Domain 3: Security Architecture and Engineering Flashcards
Algorithm
A mathematical function used in the encryption and decryption processes. It may be quite simple or extremely complex. Also defined as the set of instructions by which encryption and decryption is done.
Asymmetric Encryption
Process that uses different keys for encryption than it does for decryption, and in which the decryption key is computationally infeasible to determine given the encryption key itself, from plaintext and corresponding ciphertext, or from knowledge of the key generation or encryption algorithm.
Block Mode Encryption
Using fixed-length sequences of input plaintext symbols as the unit of encryption.
Ciphertext
The altered form of a plaintext message so as to be unreadable for anyone except the intended recipients. In other words, it has been turned into a secret.
Collision
This occurs when a hash function generates the same output for different inputs. In other words, two different messages produce the same message digest.
Crime Prevention Through Environmental Design (CPTED
An architectural approach to the design of buildings and spaces, which emphasizes passive features to reduce the likelihood of criminal activity
Cryptanalysis
The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
Cryptographic Hash, Cryptographic Hash Function
A process or function that transforms an input plaintext into a unique value called a hash (or hash value). These do not use cryptographic algorithms; the term “cryptographic” refers to the assertion that strong hash algorithms are one-way functions; that is, it is computationally infeasible to determine the input plaintext from the hash value and knowledge of the algorithm alone. Message digests are an example of the use of a cryptographic hash.
Cryptography
The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning.
Cryptosystem
The complete set of hardware, software, communications elements, and procedures that allows parties to communicate, store information, or use information that is protected by cryptographic means. The system includes the algorithm, key, and key management functions, together with other services that can be provided through cryptography.
Cryptovariable
One or more parameters inherent to a particular cryptographic algorithm and its implementation in a cryptosystem. Block size, key length, and number of iterations (or rounds) are examples.
Decoding
The reverse process of encoding, converting the encoded message back into its plaintext format.
Decryption
The reverse process of encryption. It is the process of converting a ciphertext message back into plaintext using the cryptographic algorithm and appropriate key for decryption (which is the same for symmetric encryption, but different for asymmetric encryption). This term is also used interchangeably with “deciphering.”
Encoding
The action of changing a message or other set of information into another format using a code. Unlike encryption, which obscures or hides the meaning, encoded information can still be read by anyone with knowledge of the encoding process.
Encryption
The process and act of converting the message from its plaintext into ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
Encryption System
The total set of algorithms, processes, hardware, software, and procedures that taken together provide an encryption and decryption capability.
Frequency Analysis
A form of cryptanalysis that uses the frequency of occurrence of letters, words, or symbols in the plaintext alphabet as a way of reducing the search space.
Hybrid Encryption System
A system that uses both symmetric and asymmetric encryption processes.
What are the encryption systems? symm and Asymm
In Band
Refers to transmitting or sharing control information, such as encryption keys and cryptovariables, over the same communications path, channel, or system controlled or protected by that information.
Key
The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.
Key Escrow
A process by which keys (asymmetric or symmetric) are placed in a trusted storage agent’s custody for later retrieval. The trustworthiness of the encryption system(s) being used is thus completely placed in the escrow agent’s control.
Symmetric cryptosystem
use a shared secret key available to all users of the cryptosystem
Integrity
ensures that data is not altered without authorization
Digital signatures
Message integrity is enforced through the use of encrypted message digests
a recipient can verify the message digest is valid and data not altered in transit
Key space
the range of values that are valid for use as a key for a specific algorithm
Kerckhoff’s Principle
that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge
Cryptovariables
cryptographic keys
One way function
hash, mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values
Nonce
is a random number that acts as a placeholder variable in mathematical functions
Split knowledge
separation of duties and two-person control contained in a single solution
Recovery agent
the third party in a split knowledge setup, that uses the key escrow
Transposition Ciphers
uses an encryption algorithm to rearrange the letters of a plaintext message
Columnar transposition
Substitution cipher
use the encryption algorithm to replace each character or bit of the plaintext message with a different character
Caesar Cipher, ROT13, Vigenere system
One Time Pad
use a different substitution alphabet for each letter of the plaintext message.
- must be randomly generated
- must be physically protected against disclosure
- each one-time pad must only be used once
- the key must be as long as the message to be encrypted
Block cipher
operate on chunks or blocks, of a message and apply the encryption algorithm to an entire message block at the same time
most modern encryption algorithms use a type of block cipher
Stream cipher
operate on one character or bit of the message at a time
one-time pad, caesar cipher
Hybrid cryptography
Combines both Symmetric and Asymmetric key encryptions because of the slow speed of operation for asymmetric.
Hashing collision
Occurs when a hash function creates the same value for two different methods. Two messages create the same hash value
Electronic Code Block (ECB)
Least secure, encrypts blocks of 64 meaning encrypted blocks could repeat. More easy to break because of the less randomness
Cipher block Chaining Mode (CBC)
each block of unencrypted test is XORed with the block of ciphertext immediately preceding it before it is encrypted
encryption blocks are chained together
Cipher Feedback (CFB)
Streaming cipher version of CBC. Uses memory buffers in real time instead of blocks. bit by bit
Output feedback mode (OFB)
Ciphers operate in almost the same fashion as they do in CFB, but instead of being XORed it XORs the plaintext with a seed value, no chaining functions and transmission errors do not propogate
Counter Mode (CTR)
uses a stream cipher similar to that used in CFB and OFB Just uses a counter instead of a seed value
Galois/Counter Mode (GCM)
same as CTR but includes authentication tags to the encryption process for more authenticity
Data Encryption Standard (DES)
56-bit and operates in long series of XOR operations, lots of flaws, not secure anymore. Operates in all the cipher modes
Triple DES
slightly stronger than DES, but 3 keys and longer 168-bit, flawed and should not be used
Blowfish
Block cipher, 64-bit, key length 32-448 bits
Blowfish sounds weird, 448 bits is weird
Skipjack
Block Cipher, 64-bit, 80-bit key
Rivest cipher 4 (RC4)
Stream Cipher, 40-2048bits, key, no block size
Rivest Cipher 5 (RC5)
block: 32, 64, 128 Key 0-2040
Rivest Cipher 6 (RC6)
Block: 128, Key: 128, 192, 256
Skipjack
Block Size: 64 Key 80
3DES
Block size: 64 Key: 112 or 168
3D blocks
CAST-128
Block: 64 Key: 40-128
CAST-256
Block 128 Key: 128, 160,192, 224, 256
Offline distribution
Physical exchanging of keys
Public Key Encryption
Use of a public key to setup initial communication, once the link is established a secret key can be securely transferred over the public key link.
Hardware Security Module (HSM)
Dedicated hardware devices used to manage crypto keys. Expensive to implement
Symmetric Key Exposure Formula
of keys = n(n-1) / 2
Hashed Message Algorithm Code (HMAC)
implements a partial digital signature, guarantees the integrity of a message during transmissions
does not provide nonrepudiation
Digital Certificates
provide communication parties with the assurance that the people they are communicating with truly are who they claim to be.
Digital Certificate Standard
X.509 - which means they conform to the long list of data contained certificate.
serial number, issuer name, signature algorithm, validity period, public key, and more
Certificate Authority
the glue that binds the public key infrastructure together, being a neutral organization that notarizes digital certificates.
Registration Authorities
assist Certificate authorities by taking the burden of verifying user’s identities prior to issuing a digital certificate.
Self-signed certificates
for use inside an organization, may be configured to trust the internal CA, saving some expense for obtaining it from a third party.
Certificate Signing Request
after properly enrolling with a CA by identifying yourself, this request takes your public key and the CA creates an X.509 digital certificate registered to you
S/MIME
x.509 certificate for exchanging keys. Uses RSA encryption algorithm standard for encrypted email
Transport Layer Security (TLS)
Uses the exchange of digital certificates to negotiate encryption/decryption between the browser and web server.
Creates that secure communication between a user browsing a website
Perfect forward secrecy
layers of encryption prevent nodes in the relay chain from reading anything other than the specific information they need to accept and forward the traffic
Steganography
art of using cryptographic techniques to embed secret messages within another message
Link Encryption
protects communication circuits by creating a secure tunnel between two points. Everything including the header, trailer, address, and routing data is encrypted
End-to-End Encryption
protects communication between two parties and is performed independently of link encryption
Faster that link because it does not encrypt headers, addresses, routing data and therefor susceptible to eavesdropping
IPsec
Provides complete infrastructure for secured network communications.
Tunnel Mode
IPsec, entire packet including the header is encrypted in communication.
Transport mode
only the packet payload is encrypted for end-to-end encryption
Security Association
the session you create with IPsec, represents the communication session and records and configuration and status information about the connection.
Homomorphic encryption
technology that allows you to perform computations on data that is encrypted,
Analytic Attack
algebraic manipulation that attempts to reduce the complexity of the algorithm
Implementation Attack
exploits weaknesses in the implementation of the cryptographic system. Exploiting software code
Statistical Attack
attacks statistical weaknesses like floating point errors, and the inability to produce truly random numbers
Fault Injection Attack
attackers attempt to compromise the integrity of the cryptographic device causing some internal error
Side-Channel Attack
Attack the systems surrounding the cryptography to find changes in cpu, power consumption, etc.
Timing Attack
Type of side channel attack that measures precisely how long it takes to encrypt something.
Replay Attack
Capturing the encrypted message, and then ‘replays’ that message to initiate a session
Closed System
designed to work well with a narrow range of other systems
Open system
designed using agreed-upon industry standards, much easier to integrate with out manufacturers.
Fail-Securely
it will fail in a secured manner by default if there is a system crash, reducing potential data exposure and other security risks
Fail-Soft
Allows a system to keep running after a component fails
Fail-Safe
When a failure occurs, the system will revert back to a point that protects the health and safety of people.
Emergency door must open always, despite the risk
Don’t Repeat Yourself
Eliminate redundancy by not having the same code in multiple places
Computing Minimalism
Craft code to use the least necessary hardware.
Worse is Better
quality of software does not necessarily get better with more capabilities or functions.
Zero Trust
nothing inside the organization is automatically trusted.
Every request for access or activity is assumed to be from an unknown or untrusted location. everything is always verified
Assume a breach has already occured
Privacy by Design
guideline to integrate privacy protections into products during the early design phase rather than tacking it on later.
Trusted Computing Base
design principle that is the combination of hardware, software, and controls hat work together to form a trusted base to enforce your security policy .
State Machine Model
Describes a system in which is always secure no matter the state it is in.
Secure state machine
system always boots in a secure state, maintains a secure state across all transitions
Information Flow Model
Focuses on controlling the flow of information, based on the state model, Look at how information flows and whether or not its secure
Bell-LaPadula Model
Dept of Def, clearance levels and need to know,
Can’t read a higher clearance level, and you can’t write DOWN to a lower clearance level.
Biba Model
Opposite of Bell-LaPadula, More about the modification of objects and data. Designed to address integrity issues of objects
Lacks confidentiality and availability
Clark-Wilson Model
Multifaceted approach to enforcing data integrity where the formal state machine limits modification to a system through a limited or controlled intermediary program or interface
Restricted Interface Model
Enforces separation of duties
Brewer and Nash Model
permits access controls to change dynamically based on user’s previous activities.
Goguen–Meseguer model
An integrity model based on predetermining the set or domain of objects that a subject can access.
Foundation of noninterference model
noninterference model
A model loosely based on the information flow model. The noninterference model is concerned with the actions of one subject affecting the system state or actions of another subject.
Sutherland model
An integrity model that focuses on preventing interference in support of integrity.
Graham–Denning model
A security model focused on the secure creation and deletion of both subjects and objects.
Harrison–Ruzzo–Ullman (HRU) model
A security model that focuses on the assignment of object access rights to subjects as well as the resilience of those assigned rights. It is an extension of the Graham–Denning model.
Common Criteria (CC)
The loosely used phrase for the combination of the Common Criteria for IT Security Evaluation (CC) and the Common Methodology for IT Security Evaluation (CEM). Together these form the Common Criteria Recognition Agreement (CCRA). Simplified, this provides a means via the Common Criteria certification process for independently evaluating products in licensed labs and providing a level of assurance regarding product security. Defined in ISO/IEC 15408.
authorization to operate (ATO)
Often related to government or military agencies or contractors, an ATO is the formal approval to perform business functions once compliance with a contract, standard, framework, or regulation is confirmed. An ATO is often issued for a limited period of time and can be lost or canceled by the approving authority at any time based on any significant change to the environment.
Authorizing Official (AO)
An authorized entity who can evaluate an IT/IS system, its operations, and its risks, and potentially issue an ATO. Aka designated approving authority (DAA), Approving Authority (AA), Security Control Assessor (SCA), and Recommending Official (RA).
5 years
Trusted Platform Module (TPM)
A specification for a cryptoprocessor as well as the chip in a mainboard supporting this function. A TPM chip is used to store and process cryptographic keys for the purposes of a hardware- supported/implemented hard drive encryption system.
constrained interface
An access control used in applications that restrict what users can do or see based on their assigned privileges. Subjects with restricted privileges have limited access. Aka restricted interface.
fault tolerance
The ability of a system to suffer a fault but continue to operate and/or without losing data. Fault tolerance is achieved by adding redundant components such as additional disks within a redundant array of independent disks (RAID) or additional servers within a failover clustered configuration.
Multitasking
A system handling two or more tasks simultaneously
Multicore
A CPU chip containing two, four, eight, dozens, or more independent execution
cores that can operate simultaneously and/or independently. There are even some specialty
chips with over 10,000 cores.
Multiprogramming
The pseudo-simultaneous execution of two tasks on a single processor
coordinated by the operating system for the purpose of increasing operational efficiency.
Multiprogramming is considered a relatively obsolete technology and is rarely found in use
today except in legacy systems.
Multithreading
A process that allows multiple users to use the same process without interfering with each other
Protection Rings
A security design that organizes code and components in an operating system
(as well as applications, utilities, or other code that runs under the operating system’s control) into
concentric rings, each having increasing or decreasing levels of capabilities and access
Ring 0: OS Kernel/Memory
Ring 1: Other OS Components
Ring 2: Drivers, protocols
Ring 3: User-level programs
Privileged Mode
The mode designed to give the operating system access to the full range
of instructions supported by the CPU. Aka kernel mode. See also protected mode.
Ring 0-2
Mediated-access model
When a process that runs in a higher-numbered ring must ask a
handler or a driver in a lower-numbered ring for services they need. Aka system call.
electrically erasable programmable read-only memory (EEPROM)
A version of ROM
that can be erased with an electrical signal. EEPROMs can be erased without removal from
the computer, giving them much greater flexibility than standard PROM and EPROM chips.
Sometimes referred to incorrectly as electronically erasable PROM (EEPROM).
Read-only memory
Memory that can be read but cannot be written to.
programmable read-only memory (PROM)
A PROM chip that does not have its contents
“burned in” at the factory as is done with standard ROM chips. Instead, special functionality
is installed that allows the end user to burn in the contents of the chip.
Flash memory
A concept derived from EEPROM. It is a nonvolatile form of storage
media that can be electronically erased and rewritten. The primary difference between
EEPROM and flash memory is that EEPROM must be fully erased to be rewritten whereas
flash memory can be erased and written in blocks or pages. The most common type of flash
memory is NAND flash. It is widely used in memory cards, thumb drives, mobile devices,
and SSDs (solid-state drives).
Random Access Memory (RAM)
Readable and writable memory that contains information
the computer uses during processing. RAM retains its contents only when power is continuously supplied to it.
Cache RAM
A process that takes data from slower devices and temporarily stores it in
higher-performance devices when its repeated use is expected.
Register
A limited amount of onboard memory in a CPU.
register address
The address of a register, which is a small memory location directly on the CPU. When the CPU needs information from one of those registers to complete an operation, it can simply use the register address (for example, “register one”) to access the information.
immediate addressing
A way of referring to data that is supplied to the CPU as part of an instruction.
memory addressing
The means of referring to various locations in memory. See register addressing, immediate addressing, direct addressing, indirect addressing, and base+offset addressing.
direct addressing
A process by which the CPU is provided with the actual address of the memory location to be accessed.
indirect addressing
The memory address that is supplied to the CPU as part of the instruction and doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page). The CPU then retrieves the actual operand from that address.
base+offset addressing
An addressing scheme that uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from the computed memory location.
secondary memory
Magnetic/optical media and other storage devices that contain data not immediately available to the CPU.
swap file, pagefile, paging file
A special storage file used when virtual memory is enabled to use space on a storage device to expand the addressable memory space of a system.
virtual memory
A special type of secondary memory that is managed by the operating system in such a manner that it appears to be real memory.
primary storage
The RAM that a computer uses to keep necessary information readily available.
secondary storage
Data repositories that include magnetic and optical media, such as tapes, disks, hard drives, and CD/DVD storage.
volatile storage
A storage medium, such as RAM, that loses its contents when power is removed from the resource.
nonvolatile storage
A storage system that does not depend on the presence of power to maintain its contents, such as magnetic/optical media and nonvolatile RAM (NVRAM).
random access storage
Devices, such as RAM and hard drives, that allow the operating system to request contents from any point within the media.
sequential storage
Devices that require that you read (or speed past) all of the data physically stored prior to the desired location. A common example of a sequential storage device is a magnetic tape drive.
data remnants, data remanence
Data that remains on media after the data has been supposedly removed. Sanitization methods attempt to ensure that all data is removed from media without any data remnants/remanence remaining.
emanations
Electromagnetic or radio frequency signals that may contain data that can be intercepted through eavesdropping on those signals.
TEMPEST
The study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EM and RF radiation from leaving a strictly defined area so as to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.
Unified Extensible Firmware Interface (UEFI)
A replacement or improvement to the basic input/output system (BIOS) that provides support for all of the same functions as BIOS with many improvements, such as support for larger hard drives (especially for booting), faster boot times, enhanced security features, and even the ability to use a mouse when making system changes (BIOS was limited to keyboard control only). See measured boot.
BIOS (Basic Input/Output System)
The basic low- end firmware or software embedded in the hardware’s electrically erasable programmable read- only memory (EEPROM). See also Unified Extensible Firmware Interface (UEFI).
applet
Code objects sent from a server to a client to perform some action. Applets are self- contained miniature programs that execute independently of the server that sent them.
parallel data systems, parallel computing
A computation system designed to perform numerous calculations simultaneously. Parallel data systems often go far beyond basic multiprocessing capabilities. They often include the concept of dividing up a large task into smaller elements and then distributing each subelement to a different processing subsystem for parallel computation. This implementation is based on the idea that some problems can be solved efficiently if they are broken into smaller tasks that can be worked on concurrently. Aka large- scale parallel data systems.
symmetric multiprocessing (SMP
A type of system in which the processors share not only a common operating system but also a common data bus and memory resources. The collection of processors also works collectively on a single task, code, or project.
asymmetric multiprocessing (AMP)
A form of multiprocessing where the processors are often operating independently of each other. Usually each processor has its own OS and/or task instruction set. Under AMP, processors can be configured to execute only specific code or to operate on specific tasks (or vice versa, where specific code or tasks are allowed to run only on specific processors; this might be called affinity in some circumstances).
grid computing
A form of parallel distributed processing that loosely groups a significant number of processing nodes toward the completion of a specific processing goal.
industrial control system (ICS
A form of computer- management device that controls industrial processes and machines. ICSs are used across a wide range of industries, including manufacturing, fabrication, electricity generation and distribution, water distribution, sewage processing, and oil refining. There are several forms of ICS, including distributed control systems (DCSs), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA).
SCADA (Supervisory Control and Data Acquisition)
A type of industrial control system (ICS). An ICS is a form of computer- management device that controls industrial processes and machines.
High-performance Computing
Computing platforms designed to perform complex calculations or data manipulations at extremely high speeds. Supercomputers and MPP solutions are common examples of HPC systems. HPC systems are used when real- time or near- real- time processing of massive data is necessary for a particular task or application. These applications can include scientific studies, industrial research, medical analysis, societal solutions, and commercial endeavors.
real- time operating system (RTOS)
An OS designed to process or handle data as it arrives on the system with minimal latency or delay. An RTOS is usually stored on read- only memory (ROM) and is designed to operate in a hard real- time or soft real- time condition.
Industrial Internet of Things (IIoT)
A derivative of IoT that focuses more on industrial, engineering, manufacturing, or infrastructure level oversight, automation, management, and sensing. IIoT is an evolution of ICS and DCS that integrates cloud services to perform data collection, analysis, optimization, and automation.
edge computing
A computation architecture that is part of the Industrial Internet of Things (IIoT). In edge computing, the intelligence and processing are contained within each device, which is at or near the edge of the network. See fog computing.
embedded system
A computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller (an integrated chip with on- board memory and peripheral ports).
static system, static environment
A set of conditions, events, and surroundings that don’t change. In theory, once understood, a static environment doesn’t offer new or surprising elements. A static IT environment is any system that is intended to remain unchanged by users and administrators. The goal is to prevent or at least reduce the possibility of a user implementing change that could result in reduced security or functional operation.
network-enabled devices
Any type of device (whether mobile or stationary) that has native network capabilities. This generally assumes the network in question is a wireless type of network, primarily that provided by a mobile telecommunications company. However, it can also refer to devices that connect to Wi- Fi (especially when they can connect automatically), devices that share data connectivity from a wireless telco service (such as a mobile hot spot), and devices with RJ- 45jacks to receive a standard Ethernet cable for a wired connection.
cyberphysical system, cyber- physical system
A computer system that can interact with the real world, such as take measurements with a sensor, control lights, open doors, turn on motors, and so forth. See Internet of Things (IoT) and industrial control system (ICS).
multifunction devices (MFDs)
Devices that are combinations of several products into one, such as a combined printer, scanner, and fax machine. Aka all- in- one device. See multifunction printers (MFPs).
wrapper
Something used to enclose or contain something else. Wrappers are well known in the security community in relation to Trojan horse malware. A wrapper of this sort is used to combine a benign host with a malicious payload. Wrappers are also used as encapsulation solutions. Some static environments may be configured to reject updates, changes, or software installations unless they’re introduced through a controlled channel or wrapper.
micro-services, micro-API, microservices
An emerging feature of web- based solutions that derives from service- oriented architecture (SOA). A micro- service is simply one element, feature, capability, business logic, or function of a web application that can be called upon or used by other web applications.
service- oriented architecture (SOA)
A means to construct new applications or functions out of existing but separate and distinct software services.
infrastructure as code (IaC)
Infrastructure as code is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands- on, one- on- one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevOps
virtualization
A technology used to host one or more operating systems within the memory of a single host computer. This mechanism allows practically any operating system to operate on any hardware. Aka virtualization technology.
hypervisor
The component of virtualization that creates, manages, and operates the virtual machines. The computer running the hypervisor is known as the host and the OSs running within a hypervisor- supported virtual machine are known as guest OSs. Aka virtual machine monitor (VMM) and virtual machine manager (VMM).
type 1 hypervisor
A native or bare- metal hypervisor. In this configuration, there is no host operating system (OS); instead, the hypervisor installs directly onto the hardware where the host OS would normally reside.
type 2 hypervisor
A hosted hypervisor. In this configuration, a standard regular operating system (OS) is present on the hardware, and then the hypervisor is installed as another software application.
virtual application
A software product deployed in such a way that it is fooled into believing it is interacting with a full host OS. A virtual (or virtualized) application has been packaged or encapsulated so that it can execute but operate without full access to the host OS or platform. Aka guest application and virtual software.
containerization
The next step in the evolution of the virtualization trend for both internally hosted systems and cloud providers and services. Containerization is based on the concept of eliminating the duplication of OS elements and removing the hypervisor altogether. Instead, each application is placed into a container that includes only the resources needed to support the enclosed application. There are many different technological solutions that are grouped into the concept of containerization. Some refer to the application instances as containers, zones, cells, virtual private servers, partitions, virtual environments, virtual kernels, or jails. Aka OS virtualization.
unified endpoint management (UEM
A type of software tool that provides a single management platform to control mobile, PC, IoT, wearables, ICS, and other devices. It replaces mobile device management (MDM) and enterprise mobility management (EMM) products.
mobile application management (MAM)
A software product similar to a mobile device management (MDM) product, but it focuses on app management rather than the entire mobile device.
geofencing
The designation of a specific geographical area that is then used to implement features on mobile devices. A geofence can be defined by GPS coordinates, wireless indoor positioning systems, or presence or lack of a specific wireless signal.
process isolation
One of the fundamental security procedures put into place during system design. Basically, using process isolation mechanisms (whether part of the operating system or part of the hardware itself) ensures that each process has its own isolated memory space for storage of data and the actual executing application code itself
covert timing channel
A channel that conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner.
covert storage channel
A channel that conveys information by writing data to a common storage area where another process can read it.
covert channel
The means by which data can be communicated outside of normal, expected, or detectable methods. See covert storage channel and covert timing channel.
