
A Glossary of Computer Security Terms



Access


A specific type of interaction between a subject and an object that
results in the flow of information from one to the other. (Source:
GCST).



Access Control


The process of limiting access to the resources of a system only to
authorized programs, processes, or other systems (in a network).
Synonymous with controlled access and limited access. (Source:
GCST)



Accreditation


A formal declaration by the designated approving authority (DAA)
that the automated information system (AIS) is approved to operate
in a particular security mode using a prescribed set of safeguards.
Accreditation is the official management authorization for
operation of an AIS and is based on the certification process as
well as other management considerations. The accreditation
statement affixes security responsibility with the DAA and shows
that due care has been taken for security. (Source: GCST)



Assurance


A measure of confidence that the security features and architecture
of an AIS accurately mediate and enforce the security policy.
Compare with trusted computer system. (Source: GCST)



Audit Trail


A chronological record of system activities that is sufficient to
enable the reconstruction, reviewing, and examination of the
sequence of environments and activities surrounding or leading to
an operation, a procedure, or an event in a transaction from its
inception to final results. (Source: GCST)



Authenticate



1. To verify the identity of a user, device, or other entity in a
computer system, often as a prerequisite to allowing access to
resources in a system.

2. To verify the integrity of data that have been stored, transmitted,
or otherwise exposed to possible unauthorized modification.


(Source: GCST)
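Both senses of the definition in working form. This is an added example, not text or code from the NCSC glossary: sense 1 is shown as password verification against a stored salted PBKDF2 hash, sense 2 as an HMAC-SHA256 tag checked before data is trusted. The credential layout, the round count, the user strings and the sample record are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical cost parameter for this example; a production system tunes it
# to its own hardware budget.
PBKDF2_ROUNDS = 100_000


def make_credential(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only what is needed to verify a password later: a random salt
    and a slow salted hash. The password itself is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def authenticate_user(credential: dict, attempt: str) -> bool:
    """Sense 1: verify the identity of a user from a presented password."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 credential["salt"], PBKDF2_ROUNDS)
    # compare_digest takes the same time whether the guess is right or wrong,
    # so the comparison itself does not leak how close the guess was.
    return hmac.compare_digest(digest, credential["hash"])


def tag_data(key: bytes, data: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag that binds the data to a shared secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def authenticate_data(key: bytes, data: bytes, tag: bytes) -> bool:
    """Sense 2: verify that stored or transmitted data has not been modified.
    Without the key an attacker cannot recompute a valid tag for altered bytes."""
    return hmac.compare_digest(tag_data(key, data), tag)


def demo() -> dict:
    """Constructed scenario: one user credential and one record in transit."""
    cred = make_credential("correct horse battery staple")
    key = os.urandom(32)                              # shared by both ends
    record = b"ACCT=1234;AMOUNT=100;PAYEE=alice"     # constructed sample data
    tag = tag_data(key, record)
    tampered = record.replace(b"AMOUNT=100", b"AMOUNT=900")
    return {
        "good_password": authenticate_user(cred, "correct horse battery staple"),
        "bad_password": authenticate_user(cred, "correct horse battery stable"),
        "intact_record": authenticate_data(key, record, tag),
        "tampered_record": authenticate_data(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately kept distinct: a password proves who is asking, a tag proves the bytes are the ones the key holder produced, and a system that needs both (a login followed by an integrity-checked session) performs both.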





Authorization


The granting of access rights to a user, program, or process.
(Source: GCST)



Automated Information System


An assembly of computer hardware, software, and/or firmware
configured to collect, create, communicate, compute, disseminate,
process, store, and/or control data or information. (Source: GCST)



Availability


The state when data is in the place needed by [or accessible to] the
user, at the time the user needs them, and in the form needed by the
user. (Source: GCST)



Certification


The comprehensive evaluation of the technical and nontechnical
security features of an AIS and other safeguards, made in support
of the accreditation process, that establishes the extent to which a
particular design and implementation meet a specified set of
security requirements. (Source: GCST)



Compartmented Mode of Operation


An AIS is operating in the compartmented mode when each user
with direct or indirect individual access to the AIS, its peripherals,
remote terminals, or remote hosts, has all of the following:


A valid personnel clearance for the most restricted information on
the system.

Formal access approval for, and has signed nondisclosure
agreements for, that information to which the user is to have access.

A valid need-to-know for that information to which the user is to
have access.


(Source: GCST)





Covert Channel


A communications channel that allows two cooperating processes
to transfer information in a manner that violates the system's
security policy. Synonymous with confinement channel. (Source:
GCST)



Covert Storage Channel


A covert channel that involves the direct or indirect writing of a
storage location by one process and the direct or indirect reading of
the storage location by another process. Covert storage channels
typically involve a finite resource (e.g., sectors on a disk) that is
shared by two subjects at different security levels. (Source: GCST)
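A model of the finite-resource case, as an added example that is not part of the glossary: a "High" sender and a "Low" receiver share a pool of disk sectors, and the sender leaks one bit per time slot by either exhausting the pool or leaving it alone. The sender never writes a Low object, so a reference monitor that only checks individual operations sees nothing wrong. The pool size, the slot scheduling, and the per-level partitioning used as the countermeasure are all assumptions made for the example.

```python
# Sizes and names below are constructed for the example.
POOL_SIZE = 8          # free sectors the whole system shares


class SectorPool:
    """A finite resource. Whether an allocation succeeds is observable by any
    process that asks, whatever its security level."""

    def __init__(self, size: int):
        self.size = size
        self.free = size

    def allocate(self, n: int) -> bool:
        if n > self.free:
            return False
        self.free -= n
        return True

    def release(self, n: int) -> None:
        self.free = min(self.size, self.free + n)


def to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def run_channel(secret: bytes, partition_by_level: bool = False) -> bytes:
    """Model of the channel: time is divided into slots; in each slot the High
    sender acts, then the Low receiver probes, then the sender cleans up.

    With partition_by_level=True each level gets its own pool, the usual
    countermeasure: the Low probe then observes nothing the High side did."""
    high_pool = SectorPool(POOL_SIZE)
    low_pool = SectorPool(POOL_SIZE) if partition_by_level else high_pool
    received = []
    for bit in to_bits(secret):
        # High sender: a 1 is signalled by exhausting the pool, a 0 by leaving
        # it. Each step is an ordinary allocation on High's own behalf; no Low
        # object is written, so a per-operation MAC check permits it.
        if bit:
            high_pool.allocate(high_pool.size)
        # Low receiver: try to take one sector and hand it straight back.
        got_sector = low_pool.allocate(1)
        if got_sector:
            low_pool.release(1)
        received.append(0 if got_sector else 1)
        # High sender: restore the resource so the next slot starts clean.
        if bit:
            high_pool.release(high_pool.size)
    return from_bits(received)


if __name__ == "__main__":
    print(run_channel(b"TS"))                           # leaks the secret
    print(run_channel(b"TS", partition_by_level=True))  # all-zero bits
```

Real channels of this kind run at some bits per second rather than one bit per idealised slot, and noise from other processes competing for the same resource forces the sender to add error correction; the partitioning shown here (or a quota per level) removes the shared observable rather than trying to slow it down.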



Covert Timing Channel


A covert channel in which one process signals information to
another by modulating its own use of system resources (e.g., CPU
time) in such a way that this manipulation affects the real response
time observed by the second process. (Source: GCST)



Dedicated Mode of Operation


An AIS is operating in the dedicated mode when each user with
direct or indirect individual access to the AIS, its peripherals,
remote terminals, or remote hosts, has all of the following:


A valid personnel clearance for all information on the system.

Formal access approval for, and has signed nondisclosure
agreements for, all the information stored and/or processed
(including all compartments, subcompartments, and/or special
access programs).

A valid need-to-know for all information contained within the
system.


(Source: GCST)





Denial of Service


Any action or series of actions that prevent any part of a system
from functioning in accordance with its intended purpose. This
includes any action that causes unauthorized destruction,
modification, or delay of service. Synonymous with interdiction.
(Source: GCST)



Designated Approving Authority (DAA)


The official who has the authority to decide on accepting the
security safeguards prescribed for an AIS, or that official who may
be responsible for issuing an accreditation statement that records
the decision to accept those safeguards. (Source: GCST)



Discretionary Access Control (DAC)


A means of restricting access to objects based on the identity and
need-to-know of the user, process, and/or groups to which they
belong. The controls are discretionary in the sense that a subject
with a certain access permission is capable of passing that
permission (perhaps indirectly) on to any other subject. Compare
mandatory access control. (Source: GCST)



Evaluation


An assessment of a product against the Trusted Computer System
Evaluation Criteria (The Orange Book).



Information Warfare


Information warfare is the activity by a hacker, terrorist, or other
adversary to disrupt an information system. Traditional security
addresses the protection of information. Information warfare is
aimed at protecting the systems that collect, store, manipulate, and
transport information so that they are not accessed by unauthorized
persons and are available as needed. (Source: Defense Information
Infrastructure Master Plan)



Mandatory Access Control (MAC)


A means of restricting access to objects based on the sensitivity (as
represented by a label) of the information contained in the objects
and the formal authorization (i.e., clearance) of subjects to access
information of such sensitivity. Compare discretionary access
control. (Source: GCST)
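The two definitions side by side, as an added example that belongs neither to the glossary nor to any particular system. The mandatory half uses the Bell-LaPadula rules (no read up, no write down) as its concrete policy, which is an assumption since the entry defines MAC without naming a rule set; the discretionary half is an access control list whose holders may pass permissions on. The level ordering, the users alice, bob and carol, and the report's label are constructed.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels for this example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_allows(subject: Label, obj: Label, op: str) -> bool:
    """Mandatory check (Bell-LaPadula rules, assumed for the example):
    read requires the subject's clearance to dominate the object's label,
    write requires the object's label to dominate the subject's clearance."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


class DacObject:
    """Discretionary control: an access control list, where any holder of a
    permission may pass that permission on to another subject."""

    def __init__(self, owner: str):
        self.acl = {owner: {"read", "write"}}

    def grant(self, granter: str, grantee: str, perms: set) -> bool:
        if not perms <= self.acl.get(granter, set()):
            return False            # cannot give what you do not hold
        self.acl.setdefault(grantee, set()).update(perms)
        return True

    def allows(self, subject: str, op: str) -> bool:
        return op in self.acl.get(subject, set())


def access_allowed(user: str, clearance: Label, obj: DacObject,
                   obj_label: Label, op: str) -> bool:
    """Both checks must pass: DAC can only narrow what MAC already permits,
    and no discretionary grant can widen what the labels forbid."""
    return mac_allows(clearance, obj_label, op) and obj.allows(user, op)


def demo() -> dict:
    """Constructed scenario: alice owns a SECRET report in the NUCLEAR compartment."""
    clearances = {
        "alice": Label("SECRET", frozenset({"NUCLEAR"})),
        "bob": Label("CONFIDENTIAL", frozenset({"NUCLEAR"})),
        "carol": Label("TOP SECRET", frozenset({"NUCLEAR", "CRYPTO"})),
    }
    report_label = Label("SECRET", frozenset({"NUCLEAR"}))
    report = DacObject(owner="alice")
    report.grant("alice", "bob", {"read"})            # DAC grant succeeds...
    report.grant("alice", "carol", {"read", "write"})
    return {
        "alice_read": access_allowed("alice", clearances["alice"], report, report_label, "read"),
        "bob_read": access_allowed("bob", clearances["bob"], report, report_label, "read"),   # ...but MAC denies
        "carol_read": access_allowed("carol", clearances["carol"], report, report_label, "read"),
        "carol_write": access_allowed("carol", clearances["carol"], report, report_label, "write"),  # no write down
        "bob_regrant": report.grant("bob", "carol", {"write"}),  # bob cannot pass what he lacks
    }


if __name__ == "__main__":
    print(demo())
```

The case worth noticing is carol: her clearance dominates the report, so she may read it, but the report's label does not dominate her clearance, so she may not write it even though alice's discretionary grant says she can. That asymmetry is what keeps a TOP SECRET subject from copying material down into a SECRET object.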



Multilevel Mode of Operation


An AIS is operating in the multilevel mode when all of the
following statements are satisfied concerning the users with direct
or indirect access to the AIS, its peripherals, remote terminals, or
remote hosts:


Some do not have a valid personnel clearance for all of the
information processed in the system.

All have the proper clearance and have the appropriate formal
access approval for that information to which they are to have
access.

All have a valid need-to-know for that information to which they
are to have access.


(Source: GCST)





Multilevel Security (MLS)


An MLS system is a system containing information with different
security classifications that simultaneously permits access by users
with different security clearances and needs to know. This system
prevents users from obtaining access to information for which they
lack authorization. (Source: DOD Directive 5200.28)



Risk


The probability that a particular threat will exploit a particular
vulnerability of the system. (Source: GCST)



Risk Analysis


The process of identifying security risks, determining their
magnitude, and identifying areas needing safeguards. Risk analysis
is a part of risk management. Synonymous with risk assessment.
(Source: GCST)



Risk Management


The total process of identifying, controlling, and eliminating or
minimizing uncertain events that may affect system resources. It
includes risk analysis, cost/benefit analysis, selection,
implementation and test, security evaluation of safeguards, and
overall security review. (Source: GCST)



Sensitive Compartmented Information


Information restricted to people who have been given formal access
to the security program, called a compartment.



Security Policy


The set of laws, rules, and practices that regulate how an
organization manages, protects, and distributes sensitive
information. (Source: GCST)



System-High Mode of Operation


An AIS is operating in the system-high mode when each user with
direct or indirect access to the AIS, its peripherals, remote
terminals, or remote hosts, has all of the following:


A valid personnel clearance for all information on the system.

Formal access approval for, and has signed nondisclosure
agreements for, all the information stored and/or processed
(including all compartments, subcompartments, and/or special
access programs).

A valid need-to-know for some of the information contained
within the system.


(Source: GCST)





Trusted Computer System


A system that employs sufficient hardware and software assurance
measures to allow its use for simultaneous processing of a range of
sensitive or classified information. (Source: GCST)



------------------------------------------------------------------------
Note: "GCST" means the Glossary of Computer Security Terms,
NCSC-TG-004, 21 Oct 88 (the "Olive" Book).

26 July 1996
