ISA finals
weakness or fault in a system that exposes information to attack
ex; bug in a computer / lack of controls
vulnerabilities
method for taking advantage of a known vulnerabilitiy
exploit
one for which there is no known threat (vulnerability is there but not exploitable)
dangling vulnerability
does not expose danger as there is no vulnerability to exploit (threat is there but can't do damage)
dangling threat
attempt to gain access, cause damage to or otherwise comprise information and/or system that support its.
attack
attacker observes interaction with the system
passive attack
attacker directly interact with the system
active attack
attacker has no deliberate goal of misuse
unintentional attack
type of consequence, involving accidental , exposure of information to an agent not authorized access
Inadvertant disclosure
security profile implementation of the security effort within a organization
security posture
possibility that a particular threat will adversely impact an information systems by exploiting a particular vulnerability assessment if risk must take into account to exploit
risk
process for an organization to address the risk in their environment.There are several management frameworks and each defines a proceed organization to follow
Risk Management
risk not avoided or transferred are retained by the organization
risk acceptance
not performing an activity that would incur risk
Risk Avoidance
taking action to reduce to reduce the lossess due to a risk
risk mitigation
shift the risk to someone else
risk transfer
attack subject
threat actor
attack object
target information system
organization/entity is a set of ways in which an adversay can enter the system is vulnerable to attack
attack surface
instance when the system is vulnerable to attack
exposure
situation in which the attacker has succeed
comprise
recognized action specific generalized or theoritical that an adversary (threat actor) might be expected to take in preparation for an attack
indicator
outcome of an attack
consequences
generic term that implies a mechanism in a place to provide a basis for confidence in the reability/ security of a system
trust
security features of a system that provide enforcement of a security policy
trust mechanism
collection of all the trust mechanism of a computer system which collectively enforce the policy
trusted computing base
measure of confidence that the security features, practices, procedures and architecture of a system accurately mediates
Assurance
provides unified approach to conceptualizing parts of IA
trusted management
big part of IA
controlling interaction(actions,principals,policies, and credentials)
process which an assets is manage from its arrival or creation to it's termination or destruction
life cycle
process, divided into stages performed sequentially
waterfall model
process which the project manager for a system qill ensure that appropriate information assurance safeguards are incorporated into a system
security system life cycle
Class APE
System evaluation
Class ACM
configuration management
Class ADO
Delivery Operations
Class ADV
Development
Class AGC
Guidance Documentation
Class ALC
Life Cycle
Class ATE
Test
Class AVA
Vulnerabilitiy Assessment
Class AMA
Maintenance Assurance
what are the 7 waterfall model sequentially performed
1, Requirements
2, Design
3, Coding
4, Testing
5, Deployment
6, Production
7, Decommission
various policy management systems - buit the goal of formalizing and describing these relationship
keynote 1999
extensible access control markup language
xacml 2009
defines several life cycle models for development/ acquisition of computer software
software engineering
building secure software assert that software and system security is "all about managing risk"
viega and mcgraw
6 steps of viega and megraw
assess assets
assess threats
assess vulnerabilities
assess risk
prioritize countermeasures options
make risk management decision