CH17. Information Security: Barbarians at the Gateway (and Just About Everywhere Else)
_____ are hordes of surreptitiously infiltrated computers linked and controlled remotely, and are also known as zombie networks.
Botnet
intrusion detection systems
A system that monitors network use for potential hacking attempts. Such a system may take preventative action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel.
hack
A term that may, depending on the context, refer to either 1) breaking into a computer system, or 2) a particularly clever solution.
hacker
A term that, depending on the context, may be applied to either 1) someone who breaks into computer systems, or 2) to a particularly clever programmer.
certificate authority
A trusted third party that vouches for the identity behind a public key (by issuing digital certificates), providing authentication services in public key encryption schemes.
encryption
Scrambling data using a code or formula, known as a cipher, such that it is hidden from those who do not have the unlocking key.
spoofed
Term used in security to refer to forging or disguising the origin or identity. E-mail transmissions and packets that have been altered to seem as if they came from another source are referred to as being "spoofed."
Two-factor or multi-factor authentication systems can slow consumers down, leading to consumer annoyance and dissatisfaction.
True--For most consumer applications, slowing down users with a two-factor or multi-factor authentication system would be an impractical mandate
Keylogger spyware can be either software-based or hardware-based.
True--A keylogger is a type of spyware that records user keystrokes. Keyloggers can be either software-based or hardware-based, such as a recording "dongle" plugged in between a keyboard and a PC.
Stuxnet showed that with computers at the heart of so many systems, it's now possible to destroy critical infrastructure without firing a shot.
True--Stuxnet showed that with computers at the heart of so many systems, it's now possible to destroy critical infrastructure without firing a shot.
multi-factor authentication
When identity is proven by presenting more than one item for proof of credentials. Multiple factors often include a password and some other identifier such as a unique code sent via e-mail or mobile phone text, a biometric reading (e.g., fingerprint or iris scan), a swipe or tap card, or other form of identification.
Edward Snowden is:
a US government contractor, considered a whistle-blower by many, who released (in violation of US law) secret documents exposing state-run surveillance networks.
cash-out fraudsters
Criminals who purchase assets from data harvesters to be used for illegal financial gain. Actions may include using stolen credit card numbers to purchase goods, creating fake accounts via identity fraud, and more.
data harvesters
Cybercriminals who infiltrate systems and collect data for illegal resale.
firewalls
A system that acts as a control for network traffic, blocking unauthorized traffic while permitting acceptable use.
_____ refer to protesters seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage
Hacktivists
black hat hackers
A computer criminal.
phishing
A con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software.
hacktivists
A protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
honeypots
A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.
public key encryption
A two-key system used for securing electronic transmissions. One key, distributed publicly, is used to encrypt (lock) data, but it cannot unlock data. Unlocking can only be performed with the private key, and the private key cannot feasibly be derived from the public key. By distributing public keys but keeping the private key secret, Internet services can ensure transmissions to their site are secure.
brute-force attacks
An attack that exhausts all possible password combinations in order to break into an account. The larger and more complicated a password or key, the longer a brute-force attack will take.
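To make the "larger and more complicated password" point concrete, here is an added example (not from the textbook) that brute-forces a short hashed password and computes how the search space grows with alphabet size and length. The target password, alphabet and the attacker's guess rate of 10^10 hashes per second are constructed assumptions for illustration.

```python
import hashlib
import itertools
import string
from typing import Optional, Tuple


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try in the worst case for a fixed length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly `length` symbols."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Try every combination of `alphabet` up to `max_len` against an unsalted
    SHA-256 hash. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if hashlib.sha256(guess.encode()).hexdigest() == target_hash:
                return guess, attempts
    return None, attempts


# Constructed demo target: a 3-character lowercase+digit password (36 symbols).
DEMO_ALPHABET = string.ascii_lowercase + string.digits
DEMO_PASSWORD = "zq7"
DEMO_HASH = hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest()

if __name__ == "__main__":
    found, attempts = brute_force(DEMO_HASH, DEMO_ALPHABET, 3)
    print(f"recovered {found!r} after {attempts} guesses")
    for length in (4, 8, 12):
        years = seconds_to_exhaust(95, length, 1e10) / (365 * 24 * 3600)
        print(f"95-symbol alphabet, length {length}: {years:.2e} years at 1e10 guesses/s")
```

The short password falls in under 50,000 guesses, while a 12-character password drawn from the 95 printable ASCII symbols would take on the order of a million years at the assumed rate. Slow, salted password hashes (PBKDF2, bcrypt, scrypt, Argon2) cut the attacker's guess rate by orders of magnitude on top of that.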
distributed denial of service (DDoS)
An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets.
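The "seemingly legitimate" part is what makes a distributed flood hard to block: spread over a botnet, each source stays under any per-client limit. The following added example (not from the textbook) runs two detection rules over a constructed web-server log: a per-source limit, which catches a single noisy client, and an aggregate rate rule, which is what catches the botnet. The log lines, thresholds and baseline rate are all constructed for the demo.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple


def build_sample_log() -> List[str]:
    """Constructed log in the form 'epoch_second client_ip path'."""
    lines: List[str] = []
    # Seconds 0-9: three regular clients, two requests each per second (6 rps baseline).
    for sec in range(10):
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            lines += [f"{sec} {ip} /index.html", f"{sec} {ip} /style.css"]
    # Seconds 10-14: 200 distinct bot addresses, one request each per second.
    for sec in range(10, 15):
        for i in range(200):
            lines.append(f"{sec} 10.0.{i}.1 /")
    # Second 20: one client hammering the site (a single-source DoS).
    for _ in range(50):
        lines.append("20 192.0.2.99 /search?q=x")
    return lines


def per_second_stats(lines: List[str]) -> Dict[int, Tuple[int, int, int]]:
    """Map each second to (total requests, distinct sources, max requests from one source)."""
    per_sec: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ts, ip, _path = line.split(maxsplit=2)
        per_sec[int(ts)][ip] += 1
    return {s: (sum(c.values()), len(c), max(c.values())) for s, c in per_sec.items()}


def flag_flood(stats: Dict[int, Tuple[int, int, int]], baseline_rps: float,
               multiplier: float = 5, per_source_limit: int = 20) -> Tuple[Set[int], Set[int]]:
    """Return (seconds flagged by the aggregate rule, seconds flagged by the per-source rule)."""
    aggregate = {s for s, (total, _, _) in stats.items() if total > baseline_rps * multiplier}
    per_source = {s for s, (_, _, top) in stats.items() if top > per_source_limit}
    return aggregate, per_source


if __name__ == "__main__":
    stats = per_second_stats(build_sample_log())
    aggregate, per_source = flag_flood(stats, baseline_rps=6)
    print("aggregate rule flagged seconds:", sorted(aggregate))
    print("per-source rule flagged seconds:", sorted(per_source))
```

Seconds 10 through 14 carry 200 requests per second from 200 addresses, each making a single request, so only the aggregate rule fires; second 20 trips both rules. This is why DDoS defence relies on upstream capacity, scrubbing services and anomaly baselines rather than on per-IP blocking alone.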
zero-day exploits
Attacks that exploit a vulnerability the software vendor has not yet patched (and often has not yet identified), so they haven't made it into security screening systems and signature-based defences cannot recognize them.
key
The secret value that, combined with a cipher, locks or unlocks encrypted data.
dumpster diving
Combing through trash to identify valuable assets.
One way to enhance security against malware on smartphones is to modify the phone to work off network
False--Most smartphones have layers of security to block the spread of malware, so hackers typically hunt for the weakest victims. Easy marks include "jail-broken" iPhones, devices with warranty-voiding modifications in which security restrictions are overridden to allow phones to be used off network, and for the installation of unsanctioned applications.
Public key encryption is considered far weaker than private key encryption, so most websites avoid using public key systems.
False--Most websites that deal with financial transactions (e.g., banks, online stores) secure transmissions using a method called public key encryption. The system works with two keys: a public key and a private key. The public key can "lock" or encrypt data, but it can't unlock it; that can only be performed by the private key. So a website that wants you to transmit secure information will send you a public key. You use this to lock the data, and no one who intercepts that transmission can break in unless they've got the private key. If the website does its job, it will keep the private key out of reach of all potentially prying eyes.
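The definition of public key encryption earlier in the chapter and the True/False item above both describe the same property: the public key locks, only the private key unlocks. The following is an added example, not from the textbook, of a deliberately tiny textbook-RSA keypair that lets you check that property directly. Everything here is a teaching simplification: the primes are only five digits (real keys use 2048-bit moduli), there is no padding such as OAEP, and real sites encrypt a symmetric session key rather than the message itself, so treat it as an illustration of the math and not as code to protect anything.

```python
from math import gcd
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def is_prime(n: int) -> bool:
    """Trial division; fine for the tiny demo primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def prev_prime(n: int) -> int:
    """Largest prime strictly below n."""
    n -= 1
    while not is_prime(n):
        n -= 1
    return n


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, private_key) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(public_key: Key, message: bytes) -> int:
    """Anyone holding the public key can lock a message."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key; real systems encrypt a session key")
    return pow(m, e, n)


def decrypt(private_key: Key, ciphertext: int) -> bytes:
    """Only the private exponent d undoes the public-key operation."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Demo key: the two largest primes below 100,000 (an assumed, insecure size).
DEMO_P = prev_prime(100_000)
DEMO_Q = prev_prime(DEMO_P)
PUBLIC_KEY, PRIVATE_KEY = make_keypair(DEMO_P, DEMO_Q)

if __name__ == "__main__":
    c = encrypt(PUBLIC_KEY, b"4921")                # a constructed 4-digit PIN
    print("ciphertext:", c)
    print("decrypted with private key:", decrypt(PRIVATE_KEY, c))
    print("'decrypted' with public key:", decrypt(PUBLIC_KEY, c))   # garbage
```

Recovering the private exponent from the public key requires factoring n; with five-digit primes that takes microseconds, which is exactly why real keys are hundreds of digits long.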
VPN software should only be used on an organization's internal network. Never use VPN software on a public wireless network, as this could give hackers an entryway from your computer into your organization's secure network
False--Public wireless connections pose significant security threats. The use of VPN (virtual private network) software can reduce those threats by making Internet transmissions unreadable if they are intercepted. A VPN uses encryption to scramble data between your device and the VPN endpoint, so an attacker on the same public network sees only ciphertext.
The encryption math behind OpenSSL is so solid and would require such an extensive amount of computing power to execute a brute-force attack, that OpenSSL had (as of the writing of the textbook) never been compromised.
False--While the encryption math is quite strong, that does not mean that software using this math can't have other bugs that create vulnerabilities. The Heartbleed bug, a weakness in the OpenSSL security software (a missing bounds check in its TLS heartbeat handler, not a flaw in the cryptography), may have created a vulnerability in software used by two-thirds of Web sites and embedded in all sorts of Internet-connected products.
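To see why a bug of this kind has nothing to do with the strength of the cipher, here is an added example (not from the textbook and not OpenSSL's code) that models the Heartbleed pattern: a heartbeat handler that trusts the length field supplied by the peer, beside a handler with the bounds check the real fix added. The "memory" is a constructed byte string standing in for the process heap; the secret it contains is made up.

```python
import struct
from typing import Optional

HEARTBEAT_PADDING = 16   # the TLS heartbeat extension requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """Record layout: type(1) | payload_length(2) | payload | padding.
    An honest peer sets claimed_length == len(payload); an attacker lies."""
    return b"\x01" + struct.pack(">H", claimed_length) + payload + b"\x00" * HEARTBEAT_PADDING


def vulnerable_heartbeat_response(memory: bytes, record_length: int) -> bytes:
    """Echoes `claimed` bytes starting at the payload without checking the
    claim against the record that actually arrived (the Heartbleed bug)."""
    claimed = struct.unpack(">H", memory[1:3])[0]
    return b"\x02" + struct.pack(">H", claimed) + memory[3:3 + claimed]


def fixed_heartbeat_response(memory: bytes, record_length: int) -> Optional[bytes]:
    """Same echo, but the claimed length must fit inside the received record;
    malformed requests are silently discarded, as the real fix does."""
    if record_length < 1 + 2 + HEARTBEAT_PADDING:
        return None
    claimed = struct.unpack(">H", memory[1:3])[0]
    if 1 + 2 + claimed + HEARTBEAT_PADDING > record_length:
        return None
    return b"\x02" + struct.pack(">H", claimed) + memory[3:3 + claimed]


# Constructed heap image: the request buffer followed by unrelated process data.
NEIGHBOURING_MEMORY = b"session_cookie=SECRET-SESSION-TOKEN; user=alice"
MALICIOUS_REQUEST = build_heartbeat_request(b"hello", claimed_length=64)   # 5 real bytes, claims 64
HONEST_REQUEST = build_heartbeat_request(b"hello", claimed_length=5)

if __name__ == "__main__":
    memory = MALICIOUS_REQUEST + NEIGHBOURING_MEMORY
    leaked = vulnerable_heartbeat_response(memory, len(MALICIOUS_REQUEST))
    print("vulnerable handler echoed:", leaked[3:])
    print("fixed handler response:", fixed_heartbeat_response(memory, len(MALICIOUS_REQUEST)))
```

The vulnerable handler returns the five-byte payload, the padding, and then whatever sat next to the request in memory; the cipher was never involved. The fix is a single comparison between what the client claims and what actually arrived.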
shoulder surfing
Gaining compromising information through observation (as in looking over someone's shoulder).
whitelists
Highly restrictive programs that permit communication only with approved entities and/or in an approved manner.
botnets
Hordes of surreptitiously infiltrated computers, linked and controlled remotely, also known as zombie networks.
Which of the following is a valid observation regarding information security?
Information security isn't just a technology problem. A host of personnel and procedural factors can create and amplify a firm's vulnerability.
blacklists
Programs that deny the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions.
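The two definitions (whitelists and blacklists) describe opposite default policies: a blacklist permits everything except what is listed, a whitelist denies everything except what is listed. The following added example (not from the textbook) applies both policies to the same constructed set of connection attempts so the difference is visible; the IP ranges, ports and attempts are all made-up sample data, and the documentation-reserved address blocks are used so nothing here points at a real host.

```python
import ipaddress
from typing import Callable, Iterable, List, Set, Tuple

Attempt = Tuple[str, int]           # (source IP, destination port)


def in_any(ip: str, networks: Iterable[str]) -> bool:
    """True if `ip` falls inside any CIDR block in `networks`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def denylist_decide(attempt: Attempt, blocked_nets: Iterable[str]) -> str:
    """Blacklist policy: default allow, deny only listed sources."""
    ip, _port = attempt
    return "deny" if in_any(ip, blocked_nets) else "allow"


def allowlist_decide(attempt: Attempt, allowed_nets: Iterable[str], allowed_ports: Set[int]) -> str:
    """Whitelist policy: default deny, allow only approved sources on approved ports."""
    ip, port = attempt
    return "allow" if in_any(ip, allowed_nets) and port in allowed_ports else "deny"


def apply_policy(attempts: Iterable[Attempt], decide: Callable[[Attempt], str]) -> List[Tuple[Attempt, str]]:
    return [(attempt, decide(attempt)) for attempt in attempts]


# Constructed sample traffic and rule sets.
SAMPLE_ATTEMPTS: List[Attempt] = [
    ("203.0.113.7", 443),     # partner network, HTTPS
    ("198.51.100.9", 22),     # known-bad range, SSH
    ("192.0.2.55", 443),      # unknown source, HTTPS
    ("10.0.0.5", 8080),       # internal host, unapproved port
]
BLOCKED_NETS = ["198.51.100.0/24"]
ALLOWED_NETS = ["203.0.113.0/24", "10.0.0.0/8"]
ALLOWED_PORTS = {443}

if __name__ == "__main__":
    for name, decide in (
        ("denylist", lambda a: denylist_decide(a, BLOCKED_NETS)),
        ("allowlist", lambda a: allowlist_decide(a, ALLOWED_NETS, ALLOWED_PORTS)),
    ):
        print(name)
        for attempt, verdict in apply_policy(SAMPLE_ATTEMPTS, decide):
            print(f"  {attempt[0]}:{attempt[1]} -> {verdict}")
```

The unknown source on 443 and the internal host on an odd port sail through the denylist, because nobody had listed them yet, and are stopped by the allowlist. That is the trade-off: denylists are easy to deploy but only catch what is already known, while allowlists are more secure but require maintaining an explicit inventory of legitimate traffic.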
_______________ is an example of an exploit in which hackers target security vulnerabilities caused by software developers not validating user input.
SQL injection--a technique that directly targets poorly designed and programmed websites, zeroing in on the sloppy programming practice of not validating user input and pasting it straight into database queries
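The sloppy practice in question is building a query by string concatenation. This added example (not from the textbook) shows a login check written that way, the input that turns it into "log in as anyone", and the parameterized query that closes the hole. It uses an in-memory SQLite database with constructed users; passwords are stored in plaintext purely to keep the demo short, which a real system must never do.

```python
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed user table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "c0rrecth0rse")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """VULNERABLE: user input is interpolated into the SQL text, so quotes in
    the input change the structure of the query."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """SAFE: placeholders keep the query structure fixed; the driver passes the
    values to the engine as data, so quotes in the input are just characters."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic payloads.
TAUTOLOGY = "' OR '1'='1"          # makes the WHERE clause always true
COMMENT_OUT = "admin' --"          # closes the string and comments out the password check

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, tautology:", login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, comment:  ", login_vulnerable(conn, COMMENT_OUT, "anything"))
    print("safe, tautology:      ", login_safe(conn, TAUTOLOGY, TAUTOLOGY))
    print("safe, comment:        ", login_safe(conn, COMMENT_OUT, "anything"))
    print("safe, real login:     ", login_safe(conn, "alice", "s3cret"))
```

With the tautology payload the vulnerable query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row; with the comment payload the password condition disappears entirely. Input validation helps as defence in depth, but parameterized queries are the fix because they remove the possibility of input being parsed as SQL at all.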
Which of the following factors is thought to have been at work during the Target security breach?
Security software raised an alert shortly after unauthorized software began collecting data inside Target's network, but Target ignored the warning. While the area where credit card transactions are processed is supposed to be walled off from the rest of the Target network, the hackers found holes and eventually nestled their code in a sweet spot for grabbing customer data, disguising the code with the label "BladeLogic," the name of a legitimate data center management product. The firm's security software had an option to automatically delete malware as it was detected, but Target's security team had turned that function off.
white hat hackers
Someone who uncovers computer weaknesses without exploiting them. The goal of the white hat hacker is to improve system security.
biometrics
Technologies that measure and analyze human body characteristics for identification or authentication. These might include fingerprint readers, retina scanners, voice and face recognition, and more.
voice-print
Technology that identifies users via unique characteristics in speech.
Although the attack on Target was one of the largest credit card breaches in US business history, the software that executed the attack was not considered to be especially sophisticated.
True--The malware used to breach Target was described by one security expert as "absolutely unsophisticated and uninteresting."
A white hat hacker looks for weaknesses in security mechanisms, with a view to help plug the holes that might be exploited by cyber-criminals.
True--White hats are the good guys who probe for weaknesses, but don't exploit them. Instead, they share their knowledge in hopes that the holes they've found will be plugged and security will be improved. Many firms hire consultants to conduct "white hat" hacking expeditions on their own assets as part of their auditing and security process. "Black hats" are the bad guys.
Why have US technology firms complained that U.S. government surveillance techniques put them at a disadvantage relative to foreign firms?
U.S. firms complain that the actions of surveillance agencies have put them at a disadvantage by damaging their reputation.
An attack in which a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site, is known as:
distributed denial of service
The physical threat in which hackers sift through trash searching for valuable data is called __________________.
dumpster diving
Cons executed through technology and that often try to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information constitute:
phishing
Con games that trick employees into revealing information or performing other tasks that compromise a firm are known as _____ in security circles.
social engineering
The term _____________ refers to forging or disguising the origin or identity.
spoof
CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart)
Those scrambled character images that many sites require before accepting some sort of entry (account setup, ticket buying). They are meant to be a Turing Test: a test to distinguish whether a task is being performed by a computer or a human.
The phrase __________________ refers to security schemes that automatically send one-time use representations of a credit card which can be received and processed by banking and transaction firms at the time of payment. They are used in ApplePay and Android Pay.
tokenization--A scheme called tokenization sends one-time-use representations of a credit card over the Internet. While these tokens will buy your stuff, if stolen they can't be reused by bad guys.
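The property that matters in the definition above is that the token carries no information about the card and stops working after one use. This added example (not from the textbook, and not how Apple Pay or Android Pay are implemented internally) models a token vault of the kind a payment network operates: it issues a random single-use token bound to one merchant, and an authorization request succeeds only once and only from that merchant. The card number is the well-known Visa test number, and the merchant names are made up.

```python
import secrets
from typing import Dict, Optional, Tuple


class TokenVault:
    """Maps single-use tokens back to card numbers (PANs). The mapping lives
    only here; merchants and the open Internet only ever see the token."""

    def __init__(self) -> None:
        # token -> (pan, merchant the token was issued for, already used?)
        self._tokens: Dict[str, Tuple[str, str, bool]] = {}

    def issue(self, pan: str, merchant: str) -> str:
        """Issue a fresh random token for one payment at one merchant.
        The token is unrelated to the PAN, so it cannot be reversed offline."""
        token = secrets.token_hex(8)
        self._tokens[token] = (pan, merchant, False)
        return token

    def authorize(self, token: str, merchant: str) -> Optional[str]:
        """Called by the payment network at authorization time. Returns the PAN
        for routing to the issuing bank, or None if the token is unknown, was
        already spent, or is presented by a different merchant than it was
        issued for (assumed policy, modelling a device- or merchant-bound token)."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        pan, bound_merchant, used = entry
        if used or merchant != bound_merchant:
            return None
        self._tokens[token] = (pan, bound_merchant, True)
        return pan


DEMO_PAN = "4111111111111111"   # industry test card number, not a real account

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.issue(DEMO_PAN, merchant="coffee-shop")
    print("token sent over the wire:", token)
    print("first authorization:", vault.authorize(token, "coffee-shop"))
    print("replay by a thief:   ", vault.authorize(token, "coffee-shop"))
    print("use at other merchant:", vault.authorize(vault.issue(DEMO_PAN, "coffee-shop"), "fraud-store"))
```

A thief who captures the token in transit gets a 16-hex-character random string that has already been spent; the PAN never left the vault.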
Exploits that attempt to infiltrate a computer system by masquerading as something that they are not are called:
trojans
The key difference between viruses and worms is that:
worms spread on their own across networks, whereas viruses need to attach themselves to an executable (and rely on it being run) in order to spread.