Pass4Sure Study Guide
SMTP (Simple Mail Transfer Protocol)
A communications protocol that enables sending email from a client to a server or between servers.
Mandatory Access Control (MAC)
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf.
Discretionary Access Control (DAC)
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
Cross-Site Request Forgery (CSRF or XSRF)
A method of attacking a system by sending malicious input to the system and relying upon the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user's browser.
SNMP (Simple Network Management Protocol)
An Application-layer protocol used to exchange information between network devices.
Rule-Based Access Control
An access control model that is based on a list of predefined rules that determine what access should be granted.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.
Cross-Site Scripting (XSS)
An attack that injects scripts into a Web application server to direct attacks at clients.
SMTPS (Simple Mail Transfer Protocol Secure)
An encrypted version of SMTP. It can be encrypted with TLS or SSL and uses port 465 by default.
Challenge Handshake Authentication Protocol (CHAP)
An older three-way authentication handshake that is accomplished during the initial authentication and may be repeated anytime after the link has been established.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is an authentication protocol that provides support for a wide range of authentication methods, such as smart cards, certificates, one-time passwords, public keys, etc. It is an extension to Point-to-Point Protocol (PPP), which allows the application of arbitrary authentication mechanisms for the validation of a PPP connection.
Key escrow
Key escrow (also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
Certificate Chaining
Linking several certificates together to establish trust between all the certificates involved.
Certificate stapling
OCSP stapling is a method for quickly and safely determining whether or not an SSL certificate is valid. It allows a web server to provide information on the validity of its own certificates rather than having to request the information from the certificate's vendor.
Certificate pinning
Pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.
Protected Extensible Authentication Protocol (PEAP)
Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP. PEAP-TLS uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate, PEAP-TLS requires a certification authority (CA) to issue certificates.
Secure Multipurpose Internet Mail Extensions (S/MIME)
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a technology that allows you to encrypt your emails. S/MIME is based on asymmetric cryptography to protect your emails from unwanted access.
Credentialed Scan
A scan in which the scanning computer has an account on the computer being scanned, allowing the scanner to do a more thorough check for problems that cannot be seen from the network.
Password Authentication Protocol (PAP)
The oldest and most basic form of authentication and also the least safe because it sends all passwords in cleartext.
Command Injection Attack
When input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server.