Security Objectives
Are goals and constraints that affect the confidentiality, integrity, and availability of your data and application.
Confidentiality
This property means that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Data integrity
Ensures that data (both stored data and data in transmitted packets) and programs are changed only in a specified and authorized manner.
System integrity
Ensures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability
Ensures that systems work promptly and the service is not denied to authorized users.
Authenticity
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Security attacks
Any action that compromises the security of information owned by an organization.
Security mechanisms
Technical tools and techniques that are used to implement security services.
Security service
A processing or communication service that enhances the security of the data processing systems, and the information transfers of an organization.
Passive Attack
Are in the nature of eavesdropping on, or monitoring of, transmissions; the attacker's goal is to obtain information without altering it, which makes these attacks hard to detect and better addressed by prevention (encryption) than by detection.
Release of message contents
In this type, an attacker will monitor an unprotected communication medium like unencrypted email or telephone call and intercept it for sensitive information.
Traffic analysis
In this type, an attacker monitors communication channels to collect a range of information, including human and machine identities, locations of these identities, and types of encryption used, if applicable.
Active Attack
Involve some modification of stored or transmitted data or the creation of false data.
Masquerade
Takes place when one entity pretends to be a different entity.
Replay
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Data modification
Simply means that some portion of a legitimate message is altered or that messages are delayed or reordered to produce an unauthorized effect.
Denial-of-service attack
Prevents or inhibits the normal use or management of communication facilities.
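To make the three data-manipulating active attacks concrete, the following is an added example (not part of the original card set) in Python using only the standard library. It assumes a constructed shared key and a toy "transfer" message; the verifiers, function names and the nonce scheme are illustrative choices. An HMAC tag alone catches masquerade and data modification, but a verbatim retransmission of a genuine message carries a valid tag and is accepted; tracking nonces already seen is what turns a replay into a detectable event.

```python
import hmac
import hashlib
import json
import secrets

# Constructed shared secret between the legitimate client and the server.
# In practice this is provisioned out of band; the value here is an example only.
SHARED_KEY = b"example-shared-key-not-for-production"


def make_message(key: bytes, payload: dict, nonce: str) -> dict:
    """Build an authenticated message: payload + nonce, tagged with HMAC-SHA256.

    The tag covers the nonce as well as the payload, so neither can be altered
    without invalidating the tag.
    """
    body = json.dumps({"payload": payload, "nonce": nonce}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def naive_verify(key: bytes, msg: dict) -> bool:
    """Integrity/authenticity check only: detects modification and masquerade
    (an attacker without the key cannot forge a valid tag) but accepts replays."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


class ReplayResistantVerifier:
    """Integrity check plus a record of nonces already accepted. A retransmitted
    data unit carries a nonce that has been seen before and is rejected."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def verify(self, msg: dict) -> bool:
        if not naive_verify(self.key, msg):
            return False                     # modified or forged
        nonce = json.loads(msg["body"])["nonce"]
        if nonce in self.seen_nonces:
            return False                     # replay of an already-accepted unit
        self.seen_nonces.add(nonce)
        return True


def run_attacks() -> dict:
    """Run masquerade, data modification and replay against both verifiers."""
    genuine = make_message(SHARED_KEY, {"action": "transfer", "amount": 100},
                           secrets.token_hex(16))

    # Data modification: the attacker edits the amount but cannot recompute the tag.
    tampered = dict(genuine)
    tampered["body"] = genuine["body"].replace('"amount": 100', '"amount": 9000')

    # Masquerade: the attacker builds a message with a guessed key.
    forged = make_message(b"wrong-key", {"action": "transfer", "amount": 100},
                          secrets.token_hex(16))

    hardened = ReplayResistantVerifier(SHARED_KEY)
    return {
        "naive_accepts_genuine": naive_verify(SHARED_KEY, genuine),
        "naive_rejects_tampered": not naive_verify(SHARED_KEY, tampered),
        "naive_rejects_forged": not naive_verify(SHARED_KEY, forged),
        # Replay: the captured genuine message is presented a second time.
        "naive_accepts_replay": naive_verify(SHARED_KEY, genuine),
        "hardened_accepts_first": hardened.verify(genuine),
        "hardened_rejects_replay": not hardened.verify(genuine),
        "hardened_rejects_tampered": not hardened.verify(tampered),
    }


if __name__ == "__main__":
    for check, outcome in run_attacks().items():
        print(f"{check}: {outcome}")
```

The seen-nonce set grows without bound here; a deployed protocol bounds it with a timestamp window or monotonically increasing sequence numbers so old entries can be discarded. Note also that a shared-key MAC gives authenticity and integrity but not nonrepudiation, since either holder of the key could have produced the tag.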
Authentication service
Is concerned with ensuring that communication is authentic.
Access control
Is the ability to limit and control access to host systems and applications via communications links.
Data confidentiality
Is the protection of transmitted data from passive attacks.
Nonrepudiation
Prevents either a sender or a receiver from denying a transmitted message.
Availability service
A system or a system resource is accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.
Online privacy
Refers to privacy concerns related to user interaction with Internet services through web servers and mobile apps.
Data collectors
Collect information directly from their customers, audience, or other types of users of their services.
Data brokers
Compile large amounts of personal data from several data collectors and other data brokers without having direct online contact with the individuals whose information is in the collected data.
Web server security and privacy
Are concerned with the vulnerabilities and threats associated with the platform that hosts a website, including the operating system (OS), file and database systems, and network traffic.
Web application security and privacy
Are concerned with web software, including any applications accessible via the Web.
Web browser security and privacy
Are concerned with the browser used from a client system to access a web server.
Cellular and Wi-Fi infrastructure
Modern mobile devices are typically equipped with the capability to use cellular and Wi-Fi networks to access the Internet and to place telephone calls.
Public application stores (public app stores)
Include native app stores; these are digital distribution services operated and developed by mobile OS vendors.
Device and OS vendor infrastructure
Mobile device and OS vendors host servers to provide updates and patches to the OS and apps.
Enterprise mobility management (EMM)
A general term that refers to everything involved in managing mobile devices and related components (e.g., wireless networks).
App vetting
The process of evaluation and approval or rejection of apps within an organization.
Administrator
A member of the organization who is responsible for deploying, maintaining, and securing the organization's mobile devices as well as ensuring that deployed devices and their installed apps conform to the organization's security requirements.
Auditor
The role of an auditor is to inspect reports and risk assessments from one or more analyzers to ensure that an app meets the security requirements of the organization.
Web application vulnerabilities
Failing to suitably design and implement an application, detect a problem, or promptly apply a fix (patch), which is likely to result in a privacy breach.
User-side data leakage
Failing to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality.
Insufficient data breach response
Not informing the affected persons (data subjects) about a possible breach or data leak, whether it results from intentional or unintentional events.
Insufficient deletion of personal data
Failing to delete personal data effectively and/or in a timely fashion after the termination of the specified purpose or upon request.
Non-transparent policies, terms, and conditions
Not providing sufficient information describing how data are processed, such as their collection, storage, and processing.
Collection of data not required for the primary purpose
Collecting descriptive, demographic, or any other user-related data that are not needed for the system.
Sharing of data with a third party
Providing user data to a third party without obtaining the user's consent.
Outdated personal data
Using outdated, incorrect, or bogus user data and failing to update or correct the data.
Missing or insufficient session expiration
Failing to effectively enforce session termination.
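The following is an added example (not from the original card set) of the server-side enforcement the card above is about, written in Python with the standard library only. The timeout values, class and method names, and the fixed clock values are illustrative assumptions. Three things have to hold for session termination to be effective: an idle timeout, an absolute lifetime that a busy user cannot extend forever, and logout that invalidates the session on the server rather than merely clearing the client's cookie.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store enforcing idle and absolute timeouts and
    explicit termination. Timeout values are example choices, not a standard."""

    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)       # unguessable session identifier
        self._sessions[token] = Session(user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user if the session is live, otherwise None (and purge it)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        too_old = now - s.created_at > self.absolute_timeout
        too_idle = now - s.last_seen > self.idle_timeout
        if too_old or too_idle:
            del self._sessions[token]           # expired: remove so it cannot be reused
            return None
        s.last_seen = now                       # sliding idle window on each use
        return s.user

    def terminate(self, token: str) -> None:
        """Logout: invalidate server-side, not just delete the client's cookie."""
        self._sessions.pop(token, None)


def run_session_demo() -> dict:
    """Exercise idle expiry, absolute expiry and explicit termination
    against a constructed fixed clock (no real time is used)."""
    store = SessionStore(idle_timeout=900, absolute_timeout=28800)
    t0 = 1_700_000_000.0                        # constructed starting timestamp
    results = {}

    tok = store.create("alice", t0)
    results["live_after_10min"] = store.validate(tok, t0 + 600) == "alice"
    results["expired_after_idle"] = store.validate(tok, t0 + 600 + 901) is None
    results["purged_token_stays_dead"] = store.validate(tok, t0 + 600 + 902) is None

    # Touch every 10 minutes so the idle timer never trips; the absolute limit still does.
    tok2 = store.create("bob", t0)
    now, alive = t0, True
    while alive and now < t0 + 28800 + 600:
        now += 600
        alive = store.validate(tok2, now) == "bob"
    results["expired_at_absolute_limit"] = (not alive) and now > t0 + 28800

    tok3 = store.create("carol", t0)
    store.terminate(tok3)
    results["terminated_is_rejected"] = store.validate(tok3, t0 + 1) is None
    return results


if __name__ == "__main__":
    for check, outcome in run_session_demo().items():
        print(f"{check}: {outcome}")
```

Passing the clock in explicitly keeps the checks deterministic and testable; a real deployment would call `time.time()` at the request boundary, and would also rotate the token on privilege changes such as login.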
Insecure data transfer
Failing to provide data transfers over encrypted and secured channels that exclude the possibility of data leakage.
Insecure network communications
Network traffic needs to be securely encrypted to prevent an adversary from eavesdropping.
Web browser vulnerabilities
Adversaries can exploit vulnerabilities in mobile device web browser applications as an entry point to gain access to a mobile device.
Vulnerabilities in third-party libraries
Third-party software libraries are reusable components that may be distributed freely or offered for a fee to other software vendors.