confidentiality, integrity and availability (CIA)
three basic security protections that must be extended over the information
confidentiality
ensures only approved individuals may access or view info
integrity
ensures that data is correct and unaltered
availability
ensures that information is accessible to authorized users
authentication, authorization and accounting (AAA)
provides a framework to control access to computer resources
authentication
act of verifying credentials are authentic and not fabricated
authorization
grants permission for a user to take a particular action
accounting
creates a record that is preserved of who accessed the network and when they disconnected from it
control
safeguard employed within an enterprise to protect the CIA of information. Also called a countermeasure
managerial
controls that use administrative methods
operational
controls that are implemented and executed by people
technical
controls that are incorporated as part of hardware, software or firmware
physical
controls that implement security in a defined structure and location
deterrent control
controls that attempt to discourage security violations before they occur
preventive control
controls used to prevent the threat from coming in contact with the vulnerability
detective control
controls designed to identify any threat that has reached the system
compensating control
controls that provide an alternative to normal controls that for some reason cannot be used
corrective control
controls intended to mitigate or lessen the damage caused by the incident
directive control
controls designed to ensure that a particular outcome is achieved
threat actor
an individual or entity responsible for attacks
unskilled attackers
individuals who want to perform attacks yet lack the technical knowledge to carry them out
data exfiltration
threat actor’s motivation of unauthorized copying of data
shadow IT
process of bypassing corporate approval for technology purchases (ethical motivation)
insider threat
employees, contractors and business partners who pose a threat from the position of a trusted entity
hacktivists
threat actors who are strongly motivated by philosophical or political beliefs
nation-state actors
threat actors employed by their own government to carry out attacks
advanced persistent threat (APT)
use innovative attack tools that silently extract data over an extended period of time
attack surface
digital platform that threat actors target for their exploits
supply chain
network that moves a product from its creation to the end-user
supply chain infections
malware that can be injected into a product during its manufacturing, storage and distribution
open-source software
software where the source code is available for anyone to use freely without restrictions
malicious update
attack in which a software update is infected with malware and distributed
zero-day
vulnerability for which there are no days of advanced warning
misconfigurations
erroneous technology settings
data loss
the destruction of data so that it cannot be recovered
data exfiltration
stealing data to distribute it to other parties
data breach
stealing data to disclose it in an unauthorized fashion
identity theft
taking personally identifiable information to impersonate someone
framework
series of documented processes used to define policies and procedures for implementation and management of security controls in an enterprise environment
benchmarks/secure configuration guides
serve as a guideline for configuring a device or software so that it is resilient to attacks
requests for comments (RFCs)
document “white papers” that are authored by technology bodies employing specialists, engineers and scientists who are experts in those areas
threat vector
also known as an attack surface