Security+ SY0 301 glossary


GLOSSARY
CompTIA Security+ All-in-One Exam Guide, Third Edition

3DES: Triple DES encryption—three rounds of DES encryption used to improve security.
802.11: A family of standards that describe network protocols for wireless devices.
802.1X: An IEEE standard for performing authentication over networks.
acceptable use policy (AUP): A policy that communicates to users what specific uses of computer resources are permitted.
access: A subject’s ability to perform specific operations on an object, such as a file. Typical access levels include read, write, execute, and delete.
access control: Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files).
access control list (ACL): A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).
Active Directory: The directory service portion of the Windows operating system that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate, access, and manage these resources.
ActiveX: A Microsoft technology that facilitates rich Internet applications, and therefore extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a web page that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.
Address Resolution Protocol (ARP): A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address.
adware: Advertising-supported software that automatically plays, displays, or downloads advertisements after the software is installed or while the application is being used.
algorithm: A step-by-step procedure—typically an established computation for solving a problem within a set number of steps.
annualized loss expectancy (ALE): How much an event is expected to cost the business per year, given the dollar cost of the loss and how often it is likely to occur. ALE = single loss expectancy × annualized rate of occurrence.
annualized rate of occurrence (ARO): The frequency with which an event is expected to occur on an annualized basis.
anomaly: Something that does not fit into an expected pattern.
application: A program or group of programs designed to provide specific user functions, such as a word processor or web server.
ARP: See Address Resolution Protocol.
asset: Resources and information an organization needs to conduct its business.
asymmetric encryption: Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key.
audit trail: A set of records or events, generally organized chronologically, that record what activity has occurred on a system. These records (often computer files) are often used in an attempt to re-create what took place when a security incident occurred, and they can also be used to detect possible intruders.
auditing: Actions or processes used to verify the assigned privileges and rights of a user, or any capabilities used to create and maintain a record showing who accessed a particular system and what actions they performed.
authentication: The process by which a subject’s (such as a user’s) identity is verified.
authentication, authorization, and accounting (AAA): Three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.
Authentication Header (AH): A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402.
availability: Part of the “CIA” of security. Availability applies to hardware, software, and data, specifically meaning that each of these should be present and accessible when the subject (the user) wants to access or use them.
backdoor: A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
backup: Refers to copying and storing data in a secondary location, separate from the original, to preserve the data in the event that the original is lost, corrupted, or destroyed.
baseline: A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.
BGP: See Border Gateway Protocol.
biometrics: Used to verify an individual’s identity to the system or network using something unique about the individual, such as a fingerprint, for the verification process. Examples include fingerprints, retinal scans, hand and facial geometry, and voice analysis.
BIOS: The part of the operating system that links specific hardware devices to the operating system software.
Blowfish: A free implementation of a symmetric block cipher developed by Bruce Schneier as a drop-in replacement for DES and IDEA. It has a variable bit-length scheme from 32 to 448 bits, resulting in varying levels of security.
bluebugging: The use of a Bluetooth-enabled device to eavesdrop on another person’s conversation using that person’s Bluetooth phone as a transmitter. The bluebug application silently causes a Bluetooth device to make a phone call to another device, causing the phone to act as a transmitter and allowing the listener to eavesdrop on the victim’s conversation in real life.
bluejacking: The sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers.
bluesnarfing: The unauthorized access of information from a Bluetooth-enabled device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs.
Border Gateway Protocol (BGP): The interdomain routing protocol implemented in Internet Protocol (IP) networks to enable routing between autonomous systems.
botnet: A term for a collection of software robots, or bots, that run autonomously and automatically and, commonly, invisibly in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.
buffer overflow: A specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.
Bureau of Industry and Security (BIS): In the U.S. Department of Commerce, the department responsible for export administration regulations that cover encryption technology in the United States.
Business Continuity Planning (BCP): The plans a business develops to continue critical operations in the event of a major disruption.
cache: The temporary storage of information before use, typically used to speed up systems. In an Internet context, refers to the storage of commonly accessed web pages, graphic files, and other content locally on a user’s PC or a web server. The cache helps to minimize download time and preserve bandwidth for frequently accessed web sites, and it helps reduce the load on a web server.
Capability Maturity Model (CMM): A structured methodology helping organizations improve the maturity of their software processes by providing an evolutionary path from ad hoc processes to disciplined software management processes. Developed at Carnegie Mellon University’s Software Engineering Institute.
centralized management: A type of privilege management that brings the authority and responsibility for managing and maintaining rights and privileges into a single group, location, or area.
CERT: See Computer Emergency Response Team.
certificate: A cryptographically signed object that contains an identity and a public key associated with this identity. The certificate can be used to establish identity, analogous to a notarized written document.
certificate revocation list (CRL): A digitally signed object that lists all of the current but revoked certificates issued by a given certification authority. This allows users to verify whether a certificate is currently valid even if it has not expired. CRL is analogous to a list of stolen charge card numbers that allows stores to reject bad credit cards.
certification authority (CA): An entity responsible for issuing and revoking certificates. CAs are typically not associated with the company requiring the certificate, although they exist for internal company use as well (such as Microsoft). This term is also applied to server software that provides these services. The term certificate authority is used interchangeably with certification authority.
chain of custody: Rules for documenting, handling, and safeguarding evidence to ensure no unanticipated changes are made to the evidence.
Challenge Handshake Authentication Protocol (CHAP): Used to provide authentication across point-to-point links using the Point-to-Point Protocol (PPP).
change (configuration) management: A standard methodology for performing and recording changes during software development and operation.
change control board (CCB): A body that oversees the change management process and enables management to oversee and coordinate projects.
CHAP: See Challenge Handshake Authentication Protocol.
CIA of security: Refers to confidentiality, integrity, and availability, the basic functions of any security system.
cipher: A cryptographic system that accepts plaintext input and then outputs ciphertext according to its internal algorithm and key.
ciphertext: Used to denote the output of an encryption algorithm. Ciphertext is the encrypted data.
CIRT: See Computer Emergency Response Team.
closed circuit television (CCTV): A private television system, usually hardwired in security applications to record visual information.
cloud computing: The automatic provisioning of computational resources on demand across a network.
cold site: An inexpensive form of backup site that does not include a current set of data at all times. A cold site takes longer to get your operational system back up, but it is considerably less expensive than a warm or hot site.
collisions: Used in the analysis of hashing cryptography, it is the property by which an algorithm will produce the same hash from two different sets of data.
Computer Emergency Response Team (CERT): Also known as a Computer Incident Response Team (CIRT), this group is responsible for investigating and responding to security breaches, viruses, and other potentially catastrophic incidents.
computer security: In general terms, the methods, techniques, and tools used to ensure that a computer system is secure.
computer software configuration item: See configuration item.
confidentiality: Part of the CIA of security. Refers to the security principle that states that information should not be disclosed to unauthorized individuals.
configuration auditing: The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements.
configuration control: The process of controlling changes to items that have been baselined.
configuration identification: The process of identifying which assets need to be managed and controlled.
configuration item: Data and software (or other assets) that are identified and managed as part of the software change management process. Also known as computer software configuration item.
configuration status accounting: Procedures for tracking and maintaining data relative to each configuration item in the baseline.
cookie: Information stored on a user’s computer by a web server to maintain the state of the connection to the web server. Used primarily so preferences or previously used information can be recalled on future requests to the server.
countermeasure: See security control.
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): An enhanced data cryptographic encapsulation mechanism based upon the counter mode with CBC-MAC from AES, designed for use over wireless LANs.
cracking: A term used by some to refer to malicious hacking, in which an individual attempts to gain unauthorized access to computer systems or networks. See also hacking.
CRC: See Cyclic Redundancy Check.
CRL: See Certificate Revocation List.
cross-site request forgery (CSRF or XSRF): A method of attacking a system by sending malicious input to the system and relying upon the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user’s browser.
cross-site scripting (XSS): A method of attacking a system by sending script commands to the system input and relying upon the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site.
cryptanalysis: The process of attempting to break a cryptographic system.
cryptography: The art of secret writing that enables an individual to hide the contents of a message or file from all but the intended recipient.
Cyclic Redundancy Check (CRC): An error detection technique that uses a series of two 8-bit block check characters to represent an entire block of data. These block check characters are incorporated into the transmission frame and then checked at the receiving end.
DAC: See Discretionary Access Control.
Data Encryption Standard (DES): A private key encryption algorithm adopted by the government as a standard for the protection of sensitive but unclassified information. Commonly used in triple DES, where three rounds are applied to provide greater security.
Data Execution Prevention: A security feature of an OS that can be driven by software, hardware, or both, designed to prevent the execution of code from blocks of data in memory.
Data Loss Prevention (DLP): Technology, processes, and procedures designed to detect when unauthorized removal of data from a system occurs. DLP is typically active, preventing the loss, either by blocking the transfer or dropping the connection.
datagram: A packet of data that can be transmitted over a packet-switched system in a connectionless mode.
decision tree: A data structure in which each element is attached to one or more structures directly beneath it.
demilitarized zone (DMZ): A network segment that exists in a semi-protected zone between the Internet and the inner secure trusted network.
denial-of-service (DoS) attack: An attack in which actions are taken to deprive authorized individuals from accessing a system, its resources, the data it stores or processes, or the network to which it is connected.
DES: See Data Encryption Standard.
DHCP: See Dynamic Host Configuration Protocol.
DIAMETER: The DIAMETER base protocol is intended to provide an authentication, authorization, and accounting (AAA) framework for applications such as network access or IP mobility. DIAMETER is a draft IETF proposal.
Diffie-Hellman: A cryptographic method of establishing a shared key over an insecure medium in a secure fashion.
digital signature: A cryptography-based artifact that is a key component of a public key infrastructure (PKI) implementation. A digital signature can be used to prove identity because it is created with the private key portion of a public/private key pair. A recipient can decrypt the signature and, by doing so, receive the assurance that the data must have come from the sender and that the data has not changed.
digital signature algorithm (DSA): A United States government standard for implementing digital signatures.
direct-sequence spread spectrum (DSSS): A method of distributing a communication over multiple frequencies to avoid interference and detection.
disaster recovery plan (DRP): A written plan developed to address how an organization will react to a natural or manmade disaster in order to ensure business continuity. Related to the concept of a business continuity plan (BCP).
discretionary access control (DAC): An access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) these objects can have.
distributed denial-of-service (DDoS) attack: A special type of DoS attack in which the attacker elicits the generally unwilling support of other systems to launch a many-against-one attack.
diversity of defense: The approach of creating dissimilar security layers so that an intruder who is able to breach one layer will be faced with an entirely different set of defenses at the next layer.
Domain Name Service (DNS): The service that translates an Internet domain name (such as www.mcgraw-hill.com) into IP addresses.
DRP: See disaster recovery plan.
DSSS: See direct-sequence spread spectrum.
dumpster diving: The practice of searching through trash to discover material that has been thrown away that is sensitive, yet not destroyed or shredded.
Dynamic Host Configuration Protocol (DHCP): An Internet Engineering Task Force (IETF) Internet Protocol (IP) specification for automatically allocating IP addresses and other configuration information based on network adapter addresses. It enables address pooling and allocation and simplifies TCP/IP installation and administration.
EAP: See Extensible Authentication Protocol.
electromagnetic interference (EMI): The disruption or interference of electronics due to an electromagnetic field.
elliptic curve cryptography (ECC): A method of public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
Encapsulating Security Payload (ESP): A portion of the IPsec implementation that provides for data confidentiality with optional authentication and replay-detection services. ESP completely encapsulates user data in the datagram and can be used either by itself or in conjunction with Authentication Headers for varying degrees of IPsec services.
Encrypted File System (EFS): A security feature of Windows, from Windows 2000 onward, that enables the transparent encryption/decryption of files on the system.
escalation auditing: The process of looking for an increase in privileges, such as when an ordinary user obtains administrator-level privileges.
evidence: The documents, verbal statements, and material objects admissible in a court of law.
exposure factor: A measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy (SLE).
Extensible Authentication Protocol (EAP): A universal authentication framework used in wireless networks and point-to-point connections. It is defined in RFC 3748 and has been updated by RFC 5247.
false positive: Term used when a security system makes an error and incorrectly reports the existence of a searched-for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports the existence of a virus in software that actually is not infected, or a biometric system that allows system access to an unauthorized individual.
FHSS: See frequency-hopping spread spectrum.
File Transfer Protocol (FTP): An application-level protocol used to transfer files over a network connection.
firewall: A network device used to segregate traffic based on rules.
File Transfer Protocol Secure (FTPS): An application-level protocol used to transfer files over a network connection, which uses FTP over a SSL or TLS connection.
flood guard: A network device that blocks flooding-type DOS/DDOS attacks, frequently part of an IDS/IPS.
forensics (or computer forensics): The preservation, identification, documentation, and interpretation of computer data for use in legal proceedings.
free space: Sectors on a storage medium that are available for the operating system to use.
frequency-hopping spread spectrum (FHSS): A method of distributing a communication over multiple frequencies over time to avoid interference and detection.
Generic Routing Encapsulation (GRE): A tunneling protocol designed to encapsulate a wide variety of network layer packets inside IP tunneling packets.
hacking: The term used by the media to refer to the process of gaining unauthorized access to computer systems and networks. The term has also been used to refer to the process of delving deep into the code and protocols used in computer systems and networks. See also cracking.
hash: A form of encryption that creates a digest of the data put into the algorithm. These algorithms are referred to as one-way algorithms because there is no feasible way to decrypt what has been encrypted.
hash value: See message digest.
hashed message authentication code (HMAC): The use of a cryptographic hash function and a message authentication code to ensure the integrity and authenticity of a message.
heating, ventilation, air conditioning (HVAC): The systems used to heat and cool air in a building or structure.
HIDS: See host-based intrusion detection system.
HIPS: See host-based intrusion prevention system.
honeypot: A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. Since there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.
host-based intrusion detection system (HIDS): A system that looks for computer intrusions by monitoring activity on one or more individual PCs or servers.
host-based intrusion prevention system (HIPS): A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers and responding based on a rule set.
hot site: A backup site that is fully configured with equipment and data and is ready to immediately accept transfer of operational processing in the event of failure on the operational system.
Hypertext Transfer Protocol (HTTP): A protocol for transfer of material across the Internet that contains links to additional material.
Hypertext Transfer Protocol over SSL/TLS (HTTPS): A protocol for transfer of material across the Internet that contains links to additional material that is carried over a secure tunnel via SSL or TLS.
ICMP: See Internet Control Message Protocol.
IDEA: See International Data Encryption Algorithm.
IEEE: See Institute for Electrical and Electronics Engineers.
IETF: See Internet Engineering Task Force.
IKE: See Internet Key Exchange.
impact: The result of a vulnerability being exploited by a threat, resulting in a loss.
incident response: The process of responding to, containing, analyzing, and recovering from a computer-related incident.
information security: Often used synonymously with computer security, but places the emphasis on the protection of the information that the system processes and stores, instead of on the hardware and software that constitute the system.
Infrastructure as a Service (IaaS): The automatic, on-demand provisioning of infrastructure elements, operating as a service; a common element of cloud computing.
initialization vector (IV): A data value used to seed a cryptographic algorithm, providing for a measure of randomness.
Institute for Electrical and Electronics Engineers (IEEE): A nonprofit, technical, professional institute associated with computer research, standards, and conferences.
intangible asset: An asset for which a monetary equivalent is difficult or impossible to determine. Examples are brand recognition and goodwill.
integrity: Part of the CIA of security, the security principle that requires that information is not modified except by individuals authorized to do so.
International Data Encryption Algorithm (IDEA): A symmetric encryption algorithm used in a variety of systems for bulk encryption services.
Internet Assigned Numbers Authority (IANA): The central coordinator for the assignment of unique parameter values for Internet protocols. The IANA is chartered by the Internet Society (ISOC) to act as the clearinghouse to assign and coordinate the use of numerous Internet protocol parameters.
Internet Control Message Protocol (ICMP): One of the core protocols of the TCP/IP protocol suite, used for error reporting and status messages.
Internet Engineering Task Force (IETF): A large international community of network designers, operators, vendors, and researchers, open to any interested individual concerned with the evolution of Internet architecture and the smooth operation of the Internet. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (such as routing, transport, and security). Much of the work is handled via mailing lists, with meetings held three times per year.
Internet Key Exchange (IKE): The protocol formerly known as ISAKMP/Oakley, defined in RFC 2409. A hybrid protocol that uses part of the Oakley and part of the Secure Key Exchange Mechanism for Internet (SKEMI) protocol suites inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services that require keys (such as IPsec).
Internet Message Access Protocol version 4 (IMAP4): One of two common Internet standard protocols for e-mail retrieval.
Internet Protocol (IP): The network layer protocol used by the Internet for routing packets across a network.
Internet Protocol Security (IPsec): A protocol used to secure IP packets during transmission across a network. IPsec offers authentication, integrity, and confidentiality services and uses Authentication Headers (AH) and Encapsulating Security Payload (ESP) to accomplish this functionality.
Internet Security Association and Key Management Protocol (ISAKMP): A protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.
Internet service provider (ISP): A telecommunications firm that provides access to the Internet.
intrusion detection system (IDS): A system to identify suspicious, malicious, or undesirable activity that indicates a breach in computer security.
IPsec: See Internet Protocol Security.
ISAKMP/Oakley: See Internet Key Exchange.
Kerberos: A network authentication protocol designed by MIT for use in client/server environments.
key: In cryptography, a sequence of characters or bits used by an algorithm to encrypt or decrypt a message.
key distribution center (KDC): A component of the Kerberos system for authentication that manages the secure distribution of keys.
keyspace: The entire set of all possible keys for a specific encryption algorithm.
Layer Two Tunneling Protocol (L2TP): A Cisco switching protocol that operates at the data-link layer.
LDAP: See Lightweight Directory Access Protocol.
least privilege: A security principle in which a user is provided with the minimum set of rights and privileges that he or she needs to perform required functions. The goal is to limit the potential damage that any user can cause.
Lightweight Directory Access Protocol (LDAP): An application protocol used to access directory services across a TCP/IP network.
Lightweight Extensible Authentication Protocol (LEAP): A version of EAP developed by Cisco prior to 802.11i to push 802.1X and WEP adoption.
load balancer: A network device that distributes computing across multiple computers.
local area network (LAN): A grouping of computers in a network structure confined to a limited area and using specific protocols, such as Ethernet for OSI layer 2 traffic addressing.
logic bomb: A form of malicious code or software that is triggered by a specific event or condition. See also time bomb.
loop protection: The requirement to prevent bridge loops at the layer 2 level, which is typically resolved using the Spanning Tree algorithm on switch devices.
MAC: See mandatory access control, Media Access Control, or Message Authentication Code.
man-in-the-middle attack: Any attack that attempts to use a network node as the intermediary between two other nodes. Each of the endpoint nodes thinks it is talking directly to the other, but each is actually talking to the intermediary.
mandatory access control (MAC): An access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.
master boot record (MBR): A strip of data on a hard drive in Windows systems, meant to result in specific initial functions or identification.
maximum transmission unit (MTU): A measure of the largest payload that a particular protocol can carry in a single packet in a specific instance.
MD5: Message Digest 5, a hashing algorithm and a specific method of producing a message digest.
Media Access Control (MAC): A protocol used in the data-link layer for local network addressing.
message authentication code (MAC): A short piece of data used to authenticate a message. See hashed message authentication code.
message digest: The result of applying a hash function to data. Sometimes also called a hash value. See hash.
metropolitan area network (MAN): A collection of networks interconnected in a metropolitan area and usually connected to the Internet.
Microsoft Challenge Handshake Authentication Protocol (MSCHAP): A Microsoft-developed variant of the Challenge Handshake Authentication Protocol (CHAP).
mitigation: Action taken to reduce the likelihood of a threat occurring.
MSCHAP: See Microsoft Challenge Handshake Authentication Protocol.
NAC: See Network Access Control.
NAP: See Network Access Protection.
NAT: See Network Address Translation.
Network Access Control (NAC): An approach to endpoint security that involves monitoring and remediating endpoint security issues before allowing an object to connect to a network.
Network Access Protection (NAP): A Microsoft approach to Network Access Control.
Network Address Translation (NAT): A method of readdressing packets in a network at a gateway point to enable the use of local, nonroutable IP addresses over a public network such as the Internet.
network-based intrusion detection system (NIDS): A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.
network-based intrusion prevention system (NIPS): A system that examines network traffic and automatically responds to computer intrusions.
Network Basic Input/Output System (NetBIOS): A system that provides communication services across a local area network.
network operating system (NOS): An operating system that includes additional functions and capabilities to assist in connecting computers and devices, such as printers, to a local area network.
nonrepudiation: The ability to verify that an operation has been performed by a particular person or account. This is a system property that prevents the parties to a transaction from subsequently denying involvement in the transaction.
Oakley protocol: A key exchange protocol that defines how to acquire authenticated keying material based on the Diffie-Hellman key exchange algorithm.
object reuse: Assignment of a previously used medium to a subject. The security implication is that before it is provided to the subject, any data present from a previous user must be cleared.
one-time pad: An unbreakable encryption scheme in which a series of nonrepeating, random bits are used once as a key to encrypt a message. Since each pad is used only once, no pattern can be established and traditional cryptanalysis techniques are not effective.
Open Vulnerability and Assessment Language (OVAL): An XML-based standard for the communication of security information between tools and services.
operating system (OS): The basic software that handles input, output, display, memory management, and all the other highly detailed tasks required to support the user environment and associated applications.
Orange Book: The name commonly used to refer to the now outdated Department of Defense Trusted Computer Security Evaluation Criteria (TCSEC).
OVAL: See Open Vulnerability and Assessment Language.
password: A string of characters used to prove an individual’s identity to a system or object. Used in conjunction with a user ID, it is the most common method of authentication. The password should be kept secret by the individual who owns it.
Password Authentication Protocol (PAP): A simple protocol used to authenticate a user to a network access server.
patch: A replacement set of code designed to correct problems or vulnerabilities in existing software.
PBX: See private branch exchange.
peer-to-peer (P2P): A network connection methodology involving direct connection from peer to peer.
penetration testing: A security test in which an attempt is made to circumvent security controls in order to discover vulnerabilities and weaknesses. Also called a pen test.
permissions controls: Authorized actions a subject can perform on an object. See also access.
personally identifiable information (PII): Information that can be used to identify a single person.
phreaking: Used in the media to refer to the hacking of computer systems and networks associated with the phone company. See also cracking.
plaintext: In cryptography, a piece of data that is not encrypted. It can also mean the data input into an encryption algorithm that would output ciphertext.
Point-to-Point Protocol (PPP): The Internet standard for transmission of IP packets over a serial line, as in a dial-up connection to an ISP.
Point-to-Point Protocol
Extensible Authentication Protocol (PPP EAP) EAP is a PPP extension that provides support for additional authentication methods within PPP Glossary 629 Point-to-Point Protocol Password Authentication Protocol (PPP PAP) PAP is a PPP extension that provides support for password authentication methods over PPP Pretty Good Privacy (PGP) A popular encryption program that has the ability to encrypt and digitally sign e-mail and files preventative intrusion detection A system that detects hostile actions or network activity and prevents them from impacting information systems privacy to see it Protecting an individual’s personal information from those not authorized private branch exchange (PBX) business or entity A telephone exchange that serves a specific privilege auditing The process of checking the rights and privileges assigned to a specific account or group of accounts privilege management The process of restricting a user’s ability to interact with the computer system Protected Extensible Authentication Protocol (PEAP) A protected version of EAP developed by Cisco, Microsoft, and RSA Security that functions by encapsulating the EAP frames in a TLS tunnel public key cryptography See asymmetric encryption public key infrastructure (PKI) Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority qualitative risk assessment The process of subjectively determining the impact of an event that affects a project, program, or business It involves the use of expert judgment, experience, or group consensus to complete the assessment quantitative risk assessment The process of objectively determining the impact of an event that affects a project, program, or business It usually involves the use of metrics and models to complete the assessment RADIUS Remote Authentication Dial-In User Service is a standard protocol for providing authentication services It is commonly used in dial-up, wireless, and PPP environments 
RAS See Remote Access Service CompTIA Security+ All-in-One Exam Guide, Third Edition 630 RBAC See rule-based access control or role-based access control recovery time objective (RTO) The amount of time a business has to restore a process before unacceptable outcomes result from a disruption Remote Access Service/Server (RAS) A combination of hardware and software used to enable remote access to a network repudiation residual risk risk The act of denying that a message was either sent or received Risks remaining after an iteration of risk management The possibility of suffering a loss risk assessment or risk analysis The process of analyzing an environment to identify the threats, vulnerabilities, and mitigating actions to determine (either quantitatively or qualitatively) the impact of an event affecting a project, program, or business risk management Overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what cost-effective actions can be taken to control these risks role-based access control (RBAC) An access control mechanism in which, instead of the users being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user rule-based access control (RBAC) An access control mechanism based on rules safeguard See security controls Secure Copy Protocol (SCP) transfers A network protocol that supports secure file Secure FTP A method of secure file transfer that involves the tunneling of FTP through an SSH connection This is different than SFTP, which is listed below as Secure Shell File Transfer Protocol Secure Hash Algorithm (SHA) A hash algorithm used to hash block data The first version is SHA1, with subsequent versions detailing hash digest length: SHA256, SHA384, and SHA512 Secure/Multipurpose Internet Mail Extensions (S/MIME) An encrypted 
implementation of the MIME (Multipurpose Internet Mail Extensions) protocol specification Glossary 631 Secure Shell (SSH) A set of protocols for establishing a secure remote connection to a computer This protocol requires a client on each end of the connection and can use a variety of encryption protocols Secure Shell File Transfer Protocol (SFTP) associated with secure shell protocol (SSH) A secure file transfer subsystem Secure Sockets Layer (SSL) An encrypting layer between the session and transport layer of the OSI model designed to encrypt above the transport layer, enabling secure sessions between hosts security association (SA) An instance of security policy and keying material applied to a specific data flow Both IKE and IPsec use SAs, although these SAs are independent of one another IPsec SAs are unidirectional and are unique in each security protocol, whereas IKE SAs are bidirectional A set of SAs are needed for a protected data pipe, one per direction per protocol SAs are uniquely identified by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI) security baseline The end result of the process of establishing an information system’s security state It is a known good configuration resistant to attacks and information theft security content automation protocol (SCAP) A method of using specific protocols and data exchanges to automate the determination of vulnerability management, measurement, and policy compliance across a system or set of systems security controls A group of technical, management, or operational policies and procedures designed to implement specific security functionality Access controls are an example of a security control segregation or separation of duties A basic control that prevents or detects errors and irregularities by assigning responsibilities to different individuals so that no single individual can commit fraudulent or malicious actions service level agreement (SLA) An 
agreement between parties concerning the expected or contracted up-time associated with a system service set identifier (SSID) Identifies a specific 802.11 wireless network It transmits information about the access point to which the wireless client is connecting signature database A collection of activity patterns that have already been identified and categorized and that typically indicate suspicious or malicious activity Simple Mail Transfer Protocol (SMTP) to transfer e-mail between hosts The standard Internet protocol used CompTIA Security+ All-in-One Exam Guide, Third Edition 632 Simple Network Management Protocol (SNMP) to remotely manage network devices across a network A standard protocol used single loss expectancy (SLE) Monetary loss or impact of each occurrence of a threat SLE = asset value × exposure factor single sign-on (SSO) An authentication process by which the user can enter a single user ID and password and then move from application to application or resource to resource without having to supply further authentication information slack space Unused space on a disk drive created when a file is smaller than the allocated unit of storage (such as a sector) sniffer A software or hardware device used to observe network traffic as it passes through a network on a shared broadcast media social engineering The art of deceiving another person so that he or she reveals confidential information This is often accomplished by posing as an individual who should be entitled to have access to the information Software as a Service (SaaS) The provisioning of software as a service, commonly known as on-demand software software development lifecycle model (SDLC) The processes and procedures employed to develop software Sometimes also called secure development lifecycle model when security is part of the development process spam E-mail that is not requested by the recipient and is typically of a commercial nature Also known as unsolicited commercial e-mail (UCE) 
spam filter A security appliance designed to remove spam at the network layer before it enters e-mail servers spim Spam sent over an instant messaging channel spoofing Making data appear to have originated from another source so as to hide the true origin from the recipient symmetric encryption Encryption that needs all parties to have a copy of the key, sometimes called a shared secret The single key is used for both encryption and decryption tangible asset An asset for which a monetary equivalent can be determined Examples are inventory, buildings, cash, hardware, software, and so on Telnet A network protocol used to provide cleartext bidirectional communication over TCP Glossary 633 Tempest The U.S military’s name for the field associated with electromagnetic eavesdropping on signals emitted by electronic equipment See also van Eck phenomenon Temporal Key Integrity Protocol (TKIP) A security protocol used in 802.11 wireless networks threat Any circumstance or event with the potential to cause harm to an asset time bomb A form of logic bomb in which the triggering event is a date or specific time See also logic bomb TKIP See Temporal Key Integrity Protocol token A hardware device that can be used in a challenge-response authentication process Transmission Control Protocol (TCP) The transport layer protocol for use on the Internet that allows packet-level tracking of a conversation Transport Layer Security (TLS) Internet standard A newer form of SSL being proposed as an trapdoor See backdoor Trivial File Transfer Protocol (TFTP) A simplified version of FTP used for low-overhead file transfers using UDP port 69 Trojan horse A form of malicious code that appears to provide one service (and may indeed provide that service) but that also hides another purpose This hidden purpose often has a malicious intent This code may also be simply referred to as a Trojan Trusted Platform Module (TPM) ing platform operations A hardware chip to enable trusted comput- 
uninterruptible power supply (UPS) A source of power (generally a battery) designed to provide uninterrupted power to a computer system in the event of a temporary loss of power usage auditing The process of recording who did what and when on an information system User Datagram Protocol (UDP) A protocol in the TCP/IP protocol suite for the transport layer that does not sequence packets—it is “fire and forget” in nature User ID A unique alphanumeric identifier that identifies individuals who are logging in or accessing a system CompTIA Security+ All-in-One Exam Guide, Third Edition 634 vampire taps A tap that connects to a network line without cutting the connection van Eck phenomenon Electromagnetic eavesdropping through the interception of electronic signals emitted by electrical equipment See also Tempest virtual local area network (VLAN) A broadcast domain inside a switched system virtual private network (VPN) An encrypted network connection across another network, offering a private communication channel across a public medium virus A form of malicious code or software that attaches itself to other pieces of code in order to replicate Viruses may contain a payload, which is a portion of the code that is designed to execute when a certain condition is met (such as on a certain date) This payload is often malicious in nature vulnerability A weakness in an asset that can be exploited by a threat to cause harm wireless access point (WAP) A network access device that facilitates the connection of wireless devices to a network war-dialing An attacker’s attempt to gain unauthorized access to a computer system or network by discovering unprotected connections to the system through the telephone system and modems war-driving The attempt by an attacker to discover unprotected wireless networks by wandering (or driving) around with a wireless device, looking for available wireless access points web application firewall (WAF) A firewall that operates at the application 
level, specifically designed to protect web applications by examining requests at the application stack level WEP See Wired Equivalent Privacy wide area network (WAN) A network that spans a large geographic region Wi-Fi Protected Access (WPA/WPA2) A protocol to secure wireless communications using a subset of the 802.11i standard Wired Equivalent Privacy (WEP) The encryption scheme used to attempt to provide confidentiality and data integrity on 802.11 networks Wireless Application Protocol (WAP) A protocol for transmitting data to small handheld devices such as cellular phones Wireless Transport Layer Security (WTLS) The encryption protocol used on WAP networks Glossary 635 worm An independent piece of malicious code or software that self-replicates Unlike a virus, it does not need to be attached to another piece of code A worm replicates by breaking into another system and making a copy of itself on this new system A worm can contain a destructive payload but does not have to X.509 XOR XSRF XSS The standard format for digital certificates Bitwise exclusive OR, an operation commonly used in cryptography See cross-site request forgery See cross-site scripting ...CompTIA Security+ All-in-One Exam Guide, Third Edition 614 Address Resolution Protocol (ARP) A protocol... Authentication and authorization almost always occur, with accounting being somewhat less common Glossary 615 Authentication Header (AH) A portion of the IPsec security protocol that provides authentication... device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs CompTIA Security+ All-in-One Exam Guide, Third Edition 616 Border Gateway Protocol (BGP) The interdomain

Date posted: 18/04/2019, 13:45
