
A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, and for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar.

Personal identification number (PIN)

(1) A password consisting only of decimal digits. (2) A secret that a claimant memorizes and uses to authenticate his identity.

Personal identity verification (PIV) card

A physical artifact (e.g., identity card and smart card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, and digitized fingerprint representation) such that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).

Penetration

The successful act of bypassing the security mechanisms of a system.

Penetration signature

The characteristics or identifying marks produced by a penetration.

Penetration study

A study to determine the feasibility and methods for defeating system controls.

Penetration testing

(1) A test methodology in which assessors, using all available documentation (e.g., system design, source code, and manuals) and working under specific constraints, attempt to circumvent or defeat the security features of an information system. (2) Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

Per-call key

A unique traffic encryption key generated automatically by certain secure telecommunications systems to secure a single voice or data transmission.

Perfect forward secrecy

An option available during quick mode that causes a new shared secret to be created through a Diffie-Hellman exchange for each IPsec SA (security association).

Perimeter

A boundary within which security controls are applied to protect assets. A security perimeter typically includes a security kernel, some trusted-code facilities, hardware, and possibly some communications channels.

Perimeter-based security

The technique of securing a network by controlling access to all entry and exit points of the network.

Perimeter protection (logical)

Security controls such as e-mail gateways, proxy servers, and firewalls provide logical perimeter access control and act as the first line of defense.

Perimeter protection (physical)

The objective of physical perimeter or boundary protection is to deter trespassing and to funnel employees, visitors, and the public to selected entrances. Gates and security guards provide the perimeter protection.

Permissions

A description of the type of authorized interactions (such as read, write, execute, add, modify, and delete) that a subject can have with an object.

Personal-area network (PAN)

A network used by an individual or in a home-based business to connect a desktop PC, laptop PC, notebook PC, and PDA with a mouse, keyboard, and printer.

Personal computer (PC)

A desktop or laptop computer running a standard PC operating system (e.g., Windows Vista, Windows XP, Linux/UNIX, and Mac OS X).

Personal firewall

A software-based firewall installed on a desktop or laptop computer to monitor and control its incoming and outgoing network traffic and to block unwanted communications.

Personal firewall appliance

A device that performs functions similar to a personal firewall for a group of computers on a home network.

Personnel screening

A protective measure applied to determine that an individual’s access to sensitive, unclassified automated information is admissible. The need for and extent of a screening process are normally based on an assessment of risk, cost, benefit, and feasibility as well as other protective measures in place. Effective screening processes are applied in such a way as to allow a range of implementation, from minimal procedures to more stringent procedures commensurate with the sensitivity of the data to be accessed and the magnitude of harm or loss that could be caused by the individual. This is a management and preventive control.

Personnel security

It includes the procedures to ensure that access to classified and sensitive unclassified information is granted only after a determination has been made about a person’s trustworthiness and only if a valid need-to-know exists. These are the procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances.

Petri net model

The Petri net model is used for protocol modeling to demonstrate the correctness of a protocol. Mathematical techniques are used in specifying and verifying the protocol correctness. A Petri net model has four basic elements: places (states), transitions, arcs (input and output), and tokens. A transition is enabled if there is at least one input token in each of its input places (states). Petri nets are a graphical technique used to model relevant aspects of system behavior and to assess and improve safety and operational requirements through analysis and redesign. They are used for concurrent application systems that need data synchronization mechanisms and for analyzing thread interactions.

Pharming attack

(1) An attack in which an attacker corrupts an infrastructure service such as the domain name service (DNS), causing the subscriber to be misdirected to a forged verifier/relying party, where the subscriber may reveal sensitive information, download harmful software, or contribute to a fraudulent act. (2) Using technical means (e.g., DNS server software) to redirect users into accessing a fake website masquerading as a legitimate one and divulging personal information.

Phishing attack

(1) An attack in which the subscriber is lured (usually through an e-mail) to interact with a counterfeit verifier, and tricked into revealing information that can be used to masquerade as that subscriber to the real verifier. (2) A digital form of social engineering technique that uses authentic-looking but phony (bogus) e-mails to request personal information from users or direct them to a fake website that requests such information. (3) Tricking or deceiving individuals into disclosing sensitive personal information through deceptive computer-based means.

Physical access controls

The controls over physical access to the elements of a system can include controlled areas, barriers that isolate each area, entry points in the barriers, and screening measures at each of the entry points.

Physical protection system

The primary functions of a physical protection system include detection, delay, and response.

Physical security

(1) It includes controlling access to facilities that contain classified and sensitive unclassified information. (2) It also addresses the protection of the structures that contain the computer equipment. (3) It is the application of physical barriers and control procedures as countermeasures against threats to resources and sensitive information. (4) It is the use of locks, guards, badges, and similar administrative measures to control access to the computer and related equipment.