CSSLP - trevor_k34
296 Terms

1
*-property
This aspect of the Bell-LaPadula security model is commonly referred to as the "no-write-down" rule because it doesn't allow a user to write to a file with a lower security classification, thus preserving confidentiality.
2
Triple DES encryption (3DES)
Encryption that applies the DES algorithm in three rounds to improve security over a single pass.
3
802.11
A family of standards that describe network protocols for wireless devices.
4
802.1X
An IEEE standard for performing authentication over networks.
5
abuse case
A use case that describes how a normal work process could be abused, built around that work process.
6
acceptance testing
The formal analysis that is done to determine whether a system or software product satisfies its acceptance criteria.
7
acceptable use policy (AUP)
A policy that communicates to users what specific uses of computer resources are permitted.
8
access
A subject's ability to perform specific operations on an object, such as a file. Typical levels include read, write, execute, and delete.
9
access control
Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files).
10
access control list (ACL)
A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).
11
Active Directory
The directory service portion of the Windows operating system that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate, access, and manage these resources.
12
ActiveX
A Microsoft technology that facilitates rich Internet applications and, therefore, extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a webpage that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.
13
Address Resolution Protocol (ARP)
A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address.
14
adware
Advertising-supported software that automatically plays, displays, or downloads advertisements after the software is installed or while the application is being used.
15
algorithm
A step-by-step procedure—typically an established computation for solving a problem within a set number of steps.
16
alpha testing
This is a form of end-to-end testing done prior to product delivery to determine operational and functional issues.
17
annualized loss expectancy (ALE)
How much an event is expected to cost the business per year, given the dollar cost of the loss and how often it is likely to occur. ALE = single loss expectancy × annualized rate of occurrence.
18
annualized rate of occurrence (ARO)
The frequency with which an event is expected to occur on an annualized basis.
19
anomaly
Something that does not fit into an expected pattern.
20
application
A program or group of programs designed to provide specific user functions, such as a word processor or web server.
21
ARP
See Address Resolution Protocol.
22
asset
Resources and information an organization needs to conduct its business.
23
asymmetric encryption
Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key.
24
attack
An action taken against a vulnerability to exploit a system.
25
Attack Surface Analyzer
A product from Microsoft designed to enumerate the elements of a system that are subject to attack.
26
attack surface evaluation
An examination of the elements of a system that are subject to attack and mitigations that can be applied.
27
attack surface measurement
A measurement of the relative number of attack points in the system throughout the development process.
28
attack surface minimization
The processes used to minimize the number of attackable elements in a system.
29
attack tree
A graphical method of examining the required elements to successfully prosecute an attack.
30
audit trail
A set of records or events, generally organized chronologically, that record what activity has occurred on a system. These records (often computer files) are often used in an attempt to re-create what took place when a security incident occurred, and they can also be used to detect possible intruders.
31
auditing
Actions or processes used to verify the assigned privileges and rights of a user, or any capabilities used to create and maintain a record showing who accessed a particular system and what actions they performed.
32
authentication
The process by which a subject's (such as a user's) identity is verified.
33
authentication, authorization, and accounting (AAA)
Three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.
34
Authentication Header (AH)
A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402.
35
availability
Part of the "CIA" of security. Availability applies to hardware, software, and data, specifically meaning that each of these should be present and accessible when the subject (the user) wants to access or use them.
36
backdoor
A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
37
backup
Refers to copying and storing data in a secondary location, separate from the original, to preserve the data in the event that the original is lost, corrupted, or destroyed.
38
baseline
A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.
39
baseline management
The process of managing change in a system with relationship to the baseline configuration.
40
Bell-LaPadula security model
A computer security model built around the property of confidentiality and characterized by no-read-up and no-write-down rules.
41
beta testing
A form of end-to-end testing performed prior to releasing a production version of a system.
42
Biba security model
An information security model built around the property of integrity and characterized by no-write-up and no-read-down rules.
43
biometrics
Used to verify an individual's identity to the system or network using something unique about the individual for the verification process. Examples include fingerprints, retinal scans, hand and facial geometry, and voice analysis.
44
BIOS
The part of the operating system that links specific hardware devices to the operating system software.
45
black box
A form of testing where the testers have zero knowledge of the inner workings of a system.
46
bootstrapping
A self-sustaining process that continues through its course without external stimuli.
47
botnet
A term for a collection of software robots, or bots, that run autonomously and automatically, and commonly invisibly, in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.
48
buffer overflow
A specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.
49
bug bar
The definition of severity thresholds for bugs that determines which ones must be fixed prior to release to production.
50
business continuity planning (BCP)
The plans a business develops to continue critical operations in the event of a major disruption.
51
cache
The temporary storage of information before use, typically used to speed up systems. In an Internet context, refers to the storage of commonly accessed webpages, graphics files, and other content locally on a user's PC or a web server. The cache helps to minimize download time and preserve bandwidth for frequently accessed websites, and it helps reduce the load on a web server.
52
canonical form
The simplest form of an expression, one that all variants are resolved to prior to evaluation.
53
capability maturity model (CMM)
A structured methodology that helps organizations improve the maturity of their software processes by providing an evolutionary path from ad hoc processes to disciplined software management processes. Developed at Carnegie Mellon University's Software Engineering Institute.
54
centralized management
A type of privilege management that brings the authority and responsibility for managing and maintaining rights and privileges into a single group, location, or area.
55
certificate
A cryptographically signed object that contains an identity and a public key associated with this identity. The certificate can be used to establish identity, analogous to a notarized written document.
56
certificate revocation list (CRL)
A digitally signed object that lists all of the current but revoked certificates issued by a given certification authority. This allows users to verify whether a certificate is currently valid even if it has not expired. CRL is analogous to a list of stolen charge card numbers that allows stores to reject bad credit cards.
57
certification authority (CA)
An entity responsible for issuing and revoking certificates. CAs are typically not associated with the company requiring the certificate, although they exist for internal company use as well (such as Microsoft). This term is also applied to server software that provides these services. The term certificate authority is used interchangeably with certification authority.
58
chain of custody
Rules for documenting, handling, and safeguarding evidence to ensure no unanticipated changes are made to the evidence.
59
Challenge Handshake Authentication Protocol (CHAP)
Used to provide authentication across point-to-point links using the Point-to-Point Protocol (PPP).
60
change management
A standard methodology for performing and recording changes during software development and operation.
61
change control board (CCB)
A body that oversees the change management process and enables management to oversee and coordinate projects.
62
CIA of security
Refers to confidentiality, integrity, and authorization, the basic functions of any security system.
63
client server
A model in which a client machine is employed for users, with servers providing resources for computing.
64
CLR
Microsoft's Common Language Runtime—an interpreter for .NET languages on a system.
65
cloud computing
The automatic provisioning of computational resources on demand.
66
code signing
The application of digital signature technology to software to determine integrity and authenticity.
67
command injection
An attack against an input validation failure designed to force a malicious command to be processed on the system.
68
commercial off the shelf (COTS)
A software system designed for commercial use.
69
compensating controls
Security controls used when a direct control cannot be applied to a requirement.
70
complete mediation
The process of ensuring a system consistently applies the required checks on every applicable occurrence.
71
confidentiality
Part of the CIA of security. Refers to the security principle that states that information should not be disclosed to unauthorized individuals.
72
configuration auditing
The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements.
73
configuration control
The process of controlling changes to items that have been baselined.
74
configuration identification
The process of identifying which assets need to be managed and controlled.
75
configuration item
Data and software (or other assets) that are identified and managed as part of the software change management process. Also known as computer software configuration item.
76
configuration management
The set of processes employed to create baseline configurations in an environment and to manage configurations so that they comply with those baselines.
77
configuration management database (CMDB)
A database that contains the information used in the process of managing change in a system.
78
configuration management system (CMS)
The system used in the process of managing change in a software system.
79
configuration status accounting
Procedures for tracking and maintaining data relative to each configuration item in the baseline.
80
constrained data item
The data element in the Clark-Wilson integrity model that is under integrity control.
81
control
A measure taken to detect, prevent, or mitigate the risk associated with a threat.
82
cookie
Information stored on a user's computer by a web server to maintain the state of the connection to the web server. Used primarily so preferences or previously used information can be recalled on future requests to the server.
83
countermeasure
See control.
84
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
An enhanced data cryptographic encapsulation mechanism based upon the counter mode, with CBC-MAC from AES designed for use over wireless LANs.
85
cracking
A term used by some to refer to malicious hacking, in which an individual attempts to gain unauthorized access to computer systems or networks. See also hacking.
86
CRC
See cyclic redundancy check.
87
CRL
See certificate revocation list.
88
cross-site request forgery (CSRF or XSRF)
A method of attacking a system by sending malicious input to the system and relying upon the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user's browser.
89
cross-site scripting (XSS)
A method of attacking a system by sending script commands to the system input and relying upon the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site.
90
cryptanalysis
The process of attempting to break a cryptographic system.
91
cryptography
The art of secret writing that enables an individual to hide the contents of a message or file from all but the intended recipient.
92
cryptographic agility
The ability for applications to change which cryptographic algorithms or implementations they use without having to make changes to the source code.
93
cryptographic validation
The validation of cryptographic functions to meet specific requirements.
94
cyclic redundancy check (CRC)
An error detection technique that uses a series of two 8-bit block check characters to represent an entire block of data. These block check characters are incorporated into the transmission frame and then checked at the receiving end.
95
common vulnerability enumeration (CVE)
An enumeration of common vulnerability patterns in software.
96
common weakness enumeration (CWE)
An enumeration of common weakness patterns in software that lead to vulnerabilities.
97
CVE
See common vulnerability enumeration.
98
CWE
See common weakness enumeration.
99
DAC
See discretionary access control.
100
data classification
The labeling of data elements with security, confidentiality, and integrity requirements.