Security Flashcards
What is information security?
All the processes and policies designed to protect an org's info and IS from unauthorized access, use, disclosure, disruption, modification, or destruction
What is a Threat to an info source?
any danger to which a system may be exposed
What is the exposure of an info resource?
The harm, loss, or damage that can result if a threat compromises that resource
What is an info resource's vulnerability?
Possibility that a threat will harm that resource
What is cybercrime?
illegal activities conducted over computer networks, particularly the internet
What are 5 factors contributing to vulnerability of organizational resources?
- Interconnected, interdependent, wirelessly networked business environment
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- Lack of management support
What are human error risk areas?
Higher level employees and greater access privileges are a greater threat
2 areas: HR and IS
What are human mistakes?
- Carelessness with devices
- Opening questionable emails
- Careless internet surfing
- Poor passwords
- Carelessness with one’s office
- Carelessness using unmanaged devices
- Carelessness with discarded equipment
- Careless monitoring of environmental hazards
What is social engineering?
An attack in which the perpetrator uses social skills to trick a legitimate employee into providing confidential company information such as passwords
What are social engineering methods?
- Impersonation: pretending to be a manager or an IS employee
- Tailgating: following behind an employee to enter restricted areas
- Shoulder surfing: watching over shoulder
Examples of deliberate threats to IS?
- Espionage
- Theft of equipment and info
- ID theft
- Software attacks
What is espionage/trespass?
Occurs when an unauthorized individual attempts to gain illegal access to an org's info.
Used for competitive intelligence
What is identity theft?
Deliberate assumption of another person’s identity, usually to gain access to their financial info or to frame them for a crime
Stealing mail, stealing personal info, infiltrating orgs that store large amounts of personal info, phishing
What are the types of software attacks?
- Remote attacks needing user action
- Remote attacks needing no user action
- Attacks by a programmer developing system
What are types of remote attacks needing user action?
- Virus: performs malicious actions by attaching itself to another computer program
- Worm: performs malicious actions and spreads by itself
- Phishing: deception to acquire info
- Spear phishing: attacks a large group of people
What are types of remote attacks needing no user action?
- Denial-of-service attack: an attacker sends so many info requests to a computer system that the target cannot handle them successfully and crashes
- Distributed denial-of-service attack: the attacker first takes over many computers; these computers are zombies or bots, and the attacker uses the bots to form a botnet that delivers a coordinated stream of info requests to a target computer, causing it to crash
What are types of attacks by a programmer developing a system?
- Trojan horse: software programs that hide in other computer programs and reveal their designed behaviour only when activated
- Back door: password known only to the attacker that allows them to access a computer system at will
- Logic bomb: code embedded within an org's existing computer programs, designed to activate and perform a destructive action under specific conditions
What is ransomware?
Malicious software that blocks access to a computer system or encrypts an org's data until the org pays a sum of money
What are orgs doing to protect info resources?
Risk management with 3 processes:
- Risk analysis
- Risk mitigation
- Controls evaluation
What is involved in risk analysis?
- Assessing the value of the asset
- Estimating the probability that each asset will be compromised
- Comparing the probable cost of the asset being compromised with the cost of protecting it
What is risk mitigation?
Process where an org takes concrete actions against risks
Implementing controls to prevent threats from occurring and developing a means of recovery if the threat becomes a reality
What are the most common risk mitigation strategies?
- Risk acceptance: accept the potential risk, continue operating with no controls
- Risk limitation: implementing controls that minimize impact of threat
- Risk transference: transfer the risk by using other means to compensate for the loss, such as by purchasing insurance
What is controls evaluation?
Org identifies security deficiencies and calculates the costs of implementing adequate control measures to compare against the value of those measures
If the cost of implementing a control is greater than the value of the asset, the control is not cost effective
What are info security controls?
- Physical controls: stop unauthorized individuals. Walls, doors, gates…
- Access controls: physical or logical (PIN, password programs, advanced biometric security)
- Communication/network controls: ensure data can move securely across the network. Firewalls, VPN
What is authentication and authorization?
Authentication: confirms the ID of the person requiring access -> something the user is, something they have, something they do (signature), something they know (PIN)
Authorization: determines which actions, rights or privileges the person has, based on their verified ID
What is encryption?
Process of converting an original message into a form that cannot be read by anyone except the intended receiver; all systems use a key, which is the code that scrambles and decodes the messages
Symmetric vs asymmetric key algorithms
Symmetric: encryption that uses the same key for encryption and decryption
Asymmetric: uses a pair of keys, a public key and a private key
Public keys are used for encryption or signature verification
Private keys decrypt and sign
What is a digital certificate?
Electronic document attached to a file that certifies that the file is from the org it claims to be from and has not been modified from its original format