Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
103 Cards in this Set
- Front
- Back
|
Access
|
A subject’s ability to view, modify, or communicate with an object. Access enables the flow of information between the subject and the object.
|
|
|
Access Control
|
Mechanisms, controls, and methods of limiting access to resources to authorized subjects only.
|
|
|
Access Control List (ACL)
|
A list of subjects that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete, and create.
|
|
|
Access Control Mechanism
|
Administrative, physical, or technical control that is designed to detect and prevent unauthorized access to a resource or environment.
|
|
|
Accountability
|
A security principle indicating that individuals must be identifiable and must be held responsible for their actions.
|
|
|
Accredited
|
A computer system or network that has received official authorization and approval to process sensitive data in a specific operational environment. There must be a security evaluation of the system’s hardware, software, configurations, and controls by technical personnel.
|
|
|
Add-On Security
|
Security protection mechanisms that are hardware or software retrofitted to a system to increase that system’s protection level.
|
|
|
Administrative Controls
|
Security mechanisms that are management’s responsibility
and referred to as “soft” controls. These controls include the development and publication of policies, standards, procedures, and guidelines, the screening of personnel, security awareness training, the monitoring of system activity, and change control procedures. |
|
|
CIA Triad
|
The three security principles: availability, integrity, and confidentiality.
|
|
|
Annualized Loss Expectancy (ALE)
|
A dollar amount that estimates the loss potential from a risk in a span of a year.
single loss expectancy (SLE) × annualized rate of occurrence (ARO) = ALE |
|
|
Annualized Rate of Occurrence (ARO)
|
The value that represents the estimated possibility of a specific threat taking place within a one-year timeframe.
|
|
|
Assurance
|
A measurement of confidence in the level of protection that a specific security control delivers and the degree to which it enforces the security policy.
|
|
|
Attack
|
An attempt to bypass security controls in a system with the mission of using that system or compromising it. An attack is usually accomplished by exploiting a current vulnerability.
|
|
|
Audit Trail
|
A chronological set of logs and records used to provide evidence of a system’s performance or activity that took place on the system. These logs and records
can be used to attempt to reconstruct past events and track the activities that took place and possibly detect and identify intruders. |
|
|
Autehnticate
|
To verify the identity of a subject requesting the use of a system and/or access to network resources. The steps to giving a subject access to an object should be identification, authentication, and authorization.
|
|
|
Authorization
|
Granting access to an object after the subject has been properly identified and authenticated.
|
|
|
Automated Information System (AIS)
|
A computer system that is used to process and transmit data. It is a collection of hardware, software, and firmware that works together to accept, compute, communicate, store, process, transmit, and control dataprocessing functions.
|
|
|
Availability
|
The reliability and accessibility of data and resources to authorized individuals in a timely manner.
|
|
|
Back Up
|
Copy and move data to a medium so that it may be restored if the original data is corrupted or destroyed. A full backup copies all the data from the system to the backup medium. An incremental backup copies only the files that have been modified since the previous backup. A differential backup backs up all files since the last full backup.
|
|
|
Backdoor
|
An undocumented way of gaining access to a computer system. After a system is compromised, an attacker may load a program that listens on a port (backdoor) so that the attacker can enter the system at any time. A backdoor is also referred to as a trapdoor.
|
|
|
Baseline
|
The minimum level of security necessary to support and enforce a security policy.
|
|
|
Bell-LaPadula Model
|
The model uses a formal state transition model that describes its access controls and how they should perform. When the system must transition from one state to another, the security of the system should never be lowered or compromised. See also multilevel security, simple security property, and star property (*-property).
|
|
|
Biba Model
|
A formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
|
|
|
Biometrics
|
When used within computer security, used to identify individuals by physiological characteristics, such as a fingerprint, hand geometry, or pattern in the iris.
|
|
|
Browsing
|
Searching through storage media looking for specific information without necessarily knowing what format the information is in. A browsing attack is one in which the attacker looks around a computer system either to see what looks interesting or to find specific information.
|
|
|
Brute Force Attack
|
An attack that continually tries different inputs to achieve a predefined goal, which can be used to obtain credentials for unauthorized access.
|
|
|
Callback
|
A procedure for identifying a system that accessed an environment remotely. In a callback, the host system disconnects the caller and then dials the authorized telephone number of the remote terminal in order to reestablish the connection. Synonymous with dialback.
|
|
|
Capability
|
A capability outlines the objects a subject can access and the operations the subject can carry out on the different objects. It indicates the access rights for a specific subject; many times, the capability is in the form of a ticket.
|
|
|
Certification
|
The technical evaluation of the security components and their compliance for the purpose of accreditation. A certification process can use safeguard evaluation, risk analysis, verification, testing, and auditing techniques to assess the appropriateness of a specific system processing a certain level of information within a particular environment. The certification is the testing of the security component or system, and the accreditation is the approval from management of the security component or system.
|
|
|
Challenge-Response Method
|
A method used to verify the identity of a subject by sending the subject an unpredictable or random value. If the subject responds with the expected value in return, the subject is authenticated.
|
|
|
Ciphertext
|
Data that has been encrypted and is unreadable until it has been converted into plaintext.
|
|
|
Clark-Wilson Model
|
An integrity model that addresses all three integrity goals: prevent unauthorized users from making modifications, prevent authorized users from making improper modifications, and maintain internal and external consistency through auditing.
|
|
|
Classification
|
A systematic arrangement of objects into groups or categories according to a set of established criteria. Data and resources can be assigned a level of sensitivity as they are being created, amended, enhanced, stored, or transmitted. The classification level then determines the extent to which the resource needs to be controlled and secured, and is indicative of its value in terms of information assets.
|
|
|
Cleartext
|
In data communications, cleartext is the form of a message or data which is transferred or stored without cryptographic protection.
|
|
|
Collusion
|
Two or more people working together to carry out a fraudulent activity. More than one person would need to work together to cause some type of destruction or fraud; this drastically reduces its probability.
|
|
|
Communications Security
|
Controls in place to protect information as it is being transmitted, especially by telecommunications mechanisms.
|
|
|
Compartment
|
A class of information that has need-to-know access controls beyond those normally provided for access to confidential, secret, or top-secret information. A compartment is the same thing as a category within a security label. Just because a subject has the proper classification, that does not mean it has a need to know. The category, or compartment, of the security label enforces the subject’s need to know.
|
|
|
Compartmented Mode Workstation (CMW)
|
A workstation that contains the necessary controls to be able to operate as a trusted computer. The system is trusted to keep data from different classification levels and categories in separate compartments and properly protected.
|
|
|
Compensating Controls
|
Controls that are alternative procedures designed to reduce the risk. They are used to “counterbalance” the effects of an internal control weakness.
|
|
|
Compromise
|
A violation of the security policy of a system or an organization such that unauthorized disclosure or modification of sensitive information occurs.
|
|
|
Computer Fraud
|
Computer-related crimes involving deliberate misrepresentation, modification, or disclosure of data in order to compromise a system or obtain something of value.
|
|
|
Confidentiality
|
A security principle that works to ensure that information is not disclosed to unauthorized subjects.
|
|
|
Configuration Management
|
The identification, control, accounting, and documentation of all changes that take place to system hardware, software, firmware, supporting documentation, and test results throughout the lifespan of the system.
|
|
|
Confinement
|
Controlling information in a manner that prevents sensitive data from being leaked from a program to another program, subject, or object in an unauthorized manner.
|
|
|
Contingency Plan
|
A plan put in place before any potential emergencies, with the mission of dealing with possible future emergencies. It pertains to training personnel, performing backups, preparing critical facilities, and recovering from an emergency or disaster so that business operations can continue.
|
|
|
Control Zone
|
The space within a facility that is used to protect sensitive processing equipment. Controls are in place to protect equipment from physical or technical unauthorized entry or compromise. The zone can also be used to prevent electrical waves carrying sensitive data from leaving the area.
|
|
|
Cost/Benefit Analysis
|
An assessment that is performed to ensure that the cost of a safeguard does not outweigh the benefit of the safeguard. Spending more to protect an asset than the asset is actually worth does not make good business sense. All possible safeguards must be evaluated to ensure that the most security-effective and cost-effective choice is made.
|
|
|
Countermeasure
|
A control, method, technique, or procedure that is put into place to prevent a threat agent from exploiting a vulnerability. A countermeasure is put into place to mitigate risk. Also called a safeguard or control.
|
|
|
Covert Channel
|
A communications path that enables a process to transmit information in a way that violates the system’s security policy.
|
|
|
Covert Storage Channel
|
A covert channel that involves writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a resource (for example, sectors on a disk) that is shared by two subjects at different security levels.
|
|
|
Covert Timing Channel
|
A covert channel in which one process modulates its system resource (for example, CPU cycles), which is interpreted by a second process as some type of communication.
|
|
|
Cryptanalysis
|
The practice of breaking cryptosystems and algorithms used in encryption and decryption processes.
|
|
|
Cryptography
|
The science of secret writing that enables storage and transmission of data in a form that is available only to the intended individuals.
|
|
|
Cryptology
|
The study of cryptography and cryptanalysis.
|
|
|
Cryptosystem
|
The hardware or software implementation of cryptography.
|
|
|
Data Classification
|
Assignments to data that indicate the level of availability, integrity, and confidentiality that is required for each type of information.
|
|
|
Data Custodian
|
An individual who is responsible for the maintenance and protection of the data. This role is usually filled by the IT department (usually the network administrator). The duties include performing regular backups of the data, implementing security mechanisms, periodically validating the integrity of the data, restoring data from backup media, and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.
|
|
|
Data Encryption Standard (DES)
|
Symmetric key encryption algorithm that was adopted by the government as a federal standard for protecting sensitive unclassified information. DES was later replaced with Advanced Encryption Standard (AES).
|
|
|
Data Remanence
|
A measure of the magnetic flux density remaining after removal of the applied magnetic force, which is used to erase data. Refers to any data remaining on magnetic storage media.
|
|
|
Database Shadowing
|
A mirroring technology used in databases, in which information is written to at least two hard drives for the purpose of redundancy.
|
|
|
Declassification
|
An administrative decision or procedure to remove or reduce the security classification information.
|
|
|
Dedicated Security Mode
|
The mode in which a system operates if all users have the clearance or authorization to access, and the need to know about, all data processed within the system. All users have been given formal access approval for all information on the system and have signed nondisclosure agreements pertaining to this information.
|
|
|
Degauss
|
Process that demagnetizes magnetic media so that a very low residue of magnetic induction is left on the media. Used to effectively erase data from media.
|
|
|
Delphi Technique
|
A group decision method used to ensure that each member of a group gives an honest and anonymous opinion pertaining to the company’s risks.
|
|
|
Denial of Service (DoS)
|
Any action, or series of actions, that prevents a system, or its resources, from functioning in accordance with its intended purpose.
|
|
|
Dial-Up
|
The service whereby a computer terminal can use telephone lines, usually via a modem, to initiate and continue communication with another computer system.
|
|
|
Dictionary Attack
|
A form of attack in which an attacker uses a large set of likely combinations to guess a secret, usually a password.
|
|
|
Digital Signature
|
An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
|
|
|
Disaster Recovery Plan
|
A plan developed to help a company recover from a disaster. It provides procedures for emergency response, extended backup operations, and post-disaster recovery when an organization suffers a loss of computer processing capability or resources and physical facilities.
|
|
|
Discretionary Access Control (DAC)
|
An access control model and policy that restricts access to objects based on the identity of the subjects and the groups to which those subjects belong. The data owner has the discretion of allowing or denying others access to the resources it owns.
|
|
|
Domain
|
The set of objects that a subject is allowed to access. Within this domain, all subjects and objects share a common security policy, procedures, and rules, and they are managed by the same management system.
|
|
|
Due Care
|
Steps taken to show that a company has taken responsibility for the activities that occur within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.
|
|
|
Due Diligence
|
The process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.
|
|
|
Electronic Vaulting
|
The transfer of backup data to an offsite location. This process is primarily a batch process of transmitting data through communications lines to a server at an alternate location.
|
|
|
Emanations
|
Electrical and electromagnetic signals emitted from electrical equipment that can transmit through the airwaves. These signals carry information that can be captured and deciphered, which can cause a security breach. These are also called emissions.
|
|
|
Encryption
|
The transformation of plaintext into unreadable ciphertext.
|
|
|
End-to-End Encryption
|
A technology that encrypts the data payload of a packet.
|
|
|
Evaluated Products List (EPL)
|
A list of products that have been evaluated and assigned an assurance rating. The products could be evaluated using several different criterion: TCSEC, ITSEC, or Common Criteria.
|
|
|
Exposure
|
An instance of being exposed to losses from a threat. A weakness or vulnerability can cause an organization to be exposed to possible damages.
|
|
|
Exposure Factor
|
The percentage of loss a realized threat could have on a certain asset.
|
|
|
Failover
|
A backup operation that automatically switches to a standby system if the primary system fails or is taken offline. It is an important fault-tolerant function that provides system availability.
|
|
|
Fail-Safe
|
A functionality that ensures that when software or a system fails for any reason, it does not end up in a vulnerable state. After a failure, software might default to no access instead of allowing full control, which would be an example of a fail-safe measure.
|
|
|
Firmware
|
Software instructions that have been written into read-only memory (ROM) or a programmable ROM (PROM) chip.
|
|
|
Formal Security Policy Model
|
A mathematical statement of a security policy. When an operating system is created, it can be built upon a predeveloped model that lays out how all activities will take place in each and every situation. This model can be expressed mathematically, which is then translated into a programming language.
|
|
|
Formal Verification
|
Validating and testing of highly trusted systems. The tests are designed to show design verification, consistency between the formal specifications and the formal security policy model, implementation verification, consistency between the formal specifications, and the actual implementation of the product.
|
|
|
Gateway
|
A system or device that connects two unlike environments or systems. The gateway is usually required to translate between different types of applications or protocols.
|
|
|
Guidelines
|
Recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.
|
|
|
Handshaking Procedure
|
A dialog between two entities for the purpose of identifying and authenticating the entities to one another. The dialog can take place between two computers or two applications residing on different computers. It is an activity that usually takes place within a protocol.
|
|
|
Honeypot
|
A computer set up as a sacrificial lamb on the network in the hope that attackers will attack this system instead of actual production systems.
|
|
|
Identification
|
A subject provides some type of data to an authentication service. Identification is the first step in the authentication process.
|
|
|
Information Owner
|
The person who has final corporate responsibility of data protection and would be the one held liable for any negligence when it comes to protecting the company’s information assets. The person who holds this role—usually a senior executive within the management group of the company—is responsible for assigning a classification to the information and dictating how the information should be protected.
|
|
|
Integrity
|
A security principle that makes sure that information and systems are not modified maliciously or accidentally.
|
|
|
Intrusion Detection System (IDS)
|
Software employed to monitor and detect possible attacks and behaviors that vary from the normal and expected activity. The IDS can be network based, which monitors network traffic, or host based, which monitors activities of a specific system and protects system files and control mechanisms.
|
|
|
Isolation
|
The containment of processes in a system in such a way that they are separated from one another to ensure integrity and confidentiality.
|
|
|
Kernel
|
The core of an operating system, a kernel manages the machine’s hardware resources (including the processor and the memory), and provides and controls the way any other software component accesses these resources.
|
|
|
Key
|
A discreet data set that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption. Keys are also used in other cryptographic algorithms, such as digital signature schemes and keyed-hash functions (also known as HMACs), which are often used for authentication and integrity.
|
|
|
Keystroke Monitoring
|
A type of auditing that can review or record keystrokes entered by a user during an active session.
|
|
|
Lattice-Based Access Control Model
|
A mathematical model that allows a system to easily represent the different security levels and control access attempts based on those levels. Every pair of elements has a highest lower bound and a lowest upper bound of access rights. The classes stemmed from military designations.
|
|
|
Least Privilege
|
The security principle that requires each subject to be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.
|
|
|
Life-Cycle Assurance
|
Confidence that a trusted system is designed, developed, and maintained with formal designs and controls. This includes design specification and verification, implementation, testing, configuration management, and distribution.
|
|
|
Link Encryption
|
A type of encryption technology that encrypts packets’ headers, trailers, and the data payload. Each network communications node, or hop, must decrypt the packets to read its address and routing information and then re-encrypt the packets. This is different from end-to-end encryption.
|
|
|
Logic Bomb
|
A malicious program that is triggered by a specific event or condition.
|
|
|
Loss Potential
|
The potential losses that can be accrued if a threat agent actually exploits a vulnerability.
|
