Information Security Quiz #1


White hat

An "ethical hacker" who has permission to identify vulnerabilities and perform penetration testing, identifying these to help fix them.

Black hat

A hacker who exposes vulnerabilities for financial gain or for some malicious purpose. They attempt to prove technical prowess, and do so by not disclosing the vulnerabilities

vulnerability

A weakness that allows a threat to be realized or to have an effect on an asset

Threat

Any action that could damage an asset.

Example of industry implementing IoT

Auto-industry

Example of authentication control

Biometric device

CIPA

Children's Internet Protection Act 2011 - requires public schools and public libraries to use an internet safety policy.

CIA Triad

Confidentiality, Integrity, Availability

Compliance laws

FISMA, SOX, GLBA, HIPAA, CIPA, FERPA

FERPA

Family Educational Rights and Privacy Act, 1974 - protects the private data of students and their school records

Business Continuity plan (BCP)

Gives priorities to the functions an organization needs to keep going. A written plan for a structured response to any events that result in an interruption to critical business activities or functions.

GLBA

Gramm-Leach-Bliley Act of 1999 - requires all types of financial institutions to protect customers' private financial information

phreaking

Hacking of the systems and computers used by phone companies

HIPAA

Health Insurance Portability and Accountability Act of 1996 - requires health care organizations to have security and privacy controls implemented to ensure patient privacy

SOX

Sarbanes-Oxley Act of 2002. Requires publicly traded companies to submit accurate and reliable financial reporting. This law does not require securing private information, but it does require security controls to protect the confidentiality and integrity of the reporting itself.

Risk

The likelihood that something bad will happen to an asset

BYOD (bring your own device)

The practice of allowing users to use their own personal devices to connect to an organizational network.

Uptime

The total amount of time the IT system, application and data was accessible.

Gap analysis

a comparison of the security controls you have in place and the controls you need in order to address all identified threats

Standard

a detailed written definition for hardware and software and how they are to be used. It ensures that consistent security controls are used throughout the IT system.

Trojan Horse

a program that on the surface appears to have a legitimate use or purpose but in fact is malicious; it masquerades as a useful program

Worms

a self-contained program that replicates and sends copies of itself to other computers without any user input or action. Does not have to attach to an existing program

Policy

a short written statement that the people in charge of an organization have set as a course of action or direction. Comes from upper management and applies to the entire organization.

Guidelines

a suggested course of action for using the policy, standards, or procedures. They are specific or flexible regarding use.

Viruses

a virus attaches itself to or copies itself into another program on a computer. This infects the host program and causes it to replicate itself to other computers.

Authorization controls

access control lists, physical access control, network traffic filters

Buffer overflows

an attack conducted by supplying more data than is expected. Takes advantage of a system that does not properly account for the amount of data input into an application

Monthly Availability

availability = (total uptime) / (total uptime + total downtime). 30-day month x 24 hrs x 60 mins = x minutes = total uptime for a month

Availability

concerned with ensuring that information is readily accessible to authorized users at all times

Confidentiality

concerned with the privacy and secrecy

Steps in a Disaster Recovery Plan

define potential threats; document likely impact scenarios; document the business and technical requirements to initiate the implementation phase

Security policy

defines a risk-mitigating definition or solution for your organization

Disaster Recovery plan

defines how a business can get back on its feet after a major disaster.

Acceptable use policy

defines what users are allowed to do with organization-owned IT assets

Hardening a system

ensure controls are in place to control known threats

FISMA

Federal Information Security Management Act - US law that requires federal agencies to provide security controls over resources that support federal operations. Updated in 2004 to the Federal Information Security Modernization Act

Logic bomb

form of malware that executes when a certain predefined event occurs

Gray hat

hacker with average abilities with questionable ethics.

Business Impact Analysis (BIA)

identifies the resources for which a business continuity plan (BCP) is necessary

ransomware

malware that forces a victim organization to pay money to prevent the deletion of data

botnet

many internet-connected computers under the control of a remote hacker

Information systems face these threats

natural and human-induced threats

Discretionary access system

owner of the resource decides who gets in and changes permission as needed

Separation of duties

process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task

Backdoors

programs that attackers install after gaining unauthorized access to a system, to ensure that they can continue to have unrestricted access

Security kernel

provides a central point of access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met

single sign-on (SSO)

provides for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords

Five critical challenges of IoT

security; privacy; interoperability; legal and regulatory compliance; social and economic issues

Rootkits

software programs that have the ability to hide certain things from the operating system

Integrity

the ability to prevent data from being changed in an undesirable or unauthorized manner

Evil Twin Attack

the attacker deploys a fake open or public wireless network to use a packet sniffer on any user who connects to it

Bluesnarfing

the gaining of unauthorized access through a Bluetooth connection

Accountability

the process of associating actions with users for later reporting and research. It ensures that a person who accesses or makes changes to data or systems can be identified

Risk Management

the process of identifying, assessing, prioritizing and addressing risks

downtime

total amount of time that a system, application and data are not accessible

Dictionary attack

works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match

Procedures

written instructions for how to use policies and standards. Includes plan of action, installation, testing, and auditing of security controls.

