Information Security Overview


Graphical password

A graphical, or non-textual password is more difficult to crack than a normal password. Non-textual passwords offer security by taking advantage of the fact that users typically remember visual images with greater ease than they do letters or words. When authenticating, a user can be presented with an image that must be clicked on in specific places in order to verify the user.

Hacker

A person trained to find weaknesses in a computer or computer network and exploit them. Hacker also refers to someone with an advanced understanding of computers and networks who misuses their talents and is motivated by a multitude of reasons, such as profit, political activism, or challenge.

Trojan

A piece of malicious software hidden inside a seemingly legitimate program or file that performs an activity without the user's knowledge. Trojans may erase data, corrupt files or allow remote access to a computer.

Virus

A type of program that performs unwanted actions on the target system, frequently causing damage. A virus requires a person to actively do something, such as open an infected file.

Control

A way of authorizing who has access to a computer system. Control is accomplished through authentication.

Vulnerability

A weakness that can potentially be exploited by an attacker.

Active attack

Active attacks are focused on a more tangible outcome such as making services unavailable. See Interruption, Modification, and Fabrication.

Modification

An attacker not only takes control of, but also modifies an asset in some manner.

Cracker

An individual who modifies software to remove or disable features usually related to software protection methods. Also refers to a black hat hacker - one who hacks for malicious purpose as opposed to white hat hackers who perform security research and penetration testing.

Attack

Any attempt to destroy, expose, alter, disable, steal or gain unauthorized access or use of an information technology asset.

Adware

Any software package that automatically displays advertisements. The goal of the Adware is to generate revenue for its author. Some adware may include spyware such as keyloggers and other privacy-invasive software.

Biometrics

Biometric authentication is based on something the user is.

Two-Factor Authentication

Combines two or more of the types of authentication, such as something the user knows, like a password, with something the user has, like an ID badge. Both items would need to be present before access to a system is granted.

Brute force attack

During a brute force attack, attackers try every possible combination of letters, numbers, symbols and spaces in an effort to find the correct password. By trying every possible combination, it is inevitable that attackers will eventually discover your password.

Dictionary attack

During a dictionary attack, attackers pick words at random from a dictionary and experiment to see if one of the randomly chosen words happens to be the correct password.

Hybrid

During a hybrid attack, attackers target passwords made of words from the dictionary followed by a letter or a number. It combines brute force and dictionary attacks.

Authentication

During the authentication phase, the system somehow verifies the unknown person's claim of identity. Frequently this is a true or false process - the user is who they claim to be or an impostor has been discovered.

Passive attack

In a passive attack, the goal is to obtain information. See Interception.

Spyware

Malware designed to collect information about users without their knowledge. Spyware is typically installed without the user's knowledge.

Rootkit

Malware designed to hide the existence of certain processes or programs; it uses administrator-level access to maintain access to a computer without detection.

Interception

Occurs when an attacker gains unauthorized access to an asset. This asset could be data traveling over a network, a stolen laptop computer or something else. Examples include eavesdropping, link monitoring and packet capturing.

Interruption

Occurs when an attacker makes an asset become unavailable.

Fabrication

Occurs whenever a counterfeit object is created.

Eavesdropping

Passwords can be stolen from public computers or over Wi-Fi. All someone needs to do is use sniffing software to "listen in" on your Internet communications. The ability to eavesdrop on a network is one of the biggest security issues for IT administrators.

Confidentiality

Pertains to who is authorized to access a particular resource or file. Preserving confidentiality becomes an exercise in ensuring that only desired users can access a particular piece of information. See disclosure.

Digital signatures

Provide a way to cryptographically sign a message or piece of information.

Malware

Short for malicious software: software used to interrupt computer operations, gain unauthorized access to computer systems or gather sensitive information. Includes spyware, adware, viruses, worms, Trojans and rootkits.

Shoulder surfing

Shoulder surfing is a non-technical attack that anyone can implement. It occurs when someone watches you type in your username and password. Shoulder surfing attacks can occur at work or in public places.

Worm

Similar to a virus, a worm is a type of program that performs unwanted actions on a computer system, frequently causing damage. Unlike a virus, a worm can infect systems without any human assistance.

Spoofing

Spoofing is when someone creates a website with a login prompt that looks very similar to a website where you would normally enter your login credentials. When you enter your credentials, you get a login error, but the attacker obtains your username and password.

Motives

The attacker must have some reason for carrying out the attack. Since this is a product of the attacker's personality, it frequently changes from case to case, though there are exceptions.

Information Security

The practice of ensuring we have control over who, what, when, where and how our information is accessed and modified.

Disclosure

The process of revealing confidential information by the unauthorized access of a computer system.

Method

The set of specific skills, knowledge and resources required for a particular attack, including the technical expertise to successfully complete the attack.

Opportunity

The target system must be available to the attacker if he is to conduct his attack.

Integrity

The trustworthiness of information resources. Integrity includes the idea that the information was entered correctly. See alteration.

Keyloggers

Through malware such as a Trojan, keyloggers can be installed on your computer. A keylogger records your keystrokes and sends the data back to the attacker. Through this method, they can learn your user name(s), passwords and other personal information.

Availability

To ensure that an asset is accessible to perform its role when an authorized user attempts to access it. See denial.

Resetting/recovery

Using social engineering techniques, someone can gather enough personal information to successfully go through the password reset or recovery process and change your password. This would give them access to your account and lock you out.

Spoofing

When an attacker fabricates or alters data in an effort to either hide the source of an attack or hide the attack itself.

Denial

When authorized users and systems are unable to access a particular asset. Denial is the result of failure to meet availability objectives.

Alteration

When data is added, modified, or removed without proper authorization. Alteration can occur when the objective of integrity has not been met.

What is a vulnerability?
a. A weakness that can potentially be exploited by an attacker
b. An opening which an attacker has already used to perpetrate an attack
c. Actions taken by an individual to provoke an attack
d. Any countermeasure that prevents an attack from happening

a. A weakness that can potentially be exploited by an attacker

A typographical error, although not malicious, is a failure to ensure integrity and would be considered an example of _____.
a. Alteration
b. Damage
c. Disclosure
d. Denial

a. Alteration

In regard to information security, what is availability?
a. Ensuring a resource is accessible to authorized users
b. The condition of the contents of the object
c. Data is hidden from unauthorized users
d. Ensuring users only use an asset or object in the manner it was intended

a. Ensuring a resource is accessible to authorized users

Which of the following are examples of a case in which disclosure is a more tempting form of attack than alteration?
a. Schematics for a new type of military vehicle
b. Medical records
c. Financial data that is used by analysts to make decisions
d. All of the above

a. Schematics for a new type of military vehicle

Which of the following is an example of a case in which confidentiality is arguably more important than integrity?
a. Schematics for a new type of missile technology
b. Financial data used to make investment decisions
c. Access to a subscription based website
d. The public telephone directory

a. Schematics for a new type of missile technology

Which of the following is not a category of attacker?
a. Crackers/hackers
b. Administrators
c. Amateurs
d. Professional/Career Criminals

b. Administrators

What is a control?
a. A weakness that can potentially be exploited by a hacker
b. Any countermeasure that prevents a vulnerability from being exploited
c. Actions taken by an individual to exploit a vulnerability and gain root access to a machine
d. A weakness that has already been exploited by a hacker

b. Any countermeasure that prevents a vulnerability from being exploited

You manage the records system for a major university. Your primary area of responsibility is academic records (i.e. grades and transcripts). You do not have enough resources to defend against every possible type of attack, meaning that you must prioritize your defenses. Which of the four broad categories of attack would you be most likely to make your lowest priority?
a. Interruption
b. Interception
c. Fabrication
d. Modification

b. Interception

A subordinate becomes angry with his or her supervisor. They want to sabotage their supervisor's work, but do not wish to get caught or leave the company. They decide to secretly modify some of their supervisor's files, causing the supervisor to make work decisions based on faulty information. This is an example of what type of attack?
a. Interruption
b. Modification
c. Interception
d. Fabrication

b. Modification

Does an attacker require full access to an asset for a modification attack to succeed?
a. Yes
b. No
c. Sometimes
d. It depends on the asset

b. No

You designed the computer systems in your organization so that everything requires a username and password. An attacker who has targeted your organization realizes this and adjusts his/her strategy accordingly. Which of the following methods of attack is an attacker most likely to use?
a. Physically show up on-site and attempt to explore the building until finding someone who has carelessly taped his/her username and password to their monitor
b. Attempt to guess usernames and passwords at random
c. Call the IT helpdesk and pretend to be someone who has lost their password, causing the helpdesk to reset their account with a blank or default password
d. Write a computer program to try every combination of letters and numbers until a usable username and password is found

c. Call the IT helpdesk and pretend to be someone who has lost their password, causing the helpdesk to reset their account with a blank or default password

The revealing of corporate espionage is what type of component of the DAD triad?
a. Damage
b. Denial
c. Disclosure
d. Alteration

c. Disclosure

The Recording Industry Association of America (RIAA), representing all of the major music labels, has spent considerable time and money attempting to prosecute individuals committing this type of attack using Peer-to-peer networks like Napster.
a. Interception
b. Interruption
c. Fabrication
d. Modification

c. Fabrication

An employee is angry with his boss and wants to sabotage the company. To accomplish this he secretly changes some of the values in his boss's copy of the quarterly report. His boss then reads this false data and makes decisions based on this fraudulent information. In this instance, what quality of information security has been damaged?
a. Availability loss
b. Confidentiality loss
c. Integrity loss
d. Access loss

c. Integrity loss

Why do some attackers seek to deprive customers of the availability of an online business?
a. Availability is more important than the other goals of information security professionals
b. Availability is the least important component of security
c. To disrupt the organization's ability to perform normal business activities
d. None of the above

c. To disrupt the organization's ability to perform normal business activities

A program that performs unwanted actions on a system and requires human intervention to spread is an example of what?
a. Worm
b. Trojan
c. Virus
d. Malware

c. Virus

A(n) _____ is the result of a vulnerability being exploited.
a. Proxy
b. Disclosure
c. Virus
d. Attack

d. Attack

Which of the following is an example of a case where alteration is a more tempting form of attack than disclosure?
a. Subscription-based website
b. The public telephone system
c. Current weather forecasts
d. Financial data used by analysts to make decisions

d. Financial data used by analysts to make decisions

Which of the following is true about computer viruses and worms?
a. If you do not open strange e-mails, you cannot be infected.
b. If you only have dial-up Internet access, you cannot be infected.
c. If you use automatic software patching, you cannot be infected.
d. None of the above

d. None of the above
