D


Data confidentiality

See Data privacy.

Data diddling
An attack in which the attacker changes the data while en route from source to destination.
Data-driven attack
An attack encoded in what appears to be ordinary data and is initiated by either a user or a process trigger. Such an attack may pass through the firewall in data form undetected and subsequently launch itself against system resources located behind the firewall.
Data Encryption Standard (DES)
The most common encryption algorithm with symmetric keys.
Data integrity
The reasonable assurance that data is not changed while en route from a sender to an intended recipient.
Data privacy
The reasonable assurance that data cannot be viewed by anyone other than the intended recipient.
Decision maker
A person who makes or approves policy. These people are often responsible for or own the resources to be protected.
Defense-in-Depth
An approach for establishing an adequate IA posture whereby (1) IA solutions integrate people, technology, and operations; (2) IA solutions are layered within and among IT assets; and (3) IA solutions are selected based on their relative level of robustness. Implementation of this approach recognizes that the highly interactive nature of information systems and enclaves creates a shared risk environment; therefore, the adequate assurance of any single asset depends on the adequate assurance of all interconnecting assets.
Delegation
The ability to empower a principal to act on behalf of another principal.
Denial-of-Service (DoS) attack
1. An attack where an attacker floods the server with bogus requests or tampers with legitimate requests. Although the attacker does not benefit, service is denied to legitimate users. This is one of the most difficult attacks to thwart. 2. The result of any action or series of actions that prevents any part of an information system from functioning normally.
Dictionary attack
1. A crude form of attack in which an attacker uses a large set of likely combinations to guess a secret. For example, an attacker may choose one million commonly used passwords and try them all until the password is determined. 2. A brute force technique of attacking by successively trying all of the variations of words found in a (usually large) list.
Diffie-Hellman
A public key algorithm in which two parties, who need not have any prior knowledge of each other, can deduce a secret key that is only known to them and secret from everyone else. Diffie-Hellman is often used to protect the privacy of a communication between two anonymous parties.
Digital certificate
A structure for binding a principal's identity to its public key. A certification authority issues and digitally signs a digital certificate.
Digital electronic signature
A process that operates on a message to ensure message source authenticity and integrity and may be required for source nonrepudiation.
Digital signature
A method for verifying that a message originated from a principal and that it has not changed en route. Digital signatures are typically performed by encrypting a digest of the message with the private key of the signing party.
Digital Signature Algorithm (DSA)
This algorithm uses a private key to sign a message and a public key to verify the signature. It is a standard proposed by the U.S. government.
Distributed Computing Environment (DCE)
Open Group's integration of a set of technologies for application development and deployment in a distributed environment. Security features include a Kerberos-based authentication system, GSS API interface, ACL-based authorization environment, delegation, and audit.
Distributed Denial-of-Service (DDoS) attack
A denial-of-service technique that uses numerous hosts.
Distributed tool
A tool deployed to multiple hosts that can be directed to anonymously perform an attack on a target host at some time in the future.
DNS spoofing
The action of assuming the domain name server (DNS) name of another system by either corrupting the name service cache of the victim or by compromising a DNS for a valid domain.
Downgrade
The change of a classification label to a lower level without changing the contents of the data. Downgrading occurs only if the content of a file meets the requirements of the sensitivity level of the network for which the data is being delivered.
Dual-homed gateway
A firewall consisting of a bastion host with two network interfaces: one of which is connected to the protected network, and the other of which is connected to the Internet. IP traffic forwarding is usually disabled, restricting all traffic between the two networks to whatever passes through some kind of application proxy.



Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153
