adverse events
Events with negative consequences that could threaten an organization's information assets or operations.
contingency planning (CP)
The actions taken by senior management to specify an organization's priorities and actions if an adverse event becomes an incident or disaster.
business impact analysis (BIA)
An investigation and assessment of adverse events that can affect an organization, conducted as a preliminary phase of the contingency planning process.
Recovery point objective (RPO)
The point in time to which systems will be recovered; the maximum amount of data loss the organization will accept.
Recovery time objective (RTO)
The maximum amount of time that a critical system can remain unavailable before there is an unacceptable impact on other system resources.
Maximum tolerable downtime (MTD)
The total amount of time a system owner is willing to accept for a business process outage, including all impact considerations (the sum of RTO and WRT).
Work recovery time (WRT)
The amount of effort (elapsed time) needed to make business processes work again after the technology element is recovered.
incident response (IR)
An organization's set of planning and preparation efforts for detecting, responding to, and recovering from an incident.
incident
An adverse event that could result in a loss of information assets but does not threaten the viability of the entire organization.
cybersecurity incident response team (CIRT or CSIRT)
An IR team composed of IT and cybersecurity professionals who are prepared to detect, respond to, and recover from an incident.
Electronic vaulting
A backup method that uses bulk transfer of data to an off-site facility.
Remote journaling
A backup method that transfers transaction data to an off-site facility for archiving as the backups occur.
Database shadowing
A backup strategy to store duplicate online transaction data and databases at a remote site on a redundant server.
Incident classification
The process of examining an adverse event to determine whether it constitutes an actual incident.
incident commander
The on-duty manager of the CIRT.
incident detection
The identification and classification of an adverse event as an incident.
alert roster
A list of contact information for personnel to be notified in the event of an incident or disaster.
alert message
A description of the incident containing just enough information so each person knows what portion of the plan to implement.
after-action review (AAR)
A detailed examination and discussion of the events that occurred during an incident, from first detection to final recovery.
Protect and forget
An organizational CP philosophy focusing on defense and preventing recurrence rather than attacker identification (also known as "patch and proceed").
Apprehend and prosecute
An organizational CP philosophy that focuses on the identification and prosecution of the attacker (also known as "pursue and prosecute").
Digital forensics
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary analysis.
e-discovery
The identification and preservation of evidentiary material related to a specific legal action.
disaster recovery (DR)
An organization's planning and preparation efforts for detecting, reacting to, and recovering from a disaster.
business continuity (BC)
An organization's efforts to ensure its long-term viability when a disaster precludes operations at the primary site.
Hot site
A fully configured computing facility that includes all services, communications links, and physical plant operations.
Warm site
A facility that provides many of the same services as a hot site, but typically without installed and configured software applications.
Cold site
A facility providing only rudimentary services, with no computer hardware, peripherals, or active communications services.
Timeshare
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization.
Service bureau
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.
Mutual agreement
A contract between two organizations to assist each other in a disaster by providing BC facilities and resources.
Rolling mobile site
A strategy involving specialized facilities configured in the payload area of a tractor-trailer.
Work-from-home
A continuity strategy in which an entire organization works from remote locations using virtual meetings and remote access.
business resumption planning (BRP)
Actions taken by senior management to develop and implement a combined DR and BC policy and recovery teams.
crisis management (CM)
Planning and preparation efforts for dealing with human injury, emotional trauma, or events negatively impacting an organization's image.
Desk check
A testing strategy where copies of plans are distributed to individuals for review and validation of components.
Structured walk-through
A testing strategy where involved individuals walk through an organization and discuss steps they would take during an actual event.
talk-through
A form of structured walk-through where individuals meet in a conference room to discuss CP rather than walking around.
Simulation
A testing strategy in which an organization conducts a role-playing exercise as if an actual incident had occurred.
Full-interruption testing
A testing strategy where team members follow all procedures, including interruption of service and restoration of data from backups.
configuration and change management (CCM)
An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.
configuration management (CM)
An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.
auditing
The review of a system's use to determine if misuse or malfeasance has occurred.
external monitoring domain
The component of the maintenance model that focuses on evaluating external threats to an organization's information assets.
internal monitoring domain
The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.
difference analysis
A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline).
planning and risk assessment domain
The component of the maintenance model that focuses on identifying and planning ongoing cybersecurity activities and managing risks introduced through IT and cybersecurity projects.
vulnerability assessment and remediation domain
The component of the maintenance model focused on identifying documented vulnerabilities and remediating them in a timely fashion.
vulnerability assessment
The process of identifying and documenting provable flaws in an organization's information asset environment.
Penetration testing
The investigation, assessment, and evaluation of a system by authorized individuals emulating an attack.
pen testing
The investigation, assessment, and evaluation of a system by authorized individuals emulating an attack.
Internet vulnerability assessment
An assessment approach designed to find and document vulnerabilities that may be present in an organization's public network.
intranet vulnerability assessment
An assessment approach designed to find and document selected vulnerabilities that are likely to be present on an organization's internal network.
platform security validation (PSV)
An assessment approach designed to find and document vulnerabilities that may be present because misconfigured systems are used within an organization.
wireless vulnerability assessment
An assessment approach designed to find and document vulnerabilities that may be present in an organization's wireless local area networks.
biometrics
The use of physiological characteristics to provide authentication for a person's identification and validate that they are who they claim to be.
password
A secret combination of characters that only the user should know; it authenticates the user.
passphrase
A plain-language phrase, typically longer than a password, from which a virtual password is derived.
password complexity
The degree of variation or complication in a password or passphrase.
virtual password
A derivative of a passphrase that is an improvement over the standard password because it is based on an easily memorable phrase.
dumb card
An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
smart card
An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
Synchronous tokens
An authentication component in the form of a card or key fob that contains a computer chip and a display and shows a time-based, computer-generated number used to support remote login authentication.
Asynchronous tokens
An authentication component in the form of a card or key fob that contains a computer chip and a display and shows a computer-generated number that is activated to support remote login authentication.
false reject rate
The rate at which authentic users are denied or prevented access to authorized areas because of a failure in a biometric device.
false accept rate
The rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in a biometric device.
crossover error rate (CER)
The point at which the rate of false rejections equals the rate of false acceptances; it is considered the optimal outcome for biometric systems because it represents a balance between the two error rates.
firewall
The combination of hardware and software that filters or prevents specific information from moving between the outside network (untrusted) and the inside network (trusted).
packet filtering firewall
A networking device that examines the header information of data packets and determines whether to drop (deny) or forward (allow) them based on configuration rules.
application layer proxy firewall
A device capable of functioning both as a firewall and an application layer proxy server.
application layer firewall
A device capable of examining the application layer of network traffic (e.g., HTTP, SMTP) and filtering based on its header content.
proxy server
A server that acts as an intermediary, intercepting requests from external users and retrieving information from an internal source on behalf of the client.
cache server
A web server that only stores and provides requested content by obtaining it from the source and archiving it for future needs.
proxy firewall
A device that provides both firewall and proxy services.
demilitarized zone
An intermediate area between a trusted network and an untrusted network that restricts access to internal systems.
DMZ
An intermediate area between a trusted network and an untrusted network that restricts access to internal systems.
stateful packet inspection (SPI firewall)
A firewall type that keeps track of each network connection between internal and external systems using a state table to expedite communications filtering.
dynamic packet filtering firewall
A firewall type that keeps track of each network connection using a state table and expedites the filtering of communications.
state table
A record of the state and context of each packet in a conversation between an internal and external user or system.
Unified Threat Management (UTM)
A device categorized by the ability to perform the work of multiple devices, such as an SPI firewall, IDPS, content filter, and malware scanner.
deep packet inspection (DPI)
A type of device that can examine multiple protocol headers and content of network traffic, including encrypted or compressed data.
single bastion host architecture
A firewall architecture in which a single device performing firewall duties serves as the only perimeter protection for the network.
bastion host
Any network system, router, or firewall placed between an external untrusted network and an internal trusted network that is exposed to the untrusted network.
sacrificial host
Any network system, router, or firewall placed between an external untrusted network and an internal trusted network that is exposed to the untrusted network.
dual-homed host
A network configuration in which a device contains two network interfaces: one connected to the external network and one to the internal network.
network-address translation (NAT)
A method of converting multiple real, routable external IP addresses to special ranges of internal IP addresses, usually on a one-to-one basis.
port-address translation (PAT)
A firewall architecture in which a single external IP address is mapped dynamically to a range of internal IP addresses by adding a unique port number.
screened-host architecture
A firewall architecture that combines the packet filtering router with a second, dedicated device, such as a proxy server.
screened-subnet architecture
A model consisting of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment.
total cost of ownership (TCO)
A measurement of the true cost of a device including purchase price, maintenance, upgrades, training, and administration.
content filter
A software program or appliance that allows administrators to restrict content that comes into or leaves a network.
Intrusion detection and prevention system (IDPS)
A system with the capability to detect intrusions and modify its configuration and environment to prevent them.
host-based IDPS (HIDPS)
An IDPS that resides on a particular computer or server (the host) and monitors activity only on that system.
network-based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a network segment and monitors traffic for indications of attacks.
signature-based IDPS
An IDPS that examines data traffic for something that matches the signatures of preconfigured, predetermined attack patterns.
knowledge-based IDPS
An IDPS that examines data traffic for something that matches signatures of preconfigured attack patterns.
anomaly-based IDPS
An IDPS that collects data from normal traffic to establish a baseline, then samples network activity to detect deviations.
behavior-based IDPS
An IDPS that first collects data from normal traffic to establish a baseline, then periodically samples network activity using statistical methods.
clipping level
A predefined assessment level that triggers a predetermined response when surpassed.
agent
A piece of software that resides on a system and reports back to a management application or server.