ISDS 418 Final Study Guide

Security training

"How" A security training program is designed to teach people the skills to perform their IS- related tasks more securely. Training teaches what people should do and how they should do it.

Security awareness

"What" A security awareness program seeks to inform and focus an employee's attention on issues related to security within the organization. Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed.

Security education

"Why" This is targeted at security professionals and those whose jobs require expertise in security. Security education is normally outside the scope of most organization awareness and training programs.

Asset

- "anything that needs to be protected" - A system resource or capability of value to its owner that requires protection

Four approaches to identifying and mitigating risks to an organization's IT infrastructure

- Baseline approach - Informal approach - Detailed risk analysis - Combined approach

Cost-benefit analysis in choosing controls

- If the control would reduce risk more than needed, then a less expensive alternative could be used. - If the control would cost more than the risk reduction provided, then an alternative should be used. - If a control does not reduce the risk sufficiently, then either more or different controls should be used. - If the control provides sufficient risk reduction and is the most cost effective, then use it.

Risk Treatment

- Risk acceptance - accept risk b/c cost/time - Risk avoidance - not proceeding with the activity or system that creates this risk - Risk transfer - xfer to 3rd party - Reduce consequence - reduce risk by backups/recovery plan - Reduce likelihood - lower chance of vulnerability

A professional code of conduct can serve the following functions

1. A code can serve two inspirational functions: as a positive stimulus for ethical conduct on the part of the professional, and to instill confidence in the customer or user of an IS product or service. 2. A code can be educational. 3. A code provides a measure of support for a professional whose decision to act ethically in a situation may create conflict with an employer or customer. 4. A code can be a means of deterrence and discipline. 5. A code can enhance the profession's public image, if it is seen to be widely honored

Three Fundamental Questions

1. What assets do we need to protect? 2. How are those assets threatened? 3. What can we do to counter those threats? IT security management is the formal process of answering these questions, ensuring that critical assets are sufficiently protected in a cost-effective manner. Next, an IT security risk assessment is needed that answers these 3 questions.

Computer Security Incident Response Team (CSIRT)

A capability set up for the purpose of assisting in responding to computer security-related incidents that involve sites within a defined constituency; also called a computer incident response team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability)

Vulnerability

A characteristic of a piece of technology which can be exploited to perpetrate a security incident. For example, if a program unintentionally allowed ordinary users to execute arbitrary operating system commands in privileged mode, this "feature" would be a vulnerability.

Vulnerability

A flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by some threat.

Threat

A potential for a threat source to exploit a vulnerability in some asset, which if it occurs may compromise the security of the asset and cause harm to the asset's owner.

IT Security Management

A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability

Incident

A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Operational controls

Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems. They are used to improve the security of a system or group of systems.

Artifact

Any file or object found on a system that might be involved in probing or attacking systems and networks or that is being used to defeat security measures. Artifacts can include, but are not limited to, computer viruses, Trojan horse programs, worms, exploit scripts, and toolkits.

Intellectual property

Any intangible asset that consists of human knowledge and ideas. Examples include software, data, novels, sound recordings, the design of a new type of mousetrap, or a cure for a disease. 3 types of intellectual property: copyrights, trademarks, and patents.

Baseline Approach

Basic level of security controls on systems using baseline documents, codes of practice, and industry best practice. Adv: does not require additional resources in conducting a more formal risk assessment Disadv: no special consideration is given to variations in the organization's risk exposure based on who they are and how their systems are used.

Separation of duties

Carefully separate duties so that people involved in checking for inappropriate use are not also capable of making such inappropriate use.

Security Compliance

Checking is an audit process to review the organization's security processes.

Computers as storage devices

Computers can be used to further unlawful activity by using a computer or a computer device as a passive storage medium.

Detailed Risk Analysis

Detailed risk assessment of the organization's IT systems, using a formal structured process Adv: provides the most detailed examination of security risks Disadv: significant cost in time, resources, and expertise

Unlinkability

Ensures that a user may make multiple uses of resources or services without others being able to link these uses together.

Pseudonymity

Ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use.

Anonymity

Ensures that a user may use a resource or service without disclosing the user's identity.

Unobservability

Ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used.

Handling incidents

Figure 17.2 illustrates a typical incident-handling life cycle. Once an incident is opened, it transitions through a number of states, with all the information relating to the incident (its change of state and associated actions), until no further action is required from the team's perspective and the incident is finally closed. The cyclical portion of Figure 17.2 (lower left) indicates those states that may be visited multiple times during the activity's life cycle

Preventative controls

Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability

Management controls

Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission. These controls refer to issues that management needs to address.

Detection and recovery controls

Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources

Least privilege

Give each person the minimum access necessary to do his or her job.

Clearinghouse

Handles the financial transaction for issuing the digital license to the consumer and pays royalty fees to the content provider and distribution fees to the distributor accordingly.

Content provider

Holds the digital rights of the content and wants to protect these rights. Examples are a music record label and a movie studio.

Informal Approach

Informal, pragmatic risk analysis for the organization's IT systems Adv: individuals performing the analysis require no additional skills Disadv: Because a formal process is not used, there is a chance that some risks may not be considered appropriately, potentially leaving the organization vulnerable.

Infringement

Invasion of the rights secured by copyrights, trademarks, and patents.

Technical controls

Involve the correct use of hardware and software security capabilities in systems. These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

Configuration management

Keeping track of the configuration of each system in use and the changes made to each.

Real property

Land and things permanently attached to the land, such as trees, buildings, and stationary mobile homes.

Computers as communications tools

Many of the crimes falling within this category are simply traditional crimes that are committed online. Examples include the illegal sale of prescription drugs, controlled substances, alcohol, and guns; fraud; gambling; and child pornography.

Identity management

Mechanisms to uniquely identify entities, such as parties and content.

Table 15.1 NIST SP800-53 Security Controls

Must know: Match a control (family) to its control class. To do that, know general definition of each control shown in Table 15.3. https://prnt.sc/vyqxdt

Limited reliance on key employees

No one in an organization should be irreplaceable. If your organization depends on the ongoing performance of a key employee, then your organization is at risk.

Personal property

Personal effects, moveable property and goods, such as cars, bank accounts, wages, securities, a small business, furniture, insurance policies, jewelry, patents, pets, and season baseball tickets.

Supportive controls

Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.

Rights management

Processes and functions needed to manage rights, rights holders, and associated requirements.

Content management

Processes and functions needed to manage the content lifestyle.

Distributor

Provides distribution channels, such as an online shop or a Web retailer. For example, an online distributor receives the digital content from the content provider and creates a Web catalog presenting the content and rights metadata for the content promotion.

Detecting Incidents

Security incidents may be detected by users or administration staff who report a system malfunction or anomalous behavior.

Constituency

The group of users, sites, networks, or organizations served by the CSIRT.

Risk apetite

The level of risk the organization views as acceptable

Maintenance

The maintenance tasks include ensuring that: - Controls are periodically reviewed to verify that they still function as intended. - Controls are upgraded when new requirements are discovered. - Changes to systems do not adversely affect the controls. - New threats or vulnerabilities have not become known.

Risk

The potential for loss computed as the combination of the likelihood that a given threat exploits some vulnerability to an asset, and the magnitude of harmful consequence that results to the asset's owner.

Incident Handling

The procedures used to respond to a security incident comprise the final aspect included in the follow-up stage of IT security management.

Triage

The process of receiving, initial sorting, and prioritizing of information to facilitate its appropriate handling.

Change management

The process used to review proposed changes to systems for implications on the organization's systems and use.

Risk reduction comes from reduction in threat likelihood or reduction in consequence

The reduction in likelihood may result either by reducing the vulnerabilities (flaws or weaknesses) in the system or by reducing the capability and motivation of the threat source. The reduction in consequence occurs by reducing the magnitude of the adverse impact of the threat occurring in the organization.

Feasibility and Effectiveness of a control

The resulting list of controls should include details of the feasibility and effectiveness of each control. The feasibility addresses factors such as technical compatibility with and operational impact on existing systems and user's likely acceptance of the control. The effectiveness equates the cost of implementation against the reduction in level of risk achieved by implementing the control.

Cybercrime Victims

The success of cybercriminals, and the relative lack of success of law enforcement

Computers as targets

This form of crime targets a computer system, to acquire information stored on that computer system, to control the target system without authorization or payment (theft of service), or to alter the integrity of data or interfere with the availability of the computer or server.

Data transformation

This function encodes or encrypts portions of the data so as to preserver privacy but still allow data analysis functions needed for effective use. An example of such data analysis functions is the detection of terrorist activity patterns

Anonymization

This function removes specific identifying information from query results, such as last name and telephone number, but creates some sort of anonymized unique identifier so that analysts can detect connections between queries.

Selective revelation

This is a method for minimizing exposure of individual information while enabling continuous analysis of potentially interconnected data.

Consumer

Uses the system to access the digital content by retrieving downloadable or streaming content through the distribution channel and then paying for the digital license.

Rights holders

are the content providers, who either created the content or have acquired rights to the content.

Consumers

are those who purchase the right to access to content for specific uses.

Combined Approach

combines elements of the baseline, informal, and detailed risk analysis approaches. Adv: The use of the initial high-level analysis to determine where further resources need to be expended, rather than facing a full detailed risk analysis of all systems, may well be easier to sell to management. Disadv: If the initial high-level analysis is inaccurate, then some systems for which a detailed risk analysis should be performed may remain vulnerable for some time.

Table 15.3 Detailed NIST SP800-53 Security Controls

https://prnt.sc/vyqxm9 https://prnt.sc/vyqxq7

Service providers

include distributors and clearinghouses.

Digital Rights Management

refers to systems and procedures that ensure that holders of digital rights are clearly identified and receive the stipulated payment for their works.

Programmers, developers, and system maintainers

require more specialized or advanced training.

Figure 14.4 Generic Organizational Risk Context

sry i'm broke https://prnt.sc/vyqj9y

Computer crime, or cybercrime

used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity.

Threats from internal users include the following:

• Gaining unauthorized access or enabling others to gain unauthorized access • Altering data • Deleting production and backup data • Crashing systems • Destroying systems • Misusing systems for personal gain or to damage the organization • Holding data hostage • Stealing strategic or customer data for corporate espionage or fraud schemes