Term
Definition
infrastructures such as water, electricity, oil and gas refineries and distribution, banking and finance, and telecommunications; loss would have severe repercussions on the nation

Term
Definition
highly technical individuals; have the ability to write scripts that exploit vulnerabilities and are also capable of discovering new vulnerabilities

Term
Definition
act of deliberately accessing computer systems and networks without authorization

Term
Definition
a hacker who uses his/her skill for political purposes

Term
highly structured threat:
Definition
threat that is backed by the time and resources to allow virtually any form of attack

Term
Definition
use of information security techniques, both offensive and defensive, when combating an opponent

Term
Definition
the use of a series of ICMP ping messages to map out a network

Term
Definition
examination of TCP and UDP ports to determine which are open and what services are running

Term
Definition
hackers with little true technical skill who therefore only use scripts that someone else has developed

Term
Definition
threat that has reasonable financial backing and can last for a few days or more; organizational elements allow for greater time to penetrate and attack a system

Term
Definition
generally conducted over short periods, do not involve large numbers of individuals, have little financial backing; usually accomplished by insiders or outsiders not seeking collusion with others

Term
Definition
the ability to control whether a subject (individual or process running on a computer system) can interact with an object (file or hardware device); term used to describe a variety of protection schemes; sometimes refers to all security features used to prevent unauthorized access; controls what operations a user can perform

Term
Definition
process by which a subject's identity is verified; ensures that an individual is who they claim to be

Term
Definition
part of the "CIA" of security; applies to the resources being present and accessible when the subject (user) wants to access or use them

Term
Bell-LaPadula security model:
Definition
security model built around the property of confidentiality; characterized by no-read-up and no-write-down rules

Term
Definition
security model built around the property of integrity; characterized by no-write-up and no-read-down rules

Term
Definition
part of the "CIA" of security; information should not be disclosed to unauthorized

Term
Definition
all actions are prohibited unless specifically authorized

Term
Definition
part of the "CIA" of security; information is not modified except by authorized individuals

Term
Definition
ability to verify that an operation has been performed by a particular person or account; system property that prevents parties to a transaction from subsequently denying involvement in the transaction; deals with the ability to verify that a message has been sent and received, and that the sender can be identified and verified; tied to asymmetric cryptography

Term
security through obscurity:
Definition
uses the approach of protecting something by hiding it

Term
Definition
ensures that for any given task, more than one individual needs to be involved

Term
Definition
process of convincing an authorized individual to provide confidential information or access to an unauthorized individual

Term
Quantitative risk assessment
Definition
Deals only with strict dollar amounts.

Term
Qualitative risk assessment
Definition
Takes into account tangible and intangible value.

Term
Risk Assessment and Mitigation
Definition
Deals with identifying, assessing and reducing the risk of security breaches against company assets.

Term
Definition
Annual Loss Expectancy (ALE = ARO * SLE)

Term
Definition
Annual Rate of Occurrence (risk of occurrence)

Term
Definition
Single Loss Expectancy (loss of revenue based on downtime)

Term
Definition
Identifying hardware and data, evaluating their worth.

Term
Definition
options based on the probability of the risk vs. the cost of the solution (avoidance, transference, acceptance, mitigation, and deterrence)

Term
Definition
Risk doesn't merit the cost of implementing a solution.

Term
Definition
Company transfers the risk to a third party (such as an insurance company or offsite storage area).

Term
Definition
Acceptable level of risk for the profits that can be achieved.

Term
Definition
Implementing countermeasures for the risk.

Term
Definition
Extension of mitigation where more controls are used to deter threats.

Term
Definition
Security issue that has passed security controls as a legitimate action when it should not have.

Term
Definition
Legitimate action that is perceived as a risk/threat.

Term
Definition
Security policies, network access policies, HR policies.

Term
Definition
Health Insurance Portability and Accountability Act