SynAc
Discovery

Recently updated

Published entries ordered by most recent updates.

  1. Authentication (Jan 06, 2026)

    Authentication is the process of verifying the identity of a user, device, or system before granting access.

  2. class 2, 3, 4, 5 (Jan 06, 2026)

    Assurance levels for PKIs, and for X.509 public-key certificates issued by a PKI. [DoD7] (See: "first law" under "Courtney's laws".) "Class 2": Intended for applications handling unclassified, low-value data in minimally or moderately protected environments. "Class 3": Intended for applications handling unclassified, medium-value data in moderately protected environments, or handling unclassified or high-value data in highly protected environments, and for discretionary access control of classified data in highly protected environments. "Class 4": Intended for applications handling unclassified, high-value data in minimally protected environments. "Class 5": Intended for applications handling classified data in minimally protected environments, and for authentication of material that would affect the security of classified systems.

  3. A portable, user-controlled, physical device (e.g., smart card or PCMCIA card) used to store cryptographic information and possibly also perform cryptographic functions. (See: cryptographic card, token.)

  4. Availability (Jan 06, 2026)

    Availability is the property that systems and data are accessible and usable when needed.

  5. Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

  6. An identifier assigned to an item of keying material.

  7. Result of TRANSEC measures used to hide or disguise a communication.

  8. Synonym for "accreditor".

  9. key pair (Jan 06, 2026)

    A set of mathematically related keys (a public key and a private key) that are used for asymmetric cryptography and are generated in a way that makes it computationally infeasible to derive the private key from knowledge of the public key. (See: Diffie-Hellman-Merkle, RSA.)

  10. firewall (Jan 06, 2026)

    A capability to limit network traffic between networks and/or information systems.

  11. Synonyms for some form of "checksum".

  12. A procedure that combines the key generation and key distribution steps needed to set up or install a secure communication association.

  13. From the early days of the Internet, the IANA was chartered by the ISOC and the U.S. Government's Federal Network Council to be the central coordination, allocation, and registration body for parameters for Internet protocols. Superseded by ICANN.

  14. fraggle attack (Jan 06, 2026)

    A synonym for "smurf attack".

  15. A computer program that performs a specific function directly for a user (as opposed to a program that is part of a computer operating system and exists to perform functions in support of application programs).

  16. A numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC material control system (CMCS).

  17. key escrow (Jan 06, 2026)

    A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances. (Compare: key encapsulation.)

  18. bridge (Jan 06, 2026)

    A gateway for traffic flowing at OSIRM Layer 2 between two networks (usually two LANs). (Compare: bridge CA, router.)

  19. ANSI (Jan 06, 2026)

    See: American National Standards Institute.

  20. User Execution (Jan 06, 2026)

    Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.

  21. clear text (Jan 06, 2026)

    Data in which the semantic information content (i.e., the meaning) is intelligible or is directly available, i.e., not encrypted. (See: cleartext, in the clear. Compare: cipher text, plain text.)

  22. The process of generating configuration data and issuing public-key certificates to build and operate a certification hierarchy. (See: certificate management.)

  23. "Logistics and accounting system through which COMSEC material marked 'CRYPTO' is distributed, controlled, and safeguarded." [C4009] (See: COMSEC account, COMSEC custodian.)

  24. ISO 17799 (Jan 06, 2026)

    An International Standard that is a code of practice, derived from Part 1 of British Standard 7799, for managing the security of information systems in an organization. This standard does not provide definitive or specific material on any security topic. It provides general guidance on a wide variety of topics, but typically does not go into depth. (See: IATF, [SP14].)

  25. Biba integrity (Jan 06, 2026)

    Synonym for "source integrity".

  26. in the clear (Jan 06, 2026)

    Not encrypted. (See: clear text.)

  27. EAP (Jan 06, 2026)

    See: Extensible Authentication Protocol.

  28. Denial of View (Jan 06, 2026)

    Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)

  29. hardware (Jan 06, 2026)

    The material physical components of an information system. (See: firmware, software.)

  30. A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context.

  31. counter (Jan 06, 2026)

    See: counter mode.

  32. A security association that involves the use of cryptography to provide security services for data exchanged by the associated entities. (See: ISAKMP.)

  33. channel (Jan 06, 2026)

    An information transfer path within a system. (See: covert channel.)

  34. laboratory attack (Jan 06, 2026)

    "Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media." [C4009]

  35. Out of Band Data (Jan 06, 2026)

    Adversaries may communicate with compromised devices using out-of-band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out-of-band data streams exist, such as SMS messages, NFC, and Bluetooth.

  36. object reuse (Jan 06, 2026)

    Reassignment and reuse of an area of a storage medium (e.g., random access memory, floppy disk, magnetic tape) that once contained sensitive data objects. Before being reassigned for use by a new subject, the area needs to be erased or, in some cases, purged. [NCS04] (See: object.)

  37. network weaving (Jan 06, 2026)

    A penetration technique in which an intruder avoids detection and traceback by using multiple, linked, communication networks to access and attack a system. [C4009]

  38. hash result (Jan 06, 2026)

    The output of a hash function. (See: hash code, hash value. Compare: hash value.)

  39. A patented, symmetric block cipher that uses a 128-bit key and operates on 64-bit blocks. [Schn] (See: symmetric cryptography.)

  40. Commonly Used Port (Jan 06, 2026)

    Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.

  41. A successor to the PLI, updated to use TCP/IP and newer military-grade COMSEC equipment (TSEC/KG-84). The IPLI was a portable, modular system that was developed for use in tactical, packet radio networks. (See: end-to-end encryption.)

  42. In X.509, a CRL that may contain certificate revocation notifications for certificates issued by CAs other than the issuer (i.e., signer) of the ICRL.

  43. covert channel (Jan 06, 2026)

    An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system's security policy but does not exceed the entities' access authorizations. (See: covert storage channel, covert timing channel, out-of-band, tunnel.)

  44. extranet (Jan 06, 2026)

    A computer network that an organization uses for application data traffic between the organization and its business partners. (Compare: intranet.)

  45. delta CRL (Jan 06, 2026)

    A partial CRL that only contains entries for certificates that have been revoked since the issuance of a prior, base CRL [X509]. This method can be used to partition CRLs that become too large and unwieldy. (Compare: CRL distribution point.)

  46. Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

  47. An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user. (See: L2TP.)

  48. issuer (Jan 06, 2026)

    The CA that signs a digital certificate or CRL.

  49. DOI (Jan 06, 2026)

    See: Domain of Interpretation.

  50. beyond A1 (Jan 06, 2026)

    A level of security assurance that is beyond the highest level (level A1) of criteria specified by the TCSEC. (See: Tutorial under "Trusted Computer System Evaluation Criteria".)