IAS Flashcards
“The quality or state of being secure—to be free from danger”
Security
Types of security
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
Critical Characteristics of Information
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
Components of an Information System
– Software
– Hardware
– Data
– People
– Procedures
– Network
SDLC
Systems Development Life Cycle
methodology for the design and implementation of an information system within an organization
Systems Development Life Cycle (SDLC):
formal approach to problem solving based on a structured sequence of procedures
Methodology
SDLC: six general phases
investigation
analysis
logical design
physical design
implementation
maintenance and change
A preliminary cost-benefit analysis is developed
Investigation
Determines what the new system is expected to do and how it will interact with existing systems
Analysis
- Data support and structures capable of providing the needed inputs are identified
- Creates and develops blueprints for information security
Logical Design
- Technologies to support the alternatives identified and evaluated in the logical design are selected
- Components evaluated on a make-or-buy decision
Physical Design
- Needed software created
- Components ordered, received, and tested
- Users trained and documentation created
Implementation
- Longest and most expensive phase
- Consists of the tasks necessary to support and modify the system for the remainder of its useful life
Maintenance and Change
Information Security Project Team
- A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
responsible for the security and use of a particular set of information
Data owner
responsible for the storage, maintenance, and protection of information
Data custodian
end users who work with information to perform their daily jobs supporting the mission of the organization
Data users
an object, person, or other entity that represents a constant danger to an asset
Threat
“ownership of ideas and control over the tangible or virtual representation of those ideas”
Intellectual property (IP)
Malware attacks
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Back door or trap door
– Polymorphic threats
– Virus and worm hoaxes
– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share it with others
Expert hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they hack
Unskilled hacker
“cracks” or removes software protection designed to prevent unauthorized duplication
Cracker
hacks the public telephone network
Phreaker
much more sinister form of hacking
Cyberterrorism
Illegal taking of another’s physical, electronic, or intellectual property
Theft
Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
Attacks
includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
Malicious code
transmission of a virus hoax with a real virus attached; more devious form of attack
Hoaxes
Types of attacks
– Back door
– Password crack
– Brute force
– Dictionary
– Denial-of-service (DoS)
– Distributed denial-of-service (DDoS)
– Spoofing
– Man-in-the-middle
– Spam
– Mail bombing
– Sniffers
– Phishing
– Pharming
– Social engineering
gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
Back door
attempting to reverse-calculate a password
Password crack
trying every possible combination of options of a password
Brute force
selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
Dictionary
attacker sends a large number of connection or information requests to a target
* Target system cannot handle these successfully along with other, legitimate service requests
* May result in a system crash or inability to perform ordinary functions
Denial-of-service (DoS)
coordinated stream of requests is launched against a target from many locations simultaneously
Distributed denial-of-service (DDoS)
technique used to gain unauthorized access; intruder assumes a trusted IP address
Spoofing
attacker monitors network packets, modifies them, and inserts them back into the network
Man-in-the-middle
unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
Spam
also a DoS; attacker routes large quantities of e-mail to a target
Mail bombing
program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
Sniffers
an attempt to gain personal/financial information from an individual, usually by posing as a legitimate entity
Phishing
redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information
Pharming
using social skills to convince people to reveal access credentials or other valuable information to the attacker
Social engineering
rules that mandate or prohibit certain societal behavior
Laws
define socially acceptable behavior
Ethics
fixed moral attitudes or customs of a particular group; ethics are based on these
Cultural mores
legal obligation of an entity extending beyond criminal or contract law; includes the legal obligation to make restitution
Liability
to compensate for wrongs committed by an organization or its employees
Restitution
ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
Due care
making a valid effort to protect others; continually maintaining that level of effort
Due diligence
court’s right to hear a case if the wrong was committed in its territory or involved its citizenry
Jurisdiction
right of any court to impose its authority over an individual or organization if it can establish jurisdiction
Long arm jurisdiction
body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
Policies
Criteria for policy enforcement:
– Dissemination (distribution)
– Review (reading)
– Comprehension (understanding)
– Compliance (agreement)
– Uniform enforcement
Types of Law
* Civil
* Criminal
* Private
* Public
governs a nation or state; manages relationships/conflicts between organizational entities and people
Civil
addresses violations harmful to society; actively enforced by the state
Criminal
regulates relationships between individuals and organizations
Private
regulates the structure/administration of government agencies and their relationships with citizens, employees, and other governments
Public
- One of the hottest topics in information security
- Is a “state of being free from unsanctioned intrusion”
- Ability to aggregate data from multiple sources allows creation of information databases previously impossible
Privacy
Federal Trade Commission: “occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes”
Identity Theft