Threat
objects, persons or other entities representing potential dangers to assets
something with the potential to do harm
Vulnerability
A weakness that may be exploited by a Threat
a weakness or fault which decreases security
Attack
An act that attempts to exploit a vulnerability; the “realization” of a threat. Any unauthorized cyber act aimed at violating the security policy of a cyber asset and causing damage to, or disruption of, its services or of access to its information
Information Security
Protection of the confidentiality, integrity, and availability
Confidentiality
Controlling and preventing unauthorized access and/or disclosure of company data; the principle that only authorized sources can access sensitive information and functions
Integrity
Data that has not been tampered with; the principle that only authorized individuals and resources may add, modify, or delete sensitive information and features
Availability
Timely and reliable access to data; the principle that systems, functions, and data must be available on demand within the parameters agreed in a service level agreement (SLA)
DoS (Denial of Service)
An attack which attempts to overload a target host so that it cannot respond to legitimate requests, thus effectively taking the provided service off-line
DDoS (Distributed Denial of Services)
A DoS attack which coordinates multiple attackers (often distributed systems) to provide a greater attack volume simultaneously
Smurf Attack
An attacker sends ICMP echo requests to a network’s broadcast address with the source address spoofed to be the victim’s, so every host on that network sends its echo reply to the victim; the broadcast acts as an amplifier for the DoS
Verification of Web User Input
An effective countermeasure against attacks like Command Injection
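The following is an added example, not part of the original study set, showing the countermeasure side by side with the flaw it prevents. The vulnerable function builds a shell command line from user input; the hardened one validates the input against an allowlist and passes an argv list with no shell. The `ping` wrapper and the hostname pattern are hypothetical choices for illustration:

```python
import re
import subprocess

# Allowlist for a hostname-style argument (hypothetical pattern; tighten it to
# the real input domain).  The first character may not be '-', which also
# blocks argument injection such as "-f" being read as a ping flag.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_command(host: str) -> str:
    """VULNERABLE: unvalidated input is spliced into a shell command line.
    Returns the string that would be handed to subprocess.run(..., shell=True);
    an input such as "127.0.0.1; id" makes the shell run ping *and* id."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allowlist check: only characters that can appear in a hostname, so no
    shell metacharacters, no leading dash, and a sane length."""
    return _HOST_RE.fullmatch(host) is not None


def safe_argv(host: str) -> list:
    """Hardened: reject anything outside the allowlist, then build an argv list.
    With an argv list and shell=False there is no shell to interpret ';', '|',
    '$(...)' or backticks, so the input can only ever be a single argument."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the hardened command and return ping's exit status."""
    completed = subprocess.run(safe_argv(host), shell=False, check=False,
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return completed.returncode


if __name__ == "__main__":
    for candidate in ["example.com", "127.0.0.1; id", "$(id)", "-f"]:
        verdict = "accepts" if is_valid_host(candidate) else "rejects"
        print(f"{candidate!r:>18}: shell would see {vulnerable_command(candidate)!r}; "
              f"allowlist {verdict} it")
```

Validation alone is not the whole fix: the argv list with `shell=False` is what removes the shell from the picture, and the allowlist is what keeps the single remaining argument from being turned into a flag.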
Backdoor
Code added to a system that allows access while bypassing normal authentication
Sniffer
A program that eavesdrops on network traffic, examining each packet in the data stream for specific information such as passwords
Cyber Kill Chain
A model (from Lockheed Martin) of the phases of an attack, from reconnaissance through actions on objectives; stopping the attacker at any phase interrupts the attack
Ransomware
An attack in which information is encrypted and/or stolen and payment is demanded to restore access or to not disclose it
Intellectual Property (IP)
Creations of the mind, such as inventions; literary and artistic works; and designs, symbols, names, and images used in commerce
Quality of Service Deviations
Products or services not delivered as expected, which can be inbound from suppliers or outbound to customers
Deprecated
A feature left in a system temporarily that is no longer maintained: it may have known exploits that will not be fixed and may disappear in future releases
Verizon DBIR (Data Breach Investigations Report)
A report that provides summaries of findings on known initial access vectors, human involvement in breaches, DDoS by industry/organization, and patterns over time in educational services breaches
Tempest Attack
A side-channel attack that passively monitors electromagnetic, electrical, acoustic, or other unintentional emanations from equipment to recover confidential information
Zero Day
A vulnerability in an application or system for which the vendor has no fix available (often because the vendor is not yet aware of it), leaving no time to patch before it is exploited
Spoofing
Masquerading as another person or IP address
Man-in-the-Middle (MitM)
An attacker inserting themselves between the victim and the victim’s intended destination, relaying (and possibly reading or altering) the communications
Brute Force Attack
Systematically attempting every possible combination of characters until the password (or key) is found
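An added example, not from the study set, that implements the exhaustive search in the definition and puts a number on it: it enumerates every string over an alphabet shortest-first, counts attempts until a SHA-256 hash matches, and estimates how long the whole keyspace takes at a given guess rate. The alphabet, target strings and guess rate are constructed for illustration:

```python
import hashlib
import itertools
from typing import Iterator, Optional, Tuple


def candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Yield every string over `alphabet` of length 1..max_len, shortest first."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def keyspace_size(alphabet: str, max_len: int) -> int:
    """Number of candidates brute force must try in the worst case."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Try every candidate against an (unsalted) SHA-256 hash.
    Returns (recovered_password, attempts); password is None if the keyspace
    is exhausted without a match."""
    attempts = 0
    for guess in candidates(alphabet, max_len):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


def seconds_to_exhaust(alphabet: str, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to search the whole keyspace at a given guess rate."""
    return keyspace_size(alphabet, max_len) / guesses_per_second


if __name__ == "__main__":
    # Constructed demo: a tiny alphabet so the search finishes instantly.
    print(brute_force(sha256_hex("ba"), "abc", 2))          # ('ba', 7)
    # Why length and character set matter: 95 printable ASCII characters,
    # up to 8 characters, at a hypothetical 10 billion hashes per second.
    days = seconds_to_exhaust("".join(chr(c) for c in range(32, 127)), 8, 1e10) / 86400
    print(f"95-char alphabet, length <= 8: about {days:.1f} days to exhaust")
```

The attempt counter shows why a longer password or larger alphabet helps (the keyspace grows exponentially) and the time estimate is what a slow, salted password hash is designed to push up: the same search against PBKDF2 or bcrypt runs orders of magnitude fewer guesses per second.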
TCP (Transmission Control Protocol)
A connection-oriented transport protocol that provides reliable, in-order delivery and handles congestion and flow control; it requires connection setup (the three-way handshake) and ensures your data arrives at its destination
UDP (User Datagram Protocol)
A connectionless transport protocol that provides unreliable, unordered delivery with no setup or acknowledgements, known as a “fire and forget” protocol
DMZ (Demilitarized Zone)
A network segment placed between an internal LAN and an untrusted network (such as the Internet) that hosts externally facing services; sensitive data should not be stored in the DMZ
Port
A numbered endpoint (0–65535) used by transport protocols such as TCP and UDP to tie communications to a particular service on a host
DHCP Required Information
IP address, subnet mask, default gateway (router IP), and DNS server IP
DNS (Domain Name System)
The service that resolves a domain name (such as a web address) to an IP address
Rubber Ducky
A USB device that looks like a flash drive but enumerates as a keyboard; when plugged in, it types a pre-programmed sequence of keystrokes, typically to launch a “reverse” shell
McCumber Cube States of Data
Store, Process, and Transmit
McCumber Cube Countermeasures (Categories)
Policy, Education / Awareness, and Technology
Software Development Tradeoff
Fast, good, or cheap - pick two
Policy (Information Security)
Defines authority and the rules by which organizations will manage risk like a company’s laws
Standard (Information Security)
Defines the minimum requirements to comply; minimum specifications for compliance
Guideline (Information Security)
Defines recommended steps to comply; recommendations for compliance
Employee Risk/Asset
Employees simultaneously represent an organization’s most valuable resource and its greatest risk
RAID (Redundant Array of Inexpensive Disks)
A method of implementing storage across multiple disks, mostly intended to improve redundancy (and, in some levels, performance)
Security by Design
The practice of building security into a product from the start of design and development rather than adding it after implementation
ARPANET
A packet-switched network developed by the Advanced Research Projects Agency (ARPA) in the late 1960s
The Internet
Grew out of the ARPANET
CIO (Chief Information Officer)
Accountable for the management, implementation, and usability of information and computer technologies
CISO (Chief Information Security Officer)
Accountable for an organization's information, data, and system security
Industrial Standard Framework Creators
NIST (National Institute of Standards and Technology), ISO (International Organization for Standardization), and CIS (Center for Internet Security)
Training (Security)
Formal and job specific education
Awareness (Security)
Focusing attention on security; provides a basic understanding of the need for security
Data Steward
Accountable for the security and use of a set of information; appointed by the data trustee to oversee the management of a particular set of information
Data Custodian
Responsible for implementation of security of information and systems that process, transmit, and store it
Framework (Information Security)
Provides a common language and describes an org's security posture
Exploit
A technique used to compromise an information system
Countermeasure (Control/Safeguard)
An implementation or policy intended to improve security against a threat
Access
The ability to interact with a resource, legitimately or not
Enigma Machine
A rotor cipher machine used by Germany before and during World War II for encrypting and decrypting messages
Data Classification Purpose
To identify the type of data an organization holds and where it is, so that protections appropriate to its sensitivity can be applied
Ethics
Rules and practices, enforced by society and personal interaction, which define socially acceptable behavior; they are not enforced by the government
Policies vs Laws (Hierarchy)
Policies are a business’s “laws,” but they can never supersede actual laws
Right to Work
Means you are not forced to join a union
At Will Employment
If no contract exists, either party may sever a relationship for any reason
Due Diligence
Ongoing efforts to verify that the organization’s compliance and security measures remain effective; continued review and monitoring of the systems and data in an organization
Due Care
Taking the reasonable steps a prudent organization would take to comply with a law, regulation, or other requirement and to protect its systems and data
FOIA (Freedom of Information Act of 1966)
Allows citizens to request public records from federal agencies
Ohio Sunshine Laws (Ohio Public Record Act)
Provides citizens steps to request public records from Ohio government
FERPA (Family Educational Rights and Privacy Act)
A regulation for the protection of student data
HIPAA (Health Insurance Portability and Accountability Act of 1996)
A regulation for the protection of medical data
Information Aggregation
Information assembled from multiple sources to gather a greater understanding
Identity Theft
Occurs when someone steals a victim’s personally identifiable information (PII) and poses as the victim to conduct actions/make purchases
USA PATRIOT Act of 2001
Gave law enforcement and intelligence agencies broader latitude (for example, in surveillance) in order to combat terrorism-related activities
PCI DSS (Payment Card Industry Data Security Standard)
A standard of performance (not a law) developed by the major payment card brands (Visa, Mastercard, Discover, etc.) with which organizations that store, process, or transmit payment card data must comply
Responding to Identity Theft (FTC initial step)
Place an initial fraud alert
CISA (Cybersecurity and Infrastructure Security Agency)
Offers services to government, industry, and the private sector; part of the DHS
NSA (National Security Agency)
The nation’s cryptologic organization; responsible for signal intelligence and information assurance (security)
FBI (Federal Bureau of Investigation)
Primary law enforcement agency that investigates traditional crimes and cybercrimes
Risk Identification
Identifying the risks to an organization’s information assets and assessing their magnitude
Four Methods of Risk Control (Treatment)
Accept, Avoid, Mitigate, and Transfer
Risk Formula
Likelihood * Impact
Risk Appetite
The amount of risk a company is willing to accept
Risk Tolerance
The assessment of the amount of risk an organization is willing to accept for a particular information asset; how much variation you can allow for a specific need
Residual Risk
The amount of risk remaining after risk control measures are taken; the risk to information assets that remains even after current controls have been applied
Risk Treatment: Accept
The decision to do nothing beyond the current level of protection
Risk Treatment: Avoid
The intentional choice not to do what is causing the risk
Risk Treatment: Mitigate
Reduces the risk by improving security
Risk Treatment: Transfer
Letting another party handle the risk
Cost-Benefit Analysis (CBA)
Evaluating the value of assets to be protected compared with the expense of the protection
SLA (Service Level Agreement)
A contract that specifies the level of service a provider must deliver; needed when transferring risk to another party so that the provider’s obligations are defined and enforceable
ALE (Annual Loss Expectancy)
The expected monetary loss from a given risk over one year
ALE Formula
SLE * ARO (Single Loss Expectancy * Annual Rate of Occurrence)
SLE Formula (Single Loss Expectancy)
Asset Value (AV) * Exposure Factor (EF)
Calculation Example (AV=$50k, EF=100%, ARO=0.5)
An annual loss expectancy of $25,000 ($50,000 * 100% * 0.5)
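An added example, not from the study set, that carries the SLE and ALE formulas above through to the cost-benefit analysis they feed. It reproduces the page’s $25,000 figure and then compares that ALE against a hypothetical control using the standard cost-benefit formula CBA = ALE(prior) − ALE(post) − ACS, where ACS is the annual cost of the safeguard. The backup control and its cost are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    """Quantitative risk inputs for one asset and one threat."""
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0-1.0
    annual_rate: float      # ARO: expected number of incidents per year

    def __post_init__(self):
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle() * self.annual_rate


def cost_benefit(before: RiskEstimate, after: RiskEstimate,
                 annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS: net annual benefit of a control.
    Positive means the control saves more per year than it costs."""
    return before.ale() - after.ale() - annual_cost_of_safeguard


def worth_implementing(before: RiskEstimate, after: RiskEstimate,
                       annual_cost_of_safeguard: float) -> bool:
    return cost_benefit(before, after, annual_cost_of_safeguard) > 0


if __name__ == "__main__":
    # The page's example: AV = $50,000, EF = 100%, ARO = 0.5 -> ALE = $25,000.
    current = RiskEstimate(asset_value=50_000, exposure_factor=1.0, annual_rate=0.5)
    # Hypothetical control: offsite backups cut the loss per incident to 20%
    # of the asset value, at a cost of $8,000 per year.
    with_backups = RiskEstimate(asset_value=50_000, exposure_factor=0.2, annual_rate=0.5)
    print(f"ALE now:          ${current.ale():,.0f}")
    print(f"ALE with backups: ${with_backups.ale():,.0f}")
    print(f"CBA of backups:   ${cost_benefit(current, with_backups, 8_000):,.0f}")
```

The same control at $25,000 per year would give a negative CBA, which is the point of the calculation: a mitigation that costs more than the loss it prevents is a reason to accept or transfer the risk instead.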
CIA Triad Component (5-9s)
99.999% uptime (about five minutes of downtime per year); a measure focused on the Availability component
Risk Management Responsibility (Upper Management)
Responsible to oversee, enable, and support risk management efforts of an organization
Analysis Paralysis
Becoming so concerned about every risk that you do not move forward
Third Party Risk Assessment
Evaluating a vendor’s security posture to ensure it is meeting your organization’s minimum security standards
Open-Source Intelligence (OSInt)
Overt data collection using publicly available resources; collecting and analyzing publicly available sources to ascertain information about a target
Attack Tree
Diagrams that model how attackers might try to reach a goal in a system or network: the goal is the root, and each node’s children are alternative (OR) or jointly required (AND) steps toward it
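An added example, not from the study set, that turns the attack-tree idea into something you can evaluate: each leaf carries the attacker’s cost for that step, OR nodes take the cheapest child, AND nodes sum their children, and a countermeasure is modelled by raising a leaf’s cost. The tree, step names and cost figures are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AttackNode:
    """One node of an attack tree.  Leaves carry the attacker's cost for that
    step (hypothetical units, e.g. hours of effort).  An OR node is achieved
    by any one child; an AND node requires every child."""
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    cost: float = 0.0
    children: List["AttackNode"] = field(default_factory=list)


def cheapest_attack(node: AttackNode) -> Tuple[float, List[str]]:
    """Return (total cost, leaf steps) of the cheapest way to achieve `node`."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.kind} node {node.name!r} has no children")
    paths = [cheapest_attack(child) for child in node.children]
    if node.kind == "OR":
        return min(paths, key=lambda p: p[0])
    if node.kind == "AND":
        total = sum(cost for cost, _ in paths)
        steps = [step for _, path in paths for step in path]
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(node: AttackNode, leaf_name: str, added_cost: float) -> None:
    """Model a countermeasure by raising the cost of one leaf step everywhere
    it appears in the tree."""
    if node.kind == "LEAF" and node.name == leaf_name:
        node.cost += added_cost
    for child in node.children:
        mitigate(child, leaf_name, added_cost)


def build_example_tree() -> AttackNode:
    """Constructed example.  Goal: read the customer database."""
    return AttackNode("read customer database", "OR", children=[
        AttackNode("exploit SQL injection in web app", cost=4),
        AttackNode("log in as DBA", "AND", children=[
            AttackNode("phish DBA credentials", cost=6),
            AttackNode("connect through VPN", cost=2),
        ]),
        AttackNode("steal backup tapes", "AND", children=[
            AttackNode("bribe courier", cost=20),
            AttackNode("read unencrypted tape", cost=3),
        ]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print("before:", cheapest_attack(tree))
    # Fix the injection (parameterised queries): that path now costs far more.
    mitigate(tree, "exploit SQL injection in web app", 30)
    print("after: ", cheapest_attack(tree))
```

Running it shows the cheapest path moving from the SQL injection leaf to the phishing-plus-VPN branch once the injection is fixed, which is what the tree is for: it tells you which countermeasure raises the attacker’s cheapest option, and what the next cheapest option will be.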