Mist quiz 3
Security controls (administrative, technical, physical)
- Administrative Controls: Policies, standards, procedures, guidelines, personnel screening, training - Technical Controls ("logical controls"): Authentication, encryption, firewalls, biometrics, etc. - Physical Controls: Locks, monitoring, mantraps, environmental control
Relationship between security controls and security frameworks
- An organizational security framework is your organization's suite of security controls - It is made up of many entities, protection mechanisms, processes, and procedures that all work together and rely on each other to protect the company
AIC Triad
- Availability - integrity - Confidentiality
"Best practice" security control illustrations (e.g., continuity planning, employment/HR, data management)
- Continuity planning typically relies on backup sites - Rotation of duties - Mandatory vacations - Split knowledge - Unlink sensitive data from other data to minimize the damage if it is stolen - Encrypt data both in transit and in storage so that it is unreadable if it does fall into the wrong hands
The role of good management in the companies of the future; how to lead effectively
- Egalitarianism—especially of ideas. Everything is fair game. - Transparency of information
The relationship between transaction cost economics and self-organizing (why might companies be considered passe?)
- Markets have lower production costs (the costs of making goods and services) - Hierarchies have lower coordination costs (the costs of setting up production and keeping it running) - As coordination costs go down, markets become more and more attractive Competition in markets bring prices down, but it costs more to hire new people every time.
When and why outsiders can be more effective than experts
- New knowledge is being created in other fields and it is slow to enter the core - Many problems, opportunities, and projects benefit from different perspectives, people, and teams - The crowd is so valuable, in large part, because it's massively marginal: it contains huge numbers of people who are some combination of smart, well-trained, experienced, tenacious, and motivated
Characteristics of effective self-organizing structures (e.g., openness, non-credentialism, etc.)
- Openness - Noncredentialism - Verifiable and reversible contributions - Clear outcomes - Self-organization
Database vs. spreadsheet as a tool for data storage
- Security: Administrator can grant each user a different level of access, - Elimination of redundant data via relational model - Data Access: Multiple types of users can query a single database simultaneously - Big Data: Databases can handle much larger datasets
Cryptocurrencies and the blockchain - Specifically, I want you to recognize the tension that exists between a digital currency and the free, perfect, instant properties of digital information goods. - You should also know, in general terms, what the role of the blockchain is with respect to
- The bitcoin is a digital good - It is essential that BTC not follow the free, perfect, and instant economics of information goods - Blockchain acts as a distributed/decentralized ledger system that logs transactions
core
Dominant organizations, institutions, groups, and processes of the pre-Internet era (p. 231)
Ways to organize the crowd (e.g., formal hierarchies, markets, self-organizing structures like Wikipedia/Open Source)
Formal hierarchy is good when the work has to be perfect (medical equipment) Markets let people freely transact with each other without centralized control.
Conventional technical approaches to security (e.g., MFA, monitoring, software updates)
Multifactor authentication (MFA) - Something you know - Something you have - Something you are (e.g., your fingerprint) Monitoring and anomaly detection - Intrusion detection (e.g., flagged account after numerous failed login attempts) - Intrusion prevention (e.g., blocked access to critical systems from international IP addresses) Routine patching of newly-discovered vulnerabilities; software update
crowd
New participants and practices enabled by the net and its attendant technologies
Shortfalls of the conventional technical approach (e.g., Social engineering, insider threats)
Skilled hackers prefer social engineering attacks over brute force attacks - It is easier to fool a human than a machine "Insider threats" - Motives for malicious attacks include financial gain; revenge Conventional technical approaches to IT security risks overemphasize identifiable risks
Ox weight example (incl. the four criteria to make crowd-based estimation effective)
The guy made everyone guess the weight of the cow and the average ended up being the correct answer. - Independence - Diversity - Decentralization - Aggregation
Problems arising from the non-hierarchical/messy crowd
This presents two difficult problems: - Overload: It can be hard to find what you're looking for in an ocean of uncontrolled information (The core can curate information, but there's just too much in the crowd) - Malicious Intent: Some of its members behave in hurtful ways (The core can evict bad actors, but that's hard to do on the web)
one-to-one
When an instance of one entity can have a relationship with one and only one instance of the other entity.
One to many
When an instance of the first entity can have a relationship with one or more instances of the second entity, but instances of the second entity can be related to only one instance of the first.
Many-to - Many
When instances of each entity can be related to one or more instances of the other entity.
Database
a collection of organized data that allows access, retrieval, and use of data
Primary keys
an attribute that can have a unique value for every instance (record) that you store in a table (social security number, student ID number, etc.)
How to model a database, generally (e.g., the use of Crow's Foot notation, etc)
entities are connected by crows feet. a branch means it is a many to many or one to many notation
integrity
maintaining and assuring the accuracy and reliability of the information and systems over its lifecycle
Foreign Key
one table is always the primary key in another table
The "stories" behind the hacking methods illustrated in the in-class videos
phishing the telephone company email password hack
Attributes
properties that we want to store values for. correspond to columns
availability
refers to the ability for authorized parties to access data and systems when necessary
Data Base Management System (DBMS)
software application that lets you create and work with a database
Confidentiality
the property that information is not disclosed or otherwise made available to unauthorized individuals, entities, or processes.
entities
things and concepts for which you wish to store data in the database; connected through relationships may include: Movie, Actor, Production Company, etc.