Include business sensitive information, should only be accessed when absolutely necessary
External stakeholders
groups outside an organisation, shareholders for example
Internal stakeholders
groups within an organisation, like owners and employees
An organisation typically stores information about:
employee salaries
employee perks
client lists
trade secrets
sales numbers
customer information
news about restructuring
All important data should regularly be backed up to a secure location
Some impacts of failing to maintain privacy
Financial
Reputational
Financial impact
Payment compensation
Security improvement costs
Lost customers
Lost revenue
Emails and contact lists can also be targeted during an attack
Reputation
Loss of data in an attack can lead customers to lose trust and confidence in the company
Restoring lost or corrupted data leads to a time delay, disrupting usual business
Cyber security
The practice of defending computers, servers, mobile devices, systems, networks and data from malicious attacks
Targets of technical threats
everyone.
Types of technical threats
Botnets
DDoS
Hacking
Malware
Social engineering
Insecure APIs
Open networks
Man-in-the-middle attacks
API
The interface that allows two or more software applications to communicate
Remote API
can interact through a communications network with the resources
Not all remote APIs are web APIs, but all web APIs are remote
APIs can become insecure over time
Ad hoc networks
a network created without the use of a wireless router or access point, meaning the devices communicate directly
Problems with ad hoc networks
slow data transmission
minimal security
Man-in-the-middle attacks (MITM)
A hacker places themselves in the middle of a communication between devices/users
Hacker
someone who uses computers to gain unauthorised access to data
Dark net
networks that are not indexed by search engines, only accessed by those with authorisation
DDoS - Distributed denial-of-service
Vulnerability testing (a.k.a. penetration testing)
used to identify vulnerabilities before a cyber attack
Physical threats
internal
external
Internal threats
Location of systems
Layout of systems
System robustness
Circumstances of use
User characteristics
Mitigate
to take steps to reduce the likelihood of something happening, or reduce the impact if it does happen
Humidity
Amount of water vapour in the air
Firmware
Code added at manufacturing to a hardware device's non-volatile memory. The software that allows the hardware to run
External threats
Earthquake
Tsunami / flood
Lightning strikes
Other natural disasters
Human threats
Human error
Malicious employees
Disguised criminals
Targeted attack
Human error can include
Accidental file deletion
Saving files and folders to a different location
Sending emails with data to the incorrect recipients
Accidental changes in documents
Malicious employees can also be referred to as Turncloaks
Botnets
networks infected with malicious software, controlled remotely by hackers without the owner's knowledge, used to perform malicious activity against victims.
Zombie computer
a computer connected to the internet that has been compromised by a hacker, virus or trojan horse
DDoS
A malicious attempt to disrupt the normal traffic of a targeted server by overwhelming it with a flood of internet traffic.
Hacking
The act of gaining unauthorised access to computer systems, networks or devices
Malware
Short for 'malicious software', referring to any malicious program or code that is harmful to systems