The following acronyms and terms are used in this chapter. For the purposes of this chapter, they are defined as follows:
Accountability
The traceability of actions performed on a system to a specific system entity or user.
Advanced Encryption Standard (AES)
The new U.S. standard for encrypting sensitive but unclassified data. Also known as Rijndael, this symmetric encryption standard can be implemented in one of three key sizes: 128, 192, and 256 bits. It is considered a fast, simple, robust encryption mechanism.
Authentication
A method of establishing who someone is. Authentication verifies the identity and legitimacy of an individual seeking access to a system and its resources. Common authentication methods include passwords, tokens, and biometric systems.
Authorization
The process of granting or denying access to a network resource based on the user's credentials.
Availability
Ensures that the systems responsible for delivering, storing, and processing data are available and accessible as needed by individuals who are authorized to use the resources.
Bell-LaPadula
This access control model was the first formal model developed to protect confidentiality. It is a state machine model that enforces confidentiality.
Biba
The Biba model was the first model developed to address the concerns of integrity. It does not address availability or confidentiality. It assumes that internal threats are already protected against and focuses on external threats.
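The Bell-LaPadula and Biba entries above describe two label-based state machine models that are exact duals of each other. The following added example (not code from the book) implements both as a tiny reference monitor so the four rules can be seen side by side: Bell-LaPadula's simple security property (no read up) and *-property (no write down), and Biba's simple integrity property (no read down) and integrity *-property (no write up). The level names, the lattices, and the function names blp_allows, biba_allows and evaluate are all constructed for this illustration.

```python
# Two ordered lattices, constructed for this example: a classification
# lattice for Bell-LaPadula and an integrity lattice for Biba. Position in
# the tuple is the rank, so "top_secret" dominates "secret" and so on.
CLASSIFICATION = ("unclassified", "confidential", "secret", "top_secret")
INTEGRITY = ("low", "medium", "high")


def rank(label: str, lattice: tuple) -> int:
    """Return the position of a label in its lattice (higher is more sensitive / trusted)."""
    return lattice.index(label)


def blp_allows(subject_label: str, object_label: str, operation: str) -> bool:
    """Bell-LaPadula (confidentiality):
    - simple security property: read only if subject clearance >= object classification (no read up)
    - *-property: write only if subject clearance <= object classification (no write down)
    """
    s, o = rank(subject_label, CLASSIFICATION), rank(object_label, CLASSIFICATION)
    if operation == "read":
        return s >= o
    if operation == "write":
        return s <= o
    raise ValueError(f"unknown operation: {operation}")


def biba_allows(subject_label: str, object_label: str, operation: str) -> bool:
    """Biba (integrity), the dual of Bell-LaPadula:
    - simple integrity property: read only if subject integrity <= object integrity (no read down)
    - integrity *-property: write only if subject integrity >= object integrity (no write up)
    """
    s, o = rank(subject_label, INTEGRITY), rank(object_label, INTEGRITY)
    if operation == "read":
        return s <= o
    if operation == "write":
        return s >= o
    raise ValueError(f"unknown operation: {operation}")


def evaluate(requests: list, policy) -> list:
    """Run a batch of (subject, object, operation) requests through one policy function
    and return (subject, object, operation, decision) tuples."""
    return [(subj, obj, op, policy(subj, obj, op)) for subj, obj, op in requests]


if __name__ == "__main__":
    # Constructed requests: a "secret" subject touching lower and higher objects.
    blp_requests = [
        ("secret", "confidential", "read"),   # read down: allowed
        ("secret", "top_secret", "read"),     # read up: denied
        ("secret", "confidential", "write"),  # write down: denied (would leak)
        ("secret", "top_secret", "write"),    # write up: allowed
    ]
    biba_requests = [
        ("medium", "low", "read"),    # read down: denied (untrusted data)
        ("medium", "high", "read"),   # read up: allowed
        ("medium", "low", "write"),   # write down: allowed
        ("medium", "high", "write"),  # write up: denied (would corrupt)
    ]
    for name, policy, reqs in (("Bell-LaPadula", blp_allows, blp_requests),
                               ("Biba", biba_allows, biba_requests)):
        print(name)
        for subj, obj, op, ok in evaluate(reqs, policy):
            print(f"  {subj:>10} {op:5} {obj:<12} -> {'ALLOW' if ok else 'DENY'}")
```

Read the two decision tables together and the duality is obvious: every case Bell-LaPadula permits for a read, Biba denies, and vice versa, which is why real systems that need both confidentiality and integrity cannot simply reuse one set of labels for both purposes.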
Clark-Wilson
This integrity-based access control model was developed with the intention to be used for commercial activities. This model dictates that the separation of duties must be enforced, subjects must access data through an application, and auditing is required.
Computer Emergency Response Team (CERT)
An organization developed to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve the organization's capability to respond to computer and network security issues.
Confidentiality
Data or information is not made available or disclosed to unauthorized persons.
Crossover error rate (CER)
The CER is a comparison measurement used to rate the accuracy of different biometric devices and technologies. The CER is the point at which FAR and FRR are equal, or cross over. The lower the CER, the more accurate the biometric system.
Data Encryption Standard (DES)
DES is a symmetric encryption standard that is based on a 64-bit block. DES processes 64 bits of plain text at a time to output 64-bit blocks of cipher text. DES uses a 56-bit key and has four modes of operation. Because DES has been broken, 3DES is more commonly used.
Defense in depth
The process of multilayered security. The layers may be administrative, technical, or logical.
Denial-of-service (DoS) attack
A type of attack that denies the organization access to resources. It typically works by flooding the network with useless traffic.
Discretionary Access Control
An access policy that allows the resource owner to determine access.
Encryption
The science of turning plain text into cipher text.
False acceptance rate (FAR)
This measurement evaluates the likelihood that a biometric access control system will wrongly accept an unauthorized user.
False rejection rate (FRR)
This measurement evaluates the likelihood that a biometric access control system will reject a legitimate user.
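The CER, FAR and FRR entries are easiest to understand as three views of one threshold sweep. The following added example (not code from the book) computes FAR and FRR from two constructed sets of biometric match scores, one from legitimate users and one from impostors, for every decision threshold, and then locates the threshold at which the two rates cross. The scores, the 0-100 score scale and the function names far, frr and find_crossover are all constructed for this illustration.

```python
# Constructed match scores on a 0-100 scale, as a biometric matcher might emit.
# Higher means "more similar to the enrolled template".
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 63, 58]   # legitimate users
IMPOSTOR_SCORES = [55, 49, 44, 60, 38, 33, 72, 28, 25, 20]  # unauthorized users


def far(impostor_scores: list, threshold: int) -> float:
    """False acceptance rate: fraction of impostor attempts that score at or
    above the threshold and are therefore wrongly accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores: list, threshold: int) -> float:
    """False rejection rate: fraction of legitimate attempts that score below
    the threshold and are therefore wrongly rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores: list, impostor_scores: list, thresholds=range(0, 101)) -> list:
    """Return (threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def find_crossover(genuine_scores: list, impostor_scores: list, thresholds=range(0, 101)) -> tuple:
    """Return (threshold, FAR, FRR) at the crossover point: the first threshold
    where |FAR - FRR| is smallest. With discrete scores the two rates may never be
    exactly equal, so the CER is reported as the rate at that nearest point."""
    best = None
    for t, f_acc, f_rej in sweep(genuine_scores, impostor_scores, thresholds):
        gap = abs(f_acc - f_rej)
        if best is None or gap < best[0]:
            best = (gap, t, f_acc, f_rej)
    _, t, f_acc, f_rej = best
    return t, f_acc, f_rej


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, f_acc, f_rej in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 76, 5)):
        print(f"{t:9d}  {f_acc:.2f}  {f_rej:.2f}")
    t, f_acc, f_rej = find_crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}: FAR={f_acc:.2f} FRR={f_rej:.2f} -> CER={f_acc:.2f}")
```

Moving the threshold trades one error for the other: a lower threshold admits more impostors (FAR rises) while turning away fewer legitimate users (FRR falls). The CER summarizes a device with a single number, but the threshold an organization actually deploys should be chosen by which error is more costly for the protected asset, not by the crossover alone.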
Hashing algorithm
Hashing is used to verify the integrity of data and messages. A well-designed hashing algorithm examines every bit of the data while it is being condensed, and even a slight change to the data will result in a large change in the message hash. It is considered a one-way process.
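The hashing entry makes two claims worth seeing in practice: a one-bit change in the input changes a large part of the digest, and the digest can be used to verify integrity. The following added example (not code from the book) uses Python's standard hashlib to flip a single bit of a constructed message, count how many of the 256 digest bits change, and then run an integrity check that compares digests in constant time. The message and the function names flip_bit, avalanche and verify_integrity are constructed for this illustration.

```python
import hashlib
import hmac

# Constructed sample message whose integrity we want to protect.
MESSAGE = b"Transfer 100 dollars to account 42"


def hexdigest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of data rendered as a string of '0'/'1' characters, one per bit."""
    return "".join(f"{byte:08b}" for byte in hashlib.new(algorithm, data).digest())


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 is the low bit of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: str, b: str) -> int:
    """Number of positions at which two equal-length bit strings differ."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b))


def avalanche(data: bytes, bit_index: int = 0, algorithm: str = "sha256") -> dict:
    """Flip one input bit and report how many digest bits change.
    A well-designed hash changes roughly half of the output bits."""
    original = digest_bits(data, algorithm)
    modified = digest_bits(flip_bit(data, bit_index), algorithm)
    changed = hamming_distance(original, modified)
    return {"bits": len(original), "changed": changed, "fraction": changed / len(original)}


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it to the expected value.
    hmac.compare_digest avoids early-exit timing differences when comparing."""
    return hmac.compare_digest(hexdigest(data, algorithm), expected_hex)


if __name__ == "__main__":
    reference = hexdigest(MESSAGE)
    print("sha256(message) =", reference)
    result = avalanche(MESSAGE, bit_index=0)
    print(f"one flipped input bit changed {result['changed']} of {result['bits']} "
          f"digest bits ({result['fraction']:.0%})")
    tampered = flip_bit(MESSAGE, 3)
    print("original verifies:", verify_integrity(MESSAGE, reference))
    print("tampered verifies:", verify_integrity(tampered, reference))
```

Note that a bare hash only detects accidental or unauthenticated modification: anyone who can alter the message can also recompute its hash. Binding the digest to a secret key (an HMAC) or to a signature is what turns integrity checking into protection against a deliberate attacker.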
Inference attacks
This form of attack relies on the attacker's ability to make logical connections between seemingly unrelated pieces of information.
Integrity
One of the three items considered to be part of the security triad; the others are confidentiality and availability. It is used to verify the accuracy and completeness of an item.
Mandatory access control
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (such as clearance) of subjects to access information of such sensitivity.
Redundant array of inexpensive disks (RAID)
A category of disk drives that employ two or more disk drives in combination for fault tolerance and performance gains.
Role-based access control
A form of access control that assigns users to roles based on their organizational functions and determines authorization based on those unique roles.
Social engineering
A nontechnical type of attack that relies heavily on human interaction and often involves tricking other people to break normal security procedures.
Trusted Computer Security Evaluation Criteria (TCSEC)
A collection of criteria used to grade or rate the security offered by a computer system product. Because each book in the series has a different color cover, the series is also known as the Rainbow Series.