Acceptable risk

A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management.

Access control system

Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

Access control tokens

The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.

Accountability

Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.

ActiveX Data Objects (ADO)

A Microsoft high-level interface for all kinds of data.

Address Resolution Protocol (ARP)

Is used at the Media Access Control (MAC) Layer to provide for direct communication between two devices within the same LAN segment.

Algorithm

A mathematical function that is used in the encryption and decryption processes.

Asset

An item perceived as having value.

Asset lifecycle

The phases that an asset goes through from creation (collection) to destruction.

Asymmetric

Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other to decrypt.

Attack surface

Different security testing methods find different vulnerability types.

Attribute- based access control (ABAC)

This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.

Audit/auditing

The tools, processes, and activities used to perform compliance reviews.

Authorization

The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.

Availability

Ensuring timely and reliable access to and use of information by authorized users.

Baselines

A minimum level of security.

Bit

Most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

Black-box testing

Testing where no internal details of the system implementation are used.

Bluetooth (Wireless Personal Area Network IEEE 802.15)

Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices.

Bridges

Layer 2 devices that filter traffic between segments based on Media Access Control (MAC) addresses.

Business continuity (BC)

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Business continuity and disaster recovery (BCDR)

A term used to jointly describe business continuity and disaster recovery efforts.

Business impact analysis (BIA)

A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.

Capability Maturity Model for Software or Software Capability Maturity Model (CMM or SW-CMM)

Maturity model focused on quality management processes and has five maturity levels that contain several key practices within each maturity level.

Cellular Network

A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.

Certificate authority (CA)

An entity trusted by one or more users as an authority that issues, revokes, and manages digital certificates to bind individuals and entities to their public keys.

Change management

A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

CIA/AIC Triad

Security model with the three security concepts of confidentiality, integrity, and availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad.

Ciphertext

The altered form of a plaintext message, so as to be unreadable for anyone except the intended recipients. Something that has been turned into a secret.

Classification

Arrangement of assets into categories.

Clearing

The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities.

Code-division multiple access (CDMA)

Every call’s data is encoded with a unique key, then the calls are all transmitted at once.

Common Object Request Broker Architecture (CORBA)

A set of standards that addresses the need for interoperability between hardware and software products.

Compliance

Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

Computer virus

A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer.

Concentrators

Multiplex connected devices into one signal to be transmitted on a network.

Condition coverage

This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration management (CM)

A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Confusion

Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.

Content Distribution Network (CDN)

Is a large distributed system of servers deployed in multiple data centers across the internet.

Covert channel

An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information.

Covert security testing

Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test.

Crossover Error Rate (CER)

This is achieved when the type I and type II are equal.

Cryptanalysis

The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services provided through cryptography.

Cryptography

Secret writing. Today provides the ability to achieve confidentiality, integrity, authenticity, non-repudiation, and access control.

Cryptology

The science that deals with hidden, disguised, or encrypted information and communications.

Curie Temperature

The critical point where a material’s intrinsic magnetic alignment changes direction.

Custodian

Responsible for protecting an asset that has value, while in the custodian’s possession.

Data classification

Entails analyzing the data that the organization retains, determining its importance and value, and then assigning it to a category.

Data custodian

The person/role within the organization owner/controller.

Data flow coverage

This criteria requires sufficient test cases for each feasible data flow to be executed at least once.

Data mining

A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics.

Data owner/ controller

An entity that collects or creates PII.

Data subject

The individual human related to a set of personal data.

Database Management System (DBMS)

A suite of application programs that typically manages large, structured sets of persistent data.

Database model

Describes the relationship between the data elements and provides a framework for organizing the data.

Decision (branch) coverage

Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.

Decryption

The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption.

Defensible destruction

Eliminating data using a controlled, legally defensible, and regulatory compliant way.

DevOps

An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate.

Diffusion

Provided by mixing up the location of the plaintext throughout the ciphertext. The strongest algorithms exhibit a high degree of confusion and diffusion.

Digital certificate

An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date. Used to bind individuals and entities to their public keys. Issued by a trusted third party referred to as a Certificate Authority (CA).

Digital rights management (DRM)

A broad range of technologies that grant control and protection to content providers over their own digital media. May use cryptography techniques.

Digital signatures

Provide authentication of a sender and integrity of a sender’s message and non-repudiation services.

Disaster recovery (DR)

Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Discretionary access control (DAC)

The system owner decides who gets access.

Due care

A legal concept pertaining to the duty owed by a provider to a customer.

Due diligence

Actions taken by a vendor to demonstrate/ provide due care.

Dynamic or Private Ports

Ports 49152 – 65535. Whenever a service is requested that is associated with Well- Known or Registered Ports those services will respond with a dynamic port.

Dynamic testing

When the system under test is executed and its behavior is observed.

Encoding

The action of changing a message into another format through the use of a code.

Encryption

The process of converting the message from its plaintext to ciphertext.

False Acceptance Rate (Type II)

This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user.

False Rejection Rate (Type I)

This is failure to recognize a legitimate user.

Fibre Channel over Ethernet (FCoE)

A lightweight encapsulation protocol, and it lacks the reliable data transport of the TCP layer.

Firewalls

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Frame

Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.

Global System for Mobiles (GSM)

Each call is transformed into digital data that is given a channel and a time slot.

Governance

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.

Governance committee

A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

Guidelines

Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Hash function

Accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest or hash.

Honeypots/ honeynets

Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy maliciousor unauthorized intruders, as a means ofdelaying their attempts to accessproduction data/assets. A number ofmachines of this kind, linked together as anetwork or subnet, are referred to as a “honeynet.”

Identity as a service (IDaaS)

Cloud-based services that broker identity and access management (IAM) functions to target systems on customers’ premises and/or in the cloud.

Identity proofing

The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.

Initialization vector (IV)

A non-secret binary vector used as the initializing input algorithm, or a random starting point, for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.

Integrated Process and Product Development (IPPD)

A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing, and supportability processes.

Integrity

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Intellectual property

Intangible assets (notably includes software and data).

Internet Control Message Protocol (ICMP)

Provides a means to send error messages and a way to probe the network to determine network availability.

Internet Group Management Protocol (IGMP)

Used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission.

Internet Protocol (IPv4)

Is the dominant protocol that operates at the Open Systems Interconnection (OSI) Network Layer 3. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts.

Internet Protocol (IPv6)

Is a modernization of IPv4 that includes a much larger address field: IPv6 addresses are 128 bits that support 2128 hosts.

Intrusion detection system (IDS)

A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

Intrusion prevention system (IPS)

A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.

Inventory

Complete list of items.

Job rotation

The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

Key Clustering

When different encryption keys generate the same ciphertext from the same plaintext message.

Key Length

The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.

Key or Cryptovariable

The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.

Knowledge Discovery in Databases (KDD)

A mathematical, statistical, and visualization method of identifying valid and useful patterns in data.

Least privilege

The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

Lifecycle

Phases that an asset goes through from creation to destruction.

Log

A record of actions and events that have taken place on a computer system.

Logical access control system

Non-physical system that allows access based upon pre-determined policies.

Loop coverage

This criterion requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions.

Mandatory access controls (MAC)

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

Maximum allowable downtime (MAD)

The measure of how long an organization can survive an interruption of critical functions. Also known as maximum tolerable downtime (MTD).

Media

Any object that contains data.

Message authentication code (MAC)

A small block of data that is generated using a secret key and then appended to the message, used to address integrity.

Message digest

A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality.

Metadata

Information about the data.

Misuse case

A use case from the point of view of an actor hostile to the system under design.

Multi-condition coverage

These criteria require sufficient test cases to exercise all possible combinations of conditions in a program decision.

Multi-factor authentication

Ensures that a user is who he or she claims to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

Multiprotocol Label Switching (MPLS)

Is a wide area networking protocol that operates at both Layer 2 and 3 and does label switching.

Need-to-know

Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

Negative testing

This ensures the application can gracefully handle invalid input or unexpected user behavior.

Network Function Virtualization (NFV)

The objective of NFV is to decouple functions such as firewall management, intrusion detection, network address translation, or name service resolution away from specific hardware implementation into software solutions.

Non-repudiation

Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message.

Null cipher

Hiding plaintext within other plaintext. A form of steganography.

Open Authorization (OAuth)

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Open Shortest Path First (OSPF)

An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.

OSI Layer 1

Physical layer.

OSI Layer 2

Data-link layer.

OSI Layer 3

Network layer.

OSI Layer 4

Transport layer.

OSI Layer 5

Session layer.

OSI Layer 6

Presentation layer.

OSI Layer 7

Application layer.

Overt security testing

Overt testing can be used with both internal and external testing. When used from an internal perspective, the bad actor simulated is an employee of the organization. The organization’s IT staff is made aware of the testing and can assist the assessor in limiting the impact of the test by providing specific guidelines for the test scope and parameters.

Ownership

Possessing something, usually of value.

Packet

Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.

Packet Loss

A technique called Packet Loss Concealment (PLC) is used in VoIP communications to mask the effect of dropped packets.

Parity bits

RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.

Patch

An update/fix for an IT asset.

Path coverage

This criteria require sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once.

Personally identifiable information (PII)

Any data about a human being that could be used to identify that person.

Physical access control system

An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.

Ping of Death

Exceeds maximum packet size and causes receiving system to fail.

Ping Scanning

Network mapping technique to detect if host replies to a ping, then the attacker knows that a host exists at that address.

Plaintext

The message in its natural format has not been turned into a secret.

Point-to-Point Protocol (PPP)

Provides a standard method for transporting multiprotocol datagrams over point-to-point links.

Policy

Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Port Address Translation (PAT)

An extension to NAT to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value.

Positive testing

This determines that your application works as expected.

Privacy

The right of a human individual to control the distribution of information about him- or herself.

Procedures

Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Purging

The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.

Qualitative

Measuring something without using numbers, using adjectives, scales, and grades, etc.

Quantitative

Using numbers to measure something, usually monetary values.

Real user monitoring (RUM)

An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.

Recovery point objective (RPO)

A measure of how much data the organization can lose before the organization is no longer viable.

Recovery time objective (RTO)

The target time set for recovering from any interruption.

Registered Ports

Ports 1024 – 49151. These ports typically accompany non-system applications associated with vendors and developers.

Registration authority (RA)

This performs certificate registration services on behalf of a Certificate Authority (CA).

Remanence

Residual magnetism left behind.

Residual risk

The risk remaining after security controls have been put in place as a means of risk mitigation.

Resources

Assets of an organization that can be used effectively.

Responsibility

Obligation for doing something. Can be delegated.

Risk

The possibility of damage or harm and the likelihood that damage or harm will be realized.

Risk acceptance

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Risk avoidance

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Risk mitigation

Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.

Risk transference

Paying an external party to accept the financial impact of a given risk.

Role-based access control (RBAC)

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.

Rule-based access control (RBAC)

An access control model that is based on a list of predefined rules that determine what accesses should be granted.

Sandbox

An isolated test environment that simulates the production environment but will not affect production components/data.

Security Assertion Markup Language 2.0 (SAML 2.0)

A version of the SAML standard for exchanging authentication and authorization data between security domains.

Security control framework

A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization.

Security governance

The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

Segment

Data representation at Layer 4 of the Open Systems Interconnection (OSI) model.

Separation of duties

The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.

Session Initiation Protocol (SIP)

Is designed to manage multimedia connections.

Single factor authentication

Involves the use of simply one of the three available factors solely to carry out the authentication process being requested.

Smurf

ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all nodes to respond to the victim with an Echo Reply.

Software assurance

The level of confidence that software is free from vulnerabilities either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that it functions in the intended manner.

Software- defined networks (SDNs)

Separates network systems into three components: raw data, how the data is sent, and what purpose the data serves. This involves a focus on data, control, and application (management) functions or “planes”.

Software Defined Wide Area Network (SD-WAN)

Is an extension of the SDN practices to connect to entities spread across the internet to support WAN architecture especially related to cloud migration.

Standards

Specific mandates explicitly stating expectations of performance or conformance.

Statement coverage

This criterion requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior.

Static source code analysis (SAST)

Analysis of the application source code for finding vulnerabilities without executing the application.

Steganography

Hiding something within something else, or data hidden within other data.

When a cryptosystem performs its encryption on a bit-by-bit basis.

Striping

RAID technique; writing a data set across multiple drives.

Substitution

The process of exchanging one letter or bit for another.

Switches

Operate at Layer 2. A switch establishes a collision domain per port.

Symmetric algorithm

Operate with a single cryptographic key that is used for both encryption and decryption of the message.

Synthetic performance monitoring

Involves having external agents run scripted transactions against a web application.

Teardrop Attack

Exploits the reassembly of fragmented IP packets in the fragment offset field that indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.

Threat modeling

A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations.

Time multiplexing

Allows the operating system to provide well- defined and structured access to processes that need to use resources according to a controlled and tightly managed schedule.

Time of check time of use (TOCTOU) Attacks

Takes advantage of the dependency on the timing of events that takes place in a multitasking operating system.

Transmission Control Protocol (TCP)

Provides connection-oriented data management and reliable data transfer.

Transport Control Protocol/ Internet Protocol (TCP/ IP) Model

Layering model structured into four layers (network interface layer, internet layer, transport layer, host-to-host transport layer, application layer).

Transposition

The process of reordering the plaintext to hide the message by using the same letters or bits.

Trusted computing base (TCB)

The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.

Trusted Platform Module (TPM)

A secure crypto processor and storage module.

Uninterruptible power supplies (UPS)

Batteries that provide temporary, immediate power during times when utility service is interrupted.

Use cases

Abstract episodes of interaction between a system and its environment.

User Datagram Protocol (UDP)

The User Datagram Protocol provides connectionless data transfer without error detection and correction.

Virtual Local Area Networks (VLANs)

Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location.

Voice over Internet Protocol (VoIP)

Is a technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line.

Waterfall Development Methodology

A development model in which each phase contains a list of activities that must be performed and documented before the next phase begins.

Well-Known Ports

Ports 0–1023 ports are related to the common protocols that are utilized in the underlying management of Transport Control Protocol/Internet Protocol (TCP/IP) system, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.

White-box testing

A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the software to guide the selection of test data.

Whitelisting/ blacklisting

A whitelist is a list of email addresses and/or internet addresses that someone knows as “good” senders. A blacklist is a corresponding list of known “bad” senders.

Wi-Fi (Wireless LAN IEEE 802.11x)

Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless local-area network either public or private.

WiMAX
(Broadband Wireless Access IEEE 802.16)

One well-known example of wireless broadband is WiMAX. WiMAX can potentially deliver data rates of more than 30 megabits per second.

Work factor

This represents the time and effort required to break a cryptography system.