hh Flashcards
“The quality or state of being secure—to be free from danger”
Security
Types of security
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
Critical Characteristics of Information
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
Components of an Information System
– Software
– Hardware
– Data
– People
– Procedures
– Network
SDLC
Systems Development Life Cycle
Systems Development Life Cycle (SDLC)
methodology for design and implementation of an information system within an organization
SDLC: 6 general phases
Investigation
Analysis
Logical design
Physical design
Implementation
Maintenance and change
Preliminary cost-benefit analysis is developed
Investigation
determine what new system is expected to do and how it will interact with existing systems
Analysis
Data support and structures capable of providing the needed inputs are identified
Creates and develops blueprints for information security
Logical Design
Technologies to support the alternatives identified and evaluated in the logical design are selected
Components evaluated on make-or-buy decision
Physical Design
Needed software created
Components ordered, received, and tested
Users trained and documentation created
Implementation
Longest and most expensive phase
Consists of tasks necessary to support and modify system for remainder of its useful life
Maintenance and Change
Information Security Project Team
A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End user
responsible for the security and use of a particular set of information
Data owner
responsible for storage, maintenance, and protection of information
Data custodian
end users who work with information to perform their daily jobs supporting the mission of the organization
Data users
an object, person, or other entity that represents a constant danger to an asset
Threat
Intellectual property (IP)
ownership of ideas and control over the tangible or virtual representation of those ideas
Malware attacks
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Back door or trap door
– Polymorphic threats
– Virus and worm hoaxes
Develops software scripts and program exploits
Usually a master of many skills
Will often create attack software and share with others
Expert hacker
Many more unskilled hackers than expert hackers
Use expertly written software to exploit a system
Do not usually fully understand the systems they hack
TRUE
Unskilled hacker
“cracks” or removes software protection designed to prevent unauthorized duplication
Cracker
hacks the public telephone network
Phreaker
much more sinister form of hacking
Cyberterrorism
Illegal taking of another’s physical, electronic, or intellectual property
Theft
Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
Attacks
includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
Malicious code
transmission of a virus hoax with a real virus attached; more devious form of attack
Hoaxes
Types of attacks
– Back door
– Password crack
– Brute force
– Dictionary
– Denial-of-service (DoS)
– Distributed denial-of-service (DDoS)
– Spoofing
– Man-in-the-middle
– Spam
– Mail bombing
– Sniffers
– Phishing
– Pharming
– Social engineering
Back door
gaining access to system or network using known or previously unknown/newly discovered access mechanism
attempting to reverse calculate a password
Password crack
trying every possible combination of options of a password
Brute force
selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
Dictionary
attacker sends large number of connection or information requests to a target
Target system cannot handle successfully along with other, legitimate service requests
May result in system crash or inability to perform ordinary functions
Denial-of-service (DoS)
Distributed denial-of-service (DDoS)
coordinated stream of requests is launched against target from many locations simultaneously
technique used to gain unauthorized access; intruder assumes a trusted IP address
Spoofing
attacker monitors network packets, modifies them, and inserts them back into network
Man-in-the-middle
Example: Man-in-the-middle attacks can intercept sensitive information.
unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
Spam
Example: Spam emails can overload a recipient’s inbox.
also a DoS; attacker routes large quantities of e-mail to target
Mail bombing
program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network
Sniffers
Example: Sniffers can be used for network security monitoring, or to steal login credentials.
an attempt to gain personal/financial information from individual, usually by posing as legitimate entity
Phishing
Example: Phishing emails often lead to fake login pages.
redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information
Pharming
using social skills to convince people to reveal access credentials or other valuable information to attacker
Social Engineering
Example: Social engineering tactics can manipulate human behavior, such as impersonating a trusted individual.
rules that mandate or prohibit certain societal behavior
Laws
Example: Laws are enforced by legal authorities.
define socially acceptable behavior
Ethics
Example: Ethics guide decision-making in professional settings.
fixed moral attitudes or customs of a particular group; ethics based on these
Cultural Mores
legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitution
Liability
Example: Liability can result in financial compensation; liability insurance protects against legal claims.
to compensate for wrongs committed by an organization or its employees
Restitution
Example: Restitution can involve disciplinary actions.
ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
Due Care
Example: Due care involves proactive risk management.
making a valid effort to protect others; continually maintaining level of effort
Due Diligence
Example: Due diligence is essential in legal proceedings.
court’s right to hear a case if the wrong was committed in its territory or involved its citizenry
Jurisdiction
Example: Jurisdiction determines which court has legal authority.
right of any court to impose its authority over an individual or organization if it can establish jurisdiction
Long-arm Jurisdiction
body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
Policy
Example: Policies set guidelines for employee conduct.
Criteria for policy enforcement
– Dissemination (distribution)
– Review (reading)
– Comprehension (understanding)
– Compliance (agreement)
– Uniform enforcement
Example: Policy dissemination ensures all employees are informed.
Types of Law
– Civil
– Criminal
– Private
– Public
Example: Different types of law govern various aspects of society.
governs nation or state; manages relationships/conflicts between organizational entities and people
Example: Civil law covers disputes between individuals.
Civil
addresses violations harmful to society; actively enforced by the state
Example: Criminal law punishes illegal actions.
Criminal
regulates relationships between individuals and organizations
Example: Private law governs contracts between parties.
Private
regulates structure/administration of government agencies and relationships with citizens, employees, and other governments
Example: Public law governs government operations.
Public
One of the hottest topics in information security
– Is a “state of being free from unsanctioned intrusion”
– Ability to aggregate data from multiple sources allows creation of information databases previously impossible
Example: Privacy laws protect personal data.
Privacy
occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes
Example: Identity theft can lead to financial loss.
Identity Theft