SecurITyCerts dot Org

Navigating Security Certifications


CISSP Access Control Acronyms

Domain 1, Access Control

Of course you need to study and be prepared, but you will never feel 100% prepared. That is OK!

Whether you barely pass, or pass with a 99%, you will still be a CISSP.

And if you pass with a 99%, you’ve wasted a lot of your life preparing, memorizing things you’d look up in the real world, and that’s time you’ll never get back.

MAC – Mandatory Access Control. In a MAC system, access decisions are based on labels (security classifications on objects, clearances on subjects) and are enforced by the system itself; neither the owner of a resource nor an ordinary user can override them. If you think of government systems holding classified data, you have the right idea. Ordinary operating systems like Windows, Unix, and Linux are not MAC in their default configuration; MAC is added on top by extensions such as SELinux and AppArmor on Linux, and in a limited form by Windows integrity levels.
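To make the label idea concrete, here is an added example (my own illustration, not code from any real MAC implementation) of the decision a label-based system makes. A label is a sensitivity level plus a set of compartments; "no read up" and "no write down" are the two Bell-LaPadula rules. The level names, the compartment names and the `dac_permits` flag standing in for an owner's grant are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (categories).
    The same type serves as a subject's clearance and an object's classification."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` on both axes:
        a higher-or-equal level AND a superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_read_allowed(clearance: Label, classification: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's classification."""
    return clearance.dominates(classification)


def mac_write_allowed(clearance: Label, classification: Label) -> bool:
    """*-property ("no write down"): the object's classification must dominate
    the subject's clearance, so data can never flow to a lower label."""
    return classification.dominates(clearance)


def access_allowed(clearance: Label, classification: Label, op: str,
                   dac_permits: bool) -> bool:
    """What a MAC-enforcing kernel does: the label rule is evaluated first and
    is final. `dac_permits` (an assumed flag) stands for the owner's
    discretionary grant, e.g. an ACL entry; it can further restrict access
    but can never override a label denial."""
    if op == "read":
        mac_ok = mac_read_allowed(clearance, classification)
    elif op == "write":
        mac_ok = mac_write_allowed(clearance, classification)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return mac_ok and dac_permits
```

Note that a SECRET clearance without the PROJECT_X compartment cannot read a SECRET/PROJECT_X file even though the levels are equal, and that a CONFIDENTIAL subject may write to a SECRET file (write up is allowed; read up is not).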

DAC – Discretionary Access Control. A system where access to a resource is at the discretion of the resource's owner, as well as of the administrators. For example, Windows is a DAC system: if you own a file, you can grant rights on it to other users, and an administrator can grant rights as well. When I think DAC, I think consumer and most commercial systems.

RBAC – Role Based Access Control. A system where access is based on the roles a subject holds rather than on the individual. In practice these roles are usually mapped to operating system or directory groups, so the access or rights you have are determined by the groups you belong to. The payoff is administrative: rights are assigned to the role once, and joiners, movers and leavers are handled by changing group membership rather than by editing permissions on every resource.

ACM – Access Control Matrix. An ACM is a matrix with subjects (users, roles/groups, running processes) on one axis and objects (files, devices, functions) on the other. Each cell specifies what access a specific subject has to a specific object. Read one column at a time, the matrix gives each object's access control list (ACL); read one row at a time, it gives each subject's capability list, and real systems store one of those two views rather than the matrix itself. In a typical computer environment, where you may have thousands of users, groups, and other subjects, and who knows how many files and other objects, a full-blown ACM is going to be absurdly large, meaning it is basically a theoretical concept in this case. A limited ACM, for example one showing which roles have what access to certain functionality, can be useful in designing and understanding systems.
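Here is an added example (my own illustration, not from any product) that ties the last three entries together: a sparse access control matrix, the ACL and capability-list views derived from it, a discretionary grant that only the owner may make (the DAC entry), and a role layer where a user's rights are the union of their own row and the rows of the groups they belong to (the RBAC entry). The users, groups, file names and rights are constructed sample data.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Subjects on the rows, objects on the columns, a set of rights in each
    cell. Stored sparsely: a missing cell means no access."""

    def __init__(self):
        self.cells = defaultdict(lambda: defaultdict(set))

    def set_rights(self, subject, obj, rights):
        self.cells[subject][obj] = set(rights)

    def rights(self, subject, obj):
        # .get() avoids creating empty cells as a side effect of a lookup
        row = self.cells.get(subject)
        return set(row.get(obj, ())) if row is not None else set()

    def acl(self, obj):
        """One column of the matrix: the object's access control list."""
        return {s: set(row[obj]) for s, row in self.cells.items() if row.get(obj)}

    def capabilities(self, subject):
        """One row of the matrix: the subject's capability list."""
        row = self.cells.get(subject)
        return {o: set(r) for o, r in row.items() if r} if row is not None else {}

    def grant(self, grantor, grantee, obj, rights):
        """Discretionary grant: only a subject holding 'own' on the object may
        give rights on it to someone else."""
        if "own" not in self.rights(grantor, obj):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.cells[grantee][obj] |= set(rights)


class RoleBasedPolicy:
    """RBAC on top of the matrix: roles (groups) appear as subjects in the
    matrix, and a user's effective rights are the union of their own row and
    the rows of every role they hold."""

    def __init__(self, acm, membership):
        self.acm = acm
        self.membership = membership  # user -> set of roles/groups

    def effective_rights(self, user, obj):
        rights = self.acm.rights(user, obj)
        for role in self.membership.get(user, ()):
            rights |= self.acm.rights(role, obj)
        return rights

    def check(self, user, obj, right):
        return right in self.effective_rights(user, obj)


def build_sample():
    """Constructed sample data: two files, two groups, three users."""
    acm = AccessControlMatrix()
    acm.set_rights("alice", "payroll.xlsx", {"own", "read", "write"})
    acm.set_rights("finance", "payroll.xlsx", {"read"})
    acm.set_rights("finance", "ledger.db", {"read", "write"})
    acm.set_rights("hr", "payroll.xlsx", {"read", "write"})
    policy = RoleBasedPolicy(acm, {"bob": {"finance"}, "carol": {"hr", "finance"}})
    return acm, policy
```

Bob can read payroll.xlsx only because the finance group can; Carol can write it because she is also in hr; and Bob cannot pass rights on to anyone because he does not own the file, even after Alice has granted him write access.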

CIRT – Computer Incident Response Team. A CIRT analyses potential incidents and responds if appropriate. Often used interchangeably with CSIRT (Computer Security Incident Response Team) and CERT (Computer Emergency Response Team); strictly, "CERT" is a registered trademark of Carnegie Mellon University's CERT Coordination Center, which is one reason many organizations call their own team a CIRT or CSIRT.

FRR – False Reject Rate. In biometric systems, the FRR is the percentage of genuine, enrolled users who are denied access. It is also known as Type I Error (pronounced "type one error"). I remember it as Type I as it is not as bad as Type II, below.

FAR – False Accept Rate. In biometric systems, the FAR, or Type II Error (pronounced "type two error"), is the percentage of impostor attempts (unenrolled users, or users presenting someone else's identity) that are allowed access. I remember it as Type II as it is worse than Type I (of course the requirements of the system are an issue, but in general it is worse).

CER – Crossover Error Rate. A biometric system has a matching threshold that can be tuned to favour a low FAR (stricter) or a low FRR (more lenient); pushing one rate down pushes the other up. The CER, also called the Equal Error Rate (EER), is the error rate at the threshold where the FAR and FRR are the same, and it is used as a single metric for the overall accuracy of the biometric system: the lower the CER, the better.
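The three biometric entries above are easier to see than to read about, so here is an added example (my own, not from the page or any vendor) that computes FAR and FRR at every candidate threshold from a set of matcher scores, finds the crossover point, and shows what a security-first tuning costs in false rejects. The genuine and impostor score lists are constructed sample data, not measurements from a real sensor.

```python
# Constructed matcher scores: higher means "looks more like the enrolled user".
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR_SCORES = [0.62, 0.55, 0.50, 0.48, 0.45, 0.41, 0.38, 0.33, 0.29, 0.20]


def frr(threshold, genuine=GENUINE_SCORES):
    """False Reject Rate (Type I): share of genuine attempts scoring below
    the acceptance threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Accept Rate (Type II): share of impostor attempts scoring at or
    above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def candidate_thresholds(genuine, impostor):
    # Every observed score is a point where FAR or FRR can change.
    return sorted(set(genuine) | set(impostor))


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def tune_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-first tuning: the lowest threshold whose FAR is within budget,
    together with the FRR users will pay for it. None if no threshold qualifies."""
    for t in candidate_thresholds(genuine, impostor):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None
```

With these scores the crossover sits at a threshold of 0.62 with a CER of 10%; demanding a FAR of zero forces the threshold up to 0.66, and the genuine user who scored 0.58 is still locked out.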

SSO – Single Sign On. The user authenticates once and is then granted access to multiple systems without re-entering credentials. Kerberos, below, is the classic SSO mechanism.

KDC – Key Distribution Center. In the Kerberos authentication system, the KDC is essentially a login server that holds every principal's long-term secret key (derived from the user's password) and issues credentials: its Authentication Service issues the TGT at login, and its Ticket Granting Service later exchanges the TGT for tickets to individual services.

TGT – Ticket Granting Ticket. Kerberos issues a TGT when a user first logs in. The TGT itself is encrypted under the KDC's own key, so the client can neither read nor alter it; what is encrypted under the user's password-derived key is the session key that accompanies it. If the user's password is correct, the client can decrypt that session key, use the TGT, and the login succeeds; if not, the decryption fails. (Modern Kerberos also requires pre-authentication, typically a timestamp encrypted with the user's key, so the KDC will not even hand out a TGT to someone who does not know the password.)
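To show the KDC and TGT entries in motion, here is an added example of the Kerberos AS exchange. It is my own toy model, not real Kerberos code or wire format: the cipher is a demonstration construction (SHA-256 keystream plus an HMAC tag) standing in for a real enctype, pre-authentication is left out, and the realm, principal and password are made-up sample data. What it does show is the shape of the protocol: no password is ever sent, the TGT is opaque to the client, and a wrong password is detected by the client failing to decrypt its part of the reply.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Demonstration cipher only (SHA-256 keystream + HMAC tag), NOT a real
    Kerberos enctype. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def user_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password with a salt (the principal
    name here, an assumption); real Kerberos AES enctypes also use PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.krbtgt_key = os.urandom(32)   # known only to the KDC
        self.principals = {}               # principal -> long-term key

    def enroll(self, principal: str, password: str) -> None:
        self.principals[principal] = user_key(password, principal)

    def as_exchange(self, principal: str):
        """AS-REQ -> AS-REP. No password travels. The reply carries the TGT,
        sealed under the krbtgt key, and the session key, sealed under the
        user's key. (Real Kerberos demands pre-authentication first.)"""
        if principal not in self.principals:
            raise LookupError(f"unknown principal {principal}")
        session_key = os.urandom(32)
        tgt = {"client": principal, "realm": self.realm,
               "session_key": session_key.hex(), "expires": time.time() + 8 * 3600}
        sealed_tgt = toy_encrypt(self.krbtgt_key, json.dumps(tgt).encode())
        enc_part = toy_encrypt(self.principals[principal],
                               json.dumps({"session_key": session_key.hex()}).encode())
        return sealed_tgt, enc_part


def client_login(kdc: KDC, principal: str, password: str):
    """Returns (tgt, session_key) on success, None if the password is wrong.
    The KDC never says yes or no: a client with the wrong password simply
    cannot decrypt the session key and so cannot use the TGT."""
    sealed_tgt, enc_part = kdc.as_exchange(principal)
    try:
        plain = toy_decrypt(user_key(password, principal), enc_part)
    except ValueError:
        return None
    return sealed_tgt, bytes.fromhex(json.loads(plain)["session_key"])
```

The TGS exchange (presenting the TGT plus an authenticator encrypted with the session key to obtain a service ticket) follows the same pattern with the roles of the keys shifted, and is left out here.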

SESAME – Secure European System for Applications in a Multi-Vendor Environment. Kerberos is seen by ISC2 as USA centric, as it was developed at MIT in Massachusetts. SESAME is the same idea, but considered international by ISC2 (European somehow equals international). Kerberos uses tickets and symmetric encryption, SESAME uses Privilege Attribute Certificates or PACs and both symmetric and asymmetric encryption. This conveniently avoids the issue that SESAME never took off or was widely implemented at all, and essentially doesn’t exist anymore (yes, I’m aware there is a smidgen of legacy use at Master Card, but really, who cares?).

PAC – Privilege Attribute Certificate. Again, SESAME uses PACs, while Kerberos uses tickets. (Confusingly, Microsoft's Kerberos implementation also embeds a "Privilege Attribute Certificate" carrying group membership inside its tickets; that is a different structure with the same name.)

IDS – Intrusion Detection System. An IDS is like an alarm system. It watches and raises alarms, or "alerts", when something occurs that should be further investigated. Just like physical alarm systems, IDSs have false alarms as well, and an overly broad signature is the usual cause.

NIDS – Network Intrusion Detection System. An IDS that functions by watching the packets on a network. A NIDS is commonly placed at a network aggregation point, for example before the firewall, after the firewall, or on a spanning/mirroring port on a network switch. Snort is a popular open source NIDS.

HIDS – Host Intrusion Detection System. An IDS that sits on one specific host and watches it: log files, file integrity, processes, and the host's own network activity. HIDS is commonly used to refer to anything that protects a host, and there are also HIDS-specific products available. OSSEC is a popular open source HIDS.
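As an added example of what a NIDS actually does with a packet (my own toy, not Snort's code or rule syntax), here is a small content-signature engine run over three constructed packet records. The first rule fires on an internal e-mail that merely mentions the file name, which is the false alarm the IDS entry warns about; constraining the rule to the service it is about removes it. Addresses, ports and payloads are made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass
class Rule:
    """A signature in the spirit of a Snort content rule: protocol, optional
    destination port, and a byte pattern that must appear in the payload."""
    sid: int
    msg: str
    content: bytes
    dport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.content in pkt.payload


def run_rules(rules, packets):
    """Return one alert tuple (sid, msg, src, dst, dport) per rule/packet match."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst, pkt.dport))
    return alerts


# Constructed sample traffic: a normal web request, a path-traversal probe,
# and an internal e-mail that merely mentions the same file name.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: www\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 80, "tcp", b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.8", "192.0.2.25", 25, "tcp", b"Subject: review of /etc/passwd hardening notes\r\n"),
]

# Too loose: the pattern alone also matches the e-mail (a false alarm).
LOOSE_RULES = [Rule(1000001, "Possible /etc/passwd access", b"/etc/passwd")]
# Constrained to the service the signature is actually about.
TIGHT_RULES = [Rule(1000002, "HTTP request for /etc/passwd", b"/etc/passwd", dport=80)]
```

A real NIDS adds stream reassembly, protocol decoding and normalisation (so that `..%2f..%2f` and `../../` look the same to the rule), but the trade-off between a broad signature and a precise one is exactly the one shown here.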

TOC/TOU – Time of Check/Time of Use (also written TOCTOU). A race condition rather than a timing side channel: the program checks or establishes something at one moment and relies on it at a later one, and an attacker changes the state in between. Imagine an application that creates a file and then applies appropriate permissions to it (hey, that's how they taught me to do it in school). For a fraction of a second between when the file is created and when the correct permissions are applied, the file is readable by others, and the same pattern lets an attacker plant a file or symbolic link at the path before the program creates it. The fix is to make the check and the use a single atomic operation, for example creating the file with its final permissions in one system call.
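Here is an added example (my own, not from the page) of the create-then-chmod pattern beside the fix. Both variants write a file in a temporary directory; an `observe` callback, standing in for the racing process, reads the permission bits at the moment the window would exist. The `planted_file_rejected` helper shows the other half of the fix: with `O_EXCL`, a file an attacker planted at the path beforehand makes the create fail rather than silently being opened. The file names and contents are constructed sample data; the modes assume a POSIX system with the usual 022 umask, which the code sets explicitly.

```python
import os
import stat
import tempfile


def mode_of(path: str) -> int:
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_then_chmod(path: str, observe) -> None:
    """Vulnerable pattern: the file exists with umask-derived permissions
    (0644 under the usual 022 umask) until chmod runs. `observe` is invoked
    inside that window and stands in for a racing process."""
    with open(path, "w") as f:
        f.write("secret\n")
    observe(path)            # TOC/TOU window: world-readable right now
    os.chmod(path, 0o600)


def create_private(path: str, observe) -> None:
    """Fixed: ask the kernel to create the file with its final mode in one
    step. O_EXCL also makes the call fail instead of opening a file or
    symlink that someone planted at the path beforehand."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("secret\n")
    observe(path)            # same moment as above: already 0600


def modes_seen_in_window() -> dict:
    """Runs both variants in a temp dir with umask 022 and returns the
    permission bits a racing observer would see for each."""
    seen = {}
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            create_then_chmod(os.path.join(d, "a"),
                              lambda p: seen.update(vulnerable=mode_of(p)))
            create_private(os.path.join(d, "b"),
                           lambda p: seen.update(fixed=mode_of(p)))
    finally:
        os.umask(old_umask)
    return seen


def planted_file_rejected() -> bool:
    """O_EXCL refuses a pre-existing path, so a planted file is never written."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "planted")
        open(path, "w").close()      # the attacker's pre-created file
        try:
            create_private(path, lambda _: None)
        except FileExistsError:
            return True
    return False
```

The same reasoning applies to the classic `access()`-then-`open()` pair: checking with one call and acting with another leaves a gap, so act directly with the call that can fail safely.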

DOS – Denial Of Service. An attack on availability: legitimate users are kept from a service by exhausting its bandwidth, connections, CPU, memory or disk, or simply by crashing it.

DDOS – Distributed Denial of Service. An example would be a botnet of 100,000 computers where each computer sends a few packets to one IP address. There is a good chance that whatever sits at that IP address will be overwhelmed, and because the traffic comes from everywhere at once there is no single source to block.

EMI – Electromagnetic Interference (not "Electronic Magnetic"). Electronic equipment radiates electromagnetic energy, and older systems, for example ones using Cathode Ray Tube monitors, radiate a substantial amount of it. Those emanations can be received remotely and used to reconstruct what is on the screen (Van Eck phreaking; the shielding and emission standards that counter it go by the name TEMPEST). Although perhaps beyond the capability of your competitors, this is well within the capability of many nation-states.
