Partitioned security mode
Information system security mode of operation wherein all personnel have the clearance, but not necessarily formal access approved and need-to-know, for all information handled by an information system.
Partitioning
The act of logically dividing a media into portions that function as physically separate units.
Passive attack
(1) An attack against an authentication protocol where the attacker intercepts data traveling along the network between the claimant and verifier, but does not alter the data (i.e., eavesdropping). (2) An attack that does not alter systems or data.
Passive fingerprinting
Analyzing packet headers for certain unusual characteristics or combinations of characteristics that are exhibited by particular operating systems or applications.
Passive security testing
Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.
Passive sensor
A sensor that is deployed so that it monitors a copy of the actual network traffic.
Passive testing
Nonintrusive security testing primarily involving reviews of documents such as policies, procedures, security requirements, software code, system configurations, and system logs.
Passive wiretapping
The monitoring or recording of data while data is transmitted over a communications link, without altering or affecting the data.
Passphrase
A relatively long password consisting of a series of words, such as a phrase or full sentence.
Password
(1) A protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data and system resources. (2) A secret that a claimant memorizes and uses to authenticate his identity. (3) Passwords are typically character strings (e.g., letters, numbers, and other symbols) used to authenticate an identity or to verify access authorizations. This is a technical and preventive control.
Password authentication protocol (PAP)
A protocol that enables peers connected by a Point-to-Point Protocol (PPP) link to authenticate each other using a simple exchange of a user name and password. It is not a secure protocol because it transmits these credentials in plaintext.
Password cracker
An application testing for passwords that can be easily guessed such as words in the dictionary or simple strings of characters (e.g., “abcdefgh” or “qwertyuiop”).
Password cracking
The process of recovering secret passwords stored in a computer system or transmitted over a network.
Password protected
(1) The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered. (2) The ability to protect the contents of a file or device from being accessed until the correct password is entered.
Password synchronization
A technology that takes a password from the user and changes the passwords on other system resources to match it, so that the user can use the same password when authenticating to each system resource.
Password system
A system that uses a password or passphrase to authenticate a person’s identity or to authorize a person’s access to data and that consists of a means for performing one or more of the following password operations: generation, distribution, entry, storage, authentication, replacement, encryption and/or decryption of passwords.
Patch
(1) An update to an operating system, application, or other software issued specifically to correct particular problems with the software. (2) A section of software code inserted into a program to correct mistakes or to alter the program, generally supplied by the vendor of software. (3) A patch (sometimes called a “fix”) is a “repair job” for a piece of programming. A patch is the immediate solution to an identified problem that is provided to users; it can sometimes be downloaded from the software maker’s website. The patch is not necessarily the best solution for the problem, and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In many operating systems, a special program is provided to manage and track the installation of patches.
Patch management
(1) The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions, which are known as patches, hot fixes, and service packs. (2) The process of acquiring, testing, and distributing patches to the appropriate administrators and users throughout the organization.
Payback method
The payback period is stated in years and estimates the time it takes to recover the original investment outlay. It is calculated by dividing the net investment by the average annual operating cash inflows. The payback method can be used to assess the financial feasibility of an investment in an information security program.
Payload
(1) The portion of a virus that contains the code for the virus’s objective, which may range from the relatively benign (e.g., annoying people and stating personal opinions) to the highly malicious (e.g., forwarding personal information to others and wiping out systems and files). (2) A protection for packet headers and data in Internet Protocol security (IPsec). (3) Information passed down from the previous layer to the next layer in a TCP/IP network. (4) A life-cycle function of a worm: the code the worm carries to perform a task beyond its standard life-cycle functions. (5) The input data to the Counter with Cipher Block Chaining-Message Authentication Code (CCM) generation-encryption process that is both authenticated and encrypted.
Peer review
A quality assurance method in which two or more programmers review and critique each other’s work for accuracy and consistency with other parts of the system and detect program errors. This is a management and detective control.
Peer-to-peer computing
See Mesh computing.
Peer-to-peer (P2P) file sharing program
Free and easily accessible software that poses risks to individuals and organizations. It can unknowingly enable users to copy private files, download material that is protected by copyright law, download a virus, or facilitate a security breach.
Peer-to-peer (P2P) network
A network in which each networked host computer runs both the client and server parts of an application system.
Perfective maintenance
All changes, insertions, deletions, modifications, extensions, and enhancements made to a system to meet the user’s evolving or expanding needs.
Performance metrics
Metrics that provide the means for tying together the implementation, efficiency, effectiveness, and impact levels of information security controls.
Performance testing
A testing approach to assess how well a system meets its specified performance requirements.
Persistent cookie
A cookie stored on a computer’s hard drive indefinitely so that a website can identify the user during subsequent visits. These cookies are set with expiration dates and remain valid until they expire or the user deletes them.
Personal digital assistant (PDA)