Terms
Alphabetical index of published term entries with tag filters and quick sort.
- TERM: daemon. Updated Jan 06, 2026
A computer program that is not invoked explicitly but waits until a specified condition occurs, and then runs with no associated user (principal), usually for an administrative purpose. (See: zombie.)
- Updated Jan 06, 2026
Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.
- TERM: dangling threat. Updated Jan 06, 2026
A threat to a system for which there is no corresponding vulnerability and, therefore, no implied risk.
- Updated Jan 06, 2026
A vulnerability of a system for which there is no corresponding threat and, therefore, no implied risk.
- TERM: data. Updated Jan 06, 2026
Information in a specific representation, usually as a sequence of symbols that have meaning.
- Updated Jan 06, 2026
In the NICE Framework, cybersecurity work where a person: Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data.
- TERM: data aggregation. Updated Jan 06, 2026
The process of gathering and combining data from different sources, so that the combined data reveals new information.
- Updated Jan 06, 2026
The ANSI standard for a keyed hash function that is equivalent to DES cipher block chaining with IV = 0. [A9009]
- Updated Jan 06, 2026
A specific U.S. Government standard [FP113] for a checksum that is computed by the Data Authentication Algorithm. (Usage: a.k.a. Message Authentication Code [A9009].) (See: DAC.)
- TERM: data breach. Updated Jan 06, 2026
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
- TERM: data compromise. Updated Jan 06, 2026
A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information might have occurred. (Compare: security compromise, security incident.)
- Updated Jan 06, 2026
The property that data is not disclosed to system entities unless they have been authorized to know the data. (See: Bell-LaPadula model, classification, data confidentiality service, secret. Compare: privacy.)
- Updated Jan 06, 2026
A security service that protects data against unauthorized disclosure. (See: access control, data confidentiality, datagram confidentiality service, flow control, inference control.)
- TERM: Data Destruction. Updated Jan 06, 2026
Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)
- Updated Jan 06, 2026
An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
- Updated Jan 06, 2026
A symmetric block cipher, defined in the U.S. Government's DES. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block. [FP046] (See: AES, symmetric cryptography.)
- Updated Jan 06, 2026
A cryptographic key that is used to encipher application data. (Compare: key encrypting key.)
- Updated Jan 06, 2026
A U.S. Government standard [FP046] that specifies the DEA and states policy for using the algorithm to protect unclassified, sensitive data. (See: AES.)
- Updated Jan 03, 2026
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
- Updated Jan 06, 2026
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)
- Updated Jan 06, 2026
Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
- Updated Jan 03, 2026
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
- TERM: datagram. Updated Jan 06, 2026
"A self-contained, independent entity of data [i.e., a packet] carrying sufficient information to be routed from the source [computer] to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." [R1983] Example: A PDU of IP.
- Updated Jan 06, 2026
A data confidentiality service that preserves the confidentiality of data in a single, independent, packet; i.e., the service applies to datagrams one at a time. Example: ESP. (See: data confidentiality.)
- Updated Jan 06, 2026
A data integrity service that preserves the integrity of data in a single, independent, packet; i.e., the service applies to datagrams one at a time. (See: data integrity. Compare: stream integrity service.)
- TERM: data integrity. Updated Jan 06, 2026
The property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner.
- Updated Jan 06, 2026
A security service that protects against unauthorized changes to data, including both intentional change or destruction and accidental change or loss, by ensuring that changes to data are detectable. (See: data integrity, checksum, datagram integrity service.)
- TERM: data loss. Updated Jan 06, 2026
The result of unintentionally or accidentally deleting data, forgetting where it is stored, or exposure to an unauthorized party.
- Updated Jan 06, 2026
A set of procedures and mechanisms to stop sensitive data from leaving a security boundary.
- Updated Jan 06, 2026
Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
- TERM: data mining. Updated Jan 06, 2026
The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
- TERM: DataOps. Updated Jan 06, 2026
A collaborative data management practice focused on improving the communication, integration and automation of data flows between data managers and data consumers across an organization.
- Updated Jan 06, 2026
"The corroboration that the source of data received is as claimed." [I7498-2] (See: authentication.)
- Updated Jan 06, 2026
A security service that verifies the identity of a system entity that is claimed to be the original source of received data. (See: authentication, authentication service.)
- TERM: data owner. Updated Jan 06, 2026
The organization that has the final statutory and operational authority for specified information.
- TERM: data privacy. Updated Jan 06, 2026
Synonym for "data confidentiality".
- TERM: data recovery. Updated Jan 06, 2026
A process for learning, from some cipher text, the plain text that was previously encrypted to produce the cipher text. (See: recovery.)
- TERM: data security. Updated Jan 06, 2026
The protection of data from disclosure, alteration, destruction, or loss that either is accidental or is intentional but unauthorized.
- TERM: data theft. Updated Jan 06, 2026
The deliberate or intentional act of stealing information.
- Updated Jan 06, 2026
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
- TERM: deauthentication. Updated Jan 06, 2026
To revoke the authentication of; to cause no longer to be authenticated.
- TERM: deception. Updated Jan 06, 2026
A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. (See: authentication.)
- TERM: decipher. Updated Jan 06, 2026
To convert enciphered text to plain text by means of a cryptographic system.
- TERM: decipherment. Updated Jan 06, 2026
Synonym for "decryption".
- TERM: declassification. Updated Jan 06, 2026
An authorized process by which information is declassified. (Compare: classification.)
- TERM: declassify. Updated Jan 06, 2026
To officially remove the security level designation of a classified information item or information type, such that the information is no longer classified (i.e., becomes unclassified). (See: classified, classify, security level. Compare: downgrade.)
- TERM: decode. Updated Jan 06, 2026
To convert encoded text to plain text by means of a code.
- TERM: decrypt. Updated Jan 06, 2026
A generic term encompassing decode and decipher.
- TERM: decryption. Updated Jan 06, 2026
The process of transforming ciphertext into its original plaintext.
- TERM: Decryptor. Updated Jan 06, 2026
A tool, or set of tools, used to decrypt encrypted files, either for recovery or anti-ransomware purposes.