Adequate Security: Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information. Source: OMB Circular A-130
Administrative Controls: Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
Adverse Events: Events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, defacement of a web page or execution of malicious code that destroys data.
Application Programming Interface (API): A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
Application Server: A computer responsible for hosting applications to user workstations. NIST SP 800-82 Rev.2
Artificial Intelligence: The ability of computers and robots to simulate human intelligence and behavior.
Asset: Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
Asymmetric Encryption: An algorithm that uses one key to encrypt and a different key to decrypt the input plaintext.
Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B
Authentication: The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator.
Authorization: The right or a permission that is granted to a system entity to access a system resource. NIST 800-82 Rev.2
Availability: Ensuring timely and reliable access to and use of information by authorized users.
Baseline: A documented, lowest level of security configuration allowed by a standard or organization.
Biometric: Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.
Bit: The most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.
Bot: Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose. Source: NIST SP 800-53 Rev. 5
Broadcast: Broadcast transmission is a one-to-many (one-to-everyone) form of sending internet traffic.
Business Continuity (BC): Actions, processes and tools for ensuring an organization can continue critical operations during a contingency.
Business Continuity Plan (BCP): The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.
Business Impact Analysis (BIA): An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. NIST SP 800-34 Rev. 1
Byte: The byte is a unit of digital information that most commonly consists of eight bits.
Checksum: A digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.
Ciphertext: The altered form of a plaintext message so it is unreadable for anyone except the intended recipients. In other words, it has been turned into a secret.
Classification: Classification identifies the degree of harm to the organization, its stakeholders or others that might result if an information asset is divulged to an unauthorized person, process or organization. In short, classification is focused first and foremost on maintaining the confidentiality of the data, based on the data sensitivity.
Classified or Sensitive Information: Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
Cloud Computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST 800-145
Community Cloud: A system in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises. NIST 800-145
Confidentiality: The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST 800-66
Configuration Management: A process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated.
Crime Prevention through Environmental Design (CPTED): An architectural approach to the design of buildings and spaces that emphasizes passive features to reduce the likelihood of criminal activity.
Criticality: A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1
Cryptanalyst: One who performs cryptanalysis, which is the study of mathematical techniques for attempting to defeat cryptographic techniques and/or information systems security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.
Cryptography: The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning.
Data Integrity: The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A
Data Loss Prevention (DLP): System capabilities designed to detect and prevent the unauthorized use and transmission of information.
Decryption: The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key for decryption (which is the same for symmetric encryption, but different for asymmetric encryption). This term is also used interchangeably with “deciphering.”
De-encapsulation: The opposite process of encapsulation, in which bundles of data are unpacked or revealed.
Defense in Depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4
Degaussing: A technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data.
Denial-of-Service (DoS): The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) Source: NIST SP 800-27 Rev A
Digital Signature: The result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation. NIST SP 800-12 Rev. 1
Disaster Recovery (DR): In information systems terms, the activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale.
Disaster Recovery Plan (DRP): The processes, policies and procedures related to preparing for recovery or continuation of an organization’s critical business functions, technology infrastructure, systems and applications after the organization experiences a disaster. A disaster is when an organization’s critical business function(s) cannot be performed at an acceptable level within a predetermined period following a disruption.
Discretionary Access Control (DAC): A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192
Domain Name Service (DNS): This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
Egress Monitoring: Monitoring of outgoing network traffic.
Encapsulation: Enforcement of data hiding and code hiding during all phases of software development and operational use. Bundling together data and methods is the process of encapsulation; its opposite process may be called unpacking, revealing, or using other terms. Also used to refer to taking any set of data and packaging it or hiding it in another data structure, as is common in network protocols and encryption.
Encrypt: To protect private information by putting it into a form that can only be read by people who have permission to do so.
Encryption: The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
Encryption System: The total set of algorithms, processes, hardware, software and procedures that taken together provide an encryption and decryption capability.
Event: Any observable occurrence in a network or system. Source: NIST SP 800-61 Rev 2
Exploit: A particular attack. It is named this way because these attacks exploit system vulnerabilities.
File Transfer Protocol (FTP): The internet protocol (and program) used to transfer files between hosts.
Firewalls: Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
Fragment Attack: In a fragment attack, an attacker fragments traffic in such a way that a system is unable to put data packets back together.
General Data Protection Regulation (GDPR): In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
Governance: The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures.
Impact: The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.
Incident: An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.
Incident Handling or Incident Response (IR): The process of detecting and analyzing incidents to limit the incident’s effect.
Incident Response Plan (IRP): The documentation of a predetermined set of instructions or procedures to detect, respond to and limit consequences of a malicious cyberattack against an organization’s information systems(s). Source: NIST SP 800-34 Rev 1
Information Security Risk: The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.
Infrastructure as a Service (IaaS): The provider of the core computing, storage and network hardware and software that is the foundation upon which organizations can build and then deploy applications. IaaS is popular in the data center where software and servers are purchased as a fully outsourced service and usually billed on usage and how much of the resource is used.
Ingress Monitoring: Monitoring of incoming network traffic.
Insider Threat: An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32
Institute of Electrical and Electronics Engineers (IEEE): IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
Integrity: The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.
International Organization of Standards (ISO): The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
Internet Control Message Protocol (ICMP): An IP network protocol standardized by the Internet Engineering Task Force (IETF) through RFC 792 to determine if a particular service or host is available.
Internet Engineering Task Force (IETF): The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B
Internet Protocol (IPv4): Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. CNSSI 4009-2015
Intrusion: A security event, or combination of security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization. Source: IETF RFC 4949 Ver 2
iOS: An operating system manufactured by Apple Inc. for mobile devices.
Layered Defense: The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.
Likelihood: The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Likelihood of Occurrence: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
Linux: An operating system that is open source, making its source code legally available to end users.
Log Anomaly: A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.
Logging: Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.
Logical Access Control Systems: An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev.5.
Man-in-the-Middle: An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them. Source: NISTIR 7711
Mandatory Access Control: Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.
Mantrap: An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.
Message Digest: A digital signature that uniquely identifies data and has the property such that changing a single bit in the data will cause a completely different message digest to be generated. NISTIR-8011 Vol.3
Microsegmentation: Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
Multi-Factor Authentication: Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
National Institute of Standards and Technology (NIST): NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Division.
Non-repudiation: The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Object: Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4
Operating System: The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations. NIST SP 800-44 Version 2
Oversized Packet Attack: Purposely sending a network packet that is larger than expected or larger than can be handled by the receiving system, causing the receiving system to fail unexpectedly.
Packet: Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.
Patch: A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component. Source: ISO/IEC 19770-2
Patch Management: The systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are known as patches, hotfixes, and service packs. Source: CNSSI 4009
Payload: The primary action of a malicious code attack.
Payment Card Industry Data Security Standard (PCI DSS): An information security standard administered by the Payment Card Industry Security Standards Council that applies to merchants and service providers who process credit or debit card transactions.
Personally Identifiable Information (PII): The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.”
Physical Controls: Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks. Also known as Physical Access Controls.
Plaintext: A message or data in its natural format and in readable form; extremely vulnerable from a confidentiality perspective.
Platform as a Service (PaaS): The web-authoring or application development middleware environment that allows applications to be built in the cloud before they’re deployed as SaaS assets.
Privacy: The right of an individual to control the distribution of information about themselves.
Private Cloud: A cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.
Principle of Least Privilege: The principle that users and programs should have only the minimum privileges necessary to complete their tasks. NIST SP 800-179
Privileged Account: An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4
Probability: The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Source: NIST SP 800-30 Rev. 1
Protected Health Information (PHI): Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
Protocols: A set of rules (formats and procedures) to implement and control some type of association (that is, communication) between systems. NIST SP 800-82 Rev. 2
Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. NIST SP 800-145
Qualitative Risk Analysis: A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high. Source: NISTIR 8286
Quantitative Risk Analysis: A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. Source: NISTIR 8286
Ransomware: A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid.
Records: The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). NIST SP 800-53 Rev. 4
Records Retention: A practice based on the records life cycle, according to which records are retained as long as necessary, and then are destroyed after the appropriate time interval has elapsed.
Remanence: Residual information remaining on storage media after clearing. NIST SP 800-88 Rev. 1
Request for Change (RFC): The first stage of change management, wherein a change in procedure or product is sought by a stakeholder.
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event.
Risk Acceptance: Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
Risk Assessment: The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Avoidance: Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Management - The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
Risk Management Framework - A structured approach used to oversee and manage risk for an enterprise. Source: CNSSI 4009
Risk Mitigation - Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.
Risk Tolerance - The level of risk an entity is willing to assume in order to achieve a potential desired result. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.
Risk Transference - Paying an external party to accept the financial impact of a given risk.
Risk Treatment - The determination of the best way to address an identified risk.
Role-Based Access Control (RBAC) - An access control system that sets up user permissions based on roles.
Rule - An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.
Security Controls - The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. Source: FIPS PUB 199
Security Governance - The entirety of the policies, roles and processes the organization uses to make security decisions in an organization.
Security Operations Center - A centralized organizational function fulfilled by an information security team that monitors, detects and analyzes events on the network or system to prevent and resolve issues before they result in business disruptions.
Segregation of Duties - The practice of ensuring that an organizational process cannot be completed by a single person; subverting the process then requires collusion between two or more people, which reduces insider threats. Also commonly known as Separation of Duties.
Sensitivity - A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1
Simple Mail Transfer Protocol (SMTP) - The standard communication protocol for sending and receiving emails between senders and receivers.
Single-Factor Authentication - Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.
Social Engineering - Tactics to infiltrate systems via email, phone, text, or social media, often impersonating a person or agency in authority or offering a gift. A low-tech method would be simply following someone into a secure building.
Software - Computer programs and associated data that may be dynamically written or modified during execution. NIST SP 800-37 Rev. 2
Software as a Service (SaaS) - The cloud customer uses the cloud provider’s applications running within a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Derived from NIST 800-145
Spoofing - Faking the sending address of a transmission to gain illegal entry into a secure system. CNSSI 4009-2015
State - The condition an entity is in at a point in time.
Subject - Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP 800-53 Rev. 4
Symmetric Encryption - An algorithm that uses the same key in both the encryption and the decryption processes.
System Integrity - The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Source: NIST SP 800-27 Rev. A
Technical Controls - The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
Threat - Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. Source: NIST SP 800-30 Rev 1
Threat Actor - An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
Threat Vector - The means by which a threat actor carries out their objectives.
Token - A physical object a user possesses and controls that is used to authenticate the user’s identity. NISTIR 7711
Transmission Control Protocol/Internet Protocol (TCP/IP) Model - Internetworking protocol model created by the IETF, which specifies four layers of functionality: the Link layer (physical communications), the Internet layer (network-to-network communication), the Transport layer (basic channels for connection-oriented and connectionless exchange of data between hosts), and the Application layer, where other protocols and user application programs make use of network services.
Turnstile - A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.
Unix - An operating system used in software development.
User Provisioning - The process of creating, maintaining and deactivating user identities on a system.
Virtual Local Area Network (VLAN) - A logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution.
Virtual Private Network (VPN) - A virtual private network, built on top of existing networks, that can provide a secure communications mechanism for transmission between networks.
Vulnerability - Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source. Source: NIST SP 800-128
Web Server - A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an “intranet server.” NIST SP 800-44 Version 2
Whaling Attack - Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities.
Wireless Local Area Network (WLAN) - A group of computers and devices that are located in the same vicinity, forming a network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of WLAN.
Zenmap - The graphical user interface (GUI) for the Nmap Security Scanner, an open-source application that scans networks to determine everything that is connected as well as other information.
Zero Day - A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.
Zero Trust - Removing the design belief that the network has any trusted space. Security is managed at each possible level, down to the most granular asset. Microsegmentation of workloads is one tool of the model.