
Browse — Entity Type · Vulnerability

57 terms
Term | Type | Definition | Classifications | Updated
asset vulnerability | noun | A weakness in any of the organization's property of material value or usefulness or physical layout that could be accidentally triggered or intentionally exploited by a threat in order to gain unauthorized access to information or disrupt processing. | Vulnerability | May 9, 2026
attack surface | noun | The set of ways in which an adversary can enter a system and potentially cause damage. | Vulnerability | May 9, 2026
Backdoor | noun | An undocumented way of gaining access to a computer system. A backdoor is a potential security risk. | Vulnerability | May 9, 2026
Buffer overflow | noun | A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. | Vulnerability | May 12, 2026
bug | noun | An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device. | Vulnerability | May 9, 2026
Common Vulnerabilities and Exposures | noun |  | Vulnerability, Public | May 12, 2026
Common Vulnerability Scoring System | noun |  | Vulnerability | May 12, 2026
Compromising Emanations | noun | Unintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST. | Vulnerability, Regulated, CUI | May 9, 2026
Covert Channel | noun | An unauthorized communication path that manipulates a communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information without detection by anyone other than the entities operating the covert channel. | Vulnerability, Restricted, CUI | May 12, 2026
Covert Storage Channel | noun | Covert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. | Vulnerability, Regulated, CUI | May 9, 2026
Covert Timing Channel | noun | Covert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process. | Vulnerability, Regulated | May 12, 2026
Cross Site Scripting | noun | A vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable. | Vulnerability, Regulated | May 12, 2026
cybersecurity vulnerability | noun | A flaw in an organization's system which leaves it exposed to and defenseless against a cyberthreat. | Vulnerability | May 9, 2026
Day Zero | noun | The "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit refers to an exploit for which no patch is available yet ("day one" is the day on which the patch is made available). | Vulnerability | May 9, 2026
Easter Egg | noun | Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening. | Vulnerability | May 9, 2026
Exploit | noun | A technique or code that uses a vulnerability to provide system access to the attacker. An exploit is an intentional attack to impact an operating system or application program. | Vulnerability | May 9, 2026
Exploit Code | noun | A program that allows attackers to automatically break into a system. | Vulnerability, Restricted | May 12, 2026
Exploitable Channel | noun | Channel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base. See Covert Channel. | Vulnerability, Restricted | May 12, 2026
exposure | noun | The potential loss to an area due to the occurrence of an adverse event. | Vulnerability, Regulated | May 12, 2026
False Acceptance | noun | In biometrics, the instance of a security system incorrectly verifying or identifying an unauthorized person. It typically is considered the most serious of biometric security errors as it gives unauthorized users access to systems that expressly are trying to keep them out. | Vulnerability, Regulated | May 9, 2026
Flaw | noun | Error of commission, omission, or oversight in an information system that may allow protection mechanisms to be bypassed. | Vulnerability | May 9, 2026
Incomplete Parameter Checking | noun | System flaw that exists when the operating system does not check all parameters fully for accuracy and consistency, thus making the system vulnerable to penetration. | Vulnerability, Regulated | May 9, 2026
Information Assurance Vulnerability Alert | noun | Notification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk. | Vulnerability, Regulated, CDI | May 12, 2026
Line Conduction | noun | Unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line. | Vulnerability, Regulated, CUI | May 12, 2026
Magnetic Remanence | noun | Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See Clearing. | Vulnerability, Regulated, CUI | May 9, 2026
Maintenance Hook | noun | Special instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation. | Vulnerability, Regulated, CUI | May 12, 2026
Monoculture | noun | Monoculture is the case where a large number of users run the same software and are vulnerable to the same attacks. | Vulnerability | May 9, 2026
Multi-Hop Problem | noun | The security risks resulting from a mobile software agent visiting several platforms. | Vulnerability | May 9, 2026
National Vulnerability Database | noun | The U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA). | Vulnerability, Regulated | May 12, 2026
Null Session | noun | Known as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers. | Vulnerability, Regulated | May 12, 2026
Open Vulnerability and Assessment Language | noun | SCAP language for specifying low-level testing procedures used by checklists. | Vulnerability | May 12, 2026
Operational Vulnerability Information | noun | Information that describes the presence of an information vulnerability within a specific operational setting or network. | Vulnerability, Regulated, CUI | May 12, 2026
patch and vulnerability management process | noun | One of the many processes associated with the patching of software applications and the situations when an organization is forced to make emergency configuration changes that may reduce functionality to protect the organization from exploitation of the vulnerability. | Vulnerability, Regulated | May 12, 2026
Predisposing Condition | noun | A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, will result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the Nation. | Vulnerability | May 9, 2026
Race Condition | noun | A race condition exploits the small window of time between a security control being applied and when the service is used. | Vulnerability | May 9, 2026
Red Signal | noun | Any electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered. | Vulnerability, Regulated, CUI | May 9, 2026
Remanence | noun | Residual information remaining on storage media after clearing. See Magnetic Remanence and Clearing. | Vulnerability, Regulated, CUI | May 9, 2026
Routing Loop | noun | A routing loop is where two or more poorly configured routers repeatedly exchange the same packet over and over. | Vulnerability | May 9, 2026
Single-Hop Problem | noun | The security risks resulting from a mobile software agent moving from its home platform to another platform. | Vulnerability | May 9, 2026
Technical Vulnerability Information | noun |  | Vulnerability, Restricted, CUI | May 12, 2026
Threat and Vulnerability Management process | noun | A process that includes vulnerability assessments, vulnerability scanning, and penetration testing. Also included in the process is the cataloging of the assets that are in scope, assigning value and importance to those resources, and mitigating or eliminating any vulnerabilities discovered during the process. | Vulnerability, Restricted | May 12, 2026
Trap Door | noun | 1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information. | Vulnerability, Regulated, CUI | May 12, 2026
unnecessary default account | noun | Default accounts that are not necessary to be installed on the system. | Vulnerability, Regulated | May 12, 2026
unpatched software | noun | Software which has not undergone a vulnerability correction, a defect correction, or an improvement of code function. | Vulnerability, Regulated | May 9, 2026
Unprotected Share | noun | In Windows terminology, a "share" is a mechanism that allows a user to connect to file systems and printers on other systems. An "unprotected share" is one that allows anyone to connect to it. | Vulnerability, Restricted | May 12, 2026
vulnerability | noun | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. | Vulnerability | May 9, 2026
Vulnerability analysis | noun | Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. | Vulnerability | May 9, 2026
Vulnerability Assessment | noun | Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. | Vulnerability, Regulated | May 12, 2026
Vulnerability Assessment and Management | noun | In the NICE Workforce Framework, cybersecurity work where a person: Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. | Vulnerability | May 9, 2026
Vulnerability Management plan | noun | The purpose of this plan is to establish the organization's assessment and testing process to ensure systems are less susceptible to cyber attack. | Vulnerability, Internal | May 12, 2026
vulnerability mitigation | noun | The purpose of this task is to prioritize, evaluate, and implement measures and controls to counteract a weakness or vulnerability. | Vulnerability | May 9, 2026
vulnerability scan | noun | The check of a system for known vulnerabilities from beginning to end with resultant errors, and status information. | Vulnerability, Regulated | May 12, 2026
Vulnerability scanning | noun | An automated process to proactively identify security weaknesses in a network or individual system. | Vulnerability | May 9, 2026
weakness | noun | An exception noted in tests of properly designed internal controls that may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a simple deficiency, significant deficiency, or a material weakness. | Vulnerability, Regulated | May 12, 2026
Zero Day | noun | The "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit refers to an exploit for which no patch is available yet ("day one" is the day on which the patch is made available). | Vulnerability | May 9, 2026
Zero-day attack | noun | An attack on a piece of software that has a vulnerability for which there is no known patch. | Vulnerability | May 9, 2026
Zero-day-exploit | noun | A vulnerability that is exploited before the software creator/vendor is even aware of its existence. | Vulnerability, Restricted | May 12, 2026