AAA (authentication, authorization, accountability), BC1
absolute addressing, 228
abstraction, 171, BC1
abuse of resources, 255
access control, 155, 229, 232–235, BC1
Access Control domain
  data access controls, 63–67
  definition, 19–20, 39–40
  prep test questions about, 70–72
  resources for, 69
  services provided by, 42–43
  system access controls, 43–44, 59–62, BC27
  testing, 67–69
  types of, 40–42
access control list (ACL), 64, BC1
access logs, 356
access matrix model, 67, 233–234, BC1
access rights, with DAC, 63
accountability, 43, 170, BC1
accreditation, 133, 167, 241–242, BC1
accumulation of privileges, 250
active hub, 81
active IDS, 108
active monitor, on token-ring network, 84
ActiveX, for applets, 156
address bus, 226
Address Resolution Protocol (ARP), 91, 93, BC3
address space, BC1
administrative controls
  definition, 40–41, BC1
  for Operations Security domain, 261
  for Physical (Environmental) Security domain, 356–357
administrative management and control, 256–258
administrative (regulatory) laws, 306, BC1
Advanced Encryption Standard (AES), 203, BC2
advisory policies, 131
adware, BC2
agent, 155, BC2
agents of change, principles for, 33
aggregation, 159, 250–251, BC2
AH (Authentication Header), 107, 215, BC2
alarms, 350–351
ALE (Annualized Loss Expectancy), 142, 145, BC2
ALU (Arithmetic Logic Unit), 224
American National Standards Institute (ANSI), 200
American Society for Industrial Security (ASIS International), 375
analog signaling, 78
analytic attack, 217
annual maintenance fee (AMF), 27
Annualized Loss Expectancy (ALE), 142, 145, BC2
Annualized Rate of Occurrence (ARO), 142
anomaly-based IDS, 270
ANSI (American National Standards Institute), 200
antivirus (AV) software, 180–181, 248, BC2
applet, 155–156, 176, BC3
Application Layer (Layer 7), OSI model, 98–100
Application Layer, TCP/IP model, 100
application level firewall, BC2
application scan, 68, BC2
Application Security domain
  antivirus software, 180–181
  attack methods used on, 173–180
  databases, 158–161
  definition, 21–22, 153
  distributed applications, 154–156
  knowledge-based systems, 161–162
  object-oriented applications, 157–158
  perpetrators of attacks, 182–183
  prep test questions about, 185–187
  resources for, 184
  security controls, 169–173
  systems development life cycle, 162–169
application software, BC2
application-level gateway firewall, 102–103
architecture. See Security Architecture and Design domain
archives, BC3
ARCnet protocol, 84
Arithmetic Logic Unit (ALU), 224
ARO (Annualized Rate of Occurrence), 142
ARP (Address Resolution Protocol), 91, 93, BC3
artificial intelligence, 161–162
ASIS International (American Society for Industrial Security), 375
asset, 139, BC3
asset classification and control, 356
asset valuation, 140
Associate of (ISC)2, 32
asymmetric key cryptography, 203–207, BC3
asynchronous communication, 91
asynchronous dynamic password tokens, 54
ATM (Asynchronous Transfer Mode), 90, BC3
ATM (automatic teller machine), 44
Attachment Unit Interface (AUI), 78
attacks
  on access control systems, 62
  on applications, 173–180
  on cryptosystems, 217–219
  on HTTP and HTML, 115
  on networks, 117–118
  perpetrators of, 182–183
audit, BC3
audit trail
  components of records in, 263
  definition, BC3
  for Physical (Environmental) Security domain, 356
  problems in, 264–265
  protection of, 266–267
  reasons for, 262–263
  retaining, 265–266
  time synchronization for, 264
  types of, 263
auditing, 262
AUI (Attachment Unit Interface), 78
authentication
  biometrics and behavior, 48–53, 349, BC4
  cryptography for, 190
  definition, 42, BC3
  factors based on, 43–44
  identification component of, 44
  of messages, 207–210
  passwords, 45–48, 53, BC19
  PIN (personal identification number), 48, BC19
  SSO (single sign-on), 54–59
  three-factor authentication, 44
  tokens, 53–54
  two-factor authentication, 44
authentication, authorization, accountability (AAA), BC1
Authentication Header (AH), 107, 215, BC2
authorization, 42–43, BC3
automatic controls, 259, BC3
automatic teller machine (ATM), 44
AV (antivirus) software, 180–181, 248, BC2
availability, 125, 258, BC3