malware from entering and harming a system.

applet:

A component in a distributed environment (various components are located on separate systems) that’s downloaded into and executed by another program, such as a web browser.

application firewall:

A firewall that inspects OSI Layer 7 content to block malicious content from reaching or leaving an application server. See also web application firewall (WAF).

Application Layer (OSI model):

Layer 7 of the OSI model. See also Open Systems Interconnection (OSI) model.

Application Layer (TCP/IP model):

Layer 4 of the TCP/IP model. See also TCP/IP model.

application-level firewall:

See application firewall.

application penetration test:

A penetration test of a software application. See also penetration test.

application programming interface (API):

A specification for input data and output data for a nonhuman interface in an information system.

application scan:

An automated test used to identify weaknesses in a software application.

application software:

Computer software that a person uses to accomplish a specific task.

application whitelisting:

A mechanism used to control which applications are permitted to execute on a system. See also whitelisting.

archive:

In a public key infrastructure, an archive is responsible for long-term storage of archived information from the Certificate Authority. See also Certificate Authority (CA) and public key infrastructure (PKI).

artificial intelligence (AI):

The ability of a computer to interact with and learn from its environment and to automatically perform actions without being explicitly programmed.

asset:

A resource, process, product, system, or program that has some value to an organization and therefore must be protected. Assets can be hard goods, such as computers and equipment, but can also be information, programs, and intellectual property.

asset classification:

Policy that defines sensitivity levels, hardening standards, and handling procedures for assets at each level.

asset inventory:

The process of tracking assets in an organization.

asset valuation:

The process of assigning a financial or relative value to an organization’s information assets.

asymmetric key system (or asymmetric algorithm; public key):

A cryptographic system that uses two separate keys: one key to encrypt information and a different key to decrypt information. These key pairs are known as public and private keys.

Asynchronous Transfer Mode (ATM):

A very high-speed, low-latency, packet-switched communications protocol.

Attached Resource Computer NETwork (ARCNET):

An early physical LAN cabling standard that is no longer in common use.

attack surface reduction:

The effort to reduce the number of systems, devices, and components that are potentially exploitable.

attack tree:

A diagram that depicts types of attacks and their progression.

attribute-based access control (ABAC):

An access control model in which a subject is granted access to an object based on subject attributes, object attributes, and environmental considerations.

audit:

The independent verification of any activity or process.

audit trail:

The auxiliary records that document transactions and other events.

authenticated scan:

A vulnerability scan that attempts to log in to a device, system, or application during its search for exploitable vulnerabilities.

authentication:

The process of verifying a subject’s claimed identity in an access control system.

authentication bypass:

Any attack on a system that attempts to gain access to the system without providing authentication credentials.

Authentication Header (AH):

In Internet Protocol Security, a protocol that provides integrity, authentication, and nonrepudiation. See also Encapsulating Security Payload (ESP) and Internet Protocol Security (IPsec).

authority to operate (ATO):

Formal approval to use a new or changed system in a production environment.

authorization (or establishment):

The process of defining and granting the rights and permissions of a subject (what you can do).

automatic controls:

Controls that are not performed manually.

automatic external defibrillator (AED):

A portable defibrillator that can be used by untrained personnel to diagnose and treat arrhythmia, otherwise known as a heart attack.

autonomous system number (ASN):

An identifier used to assign publicly accessible network address space to organizations.

availability:

The process of ensuring that systems and data are accessible to authorized users when they need it.

backdoor:

Malware that enables a person to bypass normal authentication to gain access to a compromised system. See also malware.

background check:

The process of verifying a person’s professional, financial, and legal history, usually in connection with employment.

backup:

The process of making copies of critical information in the event of a later event that results in the loss of that information.

baseline:

A process that identifies a consistent basis for an organization’s security architecture, taking into account system-specific parameters, such as different operating systems.

Bell-LaPadula model:

A formal confidentiality model that defines two basic properties: the simple security property (ss property) and star property (* property). See also simple security property (ss property) and star property (* property).

best evidence:

Original, unaltered evidence, which is preferred by the court over secondary evidence. See also best evidence rule and evidence.

best evidence rule:

As defined in the Federal Rules of Evidence; states that “to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is (ordinarily) required.” See also evidence.

Biba model:

A formal integrity model that defines two basic properties: the simple integrity property and star integrity property (*-integrity property). See also simple integrity property and star integrity property (*-integrity property).

biometrics:

Any of various means used, as part of an authentication mechanism, to verify the identity of a person. Types of biometrics used include fingerprints, palm prints, signatures, retinal scans, voice scans, and keystroke patterns.

birthday attack:

A type of attack that attempts to exploit the probability of two messages using the same hash function and producing the same message digest. See also hash function.

black-box testing:

A security test wherein the tester has no previous knowledge of the system being tested. See also dynamic application scanning tool (DAST).

blacklisting:

A mechanism that explicitly blocks access based on the presence of an item in a list. See also whitelisting.

blackout:

A complete loss of electric power.

block cipher:

An encryption algorithm that divides plaintext into fixed-size blocks of characters or bits and then uses the same key on each fixed-size block to produce corresponding ciphertext.

Bluetooth:

A wireless technology standard for data exchange over short distances between fixed and mobile devices.

bollard:

A post used to divert traffic from a building, area, or road.

bot:

A target computer that is infected by malware and is part of a botnet. See also botnet and malware.

breach:

An action resulting in unauthorized disclosure of confidential information or damage to a system.

breach attack simulation:

A type of penetration test in which defenses and incident response are tested.

bridge:

A network device that forwards packets to other networks.

bring your own device (BYOD):

A mobile device policy that permits employees to use their personal mobile devices in the workplace for work-related and personal business.

broadcast:

A type of network protocol whereby packets are sent from a source to every node on a network.

broken windows theory:

A theory that suggests that broken windows, trash, and other visible signs of physical damage and neglect invite criminal elements and result in further criminal activity.

brownout:

Prolonged drop in voltage from an electric power source, such as a public utility.

brute-force attack:

A type of attack in which the attacker attempts every possible combination of letters, numbers, and characters to crack a password, passphrase, encryption key, or personal identification number.

buffer (or stack) overflow attack:

A type of attack in which the attacker enters an out-of-range parameter or intentionally exceeds the buffer capacity of a system or application to effect a denial of service (DoS) attack or exploit a vulnerability.

Building Security In Maturity Model (BSIMM):

A maturity model for benchmarking software development processes.

bus:

A network topology in which all devices are connected to a single cable.

business continuity plan (BCP):

A set of procedures to be followed in the event of a business interruption to ensure the continuation of critical business processes.

business impact analysis (BIA):

A risk analysis that, as part of a business continuity plan, describes the impact on business operations that the loss of various IT systems would impose.

California Consumer Privacy Act (CCPA):

A state law that defines privacy rights and consumer protections for California residents.

California Privacy Rights Act (CPRA):

A state law that amends the CCPA.

Caller ID:

The protocol used to transmit the calling party’s telephone number to the called party’s telephone equipment during the establishment of a telephone call.

Caller ID spoofing:

The use of a device or service to alter the Caller ID of an outgoing call, used by callers to impersonate others for the purpose of perpetrating fraud. See also Caller ID.

Capability Maturity Model Integration (CMMI):

A maturity model for software development and other IT practices, including information security.

card key:

See key card.

Center for Internet Security Critical Security Controls (CIS CSC):

A cybersecurity controls framework.

certification:

A formal methodology that uses established evaluation criteria to conduct comprehensive testing and documentation of information system security safeguards, both technical and nontechnical, in a given environment.

Certificate Authority (CA):

In a public key infrastructure, the CA issues certificates, maintains and publishes status information and Certificate Revocation Lists, and maintains archives. See also public key infrastructure (PKI).

chain of custody (or chain of evidence):

Procedures that provide accountability and protection for evidence throughout that evidence’s entire life cycle.

Challenge-Handshake Authentication Protocol (CHAP):

A remote access control protocol that uses a three-way handshake to authenticate both a peer and a server. See also three-way handshake.

change management:

The formal business process that ensures that all changes made in a system are properly requested, reviewed, approved, tested, and implemented.

Children's Online Privacy Protection Act (COPPA):

A U.S. law protecting information about children under the age of 13.

choose your own device (CYOD):

A mobile device policy that permits employees to select their preferred mobile device from a list of devices that have been approved by the organization.

chosen plaintext attack:

An attack technique in which the cryptanalyst selects the plaintext to be encrypted and then analyzes the resulting ciphertext.

C-I-A:

Confidentiality, integrity, and availability.

cipher:

A cryptographic transformation.

ciphertext:

A plaintext message that has been transformed (encrypted) into a scrambled message that’s unintelligible.

ciphertext-only attack:

A method of cryptanalysis in which the attacker has access only to ciphertext.

circuit-switched network:

Any of several telecommunications network designs that provide a dedicated physical circuit path between endpoints.

circumstantial evidence:

Relevant facts that can’t be directly or conclusively connected to other events but about which a reasonable inference can be made. See also evidence.

civil (or tort) law:

Legal codes that address wrongful acts committed against a person or business, either willfully or negligently, resulting in damage, loss, injury, or death. Unlike criminal law, U.S. civil law cases are determined based on a preponderance of evidence, and punishments are limited to fines.

Clark-Wilson model:

A formal integrity model that addresses all three goals of integrity (preventing unauthorized users from making any changes, preventing authorized users from making unauthorized changes, and maintaining internal and external consistency) and identifies special requirements for inputting data.

classification:

The process of assigning a security label to a document that defines how the document should be handled.

closed system:

A system that uses proprietary hardware and/or software that may not be compatible with other systems or components. See also open system.

cloud:

Internet-based network, computing, and application infrastructure available on demand.

cloud access security broker (CASB):

Systems used to enforce policy regarding the use of cloud-based resources.

cluster:

A system or network configuration containing multiple redundant nodes for resiliency. See also active-active and active-passive.

clustering (or key clustering):

Generating identical ciphertext messages from a plaintext message by using the same encryption algorithm but different encryption keys.

coaxial cable:

A network medium consisting of a single solid-wire core that is surrounded by an insulation layer and a metal foil wrap.

COBIT:

Formerly Control Objectives for Information and Related Technologies. An IT controls and process framework developed by ISACA (formerly Information Systems Audit and Control Association).

code of ethics:

A formal statement that defines ethical behavior in a given organization or profession.

code review:

The examination of source code to identify defects.

coercion:

Compelling a person to provide evidence involuntarily through intimidation, trickery, or bribery.

cold site:

An alternative computer facility that has electricity, heating, air conditioning, and ventilation but no computer equipment onsite. See also hot site, reciprocal site, and warm site.

collision:

(1) A network event in which two nodes simultaneously transmit frames. (2) An event in which two different messages produce the same message digest.

collision domain:

A portion of a network that would receive broadcast packets sent from one of its nodes.

common vulnerability scoring system (CVSS):

An industry-standard method for determining the severity of a vulnerability identified by a vulnerability scan, penetration test, or other means.

Common Criteria:

An international effort to standardize and improve existing European and North American information systems security evaluation criteria.

common law:

A legal system, originating in medieval England, based on custom and judicial precedent.

community cloud:

As defined by the National Institute of Standards and Technology, a cloud infrastructure “provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns.” See also cloud.

compensating controls:

Controls that are implemented as an alternative to other preventive, detective, corrective, deterrent, or recovery controls.

compensatory damages:

Actual damages to the victim, including attorney/legal fees, lost profits, and investigative costs.

compliance:

Conformance to rules, including laws, regulations, standards, policies, and legal agreements.

compliance risk:

Any risk identified that is a consequence of failing to comply with a policy, law, regulation, or other legal obligation.

Computer Incident Response Team (CIRT) or Computer Emergency Response Team (CERT):

A team that comprises people who are properly trained in incident response and investigation.

concealment cipher:

A technique of hiding a message in plain sight. The key is knowing where the message lies.

concentrator:

See hub.

conclusive evidence:

Incontrovertible and irrefutable … you know, a smoking gun. See also evidence.

confidentiality:

The concept that information and functions should be accessed only by authorized subjects.

confidentiality agreement:

See nondisclosure agreement (NDA).

configuration management:

The process of recording all changes to information systems.

configuration management database (CMDB):

A repository that is used to store all configuration changes made to an information system.

container:

An isolated instance in a running operating system in which a software application is executed.

containerization:

A method of virtualization in which several isolated operating zones are created in a running operating system so that application programs and data can execute independently within their respective containers.

content-distribution network (CDN):

A system of distributed servers that delivers cached web pages and other static content to a user from the nearest geographic location to the user. Also known as a content delivery network.

continuing professional education (CPE):

Training classes and other activities that further a person’s skills and knowledge in a profession.

Continuity of Operations Planning (COOP):

Disaster recovery planning and business continuity planning blended into a single coordinated activity.

continuous improvement:

Intentional practices that result in the gradual improvement of people, processes, and technology.

continuous integration and continuous deployment (CI/CD):

A development and operations environment supported by automation such that changes to application source code and infrastructure configuration are built, integrated, and deployed automatically.

continuous monitoring:

Real-time or near-real-time examination of a process or system. See also monitoring.

contract:

A legally binding document, signed by two or more parties, that describes rights and duties.

control:

A safeguard or countermeasure that helps prevent or mitigate a security risk.

control assessment:

An examination of a control to determine its effectiveness.

control framework:

An organized collection of controls.

control self-assessment (CSA):

An activity wherein a control owner is prompted to assert the effectiveness of a control, usually through answering questions and submitting evidence.

controller:

See data controller.

copyright:

A form of legal protection granted to the author(s) of “original works of authorship,” both published and unpublished.

corporate owned personally enabled (COPE):

A practice of issuing computing devices to employees when personal use, in addition to business use, is permitted.

corrective controls:

Controls that remedy violations and incidents or improve existing preventive and detective controls.

corroborative evidence:

Evidence that supports or substantiates other evidence presented in a legal case. See also evidence.

corroborative inquiry:

An audit technique in which auditors ask other personnel about a particular control to see whether their responses align with those of control owners.

countermeasure:

A device, control, or action required to reduce the impact or probability of a security incident.

covert channel:

An unintended communications path, which may be a covert storage channel or a covert timing channel.

crime prevention through environmental design (CPTED):

A philosophy for the inclusion of security and physical design of defensible spaces.

criminal law:

Defines crimes committed against society, even when the actual victim is a business or person. Criminal laws are enacted to protect the general public. Unlike civil cases, U.S. criminal cases are decided when a party is guilty beyond a reasonable doubt. Punishments may include fines, incarceration, and even execution.

criticality assessment (CA):

The part of a business impact analysis that ranks the criticality of business processes and IT systems. See also business impact analysis (BIA).

Crossover Error Rate (CER):

In biometric access control systems, the point at which the FRR equals the FAR, stated as a percentage. See also False Accept Rate (FAR; or Type II Error) and False Reject Rate (FRR; or Type I Error).

cross-site request forgery (CSRF):

An attack in which an attacker attempts to trick a victim into clicking a link to perform an action that the victim would not otherwise perform.

cross-site scripting (XSS):

An attack in which an attacker attempts to inject client-side script into web pages viewed by other intended victims.

cryptanalysis:

The science of deciphering ciphertext without using the cryptographic key.

cryptocurrency:

A form of digital currency, such as Bitcoin, that uses encryption to control the creation of currency and verify the transfer of funds independent of a central bank or authority.

cryptography:

The techniques and algorithms used for encrypting and decrypting information, such as a private message, to protect its confidentiality, integrity, and/or authenticity.

cryptologist:

A practitioner of cryptology.

cryptology:

The science that encompasses both cryptography and cryptanalysis.

cryptomining:

Computer processing to validate cryptocurrency transactions, resulting in a financial reward for the owner of the computer performing the processing.

cryptoperiod:

The length of time for which a specific encryption key is authorized for use.

cryptosystem:

The hardware or software components that transform plaintext into ciphertext (encrypts) and back into plaintext (decrypts).

cryptovariable (or key):

A secret value applied to a cryptographic algorithm. The strength and effectiveness of the cryptosystem is largely dependent on the secrecy and strength of the cryptovariable.

culpable negligence:

A legal term that may describe an organization’s failure to follow a standard of due care in the protection of its assets and thereby expose the organization to a legal claim. See also due care.

custodian:

A person who has day-to-day responsibility for protecting information assets.

cutover test:

See full interruption test.

cybercrime:

Any criminal activity in which computer systems or networks are targeted or used as tools.

Cybersecurity Maturity Model Certification (CMMC):

An assessment program for evaluating the security of service providers providing services to U.S. government agencies.

data carrier equipment (DCE):

A device used to establish, maintain, and terminate communications between a data source and its destination in a network. See also data terminal equipment (DTE).

data classification:

Policy that defines sensitivity levels and proper handling procedures for data at each level and in various handling scenarios.

data collection:

The process of receiving data from a subject.

data controller:

An organization that directs the storage and processing of information, as defined by the General Data Protection Regulation and other privacy laws.

data destruction:

Any means used to remove data from a storage medium.

data discovery:

Tools that scan stored data on systems to determine the presence of specific types of data.

data encapsulation:

In networking, the wrapping of protocol information from the OSI model layer immediately above in the data section of the layer immediately below. See also Open Systems Interconnection (OSI) model.

data encryption key (DEK):

An encryption key used to encrypt and decrypt data. See also key encryption key (KEK).

Data Encryption Standard (DES):

A commonly used symmetric key algorithm that uses a 56-bit key and operates on 64-bit blocks. See also Advanced Encryption Standard (AES).

Data Link Layer:

Layer 2 of the OSI network model. See also Open Systems Interconnection (OSI) model.

data loss prevention (DLP):

An application or device used to detect or prevent the unauthorized storage or transmission of sensitive data.

data maintenance:

Any activity where data is being reviewed, updated, corrected, or discarded.

Data Over Cable Service Interface Specification (DOCSIS):

A communications protocol for transmitting high-speed data over an existing TV cable system.

data processor:

As defined by the General Data Protection Regulation, an organization or entity that processes information at the direction of a data controller. See also General Data Protection Regulation (GDPR).

data protection officer (DPO):

A person responsible for the development and management of a data privacy program, as directed by the European General Data Protection Regulation and other privacy laws. See also General Data Protection Regulation (GDPR).

data recovery:

The process of retrieving data from backup media in the event of an error or malfunction.

data remanence:

Residual data that remains on storage media or in memory after the data has been deleted.

data retention:

The activities supporting an organization’s effort to retain specific sets and types of data for minimum and/or maximum periods.

data subject:

An identifiable natural person.

data terminal equipment (DTE):

A device that communicates with a DCE in a network. See also data carrier equipment (DCE).

data warehouse:

A special-purpose database used for decision support or research purposes.

database management system (DBMS):

Restricts access by different subjects to various objects in a database.

datagram:

The protocol data unit for the User Datagram Protocol. See also protocol data unit (PDU) and User Datagram Protocol (UDP).

deciphering:

See decryption.

decryption:

The process of transforming ciphertext into plaintext.

deep packet inspection (DPI):

An advanced method of examining and managing network traffic.

defense in depth:

The principle of protecting assets by using layers of dissimilar mechanisms.

Defense Information Technology Security Certification and Accreditation Process (DITSCAP):

A program that formalizes the certification and accreditation process for U.S. Department of Defense information systems.

deidentification:

Any procedure through which specific identifiers about a data subject are removed or replaced. See also anonymization, masking, and pseudonymization.

deluge:

A type of water-based fire suppression in which large amounts of water are sprayed into an area.

Deming cycle:

The conceptual life cycle model that consists of Plan, Do, Check, Act.

demonstrative evidence:

Evidence that is used to aid the court’s understanding of a legal case. See also evidence.

denial of service (DoS):

An attack on a system or network with the intention of making the system or network unavailable for use.

design review:

An examination of the design of a system to ensure it complies with policies, standards, and secure practices.

destructware:

Malware that functions similarly to ransomware, except that the attacker has no intention of extracting a ransom payment and, therefore, no decryption key is available to recover the encrypted data.

detective controls:

Controls that are intended to identify violations and incidents.

deterrent controls:

Controls that are intended to discourage violations.

DevOps:

The culture and practice of improved collaboration between software developers and IT operations.

DevSecOps:

The integration of security practices within DevOps. See also DevOps.

Diameter:

The successor protocol to RADIUS for remote authentication. See also Remote Authentication Dial-In User Service (RADIUS).

dictionary attack:

A focused type of brute-force attack in which a predefined word list is used. See also brute-force attack.

Diffie-Hellman:

A key-exchange algorithm based on discrete logarithms.

digital certificate:

A certificate that binds an identity with a public encryption key.

digital forensics:

The science of conducting a computer incident investigation to determine what has happened.

digital rights management (DRM):

A tool or technique used to enforce the use, modification, and distribution of software or data.

digital signature:

A cryptographic method used to verify the authenticity and integrity of a message.

Digital Signature Standard (DSS):

Published in Federal Information Processing Standard (FIPS) 186-1, DSS specifies two acceptable algorithms in its standard: The RSA Digital Signature Algorithm and the Digital Signature Algorithm (DSA). See also NIST and Rivest, Shamir, Adleman (RSA).

digital subscriber line (xDSL):

A high-bandwidth communications protocol delivered over analog telecommunications voice lines.

digital watermarking:

A technique used to verify the authenticity of an image or data. A watermark may be conspicuous or hidden.

direct evidence:

Oral testimony or a written statement based on information gathered through the witness’s five senses that proves or disproves a specific fact or issue. See also evidence.

disaster:

Any natural or human-made event that may cause the interruption of business operations.

disaster recovery plan (DRP):

A set of procedures to be followed in the event of a business interruption to ensure the recovery of critical assets and information systems.

discovery sampling:

A sampling technique in which an auditor selects additional samples to find a single exception.

discretionary access control (DAC):

An access policy determined by the owner of a file or other resource. See also mandatory access control (MAC) system.

distributed denial of service (DDoS):

An attack in which the attacker initiates simultaneous denial-of-service attacks from many systems.

Distributed Network Protocol (DNP3):

A set of communications protocols used between components in process automation systems (such as public utilities).

distribution frame:

(1) A room in which telephone and data cabling is terminated. (2) The componentry used for terminating telephone and data cabling. See also main distribution frame (MDF), intermediate distribution frame (IDF).

DNS cache poisoning:

A type of attack, also known as DNS spoofing, that exploits vulnerabilities in DNS to divert Internet traffic away from legitimate destination servers to fake servers. See also Domain Name System (DNS).

DNS hijacking:

An attack technique used to redirect DNS queries away from legitimate DNS servers. See also Domain Name System (DNS).

documentary evidence:

Evidence that is used in legal proceedings, including originals and copies of business records, computer-generated and computer-stored records, manuals, policies, standards, procedures, and log files. See also evidence.

domain:

A collection of users, computers, and resources that have a common security policy and single administration.

domain homograph attack:

A type of spoofing attack in which the attacker uses similar-looking keyboard characters to deceive computer users about the actual remote system they are communicating with, such as by replacing a Latin O with a Cyrillic O in a website address.

Domain Name System (DNS):

A hierarchical, decentralized directory service database that converts domain names to IP addresses for computers, services, and other computing resources connected to a network or the Internet.

domain name system security extensions (DNSSEC):

Specifications for securing certain kinds of information provided by DNS as used on IP networks.

drift:

The gradual change in a system’s configuration from an established baseline or standard.

drop:

See voltage drop.

drug screen:

A test for the presence of drugs and controlled substances, usually as a part of pre-employment screening. See also background check.

dry pipe:

A fire suppression system in which sprinkler pipes are not filled with water until fire suppression is necessary. See also wet pipe.

due care:

The steps that an organization takes to implement security best practices.

due diligence:

The prudent management and execution of due care.

dumpster diving:

The process of examining garbage with the intention of finding valuable goods or information.

duress alarm:

A hidden alarm trigger that personnel can use to summon help in an emergency.

dwell time:

The elapsed time between the onset of a security incident and the organization’s realization that an incident has occurred (or is occurring).

dynamic application scanning tool (DAST):

A tool used to identify vulnerabilities in a software application that works by executing the application and attempting various means to compromise it.

dynamic password:

A password that changes at some regular interval or event.

east–west traffic:

Network communications between systems within a network.

eavesdropping:

Listening to network traffic to obtain content or learn more about communications.

edge computing:

A method used to optimize cloud computing by processing data at the edge of the network, near the source of the data.

egress monitoring:

Any practice of monitoring outbound traffic to discover potential intrusion or data leakage.

electric generator:

A machine used to generate electricity locally in the event of interruption of electric utility power.

electromagnetic interference (EMI):

Electrical noise generated by the different charges among the three electrical wires (hot, neutral, and ground). It can be common-mode noise (caused by hot and ground) or transverse-mode noise (caused by hot and neutral).

electronic protected health-care information (ePHI):

Any patient-related health information as defined by HIPAA. See also Health Insurance Portability and Accountability Act (HIPAA).

electrostatic discharge (ESD):

A sudden flow of electricity between two objects.

emanations:

Unintentional emissions of electromagnetic or acoustic energy from a system.

emergency power off (EPO):

A switch that can be used to remove electric power from nearby equipment in case of fire or electric shock.

employment agreement:

A legal agreement between an employer and employee that stipulates the terms and conditions of employment.

employment candidate screening:

See background check.

employment termination:

The cessation of employment for one or more employees in an organization.

encapsulation:

The process of layering protocol information at different levels of a protocol stack.

Encapsulating Security Payload (ESP):

A protocol that provides confidentiality (encryption) and limited authentication. See also Authentication Header (AH) and Internet Protocol Security (IPsec).

encryption:

The process of transforming plaintext into ciphertext.

end of life (EOL):

A date after which a hardware or software product is considered to be unviable.

end of support (EOS):

A date after which a product manufacturer no longer supports a hardware or software product.

end-to-end encryption:

A process by which packets are encrypted at the original encryption source and decrypted only at the final decryption destination.

endpoint:

A general term referring to a desktop computer, laptop or notebook computer, or mobile device.

Enhanced Mobile Broadband (eMBB):

A standard used in 5G mobile communications.

enticement:

Luring someone toward certain evidence after that person has already committed a crime.

entitlement:

Access rights assigned to employees based on job title, department, or other established criteria.

entrapment:

Encouraging someone to commit a crime that the person may have had no intention of committing.

ephemeral account:

See just-in-time (JIT) access.

escalation of privilege:

An attack technique in which the attacker uses some means to bypass security controls to attain a higher privilege level on the target system.

Escrowed Encryption Standard (EES):

Divides a secret key into two parts and places those two parts into escrow with two separate, trusted organizations. Published by NIST in FIPS PUB 185 (1994). See also NIST.

espionage:

The practice of spying or using spies to obtain proprietary or confidential information.

Ethernet:

A common bus-topology network transport protocol.

ethics:

Professional principles and duties that guide decisions and behavior. See also code of ethics.

e-vaulting:

The practice of backing up data to a cloud-based data storage provider.

event management:

The life cycle process concerned with the receipt, logging, and alerting of security and operational events in a system or environment.

evidence:

Information obtained in support of an investigation or incident.

evidence life cycle:

The various phases of evidence, from initial discovery to its final disposition. The evidence life cycle has the following five stages: collection and identification; analysis; storage, preservation, and transportation; presentation in court; and return to victim (owner).

Exclusive Or (XOR):

A binary operation applied to two input bits. If the two bits are equal, the result is zero. If the two bits are not equal, the result is one.

exigent circumstances:

If probable cause exists and the destruction of evidence is imminent or human lives are at stake, property or people may be searched and/or evidence may be seized by law enforcement personnel without a search warrant.

exploit:

(1) Software or code that takes advantage of a vulnerability in an operating system (OS) or application and causes unintended behavior in the OS or application, such as privilege escalation, remote control, or denial of service. (2) Action taken by a subject, system, or program that uses a vulnerability to gain illicit access to an object.

exposure factor (EF):

A measure, expressed as a percentage, of the negative effect or impact that a realized threat or event would have on a specific asset.

Extensible Authentication Protocol (EAP):

A remote access control protocol that implements various authentication mechanisms, including MD5, S/Key, generic token cards, and digital certificates. Often used in wireless networks.

facilities classification policy:

Policy that defines sensitivity levels and protection controls for work locations at each classification level.

Fagan inspection:

A structured process that is used to find defects in design documents, specifications, and source code.

fail closed:

A control failure that results in all accesses being blocked.

fail open:

A control failure that results in all accesses being permitted.

fail securely:

A concept similar to fail closed and fail open that dictates that the failure of a system or control should result in the system or control being in a secure state.

failover:

A failure mode in which the system automatically transfers processing to a hot backup component, such as a clustered server, if a hardware or software failure is detected.

fail-safe:

A failure mode in which program execution is terminated and the system is protected from compromise if a hardware or software failure is detected.

fail-soft (or resilient):

A failure mode in which certain noncritical processing is terminated and the computer or network continues to function in a degraded mode, if a hardware or software failure is detected.

False Accept Rate (FAR; or Type II Error):

In biometric access control systems, the percentage of unauthorized users who are incorrectly granted access. See also Crossover Error Rate (CER) and False Reject Rate (FRR; or Type I Error).

False Reject Rate (FRR; or Type I Error):

In biometric access control systems, the percentage of authorized users who are incorrectly denied access. See also Crossover Error Rate (CER) and False Accept Rate (FAR; or Type II Error).

fault:

Momentary loss of electric power.

fault injection:

Any of several techniques used to test a system to see how it will behave under stress.

fault-tolerant:

A system that continues to operate after the failure of a computer or network component.

Federal Information Processing Standard (FIPS):

Standards and guidelines published by the U.S. National Institute of Standards and Technology (NIST) for federal computer systems. See also NIST.

Federal Privacy Act of 1974:

A U.S. law requiring the protection of personal information by U.S. government agencies.

Federal Risk and Authorization Management Program (FedRAMP):

The required process for U.S. federal government agencies when procuring cloud-based services.

federated identity management (FIM):

A system whereby multiple organizations share a common identity management system.

federation of identity (FIdM):

The standards, technologies, and tools used to facilitate the portability of identity across separately managed organizations.

fence:

See security fence.

Fiber Distributed Data Interface (FDDI):

A star topology, token-passing, network transport protocol.

fiber optic cable:

A network medium consisting of glass or plastic strands that carry light signals.

Fibre Channel over Ethernet (FCoE):

A communications protocol that encapsulates Fibre Channel frames over 10 Gigabit Ethernet (or faster) networks.

fiduciary:

A person in a legal or moral position of trust and sound management, such as a company board member.

firewall:

A device or program that controls traffic flow between networks.

first aid:

Techniques used to treat injuries to personnel prior to receiving medical care.

forensics (or computer forensics):

The science of conducting a computer crime investigation to determine what’s happened and who’s responsible for what’s happened. One major component of computer forensics involves collecting legally admissible evidence for use in a computer-crime case.

fourth-party risk:

A concern within third-party risk management in which third-party service organizations employ their own third parties, thereby increasing risk.

frame:

The protocol data unit of the Ethernet protocol. See also protocol data unit (PDU), Ethernet.

frame relay (FR):

A packet-switched network protocol used to transport WAN communications.

fraud:

Any deceptive or misrepresented activity that results in illicit personal gain.

full interruption test:

A test of a disaster recovery or business continuity plan in which contingency procedures and systems are used to conduct live business transactions.

functional requirements:

The required visible characteristics of a program or system.

fuzzing:

A software testing technique in which many different combinations of input strings are fed to a program in an attempt to elicit unexpected behavior.

gaming:

Using a system for a purpose other than its intended purpose.

gateway:

A system, connected to a network, that performs any real-time translation or interface function, such as a system that converts Microsoft Exchange email to Lotus Notes email.

General Data Protection Regulation (GDPR):

A law that strengthens data protection for European Union (EU) citizens and addresses the export of personal data outside the EU.

geographic diversity:

A characteristic of electric utility and telecommunication facilities in which two or more connections to a facility are available.

geolocation:

Any technique used to determine the location of a device.

Global Positioning System (GPS):

A U.S. government-owned global system of satellites that provide geolocation and time information to GPS receivers anywhere on or near Earth that have an unobstructed line of sight to four or more GPS satellites.

goals:

Specific milestones that an organization hopes to accomplish.

golden-ticket attack:

An attack on a Kerberos system in which an attacker is able to forge valid ticket granting tickets and use them to access network resources.

governance:

Policies and processes that ensure that executive management is fully informed and in control of some aspect of an organization.

Gramm-Leach-Bliley Act (GLBA):

A U.S. law that defines privacy requirements for customers of financial services institutions.

guard dog:

A trained canine that is accompanied by a security guard as part of an active work area protection plan.

guest:

(1) An instantiation of an operating system within a virtual environment. See also virtualization. (2) A visitor to a commercial work facility.

guidelines:

Similar to standards but considered to be recommendations rather than requirements.

hacker:

Formerly a term describing a computer hobbyist; now commonly used to refer to a person with criminal intent who breaks into computers and networks.

hacktivist:

A person who attacks organizations’ systems based on ideological motivations.

hardening:

Changing the architecture and/or configuration of a system to make it more resistant to attack.

hardening standard:

A written document describing security configuration settings for applicable systems.

hardware:

The physical components in a computer system.

hash function:

A mathematical function that creates a unique representation of a larger set of data (such as a digest). Hash functions are often used in cryptographic algorithms and to produce checksums and message digests. See also message digest.

Health Information Technology for Economic and Clinical Health (HITECH) Act:

A U.S. federal act that expanded the use of health-care information systems and of privacy requirements protecting health-care information.

Health Insurance Portability and Accountability Act (HIPAA):

A U.S. federal act that addresses security and privacy requirements for medical systems and information.

hearsay evidence:

Evidence that isn’t based on the witness’s personal, firsthand knowledge but was obtained through other sources.

hearsay rule:

Under the Federal Rules of Evidence, hearsay evidence is normally not admissible in court. Computer evidence is an exception to the hearsay rule.

heat detector:

A device that is used to detect heat from a fire.

heating, ventilation, and air conditioning (HVAC):

Environmental controls that ensure that temperature and humidity remain within acceptable levels.

heterogeneous environment:

A systems environment that consists of a variety of types of systems. See also homogeneous environment.

hextet:

Thirty-two hexadecimal digits grouped into eight blocks of four hexadecimal digits.

high availability (HA):

A system’s architecture and design that ensures a higher degree of availability than that of an individual system.

high-performance computing (HPC):

The use of supercomputers for solving problems requiring large quantities of computation.

High-Speed Serial Interface (HSSI):

A point-to-point WAN connection protocol.

homogeneous environment:

A systems environment that consists largely of one type of system. See also heterogeneous environment.

honeynet:

A large deployment of honeypots, also referred to as a honeyfarm. See also honeypot.

honeypot:

A decoy system deployed by a security administrator to discover the attack methods of potential hackers.

host-based intrusion detection system (HIDS):

An intrusion detection system designed to detect intrusions through examination of activities on a host system. See also intrusion detection system.

hot site:

A fully configured alternative computer facility that has electrical power, HVAC, and functioning file/print servers and workstations. See also cold site, reciprocal site, and warm site.

hub:

A network device used to connect several LAN devices. Also known as a concentrator.

human–machine interface (HMI):

Features of a system or device designed to interact with a person, in which information is entered via switches, buttons, keys, microphones, or cameras, and/or information imparted to a user via a display, sound, or touch.

hybrid cloud:

As defined by the National Institute of Standards and Technology, a cloud infrastructure composed of “two or more distinct cloud infrastructures (private, community, or public).”

hybrid risk analysis:

Risk analysis that combines quantitative and qualitative risk analysis techniques.

Hypertext Transfer Protocol (HTTP):

An application protocol used to transfer data between web servers and web browsers.

Hypertext Transfer Protocol Secure (HTTPS):

The HTTP protocol encrypted with SSL or TLS. See also Hypertext Transfer Protocol.

hypervisor:

In a virtualized environment, the supervisory program that controls allocation of resources and access to communications and peripheral devices. See also virtualization.

identification:

The means by which a user claims a specific, unproven identity to a system. See also authentication.

identity and access management (IAM):

The processes and procedures that support the life cycle of people’s identities and access privileges in an organization.

identity as a service:

A centralized, usually external service provider that provides tools for user identification.

identity management (IdM):

The processes and procedures that support the life cycle of people’s identities in an organization.

improper authentication:

See authentication bypass.

inactivity timeout:

A mechanism that locks, suspends, or logs off a user after a predetermined period of inactivity.

indicators of compromise (IOCs):

Artifacts observed on a network or in an operating system that are likely to be associated with a breach attempt.

industrial control system (ICS):

Systems and devices used to monitor and/or control industrial machinery.

inference:

The ability of users to figure out information about data at a sensitivity level for which they’re not authorized.

information custodian (or custodian):

The person who has day-to-day responsibility for managing and protecting information assets.

information flow model:

A lattice-based model in which each object is assigned a security class and value, and their direction of flow is controlled by a security policy.

information owner (or owner):

The person who decides who’s allowed access to a file and what privileges are granted.

information security continuous monitoring (ISCM):

The ongoing awareness of information security, vulnerabilities, and threats in support of organizational risk management decisions.

information security management system (ISMS):

A set of processes and activities used to manage an information security program in an organization. ISMS is defined in ISO/IEC 27001.

Information Technology Security Evaluation Criteria (ITSEC):

Formal evaluation criteria that address confidentiality, integrity, and availability for an entire system.

infrastructure as code:

The concept that the infrastructure underlying a software application, including operating systems and database management systems, is part of the systems development and release process.

Infrastructure as a Service (IaaS):

A cloud-based environment in which customers implement various types of virtual machines, including server operating systems and network devices.

injection attack:

An attack against a system involving the use of malicious input.

inquiry:

An audit technique in which an auditor interviews personnel to learn how a process or system is used.

inrush:

Initial electric power surge experienced when electrical equipment is turned on.

inspection:

An audit technique in which an auditor examines an information system, business process documentation, or business records.

Institute of Electrical and Electronics Engineers (IEEE):

A technical professional organization that develops technical standards and promotes the advancement of technology.

integrated development environment (IDE):

A software program used by developers to compose, debug, test, and run software programs.

integrated product team (IPT):

A multidisciplinary team with the mission of designing, developing, and managing an information system.

Integrated Services Digital Network (ISDN):

A low-bandwidth communications protocol that operates over analog telecommunications voice lines.

integration test:

A test of software components to ensure that they work together properly.

integrity:

A concept that safeguards the accuracy and completeness of information and processing methods, and ensures that modifications to data aren’t made by unauthorized users or processes; unauthorized modifications to data aren’t made by authorized users or processes; and data is internally and externally consistent, meaning that a given input produces an expected output.

intellectual property:

Includes patents, trademarks, copyrights, and trade secrets.

interface testing:

Tests that are performed on application programming interfaces and other human and nonhuman interfaces.

intermediate distribution frame (IDF):

(1) A room in which telephone and data cabling for one floor or portion of a building is terminated. (2) The componentry used for terminating telephone and data cabling. See also distribution frame, main distribution frame (MDF).

International Electrotechnical Commission (IEC):

A standards organization that defines and publishes international standards for electrical, electronic, and related technologies.

International Organization for Standardization (ISO):

An international body for creating standards. ISO is derived from the Greek word isos, meaning “equal.”

International Telecommunications Union (ITU):

A United Nations agency responsible for coordinating worldwide telecommunications operations and services.

Internet:

The worldwide, publicly accessible network that connects the networks of organizations.

Internet Assigned Numbers Authority (IANA):

The organization that assigns AS numbers to organizations. See also autonomous system number (ASN).

Internet Control Message Protocol (ICMP):

An Internet protocol used to transmit diagnostic messages.

Internet Control Message Protocol (ICMP) flood:

An attack in which a large number of ICMP packets are sent to a target network in an attempt to incapacitate the network.

Internet Engineering Task Force (IETF):

An international, membership-based, not-for-profit organization that develops and promotes voluntary Internet standards.

Internet Key Exchange (IKE):

A set of protocols used to establish a security association between systems using the IPsec protocol. See also security association, Internet Protocol Security.

Internet Layer:

Layer 2 of the TCP/IP model. See also TCP/IP model.

Internet of Things (IoT):

The network of physical, connected objects embedded in electronics, operating systems, software, sensors, and network connectivity.

Internet Protocol (IP):

The Open Systems Interconnection (OSI) Layer 3 protocol that’s the basis of the modern Internet.

Internet Protocol version 4 (IPv4):

The original and still widely used Layer 3 protocol that is the basis of the Internet and most organizations’ internal networks.

Internet Protocol version 6 (IPv6):

The replacement of IPv4 that provides a larger address space and additional functionality to provide security, multimedia support, plug and play, and backward compatibility with IPv4.

Internet Protocol Security (IPsec):

An Internet Engineering Task Force open-standard virtual private network protocol for secure communications over local area networks, wide area networks, and public Internet Protocol–based networks.

Internet Relay Chat (IRC):

An Application Layer protocol that facilitates communication in text form using a client-server network.

Internet Security Association and Key Management Protocol (ISAKMP):

An Internet key exchange protocol.

Internet Small Computer Systems Interface (iSCSI):

A communications protocol that enables the SCSI protocol to be sent over LANs, WANs, or the Internet. See also Small Computer Systems Interface (SCSI).

Internetwork Packet Exchange (IPX):

A network packet-oriented protocol that’s the basis for Novell NetWare networks. IPX is analogous to IP.

interprocess communication (IPC):

Any of several mechanisms through which separate processes can communicate.

intrusion detection system (IDS):

A hardware or software application that detects and reports on suspected network or host intrusions.

intrusion prevention system (IPS):

A hardware or software application that both detects and blocks suspected network or host intrusions.

investigation:

A study and analysis of an event, including the identification of evidence, to determine the facts related to the event.

IT Infrastructure Library (ITIL):

An industry standard of IT service management processes.

iteration:

See sprint.

JavaScript:

A high-level, dynamic, lightweight interpreted programming language used to make web pages interactive and provide online programs.

job description:

A formal description of a position’s roles and responsibilities.

job rotation:

The practice of moving employees from one position to another for cross-training and security reasons.

judgmental sampling:

A sampling technique in which individual items are chosen by the auditor.

just-in-time (JIT) access:

A procedure in which temporary, granular access to an application or resource is granted when needed to perform a specific task or function.

Kerberos:

A ticket-based authentication protocol, developed at the Massachusetts Institute of Technology, in which tickets are used to identify users.

key card:

A type of building or room access control in which personnel wave a key card (also known as an access card) in front of a key card reader to unlock a door.

key change:

The practice of replacing an encryption key in a cryptosystem.

key clustering:

An occurrence where the encryption of a single plaintext message using two different encryption keys results in the same ciphertext.

key control:

Safeguards and procedures for protecting an encryption key.

key disposal:

The practice of securely disposing of an encryption key so that it cannot be recovered.

key distribution:

The practice of moving an encryption key from the point of generation to the point of use and storage.

key encryption key (KEK):

An encryption key used to encrypt and decrypt data encryption keys. See also data encryption key (DEK).

key escrow:

The practice of storing an encryption key with a third party in the event that the original encryption key is lost.

key generation:

The practice of creating a new encryption key.

key installation:

The act of placing an encryption key in a cryptosystem.

key logging:

The practice of recording keystrokes, usually for illicit purposes, such as acquiring user IDs, passwords, and other confidential information.

key management:

Practices and procedures used to manage encryption keys.

key performance indicator (KPI):

A measurable value that evaluates how successful an organization is in achieving a specific objective or activity.

key risk indicator (KRI):

A metric used to indicate the level of risk associated with a particular activity or course of action.

key vault:

A centralized vault that securely stores shared account credentials.

keyspace:

The range of all possible values for an encryption key.

known-plaintext attack:

An attack technique in which the cryptanalyst has a given plaintext message and the resulting ciphertext.

latency:

The time required for an operation to complete.

lattice-based access controls:

A method for implementing mandatory access controls in which a mathematical structure defines greatest lower-bound and least upper-bound values for a pair of elements, such as subject and object.

Layer 2 Forwarding Protocol (L2F):

A virtual private network protocol similar to Point-to-Point Tunneling Protocol.

Layer 2 Tunneling Protocol (L2TP):

A virtual private network protocol similar to Point-to-Point Tunneling Protocol and Layer 2 Forwarding Protocol.

least privilege:

A principle requiring that a subject is granted only the minimum privileges necessary to perform an assigned task.

Li-Fi:

A wireless communication technology that uses light to transmit data.

Lightweight Directory Access Protocol (LDAP):

An Internet Protocol and data storage model that supports authentication and directory functions.

link encryption:

Packet encryption and decryption at every node along the network path; requires each node to have separate key pairs for its upstream and downstream neighbors.

Link Layer:

Layer 1 of the TCP/IP model. See also TCP/IP model.

live forensics:

Techniques used to gather forensic information from a running system.

load balancer:

A device that routes incoming messages to a pool of one or more destinations.

log review:

The examination of a system or event log.

logic bomb:

A program, or portion thereof, designed to perform some malicious function when a predetermined circumstance occurs. See also malware.

Long-Term Evolution (LTE):

A mobile telecommunications protocol for IP communications over cellular networks.

machine learning (ML):

A method of data analysis that enables computers to analyze a data set and automatically perform actions based on the results without being explicitly programmed.

main distribution frame (MDF):

(1) A room in which telephone and data cabling for an entire building is terminated. (2) The componentry used for terminating telephone and data cabling. See also distribution frame, intermediate data frame (IDF).

maintenance hook:

A backdoor that allows a software developer or vendor to bypass access control mechanisms to perform maintenance. These backdoors are often well known and pose a significant security threat if not properly secured.

malware:

Malicious software that typically damages, takes control of, or collects information from a computer. This classification of software broadly includes viruses, worms, ransomware, Trojan horses, logic bombs, spyware, and (to a lesser extent) adware.

managed security service (MSS):

Security-related services provided by a service provider, typically involving monitoring or management of information systems.

management review:

Activities whereby management reviews a program or process.

mandatory access control (MAC) system:

A type of access control system in which the access policy is determined by the system rather than by the owner. See also discretionary access control (DAC).

man-in-the-middle attack:

A type of attack in which an attacker intercepts messages between two parties and forwards a modified version of the original message.

mandatory vacation:

A practice by some organizations that requires each worker to take at least one vacation (usually, an entire week) at least once per year to provide the organization opportunities to detect fraud.

mantrap:

A physical access control method consisting of a double set of locked doors or turnstiles to prevent tailgating. See also bollard and sally port.

manual controls:

Controls that are not performed automatically and, therefore, require human action.

marking:

Affixing a human-readable classification label on a document, device, or data storage object. See also tagging.

mashup:

A web application employing content from multiple sources and displayed through a single user interface.

masking:

A technique used to conceal the contents of data.

Massive Machine-Type Communications (mMTC):

A standard used in 5G mobile communications.

maturity model:

A technique used to assess the maturity of an organization and the capability of its processes.

maximum tolerable downtime (MTD):

An extension of a criticality assessment that specifies the maximum period of time that a given business process can be inoperative before experiencing unacceptable consequences. See also criticality assessment.

maximum tolerable outage (MTO):

The maximum period of time that a given business process can be operating in emergency or alternative processing mode.

maximum tolerable period of disruption (MTPD):

See maximum tolerable downtime (MTD).

mean time between failures (MTBF):

The amount of time, usually measured in hours, that a component is expected to continuously operate before experiencing a failure.

media controls:

Controls that are used to manage information classification and physical media.

meet-in-the-middle attack:

A type of attack in which an attacker encrypts known plaintext with each possible key on one end, decrypts the corresponding ciphertext with each possible key, and then compares the results in the middle.

memory leak:

A software defect that results in a program’s continuing to allocate memory.

mesh:

A network design in which all nodes are connected to all other nodes.

message digest:

A condensed representation of a message that is produced by using a one-way hash function. See also hash function.

metropolitan area network (MAN):

A network that extends across a large area, such as a city.

microsegmentation:

Techniques used to isolate groups of systems or individual systems using network access controls such as firewalls.

microservices:

Software-based services running on various systems in a distributed environment.

mission statement:

A statement that defines an organization’s (or organizational unit’s) reason for existence.

mobile app:

An application that runs on a mobile device and has the capability to interact with the user, communicate over the Internet, and store data locally.

mobile code:

A software architecture in which code is moved from a repository to a system for execution.

mobile device:

A general term encompassing devices such as smartphones, tablets, phablets, and wearables that run operating systems such as iOS, Android, and Windows 10.

mobile device management (MDM):

Software used to manage the administration of mobile devices such as smartphones, phablets, and tablets.

monitoring:

Activities that verify processes, procedures, and systems.

monoalphabetic substitution:

A cryptographic system that uses a single alphabet to encrypt and decrypt an entire message.

MoSCoW (Must have, Should have, Could have, Won’t have) method:

A prioritization method used to classify the importance of requirements in a business project.

multicast:

A type of network protocol whereby packets are sent from a source to multiple destinations.

multifactor authentication:

Any authentication mechanism that requires two or more of the following factors: something you know, something you have, or something you are.

multiprotocol label switching (MPLS):

An extremely fast method of forwarding packets through a network by using labels inserted between Layer 2 and Layer 3 headers in the packet.

Multipurpose Internet Mail Extensions (MIME):

An IETF standard that defines the format for messages that are exchanged between email systems over the Internet. See also IETF.

National Computer Security Center (NCSC):

A U.S. government organization within the National Security Agency that is responsible for evaluating computing equipment and applications that are used to process classified data.

National Information Assurance Certification and Accreditation Process (NIACAP):

Formalizes the certification and accreditation process for U.S. government national security information systems.

National Institute of Standards and Technology (NIST):

A federal agency within the U.S. Department of Commerce that is responsible for promoting innovation and competitiveness through standards, measurement science, and technology.

near-field communications (NFC):

A wireless communications protocol that operates over distances of up to 4 centimeters.

need to know:

A status that defines the essential information a person needs to perform their assigned job function.

NetBIOS:

A TCP/IP protocol that allows applications to communicate over a network.

Network Access Layer:

Layer 1 of the TCP/IP model. See also TCP/IP model.

network address translation (NAT):

The process of converting internal, privately used addresses in a network to external, public addresses.

network-based intrusion detection system (NIDS):

An intrusion detection system designed to detect intrusions through examination of network traffic. See also intrusion detection system.

network file system (NFS):

A TCP/IP protocol used to provide access to file systems on remote computers.

network function virtualization (NFV):

The practice of implementing network devices as virtual machines instead of hardware-based systems.

Network Layer:

Layer 3 of the OSI model. See also Open Systems Interconnection (OSI) model.

network penetration test:

A penetration test that targets systems and network devices on a network. See also penetration test.

network sprawl:

A phenomenon wherein virtual network elements are created, generally without approval or with limited planning and control, in an environment such as the cloud.

next-generation firewall (NGFW):

A network security platform that fully integrates traditional firewall and network intrusion prevention capabilities with other advanced security functions that provide deep packet inspection for complete visibility, accurate application, content, and user identification, and granular policy-based control. See also deep packet inspection (DPI), intrusion prevention system (IPS).

noncompete agreement:

A legal agreement in which an employee agrees not to accept employment in a competing organization.

nondisclosure agreement (NDA):

A legal agreement in which one or more parties agrees to refrain from disseminating confidential information related to other parties.

nonfunctional requirements:

The characteristics of a program or system that are not apparent to an end user.

noninterference model:

Ensures that the actions of different objects and subjects aren’t seen by, and don’t interfere with, other objects and subjects on the same system.

nonrepudiation:

The inability for a user to deny an action; their identity is positively associated with that action.

north–south traffic:

Network communications between systems within a network and systems outside the network.

Oakley Key Exchange Protocol:

A key agreement protocol implemented by Cisco in ISAKMP to facilitate Diffie-Hellman Key Exchange.

obfuscation:

A technique in which data is scattered, rearranged, or hidden to make it more difficult to identify and exploit.

object:

A passive entity, such as a system or file.

object reuse:

The process of protecting the confidentiality of objects that are reassigned after initial use. See also Trusted Computer System Evaluation Criteria (TCSEC).

objectives:

Specific milestones that an organization wants to perform to meet its goals. See also goals.

observation:

An audit technique in which an auditor passively observes activities performed by personnel or information systems.

on-premises:

Information systems, applications, and data that are physically located in an organization’s own information processing center.

one-time pad:

A cryptographic keystream that can be used only once.

one-time password:

A password that’s valid for only one login session.

one-way function:

A problem that’s easy to compute in one direction but not in the reverse direction.

open message format:

A message encrypted in an asymmetric key system by using the sender’s private key. The sender’s public key, which is available to anyone, is used to decrypt the message. This format guarantees the message’s authenticity. See also secure and signed message format, secure message format.

open source:

A software licensing methodology wherein source code is freely available.

open system:

A vendor-independent system that complies with an accepted standard, which promotes interoperability among systems and components made by different vendors. See also closed system.

Open Systems Interconnection (OSI) model:

The seven-layer reference model for networks. The layers are Physical, Data Link, Network, Transport, Session, Presentation, and Application.

Open Web Application Security Project (OWASP):

A not-for-profit organization dedicated to web application security.

OpenID Connect (OIDC):

A standards-based authentication protocol built on the OAuth framework.

operating system (OS):

Software that controls computer hardware and resources and facilitates the operation of application software. See also application software.

operational level agreement (OLA):

An agreement specifying operational support parameters between support groups in an organization. See also service-level agreement (SLA).

operational technology (OT):

Network and computing infrastructure supporting industrial control systems or supervisory control and data acquisition environments.

opt-in:

A choice made by a data subject who desires that an organization include the data subject in its uses of personal information. Commonly, this means inclusion in marketing campaigns.

opt-out:

A choice made by a data subject who desires that an organization discontinue specific uses of the data subject’s personal information. Commonly, this means removal from marketing campaigns.

optical disk:

Media such as CD-ROM and DVD-ROM used to read and write information.

Orange Book:

See Trusted Computer System Evaluation Criteria (TCSEC).

outsourcing:

The use of an external organization (third party) to perform some aspect of business operations.

over the top (OTT):

A term describing cloud-based media services such as videoconferencing, texting, and “television” content, bypassing telecommunications and cable operators.

owner:

A person in an organization who’s responsible for management of an asset, including classification, handling, and access policy.

packet:

The protocol data unit of the Internet Protocol. See also protocol data unit (PDU), Internet Protocol (IP).

packet-filtering firewall:

A type of firewall that examines the source and destination addresses of an incoming packet, and then either permits or denies the packet based on an ACL. See also access control list (ACL).

packet sniffing:

A type of attack in which an attacker uses a sniffer to passively capture network packets and analyze their contents.

packet-switched network:

Any of several telecommunications network technologies in which packets transport data between sender and receiver.

parallel test:

A test of a business continuity or disaster recovery plan in which contingency procedures are performed in parallel with normal procedures.

parity bit:

A technique used to detect errors in a bit pattern.

pass the hash:

An authentication-bypass attack on a system in which the attacker authenticates with stolen NTLM or LanMan hashes instead of plaintext passwords.

passphrase:

A string of characters consisting of multiple words that a subject provides to an authentication mechanism to authenticate to a system. See also password.

password:

A string of characters (a word or phrase) that a subject provides to an authentication mechanism to authenticate to a system.

Password Authentication Protocol (PAP):

A remote access control protocol that uses a two-way handshake to authenticate a peer to a server when a link is initially established.

password cracking:

An attack in which an attacker has been able to obtain password hashes and attempts to crack the hashes to obtain plaintext passwords.

patch:

A corrective fix for a program or system to correct a defect.

patch management:

The use of procedures and tools to apply patches to target systems.

patent:

As defined by the U.S. Patent and Trademark Office, “the grant of a property right to the inventor.”

Payment Card Industry Data Security Standard (PCI DSS):

A standard set of requirements developed for the protection of personal data related to credit, debit, and cash card transactions.

peer review:

Any instance in which a worker checks the work performed by another. See also code review.

pen tester:

A person who performs a penetration test.

penetration test:

A test involving automated and manual techniques that is used to identify potential software vulnerabilities. Also known as pen testing.

performance management:

The life cycle process concerned with the measurement and management of information processing resources.

permutation cipher:

See transposition cipher.

personally identifiable information (PII):

Information (such as name, address, Social Security number, birthdate, place of employment, and so on) that can be used on its own or with other information to identify, contact, or locate a person.

personal identification number (PIN):

A numeric-only passcode, usually used when only a numeric keypad (versus an alphanumeric keyboard) is available. See also password.

pharming:

A phishing attack that targets a specific organization. See also phishing.

phishing:

A social-engineering cyberattack technique widely used in identity-theft crimes. An email, purportedly from a known legitimate business (typically, financial institutions, online auctions, retail stores, and so on), requests the recipient to verify personal information online at a forged or hijacked website. See also pharming and spear phishing.

phone tap:

See wiretap.

physical controls:

Controls that ensure the safety and security of the physical environment.

physical evidence:

See real evidence.

Physical Layer:

Layer 1 of the OSI model. See also Open Systems Interconnection (OSI) model.

physical penetration test:

An evaluation of physical security controls in the form of an attack simulation.

plain old telephone system (POTS):

A slang term for analog telephone service.

plaintext:

A message in its original readable format or a ciphertext message that’s been properly decrypted (unscrambled) to produce the original readable plaintext message.

Plan, Do, Check, Act:

See Deming cycle.

Platform as a Service (PaaS):

A cloud-based environment in which customers can implement applications within a software ecosystem.

plenum:

The space between a false ceiling and the actual ceiling in a building.

Point-to-Point Protocol (PPP):

A protocol used in Remote Access Service servers to encapsulate Internet Protocol packets and establish dial-in connections over serial and Integrated Services Digital Network links.

Point-to-Point Tunneling Protocol (PPTP):

A virtual private network protocol designed for individual client–server connections.

policy:

A formal high-level statement of an organization’s objectives, responsibilities, ethics and beliefs, and general requirements and controls.

port scan:

A test used to determine which Transmission Control Protocol/Internet Protocol and User Datagram Protocol service ports on a system are active. See also Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP).

power surge:

See surge.

pre-action:

A type of water-based fire suppression system that is a hybrid of dry pipe and wet pipe. See also dry pipe, wet pipe.

Presentation Layer:

Layer 6 of the OSI model. See also Open Systems Interconnection (OSI) model.

preventive controls:

Controls that are intended to prevent unwanted events.

printer steganography:

A technique in which printers include a hidden (barely visible) machine identification code on every page of printed matter, which permits the identification of an individual printer.

privacy:

In information security, the protection and proper handling of personal information.

private branch exchange (PBX):

A system for managing telephones and telephone communications in a business environment.

private cloud:

As defined by the National Institute of Standards and Technology, a cloud infrastructure “provisioned for exclusive use by a single organization comprising multiple consumers.” See also cloud.

private key cryptography:

A cryptographic method that requires parties to exchange a secret key to communicate.

private network address:

Addresses on TCP/IP networks that are not routable on the Internet and are used for private, internal networks.

privilege creep:

See aggregation (2).

privilege escalation:

See escalation of privilege.

privileged access management (PAM):

(1) Business processes and procedures concerning the provisioning of privileged credentials to administrative personnel. (2) Tools used to manage privileged credentials and privileged access to systems and devices.

privileged entity controls:

The mechanisms that provide and monitor privileged access to hardware, software, and data.

procedures:

Detailed instructions about how to implement specific policies and meet the criteria defined in standards.

process isolation:

An operating system feature whereby different user processes are unable to view or modify information related to other processes.

processor:

See data processor.

promiscuous mode:

A setting on a network adapter that passes all network traffic to the associated device for processing, not just traffic that is specifically addressed to that device. See also sniffing.

Protected Extensible Authentication Protocol (PEAP):

An open standard used to transmit authentication information in a protected manner.

protected health information (PHI):

Any information about health status, provisioning of health care, or payment for health care collected by a covered entity (such as a health-care provider or insurance company) that can be linked to a specific person.

protection domain:

Prevents other programs or processes from accessing and modifying the contents of an address space that has already been assigned to an active program or process.

protection rings:

A security architecture concept that implements multiple domains that have increasing levels of trust near the center.

protocol data unit (PDU):

The unit of data used at a particular layer of a communications protocol.

provisioning:

(1) The act of creating a user account on a system or network. (2) The act of applying configuration changes to a system or network device.

proximate causation:

An action taken or not taken as part of a sequence of events that result in negative consequences.

proxy server:

A system that transfers data packets from one network to another.

prudent-man rule:

A rule under the Federal Sentencing Guidelines that requires senior corporate officers to perform their duties in good faith, in the best interests of the enterprise, and with the care and diligence that ordinary, prudent people in a similar position would exercise in similar circumstances.

pseudonymization:

An irreversible deidentification procedure whereby a specific identifier is replaced by other values to make it less identifiable to the original data subject. See also anonymization and de-identification.

public cloud:

As defined by the National Institute of Standards and Technology, a cloud infrastructure “provisioned for open use by the general public.” See also cloud.

public key cryptography:

A cryptographic method that permits parties to communicate without exchanging a secret key in advance.

public key infrastructure (PKI):

A system that enables secure e-commerce through the integration of digital signatures, digital certificates, processes, procedures, and other services necessary to ensure confidentiality, integrity, authentication, nonrepudiation, and access control.

punitive damages:

Determined by a jury and intended to punish the offender.

qualitative risk analysis:

A risk analysis that expresses risks and costs in qualitative terms (such as high, medium, and low) rather than quantitative terms. See also risk analysis.

quality of service (QoS):

The ability to prioritize various types of voice and data traffic based on operational needs such as response time, packet loss, and jitter.

quantitative risk analysis:

A risk analysis that includes estimated costs. See also risk analysis.

quantum computing:

An emerging computing processor design that uses the properties of quantum states to perform computation.

quarantine:

A general term referring to the process of isolating a resource for security reasons.

race condition:

A situation in which two programs, processes, or threads are accessing or manipulating a resource as though they are doing so exclusively, thereby leading to an unexpected outcome.

radio frequency (RF) emanations:

Unintentional emissions of electromagnetic energy from a system.

radio frequency interference (RFI):

Electrical noise caused by electrical components, such as fluorescent lighting and electric cables.

rainbow table:

A database of hashes and their corresponding passwords.

ransomware:

Malware that encrypts files on a target system and demands a ransom payment, usually cryptocurrency, to retrieve the key to decrypt the files. A permutation of ransomware also threatens to publish the plaintext data. See also malware and cryptocurrency.

read-through:

See tabletop.

real (or physical) evidence:

Tangible objects from the actual crime, such as the tools or weapons used and any stolen or damaged property. See also evidence.

reciprocal site:

An alternative computer facility with systems that can be used in an emergency. See also cold site, hot site, warm site.

recovery controls:

Controls that restore a process or system to its pre-event state.

recovery point objective (RPO):

The maximum period of time in which data may be lost if a disaster occurs.

recovery time objective (RTO):

The period of time in which a business process must be recovered (during a disaster) to ensure the survival of the organization.

Red Book:

See Trusted Computer System Evaluation Criteria (TCSEC).

Reduced-Instruction-Set-Computing (RISC):

A microprocessor instruction set architecture that uses a smaller, simpler instruction set than Complex-Instruction-Set-Computing, which makes RISC more efficient. See also Complex-Instruction-Set-Computing (CISC).

reduction analysis:

A step in threat modeling designed to reduce duplication of effort.

redundancy:

Multiple systems, nodes, or network paths that provide the same functionality for resiliency and availability in the event of failure.

redundant array of independent disks (RAID):

A collection of one or more hard drives in a system for purposes of improved performance or reliability.

reference monitor:

An abstract machine (a theoretical model for a computer system or software program) that mediates all access to an object by a subject.

referential integrity:

A property of a database management system in which all data relationships (such as indexes, primary keys, and foreign keys) are sound.

Registration Authority (RA):

In a public key infrastructure, the RA is responsible for verifying certificate contents for the Certificate Authority. See also Certificate Authority (CA), public key infrastructure (PKI).

remediation:

Corrective action taken to resolve an issue identified in an assessment.

remote access:

The capability for a user in a remote location to establish a logical connection to a private internal network.

Remote Access Service (RAS):

A remote access protocol typically used over dial-up facilities.

Remote Authentication Dial-In User Service (RADIUS):

An open-source, User Datagram Protocol–based client–server protocol used to authenticate remote users.

remote backup:

A backup operation in which the target backup media is located in a remote location. See also e-vaulting.

Remote Desktop Protocol (RDP):

A proprietary Microsoft protocol used to connect to another computer over a network connection.

Remote Procedure Call (RPC):

A TCP/IP network protocol used to direct the execution of application code on another computer.

repeater:

A device that boosts or retransmits a signal to extend the range of a wired or wireless network.

reperformance:

An audit technique in which an auditor performs tasks or transactions on their own to see whether the results are correct.

replay attack:

An attack on a system in which an attacker is able to replay captured data such as login credentials in an attempt to break into the system.

replication:

The process of copying data transactions from one system to another.

repo:

See repository (2).

repository:

(1) In a public key infrastructure, a system that accepts certificates and Certificate Revocation Lists from a Certificate Authority and distributes them to authorized parties. See also Certificate Authority (CA), public key infrastructure (PKI). (2) In a software development environment, a system used to store software source code.

requirements:

A list of one or more required characteristics of a system, generally used as a guide to later design and development phases.

resilience:

The ability of a process or system to continue operation despite various harmful effects.

restricted algorithm:

A cryptographic algorithm that must be kept secret to provide security of a cryptosystem.

retention:

The period of time (whether a minimum or maximum) that an organization will retain documents and business records.

retention schedule:

A policy that defines retention requirements for various types of business records.

Reverse Address Resolution Protocol (RARP):

A protocol used by diskless workstations to query and discover their own IP addresses by using machine addresses (known as a media access control, or MAC, address).

Rijndael:

The encryption algorithm used by the Advanced Encryption Standard. See also Advanced Encryption Standard (AES).

ring:

A network topology in which all devices are connected to a closed loop.

risk acceptance:

Accepting a risk or residual risk as is, without mitigating or transferring it.

risk analysis:

A method used to identify and assess threats and vulnerabilities in a business, process, system, or activity as part of a risk assessment. See also risk assessment.

risk appetite:

The highest level of risk that an organization will accept.

risk assessment:

A study of risks associated with a business process, information system, work facility, or other object of study.

risk assignment (or transference):

See risk transfer.

risk avoidance:

Eliminating risk through discontinuation of the activity related to the risk.

risk-based access control:

A process wherein an information system presents authentication challenges that are commensurate with the user’s security profile (such as geolocation and device type).

risk identification:

The process of examining assets, threats, and vulnerabilities that result in knowledge of a risk.

risk management:

The process life cycle that includes risk assessment and risk treatment.

risk mitigation:

Reducing risk to a level that’s acceptable to an organization.

risk reduction:

Mitigating risk by implementing the necessary security controls, policies, and procedures to protect an asset.

risk tolerance:

The variation from risk appetite that an organization is willing to accept.

risk transfer:

Transferring the potential loss associated with a risk to a third party, such as an insurance company.

risk treatment:

The formal decision-making process for the management of identified risks.

Rivest, Shamir, Adleman (RSA):

A key transport algorithm based on the difficulty of factoring a number that’s the product of two large prime numbers.

role-based access control (RBAC):

A nondiscretionary access control method in which permissions are assigned to roles that reflect organizational or functional responsibilities, and subjects receive access through the roles assigned to them rather than through individual grants.

rootkit:

Malware that conceals its own presence (and that of other malicious components) on a computer, typically by modifying the operating system, kernel, or firmware, while maintaining privileged (root-level) access. See also malware.

rotation of duties:

See job rotation.

router:

A network device that forwards packets between separate networks.

routing protocol:

A network protocol used by routers to communicate information about internetwork connections, facilitating proper routing of packets toward their destinations.

RSA:

See Rivest, Shamir, Adleman.

rubber hose attack:

An attack on a cryptosystem in which the attacker uses coercion to compel the owner of a cryptosystem to relinquish the encryption key.

rule-based access control:

A nondiscretionary access control method in which access decisions are made by evaluating a defined set of rules (such as firewall rules, time-of-day restrictions, or a comparison of a subject’s and an object’s sensitivity labels) rather than the identity of the subject alone. Mandatory access control is one application of this approach. See also mandatory access control (MAC) system, role-based access control.

safeguard:

A control or countermeasure implemented to reduce the risk or damage associated with a specific threat.

sag:

A short drop in voltage.

sally port:

A secure, controlled entrance to a facility, typically consisting of two interlocked doors of which only one can be open at a time, so that each person entering can be identified before being admitted.

salvage:

In disaster recovery planning, the operations performed to repair or replace damaged facilities and equipment.

sampling:

Any of several techniques in which individual items are selected for examination during an audit.

sandbox:

A mechanism for isolating a program or system.

Sarbanes-Oxley (SOX):

A U.S. law that attempts to prevent fraudulent accounting practices and errors in U.S. public corporations and mandates data retention requirements.

scan:

A technique used to identify vulnerabilities in a system or network, usually by transmitting data to it and observing its response.

screen saver:

An image or pattern that appears on a display, usually as part of an inactivity timeout. See also inactivity timeout.

screening router:

A firewall architecture that consists of a router that controls packet flow through the use of access control lists. See also access control list (ACL), firewall.

script injection:

An attack in which the attacker injects script code in the hope that the code will be executed on a target system.

script kiddie:

A person who does not have any programming or hacking skills but uses scripts, malware, exploits, and other hacking tools developed by others to attack an endpoint or network.

Scrum:

A common implementation of the Agile systems-development methodology.

search warrant:

A signed court order that permits law enforcement to search for and seize specific evidence.

secondary evidence:

A duplicate or copy of evidence, such as a tape backup, screen capture, or photograph. See also evidence.

secret key cryptography:

See symmetric key cryptography.

secure access service edge (SASE):

A cloud-delivered architecture that combines wide-area networking (such as SD-WAN) with network security functions (such as secure web gateway, cloud access security broker, firewall as a service, and zero trust network access) and bases access decisions on the identity of the user or device rather than its network location.

secure and signed message format:

A message that’s signed with the sender’s private key and then encrypted with the recipient’s public key in an asymmetric key system. Only the recipient’s private key can decrypt the message, and anyone holding the sender’s public key can verify the signature, so this format protects the message’s confidentiality and guarantees its authenticity. See also open message format, secure message format.

secure by default:

A principle of architecture and engineering that requires system settings and options be set to secure defaults.

secure by deployment:

A principle of architecture and engineering that ensures the protection of the implementation process and results in a secure system.

secure by design:

A principle of architecture and engineering that promotes the integration of security concepts and features into the design of a system.

Secure Hypertext Transfer Protocol (S-HTTP):

An Internet protocol that provides a method for secure communications with a webserver. S-HTTP is now considered to be obsolete. See also Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS).

Secure Key Exchange Mechanism (SKEME):

A key exchange mechanism developed by IBM in the 1990s.

secure message format:

A message encrypted in an asymmetric key system by using the recipient’s public key. Only the recipient’s private key can decrypt the message. This encryption method protects the message’s confidentiality. See also open message format, secure and signed message format.

Secure Shell (SSH):

An encrypted and authenticated protocol for remote login, command execution, file transfer, and port forwarding over a network; the standard replacement for telnet, rlogin, and RSH. See also telnet.

Secure Sockets Layer (SSL):

A deprecated predecessor of TLS that runs above TCP and provides session-based encryption and authentication between clients and servers on the Internet. All versions of SSL (2.0 and 3.0) are prohibited by the IETF (RFC 6176 and RFC 7568) because of known weaknesses. See also Transport Layer Security (TLS).

Security Assertion Markup Language (SAML):

An XML-based open standard for exchanging authentication and authorization data (assertions) between an identity provider and a service provider, commonly used for web single sign-on across organizational boundaries. See also single sign-on (SSO).

Security Association (SA):

In IPsec, a one-way (simplex) relationship between two communicating parties that defines the algorithms, keys, and parameters used to protect traffic in that direction; bidirectional communication requires a pair of SAs. See also IPsec.

security awareness:

The process of providing basic security information to users in an organization to help them make prudent decisions regarding the protection of the organization’s assets.

security control assessment:

An examination of one or more security controls in an organization.

security engineering:

A subspecialty of engineering that focuses on security design and operations.

security fence:

A fence designed to prevent and deter unauthorized people from approaching a work or storage location.

security gate:

A movable gate that prevents the entrance of unauthorized personnel at a work location.

security guard:

A trained person who provides deterrent and protective services at a work location.

security information and event management (SIEM):

A system that provides real-time collection, analysis, correlation, and presentation of security logs and alerts.

security kernel:

The combination of hardware, firmware, and software elements in a Trusted Computing Base that implements the reference monitor concept. See also Trusted Computing Base (TCB).

security modes of operation:

Designations for U.S. military and government computer systems based on the clearances, formal access approvals, and need-to-know of their users relative to the information stored within them. The commonly cited modes are Dedicated, System High, Compartmented, and Multilevel; some sources also list Limited Access.

security operations center (SOC):

A facility that provides information security monitoring, assessment, defense, and remediation for enterprise compute and network resources, including on-premises and cloud environments.

security orchestration, automation, and response (SOAR):

A set of capabilities that enables automated action and response when specific types of events occur. A SOAR platform is most often integrated into a security information and event management system to enable automated response when specific types of security events occur. See also security information and event management system (SIEM).

Security Parameter Index (SPI):

In IPsec, a 32-bit value used by the receiving station to differentiate between the Security Associations terminating on that station. The SPI is carried in the Authentication Header or the Encapsulating Security Payload header. See also IPsec, Security Association (SA), Authentication Header (AH), Encapsulating Security Payload (ESP).

security perimeter:

The boundary that separates the Trusted Computing Base from the rest of the system. See also Trusted Computing Base (TCB).

security policy:

Formal policy that specifies expected behavior regarding the protection and use of information.

security posture:

The level of risk in an organization based on its security practices.

segregation of duties:

See separation of duties.

Sensitive but Unclassified (SBU):

A U.S. government data classification level for information that’s not classified but requires protection, such as private or personal information.

sensitivity label:

In a mandatory access control–based system, a subject’s sensitivity label specifies that subject’s clearance (level of trust), whereas an object’s sensitivity label specifies the object’s classification and therefore the clearance required for access to it. See also mandatory access control (MAC) system.

separation of duties (SoD):

A concept that ensures that no single person has complete authority for and control of a critical system or process.

Serial Line Internet Protocol (SLIP):

An early protocol for encapsulating Internet Protocol packets over serial (dial-up modem) links. It provides no error detection, authentication, or address negotiation and has been superseded by the Point-to-Point Protocol (PPP).

serverless computing:

A cloud-services model in which the provider runs and scales customer code (typically as event-triggered functions) on demand, so that customers deploy and pay for code execution without provisioning or managing servers.

service-level agreement (SLA):

Formal minimum performance standards for systems, applications, networks, or services.

service set identifier (SSID):

The name used to uniquely identify a Wi-Fi network.

session:

An individual user’s dialogue, or series of interactions, with an information system.

session hijacking:

An attack in which the attacker takes over an established session between a user and a system, typically by stealing, predicting, or fixating the session identifier, and then impersonates the legitimate user. Unlike a man-in-the-middle attack, the attacker doesn’t need to sit between the two parties. See also man-in-the-middle attack, state attack.

Session Initiation Protocol (SIP):

A TCP/IP signaling protocol used to set up, modify, and tear down voice and video sessions over a network; the media itself is usually carried by the Real-time Transport Protocol (RTP).

Session Layer:

Layer 5 of the OSI model. See also Open Systems Interconnection (OSI) model.

session management:

A mechanism in an application that tracks and enforces separate user sessions.

shared responsibility matrix:

A chart that specifies the parties that are responsible for various aspects of information security.

Shift Security Left:

The concept of introducing security earlier in a development life cycle process. See also DevSecOps.

Short Message Service (SMS):

A protocol for sending short text messages over mobile telecommunications networks.

shoulder surfing:

A social engineering technique that involves looking over someone’s shoulder to obtain information such as passwords or account numbers.

side-channel attack:

An attack on a system in which physical or behavioral characteristics of its implementation (such as timing, power consumption, electromagnetic emissions, or cache behavior) are observed in an attempt to obtain its secrets, rather than attacking the cryptographic algorithm itself.
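A timing side channel in something as ordinary as a password or token comparison is the classic case. The following is an added example, not code from the glossary: the “server” comparison routines, the iteration counter that stands in for measured response time, and the sample secret are all constructed for illustration. A real attack over a network needs many timing samples and statistical filtering to see the same signal that the counter exposes directly here.

```python
import hmac
from typing import Callable, Tuple


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the bug behind many timing leaks. Returns (match, work),
    where `work` counts loop iterations and stands in for the response time an
    attacker would measure over the network."""
    work = 0
    if len(secret) != len(guess):
        return False, work
    for s, g in zip(secret, guess):
        work += 1
        if s != g:
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """hmac.compare_digest takes time independent of where the inputs differ, so
    the observable work is the same for every guess."""
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(oracle: Callable[[bytes], Tuple[bool, int]], length: int) -> bytes:
    """Attacker side: fix one byte at a time, keeping the candidate whose comparison
    did strictly more work (got one position further) than the others."""
    found = bytearray()
    for pos in range(length):
        best_byte, best_work = 0, -1
        for b in range(256):
            guess = bytes(found) + bytes([b]) + bytes(length - pos - 1)
            matched, work = oracle(guess)
            if matched:
                return bytes(guess)
            if work > best_work:
                best_byte, best_work = b, work
        found.append(best_byte)
    return bytes(found)


def demo(secret: bytes = b"hunter2!") -> Tuple[bytes, bytes]:
    """What the attacker recovers against the leaky and the constant-time check."""
    leaky = recover_secret(lambda g: naive_compare(secret, g), len(secret))
    safe = recover_secret(lambda g: constant_time_compare(secret, g), len(secret))
    return leaky, safe
```

Against the early-exit comparison the attacker needs at most 256 guesses per byte instead of 256 to the power of the length; against the constant-time comparison every guess looks identical and the attack learns nothing.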

simulation:

A facilitated walk-through of a disaster recovery plan, business continuity plan, or incident response plan wherein the proceedings of a disaster or intrusion are scripted to provide validation and learning for participants.

simple integrity property:

A state in which a subject can’t read information from an object that has a lower integrity level than the subject (no read down, or NRD). See also Biba model.

Simple Key Management for Internet Protocols (SKIP):

A protocol used to share encryption keys.

Simple Mail Transfer Protocol (SMTP):

A protocol used to transport email messages between email servers; it provides no encryption or authentication of its own.

Simple Mail Transfer Protocol over TLS:

SMTP with the connection protected by TLS, either negotiated on the standard port with the STARTTLS command or established implicitly on a dedicated port (SMTPS). See also Secure Sockets Layer/Transport Layer Security (SSL/TLS).

simple security property (ss property):

A state in which a subject can’t read information from an object that has a higher sensitivity label than the subject (no read up, or NRU). See also Bell-LaPadula model.

single-factor authentication:

An authentication method that requires only one type of credential to gain access to a system: what you know, what you have, or what you are. See also multifactor authentication.

single-key cryptography:

See symmetric key system.

Single Loss Expectancy (SLE):

Asset value × exposure factor (EF). A measure of the loss incurred from a single realized threat or event, expressed in dollars. See also exposure factor (EF).

single sign-on (SSO):

A system that allows a user to present a single set of log-on credentials, typically to an authentication server, which then transparently logs the user on to all other enterprise systems and applications for which that user is authorized.

SKIP:

See Simple Key Management for Internet Protocols (SKIP).

small computer systems interface (SCSI):

A set of standards for communications between computers and peripheral devices, usually hard drives.

smartphone:

See mobile device.

smishing:

The practice of sending phishing messages through Short Message Service. See also phishing.

smoke detector:

A device that detects the early products of combustion.

sniffing:

The practice of intercepting communications, usually for covert purposes. See also packet sniffing.

social engineering:

An attack method that employs techniques such as dumpster diving, shoulder surfing, and ruses designed to trick workers into providing information or system access.

socket:

A logical endpoint for network communication on a system or device, identified by an IP address and a port number, through which it communicates with another system or device (or another process on the same device).

software:

Computer instructions that enable the computer to accomplish tasks. See also application software, operating system (OS).

Software as a Service (SaaS):

As defined by the National Institute of Standards and Technology, “the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure.”

Software Assurance Maturity Model (SAMM):

A maturity model for software development.

software bill of materials (SBOM):

A formal inventory of the components that make up a piece of software, including third-party and open-source libraries and their versions, used to track supply chain risk such as known vulnerabilities in dependencies.

software configuration management (SCM):

The practice of tracking and controlling changes in software programs, including source code.

software-defined networking (SDN):

A computer networking approach that abstracts higher-level network functionality from the underlying physical infrastructure.

software-defined security:

A security model in which security functions are defined and controlled by software.

software-defined wide area networking (SD-WAN):

The use of software-defined networking in a wide-area network.

software development life cycle (SDLC):

The business-level process used to develop and maintain software. See also systems development life cycle (SDLC).

software escrow agreement:

A legal agreement between a software manufacturer and its customer(s) wherein the software manufacturer will maintain a copy of its original software source code with a third-party software escrow company. In the event that the software manufacturer ceases to operate as a going concern (or other events defined in the software escrow agreement), the software escrow company will release the original source code to the customers that are party to the software escrow agreement.

source code:

Human-readable program text written in a programming language, from which system and application software is compiled or interpreted.

source code repository:

A system used to store, manage, and protect application or system software source code.

source code review:

See code review.

spam (or Unsolicited Commercial Email [UCE]):

Junk email sent in bulk, which constitutes a large share of all email sent worldwide.

spear phishing:

A phishing attack that’s highly targeted, such as at a particular organization or part of an organization. See also phishing.

spike:

A momentary rush of electric power.

SPIM:

Spam that is delivered via instant messaging.

SPIT:

Spam that is delivered via Internet telephony.

spoofing:

A technique used to forge TCP/IP packet information or email header information. In network attacks, IP spoofing is used to gain access to systems by impersonating the IP address of a trusted host. In email spoofing, the sender address is forged to trick an email user into opening or responding to an email (which usually contains a virus or spam).

sprint:

A short interval, usually two weeks, during which a development team develops features during a systems development project.

SQL injection:

A type of attack wherein the attacker supplies SQL syntax in an application input (such as a web form field or URL parameter) in the hope that it will be concatenated into a query and executed by the database management system, altering the query’s logic.

stand-alone power system (SPS):

An off-the-grid electricity system for generation, storage, and regulation, which is used in facilities that are not equipped with an electricity distribution system.

standards:

Specific, mandatory requirements that further define and support high-level policies.

star:

A network topology in which all devices are directly connected to a central hub or concentrator.

star integrity property (*-integrity property):

A state in which a subject can’t write information to an object that has a higher integrity level than the subject (no write up, or NWU). See also Biba model.

star property (* property):

A state in which a subject can’t write information to an object that has a lower sensitivity label than the subject (no write down, or NWD). See also Bell-LaPadula model.
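The four property entries (simple security property, star property, simple integrity property, and star integrity property) are easiest to see side by side as the two comparisons a reference monitor makes. The following is an added example, not code from the glossary: the level names, the sample subjects and objects, and the class and function names are assumptions made for the example. It also records every decision, which is the accountability a security kernel is expected to provide.

```python
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Level(IntEnum):
    """Sensitivity (Bell-LaPadula) or integrity (Biba) levels, low to high."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    simple security property: no read up   (subject >= object)
    * property:               no write down (subject <= object)"""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity).
    simple integrity property: no read down (subject <= object)
    *-integrity property:      no write up  (subject >= object)"""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Mediates every access against one policy and records each decision."""

    def __init__(self, policy: Callable[[Level, Level, str], bool],
                 subjects: Dict[str, Level], objects: Dict[str, Level]):
        self.policy, self.subjects, self.objects = policy, subjects, objects
        self.audit: List[Tuple[str, str, str, str]] = []

    def access(self, who: str, what: str, op: str) -> bool:
        allowed = self.policy(self.subjects[who], self.objects[what], op)
        self.audit.append((who, op, what, "ALLOW" if allowed else "DENY"))
        return allowed


def decision_table(subject: Level, obj: Level) -> Dict[str, Tuple[bool, bool]]:
    """(read, write) decisions for one subject/object pair under each model.
    The two models are duals, so the answers are mirror images."""
    return {
        "bell_lapadula": (blp_allows(subject, obj, "read"), blp_allows(subject, obj, "write")),
        "biba": (biba_allows(subject, obj, "read"), biba_allows(subject, obj, "write")),
    }
```

Note that Bell-LaPadula as stated lets a SECRET subject write into a TOP SECRET object it cannot read (a blind write up); systems that consider that undesirable apply the strong star property, which restricts writes to the subject’s own level.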

state attack:

An attack in which the attacker attempts to steal other users’ session identifiers to access a system by using the stolen session identifier.
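What separates a session identifier that survives the state attack above (and the session hijacking entry) from one that does not is how it is generated, how long it lives, and whether it is replaced when the user’s privilege changes. The following is an added example of server-side session management, not code from the glossary: the SessionManager class, its method names, the timeouts, and the sample users are assumptions made for the example, and the sequential-id store is constructed only to show the weak case.

```python
import itertools
import secrets
import time
from typing import Callable, Dict, Optional


class SessionManager:
    """Server-side session store. Session ids are opaque handles; all state stays
    on the server. `id_factory` and `clock` are injectable so the weak-id case and
    the timeouts can be demonstrated deterministically."""

    def __init__(self, idle_timeout: float = 900, absolute_timeout: float = 8 * 3600,
                 id_factory: Optional[Callable[[], str]] = None,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, dict] = {}  # id -> {"user", "created", "last_seen"}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        # 256 bits from the OS CSPRNG: an attacker can neither guess nor enumerate it
        self._new_id = id_factory or (lambda: secrets.token_urlsafe(32))
        self._clock = clock

    def create(self, user: str) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """User bound to a live session, or None. Idle and absolute timeouts bound
        the window in which a stolen id stays useful."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > self.idle_timeout
                or now - s["created"] > self.absolute_timeout):
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id on login or privilege change. An id the attacker planted
        (session fixation) or captured beforehand stops working."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def predictable_ids_demo() -> Optional[str]:
    """State attack against sequential ids: the attacker logs in, reads its own id,
    and tries the neighbouring values. Returns the victim's username if it works."""
    counter = itertools.count(1000)
    store = SessionManager(id_factory=lambda: str(next(counter)))
    store.create("alice")                      # victim logs in first
    attacker_sid = store.create("mallory")     # attacker receives the next id
    guess = str(int(attacker_sid) - 1)
    return store.lookup(guess)
```

In a web application the id would travel in a cookie marked Secure, HttpOnly, and SameSite so that it is neither sent in cleartext nor readable by injected script; the store above is the part the browser never sees.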

state machine model:

An abstract model in which a secure state is defined and maintained during transitions between secure states.

stateful inspection firewall:

A type of firewall that tracks the state of each network connection (such as the TCP handshake and sequence numbers) in a state table and permits or denies each packet based on that context rather than on its headers alone, operating primarily at the Network and Transport layers of the Open Systems Interconnection model. See also Open Systems Interconnection (OSI) model.

static application security testing (SAST):

A tool or technique that identifies vulnerabilities in a software application by examining its source code (or compiled binaries) without executing it. See also white-box testing.

static password:

A password that’s the same for each login.

statistical attack:

An attack on a cryptosystem through exploitation of a statistical weakness.

statistical sampling:

A sampling technique in which individual items are chosen at random.

statutory damages:

Mandatory damages determined by law and assessed for violating the law.

steganography:

The art of hiding the very existence of a message, such as in a picture.

stream cipher:

An encryption algorithm that combines plaintext with a pseudorandom keystream (typically by XOR), operating on a continuous stream of data one bit or byte at a time.

Stream Control Transmission Protocol (SCTP):

A TCP/IP Layer 4 message-oriented protocol that provides for proper message sequencing and congestion control. See also Transmission Control Protocol (TCP), User Datagram Protocol (UDP).

strong authentication:

See multifactor authentication.

Structured Query Language (SQL):

A computer language used to manipulate data in a database management system.

subject:

An active entity, such as a person or a process.

substitution cipher:

Ciphers that replace bits, characters, or character blocks in plaintext with alternative bits, characters, or character blocks to produce ciphertext.

supervisor mode:

A privileged processor mode (also called kernel mode) in which the operating system kernel runs with unrestricted access to hardware, memory, and privileged instructions. See also user mode.

Supervisory Control and Data Acquisition (SCADA):

An industrial automation system that operates with coded signals over communication channels to provide remote control of equipment. See also industrial control system (ICS).

supply chain risk management (SCRM):

Activities that identify and analyze risks associated with suppliers and other third parties. See also third-party risk management (TPRM).

surge:

A prolonged rush of electric power.

surge protector:

A device that protects electronic equipment from power surges and spikes.

surge suppressor:

See surge protector.

switch:

An intelligent hub that transmits data only to individual devices on a network, rather than all devices (in the way that hubs do). See also hub.

Switched Multimegabit Data Service (SMDS):

A high-speed, packet-switched, connectionless, datagram-based technology available over public switched networks.

symmetric key system (or symmetric algorithm, secret key, single key, private key):

A cryptographic system that uses a single key to both encrypt and decrypt information.

Synchronous Optical Networking (SONET):

A telecommunications carrier-class protocol used to communicate digital information over optical fiber.

synthetic transaction:

A mechanized transaction executed on a system or application to determine its ability to perform transactions properly.

system access control:

A control that prevents a subject from accessing a system unless the subject can present valid credentials.

system hardening:

See hardening.

system high mode:

A security mode of operation in which every user has clearance and formal access approval for all information on the system but not necessarily a need-to-know for all of it. See also security modes of operation.

system test (software development):

A test of all the modules of an application or program. See also unit test.

systems development life cycle (SDLC):

The business-level process used to develop and maintain information systems. See also software development life cycle (SDLC).

tabletop (review):

A group review of a disaster recovery plan, business continuity plan, or incident response plan.

tactics, techniques, and procedures (TTPs):

The characteristic behaviors of a threat actor or group: tactics (the goals of an attack phase), techniques (how those goals are achieved), and procedures (the specific implementations observed). Cyber threat intelligence catalogs TTPs so that defenders can build detections and responses that target behavior rather than easily changed indicators.

tagging:

Applying a machine-readable classification label on a document, device, or data storage object. See also marking.

Take-Grant model:

A security model that specifies the rights that a subject can transfer to or from another subject or object.

tape library:

A hardware system consisting of magnetic tape read and write equipment, as well as robotics to position individual tape volumes in read/write drives.

TCP/IP model:

A four-layer networking model, originally developed by the U.S. Department of Defense.

technical (or logical) controls:

Hardware and software technology used to implement a control.

technical debt:

The implied cost of future rework incurred by choosing an expedient solution now instead of a better approach that would take longer, including the effort required to upgrade or replace unsupported hardware and software.

telnet:

A deprecated network protocol used to establish a command line interface on another system over a network. See also Secure Shell (SSH).

Terminal Access Controller Access Control System (TACACS):

An access control protocol, originally User Datagram Protocol–based, that provides authentication, authorization, and accounting for network devices. Its successor, TACACS+, uses TCP and encrypts the entire packet body.

termination:

See employment termination.

test coverage analysis:

A measurement of the percentage of objects that have been included in a test.

texting:

See Short Message Service (SMS).

Third Generation Partnership Project (3GPP):

The consortium of standards organizations that develop mobile telecommunications protocols and standards.

third party:

An organization to which some portion of business operations are outsourced. See also outsourcing, third-party risk management (TPRM).

third-party risk management (TPRM):

Activities and analysis to identify third parties and the risks associated with their use. See also supply chain risk management (SCRM).

threat:

Any natural or human-made circumstance or event that can have an adverse or undesirable impact, whether minor or major, on an organizational asset.

threat analysis:

The study of an identified threat and its potential impact on an asset.

threat hunting:

The proactive search for indicators of compromise in a network or system.

threat intelligence:

Any human- or machine-readable information about known intrusion techniques.

threat modeling:

A systematic process used to identify likely threats, vulnerabilities, and countermeasures for a specific application and its potential abuses during the design phase of the application (or software) development life cycle.

three-way handshake:

The SYN, SYN-ACK, ACK exchange used to establish a connection in the Transmission Control Protocol. (Connection teardown uses a separate exchange of FIN and ACK segments.) See also Transmission Control Protocol (TCP).

token:

A hardware device (or software application) that generates or stores an authentication credential and serves as the “something you have” factor in two-factor authentication. See also two-factor authentication.

Token Ring:

A local area network protocol (IEEE 802.5) that uses a logical ring topology, usually wired as a physical star, in which a circulating token grants a station permission to transmit.

trade secret:

Proprietary or business-related information that a company or person uses and has exclusive rights to.

trademark:

As defined by the U.S. Patent and Trademark Office, a trademark is “any word, name, symbol, or device, or any combination, used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others.”

transborder data flow:

The transfer of electronic data across national borders.

transient:

A momentary electrical line noise disturbance.

transitive trust:

The property whereby, if A trusts B and B trusts C, then A trusts C; for example, a user in one domain inherits access to resources in another domain through a chain of domain trusts.

Transmission Control Protocol (TCP):

A connection-oriented network protocol that provides reliable delivery of packets over a network.

Transport Layer (OSI model):

Layer 4 of the OSI model. See also Open Systems Interconnection (OSI) model.

Transport Layer (TCP/IP model):

Layer 3 of the TCP/IP model. See also TCP/IP model.

Transport Layer Security (TLS):

The successor to SSL; a protocol that runs on top of a reliable transport protocol (usually TCP) and provides encryption, integrity, and authentication for communication between clients and servers on the Internet. TLS 1.2 and 1.3 are current; TLS 1.0 and 1.1 are deprecated (RFC 8996). See also Open Systems Interconnection (OSI) model, Secure Sockets Layer (SSL).

transposition cipher:

Ciphers that rearrange bits, characters, or character blocks in plaintext to produce ciphertext.

trap door:

A feature within a program that performs an undocumented function (usually a security bypass, such as an elevation of privilege).

triple DES (3DES):

A variation of the Data Encryption Standard algorithm.

Trojan horse:

A program that purports to perform a given function but actually performs some other (usually malicious) function. See also malware.

trust but verify:

A concept in which a policy or control is examined for effectiveness.

trusted computer system:

A system that employs all necessary hardware and software assurance measures and meets the specified requirements for reliability and security.

Trusted Computer System Evaluation Criteria (TCSEC):

Commonly known as the Orange Book, a formal systems evaluation criteria developed for the U.S. Department of Defense by the National Computer Security Center as part of the Rainbow Series.

Trusted Computing Base (TCB):

The total combination of protection mechanisms within a computer system — including hardware, firmware, and software — that are responsible for enforcing a security policy.

Trusted Network Interpretation (TNI):

Commonly known as the Red Book (of the Rainbow Series), addresses confidentiality and integrity in trusted computer/communications network systems. See also Trusted Computer System Evaluation Criteria (TCSEC).

trusted path:

A direct communications path between the user and the Trusted Computing Base that doesn’t require interaction with untrusted applications or operating system layers.

Trusted Platform Module (TPM):

A dedicated hardware security component, specified by the Trusted Computing Group, that securely stores keys, performs cryptographic functions, and records measurements of the boot process in platform configuration registers to support attestation and sealed storage.

trusted recovery:

Safeguards to prevent the disclosure of information during the recovery of a system after a failure.

twinaxial cable:

A network medium consisting of two solid wire cores that are surrounded by an insulation layer and a metal foil wrap.

twisted-pair cable:

A network medium consisting of one or more (typically four) twisted pairs of insulated copper conductors; the twisting reduces crosstalk and electromagnetic interference.

two-factor authentication:

An authentication method that requires two ways of proving identity. See also multifactor authentication.

Ultra Reliable and Low Latency Communication (URLLC):

A standard used in 5G mobile communications.

unauthenticated scan:

A vulnerability scan that does not log in to a device, system, or application during its search for exploitable vulnerabilities.

unicast:

A type of network protocol whereby packets are sent from a source to a single destination node.

Unified Communications as a Service (UCaaS):

The use of cloud-based PBX and VoIP systems.

unified threat management (UTM):

A security appliance that integrates various security features such as firewall, antimalware, and intrusion prevention capabilities into a single platform.

uninterruptible power supply (UPS):

A device that provides continuous electrical power, usually by storing excess capacity in one or more batteries.

unit test:

A test performed on an individual source code module.

USA PATRIOT Act (Uniting [and] Strengthening America [by] Providing Appropriate Tools Required [to] Intercept [and] Obstruct Terrorism Act of 2001):

A U.S. law that expands the authority of law enforcement agencies for the purpose of combating terrorism.

user:

A person who has access to information and/or information systems.

user acceptance testing (UAT):

Testing of systems and applications by end users so that they can verify correct functionality; also, the environments in which such testing takes place.

user and entity behavior analytics (UEBA):

A process used to detect malicious activity and potential breaches or intrusions by creating a baseline of normal user and entity activity and analyzing anomalies.

user behavior analytics (UBA):

See user and entity behavior analytics (UEBA).

User Datagram Protocol (UDP):

A network protocol that doesn’t guarantee packet delivery or the order of packet delivery over a network.

user entitlement:

The data access privileges that are granted to an individual user.

user mode:

A restricted processor mode in which applications and ordinary users’ processes run; privileged operations require a controlled transition into supervisor mode. See also supervisor mode.

Vernam cipher:

See one-time pad.

version control:

The tracking of a system or data set for the purpose of recording changes.

virtual desktop infrastructure (VDI):

A desktop operating system running within a virtual machine on a physical host server.

virtual extensible local area network (VxLAN):

A network virtualization technology that encapsulates Layer 2 frames in UDP so that a logical Layer 2 segment can extend across a Layer 3 network, and that uses a 24-bit identifier in place of the 12-bit VLAN ID, allowing far more segments in large (typically data center) networks. See also virtual local area network (VLAN).

virtual local area network (VLAN):

A logical network that resides within a physical network.

virtual machine:

An instantiation of an operating system running within a hypervisor.

virtual private network (VPN):

A private network used to communicate privately over public networks. VPNs typically use encryption and encapsulation to protect and simplify connectivity.

virtual tape library (VTL):

A disk-based storage system that is used like a magnetic tape library system in backup and restore operations. See also tape library.

virtualization:

The practice of running one or more separate, isolated operating system “guests” within a computer system.

virtualization (or VM) sprawl:

The rapid creation of virtual machines without proper security and operations controls.

virus:

A set of computer instructions whose purpose is to embed itself within another computer program to replicate itself. See also malware.

Voice over Internet Protocol (VoIP):

Telephony protocols that are designed to transport voice communications over TCP/IP networks.

Voice over Long-Term Evolution (VoLTE):

A protocol used for voice calls over Long-Term Evolution telecommunications networks using smartphones.

Voice over Misconfigured Internet Telephone (VOMIT):

A tool used to intercept voice calls on VoIP networks.

Voice over Wi-Fi (VoWiFi):

A protocol used for voice calls over Wi-Fi networks.

voltage drop:

A decrease in electric voltage, typically from a public utility.

vulnerability:

The absence or weakness of a safeguard in an asset, which makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.

vulnerability assessment:

The use of tools and techniques to identify vulnerabilities in an application, information system, facility, business process, or other object of study.

vulnerability management:

The life cycle process used to identify and remediate vulnerabilities in information systems.

vulnerability scan:

The use of an automated tool or technique to identify vulnerabilities in a target system or network.

vulnerability scanning tool:

A software program designed to scan a device, system, or application to identify exploitable vulnerabilities.

walk-through:

(1) A facilitated review of a process or procedure. (2) An audit activity. See inquiry.

wardialing:

A reconnaissance technique that uses a program to automatically dial a large block of phone numbers (such as an area code), searching for answering modems or fax machines that might provide unauthorized access.

wardriving:

A reconnaissance technique that involves driving around with a wireless receiver to locate and map wireless networks, particularly unsecured or poorly secured ones.

warm site:

An alternative computer facility that’s readily available and equipped with electrical power, heating, air conditioning, ventilation, and computers but not fully configured. See also cold site, hot site, reciprocal site.

waterfall:

The software development process in which each phase is performed independently and in sequence.

watering-hole attack:

An attack on browsers in which malware is installed on a web server and downloaded to users’ browsers.

web application firewall (WAF):

A device used to protect a web server from web application attacks such as script injection and buffer overflow.

web content filter:

A system or application that permits and blocks Internet access to websites based on a defined policy.

wet pipe:

A fire suppression system in which sprinkler pipes are always filled with water. See also dry pipe.

whaling:

The practice of sending phishing messages to targeted executives in an organization.

white-box testing:

A security test in which the tester has complete knowledge of the system being tested. See also static application security testing (SAST).

whitelisting:

A mechanism that explicitly permits access based on the presence of an item in a list.

Wideband Code Division Multiple Access (W-CDMA):

A mobile wireless communications standard that is a part of the 3G group of standards. See also 3G.

Wi-Fi:

A technology used for wireless local area networking with devices based on the IEEE 802.11 standards. See also Institute of Electrical and Electronics Engineers (IEEE).

Wi-Fi Calling:

A protocol used to transport smartphone telephone calls over Wi-Fi networks.

Wi-Fi Protected Access (WPA):

A means of encrypting communications over 802.11 networks.

Wired Equivalent Privacy (WEP):

A means of encrypting communications, specifically over 802.11/Wi-Fi networks. WEP is obsolete.

wireless intrusion detection system (WIDS):

A network intrusion detection system that focuses on wireless networks.

Wireless LAN (WLAN):

See Wi-Fi.

wiretap:

Any technique to overhear or record a telephone conversation.

wiring closet:

See distribution frame.

work factor:

The difficulty (in terms of time, effort, and resources) of breaking a cryptosystem.

work from home (WFH):

A work model in which an employee spends most work hours at their residence and performs their work duties remotely.

worker:

An all-inclusive term that includes full- and part-time employees, temporary employees, contractors, consultants, and others in an organization who have access to workplaces or information systems.

worm:

Malware that usually has the capability to replicate itself from computer to computer without the need for human intervention. See also malware.

X.25:

The first wide-area, packet-switching network.

XML (Extensible Markup Language):

A human- and machine-readable markup language.

zero trust (ZT):

A security and systems architecture approach in which systems, endpoints, or people are considered to be untrusted or unverifiable.

Zigbee:

A collection of high-level communication protocols for use in small, low-power personal area networks and smart home automation.
