Term
|
Definition
- provide for processing integrity by preventing submission of unauthorized or fictitious transactions and unauthorized changes to stored data or programs - protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed |
|
|
Term
three fundamental information security concepts |
|
Definition
- security as a management issue, not a technology issue - time-based model of security - defense in depth |
|
|
Term
security as a management issue |
|
Definition
- develop and document policies - effectively communicate those policies to all authorized users - design and employ appropriate control procedures to implement those policies - monitor the system, and take corrective action to maintain compliance with the policies |
|
|
Term
time-based model of security |
|
Definition
- given enough time and resources, any preventive control can be circumvented - consequently, effective control requires supplementing preventive procedures with methods for detecting incidents and procedures for taking corrective remedial action - detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization's economic and information resources |
|
|
Term
|
Definition
- collecting information to identify potential vulnerabilities |
|
|
Term
|
Definition
- tricking unsuspecting employees into allowing access to system |
|
|
Term
|
Definition
- detailed scan of system to identify potential points of remote entry |
|
|
Term
|
Definition
- researching vulnerabilities of software identified during scan |
|
|
Term
|
Definition
- unauthorized access to system |
|
|
Term
|
Definition
- removing evidence of attack |
|
|
Term
major types of preventive controls used for defense in depth |
|
Definition
- authentication controls - authorization controls - training - physical access controls - remote access controls - host and application hardening procedures - encryption |
|
|
Term
|
Definition
- passwords - tokens - biometrics - MAC addresses |
|
|
Term
|
Definition
- access control matrices - compatibility tests - implemented by creating an access control matrix - specifies what part of the IS a user can access and what actions they are permitted to perform - when an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed |
|
|
Term
|
Definition
- either a special-purpose hardware device or software running on a general-purpose computer |
|
|
Term
intrusion prevention systems |
|
Definition
- deep packet inspection is the heart of a new type of filter - designed to identify and drop packets that are part of an attack |
|
|
Term
|
Definition
- attacks often exploit software vulnerabilities - buffer overflows - SQL injections - cross-site scripting - buffer overflow attack |
|
|
Term
|
Definition
- attacker sends a program more data than it can handle - may cause the system to crash or provide a command prompt, giving the attacker full administrative privileges and control |
|
|
Term
|
Definition
- the process of transforming normal text into unreadable gibberish |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
- reverses the encryption process |
|
|
Term
|
Definition
- asymmetric encryption and hashing are used to create digital signatures - information encrypted with the creator's private key - information can only be decrypted using the corresponding public key - so successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key - the private key is known only to its owner, so only the owner could have created the message |
|
|
Term
|
Definition
- electronic document, created and digitally signed by a trusted third party - certifies the identity of the owner of a particular public key - contains that party's public key - these certificates can be stored on websites - browsers are designed to automatically obtain a copy of that digital certificate and use the public key contained therein to communicate with the website - you can manually examine the contents of a website's digital certificate by double-clicking on the lock icon that appears in the lower, right-hand corner of the browser window - digital certificates provide an automated method for obtaining an organization's or individual's public key |
|
|
Term
public key infrastructure (PKI) |
|
Definition
- system and processes used to issue and manage asymmetric keys and digital certificates |
|
|
Term
|
Definition
- an organization that issues public and private keys and records the public key in a digital certificate - hashes the information stored on a digital certificate - encrypts that hash with its private key - appends that digital signature to the digital certificate |
|
|
Term
|
Definition
- use a cursive imprint of a person's name applied to an electronic document - legally binding like a paper document |
|
|
Term
three key components that satisfy the preceding criteria |
|
Definition
- establishment of a computer emergency response team - designation of a specific individual with organization-wide responsibility for security - an organized patch management system |
|
|
Term
|
Definition
- employ multiple layers of control in order to avoid having a single point of failure |
|
|
Term
|
Definition
- focuses on verifying the identity of the person or device attempting to access the system |
|
|
Term
multifactor authentication |
|
Definition
- the use of two or more methods of basic authentication at once |
|
|
Term
|
Definition
- restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform |
|
|
Term
|
Definition
- table specifying which portions of the system users are permitted to access and what actions they can perform |
|
|
Term
|
Definition
- matches the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action |
|
|
Term
|
Definition
- use deception to obtain unauthorized access to information resources |
|
|
Term
|
Definition
- connects an organization's information system to the internet |
|
|
Term
|
Definition
- separate network that permits controlled access from the internet to selected resources, such as the organization's e-commerce web server |
|
|
Term
transmission control protocol (TCP) |
|
Definition
- specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembly of the original document or file at the destination |
|
|
Term
|
Definition
- specifies the structure of those packets and how to route them to the proper destination |
|
|
Term
|
Definition
- designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next |
|
|
Term
access control list (ACL) |
|
Definition
- determines which packets are allowed entry and which are dropped |
|
|
Term
|
Definition
- screens individual IP packets based solely on the contents of the source and/or destination field in the IP packet header |
|
|
Term
stateful packet filtering |
|
Definition
- maintains a table that lists all established connections between the organization's computers and the internet |
|
|
Term
|
Definition
- firewalls that examine the data in the body of an IP packet can provide more effective access control than those that look only at information in the IP header |
|
|
Term
intrusion prevention systems (IPS) |
|
Definition
- designed to identify and drop packets that are part of an attack |
|
|
Term
remote authentication dial-in user service (RADIUS) |
|
Definition
- standard method for verifying the identity of users attempting to obtain dial-in access |
|
|
Term
|
Definition
- potential point of attack - flaws |
|
|
Term
|
Definition
- process of turning off unnecessary features |
|
|
Term
|
Definition
- making copies of all encryption keys used by employees and storing those copies securely |
|
|
Term
|
Definition
- process that takes plaintext of any length and transforms it into a short code |
|
|
Term
|
Definition
- process of examining logs to monitor security |
|
|
Term
intrusion detection systems (IDS) |
|
Definition
- create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions |
|
|
Term
|
Definition
- automated tools designed to identify whether a given system possesses any well-known vulnerabilities |
|
|
Term
|
Definition
- authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system |
|
|
Term
computer emergency response team (CERT) |
|
Definition
- sometimes referred to as a computer incident response team (CIRT) - responsible for dealing with major incidents - should include not only technical specialists but also senior operations management, because some potential responses to security incidents have significant economic consequences |
|
|
Term
|
Definition
- set of instructions for taking advantage of a vulnerability |
|
|
Term
|
Definition
- code released by software developers that fixes a particular vulnerability |
|
|
Term
|
Definition
- process for regularly applying patches and updates to all software used by the organization |
|
|