100 Flashcards
Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and Internet access
acceptable use policies
The means of giving or restricting user access to network resources
access control
A table or data file that specifies whether a user or group has access to a specific resource on a computer or network
access control list (ACL)
The point at which access to a network is accomplished. This term is often used in relation to a wireless access point (WAP)
access point (AP)
A policy that provides information to the reader about who to contact if a problem is discovered
accountability statement
A response generated in real time
active response
Any action a user undertakes
activity
Protocol used to map known IP addresses to unknown physical addresses
Address Resolution Protocol (ARP)
An attack that convinces the network that the attacker’s MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker’s machine
Address Resolution Protocol (ARP) poisoning
A control implemented through administrative policies or procedures
administrative control
The user who is accountable and responsible for the network
administrator
A Federal Information Processing Standards (FIPS) publication that specifies a cryptographic algorithm for use by the US government
Advanced Encryption Standard (AES)
More commonly known as ARP poisoning, this involves the MAC (Media Access Control) address of the data being faked
ARP spoofing
An algorithm that uses two keys
asymmetric algorithm
Encryption in which two keys must be used
asymmetric encryption
Any unauthorized intrusion into the normal operations of a computer or computer network
attack
The area of an application that is available to users—those who are authenticated and, more importantly, those who are not
attack surface
Minimizing the possibility of exploitation by reducing the amount of code and limiting potential damage
attack surface reduction (ASR)
The act of tracking resource usage by users
audit
The means of verifying that someone is who they say they are
authentication
A header used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays
Authentication Header (AH)
A type of certificate technology that allows ActiveX components to be validated by a server
Authenticode
A utility used with Windows 7 and 8 for creating a copy of the configuration settings necessary to reach the present state after a disaster
Automated System Recovery (ASR) disk
An opening left in a program application (usually by the developer) that allows additional access to data
backdoor
A reversion, or rollback to a previous state, from a change that had negative consequences
backout
A usable copy of data made to media
backup
A generator that can supply power in the event the primary provider is unable to deliver it
backup generator
A documented plan governing backup situations
backup plan
A written policy detailing the frequency of backups and the location of storage media
backup policy
Looking at the banner, or the header information messages sent with data, to find out about a system(s)
banner grabbing
Comparing performance to a historic metric
baselining
A host with multiple network interface cards so that it can reside on multiple networks
bastion host
A set of rules governing basic operations
best practices
Data that is too large to be dealt with by traditional database management means
Big Data analysis
A probability method of finding collision in hash functions
birthday attack
A Microsoft utility used to encrypt a drive
BitLocker
A method of encryption that processes blocks of data rather than streams
block cipher
A type of symmetric block cipher created by Bruce Schneier
Blowfish
The sending of unsolicited messages over a Bluetooth connection
bluejacking
The gaining of unauthorized access through a Bluetooth connection
bluesnarfing
A router used to translate from LAN framing to WAN framing
border router
An automated software program (network robot) that collects information on the Web
bot
A trust model in which a peer-to-peer relationship exists among the root certificate authorities
bridge trust model
A type of attack that relies purely on trial and error and tries all possible combinations
brute-force attack
A type of denial-of-service (DoS) attack that occurs when more data is put into a buffer than it can hold, thereby overflowing it (as the name implies)
buffer overflow
A contingency plan that allows a business to keep running in the event of a disruption to vital resources
business continuity planning (BCP)
A study of the possible impact if a disruption to a business’s vital resources were to occur
business impact analysis (BIA)
A physical security deterrent used to protect a computer
cable lock
An access point that requires users to agree to some condition before they use the network or Internet
captive portal
A type of symmetric block cipher defined by RFC 2144
CAST
A digital entity that establishes who you are and is often used with e-commerce
certificate
An issuer of digital certificates (which are then used for digital signatures or key pairs)
certificate authority (CA)
A messaging protocol used between PKI entities
Certificate Management Protocol (CMP)
The principles and procedures employed in the issuing and managing of certificates
Certificate Practice Statement (CPS)
The act of making a certificate invalid
certificate revocation
A list of digital certificate revocations that must be regularly downloaded to stay current
certificate revocation list (CRL)
A protocol that challenges a system to verify identity
Challenge Handshake Authentication Protocol (CHAP)
Management included in the making of a change in the scope of any particular item
change management
An algorithm - also known as a cryptographic algorithm - used to encrypt and decrypt data
cipher
The part of a client-server network where the computing is usually done
client
A surveillance camera used for physical-access monitoring
closed-circuit television (CCTV)
Moving the execution of an application to the cloud on an as-needed basis
cloud bursting
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
cloud computing
A method of balancing loads and providing fault tolerance
clustering
The storage and conditions for release of source code provided by a vendor, partner, or other party
code escrow
Looking at all custom written code for holes that may exist
code review
Server room aisles that blow cold air from the floor
cold aisles
A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all the resources necessary to enable an organization to use it immediately
cold site
An agreement between individuals to commit fraud or deceit
collusion
A standard identification card used by the Department of Defense (DoD) and other employers
Common Access Card (CAC)
A document of specifications detailing security evaluation methods for IT products and systems
Common Criteria (CC)
Cloud delivery model in which the infrastructure is shared by organizations with something in common
community cloud
A virus that creates a new program that runs in place of an expected program of the same name
companion virus
Gap controls that fill in the coverage between other types of vulnerability mitigation techniques (where there are holes in coverage, we compensate for them)
compensating controls
A formalized or an ad hoc team you can call upon to respond to an incident after it arises
Computer Security Incident Response Team (CSIRT)
Type of communications between two hosts that have a previous session established for synchronizing sent data
connection-oriented protocol
A plan that allows a business to keep running in the event of a disruption to vital resources
contingency plan
Processes or actions used to respond to situations or events
control
Technical or administrative measures in place to assist with resource management
control types
A plain-text file stored on your machine that contains information about you (and your preferences) and is used by a server
cookie
A wrapper that uses 128-bit AES encryption with a 48-bit initialization vector
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
Functions on which the livelihood of the company depends
critical business functions (CBF)
A form of web-based attack in which unauthorized commands are sent from a user that a website trusts
Cross-Site Request Forgery (XSRF)
Running a script routine on a user’s machine from a website without their permission
cross-site scripting (XSS)
The study and practice of finding weaknesses in ciphers
cryptanalysis
A person who does cryptanalysis
cryptanalyst
A person who participates in the study of cryptographic algorithms
cryptographer
An algorithm - also known as a cipher - used to encrypt and decrypt data
cryptographic algorithm
The field of mathematics focused on encrypting and decrypting data
cryptography
Getting rid of/destroying media no longer needed
data disposal
The primary standard used in government and industry until it was replaced by AES
Data Encryption Standard (DES)
Any systems that identify, monitor, and protect data to prevent it from unauthorized use, modification, or destruction
data loss prevention (DLP)
A policy dealing with some aspect of data (usage, destruction, retention, etc.)
data policy
A response that fools the attacker into thinking that the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken
deception active response
An area for placing web and other servers outside the firewall
demilitarized zone (DMZ)
A type of attack that prevents any users—even legitimate ones—from using a system
denial-of-service (DoS)
Reviewing the security design, including examining the ports and protocols used, the rules, segmentation, and access control
design review
Controls that are intended to identify and characterize an incident in progress (for example, sounding the alarm and alerting the administrator)
detective control
The act of attempting to crack passwords by testing them against a list of dictionary words
dictionary attack
A type of backup that includes only new files or files that have changed since the last full backup
differential backup