CompTIA Security+ Acronyms

802.1x

A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

3DES

Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It was originally designed as a replacement for DES. It uses multiple keys and multiple passes and is not as efficient as AES, but is still used in some applications, such as when hardware doesn't support AES.

AAA

Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS + is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user's identification. Authorization determines if a user should have access. Accounting tracks a user's access with logs.

ACE

Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS.

ACL

Access control list. A list of rules used to grant access to a resource. In NTFS, a list of ACEs makes up the ACL for a resource. In a firewall, an ACL identifies traffic that is allowed or blocked based on IP addresses, networks, ports, and some protocols (using the protocol ID).

AES

Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

AES256

Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys and AES256 uses 256-bit encryption keys.

AH

Authentication Header. IPsec includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. AH is identified with protocol ID number 51.

ALE

Annualized loss expectancy. Used to measure risk with annualized rate of occurrence (ARO) and single loss expectancy (SLE). The ALE identifies the total amount of loss expected for a given risk. The calculation is SLE × ARO = ALE.

AP

Access point, short for wireless access point (WAP). APs provide access to a wired network to wireless clients. Many APs support isolation mode to segment wireless uses from other wireless users.

ARO

Annualized rate of occurrence. Used to measure risk with annualized loss expectancy (ALE) and single loss expectancy (SLE). The ARO identifies how many times a loss is expected to occur in a year. The calculation is SLE × ARO = ALE.

ARP

Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates. VLAN segregation helps prevent the scope of ARP poisoning attacks within a network.

AUP

Acceptable use policy. An AUP defines proper system usage. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.

BCP

Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP and the BIA drives decisions to create redundancies such as failover clusters or alternate sites.

BIA

Business impact analysis. The BIA identifies critical business or mission requirements and includes elements such as Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), but it doesn't identify solutions.

BIOS

Basic Input/ Output System. A computer's firmware used to manipulate different settings such as the date and time, boot drive, and access password.

BOTS

Network Robots. An automated program or system used to perform one or more tasks. A malicious botnet is group of computers called zombies and controlled through a command-and-control server. Attackers use malware to join computers to botnets. Zombies regularly check in with the command-and-control server and can launch DDoS attacks against other victims. Botnet activity often includes hundreds of outbound connections, and some botnets use Internet Relay Chat (IRC) channels.

CA

Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

CAC

Common Access Card. A specialized type of smart card used by United States Department of Defense. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. It is similar to a PIV.

CAN

Controller Area Network. A standard that allows microcontrollers and devices to communicate with each other without a host computer.

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES used with WPA2 for wireless security. It is more secure then TKIP, used with the original release of WPA.

CCTV

Closed-circuit television. This is a detective control that provides video surveillance. Video surveillance provides reliable proof of a person's location and activity. It can be used by an organization to verify if any equipment or data is being removed.

CERT

Computer Emergency Response Team. A group of experts that respond to security incidents. Also known as CIRT, SIRT, or IRT.

CHAP

Challenge Handshake Authentication Protocol. Authentication mechanism where a server challenges a client. MS-CHAPv2 is an improvement over CHAP and uses mutual authentication.

CIA

Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

CIRT

Computer Incident Response Team. A group of experts that respond to security incidents. Also known as CERT, SIRT, or IRT.

COOP

Continuity of Operations Plan. A COOP site provides an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communications capabilities of the primary site with all the data up to date. A hot site can take over for a failed primary site within an hour. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site.

CRC

Cyclical Redundancy Check. An error detection code used to detect accidental changes that can affect the integrity of data.

CRL

Certification Revocation List. A list of certificates that have been revoked. Certificates are commonly revoked if they are compromised. The certificate authority (CA) that issued the certificate publishes a CRL, and a CRL is public.

DAC

Discretionary Access Control. An access control model where all objects have owners and owners can modify permissions for the objects (files and folders). Microsoft's NTFS uses the DAC model. Other access control models are MAC and RBAC.

DACL

Discretionary Access Control List. List of Access Control Entries (ACEs) in Microsoft's NTFS. Each ACE includes a security identifier (SID) and a permission.

DDoS

Distributed denial-of-service. An attack on a system launched from multiple sources intended to make a computer's resources or services unavailable to users. DDoS attacks are often launched from zombies in botnets. DDoS attacks typically include sustained, abnormally high network traffic. A performance baseline helps administrators detect a DDoS. Compare to DoS. DEP - Data Execution Prevention. A security feature in some operating systems. It helps prevent an application or service from executing code from a non-executable memory region

DES

Digital Encryption Standard. An older symmetric encryption standard used to provide confidentiality. DES uses 56 bits and is considered cracked.

IPsec

Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.

LAN

Local area network. Group of hosts connected within a network.

SELinux

Security-Enhanced Linux. A trusted operating system platform that prevents malicious or suspicious code from executing on both Linux and UNIX systems. It is one of the few operating systems that use the MAC model.

DHCP

Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/ IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

DLL

Dynamic Link Library. A compiled set of code that can be called from other programs. DLP - Data Loss Protection. A network-based DLP system can examine and analyze network traffic. It can detect if confidential company data or any PII data is included in e-mail and reduce the risk of internal users e-mailing sensitive data outside the organization.

DMZ

Demilitarized zone. Area between two firewalls separating the Internet and an internal network. A DMZ provides a layer of protection for Internet-facing servers. It allows access to a server or service for Internet users while segmenting and protecting access to the internal network.

DNS

Domain Name System. Used to resolve host names to IP addresses. DNS is the primary name resolution service used on the Internet and is also used on internal networks. DNS uses port 53. DNS poisoning attempts to modify or corrupt cached DNS results. A pharming attack is a specific type of DNS poisoning attack that redirects a website's traffic to another website.

DoS

Denial-of-service. An attack from a single source that attempts to disrupt the services provided by another system. Examples include SYN flood, smurf, and some buffer overflow attacks. Compare to DDoS.

DRP

Disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. Recovered systems are tested before returning them to operation, and this can include a comparison to baselines. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.

DSA

Digital Signature Algorithm. A digital signature is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying they sent the e-mail.

EAP

Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include LEAP and PEAP

ECC

Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods

EFS

Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.

EMI

Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. Cables can be shielded to protect signals from EMI. Additionally, EMI shielding prevents signal emanation, so it can prevent someone from capturing network traffic.

ESP

Encapsulating Security Protocol. IPsec includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. ESP is identified with protocol ID number 50.

FTP

File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

FTPS

File Transfer Protocol Secure. An extension of FTP that uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 989 and 990.

GPG

GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.

GPO

Group Policy object. Group Policy is used within Microsoft Windows to manage users and computers. It is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more. GPS - Global Positioning System. GPS tracking can help locate lost mobile devices. Remote wipe, or remote sanitize, erases all data on lost devices. Full disk encryption protects the data on the device if it is lost.

GRE

Generic Routing Encapsulation. A tunneling protocol developed by Cisco Systems.

GUI

Graphical user interface. Users interact with the graphical elements instead of typing in commands from a text interface. Windows is an example of a GUI.

HDD

Hard disk drive. A disk drive that has one or more platters and a spindle. In contrast, USB flash drives use flash memory.

HIDS

Host-based intrusion detection system. An IDS used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files.

HIPS

Host-based intrusion prevention system. An extension of a host-based IDS. Designed to react in real time to catch an attack in action.

HMAC

Hash-based Message Authentication Code. An HMAC is a fixed length string of bits similar to other hashing algorithms such as MD5 and SHA-1, but it also uses a secret key to add some randomness to the result.

HSM

Hardware security module. A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of SSL sessions. High-availability clusters needing encryption services can use clustered HSMs.

HTML

Hypertext Markup Language. Language used to create web pages served on the Internet. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less than and greater than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks.

HTTP

Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP uses port 80.

HTTPS

Hypertext Transfer Protocol Secure. Encrypts HTTP traffic with SSL or TLS using port 443.

HVAC

Heating, ventilation, and air conditioning. HVAC systems increase availability by regulating airflow within data centers and server rooms. They use hot and cold to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity controls to reduce the potential for static discharges, and damage from condensation. They are often integrated with fire alarm systems and either have dampers or the ability to be turned off in the event of a fire.

IaaS

Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.

ICMP

Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.

ID

Identification. For example, a protocol ID identifies a protocol based on a number. AH is identified with protocol ID number 51 and ESP is identified with protocol ID number 50.

IDS

Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.

IEEE

Institute of Electrical and Electronic Engineers. International organization with a focus on electrical, electronics, and information technology topics. IEEE standards are well respected and followed by vendors around the world.

IGMP

Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address. IIS - Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products.

IKE

Internet Key Exchange. Used with IPsec to create a secure channel over port 500 in a VPN tunnel.

IM

Instant Messaging. Real-time direct text-based communication between two or more people, often referred to as chat.

IMAP4

Internet Message Access Protocol v4. Used to store e-mail on servers and allow clients to manage their e-mail on the server. IMAP4 uses port 143.

IPS

Intrusion prevention system. A preventative control that will stop an attack in progress. It is similar to an active IDS except that it's placed in line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.

IPv4

Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1. IPv6 - Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 is expressed as eight groups of four hexadecimal characters (numbers and letters), such as this: FE80: 0000: 0000: 0000: 20D4: 3FF7: 003F:DE62.

IRC

Internet Relay Chat. A form of real-time Internet text messaging often used with chat sessions. Some botnets have used IRC channels to control zombie computers through a command and control server.

IRT

Incident Response Team. A group of experts that respond to security incidents. Also known as CERT, CIRT, or SIRT.

ISP

Internet Service Provider. Company that provides Internet access to customers.

IV

Initialization vector. An provides randomization of encryption keys to help ensure that keys are not reused. WEP was susceptible to IV attacks because it used relatively small IVs. In an IV attack, the attacker uses packet injection, increasing the number of packets to analyze, and discovers the encryption key.

KDC

Key Distribution Center. Part of the Kerberos protocol used for network authentication. The KDC issues time-stamped tickets that expire.

L2TP

Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/ IPsec). L2TP uses port 1701.

LANMAN

Local area network manager. Older authentication protocol used to provide backward compatibility to Windows 9x clients. LANMAN passwords are easily cracked due to how they are stored.

LDAP

Lightweight Directory Access Protocol. Language used to communicate with directories such as Microsoft's Active Directory. It provides a central location to manage user accounts and other directory objects. LDAP uses port 389 when unencrypted and port 636 when encrypted. LEAP - Lightweight Extensible Authentication Protocol. A modified version of the Challenge Handshake Authentication Protocol (CHAP) created by Cisco.

MAC

Mandatory Access Control. Access control model that uses sensitivity labels assigned to objects (files and folders) and subjects (users). SELinux (deployed in both Linux and UNIX platforms) is a trusted operating system platform using the MAC model. Other access control models are DAC and RBAC.

MAC

Media access control. A 48-bit address used to uniquely identify network interface cards. It also called a hardware address or a physical address, and is commonly displayed as six pairs of hexadecimal characters. Port security on a switch can limit access using MAC filtering. Wireless access points can use MAC filtering to restrict access to only certain clients, though an attacker can easily beat this.

MAC

Message authentication code. Method used to provide integrity for messages. A MAC uses a secret key to encrypt the hash. Some versions called HMAC.

MAN

Metropolitan area network. A computer network that spans a metropolitan area such as a city or a large campus

MBR

Master Boot Record. An area on a hard disk in its first sector. When the BIOS boots a system, it looks at the MBR for instructions and information on how to boot the disk and load the operating system. Some malware tries to hide here.

MD5

Message Digest 5. A hashing function used to provide integrity. MD5 uses 128 bits. A hash is simply a number created by applying the algorithm to a file or message at different times. The hashes are compared to each other to verify that integrity has been maintained.

MITM

Man in the middle. A MITM attack is a form of active interception allowing an attacker to intercept traffic and insert malicious code sent to other clients. Kerberos provides mutual authentication and helps prevent MITM attacks.

MS-CHAP

Microsoft Challenge Handshake Authentication Protocol. Microsoft's implementation of CHAP. MS-CHAPv2 provides mutual authentication.

MTU

Maximum Transmission Unit. The MTU identifies the size of data that can be transferred.

NAC

Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC.

NAT

Network Address Translation. A service that translates public IP addresses to private and private IP addresses to public. It hides addresses on an internal network.

NIDS

Network-based intrusion detection system. IDS used to monitor a network. It can detect network-based attacks, such as smurf attacks. A NIDS cannot monitor encrypted traffic, and cannot monitor traffic on individual hosts.

NIPS

Network-based intrusion prevention system. An IPS that monitors the network. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.

NIST

National Institute of Standards and Technology. NIST is a part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available for download here: http:// csrc.nist.gov/ publications/ PubsSPs.html.

NOOP

No operation, sometimes listed as NOP. NOOP instructions are often used in a buffer overflow attack. An attacker often writes a large number of NOOP instructions as a NOOP sled into memory, followed with malicious code.

NOS

Network Operating System. Software that runs on a server and enables the server to manage resources on a network.

NTFS

New Technology File System. A file system used in Microsoft operating systems that provides security. NTFS uses the DAC model.

NTLM

New Technology LANMAN. Authentication protocol intended to improve LANMAN. The LANMAN protocol stores passwords using a hash of the password by first dividing the password into two seven-character blocks, and then converting all lowercase letters to uppercase. This makes LANMAN easy to crack. NTLM stores passwords in LANMAN format for backward compatibility, unless the passwords are greater than fifteen characters. NTLMv1 is older and has known vulnerabilities. NTLMv2 is newer and secure.