Decrypt

To convert, by use of the appropriate key, encrypted (encoded or enciphered) text into its equivalent plaintext through the use of a cryptographic algorithm. The term “decrypt” covers the meanings of decipher and decode.

Decryption

(1) The process of changing ciphertext into plaintext using a cryptographic algorithm and key. (2) The process of a confidentiality mode that transforms encrypted data into the original usable data.

Dedicated proxy server

A form of proxy server that has much more limited firewalling capabilities than an application-proxy gateway.

Defense-in-breadth

A planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement). It is a strategy dealing with scope of protection coverage of a system. It is also called supply chain protection control. It supports agile defense strategy.

Defense-in-density

A strategy requiring stronger security controls for high risk and complex systems and vice versa.

Defense-in-depth

(1) Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of information systems. (2) An approach for establishing an adequate information assurance (IA) posture whereby (i) IA solutions integrate people, technology, and operations, (ii) IA solutions are layered within and among IT assets, and (iii) IA solutions are selected based on their relative level of robustness. Implementation of this approach recognizes that the highly interactive nature of information systems and enclaves creates a shared risk environment; therefore, the adequate assurance of any single asset is dependent upon the adequate assurance of all interconnecting assets. (3) A strategy dealing with controls placed at multiple levels and at multiple places in a given system. It supports agile defense strategy and is the same as security-in-depth.

Defense-in-intensity

A strategy dealing with a range of controls and protection mechanisms designed into a system.

Defense-in-technology

A strategy dealing with diversity of information technologies used in the implementation of a system. Complex technologies create complex security problems.

Defense-in-time

A strategy dealing with applying controls at the right time and at the right geographic location. It considers global systems operating at different time zones.

Defensive programming

Defensive programming, also called robust programming, makes a system more reliable with various programming techniques.

Degauss

(1) To apply a variable, alternating current (AC) field for the purpose of demagnetizing magnetic recording media, usually tapes and cartridges. The process involves increasing the AC field gradually from zero to some maximum value and back to zero, which leaves a very low residue of magnetic induction on the media. (2) To demagnetize, thereby removing magnetic memory. (3) To erase the contents of media. (4) To reduce the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.

Deleted file

A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.

Demilitarized zone (DMZ)

(1) An interface on a routing firewall that is similar to the interfaces found on the firewall’s protected side. Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall and can have firewall protection policies applied. (2) A host or network segment inserted as a “neutral zone” between an organization’s private network and the Internet. (3) A network created by connecting to firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.

Denial-of-quality (DoQ)

Denial-of-quality (DoQ) results from lack of quality assurance (QA) methods and quality control (QC) techniques used in delivering messages, packets, and services. DoQ affects QoS and QoP, and could result in DoS.

Denial of service (DoS)

(1) Preventing or limiting the normal use or management of networks or network devices. (2) The prevention of authorized access to resources or the delaying of time-critical operations. Time-critical may be milliseconds or it may be hours, depending upon the service provided. Synonymous with interdiction.

Denial-of-service (DoS) attack

(1) An attack that prevents or impairs the authorized use of networks, operating systems, or application systems by exhausting resources. (2) A type of computer attack that denies service to users by either clogging the system with a deluge of irrelevant messages or sending disruptive commands to the system. (3) A direct attack on availability, it prevents a financial system service provider from receiving or responding to messages from a requester (customer). DoS attacks on the financial system service provider would not be detected by a firewall or an intrusion detection system because these countermeasures are based on either entry-point or per-host specific, but not based on a per-transaction or operation basis. In these situations, two standards (WS-Reliability and WS-ReliableMessaging) are available to guarantee that messages are sent and received in a service-oriented architecture (SOA). XML-gateways can be used to augment the widely accepted techniques because they are capable of preventing and detecting XML-based DoS. Note that DoS is related to QoS and QoP and is resulting from denial-of-quality (DoQ).

Deny-by-default

To block all inbound and outbound traffic that has not been expressly permitted by firewall policy (i.e., unnecessary services that could be used to spread malware).

Depth attribute

An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values for the depth attribute, hierarchically from less depth to more depth, are basic, focused, and comprehensive.

Design verification

The use of verification techniques, usually computer-assisted, to demonstrate a mathematical correspondence between an abstract (security) model and a formal system specification.

Designated approving/accrediting authority

The individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

Desk check reviews

A review of programs by the program author to control and detect program logic errors and misinterpretation of program requirements.

Desktop administrators

These identify changes in login scripts along with Windows Registry or file scans, and implement changes in login scripts.

Destroyed compromised state

The cryptographic key life cycle state that zeroizes a key so that it cannot be recovered and it cannot be used and marks it as compromised, or that marks a destroyed key as compromised. For record purposes, the identifier and other selected metadata of a key may be retained.

Destroyed state