Information Security
is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Network security
the protection of networking components, connections, and contents.
physical security
the protection of the physical items or areas of an organization from unauthorized access and misuse
operations security
the protection of the details of a particular operation or series of activities
Communications security
the protection of an organization's communications media, technology, and content
Access
a subject or object's ability to use, manipulate, modify or affect another subject or object
Asset
The organizational resource that is being protected
Attack
An intentional or unintentional act that can cause damage to or otherwise compromise the information or the systems that support it.
control, safeguard, countermeasure
Security mechanisms, policies, or procedures that can successfully counterattack, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Exploit
A technique used to compromise a system
Exposure
A condition or state of being exposed.
Intellectual Property
Often referred to as IP, intellectual property is defined as works of the mind, such as inventions, literature, art, logos, names, symbols, and other creative work.
Loss
A single instance of an information asset suffering damage, unintended or unauthorized modification, or disclosure.
Protection profile or security posture
The entire set of controls and safeguards that the organization implements to protect the asset.
Risk
the probability that something unwanted will happen.
risk appetite
the quantity and nature of risk the organization is willing to accept
subject of an attack
an agent entity used to conduct the attack
object of an attack
the target entity
threat
a category of objects, persons, or other entities that presents a danger to an asset.
threat agent
the specific instance of a threat or a particular component of a threat
vulnerability
weaknesses or faults in a system or protection mechanism that open it to the possibility of attack or damage
well-known vulnerabilities
those that have been examined, documented, and published; others remain latent
availability
enables authorized users to access information without interference or obstruction, and to receive it in the required format
accuracy
means that information is free from mistakes or errors and has the value that the end user expects it to have
authenticity
is the quality or state of being genuine or original rather than a reproduction or fabrication
confidentiality
is the protection of information from disclosure or exposure to unauthorized individuals or systems.
data owners
are those responsible for the security and use of a particular set of information
data custodians
work directly with data owners and are responsible for the storage, maintenance, and protection of the information
data users
are end users who work with the information to perform their daily jobs supporting the mission of the organization, and who therefore share the responsibility for data security
integrity
means that information remains whole, complete, and uncorrupted
utility
is the quality or state of having value for some purpose or end
possession
is the ownership or control of some object or item
privacy
means that information is used in accordance with the legal requirements mandated for employees, partners, and customers
C.I.A. triad
industry standard for computer security since the development of the mainframe.
confidentiality
integrity
availability
McCumber Cube
provides a graphical description of the architectural approach widely used in computer and information security.
cracker
an individual who cracks or removes software protection that is designed to prevent unauthorized duplication or use
cyberterrorist
an individual or group that hacks systems to conduct terrorist activities through a network or internet pathway
hackers
individuals who gain access to information or systems without explicit authorization, often illegally
hacktivist or cyberactivist
individuals who interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency
malicious code or malicious software
software components or programs designed to damage, destroy, or deny service to the target systems
computer viruses
segments of code that perform malicious actions
macro virus
one that is embedded in the automatically executing macro code common in word processors, spreadsheets, and database applications
boot virus
one that infects the key operating system files located in a computer's boot sector
worms
malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication
Trojan Horses
software programs that reveal their designed behavior only when activated often appearing benign until that time
backdoor, trap door, or maintenance hook
a component in a system that allows the attacker to access the system at will, bypassing standard login controls
rootkit
malicious software designed to operate with administrative access while hiding itself from the operating system and monitoring tools
packet monkeys
script kiddies who use automated tools to inundate a web site with a barrage of network traffic, usually resulting in a denial of service
phreaker
an individual who hacks the public telephone network to make free calls or disrupt services
script kiddies
hackers of limited skill who use expertly written software to attack a system
shoulder surfing
observing others' passwords by watching system login activities
software piracy
the most common IP breach, the unlawful use or duplication of software-based intellectual property
password cracking
a number of attacks attempt to bypass access controls by guessing passwords
rainbow tables
database of precomputed hashes
brute force attack
using computing and network resources to try every possible combination of available characters, numbers, and symbols for a password
dictionary attack
narrows the field by selecting specific target accounts and using a list of commonly used passwords instead of random combinations
denial of service
the attacker sends a large number of connection or information requests to a target to crash the system
zombies
machines that are directed remotely by the attacker to participate in the attack.
spoofing
is a technique used to gain unauthorized access to computers, wherein the intruder sends messages whose IP addresses indicate to the recipient that the messages are coming from a trusted host
man in the middle
an attacker monitors packets from the network, modifies them using IP spoofing techniques, and inserts them back into the network, allowing the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data
spam
has been used as a means of making malicious code attacks more effective
mail bomb
an attacker routes large quantities of e-mail to the target system
sniffer
program or device that monitors data traveling over a network
social engineering
is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker
buffer overflow
is an application error that occurs when more data is sent to a buffer than it can handle
timing attack
works by measuring the time required to access a web page and deducing that the user has visited the site before by the presence of the page in the browser's cache
chief information officer (CIO)
is often the senior technology officer
chief information security officer (CISO)
is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
policy
is guidance or instructions that an organization's senior management implements to regulate the activities of the organization members who make decisions, take actions, and perform other duties.
standards
detailed descriptions of what must be done to comply with policy
mission
written statement of the organization's purpose
vision
written statement of the organization's long term goals
strategic planning
the process of moving the organization towards its vision
security policy
set of rules that protect an organization's assets
information security policy
provides rules for the protection of the information assets of the organization
enterprise information security policy
it is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
issue specific security policy
requires frequent updates, addresses specific areas of technology, stating the organization's position on each issue
capability table
specifies which subjects and objects users or groups can access
access control matrix
includes a combination of tables and lists
configuration rule policies
are the specific instructions entered into a security system to regulate how it reacts to the data it receives
security blueprint
is the basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of
security framework
outline of the overall information security strategy and a roadmap for planned changes to the organization's information security environment
spheres of security
are the foundations of the security framework
benchmarking and best business practices
are methods used by some organizations to assess security practices
defense in depth
layered implementation of security
redundancy
implementing multiple types of technology and thereby preventing the failure of one system from compromising the security of information
security perimeter
defines the boundary between the outer limit of an organization's security and the beginning of the outside world
security domains
areas of trust within which users can freely communicate