
Business rules processor

The sub-component of a service-oriented architecture (SOA) that manages and executes the set of complex business rules that represent the core business activity supported by the component.

Bypass capability

The ability of a service to partially or wholly circumvent encryption or cryptographic authentication.

C

C2C

Consumer-to-consumer (C2C) is an electronic commerce model involving consumers selling directly to consumers (e.g., eBay).

Cache attack

Computer processors are equipped with a cache memory that reduces memory access latency: the processor looks for data in the cache first and only then in main memory. When the data is not where the processor expects it, a cache miss occurs, and the access takes measurably longer. Cache attacks exploit that timing difference. An unprivileged process that shares a cache with a victim process can flush or evict cache lines, let the victim run, and then measure which lines the victim brought back in, despite the partitioning methods in place (for example, memory protection, sandboxing, and virtualization). If the victim's memory-access pattern depends on a secret, the secret leaks: table-driven implementations of block ciphers such as DES and AES index their lookup tables with key-dependent values, so the lines touched reveal key bits. The exposure is a property of the implementation, not of the algorithm's cryptographic strength; AES is stronger than DES, yet its table-based implementations were early practical targets. The defence is an implementation whose memory accesses do not depend on secret data (constant-time code, or hardware instructions such as AES-NI), not a switch to a "stronger" cipher.
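The mechanism described above, as an added example that is not from the glossary: a deterministic software model of a Flush+Reload attack on the first round of a table-driven cipher. The cache model, the timing constants, the lookup table, the victim routines and the test key are all constructed here; a real attack replaces the model with clflush/rdtsc (or cache eviction) on actual hardware. The second victim shows the countermeasure: the same computation with a key-independent access pattern.

```python
"""Simulated Flush+Reload attack on a table-driven cipher round.

Added example, not code from the glossary: the cache model, timing numbers,
lookup table and victim are all constructed so the leak can be shown
deterministically; a real attack uses clflush/rdtsc (or eviction) on hardware.
"""
import random

LINE_SIZE = 16                      # table entries per cache line
TABLE_SIZE = 256                    # one byte-indexed lookup table (S-box style)
N_LINES = TABLE_SIZE // LINE_SIZE   # 16 lines
HIT_CYCLES, MISS_CYCLES, THRESHOLD = 40, 200, 100   # toy access-time model

# Any fixed byte table works; its contents are irrelevant, only its *indices* leak.
SBOX = [(x * 167 + 13) & 0xFF for x in range(TABLE_SIZE)]


class SharedCache:
    """Tracks which lines of SBOX are resident. Shared by victim and attacker,
    as a last-level cache (or the L1 of a shared core) is."""

    def __init__(self):
        self.resident = set()

    def flush(self):                 # attacker: clflush every line of the table
        self.resident.clear()

    def access(self, index):         # returns the access time, then caches the line
        line = index // LINE_SIZE
        cycles = HIT_CYCLES if line in self.resident else MISS_CYCLES
        self.resident.add(line)
        return cycles


def victim_round(cache, key, plaintext):
    """First round of a table-driven cipher: T[p_i ^ k_i] per byte. The index,
    hence the cache line touched, is key-dependent: this is the leak."""
    out = []
    for p, k in zip(plaintext, key):
        idx = p ^ k
        cache.access(idx)
        out.append(SBOX[idx])
    return bytes(out)


def victim_round_hardened(cache, key, plaintext):
    """Same result, but every line of the table is touched on every lookup, so
    the access pattern no longer depends on the key (one standard countermeasure)."""
    out = []
    for p, k in zip(plaintext, key):
        for line in range(N_LINES):
            cache.access(line * LINE_SIZE)
        out.append(SBOX[p ^ k])
    return bytes(out)


def attacker_probe(cache):
    """Reload step: time one access per line; a fast access means the victim
    touched that line since the flush."""
    return {line for line in range(N_LINES)
            if cache.access(line * LINE_SIZE) < THRESHOLD}


def recover_high_nibbles(victim, key, samples=64, seed=1):
    """Flush, run the victim on a known plaintext, probe; repeat. Returns, per
    key byte, the set of high-nibble values still consistent with every probe.
    The attacker only knows the plaintexts; `key` is handed straight to the
    victim and never inspected here."""
    rng = random.Random(seed)
    cache = SharedCache()
    candidates = [set(range(16)) for _ in key]
    for _ in range(samples):
        plaintext = bytes(rng.getrandbits(8) for _ in key)
        cache.flush()
        victim(cache, key, plaintext)
        hit = attacker_probe(cache)
        for i, p in enumerate(plaintext):
            # line for byte i is (p ^ k) >> 4 == (p >> 4) ^ (k >> 4); any candidate
            # for k >> 4 whose predicted line was not hit is impossible
            candidates[i] = {c for c in candidates[i] if ((p >> 4) ^ c) in hit}
    return candidates


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # constructed 16-byte test key

if __name__ == "__main__":
    leaky = recover_high_nibbles(victim_round, KEY)
    print("leaky victim     :", [sorted(c) for c in leaky])   # one value per byte
    print("true high nibbles:", [k >> 4 for k in KEY])
    safe = recover_high_nibbles(victim_round_hardened, KEY)
    print("hardened victim  :", [len(c) for c in safe])      # 16 candidates per byte
```

With a 16-entry cache line the probe cannot distinguish table entries that share a line, so this first-round analysis recovers only the high four bits of each key byte; the low bits are left to brute force or to a second-round analysis. Against the hardened victim every line is hit on every probe and no candidate is ever eliminated, which is exactly the property a constant-time implementation must have.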

Callback

Procedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the caller and then reestablishes contact itself, for example by dialing the telephone number registered for that terminal.

Campus-area network (CAN)

An interconnected set of local-area networks (LANs) in a limited geographical area such as a college campus or a corporate campus.

Capability list

A list attached to a subject ID specifying what accesses are allowed to the subject.
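As an added example (not from the glossary), the following builds both views of one access matrix: capability lists attached to each subject ID, and, for contrast, the access control lists attached to each object. Each capability carries an HMAC tag so that its holder cannot forge or widen it, and the revocation routine shows why revoking access to an object is harder with capability lists than with ACLs. The subjects, objects, rights and reference-monitor key are all constructed for illustration.

```python
"""Capability lists versus access control lists (ACLs), derived from one
access matrix, with each capability protected by a MAC so its holder cannot
forge or alter it.

Added example, not code from the glossary: the subjects, objects, rights and
the reference monitor's key are constructed for illustration.
"""
import hashlib
import hmac
import json

# The access matrix both views are sliced from: subject -> object -> rights.
MATRIX = {
    "alice":  {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob":    {"report.pdf": {"read", "write"}},
    "backup": {"payroll.db": {"read"}, "report.pdf": {"read"}},
}
MONITOR_KEY = b"constructed-reference-monitor-key"   # known only to the reference monitor


def mint(subject, obj, rights):
    """One capability: (subject, object, rights) plus an HMAC tag. Without the
    tag a capability is just a claim the holder could edit."""
    body = json.dumps({"sub": subject, "obj": obj, "rights": sorted(rights)}, sort_keys=True)
    tag = hmac.new(MONITOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def valid(cap):
    """True only if the tag matches, i.e. the monitor issued this exact body."""
    expected = hmac.new(MONITOR_KEY, cap["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cap["tag"])


def capability_lists(matrix):
    """Row view: each subject ID carries its own list of what it may access."""
    return {s: [mint(s, o, r) for o, r in objs.items()] for s, objs in matrix.items()}


def access_control_lists(matrix):
    """Column view of the same matrix: each object lists who may access it."""
    acls = {}
    for s, objs in matrix.items():
        for o, r in objs.items():
            acls.setdefault(o, {})[s] = set(r)
    return acls


def check(cap_lists, subject, obj, right):
    """Reference-monitor decision on the capabilities a subject presents."""
    for cap in cap_lists.get(subject, []):
        if not valid(cap):
            continue                         # forged or tampered: ignored
        body = json.loads(cap["body"])
        if body["sub"] == subject and body["obj"] == obj and right in body["rights"]:
            return True
    return False


def revoke_object(cap_lists, obj):
    """Revocation is the weak spot of capability lists: the monitor must visit
    every subject's list (an ACL needs one change on the object). Returns the
    number of capabilities removed."""
    removed = 0
    for subject, caps in cap_lists.items():
        keep = [c for c in caps if json.loads(c["body"])["obj"] != obj]
        removed += len(caps) - len(keep)
        cap_lists[subject] = keep
    return removed


def tamper(cap, new_rights):
    """What a holder might try: rewrite the rights field without the key."""
    body = json.loads(cap["body"])
    body["rights"] = sorted(new_rights)
    return {"body": json.dumps(body, sort_keys=True), "tag": cap["tag"]}


if __name__ == "__main__":
    caps = capability_lists(MATRIX)
    print("alice write payroll.db:", check(caps, "alice", "payroll.db", "write"))
    print("bob read payroll.db   :", check(caps, "bob", "payroll.db", "read"))
    print("tampered capability accepted:", valid(tamper(caps["backup"][0], {"read", "write"})))
    print("ACL for payroll.db:", access_control_lists(MATRIX)["payroll.db"])
    print("capabilities removed by revoking payroll.db:", revoke_object(caps, "payroll.db"))
```

The MAC is what makes the list a capability list rather than a wish list: in a real system the same property comes from the kernel keeping capabilities in protected memory, from tagged memory, or from a cryptographic tag as here.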

Capability maturity model (CMM)

CMM is a five-stage model of how software organizations improve, over time, in their ability to develop software. Knowledge of the CMM provides a basis for assessment, comparison, and process improvement. The Carnegie Mellon Software Engineering Institute (SEI) has developed the CMM.

Capture

The method of taking a biometric sample from an end user.

Capturing (password)

The act of an attacker acquiring a password from storage, transmission, or user knowledge and behavior.

Cardholder

An individual possessing an issued personal identity verification (PIV) card.

Carrier sense multiple access (CSMA) protocols

Carrier sense multiple access (CSMA) protocols listen to the channel for a transmitting carrier before sending and act accordingly. If the channel is busy, the station waits until it becomes idle; when it detects an idle channel, it transmits a frame. If a collision occurs, the station waits a random amount of time (binary exponential backoff) and starts all over again. The variants differ in how they deal with collisions: CSMA/CD (collision detection) aborts a transmission as soon as a collision is detected, and CSMA/CA (collision avoidance) tries to prevent collisions on media where they cannot be detected while sending, such as wireless links. CSMA/CD operates in the MAC sublayer of LANs and is the basis of classic shared-medium (half-duplex) Ethernet; CSMA/CA is used by IEEE 802.11 wireless LANs.
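The sense, defer, collide and back off cycle described above, as an added example that is not from the glossary: a slotted simulation of CSMA/CD with truncated binary exponential backoff. The stations, frame counts, slot model and constants are constructed to show the mechanism, not to reproduce IEEE 802.3 timing.

```python
"""Slotted simulation of CSMA/CD with truncated binary exponential backoff.

Added example, not code from the glossary: the stations, frame counts, slot
model and constants are constructed to show the mechanism (sense, defer,
collide, back off), not to reproduce IEEE 802.3 timing.
"""
import random

FRAME_SLOTS = 3        # a frame occupies the channel for this many slots
MAX_EXPONENT = 10      # the backoff window stops doubling after 10 collisions
ATTEMPT_LIMIT = 16     # a frame that collides 16 times is dropped


def simulate(frames_per_station, seed=7, max_slots=5000):
    """Run until every station has sent its frames. Returns (delivered,
    collisions, dropped); delivered lists (start_slot, station) per frame."""
    rng = random.Random(seed)
    pending = list(frames_per_station)       # frames still to send, per station
    attempts = [0] * len(pending)            # collisions suffered by the current frame
    ready_at = [0] * len(pending)            # slot at which a station's backoff ends
    busy_until = 0                           # channel is busy for slots < busy_until
    delivered, collisions, dropped = [], 0, 0
    slot = 0
    while any(pending) and slot < max_slots:
        if slot < busy_until:                # carrier sensed: every station defers
            slot += 1
            continue
        senders = [s for s, n in enumerate(pending) if n and ready_at[s] <= slot]
        if len(senders) == 1:                # idle channel, one talker: the frame goes through
            s = senders[0]
            delivered.append((slot, s))
            pending[s] -= 1
            attempts[s] = 0
            busy_until = slot + FRAME_SLOTS
        elif len(senders) > 1:               # collision detected: abort, jam, back off
            collisions += 1
            for s in senders:
                attempts[s] += 1
                if attempts[s] > ATTEMPT_LIMIT:
                    pending[s] -= 1          # give up on this frame
                    attempts[s] = 0
                    dropped += 1
                    continue
                window = 1 << min(attempts[s], MAX_EXPONENT)    # 2, 4, 8, ... 1024 slots
                ready_at[s] = slot + 1 + rng.randrange(window)
        slot += 1
    return delivered, collisions, dropped


if __name__ == "__main__":
    delivered, collisions, dropped = simulate([4, 4, 4])
    print("frames delivered:", len(delivered), "collisions:", collisions, "dropped:", dropped)
    for start, station in delivered:
        print(f"slot {start:4d}: station {station}")
```

All three stations are ready at slot 0, so the first attempt collides and the random backoff is what separates them afterwards. The protocol relies on every station honouring that backoff: a station that ignores it, or simply keeps the carrier up, starves the others, and classic CSMA has no mechanism to enforce good behaviour.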

CERT/CC

See computer emergency response team coordination center (CERT/CC)

Certificate

(1) A set of data that uniquely identifies a key pair and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner. Additional information in the certificate could specify how the key is used and its crypto-period. (2) A digital representation of information which at least (i) identifies the certification authority issuing it, (ii) names or identifies its subscriber, (iii) contains the subscriber’s public key, (iv) identifies its operational period, and (v) is digitally signed by the certification authority issuing it.

Certificate management protocol (CMP)

Certificate management protocol (CMP), specified in RFC 4210, is the protocol that end entities, registration authorities (RAs), and certification authorities (CAs) use to request, issue, renew, and revoke certificates over a network. Both CA and RA software support the use of CMP.

Certificate policy (CP)

A certificate policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A CP addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a CP can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.

Certificate-related information

Information such as a subscriber’s postal address that is not included in a certificate. May be used by a certification authority (CA) managing certificates.

Certificate revocation list (CRL)

A list of public key certificates that have been revoked before their expiration date, created, digitally signed, and issued by a certification authority (CA). Relying parties consult it before trusting a certificate; expired certificates are dropped from the list.

Certificate status authority

A trusted entity that provides online verification to a relying party of a subject certificate's trustworthiness (for example, an OCSP responder), and may also provide additional attribute information for the subject certificate.

Certification

Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Certification and accreditation (C&A)

Certification is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation (see the Certification entry above).

Accreditation is the official management decision, given by a senior official, to authorize operation of an information system and to explicitly accept the risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls. It is the administrative act of approving a computer system for use in a particular application: a statement of the extent to which the security measures meet their specifications, and an input to the security approval process. It does not imply a guarantee that the described system is impenetrable. This is a management and preventive control.

Certification agent

The individual, group, or organization responsible for conducting a security certification.

Certification authority (CA)

(1) The entity in a public key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance with a PKI policy. (2) A trusted entity that issues and revokes public key certificates to end entities and other CAs. CAs issue certificate revocation lists (CRLs) periodically, and post certificates and CRLs to a repository.
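The Certificate, Certificate revocation list (CRL), and Certification authority (CA) entries above describe one data flow: a CA signs a certificate binding a public key to its owner, publishes a signed CRL, and a relying party checks both before trusting the key. The following added example (not from the glossary) walks through that flow end to end. It uses textbook RSA over fixed Mersenne primes as a stand-in for a real signature scheme, with no padding and a tiny modulus, so it demonstrates the structure only and must not be used for anything real; the CA name, serial numbers and Unix-second timestamps are constructed.

```python
"""Toy PKI: a CA issues a certificate and a CRL, a subscriber signs with the
certified key, and a relying party validates the chain of trust.

Added example, not code from the glossary. Textbook RSA over fixed Mersenne
primes stands in for a real signature scheme (no padding, tiny modulus), so
this demonstrates the data flow only and must never be used for real security.
Names, serials and timestamps (Unix seconds) are constructed.
"""
import hashlib
import json


def make_toy_key(p, q, e=65537):
    """Textbook RSA key pair from two fixed primes (pow(e, -1, m) needs Python 3.8+)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


# Mersenne primes keep the example self-contained; a real CA uses a large
# randomly generated key held in an HSM.
CA_PUB, CA_PRIV = make_toy_key((1 << 127) - 1, (1 << 89) - 1)
SUBJ_PUB, SUBJ_PRIV = make_toy_key((1 << 107) - 1, (1 << 61) - 1)
CA_NAME = "Toy CA"


def _digest(obj, n):
    """Canonical JSON -> SHA-256, reduced into the modulus."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(obj, priv):
    return pow(_digest(obj, priv["n"]), priv["d"], priv["n"])


def verify(obj, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == _digest(obj, pub["n"])


def issue_certificate(serial, subject, subject_pub, not_before, not_after):
    """The fields the glossary definition requires: issuer, subject, the
    subject's public key, an operational period, and the CA's signature."""
    tbs = {"serial": serial, "issuer": CA_NAME, "subject": subject,
           "public_key": subject_pub, "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(tbs, CA_PRIV)}


def issue_crl(revoked_serials, this_update):
    """Signed list of revoked-but-unexpired serial numbers."""
    body = {"issuer": CA_NAME, "this_update": this_update, "revoked": sorted(revoked_serials)}
    return {"body": body, "signature": sign(body, CA_PRIV)}


def validate(cert, crl, now, ca_pub=CA_PUB):
    """Relying-party checks, in order; returns 'ok' or the first failure."""
    tbs = cert["tbs"]
    if tbs["issuer"] != CA_NAME or not verify(tbs, cert["signature"], ca_pub):
        return "bad signature"              # not issued by our trusted CA, or altered
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "outside validity period"
    if crl["body"]["issuer"] != CA_NAME or not verify(crl["body"], crl["signature"], ca_pub):
        return "untrusted CRL"              # an unsigned or forged CRL could hide a revocation
    if tbs["serial"] in crl["body"]["revoked"]:
        return "revoked"
    return "ok"


def verify_message(cert, crl, now, message, sig):
    """Trust the subscriber's key only through a currently valid certificate."""
    if validate(cert, crl, now) != "ok":
        return False
    return verify({"msg": message}, sig, cert["tbs"]["public_key"])


if __name__ == "__main__":
    cert = issue_certificate(42, "CN=alice", SUBJ_PUB, 1_700_000_000, 1_731_536_000)
    crl = issue_crl([], 1_700_000_100)
    sig = sign({"msg": "transfer 10"}, SUBJ_PRIV)
    print("fresh cert, empty CRL :", validate(cert, crl, 1_710_000_000),
          verify_message(cert, crl, 1_710_000_000, "transfer 10", sig))
    print("after revocation      :", validate(cert, issue_crl([42], 1_710_000_000), 1_710_000_000))
    print("after expiry          :", validate(cert, crl, 1_740_000_000))
```

The order of checks matters: the CA signature is verified before anything in the certificate body is believed, and the CRL's own signature is verified before its contents are used, otherwise an attacker who can substitute an empty CRL can resurrect a revoked certificate. A certificate status authority (OCSP responder) replaces the CRL lookup with an online query, but the same signature-first rule applies to its responses.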

Certification authority facility

The collection of equipment, personnel, procedures, and buildings (offices) that are used by a CA to perform certificate issuance and revocation.

Certification practice statement (CPS)

A formal statement of the practices that a certification authority (CA) employs in issuing, suspending, revoking, and renewing certificates and in providing access to them, in accordance with specific requirements (i.e., requirements specified in the certificate policy, or requirements specified in a contract for services).