Exam 1 Flashcards
Asset
Organizational resource that is being protected. Can be logical, such as a web site, software information, or data; can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
Information Asset
Focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
Information Security (InfoSec)
Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
Security
State of being secure and free from danger or harm. In addition, the actions taken to make someone or something secure.
Accountability
Access control mechanism that ensures all actions on a system - authorized or unauthorized - can be attributed to an authenticated identity. Also known as auditability.
Authentication
Access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity.
Authorization
Access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
Availability
Attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
C.I.A. Triad
Industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
Confidentiality
Attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
Disclosure
In information security, the intentional or unintentional exposure of an information asset to unauthorized parties.
Identification
Access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system.
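The four access control mechanisms above (identification, authentication, authorization, accountability) are easiest to keep straight when seen in sequence. The following is an added example, not part of the original flashcards: a small Python class that accepts a presented label, verifies it against a salted PBKDF2 hash, checks the identity against a per-asset access list with deny-by-default, and records every decision, successful or not, in an audit log. The user names, password, asset name and access levels are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor; raise in production
DUMMY_SALT = b"\x00" * 16     # used so unknown names cost the same time as known ones


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccessControl:
    def __init__(self):
        self.users = {}      # identity -> (salt, derived hash)
        self.acl = {}        # asset -> {identity: set of access levels}
        self.audit_log = []  # accountability: every decision, allowed or denied

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, derive(password, salt))

    def grant(self, asset: str, name: str, *levels: str) -> None:
        self.acl.setdefault(asset, {}).setdefault(name, set()).update(levels)

    def identify(self, name: str) -> bool:
        """Identification: the caller presents a label. Nothing is trusted yet."""
        return name in self.users

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication: verify the purported identity against the stored hash."""
        if name not in self.users:
            derive(password, DUMMY_SALT)   # same cost for unknown names (timing)
            self._record(name, "authenticate", None, False)
            return False
        salt, stored = self.users[name]
        ok = hmac.compare_digest(derive(password, salt), stored)
        self._record(name, "authenticate", None, ok)
        return ok

    def authorize(self, name: str, asset: str, level: str) -> bool:
        """Authorization: match the identity to the asset's access list; deny by default."""
        allowed = level in self.acl.get(asset, {}).get(name, set())
        self._record(name, level, asset, allowed)
        return allowed

    def _record(self, who, action, asset, allowed) -> None:
        """Accountability: attribute every attempt, successful or not, to an identity."""
        self.audit_log.append((who, action, asset, "ALLOW" if allowed else "DENY"))


def demo() -> AccessControl:
    """Constructed walk-through; returns the object so the audit log can be inspected."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple")
    ac.grant("payroll.db", "alice", "read")
    ac.authenticate("alice", "wrong password")          # DENY, still logged
    ac.authenticate("mallory", "anything")              # unknown identity, still logged
    if ac.identify("alice") and ac.authenticate("alice", "correct horse battery staple"):
        ac.authorize("alice", "payroll.db", "read")     # ALLOW
        ac.authorize("alice", "payroll.db", "write")    # DENY: level not granted
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Note that failed authentications and denied authorizations are logged under the identity that was presented; that is what makes the log usable for accountability, and why an unverified label is still worth recording.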
Information Aggregation
Collection and combination of pieces of non-private data, which could result in information that violates privacy. Not to be confused with aggregate information.
Integrity
Attribute of information that describes how data is whole, complete, and uncorrupted.
Privacy
In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.
Attack
Intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Also known as a threat event.
Exploit
Technique used to compromise a system. This term can be a verb or noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain.
Loss
Single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
Threat
Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat.
Threat Agent
Specific instance or a component of a threat.
Vulnerability
Potential weakness in an asset or its defensive control system(s).
Intellectual Property (IP)
Creation, ownership, and control of original ideas as well as the representation of those ideas.
Software Piracy
Unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
Availability Disruption
Interruption in service, usually from a service provider, which causes an adverse event within an organization.
Blackout
Long-term interruption in electrical power availability.
Brownout
Long-term decrease in the quality of electrical power availability.
Fault
Short-term interruption in electrical power availability.
Noise
Presence of additional and disruptive signals in network communications or electrical power delivery.
Sag
Short-term decrease in electrical power availability.
Service Level Agreement (SLA)
Document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
Spike
Short-term increase in electrical power level, also known as a swell.
Surge
Long-term increase in electrical power level.
Advanced Persistent Threat (APT)
Collection of processes, usually directed by a human agent, that targets a specific organization or individual.
Brute Force Password Attack
Attempt to guess a password by trying every possible combination of characters until the correct one is found.
Competitive Intelligence
Collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.
Cracker
Hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
Cracking
Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.
Dictionary Password Attack
Variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.
Expert Hacker
Hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers. Often create the automated exploits, scripts, and tools used by other hackers.
Industrial Espionage
Collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.
Jailbreaking
Escalating privileges to gain administrator-level control over a smartphone operating system, usually an Apple iOS device such as an iPhone. See also rooting.
Novice Hacker
Relatively unskilled hacker who uses the work of expert hackers to perform attacks. aka neophyte, n00b, or newbie. Includes script kiddies and packet monkeys.
Packet Monkey
Script kiddie who uses automated exploits to engage in denial-of-service attacks.
Penetration Tester
Information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
Phreaker
Hacker who manipulates the public telephone system to make free calls or disrupt services.
Pretexting
Form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information. Commonly performed by telephone.
Privilege Escalation
Unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Professional Hacker
Hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.
Rainbow Table
Precomputed table of hash values and their corresponding plaintext values, used to look up passwords if an attacker is able to steal a system's hashed password file. It works only against unsalted hashes: with a per-password salt the attacker would have to recompute the table for every salt value.
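The brute force, dictionary and rainbow table cards describe three ways of turning a stolen hash back into a password. The following is an added example, not from the original flashcards, of a genuine (if tiny) rainbow table in Python: chains of hash-then-reduce steps over a constructed space of 4-digit PINs, storing only chain endpoints, and a lookup that walks a target hash forward to an endpoint and then regenerates the matching chain. The password space, chain length and number of chains are toy values chosen so the table builds in well under a second; a salted digest is included to show why the same table is useless once a per-password salt is in play.

```python
import hashlib

SPACE = 10_000      # constructed toy password space: "0000".."9999"
CHAIN_LEN = 50      # hashes covered per stored endpoint
NUM_CHAINS = 400    # 400 * 50 = 20,000 chain links for a 10,000-value space


def digest(pw: str) -> bytes:
    """Unsalted hash, the precondition for any precomputed table."""
    return hashlib.sha256(pw.encode()).digest()


def salted_digest(pw: str, salt: str) -> bytes:
    return hashlib.sha256((salt + ":" + pw).encode()).digest()


def reduce_fn(d: bytes, step: int) -> str:
    """Reduction: map a digest back into the password space. The step index is mixed
    in so that two chains colliding in one column diverge again in the next."""
    return f"{(int.from_bytes(d[:8], 'big') + step) % SPACE:04d}"


def chain(start: str) -> list:
    """Full chain p0..pL; only p0 and pL are stored in the table."""
    pws = [start]
    for step in range(CHAIN_LEN):
        pws.append(reduce_fn(digest(pws[-1]), step))
    return pws


def build_table() -> dict:
    """endpoint -> [start points]; spreads starts across the space deterministically."""
    table = {}
    for i in range(NUM_CHAINS):
        start = f"{(i * 25) % SPACE:04d}"
        table.setdefault(chain(start)[-1], []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return a plaintext whose hash is target, or None if no chain covers it."""
    # Assume target sits in column pos of some chain; walk it to the endpoint.
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_fn(digest(pw), step)
        for start in table.get(pw, []):
            cand = start                      # endpoint matched: regenerate chain
            for step in range(CHAIN_LEN):
                if digest(cand) == target:    # false alarms fall through harmlessly
                    return cand
                cand = reduce_fn(digest(cand), step)
    return None


if __name__ == "__main__":
    table = build_table()
    victim = chain("0000")[7]
    print("unsalted:", lookup(table, digest(victim)))
    print("salted:  ", lookup(table, salted_digest(victim, "x9Q")))
```

Storage is the point: 400 endpoint entries stand in for up to 20,000 hashes, and a real table trades the same way at the scale of billions. A salt defeats it not by making the hash stronger but by making every user's hash a different function of the password, so the precomputation no longer applies.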
Rooting
Escalating privileges to gain administrator-level control over a computer system (including smart phones). Typically associated with Linux and Android operating systems. See also jailbreaking.
Script Kiddie
Hacker of limited skill who uses expertly written software to attack a system. aka skids, kiddies, or script bunnies.
Shoulder Surfing
Direct, covert observation of individual information or system use.
Trespass
Unauthorized entry into the real or virtual property of another party.
Advance-Fee Fraud (AFF)
Form of social engineering, typically conducted via email, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer. This may also involve prepayment for services with a payment larger than required; the overpayment is returned and then the initial payment is repudiated.
Phishing
Form of social engineering in which the attacker provides what appears to be a legitimate communication, but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
Social Engineering
Process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
Spear Phishing
Any highly targeted phishing attack.
Information Extortion
Act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. aka cyberextortion
Ransomware
Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption.
Cyberterrorism
Conduct of terrorist activities by online attackers.
Cyberwarfare
Formally sanctioned offensive operations conducted by a government or state against the information or systems of another government or state. Also known as information warfare.
Hacktivist
Hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. aka cyberactivist.
Back Door
Malware payload that provides access to a system by bypassing normal access controls. Also an intentional access control bypass left by a system designer to facilitate development.
Boot Virus
Type of virus that targets the boot sector or Master Boot Record of a computer system’s hard drive or removable storage media.
Clickbait
Content, such as email attachments or embedded links, crafted to convince unsuspecting users to click it, which results in more web traffic for the content provider or in the installation of unwanted software or malware.
Denial-of-Service (DoS) Attack
Attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Distributed Denial-of-Service (DDoS) Attack
DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Domain Name System (DNS) Cache Poisoning
Intentional compromise and modification of a DNS server's cache or database to redirect legitimate traffic to illegitimate Internet locations. Also known as DNS spoofing.
Macro Virus
Type of virus written in a specific macro language to target applications that use the language. The virus is activated when a document produced by the application is opened. Typically affects documents, slideshows, emails, or spreadsheets created by office suite applications.
Malware
Computer software specifically designed to perform malicious or unwanted actions.
Polymorphic Threat
Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
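Why a fixed signature fails against a polymorphic threat is clearer in code. The following is an added example, not from the original flashcards: a constructed "payload" byte string is re-encoded under a different single-byte XOR key for each generation, so every copy has different bytes while decoding to the same thing. A static signature scanner that looks for the payload's bytes misses every variant; a scanner that first runs the variant's own decoder (the emulation approach real antivirus engines use) catches them all. The payload, signature and encoder are toy stand-ins, not real malware.

```python
# Constructed stand-in for a malicious body; nothing here does anything harmful.
PAYLOAD = b"EVIL_PAYLOAD_DO_BAD_THINGS"
SIGNATURE = b"EVIL_PAYLOAD"   # the byte pattern a signature database would hold


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Polymorphic generation: a one-byte 'decoder header' (the key) followed by
    the payload encoded under that key. Each key yields a different byte string."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the payload unchanged")
    return bytes([key]) + xor(PAYLOAD, key)


def decode(variant: bytes) -> bytes:
    """What the variant does to itself at run time before executing."""
    return xor(variant[1:], variant[0])


def signature_scan(sample: bytes) -> bool:
    """Static matching on preconfigured bytes."""
    return SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Emulate the decoder first, then match on the decoded body."""
    return SIGNATURE in decode(sample)


def evaluate(keys) -> dict:
    variants = [make_variant(k) for k in keys]
    return {
        "variants": len(variants),
        "distinct": len(set(variants)),
        "static_detected": sum(signature_scan(v) for v in variants),
        "emulated_detected": sum(emulating_scan(v) for v in variants),
    }


if __name__ == "__main__":
    print(evaluate(range(1, 256)))
```

The generalization beyond this toy is that any reversible transformation whose parameters change per copy has the same effect on byte signatures; real engines therefore key on the decoder's behaviour or on the decoded body, not on the ever-changing envelope.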
Virus
Type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system’s email program.
Mean Time Between Failures (MTBF)
Average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
Mean Time to Diagnose (MTTD)
Average amount of time a computer repair technician needs to determine the cause of a failure.
Mean Time to Failure (MTTF)
Average amount of time until the next hardware failure.
Mean Time to Repair (MTTR)
Average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Leadership
Process of influencing others and gaining their willing cooperation to achieve an objective by providing purpose, direction, and motivation.
Management
Process of achieving objectives by appropriately applying a given set of resources.
Controlling
Process of monitoring progress and making necessary adjustments to achieve desired goals or objectives.
Organizing
Structuring of resources to maximize their efficiency and ease of use.
Planning
Process of creating designs or schemes for future efforts or performance.
Governance
Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.
Policy
Guidelines that dictate certain behavior within the organization.
Ethics
Branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment.
Deterrence
Act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place.
Computer Fraud and Abuse (CFA) Act
Cornerstone of many computer-related federal laws and enforcement efforts, the CFA formally criminalizes “accessing a computer without authorization or exceeding authorized access” for systems containing information of national interest as determined by the U.S. government.
Computer Security Act (CSA)
US law designed to improve security of federal information systems. It charged the National Bureau of Standards, now NIST, with the development of standards, guidelines, and associated methods and techniques for computer systems, among other responsibilities.
Electronic Communications Privacy Act (ECPA) of 1986
Collection of statutes that regulate the interception of wire, electronic, and oral communications. These statutes are frequently referred to as the “federal wiretapping acts.”
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Attempts to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
Privacy Act of 1974
Federal law that regulates the government’s collection, storage, use, and dissemination of individual personal information contained in records maintained by the federal government.
Due Care
Measures that an organization takes to ensure every employee knows what is acceptable and what is not.
Due Diligence
Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations.
Jurisdiction
Power to make legal decisions and judgments, typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions.
Liability
Entity’s legal obligation or responsibility.
Long-Arm Jurisdiction
Ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.
Restitution
Legal requirement to make compensation or payment resulting from a loss or injury.
Digital Forensics
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.
Digital Malfeasance
Crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.
e-discovery
Identification and preservation of evidentiary material related to a specific legal action.
Evidentiary Material
Also known as “items of potential evidentiary value,” any information that could potentially support the organization’s legal or policy-based case against a suspect.
Evidentiary Material Policy (EM Policy)
Policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.
Forensics
Coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court-like setting. Forensics allows investigators to determine what happened by examining the results of an event - criminal, natural, intentional, or accidental.
Search Warrant
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator’s lab for examination. An affidavit becomes a search warrant when signed by an approving authority.
Stakeholder
A person or organization that has a stake or vested interest in a particular aspect of the planning or operation of the organization; in this case, the information assets used in a particular organization.
Strategic Planning
Process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.
Governance, Risk Management, and Compliance (GRC)
An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance.
Champion
High-level executive, such as a CIO or VP-IT, who will provide political support and influence for a specific project.
Controls and Safeguards
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
Methodology
Formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective.
Security Systems Development Life Cycle (SecSDLC)
Formal approach to designing information security programs that follows the methodology of a traditional information systems development life cycle (SDLC), including a recursive set of phases such as investigation, analysis, logical design, physical design, implementation, and maintenance and change.
Systems Development Life Cycle (SDLC)
Methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system.
Information Security Policies
Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
Policy
In business, a statement of managerial intent designed to guide and regulate employee behavior in the organization; in IT, a computer configuration specification used to standardize system and user behavior.
Guidelines
Nonmandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to “use strong passwords, frequently changed,” the guidelines might advise that “we recommend you don’t use family or pet names, or parts of your Social Security number, employee number, or phone number in your password.”
Practices
Examples of actions that illustrate compliance with policies. If the policy states to “use strong passwords, frequently changed,” the practices might advise that “according to X, most organizations require employees to change passwords at least semiannually.”
Procedures
Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. If the policy states to “use strong passwords, frequently changed,” the procedure might advise that “in order to change your password, first click on the Windows Start button, then . . .”
Standard
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must “use strong passwords, frequently changed,” the standard might specify that the password “must be at least 8 characters, with at least one number, one letter, and one special character.”
Enterprise Information Security Policy (EISP)
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.
Issue-Specific Security Policy (ISSP)
Organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
Access Control Lists (ACLs)
Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capability tables.
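The card above lists three forms of authorization specification (access lists, matrices, capability tables). They are the same information viewed differently, which the following added Python example demonstrates; it is not from the original flashcards, and the subjects, objects and rights are constructed. It builds an access control matrix, derives the per-object ACL (column view) and per-subject capability table (row view) from it, and shows which questions each view answers cheaply: "who can read this object?" is a one-line ACL query, while "strip everything this subject holds" is a one-line row operation on the matrix or capability table.

```python
from collections import defaultdict

# Constructed access control matrix: subject -> object -> set of rights.
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob":        {"hr_policy.pdf": {"read"}},
    "svc_backup": {"payroll.db": {"read"}, "hr_policy.pdf": {"read"}},
}


def to_acl(matrix: dict) -> dict:
    """Column view: object -> {subject: rights}. This is what a file system or
    database attaches to each protected object."""
    acl = defaultdict(dict)
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            acl[obj][subject] = set(rights)
    return dict(acl)


def to_capabilities(matrix: dict) -> dict:
    """Row view: subject -> sorted list of (object, right) tokens the subject holds."""
    return {s: sorted((o, r) for o, rs in objs.items() for r in rs)
            for s, objs in matrix.items()}


def is_authorized(acl: dict, subject: str, obj: str, right: str) -> bool:
    """Default deny: an unknown object, unknown subject or missing right all fail closed."""
    return right in acl.get(obj, {}).get(subject, set())


def who_can(acl: dict, obj: str, right: str) -> list:
    """Cheap on an ACL: read one object's entry."""
    return sorted(s for s, rights in acl.get(obj, {}).items() if right in rights)


def revoke_subject(matrix: dict, subject: str) -> dict:
    """Cheap on the row view: drop one row. On a pure ACL system this would mean
    visiting every object's list, which is why offboarding is error-prone there."""
    return {s: objs for s, objs in matrix.items() if s != subject}


if __name__ == "__main__":
    acl = to_acl(MATRIX)
    print(who_can(acl, "payroll.db", "read"))
    print(to_capabilities(revoke_subject(MATRIX, "bob")))
```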
System-Specific Security Policies (SysSPs)
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, managerial guidance and technical specifications, but may be written as a single unified SysSP document.
Information Security Program
Entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to its information assets.
Chief Information Officer (CIO)
Typically considered the top information technology officer in an organization. The CIO is usually an executive-level position, and frequently the person in this role reports to the CEO.
Chief Information Security Officer (CISO)
Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
Chief Security Officer (CSO)
In some organizations, an alternate title for the CISO; in other organizations, the title most commonly assigned to the most senior manager or executive responsible for both information and physical security.
Security Administrator
Hybrid position comprising the responsibilities of both a security technician and a security manager.
Security Analyst
Specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system.
Security manager
In larger organizations, a manager responsible for some aspect of information security who reports to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
Security Technician
Technical specialist responsible for the implementation and administration of some security-related technology.
Security Watchstander
Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology. Also known as a security staffer.
Security Awareness
Portion of the SETA program dedicated to keeping employees conscious of key InfoSec issues through the use of newsletters, posters, trinkets, and other methods.
Security Education
Portion of the SETA program based on formal delivery of knowledge of InfoSec issues and operations, usually through institutions of higher learning.
Security Education, Training, and Awareness (SETA)
Managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizational employees.
Security Training
Portion of the SETA program focused on providing users with the knowledge, skill, and/or ability to use their assigned resources wisely to avoid creating additional risk to organizational information assets.
Project Management
Process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal.
Scope Creep
Expansion of the quantity or quality of project deliverables from the original project plan.
Critical Path Method (CPM)
Diagramming technique, similar to PERT, designed to identify the critical path: the sequence of dependent tasks whose combined duration sets the shortest elapsed time in which the project can be completed. A delay to any task on that path delays the whole project.
Gantt Chart
Diagramming technique named for its developer, Henry Gantt, which lists activities on the vertical axis of a bar chart and provides a simple timeline on the horizontal axis.
Program Evaluation and Review Technique (PERT)
Diagramming technique developed in the late 1950s that involves specifying activities and their sequence and duration.
Projectitis
Situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.
Work Breakdown Structure (WBS)
List of the tasks to be accomplished in the project; the WBS provides details for the work to be accomplished, the skill sets or even specific individuals to perform the tasks, the start and end dates for the task, the estimated resources required, and the dependencies between and among tasks.
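The WBS, PERT and CPM cards describe one workflow: list tasks with durations and dependencies, then find the path that bounds the schedule. The following is an added example, not from the original flashcards, that carries that workflow through in Python on a constructed WBS for a small security-program project (task names and durations are hypothetical). It runs the standard forward pass (earliest start/finish), backward pass (latest start/finish), computes slack, and reports the zero-slack tasks as the critical path, rejecting a WBS whose dependencies form a cycle.

```python
# Constructed WBS: task -> (duration in days, list of prerequisite tasks).
TASKS = {
    "A_charter":       (2, []),
    "B_asset_inv":     (5, ["A_charter"]),
    "C_threat_assess": (4, ["B_asset_inv"]),
    "D_policy_draft":  (6, ["A_charter"]),
    "E_controls":      (7, ["C_threat_assess", "D_policy_draft"]),
    "F_training":      (3, ["D_policy_draft"]),
    "G_rollout":       (2, ["E_controls", "F_training"]),
}


def topo_order(tasks: dict) -> list:
    """Dependencies before dependents; raises on a cycle (which CPM cannot schedule)."""
    state, order = {}, []          # state: 1 = in progress, 2 = done

    def visit(t):
        if state.get(t) == 2:
            return
        if state.get(t) == 1:
            raise ValueError(f"dependency cycle through {t}")
        state[t] = 1
        for dep in tasks[t][1]:
            visit(dep)
        state[t] = 2
        order.append(t)

    for t in sorted(tasks):
        visit(t)
    return order


def critical_path(tasks: dict):
    """Returns (project duration, critical path in order, slack per task)."""
    order = topo_order(tasks)
    es, ef = {}, {}                                  # forward pass
    for t in order:
        dur, deps = tasks[t]
        es[t] = max((ef[d] for d in deps), default=0)
        ef[t] = es[t] + dur
    finish = max(ef.values())

    successors = {t: [] for t in tasks}
    for t, (_, deps) in tasks.items():
        for d in deps:
            successors[d].append(t)
    ls, lf = {}, {}                                  # backward pass
    for t in reversed(order):
        lf[t] = min((ls[s] for s in successors[t]), default=finish)
        ls[t] = lf[t] - tasks[t][0]

    slack = {t: ls[t] - es[t] for t in tasks}        # float each task can absorb
    path = [t for t in order if slack[t] == 0]
    return finish, path, slack


if __name__ == "__main__":
    finish, path, slack = critical_path(TASKS)
    print(f"{finish} days; critical path: {' -> '.join(path)}")
    for t, s in slack.items():
        print(f"  {t:16s} slack={s}")
```

For the constructed WBS the project needs 20 days and the critical path is A, B, C, E, G; policy drafting can slip three days and training seven before either affects the finish date.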
Enterprise Risk Management (ERM)
Evaluation and reaction to risk to the entire organization; ERM is not restricted to the risk facing information assets.
Risk Assessment
An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
Risk Management (RM)
Entire program of planning for and managing risk to information assets in the organization. Also InfoSec risk management.
RM Framework
The overall structure of the strategic planning and design for the entirety of the organization’s RM (risk management) effort.
RM Process
Identification, analysis, evaluation, and treatment of risk to information assets, as specified in the RM framework.
Risk Management Policy
Policy designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets.
Residual Risk
Risk to information assets that remains even after current controls have been applied.
Risk Appetite
Quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Risk Appetite Statement
Formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances.
Risk Management Plan
A document that contains specifications for the implementation and conduct of RM efforts.
Risk Tolerance/Risk Threshold
Assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization’s overall risk appetite.
Zero Tolerance Risk Exposure
Extreme level of risk tolerance whereby the organization is unwilling to allow any successful attacks or suffer any loss to an information asset.
Data Classification Scheme
Formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
Information Asset
Within the context of risk management, any collection, set or database of information or any asset that collects, stores, processes, or transmits information of value to the organization. Here the terms data and information are interchangeable.
Media
Hardware, integral operating systems, and utilities that collect, store, process, and transmit information.
Risk Identification
Recognition, enumeration, and documentation of risks to an organization’s information assets.
Threat Assessment
Evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
Impact
Understanding of the potential consequences of a successful attack on an information asset by a threat.
Likelihood
Probability that a specific vulnerability within an organization will be attacked by a threat.
Risk Analysis
Determination of the extent to which an organization’s information assets are exposed to risk.
Uncertainty
State of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes.
Risk Evaluation
Process of comparing an information asset’s risk rating to the numerical representation of the organization’s risk appetite or risk threshold to determine if risk treatment is required.
Process Communications
Necessary information flow within and between the governance group, RM framework team, and RM process team during the implementation of RM.
Process monitoring and Review
Data collection and feedback associated with performance measures used during the conduct of the process.
Bot
Abbreviation for robot, an automated software program that executes certain commands when it receives a specific input. Also zombie.
Mail Bomb
Attack designed to overwhelm the receiver with excessive quantities of email.
Man-In-The-Middle
Group of attacks whereby an attacker intercepts a communications stream and inserts himself into the conversation, convincing each of the legitimate parties that the attacker is the other communications partner. Some variants target the encryption or key exchange functions the parties rely on.
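The card notes that some man-in-the-middle attacks involve encryption functions; the classic case is an unauthenticated key exchange, where the interceptor simply negotiates a separate key with each side. The following is an added example, not from the original flashcards, that plays out a Diffie-Hellman exchange three ways in Python: honestly, with Mallory swapping in her own public value, and with each public value authenticated under a long-term key (an HMAC stands in for a signature so the example runs offline). The prime is a constructed 61-bit toy value, far too small for real use, and the party names and long-term secret are hypothetical.

```python
import hashlib
import hmac
import secrets

P = (1 << 61) - 1   # constructed toy prime; real groups are 2048 bits or larger
G = 2


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Shared secret g^(ab) mod p, hashed into a symmetric key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()


def tag(ltk: bytes, pub: int) -> bytes:
    """Stand-in for a signature: authenticate the public value under a long-term key."""
    return hmac.new(ltk, pub.to_bytes(8, "big"), "sha256").digest()


def run(mitm: bool, authenticate: bool, ltk: bytes = b""):
    """Returns (alice_key, bob_key, mallory_keys). A party that rejects the
    peer's value ends with None; mallory_keys is None when there is no attacker."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()

    a_tag = tag(ltk, a_pub) if authenticate else b""
    b_tag = tag(ltk, b_pub) if authenticate else b""
    # In transit, Mallory can replace the public value but cannot forge its tag.
    bob_receives = (m_pub, a_tag) if mitm else (a_pub, a_tag)
    alice_receives = (m_pub, b_tag) if mitm else (b_pub, b_tag)

    def accept(pub: int, t: bytes) -> bool:
        return (not authenticate) or hmac.compare_digest(t, tag(ltk, pub))

    alice_key = session_key(a_priv, alice_receives[0]) if accept(*alice_receives) else None
    bob_key = session_key(b_priv, bob_receives[0]) if accept(*bob_receives) else None
    mallory = (session_key(m_priv, a_pub), session_key(m_priv, b_pub)) if mitm else None
    return alice_key, bob_key, mallory


if __name__ == "__main__":
    ak, bk, mk = run(mitm=True, authenticate=False)
    print("unauthenticated, MITM: alice==bob?", ak == bk,
          "| alice shares with mallory?", ak == mk[0], "| bob shares with mallory?", bk == mk[1])
    ak, bk, mk = run(mitm=True, authenticate=True, ltk=b"constructed long-term secret")
    print("authenticated, MITM: both abort?", ak is None and bk is None)
```

Without authentication the exchange completes on both sides and each party believes it has a private channel, while every byte passes through Mallory's two keys; the arithmetic is identical, only the binding of public value to identity is missing. That binding, whether by certificate, pre-shared key or out-of-band fingerprint check, is what the authenticated variant supplies.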
Packet Sniffer / Network Sniffer
Software program or hardware appliance that can intercept, copy, and interpret network traffic.
Pharming
Redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Polymorphic Threat
Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
Spam
Unsolicited commercial e-mail, typically advertising transmitted in bulk.
Spoofing
Technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
TCP Hijacking / Session Hijacking
Form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. TCP/IP is short for Transmission Control Protocol/Internet Protocol.
Tools, Techniques, and Procedures (TTP)
Means and methods used by adversaries to attack an information asset. More commonly expanded as tactics, techniques, and procedures, the form used by the MITRE ATT&CK framework.
Trojan Horse
Malware program that hides its true nature and reveals its designed behavior only when activated.
Worm
Type of malware that is capable of activation and replication without being attached to an existing program.