Chapter 1 Flashcards
A response to risk that acknowledges the risk but takes no steps to address it.
accept
Security controls for developing and ensuring that policies and procedures are carried out; regulating the human factors of security.
administrative controls
A new class of attack that uses innovative attack tools to infect a system and then silently extracts data over an extended period.
advanced persistent threat (APT)
Deficiencies in software due to poor design.
architecture/design weaknesses
an item that has value.
asset
Characteristic features of different groups of threat actors.
attributes
security actions that ensure that data is accessible to authorized users.
availability
A response to risk that identifies the risk and the decision is made to not engage in the risk-provoking activity.
avoid
Threat actors that launch attacks against an opponent's systems to steal classified information.
competitors
the highest data label level of sensitivity.
confidentiality
having different groups responsible for regulating access to a system.
control diversity
the out-of-the-box security config settings
default config
Creating multiple layers of security defenses through which an attacker must penetrate; also called layered security.
defense-in-depth
system for which vendors have dropped all support for security updates due to the system’s age.
end-of-life system
the location outside an enterprise in which some threat actors perform.
external
an attribute of threat actors that can vary widely.
funding and resources
a group of threat actors that is strongly motivated by ideology
hacktivists
software that does not properly trap an error condition and provides an attacker with underlying access to the system.
improper error handling
software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.
improper input handling
account set up for a user that might provide more access than is necessary.
improperly config accounts
Frameworks/architectures that are specific to a particular industry or market sector.
industry-specific frameworks
“support structures” for implementing security; also called reference architectures
industry-standard frameworks
employees, contractors, and business partners who can be responsible for an attack.
insiders
security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.
integrity
the reasoning behind attacks made by threat actors.
intent and motivation
the location within an enterprise in which some threat actors perform.
internal
information security frameworks/architectures that are worldwide.
international
when a company that made a device provides no support for the device.
lack of vendor support
creating multiple layers of security defenses through which an attacker must penetrate; also called defense-in-depth.
layered security
an incorrectly configured device.
misconfig
addressing risks by making risks less serious.
mitigate
state-sponsored attackers employed by a government for launching computer attacks against foes.
nation state actors
information security frameworks/architectures that are domestic.
national
a threat that has not been previously identified.
new threat
information security frameworks/architectures that are not required.
non-regulatory
freely available automated attack software.
open-source intel
threat actors that are moving from traditional organized criminal activities to more rewarding and less risky online attacks.
organized crime
A software occurrence when two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
race condition
“supporting structures” for implementing security; also called industry-standard frameworks.
reference architectures
information security frameworks/architectures that are required by agencies that regulate the industry.
regulatory
a situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.
resource exhaustion
a situation that involves exposure to danger.
risk
different options available when dealing with risks.
risk response techniques
individual who lacks advanced knowledge of computers and networks and so uses downloaded automated attack software to attack information systems.
script kiddies
threat actors that have developed a high degree of complexity.
sophisticated
the widespread proliferation of devices across an enterprise.
system sprawl
using technology that is carried out or managed by devices as a basis for controlling the access to and usage of sensitive data.
technical controls
a type of action that has the potential to cause harm.
threat
a person or element that has the power to carry out a threat.
threat actor
a response to risk that allows a third party to assume the responsibility of the risk.
transfer
devices that are not formally identified or documented in an enterprise.
undocumented assets
users with little or no instruction in making security decisions.
untrained users
instructing employees as to the security reasons behind security restrictions.
user training
using security products provided by different manufacturers.
vendor diversity
a flaw or weakness that allows a threat agent to bypass security.
vulnerability
a situation in which an attacker manipulates commonplace actions that are routinely performed; also called business process compromise.
vulnerable business processes
configuration options that provide limited security choices.
weak config
an attack in which there are no days of warning.
zero day