Terms
Alphabetical index of published term entries.
- Boot or Logon Autostart Execution (Updated Jan 03, 2026)
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
- Boot or Logon Initialization Scripts (Updated Jan 06, 2026)
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.
- bot (Updated Jan 06, 2026)
A computer connected to the Internet that has been surreptitiously (secretly) compromised with malicious logic to perform activities under the command and control of a remote administrator.
- bot master (Updated Jan 06, 2026)
The controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.
- botnet (Updated Jan 06, 2026)
A collection of computers compromised by malicious code and controlled across a network.
- brain-damaged (Updated Jan 06, 2026)
"Obviously wrong: extremely poorly designed. Calling something brain damaged is very extreme. The word implies that the thing is completely unusable, and that its failure to work is due to poor design, not accident." [NCSSG] (See: flaw.)
- brand (Updated Jan 06, 2026)
A distinctive mark or name that identifies a product or business entity.
- brand certification authority (Updated Jan 06, 2026)
A CA owned by a payment card brand, such as MasterCard, Visa, or American Express. [SET2] (See: certification hierarchy, SET.)
- brand CRL identifier (Updated Jan 06, 2026)
A digitally signed list, issued by a BCA, of the names of CAs for which CRLs need to be processed when verifying signatures in SET messages. [SET2]
- break (Updated Jan 06, 2026)
To successfully perform cryptanalysis and thus succeed in decrypting data or performing some other cryptographic function, without initially having knowledge of the key that the function requires. (See: penetrate, strength, work factor.)
- Brewer-Nash model (Updated Jan 06, 2026)
A security model [BN89] to enforce the Chinese wall policy. (Compare: Bell-LaPadula model, Clark-Wilson model.)
- bridge (Updated Jan 06, 2026)
A gateway for traffic flowing at OSIRM Layer 2 between two networks (usually two LANs). (Compare: bridge CA, router.)
- bridge CA (Updated Jan 06, 2026)
A PKI consisting of only a CA that cross-certifies with CAs of some other PKIs. (See: cross-certification. Compare: bridge.)
- British Standard 7799 (Updated Jan 06, 2026)
Part 1 of the standard is a code of practice for how to secure an information system. Part 2 specifies the management framework, objectives, and control requirements for information security management systems. [BS7799] (See: ISO 17799.)
- Broadcast Receivers (Updated Jan 06, 2026)
Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.
- browser (Updated Jan 06, 2026)
A client computer program that can retrieve and display information from servers on the World Wide Web. Examples: Netscape Navigator and Microsoft Internet Explorer.
- brute force (Updated Jan 06, 2026)
A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries a large number of possible solutions to the problem. (See: impossible, strength, work factor.)
- bruteforce (Updated Jan 06, 2026)
An attack method that uses trial and error to crack passwords, login credentials, and encryption keys.
- Brute Force I/O (Updated Jan 06, 2026)
Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.
- Buffer Overflow (Updated Jan 06, 2026)
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
- buffer zone (Updated Jan 06, 2026)
A neutral internetwork segment used to connect other segments that each operate under a different security policy.
- bug (Updated Jan 06, 2026)
An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.
- build security in (Updated Jan 06, 2026)
A set of principles, practices, and tools to design, develop, and evolve information systems and software that enhance resistance to vulnerabilities, flaws, and attacks.
- bulk encryption (Updated Jan 06, 2026)
Encryption of multiple channels by aggregating them into a single transfer path and then encrypting that path. (See: channel.)
- bulk key (Updated Jan 06, 2026)
In a few published descriptions of hybrid encryption for SSH, Windows 2000, and other applications, this term refers to a symmetric key that (a) is used to encrypt a relatively large amount of data and (b) is itself encrypted with a public key. (Compare: bulk keying material, session key.)
- bulk keying material (Updated Jan 06, 2026)
Refers to handling keying material in large quantities, e.g., as a dataset that contains many items of keying material. (See: type 0. Compare: bulk key, bulk encryption.)
- bump-in-the-stack (Updated Jan 06, 2026)
An implementation approach that places a network security mechanism inside the system that is to be protected. (Compare: bump-in-the-wire.)
- bump-in-the-wire (Updated Jan 06, 2026)
An implementation approach that places a network security mechanism outside of the system that is to be protected. (Compare: bump-in-the-stack.)
- business-case analysis (Updated Jan 06, 2026)
An extended form of cost-benefit analysis that considers factors beyond financial metrics, including security factors such as the requirement for security services, their technical and programmatic feasibility, their qualitative benefits, and associated risks. (See: risk analysis.)
- Bypass User Account Control (Updated Jan 03, 2026)
Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
- byte (Updated Jan 06, 2026)
A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and, today, usually means eight bits. (Compare: octet.)