Access Control Object
A passive entity that typically receives or contains some form of data.
Access Control Subject
An active entity (any user, program, or process) that requests permission to cause data to flow from an access control object to itself or between access control objects.
Asynchronous Password Token
A token that generates a one-time password without using a clock, typically in response to a server challenge, from either a one-time pad or a cryptographic algorithm.
Authorization
Determines whether a user is permitted to access a particular resource.
Connected Tokens
Must be physically connected to the computer to which the user is authenticating.
Contactless Tokens
Form a logical connection to the client computer but do not require a physical connection.
Disconnected Tokens
Have neither a physical nor logical connection to the client computer.
Entitlement
A set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose.
Identity Management
The task of controlling information about users on computers.
Proof of Identity
The process of verifying people's identities before the enterprise issues them accounts and credentials.
Kerberos
A popular network authentication protocol for indirect (third-party) authentication services.
Lightweight Directory Access Protocol (LDAP)
A client/server directory query protocol loosely based on X.500, commonly used to look up and manage user information. LDAP is an access protocol (a front end to the directory); unlike DNS, it does not itself store or synchronize the data it serves.
Single Sign-On (SSO)
Lets a user authenticate once and then access multiple applications or systems without authenticating again, so a single identity is shared across those applications. Kerberos, which provides strong authentication using secret-key cryptography, is one common way to implement it.
Static Password Token
The device contains a password that is physically hidden (not visible to the possessor) but that is transmitted for each authentication.
Synchronous Dynamic Password Token
A timer is used to rotate through various combinations produced by a cryptographic algorithm.
Trust Path
A series of trust relationships that authentication requests must follow between domains.
6to4
Transition mechanism for migrating from IPv4 to IPv6. It allows systems to use IPv6 to communicate if their traffic has to traverse an IPv4 network.
Absolute addresses
Hardware addresses used by the CPU.
Abstraction
The capability to suppress unnecessary details so the important, inherent properties can be examined and reviewed.
Accepted ways for handling risk
Accept, transfer, mitigate, avoid.
Access
The flow of information between a subject and an object.
Access control matrix
A table of subjects and objects indicating what actions individual subjects can take upon individual objects.
Access control model
An access control model is a framework that dictates how subjects access objects.
Access controls
Are security features that control how users and systems communicate and interact with other systems and resources.
Accreditation
Formal acceptance of the adequacy of a system's overall security by management.
Active attack
Attack where the attacker does interact with processing or communication activities.
ActiveX
A Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. It is a framework for defining reusable software components in a programming language-independent manner.
Address bus
Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.
Address resolution protocol (ARP)
A networking protocol used for resolution of network layer IP addresses into link layer MAC addresses.
Address space layout randomization (ASLR)
Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.
Algebraic attack
Cryptanalysis attack that exploits vulnerabilities within the intrinsic algebraic structure of mathematical functions.
Algorithm
Set of mathematical and logic rules used in cryptographic functions.
Analog signals
Continuously varying electromagnetic wave that represents and transmits data.
Analytic attack
Cryptanalysis attack that exploits vulnerabilities within the algorithm structure.
Annualized loss expectancy (ALE)
Annual expected loss if a specific vulnerability is exploited and how it affects a single asset. SLE × ARO = ALE.
Application programming interface (API)
Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs.
Arithmetic logic unit (ALU)
A component of the computer's processing unit in which arithmetic and logic operations are performed.
AS/NZS 4360
Australia and New Zealand business risk management assessment approach.
Assemblers
Tools that convert assembly code into the necessary machine-compatible binary language for processing activities to take place.
Assembly language
A low-level programming language that is the mnemonic representation of machine-level instructions.
Assurance evaluation criteria
Check-list and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.
Asymmetric algorithm
Encryption method that uses two different key types, public and private. Also called public key cryptography.
Asymmetric mode multiprocessing
When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures.
Asynchronous communication
Transmission sequencing technology that uses start and stop bits or similar encoding mechanism. Used in environments that transmit a variable amount of data in a periodic fashion.
Asynchronous token generating method
Employs a challenge/response scheme to authenticate the user: the server sends a fresh challenge and the token computes the response from it, so no clock synchronization is needed.
Attack surface
Components available to be used by an attacker against the product itself.
Attenuation
Gradual loss in intensity of any kind of flux through a medium. As an electrical signal travels down a cable, the signal can degrade and distort or corrupt the data it is carrying.
Attribute
A column in a relational (two-dimensional) database table.
Authentication Header (AH) Protocol
Protocol within the IPSec suite used for integrity and authentication.
Authenticode
A type of code signing, which is the process of digitally signing software components and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was digitally signed. Authenticode is Microsoft's implementation of code signing.
Availability
Reliable and timely access to data and resources is provided to authorized individuals.
Avalanche effect
Algorithm design requirement so that slight changes to the input result in drastic changes to the output.
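To make the avalanche requirement concrete, the following added example (not from the original glossary) flips every input bit of a message one at a time and counts how many output bits change, for SHA-256 and for a deliberately weak XOR checksum. The sample message and the XOR checksum are constructed for illustration; the point is that a single-bit input change flips roughly half of a good hash's output bits but exactly one bit of the checksum's.

```python
import hashlib
from typing import Callable, Dict


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with one bit toggled."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def avalanche_stats(message: bytes, digest: Callable[[bytes], bytes]) -> Dict[str, float]:
    """Flip every input bit in turn and measure how many output bits change.
    Good avalanche behaviour: each single-bit change flips about half the output."""
    base = digest(message)
    dists = [hamming_distance(base, digest(flip_bit(message, i)))
             for i in range(len(message) * 8)]
    return {"output_bits": len(base) * 8, "min": min(dists),
            "max": max(dists), "mean": sum(dists) / len(dists)}


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_checksum(data: bytes) -> bytes:
    """Constructed weak 8-bit XOR checksum with no avalanche: toggling one
    input bit toggles exactly one output bit, which makes forgery trivial."""
    acc = 0
    for byte in data:
        acc ^= byte
    return bytes([acc])


# Constructed sample input, not from the original page.
SAMPLE = b"attack at dawn"

if __name__ == "__main__":
    print("SHA-256:     ", avalanche_stats(SAMPLE, sha256_digest))
    print("XOR checksum:", avalanche_stats(SAMPLE, xor_checksum))
```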
Base registers
Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.
Baseband transmission
Uses the full bandwidth for only one communication channel and has a low data transfer rate compared to broadband.
Bastion host
A highly exposed device that will most likely be targeted for attacks, and thus should be hardened.
Behavior blocking
Allows suspicious code to execute within the operating system while watching its interactions with the operating system, looking for suspicious activity and blocking it when found.
Confidentiality
Data is not disclosed to unauthorized users.
Integrity
Prevents any unauthorized or unwanted modification of data.
Availability
Ensures that IT systems and data are available when needed.
Backups
Copies of data stored in case the original is stolen or becomes corrupt
Redundant disks
Provides fault tolerance by mirroring data on another drive. If the first drive fails, data is not lost since the system can automatically switch over to the other drive.
Redundant servers
Provides fault tolerance by having one or more entire systems available in case the primary one crashes.
Redundant connections
Provides fault tolerance by having redundant Internet connections, so if one fails the organization still has connectivity.
Redundant sites
Hot, cold, or warm sites are planned for business continuity in case of emergency. Hot sites are ready at a moment's notice. Cold sites are empty buildings with just electricity and running water. Warm sites are hybrids.
Hashing
These algorithms provide data integrity only; a hash does not encrypt or conceal the data.
Defense in Depth
A defense that uses multiple types of security devices to protect a network. Also called layered security.
Authentication
Verifies that a user is who they claim to be (identification is the claim; authentication proves it).
Authorization
Defines what the user(s) can access
Accounting
Tracking user(s) activities.
Accountability
The underlying goal of the AAAs of security: the ability to trace actions on a system back to the responsible user, so that users can be held responsible for what they do.
Nonrepudiation
A user cannot deny any particular act that he or she did on the IT system.
Least Privilege
Providing only the minimum amount of privileges necessary to perform a job or function.
Separation of Duties
Distributing tasks and associated privileges among multiple people; the primary objective is to prevent fraud and errors.
Due Diligence
Necessary level of care and attention that is taken to investigate an action before it is taken. (Look before jumping)
Due Care
The requirement that a professional exercise reasonable ability and judgement in a specific circumstance, the absence of which constitutes negligence. Also called standard of care.
Three Factors of Authentication
Something you know, something you have, and something you are.
False Reject Rate
The percentage or value associated with the rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device.
False Accept Rate
The percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device.
Crossover Error Rate
The crossover error rate, also called the equal error rate, is the point at which the false accept rate equals the false reject rate (the number of false positives matches the number of false negatives) in a biometric system. Select the system with the lowest crossover error rate within your budget.
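The FRR, FAR, and crossover error rate entries above describe how a biometric system's acceptance threshold trades one error against the other. The following added example (not from the original page) computes FAR and FRR for a given threshold, sweeps the threshold to find the crossover point, and compares two constructed systems; the match scores are invented for illustration and are not real biometric data.

```python
from typing import List, Tuple


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Accept a sample when its match score >= threshold.
    FAR: fraction of impostor attempts accepted (false positives).
    FRR: fraction of genuine attempts rejected (false negatives)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[float], impostor: List[float]):
    """Sweep the threshold over every observed score and return
    (threshold, far, frr, cer) at the point where FAR and FRR are closest.
    With discrete samples the curves rarely cross exactly, so the CER is
    reported as the average of FAR and FRR at that threshold."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr, (far + frr) / 2


# Constructed match scores (0..1, higher = better match), not real biometric data.
SYSTEM_A = {
    "genuine": [0.91, 0.88, 0.95, 0.72, 0.83, 0.60, 0.97, 0.79, 0.86, 0.93],
    "impostor": [0.35, 0.52, 0.41, 0.67, 0.29, 0.74, 0.48, 0.33, 0.58, 0.44],
}
SYSTEM_B = {  # more overlap between genuine and impostor populations
    "genuine": [0.70, 0.55, 0.80, 0.62, 0.90, 0.48, 0.75, 0.66, 0.85, 0.58],
    "impostor": [0.40, 0.60, 0.52, 0.71, 0.45, 0.65, 0.35, 0.57, 0.68, 0.50],
}

if __name__ == "__main__":
    for name, scores in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, far, frr, cer = crossover_error_rate(scores["genuine"], scores["impostor"])
        print(f"System {name}: threshold={t:.2f} FAR={far:.2f} FRR={frr:.2f} CER={cer:.2f}")
```

Raising the threshold above the crossover lowers FAR at the cost of FRR, which is the right trade for a data-center door; lowering it favors convenience. The CER is useful precisely because it lets two systems be compared without first agreeing on that trade.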
Multifactor Authentication
A form of authentication where a user must use two or more factors to prove his or her identity.
Single Sign-on Authentication
Authenticate once to access multiple resources
Centralized Authentication
Credentials for the users are stored on a central server. Any user is able to log on to the network once and then access any computer in the network (as long as the user has permissions). For example, if a computer is part of a Microsoft domain, the central server will be a domain controller and hold accounts for all users in the domain.
Decentralized Authentication
Every computer has a separate database that stores credentials. If a user needed to log on to four computers, he or she would need four separate sets of credentials, one for each system.
Offline Authentication
Allows users who have logged in to the system at one time to still log in even when they are disconnected from a network. In a Windows environment, the system uses cached credentials. (A user will not be able to access network resources while using cached credentials. The user can only access resources on the local system using these offline credentials)
One-Time Passwords
Passwords created to be used only once. Because a one-time password is valid for a single use, an attacker who captures it while it is transmitted cannot replay it.
Subject
Accesses a resource (ex: users, computers, applications, networks)
Object
The resource being accessed (ex: data, hardware, applications, networks, facilities)
Logical Access Control
A mechanism that limits access to computer systems and network resources.
Access Control Lists
Lists that identify which users, systems, protocols, or services are allowed (or denied) access to a resource.
Security Kernel
Consists of several components, including software, firmware, and hardware, that together represent all the security functionality of the operating system.
Physical Access Control
A mechanism that limits access to physical resources, such as buildings or rooms (ex: lock doors, alarm systems, cipher locks, CCTVs, guards)
Access Control Models
Regulate the admission of users into trusted areas of the organization: both logical access to information systems and physical access to the organization's facilities.
Discretionary Access Control (DAC)
The least restrictive access control. Is an access policy determined by the owner of a file (or other resource). The owner decides who's allowed access to a file and what privileges they have.
Non-Discretionary Access Control (Non-DAC)
Access rules are centrally managed by the security administrator rather than by resource owners. Offers stronger security than DAC because it does not rely only on users' compliance.
Mandatory Access Control (MAC)
The most restrictive access control. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object's sensitivity label. If the clearance is sufficient for the label (it dominates the label rather than merely matching it), the user can access the object; otherwise access is denied.
Bell-LaPadula Model
Security model that deals only with confidentiality. Two rules: the simple security property and the * (star) property.
Simple Security Property Rule
No read up. No subject can read information from an object with a security classification higher than that possessed by the subject itself.
The * Property (Star-property) Rule
No write down. Subjects granted access to any security level may not write to any object at a lower security level.
Biba Model
Security model that deals only with integrity.
Simple Integrity Axiom
No read down. Subjects may not read an object at a lower integrity level than their own.
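The MAC, Bell-LaPadula, and Biba entries above all reduce to comparing a subject's level against an object's label on a lattice. The Python below is an added example, not code from the original glossary: it implements the no-read-up and no-write-down checks of Bell-LaPadula, the no-read-down simple integrity axiom of Biba, and (going one step beyond the page, which ends at that axiom) Biba's standard counterpart, the * integrity axiom, no write up. The label names, the separate confidentiality and integrity lattices, and the subjects and objects are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict

# Two separate lattices: one for confidentiality (Bell-LaPadula), one for
# integrity (Biba). Label names are constructed for this example.
CONFIDENTIALITY: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                                   "SECRET": 2, "TOP_SECRET": 3}
INTEGRITY: Dict[str, int] = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str      # confidentiality clearance
    integrity: str      # integrity level


@dataclass(frozen=True)
class Object:
    name: str
    classification: str  # sensitivity label
    integrity: str


def dominates(lattice: Dict[str, int], a: str, b: str) -> bool:
    """a dominates b when a's level is at least as high as b's. MAC compares
    clearance and label by dominance, not by equality."""
    return lattice[a] >= lattice[b]


def blp_allows(s: Subject, o: Object, action: str) -> bool:
    """Bell-LaPadula (confidentiality only).
    read : simple security property, no read up   (clearance >= label)
    write: * property, no write down               (label >= clearance)"""
    if action == "read":
        return dominates(CONFIDENTIALITY, s.clearance, o.classification)
    if action == "write":
        return dominates(CONFIDENTIALITY, o.classification, s.clearance)
    raise ValueError(f"unknown action {action!r}")


def biba_allows(s: Subject, o: Object, action: str) -> bool:
    """Biba (integrity only).
    read : simple integrity axiom, no read down   (object integrity >= subject)
    write: * integrity axiom, no write up          (subject integrity >= object)"""
    if action == "read":
        return dominates(INTEGRITY, o.integrity, s.integrity)
    if action == "write":
        return dominates(INTEGRITY, s.integrity, o.integrity)
    raise ValueError(f"unknown action {action!r}")


def mac_decision(s: Subject, o: Object, action: str) -> bool:
    """Reference-monitor style mandatory check: access is granted only if both
    lattices permit it; the subject has no discretion to override the result."""
    return blp_allows(s, o, action) and biba_allows(s, o, action)


# Constructed subjects and objects for the demo.
ALICE = Subject("alice", clearance="SECRET", integrity="HIGH")
TS_PLAN = Object("ts-plan", classification="TOP_SECRET", integrity="HIGH")
SECRET_REPORT = Object("secret-report", classification="SECRET", integrity="HIGH")
CONF_MEMO = Object("conf-memo", classification="CONFIDENTIAL", integrity="HIGH")
UNTRUSTED_UPLOAD = Object("upload", classification="SECRET", integrity="LOW")

if __name__ == "__main__":
    for obj in (TS_PLAN, SECRET_REPORT, CONF_MEMO, UNTRUSTED_UPLOAD):
        for action in ("read", "write"):
            print(f"{ALICE.name} {action:5} {obj.name:14} -> {mac_decision(ALICE, obj, action)}")
```

Note the asymmetry the two models produce: BLP lets a SECRET subject write into a TOP_SECRET object (writing up leaks nothing), while Biba forbids a HIGH-integrity subject from reading LOW-integrity input, which is exactly the rule a trusted service violates when it consumes untrusted data without validation.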