Network Security, Chapter 1: Introduction to Information Security

Information Security Team Project

(Roles not defined since it the names imply such) - Champion - Team Leader - Security Policy Developers - Risk Assessment Specialists - Security Professionals - Systems, network, and storage administrators - End Users

Threat

A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected.

Backdoor, trap door, or maintenance hook

A component in a system that allows the attackers to access the system at will, bypassing the standard login controls.

Subjects and Objects

A computer can either be the subject of an attack - an agent entity used to conduct the attack - or the object of an attack - the target entity. A computer can be both the subject and object of the attack when, for example, it is compromised by an attack (object) and is then used to attack other systems (subject).

Exposure

A condition or state of being exposed. In information security exposure exists when a vulnerability known to an attacker is present.

Defense in Depth

A defense that uses multiple types of security devices to protect a network. Also called layered security.

Advance Fee Fraud (AFF)

A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer. Nicknamed "419" after the Nigerian penal code, is an example of social engineering.

Dictionary Attack

A password attack that creates versions of common passwords (the dictionary) to try and gain access.

Sniffer

A program or device that can monitor data traveling over a network. They can be virtually impossible to detect and can be inserted almost anywhere. These often work on TCP/IP networks, where they are sometimes referred to as packet sniffers.

Security Policy

A set of rules that protect an origination's assets. Management must define three types of security policies: - Enterprise information security policies - Issue-specific security policies - System-specific security policies

Loss

A single instance of an information asset suffering damage, unintended or unauthorized modification, or disclosure. When an organization's information is stolen, it has suffered a loss.

Access

A subject or object's ability to use, manipulate, modify or affect another subject or object. Authorized users have legal access to a system. Access controls regulate this access.

Technical Specifications SysSP

A systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.

Exploit

A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Alternatively, an exploit can be a documented process used to take advantage of a vulnerability or exposure usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.

Spoofing

A technique used to gain unauthorized access to computers, wherein the intruder sends messages whose IP addresses indicate to the recipient that the messages are coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of methods to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

Boot Virus

A virus that infects the key operating system files located in a computer's boot sector.

Macro Virus

A virus that is embedded in the automatically executing macro code common in word processors, spread sheets and database applications.

Vision

A written statement of the organizations long term goals.

Issue-Specific Security Policy (ISSP)

Addresses specific areas of technology, stating the organizations position on each issue. -Use of company-owned networks and the Internet -Use of telecommunications technologies (fax and phone) -Use of e-mail -Specific minimum configurations of computers to defend against worms and viruses -Prohibitions against hacking or testing organization security controls -Home use of company-owned computer equipment -Use of personal equipment on company networks -Use of photocopy equipment

Security Models

Allows professionals to map abstract security goals to concrete ideas and blueprints for how to implement proper security controls.

Buffer Overflow

An application error that occurs when more data is sent to a buffer than it can handle. During a buffer overflow, the attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure.

Man-in-the-Middle Attacks

An attacker monitors (sniffs) packets from the network, modifies them using IP spoofing techniques, and inserts them back into the network, allowing the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data.

Mail Bomb

An attacker reroutes large quantities of e-mail to the target system. This can be accomplished using social engineering or by exploiting various technical flaws in the SMTP. This can affect crucial information to be buried underneath the mass amounts of unwanted e-mails.

Cyberterrorist

An individual or group that hacks systems to conduct terrorist activities through a network or internet pathway.

Cracker

An individual who "cracks" or removes software protection that is designed to prevent unauthorized duplication or use.

Phreaker

An individual who hacks the public telephone network to make free calls or disrupt services.

Attack

An intentional or unintentional act that can cause damage to or otherwise compromise the information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Passive Attack: Someone casually reading information that was not intended for them. Intentional Attack: A hacker attempting to break into an information system. Unintentional Attack: A lightning strike that causes a fire in the building. Direct Attack: A hacker using a personal computer to break into a system. Indirect Attack: A hacker compromising a system and using it to attack other systems (botnet).

Data Users

Are end users who work with the information to perform their daily jobs supporting the mission of the organization, and who therefore share the responsibility for data security.

Data Owners

Are those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification associated with the data. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

Password Cracking

Attempting to guess a password.

Spam

Come on, not the canned kind.

C.I.A. Triad

Confidentiality, Integrity, Availability (Antiquated)

Access Control Lost (ACL)

Consist of the user access lists, matrices, and capability tables that govern the rights and privileges of users.

McCumber Cube

Created by John McCumber in 1991, it provides a graphical description of the architectural approach widely used in computer and information security.

ISO/IEC 27002 Major Process Steps

Defines steps to creating an ISMS or information security management system.

Security Perimeter

Defines the boundary between the outer limit of an organization's security and the beginning of the outside world. Within security perimeters an organization can establish security domains - areas of trust.

Information Security Standards

Detailed descriptions of what must be done to comply with policies. De facto Standards are informal, where as, de jure standards are published, scrutinized and ratified by the group.

Availability

Enables authorized users - persons, or computer systems - to access information without interference or obstruction, and to recieve it in the required format.

Information Security Policy

Guidance or instructions that an organization's senior management implements to regulate the activities of the members who make decisions, take actions, and perform other duties.

Script Kiddies

Hackers of limited skill who use expertly written software to attack a system.

Possession

IS the ownership or control of some object or item. Information is said to be in one's possession if one obtains it, independent of format or other characteristics.

Redundancy

Implementing multiple types of technology and thereby preventing the failure of one system from compromising the security of information.

Access Control Matrix

Includes a combination of tables and lists; organizational assets are listed along the column headers, and users are listed along the row headers.

Hackers

Individuals who gain access to information or systems without explicit authorization often illegally.

Hacktivist or Cyberactivist

Individuals who interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

IETF Security Architecture

Internet Engineering Task Force

Mission

Is a written statement of the organizations purpose.

Security Framework

Is an outline of the overall information security strategy and a road map for planned changes to the organization's information security environment.

Chief Information Officer (CIO)

Is often the senior technology officer. Titles such as vice president of information (VP), information technology, and systems may also be used. The CIO is primarily responsible for advising the chief executive officer (CEO), president, or company owner on the strategic planning that affects the management of information in the organization.

Security Blueprint

Is the basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls and maintenance of the security program.

Chief Information Security Officer (CISO)

Is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT Security, security administrator, or a similar title. The CISO usually reports directly to the CIO.

Social Engineering

Is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.

Information Security (InfoSec)

Is the protection of information and its critical elements including the systems and hardware that use, store, and transmit that information. Information Security includes: Security Management, Computer and Data Security, and Network Security.

Confidentiality

Is the protection of information from disclosure or exposure to unauthorized individuals or systems. This means that only those with the rights and privileges to access the information are able to do so. To protect any breach in the confidentiality or information, a number of measures can be used: -Information Classification -Secure Document Storage - Application of General Security Policies - Education of Information Custodians and End Users

Utility

Is the quality or state of having value for some purpose or end. To have utility, information must be in a format meaningful to the end user. The example being US Census Data.

Enterprise Information Security Policy (EISP), General Security Policy, IT Security Policy, Information Security Policy

It is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. It is an executive level document.

Rainbow Tables

Large pregenerated data sets of encrypted passwords used in password attacks.

Distributed Denial-of-Service (DDoS)

Launches a coordinated stream of requests against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised systems are then turned into zombies (or bots) that are directed remotely by the attacker to participate in the attack.

Worms

Malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. (Named for the tapeworms in Brunner's novel "The Shockwave Rider")

Rootkit

Malicious software designed to operate with administrative access while hiding itself from the operating system and monitoring controls.

Accuracy

Means that information is free from mistakes or errors and has the value that the end user expects it to have.

Privacy

Means the information is used in accordance with the legal requirements mandated for employees, partners and customers. In a rush to protect data from theft or mischief, organizations often trample the rights of the individuals.

Integrity

Means the information remains whole, complete and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Shoulder Surfing

Observing others' passwords by watching system login activities.

Intellectual Property

Often referred to as IP, intellectual property is defined as works of the mind, such as inventions, literature, art, logos, names, symbols. and other creative works. IP is protected by law, and any use, whether or not it requires payments or permission, should be properly credited.

Systems-Specific Policy (SysSP)

Policies that can be separated into two general areas, managerial guidance and technical specifications.

Information Security Policy

Provides rules for the protection of the information assets of the organization.

Packet Monkeys

Script kiddies who use automated tools to inundate a Web site with a barrage of network traffic, usually resulting in a denial of service.

Control, Safeguard, or Countermeasure

Security mechanisms, policies, or procedures that can successfully counterattack, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.

Computer Viruses

Segments of code that perform malicious actions.

Malicious Code (malcode) or Malicious Software (malware)

Software components or programs designed to damage, destroy, or deny service to target systems. Includes viruses, worms, Trojan horses, and an expanding taxonomy of other malicious software.

Trojan Horses

Software programs that reveal their designed behavior only when activated, often appearing benign until that time.

Capability Table

Specifies which subjects and objects users or groups can access; in some systems, they are called user profiles or user policies.

NIST Security Models

Standards published by the Computer Security Resource Center of the National Institute for Standards and Technology.

Managerial Guidance SysSP

SysSP document that is created by management to guide the implementation and configuration of technology, as well as to regulate the behavior of people in the organization.

Denial of Service (DoS)

The attacker sends a large number of connection or information requests to a target. So many requests are made that the target system cannot handle them along with other, legitimate requests for serve. The system may crash, or it may simply be unable to perform ordinary functions.

Production Profile or Security Posture

The entire set of controls and safeguards (including policy, education, training and awareness, and technology) that the organization implements (or fails to implement) to protect the asset. The term "security program" also gets used for this, but it often includes managerial aspects of security, including planning, personnel and subordinate programs.

Software Piracy

The most common IP breach, the unlawful use or duplication of software-based IP.

Asset

The organizational resource that is being protected. An asset can be "logical", such as a Web site, information, or data, or it can be "physical", such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.

Risk

The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite - the quantity and nature or risk the organization is willing to accept.

Strategic Planning

The process of moving the organization towards its vision.

Communications Security

The protection of an organization's communications, media, technology, and content.

Network Security

The protection of networking components, connections and contents which is the primary focus of this textbook.

Operations Security

The protection of the details of a particular organization or series of activities.

Personal Security

The protection of the people who are authorized to access the organization and its operations.

Physical Security

The protection of the physical items or areas of an organization from unauthorized access and misuse.

Threat Agent

The specific instance of a threat or particular component of a threat. For example, all hackers are a collective threat, Kevin Mitnick, is a threat agent. Likewise, a lightning strike or hailstorm is a threat agent that is part of the threat of sever storms.

Configuration Rule Policies

The specific instructions entered into a security system to regulate how it reacts to the data it receives.

Brute Force Attack

Using computing or network resources to try every possible combination of available characters, numbers, and symbols for a password.

Vulnerability

Weakness or faults in a system or protection mechanism that is opens it to the possibility of attacks or damages. Well-known vulnerabilities are those that have been examined, documented, and published; others remain latent.

Data Custodians

Work directly with data owners and are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, the custodian may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Timing Attack

Works by measuring the time required to access a Web page and deducing that the user has visited the site before by the presence of the page in the browser's cache. Another attack by the same name is a side channel attack on cryptographic algorithms using measurement of the time required to perform cryptographic functions.