Cloned from: CISSP - Definitions

802.11i (WPA-2)
An amendment to the 802.11 standard that defines a new authentication and encryption technique that is similar to IPSec. To date, no real-world attack has compromised a properly configured WPA-2 wireless network.
A form of wireless authentication protection that requires all wireless clients to pass a gauntlet of RADIUS or TACACS services before network access is granted.
A form of twisted-pair cable that supports 1000 Mbps or 1 Gbps throughput at 100 meter distances. Often called Gigabit Ethernet.
Another form of twisted-pair cable similar to 100Base-T.
A type of coaxial cable. Often used to connect systems to backbone trunks. 10Base2 has a maximum span of 185 meters with maximum throughput of 10 Mbps. Also called thinnet.
A type of coaxial cable. Often used as a network’s backbone. 10Base5 has a maximum span of 500 meters with maximum throughput of 10 Mbps. Also called thicknet.
A type of network cable that consists of four pairs of wires that are twisted around each other and then sheathed in a PVC insulator. Also called twisted-pair.
abnormal activity
Any system activity that does not normally occur on your system. Also referred to as suspicious activity.
The collection of similar elements into groups, classes, or roles for the assignment of security controls, restrictions, or permissions as a collective.
acceptance testing
A form of testing that attempts to verify that a system satisfies the stated criteria for functionality and possibly also for security capabilities of a product. It is used to determine whether end users or customers will accept the completed product.
accepting risk
The valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss because of a risk.
The transfer of information from an object to a subject.
access control
The mechanism by which subjects are granted or restricted access to objects.
access control list (ACL)
The column of an access control matrix that specifies what level of access each subject has over an object.
access control matrix
A table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Each column of the matrix is an ACL. Each row of the matrix is a capability list.
access tracking
Auditing, logging, and monitoring the attempted access or activities of a subject. Also referred to as activity tracking.
account lockout
An element of the password policy’s programmatic controls that disables a user account after a specified number of failed logon attempts. Account lockout is an effective countermeasure to brute-force and dictionary attacks against a system’s logon prompt.
accountability
The process of holding someone responsible (accountable) for something. In this context, accountability is possible if a subject’s identity and actions can be tracked and verified.
The formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
ACID model
The letters in ACID represent the four required characteristics of database transactions: atomicity, consistency, isolation, and durability.
active content
Web programs that users download to their own computer for execution rather than consuming server-side resources.
ActiveX
Microsoft’s component object model (COM) technology used in web applications. ActiveX is implemented using any one of a variety of languages, including Visual Basic, C, C++, and Java.
Address Resolution Protocol (ARP)
A subprotocol of the TCP/IP protocol suite that operates at the Data Link layer (layer 2). ARP is used to discover the MAC address of a system by polling using its IP address.
The means by which a processor refers to various locations in memory.
administrative access controls
The policies and procedures defined by an organization’s security policy to implement and enforce overall access control. Examples of administrative access controls include hiring practices, background checks, data classification, security training, vacation history reviews, work supervision, personnel controls, and testing.
administrative law
Regulations that cover a range of topics from procedures to be used within a federal agency to immigration policies that will be used to enforce the laws passed by Congress. Administrative law is published in the Code of Federal Regulations (CFR).
administrative physical security controls
Security controls that include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.
admissible evidence
Evidence that is relevant to determining a fact. The fact that the evidence seeks to determine must be material (in other words, related) to the case. In addition, the evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Advanced Encryption Standard (AES)
The encryption standard selected in October 2000 by the National Institute of Standards and Technology (NIST) that is based on the Rijndael cipher.
advisory policy
A policy that discusses behaviors and activities that are acceptable and defines consequences of violations. An advisory policy discusses the senior management’s desires for security and compliance within an organization. Most policies are advisory.
Intelligent code objects that perform actions on behalf of a user. They typically take initial instructions from the user and then carry on their activity in an unattended manner for a predetermined period of time, until certain conditions are met, or for an indefinite period.
aggregate functions
SQL functions, such as COUNT(), MIN(), MAX(), SUM(), and AVG(), that can be run against a database to produce an information set.
A number of functions that combine records from one or more tables to produce potentially useful information.
alarm
A mechanism that is separate from a motion detector and triggers a deterrent, triggers a repellant, and/or triggers a notification. Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm.
alarm triggers
Notifications sent to administrators when a specific event occurs.
The operation (represented by the ^ symbol) that checks to see whether two values are both true.
analytic attack
An algebraic manipulation that attempts to reduce the complexity of a cryptographic algorithm. This attack focuses on the logic of the algorithm itself.
annualized loss expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset. The ALE is calculated using the formula ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
annualized rate of occurrence (ARO)
The expected frequency that a specific threat or risk will occur (in other words, become realized) within a single year.
applets
Code objects sent from a server to a client to perform some action. Applets are self-contained miniature programs that execute independently of the server that sent them.
Application layer
Layer 7 of the Open Systems Interconnection (OSI) model.
application-level gateway firewall
A firewall that filters traffic based on the Internet service (in other words, application) used to transmit or receive the data. Application-level gateways are known as second-generation firewalls.
assembly language
A higher-level alternative to machine language code. Assembly languages use mnemonics to represent the basic instruction set of a CPU but still require hardware-specific knowledge.
asset
Anything within an environment that should be protected. The loss or disclosure of an asset could result in an overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.
asset valuation
A dollar value assigned to an asset based on actual cost and nonmonetary expenses, such as costs to develop, maintain, administer, advertise, support, repair, and replace; as well as other values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.
asset value (AV)
A dollar value assigned to an asset based on actual cost and nonmonetary expenses.
assurance
The degree of confidence that security needs are satisfied. Assurance must be continually maintained, updated, and reverified.
asymmetric key
Public key cryptosystems that use a pair of keys (public and private) for each participant. Messages encrypted with one key from the pair can only be decrypted with the other key from the same pair.
asynchronous transfer mode (ATM)
A cell-switching technology rather than a packet-switching technology like Frame Relay. ATM uses virtual circuits much like Frame Relay, but because it uses fixed-size frames or cells, it can guarantee throughput. This makes ATM an excellent WAN technology for voice and video conferencing.
One of the four required characteristics of all database transactions. A database transaction must be an “all-or-nothing” affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.