Information Security Concepts
Trusted OS
A trusted OS provides sufficient support for multilevel security and sufficient evidence of correctness to satisfy a given set of (government or organizational) requirements (i.e. a security policy).
Multi-level Security
A secure-technology strategy designed to prevent secrets from leaking between computer systems or users, when some of them have access to those secrets but others do not.
Security Policy
A documented statement that defines what security is expected from a system.
OS Kernel
“The part of an operating system that performs the lowest-level functions.”
Security Kernel
A separate portion of the OS kernel responsible for security functionality.
Data
Individual “facts” that can be used to develop one or more conclusions. “Consumable” digital assets: Programming data types. Multimedia/unstructured data. Results from measurement or characterization.
Information
Knowledge that can be derived from a collection of related data items. Data processed into an “informative format” that can be understood by its intended audience.
DOS
A general category of system attack in which access to network-based applications or data is denied to intended users.
SQL Injection Attack
A code injection technique that exploits a security vulnerability in the database layer of a software application.
User Authentication
The process of establishing or confirming someone (i.e. a user) or something (i.e. an application) as “authentic.” Are “who” they represent themselves to be.
Access Privilege
The right, or opportunity, to use a computer system in a specific way.
Audit Trail
The complete history of a given process, that identifies each step taken from initiation all the way through to completion.
Backup Data
Valuable data/information that is: -Duplicated to ensure protection against loss, and/or -Not currently in use by an organization, and is typically stored separately, on portable media to: -Free up space, and -Support data recovery in case of a disaster.
Intrusion Detection
The act of identifying attempts to compromise the IA of a resource.
Authentication
The process of identifying and approving a database user’s right to access a database.
Authorization
The process of granting a valid database user the rights to access, or use, various database objects, privileges, and resources.
Role
A named group of related privileges
Principle of Least Privilege
Database users should only be granted the minimum amount of privilege necessary to do their assigned tasks.
Encryption
Converting sensitive data into an encoded format, called a ciphertext, so that it cannot be easily understood by unauthorized individuals.
Obfuscation
A protection mechanism that obscures information so that it cannot be readily interpreted.
Infer
To come to a conclusion or to reason out a solution based upon either evidence or surmise.
Software Fingerprint
Evidence that can be used to identify a software component.
Network Scanning
The second step in network intelligence gathering, in which software tools are used to locate and identify active hosts – i.e. client and server resources on a network.
Denial-of-Service Attack (DoS)
Nefarious actions by attacker(s) specifically designed to prevent the legitimate users of a service from being able to access that service.
Vulnerability Assessment
Using a manual – or better, an automatic – process to connect to a system and check for security weaknesses.
Security Monitoring
Act of listening to, copying, or recording communications on one’s own systems to determine the level of security provided.