penetration - A successful attempt at circumventing security controls and gaining access to a system.

penetration testing - A method of evaluating the security of a computer system or network by simulating an attack that a malicious hacker would carry out. This is done so that vulnerabilities and weaknesses can be uncovered.

permissions - The type of authorized interactions that a subject can have with an object. Examples include read, write, execute, add, modify, and delete.

personally identifiable information - Any data about a human being that could be used to identify that person.

personnel security - The procedures that are established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances. Procedures confirm a person's background and provide assurance of necessary trustworthiness.

physical access control system - An automated system that manages the passage of people or assets through one or more openings in a secure perimeter based on a set of authorization rules.

physical controls - Controls that pertain to controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls.

physical security - Controls and procedures put into place to prevent intruders from physically accessing a system or facility. The controls enforce access control and authorized access.

piggyback - Unauthorized access to a system by using another user's legitimate credentials.

PII - (Personally Identifiable Information) - Any data about a human being that could be used to identify that person.

ping of death - An attack in which a packet exceeds the maximum permitted packet size and causes the receiving system to fail.

ping scanning - A network mapping technique that detects whether a host replies to a ping; a reply tells the attacker that a host exists at that address.

PKI - (Public Key Infrastructure) - A framework of programs, procedures, communication protocols, and public key cryptography that enables a diverse group of individuals to communicate securely.

plaintext - In cryptography, the original readable text before it is encrypted.

playback attack - Capturing data and resending the data at a later time in the hope of tricking the receiving system. This is usually carried out to obtain unauthorized access to specific resources.

point-to-point protocol - Provides a standard method for transporting multiprotocol datagrams over point-to-point links.

policy - Documents published and promulgated by senior management dictating and describing the organization

port address translation - An extension to NAT that translates all internal addresses to one routable IP address and translates the source port number in each packet to a unique value.

positive testing - This determines that your application works as expected.

PPP - (Point-to-Point Protocol) - Provides a standard method for transporting multiprotocol datagrams over point-to-point links.

privacy - A security principle that protects an individual's information and employs controls to ensure that this information is not disseminated or accessed in an unauthorized manner.

private ports - Ports 49152

procedure - Detailed step-by-step instructions to achieve a certain task, which are used by users, IT staff, operations staff, security members, and others.

protection ring - An architecture that provides hierarchies of privileged operation modes of a system, which gives certain access rights to processes that are authorized to operate in that mode. Supports the integrity and confidentiality requirements of multitasking operating systems and enables the operating system to protect itself from user programs and rogue processes.

protocol - A set of rules and formats that enables the standardized exchange of information between different systems.

pseudo-flaw - An apparent loophole deliberately implanted in an operating system or program as a trap for intruders.

public key encryption - A type of encryption that uses two mathematically related keys to encrypt and decrypt messages. The private key is known only to the owner, and the public key is available to anyone.

public key infrastructure - A framework of programs, procedures, communication protocols, and public key cryptography that enables a diverse group of individuals to communicate securely.

purge - The removal of sensitive data from a system, storage device, or peripheral device with storage capacity at the end of a processing period. This action is performed in such a way that there is assurance proportional to the sensitivity of the data that the data cannot be reconstructed.

purging - The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.

qualitative - Measuring something without using numbers, relying instead on adjectives, scales, grades, and the like.

qualitative risk analysis - A risk analysis method that uses opinion and experience to judge an organization's exposure to risks. It uses scenarios and rating systems.

quantitative - Using numbers to measure something, usually monetary values.

quantitative risk analysis - A risk analysis method that attempts to use percentages in damage estimations and assigns real numbers to the costs of countermeasures for particular risks and the amount of damage that could result from the risk.

RA - (Registration Authority) - An entity that performs certificate registration services on behalf of a Certificate Authority (CA).

RADIUS - (Remote Authentication Dial-In User Service) - A security service that authenticates and authorizes dial-up users and is a centralized access control mechanism.

RB-RBAC - (Rule-Based Role-Based Access Control) - Type of model that uses specific rules that indicate what can and cannot happen between a subject and an object. This access control model is built on top of traditional RBAC and is thus commonly called RB-RBAC to disambiguate the otherwise overloaded RBAC acronym.

RBAC - (Role-Based Access Control) - Type of model that provides access to resources based on the role the user holds within the company or the tasks that the user has been assigned.

read - An operation that results in the flow of information from an object to a subject and does not give the subject the ability to modify the object or the data within the object.

real user monitoring - An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.

recovery planning - The advance planning and preparations that are necessary to minimize loss and to ensure the availability of the critical information systems of an organization after a disruption in service or a disaster.

recovery point objective - A measure of how much data the organization can lose before the organization is no longer viable.

recovery point objective - The acceptable amount of data loss measured in time.

recovery time objective - The target time set for recovering from any interruption.

recovery time objective - The maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences.

reference monitor concept - An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. The security kernel enforces the reference monitor concept.

registered ports - Ports 1024

registration authority - An entity that performs certificate registration services on behalf of a Certificate Authority (CA).

reliability - The assurance of a given system, or individual component, performing its mission adequately for a specified period of time under the expected operating conditions.

remanence - Residual magnetism left behind.