CYB 600 CHAPTER 1: Information Systems Security


Software development life cycle (SDLC)

Apply secure software development life cycle tactics when designing and developing software.

Risk

likelihood that something bad will happen to an asset

Availability

the amount of time users can use a system, application, and data.

World Wide Web (WWW)

A collection of documents that are hyperlinked among one another and accessed using the Internet.

Data classification standard

A definition of different data types with respect to security sensitivity.

Internet

A global network of computer networks that uses the TCP/IP family of protocols and applications to connect nearly 2 billion users.

End-User License Agreement (EULA)

A licensing agreement between the software manufacturer and users, which limits the liability for software errors, bugs, or vulnerabilities.

Application gateway firewalls

A network device or computer that serves as a firewall and an intermediary between internal computers and computers on the Internet.

Proxy firewall

A network device or computer that serves as a firewall and an intermediary between internal computers and computers on the Internet.

Business continuity plan (BCP)

A plan for how to handle outages to IT systems, applications, and data access in order to maintain business operations.

Transmission Control Protocol/Internet Protocol (TCP/IP)

A popular suite of protocols that operate at both the Network and Transport Layer of the OSI Reference Model. TCP/IP governs all activity across the Internet and through most corporate and home networks.

Fair Isaac Corp (FICO)

A publicly traded company that provides information used by the consumer credit reporting agencies Equifax, Experian, and TransUnion.

IT security policy framework

A set of rules for security. The framework is hierarchical and includes policies, standards, procedures, and guidelines.

Vulnerability assessment

A software review that identifies bugs or errors in software.

Internet of Things (IoT)

A term used to refer to the large number of networked devices (e.g., personal items, home appliances, cloud services, vehicles, etc.) that can now connect to the Internet.

You can help ensure confidentiality by implementing __________.

A virtual private network for remote access

Vulnerability

A weakness that allows a threat to be realized or to have an effect on an asset

security control

Action an organization takes to help reduce risk.

acceptable use policy (AUP)

An AUP defines what users are allowed and not allowed to do with organization-owned IT assets.

Ethernet

An IEEE 802.3 CSMA/CD standard for Ethernet networking supporting speeds from 10 Mbps to over 10 Gbps.

service-level agreements (SLAs)

An SLA is a contract that guarantees a minimum monthly availability of service for wide area network (WAN) and Internet access links.

Wireless Fidelity (Wi-Fi)

An alliance among wireless manufacturers to brand certified products that interoperate with wireless LAN standards. A Wi-Fi hotspot is a wireless LAN access location.

Hypertext Transfer Protocol Secure (HTTPS)

An application layer protocol that allows users to communicate and access content via web pages and browsers.

Two-factor authentication

An authentication method that uses two types of authentication credentials. See also two-step authentication.

Data breach

An incident in which sensitive data is accessed and stolen.

A data classification standard is usually part of which policy definition?

Asset protection policy

The __________ tenet of information systems security is concerned with the recovery time objective.

Availability

Availability

Availability is a mathematical calculation where A = (Total Uptime) / (Total Uptime + Total Downtime).

Organizations that require customer service representatives to access private customer data can best protect customer privacy and make it easy to access other customer data by using which of the following security controls?

Blocking out customer private data details and allowing access only to the last four digits of Social Security numbers or account numbers

Internet IP packets are to cleartext what encrypted IP packets are to __________.

Ciphertext

Accountability

Defining the roles, responsibilities, and what key IT security employees and incident response team members must do.

Downtime

Downtime is the total amount of time that a system, application, and data are not accessible.

Which of the following security controls can help mitigate malicious email attachments?

Email filtering and quarantining
Email attachment antivirus scanning
Verifying with users that the email source is reputable
Holding all inbound emails with unknown attachments
All of the above

Software manufacturers limit their liability when selling software using which of the following?

End-User License Agreements

Port 20: File Transfer Protocol (FTP)

FTP is a protocol for performing file transfers. FTP uses TCP for connection-oriented data transmission, but sends its data in cleartext, including the password. Connection-oriented means individual packets are numbered and acknowledged as received, which increases the integrity of the file transfer.

Wireless access point (WAP)

For wireless LANs (WLANs), radio transceivers are used to transmit IP packets from a WLAN NIC to a wireless access point (WAP).

Port 80: Hypertext Transfer Protocol (HTTP)

HTTP is the communications protocol between web browsers and websites with data in cleartext.

TENETS OF INFORMATION SYSTEMS SECURITY: C-I-A triad

Information that is secure satisfies three main tenets, or properties, of information.
Confidentiality: Only authorized users can view information.
Integrity: Only authorized users can change information.
Availability: Information is accessible by authorized users whenever they request the information.

Multiprotocol Label Switching (MPLS)

MPLS uses labels or tags to make virtual connections between endpoints in a WAN.

Mean time between failures (MTBF)

MTBF is the predicted amount of time between failures of an IT system during operation.

Mean time to failure (MTTF)

MTTF is the average amount of time between failures for a particular system.

Mean time to repair (MTTR)

MTTR is the average amount of time it takes to repair a system, application, or component.

Which of the following is not a U.S. compliance law or act?

PCI DSS

Family Educational Rights and Privacy Act (FERPA)

Passed in 1974, FERPA protects the private data of students and their school records.

Health Insurance Portability and Accountability Act (HIPAA)

Passed in 1996, HIPAA requires health care organizations to have security and privacy controls implemented to ensure patient privacy.

Sarbanes-Oxley Act (SOX)

Passed in 1999, GLBA requires all types of financial institutions to protect customers' private financial information.

Children's Internet Protection Act (CIPA)

Passed in 2000 and updated in 2011, CIPA requires public schools and public libraries to use an Internet safety policy. The policy must address the following:

Federal Information Security Management Act (FISMA)

Passed in 2002, FISMA requires federal civilian agencies to provide security controls over resources that support federal operations.

Federal Information Security Modernization Act (FISMA)

Passed in 2014, FISMA was enacted to update FISMA 2002 with information on modern threats as well as security controls and best practices.

How can an IT security policy framework reduce risk?

Policies define how security controls and countermeasures must be used to comply with laws and regulations.

Recovery time objective (RTO)

RTO is the amount of time it takes to recover and make a system, application, and data available for use after an outage.

Payment Card Industry Data Security Standard (PCI DSS)

Requires protection of consumer privacy data with proper security controls (a global industry standard, not a U.S. federal law).

Ping

Stands for "packet Internet groper." Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply communications to verify end-to-end IP connectivity.

Port 69: Trivial File Transfer Protocol (TFTP)

TFTP is a protocol for performing file transfers. TFTP utilizes UDP as a connectionless data transmission but in cleartext. This is used for small and quick file transfers, given that it does not guarantee individual packet delivery.

Port 23: Terminal Network (Telnet)

Telnet is a network protocol for performing remote terminal access to another device. Telnet uses TCP and sends data in cleartext.

Demilitarized zone (DMZ)

The DMZ is a LAN segment in the LAN-to-WAN Domain that acts as a buffer zone for inbound and outbound IP traffic.

(ISC)²

The International Information Systems Security Certification Consortium. A nonprofit organization dedicated to certifying information systems security professionals.

What is the weakest link in an IT infrastructure?

The User Domain is the weakest link in an IT infrastructure.

Cybersecurity

The act of securing and protecting individuals, businesses, organizations, and governments that are connected to the Internet and the Web.

Identity theft

The act of stealing personally identifiable information with the intent to open new accounts, make purchases, or commit fraud.

Maximizing availability primarily involves minimizing __________.

The amount of downtime recovering from a disaster
The mean time to repair a system or application
Downtime by implementing a business continuity plan
The recovery time objective

e-commerce

The buying and selling of goods and services online through a secure website, with payment by credit card or direct debit from a checking account.

Generation Y

The generation composed of those born between 1980 and 2000 in the United States

cyberspace

The global online virtual world created by the Internet where individuals, businesses, organizations, and governments connect to one another.

unified communications

The integration of multiple types of enterprise communication, such as instant messaging, voice, video, and data, all on a single network.

Network interface card (NIC)

The interface between the computer and the LAN physical media.

Authorization

The process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.

Identification

The process of providing identifying information, such as a username, a logon ID, or an account number.

Information security

The protection of data itself.

information systems

The servers and application software on which information and data reside.

Subnet mask

The subnet mask address defines the IP network number and IP host number.

Masking

The use of a special character (e.g., X or *) to hide some of the characters of a sensitive data element, such as a credit card number or a Social Security number.

vulnerability window

The vulnerability window is the gap in time during which a workstation is exposed to a known vulnerability until it is patched.

Authentication

This is the process for proving that a remote user is who the user claims to be. The most common authentication method is supplying a password.

Encrypting email communications is needed if you are sending confidential information within an email message through the public Internet.

True

If you are a publicly traded company or U.S. federal government agency, you must go public and announce that you have had a data breach and must inform the impacted individuals of that data breach.

True

Information security is specific to securing information, whereas information systems security is focused on the security of the systems that house the information.

True

Using security policies, standards, procedures, and guidelines helps organizations decrease risks and threats.

True

A data breach is typically performed after which of the following?

Unauthorized access to systems and applications is obtained

cleartext

Unencrypted data, the opposite of ciphertext. Data sent as cleartext is readable and understandable.

Uptime

Uptime is the total amount of time that a system, application, and data are accessible.

The __________ is the weakest link in an IT infrastructure.

User Domain

What are the seven domains of an IT infrastructure?

User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
Remote Access Domain
WAN Domain
System/Application Domain

IP default gateway router

acts as the entry/exit to the LAN

threat

any action that could damage an asset

Information systems security

collection of activities that protect the information system and the data stored in it

local area network (LAN)

collection of computers connected to one another or to a common connection medium. Network connection mediums can include wires, fiber-optic cables, or radio waves.

Malware (Malicious Software)

computer program written to cause a specific action to occur, such as erasing a hard drive

virus

computer program written to cause damage to a system, an application, or data

Virtual private networks (VPNs)

dedicated encrypted tunnel from one endpoint to another. The VPN tunnel can be created between a remote workstation using the public Internet and a VPN router or a secure browser and a Secure Sockets Layer virtual private network (SSL-VPN) website.

Acceptable use policy (AUP)

defines what users are allowed and not allowed to do with organization-owned IT assets

business continuity plan (BCP)

gives priorities to the functions an organization needs to keep going

protocol

list of rules and methods for communicating

Simple Network Management Protocol (SNMP)

network monitoring and management—SNMP is used for network device monitoring, alarm, and performance.

IP stateful firewall

security appliance used to filter inbound IP packets based on various ACL definitions configured for IP, TCP, and UDP packet headers. A stateful firewall can examine IP, TCP, or UDP packet headers for filtering and tracks the state of connections.

Cryptography

the practice of hiding data and keeping it away from unauthorized users.

Encryption

the process of transforming data from cleartext into ciphertext.

Ciphertext

the scrambled data that are the result of encrypting cleartext
