A comprehensive set of vocabulary flashcards covering information security threats, malware types, authentication methods, and organizational defense strategies from Chapters 21.3 and 21.4.
Social Engineering
Methods of manipulation that exploit human psychology rather than technical vulnerabilities to gain unauthorized access or information.
Phishing
The use of technology to acquire sensitive information or trick users into installing malicious software, often appearing to come from a trusted institution.
Spear Phishing
A targeted form of phishing aimed at a specific organization or group, making the attack more convincing and dangerous.
Bad Apples
Rogue employees who represent an internal threat by stealing trade secrets, installing malware, or holding a firm hostage using their trusted access.
AI Deepfakes
Sophisticated AI-generated audio, image, or video designed to convincingly impersonate real people or fabricate events.
Honey Trapping
A social engineering tactic where an attractive individual is deployed to charm targets into revealing information or granting favors.
Zero-Day Exploits
Brand-new attacks that have not yet been identified or incorporated into security screening systems, meaning no patch exists at the time of attack.
Script Kiddies
Unsophisticated attackers who rely on pre-built scripts and downloaded tools to launch attacks.
Biometrics
The measurement of unique human body characteristics, such as fingerprints, facial geometry, or voice prints, for authentication.
Two-Factor Authentication (2FA)
A security process requiring two separate forms of identification, typically something you know combined with something you have.
Multi-Factor Authentication (MFA)
An extension of 2FA that requires more than two credential types to dramatically raise the bar for attackers.
Single-Use Tokenization
A security architecture that generates a unique token per transaction, rendering intercepted data useless for future fraud.
Passkeys
A password replacement standard developed by the FIDO Alliance that uses biometric authentication and public-key cryptography stored on a device.
Malware
Any software that seeks to compromise a computing system without the owner's permission.
Viruses
Malware that attaches to and infects legitimate software or files, spreading when the infected program runs.
Worms
Malware that exploits security vulnerabilities to spread automatically across networks without user interaction.
Trojans
Malicious software that disguises itself as legitimate software to sneak past defenses and execute a payload.
Botnets / Zombie Networks
Networks of hijacked devices used by attackers for click fraud, spam campaigns, and password attacks.
Keylogger
A type of malware or device that records every keystroke to capture passwords, credit card numbers, and confidential messages.
Ransomware
Malware that encrypts files and demands payment for the decryption key, intended to extort individuals or organizations.
Blended Threats
Cyberattacks that combine multiple malware types or hacking exploits for maximum damage and evasion.
SQL Injection
An exploit targeting poorly coded software that fails to validate user input, allowing attackers to manipulate database queries.
Cross-Site Scripting (XSS)
The process of injecting malicious scripts into web pages viewed by other users to hijack sessions or redirect victims.
Buffer Overflow
An attack that overwrites adjacent memory by submitting more data than a program can handle, potentially executing attacker-controlled code.
Dumpster Diving
A physical threat technique involving combing through discarded trash to recover sensitive documents, hardware, or storage media.
Shoulder Surfing
Gaining access credentials by observing someone type or read a screen in a public place.
Encryption
The process of scrambling data using a cipher to render it unreadable to anyone without the corresponding key.
Brute-Force Attacks
Attacks that exhaustively try every possible password combination to gain access.
ISO 27000 Series
The global gold standard for enterprise security governance, providing a model for establishing and maintaining an Information Security Management System.
Red Teams
Authorized adversaries who probe an organization's systems for weaknesses and test organizational defenses.
Adversary ROI Formula
Adversary ROI = Asset Value to Adversary − Adversary Cost
Honeypots
Deliberately tempting, bogus targets designed to lure and expose attackers.
Whitelists
A strict security posture that permits communication only with pre-approved entities or in approved formats.
Single Sign-On (SSO)
A tool providing employees with one highly secure, frequently rotated password that works across all applications.