Chapter 15 Β· Glossary

Obfuscation β€” Term Reference

Every term you need for steganography, tokenization, and data masking on the Security+ exam.

Obfuscation
Making data difficult to understand or detect without making it cryptographically unreadable. Obfuscation hides data, replaces it with meaningless substitutes, or shows only partial information. Unlike encryption, the goal is invisibility or substitution rather than mathematical unreadability.
Steganography
The practice of hiding secret data within ordinary, non-secret data β€” images, audio, video, or network traffic β€” so that the existence of the hidden message is concealed. The carrier file looks completely normal to anyone not specifically looking for hidden content.
Carrier File
The ordinary file used to conceal hidden data in steganography. Common carrier types: JPEG/PNG images, MP3/WAV audio files, video files (MP4/AVI), and PDF documents. The carrier file appears and functions completely normally β€” its hidden payload is invisible.
LSB Steganography (Least Significant Bit)
The most common image steganography technique: replaces the least significant bit of each pixel's color value with a bit from the hidden message. Changes are imperceptible to the human eye (changing a pixel value from 200 to 201 is invisible). A 10-megapixel image can hide over 1 MB of data this way.
Network Steganography
Hiding data in network protocol fields β€” unused header fields, TCP timestamps, DNS query payloads, ICMP packets. Used by malware for covert command-and-control communication that blends in with normal network traffic and evades detection systems that analyze content but not header fields.
Digital Watermark
A steganographic technique where identifying information is invisibly embedded in a file (image, document, audio). Used by publishers to track which authorized recipient leaked a document. Unlike visible watermarks, digital watermarks survive copying and are not removed by cropping. Canary tokens are a related concept.
Tokenization
Replacing a sensitive data value with a non-sensitive, randomly generated placeholder (token) that has no mathematical or algorithmic relationship to the original. The mapping between token and original is stored only in a secure token vault. The token can be used in systems and processes that don't need the actual value.
Token Vault
The secure system that stores the mapping between tokens and their original values. The token vault is the single point of trust β€” it is the only place where the original value can be recovered from a token. Protecting the vault is critical; if it is compromised, all tokenized data is exposed.
PCI-DSS Scope Reduction
Using tokenization to keep real payment card numbers out of the merchant's systems entirely. Since the merchant never handles actual card numbers (only tokens), significant portions of their infrastructure fall out of PCI-DSS scope. The payment processor's token vault is in scope; the merchant's retail database is not.
Data Masking
Modifying sensitive data to hide part of it while keeping it recognizable as the same type. Examples: showing only the last four digits of a card number, replacing characters with asterisks, or showing a birth year without the month and day. Used to limit exposure while maintaining enough context for the data to be useful.
Static Data Masking
Creating a persistent copy of a database with sensitive values permanently replaced. The copy contains no real sensitive data and can be safely given to development teams, testers, or vendors. The original database remains unmodified. Common for creating dev/test environments from production data.
Dynamic Data Masking
Applying masking in real-time at the query layer, not in the stored data. Different users see different amounts of information based on their role: a call center agent sees the last four digits; the billing system sees the full number. The underlying data is unmodified; the view of it is role-dependent.
Steganography Detection (Steganalysis)
The analysis of files to detect hidden steganographic content. Tools look for statistical anomalies in image data (patterns inconsistent with normal photography), unusual file size increases, or known steganography algorithm signatures. DLP solutions may include steganalysis capabilities.
Data Loss Prevention (DLP)
Security controls that monitor, detect, and block the transmission of sensitive data outside authorized channels. Steganography can bypass DLP systems that analyze file content for keywords β€” an image embedding confidential text looks like an ordinary image to keyword-based DLP. Advanced DLP includes steganalysis.
Format-Preserving Tokenization
A tokenization variant where the token has the same format as the original value β€” a 16-digit card number tokenizes to a different 16-digit number that passes Luhn check validation. Allows legacy systems to accept tokens without modification, since the token looks like a valid card number.
Pseudonymization
Replacing identifying information with pseudonyms (artificial identifiers) while retaining the data's structure and usefulness. Related to tokenization but typically refers to replacing personal identifiers in datasets for privacy compliance (e.g., GDPR). The link between pseudonym and real identity is stored separately and access-controlled.