Chapter 1 - introduction To Security Flashcards
End-of-life systems
Systems for which the vendor has dropped all support, including security updates, because of their age; newly discovered vulnerabilities in them will never be patched.
Improper input handling
Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.
Improper error handling
Software that does not properly trap an error condition, so the resulting failure gives an attacker information about, or access to, the underlying system.
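Worked example for the two cards above (added here; it is not part of the original flashcards). A file-download handler written twice: the insecure version trusts the user-supplied name and echoes the raw exception to the client; the hardened version allow-lists the name, checks the canonical path stays under the document root, and maps every failure to a fixed client message while the detail goes to the server log. The document layout and handler names are assumptions made for the demonstration.

```python
import logging
import re
import tempfile
from pathlib import Path
from typing import Tuple

log = logging.getLogger("fileserver")

# Allow-list for user-supplied file names: no separators, no leading dot,
# bounded length. Rejecting by shape is the first check; the canonical-path
# check below is the second, independent one.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def resolve_untrusted_name(name: str, root: Path) -> Path:
    """Map a user-supplied name to a path under root, or raise ValueError."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name contains disallowed characters")
    root = root.resolve()
    candidate = (root / name).resolve()          # collapses .. and follows symlinks
    if candidate != root and root not in candidate.parents:
        raise ValueError("file name escapes the document root")
    return candidate


def serve_insecure(name: str, root: Path) -> Tuple[int, str]:
    """Both flaws at once: no validation of name, and the raw exception is
    returned to the caller, leaking paths and errno values."""
    try:
        return 200, (root / name).read_text()     # "../secret.txt" walks out of root
    except Exception as exc:                      # deliberately broad, to show the leak
        return 500, f"internal error: {exc!r}"


def serve_hardened(name: str, root: Path) -> Tuple[int, str]:
    """Validate first; fixed messages to the client, detail only in the server log."""
    try:
        path = resolve_untrusted_name(name, root)
    except ValueError:
        return 400, "bad request"
    try:
        return 200, path.read_text()
    except FileNotFoundError:
        return 404, "not found"
    except OSError:
        log.exception("failed to read %s", path)  # stack trace stays server-side
        return 500, "internal error"


def demo() -> dict:
    """Run both handlers against a constructed layout: tmp/root/report.txt
    (meant to be public) and tmp/secret.txt (outside the document root)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "root"
        root.mkdir()
        (root / "report.txt").write_text("quarterly numbers")
        (base / "secret.txt").write_text("top secret")
        return {
            "insecure_traversal": serve_insecure("../secret.txt", root),
            "insecure_missing": serve_insecure("nope.txt", root),
            "hardened_traversal": serve_hardened("../secret.txt", root),
            "hardened_missing": serve_hardened("nope.txt", root),
            "hardened_ok": serve_hardened("report.txt", root),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20s} -> {result}")
```

Running demo() shows the insecure handler returning the contents of secret.txt for "../secret.txt" and a FileNotFoundError repr (with the full path) for a missing file, while the hardened handler answers 400 and 404 with nothing about the server's layout. The two checks in resolve_untrusted_name are deliberately redundant: the regex stops traversal syntax up front, and the resolved-path comparison also catches symlinks inside the root that point outside it.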
Race condition
A software occurrence when two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
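Worked example for the race condition card (added here; it is not part of the original flashcards). Two threads withdraw from the same account: the unsynchronised version checks the balance, pauses as if waiting on a database, then deducts, so both threads pass the check and the balance goes negative; the fixed version holds a lock across the check and the act. The Account class and the pause length are assumptions made for the demonstration.

```python
import threading
import time


class Account:
    """Toy account with a check-then-act withdrawal.

    withdraw_unsafe reads the balance, then (after a simulated I/O pause) writes it
    back; a second thread can pass the check inside that window. withdraw_safe holds
    a lock across both steps so the check and the act are one atomic operation.
    """

    def __init__(self, balance: int, delay: float = 0.2):
        self.balance = balance
        self.delay = delay              # the window; long enough to reproduce the race
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount: int) -> bool:
        if self.balance >= amount:      # check ...
            time.sleep(self.delay)      # ... window (think: database round-trip) ...
            self.balance -= amount      # ... act: the second thread also gets here
            return True
        return False

    def withdraw_safe(self, amount: int) -> bool:
        with self._lock:                # check and act now happen under one lock
            if self.balance >= amount:
                time.sleep(self.delay)
                self.balance -= amount
                return True
            return False


def run_concurrent(withdraw, amount: int, n_threads: int) -> int:
    """Start n_threads withdrawals of amount at once; return how many reported success."""
    outcomes = []
    workers = [threading.Thread(target=lambda: outcomes.append(withdraw(amount)))
               for _ in range(n_threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(outcomes)


def race_demo() -> dict:
    """Two 80-unit withdrawals from a 100-unit account, unsynchronised:
    both succeed and the balance goes negative."""
    acct = Account(100)
    succeeded = run_concurrent(acct.withdraw_unsafe, 80, 2)
    return {"balance": acct.balance, "succeeded": succeeded}


def fixed_demo() -> dict:
    """Same scenario with the lock: one succeeds, one is refused."""
    acct = Account(100)
    succeeded = run_concurrent(acct.withdraw_safe, 80, 2)
    return {"balance": acct.balance, "succeeded": succeeded}


if __name__ == "__main__":
    print("unsynchronised:", race_demo())   # balance -60, both "succeeded"
    print("with lock:     ", fixed_demo())  # balance 20, one refused
```

The same check-then-act shape appears in file handling (stat a file, then open it: a TOCTOU race) and in web applications where the balance check and the debit are separate database statements; the fix there is a transaction with a row lock or a single conditional update, which is the database equivalent of the lock above.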
Resource exhaustion
A situation in which a hardware device with limited resources (CPU, memory, file-system storage, network bandwidth, etc.) is exploited by an attacker who intentionally consumes more of those resources than the system was designed to provide, so that legitimate users are denied service.
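Worked example for the resource exhaustion card (added here; it is not part of the original flashcards). Two places a server commonly lets a client dictate how much memory it will spend: reading a request body, and inflating compressed data. Both functions below cap the amount of work before it is done rather than after; the sample inputs, including the zlib "bomb", are constructed inline.

```python
import io
import zlib


class PayloadTooLarge(Exception):
    """Raised before the oversized data is fully buffered."""


def read_body_bounded(stream, max_bytes: int, chunk_size: int = 4096) -> bytes:
    """Read at most max_bytes from a binary stream.

    Reads in chunks and asks for one byte beyond the limit so an overrun is
    detected on the first excess byte, instead of after stream.read() has
    pulled an arbitrarily large body into memory.
    """
    chunks, total = [], 0
    while True:
        chunk = stream.read(min(chunk_size, max_bytes - total + 1))
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:
            raise PayloadTooLarge(f"body exceeds {max_bytes} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


def decompress_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate zlib data but stop once max_out bytes have been produced.

    zlib.decompress(data) would happily turn a few kilobytes into gigabytes;
    decompressobj().decompress(data, max_length) caps the output size.
    """
    inflater = zlib.decompressobj()
    out = inflater.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise PayloadTooLarge(f"inflated data exceeds {max_out} bytes")
    return out


def demo() -> dict:
    """Exercise both limits on constructed inputs."""
    results = {}
    results["small_body_ok"] = read_body_bounded(io.BytesIO(b"a" * 100), max_bytes=100) == b"a" * 100
    try:
        read_body_bounded(io.BytesIO(b"a" * 101), max_bytes=100)
        results["large_body_rejected"] = False
    except PayloadTooLarge:
        results["large_body_rejected"] = True
    bomb = zlib.compress(b"\0" * 10_000_000)          # ~10 KB on the wire, 10 MB inflated
    results["bomb_is_small_on_wire"] = len(bomb) < 50_000
    try:
        decompress_bounded(bomb, max_out=1_000_000)
        results["bomb_rejected"] = False
    except PayloadTooLarge:
        results["bomb_rejected"] = True
    results["normal_inflate_ok"] = decompress_bounded(zlib.compress(b"hello"), max_out=1_000) == b"hello"
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:24s} {ok}")
```

The same idea generalises to any client-controlled quantity: number of form fields, nesting depth of a JSON document, number of concurrent connections per source, or seconds a request may take. The rule is to bound the work before performing it, because once the memory is allocated or the CPU time spent, the exhaustion has already happened.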
Vulnerable business processes
A situation in which an attacker manipulates commonplace actions that are routinely performed, such as an approval or payment workflow, so that the process itself produces the attacker's desired outcome; also called business process compromise.
System sprawl
The widespread proliferation of devices across an enterprise.
Undocumented assets
Devices that are not formally identified or documented in an enterprise, and so are not patched, monitored, or included in risk assessments. A consequence of system sprawl.
Zero day
An attack that exploits a vulnerability unknown to the vendor, or for which no patch yet exists, so defenders have had "zero days" of warning to prepare.
Confidentiality
Security actions that ensure that only authorized parties can view the information
Integrity
Security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.
Availability
Security actions that ensure that data is accessible to authorized users
Information security
That which protects the integrity, confidentiality, and availability of information through products, people, and procedures on the devices that store, manipulate, and transmit the information.
Asset
An item that has value
Ex. Scooter
Threat
A type of action that has the potential to cause harm.
Ex. Theft of scooter
Threat actor
A person or element that has the power to carry out a threat
Ex. Thief
Vulnerability
A flaw or weakness that allows a threat actor to bypass security.
Ex. Fence hole
Attack vector
The means by which an attack can occur
Ex. Go through fence hole
Risk
A situation that involves exposure to danger; in security terms, the likelihood that a threat actor will exploit a vulnerability to harm an asset, combined with the impact if it happens.
Ex. Stolen scooter
Attack surface
The sum of all the different attack vectors
Risk response techniques
1) accept
2) transfer
3) avoid
4) mitigate
Risk deterrence
Involves understanding something about attackers and then informing them of the harm that could come their way if they attack an asset
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Healthcare enterprises must guard protected health information (PHI) and implement policies and procedures to safeguard it, whether in paper or electronic format.
The Sarbanes-Oxley Act of 2002
An attempt to fight corporate corruption. Stringent reporting requirements and internal controls on electronic financial reporting systems are required.
Gramm-Leach-Bliley Act of 1999 (GLBA)
Requires banks and financial institutions to notify customers of their policies and practices for disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected.
Payment Card Industry Data Security Standard (PCI DSS)
A set of security standards that all companies that process, store, or transmit credit or debit card information must follow.
California’s Database Security Breach Notification Act of 2003
Requires businesses to inform California residents, in the most expedient time possible and without unreasonable delay, if a breach of their unencrypted personal information has occurred or is reasonably believed to have occurred.
Script kiddies
Individuals who lack advanced knowledge of computers and networks and so use downloaded automated attack software to attack information systems.
Hacktivists
A group of threat actors that is strongly motivated by ideology
Nation state actors
State-sponsored attackers employed by a government for launching computer attacks against foes.
Advanced Persistent Threat (APT)
A class of attack in which a well-resourced attacker uses innovative attack tools to infect a system and then silently extracts data over an extended period while avoiding detection.
Five fundamental security principles
1) layering
2) limiting
3) diversity
4) obscurity
5) simplicity
Layered security
Creating multiple layers of security defenses through which an attacker must penetrate. Also called defense-in-depth
Limiting
Limiting access to information reduces the threat against it. Only personnel who must use the data should have access to it.
Diversity
Just as it is important to protect data with layers of security, the layers also must be different
Vendor diversity
Using security products provided by different manufacturers
Control diversity
Using different types of controls (administrative, technical, physical) rather than relying on a single type, so that a weakness in one kind of control is not shared by the others.
Obscurity
Obscuring from the outside world what is on the inside makes attacks that much more difficult; this supplements the other principles but is not a substitute for them.
Simplicity
The more complex information security becomes, the more difficult it is to understand. Complex systems allow many opportunities for something to go wrong.
Black hat hacker
Attackers who violate computer security for personal gain or to inflict malicious damage.
White hat hackers
"Ethical attackers" who have received permission to probe systems for weaknesses.
Gray hat hackers
Attackers who break into computer systems without permission and then publicly disclose the vulnerability they found.