Information Security

  1. Intellectual Property
    The creation, ownership, and control of original ideas as well as the representation of those ideas.
  2. Software Piracy
    The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
  3. What are the two organizations that investigate allegations of software piracy?
    Software & Information Industry Association (SIIA)

    Business Software Alliance (BSA)
  4. Availability Disruption
    An interruption in service, usually from a service provider, which causes an adverse event within an organization.
  5. Downtime
    The percentage of time a particular service is not available; the opposite of uptime.
  6. Service Level Agreement (SLA)
    A document or part of a document that specifies the expected level of service from a service provider.  An SLA usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
  7. Uptime
    The percentage of time a particular service is available; the opposite of downtime.
  8. Blackout
    A long term interruption (outage) in electrical power availability.
  9. Brownout
    A long term decrease in electrical power availability.
  10. Fault
    A short term interruption in electrical power availability.
  11. Noise
    The presence of additional and disruptive signals in network communications or electrical power delivery.
  12. Sag
    A short term decrease in electrical power availability.
  13. Spike
    A short term increase in electrical power availability, also known as a Swell.
  14. Surge
    A long term increase in electrical power availability.
  15. Competitive intelligence
    The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
  16. Industrial espionage
    The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.  Also known as corporate spying, which is distinguished from espionage for national security reasons.
  17. Shoulder surfing
    The direct, covert observation of individual information or system use.
  18. Expert hacker
    A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.  Also known as elite hackers, expert hackers often create automated exploits, scripts, and tools used by other hackers.
  19. Hacker
    A person who accesses systems and information without authorization and often illegally.
  20. Jailbreaking
    Escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS).  Also see Rooting.
  21. Novice hacker
    A relatively unskilled hacker who uses the work of expert hackers to perform attacks.  Also known as a neophyte, n00b, or newbie.  This category of hackers includes script kiddies and packet monkeys.
  22. Packet monkey
    A script kiddie who uses automated exploits to engage in denial-of-service attacks.
  23. Penetration tester
    An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
  24. Privilege escalation
    The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
  25. Professional hacker
    A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.  Not to be confused with a penetration tester.
  26. Rooting
    Escalating privileges to gain administrator-level control over a computer system (including smartphones).  Typically associated with Android OS smartphones.  See also Jailbreaking.
  27. Script kiddie
    A hacker of limited skill who uses expertly written software to attack a system.  Also known as skids, skiddies, or script bunnies.
  28. Trespass
    Unauthorized entry into the real or virtual property of another party.
  29. Cracker
    A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
  30. Phreaker
    A hacker who manipulates the public telephone system to make free calls or disrupt services.
  31. Security Systems Development Life Cycle (SecSDLC)
    A methodology for the design and implementation of security systems based on the systems development life cycle.  Both contain the same goal phases.
  32. Top-down approach
    Establishing policies that are initiated by upper management.
  33. Bottom-up approach
    Establishing policies that begin as a grassroots effort in which system administrators attempt to improve the security of their systems.
  34. Information System
    The entire set of software, hardware, data, people, procedures and networks that enable the use of information resources in the organization.
  35. Data accuracy
    How data is free of errors and has the value the user expects.
  36. Data authenticity
    How data is genuine or original rather than reproduced or fabricated.
  37. Data availability
    How data is accessible and correctly formatted for use without interference or obstruction.
  38. Data confidentiality
    How data is protected from disclosure or exposure to unauthorized individuals or systems.
  39. Data integrity
    How data is whole, complete, and uncorrupted.
  40. Data possession
    How data's ownership or control is legitimate or authorized.
  41. Data utility
    How data has value or usefulness for an end purpose.
  42. Vulnerability
    A weakness or fault in a system or protection mechanism that opens it to attack or damage.
  43. Threat agent
    A specific instance or component of a threat.
  44. Threat
    • A category of objects, people, etc. that represents a danger to an asset.
    • Can be purposeful or unpurposeful.
  45. Subjects and objects
    A computer can be the subject or object of an attack.
  46. Risk
    Probability of an unwanted occurrence.
  47. Protection profile
    Security posture
    • The entire set of controls and safeguards.
    • A security program adds managerial aspects.
  48. Loss
    An instance of an information asset suffering damage, destruction, or unintended/unauthorized modification, or disclosure, or denial of use.
  49. Exposure
    • A condition or state of being exposed.
    • Exists when a vulnerability is known to an attacker.
  50. Exploit
    • A technique used to compromise a system.
    • Can be a verb or noun.
    • Can be a computer or a process.
  51. Control
    Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risks, resolve vulnerabilities, and improve security.
  52. Attack
    • Intentional or unintentional.
    • Direct or indirect.
    • Act that can damage or compromise information.
  53. Asset
    • The organizational resource that is being protected.
    • Can be physical or logical (data/programs).
  54. Access
    • A subject's ability to use, manipulate, modify, or affect another subject.
    • Can be legal or illegal.
    • Access controls regulate this.
  55. Security
    • A state of being secure and free from danger or harm.
    • Also the actions taken to make someone or something secure.
  56. Physical security
    The protection of physical items, objects, or areas from unauthorized access and misuse.
  57. Network security
    • A subset of communications security.
    • The protection of voice and data networking components, connections, and content.
  58. Information security
    Protection of the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training & awareness, and technology.
  59. Communication security
    The protection of all communication media, technology, and content.
  60. Software assurance
    • A methodological approach to the development of software that seeks to build security into the development life cycle rather than later.
    • S.A. attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.
  61. C.I.A. Triangle
    • The industry standard for computer security since the development of the mainframe.
    • Based on three characteristics that describe the utility of information:
      • Confidentiality
      • Integrity
      • Availability
  62. Computer security
    • In the early days this term specified the need to secure the physical location of computer technology from outside threats.
    • This term later came to represent all actions taken to preserve computer systems from losses.
    • It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.
  63. McCumber cube
    • Graphical representation of the architectural approach widely used in computer and information security; commonly shown as a 3×3×3 cube.
    • X: Storage, Processing, Transmission
    • Y: Confidentiality, Integrity, Availability
    • Z: Policy, Education, Technology
  64. Waterfall model
    • A type of SDLC in which each phase "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
    • Investigation -> Analysis -> Logical Design -> Physical Design -> Implementation -> Maintenance & Change
  65. Methodology
    A formal approach to solving a problem based on a structured sequence of procedures.
  66. Systems Development Life Cycle (SDLC)
    • A methodology for the design and implementation of an information system.
    • Contains different phases depending on the methodology; generally the phases address the investigation, analysis, design, implementation and maintenance of an information system.
  67. 10.3 password rule
    An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.
  68. Brute force password attack
    An attempt to guess a password by attempting every possible combination of characters and numbers in it.
  69. Cracking
    Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.  See Cracker.
  70. Dictionary password attack
    A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
  71. Rainbow table
    A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
  72. Force majeure
    • Literally "superior force".
    • Refers to natural disasters, civil disorder, and acts of war.
  73. Advance-fee fraud (AFF)
    A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
  74. Phishing
    A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
  75. Pretexting
    A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information.  Pretexting is commonly performed by telephone.
  76. Social engineering
    The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
  77. Spear phishing
    Any highly targeted phishing attack.
  78. Information extortion
    The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information.  Also known as cyberextortion.
  79. Cyberactivist
    A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
  80. Cyberterrorist
    A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
  81. Cyberwarfare
    Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
  82. Adware
    Malware intended to provide undesired marketing and advertising, including popups and banners on a user's screens.
  83. Boot virus
    Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
  84. Macro virus
    A type of virus written in a specific macro language to target applications that use the language.  The virus is activated when the application's product is opened.  A macro virus typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
  85. Malware
    Malicious code
    Malicious software
    Computer software specifically designed to perform malicious or unwanted actions.
  86. Non-memory-resident virus
    Non-resident virus
    A virus that terminates after it has been activated, infected its host system, and replicated itself.  NMR viruses do not reside in an operating system or memory after executing.
  87. Memory-resident virus
    Resident virus
    A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
  88. Polymorphic threat
    Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
  89. Spyware
    Any technology that aids in gathering information about people or organizations without their knowledge.
  90. Trojan horse
    A malware program that hides its true nature and reveals its designed behavior only when activated.
  91. Virus
    A type of malware that is attached to other executable programs.  When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors.  For example, a virus might send copies of itself to all users in the infected system's e-mail program.
  92. Virus hoax
    A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
  93. Worm
    A type of malware that is capable of activation and replication without being attached to an existing program.
  94. Back door
    Maintenance hook
    Trap door
    A malware payload that provides access to a system by bypassing normal access controls.  A back door is also an intentional access control bypass left by a system designer to facilitate development.
  95. Bot
    An automated software program that executes certain commands when it receives a specific input.
  96. Denial-of-service (DoS) attack
    An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
  97. Distributed denial-of-service (DDoS) attack
    A DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots.
  98. Mail bomb
    An attack designed to overwhelm the receiver with excessive quantities of e-mail.
  99. Spam
    Undesired e-mail, typically commercial advertising transmitted in bulk.
  100. Domain name system (DNS) cache poisoning
    DNS spoofing
    The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.
  101. Man-in-the-middle
    A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.  Some man-in-the-middle attacks involve encryption functions.
  102. Packet sniffer
    A software program or hardware appliance that can intercept, copy, and interpret network traffic.
  103. Pharming
    The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
  104. Session hijacking
    TCP hijacking
    A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP communications.
  105. Spoofing
    A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
  106. Mean time between failure (MTBF)
    The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
  107. Mean time to diagnose (MTTD)
    The average amount of time a computer repair technician needs to determine the cause of a failure.
  108. Mean time to failure (MTTF)
    The average amount of time until the next hardware failure.
  109. Mean time to repair (MTTR)
    The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
  110. Buffer overrun
    Buffer overflow
    An application error that occurs when more data is sent to a program buffer than it is designed to handle.
  111. Command injection
    An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
  112. Cross-site scripting (XSS)
    A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
  113. Integer bug
    A class of computational errors caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.