deck 0 Flashcards
6to4
A protocol that provides unicast IPv6/IPv4 connectivity between IPv6 sites and hosts across the IPv4 Internet.
802.11
A family of protocols developed by the IEEE for wireless LAN communication between wireless devices or between wireless devices and a base station.
802.1X
An IEEE standard used to provide a port-based authentication mechanism over a LAN or wireless LAN.
AAR
(after-action report) A document that includes an analysis of security events and incidents that can provide insight into directions you may take to enhance security for the future.
ACL
(access control list) A security mechanism that specifies which objects in a system have which permissions.
Active Directory
The LDAP-based directory service from Microsoft that runs on Microsoft Windows servers.
AES
(Advanced Encryption Standard) A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.
agile method
A software development method that focuses on iterative and incremental development to account for evolving requirements and expectations.
AI
(artificial intelligence) A scientific discipline that encompasses human-like intelligence exhibited by non-living machines.
ALE
(annual loss expectancy) The total cost of a risk to an organization on an annual basis.
Android fragmentation
The condition in which users are running many different versions of the Android operating system as a result of original equipment manufacturers (OEMs) and mobile carriers manufacturing Android devices that cannot easily upgrade to the latest versions of the operating system.
application blacklist
A list of apps that are blocked from accessing a host or working with the host in some way. Apps not on the list are allowed.
application permissions
The process of a mobile application asking the user for specific access privileges to the operating system.
application sandboxing
An app security technique used to segregate an application from other applications and data on a system.
application security framework
A framework that can be embedded into standard software development processes to make it easier to apply security throughout the lifecycle.
application streaming
The process of a server providing a thin client with access to as little of an application’s resources as it needs to do its work.
application whitelist
A list of apps that are allowed to access a host or work with the host in some way. Apps not on the list are blocked.
application wrapping
The process of adding a layer of control over one or more apps on a device.
AppLocker
A feature of Active Directory environments that enables an administrator to restrict what software users can run on their systems.
ARO
(annual rate of occurrence) How many times per year a particular loss is expected to occur.
ASLR
(address space layout randomization) An operating system security technique that randomizes where components of a running process are placed in memory.
asset management
The process of maintaining a detailed record of technology resources for periodic review by network and security administrators.
attestation
The technique of verifying that only the individuals who need certain access privileges have those privileges. Attestation is also the process of verifying that no tampering has occurred in a system protected by a TPM.
augmented reality
Technology that modifies one’s view of physical reality by enhancing certain elements of an environment or incorporating new ones.
authentication
The process of validating a particular entity or individual’s identity.
authorization
The process of determining what rights and privileges a particular entity has after the entity has been authenticated.
availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
baiting
A social engineering attack in which an attacker plants physical media in an area where someone will find it and then promptly use it.
bare metal
The physical (non-virtual) hardware of a host.
BAS
(building automation system) A system that monitors and controls various operational resources in a building, including lighting systems, power systems, ventilation, alarms, plumbing, and miscellaneous physical security systems.
baseband processor
A component in a mobile device that handles radio frequency communication other than that which uses Wi-Fi and Bluetooth.
BCP
(business continuity planning) The process of defining how normal day-to-day business will be maintained in the event of a business disruption or crisis.
bcrypt
A key derivation function based on the Blowfish cipher algorithm.
behavioral analytics
The process of identifying the way in which an entity acts, and then reviewing future behavior to see if it deviates from the norm.
BGP
(Border Gateway Protocol) A network protocol that exchanges routing and reachability information between edge routers across the Internet.
BIA
(business impact analysis) A document that identifies present organizational risks and determines the impact to ongoing, business-critical operations if such risks actualize.
big data
Data collections that are so large and complex that they are difficult for traditional database tools to manage.
BIOS
(Basic Input/Output System) A firmware interface that initializes hardware for an operating system boot.
bitcoin
The first and most prominent cryptocurrency.
bitcoin mining
The process of performing mathematical operations to discover new blocks in the bitcoin blockchain.
black box test
A penetration test in which the tester is given little to no information regarding the systems or network being tested.
black hole routing
A network security technique that drops traffic before it reaches its intended destination, and without alerting the source of this.
block cipher
A type of symmetric encryption algorithm that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.
block-level encryption
Technology that encrypts blocks of stored data in fixed sizes.
blockchain
A concept in which an expanding list of transactional records is secured using cryptography.
bluejacking
A wireless attack where an attacker sends unwanted Bluetooth signals from a smartphone, mobile phone, tablet, or laptop to other Bluetooth-enabled devices.
bluesnarfing
A wireless attack where an attacker gains access to unauthorized information on a wireless device by using a Bluetooth connection.
Bluetooth
A short-range wireless radio network transmission medium normally used to connect two personal devices, such as a mobile phone and a wireless headset.
BPA
(business partnership agreement) An agreement that defines how a business partnership will be conducted.
brand damage
The devaluation of a company’s image after the company fails to meet customer expectations, especially if it mishandles personal information.
buffer overflow
A vulnerability that occurs when an application copies data into an allocated memory buffer that is not large enough to accommodate it.
BYOD
(bring your own device) An emerging phenomenon in which employees use their personal mobile devices in the workplace.
CA
(certificate authority) A server that can issue digital certificates and the associated public/private key pairs.
canary
In programming, a technique used to alert an app to the possible overwriting of a buffer and a resulting overflow condition.
CASB
(cloud access security broker) A security gateway provided by SECaaS vendors that sits between the organization’s on-premises network and the cloud network, ensuring that traffic both ways complies with policy.
CBA
(cost–benefit analysis) The process of weighing the benefit of using a solution against the cost to implement, use, and maintain it.
CC
(Common Criteria) A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system.
CERT
(computer emergency response team) A team of security professionals that provide incident response services to the private and public sectors.
certificate pinning
A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
certificate-based authentication
An authentication method in which identity is verified through the use of digital certificates.
chain of custody
The record of evidence handling from collection, to presentation in court, to disposal.
change monitoring
The process by which some mechanism watches a system for any alterations to a configured baseline, and then logs, audits, and alerts the proper personnel to this change.
CHAP
(Challenge Handshake Authentication Protocol) An encrypted remote access authentication method.
CIA triad
(confidentiality, integrity, availability) The three basic principles of security control and management. Also known as the information security triad or triple.
CIS
(Center for Internet Security) A non-profit organization that provides security resources and information to various industries.
clickjacking
A web application attack in which an attacker tricks a client into clicking on a web page link that is different from where they had intended to go.
client-side processing
The set of activities performed within a browser or on a client computer as part of the interaction with the web application and data set for the application that are resident on the server.
CMDB
(configuration management database) A database that contains information on each component within an enterprise’s IT environment.
CMS
(content management system) A system that enables an enterprise to integrate documentation and other content into a centralized, easy-to-use solution.
COBIT 5
(Control Objectives for Information and Related Technologies version 5) A framework for IT management and governance created by ISACA.
code review
An examination of the source code of an application to identify potential vulnerabilities.
code signing
A form of digital signature that guarantees that source code and application binaries are authentic and have not been tampered with.
cold boot attack
An attack in which an attacker with physical access to a computer with an encrypted disk tries to retrieve encryption keys after starting the computer from its off state.
collision resistance
A goal of strong hash functions that states that it should not be possible to produce two different plaintext input values that have the same resulting hash.
color team exercise
A method of simulating a threat scenario where personnel are divided into teams assigned a certain color, where each color has a specific meaning and defines the role that an individual tester will play during the simulation.
confidentiality
The fundamental security goal of keeping information and communications private and protected from unauthorized access.
configuration lockdown
The process of preventing configurations from being altered.
container-based virtualization
A method of virtualization that runs isolated systems inside individual containers on a host operating system.
content filtering
A technique that restricts what types of content a user is allowed to access.
context-aware authentication
An authentication method in which identity is verified based on various characteristics about the entity’s environment.
continuous monitoring and improvement
The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.
cookie hijacking
An attack in which an attacker takes over a session cookie by injecting malicious code into it.
cookie poisoning
An attack in which an attacker modifies the contents of a cookie to exploit web app vulnerabilities
COOP
(continuity of operations plan) The collection of processes that outlines how an organization will maintain operations if a major adverse event were to occur. Similar to a business continuity plan (BCP).
COPE
(corporate-owned, personally enabled) A mobile deployment model in which the organization chooses which devices they want employees to work with, while still allowing the employee some freedom to use the device for personal activities.
COSO
(Committee of Sponsoring Organizations of the Treadway Commission) An industry standard that provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics.
critical infrastructure
Resources that, if damaged or destroyed, would cause significant negative impact to the economy, public health and safety, or security of a society.
CRL
(certificate revocation list) A list of certificates that were revoked before their expiration date.
CRM
(customer relationship management) The process of enabling an organization to more easily work with customers and data about customers.
crowdsourcing
The act of outsourcing work and services to a group of people, such as an online community, who aren’t internal employees of the organization.
cryptocurrency
An alternative digital currency that is secured through cryptography, typically by using a blockchain.
cryptographic module
Any software or hardware solution that implements one or more cryptographic concepts, such as different encryption and decryption algorithms.
CSIRT
(cybersecurity incident response team) A collection of personnel who work together to identify and manage information security incidents.
CSP
(Cryptographic Service Provider) A cryptographic module that implements Microsoft’s CryptoAPI.
CVE
(Common Vulnerabilities and Exposures) A dictionary of vulnerabilities maintained by the MITRE Corporation.
CVSS
(Common Vulnerability Scoring System) A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
CYOD
(choose your own device) A mobile deployment model in which the employee is essentially responsible for their device and may even be considered the owner of the device.
DAM
(database activity monitor) A database security utility that runs independently from the database and serves to monitor and report on activities.
data aggregation
The technique of mining various sources to collate information on individuals or organizations.
data at rest encryption
A method of securing data while it is stored and not being actively used.
data breach
A security incident that involves the unauthorized access of data stored in a secure location.
data in transit encryption
A method of securing data as it is exchanged between parties.
data in use encryption
A method of securing data that is currently being processed or temporarily stored in volatile memory.
data isolation
The technique of separating access and control of data from other users and services in the same system or environment.
data ownership
A concept in data management in which an individual (the owner) is ultimately responsible for that data.
data remnants
Leftover information on a storage medium even after basic attempts have been made to remove that data.
data sovereignty
The sociopolitical outlook of a nation concerning computing technology and information.
database encryption
Technology that encrypts the data stored in a database.
de facto standard
A standard that is accepted by the industry as a result of its early dominance in a marketplace that had previously seen a lack of standards.
de jure standard
A standard that has been confirmed by the appropriate standardizing bodies and is considered “official.”
de-perimeterization
The process of shifting, reducing, or removing some of the enterprise’s boundaries to facilitate interactions with the world outside of its domain.
deep learning
A type of machine learning that constructs knowledge as a hierarchy of layers, where complex classes of knowledge are defined in relation to simpler classes of knowledge in order to make more informed determinations about an environment.
deployment diagram
A map of the physical or logical arrangement of all nodes in a system, typically a network (that is, its topology).
deployment model
A framework for defining how a particular system will be put to use in an organization.
DevOps
The practice of combining and integrating software development and systems operations.
Diameter
An authentication protocol that improves on RADIUS through failover and per-packet confidentiality.
digital certificate
An electronic document that associates credentials with a public key.
digital signature
A message digest that has been encrypted again with a user’s private key.
digital watermarking
A digital rights management (DRM) mechanism that uses steganographic techniques to embed data within media to enforce copyright protection.
direct object reference
In programming, a reference to the actual name of a system object that the application uses.
directory service
A centralized authentication system used to provide a consistent and scalable mechanism to control access to applications, services, and systems.
DLP
(data loss/leak prevention) A software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands.
DMZ
(demilitarized zone) A small section of a private network that is located behind one firewall or between two firewalls and made available for public access.
DNS
(Domain Name System) A type of directory service that presents a hierarchical naming system for entities connected to a network.
DNSSEC
(Domain Name System Security Extension) A set of specifications to provide an added level of security to DNS.
DOM-based attack
(Document Object Model-based attack) A cross-site scripting (XSS) attack in which an attacker takes advantage of a web app’s client-side implementation of JavaScript to execute their attack solely on the client.
DPI
(deep packet inspection) Technology that provides a view of the entire contents of a network packet’s payload.
DRM
(digital rights management) Technology that attempts to control how digital content can and cannot be used after it is published.
dumpster diving
A social engineering attack in which an attacker reclaims important information by inspecting the contents of trash containers.
e-discovery
(electronic discovery) The process of identification, collection, analysis, and retention of electronic data for the discovery phase of litigation.
EAL
(Evaluation Assurance Level) A rating from 1 to 7 that states the level of secure features offered by an operating system as defined by the Common Criteria (CC).
EAP
(Extensible Authentication Protocol) A wireless authentication framework with various methods that define parameters used in authentication.
ECC
(elliptic curve cryptography) An asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields.
EDR
(endpoint detection and response) Technology that enables security professionals to gain greater insights into advanced security threats that target endpoints or use endpoints as a vector in a larger attack.
EFS
(Encrypting File System) Microsoft Windows file encryption technology that targets files and folders on an NTFS file system architecture.
eFuse
Technology that can actively change the logic of a computer chip at will to mitigate performance issues and prevent downgrading of firmware.
endpoint
Any host that is exposed to another host in a communication channel.
enterprise resilience
The ability for an enterprise to adapt to changes that affect business operations, as well as its ability to evolve and meet future challenges with greater preparedness.
ERM
(enterprise risk management) The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
ERP
(enterprise resource planning) The process that enables an organization to monitor the day-to-day business operations of the enterprise and report on the status of various resources and activities.
ESA
(enterprise security architecture) A framework for defining the baseline, goals, and methods used to secure a business.
ESB
(enterprise service bus) Middleware software that enables integration and communication between applications throughout the enterprise.
exception handling
The technique by which an application responds to unexpected errors.
exploitation framework
A tool that provides a consistent and reliable environment to create and execute exploit code against a target.
FDE
(full disk encryption) Technology that encrypts an entire storage drive at the hardware level.
FIM
(file integrity monitoring) The technique of evaluating operating system files and other data files to ensure that they have not been tampered with.
fingerprinting
The reconnaissance technique of determining the type of operating system and services a target uses by studying the types of packets and the characteristics of these packets during a communication session.
FIPS
(Federal Information Processing Standards) Computer-based standards developed by the U.S. government that apply to non-military government organizations and contractors.
FISMA
(Federal Information Security Management Act) A law enacted in 2002 that includes several provisions that require federal organizations to more clearly document and assess information systems security.
fuzzer
A tool that sends an application random input data to see if it will crash or expose a vulnerability.
fuzzing
An app security testing method that identifies vulnerabilities and weaknesses in applications by sending the application a range of random or unusual input data and noting any failures and crashes that result.
gap analysis
The process of identifying the difference between the current state of an environment and the desired state of that environment, and identifying the steps required to close that gap.
geofencing
Technology that creates a virtual boundary that can enable or disable functionality for a device if it is located in a particular area.
geotagging
The process of actively adding geographical identification metadata to an app or its data.
GLBA
(Gramm-Leach-Bliley Act) A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual’s financial information that is held by financial institutions.
good governance
Processes that enable an organization to make the best possible decisions with respect to governance.
GPG
(GNU Privacy Guard) A free, open source version of PGP that provides the equivalent encryption and authentication services.
GRC
(governance, risk management, and compliance) A solution for monitoring these three security concepts as they are implemented in an enterprise.
HCI
(hyperconverged infrastructure) A converged infrastructure that virtualizes all IT components instead of relying on physical systems.
heuristic analytics
The process of identifying the way in which an entity acts in a specific environment and making decisions about the nature of the entity based on this.
homomorphic encryption
A form of encryption that protects data in use by enabling ciphertext input to produce a processing output that is the same as if the input had been in plaintext.
horizontal privilege escalation
An attack in which an attacker accesses or modifies specific resources that they are not entitled to, such as another user’s private information.
HSM
(hardware security module) A physical device that provides root of trust capabilities.
IA
(interoperability agreement) The general term for any document that outlines a business partnership or collaboration in which all entities exchange some resources while working together.
IaaS
(Infrastructure as a Service) A cloud service model in which the cloud service provides access to any or all infrastructure needs a client may have.
ICS
(industrial control system) Any system that enables users to control industrial and critical infrastructure assets.
identity federation
The practice of linking a single identity across multiple disparate identity management systems.
identity proofing
The process of verifying that identity characteristics and credentials are accurate and unique to the individual.
identity propagation
The technique of replicating an authenticated identity through various processes in a system.
IETF
(Internet Engineering Task Force) An organization that develops Internet standards and publishes the Request for Comments (RFC).
IMA
(Integrity Measurement Architecture) An open source Linux subsystem and TPM-based method of verifying trusted computing.
INE
(inline network encryptor) A device that ensures the confidentiality and integrity of data in transit between networks and network segments.
information assurance
The concept of protecting information’s confidentiality, integrity, availability, authenticity, and non-repudiation.
IrDA
(Infrared Data Association) A set of protocols for wireless communication using infrared signals.
ISA
(interconnection security agreement) A type of business agreement that is geared toward the information systems of partnered entities to ensure that the use of inter-organizational technology meets a certain security standard.
ISATAP
(Intra-Site Automatic Tunnel Addressing Protocol) An IPv6 transition mechanism that transmits IPv6 packets between dual-stack nodes on top of an IPv4 network.
ISO
(International Organization for Standardization) An organization with global reach that promotes standards for many different industries.
ISO/IEC 27001
(International Organization for Standardization/International Electrotechnical Commission 27001) A standard model for information systems management practices.
IT governance
(information technology governance) A concept in which stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies and creating value for the business.
ITIL
(Information Technology Infrastructure Library) A comprehensive IT management structure derived from recommendations originally developed by the United Kingdom Government’s Central Computer and Telecommunications Agency (CCTA).
key escrow
A method for backing up private keys to protect them while allowing trusted third parties to access the keys under certain conditions.
KPI
(key performance indicator) A quantifiable metric used to determine if a system or other asset is meeting the enterprise’s strategic and operational goals.
KRI
(key risk indicator) A metric that measures how much risk a particular task or asset will bring to the organization.
MAB
(MAC Authentication Bypass) A mechanism that can determine whether or not a device supports 802.1X, and if it doesn’t, the port will send the device’s MAC address to the authentication server as credentials.
MAC
(message authentication code) Mathematical functions that verify both integrity and authenticity of messages.
MITRE Corporation
A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.
MOU
(memorandum of understanding) An informal business agreement that is not legally binding and does not involve the exchange of money.
MSA
(master service agreement) An agreement that lays the groundwork for any future business documents that two parties may agree to.
MSSP
(managed security service provider) An organization that provides SECaaS/managed security services.
MTBF
(mean time between failures) The rating on a device or component that predicts the expected time between failures.
MTD
(maximum tolerable downtime) The longest period of time a business can be inoperable without causing irrevocable business failure.
MTTF
(mean time to failure) The average time a device or component is expected to be in operation.
MTTR
(mean time to repair/replace/recover) The average time taken for a device or component to be repaired, replaced, or otherwise recovered from a failure.
NAC
(Network Access Control) The collected protocols, policies, and hardware that govern access on device network interconnections.
NIST 800 Series
(National Institute of Standards and Technology 800 Series) A U.S. government publication that focuses on implementing a wide range of cybersecurity practices.
NX bit
(no-execute bit) A security technique that creates an area in memory that cannot be executed by the operating system.
OAuth
A token-based authorization protocol that is often used in conjunction with OpenID.
OCSP
(Online Certificate Status Protocol) An HTTP-based alternative to a certificate revocation list that checks the status of certificates.
OLA
(operating-level agreement) A business agreement that outlines the relationship between divisions or departments in an organization.
PaaS
(Platform as a Service) A cloud service model in which the cloud service provides virtual systems, such as operating systems, to customers.
PAP
(Password Authentication Protocol) A remote access authentication service that sends user IDs and passwords as plaintext.
PBKDF2
(Password-Based Key Derivation Function 2) A key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks.
PEAP
(Protected Extensible Authentication Protocol) An open standard that encapsulates EAP in an encrypted Transport Layer Security (TLS) tunnel.
PFS
(perfect forward secrecy) A characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key.
PGP
(Pretty Good Privacy) A method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.
pharming
A social engineering attack in which an attacker redirects a user’s request for a website to their own similar-looking, but fake, website.
qualitative analysis
A risk analysis method that uses descriptions and words to measure the likelihood and impact of risk.
quantitative analysis
A risk analysis method that is based completely on numeric values.
RADIUS
(Remote Authentication Dial-In User Service) A standard protocol for providing centralized authentication and authorization services for remote users.
RC4
The most used and well-known stream cipher.
reflected attack
A cross-site scripting (XSS) attack in which an attacker crafts a malicious form or other request to be sent to a legitimate web server. The victim selects the malicious request and the script is sent to the server and reflected off it onto the victim’s browser.
regression testing
A testing method that evaluates whether or not changes in software have caused previously existing functionality to fail.
RFC
(Request for Comments) A collection of documents that detail standards and protocols for Internet-related technologies.
RFI
(request for information) The first phase in the contract requirement process, in which a company sends out notices to prospective vendors or contractors asking them for their experience and qualification in filling the business’s need for services or equipment.
RFP
(request for proposal) The second phase in the contract requirement process, in which a company asks prospective vendors or contractors for their proposed solutions to the business’s needs.
RFQ
(request for quote) The third phase in the contract requirement process, in which a company negotiates the financial details of their relationship with prospective vendors or contractors.
risk acceptance
The response of taking no additional action after identifying and analyzing a risk.
risk analysis
The security process used for assessing risk damages that can affect an organization.
risk avoidance
The response of eliminating the source of a risk so that the risk is removed entirely.
risk exposure
The property that dictates how susceptible an organization is to loss.
risk management
The cyclical process of identifying, assessing, analyzing, and responding to risks.
risk mitigation
The response of reducing risk to fit within an organization’s risk appetite.
risk transference
The response of moving the responsibility of risk to another entity.
RPO
(recovery point objective) The longest period of time that an organization can tolerate lost data being unrecoverable.
RTBH
(remotely triggered black hole) An advanced black hole routing technique that alters routing tables to provide a more effective and granular means of mitigating DDoS traffic with minimal collateral damage.
RTO
(recovery time objective) The length of time it takes after an event to resume normal business operations and activities.
SaaS
(Software as a Service) A cloud service model in which the cloud service provides applications to users.
SCADA
(supervisory control and data acquisition) A type of industrial control system that typically monitors water, gas, and electrical assets, and can issue remote commands to those assets.
SCAP
(Security Content Automation Protocol) A framework developed by the National Institute of Standards and Technology (NIST) that automates the vulnerability management process, including identifying flaws in security configurations.
SCEP
(Simple Certificate Enrollment Protocol) A protocol that provides a scalable means to request and enroll digital certificates.
SDN
(software-defined networking) An approach to networking architecture that simplifies management by separating systems that control where traffic is sent from systems that actually forward this traffic to its destination.
SECaaS
(Security as a Service) A cloud service model in which the cloud service shoulders the responsibility of building, maintaining, and hosting security technologies for a client.
Shibboleth
An identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.
SLA
(service-level agreement) A business agreement that outlines what services and support will be provided to a client.
SLE
(single loss expectancy) The financial loss expected from a single adverse event.
SMiShing
A phishing variant in which an attacker uses SMS messages to entice a victim.
SOX
(Sarbanes-Oxley Act) A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.
spear phishing
A type of phishing attack in which an attacker targets a specific individual or institution.
SPML
(Service Provisioning Markup Language) An XML-based authorization framework used primarily for automating and managing the provisioning of resources across networks and organizations.
TCG
(Trusted Computing Group) An implementation of TPM that is used to verify trusted operating systems.
TCO
(total cost of ownership) The total cost of a solution beyond its acquisition cost, when all additional costs are factored in.
Teredo
A NAT traversal technology that enables IPv6 Teredo traffic to cross one or more NATs to access other Teredo hosts on the IPv4 Internet or the IPv6 Internet through a Teredo relay.
TOCTTOU
(time of check to time of use) A race condition vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.