Cyb220 Glossary

The document discusses several key concepts related to cybersecurity, including access controls, adversarial thinking, anomaly detection, artificial intelligence, attack vectors, correlation techniques, cross log comparison and analysis, data logging, deep packet inspection, defense in depth, demilitarized zones, device reconfiguration, distributed intrusion detection, exposure, establishing profiles, file systems, filtering, filtering algorithms, firewalls, and fundamental security design principles.

Access Controls (Models and Mechanisms)

The management of admission to system and network resources. It grants
authenticated users access to specific resources based on company policies
and the permission level assigned to the user or user group. Access control
often includes authentication, which proves the identity of the user or client
machine attempting to log in (PC Magazine, 2018).

Adversarial Thinking

The ability to think like a hacker: identifying where, when, and how hackers
might attack, and their tactics for evading detection (Hamman, Hopkinson,
Markham, Chaplik, & Metzler, 2017).

Anomaly Detection

An approach to intrusion detection that establishes a baseline model of
behavior for users and components in a computer system or network.
Deviations from the baseline cause alerts that direct the attention of human
operators to the anomalies (PC Magazine, 2018).

Artificial Intelligence

Devices and applications that exhibit human intelligence and behavior,
including robots, self-driving cars, medical diagnosis, and voice- and natural-
language recognition. AI implies the capability to learn and adapt through
experience and the ability to come up with solutions to problems without using
rigid, predefined algorithms, which is the approach of non-AI software (PC
Magazine, 2018).

Attack Vector

The approach used to assault a computer system or network. As it is a fancy
way of saying “method or type of attack,” the term may refer to a variety of
vulnerabilities. For example, an operating system or web browser may have a
flaw that is exploited by a website. Human shortcomings are also used to
engineer attack vectors. For example, a novice user may open an email
attachment that contains a virus, and most everyone can be persuaded at
least once in a lifetime to reveal a password for some seemingly relevant
reason (PC Magazine, 2018).

Correlation Techniques

The analysis of intrusion detection based on previous incidents that may be
similar to the current incident. Such correlation can be used to identify
possible ways to start creating a fix for the vulnerability.

Cross Log Comparison and Analysis

The comparison of two different log files to try to determine outliers and
anomalies. Usually done with some type of software analysis tool (PC
Magazine, 2018).

Data Logging

The continuous recording of data. The term may refer to the automatic
collection of data from sensors in the field, or in a factory or scientific
environment. It may also refer to gathering traffic statistics in a network or
events in the computer (PC Magazine, 2018).

Deep Packet Inspection

Analyzing network traffic to discover the type of application that sent the data.
In order to prioritize traffic or filter out unwanted data, deep packet inspection
can differentiate data such as video, audio, chat, voice over IP (VoIP), email,
and web. As it inspects the packets all the way up to layer seven, deep packet
inspection can be used to analyze anything and everything within the packet
that is not encrypted. For example, it can determine not only that the packets
contain the contents of a webpage, but also which website the page is from
(PC Magazine, 2018).

Defense in Depth

Using multiple systems to resist attackers. For example, if an external firewall
is breached, an internal intrusion detection system can sound an alarm. If
systems are breached and data can be stolen, keeping all vital records
encrypted on disk and encrypted during transmission prevents attackers from
using the data, even if they get it (PC Magazine, 2018).

Demilitarized Zone (DMZ)

A middle ground between an organization’s trusted internal network and an
untrusted, external network such as the internet. Also called a perimeter
network, the DMZ is a subnetwork (subnet) that may sit between firewalls or
off one leg of a firewall. Organizations typically place their web, mail, and
authentication servers in it. It is a military term that refers to the area between
two enemies (PC Magazine, 2018).

Device Reconfiguration

The changing of hardware on the fly to protect against a compromised device:
restoring the device to its system defaults or changing its protection scheme
to secure it from an attack in real time.

Distributed Intrusion Detection

The implementation of network protection across multiple computers or
devices. This arrangement keeps the whole system from falling prey if a single
machine is compromised. Normally the system has measures to regain control
of a compromised machine.

Exposure

The degree to which information can be accessed using authorized or
unauthorized methods (PC Magazine, 2018).

Establishing Profiles

Creating patterns and signatures of attack vectors for the purpose of
identifying threats.

File Systems

The software that people use to copy, move, rename, and delete files is
known as a file manager, not a file system.

The software and method for storing and retrieving files on a disk, SSD, or
USB drive. The file system takes commands from the operating system to
read and write the disk clusters (groups of sectors). It manages the
folder/directory structure and provides an index to the files. It also defines the
syntax used to access them (i.e., how the “path” to the file is coded). File
systems dictate how files are named, the maximum size of a file, and the
volume of storage (PC Magazine, 2018).

Filtering

To select data, filters use patterns (masks) against which all data are
compared. Only matching data are “passed through,” hence the concept of a
filter. For example, email clients and servers can look for messages with text
patterns that are recognized as spam and then delete them. An email client
can be set up to filter messages and store them in separate mailboxes as a
way of organizing the mail, or it can be set to alert the user when a certain
type of message arrives (PC Magazine, 2018).

Filtering Algorithms

A process that allows traffic through based on some set of rules. The rules are
enforced to keep unauthorized information from passing through the network
defense.

Firewall

The primary method for keeping a computer secure from intruders. A firewall
allows or blocks traffic into and out of a private network or the user’s
computer. Firewalls are widely used to give users secure access to the
internet and to separate a company’s public web server from its internal
network. They are also used to keep internal network segments secure; for
example, the accounting network might be vulnerable to snooping from within
the enterprise (PC Magazine, 2018).

Fundamental Security Design Principles

- Abstraction

The removal of clutter. Only the needed information is provided, as in an
object-oriented mentality. This is a way to allow adversaries to see only
a minimal amount of information while securing other aspects of the
model (Tjaden, 2015).

- Complete Mediation

All accesses to objects should be checked to ensure that they are
allowed (Bishop, 2003).

- Encapsulation

The ability to only use a resource as it was designed to be used. This
may mean that a piece of equipment is not being used maliciously or in
a way that could be detrimental to the overall system (Tjaden, 2015).

- Fail-Safe Defaults / Fail Secure

The theory that unless a subject is given explicit access to an object, it
should be denied access to that object (Bishop, 2003).

- Information Hiding

Users having an interface to interact with the system behind the scenes.
The user should not be worried about the nuts and bolts behind the
scenes, only the modes of access presented to them. This topic is also
integrated with object-oriented programming (Tjaden, 2015).

- Isolation

Individual processes or tasks running in their own space. This ensures
that the processes will have enough resources to run and will not
interfere with other processes running (Tjaden, 2015).

- Layering

Having multiple forms of security. These forms of security can be from
hardware or software and involve a series of checks and balances to
make sure the entire system is secured from multiple perspectives
(Tjaden, 2015).

- Least Astonishment (Psychological Acceptability)

Security mechanisms should not make the resource more difficult to
access than when security mechanisms were not present (Bishop,
2003).

- Least Privilege

The assurance that an entity only has the minimal amount of privileges
to perform its duties. There is no extension of privileges to senior people
just because they are senior; if they don’t need the permissions to
perform their normal everyday tasks, then they don’t receive higher
privileges (Tjaden, 2015).

- Minimization of Implementation (Least Common Mechanism)

Mechanisms used to access resources should not be shared (Bishop,
2003).

- Minimize Trust Surface (Reluctance to Trust)

The ability to reduce the degree to which the user or a component
depends on the reliability of another component (Bishop, 2003).

- Modularity

Breaking down large tasks into smaller, more manageable tasks. This
smaller task may be reused, and therefore the process can be
repurposed time and time again (Tjaden, 2015).

- Open Design

The security of a mechanism should not depend on the secrecy of its
design or implementation (Bishop, 2003).

- Separation (of Domains)

The division of power within a system. No one part of a system should
have complete control over another part. There should always be a
system of checks and balances that relies on the parts of the system
working together (Tjaden, 2015).

- Simplicity (of Design)

The straightforward layout of a product. The ability to reduce the
learning curve when analyzing and understanding the hardware or
software involved in the information system (Tjaden, 2015).

- Trust Relationships

A logical connection that is established between directory domains so
that the rights and privileges of users and devices in one domain are
shared with the other (PC Magazine, 2018).

- Usability

How easy hardware or software is to operate, especially for the first-
time user. Considering how difficult applications and websites can be to
navigate through, one would wish that all designers took usability into
greater consideration than they do (PC Magazine, 2018).
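As an added example (not from the glossary or any of its sources), the following Python reference monitor shows Fail-Safe Defaults, Complete Mediation, and Least Privilege working together: every access passes through one check, the policy table holds only explicit grants so anything absent is denied, and a small audit function reports rights a role holds beyond its duties. The roles, objects, and duty lists are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> {object: set of rights}. The table holds
# only explicit grants; anything absent is denied (fail-safe default).
POLICY = {
    "clerk":   {"ledger": {"read"}},
    "auditor": {"ledger": {"read"}, "audit_log": {"read"}},
    "admin":   {"ledger": {"read", "write"}, "audit_log": {"read", "write"},
                "user_db": {"read", "write"}},
}

# Constructed duty descriptions used for the least-privilege check: the
# (object, right) pairs each role actually needs to do its job.
DUTIES = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "admin":   {("ledger", "read"), ("ledger", "write"),
                ("user_db", "read"), ("user_db", "write")},
}


@dataclass
class ReferenceMonitor:
    """The single choke point that every access request must pass through."""
    policy: dict
    audit: list = field(default_factory=list)

    def check(self, role: str, obj: str, right: str) -> bool:
        # Complete mediation: every call is evaluated afresh; nothing is cached
        # or bypassed. An unknown role or object yields an empty grant set, so
        # the answer is a denial rather than an exception or an implicit allow.
        allowed = right in self.policy.get(role, {}).get(obj, set())
        self.audit.append((role, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


def guarded_write(monitor: ReferenceMonitor, store: dict,
                  role: str, obj: str, value: str) -> bool:
    """Write to the store only if the monitor permits it; report the outcome."""
    if not monitor.check(role, obj, "write"):
        return False
    store[obj] = value
    return True


def excess_rights(policy: dict, duties: dict, role: str) -> set:
    """Least-privilege audit: (object, right) pairs granted beyond the duties."""
    granted = {(obj, r) for obj, rights in policy.get(role, {}).items()
               for r in rights}
    return granted - duties.get(role, set())


if __name__ == "__main__":
    mon = ReferenceMonitor(POLICY)
    store = {"ledger": "Q1 totals"}
    print(guarded_write(mon, store, "clerk", "ledger", "tampered"))  # False
    print(guarded_write(mon, store, "admin", "ledger", "Q2 totals"))  # True
    print(mon.check("guest", "ledger", "read"))                        # False
    # admin holds audit_log rights that its duties never use
    print(excess_rights(POLICY, DUTIES, "admin"))
    for entry in mon.audit:
        print(entry)
```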

Fuzzy Logic

A mathematical technique for dealing with imprecise data and problems that
have many solutions rather than one. Although it is implemented in digital
computers, which ultimately make only yes-no decisions, fuzzy logic works
with ranges of values, solving problems in a way that more resembles human
logic.

Fuzzy logic is used for solving problems with expert systems and real-time
systems that must react to an imperfect environment of highly variable,
volatile, or unpredictable conditions. It “smooths the edges,” so to speak,
circumventing abrupt changes in operation that could result from relying on
traditional either-or and all-or-nothing logic (PC Magazine, 2018).

Hierarchical IDSs

Defense-in-depth methodology that puts layers of intrusion detection in place.
Each level elevates the strength of the response to the next level if needed.

Honeynets

A honeynet is a network containing honeypots. A virtual honeynet is one that
resides in a single server, but pretends to be a full network (PC Magazine,
2018).

Honeypot

A server that is configured to detect an intruder by mirroring a real production
system. A honeypot appears as an ordinary server doing work, but all the data
and transactions are phony. Located either in or outside the firewall, the
honeypot is used to learn about an intruder’s techniques as well as determine
vulnerabilities in the real system (PC Magazine, 2018).

Hypervisor

A system program that provides a virtual machine environment. The term
came from the IBM mainframe world, which first introduced the virtual
machine (virtualization) concept in the form of VM. This was initially introduced
as software only, but was later enhanced with hardware circuits (PC
Magazine, 2018).

Intrusion Detection Systems

Software that detects an attack on a network or computer system. A network
IDS (NIDS) is designed to support multiple hosts, whereas a host IDS (HIDS)
is set up to detect illegal actions within the host. Most IDS programs typically
use signatures of known hacker attempts to signal an alert. Others look for
deviations from the normal routine as indications of an attack. Intrusion
detection is very tricky. Too much analysis can add excessive overhead and
also trigger false alarms. Insufficient analysis can overlook a valid attack (PC
Magazine, 2018).

Intrusion Prevention Systems

Software that prevents an attack on a network or computer system. It is a
significant step beyond an intrusion detection system (IDS). Whereas an IDS
passively monitors traffic by sniffing packets at a switch port, an IPS resides
inline like a firewall, intercepting and forwarding packets. It is thus capable of
blocking the attack in real time (PC Magazine, 2018).

Log Aggregation

Log management is the process of handling copious volumes of logs that are
made up of several processes, such as log collection, log aggregation,
storage, rotation, analysis, search, and reporting.

Log aggregation, therefore, is a step in the overall management process in
which you consolidate different log formats coming from different sources all
into one place. This makes it easier for you to analyze, search, and report on
your data (Stringfellow, 2017).

Log File Analysis

The analysis of information generated by the computer systems. The files can
be analyzed for anomalies or other patterns that are set by the alert levels of
the organization.

Memory

The computer’s temporary workspace, which for decades has been a
collection of dynamic RAM (DRAM) chips. A major resource in the computer,
memory (RAM) determines the size and number of programs that can be run
at the same time, as well as the amount of data that can be processed
instantly (PC Magazine, 2018).

Memory Management

A variety of methods used to store and keep track of data and programs in
memory and reclaim the space when no longer needed. Virtual memory is the
most common memory management function in every computer (PC
Magazine, 2018).

Multithreading

A feature within a CPU that allows two or more instruction streams (threads)
to execute concurrently. Each stream is a subprocess that is managed by the
CPU and operating system. Today’s CPUs support a large number of threads.
For example, IBM’s POWER8 CPU comes with up to 12 cores, and each core
handles eight threads for a total of 96 threads.

Operating systems are written to use multithreading wherever possible;
however, applications can also be written to take advantage of this parallel
processing. If the application is very complex, the effort can be formidable
even for experienced programmers (PC Magazine, 2018).

Network Access Control

An umbrella term for managing access to a network. Network access control
(NAC) authenticates users logging into the network and determines what they
can see and do. Network access control may also be capable of examining
the health of the user’s computer or mobile device (the endpoints), and it can
be implemented with multiple software components or via an integrated
package (PC Magazine, 2018).

Network Address Translation (NAT)

The technology that maintains the privacy of the addresses of the computers
in a home or business network when accessing the internet. NAT converts the
private addresses that are assigned to the internal computers to one or more
public addresses that are visible on the internet. It is an IETF standard that is
implemented in a router or firewall as well as in any user’s machine that is
configured to share its internet connection.

NAT assigns a number to the packet headers of the messages going out to
the internet and keeps track of them via an internal table that it creates. When
responses come back from the internet, NAT uses the table to perform the
reverse conversion to the private IP address of the requesting client machine
(PC Magazine, 2018).
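As an added example (not from the glossary or PC Magazine), this Python model shows the translation table the NAT entry describes: an outbound packet's private source address is rewritten to the public address plus an assigned port, the mapping is recorded, and a reply is translated back by table lookup. It also shows the consequence for unsolicited inbound traffic, which has no table entry and is dropped. The addresses come from the RFC 5737 documentation ranges and the packet layout is a constructed simplification.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed minimal header: only the fields NAT rewrites or looks up."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-based NAT (the usual home/office form) with an internal table."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)      # the "number" NAT assigns
        self.out_table = {}   # (private_ip, private_port) -> public_port
        self.in_table = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the public address and a mapped port."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.out_table.get(key)
        if port is None:                          # first packet of this flow
            port = next(self._next_port)
            self.out_table[key] = port
            self.in_table[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply, or drop (None) if no entry."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None   # unsolicited: nothing inside ever asked for this
        private_ip, private_port = key
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = Nat("198.51.100.1")
    out = nat.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 443))
    print(out)                                     # src is now 198.51.100.1:40000
    reply = Packet("203.0.113.5", 443, "198.51.100.1", out.src_port)
    print(nat.inbound(reply))                      # dst restored to 192.168.1.10:51000
    print(nat.inbound(Packet("203.0.113.9", 80, "198.51.100.1", 40005)))  # None
```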

Network Analyzer

A hardware device or server software that captures packets transmitted in a
network for routine inspection and problem detection. Also called a “sniffer,”
“packet sniffer,” “packet analyzer,” “packet sampler,” “traffic analyzer” and
“protocol analyzer,” the hardware analyzer plugs into a port on a network
switch and decodes one or more protocols into a human-readable format for
the network administrator. It can also store packets for further analysis later
on.

In order to alert admins about traffic problems, packets are analyzed in real
time. Hardware network analyzers can detect voltage and cable problems,
whereas software analyzers cannot (PC Magazine, 2018).

Network Attacks

An assault against a computer system or network as the result of deliberate,
intelligent action—for example, denial-of-service attacks, penetration, or
sabotage (PC Magazine, 2018).

Network Hardening / System Hardening

Making a user’s computer more secure. It ensures that the latest patches to
operating systems, web browsers, and other vulnerable applications are
automatically applied. It may also include the disabling of file sharing and the
establishing of login passwords (PC Magazine, 2018).

Neural Network

An artificial intelligence (AI) modeling technique loosely based on the behavior
of neurons in the human brain. Unlike regular applications that are
programmed to deliver precise results (e.g., “if this, do that”), neural networks
“learn” how to solve a problem and improve over time. The foundation of
“machine learning” and “deep learning,” neural networks are used in robotics,
diagnosing, forecasting, image processing, and pattern recognition (PC
Magazine, 2018).

Opening Application

The initial program that is instantiated when an intrusion is detected. Often
used as a first line of defense to start mitigation strategies.

Policy Management

Enforcing the policy (i.e., rules and regulations) of the organization that pertain
to information and computing. Also called “policy-based management,” policy
management mostly deals with database access and network resource
issues, such as which users have access to what data and how network traffic
is prioritized (PC Magazine, 2018).

Privileged and Non-privileged States

The rights granted to a single user or group of users who operate a computer.
Administrative privileges allow a user the right to make any and all changes in
the computer, including setting up accounts for other users. User-level
privileges are more restricted.

The rights granted to software running in the computer, which determines
which hardware and software resources can be accessed and changed (PC
Magazine, 2018).

Process

To manipulate data in the computer. The computer is said to be processing no
matter what action it is taking upon the data, whether the data is actually
being updated in a database or just being displayed on-screen.

In order to evaluate a computer system’s performance, the time it takes to
process data internally is often analyzed separately from the time it takes to
get it in and out of the computer. The I/O (input/output) is usually more time
consuming than the processing (PC Magazine, 2018).

Proxy Server

A computer system or router that breaks the connection between sender
and receiver. Functioning as a relay between client and server, proxy servers
help prevent an attacker from invading a private network and are one of
several tools used to build a firewall.

The word proxy means “to act on behalf of another,” and a proxy server acts
on behalf of the user. All requests from clients to the internet go to the proxy
server first. The proxy evaluates the request, and if allowed, reestablishes it
on the outbound side to the internet. Likewise, responses from the internet go
to the proxy server to be evaluated. The proxy then relays the message to the
client. Both client and server think they are communicating with one another,
but, in fact, they are dealing only with the proxy (PC Magazine, 2018).

Reach Back

The amount of time that can be assessed to look back at events that
influenced behaviors. This methodology is used to determine the history of
events that led up to an intrusion.

Session Interruption

Stopping the current process where irregularities have been detected. This is
a form of intrusion detection that stops rogue processes from getting out of
control.

Signature Detection

The identification of a threat based on the pattern or content of its creation.
Signatures are also derived from previous incidents that involved the process.

SNMP Trap

Using the network management protocol to trap data on the network. This can
be used to isolate bad traffic so it can be handled.

Specification-Based Detection

Identification of a threat based on a set of rules that were violated. This
process is very specific and is used in companies that are looking for
compliance issues and compliance regulations.

Statistical Techniques

The analysis of intrusion detection based on a pattern of numbers or a
sequence of steps taken by the attacker.

Stealth Mode

Taking place in secret. Stealth mode often refers to the policy of startups,
when companies are developing unique products, or the policy of established
companies when they are creating something new. Everyone is sworn to
secrecy, and a low profile is kept until launch time (PC Magazine, 2018).

Thread

In a multithreaded system, a thread is one process that occurs simultaneously
with other processes (PC Magazine, 2018).

Trace Recording

The capture of network traffic from a specific host to a destination. Usually
done after an intrusion has been detected.

Virtualization

A variety of technologies for managing computer resources by providing a
software interface, known as an abstraction layer, between the software
(operating system and applications) and the hardware. Virtualization turns
“physical” RAM and storage into “logical” resources (PC Magazine, 2018).

Virtual Memory

Simulating more random access memory (RAM) than actually exists, allowing
the computer to run larger programs and multiple programs concurrently. A
common function in most every OS and hardware platform, virtual memory
uses storage (hard drive or solid-state drive) to temporarily hold what was in
RAM.

Virtual memory allows multiple programs to load in RAM at the same time.
Each application addresses RAM starting at zero, but virtual memory takes
control of the RAM addressing and lets each application function as if it had
unlimited RAM (PC Magazine, 2018).

Virtual Private Network (VPN)

A private network configured within a public network, such as the internet or a
carrier’s network. Years ago, this obsoleted private lines between company
branches. VPNs also allow mobile users access to the company LAN by using
data encryption to maintain privacy.

In the past, common carriers used their vast networks to “tunnel” traffic
between customer locations to give the appearance of a private network while
sharing backbone trunks, no different than the way the internet works. Prior to
the internet’s IP protocol, VPNs were built over X.25, Switched 56, frame
relay, and ATM technologies (PC Magazine, 2018).

Visual / Audio Alert

The use of alarms or warning systems to make individuals aware that the
system has been compromised.

References

Bishop, M. (2003). Computer security: Art and science (1st ed.). Boston, MA:
Addison-Wesley Professional.

Hamman, S. T., Hopkinson, K. M., Markham, R. L., Chaplik, A. M., & Metzler, G. E.
(2017). Teaching game theory to improve adversarial thinking in cybersecurity
students. IEEE Transactions on Education, 60(3), 205-211.

PC Magazine. (2018). Encyclopedia. Retrieved from
https://www.pcmag.com/encyclopedia

Stringfellow, A. (2017, September). Log aggregation 101: Methods, tools,
tutorials and more. Retrieved from https://stackify.com/log-aggregation-101/

Tjaden, B. C. (2015). Appendix 1 – Cybersecurity first principles. Retrieved from
https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles.pdf
