isa Flashcards
Items of fact collected by an organization. Data includes
raw numbers, facts, and words. Student quiz scores are a simple
example of data.
Data
The unauthorized taking of personally
identifiable information with the intent of committing fraud and
abuse of a person’s financial and personal reputation,
purchasing goods and services without authorization, and
generally impersonating the victim for illegal or unethical
purposes
Identity Theft
The first widely recognized
published document to identify the role of management and
policy issues in computer security.
RAND Report R-609
The model, which was created by John
McCumber in 1991, provides a graphical representation of the
architectural approach widely used in computer and
information security,
McCumber Cube
are rules that mandate or prohibit certain behavior and
are enforced by the state.
Laws
In 1973, an Internet pioneer identified
fundamental problems with ARPANET security.
Robert M. Metcalfe
A well-informed sense of assurance that
information risk and controls are in balance.
Information Security
is a potential weakness in an asset or its
defensive control system(s).
Vulnerability
measures that an organization takes to ensure every
employee knows what is acceptable and what is not
Due care
Reasonable steps taken by people or
organizations to meet the obligations imposed by laws or
regulations.
Due diligence
In the context of information security, the right of
individuals or groups to protect themselves and their
information from unauthorized access, providing
confidentiality.
Privacy
The power to make legal decisions and
judgments; typically, an area within which an entity such as a
court or law enforcement agency is empowered to make legal
decisions
Jurisdiction
An entity’s legal obligation or responsibility
Liability
A legal requirement to make compensation or
payment resulting from a loss or injury
Restitution
An intentional or unintentional act that can damage
or otherwise compromise information and the systems that
support it. Attacks can be active or passive and direct or
indirect.
Attack
The creation, ownership, and
control of original ideas as well as the representation of those
ideas.
Intellectual property (IP)
A model
of information security that evolved from a concept developed by
the computer security industry called the C.I.A. triad.
The Committee on National Security Systems (CNSS)
has been the standard for computer security in both
industry and government since the development of the
mainframe.
C.I.A. triad
means the need to secure the physical
location of computer technology from outside threats.
Computer Security
a collection of related data stored in a structured
form and usually managed by a database management system.
Database
During the Cold War, many more mainframe
computers were brought online to accomplish more
complex and sophisticated tasks.
1960s
These mainframes required a less cumbersome process
of communication than mailing magnetic tapes
between computer centers
1960s
In response to this need, the Department of Defense’s
Advanced Research Projects Agency (ARPA) began
examining the feasibility of a redundant, networked
communications system to support the military’s
exchange of information.
1960s
developed the ARPANET
(Advanced Research Projects Agency Network)
project
In 1968, Dr. Larry Roberts
an interruption in service, usually
from a service provider, which causes an adverse event within
an organization
Availability Disruption
Guidelines that dictate certain behavior within the
organization
Policy
The fixed moral attitudes or customs of a
particular group
Cultural Mores
The unauthorized duplication, installation,
or distribution of copyrighted computer software, which is a
violation of intellectual property.
Software Piracy
A document or part of a
document that specifies the expected level of service from a
service provider. An SLA usually contains provisions for
minimum acceptable availability and penalties or remediation
procedures for downtime.
Service Level Agreement (SLA)
The documented product of operational
planning; a plan for the organization’s intended operational
efforts on a day-to-day basis for the next several months.
Operational plan
The actions taken by management to
specify the short-term goals and objectives of the organization
in order to obtain specified tactical goals, followed by estimates
and schedules for the allocation of resources necessary to
achieve those goals and objectives
Operational planning
The documented product of tactical planning; a
plan for the organization’s intended tactical efforts over the next
few years.
Tactical plan
The actions taken by management to
specify the intermediate goals and objectives of the
organization in order to obtain specified strategic goals,
followed by estimates and schedules for the allocation of
resources necessary to achieve those goals and objectives.
Tactical planning
Conduct a thorough risk
assessment to identify potential threats and
vulnerabilities associated with the adoption of the new
cloud-based system. This assessment should consider
factors such as data sensitivity, regulatory compliance
requirements, and the potential impact of security
breaches on the organization’s operations and
reputation.
Risk Assessment:
Develop a set of
security policies and procedures tailored to the specific
needs of the organization and aligned with industry
best practices. These policies should cover areas such
as data encryption, access controls, authentication
mechanisms, and incident response protocols.
Security Policies and Procedures
Implement a range of security
controls to mitigate identified risks and vulnerabilities.
This may include deploying firewalls, intrusion
detection systems, endpoint protection solutions, and
encryption technologies to safeguard data both in
transit and at rest
Security Controls
Provide
comprehensive training and awareness programs to
educate employees about security best practices, their
roles and responsibilities in maintaining security, and
the potential consequences of security breaches. This
will help create a security-conscious culture within the
organization
Employee Training and Awareness
Establish mechanisms for continuous monitoring of
the security posture of the cloud-based system,
including regular vulnerability assessments,
penetration testing, and log analysis. This will enable
the organization to proactively identify and address
emerging security threats and weaknesses
Continuous Monitoring and Improvement:
Ensure that
the security plan is in compliance with relevant
regulatory requirements such as GDPR, CCPA, and
industry standards like ISO 27001. Additionally,
consider legal implications related to data sovereignty,
contractual agreements with cloud service providers,
and liability in the event of security incidents
Compliance and Legal Considerations:
Collaborate closely with
stakeholders to identify security requirements early in
the development process. Conduct threat modeling
exercises to anticipate potential security risks and
define security objectives for the project.
Requirements Gathering:
Integrate security principles into the
architectural design of the software. Define security
controls, such as authentication mechanisms, access
controls, encryption methods, and secure
communication protocols. Consider security
implications when designing user interfaces and data
flows
Design Phase:
Implement secure coding
practices and guidelines to mitigate common
vulnerabilities such as injection attacks, cross-site
scripting (XSS), and insecure deserialization. Use
secure development frameworks and libraries to
reduce the risk of introducing security flaws into the
codebase
Development Phase:
Conduct thorough security testing,
including static code analysis, dynamic application
security testing (DAST), and penetration testing.
Identify and remediate security vulnerabilities,
ensuring that the software meets security requirements
and industry standards.
Testing Phase:
allows the attacker
to acquire valuable information, such as account
credentials, account numbers, or other critical
data.
Cross-Site Scripting (XSS)
caused by a developer’s
failure to ensure that command input is validated
before it is used in the program.
Command Injection
Implement secure deployment
practices, such as using secure configuration settings,
encrypting sensitive data, and regularly patching and
updating software components. Employ secure
deployment pipelines and automate security checks to
ensure consistent and secure deployments.
Deployment Phase:
Establish procedures for
monitoring and maintaining the security of the
deployed software. Implement security monitoring
tools to detect and respond to security incidents in real time.
Provide regular security updates and patches to
address newly discovered vulnerabilities
Maintenance Phase:
an attacker can make the
target system execute instructions or take
advantage of some other unintended consequence
of the failure
Buffer Overruns
Document security-related decisions, configurations, and procedures
throughout the SDLC. Provide training and awareness
programs for developers, testers, and other
stakeholders to promote a security-conscious culture
and ensure adherence to security policies and best
practices.
Documentation and Training:
One of the marks of
effective software is the ability to catch and
resolve exceptions—unusual situations that
require special processing. If the program
doesn’t manage exceptions correctly, the
software may not perform as expected
Catching Exceptions
Traffic on
a wired network is also vulnerable to interception
in some situations.
Failure to Protect Network Traffic
Failure to properly implement sufficiently strong
access controls makes the data vulnerable.
Failure to Store and Protect Data Securely
can cause a variety of
unexpected system behaviors.
Failure to Handle Errors
An attacker may
embed characters that are meaningful as
formatting directives (such as %x, %d, %p, etc.)
into malicious input.
Format String Problems
If an attacker changes the
expected location of a file by intercepting and
modifying a program code call, the attacker can
force a program to use files other than the ones it
is supposed to use
Improper File Access
Those who understand the
workings of such a “random” number generator
can predict particular values at particular times
Failure to Use Cryptographically Strong
Random Numbers
While most programmers
assume that using SSL guarantees security, they
often mishandle this technology.
Improper Use of SSL
One of the most common
methods of obtaining inside and classified
information is directly or indirectly from one
person, usually an employee
Information Leakage
An
integer bug can result when a programmer does
not validate the inputs to a calculation to verify
that the integers are of the expected size
Integer Bugs (Overflows/Underflows)
Developers use a
process known as change control to ensure that
the working system delivered to users represents
the intent of the developers
Neglecting Change Control
Employees prefer doing things
the easy way. When faced with an “official way”
of performing a task and an “unofficial way”—
which is easier—they prefer the latter.
Poor Usability
a failure of a program that
occurs when an unexpected ordering of events in its execution results in a conflict over access to
the same system resource.
Race Conditions
occurs when developers fail to
properly validate user input before using it to
query a relational database
SQL Injection
Other
attacks attempt to compromise the DNS servers
further up the DNS distribution model—those of
ISPs or backbone connectivity providers.
Trusting Network Address Resolution
an
unauthorized person might receive a key that was
copied onto a USB device and shipped
Unauthenticated Key Exchange
can cause problems that allow an attacker to send malicious code to the user’s computer by inserting the script into an otherwise normal Web site.
Web Client-Related Vulnerability (XSS)
Cross-site request forgery (XSRF or CSRF) attacks cause users to attack servers they access legitimately, on behalf of an outside attacker.
Web Server-Related Vulnerabilities (XSS, XSRF, and Response Splitting)
an
attacker can harvest the information from a magic
URL as it travels across the network, or use
scripts on the client to modify information in
hidden form fields.
Use of Magic URLs and Hidden Forms
Failure to require sufficient password strength and to control incorrect password entry is a serious security issue.
Use of Weak Password-Based Systems
one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Computer Security Act of 1987
which provides law enforcement agencies with broader latitude to combat terrorism related activities.
USA PATRIOT Act of 2001
is the cornerstone of many computer-related federal laws and enforcement efforts.
Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA)
mandates that all federal agencies establish information security programs to protect their information assets.
Federal Information Security Management Act (FISMA)
known as the National Bureau of Standards prior to 1988—is responsible for developing these security standards and guidelines in cooperation with the National Security Agency.
National Institute of Standards and Technology (NIST)