C Flashcards
Callback
A procedure for identifying a system that accessed an environment remotely. In a callback, the host system disconnects the caller and then dials… TBD
Capability
A capability outlines the objects a subject can access and the operations the subject can carry out on the different objects. It indicates the access rights for a specific subject; many times, the capability is in the form of a ticket.
Capability maturity model integration (CMMI)
A process model that captures the organization’s maturity and fosters continuous improvement.
Certification
The technical evaluation of the security components and their compliance for the purpose of accreditation. A certification process can use safeguard evaluation, risk analysis, verification, testing, and auditing techniques to assess the appropriateness of a specific system processing a certain level of information within a particular environment. The certification is the testing of the security component or system, and the accreditation is the approval from management of the security component or system.
Challenge/response method
A method used to verify the identity of a subject by sending the subject an unpredictable or random value. If the subject responds with the expected value in return, the subject is authenticated.
Ciphertext
Data that has been encrypted and is unreadable until it has been converted into plaintext.
Clark-Wilson model
An integrity model that addresses all three integrity goals: prevent unauthorized users from making modifications, prevent authorized users from making improper modifications, and maintain internal and external consistency through auditing.
Classification
A systematic arrangement of objects into groups or categories according to a set of established criteria. Data and resources can be assigned a level of sensitivity as they are being created, amended, enhanced, stored, or transmitted. The classification level then determines the extent to which the resource needs to be controlled and secured, and is indicative of its value in terms of information assets.
Cleartext
In data communications, cleartext is the form of a message or data which is transferred or stored without cryptographic protection.
Cloud computing
The use of shared remote computing devices for the purpose of providing improved efficiencies, performance, reliability, stability, and security.
Collusion
Two or more people working together to carry out a fraudulent activity. More than one person would need to work together to cause some type of destruction or fraud; this drastically reduces its probability.
Communication security
Controls in place to protect information as it is being transmitted, especially by telecommunications mechanisms.
Compartment
A class of information that has need-to-know access controls beyond those normally provided for access to confidential, secret, or top-secret information. A compartment is the same thing as a category within a security label. Just because a subject has the proper classification, that does not mean it has a need to know. The category, or compartment, of the security label enforces the subject’s need to know.
Compensating controls
Controls that are alternative procedures designed to reduce the risk. They are used to “counterbalance” the effects of an internal control weakness.
Compromise
A violation of the security policy of a system or an organization such that unauthorized disclosure or modification of sensitive information occurs.
Computer fraud
Computer-related crimes involving deliberate misrepresentation, modification, or disclosure of data in order to compromise a system or obtain something of value.
Confidentiality
A security principle that works to ensure that information is not disclosed to unauthorized subjects.
Configuration management
The identification, control, accounting, and documentation of all changes that take place to system hardware, software, firmware, supporting documentation, and test results throughout the lifespan of the system.
Confinement
Controlling information in a manner that prevents sensitive data from being leaked from a program to another program, subject, or object in an unauthorized manner.
Contingency plan
A plan put in place before any potential emergencies, with the mission of dealing with possible future emergencies. It pertains to training personnel, performing backups, preparing critical facilities, and recovering from an emergency or disaster so that business operations can continue.
Control zone
The space within a facility that is used to protect sensitive processing equipment. Controls are in place to protect equipment from physical or technical unauthorized entry or compromise. The zone can also be used to prevent electrical waves carrying sensitive data from leaving the area.
Copyright
A legal right that protects the expression of ideas.
Cost/benefit analysis
An assessment that is performed to ensure that the cost of a safeguard does not outweigh the benefit of the safeguard. Spending more to protect an asset than the asset is actually worth does not make good business sense. All possible safeguards must be evaluated to ensure that the most security-effective and cost-effective choice is made.
Countermeasure
A control, method, technique, or procedure that is put into place to prevent a threat agent from exploiting a vulnerability. A countermeasure is put into place to mitigate risk. Also called a safeguard or control.
Covert channel
A communications path that enables a process to transmit information in a way that violates the system’s security policy.
Covert storage channel
A covert channel that involves writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a resource (for example, sectors on a disk) that is shared by two subjects at different security levels.
Covert timing channel
A covert channel in which one process modulates its system resource (for example, CPU cycles), which is interpreted by a second process as some type of communication.
Cryptanalysis
The practice of breaking cryptosystems and algorithms used in encryption and decryption processes.
Cryptography
The science of secret writing that enables storage and transmission of data in a form that is available only to the intended individuals.
Cryptology
The study of cryptography and cryptanalysis.
Cryptosystem
The hardware or software implementation of cryptography.