Terms

"Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and [are] intended to be non threatening" [SP28], but Easter eggs have the potential to contain malicious code.

Passive wiretapping done secretly, i.e., without the knowledge of the originator or the intended recipients of the communication.

Electronic cash; money that is in the form of data and can be used as a payment mechanism on the Internet. (See: IOTP.)

The principle that a security mechanism should be designed to minimize the number of alternative ways of achieving a service. (Compare: economy of mechanism.)

The principle that a security mechanism should be designed to be as simple as possible, so that (a) the mechanism can be correctly implemented and (b) it can be verified that the operation of the mechanism enforces the system's security policy. (Compare: economy of alternatives, least privilege.)

criminal activity that involves the use of computers or networks such as the internet

In the NICE Framework, cybersecurity work where a person: Conducts training of personnel within pertinent subject domain; develop, plan, coordinate, deliver, and/or evaluate training courses, methods, and techniques as appropriate.

"A measure of strength of a cryptographic algorithm, regardless of actual key length." [IATF] (See: work factor.)

A property of a TOE representing how well it provides security in the context of its actual or proposed operational use.

A block cipher mode in which a plaintext block is used directly as input to the encryption algorithm and the resultant output block is used directly as cipher text [FP081]. (See: block cipher, [SP38A].)

Business conducted through paperless exchanges of information, using electronic data interchange, electronic funds transfer (EFT), electronic mail, computer bulletin boards, facsimile, and other paperless technologies.

Computer to computer exchange, between trading partners, of business data in standardized document formats.

"Interoperable collection of systems developed by ... the U.S. Government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic keying material and the management of other types of COMSEC material." [C4009]

Any mark in electronic form associated with an electronic document, applied with the intent to sign the document.

A secure container to hold, in digitized form, some sensitive data objects that belong to the owner, such as electronic money, authentication material, and various types of personal information. (See: IOTP.)

An algorithm for asymmetric cryptography, invented in 1985 by Taher El Gamal, that is based on the difficulty of calculating discrete logarithms and can be used for both encryption and digital signatures. [ElGa]

A type of asymmetric cryptography based on mathematics of groups that are defined by the points on a curve, where the curve is defined by a quadratic equation in a finite field. [Schn]

A standard [A9062] that is the analog, in elliptic curve cryptography, of the Digital Signature Algorithm.

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20 352A 2021) Adversaries can collect or forward email from mail servers or clients.

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code New InboxRule</code or <code Set InboxRule</code PowerShell cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New InboxRule)(Citation: Microsoft Set InboxRule)

A signal (e.g., electromagnetic or acoustic) that is emitted by a system (e.g., through radiation or conductance) as a consequence (i.e., byproduct) of the system's operation, and that may contain information. (See: emanations security.)

See: secondary definition under "interception".

Physical security measures to protect against data compromise that could occur because of emanations that might be received and read by an unauthorized party. (See: emanation, TEMPEST.)

"Cryptography engineered into an equipment or system whose basic function is not cryptographic." [C4009]

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)

Synonym for "contingency plan".

An urgent response to a fire, flood, civil commotion, natural disaster, bomb threat, or other serious situation, with the intent of protecting lives, limiting damage to property, and minimizing disruption of system operations. [FP087] (See: availability, CERT, emergency plan.)

An Internet protocol [R2406, R4303] designed to provide data confidentiality service and other security services for IP datagrams. (See: IPsec. Compare: AH.)

To convert plaintext to ciphertext by means of a cryptographic system.

Synonym for "encryption".

A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter. (Compare: domain.)

To convert plaintext to ciphertext by means of a code.

The generic term encompassing encipher and encode.

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.

Encryption is the process of transforming information so it is unintelligible without the appropriate key.

A public key certificate that contains a public key that is intended to be used for encrypting data, rather than for verifying digital signatures or performing other cryptographic functions.

Final destination device into which a key is loaded for operational use.

A system entity that is the subject of a public key certificate and that is using, or is permitted and able to use, the matching private key only for purposes other than signing a digital certificate; i.e., an entity that is not a CA.

"Unclassified cryptographic equipment that embodies a U.S. Government classified cryptographic logic and is endorsed by NSA for the protection of national security information." [C4009] (Compare: CCI, type 2 product.)

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

A computer that implements all seven layers of the OSIRM and may attach to a subnetwork. Usage: In the IPS context, an end system is called a "host".

Continuous protection of data that flows between two points in a network, effected by encrypting data when it leaves its source, keeping it encrypted while it passes through any intermediate computers (such as routers), and decrypting it only when it arrives at the intended final destination. (See: wiretapping. Compare: link encryption.)

A system entity, usually a human individual, that makes use of system resources, primarily for application purposes as opposed to system management purposes.

A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization’s ability to achieve its objectives.

"The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit." [FP039] (See: honey pot.)

An information theoretic measure (usually stated as a number of bits) of the amount of uncertainty that an attacker faces to determine the value of a secret. [SP63] (See: strength.)

Refers to a cryptographic key or other cryptographic parameter or data object that is short lived, temporary, or used one time. (See: session key. Compare: static.)

Delete stored data. (See: sanitize, zeroize.)

A checksum designed to detect, but not correct, accidental (i.e., unintentional) changes in data.