Reading CISSP Practice in full

Coupling is the manner and degree of interdependence between software modules. It is a measure of the degree to which modules share data. A high degree of coupling indicates a strong dependence among modules, which is undesirable. Data coupling is the best type of coupling, and content coupling is the worst. Data coupling is the sharing of data via parameter lists. With data coupling, only simple data is passed between modules. Similar to data cohesion, components cover an abstract data type. With content coupling, one module directly affects the working of another module, as occurs when a module changes another module’s data or when control is passed from one module to the middle of another module. A lower (weak) coupling value is better. Interfaces exhibiting strong cohesion and weak coupling are less error prone. If various modules exhibit strong internal cohesion, the intermodule coupling tends to be minimal, and vice versa.

Coverage attribute

An attribute associated with an assessment method that addresses the scope or breadth of the assessment objects included in the assessment (for example, types of objects to be assessed and the number of objects to be assessed by type). The values for the coverage attribute, hierarchically from less coverage to more coverage, are basic, focused, and comprehensive.

Covert channel

A communications channel that allows two cooperating processes to transfer information in a manner that violates a security policy but without violating the access control.

Covert storage channel

A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource shared by two subjects at different security levels.

Covert timing channel

A covert channel in which one process signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process.

Cracking (password)

The process of an attacker recovering cryptographic password hashes and using various analytical methods to attempt to identify a character string that will produce one of those hashes.

Credential

An object that authoritatively binds an identity to a token possessed and controlled by a person. It is evidence attesting to one’s right to credit or authority.

Credentials service provider (CSP)

A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass Registration Authorities (RA) and Verifiers that it operates. A CSP may be an independent third party or may issue credentials for its own use.

Criminal law

Law covering all legal aspects of crime.

Criteria

Definitions of properties and constraints to be met by system functionality and assurance.

Critical security parameter

Security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module or the security of the information protected by the module.

Criticality

A measure of how important the correct and uninterrupted functioning of the system is to the mission of a user organization. The degree to which the system performs critical processing. A system is critical if any of its requirements are critical.

Criticality level

Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.

Cross-certificate

A certificate used to establish a trust relationship between two Certification Authorities (CAs). In most cases, a relying party will want to process user certificates that were signed by issuers other than a CA in its trust list. To support this goal, CAs issue cross-certificates that bind another issuer’s name to that issuer’s public key. Cross-certificates are an assertion that a public key may be used to verify signatures on other certificates.

Cross-domain solution

A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.

Cross-site request forgery (CSRF)

An attack in which a subscriber who is currently authenticated to a relying party and connected through a secure session browses to an attacker’s website, which causes the subscriber to unknowingly invoke unwanted actions at the relying party.

Cross-site scripting (XSS)
