Glossary D Flashcards
DAC (discretionary access control)
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).
data at rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
data breach
When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.
data controller
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.
data custodian
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.
data exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
data governance
The overall management of the availability, usability, and security of the information used in an organization.
data in processing
Information that is present in the volatile memory of a host, such as system memory or cache.
data in transit
Information that is being transmitted between two hosts, such as over a private network or the Internet. Also known as data in motion.
data masking
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
data minimization
In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.
data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
data processor
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.
data remnant
Leftover information on a storage medium even after basic attempts have been made to remove that data. Also known as remnant.
data sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
data steward
An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
DHCP snooping
A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.
dd command
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.
DDoS attack (distributed denial of service attack)
An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.
dead code
Code in an application that is redundant because it will never be called within the logic of the program flow.
deauthentication/disassociation
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
deception and disruption
Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.
default account
Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.
defense in depth
A security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack’s progress, rather than eliminating it outright.
degaussing
The process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive’s magnetic charge.
deidentification
In data protection, methods and technologies that remove identifying information from data before it is distributed.
deprovisioning
The process of removing an application from packages or instances.
DER (distinguished encoding rules)
The binary format used to structure the information in a digital certificate.
detective control
A type of security control that acts during an incident to identify or record that it is happening.
deterrent control
A type of security control that discourages intrusion attempts.
DH (Diffie-Hellman)
A cryptographic technique that provides secure key exchange.
DHCP spoofing (Dynamic Host Configuration Protocol spoofing)
An attack in which an attacker responds to a client requesting address assignment from a DHCP server.
Diamond Model
A framework for analyzing cybersecurity incidents.
dictionary attack
A type of password attack that compares encrypted passwords against a predetermined list of possible password values.
differential backup
A backup type in which all selected files that have changed since the last full backup are backed up.
DiffServ
The Differentiated Services Code Point (DSCP) field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.
digital signature
A message digest encrypted using the sender’s private key that is appended to a message to authenticate the sender and prove message integrity.
directory service
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
directory traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
diversity
Cybersecurity resilience strategy that increases attack costs by provisioning multiple types of controls, technologies, vendors, and crypto implementations.
DLP (data loss/leak prevention)
A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
DMZ (demilitarized zone)
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.
DNAT (destination network address translation)
NAT service where private internal addresses are mapped to one or more public addresses to facilitate Internet connectivity for hosts on a local network via a router.
DNS hijacking (Domain Name System hijacking)
An attack in which an attacker modifies a computer’s DNS configurations to point to a malicious DNS server.
DNS poisoning (Domain Name System poisoning)
A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker’s choosing.
DNSSEC (Domain Name System Security Extensions)
A security protocol that provides authentication of DNS data and upholds DNS data integrity.
domain hijacking
A type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.
DoS attack (denial of service attack)
Any type of physical, application, or network attack that affects the availability of a managed resource.
downgrade attack
A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.
DPO (data privacy officer)
Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.
DRP (disaster recovery plan)
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
DSA (Digital Signature Algorithm)
Public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
dump file
File containing data captured from system memory.
dumpster diving
The social engineering technique of discovering things about an organization (or person) based on what it throws away.