D3-MH
Message Hardening
Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user-to-user computer messages.
D3-MAN
Message Authentication
Authenticating the sender of a message and ensuring message integrity.
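The following is an added worked example for this entry, not D3FEND's own code: a sender binds its identity and the message body under an HMAC-SHA256 tag, and the recipient recomputes the tag in constant time before trusting the message. The wire format (32-byte tag prepended to the body) and the out-of-band shared key are assumptions made for the example.

```python
"""Message authentication with HMAC-SHA256 (added example for D3-MAN; not D3FEND's own code).

Assumptions for this example: a 32-byte tag is prepended to the message, and
sender and recipient share a 256-bit key distributed out of band.
"""
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # full SHA-256 output; never truncate below 16 bytes


def make_key() -> bytes:
    """Generate a fresh 256-bit shared key."""
    return secrets.token_bytes(32)


def _mac_input(sender: bytes, message: bytes) -> bytes:
    # Length-prefix the sender so the field boundary is unambiguous: without
    # it, (sender=b"ab", message=b"c") and (sender=b"a", message=b"bc") would
    # produce the same tag.
    return len(sender).to_bytes(4, "big") + sender + message


def authenticate(key: bytes, sender: bytes, message: bytes) -> bytes:
    """Return tag || message, with the sender identity bound into the tag."""
    tag = hmac.new(key, _mac_input(sender, message), hashlib.sha256).digest()
    return tag + message


def verify(key: bytes, sender: bytes, packet: bytes) -> Optional[bytes]:
    """Return the message if the tag is valid for this claimed sender, else None."""
    if len(packet) < TAG_LEN:
        return None
    tag, message = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, _mac_input(sender, message), hashlib.sha256).digest()
    # compare_digest runs in constant time, so a failed comparison does not
    # leak how many leading tag bytes were correct.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


if __name__ == "__main__":
    key = make_key()
    pkt = authenticate(key, b"alice", b"transfer 10 to bob")
    print(verify(key, b"alice", pkt))                          # the message
    print(verify(key, b"alice", pkt[:TAG_LEN] + b"transfer 99 to bob"))  # None: body altered
    print(verify(key, b"mallory", pkt))                        # None: wrong claimed sender
```

The tag proves origin and integrity only; it does not stop an attacker from replaying an old, validly tagged message. Where replay matters, put a sequence number or timestamp under the tag and have the recipient reject values it has already accepted.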
D3-MENCR
Message Encryption
Encrypting a message body using a cryptographic key.
D3-TAAN
Transfer Agent Authentication
Validating that server components of a messaging infrastructure are authorized to send a particular message.
D3-CH
Credential Hardening
Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.
D3-BAN
Biometric Authentication
Using biological measures in order to authenticate a user.
D3-CBAN
Certificate-based Authentication
Requiring a digital certificate in order to authenticate a user.
D3-CP
Certificate Pinning
Persisting either a server's X.509 certificate or its public key and comparing it to the identity the server presents, to give the client greater confidence in the remote server's identity for TLS (SSL) connections.
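An added example for this entry (not D3FEND's code): the pin is the SHA-256 digest of the server's DER-encoded certificate, and the check runs after, not instead of, normal chain and hostname validation. The "sha256/<base64>" pin format, the two-pin (current plus backup) policy, and the placeholder DER byte strings in the demo are this example's assumptions.

```python
"""Certificate pinning check (added example for D3-CP; not D3FEND's own code).

Pins are the SHA-256 digest of the server's DER-encoded leaf certificate,
written "sha256/<base64>". The DER blobs in __main__ are constructed
placeholders, not real certificates.
"""
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def pin_of(cert_der: bytes) -> str:
    """Compute the pin string for a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate matches any configured pin.

    Keep at least two pins (current plus backup) so the certificate can be
    rotated without locking clients out.
    """
    actual = pin_of(cert_der)
    return any(hmac.compare_digest(actual, pin) for pin in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str]) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin on top of normal validation.

    Pinning is an extra check, not a replacement: create_default_context()
    still validates the chain and hostname before the pin is examined.
    """
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port))
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    try:
        leaf_der = tls.getpeercert(binary_form=True)
        if leaf_der is None or not pin_matches(leaf_der, pins):
            raise ssl.SSLCertVerificationError(
                "certificate pin mismatch for %s (got %s)"
                % (host, pin_of(leaf_der or b""))
            )
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real X.509 data).
    deployed_cert = b"\x30\x82\x01\x00" + b"constructed leaf certificate v1"
    backup_cert = b"\x30\x82\x01\x00" + b"constructed backup certificate"
    rogue_cert = b"\x30\x82\x01\x00" + b"certificate issued by a rogue CA"
    pins = {pin_of(deployed_cert), pin_of(backup_cert)}
    print(pin_matches(deployed_cert, pins))  # True
    print(pin_matches(rogue_cert, pins))     # False: valid chain is not enough
```

Pinning the whole certificate, as here, means every reissue changes the pin; pinning the SubjectPublicKeyInfo instead survives reissue with the same key. Either way the backup pin must be for a key that is already generated and stored offline, otherwise a lost key leaves clients unable to connect.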
D3-CTS
Credential Transmission Scoping
Limiting the transmission of a credential to a scoped set of relying parties.
D3-DTP
Domain Trust Policy
Restricting inter-domain trust by modifying domain configuration.
D3-MFA
Multi-factor Authentication
Requiring proof of two or more pieces of evidence in order to authenticate a user.
D3-OTP
One-time Password
A one-time password is valid for only one user authentication.
D3-SPP
Strong Password Policy
Modifying system configuration to increase password strength.
D3-UAP
User Account Permissions
Restricting a user account's access to resources.
D3-CRO
Credential Rotation
Expiring an existing set of credentials and reissuing a new valid set.
D3-PH
Platform Hardening
Hardening components of a platform with the intention of making them more difficult to exploit. Platforms include components such as:
* BIOS/UEFI subsystems
* Hardware security devices such as Trusted Platform Modules
* Boot process logic or code
* Kernel software components
D3-BA
Bootloader Authentication
Cryptographically authenticating the bootloader software before system boot.
D3-DENCR
Disk Encryption
Encrypting a hard disk partition to prevent cleartext access to a file system.
D3-DLIC
Driver Load Integrity Checking
Ensuring the integrity of drivers loaded during initialization of the operating system.
D3-FE
File Encryption
Encrypting a file using a cryptographic key.
D3-LFP
Local File Permissions
Restricting access to a local file by configuring operating system functionality.
D3-RFS
RF Shielding
Adding physical barriers to a platform to prevent undesired radio interference.
D3-SU
Software Update
Replacing old software on a computer system component.
D3-SCP
System Configuration Permissions
Restricting system configuration modifications to a specific user or group of users.
D3-TBI
TPM Boot Integrity
Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust for Measurement (SRTM).
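An added example for this entry (not D3FEND's code) that models the measurement chain behind SRTM: each boot stage hashes the next image, extends a PCR with that digest (PCR_new = SHA-256(PCR_old || digest)), and appends an event-log entry; a verifier then replays the log and compares the result with a golden value recorded at provisioning. The single-PCR layout, the event-log shape and the boot images themselves are constructed for the example.

```python
"""Measured boot / PCR extend model (added example for D3-TBI; not D3FEND's own code).

Each stage measures the next image, extends the PCR, and logs the digest.
The boot images are constructed byte strings; the single-PCR layout and the
event-log shape are this example's simplification.
"""
import hashlib
import hmac
from typing import List, Tuple

PCR_INIT = bytes(32)  # PCRs read as all-zero after a power-on reset


def measure(image: bytes) -> bytes:
    """Digest of a boot component, as the stage that loads it would compute it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). Neither commutative nor reversible."""
    return hashlib.sha256(pcr + digest).digest()


def boot(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Run a measured boot; return the final PCR value and the event log."""
    pcr = PCR_INIT
    log = []
    for name, image in stages:
        digest = measure(image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR from the event log, as a remote verifier does with a quote."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(pcr: bytes, golden: bytes) -> bool:
    """Compare the reported PCR with the value recorded at provisioning."""
    return hmac.compare_digest(pcr, golden)


# Constructed boot chain (placeholders, not real firmware).
GOOD_CHAIN = [
    ("firmware", b"constructed UEFI firmware image"),
    ("bootloader", b"constructed bootloader v2"),
    ("kernel", b"constructed kernel image"),
    ("initramfs", b"constructed initramfs"),
]


if __name__ == "__main__":
    golden, _ = boot(GOOD_CHAIN)                   # recorded once, at provisioning
    pcr, log = boot(GOOD_CHAIN)
    print(attest(pcr, golden), attest(replay_log(log), golden))   # True True
    tampered = list(GOOD_CHAIN)
    tampered[1] = ("bootloader", b"constructed bootloader v2 with implant")
    print(attest(boot(tampered)[0], golden))       # False: any changed byte changes the PCR
    reordered = [GOOD_CHAIN[1], GOOD_CHAIN[0]] + GOOD_CHAIN[2:]
    print(attest(boot(reordered)[0], golden))      # False: order is part of the measurement
```

The chain is only as trustworthy as its first link: the code that takes the first measurement (the core root of trust for measurement) is measured by nothing, so it has to live in immutable storage. A later stage that has already been measured cannot hide its own modification, but it can lie about everything it loads after itself, which is why the golden value must cover the whole chain, not just the kernel.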
D3-AH
Application Hardening
Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
D3-ACH
Application Configuration Hardening
Modifying an application's configuration to reduce its attack surface.
D3-DCE
Dead Code Elimination
Removing unreachable ("dead") code from a program at compile time.
D3-EHPV
Exception Handler Pointer Validation
Validating that a referenced exception handler pointer is a valid exception handler.
D3-PAN
Pointer Authentication
Comparing the cryptographic hash or derivative of a pointer's value to an expected value.
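An added example for this entry (not D3FEND's code) that models pointer authentication in software: a keyed MAC over the pointer value and a context modifier is stored in the otherwise unused upper bits of a 64-bit pointer, and the pointer is authenticated before use, so a corrupted address or a signed pointer replayed in a different context is rejected. The 48-bit address space, 16-bit authentication code, HMAC-SHA256 as the MAC and the stack pointer as modifier are assumptions of the model; hardware implementations use a dedicated cipher and key registers.

```python
"""Pointer authentication model (added example for D3-PAN; not D3FEND's own code).

A keyed MAC over (pointer, modifier) is stored in the upper bits of a 64-bit
pointer and checked before the pointer is used. The 48-bit address space,
16-bit PAC, HMAC-SHA256 and the stack-pointer modifier are this example's
assumptions, not a description of any specific hardware.
"""
import hashlib
import hmac
import secrets
import struct

VA_BITS = 48                       # address bits in use
ADDR_MASK = (1 << VA_BITS) - 1
PAC_BITS = 64 - VA_BITS            # 16 bits left over for the PAC


class PointerAuthFailure(Exception):
    """Raised where hardware would fault; the process must not continue."""


def new_key() -> bytes:
    """Per-process key, set by the kernel at exec and never readable from user space."""
    return secrets.token_bytes(16)


def _pac(key: bytes, addr: int, modifier: int) -> bytes:
    mac = hmac.new(key, struct.pack("<QQ", addr, modifier), hashlib.sha256).digest()
    return mac[:PAC_BITS // 8]


def sign(key: bytes, addr: int, modifier: int) -> int:
    """Embed a PAC computed over the address and a context value (e.g. the SP)."""
    if addr & ~ADDR_MASK:
        raise ValueError("address does not fit in %d bits" % VA_BITS)
    pac = int.from_bytes(_pac(key, addr, modifier), "little")
    return (pac << VA_BITS) | addr


def authenticate(key: bytes, signed: int, modifier: int) -> int:
    """Strip and verify the PAC; return the plain address or fail hard."""
    addr = signed & ADDR_MASK
    presented = (signed >> VA_BITS).to_bytes(PAC_BITS // 8, "little")
    if not hmac.compare_digest(presented, _pac(key, addr, modifier)):
        raise PointerAuthFailure("pointer 0x%016x failed authentication" % signed)
    return addr


if __name__ == "__main__":
    key = new_key()
    ret_addr, sp = 0x0000_5555_5555_61A0, 0x0000_7FFF_F7DC_E0F0
    saved = sign(key, ret_addr, modifier=sp)     # prologue: sign the return address with SP
    print(hex(authenticate(key, saved, sp)))     # epilogue: 0x5555555561a0
    attempts = (
        (saved ^ 0x10, "overwrite of the address bits"),
        (sign(key, ret_addr, 0x0000_7FFF_F7DC_E200), "replay of a pointer signed for another frame"),
    )
    for bad, why in attempts:
        try:
            authenticate(key, bad, sp)
        except PointerAuthFailure as e:
            print(why, "->", e)
```

With 16 PAC bits an attacker who can retry has a 1 in 65536 chance per guess, so the authentication failure must terminate the process rather than be retried, and the modifier matters: signing every return address with a constant would let a pointer harvested from one frame be reused in any other.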
D3-PSEP
Process Segment Execution Prevention
Preventing execution of any address in a memory region other than the code segment.
D3-SAOR
Segment Address Offset Randomization
Randomizing the base (start) address of one or more segments of memory during the initialization of a process.
D3-SFCV
Stack Frame Canary Validation
Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.
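An added example for this entry (not D3FEND's code): a stack frame is modelled as a byte array laid out as local buffer, canary, saved return address, and the epilogue compares the stored canary with the process-wide value before the return address is used. The 16-byte buffer, 8-byte words and the canary with a leading NUL byte are assumptions of the model; the last case shows what the check cannot do once the canary value has leaked.

```python
"""Stack canary model (added example for D3-SFCV; not D3FEND's own code).

Frame layout: [local buffer | canary | saved return address]. The sizes and
the canary with a leading NUL byte are assumptions of the model.
"""
import hmac
import secrets
import struct

BUF_LEN = 16      # char buf[16]
CANARY_LEN = 8    # one machine word
RET_LEN = 8       # saved return address


class StackSmashDetected(Exception):
    """Equivalent of __stack_chk_fail(): abort instead of returning."""


def new_canary() -> bytes:
    """Random per-process canary. The low byte is 0 so string-copy overflows
    (strcpy, sprintf) stop at the canary's first byte."""
    return b"\x00" + secrets.token_bytes(CANARY_LEN - 1)


def prologue(canary: bytes, return_address: int) -> bytearray:
    """Build the frame: zeroed buffer, then the canary, then the return address."""
    return bytearray(BUF_LEN) + bytearray(canary) + bytearray(struct.pack("<Q", return_address))


def unchecked_copy(frame: bytearray, data: bytes) -> None:
    """memcpy(buf, data, len(data)) with no bounds check on the destination."""
    end = min(len(data), len(frame))
    frame[0:end] = data[:end]


def epilogue(frame: bytearray, canary: bytes) -> int:
    """Verify the canary, then hand back the saved return address."""
    stored = bytes(frame[BUF_LEN:BUF_LEN + CANARY_LEN])
    if not hmac.compare_digest(stored, canary):
        raise StackSmashDetected("*** stack smashing detected ***: terminated")
    return struct.unpack("<Q", bytes(frame[BUF_LEN + CANARY_LEN:]))[0]


def vulnerable_function(canary: bytes, return_address: int, user_input: bytes) -> int:
    """A function whose only bug is the unbounded copy into its local buffer."""
    frame = prologue(canary, return_address)
    unchecked_copy(frame, user_input)
    return epilogue(frame, canary)


if __name__ == "__main__":
    canary = new_canary()
    ret = 0x0000_5555_5555_7000
    hijack = (0x4141414141414141).to_bytes(8, "little")
    print(hex(vulnerable_function(canary, ret, b"hello")))          # benign: 0x555555557000
    try:
        vulnerable_function(canary, ret, b"A" * BUF_LEN + b"B" * CANARY_LEN + hijack)
    except StackSmashDetected as e:
        print(e)                                                     # overflow caught
    # If the canary has leaked (info-leak, or a forked worker sharing it), the
    # attacker writes it back in place and the check passes.
    print(hex(vulnerable_function(canary, ret, b"A" * BUF_LEN + canary + hijack)))  # 0x4141414141414141
```

The canary only catches writes that run linearly through it. An arbitrary write that lands directly on the return address, or on a function pointer elsewhere, never touches the canary, which is why this check is combined with the non-executable and randomized segment techniques listed above rather than relied on alone.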