Chapter 1 - Introduction to Security Flashcards
End-of-life systems
System for which vendors have dropped all support for security updates due to the system's age.
Improper input handling
Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.
Improper error handling
Software that does not properly trap an error condition and provides an attacker with underlying access to the system.
Race condition
A software occurrence when two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
Resource exhaustion
A situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.
Vulnerable business processes
A situation in which an attacker manipulates commonplace actions that are routinely performed; also called business process compromise.
System sprawl
The widespread proliferation of devices across an enterprise.
Undocumented assets
Devices that are not formally identified or documented in an enterprise. Leads to system sprawl.
Zero day
An attack in which there are no days of warning.
Confidentiality
Security actions that ensure that only authorized parties can view the information
Integrity
Security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.
Availability
Security actions that ensure that data is accessible to authorized users
Information security
That which protects the integrity, confidentiality, and availability of information through products, people, and procedures on the devices that store, manipulate, and transmit the information.
Asset
An item that has value
Ex. Scooter
Threat
A type of action that has the potential to cause harm.
Ex. Theft of scooter
Threat actor
A person or element that has the power to carry out a threat
Ex. Thief
Vulnerability
A flaw or weakness that allows a threat agent to bypass security.
Ex. Fence hole
Attack vector
The means by which an attack can occur
Ex. Go through fence hole
Risk
A situation that involves exposure to danger
Ex. Stolen scooter
Attack surface
The sum of all the different attack vectors
Risk response techniques
1) accept
2) transfer
3) avoid
4) mitigate
Risk deterrence
Involves understanding something about attackers and then informing them of the harm that could come their way if they attack an asset
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Healthcare enterprises must guard protected healthcare information and implement policies and procedures to safeguard it, whether in paper or electronic format
The Sarbanes-Oxley Act of 2002
An attempt to fight corporate corruption. Stringent reporting requirements and internal controls on electronic financial reporting systems are required.