dBd
Decibels-dipole. Identifies the gain of an antenna compared with a type of dipole antenna. Higher dBd numbers indicate the antenna can transmit and receive over greater distances.
dBi
Decibels-isotropic. Identifies the gain of an antenna and is commonly used with omnidirectional antennas. It references an isotropic antenna that can theoretically transmit the signal equally in all directions. Higher numbers indicate the antenna can transmit and receive over greater distances.
dBm
Decibels-milliwatt. Identifies the power level of the WAP and refers to the power ratio in decibels referenced to one milliwatt. Higher numbers indicate the WAP transmits the signal over a greater distance.
DDoS
Distributed denial-of-service. An attack on a system launched from multiple sources intended to make a computer's resources or services unavailable to users. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS.
DEP
Data Execution Prevention. A security feature in some operating systems. It helps prevent an application or service from executing code from a nonexecutable memory region.
GPG
GNU Privacy Guard (GPG). Free software based on the OpenPGP standard and used to encrypt and decrypt files. It is similar to PGP but avoids any conflict with existing licensing by using open standards.
HTTPS
Hypertext Transfer Protocol Secure. Encrypts HTTP traffic with SSL or TLS using TCP port 443.
DES
Digital Encryption Standard. An older symmetric encryption standard used to provide confidentiality. DES is a block cipher and it encrypts data in 64-bit blocks. DES uses 56 bits and is considered cracked. Use AES instead, or 3DES if the hardware doesn't support AES.
DHCP
Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.
DHE
Data-Handling Electronics. Term used at NASA indicating electronic systems that handle data.
DHE
Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each new session. Sometimes listed as EDH.
DLL
Dynamic Link Library. A compiled set of code that can be called from other programs.
FTPS
File Transfer Protocol Secure. An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.
HTTP
Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP uses TCP port 80.
DLP
Data loss prevention. A network-based DLP system can examine and analyze network traffic. It can detect if confidential company data or any PII data is included in email and reduce the risk of internal users emailing sensitive data outside the organization. End-point DLP systems can prevent users from copying or printing sensitive data.
DMZ
Demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network.
DNAT
Dynamic Network Address Translation. A form of NAT that uses multiple public IP addresses. In contrast, PAT uses a single public IP address. It hides addresses on an internal network.
DNAT
Destination Network Address Translation. A form of NAT that changes the destination IP address for incoming traffic. It is used for port forwarding.
DNS
Domain Name System. Used to resolve host names to IP addresses. DNS zones include records such as A records for IPv4 addresses and AAAA records for IPv6 addresses. DNS uses UDP port 53 for DNS client queries and TCP port 53 for zone transfers. DNS poisoning attacks attempt to modify or corrupt DNS data. Secure zone transfers help prevent these attacks. A pharming attack is a type of DNS poisoning attack that redirects a web site's traffic to another web site.
DNSSEC
Domain Name System Security Extensions. A suite of specifications used to protect the integrity of DNS records and prevent DNS poisoning attacks.
FTP
File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.
HTML
Hypertext Markup Language. Language used to create web pages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than and greater-than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks.
DoS
Denial-of-service. An attack from a single source that attempts to disrupt the services provided by the attacked system. Compare to DDoS.
DRP
Disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.
DSA
Digital Signature Algorithm. A digital signature is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying he sent the email.
DSL
Digital subscriber line. Improvement over traditional dial-up to access the Internet.
DSU
Data Service Unit. An interface used to connect equipment to a T1 and similar lines. It typically connects with a CSU as a CSU/DSU.
FDE
Full Disk Encryption. Method to encrypt an entire disk. TrueCrypt is an example.
HSM
Hardware security module. A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of SSL sessions. High-availability clusters needing encryption services can use clustered HSMs.
EAP
Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, LEAP, and PEAP.
EAP-TLS
Extensible Authentication Protocol-Transport Layer Security. An extension of EAP sometimes used with 802.1x. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1x server and on each of the wireless clients.
EAP-TTLS
Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of EAP sometimes used with 802.1x. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1x server but not on the clients.
ECC
Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.
ECDHE
Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.
FCoE
Fibre Channel over Ethernet. A lower-cost alternative to traditional SANs. It supports sending Fibre Channel commands over an IP network.
HOTP
HMAC-based One-Time Password (HOTP). An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used.
EFS
Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.
EMI
Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.
ESD
Electrostatic discharge. Release of static electricity. ESD can damage equipment, and low humidity causes a higher incidence of ESD. High humidity can cause condensation on the equipment, which causes water damage.
ESN
Electronic Serial Number. Numbers used to uniquely identify mobile devices.
ESP
Encapsulating Security Protocol. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.
FACL
File System Access Control List. An ACL used for file systems. As an example, NTFS uses the DAC model to protect files and folders.
HMAC
Hash-based Message Authentication Code. A hashing algorithm used to verify integrity and authenticity of a message with the use of a shared secret. When used with TLS and IPsec, HMAC is combined with MD5 and SHA-1 as HMAC-MD5 and HMAC-SHA1, respectively.
GPO
Group Policy Object. Group Policy is used within Microsoft Windows to manage users and computers. It is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.
GPS
Global Positioning System. GPS tracking can help locate lost mobile devices. Remote wipe, or remote sanitize, erases all data on lost devices. Full disk encryption protects the data on the device if it is lost.
GRE
Generic Routing Encapsulation. A tunneling protocol developed by Cisco Systems.
GUI
Graphical user interface. Users interact with the graphical elements instead of typing in commands from a text interface. Windows is an example of a GUI.
HDD
Hard disk drive. A disk drive that has one or more platters and a spindle. In contrast, USB flash drives and SSD drives use flash memory.
HIDS
Host-based intrusion detection system. An IDS used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software.
HIPS
Host-based intrusion prevention system. An extension of a host-based IDS. Designed to react in real time to catch an attack in action.