Network Security, Chapter 1: Introduction to Information Security
Information Security Team Project
(Roles are not defined, since the names imply them.)
- Champion
- Team Leader
- Security Policy Developers
- Risk Assessment Specialists
- Security Professionals
- Systems, network, and storage administrators
- End Users
Threat
A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected.
Backdoor, trap door, or maintenance hook
A component in a system that allows the attackers to access the system at will, bypassing the standard login controls.
Subjects and Objects
A computer can either be the subject of an attack - an agent entity used to conduct the attack - or the object of an attack - the target entity. A computer can be both the subject and object of the attack when, for example, it is compromised by an attack (object) and is then used to attack other systems (subject).
Exposure
A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
Defense in Depth
A defense that uses multiple types of security devices to protect a network. Also called layered security.
Advance Fee Fraud (AFF)
A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer. Nicknamed "419" after the Nigerian penal code.
Dictionary Attack
A password attack that tries versions of common passwords (the dictionary) in an attempt to gain access.
Sniffer
A program or device that can monitor data traveling over a network. They can be virtually impossible to detect and can be inserted almost anywhere. These often work on TCP/IP networks, where they are sometimes referred to as packet sniffers.
Security Policy
A set of rules that protect an organization's assets. Management must define three types of security policies:
- Enterprise information security policies
- Issue-specific security policies
- System-specific security policies
Loss
A single instance of an information asset suffering damage, unintended or unauthorized modification, or disclosure. When an organization's information is stolen, it has suffered a loss.
Access
A subject or object's ability to use, manipulate, modify or affect another subject or object. Authorized users have legal access to a system. Access controls regulate this access.
Technical Specifications SysSP
A systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.
Exploit
A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Alternatively, an exploit can be a documented process used to take advantage of a vulnerability or exposure usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
Spoofing
A technique used to gain unauthorized access to computers, wherein the intruder sends messages whose IP addresses indicate to the recipient that the messages are coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of methods to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.
Boot Virus
A virus that infects the key operating system files located in a computer's boot sector.
Macro Virus
A virus that is embedded in the automatically executing macro code common in word processors, spreadsheets, and database applications.
Vision
A written statement of the organization's long-term goals.
Issue-Specific Security Policy (ISSP)
Addresses specific areas of technology, stating the organization's position on each issue:
- Use of company-owned networks and the Internet
- Use of telecommunications technologies (fax and phone)
- Use of e-mail
- Specific minimum configurations of computers to defend against worms and viruses
- Prohibitions against hacking or testing organization security controls
- Home use of company-owned computer equipment
- Use of personal equipment on company networks
- Use of photocopy equipment
Security Models
Allow professionals to map abstract security goals to concrete ideas and blueprints for how to implement proper security controls.
Buffer Overflow
An application error that occurs when more data is sent to a buffer than it can handle. During a buffer overflow, the attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure.
Man-in-the-Middle Attacks
An attacker monitors (sniffs) packets from the network, modifies them using IP spoofing techniques, and inserts them back into the network, allowing the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data.
Mail Bomb
An attacker reroutes large quantities of e-mail to the target system. This can be accomplished using social engineering or by exploiting various technical flaws in SMTP. It can cause crucial information to be buried underneath the mass of unwanted e-mail.
Cyberterrorist
An individual or group that hacks systems to conduct terrorist activities through a network or internet pathway.
Cracker
An individual who "cracks" or removes software protection that is designed to prevent unauthorized duplication or use.
Phreaker
An individual who hacks the public telephone network to make free calls or disrupt services.
Attack
An intentional or unintentional act that can cause damage to or otherwise compromise the information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
- Passive Attack: Someone casually reading information that was not intended for them.
- Intentional Attack: A hacker attempting to break into an information system.
- Unintentional Attack: A lightning strike that causes a fire in the building.
- Direct Attack: A hacker using a personal computer to break into a system.
- Indirect Attack: A hacker compromising a system and using it to attack other systems (botnet).
Data Users
Are end users who work with the information to perform their daily jobs supporting the mission of the organization, and who therefore share the responsibility for data security.
Data Owners
Are those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification associated with the data. The data owners work with subordinate managers to oversee the day-to-day administration of the data.
Password Cracking
Attempting to guess a password.
Spam
Come on, not the canned kind.
C.I.A. Triad
Confidentiality, Integrity, Availability (Antiquated)
Access Control Lists (ACL)
Consist of the user access lists, matrices, and capability tables that govern the rights and privileges of users.
McCumber Cube
Created by John McCumber in 1991, it provides a graphical description of the architectural approach widely used in computer and information security.
ISO/IEC 27002 Major Process Steps
Defines steps to creating an ISMS or information security management system.
Security Perimeter
Defines the boundary between the outer limit of an organization's security and the beginning of the outside world. Within security perimeters an organization can establish security domains - areas of trust.
Information Security Standards
Detailed descriptions of what must be done to comply with policies. De facto standards are informal, whereas de jure standards are published, scrutinized, and ratified by the group.
Availability
Enables authorized users - persons or computer systems - to access information without interference or obstruction, and to receive it in the required format.
Information Security Policy
Guidance or instructions that an organization's senior management implements to regulate the activities of the members who make decisions, take actions, and perform other duties.
Script Kiddies
Hackers of limited skill who use expertly written software to attack a system.
Possession
Is the ownership or control of some object or item. Information is said to be in one's possession if one obtains it, independent of format or other characteristics.
Redundancy
Implementing multiple types of technology and thereby preventing the failure of one system from compromising the security of information.
Access Control Matrix
Includes a combination of tables and lists; organizational assets are listed along the column headers, and users are listed along the row headers.
Hackers
Individuals who gain access to information or systems without explicit authorization, often illegally.
Hacktivist or Cyberactivist
Individuals who interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
IETF Security Architecture
Internet Engineering Task Force
Mission
Is a written statement of the organization's purpose.
Security Framework
Is an outline of the overall information security strategy and a road map for planned changes to the organization's information security environment.
Chief Information Officer (CIO)
Is often the senior technology officer. Titles such as vice president of information (VP), information technology, and systems may also be used. The CIO is primarily responsible for advising the chief executive officer (CEO), president, or company owner on the strategic planning that affects the management of information in the organization.
Security Blueprint
Is the basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls and maintenance of the security program.
Chief Information Security Officer (CISO)
Is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT Security, security administrator, or a similar title. The CISO usually reports directly to the CIO.
Social Engineering
Is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
Information Security (InfoSec)
Is the protection of information and its critical elements including the systems and hardware that use, store, and transmit that information. Information Security includes: Security Management, Computer and Data Security, and Network Security.
Confidentiality
Is the protection of information from disclosure or exposure to unauthorized individuals or systems. This means that only those with the rights and privileges to access the information are able to do so. To protect against any breach in the confidentiality of information, a number of measures can be used:
- Information Classification
- Secure Document Storage
- Application of General Security Policies
- Education of Information Custodians and End Users
Utility
Is the quality or state of having value for some purpose or end. To have utility, information must be in a format meaningful to the end user. An example is US Census data.
Enterprise Information Security Policy (EISP), General Security Policy, IT Security Policy, Information Security Policy
It is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. It is an executive level document.
Rainbow Tables
Large pregenerated data sets of encrypted passwords used in password attacks.
Distributed Denial-of-Service (DDoS)
Launches a coordinated stream of requests against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised systems are then turned into zombies (or bots) that are directed remotely by the attacker to participate in the attack.
Worms
Malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. (Named for the tapeworms in Brunner's novel "The Shockwave Rider")
Rootkit
Malicious software designed to operate with administrative access while hiding itself from the operating system and monitoring controls.
Accuracy
Means that information is free from mistakes or errors and has the value that the end user expects it to have.
Privacy
Means the information is used in accordance with the legal requirements mandated for employees, partners and customers. In a rush to protect data from theft or mischief, organizations often trample the rights of the individuals.
Integrity
Means the information remains whole, complete and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Shoulder Surfing
Observing others' passwords by watching system login activities.
Intellectual Property
Often referred to as IP, intellectual property is defined as works of the mind, such as inventions, literature, art, logos, names, symbols, and other creative works. IP is protected by law, and any use, whether or not it requires payment or permission, should be properly credited.
Systems-Specific Policy (SysSP)
Policies that can be separated into two general areas, managerial guidance and technical specifications.
Information Security Policy
Provides rules for the protection of the information assets of the organization.
Packet Monkeys
Script kiddies who use automated tools to inundate a Web site with a barrage of network traffic, usually resulting in a denial of service.
Control, Safeguard, or Countermeasure
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Computer Viruses
Segments of code that perform malicious actions.
Malicious Code (malcode) or Malicious Software (malware)
Software components or programs designed to damage, destroy, or deny service to target systems. Includes viruses, worms, Trojan horses, and an expanding taxonomy of other malicious software.
Trojan Horses
Software programs that reveal their designed behavior only when activated, often appearing benign until that time.
Capability Table
Specifies which subjects and objects users or groups can access; in some systems, they are called user profiles or user policies.
NIST Security Models
Standards published by the Computer Security Resource Center of the National Institute of Standards and Technology.
Managerial Guidance SysSP
SysSP document that is created by management to guide the implementation and configuration of technology, as well as to regulate the behavior of people in the organization.
Denial of Service (DoS)
The attacker sends a large number of connection or information requests to a target. So many requests are made that the target system cannot handle them along with other, legitimate requests for service. The system may crash, or it may simply be unable to perform ordinary functions.
Production Profile or Security Posture
The entire set of controls and safeguards (including policy, education, training and awareness, and technology) that the organization implements (or fails to implement) to protect the asset. The term "security program" also gets used for this, but it often includes managerial aspects of security, including planning, personnel and subordinate programs.
Software Piracy
The most common IP breach, the unlawful use or duplication of software-based IP.
Asset
The organizational resource that is being protected. An asset can be "logical", such as a Web site, information, or data, or it can be "physical", such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
Risk
The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite - the quantity and nature of risk the organization is willing to accept.
Strategic Planning
The process of moving the organization towards its vision.
Communications Security
The protection of an organization's communications, media, technology, and content.
Network Security
The protection of networking components, connections, and contents, which is the primary focus of this textbook.
Operations Security
The protection of the details of a particular organization or series of activities.
Personnel Security
The protection of the people who are authorized to access the organization and its operations.
Physical Security
The protection of the physical items or areas of an organization from unauthorized access and misuse.
Threat Agent
The specific instance of a threat or particular component of a threat. For example, all hackers are a collective threat; Kevin Mitnick is a threat agent. Likewise, a lightning strike or hailstorm is a threat agent that is part of the threat of severe storms.
Configuration Rule Policies
The specific instructions entered into a security system to regulate how it reacts to the data it receives.
Brute Force Attack
Using computing or network resources to try every possible combination of available characters, numbers, and symbols for a password.
Vulnerability
Weaknesses or faults in a system or protection mechanism that open it to the possibility of attack or damage. Well-known vulnerabilities are those that have been examined, documented, and published; others remain latent.
Data Custodians
Work directly with data owners and are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, the custodian may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
Timing Attack
Works by measuring the time required to access a Web page and deducing that the user has visited the site before by the presence of the page in the browser's cache. Another attack by the same name is a side channel attack on cryptographic algorithms using measurement of the time required to perform cryptographic functions.