Appendix F

Acronyms

This acronym list is derived from the SY0-701 objectives and The CompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide. If you know the acronyms, many questions on the live exam will be much easier.

CompTIA often spells out acronyms in the objectives. However, they tend to use acronyms in many test questions. As an example, Objective 5.4 includes these terms:

  • Business impact analysis (BIA)

    • Recovery time objective (RTO)

    • Recovery point objective (RPO)

Consider this potential question on the Security+ exam:

Q. Lisa is reviewing an organization’s BIA. It indicates that a key website can tolerate a maximum of three hours of downtime. Administrators have identified several systems that require redundancy additions to meet this maximum downtime requirement. Of the following choices, what term refers to the maximum of three hours of downtime?

  1. RPO

  2. MTTR

  3. MTBF

  4. RTO

If you know that RTO is an acronym for recovery time objective and understand that “three hours of downtime” refers to time, this question is trivial.

The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. Because the business impact analysis (BIA) states that the website can only tolerate three hours of downtime, this identifies the RTO. The recovery point objective (RPO) identifies a point in time where data loss is acceptable, but it doesn’t refer to downtime. The mean time to repair (MTTR) metric and the mean time between failures (MTBF) metric are averages (arithmetic means) measured from past failures, not limits set by the business. MTTR is often compared against the RTO, but it refers to how long it typically takes to repair a system or component, not the maximum amount of downtime the business can tolerate.

Replace Acronyms with Words

When doing practice test questions, it’s best to read all acronyms as words instead of letters. As an example, read this sentence “Lisa is reviewing an organization’s BIA” as Lisa is reviewing an organization’s business impact analysis. Also, instead of reading the answers as letters, read them as words. If you see the following:

A. RPO

B. MTTR

C. MTBF

D. RTO

Read them as the following in your head:

A. Recovery point objective

B. Mean time to repair

C. Mean time between failures

D. Recovery time objective

If you forget what an acronym represents, come back here.

Numbers

3DES—Triple Data Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks by applying DES three times. It was designed to replace DES and is still found in some legacy applications, such as when hardware doesn’t support AES, but NIST has deprecated it and AES should be used for new designs.

A

AAA—Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user’s claimed identity. Authorization determines what an authenticated user is allowed to access. Accounting tracks a user’s access with logs.

ABAC—Attribute-based access control. An access control scheme. ABAC grants access to resources based on attributes assigned to subjects and objects. Compare with DAC, MAC, role-based access control, and rule-based access control.

ACE—Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS.

ACK—Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN packet but don’t complete the handshake after receiving the SYN/ACK packet.

ACL—Access control list. A list of rules used by routers and stateless firewalls. These devices use the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols. Rules are evaluated in order, the first matching rule wins, and most ACLs end with an implicit deny for anything that didn’t match, so rule order matters.
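The following is an added example, not code from the study guide, showing how a stateless ACL is evaluated: rules are checked top-down, the first match decides, and anything unmatched hits the implicit deny. The rule format, addresses, and the two ACLs are constructed for illustration and do not mirror any vendor’s syntax. It also shows the classic ordering mistake, where a broad permit placed above a specific deny shadows it.

```python
"""Stateless ACL evaluation: first match wins, implicit deny at the end.

Added example, not from the study guide. The Rule format and the sample
ACLs are constructed for illustration; real router ACL syntax differs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp", or "any"
    src: str                # CIDR such as "10.0.0.0/8", or "any"
    dst: str                # CIDR or "any"
    dport: Optional[int] = None   # None means any destination port


def _net(cidr):
    return None if cidr == "any" else ip_network(cidr)


def matches(rule, proto, src, dst, dport):
    """True if a single packet (proto, src, dst, dport) matches the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    for want, have in ((rule.src, src), (rule.dst, dst)):
        net = _net(want)
        if net is not None and ip_address(have) not in net:
            return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, rule_index) for the first matching rule.

    A stateless device has no memory of previous packets, so return traffic
    needs its own rule; nothing matched means the implicit deny applies.
    """
    for i, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


# Constructed ACL protecting a screened subnet (192.0.2.0/24): block a
# known-bad source network first, then permit web and DNS traffic.
ACL = [
    Rule("deny", "any", "203.0.113.0/24", "any"),          # blocked source network
    Rule("permit", "tcp", "any", "192.0.2.0/24", 443),     # HTTPS to web servers
    Rule("permit", "tcp", "any", "192.0.2.0/24", 80),      # HTTP to web servers
    Rule("permit", "udp", "10.0.0.0/8", "192.0.2.53/32", 53),  # internal DNS queries
]

# The same rules in the wrong order: the broad permits now sit above the
# deny and shadow it, so the blocked network reaches the web servers.
ACL_SHADOWED = [ACL[1], ACL[2], ACL[0], ACL[3]]


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.7", "192.0.2.10", 443))          # ('deny', 0)
    print(evaluate(ACL_SHADOWED, "tcp", "203.0.113.7", "192.0.2.10", 443)) # ('permit', 0)
    print(evaluate(ACL, "tcp", "198.51.100.5", "192.0.2.10", 22))          # ('deny', None)
```

The shadowed ACL is not a syntax error and the device accepts it without complaint, which is why ACL reviews check rule order and not only rule content.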

AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

AES-256—Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys, and AES-256 uses 256-bit encryption keys.

AH—Authentication Header. An option within IPsec to provide authentication and integrity. IPsec uses AH to provide authentication and integrity using HMAC, but AH does not encrypt the payload. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. AH is identified with protocol ID number 51. Compare with IPsec and ESP.

ALE—Annualized (or annual) loss expectancy. The expected loss for a year. The ALE identifies the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.

AP—Access point. A device that connects wireless clients to wireless networks. Sometimes called a wireless access point (WAP).

API—Application programming interface. A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs are often used with web applications, Internet of Things (IoT) devices, and cloud-based services.

API attacks—Application programming interface attacks. Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.

APT—Advanced persistent threat. A group that has both the capability and intent to launch sophisticated and targeted attacks and to maintain long-term access to a targeted network. APTs are typically sponsored by a nation-state (such as a foreign government).

ARO—Annualized (or annual) rate of occurrence. The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE.

ARP—Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. ARP has no authentication, so any host can answer a request or send an unsolicited reply. Compare with ARP poisoning.

ARP poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates, typically unsolicited ARP replies that claim the default gateway’s IP address. Dynamic ARP inspection on switches and static ARP entries for critical hosts help prevent it.
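As an added example that is not part of the study guide, the following detector applies the idea from the entry above to a constructed sequence of ARP replies: an IP address whose MAC binding changes, or that conflicts with a known-good binding for the gateway, is the signature a sensor or a switch’s dynamic ARP inspection looks for. The reply records and the known-good binding are constructed for illustration; a real sensor would parse them from a packet capture.

```python
"""Detecting ARP poisoning from observed ARP replies.

Added example, not from the study guide. ARP replies are represented as
(timestamp, sender_ip, sender_mac) tuples constructed for illustration.
"""
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN segment. The gateway
# 10.0.0.1 legitimately belongs to aa:aa:aa:aa:aa:01. From t=5 a second
# host (bb:...:99) starts claiming the gateway address, the classic
# signature of ARP poisoning; at t=8 the real gateway answers again.
ARP_REPLIES = [
    (1, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (2, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (3, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (5, "10.0.0.1",  "bb:bb:bb:bb:bb:99"),
    (6, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (7, "10.0.0.1",  "bb:bb:bb:bb:bb:99"),
    (8, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
]


def detect_arp_poisoning(replies, static_map=None):
    """Return alerts for IPs whose MAC binding changes or violates a known-good entry.

    static_map is an optional {ip: mac} dict of trusted bindings (for example the
    gateway), playing the role of a static ARP entry or a DHCP-snooping binding.
    Each alert is (timestamp, ip, reason, expected_mac, observed_mac).
    """
    static_map = {ip: mac.lower() for ip, mac in (static_map or {}).items()}
    seen = {}      # ip -> last MAC observed for it
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_map:
            # Trusted binding: anything else claiming this IP is an alert,
            # and the legitimate host answering again is not.
            if mac != static_map[ip]:
                alerts.append((ts, ip, "static-binding-violation", static_map[ip], mac))
        elif ip in seen and seen[ip] != mac:
            # No trusted binding: flag every flip, including the flip back.
            alerts.append((ts, ip, "mac-changed", seen[ip], mac))
        seen[ip] = mac
    return alerts


def contested_ips(replies):
    """IPs claimed by more than one MAC: poisoning candidates (or a misconfigured host)."""
    claimants = defaultdict(set)
    for _, ip, mac in replies:
        claimants[ip].add(mac.lower())
    return {ip for ip, macs in claimants.items() if len(macs) > 1}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
    print("contested:", contested_ips(ARP_REPLIES))
```

Without a trusted binding the detector can only say that the mapping flipped (twice here, at t=5 and t=8); with the gateway’s real MAC supplied it attributes both spoofed replies (t=5 and t=7) to the attacker and stays quiet when the real gateway answers.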

ASCII—American Standard Code for Information Interchange. Code used to display characters.

AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.

B

BCP—Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.

BIA—Business impact analysis. A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an incident. The BIA helps identify RTOs and RPOs. Compare with BCP, DRP, RTO, and RPO.

BIND—Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix servers. Most Internet-based DNS servers use BIND.

BIOS—Basic Input/Output System. A computer’s firmware that is used to manipulate different settings such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. Compare with UEFI.

BPDU guard—Bridge Protocol Data Unit guard. A switch feature that protects the spanning tree protocol (STP). BPDUs should only arrive on ports connected to other switches. When BPDU guard is enabled on an access port (a port connected to an end device), the switch shuts the port down if a BPDU arrives on it. This blocks an attacker or rogue switch from injecting BPDUs to manipulate the spanning tree or create a switching loop.

BYOD—Bring your own device. A mobile device deployment model. A BYOD model allows employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD.

C

CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI.

CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a website. Users must type in text often from a slightly distorted image.

CASB—Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies.

CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It uses an IV for the first block, and each subsequent block is combined with the previous block.

CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security.

CCTV—Closed-circuit television. A detective control that provides video surveillance. Video surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.

CER—Canonical Encoding Rules. An ASN.1 encoding closely related to DER. In practice, a file with the .cer extension holds a certificate that is either binary DER data or Base64-encoded ASCII text (PEM format, wrapped in BEGIN CERTIFICATE and END CERTIFICATE lines). Compare with DER.

CERT—Computer Emergency Response Team. A group of experts who respond to security incidents.

CHAP—Challenge Handshake Authentication Protocol. An authentication mechanism where a server challenges a client. Compare with MS-CHAPv2 and PAP.

CIA—Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

CIO—Chief Information Officer. A “C” level executive position in some organizations. A CIO is responsible for the organization’s information technology strategy and for the systems that support its business goals.

COOP—Continuity of operations planning. Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site.

COPE—Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD.

CRL—Certificate revocation list. A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. Clients should check the CRL (or query OCSP) before trusting a certificate.

CSF—Cybersecurity Framework. A framework that aligns with the RMF and can be used in the private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implementation tiers, and the framework profiles.

CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by creating a private/public key pair (commonly RSA or ECC) and then including the public key, the subject’s identifying information, and a signature made with the private key in the CSR. The private key never leaves the requester. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.

CTM—Counter mode. More commonly abbreviated CTR. A mode of operation used for encryption that combines an IV (a nonce) with a counter. The block cipher encrypts each combined value to produce a keystream, which is XORed with the plaintext. The nonce must never be reused with the same key, because two messages encrypted with the same keystream leak the XOR of their plaintexts.

CTO—Chief Technology Officer. A “C” level executive position in some organizations. CTOs focus on technology and evaluate new technologies.

CVE—Common Vulnerabilities and Exposures. A dictionary of publicly known security vulnerabilities and exposures.

CYOD—Choose your own device. A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.

D

DAC—Discretionary access control. An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.

DDoS—Distributed denial-of-service. An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS.

DEP—Data Execution Prevention. A security feature in some operating systems. DEP prevents an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.

DER—Distinguished Encoding Rules. A binary encoding of an ASN.1 structure, used as a base format for PKI certificates. A PEM file is the Base64 ASCII encoding of the same DER data, wrapped in BEGIN CERTIFICATE and END CERTIFICATE lines. Compare with CER.

DH—Diffie-Hellman. An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE (ECDHE) uses elliptic curve cryptography to generate encryption keys.

DHCP—Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

DHCP snooping—Dynamic Host Configuration Protocol (DHCP) snooping. A preventive measure used to block unauthorized (rogue) DHCP servers. It is enabled on Layer 2 switches, and each port is marked trusted or untrusted. The switch accepts DHCP server messages (such as DHCP Offer and DHCP Ack) only from trusted ports and drops them if they arrive on untrusted ports. The switch also records the IP-to-MAC bindings it learns, which dynamic ARP inspection can use to block ARP poisoning.

DHE—Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each new session. Sometimes listed as EDH.

DLL—Dynamic-link library. A compiled set of code that can be called from other programs.

DLL injection— Dynamic-link library injection. An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite the DLL, inserting malicious code.

DLP—data loss prevention. A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.

DMZ—demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network. CompTIA is using the term screened subnet to replace DMZ.

DNS—Domain Name System. Used to resolve hostnames to IP addresses. DNS zones include records such as A records for IPv4 addresses, AAAA records for IPv6 addresses, and MX records to identify mail servers. DNS uses UDP port 53 for most client queries and TCP port 53 for zone transfers and for responses too large to fit in a UDP packet. Compare with DNS poisoning and pharming.

DNS poisoning— Domain Name System poisoning. An attack that modifies or corrupts DNS results. DNSSEC helps prevent DNS poisoning.

DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to protect the integrity of DNS records and prevent some DNS attacks.

DoS—denial-of-service. An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS.

DRP—disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.

DSA—Digital Signature Algorithm. An algorithm used to create a digital signature. A digital signature is commonly described as an encrypted hash of a message: the sender hashes the message and signs the hash with the sender’s private key, and the recipient verifies the signature with the sender’s public key. (Strictly, DSA produces the signature with a mathematical operation that is not encryption, but the private-key-signs, public-key-verifies model is the same.) A valid signature provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying having sent the message.

E

EAP—Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, and PEAP.

EAP-FAST—EAP-Flexible Authentication via Secure Tunneling. A Cisco-designed protocol sometimes used with 802.1X. EAP-FAST supports certificates, but they are optional. Compare with EAP, EAP-TLS, EAP-TTLS, and PEAP.

EAP-TLS—Extensible Authentication Protocol-Transport Layer Security. An extension of EAP sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP.

EAP-TTLS—Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.

ECC—Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.

ECDHE—Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.

EMI—Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.

ESP—Encapsulating Security Payload. A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.

F

FAR—False acceptance rate. Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match.

FDE—Full disk encryption. A method to encrypt an entire disk. Compare with SED.

FRR—False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage of times a biometric authentication system incorrectly rejects a valid match.

FTP—File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

FTPS—File Transfer Protocol Secure. An extension of FTP that uses TLS (historically SSL) to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990. Do not confuse it with SFTP, which runs over SSH on TCP port 22.

G

GCM—Galois/Counter Mode. A mode of operation used for encryption. It combines Counter (CTM) mode for confidentiality with an authentication tag computed over the ciphertext (using Galois field multiplication, known as GHASH) for data authenticity and integrity. As with counter mode, a nonce must never be reused with the same key.

GDPR—General Data Protection Regulation. The GDPR is a European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It also defines the roles of data owners, data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO).

GPS—Global Positioning System. A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.

GPS tagging—Global Positioning System tagging. A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the photo was taken, or the file was created.

H

HIDS—Host-based intrusion detection system. HIDS is software installed on a system to detect attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software. Compare with HIPS, NIDS, and NIPS.

HIPS—Host-based intrusion prevention system. An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.

HMAC—Hash-based Message Authentication Code. A construction that uses a hashing algorithm and a shared secret key to verify both the integrity and the authenticity of a message. Only someone who knows the key can produce a valid HMAC. When used with TLS and IPsec, HMAC is combined with a hash such as MD5, SHA-1, or SHA-256, written as HMAC-MD5, HMAC-SHA1, and HMAC-SHA256.

HOTP—HMAC-based One-Time Password. An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Compare with TOTP.
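The following added example, which is not code from the study guide, builds HOTP from the HMAC described in the entry above using only the Python standard library, and checks it against the test vectors published in RFC 4226 (Appendix D: the secret `12345678901234567890` produces 755224 for counter 0, 287082 for counter 1, and so on). It also shows the server-side check a practitioner actually needs: because HOTP codes do not expire, the server must keep a counter per token, accept a small look-ahead window to resynchronize, and never accept a counter it has already consumed. The `verify_hotp` and `totp` helper names and the look-ahead size are my own choices.

```python
"""HOTP (RFC 4226) built from HMAC-SHA1, checked against the RFC's test vectors.

Added example, not from the study guide. Standard library only.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP = truncate(HMAC(secret, counter)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                    # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, counter: int, look_ahead: int = 5):
    """Server-side check. Returns the next counter to store, or None if rejected.

    The token may have been pressed without a login (counter drifts ahead), so
    the server tries counter..counter+look_ahead. Anything at or below the last
    accepted counter is never retried, which is what defeats replay of an old code.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from time (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


# RFC 4226 Appendix D: secret and expected HOTP values for counters 0..9.
RFC_SECRET = b"12345678901234567890"
RFC_VALUES = ["755224", "287082", "359152", "969429", "338314",
              "254676", "287922", "162583", "399871", "520489"]


if __name__ == "__main__":
    for i, expected in enumerate(RFC_VALUES):
        assert hotp(RFC_SECRET, i) == expected, i
    print("RFC 4226 vectors OK")
    print(verify_hotp(RFC_SECRET, "969429", counter=0))   # 4: counter 3 matched
    print(verify_hotp(RFC_SECRET, "755224", counter=1))   # None: counter 0 already used
```

Note that `totp` with an 8-digit code and time 59 reproduces the RFC 6238 vector 94287082, which is simply the counter-1 HOTP value above computed with eight digits instead of six.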

HSM—Hardware security module. A removable or external device that can generate, store, and manage cryptographic keys, such as the private keys used in asymmetric encryption. Keys are designed never to leave the HSM; applications ask the HSM to sign or decrypt with them. High-volume e-commerce sites use HSMs to protect TLS private keys and to increase the performance of TLS sessions. Compare with TPM.

HTML—Hypertext Markup Language. A language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than and greater-than characters (< and >) to create tags. Many sites use input validation and output encoding (converting these characters to entities such as &lt; and &gt;) to prevent cross-site scripting attacks.

HTTP—Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP uses TCP port 80 and is unencrypted. Today HTTP is commonly encrypted with TLS and referred to as HTTPS.

HTTPS—Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS encrypts HTTP traffic with TLS using TCP port 443.

HVAC—Heating, ventilation, and air conditioning. A physical security control that increases availability by regulating airflow within data centers and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity controls to reduce the potential damage from condensation.

I

IaaS—Infrastructure as a Service. A cloud computing model. IaaS allows an organization to rent access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.

ICMP—Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it likely indicates that ICMP is blocked.

ICS—Industrial control system. A system that controls large systems such as power plants or water treatment facilities. A SCADA system typically controls an ICS. Compare with SCADA.

IDS—Intrusion detection system. A detective control used to detect attacks as or after they occur. A network-based IDS (NIDS) monitors a network, and a host-based IDS (HIDS) monitors a host. Both monitor for intrusions and provide ongoing detection of various threats, raising alerts rather than blocking traffic. IDSs include sniffing capabilities. Signature-based IDSs identify attacks using known patterns, often labeled with identifiers such as CVE numbers. Compare with IPS.

IEEE—Institute of Electrical and Electronics Engineers. IEEE is an international organization with a focus on electrical, electronics, and information technology topics. IEEE standards are well respected and followed by vendors around the world.

IEEE 802.1X—A port-based authentication protocol. An authentication protocol used in VPNs and wired and wireless networks. 802.1X deployments commonly use a RADIUS server as the authentication server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS.

IGMP—Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address.

IIS—Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products. Linux systems use Apache as a web server.

IMAP4—Internet Message Access Protocol v4. Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.

IoT—Internet of things. The network of physical devices connected to the Internet. It typically refers to smart devices with an IP address, such as wearable technology and home automation systems.

IP—Internet Protocol. Used for addressing. Compare with IPv4 and IPv6.

IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can be used internally to protect private networks, such as those holding SCADA equipment. Compare with IDS.

IPv4—Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1.

IPv6—Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 has a significantly larger address space than IPv4. IPsec is built into IPv6 and can encrypt any type of IPv6 traffic.

ISP—Internet Service Provider. A company that provides Internet access to customers.

IT—Information technology. Computer systems and networks used within organizations.

IV—Initialization vector. A value combined with the encryption key so that encrypting the same data with the same key produces different ciphertext each time. The IV should be unique (and for some modes unpredictable) for every message; reusing an IV with the same key leaks information. In an IV attack, such as the attack on WEP’s short 24-bit IVs, the attacker uses packet injection to increase the number of packets to analyze and eventually discovers the encryption key.

K

KDC—Key Distribution Center. Part of the Kerberos protocol used for network authentication. The KDC includes an authentication service, which issues ticket-granting tickets (TGTs), and a ticket-granting service (TGS), which issues service tickets. The KDC issues timestamped tickets that expire, so Kerberos requires the clocks of clients and servers to be synchronized.

L

L2TP—Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.

LDAP—Lightweight Directory Access Protocol. A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS.

LDAPS—Lightweight Directory Access Protocol over SSL. A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.

M

MAC—Mandatory Access Control. An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know. Compare with ABAC, DAC, role-based access control, and rule-based access control.

MAC—Media access control. A 48-bit address used to identify network interface cards. It is also called a hardware address or a physical address, and it is commonly displayed as six pairs of hexadecimal characters. Port security on a switch or an AP can limit access using MAC filtering, but MAC addresses are easily changed in software, so this is a weak control on its own.

MAC cloning attack—Media access control cloning attack. An attack that changes the source MAC address to impersonate an authorized system. When MAC filtering is used, attackers can discover the address of authorized MAC addresses and change their address to bypass MAC filtering. This is sometimes called MAC spoofing.

MAC filtering—Media access control filtering. A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for wireless security.

MAC flooding—Media access control flooding. An attack against a switch that attempts to overload its MAC address table (CAM table). Most ports on a switch have only a single host connected to them, with only a single MAC address. A MAC flooding attack sends a stream of frames with random spoofed source MAC addresses until the table is full. If successful, the switch can no longer learn where hosts are and floods frames out all ports, operating as a hub instead of as a switch, which lets the attacker sniff traffic. Port security that limits the number of MAC addresses per port prevents it.

MD5—Message Digest 5. A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a fixed-size number created by applying the algorithm to a file or message. Computing the hash at different times and comparing the results verifies integrity. Experts consider MD5 cracked, because practical collisions (two different inputs with the same hash) are known, and discourage its use as a cryptographic hash. However, it is still used as a checksum to detect accidental corruption in some situations.

MDM—Mobile device management. A group of applications and technologies used to manage mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.

MMS—Multimedia Messaging Service. An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images. Compare with SMS and Rich Communication Services.

MS-CHAP—Microsoft Challenge Handshake Authentication Protocol. Microsoft implementation of CHAP. MS-CHAPv2 improves MS-CHAP by providing mutual authentication.

MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2. Microsoft implementation of CHAP. MS-CHAPv2 provides mutual authentication. Compare with CHAP and PAP.

MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures. Higher MTBF numbers indicate a higher reliability of a product or system.

MTTF—Mean time to failure. The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.

MTTR—Mean time to recover (also mean time to repair). Identifies the average (the arithmetic mean) time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract. Compare with RTO, which is the maximum tolerable downtime rather than an average.

N

NAC—Network access control. A system that inspects clients to ensure they are healthy. Healthy clients are granted access to the network, and unhealthy clients are redirected to a remediation network. Agents inspect clients, and agents can be permanent (installed) or dissolvable (downloaded for a single session and removed afterward). Agentless NAC inspects clients without installing any software on them. MAC filtering is a simple form of NAC.

NAT—Network Address Translation. A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses.

NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.

NFC—Near field communication. A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using NFC technologies with a smartphone.

NIC—Network interface card. Provides connectivity to a network. A NIC is typically built into a circuit board and includes a connector, such as an RJ-45 connector.

NIC teaming—Network interface card (NIC) teaming. A group of two or more network adapters acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.

NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls, and monitors network traffic. It can detect network-based attacks.

NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress.

NIST—National Institute of Standards and Technology. NIST is a part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available to anyone. They can be found at http://csrc.nist.gov/publications/PubsSPs.html.

NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and NTLM2 Session.

NTP—Network Time Protocol. Protocol used to synchronize computer times.

O

OAuth—An open source standard used for authorization with Internet-based single sign-on solutions. Many companies such as Google, Facebook, PayPal, Microsoft, and Twitter support OAuth. Users can sign on with their account using one of these companies and gain access to other sites. OAuth focuses on authorization, not authentication, and RFC 6749, “The OAuth 2.0 Authorization Framework,” describes it.

OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

OIDC—OpenID Connect. An open source standard used for identification on the Internet. It builds on OpenID and uses the OAuth 2.0 framework. OIDC uses a JavaScript Object Notation (JSON) Web Token (JWT), sometimes called an ID token.

OpenID—An authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials and websites that support OpenID prompt users to enter their OpenID.

OSI—Open Systems Interconnection. The OSI reference model conceptually divides different networking requirements into seven separate layers.

OSINT—Open-source intelligence. A method of gathering data using public sources, such as social media sites and news outlets.

P

P12—PKCS#12. A common format for PKI certificates. They are DER-based (binary) and often hold certificates with the private key. They are commonly encrypted.

P7B—PKCS#7. A common format for PKI certificates. They are CER-based (ASCII) and commonly used to share public keys.

PaaS—Platform as a Service. A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform, meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.

PAM—Privileged access management. A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when they need them and only for a limited time. PAM is sometimes called privileged account management.

PAP—Password Authentication Protocol. An older authentication protocol where passwords or PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2.

PBKDF2—Password-Based Key Derivation Function 2. A key stretching technique that adds additional bits to a password as a salt. It helps prevent brute force and rainbow table attacks. Compare with Bcrypt and Argon2.
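
The salt-and-stretch idea in the PBKDF2 entry, as an added example written for this glossary (not code from the study guide). It uses Python's standard `hashlib.pbkdf2_hmac`; the iteration count and the `pbkdf2_sha256$...` record layout are assumptions chosen for the example, not a standard the entry describes.

```python
import hashlib
import hmac
import os

# Assumed iteration count for this example; tune it to the deployment's hardware so
# that one derivation takes a noticeable fraction of a second.
ITERATIONS = 600_000


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Derive a 32-byte key from the password with PBKDF2-HMAC-SHA256.

    The random per-user salt is the "additional bits" the entry describes: it makes
    precomputed (rainbow) tables useless, and the iteration count makes every
    brute-force guess cost `iterations` HMAC computations instead of one.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    # Store everything needed to verify later; the salt and iteration count are not secret.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt and iterations, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def salts_differ(password: str, iterations: int = 1000) -> bool:
    """The same password hashed twice yields different records because each call draws a new salt."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(salts_differ("correct horse battery staple"))             # True
```

The stored record carries the salt and iteration count alongside the derived key, which is what lets the verifier recompute the same key years later and also lets an operator raise the iteration count for new records without breaking old ones.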

PDF—Portable Document Format. Type of file for documents. Attackers have embedded malware in PDFs.

PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with 802.1X. PEAP provides an extra layer of protection for EAP. PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and EAP-FAST.

PEM—Privacy Enhanced Mail. A common format for PKI certificates. It can use either CER (ASCII) or DER (binary) formats and can be used for almost any type of certificates.

PFX—Personal Information Exchange. A common format for PKI certificates. It is the predecessor to P12 certificates.

PHI—Personal Health Information. PII that includes health information.

PII—Personally Identifiable Information. Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies such as encrypting it.

PIN—Personal identification number. A number known by a user and entered for authentication. PINs are often combined with smart cards to provide dual-factor authentication.

PIV—Personal Identity Verification card. A specialized type of smart card used by U.S. federal agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC.

PKI—Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most trust models are hierarchical and centralized with a central root CA.

POP3—Post Office Protocol v3. Used to transfer email from mail servers to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections.

PSK—Preshared key. A secret shared among different systems. Wireless networks using WPA2 support Personal mode, where each device uses the same PSK. WPA3 uses Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.

PUPs—Potentially unwanted programs. Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, such as Trojans. Compare with spyware.

R

RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can recover the private key from a key escrow.

RADIUS—Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses TCP. RFC 3579, “RADIUS Support for EAP,” supports encryption of the entire authentication process using TCP. Compare with TACACS+.

RAID—Redundant array of inexpensive disks. Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.

RAID-0—Disk striping. RAID-0 improves performance but does not provide fault tolerance.

RAID-1—Disk mirroring. RAID-1 uses two disks and provides fault tolerance.

RAID-5—Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance. It can survive the failure of a single drive.

RAID-6—Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.

RAID-10—Disk mirroring with striping. RAID-10 combines the features of mirroring (RAID-1) and striping (RAID-0). The minimum number of drives in a RAID-10 is four, and a RAID-10 always has an even number of drives.

RAM—Random access memory. Volatile memory within a computer that holds active processes, data, and applications. Data in RAM is lost when the computer is turned off. Memory forensics analyzes data in RAM.

RAS—Remote Access Service. Provides access to an internal network from an outside source location using dial-up or a VPN.

RAT—Remote access Trojan. Malware that allows an attacker to take control of a system from a remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.

RDP—Remote Desktop Protocol. Used to connect to remote systems. Microsoft uses RDP in different services such as Remote Desktop Services and Remote Assistance. RDP uses either port TCP 3389 or UDP 3389.

RFI—Radio frequency interference. Interference from RF sources such as AM or FM transmitters. RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.

RFID—Radio frequency identification. RFID methods are often used for inventory control.

RFID attacks—Radio frequency identification attacks. Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS.

RCS—Rich Communication Services. An extension of SMS and MMS. RCS supports all of the features of MMS and adds a few additional features. If a system doesn’t support RCS, it can default to SMS or MMS. Compare with SMS and MMS.

RMF—Risk Management Framework. A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorize information systems, select security controls, implement security controls, assess security controls, authorize information systems, and monitor security controls.

rogue AP—Rogue access point. An unauthorized AP. It can be placed by an attacker or an employee who hasn’t obtained permission to do so. An evil twin is a special type of rogue AP with the same or similar SSID as a legitimate AP.

ROI—Return of investment or return on investment. A performance measure used to identify when an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls.

ROT13—A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each letter 13 spaces. To decrypt a message, you would rotate each letter 13 spaces.
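
The rotation described in the ROT13 entry, as an added example written for this glossary rather than code from the study guide. It generalizes the entry slightly: `caesar_shift` rotates by any key, and `rot13` is the key-13 case, which is its own inverse because two rotations of 13 add up to the 26-letter alphabet. Letters outside A–Z and a–z are passed through unchanged, an assumption made for the example.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def caesar_shift(text: str, key: int) -> str:
    """Rotate every letter by `key` positions (mod 26); non-letters pass through unchanged."""
    key %= 26
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + key) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is a Caesar shift with key 13."""
    return caesar_shift(text, 13)


def rot13_is_involution(text: str) -> bool:
    """Encrypting twice returns the plaintext: 13 + 13 = 26, a full trip around the alphabet."""
    return rot13(rot13(text)) == text


if __name__ == "__main__":
    msg = "Hello, World!"
    print(rot13(msg))                 # Uryyb, Jbeyq!
    print(rot13(rot13(msg)))          # Hello, World!
    print(rot13_is_involution(msg))   # True
```

Note that the decryption step in the entry is the same operation as encryption; for any other Caesar key the decryption shift is the negative key, which `caesar_shift` also accepts.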

RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare with RTO.

RSA—Rivest, Shamir, and Adleman. An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman. RSA uses both a public key and a private key in a matched pair.

RSTP—Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports of a switch are connected together.

RTO—Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

RTOS—Real-time operating system. An operating system that reacts to input within a specific time. Many embedded systems include an RTOS.

S

SaaS—Software as a Service. A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS and XaaS.

SAML—Security Assertions Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

SAN—Storage Area Network. A specialized network of high-speed storage devices.

SCADA—Supervisory control and data acquisition. A system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.

SCP—Secure Copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses TCP port 22.

SDN—Software defined network. A method of using software and virtualization technologies to replace hardware routers. SDNs separate the data and control planes.

SDV—Software-defined visibility. Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.

SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive. Compare with FDE.

SELinux—Security-Enhanced Linux. An operating system platform that prevents malicious or suspicious code from executing on both Linux and Unix systems. It is one of the few operating systems that use the MAC model. Enforcing mode will enforce the SELinux policy and ignore permissions. Permissive mode does not enforce the SELinux policy but instead logs any access that would normally be blocked. Disabled mode does not enforce the SELinux policy and does not log anything related to the policy.

SFTP—SSH File Transfer Protocol. An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.

SHA—Secure Hash Algorithm. A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 has four versions (SHA-256, SHA-512, SHA-224, and SHA-384). SHA-3 (previously known as Keccak) was selected as the next version after a public competition.

shadow IT—Shadow information technology. Shadow IT refers to unauthorized systems or applications installed on a network. Users sometimes install systems without approval, often to bypass security controls. Shadow IT increases risks because these systems aren’t managed.

SIEM—Security information and event management. A system that provides a centralized solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs.

SIM—Subscriber Identity Module. A small card that contains programming and information for mobile devices, such as cell phones. The SIM card identifies what countries or networks the device will use.

SLA—Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers (ISPs).

SLE—Single loss expectancy. The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with ALE and ARO.

S/MIME—Secure/Multipurpose Internet Mail Extensions. Used to secure email. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.

SMS—Short Message Service. A basic text messaging service. Most mobile devices support SMS. Compare with Multimedia Message Service and Rich Communication Services.

SMTP—Simple Mail Transfer Protocol. Used to transfer email between clients and servers and between email servers and other email servers. SMTP uses TCP port 25.

SNMPv3—Simple Network Management Protocol version 3. Used to manage and monitor network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.

SOAR—Secure Orchestration, Automation, and Response. Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.

SoC—System on chip. An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC.

SPIM—Spam over Internet Messaging. A form of spam using instant messaging. SPIM targets instant messaging users.

SPOF—Single point of failure. Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.

SQL—Structured Query Language. Used by SQL-based databases, such as Microsoft SQL Server. Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.
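
The input-handling point in the SQL entry, as an added example written for this glossary (not code from the study guide). It uses Python's built-in `sqlite3` module with a small constructed table; the table name, rows and the two lookup functions are assumptions for the example. The unsafe function is kept only to show what the parameterized one prevents.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the input is pasted into the SQL text, so quotes in it change the query's structure."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the driver binds the value separately; it is only ever compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A legitimate name containing a quote breaks the unsafe query but is fine when bound.
    print(find_user_safe(db, "O'Brien"))   # []
    try:
        find_user_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe query failed:", exc)
```

Parameter binding (a prepared statement with `?` placeholders) is the mechanism behind the entry's advice; it works alongside input validation rather than replacing it, since validation still bounds what values the application accepts.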

SRTP—Secure Real-time Transport Protocol. A protocol used to encrypt and provide authentication for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.

SSD—Solid state drive. A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.

SSH—Secure Shell. A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure alternative than Telnet when connecting to remote servers.

SSID—Service Set Identifier. The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it with a wireless sniffer. It’s recommended to change the SSID from the default name.

SSL—Secure Sockets Layer. The predecessor to TLS. SSL was used to encrypt data in transit with the use of certificates but is deprecated now.

SSO—Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

STP—Spanning Tree Protocol. Protocol enabled on most switches that protects against switching loops. A switching loop is caused when two ports of a switch are connected together.

SYN—Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this packet, but don’t complete the handshake after receiving the SYN/ACK packet.

T

TACACS+—Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and is used as an alternative to RADIUS. TACACS+ uses TCP port 49. It encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.

TCO—Total cost of ownership. A factor considered when purchasing new products and services. TCO attempts to identify the cost of a product or service over its lifetime.

TCP—Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake. Compare with UDP.

TCP/IP—Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols used on the Internet and most internal networks.

TFTP—Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

TGT—Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped tickets that expire after a certain time period.

TLS—Transport Layer Security. Used to encrypt data in transit. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAP-TTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.

TOTP—Time-based One-Time Password. An open standard used for creating one-time passwords. TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP.

TPM—Trusted Platform Module. A hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM provides full disk encryption. Compare with HSM.

U

UAVs—Unmanned aerial vehicles. Flying vehicles piloted by remote control or onboard computers.

UDP—User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism. Compare with TCP.

UEFI—Unified Extensible Firmware Interface. A method used to boot some systems and intended to replace Basic Input/Output System (BIOS) firmware. Compare with BIOS.

UPS—Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time to shut down smoothly or transfer to generator power. Generators provide long-term power in extended outages.

URI—Uniform Resource Identifier. Used to identify the name of a resource and always includes the protocol such as http://GetCertifiedGetAhead.com.

URL—Uniform Resource Locator. A type of URI. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are allowed.

URL hijacking—Uniform Resource Locator hijacking. The purchase of a domain name that is close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called typo squatting.

URL redirection—Uniform Resource Locator redirection. A technique used to redirect traffic to a different page or a different site.

USB—Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash drives, and external hard disk drives. Data on USB drives can be protected against loss of confidentiality with encryption. Attackers have spread malware through Trojans. USB On-The-Go (OTG) is a cable used to connect mobile devices to other devices. It is one of many methods that you can use to connect a mobile device to external media.

UTM—Unified threat management. A security appliance that combines multiple security controls into a single solution. UTM appliances can inspect data streams for malicious content and often include URL filtering, malware inspection, and content inspection components.

V

VDI—Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops from desktop PCs or mobile devices.

VLAN—Virtual local area network. A method of segmenting traffic. A VLAN can logically group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.

VM—Virtual machine. A virtual system hosted on a physical system. A physical server can host multiple VMs as servers. Virtualization helps reduce the amount of physical equipment required, reducing overall physical security requirements such as HVAC and power.

VM escape—Virtual machine escape. An attack that allows an attacker to access the host system from within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches. Compare with virtual machine sprawl.

VM sprawl—Virtual machine sprawl. A vulnerability that occurs when an organization has VMs that aren’t properly managed. Unmanaged VMs are not kept up to date with current patches. Compare with virtual machine escape.

VoIP—Voice over IP. A group of technologies used to transmit voice over IP networks. Vishing is a form of phishing that sometimes uses VoIP.

VPN—Virtual private network. Provides access to a private network over a public network such as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs.

W

WAF—Web application firewall. A firewall specifically designed to protect a web application. A WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-site scripting attack, and block it.

WAP—Wireless access point. A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).

WPA—WiFi Protected Access. A legacy wireless security protocol. WPA2 and WPA3 have superseded WPA.

WPA2—WiFi Protected Access 2. Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.

WPA3—WiFi Protected Access 3. Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange.

WPS—WiFi Protected Setup. Allows users to easily configure a wireless network, often by using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2.

WPS attack—An attack against an AP. A WiFi Protected Setup (WPS) attack discovers the eight-digit WPS PIN and uses it to discover the AP passphrase. WPA3 is resistant to WPS attacks.

X

XaaS—Anything as a Service. A cloud computing model. XaaS refers to any cloud computing model not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS.

XML—Extensible Markup Language. A language used by many databases for inputting or exporting data. XML uses formatting rules to describe the data.

XSRF—Cross-site request forgery. A web application attack. Attackers use XSRF attacks to trick users into performing actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.

XSS—Cross-site scripting. A web application vulnerability that allows attackers to inject scripts into webpages. Attackers use XSS to capture user information such as cookies. Input validation techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting.