ITI Exam 3 - 2


100 Terms

1

CIA Triad

Confidentiality, Integrity, Availability

- Model that forms the basis of information privacy
- Used for finding vulnerabilities and methods for creating solutions

2

Confidentiality

Preserve restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

3

Availability

Ensure timely / reliable access to and use of information

4

Integrity

Guard against improper information modification or destruction and ensure information non-repudiation / authenticity

5

Data Integrity

Property that data has not been altered without authorization
- Accounts for data in storage, during processing, and in transit

6

System Integrity

Quality that a system has when it performs its intended function without being altered

7

Privacy in Public assignment

Asking us to stalk others (listen to their conversation at a train station, gather information without being noticed, and try to find them online)
- Shows how someone using information observed in a public place is uncomfortable / can be used to find you online
- This is what big tech does

8

Griswold v. Connecticut

Established that there is an implied right to privacy in the U.S. Constitution
- Right to privacy exists "in the penumbras" of the Bill of Rights

9

Is there a right to privacy?

No.
- Not mentioned in the Constitution or Bill of Rights

10

Is the right to privacy implied?

Yes.
- Implied in Bill of Rights
- 4th amendment: citizens have a right to protect themselves, their homes, effects, etc. from "unreasonable searches and seizures" by the government

11

Umbra

Shadow effect / darkest area
- Bill of Rights context: Directly stated in the Bill of Rights

12

Penumbras

Not as dark, affected by shadow and light
- Bill of Rights context: Not directly stated but implied

13

FERPA (Family Educational Rights and Privacy Act)

Law that states students have the right to access their own education records, seek to have records amended, and control disclosure of personally identifiable information
- Part of CIA triad: Confidentiality

14

Information Security

- Protects organizations from bad people
- Protects individuals from bad organizations

15

Hacker

Advanced computer technology enthusiast
- Often a member of a computing / programming subculture (ex: "Hacker culture")

16

Hacking

Manipulating something to do something it was not originally made to do
- Furniture ___: Changing a bookshelf to be a desk
- Computer _____: Changing a computer to execute commands it isn't supposed to do

17

Social Engineering

Any intentional act that influences a person to take an action that may or may not be in their best interests
- Ex: TV commercials (evoke emotions to get you to do something)

18

Types of social engineering attacks

- Pretexting
- Phishing / Whaling
- Vishing
- Scareware
- Tailgating / Piggybacking
- Urgency
- Authority

19

Pretexting

Form of social engineering where an attacker makes up a believable story

20

Authority

Form of social engineering that uses intimidation

21

Five phases of a typical social engineering attack

SE Pyramid (top -> down)

1. OSINT / Intel
2. Pretext Development
3. Attack Plan
4. Attack Launch
5. Reporting

22

Phase 1: OSINT

Open-source information / intelligence gathering
- Sources: Internet, social media, government records
- Skills needed: Research, analysis, writing
- Most time consuming
- Documentation: How will you document, save, and catalog all information you find?

23

Phase 2: Pretext Development

What kind of scenario can we put people in that will increase the likelihood of success when we try to attack the weakest link?
- Decide what changes / additions need to be made to ensure success
- Decide what props / tools are needed

24

Phase 3: Attack Plan

What are the specific steps we will take to compromise the weakest link?
- Contingency plans, backup plans, etc.
- Skills needed: Creativity, great collaboration skills
- Three W's: What, when, who

25

Three W's

What, When, Who
- What: What's the plan? What are we trying to achieve? What does the client want?
- When: When is the best time to launch the attack?
- Who: Who needs to be available at a moment's notice for support / assistance?

26

Phase 4: Attack Launch

Execute the plan
- Use an outline
- Be prepared, don't be so scripted that you can't be dynamic during the attack

27

Phase 5: Reporting

When you are doing this for a client, they want to know how successful you were in attacking them
- Most important phase
- Skills needed: Professional writing and interpersonal skills

28

Social Engineering in Action: Professor's experience

- Hired as a contractor security engineer
- Sometimes tested whole system, including human part of system
- Tasked with trying to steal information about the organization's business from the new team of lawyers working there
- Reason: If we can do it, so can actual criminals

29

Is hacking a crime?

No.
- You can be paid to do it (as a professional)
- Crime is separate from the hacking itself

30

DNS (Domain Name System)

Converts domain names / host names into IP addresses
- Allows users to remember a "friendly name" instead of numbers (easier to remember www.cisco.com than 198.133.219.25)

31

Domain

Any text / string you enter to reach a webpage
- Ex: abc.com

32

IP Address

Number sequence
- If you type this into a browser, it will take you to that website

33

DNS resolver

"Phone book" of the full system
- When a user searches for a website name, this matches it to the IP address

34

Root Server

Top level of DNS hierarchy
- Found in different locations across the world
- Managed by 12 organizations

35

Cache Memory

A type of memory used to temporarily store frequently used data or programs (in this case websites) for quick access

36

TLD (Top Level Domain)

Has all information on top level domains
- Ex: .com, .net, .org

37

Auth Name Server (Domain Name Server)

Sends back the IP address of a particular website the user requested
- IP address is sent back to DNS resolver, which stores it in its cache
- After storing the IP address, it is then sent back to the web browser that originally requested it

38

SOPA (Stop Online Piracy Act) / PIPA (Protect IP Act)

Proposed bills aimed at combating online piracy / copyright infringement
- Raised concerns about potential censorship / threats to internet freedom

39

SOPA / PIPA methods to combat online piracy

- Cut off money (Force a financial service provider to not give money to people associated with a disliked site)
- Block access (DNS, when a user searches a site send them somewhere else / prevent access)

40

Problems with SOPA / PIPA

- Threaten free speech (if websites have users who infringe copyright, the Supreme Court can go after the website itself)
- Stifle innovation / new startups (Innovative companies will get in trouble if the idea could harm existing ones (ex: Movie industry tried to stop VCR by suing them, music industry thought MP3 players were a threat))
- Grant a lot of power to big media corporations

41

Censor Search

Search engines would be asked to not show any results for blacklisted web pages

42

DNS' role in SOPA and PIPA

Allowed websites to redirect users to other sites
- Ex: Looking up reddit, the IP address given to your computer was a different one

43

Hacktivism

Use of computer technology to achieve a political agenda through legally ambiguous means
- Goal: Bring issues to light / cause social change

44

Aaron Swartz

Hacktivist
- Arrested by MIT after connecting a computer to MIT network to download academic journals from JSTOR
- Found dead by suicide

45

Encryption

Process of encoding messages to keep them secret, so only "authorized" parties who know the cipher can read it

46

Algorithm

Series of steps

47

Plain text

Text that is not encrypted

48

Cipher text

Scrambled form of the message / data

49

Specific substitution ciphers to remember

Caesar, ROT13, Vigenere

50

Cipher

Process of turning plain text into cipher text

51

Caesar Cipher

Technique for encryption that shifts the alphabet by some number of characters

52

ROT13

Rotate letters by 13 (or whatever number given)

53

Process of encryption

- Plain text is enciphered to become cipher text
- Cipher text is deciphered through a key

54

Key (encryption)

Code that unlocks encryption
- Receiver needs to know the steps of the key in order to decipher plain text

55

Substitution cipher

Substituting letters for other ones to encrypt a message

56

Information System

Discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information

57

System

Reflects the broader applicability of information resources of any size / complexity organized for the collection, processing, use, etc. of data / information

58

Information

Facts, ideas, or knowledge that could be represented as various forms of data and communicated between systems

59

Data-Mining

Process of analyzing data to extract information not offered by raw data alone
- Allows NSA to create a more detailed understanding of a person's life

60

AES (Advanced Encryption Standard)

- Hardest shell (encryption)
- Available as 128, 192, or 256 bits
- Used in most email programs / web browsers
- Considered so strong that NSA has approved it for government communications
- Due to how strong it is, it was one of the reasons the Utah Data Center was more (since NSA can't break it, they want to be able to store it)
- The more messages a target sends, the more likely it is the system will recognize patterns

61

How trackers work

- When you visit a website, the browser makes a "request" (HTTP request)
- Since advertising code / invisible trackers are on the site, your browser might make hundreds of requests to third parties
- Data is collected (browser, time zone, browser settings, what version of a software you have installed)
- While some data is collected to help the site run correctly, most of the info gathered is to get information on you

62

Main methods of data collection

- Cookie tracking
- Browser fingerprinting

63

Cookies

Small chunks of information that websites store in your browser
- Main purpose: Remember helpful things (ex: login info)

64

Digital Fingerprint

List of characteristics that are unique to a single user, their browser, and their hardware setup
- Includes info such as the information the browser needs to access websites and the location of the website the user is requesting
- Hosts seemingly insignificant information (screen resolution, installed fonts)
- Tracking sites combine all small pieces to form a "fingerprint" of your device

65

Difference between cookies and digital fingerprinting

Cookies:
- Accurate / effective while being used
- Lose all value if removed
- Track user until deleted

Fingerprinting:
- More permanent identifiers
- Things they track are harder to change and impossible to delete

66

Main dynamics that make trackers hard to avoid online

- Impact on usability
- Identifiable protections

67

Impact on usability

Enhanced privacy comes at the expense of functionality
- Many pages require you to disable your ad blocker to see content, or require you to use an "official" app
- Ex: Disabling JavaScript could result in the website losing functionality

68

Identifiable protections

Protections can become a part of your fingerprint
- Add-ons could lead to identification

69

Reason for increase in social engineering

- Easiest to attack
- Cost to set up is low
- Risk of doing an attack is lower
- Potential payout is high

70

Brain modes

- Alpha
- Beta

71

Goal of a social engineer

Get you to make a decision without thinking
- Desired brain mode: Alpha

72

Alpha (brain mode)

Daydreaming, "relaxed, focused concentration"
- Anyone who wants to manipulate you wants you in this mode

73

Beta (brain mode)

Alert, observant, aware of things going on

74

Hacker (Original definition)

Someone who needs to know how something works
- Not satisfied with base knowledge
- Once advanced knowledge was obtained, they would see if it was possible to bypass, enhance, exploit, alter original purpose

75

Oxytocin

Hormone that helps us make decisions
- Linked with trust

76

Dopamine

Produced by brain, released in moments of pleasure, happiness, or stimulation

77

Four vectors of social engineering (malicious)

- SMiShing
- Vishing
- Phishing
- Impersonation
Combination attacks are most common

78

SMiShing

Phishing through text messages
- Includes links
- Once links are clicked, they steal credentials and / or load malware onto devices

79

Vishing

Voice phishing
- Easy, cheap, profitable for attacker
- Ex: AI voice, people will use it to make it sound like it's a loved one in danger

80

Phishing

Sending a message from what appears to be a trusted source in order to obtain personal information
- Most dangerous

81

Impersonation

People impersonate authority and commit crimes
- Ex: A man impersonated police and used that to deal in child pornography

82

What is the weakest link in cybersecurity?

Humans
- Most likely to violate security procedures (error, not knowing information, deliberate actions that compromise an organization)

83

Idea to improve the human factor in cybersecurity

Educate people on how to protect themselves
- Hope: People will comply with expectations and respect the information they have access to

84

Current goal of cybersecurity in organizations

Give humans the context they need on cybersecurity
- Stop using mentality of "weakest link in the chain"
- New focus: Reliable / resistant factor of the system (recognize individual behaviors, acknowledge it's part of an ongoing learning process)

85

Cybersecurity misconception

Companies will be safer if they invest in new technologies
- Incorrect because despite how good tech is, people are the weakest link

86

Solution to people being a risk in cybersecurity

Education needs to teach employees to understand:
- How their actions affect reality / the organization they are a part of
- Individuals need to assume responsibility for the risk that they expose the organization's digital things to

87

Practices used by organizations to make employees more secure

- Practice 1: Training
- Practice 2: Raising awareness
- Practice 3: Appropriation

First two are most commonly used

88

Practice 1: Training

Meeting called to give people information on the organization's process / practices concerning data protection
- Typically done during onboarding process

Informs people of:
- How the relationship is
- How to handle information the organization has
- What is expected of them in terms of their access to information
- Consequences of failing to adhere to organization processes

89

Practice 2: Raising Awareness

Use of concrete actions / experiences to train people
- Allows for development of practical skills / knowledge
- Typically done in the workplace to contextualize actions in people's everyday tasks

90

Practice 3: Appropriation

Construct a meaning / mission for protecting information
- Make it possible to act according to ethical / responsible measures
- Goal: Connect individuals with their responsibilities for results of their choices / actions in relation to data security

91

Aaron Swartz' goal with JSTOR

Distribute a significant portion of their archive
- Reason: "Information is power. But like all power, there are those who want to keep it for themselves"

92

EIFL

Mission: Expand access to scholarly work
- Common theme: Frustration since progress with publishers / online archives was slow
- Prime annoyance: JSTOR (despite claim that they would embrace values of education, JSTOR refused to negotiate discounts)

93

Swartz arrest

Arrested less than 4 months after initial attack (caught breaking into computer closet)
- Indicted on four counts (wire fraud, computer fraud, recklessly damaging a protected computer)
- 9 counts added in September 2012

94

Aaron Swartz attack on JSTOR

Bought a laptop, logged into MIT computer network, and began liberating JSTOR
- Ensuing court case led him to commit suicide on January 11, 2013

95

Guerilla Open Access Manifesto

Aaron Swartz' manifesto discussing the idea of making online information open to the public
- "Information is power"

96

Open Access Movement

Working to change the privatization of online info
- Don't want scientists to do all the work only to have their research locked away
- Might be too late (even if this can be changed, it'll only apply to new things, not stuff that's already behind a paywall)

97

According to Swartz, private corporations are

- Charging academics to pay to read their colleagues' works
- Scan entire libraries but only allow companies to read them
- Scientific articles are only able to be accessed by students in elite universities

98

Swartz' advice for the public

What we need to do:
- Take information, make copies, share them
- Take stuff that isn't copyrighted and add it to archives
- Buy secret databases and put them on the web
- Download scientific journals and upload them to the file-sharing networks

What we can do to help:
- Password share
- Download and upload things

99

Why large corporations are blinded by greed (Aaron Swartz opinion)

- Laws they work under require it
- Shareholders would be mad if they gave everything away for free
- Politicians support them
- Pass laws that make it illegal to share

100

Data "at rest"

Data that is stored somewhere (mobile device, laptop, server, external hard drive)
- Not moving from one place to another