How to Respond to an Attack
Key Terms
Acceptable Use Policy (AUP)
A policy that defines what employees, contractors, and third parties are authorized to do on the organization's IT infrastructure and its assets. AUPs are common for access to IT resources, systems, applications, Internet access, email access, and so on.
Adware
A software program that automatically forces pop-up windows of Internet marketing messages into users' browsers on their workstation devices. Adware differs from spyware in that adware does not monitor a user's individual browser usage or collect that information from the user's browser.
Botnet
A term used to describe a collection of robot-controlled (remotely commanded) workstations that act together with other robot-controlled workstations under a common controller.
Buffer overflow
In computer programming, this occurs when a software application writes data beyond the allocated end of a buffer in memory. Buffer overflows are usually caused by software bugs and improper programming, thus exposing the application to malicious code injection or other targeted attack commands.
Confidentiality Agreement
An agreement that employees, contractors, or third-party users must read and sign prior to being granted access rights and privileges to the organization's IT infrastructure and its assets.
Cookies
A message from a website given to an individual's web browser on the workstation device. The workstation browser stores this text message in a text file. The message is sent back to the web server each time that the browser goes to that website.
Defense-in-Depth
A term used to describe a layered approach to information security for an IT infrastructure.
Denial of Service (DoS)
A type of attack on a network or an IT device where unnecessary or bogus network traffic renders the network or a targeted IT device inoperable. This attack negatively impacts availability of an IT system, resource, or application.
Distributed Denial of Service (DDoS)
Similar to DoS, except the attack is launched from multiple, distributed agent IP devices.
Domain Name System (DNS)
A hierarchy of Internet servers that translate alphanumeric domain names into IP addresses and vice versa. Because domain names are alphanumeric, it's easier to remember these names than IP addresses.
Enterprise vulnerability management
The overall responsibility for, and management of, vulnerabilities within an organization, and how that management of vulnerabilities will be achieved through the distribution of duties throughout the IT organization.
Finger
On some Unix systems, finger identifies who is logged on and active and sometimes provides personal information about that individual.
Hash
A mathematical algorithm that is used to ensure that a transmitted message has not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they're the same, there is a very high probability that the message was transmitted intact.
Honeypot
An Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break in to a system.
Identity theft
An attack where an individual's personal, confidential, banking, and financial identity is stolen and compromised by another individual or individuals. Use of your social security number without your consent or permission may result in identity theft.
Insecure computing habits
The bad habits that employees, contractors, and third-party users have accumulated over the years can be attributed to the organization's lack of security-awareness training, lack of security controls, and lack of any security policies or Acceptable Use Policies (AUPs).
Intrusion Detection System (IDS)
A network-monitoring device typically installed at Internet ingress/egress points used to inspect inbound and outbound network activity and identify suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
IT security architecture and framework
A term used to describe a hierarchical definition for information security policies, standards, procedures, and guidelines.
Minimum acceptable level of risk
The stake in the ground that an organization defines for the seven areas of information security responsibility. Depending on the goals and objectives for maintaining confidentiality, integrity, and availability of the IT infrastructure and its assets, the minimum level of acceptable risk will dictate the amount of information security.
Phishing
The act of misleading or conning an individual into releasing or providing personal and confidential information to an attacker masquerading as a legitimate individual or business.
Security bulletins
A memorandum or message from a software vendor or manufacturer documenting a known security defect in the software or application itself. Security bulletins are typically accompanied with instructions for loading a software patch to mitigate the security defect or software vulnerability.
Security defect
A security defect is usually an unidentified and undocumented deficiency in a product or piece of software that ultimately results in a security vulnerability being identified.
Security Incident Response Team (SIRT)
A team of professionals that usually encompasses human resources, legal, IT, and IT security to appropriately respond to critical, major, and minor security breaches and security incidents that the organization encounters.
Smurf attack
A DDoS attack where the attacker transmits large numbers of ICMP echo request (PING) packets toward the targeted IP destination device with the packets' source address forged to be the target's own IP address. This is called spoofing the IP source address. IP routers and other IP devices that respond to broadcasts will reply to the targeted IP device with ICMP echo replies, thus multiplying the amount of bogus traffic.
SNMP community strings
An assigned authentication keyword or password that allows a remote application to access specific SNMP objects in the Management Information Base (MIB) tree. Standard SNMP installations support Read-Only (RO) SNMP community strings and Read-Write (RW) community strings.
SNMP community strings "Public" and "Private"
This is an inherent vulnerability in SNMP management and SNMP manageable devices because "Public" is the default password used for Read-Only (RO) SNMP community strings. "Private" is the default password used for Read-Write (RW) SNMP community strings. These default passwords must be changed in all SNMP manageable devices appropriately according to the password creation and changing policies of the IT organization.
Social engineering
The act of obtaining or attempting to obtain otherwise secure data by coaxing an individual into revealing private or confidential information.
Software bug
An error in software programming. A software bug typically requires an immediate fix (such as a software patch) to minimize the vulnerability window and the potential for exploitation by an attacker.
Software flaw
An error in how the software or application was architected. Typically a software flaw cannot be fixed with a software patch because a flaw requires a reengineered solution to fix.
Spyware
Any software application that covertly gathers information about a user's Internet usage and activity and then exploits this information by delivering adware and pop-up ads targeted to the user's Internet usage history.
SYN flood attack
A DDoS attack where the attacker sends a succession of SYN packets with a spoofed source address to a targeted destination IP device but never sends the final ACK packet to acknowledge and confirm receipt. This leaves half-open connections between the client and the server until all connection resources are consumed, rendering the server or targeted IP destination device unavailable because its resources are allocated to this attack.
URLs
A Uniform Resource Locator is the global address of a resource on the Internet and World Wide Web; it contains a domain name that is resolved to an IP address.
WHOIS
An Internet utility that returns registration and ownership information about a domain name or IP address.