Intro to Information Security Chapter 1
Info Security Concept - Threat
A category of objects, persons, or other entities that presents a danger to an asset (for example, hackers as a category rather than one specific hacker).
Info Security Concept - Subjects and Objects
A computer can be either the subject of an attack (the agent performing it) or the object of an attack (the target on the receiving end). A compromised machine can be both at once: first attacked, then used to attack others.
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
A formal methodology ensures a rigorous, repeatable process, makes it less likely that steps are skipped, and gives each step defined deliverables that can be checked.
Info Security Concept - Exposure
The condition or state of being exposed. An exposure exists when a vulnerability that is known to an attacker is present on a system.
Info Security Concept - Vulnerability
A weakness or fault in a system or protection mechanism that opens it to attack or damage. A flaw in a software package is one example; an unlocked door or an unprotected network port are others.
Info Security Concept - Exploit
A known process to take advantage of a vulnerability or the act of using that process.
MULTICS
An early operating system on which computer security concepts were first tested. It was designed with security built in. Ken Thompson and Dennis Ritchie came from this project before going on to create UNIX.
How does the practice of information security qualify as both an art and a science? How does security as a social science influence its practice?
Art because there are no hard and fast rules, especially when dealing with users and policy. Science because the software is developed by computer scientists and engineers: faults are the result of a precise interaction of hardware and software that can be identified and fixed given enough time. As a social science it deals with how people behave when they interact with systems, which is why policy, training and awareness are as much a part of its practice as technology.
Describe the critical characteristics of information. How are they used in the study of computer security?
Availability: authorized users can access the information; Accuracy: free from errors; Authenticity: genuine, in its original state; Confidentiality: disclosure to unauthorized individuals is prevented; Integrity: whole and uncorrupted; Utility: has value for some purpose; Possession: ownership or control of the information. Each characteristic names one property a security program is trying to preserve, so they are used to classify both what an attack damages and what a control protects.
Why does polymorphism cause greater concern than traditional malware? How does it affect detection?
Because polymorphic malware changes its form (its code, and therefore its signature) over time or with each new infection, signature-based detection that looks for one fixed pattern fails to match it, and detection has to rely on behaviour or heuristics instead.
Why do employees constitute one of the greatest threats to information security?
Because they are trusted with access to the organization's information and systems, and can cause damage to data and hardware either maliciously or unintentionally through error.
How is the top down approach to information security superior to the bottom up approach?
Bottom up lacks a number of critical features such as participant support and organizational staying power, whereas top down has strong upper management support, dedicated funding, clear planning and the opportunity to influence the organization's culture.
How has the perception of the hacker changed in recent years? What is the profile of the hacker today?
The classical profile was a 14 to 18 year old male with little parental supervision. The modern profile spans ages 13 to 70, male or female, and is often a well educated person.
Info Security Concept - Loss
A single instance of an information asset suffering damage, unintended or unauthorized modification or disclosure, or denial of use. For example, confidential information that is attacked and disclosed has suffered a loss.
What are the three components of the CIA triangle and what are they used for?
Confidentiality: information should only be accessible to its intended recipients. Integrity: information should arrive the same as it was sent. Availability: information should be available to those authorized to use it.
Who decides how and when data in an organization will be used and or controlled? Who is responsible for seeing these wishes are carried out?
Data owners decide how and when data will be used and controlled. Data custodians are responsible for seeing those wishes are carried out (storing, maintaining and protecting the data), and data users work with the data in their daily jobs.
What are the types of password attacks? What can an admin do to prevent them?
Cracking (working out a password from a captured password hash), brute force (trying every possible combination) and dictionary attacks (trying a list of likely words) are the three types of password attacks. An admin can limit the number of failed login attempts, enforce a minimum complexity policy (length, numbers, capitals etc.), and disallow dictionary words in passwords.
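As an added example, not part of the original flashcards: a small C program that carries out the dictionary and brute force attacks described above against a stolen hash, then shows the two admin-side controls the answer lists (a complexity policy that rejects dictionary words, and an attempt limit that locks the account). The wordlist is constructed for the example, and the FNV-1a function stands in for a real password hash purely to keep the program self-contained; a real system would store a slow, salted hash such as bcrypt or Argon2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed wordlist standing in for an attacker's dictionary (assumption). */
static const char *WORDLIST[] = { "password", "letmein", "welcome", "summer", "dragon", "qwerty" };
#define WORDLIST_LEN (sizeof WORDLIST / sizeof WORDLIST[0])
#define MIN_LENGTH   12
#define MAX_ATTEMPTS 5

/* Stand-in hash (FNV-1a 64-bit). NOT a password hash; used only so the
 * example runs offline. Any fast, unsalted hash is equally easy to attack. */
uint64_t toy_hash(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Dictionary attack: hash every candidate word and compare with the stolen hash.
 * Returns the index of the matching word, or -1 if no word matches. */
int dictionary_attack(uint64_t stolen_hash) {
    for (size_t i = 0; i < WORDLIST_LEN; i++)
        if (toy_hash(WORDLIST[i]) == stolen_hash) return (int)i;
    return -1;
}

/* Brute force attack over every numeric PIN of `digits` digits.
 * Returns the recovered PIN as a number, or -1. */
long brute_force_pin(uint64_t stolen_hash, int digits) {
    long limit = 1;
    for (int i = 0; i < digits; i++) limit *= 10;
    char candidate[16];
    for (long n = 0; n < limit; n++) {
        snprintf(candidate, sizeof candidate, "%0*ld", digits, n);
        if (toy_hash(candidate) == stolen_hash) return n;
    }
    return -1;
}

/* Control 1: minimum complexity policy. Requires MIN_LENGTH characters,
 * upper and lower case and a digit, and rejects any password that contains
 * a dictionary word (case-insensitive). Returns 1 if the password is allowed. */
int policy_ok(const char *pw) {
    char lower[128];
    size_t len = strlen(pw);
    int upper = 0, lowerc = 0, digit = 0;
    if (len < MIN_LENGTH || len >= sizeof lower) return 0;
    for (size_t i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper = 1;
        else if (islower(c)) lowerc = 1;
        else if (isdigit(c)) digit = 1;
        lower[i] = (char)tolower(c);
    }
    if (!(upper && lowerc && digit)) return 0;
    for (size_t i = 0; i < WORDLIST_LEN; i++)
        if (strstr(lower, WORDLIST[i]) != NULL) return 0;
    return 1;
}

/* Control 2: limit the number of failed attempts, then lock the account. */
typedef struct { int failures; int locked; } account_t;

/* Returns 1 on success, 0 on a wrong guess, -1 if the account is locked. */
int login(account_t *acct, uint64_t stored_hash, const char *guess) {
    if (acct->locked) return -1;
    if (toy_hash(guess) == stored_hash) { acct->failures = 0; return 1; }
    if (++acct->failures >= MAX_ATTEMPTS) acct->locked = 1;
    return 0;
}

/* Drives MAX_ATTEMPTS wrong guesses and then the correct password;
 * returns the result of that final attempt (-1 once the lockout holds). */
int lockout_demo(void) {
    account_t acct = { 0, 0 };
    uint64_t stored = toy_hash("Blue-Coffee-Orbit-91");
    for (int i = 0; i < MAX_ATTEMPTS; i++) login(&acct, stored, "wrong-guess");
    return login(&acct, stored, "Blue-Coffee-Orbit-91");
}

int main(void) {
    printf("dictionary hit index: %d\n", dictionary_attack(toy_hash("letmein")));
    printf("brute forced PIN:     %ld\n", brute_force_pin(toy_hash("0427"), 4));
    printf("policy(Password2024!): %d\n", policy_ok("Password2024!"));
    printf("policy(Blue-Coffee-Orbit-91): %d\n", policy_ok("Blue-Coffee-Orbit-91"));
    printf("login after lockout:  %d\n", lockout_demo());
    return 0;
}
```

Note that the attack functions never touch the live login path: they run against a stolen hash offline, so the attempt limit does nothing against them. That is why the policy (which makes dictionary and short brute force attacks fail) and a slow salted hash matter even when a lockout is in place.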
What is the difference between a DoS and a DDoS? Which is potentially more devastating? Why?
A DoS attack is a single source sending a large number of connections or requests in an attempt to overwhelm a target server. A DDoS is many sources (usually many compromised systems) simultaneously performing a DoS attack against the same target. The DDoS is more dangerous because, unlike a DoS, there is no single source to block and no easy way to tell attack traffic from legitimate traffic.
It is important to protect data in motion and data at rest. In what other state must data be protected? In which of the three states is data most difficult to protect?
Data in use (being processed) is the third state. Data in motion is the most difficult to protect, because once it leaves the organization's control anything could happen to it.
Why is data the most important asset an organization possesses? What other assets in an organization require protection?
Data in an organization represents its transaction records and its ability to deliver value to its customers; without it the organization could not carry out its day to day work. Other assets that require protection include the ability of the organization to function, the safe operation of applications, technology assets and people.
What type of security was dominant in the early years of computing?
Early security was entirely physical security.
How can dual controls, such as two person confirmation, reduce the threats from acts of human error and failure? What other controls can reduce this threat?
Employees are one of the greatest threats in information security, whether through intent or human error. Dual controls reduce this threat because a second person has to check the action, which catches mistakes and forces anyone intending harm to find a collaborator. Other methods include backups, requiring approval before deletion, and limiting access to drives and applications to employees who need to know.
Info Security Concept - Protection Profile
Encompassing control, policy, education, training and awareness, and technology that an organization implements.
Info Security Concept - Control
Factors that can counter security vulnerabilities (e.g. procedures, policies, mechanisms).
What are the various types of force majeure? Which type might be of greatest concern to an organization in Las vegas? Oklahoma City? Miami? LA?
Force majeure means forces of nature: fire, flood, earthquake, lightning, landslide, tornado, hurricane, tsunami, electrostatic discharge and dust contamination. Las Vegas would be most concerned with extreme heat and flash flooding in a desert climate; Oklahoma City with tornadoes; Miami with hurricanes and flooding; LA with earthquakes and wildfires.
How has the definition of hack evolved over the last 30 years?
In the early days of computing, enthusiasts were called hacks or hackers because they could tear apart the instruction code, or even the computer itself, to manipulate its output. The term hacker at one time expressed respect for another's ability. In recent years the association with illegal activity has negatively tinged the term.
How has computer security evolved into modern information security?
In the early days, before ARPANET, machines were only physically secured. Once machines were networked through ARPANET it was realised that physical security was just one component, and protection had to extend to the data, the software and the network as well.
Information Characteristics - Utility
Information that can serve a purpose and is useful. The data must be in a format that the end users can use.
Information Characteristics - Integrity
Information that is whole, uncorrupted, and authentic.
Info Security Concept - Attack
An act that takes advantage of a vulnerability to compromise or damage a system or its data. It may be intentional or unintentional.
How does technological obsolescence constitute a threat to information security? How can an organization protect against it?
It occurs when technology becomes outdated and is no longer supported or patched, which leaves known vulnerabilities unaddressed and so increases the threat. Proper planning is the best way to fight it: outdated technologies must be replaced in a timely fashion.
What is the relationship between the MULTICS project and the early development of computer security?
It was the first operating system created with security as a primary goal, integrated into its core functions. Shortly after the restructuring of MULTICS, several of its key engineers left and started working on UNIX, which did not carry over the same level of built-in security.
In the history of the study of computer security, what system is the father of almost all modern multiuser systems?
Mainframe computer systems
How is information security a management problem? What can management do that technology cannot?
Management must perform detailed risk assessments and decide where to spend what can be hundreds of thousands of dollars to protect the day to day functioning of the organization. Technology can neither set policy nor fix social issues; only management can.
What are some ways a social engineering hacker can attempt to gain information about a user's login and password? How would this type of attack differ if it were targeted towards administrators assistant versus a data entry clerk?
Most commonly it is done by role-playing someone else, e.g. a maintenance team or a janitor, to get physical access to assets, or by posing as someone with authority over the phone. A data entry clerk may be easily swayed by a claim that the CEO will be angry if the request is refused, whereas an administrator's assistant, who is used to screening requests, would require more convincing.
Information Characteristics - Possession
Ownership or control over information. The possession of information doesn't imply accessibility.
What was important about Rand Report R-609?
Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security.
What paper is the foundation of all subsequent studies of computer security?
Rand Report R-609
Who is involved in the security development life cycle? Who leads the process?
Security professionals are involved in the SecSDLC. Senior management, the security project team and the data owners lead the process.
What is the most common form of violation of intellectual property? How does an organization protect against it? What agencies fight it?
Software piracy. Software licensing helps to fight this. The Software and Information Industry Association (SIIA) and the Business Software Alliance (BSA) both fight against IP violations.
Six Components of an Information System
Software, Hardware, Data, Networks, Policies/Procedures, and People
Identify the five components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
Software, Hardware, Data, People, Procedures
Information Characteristics - Availability
The ability of authorized users to access information unobstructed and in the correct format.
If the CIA triangle is incomplete, why is it so commonly used in security?
The CIA triangle is still used because it addresses the major concerns with the vulnerability of information systems, even though it does not cover characteristics such as accuracy, authenticity, utility and possession.
Who is ultimatly responsible for the security of information in the organization?
The Cheif Information Security Officer (CISO)
Info Security Concept - Access
A subject's or object's ability to use, manipulate, modify or affect another subject or object; authorized users have legal access to a system, attackers have illegal access.
For a sniffer attack to succeed, what must the attacker do? How can an attacker gain access to a network to use the sniffer system?
The attacker must first get the sniffer onto the network segment that carries the target traffic, because a sniffer can only capture packets that reach its network interface. Usually this is done using social engineering to get into the building and plant a physical sniffer device, or by compromising a machine that is already on that segment.
SDLC - Analysis
The second step in the SDLC. Assess current system against new system, develop system requirements, study integration with old system.
What is the difference between vulnerability and exposure?
A vulnerability is a fault within the system, such as a software package flaw, an unlocked door or an unprotected system port. It leaves things open to attack or damage. An exposure is a single instance when a system is open to damage. Vulnerabilities can in turn be the cause of exposure.
Information Characteristics - Accuracy
When information is free from errors and is in the format that the end users expect.
Information Characteristics - Authenticity
When information is in its original state, not tampered with.
Information Characteristics - Confidentiality
When information is protected from unauthorized users.
What is a buffer overflow and how is it used against a webserver?
A buffer overflow occurs when more data is sent than the receiver's buffer can hold, so the excess overwrites adjacent application memory outside the buffer. A buffer overflow in a web server may allow an attacker to run executable code on the server, either manipulating files directly or creating a backdoor for later use.
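An added example, not from the original flashcards: a minimal C request parser written two ways. The first copies the request line into a fixed stack buffer with no length check, which is the classic web server overflow; the second bounds the copy and rejects over-long input. The request strings and the 32-byte buffer size are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 32   /* fixed-size buffer, chosen for the example */

/* VULNERABLE (intentionally): strcpy has no idea how big `path` is.
 * A request line of PATH_BUF bytes or more writes past the end of `path`
 * into adjacent stack memory such as saved registers and the return
 * address, which is what an attacker overwrites to run their own code.
 * Only ever call this with input shorter than PATH_BUF. */
int parse_path_unsafe(const char *request_line) {
    char path[PATH_BUF];
    strcpy(path, request_line);          /* no length check */
    return (int)strlen(path);
}

/* HARDENED: measure the input against the destination size first and
 * refuse anything that would not fit with its terminator. Returns the
 * copied length, or -1 when the input is rejected. */
int parse_path_safe(const char *request_line, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && request_line[n] != '\0') n++;
    if (n == out_len) return -1;         /* too long: reject, do not truncate silently */
    memcpy(out, request_line, n + 1);
    return (int)n;
}

/* Builds an attacker-style request of `len` bytes of 'A' padding (constructed). */
void build_oversized_request(char *dst, size_t len) {
    memset(dst, 'A', len);
    dst[len] = '\0';
}

int main(void) {
    char out[PATH_BUF];
    char attack[128];
    build_oversized_request(attack, 100);
    printf("safe, normal request:   %d\n", parse_path_safe("GET /index.html", out, sizeof out));
    printf("safe, 100-byte request: %d\n", parse_path_safe(attack, out, sizeof out));
    printf("unsafe, normal request: %d\n", parse_path_unsafe("GET /index.html"));
    /* parse_path_unsafe(attack) is deliberately not called: it would smash the stack. */
    return 0;
}
```

The hardened version returns an error rather than truncating, because a silently shortened path is itself a source of bugs (the server would serve a different resource than the one requested).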
What measures can individuals take to protect against shoulder surfing?
- Be aware of who is around when accessing confidential information
- Limit the number of times you access confidential information
- Avoid accessing confidential information while others are present
Systems Development Life Cycle (SDLC)
A methodology that is used to develop an information system.
Who should lead a security team? Should the approach to security be more managerial or technical?
A project manager with information security technical skills. The approach to security should be managerial and top down, since management sets policy and provides the funding and support the technical work depends on.
Info Security Concept - Asset
A resource that is being protected.
What is the difference between a skilled hacker and an unskilled hacker?
A skilled hacker develops software and code exploits, and masters many technologies such as programming, network protocols and operating systems. The unskilled hacker uses expert-written software to exploit a system, usually with little knowledge of how it works.
Info Security Concept - Threat Agent
The specific instance or component of a threat, e.g. a single virus, or one particular hacker out of the category "hackers".
Methodology
A structured, multi-step process that is used to develop a system.
How does a threat to information security differ from an attack? How can the two overlap?
A threat is a category of objects, persons or entities that could harm an asset; an attack is the act that realizes the threat by exploiting a vulnerability and causing damage to the system. They overlap in that an attack is a threat made real: a threat agent carries out the attack.
What is the difference between an exploit and a vulnerability?
A vulnerability is a weakness in a system. An exploit takes advantage of a vulnerability to perform some unintended action.
SDLC - Implementation
The fifth step in the SDLC. Develop/Buy software, document system, train users.
SDLC - Investigation
The first step in the SDLC. Investigate feasibility and cost, and outline project scope and goals.
SDLC - Physical Design
The fourth step in the SDLC. Select technologies to support the solutions from the logical design, select the best solution, and decide whether to make or buy components.
Security Systems Development Life Cycle (SecSDLC)
The methodology used to create Information Systems with security built in.
ARPANET
The predecessor to the Internet.
Info Security Concept - Risk
The probability that something unwanted will happen.
SDLC - Maintenance and Change
The sixth step in the SDLC. Support/Modify system during life cycle, test against business needs, patch and upgrade as necessary.
SDLC - Logical Design
The third step in the SDLC. Assess business needs against preliminary plan , select apps/data support/structures, create multiple solutions.
What are the various types of malware? How do worms differ from viruses? Do trojan horses carry viruses or worms?
Types of malware: Viruses, worms, trojan horses, logic bombs and back doors. Viruses and worms both replicate and can do damage, but worms are typically stand alone programs. A trojan horse may carry either.