Key Terms
 Access control Encompasses four processes: identification, authentication,
authorization, and accountability.
 Access control policy A formal policy to determine how access rights are granted to
entities and groups.
 Accountability Assures that all actions on a system can be attributed to an
authenticated identity.
 Advanced Encryption Standard (AES) A symmetric block cipher specified in Federal Information Processing Standard (FIPS) 197 for use within the U.S. government to protect unclassified information. It has since become the default symmetric cipher in most security protocols (TLS, IPSec, WPA2).
 Agent Synonymous with sensor. This is a piece of software that resides on a system and
reports back to a management server.
 Application-level firewall A firewall, typically a dedicated computer running proxy software, that inspects traffic at the application layer and therefore understands the protocol being carried (HTTP, SMTP, DNS) rather than only addresses and ports. All traffic between the network inside the firewall and the network outside it (the Internet) must pass through the firewall, so that unauthorized traffic can be blocked on the basis of what the protocol is doing, not just where it is going.
 Asymmetric encryption Synonymous with public key encryption. A method of
communicating on a network using two different but related keys, one to encrypt and
the other to decrypt messages.
 Asynchronous token (challenge-response token device) A device that uses a challenge-response method, in which a server challenges a user during login with a fresh numerical sequence. The user keys the sequence into the token, which computes a response that is entered to gain access. Because every challenge is different, a captured response cannot be replayed. Compare synchronous tokens.
 Authentication The process of validating a supplicant’s purported identity. It ensures
that the entity requesting access is the entity claimed.
 Authorization Determines which actions an authenticated entity may perform in a given physical or logical area. It follows identification and authentication and precedes accountability.
 Authorization ticket In a client/server environment, a token issued to a particular client
that verifies to a server that the client is requesting services on behalf of an authorized
user and that the client is a valid member of a system and therefore authorized to
receive services.
 Bastion host Synonymous with sacrificial host. A hardened, dedicated system placed where it is directly exposed to the untrusted network, for example as the proxy or firewall host in a DMZ, where it can prescreen data packets and absorb the load before traffic reaches internal servers. It runs the minimum of services, is expected to be attacked, and is monitored accordingly, so that its compromise does not by itself expose the internal network.
 Behavior-based IDPS Or statistical anomaly-based IDPS. Compares current activity against a baseline of normal behavior and alerts on any deviation beyond a clipping level, so it is able to detect new types of attacks because it looks for abnormal activity of any type. The cost is a higher false-positive rate and the need to train and maintain the baseline.
 Biometric Literally means life measurement: authentication based on a measurable physiological or behavioral characteristic of a person (fingerprint, iris, face, voice, typing rhythm) compared against a stored template.
 Cache server The server used by proxy servers to temporarily store frequently accessed
pages.
 Certificate authority (CA) An agency that manages the issuance of digital certificates and serves as the electronic notary public: its signature on a certificate vouches that the public key inside it belongs to the named subject and that the certificate has not been altered. Anyone who trusts the CA's own key can verify that binding.
 Ciphertext A message that is formed when plaintext data is encrypted by a
cryptosystem.
 Clipping level The threshold, set relative to the baseline of normal activity, beyond which an anomaly-based IDPS or an audit system raises an alert. Activity within the baseline parameters is treated as normal noise; activity that exceeds the clipping level is reported.
 Content filter A software device that allows administrators to work within a network to
restrict accessibility to information.
 Crossover error rate (CER) Evaluation criteria for biometric technologies, the crossover rate is the point at which the number of false rejections (denial of access to authorized users) equals the number of the false acceptances (granting of access to unauthorized users).
Cryptanalysis The methodologies used to obtain information from encoded messages
when the cryptographic algorithm and/or keys are unknown.
Cryptography From the Greek word kryptos, meaning hidden, and graphein, meaning to write. The enciphering and deciphering of coded messages.
Cryptology The science of encryption; a field of study that encompasses cryptography
and cryptanalysis.
Demilitarized zone (DMZ) An intermediate area between a trusted network and an
untrusted network.
Diffie-Hellman key exchange method A method by which two parties who share no prior secret agree on a shared secret key over an insecure channel using public key mathematics (modular exponentiation or elliptic curves). The values exchanged are public, yet an eavesdropper cannot compute the resulting key from them. On its own the exchange is unauthenticated, so the exchanged values must be signed or otherwise verified to prevent a man-in-the-middle attack.
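The exchange described above, as an added example that is not part of the original glossary. The group parameters (a 127-bit Mersenne prime and generator 3) are constructed for the example and are far too small for real use; the second function shows what an active attacker can do when the public values are not authenticated.

```python
"""Added example: Diffie-Hellman key agreement with a toy group, plus what goes
wrong without authentication. Not from the original text."""
import hashlib
import secrets

# Constructed parameters: a 127-bit Mersenne prime and generator 3. Far too small
# for real use (use RFC 7919 groups or an elliptic curve), but large enough that
# two random exponents will not collide.
P = 2**127 - 1
G = 3

def keypair(p=P, g=G):
    """Private exponent x in [1, p-2]; public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def shared_secret(my_private, their_public, p=P):
    """Each party raises the other's public value to its own private exponent:
    (g^a)^b == (g^b)^a mod p."""
    return pow(their_public, my_private, p)

def derive_key(secret, p=P):
    """Never use the raw group element as a key: run it through a hash/KDF."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).hexdigest()

def exchange():
    """Honest run: only a_pub and b_pub cross the wire, yet both ends get the same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_alice = derive_key(shared_secret(a_priv, b_pub))
    k_bob = derive_key(shared_secret(b_priv, a_pub))
    return k_alice, k_bob

def mitm_exchange():
    """Unauthenticated DH: Mallory substitutes her own public value in both
    directions and ends up holding one key with Alice and another with Bob."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    k_alice = derive_key(shared_secret(a_priv, m_pub))   # Alice believes m_pub is Bob's
    k_bob = derive_key(shared_secret(b_priv, m_pub))     # Bob believes m_pub is Alice's
    k_m_alice = derive_key(shared_secret(m_priv, a_pub))
    k_m_bob = derive_key(shared_secret(m_priv, b_pub))
    return {
        "alice_shares_with_mallory": k_alice == k_m_alice,
        "bob_shares_with_mallory": k_bob == k_m_bob,
        "alice_and_bob_agree": k_alice == k_bob,
    }
```

Signing the public values (as TLS does with the server certificate) or comparing key fingerprints out of band is what closes the hole shown by mitm_exchange.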
Digital certificate An electronic document that binds a public key to the identity of its owner (a person, organization, or host) and is signed by a certificate authority. It lets a recipient verify that a signed file or an encrypted connection really involves the party named in the certificate and that the certificate contents have not been modified.
Digital signature A value computed over a message with the signer's private key (in practice, over a hash of the message) that anyone holding the matching public key can verify. It proves who signed the message and that it has not been altered since, which is the basis of nonrepudiation. Verification needs no central facility; a certificate authority is usually relied on only to vouch for the signer's public key.
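The two entries above, worked through as an added example that is not part of the original glossary: textbook RSA signing of a message hash, a minimal certificate (the CA's signature over a subject name and public key), and the relying party's check of both. The keys are built from Mersenne primes for the example only, the record layout is invented for it, and the padding a real RSA signature applies is omitted.

```python
"""Added example (not from the original text): textbook RSA signatures and a
minimal certificate, with deliberately small, constructed keys."""
import hashlib
from typing import NamedTuple

class RSAKey(NamedTuple):
    n: int   # modulus (public)
    e: int   # public exponent
    d: int   # private exponent: never leaves its owner

def make_key(p: int, q: int, e: int = 65537) -> RSAKey:
    return RSAKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))  # pow(e, -1, m) needs Python 3.8+

# Constructed keys from Mersenne primes (~150-bit and ~234-bit moduli). Real keys
# are >= 2048 bits with random primes; these are only large enough to hold a
# 128-bit truncated digest.
SUBJECT_KEY = make_key(2**61 - 1, 2**89 - 1)
CA_KEY = make_key(2**107 - 1, 2**127 - 1)

def digest(data: bytes) -> int:
    """Hash first, then sign the hash. Truncated to 128 bits so it fits under the
    toy modulus; real RSA signatures also apply PSS or PKCS#1 v1.5 padding."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(data: bytes, key: RSAKey) -> int:
    return pow(digest(data), key.d, key.n)

def verify(data: bytes, signature: int, n: int, e: int) -> bool:
    """Anyone with the public (n, e) can check; only the holder of d could have signed."""
    return pow(signature, e, n) == digest(data)

def issue_certificate(subject: str, subject_n: int, subject_e: int, ca: RSAKey) -> dict:
    """A certificate is the CA's signature over (identity, public key).
    The field layout here is constructed for the example, not X.509."""
    tbs = f"{subject}|{subject_n}|{subject_e}".encode()
    return {"subject": subject, "n": subject_n, "e": subject_e, "ca_sig": sign(tbs, ca)}

def check_certificate(cert: dict, ca_n: int, ca_e: int) -> bool:
    tbs = f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()
    return verify(tbs, cert["ca_sig"], ca_n, ca_e)

def verify_signed_message(message: bytes, sig: int, cert: dict, ca_n: int, ca_e: int) -> bool:
    """Relying party: trust the CA key, check the certificate, then check the
    message signature with the public key the certificate vouches for."""
    return check_certificate(cert, ca_n, ca_e) and verify(message, sig, cert["n"], cert["e"])
```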
Dumb cards ID cards or ATM cards with magnetic stripes containing the digital (and
often encrypted) user personal identification number (PIN) against which a user input is
compared; performs no computation as contrasted with smart cards, which can perform
some computations using an onboard processor.
Dynamic packet filtering firewall A firewall that can create filter rules on the fly: when an internal host opens a connection, the firewall temporarily allows only the matching return traffic for that particular source, destination, and port combination, and closes the opening again when the connection ends.
Encryption The process of converting an original message into a form that is
unreadable by unauthorized individuals.
False accept rate The percentage or value associated with the rate at which fraudulent
users or nonusers are allowed access to systems or areas as a result of a failure in the
biometric device.
False reject rate The percentage or value associated with the rate at which authentic
users are denied or prevented access to authorized areas as a result of a failure in the
biometric device.
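The three biometric error measures above (false accept rate, false reject rate and the crossover error rate defined earlier), computed as an added example that is not part of the original glossary. The match scores are constructed for the example; a real evaluation would use thousands of attempts.

```python
"""Added example (not from the original text): false accept rate, false reject
rate and the crossover error rate computed from constructed match scores."""

# Constructed similarity scores (0..1) from a biometric matcher: genuine attempts
# by enrolled users, and impostor attempts by other people.
GENUINE = [0.91, 0.88, 0.95, 0.80, 0.72, 0.86, 0.90, 0.67, 0.93, 0.84]
IMPOSTOR = [0.30, 0.45, 0.62, 0.70, 0.38, 0.55, 0.75, 0.41, 0.66, 0.50]

def far(threshold, impostor=IMPOSTOR):
    """False accept rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False reject rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep the decision threshold and return (threshold, CER) at the point
    where FAR and FRR are closest to equal. Raising the threshold lowers FAR
    and raises FRR; the CER is the single-number summary of the trade-off."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        f_a, f_r = far(t, impostor), frr(t, genuine)
        if best is None or abs(f_a - f_r) < best[0]:
            best = (abs(f_a - f_r), t, (f_a + f_r) / 2)
    return best[1], best[2]

def threshold_for_max_far(max_far, impostor=IMPOSTOR, steps=100):
    """Operational tuning: a high-security door picks the lowest threshold whose
    FAR does not exceed max_far and accepts the higher FRR that comes with it."""
    for i in range(steps + 1):
        t = i / steps
        if far(t, impostor) <= max_far:
            return t
    return 1.0
```

On these scores the two curves cross at a threshold of 0.71 with a CER of 10%; demanding a zero FAR pushes the threshold to 0.76 and rejects 20% of genuine users.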
Fingerprinting A data-gathering process that discovers the assets that can be accessed from a network, usually performed in advance of a planned attack. It is the systematic examination of the addresses identified during footprinting to determine which hosts are active and which operating systems and services they run.
Firewall A device that provides a defense between a more trusted network inside the
firewall and a less trusted network outside the firewall (the Internet) that filters network
traffic that could pose a threat to the inside network. All traffic to and from the network
must pass through the firewall, so that unauthorized network traffic can be blocked.
Footprint The geographic area within which a wireless access point provides sufficient
signal strength to maintain a connection.
Footprinting The identification of the Internet addresses that are owned or controlled
by an organization.
Honeypot A computer server configured to misdirect hackers by resembling a
production system that contains substantial information.
Host-based IDPS An IDPS that runs on the computer it protects and monitors that host's own files, configuration, and logs for unauthorized change, after classifying the various categories of systems and data files it watches. Its agents report to a central management console, which is how many hosts can be monitored at once.
Identification The mechanism that provides information about an unverified entity—
called a supplicant—that wants to be granted access to a known entity.
IEEE 802.11i An amendment to the IEEE 802.11 wireless networking standard that specifies security protocols for wireless networks; it is implemented in practice as WPA2.
 Intrusion detection and prevention systems (IDPSs) These work like burglar alarms.
When the system detects a violation—the IT equivalent of an opened or broken
window—it activates the alarm. This alarm can be audible and visible (noise and
lights), or it can be a silent alarm that sends a message to a monitoring company.
 IP Security (IPSec) The primary and dominant cryptographic authentication and encryption protocol suite for IP, produced by the IETF's IP Security Working Group.
 Kerberos A network authentication protocol that uses symmetric key encryption and a trusted third party (the key distribution center) to validate an individual user to various network resources by issuing tickets, so that the user's password is never sent across the network.
 Minutiae In biometrics, unique points of reference that are digitized and stored in an
encrypted format for comparison with scanned human characteristics.
 Monoalphabetic substitution In encryption, the substitution of one value for another
using a single alphabet.
 Network-address translation (NAT) A method of mapping real, valid, external IP addresses to special ranges of internal (private) IP addresses, so that internal hosts are not directly addressable from outside. The hiding of internal addresses is a side effect rather than a designed security control; NAT does not replace a firewall.
 Network-based IDPSs A system that monitors network traffic for potential intrusion activity. When a predefined condition occurs, the network-based IDPS notifies the appropriate administrator or takes defined actions based on predetermined conditions.
 Nonrepudiation A message characteristic wherein the fact that a message was sent by a
particular entity cannot be refuted.
 Open port A port on which a service is listening and accepting connections. An open port can be used to send commands to a computer, gain access to a server, or exert control over a networking device, so every open port is attack surface and ports that are not needed should be closed.
 Packet filtering firewall A type of networking device that filters data packets based on
their network-level headers as they travel in and out of an organization’s network.
 Packet sniffer A network tool that collects copies of packets from the network and
analyzes them.
 Passphrase A series of characters, typically longer than a password, from which a
virtual password is derived.
 Password A private word or combination of characters that only the user knows.
 Permutation cipher Synonymous with transposition cipher. The rearranging of values
within a block to create coded information.
 Plaintext Synonymous with cleartext. The unencrypted message that will be encrypted
into ciphertext for transmission over an unsecured channel.
 Polyalphabetic substitutions In encryption, the substitution of one value for another,
using two or more alphabets.
 Port A network channel or connection point in a data communications system.
 Port-address translation (PAT) A form of NAT that maps many internal addresses onto a single real, valid, external IP address by giving each internal connection a distinct external port number and recording the mapping in a translation table.
 Port scanners The tools used to identify (or fingerprint) computers that are active on a network by probing each host's ports to determine which are open and what services they run.
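A toy port-address translator, added as an example that is not part of the original glossary, showing two internal hosts that happen to use the same source port sharing one external address, and an unsolicited inbound packet that has no table entry. The addresses are constructed from the documentation ranges.

```python
"""Added example (not from the original text): a toy port-address translator
showing how many internal hosts share one external address."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PAT:
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_table = {}   # (internal ip, internal port) -> external port
        self.in_table = {}    # external port -> (internal ip, internal port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the shared external IP and a unique external port,
        allocating a new port the first time an internal socket is seen."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.external_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Rewrite the destination back to the internal host. A packet whose port has
        no mapping is an unsolicited connection from outside and is dropped (None)."""
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```

The table here is keyed only on the internal socket and never expires; a real translator also keys on the destination, times entries out, and its exact behaviour (cone versus symmetric) decides what an outsider can reach through a mapping once it exists.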
 Pre-shared keys Keys issued by an authentication server to authenticated users, or configured by hand on both ends of a link. Sometimes users are allowed to share a key. Use of pre-shared keys is quite convenient but weak: a shared key cannot distinguish one user from another, and it must be replaced whenever anyone who knew it leaves.
 Pretty Good Privacy (PGP) A hybrid cryptosystem that combines some of the best available cryptographic algorithms: symmetric encryption of the data, public key encryption of the per-message key, and digital signatures. Its message format, standardized by the IETF as OpenPGP, is the de facto standard for encryption and authentication of e-mail and file storage applications; GnuPG is the best-known open source implementation.
 Privacy Enhanced Mail (PEM) A standard proposed by the Internet Engineering Task Force (IETF) for securing e-mail with public key cryptosystems. PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures. It was never widely deployed and has been superseded by S/MIME and PGP, although its Base64 text encoding of keys and certificates (the .pem file format) remains in everyday use.
 Private key encryption Synonymous with symmetric encryption. A method of
communicating on a network using a single key to both encrypt and decrypt a message.
 Proxy server Synonymous with proxy firewall. A server that accepts requests from clients and makes them on the clients' behalf, so that client and real server never communicate directly. Placed in front of a Web server (a reverse proxy) it looks like that Web server to the outside world and shields it from direct attack; placed in front of clients (a forward proxy) it can filter and log their outbound requests.
 Public key encryption Synonymous with asymmetric encryption. A method of
communicating on a network using two different keys, one to encrypt and the other to
decrypt a message.
 Remote Authentication Dial-in User Service (RADIUS) A system that authenticates the credentials of users who are trying to access an organization's network, originally through a dial-up connection and today through VPN concentrators, wireless access points (802.1X), and other network access servers, which forward the credentials to a central RADIUS server.
 Sacrificial host Synonymous with bastion host. A hardened, dedicated system placed where it is directly exposed to the untrusted network, for example as the proxy or firewall host in a DMZ, where it can prescreen data packets and absorb the load before traffic reaches internal servers. It is expected to be attacked and is built and monitored on that assumption.
 Secret key In symmetric encryption, the single key shared by both parties. In
asymmetric encryption, the private key retained by the owner for use in decrypting
messages encrypted with owner’s public key.
 Secure Electronic Transactions (SET) A standard developed by MasterCard and
VISA in 1997 to provide protection from electronic payment fraud. It works by
encrypting the credit card transfers with DES for encryption and RSA for key exchange.
 Secure Hypertext Transfer Protocol (SHTTP) A protocol designed to enable secure communications across the Internet by encrypting and signing individual HTTP messages. It is not the same as HTTPS, which runs ordinary HTTP over an SSL/TLS connection so that all information passing between two computers travels through a protected and secure virtual connection. S-HTTP saw little adoption; HTTPS is what is used in practice.
 Secure Multipurpose Internet Mail Extensions (S/MIME) A specification developed
to increase the security of e-mail that adds encryption and user authentication.
 Secure Shell (SSH) A popular extension to the TCP/IP protocol suite, sponsored by the
IETF. It provides authentication services between a client and a server and is used to
secure replacement tools for terminal emulation, remote management, and file transfer
applications.
 Secure Sockets Layer (SSL) A protocol for transmitting private information securely over the Internet. All SSL versions are now deprecated; its successor, Transport Layer Security (TLS), is what modern systems use, although the name SSL persists.
 Sensor Synonymous with agent. This is a piece of software that resides on a system and
reports back to a management server.
 Signature-based IDPS Or knowledge-based IDPS. Examines data traffic for something that matches the signatures, which comprise preconfigured, predetermined attack patterns. It is precise for known attacks but cannot detect an attack for which it has no signature, so its signature database must be kept current.
 Smart card A device that contains memory and a processor that can verify and validate
a number of pieces of information about an individual beyond recording facts.
 Stateful inspection firewall Devices that track network connections that are established
between internal and external systems.
 State table The table maintained by a stateful inspection firewall that tracks the state and context of each connection passing through it, recording which host sent which packet, when, and to which remote host, so that only packets belonging to a legitimately established exchange are allowed through.
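The packet filtering firewall, stateful inspection firewall and state table entries, demonstrated together as an added example that is not part of the original glossary. A stateless filter is shown beside a stateful one on the same constructed packets (documentation-range addresses; a made-up 10.0.0.0/8 internal network) so that the difference is visible: to admit replies, the stateless rule has to trust the source port, which an attacker can choose freely.

```python
"""Added example (not from the original text): a stateful inspection filter with a
state table, beside a stateless packet filter, on constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # constructed: the trusted side
ALLOWED_OUTBOUND_PORTS = {80, 443}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # TCP SYN without ACK: a new connection attempt

def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL

def stateless_filter(pkt: Packet) -> str:
    """Packet filter: judges each packet on its own headers. To let replies in it
    must allow anything with an allowed *source* port, which is trivially forged."""
    if is_internal(pkt.src_ip) and pkt.dst_port in ALLOWED_OUTBOUND_PORTS:
        return "ALLOW"
    if is_internal(pkt.dst_ip) and pkt.src_port in ALLOWED_OUTBOUND_PORTS:
        return "ALLOW"
    return "DROP"

class StatefulFirewall:
    def __init__(self):
        self.state_table = set()   # 4-tuples of connections opened from inside

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Traffic in either direction of a connection we saw opened: pass.
        if flow in self.state_table or reverse in self.state_table:
            return "ALLOW (established)"
        # A new connection is only accepted from inside, only as a SYN, only to
        # an allowed port; its 4-tuple is then recorded so the reply can return.
        if (is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
                and pkt.syn and pkt.dst_port in ALLOWED_OUTBOUND_PORTS):
            self.state_table.add(flow)
            return "ALLOW (new outbound)"
        return "DROP"
```

A production state table also records sequence numbers and connection phase and ages entries out; the point here is only that the forged "reply" from 198.51.100.9 passes the stateless rule and is dropped by the stateful one.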
 Statistical anomaly-based IDPS (stat IDPS) or behavior based IDPS. Able to detect
new types of attacks because it looks for abnormal activity of any type.
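The signature-based and statistical anomaly-based detectors, together with the clipping level, run over a few constructed web-server log lines as an added example that is not part of the original glossary. The log format, the two signature patterns and the baseline of normal failed-login counts are all invented for the example.

```python
"""Added example (not from the original text): a signature-based detector and a
statistical anomaly detector with a clipping level, run over constructed log lines."""
import re
import statistics
from collections import Counter

# Constructed sample log: timestamp, client IP, method, path, status.
LOG_LINES = """\
2024-05-01T10:00:01 203.0.113.7 GET /index.html 200
2024-05-01T10:00:02 203.0.113.7 POST /login 401
2024-05-01T10:00:03 203.0.113.7 POST /login 200
2024-05-01T10:00:05 198.51.100.4 GET /cgi-bin/../../etc/passwd 404
2024-05-01T10:00:06 198.51.100.4 GET /search?q=admin'%20OR%201=1-- 500
2024-05-01T10:00:07 198.51.100.4 POST /login 401
2024-05-01T10:00:08 198.51.100.4 POST /login 401
2024-05-01T10:00:09 198.51.100.4 POST /login 401
2024-05-01T10:00:10 198.51.100.4 POST /login 401
2024-05-01T10:00:11 198.51.100.4 POST /login 401
""".splitlines()

# Signature (knowledge-based) rules: preconfigured patterns of known attacks.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"('|%27)(\s|%20)*OR(\s|%20)+1=1", re.IGNORECASE),
}

# Constructed baseline: failed logins per source per minute during normal operation.
BASELINE_FAILURES = [1, 2, 0, 1, 1, 2, 1, 0]

def parse(line):
    ts, ip, method, path, status = line.split()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status)}

def signature_alerts(lines=LOG_LINES):
    """Flags only what matches a known pattern; an attack with no signature passes."""
    hits = []
    for rec in map(parse, lines):
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                hits.append((name, rec["ip"], rec["path"]))
    return hits

def clipping_level(baseline=BASELINE_FAILURES, k=3.0):
    """Threshold above the normal baseline: mean plus k standard deviations.
    Below it, activity is treated as noise; above it, an alert is raised."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_alerts(lines=LOG_LINES, baseline=BASELINE_FAILURES):
    """Flags sources whose failed-login count exceeds the clipping level, whatever
    they are attempting; the password spraying here has no signature but stands
    out from the baseline."""
    level = clipping_level(baseline)
    failures = Counter(rec["ip"] for rec in map(parse, lines) if rec["status"] == 401)
    return sorted(ip for ip, n in failures.items() if n > level)
```

With this baseline the clipping level works out to about 3.12 failures per source; 203.0.113.7's single failed login stays below it while 198.51.100.4's five exceed it, and the same source is also caught by both signatures.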
 Strong authentication The use of two or more authentication mechanism types to
authenticate a single transaction or session; for example, the use of something you have
and something you know as occurs when making an ATM banking transaction.
 Substitution cipher In encryption, the substitution of one value for another.
 Supplicant An entity requesting access to a controlled system. May be a person or
other entity attempting to gain access to an information or other system.
 Symmetric encryption Synonymous with private key encryption. Symmetric
encryption is a method of communicating on a network using a single key to both
encrypt and decrypt a message.
 Synchronous tokens Authentication devices that are synchronized with a server so that
each device (server and token) uses the time or a time-based database to generate a
number that is entered during the user login phase.
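The synchronous token above, the challenge-response (asynchronous) token defined earlier, and the server-side check that makes them a second factor for strong authentication, as an added example that is not part of the original glossary. hotp and totp implement RFC 4226 and RFC 6238 and are checked against those RFCs' published test vectors; the challenge-response function is a simplified illustration of the asynchronous type, not any particular product, and the shared secret is the RFC test key, constructed for the example.

```python
"""Added example (not from the original text): one-time-password tokens built on
HMAC. hotp/totp follow RFC 4226 / RFC 6238; challenge_response is a simplified
illustration of an asynchronous token, not a specific product."""
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit number, reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 synchronous token: the counter is the current 30-second time step,
    so token and server agree as long as their clocks do."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)

def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: tolerate +/- `window` steps of clock drift and compare in
    constant time. A wider window means more codes are valid at once."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, at + skew * step, step, digits), code)
               for skew in range(-window, window + 1))

def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Asynchronous token: the server sends a fresh random challenge, the token
    returns a code bound to it, so a captured response is useless for replay."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"
```

Either code is only a second factor: the login still requires the password (something you know) alongside the token output (something you have), and the server must rate-limit guesses, since a six-digit code is brute-forceable without that.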
 Systems logs Records maintained by a particular system that has been configured to
record specific information, such as failed access attempts and systems modifications.
Logs have many uses, such as intrusion detection, determining the root cause of a
system failure, or simply tracking the use of a particular resource.
 Terminal Access Controller Access Control System (TACACS) A remote access
system that validates a user’s credentials.
 Transport mode One of the two modes of operation of the IP Security Protocol. In transport mode, only the IP payload is protected; the original IP header is left in the clear, so the mode is used for host-to-host protection rather than for gateway-to-gateway tunnels.
 Transposition cipher Synonymous with permutation cipher. The rearranging of values
within a block to create coded information.
 Triple DES (3DES) An improvement to DES that applies the DES algorithm three times in succession (encrypt, decrypt, encrypt) with as many as three keys. It is substantially more secure than DES, not only because it uses as many as three keys instead of one, but also because it performs three encryption operations. It is slow and keeps DES's 64-bit block size, and NIST has since deprecated it in favor of AES.
 Trusted network A network segment that has had some degree of protection
established (such as an intranet that is inside an organization’s firewall) and is therefore
perceived as being less susceptible to attack or loss.
 Tunnel mode One of the two modes of operation of the IP Security Protocol. In tunnel
mode, the entire IP packet is encrypted and placed as payload into another IP packet.
 Untrusted network A network segment perceived as uncontrolled, such as the Internet.
 Virtual password A password calculated or extracted from a passphrase that meets
system storage requirements.
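The passphrase, password and virtual password entries, as an added example that is not part of the original glossary: a passphrase of any length is turned into a fixed-length virtual password with PBKDF2, stored with its salt and iteration count, and checked in constant time. The record layout is invented for the example; the iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256.

```python
"""Added example (not from the original text): deriving a fixed-length virtual
password from a passphrase with PBKDF2, then storing and checking it."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256

def derive_virtual_password(passphrase: str, salt: bytes,
                            iterations: int = ITERATIONS, length: int = 32) -> bytes:
    """The passphrase may be any length; the derived value has the fixed length the
    system stores. The salt makes identical passphrases derive different values
    and the iteration count makes each guess expensive for an attacker."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=length)

def store(passphrase: str) -> str:
    """Record format (constructed for this example): algo$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = derive_virtual_password(passphrase, salt)
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def check(passphrase: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time
    so that timing does not leak how many leading bytes matched."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    stored = base64.b64decode(dk_b64)
    dk = derive_virtual_password(passphrase, base64.b64decode(salt_b64), int(iters), len(stored))
    return hmac.compare_digest(dk, stored)
```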
 Virtual private networks (VPNs) A private network carried over a public one: an encrypted, authenticated tunnel (typically IPSec or TLS) that lets a user treat the Internet as if it were a private network link.
 Vulnerability scanner A device that scans servers to identify exposed usernames,
shows open network shares, and exposes configuration problems and other
vulnerabilities.
 War dialer An automatic phone-dialing program that dials every number on a list or in
a configured range (e.g., 555-1000 to 555-2000), and checks to see if a person,
answering machine, or modem picks up.
 War driving A technique used to determine the location of wireless access points and
then assess that access point’s security requirements with the intent to determine if an
unauthorized connection is possible.
 Wi-Fi Protected Access (WPA) A family of protocols used to secure wireless networks. It was initially developed as an intermediate solution known as WPA (TKIP encryption) so that WEP could be replaced on existing hardware. Its successor WPA2 incorporates the IEEE 802.11i standard with AES-based CCMP encryption, and WPA3 is the current generation.
 Wired Equivalent Privacy (WEP) Part of the original IEEE 802.11 wireless networking standard designed to provide a basic level of security protection to these radio networks with an intent to prevent unauthorized access or eavesdropping. Its RC4-based design is thoroughly broken (the key can be recovered from captured traffic in minutes), and it should not be used.
 Wireless access point (WAP) A radio transceiver device that enables radio-frequency
network access to a local area network.
 WPA2 A second-generation version of Wi-Fi Protected Access that provides stronger authentication (pre-shared key or 802.1X) and encryption (AES-based CCMP) as compared to WEP and the original WPA.
 XOR cipher conversion A programming algorithm that uses the Boolean XOR function to combine binary digits from two data streams, one with a clear text and the other with an encryption key, to produce an encrypted data stream. Because XOR is its own inverse, the same operation with the same key decrypts. The result is only as strong as the key stream: a short repeated key is recovered from a little known plaintext, and reusing any key stream across two messages reveals the XOR of the two plaintexts.
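The XOR cipher above, as an added example that is not part of the original glossary: the symmetric encrypt/decrypt operation, the one-time-pad form that is its only secure use, and the two attacks a practitioner should expect against anything weaker (key recovery from known plaintext and the two-time-pad attack). The messages and the short key are constructed for the example.

```python
"""Added example (not from the original text): XOR stream encryption and the two
attacks that break it when the key stream is short or reused."""
import itertools
import secrets

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each data byte with the key, cycling the key if it is shorter.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

def one_time_pad_key(length: int) -> bytes:
    """The only secure form: a truly random key as long as the message, used once."""
    return secrets.token_bytes(length)

def recover_key_stream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives back the key stream
    for the bytes where the plaintext is known."""
    return xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)

def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two-time pad: c1 XOR c2 == p1 XOR p2 regardless of the key, so knowing one
    plaintext reveals the other without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), p1)
```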