Chapter 1 Introduction to Information Security
Object
A passive entity in an information system that receives or contains information.
Availability
A quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction.
Authenticity
A quality or state of information characterized by being genuine or original rather than reproduced or fabricated.
Exposure
A single instance of a system being open to damage.
Loss
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
Threat agent
A specific instance or component that represents a danger to an organization's assets. Threats can be accidental or purposeful; examples include lightning strikes and hackers.
Exploit
A technique used to compromise a system.
computer security
A term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in the organization has expanded.
salami theft
Aggregation of information used with criminal intent.
Attack
An act that takes advantage of a vulnerability to compromise a controlled system.
Subject
An active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes.
phishing
An attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity.
accuracy
An attribute of information in which the data is free of errors and has the value that the user expects.
Threat
An object, person, or other entity that represents a constant danger to an asset.
standards
Detailed statements of actions that comply with policy.
file hashing
Method for ensuring information validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
Protection profile or security posture
Synonymous with protection profile. The implementation of an organization's security policies, procedures, and programs
Control, safeguard, or countermeasure
Synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities.
Access
The ability to use, manipulate, modify or affect an object.
C.I.A. triangle
The industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
Asset
The organizational resource that is being protected. An asset can be logical, such as a Web site or information owned or controlled by the organization; or an asset can be physical, such as a computer system or other tangible object.
Risk
The probability that something can happen.
E-mail spoofing
The process of sending an e-mail with a modified field. The modified field is often the address of the originator.
integrity
The quality or state of being whole, complete, and uncorrupted.
possession
The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
utility
The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
confidentiality
The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.
risk appetite
The quantity and nature of risk that organizations are willing to accept.
Vulnerability
Weakness in a controlled system, where controls are not present or are no longer effective.
hash value
A fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message.
McCumber Cube
A graphical representation of the architectural approach widely used in computer and information security.
bottom-up approach
A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
top-down approach
A method of establishing security policies that is initiated by upper management.
methodology
A formal approach to problem solving based on a structured sequence of procedures.
systems development life cycle (SDLC)
A methodology for the design and implementation of an information system within an organization.
information system (IS)
The entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.
security
The quality or state of being secure, that is, to be free from danger.
Communications security
To protect communications media, technology, and content.
Network security
To protect networking components, connections, and contents.
Physical security
To protect physical items, objects, or areas from unauthorized access and misuse.
Information security
To protect the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
Operations security
To protect the details of a particular operation or series of activities.
Personnel security
To protect the individual or group of individuals who are authorized to access the organization and its operations.