An access control list represents the rule set for controlling access to devices, resources or networks.
An attack which results in an unauthorized state change, such as the manipulation of files, or the adding of unauthorized files
Instantiations of the data source that are identified by the analyzer as being of interest to the security administrator. Examples of this include (but are not limited to) network sessions, user activity, and application events. Activity can range from extremely serious occurrences (such as an unequivocally malicious attack) to less serious occurrences (such as unusual user activity that's worth a further look).
The management constraints and supplemental controls established to provide an acceptable level of protection for data. Sometimes referred to as procedural security.
The ID component that periodically collects data from the data source, sometimes performing some analysis or organization of the data. Also known as a sensor.
Any equipment of an interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, firmware, and hardware.
A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events.
The ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
A person who aspires to be a hacker/cracker but has very limited knowledge or skills related to an AIS. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet.
A model where intrusions are detected by looking for activity that is different from the user's or system's normal behavior.
(Firewall) A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.
The American Registry of Internet Numbers (ARIN) maintains a database of all registered IPs for the Americas. Queries to the database can be made using the whois command or via the web.
Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity.
Surveys and Inspections; an analysis of the vulnerabilities of an AIS. Information acquisition and review process designed to assist a customer to determine how best to use resources to protect information in systems.
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy.
An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
The log of system events and activities generated by the operating system.
In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred, legitimate and unauthorized.
To establish the validity of a claimed user or object.
To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
All security features needed to provide an acceptable level of protection for hardware, software, and classified, sensitive, unclassified or critical data, material, or processes in the system.
Assuring information and communications services will be ready for use when expected.
A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
Formal-state transition model of computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations.
The Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems.
A formal security model for the integrity of subjects and objects in a system.
A blind test is a penetration test or vulnerability assessment in which the auditors have no (or very limited) knowledge of the system under audit. A blind test assists the customer in evaluating information leakage about their systems or networks. During a penetration test, a blind test simulates an uninformed or outside attacker.
A general synonym for crash, normally of software or operating system failures.
The border router is usually the first defense on the network perimeter of an enterprise. It frequently occupies the network connection just before the initial firewall, and provides filtering service for sanity checks on incoming (and outgoing) network packets.
The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
This happens when more data is put into a buffer or holding area, then the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a back door leading to system access.
An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
A grouping of business functions and processes focused on the production of specific outputs.
A functionally distinct corporate division or strategic business unit that is supported by one or more application systems.
The term used to describe management individuals within the client's enterprise who are responsible for the execution of the business functions. They are the subject matter experts for their area of the business. These are the individuals that can provide the information relative to business function dependencies on internal/external systems/assets, assess the impact of failure and provide contingency options for their given area of expertise
Command and Control
Prevent effective C2 of adversary forces by denying information to, influencing, degrading or destroying the adversary C2 system.
Maintain effective command and control of own forces by turning to friendly advantage or negating adversary effort to deny information to, influence, degrade, or destroy the friendly C2 system. (Pending approval in JP 1-02)
The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command and control warfare is an application of information operations in military operations and is a subset of information warfare. C2W is both offensive and defensive.
Common Gateway Interface - CGI is the method that Web servers use to allow interaction between servers and programs.
Allows for the creation of dynamic and interactive web pages. They also tend to be the most vulnerable part of a web server (besides the underlying host security).
A hacking program used for cracking VMS passwords.
Also called Kamikaze Packet. A network packet that induces a broadcast storm and network meltdown. Typically an IP Ethernet datagram that passes through a gateway with both source and destination Ethernet and IP address set as the respective broadcast addresses for the subnetworks being gated between.
One form of a firewall. Validates TCP and UDP sessions before opening a connection. Creates a handshake, and once that takes place passes everything through until the session is ended.
A tamper-resistant VLSI chip designed by NSA for encrypting voice communications. It conforms to the Escrow Encryption Standard (EES) and implements the Skipjack encryption algorithm.
COAST is a multiple project, multiple investigator laboratory in computer security research in the Computer Sciences Department at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. Its research is focused on real-world needs and limitations, with a special focus on security for legacy computing systems.
An intrusion into a computer system where unauthorized disclosure, modification or destruction of sensitive information may have occurred
The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.
Computer-related crimes involving deliberate misrepresentation or alteration of data in order to obtain something of value.
(CNA) Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. (DODD S-3600.1 of 9 Dec 96)
Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system.
Any intrusion or attempted intrusion into an automated information system (AIS). Incidents can include probes of multiple computer systems.
Any event of unauthorized access or penetration to an automated information system (AIS).
Assuring information will be kept secret, with access limited to appropriate persons.
Reactive action taken as alternatives once failure occurs on primary operation, functions, procedures, processes, etc. Contingencies provide backup once failure occurs and maintains desired results at a non-optimal but acceptable level. Contingencies are always performed after a failure.
In general, a Contingency Plan describes the processes that an enterprise would implement to ensure continuity of its core business despite a system failure.
Computer Oracle and Password System - A computer network monitoring system for Unix machines. Software tool for checking security on shell scripts and C programs. Checks for security weaknesses and provides warnings.
Commercial Off the Shelf - Software acquired by government contract through a commercial vendor. This software is a standard product, not developed by a vendor for a particular government project.
Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specific threats and vulnerabilities involve more sophisticated techniques as well as activities traditionally perceived as security.
A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.
One who breaks security on an AIS.
The act of breaking into a computer system.
A sudden, usually drastic failure of a computer system.
Definition 1) The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext. Definition 2) Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption.
A process that computes a value (referred to as a hashword) from a particular data unit in a manner that, when a hashword is protected, manipulation of the data is detectable.
The art of science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.
The science which deals with hidden, disguised, or encrypted communications.
Describes the world of connected computers and the society that gathers around them. Commonly known as the INTERNET.
A criminal or malicious hacker.
Defense Advanced Research Projects Agency.
A form of attack that is encoded in innocuous seeming data which is executed by a user or a process to implement an attack. A data driven attack is a concern for firewalls, since it may get through the firewall in data form and launch an attack against a system behind the firewall.
Definition 1) (DES) An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2) A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
The raw information that an intrusion detection system uses to detect unauthorized or undesired activity. Common data sources include (but are not limited to) raw network packets, operating system audit logs, application audit logs, and system-generated checksum data.
Decision Analysis is a process to organize large and complex decision frameworks in a structured manner using a set of logical decision criteria.
Decision Tree is an event-oriented diagram used to represent a decision analysis problem in detail. The events are described in chronological order using nodes. Each node has branches that represent every decision or chance event.
The tool used to depict the connection between business areas, business functions and dependencies. See Appendix A for a sample Dependency Model.
The date when a decision needs to be made as to how to proceed with a given risk. This may be the date when new information will be available about the risk or an event will occur that has bearing on the risk and will provide input to actions that need to be taken for risk mitigation. Or, this may be the date when a decision must be made to allow sufficient time for mitigation or contingency actions to occur.
The shared or interconnected system of computers, communications, data applications, security, people, training and other support structures serving DoD local, national, and worldwide information needs. DII connects DoD mission support, command and control, and intelligence computers through voice, telecommunications, imagery, video, and multimedia services. It provides information processing and services to the subscribers over the Defense Information Systems Network and includes command and control, tactical, intelligence, and commercial communications systems used to transmit DoD information. (Pending approval in JP 1-02)
A process that integrates and coordinates policies and procedures, operations, personnel, and technology to protect information and defend information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counter-deception, counter-psychological operations, counter-intelligence, electronic protect, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes. (Pending approval in JP 1-02)
A program which repeatedly calls the same telephone number. This is benign and legitimate for access to a BBS or malicious when used as a denial of service attack.
Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose.
Denial of service is a type of attack that consumes network or host resources and succeeds in denying those resources to legitimate users. Denial of service attacks usually do not represent a breach in security, but can inhibit the use of hosts or networks under attack. A distributed denial of service (DDoS) attack is a variation of the DoS attack. A DDoS uses a large number of distributed hosts in the attack to consume the resources of a host or network.
The act of exploiting a terminal which someone else has absent mindedly left logged on.
See Data Encryption Standard
The DMZ is an area of a network between the border router and the perimeter defense device (firewall). The DMZ is often used for public servers and provides only limited protection to its hosts.
The domain name system translates host names into numerical IP (Internet Protocol) addresses which computers on the Internet use to communicate with each other. Resource records in the DNS directory are split into files called zones. Zones are kept on authoritative servers distributed all over the Internet, which answer queries according to DNS network protocol.
Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
The edge router receives and packetizes traffic and then sends it to other routers and switches in the network. It is used by service providers to segregate traffic bound for specific groups of addresses, and is usually found between the border router(s) surrounding the perimeter of a large network, and the backbone connections to the service provider on the open internet.
That division of EW involving the use of electromagnetic, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability. EA includes: actions taken to prevent or reduce an enemy's effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception and employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism (lasers, radio frequency, particle beams).
That division of EW involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of EW that degrade, neutralize, or destroy friendly combat capability.
Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. The three major subdivisions within electronic warfare are electronic attack, electronic protection, and electronic warfare support.
That division of EW involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition. Thus, electronic warfare support provides information required for immediate decisions involving EW operations and other tactical actions such as threat avoidance, targeting and homing. ES data can be used to produce signals intelligence. (JP 1-02)
An email/network worm transmits itself via email or by exploiting network services. Unlike a virus, a worm usually does not damage the host computer but will co-opt its services to spread itself.
An email virus is a virus that is transmitted via email. It often requires the recipient to execute code on the target machine for infection to begin. The virus may co-opt the hosts mail system to spread itself. Unlike a worm, a virus will cause damage to the infected system.
A mechanism to provide confidentiality and integrity protection to IP datagrams.
The top two rows of the Dependency Model reflecting the enterprise's business units and corporate goals. The Enterprise Profile provides the linkage of risk impacts to corporate the corporate goal.
This is listening with software to the Ethernet interface for packets that interest the user. When the software sees a packet that fits certain criteria, it logs it to a file. The most common criteria for an interesting packet is one that contains words like login or password.
A notification from an analyzer to the security administrator a signature has triggered. An event typically contains information about the activity that triggered the signature, as well as the specifics of the occurrence.
See Raw Expected Value and Net Expected Value
Occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior.
Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
The ability of a system or component to continue normal operation despite the presence of hardware or software faults.
A technology in which message digest hashing algorithms are used to render files and directories tamper evident.
A filter is a device such as a filtering router. A filter allows for the creation of ACLs to control access to devices, resources or networks. It is usually used to screen open ports, so that only valid data is allowed into, or out of, those ports.
Firewalk is a network auditing tool that attempts to determine what transport protocols a given gateway will pass. It is often used to determine if there are viable host machines on the other side of the firewall or router.
A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
To contain, isolate and monitor an unauthorized user within a system in order to gain information about the user. More commonly called a Honey Pot.
Also known as Logic Bomb - Code that can be written in one line of code on any Unix system; used to recursively spawn copies of itself, "explodes" eventually eating all the process table entries and effectively locks up the system.
ftp is the user interface to the ARPANET standard File Transfer Protocol. The program allows a user to transfer files to and from a remote network site. It passes usernames and passwords as plaintext, and has a very poor security stance.
A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the minimum necessary.
Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.
A hack session extended long outside normal working times, especially one longer than 12 hours.
High risk implies that the problem identified will likely result in a compromise in the near future, that the problem identified may be taken advantage of by an adversary with a low skill level, or that the compromise will provide significant entry into the enterprise itself.
A single computer or workstation; it can be connected to a network
Information, such as audit data from a single host which may be used to detect intrusions
A private key encryption-decryption algorithm that uses a key that is twice the length of a DES key.
A system that detects intrusions using pattern-matching.
An informed test is a penetration test or vulnerability assessment in which the auditors have a good understanding of the system under test. Information about the system under test is provided by the customer. During a penetration test, an informed test simulates a knowledgeable attacker.
The part of the Security Management Process concerning the investigation and resolution of security incidents that occur and are detected. Also known as Incident Response.
Influence diagram is a graphical representation of a decision framework. Decision alternatives, relevant uncertainties, and final outcomes or payoffs are represented, along with influence arcs that define their relationships to each other.
Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Actions taken to affect adversary information and information systems while defending one's own information and information systems.
The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.
The capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same.
Actions taken to achieve information superiority by affecting adversary information, information based processes, and information systems, while defending our own information, information based processes, and information systems. Any action to deny, exploit, corrupt, or destroy the enemy's information and its functions, protect themselves against those actions; and exploiting their own military information functions.
Information Operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries.
Assuring information will not be accidentally or maliciously altered or destroyed.
A worm program (see: Worm) that was unleashed on the Internet in 1988. It was written by Robert T. Morris as an experiment that got out of hand.
Any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
The technology concerned with monitoring computer systems in order to recognize signs of intrusions or policy violations.
Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available on the network.
IP is the protocol on which the Internet is based. Devices using IP are addressed with an IP number.
An action whereby an active, established, session is intercepted and co-opted by the unauthorized user. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.
An attack whereby a system attempts to illicitly impersonate another system by using IP network address.
A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt
The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees.
A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the AIS returns to the user.
A lame server is a (DNS) server which has been delegated a DNS zone but is not authoritative for that zone. A lame server can also be a server that claims to be authoritative for a DNS zone when it is not.
A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, switches, and gateways.
Use of userid and password information obtained illicitly from one host to compromise another host. The act of TELNETing through one or more hosts in order to preclude a trace (a standard cracker procedure).
A piece of email containing live data intended to do malicious things to the recipient's machine or terminal. Under UNIX, a letterbomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from silly to denial of service.
A resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satisfied, triggers the perpetration of an unauthorized act. See Trojan.
Low risk implies that it is unlikely that the problem identified will result in a compromise, or that the compromise will lead to a significant escalation of priviliges.
The mail sent to urge others to send massive amounts of email to a single system or person, with the intent to crash the recipient's system. Mailbombing is widely regarded as a serious offense.
Hardware, software, of firmware that is intentionally included in a system for an unauthorized purpose; a Trojan horse
The ID component from which the security administrator manages the various components of the ID system. Management functions typically include (but are not limited to) sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.
Medium risk implies that the problem identified might result in a compromise, if the adversary has a good skill level and is determined, or if the compromise would easily lead into a higher level of intrusion.
Specialized cryptographic algorithms that are used to render files tamper-evident. The nature of message digest algorithms dictates that if an input data file is changed in any way, the checksum that is calculated from that data file value calculated will change.
Furthermore, a small change in the input data file will result in a large difference in the result.
A random variable x representing a quantitative measure accumulated over a period.
Synonymous with Impersonation, Masquerading or Spoofing.
The system detects intrusions by looking for activity that corresponds to a known intrusion techniques or system vulnerabilities. Also known as Rules Based detection.
Proactive actions taken to eliminate a risk or reduce a risk's impact and/or probability to an acceptable level. Mitigation is always performed prior to a failure occurring.
A computer program or process which mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user. See Trojan.
Monte Carlo simulations involve generating random variables that are used to recalculate a spreadsheet model hundreds or even thousands of times. Each recalculation represents a different possible set of random events for the model. The results are a distribution of outcomes that provides a quantitative basis for adding insights into the nature and risks associated with a decision framework
Audit data from multiple hosts may be used to detect intrusions.
A penetration technique which capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly and thus, leaves the system in an unprotected state during such interrupts.
Originally named the DoD Computer Security Center, the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government. With the signing of NSDD-145, the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government.
The nation-wide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. The NII encompasses a wide range of equipment, including cameras, scanners, keyboards, facsimile machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, fiber-optic transmission lines, networks of all types, monitors, printers and much more. The friendly and adversary personnel who make decisions and handle the transmitted information constitute a critical component of the NII.
The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and source routing.
The impact of the mitigated risk with contingency planning and/or mitigation strategy (Net Expected value = Impact of the mitigated risk with contingency planning/and/or mitigation strategy) * (Mitigated Probability that the mitigated risk becomes a problem)
Two or more machines interconnected for communications.
Network traffic data along with audit data from the hosts used to detect intrusions.
A network device is a device which provides network services. These services could include network switching, routing and filtering. Network devices can also include dedicated HTTP, FTP, printing and file servers. Network devices do not usually support users in the same sense that a host would.
A firewall in which traffic is examined at the network protocol (IP) packet level.
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes providing for data integrity.
Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network.
A network topology represents the configuration and connections of a network. It is often represented graphically as a network map.
Another name for "Leapfrogging"
Nmap is a tool designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.
The aspect of DOD security policy which restricts access on the basis of security levels. A security level is composed of a read level and a category set restriction. For read-access to an item of information, a user must have a clearance level greater then or equal to the classification of the information and also have a category clearance which includes all of the access categories specified for the information.
Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
Nslookup sends queries to Internet domain name servers. It has two modes: interactive and non-interactive. Interactive mode allows the user to contact servers for information about various hosts and domains or to display a list of hosts in a domain. Non-interactive mode is used to display just the name and requested information for a host or domain.
Environment that does not provide environment sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.
Provision of tools for the secure internetworking of open systems.
The protection of data from either accidental or unauthorized, intentional modification, destruction, or disclosure during input, processing, or output operations.
Definition 1) The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with planning and conducting military operations and other activities.
Definition 2) An analytical process by with the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting evidence of the planning and execution of sensitive activities and operations.
A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to: a. Identify those actions that can be observed by adversary intelligence systems. b. Determine indicators hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries. c. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. (JP 1-02)
Optimization methods are used to find the best combination of values that maximize and minimize the outcome of a model given certain constraints.
See Trusted Computer Security Evaluation Criteria
Open Systems Interconnection. A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network utility.
Overlay graphs are used to compare output distributions in a cumulative format. The outputs are displayed in lines of varying colors to clarify the comparisons.
A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
Inspects each packet for user defined content, such as an IP address but does not track the state of sessions. This is one of the least secure types of firewall.
A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol specific traffic to one network segment, isolate email domains, and perform many other traffic control functions.
A device or program that monitors the data traveling between computers on a network
Attack which does not result in an unauthorized state change, such as an attack that only monitors and/or records data.
The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
An IETF standard for secure electronic mail exchange.
The successful unauthorized access to an automated system.
The description of a situation or set of conditions in which a penetration could occur or of system events which in conjunction can indicate the occurrence of a penetration in progress.
The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
A penetration test is similar in scope to a vulnerability assessment but is usually more aggressive in its efforts to simulate an attack
The technique of securing a network by controlling access to all entry and exit points of the network. Usually associated with firewalls and/or filters. Perpetrator The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker.
A perimeter defense is a network's first line of defense in its connection to an untrusted network (such as the Internet). This often consists of a firewall or filtering router.
The procedures established to ensure that all personnel who have access to any classified information have the required authorizations as well as the appropriate clearances.
A freeware program primarily for secure electronic mail.
A program that modifies other programs or databases in unauthorized ways; especially one that propagates a virus or Trojan horse.
Phone book file demonstration program that hackers use to gain access to a computer system and potentially read and capture password files. A well-known and vulnerable CGI script which does not filter out special characters (such as a new line) input by a user.
An individual who combines phone phreaking with computer hacking.
An individual fascinated by the telephone system. Commonly, an individual who uses his knowledge of the telephone system to make calls at the expense of another.
The art and science of cracking the phone network.
The measures used to provide physical protection of resources against deliberate and accidental threats.
The gaining of unauthorized access to a system via another user's legitimate connection.
The use of the TCP/IP protocol ping, with a packet size higher than 65,507. This will cause a denial of service.
The POP protocol is used to transfer mail saved for a user to the user's computer. Versions 3 and 2 of this protocol are most commonly used.
Scanning one or more hosts or network devices in an effort to discover open, vulnerable ports.
An encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret. This methodology is usually only used by a small group.
Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date. See scanning.
Process flow diagrams are models that contain symbols used to analyze the flow of information or data. Typically, the diagrams are used to depict business functions, workflow, and statistical data.
Patterns of a user's activity which can detect changes in normal routines.
Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
A daemon that is run periodically to seek out and erase core files, truncate administrative logfiles, nuke lost+found directories, and otherwise clean up.
A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator's objectives.
Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
The impact of the unmitigated risk with no contingency planning. (Raw expected value = (Impact of an unmitigated risk with no contingency planning, no mitigation strategies) * (Probability that the risk becomes a problem)
See Trusted Network Interpretation.
A security control concept in which an abstract machine mediates accesses to objects by subjects. In principle, a reference monitor should be complete (in that it mediates every access), isolated from modification by system entities, and verifiable. A security kernel is an implementation of a reference monitor for a given hardware base.
Any program that acts to produce copies of itself examples include; a program, a worm, a fork bomb or virus. It is even claimed by some that UNIX and C are the symbiotic halves of an extremely successful replicator.
The actions that an analyzer takes when a signature is triggered. Sending an event notification to the security administrator is a very common response. Other responses include (but are not limited to) logging the activity, recording the raw data (from the data source) that caused the signature to trigger, terminating a network, user, or application session, or altering network or system access controls.
A retro-virus is a virus that waits until all possible backup media are infected too, so that it is not possible to restore the system to an uninfected state.
This Unix command is the Sun RPC server for remote program execution. This daemon is started by inetd whenever a remote execution request is made.
Risk Analysis is any method qualitative and/or quantitative, for assessing the impacts of risk on decision situations. For example, Monte Carlo Simulation is a very powerful Risk Analysis method.
A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
A continuous process to provide an estimate of the damage, loss, or harm that could result from the inability to perform a planned activity, or to perform it in the planned timeframe for whatever reason.
This is a graphical record of the results of Business Impact Analysis, including the risk's Expected Value (and other less quantitative impacts) documented on the ODM. The Expected Value is depicted on the bottom row of the ODM with the scope of the risk represented by shaded areas on the ODM.
The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval.
A management approach designed to prevent and reduce risks, including system development risks, and lessen the impact of their occurrence.
See also: Business Area, Business Function, Business Function Owner, Contingency, Contingency Plan, Decision Analysis, Decision Tree, Dependency Model, Decision Point, Influence Diagrams, Mitigation, Monte Carlo Simulation, Net Expected Value, Optimization, Process Flow Diagram, Raw Expected Value, Risk Analysis, Risk Assessment, Risk Footprint, System Owner, and Tornado Graph.
A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.
An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
A router is a device that directs network traffic whose destination is beyond the local network. Through the use of various routing protocols like BGP, OSPF and RIP, a router can determine the most advantageous route for the data.
The application of rules during the process of routing so as to chose or avoid specific networks, links or relays.
RSA stands for Rivest-Shamir-Aldeman. A public-key cryptographic algorithm that hinges on the assumption that the factoring of the product of two large primes is difficult.
The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities. Also known as Misuse Detection.
A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.
A tool for remotely probing and identifying the vulnerabilities of systems on IP networks. A powerful freeware program which helps to identify system security weaknesses.
The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Nessus, nmap, and strobe are all well known scanners.
Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need. Much of the field of advertising is based on this paradigm, and the "to current resident" brute force style of bulk mail is an almost perfect parallel to what we will discuss. Just stick a message in every mailbox and wait for the responses to trickle back.
Scanning entered the h/p world along with the phone systems. Here we have this tremendous global telecommunications network, all reachable through codes on our telephone. Millions of numbers are reachable locally, yet we may only be interested in 0.5% of these numbers, perhaps those that answer with a carrier.
The logical solution to finding those numbers that interest us is to try them all. Thus the field of "wardialing" arose. Excellent programs like Toneloc were developed to facilitate the probing of entire exchanges and more. The basic idea is simple. If you dial a number and your modem gives you a CONNECT, you record it. Otherwise the computer hangs up and tirelessly dials the next one.
A device that acts as a gateway between a protected enclave and the outside world.
A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
The human with responsibility for the successful deployment and operation of the intrusion detection system. This person may ultimately charged with responsibility for the defense of the network. In some organizations, the security administrator is associated with the network or systems administration groups. In other organizations, it's an independent position.
A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
A search through a computer system for security problems and vulnerabilities. A security audit is a process which evaluates and assesses the security of a network, host or enterprise.
Countermeasures that are aimed at specific threats and vulnerabilities or involve more active techniques as well as activities traditionally perceived as security
The sets of objects that a subject has the ability to access.
The security-relevant functions, mechanisms, and characteristics of AIS hardware and software.
Any act or circumstance that involves classified information that deviates from the requirements of governing security publications. For example, compromise, possible compromise, inadvertent disclosure, and deviation.
The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non-hierarchical security categories (e.g., sensitive compartmented information, critical nuclear weapon design information).
The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
The ADP official having the designated responsibility for the security of and ADP system
The boundary where security controls are in effect to protect assets.
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.
Types and levels of protection necessary for equipment, data, information, applications, and facilities.
A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to system resources.
Sendmail sends a message to one or more recipients, routing the message over whatever networks are necessary. Sendmail does internetwork forwarding as necessary to deliver the message to the correct place. Sendmail is a Unix-based Mail Transport Agent.
Sensitivity analysis examines how changes to one or a combination of variables in a model effect the results.
The ID component that periodically collects data from the data source. Also known as an agent.
In many existing ID systems, the sensor and the analyzer are part of the same component.
A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon which performs a service for the requester, which often runs on a computer other than the one which the server runs.
A protocol used by phone companies. Has three basic functions: Supervising, Alerting and Addressing. Supervising monitors the status of a line or circuit to see if it is busy, idle, or requesting service. Alerting indicates the arrival of an incoming call. Addressing is the transmission of routing and destination signals over the network in the form of dial tone or data pulses.
A rule used by the analyzer to identify interesting activity to the security administrator. Signatures are the mechanism by which ID systems detect intrusions.
SMTP is a protocol used to transfer email from one host to another. Commands are in a human readable form. For example the VRFY command (if enabled) will verify the existence of a user mail box on a host. The EXPN command will expand a mail box alias to reveal the true recipient of an email.
Simple Network Management Protocol (SNMP) is a protocol for managing, monitoring, and configuring network devices such as routers, switches, printers and some hosts. Data is accessed by providing "community strings" which are similar in use to passwords.
An NSA-developed encryption algorithm for the Clipper chip. The details of the algorithm are unpublished.
A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim thereby clogging its network.
To grab a large document or file for the purpose of using it with or without the author's permission.
An individual hired to break into places in order to test their security; analogous to tiger team.
A program to capture data across a computer network. Used by hackers to capture user id names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
A computer criminal or vandal will use the easiest method to gain access to the desired data or machines. These methods may include pretending to be an employee who has forgotten a password, casually viewing passwords entered carelessly by authorized users, or by other means where the natural trust of people is taken advantage of. These methods work just as well inside or outside the enterprise. A disgruntled employee using the account of his office mate to gain inappropriate access to data after hours can be just as dangerous as the corporate spy or computer vandal.
To crash a program by overrunning a fixed-site buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.
Information Operations that by their sensitive nature, due to their potential effect or impact, security requirements, or risk to the national security of the United States, require a special review and approval process.
Secure Profile Inspector - A network monitoring tool for Unix, developed by the Department of Energy.
Spoof refers to fake of forged information or communications. For example, spoofed IPs or packets consist of network packets that are generated by one host but are forged with the IP address of another host.
Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. Attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.
Secure shell provides secure (encrypted) authentication and remote sessions. SSH is preferred above Telnet or RSH due to its security features. It uses either a host key, or a long pass phrase, or both, in its authentication mechanism.
Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. It provides authentication and confidentiality to applications.
Occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.
When the SYN queue is flooded, no new connection can be opened.
The log of system events and activities, generated by a system process. The system log is typically at a greater degree of abstraction than the operating system audit log.
The term used to describe management individuals within the client enterprise who are responsible for the development and maintenance of support information systems. These are the subject matter experts for their given application/system and provide data for the technical impacts of risks, ripple effects of failures, possible contingency or mitigation actions, etc.
The suite of protocols the Internet is based on.
Tcpdump prints out the headers of packets on a network interface that match a boolean expression. It is a common tool used for network analysis
A software tool for security which provides additional network logging, and restricts service access to authorized hosts by service.
The telnet command is used to communicate with another host using the TELNET protocol. It is a part of the TCP/IP protocol, and operates entirely in clear text. This means that it is especially vulnerable to attackers, and can easily be subverted to an attacker's purpose.
A security policy based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
Allows an attacker, on a certain machine, to control any terminal session that is in progress. An attack hacker can send and receive terminal I/O while a user is on the terminal.
The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
Methods and things used to exploit a vulnerability in an information system, operation, or facility; fire, natural disaster and so forth.
Process of formally evaluating the degree of threat to an information system and describing the nature of the threat.
A software tool which scans for system weaknesses.
Government and industry - sponsored teams of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes. Sometimes referred to as a Red Team, or a sneaker.
A monitoring program used to scan incoming network connections and generate alerts when calls are received from particular sites, or when logins are attempted using certain ID's.
The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
Tornado graphs are a graphical representation of a sensitivity analysis, and they show the effects of input variables from greatest to least in an easy-to-interpret bar chart format. The magnitude of the impact of an input is determined by the size of the bar and the positive or negative input of the impact is determined by the direction of the bar (right or left, respectively).
In a packet-switching network, a unique packet that causes a report of each stage of its progress to be sent to the network control center from each visited system element.
An operation of sending trace packets for determining information; traces the route of UDP packets for the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination computer.
Traceroute prints the route packets take to network host. traceroute utilizes the IP protocol `time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
A security model rule stating that the security level of an active object cannot change during the period of activity.
A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. It is a executable program that is disguised as something innocuous such as a game, amusement, or common system command. Once executed it can install services or modify the system to allow an attacker access to the host.
Examples of trojans are Back Orifice, NetBus, and SubSeven.
(TCSEC) A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information.
The totality of protection mechanisms within a computer system including hardware, firmware, and software - the combination of which are responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system.
A trust model represents the trust relationships between an organization or a network with other organizations or networks.
The specific security features, the assurance requirements and the rating structure of the Orange Book as extended to networks of computers ranging from isolated LANs to WANs.
A hacker tool that allows hackers with even a small amount of skill to hijack terminals. It has a GUI interface.
An upstream provider is an Internet Service Provider (ISP) that provides network connectivity and routing to the Internet through dedicated high speed connections. An upstream provider usually provides access to one of the major Internet backbones, or is a major backbone provider.
Usenet is an online, public and distributed forum. Usenet consists of a large hierarchy of news groups. Archives of these news groups provide a wealth of information for the social engineer.
Program that injects itself into an executable program to perform a signature check and warns if there have been any changes.
The process of evaluating a system or component during or at the end of the development process to determine whether it satisfies specified requirements.
A program that can "infect" other programs by modifying them to include a, possibly evolved, copy of itself.
A virtual private network is a secure network in which data may traverse insecure or untrusted networks. The security of this network data is protected by encryption and authentication protocols. A VPN is often used to connect two private networks via an Internet connection.
Hardware, firmware, or software flow that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Also known as scanning.
An Internet service that allows you to search a large number of specially indexed databases.
A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.
A program that dials a given list or range of numbers and records those which answer with handshake tones, which might be entry points to computer or telecommunications systems.
What-if Analysis determines which values in a spreadsheet model have the greatest impact on the results. This analysis involves calculating worst, most likely and best case scenarios and summarizing the likelihood of each outcome with statistical charts and graphs.
Whois searches for an Internet directory entry for an identifier which is either a name (such as ``Smith'') or a handle (such as ``SRI-NIC''). The default action, unless directed otherwise with a special name, is to do a very broad search, looking for matches to name in all types of records and most fields (name, nicknames, hostname, net address, etc.) in the database.
Independent program that replicates from machine to machine across network connections often clogging networks and information systems as it spreads.
A zone transfer occurs when an authoritative DNS server provides its zone data to another server. Proper zone transfers occur when secondary DNS servers replicate zone information from a primary server. Promiscuous zone transfers can divulge the internal structure of a network and are a security concern. Zone transfers requested by unauthenticated or unauthorized users should not be permitted.
Last modified: Sat Oct 30 22:49:34 PDT 2004