Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
36 Cards in this Set
- Front
- Back
|
DAC Discretionary Access Control (DAC) |
Allows owners of data to specify what users can access data used most. Access control is based on discretion of data owners. Most common model. Users themselves can assign access to their own data. |
|
|
Role Based Access Control (RBAC): |
( also called Non-discretionary access control ) Centrally controlled model allows access based on the role the user holds in the organization; often hierarchical. Access is given to a group of users that perform a similar function. Based on the separation of duties. |
|
|
Lattice Based Access Control |
a security access methodology that assigns access permissions to both users and objects, creating a grid or lattice layout. A user cannot access an object with a security level greater that his/her own on the lattice. |
|
|
Crossover Error Rate (CER) |
the point at which the false rejection rate equals the false positive rate (this is repeated under biometrics) |
|
|
The False Rejection Rate (FRR) |
consists of the percentage of cases in which a valid user is incorrectly rejected by the system. This type of mistake is known as a Type I error. |
|
|
False Acceptance Rate (FAR) |
consists of the percentage of cases in which an invalid user is incorrectly accepted by the system. This type of mistake is known as a Type II error. |
|
|
TCO
|
Total Cost of Ownershiph
|
|
|
ROI
|
Return on Investmenthiph
|
|
|
The Annualized Loss Expectancy (ALE) ALE = SLE * ARO |
is the expected monetary loss that can be expected for an asset due to a risk over a one year period |
|
|
Exposure Factor The Exposure Factor (EF) is the percentage of value an asset lost due to an incident |
the percentage of value an asset lost due to an incident |
|
|
Single Loss Expectancy (SLE) |
the cost of a single loss
Asset Value (AV) times the Exposure Factor (EF) |
|
|
Annual Rate of Occurrence |
the number of losses you suffer per year |
|
|
Annualized Loss Expectancy (ALE) |
is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO).
|
|
|
Bell-laPadula |
no write down no read up
|
|
|
The Simple Security Property - |
a subject at a given security level may not read an object at a higher security level (no read-up). |
|
|
The *-property (read "star"-property) - |
a subject at a given security level must not write to any object at a lower security level (no write-down). |
|
|
Biba |
no write up no read down |
|
|
The Simple Integrity Axiom |
a subject at a given level of integrity must not read an object at a lower integrity level (no read down). |
|
|
The * (star) Integrity Axiom |
states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up). |
|
|
Clark-Wilson |
integrity |
|
|
Graham-Denning: |
securely creating objects
|
|
|
SSE-CMM Maturity Model Level 1: Performed Informally |
You have to do it before you manage its: |
|
|
SSE-CMM Maturity Model Level 2: Planned & Tracked |
Understand what is happening on the project before defining organization wide processes |
|
|
SSE-CMM Maturity Model Well Defined |
Use the best of what you have learned from your project to create organization wide processes |
|
|
SSE-CMM Maturity Model Quantitatively Controlled |
You can't measure it until you know what It is you want to measure |
|
|
SSE-CMM Maturity Model Level 5: Continuously Improving |
Foundation of sound management and awareness
|
|
|
Due care |
doing what a reasonable person would do (i.e. the prudent man rule) |
|
|
Due diligence
|
the management of due care.
|
|
|
Gross negligence
|
the opposite of due care.
|
|
|
Best practice
|
a consensus of the best way to do some task.
|
|
|
Certification |
a detailed inspection that verifies whether a system meets the documented security requirements. |
|
|
Accreditation |
the Data Owner’s acceptance of the risk represented by that system |
|
|
PAP Password Authentication Protocol |
It isthe most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted, however the transmissions of the passwords are in clear text, unencrypted. |
|
|
SPAP Shiva Password Authentication Protocol |
username and password are both encrypted when they are sent, unlike PAP which sends them in clear text |
|
|
Extensible Authentication Protocol |
Sits inside PPP and provides generalized framework for many different authentication methods. |
|
|
Challenge-Handshake Authentication Protocol |
After the Link Establishment phase is complete, the authenticator sends a "challenge" message to the peer.The peer responds with a value calculated using a "one-way hash" function.The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3 |
