The creation, ownership, and control of original ideas as well as the representation of those ideas.
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
What are the two organizations that investigate allegations of software piracy?
Software & Information Industry Association (SIIA)
Business Software Alliance (BSA)
An interruption in service, usually from a service provider, which causes an adverse event within an organization.
The percentage of time a particular service is not available; the opposite of uptime.
Service Level Agreement (SLA)
A document or part of a document that specifies the expected level of service from a service provider. An SLA usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
The percentage of time a particular service is available; the opposite of downtime.
A long-term interruption (outage) in electrical power availability.
A long-term decrease in electrical power availability.
A short-term interruption in electrical power availability.
The presence of additional and disruptive signals in network communications or electrical power delivery.
A short-term decrease in electrical power availability.
A short-term increase in electrical power availability, also known as a swell.
A long-term increase in electrical power availability.
The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, to distinguish it from espionage conducted for national security reasons.
The direct, covert observation of individual information or system use.
A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers, expert hackers often create automated exploits, scripts, and tools used by other hackers.
A person who accesses systems and information without authorization and often illegally.
Escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS). Also see Rooting.
A relatively unskilled hacker who uses the work of expert hackers to perform attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script kiddies and packet monkeys.
A script kiddie who uses automated exploits to engage in denial-of-service attacks.
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.
Escalating privileges to gain administrator-level control over a computer system (including smartphones). Typically associated with Android OS smartphones. See also Jailbreaking.
A hacker of limited skill who uses expertly written software to attack a system. Also known as skids, skiddies, or script bunnies.
Unauthorized entry into the real or virtual property of another party.
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
A hacker who manipulates the public telephone system to make free calls or disrupt services.
Security Systems Development Life Cycle (SecSDLC)
A methodology for the design and implementation of security systems, based on the systems development life cycle. Both contain the same general phases.
Establishing policies that are initiated by upper management.
Establishing policies that begin as a grassroots effort in which system administrators attempt to improve the security of their systems.
The entire set of software, hardware, data, people, procedures and networks that enable the use of information resources in the organization.
How data is free of errors and has the value the user expects.
How data is genuine or original rather than reproduced or fabricated.
How data is accessible and correctly formatted for use without interference or obstruction.
How data is protected from disclosure or exposure to unauthorized individuals or systems.
How data is whole, complete, and uncorrupted.
How data's ownership or control is legitimate or authorized.
How data has value or usefulness for an end purpose.
A weakness or fault in a system or protection mechanism that opens it to attack or damage.
A specific instance or component of a threat.
- A category of objects, people, etc. that represents a danger to an asset.
- Can be purposeful or accidental.
Subjects and objects
A computer can be the subject or object of an attack.
Probability of an unwanted occurrence.
- The entire set of controls and safeguards.
- A security program adds managerial aspects.
An instance of an information asset suffering damage, destruction, or unintended/unauthorized modification, or disclosure, or denial of use.
- A condition or state of being exposed.
- Exists when a vulnerability is known to an attacker.
- A technique used to compromise a system.
- Can be a verb or noun.
- Can be a computer or a process.
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risks, resolve vulnerabilities, and improve security.
- Intentional or unintentional.
- Direct or indirect.
- Act that can damage or compromise information.
- The organizational resource that is being protected.
- Can be physical or logical (data/programs).
- A subject's ability to use, manipulate, modify, or affect another subject.
- Can be legal or illegal.
- Access controls regulate this.
- A state of being secure and free from danger or harm.
- Also the actions taken to make someone or something secure.
The protection of physical items, objects, or areas from unauthorized access and misuse.
- A subset of communications security.
- The protection of voice and data networking components, connections, and content.
Protection of the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training & awareness, and technology.
The protection of all communication media, technology, and content.
- A methodological approach to the development of software that seeks to build security into the development life cycle rather than later.
- Software assurance attempts to intentionally create software free of vulnerabilities and to provide effective, efficient software that users can deploy with confidence.
- The industry standard for computer security since the development of the mainframe.
- Based on three characteristics that describe the utility of information:
- * Confidentiality
- * Integrity
- * Availability
- In the early days this term specified the need to secure the physical location of computer technology from outside threats.
- This term later came to represent all actions taken to preserve computer systems from losses.
- It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.
- Graphical representation of the architectural approach widely used in computer and information security; commonly shown as a 3x3x3 cube.
- X: Storage, Processing, Transmission
- Y: Confidentiality, Integrity, Availability
- Z: Policy, Education, Technology
- A type of SDLC in which each phase "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
- Investigation -> Analysis -> Logical Design -> Physical Design -> Implementation -> Maintenance & Change
A formal approach to solving a problem based on a structured sequence of procedures.
Systems Development Life Cycle (SDLC)
- A methodology for the design and implementation of an information system.
- Contains different phases depending on the methodology; generally the phases address the investigation, analysis, design, implementation and maintenance of an information system.
10.4 password rule
An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.
Brute force password attack
An attempt to guess a password by attempting every possible combination of characters and numbers in it.
Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software. See Cracker.
Dictionary password attack
A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's hashed password file.
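The four password entries above (the 10.4 rule, the brute force attack, the dictionary attack and the hash lookup table) side by side, as an added example that is not part of the original glossary. The wordlist, the "stolen" hashed password file and the unsalted SHA-256 password store are constructed for illustration; a real system should store passwords with a salted, slow KDF such as scrypt or Argon2, and the salted variant at the end shows why that defeats a precomputed table.

```python
"""Added example: 10.4 rule check, brute-force keyspace, dictionary attack
and a precomputed hash lookup table (the glossary's 'rainbow table')."""
import hashlib
import re

# One regex per character class required by the 10.4 rule.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def meets_10_4_rule(password: str) -> bool:
    """At least 10 characters and at least one of each of the four classes."""
    if len(password) < 10:
        return False
    return all(rx.search(password) for rx in CLASSES.values())


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for one fixed length."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force attack at a given guess rate."""
    return keyspace / guesses_per_second


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256 stands in for a weak password store (assumption).
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist, personal_info=()):
    """Try common passwords plus simple mutations of the target's personal
    information (name, Name, name123, name+year, ...) instead of the keyspace."""
    candidates = list(wordlist)
    for item in personal_info:
        candidates += [item, item.capitalize(), item + "123", item + "!"]
        candidates += [item + str(year) for year in range(2019, 2025)]
    for cand in candidates:
        if sha256_hex(cand) == target_hash:
            return cand
    return None


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> plaintext table. (Real rainbow tables store hash
    chains to trade memory for time; the lookup idea is the same.)"""
    return {sha256_hex(w): w for w in wordlist}


def lookup(table: dict, stolen_hash: str):
    return table.get(stolen_hash)


def salted_sha256_hex(salt: str, password: str) -> str:
    """A per-user salt makes every stored hash unique, so a table built from
    plain words no longer matches even a very common password."""
    return sha256_hex(salt + password)


# Constructed sample data: a small wordlist and a "stolen" hashed password file.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]
STOLEN_FILE = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("bob2021"),
    "carol": sha256_hex("Tr0ub4dor&3x"),
}


def crack_stolen_file(stolen: dict, wordlist) -> dict:
    """Run the dictionary attack against every account, using the account
    name as the only piece of personal information."""
    return {user: dictionary_attack(h, wordlist, personal_info=[user])
            for user, h in stolen.items()}


if __name__ == "__main__":
    print(crack_stolen_file(STOLEN_FILE, COMMON_PASSWORDS))
    ks = brute_force_keyspace(95, 10)  # 95 printable ASCII characters, length 10
    print(f"keyspace {ks:.3e}, {seconds_to_exhaust(ks, 1e10) / 86400:.0f} days at 1e10 guesses/s")
    table = build_lookup_table(COMMON_PASSWORDS)
    print(lookup(table, STOLEN_FILE["alice"]), lookup(table, salted_sha256_hex("x7Qp", "letmein")))
```

Only carol's password survives: it satisfies the 10.4 rule and is not in the wordlist, so neither the dictionary attack nor the lookup table finds it, and at 95^10 candidates the brute force attack is the attacker's last resort.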
- Literally "superior force".
- Refers to natural disasters, civil disorder, and acts of war.
Advance-fee fraud (AFF)
A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information. Pretexting is commonly performed by telephone.
The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
Any highly targeted phishing attack.
The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
Malware intended to provide undesired marketing and advertising, including popups and banners on a user's screens.
Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
A type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application's product is opened. A macro virus typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
Computer software specifically designed to perform malicious or unwanted actions.
A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing.
A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
Any technology that aids in gathering information about people or organizations without their knowledge.
A malware program that hides its true nature and reveals its designed behavior only when activated.
A type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system's e-mail program.
A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
A type of malware that is capable of activation and replication without being attached to an existing program.
A malware payload that provides access to a system by bypassing normal access controls. A back door is also an intentional access control bypass left by a system designer to facilitate development.
An automated software program that executes certain commands when it receives a specific input.
Denial-of-service (DoS) attack
An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Distributed denial-of-service (DDoS) attack
A DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots.
An attack designed to overwhelm the receiver with excessive quantities of e-mail.
Undesired e-mail, typically commercial advertising transmitted in bulk.
Domain name system (DNS) cache poisoning
The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.
A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner. Some man-in-the-middle attacks involve encryption functions.
A software program or hardware appliance that can intercept, copy, and interpret network traffic.
The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP communications.
A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
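The DNS cache poisoning, pharming and spoofing entries above describe one attack chain: forged answers carrying a spoofed source address get cached by a resolver that does not check enough of the reply, and users are then redirected to the attacker's site. The simulation below is an added example, not part of the original glossary. The resolver classes, the constructed query and response records and the attack loop are simplifications (real resolvers also check that answers are in bailiwick, and DNSSEC signatures remove the guessing game entirely); what it shows is why matching the transaction ID, the destination port and the server address matters.

```python
"""Added example: a toy DNS resolver cache with and without the checks that
make forged (spoofed-source) responses hard to slip into the cache."""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class DnsQuery:
    txid: int
    src_port: int     # resolver's source port; the answer must come back to it
    qname: str
    server_ip: str    # authoritative server the query was sent to


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int
    qname: str
    answer_ip: str
    src_ip: str       # claimed sender; trivially spoofed over UDP


class NaiveResolver:
    """Caches the first reply whose question name matches a pending query."""

    def __init__(self, rng):
        self.rng = rng
        self.cache = {}
        self.pending = {}

    def send_query(self, qname, server_ip, fixed_port=None):
        q = DnsQuery(txid=self.rng.randrange(TXID_SPACE),
                     src_port=fixed_port or self.rng.choice(EPHEMERAL_PORTS),
                     qname=qname, server_ip=server_ip)
        self.pending[qname] = q
        return q

    def matches(self, q, resp):
        return True       # only the name is checked: anything goes

    def accept(self, resp):
        q = self.pending.get(resp.qname)
        if q is None or not self.matches(q, resp):
            return False
        self.cache[resp.qname] = resp.answer_ip
        del self.pending[resp.qname]
        return True


class CheckingResolver(NaiveResolver):
    """Requires the reply to match transaction ID, destination port and the
    server address the query went to (what modern resolvers do)."""

    def matches(self, q, resp):
        return (resp.txid == q.txid and resp.dst_port == q.src_port
                and resp.src_ip == q.server_ip)


def flood_forged_responses(resolver, qname, attacker_ip, rng, n):
    """Attacker who never saw the query guesses txid and port at random and
    sends n forged replies that claim to come from the real server."""
    q = resolver.pending[qname]
    poisoned = 0
    for _ in range(n):
        forged = DnsResponse(txid=rng.randrange(TXID_SPACE),
                             dst_port=rng.choice(EPHEMERAL_PORTS),
                             qname=qname, answer_ip=attacker_ip,
                             src_ip=q.server_ip)          # spoofed source
        if resolver.accept(forged):
            poisoned += 1
    return poisoned


def run_attack(resolver_cls, seed=7, forged=2000):
    """Return the IP the resolver ends up caching for www.example.com."""
    rng = random.Random(seed)
    r = resolver_cls(rng)
    q = r.send_query("www.example.com", server_ip="192.0.2.53")
    flood_forged_responses(r, "www.example.com", "198.51.100.66", rng, forged)
    # The genuine answer arrives last; it is ignored if the cache is already poisoned.
    genuine = DnsResponse(txid=q.txid, dst_port=q.src_port, qname=q.qname,
                          answer_ip="203.0.113.10", src_ip=q.server_ip)
    r.accept(genuine)
    return r.cache["www.example.com"]


def spoof_success_probability(forged, port_randomized=True):
    """Chance that one flood lands, assuming uniform guesses: with a fixed
    source port the attacker only has to guess the 16-bit txid."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if port_randomized else 1)
    return min(1.0, forged / space)


if __name__ == "__main__":
    print("naive   :", run_attack(NaiveResolver))
    print("checking:", run_attack(CheckingResolver))
    print("P(fixed port):", spoof_success_probability(2000, port_randomized=False))
```

The naive resolver is poisoned by the very first forged packet, which is the pharming outcome: every later lookup of the name goes to the attacker's address until the entry expires. The checking resolver discards all 2000 forgeries and caches the genuine answer; with a fixed source port the attacker's odds per flood collapse from roughly one in four billion to one in 65536, which is why source port randomization was the practical fix.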
Mean time between failure (MTBF)
The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
Mean time to diagnose (MTTD)
The average amount of time a computer repair technician needs to determine the cause of a failure.
Mean time to failure (MTTF)
The average amount of time until the next hardware failure.
Mean time to repair (MTTR)
The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
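How the four means above combine into the uptime and downtime percentages that an SLA is written in, as an added example that is not part of the original glossary. The unit counts, failure counts and repair times are constructed; the assumption made here is that the outage per failure is the time to diagnose plus the time to repair, and that availability is MTBF / (MTBF + outage).

```python
"""Added example: MTBF, MTTR and availability checked against an SLA target."""

HOURS_PER_YEAR = 8760


def mtbf_hours(total_operating_hours: float, failures: int) -> float:
    """Total operating time of all units divided by the number of failures."""
    return total_operating_hours / failures


def availability(mtbf: float, outage_per_failure: float) -> float:
    """Fraction of time the service is up: uptime / (uptime + downtime)."""
    return mtbf / (mtbf + outage_per_failure)


def downtime_hours_per_year(avail: float) -> float:
    return (1 - avail) * HOURS_PER_YEAR


def sla_met(avail: float, sla_percent: float) -> bool:
    return avail * 100 >= sla_percent


def fleet_report(units, hours_each, failures, mttd, mttr, sla_percent):
    """Constructed fleet: e.g. 100 identical units run for a year with 12 failures."""
    mtbf = mtbf_hours(units * hours_each, failures)
    outage = mttd + mttr          # assumption: diagnosis, then repair, serially
    avail = availability(mtbf, outage)
    return {
        "mtbf_hours": mtbf,
        "availability": avail,
        "downtime_hours_per_year": downtime_hours_per_year(avail),
        "sla_met": sla_met(avail, sla_percent),
    }


if __name__ == "__main__":
    for target in (99.9, 99.99):
        print(target, fleet_report(units=100, hours_each=HOURS_PER_YEAR, failures=12,
                                   mttd=2, mttr=6, sla_percent=target))
```

With 100 units, 12 failures a year and an 8-hour outage per failure the fleet reaches about 99.989% availability (roughly an hour of downtime a year): enough for a 99.9% SLA, not for 99.99%, and the only levers are a higher MTBF or a shorter time to diagnose and repair.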
An application error that occurs when more data is sent to a program buffer than it is designed to handle.
An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
Cross-site scripting (XSS)
A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
A class of computational errors caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
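The command injection, cross-site scripting and integer overflow entries above as an added example that is not part of the original glossary, each shown as the vulnerable construction beside its hardened form. The file name validator, the greeting template and the 32-bit allocation-size helper are constructed for illustration; the buffer overflow entry is a native-memory defect that Python does not reproduce, so it is not shown.

```python
"""Added example: command injection, XSS and integer overflow, each as a
vulnerable function beside a hardened one."""
import html
import re
import subprocess
import sys

# --- Command injection: user input reaches a shell interpreter unscreened ---

def count_lines_command_vulnerable(filename: str) -> str:
    """String concatenation into a shell command line (never execute this)."""
    return "wc -l " + filename            # "a.txt; rm -rf /" becomes two commands


FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_filename(filename: str) -> str:
    """Allowlist: reject anything but plain file-name characters."""
    if not FILENAME_RE.fullmatch(filename):
        raise ValueError("unsafe filename: %r" % filename)
    return filename


def echo_argument(user_input: str) -> str:
    """Pass input as one argv element, never through a shell, so metacharacters
    stay literal. (A child Python stands in for a real tool such as wc.)"""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_input],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


# --- Cross-site scripting: untrusted text placed into HTML unescaped ---

def greeting_vulnerable(name: str) -> str:
    return "<p>Hello, " + name + "</p>"     # a <script> in name runs in the browser


def greeting_escaped(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def contains_script_tag(page: str) -> bool:
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


# --- Integer overflow: a size computation that wraps in 32-bit arithmetic ---

U32_MAX = 0xFFFFFFFF


def alloc_size_wrapping(count: int, elem_size: int) -> int:
    """What a C program computing count * elem_size in a uint32_t gets."""
    return (count * elem_size) & U32_MAX    # 0x40000001 * 4 wraps to 4 bytes


def alloc_size_checked(count: int, elem_size: int) -> int:
    """Refuse the multiplication when the product cannot fit in 32 bits."""
    if count and elem_size > U32_MAX // count:
        raise OverflowError("count * elem_size exceeds 32 bits")
    return count * elem_size


if __name__ == "__main__":
    payload = "notes.txt; rm -rf /"
    print(count_lines_command_vulnerable(payload))
    print(echo_argument(payload))
    print(greeting_escaped("<script>alert(1)</script>"))
    print(hex(alloc_size_wrapping(0x40000001, 4)))
```

The wrapped allocation is the classic integer overflow exploitation path: the program asks for 4 bytes, then copies 0x40000001 elements into them, and the integer bug has turned into a buffer overflow.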