69 Cards in this Set


WHY ARE INFORMATION SYSTEMS VULNERABLE

1. Bottom line: There is no such thing as privacy!


2. Systems connected to a network are vulnerable. Connectivity exposes systems to the outside world.


3. Trends in security vulnerabilities suggest that even "offline" systems are at risk


4. Systems are vulnerable from hardware, software, network, nature, and people perspectives

INFORMATION SECURITY (INFOSEC)

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability

INFO AND INFO SYSTEMS:

Do not need to be computer based. InfoSec is a general term that applies to the protection of information regardless of where it is created, stored, communicated, or destroyed

CONFIDENTIALITY

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information



*Only those with the right or authorization to access information are able to do so

INTEGRITY

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.



*Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity

AVAILABILITY

Ensuring timely and reliable access to and use of information



*For any information system to serve its purpose, the information must be available when it is needed

TYPES OF ATTACKS:

1. Malware


2. Unauthorized Access (hacking)


3. Denial-of-Service Attacks (DoS and DDoS)

TYPES OF ATTACKERS

1. Hackers


2. Disgruntled Employees/Ex-Employees


3. Other organizations, terrorists, even other countries

MALWARE

Malicious software; most common type of attack; viruses, worms, trojan horses, spyware, rootkits, keyloggers, etc.

VIRUSES

A small program that is written to alter the way a computer operates, without the permission or knowledge of the user. A computer virus attaches itself to a program or file (a host) so it can spread from one computer to another. It cannot infect a computer unless the host program is run. Cannot spread without human intervention!

WORMS

Programs that replicate themselves from system to system without the use of a host file. Considered a subclass of a virus. The biggest danger is its ability to replicate itself on a system. Can send out hundreds or thousands of copies of itself to create a devastating effect

TROJAN HORSE

Software program that appears legitimate but is actually malicious; unlike viruses and worms, trojans neither reproduce by infecting other files nor self-replicate; must be invited onto your computer; create a back door to give access to another user

SPYWARE

General term that is used for the programs that covertly monitor your activity on your computer; gather personal information

HACKING

Intentionally using a computer resource without authorization or in excess of authorization

TRADITIONAL HACKING PROCEDURE:

1. Scan networks for computers which may have vulnerabilities


2. Once a computer or server is found, use an "exploit" (software-based attack method) to break in


3. After the break-in, install a "hacker tool-kit" (software that typically automates many hacking tasks!): delete log files, make the hacker an admin user, etc.

DENIAL OF SERVICE ATTACKS (DoS)

A method that hackers use to prevent or deny legitimate users access to a computer; typically executed using the DoS tools that send many request packets to a targeted Internet server; the attack floods the server's resources and makes the system unusable.

DISTRIBUTED DENIAL OF SERVICE ATTACK (DDoS)

Multiple machines used to administer a DoS attack; zombie computers or botnets; hackers use viruses, worms, and trojans to gain control over a large number of computers; they send commands to these "bots" or "zombie" computers to send data traffic to a target server. All major commercial and govt websites have been victims

SOCIAL ENGINEERING

Tricking/manipulating victims into performing actions or divulging confidential information. May be technology based

PHISHING

A type of social engineering attack in which an email or message is sent with a link to an authentic-looking (but fake) web site where users are asked to enter confidential information

THE "GOOD GUYS"


1. Hackers


2. White Hat

THE "BAD GUYS"

1. Crackers


2. Black Hat

SCRIPT KIDDIES

Inexperienced individuals trying to become hackers by using readily available scripts and tools to carry out hacking activities. They are dangerous because there are too many wannabes.

CRIMINAL HACKERS

Most active today and represent the majority of attackers. Motivation is typically money; steal credit card information, identities, extortion, steal trade secrets to sell to competitors, etc.

HACKTIVISM

Hacking as activism; targets typically include govt and large organizations. Famous groups include "Anonymous" and "LulzSec"

WHY DISGRUNTLED EMPLOYEES ARE A THREAT

1. They are familiar with systems and possible vulnerabilities


2. Have access


3. Know what can cause the greatest damage


4. Disgruntled IT staff, particularly those in networking, software development, and IT security, could be truly disruptive

ADVANCED PERSISTENT THREATS (APTs)

Large-scale, sophisticated operations run by well-resourced actors such as governments or large organizations, which target other entities and pose some of the most menacing cyber-threats

BUSINESS CONTINUITY PLANNING

Outlines procedures for keeping an organization operational in the event of a catastrophic event such as natural disasters, major information security breaches, geo-political and military events, etc.

IS SECURITY PLANNING PRINCIPLES

1. Risk analysis


2. Defense in depth


3. Minimum permissions

RISK ANALYSIS

The process of rationally weighing the costs of protection versus threats for individual IT and data assets. When planning for security, organizations are better off conducting it thoroughly.

DEFENSE IN DEPTH

A planning principle that specifies that there should be multiple layers of protection for IT assets. If one layer fails, then it is likely that the other layers are still able to protect.

MINIMUM PERMISSIONS

A security planning principle which specifies that users of our IT systems be given the "least" or "minimum" permissions they need to carry out their jobs.


*sometimes known as "principle of least privilege"


Bottom line: Give only those privileges that are absolutely essential to a user's work

TECHNICAL AND NONTECHNICAL SAFEGUARDS

1. Access Control


2. Firewalls


3. Cryptography


4. Securing wireless networks


5. Legal requirements

ACCESS CONTROL

1. Authentication


2. Authorization

AUTHENTICATION

Making sure the person claiming to be someone is actually that person


1. Something you have (ID card, access cards, or other security tokens)


2. Something you know (passwords, challenge questions, PINs, etc.)


3. Something you are (biometrics: fingerprint or palm scanning, iris scanning, etc.)

AUTHORIZATION

Ensuring that the authenticated person has privileges appropriate for his/her role

FIREWALLS

System designed to detect intrusion and prevent unauthorized access into and out of a corporate network; isolates a private/corporate network from the internet

FIREWALL ISOLATION WORKS BOTH WAYS

Filtering applies to traffic both into and out of a private network, known as "ingress" and "egress" filtering respectively

FIREWALLS COULD BE IMPLEMENTED AS:

1. Hardware device only


2. Software only


3. Combination of both

CRYPTOGRAPHY

The use of techniques, based on mathematics, to ensure secure communications between two parties in the presence of a "third party" or "adversary"

ENCRYPTION

The process of encoding information in such a way that third parties cannot read it

PLAIN TEXT

The message to be encrypted

CIPHER

An algorithm (or pair of algorithms) used to encrypt the plain text

KEY

A (usually) short string of characters used in conjunction with a cipher to carry out the encryption. It is held secret, while ciphers are publicly known

CIPHER TEXT

The message after it is encrypted

ASYMMETRIC KEY ENCRYPTION, OR PUBLIC KEY CRYPTOGRAPHY

A cryptography method in which both the sender and receiver have two keys each


PUBLIC KEY

Made public; Public key of RECEIVER used for encryption

PRIVATE KEY

Kept secret; Private key of RECEIVER used for decryption

SECURING WIRELESS NETWORKS: WLANs

Inherently not as secure because the data signals get "broadcast." Must use encryption to protect data traffic

WAR DRIVING

Eavesdroppers "drive by" buildings to detect "open networks" and attempt to break into them. All they need is a laptop, a wireless antenna, and some hacking software. Also known as "drive-by hacking"

LEGAL REQUIREMENTS

Laws (national and international) require organizations and their employees to treat IT security seriously. Also a major reason why organizations must worry about security.

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

US federal law requiring protection of Medical Health Records and now "electronic health records."

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

US federal law requiring the protection of student records

GRAMM-LEACH-BLILEY ACT

Requires financial institutions to ensure security and confidentiality of customer data

SARBANES-OXLEY ACT (SOX)

Imposes responsibility on management to safeguard accuracy and integrity of financial data. Also restricts what kind of information is shared

IT INFRASTRUCTURE

All of the hardware, software, networks, facilities, etc. that are required to develop, test, deliver, monitor, control, or support applications and IT services


**does not include the associated people, processes, and documentation

HARDWARE

The tangible

SOFTWARE

Set of instructions or computer programs that tell the hardware what to do.

2 BROAD TYPES OF SOFTWARE

1. Systems software (operating systems, utilities)


2. Application software (used to carry out specific tasks)

APPLICATION SOFTWARE

Can be bought "off-the-shelf" ready-made, developed in-house, outsourced, or some combination of these

NETWORKS

Two or more computers that are connected via software and hardware so that they can communicate with each other

CLOUD COMPUTING

An umbrella term used to denote accessing software applications, and/or data storage, and/or processing capacity over the internet

THREE TERMS OF CLOUD COMPUTING

1. Software as a service (SaaS)


2. Platform as a service (PaaS)


3. Infrastructure as a service (IaaS)

SOFTWARE AS A SERVICE (SaaS)

A software delivery model in which a vendor provides software and associated data to a client via the internet. Both the software and the data are hosted in the cloud. Clients access the software through a web browser


**previously known as application service provision/providers (ASP)

KEY BENEFITS OF SaaS

1. No need to develop software. Pay by number of users


2. No need to have dedicated hardware to run those applications, the vendor does it in the cloud


3. Updates are taken care of


4. Software supposedly based on "best practices"

CONS OF SaaS

1. Cannot customize much (customization is possible but costly)


2. Possible loss of control / vendor lock-in

PLATFORM AS A SERVICE (PaaS)

In this model, cloud providers deliver a computing platform, typically including operating system, programming language execution environment, database, and web/application server

THE PLATFORM IS:

1. A specific combination of software and hardware


2. It allows users to create and deploy their own applications using a vendor-specific platform

INFRASTRUCTURE AS A SERVICE (IaaS)

Most basic form of cloud offering where vendors provide computers (typically servers) to their clients.

KEY POINTS OF IaaS

1. Servers are most likely "virtualized" such that a single physical machine can host multiple virtual servers belonging to one or more clients


2. The computers come with plenty of other products/services to make it extremely easy for clients to get started, scale up, or scale down as needed