SynAc
Discovery

Recently updated

Published entries ordered by most recent updates.

  1. active user (Jan 06, 2026)

    See: secondary definition under "system user".

  2. certificate policy (Jan 06, 2026)

    "A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." [X509] (Compare: CPS, security policy.)

  3. color change (Jan 06, 2026)

    In a system being operated in periods processing mode, the act of purging all information from one processing period and then changing over to the next processing period. (See: BLACK, RED.)

  4. computer security (Jan 06, 2026)

    Measures to implement and assure security services in a computer system, particularly those that assure access control service.

  5. Lockscreen Bypass (Jan 06, 2026)

    An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:

  6. ICANN (Jan 06, 2026)

    See: Internet Corporation for Assigned Names and Numbers.

  7. downgrade attack (Jan 06, 2026)

    A type of man-in-the-middle attack in which the attacker can cause two parties, at the time they negotiate a security association, to agree on a lower level of protection than the highest level that could have been supported by both of them. (Compare: downgrade.)

  8. Damage to Property (Jan 06, 2026)

    Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.

  9. All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.

  10. See: secondary definition under "exposure".

  11. Data Destruction (Jan 06, 2026)

    Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)

  12. erase (Jan 06, 2026)

    Delete stored data. (See: sanitize, zeroize.)

  13. Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation)

  14. Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)

  15. IDOC (Jan 06, 2026)

    An abbreviation used in this Glossary to refer to a document or other item of written material that is generated in the Internet Standards Process (RFC 2026), i.e., an RFC, an Internet Draft, or some other item of discourse.

  16. COMPUSEC (Jan 06, 2026)

    See: computer security.

  17. An Internet Standard protocol (RFC 792) that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.

  18. NORA (Jan 06, 2026)

    See: no-PIN ORA.

  19. A1 computer system (Jan 06, 2026)

    See: Tutorial under "Trusted Computer System Evaluation Criteria". (Compare: beyond A1.)

  20. Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., ).

  21. distributed attack (Jan 06, 2026)

    An attack that is implemented with distributed computing. (See: zombie.)

  22. distinguished name (Jan 06, 2026)

    An identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (Compare: domain name, identity, naming authority.)

  23. national security (Jan 06, 2026)

    The national defense or foreign relations of the United States of America.

  24. Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue.

  25. Native API (Jan 06, 2026)

    Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.

  26. access list (Jan 06, 2026)

    Roster of individuals authorized admittance to a controlled area.

  27. magnetic remanence (Jan 06, 2026)

    Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. [NCS25] (See: clear, degauss, purge.)

  28. node (Jan 06, 2026)

    A collection of related subsystems located on one or more computer platforms at a single site. (See: site.)

  29. no-PIN ORA (Jan 06, 2026)

    An organizational RA that operates in a mode in which the ORA performs no card management functions and, therefore, does not require knowledge of either the SSO PIN or user PIN for an end user's FORTEZZA PC card.

  30. A technical description to provide a basis for interoperation between PKI components from different vendors; consists primarily of a profile of certificate and CRL extensions and a set of transactions for PKI operation. [SP15]

  31. An Internet protocol (RFC 2045) that enhances the basic format of Internet electronic mail messages (RFC 822) (a) to enable character sets other than U.S. ASCII to be used for textual headers and content and (b) to carry non-textual and multi-part content. (See: S/MIME.)

  32. cryptographic card (Jan 06, 2026)

    A cryptographic token in the form of a smart card or a PC card.

  33. The IEEE is a not-for-profit association of approximately 300,000 individual members in 150 countries. The IEEE produces nearly one-third of the world's published literature in electrical engineering, computers, and control technology; holds hundreds of major, annual conferences; and maintains more than 800 active standards, with many more under development. (See: SILS.)

  34. A public key certificate issued to a merchant. Sometimes used to refer to a pair of such certificates where one is for digital signature use and the other is for encryption.

  35. Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location. (Citation: SWB Exodus March 2019)

  36. Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. (Citation: Mandiant APT29 Eye Spy Email Nov 22) (Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

  37. See: Kernelized Secure Operating System.

  38. formal proof (Jan 06, 2026)

    "A complete and convincing mathematical argument, presenting the full logical justification for each step in the proof, for the truth of a theorem or set of theorems." [NCSSG]

  39. CMCS (Jan 06, 2026)

    See: COMSEC Material Control System.

  40. Modify Parameter (Jan 06, 2026)

    Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.

  41. nibble (Jan 06, 2026)

    Half of a byte (i.e., usually, 4 bits).

  42. Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Example credentials that may be hardcoded in an asset include:

  43. A tree-structured (loop-free) topology of relationships between CAs and the entities to whom the CAs issue public key certificates. (See: hierarchical PKI, hierarchy management.)

  44. An adversary could use knowledge of the techniques used by security software to evade detection. (Citation: Brodie) (Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection. (Citation: Rastogi)

  45. COMSEC material (Jan 06, 2026)

    Items designed to secure or authenticate communications or information in general; these items include (but are not limited to) keys; equipment, devices, documents, firmware, and software that embodies or describes cryptographic logic; and other items that perform COMSEC functions. [C4009] (Compare: keying material.)

  46. MD5 (Jan 06, 2026)

    A cryptographic hash [R1321] that produces a 128-bit hash result and was designed by Ron Rivest to be an improved version of MD4. (See: Derivation under "MD2".)

  47. MLS (Jan 06, 2026)

    See: multilevel secure.

  48. Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.

  49. Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

  50. The event that occurs when a certificate ceases to be valid because its assigned lifetime has been exceeded. (See: certificate revocation, expire.)