Term
|
Definition
| weakness in the security system that might be exploited to cause loss or harm |
|
|
Term
| Principle of Easiest Penetration |
|
Definition
| An intruder must be expected to use any available means of penetration. |
|
|
Term
| describe the relationship among threats, controls, and vulnerabilities |
|
Definition
| A threat is blocked by control of a vulnerability |
|
|
Term
|
Definition
| a set of circumstances that has the potential to cause loss or harm |
|
|
Term
|
Definition
| an exploitation of a vulnerability |
|
|
Term
|
Definition
| an action, device, procedure, or technique that removes or reduces a vulnerability |
|
|
Term
|
Definition
| some unauthorized party has gained access to an asset |
|
|
Term
|
Definition
* illicit copying of program or data files
* wiretapping to obtain data in a network |
|
|
Term
|
Definition
| an asset of the system becomes lost, unavailable, or unusable |
|
|
Term
|
Definition
* malicious destruction of a hardware device
* erasure of a program or data file
* malfunction of an operating system file manager so that it cannot find a particular disk file |
|
|
Term
|
Definition
| unauthorized party not only accesses but tampers with an asset |
|
|
Term
|
Definition
* someone might change the values in a database
* alter a program so that it performs an additional computation
* modify data being transmitted electronically |
|
|
Term
|
Definition
| counterfeit objects on a computing system |
|
|
Term
|
Definition
* insert spurious transactions into a network communication system
* add records to an existing database |
|
|
Term
| malicious attacker must have what three things |
|
Definition
# Method: the skills, knowledge, tools, and other things needed to pull off the attack
# Opportunity: the time and access to accomplish the attack
# Motive: a reason to want to perform this attack against this system |
|
|
Term
|
Definition
| computer-related assets are accessed only by authorized parties |
|
|
Term
|
Definition
| assets can be modified only by authorized parties or only in authorized ways |
|
|
Term
|
Definition
| assets are accessible to authorized parties at appropriate times |
|
|
Term
| Three goals of computer security |
|
Definition
| confidentiality, integrity, and availability |
|
|
Term
|
Definition
| access to software is usually carefully controlled so that software is not deleted, destroyed, or replaced accidentally |
|
|
Term
|
Definition
| where a program is maliciously modified to fail when certain conditions are met or when a certain date or time is reached |
|
|
Term
|
Definition
| program that overtly does one thing while covertly doing another |
|
|
Term
|
Definition
| a specific type of Trojan horse that can be used to spread its "infection" from one computer to another |
|
|
Term
|
Definition
| a program that has a secret entry point |
|
|
Term
|
Definition
| code that makes information accessible to unauthorized people or programs |
|
|
Term
| Principle of Adequate Protection |
|
Definition
| Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value |
|
|
Term
|
Definition
| the crook shaves a little from many accounts and puts these shavings together to form a valuable result, like the meat scraps joined together in a salami. |
|
|
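The salami attack above is easy to miss because nothing is lost in total: the fractions of a cent are moved, not destroyed. The following is an added example (not part of the original card set, and not taken from any real bank) that posts monthly interest over a constructed ledger twice, once honestly and once with the shavings routed to an insider's account `ACC-0999`, and then runs two controls against the result: a totals-only reconciliation, which the salami run passes, and a per-account recomputation, which catches it. The interest rate, balances and account names are all made up for the demonstration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
# Constructed: 3.75 % annual interest posted monthly (0.0375 / 12 is exactly 0.003125).
MONTHLY_RATE = Decimal("0.0375") / 12

# Constructed sample ledger (account -> balance). "ACC-0999" is an empty
# account controlled by the insider running the salami.
LEDGER = {
    "ACC-0001": Decimal("1234.88"),
    "ACC-0002": Decimal("98765.43"),
    "ACC-0003": Decimal("2500.48"),
    "ACC-0004": Decimal("5000.00"),
    "ACC-0005": Decimal("777.77"),
    "ACC-0006": Decimal("64000.96"),
    "ACC-0007": Decimal("1598.72"),
    "ACC-0999": Decimal("0.00"),
}


def exact_interest(balance):
    """Interest owed before any rounding, kept at full precision."""
    return balance * MONTHLY_RATE


def honest_posting(ledger):
    """Legitimate run: round each account's interest to the nearest cent and credit it."""
    return {acct: exact_interest(bal).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in ledger.items()}


def salami_posting(ledger, attacker="ACC-0999"):
    """Salami run: always round DOWN, collect every discarded fraction of a cent,
    and credit the accumulated shavings to the attacker's account."""
    credits = {}
    shavings = Decimal("0")
    for acct, bal in ledger.items():
        exact = exact_interest(bal)
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        credits[acct] = paid
        shavings += exact - paid
    credits[attacker] = credits.get(attacker, Decimal("0")) + shavings.quantize(CENT, rounding=ROUND_DOWN)
    return credits


def totals_reconcile(ledger, credits):
    """Weak control: compare total interest credited with total interest owed,
    allowing half a cent of rounding per account.  The salami run passes this
    check because the shavings were moved to another account, not lost."""
    owed = sum((exact_interest(b) for b in ledger.values()), Decimal("0"))
    paid = sum(credits.values(), Decimal("0"))
    return abs(owed - paid) <= Decimal("0.005") * len(ledger)


def per_account_audit(ledger, credits):
    """Stronger control: recompute each account's entitlement independently and
    flag any credit that is a full cent or more away from it, or that goes to an
    account with no ledger entry at all."""
    flagged = []
    for acct, paid in credits.items():
        if acct not in ledger:
            flagged.append(acct)
            continue
        if abs(paid - exact_interest(ledger[acct])) >= CENT:
            flagged.append(acct)
    return flagged


if __name__ == "__main__":
    crooked = salami_posting(LEDGER)
    print("attacker credit:      ", crooked["ACC-0999"])
    print("totals check passes:  ", totals_reconcile(LEDGER, crooked))
    print("per-account flags:    ", per_account_audit(LEDGER, crooked))
```

With only seven victim accounts the insider nets two cents; the point of the attack is that the same code run over millions of accounts every month nets a great deal more, and the totals-level control never notices. The audit that works is the one that recomputes each account's entitlement from an independent source and checks destination accounts, which is why interest-posting jobs are usually reviewed at that granularity rather than by batch totals.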
Term
|
Definition
* intercept a message ordering one bank to credit an account
* the fabricator might then replay that message, causing the receiving bank to credit the same account again |
|
|
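The replay described above succeeds even against a receiver that authenticates every message, because a valid message stays valid when sent twice. The following is an added example (not part of the original card set, and not any real interbank protocol) showing both sides of the exchange: a sending bank that stamps each credit order with a fresh nonce and an HMAC, a naive receiving bank that checks only the HMAC, and a hardened one that also refuses a nonce it has already honoured. The shared key, account names and amounts are constructed for the demonstration; modification of a captured message is tried as well, to show what the MAC alone does and does not stop.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

# Assumption: the two banks share this secret out of band (constructed value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(order):
    """Serialise the order deterministically so both sides MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def mac(order, key=SHARED_KEY):
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def make_order(account, amount, nonce=None):
    """Sending bank: build a credit order, stamp it with a fresh nonce, authenticate it."""
    order = {"type": "credit", "account": account, "amount": amount,
             "nonce": nonce or secrets.token_hex(16)}
    return order, mac(order)


class NaiveBank:
    """Receiving bank that checks the MAC only.  Modification and fabrication are
    caught, but a captured (order, tag) pair can be replayed indefinitely."""

    def __init__(self):
        self.balances = {}

    def receive(self, order, tag):
        if not hmac.compare_digest(mac(order), tag):
            return "rejected: bad MAC"
        self._credit(order)
        return "accepted"

    def _credit(self, order):
        acct = order["account"]
        self.balances[acct] = self.balances.get(acct, Decimal("0.00")) + Decimal(order["amount"])


class HardenedBank(NaiveBank):
    """Also remembers every nonce it has honoured, so each order is credited once."""

    def __init__(self):
        super().__init__()
        self.seen_nonces = set()

    def receive(self, order, tag):
        if not hmac.compare_digest(mac(order), tag):
            return "rejected: bad MAC"
        if order["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(order["nonce"])
        self._credit(order)
        return "accepted"


def demo():
    """Run interception, replay, modification and fabrication against both receivers."""
    order, tag = make_order("ACC-0001", "100.00", nonce="constructed-nonce-1")
    results = {}
    for name, bank in (("naive", NaiveBank()), ("hardened", HardenedBank())):
        first = bank.receive(order, tag)                       # legitimate delivery
        replay = bank.receive(order, tag)                      # attacker re-sends the capture
        tampered = dict(order, amount="100000.00")             # attacker edits the amount
        modified = bank.receive(tampered, tag)                 # ... but cannot fix the tag
        forged, bad_tag = make_order("ACC-0666", "5.00", nonce="constructed-nonce-2")
        fabricated = bank.receive(forged, mac(forged, key=b"wrong-key"))  # no shared key
        results[name] = (first, replay, modified, fabricated, bank.balances["ACC-0001"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The unbounded `seen_nonces` set is the simplest correct form of the control; production receivers usually replace it with a per-sender sequence number or a sliding window plus a timestamp so the state stays bounded, but the property enforced is the same: a message is accepted at most once.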
Term
|
Definition
* "hacker": someone who (nonmaliciously) programs, manages, or uses computing systems
* "cracker": someone who attempts to access computing systems for malicious purposes. Crackers are the "evildoers." |
|
|
Term
|
Definition
| possibility for harm to occur |
|
|
Term
|
Definition
| formal name for the scrambling process |
|
|
Term
|
Definition
| an agreed-upon sequence of actions that leads to a desired result |
|
|
Term
| internal program controls |
|
Definition
| parts of the program that enforce security restrictions, such as access limitations in a database management program |
|
|
Term
| operating system and network system controls |
|
Definition
| limitations enforced by the operating system or network to protect each user from all other users |
|
|
Term
| independent control programs |
|
Definition
| application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities |
|
|
Term
|
Definition
| quality standards under which a program is designed, coded, tested, and maintained, to prevent software faults from becoming exploitable vulnerabilities |
|
|
Term
|
Definition
* hardware or smart card implementations of encryption
* locks or cables limiting access or deterring theft
* devices to verify users' identities
* firewalls
* intrusion detection systems
* circuit boards that control access to storage media |
|
|
Term
|
Definition
| locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters |
|
|
Term
| Principle of Effectiveness |
|
Definition
| Controls must be used—and used properly—to be effective. They must be efficient, easy to use, and appropriate |
|
|
Term
| Principle of Weakest Link |
|
Definition
| Security can be no stronger than its weakest link. Whether it is the power supply that powers the firewall or the operating system under the security application or the human who plans, implements, and administers controls, a failure of any control can lead to a security failure. |
|
|
Term
| four kinds of attacks on computing systems |
|
Definition
| interception, interruption, modification, and fabrication |
|
|
Term
|
Definition
| a system must be protected against penetration only so long as the penetration has value to the penetrator |
|
|
Term
|
Definition
*several different controls may apply to address a single vulnerability
*sometimes called a layered defense
* expectation that one control will compensate for a failure of another |
|
|
Term
|
Definition
| rely on agreed-upon procedures or policies among users |
|
|
Term
| Ex. of administrative control |
|
Definition
| frequent changes of passwords |
|
|