A comprehensive set of practice questions covering the principles of information system security based on the lecture transcript.
How can security be realized according to the transcript?
Security can be realized through Prevention (preventing damage), Detection (detecting damage), and Reaction (recovering the asset, or recovering from the damage).
What is the definition of Information Security provided in the transcript?
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
According to the transcript, why has the success rate of hacking increased despite a decrease in technical skills?
Due to three factors: hacking tools are easily found by googling; end-users have more capable technology (bandwidth and processing speeds); and hacking information manuals are readily accessible.
How does NIST define Information Systems?
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
What are the three things an attacker must have, according to the transcript?
An attacker must have means, opportunity, and motive.
Define 'Vulnerability' as described in the text.
A weakness, design problem, or implementation error in a system that can lead to an unexpected and undesirable event affecting the security of the system.
What is a 'Threat'?
A set of circumstances that has the potential to cause loss or harm, or an indication of a potential undesirable event.
What is the difference between an 'Attack' and a 'Risk'?
A Risk is the possibility of suffering harm or loss, while an Attack is a realization of a threat or an assault on the system security.
Distinguish between White Hat and Black Hat Hackers.
White Hat hackers (Ethical Hackers) try to find weaknesses as part of testing without intent to harm, while Black Hat hackers (crackers) hack to gain unauthorized access and harm operations or steal information.
What is a Grey Hat Hacker?
A blend of black and white hat hackers who exploit security weaknesses without permission for fun or to bring weaknesses to the owner's attention, but without malicious intent.
Define 'Blue Hat Hackers'.
Someone from outside a computer security consulting firm who is brought in to bug-test a system prior to its launch, looking for exploits so that gaps can be closed.
What is a 'Script Kiddie'?
A non-expert who breaks into computer systems using pre-packaged automated tools written by others, usually with little understanding of the underlying concept.
Define 'Hacktivist'.
A hacker who utilizes technology to announce a social, ideological, religious, or political message, often involving website defacement or denial-of-service attacks.
What are 'Security Controls'?
The management, operational, and technical controls (safeguards or countermeasures) prescribed for a system to protect its confidentiality, availability, and integrity.
What is a 'Security Policy'?
A document describing a company’s security controls and activities that states what is and is not allowed without specifying technologies.
Define the security objective of 'Confidentiality'.
Keeping information secret from all but those who are authorized to see or access it; also referred to as secrecy or privacy.
What are the two sub-elements of Integrity?
Data Integrity (the property that data has not been altered in an unauthorized manner) and System Integrity (the quality of a system performing its intended function in an unimpaired manner).
What is 'Non-Repudiation'?
The guarantee that the sender of a message cannot later deny having sent the message and the recipient cannot deny having received it.
Define 'Availability' in the context of information system security.
The ability to access a resource when it is needed, ensuring timely and reliable access to and use of information.
What constitutes a 'Security Mechanism'?
It encompasses protocols, algorithms, and non-cryptographic techniques (hardware protection) used to achieve specific security objectives.
What is 'Social Engineering'?
A technique a hacker uses to steal data through psychological manipulation combined with social scenes.
Define 'Message Authentication'.
Validating the source of information, also known as data origin authentication.