This paper (placed at the end for readability) describes 37 different types of actors that may Cause Information System Failure (Threats), 94 different Mechanisms by Which Information Systems are Caused to Fail (Attacks), and 140 different Mechanisms Which May Prevent, Limit, Reduce, or Mitigate Harm (Defenses). These are gathered from many different sources. Where a single source for a single item is available, it is cited in the text. The most comprehensive sources used are not cited throughout the text but rather listed here. [Cohen95] [Neumann95] Other major sources not identified by specific citation are listed here. [Bellovin92] [Bishop96] [Bellovin89] [Cheswick94] [Cohen91] [Cohen94-2] [Denning82] [Feustal73] [Hoffman90] [Knight78] [Lampson73] [Landwehr83] [Linde75] [Neumann89] [Spafford92]

We describe a cause-effect model of information system attacks and defenses based on the notions that particular threats use particular attacks to cause desired consequences and successful defenders use particular defensive measures to defend successfully against those attacks and thus limit the consequences. Human defenders and attackers also use a variety of different viewpoints to understand and analyze their attacks and defenses, and this notion is also brought to bear. We then describe some analytical methods by which this model may be analyzed to derive useful information from available and uncertain information. This useful information can then be applied to meeting the needs of defenders (or if turned on its head attackers) to find effective and minimal cost defenses (or attacks) on information systems. Next we consider the extension of this method to networks and describe a system that implements some of these notions in an experimental testbed called HEAT.

A Cause-Effect Model of Information System Attacks and Defenses:

There is a common notion of cause and effect that has been debated in philosophical terms many times over the ages. Some believe in fate - the happenings of the universe are predetermined. Some believe in chance - God plays dice with the Universe. Regardless of the underlying nature of things, as a fundamental assumption to further work in this area, we take the position that the world works through a system of causes, mechanisms, and effects. Thus we have the picture of systems shown in figure 1.

In this depiction of our assumption, we assert that Causes (also called threats) use Mechanisms (Previously published under the name Attacks and also called Attack Mechanisms) to produce Effects (also called consequences). Protective Mechanisms (also called Defenses) are used to mitigate harm by acting to limit the causes, mechanisms, or effects.

Our schemes of describing Causes, Mechanisms, Effects, and Defenses, are based on the collection of sets of specific causes, mechanisms, effects, and defenses into names groupings, but underlying each of these sets there are specific actors, mechanisms, and consequences that could be analyzed at a detailed level. Since the sets we describe are not strictly classification schemes, there are many-to-many mappings between specifics and sets in our descriptions.

The viewpoints in our model represent the notion that there may be many properties of elements of our model that can be related, analyzed, and used by people and by automation to deal with the issues of information protection.

We believe that the value in this particular model lies in two areas; the reduction of complexity from a model based on all of the specifics allows meaningful computations to be performed in reasonable times, while the increased differentiation over simplified models containing only a few items (e.g., corruption, denial of services, information leakage) allows useful results to be derived. This belief will, we hope, be justified by the analyses we are able to perform.

We also feel it is important to note that this is not the only model of this sort available today. Many other authors have tried to form similar models and we have borrowed freely from them. Some of the models we have considered in our efforts include John Howard's model, the other models he cited and analyzed in his work, and Donn Parker's Model, particularly in the area of consequences.

The specific mappings used in our analysis vary with time, in large part because attackers and defenders are always learning, and in smaller part because new mechanisms are being discovered over time. We also find new ways of correltating issues over time, and this adds new viewpoints. The current viewpoints include:

• Process: Prevention, Detection, and Reaction
• Impact: Integrity, Availability, and Confidentiality
• Domain: Physical, Informational, Systemic
• Sophistication: Theoretical, Demonstrated, Widespread
• Organizational: Management, Policy, Standards, Procedures, Documentation, Audit, Testing, Technical Safeguards, Personnel, Incident Handling, Legal, Physical, Awareness, Training, Education, Organization

The size of the mapping today is on the order of 37x94/3 links from threats to attacks, 94x140/3 links from attacks to defenses, and 28x250/3 links between these items and the viewpoints. The actual count today is about 7,000 links which is stored as a numerical table for analysis purposes. While it is impractical to provide that entire table here, it can be attained from the principal author in electronic form and can be viewed as a linked database on the Internet at http://all.net/

Some Analytical Methods Applicable to the Cause-Effect Model:

Given the above model of cause and effect, we have generated a set of analytical techniques that enable us to do three things:

• Based on the work on medical diagnosis that forms the basis of the Mycin system, we have created an indications capability that predicts causes and correlated mechanisms based on a detected set of mechanisms.
• Based on the notion of covering table, we have analyzed methods for determining an optimal cover for defending against a set of causes.
• Based on syntax and semantics theory, we have created a linguistic problem and solution generator that produces sets of feasible attack and defense scenarios based on a user-specified linguistic question.

Indications and Warnings Analysis:

For indications and warnings it is desirable that, based on the information available, a prediction be produced that (1) indicates the possible causes of the observed information and ranks those causes in order of confidence that they could be a cause, (2) based on those indications, predicts other observable mechanisms and consequences associated with those causes, and (3) provides the means to warn potential defenders and victims of consequences prior to those consequences.

The analysis we perform is based on analysis of a set of observed mechanisms. Given a set of mechanisms that are known or thought to be in use, we reverse the cause-effect model to produce a ranking of all causes that could be associated with each of the observed effects. This ranking is based on the confidence level associated with each observed phenomena and the correlation between capabilities and characteristics of the causes and observed mechanisms.

In the current implementation, a selection of mechanisms is made from a menu of checkboxes using a Web browser. For example, we might select the following set of observed mechanisms:

"false updates", "insertion in transit", "perception management" and "replay attacks"

With this selection, analysis yields several results:

• Corruption of information appears to be the major goal of these attacks
• The sophistication level of the attacker is substantial, and they likely have some special expertise, but they are not using techniques that are never seen elsewhere.
• The most well-matched threat profiles include hackers, private investigators, crackers for hire, cyber-gangs, crackers, insiders, professional thieves, foreign agents and spies, military organizations, global coalitions, nation states, economic rivals, government agencies, tiger teams, and information warriors.
• Less likely are maintenance people, vendors, reporters, competitors, extortionists, and consultants.
• Club initiates, organized crime, activists, and customers are less likely still, followed by deranged people, vandals, infrastructure warriors, drug cartels and police.
• Finally, these mechanisms have no correlation with known capabilities and intent of hoodlums, nature, paramilitary groups, terrorists, or whistle blowers.

Given the resulting metric associated with each cause, we then produce an aggregate metric for each of the mechanisms within the capability and characteristics of those causes. The result is a metric associated with each mechanism indicating how closely it matches the observed phenomena within the context of the model. For the example above:

Salami attacks, kiting, strategic or tactical deceptions, race conditions, dependency analysis and exploitation, reflexive control, breaking key management systems, man-in-the-middle, induced stress failures, audit suppression, illegal value insertion, call forwarding fakery, call forwarding fakery, restoration process corruption or misuse, backup theft, corruption, or destruction, process bypassing, wire closet attacks, repair-replace-remove information, electronic interference, desychronization and time-based attacks, modeling mismatches, environment corruption, inadequate notice exploitation, undocumented or unknown function exploitation, invalid values on calls, get a job, modification in transit, infrastructure interference, and testing are reported as the most highly correlated mechanisms to those observed.

Given the resulting metric associated with each mechanism, we then produce an aggregate metric for each of the consequences that can result from each of those mechanisms. The result is a metric associated with each consequence indicating how closely it matches the observed phenomena within the context of the model.

These results have been used for several different purposes:

• The metrics on mechanisms are used to determine optimal selection of sensors to differentiate or detect while limiting impact on normal operations.
• The metrics associated with attack mechanisms are used as weightings in the covering analyses described above to optimize the design or selection of flexible defenses so as to minimize the effectiveness of further attacks within a budget.
• The analysis of consequences has been extended (as described later) to a networked environment in the form of analyzing the impact of an acquired level of access to one system on the spread of an attack from system to system.

Covering Analysis:

The covering analysis we used is based on the covering analysis used in optimization. The notion of covering analysis is that we have a set of attacks and a set of defenses, where each attack has a metric indicating the relative consequence of its use, each defense has a metric indicating the relative cost of its use, and a covering table indicates whether or to what extent each defense mitigates the consequences of each attack. The analytical challenge is to find an efficient mathematical method for determining an optimal selection of defenses. Optimality can be determined against a set of different measures to produce different results. We have examined two particular measures; (1) minimize the cost for achieving a particular total level of consequence, and (2) minimizing the consequence given a particular budget for defense.

The classic set covering problem has been widely studied because of it's use in airline crew scheduling. We can formulate the defense-allocation problem as a generalization of the set cover problem. Table entries represent the probability that a particular defense can prevent a particular attack. If we assume attack consequences are independent and defense probabilities are independent, then we can calculate the expected consequence from the full set of attacks.

Although this computation is significantly more complicated than classic set cover, we can modify much of the previous work on set cover for this setting. In particular, since set cover is a restrictive special case of the defense-allocation problem, hardness results for set cover apply directly. Thus theoretically, we cannot approximate the best defense set to within a factor of log d, where d is the number of defenses. However, exhaustive methods may be practical for the size of instances generated by small-to-medium sized networks. We have generalized the greedy iterative methods which are asymptotically optimal for set cover. It is also possible that they remain asymptotically optimal in the more general setting. If we also specify a target consequence for each attack rather than all attacks combined, this problem can be modeled as an integer program similar to the set-cover integer program, and therefore, one can apply a generalized versions of the vast number of exact and heuristic methods tuned for this application.

An implementation of covering analysis based on the greedy algorithm is currently implemented. Based on the above example, and with the additional constraints that we wish only to detect corruption and do so with only commercially available mechanisms, we get the following list of potential detection defense mechanisms:

• known-attack scanning
• program change logs
• time, location, function, and other similar access limitations
• filtering devices
• searches and inspections
• redundancy
• deceptions
• procedures
• auditing
• audit analysis
• augmented authentication devices (time or use variant)
• security marking and/or labeling
• classifying information as to sensitivity
• document and information control procedures

The covering analysis indicates that these methods have the potential of detecting all of the identified mechanisms, indicates that the defenses with the best coverage are (1) time, location, function, and other similar access limitations, (2) redundancy, and (3) filtering devices and that in combination, these cover almost all of the identified attack mechanisms. The detailed results of the covering table indicate which classes of defense mechanisms cover which classes of attack mechanisms and use coloring to indicate uncovered attack mechanisms.

Linguistic Analysis:

The third extension is to describe techniques that can be used to analyze systems based on this model. In this extension, we treat the set of all cause, mechanism, effect, defense, and viewpoint sequences as the set of legal statements within a language. We then take a user-specified sentence in the form of menu selections from the set of possible causes, mechanisms, effects, defensive capabilities, and viewpoints, and produce all valid sentences within the language that meet those specifications. A simple example is the input phrase (selected from menus):

"Any attacker uses content-based attacks to deny services - Use widespread (off-the-shelf) prevention defenses to assure availability."

Based on this question, the systems responds with the following set of applicable attack and defense sentences:

"Activists, club initiates, consultants, crackers for hire, customers, cyber-gangs, economic rivals, foreign agents and spies, global coalitions, government agencies, hackers, information warriors, military organizations, nation states, private investigators, professional thieves, reporters, tiger teams, and vendors use content-based attacks to deny services.

• Audit analysis can be used for detection.
• Authorization limitation can be used for prevention or reaction.
• Filtering devices can be used for detection or prevention.
• Known-attack scanning can be used for detection or prevention or reaction.
• Redundancy can be used for detection or prevention or reaction.
• Searches and inspections can be used for detection or reaction."

The Extension of These Results to Networked Systems:

The fourth extension is to use these techniques to analyze networked systems. In this analysis, we generate an attack graph by identifying the vulnerabilities of each of a set of systems within a network and characterizing the way in which those systems can communicate. The attack graph is, in essence, the set of all possible sequences of mechanisms that an attacker can use to achieve a particular goal within a network. We analyze attack graphs and defense postures (sets of defensive mechanisms that can be placed in the network) to (1) increase the minimum cost of attack within a fixed budget for defense and (2) minimize the cost of defense for a given attack budget. We then do an analysis of this graph to find, for example, a minimum cost cut to the attack graph where cuts are used to represent the effect of protective mechanisms.

The attack graph method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The analysis system requires a database of common attacks broken into atomic steps, specific network configuration and topology information, and an attacker profile. The attack information is then "matched" with the network configuration information and attacker profile to create a "superset" attack graph. Nodes in this graph identify a stage of attack (e.g., the class of machines the attacker has accessed and the privilege levels compromised). Arcs in this graph represent the paths through which mechanisms can be used to change the stage of attack. By assigning costs representing level-of-effort for the attacker (or alternatively probabilities of success) to the arcs, graph analysis algorithms such as shortest-path algorithms can be used to identify the attack paths with the lowest cost (or highest probability) of success. Defense postures (i.e., sets of defensive mechanisms that can be placed in the network) can also be analyzed for their impact on cost (or probability) to increase the minimum cost (or maximum probability) of attack within a fixed budget for defense or minimize the cost (or probability) of successful defense for a given attack budget.

Once the attack graph has been generated, we can also apply analysis methods to determine high-risk attack paths. The graph may also be used to run simulations of attacks and defense both in a batch mode for optimizing a set of fixed defenses or in a real-time mode for predicting the impacts of future attacks given a current situation. This then forms the basis for simulation components of a proposed capability for model-based situation anticipation and constraint for flexible defenses as well as a potential method for use in indications and warnings against information systems and networks.

The CID System:

An automated system (named CID) demonstrates these analyses in useful application. CID is integrated with a set of specially configured hardware, software, and rooms and the HEAT computer network to provide a cyber-warfare experimentation, analysis, training, and gaming environment called the Cyberwarfare Center. In order to understand the role of CID in this environment, we will begin by describing the environment and its uses.

HEAT is a computer network located at Sandia National Laboratories in California. It was originally designed for experimentation with heterogeneous MIMD parallel processing. HEAT consists of more than 60 networked computers (10 each of Suns, SGIs, IBMs, HPs, DECs, and a larger number of PCs) running a wide range of operating systems and versions, intended to provide a rich environment for testing computer and network security systems and methods. To our knowledge, this is the largest computer security testbed in service today, and it is used on a daily basis to test attacks and defenses.

In order to manage attacks and defenses in HEAT at an affordable cost, automation was needed. Coincidentally, an earlier version of CID was, at that time, being rewritten to operate on a combination of an Oracle database server and a Netscape web server. This left several computers previously used for CID development available for use in controlling HEAT. This control is complex enough, and watching what is happening on more than 60 computers simultaneously requires so much display space, that a 'situation room' was constructed for the purposes of being able to carry out this effort. The capabilities of this room included several projection displays, a small network of computers, and a set of tables and chairs. Given the constraints of space and other facilities, the room was designated for multiple uses, including instruction, strategic gaming, and experimentation with HEAT. Thus the Cyberwarfare Center emerged.

Because experiments on attack and defense against live computer networks requires many samples of attack and defense systems, CID, which already had a substantial collection of tools and a database capability was called into service for coordinating the experimental capabilities needed for work on HEAT, the demonstration capabilities and course materials used in training, the scenarios used for gaming, and the analysis used for experimenting with automated flexible defenses. Today, CID is used for all of these purposes and also forms the core of a repository for research and analysis in information security at Sandia's California site.

CID Management of HEAT

In order to manage HEAT, CID provides a Web-based interface that permits a menu selection of the actions to be performed along with check boxes for the HEAT machines the operation is to be performed on. For example, in order to launch automated attacks against a set of HEAT machines, the user might select "FTP attacks" against the checked machines. Those attacks would then be run with results reported to the browser. The table below depicts this interface with bold italics used in place of check boxes.

Similar interfaces either exist or are being completed to allow control of processes, control of defenses in the form of wrapper programs, audit extraction and analysis, and attacks that simulate modeled threat profiles. In addition to this manual sort of management, tools are being contemplated for automating the placement and control of defenses based on a technique called model-based situation anticipation and constraint.

This management interface can run on multiple machines simultaneously, thus allowing an attacker and a defender to participate in a simulated cyber-battle with the attacker granted only attack capabilities and the defender granted only defensive capabilities based on access controls available in CID. For demonstrations, the attack and defense can run on different displays in the cyberwafare center’s training and control facility with the center screen reserved for projecting briefing material related to the demonstrated attacks and defenses. Through the use of collaborative tools, attackers and defenders in separate gaming suites can be observed from the control facility with each on a different screen. Game control functions including sending briefing, status reports, orders, and other information to the participants is handled via the central display, observers or referees can watch the process from the central site, and trainees can watch the battle either as it happens or in replay. This permits attackers and defenders to review their actions in much the same way as other sorts of exercises provide feedback.

Future experiments are anticipated using automated and human defenses against automated and human attackers both for training humans and for testing automated technologies.

Other Features of CID

In addition to the elements described above, CID provides several important features. In each of the examples above, as well as throughout CID, details of each of all technical terms are available by pressing on the mouse button. This drill-down capability includes citations to relevant literature which may also have embedded citations. We are in the process of scanning in all of the references related to material in CID for instantaneous access, thus allowing rapid literature search and analysis. CID also has a search engine to allow general searches of content and drill-down material for the purpose of finding examples and other related information. Under attacks and defenses, drill-down capabilities lead to specific examples of techniques, in some cases including source code for attacks and defenses that can be applied directly against HEAT or elsewhere. Detailed drill-down is also provided to allow intel-based detailing of threats and linkage of case examples to all elements of the database. In coming implementations, additional capabilities will be provided for linking alternative classification schemes into CID and allowing the same analysis of those schemes as is provided for CID's internal schemes. In such an online collection, access controls are also required to allow need-to-know access to specific details. CID currently has limited access control on all records and is being augmented to allow fine-grained access control to all database elements including access controlled search and analysis. This permits a user with limited access to do all of the analytical functions based only on the knowledge available, while users with more complete access may find better solutions.

Summary, Conclusions, and Future Work

The use of a cause-effect model for analyzing attacks and defenses in computer networks appears to have a bright future. Initial results seem to indicate that computational complexity can be effectively traded off against model resolution and that this allows analysis of complex networks for interesting security properties to be done. The creation of tools in combinations with experimental testbeds has allowed much of this work to be validated through experiments, but clearly this work is still in its infancy. Future work is currently being proposed to move forward from the initial results shown here toward the design and implementation of increasingly automated and integrated tools for analyzing and managing larger networks more effectively.

Properties of the Classification Scheme

The classes described by this classification scheme are not orthagonal. For example, a virus may also be a Trojan horse, may contain a time bomb, and may exploit a privileged program to do damage.

Property2: synergistic -

The classes described herein have synergisms so that standard statistical techniques may not be effective in analyzing them. For example, if two attacks are each 90they become 99while two defenses that are 90combined and may even hinder each others' performance.

Property3: non-specificity -

The classes described are, for the most part, non-specific to an architecture or situation. Actual attacks and defenses, however, are quite specific, and the devil - as they say - is in the details.

Property4: descriptive only -

The classes described here are described descriptively and - with a few notable exceptions - have not been thoroughly analyzed or even defined in a mathematical sense.

Property5: limited applicability -

Each class described here may or may not be applicable in or to any particular situation. While threat profiles and historical information may lead us to believe that certain items are more or less important or interesting, there is no scientific basis today for believing that any of these classes should or should not be considered in any given circumstance. This sort of judgement is made today entirely on the basis of a judgement call by decision makers.

Property6: incompleteness -

The classes given here are almost certainly incomplete in covering the possible or even realized attacks and defenses. This is entirely due to the author's and/or reviewers' lack of comprehensive understanding at this time.

Actors that may Cause Information System Failure (Threats)

Employees, board members, and other internal team members who have legitimate access to information and/or information technology.

Threat2: private investigators -

Private individuals or corporate entities that investigate on a for-fee basis.

Threat3: reporters -

People who work for newspapers, news magazines, television, radio, or other media elements.

Threat4: consultants -

People who work under their own control to provide contract services to others.

Threat5: vendors -

People who sell things to you.

Threat6: customers -

People who you buy things from.

Threat8: competitors -

Other individuals or companies in the same or similar businesses and who stand to gain from your loss or who can gain economic advantage by taking advantage of you.

Threat9: whistle blowers -

People who believe that crimes are being committed and that they have a duty to report them to the proper authorities.

Threat10: hackers -

People who enjoy using computers and exploring the information infrastructure and systems connected to it.

Threat11: crackers -

People who maliciously break into information systems and intentionally cause harm in doing so.

Threat12: club initiates -

People who break into information systems as part of a cerimony to become members of clubs.

Threat13: cyber-gangs -

Groups who roam the information infrastructure breaking into systems and doing harm for fun and profit.

Threat14: tiger teams -

People hired to demonstrate vulnerabilities in systems by exploiting those vulnerabilities.

Threat15: maintenance people -

People who typically have access to physical locations in order to do routine maintenance tasks.

Threat16: professional theives -

People who make their living from stealing things.

Threat17: hoodlums -

People who hurt other people in order to get what they want.

Threat18: vandals -

People who damage things for the fun of it.

Threat19: activists -

People who believe in a cause to the point where they take action in order to forward their ends.

Threat20: crackers for hire -

Crackers who get paid to break into systems and do harm.

Threat21: deranged people -

People who are not as in control over their mental faculties as most other people.

Threat22: organized crime -

Organized groups of professional criminals.

Threat23: drug cartels -

Groups that combine forces in order to manufacture and sell drugs.

Threat24: terrorists -

People who attempt to induce terror in others in order to forward their cause.

Threat25: industrial espionage experts -

People who specialize in harming companies to the benefit of other companies.

Threat26: foreign agents and spies -

People who professionally gather information and commit sabotage for governments.

Threat27: police -

People tasked with enforcing laws.

Threat28: government agencies -

Groups that work as parts of government.

Threat29: infrastructure warriors -

People who specialize in destroying enemy infrastructure.

Threat30: economic rivals -

Companies, groups, and governments that compete on a large scale with your companies, groups, and governments.

Threat31: nation states -

National governments - countries.

Threat32: global coalitions -

Global groups that work together toward common goals.

Threat33: military organizations -

Government-sponsored armed and organized groups.

Threat34: paramilitary groups -

Privately-sponsored armed and organized groups.

Threat35: information warriors -

People who specialize in attacking information systems as part of government-sponsored military operations.

Threat36: extortionists -

People who extort money or goods by threatening harm if not paid off.

Threat37: nature -

Things fall apart. Stuf happens. Nature calls. People die.

Mechanisms by Which Information Systems are Caused to Fail (Attacks)

Erroneous entries or missed entries by designers, implementer, maintainers, administrators, and/or users create vulnerabilities exploited by attackers. Examples include forgetting to eliminate default accounts and passwords when installing a system, incorrectly setting protections on network services, and a wide range of other minor mistakes that can lead to disaster. Complexity: There appear to be an unlimited (finite but unbounded) number of possible errors and omissions in general purpose systems. Special-purpose systems may be more constrained.

Attack2: power failure -

Failure of electrical power causes computer and peripheral failures leading to loss of availability, sometimes requiring emergency response, and otherwise disrupting normal operations. [Winkelman95] [Agudo96] [NSTAC96] [Dagle96]

Attack3: cable cuts -

A cable is cut resulting in disrupted communications, usually requiring emergency response, and otherwise disrupting normal operations.

Attack4: fire -

A fire occurs causing physical damage and permanent as well as temporary faults, requiring emergency response, and otherwise disrupting normal operations.

Attack5: flood -

A flood occurs causing physical damage and permanent as well as temporary faults, requiring emergency response, and otherwise disrupting normal operations.

Attack6: earth movement -

The Earth moves causing physical damage and permanent as well as temporary faults, requiring emergency response, and otherwise disrupting normal operations.

Attack7: solar flares -

Changes on the surface of the sun cause excessive amounts of radiation to be delivered, typically resulting in noise bursts on radio communications, disrupted communications, and other changed physical conditions.

Attack8: volcanos -

A volcano erupts causing physical damage and permanent as well as temporary faults, requiring emergency response, and otherwise disrupting normal operations.

Attack9: severe weather -

Severe weather conditions (e.g., hurricane, tornado, winter storm) occur causing physical damage and permanent as well as temporary faults, requiring emergency response, and otherwise disrupting normal operations.

Attack10: static -

Static electricity builds up on surfaces and causes transient or permanent failures in components.

Attack11: environmental control loss -

Environmental controls required to maintain proper operating conditions for equipment fails causing disruption of services. Examples causes include air conditioning failures, heating failures, temperature cycling, smoke, dust, vibration, corrosion, gases, fumes, chemicals.

Attack12: relocation -

Relocation of equipment causes physical harm to equipment and different exposures of equipment to physical and environmental vulnerabilities.

Attack13: system maintenance -

System maintenance causes period of time when systems operate differently than normal and may result in temporary or permanent inappropriate or unsafe configurations. Maintenance can also be exploited by attackers to create forgeries of sites being maintained, to exploit temporary openings in systems created by the maintenance process, or other similar purposes. Maintenance can accidentally result in the introduction of viruses, by leaving improper settings, and by other similar accidental events. Complexity: Statistical techniques and historical data appear to be quite sufficient to analyze system maintenance.

Attack14: testing -

Testing stresses systems inducing a period of time when systems operate differently than normal and may result in temporary or permanent inappropriate or unsafe configurations.

Attack15: inadequate maintenance -

Inadequate maintenance results in uncovered failures over extended periods of time, possibly inducing a period of time when systems operate differently than normal and may result in temporary or permanent inappropriate or unsafe configurations. Complexity: Statistical techniques and historical data appear to be quite sufficient to analyze maintenance adequacy.

Attack16: Trojan horses -

Unintended components or operations are placed in hardware, firmware, software, or wetware causing unintended and/or inappropriate behavior. Examples include time bombs, use or condition bombs, flawed integrated circuits, additional components on boards, additional instructions in memory, operating system modifications, name overloaded programs placed in an execution path, added or modified circuitry, mechanical components, false connectors, false panels, radios placed in network connectors, displays, wires, or other similar components.

Attack17: dumpster diving -

Waste product is examined to find information that might be helpful to the attacker.

Attack18: fictitious people -

Impersonations or false identities are used to bypass controls, manage perception, or create conditions amenable to attack. Examples include spies, impersonators, network personae, fictional callers, and many other false and misleading identity-based methods.

Attack19: protection missetting exploitation -

Mis-set protections on files, directories, systems, or components are exploited to examine, modify, delete, or otherwise disrupt normal operation.

Attack20: resource availability manipulation -

Resources are manipulated so as to make functions requiring those resources operate differently than normal. Examples include e-mail overflow used to disrupt system operation, [Cohen93] file handle consumption used to prevent audits from operating, [Cohen91] and overloading unobservable network paths to force communications to use observable paths.

Attack21: perception management a.k.a. human engineering -

Causing people to believe things that forward the goal. Examples include tricking a person into giving you their password or changing their password to a particular value for a period of time, talking your way into a facility, and causing people to believe in religious doctrine in order to get them to behave as desired.

Attack22: spoofing and masquerading -

Creating false or misleading information in order to fool a person or system into granting access or information not normally available. Examples include operator spoofing to trick the operator into making an error or giving away a password, location spoofing to trick a person or system into believing a false location, login spoofing which creates a fictitious login screen to get users to provide identification and authentication information, email spoofing which forges email to generate desired results, and time spoofing which creates false impressions of relative or absolute time in order to gain advantage.

Attack23: infrastructure interference -

Interfering with infrastructure so as to disrupt services and/or redirect activities. Examples include creating an accident on a particular road at a particular place and time in order to cause a shipment to be rerouted through a checkpoint where components are changed, taking down electrical power in order to deny information services, modifying a domain name server on the Internet in order to alter the path through which information flows from point to point, and cutting a phone line in order to sever communications.

Attack24: infrastructure observation -

Examining the infrastructure in order to gain information. Examples include watching air ticketing information in order to see when particular people go to particular places and using this as an intelligence indicator, tapping a PBX system in order to record key telephone conversations, and watching for passwords on the Internet in order to gain identification and authentication information to multiple computers.

Attack25: insertion in transit -

Insertion of information in transit so as to forge desired communications. Examples include adding transactions to a transaction sequence, insertion of routing information packets so as to reroute information flow, and insertion of shipping address information to replace an otherwise defaulted value.

Attack26: observation in transit -

Examination of information in transit. Examples include telephone tapping, network tapping, and I/O buffer watching.

Attack27: modification in transit -

Modification of information in transit so as to modify communications as desired. Examples include removing end-of-session requests and providing suitable replies, then taking over the unterminated communications link, modification of an amount in an electronic funds transfer request, and rewriting Web pages so as to reroute subsequent traffic through the attacker's site.

Attack28: sympathetic vibration -

Creating or exploiting positive feedback loops or underdamped oscillatory behaviors so as to overload a system. Examples include electrical or acoustic wave enhancement, the creation of packets in the Internet which form infinite communications loops, and protocol errors causing cascade failures in telephone systems.

Attack29: cascade failures -

Design flaws in tightly coupled systems that cause error recovery procedures to induce further errors under select conditions. Examples include the electrical cascade failures in the U.S. power grid, [WSCC96] telephone system cascade failures causing widespread long distance service outages, [Pekarske90] and inter-system cascades such as power failures bringing down telephone switches required to bring back up power stations.

Attack30: bribes and extortion -

Promises or threats that cause trusted parties to violate their trust. Examples include bribing a guard to gain entry into a building, kidnaping a key employee's family members to gain access to a computer system, and using sexually explicit photographs to convince a trusted employee to provide insider information.

Attack31: get a job -

An attacker gets a job in order to gain insider access to a facility. Examples include getting a maintenance job by under-bidding opponents and then stealing and selling inside information to make up for the cost difference, the planting of spies in intelligence agencies of competitors, and other similar sorts of moles.

Attack32: password guessing -

Sequences of passwords are tried against a system or password repository in order to find a valid authentication. Examples include running the program "crack" on a stolen password file, guessing passwords on network routers and PBX switches, and using well-known maintenance passwords to try to gain entry.

Attack33: invalid values on calls -

Invalid values are used to cause unanticipated behavior. Examples include system calls with pointer values leading to unauthorized memory areas and requests for data from databases using system escape characters to cause interprocess communications to operate improperly.

Attack34: undocumented or unknown function exploitation -

Functions not included in the documentation or unknown to the system owners or operators are exploited to perform undesirable actions. Examples include back doors placed in systems to facilitate maintenance,

Attack35: inadequate notice exploitation -

Lack of adequate notice is used as an excuse to do things that notice would normally have prohibited or warned against. Examples include unprosecutable entry via normally unused services, password guessing through an interface not providing notice, and Web server attacks which bypass any notice provided on the home page.

Attack36: excess privilege exploitation -

A program, device, or person is granted privileges not strictly required in order to perform their function and the excess privilege is exploited to gain further privilege or otherwise attack the system. Examples include Unix-based SetUID programs granted root access exploited to grant attackers unlimited access, access to unauthorized need-to-know information by a systems administrator granted too-flexible maintenance access to a network control switch, and user-programmable DMA devices reprogrammed to access normally unauthorized portions of memory.

Attack37: environment corruption -

The computing environment upon which programs or people depend for proper operation is corrupted so as to cause those other programs to operate incorrectly. Examples include manipulating the Unix FS environment variable so as to cause command interpretation to operate unusually, altering the PATH (or similar) variable in multi-user systems to cause unintended programs to be used, and manipulation of a paper form so as to change its function without alerting the person filling it out. In the physical domain, this includes the introduction of gasses, dust, or other particles, chemicals, or elements into the physical environment. In the electromagnetic realm, it includes waveforms. In the human sense, sound, smell, feel, and other sensory input corruption is included.

Attack38: device access exploitation -

Access to a device is exploited to alter its function or cause its function to be used in unanticipated ways. Examples include removing shielding from a wire so as to cause more easily received electromagnetic emanations, reprogramming a bus device to deny services at a hardware level, and altering microcode so as to associate attacker-defined hardware functions with otherwise unused operation codes.

Attack39: modeling mismatches -

Mismatches between models and the realities they are intended to model cause the models to break down in ways exploitable by attackers. Examples include use of the Bell-LaPadula model of security [Bell73] as a basis for designing secure operating systems - thus leaving disruption uncovered, modeling attacks and defenses as if they were statistically independent phenomena for risk analysis - thus ignoring synergistic effects, and modeling misconfigurations as mis-set protection bits - when the content of configuration files remains uncovered.

Attack40: simultaneous access exploitations -

Two or more simultaneous or split multi-part access attempts are made, resulting in an improper decision or loss of audit information. Examples include the use of large numbers of access attempts over a short period of time so as to cause grant/refuse decision software to act in a previously unanticipated and untested fashion, the execution of sequences of operations required for system takeover by multiple user identities, and the holding of a resource required for some other function to proceed so as to deny completion of that service.

Attack41: implied trust exploitation -

Programs operating in a shared environment inappropriately trust the information supplied to them by untrustworthy programs. Examples include forged data from Domain Name Servers in the Internet used to reroute information through attackers, forged replies from authentication daemons causing untrusted software to be run by access control software, forged Network Information Service packets causing wrong password entries to be used in authenticating attackers, and network-based administration programs that can be fooled into forwarding incorrect administrative controls.

Attack42: interrupt sequence mishandling -

Unanticipated or incorrectly handled interrupt sequences cause system operation to be altered unpredictably. Examples include stack frame errors induced by incorrect interrupt handling, the incorrect swapping out of the swapping daemon on unanticipated conditions, and denial of services resulting from improper prioritization of interrupts.

Attack43: emergency procedure exploitation -

An emergency condition is induced resulting in behavioral changes that reduce or alter protection to the advantage of the attacker. Examples include fires, during which access restrictions are often changed or less rigorously enforced, power failures during which many automated alarm and control systems fail in a safe mode with respect to some - possibly exploitable - criteria, and computer incident response during which systems administrators commonly deviate - perhaps exploitably - from their normal behavioral patterns.

Attack44: desychronization and time-based attacks -

Systems that depend on synchronization are desynchronized causing them to fail or operate improperly. Examples include DCE servers that may deny services network-wide when caused to become desynchronized beyond some threshold, cryptographic systems which, once desynchronized may take a substantial amount of time to resynchronize, automated software and systems maintenance tools which may make complex decisions based on slight time differences, and time-based locks which may be caused to open or close at the wrong times.

Attack45: imperfect daemon exploits -

Daemon programs designed to provide privileged services upon request have imperfections that are exploited to provide privileges to the attacker. Examples include Web, Gopher, Sendmail, FTP, TFTP, and other server daemons exploited to gain access to the server from over a network, internal use only daemons such as the Unix cron facility exploited to gain root privileges by otherwise unprivileged users, and automated backup and recovery daemons exploited to overwrite current versions of programs with previous - more vulnerable - versions.

Attack46: multiple error inducement -

The introduction of multiple errors is used to cause otherwise reliable software to fail in unanticipated ways. Examples include the creation of an input syntax error with a previously locked error-log file resulting in inconsistent data state, the premature termination of a communications protocol during an error recovery process - possible causing a cascade failure, and the introduction of simultaneous interleaved attack sequences causing normal detection methods to fail. [Hecht93] [Thyfault92]

Attack47: viruses -

Programs that reproduce and possibly evolve. Examples include the 11,000 or so known viruses, custom file viruses designed to act against specific targets, and process viruses that cause denial of service or thrashing within a single system.

Attack48: data diddling -

Modification of data through unauthorized means. Examples include non-database manipulation of database files accessible to all users, modification of configuration files used to setup further machines, and modification of data residing in temporary files such as intermediate files created during compilation by most compilers.

Attack49: van Eck bugging -

Electromagnetic emanations are observed from afar. Examples include the tapping of Scotland Yard by a reporter to demonstrate a $100 remote tapping device and observed emanations from financial institutions indicative of pending trades.

Attack50: electronic interference -

Jamming signals are introduced to cause failures in electronic communications systems. Examples include the method and apparatus for altering a region in Earth atmosphere, ionosphere, and/or magnetosphere, and common radio jamming techniques.

Attack51: PBX bugging -

Point Branch eXchanges or similar switching centers are attacked in order to exploit weaknesses in their design allowing connected telephone instruments to be tapped. Examples include on-hook bugging of hand-held instruments, open microphone listening, and exploitation of silent conference calling features.

Attack52: audio/video viewing -

Audio and video input devices connected to computers for multi-media applications are exploited to allow attackers to look at and listen to events at remote locations. Examples include most versions of video and audio equipment currently connected to multi-media workstations and some video-phone systems.

Attack53: repair-replace-remove information -

Repair processes are exploited to extract, modify, or destroy information. Examples include computer repair shops copying information and reselling it and maintenance people introducing computer viruses.

Attack54: wire closet attacks -

Break into the wire closet and alter the physical or logical network so as to grant, deny, or alter access. Examples include wire tapping techniques, malicious destruction of wiring causing service disruption, and the introduction of video tape players into surveillance channels to hide physical access.

Attack55: shoulder surfing -

Watching over peoples' shoulders as they use information or information systems. Examples include watching people as they enter their passwords, watching air travelers as they use their computers and review documents while in flight, and observing users in normal operations to understand standard operating procedures.

Attack56: data aggregation -

Legitimately accessible data is aggregated to derive unauthorized information. Examples include getting the total departmental salary figures just before and after a new employee is hired to derive the salary of the new hire, attending a wide range of unclassified but private meetings in a particular area in order to gain an overall picture of what work a group is doing, and tracking movements of many people from a particular organization and correlating that information with job titles and other events to derive intelligence indicators.

Attack57: process bypassing -

Bypassing a normal process in order to gain advantage. Examples include retail returns department employees entering false return data in order to generate refund checks, use of computer networks to generate additional checks after the legitimate checks have passed the last integrity checks, and altering pricing records to reflect false inventory levels to cover up thefts.

Attack58: content-based attacks -

The content sent to an interpretive mechanism causes that mechanism to act inappropriately. Examples include Web-based URLs that bypass firewalls by causing the browser within the firewall to launch attacks against other inside systems, macros written in spreadsheet or word processing languages that cause those programs to perform malicious acts, and compressed archives that contain files with name clashes causing key system files to be overwritten when the archive is decompressed.

Attack59: backup theft, corruption, or destruction -

Backups protected less comprehensively than on-line copies of information are attacked. Examples include the placement of magnetic devices in backup storage areas in order to erase or corrupt magnetic backups, the infection of backup media by computer viruses, and the theft of backup media being disposed near the end of its lifecycle.

Attack60: restoration process corruption or misuse -

The process used to restore information from backup tapes is corrupted or misused to the attackers advantage. Examples include the creation of fake backups containing false information, alteration of tape head alignments so that restoration fails, and the use of privileged restoration programs to grant privilege by restoring protection settings or ownerships to the wrong information.

Attack61: hangup hooking -

Activity termination protocols fail or are interrupted so that termination does not complete properly and the protocol is taken over by the attacker. Examples include modem hangup failures leaving logged-in terminal sessions open to abuse, interrupted telnet sessions taken over by attackers, preventing proper protocol completion as in the Internet SYN attacks so as to deny subsequent services, and refusing to completely disconnect from a call-back modem at the CO, causing the call-back mechanism to become ineffective.

Attack62: call forwarding fakery -

Call forwarding capabilities are abused. Examples include the use of computer controlled call forwarding to forward calls from call-back modems to that attackers get the call-backs, forwarding calls to illegitimate locations so as to intercept communications and provide false or misleading information, and the use of programmable call forwarding to cause long distance calls to be billed to the forwarding party's account.

Attack63: input overflow -

Excessive input is used to overrun input buffers, thus overwriting program or data storage so as to grant the attacker undesired access. Examples include sendmail overflows resulting in unlimited system access from attackers over the Internet, Web server overflows granting Internet attackers unlimited access to Web servers, buffer overruns in privileged programs allowing users to gain privilege, and excessive input used to overrun input buffers causing loss of critical data so as to deny services or disrupt operations.

Attack64: illegal value insertion -

Values not permitted by the specification but allowed to pass the implementation are used to cause abnormal results. Examples include negative dates producing negative interest which accrues to the benefit of the attacker, cash withdrawal values which overflow signed integers in balance adjustment causing large withdrawals to appear as large deposits, and pointer values sent to system calls that point to areas outside of authorized address space for the calling party.

Attack65: residual data gathering -

Data left as a result of incomplete or inadequate deletion is gathered. Examples include object reuse attacks like the DOS undelete command in insecure operating systems, electromagnetic analysis of deleted media to regain deleted bits, and electron microscopy techniques used to extract overwritten data.

Attack66: privileged program misuse -

Programs with privilege are misused so as to provide unauthorized privileged functions. Examples include the use of a backup restoration program by an operator to intentionally restore the wrong information, misuse of an automated script processing facility by forcing it to make illicit copies of legitimate records, and the use of configuration management tools to create vulnerabilities.

Errors caused by the attacker induce incorrect operations. Examples include the creation of a faulty network connection to deny network services, the intentional introduction of incorrect data resulting in incorrect output (i.e., garbage in - garbage out), and the use of a scratched and bent diskette in a disk drive to cause the drive to permanently fail.

Attack68: audit suppression -

Audit trails are prevented from operating properly. Examples include overloading audit mechanisms with irrelevant data so as to prevent proper recording of malicious behavior, network packet corruption to prevent network-based audit trails from being properly recorded, and consuming some resource critical to the auditing process so as to prevent audit from being generated or kept.

Attack69: induced stress failures -

Stresses induced on a system cause it to fail. Examples include paging monsters that result in excessive paging and reduced performance, process viruses that consume various system resources, and large numbers of network packets per unit time which tie up systems by forcing excessive high-priority network interrupt processing.

Attack70: hardware failure - system flaw exploitation -

Known hardware or system flaws are exploited by the attacker. Examples include a hardware flaw permitting a power-down instruction to be executed by a non-privileged user, causing an operating system to use results of a known calculation error in a particular microprocessor for a key decision, and sending a packet with a parameter that is improperly handled by a network component.

Attack71: false updates -

Causing illegitimate updates to be made. Examples include sending a forged update disk containing attack code to a victim, interrupting the normal distribution channel and introducing an intentionally flawed distribution tape to be delivered, and substituting a false update disk for a real one at the vendor or customer site.

Attack72: network service and protocol attacks -

Characteristics of network services are exploited by the attacker. Examples include the creation of infinite protocol loops which result in denial of services (e.g., echo packets under IP), the use of information packets under the Network News Transfer Protocol to map out a remote site, and use of the Source Quench protocol element to reduce traffic rates through select network paths.

Attack73: distributed coordinated attacks -

A set of attackers use a set of vulnerable intermediary systems to attack a set of victims. Examples include a Web-based attack causing thousands of browsers used by users at sites all around the world to attack a single victim site, a set of simultaneous attacks by a coordinated group of attackers to try to overwhelm defenses, and an attack where thousands of intermediaries were fooled into trying to gain access to a victim site.

Attack74: man-in-the-middle -

The attacker positions forces between two communicating parties and both intercepts and relays information between the parties so that each believes they are talking directly to the other when, in fact, both are communicating through the attacker. Examples include attacks on public key cryptosystems permitting a man-in-them-middle to fool both parties, attacks wherein an attacker takes over an ongoing telecommunications session when one party decides to terminate it, and attacks wherein an attacker inserts transactions and prevents responses to those transactions from reaching the legitimate user.

Attack75: selected plaintext -

The attacker gets one of the parties to encrypt or sign one or more messages of the attacker's choosing, thus causing information about the victim's system to be revealed. Examples include causing a user of the RSA signature system to reveal their secret key through a series of signatures, the introduction of malicious commands into the data entry stream of a victim who is blindly following directions of a remote person claiming to be assisting them, and inducing a bank to make a series of attacker-specified transactions so as to cause cryptographic protocols, methods, or keys to be revealed.

Attack76: replay attacks -

Communicated information is replayed and causes unanticipated side effects. Examples include the replay of encrypted funds transfer transmissions so as to cause multiples of an original sum of money to be transferred, replay of coded messages causing the repeated movement of troops, replay of transaction sequences that simulate behavior so as to cover up actual behavior, and the delayed replay of events such as races so as to deceive a victim.

Attack77: cryptanalysis -

Cryptographic techniques are analyzed so as to find methods to break codes used to secure information. Examples include frequency analysis for breaking monoalphabetic substitution ciphers, index of coincidence analysis for breaking polyalphabetic substitution ciphers, the breaking of the Enigma cipher in World War II through mathematical and optical techniques combined with knowledge of keys and key usage, exhaustive attacks on the DES encryption standard, code-listeners for breaking many analog speech encoding systems, and improved factoring for breaking cryptosystems based on modular arithmetic.

Attack78: breaking key management systems -

Keys in cryptographic systems are managed by imperfect management systems that are attacked in order to gain access to keying materials. Examples include attacks based on inadequate randomness in key generation techniques, exploitation of selected plaintext attacks against inadequately implemented automated encryption systems, and breaking into computers housing keying materials.

Attack79: covert channels -

Channels not normally intended for information flow are used to flow information. Examples include widely known covert channels in secure operating systems, time-based covert channel exploitation in encryption engines, and covert channels created by the association of movements of people with activities.

Attack80: error insertion and analysis -

Errors are induced into systems to reveal values stored in those systems. Examples include recent demonstrations of methods for inducing errors so as to reveal keys stored in smart-cards and other similar key-transportation devices, the introduction of multiple errors into redundant systems so as to cause the redundancy to fail, and the introduction of errors designed to cause systems to no longer be used in critical applications.

Attack81: reflexive control -

Reflexive reactions are exploited by the attacker to induce desired behaviors. Examples include the creation of attacks that appear to come from a friend so as to cause automated response systems to shut down friendly communication, induction of select flaws into the power grid so as to cause SCADA systems to reroute power to the financial advantage of select suppliers, and the use of forged or interrupted signals so as to cause friendly fire incidents.

Attack82: dependency analysis and exploitation -

Interdependencies of systems and components are analyzed so as to determine indirect effects and attack weak points upon which strong points depend. Examples include attacking medical information systems in order to disrupt armed forces deployments, attacking the supply chain in order to corrupt information within an organization, and attacking power grid elements in order to disrupt financial systems.

Attack83: interprocess communication attacks -

Interprocess communications channels are attacked in order to subvert normal functioning. Examples include the introduction of false interprocess signals in a network interprocess communications protocol causing misbehavior of trusted programs, the disruption of interprocess communications by resource exhaustion so as to prevent proper checking or reduce or eliminate functionality, and observation of interprocess communications stored in shared temporary data files so as to gain unauthorized information.

Attack84: below-threshold attacks -

Attack detection based on thresholds of activity that differentiate between attacks and similar non-malicious behaviors is exploited by launching attacks that operate below the detection threshold. Examples include breadth-first password guessing attacks, breadth-first port scanning attacks, and low bandwidth covert channel exploitations.

Attack85: peer relationship exploitation -

The transitive trust relationships created by peer-networking are exploited so as to expand privileges to the transitive closure of peer trust. Examples include the activities carried out by the Morris Internet virus in 1988, the exploitation of remote hosts (.rhosts) files in many networks, and the exploitation of remote software distribution channels as a channel for attack.

Attack86: inappropriate defaults -

Unchanged default values set into systems at the factory or in a standard distribution process are known to and exploited by attackers to gain unauthorized access. Example include default passwords, default accounts, and default protection settings.

Exploiting a (usually false) association to gain advantage. Examples include walking into a secure facility with a group of other people as one of the crowd, acting like an ex-policeman to gain intelligence about ongoing police activities, and adding a floppy disk to a series of floppy disks delivered as part of a normal update process.

Attack88: collaborative misuse -

Collaboration of several parties or identities in order to misuse a system. Examples include creation of a false identity by one party and entry of that identity into a computer database by a second party, provision of attack software by an outsider to an insider who is participating in an information theft, partitioning of elements of an attack into multiple parts for coordinated execution so as to conceal the fact of or source of an attack, and the providing of alibis by one party to another when the collaborated in a crime.

Attack89: race conditions -

Interdependent sequences of events are interrupted by other sequences of events that destroy critical dependencies. Examples include the change of conditions tested in one step and depended upon for the next step (e.g., checking for the existence of a file before creating it interrupted by the creation of a file of the same name by another owner), changes between one step in a process and another step assuming that no such change has been made (e.g., the replacement of a mounted file system previously loaded with data in a start-up process), and waiting for non-locked resources available in one step but not in the next (e.g., the mounting of a different tape between an initial read-through and a subsequent restoration).

Attack90: strategic or tactical deceptions -

Deceptions are generally categorized as comprising of concealment, camouflage, false and planted information, ruses, displays, demonstrations, feints, lies, and insight (as described in [Dunnigan95] Jim (James F.) Dunnigan and Albert A. Nofi, Victory and Deceit - Dirty Tricks at War, William Morrow and Co., 1995.) Examples include the creation of a questionnaire asking for detailed information security backgrounds under the auspices of a possible contract used to determine what expertise is available at a particular company to defend against a particular type of attack (a ruse), the creation of a false front organization such as a garbage collection business in order to gain access to valuable information often placed in the trash (camouflage) and the claim of having special capabilities in your upcoming product in order to force other vendors to work in that area even though you never intend to enter into it (a feint).

Attack91: combinations and sequences -

Many attacks combine several techniques synergistically in order to affect their goal. Examples include exploiting an emergency response to a flood to gain entry into a terminal room where password guessing gains entry into a system and subsequent data diddling alters billing records, the use of a virus to create protection missetting which are subsequently exploited by planting a Trojan horse to allow reentry and the creation of fictitious people in key offices who are automatically granted access to appropriate systems (process bypassing) to allow the attacker access to other systems, and the creation of an attractive Web site designed to exploit users who visit it by sending their browsers content-based attacks that set up covert channels through firewalls and extend access through peer network relationships to other systems within the victim's network.

Attack92: kiting -

Inherent delays are exploited by creating a ring of events that chase each others' tails, thus creating the dynamic illusion that things are different the static case would support. Examples include check kiting schemes where delays in processing checks causes temporary conditions where the sum of the balances indicated in a set of accounts is far greater than the total amount of money actually invested, techniques for avoiding payments of debts for a long time based on legally imposed delays in and rules regarding the collection of debts by third parties, and the use of revoked keys in key management systems without adequate revocation protocols.

Attack93: salami attacks -

Many small transactions are used together for a larger aggregated effect. Examples include taking round-off error amounts from financial interest computations and adding them to the thief's account balance (resulting in no net loss to the system), the slow leakage of information through covert channels at rates below normal detection thresholds, and economic intelligence gathering efforts involving the aggregation of small amounts of information from many sources to derive an overall picture of an organization.

Attack94: repudiation -

A transaction or other operation is repudiated by the party recorded as initiating it. Examples include repudiating a stock trade, claiming your account was broken into and that you didn't do it, and asserting that an electronic funds transfer was not done.

Mechanisms Which May Prevent, Limit, Reduce, or Mitigate Harm (Defenses)

Strong change control requires that research and development be partitioned from production and that an intervening change control area be put in place that (1) prevents unauthorized changes from passing, (2) verifies the propriety of all changes, (3) tests all changes against sample production data, (4) only passes verified source code from research and development to production, (5) verifies that all changes are necessary for their stated purpose, (6) verifies that all changes are suitable to their stated purpose, (7) verifies that all changes clearly accomplish their stated purpose and no other purpose, and (8) verifies that the purpose is necessary and appropriate for the production system and authorized by management.

Defense2: waste data destruction -

Effective destruction of waste products so as to make the cost of exploiting those waste products commensurate with the value of keeping those waste products from being exploited. Examples include:
• shreading of waste paper,
• destruction of electromagnetic media,
• removal and destruction of labels and other related information, and
• the introduction of noise to reduce the signal-to-noise ratio.

Defense3: detect waste examination -

Detection of attempts to exploit waste products. Examples include:
• the planting of false information that is easily traceable to the method of dissemination if discovered,
• the use of sensors in waste storage and processing areas to detect and observe activities carried out there, and
• auditing and testing of the destruction process.

Physical and/or informational devices are used to sense properties indicative or abnormal operations or activities. Examples include:
• motion sensors in physically secured areas,
• explosive detecting sensors in doorways, and
• informational sensors in a firewall to detect unauthorized access attempts.

Defense5: background checks -

Information about the background of an individual or organization is gathered in order to assess their trustworthiness for performing desired functions. Examples include:
• inexpensive commercial background checks commonly used in pre-employment screening,
• credit and financial checks commonly used in loan processing, and
• in-depth background checks used for government security clearances.

Defense6: feeding false information -

False information is fed to attackers in order to inhibit the success of their attacks. Examples include:
• providing misleading information to cause foreign governments to spend money on useless lines of research,
• providing false information that will be easily detected by a potential purchaser of information so that the attacker will lose face, and
• the creation of honey pots, lightning rods, or similar target systems designed to be attractive targets and redirect attacks away from more sensitive systems.

Defense7: effective mandatory access control -

Access to information and/or systems and infrastructure is controlled by a set of mechanisms that are not under discretionary control and cannot be bypassed. Examples include:
• the objective implementation of trusted systems,
• POset and Lattice-based systems, and
• systems using digital diodes and/or guard applications to limit access.

Defense8: automated protection checkers and setters -

Automated programs check protection settings of all protected resources in a system to verify that they are properly set. Examples include:
• several Unix-based tools,
• NID and similar multi-platform tools, and
• network security management tools.

Defense9: trusted applications -

Trusted programs may be used to implement or interact with applications. Examples include:
• secure Web and Gopher servers designed to provide secure versions of commonly used services, [Cohen97]
• trusted mail guards used to permit information flow that would be in violation of policy in a Bell-LaPadula-based system if not implemented by a trusted program, and
• most device drivers written for secure operating systems.

Defense10: isolated sub-file-system areas -

Portions of a file system are temporarily isolated for the purpose of running a set of processes so as to attempt to limit access by those processes to that subset of the file system. Examples include:
• the Unix Chroot environment,
• mandatory access controls in POset configurations, and
• VM's virtual disks.

Defense11: quotas -

Each user, group of users, function, program, or other consumer of system resources is granted limited resources by the setting of quotas over the use of those resources by the consumers. Examples include:
• disk quotas available in many operating systems,
• CPU cycle quotas imposed in some environments on a usage per time basis,
• memory usage quotas imposed on many timesharing systems, and
• file handle quotas commonly used in timesharing systems.

Defense12: properly prioritized resource usage -

Resource usage is prioritized so as to fail to provide proper resources only under conditions where success is not possible. Examples of avoiding improper prioritization abound, but only theoretical solutions typically exist for achieving optima.

Defense13: detection before failure -

Redundancy of some sort is used to detect faults before they result in failures. Examples include:
• multi-version systems,
• coding-based fault detection, and
• testing for faults.

Defense14: human intervention after detection -

Once an incident is detected, people intervene. Examples include:
• most methods for disaster recovery (which require human involvement during the recovery process),
• updating of known-virus checkers for new viruses, and
• recovering from most denial of service attacks.

Defense15: physical security -

Physical means are used to prevent harm. Examples include:
• guards, guns, and gates
• fences and other barriers, and
• physics-based alarm systems.

Defense16: redundancy -

Redundancy is used to mitigate risks. Examples include:
• the use of backups,
• standbye systems, and
• cyclic redundancy (CRC) codes.

Defense17: uninterruptable power supplies and motor generators -

Power supply assureance devices assure that electrical power - the life blood of information technology - operates continuously.
• Uninterruptable power supplies provide continuous conditioned power to critical equipment during brownouts, blackouts, and across a wide range of electrical conditions.
• Motor generators provide long-term slow response-time backup power in cases of wide area outages or long-term outages.
• Power conditioning switches, supplies, and other devices assure against power spikes, lightning, and similar events.

Defense18: encryption -

Information is transformed into a form which obscures the content so that the attacker has difficulty understanding it. Examples include:
• DES encryption for protecting transmitted information,
• RSA cryptosystem for exchanging session keys over an open channel, and
• the one-time-pad which provides perfect secrecy if properly implemented.

Defense19: overdamped protocols -

Protocols that tend ro reduce the traffic volume over time are used to prevent positive feedback in network traffic. Examples include:
• protocols that inherently produce less output than input,
• protocols designed to detect loops and eliminate them, and
• protocols that guarantee that the acknowledgement process produces a bounded number of packets.

Defense20: temporary blindness -

Temporarily ignore certain sets of signals based on the belief that they are unreliable. Examples include:
• temporarily ignoring network nodes that appear to be misbehaving,
• temporarily disabling accounts for increasing time periods for each failed password attempt, and
• partitioning a network as an emergency procedure in response to an incident.

Defense21: fault isolation -

When faults are detected, faulty components are isolated from non-faulty components so that the faults do not spread. Examples include:
• the partitioning of corporate networks from the Internet during the Morris Internet virus,
• the normal partitioning of faulty components of the power grid from the rest of the grid, and
• the partitioning of the telephone system into critical and non-critical circuits during a national emergency.

Defense22: out-of-range detection -

Entries not within acceptable bounds are detected. For example:
• negative values for entries that should be positive,
• values for future dates earlier than the present, and
• pointers to locations outside of the user's addressible space might all be detected.

Defense23: reintegration -

Systems or other elements removed from service are put back into service. Examples include:
• the rebooting of systems that have crashed in loosely coupled networks,
• the use of checkpoints and transaction replay for resyncronization in more tightly coupled transaction systems, and
• hardware replacement and resynchronization used in redundant computers.

Defense24: training and awareness -

People are made aware of and trained about how to respond to attack techniques. Examples include training and awareness seminars, in-house awareness programs, and demonstrations wherein users are shown how they might be vulnerable.

Defense25: policies -

Organizations provide specifications of what is expected and how governance is to be affected. Examples include a clear usage policy with details of how it is enforced and what happens to those who break the rules, a policy against using illegal copies of software so as to reduce liability, and clear specification of who is responsible for what functions.

Defense26: rerouting attacks -

Attacks are shunted away from the most critical systems. Examples include honey pots used to lure attackers away from real targets and toward false and planted information, lightning rods used to create attractive targets so that attackers direct their energies away from real targets, shunts used to selectively route attacks around potential targets, and jails used to encapsulate attackers during attacks and gather information about their methods for subsequent analysis and exploitation.

Defense27: standards -

Specific identified methods are specified to implement protection in the hope that they have been well studied and there is a community investment in their use. Examples include the use of X.509 certificates for interoperable key-managed encrypted data transport, Orange book B1 approved systems for increased operating system security assurance, and ISO-9000 processes for high-quality industrial-grade quality assurance.

Defense28: procedures -

Specific identified methods are applied in specific ways to implement protection in the hope that, by uniformly applying these methods, they will be effective. Examples include the use of checklists to verify proper status during preflight, regularly performing backups to assure that information is not inadvertently lost, and a standard method for dealing with bomb threats made over the telephone.

Defense29: auditing -

Events of potential security relevance are generated. Examples include audit records made by financial systems and used to identify fraudulent use, sign-in sheets used to identify who has entered and/or left an area and at what times, and computer-generated audit records that track logins, program executions, file accesses, and other resource uses.

Defense30: audit analysis -

Audit trails are analyzed in order to detect record sequences indicative of illicit or unexpected activities. Examples include searching for indicators of known attacks that appear in audit records, sorting and thresholding of audit trails to detect patterns of misuse, and the cross-correlation of audit records to detect inconsistencies.

Defense31: misuse detection -

Indicators of misuse are analyzed in order to detect specific sequences indicative of misuse. Examples include audit-based misuse detection, analysis of system state to detect misset values or unauthorized changes, and network-based observation of terminal sessions analyzed to detect known attack sequences.

Defense32: anomoly detection -

Patterns of behavior are tracked and changes in these patterns are used to indicate attack. Examples include detection of excessive use, detection of use at unusual hours, and detection of changes in system calls made by user processes.

Defense33: capture and punishment -

Once detected, perpetrators are arrested, tried, convicted, and punished. Examples abound - there is an old saying - the best deterent is swift and certain capture and punishment.

Defense34: improved morality -

People are brought into a level of moral agreement and awareness that prevents them from doing the wrong thing. Examples abound, but situation ethics classes, improved morality training, and ethics classes have been used to affect this goal.

Defense35: awareness of implications -

Making people aware of the penalties and consequences of actions is used to disuade improper behavior. Examples include briefings on the people who have been caught and punished, details of what has happened to innocent victims as a result of previous breached of protection, and personal appearances by people who have been involved in the process.

Defense36: periodic reassessment -

Protection is reassessed periodically to update methods so as to reflect changes in technology, personnel, and other related factors. Examples include periodic reviews, annual outside audits, and regular testing.

Defense37: least privilege -

An individual is granted enough privilege to accomplish assigned tasks, but no more. Examples include limitations on control over infrastructure,

Defense38: financial situation checking -

Financial records of individuals are checked to detect unusual patterns indicative of bribes, extortion, or other impropriety. Examples include periodic examination of banking records, periodic observation to detect excessive or inadequate lifestyle, and credit checks.

Defense39: good hiring practices -

Background checks, reference checks, and other similar hiring practices are used to verify that employees are likely to be loyal, upstanding, honest, and trustworthy.

Defense40: separation of duties -

Responsibilities and privileges should be allocated in such a way that prevents an individual or a small group of collaborating individuals from inappropriately controlling multiple key aspects of a process and causing unacceptable harm or loss. Examples include limiting need to know areas for individuals, eliminating single administrative points of failure, and limiting administrative domains.

Defense41: separation of function -

Functions of systems and networks should be separated in such a way that prevents individual or common-mode faults from producing unacceptable harm or loss. Examples include the use of separate and different media for backups, the division of interlinking functional elements over a set of neet-to-know areas, and

Defense42: multi-person controls -

More than one person is required in order to enact a critical function. Examples include controls to require that two people simultaneously urn keys in order to launch a weapon, cryptographic key distribution systems in which keys are shared among many individuals, a subgroup of which is required to participate in order to grant access, and voting systems in whicch a majority must agree before an action is taken.

Defense43: multi-version programming -

Multiple program versions are independently developed in order to reduce the likelihood of similar faults creating catastrophic failures. Examples include the redundant software used to control the dynamically unstable Space Shuttle during reentry, software used in other critical space systems, and software used in safety systems.

Defense44: hard-to-guess passwords -

Hard-to-guess passwords (something you know) are used to make password guessing difficult. Examples include automatically generated passwords, systems that check passwords when entered, and systems that try to guess passwords in an effort to detect poor selections.

Defense45: augmented authentication devices time or use varient -

Something you have or can do is used to augment normal authentication, typically by a time or use variation in the authentication string. Examples include the Secure-ID authentication device and similar cards, algorithmic authentication, and challenge-response cards.

Defense46: biometrics -

Unique or nearly-unique characteristics of the individual (something you are) is used to authenticate identity. Examples include finger prints, voice prints, retinal blood vessel patterns, DNA sequences, and facial characteristics.

Defense47: authorization limitation -

Authorization is limited in time, space, or otherwise. Examples include limitations of when a user can make certain classes of requests, where requests can be made from, and how much information an individual may attain.

Defense48: security marking and/or labeling -

Markings and/or labels are used to identify the sensitivity of information. Examples include electronic marking within the computer systems, physical marking on each sheet of paper, and labeling of tapes and other storage media.

Defense49: classifying information as to sensitivity -

Information is classified as to its sensitivity when it is created. Examples include the standard classification processes in most large businesses and government agencies, the automated classification of information in trusted systems based on the information it is derived from, and the declassification process performed by the government in order to periodically reassess the sensitivity of information.

Defense50: dynamic password change control -

Users are required to periodically change authentication information. Examples include periodic password change requirements, use-based change requirements, and protection against reuse of passwords or trivial variations on past passwords.

Defense51: secure design -

By designing hardware, software, and/or networks more securely, attacks are made more difficult. Examples include the use of proven secure software, verified designs, and inherently secure architectures.

Defense52: testing -

Tests are used to improve the assurance that protection is effective. Examples include regression testing, functional testing, protection testing, complete tests, and a slew of other techniques. [Lyu95] [Cohen94] [Linn83] [Moyer96] [Pfleeger89] [Puketza96] [Sabnani85] [Sarikaya82] [Bishop96] [Chung95] [Cohen97-13]

Defense53: known-attack scanning -

Looking for known attack sequences as indicated by state or audit information. Examples include virus scanning and pattern matching in audit trails against known attack signatures, and virus monitors that check each program for known viruses at load-time.

Defense54: accountability -

People are held accountable for actions. Examples include vesting ownership in information, tracking activities to individuals, and performance measures of individuals.

Defense55: integrity shells -

Cryptographic checksums or secured modification-time information are used to detect changes to information just before the information is interpreted. Examples include several products on the market and experimental systems. [Cohen88-2] [Cohen88]

Defense56: fine-grained access control -

Access control is provided over increasingly smaller data sets, perhaps down to the bit level. Examples include database field-based access controls, record-by-record controls, and multi-level secure markings of portions of documents.

Defense57: change management -

Changes are controlled so as to increase the assurance that they are valid. Examples include change control systems for software, roll-back and back-out capabilities for updates, and strong change control processes in use in select critical applications.

Defense58: configuration management -

Configurations are managed so as to eliminate known vulnerabilities and assure that configurations are in keeping with policies. Examples include many configuration management tools now available for implementing protection policy across a wide range of platforms, menu-based tools used to set up and administer systems, and tools used to configure and manage firewalls.

Defense59: lockouts -

Entry points or functions are locked to prevent their use - typically in response to an identified threat. Examples include the use of physical locks used to prevent an intruder from escaping, lockout of computer accounts based on incorrect authentication, and lockouts used to prevent people from using systems or network components while under maintenance.

Defense60: drop boxes and processors -

A secured facility is provided for putting valuable information or documents so that it cannot be removed or can only be removed by authorized individuals. Examples include the IBM Abyss processor for secure network-based processing, password analysis components that take in passwords and reveal only whether they were right or wrong, and drop boxes used to place money in for night deposit.

Defense61: authentication of packets -

Packets of information are authenticated. Typical examples include the use of cryptographic checksums, routing information, redundancy inherent in data to test the authenticity and consistency of information.

Defense62: analysis of physical characteristics -

Physical characteristics of information, systems, components, or infrastructure is analyzed to detect deviations from expectations. Examples include the use of time domain reflectometers to detect wiring changes and listening devices, the use of pressure and gas sensors in pipes containing critical wiring to detect breaches of the enclosure, and the analysis of dollar bills to detect forgeries.

Defense63: encrypted authentication -

Authentication information is encrypted in storage or during transit. Examples include the encryption of plaintext passwords passed over networks, the encryption of authenticating information that uniquely identifies a physical item such as a piece of paper by minor deviations in it's surface, and the distribution of authentication over multiple paths to reduce path dependency.

Defense64: tempest protection -

Protection against the exploitation of electromagnetic emanations. Examples include Faraday cages to reduce emanations in the appropriate frequency ranges, the use of special low-emanations components, power levels, and design, and the filtering of power supplies.

Defense65: increased or enhanced perimiters -

Perimiter areas are widened or enhanced so as to provide suitable protection. Examples include increased distance, improved strength or quality in the perimiters, and the use of multiple perimiters in combination such as the combination of a moat and a wall.

Defense66: noise injection -

Noise is injected in order to reduce the signal to noise ration and make compromise more difficult. Examples include the creation of deceptions involving false or misleading information, the induction of electrical, sonic, and other forms of noise to reduce the usability of eminations, and the creation of active noise-reducing barriers to eliminate external noises which might be used to cause speach input devices to take external commands or inputs.

Defense67: jamming -

Signals are used to disrupt communications. Examples include desynchronization of cryptographic systems by induction of bit or signal alterations, the introduction of erroneous bits at a rate or distribution such that checksums or CRC codes are unable to provide adequate coverage, and the intruduction of noise signals in a particular frequency range so as to reduce effective bandwidth for a particular communications device or system.

Defense68: spread spectrum -

The use of frequency-hopping radios or devices to reduce the effect of jamming and complicate listening in on communications. Examples include spread-spectrum portable telephones now available in for homes and spread spectrum radios used in the military.

Defense69: path diversity -

Multiple paths are used to reduce the dependency on a single route of communications or transportation. Examples include the use of different motor routes selected at random near the time of use to avoid hijacking of shipments, the use of multiple network paths used to assure reliability and increase the cost of jamming or bugging, and the use of multiple suppliers and multiple apparent delivery names and addresses to reduce the effect of Trojan horses placed in hardware.

Defense70: quad-tri-multi-angulation -

Multiple signals from different views are coordinated in order to uniquely locate it. Examples include signal triangulation to locate ships on Earth (a near-plane), quadrangulation used in the global positioning system (GPS) to locate a point in 3-space (plus time), and the use of multiple audit trails in a network infrastructure to locate the source of a signal or malicious bit-stream.

Defense71: Faraday boxes -

Conductive enclosures are used to eliminate emanations and induced signals from an enclosed environment. Examples include the use of tempest shielding to reduce eminations from video display units, the use of wire mesh enclosures to eliminate emanations from small installations and computer rooms, and the use of metalic enclosures to prevent electromagnetic pulse weapons from disabling enclosed systems.

Defense72: detailed audit -

Auditors examine an information system to provide an opinion on the suitability of the protective measures for effecting the specified controls. Examples include the use of internal auditors and external auditors.

Defense73: trunk access restriction -

High bandwidth or privileged access ports and lines have restricted access. Examples include protection of trunk telephone lines from access by calls originating on outside lines, limiting access to high-bandwidth infrastructure elements, and physically securing an Ethernet within a building.

Defense74: information flow controls -

Controls that limit the flow of information. Typical examples include mandatory access controls (MAC) used in trusted systems, router configuration which is often used to contain data between members of an organization to remain within the organization, and information flow controls based on work models.

Defense75: disconnect maintenance access -

Maintenance ports are disconnected or controlled so as to effectively eliminate unauthorized access. Example include the proper use of cryptographic modems for covering maintenance ports, the connection of maintenance ports only when maintenance is underway and properly supervised, and the elimination of non-local use of maintenance functions.

Defense76: effective protection mindset -

People's mindset is oriented toward protection issues. Examples include organizations with effective protection awareness programs, organizations with a strong tradition and culture of protection, and individuals with a passion for information protection.

Defense77: physical switches or shields on equipment and devices -

Peripherals such as microphones and cameras are provided with switches capable of definitively disabling their operation, while disks are physically write locked and equipment may use smoke and dust filters. Examples include covers over video cameras, switches that electrically or mechanically disconnect microphones, and keyed disconnects for keyboards, mice, and displays.

Defense78: trusted repair teams -

Trusted groups of individuals working in teams perform repairs so as to mitigate the risks of the repair process introducing corruptions, leaks, or denial. Examples include cleared repair people and specially contracted cleared repair facilities.

Defense79: inventory control -

Inventory is tracked at a granularity level sufficient to be able to identify the relevant history of the relevant parts. Examples include physical inventory control systems, inventory audits, and on-line inventory control over information.

Defense80: secure distribution -

Physical or informational goods are delivered in such a way as to assure security properties. Examples include cryptographic checksums used to seal software distributed over public communications systems, special bonded couriers using secure carying cases, and buying through phoney or friendly corporations so as to conceal the real destination of a shipment.

Defense81: secure key management -

The management of keys in such a way as to retain the security properties those keys are intended to assure. Examples include physical key audits, anti-duplication measures, and periodic rekeying, public-key automated key generation and distribution systems, and analysis of physical traits on keys for integrity verification.

Defense82: locks -

Locks are used to prevent unauthorized entry while permitting authorized entry. Examples include mechanical locks, magnetic locks, and electronic locks, password checkers and similar informational authentication devices, and time-based, use-based, environment-based, or event-based locks.

Defense83: secure or trusted channels -

Secure channels are specially devised communications channels between parties that provide a high degree of assurance that communications security properties are in place. Examples include trusted channels between a user and an operating system required for the implementation of trusted computing bases, cryptographically secured communication channels used in a wide range of circumstances, and physically secured communications paths controlled by gas-filled tubes which lose their communications properties if altered.

Defense84: limited function -

Function is limited so as to prevent exploitation of Turing capability or similar expansion of intended function. Examples include limited function interfaces to systems, special purpose devices which perform only specific functions dictated by their designers, and special devices designed to fail under attempts to use them for other than their intended purpose.

Defense85: limited sharing -

Sharing of information is limited so as to prevent unfettered information flow. Examples include the Bell-LaPadula security model, the Biba integrity model, Denning's Lattice models, and Cohen's POset models. [Bell73] [Biba77] [Denning75] [Cohen87-2]

Defense86: limited transitivity -

Limiting the ability of information to flow more than a certain distance (perhaps in hops) from its original source. Examples include special operating systems that track transitive information flow and limit it and technologies that can only be shared a few times before losing their operability.

Defense87: disable unsafe features -

Features known to be unsafe in a particular environment are disabled. Examples include disabling network file systems operating over open networks, disabling guest accounts, and disabling dial-in modems connected to maintenance ports except when maintenance is required.

Defense88: authenticated information -

Information is authenticated as to source, content, and or other factors of import. Examples include authenticated electronic mail systems based on public-key cryptography, source-authenticated secure channels based on authenticating information related to individuals, and the use of third party certification to authenticate information.

Defense89: integrity checking -

The integrity of information, people, systems, and devices is verified. Examples include detailed analysis of code, change detection with cryptographic checksums, in-depth testing, syntax and consistency verification, and verification of information through independent means.

Defense90: infrastructure-wide digging hotlines -

Toll-free telephone services are provided at the infrastructure level to provide information on the location of cables, gas lines, and other infrastructure elements prior to digging.

Defense91: conservative resource allocation -

Resoureces are allocated so as to assure that anything that is started can be completed with the allocated resources. Examples include the use of overspecification to assure operational compliance, preallocation of all required memory for processing in computer operating systems, and static allocation rather than dynamic allocation in telecommunications systems.

Defense92: fire supression equipment -

Special equipment is put in place to supress fires. Examples include Halon gas, fire extinguishers, and water reserves with dumping capability.

Defense93: fire doors, fire walls, asbestos suits and similar fire-limiting items -

A variety of physical devices and equipment provides effective limitation of fire's effect on buildings, facilities, equipment, and people.

Defense94: concealed services -

Concealment is used to provide services only to those who know how to access them. Examples include secret hallways with trick doors, menu items that don't appear on the menu, and programs that don't appear in listings but operate when properly called.

Defense95: traps -

Traps are devices used to capture an intruder or retain their interest while additional information about them is attained. Examples include man-traps used to capture people trying to illicitly enter a facility, computer traps used to entice attackers to remain while they are traced, and special physical barriers designed to entrap particular sorts of devices used to bypass controls.

Defense96: content checking -

Content is verified to assure that it is within normal specifications or to detect particular content.. Examples include verification of parameter values on operating system calls, examination of inbound shipments, and real-time detection of known attack patterns.

Defense97: trusted system technologies -

Trusted systems are systems that have been certified to meet some set of standards with regard to their design, implementation, and operation. Examples include systems and components approved by a certification body under a published criteria and standard implementations used for a particular purpose within a particular organization. While these systems tend to have more effective protection than systems that are less standard and not certified, the aura of legitimacy is sometimes unjustified.

Defense98: perception management -

Causing people to believe things that forward the goal. Examples include the appearance of tight security which tends to reduce the number of attacks, creating the perception that people who attack a particular system will be caught in order to deter attack, and making people believe that a particularly valuable target is not valuable in order to reduce the number of attempts to attack it.

Defense99: deceptions -

Typical deceptions include concealment, camouflage, false and planted information, reuses, displays, demonstrations, feints, lies, and insight. [Dunnigan95] Examples include facades used to misdirect attackers as to the content of a system, false claims that a facility or system is watched by law enforcement authorities, and Trojan horses planted in software that is downloaded from a site.

Defense100: retaining confidentiality of security status information -

Information on methods used for protection can be protected to make successful and undetected attack more difficult. Examples include not revealing specific weaknesses in specific systems, keeping information on where items are purchased confidential, and not detailing internal procedures to outsiders.

Defense101: regular review of protection measures -

Protection measures are regularly reviewed to assure that they continue to meet requirements. Examples include internal and external protection audits, periodic administrative reviews, and protection posture assessments.

Defense102: independent computer and tool use by auditors -

Auditors create independent systems that permit them to review the content of a system under review with reduced dependency on the hardware and software in the system under review. Examples include removing disks from the system under review for review on a separate computer, booting systems from auditor-provided start-up media in order to assure against operating system subversion, and review of external information fed into and generated by the system under review.

Defense103: standbye equipment -

Special redundant devices are used to assure against systemic faults. Examples include unitenrruptable power supplies, hot and cold standbye systems, off-site recovery facilities, and n-modular redundancy.

Defense104: protection of data used in system testing -

Data used to test systems is protected to prevent attackers from understanding the limits of the tests performed and to assure that the test data doesn't corrupt the system under test.

Defense105: Chinese walls -

Combinations of access are limited so as to limit the combination of information available to an individual. Examples include the Chinese walls used in the finacial industries to prevent traders from gaining access to both future planning information and share value information, need-to-know separation in shared computing bases, and access controls in some firewall environments.

Defense106: tracking, correlation, and analysis of incident reporting and response information -

Incident reports and mitigating actions are collected, reported, correlated, and analyzed. Examples include analysis for patterns of abuse, detection of changes in threat profiles, detection of low-rate attacks, detection of increased overall attack levels, improvement of response performance based on feedback from the analysis process, and the collection and reuse of diagnostic and repair information.

Defense107: minimizing copies of sensitive information -

The number of copies of sensitive information is limited to reduce the opportunity for its leakage. Examples include restrictions on handling of sensitive information in most government and industry facilities.

Defense108: numbering and tracking all sensitive information -

Each copy of sensitive information is numbered, cataloged, and tracked to assure that no illicit copies are accidentally made and to add identifying information to each copy to enable it to be traced to the individual responsible for its handling.

Defense109: independent control of audit information -

Audit information is not kept in the control of the systems about which the information applies. For example, audit information may be immediately transmitted to a separate computer for storage and analysis, a trusted computing base may separate the information from the areas that generate it, or audit information may be written to a write-once output device to assure against subsequent corruption or destruction.

Defense110: low building profile -

Facilities containing vital systems or information are kept in low profile buildings and locations to avoid undue interest or attention. Examples include computer centers located in remote areas, undistinctive and unmarked buildings used for backup storage, and block houses used for storing high valued information.

Defense111: minimize traffic in work areas -

Traffic is limited to reduce the oportunity for diversions. Examples include the separation of areas by partitions, separation of workers on different tasks into different areas, and architecting floor and building areas so as to control flow.

Defense112: place equipment and supplies out of harms way -

Physical isolation of key equipment and proper placement of all information and processing equipment is used to reduce accidental and intentional harm.

Defense113: universal use of badges -

Identifiable badges are worn by every authorized eprson in the facility. Examples include electromagnetic badges that automatically open locks to areas, smart-card badges that include electronic authentication information, and the more common physical badges which use color, format, seals, and similar authenticating information to assert authenticity.

Defense114: control physical access -

Restrictions on who can get to what physical locations when. Examples include gates requiring identification for entry, the use of locks on wire closets, and secure areas for storage of material.

Defense115: separation of equipment so as to limit damage from local events -

Physical distance and separation are used to prevent events effecting one piece of information or technology from also effecting other related ones. Examples include off-site storage facilities, physically distributed processing capabilities, and hot sites for operation during natural disasters and similar events. Physical separation is often mandated by regulation, especially between classified and unclassified computers.

Defense116: inspection of incoming and outgoing materials -

All material is examined when crossing some boundaries to assure that corruption or leakage is not taking place. Examples include examination of incoming hardware for Trojan horses, bomb detection, and detection of improperly cleansed material being sent out, and

Defense117: supression of incomplete or obsolete data -

Incomplete or obsolete data is superssed to prevent its accidental use or intentional abuse. Examples include databases that remove old records, record keeping processes that expunge data after statutory and business requirements no longer necessitate its availability, and the destruction of old criminal records by government when appropriate.

Defense118: document and information control procedures -

Whenever sensitive information is sent or recieved, a procedure is used to confirm the action with the other party. Examples include reciepts for information, non-repudiation services in information networks, and advance notice of inbound transmissions.

Defense119: individual accountability for all assets -

Each information asset is identified as to ownership and stewardship and the owner and steward are held accountable for those assets. Examples include document tracking, owner-based access control decisions, and mandatory actions taken in cases where individuals fail to carry out their responsibility.

Defense120: clear line of responsibility for protection -

Responsibility for protection is clear throughout the organization. Examples include executive-level responsibility for overall information asset protection, deliniated responsibility at every level orf the organization, and spelled out responsibilities for individual accountability.

Defense121: program change logs -

Changes in programs are accounted for in detail. Examples include automated change tracking systems, version control systems, and full-blown change control systems.

Defense122: protection of names of resources -

Names and other identifying information are kept confidential. Examples include keeping the employee phone book and organizational chart from being released to those who might abuse its content, keeping filenames and machine names containing confidential data confidential to make them harder to find, and keeping the names of clients, projects, and other operational information confidential to prevent exploitation.

Defense123: compliance with laws and regulations -

All applicable laws and regulations are followed. Examples include software copyright laws, anti-trust laws, and regulations applying to the separation of information between traders and investment advisors.

Defense124: legal agreements -

Binding legal agreements are used to provide a means of recovering from losses due to neglegence or non-fulfillment. Examples include insurance contracts relating to information assets, employee contracts that specify the employee's responsibilities and punishments for non-compliance, vendor and outsourcing agreements specifying requirements on supplied resources and responsibility for failures in compliance.

Defense125: time, location, function, and other similar access limitations -

Access is restricted based on time, location, function, and other characterizable parameters. Examples include time locks on bank vaults, access controls based on IP address, terminal port, or combinations of these, and barriers which require some time in order to be bypassed.

Defense126: multidisciplinary principle (GASSP) -

Measures, practices, and procedures for the security of information systems should address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational, and legal. [GASSP95]

Defense127: integration principle (GASSP) -

Measures, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system of security. [GASSP95]

Defense128: timeliness principle (GASSP) -

Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of the security of information systems. [GASSP95]

Defense129: democracy principle (GASSP) -

The security of an information system should be weighed against the rights of users and other individuals affected by the system. [GASSP95]

Defense130: internal control principle (GASSP) -

Information security forms the core of an organization's information internal control system. [GASSP95]

Defense131: adversary principle (GASSP) -

Controls, security strategies, architectures, policies, standards, procedures, and guidelines should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries with harmful intent or harm from negligent or accidental actions. [GASSP95]

Defense132: continuity principle (GASSP) -

Information security professionals should identify their organization's needs for continuity of operations and should prepare the organization and its information systems accordingly. [GASSP95]

Defense133: simplicity principle (GASSP) -

nformation security professionals should favor small and simple safeguards over large and complex safeguards. [GASSP95]

Defense134: periods processing and color changes -

Processing at different levels of security is done at different periods of time with a color change operation used to remove any information used during one period before the next period of processing begins.

Defense135: alarms -

Alarms are used to indicate detected intrusions. Examples include automated software-based intrusion detection systems, alarm systems based on physical sensors reporting to central control rooms, and systems in which each sensor alarms on detection.

Defense136: insurance -

Risk can be mitigated by paying others to assume those risks.

Defense137: choice of location -

Location is often related to risks. Examples include selection of neighborhood and its impact on crime, selection of geographical location and its relation to natural disasters, and selection of countries and its relation to political unrest.

Defense138: filtering devices -

Devices used to limit the pass through of information or physical items. Examples include air filters to limit smoke damage and noxious fumes, packet filters to limit unauthorized and malicious information packets, and noise filters to reduce the impact of external noise.

Defense139: environmental controls -

Devices or methods that control temperature, pressure, humidity, and other environmental factors. Examples include heaters and air conditioners, humidity controllers, and air purifiers.

Defense140: searches and inspections -

Physical, electronic, sonic, and other searches and inspections designed to reveal the presence of illicit devices or tampering.