CASP+ Glossary Flashcards

1
Q

2 Step Verification

A

An authentication method that uses out-of-band mechanisms and generates a token server-side that is sent to the user for verification. This might be an SMS message with a code, a phone call, a push notification to a mobile phone, or an email.

2
Q

3D Printing

A

An emerging technology that uses special-purpose printers that build 3D objects rather than printing on paper. Printing is done by adding layer upon layer according to a model created with computer-aided design (CAD) software. It allows for rapid design and the creation of just about anything.

3
Q

802.1x

A

An authentication protocol that uses the Extensible Authentication Protocol (EAP) to provide authentication for wireless, Ethernet, or VPN gateway access.

4
Q

Access Control List (ACL)

A

A broad term that outlines how objects are allowed to interact with each other on a network or system. In networking, devices like switches or routers may grant or deny access based on their own ACLs. Similar to a firewall, an ACL helps filter and route traffic.

5
Q

Address Space Layout Randomization (ASLR)

A

A buffer overflow prevention control that makes it difficult to guess the memory locations of executables loaded in memory.

6
Q

Adversary Emulation

A

A discipline in cyber security that involves using the TTPs (tactics, techniques, and procedures) of a specific threat actor in a realistic way to test current defenses.

7
Q

Agile Model

A

In this approach to software development, an iterative process is used to release well-tested code in smaller blocks. Development is continuous. It is adaptive, allowing for changes throughout the process. It focuses on rapid development, sometimes at the expense of security.

8
Q

Air Gap

A

A host that is physically disconnected from any network, so that the network is protected by being segmented from that host (this is a form of segregation).

9
Q

Aircrack-ng

A

A suite of tools for assessing and analyzing Wi-Fi. It is used to monitor, attack, test, and crack Wi-Fi networks.

10
Q

Analytical Zone

A

A form of cloud-based data zone where data is used for practical purposes.

11
Q

Annual Loss Expectancy (ALE)

A

The total cost of all the single loss events that happen over the course of a year, added together. ALE = SLE x ARO

12
Q

Annual Rate of Occurrence (ARO)

A

The number of times in a year that a single loss event occurs.

13
Q

Anonymization

A

A process that removes data that could be used to uniquely identify a person. It is a common requirement in compliance laws.

14
Q

AV Software

A

Software that detects and identifies malicious software on an endpoint. Originally, AV programs were signature-based file scans that would detect viruses, but now they also monitor when processes are launched, intercept them, and look for signature matches.

15
Q

API CASB Configuration

A

A configuration of a CASB (Cloud Access Security Broker) where an API brokers the connection between the cloud provider and the customer.

16
Q

Application Virtualization

A

A client accesses an application hosted on a server. This usually occurs through a browser. It allows specific apps to be shared from a single server through a user's browser.

17
Q

Asset Reporting Format (ARF)

A

A SCAP language that correlates reporting formats to device information.

18
Q

Asset Value

A

Within qualitative risk analysis, this is the value that a given asset is worth.

19
Q

Attestation of Compliance

A

The set of policies, contracts, and standards between two entities that have been designated as essential. It identifies how the relationship will be governed, including how incidents will be reported and addressed, the use of independent auditors, data protection requirements, and violation agreements.

20
Q

Attribute Based Access Control (ABAC)

A

A fine-grained access control method that uses a combination of any attributes to determine a user's access level. It uses the eXtensible Access Control Markup Language (XACML).

21
Q

Authentication Bypass

A

An attack that exploits how logins are received and processed by web applications. An example would be sending a SQL string rather than the login credentials the application is expecting.

22
Q

AWS CloudTrail

A

An audit logging service for AWS applications.

23
Q

AWS CloudWatch

A

A graphical reporting and analytics service that provides monitoring and alerting in AWS.

24
Q

BGP/Route Hijacking

A

An attack that involves hijacking BGP routing. BGP is the routing protocol of the Internet. It was designed when security was not a consideration, so it depends on interconnected networks to truthfully and accurately maintain the routing tables.

25
Q

Big Data

A

Data collections that are too big for traditional database tools to utilize. Ideally suited to AI, as the larger the dataset for the AI to study, the more effective it will be.

26
Q

Binwalk

A

A tool that can be used to inspect binary firmware image files to better understand what is inside the file itself.

27
Q

Blob Storage

A

A cloud-based storage model that supports the storage of large amounts of unstructured data. It is used to store archives and backups.

28
Q

Block Cipher

A

An encryption method where plaintext is separated into equal-sized blocks, usually 128 bits in size. If there isn't enough data to fill a block, it is padded to make up the rest of the space. Each block is then encrypted based on the mode of operation being used.

29
Q

Block Storage

A

A cloud-based storage model that supports high-performance, transactional apps like databases.

30
Q

Bootstrapping

A

A method of automation in a cloud deployment that involves automatically deploying instances.

31
Q

BYOD

A

Bring your own device
A mobile device policy where the employee owns the device, but the device must meet corporate specifications and allow auditing. With this type of policy, it is not as easy to fully secure devices as when they are corporately owned and issued by the co

32
Q
A