(1) The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. (2) The property that enables system activities to be traced to individuals who may then be held responsible for their actions. This is a management and preventive control.
A principle that calls for holding individuals responsible for their actions. In computer systems, this is enabled through identification and authentication, the specifications of authorized actions, and the auditing of the user’s activity.
The official management decision given by a senior officer to authorize operation of an information system and to explicitly accept the risk to organizations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations, assets, or individuals. Synonymous with authorizing official or accrediting authority.
All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected.
The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to (1) the system security plan, (2) the assessment results from the security certification, and (3) the plan of actions and milestones.
A qualitative assessment of correctness or freedom from error.
An exploitation of sound produced during a computation. It is a general class of a side channel attack (Wikipedia).
Private data, other than keys, that is required to access cryptographic modules.
An attack on the authentication protocol where the attacker transmits data to the claimant or verifier. Examples of active attacks include a man-in-the-middle (MitM), impersonation, and session hijacking. Active attacks can result in the disclosure or dissemination of data files, denial-of-service, or modification of data.
Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user. Active content technologies allow enable mobile code associated with a document to execute as the document is rendered.
(1) Hands-on security testing of systems and networks to identity their security vulnerabilities. (2) Security testing that involves direct interaction with a target, such as sending packets to a target.
The cryptographic key lifecycle state in which a cryptographic key is available for use for a set of applications, algorithms, and security entities.
The attaching of an unauthorized device, such as a computer terminal, to a communications circuit for the purpose of obtaining access to data through the generation of false messages or control signals or by altering the communications of legitimate users.
Software components downloaded automatically with a Web page and executed by a Web browser. A loosely defined set of technologies developed by Microsoft, Active-X is an outgrowth of two other Microsoft technologies called OLE (Object Linking and Embedding) and COM (Component Object Model). As a monitor, Active-X can be very confusing because it applies to a whole set of COM-based technologies. Most people, however, think only of Active-X controls, which represent a specific way of implementing Active-X technologies.
Any effort initiated as a result of environmental changes (e.g. laws and regulations) in which software must operate.
Access control is based on the IP address and/or hostname of the host requesting information. It is easy to implement for small groups of users, not practical for large groups of users. It is susceptible to attacks such as IP spoofing and DNS poisoning.
A protocol used to obtain a node’s physical address. A client station broadcasts an ARP request onto the network with the Internet Protocol (IP) address of the target node with which it wants to communicate, and with that address the node responds by sending back its physical address so that packets can be transmitted to it.