Info Assurance Reviewer
Uploaded by QuaintLanthanum, STI College
Types of Attacks

Security attacks are any action that compromises the security of information owned by an organization.

Passive attacks are like eavesdropping on or monitoring transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis:

Release of message contents: In this type, an attacker monitors an unprotected communication medium, such as unencrypted email or a telephone call, and intercepts it for sensitive information.

Traffic analysis: In this type, an attacker monitors communication channels to collect a range of information, including human and machine identities, the locations of these identities, and the types of encryption used, if applicable.

Active attacks involve some modification of stored or transmitted data or the creation of false data. There are four categories of active attacks: replay, masquerade, modification of messages, and denial of service.

Masquerade: A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack.

Replay: Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of messages: Data modification simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

Denial of service: A denial-of-service attack prevents or inhibits the normal use or management of communication facilities. Such an attack may have a specific target.

Outline: Security Services; Security Requirements; Prevention of Passive Attacks; Active Attacks.

Security Services

A security service is a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. Security services are intended to counter security attacks, and they make use of security mechanisms to provide the services.

Access control is the ability to limit and control access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified or authenticated so that access rights can be tailored to the individual.

Authentication service is concerned with ensuring that a communication is authentic. In the case of a single message, such as a warning or an alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from.

Data confidentiality is the protection of transmitted data from passive attacks. Concerning the content of a data transmission, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time.

Data integrity ensures that messages are received as sent, with no duplication, insertion, modification, reordering, or replays.

Nonrepudiation prevents either a sender or a receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender sent the message.

Availability service means that a system or a system resource is accessible and usable upon demand by an authorized system entity.

Tools and Techniques

Security mechanisms are technical tools and techniques that are used to implement security services. A security mechanism is a process that is designed to detect, prevent, or recover from a security attack.

Security Objectives and the CIA Triad

Security objectives are goals and constraints that affect the confidentiality, integrity, and availability of your data and applications.

Confidentiality: Also known as data confidentiality, this property means that information is not made available or disclosed to unauthorized individuals, entities, or processes. A loss of confidentiality is the unauthorized disclosure of information.

Data integrity ensures that data (both stored data and transmitted packets) and programs are changed only in a specified and authorized manner. A loss of data integrity is the unauthorized modification or destruction of information.

System integrity ensures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Availability ensures that systems work promptly and that service is not denied to authorized users. A loss of availability is the disruption of access to, or use of, information or an information system.

Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Securing Applications: Security and Privacy

Web server security and privacy are concerned with the vulnerabilities and threats associated with the platform that hosts a website, including the operating system (OS), file and database systems, and network traffic.

Web application security and privacy are concerned with web software, including any applications accessible via the Web.

Web browser security and privacy are concerned with the browser used from a client system to access a web server.

Mobile app privacy: Legitimate mobile apps may be vulnerable to several privacy and security threats, typically due to poor coding practices used in app development or underlying vulnerabilities in the mobile device operating system.

Enterprise mobility management systems: Enterprise mobility management (EMM) is a general term that refers to everything involved in managing mobile devices and related components (e.g., wireless networks). EMM is much broader than just information security; it includes mobile application management, inventory management, and cost management. Although EMM is not directly classified as a security technology, it can help in deploying policies to an enterprise's device pool and in monitoring a device's state.

Security vetting: The process of vetting mobile apps includes specific security requirements. Administrators submit apps to testing facilities where automated and human analyzers evaluate their security characteristics. The analysis focuses on detecting malware, identifying vulnerabilities, and assessing risks. Only after passing this evaluation can the app be deployed on mobile devices.

Administrator: A member of the organization who is responsible for deploying, maintaining, and securing the organization's mobile devices, as well as ensuring that deployed devices and their installed apps conform to the organization's security requirements.

App testing facility: A facility in the organization that employs automated and/or human analyzers to evaluate the security characteristics of an app, including searching for malware, identifying vulnerabilities, and assessing risks.

Auditor: The role of the auditor is to inspect reports and risk assessments from one or more analyzers to ensure that an app meets the security requirements of the organization. These requirements are essential to protect the organization's data and mobile infrastructure.

Groups Collecting User Information

Data collectors collect information directly from their customers, audience, or other types of users of their services.

Data brokers (the group that repackages and sells information) compile large amounts of personal data from several data collectors and other data brokers without having direct online contact with the individuals whose information is in the collected data. Data brokers repackage and sell the collected information to various data users, typically without the permission or input of the individuals involved. Because consumers generally do not directly interact with data brokers, they have no means of knowing the extent and nature of the information that data brokers collect about them and share with others for their financial gain. Data brokers can collect information about consumers from various public and nonpublic sources, including courthouse records, website cookies, and loyalty card programs. Typically, brokers create profiles of individuals for marketing purposes and sell them to data users.

Accuracy and Consistency of Data

Outdated personal data: Using outdated, incorrect, or bogus user data and failing to update or correct the data.

Insufficient deletion of personal data: Failing to delete personal data effectively and/or in a timely fashion after the termination of the specified purpose or upon request.

Vulnerabilities in third-party libraries: Third-party software libraries are reusable components that may be distributed freely or offered for a fee to other software vendors. Software development by component or module may be more efficient, and third-party libraries are routinely used across the industry.