Contingency Planning
distributed denial-of-service (DDoS) attack
A DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Threat source
A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent hackers, as part of the threat source acts of trespass or espionage, purposely threaten unprotected information systems, while threat agent severe storms, as part of the threat source acts of God/acts of nature, incidentally threaten buildings and their contents.
Subjects and objects of attack
A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
Exposure
A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
service level agreement (SLA)
A document or part of a document that specifies the expected level of service from a service provider; usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
Pretexting
A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information; commonly performed by telephone.
Phishing
A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
advance-fee fraud (AFF)
A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
man-in-the-middle
A group of attacks whereby an attacker intercepts a communications stream and inserts themselves into the conversation, convincing each of the legitimate parties that the attacker is the other communications partner. The attack succeeds only when the parties have no way to verify who they are really talking to, which is why real protocols authenticate the exchange (with signatures, certificates, or a pre-shared secret) rather than relying on the channel alone.
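The definition above is abstract; the classic concrete instance is an unauthenticated key exchange. The block below is an added example, not part of the original glossary: it simulates Alice and Bob running Diffie-Hellman directly, then through Mallory, who completes a separate exchange with each of them and forwards her own public value in place of theirs, so that each victim believes Mallory's key material is the other partner's. It then repeats the run with each public value authenticated by an HMAC under a constructed pre-shared secret, which stands in for the signatures and certificates real protocols use. The toy group (a Mersenne prime with generator 3), party names, and the pre-shared secret are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy parameters: a Mersenne prime keeps the numbers short on screen.
# Real deployments use standard groups (e.g. the RFC 3526 MODP groups) or X25519.
P = (1 << 127) - 1
G = 3


class Party:
    """One endpoint of a Diffie-Hellman exchange.

    If `psk` (a secret shared out of band, assumed for this demo) is given, the
    party tags its public value with an HMAC and refuses any peer value that does
    not carry a valid tag. That is a stand-in for signatures and certificates."""

    def __init__(self, name: str, psk: Optional[bytes] = None):
        self.name = name
        self.psk = psk
        self.private = secrets.randbelow(P - 2) + 1   # ephemeral secret exponent
        self.public = pow(G, self.private, P)

    def _tag(self, value: int) -> bytes:
        return hmac.new(self.psk, value.to_bytes(16, "big"), hashlib.sha256).digest()

    def message(self) -> dict:
        """What this party puts on the wire: its public value, plus a tag if authenticating."""
        return {"pub": self.public, "tag": self._tag(self.public) if self.psk else None}

    def accept(self, msg: dict) -> bytes:
        """Verify the peer's message (when authenticating) and derive the session key."""
        if self.psk is not None:
            if msg["tag"] is None or not hmac.compare_digest(msg["tag"], self._tag(msg["pub"])):
                raise ValueError(f"{self.name}: peer's public value failed authentication")
        shared = pow(msg["pub"], self.private, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange(alice: Party, bob: Party, mallory: Optional[Party] = None):
    """Run the exchange directly, or through Mallory, who intercepts both messages.

    Returns (alice_key, bob_key, mallory_keys); mallory_keys is None when she is absent."""
    a_msg, b_msg = alice.message(), bob.message()
    if mallory is None:
        return alice.accept(b_msg), bob.accept(a_msg), None
    # Mallory completes a separate exchange with each victim using their genuine
    # public values, then forwards her own public value in place of each of them.
    key_with_alice = mallory.accept(a_msg)
    key_with_bob = mallory.accept(b_msg)
    forged = mallory.message()   # carries no tag valid under Alice's and Bob's psk
    return alice.accept(forged), bob.accept(forged), (key_with_alice, key_with_bob)


def demo() -> dict:
    """Run the four scenarios and report what each party ended up with."""
    psk = b"constructed secret shared out of band"   # assumption: pre-shared for the demo
    out = {}
    a, b = Party("Alice"), Party("Bob")
    ka, kb, _ = exchange(a, b)
    out["honest_keys_match"] = ka == kb
    a, b = Party("Alice"), Party("Bob")
    ka, kb, (ma, mb) = exchange(a, b, Party("Mallory"))
    out["mitm_keys_match"] = ka == kb                          # Alice and Bob now disagree
    out["mitm_mallory_holds_both_keys"] = (ma, mb) == (ka, kb)  # and Mallory can relay/read
    a, b = Party("Alice", psk), Party("Bob", psk)
    ka, kb, _ = exchange(a, b)
    out["authenticated_honest_keys_match"] = ka == kb
    a, b = Party("Alice", psk), Party("Bob", psk)
    try:
        exchange(a, b, Party("Mallory"))
        out["authenticated_mitm_detected"] = False
    except ValueError:
        out["authenticated_mitm_detected"] = True
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

In the unauthenticated run neither victim sees anything wrong: each derives a perfectly good key, it is just a key shared with Mallory rather than with the intended partner, so she can decrypt, read, and re-encrypt every message in both directions. Authentication does not stop the interception; it makes the substituted public value fail verification, so the exchange aborts instead of silently completing.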
Intentional Attack
An attack carried out deliberately; for example, a hacker attempting to break into an information system.
professional hacker
A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester.
expert hacker
A hacker who uses an extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information; also known as an elite hacker. Expert hackers often create the automated exploits, scripts, and tools used by other hackers. An expert hacker is usually a master of several programming languages, networking protocols, and operating systems, and exhibits a mastery of the technical environment of the chosen targeted system.
back door
A malware payload that provides access to a system by bypassing normal access controls. A back door is also an intentional access control bypass left by a system designer to facilitate development.
trap door
Another name for a back door: a malware payload that provides access to a system by bypassing normal access controls, or an intentional access control bypass left by a system designer to facilitate development.
Managerial guidance SysSP
A managerial guidance SysSP is created by management to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information. These SysSPs are targeted at the technologists responsible for implementation and/or configuration, in order to ensure continuity of intent between management and IT.
Copyright protection and user registration
A number of technical mechanisms—digital watermarks, embedded code, copyright or activation codes, and even the intentional placement of bad sectors on software media—have been used to enforce copyright laws. The most common tool is a unique software registration code in combination with an end-user license agreement (EULA) that is usually displayed during the installation of new software, requiring users to indicate that they have read and agree to the conditions of the software's use.
hacker
A person who accesses systems and information without authorization and often illegally. A hacker spends long hours examining the types and structures of targeted systems and uses skill, guile, and/or fraud to attempt to bypass controls placed on information owned by someone else. Most hackers are grouped into two general categories: the expert hacker and the novice hacker.
Vulnerability
A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
Policy Comprehension
A quote attributed to Confucius states: "Tell me and I forget; show me and I remember; let me do and I understand." In the policy arena, this means simply making certain that a copy of the policy gets to employees in a form they can review may not ensure that they truly understand what the policy requires of them. Bloom, Mesia, and Krathwohl define comprehension as "the ability to grasp the meaning of the material. [It] may be shown ... to go one step beyond the simple remembering of material and represent the lowest level of understanding."
Availability disruption
A reduced level of service in an element of the critical infrastructure.
Sextortion
A spear-phishing and blackmail attack that demands payment to preclude the distribution of hacked recordings of the target visiting pornographic Web sites. Such e-mails typically include old passwords found on hacker sites on the Web, which lends credibility to an otherwise baseless claim. The result is a detailed and personalized e-mail threatening revelation of alleged illegal or embarrassing information to the target's associates unless payment is provided.
Security
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure. To be secure is to be protected from the risk of loss, damage, unwanted modification, or other hazards.
Access
A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
rainbow table
A table of precomputed hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's hashed (often loosely called "encrypted") password file. Per-password salts defeat this approach, because the table would have to be rebuilt for every distinct salt.
spoofing
A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
Exploit
A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
dictionary password attack
A variation of the brute force password attack that attempts to narrow the range of possible passwords by using a list of common passwords and possibly including attempts based on the target's personal information.
zombie
Another name for a bot: an automated software program, typically running on a compromised machine under an attacker's remote control, that executes certain commands when it receives a specific input.
bot
An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input; also called zombie.
denial-of-service (DoS) attack
An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems. The attacker sends a large number of connection or information requests to a target, overloading it and preventing it from responding to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions.
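The DoS definition above and the DDoS definition earlier in this set describe the traffic from the target's side: a flood from one source in the first case, a coordinated flood from many bots in the second. The block below is an added example, not part of the original glossary, showing the detection logic a defender would run over web-server access logs for both cases. It keeps a sliding-window request count per source address to catch a single-source flood, and a separate aggregate count to catch a distributed one, where every bot individually stays under the per-source limit. The log lines are constructed (RFC 5737 documentation addresses, a synthetic timeline), and the window size and thresholds are assumptions that would be tuned to a real site's baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Apache/nginx-style common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str) -> Tuple[datetime, str]:
    """Extract (timestamp, client IP) from one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return datetime.strptime(m["ts"], TS_FMT), m["ip"]


def detect(lines, window_s=10, per_source=20, total=200, min_sources=30) -> List[dict]:
    """Sliding-window request counters (thresholds are assumed, not tuned values).

    A single source exceeding `per_source` requests in the window is reported as
    a DoS flood. A DDoS spreads the load across many bots so that each source
    stays under that limit; it is caught by the aggregate counter instead, provided
    the requests come from at least `min_sources` distinct addresses (a lone busy
    client tripping the total would already have been reported above)."""
    events = sorted(parse(line) for line in lines)
    window = timedelta(seconds=window_s)
    per_ip: Dict[str, deque] = defaultdict(deque)
    recent: deque = deque()          # (timestamp, ip) for every request in the window
    reported = set()
    alerts = []
    for ts, ip in events:
        cutoff = ts - window
        recent.append((ts, ip))
        while recent[0][0] < cutoff:
            recent.popleft()
        q = per_ip[ip]
        q.append(ts)
        while q[0] < cutoff:
            q.popleft()
        if len(q) > per_source and ("dos", ip) not in reported:
            reported.add(("dos", ip))
            alerts.append({"kind": "dos", "source": ip, "count": len(q), "at": ts.isoformat()})
        if len(recent) > total and "ddos" not in reported:
            sources = {src for _, src in recent}
            if len(sources) >= min_sources:
                reported.add("ddos")
                alerts.append({"kind": "ddos", "sources": len(sources),
                               "count": len(recent), "at": ts.isoformat()})
    return alerts


def constructed_log() -> List[str]:
    """Synthetic traffic (not real data): 90 s of light background load from five
    clients, a single-source flood starting at t=30 s, and a 100-source distributed
    flood at t=60 s in which each bot sends only three requests."""
    t0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200'

    lines = [line(f"192.0.2.{i}", s) for s in range(90) for i in range(1, 6)]
    lines += [line("203.0.113.9", 30 + k * 0.05, "/login") for k in range(100)]
    lines += [line(f"198.51.100.{k}", 60 + k * 0.1 + r * 0.03)
              for k in range(1, 101) for r in range(3)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The per-source rule alone never fires on the distributed phase, which is exactly the property a DDoS is built to exploit; the aggregate rule fires, but it needs the distinct-source condition so that one misbehaving client is not double-reported as a DDoS. In production the same counters would feed rate limiting or upstream filtering rather than just an alert list.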
brute force password attack
An attempt to guess a password by trying every possible combination of the characters (letters, digits, and symbols) of which it could be composed.
Availability
An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
Confidentiality
An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. Information has confidentiality when only the people, agents, or computer systems with the rights and privileges to access it are able to do so.
Integrity
An attribute of information that describes how data is whole, complete, and uncorrupted. Information has integrity when it is not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of its authentic state. Integrity controls aim to prevent the corruption of information while it is being stored or transmitted.
Threat event
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.
Attack
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
issue-specific security policy (ISSP)
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
Technological Obsolescence
Antiquated or outdated infrastructure that has had its level of support reduced or discontinued from the original manufacturer can lead to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of losing data integrity from attacks. Management's strategic planning should always include an analysis of the technology currently in use. Ideally, proper planning by management should prevent technology from becoming obsolete, but when obsolescence is clear, management must take immediate action. IT professionals play a large role in the identification of probable obsolescence.
spear phishing
Any highly targeted phishing attack
Policy Support for Contingency Planning
As you will note in the coming modules, the development of relevant policy is one of the first tasks of a planning team. As stated previously, policy guides the efforts of employees in following managerial intent. Policy guides everything from how employees should behave to how the organization should plan for and react to an incident or disaster. Without the guidance from policy, individual committee members may not sufficiently and efficiently provide detailed plans to support the organization's contingency operations.
Policy Reading
Barriers to employees reading policies can arise from literacy or language issues. A surprisingly large percentage of the workforce is considered functionally illiterate. In 2017, the U.S. Department of Education's National Center for Educational Statistics (NCES) conducted the Program for the International Assessment of Adult Competencies (PIAAC), which found that 19 percent of American adults between the ages of 16 and 65 scored at a "below basic" level in literacy.* Many jobs do not require literacy skills—for example, custodial staff, groundskeepers, or production line workers. Because such workers can still pose risks to InfoSec, however, they must be made familiar with policy even if it must be read to them. Visually impaired employees also require additional assistance, either through audio or large-type versions of the document.
There are a number of alternative approaches to password cracking:
Brute force—The application of computing and network resources to try every possible password combination is called a brute force password attack.
Dictionary attacks—The dictionary password attack, or simply dictionary attack, is a variation of the brute force attack that narrows the field using a dictionary of common passwords and includes information related to the target user, such as names of relatives or pets, and familiar numbers such as phone numbers, addresses, and even Social Security numbers.
Rainbow tables—A far more sophisticated and potentially much faster password attack is possible if the attacker can gain access to an encrypted password file, such as the Security Account Manager (SAM) data file.
Social engineering password attacks—Using an approach commonly referred to as pretexting, attackers posing as an organization's IT professionals may attempt to gain access to systems information by contacting low-level employees and offering to help with their computer issues.
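The brute force, dictionary, and rainbow table approaches above are easiest to compare in running code. The block below is an added example, not material from the textbook this set is drawn from: it builds a small rainbow table (hash-reduce chains with a different reduction function per column, storing only each chain's start and end) over a constructed four-letter password space, recovers a password the table is known to cover, runs a dictionary attack against a constructed wordlist, and shows that a per-password salt (here the constructed salt `s7`) makes the same table useless. The alphabet, chain length, number of chains, wordlist, and the choice of MD5 as the fast unsalted hash are all assumptions made for the demonstration.

```python
import hashlib
import random
import string
from typing import Dict, List, Optional

# Constructed, deliberately tiny password space so the whole demo runs in a
# second or two: exactly four lowercase letters (26**4 = 456,976 candidates).
# Real tables target far larger spaces and take hours or days to build.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50      # hash/reduce steps per chain (t)
NUM_CHAINS = 2000   # rows stored (m); covers at most m*t = 100,000 hashes


def h(password: str) -> str:
    """Unsalted MD5, standing in for any fast, salt-free hash that tables exploit."""
    return hashlib.md5(password.encode()).hexdigest()


def reduce_(digest: str, column: int) -> str:
    """Map a digest back into the password space.

    Mixing in the column index gives every column its own reduction function,
    which is what distinguishes a rainbow table from older hash-chain tables:
    two chains only merge if they collide in the same column."""
    n = (int(digest, 16) + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain(start: str) -> List[str]:
    """Passwords p0..pt of one chain; the table covers the hashes of p0..p(t-1)."""
    pws = [start]
    for column in range(CHAIN_LEN):
        pws.append(reduce_(h(pws[-1]), column))
    return pws


def build_table(num_chains: int = NUM_CHAINS, seed: int = 0) -> Dict[str, List[str]]:
    """Precompute chains from random starting points; store only end -> starts."""
    rng = random.Random(seed)
    table: Dict[str, List[str]] = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        table.setdefault(chain(start)[-1], []).append(start)
    return table


def rainbow_crack(target: str, table: Dict[str, List[str]]) -> Optional[str]:
    """Recover the password behind `target` if any stored chain covers it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in this column and walk forward to the chain's end.
        p = reduce_(target, column)
        for later in range(column + 1, CHAIN_LEN):
            p = reduce_(h(p), later)
        for start in table.get(p, []):
            # Regenerate the candidate chain and verify; a miss here is a false
            # alarm caused by two chains sharing an end point.
            for candidate in chain(start)[:-1]:
                if h(candidate) == target:
                    return candidate
    return None


def dictionary_crack(target: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack: hash each likely password and compare against the target."""
    for word in wordlist:
        if h(word) == target:
            return word
    return None


def demo() -> dict:
    table = build_table()
    # Pick a password the table is known to cover so the lookup is deterministic; a
    # random four-letter password is found only with the table's coverage probability.
    start = next(iter(table.values()))[0]
    victim = chain(start)[7]
    salted = hashlib.md5(b"s7" + victim.encode()).hexdigest()   # constructed salt "s7"
    return {
        "victim": victim,
        "dictionary": dictionary_crack(h("love"), ["pass", "love", "abcd"]),
        "rainbow": rainbow_crack(h(victim), table),
        "rainbow_vs_salted": rainbow_crack(salted, table),
        "rows": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: the table stores fewer than 2000 rows because some chains merged and share an end, which is also why `rainbow_crack` must regenerate and verify rather than trust a matching end; and the salted hash is never recovered, because the table's chains only ever contain bare four-letter strings, so no entry hashes to `md5("s7" + password)`. A brute force attack is just `dictionary_crack` run over the entire space instead of a wordlist.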
Communications interception attacks
Common software-based communications attacks include four subcategories designed to intercept and collect information in transit.
Malware
Computer software specifically designed to perform malicious or unwanted actions; also referred to as malicious code or malicious software. Malware is the most common form of software attack. Malicious code attacks include the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
Software Attacks
Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. This type of attack is usually part of a campaign that integrates a variety of tools as well as defined tactics, techniques, and procedures (TTP) to merge specially crafted software and social engineering methods that seek to trick users into installing computer code on their systems. After an infection occurs, the software leverages that foothold by attacking other systems that can be reached from the newly infected system.
standards
Detailed statements of what must be done to comply with the policy, sometimes viewed as the rules governing policy compliance.
polymorphic threat
Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
To produce a complete InfoSec policy portfolio, management should define and implement three types of InfoSec policies
Enterprise information security policy (EISP)
Issue-specific security policies (ISSP)
Systems-specific security policies (SysSP)
practices
Examples of actions that illustrate compliance with policies.
Risk Management Framework
Executive governance and support, framework design, framework implementation, continuous improvement
script kiddies
Hackers of limited skill who use expertly written software to attack a system. Script kiddies are also known as skids, skiddies, or script bunnies.
cyberactivists
Hackers who seek to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
hacktivists
Hackers who seek to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency; also called cyberactivists.
Human Error or Failure
Human error or failure often can be prevented with training, ongoing awareness activities, and controls. These controls range from simple activities, such as requiring the user to type a critical command twice, to more complex procedures, such as verifying commands by a second party. Common attacks that exploit human error include the following: social engineering, advance-fee fraud, phishing, spear phishing, and pretexting.
Trojan horses
Malware programs that hide their true nature and reveal their designed behavior only when activated.
enterprise information security policy (EISP) or general security policy
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts; also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy. The EISP is based on and directly supportive of the mission, vision, and direction of the organization. It is an executive-level document usually drafted by, or in cooperation with, the chief information officer of the organization. According to NIST, the EISP typically addresses compliance by documenting the organizational structures put into place, describing the programs that have been developed, and reviewing the assignment of responsibilities and/or the use of specified penalties and disciplinary actions.
Online activism
In another form of online vandalism, hacktivists or cyberactivists are activists who hack into a target's online resource, such as e-mail or social media, and then release that information to the public.
Policy
In business, a statement of managerial intent designed to guide and regulate employee behavior in the organization; in IT, a computer configuration specification used to standardize system and user behavior. Policy represents a formal statement of the organization's managerial philosophy.
noise
In incident response, an event that does not rise to the level of an incident; the presence of additional and disruptive signals in network communications or electrical power delivery.
internet service issues
In organizations that rely heavily on the Internet and the Web to support continued operations, ISP failures can considerably undermine the availability of information.
There are several approaches to creating and managing ISSPs, each with its own set of ISSP documents. Here are the three most common ones:
Independent ISSP documents, each tailored to a specific issue
A single comprehensive ISSP document covering all issues
A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements
Power irregularities
Irregularities from power utilities are common and can lead to fluctuations such as power excesses, power shortages, and power losses.
Technical Software Failures or Errors
Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors, but purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors, and they can cause serious security breaches.
brownouts
Long-term decreases in the quality of electrical power availability.
surges
Long-term increases in electrical power availability.
blackouts
Long-term interruptions (outages) in electrical power availability.
guidelines
Nonmandatory recommendations the employee may use as a reference in complying with the policy.
Positive online activism—
Not all online activism is negative. Social media outlets, such as Facebook, Twitter, Instagram, and YouTube, are commonly used to perform fundraising, raise awareness of social issues, gather support for legitimate causes, and promote involvement.
systems-specific security policies (SysSPs)
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
Communications and other service provider issues
Other utility services can affect organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services.
Policy Management
Policies are living documents that must be nurtured, given that they are constantly changing and growing. They must be properly disseminated (distributed, read, understood, and agreed to) and managed. To remain viable, security policies must have the following:
An individual (such as a policy administrator) responsible for the creation, revision, distribution, and storage of the policy; this person should solicit input from all communities of interest in policy development
A schedule of reviews to ensure currency and accuracy, and to demonstrate due diligence
A mechanism by which individuals can comfortably make recommendations for revisions, preferably anonymously
A policy and revision date and possibly a "sunset" expiration date
Optionally, policy management software to streamline the steps of writing the policy, tracking the workflow of policy approvals, publishing the policy after it is written and approved, and tracking when individuals have read the policy
Practices
Practices, procedures, and guidelines effectively explain how to comply with policy.
Risk Management Process
Process preparation, risk identification, risk analysis, risk evaluation, risk treatment
ransomware
Software designed to penetrate security controls, identify valuable content, and then encrypt files and data in place in order to extort payment for the key needed to unlock the encryption. Recent information extortion attacks have involved these specialized forms of malware.
Novice hackers
Relatively unskilled hackers who use the work of expert hackers to perform attacks.
packet monkeys
Script kiddies who use automated exploits to engage in denial-of-service attacks.
Control, safeguard, or countermeasure
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. Controls exist at various levels and in various types.
sags
Short-term decreases in electrical power availability.
spikes
Short-term increases in electrical power availability, also known as swells.
faults
Short-term interruptions in electrical power availability.
packet (network) sniffers
Software programs or hardware appliances that can intercept, copy, and interpret network traffic.
Active attack
An attack in which the threat agent acts against the asset rather than merely observing it; for example, someone who purposefully copies valuable data to resell commits an active attack.
ISSPs vary from organization to organization, but in general, an effective ISSP should contain the following elements:
Statement of policy—The policy should begin with a clear statement of purpose that answers the following questions: What is the scope of this policy? Who does this policy apply to? What technologies and issues does it address? Who is responsible and accountable for policy implementation?
Authorized access and usage of technology—This section of the policy statement addresses who can use the technology governed by the policy and what it can be used for. It defines "fair and responsible use" of equipment and other organizational assets, and it addresses key legal issues, such as protection of personal information and privacy.
Prohibited usage of technology—While the previous section describes what the issue or technology can be used for, this section outlines what it cannot be used for. Unless a particular use is clearly prohibited, the organization cannot penalize its employees for misuse. The following can be prohibited: personal use, disruptive use or misuse, criminal use, use of offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property.
procedures
Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
ISSPs vary from organization to organization, but in general, an effective ISSP should contain the following elements:
Systems management—This section focuses on the users' relationship to systems management. It is important to designate all responsibilities to either the systems administrator or the users; otherwise, both parties may infer that the responsibility belongs to the other party.
Violations of policy—This section contains not only the specifics of the penalties for each category of violation, but instructions on how individuals in the organization can report observed or suspected violations without fear of recrimination or retribution.
Policy review and modification—The policy should contain procedures and a timetable for periodic review. This section contains a specific methodology for the review and modification of the policy to ensure that users do not begin circumventing it as it grows obsolete.
Limitations of liability—This final section describes the limitations of the company's liability. It should state that if employees violate company policy or any law using company technologies, the company will not protect them and the company is not liable for their actions.
Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal—that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only manifest themselves periodically, resulting in faults that are not easily repeated.
Contingency planning (CP)
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster; includes incident response, disaster recovery, business continuity, and crisis management efforts, as well as preparatory business impact analysis. In short, being ready for events such as incidents and disasters.
cyberterrorism
The conducting of terrorist activities by online attackers.
shoulder surfing
The direct, covert observation of individual information or system use. Shoulder surfing is used in public or semipublic settings when people gather information they are not authorized to have.
Direct Attack
An attack that originates from the threat agent itself; for example, one perpetrated by a hacker using a PC to break into a system. Contrast this with an indirect attack, in which a compromised system is used as the subject of the attack against another target.
risk management
The entire program of planning for and managing risk to information assets in the organization; the process of identifying and controlling the risks to an organization's information assets. All managers are expected to play a role in the risk management process, but information security managers are expected to play the largest roles. Very often, the chief information officer (CIO) will delegate much of the responsibility for risk management to the CISO.
Policy Enforcement
The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.
theft
The illegal taking of another's property, which can be physical, electronic, or intellectual. Theft is a constant. The value of information is diminished when it is copied without the owner's knowledge. Physical theft can be controlled easily using a wide variety of measures, from locked doors to trained security personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. When someone steals a physical object, the loss is easily detected; if it has any importance at all, its absence is noted. When electronic information is stolen, the crime is not always readily apparent. Theft is often an overlapping category with software attacks, espionage or trespass, information extortion, and compromises to intellectual property. A hacker or other individual threat agent could access a system and commit most of these offenses if they downloaded a company's information and then threatened to publish it if not paid.
C.I.A. triad
The industry standard for computer security since the development of the mainframe, based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
Asset
The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data. An asset can also be physical, such as a person, a computer system, hardware, or other tangible objects. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
Risk
The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of the risk they are willing to accept.
social engineering
The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
pharming
The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Threat agent
The specific instance or a component of a threat. For example, the threat source of trespass or espionage is a category of potential danger to information assets, while an external professional hacker (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as acts of God/acts of nature. Threat agents attempt to exploit a system or information asset by using it illegally for their own gain.
software piracy
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property. Organizations often purchase or lease the IP of other organizations, and must abide by purchase or licensing agreements for its fair and responsible use.
privilege escalation
The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Sabotage or Vandalism
This category of threat involves acts of vandalism or the deliberate sabotage of a computer system or business to destroy an asset or damage the image of an organization. These acts can range from petty vandalism by employees to organized sabotage against an organization. Organizations can minimize their risk of Web site defacement by backing up their Web sites regularly, closely monitoring their Web sites, and minimizing the use of exploitable software such as scripts, plug-ins, and other application programming interfaces (APIs).
viruses
Types of malware that are attached to other executable programs and when activated, replicate and propagate to multiple systems, spreading by multiple communications vectors.
worms
Types of malware that are capable of activation and replication without being attached to an existing program.
Espionage or trespass
Unauthorized entry into the real or virtual property of another party; a well-known and broad category of electronic and human activities that can breach the confidentiality of information. One example is shoulder surfing, defined separately in this set.
spam
Unsolicited commercial e-mail, typically advertising transmitted in bulk.
E-mail attacks
Unwanted e-mail, especially bulk commercial e-mail or spam, is a common problem for e-mail users. While many consider spamming a trivial nuisance rather than an attack, it has been used as a means of enhancing malicious code attacks.
This process involves discovering and understanding answers to some key questions with regard to the risk associated with an organization's information assets:
•Where and what is the risk (risk identification)?
•How severe is the current level of risk (risk analysis)?
•Is the current level of risk acceptable (risk evaluation)?
•What do I need to do to bring the risk to an acceptable level (risk treatment)?
Technical specification SysSP
While a manager may work with a systems administrator to create managerial policy, as described in the previous section, the systems administrator may in turn need to create a different type of policy to implement the managerial policy. The manager is primarily responsible for creating the managerial specifications component of the SysSP, and sysadmins may be the primary authors or architects of the technical specification.
Policy
represents a formal statement of the organization's managerial philosophy—in the case of InfoSec policies, the organization's InfoSec philosophy
Policy Distribution
While it might seem straightforward, getting the policy document into the hands of employees can require a substantial investment by the organization in order to be effective. The most common alternatives are hard-copy distribution and electronic distribution. Hard copies involve either directly distributing a copy to the employee or posting the policy in a publicly available location. Posting a policy on a bulletin board or in some other public area may be insufficient unless another policy requires the employees to read the bulletin board on a specified schedule (daily, weekly, etc.). Distribution by internal or external mail may still not guarantee that individuals receive the document.
information security policies
Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
Indirect attack
a hacker compromising a system in order to use it only to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker's choosing, can operate autonomously or under the attacker's direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself; indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
unintentional Attack
a lightning strike that causes a building fire
Passive attack
a person who casually reads sensitive information not intended for his or her use is committing a passive attack.
Loss
a single instance of an information asset that suffers damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. As one example, when an organization's information is stolen, it has suffered a loss.
attack
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Defenders try to prevent attacks by applying controls, safeguards, or countermeasures.
Standards
are more detailed statements of what must be done to comply with policy.
Information extortion, also known as cyberextortion
common in the theft of credit card numbers. It involves the theft of information followed by a request for payment to the information's owner, with the threat of public release unless a demand is met.
Policies
define what you must do and not do, whereas the other documents focus on the how.
Password attacks
fall under the category of espionage or trespass, just as lock-picking falls under breaking and entering. Attempting to guess or reverse-calculate a password is often called password cracking.
Exploit
is a technique used to compromise a system. It can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker.
Threat
is any event or circumstance that has the potential to adversely affect operations and assets.
Information security (InfoSec)
is the protection of the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission via the application of policy, education, training and awareness, and technology.
Policy compliance
means the employee must agree to the policy. According to "Security Policy: From Design to Maintenance": Policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action that requires them to acknowledge understanding of the policy prior to use of a technology or organizational resource.
Forces of nature
sometimes called Acts of God or force majeure, can present some of the most dangerous threats because they usually occur with little warning and are beyond the control of people. Some typical force of nature attacks include the following:
•Fire
•Flood
•Earthquake
•Lightning
•Landslide or mudslide
•Tornados or severe windstorms
•Hurricanes, typhoons, and tropical depressions
•Tsunami
•Electrostatic discharge (ESD)
•Dust contamination
Information Security
the standards published by the Committee on National Security Systems (CNSS), chaired by the U.S. Secretary of Defense. Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability.
dumpster diving,
where adversaries rummage in refuse for valuable information. Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission.
Cyberterrorism and cyberwarfare
A much more sinister form of hacking is cyberterrorism, which targets critical computing and communications networks as well as physical and power utility infrastructures. Cyberterrorism is typically conducted by enemies of the state, not individual hackers.
three types of InfoSec policies
•Enterprise information security policy (EISP)
•Issue-specific security policies (ISSP)
•Systems-specific security policies (SysSP)