Asymmetric key cryptography

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Asynchronous attack

(1) An attempt to exploit the interval between a defensive act and the attack in order to render the defensive act ineffective. For instance, an operating task may be interrupted immediately after it has checked a stored parameter. The user regains control and malevolently changes the parameter; the operating system regains control and continues processing using the maliciously altered parameter. (2) An indirect attack on a program that alters legitimate data or code while the program is idle, so that the changes take effect when the target program is later executed.
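The check-then-use gap in definition (1), as an added example that is not part of the glossary: a task validates a stored parameter, loses control for a moment, and then uses the parameter. The interleaving is simulated in one thread through an `on_yield` hook so the outcome is deterministic; the class, function and path names are assumptions.

```python
# Added example (not from the glossary): a simulated asynchronous (check-then-use)
# attack and the corresponding hardened pattern. Names and paths are assumptions.

class SharedParameter:
    """A stored parameter that the operating task checks and later uses."""
    def __init__(self, value: str) -> None:
        self.value = value

def vulnerable_open(param: SharedParameter, allowed: set, on_yield) -> str:
    """Checks the stored parameter, loses control (on_yield), then reads it again.
    The second read is the defect: it may not be the value that was checked."""
    if param.value not in allowed:
        raise PermissionError(param.value)
    on_yield()                        # the interval between the check and the use
    return f"opened:{param.value}"    # uses whatever the parameter holds now

def hardened_open(param: SharedParameter, allowed: set, on_yield) -> str:
    """Reads the parameter once, validates that copy and uses only that copy,
    so a change made during the interval cannot reach the operation."""
    snapshot = param.value            # the checked value and the used value are the same
    if snapshot not in allowed:
        raise PermissionError(snapshot)
    on_yield()
    return f"opened:{snapshot}"

def run_scenario(open_fn) -> str:
    """Constructed scenario: the parameter is altered while the task is suspended."""
    param = SharedParameter("/data/public/report.txt")
    allowed = {"/data/public/report.txt"}

    def on_yield() -> None:
        param.value = "/data/secret/keys.txt"   # change made during the interval

    return open_fn(param, allowed, on_yield)
```

For real file-system objects the same principle means validating and using one handle (open the file, then inspect the descriptor) rather than checking a path name and opening it afterwards.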

Asynchronous transfer mode (ATM) network

Asynchronous transfer mode (ATM) network is a fast packet-switching network that is the foundation for the broadband integrated services digital network (B-ISDN). ATM uses cell technology to transfer data at high speeds using packets of fixed size. The ATM network is a non-IP wide-area network (WAN) because the Internet Protocol (IP), a connectionless protocol, does not fit well with the connection-oriented ATM network.

Attack

(1) The realization of some specific threat that impacts the confidentiality, integrity, accountability, or availability of a computational resource. (2) The act of trying to bypass security controls on a system or a method of breaking the integrity of a cipher. (3) An attempt to obtain a subscriber’s token or to fool a verifier into believing that an unauthorized individual possesses a claimant’s token. (4) An attack may be active, resulting in the alteration of data, or passive, resulting in the release of data. Note: The fact that an attack is made does not necessarily mean it will succeed. The degree of success depends on system vulnerability or activity and the effectiveness of existing countermeasures.

Attack-in-depth strategy

Malicious code attackers use an attack-in-depth strategy to carry out their goal. Single-point solutions cannot stop all of their attacks; a defense-in-depth strategy can.

Attack signature

A specific sequence of events indicative of an unauthorized access attempt.

Attacker

(1) A party who is not the claimant or verifier but wishes to successfully execute the authentication protocol as a claimant. (2) A party who acts with malicious intent to assault an information system.

Attacker’s work factor

The amount of work necessary for an attacker to break the system or network should exceed the value that the attacker would gain from a successful compromise.

Attribute

A distinct characteristic of real-world objects often specified in terms of their physical traits, such as size, shape, weight, and color. Objects in cyber-world might have attributes describing things such as size, type of encoding, and network address. Attributes are properties of an entity. An entity is described by its attributes. In a database, the attributes of an entity have their analogues in the fields of a record. In an object database, instance variables may be considered attributes of the object.

Attribute-based access control (ABAC)

(1) Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. It is an access control ruleset that defines the combination of attributes under which an access may take place. (2) An access control approach in which access is mediated based on attributes associated with subjects (requesters) and the objects to be accessed. Each object and subject has a set of associated attributes, such as location, time of creation, and access rights. Access to an object is authorized or denied depending upon whether the required (e.g., policy-defined) correlation can be made between the attributes of that object and of the requesting subject.
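A small ruleset of the kind definition (1) describes, as an added example that is not part of the glossary: each rule compares attributes of the subject, the object and the environment, and the combination of rules listed for an action must hold for access to take place. The attribute names, rules and sample entities are assumptions.

```python
# Added example (not from the glossary): a minimal ABAC ruleset. Attribute
# names, rules and the sample subjects/objects/environments are assumptions.
from datetime import time

CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}

def rule_clearance(subject, obj, env):
    """Subject clearance must dominate the object's classification."""
    return CLEARANCE[subject["clearance"]] >= CLEARANCE[obj["classification"]]

def rule_location(subject, obj, env):
    """The request must originate from a network the object may be served to."""
    return env["location"] in obj["allowed_locations"]

def rule_same_department(subject, obj, env):
    """Writes are confined to the department that owns the object."""
    return subject["department"] == obj["owner_department"]

def rule_business_hours(subject, obj, env):
    """Writes are allowed 08:00-18:00, or at any time for on-call staff."""
    return time(8, 0) <= env["time"] <= time(18, 0) or "on-call" in subject["roles"]

# The ruleset: every rule listed for an action must hold for access to be granted.
POLICY = {
    "read": (rule_clearance, rule_location),
    "write": (rule_clearance, rule_location, rule_same_department, rule_business_hours),
}

def is_authorized(action, subject, obj, env):
    rules = POLICY.get(action)
    if rules is None:
        return False                     # actions not covered by policy are denied
    return all(rule(subject, obj, env) for rule in rules)

# Constructed sample entities
ALICE = {"department": "finance", "clearance": "confidential", "roles": {"analyst"}}
BOB = {"department": "sales", "clearance": "internal", "roles": {"on-call"}}
LEDGER = {"classification": "confidential", "owner_department": "finance",
          "allowed_locations": {"corp-lan", "vpn"}}
OFFICE_DAY = {"location": "corp-lan", "time": time(14, 30)}
CAFE_NIGHT = {"location": "public-wifi", "time": time(22, 15)}
VPN_NIGHT = {"location": "vpn", "time": time(22, 0)}
```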

Attribute-based authorization

A structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.

Attribute certificate

A live scan of a person’s biometric measure is translated into a biometric template, which is then placed in an attribute certificate.

Audit

The independent examination of records and activities to assess the adequacy of system controls, to ensure compliance with established controls, policies, and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit reduction tools

Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.
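An added example, not part of the glossary, that serves both this entry and the "Attack signature" entry above: the reduction step removes records of a specified low-significance event class (nightly backups) from constructed audit records, and the signature check then looks for a sequence of events (repeated failed logons followed by a successful one from the same user and source within a short window) rather than any single record. The record format, event names and thresholds are assumptions.

```python
# Added example (not from the glossary): audit reduction followed by matching an
# attack signature over the remaining records. Format and thresholds are assumptions.
from datetime import datetime

# Constructed audit records: "ISO-timestamp EVENT user source"
AUDIT_LOG = """\
2024-03-01T02:00:01 BACKUP_START system localhost
2024-03-01T02:41:13 BACKUP_END system localhost
2024-03-01T09:12:05 AUTH_FAIL jsmith 10.0.0.7
2024-03-01T09:12:09 AUTH_FAIL jsmith 10.0.0.7
2024-03-01T09:12:14 AUTH_FAIL jsmith 10.0.0.7
2024-03-01T09:12:20 AUTH_OK jsmith 10.0.0.7
2024-03-01T09:30:00 AUTH_FAIL mlee 10.0.0.9
2024-03-01T11:00:00 AUTH_OK mlee 10.0.0.9
"""

LOW_SIGNIFICANCE = {"BACKUP_START", "BACKUP_END"}   # event classes removed before review

def parse(log: str):
    records = []
    for line in log.splitlines():
        ts, event, user, source = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "source": source})
    return records

def reduce_audit(records, drop=LOW_SIGNIFICANCE):
    """Audit reduction: discard records of event classes known to have little significance."""
    return [r for r in records if r["event"] not in drop]

def find_signature(records, failures=3, window_s=120):
    """Return (user, source) pairs showing >= `failures` AUTH_FAIL records followed by
    an AUTH_OK within `window_s` seconds. The sequence is the signature, not one record."""
    hits = []
    pending = {}                               # (user, source) -> timestamps of failures
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["user"], r["source"])
        fails = pending.setdefault(key, [])
        if r["event"] == "AUTH_FAIL":
            fails.append(r["ts"])
        elif r["event"] == "AUTH_OK":
            recent = [t for t in fails if (r["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= failures:
                hits.append(key)
            fails.clear()                      # a success ends the current sequence
    return hits
```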

Audit trail

(1) A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of events and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to results. (2) A record showing who has accessed an IT system and what operations the user has performed during a given period. (3) An automated or manual set of records providing documentary evidence of user transactions. (4) It is used to aid in tracing system activities. This is a technical and detective control.

Auditability

Features and characteristics that allow verification of the adequacy of procedures and controls and of the accuracy of processing transactions and results in either a manual or automated system.

Authenticate

To confirm the identity of an entity when that identity is presented.

Authentication

(1) Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (2) A process that establishes the origin of information or determines an entity’s identity. (3) The process of establishing confidence of authenticity and, therefore, the integrity of data. (4) The process of establishing confidence in the identity of users or information systems. (5) Designed to protect against fraudulent activity, authentication verifies the user’s identity and eligibility to access computerized information. It is proving that users are who they claim to be and is normally paired with the term identification. Typically, identification is performed by entering a name or a user ID, and authentication is performed by entering a password, although many organizations are moving to stronger authentication methods such as smart cards and biometrics. Although the ability to sign onto a computer system (enter a correct user ID and password) is often called “accessing the system,” this is actually the identification and authentication function. After a user has entered a system, access controls determine which data the user can read or modify and what programs the user can execute. In other words, identification and authentication come first, followed by access control. Continuous authentication is most effective. When two types of identification are used to authenticate a user, it is called a two-factor authentication process.