Читаем CISSP Practice полностью

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system and to protect computational resources by eliminating or reducing the vulnerability or risk to a system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices to counter a specific threat or attack. Available safeguards include hardware and software devices and mechanisms, policies, procedures, standards, guidelines, management controls, technical controls, operational controls, personnel controls, and physical controls. Synonymous with security controls and countermeasures.

Salami technique

In data security, it pertains to fraud spread over a large number of individual transactions (e.g., a program that does not round off figures but diverts the leftovers to a personal account).

Salt

A nonsecret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.

Salting (password)

The inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash.

Sandbox

A system that allows an untrusted application to run in a highly controlled environment where the application’s permissions are restricted to an essential set of computer permissions. In particular, an application in a sandbox is usually restricted from accessing the file system or the network. A widely used example of applications running inside a sandbox is a JavaApplet. A behavioral sandbox uses runtime monitor for ensuring the execution of mobile code, conforming to the enforcement model.

Sandbox security model

Java’s security model, in which applets can operate, creating a safe sandbox for applet processing.

Sandboxing

(1) A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain. (2) New malicious code protection products introduce a “sandbox” technology allowing users the option to run programs such as Java and Active-X in quarantined sub-directories of systems. If malicious code is detected in a quarantined program, the system removes the associated files, protecting the rest of the system. (3) A method of isolating each guest operating system from the others and restricting what resources they can access and what privileges they can have (i.e., restrictions and privileges).

Sanding

The application of an abrasive substance to the media’s physical recording surface.

Sanitization

The changing of content information in order to meet the requirements of the sensitivity level of the network to which the information is being sent. It is a process to remove information from media so that information recovery is not possible. It includes removing all classified labels, markings, and activity logs. Synonymous with scrubbing.

S-box

Nonlinear substitution table boxes (S-boxes) used in several byte substitution transformations and in the key expansion routine to perform a one-for-one substitution of a byte value. This substitution, which is implemented with simple electrical circuits, is done so fast in that it does not require any computation, just signal propagation. The S-box design, which is implemented in hardware for cryptographic algorithm, follows Kerckhoff’s principle (security-by-obscurity) in that an attacker knows that the general method is substituting the bits, but he does not know which bit goes where. Hence, there is no need to hide the substitution method. S-boxes and P-boxes are combined to form a product cipher, where wiring of the P-box is placed inside the S-box. (that is, S-box is first and P-box is next.) S-boxes are used in the advanced encryption standard (Tanenbaum).

Scalability

(1) A measure of the ease of changing the capability of a system. (2) The ability to support more users, concurrent sessions, and throughput than a single SSL-VPN device can typically handle. (3) The ability to move application software source code and data into systems and environments that have a variety of performance characteristics and capabilities without significant modification.

Scanning