Information security test 1
Critical characteristics of information
Confidentiality, integrity, and availability (the C.I.A. triangle) must be protected at all times.
Key U.S. Federal Agencies
- Department of Homeland Security (DHS) - Federal Bureau of Investigation's National InfraGard Program - National Security Agency (NSA) - U.S. Secret Service
Security policy developers:
Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
It provides a formal approach to problem solving based on a structured sequence of procedures; it ensures a rigorous process and increases the probability of success.
The ISO 27000 Series
One of the most widely referenced and often discussed security models. A framework for information security that states an organizational security policy is needed to provide management direction and support. Its purpose is to give recommendations for information security management, and it provides a common basis for developing organizational security.
Risk assessment specialists:
People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
Systems administrators:
People with the primary responsibility for administering the systems that house the information used by the organization.
maintenance and change
Perhaps the most important phase, given the ever-changing threat environment. Often, repairing damage and restoring information is a constant duel with an unseen adversary. The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve.
Top-down Approach to Security Implementation
The project is initiated by upper management who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions.
Deterrence:
best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
Policies:
Body of expectations that describe acceptable and unacceptable employee behaviors in the workplace; policies function as laws within an organization and must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone. Ignorance of a policy is an acceptable defense.
Analysis
Documents from the investigation phase are studied. Existing security policies or programs are analyzed, along with documented current threats and associated controls. The analysis includes relevant legal issues that could impact the design of the security solution. The risk management task (identifying, assessing, and evaluating the levels of risk facing the organization) also begins in this stage.
critical features of top-down approach
has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture.
investigation
Identifies the process, outcomes, goals, and constraints of the project. Begins with the enterprise information security policy, and an organizational feasibility analysis is performed.
Three general causes of unethical and illegal behavior
ignorance, accident, intent
Systems Development Life Cycle (SDLC) six general phases
investigation, analysis, logical design, physical design, implementation, and maintenance and change.
the National Security Agency (NSA)
Is "the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information"; it is responsible for signals intelligence and information system security.
attack
is a deliberate act that takes advantage of a vulnerability to compromise a controlled system.
What is information security governance?
Is a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
The Digital Millennium Copyright Act (DMCA)
is the U.S. version of an international effort to reduce the impact of copyright, trademark, and privacy infringement especially through the removal of technological copyright protection measures. The European Union also put forward Directive 95/46/EC that increases protection of individuals with regard to the processing of personal data and the free movement of such data. The United Kingdom has already implemented a version of this directive called the Database Right.
framework
is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined
The key advantage of the bottom-up approach
is the technical expertise of the individual administrators.
Security and Access Balancing
It is impossible to obtain perfect security. Security is not an absolute; it is a process, not a goal. Security should be considered a balance between protection and availability.
USA PATRIOT Improvement and Reauthorization Act:
made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity
Due diligence:
making a valid effort to protect others; continually maintaining that level of effort
Systems Development Life Cycle (SDLC):
Methodology for the design and implementation of an information system within an organization. Methodology: a formal approach to problem solving based on a structured sequence of procedures. Using a methodology ensures a rigorous process and increases the probability of success. The traditional SDLC consists of six general phases.
Computer Security Act of 1987:
one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
bottom-up approach lacks a number of critical features
participant support and organizational staying power.
What type of security was dominant in the early years of computing?
physical security and simple document classification schemes.
Measures to protect information
policies; education, training, and awareness; and technology
How can a security framework assist in the design and implementation of a security infrastructure?
Provides an outline of the steps that need to be taken in order to effectively implement security within an organization.
Freedom of Information Act of 1966 (FOIA)
provides any person with the right to request access to federal agency records or information not determined to be a matter of national security. U.S. government agencies are required to disclose any requested information on receipt of a written request. There are exceptions for information that is protected from disclosure, and the act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.
USA PATRIOT Act of 2001:
provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
data custodians
responsible for the storage, maintenance, and protection of the information
The scope of computer security grew from physical security to include
safety of data, limiting unauthorized access to data, involvement of personnel from multiple levels of an organization
to achieve balance
the level of security must allow reasonable access yet protection against threats
Key U.S. laws protecting privacy include
Federal Privacy Act of 1974, the Electronic Communications Privacy Act of 1986, and the Health Insurance Portability and Accountability Act of 1996.
Communities in information security
general management, IT management, and security management.
Security professionals:
Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.
The Design of Security Architecture
Defense in Depth - One of the foundations of security architectures is the requirement to implement security in layers. Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls. Security Perimeter - The point at which an organization's security protection ends and the outside world begins is referred to as the security perimeter. Unfortunately, the perimeter does not apply to internal attacks from employee threats or on-site physical threats.
Privacy US Regulations
- Privacy of Customer Information Section of the common carrier regulation - Federal Privacy Act of 1974 - Electronic Communications Privacy Act of 1986 - Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act - Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
Threats or dangers facing an organization's people, information, and systems fall into the following fourteen general categories:
- Compromises to intellectual property - Deliberate software attacks - Deviations in quality of service - Espionage or trespass - Forces of nature - Human error or failure - Information extortion - Missing, inadequate, or incomplete organizational policy or planning - Missing, inadequate, or incomplete controls - Sabotage or vandalism - Theft - Technical hardware failures or errors - Technical software failures or errors - Technological obsolescence
To minimize liabilities/reduce risks, the information security practitioner must:
- Understand the current legal environment - Stay current with laws and regulations - Watch for new issues that emerge
Systems-specific policies fall into two groups
1) Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system. 2) Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system.
Security Project Team
A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas: champion, team leader, security policy developers, risk assessment specialists, security professionals, systems administrators, and end users.
Sarbanes-Oxley Act of 2002
Affects executive management of publicly traded corporations and public accounting firms. Seeks to improve the reliability and accuracy of financial reporting and increase the accountability of corporate governance. Penalties for noncompliance range from fines to jail terms. Reliability assurance will require additional emphasis on confidentiality and integrity.
EISP Elements
- An overview of the corporate philosophy on security - Information on the structure of the information security organization and the individuals who fulfill the information security role - Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors) - Fully articulated responsibilities for security that are unique to each role within the organization
Software Development Security Problems
- Buffer overruns - Command injection - Cross-site scripting - Failure to handle errors - Failure to protect network traffic - Failure to store and protect data securely - Failure to use cryptographically strong random numbers - Format string problems - Neglecting change control - Improper file access - Improper use of SSL - Information leakage - Integer bugs (overflows/underflows) - Race conditions - SQL injection
Three approaches when creating and managing Issue Specific Security Policy
1) Create a number of independent ISSP documents 2) Create a single comprehensive ISSP document 3) Create a modular ISSP document
Criteria for policy enforcement:
Dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), and uniform enforcement.
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA) and Security And Freedom Through Encryption Act of 1999 (SAFE). The acts include provisions about encryption that: reinforce the right to use or sell encryption algorithms without concern for key registration; prohibit the federal government from requiring it; make it not probable cause in criminal activity; relax export restrictions; and add penalties for using it in a crime.
Enterprise Information Security Policy (EISP)
Ensures that the requirements to establish the program, and the responsibilities assigned therein to various organizational components, are met. Specifies penalties and disciplinary action.
Bottom-up approach to information security
Grassroots effort: systems administrators attempt to improve security of their systems.
Dedicated recovery site options
Hot sites: fully operational sites. Warm sites: fully operational hardware, but software may not be present. Cold sites: rudimentary services and facilities.
Continuity Strategies
Incident response plans (IRPs); disaster recovery plans (DRPs); business continuity plans (BCPs). Primary functions of the above plans: the IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP. The DRP typically focuses on restoring systems after disasters occur and, as such, is closely associated with the BCP. The BCP occurs concurrently with the DRP when damage is major or long term, requiring more than simple restoration of information and information resources.
To remain viable, security policies must have:
- An individual responsible for the policy (policy administrator) - A schedule of reviews - A method for making recommendations for reviews - A specific policy issuance and revision date - Automated policy management
Security Training
Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely. Management of information security can develop customized in-house training or outsource the training program. Alternatives to formal training include conferences and programs offered through professional organizations.
Information security
Is the protection of information assets that use, store, or transmit information from risk through the application of policy, education, and technology.
Organizational Security Infrastructure objectives:
- Manage information security within the company - Maintain the security of organizational information processing facilities and information assets accessed by third parties - Maintain the security of information when the responsibility for information processing has been outsourced to another organization
Design of Security Architecture (levels of Controls)
Management controls cover security processes that are designed by the strategic planners and performed by security administration of the organization. Management controls address the design and implementation of the security planning process and security program management. Operational controls deal with the operational functionality of security in the organization. They cover management functions and lower-level planning, such as disaster recovery and incident response planning. Operational controls also address personnel security, physical security, and the protection of production inputs and outputs. Technical controls address those tactical and technical issues related to designing and implementing security in the organization. Technical controls cover logical access controls like identification, authentication, authorization, and accountability
Where can a security administrator find information on established security frameworks?
Management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment.
Components of information security
Management of information security, network security, policy, and computer and data security.
Physical Design
Needed security technology is evaluated, alternatives are generated, and the final design is selected. At the end of the phase, a feasibility study determines the readiness of the organization for the project.
Security Awareness
One of the least frequently implemented but most beneficial programs is the security awareness program. It is designed to keep information security at the forefront of users' minds, and it need not be complicated or expensive. If the program is not actively implemented, employees begin to "tune out" and the risk of employee accidents and failures increases.
Which paper is the foundation of all subsequent studies of computer security?
Rand Report R-609
Which law was created specifically to deal with encryption policy in the United States?
Security and Freedom through Encryption Act of 1999
Implementation
Security solutions are acquired, tested, implemented, and tested again. Personnel issues are evaluated; specific training and education programs are conducted. The entire tested package is presented to management for final approval.
Components of Issue-Specific Security Policy (ISSP)
- Statement of Policy - Authorized Access and Usage of Equipment - Prohibited Use of Equipment - Systems Management - Violations of Policy - Policy Review and Modification - Limitations of Liability
Information Security Governance outcomes (goals)
Strategic alignment, risk management, resource management, performance measures, and value delivery.
Continuity strategies
There are a number of strategies for planning for business continuity. The determining factor in selecting between options is usually cost.
End users:
Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
Off-Site disaster data storage
To get sites up and running quickly, an organization must have the ability to port data into the new site's systems. Options for getting operations up and running include: electronic vaulting, remote journaling, and database shadowing.
Deliberate Software Attacks
Viruses, worms, Trojan horses, logic bombs, back doors or trap doors, polymorphic threats, and virus and worm hoaxes.
Vulnerability
Weakness in a controlled system, where controls are not present or no longer effective
Exposure
A single instance of a system being open to damage. In information security, an exposure exists when a vulnerability known to an attacker is present.
Criminal law
addresses violations harmful to society; actively enforced by the state
ACL Policies
Allow configuration to restrict access from anyone and anywhere. They regulate: who can use the system; what authorized users can access; when authorized users can access the system; and where authorized users can access the system from.
threat
an object, person, or other entity that represents a constant danger to an asset
Systems-Specific Policy (SysSP)
are frequently codified as standards and procedures used when configuring or maintaining systems.
Rule Policies
are more specific to the operation of a system than ACLs, and they may or may not deal with users directly. Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process.
Baselining and best practices
are solid methods for collecting security practices, but provide less detail than a complete methodology
Security policies
are the least expensive control to execute but the most difficult to implement.
Software assurance
attempts to identify the activities involved in creating secure systems.
Key Technology Components (Design of Security Architecture)
firewall, proxy server, intrusion detection systems, and the DMZ.
technical software failures or errors
Bugs, code problems, and unknown loopholes; the biggest problem, and always going to be an issue. This category of threats comes from purchasing software with unknown, hidden faults. Large quantities of computer code are written, debugged, published, and sold, only to determine that not all bugs were resolved. Sometimes, unique combinations of certain software and hardware reveal new bugs. Sometimes, these items aren't errors but are purposeful shortcuts left by programmers for honest or dishonest reasons.
What are the three components of the C.I.A. triangle? What are they used for?
Confidentiality, integrity, and availability. They are the standard for computer security; the C.I.A. triangle is a security model created to guide information security policies within a company.
Implementation of information security legislation
contributes to a more reliable business environment and a stable economy
Incident response (IR) Planning
Covers identification of, classification of, and response to an incident. Attacks are classified as incidents if they: are directed against information assets; have a realistic chance of success; or could threaten the confidentiality, integrity, or availability of information resources. IR is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident.
logical design
creates and develops the blueprints for security, and it examines and implements key policies that influence later decisions. Also at this stage, critical planning is developed for incident response actions to be taken in the event of partial or catastrophic loss. Next, a feasibility analysis determines whether or not the project should continue or should be outsourced.
the control and use of data is accomplished by
data owners, data custodians, and data users
sabotage or vandalism
Destruction of systems or information; most of the time it is internal. Threats can range from petty vandalism to organized sabotage. Web site defacing can erode consumer confidence, dropping sales and the organization's net worth. The threat of hacktivist or cyberactivist operations is rising. Cyberterrorism is a much more sinister form of hacking.
overall software quality and the security performance of software can be greatly enhanced by
incorporating sound development practices, change control, and quality assurance into the process.
Policy
Directs how issues should be addressed and technologies used; it does not cover the specifics of the proper operation of equipment or software. It guides personnel to function in a manner that will add to the security of the organization's information assets.
Civil law
governs nation or state; manages relationships/conflicts between organizational entities and people
six major components of information systems
hardware, software, data, people, procedures, and network
Why is the top-down approach to information security superior to the bottom-up approach
has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture.
Intrusion detection systems (IDSs):
In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement these.
Security Education, Training, and Awareness Program
Is a control measure designed to reduce the incidence of accidental security breaches by employees. SETA programs are designed to supplement the general education and training programs in place to educate staff on information security; they build on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely.
firewall
is a device that selectively discriminates against information flowing into or out of the organization. Is usually a computing device or specially configured computer that allows or prevents information from entering or exiting the defined area based on a set of predefined rules.
The DMZ (demilitarized zone)
is a no-man's land between the inside and outside networks, where some organizations place Web servers. These servers provide access to organizational Web pages, without allowing Web requests to enter the interior networks.
Disaster Recovery Planning
Is planning the preparation for and recovery from a disaster. The contingency planning team must decide which actions constitute disasters and which constitute incidents. When situations are classified as disasters, plans change as to how to respond; action is taken to secure the most valuable assets to preserve value for the longer term. The DRP strives to reestablish operations at the primary site.
The Computer Fraud and Abuse Act of 1986
is the cornerstone of many computer-related federal laws and enforcement efforts.
Business Continuity Planning
outlines reestablishment of critical business operations during a disaster that impacts operations at the primary site. If a disaster has rendered the current location of the business unusable for continued operations, there must be a plan to allow the business to continue to function.
proxy server
performs actions on behalf of another system.
Private law
regulates relationships between individuals and organizations
Public law
regulates structure/administration of government agencies and relationships with citizens, employees, and other governments
data owners
responsible for the security and use of a particular set of information
data users
work with the information to perform their daily jobs supporting the mission of the organization.
Issue-Specific Security Policy (ISSP)
1) Addresses specific areas of technology 2) Requires frequent updates 3) Contains an issue statement on the organization's position on an issue
types of security policy:
1) General or security program policy 2) Issue-specific security policies 3) Systems-specific security policies
types of attacks
- Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism - Password crack: attempting to reverse calculate a password - Brute force: trying every possible combination of options of a password - Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
The ISO 27000 Series
- Code of Practice for Information Security Management, which was originally published as the British Standard BS 7799.
Information security performs four important functions:
- Protecting an organization's ability to function - Enabling the safe operation of applications implemented on the organization's IT systems - Protecting the data an organization collects and uses - Safeguarding the technology assets in use at an organization
organizations that investigate software abuse:
- Software & Information Industry Association (SIIA) - Business Software Alliance (BSA)
The team leader:
A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
The champion:
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization
threat agent
A specific instance or component that represents a danger to an organization's assets. Threats can be accidental or purposeful, for example, lightning strikes or hackers.