Acronyms for the Certified Information Systems Security Professional (CISSP) Exam

802.1x – An IEEE standard which separates physical access to a network from logical access. Physically connecting to a network, i.e. OSI Layer 1, for example by physically plugging into a network switch or connecting to a 802.11 Wi-Fi network, does not guarantee logical access. Numerous checks can be done before allowing logical access.

  • A 1 meter or 3 to 4 foot fence will deter casual trespassers.
  • A 2 meter or 6 to 7 foot fence are difficult to climb and will deter general intruders.
  • A 2.4 meter or 8 foot fence with 3 strands of barbed wire will deter a determined intruder.

AAA – Authentication, Authorization, and Accountability.

ACL – Access Control List.

ACM – Access Control Matrix. An ACM is a matrix where the X-axis specifies resources or objects, and the Y-axis specifies subjects such as users (or maybe roles/groups). Each cell specifies what access a specific subject (or role/group) has to a specific object. In a typical computer environment, where you may have thousands of users, groups, and other subjects like running processes, and who knows how many files and other objects, a full blown ACM is going to be absurdly large meaning it’s basically a theoretical concept in this case. A limited ACM, one for example showing which roles have what access to certain functionality, can be useful in designing and understanding systems.

ALE – Annualized Loss Expectancy. Your SLE times your ARO. If your SLE is $20,000 per wedding dress stolen, and your ARO is 5, your ALE is $100,000. Knowing this value helps you make intelligent business decisions including those pertaining to security controls.

ALU – Arithmetic Logic Unit. The part of the CPU that performs arithmetic and logic operations.

ARO – Annualized Rate of Occurrence. How many times a year a threat is manifest. If 5 of your vintage wedding dresses are stolen each year, your ARO is 5.

ARP – Address Resolution Protocol, resolves between network addresses and link layer addresses, for example between IP addresses and MAC addresses.

ASDL – Asymmetric Digital Subscriber Line. Faster download speeds than upload speeds.

ASLR – Address Space Layout Randomization. ASLR arranges the address space of a process differently each time it executes to make buffer overflow vulnerabilities more difficult to exploit.

ATA Secure Erase – Used to securely erase SSDs. More secure than an OS disk format, however not all data may be erased in case of physical damage; physical blocks marked as “bad” may still contain data.

ATM – Asynchronous Transfer Mode. An older protocol which is typically used as a high speed backbone connecting LANs together, although it also can be used as a LAN protocol. Frames are 53 bytes, 48 of data and 5 of header. Elegant design based on the technologies and limitations of the day or an odd bastard designed by committee? Perhaps a bit of both.

Authentication – Proving an identity, for example by showing a government issued ID or entering a correct password or biometrics.

Availability – Data and services are available when needed for authorized business purposes.

BCP – Business Continuity Plan. An overarching plan to minimize interruption to a business after a disruptive event like a disaster occurs. The BCP is a long term and strategic plan. The BCP deals with risks that have not been handled by other controls.

There is always a default BCP, which is you die or go out of business when a large disruptive event occurs.

BGP – Border Gateway Protocol, a very commonly used routing protocol between autonomous systems on the Internet. Basically the “glue” that holds the Internet together.

BIA – Business Impact Analysis. The BIA comes after the (limited to critical systems) risk analysis and determines tolerable impact levels to systems.

BIBA – The Biba Security Model, named after Ken Biba, is a theoretical security model focused solely on integrity, and the opposite of Bell-LaPadula. Requires data classification. There are two main rules:
• No Read Down (Simple Security Axiom). A subject cannot read an object at a lower classification level. For example a top secret user cannot read secret data. This is to prevent bad information from moving up. Think about a document that has been declassified for example. It is often less integral as parts of it have been removed (or blacked out for physical documents).
• No Write Up (* Integrity Axiom). A subject at a lower classification level cannot write to a higher classification level. For example a secret user cannot write to a top secret file.

BLP – Bell-LaPadula. A theoretical security model focused solely on protecting confidentiality, and used in DoD classified systems. Requires data classification. There are two main rules:
• No Read Up (Simple Security Property). A subject cannot read an object at a higher classification level. For example a secret user cannot read top secret data.
• No Write Down (* Security Property, pronounced “Star Security Property”). A subject at a higher classification level cannot write to a lower classification level. For example a secret user cannot email to unclassified systems.

Bottom of Form

BPA – Business Partnership Agreement. A legal agreement between partners detailing the relationship and individual contributions and obligations. Often a complex document as it attempts to cover all possible business situations. Certainly security breaches and other security situations are one possible situation which could cause stress in a partnership.

BSA – Business Software Alliance, an industry group whose primary purpose is to prevent copyright infringement of software produced by its members. Software piracy is a big issue, but they are controversial because of some of their tactics, including their “Bust Your Boss!” campaign and others which pay disgruntled employees up to $200,000 to report alleged software piracy.

Canary – Canaries are another technique to help prevent buffer overflows. A canary is a known value that is put between a buffer and control data on the stack. If the canary value changes, it is likely that the buffer has overflowed and overwritten the canary, and appropriate action can be taken such as terminating the program.

CAPEX – CAPital EXpenditure. A business expense which is an investment in the future of the organization. Examples include investments in software, hardware, and buildings.

CASE tools – Computer Aided Software Engineering tools.

CCB – Change Control Board.

CCD – Charge Coupled Discharge. The technology used by newer cameras, and in fact most cameras today.

CCTV – Closed Circuit TeleVision. A primarily detective physical control. Although wireless and IP based cameras are more common these days, there are still a lot of CCTV systems in use.

CDN – Content Distribution Network. Examples include CloudFlare and Akamai.

CER – Crossover Error Rate. A biometric system can be tuned to minimize FAR or FRR. The CER is when a system is tuned so that the FAR and FRR are the same, and is used as a metric to indicate the overall accuracy of the biometric system.

CHAP – Challenge Handshake Authentication Protocol, a protocol that does not send the password over the network. Some RADIUS Servers use CHAP.

CHD – Card Holder Data. Credit Card related information such as credit card numbers, cardholders names, card verification values (CVV), expiration dates, etc.

Chinese Wall Model (also called Brewer and Nash) – A model designed to help prevent Conflicts of Interest. Different Conflict of Interest groups are defined and users may not access data across groups where a conflict of interest may occur. For example, Conflict of Interest groups could be set up in a consulting organization that do not allow an employee to access confidential data about a client and their other clients who are competitors.

CIA – Confidentiality, Integrity, and Availability, the three tenets of security. For every organization one of these will be most important, but they will all be important.

CIDR – Classless Inter-Domain Routing. A method for allocating (and routing) IP addresses that extends IP addresses beyond classful addressing (e.g. Class A, B, and C).

Circuit Switching – A circuit switched network establishes a dedicated communications channel, called a circuit, between two network nodes before they can communicate. The legacy phone network (PSTN) is an example of a circuit switched network.

CIS – The Center for Internet Security. A non profit organization whose goal is to foster cyber security through collaborative best practices. They make a wide variety of benchmarks, assessment tools, and much more available.

CISC – Complex Instruction Set Computer. A CPU which has a rich instruction set. This makes life easy for low level programmers as they have lots of instructions they can call, instead of needing to rely on just a very basic instruction set. Most personal computers are CISC based.

Clark-Wilson – A theoretical security model focused on integrity, both internal and external. Does not require data classification. Integrity is enforced through separation of duties and well formed transactions.

Client Side Attacks – An attack initiated by the victim/client, often by clicking on a link on the web or in an email.

CMDB – Change Management Database, or Configuration Management Database.

CMM – Capability Maturity Model. A model aimed at improving process and quality. CMM assigns one of 5 levels.

• Level One, Initial: uses terms like “chaotic.”
• Level Two, Repeatable: Some repeatable processes have been defined. Basic project management.
• Level Three, Defined: A standard software process for both engineering and management is defined and all projects use an approved tailored version.
• Level Four, Quantitatively Managed: Adds detailed metrics.
• Level Five, Optimizing: Focused on continual process improvement.

CMMI – Capability Maturity Model Integration. A recent version of CMM with the same 5 levels as the original CMM.

COI – Conflict of Interest.

COM/DCOM – Component Object Model/Distributed Component Object Model. A Microsoft proprietary technology similar to CORBA. Good stuff, and they let out the source code and people started implementing on other platforms like Unix/Linux but the WWW protocols took over.

Confidentiality – Only authorized access by authorized entities for authorized purposes. Authorized entities accessing data they are authorized to access for unauthorized purposes is a breach of confidentiality. For example an authorized hospital employee accessing a medical record they are authorized to access because the patient is famous and they are curious is a breach of confidentiality.

COOP – Continuity Of Operations Plan. A term commonly used in the US Government and other governments similar to the term BCP. Although in practice the terms COOP and BCP are sometimes used interchangeably, for the exam at least, the COOP is part of the BCP dealing with sustaining or continuing operations.

CORBA – Common Object Request Broker Architecture. An industry standard for ORBs from the OMG (below) that was a good first attempt but was so vague that CORBA compliant ORB implementations from different vendors like IBM, Sun, and HP, simply did not interoperate.

COTS –Commercial Off The Self (or sometimes Common Off The Shelf), as in COTS software. Microsoft Office is COTS software. Custom applications are not. The term COTS originated from and is used by the USA government.

CPU – Central Processing Unit.

CRT – Cathode Ray Tube. Old style monitors, which are heavy, relatively fragile, and deep, and made of a vacuum tube with three electron beams, one for red, green, and blue, producing an image. Older cameras were also CRT based.

CSMA – Carrier Sense Multiple Access.

CSMA/CA – Carrier Sense Multiple Access with Collision Avoidance, used for example by Wi-Fi.

CSMA/CD – Carrier Sense Multiple Access with Collision Detection, used for example by Ethernet.

CVSS – Common Vulnerability Scoring System. An open standard metric for comparing the severity of IT vulnerabilities.

DAC – Discretionary Access Control. A system where access controls are under the discretion of the owner of a resource as well as the administrators. For example, Windows is a DAC system and if you own a file, you can give rights to other users. Also an administrator can give rights to users. When you think DAC, think consumer and most commercial systems.

DAD – Disclosure, Alteration, and Destruction. The opposite of CIA. CIA is often expressed as DAD, its opposite. Confidentiality and (unauthorized) Disclosure as well as Integrity and (unauthorized) Alteration are fairly obvious opposites. By Availability and Destruction being opposites we mean any “Destruction of Access.”

DASD – Direct Access Storage Device. Secondary storage directly attached to a host computer. Examples include internal and external device drives connected via IDE, SATA and other interfaces. Allows direct block level access.

Data Controller – The entity that creates and manages sensitive data. A commonly given example is a company that collects and manages their employee data for payroll purposes.

Data Processor – A 3rd party entity that processes data on behalf of the Data Controller. A commonly given example is a company that processes payroll data on behalf of the Data Controller.

DBMS – Database Management System. Some well known DBMSs include MySQL, Microsoft SQL Server, and Oracle. Most DBMSs support a relational data model (think tables, rows, columns) but there are other data models such as hierarchical, mesh, object oriented, and more.

DCE – Data Communication Equipment or Data Circuit-Terminating Equipment, a hardware device that sits between a DTE and the data transmission circuit. One example of a DCE is a modem.

DDL – Data Definition Language. A database term. A language for defining data structures such as database schemas. Commonly this is Structured Query Language (SQL), or more specifically a subset of SQL.

DDOS – Distributed Denial of Service. An example of DDOS would be a 100,000 computer strong botnet where each computer sends a few packets to one IP address. Good chance that whatever sits at that IP address will be overwhelmed.

DDP – Distributed Data Processing. An ancient term ISC2 still uses (Wikipedia doesn’t even have a reference) that means we are not still all on a mainframe from very dumb terminals nearby.

Decommissioning/Deprovisioning – Removing a resource from active production. Possible resources include systems, applications, users, and data. Decommissioning/Deprovisioning must be done securely.

DEP – Data Execution Protection. An operating system security feature that marks areas of memory as either executable or non-executable. It helps prevent against buffer overflow exploits as well as some other exploits and some program errors.

DevOps – The concept, practice, and philosophy that development and operations are integrated; code is developed with the operational environment in mind.

Diameter – A draft specification for a replacement for RADIUS servers that overcomes many limitations of RADIUS. I’ve never seen a Diameter server. Do they actually exist?

DISA – The USA Defense Information Systems Agency, a United States Department of Defense (DoD) support agency that provides information technology and communications support.

DML – Data Manipulation Language. A database term. Structured Query Language (SQL), pronounced “Sequel,” is the most popular and is used to retrieve and manipulate data in relational databases.

DMZ – DeMilitarized Zone, the Internet accessible part of an organization’s network.

DNP3 – Distributed Network Protocol. Mainly used in SCADA systems by electric and water companies. An example of a multi-layer protocol. DNP3 is layer 2 and layer 7 and arguably layer 4 as well.

DNS – Domain Name System, a hierarchical distributed naming system for converting names like to IP addresses and vice-versa.

DOS – Denial of Service.

DRAM – Dynamic Random Access Memory. A type of RAM usually used for main memory, for example the laptop I’m typing on now has 8 Gig of memory/DRAM. DRAM must be refreshed many times a second as it depends on small capacitance charges that decay with time.

DRP – Disaster Recovery Plan. The subcomponent of the Business Continuity plan that deals with the recovery of IT systems. Short term and tactical.

DSL – Digital Subscriber Line.

DSU/CSU – Data Service Unit/Channel Service Unit. A modem sized hardware device that connects a DTE (like a router) to a digital circuit like a T1 or T3 line. A DSU/CSU is an example of a DCE.

DTE – Data Terminal Equipment, any device connected to a network like a workstation, server, router, bridge, etc.

EAL – Evaluation Assurance Level, also known as the Common Criteria, a follow on to ITSEC and much simpler and more reasonable. Each product or system gets an EAL level, ranging from EAL1 (functionally tested) to EAL7 (formally verified, designed, and tested).

EAP – Extensible Authentication Protocol, an authentication framework used with PPP, wireless, and more. There are many EAP protocols, over 100. Some RADIUS Servers use EAP.

EEPROM – Electrically Erasable PROM. A type of ROM that can be rewritten. Most computers use EEPROM for their BIOS today. This is sometimes called “Flash Memory” even though it is the far less common EPROMs that are erased by flashing them with UV light.

EF – Exposure Factor. The amount of an asset that is lost when a threat is manifested. For example, if you sell vintage wedding dresses, and the threat is theft, the EF is 100% – if a dress is stolen it is 100% gone!

EGP – Exterior Gateway Protocol. A routing protocol used to exchange information between autonomous systems, for example BGP below.

ELA – Enterprise License Agreement. An enterprise level software licensing agreement.

EMI – ElectroMagnetic Interference. High frequency EMI is called RFI.

EMI – Electronic Magnetic Interference or Electromagnetic Interference. Especially with older systems, for example ones using Cathode Ray Tube based monitors, there is a substantial amount of EMI. It is possible to remotely receive this EMI and recreate what is on the screen. Although perhaps beyond the capability of your competitors, this is well within the capability of many nation-states.

Enrollment Time – In biometric systems, how long it takes to initially enter a user into the system. In enrollment, information about the user is captured and entered into the system. An enrollment time of 2 minutes is considered acceptable.

EPO – Emergency Power Off. Sometimes called the “big red button” which can shut off power to the entire data center when an emergency occurs (or when it’s pressed by mistake).

EPROM – A type of PROM that can be erased and reprogrammed. It is erased by “flashing” it with ultraviolet light. EPROMs are uncommon today.

ESI – Electronically Stored Information.

FAR – False Accept Rate. In biometric systems, Type II Error (pronounced as “type two error”) is the percentage of fake or unenrolled users allowed access. I remember it as Type II as it is worse than Type I (of course the requirements of the system are an issue, but in general it is worse).

FCIP – Fibre Channel over IP. FCIP encapsulate Fibre Channel frames and forwards them over IP.

FCoE – Fibre Channel over Ethernet. A Storage Area Network (SAN) protocol. Runs directly on Ethernet, not IP, hence not IP routable.

FDDI – Fiber Distributed Data Interface. A token ring based network. It contains two fiber based rings, one as a backup for the other. Considered legacy as fast Ethernet and other technologies have eclipsed it.

Federated IdM – Federated Identity Management. Single Sign On (SSO) usually refers to identity management across an enterprise. Federated Identity Management refers to identity management across enterprises. Two main Federated Identity Management standards are OpenID and SAML.

Fibre Channel – A high speed network technology used primarily as a Storage Area Network (SAN) protocol.

FISMA – Federal Information Security Management Act. A USA government framework designed to strengthen information security.

FOIA – Freedom of Information Act. Data that would otherwise be classified can be made public through the FOIA. With the emphasis on internationalizing the exam, you probably won’t see FOIA, but it still may be lingering in some questions in the question bank.

Frame Relay – A WAN technology similar to X.25 but without extensive error checking as modern networks are reliable. Primarily legacy.

FRDS– Failure Resistant Disk Systems. RAID, except for RAID 0, are examples of Failure Resistant Disk Systems.

FRR – False Reject Rate. In biometric systems, the FRR is the percentage of authentic users who are denied access. It is also known as Type I Error (pronounced as “type one error”). I remember it as Type I as it is not as bad as Type II, below.

FTP – File Transfer Protocol, a clear text protocol that is widely used but that passes passwords and usernames in clear text over the network.

Fuzzing – Automated stress testing, commonly used to find potential vulnerabilities.

FXS Adaptor– Foreign eXchange Subscriber (or Service or System) Adaptor, also known as an ATA (Analog Telephone Adaptor). Used to connect an analog phone or FAX to VOIP.

GAL – Generic Array Logic or Gate Array Logic. A type of PLD which is reprogrammable.

GAN – Global Area Network. A big WAN. The biggest GAN is obviously the Internet. At least on this planet.

GLBA – Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999, is USA regulatory law covering financial services companies such as brokerages, banks, and insurance companies.

GUI – Graphical User Interface. Many programs and operating systems have a GUI (pronounced “gooey”) while others may only have a command line interface.

HDLC – High-Level Data Link Control. A bit-oriented synchronous data link layer protocol based on SDLC (above). I think of it as the protocol that moves data over an X.25 or Frame Relay cloud.

HDSL – High Rate Digital Subscriber Line. Like SDSL but uses two pairs of twisted copper lines instead of one to give a 12,000 feet operating range at 1.544mps symmetric. Sometimes used to implement a T1 line.

Heights of Fences – Seriously, just memorize this (feet and meters). It shows up often enough on the exam.

HIDS – Host Intrusion Detection System. An IDS that sits on one specific host and watches it. HIDS is commonly used to refer to anything that protects a host, and there are also HIDS specific products available. OSSEC is a popular open source HIDS.

HIPAA – Health Insurance Portability and Accountability Act of 1996, is USA regulatory law covering health care organizations.

HMI – Human Machine Interface. HMIs present data to human operators in SCADA systems.

Host Discovery – Determining which IP addresses in the network have live system. Techniques include ARP scans, passive listening, ICMP Sweeps, IPv6 neighbor discovery and many more.

HTTP – Hypertext Transfer Protocol. An application protocol that is the foundation of the web.

HTTPS – HTTP over SSL/TLS. Widely used.

HVAC – Heating, Ventilation, and Air Conditioning. HVAC is an issue in physical and environmental security. With joint tenancy, HVAC can be a major concern as others may have access to your HVAC controls.

IaaS – Infrastructure as a Service. A cloud term. An example is a Virtual Private Server (VPS), a Virtual Machine (VM) you have complete control over. It may be automatically provisioned by your cloud provider on demand or you may supply the VM.

ICMP – Internet Control Message Protocol. A layer 3 protocol like IP, but carried in an IP packet like UDP and TCP.

IDaaS – Identity as a Service (IaaS, Infrastructure as a Service, was already taken).

IDE – Integrated Development Environment. A development environment that provides an integrated workspace which commonly includes source code control, debugging, and compiling.

IDE – Integrated Drive Electronics. Western Digital’s original interface specification for the attachment of storage devices. Used for directly attached storage.

Identity – Who an entity claims they are. “I am Ted Demopoulos.”

IdP – Identity Provider. An OpenID and SAML term that refers to an online service such as a Web site that provides identity information and authenticates users.

IDS – Intrusion Detection System. An IDS is an alarm system. It watches and raises “alerts” when something occurs that needs human investigation. Just like physical alarm systems, IDSs have false alarms or alerts as well. The primary (or at least one of the primary) technical detection controls.

IETF – Internet Engineering task Force. Very simply the group that develops and promotes Internet standards.

IM – Instant Messaging.

Integrity – Only authorized alterations by authorized entities for authorized purposes.

IOT – Internet of Things. A term used to describe all the various Internet connected embedded devices such as baby monitors, fitness monitors, refrigerators, light bulbs and more.

IP – Intellectual Property. Physical security, at least in large part for most organizations, should be focused on protecting IP. Yeah, yeah, I know it stands for something else too.

IP – Internet Protocol. The main protocol of the Internet. A layer 3 protocol. There are two versions of IP, IPv4 and IPv6. IPv4 is currently dominant.

IPL – Initial Program Load. The operating system on a mainframe computer is sometimes called the IPL.

IPS – Intrusion Prevention System. An IPS, unlike an IDS, is an inline device that can stop attacks.An IPS can be implemented in many ways. For example it can be implemented as part of a firewall (for example as an option with CheckPoint’s firewall), as a separate physical network device (for example HP’s TippingPoint), or as a part of an endpoint protection suite (typically combined with AntiVirus/AntiMalware etc.).

ISA – Interconnection Security Agreement. An agreement specifying technical requirements between organizations connecting systems and networks designed to support the MOU/MOA. Most commonly seen in governments like the MOU/MOA.

iSCSI – Internet Small Computer System Interface. SCSI over IP networks. A Storage Area Network (SAN) protocol. Uses normal network cabling.

ISDN – Integrated Services Digital Network, or perhaps “It Still Does Nothing.” A “faster than modem” technology that works over standard copper telephone lines. Never really took off at least in North America, since DSL and Cable Modem came around the same time and are much faster, but still used for some purposes including video teleconferencing and popular in parts of Europe and India as well.

ISO – The International Organization for Standardization.

ITSEC – Information Technology Security Evaluation Criteria. The first European attempt at an evaluation criteria (similar to the Orange Book or TCSEC). Despite being European, it’s considered “International.”
ITSEC has two parts, Functionally (F) and Assurance (E). It is quite complex and essentially superseded by the much simpler EAL below.

KDC – Key Distribution Server. In the Kerberos Authentication System, the KDC is essentially a login server that knows everyone’s password (or “secret key”) and issues login credentials, known as TGTs.

LAN – Local Area Network. A bunch of computers electronically close to each other, typically used to mean within one broadcast domain, i.e. they can broadcast to each other. From the security standpoint, the LAN is also a security demarcation perimeter as if you are in a LAN you are fundamentally more trusted than if you are not in the LAN.

LDAP – Lightweight Directory Access Protocol. Although a protocol, LDAP is commonly used to refer to directory services/databases that support this protocol.

Least Privilege – The concept that a user has the least privileges needed to fulfill their role. Least privilege is probably impossible to implement perfectly. In dynamic organizations without well defined roles it is harder to implement than in more static organizations with well defined roles, but a little least privilege goes a long way and it must always be implemented even if far from perfect.

LLC – Logical Link Control. LLC is the upper part of Layer 2 in the OSI model and acts as the interface between Media Access Control (MAC) and Layer 3, the Network Layer. It handles flow control, error checking, and the multiplexing of protocols over the MAC Layer, allowing multiple disparate network protocols to be used simultaneously, for example IP and AppleTalk.

MAC address – Media Access Control address, a unique hardware address assigned to a network interface, commonly burnt into a NIC at manufacture time.

MAC – Mandatory Access Control. A MAC system is one where access control is based on labels (such as security classifications and clearances), enforced by the system, and cannot be overridden. If you think government systems with classified data on them you have the right idea. Ordinary operating systems like Windows, Unix, and Linux are not MAC. There are MAC versions of Unix and Linux.

MAN – Metropolitan Area Network. As in “What’s bigger than a LAN but smaller than a WAN? A MAN.” Term is not used that often anymore.

Memory: The basic rule with memory is: the faster it is, the more expensive it is, and the less of it you have! Hence most systems have far less SRAM than DRAM for example.

MIME – Multipurpose Internet Mail Extensions. An Internet standard for the format of email that allows non-ASCII character sets, non text attachments, and more. Essentially all Internet email is in MIME format.

MITM – Man In The Middle attack. In a MITM attack, two parties believe they are directly communicating but a third party is in the middle secretly reading, possibly modifying, and relaying the messages.

MLAT – Mutual Legal Assistance Treaty. An agreement between countries covering gathering and sharing information for the purpose of enforcing laws.

MOA – Memorandum Of Agreement. See MOU above.

MOU – Memorandum Of Understanding. A document detailing an agreement between two entities. Often seen in government, as government agencies typically cannot have contracts with each other.

MPLS – Multiprotocol Label Switching. A common way of providing WAN access between networks.

MS SDL – Microsoft Security Development Lifecycle. Microsoft is the name most closely associated with SDL. Their approach has 16 SDL practices.

MTD – Maximum Tolerable Downtime, also sometimes called Maximum Allowable Downtime. How long critical systems can be down until the point of no return, until irreparable damage to the organization is done. The MTD is the primary output of the Business Impact Analysis. For some reason the acronym MAD is never used.

Multi Tenant Cloud – A cloud where data and services for different organizations share the same hardware. Similar to different organizations sharing the same physical building. Sometimes this is appropriate, sometimes it is not!

NAC – Network Access Control. At its simplest, NAC is 802.1x. Most people however agree that NAC goes above and beyond simple 802.1x (although you may hear the terms used interchangeably at times). NAC adds more control to 802.1x, and allows defining granular policies. These can include pre admission controls and post admission controls such as where users/devices are allowed on the network and what they are authorized to do.

NAS – Network Attached Storage. File and directory access, usually over Ethernet. Direct block level access is not possible.

NAT – Network Address Translation.

NDA – Non Disclosure Agreement. A short legal document between two or more parties usually doing business together which states that confidential information may be shared but cannot be disclosed to other parties. For example I have an NDA with The SANS Institute that allows them to share confidential information with me such as new class dates and new course information that is not yet public, and I cannot disclose that information to anyone else.

Need to Know – Need to Know is a related concept to Least Privilege and is more granular and hence may further restrict access. A user only has access to a specific piece of data when they have a need to know it.

NFC – Near Field Communications. Wireless protocol that allows smart phones and other devices to communicate when very close to each other, commonly touching or within very few inches apart.

NGFW – Next Generation FireWall. Originating as a marketing term from Palo Alto Networks, NGFW means a very smart firewall that understands Application Layer (layer 7) protocols.

NIC – Network Interface Card.

NIDS – Network Intrusion Detection System. An IDS that functions by watching the packets on a network. A NIDS will commonly be placed at a network aggregation point, for example before the firewall, after the firewall, or on a spanning/mirroring port on a network switch. Snort is a popular open source NIDS.

NIST – National Institute of Standards and Technology, a US Governmental body formerly known as the National Bureau of Standards (NBS), and responsible for a number of standards pertaining to security, such a DES and AES among many others.

NTP – Network Time Protocol.

NX Stack – Non eXecutable Stack. A technique used to make buffer overflow vulnerabilities more difficult to exploit. DEP is often implemented at the hardware level by processor architectures that support the NX (No eXecute) bit.

OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation. A threat modeling approach from Carnegie Mellon University.

OECD – European Organization for Economic Cooperation and Development. Primarily European countries but also including Australia, Canada, the USA, Japan and others.

OLA – An internal document specifying agreements between internal departments designed to support the SLA.

OMG – Object Management Consortium. A bunch of smart folks from Framingham Mass that had the “Object Religion” a bit too intensely and developed CORBA. Apparently they still exist but no one really cares.

OpenID – An “open and decentralized identity system” which is considered consumer oriented (but which doesn’t have to be). For example, Google, Yahoo!, Facebook, and WordPress use OpenID.

OPEX – OPerational EXpenditure. A business expense which is required for the day to day operation of an organization, but which is NOT an investment in the future. Examples include taxes, maintenance, salaries, and depreciation.

ORB – Object Request Broker. A middleware service, commonly implemented as a server process per machine, which takes object references and resolves them regardless of where the object may reside in the network.

OS Fingerprinting – Determining what OS exists at an IP address. Accomplished by sending a variety of packets and examining the replies. Nmap and Xprobe3 are common tools.

OS – Operating System. The basic software that controls the hardware and allows the execution of application software efficiently. Examples of common operating systems include Windows 10, MacOS, and the various types of Linux and Unix.

OSI Model – Open Systems Interconnection model, a networking model that breaks networking into 7 layers. Essentially theoretical today but often referred to. You must know the layers for the exam!

OSPF – Open Shortest Path First, a common routing protocol that is more advanced and complex than RIP.

OTP – One Time Passwords, for example created by a hardware device like RSA SecurID or software like S/KEY.

OWASP – Open Web Application Security Project, a non-profit focused on software security.

P2V – Physical to Virtual. Converting a physical machine to a virtual machine. This can be done manual, semi-automatically, or automatically.

PaaS – Platform as a Service. A cloud term. An example is one of the many hosting providers which provide you with a Web Server, for example Apache, to host your Web site(s).

PAC – Privilege Attribute Certificate. Again, SESAME uses PACs, while Kerberos uses tickets.

Packet Switching – In a packet switched network, data is separated into little pieces called “packets” which are transmitted independently though the network. Each packet may take a different route. Also, there are no dedicated communication channels, and different connections may compete for bandwidth on a given communication channel. IP is an example of a packet switched networking technology.

PAN – Personal Area Network. A small number of personal devices connected via a network, for example your phone, tablet, and your dorky ear piece via Bluetooth.

PAP – Password Authentication Protocol, an early protocol that sends the username and password over the network in clear text. For example, some (legacy) RADIUS servers use PAP.

PBX – Private Branch Exchange. A phone switch. Many legacy PBXs are so large you can actually walk into them.

PCI DSS – Payment Card Industry Data Security Standard, usually abbreviated to PCI. Originally started by Visa but now controlled by an industry consortium. A set of best practices for organizations that handle payment cards such as credit and debit cards.

PCI – See PCI DSS below.

PEM – Privacy Enhanced Mail. A standard for securing email that never became popular. S/MIME is used instead.

Penetration Testing – A proactive detective measure whose goals are to find exploitable vulnerabilities before an adversary can. Penetration testers attempt to “break in” within a carefully defined scope.

PHI – Personal Health Information. Any information about health, health care, or health care payments that can be connected to a specific individual. Regulatory law tends to define PHI very broadly.

PICERL – Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. The 6 steps in incident handling. Yes, you need to know these, including the order.

PII – Personally Identifiable Information. Any data that could potentially be used to identify, contact, or locate a specific individual either alone or in conjunction with other data.

PLD – Programmable Logic Device. PROMs, EPROMs, and EEPROMs are examples of a more general technology and type of chip called a Programmable Logic Device. This term seems to show up fairly often on the exam.

Port Scanning – Scanning TCP and UDP ports on one or more hosts to determine which are open. Nmap is a common port scanning tool.

PPP – Point to Point Protocol, used for dialup connections to the Internet, including ISDN and cellular modems.

Private Networking Addressing – An Internet standard (RFC1918) that allows the network address ranges,, and to be used in private Internets and does not allow them to be routed over the public Internet. A host with a private network address typically is allowed to access the public Internet using Network Address Translation (NAT).

PROM – Programmable Read Only Memory. This is ROM but is blank when manufactured, and programmed by the system developer/designer. Standard PROM can only be programmed once. Thousands or millions of tiny traces on the chip actually burn out when it is programmed. This makes PROMs not so cool for firmware, as the firmware can never be updated.

PSTN – Public Switched Telephone Network. The legacy phone network.

PVC – Permanent Virtual Circuit.

QA – Quality Assurance. A type of dynamic application testing.

QoS – Quality of Service. The concept that network bandwidth can be reserved, for example by an application. In reality, QoS encompasses far more than just bandwidth, including response time, loss, signal-to-noise ratio, echo, interrupts, frequency response, and more.

Qualitative Risk Assessment – Risk Assessment using banded values, for example very low risk, low risk, medium risk, high risk, and very high risk, instead of quantities/metrics.

Quantitative Risk Assessment – Risk Assessment using “quantities” or metric, commonly expressed as dollars. For example, “If XYZ happens, it will cost the organization 7750 dollars.”

RAD – Rapid Application Development.

RADIUS – Remote Authentication Dial In User Service.

RAID – Redundant Array of Inexpensive Disks or Redundant Array of Independent Disks . There are several RAID levels defined by the RAID advisory board. Note that RAID 0, striping, does NOT provide any redundancy, and RAID 2 is the only level which has a required number of disks, 39. 39 might seem like a strange number unless you are mainframe person as traditionally IBM mainframes had 39 disks. I have no idea what they do today on mainframes. If you care, feel free to google it!

RAM – Random Access Memory.

RARP – Reverse Address Resolution Protocol, resolves between link layer addresses and network addresses.

RBAC – Role Based Access Control. A system where access is based on what roles you have. In reality, these roles are usually mapped to operating systems groups, so the access or rights you have are determined by what groups you belong to.

RDP – Remote Desktop Protocol. A Microsoft protocol for Remote Assistance/troubleshooting and Remote Desktop Services which lets admins control remote servers. Allows a user to connect to a remote computer via a GUI.

RFC – Internet standards are known as RFCs, Requests For Comments.

RFI – Radio Frequency Interference. RFI can be caused by devices like neon lights and electric motors and RFI can modulate electric power, called “noise” on the electric power. Normally electric cables are routed away from other cables, grounded, and shielded to help prevent noise from RFI and from EMI (ElectroMagnetic Interference).

RFI – Request For Information. A business process used to collect information from potential suppliers. Often used to identify suppliers to be included in an RFP/RFQ.

RFP – Request For Proposal. A request to potential suppliers, often via a bidding process, for proposals. Even for non security related proposals/projects, security is very often important and unfortunately the inclusion of appropriate security is often falsely assumed. A RFP may include a RFI and RFQ or they may be separate requests.

RFQ – Request For Quote. A document sent to potential suppliers asking for pricing information, i.e. a “quote.”

RIP – Routing Information Protocol, a simple routing protocol that solely uses hop count as the distance metric. The fewer hops, the closer something is, and it ignores any other factors such as network speeds etc.

RISC – Reduced Instruction Set Computer. As CPUs became more complex and got a more complex instruction set, some manufacturers started to make RISC CPU based computers. A RISC based CPU has only a few instructions, but can execute them all very quickly. Low level programming is more difficult on a RISC based computer.

ROI – Return on Investment. If the ROI is positive, it is “worth” doing. If it is negative, it is not.

ROM – Read Only Memory. Memory that is directly addressable from the CPU and contains critical startup code such as that to start the bootup sequence. This critical code is often called “firmware.” For example, think BIOS (Basic Input/Output System) on PCs. ROM is non-volatile – it doesn’t go away when power is removed.

Rotation of Duties – Rotation of duties is often added in addition to Separation of Duties to lessen the likelihood of collusion, two or more individuals cooperating to defeat Separation of Duties.

RP – Relying Party. An OpenID term. Sites that can use identity information from Identity Providers.

RPC – Remote Procedure Call.

RPO – Recovery Point Objective. The targeted duration of how long data can be unavailable. The RPO had better be no more than the MTD!

RTCP – Real Time Control Protocol, used in conjunction with the RTP to carry statistics, quality of service information, and more.

RTO – Recovery Time Objective. The targeted duration of how long a system or process will be down. The RTO had better be no more than the MTD!

RTP – Real Time Protocol. The VOIP protocol that carries digitized voice. Can also carry digitized video.

RTU – Remote Terminal Units. RTUs connect to physical sensors in SCADA systems and convert data to digital signals. Sometimes called a Remote Telecontrol Unit.

S/MIME – Secure/Multipurpose Internet Mail Extensions, a standard for email encryption and digital signature based on digital certificates. Supported by most modern email clients like Thunderbird and Microsoft Outlook.

SaaS – Software as a Service. A cloud term. Gmail is one example, providing email services.

SAML – Security Assertions Markup Language. A standards based approach that allows leveraging authentication across multiple disparate identity providers. Can also be used for authorization.

SAN – Storage Area Network. The network equivalent to directly attached storage. Allows direct block level access.

SATA – Serial AT Attachment, A more modern interface specification for the attachment of storage devices than IDE. Used for directly attached storage.

SBU – Sensitive But Unclassified. A US government classification between Confidential and Unclassified. Disclosure of SBU information will not cause damage to national security.

SCADA – Supervisory Control and Data Acquisition systems. Think Industrial Control Systems, for example to control oil refineries.

Scoping – Determining which parts of a standard are applicable and will be followed.

SCSI – Small Computer System Interface. SCSI consists of a set of standards for connecting and transferring data between computers and hard drives, tape drives, and other peripheral devices. Used for directly attached storage.

SD3+C – Secure by Design, by Default, by Deployment and Communications. A centerpiece of MS SDL.

SDL – Security Development Lifecycle

SDLC – Software Development Life Cycle. Instead of simply sitting down and starting to write code, unfortunately a common technique used in software development historically and still somewhat today, software development should follow a lifecycle, beginning with planning and eventually ending in retirement of the system.

It also stands for Synchronous Data Link Control, an old IBM mainframe technology.

SDLC – Synchronous Data Link Control. An old mainframe protocol. Think IBM’s SNA, System Network Architecture. A layer 2 protocol. Pretty rare these days as IP has taken over the world.

SDN – Software Defined Networking. The concept of controlling a router’s control plane (which includes routing updates, time synchronization, logging and more) remotely/centrally instead of on a granular per router basis.

SDSL – Single Line Digital Subscriber Line – Symmetrical download and upload rates of 1.544 mbps. An operating range of 10,000 feet from the phone company’s central switching equipment.

Security Assessment – A “Holistic Big Picture” review of security, though technical security testing, security process review, and security audits.

Separation of Duties – If an operation is too sensitive for one user to be able to do it, it can be separated so that two or more users are required. For example, think of bank safe deposit boxes, and launching nuclear weapons. No one individual has the privilege alone to do these operations.

Server Side Attacks – An attack initiated against a listening service by an attacker.

Service Fingerprinting – Determining which services are running on specific ports, as opposed to determining the service by the port number, which may be wrong. For example, a user may attempt to “hide” an unauthorized service by placing it on the HTTP port, port 80. Service fingerprinting will figure out what that service is.

SESAME – Secure European System for Applications in a Multi-Vendor Environment. Kerberos is seen by ISC2 as USA centric, as it was developed at MIT in Massachusetts. SESAME is the same idea, but considered international by ISC2 (European somehow equals international). Kerberos uses tickets and symmetric encryption, SESAME uses Privilege Attribute Certificates or PACs and both symmetric and asymmetric encryption. This conveniently avoids the issue that SESAME never took off or was widely implemented at all, and essentially doesn’t exist anymore (yes, I’m aware there is a smidgen of legacy use at Master Card, but really, who cares?).

SET – Secure Electronic Transaction. A protocol for transferring credit card information over insecure networks like the Internet. A legacy protocol that never took off.

S-HTTP – Secure Hypertext Transfer Protocol. A protocol for encrypting web communications that is considered legacy and was never much used. HTTPS is used instead.

SIEM– Security Information and Event Management. “Provides real-time analysis of security alerts generated by network hardware and applications” – Wikipedia. The terms SEM (Security Event Management) and SIM (Security Information Management) are often used interchangeably.

SIP – Session Initialization Protocol. A VOIP signaling protocol for setting up and tearing down VOIP calls, locating users, and negotiating common protocols. The other VOIP signaling protocol is the much more complex H.323.

SLA – Service Level Agreements. A service level agreement is a contract stipulating a certain level of performance with financial penalties for not meeting that performance. For example an SLA with a service provider might stipulate 99% uptime for full payment, with payment prorated or otherwise reduced for not maintaining 99% uptime or greater.

SLE – Single Loss Expectancy. The asset value times the Exposure Factor. If each vintage wedding dress is worth $20,000, the SLE is $20,000.

SLIP – Serial Line Internet Protocol. A protocol for relaying IP packets over dialup lines. Mostly replaced by PPP.

SMTP – Simple Mail Transfer Protocol, the Internet standard for email transmission over IP.

SNMP – Simple Network Management Protocol.

SOX – Sarbanes–Oxley Act of 2002. USA regulatory law covering financial information for publically traded companies which states that top management must personally certify accuracy of financial information. Some parts of SOX also apply to privately held companies.

SP – Service Provider. A SAML term that refers to applications that can use identity and authentication information from Identity Providers.

SQL Injection – An injection attack where SQL code is placed into an input field and passed to the backend database, modifying how it operates. For example a SQL injection attack might be used to dump a database’s contents, destroy data, or acquire administrator privileges. SQL Injection is a common attack vector for Web Sites.

SRAM – Static Random Access Memory. A very fast and expensive form of RAM that is typically used for cache.

SRTP – Secure Real Time Protocol. Currently in draft (Dec 2015), SRTP adds encryption, authentication, message integrity and replay protection to RTP.

SSD – Solid State Drive. Also called a Solid State Disk. Very fast drives which have no moving parts and use integrated circuit assemblies to store data.

SSO – Single Sign On.

STIGS – Secure Technical Implementation Guides from DISA. Secure configuration standards to lockdown software and hardware.

STRIDE/DREAD – Microsoft’s threat modeling approach is known as STRIDE. Their previous approach was known as DREAD.

SVC – Switched Virtual Circuit.

TACACS – Terminal Access Controller Access Control System.

Tailoring – Customizing a standard for a particular organization. Tailoring consists of Scoping then supplementing with additional controls and/or control enhancements as appropriate.

TCB – Trusted Computing Base. The low level hardware, software like the OS kernel and firmware, that must be trusted or nothing secure can be built on the system. TCSEC and ITSEC (below) are concerned with defining and qualifying the TCB.

TCO – Total Cost of Ownership. A financial estimate of the direct and indirect costs of a product or system. For example, an Intrusion Detection System (IDS) might cost $25,000, but if there are expenses involved with setup, training of personnel, and personnel time or maybe even dedicated personnel are required, the TCO will be much higher. For an IDS it will typically be significantly higher.

TCP – Transmission Control Protocol. A layer 4 protocol.

TCSEC – Trusted Computer Systems Evaluation Criteria, also known as the Orange Book. A US centric (Department of Defense) standard. Ranges from “D” – minimal protection, to “A” – verified design. Not actively used today, but other models are built using its concepts (like ITSEC).

TEMPEST – The codename for NSA specifications and a NATO certification to prevent spying via EMI. TEMPEST includes both methods for spying and shielding requirements to prevent such spying.

TFTP –Trivial File Transfer Protocol. A simplified version if FTP most commonly used for transferring configuration or boot files over LANs.

TGT – Ticket Granting Ticket. Kerberos issues a TGT when a user first logs in. It is sent to the user encrypted by a secret key derived from their password, and if they got their password correct, the TGT is decrypted and their login succeeds.

The second European attempt at an evaluation criteria. Once again, despite being European, it’s considered “International.”

Think for example of the Veterans Administration laptop that went missing with lots of veteran’s personal information such as dates of birth, social security numbers, etc. Clearly this was sensitive information, but no damage to national security could result.

Throughput Time – After enrollment, how long it takes it takes to identify or authenticate a user. 6 to 10 seconds per user, or 10 to 6 users per minute, is considered standard and acceptable.

TKIP –Temporal Key Integrity Protocol. WPA, but NOT WPA2, uses TKIP.

TOC/TOU – Time of Check/Time of Use. A timing attack. Imagine an application that creates a file, and then applies appropriate permissions to it (hey, that’s how they taught me to do it in school). There is a vulnerability for a fraction of second between when the file is created and when the file has appropriate security permissions applied that might be exploitable. Also known as a race condition.

ToE – Target of Evaluation, what is being evaluated by the Common Criteria (EAL).

TPM – Trusted Platform Module. A chip on the motherboard that stores encryption keys. Think of it as an on-motherboard smart card. Included in many motherboards and mobile devices. Apple stopped including the TPM in their hardware in 2009.

TPM – Trusted Platform Module. Essentially a chip on the motherboard. Many PCs and laptops have TPMs built in, although Apple hasn’t included TPMs in years. The TPM is similar to a built in smart card, and performs cryptographic functions. Originally designed for Digital Rights Management. As one example of its use, Windows systems implementing Bitlocker can use the TPM to do bootup file integrity checking to detect infection by kernel level rootkits.

UAT – User Acceptance Testing. A type of dynamic application testing

UDP – User Datagram Protocol. A layer 4 protocol.

VC – Virtual Circuit. A virtual circuit simulates a circuit over a packet switched network.

VDI – Virtual Desktop Interface. With VDI, hosts run a virtual desktop client which loads a virtual machine image from a centralized location.

VDSL – Very high rate Digital Subscriber Line. Asymmetric, downstream rates of 13 to 52 mbps and upstream rates of 1.5 to 2.3 mbps, Short range, only 1000 to 4,500 feet from the phone company’s central switching equipment.

VLAN – Virtual Local Area Network.

VM – Virtual memory. VM allows each process to believe it has its own dedicated physical memory and the Virtual Memory Manager (VMM) maps between virtual memory and the underlying physical memory.

VMEscape – Escaping from a virtual machine to the host operating system or to another virtual machine. Although VMEscape has not been seen in the wild, this attack has been demonstrated before.

VMM – Virtual Memory Manager. The part of the operating system that handles virtual memory. Today often implemented in part by hardware support (a MMU or memory management unit) that is part of the same chip that holds the CPU, such as on the Intel x86 microprocessors.

VNC – Virtual Network Computing. Similar conceptually to RDP above but platform independent.

VOIP – Voice Over IP, which interestingly is considered a WAN protocol by ISC2.

VPN – Virtual Private Network.

VPS – Virtual Private Server. A Virtual Machine hosted by a third party hosting provider. Full access to the Virtual Machine is typically allowed by the provider.

VTC – Video Teleconferencing. Commonly uses VOIP protocols.

Vulnerability Scanners – Tools which scan over the network looking for known vulnerabilities. These go way beyond simple port scans. Examples include Nessus, Qualys, SAINT, and many more.

WAN – Wide Area Network. A bunch of LANs connected together via a (usually high speed) backbone.

WEP – Wired Equivalent Privacy. The original Wi-Fi (IEEE 802.11 wireless networks) security protocol. Depreciated as it is very weak and has numerous flaws.

WORM – Write Once Read Many. Sometimes called Write Once Read Memory. A data storage device that once written cannot be rewritten.

WPA – Wi-Fi Protected Access, and WPA2, Wi-Fi Protected Access II, replacements for WEP.

X.25 – A WAN technology popular in the 1980s and still in use. Primarily legacy.

XP – eXtreme Programming, an Agile development method.

XSS – Cross Site Scripting. A vulnerability where client side code, for example Javascript, HTML, or SQL, can be injected into and executed on the server side. A prime defense is sanitizing all input on the server side (assuming “all input is evil”).