Safeguards
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system and to protect computational resources by eliminating or reducing the vulnerability or risk to a system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices to counter a specific threat or attack. Available safeguards include hardware and software devices and mechanisms, policies, procedures, standards, guidelines, management controls, technical controls, operational controls, personnel controls, and physical controls. Synonymous with security controls and countermeasures.
Salami technique
In data security, it pertains to fraud spread over a large number of individual transactions (e.g., a program that does not round off figures but diverts the leftovers to a personal account).
Salt
A nonsecret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.
Salting (password)
The inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash.
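The effect described in the two entries above, as an added illustration (not code from the glossary or any cited source): an unsalted digest is identical for identical passwords, whereas a per-record random salt makes the stored records differ while both still verify. The record format, the iteration count and the salt length are constructed choices for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration; tune the work factor for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password):
    """The weak scheme: two users with the same password get the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn per password unless one is supplied
    (a fixed salt is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # nonsecret, but unique per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_records_differ(password):
    """Hash the same password twice; the salted records differ, yet both verify."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted digests identical:", unsalted_hash(pw) == unsalted_hash(pw))
    print("salted records differ but verify:", salted_records_differ(pw))
```

The salt is stored in the clear next to the digest: it is nonsecret, as the Salt entry says, and its job is only to make precomputed tables and cross-user comparisons useless, not to act as a key.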
Sandbox
A system that allows an untrusted application to run in a highly controlled environment where the application’s permissions are restricted to an essential set of computer permissions. In particular, an application in a sandbox is usually restricted from accessing the file system or the network. A widely used example of applications running inside a sandbox is a Java applet. A behavioral sandbox uses a runtime monitor to ensure that the execution of mobile code conforms to the enforcement model.
Sandbox security model
Java’s security model, in which applets can operate, creating a safe sandbox for applet processing.
Sandboxing
(1) A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine-interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain. (2) New malicious code protection products introduce a “sandbox” technology allowing users the option to run programs such as Java and ActiveX in quarantined sub-directories of systems. If malicious code is detected in a quarantined program, the system removes the associated files, protecting the rest of the system. (3) A method of isolating each guest operating system from the others and restricting what resources they can access and what privileges they can have (i.e., restrictions and privileges).
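Sense (1) above describes software-based fault isolation, in which each memory access of an untrusted module is rewritten so that it can only land inside the module's own segment. The following is an added toy model of that address-sandboxing transformation, written for this glossary and not taken from any real rewriter: a small interpreter stands in for the rewritten machine code, the segment size, domain numbering and instruction tuples are constructed, and the upper address bits serve as the per-domain identifier the entry mentions.

```python
DOMAIN_BITS = 8                        # each fault domain owns a 256-byte segment
DOMAIN_MASK = (1 << DOMAIN_BITS) - 1   # low bits = offset inside the segment
MEMORY_SIZE = 16 * (1 << DOMAIN_BITS)  # one shared address space holding 16 domains


def domain_of(addr):
    """Fault-domain identifier encoded in the upper bits of an address."""
    return addr >> DOMAIN_BITS


def sandbox_address(addr, domain_id):
    """The address-sandboxing transformation: keep the offset bits of the
    requested address and overwrite the upper bits with the module's own
    domain identifier, so every access lands inside that domain's segment."""
    return (domain_id << DOMAIN_BITS) | (addr & DOMAIN_MASK)


def run_untrusted(program, domain_id, memory):
    """Interpret a constructed instruction list for an untrusted module.

    Every memory operand passes through sandbox_address before use; a real
    SFI rewriter inserts the equivalent masking in front of each load/store.
    """
    loads = []
    for op in program:
        if op[0] == "store":
            _, addr, value = op
            memory[sandbox_address(addr, domain_id)] = value & 0xFF
        elif op[0] == "load":
            _, addr = op
            loads.append(memory[sandbox_address(addr, domain_id)])
        else:
            raise ValueError("unknown instruction: %r" % (op,))
    return loads


def demo():
    """Domain 1 tries to overwrite a byte owned by domain 2 and reads it back."""
    memory = bytearray(MEMORY_SIZE)
    memory[0x2FF] = 0x42  # data belonging to domain 2 (constructed marker)
    program = [("store", 0x2FF, 0x99), ("load", 0x2FF)]
    loads = run_untrusted(program, 1, memory)
    # Returns: domain 2's byte, the byte the write was confined to, and what domain 1 read.
    return memory[0x2FF], memory[0x1FF], loads[0]


if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

The out-of-domain store is not rejected; it is silently redirected into the module's own segment, which is what keeps the check to a couple of bit operations per access. Confining data accesses this way says nothing about control flow, which a full implementation must sandbox separately.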
Sanding
The application of an abrasive substance to the media’s physical recording surface.
Sanitization
The changing of content information in order to meet the requirements of the sensitivity level of the network to which the information is being sent. It is a process to remove information from media so that information recovery is not possible. It includes removing all classified labels, markings, and activity logs. Synonymous with scrubbing.
S-box
Nonlinear substitution table boxes (S-boxes) used in several byte substitution transformations and in the key expansion routine to perform a one-for-one substitution of a byte value. This substitution, which is implemented with simple electrical circuits, is done so fast that it does not require any computation, just signal propagation. The S-box design, which is implemented in hardware for a cryptographic algorithm, follows Kerckhoffs’s principle (security-by-obscurity) in that an attacker knows that the general method is substituting the bits, but he does not know which bit goes where. Hence, there is no need to hide the substitution method. S-boxes and P-boxes are combined to form a product cipher, where the wiring of the P-box is placed inside the S-box (that is, the S-box comes first and the P-box next). S-boxes are used in the Advanced Encryption Standard (Tanenbaum).
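To make the S-box/P-box pairing concrete, here is an added example (not from the glossary or from Tanenbaum) of one product-cipher round on a 16-bit block: key mixing, then a nibble-wise S-box lookup, then a bit-level P-box transposition, with the inverse round built from the inverse tables. The S-box and P-box tables are constructed for this illustration and are not the AES tables; both are published in the code, which is the Kerckhoffs point the entry makes. The `is_linear` check shows the property that distinguishes a usable S-box from a mere rewiring.

```python
# Constructed 4-bit S-box (a permutation of 0..15) and 16-bit P-box; not the AES tables.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# PBOX[i] is the output bit position of input bit i: the "wiring" of the P-box.
PBOX = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
INV_PBOX = [PBOX.index(v) for v in range(16)]


def substitute(block, sbox=SBOX):
    """One-for-one substitution, nibble by nibble: a pure table lookup."""
    out = 0
    for i in range(4):
        nibble = (block >> (4 * i)) & 0xF
        out |= sbox[nibble] << (4 * i)
    return out


def permute(block, pbox=PBOX):
    """Move each bit to the position given by the wiring table; no arithmetic."""
    out = 0
    for src in range(16):
        out |= ((block >> src) & 1) << pbox[src]
    return out


def round_encrypt(block, round_key):
    """One product-cipher round: key mixing, then S-box, then P-box."""
    return permute(substitute(block ^ round_key))


def round_decrypt(block, round_key):
    """Undo the round by applying the inverse tables in reverse order."""
    return substitute(permute(block, INV_PBOX), INV_SBOX) ^ round_key


def is_linear(sbox):
    """True when S(a ^ b) == S(a) ^ S(b) for every a, b.

    A linear box could be replaced by XORs and wires, so it would add no
    confusion; a real S-box must return False here.
    """
    return all(sbox[a ^ b] == sbox[a] ^ sbox[b] for a in range(16) for b in range(16))


if __name__ == "__main__":
    key, plaintext = 0x3A94, 0x26B7  # constructed sample values
    ciphertext = round_encrypt(plaintext, key)
    print(hex(ciphertext), round_decrypt(ciphertext, key) == plaintext)
    print("S-box linear:", is_linear(SBOX), " identity linear:", is_linear(list(range(16))))
```

A single round like this is not a cipher; real designs iterate many rounds with distinct round keys so that the S-box's nonlinearity and the P-box's diffusion compound.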
Scalability
(1) A measure of the ease of changing the capability of a system. (2) The ability to support more users, concurrent sessions, and throughput than a single SSL-VPN device can typically handle. (3) The ability to move application software source code and data into systems and environments that have a variety of performance characteristics and capabilities without significant modification.
Scanning
(1) Sequentially going through combinations of numbers and letters to look for access to telephone numbers and secret passwords. (2) Sending packets or requests to another system to gain information to be used in a subsequent attack.
Scavenging
Searching through object residue (file storage space) to acquire unauthorized data.
Scenario analysis
An information system's vulnerability assessment technique in which various possible attack methods are identified and the existing controls are examined in light of their ability to counter such attack methods.
Schema
A set of specifications that defines a database. Specifically, it includes entity names, sets, groups, data items, areas, sort sequences, access keys, and security locks.
Scoping guidance
Specific factors related to technology, infrastructure, public access, scalability, common security controls, and risk that can be considered by organizations in the applicability and implementation of individual security controls in the security control baseline.
Screen scraper
A computer program that extracts data from websites. The program captures information from a computer display not intended for processing, captures the bitmap data from a computer screen, or queries the graphical controls used in an application to obtain references to the underlying programming objects. Screen scrapers can extract data from mobile devices (such as PDAs and smartphones) and non-mobile devices. Regarding security threats, the screen scraper belongs to the malware family in that it is similar to malware threats including keyloggers, spyware, bad adware, rootkits, backdoors, and bots.
Screened host firewall
It combines a packet-filtering router with an application gateway located on the protected subnet side of the router.
Screened subnet firewall
Conceptually, it is similar to a dual-homed gateway, except that an entire network, rather than a single host, is reachable from the outside. It can be used to locate each component of the firewall on a separate system, thereby increasing throughput and flexibility.
Screening router
A router used to implement part of a firewall’s security by configuring it to selectively permit or deny traffic at the network level.
Script
(1) A sequence of instructions, ranging from a simple list of operating system commands to full-blown programming language statements, which can be executed automatically by an interpreter. (2) A sequence of commands, often residing in a text file, which can be interpreted and executed automatically. (3) Unlike compiled programs, which execute directly on a computer processor, a script must be processed by another program that carries out the indicated actions.
Scripting language