Glossary

accounting

The tracking of users' access to resources primarily for billing purposes.



active detection

Involves some action taken by the intrusion-detection system in response to a suspicious activity or an intrusion (in essence, it is reactive detection).



algorithm

A set of sequenced steps that are repeatable. In encryption, the algorithm is used to define how the encryption is applied to data.



asset

A company resource that has value.



asymmetric algorithms

A pair of key values, one public and the other private, used to encrypt and decrypt data. Only the holder of the private key can decrypt data encrypted with the public key, which means anyone who obtains a copy of the public key can send data to the private key holder in confidence. Only data encrypted with the private key can be decrypted with the public key; this provides proof of identity, ensures nonrepudiation, and provides the basis for digital signatures.



attribute certificate

A digital certificate that binds data items to a user or system by using a name or public key certificate.



auditing

The tracking of users' access to resources primarily for security purposes.



authenticated header (AH)

A component of the IPSec protocol that provides integrity, authentication, and anti-replay capabilities.



authentication

The process of identifying users.



authorization

The process of identifying what a given user is allowed to do.



availability

Ensures any necessary data is available when it is requested.



back door

A method of gaining access to a system or resource that bypasses normal authentication or access control methods.



biometrics

Authentication based on some part of the human anatomy (retina, fingerprint, voice, and so on).



block cipher

Transforms a message from plaintext (unencrypted form) to ciphertext (encrypted form) one piece at a time, where the block size represents a standard chunk of data that is transformed in a single operation. Block ciphers also normally take prior encryption activity into account (called block chaining or feedback modes) to further strengthen the encryption they provide. (Adapted from www.counterpane.com/crypto-gram-0001.html.)



business continuity plan

A plan that describes a long-term systems and services replacement and recovery strategy, designed for use when a complete loss of facilities occurs. A business continuity plan prepares for automatic failover of critical services to redundant offsite systems.



centralized key management

Involves a Certificate Authority generating both public and private key pairs for a user and then distributing them to the user.



certificate

Also known as a digital certificate, a certificate represents a unique way of establishing user identity and credentials to enable the conducting of business or other transactions online. Generally, digital certificates originate from a Certificate Authority (CA), which can be private (such as when a company or organization creates its own CAs) or public (such as when an individual, a company, or an organization obtains a digital certificate from a public CA such as those operated by GE or VeriSign). Typically, a digital certificate contains the holder's name, a serial number, expiration dates, a copy of the holder's public key (which can then be used to encrypt messages), and a digital certificate from the issuing authority to demonstrate its validity. Some digital certificates conform to the X.509 standard; numerous public registries of such certificates are maintained on the Internet and act as clearinghouses for such information.



Certificate Authority (CA)

A system that issues, distributes, and maintains currency information about digital certificates. Such authorities can be private (operated within a company or an organization for its own use) or public (operated on the Internet for general public access).



Certificate Enrollment Protocol (CEP)

A proprietary Cisco protocol that allows Cisco IOS-based routers to communicate with Certificate Authorities.



Certificate Management Protocol (CMP)

A protocol used for advanced PKI management functions. These functions include certificate issuance, exchange, invalidation, revocation, and key commission.



certificate policy

A statement that governs the usage of digital certificates.



Certificate Practice Statement (CPS)

A document that defines the practices and procedures a CA uses to manage the digital certificates it issues.



certificate revocation

The act of invalidating a digital certificate.



Certificate Revocation List (CRL)

A list generated by a CA that enumerates digital certificates that are no longer valid and the reasons they are no longer valid.



certificate suspension

The act of temporarily invalidating a certificate while its validity is being verified.



chain of custody

The documentation of all transfers of evidence from one person to another, showing the date, time, and reason for transfer, as well as the signatures of both parties involved in the transfer. Chain of custody also refers to the process of tracking evidence from a crime scene to the courtroom.



change management

A formal engineering discipline, change management describes the well-documented process for tracking and controlling changes to systems, as well as their design data and documentation, through agreed-upon procedures and timelines. In security, this term indicates that a formal process to schedule, implement, track, and document changes to policies, configurations, systems, and software is employed in an organization.



Challenge Handshake Authentication Protocol (CHAP)

A widely used authentication method in which a hashed version of a user's password is transmitted during the authentication process (instead of sending the password itself). Using CHAP, a remote access server transmits a challenge string, to which the client responds with a message digest (MD5) hash based on the challenge string and the user's password. Upon receipt, the remote access server repeats the same calculation and compares that value to the value it was sent; if the two values match, the client credentials are deemed authentic. CHAP was created for use with dial-up networking and is commonly used with PPP-encapsulated Windows remote access services. (Adapted from www.microsoft.com/technet/prodtechnol/winxppro/proddocs/auth_chap.asp.)



cipher

A method for encrypting text. The term cipher is also used to refer to an encrypted message (although the term ciphertext is preferred).



code escrow

The process of placing application source code in the care of some trusted third party. In the event of a disagreement, the dissolution of the development company, or a failure to perform on the part of the software programmers, the code can be released to the purchasing company.



code of ethics

A formal list of rules governing personal and professional behavior that is adopted by a group of individuals or organizations. Many security certifications, including Security+, require their holders to adhere to a code of ethics that's designed to foster ethical and legal behavior and discourage unethical or illegal behavior.



cold site

A remote site that has electricity, plumbing, and heating installed, ready for use when enacting disaster recovery or business continuity plans. At a cold site, all other equipment, systems, and configurations are supplied by the company enacting the plan; therefore, basic facilities that are ready to receive necessary systems and equipment are the hallmarks of a cold site.



confidentiality

Involves a rigorous set of controls and classifications associated with sensitive information to ensure that such information is neither intentionally nor unintentionally disclosed.



cross-certification

When two or more CAs choose to trust each other and issue credentials on each other's behalf.



cryptographic module

Any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques, and random number generation.



decentralized key management

Key management that occurs when a user generates a public and private key pair and then submits the public key to a Certificate Authority for validation and signature.



degaussing

A method of removing recorded magnetic fields from magnetic storage media by applying strong cyclic magnetic pulses, thereby erasing the content and making the media unreadable.



demilitarized zone (DMZ)

Also called the free-trade zone or neutral zone, a DMZ is an area in a network that allows limited and controlled access from the public Internet. A DMZ often hosts a corporation's Web and File Transfer Protocol (FTP) sites, email, external Domain Name Service (DNS) servers, and the like. The network segment for a DMZ usually sits between an internal corporate network and the public Internet, with firewalls on either side. Also, the border router (which defines the boundary between what a corporation or organization controls and the public Internet) normally sits between the DMZ and the public Internet, with a corporate or organizational firewall between the DMZ and internal network segments.



denial of service and distributed denial of service (DoS/DDoS)

A type of attack that denies legitimate users access to a server or services by consuming sufficient system resources or network bandwidth or by rendering a service unavailable. The difference between a DoS and a DDoS attack is in the point(s) of origination: A DoS attack typically originates from a single system, whereas a DDoS attack originates from multiple systems simultaneously (thereby causing even more extreme consumption of bandwidth and other resources).



dictionary attack

An attack in which software is used to compare hashed data, such as a password, to a word in a hashed dictionary. This is repeated until matches are found in the hash, with the goal being to match the password exactly to determine the original password that was used as the basis of the hash.



digital certificate

A formatted document that includes the user's public key as well as the digital signature of the Certificate Authority (CA) that has authenticated her. The digital certificate can also contain information about the user, the CA, and attributes that define what the user is allowed to do with systems she accesses using the digital certificate.



digital signature

A hash encrypted with the sender's private key that proves user identity and the authenticity of the message. Signatures do not encrypt the contents of an entire message. Also, in the context of certificates, a digital signature uses data to provide an electronic signature that authenticates the identity of the original sender of the message or data.



disaster recovery plan (DRP)

A plan outlining actions to be taken in case a business is hit with a natural or manmade disaster.



Discretionary Access Control (DAC)

A distributed security method that allows users to set permissions on a per-object basis. The NTFS permissions used in Windows NT, 2000, and XP/.NET use DAC.



distributed computing

A procedure in which multiple computers are networked and common sections of a larger task are distributed among the members of the group so that the larger task is completed more quickly.



dry-pipe fire suppression

A sprinkler system with pressurized air in the pipes. If a fire starts, there is a slight delay as the pipes fill with water. This system is used in areas where wet-pipe systems might freeze.



due care

Assurance that the necessary steps are followed to satisfy a specific requirement, which can be an internal or external requirement, as in an agency regulation.



electromagnetic emanation (EME)

A condition of electronic equipment in which electrons leak from cables and the equipment itself. These emanations can possibly be picked up and reconstructed.



Elliptic Curve Cryptography (ECC)

A method in which elliptic curve equations are used to calculate encryption keys for use in general-purpose encryption.



encryption algorithm

A mathematical formula or method used to scramble information before it is transmitted over unsecure media. Examples include RSA, DH, IDEA, Blowfish, MD5, and DSS/DSA.



environment

The physical conditions that affect and influence growth, development, and survival. Used in the security field to describe the surrounding conditions of an area to be protected.



escalation

The upward movement of privileges when using network resources or exercising rights (such as moving from read permissions to write).



evidence

Any hardware, software, or data that can be used to prove the identity and actions of an attacker.



Extensible Markup Language (XML)

Like HTML, this flexible markup language is based on standards from the World Wide Web Consortium at www.w3.org. Unlike HTML, XML can be used to generate standard or fully customized content-rich Web pages, documents, and applications. XML is used to provide widely accessible services and data to end users, exchange data among applications, and capture and represent data in a large variety of custom and standard formats. Numerous standard XML applications are security related, including the Security Assertion Markup Language (SAML), XML Signatures, XML Encryption, various XML key-handling applications, and the Extensible Access Control Markup Language (XACML). See xml.coverpages.org for more information on this topic and related standards.



extranet

A special internetwork architecture wherein a company's or organization's external partners and customers are granted access to some parts of its intranet and the services it provides in a secure, controlled fashion.



Faraday cage

A metal enclosure used to conduct stray EMEs (electromagnetic emissions) to ground, thereby eliminating signal leakage and the ability of external monitors or detectors to "read" network or computer activity. A Faraday cage can be very small or encompass an entire building, and it is generally used only when security concerns are extremely high (as in national defense, classified areas, or highly sensitive commercial environments).



Federal Information Processing Standard (FIPS)

A standard created by the United States government for the evaluation of cryptographic modules. It consists of four levels that escalate in their requirement for higher security levels.



firewall

A hardware device or software application designed to filter incoming or outgoing traffic based on predefined rules and patterns. Firewalls can filter traffic based on protocol uses, source or destination addresses, and port addresses, and they can even apply state-based rules to block unwanted activities or transactions. For an excellent source of information on this topic, see Matt Curtin and Marcus Ranum's Internet Firewalls FAQ at www.interhack.net/pubs/fwfaq.



forensics

As related to security, forensics is the process of analyzing and investigating a computer crime scene after an attack has occurred and of reconstructing the sequence of events and activities involved in such an attack.



guideline

Specific information on how standards should be implemented. A guideline is generally not mandatory, thus acting as a kind of flexible rule used to produce a desired behavior or action. A guideline allows freedom of choice on how to achieve the behavior.



hash value

The resultant output or data generated from an encryption hash when applied to a specific set of data. If computed and passed as part of an incoming message and then recomputed upon message receipt, such a hash value can be used to verify the received data when the two hash values match.



hashing

A methodology used to calculate a short, secret value from a data set of any size (usually for an entire message or for individual transmission units). This secret value is recalculated independently on the receiving end and compared to the submitted value to verify the sender's identity.



honeypot

A decoy system designed to attract hackers. A honeypot usually has all its logging and tracing enabled, and its security level is lowered on purpose. Likewise, such systems often include deliberate lures or bait, in hopes of attracting would-be attackers who think there are valuable items to be attained on these systems.



hot site

A site that is immediately available for occupation if an emergency arises. It typically has all the necessary hardware and software loaded and is available 24/7.



incident

Any violation, or threatened violation, of a security policy.



incident response

A clear action plan on what each response team member needs to do and when it has to be done in the event of an emergency or a security incident.



integrity

Involves a monitoring and management system that performs integrity checks and protects systems from unauthorized modifications to data, system, and application files. Normally, performing such checks requires access to a prior scan or original versions of the various files involved. When applied to messages or data in transit, integrity checks rely on calculating hash or digest values before and after transmission to ensure nothing changed between the time the data was sent and the time it was received.



Internet Key Exchange (IKE)

A method used in the IPSec protocol suite for public key exchange, security association parameter negotiation, identification, and authentication.



intranet

A portion of the Information Technology infrastructure that belongs to and is controlled by the company in question.



intrusion-detection system (IDS)

A sophisticated network-protection system designed to detect attacks in progress but not to prevent potential attacks from occurring (although many IDSs can trace attacks back to an apparent source; some can even automatically notify all hosts through which attack traffic passes that they are forwarding such traffic). IDSs can be used to monitor network communication patterns networkwide (in which case, they're called network intrusion-detection systems, or NIDSs) or on a per-host basis (in which case, they're called host intrusion-detection systems, or HIDSs). IDSs are equally good at detecting internal intrusions or attacks as they are external ones.



IP Security (IPSec)

Used for encryption of TCP/IP traffic, IP Security provides security extensions to the version of TCP/IP known as IPv4. IPSec defines mechanisms to negotiate encryption between pairs of hosts that want to communicate with one another at the Internet Protocol (IP) layer and can therefore handle all host-to-host traffic between pairs of machines. IPSec manages special relationships between pairs of machines, called security associations, and these govern which types of IPSec protocols are used, which types of keys are used, how they're exchanged, and how long such keys and security associations can last. For a good IPSec overview, visit www.networkmagazine.com/article/DCM20000509S0082; for information about IPSec RFCs and standards, see www.ietf.org/html.charters/ipsec-charter.html.



Kerberos

A specific type of authentication developed at MIT, Kerberos takes its name from the three-headed beast that guards the gates of Hell in Greek mythology. Kerberos defines a set of authentication services, as defined in RFC 1510, and includes three protocols of particular importance: (1) the Authentication Service (AS) Exchange protocol, which enables a key distribution center (KDC) to grant clients a logon session key and the ticket-granting ticket (TGT) used to access other services Kerberos controls; (2) the Ticket-Granting Service (TGS) Exchange protocol, used to distribute service session keys and tickets for such services; and (3) the Client/Server (CS) Exchange protocol, which clients use to send a ticket to request a ticket for access to some specific service. For a good overview of Kerberos and a description of how Kerberos works with Windows, look up Knowledge Base Article Q217098 at www.microsoft.com/technet.



key escrow

Key escrow is a policy in which the Certificate Authority retains a copy of the private key it generates for the user for future use. This is most often used to allow an organization to access data that was encrypted by an employee using the private key.



key exchange

A technique in which a pair of keys is generated and then exchanged between two systems (typically a client and server) over a network connection to allow a secure connection to be established between them.



Layer 2 Tunneling Protocol (L2TP)

A technology used with VPN to establish a communication tunnel between communicating parties over unsecure media. L2TP permits a single logical connection to transport multiple protocols between a pair of hosts. L2TP is a member of the TCP/IP protocol suite and is defined in RFC 2661; a framework for creating Virtual Private Networks that uses L2TP appears in RFC 2764.



Lightweight Directory Access Protocol (LDAP)

A TCP/IP protocol that allows client systems to access directory services and related data. Examples of services that work with LDAP include the Windows 2000 Active Directory and Novell Directory Services (NDS), but LDAP works with any X.500-compliant directory service. In most cases, LDAP is used as part of management or other applications or in browsers to access directory services information. LDAP is defined in RFCs 1777 and 2559; numerous other RFCs address specific aspects of LDAP behavior or capabilities or define best practices for its use.



logic bomb

A piece of software designed to do damage at a predetermined point in time or in response to some type of condition (for example, "disk is 95 percent full") or event (for example, some particular account logs in or some value the system tracks exceeds a certain threshold).



M of N Control

The process of backing up private key material across multiple systems or devices.



man in the middle

An attack in which a hacker attempts to intercept data in a network stream and then inserts her own data into the communication with the goal of disrupting or taking over communications. The term itself is derived from the insertion of a third party, the proverbial "man in the middle," between two parties engaged in communications.



Mandatory Access Control (MAC)

A centralized security method that doesn't allow users to change permissions on objects.



mantrap

A two-door configuration in a building or office that can lock unwanted individuals in a secured area, preventing them from entering other areas or even from exiting wherever it is they're being held.



message

The content and format a sender chooses to use to communicate with some receiver across a network, an intranet, an extranet, or the Internet.



message digest

The output of an encryption hash that's applied to some fixed-size chunk of data. A message digest provides a profound integrity check because even a change to one bit in the target data also changes the resulting digest value. This explains why digests are included so often in network transmissions.



mutual authentication

A situation in which a client provides authentication information to establish identity and related access permissions with a server and in which a server also provides authentication information to the client to ensure that illicit servers cannot masquerade as genuine servers.



Network Address Translation (NAT)

TCP/IP protocol technology that maps internal IP addresses to one or more external IP addresses through a NAT server of some type. NAT enables the conservation of public IP address space by mapping private IP addresses used in an internal LAN to one or more external public IP addresses to communicate with the external world. NAT also provides address-hiding services (thereby denying outsiders access to "real" or private internal IP addresses), thus adding both security and simplicity to network addressing.



Online Certificate Status Protocol (OCSP)

A protocol defined by the IETF that is used to validate digital certificates issued by a CA.



passive detection

A method of intrusion detection that has an IDS present in the network in a silent fashion; it does not interfere with communications in progress.



pattern matching

A network-analysis method that uses a central box on the network. This approach compares each individual packet against a database of signatures (formats of packets known to be dangerous, offensive, or recognizable as parts of known attacks or vulnerability exploits). The inherent weakness in this method is that such patterns must be known (and definitions in place) before they can be used to recognize attacks or exploits. Therefore, similar to virus signature files, attack pattern files (also called signatures) must be present to be useful.



plenum

The space in a building between a false (drop) ceiling and the true ceiling or roof above. The plenum is typically used to run light fixtures and wiring, but it's also defined as a return air space in most building codes (which is why the coating on cables run through such space must be fire retardant and nontoxic when burned).



Point-to-Point Tunneling Protocol (PPTP)

A TCP/IP technology used to create Virtual Private Network (VPN) or remote access links between sites (usually from one server to another) or for remote access (usually from a remote client to a local communications server). PPTP is the work of a vendor group that includes Microsoft, 3Com, and Copper Mountain Networks. It is generally regarded as less secure than L2TP and is used less frequently for that reason. PPTP is described in RFC 2637.



policy

A broad statement of views and positions. A policy states high-level intent with respect to a specific area of security and is more properly called a security policy. Security policies typically address how passwords are to be constructed and used, how various classes of data should be classified, which access controls apply, and which job roles can be granted remote access to a network. The formulation of a security policy generally occurs after a risk analysis has been performed, represents an organization's formal attempts to describe how security works, and is applied in its IT systems and services.



Pretty Good Privacy (PGP)

A shareware encryption technology for communications that utilizes both public and private encryption technologies to speed up encryption without compromising security. Also available in commercial product form, PGP products offer personal and enterprise-level encryption services of many kinds; visit www.pgp.com for more information.



private key

A piece of data generated by an asymmetric algorithm that's used by the host to encrypt data. A matching public key can be used to decrypt data encrypted with the private key; this technique makes digital signatures and nonrepudiation possible. Likewise, anyone with access to the public key can encrypt data that only the private key holder can decrypt and read; this technique enables you to send information over public networks that only a designated recipient can read.



privilege management

The process of controlling users and their capabilities on a network.



probability

Used in risk assessment, probability measures the likelihood or chance that a threat will actually exploit some vulnerability.



procedure

A procedure specifies how policies will be put into practice in an environment (that is, it provides necessary how-to instructions).



Public Branch Exchange (PBX)

A telephone switch used on a company's or organization's premises to create a local telephone network. Using a PBX obviates the need to order numerous individual phone lines from a telephone company and permits PBX owners to offer advanced telephony features and functions to their users.



public key

A piece of data generated by an asymmetric algorithm distributed to the public for general use. Access to a public key provides tangible evidence of the identity of the corresponding private key holder because it can be used to decrypt information that only the private key holder can encrypt. Equally important, a public key can be used to encrypt information that only the private key holder can decrypt, thereby permitting messages to remain confidential and unreadable to any other user who does not possess a copy of the recipient's private key.



Public Key Infrastructure (PKI)

A paradigm that encompasses Certificate Authorities and X.509 certificates used with public encryption algorithms to distribute, manage, issue, and revoke public keys. Of course, such a system also includes mechanisms to manage corresponding private keys for individual key holders. Public Key Infrastructures typically also include registration authorities to issue and validate requests for digital certificates, a certificate-management system of some type, and a directory in which certificates are stored and can be accessed. Together, all these elements make up a PKI.



receiver

The party that receives a message from its sender.



Remote Authentication Dial-In User Services (RADIUS)

An Internet protocol, described in RFC 2138, used for remote access services. It conveys user authentication and configuration data between a centralized authentication server (also called a RADIUS server) and a remote access server (RADIUS client) to permit the remote access server to authenticate requests to use its network access ports. Users present the remote access server (RADIUS client) with credentials, which are in turn passed to the RADIUS server for authentication. If a user's access request is granted, the RADIUS server provides authorization and configuration information that the remote access server uses to establish a connection with that user; if a user's access request is denied, the connection with that user is terminated. In many ways, RADIUS offers a basic alternative to TACACS+, the Terminal Access Controller Access Control System described in RFC 1492.



replay

An attack that involves capturing valid traffic from a network and then retransmitting that traffic at a later time to gain unauthorized access to systems and resources.



risk

The potential that a threat might exploit some vulnerability.



role

A defined behavior for a user or group of users based on some specific activity or responsibilities (for example, a tape backup administrator is usually permitted to back up all files on one or more systems; that person might or might not be allowed to restore such files, depending on the local security policies in effect).



Role-Based Access Control (RBAC)

A security method that combines both MAC and DAC. RBAC uses profiles. Profiles are defined for specific roles within a company and then users are assigned to such roles. This facilitates administration in a large group of users because when you modify a role and assign it new permissions, those settings are automatically conveyed to all users assigned to that role.



rollback

A process used to undo changes or transactions when they do not complete, when they are suspected of being invalid or unwanted, or when they cause problems.



round

A selection of encrypted data that is split into two or more blocks of data. Each block of data is then run through an encryption algorithm that applies an encryption key to each block of data individually, rather than applying encryption to the entire selection of data in a single operation.



router

A device that connects multiple network segments and routes packets between them. Hardware routers run proprietary configurable software, and network operating systems often include routing functionality as well. Routers split broadcast domains.



Secure Hypertext Transfer Protocol (HTTPS or S-HTTP)

An Internet protocol that encrypts individual messages used for Web communications rather than establishing a secure channel, like in SSL/TLS. S-HTTP supports choices among multiple security policies, various key-management techniques, and encryption algorithms through a per-transaction negotiation mechanism.



Secure Multipurpose Internet Mail Extensions (S/MIME)

An Internet protocol governed by RFC 2633 and used to secure email communications through encryption and digital signatures for authentication. It generally works with PKI to validate digital signatures and related digital certificates.



Secure Shell (SSH)

A protocol designed to support secure remote login, along with secure access to other services across an unsecure network (for example, inherently unsecure services such as Telnet and FTP may be nevertheless used when those protocols are tunneled within a Secure Shell session). SSH includes a secure Transport layer protocol that provides server authentication, confidentiality (encryption), and integrity (message digest functions), along with a user-authentication protocol and a connection protocol that runs on top of the user-authentication protocol.



Secure Sockets Layer (SSL)

An Internet protocol originally created at Netscape Corporation that uses connection-oriented, end-to-end encryption to ensure that client/server communications are confidential (encrypted) and meet integrity constraints (message digests). SSL operates between the HTTP Application layer protocol and a reliable Transport layer protocol (usually TCP). Because SSL is independent of the Application layer, any application protocol can work with SSL transparently. SSL can also work with a secure Transport layer protocol, which is why the term SSL/TLS appears frequently.

See also [Transport Layer Security]


Security Association (SA)

A method in IPSec that accounts for individual security settings for IPSec data transmission.



security baseline

Defined in a company's or organization's security policy, a security baseline is a specific set of security-related modifications to and patches and settings for systems and services in use that underpins technical implementation of security.



sender

The party that originates a message.



sequence number

A counting mechanism in IPSec that increases incrementally each time a packet is transmitted in an IPSec communication path. It protects the receiver from replay attacks.
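How a sequence number actually defeats the replay attack defined earlier in this glossary: the receiver keeps a sliding window over recently seen numbers and rejects any packet whose number has already been accepted or has fallen behind the window. The following is an added illustration in the style of the IPSec anti-replay window (RFC 2401 recommends a window of at least 32 entries, 64 by default); it is not code from the book or from any IPSec implementation, and the sample sequence of packet numbers is constructed.

```python
"""Receiver-side anti-replay window in the style of IPsec (added illustration,
not from the book).  Each packet carries a monotonically increasing sequence
number; the receiver remembers the highest number accepted and a bitmap of
which numbers just below it have already arrived, so a captured packet that is
retransmitted later is recognised and dropped.
"""

WINDOW_SIZE = 64  # RFC 2401: window of at least 32, 64 by default


class AntiReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0  # highest accepted sequence number (IPsec numbering starts at 1)
        self.bitmap = 0   # bit i set => sequence number (highest - i) was already accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window,
        False if it is a duplicate (replay) or too old to judge.

        In a real implementation the packet's integrity check (the AH/ESP MAC)
        must pass *before* this update, so that forged packets cannot advance
        the window and cause legitimate traffic to be discarded.
        """
        if seq <= 0:
            return False
        if seq > self.highest:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                      # everything old falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                             # left of the window: too old, drop
        if (self.bitmap >> offset) & 1:
            return False                             # already accepted: this is a replay
        self.bitmap |= 1 << offset                   # late but legitimate (reordered) packet
        return True


def process_sequence(seqs, size=WINDOW_SIZE):
    """Run a list of received sequence numbers through one window and return
    the accept/reject decision for each."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed sample: in-order packets, one replayed packet (2), a reordered
# packet (4 arriving after 5), an old replay (1), a large jump, and a packet
# that has fallen out of the window (36, when the window covers 37..100).
SAMPLE_SEQUENCE = [1, 2, 3, 2, 5, 4, 1, 100, 37, 36]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQUENCE, process_sequence(SAMPLE_SEQUENCE)):
        print(f"seq {seq:4d}: {'accept' if ok else 'drop'}")
```

The window, rather than a simple "must be greater than the last one" rule, is what lets the receiver tolerate packets reordered in transit while still refusing every duplicate; a counter that is checked but never widened would drop legitimate late packets on any lossy path.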



service-level agreement (SLA)

A contract between two companies or a company and individual that specifies, by contract, a level of service to be provided by one company to another. Supplying replacement equipment within 24 hours of loss of that equipment or related services is a simple example of an SLA.



shielded twisted pair (STP)

A form of twisted pair cabling that incorporates a metallic braid or foil shield in its construction, thereby making it more resistant to magnetic and radio interference (and also more expensive) than unshielded twisted pair cabling (UTP).



Simple Network Management Protocol (SNMP)

A UDP-based Application layer Internet protocol used for network management, SNMP is governed by RFCs 2570 and 2574. In conveying management information between management consoles (managers) and managed nodes (agents), SNMP implements configuration and event databases on managed nodes that can be configured to respond to interesting events by notifying network managers.



single sign-on (SSO)

The concept or process of using a single logon authority to grant users access to resources on a network regardless of what operating system or application is used to make or handle a request for access. The concept behind the term is that users need to authenticate only once and can then access any resources available on a network.



smartcard

A credit card-sized device that contains an embedded chip. On this chip, varying and multiple types of data can be stored, such as a driver's license number, medical information, passwords or other authentication data, and even bank account data.



sniffer

A hardware device or software program used to capture and analyze network data in real time. Because such a device can typically read and interpret all unencrypted traffic on the cable segment to which it is attached, it can be a powerful tool in any competent hacker's arsenal.



social engineering

The process of using human behavior to attack a network or gain access to resources that would otherwise be inaccessible. Social engineering is a term that emphasizes the well-known fact that poorly or improperly trained individuals can be persuaded, tricked, or coerced into giving up passwords, phone numbers, or other data that can lead to unauthorized system access, even when strong technical security measures can otherwise prevent such access. User education and well-documented policies (for example, stating that no passwords should ever be given by telephone under any circumstances) are the only remedies that can foil attacks based on this technique.



spoofing

A technique for generating network traffic that contains a different (and usually quite specific) source address from that of the machine actually generating the traffic. Spoofing is used for many reasons in attacks: It foils easy identification of the true source; it permits attackers to take advantage of existing trust relationships; and it deflects responses to attacks against some (usually innocent) third party or parties.



standard

This term is used in many ways. In some contexts, it refers to best practices for specific platforms, implementations, OS versions, and so forth. Some standards are mandatory and ensure uniform application of a technology across an organization. In other contexts, a standard might simply describe a well-defined rule used to produce a desired behavior or action. In this case, a standard sets out specific actions for achieving a desired behavior or result.



switch

A hardware device that manages multiple, simultaneous pairs of connections between communicating systems. In some cases, a switch is used as a network concentrator that splits traditionally flat network segments into dedicated communication links (microsegmentation). Likewise, switches split collision domains, but switches can also provide greater aggregate bandwidth between pairs or groups of communicating devices because each switched link normally gets exclusive access to available bandwidth. Therefore, switches often improve overall performance as well as provide logical network segmentation and collision domain management capabilities.



symmetric encryption

An encryption technique in which a single encryption key is generated and used to encrypt data. This data is then passed across a network. After that data arrives at the recipient device, the same key used to encrypt that data is used to decrypt it. This technique requires a secure way to share keys because both the sender and receiver use the same key (also called a shared secret because that key should be unknown to third parties).



TACACS+

An enhanced version of Terminal Access Controller Access Control System. Whereas TACACS+ is TCP based, the original TACACS is a UDP-based authentication and access control Internet protocol governed by RFC 1492. In either implementation, TACACS recognizes three classes of devices: a network access server, an authentication server, and a remote terminal from which access requests originate. When a client requests access, a remote terminal passes an identifier and a password (or other authentication data that might originate from a smartcard, a security token-passing device, a biometric device, or even a multifactor authentication system) to the remote access server. In turn, the remote access server passes that information to an authentication server for validation. If the authentication server validates the credentials, the request is allowed to proceed; if it does not, the access request is denied.



TCP/IP hijacking

A process used to steal an ongoing TCP/IP session for the purposes of attacking a target computer. Essentially, hijacking works by spoofing network traffic so it appears to originate from a single computer, when in actuality, it originates elsewhere. Hijacking also depends on guessing or matching packet sequence numbers or other data so that the other party in the communication doesn't realize another computer has taken over an active communications session.



TEMPEST

A code word used by the United States government to describe a set of standards and specifications for reducing emanations from electronic equipment, thereby reducing vulnerability to eavesdropping. This term is sometimes (and incorrectly) expanded as an acronym for "test for electromagnetic propagation and evaluation for secure transmissions" or "telecommunications electronics material protected from emanating spurious transmissions," but this terminology is apocryphal or historical rather than real (visit www.acronymfinder.com for more information). Although this term has military origins, it is now used mostly in civilian circles; in military nomenclature, the replacement term is EMSEC (an abbreviation for emissions security). Whatever source one might seek for this term, it always refers to limiting leakage of electronic signals from equipment to stop their unwanted monitoring.



threat

A danger to a computer network or system (for example, a hacker or virus represents a threat).



token

Also known as a security token, this is a hardware- or software-based system used for authentication wherein two or more sets of matched devices or software generate matching random passwords with a high degree of complexity. Thus, a token-based security device presents a complex password or security token that is difficult to guess within a short period of time. Then, it enhances that security by changing the token on a regularly scheduled basis to limit the size of any data set encrypted with a single password or token. Finally, because token-based security systems also require their users to supply an additional password or personal identification number, such systems also qualify as two-factor authentication systems.
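A concrete instance of the matched token generators described above is the time-based one-time password (TOTP) of RFC 6238, built on HOTP (RFC 4226). The code below is an added example, not from the book: the token device and the verifying server share a secret seed and each derives the same short code from that seed and the current 30-second time step, so the value changes on schedule without the two ever communicating. The seed is the ASCII test seed from the RFC 6238 appendix; the drift tolerance (`skew`) and the standard library calls are the only other assumptions.

```python
"""Time-based one-time password (TOTP, RFC 6238) as a concrete instance of the
synchronised security token described above.  Added illustration, not from the
book; uses only the Python standard library.

The token device and the server share a secret seed.  Both derive the same
short code from that seed and the current 30-second time step, so the code
changes on a schedule without any communication between them.  A PIN or
password supplied alongside the code makes the login two-factor.
"""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per token value
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = TIME_STEP, digits: int = DIGITS, skew: int = 1) -> bool:
    """Server-side check.  Accepts the code for the current step and `skew`
    steps either side to tolerate clock drift between token and server; uses a
    constant-time comparison so the check leaks nothing about partial matches."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), candidate)
               for d in range(-skew, skew + 1))


# Seed taken from the RFC 6238 test vectors (ASCII "12345678901234567890").
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("current token value:", code, "valid:", verify_totp(DEMO_SEED, code, now))
```

Two points matter for a deployment: the seed is the whole secret, so the server must protect its copy as carefully as a password database, and a code should be accepted at most once per time step so that a value observed during login cannot be reused within the same 30-second window.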



Transport Layer Security (TLS, or sometimes TLSP)

An end-to-end encryption protocol originally specified in ISO Standard 10736 that provides security services as part of the Transport layer in a protocol stack. More commonly, however, TLS refers to an Internet protocol defined in RFC 2246 that is also called TLSP. Because this TLS is based on and similar to SSL version 3.0, it is really misnamed because it operates at the Application layer, not the Transport layer.



Trojan horse

Software that is hidden inside other software commonly used to infect systems with viruses, worms, or remote control software. Similar to the famous exploit that Odysseus perpetrated during the Trojan wars, a software Trojan horse represents itself as offering some type of capability or functionality when it also includes some means to destroy or take over systems on which it is installed.



unshielded twisted pair (UTP)

A type of cabling in which pairs of wires are twisted around one another to improve transmission and interference susceptibility characteristics. UTP is used extensively in wiring LANs.



virtual local area network (VLAN)

A software technology that allows for the grouping of network nodes connected to one or more network switches into a single logical network. By permitting logical aggregation of devices into virtual network segments, VLANs offer simplified user management and network resource access controls for switched networks.



Virtual Private Network (VPN)

A popular technology that supports reasonably secure, logical, private network links across some unsecure public network infrastructure, such as the Internet. VPNs reduce Public Switched Telephone Network (PSTN) costs by eliminating calls or requiring only local calls to be placed to an Internet service provider (ISP). VPNs are also more secure than traditional remote access because they can be encrypted. Finally, because VPNs support tunneling (the hiding of numerous types of protocols and sessions within a single host-to-host connection), they also support multiple connections that use the same wire.



virus

A piece of (usually) malicious code that's normally disguised as something legitimate or innocuous (for example, an email attachment that purports to be a picture or a document file) that causes unexpected or unwanted events to occur. The defining characteristic of a virus is that it spreads to other computers by design; although some viruses also damage the systems on which they reside, not all viruses inflict damage. Viruses can spread immediately upon reception or implement other unwanted actions, or they can lie dormant until a trigger in their code causes them to become active. Viruses usually belong to one of three classes: file infectors, which attach themselves to executable files of some type; system or boot sector infectors, which infect key system files or boot areas on hard disks or removable media; and macro viruses, which infect applications such as Microsoft Word to implement their actions. The hidden code a virus executes is called its payload.



vulnerability

A weakness in hardware or software that can be used to gain unauthorized or unwanted access to or information from a network or computer.



warm site

A backup site that has some of the equipment and infrastructure necessary for a business to begin operating at that location. Typically, companies or organizations bring their own computer systems and hardware to a warm site, but that site usually already includes a ready-to-use networking infrastructure and also might include reliable power, climate controls, lighting, and Internet access points.



wet-pipe fire suppression

A sprinkler system with pressurized water in its pipes. If a fire starts, the pipes release water immediately and offer the fastest and most effective means of water-based fire suppression.



Wired Equivalent Privacy (WEP)

A security protocol used in IEEE 802.11 wireless networking, WEP is designed to provide security equivalent to that found in regular wired networks. This is achieved by using basic symmetric encryption to protect data sent over wireless connections so that sniffing of wireless transmissions doesn't produce readable data and so that drive-by attackers cannot access a wireless LAN without additional effort and attacks.



Wireless Transport Layer Security (WTLS)

WTLS defines a security level for applications based on the Wireless Application Protocol (WAP). As its acronym indicates, WTLS is based on Transport layer security (TLS) but has been modified to work with the low-bandwidth, high-latency, and limited processing capabilities found in many wireless networking implementations. WTLS also provides authentication, data integrity, and confidentiality mechanisms, all based on encryption methods using shared 56- or 128-bit symmetric keys.



worm

A special type of virus designed primarily to reproduce and replicate itself on as many computer systems as possible, a worm does not normally alter files but rather remains resident in a computer's memory. Worms typically rely on access to operating system capabilities that are invisible to users. Often worms are detected by their side effects (unwanted consumption of system resources, diminished system performance, or reprioritization of normal system tasks) rather than by overt behavior. Antivirus software is a key ingredient in preventing infection from worms, as it is with other types of viruses.



X.500 directory

A standard that regulates global, distributed directory services databases, it's also known as a white pages directory (because lookup occurs by name, rather than by job role or other categorized information, as in a yellow pages type of system). For a detailed overview of X.500, search on that term at searchnetworking.techtarget.com.



X.509 digital certificate

A digital certificate that uniquely identifies a potential communications party or participant. Among other things, an X.509 digital certificate includes a party's name and public key, but it can also include organizational affiliation, service or access restrictions, and a host of other access- and security-related information.



XML Access Control Language (XACL)

An XML application that allows granular access controls within XML-generated Web pages, documents, or other XML-generated applications. XACL is designed to browse and update XML documents securely on a per-element basis. For more information on this topic, visit xml.coverpages.org and search on XACL.





Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162