Reading CISSP Practice in full

A computer protection system in which each subject maintains a list of unforgeable bit patterns, called tickets, one for each object the subject is authorized to access (e.g., Kerberos). Compare this with a list-oriented protection system.

Tiger team

Conducts penetration testing to attempt a system break-in. It is an older name for a team that tries to discover system weaknesses and recommend security controls. The newer name is red team.

Timebomb

A variant of the Trojan horse in which malicious code is inserted to be triggered later at a particular time. It is a resident computer program that triggers an unauthorized act at a predefined time.

Time-dependent password

A password that is valid only at a certain time of the day or during a specified interval of time.

Time division multiple access (TDMA)

A form of multiple access in which a single communication channel is shared by segmenting it by time. Each user is assigned a specific time slot. It is a technique for interweaving multiple conversations into one transponder so that the conversations appear to be simultaneous.

Time-outs for inactivity

The setting of time limits either for specific activities or for inactivity.

Time-stamping

The method of including an unforgeable time stamp with object structures, used for a variety of reasons such as sequence-numbering and expiration of data.

Time-to-exploitation

The elapsed time between the discovery of a vulnerability and the time it is exploited.

Time-to-Live (TTL) hack

The Time-To-Live (TTL) hack, or hop count, prevents IP packets from circulating endlessly on the Internet.

Time-to-recover (TTR)

The time required for any computer resource to be recovered from disruptive events, specifically, the time required to reestablish an activity from an emergency or degraded mode to a normal mode. It is also defined as emergency response time (EMRT).

Timing attack

A side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and that time can differ based on the input; with precise measurements of the time taken for each operation, an attacker can work backward to the input. Information can leak from a system through measurement of the time it takes to respond to certain queries. Timing attacks result from poor system/program design and implementation methods. Timing attacks and side-channel attacks are useful in identifying or reverse-engineering the cryptographic algorithm used by a device. Other examples of timing attacks include (1) a clock drift attack, where clock drift can be used to build random number generators, (2) clock skew exploitation based on CPU heating, and (3) attackers who may find fixed Diffie-Hellman exponents and RSA keys to break cryptosystems (Wikipedia).
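The input-dependent execution time described above, shown on the simplest case, a secret comparison. This is an added example, not code from the book: an early-exit comparison does an amount of work that reveals how many leading bytes of the guess are correct, while a constant-time comparison does the same work for every input. Wall-clock timing is noisy, so the code counts bytes examined as a deterministic proxy for time; the secret and guesses are constructed sample values.

```python
from __future__ import annotations
import hmac

def naive_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes examined)."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined   # stops at first mismatch: work depends on the secret
    return True, examined

def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Examines every byte; work depends only on the length, not the contents."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b                # accumulate mismatches without branching on them
    return diff == 0, examined

def production_equal(secret: bytes, guess: bytes) -> bool:
    """What real code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(secret, guess)

def work_profile(compare, secret: bytes, guesses) -> list[int]:
    """Bytes examined per guess; an attacker measuring response time sees this shape."""
    return [compare(secret, g)[1] for g in guesses]

# Constructed sample: a secret, and guesses whose correct prefix grows by one byte each.
SECRET = b"s3cr3t-token"
GUESSES = [SECRET[:k] + b"?" * (len(SECRET) - k) for k in range(len(SECRET) + 1)]

if __name__ == "__main__":
    # The early-exit profile climbs by one per correct byte; the constant-time one is flat.
    print("early-exit   :", work_profile(naive_equal, SECRET, GUESSES))
    print("constant-time:", work_profile(constant_time_equal, SECRET, GUESSES))
```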

TOC-TOU attack

TOC-TOU stands for time-of-check to time-of-use. An example of a TOC-TOU attack is when one print job under one user's name is exchanged with the print job of another user. It is achieved by bypassing security controls through attacking information after the controls have been exercised (that is, when the print job is queued) but before the information is used (that is, prior to printing the job). This attack is based on timing differences and changing states.
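The same check-then-use window on a file instead of a print queue, as an added example that is not from the book: the vulnerable reader checks a path and then opens the path again, so whatever the path points to after the check is what gets used; the hardened reader opens once and checks the handle it will actually read from. It assumes a POSIX system (os.O_NOFOLLOW) and simulates the state change with a hook called between check and use; file names and contents are constructed.

```python
import os
import shutil
import stat
import tempfile

def read_if_regular_vulnerable(path: str, between=lambda: None) -> bytes:
    """Time of check: lstat the path. Time of use: open the path again."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise PermissionError("not a regular file")
    between()                       # state changes after the check has passed
    with open(path, "rb") as f:     # re-resolves the path: may be another object now
        return f.read()

def read_if_regular_safe(path: str, between=lambda: None) -> bytes:
    """Open once (refusing symlinks), then check the handle that will be used."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # O_NOFOLLOW: POSIX-only (assumption)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        between()                   # the path may change; the open fd does not
        with os.fdopen(fd, "rb") as f:
            fd = -1                 # ownership passed to the file object
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)

def demo() -> tuple:
    """Returns (vulnerable read, safe read, safe reader refuses a symlink path)."""
    d = tempfile.mkdtemp()
    target, other = os.path.join(d, "queued.txt"), os.path.join(d, "other.txt")
    def write(p, data):
        with open(p, "wb") as f:
            f.write(data)
    def swap():                     # simulated race: swap the checked file for a link
        os.remove(target)
        os.symlink(other, target)
    write(target, b"job-A")
    write(other, b"job-B")
    vulnerable = read_if_regular_vulnerable(target, swap)   # ends up reading job-B
    os.remove(target)
    write(target, b"job-A")
    safe = read_if_regular_safe(target, swap)               # still reads job-A
    try:                            # target is a symlink now; O_NOFOLLOW refuses it
        read_if_regular_safe(target)
        rejected = False
    except OSError:
        rejected = True
    shutil.rmtree(d)
    return vulnerable, safe, rejected
```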

Token

(1) Something that the claimant possesses and controls (typically a key or password) used to authenticate the claimant’s identity. (2) When used in the context of authentication, a physical device necessary for user identification. (3) A token is an object that represents something else, such as another object (either physical or virtual). (4) A security token is a physical device, such as a special smart card, that together with something that a user knows, such as a PIN, can enable authorized access to a computer system or network.

Token authenticator

The value that is provided for the protocol stack to prove that the claimant possesses and controls the token. Protocol messages sent to the verifier are dependent upon the token authenticator, but they may or may not explicitly contain it.

Token device

A device used for generating passwords based on some information (e.g., time, date, and personal identification number) that is valid for only a brief period (e.g., one minute).

Top-down approach

An approach that starts with the highest-level component of a hierarchy and proceeds through progressively lower levels.

Topology

(1) The physical, nonlogical features of a card. A card may have either standard or enhanced topography. (2) The structure, consisting of paths and switches, that provides the communications interconnection among nodes of a network.

Total risk
