Security Architecture Engineering (SAE) Flashcards
1
Q
Accreditation
A
the managerial approval to operate a system based upon knowledge of risk to operate
2
Q
Alarm Station
A
A manually actuated device installed at a fixed location to transmit an alarm signal in response to an alarm condition.
3
Q
Annunciator
A
A device that signals a change of protection zone status in a security system.
4
Q
Architecture
A
high level design or model with a goal of consistency, integrity, and balance
5
Q
Bell-LaPadula
A
Security policy model with simple security property and *-property. The simple security property is no process may read data at a higher level. This is also known as no read up (NRU). The *-property: no process may write data to a lower level. This is also known as no write down (NWD).
6
Q
Biba
A
Security policy model that deals with integrity alone and ignores confidentiality. First rule integrity - preventing unauthorized users from making modifications. Simple integrity - No read down. Star integrity - No write up. Service commands - Tranquility.
7
Q
Blackout
A
prolonged loss of commercial power
8
Q
Bollard
A
vehicle stopping object
9
Q
Bolt
A
The part of a lock which, when actuated, is projected (or “thrown”) from the lock into a retaining member, such as a strike plate, to prevent a door or window from moving or opening.
10
Q
Bounds
A
a process consist of limits set on the memory addresses and resources it can access. The bounds state the area within which a process is confined or contained.
11
Q
Brewer-Nash
A
Created Chinese-Wall model to handle conflicts of interest. Law firm 1 works for Company A. Law firm 2 works for Company B. Law firm 1 and Law firm2 merges. Ensures paralegals on Law firm 1 only works on Company A and paralegals on Law firm 2 only works on Company B.
12
Q
Brownout
A
reduction of voltage by the utility company for a prolonged period of time
13
Q
Bumping
A
hitting a filed down key in a lock with a hammer to open without real key
14
Q
Capacitance
A
The property of two or more objects, which enables them to store electrical energy in an electric field between them. The basic measurement unit is the Farad.
15
Q
Card Access
A
A type of access control system that uses a card with a coded area or strip, on or inside the card, to actuate a lock or other access control device.
16
Q
Card Key
A
A card usually plastic, that contains encoded information to open a locking device.
17
Q
Central Processing Unit
A
the core of a computer that calculates
18
Q
Central Station
A
An organization or business established for the purpose of monitoring subscribers’ alarm systems from a centralized monitoring location rather than at the individual sites.
19
Q
Certification
A
the technical and risk assesment of a system within the context of the operating environment
20
Q
CICS
A
complex instructions. Many operations per instruction. Less number of fetches
21
Q
Clark and Wilson
A
Integrity security model. Three integrity goals: Preventing unauthorized users from making modifications, Preventing authorized users from making improper modifications, maintaining internal and external consistency. Defines well formed transactions, Separation of duties, Access Triple - subject-application-object.
22
Q
Classified Information
A
Official information that has been identified and marked as Top Secret, Secret, or Confidential in the interests of national security.~
23
Q
Closed Circuit Television (CCTV)
A
A television system, hard-wired, used for proprietary purposes and not for public or general broadcast.
24
Q
Combination Lock
A
A keyless lock which requires the turning of a numbered dial to a preset sequence of numbers for the lock to open.
25
Common Criteria
the current internationally accepted set of standards and processes for information security products evaluation and assurance, which joins function and assurance requirements
26
Confinement
to restrict the actions of a program. Simply put, process confinement allows a process to read from and write to only certain memory locations and resources. This is also known as sandboxing.
27
Conflict of interest
one entity with two competing allegiances
28
Covert Channel
an unintended communication path
29
CPU Cache
dedicated fast memory located on the same board as the CPU
30
Custodian
An individual who is designated the responsibility for maintaining, safeguarding and accounting for classified information.
31
Data Execution Prevention
a system-level memory protection feature that is built into the OS, it prevents code from being run from data pages such as the default heap, stacks, and memory pools.
32
Data hiding
a software design technique for abstraction of a process
33
Data Mining
technique allow analysts to comb through data warehouses and look for potential correlated information.
34
Data Warehousing
large databases, store large amounts of information from a variety of databases for use with specialized analysis techniques.
35
Deadbolt Lock
A lock that uses strong metal components that cannot be easily forced.
36
Dedicated Line
A power or transmission line with a single function, such as data transmission, or to a single source such as an outlet for a computer.
37
Deterrent
Any physical or psychological device or method that discourages action.
38
Doppler Effect
The change in the frequency of a light wave or sound wave, resulting from relative motion of the source and the receiver.
39
Electromagnetic Interference (EMI)
high frequency noise
40
Electromagnetic Lock
A door lock that uses an electrically actuated magnetic attraction to secure the door. Magnetic locks use no moving parts.
41
Electrostatic Discharge
power surge
42
Embedded
hardware or software that is part of a larger system
43
Fault
momentary loss of power
44
Fire Detection
Alerts personnel to the presence of a fire
45
Fire Prevention
Reduces causes of fire
46
Fire Suppression
to reduce fire
47
Firmware
reprogrammable basic startup instructions
48
Foil
An electrically conductive ribbon used for a sensing circuit.
49
Framework
third party processes used to organize the implementation of an architecture
50
Generator
fault tolerance for power
51
Gong
Not model implementation, not answer
52
Graham Denning
focused on relationship between subjects and objects. Need update, delete, modify. Integrity security model.
53
Harrison-Russo-Ullman
More granular than Graham Denning. Access control with list and matrix. Integrity security model.
54
Information Flow model
mediation of covert channels must be addressed
55
Infrared Motion Detector
A passive, low power, area protection device that detects a change in ambient temperature within the coverage pattern caused by the movement of a body.
56
Infrastructure
specific format of technical and physical controls that support the chosen framework and the architecture
57
Inrush Current
initial surge of current
58
Interference (noise)
natural occurrence in circuits that are in close proximity
59
Intrusion Detection System
An alarm system comprised of intrusion sensors and alarm annunciation devices for the purpose of detecting intruders.
60
ISO 27001
focused on the standardization and certification of an organization’s information security management system (ISMS), security governance, a standard; ISMS. Info security minimum systems
61
ISO 27002
inspired from ISO 17799; a guideline which lists security control objectives and recommends a range of specific security controls; more granular than 27001. 14 areas
62
ITSEC
the past internationally accepted set of standards and processes for information security products evaluation and assurance, which separates function and assurance requirements
63
Jeuneman
Not model implementation, not answer
64
Karger
Not model implementation, not answer
65
Kernel
the core logic engine of an operating system which almost never changes
66
Lattice
a one way, directed graph which indicates confidentiality or integrity flow
67
Layering
a programming design concept which abstracts one set of functions from another in a serialized fashion
68
Lee & Shockley
Not model implementation, not answer
69
Lipner
Confidentiality and Integrity - use for VAX VMS and Windows
70
MAC
Subjects are labelled as to their level of clearance. Objects are labelled as to their level of classification or sensitivity.
71
Mantrap
a physical enclosure for verifying identity before entry to a facility SYN- double door system
72
Masked/Interruptible
cooperative hardware and operating system notification process for prioritizing execution due to the change in state of components
73
Memory Addressing
When using memory resources, the processor must have some means of referring to various locations in memory. The solution to this problem is known as addressing
74
Memory management
a program in the operating system responsible for maintaining the hierarchical storage relocation requirements for processes and data from RAM to hard drives
75
Microwave Sensor
An active intrusion sensor that detects the movement of a person or object through a pattern of microwave energy.
76
Monolithic Operating System Architecture
All of the code working in kernel mode/system mode in an ad hoc and non-modularized OS
77
Multi Threading
execute different parts of a program simultaneously
78
Multi-Core
more than one CPU on a single board
79
Multi-processing
to execute more than one instruction at an instant in time
80
Multi-processor
more than one processor sharing same memory, also know as parallel systems
81
Multi-programming
rapid switching back and forth between programs from the computer's perspective and appearing to do more that one thing at a time from the user's perspective
82
Multi-state machine
can offer several security levels without risk of compromising the system’s integrity.
83
Multi-tasking
more than one process in the middle of executing at a time
84
Multiprocessing
more than one CPU is involved.
85
Multitasking
execute more than one task at the same time
86
Non-interference
subjects will not interact with each other's objects
87
Operating
state of computer, to be running a process
88
Paging
divides memory address space into even size blocks called pages. To emulate that we have more RAM than we have.
SYSTEM KERNAL KNOWS THE LOCATION OF THE PAGE FILE
89
Photoelectric Alarm
A kind of motion detector that uses a focused beam of light to detect an intruder.
90
Picking
using small special tools all tumblers of the lock are aligned for opening a door
91
Preemptive
a type of multitasking that allows for more even distribution of computing time among competing request
92
Primary storage
memory - RAM
93
Process isolation
a form of data hiding which protects running threads of execution from using each other's memory
94
Protection
memory management technique that allows two processes to run concurrently without interaction
95
Protection Keying
Numerical values, Divides physical memory up into particular sized blocks, each of which has an associated numerical value called a protection key
96
Race Condition
two or more processes require access to the same resource and must complete their tasks in the proper order for normal functions
97
Radio Frequency Interference (RFI)
lower frequency noise
98
Rainbow series
Red = trusted network, Orange = TCSEC evaluation
Brown = trusted facilities management dcsmmmTan = audit, Aqua = glossary.
Green = password management
99
Reference Monitor
the hardware and software mediator of all subject and object interactions which has as its primary goal security policy enforcement.
100
Relocation
memory management technique which allows data to be moved from one memory address to another
101
Ring protection
implementation of operating system protection mechanism, where more sensitive built upon the layering concept
102
RISC
reduced instructions. Simpler operations per instruction. More fetches.
103
Running
a process state, to be executing a process on the CPU
104
SaaS
Software-as-a-Service, is a derivative of PaaS. Provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations.
105
SABSA
Sherwood Applied Business Security Architecture (SABSA) is an enterprise security architecture framework that is similar to the Zachman framework. It uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual).
106
Sag/Dip
short period of low voltage.
107
Secondary storage
the hard drive
108
Security Blueprint
a template for the designing the architecture
109
Security domain
an administrative unit or a group of objects and subjects controlled by one reference monitor
110
Security kernel
subset of operating systems components dedicated to protection mechanisms
111
Segmentation
dividing a computer’s memory into segments.
112
Sharing
memory management technique which allows subjects to use the same resource
113
Single state machine
operates in the security environment at the highest level of classification of the information within the computer. In other words, all users on that system must have clearance to access the info on that system.
114
Site accreditation
the applications and systems at a specific, self-contained location are evaluated.
115
Stack Memory Segment
used by processors to communicate instructions and data to each other
116
State machine model
abstract and mathematical in nature, defining all possible states, transitions and operations
117
Stopped
a process state, to be either be unable to run waiting for an external event or terminated
118
Supervisor mode
(monitor, system, privileged) a state for operating system tasks only
119
Surge
sudden rise in voltage in the power supply.
120
Surge Suppressor
to reduce sudden rises in current
121
Surreptitious Entry
The unauthorized entry into a facility or security container in a manner in which evidence of such entry is not discernable under normal circumstances.
122
Surveillance
high degree of visual control
123
Sutherland
Not model implementation, not answer
124
System accreditation
a major application or general support system is evaluated.
125
TCSEC (Orange Book)
the past U.S. military accepted set of standards and processes for computer systems evaluation and assurance, which combines function and assurance requirements
126
Territoriality
people protect their domain
127
Threads
a unit of execution
128
TNI (Red Book)
the past U.S. military accepted set of standards and processes for network evaluation and assurance, which combines function and assurance requirements
129
TOCTTOU attack
race condition exploits, and communication disconnects are known as state attacks because they attack timing, data flow control, and transition between one system state to another.
130
Top Guard
Anti-personnel device, usually of barbed or concertina wire, installed at the tops of fences and along roof edges.
131
Transients
line noise that is superimposed on the supply circuit.
132
Trusted Computing Base
all of the protection mechanism in a computer system
133
Type accreditation
an application or system that is distributed to a number of different locations is evaluated.
134
Ultrasonic Detector
A device that senses motion in a protected area by a Doppler shift in the transmitted ultrasonic energy.
135
Uninterruptible Power Source UPS
to smooth out reductions or increases in power
136
User mode
(problem or program state) the problems solving state, the opposite of supervisor mode
137
Virtual Memory
memory management programming which make the limited RAM of the physical machine appear to be more by using a portion of the hard drive
138
Virtual SAN
software-defined shared storage system is a virtual re-creation of a SAN on top of a virtualized network or an SDN.
139
Wait
a process state, (blocked) needing input before continuing
140
Zachman framework
Enterprise Architecture Framework
A two-dimensional model that intersects communication interrogatives (What, Why, Where, and so on) with various viewpoints (Planner, Owner, Designer, and so on). It is designed to help optimize communication between the various viewpoints during the creation of the security architecture.
141
Zone
Large protected premises are divided into areas or zones, each having it own identification and/or annunciation.
142
IPv6 features
Mobile
Quality of Service
Jumbograms
Next Header
IPsec as next header
143
IPv6 Control
Limit unsanctioned paths
Threat
Vulnerable to eavesdropping and injection attacks -> v6 globally unique addresses ->
If VPN dropped, possible communication
144
IPv6 Control
Limit addresses to a small range of a subnet and controlling assignment rate
NDP DoS attacks when a router is overwhelmed by address resolution requests
145
IPv6 Control
Router advisement guard
Eavesdropping via spoofed router advertisements
146
IPv6 Control
DHCPv6 - Shield filtering rules
Unauthorized ports and malicious packets for DHCP services
147
IPv6 Control
PEPs configured to enforce recommended header order
Malformed packets: do not conform to the recommended header extension order or maximum number of extension header repetitions
