Common Cryptographic Architecture (CCA)
A cryptographic architecture developed by IBM for its computing platforms.

Overview
Common Cryptographic Architecture (CCA) defines a set of application programming interfaces (APIs) for providing cryptographic services to applications. These APIs include functions for confidentiality, data integrity, and message authentication. The architecture is based on the Data Encryption Standard (DES) and has found widespread use in the banking and financial industry in the IBM 4758, a tamper-resistant Peripheral Component Interconnect (PCI) card that plugs into PCs to provide cryptographic functions for secure communications. The IBM 4758 is encased in a hardened metal case and contains temperature, shock, and X-ray sensors to guard against tampering, and it is Federal Information Processing Standards (FIPS) 140-1 Level 4 certified. Despite the hardened nature of this cryptographic device and the fact that it uses strong Triple DES (3DES) encryption, in 2002 an attack was devised by a team of researchers at Cambridge University's William Gates Computer Laboratory; using off-the-shelf hardware costing less than $1,000, the team took less than a day to discover an encryption key used by CCA.

See Also: 3DES, cryptography, Data Encryption Standard (DES), encryption algorithm

Common Vulnerabilities and Exposures (CVE)
An emerging industry standard for naming vulnerabilities and other information security exposures.

Overview
Common Vulnerabilities and Exposures (CVE) is maintained by MITRE Corporation in collaboration with security experts, academic institutions, government agencies, and security tool vendors. CVE was developed to standardize the naming of security vulnerabilities so that information could be shared between different security databases and tools. CVE functions as a kind of dictionary of all publicly known vulnerabilities and exposures for operating systems and applications. The National Institute of Standards and Technology (NIST) has recognized the importance of the CVE as an emerging industry standard.

For More Information
Visit MITRE at cve.mitre.org for more information.

See Also: vulnerability

compromised system
A computer system with unknown integrity because an attacker has gained illicit access.

Overview
The goal of a malicious individual attacking a computer system is to compromise the system. To compromise a system means to penetrate the security defenses of the system and gain access to some level of control over its processes and information. There are different levels at which a system can be compromised, ranging from relatively benign, such as Web site defacement, to extremely dangerous, such as gaining root access. Once a system has been compromised, the attacker is said to have achieved an exploit. This may then be the launching ground for further exploits, for example, as in distributed denial of service (DDoS) attacks in which compromised systems called zombies are used to launch attacks against other systems.

The CERT Coordination Center (CERT/CC) offers recommendations on procedures to follow in the event of a system being compromised. Recommended steps include these:
● Consultation with management, legal counsel, and law enforcement agencies
● Disconnecting the system from your network
● Imaging the system for analysis of the intrusion
● Searching for modifications in system, configuration, and data files
● Examining other systems on your network for evidence of compromise
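The "searching for modifications" step above is normally done by comparing a trusted baseline manifest against the forensic image rather than by inspecting the live suspect host. The following is an added example, not from the encyclopedia or from CERT/CC; the file contents and paths are constructed for illustration, and in practice the baseline would come from a clean image or vendor package hashes.

```python
import hashlib

# Constructed sample data for this example only: a known-good baseline of a
# few system and configuration files, and the same paths as read from a
# forensic image of the suspect host (never from the running machine).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/bin/ls": b"ELF-binary-bytes-of-ls",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
IMAGED_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "/bin/ls": b"ELF-binary-bytes-of-ls-with-extra-code",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/usr/local/bin/update": b"#!/bin/sh\n# unexpected new file\n",
}


def manifest(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, imaged):
    """Return sorted lists of (modified, added, removed) paths.

    Both arguments are manifests (path -> hex digest) as built by manifest().
    A path present in both with differing digests is modified; a path only in
    the image is added; a path only in the baseline is removed.
    """
    modified = sorted(p for p in baseline if p in imaged and baseline[p] != imaged[p])
    added = sorted(p for p in imaged if p not in baseline)
    removed = sorted(p for p in baseline if p not in imaged)
    return modified, added, removed


if __name__ == "__main__":
    mod, add, rem = compare(manifest(BASELINE_FILES), manifest(IMAGED_FILES))
    for label, paths in (("modified", mod), ("added", add), ("removed", rem)):
        for p in paths:
            print(f"{label}: {p}")
```

Each flagged path is a lead for the analyst, not proof of compromise on its own; legitimate updates also change binaries and configuration, so the baseline must match the patch level the host should be at.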