Assignment - topic 4
Access Control Domain
Access
Control Lists
(ACLs)
CISSP
Access Control Domain
Provide an easy method for specifying which
users, or subjects, are allowed to access
which objects (i.e., files).
Access Control Domain
Application-Based
IDS
(AIDS)
CISSP
Access Control Domain
Analyze what’s going on in an application
using the application’s transaction log files.
Access Control Domain
Compartmentalized
information
CISSP
Access Control Domain
This is information that requires a special
authorization beyond the normal
classification system.
Access Control Domain
Compensating
controls
CISSP
Access Control Domain
These controls reinforce or replace normal
controls that are unavailable for any reason.
Access Control Domain
Corrective controls
CISSP
Access Control Domain
These controls remedy the circumstances
that enabled the unwanted activity, and/or
return conditions to where they were prior
to the unwanted activity.
Access Control Domain
Crossover
Error Rate
(CER)
CISSP
Access Control Domain
As the sensitivity of the biometric system is
adjusted, FAR & FRR values change
inversely.
Access Control Domain
Detective
controls
CISSP
Access Control Domain
These controls identify, log, and alert
management to unwanted actions or events,
as or after they occur.
Access Control Domain
Deterrent
controls
CISSP
Access Control Domain
These controls prescribe some sort of
punishment, ranging from embarrassment
to job termination or jail time for
noncompliance. Their intent is to dissuade
people from performing unwanted acts.
Access Control Domain
Directive
controls
CISSP
Access Control Domain
Those controls dictated by organizational
and legal authorities.
Access Control Domain
Discretionary
Access Control
(DAC)
CISSP
Access Control Domain
A means of restricting access to objects
based on the identity of subjects and/or
groups to which they belong.
Access Control Domain
False Rejection
Rate (FRR),
Type I Error
CISSP
Access Control Domain
Authentication fails when it should not. This
happens when an authorized person is
denied access.
Access Control Domain
False Acceptance
Rate (FAR),
Type II Error
CISSP
Access Control Domain
Authentication is successful when it should
not be. This happens when an unauthorized
person is granted access. This may happen
because the biometric system cannot
distinguish between the biometric
signatures of different people. This is the far
more serious of the two error conditions.
Access Control Domain
Host-Based IDS
(HIDS)
CISSP
Access Control Domain
Analyze information from a single computer,
consequently offer greater precision
and reliability, and can show the results of
an attack.
Access Control Domain
Intrusion Detection
Systems (IDS)
CISSP
Access Control Domain
Real-time monitoring of events as they
happen in a computer system or network,
using audit trail records and network traffic
and analyzing events to detect potential
intrusion attempts.
Access Control Domain
Intrusion
Prevention Systems
(IPS)
CISSP
Access Control Domain
Any hardware or software mechanism that
has the ability to detect and stop attacks.
Access Control Domain
Kerberos
Process
CISSP
Access Control Domain
An SSO open-standards protocol for
authentication in a single security domain.
Access Control Domain
Key
Distribution Center
(KDC)
CISSP
Access Control Domain
Works as both an Authentication Server
(AS) and a Ticket Granting Server (TGS).
Access Control Domain
Least
privilege
CISSP
Access Control Domain
The principle that people or processes
should only be allowed access to the
resources they absolutely need to
accomplish their assigned work, and only
for as long as necessary to complete that
work.
Access Control Domain
Mandatory
Access Control
(MAC)
CISSP
Access Control Domain
Means of restricting access to objects based
on the sensitivity (as represented by a label)
of the information contained in the objects
and the formal authorization (i.e., clearance)
of subjects to access information of such
sensitivity.
Access Control Domain
Need-to-know
CISSP
Access Control Domain
This principle restricts users from accessing
information or systems not required to
perform their jobs.
Access Control Domain
Network-Based IDS
(NIDS)
CISSP
Access Control Domain
Can detect potential attacks by analyzing
captured network packets.
Access Control Domain
Preventative
controls
CISSP
Access Control Domain
These controls block unwanted actions.
Access Control Domain
Recovery
controls
CISSP
Access Control Domain
These controls restore lost computing
resources or capabilities and help
the organization to return to normal
operations and recover monetary
losses caused by a security violation
or incident.
Access Control Domain
Rule-Based
Access Control
CISSP
Access Control Domain
Access is based on a list of rules created or
authorized by system owners that specify
the privileges granted to users.
Access Control Domain
Security
Domains
CISSP
Access Control Domain
The set of objects that a subject in an
information system is allowed to access.
Access Control Domain
Separation
of duties
CISSP
Access Control Domain
No one person should have control
over the complete processing of a
transaction or series of transactions where
that control would allow the person to
manipulate the transaction(s) for personal
gain or make an avoidable mistake.
Access Control Domain
Single Sign-On
(SSO)
Process
CISSP
Access Control Domain
A centralized authentication database that
administers access to multiple resources.
Access Control Domain
Social
engineering
CISSP
Access Control Domain
Gaining critical or sensitive information
through social interaction, typically with the
organization’s employees, suppliers, and
contractors.
Access Control Domain
War
dialing
CISSP
Access Control Domain
The technique of sequentially calling a range
of telephone numbers in an attempt to
identify modems, remote access devices,
and maintenance connections of computers
on a network.
Access Control Domain
Wireless
penetration
CISSP
Access Control Domain
The introduction of wireless networks and
other wireless devices such as keyboards,
mice, and VGA projectors, whether
through formal approved network
configuration management or the
inadvertent actions of well-meaning users,
has introduced additional security
exposures.
Information Security Governance and Risk Management
Annual Rate
of Occurrence
(ARO)
CISSP
Information Security Governance and Risk Management
The number of times per year that an
incident is likely to occur.
Information Security Governance and Risk Management
Asset
CISSP
Information Security Governance and Risk Management
Any person, facility, material, information,
or activity that has a positive value to an
owner.
Information Security Governance and Risk Management
Attack
CISSP
Information Security Governance and Risk Management
Attempt to gain unauthorized access to an
information system’s services, resources, or
information, or the attempt to compromise
an information system’s integrity,
availability, or confidentiality.
Information Security Governance and Risk Management
Business Continuity
Plan (BCP)
CISSP
Information Security Governance and Risk Management
A documented and tested plan for
responding to an emergency.
Information Security Governance and Risk Management
COBIT®
CISSP
Information Security Governance and Risk Management
Control Objectives for Information and
Related Technology.
Information Security Governance and Risk Management
Control
CISSP
Information Security Governance and Risk Management
Any protective action, device, procedure,
technique, or other measure that reduces
exposures.
Information Security Governance and Risk Management
Countermeasures
CISSP
Information Security Governance and Risk Management
The deployment of a set of security services
to protect against a security threat.
Information Security Governance and Risk Management
Due
care
CISSP
Information Security Governance and Risk Management
Managers and their organizations have a
duty to provide for information security to
ensure that the type of control, the cost of
control, and the deployment of control are
appropriate for the system being managed.
Information Security Governance and Risk Management
Due
diligence
CISSP
Information Security Governance and Risk Management
The enforcement of due care policy and
provisions to ensure that the due care steps
taken to protect assets are working
effectively.
Information Security Governance and Risk Management
Exposure
Factor (EF)
CISSP
Information Security Governance and Risk Management
A measure of the magnitude of loss or
influence on the value of an asset.
Information Security Governance and Risk Management
Information
Security
Management
Systems (ISMS)
CISSP
Information Security Governance and Risk Management
The International Standards Organization
(ISO) defines ISMS to be that part of an
overall management system based on a
business risk approach to establish,
implement, operate, monitor, maintain, and
improve information security.
Information Security Governance and Risk Management
Likelihood
CISSP
Information Security Governance and Risk Management
The qualitative or quantitative likelihood
that a potential hazard will occur or a
potential threat will be instantiated. Most
international standards define six levels of
likelihood (lowest to highest): incredible,
improbable, remote, occasional, probable,
and frequent.
Information Security Governance and Risk Management
Risk
CISSP
Information Security Governance and Risk Management
(1) The probability that a particular security
threat will exploit a particular vulnerability
resulting in loss or harm to an asset or
precluding the organization from reaching a
goal or objective.
(2) A combination of the probability of an
event and its consequences.
Information Security Governance and Risk Management
Risk
management
CISSP
Information Security Governance and Risk Management
Coordinated activities to direct and control an organization with regard to risk; the discipline of
identifying and measuring security risks associated with
an information system, and controlling and reducing those risks to an acceptable level. The goal of risk management is to invest organizational resources to
mitigate security risks in a cost-effective manner, while
enabling timely and effective mission accomplishment. Risk management is an important aspect of information assurance and defense-in-depth.
Information Security Governance and Risk Management
Safeguard
CISSP
Information Security Governance and Risk Management
Protection included to counteract a known or expected
condition.
Information Security Governance and Risk Management
Threat
CISSP
Information Security Governance and Risk Management
Any entity or event with the potential to
adversely impact an information system
through unauthorized access, destruction,
disclosure, modification of data, or denial of
service.
Information Security Governance and Risk Management
Threat-source
CISSP
Information Security Governance and Risk Management
Either (a) intent and method targeted at the
intentional exploitation of a vulnerability, or
(b) a situation and method that may
accidentally trigger a vulnerability.
Synonymous with threat agent.
Information Security Governance and Risk Management
Total
risk
CISSP
Information Security Governance and Risk Management
The potential for the occurrence of an
adverse event if no mitigating action
is taken (i.e., the potential for any applicable
threat to exploit a system vulnerability). See
also acceptable risk, residual risk, minimum
level of protection.
Information Security Governance and Risk Management
Vulnerability
CISSP
Information Security Governance and Risk Management
A weakness in a system that can
be exploited to violate the system’s
intended behavior relative to safety,
security, reliability, availability,
integrity, etc.
Software Development Security Domain
Adware
CISSP
Software Development Security Domain
Software to generate ads that installs itself
on your computer when you download
some other (usually free) program from the
Web.
Software Development Security Domain
Aggregation
CISSP
Software Development Security Domain
A relation, such as CONSISTS OF
or CONTAINS, between types that defines
the composition of a type
from other types.
Software Development Security Domain
Application
Programming
Interface
(API)
CISSP
Software Development Security Domain
A set of calling conventions defining how a
service is invoked through a software
package.
Software Development Security Domain
Botnets
CISSP
Software Development Security Domain
A network of infected zombie computers
controlled by a botherder. Botnets range in
size from just a handful of infected
computers to hundreds of thousands or
millions.
Also known as botherd.
Software Development Security Domain
Buffer
overflow
CISSP
Software Development Security Domain
An anomaly where a program, while
writing data to a buffer, overruns the
buffer’s boundary and overwrites adjacent
memory. This is a special case of violation
of memory safety.
Software Development Security Domain
Cookie poisoning
(manipulation)
CISSP
Software Development Security Domain
Attacks involving the modification of the
contents of a cookie in order to bypass
security mechanisms.
Software Development Security Domain
Covert
channel
CISSP
Software Development Security Domain
A channel of communication within a
computer system, or network, that is
not designed or intended to transfer
information.
Software Development Security Domain
Cross Site
Request Forgeries
(CSRF)
CISSP
Software Development Security Domain
A type of malicious exploit of a website
whereby unauthorized commands
are transmitted from a user that the
website trusts.
Software Development Security Domain
Cross-Site Scripting
(XSS)
CISSP
Software Development Security Domain
A type of computer security vulnerability
typically found in Web applications.
XSS enables attackers to inject client-side
script into Web pages viewed by other
users.
Software Development Security Domain
Dangling
pointer
CISSP
Software Development Security Domain
Pointers that do not point to a valid object
of the appropriate type.
Software Development Security Domain
Data
hiding
CISSP
Software Development Security Domain
A software development technique
specifically used in object-oriented
programming (OOP) to hide internal object
details (data members). Data hiding ensures
exclusive data access to class members and
protects object integrity by preventing
unintended or intended changes.
Software Development Security Domain
Denial of Service
(DoS)
CISSP
Software Development Security Domain
The unauthorized prevention of authorized
access to resources or the delaying of
time-critical operations.
Software Development Security Domain
Distributed
Denial of Service
(DDoS)
CISSP
Software Development Security Domain
Multiple computers flooding a Web site
with so many requests for service that it
slows down or crashes.
Software Development Security Domain
Fast flux
botnets
CISSP
Software Development Security Domain
A DNS technique used by botnets to hide
phishing and malware delivery sites behind an
ever-changing network of compromised hosts
acting as proxies.
Software Development Security Domain
Garbage collection
CISSP
Software Development Security Domain
A language mechanism that automatically
deallocates memory
for objects that are not accessible
or referenced.
Software Development Security Domain
HTTP Response
Splitting
CISSP
Software Development Security Domain
A form of web application vulnerability, resulting
from the failure of the application or its
environment to properly sanitize input values. It
can be used to perform cross-site
scripting attacks, cross-user defacement, web
cache poisoning, and similar exploits.
Software Development Security Domain
Keystroke
logging
CISSP
Software Development Security Domain
The action of recording (or logging) the
keys struck on a keyboard, typically in a
covert manner so that the person using the
keyboard is unaware that their actions are
being monitored.
Software Development Security Domain
Open
source
CISSP
Software Development Security Domain
A philosophy that promotes free
redistribution and access to an end
product’s design and implementation details.
Software Development Security Domain
Pharming
CISSP
Software Development Security Domain
An attack intended to redirect a website’s
traffic to another, bogus site.
Software Development Security Domain
Phishing
CISSP
Software Development Security Domain
The act of attempting to acquire
information such as usernames, passwords,
and credit card details (and sometimes,
indirectly, money) by masquerading as a
trustworthy entity
in an electronic communication.
Software Development Security Domain
Race
condition
CISSP
Software Development Security Domain
A type of flaw in an electronic or
software system where the output is
dependent on the sequence or timing of
other uncontrollable events.
Software Development Security Domain
Remote
Access Trojans
(RATs)
CISSP
Software Development Security Domain
A malware program that includes a back
door for administrative control over the
target computer.
Software Development Security Domain
Rootkits
CISSP
Software Development Security Domain
A stealthy type of software, often malicious,
designed to hide the existence of certain
processes or programs from normal
methods of detection and enable continued
privileged access to a computer.
Software Development Security Domain
Social
engineering
CISSP
Software Development Security Domain
The art of manipulating people into performing
actions or divulging confidential information.
Software Development Security Domain
SPAM
CISSP
Software Development Security Domain
The use of electronic messaging systems to
send unsolicited bulk messages, especially
advertising, indiscriminately.
Software Development Security Domain
Spear
phishing
CISSP
Software Development Security Domain
Phishing attempts directed at specific
individuals or companies. Attackers
may gather personal information about
their target to increase their probability of
success.
Software Development Security Domain
SQL
injection
CISSP
Software Development Security Domain
A technique often used to attack data-driven
applications. This is done by including
portions of SQL statements
in an entry field in an attempt to get
the website to pass a newly formed rogue
SQL command to the database (e.g., dump
the database contents to
the attacker).
Software Development Security Domain
URL
manipulation
CISSP
Software Development Security Domain
By manipulating certain parts of a URL,
a hacker can get a web server to deliver
web pages he is not supposed to have
access to.
Software Development Security Domain
Web
applets
CISSP
Software Development Security Domain
Provide interactive features to web applications
that cannot be provided by HTML alone. They
can capture mouse input and also have controls
like buttons or check boxes. In response
to the user action an applet can change
the provided graphic content.
Cryptography Domain
Algorithm
CISSP
Cryptography Domain
A computing procedure designed to
perform a task such as encryption,
decryption, compression, or hashing.
Cryptography Domain
Certificate
CISSP
Cryptography Domain
A digitally signed, special block of data that
contains a public key and the identifying
information for the entity,
or principal, that owns the associated
private key.
Cryptography Domain
Certificate
Authority
(CA)
CISSP
Cryptography Domain
A trusted entity or third party that
issues and signs public key certificates,
thereby attesting to the validity of the public
keys.
Cryptography Domain
Ciphertext/
Cryptogram
CISSP
Cryptography Domain
This is the enciphered, encrypted, or
scrambled form of a message.
Cryptography Domain
Collisions
CISSP
Cryptography Domain
Where two different messages would
provide the same hash or digest value.
Cryptography Domain
Cryptanalysis
CISSP
Cryptography Domain
The practice of defeating the protective
properties of cryptography. Reading protected
information, altering messages or integrity
values, and violating authentication schemes are
all forms of cryptanalysis. The practice of testing
cryptographic algorithms to determine their
strength or resistance to compromise is also a
form of cryptanalysis.
Cryptography Domain
Cryptography
CISSP
Cryptography Domain
The word cryptography is based on the
Greek words “kryptos” (hidden) and “grafi”
(writing). It is a mathematical manipulation
of information that prevents the
information from being disclosed or altered.
Cryptography Domain
Cryptology
CISSP
Cryptography Domain
The study of cryptography and
cryptanalysis.
Cryptography Domain
Cryptovariable
(key)
CISSP
Cryptography Domain
The (often-secret) value used in the
transformation of the message in a
cryptographic operation that controls the
operation of the algorithm in a unique,
predictable manner.
Cryptography Domain
Decipher/
decrypt/
decode
CISSP
Cryptography Domain
Descrambling an encrypted message and
converting it into plaintext.
Cryptography Domain
Digital
Signature
CISSP
Cryptography Domain
Proves that the message has not been
altered (Message Integrity), and it proves
who sent the message (Proof of Origin and
non-repudiation).
Cryptography Domain
Electronic
Code Book
(ECB)
CISSP
Cryptography Domain
Each block of plaintext is independently
encrypted into a respective block of
ciphertext. This can be done in parallel.
Cryptography Domain
Encrypt/encipher
CISSP
Cryptography Domain
Scrambling a plaintext message by using an
algorithm, usually in conjunction with a key.
Cryptography Domain
Exclusive-OR
(XOR)
CISSP
Cryptography Domain
A basic transformation technique and
another name for binary addition.
Cryptography Domain
Hash
Functions
CISSP
Cryptography Domain
Used to ensure message integrity.
For example, when a message is sent over a
communications channel, it
may be altered either accidentally or
intentionally while in transit.
Cryptography Domain
Initialization Vector
(IV)
CISSP
Cryptography Domain
A random value that is XOR’d with the
plaintext message before encryption.
Cryptography Domain
Kerckhoffs’s
Principle
CISSP
Cryptography Domain
States that the strength of a cryptosystem is
based on the secrecy
of the key and not on the secrecy of
the algorithm.
Cryptography Domain
Key
Clustering
CISSP
Cryptography Domain
A weakness that would exist in a
cryptosystem if two different keys
would generate the same ciphertext from
the same plaintext.
Cryptography Domain
Key
space
CISSP
Cryptography Domain
The total number of keys available to the
user of a cryptosystem.
Cryptography Domain
Non-repudiation
CISSP
Cryptography Domain
A security service by which evidence
is maintained so that the sender and
recipient of data cannot deny having
participated in the communication. Referred
to individually as
non-repudiation of origin and
non-repudiation of receipt.
Cryptography Domain
Plaintext/
Cleartext
CISSP
Cryptography Domain
This is the natural or human-readable form
of a message.
Cryptography Domain
Registration
Authority
(RA)
CISSP
Cryptography Domain
The primary organization that verifies
a certificate applicant’s information
and identity.
Cryptography Domain
Scytale
Rod
CISSP
Cryptography Domain
A simple transposition cipher system that
employs a rod of a certain thickness around
which was wrapped a long, thin strip of
parchment.
Cryptography Domain
Secure HTTP
(S-HTTP)
CISSP
Cryptography Domain
A protocol for transmitting data securely
over the World Wide Web designed to
transmit individual messages securely.
Cryptography Domain
Secure
Sockets Layer
(SSL)/TLS
CISSP
Cryptography Domain
Uses two keys to encrypt data: a public key
known to everyone and a private or secret
key known only to the recipient of the
message.
Cryptography Domain
Synchronous and
Self-synchronous
CISSP
Cryptography Domain
An algorithm in which the keystream is
generated based on the original key,
bit-by-bit, in sync with the arrival of the plaintext.
Cryptography Domain
Transport
Layer Security
(TLS)
CISSP
Cryptography Domain
A protocol that guarantees privacy and data
integrity between client/server applications
communicating over the Internet.
Cryptography Domain
Work
Factor
CISSP
Cryptography Domain
An estimate of the effort/time needed
to overcome a protective measure by
an attacker with specified expertise
and resources.
Security Architecture and Design Domain
Architecture
CISSP
Security Architecture and Design Domain
A high-level perspective of how
business requirements are to be structured
and aligned with technology and processes
in a comprehensive
and manageable way.
Security Architecture and Design Domain
Best
practice
CISSP
Security Architecture and Design Domain
A well-recognized and accepted approach
to designing, developing,
managing/monitoring, and enhancing
processes; often codified into a standard.
Security Architecture and Design Domain
Cache
CISSP
Security Architecture and Design Domain
The very fast memory directly on the CPU
chip body. It is not upgradeable.
Security Architecture and Design Domain
Central
Processing Unit
(CPU)
CISSP
Security Architecture and Design Domain
The heartbeat of a system. It controls
primary processing, interaction with
peripheral devices, organization of memory,
and control over networking operations.
Security Architecture and Design Domain
Closed
systems
CISSP
Security Architecture and Design Domain
Proprietary interfaces. Many older systems
used proprietary interfaces, and
implementations were customized for a
specific application’s environments.
Interoperability was sacrificed to achieve
uniqueness and obscurity, an illusion that
security through obscurity works.
Security Architecture and Design Domain
Confidentiality
CISSP
Security Architecture and Design Domain
Limiting information access and disclosure
to authorized users.
Security Architecture and Design Domain
Dedicated systems
CISSP
Security Architecture and Design Domain
Single level of processing permitted. In
military applications, this often means that
the system is only used for a single
purpose (firing a weapon, for example) and
only personnel holding the designated
security clearance are granted access to the
system.
Security Architecture and Design Domain
Embedded systems
CISSP
Security Architecture and Design Domain
A single purpose computer built into
a device and typically programmed to
perform a dedicated function.
Security Architecture and Design Domain
Enterprise Security
Architecture
(ESA)
CISSP
Security Architecture and Design Domain
Includes all areas of security for an
organization: leadership, strategy,
organizational structure, planning, design,
implementation, and operations.
Security Architecture and Design Domain
Firmware
CISSP
Security Architecture and Design Domain
Software that is permanently (or
semi-permanently) embedded in hardware and
typically provides low-level services and/or
control of hardware.
Security Architecture and Design Domain
Framework
CISSP
Security Architecture and Design Domain
A defined approach to the process used to
achieve the goals of an architecture, based
on policy, and reflecting the requirements
and expectations of the various
stakeholders.
Security Architecture and Design Domain
Infrastructure
CISSP
Security Architecture and Design Domain
The integrated building blocks that support
the goals of the architecture.
Security Architecture and Design Domain
Information-flow
model
CISSP
Security Architecture and Design Domain
Tracks the movement of information from one
object to another so that movement of sensitive
data to an unprotected area will be identified. A
covert channel is the release of information in
violation of security policy. The
Information-Flow Model specifically addresses the issue of
covert channel analysis; no other model
addresses this.
Security Architecture and Design Domain
Information
Security
Architecture
(ISA)
CISSP
Security Architecture and Design Domain
Another term from the ISO/IEC 27002.
High-level description of how security
requirements are structured.
Security Architecture and Design Domain
Information
Security
Management
System (ISMS)
CISSP
Security Architecture and Design Domain
Sets a standard for addressing
security throughout the development,
deployment, and implementation schedule.
Security Architecture and Design Domain
Integrity
CISSP
Security Architecture and Design Domain
The trustworthiness of information
resources.
Security Architecture and Design Domain
Lattice-based model
CISSP
Security Architecture and Design Domain
Hierarchical model defining access control
privilege levels. Each subject and object
would be defined in a level of the lattice
with a least upper boundary and greatest
lower boundary.
Security Architecture and Design Domain
Mainframe
CISSP
Security Architecture and Design Domain
A large, highly fault-tolerant, multiuser
computer engineered to run without
interruption for long periods of time.
Security Architecture and Design Domain
Microcomputers
CISSP
Security Architecture and Design Domain
These may take many forms, such
as free-standing towers, desktops,
or blades.
Security Architecture and Design Domain
Minicomputer
CISSP
Security Architecture and Design Domain
Often seen as the little brother to a
mainframe, but frequently still architected
into a centralized model.
Security Architecture and Design Domain
Model
CISSP
Security Architecture and Design Domain
Outlines how security is to be implemented
within the organization.
Security Architecture and Design Domain
Multilevel
systems
CISSP
Security Architecture and Design Domain
Processing at two levels is permitted
through some form of user authentication
and authorization
(i.e., user and administrator).
Security Architecture and Design Domain
Non-interference
model
CISSP
Security Architecture and Design Domain
Is based upon rules to prevent processes
(subjects) that are operating in different
domains from affecting (interfering with)
each other in violation of security policy.
Security Architecture and Design Domain
Open
systems
CISSP
Security Architecture and Design Domain
Standards-based interfaces. Many of today’s
systems use standard interfaces and support
standardized protocols. Most of these are
designed for client/server environments.
Security Architecture and Design Domain
Primary
storage
CISSP
Security Architecture and Design Domain
The memory directly accessible by the CPU
and with the highest response speed.
Security Architecture and Design Domain
Protection Profile
(PP)
CISSP
Security Architecture and Design Domain
A general set of security requirements and
objectives for a category of products that
meet similar consumer needs for IT
security.
Security Architecture and Design Domain
Registers
CISSP
Security Architecture and Design Domain
Very high-speed storage structures built
into the CPU chip set; they are often used to
store timing and state information for the
CPU to maintain control over processes.
Security Architecture and Design Domain
Security
kernel
CISSP
Security Architecture and Design Domain
Consists of several components including
software, firmware, and hardware. Together they
represent all the security
functionality of the operating system.
Security Architecture and Design Domain
Security Target
(ST)
CISSP
Security Architecture and Design Domain
Contains the IT security objectives and
requirements of a specific, identified TOE
and defines the functional and assurance
measures offered by that TOE to meet
stated requirements.
Security Architecture and Design Domain
Servers
CISSP
Security Architecture and Design Domain
Provide storage and computing services for
users who are connected to them. They are
typically larger, more fault-tolerant
computers, usually serving more than one
user.
Security Architecture and Design Domain
Single-level systems
CISSP
Security Architecture and Design Domain
Like early generation PCs running DOS and
early Windows OS, these systems place all
users at the same privilege level and permit
users to execute any instruction available.
Security Architecture and Design Domain
State-machine
model
CISSP
Security Architecture and Design Domain
Is one that looks for a change in state. State
is defined as the condition an entity is in at
a point in time. A state machine — such as
a stateful inspection firewall — looks for a
change in state over time.
Security Architecture and Design Domain
Target of evaluation
(TOE)
CISSP
Security Architecture and Design Domain
A set of software, firmware, and/or
hardware to be evaluated, possibly
accompanied by guidance.
Operations Security Domain
Bypass Label
Processing
(BLP)
CISSP
Operations Security Domain
Can give someone the ability to bypass the
security controls.
Operations Security Domain
Data
mirroring
CISSP
Operations Security Domain
Is the replication of data on separate disks
in real time to ensure continuous
availability, currency, and accuracy (i.e.,
RAID Level 1).
Operations Security Domain
Data
remanence
CISSP
Operations Security Domain
Is the residual physical representation of
data remaining on media after the data has
been in some way erased.
Operations Security Domain
Database
shadowing
CISSP
Operations Security Domain
Reduces recovery time from a database
failure by using a database restore and
roll-forward process, using a backup and the
journals to enable recovery without data
loss.
Operations Security Domain
Degaussing
CISSP
Operations Security Domain
Leaves the domains in random patterns
with no preference to orientation, thereby
rendering previous data unrecoverable.
Operations Security Domain
Electronic
vaulting
CISSP
Operations Security Domain
Is the bulk transfer of backup data over
communications facilities.
Operations Security Domain
File image
CISSP
Operations Security Domain
Backup software that creates disk image
files with exact, byte-by-byte copies of a
hard drive, partition, or logical disk.
Operations Security Domain
Initial
Program Load
(IPL)
CISSP
Operations Security Domain
Starting a system program with required
system software, and operating the
computer system as directed.
Operations Security Domain
Malicious
code
CISSP
Operations Security Domain
Software that performs unauthorized
functions causing the normal operation of
an information system to be abnormal.
Operations Security Domain
Need-to-know
CISSP
Operations Security Domain
Describes the restriction of data, which is
considered very sensitive.
Operations Security Domain
Redundant servers
CISSP
Operations Security Domain
Provides fault tolerance by having one or
more entire systems available in case the
primary one crashes.
Operations Security Domain
Remote
journaling
CISSP
Operations Security Domain
Delivers real-time database data integrity by
capturing and transmitting the journal and
transaction log data offsite as they are
created.
Operations Security Domain
Special Privilege
Accounts
CISSP
Operations Security Domain
These accounts are privileged (Root or
built-in Administrator Accounts, Service
Accounts, Administrator Accounts, and
Power User Accounts).
Business Continuity and Disaster Recovery Planning Domain
Business Continuity
Institute
(BCI)
CISSP
Business Continuity and Disaster Recovery Planning Domain
An extension/improvement to the previous
professional practices document. This
domain closely maps to the format and
terminology of the BCI GPG documents.
Business Continuity and Disaster Recovery Planning Domain
Business Continuity
Plan (BCP)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Addresses business disruption, interruption,
or loss from the initial response to the
point at which normal business operations
are resumed.
Business Continuity and Disaster Recovery Planning Domain
Business Standards
Institution (BS 25999)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Represents a framework for resilience and
success for a company to enact and follow.
Business Continuity and Disaster Recovery Planning Domain
Checklist or Desk
Check
CISSP
Business Continuity and Disaster Recovery Planning Domain
Participants review plan contents and check
information such as phone numbers,
equipment, and locations.
Business Continuity and Disaster Recovery Planning Domain
Cold
site
CISSP
Business Continuity and Disaster Recovery Planning Domain
An empty data center with heating,
ventilation, and air conditioning (HVAC)
and power.
Business Continuity and Disaster Recovery Planning Domain
Disaster Recovery
Institute
International (DRII)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Information can be found here for various
certifications for business continuity
management.
Business Continuity and Disaster Recovery Planning Domain
Emergency
Operations Center
(EOC)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Central management point for a crisis. The
staff assigned to it must be able to handle
the stress and decision-making
responsibilities associated with a disaster.
Business Continuity and Disaster Recovery Planning Domain
Full Interruption
Test
CISSP
Business Continuity and Disaster Recovery Planning Domain
Primary operations are shut down and
continuity relies solely on recovery
procedure accuracy, completeness, and
personnel ability.
Business Continuity and Disaster Recovery Planning Domain
Hot site
CISSP
Business Continuity and Disaster Recovery Planning Domain
Features fully provisioned IT and offices.
Data must be retrieved and loaded before
operations are resumed. Some commercial
hot sites allow data backups to be stored
nearby for a fee.
Business Continuity and Disaster Recovery Planning Domain
Incident
Management Plan
(IMP)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Defines how the strategic issues of a crisis
affecting the organization would be
addressed and managed by the chief
executive/senior managers.
Business Continuity and Disaster Recovery Planning Domain
Maximum Tolerable
Downtime
(MTD)
CISSP
Business Continuity and Disaster Recovery Planning Domain
The time by which the business MUST
recover critical services.
Business Continuity and Disaster Recovery Planning Domain
Parallel
testing
CISSP
Business Continuity and Disaster Recovery Planning Domain
Basically an operations test to show that
critical systems can be run at the alternate
site.
Business Continuity and Disaster Recovery Planning Domain
Recovery Point
Objective
(RPO)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Measures the tolerance for data loss.
Business Continuity and Disaster Recovery Planning Domain
Recovery Time
Objective
(RTO)
CISSP
Business Continuity and Disaster Recovery Planning Domain
This is the time by which the organization
would LIKE to recover.
Business Continuity and Disaster Recovery Planning Domain
Service Level
Agreements
(SLA)
CISSP
Business Continuity and Disaster Recovery Planning Domain
Can relate to acceptable outage times,
committed repair times, maintenance
windows, and operational and performance
standards.
Business Continuity and Disaster Recovery Planning Domain
Simulations
CISSP
Business Continuity and Disaster Recovery Planning Domain
Typically include a pretend disaster, and all
teams exercise their training and judgment
and simulate their actions.
Business Continuity and Disaster Recovery Planning Domain
Structured
walk-throughs
CISSP
Business Continuity and Disaster Recovery Planning Domain
Team members meet and discuss each plan
element and procedure across several
meetings. They step through the plans and
have some role interaction, but all is done
within the confines of the conference room.
Business Continuity and Disaster Recovery Planning Domain
Warm
site
CISSP
Business Continuity and Disaster Recovery Planning Domain
Has some common IT, communications,
power, and HVAC. IT equipment (such as
servers and communications) must be
procured and transferred to the site, and
the data must be retrieved and loaded.
Legal, Regulations, Investigations, and Compliance Domain
Administrative
law
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Encompasses the laws and legal principles
defining the powers, procedures, processes,
and acts of administrative agencies.
Legal, Regulations, Investigations, and Compliance Domain
Civil
law
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Highly systematized and structured and
relies on declarations of broad, general
principles, often ignoring the details.
Legal, Regulations, Investigations, and Compliance Domain
Copyright
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Covers the expression of ideas.
Legal, Regulations, Investigations, and Compliance Domain
Criminal
law
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Deals with addressing the behaviors or
conduct that are seen as harmful to the
general public and/or society in general.
Legal, Regulations, Investigations, and Compliance Domain
Customary
law
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Consists of the written and unwritten rules
that have developed from the customs and
traditions of communities.
Legal, Regulations, Investigations, and Compliance Domain
Freeware
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Software that can be used, copied, studied,
modified, and redistributed without
restriction.
Legal, Regulations, Investigations, and Compliance Domain
Hearsay
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Evidence that is based on what the witness
was told rather than on his or her personal
knowledge and is not normally admissible in
court.
Legal, Regulations, Investigations, and Compliance Domain
Intellectual
property
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Proprietary business or technical
information, processes, designs, practices,
etc., that are confidential and critical to the
business.
Legal, Regulations, Investigations, and Compliance Domain
Interrogation
CISSP
Legal, Regulations, Investigations, and Compliance Domain
An adversarial technique where the suspect
is put under real or perceived stress (often
through being accused of complicity in the
crime) in order to compel him or her to
confess or divulge specific information.
Legal, Regulations, Investigations, and Compliance Domain
Interviewing
CISSP
Legal, Regulations, Investigations, and Compliance Domain
The purpose of this is information gathering
with the objective of seeking/determining
the truth.
Legal, Regulations, Investigations, and Compliance Domain
Libel and
defamation
CISSP
Legal, Regulations, Investigations, and Compliance Domain
The legal responsibility that one might have
for making false statements that harm the
reputation of another.
Legal, Regulations, Investigations, and Compliance Domain
Patents
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Protect novel, useful, and non-obvious
inventions.
Legal, Regulations, Investigations, and Compliance Domain
Privacy and the
Organization for
Economic Cooperation
and Development
(OECD)
CISSP
Legal, Regulations, Investigations, and Compliance Domain
A group of 30 member countries sharing a
commitment to democratic government
and the market economy. It has eight core
principles pertaining to the protection of
privacy and personal information.
Legal, Regulations, Investigations, and Compliance Domain
Prudent person
rule
CISSP
Legal, Regulations, Investigations, and Compliance Domain
The general test for appropriate and
responsible protection of assets. It
considers what actions a careful person
would take to protect the assets of the
organization from harm or unnecessary risk.
Legal, Regulations, Investigations, and Compliance Domain
Religious Law
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Law is considered to be decreed by a
Supreme Being. Lawmakers and law
scholars do not create laws; they attempt
to discover the truth of law.
Legal, Regulations, Investigations, and Compliance Domain
Shareware
CISSP
Legal, Regulations, Investigations, and Compliance Domain
A marketing method for commercial
software, whereby a trial version is
distributed in advance and without payment,
as is common for proprietary software.
Legal, Regulations, Investigations, and Compliance Domain
Trademark
CISSP
Legal, Regulations, Investigations, and Compliance Domain
Protects the “good will” that merchants or
vendors invest in the recognition of their
products.
Physical (Environmental) Security Domain
Brownout
CISSP
Physical (Environmental) Security Domain
A reduction of voltage by the utility
company for a prolonged period of time.
Physical (Environmental) Security Domain
Electrical circuits
CISSP
Physical (Environmental) Security Domain
Used to detect open windows or doors —
many work on magnetic switches that close
the electrical circuit when the window is
opened and moves the magnet away from
the electrical switch.
Physical (Environmental) Security Domain
Electrostatic
discharge
CISSP
Physical (Environmental) Security Domain
A power surge generated by a person or
device contacting another device and
transferring a high voltage shock.
Physical (Environmental) Security Domain
Infrared/night vision
lighting
CISSP
Physical (Environmental) Security Domain
Can assist in low-light conditions and
augment closed circuit TV cameras to
monitor an area at night.
Physical (Environmental) Security Domain
In-Rush current
CISSP
Physical (Environmental) Security Domain
The initial surge of current experienced
when power supply resumes after failure.
This can damage equipment or cause
breakers to trip/fail.
Physical (Environmental) Security Domain
Interference (noise)
CISSP
Physical (Environmental) Security Domain
A natural occurrence that happens when
unwanted signals are generated in circuits
that are in close proximity.
Physical (Environmental) Security Domain
Lock bumping
CISSP
Physical (Environmental) Security Domain
Involves cutting a key to the maximum
depth on all cuts and hammering the key
with a “Tomahawk” (a flexible hammer) to
transfer maximum force to all of the pins so
that they jump into the open position.
Physical (Environmental) Security Domain
Microwave
CISSP
Physical (Environmental) Security Domain
Receiver diode picks up transmitted and
“bounced” energy waves in an enclosure.
Intruder disrupts the waves and activates
the alarm.
Physical (Environmental) Security Domain
Motion sensors
CISSP
Physical (Environmental) Security Domain
Most work on Passive Infrared technology.
Various types may autodial an emergency
number, sound an alarm, or trigger lights
when they sense motion.
Physical (Environmental) Security Domain
Network
Access Control
(NAC)
CISSP
Physical (Environmental) Security Domain
Basic functions include validating software
and release levels (Firewall, Antivirus,
Anti-Spam, etc.) and providing login security to
the device and the network.
Physical (Environmental) Security Domain
Passive infrared
CISSP
Physical (Environmental) Security Domain
Objects radiate infrared with the heat of
their bodies. Detector notes the change and
triggers an alarm.
Physical (Environmental) Security Domain
Pressure/motion
sensitive
CISSP
Physical (Environmental) Security Domain
Use of buried fiber and pressure plates to
detect vehicles and persons travelling close
to the buried cable.
Physical (Environmental) Security Domain
Sounds and
vibration
CISSP
Physical (Environmental) Security Domain
Microphones and other monitoring
equipment are used to detect changes in
sound or listen in to a facility.
Physical (Environmental) Security Domain
Photoelectric
CISSP
Physical (Environmental) Security Domain
Active infrared beam that triggers an alarm
when the beam is broken.
Physical (Environmental) Security Domain
Sag/Dip
CISSP
Physical (Environmental) Security Domain
A short period of low voltage.
Physical (Environmental) Security Domain
Standby/backup
lighting
CISSP
Physical (Environmental) Security Domain
Lighting with a battery supply that is
automatically turned on when power goes
out.
Physical (Environmental) Security Domain
Strike/strike
plate
CISSP
Physical (Environmental) Security Domain
These form a separate rectangular metal
piece that is inserted into the door jamb.