SynAc
Discovery

Recently updated

Published entries ordered by most recent updates.

  1. bulk encryption (Jan 06, 2026)

    Encryption of multiple channels by aggregating them into a single transfer path and then encrypting that path. (See: channel.)

  2. Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access. (Citation: Enterprise ATT&CK October 2019)

  3. EAL (Jan 06, 2026)

    See: evaluation assurance level.

  4. Buffer Overflow (Jan 06, 2026)

    A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

  5. adequate security (Jan 06, 2026)

    Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

  6. Alice and Bob (Jan 06, 2026)

    The parties that are most often called upon to illustrate the operation of bipartite security protocols. These and other dramatis personae are listed by Schneier [Schn].

  7. benign (Jan 06, 2026)

    "Condition of cryptographic data [such] that [the data] cannot be compromised by human access [to the data]." [C4009]

  8. A characterization of (a) the strength of a security function, mechanism, service, or solution and (b) the assurance (or confidence) that it is implemented and functioning. [Cons, IATF] (See: level of concern.)

  9. A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected. Sometimes called "cyclic redundancy code".

  10. Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system. (Citation: Android Application Sandbox) There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF). (Citation: Android AVF Overview)

  11. Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

  12. Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility.

  13. draft RFC (Jan 06, 2026)

    A preliminary, temporary version of a document that is intended to become an RFC. (Compare: Internet Draft.)

  14. An extension framework for PPP that supports multiple, optional authentication mechanisms, including cleartext passwords, challenge response, and arbitrary dialog sequences. [R3748] (Compare: GSS API, SASL.)

  15. ESP (Jan 06, 2026)

    See: Encapsulating Security Payload.

  16. certification path (Jan 06, 2026)

    A linked sequence of one or more public key certificates, or one or more public key certificates and one attribute certificate, that enables a certificate user to verify the signature on the last certificate in the path, and thus enables the user to obtain (from that last certificate) a certified public key, or certified attributes, of the system entity that is the subject of that last certificate. (See: trust anchor, certificate validation, valid certificate.)

  17. Adversaries may attempt to disrupt essential components or systems to prevent the owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)

  18. audit service (Jan 06, 2026)

    A security service that records information needed to establish accountability for system events and for the actions of system entities that cause them. (See: security audit.)

  19. ARPANET (Jan 06, 2026)

    Advanced Research Projects Agency (ARPA) Network, a pioneer packet switched network that (a) was designed, implemented, operated, and maintained by BBN from January 1969 until July 1975 under contract to the U.S. Government; (b) led to the development of today's Internet; and (c) was decommissioned in June 1990. [B4799, Hafn]

  20. code signing (Jan 06, 2026)

    A security mechanism that uses a digital signature to provide data integrity and data origin authentication for software that is being distributed for use. (See: mobile code, trusted distribution.)

  21. A certificate document in the form of a digital data object (a data object used by a computer) to which is appended a computed digital signature value that depends on the data object. (See: attribute certificate, public key certificate.)

  22. hash code (Jan 06, 2026)

    Synonym for "hash result" or "hash function".

  23. IPLI (Jan 06, 2026)

    See: Internet Private Line Interface.

  24. internal controls (Jan 06, 2026)

    Functions, features, and technical characteristics of computer hardware and software, especially of operating systems. Includes mechanisms to regulate the operation of a computer system with regard to access control, flow control, and inference control. (Compare: external controls.)

  25. impossible (Jan 06, 2026)

    Cannot be done in any reasonable amount of time. (See: break, brute force, strength, work factor.)

  26. An open source software module that is designed to be integrated with an application for routing, replying to, and otherwise managing and mediating certificate validation requests between that application and the CAs in the ACES PKI.

  27. DNS (Jan 06, 2026)

    Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk. (Citation: Sean Metcalf Twitter DNS Records)

  28. Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

  29. key-auto-key (Jan 06, 2026)

    "Cryptographic logic [i.e., a mode of operation] using previous key to produce key." [C4009, A1523] (See: CTAK, /cryptographic operation/ under "mode".)

  30. EE (Jan 06, 2026)

    Abbreviation of "end entity" and other terms.

  31. issue (Jan 06, 2026)

    Generate and sign a digital certificate (or a CRL) and, usually, distribute it and make it available to potential certificate users (or CRL users). (See: certificate creation.)

  32. ingress filtering (Jan 06, 2026)

    A method [R2827] for countering attacks that use packets with false IP source addresses, by blocking such packets at the boundary between connected networks.

  33. Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.

  34. MCA (Jan 06, 2026)

    See: merchant certification authority.

  35. CA (Jan 06, 2026)

    See: certification authority.

  36. enclave (Jan 06, 2026)

    A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter. (Compare: domain.)

  37. Loss of Protection (Jan 06, 2026)

    Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel.

  38. firmware (Jan 06, 2026)

    Computer programs and data stored in hardware typically in read only memory (ROM) or programmable read only memory (PROM) such that the programs and data cannot be dynamically written or modified during execution of the programs. (See: hardware, software.)

  39. Adversaries may abuse Android's API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope. (Citation: Android SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user. (Citation: Android ForegroundServices)

  40. cryptology (Jan 06, 2026)

    The mathematical science that deals with cryptanalysis and cryptography.

  41. A subset of the Basic Encoding Rules that always provides only one way to encode any data structure defined by ASN.1. [X690].

  42. Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)

  43. FPKI (Jan 06, 2026)

    See: Federal Public Key Infrastructure.

  44. Brute Force I/O (Jan 06, 2026)

    Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.

  45. Software Discovery (Jan 06, 2026)

    Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from Software Discovery during automated discovery to shape follow on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

  46. A cryptographic key that is used to encipher application data. (Compare: key encrypting key.)

  47. An Internet protocol (RFC 2060) by which a client workstation can dynamically access a mailbox on a server host to manipulate

  48. CRAM (Jan 06, 2026)

    See: Challenge Response Authentication Mechanism.

  49. back up (Jan 06, 2026)

    Create a reserve copy of data or, more generally, provide alternate means to perform system functions despite loss of system resources. (See: contingency plan. Compare: archive.)

  50. emanation (Jan 06, 2026)

    A signal (e.g., electromagnetic or acoustic) that is emitted by a system (e.g., through radiation or conductance) as a consequence (i.e., byproduct) of the system's operation, and that may contain information. (See: emanations security.)