SecurITyCerts dot Org


CISSP Acronym Edge: CISSP Study & Review Guide December 2016+


Domain 3: Security Engineering - all but Cryptography

This is a massive domain! I've broken it into two parts. This part has everything except crypto.

Get a PDF of The CISSP Acronym Edge: CISSP Study & Review Guide -  signup below & I'll send it to you.

BLP – Bell-LaPadula. A theoretical security model focused solely on protecting confidentiality, and used in DoD classified systems. Requires data classification. There are two main rules:
    • No Read Up (Simple Security Property). A subject cannot read an object at a higher classification level. For example a secret user cannot read top secret data.
    • No Write Down (* Security Property, pronounced “Star Security Property”). A subject at a higher classification level cannot write to a lower classification level. For example a secret user cannot email to unclassified systems.

BIBA – The Biba Security Model, named after Ken Biba, is a theoretical security model focused solely on integrity, and the opposite of Bell-LaPadula. Requires data classification. There are two main rules:
    • No Read Down (Simple Integrity Axiom). A subject cannot read an object at a lower classification level. For example a top secret user cannot read secret data. This is to prevent bad information from moving up. Think about a document that has been declassified, for example: its integrity is often lower, because parts of it have been removed (or blacked out for physical documents).
    • No Write Up (* Integrity Axiom). A subject at a lower classification level cannot write to a higher classification level. For example a secret user cannot write to a top secret file.
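The two models above are mirror images of each other, which is easy to see once the rules are written as comparisons on a single ordered scale. The following added example (not part of the original guide) encodes the Bell-LaPadula and Biba rules over a constructed four-level lattice; the level names, the `Level` enum and the function names are assumptions made for the illustration. It also shows a point the entries only imply: if both models are enforced on the same scale at once, a subject can only read and write objects at exactly its own level.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) rules on one ordered lattice.

Added illustration; the level names and function names are constructed for this example.
"""
from enum import IntEnum


class Level(IntEnum):
    # Constructed linear lattice; higher value dominates lower value.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: protects confidentiality.

    read  -> Simple Security Property, "no read up": subject must dominate object.
    write -> * Security Property, "no write down": object must dominate subject.
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: protects integrity. Here the same scale is read as integrity levels.

    read  -> Simple Integrity Axiom, "no read down": object must dominate subject.
    write -> * Integrity Axiom, "no write up": subject must dominate object.
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Enforcing BLP and Biba together on one lattice.

    Only equal levels satisfy both models for either operation, which is why
    real systems keep separate confidentiality and integrity labels.
    """
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decision_table(model) -> dict:
    """Every (subject, object, op) decision for a model, for inspection."""
    return {
        (s.name, o.name, op): model(s, o, op)
        for s in Level
        for o in Level
        for op in ("read", "write")
    }


if __name__ == "__main__":
    # The guide's own examples: a Secret user trying to read Top Secret data,
    # and a Secret user trying to write to an Unclassified system.
    print("BLP  secret reads top secret :", blp_allows(Level.SECRET, Level.TOP_SECRET, "read"))
    print("BLP  secret writes unclass   :", blp_allows(Level.SECRET, Level.UNCLASSIFIED, "write"))
    print("Biba top secret reads secret :", biba_allows(Level.TOP_SECRET, Level.SECRET, "read"))
    print("Biba secret writes top secret:", biba_allows(Level.SECRET, Level.TOP_SECRET, "write"))
    allowed_by_both = [k for k, v in decision_table(both_allow).items() if v]
    print("allowed under both models    :", allowed_by_both)
```

Running the module prints the four decisions the entries describe and the short list of combinations that survive both models (only same-level reads and writes).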

Clark-Wilson – A theoretical security model focused on integrity, both internal and external. Does not require data classification. Integrity is enforced through separation of duties and well formed transactions.

Chinese Wall Model (also called Brewer and Nash) – A model designed to help prevent Conflicts of Interest. Different Conflict of Interest groups are defined and users may not access data across groups where a conflict of interest may occur. For example, Conflict of Interest groups could be set up in a consulting organization that do not allow an employee to access confidential data about a client and their other clients who are competitors.

COI – Conflict of Interest.

ACL – Access Control List.

ACM – Access Control Matrix. An ACM is a matrix where the X-axis specifies resources or objects, and the Y-axis specifies subjects such as users (or maybe roles/groups). Each cell specifies what access a specific subject (or role/group) has to a specific object. In a typical computer environment, where you may have thousands of users, groups, and other subjects like running processes, and who knows how many files and other objects, a full blown ACM is going to be absurdly large meaning it’s basically a theoretical concept in this case. A limited ACM, one for example showing which roles have what access to certain functionality, can be useful in designing and understanding systems.
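The ACL and ACM entries above are related more closely than the text spells out: an object's ACL is one column of the access control matrix, and a subject's capability list is one row. The following added example (not from the original guide) builds a small constructed matrix with sparse storage, answers access questions from it, and slices out the ACL and capability views; the subject names, object names and function names are assumptions for the illustration.

```python
"""Access Control Matrix stored sparsely, with ACL (column) and capability (row) views.

Added illustration; subjects, objects and rights below are constructed sample data.
"""
from typing import Dict, FrozenSet

Rights = FrozenSet[str]

# Constructed sample matrix: outer key = subject (row), inner key = object (column).
# Empty cells are simply absent, which is how a real system keeps the matrix small.
ACM: Dict[str, Dict[str, Rights]] = {
    "alice": {
        "payroll.db": frozenset({"read", "write"}),
        "report.pdf": frozenset({"read"}),
    },
    "bob": {
        "report.pdf": frozenset({"read", "write"}),
    },
    "backup_svc": {
        "payroll.db": frozenset({"read"}),
        "report.pdf": frozenset({"read"}),
    },
}


def rights(subject: str, obj: str) -> Rights:
    """Look up one cell; an unknown subject or object yields no rights (default deny)."""
    return ACM.get(subject, {}).get(obj, frozenset())


def is_allowed(subject: str, obj: str, right: str) -> bool:
    """The reference-monitor question: may this subject exercise this right on this object?"""
    return right in rights(subject, obj)


def acl(obj: str) -> Dict[str, Rights]:
    """One column of the matrix: the object's Access Control List."""
    return {s: row[obj] for s, row in ACM.items() if row.get(obj)}


def capability_list(subject: str) -> Dict[str, Rights]:
    """One row of the matrix: everything the subject holds."""
    return {o: r for o, r in ACM.get(subject, {}).items() if r}


def full_matrix_cells(n_subjects: int, n_objects: int) -> int:
    """Cells a dense ACM would need; stored cells show why sparse storage matters."""
    return n_subjects * n_objects


def stored_cells() -> int:
    return sum(len(row) for row in ACM.values())


if __name__ == "__main__":
    print("alice writes payroll.db:", is_allowed("alice", "payroll.db", "write"))
    print("bob reads payroll.db   :", is_allowed("bob", "payroll.db", "read"))
    print("ACL of payroll.db      :", acl("payroll.db"))
    print("capabilities of bob    :", capability_list("bob"))
    print("dense cells for 5000 subjects x 200000 objects:",
          full_matrix_cells(5000, 200000), "vs stored here:", stored_cells())
```

The `full_matrix_cells` call makes the entry's point about scale concrete: even a modest enterprise produces a dense matrix of a billion cells, while the sparse form above stores only the handful of non-empty ones.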

TCB – Trusted Computing Base. The low-level hardware, firmware, and software (such as the OS kernel) that must be trusted, because nothing secure can be built on the system without them. TCSEC and ITSEC (below) are concerned with defining and qualifying the TCB.

TCSEC – Trusted Computer Systems Evaluation Criteria, also known as the Orange Book. A US centric (Department of Defense) standard. Ranges from “D” – minimal protection, to “A” – verified design. Not actively used today, but other models are built using its concepts (like ITSEC).

ITSEC – Information Technology Security Evaluation Criteria. The first European attempt at an evaluation criteria (similar to the Orange Book or TCSEC). Despite being European, it’s considered “International.” ITSEC has two parts, Functionality (F) and Assurance (E). It is quite complex and essentially superseded by the much simpler EAL below.

EAL – Evaluation Assurance Level, also known as the Common Criteria, a follow on to ITSEC and much simpler and more reasonable. Each product or system gets an EAL level, ranging from EAL1 (functionally tested) to EAL7 (formally verified, designed, and tested). The second European attempt at an evaluation criteria. Once again, despite being European, it’s considered “International.”

ToE – Target of Evaluation, what is being evaluated by the Common Criteria (EAL).

OS – Operating System. The basic software that controls the hardware and allows the execution of application software efficiently. Examples of common operating systems include Windows 10, MacOS, and the various types of Linux and Unix.

IPL – Initial Program Load. The operating system on a mainframe computer is sometimes called the IPL.

TPM – Trusted Platform Module. A chip on the motherboard that stores encryption keys. Think of it as an on-motherboard smart card. Included in many motherboards and mobile devices. Apple stopped including the TPM in their hardware in 2009.

GUI – Graphical User Interface. Many programs and operating systems have a GUI (pronounced “gooey”) while others may only have a command line interface.

ALU – Arithmetic Logic Unit. The part of the CPU that performs arithmetic and logic operations.

CISC – Complex Instruction Set Computer. A CPU which has a rich instruction set. This makes life easy for low level programmers as they have lots of instructions they can call, instead of needing to rely on just a very basic instruction set. Most personal computers are CISC based.

RISC – Reduced Instruction Set Computer. As CPUs became more complex and got a more complex instruction set, some manufacturers started to make RISC CPU based computers. A RISC based CPU has only a few instructions, but can execute them all very quickly. Low level programming is more difficult on a RISC based computer.

ASLR – Address Space Layout Randomization. ASLR arranges the address space of a process differently each time it executes to make buffer overflow vulnerabilities more difficult to exploit.

DEP – Data Execution Protection. An operating system security feature that marks areas of memory as either executable or non-executable. It helps protect against buffer overflow exploits as well as some other exploits and some program errors.

NX Stack – Non eXecutable Stack. A technique used to make buffer overflow vulnerabilities more difficult to exploit. DEP is often implemented at the hardware level by processor architectures that support the NX (No eXecute) bit.

Canary – Canaries are another technique to help prevent buffer overflows. A canary is a known value that is put between a buffer and control data on the stack. If the canary value changes, it is likely that the buffer has overflowed and overwritten the canary, and appropriate action can be taken such as terminating the program.

VM – Virtual memory. VM allows each process to believe it has its own dedicated physical memory and the Virtual Memory Manager (VMM) maps between virtual memory and the underlying physical memory.

VMM – Virtual Memory Manager. The part of the operating system that handles virtual memory. Today often implemented in part by hardware support (an MMU, or memory management unit) that is part of the same chip that holds the CPU, such as on the Intel x86 microprocessors.

TOC/TOU – Time of Check/Time of Use. A timing attack. Imagine an application that creates a file, and then applies appropriate permissions to it (hey, that’s how they taught me to do it in school). There is a vulnerability for a fraction of a second between when the file is created and when the file has appropriate security permissions applied that might be exploitable. Also known as a race condition.
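The create-then-chmod pattern in the entry is a good place to show the fix. The following added example (not from the original guide) contrasts that two-step pattern with creating the file and setting its permissions in a single system call; it assumes a POSIX system, an explicit umask of 022 so the numbers are reproducible, and the function and file names shown, which are constructed for the illustration. `O_EXCL` additionally makes the atomic version refuse a path that already exists, which closes the related case where something was planted at the path before the program got there.

```python
"""Closing the create-then-chmod window: atomic creation with the right mode.

Added illustration for POSIX systems; function and file names are constructed.
"""
import os
import stat
import tempfile


def create_private_file_racy(path: str) -> tuple:
    """The textbook-but-racy way. Returns (mode during the window, final mode).

    Between open() and chmod() the file exists with the default mode
    (0o666 masked by umask), so another local process could open it then.
    """
    with open(path, "w") as f:
        window_mode = stat.S_IMODE(os.stat(path).st_mode)   # what the world sees now
        f.write("secret\n")
    os.chmod(path, 0o600)
    return window_mode, stat.S_IMODE(os.stat(path).st_mode)


def create_private_file_atomic(path: str) -> int:
    """Create the file already restricted to the owner, in one syscall.

    O_CREAT | O_EXCL also fails with FileExistsError if the path is already
    there, so a pre-planted file or symlink is never silently reused.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("secret\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both variants in a scratch directory and report the observed modes."""
    scratch = tempfile.mkdtemp()
    old_umask = os.umask(0o022)   # fixed for reproducible numbers; restored below
    try:
        racy_window, racy_final = create_private_file_racy(os.path.join(scratch, "racy.txt"))
        atomic_path = os.path.join(scratch, "atomic.txt")
        atomic_mode = create_private_file_atomic(atomic_path)
        try:
            create_private_file_atomic(atomic_path)   # second creation must be refused
            excl_refused = False
        except FileExistsError:
            excl_refused = True
    finally:
        os.umask(old_umask)
    return {
        "racy_window_mode": racy_window,
        "racy_final_mode": racy_final,
        "atomic_mode": atomic_mode,
        "excl_refused": excl_refused,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18}: {oct(value) if isinstance(value, int) else value}")
```

The racy version ends with the same 0o600 as the atomic one, which is exactly why the bug is easy to miss: only the intermediate mode (0o644 here) reveals the window.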

VDI – Virtual Desktop Interface. With VDI, hosts run a virtual desktop client which loads a virtual machine image from a centralized location.

VPS – Virtual Private Server. A Virtual Machine hosted by a third party hosting provider. Full access to the Virtual Machine is typically allowed by the provider.

VMEscape – Escaping from a virtual machine to the host operating system or to another virtual machine. Although VMEscape has not been seen in the wild, this attack has been demonstrated before.

P2V - Physical to Virtual. Converting a physical machine to a virtual machine. This can be done manually, semi-automatically, or automatically.

TPM – Trusted Platform Module. Essentially a chip on the motherboard. Many PCs and laptops have TPMs built in, although Apple hasn’t included TPMs in years. The TPM is similar to a built-in smart card, and performs cryptographic functions. Originally designed for Digital Rights Management. As one example of its use, Windows systems implementing BitLocker can use the TPM to do boot-time file integrity checking to detect infection by kernel-level rootkits.

DBMS – Database Management System. Some well known DBMSs include MySQL, Microsoft SQL Server, and Oracle. Most DBMSs support a relational data model (think tables, rows, columns) but there are other data models such as hierarchical, mesh, object oriented, and more.

DML – Data Manipulation Language. A database term. Structured Query Language (SQL), pronounced “Sequel,” is the most popular and is used to retrieve and manipulate data in relational databases.

DDL – Data Definition Language. A database term. A language for defining data structures such as database schemas. Commonly this is Structured Query Language (SQL), or more specifically a subset of SQL.

XSS – Cross Site Scripting. A vulnerability where client side code, for example JavaScript, HTML, or SQL, can be injected into and executed on the server side. A prime defense is sanitizing all input on the server side (assuming “all input is evil”).

SQL Injection – An injection attack where SQL code is placed into an input field and passed to the backend database, modifying how it operates. For example a SQL injection attack might be used to dump a database’s contents, destroy data, or acquire administrator privileges. SQL Injection is a common attack vector for Web Sites.
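The entry describes the attack; the defender's question is what the code looks like before and after the fix. The following added example (not from the original guide) builds an in-memory SQLite table with constructed sample users and compares a login query assembled by string formatting with the same query using bound parameters. The table, the user data, the function names and the tautology input used to show the difference are all assumptions for the illustration.

```python
"""SQL injection: string-built query beside its parameterized replacement.

Added illustration; the users table and sample rows are constructed for this example.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "pw-alice", "admin"), ("bob", "pw-bob", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[Tuple[str, str]]:
    """Input is pasted into the SQL text, so quotes in the input change the query's logic."""
    query = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[Tuple[str, str]]:
    """Input travels as bound values; the DBMS never parses it as SQL."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def compare(name: str, password: str) -> dict:
    """Run both versions on the same input and return what each one matched."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, name, password),
            "parameterized": login_parameterized(conn, name, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials :", compare("alice", "pw-alice"))
    print("wrong password    :", compare("alice", "nope"))
    # Constructed tautology input: the vulnerable query becomes
    # ... AND password = '' OR '1'='1', which matches every row.
    print("quote in password :", compare("x", "' OR '1'='1"))
```

The parameterized version is also the right answer to the "sanitize all input" advice in the XSS entry above: escaping is fragile and dialect-specific, whereas bound parameters keep data and code apart by construction.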

IOT – Internet of Things. A term used to describe all the various Internet connected embedded devices such as baby monitors, fitness monitors, refrigerators, light bulbs and more.

SCADA – Supervisory Control and Data Acquisition systems. Think Industrial Control Systems, for example to control oil refineries.

RTU – Remote Terminal Units. RTUs connect to physical sensors in SCADA systems and convert data to digital signals. Sometimes called a Remote Telecontrol Unit.

HMI – Human Machine Interface. HMIs present data to human operators in SCADA systems.

DDP – Distributed Data Processing. An ancient term ISC2 still uses (Wikipedia doesn’t even have a reference) that means we are not still all on a mainframe from very dumb terminals nearby.

Site and Facility Design and Physical Security:

The simplest question on physical security counts as much as the most complicated question on crypto.

Remember, safety is always #1 on the exam. There are a few things to memorize here, like heights of fences, types of fire extinguishers, classes of gates, etc.

CCTV – Closed Circuit TeleVision. A primarily detective physical control. Although wireless and IP based cameras are more common these days, there are still a lot of CCTV systems in use.

CRT – Cathode Ray Tube. Old style monitors, which are heavy, relatively fragile, and deep, and made of a vacuum tube with three electron beams, one each for red, green, and blue, producing an image. Older cameras were also CRT based.

CCD – Charge Coupled Discharge. The technology used by newer cameras, and in fact most cameras today.

Heights of Fences - Seriously, just memorize this (feet and meters). It shows up often enough on the exam.

HVAC – Heating, Ventilation, and Air Conditioning. HVAC is an issue in physical and environmental security. With joint tenancy, HVAC can be a major concern as others may have access to your HVAC controls.

EPO – Emergency Power Off. Sometimes called the “big red button” which can shut off power to the entire data center when an emergency occurs (or when it’s pressed by mistake).

EMI – ElectroMagnetic Interference. High frequency EMI is called RFI.

RFI – Radio Frequency Interference. RFI can be caused by devices like neon lights and electric motors and RFI can modulate electric power, called “noise” on the electric power. Normally electric cables are routed away from other cables, grounded, and shielded to help prevent noise from RFI and from EMI (ElectroMagnetic Interference).

IP – Intellectual Property. Physical security, at least in large part for most organizations, should be focused on protecting IP. Yeah, yeah, I know it stands for something else too.
