Security Awareness Applying Practical Security in Your World, Chapter 1 terms


Difficulties in defending against attacks

1. Universally connected devices (internet).
2. Increased speed of attacks.
3. Greater sophistication of attacks.
4. Availability and simplicity of attack tools.
5. Faster detection of vulnerabilities.
6. Delays in security updating.
7. Weak security update distribution.
8. Distributed attacks.
9. User confusion.

Vulnerability

A flaw or weakness that allows a threat agent to bypass security.

Threat agent

A person or element that has the power to carry out a threat.

Payment Card Industry Data Security Standard (PCI DSS)

A set of security standards that all companies that process, store, or transmit credit card information must follow. PCI DSS applies to any organization or merchant regardless of its size or number of card transactions, that processes transactions either online or in person. The maximum penalty for not complying is $100,000 per month.

Risk

A situation that involves exposure to some type of danger.

Risk acceptance

Accept the risk.

Asset

An item of value.

Risk deterrence

Ask someone else to take responsibility for the risk.

Exploit kit

Automated attack package that can be used without an advanced knowledge of computers.

Risk avoidance

Avoid the risk (i.e., don't purchase the device).

Cyberterrorists

Cause disruption and panic. Motivation is ideological: attacking for the sake of their principles and beliefs.

Products

Forms of security around the data. May be as basic as door locks or as complicated as network security equipment.

Cybercriminals

Fortune over fame. Cybercriminals launch attacks against other users and their computers. Cybercriminals are a loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk averse, well funded, and tenacious.

Health Insurance Portability and Accountability Act (HIPAA)

Healthcare enterprises must guard protected healthcare information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. Those who wrongfully disclose individually identifiable health information can be fined up to $50,000 for each violation up to a maximum of $1.5 million per calendar year and sentenced up to 10 years in prison.

Threat

Information security threats are events or actions that represent a danger to information assets.

Threat vector

Means by which the attack can occur (i.e., a vulnerability).

Confidentiality

Only authorized parties can view the information.

Authorization

Permission or approval to access specific technology resources.

The Sarbanes-Oxley Act of 2002 (Sarbox)

Pertains to corporate fraud. Sarbox covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required. Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison.

Policies and Procedures

Plans and policies established by an organization to ensure that people correctly use the products.

Threat likelihood

Probability that potential threat will actually occur.

Risk transference

Purchase risk insurance to minimize losses if the threat does come to fruition.

The Gramm-Leach-Bliley Act (GLBA)

Requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected. The penalty for noncompliance for a class of individuals is up to $500,000.

Insiders

Retaliate against employer, shame government. Insiders are employees, contractors, business partners or business associates who are able to access information from within the organization.

Hacktivists

Right a perceived wrong against them. Also motivated by ideology; however, unlike cyberterrorists who launch attacks against foreign nations to incite panic, hacktivists are generally not as well defined. Hacktivists break into websites and change the contents on the site as a means of making a political statement against those who oppose their beliefs.

Brokers

Sell their knowledge of a vulnerability to other attackers or even governments. These buyers are generally willing to pay a high price because this vulnerability is unknown to the software vendor, and thus is unlikely to be "patched" until after new attacks based on it are already widespread.

State-Sponsored Attacks

Spy on citizens, disrupt foreign governments.

Identity theft

Stealing another person's personal information, such as Social Security number, and then using the information to impersonate the victim, generally for financial gain.

Risk mitigation

Take action to prevent the risk from happening.

Cyberterrorism

The FBI defines cyberterrorism as any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents."

Availability

The data is accessible to authorized users (and that the information is not "locked up" so tight that they cannot access it).

Security

The goal to be free from danger as well as the process that achieves that freedom. The necessary steps to protect a person or property from harm.

Authentication

The individual is who she claims to be (the authentic or genuine person) and not an impostor.

Integrity

The information is correct and no unauthorized person or malicious software has altered the data.

Information security

The task of protecting the integrity, confidentiality and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.

People

Those who implement and properly use security products to protect data.

Script kiddies

Thrills, notoriety. Younger individuals who attack computers, yet lack the knowledge of computers and networks needed to do so. They use automated attack software (scripts) from websites to perform malicious acts.

Accounting

Tracking (audit trail) of events.
