CYB 600 CHAPTER 1: Information Systems Security
Software development life cycle (SDLC)
Apply secure software development life cycle tactics when designing and developing software.
Risk
The likelihood that something bad will happen to an asset.
Availability
the amount of time users can use a system, application, and data.
World Wide Web (WWW)
A collection of documents that are hyperlinked among one another and accessed using the Internet.
Data classification standard
A definition of different data types with respect to security sensitivity.
Internet
A global network of computer networks that uses the TCP/IP family of protocols and applications to connect nearly 2 billion users.
End-User License Agreement (EULA)
A licensing agreement between the software manufacturer and users, which limits the liability for software errors, bugs, or vulnerabilities.
Application gateway firewalls
A network device or computer that serves as a firewall and an intermediary between internal computers and computers on the Internet.
Proxy firewall
A network device or computer that serves as a firewall and an intermediary between internal computers and computers on the Internet.
Business continuity plan (BCP)
A plan for how to handle outages to IT systems, applications, and data access in order to maintain business operations.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A popular suite of protocols that operate at both the Network and Transport Layer of the OSI Reference Model. TCP/IP governs all activity across the Internet and through most corporate and home networks.
Fair Isaac Corp (FICO)
A publicly traded company that provides information used by the consumer credit reporting agencies Equifax, Experian, and TransUnion.
IT security policy framework
A set of rules for security. The framework is hierarchical and includes policies, standards, procedures, and guidelines.
Vulnerability assessment
A software review that identifies bugs or errors in software.
Internet of Things (IoT)
A term used to refer to the large number of networked devices (e.g., personal items, home appliances, cloud services, vehicles, etc.) that can now connect to the Internet.
You can help ensure confidentiality by implementing __________.
A virtual private network for remote access
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset.
security control
Action an organization takes to help reduce risk.
acceptable use policy (AUP)
An AUP defines what users are allowed and not allowed to do with organization-owned IT assets.
Ethernet
An IEEE 802.3 CSMA/CD standard for Ethernet networking supporting speeds from 10 Mbps to over 10 Gbps.
service-level agreements (SLAs)
An SLA is a contract that guarantees a minimum monthly availability of service for wide area network (WAN) and Internet access links.
Wireless Fidelity (Wi-Fi)
An alliance among wireless manufacturers to brand certified products that interoperate with wireless LAN standards. A Wi-Fi hotspot is a wireless LAN access location.
Hypertext Transfer Protocol Secure (HTTPS)
An application layer protocol that allows users to communicate and access content via web pages and browsers.
Two-factor authentication
An authentication method that uses two types of authentication credentials. See also two-step authentication.
Data breach
An incident in which sensitive data is accessed and stolen.
A data classification standard is usually part of which policy definition?
Asset protection policy
The __________ tenet of information systems security is concerned with the recovery time objective.
Availability
Availability
Availability is a mathematical calculation where A = (Total Uptime) / (Total Uptime + Total Downtime).
Organizations that require customer service representatives to access private customer data can best protect customer privacy and make it easy to access other customer data by using which of the following security controls?
Blocking out customer private data details and allowing access only to the last four digits of Social Security numbers or account numbers
Internet IP packets are to cleartext what encrypted IP packets are to __________.
Ciphertext
Accountability
Defining the roles, responsibilities, and what key IT security employees and incident response team members must do.
Downtime
Downtime is the total amount of time that a system, application, and data are not accessible.
Which of the following security controls can help mitigate malicious email attachments?
Email filtering and quarantining; email attachment antivirus scanning; verifying with users that the email source is reputable; holding all inbound emails with unknown attachments; all of the above
Software manufacturers limit their liability when selling software using which of the following?
End-User License Agreements
Port 20: File Transfer Protocol (FTP)
FTP is a protocol for performing file transfers. FTP uses TCP as a connection-oriented data transmission but in cleartext, including the password. Connection-oriented means individual packets are numbered and acknowledged as being received, to increase integrity of the file transfer.
Wireless access point (WAP)
For wireless LANs (WLANs), radio transceivers are used to transmit IP packets from a WLAN NIC to a wireless access point (WAP).
Port 80: Hypertext Transfer Protocol (HTTP)
HTTP is the communications protocol between web browsers and websites with data in cleartext.
TENETS OF INFORMATION SYSTEMS SECURITY (C-I-A triad)
Information that is secure satisfies three main tenets, or properties, of information. Confidentiality—Only authorized users can view information. Integrity—Only authorized users can change information. Availability—Information is accessible by authorized users whenever they request the information.
Multiprotocol Label Switching (MPLS)
MPLS uses labels or tags to make virtual connections between endpoints in a WAN.
Mean time between failures (MTBF)
MTBF is the predicted amount of time between failures of an IT system during operation.
Mean time to failure (MTTF)
MTTF is the average amount of time between failures for a particular system.
Mean time to repair (MTTR)
MTTR is the average amount of time it takes to repair a system, application, or component.
Which of the following is not a U.S. compliance law or act?
PCI DSS
Family Educational Rights and Privacy Act (FERPA)
Passed in 1974, FERPA protects the private data of students and their school records.
Health Insurance Portability and Accountability Act (HIPAA)
Passed in 1996, HIPAA requires health care organizations to have security and privacy controls implemented to ensure patient privacy.
Sarbanes-Oxley Act (SOX)
Passed in 1999, GLBA requires all types of financial institutions to protect customers' private financial information.
Children's Internet Protection Act (CIPA)
Passed in 2000 and updated in 2011, CIPA requires public schools and public libraries to use an Internet safety policy. The policy must address the following:
Federal Information Security Management Act (FISMA)
Passed in 2002, FISMA requires federal civilian agencies to provide security controls over resources that support federal operations.
Federal Information Security Modernization Act (FISMA)
Passed in 2014, FISMA was enacted to update FISMA 2002 with information on modern threats as well as security controls and best practices.
How can an IT security policy framework reduce risk?
Policies define how security controls and countermeasures must be used to comply with laws and regulations.
Recovery time objective (RTO)
RTO is the amount of time it takes to recover and make a system, application, and data available for use after an outage.
Payment Card Industry Data Security Standard (PCI DSS)
Requires protection of consumer privacy data with proper security controls (a global industry standard, not a U.S. federal law).
Ping
Stands for "packet Internet groper." Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply communications to verify end-to-end IP connectivity.
Port 69: Trivial File Transfer Protocol (TFTP)
TFTP is a protocol for performing file transfers. TFTP utilizes UDP as a connectionless data transmission but in cleartext. This is used for small and quick file transfers, given that it does not guarantee individual packet delivery.
Port 23: Terminal Network (Telnet)
Telnet is a network protocol for performing remote terminal access to another device. Telnet uses TCP and sends data in cleartext.
Demilitarized zone (DMZ)
The DMZ is a LAN segment in the LAN-to-WAN Domain that acts as a buffer zone for inbound and outbound IP traffic.
(ISC)²
The International Information Systems Security Certification Consortium. A nonprofit organization dedicated to certifying information systems security professionals.
What is the weakest link in an IT infrastructure?
The User Domain is the weakest link in an IT infrastructure.
Cybersecurity
The act of securing and protecting individuals, businesses, organizations, and governments that are connected to the Internet and the Web.
Identity theft
The act of stealing personally identifiable information with the intent to open new accounts, make purchases, or commit fraud.
Maximizing availability primarily involves minimizing __________.
The amount of downtime recovering from a disaster; the mean time to repair a system or application; downtime by implementing a business continuity plan; the recovery time objective
e-commerce
The buying and selling of goods and services online through a secure website, with payment by credit card or direct debit from a checking account.
Generation Y
The generation composed of those born between 1980 and 2000 in the United States
cyberspace
The global online virtual world created by the Internet where individuals, businesses, organizations, and governments connect to one another.
unified communications
The integration of multiple types of enterprise communication, such as instant messaging, voice, video, and data, all on a single network.
Network interface card (NIC)
The interface between the computer and the LAN physical media.
Authorization
The process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.
Identification
The process of providing identifying information, such as a username, a logon ID, or an account number.
Information security
The protection of data itself.
information systems
The servers and application software on which information and data reside.
Subnet mask
The subnet mask address defines the IP network number and IP host number.
Masking
The use of a special character (e.g., X or *) to hide some of the characters of a sensitive data element, such as a credit card number or a Social Security number.
vulnerability window
The vulnerability window is the gap in time during which a workstation is exposed to a known vulnerability until it is patched.
Authentication
This is the process for proving that a remote user is who the user claims to be. The most common authentication method is supplying a password.
Encrypting email communications is needed if you are sending confidential information within an email message through the public Internet.
True
If you are a publicly traded company or U.S. federal government agency, you must go public and announce that you have had a data breach and must inform the impacted individuals of that data breach.
True
Information security is specific to securing information, whereas information systems security is focused on the security of the systems that house the information.
True
Using security policies, standards, procedures, and guidelines helps organizations decrease risks and threats.
True
A data breach is typically performed after which of the following?
Unauthorized access to systems and applications is obtained
cleartext
Unencrypted data, the opposite of ciphertext. Data sent as cleartext is readable and understandable.
Uptime
Uptime is the total amount of time that a system, application, and data are accessible.
The __________ is the weakest link in an IT infrastructure.
User Domain
What are the seven domains of an IT infrastructure?
User Domain; Workstation Domain; LAN Domain; LAN-to-WAN Domain; Remote Access Domain; WAN Domain; System/Application Domain
IP default gateway router
Acts as the entry/exit point to the LAN.
threat
Any action that could damage an asset.
Information systems security
The collection of activities that protect the information system and the data stored in it.
local area network (LAN)
A collection of computers connected to one another or to a common connection medium. Network connection mediums can include wires, fiber-optic cables, or radio waves.
Malware (Malicious Software)
A computer program written to cause a specific action to occur, such as erasing a hard drive.
virus
A computer program written to cause damage to a system, an application, or data.
Virtual private networks (VPNs)
A dedicated encrypted tunnel from one endpoint to another. The VPN tunnel can be created between a remote workstation using the public Internet and a VPN router, or between a secure browser and a Secure Sockets Layer virtual private network (SSL-VPN) website.
Acceptable use policy (AUP)
Defines what users are allowed and not allowed to do with organization-owned IT assets.
business continuity plan (BCP)
Gives priorities to the functions an organization needs to keep going.
protocol
A list of rules and methods for communicating.
Simple Network Management Protocol (SNMP)
network monitoring and management—SNMP is used for network device monitoring, alarm, and performance.
IP stateful firewall
A security appliance used to filter inbound IP packets based on various ACL definitions configured for IP, TCP, and UDP packet headers. A stateful firewall can examine IP, TCP, or UDP packet headers for filtering.
Cryptography
The practice of hiding data and keeping it away from unauthorized users.
Encryption
The process of transforming data from cleartext into ciphertext.
Ciphertext
The scrambled data that are the result of encrypting cleartext.