Acronyms Flashcards
FDE
Full-Disk Encryption - fully encrypts the hard drive on a computer
TPM
Trusted Platform Module - used for boot integrity
SDN
Software-Defined Networking - virtualized networking
DMZ
Demilitarized Zone - used to segment a network
CSR
Certificate Signing Request
CN
Common Name - the name on a certificate that identifies the system, typically the Fully Qualified Domain Name of the server
FQDN
Fully Qualified Domain Name
RFID
Radio Frequency Identification
CSO
Chief Security Officer
MDM
Mobile Device Management
DHCP
Dynamic Host Configuration Protocol
SSH
Secure Shell - a secure protocol used to connect to command-line shells; it can also be used to tunnel other protocols
TLS
Transport Layer Security
RBAC
Role-based Access Control - permissions are based on the user's position in the organization
MAC
Mandatory Access Control - permissions granted by security classifications
DAC
Discretionary Access Control - allows data owners to set permissions
ABAC
Attribute-based Access Control - considers various attributes such as location, time, computer, username, password, etc.
SED
Self-encrypting drive
SIEM
Security Information and Event Management
XSS
Cross-site Scripting
UEM
Universal Endpoint Management - a tool that can manage desktops, laptops, mobile devices, printers, and other devices. UEM tools often use applications deployed to mobile devices to configure and manage them
CASB
Cloud Access Security Broker
IPS
Intrusion Prevention System
IDS
Intrusion Detection System
NIPS
Network Intrusion Prevention System
NIDS
Network Intrusion Detection System
NTLM
New Technology LAN Manager - an older Windows authentication protocol
DMZ
De-militarized zone - provides limited access to public-facing servers for outside users, but blocks outside users from accessing systems inside the LAN.
VPC
Virtual datacenter?
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol - AES-based; used by WPA2 to encapsulate traffic and is the minimum acceptable encryption for WPA3
CYOD
Choose Your Own Device - allows users to choose a device that is corporate-owned and paid for. Choices may be limited to a set of devices, or users may be allowed to choose essentially any device depending on the organization’s deployment decisions
BYOD
Bring Your Own Device
COPE
Corporate-Owned, Personally Enabled - provides devices to users that they can then use for personal use.
VDI
Virtual Desktop Infrastructure - used as an access layer for any security model where specialized needs or security requirements may require access to remote desktop or application services
WPS
Wi-Fi Protected Setup
SSO
Single Sign-On
SAML
Security Assertion Markup Language - used by many identity providers to exchange authorization and authentication data with service providers
LDAP
Lightweight Directory Access Protocol
SSID
Service Set Identifier
RADIUS
Remote Authentication Dial-In User Service
VLAN
Virtual local area network - most often used to segment the internal network
TPM
Trusted Platform Module - a secure cryptoprocessor used to provide a hardware root of trust for systems. They enable secure boot and boot attestation capabilities and include a random number generator, the ability to generate cryptographic keys for specific uses, and the ability to bind and seal data used for processes the TPM supports.
NAC
Network Access Control
OTA
Over-the-Air - updates used by cellular carriers as well as phone manufacturers to provide firmware updates and updated phone configuration data
SAE
Simultaneous Authentication of Equals - used in WPA3 (Wi-Fi protocol) to improve on previous models; WPA3's Personal mode replaces the pre-shared key mode found in WPA2 with SAE
ARP
Address Resolution Protocol
HIPS
Host-based Intrusion Prevention System - can monitor network traffic to identify attacks, suspicious behavior, and known bad patterns using signatures
DLP
Data Loss Prevention - designed to protect data from being exposed or leaking from a network using a variety of techniques and technology. These tools allow sensitive data to be tagged and monitored so that if a user attempts to send it, the user is notified, administrators are informed, and if necessary the data can be protected using encryption or other protection methods before it is sent
FTP
File Transfer Protocol
PSK
Pre-shared Key
SNMP
Simple Network Management Protocol - can provide information about the status and configuration of network devices
SRTP
Secure version of the Real-Time Transport Protocol, used primarily for voice over IP (VoIP) and multimedia streaming or broadcast
ABAC
Attribute-based Access Control
UEFI
Unified Extensible Firmware Interface
BIOS
Basic Input/Output System
CHAP
Challenge Handshake Authentication Protocol - periodically has the client re-authenticate. This is transparent to the user but is done specifically to prevent session hijacking
PAP
Password Authentication Protocol - actually quite old
HSM
Hardware Security Module - a physical device that safeguards and manages digital keys and provides many cryptographic functions; unlike a TPM, an HSM is not used for boot attestation
OAuth
Open Authorization
TOTP
Time-based one-time passwords
HOTP
HMAC-based One-Time Password (HMAC: hash-based message authentication code)
HMAC
Hash-based Message Authentication Code
XaaS
Anything as a service
SCADA
Supervisory Control and Data Acquisition
TLS
Transport Layer Security - a reliable method of encrypting web traffic. It supports mutual authentication and is considered secure. Created in 1999 as the successor to SSL (secure sockets layer)
ECC
Elliptic-curve Cryptography - faster than RSA-based cryptography because it can use a smaller key length to achieve levels of security similar to a longer RSA key (a 228-bit elliptic-curve key is roughly equivalent to a 2,380-bit RSA key)
SAN
Storage Area Network
RAID
Redundant Array of Independent Disks (or Drives) - common levels are RAID 0, 1, 3, 5, and 10
IaaS
Infrastructure as a Service - provides the components of an entire network and systems infrastructure
PaaS
Platform as a Service - provides the framework and underlying tools to build applications and services. In the PaaS model, the consumer has access to the infrastructure to create applications and host them
SaaS
Software as a Service - the consumer uses applications provided by the cloud provider over the Internet; the software is licensed on a subscription basis
RFC
Request for Comments - how Internet protocols are defined and documented
PFS
Perfect Forward Secrecy - used to change keys used to encrypt and decrypt data, ensuring that even if a compromise occurs, only a very small amount of data will be exposed
DLL
Dynamic-Link Library
DBA
Database Administrator
CER
Crossover Error Rate - the point where the FAR (false acceptance rate) and the FRR (false rejection rate) cross over. CER provides a means of comparing biometric systems based on their efficiency, with a lower CER being more desirable
FAR
False Acceptance Rate in a biometric system
FRR
False Rejection Rate in a biometric system
MSSP
Managed Security Service Provider - an outside company that handles security tasks. Some or even all security tasks can be outsourced, including intrusion detection and prevention (IDS/IPS) management, security information and event management (SIEM) integration, and other security controls
UPS
Uninterruptible Power Supply
MTR
Maximum Time to Restore
API
Application Programming Interface
OWASP
Open Web Application Security Project - the de facto standard for web application security
WAF
Web Application Firewall
BIA
Business Impact Analysis
DRP
Disaster Recovery Plan
PDU
Power Distribution Unit
SED
Self-Encrypting Disk - automatic Full Disk Encryption
SDK
Software Development Kit
TOTP
Time-based One Time Password
NIC
Network Interface Card
RTOS
Real-Time Operating System
IaC
Infrastructure as Code - the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools
CTR
Counter Mode - makes a block cipher into a stream cipher by generating a keystream block from a non-repeating counter sequence for each block. This allows data to be streamed instead of waiting for full blocks to be ready to send
SAN
Subject Alternative Name - a SAN certificate allows multiple hostnames to be protected by the same certificate
VIP
Virtual IP Address
NAT
Network Address Translation - NAT gateways hide internal IP addresses from the outside, preventing direct connections to systems behind them. This effectively firewalls inbound traffic unless the gateway is configured to forward traffic to an internal host for a specific IP, port, and protocol
Secure HTTP
Port 443
UTM
Unified Threat Management
DLP
Data Loss Prevention
HIPS
Host-based intrusion prevention system
IdP
Identity Provider
PEAP
Protected Extensible Authentication Protocol - relies on server-side certificates and on tunneling to ensure communications security
LEAP
Lightweight Extensible Authentication Protocol - uses WEP keys for its encryption and is not recommended due to security issues
EAP-TLS
EAP Transport Layer Security - requires certificates on both the client and server, consuming more management overhead
DNSSEC
Domain Name System Security Extensions - provide the ability to validate DNS data, authenticated denial of existence, and data integrity for DNS
VDI
Virtual Desktop Infrastructure
PAM
Privileged Access Management
EDR
Endpoint Detection and Response
PEM
Privacy Enhanced Mail - the most common format issued by certificate authorities
DER
Distinguished Encoding Rules - the binary encoding of a certificate; the ASCII-text PEM format is a text encoding of DER
NTP
Network Time Protocol
EV
Extended Validation certificates prove that the X.509 certificate has been issued to the correct legal entity. Additionally, only specific certificate authorities (CAs) can issue EV certificates
NG SWG
Next-Generation Secure Web Gateway - adds features beyond those found in cloud access security brokers and next-generation firewalls. While features vary, they may include web filtering, TLS decryption to allow traffic analysis and advanced threat protection, cloud access security broker (CASB) features, data loss prevention (DLP), and other advanced capabilities
OCSP
Online Certificate Status Protocol
CRL
Certificate Revocation List
RA
Registration Authority - receives requests for new certificates as well as renewal requests for existing certificates
SRTP
Secure Real-Time Transport Protocol - used primarily for Voice over IP (VoIP) and multimedia streaming or broadcast. It does not fully protect packets: RTP headers are left exposed, which may reveal information about the data being transferred
AH
Authentication Header - an IPsec protocol that does not provide data confidentiality because it secures only the header, not the payload. AH provides integrity and replay protection but leaves the rest of the data at risk
COOP
Continuity of Operations Planning
FEMA
Federal Emergency Management Agency
SIP
Session Initiation Protocol
CAM
Content-Addressable Memory - the CAM tables on switches contain a list of all the devices they have talked to and give the best chance of identifying the devices on a network
SLA
Service Level Agreement - defines the level of service the customer expects from the service provider. The service definitions should be specific and measurable in each area
MOU
Memorandum of Understanding - a legal document that describes a mutual agreement between parties
ISA
Interconnection Security Agreement - an agreement that specifies the technical and security requirements of the interconnection between organizations
BPA
Business Partnership Agreement - a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners
DPO
Data Protection Officer - required by the GDPR. The DPO oversees the organization's data protection strategy and implementation and makes sure the organization complies with the GDPR
GDPR
General Data Protection Regulation - a standard for data privacy and security in the European Union (EU)
SPOF
Single Point of Failure
RTO
Recovery Time Objective
RPO
Recovery Point Objective - specifies the allowable data loss: the amount of time that can pass during an interruption before the quantity of data lost surpasses the business continuity plan's maximum acceptable threshold
MTBF
Mean Time Between Failures - the rating on a device or component that predicts the expected time between failures
MTTR
Mean Time to Repair - the average time it takes for a failed device or component to be repaired or replaced
ARO
Annual Rate of Occurrence - the estimated probability that a threat will take place within a one-year time frame
AUP
Acceptable Use Policy - describes the limits and guidelines for users making use of an organization's physical and intellectual resources, for example allowing or limiting the use of personal email during work hours
BIA
Business Impact Analysis - helps identify critical systems by determining which systems would create the largest impact if they were unavailable
CIS
Center for Internet Security - its benchmarks provide recommendations for how to secure an operating system, application, or other covered technology
PCI-DSS
Payment Card Industry Data Security Standard - a security standard that is mandated by credit card vendors. The Payment Card Industry Security Standards Council is responsible for updates and changes to the standard
COPPA
Children’s Online Privacy Protection Act - a U.S. federal law
NDA
Nondisclosure Agreement - signed by an employee at the time of hiring; imposes a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches
SSAE
Statement on Standards for Attestation Engagements
MSA
Master Services Agreement - establishes a business relationship under which additional work orders or other documentation describe the actual work that is done
TCP
Transmission Control Protocol - connection-based protocol; slower but more reliable than UDP
UDP
User Datagram Protocol - connectionless protocol; faster than TCP but less reliable
IMAP4
Internet Message Access Protocol version 4
POP3
Post Office Protocol version 3
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol over SSL/TLS
SSL
Secure Sockets Layer
DNS
Domain Name System
DNSSEC
Domain Name System Security Extensions
SMTP
Simple Mail Transfer Protocol
RC4
Rivest Cipher version 4
WEP
Wired Equivalent Privacy
WPA
Wi-Fi Protected Access
WPA2
Wi-Fi Protected Access 2
AES
Advanced Encryption Standard
CCMP
Counter Mode/CBC-MAC Protocol - uses a 128-bit key, a 128-bit block size, and 48-bit initialization vectors
WPA3
Wi-Fi Protected Access Version 3
WPS
Wi-Fi Protected Setup
EAP
Extensible Authentication Protocol
EAP-TLS
Extensible Authentication Protocol Transport Layer Security
EAP-TTLS
Extensible Authentication Protocol Tunneled Transport Layer Security
PEAP
Protected Extensible Authentication Protocol
LEAP
Lightweight Extensible Authentication Protocol
EAP-FAST
Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling