Busy. Please wait.

show password
Forgot Password?

Don't have an account?  Sign up 

Username is available taken
show password


Make sure to remember your password. If you forget it there is no way for StudyStack to send you a reset link. You would need to create a new account.
We do not share your email address with others. It is only used to allow you to reset your password. For details read our Privacy Policy and Terms of Service.

Already a StudyStack user? Log In

Reset Password
Enter the associated with your account, and we'll email you a link to reset your password.

Remove ads
Don't know
remaining cards
To flip the current card, click it or press the Spacebar key.  To move the current card to one of the three colored boxes, click on the box.  You may also press the UP ARROW key to move the card to the "Know" box, the DOWN ARROW key to move the card to the "Don't know" box, or the RIGHT ARROW key to move the card to the Remaining box.  You may also click on the card displayed in any of the three boxes to bring that card back to the center.

Pass complete!

"Know" box contains:
Time elapsed:
restart all cards

Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

  Normal Size     Small Size show me how

Information Security

Chapters 1-3

Rand Report first widely recognized published document to identify the role of management and policy issues in computer security
Multiplexed Information and Computing Service (MULTICS) Much of the early research on computer security centered on a system called
microprocessor In the late 1970s, the _____ brought the personal computer and a new age of computing. The PC became the workhorse of modern computing, thereby moving it out of the data center.
security In general, _____ is “the quality or state of being secure—to be free from danger.” In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
physical security _____ protects physical items, objects, or areas from unauthorized access and misuse
personnel security _____ protects the individual or group of individuals who are authorized to access the organization and its operations
operations security _____ protects the details of a particular operation or series of activities
network security _____ protects networking components, connections, and contents
information security _____ protects the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology
information security _____ is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
confidentiality, integrity, and availability Three characteristics of information that give it value to organizations:
access A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability
attack An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it
control, safeguard, or countermeasure Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization
exploit An attempt on a system or other information asset by using it illegally for their personal gain or a documented process to take advantage of a vulnerability or exposure, usually in software
exposure In information security, _____exists when a vulnerability known to an attacker is present.
loss A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure
protection profile or security posture The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset
risk The probability that something unwanted will happen
subject / object A computer can be either the _____ (subject or object) of an attack—an agent entity used to conduct the attack—or the _____ (subject or object) of an attack—the target entity
threat A category of objects, persons, or other entities that presents a danger to an asset. _____ are always present and can be purposeful or undirected
threat agent The specific instance or a component of a threat. All hackers in the world present a collective threat but one single hacker is a _____.
vulnerability A weaknesses or fault in a system or protection mechanism that opens it to attack or damage.
Availability, Accuracy, Authenticity, Confidentiality, Integrity, Utility, Possession Critical Characteristics of Information: the value of information comes from the 7 characteristics it possesses:
availability _____ enables authorized users—persons or computer systems—to access information without interference or obstruction and to receive it in the required format
accuracy Information has _____ when it is free from mistakes or errors and it has the value that the end user expects
authenticity _____ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information has _____ when it is in the same state in which it was created, placed, stored, or transferred
email spoofing ____ is the act of sending an e-mail message with a modified field and is a problem for many people today because often the modified field is the address of the originator
pretexting Pretending to be someone you are not is sometimes called _____ when it is undertaken by law enforcement agents or private investigators.
phishing ____ is when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization.
integrity Information has _____ when it is whole, complete, and uncorrupted. The _____ of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
hashing when a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number
utility The _____ of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose
possession The _____ of information is the quality or state of ownership or control. Information is said to be this if one obtains it, independent of format or other characteristics
information system (IS) An _____ is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization.
software, hardware, data, people, procedures, networks Six components of an Information System are:
hardware _____ is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system
data _____ stored, processed, and transmitted by a computer system must be protected. _____ is often the most valuable asset possessed by an organization and it is the main target of intentional attacks
people the weakest link in an organization’s information security program
procedures _____ are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s _____, this poses a threat to the integrity of the information
networking The IS component that created much of the need for increased computer and information security is _____
reasonable access To achieve balance and to operate an information system that satisfies the user and the security professional, the security level must allow _____, yet protect against threats
bottom-up Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems. This is often referred to as a _____ approach.
top-down The _____ approach—in which the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action, has a high probability of success.
processes and procedures The _____ of the information security implementation must be documented and integrated into the organizational culture. They must be adopted and promoted by the organization’s management.
systems development life cycle (SDLC) The _____ is a methodology for the design and implementation of an information system.
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. List the six parts of the systems development life cycle:
investigation The _____ phase begins with an examination of the event or plan that initiates the process. During the _____ phase, the objectives, constraints, and scope of the project are specified.
analysis The _____ phase begins with the information gained during the investigation phase. This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
logical design In the _____ phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem.
physical design During the _____ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. This phase integrates various components and technologies.
implementation In the _____ phase, any needed software is created. Components are ordered, received, and tested.
maintenance The _____ phase is the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
remain the same The primary mission of an information security program is to ensure that systems and their contents _____ _____ _____.
1. Protecting the organization’s ability to function 2. Enabling the safe operation of applications running on the organization’s IT systems 3. Protecting the data the organization collects and uses 4. Safeguarding the organization’s technology assets Information security performs four important functions for an organization. They are:
policy Managing information security has more to do with _____ and its enforcement than with the technology of its implementation.
goods and services Even when transactions are not online, information systems and the data they process enable the creation and movement of _____. Therefore, protecting data in motion and data at rest are both critical aspects of information security.
size and scope To perform effectively, organizations must employ secure infrastructure services appropriate to the _____ of the enterprise.
public key infrastructure (PKI) _____ is an integrated system of software, encryption methodologies, and involves the use of digital certificates to ensure the confidentiality of Internet communications and transactions.
firewall _____ is a mechanism that keeps certain kinds of network traffic out of a private network
threat _____ is an object, person, or other entity that presents an ongoing danger to an asset.
intellectual property _____ is defined as “the ownership of ideas and control over the tangible or virtual representation of those ideas. _____ can be trade secrets, copyrights, trademarks, and patents.
software piracy unlawful use or duplication of software-based intellectual property.
malicious code or malware Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. Most of this software is referred to as _____. They damage, destroy, or deny service to the target systems.
virus A computer _____ consists of segments of code that perform malicious actions. The code attaches itself to an existing program and takes control of that program’s access to the targeted computer.
macro virus A _____ is embedded in automatically executing malicious macro code used by word processors, spread sheets, and database applications
worm A _____ is malicious program that replicates itself constantly, without requiring another program environment. They can continue replicating themselves until they completely fill available resources
trojan horse _____ are software programs that hide their true nature and reveal their designed behavior only when activated. _____ are frequently disguised as helpful, interesting, or necessary pieces of software
back door or trap door A virus or worm can have a payload that installs a _____ component in a system, which allows the attacker to access the system at will with special privileges.
polymorphic A _____ threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
availability disruption _____ are irregularities in Internet service, communications, and power supplies that can dramatically affect the accessibility of information and systems.
brownout A momentary low voltage or sag, or a more prolonged drop in voltage, known as a _____, can cause systems to shut down or reset, or otherwise disrupt availability.
espionage or trespass _____ is a well-known and broad category of electronic and human activities that can breach the confidentiality of information.
competitive intelligence Some information gathering techniques are quite legal, for example, using a Web browser to perform market research. These legal techniques are called, collectively, _____.
hacker The classic perpetrator of espionage or trespass is the _____. They are “people who use and create computer software [to] gain access to information illegally.”
script kiddies Expert hacker programs are automated exploits that allow novice hackers to act as _____ or hackers of limited skill who use expertly written software to attack a system
packet monkeys _____ are script kiddies who use automated exploits to engage in distributed denial-of-service attacks
cracker The term _____ is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication.
phreaker A _____ hacks the public telephone network to make free calls or disrupt services.
human error or failure ______ are from inexperience, improper training, and incorrect assumptions by users of a system. These are the weakest links in a system.
information extortion _____ occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. This is common in credit card number theft.
policy (or planning) Missing, inadequate, or incomplete organizational _____ makes an organization vulnerable to loss, damage, or disclosure of information assets when other threats lead to attacks.
controls Missing, inadequate, or incomplete _____ that are missing, misconfigured, antiquated, or poorly designed make an organization more likely to suffer losses when other threats lead to attacks.
sabotage / vandalism _____ is a category of threat involving the deliberate destruction of a computer system or business, or acts of mischief to either destroy an asset or damage the image of an organization.
hacktivist or cyberactivist _____ operations interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
cyberterrorism is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents
theft _____ is the illegal taking of anothers property, which can be physical, electronic, or intellectual
trap doors Shortcut access routes into programs that bypass security checks are called _____ and can cause serious security breaches.
malicious code A _____ attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
bot A ____ is an automated software program that executes certain commands when it receives a specific input.
Spyware _____ is “any technology that aids in gathering information about a person or organization without their knowledge. Spyware is placed on a computer to secretly gather information about the user and report it.
adware _____ is any software program intended for marketing purposes such as that used to deliver and display advertising banners or popups to the user’s screen or tracking the user’s online usage or purchasing activity
brute force The application of computing and network resources to try every possible password combination is called a _____ attack.
dictionary The _____ attack is a variation of the brute force attack which narrows the field by selecting specific target accounts and using a list of commonly used passwords instead of random combinations
denial-of-service (DoS) In a _____ attack, the attacker sends a large number of connection or information requests to a target. So many requests are made that the target system becomes overloaded and cannot respond to requests for service.
distributed denial-of-service (DDoS) A _____ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
spoofing _____ is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host.
man-in-the-middle / hijacking In _____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
spam _____is unsolicited commercial e-mail.
mail bomb A _____is when an attacker routes large quantities of e-mail to the target.
sniffer A _____ is a program or device that can monitor data traveling over a network.
social engineering _____ is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
URL manipulation, web site forgery, and phone phishing Phishing attacks use three primary techniques, often in combination with one another:
pharming _____ is the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining private information.
timing A _____ attack explores the contents of a Web browser’s cache and stores a malicious cookie on the client’s system.
software assurance An approach to software development that includes planning for security objectives in the systems development lifecyle used to create systems with procedures and software deployed in a secure fashion is called _____.
economy of mechanism Commonplace security principle that says: Keep the design as simple and small as possible
fail-safe defaults Commonplace security principle that says: base access decisions on permission rather than exclusion
open design Commonplace security principle that says: the design should not be secret but rather dependent on the possession of keys or passwords
separation of privilege Commonplace security principle that says: where feasible a protection mechanism should require two keys to unlock, rather than one
least privilege Commonplace security principle that says: every program and every user of the system should operate using the smallest set of rights necessary to complete the job
least common mechanism Commonplace security principle that says: minimize shared variables common to more than one user and depended on by all users
psychological acceptability Commonplace security principle that says: it is essential that the human interface be designed for ease of use so protection mechanisms be applied properly
complete mediation Commonplace security principle that says: every access to every object must be checked for authority
buffer A _____ are used to manage mismatches in the processing rates between two entities involved in a communication process.
overrun A buffer _____ is an application error that occurs when more data is sent to a program buffer than it is designed to handle.
command injection _____ problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program.
cross site scripting (or XSS) _____ occurs when an application running on a Web server gathers data from a user in order to steal it.
programmers _____ are responsible for integrating access controls into, and keeping secret information out of, programs.
random number generators Most modern cryptosystems use ____. These use a mathematical algorithm, based on a seed value and another other system component (such as the computer clock) to simulate a random number.
change control Control Developers use a process known as _____ to ensure that the working system delivered to users represents the intent of the developers.
Improper File Access When an attacker changes the expected location of a file by intercepting and modifying a program code call, the attacker can force a program to use files other than the ones the program is supposed to use. This is called ______.
secure sockets layer Programmers use ______ abbreviated as (SSL) to transfer sensitive data, such as credit card numbers and other personal information, between a client and server.
information leakage _____ is one of the most common methods of obtaining inside and classified information is directly or indirectly from an individual, usually an employee.
race condition A _____ is a failure of a program that occurs when an unexpected ordering of events in the execution of the program results in a conflict over access to the same system resource.
SQL injection _____ occurs when developers fail to properly validate user input before using it to query a relational database.
unauthenticated key exchange _____ is one of the biggest challenges in private key systems, which involve two users sharing the same key, is securely getting the key to the other party.
laws _____ are rules that mandate or prohibit certain behavior
ethics _____ define socially acceptable behaviors
liability _____ is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution, or to compensate for wrongs committed.
due care _____ standards are met when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions.
due diligence _____ requires that an organization make a valid effort to protect others and continually maintains this level of effort.
jurisdiction Any court can assert its authority over an individual or organization if it can establish _____. That is, the court’s right to hear a case if a wrong is committed in its territory or involves its citizenry.
policy A _____ is a guideline that describes acceptable and unacceptable employee behaviors in the workplace. These function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance.
policy The difference between a policy and a law is that ignorance of a _____ is an acceptable defense.
1. dissemination (distribution), 2. review (reading), 3. comprehension (understanding), 4. compliance (agreement), 5. uniform enforcement For a policy to become enforceable, it must meet the following five criteria:
dissemination _____ is when an organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee.
review _____ is when an organization must be able to demonstrate that it disseminated the document in an intelligible form such as alternate languages
comprehension _____ is when an organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.
compliance _____ is when an organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include logon banners or signed document indicating agreement to comply with policy.
uniform enforcement _____ is when an organization must be able to demonstrate that the policy has been evenly applied, regardless of employee status or assignment.
civil law _____ comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
criminal law _____ addresses activities and conduct harmful to society, and is actively enforced by the state.
private law _____ encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
The Computer Fraud and Abuse Act of 1986 (CFA Act) _____ is the cornerstone of many computer-related federal laws and enforcement efforts. It was amended in October 1996 by the National Information Infrastructure Protection Act, WHICH increased the penalties for selected crimes.
USA Patriot Act of 2001 _____ provides law enforcement agencies with broader latitude in order to combat terrorism-related activities. This act was amended by the USA Patriot Improvement and Reauthorization Act.
Computer Security Act of 1987 _____ was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
The Federal Privacy Act of 1974 _____ regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission.
Electronic Communications Privacy Act of 1986 _____ is a collection of statutes that regulates the interception of wire, electronic, and oral communications.
The Fourth Amendment of the U.S. Constitution _____ protects individuals from unlawful search and seizure.
Health Insurance Portability and Accountability Act Of 1996 (HIPAA) _____ protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 _____ focuses on facilitating affiliation among banks, securities firms, and insurance companies. Specifically, this act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.
The Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028) _____ criminalizes creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment.
Economic Espionage Act in 1996 To protect American ingenuity, intellectual property, and competitive advantage, Congress passed the _____. This law attempts to prevent trade secrets from being illegally shared.
The Security and Freedom through Encryption Act of 1999 _____ provides guidance on the use of encryption and provides protection from government intervention.
The Sarbanes-Oxley Act of 2002 _____ affects the executive management of publicly traded corporations and public accounting firms. This law seeks to improve the reliability and accuracy of financial reporting.
The Freedom of Information Act _____ allows any person to request access to federal agency records or information not determined to be a matter of national security.
Convention on Cybercrime in 2001 _____ created an international task force to oversee a range of security functions associated with Internet activities for standardized technology laws across international borders.
The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO) _____ introduced intellectual property rules into the multilateral trade system. It is the first significant international effort to protect intellectual property rights.
Digital Millennium Copyright Act (DMCA) _____ reduces the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.
severity of the penalty The _____ depends on the value of the information obtained and whether the offense is judged to have been committed: 1. For purposes of commercial advantage 2. For private financial gain 3. In furtherance of a criminal act
privacy _____ is not absolute freedom from observation, but rather is a more precise “state of being free from unsanctioned intrusion.”
aggregate information _____ is created by combining pieces of non private data—often collected during software updates and via cookies—that when combined may violate privacy.
identity theft The Federal Trade Commission (FTC) describes _____ is “occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.”
fair use _____ allows copyrighted materials to be used to support news reporting, teaching, scholarship, and a number of similar activities, as long as the use is for educational or library purposes, is not for profit, and is not excessive.
ignorance, accident, and intent There are three general causes of unethical and illegal behavior:
fear, probability of apprehension, probability of penalty administration Laws and policies and their associated penalties only deter if three conditions are present:
Department of Homeland Security (DHS) The _____ was created in 2003 by the Homeland Security Act of 2002, which was passed in response to the events of September 11, 2001.
National InfraGard Program Established in January 2001, the _____ began as a cooperative effort between the FBI’s Cleveland Field Office and local technology professionals.
the Secret Service In addition to providing protective services for key U.S. government members, _____ is also charged with the detection and arrest of any person committing a United States federal offense relating to computer fraud.
Created by: kimberjingle