56 CMU/SEI-2005-TR-009
penetration testing
The execution of a testing plan, the sole purpose of which is to attempt to hack into a
system using known tools and techniques [RUsecure 05].
physical security
Security measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment [Guttman 95].
port scanning
The act of systematically scanning a computer’s ports [Webopedia 05].
privacy
The quality or condition of being secluded from the presence or view of others [Dictionary.com 05].
procedure
The implementation of a policy in the forms of workflows, orders, or mechanisms
[West-Brown 03].
recognition
The capability of a system to recognize attacks or the probing that precedes attacks
[Ellison 03].
recovery
A system’s ability to restore services after an intrusion has occurred. Recovery also contributes to a system’s ability to maintain essential services during intrusion [Ellison 03].
replay attack
The interception of communications, such as an authentication communication, and subsequent impersonation of the sender by retransmitting the intercepted communication [FFIEC 04].
resilience
The ability of a computer or system to both withstand a range of load fluctuations
and also remain stable under continuous and/or adverse conditions [RUsecure 05].
resistance
Capability of a system to resist attacks [Ellison 03].
risk
The product of the level of threat with the level of vulnerability. It establishes the
likelihood of a successful attack [SANS 05].
risk assessment
The process by which risks are identified and the impact of those risks determined
[SANS 05].
security policy
A policy that addresses security issues [West-Brown 03].
script kiddies
The more immature but unfortunately often just as dangerous exploiter of security lapses on the Internet. The typical script kiddy uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet—often randomly and with little regard or perhaps even understanding of the potentially harmful consequences [TechTarget 05].
spoof
The term is used to describe a variety of ways in which hardware and software can be
fooled. IP spoofing, for example, involves trickery that makes a message appear as if
it came from an authorized IP address [Webopedia 04].
SQL injection
A type of input validation attack specific to database-driven applications where SQL
code is inserted into application queries to manipulate the database [SANS 05].
stakeholder
Anyone who is a direct user, indirect user, manager of users, senior manager, operations staff member, support (help desk) staff member, developer working on other systems that integrate or interact with the one under development, or maintenance professionals potentially affected by the development and/or deployment of a software project [Ambler 04].
stealthing
A term that refers to approaches used by malicious code to conceal its presence on an
infected system [SANS 05].
survivability
The capability of a system to complete its mission in a timely manner, even if significant portions are compromised by attack or accident. The system should provide essential services in the presence of successful intrusion and recover compromised services in a timely manner after intrusion occurs [Mead 03].
target
The object of an attack, especially host, computer, network, system, site, person,
organization, nation, company, government, or other group [Allen 99].
threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm [SANS 05].