Chapter 1 - introduction To Security

Question 1

End-of-life systems

Answer 1

System for which vendors have dropped all support for security updates due to the systems age

Question 2

Improper input handling

Answer 2

Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.

Question 3

Improper error handling

Answer 3

Software that does not properly trap an error condition and provides an attacker with underlying access to the system.

Question 4

Race condition

Answer 4

A software occurrence when two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.

Question 5

Resource exhaustion

Answer 5

A situations in which a hardware device with unlimited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.

Question 6

Vulnerable business processes

Answer 6

A situation in which an attacker manipulated commonplace actions that are routinely performed, also called business process compromise.

Question 7

System sprawl

Answer 7

The widespread proliferation of devices across an enterprise.

Question 8

Undocumented assets

Answer 8

Devices that are not formally identified or documented in an enterprise. Leads to system sprawl.

Question 9

Zero day

Answer 9

An attack in which there are no days of warning.

Question 10

Confidentiality

Answer 10

Security actions that ensure that only authorized parties can view the information

Question 11

Integrity

Answer 11

Security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.

Question 12

Availability

Answer 12

Security actions that ensure that data is accessible to authorized users

Question 13

Information security

Answer 13

That which protects the integrity, confidentiality, and availability of information through products, people, and procedures on the devices that store, manipulate, and transmit the information.

Question 14

Asset

Answer 14

An item that has value

Ex. Scooter

Question 15

Threat

Answer 15

A type of action that has the potential to cause harm.

Ex. Theft of scooter

Question 16

Threat actor

Answer 16

A person or element that has the power to carry out a threat

Ex. Thief

Question 17

Vulnerability

Answer 17

A flaw or weakness that allows a threat agent to bypass security.

Ex. Fence hole

Question 18

Attack vector

Answer 18

The means by which an attack can occur

Ex. Go through fence hole

Question 19

Risk

Answer 19

A situation that involves exposure to danger

Ex. Stolen scooter

Question 20

Attack surface

Answer 20

The sum of all the different attack vectors

Question 21

Risk response techniques

Answer 21

1) accept
2) transfer
3) avoid
4) mitigate

Question 22

Risk deterrence

Answer 22

Involves understanding something about attackers and then informing them of the harm that could come their way if they attack an asset

Question 23

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Answer 23

Healthcare enterprises must guard protected healthcare information and implement policies and procedures to safeguard it, whether in paper or electronic format

Question 24

The Sarbanes-Oxley Act of 2002

Answer 24

An attempt to fight corporate corruption. Stringent reporting requirements and internal controls on electronic financial reporting systems are required.

Question 25

Gramm-Leach Bliley Act of 1999 (GLBA)

Answer 25

Requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected.

Question 26

Payment Card Industry Data Security Standard (PCI DSS)

Answer 26

A set of security standards that all companies that process, store, or transmit credit or debit card information must follow.

Question 27

California’s Database Security Breach Notification Act of 2003

Answer 27

Require businesses to inform residents within a specific period (typically 48 hours) if a breach of personal information has or is believed to have occurred.

Question 28

Script kiddies

Answer 28

Individual who lacks advanced knowledge of computers and networks and so uses downloaded automated attack software to attack information systems

Question 29

Hacktivists

Answer 29

A group of threat actors that is strongly motivated by ideology

Question 30

Nation state actors

Answer 30

State-sponsored attackers employed by a government for launching computer attacks against foes.

Question 31

Advanced Persistent Threat (APT)

Answer 31

A new class of attack that uses innovative attack tools to infect a system and then silently extracts data over an extended period.

Question 32

Five fundamental security principles

Answer 32

1) layering
2) limiting
3) diversity
4) obscurity
5) simplicity

Question 33

Layered security

Answer 33

Creating multiple layers of security defenses through which an attacker must penetrate. Also called defense-in-depth

Question 34

Limiting

Answer 34

Limiting access to information reduces the threat against it. Only personnel who must use the data should have access to it.

Question 35

Diversity

Answer 35

Just as it is important to protect data with layers of security, the layers also must be different

Question 36

Vendor diversity

Answer 36

Using security products provided by different manufacturers

Question 37

Control diversity

Answer 37

Having different groups responsible for regulating access to a system

Question 38

Obscurity

Answer 38

Obscuring to the outside world what is in the inside makes attacks that much more difficult

Question 39

Simplicity

Answer 39

The more complex of information security becomes, the more difficult it is to understand. Complex systems allow many opportunities for something to go wrong.

Question 40

Black hat hacker

Answer 40

Attackers who violated computer security for personal gain or to inflict malicious damage.

Question 41

White hat hackers

Answer 41

“Ethical attackers” who received permission to probe system for any weaknesses.

Question 42

Gray hat hackers

Answer 42

Attackers who would break into computer system without permission and then publicly disclose vulnerability