Read CISSP Practice in full

A Common Criteria (CC) term for an IT product or system and its associated administrator and user guidance documentation that is the subject of a security evaluation. A product that has been installed and is being operated according to its guidance.

Target identification and analysis techniques

Information security testing techniques, mostly active and generally conducted using automated tools, used to identify systems, ports, services, and potential vulnerabilities. These techniques include network discovery, network port and service identification, vulnerability scanning, wireless scanning, and application security testing.

Target vulnerability validation techniques

Active information security testing techniques that corroborate the existence of vulnerabilities. These techniques include password cracking, remote access testing, penetration testing, social engineering, and physical security testing.

TCP wrappers

A Transmission Control Protocol (TCP) wrapper is a network security tool that allows the administrator to log connections to TCP services. It can also restrict incoming connections to these services from systems. These features are useful when tracking or controlling unwanted network connection attempts.

Teardrop attack

This freezes vulnerable hosts by exploiting a bug in the fragmented packet re-assembly routines. A countermeasure is to install software patches and upgrades.

Technical attack

An attack that can be perpetrated by circumventing or nullifying hardware and software protection mechanisms, rather than by subverting system personnel or other users.

Technical controls

(1) An automated security control employed by the system. (2) The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Technical security

The set of hardware, firmware, software, and supporting controls that implement security policy, accountability, assurance, and documentation.

Technical vulnerability

A hardware, firmware, communication, or software flaw that leaves a computer processing system open for potential exploitation, either externally or internally, thereby resulting in risk for the owner, user, or manager of the system.

Technology convergence

It occurs when two or more specific and compatible technologies are combined to work in harmony. For example, in a data center physical facility, physical security controls (keys, locks, and visitor escort), logical security controls (biometrics and access controls), and environmental controls (heat and humidity) can be combined for effective implementation of controls. These controls can be based on

Technology gap

A technology that is needed to mitigate a threat at a sufficient level but is not available.

Telecommuting

The ability for an organization’s employees and contractors to conduct work from locations other than the organization’s facilities.

Telework

The ability for an organization’s employees and contractors to conduct work from locations other than the organization’s facilities.

Telework device

A consumer device or PC used for performing telework.

Telnet

Protocol used for (possibly remote) login to a computer host.

TEMPEST

A short name referring to investigation, study, and control of compromising emanations from telecommunications and automated information systems equipment (i.e., spurious electronic signals emitted by electrical equipment). A low signal-to-noise ratio is preferred to control the TEMPEST-shielded equipment.

TEMPEST attack

Based on leaked electromagnetic radiation, which can directly provide plaintext and other information that an attacker needs to attack. It is a general class of side channel attack (Wikipedia).

Test

A type of assessment method that is characterized by the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control effectiveness over time.

Test design

The test approach and associated tests.

Test harness

Software that automates the software engineering testing process to test the software as thoroughly as possible before using it on a real application. If appropriate, the component should include the source code (for “white box” components) and a “management application” if the data managed by the component must be entered or updated independent of the consuming application. Finally, a component should be delivered with samples of consumption of the component to indicate how the component operates within an application environment.
