Security Awareness Applying Practical Security in Your World, Chapter 1 terms
Difficulties in defending against attacks
1. Universally connected devices (internet)
2. Increased speed of attacks.
3. Greater sophistication of attacks.
4. Availability and simplicity of attack tools.
5. Faster detection of vulnerabilities.
6. Delays in security updating.
7. Weak security update distribution.
8. Distributed attacks.
9. User confusion.
Vulnerability
A flaw or weakness that allows a threat agent to bypass security.
Threat agent
A person or element that has the power to carry out a threat.
Payment Card Industry Data Security Standard (PCI DSS)
A set of security standards that all companies that process, store, or transmit credit card information must follow. PCI DSS applies to any organization or merchant, regardless of its size or number of card transactions, that processes transactions either online or in person. The maximum penalty for not complying is $100,000 per month.
Risk
A situation that involves exposure to some type of danger.
Risk acceptance
Accept the risk.
Asset
An item of value.
Risk deterrence
Ask someone else to take responsibility for the risk.
Exploit kit
Automated attack package that can be used without advanced knowledge of computers.
Risk avoidance
Avoid the risk (e.g., don't purchase the device).
Cyberterrorists
Cause disruption and panic. Motivation is ideological: attacking for the sake of their principles and beliefs.
Products
Forms of security around the data. May be as basic as door locks or as complicated as network security equipment.
Cybercriminals
Fortune over fame. Cybercriminals launch attacks against other users and their computers. Cybercriminals are a loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well funded, and tenacious.
Health Insurance Portability and Accountability Act (HIPAA)
Healthcare enterprises must guard protected healthcare information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. Those who wrongfully disclose individually identifiable health information can be fined up to $50,000 for each violation up to a maximum of $1.5 million per calendar year and sentenced up to 10 years in prison.
Threat
Information security threats are events or actions that represent a danger to information assets.
Threat vector
Means by which the attack can occur (i.e., a vulnerability).
Confidentiality
Only authorized parties can view the information.
Authorization
Permission or approval to access specific technology resources.
The Sarbanes-Oxley Act of 2002 (Sarbox)
Pertains to corporate fraud. Sarbox covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required. Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison.
Policies and Procedures
Plans and policies established by an organization to ensure that people correctly use the products.
Threat likelihood
Probability that a potential threat will actually occur.
Risk transference
Purchase risk insurance to minimize losses if the threat does come to fruition.
The Gramm-Leach-Bliley Act (GLBA)
Requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected. The penalty for noncompliance for a class of individuals is up to $500,000.
Insiders
Retaliate against employer, shame government. Insiders are employees, contractors, business partners or business associates who are able to access information from within the organization.
Hacktivists
Right a perceived wrong against them. Also motivated by ideology; however, unlike cyberterrorists who launch attacks against foreign nations to incite panic, hacktivists are generally not as well defined. Hacktivists break into websites and change the contents of the site as a means of making a political statement against those who oppose their beliefs.
Brokers
Sell their knowledge of a vulnerability to other attackers or even governments. These buyers are generally willing to pay a high price because the vulnerability is unknown to the software vendor, and thus is unlikely to be "patched" until after new attacks based on it are already widespread.
State-Sponsored Attacks
Spy on citizens, disrupt foreign governments.
Identity theft
Stealing another person's personal information, such as Social Security number, and then using the information to impersonate the victim, generally for financial gain.
Risk mitigation
Take action to prevent the risk from happening.
Cyberterrorism
The FBI defines cyberterrorism as any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents."
Availability
The data is accessible to authorized users (and that the information is not "locked up" so tight that they cannot access it).
Security
The goal to be free from danger as well as the process that achieves that freedom. The necessary steps to protect a person or property from harm.
Authentication
The individual is who she claims to be (the authentic or genuine person) and not an impostor.
Integrity
The information is correct and no unauthorized person or malicious software has altered the data.
Information security
The task of protecting the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
People
Those who implement and properly use security products to protect data.
Script kiddies
Thrills, notoriety. Younger individuals who attack computers, yet lack the knowledge of computers and networks needed to do so. They use automated attack software (scripts) from websites to perform malicious acts.
Accounting
Tracking (audit trail) of events.