
Saturday 10:00 AM - 11:30 AM

Exam Type
Identification (10 points)
Matching Type (10 points)
Modified True or False: (10 points)
Application (Essay) (20 points)

Uncategorized TermzZz
** haha, this is fun, just a little more to go!!! **

Personal Data
- information that can be used to identify an individual, including but not limited to
name, address, phone number, email address, and online identifiers
- can exist in both digital and physical forms

Passwords
- one of the most commonly used forms of authentication in computer systems

Access Control
- practice of limiting access to resources or systems to authorized users

Data Deletion
- process of removing data from a storage medium
- example: emptying the recycle bin

Terms of Service (ToS)
- legally binding contracts that govern the rules of the relationship between a user
and a service provider
- outline the rights and responsibilities of both parties regarding the use of the
service

Physical Security
- measures taken to protect physical assets such as buildings, equipment and data
centers from unauthorized access, damage, or theft
- securing physical access to target equipment

Password Security
- practice of creating and using secure passwords to protect accounts and systems
from unauthorized access
- dictionary words are not recommended for passwords because they are vulnerable to
dictionary attacks

Software Updates
- updates released by software vendors to fix bugs, add new features, and patch security
vulnerabilities
- crucial for maintaining security and protecting against exploits

Hardware Vulnerabilities
- weaknesses in the physical components of a system (CPU, motherboard, others)

Software Vulnerabilities
- weaknesses in the software components of a system (OS, apps, others)

Stuxnet
- sophisticated computer worm discovered in 2010 that targeted Iran’s nuclear
facilities
- believed to have been developed for cyber warfare purposes
- built jointly by US and Israel
- “Operation Olympic Games”

The Cyber Kill Chain
- concept of different stages of a cyberattack
- developed by Lockheed Martin based on military terminology

MITRE ATT&CK Framework
- globally accessible knowledge base of adversary tactics and techniques based on
real-world observations
- used to categorize and understand cyber adversary behavior in cybersecurity

Common Vulnerabilities and Exposures (CVE)
- list of publicly disclosed computer security flaws
- each vulnerability = CVE ID number (reference for tracking vulnerabilities across
different systems and organizations)

Processing
- data that is being used to perform an operation such as updating a database record
(data in process)
- example: An employee updates a customer’s address in a database record

Transmission
- data traveling between information systems (data in transit)
- example: sending an email containing sensitive information from one computer to
another over a network

Storage
- data stored in memory or on a permanent storage device (hard drive, solid-state
drive, or USB drive - data at rest)

McCumber INFOSEC Model (McCumber Cube)
- model framework for establishing and evaluating information security programs
- created by John McCumber
- 3D Rubik’s Cube-like grid

1. Confidentiality
- protection of sensitive information from unauthorized access and disclosure
- only authorized individuals have access to sensitive information
- example practices: restricted access, implementing data encryption and
regularly reviewing access logs and auditing access permissions
2. Integrity
- accuracy and consistency of data over its lifecycle
- data cannot be altered or deleted by unauthorized individuals and that data is
consistent and accurate
- example practices: version control of systems, digital signatures, checksums,
hash functions
3. Availability
- ability of authorized individuals to access the data and resources they need
when they need them
- example practices: load balancing and clustering, setting up of redundant
network connections and power supplies to prevent downtime due to
infrastructure failures, using cloud services or offsite backups, implementing
disaster recovery plan to quickly restore services in the event of a major
disruption
Awareness, Training, and Education
- measures put in place by an organization to ensure that users are knowledgeable
about potential security threats and the actions they can take to protect information
systems
- example: conducting regular security awareness sessions

Technology
- software and hardware-based solutions designed to protect information systems
- example: firewall - continuously monitoring and filtering network traffic in search of
possible malicious incidents

Policy and Procedure
- administrative controls that provide a foundation for how an organization
implements information assurance
- example: incident response plans and best practice guidelines
- example 2: establishing policy that requires employees to change their passwords
regularly and providing a procedure for them to do so securely

Types of Malware
1. Keylogger
- designed to track and spy on online activity by logging every key pressed on
the keyboard
2. Adware
- designed to automatically deliver advertisements to the user, most often in a
web browser
3. Backdoor 🚪
- used to gain remote access by bypassing normal authentication procedures
and issue remote system commands
4. Scareware
- uses scare tactics to trick users into taking a specific action, often by displaying
alarm messages or pop-ups
5. Virus
- computer program that, when executed, replicates and attaches itself to other
executable files such as documents by inserting its own code
6. Trojan Horse
- carries out malicious operations by masking its true intent
- may appear legitimate but is actually very dangerous
7. Worm
- replicates itself in order to spread from one computer to another
- do not require user participation after the initial infection and can spread
quickly over a network
8. Rootkit
- designed to modify the operating system (OS) to create a backdoor which
attackers can use to access a computer remotely

Types of Cyberattack
1. Social Engineering
- attack focused on manipulating people into performing actions or divulging
confidential information
- can be both technical and non-technical in nature
2. Phishing
- attackers attempt to trick individuals into providing sensitive information
- typically done through fraudulent emails, messages, or websites that appear to
be from a legitimate source
3. Spear Phishing
- version of phishing targeted at a specific individual/group, usually after researching
their social media profiles or other public information
- customized email/message to make it appear more legitimate, increasing the likelihood
of the victim falling for the scam
4. Baiting
- tactic involving enticing the victim with an offer (free download or a gift card)
- appears legitimate but when the victim downloads the file or enters their
information, they unknowingly install malware or give away sensitive
information
5. Pretexting
- impersonating someone else to gain victim’s trust to extract sensitive
information from the victim
- example: pretending to be company executive
6. Quid Pro Quo (Something for Something)
- offering a service in exchange for sensitive information
- example: offering to help with the victim’s computer but asking for login credentials
and then disappearing
7. Denial-of-Service (DoS)
- network attack that results in some sort of interruption of network service to
users, devices, or applications, often by overwhelming the target with a flood
of traffic
8. SEO Poisoning
- manipulating search engine results in order to redirect users to malicious
websites or to steal personal information
- often used in conjunction with other tactics such as phishing or malware
- effective because it targets users when they are actively searching for
information online
9. Password Attacks
- various techniques that cybercriminals use to gain unauthorized access to
systems or networks by guessing or cracking passwords
10. Advanced Persistent Threats (APT)
- targeted attacks typically carried out by well-funded and highly skilled
attackers

Types of Password Attacks
1. Brute Force Attack
- tries every possible combination of characters until the correct password is
guessed
- time-consuming and resource-intensive
2. Dictionary Attack
- uses a list of common words or phrases to guess
3. Password Spraying
- attempting to login to an account with a small number of commonly used
passwords rather than trying a large number of different passwords for a single
user
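The three attack types above leave different traces in authentication logs: a brute-force attack hammers one account from one source, while password spraying touches many accounts with only one or two attempts each, which is exactly why a per-account lockout threshold alone does not catch it. The following is an added example (not from these notes) that labels source IPs in a small set of constructed log lines; the log format, the account names and the IP addresses are all assumptions made for the example.

```python
"""Telling brute-force from password-spraying in constructed auth logs.

Added example; the log line format below is an assumption for this
example, not the format of any particular product.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# "<ISO timestamp> <OK|FAIL> user=<account> src=<source ip>"
# 203.0.113.7  -> six accounts, one failure each (spraying pattern)
# 198.51.100.9 -> one account, eight failures (brute-force pattern)
# 192.0.2.4    -> one failure then success (ordinary typo, not flagged)
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:08 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:11 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:15 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:19 FAIL user=frank src=203.0.113.7
2024-03-01T09:01:00 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:02 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:04 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:06 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:08 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:10 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:12 FAIL user=carol src=198.51.100.9
2024-03-01T09:01:14 FAIL user=carol src=198.51.100.9
2024-03-01T09:02:30 FAIL user=dave src=192.0.2.4
2024-03-01T09:02:40 OK user=dave src=192.0.2.4
"""


def parse_line(line):
    """Split one log line into timestamp, status, account and source IP."""
    ts, status, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "status": status,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def classify_sources(log_text, window=timedelta(minutes=10),
                     spray_min_users=5, brute_min_attempts=5):
    """Label each source IP whose failed logins show an attack pattern.

    Within any sliding `window` of a source's failures:
      - "brute-force": >= brute_min_attempts failures against one account
      - "password-spraying": failures against >= spray_min_users accounts
    Sources matching neither pattern are not returned.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["status"] == "FAIL":
            failures[event["src"]].append(event)

    labels = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start so it spans at most `window` of time.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in events[start:end + 1])
            if max(per_user.values()) >= brute_min_attempts:
                labels[src] = "brute-force"
                break
            # Spraying: many accounts, each with too few failures to trip
            # a per-account lockout, so count distinct accounts per source.
            if len(per_user) >= spray_min_users:
                labels[src] = "password-spraying"
                break
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

The thresholds are deliberately low so the constructed sample triggers both labels; in practice they are tuned per environment, and the spraying rule is the one worth keeping even where account lockout is already enforced, because lockout counts failures per account while spraying spreads them across accounts.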

Password Policy (an example)
1. Purpose - to secure organization infosec
2. Scope - to all employees, 3rd-party users w/ access to the infosys
3. Password Creation
- at least 12 char long
- mix of uppercase and lowercase, numbers, special char
- no part of user’s name
- not reused / shared with others
4. Password Management
- changed at least every 90 days
- enabled Multi-Factor Authentication
5. Password Storage - not stored in plain text, use a pw manager
6. Security Tips - passphrases over passwords, avoid: bday, names or common words
7. Enforcement - failure to comply = disciplinary action
8. Training and Awareness - statement of regular training and awareness programs
about password security
