E <- 4. Definitions -> G
F English
- $ fail-safe
- 1. (I) Synonym for "fail-secure".
2. (I) A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise). (See: failure control.)
Tutorial: Definitions 1 and 2 are opposing design alternatives. Therefore, IDOCs SHOULD NOT use this term without providing a definition for it. If definition 1 is intended, IDOCs can avoid ambiguity by using "fail-secure" instead.
$ fail-secure- (I) A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity). (See: failure control. Compare: fail-safe.)
$ fail-soft- (I) Selective termination of affected, non-essential system functions when a failure occurs or is detected in the system. (See: failure control.)
$ failure control- (I) A methodology used to provide fail-safe, fail-secure or fail- soft termination and recovery of system functions. [FP039]
$ fairness- (I) A property of an access protocol for a system resource whereby the resource is made equitably or impartially available to all eligible users. (RFC 3753)
Tutorial: Fairness can be used to defend against some types of denial-of-service attacks on a system connected to a network. However, this technique assumes that the system can properly receive and process inputs from the network. Therefore, the technique can mitigate flooding but is ineffective against jamming.
$ falsification- (I) A type of threat action whereby false data deceives an authorized entity. (See: active wiretapping, deception.)
Usage: This type of threat action includes the following subtypes:
- "Substitution": Altering or replacing valid data with false data that serves to deceive an authorized entity.
- "Insertion": Introducing false data that serves to deceive an authorized entity.
$ fault tree- (I) A branching, hierarchical data structure that is used to represent events and to determine the various combinations of component failures and human acts that could result in a specified undesirable system event. (See: attack tree, flaw hypothesis methodology.)
Tutorial: "Fault-tree analysis" is a technique in which an undesired state of a system is specified and the system is studied in the context of its environment and operation to find all credible ways in which the event could occur. The specified fault event is represented as the root of the tree. The remainder of the tree represents AND or OR combinations of subevents, and sequential combinations of subevents, that could cause the root event to occur. The main purpose of a fault-tree analysis is to calculate the probability of the root event, using statistics or other analytical methods and incorporating actual or predicted quantitative reliability and maintainability data. When the root event is a security violation, and some of the subevents are deliberate acts intended to achieve the root event, then the fault tree is an attack tree.
$ FEAL- (O) A family of symmetric block ciphers that was developed in Japan; uses a 64-bit block, keys of either 64 or 128 bits, and a variable number of rounds; and has been successfully attacked by cryptanalysts. [Schn]
$ Federal Information Processing Standards (FIPS)- (N) The Federal Information Processing Standards Publication (FIPS PUB) series issued by NIST under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987 (Public Law 100-235) as technical guidelines for U.S. Government procurements of information processing system equipment and services. (See: "[FPxxx]" items in Section 7, Informative References.)
$ Federal Public-key Infrastructure (FPKI)- (O) A PKI being planned to establish facilities, specifications, and policies needed by the U.S. Government to use public-key certificates in systems involving unclassified but sensitive applications and interactions between Federal agencies as well as with entities of state and local governments, the business community, and the public. [FPKI]
$ Federal Standard 1027- (N) An U.S. Government document defining emanation, anti-tamper, security fault analysis, and manual key management criteria for DES encryption devices, primary for OSIRM Layer 2. Was renamed "FIPS PUB 140" when responsibility for protecting unclassified, sensitive information was transferred from NSA to NIST, and has since been superseded by newer versions of that standard [FP140].
$ File Transfer Protocol (FTP)- (I) A TCP-based, Application-Layer, Internet Standard protocol (RFC 959) for moving data files from one computer to another.
$ fill device- (N) /COMSEC/ A device used to transfer or store keying material in electronic form or to insert keying material into cryptographic equipment.
$ filter- 1. (I) /noun/ Synonym for "guard". (Compare: content filter, filtering router.)
2. (I) /verb/ To process a flow of data and selectively block passage or permit passage of individual data items according to a security policy.
$ filtering router- (I) An internetwork router that selectively prevents the passage of data packets according to a security policy. (See: guard.)
Tutorial: A router usually has two or more physical connections to networks or other systems; and when the router receives a packet on one of those connections, it forwards the packet on a second connection. A filtering router does the same; but it first decides, according to some security policy, whether the packet should be forwarded at all. The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port numbers) [R2179]. A filtering router may be used alone as a simple firewall or be used as a component of a more complex firewall.
$ financial institution- (N) "An establishment responsible for facilitating customer- initiated transactions or transmission of funds for the extension of credit or the custody, loan, exchange, or issuance of money." [SET2]
$ fingerprint- 1. (I) A pattern of curves formed by the ridges on a fingertip. (See: biometric authentication. Compare: thumbprint.)
2. (D) /PGP/ A hash result ("key fingerprint") used to authenticate a public key or other data. [PGP]
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2, and SHOULD NOT use this term as a synonym for "hash result" of *any* kind. Either use would mix concepts in a potentially misleading way.
$ FIPS- (N) See: Federal Information Processing Standards.
$ FIPS PUB 140- (N) The U.S. Government standard [FP140] for security requirements to be met by a cryptographic module when the module is used to protect unclassified information in computer and communication systems. (See: Common Criteria, FIPS, Federal Standard 1027.)
Tutorial: The standard specifies four increasing levels (from "Level 1" to "Level 4") of requirements to cover a wide range of potential applications and environments. The requirements address basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference and electromagnetic compatibility (EMI/EMC), and self-testing. NIST and the Canadian Communication Security Establishment jointly certify modules.
$ FIREFLY- (O) /U.S. Government/ "Key management protocol based on public-key cryptography." [C4009]
$ firewall- 1. (I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)
2. (O) A device or system that controls the flow of traffic between networks using differing security postures. [SP41]
Tutorial: A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies policy rules to control traffic that flows in and out of the protected network.
A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN (see: buffer zone) between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher-layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep unauthorized traffic (i.e., intruders) out, but usually also needs to let authorized traffic pass both in and out.
$ firmware- (I) Computer programs and data stored in hardware -- typically in read-only memory (ROM) or programmable read-only memory (PROM) -- such that the programs and data cannot be dynamically written or modified during execution of the programs. (See: hardware, software.)
$ FIRST- (N) See: Forum of Incident Response and Security Teams.
$ flaw- 1. (I) An error in the design, implementation, or operation of an information system. A flaw may result in a vulnerability. (Compare: vulnerability.)
2. (D) "An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed." [NCSSG] (Compare: vulnerability. See: brain-damaged.)
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2; not every flaw is a vulnerability.
$ flaw hypothesis methodology- (I) An evaluation or attack technique in which specifications and documentation for a system are analyzed to hypothesize flaws in the system. The list of hypothetical flaws is prioritized on the basis of the estimated probability that a flaw exists and, assuming it does, on the ease of exploiting it and the extent of control or compromise it would provide. The prioritized list is used to direct a penetration test or attack against the system. [NCS04] (See: fault tree, flaw.)
$ flooding- 1. (I) An attack that attempts to cause a failure in a system by providing more input than the system can process properly. (See: denial of service, fairness. Compare: jamming.)
Tutorial: Flooding uses "overload" as a type of "obstruction" intended to cause "disruption".
2. (I) The process of delivering data or control messages to every node of a network. (RFC 3753)
$ flow analysis- (I) An analysis performed on a nonprocedural, formal, system specification that locates potential flows of information between system variables. By assigning security levels to the variables, the analysis can find some types of covert channels. [Huff]
$ flow control- 1. (I) /data security/ A procedure or technique to ensure that information transfers within a system are not made from one security level to another security level, and especially not from a higher level to a lower level. [Denns] (See: covert channel, confinement property, information flow policy, simple security property.)
2. (O) /data security/ "A concept requiring that information transfers within a system be controlled so that information in certain types of objects cannot, via any channel within the system, flow to certain other types of objects." [NCSSG]
$ For Official Use Only (FOUO)- (O) /U.S. DoD/ A U.S. Government designation for information that has not been given a security classification pursuant to the criteria of an Executive Order dealing with national security, but which may be withheld from the public because disclosure would cause a foreseeable harm to an interest protected by one of the exemptions stated in the Freedom of Information Act (Section 552 of title 5, United States Code). (See: security label, security marking. Compare: classified.)
$ formal- (I) Expressed in a restricted syntax language with defined semantics based on well-established mathematical concepts. [CCIB] (Compare: informal, semiformal.)
$ formal access approval- (O) /U.S. Government/ Documented approval by a data owner to allow access to a particular category of information in a system. (See: category.)
$ Formal Development Methodology- (O) See: Ina Jo.
$ formal model- (I) A security model that is formal. Example: Bell-LaPadula model. [Land] (See: formal, security model.)
$ formal proof- (I) "A complete and convincing mathematical argument, presenting the full logical justification for each step in the proof, for the truth of a theorem or set of theorems." [NCSSG]
$ formal specification- (I) A precise description of the (intended) behavior of a system, usually written in a mathematical language, sometimes for the purpose of supporting formal verification through a correctness proof. [Huff] (See: Affirm, Gypsy, HDM, Ina Jo.) (See: formal.)
Tutorial: A formal specification can be written at any level of detail but is usually a top-level specification.
$ formal top-level specification- (I) "A top-level specification that is written in a formal mathematical language to allow theorems showing the correspondence of the system specification to its formal requirements to be hypothesized and formally proven." [NCS04] (See: formal specification.)
$ formulary- (I) A technique for enabling a decision to grant or deny access to be made dynamically at the time the access is attempted, rather than earlier when an access control list or ticket is created.
$ FORTEZZA(trademark)- (O) A registered trademark of NSA, used for a family of interoperable security products that implement a NIST/NSA-approved suite of cryptographic algorithms for digital signature, hash, encryption, and key exchange. The products include a PC card (which contains a CAPSTONE chip), and compatible serial port modems, server boards, and software implementations.
$ Forum of Incident Response and Security Teams (FIRST)- (N) An international consortium of CSIRTs (e.g., CIAC) that work together to handle computer security incidents and promote preventive activities. (See: CSIRT, security incident.)
Tutorial: FIRST was founded in 1990 and, as of July 2004, had more than 100 members spanning the globe. Its mission includes:
- Provide members with technical information, tools, methods, assistance, and guidance.
- Coordinate proactive liaison activities and analytical support.
- Encourage development of quality products and services.
- Improve national and international information security for governments, private industry, academia, and the individual.
- Enhance the image and status of the CSIRT community.
$ forward secrecy- (I) See: perfect forward secrecy.
$ FOUO- (O) See: For Official Use Only.
$ FPKI- (O) See: Federal Public-Key Infrastructure.
$ fraggle attack- (D) /slang/ A synonym for "smurf attack".
Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term.
Derivation: The Fraggles are a fictional race of small humanoids (represented as hand puppets in a children's television series, "Fraggle Rock") that live underground.
$ frequency hopping- (N) Repeated switching of frequencies during radio transmission according to a specified algorithm. [C4009] (See: spread spectrum.)
Tutorial: Frequency hopping is a TRANSEC technique to minimize the potential for unauthorized interception or jamming.
$ fresh- (I) Recently generated; not replayed from some earlier interaction of the protocol.
Usage: Describes data contained in a PDU that is received and processed for the first time. (See: liveness, nonce, replay attack.)
$ FTP- (I) See: File Transfer Protocol.
E <- 4. Definitions -> G