Security+ (SY0-401) Terms
contingency plan
a plan that allows a business to keep running in the event of a disruption to vital resources
data policy
a policy dealing with some aspect of data (usage, destruction, retention, etc)
accountability statement
a policy that provides information to the reader about who to contact if a problem is discovered
AES
Advanced Encryption Standard - a FIPS publication that specifies a cryptographic algorithm for use by the US gov't
birthday attack
a probability method of finding a collision in a hash function
EAPOL
EAP (extensible authentication protocol) over LAN - the IEEE standard that defines port-based security for wireless network access control. it offers a means of authentication and defines EAP over IEEE 802, and it is often known as 802.1x
FTPS
FTP over SSL - a secure form of FTP
802.1x
The IEEE standard that defines port-based security for wireless network access control
forward secrecy
a property of any key exchange system that ensures that if one key is compromised, subsequent keys will not also be compromised
active response
a response generated in real time
cipher
a (cryptographic) algorithm used to encrypt and decrypt data
AES256
a 256-bit implementation of the AES
full backup
a backup that copies all data to the archive medium
federation
a collection of computer networks that agree on standards of operation such as security standards
firewall
a combination of hardware and software that protects a network from attack by hackers who could gain access through public networks like the internet
full archival method
a concept that works on the assumption that any information created on any system is stored FOREVER
administrative control
a control implemented through administrative policies or procedures
application-level proxy
a device or software that recognizes application-specific commands and offers granular control over them
electronic wallet
a device that identifies you electronically in the same way as the cards you carry in your wallet
certificate
a digital entity that establishes who you are and is often used with e-commerce. it contains your name and other identifying data and usually includes the public key half of the PKI key pair
backup plan
a documented plan governing backup situations - it can include alternate / secondary plans as well
disk striping with parity
a fault-tolerant solution of writing data across a number of disks and recording the parity on another (aka disk striping with a parity disk). in the event that any one disk fails, the data on it can be recreated by looking at the remaining data and computing parity to figure out the missing data
false positive
a flagged event that isn't really an event and has been falsely triggered
appliance
a freestanding device that operates in a largely self-contained manner
backup generator
a generator that can supply power in the event the primary provider is unable to deliver it
fibre channel
a high speed networking technology (solid definition)
dual-homed firewall
a host that resides on more than one network and possesses more than one network card
bastion host
a host with multiple network interface cards so that it can reside on multiple networks or subnets
ephemeral key
a key that exists only for that session
federated identity
a means of linking a user's identity with their privileges in a manner that can be used across business boundaries.
clustering
a method of balancing loads and providing fault tolerance
block cipher
a method of encryption that processes blocks of data rather than streams
bitlocker
a microsoft utility to encrypt a drive
cloud computing
a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
alarm
a notification that an unusual condition exists and should be investigated
alert
a notification that an unusual condition exists and should be investigated
cryptanalyst
a person who does cryptanalysis
cryptographer
a person who participates in the study of cryptographic algorithms
cable lock
a physical security deterrent used to protect a computer by locking it to something
cold site
a physical site that can be used if the main site is inaccessible but lacks all the necessary resources to enable the organization to use it immediately. commonly plans call for turning to a cold site within a certain number of hours of destruction of the main site
cookie
a plain text file stored on your machine that contains information about you that's used by a server
disaster-recovery plan
a plan outlining the procedure by which data is recovered after a disaster
deception active response
a response that fools the attacker into thinking that the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system designed to be broken (honeypots)
backout
a reversion or roll back to a previous state from a change that had negative consequences
border router
a router used to translate from LAN to WAN framing
best practices
a set of rules governing basic operations
exception statement
a statement that differs from the norm
encryption key
a string of alphanumeric characters used to decrypt encrypted data
five nines availability
a system that is up & running 99.999% of the time or more
access control list
a table or file that specifies whether a user or group has access to a specific resource on a network
fuzzing
a technique of penetration testing that can include providing unexpected values as input to an application to make it crash
bridge trust model
a trust model in which a peer-to-peer relationship exists between the root CAs
buffer overflow
a type of DoS attack that occurs when more data is put into a buffer than it can hold
differential backup
a type of backup that includes only new files or files that have changed since the last backup. differential backups differ from incremental backups in that they don't clear the archive bit upon completion
Authenticode
a type of certificate technology that allows ActiveX components to be validated by a server
connection-oriented protocol
a type of communication between two hosts that have a previous session established for synchronizing sent data. the receiving host acknowledges the data. this allows for guaranteed delivery. TCP is connection oriented and UDP is not.
blowfish
a type of symmetric block cipher created by Bruce Schneier
CAST
a type of symmetric block cipher defined by RFC 2144
backup
a usable copy of data made to (removable) media and stored for later recovery
companion virus
a virus that creates a new program that runs in place of an expected program of the same name
armored virus
a virus that is protected in a way that makes disassembling it difficult - it is 'armored' against antivirus programs trying to understand or analyze its code
backup policy
a written policy detailing the frequency of backups and the location of the storage media
arbitrary code execution
accepting commands unrelated to a program and running them on the host machine within a shell or something along those lines
ARP
address resolution protocol - used to find the MAC (physical) address of a device with a known IP
acceptable use policies
agreed-upon principles set forth by a company to govern how the employees of that company may use resources like computers and the internet
ARP spoofing
aka ARP poisoning - faking your MAC address
captive portal
an AP that requires users to agree to some condition before they can use the network / internet
collusion
an agreement between individuals to commit fraud or deceit
asymmetric algorithm
an algorithm that uses two keys
cryptographic algorithm
an algorithm used to encrypt and decrypt data (aka cipher)
all-in-one appliance
an appliance that performs multiple functions
diffie-hellman key exchange
an asymmetric standard for exchanging keys. primarily used to send private keys over public networks.
digital signature
an asymmetrically encrypted signature whose sole purpose is to authenticate the sender
DNS poisoning
an attack method in which a daemon caches DNS reply packets which sometimes contain other information. the extra information can be scanned for data useful in a break in or MitM attack
ARP poisoning
an attack that convinces the network that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine
directory traversal attack
an attack that involves navigating to other directories and gaining access to files and directories that would otherwise be restricted
bot
an automated software program that collects information on the web. maliciously, a computer controlled by the red team
faraday cage
an electrically conductive wire mesh or other conductor woven into a cage that surrounds a room and prevents electromagnetic signals from entering or leaving
false negative
an event that should be flagged but isn't
full distribution
an information classification stating that the data classified is available to everyone
backdoor
an opening left in a program that allows additional access to data. typically, a backdoor is created for debugging with the intention of removing them before shipping the product. they can also be placed by malicious people.
ALE
annual loss expectancy - a calculation used to identify risks and calculate the expected loss each year [SLE (single loss expectancy) x ARO (annual rate of occurrence)]
ARO
annual rate of occurrence - a calculation of how often a threat will occur. if it happens every ten years it's .1 (10%)
AD-IDS
anomaly-based IDS - an IDS that works by looking for deviations from a pattern of normal network traffic
activity
any action a user undertakes (thanks)
event
any noticeable action or occurrence
attack
any unauthorized intrusion into the normal operations of a computer network. can either gain access to a system or any of its resources
XaaS
anything as a service - a cloud computing model that can work with a combination of other models: SaaS, IaaS, PaaS
API
application programming interface - an abstract interface to the services and protocols provided by an OS
ASR
attack surface reduction - minimizing the possibility of exploitation by reducing the amount of code and limiting potential damage
brute-force attack
attack that is pure trial and error, trying all possible combinations
AH
authentication header - a header used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays
ASR disk
automated system recovery disk - a utility for Win 7+ for creating a copy of the configuration settings necessary to reach the present state after a 'disaster'
BCP
business continuity planning - a contingency plan that allows a business to keep running in the event of a disruption in vital resources
BIA
business impact analysis - a study of the possible impact if a disruption to the business's vital resources were to occur
CA
certificate authority - an issuer of digital certificates
CMP
certificate management protocol - a messaging protocol used between PKI entities (used in some PKI environments)
CPS
certificate practice statement - the principles and procedures employed in the issuing and managing of certificates
CRL
certificate revocation list - a list of certificate revocations that must be downloaded regularly
CHAP
challenge handshake authentication protocol - a protocol that challenges a system to verify identity. CHAP is an improvement over PAP (password authentication protocol) where one-way hashing is incorporated into a three-way handshake
CCTV
closed circuit tv - a surveillance system for physical access monitoring
community cloud
cloud delivery model in which the infrastructure is shared by organizations with something in common
CAC
common access control - a standard identification card used by the DoD and other employers. it is used for authentication and identification
CC
common criteria - a document of specs detailing security evaluation methods for IT products and systems
baselining
comparing performance to a historic metric
CSIRT
computer security incident response team - a formalized or ad hoc team you can call upon to respond to an incident after it arises
detective control
controls that are intended to identify and characterize an incident in progress (like sounding an alarm and telling the admin)
CCMP
counter mode with cipher block chaining messaging authentication code protocol - a wrapper that uses 128-bit AES encryption with a 48-bit initialization vector
CBF
critical business functions - functions on which the livelihood of the company depend
XSRF
cross-site request forgery - a form of web-based attack in which unauthorized commands are sent from a user that the website trusts
XSS
cross-site scripting - running a script routine on a user's machine from a website without their permission
DES
data encryption standard - the primary standard used in government and industry until it was replaced by AES
DLP
data loss prevention - any systems that identify, monitor, and protect data to prevent it from unauthorized use, modification, or destruction
big data analysis
data that is too large to be dealt with by traditional database management means
control types
technical or administrative measures in place to assist with resource management
DMZ
demilitarized zone - an area for placing web and other servers outside the firewall. the purpose for doing so is not specifically to protect them but to protect the internal network (or protecting the app/db server)
DoS
denial-of-service - a type of attack that prevents any users from using a system
DAC
discretionary access control - a method of restricting access to objects based on the identity of the subjects or the groups to which they belong. the user can assign permissions to data and assets at their discretion
DDoS
distributed denial of service attack - a derivative of a DoS attack in which multiple hosts in multiple locations all focus on one target to reduce its availability to the public. usually done by compromised systems or botnets or a combination
DNS
domain name system - the network service used in TCP/IP networks that translates hostnames to IP addresses
DHCP
dynamic host configuration protocol - a protocol used in TCP/IP networks to send client configuration data (IP address, default gateway, subnet mask, DNS configs) to clients. it uses a four step process: discover, offer, request, acknowledgment
elasticity
dynamic provisioning of resources as needed
EMI
electromagnetic interference - the interference that can occur during the transmissions over copper cable because of EM energy outside of the cable. it results in a degraded signal.
ECC
elliptic curve cryptography - a type of public key cryptosystem that requires a shorter key length than many other cryptography systems (like RSA)
ESP
encapsulating security payload - a header used to provide a mix of security services in IPv4 and IPv6. ESP can be used alone or in combination with the IP authentication header (AH)
asymmetric encryption
encryption in which one key is used to encrypt (public) and another is used to decrypt (private)
EALs
evaluation assurance levels - a level of assurance, expressed as a numeric value, based on standards set by the CCRA (common criteria recognition agreement)
EAP
extensible authentication protocol - an authentication protocol used in wireless networks and point-to-point connections.
FIPS
federal information processing standard - a set of guidelines for US Federal government information systems
FCoE
fibre channel over ethernet - a networking protocol that is not routable at the IP layer and thus cannot work across large networks
FAT
file allocation table - microsoft's earliest filesystem
FTP
file transfer protocol - TCP/IP software that permits transferring files between computer systems and uses cleartext passwords
compensating controls
gap controls that fill in the coverage between other types of vulnerability mitigation techniques
data disposal
getting rid of or destroying media that is no longer needed
HMAC
hash based message authentication code - a mechanism for message authentication using cryptographic hash functions
forensics
in terms of security, the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access
code review
looking at all the custom-written code for any holes that may exist
banner grabbing
looking at the banner (header info) to find out about a system
dumpster diving
looking through trash for clues like passwords or usernames or something
certificate revocation
making a certificate invalid (ie in the wake of heartbleed)
change management
management included in the making of a change in the scope of any particular item
cloud bursting
moving the execution of an app to the cloud as needed (when traffic spikes)
grandfather, father, son method
one of the most popular methods of backup tape rotation. Three sets of tapes are rotated in this method. The most recent backup after the full backup is the Son. As newer backups are made, the Son becomes the Father, and the Father, in turn, becomes the Grandfather. At the end of each month, a full backup is performed on all systems. This backup is stored in an offsite facility for a period of one year. Each monthly backup replaces the monthly backup from the previous year. Weekly or daily incremental backups are performed and stored until the next full backup occurs. This full backup is then stored offsite, and the weekly or daily backup tapes are reused
control
processes or actions used to respond to situations or events
design review
reviewing the security design, including the ports and protocols used, the rules, segmentation, and access control
guidelines
rules, policies, or procedures that are advisory or nonmandatory
bluejacking
sending unsolicited messages over bluetooth
cold aisles
server room aisles that blow cold air from the floor
adware
software that gathers information to pass on to marketers or that intercepts personal data such as credit card numbers and makes them available to bad guys
antivirus software
software that identifies the presence of a virus and is capable of removing or quarantining it
disk striping
technology that enables writing data to multiple disks simultaneously in small portions called stripes. these stripes maximize use by having all of the read/write heads working constantly. different data is stored on each disk and isn't automatically duplicated (not fault tolerant)
disk mirroring
technology that keeps identical copies of data in two disks to prevent the loss of data if one disk fails
disk duplexing
technology that uses two controllers and two disks to keep identical copies of data to prevent the loss of data if one disk fails
application layer
the 7th & top layer of the OSI model that deals with how applications access the network and describes application functionality such as file transfer and messaging
DNS spoofing
the DNS server is given information about a name server that it thinks is legit when it isn't
fault tolerance
the ability to withstand a failure without losing data
dictionary attack
the act of attempting to crack passwords by testing them against a list of dictionary words.
escalation
the act of moving something up in priority. usually an issue is escalated to the next highest administrator
disaster recovery
the act of recovering data following a disaster that destroyed it.
fire suppression
the act of stopping a fire and preventing it from spreading
audit
the act of tracking resource usage by users
attack surface
the area of an application that is available to users. both those users who have been authenticated and those who have not
analyzer
the component or process that analyzes the data collected by the sniffer (in an IDS or something)
cryptography
the field of mathematics focused on encrypting and decrypting data
bluesnarfing
the gaining of unauthorized access through a bluetooth connection
access control
the means of giving or restricting user access to network resources
authentication
the means of verifying that someone is who they say they are
client
the part of a client-server network where the computing is usually done. in a typical setting the client uses the server for storage, backups, or security
access point
the point at which access to the network is accomplished
encryption
the process of converting data into a form that makes it less likely to be usable to anyone intercepting it if they can't decrypt it
encapsulation
the process of enclosing data in a packet
entrapment
the process of encouraging an attacker to perform an act even if they don't want to do it
enticement
the process of luring someone
hardening
the process of making certain that an entity is as secure as possible
failover
the process of reconstructing a system or switching over to other systems when a failure is detected
footprinting
the process of systematically identifying the network and its security posture (usually a passive process)
code escrow
the storage and conditions for release of source code provided by a vendor, partner, or other party
cryptanalysis
the study and practice of finding weaknesses in ciphers
administrator
the user who is accountable and responsible for the network
anomalies
variations from normal operations
guests
virtual machines running on a physical machine
gap in the wap
vulnerability possible when the interconnection between the WAP server and the internet is not encrypted and packets between devices may be intercepted