Flashcards about Core Security Concepts, Cybersecurity, and Cryptography
Information Security
Defined by the information being protected from unauthorized access or alteration and yet is available to authorized individuals when required.
Information Assurance (IA)
A term used to describe not just the protection of information but a means of knowing the level of protection that has been accomplished. It involves assuring information and managing risks related to the use, processing, storage and transmission of information.
Hacker
Individuals who attempt to gain unauthorized access to computer systems or networks.
Phreaking
The hacking of the systems and computers used by a telephone company to operate its telephone network.
Confidentiality
Ensures that only those individuals who have the authority to view a piece of information may do so.
Integrity
Deals with the generation and modification of data; only authorized individuals should ever be able to create, change, or delete information.
Availability
Ensures that the data, or the system itself, is available for use when the authorized user wants it.
Authentication
Attempts to ensure that an individual is who they claim to be.
Nonrepudiation
Deals with the ability to verify that a message has been sent and received and that the sender can be identified and verified.
Auditability
Refers to whether a control can be verified to be functioning properly.
NIST Cybersecurity Framework Model core functions
Identify, protect, detect, respond and recover.
Session Management
A set of activities employed to establish a communication channel between two parties.
Exception Management
The management of changes to normal processing; an important consideration during software development.
Configuration Management
Involves the design and operation of elements to ensure the proper functional environment of a system.
Host security
Takes a granular view and focuses on protecting each computer and device individually.
Network Security
Emphasis is placed on controlling access to internal computers from external entities.
Least privilege
A subject should have only the necessary rights and privileges to perform its task with no additional permissions.
Separation of privilege
A protection mechanism should be constructed so that it uses more than one piece of information to make access decisions.
Separation of duties
The application of separation of privilege to the people side of the security function.
Fail-safe defaults
When something fails, it should do so to a safe state.
Default deny (Implicit deny)
Deny access by default, and grant access only when explicit permission exists.
Economy of mechanism
Always using simple solutions when available.
Complete mediation
Each and every request should be verified.
Open design
The protection of an object should not rely upon secrecy of the protection mechanism itself.
Kerckhoff’s Principle
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Security through obscurity
Protecting something by hiding it or using secrecy of design/implementation; considered a poor approach.
Least common mechanism
Mechanisms used to access resources should be dedicated and not shared.
Psychological acceptability
Refers to the users’ acceptance of security measures. If security measures are perceived as an impediment, users may bypass them.
Defense in depth (layered security)
The use of multiple, different defense mechanisms with a goal of improving the defensive response to an attack.
Diversity of defense
Involves making different layers of security dissimilar.
Access Control
The ability to control whether a subject can interact with an object.
Authentication
Deals with verifying the identity of a subject.
Authentication Factors
Something you know, something you have, something about you.
Group Policy
Defines applicable operating system and application settings and permissions for a group.
Password Policy
Addresses procedures for selecting user passwords, frequency of changes, and distribution.
Bell-LaPadula security model
Addresses data confidentiality in computer operating systems with “no read up, no write down” principles.
Brewer-Nash security model (Chinese Wall model)
Defined by controlling read and write access based on conflict of interest rules.
Biba security model
Protects integrity with “no write up, no read down” principles.
Clark-Wilson security model
Uses well-formed transactions as a basis for rules.
Policies
High-level, broad statements of what the organization wants to accomplish.
Procedures
Step-by-step instructions on how to implement policies in the organization.
Standards
Mandatory elements regarding the implementation of a policy.
Guidelines
Recommendations relating to a policy; they are not mandatory steps.
Security Policy
A high-level statement produced by senior management that outlines what security means to the organization and its goals for security.
Change Management Policy
Ensures proper procedures are followed when modifications to the IT infrastructure are made.
Data ownership
A business function responsible for establishing requirements for security, privacy, and retention of data.
Data backup
Ensures that adequate backups occur; is an important security element.
Classification of information
Needed due to different importance or sensitivity of information. Examples include Confidential, Secret, Top Secret, Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only.
Need to know
Each individual is supplied the absolute minimum amount of information and privileges needed to perform work; access requires justified need to know.
Disposal and destruction policy
Prescribes secure disposal and destruction of sensitive data, including shredding papers and securely deleting or degaussing magnetic storage.
Code of ethics
Describes expected behavior at the highest level, demanding honesty, professionalism, and addressing privacy/confidentiality and conflicts of interest.
Job rotation and mandatory vacations
A security protection mechanism and a tool to detect fraud: cross-training covers for absent staff, and the absence itself provides a free audit of the rotated or vacationing employee's work.
Employee hiring/promotions & Business partner relationships
Policies should ensure the organization hires the most capable and trustworthy employees and address on-boarding/off-boarding processes for business partners.
Acceptable Use Policy (AUP)
Outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks.
Internet Usage Policy
Goal is to ensure maximum employee productivity and to limit potential liability from inappropriate Internet use.
E-mail Usage Policy
Specifies what the company allows employees to send and reminds employees of the risks of clicking on links in e-mails or opening attachments.
Clean desk policy
Specifies that sensitive information must not be left unsecured in the work area when the worker is not present.
Bring Your Own Device (BYOD) policy
Primary purpose is to lower risk associated with connecting personal devices to a company’s network, with security as its center element.
Privacy policy
Explains guiding principles in guarding personal data.
Personally Identifiable Information (PII)
Includes any data that can be used to uniquely identify an individual. Examples: Name, address, driver’s license number, and other details.
Due Care
Generally refers to the standard of care a reasonable person is expected to exercise in all situations.
Due Diligence
Generally refers to the standard of care a business is expected to exercise in preparation for a business transaction.
Due Process
Concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual’s legal rights.
Incident Response Policy
Developed to outline how the organization will prepare for and respond to security incidents, covering preparation, detection, containment, recovery, and follow-up.
Security Awareness and Training
Enhances an organization's security posture by teaching personnel how to follow correct actions and by making them aware of social engineering attacks.
Role-based Training
Training needs to be targeted to the user with regard to their role.
Compliance
Organizations must build laws, regulations, contractual requirements, standards, and best practices into their own policies and procedures.
User Habits
A front-line security tool that engages the workforce to improve the overall security posture.
Training Metrics and Compliance
Requires a record-keeping system measuring compliance with attendance and the effectiveness of the training.
Interoperability Agreements
Written agreements used to ensure that the terms of the arrangement are understood by all parties.
Service Level Agreements (SLA)
Contractual agreements between entities that describe specified levels of service.
Business Partnership Agreement (BPA)
Legal agreement between partners establishing the terms, conditions, and expectations of the relationship.
Memorandum of Understanding (MOU)
Written agreement expressing a set of intended actions that generally lacks the binding powers of a contract.
Interconnection Security Agreement (ISA)
Specialized agreement between organizations that have interconnected IT systems to document the security requirements.
Physical Security
All mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users.
Man Trap
A small space large enough for only one person at a time, with two locking doors.
Surge protectors and Uninterruptible Power Supply (UPS)
Protects sensitive electronic equipment from momentary surges and disruptions; a UPS should be considered for critical systems.
Fire Suppression
Includes detectors to identify fires early and suppression systems (e.g., standard sprinklers, gas-based systems).
Van Eck phenomenon
Eavesdropping on monitor displays by decoding the electromagnetic interference produced by the monitors.
TEMPEST
Military program to control electronic emanations susceptible to eavesdropping.
Prevention Methods against Electromagnetic Eavesdropping
Distance, shielding, and Faraday cage.
Social Engineering
The process of convincing an authorized individual to provide confidential information or access.
Ego or Vanity Attack
Exploits a victim's desire to be seen as intelligent or knowledgeable.
Sympathy Attack
Attacker pretends to be in a real jam and needs assistance to get tasks done immediately.
Intimidation Attack
Attacker pretends to be an authoritative figure, an influential person in the organization, or law enforcement.
Phishing
Attacker attempts to obtain sensitive information by masquerading as a trusted entity in an e-mail or instant message.
Spear Phishing
Special targeting of groups with something in common, typically via email.
Pharming
Misdirecting users to fake web sites made to look official.
Smishing
SMS phishing.
Advanced Persistent Threat (APT)
A method of attack focusing on stealth and continuous presence on a system, often using phishing for initial entry.
Vishing
A variation of phishing that uses voice communication technology.
SPAM
Bulk unsolicited e-mail; malicious versions include attachments with malware or links to malicious web sites.
SPIM
SPAM delivered via instant messaging application.
Shoulder surfing
Attacker observes individual entering sensitive information on a form, keypad, or keyboard.
Reverse social engineering
Occurs when the attacker hopes to convince the target to initiate the contact.
Hoaxes
Can be very damaging if they cause users to take some sort of action that weakens security; training and awareness are the best defense.
Tailgating or Piggybacking
Following closely behind a person who has just used his own access card or PIN to gain physical access.
Dumpster diving
Going through a target’s trash in hopes of finding valuable information.
Backdoor
An avenue used to access a system while circumventing normal security mechanisms.
Data handling
Employees need training on how to recognize data classification and handling requirements and how to follow the proper handling processes.