Security+ SY0-301 glossary

GLOSSARY

3DES Triple DES encryption—three rounds of DES encryption used to improve
security.
802.11 A family of standards that describe network protocols for wireless devices.

802.1X An IEEE standard for performing authentication over networks.

acceptable use policy (AUP) A policy that communicates to users what specific
uses of computer resources are permitted.
access A subject’s ability to perform specific operations on an object, such as a file.
Typical access levels include read, write, execute, and delete.
access control Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files).
access control list (ACL) A list associated with an object (such as a file) that
identifies what level of access each subject (such as a user) has—what they can do to the
object (such as read, write, or execute).
Active Directory The directory service portion of the Windows operating system
that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate,
access, and manage these resources.
ActiveX A Microsoft technology that facilitates rich Internet applications, and
therefore extends and enhances the functionality of Microsoft Internet Explorer. Like
Java, ActiveX enables the development of interactive content. When an ActiveX-aware
browser encounters a web page that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.

CompTIA Security+ All-in-One Exam Guide, Third Edition

Address Resolution Protocol (ARP) A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address.
adware Advertising-supported software that automatically plays, displays, or
downloads advertisements after the software is installed or while the application is
being used.
algorithm A step-by-step procedure—typically an established computation for
solving a problem within a set number of steps.
annualized loss expectancy (ALE) How much an event is expected to cost the
business per year, given the dollar cost of the loss and how often it is likely to occur.
ALE = single loss expectancy × annualized rate of occurrence.
annualized rate of occurrence (ARO) The frequency with which an event is expected to occur on an annualized basis.
anomaly Something that does not fit into an expected pattern.

application A program or group of programs designed to provide specific user
functions, such as a word processor or web server.
ARP See Address Resolution Protocol.
asset Resources and information an organization needs to conduct its business.

asymmetric encryption Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key.
audit trail A set of records or events, generally organized chronologically, that record what activity has occurred on a system. These records (often computer files) are
often used in an attempt to re-create what took place when a security incident occurred,
and they can also be used to detect possible intruders.
auditing Actions or processes used to verify the assigned privileges and rights of a
user, or any capabilities used to create and maintain a record showing who accessed a
particular system and what actions they performed.
authentication The process by which a subject’s (such as a user’s) identity is verified.

authentication, authorization, and accounting (AAA) Three common
functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.


Authentication Header (AH) A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402.
availability Part of the “CIA” of security. Availability applies to hardware, software,
and data, specifically meaning that each of these should be present and accessible when
the subject (the user) wants to access or use them.
backdoor A hidden method used to gain access to a computer system, network, or
application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
backup Refers to copying and storing data in a secondary location, separate from
the original, to preserve the data in the event that the original is lost, corrupted, or
destroyed.
baseline A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.
BGP See Border Gateway Protocol.

biometrics Used to verify an individual’s identity to the system or network using
something unique about the individual, such as a fingerprint, for the verification process. Examples include fingerprints, retinal scans, hand and facial geometry, and voice
analysis.
BIOS The part of the operating system that links specific hardware devices to the
operating system software.
Blowfish A free implementation of a symmetric block cipher developed by Bruce
Schneier as a drop-in replacement for DES and IDEA. It has a variable bit-length scheme
from 32 to 448 bits, resulting in varying levels of security.
bluebugging The use of a Bluetooth-enabled device to eavesdrop on another person’s conversation using that person’s Bluetooth phone as a transmitter. The bluebug
application silently causes a Bluetooth device to make a phone call to another device,
causing the phone to act as a transmitter and allowing the listener to eavesdrop on the
victim’s conversation in real life.
bluejacking The sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers.
bluesnarfing The unauthorized access of information from a Bluetooth-enabled device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs.


Border Gateway Protocol (BGP) The interdomain routing protocol implemented in Internet Protocol (IP) networks to enable routing between autonomous
systems.
botnet A term for a collection of software robots, or bots, that run autonomously and automatically and, commonly, invisibly in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.
buffer overflow A specific type of software coding error that enables user input to
overflow the allocated storage area and corrupt a running program.
Bureau of Industry and Security (BIS) In the U.S. Department of Commerce, the department responsible for export administration regulations that cover encryption technology in the United States.
Business Continuity Planning (BCP) The plans a business develops to continue critical operations in the event of a major disruption.
cache The temporary storage of information before use, typically used to speed up
systems. In an Internet context, refers to the storage of commonly accessed web pages,
graphic files, and other content locally on a user’s PC or a web server. The cache helps
to minimize download time and preserve bandwidth for frequently accessed web sites,
and it helps reduce the load on a web server.
Capability Maturity Model (CMM) A structured methodology helping organizations improve the maturity of their software processes by providing an evolutionary
path from ad hoc processes to disciplined software management processes. Developed
at Carnegie Mellon University’s Software Engineering Institute.
centralized management A type of privilege management that brings the authority and responsibility for managing and maintaining rights and privileges into a
single group, location, or area.
CERT See Computer Emergency Response Team.
certificate A cryptographically signed object that contains an identity and a public
key associated with this identity. The certificate can be used to establish identity, analogous to a notarized written document.
certificate revocation list (CRL) A digitally signed object that lists all of the
current but revoked certificates issued by a given certification authority. This allows
users to verify whether a certificate is currently valid even if it has not expired. CRL is
analogous to a list of stolen charge card numbers that allows stores to reject bad
credit cards.


certification authority (CA) An entity responsible for issuing and revoking certificates. CAs are typically not associated with the company requiring the certificate, although they exist for internal company use as well (such as Microsoft). This term is also applied to server software that provides these services. The term certificate authority is used interchangeably with certification authority.
chain of custody Rules for documenting, handling, and safeguarding evidence to
ensure no unanticipated changes are made to the evidence.
Challenge Handshake Authentication Protocol (CHAP) Used to provide authentication across point-to-point links using the Point-to-Point Protocol (PPP).
change (configuration) management A standard methodology for performing and recording changes during software development and operation.
change control board (CCB) A body that oversees the change management
process and enables management to oversee and coordinate projects.
CHAP See Challenge Handshake Authentication Protocol.

CIA of security Refers to confidentiality, integrity, and availability, the basic functions of any security system.
cipher A cryptographic system that accepts plaintext input and then outputs ciphertext according to its internal algorithm and key.
ciphertext Used to denote the output of an encryption algorithm. Ciphertext is the
encrypted data.
CIRT See Computer Emergency Response Team.
closed circuit television (CCTV) A private television system, usually hardwired in security applications to record visual information.
cloud computing The automatic provisioning of computational resources on demand across a network.
cold site An inexpensive form of backup site that does not include a current set of
data at all times. A cold site takes longer to get your operational system back up, but it
is considerably less expensive than a warm or hot site.
collisions Used in the analysis of hashing cryptography, it is the property by which
an algorithm will produce the same hash from two different sets of data.
Computer Emergency Response Team (CERT) Also known as a Computer
Incident Response Team (CIRT), this group is responsible for investigating and responding to security breaches, viruses, and other potentially catastrophic incidents.


computer security In general terms, the methods, techniques, and tools used to
ensure that a computer system is secure.
computer software configuration item See configuration item.

confidentiality Part of the CIA of security. Refers to the security principle that
states that information should not be disclosed to unauthorized individuals.
configuration auditing The process of verifying that configuration items are
built and maintained according to requirements, standards, or contractual agreements.
configuration control The process of controlling changes to items that have
been baselined.
configuration identification The process of identifying which assets need to be
managed and controlled.
configuration item Data and software (or other assets) that are identified and
managed as part of the software change management process. Also known as computer
software configuration item.
configuration status accounting Procedures for tracking and maintaining
data relative to each configuration item in the baseline.
cookie Information stored on a user’s computer by a web server to maintain the
state of the connection to the web server. Used primarily so preferences or previously
used information can be recalled on future requests to the server.
countermeasure See security control.

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) An enhanced data cryptographic encapsulation mechanism based upon the counter mode with CBC-MAC from AES, designed for use over wireless LANs.
cracking A term used by some to refer to malicious hacking, in which an individual attempts to gain unauthorized access to computer systems or networks. See also
hacking.
CRC See Cyclic Redundancy Check.

CRL See Certificate Revocation List.

cross-site request forgery (CSRF or XSRF) A method of attacking a system
by sending malicious input to the system and relying upon the parsers and execution
elements to perform the requested actions, thus instantiating the attack. XSRF exploits
the trust a site has in the user’s browser.


cross-site scripting (XSS) A method of attacking a system by sending script
commands to the system input and relying upon the parsers and execution elements to
perform the requested scripted actions, thus instantiating the attack. XSS exploits the
trust a user has for the site.
cryptanalysis The process of attempting to break a cryptographic system.

cryptography The art of secret writing that enables an individual to hide the contents of a message or file from all but the intended recipient.
Cyclic Redundancy Check (CRC) An error detection technique that uses a series of two 8-bit block check characters to represent an entire block of data. These block check characters are incorporated into the transmission frame and then checked at the receiving end.
DAC See Discretionary Access Control.
Data Encryption Standard (DES) A private key encryption algorithm adopted
by the government as a standard for the protection of sensitive but unclassified information. Commonly used in triple DES, where three rounds are applied to provide
greater security.
Data Execution Prevention A security feature of an OS that can be driven by
software, hardware, or both, designed to prevent the execution of code from blocks of
data in memory.
Data Loss Prevention (DLP) Technology, processes, and procedures designed to
detect when unauthorized removal of data from a system occurs. DLP is typically active,
preventing the loss, either by blocking the transfer or dropping the connection.
datagram A packet of data that can be transmitted over a packet-switched system in
a connectionless mode.
decision tree A data structure in which each element is attached to one or more
structures directly beneath it.
demilitarized zone (DMZ) A network segment that exists in a semi-protected
zone between the Internet and the inner secure trusted network.
denial-of-service (DoS) attack An attack in which actions are taken to deprive
authorized individuals from accessing a system, its resources, the data it stores or processes, or the network to which it is connected.
DES See Data Encryption Standard.

DHCP See Dynamic Host Configuration Protocol.


DIAMETER The DIAMETER base protocol is intended to provide an authentication, authorization, and accounting (AAA) framework for applications such as network
access or IP mobility. DIAMETER is a draft IETF proposal.
Diffie-Hellman A cryptographic method of establishing a shared key over an insecure medium in a secure fashion.
digital signature A cryptography-based artifact that is a key component of a public key infrastructure (PKI) implementation. A digital signature can be used to prove
identity because it is created with the private key portion of a public/private key pair. A
recipient can decrypt the signature and, by doing so, receive the assurance that the data
must have come from the sender and that the data has not changed.
digital signature algorithm (DSA) A United States government standard for implementing digital signatures.

direct-sequence spread spectrum (DSSS) A method of distributing a communication over multiple frequencies to avoid interference and detection.
disaster recovery plan (DRP) A written plan developed to address how an organization will react to a natural or manmade disaster in order to ensure business
continuity. Related to the concept of a business continuity plan (BCP).
discretionary access control (DAC) An access control mechanism in which
the owner of an object (such as a file) can decide which other subjects (such as other
users) may have access to the object, and what access (read, write, execute) these objects
can have.
distributed denial-of-service (DDoS) attack A special type of DoS attack
in which the attacker elicits the generally unwilling support of other systems to launch
a many-against-one attack.
diversity of defense The approach of creating dissimilar security layers so that an
intruder who is able to breach one layer will be faced with an entirely different set of
defenses at the next layer.
Domain Name Service (DNS) The service that translates an Internet domain
name (such as www.mcgraw-hill.com) into IP addresses.
DRP See disaster recovery plan.
DSSS See direct-sequence spread spectrum.
dumpster diving The practice of searching through trash to discover material that has been thrown away that is sensitive, yet not destroyed or shredded.


Dynamic Host Configuration Protocol (DHCP) An Internet Engineering Task
Force (IETF) Internet Protocol (IP) specification for automatically allocating IP addresses
and other configuration information based on network adapter addresses. It enables address pooling and allocation and simplifies TCP/IP installation and administration.
EAP See Extensible Authentication Protocol.
electromagnetic interference (EMI) The disruption or interference of electronics due to an electromagnetic field.
elliptic curve cryptography (ECC) A method of public-key cryptography
based on the algebraic structure of elliptic curves over finite fields.
Encapsulating Security Payload (ESP) A portion of the IPsec implementation that provides for data confidentiality with optional authentication and replay-detection services. ESP completely encapsulates user data in the datagram and can be
used either by itself or in conjunction with Authentication Headers for varying degrees
of IPsec services.
Encrypted File System (EFS) A security feature of Windows, from Windows
2000 onward, that enables the transparent encryption/decryption of files on the
system.
escalation auditing The process of looking for an increase in privileges, such as
when an ordinary user obtains administrator-level privileges.
evidence The documents, verbal statements, and material objects admissible in a
court of law.
exposure factor A measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy (SLE).
Extensible Authentication Protocol (EAP) A universal authentication
framework used in wireless networks and point-to-point connections. It is defined in
RFC 3748 and has been updated by RFC 5247.
false positive Term used when a security system makes an error and incorrectly reports the existence of a searched-for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports the existence of a virus in software that actually is not infected, or a biometric system that allows system access to an unauthorized individual.
FHSS See frequency-hopping spread spectrum.
File Transfer Protocol (FTP) An application-level protocol used to transfer files over a network connection.


firewall A network device used to segregate traffic based on rules.

File Transfer Protocol Secure (FTPS) An application-level protocol used to
transfer files over a network connection, which uses FTP over a SSL or TLS connection.
flood guard A network device that blocks flooding-type DoS/DDoS attacks, frequently part of an IDS/IPS.
forensics (or computer forensics) The preservation, identification, documentation, and interpretation of computer data for use in legal proceedings.
free space Sectors on a storage medium that are available for the operating system
to use.
frequency-hopping spread spectrum (FHSS) A method of distributing a
communication over multiple frequencies over time to avoid interference and detection.
Generic Routing Encapsulation (GRE) A tunneling protocol designed to encapsulate a wide variety of network layer packets inside IP tunneling packets.
hacking The term used by the media to refer to the process of gaining unauthorized
access to computer systems and networks. The term has also been used to refer to the
process of delving deep into the code and protocols used in computer systems and
networks. See also cracking.
hash A form of encryption that creates a digest of the data put into the algorithm. These algorithms are referred to as one-way algorithms because there is no feasible way to decrypt what has been encrypted.
hash value See message digest.
hashed message authentication code (HMAC) The use of a cryptographic
hash function and a message authentication code to ensure the integrity and authenticity of a message.
heating, ventilation, air conditioning (HVAC) The systems used to heat
and cool air in a building or structure.
HIDS See host-based intrusion detection system.

HIPS See host-based intrusion prevention system.
honeypot A computer system or portion of a network that has been set up to attract
potential intruders, in the hope that they will leave the other systems alone. Since there
are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.


host-based intrusion detection system (HIDS) A system that looks for
computer intrusions by monitoring activity on one or more individual PCs or servers.
host-based intrusion prevention system (HIPS) A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers and responding based on a rule set.
hot site A backup site that is fully configured with equipment and data and is ready
to immediately accept transfer of operational processing in the event of failure on the
operational system.
Hypertext Transfer Protocol (HTTP) A protocol for transfer of material
across the Internet that contains links to additional material.
Hypertext Transfer Protocol over SSL/TLS (HTTPS) A protocol for transfer of material across the Internet that contains links to additional material that is carried over a secure tunnel via SSL or TLS.
ICMP See Internet Control Message Protocol.

IDEA See International Data Encryption Algorithm.
IEEE See Institute for Electrical and Electronics Engineers.

IETF See Internet Engineering Task Force.
IKE See Internet Key Exchange.

impact The result of a vulnerability being exploited by a threat, resulting in a loss.
incident response The process of responding to, containing, analyzing, and recovering from a computer-related incident.
information security Often used synonymously with computer security, but
places the emphasis on the protection of the information that the system processes and
stores, instead of on the hardware and software that constitute the system.
Infrastructure as a Service (IaaS) The automatic, on-demand provisioning of
infrastructure elements, operating as a service; a common element of cloud computing.
initialization vector (IV) A data value used to seed a cryptographic algorithm,
providing for a measure of randomness.
Institute for Electrical and Electronics Engineers (IEEE) A nonprofit,
technical, professional institute associated with computer research, standards, and conferences.


intangible asset An asset for which a monetary equivalent is difficult or impossible to determine. Examples are brand recognition and goodwill.

integrity Part of the CIA of security, the security principle that requires that information is not modified except by individuals authorized to do so.
International Data Encryption Algorithm (IDEA) A symmetric encryption algorithm used in a variety of systems for bulk encryption services.
Internet Assigned Numbers Authority (IANA) The central coordinator
for the assignment of unique parameter values for Internet protocols. The IANA is chartered by the Internet Society (ISOC) to act as the clearinghouse to assign and coordinate the use of numerous Internet protocol parameters.
Internet Control Message Protocol (ICMP) One of the core protocols of
the TCP/IP protocol suite, used for error reporting and status messages.
Internet Engineering Task Force (IETF) A large international community of
network designers, operators, vendors, and researchers, open to any interested individual concerned with the evolution of Internet architecture and the smooth operation of the Internet. The actual technical work of the IETF is done in its working
groups, which are organized by topic into several areas (such as routing, transport, and
security). Much of the work is handled via mailing lists, with meetings held three
times per year.
Internet Key Exchange (IKE) The protocol formerly known as ISAKMP/Oakley, defined in RFC 2409. A hybrid protocol that uses part of the Oakley and part of the
Secure Key Exchange Mechanism for Internet (SKEMI) protocol suites inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is
used to establish a shared security policy and authenticated keys for services that require keys (such as IPsec).
Internet Message Access Protocol version 4 (IMAP4) One of two common Internet standard protocols for e-mail retrieval.

Internet Protocol (IP) The network layer protocol used by the Internet for routing packets across a network.
Internet Protocol Security (IPsec) A protocol used to secure IP packets during transmission across a network. IPsec offers authentication, integrity, and confidentiality services and uses Authentication Headers (AH) and Encapsulating Security Payload (ESP) to accomplish this functionality.
Internet Security Association and Key Management Protocol
(ISAKMP) A protocol framework that defines the mechanics of implementing a
key exchange protocol and negotiation of a security policy.


Internet service provider (ISP) A telecommunications firm that provides access to the Internet.

intrusion detection system (IDS) A system to identify suspicious, malicious,
or undesirable activity that indicates a breach in computer security.
IPsec See Internet Protocol Security.

ISAKMP/Oakley See Internet Key Exchange.
Kerberos A network authentication protocol designed by MIT for use in client/
server environments.
key In cryptography, a sequence of characters or bits used by an algorithm to encrypt
or decrypt a message.
key distribution center (KDC) A component of the Kerberos system for authentication that manages the secure distribution of keys.
keyspace The entire set of all possible keys for a specific encryption algorithm.

Layer Two Tunneling Protocol (L2TP) A Cisco switching protocol that operates at the data-link layer.
LDAP See Lightweight Directory Access Protocol.

least privilege A security principle in which a user is provided with the minimum
set of rights and privileges that he or she needs to perform required functions. The goal
is to limit the potential damage that any user can cause.
Lightweight Directory Access Protocol (LDAP) An application protocol used to access directory services across a TCP/IP network.

Lightweight Extensible Authentication Protocol (LEAP) A version of EAP developed by Cisco prior to 802.11i to push 802.1X and WEP adoption.
load balancer A network device that distributes computing across multiple
computers.
local area network (LAN) A grouping of computers in a network structure confined to a limited area and using specific protocols, such as Ethernet for OSI layer 2
traffic addressing.
logic bomb A form of malicious code or software that is triggered by a specific event
or condition. See also time bomb.
loop protection The requirement to prevent bridge loops at the layer 2 level,
which is typically resolved using the Spanning Tree algorithm on switch devices.


MAC See mandatory access control, Media Access Control, or Message Authentication Code.
man-in-the-middle attack Any attack that attempts to use a network node as
the intermediary between two other nodes. Each of the endpoint nodes thinks it is talking directly to the other, but each is actually talking to the intermediary.
mandatory access control (MAC) An access control mechanism in which the
security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.
master boot record (MBR) A strip of data on a hard drive in Windows systems,
meant to result in specific initial functions or identification.
maximum transmission unit (MTU) A measure of the largest payload that a
particular protocol can carry in a single packet in a specific instance.
MD5 Message Digest 5, a hashing algorithm and a specific method of producing a
message digest.
Media Access Control (MAC) A protocol used in the data-link layer for local
network addressing.
message authentication code (MAC) A short piece of data used to authenticate a message. See hashed message authentication code.
message digest The result of applying a hash function to data. Sometimes also
called a hash value. See hash.

metropolitan area network (MAN) A collection of networks interconnected
in a metropolitan area and usually connected to the Internet.
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) A
Microsoft-developed variant of the Challenge Handshake Authentication Protocol
(CHAP).
mitigation Action taken to reduce the likelihood of a threat occurring.
MSCHAP See Microsoft Challenge Handshake Authentication Protocol.
NAC See Network Access Control.

NAP See Network Access Protection.
NAT See Network Address Translation.


Network Access Control (NAC) An approach to endpoint security that involves monitoring and remediating endpoint security issues before allowing an object
to connect to a network.
Network Access Protection (NAP) A Microsoft approach to Network Access
Control.
Network Address Translation (NAT) A method of readdressing packets in a
network at a gateway point to enable the use of local, nonroutable IP addresses over a
public network such as the Internet.
network-based intrusion detection system (NIDS) A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.
network-based intrusion prevention system (NIPS) A system that examines network traffic and automatically responds to computer intrusions.
Network Basic Input/Output System (NetBIOS) A system that provides communication services across a local area network.

network operating system (NOS) An operating system that includes additional functions and capabilities to assist in connecting computers and devices, such as
printers, to a local area network.
nonrepudiation The ability to verify that an operation has been performed by
a particular person or account. This is a system property that prevents the parties to a
transaction from subsequently denying involvement in the transaction.
Oakley protocol A key exchange protocol that defines how to acquire authenticated keying material based on the Diffie-Hellman key exchange algorithm.
object reuse Assignment of a previously used medium to a subject. The security
implication is that before it is provided to the subject, any data present from a previous
user must be cleared.
one-time pad An unbreakable encryption scheme in which a series of nonrepeating, random bits are used once as a key to encrypt a message. Since each pad is used
only once, no pattern can be established and traditional cryptanalysis techniques are
not effective.
Open Vulnerability and Assessment Language (OVAL) An XML-based
standard for the communication of security information between tools and services.
operating system (OS) The basic software that handles input, output, display,
memory management, and all the other highly detailed tasks required to support the
user environment and associated applications.
Orange Book The name commonly used to refer to the now outdated Department
of Defense Trusted Computer Security Evaluation Criteria (TCSEC).
OVAL See Open Vulnerability and Assessment Language.
password A string of characters used to prove an individual’s identity to a system or
object. Used in conjunction with a user ID, it is the most common method of authentication. The password should be kept secret by the individual who owns it.
Password Authentication Protocol (PAP) A simple protocol used to authenticate
a user to a network access server.
patch A replacement set of code designed to correct problems or vulnerabilities in
existing software.
PBX See private branch exchange.
peer-to-peer (P2P) A network connection methodology involving direct connection from peer to peer.
penetration testing A security test in which an attempt is made to circumvent security controls in order to discover vulnerabilities and weaknesses. Also called a pen test.
permissions Authorized actions a subject can perform on an object. See also access
controls.
personally identifiable information (PII) Information that can be used to
identify a single person.
phreaking Used in the media to refer to the hacking of computer systems and networks associated with the phone company. See also cracking.
plaintext In cryptography, a piece of data that is not encrypted. It can also mean the
data input into an encryption algorithm that would output ciphertext.
Point-to-Point Protocol (PPP) The Internet standard for transmission of IP
packets over a serial line, as in a dial-up connection to an ISP.
Point-to-Point Protocol Extensible Authentication Protocol (PPP EAP)
EAP is a PPP extension that provides support for additional authentication methods
within PPP.
Point-to-Point Protocol Password Authentication Protocol (PPP PAP)
PAP is a PPP extension that provides support for password authentication methods
over PPP.
Pretty Good Privacy (PGP) A popular encryption program that has the ability
to encrypt and digitally sign e-mail and files.
preventative intrusion detection A system that detects hostile actions or network activity and prevents them from impacting information systems.
privacy Protecting an individual’s personal information from those not authorized
to see it.
private branch exchange (PBX) A telephone exchange that serves a specific
business or entity.
privilege auditing The process of checking the rights and privileges assigned to a
specific account or group of accounts.
privilege management The process of restricting a user’s ability to interact with
the computer system.
Protected Extensible Authentication Protocol (PEAP) A protected version of EAP developed by Cisco, Microsoft, and RSA Security that functions by encapsulating the EAP frames in a TLS tunnel.
public key cryptography See asymmetric encryption.
public key infrastructure (PKI) Infrastructure for binding a public key to a
known user through a trusted intermediary, typically a certificate authority.
qualitative risk assessment The process of subjectively determining the impact
of an event that affects a project, program, or business. It involves the use of expert
judgment, experience, or group consensus to complete the assessment.
quantitative risk assessment The process of objectively determining the impact of an event that affects a project, program, or business. It usually involves the use
of metrics and models to complete the assessment.
RADIUS Remote Authentication Dial-In User Service is a standard protocol for providing authentication services. It is commonly used in dial-up, wireless, and PPP environments.
RAS See Remote Access Service.
RBAC See rule-based access control or role-based access control.
recovery time objective (RTO) The amount of time a business has to restore a
process before unacceptable outcomes result from a disruption.
Remote Access Service/Server (RAS) A combination of hardware and software used to enable remote access to a network.
repudiation The act of denying that a message was either sent or received.
residual risk Risks remaining after an iteration of risk management.
risk The possibility of suffering a loss.
risk assessment or risk analysis The process of analyzing an environment to
identify the threats, vulnerabilities, and mitigating actions to determine (either
quantitatively or qualitatively) the impact of an event affecting a project, program,
or business.
risk management Overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events,
and deciding what cost-effective actions can be taken to control these risks.

role-based access control (RBAC) An access control mechanism in which,
instead of the users being assigned specific access permissions for the objects associated
with the computer system or network, a set of roles that the user may perform is assigned to each user.
rule-based access control (RBAC) An access control mechanism based on rules.
safeguard See security controls.
Secure Copy Protocol (SCP) A network protocol that supports secure file
transfers.
Secure FTP A method of secure file transfer that involves the tunneling of FTP
through an SSH connection. This is different from SFTP, which is listed below as Secure
Shell File Transfer Protocol.
Secure Hash Algorithm (SHA) A hash algorithm used to hash block data. The
first version is SHA1, with subsequent versions detailing hash digest length: SHA256,
SHA384, and SHA512.
Secure/Multipurpose Internet Mail Extensions (S/MIME) An encrypted implementation of the MIME (Multipurpose Internet Mail Extensions) protocol
specification.
Secure Shell (SSH) A set of protocols for establishing a secure remote connection
to a computer. This protocol requires a client on each end of the connection and can
use a variety of encryption protocols.
Secure Shell File Transfer Protocol (SFTP) A secure file transfer subsystem
associated with secure shell protocol (SSH).
Secure Sockets Layer (SSL) An encrypting layer between the session and transport layer of the OSI model designed to encrypt above the transport layer, enabling secure sessions between hosts.
security association (SA) An instance of security policy and keying material
applied to a specific data flow. Both IKE and IPsec use SAs, although these SAs are independent of one another. IPsec SAs are unidirectional and are unique in each security
protocol, whereas IKE SAs are bidirectional. A set of SAs are needed for a protected data
pipe, one per direction per protocol. SAs are uniquely identified by destination (IPsec
endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
security baseline The end result of the process of establishing an information
system’s security state. It is a known good configuration resistant to attacks and information theft.
security content automation protocol (SCAP) A method of using specific
protocols and data exchanges to automate the determination of vulnerability management, measurement, and policy compliance across a system or set of systems.
security controls A group of technical, management, or operational policies and
procedures designed to implement specific security functionality. Access controls are an
example of a security control.
segregation or separation of duties A basic control that prevents or detects
errors and irregularities by assigning responsibilities to different individuals so that no
single individual can commit fraudulent or malicious actions.
service level agreement (SLA) An agreement between parties concerning the
expected or contracted up-time associated with a system.
service set identifier (SSID) Identifies a specific 802.11 wireless network. It
transmits information about the access point to which the wireless client is connecting.
signature database A collection of activity patterns that have already been identified and categorized and that typically indicate suspicious or malicious activity.
Simple Mail Transfer Protocol (SMTP) The standard Internet protocol used
to transfer e-mail between hosts.
Simple Network Management Protocol (SNMP) A standard protocol used
to remotely manage network devices across a network.
single loss expectancy (SLE) Monetary loss or impact of each occurrence of a
threat. SLE = asset value × exposure factor.
single sign-on (SSO) An authentication process by which the user can enter a
single user ID and password and then move from application to application or resource
to resource without having to supply further authentication information.
slack space Unused space on a disk drive created when a file is smaller than the
allocated unit of storage (such as a sector).
sniffer A software or hardware device used to observe network traffic as it passes
through a network on a shared broadcast media.
social engineering The art of deceiving another person so that he or she reveals
confidential information. This is often accomplished by posing as an individual who
should be entitled to have access to the information.
Software as a Service (SaaS) The provisioning of software as a service, commonly known as on-demand software.
software development lifecycle model (SDLC) The processes and procedures employed to develop software. Sometimes also called secure development lifecycle model when security is part of the development process.
spam E-mail that is not requested by the recipient and is typically of a commercial
nature. Also known as unsolicited commercial e-mail (UCE).
spam filter A security appliance designed to remove spam at the network layer
before it enters e-mail servers.
spim Spam sent over an instant messaging channel.
spoofing Making data appear to have originated from another source so as to hide
the true origin from the recipient.
symmetric encryption Encryption that needs all parties to have a copy of the
key, sometimes called a shared secret. The single key is used for both encryption and
decryption.
tangible asset An asset for which a monetary equivalent can be determined. Examples are inventory, buildings, cash, hardware, software, and so on.
Telnet A network protocol used to provide cleartext bidirectional communication
over TCP.
Tempest The U.S. military’s name for the field associated with electromagnetic eavesdropping on signals emitted by electronic equipment. See also van Eck phenomenon.
Temporal Key Integrity Protocol (TKIP) A security protocol used in 802.11
wireless networks.
threat Any circumstance or event with the potential to cause harm to an asset.
time bomb A form of logic bomb in which the triggering event is a date or specific
time. See also logic bomb.
TKIP See Temporal Key Integrity Protocol.
token A hardware device that can be used in a challenge-response authentication
process.
Transmission Control Protocol (TCP) The transport layer protocol for use on
the Internet that allows packet-level tracking of a conversation.
Transport Layer Security (TLS) A newer form of SSL being proposed as an
Internet standard.
trapdoor See backdoor.
Trivial File Transfer Protocol (TFTP) A simplified version of FTP used for
low-overhead file transfers using UDP port 69.
Trojan horse A form of malicious code that appears to provide one service (and
may indeed provide that service) but that also hides another purpose. This hidden purpose often has a malicious intent. This code may also be simply referred to as a Trojan.
Trusted Platform Module (TPM) A hardware chip to enable trusted computing
platform operations.
uninterruptible power supply (UPS) A source of power (generally a battery)
designed to provide uninterrupted power to a computer system in the event of a temporary loss of power.
usage auditing The process of recording who did what and when on an information system.
User Datagram Protocol (UDP) A protocol in the TCP/IP protocol suite for
the transport layer that does not sequence packets—it is “fire and forget” in nature.
User ID A unique alphanumeric identifier that identifies individuals who are logging
in or accessing a system.
vampire taps A tap that connects to a network line without cutting the connection.
van Eck phenomenon Electromagnetic eavesdropping through the interception
of electronic signals emitted by electrical equipment. See also Tempest.
virtual local area network (VLAN) A broadcast domain inside a switched
system.
virtual private network (VPN) An encrypted network connection across another network, offering a private communication channel across a public medium.
virus A form of malicious code or software that attaches itself to other pieces of code
in order to replicate. Viruses may contain a payload, which is a portion of the code that
is designed to execute when a certain condition is met (such as on a certain date). This
payload is often malicious in nature.
vulnerability A weakness in an asset that can be exploited by a threat to cause harm.
wireless access point (WAP) A network access device that facilitates the connection of wireless devices to a network.
war-dialing An attacker’s attempt to gain unauthorized access to a computer system or network by discovering unprotected connections to the system through the telephone system and modems.
war-driving The attempt by an attacker to discover unprotected wireless networks
by wandering (or driving) around with a wireless device, looking for available wireless
access points.
web application firewall (WAF) A firewall that operates at the application level,
specifically designed to protect web applications by examining requests at the application stack level.
WEP See Wired Equivalent Privacy.
wide area network (WAN) A network that spans a large geographic region.
Wi-Fi Protected Access (WPA/WPA2) A protocol to secure wireless communications using a subset of the 802.11i standard.
Wired Equivalent Privacy (WEP) The encryption scheme used to attempt to
provide confidentiality and data integrity on 802.11 networks.
Wireless Application Protocol (WAP) A protocol for transmitting data to
small handheld devices such as cellular phones.
Wireless Transport Layer Security (WTLS) The encryption protocol used on
WAP networks.
worm An independent piece of malicious code or software that self-replicates. Unlike a virus, it does not need to be attached to another piece of code. A worm replicates
by breaking into another system and making a copy of itself on this new system. A
worm can contain a destructive payload but does not have to.
X.509 The standard format for digital certificates.
XOR Bitwise exclusive OR, an operation commonly used in cryptography.
XSRF See cross-site request forgery.
XSS See cross-site scripting.