Recently updated

The research and development company (originally called Bolt Baranek and Newman, Inc.) that built the ARPANET.

A portable, physical, usually electronic device that is required to be attached to a computer to enable a particular software program to run. (See: token.)

A cryptographic algorithm for encryption and decryption.

See: National Institute of Standards and Technology.

Measures that implement and assure security services in information systems, including in computer systems (see: COMPUSEC) and in communication systems (see: COMSEC).

A smartcard based electronic money system that incorporates cryptography and can be used to make payments via the Internet. (See: IOTP.)

An asymmetric cryptographic algorithm for a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. (See: DSS.)

A hierarchical level of protection (against unauthorized disclosure) that is required to be applied to certain classified data. (See: classified. Compare: security level.)

A protocol, which is being specified by the IETF working group of the same name, to provide data integrity and domain level (see: DNS, domain name) data origin authentication for Internet mail messages. (Compare: PEM.)

Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner.

A computer system feature which may be (a) an unintentional flaw, (b) a mechanism deliberately installed by the system's creator, or (c) a mechanism surreptitiously installed by an intruder that provides access to a system resource by other than the usual procedure and usually is hidden or otherwise not well known. (See: maintenance hook. Compare: Trojan Horse.)

A mode of system operation wherein all users having access to the system possess, for all data handled by the system, both (a) all necessary authorizations (i.e., security clearance and formal access approval) and (b) a need to know. (See: /system operation/ under "mode", formal access approval, need to know, protection level, security clearance.)

A technique for enabling a decision to grant or deny access to be made dynamically at the time the access is attempted, rather than earlier when an access control list or ticket is created.

A self organized group of people who make contributions to the development of Internet technology. The principal body engaged in developing Internet Standards, although not itself a part of the ISOC. Composed of Working Groups, which are arranged into Areas (such as the Security Area), each coordinated by one or more Area Directors. Nominations to the IAB and the IESG are made by a committee selected at random from regular IETF meeting attendees who have volunteered. (RFCs 2026, 3935) [R2323]

AES stands for Advanced Encryption Standard, a widely used symmetric key block cipher standardized by NIST.

A specific ANSI standard for a checksum that is computed with a keyed hash that is based on DES. [A9009] Usage: a.k.a. Data Authentication Code, which is a U.S. Government standard. [FP113] (See: MAC.)

A system entity that is the subject of a public key certificate and that is using, or is permitted and able to use, the matching private key only for purposes other than signing a digital certificate; i.e., an entity that is not a CA.

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.

Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.

An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities. (See: authentication.)

See: secondary definition under "security".

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

An Internet client server protocol that combines aspects of PPTP and L2F and supports tunneling of PPP over an IP network or over frame relay or other switched network. (See: VPN.)

See: cipher feedback.

A property achieved through cryptographic methods of being genuine and being able to be verified and trusted, resulting in confidence in the validity of a transmission, information or a message, or sender of information or a message.

The Federal Information Processing Standards Publication (FIPS PUB) series issued by NIST under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987 (Public Law 100 235) as technical guidelines for U.S. Government procurements of information processing system equipment and services. (See: "[FPxxx]" items in Section 7, Informative References.)

An U.S. Government document defining emanation, anti tamper, security fault analysis, and manual key management criteria for DES encryption devices, primary for OSIRM Layer 2. Was renamed "FIPS PUB 140" when responsibility for protecting unclassified, sensitive information was transferred from NSA to NIST, and has since been superseded by newer versions of that standard [FP140].

See: Key Exchange Algorithm.

See: secondary definition under "IPSO".

A security service that protects a system to ensure its availability.

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code CopyFromScreen</code , <code xwd</code , or <code screencapture</code .(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Refers to alternate means of performing system functions despite loss of system resources. (See: contingency plan).

The trust anchor that is superior to all other trust anchors in a particular system or context. (See: trust anchor, top CA.)

The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

The TLS Handshake Protocol consists of three parts (i.e., subprotocols) that enable peer entities to agree upon security parameters for the record layer, authenticate themselves to each other, instantiate negotiated security parameters, and report error conditions to each other. [R4346]

A key establishment method (especially one involving asymmetric cryptography) by which two or more entities, without prior arrangement except a public exchange of data (such as public keys), each can generate the same key value. That is, the method does not send a secret from one entity to the other; instead, both entities, without prior arrangement except a public exchange of data, can compute the same secret value, but that value cannot be computed by other, unauthorized entities. (See: Diffie Hellman Merkle, key establishment, KEA, MQV. Compare: key transport.)

Process by which keying material is generated, distributed, and placed into an ECU without exposure to any human or other system entity, except the cryptographic module that consumes and uses the material. (See: benign.)

A patented, symmetric block cipher designed by Ralph C. Merkle as a plug in replacement for DES. [Schn]

An international consortium of more than 150 commercial, nonprofit, and governmental organizations that was created in 2001 to address technical, business, and policy problems of identity and identity based Web services and develop a standard for federated network identity that supports current and emerging network devices.

See: indirect certificate revocation list.

A packet that arrives unexpectedly at the wrong address or on the wrong network because of incorrect routing or because it has a non registered or ill formed IP address. [R1208]

"A trusted entity that provides on line verification to a Relying Party of a subject certificate's trustworthiness [should instead say 'validity'], and may also provide additional attribute information for the subject certificate." [DoD7]

The event that occurs when a CA declares that a previously valid digital certificate issued by that CA has become invalid; usually stated with an effective date.

The total width of the frequency band that is available to or used by a communication channel; usually expressed in Hertz (Hz). (RFC 3753) (Compare: channel capacity.)

A name that an entity uses in place of its real name, usually for the purpose of either anonymity or masquerade.

See: Internet Engineering Steering Group.

A single word that is used as a security label (usually applied to classified information) but which itself has a classified meaning. (See: classified, /U.S. Government/ security label.)

See: secondary definition under "identity".