Security Flashcards
Ensuring that information is viewable only by authorized users or systems, and is either inaccessible or unreadable to unauthorized users.
Confidentiality
Ensuring that information remains accurate and complete over its entire lifetime. In particular, this means making sure that data in storage or transit can’t be modified in an undetected manner.
Integrity
Ensuring that information is always easily accessible to authorized users. This means making sure that connectivity and performance are maintained at the highest possible level.
Availability
The core of information security is commonly summed up into three components, known as the CIA triad
Confidentiality
Integrity
Availability
The chance of harm coming to an asset
Risk
Anything that can cause harm to an asset
Threat
Any weakness the asset has against potential threats
Vulnerability
Malicious or unwanted software designed to steal data or impair your computer’s performance
Malware
Hackers, malicious software, and other automated attacks can try to access your computer over the network to steal data, or implant malware.
Network attacks
A malicious or even negligent user getting access to your account can do damage directly, or just weaken other security measures to make your data more vulnerable
Unauthorized users
Older hardware, software, and network protocols commonly have outdated security features or known vulnerabilities that make them unsafe against modern threats
Insecure technologies
Most common vulnerabilities in the enterprise include:
Insecure technologies
Weak configurations
Non-compliant systems
Physical environment
User behavior
Weak documentation
Target vulnerabilities which have not yet been patched, and may not even be known to software vendors
Zero-day attacks
Watching someone who is viewing or entering sensitive information, or eavesdropping on confidential conversations
Shoulder surfing
Hunting for discarded documents and other media in a target’s trash, looking for information
Dumpster diving
Getting into a secure area by tagging along right behind someone who has legitimate access, with or without their knowledge
Piggybacking/Tailgating
Impersonating an authority figure or other relevant person over the phone and requesting sensitive information
Phone impersonation
Sending unsolicited emails or other electronic messages, with undesired or malicious content
Spam
Using fake but official-looking messages to trick users into performing dangerous actions
Phishing
A variant of phishing that targets specific people, such as members of an organization or even individual users
Spear phishing
Malware attached to an infected file, usually an executable program but possibly as a script inside a data file like an office document
Virus
Malware that spreads without any human interaction
Worm
Malware that appears to be a harmless or useful program, like a game or even an anti-virus application
Trojan horse
Any hidden way into a system or application that bypasses normal authentication systems.
Backdoor
Turns the computer into a zombie: part of a large network of computers that performs distributed network attacks or other processing tasks
Botnet
Malware that compromises boot systems and core operating system functions in order to hide from most detection methods
Rootkit
A particularly intrusive sort of malware that attempts to extort money from the victim in order to undo or prevent further damage
Ransomware
Malware specifically designed to gather information about user and computer activities to send to other parties, often through a backdoor
Spyware
Malware that delivers advertisements to the infected system, either as pop-ups or within browser or other application windows
Adware
The attacker tries every possible password or key in a methodical order, until finding the right one
Brute force
The attacker uses a word list, such as a literal dictionary or a list of common passwords
Dictionary attack
Many password-based authentication systems rely on cryptographic hashes generated from the password, rather than the password itself
Hash table
A more popular variety of hash table that’s designed to use less disk space, most effective against short passwords
Rainbow table
Designed to prevent legitimate users from accessing a network service or an entire network
DoS: Denial of service
Where a single target is flooded by traffic from many individual computers, often spread across the Internet.
DDoS: Distributed denial of service
Any attack that intercepts or observes private communications
Eavesdropping
A form of eavesdropping where an attacker intercepts and relays communications between two points, often impersonating each party in the eyes of the other
Man-in-the-middle
A technique that falsifies the origin of network communications, either to redirect responses or to trick users into thinking it comes from a trustworthy source
Spoofing
An attacker giving false replies to DNS requests sent by a host, in order to redirect traffic to a malicious or fraudulent site
DNS hijacking
A US federal law designed to prevent fraudulent accounting practices. It applies primarily to financial records managed by companies that do business in the United States.
SOX: The Sarbanes-Oxley Act of 2002
A US law governing health insurance coverage, but from an IT perspective it protects the privacy of patient records. It applies to any organization that stores or handles protected data.
HIPAA: The Health Insurance Portability and Accountability Act
A newly enacted European Union regulation which protects the privacy of individual data related to EU residents. It applies not only to any organization in the EU which handles personal information, but specifically to foreign organizations that do business with or market to EU residents.
GDPR: The General Data Protection Regulation
It’s a set of shared rules developed by the world’s major credit card companies and administered by the PCI Council. Part of the contract an organization must sign before it is permitted to process payment cards.
PCI DSS
Information that can be used to uniquely identify an individual person, either on its own or in conjunction with other information.
PII: Personally identifiable information
Positive identification of a person or system wishing to initiate communications, for example via a username/password or an ID card.
Authentication
Specifying the exact resources a given authorized user is allowed to access, such as file permissions on a hard drive.
Authorization
Auditing and logging the actions of an authenticated user for later review, such as operating system logs tracking logins and accessed files
Accounting
A list attached to a resource, giving permissions, or rules about exactly who can access it.
ACL: Access control list
Members of this group have full control of the computer, and they can assign user rights and access control permissions to users as necessary
Administrators
Only found on Domain accounts. Members of this group have full control of computers throughout the domain
Domain Admins
Members of this group can perform common tasks and run most applications
Users
In older versions of Windows, members of this group had privileges beyond that of an ordinary user, but less than that of an administrator
Power Users
Connected to an individual’s health status, medical treatments, and health care payments. Defined by HIPAA, and must be protected by any organization under the jurisdiction of that law
PHI: Protected health information
A broad set of privacy laws intended to make sure that businesses make consumers aware of what PII they collect about them, and to give consumers more control over what is collected and how long it is kept.
GDPR
Regulations apply to any information regarding payment cards issued by major credit card vendors, and the customers that pay using those cards
PCI
Uses the same key for both encryption and decryption. Also known as private key cryptography, since the key must be kept secret for the security to be effective
Symmetric
Uses two mathematically related keys. Data encrypted with the first key can only be decrypted with the second, and vice-versa. Also known as public key cryptography, since typically only one key is kept private and the other is public knowledge.
Asymmetric
Don’t contain the original data and can’t be reliably reversed. However, since any change to data changes its hash, data can be compared to a stored hash to verify its integrity. Hashes are important in data preservation, authentication, and system integrity checking. Common algorithms include MD5, SHA-1, and the SHA-2 family.
Hashing
3 Authentication factors
Knowledge
Possession
Inherence
Any physical property intrinsic to an individual human body, ranging from fingerprints to DNA to scent
Biometrics
Examples of Biometrics
Fingerprint and palm scanners
Retinal scanners
Iris scanners
Facial recognition
Voice recognition systems
A file created and signed using special cryptographic algorithms.
Digital certificate
Valid for a single session, so can’t be stolen and reused.
OTP: A one-time password
Any physical device used to aid authentication by containing secret information
Hardware token
A process that utilizes a communications channel that is separate from the primary communication channel used by two entities trying to establish an authenticated connection.
Out-of-band authentication