Information Assurance
A method of protecting and controlling the risks associated with private data while it is being delivered, processed, and stored.
Information Security
The process of protecting data by minimizing information risks, which includes eliminating the likelihood of misuse or unauthorized access to data.
CIA Triad
A model that includes three core principles: Confidentiality, Integrity, and Availability.
Confidentiality
Keeping disclosure and permitted access boundaries in place, protecting private data, and protecting individual privacy.
Integrity
It comprises preventing unauthorized modification or removal and guaranteeing the authenticity and non-repudiation of data.
Availability
It ensures reliable access to information at the appropriate time.
Separation of Privilege
Access control should require multiple independent conditions to enhance security (e.g., multi-factor authentication).
Least Privilege
Users and processes should operate with the minimum privileges necessary to perform their tasks.
Psychological Acceptability
Security measures should be user-friendly to ensure compliance without frustration.
Isolation
Keep critical system components separate to limit the impact of security breaches.
Encapsulation
Restrict direct access to data and ensure that interactions occur through controlled interfaces.
Modularity
Design systems in independent, interchangeable components to enhance security and maintainability.
Layering
Implement multiple layers of defense to provide redundancy in case one layer fails.
Least Astonishment
System behavior should be predictable and intuitive to avoid user errors that compromise security.
Foundation of Security
Technology brings impactful changes that can make businesses flourish.
Importance of Security
Security plays a vital role in our daily lives. It is essential to protect us, our families, our homes, and our businesses.
Security Design Principle
Security plays a vital role in our daily lives. It is essential to protect us, our families, our homes, and our businesses.
Use Proven Technology
Leverage secure, well-maintained tools and libraries.
Create Awareness
Educate developers on threats and security principles.
Limit Instruction Dependence
Provide security guidelines in context rather than relying solely on developer knowledge.
Ensure Maintainability
Keep code clean and manageable to reduce security risks.
Security Frameworks
A number of frameworks, including those from the National Institute of Standards and Technology (NIST), assist organizations in putting security measures in place and reducing risks.
Software Security
To create safe systems, it is essential to comprehend software security design principles.
Threats and Vulnerabilities
Effective cybersecurity management requires an understanding of potential threats and vulnerabilities.
Cybersecurity
This entails employing technologies, procedures, and policies to defend networks, systems, and data against cyberattacks.
Automate Security Checks
Use tools to detect vulnerabilities efficiently.
Conduct Manual Reviews
Supplement automated tools with expert security assessments.
Integrate Privacy by Design
Incorporate data protection measures.
Continuously Improve
Develop a structured plan for ongoing security enhancements.
Secure Existing Systems
Apply security principles retroactively to legacy code.
Economy of Mechanism
Keep security designs simple and small to reduce complexity and minimize vulnerabilities.
Fail-safe Defaults
Deny access by default and grant permissions only when explicitly allowed.
Complete Mediation
Every access request must be checked for authorization, preventing bypassing of security controls.
Open Design
Security should not rely on secrecy; systems should remain secure even if their design is publicly known.
Managing the Policy
Use Secure Perspective to effectively manage the security policy you've defined and implemented for your business.
Security Policy
A security policy is a written document outlining how a company protects its physical and IT assets.
Threats
Anything that can take advantage of a vulnerability to breach security and negatively alter, erase, or harm an object or objects of interest.
Attack
An information security threat that involves an attempt to obtain, alter, destroy, remove, implant, or reveal information without authorized access or permission.
IT Security Policy
An IT Security Policy defines the rules and procedures for accessing and using an organization's IT resources.
Phishing
A social engineering attack that tricks users into revealing sensitive information, such as usernames and passwords, through deceptive emails, texts, or messages.
Email Phishing
Phishing emails use fake domains or deceptive sender names to steal credentials or install malware.
Whaling
Whaling, or CEO fraud, involves attackers impersonating executives via email to request money transfers or document reviews.
Smishing
Smishing is a phishing attack via text messages, tricking users into clicking malicious links that install malware.
Vishing
Vishing, or voice phishing, uses phone calls to trick victims into revealing sensitive information, often by impersonating authorities.
Angler Phishing
Angler phishing exploits social media notifications or messages to deceive users into taking harmful actions.
HTTPS Phishing
Cybercriminals now use HTTPS links in phishing attacks to appear legitimate.
Spear Phishing
Spear phishing targets specific individuals or organizations with deceptive messages that appear trusted, tricking them into revealing sensitive information or compromising their devices.
Pharming
Pharming attacks hijack DNS servers to redirect users to fraudulent websites that mimic legitimate ones.
Pop-up Phishing
Attackers exploit website pop-ups to inject malicious code, tricking users into installing malware by allowing notifications.
Clone Phishing
Clone phishing mimics legitimate emails, replacing attachments or links with malware while appearing to come from a trusted sender.
Evil Twin
An evil twin attack uses a fake Wi-Fi hotspot to steal login credentials through man-in-the-middle tactics.
Watering Hole Phishing
A watering hole attack infects websites commonly visited by a specific group of end users to compromise their devices and gain network access.
Supply Chain Attack
Supply chain attacks are an emerging kind of threat that targets software developers and suppliers.
Acceptable Use Policy (AUP)
Outlines proper practices for employees when accessing IT assets, including hardware, data, internet, and email.
Security Awareness and Training Policy
Well-trained staff is crucial for successful IT security implementation.
Incident Response Policy
Focuses on handling security incidents, distinct from the Disaster Recovery Plan.
Network Security Policy
Ensures that an organization's information systems have appropriate hardware, software, and auditing mechanisms.
Change Management Policy
Ensures that all IT and security changes are managed, tracked, and approved.
Password Creation and Management Policy
Password policy educates employees on creating strong, unique passwords and how often to change them.
Access Control Policy
Ensures users have authorized access to company data.
Remote Access Policy
Remote data security is a growing concern as remote work becomes more common.
Business Email Compromise (BEC)
A cyberattack where attackers impersonate a trusted executive, employee, or business partner to deceive organizations into transferring money or sensitive data.
Authenticated Scans
Using privileged access, these scans detect weaknesses within your internal networks.
Network Scans
Identify weaknesses in network devices like routers, firewalls, and switches by checking for open ports, weak passwords, and outdated firmware.
Web Application Scans
Detect vulnerabilities in web applications, including SQL injection, cross-site scripting (XSS), and insecure authentication.
Host-Based Scans
Assess servers or workstations for missing patches, misconfigurations, and outdated software.
Database Scans
Spot security issues in database systems, such as weak encryption, insecure settings, and unpatched vulnerabilities.
Account Compromise
An executive or employee's email account is hacked and used to request invoice payments to vendors listed in their email contacts.
Attorney Impersonation
Attackers impersonate a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters.
Data Theft
Employees under HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives.
CEO Fraud
Attackers impersonate a company's CEO or executive to trick employees into making unauthorized wire transfers or sharing sensitive information.
Bogus Invoice Scheme
A fraud tactic where attackers pose as suppliers or vendors, sending fake invoices to businesses to deceive them into making payments to fraudulent accounts.
Penetration Testing
Conducted manually by experts, it simulates real-world attacks. Though it takes more time and is costlier, it offers a detailed and accurate evaluation of security risks.
IoT
Stands for the Internet of Things, which refers to the network of interconnected physical devices embedded with sensors, software, and connectivity that allow them to collect and exchange data.
Application Security
Involves detecting and fixing vulnerabilities in application software to protect against unauthorized access, alterations, or misuse.
IoT Security
Refers to protecting IoT devices and networks from cyber threats, unauthorized access, and data breaches.
Smart Home Devices
Appliances, security cameras, smart doorbells, and voice assistants often have weak security, making them vulnerable to cyberattacks.
Medical Equipment
Cybercriminals may target IoT healthcare devices like pacemakers, insulin pumps, and patient monitors to disrupt services or steal sensitive health information.
Industrial Control Systems (ICS)
IoT systems in manufacturing and critical infrastructure are susceptible to attacks, leading to operational failures, production delays, or physical damage.
Connected Vehicles
Modern vehicles use IoT for navigation, safety, and diagnostics.
Wearable Technology
Smartwatches, fitness trackers, and other IoT-enabled wearables collect personal health data that can be intercepted or misused by cybercriminals.
Top Security Strategies for Protecting IoT Devices
Includes encryption and secure communication, strong authentication and access controls, network segmentation and firewall, regular updates and patch management, and endpoint protection and monitoring.
Authentication
Verifies user identity, typically using a username and password.
Authorization
After authentication, a user can be authorized to access an application by verifying their identity against a list of approved users.
Encryption
Additional security measures protect sensitive data from cybercriminals even after user verification.
Logging
If a security breach occurs in an application, logging can assist in determining who gained access to the data and how they did so.
Application Testing
A method that ensures that all of these security controls are functioning effectively.
Vulnerability Scanning
An automated process that identifies security weaknesses in computers, networks, and communication systems.
Unauthenticated Scans
These identify vulnerabilities in your external security perimeter without requiring login credentials.
Platform Security
Consists of a collection of tools, processes, and an overarching architectural framework designed to safeguard an enterprise's entire computing environment.
Hardware Security
Relies on physical devices and mechanisms for protection, rather than depending solely on security software like antivirus programs.
Static Application Security Testing (SAST)
Detects code flaws by analyzing source files to identify root causes.
Dynamic Application Security Testing (DAST)
Proactively simulates security breaches on live applications to identify exploitable flaws.
Interactive Application Security Testing (IAST)
Combines SAST and DAST by analyzing applications in real-time during development or production.
Run-time Application Security Protection (RASP)
Focuses on security within applications, providing continuous monitoring and automatic responses to threats.
Appsec Risk
Ensuring the protection of physical devices and components is crucial for preventing unauthorized access, tampering, and hardware-based attacks.
Physical Tampering
Involves unauthorized access to hardware devices to alter, damage, or manipulate them.
Side-Channel Attacks
Exploit unintended information leakage from a device's physical operations, such as power consumption, electromagnetic emissions, or timing variations.
Eavesdropping
Involves intercepting and monitoring electronic signals or communications without authorization.
Counterfeit Hardware
Refers to the use of unauthorized or fake hardware components, which may contain vulnerabilities or malicious code.