25 August 2019

🛡️Information Security: Attack (Definitions)

[active attack:] "Any network-based attack other than simple eavesdropping (i.e., a passive attack)." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"Unauthorized activity with malicious intent that uses specially crafted code or techniques." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"An attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset." (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

[active attack:] "Attack where the attacker does interact with processing or communication activities." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

[passive attack:] "Attack where the attacker does not interact with processing or communication activities, but only carries out observation and data collection, as in network sniffing." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"A sequence of actions intended to have a specified effect favorable to an actor that is adversarial to the owners of that system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"An attempt to bypass security controls in a system with the mission of using that system or compromising it. An attack is usually accomplished by exploiting a current vulnerability." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or information itself." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"an aggressive action against a person, an organisation or an asset intended to cause damage or loss." (ISO/IEC 27000:2014)

🛡️Information Security: Digital Signature (Definitions)

"A form of electronic authentication of a digital document. Digital signatures are created and verified using public key cryptography and serve to tie the document being signed to the signer." (J P Getty Trust, "Introduction to Metadata" 2nd Ed., 2008)

"Data which proves that a document, message, or other piece of data was not modified since being processed and sent from a particular party." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"cryptographic transformations of data that allow a recipient of the data to prove the source (non-repudiation) and integrity of the data." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Data that is appended to a message, made from the message itself and the sender’s private key, to ensure the authenticity of the message." (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"Ensuring the authenticity and integrity of a message through the use of hashing algorithms and asymmetric algorithms. The message digest is encrypted with the sender’s private key." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A means of authenticating that a message or data came from a particular source with a known system identity." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"An encrypted means of identification that cannot be forged and that enables clients to validate servers and vice versa." (Microfocus)

"The combination of the private key, public key, message and hashing generates a digital signature. A digital signature is unique for every transaction and is a way to prove that the originator of the message has access to the private key." (AICPA)

24 August 2019

🛡️Information Security: Cyberattack (Definitions)

"Act or effect of an offensive cybernetic activity." (Claudia Canongia & Raphael Mandarino, "Cybersecurity: The New Challenge of the Information Society", 2012)

"Attacks on an organization’s IT resources through cyberspace. The purpose of the attacks might be for monetary gain, intelligence gathering, or vandalism." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A cyberattack is a deliberate attack on computer systems, a website, or individual computers using a computer. A cyberattack compromises the integrity and/or availability of the computer/system on which the information is stored." (Sanjukta Pookulangara, "Cybersecurity: What Matters to Consumers - An Exploratory Study", 2016)

"Any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts usually originating from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system." (Kimberly Lukin, "Russian Cyberwarfare Taxonomy and Cybersecurity Contradictions between Russia and EU", 2016)

"When electronic data is used without authorization or malicious activities occur, such as spyware and viruses." (Brittany Bullard, "Style and Statistics", 2016)

"A deliberate exploitation of computer systems, technology-dependent enterprises and networks." (Mika Westerlund et al, "A Three-Vector Approach to Blind Spots in Cybersecurity", 2018)

"Is a deliberate exploitation of computer systems, technology systems, and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive results that can compromise data. It is an illegal attempt to harm someone’s computer system or the information on it, using the internet." (Thokozani I Nzimakwe, "Government's Dynamic Approach to Addressing Challenges of Cybersecurity in South Africa", 2018)

"The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this." (Christopher T Anglim, "Cybersecurity Legislation", 2020)

🛡️Information Security: Brute-Force Attack (Definitions)

"A brute force attack attempts to defeat a cryptographic algorithm by trying a large number of possibilities. A brute force attack on a cipher might include trying a large number of keys in the key space to decrypt a message. Brute force attack is the most inefficient method of attacking a cipher, and most cryptanalysis is concerned with finding more efficient means of defeating ciphers." (Michael Coles & Rodney Landrum, "Expert SQL Server 2008 Encryption", 2008)

"An attack on an encryption algorithm in which the encryption key for ciphertext is determined by trying to decrypt with every key until valid plaintext is obtained." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"A method used for breaking encryption systems. Brute-force methodology entails trying all the possible keys until the proper one is found." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"A method by which a hacker tries to gain access to an account on the target system by trying to “guess” the correct password." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Involves programs designed to guess at every possible combination until the password or key is cracked." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web" 2nd Ed., 2015)

"An attack that continually tries different inputs to achieve a predefined goal, which can be used to obtain credentials for unauthorized access." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

23 August 2019

🛡️Information Security: Cybercrime (Definitions)

"A variety of offenses related to information technology, including extortion, boiler-room investment and gambling fraud, and fraudulent transfers of funds." (Robert McCrie, "Security Operations Management" 2nd Ed., 2006)

"Any type of crime that targets computers, or uses computer networks or devices, and violates existing laws. Cybercrime includes cyber vandalism, cyber theft, and cyber-attacks." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"Any crime that is facilitated through the use of computers and networks. This can include crimes that are dependent on computers or networks in order to take place, as well as those whose impact and reach are increased by their use." (Hamid R Arabnia et al, "Application of Big Data for National Security", 2015)

"Cybercrime is defined as any illegal activity that uses a computer either as the object of the crime OR as a tool to commit an offense." (Sanjukta Pookulangara, "Cybersecurity: What Matters to Consumers - An Exploratory Study", 2016)

"Any crime that is facilitated or committed using a computer, network, or hardware device." (Anisha B D Gani & Yudi Fernando, "Concept and Practices of Cyber Supply Chain in Manufacturing Context", 2018)

"Is all illegal acts, the commission of which involves the use of information and communication technologies. It is generally thought of as any criminal activity involving a computer system." (Thokozani I Nzimakwe, "Government's Dynamic Approach to Addressing Challenges of Cybersecurity in South Africa", 2018)

"Any criminal action perpetrated primarily through the use of a computer." (Christopher T Anglim, "Cybersecurity Legislation", 2020)

"Criminal activity involving computer systems, networks, and/or the internet." (Boaventura DaCosta & Soonhwa Seok, "Cybercrime in Online Gaming", 2020)

22 August 2019

🛡️Information Security: Access Control Lists (Definitions)

"In Windows-based systems, a list of access control entries (ACE) that apply to an entire object, a set of the object's properties, or an individual property of an object, and that define the access granted to one or more security principals." (Microsoft, "SQL Server 2012 Glossary", 2012)

"An electronic list that specifies who can do what with an object. For example, an ACL on a file specifies who can read, write, execute, delete, and otherwise manipulate the file." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"a list of permissions attached to specified objects. Often abbreviated as ACL." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"In systems such as electronic records management, electronic document and records management systems, or document management systems, a list of individuals authorized to access, view, amend, transfer, or delete documents, records, or files. Access rights are enforced through software controls." (Robert F Smallwood, "Information Governance: Concepts, Strategies, and Best Practices", 2014)

"A list of credentials attached to a resource that indicates who has authorized access to that resource." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"A data structure that enumerates the access rights for all active entities (e.g., users) within a system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"A list of subjects that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete, and create." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"Lists of permissions that define which users or groups can access an object." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

🛡️Information Security: Attack Surface (Definitions)

"The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to, user input fields, protocols, interfaces, and services." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"The total vulnerabilities of a system that can be exploited by an attacker." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"Components available to be used by an attacker against the product itself." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The avenues of attack that are available to an attacker by virtue of those avenues being exposed in some manner." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"The reachable and exploitable vulnerabilities in a system." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"The totality of different attack vectors through which cyber compromises may occur." (Shalin Hai-Jew, "Safe Distances: Online and RL Hyper-Personal Relationships as Potential Attack Surfaces", 2018)

"The sum of all externally addressable vulnerabilities within an environment or system." (Forrester)

21 August 2019

🛡️Information Security: SQL Injection Attack (Definitions)

"This is a way that hackers can bring a database down. SQL injection attacks can be avoided by using stored procedures with the appropriate configured parameters." (Joseph L Jorden & Dandy Weyn, "MCTS Microsoft SQL Server 2005: Implementation and Maintenance Study Guide - Exam 70-431", 2006)

"An attack on a database made by inserting escape characters or additional commands into a batch, allowing the attacker to run commands on the database server. This exploits poor validation or weak designs in application code that allow extra commands to be submitted to the server." (Marilyn Miller-White et al, "MCITP Administrator: Microsoft® SQL Server™ 2005 Optimization and Maintenance 70-444", 2007)

"An Internet attack against a database accessible via a web page. Automated programs are available to launch attacks, and successful SQL injection attacks can obtain the entire layout of a database and all the data." (Darril Gibson, "MCITP SQL Server 2005 Database Developer All-in-One Exam Guide", 2008)

"An attack against a database system launched through an application program containing embedded SQL." (Jan L Harrington, "Relational Database Design and Implementation: Clearly explained" 3rd Ed., 2009)

"A type of attack designed to break through database security and access the information. A SQL injection attack “injects” or manipulates SQL code." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web" 2nd Ed., 2015)

20 August 2019

🛡️Information Security: Cryptanalysis (Definitions)

"Cryptanalysis is the science of analyzing cryptographic methods and algorithms, generally probing them for weaknesses. Cryptanalysts devise new methods of defeating cryptographic algorithms." (Michael Coles & Rodney Landrum, "Expert SQL Server 2008 Encryption", 2008)

"The science (or art) of breaking cryptographic algorithms." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"The study of mathematical techniques designed to defeat cryptographic techniques. Collectively, a branch of science that deals with cryptography and cryptanalysis is called cryptology." (Alex Berson & Lawrence Dubov, "Master Data Management and Data Governance", 2010)

"The art of breaking ciphertext." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Practice of uncovering flaws within cryptosystems." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The process of decrypting a message without knowing the cipher or key used to encrypt it." (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"The practice of breaking cryptosystems and algorithms used in encryption and decryption processes." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"The process of breaking encryption without the benefit of the key under which data was encrypted." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"Cryptanalysis refers to the study of the cryptosystem or ciphertext to crack the confidentiality of the underlying information and try to gain unauthorized access to the content." (Shafali Agarwal, "Preserving Information Security Using Fractal-Based Cryptosystem", Handbook of Research on Cyber Crime and Information Privacy, 2021)

🛡️Information Security: Advanced Persistent Threat [APT] (Definitions)

"A sustained, human-intensive attack that leverages the full range of computer intrusion techniques." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"A group or entity that has the capability and intent to persistently target a specific organization. They typically have the backing of an organization with almost unlimited resources, such as a government." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry. APTs differ from other types of attack in their careful target selection and persistent, often stealthy, intrusion efforts over extended periods." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"Sophisticated attacks that are carefully crafted by hostile governments or organizations, usually for political vengeance or financial gain. They often combine the most advanced malware, spear-phishing, and intrusion techniques available." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors." (NIST SP 800-61)

"An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives." (CNSSI 4009-2015)

🛡️Information Security: Threat (Definitions)

"An imminent security violation that could occur at any time due to unchecked security vulnerabilities." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed., 2011)

"Anything or anyone that represents a danger to an organization’s IT resources. Threats can exploit vulnerabilities, resulting in losses to an organization." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"The capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"The potential cause of an unwanted incident, which may result in harm to a system or organisation." (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

"Any activity that represents a possible danger." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"The danger of a threat agent exploiting a vulnerability." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A potential for violation of security that exists when there is a circumstance, a capability, an action, or an event that could breach security and cause harm. That is, a threat is a possible danger that might exploit vulnerability." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"A possible danger to a computer system, which may result in the interception, alteration, obstruction, or destruction of computational resources, or other disruption to the system." (NIST SP 800-28 Version 2)

"A potential cause of an unwanted incident." (ISO/IEC 13335)

"A potential cause of an unwanted incident, which may result in harm to a system or organisation." (ISO/IEC 27000:2014)

"An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity." (NIST SP 800-16)

"Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability." (FIPS 200)

"Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service." (NIST SP 800-32)

"An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss." (NIST SP 1800-17b)

"Anything that might exploit a Vulnerability. Any potential cause of an Incident can be considered to be a Threat." (ITIL)

"The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability." (NIST SP 800-47)

19 August 2019

🛡️Information Security: Public Key Cryptography [PKC] (Definitions)

"Also known as asymmetric cryptography, a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key." (Martin Oberhofer et al, "Enterprise Master Data Management", 2008)

"Cryptography involving public keys, as opposed to cryptography making use of shared secrets. See Symmetric cryptography." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"An approach to cryptography in which each user has two related keys, one public and one private." (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"An asymmetric cryptosystem where the encrypting and decrypting keys are different and it is computationally infeasible to calculate one from the other, given the encrypting algorithm. In public key cryptography, the encrypting key is made public, but the decrypting key is kept secret." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"An encryption method that uses a two-part key: a public key and a private key. Users generally distribute their public key but keep their private key to themselves. This is also known as asymmetric cryptography." (James R Kalyvas & Michael R Overly, "Big Data: A business and legal guide", 2015)

"Encryption system using a public-private key pair for encryption or digital signature. The encrypt and decrypt keys are different, and one cannot derive the private key from the public key." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the cipher text. Neither key can perform both functions by itself. The public key may be published without compromising security, while the private key must not be revealed to anyone not authorized to read the messages." (Addepalli V N Krishna & M Balamurugan, "Security Mechanisms in Cloud Computing-Based Big Data", 2019)

"A cryptographic system that requires public and private keys. The private key can decrypt messages encrypted with the corresponding public key, and vice versa. The public key can be made available to the public without compromising security and used to verify that messages sent by the holder of the private key must be genuine." (Daniel Leuck et al, "Learning Java" 5th Ed., 2020)

18 August 2019

🛡️Information Security: Cryptosystem (Definitions)

"Hardware or software implementation of cryptography that contains all the necessary software, protocols, algorithms, and keys." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The hardware or software implementation of cryptography." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"A cryptosystem includes a complete process of key generation, encryption, and decryption techniques for secure data communication over the insecure channel." (Shafali Agarwal, "Preserving Information Security Using Fractal-Based Cryptosystem", Handbook of Research on Cyber Crime and Information Privacy, 2021)

"Associated information security (INFOSEC) items interacting to provide a single means of encryption or decryption." (CNSSI 4009-2015)

[manual cryptosystem:] "Cryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices." (CNSSI 4009-2015)

[online cryptosystem:] "Cryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions." (CNSSI 4009-2015)

[off-line cryptosystem:] "Cryptographic system in which encryption and decryption are performed independently of the transmission and reception functions." (CNSSI 4009-2015)

17 August 2019

🛡️Information Security: Asymmetric Encryption (Definitions)

"Requires a pair of keys to encode and decode information. One key is used to encrypt the plain text, and a second key, which is part of the matched pair, is used to decrypt that cipher text." (Marilyn Miller-White et al, "MCITP Administrator: Microsoft® SQL Server™ 2005 Optimization and Maintenance 70-444", 2007)

"Asymmetric encryption is an encryption model in which the encryption and decryption processes use different keys. Modern asymmetric encryption algorithms are based on the public key/private key pairs, in which the encryption and decryption keys are different but nontrivially related. The public key is widely known and distributed for encryption while the private key is kept secret and used for decryption. Although the keys are related, it is considered infeasible to try to derive the private key from the public key." (Michael Coles & Rodney Landrum, "Expert SQL Server 2008 Encryption", 2008)

"Asymmetric encryption is encryption that requires two different keys: one to encrypt data and another to decrypt it. The most common form of asymmetric encryption is public key encryption, in which the two keys are mathematically related." (Michael Coles, "Pro T-SQL 2008 Programmer's Guide", 2008)

"Asymmetric encryption, also known as public-key encryption, is a form of data encryption where the encryption key (also called the public key) and the corresponding decryption key (also called the private key) are different. A message encrypted with the public key can be decrypted only with the corresponding private key. The public key and the private key are related mathematically, but it is computationally infeasible to derive the private key from the public key. Therefore, a recipient could distribute the public key widely." (Ninghui Li, "Asymmetric Encryption", 2009)

"Encryption that requires two different keys: one to encrypt data and another to decrypt it. The most common form of asymmetric encryption is public key encryption, in which the two keys are mathematically related." (Miguel Cebollero et al, "Pro T-SQL Programmer’s Guide" 4th Ed., 2015)

"Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the cipher text. Neither key can perform both functions by itself. The public key may be published without compromising security, while the private key must not be revealed to anyone not authorized to read the messages." (Addepalli V N Krishna & M Balamurugan, "Security Mechanisms in Cloud Computing-Based Big Data", 2019)

15 August 2019

🛡️Information Security: Vulnerability (Definitions)

"In computer security, a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"A weakness in a system’s component that could be exploited to allow unauthorized access or cause service disruptions." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed., 2011)

"A characteristic that leads to exposure, and that may be exploited by a threat to cause harm. Vulnerabilities are most commonly a result of a software flaw or misconfiguration. See also threat." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"a weakness in an information system that gives a threat the opportunity to compromise an asset." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"A weakness. It can be a weakness in any organizational IT systems, networks, configurations, users, or data. If a threat exploits a vulnerability, it can result in a loss to an organization." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"an error in the specification, development, or configuration of software such that its execution can violate the security policy." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"The intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence." (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

"Weakness or a lack of a countermeasure." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"The property of a system whereby it is susceptible to a given attack succeeding against that system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"A vulnerability is any weakness in a product, process or system which could potentially be exploited to reduce the security or function of that product, process, or system." (Sandra Blanke et al, "How Can a Cybersecurity Student Become a Cybersecurity Professional and Succeed in a Cybersecurity Career?", 2019)

"the intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence." (ISO Guide 73:2009)

"weakness that could be exploited by a threat." (ITIL)


About Me

Koeln, NRW, Germany
IT Professional with more than 24 years experience in IT in the area of full life-cycle of Web/Desktop/Database Applications Development, Software Engineering, Consultancy, Data Management, Data Quality, Data Migrations, Reporting, ERP implementations & support, Team/Project/IT Management, etc.