20 August 2019

🛡️Information Security: Cryptanalysis (Definitions)

"Cryptanalysis is the science of analyzing cryptographic methods and algorithms, generally probing them for weaknesses. Cryptanalysts devise new methods of defeating cryptographic algorithms." (Michael Coles & Rodney Landrum, , "Expert SQL Server 2008 Encryption", 2008)

"The science (or art) of breaking cryptographic algorithms." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"The study of mathematical techniques designed to defeat cryptographic techniques. Collectively, a branch of science that deals with cryptography and cryptanalysis is called cryptology. " (Alex Berson & Lawrence Dubov, "Master Data Management and Data Governance", 2010)

"The art of breaking ciphertext." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Practice of uncovering flaws within cryptosystems." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The process of decrypting a message without knowing the cipher or key used to encrypt it" (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"The practice of breaking cryptosystems and algorithms used in encryption and decryption processes." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"The process of breaking encryption without the benefit of the key under which data was encrypted." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"Cryptanalysis refers to the study of the cryptosystem or ciphertext to crack the confidentiality of the underlying information and try to gain unauthorized access to the content." (Shafali Agarwal, "Preserving Information Security Using Fractal-Based Cryptosystem", Handbook of Research on Cyber Crime and Information Privacy, 2021)

🛡️Information Security: Advanced Persistent Threat [APT] (Definitions)

"A sustained, human-intensive attack that leverages the full range of computer intrusion techniques." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"A group or entity that has the capability and intent to persistently target a specific organization. They typically have the backing of an organization with almost unlimited resources, such as a government." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry. APTs differ from other types of attack in their careful target selection and persistent, often stealthy, intrusion efforts over extended periods." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"Sophisticated attacks that are carefully crafted by hostile governments or organizations, usually for political vengeance or financial gain. They often combine the most advanced malware, spear-phishing, and intrusion techniques available." (Mark Rhodes-Ousley, "Information Security: The Complete Reference, Second Edition" 2nd Ed., 2013)

"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors." (NIST SP800-61)

"An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives." (CNSSI 4009-2015)

🛡️Information Security: Threat (Definitions)

"An imminent security violation that could occur at any time due to unchecked security vulnerabilities." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed., 2011)

"Anything or anyone that represents a danger to an organization’s IT resources. Threats can exploit vulnerabilities, resulting in losses to an organization." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"The capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"The potential cause of an unwanted incident, which may result in harm to a system or organisation." (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

"Any activity that represents a possible danger." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"The danger of a threat agent exploiting a vulnerability." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A potential for violation of security that exists when there is a circumstance, a capability, an action, or an event that could breach security and cause harm. That is, a threat is a possible danger that might exploit vulnerability." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"A possible danger to a computer system, which may result in the interception, alteration, obstruction, or destruction of computational resources, or other disruption to the system." (NIST SP 800-28 Version 2)

"A potential cause of an unwanted incident." (ISO/IEC 13335)

"A potential cause of an unwanted incident, which may result in harm to a system or organisation."(ISO/IEC 27000:2014)

"An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity." (NIST SP 800-16)

"Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability." (FIPS 200)

"Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service." (NIST SP 800-32)

"An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss." (NIST SP 1800-17b)

"Anything that might exploit a Vulnerability. Any potential cause of an Incident can be considered to be a Threat." (ITIL)

"The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. "(NIST SP 800-47)

19 August 2019

🛡️Information Security: Public Key Cryptography [PKC] (Definitions)

"Also known as asymmetric cryptography, a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key." (Martin Oberhofer et al, "Enterprise Master Data Management", 2008)

"Cryptography involving public keys, as opposed to cryptography making use of shared secrets. See Symmetric cryptography." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"An approach to cryptography in which each user has two related keys, one public and one private" (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"An asymmetric cryptosystem where the encrypting and decrypting keys are different and it is computationally infeasible to calculate one form the other, given the encrypting algorithm. In public key cryptography, the encrypting key is made public, but the decrypting key is kept secret." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK 4th Ed.", 2015)

"An encryption method that uses a two-part key: a public key and a private key. Users generally distribute their public key but keep their private key to themselves. This is also known as asymmetric cryptography." (James R Kalyvas & Michael R Overly, "Big Data: A business and legal guide", 2015)

"Encryption system using a public-private key pair for encryption or digital signature. The encrypt and decrypt keys are different, and one cannot derive the private key from the public key." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the cipher text. Neither key can perform both functions by itself. The public key may be published without compromising security, while the private key must not be revealed to anyone not authorized to read the messages." (Addepalli V N Krishna & M Balamurugan, "Security Mechanisms in Cloud Computing-Based Big Data", 2019)

"A cryptographic system that requires public and private keys. The private key can decrypt messages encrypted with the corresponding public key, and vice versa. The public key can be made available to the public without compromising security and used to verify that messages sent by the holder of the private key must be genuine." (Daniel Leuck et al, "Learning Java" 5th Ed., 2020)

18 August 2019

🛡️Information Security: Cryptosystem (Definitions)

"Hardware or software implementation of cryptography that contains all the necessary software, protocols, algorithms, and keys." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The hardware or software implementation of cryptography." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"A cryptosystem includes a complete process of key generation, encryption, and decryption techniques for secure data communication over the insecure channel." (Shafali Agarwal, "Preserving Information Security Using Fractal-Based Cryptosystem", Handbook of Research on Cyber Crime and Information Privacy, 2021)

"Associated information security (INFOSEC) items interacting to provide a single means of encryption or decryption." (CNSSI 4009-2015)

[manual cryptosystem:] "Cryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices." (CNSSI 4009-2015)

[online cryptosystem:] "Cryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions." (CNSSI 4009-2015)

[off-line cryptosystem:] "Cryptographic system in which encryption and decryption are performed independently of the transmission and reception functions." (CNSSI 4009-2015)

17 August 2019

🛡️Information Security: Asymmetric Encryption (Definitions)

"Requires a pair of keys to encode and decode information. One key is used to encrypt the plain text, and a second key, which is part of the matched pair, is used to decrypt that cipher text." (Marilyn Miller-White et al, "MCITP Administrator: Microsoft® SQL Server™ 2005 Optimization and Maintenance 70-444", 2007)

"Asymmetric encryption is an encryption model in which the encryption and decryption processes use different keys. Modern asymmetric encryption algorithms are based on the public key/private key pairs, in which the encryption and decryption keys are different but nontrivially related. The public key is widely known and distributed for encryption while the private key is kept secret and used for decryption. Although the keys are related, it is considered infeasible to try to derive the private key from the public key." (Michael Coles & Rodney Landrum, , "Expert SQL Server 2008 Encryption", 2008)

"Asymmetric encryption is encryption that requires two different keys: one to encrypt data and another to decrypt it. The most common form of asymmetric encryption is public key encryption, in which the two keys are mathematically related." (Michael Coles, "Pro T-SQL 2008 Programmer's Guide", 2008)

"Asymmetric encryption, also known as public-key encryption, is a form of data encryption where the encryption key (also called the public key) and the corresponding decryption key (also called the private key) are different. A message encrypted with the public key can be decrypted only with the corresponding private key. The public key and the private key are related mathematically, but it is computationally infeasible to derive the private key from the public key. Therefore, a recipient could distribute the public key widely." (Ninghui Li, "Asymmetric Encryption", 2009)

"Encryption that requires two different keys: one to encrypt data and another to decrypt it. The most common form of asymmetric encryption is public key encryption, in which the two keys are mathematically related." (Miguel Cebollero et al, "Pro T-SQL Programmer’s Guide" 4th Ed., 2015)

"Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the cipher text. Neither key can perform both functions by itself. The public key may be published without compromising security, while the private key must not be revealed to anyone not authorized to read the messages." (Addepalli V N Krishna & M Balamurugan, "Security Mechanisms in Cloud Computing-Based Big Data", 2019)

15 August 2019

🛡️Information Security: Vulnerability (Definitions)

"In computer security, a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"A weakness in a system’s component that could be exploited to allow unauthorized access or cause service disruptions." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed., 2011)

"A characteristic that leads to exposure, and that may be exploited by a threat to cause harm. Vulnerabilities are most commonly a result of a software flaw or misconfiguration. See also threat." (Mark Rhodes-Ousley, "Information Security: The Complete Reference, Second Edition" 2nd Ed., 2013)

"a weakness in an information system that gives a threat the opportunity to compromise an asset." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"A weakness. It can be a weakness in any organizational IT systems, networks, configurations, users, or data. If a threat exploits a vulnerability, it can result in a loss to an organization." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"an error in the specification, development, or configuration of software such that its execution can violate the security policy." ( Manish Agrawal, "Information Security and IT Risk Management", 2014)

"The intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence" (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

"Weakness or a lack of a countermeasure." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"The property of a system whereby it is susceptible to a given attack succeeding against that system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"A vulnerability is any weakness in a product, process or system which could potentially be exploited to reduce the security or function of that product, process, or system." (Sandra Blanke et al, "How Can a Cybersecurity Student Become a Cybersecurity Professional and Succeed in a Cybersecurity Career?", 2019)

"the intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence" (ISO Guide 73:2009)

 "weakness that could be exploited by a thread" (ITIL)

12 August 2019

🛡️Information Security: Access Control (Definitions)

"The ability to selectively control who can get at or manipulate information in, for example, a Web server." (Tim Berners-Lee, "Weaving the Web", 1999)

"The methods by which interactions with resources are limited to collections of users or programs for the purpose of enforcing integrity, confidentiality, or availability constraints." (Kim Haase et al, "The J2EE™ Tutorial", 2002)

"Limiting access to resources according to rights granted by the system administrator, application, or policy." (Tom Petrocelli, "Data Protection and Information Lifecycle Management", 2005)

"Determining who or what can go where, when, and how." (Judith Hurwitz et al, "Service Oriented Architecture For Dummies" 2nd Ed., 2009)

"Management of who is allowed access and who is not allowed access to networks, data files, applications, or other digital resources." (Linda Volonino & Efraim Turban, "Information Technology for Management" 8th Ed, 2011)

"Any mechanism to regulate access to something, but for parallel programs this term generally applies to shared memory. The term is sometimes extended to I/O devices as well. For parallel programming, the objective is generally to provide deterministic results by preventing an object from being modified by multiple tasks simultaneously. Most often this is referred to as mutual exclusion, which includes locks, mutexes, atomic operations, and transactional memory models. This may also require some control on reading access to prevent viewing of an object in a partially modified state." (Michael McCool et al, "Structured Parallel Programming", 2012)

"Secures content and identifies who can read, create, modify, and delete content." (Charles Cooper & Ann Rockley, "Managing Enterprise Content: A Unified Content Strategy" 2nd Ed., 2012)

"A technique used to permit or deny use of data or information system resources to specific users, programs, processes, or other systems based on previously granted authorization to those resources." (Mark Rhodes-Ousley, "Information Security: The Complete Reference, Second Edition" 2nd Ed., 2013)

"The act of limiting access to information system resources only to authorized users, programs, processes, or other systems." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"The means to ensure that access to assets is authorised and restricted on business and security requirements." (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

"Are security features that control how users and systems communicate and interact with other systems and resources." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"Mechanisms, controls, and methods of limiting access to resources to authorized subjects only." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed, 2018)

"The process of granting or denying specific requests (1) for accessing and using information and related information processing services and (2) to enter specific physical facilities. Access control ensures that access to assets is authorized and restricted based on business and security requirements." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

11 August 2019

🛡️Information Security: Privacy (Definitions)

"Privacy is concerned with the appropriate use of personal data based on regulation and the explicit consent of the party." (Martin Oberhofer et al, "Enterprise Master Data Management", 2008)

[MDM privacy:] "Privacy is focused on the appropriate use of personal data based on regulation and the explicit consent of the Party. MDM Systems that have Party data (customer or patient) are quite sensitive to privacy concerns and regulations." (Allen Dreibelbis et al, "Enterprise Master Data Management", 2008)

"The ability of keeping secret someone’s identity, resources, or actions. It is realized by anonymity and pseudonymity." (Tomasz Ciszkowski & Zbigniew Kotulski, "Secure Routing with Reputation in MANET", 2008)

"Proper handling and use of personal information (PI) throughout its life cycle, consistent with data-protection principles and the preferences of the subject." (Alex Berson & Lawrence Dubov, "Master Data Management and Data Governance", 2010)

"Control of data usage dealing with the rights of individuals and organizations to determine the 'who, what, when, where, and how' of data access." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed., 2011)

"Keeping information as a secret, known only to the originators of that information. This contrasts with confidentiality, in which information is shared among a select group of recipients." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"The ability of a person to keep personal information to himself or herself." (Jason Williamson, "Getting a Big Data Job For Dummies", 2015)

"The protection of individual rights to nondisclosure." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web" 2nd Ed., 2015)

"The right of individuals to control or influence what information related to them may be collected and stored and by whom, as well as to whom that information may be disclosed." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"The right of individuals to a private life includes a right not to have personal information about themselves made public." (Open Data Handbook)

07 August 2019

🛡️Information Security: Certificate (Definitions)

"An asymmetric key, usually issued by a certificate authority, that contains the public key of a public/private key pair as well as identifying information, expiration dates, and other information and that provides the ability to authenticate its holder. Certificates are used in SQL Server 2005 to secure logins or other database objects." (Victor Isakov et al, "MCITP Administrator: Microsoft SQL Server 2005 Optimization and Maintenance (70-444) Study Guide", 2007)

"A certificate is an electronic document consisting of an asymmetric key with additional metadata such as an expiration date and a digital signature that allows it to be verified by a third-party like a certificate authority (CA)." (Michael Coles, "Pro T-SQL 2008 Programmer's Guide", 2008)

"A certificate is an electronic document that uses a digital signature to bind an asymmetric key with a public identity. In its simplest form, a certificate is essentially an asymmetric key which can have additional metadata, like a certificate name, subject, and expiration date. A certificate can be selfsigned or issued by a certificate authority." (Michael Coles & Rodney Landrum, , "Expert SQL Server 2008 Encryption", 2008)

"A data object that binds information about a person or some other entity to a public key. The binding is generally done using a digital signature from a trusted third party (a certification authority)." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"(1) A token of authorization or authentication. (2) In data security, a computer data security object that includes identity information, validity specification, and a key." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"A digital document that is commonly used for authentication and to help secure information on a network. A certificate binds a public key to an entity that holds the corresponding private key. Certificates are digitally signed by the certification authority that issues them, and they can be issued for a user, a computer, or a service." (Microsoft, "SQL Server 2012 Glossary", 2012)

"A bundle of information containing the encrypted public key of the server, and the identification of the key provider." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"An electronic document used to identify an individual, a system, a server, a company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority." (IBM, "Informix Servers 12.1", 2014)

"A representation of a sender’s authenticated public key used to minimize malicious forgeries" (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"A small electronic file that serves to validate or encrypt a message or browser session. Digital certificates are often used to create a digital signature which offers non-repudiation of a user or a Web site." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web" 2nd Ed., 2015)

"An electronic document consisting of an asymmetric key with additional metadata such as an expiration date and a digital signature that allows it to be verified by a third party like a certificate authority (CA)." (Miguel Cebollero et al, "Pro T-SQL Programmer’s Guide 4th Ed", 2015)

"Cryptography-related electronic documents that allow for node identification and authentication. Digital certificates require more administrative work than some other methods but provide greater security." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"Digital identity used within a PKI. Generated and maintained by a certificate authority and used for authentication." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A cryptographic binding between a user identifier and their public key as signed by a recognized authority called a certificate authority." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority." (Sybase, "Open Server Server-Library/C Reference Manual", 2019)

"An electronic document using a digital signature to assert the identity of a person, group, or organization. Certificates attest to the identity of a person or group and contain that organization’s public key. A certificate is signed by a certificate authority with its digital signature." (Daniel Leuck et al, "Learning Java" 5th Ed., 2020)

06 August 2019

🛡️Information Security: Access Control Model (Definitions)

"A list of credentials attached to a resource that indicates who has authorized access to that resource." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"In Windows-based systems, a list of access control entries (ACE) that apply to an entire object, a set of the object's properties, or an individual property of an object, and that define the access granted to one or more security principals." (Microsoft, SQL Server 2012 Glossary, 2012)

"An electronic list that specifies who can do what with an object. For example, an ACL on a file specifies who can read, write, execute, delete, and otherwise manipulate the file." (Mark Rhodes-Ousley, "Information Security: The Complete Reference, Second Edition" 2nd Ed., 2013)

"A list of permissions attached to specified objects. " (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Lists of permissions that define which users or groups can access an object." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed, 2015)

"In systems such as electronic records management, electronic document and records management systems, or document management systems, a list of individuals authorized to access, view, amend, transfer, or delete documents, records, or files. Access rights are enforced through software controls." (Robert F Smallwood, "Information Governance: Concepts, Strategies, and Best Practices", 2014)

"A data structure that enumerates the access rights for all active entities (e.g., users) within a system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"A list of subjects that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete, and create." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed, 2018)

05 August 2019

🛡️Information Security: Security Policy (Definitions)

"The active policy on the client's computer that programmatically generates a granted set of permissions from a set of requested permissions. A security policy consists of several levels that interact; by default only permissions granted by all layers are allowed to be granted." (Damien Watkins et al, "Programming in the .NET Environment", 2002)

"A collection of standards, policies, and procedures created to guarantee the security of a system and ensure auditing and compliance." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed, 2011)

"The set of decisions that govern security controls." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"In label-based access control, a database object that is associated with one or more tables and that defines how LBAC can be used to protect those tables. The security policy defines what security labels can be used, how the security labels are compared to each other, and whether optional behaviors are used. See also label-based access control, security label." (IBM, "Informix Servers 12.1", 2014)

"A written statement describing the constraints or behavior an organization embraces regarding the information provided by its users" (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"Strategic tool used to dictate how sensitive information and resources are to be managed and protected." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"Set of rules, guidelines and procedures represented in official security documents that define way in which state will protect its own national security interests." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"A set of rules and practices that specify or regulate how a system or an organization provides security services to protect sensitive and critical system resources." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"A statement of the rules governing the access to a system’s protected resources." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"In label-based access control, a database object that is associated with one or more tables and that defines how LBAC can be used to protect those tables. The security policy defines what security labels can be used, how the security labels are compared to each other, and whether optional behaviors are used. See also label-based access control, security label." (Sybase, "Open Server Server-Library/C Reference Manual", 2019)

"A set of criteria for the provision of security services." (CNSSI 4009-2015 NIST)

 "A set of methods for protecting a database from accidental or malicious destruction of data or damage to the database infrastructure." (Oracle)

"Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions 'what' and 'why' without dealing with 'how'. Policies are normally stated in terms that are technology-independent." (NIST SP 800-82 Rev. 2)

🛡️Information Security: Trojan Horse (Definitions)

"Malware that looks like something beneficial but has a malicious component. Users are tricked into downloading and installing the malware, thinking it’s worthwhile. After the user installs the Trojan, the malicious component runs. Trojans are named after the Trojan horse from Greek mythology." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A program posing as a harmless piece of software that can contain malware such as viruses or spyware." (Andy Walker, "Absolute Beginner’s Guide To: Security, Spam, Spyware & Viruses", 2005)

"Malicious code that creates backdoors, giving an attacker illegal access to a network or account through a network port." (Linda Volonino & Efraim Turban, "Information Technology for Management 8th Ed", 2011)

"software that appears to be an application but is, in fact, a destructive program." (Bill Holtsnider & Brian D Jaffe, "IT Manager's Handbook" 3rd Ed., 2012)

"An apparently useful and innocent program containing additional hidden code that allows the unauthorized collection, exploitation, falsification, or destruction of data. A Trojan is often received from a familiar e-mail address or URL or in the form of a familiar attachment." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"A form of malware application hidden within another application that introduces backdoor access." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web 2nd Ed.", 2015)

"A malicious program disguised as a benevolent resource" (Nell Dale & John Lewis, "Computer Science Illuminated, 6th Ed.", 2015)

"A piece of malicious software that looks harmless but has a detrimental effect on a computer when it runs." (Faithe Wempen, "Computing Fundamentals: Introduction to Computers", 2015)

"A program that is disguised as another program with the goal of carrying out malicious activities in the background without the user knowing." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A piece of software or code that is disguised as a legitimate software that is created with the intention to breach a system or networks security." (Hamid R Arabnia et al, "Application of Big Data for National Security", 2015)

"Software that either hides or masquerades as a useful or benign program." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

04 August 2019

🛡️Information Security: Exploit (Definitions)

"A program that takes advantage of a known security weakness in a computer." (Andy Walker, "Absolute Beginner’s Guide To: Security, Spam, Spyware & Viruses", 2005)

"An exploit is a technique or software code (often in the form of scripts) that takes advantage of vulnerability or security weakness in a piece of target software." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"Used as a noun in this case, this refers to a known way to compromise a program to get it to do something the author didn’t intend. Your task is to write unexploitable programs." (Jon Orwant et al, "Programming Perl" 4th Ed., 2012)

"Either: an attack technique that can be directed at a particular computer system or software component and that takes advantage of a specific vulnerability, or the act of successfully implementing such an attack technique." (Mark Rhodes-Ousley, "Information Security: The Complete Reference, Second Edition" 2nd Ed., 2013)

"An exploit is a particular form of attack in which a tried and tested method of causing impact is followed with some rigour. Exploits are similar in nature to processes, but whereas processes are generally benign, exploits are almost always harmful." (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

"A method or program that takes advantage of a vulnerability in a target system to accomplish an attack." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"An attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

🛡️Information Security: Data Loss Prevention [DLP] (Definitions)

"Attempts to prevent the loss of confidentiality of sensitive information by limiting the use of confidential information only for authorized purposes." (David G Hill, "Data Protection: Governance, Risk Management, and Compliance", 2009)

"A set of technologies and inspection techniques used to classify information content contained within an object—such as a file, an email, a packet, an application or a data store - while at rest (in storage), in use (during an operation), or in transit (across a network). DLP tools also have the ability to dynamically apply a policy - such as log, report, classify, relocate, tag, and encrypt - and/or apply enterprise data rights management protections." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"Data loss prevention (DLP; also known as data leak prevention) is a computer security term referring to systems that identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, and so on) and with a centralized management framework. Systems are designed to detect and prevent unauthorized use and transmission of confidential information." (Robert F Smallwood, "Information Governance for Healthcare Professionals", 2018)

[data leak prevention (DLP):] "The actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide, 8th Ed", 2018)

"A capability that detects and prevents violations to corporate policies regarding the use, storage, and transmission of sensitive data. Its purpose is to enforce policies to prevent unwanted dissemination of sensitive information." (Forrester)

 "A systems ability to identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep packet content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, etc.), within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of NSS information." (CNSSI 4009-2015) 

Related Posts Plugin for WordPress, Blogger...

About Me

My photo
Koeln, NRW, Germany
IT Professional with more than 24 years experience in IT in the area of full life-cycle of Web/Desktop/Database Applications Development, Software Engineering, Consultancy, Data Management, Data Quality, Data Migrations, Reporting, ERP implementations & support, Team/Project/IT Management, etc.