Terms
Alphabetical index of published term entries.
- dedicated security mode (Updated Jan 06, 2026)
A mode of system operation wherein all users having access to the system possess, for all data handled by the system, both (a) all necessary authorizations (i.e., security clearance and formal access approval) and (b) a need to know. (See: /system operation/ under "mode", formal access approval, need to know, protection level, security clearance.)
- deepfake (Updated Jan 06, 2026)
synthetic media that have been digitally manipulated to replace one person's likeness convincingly with that of another
- default account (Updated Jan 06, 2026)
A system login account (usually accessed with a user identifier and password) that has been predefined in a manufactured system to permit initial access when the system is first put into service. (See: harden.)
- Default Credentials (Updated Jan 06, 2026)
Adversaries may leverage manufacturer- or supplier-set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)
- defense in depth (Updated Jan 06, 2026)
"The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial
- Defense Information Infrastructure (Updated Jan 06, 2026)
The U.S. DoD's shared, interconnected system of computers, communications, data, applications, security, people, training, and support structures, serving information needs worldwide. (See: DISN.) Usage: Has evolved to be called the GIG.
- Defense Information Systems Network (Updated Jan 06, 2026)
The U.S. DoD's consolidated, worldwide, enterprise-level telecommunications infrastructure that provides end-to-end information transfer for supporting military operations; a part of the DII. (Compare: GIG.)
- degauss (Updated Jan 06, 2026)
Apply a magnetic field to permanently remove data from a magnetic storage medium, such as a tape or disk [NCS25]. (Compare: erase, purge, sanitize.)
- degausser (Updated Jan 06, 2026)
An electrical device that can degauss magnetic storage media.
- delay (Updated Jan 06, 2026)
See: secondary definition under "stream integrity service".
- deletion (Updated Jan 06, 2026)
See: secondary definition under "stream integrity service".
- deliberate exposure (Updated Jan 06, 2026)
See: secondary definition under "exposure".
- delta CRL (Updated Jan 06, 2026)
A partial CRL that only contains entries for certificates that have been revoked since the issuance of a prior, base CRL [X509]. This method can be used to partition CRLs that become too large and unwieldy. (Compare: CRL distribution point.)
- demilitarized zone (Updated Jan 06, 2026)
Synonym for "buffer zone".
- Denial of Control (Updated Jan 06, 2026)
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)
- Denial of Service (Updated Jan 06, 2026)
A denial of service (DoS) attack attempts to make a system or network unavailable to legitimate users.
- Denial of View (Updated Jan 06, 2026)
Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)
- de-perimeterization (Updated Jan 06, 2026)
an information security strategy that strengthens an organization's security posture by implementing multiple levels of protection, including inherently secure computer systems and protocols, high-level encryption, and authentication
- designated approving authority (Updated Jan 06, 2026)
Synonym for "accreditor".
- detection (Updated Jan 06, 2026)
See: secondary definition under "security".
- Detect Operating Mode (Updated Jan 06, 2026)
Adversaries may gather information about a PLC's or controller's current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
- deterrence (Updated Jan 06, 2026)
See: secondary definition under "security".
- Device Administrator Permissions (Updated Jan 06, 2026)
Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for Endpoint Denial of Service, factory resetting the device for File Deletion and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.
- Device Driver Discovery (Updated Jan 03, 2026)
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
- Device Lockout (Updated Jan 06, 2026)
An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using . Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware. (Citation: Microsoft MalLockerB) (Citation: Talos GPlayed) (Citation: securelist rotexy 2018)
- Device Restart/Shutdown (Updated Jan 06, 2026)
Adversaries may forcibly restart or shut down a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.
- DevOps (Updated Jan 06, 2026)
the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services
- dictionary attack (Updated Jan 06, 2026)
An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list.
- Diffie-Hellman-Merkle (Updated Jan 06, 2026)
A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman [DH76, R2631].
- digital certificate (Updated Jan 06, 2026)
A certificate document in the form of a digital data object (a data object used by a computer) to which is appended a computed digital signature value that depends on the data object. (See: attribute certificate, public key certificate.)
- Digital Certificates (Updated Jan 03, 2026)
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
- digital certification (Updated Jan 06, 2026)
Synonym for "certification".
- digital document (Updated Jan 06, 2026)
An electronic data object that represents information originally written in a non-electronic, non-magnetic medium (usually ink on paper) or is an analogue of a document of that type.
- digital envelope (Updated Jan 06, 2026)
A combination of (a) encrypted content data (of any kind) intended for a recipient and (b) the content encryption key in an encrypted form that has been prepared for the use of the recipient.
- digital forensics (Updated Jan 06, 2026)
The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.
- Digital ID (service mark) (Updated Jan 06, 2026)
Synonym for "digital certificate".
- digital key (Updated Jan 06, 2026)
Synonym for an input parameter of a cryptographic algorithm or other process. (See: key.)
- digital notary (Updated Jan 06, 2026)
An electronic functionary analogous to a notary public. Provides a trusted timestamp for a digital document, so that someone can later prove that the document existed at that point in time; verifies the signature(s) on a signed document before applying the stamp. (See: notarization.)
- digital rights management (Updated Jan 06, 2026)
A form of access control technology to protect and manage use of digital content or devices in accordance with the content or device provider's intentions.
- digital signature (Updated Jan 06, 2026)
A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.
- Digital Signature Algorithm (Updated Jan 06, 2026)
An asymmetric cryptographic algorithm for a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. (See: DSS.)
- Digital Signature Standard (Updated Jan 06, 2026)
The U.S. Government standard [FP186] that specifies the DSA.
- digital watermarking (Updated Jan 06, 2026)
Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data (text, graphics, images, video, or audio) and for detecting or extracting the marks later.
- digitized signature (Updated Jan 06, 2026)
Denotes various forms of digitized images of handwritten signatures. (Compare: digital signature.)
- direct attack (Updated Jan 06, 2026)
See: secondary definition under "attack". (Compare: indirect attack.)
- Direct Network Flood (Updated Jan 03, 2026)
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
- Directory Access Protocol (Updated Jan 06, 2026)
An OSI protocol [X519] for communication between a Directory User Agent (a type of X.500 client) and a Directory System Agent (a type of X.500 server). (See: LDAP.)
- directory, Directory (Updated Jan 06, 2026)
Refers generically to a database server or other system that stores and provides access to values of descriptive or operational data items that are associated with the components of a system. (Compare: repository.)
- Direct Volume Access (Updated Jan 03, 2026)
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
- Disable or Modify Tools (Updated Jan 06, 2026)
Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.