IEEE standard that specifies 1 Mbps and 2 Mbps wireless connectivity. Defines aspects of frequency hopping and direct sequence spread spectrum (DSSS) systems for use in the 2.4 MHz ISM (industrial, scientific, medical) band. Also refers to the IEEE committee responsible for setting wireless LAN standards.
Specifies highspeed wireless connectivity in the 5GHz band using orthogonal frequency division multiplexing (OFDM) with data rates up to 54 Mbps.
Specifies highspeed wireless connectivity in the 2.4GHz ISM band up to 11 Mbps.
Malicious misuse, with the objective of intentional denial, alteration, or destruction.
A type of testing used to determine whether the software is acceptable to the actual users.
A specific type of interaction between a subject and an object that results in the flow of information from one to the other.
access control mechanism
Hardware or software features, operating procedures, management procedures, and various combinations thereof that are designed to detect and prevent unauthorized access and to permit authorized access in an automated system.
The process of limiting access to system or software resources only to authorized programs, processes, or other systems (on a network). This term is synonymous with controlled access and limited access.
A list of users, programs, andor processes and the specifications of access categories to which each is assigned a list denoting which users have what privileges to a particular resource.
access point (AP)
A wireless LAN transceiver interface between the wireless network and a wired network. Access points forward frames between wireless devices and hosts on the LAN.
The nature of an access right to a particular device, program, or file (for example, read, write, execute, append, modify, delete, or create).
Property that allows auditing of IT system activities to be traced to persons or processes that may then be held responsible for their actions. Accountability includes authenticity and nonrepudiation.
A formal declaration by the designated approving authority (DAA) that the AIS is approved to operate in a particular security mode by using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security.
Synonymous with designated approving authority.
The act of procurement or purchase of a product or service under license, subscription, or contract.
Advanced Encryption Standard (AES) (Rijndael)
A symmetric block cipher with a block size of 128 bits in which the key can be 128, 192, or 256 bits. The Advanced Encryption Standard replaces the Data Encryption Standard (DES) and was announced on November 26, 2001, as Federal Information Processing Standard Publication (FIPS PUB 197).
The top layer of the OSI model, which is concerned with application programs. It provides services such as file transfer and email to the networks end users.
An entity, either human or software, that uses the services offered by the Application layer of the OSI reference model.
application programming interface (API)
An interface to a library of software functions. An API is designed for software developers to call functions from the library, to make requests of an operating system or another software component.
Software that accomplishes functions such as database access, electronic mail, and menu prompts.
When referring to a computer system, an architecture describes the type of components, interfaces, and protocols the system uses and how they fit together. The configuration of any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement,control,display,switching,interchange, transmission, or reception of data or information includes computers, ancillary equipment, and services, including support services and related resources.
An object of value.
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. Grounds for confidence that an IT product or system meets its security objectives.
asymmetric (public) key encryption
Cryptographic system that employs two keys, a public key and a private key. The public key is made available to anyone wishing to send an encrypted message to an individual holding the corresponding private key of the public private key pair. Any message encrypted with one of these keys can be decrypted with the other. The private key is always kept private. It should not be possible to derive the private key from the public key.
The act of trying to bypass security controls on a system. An attack can be active, resulting in data modification, or passive, resulting in the release of data. Note The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures.
A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to its final result.
1 To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to system resources. 2 To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
Generically, the process of verifying who is at the other end of a transmission.
A device whose identity has been verified during the lifetime of the current link based on the authentication procedure.
The property that allows the ability to validate the claimed identity of a system entity.
The granting of access rights to a user, program, or process.
automated information system (AIS)
An assembly of computer hardware, software, andor firmware that is configured to collect, create, communicate, compute, disseminate, process, store, andor control data or information.
automated information system security
Measures and controls that protect an AIS against denial of service (DoS) and unauthorized (accidental or intentional) disclosure, modification, or destruction of AISs and data. AIS security includes consideration of all hardware andor software functions, characteristics, andor features operational procedures, accountability procedures, and access controls at the central computer facility, remote computers and terminal facilities management constraints physical structures and devices and personnel and communication controls that are needed to provide an acceptable level of risk for the AIS and for the data and information contained in the AIS. It includes the totality of security safeguards needed to provide an acceptable protection level for an AIS and for data handled by an AIS.
automated security monitoring
The use of automated procedures to ensure that security controls are not circumvented.
Timely, reliable access to data and information services for authorized users.
availability of data
The condition in which data is in the place needed by the user, at the time the user needs it, and in the form needed by the user.
A network that interconnects other networks.
Synonymous with trapdoor.
Synonymous with contingency plan.
Specifies the amount of the frequency spectrum that is usable for data transfer. In other words, bandwidth identifies the maximum data rate a signal can attain on the medium without encountering significant attenuation (loss of power). Also, the amount of information one can send through a connection.
A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined, and each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system is secure. A system state is defined to be secure only if the permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object, and a determination is made as to whether the subject is authorized for the specific access mode.
Unauthorized access obtained by tapping the temporarily inactive terminal of a legitimate user.
Access control method in which an individuals physiological or behavioral characteristics are used to determine that individuals access to a particular resource.
Basic inputoutput system. The BIOS is the first program to run when the computer is turned on. BIOS initializes and tests the computer hardware, loads and runs the operating system, and manages setup for making changes in the computer.
Short for binary digit. A single digit number in binary (0 or 1).
The gradual loss of information stored in bits on storage media over time.
Splitting bits into groups of bits and processing the groups such that after they are recombined the correct result is obtained. A countermeasure to a differential power analysis attack that does not expose the target bits internally to the processor, so the power trace is not affected.
black box test
A test in which an ethical hacking team has no knowledge of the target network.
black hat hacker
A hacker who conducts unethical and illegal attacks against information systems to gain unauthorized access to sensitive information.
A symmetric key algorithm that operates on a fixed length block of plaintext and transforms it into a fixed length block of ciphertext. A block cipher is obtained by segregating plaintext into blocks of n characters or bits and applying the same encryption algorithm and key to each block.
The act of searching through storage to locate or acquire information without necessarily knowing the existence or the format of the information being sought.
A condition in which more input is placed into a buffer or data holding area than the allowed or allocated capacity, overwriting other information. Such a condition is exploited by attackers to crash or gain control of a system.
An error, defect, mistake, vulnerability, failure, or fault in a computer system.
A set of bits, usually eight, that represent a single character.
Certification and accreditation.
The operations performed by an application to perform a task.
A visual representation of the sequence of calls.
A protected identifier that identifies an object and specifies the access rights allowed to the accessor who possesses the capability. In a capabilitybased system, access to protected objects (such as files) is granted if the wouldbe accessor possesses a capability for the object.
A restrictive label that has been applied to classified or unclassified data as a means of increasing the protection of the data and further restricting its access.
central processing unit (CPU)
The microprocessor unit or units responsible for interpreting and executing instructions in a computer system.
CERT Coordination Center (CERTCC)
A unit of the Carnegie Mellon University Software Engineering Institute (SEI). SEI is a federally funded R&D center. CERTs mission is to alert the Internet community to vulnerabilities and attacks and to conduct research and training in the areas of computer security, including incident response.
The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meets a specified set of security requirements.
certificate authority (CA)
The official responsible for performing the comprehensive evaluation of the technical and nontechnical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meet a set of specified security requirements.
certificate revocation list
A list of certificates that have been revoked or are no longer valid and should not be relied upon.
cipherblock chaining (CBC)
Cipher block chaining is an encryption mode of the Data Encryption Standard (DES) that operates on plaintext blocks 64 bits in length. Each block of plaintext is XORed with the previous ciphertext block before being encrypted.
A cryptographic transformation that operates on characters or bits.
ciphertext or cryptogram
An unintelligible encrypted message.
A computer that accesses a servers resources.
A network system design in which a processor or computer designated as a file server or database server provides services to other client processors or computers. Applications are distributed between a host server and a remote client.
A group of computers linked together over a fast local area network or other means. Clustered computers work closely together such that they act and appear like a single large computer. Clusters are typically created to improve the availability, performance, or redundancy beyond that provided by a single computer.
When simultaneous transmissions on a communications medium interfere with one another or collide.
Component Object Model (COM)
A Microsoft technology that enables software components to communicate.
A standard for specifying and evaluating the features of computer products and systems.
Common Object Request Broker Architecture (CORBA)
A standard that uses the Object Request Broker (ORB) to implement exchanges among objects in a heterogeneous, distributed environment.
communications security (COMSEC)
Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material and information.
A software component is a functional component that is part of a larger system.
A violation of a systems security policy such that unauthorized disclosure of sensitive information might have occurred.
Unintentional datarelated or intelligencebearing signals that, when intercepted and analyzed, disclose the information transmission that is received, handled, or otherwise processed by any information processing equipment.
The misuse, alteration, disruption, or destruction of dataprocessing resources. The key is that computer abuse is intentional and improper.
The use of a cryptoalgorithm in a computer, microprocessor, or microcomputer to perform encryption or decryption in order to protect information or to authenticate users, sources, or information.
The physical structure housing data processing operations.
Information collection from and about computer systems that is admissible in a court of law.
Computerrelated crimes involving deliberate misrepresentation, alteration, or disclosure of data in order to obtain something of value (usually for monetary gain). A computer system must have been involved in the perpetration or coverup of the act or series of acts. A computer system might have been involved through improper manipulation of input data, output or results, application programs, data files, computer operations, communications, computer hardware, systems software, or firmware.
computer security (COMPUSEC)
Synonymous with automated information system security.
The total environment in which an automated information system, network, or a component operates. The environment includes physical, administrative, and personnel procedures as well as communication and networking relationships with other information systems.
Keeping a secret attribute of a program hidden to prevent it from being discovered by an attacker.
Assurance that information is not disclosed to unauthorized persons, processes, or devices. The concept of holding sensitive data in confidence, limited to an appropriate set of individuals or organizations.
The process of controlling modifications to the systems hardware, firmware, software, and documentation that provides sufficient assurance that the system is protected against the introduction of improper modifications prior to, during, and after system implementation. Compare with configuration management.
The management of security features and assurances through control of changes made to a systems hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system. Compare with configuration control.
The prevention of the leaking of sensitive data from a program.
Synonymous with star property ( property).
Planned activities such as testing to ensure that software processes and products conform to applicable requirements, standards, and procedures.
Connection oriented service
Service that establishes a logical connection that provides flow control and error control between two stations that need to exchange data.
A path through which communications signals can flow.
Preventing a successful attack on a software system from spreading to other parts of an organizations computing resources.
The intermixing of data at different sensitivity and need to know levels. The lowerlevel data is said to be contaminated by the higherlevel data thus, the contaminating (higherlevel) data might not receive the required level of protection.
Establishing actions to be taken before, during, and after a threatening incident.
A plan for emergency response, backup operations, and postdisaster recovery maintained by an activity as a part of its security program this plan ensures the availability of critical resources and facilitates the continuity of operations in an emergency situation.
If software performs all of its intended functions as specified, it is said to be correct, and exhibits the property of correctness.
continuity of operations
Maintenance of essential IP services after a major outage.
The condition that exists when access control is applied to all users and components of a system.
Copper Data Distributed Interface (CDDI)
A version of FDDI specifying the use of unshielded twisted pair wiring.
The assessment of the cost of providing data protection for a system versus the cost of losing or compromising the data.
Any action, device, procedure, technique, or other reactive measure that reduces the vulnerability of or threat to a system.
A communications channel that enables two cooperating processes to transfer information in a manner that violates the systems security policy.
covert storage channel
A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (for example, sectors on a disk) shared by two subjects at different security levels.
covert timing channel
A covert channel in which one process signals information to another by modulating its own use of system resources (for example, CPU time) in such a way that this manipulation affects the real response time observed by the second process.
Refers to the ability to break the cipher so that the encrypted message can be read. Cryptanalysis can be accomplished by exploiting weaknesses in the cipher or in some fashion determining the key.
A welldefined procedure, sequence of rules, or steps used to produce a key stream or ciphertext from plaintext, and vice versa. A stepbystep procedure that is used to encipher plaintext and decipher ciphertext. Also called a cryptographic algorithm.
cryptographic application programming interface (CAPI)
An interface to a library of software functions that provide security and cryptography services. CAPI is designed for software developers to call functions from the library, which makes it easier to implement security services.
The principles, means, and methods for rendering information unintelligible and for restoring encrypted information to intelligible form. The word cryptography comes from the Greek kryptos, meaning hidden, and graphein, to write.
A set of transformations from a message space to a ciphertext space. This system includes all cryptovariables (keys), plaintexts, and ciphertexts associated with the transformation algorithm.
cyclic redundancy check (CRC)
A common errordetection process. A mathematical operation is applied to the data when transmitted. The result is appended to the core packet. Upon receipt, the same mathematical operation is performed and checked against the CRC. A mismatch indicates a very high probability that an error has occurred during transmission.
The level of harm the attacker can cause to the system in using the resource in an attack.
damage potential effort ratio
The amount of work done by the attacker to acquire the necessary access rights in order to be able to use the resource in an attack.
A database that comprises tools to support the analysis, design, and development of software and to support good software engineering practices.
Data Encryption Standard (DES)
A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
The attribute of data that is related to the preservation of its meaning and completeness, the consistency of its representation(s), and its correspondence to what it represents. When data meets a prior expectation of quality.
Data Link layer
The OSI level that performs the assembly and transmission of data packets, including error control.
The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
A connectionless form of packet switching whereby the source does not need to establish a connection with the destination before sending data packets.
To unscramble the encipherment process in order to make the message human readable.
declassification of AIS storage media
An administrative decision or procedure to remove or reduce the security classification of the subject media.
A program that bypasses the Content Scrambling System (CSS) software used to prevent the viewing of DVD movie disks on unlicensed platforms.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
Establishes for Department of Defense entities a standard process, set of activities, general task descriptions, and management structure to certify and accredit IT systems that will maintain the required security posture. The process is designed to certify that the IT system meets the accreditation requirements and that the system will maintain the accredited security posture throughout the system life cycle. The four phases of the DITSCAP are Definition, Verification, Validation, and Post Accreditation.
To degauss a magnetic storage medium is to remove all the data stored on it by demagnetization. A degausser is a device used for this purpose.
Degausser Products List (DPL)
A list of commercially produced degaussers that meet National Security Agency specifications. This list is included in the NSA Information Systems Security Products and Services Catalogue and is available through the Government Printing Office.
denial of service (DoS)
Any action (or series of actions) that prevents any part of a system from functioning in accordance with its intended purpose. This action includes any action that causes unauthorized destruction, modification, or delay of service. Synonymous with interdiction.
A property of software that can be attained with justifiable confidence when the software functions only as intended.
designated approving authority
The official who has the authority to decide whether to accept the security safeguards prescribed for an AIS, or the official who might be responsible for issuing an accreditation statement that records the decision to accept those safeguards.
The service whereby a computer terminal can use the telephone to initiate and effect communication with a computer.
A method of obscuring redundancy in plaintext by spreading the effect of the transformation over the ciphertext.
Digital Millennium Copyright Act (DMCA) of 1998
In addition to addressing licensing and ownership information, the DMCA prohibits trading, manufacturing, or selling in any way that is intended to bypass copyright protection mechanisms.
directsequence spread spectrum (DSSS)
A method used in 802.11b to split the frequency into 14 channels, each with a frequency range, by combining a data signal with a chipping sequence. Data rates of 1, 2, 5.5, and 11 Mbps are obtainable. DSSS spreads its signal continuously over this widefrequency band.
A sudden, unplanned, calamitous event that produces great damage or loss any event that creates an inability on the organizations part to provide critical business functions for some undetermined period of time.
Synonymous with contingency plan.
disaster recovery plan
Procedure for emergency response, extended backup operations, and postdisaster recovery when an organization suffers a loss of computer resources and physical facilities.
discretionary access control
A means of restricting access to objects based on the identity and needtoknow of the user, process, andor groups to which they belong. The controls are discretionary in the sense that a subject that has certain access permissions is capable of passing that permission (perhaps indirectly) on to any other subject. Compare with mandatory access control.
disk image backup
Conducting a bitlevel copy of a disk, sector by sector, which provides the capability to examine slack space, undeleted clusters, and possibly, deleted files.
Distributed Component Object Model (DCOM)
A distributed object model that is similar to the Common Object Request Broker Architecture (CORBA). DCOM is the distributed version of COM that supports remote objects as if the objects reside in the clients address space. A COM client can access a COM object through the use of a pointer to one of the objects interfaces and then invoke methods through that pointer.
Gathering information on DNS servers.
U.S. Department of Defense.
DoD Trusted Computer System Evaluation Criteria (TCSEC)
A document published by the National Computer Security Center containing a uniform set of basic requirements and evaluation classes for assessing degrees of assurance in the effectiveness of hardware and software security controls built into systems. These criteria are intended for use in the design and evaluation of systems that process andor store sensitive or classified data. This document is Government Standard DoD 5200.28STD and is frequently referred to as the Criteria or the Orange Book.
The unique context (for example, access control parameters) in which a program is operating in effect, the set of objects that a subject has the ability to access.
Degausser Products List.