SynAc

Terms

Alphabetical index of published term entries.

  1. Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

  2. object (Updated Jan 06, 2026)

    A passive information system related entity containing or receiving information.

  3. object identifier (Updated Jan 06, 2026)

    An official, globally unique name for a thing, written as a sequence of integers (which are formed and assigned as defined in the ASN.1 standard) and used to reference the thing in abstract specifications and during negotiation of security services in a protocol.

  4. object reuse (Updated Jan 06, 2026)

    Reassignment and reuse of an area of a storage medium (e.g., random access memory, floppy disk, magnetic tape) that once contained sensitive data objects. Before being reassigned for use by a new subject, the area needs to be erased or, in some cases, purged. [NCS04] (See: object.)

  5. obstruction (Updated Jan 06, 2026)

    A type of threat action that interrupts delivery of system services by hindering system operations. (See: disruption.)

  6. octet (Updated Jan 06, 2026)

    A data unit of eight bits. (Compare: byte.)

  7. off-line attack (Updated Jan 06, 2026)

    See: secondary definition under "attack".

  8. ohnosecond (Updated Jan 06, 2026)

    That minuscule fraction of time in which you realize that your private key has been compromised.

  9. one-time pad (Updated Jan 06, 2026)

    A manual encryption system in the form of a paper pad for one-time use.

  10. A "one-time password" is a simple authentication technique in which each password is used only once as authentication information that verifies an identity. This technique counters the threat of a replay attack that uses passwords captured by wiretapping.

  11. One-Way Communication (Updated Jan 06, 2026)

    Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

  12. one-way encryption (Updated Jan 06, 2026)

    Irreversible transformation of plain text to cipher text, such that the plain text cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known. (See: brute force, encryption.)

  13. one-way function (Updated Jan 06, 2026)

    "A (mathematical) function, f, [that] is easy to compute, but which for a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult." [X509]

  14. onion routing (Updated Jan 06, 2026)

    A system that can be used to provide both (a) data confidentiality and (b) traffic flow confidentiality for network packets, and also provide (c) anonymity for the source of the packets.

  15. An Internet protocol [R2560] used by a client to obtain from a server the validity status and other information about a digital certificate. (Mentioned in [X509] but not specified there.)

  16. open security environment (Updated Jan 06, 2026)

    A system environment that meets at least one of the following two conditions: (a) Application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic. (b) Configuration control does not provide sufficient assurance that applications and the equipment are protected against the introduction of malicious logic prior to and during the operation of system applications. [NCS04] (See: "first law" under "Courtney's laws". Compare: closed security environment.)

  17. open storage (Updated Jan 06, 2026)

    "Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel." [C4009]

  18. A joint ISO/ITU-T standard [I7498-1] for a seven-layer, architectural communication framework for interconnection of computers in networks. (See: OSIRM Security Architecture. Compare: Internet Protocol Suite.)

  19. operate & maintain (Updated Jan 06, 2026)

    A NICE Framework category consisting of specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

  20. operational exercise (Updated Jan 06, 2026)

    An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.

  21. operational integrity (Updated Jan 06, 2026)

    Synonym for "system integrity"; this synonym emphasizes the actual performance of system functions rather than just the ability to perform them.

  22. operational security (Updated Jan 06, 2026)

    System capabilities, or performance of system functions, that are needed either (a) to securely manage a system or (b) to manage security features of a system. (Compare: operations security (OPSEC).)

  23. operations security (Updated Jan 06, 2026)

    A process to identify, control, and protect evidence of the planning and execution of sensitive activities and operations, and thereby prevent potential adversaries from gaining knowledge of capabilities and intentions. (See: communications cover. Compare: operational security.)

  24. operations technology (Updated Jan 06, 2026)

    The hardware and software systems used to operate industrial control devices.

  25. operator (Updated Jan 06, 2026)

    A person who has been authorized to direct selected functions of a system. (Compare: manager, user.)

  26. Orange Book (Updated Jan 06, 2026)

    Synonym for "Trusted Computer System Evaluation Criteria" [CSC1, DoD1].

  27. organizational certificate (Updated Jan 06, 2026)

    An X.509 public key certificate in which the "subject" field contains the name of an institution or set (e.g., a business, government, school, labor union, club, ethnic group, nationality, system, or group of individuals playing the same role), rather than the name of an individual person or device. (Compare: persona certificate, role certificate.)

  28. An RA for an organization.

  29. origin authentication (Updated Jan 06, 2026)

    Synonym for "data origin authentication". (See: authentication, data origin authentication.)

  30. origin authenticity (Updated Jan 06, 2026)

    Synonym for "data origin authentication". (See: authenticity, data origin authentication.)

  31. OS Credential Dumping (Updated Jan 03, 2026)

    Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. (Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

  32. OS Exhaustion Flood (Updated Jan 03, 2026)

    Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.

  33. OSI, OSIRM (Updated Jan 06, 2026)

    See: Open Systems Interconnection Reference Model.

  34. OSIRM Security Architecture (Updated Jan 06, 2026)

    The part of the OSIRM [I7498-2] that specifies the security services and security mechanisms that can be applied to protect communications between two systems. (See: security architecture.)

  35. out-of-band (Updated Jan 06, 2026)

    Information transfer using a channel or method that is outside (i.e., separate from or different from) the main channel or normal method.

  36. Out of Band Data (Updated Jan 06, 2026)

    Adversaries may communicate with compromised devices using out-of-band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out-of-band data streams exist, such as SMS messages, NFC, and Bluetooth.

  37. output feedback (Updated Jan 06, 2026)

    A block cipher mode that modifies ECB mode to operate on plaintext segments of variable length less than or equal to the block length. [FP081] (See: block cipher, [SP38A].)

  38. outside attack (Updated Jan 06, 2026)

    See: secondary definition under "attack". Compare: outsider.

  39. outsider (Updated Jan 06, 2026)

    A user (usually a person) that accesses a system from a position that is outside the system's security perimeter. (Compare: authorized user, insider, unauthorized user.)

  40. outside(r) threat (Updated Jan 06, 2026)

    A person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization and its assets.

  41. Overfitting (Updated Jan 06, 2026)

    An undesirable machine learning behavior that occurs when the machine learning model gives accurate predictions for training data but not for new data.

  42. overload (Updated Jan 06, 2026)

    See: secondary definition under "obstruction".

  43. oversight & development (Updated Jan 06, 2026)

    A NICE Framework category consisting of specialty areas providing leadership, management, direction, and/or development and advocacy so that all individuals and the organization may effectively conduct cybersecurity work.

  44. over-the-air rekeying (Updated Jan 06, 2026)

    Changing a key in a remote cryptographic device by sending a new key directly to the device via a channel that the device is protecting. [C4009]