Acceptable risk A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management. Access control system Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems. Access control tokens The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation. Accountability Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly. ActiveX Data Objects (ADO) A Microsoft high-level interface for all kinds of data. Address Resolution Protocol (ARP) Is used at the Media Access Control (MAC) Layer to provide for direct communication between two devices within the same LAN segment. Algorithm A mathematical function that is used in the encryption and decryption processes. Asset An item perceived as having value. Asset lifecycle The phases that an asset goes through from creation (collection) to destruction. Asymmetric Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other to decrypt. Attack surface Different security testing methods find different vulnerability types. Attribute- based access control (ABAC) This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together. Audit/auditing The tools, processes, and activities used to perform compliance reviews. Authorization The process of defining the specific resources a user needs and determining the type of access to those resources the user may have. Availability Ensuring timely and reliable access to and use of information by authorized users. Baselines A minimum level of security. Bit Most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model. Black-box testing Testing where no internal details of the system implementation are used. Bluetooth (Wireless Personal Area Network IEEE 802.15) Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices. Bridges Layer 2 devices that filter traffic between segments based on Media Access Control (MAC) addresses. Business continuity (BC) Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency. Business continuity and disaster recovery (BCDR) A term used to jointly describe business continuity and disaster recovery efforts. A list of the organization’s assets, annotated to Business impact analysis reflect the criticality of each asset to the (BIA) organization. Capability Maturity Model for Software or Software Capability Maturity model focused on quality management processes and has five maturity levels that contain several key practices within each maturity level. Maturity Model (CMM or SW-CMM) Cellular Network A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station. An entity trusted by one or more users as an authority that issues, revokes, and manages digital Certificate authority (CA) certificates tof bind individuals and entities to their public keys. Change management A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment. CIA/AIC Triad Security model with the three security concepts of confidentiality, integrity, and availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad. Ciphertext The altered form of a plaintext message, so as to be unreadable for anyone except the intended recipients. Something that has been turned into a secret. Classification Arrangement of assets into categories. Clearing The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities. Code-division multiple access (CDMA) Every call’s data is encoded with a unique key, then the calls are all transmitted at once. Common Object Request Broker Architecture (CORBA) A set of standards that addresses the need for interoperability between hardware and software products. Compliance Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence. Computer virus A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer. Concentrators Multiplex connected devices into one signal to be transmitted on a network. Condition coverage This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision. Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Configuration management (CM) A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment). Confusion Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter. Content Distribution Network (CDN) Is a large distributed system of servers deployed in multiple data centers across the internet. Covert channel An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information. Covert security testing Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test. Crossover Error Rate (CER) This is achieved when the type I and type II are equal. Cryptanalysis The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services provided through cryptography. Cryptography Secret writing. Today provides the ability to achieve confidentiality, integrity, authenticity, nonrepudiation, and access control. Cryptology The science that deals with hidden, disguised, or encrypted information and communications. Curie Temperature The critical point where a material’s intrinsic magnetic alignment changes direction. Custodian Responsible for protecting an asset that has value, while in the custodian’s possession. Data classification Entails analyzing the data that the organization retains, determining its importance and value, and then assigning it to a category. Data custodian The person/role within the organization owner/controller. Data flow coverage This criteria requires sufficient test cases for each feasible data flow to be executed at least once. Data mining A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics. Data owner/ controller An entity that collects or creates PII. Data subject The individual human related to a set of personal data. Database Management System (DBMS) A suite of application programs that typically manages large, structured sets of persistent data. Database model Describes the relationship between the data elements and provides a framework for organizing the data. Decision (branch) coverage Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications. Decryption The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption. Defensible destruction Eliminating data using a controlled, legally defensible, and regulatory compliant way. DevOps An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate. Diffusion Provided by mixing up the location of the plaintext throughout the ciphertext. The strongest algorithms exhibit a high degree of confusion and diffusion. Digital certificate An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date. Used to bind individuals and entities to their public keys. Issued by a trusted third party referred to as a Certificate Authority (CA). Digital rights management (DRM) A broad range of technologies that grant control and protection to content providers over their own digital media. May use cryptography techniques. Digital signatures Provide authentication of a sender and integrity of a sender’s message and non-repudiation services. Disaster recovery (DR) Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations. Discretionary access control (DAC) The system owner decides who gets access. Due care A legal concept pertaining to the duty owed by a provider to a customer. Due diligence Actions taken by a vendor to demonstrate/ provide due care. Ports 49152 – 65535. Whenever a service is requested that is associated with Well- Known or Dynamic or Private Ports Registered Ports those services will respond with a dynamic port. Dynamic testing When the system under test is executed and its behavior is observed. Encoding The action of changing a message into another format through the use of a code. Encryption The process of converting the message from its plaintext to ciphertext. False Acceptance Rate (Type II) This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user. False Rejection Rate (Type I) This is failure to recognize a legitimate user. Fibre Channel over Ethernet (FCoE) A lightweight encapsulation protocol, and it lacks the reliable data transport of the TCP layer. Firewalls Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules. Frame Data represented at Layer 2 of the Open Systems Interconnection (OSI) model. Global System for Mobiles (GSM) Each call is transformed into digital data that is given a channel and a time slot. Governance The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions. Governance committee A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance. Guidelines Suggested practices and expectations of activity to best accomplish tasks and attain goals. Hash function Accepts an input message of any length and generates, through a one-way operation, a fixedlength output called a message digest or hash. Honeypots/ honeynets Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy maliciousor unauthorized intruders, as a means ofdelaying their attempts to accessproduction data/assets. A number ofmachines of this kind, linked together as anetwork or subnet, are referred to as a “honeynet.” Identity as a service (IDaaS) Cloud-based services that broker identity and access management (IAM) functions to target systems on customers’ premises and/or in the cloud. Identity proofing The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication. Initialization vector (IV) A non-secret binary vector used as the initializing input algorithm, or a random starting point, for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment. Integrated Process and Product Development (IPPD) A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing, and supportability processes. Integrity Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. Intellectual property Intangible assets (notably includes software and data). Provides a means to send error messages and a Internet Control Message way to probe the network to determine network Protocol (ICMP) availability. Internet Group Management Protocol (IGMP) Used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission. Internet Protocol (IPv4) Is the dominant protocol that operates at the Open Systems Interconnection (OSI) Network Layer 3. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts. Internet Protocol (IPv6) Is a modernization of IPv4 that includes a much larger address field: IPv6 addresses are 128 bits that support 2128 hosts. Intrusion detection system (IDS) A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access. Intrusion prevention system (IPS) A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access. Inventory Complete list of items. Job rotation The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats. Key Clustering When different encryption keys generate the same ciphertext from the same plaintext message. Key Length The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information. Key or Cryptovariable The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message. Knowledge Discovery in Databases (KDD) A mathematical, statistical, and visualization method of identifying valid and useful patterns in data. Least privilege The practice of only granting a user the minimal permissions necessary to perform their explicit job function. Lifecycle Phases that an asset goes through from creation to destruction. Log A record of actions and events that have taken place on a computer system. Logical access control system Non-physical system that allows access based upon pre-determined policies. Loop coverage This criterion requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions. Mandatory access controls (MAC) Access control that requires the system itself to manage access controls in accordance with the organization’s security policies. Maximum allowable downtime (MAD) The measure of how long an organization can survive an interruption of critical functions. Also known as maximum tolerable downtime (MTD). Media Any object that contains data. Message authentication code (MAC) A small block of data that is generated using a secret key and then appended to the message, used to address integrity. Message digest A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality. Metadata Information about the data. Misuse case A use case from the point of view of an actor hostile to the system under design. These criteria require sufficient test cases to Multi-condition coverage exercise all possible combinations of conditions in a program decision. Multi-factor authentication Ensures that a user is who he or she claims to be. The more factors used to determine a person’s identity, the greater the trust of authenticity. Multiprotocol Label Switching (MPLS) Is a wide area networking protocol that operates at both Layer 2 and 3 and does label switching. Need-to-know Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization. Negative testing This ensures the application can gracefully handle invalid input or unexpected user behavior. Network Function Virtualization (NFV) The objective of NFV is to decouple functions such as firewall management, intrusion detection, network address translation, or name service resolution away from specific hardware implementation into software solutions. Non-repudiation Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message. Null cipher Hiding plaintext within other plaintext. A form of steganography. Open Authorization (OAuth) The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. Open Shortest Path First (OSPF) An interior gateway routing protocol developed for IP networks based on the shortest path first or linkstate algorithm. OSI Layer 1 Physical layer. OSI Layer 2 Data-link layer. OSI Layer 3 Network layer. OSI Layer 4 Transport layer. OSI Layer 5 Session layer. OSI Layer 6 Presentation layer. OSI Layer 7 Application layer. Overt security testing Overt testing can be used with both internal and external testing. When used from an internal perspective, the bad actor simulated is an employee of the organization. The organization’s IT staff is made aware of the testing and can assist the assessor in limiting the impact of the test by providing specific guidelines for the test scope and parameters. Ownership Possessing something, usually of value. Packet Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model. Packet Loss A technique called Packet Loss Concealment (PLC) is used in VoIP communications to mask the effect of dropped packets. Parity bits RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives. Patch An update/fix for an IT asset. Path coverage This criteria require sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once. Personally identifiable information (PII) Any data about a human being that could be used to identify that person. Physical access control system An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules. Ping of Death Exceeds maximum packet size and causes receiving system to fail. Ping Scanning Network mapping technique to detect if host replies to a ping, then the attacker knows that a host exists at that address. Plaintext The message in its natural format has not been turned into a secret. Point-to-Point Protocol (PPP) Provides a standard method for transporting multiprotocol datagrams over point-to-point links. Policy Documents published and promulgated by senior management dictating and describing the organization’s strategic goals. An extension to NAT to translate all addresses to Port Address Translation one routable IP address and translate the source (PAT) port number in the packet to a unique value. Positive testing This determines that your application works as expected. Privacy The right of a human individual to control the distribution of information about him- or herself. Procedures Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences. Purging The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique. Qualitative Measuring something without using numbers, using adjectives, scales, and grades, etc. Quantitative Using numbers to measure something, usually monetary values. Real user monitoring (RUM) An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application. Recovery point objective (RPO) A measure of how much data the organization can lose before the organization is no longer viable. Recovery time objective (RTO) The target time set for recovering from any interruption. Registered Ports Ports 1024 – 49151. These ports typically accompany non-system applications associated with vendors and developers. Registration authority (RA) This performs certificate registration services on behalf of a Certificate Authority (CA). Remanence Residual magnetism left behind. Residual risk The risk remaining after security controls have been put in place as a means of risk mitigation. Resources Assets of an organization that can be used effectively. Responsibility Obligation for doing something. Can be delegated. Risk The possibility of damage or harm and the likelihood that damage or harm will be realized. Risk acceptance Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action. Risk avoidance Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination. Risk mitigation Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk. Risk transference Paying an external party to accept the financial impact of a given risk. Role-based access control (RBAC) An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. Rule-based access control (RBAC) An access control model that is based on a list of predefined rules that determine what accesses should be granted. Sandbox An isolated test environment that simulates the production environment but will not affect production components/data. Security Assertion Markup Language 2.0 (SAML 2.0) A version of the SAML standard for exchanging authentication and authorization data between security domains. Security control framework A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization. Security governance The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization. Segment Data representation at Layer 4 of the Open Systems Interconnection (OSI) model. Separation of duties The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats. Session Initiation Protocol (SIP) Is designed to manage multimedia connections. Single factor authentication Involves the use of simply one of the three available factors solely to carry out the authentication process being requested. Smurf ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all nodes to respond to the victim with an Echo Reply. Software assurance The level of confidence that software is free from vulnerabilities either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that it functions in the intended manner. Software- defined networks (SDNs) Separates network systems into three components: raw data, how the data is sent, and what purpose the data serves. This involves a focus on data, control, and application (management) functions or “planes”. Is an extension of the SDN practices to connect to Software Defined Wide entities spread across the internet to support WAN Area Network (SD-WAN) architecture especially related to cloud migration. Standards Specific mandates explicitly stating expectations of performance or conformance. Statement coverage This criterion requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior. Static source code analysis (SAST) Analysis of the application source code for finding vulnerabilities without executing the application. Steganography Hiding something within something else, or data hidden within other data. Stream cipher When a cryptosystem performs its encryption on a bit-by-bit basis. Striping RAID technique; writing a data set across multiple drives. Substitution The process of exchanging one letter or bit for another. Switches Operate at Layer 2. A switch establishes a collision domain per port. Symmetric algorithm Operate with a single cryptographic key that is used for both encryption and decryption of the message. Synthetic performance monitoring Involves having external agents run scripted transactions against a web application. Teardrop Attack Exploits the reassembly of fragmented IP packets in the fragment offset field that indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet. Threat modeling A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations. Time multiplexing Allows the operating system to provide welldefined and structured access to processes that need to use resources according to a controlled and tightly managed schedule. Takes advantage of the dependency on the timing Time of check time of use of events that takes place in a multitasking (TOCTOU) Attacks operating system. Transmission Control Protocol (TCP) Provides connection-oriented data management and reliable data transfer. Layering model structured into four layers Transport Control (network interface layer, internet layer, transport Protocol/ Internet layer, host-to-host transport layer, application Protocol (TCP/ IP) Model layer). Transposition The process of reordering the plaintext to hide the message by using the same letters or bits. Trusted computing base (TCB) The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects. Trusted Platform Module A secure crypto processor and storage module. (TPM) Uninterruptible power supplies (UPS) Batteries that provide temporary, immediate power during times when utility service is interrupted. Use cases Abstract episodes of interaction between a system and its environment. User Datagram Protocol (UDP) The User Datagram Protocol provides connectionless data transfer without error detection and correction. Virtual Local Area Networks (VLANs) Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location. Voice over Internet Protocol (VoIP) Is a technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line. Waterfall Development Methodology A development model in which each phase contains a list of activities that must be performed and documented before the next phase begins. Well-Known Ports Ports 0–1023 ports are related to the common protocols that are utilized in the underlying management of Transport Control Protocol/Internet Protocol (TCP/IP) system, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc. White-box testing A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the\ software to guide the selection of test data. Whitelisting/ blacklisting A whitelist is a list of email addresses and/or internet addresses that someone knows as “good” senders. A blacklist is a corresponding list of known “bad” senders. Wi-Fi (Wireless LAN IEEE 802.11x) Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless local-area network either public or private. WiMAX (Broadband Wireless Access IEEE 802.16) One well-known example of wireless broadband is WiMAX. WiMAX can potentially deliver data rates of more than 30 megabits per second. Work factor This represents the time and effort required to break a cryptography system.