Table of contents:
























802.11 standard

The generic name of a family of protocols and standards used for wireless networking. These standards define the rules for communication. Some, such as 802.11i, are relatively new, whereas others, such as 802.11a, have been established for sometime.


802.11i standard

An amendment to the 802.11 standard. 802.11i uses Wi-Fi Protected Access (WPA) and Advanced Encryption Standard (AES) as a replacement for RC4 encryption.


Acceptable use policy (AUP)

A policy that defines what employees, contractors, and third parties can and cannot do with the organization's IT infrastructure and its assets. AUPs are common for access to IT resources, systems, applications, Internet access, email access, and so on.


Access control lists

An access control list (ACL) is a table or list stored by a router to control access to and from a network by helping the device determine whether to forward or drop packets that are entering or exiting it.


Access creep

Access creep is the result of employees moving from one position to another within an organization without losing the privileges of the old position and at the same time gaining the additional access privileges of the new position. Therefore over time, the employee builds up much more access than he should have.


Access point spoofing

The act of pretending to be a legitimate access point with the purpose of tricking individuals to pass traffic by the fake connection so that it can be captured and analyzed.



The traceability of actions performed on a system to a specific system entity or user.


Active fingerprint

An active method of identifying the operating system (OS) of a targeted computer or device that involves injecting traffic into the network.


Activity blocker

Alerts the user to out of the ordinary or dangerous computer operations, but also it can block their activity.


Address resolution protocol (ARP)

Protocol used to map a known Internet Protocol (IP) address to an unknown physical address on the local network. As an example, IPv4 uses 32-bit addresses, whereas Ethernet uses 48-bit media access control (MAC) addresses. The ARP process is capable of taking the known IP address that is being passed down the stack and using it to resolve the unknown MAC address by means of a broadcast message. This information is helpful in an ARP cache.


Ad hoc mode

An individual wireless computer in ad hoc operation mode on a wireless LAN (WLAN) can communicate directly to other client units. No access point is required. Ad hoc operation is ideal for small networks of no more than two to four computers.



A software program that automatically forces pop-up windows of Internet marketing messages to users' browsers on their workstation devices Adware is different from spyware in that adware does not examine a user's individual browser usage and does not examine this information on a user's browser.



A mathematical procedure used for solving a problem. Used for the encryption and decryption of information and data.


Annualized loss expectancy (ALE)

The ALE is an annual expected financial loss to an organization's IT asset because of a particular threat being realized within that same calendar year. Single loss expectancy (SLE) x annualized rate of occurrence (ARO) = ALE.


Anomaly detection

A type of intrusion detection that looks at behaviors that are not normal or within standard activity. These unusual patterns are identified as suspicious. Anomaly detection has the capability of detecting all kinds of attacks, including ones that are unknown. Its vulnerability is that it can produce a high rate of false positives.



A virus infection type that places the virus code at the end of the infected file.



An evaluation and/or valuation of IT assets based on predefined measurement or evaluation criteria. This typically requires an accounting or auditing firm to conduct an assessment, such as a risk or vulnerability assessment.



Anything of value owned or possessed by an individual or business.


Asymmetric algorithm

Uses a pair of different, but related cryptographic keys to encrypt and decrypt data.



A professional examination and verification performed by either an independent party or internal team to examine a company's accounting documents and supporting data. Audits conform to a specific and formal methodology and specify how an investigation is to be conducted with specific reporting elements and metrics being examined (such as a financial audit according to Public Accounting and Auditing Guidelines and Procedures).



A method that enables you to identify someone. Authentication verifies the identity and legitimacy of the individual to access the system and its resources. Common authentication methods include passwords, tokens, and biometric systems.



The process of granting or denying access to a network resource based on the user's credentials.



Ensures that the systems responsible for delivering, storing, and processing data are available and accessible as needed by individuals who are authorized to use the resources.



A piece of software that allows access to a computer without using the conventional security procedures. Backdoors are often associated with Trojans.


Back orifice

A backdoor program that Trojans the end user and allows the attacker the ability to remotely control the system.



A coding process used to encode data in some email applications. Because it is not true encryption, it can be easily broken.



A consistent or established base that is used to build a minimum acceptable level of security.



A method of verifying a person's identify for authentication by analyzing a unique physical attribute of the individual, such as a fingerprint, retinal scanning, or palm print.


Blackbox testing

The form of testing occurs when the tester has no knowledge of the target or its network structure.


Block cipher

An encryption scheme in which the data is divided into fixed-size blockseach of which is encrypted independently of the others.



Blowfish was designed as a replacement for DES or IDEA. Since its release in 1993, it has been gaining acceptance as a fast strong encryption standard. It takes a variable length key that can range from 32 to 448 bits.



The act of sending unsolicited messages, pictures, or information to a Bluetooth user.



The theft of information from a wireless device through Bluetooth connection.



An open standard for short-range wireless communications of data and voice between both mobile and stationary devices. Used in cell phones, PDAs, laptops, and other devices.



A heavy round post used to prevent automobiles from ramming buildings or breaching physical security.



A term used to describe robot-controlled workstations that are part of a collection of other robot-controlled workstations. These have been created with a Trojan for the purpose of starting up an IRC client and connecting to an IRC server. Once connected, these devices can launch huge amounts of spam or even cause a denial of service against the IRC server.


Brain virus

A boot sector virus. One of the first found in the wild. It is considered a boot sector virus and was transmitted by floppy disks.


Brute-force attack

A method of breaking a cipher or encrypted value by trying a large number of possibilities. Brute-force attacks function by working through all possible values. The feasibility of brute-force attacks depends on the key length and strength of the cipher and the processing power available to the attacker.



An amount of memory reserved for the temporary storage of data.


Buffer overflow

In computer programming, this occurs when a software application somehow writes data beyond the allocated end of a buffer in memory. Buffer overflows are usually caused by software bugs, lack of input validation, and improper syntax and programming, which opens or exposes the application to malicious code injections or other targeted attack commands.


Business continuity planning

A system or methodology to create a plan for how an organization will resume partially or completely interrupted critical functions within a predetermined time after a disaster or disruption occurs. The goal is to keep critical business functions operational.


Business impact analysis (BIA)

A component of the business continuity plan. The BIA looks at all the components that an organization relies on for continued functionality. It seeks to distinguish which are more crucial than others and requires a greater allocation of funds in the wake of a disaster.




A calamity or misfortune that causes the destruction of facility and data.


Certificate Authority (CA)

Used by Public Key Infrastructure (PKI) to issue public key certificates. The public key certificate verifies that the public key contained in the certificate actually belongs to the person or entity noted in the certificate. The CA's job is to verify and validate the owners identity.



A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.


Challenge handshake authentication protocol (CHAP)

A secure method for connecting to a system. CHAP is a form of authentication that functions by using an authentication agent, usually a network server, to send the client an ID value and a random value that is used only one time. Both the server and client share a predefined secret. The client concatenates the random value, which is usually called a nonce, the ID, and the secret and calculates a one-way hash using MD5. This resulting hash value is sent to the server, which builds the same string and compares the result with the value received from the client. If the values match, the peer is authenticated.



Plain text or cleartext is what you have before encryption, and ciphertext is the encrypted result that is scrambled into an unreadable form.


Clipping level

The point at which an alarm threshold or trigger occurs. As an example, a clipping level of three logon attempts might be set. After three attempted logons, you are locked out. Therefore, the clipping level was three.



In reverence to hacking, cloning relates to cell phones. Cell phone cloning occurs when the hacker copies the electronic serial numbers from one cell phone to another, which duplicates the cell phone.


Closed-Circuit Television (CCTV)

A system comprised of video transmitters that can feed the captured video to one or more receivers. Typically used in banks, casinos, shopping centers, airports, or anywhere that physical security can be enhanced by monitoring events. Placement in these facilities is typically at locations where people enter or leave the facility or at locations where critical transactions occur.


Closed system

A system that is not "open" and therefore, is a proprietary system. Open systems are those that employ modular designs, are widely supported, and facilitate multi-vendor, multi-technology integration.



CNAMES or Conical names are used in domain name service (DNS) and are considered an alias or nickname.


Cold site

A site that contains no computing-related equipment except for environmental support, such as air conditioners and power outlets, and a security system made ready for installing computer equipment.



In cryptography, these occur when a hashing algorithm, such as MD5, creates the same value for two or more different files. In the context of the physical network, collisions can occur when two packets are transmitted at the same time on a Ethernet network.


Combination locks

A lock that can be opened by turning dials in a predetermined sequence.


Computer emergency response team (CERT)

An organization developed to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve an organization's capability to respond to computer and network security issues.



Data or information is not made available or disclosed to unauthorized persons.


Confidentiality agreement

An agreement that employees, contractors, or third-party users must read and sign before being granted access rights and privileges to the organization's IT infrastructure and its assets.


Contingency planning

The process of preparing to deal with calamities and non-calamitous situations before they occur so that the effects are minimized.



A message or small amount of text from a website given to an individual's web browser on the workstation device. The workstation browser stores this text message in a text file. The message is sent back to the web server each time the browser goes to that website and is useful in maintaining state in what is otherwise a stateless connection.



The legal protection given to authors or creators that protects their expressions on a specific subject from unauthorized copying. It is applied to books, paintings, movies, literary works, or any other medium of use.


Corrective controls

Internal controls designed to resolve problems soon after they arise.


Covert channel

An unintended communication path that enables a process to transfer information in such a way that violates a system's security policy.



A term derived from "criminal hacker," indicating someone who acts in an illegal manner.


Criminal law

Laws pertaining to crimes against the state or conduct detrimental to society. These violations of criminal statues are punishable by law and can include monetary penalties and jail time.



The quality, state, degree, or measurement of the highest importance.


Crossover error rate (CER)

The CER is a comparison measurement for different bio-metric devices and technologies to measure their accuracy. The CER is the point at which False Acceptance Rate (FAR) and False Rejection Rate (FRR) are equal, or cross over. The lower the CER, the more accurate the biometric system.


Cryptographic key

The piece of information that controls the cryptographic algorithm. The key specifies how the cleartext is turned into ciphertext or vice versa. For example, a DES key is a 64-bit parameter consisting of 56 independent bits and 8 bits that are used for parity.



Data Encryption Standard (DES)

DES is a symmetric encryption standard that is based on a 64-bit block. DES uses the data encryption algorithm to process 64 bits of plaintext at a time to output 64-bit blocks of cipher text. DES uses a 56-bit key and has four modes of operation.


Defense in depth

The process of multilayered security. The layers can be administrative, technical, or logical. As an example of logical security, you might add a firewall, encryption, packet filtering, IPSec, and a demilitarized zone (DMZ) to start to build defense in depth.


Demilitarized zone (DMZ)

The middle ground between a trusted internal network and an untrusted, external network. Services that internal and external users must use are typically placed there, such as HTTP.


Denial of service (DoS)

The process of having network resources, services, and bandwidth reduced or eliminated because of unwanted or malicious traffic. This attack's goal is to render the network or system non-functional. Some examples include ping of death, SYN flood, IP spoofing, and Smurf attacks.



Destroying data and information or depriving information from the legitimate user.


Detective controls

Controls that identify undesirable events that have occurred.


Digital certificate

Usually issued by trusted third parties, a digital certificate contains the name of a user or server, a digital signature, a public key, and other elements used in authentication and encryption. X.509 is the most common type of digital certificate.


Digital signature

An electronic signature that can be used to authenticate the identity of the sender of a message. It is created by encrypting a hash of a message or document with a private key. The message to be sent is passed through a hashing algorithm; the resulting message digest or hash value is then encrypted using the sender private key.


Digital watermark

A technique that adds hidden copyright information to a document, picture, or sound file. This can be used to allow an individual working with electronic data to add hidden copyright notices or other verification messages to digital audio, video, or image signals and documents.



A natural or man-made event that can include fire, flood, storm, and equipment failure that negatively affects an industry or facility.


Discretionary access control (DAC)

An access policy that allows the resource owner to determine access.


Distributed denial of service (DDoS)

Similar to denial of service (DoS), except that the attack is launched from multiple, distributed agent IP devices.


Domain name system (DNS)

A hierarchy of Internet servers that translate alphanumeric domain names into IP addresses and vice versa. Because domain names are alphanumeric, it's easier to remember these names than IP addresses.



A Trojan horse or program designed to drop a virus to the infected computer and then execute it.


Due care

The standard of conduct taken by a reasonable and prudent person. When you see the term due care, think of the first letter of each word and remember "do correct" because due care is about the actions that you take to reduce risk and keep it at that level.


Due diligence

The execution of due care over time. When you see the term due diligence, think of the first letter of each word and remember "do detect" because due diligence is about finding the threats an organization faces. This is accomplished by using standards, best practices, and checklists.


Dumpster diving

The practice of rummaging through the trash of a potential target or victim to gain useful information.




The unauthorized capture and reading of network traffic or other type of network communication device.


Echo reply

Used by the ping command to test networks. The second part of an Internet Control Message Protocol (ICMP). Ping, officially a type 0.


Echo request

Makes use of an ICMP Echo request packet, which will be answered to using an ICMP Echo Reply packet. The first part of ICMP Ping, which is officially a type 8.


EDGAR database

EDGAR is the Electronic Data Gathering, Analysis and Retrieval System used by the Securities and Exchange Commission for storage of public company filings. It is a potential source of information by hackers.


Electronic Code Book (ECB)

A symmetric block cipher that is one of the modes of Data encryption standard (DES). ECB is considered the weakest mode of DES. When used, the same plain-text input will result in the same encrypted text output.


Electronic serial number

A unique ID number embedded in a cell phone by the manufacturer to minimize chance of fraud and to identify a specific cell phone when it is turned on and a request to join a cellular network is sent over the air.



The science of turning plain text into cipher text.


End user licensing agreement (EULA)

This is the software license that software vendors create to protect and limit their liability, as well as hold the purchaser liable for illegal pirating of the software application. The EULA typically contains language that protects the software manufacturer from software bugs and flaws and limits the liability of the vendor.


Enterprise vulnerability management

The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through dissemination of duties throughout the IT organization.


Ethical hack

A term used to describe a type of hack that is done to help a company or individual identify potential threats on the organization's IT infrastructure or network. Ethical hackers must obey rules of engagement, do no harm, and stay within legal boundaries.


Ethical hacker

A security professional who legally attempts to break in to a computer system or network to find its vulnerabilities.



The act of performing activities to avoid detection.



An attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.


Exposure factor

This is a value calculated by determining the percentage of loss to a specific asset because of a specific threat. As an example, if a fire were to hit the Houston data center that has an asset value of $250,000, it is believed that there would be a 50% loss or exposure factor. Adding additional fire controls could reduce this figure.


Extensible authentication protocol

A method of authentication that can support multiple authentication methods, such as tokens, smart card, certificates, and onetime passwords.



Fail safe

In the logical sense, fail safe means the process of discovering a system error, terminating the process, and preventing the system from being compromised. In the physical realm, it could be that an electrical powered door relay remains in the locked position if power is lost.


False acceptance rate (FAR)

This measurement evaluates the likelihood that a biometric access control system will wrongly accept an unauthorized user.


False rejection rate (FRR)

This measurement evaluates the likelihood that a biometric access control system will reject a legitimate user.


Fast infection

A type of virus infection that occurs quickly.


First in First Out (FIFO)

A method of data and information storage in which the data stored for the longest time will be retrieved first.


File infector

A type of virus that copies itself into executable programs.



On some UNIX systems, finger identifies who is logged on and active and sometimes provides personal information about that individual.



Security system in hardware or software form that is used to manage and control both network connectivity and network services. Firewalls act as chokepoints for traffic entering and leaving the network, and prevent unrestricted access. Firewalls can be stateful or stateless.



The process of overloading the network with traffic so that no legitimate traffic or activity can occur.


Gap analysis

The analysis of the differences between two different states, often for the purpose of determining how to get from point A to point B; therefore, the aim is to look at ways to bridge the gap. Used when performing audits and risk assessments.


Gentle scan

A type of vulnerability scan that does not present a risk to the operating network infrastructure.


Graphical Identification and Authentication (GINA)

Used by Microsoft during the login and authentication process. GINA is a user-mode DLL that runs in the Winlogon process and that Winlogon uses to obtain a user's name and password or smart card PIN.


Graybox testing

Testing that occurs with only partial knowledge of the network or that is performed to see what internal users have access to.



Much like standards, these are recommendation actions and operational guides for users.


Hardware keystroke logger

A form of key logger that is a hardware device. Once placed on the system, it is hard to detect without a physical inspection. It can be plugged in to the keyboard connector or built in to the keyboard.



A mathematical algorithm used to ensure that a transmitted message has not been tampered with. A one-way algorithm which maps or translates one set of bits into a fixed length value that can be used to uniquely identify data.


Hashing algorithm

Hashing is used to verify the integrity of data and messages. A well-designed hashing algorithm examines every bit of the data while it is being condensed, and even a slight change to the data will result in a large change in the message hash. It is considered a one-way process.


Heuristic scanning

A form of virus scanning that looks at irregular activity by programs. As an example, a heuristic scanner would flag a word processing program that attempted to format the hard drive, as that is not normal activity.



An Internet-attached server that acts as a decoy, luring in potential hackers to study their activities and monitor how they are able to break in to a system.



Internet Assigned Number Authority (IANA)

A primary governing body for Internet networking. IANA oversees three key aspects of the Internet: top-level domains (TLDs), IP address allocation, and port number assignments. IANA is tasked with preserving the central coordinating functions of the Internet for the public good. Used by hackers and security specialists to track down domain owners and their contact details.


Identify theft

An attack in which an individual's personal, confidential, banking, and financial identify is stolen and compromised by another individual or individuals. Use of your social security number without your consent or permission might result in identify theft.



This term can be best defined as an attempt to identify the extent of the consequences should a given event occur.



The ability to deduce information about data or activities to which the subject does not have access.


Inference attack

This form of attack relies on the attacker's ability to make logical connections between seemingly unrelated pieces of information.


Information technology security evaluation criteria (ITSEC)

A European standard that was developed in the 1980s to evaluate confidentiality, integrity, and availability of an entire system.


Infrastructure mode

A form of wireless networking in which wireless stations communicate with each other by first going through an access point.


Initial sequence number (ISN)

A number defined during a Transmission Control Protocol (TCP) startup session. The ISN is used to keep track of how much information has been moved and is of particular interest to hackers, as the sequence number is used in session hijacking attacks.


Insecure computing habits

The bad habits that employees, contractors, and third-party users have accumulated over the years can be attributed to the organization's lack of security-awareness training, lack of security controls, and lack of any security policies or acceptable use policies (AUPs).



One of the three items considered part of the security triad; the others are confidentiality and availability. Integrity is used to verify the accuracy and completeness of an item.


Internet control message protocol (ICMP)

Part of TCP/IP that supports diagnostics and error control. ICMP echo request and ICMP echo reply are subtypes of the ICMP protocol used within the PING utility.


Intrusion detection

A key component of security that includes prevention, detection, and response. It is used to detect anomalies or known patterns of attack.


Intrusion detection system (IDS)

A network-monitoring device typically installed at Internet ingress/egress points used to inspect inbound and outbound network activity and identify suspicious patterns that might indicate a network or system attack from someone attempting to break in to or compromise a system.


Inverse SYN cookies

A method for tracking the state of a connection, which takes the source address and port, along with the destination address and port, and then through a SHA-1 hashing algorithm. This value becomes the initial sequence number for the outgoing packet.


ISO 17799

A comprehensive security standard that is divided into 10 sections. It is considered a leading standard and a code of practice for information security management.



Short for IP Security. An IETF standard used to secure TCP/IP traffic. It can be implemented to provide integrity and confidentiality.



Information technology. Information technology includes computers, software, Internet/intranet, and telecommunications.


IT asset

Information technology asset, such as hardware, software, or data.


IT asset criticality

The act of putting a criticality factor or importance value (Critical, Major, or Minor) in an IT asset.


IT asset valuation

The act of putting a monetary value to an IT asset.


IT infrastructure

A general term to encompass all information technology assets (hardware, software, data), components, systems, applications, and resources.


IT security architecture and framework

A document that defines the policies, standards, procedures, and guidelines for information security.


Key exchange protocol

A protocol used to exchange secret keys for the facilitation of encrypted communication. Diffie-Hellman is an example of a key exchange protocol.




An early file infector virus that only infected It didn't increase the size of the program, as it writes information in slack space. It is a destructive virus in that it destroys the disk when a counter reaches a specific number of infections.


Level I assessments

This type of vulnerability assessment examines the controls implemented to protect information in storage, transmission, or being processed. It involves no hands-on testing. It is a review of the process and procedures in place and focuses on interviews and demonstrations.


Level II assessments

This type of assessment is more in depth than a level I. Level II assessments include vulnerability scans and hands-on testing.


Level III assessments

This type of assessment is adversarial in nature and is also known as a penetration test or red team exercise. It is an attempt to find and exploit vulnerabilities. It seeks to determine what a malicious user or outsider could do if intent on damaging the organization. Level III assessments are not focused on documentation or simple vulnerable scans; they are targeted on seeking how hackers can break into a network.


Last in First Out (LIFO)

LIFO is a data processing method that applies to buffers. The last item in the buffer is the first to be removed.


Limitation of liability and remedies

A legal term that limits the organization from the amount of financial liability and the limitation of the remedies the organization is legally willing to take on.



MAC filtering

A method controlling access on a wired or wireless network by denying access to a device that has a MAC address that does not match a MAC address in a preapproved list.



An early example of an Apple-Mac virus. MacMag displays a message of universal peace when triggered.


Macro infector

A type of computer virus that infects macro files. I Love You and Melissa are both examples of macro viruses.


Man-in-the-middle attack

A type of attack in which the attacker can read, insert, and change information that is being passed between two parties, without either party knowing that the information has been compromised.


Man made threats

Threats that are caused by humans, such as hacker attack, terrorism, or destruction of property.


Mandatory access control (MAC)

A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (such as clearance) of subjects to access information of such sensitivity.



A turnstile or other gated apparatus used to detain an individual between a trusted state and an untrusted state for authentication.


Master boot record infector

A virus that infects a master boot record.


The Matrix

A movie about a computer hacker who learns from mysterious rebels about the true nature of his reality and his role in the Matrix machine. A favorite movie of hackers!


Media access control (MAC)

The hard-coded address of the physical layer device that is attached to the network. In an Ethernet network, the address is 48-bits or 6-bytes long.



A hashing algorithm that produces a 128-bit output.



A set of documented procedures used for performing activities in a consistent, accountable, and repeatable manner.


Minimum acceptable level of risk

The stake in the ground that an organization defines for the seven areas of information security responsibility. Depending on the goals and objectives for maintaining confidentiality, integrity, and availability of the IT infrastructure and its assets, the minimum level of acceptable risk will dictate the amount of information security.


Moore's law

The belief that processing power of computers will double about every 18 months.


Multipartite virus

A virus that attempts to attack both the boot sector and executable files.


Natural threats

Threats posed by Mother Nature, such as fire, floods, and storms.



A backdoor Trojan that allows an attacker complete control of the victim's computer.


Network address translation (NAT)

A method of connecting multiple computers to the Internet using one IP address so that many private addresses are being converted to a single public address.


Network operations center (NOC)

An organization's help desk or interface to its end users in which trouble calls, questions, and trouble tickets are generated.


NIST 800-42

The purpose of this document is to provide guidance on network security testing. It deals mainly with techniques and tools used to secure systems connected to the Internet.



The act of not providing a reference to a source of information.



A system or method put in place to ensure that an individual cannot deny his own actions.



The National Security Agency (NSA) Information Security Assessment Methodology (IAM) is a systematic process used by government agencies and private organizations for the assessment of security vulnerabilities.



A standard UNIX, Linux, and Windows tool for querying name servers.


Null session

A Windows feature in which anonymous logon users can list domain usernames, account information, and enumerate share names.



One-time pad

An encryption mechanism that can be used only once, and this is, theoretically, unbreakable. One-time pads function by combining plain text with a random pad that is the same length as the plain text.


Open source

Open-source software is based on the GNU General Public License. Software that is open source is released under an open-source license or to the public domain. The source code can be seen and can be modified. Its name is a recursive acronym for "GNU's Not UNIX."


OS (Operating System) identification

The practice of identifying the operating system of a networked device through either passive or active techniques.



Packet filter

A form of stateless inspection performed by some firewalls and routers. Packet filters limit the flow of traffic based on predetermined access control lists (ACLs). Parameters, such as source, destination, or port, can be filtered or blocked by a packet filter.


Paper shredders

A hardware device used for destroying paper and documents by shredding to prevent dumpster diving.


Passive fingerprint

A passive method of identifying the operating system (OS) of a targeted computer or device. No traffic or packets are injected into the network; attackers simply listen to and analyze existing traffic.


Password authentication protocol (PAP)

A form of authentication in which clear-text usernames and passwords are passed.


Pattern matching

A method of identifying malicious traffic used by IDS systems. It is also called signature matching and works by matching traffic against signatures stored in a database.


Penetration test

A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker without doing harm and with the owner's consent.


Personal area networks

Used when discussing Bluetooth devices. Refers to the connection that can be made with Bluetooth between these various devices.



The act of misleading or conning an individual into releasing and providing personal and confidential information to an attacker masquerading as a legitimate individual or business. Typically, this is done by sending someone an email that requests the victim to follow a link to a bogus website.



A method of gaining unauthorized access into a facility by following an authorized employee through a controlled access point or door.


Ping sweep

The process of sending ping requests to a series of devices or to the entire range of networked devices.



A high-level document that dictates management intentions toward security.


Polymorphic virus

A virus capable of change and self mutation.



POP (Post Office Protocol) is a commonly implemented method of delivering email from the mail server to the client machine. Other methods include Internet Message Access Protocol (IMAP) and Microsoft Exchange.



Ports are used by protocols and applications. Port numbers are divided into three ranges including: Well Known Ports, Registered Ports, and the Dynamic and/or Private Ports. Well Known Ports are those from 01023. Registered Ports are those from 102449151, and Dynamic and/or Private Ports are those from 4915265535.


Port knocking

Port knocking is a defensive technique that requires users of a particular service to access a sequence of ports in a given order before the service will accept their connection.


Port redirection

The process of redirecting one protocol from an existing port to another.



A virus type that adds the virus code to the beginning of existing executables.


Preventative controls

Controls that reduce risk and are used to prevent undesirable events from happening.



The likelihood of an event happening.



A detailed, in-depth, step-by-step document that lays out exactly what is to be done and how it is to be accomplished.


Promiscuous mode

The act of changing your network adapter from its normal mode of examining traffic that only matches its address to examining all traffic. Promiscuous mode enables a single device to intercept and read all packets that arrive at the interface in their entirety; these packets may or may not have been destined for this particular target.


Proxy server

Proxy servers stand in place of, and are a type of, firewall. They are used to improve performance and for added security. A proxy server intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.


Public key infrastructure (PKI)

Infrastructure used to facilitate e-commerce and build trust. PKI is composed of hardware, software, people, policies, and procedures; it is used to create, manage, store, distribute, and revoke public key certificates. PKI is based on public-key cryptography.




A Trojan program that infects Notepad.


Qualitative analysis

A weighted factor or non-monetary evaluation and analysis based on a weighting or criticality factor valuation as part of the evaluation or analysis.


Qualitative assessment

An analysis of risk that places the probability results into terms such as none, low, medium, and high.


Qualitative risk assessment

A scenariobased assessment in which one scenario is examined and assessed for each critical or major threat to an IT asset.


Quantitative analysis

A numerical evaluation and analysis based on monetary or dollar valuation as part of the evaluation or analysis.


Quantitative risk assessment

A methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized.



Redundant Array of Independent Disks (RAID)

A type of fault tolerance and performance improvement for disk drives that employ two or more drives in combination.


RAM resident infection

A type of virus that spreads through RAM.


Red team

A group of ethical hackers who help organizations to explore network and system vulnerabilities by means of penetration testing.



A symmetric encryption algorithm chosen to be the Advanced Encryption Standard (AES).



The exposure or potential for loss or damage to IT assets within that IT infrastructure.


Risk acceptance

An informed decision to suffer the consequences of likely events.


Risk assessment

A process for evaluating the exposure or potential loss or damage to the IT and data assets for an organization.


Risk avoidance

A decision to take action to avoid a risk.


Risk management

The overall responsibility and management of risk within an organization. Risk management is the responsibility and dissemination of roles, responsibilities, and accountabilities for risk in an organization.


Risk transference

Shifting the responsibility or burden to another party or individual.


Rogue access point

A 802.11 access point that has been set up by an attacker for the purpose of diverting legitimate users so that their traffic can be sniffed or manipulated.


Routing Information Protocol (RIP)

A widely used distance-vector protocol that determines the best route by hop count.


Role-based access control

A type of discretionary access control in which users are placed into groups to facilitate management. This type of access control is widely used by Microsoft Active Directory, Oracle DBMS, and SAP R/3.


Rule-based access control

A type of mandatory access control that matches objects to subjects. It dynamically assigns roles to subjects based on their attributes and a set of rules defined by a security policy.



Scope creep

This is the uncontrolled change in the project's scope. It causes the assessment to drift away from its original scope and results in budget and schedule overruns.


Script kiddie

The lowest form of cracker who looks for easy targets or well-worn vulnerabilities.


Security breach or security incident

The result of a threat or vulnerability being exploited by an attacker.


Security bulletins

A memorandum or message from a software vendor or manufacturer documenting a known security defect in the software or application itself. Security bulletins are typically accompanied with instructions for loading a software patch to mitigate the security defect or software vulnerability.


Security by obscurity

The controversial use of secrecy to ensure security.


Security controls

Policies, standards, procedures, and guideline definitions for various security control areas or topics.


Security countermeasure

A security hardware or software technology solution that is deployed to ensure the confidentiality, integrity, and availability of IT assets that need protection.


Security defect

A security defect is usually an unidentified and undocumented deficiency in a product or piece of software that ultimately results in a security vulnerability being identified.


Security incident response team (SIRT)

A team of professionals who usually encompasses Human Resources, Legal, IT, and IT Security to appropriately respond to critical, major, and minor security breaches and security incidents that the organization encounters.


Security kernel

A combination of software, hardware, and firmware that makes up the Trusted Computer Base (TCB). The TCB mediates all access, must be verifiable as correct, and is protected from modification.


Security workflow definitions

Given the defense-in-depth, layered approach to information security roles, tasks, responsibilities, and accountabilities, a security workflow definition is a flowchart that defines the communications, checks and balances, and domain of responsibility and accountability for the organization's IT and IT security staff.


Separation of duties

Given the seven areas of information security responsibility, separation of duties defines the roles, tasks, responsibilities, and accountabilities for information security uniquely for the different duties of the IT staff and IT security staff.


Service level agreements (SLAs)

A contractual agreement between an organization and its service provider. SLAs define and protect the organization with regard to holding the service provider accountable for the requirements as defined in an SLA.


Service Set ID (SSID)

The SSID is a sequence of up to 32 letters or numbers that is the ID, or name, of a wireless local area network and is used to differentiate networks.


Session splicing

Used to avoid detection by an Intrusion Detection System (IDS) by sending parts of the request in different packets.



A hashing algorithm that produces a 160-bit output. SHA-1 was designed by the National Security Agency (NSA) and is defined in RFC 3174.



The process of scanning for viruses on a standalone computer.


Shoulder surfing

The act of looking over someone's shoulder to steal their password, capturing a phone pin, card number, and other type of information as well.


Signature scanning

One of the most basic ways of scanning for computer viruses, it works by comparing suspect files and programs to signatures of known viruses stored in a database.


Simple Network Monitoring Protocol (SNMP)

An application layer protocol that facilitates the exchange of management information between network devices. The first version of SNMP, V1, uses well-known community strings of public and private. Version 3 offers encryption.


Single loss expectancy (SLE)

A dollar-value figure that represents an organization's loss from a single loss or loss of this particular IT asset.


Site survey

The process of determining the optimum placement of wireless access points. The objective of the site survey is to create an accurate wireless system design/layout and budgetary quote.


Smurf attack

A distributed denial of service (DDoS) attack in which an attacker transmits large amounts of Internet Control Message Protocol (ICMP) echo request (PING) packets to a targeted IP destination device using the targeted destination's IP source address. This is called spoofing the IP source address. IP routers and other IP devices that respond to broadcasts will respond back to the targeted IP device with ICMP echo replies, which multiplies the amount of bogus traffic.



A hardware or software device that can be used to intercept and decode network traffic.


Social engineering

The practice of tricking employees into revealing sensitive data about their computer system or infrastructure. This type of attack targets people and is the art of human manipulation. Even when systems are physically well protected, social engineering attacks are possible.


Software bugs or software flaws

An error in software coding or its design that can result in software vulnerability.


Software vulnerability standard

A standard that accompanies an organization's Vulnerability Assessment and Management Policy. This standard typically defines the organization's vulnerability window definition and how the organization is to provide software vulnerability management and software patch management throughout the enterprise.



The use of any electronic communication's medium to send unsolicited messages in bulk. Spamming is a major irritation of the Internet era.



The act of masking your identity and pretending to be someone else or another device. Common spoofing methods include Address Resolution Protocol (ARP), Domain Name Server (DNS), and Internet Protocol (IP). Spoofing is also implemented by email in what is described as phishing schemes.



Any software application that covertly gathers information about a user's Internet usage and activity and then exploits this information by sending adware and pop-up ads similar in nature to the user's Internet usage history.


Stateful inspection

An advanced firewall architecture that works at the network layer and keeps track of packet activity. Stateful inspection has the capability to keep track of the state of the connection. For example, if a domain name service (DNS) reply is being sent into the network, stateful inspection can check to see whether a DNS request had previously been sent, as replies only follow requests. Should evidence of a request not be found by stateful inspection, the device will know that the DNS packet should not be allowed in and is potentially malicious.



A cryptographic method of hiding the existence of a message. A commonly used form of steganography places information in pictures.


Stream cipher

Encrypts data typically one bit or byte at a time.


Symmetric algorithm

Both parties use the same cryptographic key.


Symmetric encryption

An encryption standard requiring that all parties have a copy of a shared key. A single key is used for both encryption and decryption.


SYN flood attack

A distributed denial of service (DDoS) attack in which the attacker sends a succession of SYN packets with a spoof address to a targeted destination IP device but does not send the last ACK packet to acknowledge and confirm receipt. This leaves half-open connections between the client and the server until all resources are absorbed, rendering the server or targeted IP destination device as unavailable because of resource allocation to this attack.


Synchronize sequence number

Initially passed to the other party at the start of the three-way TCP handshake. It is used to track the movement of data between parties. Every byte of data sent over a TCP connection has a sequence number.




A UDP-based access-control protocol that provides authentication, authorization, and accountability.


Target of engagement (TOE)

The TOE is a term developed for use with common criteria and is used by EC-Council to define the target of the assessment or pen test target.


TCP handshake

A three-step process computers go through when negotiating a connection with one another. The process is a target of attackers and others with malicious intent.



Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.


Time-to-live (TTL)

A counter used within an IP packet that specifies the maximum number of hops that a packet can traverse. After a TTL is decremented to 0, a packet expires.



A small Trojan program that listens on port 777.



A way of tracing hops or computers between the source and target computer you are trying to reach. Gives the path the packets are taking.


Transmission control protocol (TCP)

Is one of the main protocols of the TCP/IP protocol suite.. It is used for reliability and guaranteed delivery of data.


Transient electromagnetic pulse emanation standard (TEMPEST)

A method of shielding equipment to prevent the capability of capturing and using stray electronic signals and reconstructing them into useful intelligence.


Trapdoor function

One-way function that describes how asymmetric algorithms function. Trapdoor functions are designed so that they are easy to compute in one direction but difficult to compute in the opposing direction. Trapdoor functions are useful in asymmetric encryption and examples include RSA and Diffie-Hellman



A Trojan is a program that does something undocumented which the programmer or designer intended, but that the end user would not approve of if he knew about it.


Trusted Computer Base (TCB)

All the protection mechanisms within a computer system. This includes hardware, firmware, and software responsible for enforcing a security policy.


Trusted computer system evaluation criteria (TCSEC)

U.S. Department of Defense (DoD) Trusted Computer System Evaluation Criteria, also called the Orange Book. TCSEC is a system designed to evaluate standalone systems that places systems into one of four levels: A, B, C, and D. Its basis of measurement is confidentiality.



The process of rolling through various electronic serial numbers on a cell phone to attempt to find a valid set to use.



A one-way gate or access control mechanism that is used to limit traffic and control the flow of people.



Uber hacker

An expert and dedicated computer hacker.


Uniform resource locator (URL)

The global address on the Internet and World Wide Web in which domain names are used to resolve IP addresses.


User datagram protocol (UDP)

A connectionless protocol that provides few error recovery services, but offers a quick and direct way to send and receive datagrams.



The willful destruction of property.


Videocipher II satellite encryption system

Encryption mechanism used to encrypt satellite video transmissions.


Virtual private network (VPN)

A private network that uses a public network to connect remote sites and users.



A computer program with the capability to generate copies of itself and thereby spread. Viruses require the interaction of an individual and can have rather benign results, flashing a message to the screen, or rather malicious results that destroy data, systems, integrity, or availability.


Virus hoax

A chain letter designed to trick you into forwarding to many other people warning of a virus that does not exist. The Good Times virus is an example.



The absence or weakness of a safeguard in an asset.


Vulnerability assessment

A methodical evaluation of an organization's IT weaknesses of infrastructure components and assets and how those weaknesses can be mitigated through proper security controls and recommendations to remediate exposure to risks, threats, and vulnerabilities.


Vulnerability management

The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through dissemination of duties throughout the IT organization.


War chalking

The act of marking on the wall or sidewalk near a building to indicate that wireless access is present.


War dialing

The process of using a software program to automatically call thousands of telephone numbers to look for anyone who has a modem attached.


War driving

The process of driving around a neighborhood or area to identify wireless access points.


Warm site

An alternative computer facility that is partially configured and can be made ready in a few days.



A security assessment of penetration test in which all aspects of the network are known.



An Internet utility that returns information about the domain name and IP address.


Wi-Fi Protected Access (WPA)

A security standard for wireless networks designed to be more secure than Wired Equivalent Privacy (WEP).


Wired Equivalent Privacy (WEP)

WEP is based on the RC4 encryption scheme. It was designed to provide the same level of security as that of a wired LAN. Because of 40-bit encryption and problems with the initialization vector, it was found to be insecure.



A self-replicating program that spreads by inserting copies of itself into other executable codes, programs, or documents. Worms typically flood a network with traffic and result in a denial of service.



A type of program used to bind a Trojan program to a legitimate program. The objective is to trick the user into running the wrapped program and installing the Trojan.


Written authorization

One of the most important parts of the ethical hack. It gives you permission to perform the tests that have been agreed on by the client.


Zone transfer

The mechanism used by domain name service (DNS) servers to update each other by transferring a Resource Record. IT should be a controlled process between two DNS servers, but is something that hackers will attempt to perform to steal the organization's DNS information. It can be used to map the network devices.


III Appendixes

Part I: Exam Preparation

The Business Aspects of Penetration Testing

The Technical Foundations of Hacking

Footprinting and Scanning

Enumeration and System Hacking

Linux and Automated Security Assessment Tools

Trojans and Backdoors

Sniffers, Session Hijacking, and Denial of Service

Web Server Hacking, Web Applications, and Database Attacks

Wireless Technologies, Security, and Attacks

IDS, Firewalls, and Honeypots

Buffer Overflows, Viruses, and Worms

Cryptographic Attacks and Defenses

Physical Security and Social Engineering

Part II: Final Review

Part III: Appendixes

Appendix A. Using the ExamGear Special Edition Software

Certified Ethical Hacker Exam Prep
Certified Ethical Hacker Exam Prep
ISBN: 0789735318
EAN: 2147483647
Year: 2007
Pages: 247
Authors: Michael Gregg © 2008-2020.
If you may any questions please contact us: