Exam 1 Flashcards
Asset
Organizational resource that is being protected. Can be logical, such as a web site, software information, or data; can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
Information Asset
Focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
Information Security (InfoSec)
Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
Security
State of being secure and free from danger or harm. In addition, the actions taken to make someone or something secure.
Accountability
Access control mechanism that ensures all actions on a system - authorized or unauthorized - can be attributed to an authenticated identity. Also known as auditability.
Authentication
Access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity.
Authorization
Access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
Availability
Attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
C.I.A. Triad
Industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
Confidentiality
Attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
Disclosure
In information security, the intentional or unintentional exposure of an information asset to unauthorized parties.
Identification
Access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system.
Information Aggregation
Collection and combination of pieces of non-private data, which could result in information that violates privacy. Not to be confused with aggregate information.
Integrity
Attribute of information that describes how data is whole, complete, and uncorrupted.
Privacy
In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.
Attack
Intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Threat Event.
Exploit
Technique used to compromise a system. This term can be a verb or noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain.
Loss
Single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
Threat
Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat.
Threat Agent
Specific instance or a component of a threat.
Vulnerability
Potential weakness in an asset or its defensive control system(s).
Intellectual Property (IP)
Creation, ownership, and control of original ideas as well as the representation of those ideas.
Software Piracy
Unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
Availability Disruption
Interruption in service, usually from a service provider, which causes an adverse event within an organization.
Blackout
Long-term interruption in electrical power availability.
Brownout
Long-term decrease in the quality of electrical power availability.
Fault
Short-term interruption in electrical power availability.
Noise
Presence of additional and disruptive signals in network communications or electrical power delivery.
Sag
Short-term decrease in electrical power availability.
Service Level Agreement (SLA)
Document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
Spike
Short-term increase in electrical power availability, also known as swell.
Surge
Long-term increase in electrical power availability.
Advanced Persistent Threat (APT)
Collection of processes, usually directed by a human agent, that targets a specific organization or individual.
Brute Force Password Attack
Attempt to guess a password by attempting every possible combination of characters and numbers in it.
Competitive Intelligence
Collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.
Cracker
Hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
Cracking
Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.
Dictionary Password Attack
Variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.
Expert Hacker
Hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers. Often create automated exploits, scripts, and tools used by other hackers.
Industrial Espionage
Collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.
Jailbreaking
Escalating privileges to gain administrator-level control over a smartphone operating system (usually iPhones).
Novice Hacker
Relatively unskilled hacker who uses the work of expert hackers to perform attacks. aka neophyte, n00b, or newbie. Includes script kiddies and packet monkeys.
Packet Monkey
Script kiddie who uses automated exploits to engage in denial-of-service attacks.
Penetration Tester
Information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
Phreaker
Hacker who manipulates the public telephone system to make free calls or disrupt services.
Pretexting
Form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information. Commonly performed by telephone.
Privilege Escalation
Unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Professional Hacker
Hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.
Rainbow Table
Table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file.
Rooting
Escalating privileges to gain administrator-level control over a computer system (including smart phones). Typically associated with Linux and Android operating systems. See also jailbreaking.
Script Kiddie
Hacker of limited skill who uses expertly written software to attack a system. aka skids, kiddies, or script bunnies.
Shoulder Surfing
Direct, covert observation of individual information or system use.
Trespass
Unauthorized entry into the real or virtual property of another party.
Advance-Fee Fraud (AFF)
Form of social engineering, typically conducted via email, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer. This may also involve prepayment for services with a payment larger than required; the overpayment is returned and then the initial payment is repudiated.
Phishing
Form of social engineering in which the attacker provides what appears to be a legitimate communication, but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
Social Engineering
Process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
Spear Phishing
Any highly targeted phishing attack.
Information Extortion
Act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. aka cyberextortion.
Ransomware
Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption.
Cyberterrorism
Conduct of terrorist activities by online attackers.
Cyberwarfare
Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state. aka information warfare.
Hacktivist
Hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. aka cyberactivist.
Back Door
Malware payload that provides access to a system by bypassing normal access controls. Also an intentional access control bypass left by a system designer to facilitate development.
Boot Virus
Type of virus that targets the boot sector or Master Boot Record of a computer system’s hard drive or removable storage media.
Clickbait
Content such as email attachments or embedded links crafted to convince unsuspecting users to click them, which results in more web traffic for the content provider or the installation of unwanted software or malware.
Denial-of-Service (DoS) Attack
Attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Distributed Denial-of-Service (DDoS) Attack
DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Domain Name System (DNS) Cache Poisoning
Intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate internet locations. aka DNS spoofing.
Macro Virus
Type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application's document is opened. Typically affects documents, slideshows, emails, or spreadsheets created by office suite applications.
Malware
Computer software specifically designed to perform malicious or unwanted actions.
Polymorphic Threat
Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.