Reading CISSP Practice in full

Accountability

(1) The security goal that generates the requirement for the actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. (2) The property that enables system activities to be traced to the individuals who may then be held responsible for their actions. This is a management and preventive control.

Accountability principle

A principle that calls for holding individuals responsible for their actions. In computer systems, this is enabled through identification and authentication, the specifications of authorized actions, and the auditing of the user’s activity.

Accreditation

The official management decision given by a senior officer to authorize operation of an information system and to explicitly accept the risk to organizations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Accreditation authority

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations, assets, or individuals. Synonymous with authorizing official or accrediting authority.

Accreditation boundary

All components of an information system to be accredited by an authorizing official, excluding separately accredited systems to which the information system is connected.

Accreditation package

The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to (1) the system security plan, (2) the assessment results from the security certification, and (3) the plan of actions and milestones.

Accuracy

A qualitative assessment of correctness or freedom from error.

Acoustic cryptanalysis attack

An exploitation of the sound produced during a computation. It is a class of side-channel attack (Wikipedia).

Activation data

Private data, other than keys, that is required to access cryptographic modules.

Active attack

An attack on an authentication protocol in which the attacker transmits data to the claimant or verifier. Examples of active attacks include man-in-the-middle (MitM) attacks, impersonation, and session hijacking. Active attacks can result in the disclosure or dissemination of data files, denial of service, or modification of data.

Active content

Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user. Active content technologies allow mobile code associated with a document to execute as the document is rendered.

Active security testing

(1) Hands-on security testing of systems and networks to identify their security vulnerabilities. (2) Security testing that involves direct interaction with a target, such as sending packets to a target.

Active state

The cryptographic key lifecycle state in which a cryptographic key is available for use for a set of applications, algorithms, and security entities.

Active wiretapping

The attaching of an unauthorized device, such as a computer terminal, to a communications circuit for the purpose of obtaining access to data through the generation of false messages or control signals or by altering the communications of legitimate users.

ActiveX

Software components downloaded automatically with a Web page and executed by a Web browser. A loosely defined set of technologies developed by Microsoft, ActiveX is an outgrowth of two other Microsoft technologies called OLE (Object Linking and Embedding) and COM (Component Object Model). As a moniker, ActiveX can be very confusing because it applies to a whole set of COM-based technologies. Most people, however, think only of ActiveX controls, which represent a specific way of implementing ActiveX technologies.

Adaptive maintenance

Any maintenance effort initiated as a result of changes in the environment (e.g., laws and regulations) in which the software must operate.

Address-based authentication

Access control based on the IP address and/or hostname of the host requesting information. It is easy to implement for small groups of users but impractical for large groups, and it is susceptible to attacks such as IP spoofing and DNS poisoning.
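As an added illustration of this entry (example code, not from the book): an IP-network allowlist check, a naive hostname check that trusts whatever the reverse (PTR) lookup returns, and a hardened hostname check that forward-confirms the name. The resolver tables, addresses and hostnames are constructed stand-ins for live DNS; forward-confirmed reverse DNS is the added check, not something the entry itself prescribes.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Set

# Constructed resolver tables standing in for live DNS (a real check would call
# socket.gethostbyaddr / socket.getaddrinfo). 198.51.100.7 is a hypothetical
# attacker host whose PTR record claims a name in the trusted domain, which is
# the DNS-poisoning case the glossary entry warns about.
REVERSE_DNS = {
    "203.0.113.10": "build01.corp.example",
    "198.51.100.7": "build01.corp.example",
}
FORWARD_DNS = {
    "build01.corp.example": {"203.0.113.10"},
}


def ip_allowed(client_ip: str, allowed_networks: Iterable[str]) -> bool:
    """Pure IP-based check: is the source address inside an allowed network?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed_networks)


def _name_in_domains(name: str, domains: Iterable[str]) -> bool:
    return any(name == d or name.endswith("." + d) for d in domains)


def hostname_allowed_naive(
    client_ip: str,
    allowed_domains: Iterable[str],
    reverse: Callable[[str], Optional[str]] = REVERSE_DNS.get,
) -> bool:
    """Weak form: trusts whatever name the reverse (PTR) lookup returns."""
    name = reverse(client_ip)
    return name is not None and _name_in_domains(name, allowed_domains)


def hostname_allowed(
    client_ip: str,
    allowed_domains: Iterable[str],
    reverse: Callable[[str], Optional[str]] = REVERSE_DNS.get,
    forward: Callable[[str], Optional[Set[str]]] = FORWARD_DNS.get,
) -> bool:
    """Hardened form: the PTR name must also resolve forward to the client address
    (forward-confirmed reverse DNS), so a forged PTR record alone is not enough."""
    name = reverse(client_ip)
    if name is None or not _name_in_domains(name, allowed_domains):
        return False
    return client_ip in (forward(name) or set())


if __name__ == "__main__":
    print(ip_allowed("203.0.113.10", ["203.0.113.0/24"]))            # True
    print(hostname_allowed_naive("198.51.100.7", ["corp.example"]))  # True: forged PTR accepted
    print(hostname_allowed("198.51.100.7", ["corp.example"]))        # False: forward lookup disagrees
```

Forward confirmation closes the forged-PTR hole, but neither function can tell a genuine 203.0.113.10 from a packet whose source address has been spoofed to 203.0.113.10; that is why the entry treats address-based authentication as weak on its own.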

Address resolution protocol (ARP)

A protocol used to obtain a node’s physical (MAC) address. A client station broadcasts an ARP request onto the network containing the Internet Protocol (IP) address of the target node with which it wants to communicate; the node that owns that IP address responds by sending back its physical address so that packets can be transmitted to it.
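The request/reply exchange described above, as an added example that is not part of the book: the 28-byte ARP packet layout from RFC 826 for Ethernet carrying IPv4, a builder and parser for it, and a responder that behaves as the target node. The MAC and IP addresses are constructed sample values.

```python
import struct
from typing import Dict, Optional

# Field values from RFC 826 for ARP over Ethernet carrying IPv4.
HW_TYPE_ETHERNET = 1
PROTO_TYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
ZERO_MAC = "00:00:00:00:00:00"

# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialise one ARP packet (the Ethernet header that carries it is not included).
    In a request the target MAC is unknown and sent as zeros; the broadcast
    destination ff:ff:ff:ff:ff:ff lives in the Ethernet header, not here."""
    return struct.pack(
        ARP_FMT, HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4, opcode,
        mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
        mac_to_bytes(target_mac), ip_to_bytes(target_ip),
    )


def parse_arp(data: bytes) -> Dict[str, object]:
    """Decode an ARP packet, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(data) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "opcode": opcode,
        "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
        "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip),
    }


def answer_request(request: bytes, my_ip: str, my_mac: str) -> Optional[bytes]:
    """Act as the target node: reply only to requests that ask for our own IP."""
    pkt = parse_arp(request)
    if pkt["opcode"] != ARP_REQUEST or pkt["target_ip"] != my_ip:
        return None
    # The reply goes back unicast: our address becomes the sender, the asker the target.
    return build_arp(ARP_REPLY, my_mac, my_ip, pkt["sender_mac"], pkt["sender_ip"])


if __name__ == "__main__":
    # Constructed exchange on the 192.0.2.0/24 documentation network.
    request = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1", ZERO_MAC, "192.0.2.2")
    reply = answer_request(request, "192.0.2.2", "02:00:00:00:00:02")
    print(parse_arp(reply))
```

Note that nothing in the exchange authenticates the reply: the requester accepts whichever physical address comes back for the IP it asked about, which is why the mapping learned this way is only as trustworthy as the segment it was learned on.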
