Cybersecurity Test Notes
What is Security
"A state of being secure and free from danger or harm; the actions taken to make someone or something secure." -A successful organization should have multiple layers of security in place to protect: Operations Physical Infrastructure People Functions Communications -The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information -Including information security management, data security, and network. -C.IA. triad -Is a standard based on confidentiality, integrity, and availability, now viewed as inadequate. -Expanded model consists of a list of critical characteristics of information.
Maintenance and Change
*Longest and most expensive phase. *Consists of the tasks necessary to support and modify the system for the remainder of its useful life. *Life cycle continues until the team determines the process should begin again from the investigation phase.
Year 2000 To Present(2020)
-The Internet brings millions of unsecured computer networks into continuous communication with each other. -The ability to secure a computer's data was influenced by the security of every computer to which it is connected. -Growing threat of cyber attacks has increased the awareness of need for improved security.
ARPANET
1963 program that linked together computers over large distances
Security Systems Development Life Cycle (SecSDLC)
A methodology for the design and implementation of security systems based on the systems development life cycle. The two life cycles contain the same general phases
Key Information Security Concepts
Access Asset Attack Control, safeguard, or countermeasure Exploit Exposure Loss Protection profile or security posture. Risk Subjects and objects of attack Threat Threat agent Threat source Vulnerability
The 1960s
Advanced Research Projects Agency(ARPA) began to examine the practicality of redundant networked communications. Larry Roberts developed the ARPANET from its inception.
1970s-1980s
Arpanet grew in popularity , as did its potential for misuse. The problems with Arpanet security: There is no safety procedures for dial-up connection to Arpanet. Nonexistent user identification and authorization to system.
Critical Characteristics of Information
Availability Accuracy Authenticity Confidentiality Integrity Utility
1978
Bisbey and Hollingsworth publish their study "Protection Analysis : Final Report", which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system software and examine the possibility of automated vulnerability detection techniques in existing system software.
Senior Management
Chief information officer(CIO) *Senior technology officer *Primarily responsible for advising the senior executives on strategic planning. *Chief Information security Officer (CISO) -Has primary responsibility for assessment management, and implementation of IS in the organization
Summary
Computer security began immediately after the first main frames were developed. -Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information -Security should be considered a balance between protection and availability. *Information security must be managed similar to any major system implemented in an organization using a methodology. *Implementation of information security is often described as a combination of art and science.
Analysis
Consists of assessments of: The organization Current systems Capability to support proposed systems Analysts determine what the new system is expected to do and how it will interact with existing systems.
Data Responsibilities
Data owners: Senior management responsible for the security and use of a particular set of information Data custodians: Responsible for the information and systems that process, transmit, and store it. Data users: individuals with a information security role
Security as Science
Dealing with technology designed for rigorous performance levels. *Specific conditions cause virtually all actions in computer systems. *Almost every fault, security hole, and systems malfunction is a result of interaction of specific hardware and software.
1979
Dennis Ritchie he is the author for "On the Security of UNIX" and "Protection of Data File Contents" which discussed Protection of Unix and IDs and problems in the system.
The Enigma
Earlier versions of the German Code machine Enigma were first broken by the poles in the 1930s. The British and Americans managed to break later, but more complex during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to allied forces before finally being cracked. The Information gained from decrypted transmissions was used to the actions of the German armed forces.
Multics
Early Focus of computer security research centered on a system called Multiplex Information and Computing Service. -First operating system was created with security integrated into core functions. -Mainframe, time-sharing operating system was developed in the mid-1960's by General Electric, Bell Labs, and Massachusetts Institute of Technology. -Several MULTICS key players created UNIX. -Primary purpose of UNIX was text processing. - Late 1970's : The microprocessor expanded computing capabilities and security threats.
Software Design Principles
Good software development results in secure products that meet all design specifications. Some Commonplace security principles Minimize mechanisms common to multiple users. Human interface must be easy to use so users routinely/automatically use protection mechanisms.
1982(1&2)
Grampp and Morris write "The UNIX System: UNIX Operating System Security." In this report he examined four "Important handles to computer security": Physical control of primes and computer facilities, management commitment to security objective, education of employees, and administrative procedures aimed at increased security. -The US. Department of Defense Computer Security Evaluation Center publishes the First version of Computer Security(TCSEC) documents, also know as Rainbow Series.
Information Security - Bottom Up Approach
Grassroots effort: Systems administrators attempt to improve security of their systems -Key Advantage : technical expertise of individual administrations. -Seldom works, as it lacks a number of critical features: -Participant Support -Organization Staying Power
Information Security : Is it an Art or a science?
Implementation of information security is often described as a combination of art and science. "Security Artisan" idea: Based on the way individuals perceive system technologists and their abilities.
1992
Internet Engineering Task Force, woking at the Naval Research Laboratory, develop the simple Internet Protocol Plus(SIPP) Security protocols, creating what is now know ad IPSEC security.
Approaches to Information Security Implementation: Top-Down Approach
Issue policy, procedures, and processes Dictate goals and expected outcomes of project Determine accountability for each required action The most successful type of top-down approach also involves a formal development strategy referred to as systems development life cycle.
Balance Information Security and Access
It is impossible to obtain perfect information security. Security should be balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats.
Software Assurance
Many organizations recognize the need to include planning for security objectives. *This approach is known as software assurance. *A national effort is under way to create a common body of knowledge focused on secure software development. *U.S Department of Defense and Department Of Homeland Security supported the Software Assurance Initiative, which resulted in the publication of Secure Software Assurance *SwA CBK serves as strongly recommended guide to developing more secure applications. *SwA CBK, which is a work in progress, contains the following sections : Nature Of Dangers and Fundamental Concepts And Principles. Secure Software Requirements Secure Software Design Secure Software Construction Secure Software Verification, Validation, and Evaluation Secure Software Tools and Methods Secure Software Processes Secure Software Project Management Acquisition Of Secure Software Secure Software Sustainment
1968
Maurice Wilkes discusses password security in Time- Sharing Computer Systems.
The NIST Approach to securing the SDLC
NIST Special publication 800-64, rev.2, maintains that early integration of security in the SDLC enables agencies to maximize return on investment through: Early identification and mitigation of security vulnerabilities and misconfigurations.
Implementation
Needed software is created. Components are ordered, received, and tested. Users are trained and supporting documentation created. Feasibility analysis is prepared. Sponsors are presented with the system for a performance review and acceptance test.
The 1990s
Network of computers become more common Internet become the first global network of system. Initially, network connections were based on de facto standards. In early Internet deployments, security was treated as a low priority. In 1993, DEFCON conference was established to show the people about danger of bad hackers.
Security as Art
No hard and fast rules nor many universally accepted complete solutions No manual for implementing security through entire system
The NIST Approach : Disposal
Provides for disposal of system and closeout of any contracts in place. Key security activities include : -Building and executing disposal/transition plan -Archival of critical information. -Sanitization of media -Disposal of hardware and software
1984
Reeds and Weinberger publish "File Security and the UNIX System Crypt Command." There is no technique that can be secure against wiretapping or is equivalent to the computer. Therefore no technique can be secure against the system administrator or other privileged users.. the naive use have no change"
1973
Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary on the design of secure military computer systems.
The NIST Approach: Intiation
Security at this point is looked at in terms of business risks, with information security office providing input. *Key Security Activities Include : Delineation Of Business requirements in terms of confidentiality, integrity, and availability. *Determination of information categorization and identification of known special handling requirements.
Security as a Social Science
Social Science examines the behavior of individuals interacting with systems. Security begins and end with the people that interact with the system, intentionally or otherwise. security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles.
The NIST Approach Implementation
System is installed and evaluated in operational environment. Key security activities include : * Integrating Information system into its environment. *Planning and conducting system certification activities in synchronization with testing of security controls. *Completing system accreditation.
The NIST Approach: Operations and Maintenance
Systems are in place and operating, enhancements and modifications to the system are developed and tested, and hardware and software are added or replaced. Key security activities include: conducting operational readiness review Managing configuration of system.
1975
The Federal Information Processing Standards(FIPS) examines DES(Digital Encryption Standard) In the Federal Register.
1970s-1980s-->2
The Information security began with RAND Report(R-609) The scope of computer security grew from physical security to include: securing the data Limiting the random and unauthorized access to data.
Logical Design
The first and driving factor is the business need. -Applications are selected to provide needed services. *Data support and structures capable of providing the needed inputs are identified. *Specific technologies are delineated to implement the physical solution. -Analysts generate estimates of costs and benefits to allow comparison of available option.
Physical Design
The specification of the characteristics of the system components necessary to put the logical design into action.
Security Professionals and the Organization
Wide range of professionals are required to support a diverse information security program. senior management is the key component. Additional administrative support and technical expertise are required to implement details of the IS program.
1970
Willis H. Ware author the report Security Controls for Computer
Components of Information Systems
hardware, software, data, procedures, people