Term
|
Definition
| security features that control how users and systems communicate and interact with other systems and resources |
|
|
Term
|
Definition
| the flow of information between a subject and an object |
|
|
Term
|
Definition
| An active entity that requests access to an object or the data within an object |
|
|
Term
|
Definition
| a passive entity that contains information or needed functionality |
|
|
Term
|
Definition
| Ability to access an object or file |
|
|
Term
|
Definition
| protecting data, or a resource, from being altered in an unauthorized fashion |
|
|
Term
|
Definition
| the assurance that information is not disclosed to unauthorized individuals, programs, or processes |
|
|
Term
|
Definition
| a method of ensuring that a subject (user, program, or process) is the entity it claims to be |
|
|
Term
|
Definition
| the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. |
|
|
Term
|
Definition
| the system determines what the subject may access |
|
|
Term
|
Definition
| Audit logs and monitoring to track subject activities with objects |
|
|
Term
|
Definition
| technical tools used for identification, authentication, authorization, and accountability. They are software components that enforce access control measures for systems, programs, processes, and information |
|
|
Term
|
Definition
| when processes carry out their tasks on a shared resource in an incorrect order.
In software, when the authentication and authorization steps are split into two functions, an attacker may be able to use a race condition to force the authorization step to complete before the authentication step. This is a flaw in the software that the attacker has figured out how to exploit. |
|
|
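The race described in the card above, as an added example that is not part of the original study set. It contrasts a design where authentication and authorization are two separate functions talking through shared session state (so a request that lands between them is granted) with one where authorization can only consume the object that a completed authentication returns. The user database, the `Principal` class and the interleaving helper are illustrative assumptions, not code from any product.

```python
# Added example: authn/authz split into two functions versus a single chain.
# USERS and ADMIN_ROLE are a constructed toy user store.
USERS = {"alice": "correct horse"}
ADMIN_ROLE = {"alice"}


class Principal:
    """Proof that authentication succeeded; produced only by authenticate() below."""

    def __init__(self, name: str):
        self.name = name


class VulnerableServer:
    """Identity is published to shared state before the password is verified,
    and authorization reads that state without asking whether it was proven."""

    def __init__(self):
        self.session = {"user": None}

    def login_step1(self, user: str) -> None:
        self.session["user"] = user          # published too early

    def login_step2(self, user: str, password: str) -> bool:
        if USERS.get(user) != password:
            self.session["user"] = None      # cleared, but only after the fact
            return False
        return True

    def authorize_admin(self) -> bool:
        # Checks "who", never "was this identity authenticated"
        return self.session["user"] in ADMIN_ROLE


class HardenedServer:
    """Authorization takes the Principal that authentication returns, so it cannot
    run before, or without, a completed authentication; nothing is written to
    shared state until the password check has succeeded."""

    def authenticate(self, user: str, password: str):
        if USERS.get(user) == password:
            return Principal(user)
        return None

    def authorize_admin(self, principal) -> bool:
        return principal is not None and principal.name in ADMIN_ROLE


def attacker_interleaving(server: VulnerableServer) -> bool:
    """Simulate the ordering an attacker forces: authz lands between the two
    halves of login. Returns True if admin access was granted."""
    server.login_step1("alice")              # attacker submits alice's name
    granted = server.authorize_admin()       # authorization request races in
    server.login_step2("alice", "wrong")     # password check fails, too late
    return granted


if __name__ == "__main__":
    print("vulnerable grants admin:", attacker_interleaving(VulnerableServer()))
    h = HardenedServer()
    print("hardened grants admin with bad password:",
          h.authorize_admin(h.authenticate("alice", "wrong")))
```

The fix is structural rather than a lock: the authorization function has no way to be called with an identity that was not produced by a successful authentication, so the ordering of requests no longer matters.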
Term
|
Definition
| uses two or more of these three factors: something a person knows, has, or is |
|
|
Term
|
Definition
| a broad and loaded term that encompasses the use of different products to identify, authenticate, and authorize users through automated means |
|
|
Term
|
Definition
| allows an administrator to configure and manage how identification, authentication, authorization, and access control take place within the network and on individual systems |
|
|
Term
|
Definition
| a way of identifying and naming the objects the directory will manage |
|
|
Term
|
Definition
| gathers the necessary information from multiple sources and stores it in one central directory |
|
|
Term
|
Definition
| virtual directory does not have the identity data in its directory but points to where the actual data reside |
|
|
Term
| Web access management (WAM) |
|
Definition
| Controls what users can access when using a web browser to interact with web-based enterprise assets |
|
|
Term
|
Definition
| allows a user to authenticate one time and then access resources in the environment without needing to re-authenticate. |
|
|
Term
|
Definition
| deals with creating user accounts on all systems, modifying the account privileges when necessary, and decommissioning the accounts when they are no longer needed |
|
|
Term
|
Definition
| the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. |
|
|
Term
| Authoritative System of Record |
|
Definition
| a hierarchical tree-like structure system that tracks subjects and their authorization chains |
|
|
Term
|
Definition
| a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises |
|
|
Term
|
Definition
| A user’s identity can be a collection of her attributes (department, role in company, shift time, clearance, and others); her entitlements (resources available to her, authoritative rights in the company, and so on); and her traits (biometric information, height, sex, and so forth). |
|
|
Term
|
Definition
| Parts of a website that act as a point of access to information. A portal presents information from diverse sources in a unified manner. It can offer various services, as in e-mail, news updates, stock prices, data access, price lookups, access to databases, and entertainment |
|
|
Term
|
Definition
| pluggable user-interface software components that present information from other systems |
|
|
Term
|
Definition
| HyperText Markup Language.
A markup language is a way to structure text and data sets, and it dictates how these will be viewed and used.
When you adjust margins and other formatting capabilities in a word processor, you are marking up the text in the word processor’s markup language.
If you develop a web page, you are using some type of markup language. |
|
|
Term
|
Definition
| Extensible Markup Language |
|
|
Term
|
Definition
| Service Provisioning Markup Language - allows for the exchange of provisioning data between applications, allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. |
|
|
Term
|
Definition
| Security Assertion Markup Language - an XML standard that allows the exchange of authentication and authorization data to be shared between security domains. |
|
|
Term
|
Definition
| a collection of technologies and standards that allow services (weather updates, stock tickers, email, customer resource management, etc.) to be provided on distributed systems and be “served up” in one place. |
|
|
Term
|
Definition
| Simple Object Access Protocol - a specification that outlines how information pertaining to web services is exchanged in a structured manner. It provides the basic messaging framework, which allows users to request a service and, in exchange, the service is made available to that user |
|
|
Term
| Service oriented architecture |
|
Definition
| a way to provide independent services residing on different systems in different business domains in one consistent manner. For example, if your company has a web portal that allows you to access the company’s CRM, an employee directory, and a help-desk ticketing application, this is most likely being provided through an SOA. |
|
|
Term
|
Definition
| Extensible Access Control Markup Language - used to express security policies and access rights to assets provided through web services and other enterprise applications. |
|
|
Term
|
Definition
| scans a person’s physiological attribute or behavioral trait and compares it to a record created in an earlier enrollment process. |
|
|
Term
|
Definition
| This rating is stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system’s accuracy. |
|
|
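To make the crossover point concrete, here is an added example (not from the original study set) that sweeps an acceptance threshold over constructed matcher scores, computes the false rejection rate (Type I error) and false acceptance rate (Type II error) at each threshold, and reports where the two curves meet. The score lists are made up for illustration; a real system would use scores from its own matcher.

```python
# Added example: FAR/FRR sweep and crossover error rate (CER) on constructed scores.
# Scores are on a 0..100 scale where higher means a stronger match.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 62, 55]    # enrolled user's own attempts
IMPOSTOR_SCORES = [58, 52, 47, 44, 40, 36, 33, 28, 22, 15]   # other people's attempts


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at a threshold where a score >= threshold is accepted.

    FAR (Type II error): impostor attempts that were accepted.
    FRR (Type I error): genuine attempts that were rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Sweep thresholds and return (threshold, CER) where FAR and FRR are closest.

    Raising the threshold lowers FAR and raises FRR; the CER is the rate at the
    point where they are equal, and a lower CER means a more accurate system.
    """
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def sweep_table(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR) for plotting or tuning."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep_table(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 71, 5)):
        print(f"threshold={t:3d}  FAR={far:.2f}  FRR={frr:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}: CER={cer:.0%}")
```

In practice the threshold is rarely left exactly at the crossover: a door into a data center is tuned toward a lower FAR (more false rejections tolerated), while a convenience login may accept a higher FAR to reduce user friction.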
Term
|
Definition
| scans the blood-vessel pattern of the retina on the backside of the eyeball. |
|
|
Term
|
Definition
| the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows. |
|
|
Term
|
Definition
| captures electrical signals when a person types a certain phrase. As a person types a specified phrase, the biometric system captures the speed and motions of this action. Each individual has a certain style and speed, which translate into unique signals. |
|
|
Term
|
Definition
| looks at the different peaks and valleys of the hand, along with its overall shape and curvature. |
|
|
Term
|
Definition
| a protected string of characters that is used to authenticate an individual |
|
|
Term
|
Definition
| Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. |
|
|
Term
|
Definition
| a form of network attack in which a valid data transmission is maliciously or fraudulently repeated with the goal of obtaining unauthorized access. |
|
|
Term
|
Definition
| Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password. |
|
|
Term
|
Definition
| Files of thousands of words are compared to the user’s password until a match is found. |
|
|
Term
|
Definition
| An attacker falsely convinces an individual that she has the necessary authorization to access specific resources. |
|
|
Term
|
Definition
| An attacker uses a table that contains all possible passwords already in a hash format. |
|
|
Term
|
Definition
| used by a security professional to test the strength of a password |
|
|
Term
|
Definition
| Tool usually used by a hacker to crack passwords |
|
|
Term
|
Definition
| fact- or opinion-based information used to verify an individual’s identity.
A user is enrolled by answering several questions based on her life experiences, e.g. mother’s maiden name, favorite color, dog’s name, or the school she graduated from. |
|
|
Term
|
Definition
| also called a dynamic password. It is used for authentication purposes and is only good once. After the password is used, it is no longer valid |
|
|
Term
|
Definition
| synchronizes with the authentication service by using time or a counter as the core piece of the authentication process. |
|
|
Term
|
Definition
| employs a challenge/response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value, also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value the user uses as a one-time password. |
|
|
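The two token types described in the preceding cards (a synchronous token that shares a counter or clock with the authentication service, and an asynchronous token that answers a server-sent nonce) are shown below as an added example; this code is not from the original study set. The synchronous part implements HOTP (RFC 4226) and TOTP (RFC 6238) with the RFC test key; the verifier classes, the look-ahead window size and the challenge/response construction over HMAC-SHA256 are my own illustrative choices.

```python
# Added example: synchronous (counter/time) and asynchronous (challenge/response)
# one-time passwords, with server-side verification that resists replay.
import hashlib
import hmac
import os
import struct

DEMO_SECRET = b"12345678901234567890"   # the shared secret used by the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Counter-synchronized verifier (assumed design): accept the next few counters
    in case the token was pressed without a login, then advance past the counter
    that was used so the same code is rejected if replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def challenge_response(secret: bytes, nonce: bytes, digits: int = 8) -> str:
    """Asynchronous token (assumed construction): keyed MAC over the server's nonce,
    reduced to a short decimal the user can type."""
    mac = hmac.new(secret, nonce, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class ChallengeVerifier:
    """Server side of the challenge/response scheme: every nonce is random and
    single-use, so a captured response cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def new_challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.outstanding:
            return False                      # unknown or already-consumed nonce
        self.outstanding.discard(nonce)
        return hmac.compare_digest(challenge_response(self.secret, nonce), response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))             # RFC 4226 vector: 755224
    print("TOTP at t=59 (8 digits):", totp(DEMO_SECRET, 59, digits=8))   # RFC 6238 vector: 94287082
    cv = ChallengeVerifier(DEMO_SECRET)
    n = cv.new_challenge()
    print("challenge accepted:", cv.verify(n, challenge_response(DEMO_SECRET, n)))
```

Two practitioner details worth noticing: comparisons use `hmac.compare_digest` so response timing does not leak how many digits matched, and both verifiers consume the counter or nonce on success, which is what makes the password "good only once".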
Term
|
Definition
| a sequence of characters that is longer than a password (thus a “phrase”) and, in some cases, takes the place of a password during an authentication process. The user enters this phrase into an application, and the application transforms the value into a virtual password, making the passphrase the length and format that is required by the application. |
|
|
Term
| Memory card vs. Smart card |
|
Definition
| A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information. |
|
|
Term
|
Definition
| The attacker reviews the result of an encryption function after introducing an error to the card, and also reviews the correct result, which the card performs when no errors are introduced. Analysis of these different results may allow an attacker to reverse-engineer the encryption process, with the hope of uncovering the encryption key |
|
|
Term
|
Definition
| nonintrusive attacks used to uncover sensitive information about how a component works, without trying to compromise any type of flaw or weakness. A noninvasive attack is one in which the attacker watches how something works and how it reacts in different situations instead of trying to “invade” it with more intrusive measures. |
|
|
Term
|
Definition
| similar to the least-privilege principle. It is based on the concept that individuals should be given access only to the information they absolutely require in order to perform their job duties. |
|
|
Term
|
Definition
| would allow a user to enter credentials one time and be able to access all resources allowed to user |
|
|
Term
|
Definition
| named after the three-headed dog that guards the entrance to the underworld in Greek mythology. A security technology that provides authentication functionality, with the purpose of protecting a company’s assets. Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT’s Project Athena. It works in a client/server model and is based on symmetric key cryptography. |
|
|
Term
| Kerberos - Key Distribution Center |
|
Definition
| the most important component within a Kerberos environment. The KDC holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality. |
|
|
Term
|
Definition
| can be users, applications, or network services. The KDC must have an account for, and share a secret key with, each principal |
|
|
Term
|
Definition
| generated by the ticket granting service (TGS) on the KDC and given to a principal when that principal, let’s say a user, needs to authenticate to another principal, let’s say a print server. |
|
|
Term
|
Definition
| a set of Kerberos principals |
|
|
Term
|
Definition
| Secure European System for Applications in a Multi-vendor Environment (SESAME) project is a single sign-on technology developed to extend Kerberos functionality and improve upon its weaknesses. SESAME uses symmetric and asymmetric cryptographic techniques to authenticate subjects to network resources. |
|
|
Term
|
Definition
| When the user starts the computer, it runs a short list of instructions and then points itself to a server that will actually download the operating system, or interactive operating software, to the terminal. This enforces a strict type of access control. |
|
|
Term
| SESAME - Privileged Attribute Certificates |
|
Definition
| SESAME uses Privileged Attribute Certificates (PACs), which contain the subject’s identity, access capabilities for the object, access time period, and lifetime of the PAC. |
|
|
Term
| SESAME - Privileged Attribute Server |
|
Definition
| The PAC is digitally signed so the object can validate it came from the trusted authentication server, which is referred to as the Privileged Attribute Server (PAS).
The PAS holds a similar role to that of the KDC within Kerberos. After a user successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS.
The PAS then creates a PAC for the user to present to the resource he is trying to access. |
|
|
Term
|
Definition
| a framework that dictates how subjects access objects |
|
|
Term
| discretionary access control model |
|
Definition
| (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. |
|
|
Term
|
Definition
| In the MAC model, each security label contains a classification and a set of categories. The classification indicates the sensitivity level, and the categories enforce need-to-know rules.
In a military environment, the classifications could be top secret, secret, confidential, and unclassified. Each classification is more trusted than the one below it. A commercial organization might use confidential, proprietary, corporate, and sensitive.
The categories can correspond to departments (UN, Information Warfare, Treasury), projects (CRM, AirportSecurity, 2011Budget), or management levels. |
|
|
Term
| mandatory access control model |
|
Definition
| (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. An operating system that is based upon a MAC model greatly reduces the amount of rights, permissions, and functionality a user has for security purposes. The system can be used by the user for very focused and specific purposes, and that is it. These systems are usually very specialized and are in place to protect highly classified data. |
|
|
Term
| Role-Based Access Control model |
|
Definition
| Access decisions are based on each subject’s role and/or functional position. |
|
|
Term
|
Definition
| allows the administrator to set up an organizational RBAC model that maps to the organizational structures and functional delineations required in a specific environment. |
|
|
Term
| Rule-based access control |
|
Definition
| uses specific rules that indicate what can and cannot happen between a subject and an object |
|
|
Term
|
Definition
| mechanisms used to restrict user access to data contained in databases |
|
|
Term
|
Definition
| a table of subjects and objects indicating what actions individual subjects can take upon individual objects |
|
|
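The DAC, MAC, and RBAC cards above each describe a decision rule in words; the added example below (not from the original study set) implements all three over the same small set of subjects and objects so the differences are visible: DAC consults an access control matrix filled in by owners, MAC compares a subject's clearance against an object's label (level plus categories, the categories carrying the need-to-know rule), and RBAC routes the decision through roles. The file names, users, roles and category names are constructed for illustration.

```python
# Added example: DAC (access control matrix), MAC (label dominance), RBAC (roles).

# --- DAC: the owner of each object fills in the matrix cells. ---
# Constructed matrix; a cell is (subject, object) -> set of permitted actions.
ACCESS_MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
    ("bob", "tickets.db"): {"read", "write"},
}


def dac_allowed(subject: str, obj: str, action: str) -> bool:
    return action in ACCESS_MATRIX.get((subject, obj), set())


# --- MAC: labels are (classification, categories); the system, not the owner,
# decides. A clearance dominates a label when its level is at least as high AND
# its categories include every category on the object (need-to-know). ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(clearance, label) -> bool:
    c_level, c_cats = clearance
    o_level, o_cats = label
    return LEVELS[c_level] >= LEVELS[o_level] and set(o_cats) <= set(c_cats)


def mac_read_allowed(subject_clearance, object_label) -> bool:
    """Read is permitted only if the subject's clearance dominates the object's label."""
    return dominates(subject_clearance, object_label)


# --- RBAC: permissions attach to roles; users are assigned roles. ---
ROLE_PERMISSIONS = {
    "helpdesk": {("tickets.db", "read"), ("tickets.db", "write")},
    "finance": {("payroll.xlsx", "read")},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"helpdesk", "finance"}}


def rbac_allowed(user: str, obj: str, action: str) -> bool:
    return any((obj, action) in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    print("DAC bob write payroll:", dac_allowed("bob", "payroll.xlsx", "write"))
    print("MAC secret/{CRM} reads confidential/{CRM}:",
          mac_read_allowed(("secret", {"CRM"}), ("confidential", {"CRM"})))
    print("MAC top secret/{CRM} reads secret/{CRM,AirportSecurity}:",
          mac_read_allowed(("top secret", {"CRM"}), ("secret", {"CRM", "AirportSecurity"})))
    print("RBAC bob write tickets:", rbac_allowed("bob", "tickets.db", "write"))
```

The second MAC check is the one worth studying: a higher classification is not enough on its own, because the subject lacks the AirportSecurity category, so need-to-know denies the read even to a top secret clearance.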
Term
| content-dependent access control |
|
Definition
| access to objects is determined by the content within the object |
|
|
Term
| Context-dependent access control |
|
Definition
| makes access decisions based on the context of a collection of information rather than on the sensitivity of the data. A system that is using context-dependent access control “reviews the situation” and then makes a decision |
|
|
Term
| centralized access control administration |
|
Definition
| one entity (department or individual) is responsible for overseeing access to all corporate resources. This entity configures the mechanisms that enforce access control |
|
|
Term
|
Definition
| Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides client/server authentication and authorization, and audits remote users.
RADIUS is also used within corporate environments to provide road warriors and home users access to network resources. RADIUS allows companies to maintain user profiles in a central database. The access server and RADIUS server communicate over the RADIUS protocol. When a user dials in and is properly authenticated, a preconfigured profile is assigned to him to control what resources he can and cannot access. This technology allows companies to have a single administered entry point, which provides standardization in security and a simplistic way to track usage and network statistics. |
|
|
Term
|
Definition
| Terminal Access Controller Access Control System (TACACS) provides basically the same functionality as RADIUS with a few improvements in some of its characteristics.
TACACS+ uses a true authentication, authorization, and accounting/audit (AAA) architecture, in which the three functions are separated.
RADIUS encrypts the user’s password only as it is being transmitted from the RADIUS client to the RADIUS server; TACACS+ encrypts the entire body of the packet.
TACACS+ uses TCP as its transport protocol, while RADIUS uses UDP. Because UDP is a best-effort transport, the RADIUS software itself must do more work to detect and handle dropped packets. |
|
|
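The "RADIUS protects only the password" point in the card above is easier to appreciate with the actual mechanism in front of you. The following is an added example (not from the original study set) implementing the User-Password hiding defined in RFC 2865 section 5.2: the password is padded to a multiple of 16 bytes and each block is XORed with MD5(shared secret || previous block), seeded with the 16-byte Request Authenticator. The shared secret, password and authenticator values are constructed test inputs.

```python
# Added example: RFC 2865 User-Password attribute hiding and its inverse.
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as the RADIUS client does before sending an Access-Request.

    b1 = MD5(S || RA), c1 = p1 XOR b1; b2 = MD5(S || c1), c2 = p2 XOR b2; ...
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)    # pad with NULs to 16-byte multiple
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        out += block
        prev = block                                       # chaining: next block keyed on this ciphertext
    return out


def unhide_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server does; strips the NUL padding."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += _xor(block, keystream)
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed inputs: a fixed authenticator is used here only so the run is reproducible;
    # a real client picks a fresh random Request Authenticator per request.
    secret, authenticator = b"shared-secret", bytes(range(16))
    hidden = hide_password(b"hunter2", secret, authenticator)
    print("hidden :", hidden.hex())
    print("restored:", unhide_password(hidden, secret, authenticator))
```

Practitioner caveats that follow directly from the code: only this one attribute is obfuscated, so User-Name, NAS-IP-Address and the rest of the packet are readable on the wire; the construction is MD5-based XOR, not modern authenticated encryption; and since the authenticator is sent in the clear, a captured packet gives an attacker everything needed for an offline dictionary attack on the shared secret.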
Term
|
Definition
| protocols are just agreed-upon ways of communication |
|
|
Term
|
Definition
| Diameter is another AAA protocol that was developed to build upon the functionality of RADIUS and overcome many of its limitations.
It provides more flexibility and capabilities to meet the new demands of today’s complex and diverse networks. |
|
|
Term
| decentralized access control administration |
|
Definition
| gives control of access to the people closer to the resources—the people who may better understand who should and should not have access to certain files, data, and resources. In this approach, it is often the functional manager who assigns access control rights to employees |
|
|
Term
| security event management |
|
Definition
| (SEM) gathers logs from various devices (servers, firewalls, routers, etc.) and attempts to correlate the log data and provide analysis capabilities looking for anomalies |
|
|
Term
|
Definition
| Deleting specific incriminating data within audit logs |
|
|
Term
|
Definition
| a type of monitoring that can review and record keystrokes entered by a user during an active session |
|
|
Term
|
Definition
| pertain to reassigning to a subject media that previously contained one or more objects. This means before someone uses a hard drive, USB drive, or tape, it should be cleared of any residual information still on it. |
|
|
Term
|
Definition
| outlines how to develop countermeasures that control spurious electrical signals emitted by electrical equipment |
|
|
Term
|
Definition
| A countermeasure used to keep intruders from extracting information from electrical transmissions is white noise. White noise is a uniform spectrum of random electrical signals. It is distributed over the full spectrum so the bandwidth is constant and an intruder is not able to decipher real information from random noise or random information. |
|
|
Term
| Intrusion detection systems |
|
Definition
| (IDSs) are designed to detect a security breach. Intrusion detection is the process of detecting an unauthorized use of, or attack upon, a computer, network, or telecommunications infrastructure. |
|
|
Term
|
Definition
| (NIDS) uses sensors, which are either host computers with the necessary software installed or dedicated appliances, each with its network interface card (NIC) in promiscuous mode.
When a NIC is put into promiscuous mode, the NIC driver captures all traffic, makes a copy of all packets, and then passes one copy to the TCP stack and one copy to an analyzer to look for specific types of patterns.
A NIDS monitors network traffic and cannot “see” the activity going on inside a computer itself. To monitor the activities within a computer system, a company would need to implement a host-based IDS. |
|
|
Term
|
Definition
| (HIDS) can be installed on individual workstations and/or servers to watch for inappropriate or anomalous activity |
|
|
Term
|
Definition
| Models of how the attacks are carried out |
|
|
Term
|
Definition
| a behavioral-based system does not use predefined signatures, but rather is put in a learning mode to build a profile of an environment’s “normal” activities. After this profile is built, all future traffic and activities are compared to it. |
|
|
Term
|
Definition
| preconfigured rules are applied to the gathered data to indicate whether anything suspicious is taking place, e.g. if a root user creates two files in the same directory and then makes a call to a specific administrative tool, an alert should be sent |
|
|
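The rule quoted in the card above, run over sample audit records, as an added example that is not part of the original study set. The detection keeps a short history of file creations per user and raises an alert when root executes one of a configured set of administrative tools after creating two or more files in the same directory. The audit line format, the tool list and the sample records are all constructed for illustration; a real deployment would parse its own audit daemon's format.

```python
# Added example: a rule-based detection over constructed audit records.
import re
from collections import defaultdict

# Constructed audit lines (not from a real system): time, uid, event, path.
SAMPLE_AUDIT = """\
10:14:01 uid=1000 creat /home/dave/notes.txt
10:14:02 uid=0 creat /tmp/.x/a
10:14:03 uid=0 creat /var/log/x
10:14:04 uid=0 exec /usr/sbin/useradd
10:15:10 uid=0 creat /tmp/.y/one
10:15:11 uid=0 creat /tmp/.y/two
10:15:12 uid=0 exec /usr/sbin/useradd
10:16:00 uid=1000 creat /tmp/.z/one
10:16:01 uid=1000 creat /tmp/.z/two
10:16:02 uid=1000 exec /usr/sbin/useradd
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) (?P<event>creat|exec) (?P<path>\S+)$")
ADMIN_TOOLS = {"/usr/sbin/useradd", "/usr/sbin/usermod"}   # assumed tool list for the rule
ROOT_UID = "0"


def parent_dir(path: str) -> str:
    return path.rsplit("/", 1)[0]


def detect(lines, window: int = 5):
    """Rule: root creates >= 2 files in one directory, then executes an admin tool.

    Returns a list of alert strings. `window` bounds how many recent creates are
    remembered per uid so memory stays constant on a busy host.
    """
    alerts = []
    recent = defaultdict(list)                 # uid -> recently created paths
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                           # unparseable record; a real sensor would log this
        ts, uid, event, path = m["ts"], m["uid"], m["event"], m["path"]
        if event == "creat":
            recent[uid].append(path)
            del recent[uid][:-window]          # keep only the last `window` entries
        elif event == "exec" and uid == ROOT_UID and path in ADMIN_TOOLS:
            dirs = [parent_dir(p) for p in recent[ROOT_UID]]
            hot = sorted(d for d in set(dirs) if dirs.count(d) >= 2)
            if hot:
                alerts.append(f"{ts} root created {dirs.count(hot[0])} files in {hot[0]} then ran {path}")
            recent[ROOT_UID].clear()           # one alert per burst, not one per subsequent exec
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print("ALERT:", alert)
```

On the sample data the first root sequence touches two different directories and stays silent, the second hits the rule, and the identical sequence by uid 1000 does not match because the rule is scoped to root; those three cases are the ones to re-run whenever the rule is tuned.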
Term
| intrusion prevention system |
|
Definition
| The goal of an IPS is to detect malicious activity and not allow the traffic to gain access to the target in the first place |
|
|
Term
|
Definition
| a computer set up as a sacrificial lamb on the network. Used to entice a would-be attacker to this computer instead of attacking authentic production systems on a network |
|
|
Term
|
Definition
| a general term for programs or devices able to examine traffic on a LAN segment |
|
|
Term
|
Definition
| the program hashes the dictionary words and compares the resulting message digest with the system password file that also stores its passwords in a one-way hashed format. If the hashed values match, it means a password has just been uncovered. |
|
|
Term
|
Definition
| continually tries different inputs to achieve a predefined goal. Brute force is defined as “trying every possible combination until the correct one is identified.” |
|
|
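The dictionary, brute-force, and precomputed-table (rainbow table) attacks defined in the cards above, and the hashed password file the dictionary card mentions, are shown together below as an added example that is not part of the original study set. A constructed password file of unsalted SHA-256 digests is attacked three ways, and a salted hash is shown defeating the precomputed table. The user names, passwords, word list and salt are all made up; a real table would be far larger and use a reduction chain rather than a plain dictionary, but the lookup it enables is the same.

```python
# Added example: dictionary, brute-force and precomputed-table attacks on a
# constructed unsalted password file, and why a per-user salt defeats the table.
import hashlib
import itertools
import string


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


WORDLIST = ["password", "letmein", "dragon", "qwerty", "summer2019"]   # constructed

# Constructed password file: user -> unsalted SHA-256 of the password.
UNSALTED_FILE = {
    "alice": sha256_hex(b"dragon"),
    "bob": sha256_hex(b"zq7"),         # short and not in the word list
    "carol": sha256_hex(b"dragon"),    # same password as alice
}

DEMO_SALT = b"\x8f" * 16               # constructed; real systems draw a random salt per user


def dictionary_attack(digest: str, wordlist):
    """Hash each candidate word and compare with the stored digest."""
    for word in wordlist:
        if sha256_hex(word.encode()) == digest:
            return word
    return None


def brute_force(digest: str, alphabet: str = string.ascii_lowercase + string.digits, max_len: int = 3):
    """Try every combination of the alphabet up to max_len characters."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if sha256_hex(candidate.encode()) == digest:
                return candidate
    return None


def build_table(wordlist):
    """Precomputed hash -> password table: the hashing work is done once, before any attack."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_all(password_file, wordlist):
    """One table lookup per user; unsalted hashes of equal passwords collide, so both fall at once."""
    table = build_table(wordlist)
    return {user: table.get(digest) for user, digest in password_file.items()}


def salted_hash(password: bytes, salt: bytes) -> str:
    """Salting: the stored value depends on the salt, so no precomputed table applies."""
    return sha256_hex(salt + password)


if __name__ == "__main__":
    print("dictionary vs alice:", dictionary_attack(UNSALTED_FILE["alice"], WORDLIST))
    print("brute force vs bob:", brute_force(UNSALTED_FILE["bob"]))
    print("table lookup vs everyone:", crack_all(UNSALTED_FILE, WORDLIST))
    print("table lookup vs salted dragon:",
          build_table(WORDLIST).get(salted_hash(b"dragon", DEMO_SALT)))
```

Salting stops the precomputed table but not the dictionary attack itself, which simply hashes each word with the captured salt; what slows that down is a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) rather than a single SHA-256.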
Term
|
Definition
| the war dialer inserts a long list of phone numbers into a war dialing program in hopes of finding a modem that can be exploited to gain unauthorized access. |
|
|
Term
|
Definition
| attacker can use a program that presents to the user a fake logon screen, which often tricks the user into attempting to log on |
|
|
Term
|
Definition
| type of social engineering with the goal of obtaining personal information, credentials, credit card number, or financial data. The attackers lure, or fish, for sensitive data through various different methods |
|
|
Term
|
Definition
| redirects a victim to a seemingly legitimate, yet fake, web site |
|
|
Term
|
Definition
| Attacker makes a DNS server resolve a host name into an incorrect IP address |
|
|
Term
|
Definition
| this means the organization is looking for all the holes that a bad guy could somehow exploit and enter. |
|
|
Term
|
Definition
| a structured approach to identifying potential threats that could exploit vulnerabilities |
|
|