Information security terms – Information security encyclopedia
An asset is valuable property of an organization that deserves protection; in the information technology field the term usually refers to valuable data and information systems.
A vulnerability is a weakness in an organization's information systems that allows an attacker to abuse it. It can be a software, hardware or technological weakness.
The best-known weaknesses are those in software and operating systems, which may be caused by programming bugs. Of course, vulnerabilities should not be counted only in computer programs, because a security vulnerability may also appear in individual habits, for example an expert or manager who writes his passwords on paper, sticks it to the computer case, and forgets that unauthorized persons may also see it.
Sometimes the weakness is in the technology itself. For example, a problem with FTP (File Transfer Protocol) is that the username and password are sent in cleartext, exactly as typed, so anyone who can read the traffic can capture them (the Telnet protocol has the same problem).
Another example is the lack of a capable firewall.
With proper upgrades and a good security policy, vulnerability decreases.
In information technology, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause damage to information or information systems. It can also be said that a threat is a condition or state that can disturb security. For example, if remote access is not secured and encrypted, that is a kind of threat.
In computers and networks, an attack is any attempt to expose, alter, disable, destroy, hijack or gain unauthorized access to (through a vulnerability), or make unauthorized use of, an organization's information assets or services.
Active attacks and passive attacks
An active attack is a network exploit in which the attacker attempts to change data on the target or data en route to the target, or to degrade the availability or quality of access to that data. One active attack is the masquerade attack, in which the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorized for; others are the replay attack, DDoS, and attacks that result in data manipulation.
A passive attack is a network attack in which a system is monitored and sometimes scanned for vulnerabilities (e.g. open ports). The purpose is only to gather information about the target; no data on the target is changed. Examples are sniffing and network traffic analysis.
Active attacks are easier to detect than passive ones, but passive attacks are more dangerous because they are more likely to be discovered only later.
In addition to active and passive attacks, attacks can also be divided into insider attacks and outsider attacks.
An insider attack is a malicious attack perpetrated on a network or computer system by a person with authorized system access. There is usually less protection against insider attacks because organizations focus on defending against external attacks. An insider attack is also known as an insider threat and can do huge damage to an organization's information systems.
Outsider attacks are perpetrated by adversaries who are not authorized users of the network. However, the adversary may have access to the physical medium, particularly in wireless networks; therefore attacks such as message replay and eavesdropping fall into this classification. Coping with these attacks is fairly easy using traditional security techniques such as encryption and digital signatures.
Malware is software specifically designed to manipulate, disable, damage, or gain unauthorized access to an information system; it can infect computers, tablets and smartphones.
After intrusion, malware may send spam emails or hijack passwords and other information.
Security has three primary elements, with two further ones added here:
1 – Confidentiality
2 – Integrity
3 – Availability
+ 4 – Access control
+ 5 – Non-repudiation
1 – Confidentiality
Confidentiality is a set of rules that limits access to information and denies access to unauthorized users. Data is protected against disclosure in a passive sniffing attack by encrypting or obfuscating information before it is sent. Data streams are protected against passive traffic-analysis attacks by also hiding information about the origin, destination, length and traffic properties of a communication channel, e.g. with a VPN.
2 – Integrity
Integrity is the assurance that information is trustworthy and accurate.
The target is to avoid deletion, insertion or repetition of data, in other words any unauthorized alteration of the data.
Data is the most important asset of systems and organizations.
The most important security objective of organizations:
protecting data (valuable assets) against attackers with the help of various types of access and permission levels, and more.
3 – Availability
Availability is a guarantee of reliable access to information by authorized people.
It allows authorized users to access the system according to the system's functional characteristics and their access rights, at authorized times; in other words, users can use system resources according to the defined criteria under any circumstances.
Some attacks aim to remove or reduce availability (e.g. DDoS attacks).
4 – Access control
In the field of information security, access control is the selective restriction of access to an organization's assets. Accessing may mean consuming, entering, or using; locks and login systems are two analogous mechanisms of access control.
If we have security levels in our organization, the following are noteworthy:
1 – The security level depends on the levels of confidentiality specified in the organization's security policy.
2 – Each user's access level is defined to correspond to the security level specified for the information.
3 – Access by users can be restricted and controlled based on the access control policy.
5 – Non-Repudiation
No party to a communication can deny having taken part in it or having received the message; with the help of digital signatures and cryptography, this can be achieved.
Today, the term hacker in popular culture refers to computer security experts who have the ability to penetrate and control computer systems for a variety of purposes.
Hackers come in three general categories: white hat hackers, black hat hackers, and gray hat hackers.
White hat hackers:
White hat hackers are good people who use their hacking skills for defensive purposes. They are usually security professionals who have hacking knowledge and tools and use them to discover weaknesses and protect assets from further attacks, and who perform legal penetration tests and analysis; they are called ethical hackers.
Black hat hackers:
Black hat hackers are the bad guys. Rogue hackers, or crackers, use their skills for illegal purposes. They break the integrity of information systems with illegal intent. With unauthorized access, black hat hackers are able to corrupt vital and important data, interrupt users' services and cause problems. These hackers are easily distinguished from white hat hackers.
Gray hat hackers
Gray hat hackers may act defensively or maliciously depending on the circumstances; they may use their knowledge for good or use it as they see necessary.
Information Security policy:
A security policy is a document that states how the organization plans to protect its physical, data and information system assets. It is a kind of list of do's and don'ts and rules of behavior.
These policies are the basis of all information security planning, design and deployment and should give direction on how to handle issues and which technologies are best to use. They direct the required quality of software and equipment functionality, and they result in security standards, procedures and practices.
Information Security policy types:
1 – Enterprise Information Security Policy (EISP)
The Enterprise Information Security Policy directly supports the organization's mission, vision and direction. It is the general security policy that sets the strategic direction and scope of information security, and it oversees and directs all security efforts. The EISP also provides direction for the development, implementation and management of the security program and sets out the requirements that the information security framework must meet.
2 – Issue-specific Security Policy (ISSP)
An Issue-specific Security Policy provides detailed, targeted guidance concerning the use of a particular process, system or technology, e.g. email, the Internet and computer systems.
In an ISSP the scope and applicability of the security policy are defined, the technologies that must be used are specified, and authorization of user access, privacy protection, and fair and responsible use of the technology are addressed. Often, users are prohibited from using the information in a manner that can harm others.
3 – System-specific Security Policy (SysSP)
A System-specific Security Policy provides detailed, targeted guidance focused on the use of a particular process, technology or information system.
SysSPs often include standards and procedures to be followed while maintaining systems. This kind of policy is also used to address the implementation and configuration of technology as well as the behavior of people.
Information Security Blueprint
Blueprints are detailed plans or programs for execution. After the organization has developed its information security policies and standards, the information security department develops the blueprint for the information security program. The department lists all information assets, prioritizes the threats and dangers to the organization, and performs a risk assessment; these assessments are used to design the security blueprint for the organization.
This security blueprint acts as the basis for the design, selection and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, personnel education and training programs, technological controls and maintenance of the security programs.
- Encryption
Encryption converts data into an illegible form using a variety of calculations and mathematical algorithms, with the ability to recover the data using the corresponding algorithm.
- Digital signature
A digital signature uses a digital code (generated and verified with a public-key cryptographic algorithm) that is attached to an electronically transmitted document to verify the integrity of its contents and the identity of the sender: the sender cannot deny having sent the message (non-repudiation), and the message was not manipulated in transmission (integrity).
- Access control
Dividing information into ordinary, confidential, secret and top-secret categories
Determining what is available to each user
System control of each user's access after authentication
All kinds of access:
Read, Write, Both, or None
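A small worked example, added to this page and not part of the original text, of the two access-control rules described above: the security levels and user access levels from the numbered list under "Access control", and the read/write/both/none permissions from this list. The users, assets, classifications and permissions are constructed sample data, and `is_allowed` is a function written for this illustration, not a real product's API:

```python
from enum import IntEnum


class Level(IntEnum):
    """Information classification levels from the text, lowest to highest."""
    ORDINARY = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed sample data: each user's access level, assigned by policy.
USER_LEVEL = {
    "alice": Level.TOP_SECRET,
    "bob": Level.CONFIDENTIAL,
    "guest": Level.ORDINARY,
}

# Constructed sample data: classification of each information asset.
ASSET_LEVEL = {
    "payroll.db": Level.SECRET,
    "newsletter.txt": Level.ORDINARY,
}

# Constructed sample data: explicit permission per (user, asset).
# One of "read", "write", "both" or "none"; a missing entry means "none",
# so access is denied by default.
PERMISSION = {
    ("alice", "payroll.db"): "both",
    ("bob", "payroll.db"): "read",
    ("bob", "newsletter.txt"): "both",
    ("guest", "newsletter.txt"): "read",
}

# Every decision is recorded so that access can be reviewed afterwards.
AUDIT_LOG = []


def is_allowed(user, asset, action):
    """Return True if `user` may perform `action` ("read" or "write") on `asset`.

    Both rules from the text must pass:
      1. the user's access level must be at or above the asset's
         classification (the security-level rule);
      2. the user's explicit permission must cover the action
         (the read/write/both/none rule).
    Unknown users or assets are denied rather than guessed.
    """
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    user_level = USER_LEVEL.get(user)
    asset_level = ASSET_LEVEL.get(asset)
    permission = PERMISSION.get((user, asset), "none")

    if user_level is None or asset_level is None:
        reason, allowed = "unknown user or asset", False
    elif user_level < asset_level:
        reason, allowed = "access level below classification", False
    elif permission in ("both", action):
        reason, allowed = "permission " + permission, True
    else:
        reason, allowed = "permission " + permission, False

    AUDIT_LOG.append((user, asset, action, "ALLOW" if allowed else "DENY", reason))
    return allowed


if __name__ == "__main__":
    checks = [
        ("alice", "payroll.db", "write"),      # top secret, both      -> ALLOW
        ("bob", "payroll.db", "read"),         # confidential < secret -> DENY
        ("bob", "newsletter.txt", "write"),    # ordinary, both        -> ALLOW
        ("guest", "newsletter.txt", "write"),  # read only             -> DENY
        ("mallory", "payroll.db", "read"),     # unknown user          -> DENY
    ]
    for user, asset, action in checks:
        is_allowed(user, asset, action)
    for entry in AUDIT_LOG:
        print(entry)
```

Note that bob's explicit read permission on payroll.db does not help him: the level check runs first and denies him, which is exactly what rule 2 in the numbered list requires (a user's access level must match the information's security level before any finer-grained permission is considered). The audit log is what lets the organization review later who was allowed or denied what, and why.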
- Data integrity
Includes mechanisms to ensure the integrity of a single unit of data or of a stream of data
- Authentication exchange:
A mechanism for authenticating an entity by means of an information exchange.
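An added example, not from the original page, of the last two mechanisms in this list: a per-message integrity tag (data integrity) and a challenge-response authentication exchange, both built on HMAC-SHA256 from Python's standard library. The shared key, the message and the party roles are constructed for the illustration. One caveat worth keeping in mind: an HMAC proves integrity and origin only to the two parties that hold the shared key, so it does not give the non-repudiation attributed to digital signatures above, because either key holder could have produced the tag.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret for the demo. In practice it is provisioned
# out of band and never sent over the channel being protected.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def integrity_tag(key, data):
    """HMAC-SHA256 tag over `data`: the integrity check for one unit of data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect(key, message):
    """Sender side: attach a tag to the message before transmission."""
    return message, integrity_tag(key, message)


def verify(key, message, received_tag):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(integrity_tag(key, message), received_tag)


class Verifier:
    """The party that checks an identity. It issues a fresh random challenge
    and forgets it once answered, so a recorded answer cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.open_challenges = set()

    def challenge(self):
        nonce = secrets.token_hex(16)       # unpredictable, single use
        self.open_challenges.add(nonce)
        return nonce

    def check_response(self, nonce, response):
        if nonce not in self.open_challenges:
            return False                    # never issued, or already used
        self.open_challenges.discard(nonce)
        expected = integrity_tag(self.key, nonce.encode())
        return hmac.compare_digest(expected, response)


def respond(key, nonce):
    """The claimant's side: prove knowledge of the key without revealing it."""
    return integrity_tag(key, nonce.encode())


def run_demo():
    """Run both mechanisms on constructed data and return the outcomes."""
    results = {}

    # Data integrity: an intact message verifies, a modified one does not.
    message, tag = protect(SHARED_KEY, b"transfer 100 to account 42")
    results["intact"] = verify(SHARED_KEY, message, tag)
    tampered = message.replace(b"100", b"900")   # modification in transit
    results["tampered"] = verify(SHARED_KEY, tampered, tag)

    # Authentication exchange: challenge, response, and what happens when
    # the same recorded answer is presented a second time.
    server = Verifier(SHARED_KEY)
    nonce = server.challenge()
    answer = respond(SHARED_KEY, nonce)
    results["genuine"] = server.check_response(nonce, answer)
    results["replayed"] = server.check_response(nonce, answer)

    # A claimant that does not hold the shared key fails a fresh challenge.
    nonce2 = server.challenge()
    results["wrong_key"] = server.check_response(nonce2, respond(b"guessed-key", nonce2))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {'OK' if outcome else 'rejected'}")
```

The fresh random nonce is what turns a static secret into an exchange: the claimant never sends the key, only a value derived from the key and this particular challenge, and because the verifier discards each challenge after one answer, the replayed response in `run_demo` is rejected even though it was a valid answer a moment earlier. `hmac.compare_digest` is used instead of `==` so that tag comparison time does not leak how many leading characters matched.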
Hackers generally spend around 90% of their time collecting information on the target and the other 10% on the attack itself.
Social engineering is a non-technical way to break system or network security: a process of deceiving the users of a system and prompting them to provide information that is then used to bypass security mechanisms. Considering social engineering is very important, because attackers use it to target the human element of the system. This method can be used to collect information before an attack.
Social engineering is the use of persuasion and prompting to deceive users in order to obtain information or to get the victim to perform some action. Usually a social engineer uses a phone or an Internet connection to trick the user into giving up sensitive information or into doing things that violate the organization's security policy. In this way, social engineers exploit the natural tendency of individuals to trust, instead of exploiting computer vulnerabilities. Users are the weakest link in security; this principle is the reason social engineering works.
The most dangerous aspect of social engineering is that even companies that have authentication, firewalls, VPNs and network monitoring software are vulnerable to it, because social engineering does not attack the security controls directly but circumvents them.
As mentioned before, people are the weakest link in the security chain, and the best way to deal with a social engineering attack is to have a good policy and personnel training. For an organization, social engineering is the most difficult type of attack, because it cannot be prevented by software and hardware alone.
Social engineering is the art of hacking humans.