Fundamentals of Information Security Chap 6, 7
Business impact analysis BIA
An analysis of the business to determine what kinds of events will have an impact on what systems.
Structured Query Language SQL injection
An attack technique in which an attacker provides malicious statements to access unauthorized data or carry out unauthorized commands.
single point of failure SPoF
Any component that, if it fails, could interrupt business processing
Vulnerability
Any exposure that could allow a threat to be realized
Malicious software
Any program that carries out actions that you do not intend
Full backup
As its name implies, this backup copies everything to a backup medium. It is usually tape, but is sometimes CD, DVD, or disk.
Ownership
Associates person with information to claim legal rights
Rootkits
Type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised; modifies parts of the operating system to conceal traces of its presence
Limiting Access
Granting users only the levels of permissions they need to perform their duties is called the principle of least privilege.
Injection
When malicious software provides deliberately invalid input to some other software
Differential backup
With this type of backup, you start by making a full backup, perhaps on Sunday, when network traffic is lightest. On Monday through Saturday, you back up changes made since Sunday's full backup on a daily basis. As the week progresses, each night's backup (the differential) takes a little longer.
Cryptographer
Works on behalf of a legitimate sender or receiver
XML injection
XML injection is a technique to manipulate the logic of an XML application or service. Injecting XML content into an XML message can alter the logic of an application or even insert malicious content into an XML document.
Auditing
involves checking to see how a computer system's operation has met security goals
Remediation
involves fixing something that is broken or defective.
Classification
is the duty of the data owner or someone the owner assigns
System owner
is the person or group that manages the infrastructure
Value; Sensitivity; Criticality
classification of information criteria
Countermeasure
Counters or addresses a specific threat
Stealth viruses
Also called armored viruses, these use a number of techniques to conceal themselves from users and from detection software. By installing a low-level system service function, they can intercept any system request and alter the service output to conceal their presence. Stealth viruses can have size stealth, read stealth, or both.
SQL injection
A code injection technique used to attack applications that depend on data stored in databases. SQL statements are inserted into an input field and are executed by the application. SQL injection attacks allow attackers to disclose and modify data, violate data integrity, or even destroy data and manipulate the database server.
Agile development
A newer family of project management approaches that depend on very short sprints of activity. Agile works well in very dynamic environments where requirements change and are often revisited.
Safeguard
Addresses gaps or weaknesses in controls that could lead to a realized threat
Incremental backup
Again, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes. As the week progresses, the nightly (incremental) backup takes about the same amount of time.
Application logging
All applications that access or modify sensitive data should have logs that record who used or changed the data and when.
Simple substitution cipher
Allows any letter to uniquely map to any other letter
Memorandum of understanding (MOU)
Also called a letter of intent. Agreement between two or more parties that expresses areas of common interest that result in shared actions. Generally less enforceable than a formal agreement but still more formal than an oral agreement.
File infectors
Attack and modify executable programs (COM, EXE, SYS, and DLL files in Microsoft Windows)
Spear-phishing
Attacker supplies information about the victim that appears to come from a legitimate company
Smurf Attack
Attackers direct forged Internet Control Message Protocol (ICMP) echo request packets to IP broadcast addresses from remote locations to generate DoS attacks
Ransomware
Attempts to generate funds directly from a computer user
Waterfall model
Based on traditional project management practices in which extensive planning precedes any development. Progress through a project moves forward along a well-defined path
Separation of Duties
Breaks a task into subtasks that different users must carry out. A single user cannot carry out a critical task without the help or approval of another user.
Business continuity plan BCP
Contains the actions needed to keep critical business processes running after a disruption
redundancy
Deploying two or more components that are capable of providing the same service
Disaster recovery plan DRP
Details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations
Asymmetric
Different keys used in encryption and decryption
Anonymity
Disguises a user's identity
Caesar cipher
Shifts each letter in the English alphabet a fixed number of positions, with Z wrapping back to A
Vigenère (vee-zhen-AIR) cipher
Encrypts every letter with its own substitution scheme
Peer reviews
Ensure that a peer or another expert double-checks all changes before you put them into production
Positive risks
Exploit-exploitation; Share-sharing; Enhance-enhancement; Accept-acceptance
Service Level Agreement (SLA)
Formal contract between your organization and the outside firm that details the specific services the firm will provide.
Recovery point objective RPO
Incidents can cause loss of data. You must calculate the amount of tolerable data loss for each business function. Recovery procedures must be able to meet the minimums defined here. If the business can afford to lose up to one day's data, then nightly backups might be an acceptable solution. However, if the business must prevent all data loss, a redundant server or storage solution will be required.
Control
Includes both safeguards and countermeasures
Reactive
Management responds to changes in the business environment
Job Rotation
Minimizes risk by rotating employees among various systems or duties. Prevents collusion, where several employees conspire to commit fraud.
Interconnection security agreement (ISA)
Often an extension of an MOU. Serves as an agreement that documents the technical requirements of interconnected assets. Most often used to specify technical needs and security responsibilities of connected organizations
Critical business function CBF
Once the BIA has identified the business systems that an incident will affect, you must rank the systems from most to least critical. That ranking determines whether the business can survive—and for how long—in the absence of a critical function
Timestamping
Provides exact time when a producer creates or sends information
System logging
Provides records of who accessed the system and what actions they performed on the system.
12
Public Key Encryption System needs how many keys
Negative risks
Reduce-reduction/mitigation; Transfer-transference/assignment; Accept-acceptance; Avoid-avoidance
Symmetric
Same key used in encryption and decryption
Threat
Something (generally bad) that might happen
Anomaly-based
Sometimes called profile-based systems. Compare current activity with stored profiles of normal or expected activity
Revocation
Stops authorization for access to data.
Blanket purchase agreement (BPA)
Streamlined method of meeting recurring needs for supplies or services. Creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services
Cryptanalyst
Studies encryption and encrypted messages to find hidden meanings; Works on behalf of an unauthorized interceptor; Chore is to break encryption
15
Symmetric Key System requires how many keys
System infectors
Target computer hardware and software startup functions
Emergency operations center EOC
The EOC is the place where the recovery team will meet and work during a disruption. Many businesses have more than one emergency operations center. One might be nearby—for use in the event of a building fire, for example. Another might be a significant distance away—for example, for use in the event of an earthquake or regional power outage.
LDAP injection
LDAP injection exploits websites that construct LDAP statements based on user input. Web applications that don't sanitize input enable attackers to alter the way that LDAP statements are constructed. LDAP statements that are modified by an attacker run with the same permissions as the component that executed the command.
Command injection
The goal of this type of attack is to execute commands on a host operating system. A vulnerable application provides the ability for this attack to succeed. These attacks are possible only when an application accepts unvalidated user input and passes the input to a system shell.
Maximum tolerable downtime MTD
The most time a business can survive without a particular critical system. A major disruption is any event that makes a CBF unavailable for longer than its MTD. Each of the disaster-planning and mitigation solutions must be able to recover CBFs within their MTDs. Systems and functions with the shortest MTDs are often the most critical. The next section covers this topic in more detail.
Cryptography
The research into and study of encryption and decryption; refers to the practice of using encryption to conceal text; includes cryptography and cryptanalysis
Recovery time objective RTO
The timeframe for restoring a CBF. RTO must be shorter than or equal to the MTD.
Pharming
The use of social engineering to obtain access credentials such as usernames and passwords
Multipartite viruses
These are hybrid viruses that exhibit multiple behaviors. There are two main types of multipartite virus: Master Boot Record/boot sector viruses and file infecting viruses. Such viruses may exist as file infectors within an application. Upon execution of the infected application, the virus might spawn a Master Boot Record infection, which then infects other files when you restart the system.
Cross-platform viruses
These are less prevalent but can still be potent threats. There have been a number of documented viruses that target multiple operating systems (Apple Macintosh HyperCard viruses, for instance). If those platforms also run Windows emulation software, they become as susceptible to Windows viruses as a native Windows computer.
Retro viruses
These attack countermeasures such as antivirus signature files or integrity databases. A retro virus searches for these data files and deletes or alters them, thereby crippling the antivirus software's ability to function. Other viruses, especially boot viruses (which gain control of the target system at startup), modify Windows Registry keys and other operating system key startup files to disable AV, firewall, and intrusion detection system (IDS) software if found.
Slow viruses
These counter the ability of antivirus programs to detect changes in infected files. This class of virus resides in the computer's memory, where antivirus software cannot detect it. It waits for certain tasks, like copying or moving files, to execute. As the operating system reads the file into memory, the virus alters it before writing to the output file, making it much harder to detect.
Polymorphic viruses
These include a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus. The virus exposes only the decryption routine for possible detection. It embeds the control portion of the virus in the decryption routine, which seizes control of the target system and decrypts the main body of the virus so that it can execute. True polymorphic viruses use an additional mutation engine to vary the decryption process for each iteration. This makes even this portion of the code more difficult to identify.
Cross-site scripting XSS
This is an attack in which an attacker inputs client-side script code to a Web application. The code would then be viewed by other users, and their client software would execute the script instructions. This attack exploits the trust users have for a server.
Cross-site scripting XSS
This technique allows attackers to embed client-side scripts into webpages that users view. When a user views a webpage with a script, the web browser runs the attacking script. These scripts can be used to bypass access controls. XSS effects can pose substantial security risks, depending on how sensitive the data are on the vulnerable site.
Phishing
Tricks users into providing logon information on what appears to be a legitimate website but is actually a website set up by an attacker to obtain this information
security audit
a crucial type of evaluation to avoid a data breach
COBIT Control Objectives for Information and related Technology
a set of best practices for IT management. Gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices
Cross-site request forgery XSRF
an attacker provides script code that causes a trusted user who views the input script to send malicious commands to a web server. This attack exploits the trust a server has in a user.
Compensating controls
are designed to address a threat in place of a preferred control that is too expensive or difficult to implement.
White-box testing
based on knowledge of the application's design and source code. In fact, white-box tests are generally derived from source code. For example, these tests might target specific constructs found in the source code or try to achieve a certain level of code coverage
Data infectors
Also called macro infectors; attack document files containing embedded macro programming capabilities
IDS
captures all traffic on the switch and analyzes it to detect unauthorized activity
Deterrent controls
deter an action that could result in a violation. There is a fine line between deterrent controls and preventative controls. Deterrent controls merely attempt to suggest that a subject not take some action, whereas preventative controls do not allow the action to occur. Deterrent controls are valuable when a knowledgeable user needs the ability to perform some action that involves risk. A deterrent control would allow the action after a warning, whereas a preventative control would not allow the action. In short, the decision to choose between a preventative and deterrent control is often a balance between utility and security.
Back-out plans
ensure that if the change doesn't work properly, a plan exists to restore the system to a known good condition
Host IDS
help identify suspicious activity in near real time
fault tolerance
helps increase an organization's ability to avoid downtime
Detective controls
identify that a threat has landed in your system. An intrusion detection system (IDS) is an example of a detective control.
Disruptions
include extreme weather, criminal activity, civil unrest/terrorist acts, operational, and application failure disruptions
Assessment and auditing tools
include vulnerability-assessment scanners, penetration testing tools, forensic software, and log analyzers
Access control and authorization
includes firewalls, timestamping, single sign-on, identity management, and mobile device security
Documentation
keep documentation current to reflect the system's true design
Gray-box testing
lies somewhere between black-box testing and white-box testing. It uses limited knowledge of the program's internals. In principle, this might mean the tester knows about some parts of the source code and not others. In practice, it usually just means that the tester has access to design documents that are more detailed than specifications or requirements. For example, the tests might be based on an architecture diagram or a state-based model of the program's behavior.
compliance liaison
makes sure all personnel are aware of—and comply with—the organization's
NIDS
monitors outside attacks as well as insider misuse; one placed outside the network gives some idea of the types of attacks faced by the firewall
Network intrusion detection system NIDS
monitors traffic that gets through the firewall to detect malicious activity.
Configuration Management
process of managing all changes to computer and device configurations
Event logs
records of actions that your operating system or application software creates.
Corrective controls
reduce the effects of a threat. When you reload an operating system after it is infected with malware, you are using a corrective control. Forensics and incident response are other examples of corrective controls.
Preventive control
stops threats from coming into contact with a vulnerability. An example of a preventive control is an intrusion prevention system (IPS).
Authentication tools
tokens, smart cards, biometrics, passwords, and password recovery
Data loss prevention DLP
uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.
Black-box testing
uses test methods that aren't based directly on knowledge of a program's architecture or design. The term implies that either the tester does not have the source code or the details of the source code are not relevant to what is being tested. Put another way, black-box testing focuses on the externally visible behavior of the software. For example, it may be based on requirements, protocol specifications, APIs, or even attempted attacks.