CyBOK (version 1)

From Брацка Правка
Jump to: navigation, search

At CNM Wiki, the CyBOK (version 1) refers to Version 1.0 of the The Cyber Security Body of Knowledge that was published on 31st October 2019 at https://www.cybok.org/


Developers

Editors

  • Awais Rashid, University of Bristol
  • Howard Chivers, University of York
  • George Danezis, University College London
  • Emil Lupu, Imperial College London
  • Andrew Martin, University of Oxford

Project manager

  • Yvonne Rigby, University of Bristol

Production

  • Joseph Hallett, University of Bristol

Copyrights

©CrownCopyright, The National Cyber Security Centre 2019. This information is licensed under the Open Government Licence v3.0. To view this license, visit: https://www.nationalarchives.gov.uk/doc/open-government-licence/

When you use this information under the Open Government License, you should include the following attribution:

CyBOK Version 1.0 ©CrownCopyright, The National Cyber Security Centre 2019, licensed under the Open Government Licence: https://www.nationalarchives.gov.uk/doc/open-government-licence/. The CyBOK project would like to understand how the CyBOK is being used and its uptake. The project would like organisations using, or intending to use, CyBOK for the purposes of education, training, course development, professional development etc. to contact it at contact@cybok.org to let the project know how they are using CyBOK.

Glossary

  • 419 scam. A particular version of advance fee fraud specific to Nigeria.
  • Access control. The process of denying or granting access requests.
  • Actuator. An actuator is a device that moves or controls some mechanism. An actuator turns a control signal into mechanical action such as an electric motor. Actuators may be based on hydraulic, pneumatic, electric, thermal or mechanical means, but are increasingly being driven by software. An actuator ties a control system to its environment.
  • Advance fee fraud. A crime in which the victim is promised a reward, but in order to obtain it has to first pay a small fee to the fraudster.
  • Advanced persistent threat. An attack to an organization that continues its activities and yet remains undetected for an extended period of time.
  • Affiliate programme. A scheme where main organisation provides a "brand" and all the means required to carry out orders, shipments and payments.
  • ALARA. A method to reduce risk to levels As Low As Reasonably Allowable.
  • ALARP. A method to reduce risk to levels As Low As Reasonably Possible.
  • Alert. In the SOIM context, an alert should refer to an event, or group of events, of interest from a security perspective, representing either an attack symptom or consequence. An alert is necessarily the outcome of an analysis process performed by an Intrusion Detection System sensor on event traces.
  • Anonymity. The state of being not identifiable within a set of subjects, the anonymity set.
  • Appification. The replacement of websites with applications that run on mobile devices.
  • ASIC. Application Specific Integrated Circuit is one class on integrated circuits, where the circuit is tuned to a specific application or set of applications. E.g. a TPM is a dedicated ASIC for security applications.
  • Attack surface. The set of entry points where an attacker can attempt unauthorised access. Security approaches endeavor to keep the attack surface as small as possible.
  • Authentication. Verifying a claimed attribute value.
  • Authentication. The process of verifying the identity of an individual or entity.
  • Authorisation. A) deciding whether to grant an access request (to a subject) or b)assigning access rights to a principal.
  • Botnet. A network of compromised computers (or, bots) that is controlled by an attacker to launch coordinated malicious activities.
  • Bulletproof hosting service providers. providers that are well known not to comply with law enforcement takedown requests. This is made possible by either being located in countries with lax cybercrime legislation, or by the service provider operators actively bribing local law enforcement.
  • Byzantine. Anomalous behavior when an entity/attacker sends different (albeit valid) information to different recipients.
  • Card skimming. The practice of installing devices on ATM that allow for the cloning of the cards that are being inserted.
  • Carving. (File/data content carving) The process of recovering and reconstructing file content directly from block storage without using the file system metadata. More generally, data(structure) carving is the process of reconstructing logical objects (such as files and database records) from a bulk data capture (disk/RAM image) without using metadata that describes the location and layout of the artifacts. Data carvers use knowledge of the data formats to identify and validate the extracted content.
  • Certificate. A digitally signed data structure binding an entity (called subject) to some attribute.
  • Click fraud. The practice of using malware to generate fake clicks on websites.
  • CMOS. Complementary Metal Oxide Semiconductor technology is the most popular silicon technology to make integrated circuits. It consists of complementary PMOS and NMOS transistors. Its main advantages are that it has a very low static power consumption and relative robust operation. Hence it made it possible to integrate a large number of transistors (millions to billions) into one integrated circuit.
  • Confidentiality. The property that ensures that information is not made available or disclosed to unauthorised individuals, entities, or processes.
  • Consensus. Consensus (and similarly for Consistency) refers to mechanisms and the property of achieving varied types of agreement on values or coordination of state/entities, typically in the presence of specified failures. As there are precise technical specifications involved for consensus and different types of consistency, the reader is referred to the section on Coordination Properties and to the references [1071, 1072, 1077].
  • Consumer. In the context of a given transaction, a natural person who enters into a transaction other than for business or professional purposes. A given person may act as a consumer in some transactional contexts, and a non-consumer in others. N.B. This definition is far from universal. Some laws adopt definitions of 'consumer' that vary from this.
  • Coordination schema. The mechanisms that help orchestrate the actions of the involved entities.
  • Covert Channel Attack. An attack that results in the unauthorised capability to glean or transfer information between entities that are not specified to be able to communicate as per the security policy.
  • CPU. Central Processing Unit is a general purpose integrated circuit made to execute a program. It typically consists of an arithmetic unit, a program control unit, a bus structure and storage for code and data. Many types and variations exist. One SOC could contain one or more CPU cores with peripherals, extra memory, etc.
  • Credential. An input presented for authentication.
  • Critical National Infrastructure. Facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depend.
  • Cryptocurrency mining. The practice of generating cryptocurrencies by solving cryptographic tasks.
  • Cyber-dependent crime. Crime that can only be committed with the use of computers or technology devices.
  • Cyber-enabled crime. Crime that has an increased reach compared to its offline counterpart through the use of technology.
  • Cyber-Physical System. Engineered systems that are built from, and depend upon, the seamless integration of computation, and physical components [1833].
  • Cyberbullying. Sending or posting harmful material or engaging in other forms of social aggression using the Internet or other digital technologies.
  • Cyberspace. A global domain within the information environment consisting of an interdependent network of information system infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
  • Cyberstalking. The practice of using electronic means to stalk another person.
  • Delegation. The act of granting access rights one holds to another principal.
  • Digital trace (forensic trace). An explicit, or implicit, record that testifies to the execution of specific computations, or the communication and/or storage of specific data.
  • Digital forensics. The process of identifying and reconstructing the relevant sequence of events that have led to the currently observable state of a target IT system or (digital) artifacts.
  • Distributed Control System. A control system that combines supervised control of several individual computer-based controllers in different control-loop throughout a process. In contrast to SCADA systems, the supervision of these systems tends to be on site rather than remote.
  • Doxing. An attack where the victim's private information is publicly released online.
  • DRAM. DRAM is Dynamic Random Access Memory. Very popular because of its high density. It requires only one transistor and one small capacitance to store one bit of data. It requires regular refreshing. It looses its value when the power supply is turned off.
  • Drive-by download attack. An attack in which a webpage tries to exploit a software vulnerability in the victim's browser with the goal of installing malware.
  • Dumpz. Stolen credit card records.
  • Email spam. Unsolicited bulk email.
  • Encryption. The process of transforming information (commonly referred to as plain text/data) using an algorithm(called cipher) to make it unreadable to anyone except those possessing special knowledge, commonly referred to as a cryptographic key.
  • Event. Trace of activity provided by a computing environment. In the SOIM context, this is a piece of evidence logged that an activity was performed in the monitored system. Events are acquired sequentially by sensors to obtain at race of the activity on a computer or network, to find indicator of compromise.
  • Exploit. Software or data that takes advantage of a vulnerability in a system to cause unintended consequences. (Source = NCSC Glossary).
  • Exploit kit. A tool that collects a large number of vulnerabilities and are sold on the black market for other criminals to use.
  • File. A named (opaque) sequence of bytes that is stored persistently.
  • File system (filesystem). An operating system subsystem that is responsible for the persistent storage and organisation of user and system files on a partition/volume.
  • FPGA. A field Programmable Gate Array or FPGA is a specialized integrated circuit that contains configurable logic, which can stillbeprogrammedafterfabrication. Programmingisdonebyloadingabitstreamwhichconfigureseachofthe programmablelogicgatesindividually.
  • Fullz. Stolen credit card records that also contain billing information.
  • GPU. Graphics Processing Unit is a specialized programmable integrated circuit. Its components (arithmetic units, instruction set, memory configuration, bus structure) are all optimized to accelerate graphics, video and image processing applications.
  • Hacktivism. The act of computer crime motivated by a political goal.
  • HDL. A Hardware Description Language is a special language to describe digital hardware at the register transfer level. Most well known languages are VHDL and Verilog.
  • Homomorphic encryption. A form of encryption that when computing on cipher texts, generates an encrypted result which, when decrypted, matches the result of the computation as if it had been performed on the plain text.
  • Honeypot. In the context of SOIM, honeypots can be operated locally as an additional detection methods upplementing IDS sensors, or by an external CTI service provider.
  • IC. An Integrated Circuit is an electronic device that contains a large amount of electronic components, mostly transistors integrated into one piece of semiconductor material, usually CMOS silicon. A common name is a 'chip' or a 'siliconchip'.
  • Identity management. The process of creating, using, and terminating electronic identities.
  • Impact. The result of a threat exploiting a vulnerability. In the context of SOIM, this is the extent of damage caused by the attack to either the ICT infrastructure, or to business processes.
  • Incident. In the SOIM context, an incident is described as a set of alerts that are considered evidence of a cybersecurity breach, generally a successful attack (although serious attempts, or attempts against critical systems, may also be considered incidents.
  • Industrial Control Systems. General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective(e.g., manufacturing, transportation of matter or energy).
  • Industrial Internet of Things. System that connects and integrates industrial control systems with enterprise systems, business processes, and analytics.
  • Industry 4.0. Industry 4.0 refers to the modernization of manufacturing with Internet of Things services, which provide the basis for the fourth industrial revolution. The first industrial revolution was enabled by the introduction of mechanical production facilities powered by water and steam, the second revolution was enabled by mass production powered by electrical energy, and the third revolution was enabled by the introduction of electronics and information technology.
  • Information System. In the SOIM context, it designs the ICT infrastructure to detect possible attacks.
  • Integrity. The property that ensures that data is real, accurate and safeguarded from unauthorised user modification.
  • International governmental organisation. A legal person established and recognised as such by more than one state pursuant to treaty (e.g., the United Nations, INTERPOL, the International Maritime Organization, etc.). In practice, often simplified as 'International Organisation' or 'Treaty Organisation'.
  • Internet of Things. Network of physical objects or "things" embedded with electronics, software, sensors, and connectivity to enable objects to exchange data with the manufacturer, operator and/or other connected devices. The IoT refers to devices, that are often constrained in communication and computation capabilities, now becoming more commonly connected to the Internet, and to various services that are built on top of the capabilities these devices jointly provide.
  • Intrusion Prevention System (IDPS). Intrusion Detection System with the additional capability to take immediate and local action to block the detected attack. This implies two differences, the positioning of the device as an interceptor through which all requests, malicious or benign, will pass, and the ability to diagnose the malicious behaviour with certainty. See also Intrusion Detection System and sensor.
  • Key-logger. A virus or physical device that logs keystrokes to secretly capture private information such as passwords or credit card details. (Source = BSI Glossary).
  • Leader election. Following the replacement of an existing leader, on failure of a leader or for fairness or load balancing, the process of electing a new entity to perform the leadership activities of coordination.
  • Legal action. The process by which a person brings a legal claim to a tribunal for adjudication or to enforce the results of a prior adjudication. This is the method used to enforce a right of action.
  • Legal person. An entity vested with sufficient characteristics of personhood to merit a legal identity separate from its constituent members. These characteristics include: the right to commence or respond to legal action in the entity's name; the right to own assets in the entity's name; and the right to enter into obligations in the entity's name. Legal persons generally include: states; international governmental organisations; public or private entities incorporated pursuant to the law of a state and vested by that state with the characteristics of personhood, such as an English public limited company (PLC), a Delaware limited liability partnership (LLP), a French société anonyme (S.A.), a German gesellschaft mit beschränkter hafting (GmbH), the City of New York, etc.
  • Likelihood. A measure capturing the degree of possibility that a threat will exploit a vulnerability, and therefore produce an undesirable outcome.
  • Logical acquisition. The process of obtaining the data relies on one or more software layers as intermediaries to acquire the data from the storage device.
  • Logical volume. A collection of physical volumes presented and managed as a single unit.
  • Malware analysis. The process of analyzing malware code and understanding its intended functionalities.
  • Malware detection. The process of detecting the presence of malware in a system.
  • Metadata. Information about data or sent along with data, e.g., the IP address, the location, or the operative system a message is sent from.
  • Metamorphic malware. Malware of which each iteration or instance has different code from the preceding one. The code changes make it difficult to recognize the different iterations are the same malware (contrast with polymorphic malware).
  • Meterpreter. A tool that allows an attacker to control a victim's computer by running an invisible shell and establishing a communication channel back to the attacking machine.
  • Middleware. A software layer between the Operating System and the Application Layer designed to facilitate the interconnection and interaction between distributed components. Often referred to as the "softwareglue" that binds components together.
  • Money mule. A person who is recruited by a criminal to perform money laundering.
  • Natural person. A human being, living or deceased.
  • Object. The entity accessed by an access operation.
  • Obligation. operation to be performed in conjunction with an access request that had been granted.
  • Operational Technology. Components and systems, also known as Industrial Control Systems (ICS) that underpin Critical National Infrastructure (CNI) such as energy provision, transportation, and water treatment. They also underpin complex manufacturing systems where processes are too heavy-duty, monotonous, or dangerous for human involvement.
  • Operational Technology. Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
  • overlay. Refers to the overlay network in peer-to-peer systems that is a virtual network linking a specified set of nodes as built on top of the nodes of the physical network.
  • Packed malware. Packed malware is obfuscated malware in which the malicious program is compressed and cannot be analysed statically.
  • Packing. A technique to obfuscate malware (see packed malware).
  • Partition (physical volume). A contiguous allocation of blocks for a specific purpose, such as the organisation of a file system.
  • Passive dns. A mechanism to collect large amounts of DNS data by storing DNS responses from servers. (Source=RFC7719)
  • PCB. A Printed Circuit Board is a specialized board which holds the different integrated circuits. It is made of an insulated material with copper wiring to connect the pins of different integrated circuits with each other and the outside.
  • Permission. Synonym for access right.
  • Person. A natural person or legal person.
  • Phishing. A fraud that lures users into giving away access credentials to online services to a criminal.
  • Phishing kit. A programme that can be installed on a server and will produce an appropriately-looking webpage for many popular services.
  • Physical acquisition. The process of obtaining the data directly from hardware media, without the mediation of any (untrusted) third-party software.
  • Polymorphic malware. Malware that changes each instance to avoid detection. It typically has two parts: the decryptor and the encrypted program body. Each instance can encrypt the malware program differently and hence has a different decryptor; however, once decrypted, the same malware code is executed. (contrast with metamorphic malware).
  • Polymorphism. See polymorphic malware.
  • Potentially unwanted program. A program that may not be wanted by a user and is often downloaded along with a program that the user wants. Examples include adware, spyware, etc.
  • Principal. In policies, the active entity in an access request.
  • Privilege. An access right to a system resource.
  • Privilege. A synonym for access right.
  • Programmable Logic Controller (PLC). An industrially hardened computer-based unit that performs discrete or continuous control functions in a variety of processing plant and factory environments. It was originally intended as a relay replacement equipment for the automotive industry. As opposed to DCS, they can be sold as stand-alone equipment (instead of an integrated system as DCS).
  • RAM. RAM is Random Access Memory. It is memory on an integrated circuit to store values (data or code).
  • Reference monitor. The abstract component that mediates all accesses to objects.
  • Replication. The aspect of adding physical or logical copies of a resource.
  • Reshipping mule. A person who is recruited by a criminal to send goods purchased with stolen credit cards abroad.
  • Right of action. A right arising in law for one person to take legal action against another.
  • Root of Trust. A root of trust is a component used to realize a security function, upon which a designer relies but of which the trustworthiness cannot be explicitly verified.
  • Safety. In the context of malware analysis, a requirement that malware should be prevented from causing damage to the connected systems and networks while it runs in the analysis environment.
  • Security model. high-level specifications of a system designed to enforce certain security policies.
  • Sensor. A device that perceives certain characteristics of the real world and transfers them into a digital representation.
  • Sensor. Equipment (software and/or hardware) aimed at detecting and alerting cyberattacks, also referred to as the Intrusion Detection System (IDS).
  • Sextortion. A crime in which a miscreant lures victims to perform sexual acts in front of a camera (e.g., a webcam in a chat room), records those acts, and later asks for a monetary payment in order not to release the footage.
  • Side Channel Attack. Side Channel Attack An attack based on information gained from the implementation of a system (e.g., that of a cryptographic algorithm) rather than weaknesses in the algorithm (e.g., those discovered via cryptanalysis). Side Channel Attacks can be mounted based on monitoring data or key dependent variations in execution time, power consumption or electromagnetic radiation of integrated circuits.
  • Signature. A more current definition is indicator of compromise.
  • Sinkholing. A technique used by a DNS server to give out false information to prevent the use of a domain name.
  • Slack space. The difference between the allocated storage for a data object, such as file, or a volume, and the storage in actual use.
  • SOC. System-on-chip is a very large integrated circuit that combines multiple large components, which in previous generations might have consisted of multiple chips on one circuit board.
  • SRAM. SRAM is Static Random Access Memory, a type of memory that makes it easy to address each individual bit, requiring typically 6 transistors per bit. SRAM looses its values when the power supply is turned off.
  • State. A legal person that normally possesses the following qualifications: a permanent population; a defined territory; a government; and a legal capacity to enter into relations with other states. In the context of pubic international law and diplomacy, confirming the status of an entity as a 'state' is a decision normally made individually by other states through proclamation, exchange of ambassadors, etc. In the context of a federation (e.g., States of Australia, Provinces of Canada, Länder of Germany, States of the US), recognition normally takes place in accordance with the constitutional procedures of that federation.
  • Subject. An entity in an IT system that speaks for a principal (sometimes used as a synonym for principal).
  • Supervisory Control and Data Acquisition. A supervisory control system that integrates remote data acquisition systems with data transmission systems and Human-Machine Interface (HMI) software to provide a centralised monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, there by allowing the operator to monitor or control an entire system from a central location in near real time. SCADA systems and Distributed Control Systems (DCS) are often networked together. This is the case for electric power control, although the electric power generation facility is controlled by a DCS, the DCS must communicate with the SCADA system to coordinate production output with transmission and distribution demands.
  • Territorial. Of, or related to, territory.
  • Territory. A delimited region of geographic space (i.e., real space, including air and water). Often used in law to describe boundaries of a state (e.g., the territory of the Republic of Italy).
  • Threat. An individual, event, or action that has the capability to exploit a vulnerability.
  • Token. A device used for authentication.
  • Token. A data structure encoding the result of an access decision.
  • Trace. Ordered set of events, generally of the same type, gathered in a container for easy sequential access. A trace is, for example, a packet capture or a log file. The order is not necessarily chronological, but is fixed at the time of writing the trace.
  • Transducer. A device that converts variations in a physical quantity, such as pressure or brightness, into an electrical signal, or vice versa.
  • Triage. Triage is a partial forensic examination conducted under (significant) time and resource constraints.
  • Trusted Computing Base. The Trusted Computing Base (TCB) is the typical root of trust for a computer system. It contains all hardware and software components, that need to be trusted and of which the trust worthiness cannot be explicitly verified. If security vulnerabilities occur in the TCB, then the security of the entire computer system might be at risk.
  • Trusted Platform Module. A Trusted Platform Module is a functional component that can perform cryptographic operations, manage keys, and provide remote attestation services. When implemented as a cryptographic co-processor and embedded on a personal computer platform, it provides roots of trust so that the platform can identify itself, its current configuration, and running software.
  • Unlinkability. The property of two (or more) items in a system that ensures that these items are no more and no less related than they are related concerning the apriori knowledge of the adversary.
  • Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting-i.e., inserting a copy of itself into and becoming part of another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. (Source = SANS security glossary).
  • VLSI. Very Large Scale Integration is a collection of electronic design automation techniques to translate a HDL description into the actual polygons required for the mask making of an integrated circuit. The VLSI tools made it possible to manage the complexity of designing large integrated circuits.
  • Vulnerability. Something open to attack or misuse that could lead to an undesirable outcome.
  • Webification. The process of using web technologies to display and transfer content on the web and mobile devices.
  • Wifi. A family of radio technologies that is used for the wireless local area networking (WLAN).
  • Worm. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. (Source = SANS security glossary).
  • YARA. YARA is a tool primarily used in malware analysis. It describes malware families using textual or binary patterns. (Source=Wikipedia).