Fundamentals of Information Systems Security
BCP order of priorities
1) Safety and well-being of people. 2) Continuity of critical business functions and operations, whether onsite or offsite, manual, or dependent upon IT systems. 3) Continuity of IT infrastructure components within the seven domains of an IT infrastructure.
Smurf Attack
A DDoS attack in which large numbers of ICMP packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices will respond by default, flooding the victim's computer with response traffic.
cracker
A hacker who has hostile intent, possesses sophisticated skills, and may be interested in financial gain.
Risk Register
A list of identified risks that results from the risk-identification process. (according to PMI)
Rule Based Access Control (RBAC)
A list of rules, maintained by the data owner, determines which users have access to objects. Success depends on the level of trust you have in the data owners.
cookie
A text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site. Can potentially include credit card and logon information.
Pharming
A type of attack that seeks to obtain personal or private financial information through domain spoofing. Pharming poisons a domain name on the DNS server.
Replay Attack
A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.
URL hijacking
A user is directed to a different website than what he or she requested, usually to a fake page that the attacker has created. Also known as typo squatting.
Biba Integrity Model
Access control model based on integrity levels. Subjects cannot read or change objects that have higher level of integrity than the subject does. Subjects cannot ask for service from subjects that have a higher integrity level.
Clark-Wilson Integrity Model
Access control model that focuses on what happens when users allowed into a system try to do things they aren't permitted to do. Also looks at integrity threats, such as verifying that software does what it is designed to do.
ISO/IEC 27005, "Information Security Risk Management"
An ISO standard that describes information security risk management in a generic manner. The documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities, and security controls.
Bell-LaPadula Security Model
An access control model that focuses on the confidentiality of data and the control of access to classified information. Parts of a system are divided into subjects and objects, and the current condition of a system is described as its state. Focuses on moving from secure state to secure state.
Masquerade Attack
An attack in which one user or computer pretends to be another user or computer. Usually includes IP spoofing or replay attacks.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's site.
ARP poisoning
Attacker sends spoofed ARP messages onto a LAN. The aim is generally to associate the attacker's MAC address with the IP address of another host, causing any traffic meant for that IP address to be sent to the attacker instead.
Availability Formula
Availability = (total time - downtime) / (total time)
Remote Access Domain Vulnerabilities
Brute-force password attacks on access and private data. Unauthorized remote access to resources. Data leakage from remote access or lost storage devices.
BCP
Business Continuity Plan. A written plan for a structured response to any events that result in an interruption to critical business activities or functions.
BIA
Business Impact Analysis. A formal analysis of an organization's functions and activities that classifies them as critical or noncritical. A BIA arranges critical activities based on importance and helps an organization determine which functions to restore in what order if there is a major interruption.
Packet sniffing
Capturing IP packets off a wireless network and analyzing the TCP/IP packet data using a tool such as Wireshark.
CRAMM
Central Computing and Telecommunications Agency Risk Analysis and Management Method. Developed in the UK, based on the best practices of UK government organizations. Best suited for large organizations.
CIPA
Children's Internet Protection Act. Requires public schools and public libraries to use an internet safety policy. Restricts access to inappropriate material etc.
COPPA
Children's Online Privacy Protection Act. Restricts how online information is collected from children under 13 years of age. Defines the responsibilities of an operator to protect children's privacy and safety online.
BYOD Concerns
Data ownership, support ownership, patch management, antivirus management, forensics, privacy, onboarding/offboarding, adherence to corporate policies, user acceptance, architecture/infrastructure considerations, legal concerns, acceptable-use policy, onboard camera/video.
DRP
Disaster Recovery Plan. Directs the actions necessary to recover resources after a disaster. A DRP is part of a BCP. A BCP does not specify how to recover from disasters, only interruptions. Interruptions are generally minor events that may only disrupt one or more business processes for a short period.
Patriot Act
Expanded the ability of law enforcement agencies to access information that pertains to ongoing investigations.
LAN-to-WAN Domain Vulnerabilities
Exposure and unauthorized access to internal resources from the outside. Introduction of malicious software. Loss of productivity due to lack of internet access.
Cold site
Facility with basic environmental utilities but no infrastructure components.
Warm site
Facility with environmental utilities and basic computer hardware.
Hot site
Facility with environmental utilities, hardware, software, and data that closely mirrors the original data center.
Evil Twin Attack
Faking an open or public wireless network to use a packet sniffer on any user who connects to it.
FERPA
Family Educational Rights and Privacy Act. Protects the privacy of student education records. Schools must receive written permission from a parent or eligible student before releasing education records.
FFIEC
Federal Financial Institutions Examination Council. Established a risk profile assessment and a cybersecurity maturity assessment that financial organizations can use as benchmarks in self-assessments.
FISMA
Federal Information Security Management Act. Requires every federal agency to develop and maintain formal information security programs.
Sarbanes-Oxley Act
Federal legislation passed in 2002 that sets higher ethical standards for public corporations and accounting firms. Key provisions limit conflict-of-interest issues and require financial officers and CEOs to certify the validity of their financial statements.
DoS flooding attacks
Flooding attacks overwhelm the victim's CPU, memory, or network resources by sending large numbers of useless requests.
Government Information Security Reform Act
Focuses on management and evaluation of the security of unclassified and national security systems.
GLBA
Gramm-Leach-Bliley Act. Addresses information security concerns in the financial industry. Requires that financial institutions provide their clients a privacy notice that explains what information the company gathers about the client, where it is shared, and how it is protected.
Bluejacking
Hacking and gaining control of the Bluetooth wireless communication link between a user's earphone and smartphone device.
HIPAA
Health Insurance Portability and Accountability Act. Governs the way personal medical information must be handled.
Cross-Site Scripting (XSS)
Injecting scripts into a web application server to redirect attacks back to the client. This is not an attack on the web application but rather on users of the server to launch attacks on other computers that access it.
NFC attack
Intercepting, at close range, communications between two mobile operating system devices.
User Domain Vulnerabilities
Lack of awareness or concern for security. Accidental acceptable use policy violation. Intentional malicious activity. Social engineering.
DoS logic attack
Logic attacks use software flaws to crash or seriously hinder the performance of remote servers.
IV attack
Modifying the initialization vector of an encrypted IP packet in transmission in hopes of decrypting a common encryption key over time.
Bluesnarfing
Packet sniffing communications traffic between Bluetooth devices.
Attack Tools
Password crackers, keystroke loggers, look at book for more.
PCI DSS
Payment Card Industry Data Security Standard. Not a law, but affects any organization that processes or stores credit card info. A comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design, etc.
War driving
Physically driving around neighborhoods or business complexes looking for wireless access points and networks that broadcast an open or public network connection.
IT Security Policy Framework Components
Policy, Standard, Procedures, Guidelines. Policy = short statement which acts as a course of action or direction. Standard = detailed written definition for hardware and software and how they are to be used. Procedures = written instructions for how to use policies and standards. Guidelines = suggested course of action.
RPO
Recovery Point Objective. Measured in time, the RPO is the maximum amount of data loss that is acceptable. Provides direction on how to back up data, policies on recovery, and whether loss prevention or loss correction is a better option. Defines the last point in time for data recovery that can be enabled back into production.
RTO
Recovery Time Objective. Expresses the maximum allowable time to recover the function. Defines the amount of time it takes to recover a production IT system, application, and access to data.
California Database Security Breach Act
Requires any company that stores customer data electronically to notify its customers any time there is a security breach.
NIST SP800-30
Risk Management Guide for Information Technology Systems. Part of a series of reports which provide detailed guidance of what you should consider in risk management and risk assessment in computer security. The reports include checklists, graphics, formulas, references to U.S. regulatory issues.
IoT Challenges
Security, privacy, interoperability and standards, legal and regulatory compliance, e-commerce and economic development issues.
Spim
Spam over Internet Messaging
OCTAVE
The OCTAVE approach defines a risk-based strategic assessment and planning technique for security. It is a self-directed approach. Requires a distributed approach with business units working with the IT organization.
Mobile site
Trailer with necessary environmental utilities that can operate as a warm site or cold site.
WAN Domain Vulnerabilities
Transmitting private data unencrypted. Malicious attacks from anonymous sources. Denial of service attacks. Weaknesses in software.
LAN Domain Vulnerabilities
Unauthorized network access. Transmitting private data unencrypted. Spreading malicious software.
System/Application Domain Vulnerabilities
Unauthorized physical or logical access to resources. Weaknesses in server operating system or application software. Data loss from errors, failures, or disasters.
Workstation Domain Vulnerabilities
Unauthorized user access. Malicious software introduced. Weaknesses in installed software.
7 IT domains
User, Workstation, LAN, LAN-to-WAN, WAN, System/Application, Remote Access
Rogue Access Points
Using an unauthorized network device to offer wireless availability to unsuspecting users.
man-in-the-middle attack
An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
War chalking
Creating a map of the physical or geographic location of any wireless access points and networks.
Mandatory Access Control (MAC)
Permission to access a system or any resource is determined by the sensitivity of the resource and the security level of the subject. It cannot be given to someone else. Stronger than DAC.
Discretionary Access Control (DAC)
The owner of the resource decides who gets in and changes permissions as needed. The owner can give that job to others.
Nondiscretionary Access Control
When the overall system administrator within an organization tightly controls access from a centrally managed location.