CSSLP
centralized management
A type of privilege management that brings the authority and responsibility for managing and maintaining rights and privileges into a single group, location, or area.
abuse case
A use case built around a work process designed to abuse a normal work process.
auditing
Actions or processes used to verify the assigned privileges and rights of a user, or any capabilities used to create and maintain a record showing who accessed a particular system and what actions they performed.
ARP
Address Resolution Protocol (ARP): A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address.
adware
Advertising-supported software that automatically plays, displays, or downloads advertisements after the software is installed or while the application is being used.
asymmetric encryption
Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key.
802.1X
An IEEE standard for performing authentication over networks.
attack
An action taken against a vulnerability to exploit a system.
Attack Surface Analyzer
A product from Microsoft designed to enumerate the elements of a system that are subject to attack.
command injection
An attack against an input validation failure designed to force a malicious command to be processed on the system.
attack surface evaluation
An examination of the elements of a system that are subject to attack and mitigations that can be applied.
Biba security model
An information security model built around the property of integrity and characterized by no-write-up and no-read-down rules.
AH
Authentication Header (AH): A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402.
compensating controls
Compensating controls are the security controls used when a direct control cannot be applied to a requirement.
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): An enhanced data cryptographic encapsulation mechanism based upon the counter mode, with CBC-MAC from AES, designed for use over wireless LANs.
configuration item
Data and software (or other assets) that are identified and managed as part of the software change management process. Also known as computer software configuration item.
cookie
Information stored on a user's computer by a web server to maintain the state of the connection to the web server. Used primarily so preferences or previously used information can be recalled on future requests to the server.
access control
Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files).
CLR
Microsoft's Common Language Runtime—an interpreter for .NET languages on a system.
availability
Part of the "CIA" of security. Availability applies to hardware, software, and data, specifically meaning that each of these should be present and accessible when the subject (the user) wants to access or use them.
confidentiality
Part of the CIA of security. Refers to the security principle that states that information should not be disclosed to unauthorized individuals.
configuration status accounting
Procedures for tracking and maintaining data relative to each configuration item in the baseline.
*-property
Pronounced "star property," this aspect of the Bell-LaPadula security model is commonly referred to as the "no-write-down" rule because it doesn't allow a user to write to a file with a lower security classification, thus preserving confidentiality.
CIA of security
Refers to confidentiality, integrity, and authorization, the basic functions of any security system.
backup
Refers to copying and storing data in a secondary location, separate from the original, to preserve the data in the event that the original is lost, corrupted, or destroyed.
asset
Resources and information an organization needs to conduct its business.
chain of custody
Rules for documenting, handling, and safeguarding evidence to ensure no unanticipated changes are made to the evidence.
anomaly
Something that does not fit into an expected pattern.
configuration auditing
The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements.
attack surface minimization
The processes used to minimize the number of attackable elements in a system.
configuration management
The set of processes employed to create baseline configurations in an environment and to manage configurations so that they comply with those baselines.
canonical form
The simplest form of an expression, one that all variants are resolved to prior to evaluation.
cache
The temporary storage of information before use, typically used to speed up systems. In an Internet context, refers to the storage of commonly accessed webpages, graphics files, and other content locally on a user's PC or a web server. The cache helps to minimize download time and preserve bandwidth for frequently accessed websites, and it helps reduce the load on a web server.
cryptographic validation
The validation of cryptographic functions to meet specific requirements.
alpha testing
This is a form of end-to-end testing done prior to product delivery to determine operational and functional issues.
AUP
acceptable use policy (AUP): A policy that communicates to users what specific uses of computer resources are permitted.
ACL
access control list (ACL): A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).
ALE
annualized loss expectancy (ALE): How much an event is expected to cost the business per year, given the dollar cost of the loss and how often it is likely to occur. ALE = single loss expectancy * annualized rate of occurrence.
ARO
annualized rate of occurrence (ARO): The frequency with which an event is expected to occur on an annualized basis.
AAA
authentication, authorization, and accounting (AAA): Three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.
BCP
business continuity planning (BCP): The plans a business develops to continue critical operations in the event of a major disruption.
CMM
capability maturity model (CMM): A structured methodology that helps organizations improve the maturity of their software processes by providing an evolutionary path from ad hoc processes to disciplined software management processes. Developed at Carnegie Mellon University's Software Engineering Institute.
CRL
certificate revocation list (CRL): A digitally signed object that lists all of the current but revoked certificates issued by a given certification authority. This allows users to verify whether a certificate is currently valid even if it has not expired. A CRL is analogous to a list of stolen charge card numbers that allows stores to reject bad credit cards.
CA
certification authority (CA): An entity responsible for issuing and revoking certificates. CAs are typically not associated with the company requiring the certificate, although they exist for internal company use as well (such as Microsoft). This term is also applied to server software that provides these services. The term certificate authority is used interchangeably with certification authority.
CCB
change control board (CCB): A body that oversees the change management process and enables management to oversee and coordinate projects.
COTS
commercial off the shelf (COTS): A software system designed for commercial use.
CMDB
configuration management database (CMDB): A database that contains the information used in the process of managing change in a system.
CMS
configuration management system (CMS): The system used in the process of managing change in a software system.
CSRF/XSRF
cross-site request forgery (CSRF or XSRF): A method of attacking a system by sending malicious input to the system and relying upon the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user's browser.
XSS
cross-site scripting (XSS): A method of attacking a system by sending script commands to the system input and relying upon the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site.
CRC
cyclic redundancy check (CRC): An error detection technique that uses a series of two 8-bit block check characters to represent an entire block of data. These block check characters are incorporated into the transmission frame and then checked at the receiving end.
baseline management
The process of managing change in a system with relationship to the baseline configuration.
CHAP
Challenge Handshake Authentication Protocol (CHAP): Used to provide authentication across point-to-point links using the Point-to-Point Protocol (PPP).
ActiveX
A Microsoft technology that facilitates rich Internet applications and, therefore, extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a webpage that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.
Bell-LaPadula security model
A computer security model built around the property of confidentiality and characterized by no-read-up and no-write-down rules.
certificate
A cryptographically signed object that contains an identity and a public key associated with this identity. The certificate can be used to establish identity, analogous to a notarized written document.
802.11
A family of standards that describe network protocols for wireless devices.
beta testing
A form of end-to-end testing performed prior to releasing a production version of a system.
black box
A form of testing where the testers have zero knowledge of the inner workings of a system.
attack tree
A graphical method of examining the required elements to successfully prosecute an attack.
backdoor
A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
control/countermeasure
A measure taken to detect, prevent, or mitigate the risk associated with a threat.
attack surface measurement
A measurement of the relative number of attack points in the system throughout the development process.
client server
A model in which a client machine is employed for users, with servers providing resources for computing.
application
A program or group of programs designed to provide specific user functions, such as a word processor or web server.
bootstrapping
A self-sustaining process that continues through its course without external stimuli.
audit trail
A set of records or events, generally organized chronologically, that record what activity has occurred on a system. These records (often computer files) are often used in an attempt to re-create what took place when a security incident occurred, and they can also be used to detect possible intruders.
buffer overflow
A specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.
change management
A standard methodology for performing and recording changes during software development and operation.
algorithm
A step-by-step procedure—typically an established computation for solving a problem within a set number of steps.
access
A subject's ability to perform specific operations on an object, such as a file. Typical access levels include read, write, execute, and delete.
baseline
A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.
botnet
A term for a collection of software robots, or bots, that run autonomously and automatically, and commonly invisibly, in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.
cracking
A term used by some to refer to malicious hacking, in which an individual attempts to gain unauthorized access to computer systems or networks.
cryptographic agility
The ability for applications to change which cryptographic algorithms or implementations they use without having to make changes to the source code.
code signing
The application of digital signature technology to software to determine integrity and authenticity.
cryptography
The art of secret writing that enables an individual to hide the contents of a message or file from all but the intended recipient.
cloud computing
The automatic provisioning of computational resources on demand is referred to as cloud computing.
constrained data item
The data element in the Clark-Wilson integrity model that is under integrity control.
bug bar
The defining of thresholds for bugs that determines which ones must be fixed prior to release to production.
Active Directory
The directory service portion of the Windows operating system that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate, access, and manage these resources.
acceptance testing
The formal analysis that is done to determine whether a system or software product satisfies its acceptance criteria.
BIOS
The part of the operating system that links specific hardware devices to the operating system software.
authentication
The process by which a subject's (such as a user's) identity is verified.
cryptanalysis
The process of attempting to break a cryptographic system.
configuration control
The process of controlling changes to items that have been baselined.
complete mediation
The process of ensuring a system consistently applies the required checks on every applicable occurrence.
configuration identification
The process of identifying which assets need to be managed and controlled.
3DES
Triple DES encryption—three rounds of DES encryption used to improve security.
biometrics
Used to verify an individual's identity to the system or network using something unique about the individual for the verification process. Examples include fingerprints, retinal scans, hand and facial geometry, and voice analysis.
