ITO 70740
•There are three types of InfoSec performance measurements
1. those that determine the effectiveness of the execution of InfoSec policy, 2. those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, and 3. those that assess the impact of an incident or other security event on the organization or its mission
•IDPSs types
1. host-based (detects and prevents changes in system files) 2. network-based (detects and prevents abnormal traffic)
•What is Information Technology (IT)?
Any computer-based tool that people use to work with information and to support the information and information-processing needs of an organization
Examples of threats to InfoSec
•Compromises of IP •Espionage: when an unauthorized person gains access to information an organization is trying to protect •Software attacks: viruses, malware
Symmetric Encryption
Each of the methods of encryption and decryption described requires that the same algorithm and key are used to both encipher and decipher the message, known as private key encryption •One challenge in symmetric key encryption is getting a copy of the key to the receiver, a process that must be conducted out-of-band to avoid interception
Info SEC involve the...
Info SEC involve the entire organization, as represented by three distinct groups of managers and professionals, or communities of interest: •Those in the field of information security •Those in the field of IT •Those from the rest of the organization
SETA Program
Security Education, Training, and Awareness Programs: •The SETA program is designed to reduce accidental security breaches by members of the organization •SETA programs offer three major benefits: •They can improve employee behavior •They can inform members of the organization about where to report violations of policy •They enable the organization to hold employees accountable for their actions •The purpose of SETA is to enhance security: •By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems •By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely •By improving awareness of the need to protect system resources
Solving a Problem steps
Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare Possible Solutions (Feasibility Analyses) Step 5: Select, Implement, and Evaluate a Solution
•Once a candidate has accepted a job offer...
•Once a candidate has accepted a job offer, the employment contract becomes an important security instrument. Many of the policies discussed in Chapter 4 require an employee to agree in writing
•The unique functions of information security management are known as the six Ps:
•Planning •Policy •Programs •Protection •People •Project management
hybrid system
asymmetric encryption is used to exchange symmetric keys so that two organizations can conduct quick, efficient, and secure communications based on symmetric encryption
clean desk policy
clean desk policy—requiring employees to secure all information in an appropriate storage container at the end of each business day
Mandatory Access Controls (MACs)
•A Mandatory Access Control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user •These ratings are often referred to as sensitivity levels or classification levels •When MACs are implemented, users and data owners have limited control over access to information resources
Background check
•A background check should be conducted before the organization extends an offer to any candidate, regardless of job level, to uncover past criminal behavior or other information. Background checks differ in their levels of detail and depth
The Difference Between Leadership and Management
•A leader influences employees so that they are willing to accomplish objectives, and is expected to lead by example and demonstrate personal traits that instill a desire in others to follow •By comparison, a manager administers the resources of the organization—creates budgets, authorizes expenditures, and recruits, hires, evaluates, and terminates employees
•Bull's-eye model layers:
•Policies—first layer of defense •Networks—threats first meet the organization's network •Systems—computers and manufacturing systems •Applications—all applications systems
Policy definition
•A quality information security program begins and ends with policy •In general, a policy is simply a manager's or other governing body's statement of intent; as such, a policy (document) actually contains multiple policies (statements) •Some basic rules must be followed when shaping a policy: •Policy should never conflict with law •Policy must be able to stand up in court if challenged •Policy must be properly supported and administered
•A security awareness program can deliver its message via
•A security awareness program can deliver its message via videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at log-on, talks, or lectures
What is a system?
•A set of entities or objects working as a whole to achieve a certain goal
Threat vs. Attack
•A threat represents a potential risk to an information asset, whereas an attack (or threat event) represents an ongoing act against the asset that could result in a loss
•Access controls
•Access controls regulate the admission of users into trusted areas of the organization. Access control comprises four elements: identification, authentication, authorization, and accountability
SDLC
•An SDLC is a methodology for the design and implementation of an information system and is combined with sound project management practices to develop key project milestones, allocate resources, select personnel, and perform the tasks needed to accomplish a project's objectives
Issue-Specific Security Policy (ISSP)
•An issue-specific security policy (ISSP) is "an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies" •In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use •The ISSP should provide a common understanding of the purposes for which an employee can and cannot use the resource •An effective ISSP accomplishes the following: •It articulates the organization's expectations about how its technology-based system should be used •It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control •It protects the organization against liability for an employee's inappropriate or illegal use of the system •Every organization's ISSPs should: •Address specific technology-based systems •Require frequent updates •Contain a statement on the organization's position on an issue
EISP Elements
•An overview of the corporate philosophy on security •Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role •Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors) •Fully articulated responsibilities for security that are unique to each role within the organization
•Approaches to access control include
•Approaches to access control include directive, deterrent, preventative, detective, corrective, recovery, and compensating. Access controls may be classified as management, operational (or administrative), or technical
Asymmetric Encryption
•Asymmetric encryption, or public key encryption, uses two different but related keys, either of which can be used to encrypt or decrypt the message •The problem with asymmetric encryption is that it requires four keys to hold a single conversation between two parties, and the number of keys grows geometrically as parties are added
Attack Exploit Vulnerability
•Attack: "an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it" •Exploit: "a technique used to compromise a system... Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain" •Vulnerability: "a potential weakness in an asset or its defensive control system(s)"
Class object attributes state
•Class: a general template used to define and create specific instances, or objects •Object: a person, place, or thing about which we want to capture information •Object (instance): instantiation of a class •Attributes: information that describes the object •State: describes the object's values and relationships at a point in time
•Committee on National Security Systems (CNSS)
•Committee on National Security Systems (CNSS) Security Model (also known as the McCumber Cube) provides a detailed perspective on security. The CNSS Model is a standard used to identify gaps in the coverage of an InfoSec program
Confidentiality Integrity Availability
•Confidentiality: limiting access to information only to those who need it, and preventing access by those who do not •Integrity: "an attribute of information that describes how data is whole, complete, and uncorrupted" •Availability: authorized users, either people or other systems, have access to the information in a usable format
Managerial Guidance SysSPs
•Created by the management to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information •Applies to any technology that affects the confidentiality, integrity, or availability of information •Informs technologists of management intent
Encryption •Cryptology
•Encryption is the process of converting an original message into a form that cannot be understood by unauthorized individuals •Cryptology, the science of encryption, encompasses two disciplines: cryptography and cryptanalysis •Cryptography—from the Greek words kryptos, meaning "hidden," and graphein, meaning "to write"—describes the processes involved in encoding and decoding messages so that others cannot understand them •Cryptanalysis—from analyein, meaning "to break up"—is the process of deciphering the original message (or plaintext) from an encrypted message (or ciphertext), without knowing the algorithms and keys used to perform the encryption
•When an employee leaves an organization...
•When an employee leaves an organization, a number of security-related concerns arise, including the continuity of protection for all information to which the employee had access
Enterprise Information Security Policy (EISP)
•Enterprise information security policy (EISP) is high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts •An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy •Usually drafted by the CISO, the EISP guides the development, implementation, and management requirements of the InfoSec program
•three types of information security policy:
•Enterprise information security program policy, which sets the strategic direction, scope, and tone for all security efforts; the EISP must be based on and support the organization's vision and mission statements •Issue-specific information security policies, which provide guidance to all members of an organization regarding the use of IT •System-specific information security policies, which guide the management and technical specifications of particular technologies and systems
•Laws, policies, and their associated penalties only provide deterrence if three conditions are present:
•Fear of penalty •Probability of being apprehended •Probability of penalty being applied
Guidelines for Effective Policy
•For policies to be effective, and legally defensible, they must be properly: 1. Developed using industry-accepted practices, and formally approved by management 2. Distributed using all appropriate methods 3. Read by all employees 4. Understood by all employees 5. Formally agreed to by act or affirmation 6. Uniformly applied and enforced
•Full-time security personnel deployment will vary depending on the organization's size:
•Full-time security personnel deployment will vary depending on the organization's size: •Very large organizations may have more than 20 full-time security personnel and 40 or more individuals with part-time responsibilities •Large organizations will have an average of one to two full-time managers, three to four full-time technicians/administrators, and as many as 16 part-time staff members •Medium-sized organizations may have only one full-time security person and as many as three individuals with part-time responsibilities •Smaller organizations may have either one individual with full-time duties in InfoSec or one individual who is a part-time manager
Intrusion Detection and Prevention Systems
•IDPSs work like burglar alarms and combine tried-and-true detection methods from intrusion detection systems (IDSs) with the capability to react to changes in the environment, which is available in intrusion prevention technology •As most modern technology in this category has the capability both to detect and prevent, the term IDPS is generally used to describe the devices or applications
IT enables... •Who is responsible for securing information assets?
•IT enables the storage and transportation of information—often a company's most valuable resource—from one business unit to another •Astute managers increasingly recognize the critical nature of information security as the vehicle by which the organization's information assets are secured •Yet, all employees are responsible for information security
•There are three general causes of unethical and illegal behavior, such as an employee failing to follow policy:
•Ignorance •Accident •Intent
Firewalls •The most common types of firewalls are:
•In InfoSec, a firewall is any device that prevents a specific type of information from moving between the outside world, known as the untrusted network (e.g., the Internet), and the inside world, known as the trusted network •The most common types of firewalls are: •Packet filtering firewalls •Application layer proxy firewalls •Stateful packet inspection firewalls •Unified Threat Management (UTM) devices
Access Control Lists
•In general, ACLs regulate: •Who can use the system •What authorized users can access •When authorized users can access the system •Where authorized users can access the system from •How authorized users can access the system •Common user privileges (also known as permissions) include: •Read •Write •Execute •Delete
•InfoSec positions can be classified into one of three types:
•InfoSec positions can be classified into one of three types: those that define, those that build, and those that administer: •Definers provide the policies, guidelines, and standards -They're the people who do the consulting and the risk assessment, who develop the product and technical architectures -These are senior people with a lot of broad knowledge, but often not a lot of depth •Then you have the builders -They're the real techies, who create and install security solutions •Finally, you have the people who operate and administrate the security tools, the security monitoring function, and the people who continuously improve the processes
•Information security (InfoSec) definition
•Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability, and includes the technology that houses and transfers that information through a variety of protection mechanisms such as policy, training and awareness programs, and technology
•What is Information System (IS)?
•Interrelated components (people, processes, data, functions, and technologies - hardware and software) used to collect, process, store, analyze, and disseminate information for a specific reason
•Access control is built on several key principles:
•Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties •Need to know: Limits a user's access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function •Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion
•Nondiscretionary controls are determined by •Discretionary access controls (DACs) are
•Nondiscretionary controls are determined by a central authority in the organization and can be based on roles or on a specified set of tasks •Discretionary access controls (DACs) are implemented at the discretion or option of the data user
Delivery Methods
•Often other factors—budget, scheduling, and needs of the organization—come first •Formal Class •Computer-Based Training (CBT) •On-the-Job Training •Self-Study (Noncomputerized)
Common definitions: Policy Standard Guidelines Procedures Practices
•Policy is a set of "organizational guidelines that dictate certain behavior within the organization" •A standard is "a detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance" •Guidelines are "nonmandatory recommendations the employee may use as a reference in complying with a policy" •Procedures are "step-by-step instructions designed to assist employees in following policies, standards, and guidelines" •Practices are "examples of actions that illustrate compliance with policies" •Policies define what you can do and not do, whereas the other documents focus on the how
PIIAAA
•Privacy: right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality •Information aggregation: many organizations collect, swap, and sell personal information as a commodity •Identification: unverified entities who seek access to a resource provide a label by which they are known to the system •Authentication: the process by which a control establishes whether a user (or system) has the identity it claims to have •Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels •Accountability: all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity
•The difference between privacy and security
•Security is about protection against danger while privacy is about protection against intrusion (seemingly benign at first but may or may not become a risky intrusion, why and how?)
Security Training
•Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely •Management can either develop customized training or outsource all or part of the training program •There are two methods for customizing training for users: •Functional background: -General user -Managerial user -Technical user •Skill level: -Novice -Intermediate -Advanced
•Separation of duties •Two-man control
•Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information •Two-man control requires that two individuals review and approve each other's work before the task is considered complete
Methods to minimize employees' opportunities to misuse information
•Separation of duties, two-person control, job and task rotation, mandatory vacations, and least privilege are among the practices and methods recommended to minimize employees' opportunities to misuse information
InfoSec Project Team
•Should consist of individuals experienced in one or multiple technical and nontechnical areas including: •Champion •Team leader •Security policy developers •Risk assessment specialists •Security professionals •Systems administrators •End users
Technical Specifications SysSPs
•System administrators' directions and actions on implementing managerial policy •While the manager is primarily responsible for the creation of the managerial specifications, the sysadmins may be the primary authors or architects of the technical specifications version •There are two general methods of implementing such technical controls: •Access control lists •Configuration rules
System-Specific Security Policy
•System-Specific Security Policies (SysSPs) are "organizational policies that often function as standards or procedures to be used when configuring or maintaining systems" •SysSPs can be: •separated into managerial guidance and technical specifications; or •combined in a single unified SysSP document
CIA Triad
•The C.I.A. triad—confidentiality, integrity, and availability—has expanded into a more comprehensive list of critical characteristics of information
SecSDLC
•The SDLC approach can be scaled up to support the design, implementation, and maintenance of an entire security program, which is then called the security systems development life cycle (SecSDLC). •The SecSDLC process involves the identification of specific threats and the risks that they represent as well as the subsequent design and implementation of specific controls to counter those threats and manage the risk •The SecSDLC could be event-driven or plan-driven
Chief Information Security Officer
•The chief information security officer (CISO), or in some cases, the CSO, is usually the top InfoSec officer in the organization and is the spokesperson for the security team and responsible for the overall InfoSec program •The senior executive responsible for security may also be called the director of security, senior security manager, or some similar title •The CISO usually reports directly to the CIO, although in larger organizations one or more additional layers of management may separate the two officers
SecSDLC phases
•The investigation phase of the SecSDLC begins with a directive from upper management dictating the process, outcomes, and goals of the project, as well as its budget and other constraints •In the analysis phase, the team examines existing security policies or programs, along with documented current threats and associated controls •The design phase of the SecSDLC includes two distinct phases: the logical design phase, where blueprints for security are created, and key policies that influence later decisions are examined and implemented, and the physical design phase, where the security technology needed to support these blueprints is evaluated, alternative solutions are generated, and a final design is determined •The maintenance and change phase of the SecSDLC, though last, is perhaps most important, given the flexibility and persistence of many of the threats facing the modern organization
•Three types of authentication mechanisms:
•Three types of authentication mechanisms: •Something a person knows -A password, passphrase (e.g., May The Force Be With You Always - Mayt4sBwUa), or other unique code, such as a PIN -Best practice: a minimum length of 10 characters and contain at least one uppercase letter, one lowercase letter, one number, and one system-acceptable special character; 10.4 password rule •Something a person has -Dumb card with magnetic strips (e.g., ATM card) -Smart card with embedded computer chip (e.g., ATM card with a chip) -Cryptographic token with a processor in a card that has a display (e.g., ATM card with a token/chip) -Multifactor authentication •Something a person can produce -Fingerprint, palm print, facial recognition, etc.
Planning for InfoSec
•bottom-up—a grassroots effort in which systems and network administrators attempt to improve the security of their systems •top-down—a formal program, proposed and coordinated by high-level managers with executive management support to provide resources; give direction; issue policies, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions
Security Clearances
•Each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access
Common Cipher
•Substitution, transposition, and XOR (exclusive OR) •In a substitution cipher, you substitute one value for another •The transposition cipher (or permutation cipher) simply rearranges the values within a block to create the ciphertext, and can be done at the bit level or at the byte (character) level •XOR works simply: if the two values are the same, you get "0"; if not, you get "1"