info security ch 1
How can the practice of information security be described as both an art and a science?
- Requires various kinds of tools and technologies used for technical purposes. - No clear-cut rules on how to install various security mechanisms
Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
- Software - Hardware - Data - People - Procedures - Networks
SDLC - NIST Software Development Lifecycle (SDLC)
1. Initiation 2. Development/Acquisition 3. Implementation/assessment 4. Operation/Maintenance 5. Disposal
The traditional SDLC approach consists of six general phases
1. Investigation 2. Analysis 3. Logical Design 4. Physical Design 5. Implementation 6. Maintenance and Change
Threat Source
A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents
Subjects and objects of attack
A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack
Exposure
A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
methodology
A formal approach to solving a problem based on a structured sequence of procedures.
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
A formal methodology ensures a rigorous process and avoids missing steps.
McCumber Cube
A graphical representation of the architectural approach widely used in computer and information security. Commonly shown as a cube composed of 3x3x3 cells, similar to a Rubik's Cube.
community of interest
A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
bottom-up approach
A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
software assurance (SA)
A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.
systems development life cycle (SDLC)
A methodology for the design and implementation of an information system. Contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system.
top-down approach
A methodology of establishing security policies and/or practices that is initiated by upper management.
Vulnerability
A potential weakness in an asset or its defensive control system(s).
personally identifiable information (PII)
A set of information that could uniquely identify an individual.
project team
A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.
security
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.
Access
A subject or object's ability to use, manipulate, modify, or affect another subject or object
network security
A subset of communications security; the protection of voice and data networking components, connections, and content.
Exploit
A technique used to compromise a system
What is the difference between a threat agent and a threat?
A threat is a constant danger to an asset, whereas a threat agent is the facilitator of an attack.
waterfall model
A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
ARPA
Advanced Research Projects Agency
ARPANET
Advanced Research Projects Agency Network
utility
An attribute of information that describes how data has value or usefulness for an end purpose.
availability
An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
accuracy
An attribute of information that describes how data is free of errors and has the value that the user expects.
authenticity
An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
confidentiality
An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
integrity
An attribute of information that describes how data is whole, complete, and uncorrupted.
possession
An attribute of information that describes how the data's ownership or control is legitimate or authorized.
chief information officer (CIO)
An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.
Attack
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it
threat event
An occurrence of an event caused by a threat agent
Threat
Any event or circumstance that has the potential to adversely affect operations and assets.
Describe the critical characteristics of information. How are they used in the study of computer security?
Availability: Authorized users can access the information. Accuracy: Free from errors. Authenticity: Genuine. Confidentiality: Preventing disclosure to unauthorized individuals. Integrity: Whole and uncorrupted. Utility: Has a value for some purpose. Possession: Ownership.
CNSS
Committee on National Security Systems
CBK
Common Body of Knowledge
CERT
Computer Emergency Response Team
What are the three components of the C.I.A. triad? What are they used for?
Confidentiality, integrity, and availability. information security
How does the view of security as a social science influence its practice?
Deals with people, and information security is primarily a people issue.
DARPA
Defense Advanced Research Projects Agency
SDLC Analysis
Determine user requirements for new system and develop logical system models (i.e., graphic displays that demonstrate the relationships between resources, activities, and outputs and outcomes)
NIST Initiation
During this first phase of the NIST development life cycle, • Initial delineation of business requirements in terms of confidentiality, integrity, and availability; • Determination of information categorization and identification of known special handling requirements to transmit, store, or create information such as personally identifiable information; and • Determination of any privacy requirements.
Why is the top-down approach to information security superior to the bottom-up approach?
Has strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture.
Computer Security
In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.
data owners
Individuals who control, and are therefore responsible for, the security and use of a particular set of information; data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it.
data custodians
Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of information.
data users
Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.
JAD
Joint Application Development - management process that allows developers to work directly with users
What system is the predecessor of almost all modern multi user systems?
MULTICS
SDLC - Maintenance
Modifications or corrections to the system are made
NIST
National Institute of Standards and Technology
SDLC: Implementation
Purpose: programming, testing, training, installation, documenting. Deliverable: operational programs, documentation, training materials. Database activity: database implementation, including coded programs, documentation, installation and conversion.
Which paper is the foundation of all subsequent studies of computer security?
Rand Report R-609, sponsored by the Department of Defense
RAD
Rapid Application Development - rapid prototyping with strict time limits
Control, safeguard, or countermeasure
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
Which members of an organization are involved in the security systems development life cycle? Who leads the process?
Security professionals are involved in the SDLC. Senior management, security project team and data owners are leads in the project.
If the C.I.A. triad is incomplete, why is it so commonly used in security?
The CIA triangle is still used because it addresses the major concerns with the vulnerability of information systems.
How is infrastructure protection (assuring the security of utility services) related to information security?
The availability of information assets is dependent on having information systems that are reliable and that remain highly available.
Protection profile or security posture
The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
information system (IS)
The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
C.I.A. triad
The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
Asset
The organizational resource that is being protected
Risk
The probability of an unwanted occurrence, such as an adverse event or loss.
communications security
The protection of all communications media, technology, and content.
information security
Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
physical security
The protection of physical items, objects, or areas from unauthorized access and misuse.
NIST Development/Acquisition
This section addresses security considerations unique to the second NIST SDLC phase. • Conduct the risk assessment and use the results to supplement the baseline security controls; • Analyze security requirements; • Perform functional and security testing; • Prepare initial documents for system certification and accreditation; and • Design security architecture.
TCP
Transmission Control Protocol
chief information security officer (CISO)
Typically considered the top information security officer in an organization. This is usually not an executive-level position, and frequently the person in this role reports to the CIO.
What is the difference between vulnerability and exposure?
Vulnerability is a fault within the system, such as software package flaws, unlocked doors or an unprotected system port. It leaves things open to an attack or damage. Exposure is a single instance when a system is open to damage.
SDLC - Physical Design
converted but are still abstractions of the system that will be built later, but they are now more complete and may include network maps and descriptions of servers and other devices to be used in the system
NIST Operations and Maintenance
is the fourth phase of the NIST SDLC. In this phase • Conduct an operational readiness review; • Manage the configuration of the system; • Institute processes and procedures for assured operations and continuous monitoring of the information system's security controls; and • Perform reauthorization as required. [...]
SDLC - Investigation
is the most important, begins by examining the event or plan that initiates the process. During this phase, the objectives, constraints, and scope of the project are specified
Multiplexed Information and Computing Service (MULTICS)
it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).
What type of security was dominant in the early years of computing?
physical security.
NIST Implementation/Assessment
is the third phase of the NIST SDLC. During this phase, the system will be installed and evaluated in the organization's operational environment. • Integrate the information system into its environment; • Plan and conduct system certification activities in synchronization with testing of security controls; and • Complete system accreditation activities. [...
NIST Disposal
the final phase in the NIST SDLC, provides for disposal of a system and closeout of any contracts in place • Building and executing a disposal/transition plan; • Archival of critical information; • Sanitization of media; and • Disposal of hardware and software.
SDLC - Logical Design
the information gained from the analysis phase is used to begin creating a systems solution for a business problem. Analysts generate estimates of costs and benefits to allow for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.
Threat agent
the specific instance or a component of a threat