Recently updated
Published entries ordered by most recent updates.
- demilitarized zone (Jan 06, 2026)
Synonym for "buffer zone".
- merchant certification authority (Jan 06, 2026)
A CA that issues digital certificates to merchants and is operated on behalf of a payment card brand, an acquirer, or another party according to brand rules. Acquirers verify and approve requests for merchant certificates prior to issuance by the MCA. An MCA does not issue a CRL, but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]
- flooding (Jan 06, 2026)
An attack that attempts to cause a failure in a system by providing more input than the system can process properly. (See: denial of service, fairness. Compare: jamming.)
- ciphony (Jan 06, 2026)
The process of encrypting audio information.
- Program Upload (Jan 06, 2026)
Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.
- flow analysis (Jan 06, 2026)
An analysis performed on a nonprocedural, formal, system specification that locates potential flows of information between system variables. By assigning security levels to the variables, the analysis can find some types of covert channels. [Huff]
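As an added example for the flow analysis entry (not part of the glossary or of [Huff]), the following Go program runs a minimal version of such an analysis over a constructed, nonprocedural specification: each statement names the variable it defines, the variables it reads, and the variables that guard whether it takes effect. Influence is closed transitively, every variable is assigned a level in a two-point lattice, and any flow from a higher level into a lower one is reported. The specification, variable names and levels are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is a point in a two-level security lattice; Low is dominated by High.
type Level int

const (
	Low Level = iota
	High
)

// Stmt is one statement of a toy nonprocedural specification: Target is
// computed from Sources, and the statement only takes effect when a condition
// over Guards holds. Guards create implicit flows: whether Target changes
// reveals something about them.
type Stmt struct {
	Target  string
	Sources []string
	Guards  []string
}

// Flow is an information flow from Src into Dst.
type Flow struct{ Src, Dst string }

// Influences computes, for each target variable, the set of variables whose
// values can affect it: explicit and implicit sources, closed transitively.
func Influences(spec []Stmt) map[string]map[string]bool {
	inf := map[string]map[string]bool{}
	for _, s := range spec {
		if inf[s.Target] == nil {
			inf[s.Target] = map[string]bool{}
		}
		for _, v := range s.Sources {
			inf[s.Target][v] = true
		}
		for _, v := range s.Guards {
			inf[s.Target][v] = true
		}
	}
	// Fixpoint: if src flows into dst, everything flowing into src does too.
	for changed := true; changed; {
		changed = false
		for dst, srcs := range inf {
			for src := range srcs {
				for up := range inf[src] {
					if up != dst && !srcs[up] {
						srcs[up] = true
						changed = true
					}
				}
			}
		}
	}
	return inf
}

// Violations lists flows whose source level is not dominated by the
// destination level (information moving "down" the lattice). Variables with
// no assigned level default to Low. Output is sorted for determinism.
func Violations(spec []Stmt, levels map[string]Level) []Flow {
	var out []Flow
	for dst, srcs := range Influences(spec) {
		for src := range srcs {
			if levels[src] > levels[dst] {
				out = append(out, Flow{src, dst})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Src != out[j].Src {
			return out[i].Src < out[j].Src
		}
		return out[i].Dst < out[j].Dst
	})
	return out
}

// Constructed specification of a PIN check. Nothing copies the secret into a
// Low variable directly, but the failure counter is updated under a guard
// that compares the secret, and the counter is then written to a log.
var pinSpec = []Stmt{
	{Target: "attempts", Sources: []string{"attempts"}, Guards: []string{"pin", "secret"}},
	{Target: "log", Sources: []string{"attempts"}},
	{Target: "busy", Sources: []string{"clock"}},
}

var pinLevels = map[string]Level{
	"secret": High, "pin": High,
	"attempts": Low, "log": Low, "busy": Low, "clock": Low,
}

func main() {
	for _, f := range Violations(pinSpec, pinLevels) {
		fmt.Printf("High -> Low flow: %s -> %s\n", f.Src, f.Dst)
	}
}
```

The interesting finding is the flow from secret into log: no statement reads the secret into a Low variable, yet the guarded counter leaks one bit per failed comparison and the log carries it onward, which is the kind of covert channel the entry refers to.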
- International Standard (Jan 06, 2026)
See: secondary definition under "ISO".
- Remote Device Management Services (Jan 06, 2026)
An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs Location)
- client-server system (Jan 06, 2026)
A distributed system in which one or more entities, called clients, request a specific service from one or more other entities, called servers, that provide the service to the clients.
- External Remote Services (Jan 06, 2026)
Adversaries may leverage external facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
- CPS (Jan 06, 2026)
See: certification practice statement.
- MISPC (Jan 06, 2026)
See: Minimum Interoperability Specification for PKI Components.
- algorithm (Jan 06, 2026)
A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. (See: cryptographic algorithm.)
- controlling authority (Jan 06, 2026)
"Official responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet." [C4009, N4006]
- Authority Information Access extension (Jan 06, 2026)
The private extension defined by PKIX for X.509 certificates to indicate "how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data." [R3280] (See: private extension.)
- hypertext (Jan 06, 2026)
A computer document, or part of a document, that contains hyperlinks to other documents; i.e., text that contains active pointers to other text. Usually written in HTML and accessed using a web browser. (See: hypermedia.)
- key transport (algorithm or protocol) (Jan 06, 2026)
A key establishment method by which a secret key is generated by a system entity in a communication association and securely sent to another entity in the association. (Compare: key agreement.)
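As an added example for the key transport entry (not code from the glossary or from any standard it cites), the Go program below shows the distinction the entry draws. TransportKey has the sender alone generate a session key and send it wrapped under the recipient's RSA public key with RSA-OAEP; UnwrapKey recovers it and rejects a tampered blob. AgreeKey is shown for contrast: an X25519 key agreement in which the shared key depends on both parties' contributions and is never transmitted. The OAEP label string, the 32-byte key size and the SHA-256 "KDF" are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; both sides must use the same
// label. The value is constructed for this example.
var oaepLabel = []byte("example-session-key")

// TransportKey is key transport: the sender alone generates the session key
// and sends it wrapped under the recipient's RSA public key with RSA-OAEP.
// The recipient contributes nothing to the key's value.
func TransportKey(recipient *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return key, wrapped, nil
}

// UnwrapKey recovers a transported key. OAEP decoding fails on any
// modification of the wrapped blob, so a corrupted key is rejected, not used.
func UnwrapKey(recipient *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, recipient, wrapped, oaepLabel)
}

// AgreeKey is key agreement, shown for contrast: each side combines its own
// X25519 private key with the peer's public key, so the result depends on
// both contributions and the secret itself is never sent.
func AgreeKey(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared) // minimal KDF, sufficient for the example only
	return k[:], nil
}

// Result reports what one run of each method established.
type Result struct {
	TransportMatches bool // recipient unwrapped the key the sender chose
	TamperRejected   bool // a corrupted wrapped blob failed to unwrap
	AgreementMatches bool // both parties derived the same agreed key
}

// RoundTrip runs both key establishment methods once.
func RoundTrip() (Result, error) {
	var r Result
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	key, wrapped, err := TransportKey(&rsaKey.PublicKey)
	if err != nil {
		return r, err
	}
	got, err := UnwrapKey(rsaKey, wrapped)
	if err != nil {
		return r, err
	}
	r.TransportMatches = bytes.Equal(key, got)

	bad := append([]byte(nil), wrapped...)
	bad[len(bad)/2] ^= 0xff
	_, err = UnwrapKey(rsaKey, bad)
	r.TamperRejected = err != nil

	curve := ecdh.X25519()
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	ka, err := AgreeKey(a, b.PublicKey())
	if err != nil {
		return r, err
	}
	kb, err := AgreeKey(b, a.PublicKey())
	if err != nil {
		return r, err
	}
	r.AgreementMatches = bytes.Equal(ka, kb)
	return r, nil
}

func main() {
	r, err := RoundTrip()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The practical consequence of the difference: with transport, the quality of the session key rests entirely on the sender's random number generator and the recipient's private key, and a recorded wrapped key can be recovered later if that private key leaks; with agreement using fresh key pairs, neither party's later compromise reveals past keys.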
- data origin authentication (Jan 06, 2026)
"The corroboration that the source of data received is as claimed." [I7498-2] (See: authentication.)
- confinement property (Jan 06, 2026)
Property of a system whereby a subject has write access to an object only if the classification of the object dominates the clearance of the subject. (See: *-property, Bell-LaPadula model.)
- American National Standards Institute (Jan 06, 2026)
A private, not-for-profit association that administers U.S. private-sector voluntary standards.
- mission (Jan 06, 2026)
A statement of a (relatively long-term) duty or (relatively short-term) task that is assigned to an organization or system, indicates the purpose and objectives of the duty or task, and may indicate the actions to be taken to achieve it.
- IPsec (Jan 06, 2026)
See: IP Security Protocol.
- OID (Jan 06, 2026)
See: object identifier.
- output feedback (Jan 06, 2026)
A block cipher mode that modifies ECB mode to operate on plaintext segments of variable length less than or equal to the block length. [FP081] (See: block cipher, [SP38A].)
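As an added example for the output feedback entry (not code from the glossary, [FP081] or [SP38A]), the Go program below builds OFB exactly as the definition describes: the block cipher is run ECB-style on its own previous output starting from the IV, and the resulting keystream is XORed over plaintext segments of any length up to the block length, the last keystream block simply being truncated. It checks the result against the OFB-AES128 vector in NIST SP 800-38A (F.4.1) and against the standard library's own OFB stream, and shows the property a practitioner must remember: a flipped ciphertext bit flips only the corresponding plaintext bit, so OFB needs a MAC to provide integrity. The 21-byte message is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a hex string or panics (test-vector convenience).
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// ofbKeystream returns n bytes of OFB keystream. The block cipher is applied
// ECB-style to its own previous output, starting from the IV:
// O_0 = IV, O_j = E_K(O_{j-1}). The keystream never depends on the plaintext,
// and only the encrypt direction of the cipher is ever used.
func ofbKeystream(block cipher.Block, iv []byte, n int) []byte {
	bs := block.BlockSize()
	state := append([]byte(nil), iv...)
	out := make([]byte, 0, n+bs)
	for len(out) < n {
		block.Encrypt(state, state)
		out = append(out, state...)
	}
	return out[:n]
}

// ofbXOR encrypts or decrypts (the same operation) data of any length by
// XORing it with keystream; a final segment shorter than the block length
// just uses a truncated keystream block.
func ofbXOR(block cipher.Block, iv, data []byte) []byte {
	ks := ofbKeystream(block, iv, len(data))
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ ks[i]
	}
	return out
}

// OFBHex runs AES-OFB over data and returns the result as hex.
func OFBHex(key, iv, data []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return hex.EncodeToString(ofbXOR(block, iv, data))
}

// MatchesStdlib cross-checks the segment-wise implementation above against
// the standard library's OFB stream on the same input.
func MatchesStdlib(key, iv, data []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ref := make([]byte, len(data))
	cipher.NewOFB(block, iv).XORKeyStream(ref, data)
	return bytes.Equal(ref, ofbXOR(block, iv, data))
}

// BitFlipIsLocal demonstrates the absence of error propagation in OFB:
// flipping one ciphertext bit flips exactly that plaintext bit and nothing
// else. Without a MAC over the ciphertext the receiver cannot notice.
func BitFlipIsLocal(key, iv, data []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := ofbXOR(block, iv, data)
	ct[3] ^= 0x01
	want := append([]byte(nil), data...)
	want[3] ^= 0x01
	return bytes.Equal(ofbXOR(block, iv, ct), want)
}

// NIST SP 800-38A, F.4.1 (OFB-AES128): key, IV, first plaintext block and
// the expected first ciphertext block.
var (
	nistKey = mustHex("2b7e151628aed2a6abf7158809cf4f3c")
	nistIV  = mustHex("000102030405060708090a0b0c0d0e0f")
	nistPT  = mustHex("6bc1bee22e409f96e93d7e117393172a")
	nistCT  = "3b3fd92eb72dad20333449f8e83cfb4a"
)

func main() {
	fmt.Println("NIST vector ok:", OFBHex(nistKey, nistIV, nistPT) == nistCT)
	msg := []byte("twenty-one byte input") // constructed: one full block plus a 5-byte segment
	fmt.Println("matches crypto/cipher:", MatchesStdlib(nistKey, nistIV, msg))
	fmt.Println("bit flip is local:", BitFlipIsLocal(nistKey, nistIV, msg))
}
```

Because the keystream is independent of the data, encrypting a 5-byte message and the first 5 bytes of a longer message under the same key and IV produces the same 5 ciphertext bytes; the same fact means an IV must never be reused under one key, since XORing two such ciphertexts cancels the keystream entirely.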
- CMAC (Jan 06, 2026)
A message authentication code [SP38B] that is based on a symmetric block cipher. (See: block cipher.)
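As an added example serving both the data origin authentication entry and the CMAC entry (not code from the glossary or from [SP38B]), the Go program below implements CMAC over AES-128 from the block cipher alone: the subkeys K1 and K2 are derived from E_K(0), a complete final block is XORed with K1, an incomplete or empty one is padded with 10...0 and XORed with K2, and the CBC-style chain produces the tag. Verify compares tags in constant time, which is what turns the tag into a corroboration that the data came from a holder of the key. The key and messages are the SP 800-38B Appendix D.1 (AES-128) vectors, plus one constructed message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a hex string or panics (test-vector convenience).
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// dbl multiplies a 128-bit value by x in GF(2^128) modulo
// x^128 + x^7 + x^2 + x + 1 (SP 800-38B, Rb = 0x87): shift left one bit and,
// if the bit shifted out was 1, XOR Rb into the low byte. The condition is
// applied through a mask so it does not branch on key-derived data.
func dbl(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	out[len(out)-1] ^= 0x87 & -carry
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// subkeys derives K1 and K2 from L = E_K(0^128).
func subkeys(block cipher.Block) (k1, k2 []byte) {
	l := make([]byte, block.BlockSize())
	block.Encrypt(l, l)
	k1 = dbl(l)
	k2 = dbl(k1)
	return k1, k2
}

// CMAC computes the SP 800-38B tag over msg with a 128-bit block cipher.
func CMAC(block cipher.Block, msg []byte) []byte {
	bs := block.BlockSize()
	if bs != 16 {
		panic("this example supports 128-bit block ciphers only")
	}
	k1, k2 := subkeys(block)
	n := (len(msg) + bs - 1) / bs // number of blocks before padding
	last := make([]byte, bs)
	if n > 0 && len(msg)%bs == 0 {
		copy(last, msg[(n-1)*bs:]) // complete final block: XOR with K1
		xorInto(last, k1)
	} else {
		if n == 0 { // empty message still yields one padded block
			n = 1
		}
		rem := msg[(n-1)*bs:]
		copy(last, rem) // incomplete final block: pad 10...0, XOR with K2
		last[len(rem)] = 0x80
		xorInto(last, k2)
	}
	x := make([]byte, bs)
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*bs:(i+1)*bs])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x
}

// Verify recomputes the tag and compares it in constant time.
func Verify(block cipher.Block, msg, tag []byte) bool {
	return subtle.ConstantTimeCompare(CMAC(block, msg), tag) == 1
}

// CMACHex returns AES-CMAC of msgHex under keyHex, for checking vectors.
func CMACHex(keyHex, msgHex string) string {
	block, err := aes.NewCipher(mustHex(keyHex))
	if err != nil {
		panic(err)
	}
	return hex.EncodeToString(CMAC(block, mustHex(msgHex)))
}

// SP 800-38B D.1: AES-128 key and the 40-byte message of example 3.
const (
	k128 = "2b7e151628aed2a6abf7158809cf4f3c"
	pt40 = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411"
)

func main() {
	fmt.Println("example 1 (empty):", CMACHex(k128, ""))
	fmt.Println("example 3 (40 bytes):", CMACHex(k128, pt40))
	block, _ := aes.NewCipher(mustHex(k128))
	msg := []byte("constructed message")
	fmt.Println("verify:", Verify(block, msg, CMAC(block, msg)))
}
```

The padding rule is what makes the construction unambiguous: because complete and incomplete final blocks use different subkeys, a message and its 10...0-padded form cannot share a tag.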
- bridge CA (Jan 06, 2026)
A PKI consisting of only a CA that cross-certifies with CAs of some other PKIs. (See: cross-certification. Compare: bridge.)
- buffer zone (Jan 06, 2026)
A neutral internetwork segment used to connect other segments that each operate under a different security policy.
- Compromise Client Software Binary (Jan 06, 2026)
Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators.
- Valid Accounts (Jan 06, 2026)
Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may also forgo malware and tools entirely, relying only on the legitimate access those credentials provide, to make their presence harder to detect, or to control devices by sending legitimate commands in an unintended way.
- communication security (Jan 06, 2026)
Measures that implement and assure security services in a communication system, particularly those that provide data confidentiality and data integrity and that authenticate communicating entities.
- manager (Jan 06, 2026)
A person who controls the service configuration of a system or the functional privileges of operators and other users. (See: administrative security. Compare: operator, SSO, user.)
- identity (Jan 06, 2026)
The collective aspect of a set of attribute values (i.e., a set of characteristics) by which a system user or other system entity is recognizable or known. (See: authenticate, registration. Compare: identifier.)
- commercially licensed evaluation facility (Jan 06, 2026)
An organization that has official approval to evaluate the security of products and systems under the Common Criteria, ITSEC, or some other standard. (Compare: KLIF.)
- Spoof Reporting Message (Jan 06, 2026)
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.
- Network Sniffing (Jan 06, 2026)
Network sniffing is the practice of using a network interface on a computer system to monitor or capture information regardless of whether it is the specified destination for the information. (Citation: Enterprise ATT&CK January 2018)
- Network Interface Layer (Jan 06, 2026)
See: Internet Protocol Suite.
- LDAP (Jan 06, 2026)
See: Lightweight Directory Access Protocol.
- KAK (Jan 06, 2026)
See: key-auto-key. (Compare: KEK.)
- anonymity (Jan 06, 2026)
The condition of an identity being unknown or concealed. (See: alias, anonymizer, anonymous credential, anonymous login, identity, onion routing, persona certificate. Compare: privacy.)
- ohnosecond (Jan 06, 2026)
That minuscule fraction of time in which you realize that your private key has been compromised.
- mission critical (Jan 06, 2026)
A condition of a system service or other system resource such that denial of access to, or lack of availability of, the resource would jeopardize a system user's ability to perform a primary mission function or would result in other serious consequences. (See: critical. Compare: mission essential.)
- Web Service (Jan 06, 2026)
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
- CANEWARE (Jan 06, 2026)
An end-to-end encryption system for computer data networks that was developed by the U.S. DoD in the 1980s to provide host-to-host data confidentiality service for datagrams in OSIRM Layer 3. [Roge] (Compare: BLACKER, IPsec.)
- declassification (Jan 06, 2026)
An authorized process by which information is declassified. (Compare: classification.)
- IEEE (Jan 06, 2026)
See: Institute of Electrical and Electronics Engineers, Inc.
- formal model (Jan 06, 2026)
A security model that is formal. Example: Bell-LaPadula model. [Land] (See: formal, security model.)
- AH (Jan 06, 2026)
See: Authentication Header.
- L2TP (Jan 06, 2026)
See: Layer 2 Tunneling Protocol.
- critical information infrastructure (Jan 06, 2026)
Those systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety.
- symmetric cryptography (Jan 06, 2026)
A branch of cryptography in which a cryptographic system or algorithm uses the same secret key (a shared secret key) for both of two counterpart operations, e.g., encryption and decryption. (Compare: asymmetric cryptography.)