Internet
Global network of networks enabling communication and data transfer.
World Wide Web (WWW)
Application layer service on the Internet using HTTP/HTTPS for websites.
TCP
Transmission Control Protocol; reliable, connection-oriented communication (e.g., web browsing, email).
UDP
User Datagram Protocol; connectionless and lower overhead, with no delivery guarantee or retransmission (only a basic checksum), so lost packets stay lost (e.g., streaming, gaming).
IoT (Internet of Things)
Everyday devices connected to the Internet (e.g., smartwatches, cars, home sensors).
Cybersecurity
Protecting systems, networks, and data from digital attacks.
Data Security
Ensuring confidentiality, integrity, and availability of information.
Risk
Likelihood a threat will exploit a vulnerability.
Threat
Anything with potential to harm (hackers, malware, disasters).
Vulnerability
A weakness in hardware, software, or processes.
Information System
Combination of hardware, software, data, people, and processes.
Information System Security
Measures to protect an IS from unauthorized access or modification.
CIPA
Children’s Internet Protection Act (protects minors online in schools/libraries).
FERPA
Family Educational Rights & Privacy Act (protects student records).
SOX
Sarbanes-Oxley Act (financial reporting/accounting integrity).
HIPAA
Health Insurance Portability and Accountability Act (medical records privacy).
GLBA
Gramm-Leach-Bliley Act (financial institutions must protect customer data).
PCI DSS
Payment Card Industry Data Security Standard (credit card transactions).
Confidentiality
Prevent unauthorized disclosure (e.g., encryption, access control).
Integrity
Ensure data is accurate and unaltered (e.g., hashing, checksums).
Availability
Ensure systems are accessible when needed (e.g., redundancy, backups).
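The integrity card lists hashing and checksums as the mechanism. The following added example (not part of the original deck) shows the check a practitioner actually needs: a plain SHA-256 digest catches accidental or careless edits, but an attacker who can rewrite the record can rewrite the stored hash next to it, so a keyed HMAC is required when the check value itself is in reach of the attacker. The record, the tampered copy and the key are all constructed for the demonstration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest: the 'hash/checksum' integrity check on the card."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True if data still matches the stored digest (compare_digest avoids timing leaks)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: only a holder of key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


def integrity_demo() -> dict:
    """Constructed scenario: a stored record plus its check value, then a tampered copy."""
    original = b"account=alice;balance=100"
    tampered = b"account=alice;balance=900"
    key = b"constructed-demo-key-do-not-reuse"  # assumption: a real key comes from a secret store

    stored_hash = sha256_hex(original)
    stored_tag = hmac_sha256_hex(key, original)

    return {
        # A plain hash catches corruption or edits made without updating the hash.
        "hash_detects_edit": not verify_sha256(tampered, stored_hash),
        # But whoever can rewrite the record can recompute and replace the hash too.
        "hash_defeated_by_recompute": verify_sha256(tampered, sha256_hex(tampered)),
        # The HMAC still fails on the tampered record because the attacker lacks the key.
        "hmac_detects_edit": not verify_hmac(key, tampered, stored_tag),
        # Recomputing with a guessed key does not help either.
        "hmac_resists_recompute": not verify_hmac(key, tampered, hmac_sha256_hex(b"guess", tampered)),
    }


if __name__ == "__main__":
    for check, passed in integrity_demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The practical rule this encodes: a hash stored beside the data only protects against accidents; integrity against a deliberate attacker needs a key the attacker does not have (an HMAC) or a signature.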
Uptime
Percentage of time a system is operational.
Downtime
Percentage of time a system is unavailable.
MTTF
Mean Time to Failure: average time a system runs until it fails.
MTTR
Mean Time to Repair: average time to restore service after a failure.
MTBF
Mean Time Between Failures: average time from one failure to the next; for a repairable system, MTBF = MTTF + MTTR.
RPO
Recovery Point Objective: maximum acceptable data loss, measured as the time since the last usable backup.
RTO
Recovery Time Objective: maximum acceptable downtime after a disruption.
User Domain
End-users; risk = weak passwords, phishing.
Workstation Domain
Desktops/laptops; risk = malware, unpatched OS.
LAN Domain
Internal networks; risk = unauthorized access, sniffing.
LAN-to-WAN Domain
Firewall/router zone; risk = intrusion, misconfigurations.
WAN Domain
Internet connections; risk = DoS, eavesdropping.
Remote Access Domain
VPN users; risk = credential theft.
System/Application Domain
Servers & apps; risk = SQL injection, misconfigured services.
Security Policy Framework
Defines rules and procedures for security.
Acceptable Use Policy (AUP)
Defines proper use of company systems.
Security Awareness
Training users on phishing, social engineering.
Asset Classification Policy
Categorize data by sensitivity.
Asset Management Policy
Inventory and handling of assets.
Asset Protection Policy
Defines how assets are protected.
Private Data
PII such as SSN, DOB.
Confidential Data
Internal business data.
Internal Use Only
Data limited to employees.
Public Data
Data open to anyone.
Top Secret / Secret / Confidential
Government-style sensitivity levels.
Drivers for IoT
Connectivity, cost reduction, sensor innovation, and demand for automation.
Evolution of IoT
Shift from simple connected devices to smart, integrated ecosystems.
IoT Impact on Humans
Health monitoring, smart homes, GPS, online banking, e-commerce, cars.
IoT Impact on Business
Retail, remote sensors, traffic monitoring, B2C, B2B, AaaS (Anything as a Service).
E-Business
Conducting business processes on the Internet.
E-Commerce
Buying and selling online (B2C, B2B).
Internet Business Challenges
Security, privacy, interoperability, compliance, infrastructure.
E-Business Strategy Elements
Marketing, e-customer service, payment processing, IoT integration.
IP Mobility
Ability of devices to move across networks without losing connectivity.
Mobile Node
Device moving across networks.
Home Agent
Router on the mobile node's home network that records the node's current care-of address and tunnels packets sent to its permanent home address to that location.
Foreign Agent
Router on the visited network that advertises a care-of address and delivers tunneled packets to the mobile node.
Care of Address
Temporary IP address on the visited network that serves as the tunnel endpoint; the node keeps its permanent home address for its connections.
Correspondent Node
System communicating with mobile node.
IoT Security Challenges
Weak authentication, lack of updates, vulnerable sensors.
IoT Privacy Challenges
Collection of personal data, location tracking.
IoT Interoperability Challenges
Different devices & standards unable to communicate.
Legal/Regulatory Compliance
Who collects data, who sells it, liability issues.
Risk
Likelihood that a threat will exploit a vulnerability.
Threat
Potential cause of harm (hacker, malware, disaster).
Vulnerability
Weakness in system or process.
Impact
Potential damage from a threat.
Event
Any occurrence in system operations.
Incident
Event that negatively impacts security.
Control
Safeguard to mitigate risk.
Countermeasure
Action to prevent or reduce risk.
Risk Management Process
Identify, Assess & Prioritize, Plan Response, Implement, Monitor.
Qualitative Risk Assessment
Uses subjective measures (high, medium, low).
Quantitative Risk Assessment
Uses numeric values (ALE, SLE, ARO).
SLE
Single Loss Expectancy = Asset Value × Exposure Factor.
ARO
Annualized Rate of Occurrence (expected frequency).
ALE
Annualized Loss Expectancy = SLE × ARO.
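The SLE, ARO and ALE cards only make sense as part of the Assess & Prioritize step, so the added example below (not from the original deck) scores a few constructed risk scenarios, ranks them by ALE, maps each ALE onto the High/Medium/Low scale a qualitative assessment would use, and goes one step beyond the cards by pricing a proposed control as ALE reduction minus its annual cost. All asset values, exposure factors, frequencies, rating thresholds and the control's cost are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1)
    aro: float               # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def qualitative_rating(ale: float, high: float = 25_000, medium: float = 5_000) -> str:
    """Map a numeric ALE onto the High/Medium/Low scale of a qualitative assessment.
    The thresholds are an assumption; an organization sets them from its risk appetite."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def prioritize(scenarios):
    """Assess & Prioritize step: largest expected annual loss first."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def control_net_benefit(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Value of a safeguard = ALE reduction minus its yearly cost; negative means it is not worth buying."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed scenarios for a small company; every number here is an assumption.
SCENARIOS = [
    RiskScenario("Ransomware on file server", 200_000, 0.60, 0.25),
    RiskScenario("Laptop theft", 2_000, 1.00, 4.0),
    RiskScenario("Web server defacement", 50_000, 0.10, 2.0),
]


def assessment() -> dict:
    ranked = prioritize(SCENARIOS)
    ransomware = SCENARIOS[0]
    # Proposed control: offline, tested backups cut the exposure factor from 60 % to 15 %
    # while the frequency of attempts stays the same.
    with_backups = RiskScenario(ransomware.name, ransomware.asset_value, 0.15, ransomware.aro)
    return {
        "ranking": [s.name for s in ranked],
        "sle": {s.name: s.sle() for s in SCENARIOS},
        "ale": {s.name: s.ale() for s in SCENARIOS},
        "rating": {s.name: qualitative_rating(s.ale()) for s in SCENARIOS},
        "backup_control_net_benefit": control_net_benefit(ransomware, with_backups, 5_000),
    }


if __name__ == "__main__":
    for k, v in assessment().items():
        print(f"{k}: {v}")
```

The ranking shows why ALE rather than SLE drives prioritization: the laptop has the smallest single loss but, at four thefts a year, outranks nothing only because the defacement's higher frequency lifts it ahead; change the AROs and the order changes with them.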
Administrative Controls
Policies, training, awareness programs.
Detective Controls
Identify incidents (IDS, logs).
Preventive Controls
Stop incidents (firewalls, encryption).
Corrective Controls
Fix after incidents (patches, restores).
Physical Security Examples
Locks, guards, CCTV, fences, biometrics.
Social Engineering Attacks
Phishing, vishing, smishing, tailgating, impersonation.
Wireless Attacks
Evil Twin, Bluesnarfing, War driving, Jamming.
Web App Attacks
SQL Injection, XSS, CSRF, Buffer Overflow, Directory Traversal.
Types of Threats
Disclosure, Alteration, Denial, Fabrication.
Types of Hackers
Black hat, White hat, Gray hat, Crackers.
Business Impact Analysis (BIA)
Identifies critical systems and impact of downtime.
Business Continuity Plan (BCP)
Strategy for continuing operations during disruption.
Disaster Recovery Plan (DRP)
Plan to restore IT systems after disaster.
Gap Analysis
Finding difference between current security and required security.
Compliance Laws
HIPAA, SOX, PCI DSS, FERPA, etc.
BYOD Concerns
Ownership, patch management, antivirus, privacy risks.
Forensics
Collecting, preserving, and analyzing evidence after a security event, with chain of custody documented so the evidence remains admissible.
Privacy Policies
Acceptable use, user acceptance, corporate adherence.
Full Device Encryption
Protects data at rest on laptops/phones.
Remote Wipe
Allows deleting device data remotely.
Screen Locks
Prevents unauthorized access to idle devices.
Application Control
Restricts which apps can be installed/executed.