D3-MH Message Hardening Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.
D3-MAN Message Authentication Authenticating the sender of a message and ensuring message integrity.
D3-MENCR Message Encryption Encrypting a message body using a cryptographic key.
D3-TAAN Transfer Agent Authentication Validating that server components of a messaging infrastructure are authorized to send a particular message.
D3-CH Credential Hardening Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.
D3-BAN Biometric Authentication Using biological measures in order to authenticate a user.
D3-CBAN Certificate-based Authentication Requiring a digital certificate in order to authenticate a user.
D3-CP Certificate Pinning Persisting either a server's X509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.
D3-CTS Credential Transmission Scoping Limiting the transmission of a credential to a scoped set of relying parties.
D3-DTP Domain Trust Policy Restricting inter-domain trust by modifying domain configuration.
D3-MFA Multi-factor Authentication Requiring proof of two or more pieces of evidence in order to authenticate a user.
D3-OTP One-time Password A one-time password is valid for only one user authentication.
D3-SPP Strong Password Policy Modifying system configuration to increase password strength.
D3-UAP User Account Permissions Restricting a user account's access to resources.
D3-CRO Credential Rotation Expiring an existing set of credentials and reissuing a new valid set
D3-PH Platform Hardening Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms includes components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components
D3-BA Bootloader Authentication Cryptographically authenticating the bootloader software before system boot.
D3-DENCR Disk Encryption Encrypting a hard disk partition to prevent cleartext access to a file system.
D3-DLIC Driver Load Integrity Checking Ensuring the integrity of drivers loaded during initialization of the operating system.
D3-FE File Encryption Encrypting a file using a cryptographic key.
D3-LFP Local File Permissions Restricting access to a local file by configuring operating system functionality.
D3-RFS RF Shielding Adding physical barriers to a platform to prevent undesired radio interference.
D3-SU Software Update Replacing old software on a computer system component.
D3-SCP System Configuration Permissions Restricting system configuration modifications to a specific user or group of users.
D3-TBI TPM Boot Integrity Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).
D3-AH Application Hardening Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
D3-ACH Application Configuration Hardening Modifying an application's configuration to reduce its attack surface.
D3-DCE Dead Code Elimination Removing unreachable or "dead code" from compiled source code.
D3-EHPV Exception Handler Pointer Validation Validates that a referenced exception handler pointer is a valid exception handler.
D3-PAN Pointer Authentication Comparing the cryptographic hash or derivative of a pointer's value to an expected value.
D3-PSEP Process Segment Execution Prevention Preventing execution of any address in a memory region other than the code segment.
D3-SAOR Segment Address Offset Randomization Randomizing the base (start) address of one or more segments of memory during the initialization of a process.
D3-SFCV Stack Frame Canary Validation Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.