deck 0 Flashcards

1
Q

6to4

A

A protocol that provides unicast IPv6/IPv4 connectivity between IPv6 sites and hosts across the IPv4 Internet.

2
Q

802.11

A

A family of protocols developed by the IEEE for wireless LAN communication between wireless devices or between wireless devices and a base station.

3
Q

802.1X

A

An IEEE standard used to provide a port-based authentication mechanism over a LAN or wireless LAN.

4
Q

AAR

A

(after-action report) A document that includes an analysis of security events and incidents that can provide insight into directions you may take to enhance security for the future.

5
Q

ACL

A

(access control list) A security mechanism that specifies which objects in a system have which permissions.

6
Q

Active Directory

A

The LDAP-based directory service from Microsoft that runs on Microsoft Windows servers.

7
Q

AES

A

(Advanced Encryption Standard) A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

8
Q

agile method

A

A software development method that focuses on iterative and incremental development to account for evolving requirements and expectations.

9
Q

AI

A

(artificial intelligence) A scientific discipline that encompasses human-like intelligence exhibited by non-living machines.

10
Q

ALE

A

(annual loss expectancy) The total cost of a risk to an organization on an annual basis.

11
Q

Android fragmentation

A

The condition in which users are running many different versions of the Android operating system as a result of original equipment manufacturers (OEM) and mobile carriers manufacturing Android devices that cannot easily upgrade to the latest versions of the operating system.

12
Q

application blacklist

A

A list of apps that are blocked from accessing a host or working with the host in some way. Apps not on the list are allowed.

13
Q

application permissions

A

The process of a mobile application asking the user for specific access privileges to the operating system.

14
Q

application sandboxing

A

An app security technique used to segregate an application from other applications and data on a system.

15
Q

application security framework

A

A framework that can be embedded into standard software development processes to make it easier to apply security throughout the lifecycle.

16
Q

application streaming

A

The process of a server providing a thin client with access to as little of an application’s resources as it needs to do its work.

17
Q

application whitelist

A

A list of apps that are allowed to access a host or work with the host in some way. Apps not on the list are blocked.

18
Q

application wrapping

A

The process of adding a layer of control over one or more apps on a device.

19
Q

AppLocker

A

A feature of Active Directory environments that enables an administrator to restrict what software users can run on their systems.

20
Q

ARO

A

(annual rate of occurrence) How many times per year a particular loss is expected to occur.

21
Q

ASLR

A

(address space layout randomization) An operating system security technique that randomizes where components of a running process are placed in memory.

22
Q

asset management

A

The process of maintaining a detailed record of technology resources for periodic review by network and security administrators.

23
Q

attestation

A

The technique of verifying that only the individuals who need certain access privileges have those privileges. Attestation is also the process of verifying that no tampering has occurred in a system protected by a TPM.

24
Q

augmented reality

A

Technology that modifies one’s view of physical reality by enhancing certain elements of an environment or incorporating new ones.

25
Q

authentication

A

The process of validating a particular entity or individual’s identity.

26
Q

authorization

A

The process of determining what rights and privileges a particular entity has after the entity has been authenticated.

27
Q

availability

A

The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.

28
Q

baiting

A

A social engineering attack in which an attacker plants physical media in an area where someone will find it and then promptly use it.

29
Q

bare metal

A

The physical (non-virtual) hardware of a host.

30
Q

BAS

A

(building automation system) A system that monitors and controls various operational resources in a building, including lighting systems, power systems, ventilation, alarms, plumbing, and miscellaneous physical security systems.

31
Q

baseband processor

A

A component in a mobile device that handles radio frequency communication other than that which uses Wi-Fi and Bluetooth.

32
Q

BCP

A

(business continuity planning) The process of defining how normal day-to-day business will be maintained in the event of a business disruption or crisis.

33
Q

bcrypt

A

A key derivation function based on the Blowfish cipher algorithm.

34
Q

behavioral analytics

A

The process of identifying the way in which an entity acts, and then reviewing future behavior to see if it deviates from the norm.

35
Q

BGP

A

(Border Gateway Protocol) A network protocol that exchanges routing and reachability information between edge routers across the Internet.

36
Q

BIA

A

(business impact analysis) A document that identifies present organizational risks and determines the impact to ongoing, business-critical operations if such risks actualize.

37
Q

big data

A

Data collections that are so large and complex that they are difficult for traditional database tools to manage.

38
Q

BIOS

A

(Basic Input/Output System) A firmware interface that initializes hardware for an operating system boot.

39
Q

bitcoin

A

The first and most prominent cryptocurrency.

40
Q

bitcoin mining

A

The process of performing mathematical operations to discover new blocks in the bitcoin blockchain.

41
Q

black box test

A

A penetration test in which the tester is given little to no information regarding the systems or network being tested.

42
Q

black hole routing

A

A network security technique that drops traffic before it reaches its intended destination, and without alerting the source of this.

43
Q

block cipher

A

A type of symmetric encryption algorithm that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.

44
Q

block-level encryption

A

Technology that encrypts blocks of stored data in fixed sizes.

45
Q

blockchain

A

A concept in which an expanding list of transactional records is secured using cryptography.

46
Q

bluejacking

A

A wireless attack where an attacker sends unwanted Bluetooth signals from a smartphone, mobile phone, tablet, or laptop to other Bluetooth-enabled devices.

47
Q

bluesnarfing

A

A wireless attack where an attacker gains access to unauthorized information on a wireless device by using a Bluetooth connection.

48
Q

Bluetooth

A

A short-range wireless radio network transmission medium normally used to connect two personal devices, such as a mobile phone and a wireless headset.

49
Q

BPA

A

(business partnership agreement) An agreement that defines how a business partnership will be conducted.

50
Q

brand damage

A

The devaluation of a company’s image after the company fails to meet customer expectations, especially if it mishandles personal information.

51
Q

buffer overflow

A

A vulnerability that occurs when an application copies data into an allocated memory buffer that is not large enough to accommodate it.

52
Q

BYOD

A

(bring your own device) An emerging phenomenon in which employees use their personal mobile devices in the workplace.

53
Q

CA

A

(certificate authority) A server that can issue digital certificates and the associated public/private key pairs.

54
Q

canary

A

In programming, a technique used to alert an app to the possible overwriting of a buffer and a resulting overflow condition.

55
Q

CASB

A

(cloud access security broker) A security gateway provided by SECaaS vendors that sits between the organization’s on-premises network and the cloud network, ensuring that traffic both ways complies with policy.

56
Q

CBA

A

(cost–benefit analysis) The process of weighing the benefit of using a solution against the cost to implement, use, and maintain it.

57
Q

CC

A

(Common Criteria) A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system.

58
Q

CERT

A

(computer emergency response team) A team of security professionals that provide incident response services to the private and public sectors.

59
Q

certificate pinning

A

A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

60
Q

certificate-based authentication

A

An authentication method in which identity is verified through the use of digital certificates.

61
Q

chain of custody

A

The record of evidence handling from collection, to presentation in court, to disposal.

62
Q

change monitoring

A

The process by which some mechanism watches a system for any alterations to a configured baseline, and then logs, audits, and alerts the proper personnel to this change.

63
Q

CHAP

A

(Challenge Handshake Authentication Protocol) An encrypted remote access authentication method.

64
Q

CIA triad

A

(confidentiality, integrity, availability) The three basic principles of security control and management. Also known as the information security triad or triple.

65
Q

CIS

A

(Center for Internet Security) A non-profit organization that provides security resources and information to various industries.

66
Q

clickjacking

A

A web application attack in which an attacker tricks a client into clicking on a web page link that is different from where they had intended to go.

67
Q

client-side processing

A

The set of activities performed within a browser or on a client computer as part of the interaction with the web application and data set for the application that are resident on the server.

68
Q

CMDB

A

(configuration management database) A database that contains information on each component within an enterprise’s IT environment.

69
Q

CMS

A

(content management system) A system that enables an enterprise to integrate documentation and other content into a centralized, easy-to-use solution.

70
Q

COBIT 5

A

(Control Objectives for Information and Related Technologies version 5) A framework for IT management and governance created by ISACA.

71
Q

code review

A

An examination of the source code of an application to identify potential vulnerabilities.

72
Q

code signing

A

A form of digital signature that guarantees that source code and application binaries are authentic and have not been tampered with.

73
Q

cold boot attack

A

An attack in which an attacker with physical access to a computer with an encrypted disk tries to retrieve encryption keys after starting the computer from its off state.

74
Q

collision resistance

A

A goal of strong hash functions that states that it should not be possible to produce two different plaintext input values that have the same resulting hash.

75
Q

color team exercise

A

A method of simulating a threat scenario where personnel are divided into teams assigned a certain color, where each color has a specific meaning and defines the role that an individual tester will play during the simulation.

76
Q

confidentiality

A

The fundamental security goal of keeping information and communications private and protected from unauthorized access.

77
Q

configuration lockdown

A

The process of preventing configurations from being altered.

78
Q

container-based virtualization

A

A method of virtualization that runs isolated systems inside individual containers on a host operating system.

79
Q

content filtering

A

A technique that restricts what types of content a user is allowed to access.

80
Q

context-aware authentication

A

An authentication method in which identity is verified based on various characteristics about the entity’s environment.

81
Q

continuous monitoring and improvement

A

The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.

82
Q

cookie hijacking

A

An attack in which an attacker takes over a session cookie by injecting malicious code into it.

83
Q

cookie poisoning

A

An attack in which an attacker modifies the contents of a cookie to exploit web app vulnerabilities.

84
Q

COOP

A

(continuity of operations plan) The collection of processes that outlines how an organization will maintain operations if a major adverse event were to occur. Similar to a business continuity plan (BCP).

85
Q

COPE

A

(corporate-owned, personally enabled) A mobile deployment model in which the organization chooses which devices they want employees to work with, while still allowing the employee some freedom to use the device for personal activities.

86
Q

COSO

A

(Committee of Sponsoring Organizations of the Treadway Commission) An industry standard that provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics.

87
Q

critical infrastructure

A

Resources that, if damaged or destroyed, would cause significant negative impact to the economy, public health and safety, or security of a society.

88
Q

CRL

A

(certificate revocation list) A list of certificates that were revoked before their expiration date.

89
Q

CRM

A

(customer relationship management) The process of enabling an organization to more easily work with customers and data about customers.

90
Q

crowdsourcing

A

The act of outsourcing work and services to a group of people, such as an online community, who aren’t internal employees of the organization.

91
Q

cryptocurrency

A

An alternative digital currency that is secured through cryptography, typically by using a blockchain.

92
Q

cryptographic module

A

Any software or hardware solution that implements one or more cryptographic concepts, such as different encryption and decryption algorithms.

93
Q

CSIRT

A

(cybersecurity incident response team) A collection of personnel who work together to identify and manage information security incidents.

94
Q

CSP

A

(Cryptographic Service Provider) A cryptographic module that implements Microsoft’s CryptoAPI.

95
Q

CVE

A

(Common Vulnerabilities and Exposures) A dictionary of vulnerabilities maintained by the MITRE Corporation.

96
Q

CVSS

A

(Common Vulnerability Scoring System) A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

97
Q

CYOD

A

(choose your own device) A mobile deployment model in which the employee is essentially responsible for their device and may even be considered the owner of the device.

98
Q

DAM

A

(database activity monitor) A database security utility that runs independently from the database and serves to monitor and report on activities.

99
Q

data aggregation

A

The technique of mining various sources to collate information on individuals or organizations.

100
Q

data at rest encryption

A

A method of securing data while it is stored and not being actively used.

101
Q

data breach

A

A security incident that involves the unauthorized access of data stored in a secure location.

102
Q

data in transit encryption

A

A method of securing data as it is exchanged between parties.

103
Q

data in use encryption

A

A method of securing data that is currently being processed or temporarily stored in volatile memory.

104
Q

data isolation

A

The technique of separating access and control of data from other users and services in the same system or environment.

105
Q

data ownership

A

A concept in data management in which an individual (the owner) is ultimately responsible for that data.

106
Q

data remnants

A

Leftover information on a storage medium even after basic attempts have been made to remove that data.

107
Q

data sovereignty

A

The sociopolitical outlook of a nation concerning computing technology and information.

108
Q

database encryption

A

Technology that encrypts the data stored in a database.

109
Q

de facto standard

A

A standard that is accepted by the industry as a result of its early dominance in a marketplace that had previously seen a lack of standards.

110
Q

de jure standard

A

A standard that has been confirmed by the appropriate standardizing bodies and is considered “official.”

111
Q

de-perimeterization

A

The process of shifting, reducing, or removing some of the enterprise’s boundaries to facilitate interactions with the world outside of its domain.

112
Q

deep learning

A

A type of machine learning that constructs knowledge as a hierarchy of layers, where complex classes of knowledge are defined in relation to simpler classes of knowledge in order to make more informed determinations about an environment.

113
Q

deployment diagram

A

A map of the physical or logical arrangement of all nodes in a system, typically a network (that is, its topology).

114
Q

deployment model

A

A framework for defining how a particular system will be put to use in an organization.

115
Q

DevOps

A

The practice of combining and integrating software development and systems operations.

116
Q

Diameter

A

An authentication protocol that improves on RADIUS through failover and per-packet confidentiality.

117
Q

digital certificate

A

An electronic document that associates credentials with a public key.

118
Q

digital signature

A

A message digest that has been encrypted again with a user’s private key.

119
Q

digital watermarking

A

A digital rights management (DRM) mechanism that uses steganographic techniques to embed data within media to enforce copyright protection.

120
Q

direct object reference

A

In programming, a reference to the actual name of a system object that the application uses.

121
Q

directory service

A

A centralized authentication system used to provide a consistent and scalable mechanism to control access to applications, services, and systems.

122
Q

DLP

A

(data loss/leak prevention) A software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands.

123
Q

DMZ

A

(demilitarized zone) A small section of a private network that is located behind one firewall or between two firewalls and made available for public access.

124
Q

DNS

A

(Domain Name System) A type of directory service that presents a hierarchical naming system for entities connected to a network.

125
Q

DNSSEC

A

(Domain Name System Security Extension) A set of specifications to provide an added level of security to DNS.

126
Q

DOM-based attack

A

(Document Object Model-based attack) A cross-site scripting (XSS) attack in which an attacker takes advantage of a web app’s client-side implementation of JavaScript to execute their attack solely on the client.

127
Q

DPI

A

(deep packet inspection) Technology that provides a view of the entire contents of a network packet’s payload.

128
Q

DRM

A

(digital rights management) Technology that attempts to control how digital content can and cannot be used after it is published.

129
Q

dumpster diving

A

A social engineering attack in which an attacker reclaims important information by inspecting the contents of trash containers.

130
Q

e-discovery

A

(electronic discovery) The process of identification, collection, analysis, and retention of electronic data for the discovery phase of litigation.

131
Q

EAL

A

(Evaluation Assurance Level) A rating from 1 to 7 that states the level of secure features offered by an operating system as defined by the Common Criteria (CC).

132
Q

EAP

A

(Extensible Authentication Protocol) A wireless authentication framework with various methods that define parameters used in authentication.

133
Q

ECC

A

(elliptic curve cryptography) An asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields.

134
Q

EDR

A

(endpoint detection and response) Technology that enables security professionals to gain greater insights into advanced security threats that target endpoints or use endpoints as a vector in a larger attack.

135
Q

EFS

A

(Encrypting File System) Microsoft Windows file encryption technology that targets files and folders on an NTFS file system architecture.

136
Q

eFuse

A

Technology that can actively change the logic of a computer chip at will to mitigate performance issues and prevent downgrading of firmware.

137
Q

endpoint

A

Any host that is exposed to another host in a communication channel.

138
Q

enterprise resilience

A

The ability for an enterprise to adapt to changes that affect business operations, as well as its ability to evolve and meet future challenges with greater preparedness.

139
Q

ERM

A

(enterprise risk management) The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

140
Q

ERP

A

(enterprise resource planning) The process that enables an organization to monitor the day-to-day business operations of the enterprise and report on the status of various resources and activities.

141
Q

ESA

A

(enterprise security architecture) A framework for defining the baseline, goals, and methods used to secure a business.

142
Q

ESB

A

(enterprise service bus) Middleware software that enables integration and communication between applications throughout the enterprise.

143
Q

exception handling

A

The technique by which an application responds to unexpected errors.

144
Q

exploitation framework

A

A tool that provides a consistent and reliable environment to create and execute exploit code against a target.

145
Q

FDE

A

(full disk encryption) Technology that encrypts an entire storage drive at the hardware level.

146
Q

FIM

A

(file integrity monitoring) The technique of evaluating operating system files and other data files to ensure that they have not been tampered with.

147
Q

fingerprinting

A

The reconnaissance technique of determining the type of operating system and services a target uses by studying the types of packets and the characteristics of these packets during a communication session.

148
Q

FIPS

A

(Federal Information Processing Standards) Computer-based standards developed by the U.S. government that apply to non-military government organizations and contractors.

149
Q

FISMA

A

(Federal Information Security Management Act) A law enacted in 2002 that includes several provisions that require federal organizations to more clearly document and assess information systems security.

150
Q

fuzzer

A

A tool that sends an application random input data to see if it will crash or expose a vulnerability.

151
Q

fuzzing

A

An app security testing method that identifies vulnerabilities and weaknesses in applications by sending the application a range of random or unusual input data and noting any failures and crashes that result.

152
Q

gap analysis

A

The process of identifying the difference between the current state of an environment and the desired state of that environment, and identifying the steps required to close that gap.

153
Q

geofencing

A

Technology that creates a virtual boundary that can enable or disable functionality for a device if it is located in a particular area.

154
Q

geotagging

A

The process of actively adding geographical identification metadata to an app or its data.

155
Q

GLBA

A

(Gramm-Leach-Bliley Act) A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual’s financial information that is held by financial institutions.

156
Q

good governance

A

Processes that enable an organization to make the best possible decisions with respect to governance.

157
Q

GPG

A

(GNU Privacy Guard) A free, open source version of PGP that provides the equivalent encryption and authentication services.

158
Q

GRC

A

(governance, risk management, and compliance) A solution for monitoring these three security concepts as they are implemented in an enterprise.

159
Q

HCI

A

(hyperconverged infrastructure) A converged infrastructure that virtualizes all IT components instead of relying on physical systems.

160
Q

heuristic analytics

A

The process of identifying the way in which an entity acts in a specific environment and making decisions about the nature of the entity based on this.

161
Q

homomorphic encryption

A

A form of encryption that protects data in use by enabling ciphertext input to produce a processing output that is the same as if the input had been in plaintext.

162
Q

horizontal privilege escalation

A

An attack in which an attacker accesses or modifies specific resources that they are not entitled to, such as another user’s private information.

163
Q

HSM

A

(hardware security module) A physical device that provides root of trust capabilities.

164
Q

IA

A

(interoperability agreement) The general term for any document that outlines a business partnership or collaboration in which all entities exchange some resources while working together.

165
Q

IaaS

A

(Infrastructure as a Service) A cloud service model in which the cloud service provides access to any or all infrastructure needs a client may have.

166
Q

ICS

A

(industrial control system) Any system that enables users to control industrial and critical infrastructure assets.

167
Q

identity federation

A

The practice of linking a single identity across multiple disparate identity management systems.

168
Q

identity proofing

A

The process of verifying that identity characteristics and credentials are accurate and unique to the individual.

169
Q

identity propagation

A

The technique of replicating an authenticated identity through various processes in a system.

170
Q

IETF

A

(Internet Engineering Task Force) An organization that develops Internet standards and publishes the Request for Comments (RFC).

171
Q

IMA

A

(Integrity Measurement Architecture) An open source Linux subsystem and TPM-based method of verifying trusted computing.

172
Q

INE

A

(inline network encryptor) A device that ensures the confidentiality and integrity of data in transit between networks and network segments.

173
Q

information assurance

A

The concept of protecting information’s confidentiality, integrity, availability, authenticity, and non-repudiation.

174
Q

IrDA

A

(Infrared Data Association) A set of protocols for wireless communication using infrared signals.

175
Q

ISA

A

(interconnection security agreement) A type of business agreement that is geared toward the information systems of partnered entities to ensure that the use of inter-organizational technology meets a certain security standard.

176
Q

ISATAP

A

(Intra-Site Automatic Tunnel Addressing Protocol) An IPv6 transition mechanism that transmits IPv6 packets between dual-stack nodes on top of an IPv4 network.

177
Q

ISO

A

(International Organization for Standardization) An organization with global reach that promotes standards for many different industries.

178
Q

ISO/IEC 27001

A

(International Organization for Standardization/International Electrotechnical Commission 27001) A standard model for information systems management practices.

179
Q

IT governance

A

(information technology governance) A concept in which stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies and creating value for the business.

180
Q

ITIL

A

(Information Technology Infrastructure Library) A comprehensive IT management structure derived from recommendations originally developed by the United Kingdom Government’s Central Computer and Telecommunications Agency (CCTA).

181
Q

key escrow

A

A method for backing up private keys to protect them while allowing trusted third parties to access the keys under certain conditions.

182
Q

KPI

A

(key performance indicator) A quantifiable metric used to determine if a system or other asset is meeting the enterprise’s strategic and operational goals.

183
Q

KRI

A

(key risk indicator) A metric that measures how much risk a particular task or asset will bring to the organization.

184
Q

MAB

A

(MAC Authentication Bypass) A mechanism that determines whether or not a device supports 802.1X; if it does not, the port sends the device’s MAC address to the authentication server as its credentials.

185
Q

MAC

A

(message authentication code) A mathematical function that verifies both the integrity and the authenticity of messages.

186
Q

MITRE Corporation

A

A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.

187
Q

MOU

A

(memorandum of understanding) An informal business agreement that is not legally binding and does not involve the exchange of money.

188
Q

MSA

A

(master service agreement) An agreement that lays the groundwork for any future business documents that two parties may agree to.

189
Q

MSSP

A

(managed security service provider) An organization that provides SECaaS/managed security services.

190
Q

MTBF

A

(mean time between failures) The rating on a device or component that predicts the expected time between failures.

191
Q

MTD

A

(maximum tolerable downtime) The longest period of time a business can be inoperable without causing irrevocable business failure.

192
Q

MTTF

A

(mean time to failure) The average time a device or component is expected to be in operation.

193
Q

MTTR

A

(mean time to repair/replace/recover) The average time taken for a device or component to be repaired, replaced, or otherwise recovered from a failure.

194
Q

NAC

A

(Network Access Control) The collected protocols, policies, and hardware that govern access on device network interconnections.

195
Q

NIST 800 Series

A

(National Institute of Standards and Technology 800 Series) A U.S. government publication that focuses on implementing a wide range of cybersecurity practices.

196
Q

NX bit

A

(no-execute bit) A security technique that creates an area in memory that cannot be executed by the operating system.

197
Q

OAuth

A

A token-based authorization protocol that is often used in conjunction with OpenID.

198
Q

OCSP

A

(Online Certificate Status Protocol) An HTTP-based alternative to a certificate revocation list that checks the status of certificates.

199
Q

OLA

A

(operating-level agreement) A business agreement that outlines the relationship between divisions or departments in an organization.

200
Q

PaaS

A

(Platform as a Service) A cloud service model in which the cloud service provides virtual systems, such as operating systems, to customers.

201
Q

PAP

A

(Password Authentication Protocol) A remote access authentication service that sends user IDs and passwords as plaintext.

202
Q

PBKDF2

A

(Password-Based Key Derivation Function 2) A key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks.

203
Q

PEAP

A

(Protected Extensible Authentication Protocol) An open standard that encapsulates EAP in an encrypted Transport Layer Security (TLS) tunnel.

204
Q

PFS

A

(perfect forward secrecy) A characteristic of session encryption that ensures that if a key used during a certain session is compromised, the compromise does not affect data previously encrypted by that key.

205
Q

PGP

A

(Pretty Good Privacy) A method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.

206
Q

pharming

A

A social engineering attack in which an attacker redirects a user’s request for a website to their own similar-looking, but fake, website.

207
Q

qualitative analysis

A

A risk analysis method that uses descriptions and words to measure the likelihood and impact of risk.

208
Q

quantitative analysis

A

A risk analysis method that is based completely on numeric values.

209
Q

RADIUS

A

(Remote Authentication Dial-In User Service) A standard protocol for providing centralized authentication and authorization services for remote users.

210
Q

RC4

A

The most used and well-known stream cipher.

211
Q

reflected attack

A

A cross-site scripting (XSS) attack in which an attacker crafts a malicious form or other request to be sent to a legitimate web server. The victim selects the malicious request, and the script is sent to the server and reflected off it into the victim’s browser.

212
Q

regression testing

A

A testing method that evaluates whether or not changes in software have caused previously existing functionality to fail.

213
Q

RFC

A

(Request for Comments) A collection of documents that detail standards and protocols for Internet-related technologies.

214
Q

RFI

A

(request for information) The first phase in the contract requirement process, in which a company sends out notices to prospective vendors or contractors asking them for their experience and qualifications in filling the business’s need for services or equipment.

215
Q

RFP

A

(request for proposal) The second phase in the contract requirement process, in which a company asks prospective vendors or contractors for their proposed solutions to the business’s needs.

216
Q

RFQ

A

(request for quote) The third phase in the contract requirement process, in which a company negotiates the financial details of its relationship with prospective vendors or contractors.

217
Q

risk acceptance

A

The response of taking no additional action after identifying and analyzing a risk.

218
Q

risk analysis

A

The security process used for assessing risk damages that can affect an organization.

219
Q

risk avoidance

A

The response of eliminating the source of a risk so that the risk is removed entirely.

220
Q

risk exposure

A

The property that dictates how susceptible an organization is to loss.

221
Q

risk management

A

The cyclical process of identifying, assessing, analyzing, and responding to risks.

222
Q

risk mitigation

A

The response of reducing risk to fit within an organization’s risk appetite.

223
Q

risk transference

A

The response of moving the responsibility of risk to another entity.

224
Q

RPO

A

(recovery point objective) The longest period of time that an organization can tolerate lost data being unrecoverable.

225
Q

RTBH

A

(remotely triggered black hole) An advanced black hole routing technique that alters routing tables to provide a more effective and granular means of mitigating DDoS traffic with minimal collateral damage.

226
Q

RTO

A

(recovery time objective) The length of time it takes after an event to resume normal business operations and activities.

227
Q

SaaS

A

(Software as a Service) A cloud service model in which the cloud service provides applications to users.

228
Q

SCADA

A

(supervisory control and data acquisition) A type of industrial control system that typically monitors water, gas, and electrical assets, and can issue remote commands to those assets.

229
Q

SCAP

A

(Security Content Automation Protocol) A framework developed by the National Institute of Standards and Technology (NIST) that automates the vulnerability management process, including identifying flaws in security configurations.

230
Q

SCEP

A

(Simple Certificate Enrollment Protocol) A protocol that provides a scalable means to request and enroll digital certificates.

231
Q

SDN

A

(software-defined networking) An approach to networking architecture that simplifies management by separating the systems that control where traffic is sent from the systems that actually forward this traffic to its destination.

232
Q

SECaaS

A

(Security as a Service) A cloud service model in which the cloud service shoulders the responsibility of building, maintaining, and hosting security technologies for a client.

233
Q

Shibboleth

A

An identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.

234
Q

SLA

A

(service-level agreement) A business agreement that outlines what services and support will be provided to a client.

235
Q

SLE

A

(single loss expectancy) The financial loss expected from a single adverse event.

236
Q

SMiShing

A

A phishing variant in which an attacker uses SMS messages to entice a victim.

237
Q

SOX

A

(Sarbanes-Oxley Act) A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.

238
Q

spear phishing

A

A type of phishing attack in which an attacker targets a specific individual or institution.

239
Q

SPML

A

(Service Provisioning Markup Language) An XML-based authorization framework used primarily for automating and managing the provisioning of resources across networks and organizations.

240
Q

TCG

A

(Trusted Computing Group) An implementation of TPM that is used to verify trusted operating systems.

241
Q

TCO

A

(total cost of ownership) The total cost of a solution beyond its acquisition cost, when all additional costs are factored in.

242
Q

Teredo

A

A NAT traversal technology that enables IPv6 Teredo traffic to cross one or more NATs to access other Teredo hosts on the IPv4 Internet or the IPv6 Internet through a Teredo relay.

243
Q

TOCTTOU

A

(time of check to time of use) A race condition vulnerability that occurs when a resource changes between the time an app checks it and the time the app uses it.