NIST Information Security Terms Flashcards
NISTIR 7298 Revision 2: Familiarization with key information security terms
Access
Ability to make use of any information system (IS) resource.
SOURCE: SP 800-32
Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
SOURCE: CNSSI-4009
Access Authority
An entity responsible for monitoring and granting access privileges for other authorized entities.
SOURCE: CNSSI-4009
Access Control
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
SOURCE: FIPS 201; CNSSI-4009
Access Control List (ACL)
- A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
- A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
SOURCE: CNSSI-4009
Access Control Lists (ACLs)
A register of:
1. users (including groups, machines, processes) who have been given permission to use a particular system resource, and
2. the types of access they have been permitted.
SOURCE: SP 800-12
Access Control Mechanism
Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
SOURCE: CNSSI-4009
Access Level
A category within a given security classification limiting entry or system connectivity to only authorized persons.
SOURCE: CNSSI-4009
Access List
Roster of individuals authorized admittance to a controlled area.
SOURCE: CNSSI-4009
Access Point
A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.
SOURCE: SP 800-48; SP 800-121
Access Profile
Association of a user with a list of protected objects the user may access.
SOURCE: CNSSI-4009
Access Type
Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. See Write.
SOURCE: CNSSI-4009
Account Management, User
Involves
1) the process of requesting, establishing, issuing, and closing user accounts;
2) tracking users and their respective access authorizations; and
3) managing these functions.
SOURCE: SP 800-12
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE: SP 800-27
Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
SOURCE: CNSSI-4009
Accounting Legend Code (ALC)
Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System.
SOURCE: CNSSI-4009
Accounting Number
Number assigned to an item of COMSEC material to facilitate its control.
SOURCE: CNSSI-4009
Accreditation
See Authorization
Accreditation Authority
See Authorizing Official
Accreditation Boundary
See Authorization Boundary
Accreditation Package
Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision.
SOURCE: CNSSI-4009
Accrediting Authority
Synonymous with Designated Accrediting Authority (DAA). See also Authorizing Official.
SOURCE: CNSSI-4009
Activation Data
Private data, other than keys, that are required to access cryptographic modules.
SOURCE: SP 800-32
Active Attack
An attack that alters a system or data.
SOURCE: CNSSI-4009
An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
SOURCE: SP 800-63
Active Content
Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
SOURCE: SP 800-28
Software in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user.
SOURCE: CNSSI-4009
Active Security Testing
Security testing that involves direct interaction with a target, such as sending packets to a target.
SOURCE: SP 800-115
Activities
An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
SOURCE: SP 800-53A
Ad Hoc Network
A wireless network that dynamically connects wireless client devices to each other without the use of an infrastructure device, such as an access point or a base station.
SOURCE: SP 800-121
Add-on Security
Incorporation of new hardware, software, or firmware safeguards in an operational information system.
SOURCE: CNSSI-4009
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
SOURCE: SP 800-53; FIPS 200; OMB Circular A-130, App. III
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
SOURCE: CNSSI-4009; SP 800-37
Administrative Account
A user account with full privileges on a computer.
SOURCE: SP 800-69
Administrative Safeguards
Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity’s workforce in relation to protecting that information.
SOURCE: SP 800-66
Advanced Encryption Standard (AES)
The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
SOURCE: FIPS 197
A U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
SOURCE: CNSSI-4009
Advanced Key Processor (AKP)
A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).
SOURCE: CNSSI-4009
Advanced Persistent Threat (APT)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
SOURCE: SP 800-39
Adversary
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
SOURCE: SP 800-30
Advisory
Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems.
SOURCE: CNSSI-4009
Agency
Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
SOURCE: FIPS 200; 44 U.S.C., Sec. 3502
See also Executive Agency.
Agency Certification Authority (CA)
A CA that acts on behalf of an agency and is under the operational control of an agency.
SOURCE: SP 800-32
Agent
A program acting on behalf of a person or organization.
SOURCE: SP 800-95
Alert
Notification that a specific attack has been directed at an organization’s information systems.
SOURCE: CNSSI-4009
Allocation
The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
SOURCE: SP 800-37
Alternate COMSEC Custodian
Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian.
SOURCE: CNSSI-4009
Alternate Work Site
Governmentwide, national program allowing federal employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting).
SOURCE: CNSSI-4009
Analysis
The examination of acquired data for its significance and probative value to the case.
SOURCE: SP 800-72
Anomaly-Based Detection
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
SOURCE: SP 800-94
Anti-jam
Countermeasures ensuring that transmitted information can be received despite deliberate jamming attempts.
SOURCE: CNSSI-4009
Anti-spoof
Countermeasures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.
SOURCE: CNSSI-4009
Antispyware Software
A program that specializes in detecting both malware and non-malware forms of spyware.
SOURCE: SP 800-69
Antivirus Software
A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
SOURCE: SP 800-83
Applicant
The subscriber is sometimes called an “applicant” after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.
SOURCE: SP 800-32
Application
A software program hosted by an information system.
SOURCE: SP 800-37
Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.
SOURCE: CNSSI-4009
Approval to Operate (ATO)
The official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
SOURCE: CNSSI-4009
Approved
Federal Information Processing Standard (FIPS)-approved or National Institute of Standards and Technology (NIST)-recommended. An algorithm or technique that is either
1) specified in a FIPS or NIST Recommendation, or
2) adopted in a FIPS or NIST Recommendation.
SOURCE: FIPS 201
Approved
FIPS-approved and/or NIST-recommended.
SOURCE: FIPS 140-2
FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, 2) adopted in a FIPS or NIST Recommendation, or 3) specified in a list of NIST-approved security functions.
SOURCE: FIPS 186