Four Important Functions of Info Security
protect the org's ability to function; enable the safe operation of applications running on the org's IT systems; protect the data the org collects and uses; safeguard the org's technology assets
Responsible for protecting the functionality of an organization
both general management and IT management are responsible for implementing information security that protects the organization's ability to function
public key infrastructure (PKI)
integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure
compromises to intellectual property
piracy copyright infringement
viruses, worms, macros, denial of service
deviations in quality of service
ISP, power, or WAN service issues from service providers
unauthorized access and/or data collection
fire, flood, earthquake, lightning
accidents, employee mistakes
blackmail, information disclosure
missing, inadequate, or incomplete
loss of access to information systems due to disk drive failure without a proper backup and recovery plan, organizational policy, or planning in place
missing, inadequate, or incomplete controls
network compromised because no firewall security controls
destruction of systems or information
illegal confiscation of equipment or information
technical hardware failures or errors
technical software failures or errors
bugs, code problems, unknown loopholes
technological obsolescence
antiquated or outdated technologies
trade secrets, copyrights, trademarks, and patents. unauthorized appropriation of IP constitutes a threat to information security
unlawful use or duplication of software based intellectual property
combat piracy/enforce copyright laws
online registration, digital watermarks, embedded code, copyright codes, intentional placement of bad sectors on software media
malicious code/malware/malicious software
synonymous with malware or malicious software. software designed to damage, destroy, or deny service to the target systems
one of two forms of malicious code or malware. virus requires a host software environment in which to execute and it cannot function without such a host
one of the most common methods of virus transmission
virus that is contained in a downloaded file attachment such as word processing documents, spreadsheets, and database applications
program that infects the key operating system files located in a computer's boot sector
one of two forms of malicious code or malware. virus that replicates itself on other machines without the need of another program environment
software programs that hide their true nature (usually destructive) and reveal their designed behavior only when activated
inventor of the worm, postgrad at Cornell
electronic hole in software that is left open by accident or intention that allows an attacker to access the system at will with special privileges. can be installed by a virus, worm or an attacker who takes control of a system
threat that changes its apparent shape over time, to become a new threat not detectable by techniques looking for a preconfigured signature
email warning of a virus that is fictitious
situation in which a product or service is not delivered to the organization as expected
Service Level Agreement (SLA)
contract of a web host provider covering responsibility for internet services as well as for hardware and software used to operate the web site
momentary increase in voltage
can lead to fluctuations such as power excesses, power shortages, and power losses. problems for orgs that provide adequately conditioned power for their info systems equipment
prolonged increase in voltage
momentary incidence of low voltage
prolonged drop in voltage
complete loss of power for a moment
broad category of electronic and human activities that can breach the confidentiality of information. unauthorized individual gains access to the info an org is trying to protect.
info gained legally that gives an org an advantage over its competition
info gained illegally that gives an org an advantage over its competition
act of observing info without authorization by looking over a shoulder or spotting info from a distance
act of entering a premises or system without authorization
people who use and create computer software to gain access to info illegally
expert hacker/elite hacker
individual who develops software scripts and program exploits used by novice hackers. also a master of several programming languages, networking protocols, and operating systems, and has a mastery of the technical environment of the targeted system
individual who depends on the expertise of others to abuse systems
hackers of limited skill who use expertly written software to exploit a system but do not fully understand or appreciate the systems they hack
hackers of limited skill who use automated exploits to engage in distributed denial of service attacks
individual who removes an application's software protection that is designed to prevent unauthorized duplication, or a criminal hacker
person who hacks the public telephone network to make free calls and disrupt services
threat to hardware components of info systems that falls in forces of nature or acts of God because it is unexpected or occurs with little warning. structural damage to the building housing equipment of the info system; also: smoke damage, water damage
threat that falls in forces of nature/acts of God. unexpected or very little warning. overflowing of water onto land that is normally dry, causing direct damage to all or part of info system or building that houses it
forces of nature/acts of God. unexpected, little warning. sudden movement of the earth's crust caused by the release of stress along geologic faults or volcanic activity. causes direct damage to info system and/or building that houses it
forces of nature/acts of God. unexpected/little warning. abrupt, discontinuous natural electric discharge. usually damages all or part of an info system and/or its power distribution components
forces of nature/acts of God. unexpected/very little warning. downward sliding of a mass of earth and rock. may directly damage all or part of an info system or more likely the building that houses it
forces of nature/acts of God. unexpected/very little warning. typically rotating columns of air whirling at destructively high speeds. can directly damage all or part of an info system or more likely the bldg that houses it
forces of nature/acts of God. unexpected/little warning. in the equatorial regions of the Atlantic Ocean or Caribbean Sea or eastern regions of the Pacific Ocean. usually involve heavy rains, can directly damage all or part of info system or bldg
forces of nature/acts of God. unexpected/little warning. very large ocean wave caused by underwater earthquake or volcanic eruption. direct damage to info system or building.
electrostatic discharge (ESD)
forces of nature/acts of God. unexpected/little warning. spark produced from a buildup of static electricity
forces of nature/act of God. Unexpected/little warning. can shorten the life of info systems and disrupt normal operations, causing unplanned downtime
acts performed without intent or malicious purpose by an authorized user. inexperience, improper training, incorrect assumptions are causes.
when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. common in credit card number theft.
missing, inadequate, or incomplete organizational policy/planning
makes an org vulnerable to loss, damage, or disclosure of info assets when other threats lead to attacks. info security is, at its core, a mgmt function.
missing, inadequate, or incomplete controls
security safeguards and information asset protection controls that are missing, misconfigured, antiquated, or poorly designed or managed. make an org more likely to suffer losses when other threats lead to attacks.
deliberate sabotage of a computer system or business, or acts of vandalism to either destroy an asset or damage the image of the org. can range from petty vandalism by employees to organized sabotage against an organization
individual who uses technology as a tool for civil disobedience
act of hacking to conduct terrorist activities through network or internet pathways
illegal taking of another's property
technical hardware failures or errors
when a manufacturer distributes equipment containing a known or unknown flaw. defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability
technical software failures or errors
software sometimes sold before all bugs are detected. some software/hardware combos reveal new bugs. failures range from bugs to untested failure conditions. sometimes they are purposeful shortcuts left by programmers for benign reasons
technological obsolescence
antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. risk of loss of data integrity from attacks. strategic planning should always include analysis of the technology currently in use.
act that takes advantage of a vulnerability to compromise a controlled system
specific instance or component that represents a danger to an org's assets. can be accidental or purposeful. lightning strikes or hackers
weakness in a controlled system, where controls are not present or are no longer effective
viruses, worms, trojan horses, active web scripts with intent to destroy or steal info. designed to damage, destroy, or deny service to the target system
any technology that aids in gathering info about a person or org without their knowledge
automated software program that executes certain commands when it receives a specific input
any software program intended for marketing purposes such as those used to deliver and display advertising banners or popups to the user's screen or tracking the user's online usage or purchasing activity.
transmission of a virus hoax with a real virus attached. when the attack is masked in a seemingly legit message, unsuspecting users more readily distribute it
infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers or left over from previous exploits such as CodeRed, Back Orifice, or PoizonBox
if the infected system has write access to any web pages, it makes all web content files (.html, .asp, .cgi, and others) infectious, so that users who browse to those pages become infected
each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection
using vulnerabilities in file systems and the way many organizations configure them, the infected machine copies the viral component to all locations it can reach
by sending email infections to addresses found in the address book, the infected machine infects many users, whose mail reading programs also automatically run the program and infect other systems
simple network management protocol (SNMP)
using only widely known passwords employed in early versions of this protocol (used for remote management of network and computer devices), the attacking program gains control of the device. Most vendors have closed these vulnerabilities with upgrades
using a known or previously unknown & newly discovered access mechanism, an attacker can gain access to a system or network resource
attempting to reverse calculate a password
application of computing and network resources to try every possible combination of options of a password
attempt to repeatedly guess passwords to commonly used accounts
brute force attack on passwords. uses a list of commonly used passwords instead of random combinations. in cryptography, done by encrypting each entry with the same crypto system used by the target & comparing the result against the target's ciphertext
attack in which the attacker sends a large number of connection or information requests to overwhelm and cripple a target
distributed denial of service (DDoS)
attack in which a coordinated stream of connection requests is launched against a target from many locations at the same time
computer that has been compromised and may later be used as an agent to be directed towards a target. the use as an agent is controlled remotely (usually by way of a transmitted command) by the attacker
technique used to gain unauthorized access to computers, wherein the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host
man in the middle (TCP hijacking)
attack in which the abuser records data packets from the network, modifies them, and inserts them back into the network
unsolicited commercial email
form of denial of service attack in which the abuser sends a large number of connection or information requests to overwhelm and cripple a target
program or device that can monitor data traveling over a network
sniffers that work on TCP/IP networks
process of using social skills to convince people to reveal access credentials or other valuable information to the attacker
attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity
highly targeted phishing attack that usually appears to be from an employer, colleague, or other legit correspondent
3 primary techniques of phishing
URL manipulation, Website forgery, phone phishing
redirection of legit web traffic to an illegitimate site for the purpose of obtaining private information
changing a legit host entry in a domain name server (DNS) to point to an attacker's website
attack in which an abuser explores the contents of a web browser's cache. these attacks allow a web designer to create a malicious form of cookie to store on the client's system
keep the design as simple and small as possible
base access decisions on permission rather than exclusion
every access to every object must be checked for authority
design should not be secret but rather depend on the possession of keys or passwords
where feasible, a protection mechanism should require two keys to unlock rather than one
every program and every user of the system should operate using the least set of privileges necessary to complete the job
minimize mechanisms or shared variables common to more than one user and depended on by all users
psychological acceptability
essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
buffer overflow (buffer overrun)
application error that occurs when more data is sent to a buffer than it can handle
occurs when user input is passed directly to a compiler or interpreter. underlying issue is the developer's failure to ensure that command input is validated before it is used in the program
occurs when an application running on a web server gathers data from a user in order to steal it
can cause a variety of unexpected system behaviors. programmers are expected to anticipate problems and prepare their application code to handle them
process to assure an organization that changes to systems are managed and all parties that need to be informed are aware of the planned changes. ensures that the working system delivered to users represents the intent of the developers
attacker changes the expected location of a file by intercepting and modifying a program code call, the attacker can force a program to use files other than the one it is supposed to use
one of the most common methods of obtaining inside and classified info is directly or indirectly from an individual, usually an employee
mathematical computing bug that is exploited indirectly by an attacker to corrupt other areas of memory in order to control an application
failure of a program that occurs when an unexpected ordering of events in the execution of the program results in a conflict over access to the same system resource
occurs when developers fail to properly validate user input before using it to query a relational database
unauthenticated key exchange
can occur on the internet where an attacker writes a variant of a public key system & places it out as freeware or corrupts or intercepts the function of someone else's public key encryption system by posing as a public key repository