Focused On Your Success


The All.Net Security Database


Generated Fri Jun 27 09:58:50 PDT 2003 by fc@red.a.net

Cause/Mechanism:
  • Threat Profiles
  • Attack Methods
  • Defense Methods
    Process:
  • Prevention
  • Detection
  • Reaction
    Impact:
  • Integrity
  • Availability
  • Confidential
  • Use Control
  • Other:
  • Risk Management
  • Database Description

    Domain:
  • Physical
  • Informational
  • Systemic
    Sophistication:
  • Theoretical
  • Demonstrated
  • Widespread
  • Perspectives:
  • Management
  • Policy
  • Standards
  • Procedures
  • Documentation
  • Audit
  • Testing
  • Technical Safeguards
  • Personnel
  • Incident Handling
  • Legal
  • Physical
  • Awareness
  • Training
  • Education
  • Organization
  • Brekne's Mechanistic:
  • Input
  • Output
  • Storage
  • Processing
  • Transmission
  • Brekne's Causal:
  • Accidental
  • Malicious
  • Brekne's Method:
  • Leakage
  • Masquerade
  • Denial
  • Corruption
  • Usage
  • Mental

  • Attack19:

    Name:protection missetting exploitation

    Complexity: Setting protections properly is not a trivial matter, but there are linear time algorithms for automating settings once there is a decision procedure in place to determine what values to set protection to. No substantial mathematical analysis has been published in this area and no results have been published for the complexity of building a decision procedure, however it is known that, under some conditions, it is impossible to have settings that both provide all appropriate access and deny all inappropriate access. [Cohen91] It is known to be undecidable for a general purpose subject/object system whether a given subject will eventually gain any particular right over any particular object. [Harrison76]
    fc@red.a.net

    Related Database Material

    [TBVInput - Relates to Input]
    [TBVAccidental - Relates to Accidental]
    [TBVMalicious - Relates to Malicious]
    [TBVLeakage - Relates to Leakage]
    [TBVDenial - Relates to Denial]
    [TBVUsage - Relates to Usage]
    [PDRIntegrity - Relates to Integrity]
    [PDRConfidentiality - Relates to Confidentiality]
    [PDRUse - Relates to Use]
    [PDRWidespread - Relates to Widespread]
    [PLSLogical - Relates to Logical]
    [Threat1 - insiders]
    [Threat2 - private investigators]
    [Threat4 - consultants]
    [Threat6 - customers]
    [Threat8 - competitors]
    [Threat9 - whistle blowers]
    [Threat10 - hackers]
    [Threat11 - crackers]
    [Threat13 - cyber-gangs]
    [Threat14 - tiger teams]
    [Threat16 - professional thieves]
    [Threat20 - crackers for hire]
    [Threat25 - industrial espionage experts]
    [Threat26 - foreign agents and spies]
    [Threat28 - government agencies]
    [Threat30 - economic rivals]
    [Threat31 - nation states]
    [Threat32 - global coalitions]
    [Threat33 - military organizations]
    [Threat35 - information warriors]
    [Threat36 - extortionists]
    [Defense32 - anomaly detection]
    [Defense30 - audit analysis]
    [Defense45 - augmented authentication devices time or use variant]
    [Defense47 - authorization limitation]
    [Defense8 - automated protection checkers and setters]
    [Defense57 - change management]
    [Defense49 - classifying information as to sensitivity]
    [Defense58 - configuration management]
    [Defense72 - detailed audit]
    [Defense13 - detection before failure]
    [Defense118 - document and information control procedures]
    [Defense60 - drop boxes and processors]
    [Defense7 - effective mandatory access control]
    [Defense138 - filtering devices]
    [Defense56 - fine-grained access control]
    [Defense14 - human intervention after detection]
    [Defense65 - increased or enhanced perimeters]
    [Defense74 - information flow controls]
    [Defense130 - internal control principle (GASSP)]
    [Defense37 - least privilege]
    [Defense84 - limited function]
    [Defense85 - limited sharing]
    [Defense86 - limited transitivity]
    [Defense59 - lockouts]
    [Defense82 - locks]
    [Defense107 - minimizing copies of sensitive information]
    [Defense31 - misuse detection]
    [Defense108 - numbering and tracking all sensitive information]
    [Defense22 - out-of-range detection]
    [Defense121 - program change logs]
    [Defense122 - protection of names of resources]
    [Defense101 - regular review of protection measures]
    [Defense100 - retaining confidentiality of security status information]
    [Defense51 - secure design]
    [Defense83 - secure or trusted channels]
    [Defense40 - separation of duties]
    [Defense41 - separation of function]
    [Defense1 - strong change control]
    [Defense48 - security marking and/or labeling]
    [Defense20 - temporary blindness]
    [Defense52 - testing]
    [Defense125 - time, location, function, and other similar access limitations]
    [Defense128 - timeliness principle (GASSP)]
    [Defense9 - trusted applications]
    [Defense97 - trusted system technologies]