Information Security Quiz #1
White hat
An "ethical hacker" who has permission to identify vulnerabilities and perform penetration testing, and reports what is found so it can be fixed
Black hat
A hacker who exposes vulnerabilities for financial gain or for some malicious purpose. They attempt to prove technical prowess, and do so by not disclosing the vulnerabilities
vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset
Threat
Any action that could damage an asset.
Example of industry implementing IoT
Auto-industry
Example of authentication control
Biometric device
CIPA
Children's Internet Protection Act of 2011 - requires public schools and public libraries to use an internet safety policy.
CIA Triad
Confidentiality, Integrity, Availability
Compliance laws
FISMA, SOX, GLBA, HIPAA, CIPA, FERPA
FERPA
Family Educational Rights and Privacy Act of 1974 - protects the private data of students and their school records
Business Continuity plan (BCP)
Gives priorities to the functions an organization needs to keep going. A written plan for a structured response to any events that result in an interruption to critical business activities or functions.
GLBA
Gramm-Leach-Bliley Act of 1999 - requires all types of financial institutions to protect customers' private financial information
phreaking
Hacking of the systems and computers used by phone companies
HIPAA
Health Insurance Portability and Accountability Act of 1996 - requires health care organizations to have security and privacy controls implemented to ensure patient privacy
SOX
Sarbanes-Oxley Act of 2002 - requires publicly traded companies to submit accurate and reliable financial reporting. This law does not require securing private information, but it does require security controls to protect the confidentiality and integrity of the reporting itself.
Risk
The likelihood that something bad will happen to an asset
BYOD (bring your own device)
The practice of allowing users to use their own personal devices to connect to an organizational network.
Uptime
The total amount of time the IT system, application and data were accessible.
Gap analysis
a comparison of the security controls you have in place and the controls you need in order to address all identified threats
Standard
a detailed written definition for hardware and software and how they are to be used. It ensures that consistent security controls are used throughout the IT system.
Trojan Horse
a program that on the surface appears to have a legitimate use or purpose but is in fact malicious; it masquerades as a useful program
Worms
a self-contained program that replicates and sends copies of itself to other computers without any user input or action. Does not have to attach to an existing program
Policy
a short written statement that the people in charge of an organization have set as a course of action or direction. Comes from upper management and applies to the entire organization.
Guidelines
a suggested course of action for using the policy, standards, or procedures. They are specific or flexible regarding use.
Viruses
a virus attaches itself to or copies itself into another program on a computer. This infects the host program and causes it to replicate itself to other computers.
Authorization controls
access control lists, physical access control, network traffic filters
Buffer overflows
an attack conducted by supplying more data than is expected. Takes advantage of a system that does not properly account for the amount of data input into an application
Monthly Availability
availability = (total uptime) / (total uptime + total downtime); for a 30-day month: 30 days x 24 hrs x 60 mins = x minutes = total uptime for the month
Availability
concerned with ensuring that information is readily accessible to authorized users at all times
Confidentiality
concerned with privacy and secrecy
Steps in a Disaster Recovery Plan
define potential threats; document likely impact scenarios; document the business and technical requirements to initiate the implementation phase
Security policy
defines a risk-mitigating definition or solution for your organization
Disaster Recovery plan
defines how a business can get back on its feet after a major disaster.
Acceptable use policy
defines what users are allowed to do with organization-owned IT assets
Hardening a system
ensuring controls are in place to address known threats
FISMA
Federal Information Security Management Act - US law that requires federal agencies to provide security controls over resources that support federal operations. Updated in 2004 to the Federal Information Security Modernization Act
Logic bomb
form of malware that executes when a certain predefined event occurs
Gray hat
hacker with average abilities and questionable ethics.
Business Impact Analysis (BIA)
identifies the resources for which a business continuity plan (BCP) is necessary
ransomware
malware that forces a victim organization to pay money to prevent the deletion of data
botnet
many internet-connected computers under the control of a remote hacker
Information systems face these threats
natural and human-induced threats
Discretionary access system
the owner of the resource decides who gets in and changes permissions as needed
Separation of duties
process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task
Backdoors
programs that attackers install after gaining unauthorized access to a system, to ensure that they can continue to have unrestricted access
Security kernel
provides a central point of access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met
single sign-on (SSO)
provides for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords
Five critical challenges of IoT
security, privacy, interoperability, legal and regulatory compliance, social and economic issues
Rootkits
software programs that have the ability to hide certain things from the operating system
Integrity
the ability to prevent data from being changed in an undesirable or unauthorized manner
Evil Twin Attack
the attacker deploys a fake open or public wireless network to use a packet sniffer on any user who connects to it
Bluesnarfing
the gaining of unauthorized access through a Bluetooth connection
Accountability
the process of associating actions with users for later reporting and research. It ensures that a person who accesses or makes changes to data or systems can be identified
Risk Management
the process of identifying, assessing, prioritizing and addressing risks
downtime
total amount of time that a system, application and data are not accessible
Dictionary attack
works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match
Procedures
written instructions for how to use policies and standards. Includes plan of action, installation, testing, and auditing of security controls.