InfoSec Primary Mission
To ensure that information assets, and the systems that house them, remain safe and useful.
4 InfoSec Functions
Protecting function, protecting data, enabling safe app operations, and safeguarding technology assets
The Business Wins Rule
When security needs and business needs collide, business needs win out.
Three Communities of Interest
General management, IT management, and InfoSec management.
Data Protection States
Data in transit, data in processing, and data at rest.
The Six Ps of InfoSec
Planning, Policy, Programs, Protection, People, and Project management.
Primary IT Focus
To ensure the effective and efficient processing of information.
Primary InfoSec Focus
To ensure the confidentiality, integrity, and availability (CIA) of information.
GRC Approach
Governance, Risk Management, and Compliance.
McCumber Cube
A 3D security model mapping 27 cells across Information States, Security Measures, and the CIA Triad.
SecSDLC
A systems development process that maps security considerations directly across all execution phases.
Confidentiality
The security characteristic achieved when unauthorized individuals or systems are prevented from viewing information.
Availability
Enables authorized users to access information without interference or obstruction and receive it in the required format.
Possession
The quality or state of having ownership or physical control of an asset.
Utility
The quality or state of an asset having value for a specific purpose or end.
Authenticity
The quality or state of being genuine or original, rather than a reproduction or fabrication.
Data Owners
Senior managers responsible for the classification, security, and final business utility of information assets.
Data Custodians
Individuals assigned the task of managing a specific data set and coordinating its storage, protection, and backups.
Data Users
Personnel who interact with information systems to perform daily job duties and support the mission.
Blackout
A long-term interruption or complete outage in electrical power availability.
Brownout
A prolonged drop in electrical voltage levels.
Sag
A short-term drop in voltage.
Fault
A momentary power interruption that typically clears itself automatically.
Exploit
A technique used to compromise a system, typically by taking advantage of a vulnerability.
Trap Door / Backdoor
A component installed in a system by a virus or worm that allows an attacker to bypass authentication at will.
Zombies
Compromised systems directed remotely by an attacker to participate in secondary attacks like DDoS.
Man-in-the-Middle
An attack where an adversary monitors, sniffs, modifies, and inserts rogue packets back into a network stream.
Hacktivist Operations
Online vandalism or disruptions designed to protest the operations, policies, or actions of an organization or government.
MTBF
Mean time between failures; total operation time divided by the total number of hardware failures.
Software Piracy
The unauthorized duplication, installation, or distribution of copyrighted software.
Buffer Overflow
An application anomaly where a program overwrites adjacent memory blocks, potentially allowing an attacker to gain control of program execution.
Cross-Site Scripting
An application-layer attack where malicious scripts are injected into otherwise benign and trusted websites.
Trojan Horse
A malware program that hides its true intent and reveals its destructive behavior only after execution.
Polymorphic Threat
A threat or malware variant that changes its physical shape or characteristics over time to evade detection.
Spam
Unsolicited commercial email that can clog user inboxes and serve as a delivery mechanism for malicious payloads.
Phishing
An attacker's attempt to obtain personal or financial information using fraudulent, spoofed communication.
Enterprise Information Security Policy
The high-level policy that sets the strategic direction, scope, and tone for all organizational security efforts.
Issue-Specific Security Policy
A policy designed to regulate a specific technical area requiring detailed management guidance, such as email or internet use.
Systems-Specific Security Policy
Technical policies that often function as standards or procedures used when configuring or maintaining specific systems.
Operational Controls
Security controls addressing personnel security, physical security, and the protection of production inputs and outputs.
Policy Administrator
The designated individual responsible for the creation, regular review, modification, and maintenance of an organizational policy.
Policies
Managerial statements that mandate or dictate certain behavior within an organization.
Capability Table
A user-centric security specification matrix tracking what functions a specific user can perform across diverse assets.
Access Control List
An asset-centric list that tracks which specific users or processes have permission to access a resource.
ISO/IEC 27002
An international standard providing recommendations for effective information security management.
Knowing Yourself (Sun Tzu)
Identifying, examining, and understanding information assets, systems, and vulnerabilities.
Knowing the Enemy (Sun Tzu)
Identifying, examining, and understanding threats facing the organization's information assets.
Risk Management Definition
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
Risk Identification
The recognition, enumeration, and documentation of risks to an organization's information assets.
Risk Assessment
The combined phase of identification, analysis, and evaluation of risk.
Risk Treatment (Risk Control)
The application of safeguards or controls that reduce risks to an acceptable level.
Risk Framework
The overall structure of the strategic planning and design for the entirety of an organization's risk management efforts.
Acceptance Strategy
The choice to do nothing to protect a vulnerability and to accept the operational outcome of its exploit.
Threat Assessment
An evaluation of threats to assets that determines their likelihood of occurrence and potential business impact.
Annualized Rate of Occurrence (ARO)
How often you expect a specific type of attack to occur within a year.
Exposure Factor
The expected percentage of loss that would occur to an asset from a single successful attack.
TVA Worksheet
A document showing a comparative ranking of prioritized assets against prioritized threats to map key vulnerabilities.
Cost-Benefit Analysis
The formal process evaluating whether the economic savings of a safeguard exceed its acquisition and operational costs.
Single Loss Expectancy (SLE)
The calculated monetary loss expected from a single occurrence of a specific risk; Asset Value multiplied by Exposure Factor.
Annualized Loss Expectancy (ALE)
The calculated total monetary loss expected from a risk over a one-year timeframe; SLE multiplied by ARO.
Contingency Planning (CP)
Overall planning for unexpected adverse events to prepare for, detect, react to, and recover from threats.
Four Components of CP
Business Impact Analysis (BIA), Incident Response (IR) plan, Disaster Recovery (DR) plan, and Business Continuity (BC) plan.
BIA vs Loss Analysis
BIA is broader, containing organizational impacts and systemic relationships, not just potential asset losses.
Alert Message
A scripted description of an incident providing just enough info for individuals to know what portion of the IRP to implement.
Hot Site
A fully configured computer facility capable of establishing operational capabilities at a moment's notice.
Cold Site
A resumption location providing physical space and utilities but no pre-installed computer hardware.
Warm Site
A backup facility that features physical space, infrastructure, and cooling plus some partially configured hardware but lacks final data backups.
Business Continuity Plan
A strategic framework ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
Continuity Planning Management Team (CPMT)
The group of senior managers organized to lead all contingency planning efforts.
Digital Malfeasance
A crime involving digital media, computer technology, or related technology components.
Crisis Management
An organization's set of planning efforts for dealing with potential human injury, emotional trauma, or loss of life during a disaster.
Chain of Evidence
Detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from a crime scene through court.
Full Backup
A comprehensive duplication of every piece of data stored within a target system.
Differential Backup
An archival strategy that captures only data modified since the conclusion of the most recent full backup.
Incremental Backup
An archival strategy that captures only data modified since the conclusion of the most recent backup of any kind.
Incident Damage Assessment
The process of assessing the immediate state of systems and data to determine the physical and technical impact of an incident.
IR vs DR Focus
Incident Response focuses on immediate detection and tactical containment, whereas Disaster Recovery focuses on full technical reestablishment.
Laws
Rules that mandate or prohibit certain behavior, backed by the coercive power and enforcement of a governing state authority.
Ethics
The collective principles of acceptable, socially tolerated conduct based on organizational or societal norms without state enforcement.
Cultural Mores
Fixed moral attitudes or customs of a particular group.
Liability
The legal obligation of an entity extending beyond criminal or contract law, including restitution.
Restitution
The legal obligation to compensate an injured party for wrongs committed.
Jurisdiction
A court's right to hear a case if the wrong was committed in its territory or involved its citizenry.
Long-arm Jurisdiction
The application of laws to those residing outside a court's normal jurisdiction.
Due Care
The legal standard requiring an organization to act responsibly, execute required safeguards, and understand consequences.
Due Diligence
The continuous monitoring and verification that an organization is actively maintaining its required security posture.
ISACA
A professional association focused on IT auditing, control, and security containing both technical and managerial professionals.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Act that protects the confidentiality and security of healthcare data.
Payment Card Industry Data Security Standard (PCI-DSS)
Technical and operational rules designed to enhance the security of payment account data.
InfraGard
An FBI-established program matching field offices with public, private, and academic entities to collaborate on asset protection.
Ethical Education
The overriding factor shown by studies to level and improve ethical perceptions within a small population.
Computer Fraud and Abuse Act
The foundational 1984 US cybersecurity law modified by the National Information Infrastructure Protection Act of 1996.
Information Aggregation
The process of combining pieces of nonprivate data that together create a dataset violating privacy boundaries.
Privacy Act of 1974
A federal law regulating how government agencies collect, maintain, use, and disseminate individual records.
The Gramm-Leach-Bliley Act of 1999 (GLBA)
Controls the privacy and technical security of consumer financial data.
USA PATRIOT Act
A law providing law enforcement with broader latitude in intercepting communications during threat investigations.