ACK The "acknowledgement" flag that can be set in the TCP/IP packet header. Most often seen in the TCP/IP 3-way handshake to set up communications. Active Directory Active directory technology is responsible for offering network security services, such as authentication, interoperation with other system directories, Domain Name System (DNS) naming, and a central storage repository for application data. Adobe Flash Open source software that allows users to play Flash animation files Adobe Reader Open source software that allows users to view, print, and collaborate on pdf files anomaly-based IDS method Detection method that looks for traffic activity that falls outside of normal traffic patterns (other methods include signature-based and protocol-based) API Application Programming Interface is an interface that allows software programs to interact with each other. ARP Address Resolution Protocol attack signature A characteristic byte pattern used in malicious code or an indicator, or set of indicators that allows the identification of malicious network activities. CNSS 4009 availability The property of being accessible and useable upon demand by an authorized entity. NIST 800-53: Ensuring timely and reliable access to and use of information. CNSS 4009

black hat Hackers who intentionally break into systems for malicious purposes, such as, to steal or destroy data, prevent legitimate users from accessing the system or network, and committing fraud, theft, vandalism, or other types of illegal activity blaster Worm that exploits RPC endpoint mapping. See also Nachi. bot Refers to malicious code that is installed on a computer to take command and control of the computer for the attacker’s own purposes. The controlled computer becomes a zombie, or member of a botnet, which can be used to steal data, host malicious content, and launch other attacks, including worms and viruses, to send spam. Also see botnet. botnet Collection of bots controlled by a bot herder. Also see bot. broadcast Data is transmitted to all network destinations, simultaneously addressed to all computers. brute-force attacks Attacks that systematically search for user passwords to hack into a system BSD Berkeley Software Distribution (BSD) is a Unix-based operation system buffer overflow A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. CNSS 4009 buffer zone A non-technical term to refer to a sub-network between an an untrusted network and trusted network technically referred to as a DMZ

C2 command and control choke point In reference to network security, a choke point is a location on a network where traffic is funneled through a point that can be easily monitored and controlled. Choke points are often established by network applicances such as firewall or routers. cipher text Data in its encrypted form. CNSS 4009 CISCO CISCO Systems, Inc collision domain Network segment where data packets from different devices collide with one another, the data transmission is stopped, a jam signal is sent, and the transmission is tried again at later time. COMMON_CRITERIA The International Common Criteria for Information Technology Security Evaluation (CC) defines general concepts and principles of information technology (IT) security evaluation and presents a general model of evaluation. It presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems DoDI 8500.2, Par E2.1.3 Computer Browser (NetBIOS) Computer Browser service is the mechanism that collects and distributes the list of workgroups and domains and the servers within them. It provides backward compatibility with computers running earlier versions of Windows that must use NetBIOS over TCP/IP and are not Active Directory-capable. Conficker Most wide-spread worm since 2003, exploited vulnerabilities in NetBIOS confidentiality The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information. NIST SP 800.53: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. CNSS 4009 connectionless protocol Does not guarantee receipt of packets (e.g., IP) cracker Hackers who attempt to circumvent or break security measures for malicious purposes CSMA/CD Carrier Sense Multiple Access With Collision Domain

DARPA Defense Advanced Research Projects Agency datagram Another term for data packet DCOM Distributed Component Object Model is part of a family of technologies that allow software components to communicate across network boundaries. Defense-in-Depth DoD's layered approach to protecting its information and information systems, which includes preventive layers such as firewalls and anti-virus protection that actually stop attacks denial-of-service The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) CNSS 4009 Destination Address Provides the IP address of the intended receiver. DF Do Not Fragment DHCP Dynamic Host Configuration Protocol is a network protocol that allows a server to automatically assign an IP address from a pool of addresses that are defined for the network. DHCP Server Dynamic Host Configuration Protocol Server is a service that allows a server to dynamically distribute IP addressing and configuration information to clients. Normally the DHCP server provides the client with at least the basic information of IP address, subnet mask, and default gateway. DMZ Demilitarized Zone is a perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. CNSS 4009 DNS Domain Name System DoD Department of Defense DSL digital subscriber line duplex system A telecommunications system composed of two devices able to communicate with each other in both directions. Half-duplex and full-duplex are implementations of this system.

encryption The process of changing plaintext into ciphertext for the purpose of security or privacy. CNSS 4009 endpoint mapping Refers to how a server listens for incoming client requests and maps each request to its destination server process Ephemeral ports Ports that are reserved for temporary use by the client end of client-server communications. Also see Well Known ports. EPM endpoint mapper Exchange Server/Client The port list includes a conglomeration of ports and services utilized by Microsoft Exchange for the sending and receiving of email messages. /etc/shadow File that stores secure user account information in encrypted format.

false negative Refers to a malicious event for which the IDS fails to provide an alert false positive Refers to a non-malicious event for which the IDS provides a malicious-event alert First rule Fragmentation policy that does not overwrite previous fragments and gives priority to the first fragment, which is used by the Windows operating system. See also Last rule. Flags Packet header field that determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. Flow Label IPv6 header field that labels a set of packets with the same origin and destination, or flow, thus allowing IPv6 routers to handle packets with the same flow in the same way. footprint A method for discovering what software, applications, and services are on a targeted machine or device Frag3 preprocessor Configuration option in Snort that allows you to reassemble fragments in multiple ways: First, Last, or both. Fragment Offset Packet header field that helps to reconstruct a fragmented packet at the next router in the link. The receiving system uses this field to identify the place of the fragment in the original datagram. Fragrouter Fragrouter tool FTP File Transfer Protocol Full duplex Communication occurs in both directions between a sender and a receiver simultaneously.

hacker Unauthorized user who attempts to or gains access to an information system CNSS 4009 hacktivist Type of hacker who is politically or socially motivated to break into and or attack information systems half duplex Communication between two devices but in only one direction at a time. harden Server hardening includes techniques used to establish a security baseline on a system, particularly those connected to semi- or untrusted networks. header Portion of a data packet or datagram that contains identifying information such as the IP version number and the source and destination addresses. Header Checksum Packet header field that protects the IPv4 header by identifying whether errors or data corruption occurred during transmission. HIDS Host-based Intrusion Detection System. See Host-based IDS. CNSS 4009 hop limit Number of possible times a packet may hop, or be forwarded, from router to router. This field helps to identify any routing errors that can lead to packets getting stuck in infinite loops. The maximum hop limit in IPv6 is 255. See also hop count or TTL for IPv4. Host-based IDS IDS that operates on information collected from within an individual computer system. This vantage point allows host-based IDSes to determine exactly which processes and user accounts are involved in a particular attack on the Operating System. Furthermore, unlike network-based IDSes, host-based IDSes can more readily “see” the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks. CNSS 4009 HP Hewlett Packard HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure

IANA Internet Assigned Numbers Authority ICMP Internet Control Message Protocol IDS Intrusion Detection System. See Intrusion Detection System. CNSS 4009 IETF Internet Engineering Task Force IHL Internet Header Length is a packet header field that specifies the header size. IM instant messaging IMAP Internet Message Access Protocol infection vector Method used by malicious code to propagate itself or infect the computer CNSS 4009 insider threat An entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service. CNSS 4009 integrity The property whereby an entity has not been modified in an unauthorized manner. NIST 800-53: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. CNSS 4009 Internet The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the IAB and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN). CNSS 4009 Internet Information Service Microsoft-developed web server. interoperability Capability of computers and networks to communicate with each other despite their different components and technologies intrusion Unauthorized act of bypassing the security mechanisms of a system CNSS 4009 Intrusion Detection System Hardware or software products that gather and analyze information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations) CNSS 4009 IP Internet Protocol is a standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks CNSS 4009 IPv4 Internet Protocol version 4 is a system of addresses used to identify entities on a network, which represents 32 bits of address data. Also see IPv6. IPv6 Internet Protocol version 6 is a system of addresses used to identify entities on a network, which represents 128 bits of address data. Also see IPv4. IRC Internet Relay Chat is a multi-user multi-channel chat system that is neither client nor network specific. ISO International Organization for Standardization ISP Internet service provider

MAC address Media Access Control address - the unique identifier for each network assigned to network interface cards by the manufacturer. CNSS 4009 malicious code Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. CNSS 4009 malware See malicious code. CNSS 4009 man-in-the-middle attack A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association. CNSS 4009 many-to-one NAT An extension of NAT that permits multiple devices to be located behind and mapped to a single public IP address by translating both the IP address and associated port. Also called Port Address Translation (PAT). MF More Fragments mirror port Port on a switch that is dedicated to receiving copies network traffic from each port on the switch. MSS Maximum Segment Size MSSQL Microsoft Standard Query Language is the Microsoft implementation of the SQL relational database model. MTU Maximum Transmission Unit multicast Transmitted data to multiple destinations, but not all network destinations, using special address assignments.

Nachi Worm that exploits RPC endpoint mapping. See also Blaster. NAT Network Address Translation is an Internet standard that allows one set of IP address to be used internally and a different set of addresses to be used externally for the purpose of a maximizing IP address space or masking internal IP addresses. NetLogon The NetLogon service verifies logon requests while registering, authenticating, and locating domain controllers. network Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. CNSS 4009 network share Devices or pieces of information that can be accessed and shared by remote computers (e.g., shared files, folders, printers, and scanners) Network-based Intrusion Detection System IDS that detects attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment. CNSS 4009 Next Header IPv6 header field that identifies the first field of the packet data, or payload, which immediately follows the packet header. This field usually indicates the packet’s Transport layer protocol. NIDS Network-based intrusion detection system Nimda NetBIOS-based worm. See also Sasser. Nmap Open source network scanning utility used for host discovery, network mapping, service identification, and auditing NT New Technology (Windows)

packet Smallest building blocks of information on networks, which consist of header fields and data, or payload. PAT Port Address Translation is an extension of NAT that permits multiple devices to be located behind and mapped to a single public IP address by translating both the IP address and associated port. Also called one-to-many NAT. patching Application of software and or firmware updates that correct coding errors and bugs. The most common types of patches are those that correct security vulnerabilities. payload Actual data contained in a packet or datagram. Also see header. Payload Length IPv6 packet header field that specifies the length of the packet’s data or payload. PC personal computer phishing Deceiving individuals into disclosing sensitive personal information through deceptive computer-based means. phone home A term used to define the process of a bot on an infected machine communicating back to a bot master with information or for further instruction. CNSS 4009 PHP Hypertext Preprocessor pivoting Technique for using an initial foothold on a network to further compromise the network plaintext Unencrypted information. POP Post Office Protocol CNSS 4009 port aggregator A network tapping methodology that allows multiple traffic streams to be monitored by a single device. port number Identifies the application or service to be used for receiving the data packet. Also see Ephemeral and Well Known ports. preprocessor Software that processes packet data before the data is actually passed through security signatures for reassembly. See also Frag3 preprocessor. promiscuous sniffing Method to sniff network traffic where the network interface cards is set to promiscuous mode and intercepts all packets on the network, not just those destined for that host. protocol Set of rules and formats, semantic and syntactic, permitting information systems to exchange information protocol-based IDS method Detection method that analyzes the protocol activity against standard protocol behaviors (other methods include anomaly-based and signature-based) CNSS 4009

Remote Desktop Remote desktop is a session virtualization capability that allows users access to remote computers using the Remote Desktop Protocol. RFC Request for Comments RFC 1918 In RFC 1918, the Internet Engineering Task Force (IETF) directed the Internet Assigned Numbers Authority (IANA) to reserve three blocks or ranges of IPv4 addresses for private networks. RFC 1918 addresses Non-publicly routable IP address space to be used on private networks, which means that these addresses are for internal use only and are not routed on the Internet. RFI Remote File Inclusion rootkit A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means. RPC remote procedure call

Sasser NetBIOS-based worm. See also Nimda. script kiddie Inexperienced hackers who use pre-packaged tools for breaking into systems services Processes or groups of tasks that provide basic functionality and support for other programs. E-mail, file transfer, routing, and so on are examples of services. SharePoint Portal Server Microsoft SharePoint Server works with Microsoft IIS web server to produce sites intended for collaboration, file sharing, web databases, social networking and web publishing. signature Recognizable, distinguishing pattern. See also attack signature. signature-based IDS method Detection method that looks for specific patterns of an attack in the network traffic (other methods include protocol-based and anomaly-based) CNSS 4009 SMB Server Message Block SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SNORT A free, open source network intrusion detection and prevention system socket Combination of an IP address and port number into a single expression (also called a network socket) socket pair A source IP address and source port, and a destination IP address and a destination port, which describe a unique connection on a network Source Address Provides the IP address of the original sender. SPA Switched Port Analyzer SPAN port Term used for port mirroring on Cisco switches SQL Structured Query Language SSG Secure Services Gateway SSH Secure Shell SYN synchronize packet sent by a client to a server on port 80 as a request to synchronize SYN/ACK Synchronize - Acknowledge. Two of the flags that can be set in a TCP/IP packet header. synchronize/acknowledge Part of the three-way handshake that establishes connections within the TCP/IP protocol stack. The server acknowledges the client's "SYN" packet and then sends it's own "SYN" packet back to the client. Systems Center Configuration Manager Systems Center Configuration Manager is systems management software that provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. Formerly known as Systems Management Server, or SMS.

TAPS Test Access Ports TCP Transmission Control Protocol TCP/IP Transmission Control Protocol/Internet Protocol is the underlying protocol of the Internet, developed by a DoD agency called Defense Advanced Research Projects Agency (DARPA). Also refers to a model of interoperability that conceptualizes a 4-layer framework for connecting dissimilar systems with a set of standards, or protocols, allowing the systems to work together. Also see Open Systems Interconnection model. TCP/IP Print Service The TCP/IP Printing Service, also called Unix Printing, integrates print services for Windows based machines into Unix environments. TCP/UDP Transmission Control Protocol/User Datagram Protocol Telnet Terminal Emulation Over a Network TFTP Trivial File Transport Protocol Total Length Packet header field that identifies the entire datagram size, including header and data. The minimum datagram length is 20 bytes, and the maximum is 65,535. Traffic Class IPv6 header field that differentiates packets according to priority (also called Packet Priority field). trojan horse A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. true-negative IDS event Refers to a non-malicious activity for which the IDS does not provide an alert true-positive IDS event Refers to malicious traffic or traffic of interest that has occurred, and for which the IDS provides an alert for further examination CNSS 4009 trusted networks A network that with appropriate technical, administrative, and physical access controls to assume a certain level of security and trust TTL The Time to Live field may also be referred to as a hop count. It tracks the datagram’s length of life, or the number of times the packet can hop, or be forwarded, from router to router. The value in this field can prevent the packet from endlessly traversing a network. tunneling Technology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. Type of Service Packet header field that specifies how to prioritize information on its way to its destination, for example, with a preference for low delay or high reliability.

Well Known ports Ports reserved for system and/or root processes and applications with the required privileges. Also see Ephemeral ports. whois A TCP/IP protocol used to provide information services to users. Traditionally the whois protocol is leveraged for domain name and IP address lookups querying databases containing this information. Windows Internet Name Service (WINS) Windows Internet Name Service is a Microsoft implementation of NetBIOS that provides mapping of client names to IP addresses as assigned by a DHCP server. worm A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See malicious code. WWW World Wide Web