Information Security and Assurance - C725
Factors involved in calculating the value of a countermeasure
- Cost of purchase, development, and licensing
- Cost of implementation and customization
- Cost of annual operation, maintenance, administration, and so on
- Cost of annual repairs and upgrades
- Productivity improvement or loss
- Changes to environment
- Cost of testing and evaluation
Types of Computer crimes
- Military and intelligence attacks
- Business attacks
- Financial attacks
- Terrorist attacks
- Grudge attacks
- Thrill attacks
The three major provisions of the Federal Sentencing Guidelines
- The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.
- The guidelines allow organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.
- The guidelines outline three burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and the subsequent damages.
The six major elements of quantitative risk analysis
1. Assign asset value (AV)
2. Calculate exposure factor (EF), the percentage of the asset's value lost in a single incident
3. Calculate single loss expectancy (SLE = AV × EF)
4. Assess the annualized rate of occurrence (ARO)
5. Derive the annualized loss expectancy (ALE = SLE × ARO)
6. Perform cost/benefit analysis of countermeasures (value of a safeguard = ALE before − ALE after − annual cost of the safeguard)
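The six steps above, and the countermeasure cost factors listed at the top of this page, carried through in code. This is an added worked example, not part of the original card set; the asset value, exposure factors, rates and safeguard costs are constructed to show the arithmetic, and the two countermeasures are hypothetical.

```python
"""Worked quantitative risk analysis (an added example; not part of the
original card set). Asset values, exposure factors, rates and countermeasure
costs below are constructed to illustrate the arithmetic."""
from dataclasses import dataclass


@dataclass
class Countermeasure:
    """One safeguard, costed with the factors a countermeasure valuation must
    include: purchase/licensing, implementation, annual operation, repairs and
    upgrades, productivity change, environment changes, and testing."""
    name: str
    purchase_and_licensing: float      # one-time, spread over service life
    implementation: float              # one-time, spread over service life
    service_life_years: int
    annual_operation: float            # maintenance, administration, support
    annual_repairs_upgrades: float
    annual_productivity_delta: float   # > 0 is a loss, < 0 is an improvement
    annual_environment_changes: float  # e.g. extra power, rack space
    annual_testing: float              # evaluation and recurring testing
    ef_after: float                    # exposure factor once deployed
    aro_after: float                   # annualized rate of occurrence once deployed

    def annual_cost(self) -> float:
        one_time = self.purchase_and_licensing + self.implementation
        return (one_time / self.service_life_years
                + self.annual_operation
                + self.annual_repairs_upgrades
                + self.annual_productivity_delta
                + self.annual_environment_changes
                + self.annual_testing)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF, where EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be in [0, 1]")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be below 1 (an incident every few years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def countermeasure_value(av: float, ef_before: float, aro_before: float,
                         cm: Countermeasure) -> float:
    """Cost/benefit: ALE(before) - ALE(after) - annual cost of the safeguard.
    A positive result means the safeguard pays for itself; a negative one
    means accepting the risk (or finding a cheaper control) is the better choice."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(av, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(av, cm.ef_after), cm.aro_after)
    return ale_before - ale_after - cm.annual_cost()


def run_example() -> dict:
    """Constructed scenario: a $500k customer database facing ransomware that
    would destroy 60% of its value about once every four years (ALE $75,000)."""
    av, ef_before, aro_before = 500_000.0, 0.60, 0.25
    options = [
        Countermeasure("offline backups + EDR", 40_000, 10_000, 5,
                       12_000, 3_000, 1_000, 500, 1_500, ef_after=0.10, aro_after=0.10),
        Countermeasure("hardware-isolated vault", 200_000, 50_000, 5,
                       30_000, 0, 0, 0, 0, ef_after=0.05, aro_after=0.05),
    ]
    return {cm.name: countermeasure_value(av, ef_before, aro_before, cm) for cm in options}
```

In the constructed scenario the first safeguard costs $28,000 a year and is worth about $42,000 a year; the second reduces the loss further but costs more than the risk it removes, so its value is negative and it should be rejected on financial grounds even though it is the "more secure" option.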
The 5 important criteria for design verification
1. A formal model of the security policy must be clearly identified and documented, including a mathematical proof that the model is consistent with its axioms and is sufficient to support the security policy.
2. A formal top-level specification (FTLS) must be produced that includes abstract definitions of the functions the TCB performs and of the hardware and/or firmware mechanisms that support separate execution domains.
3. The FTLS of the TCB must be shown to be consistent with the model, using formal techniques where possible (when verification tools exist) and informal ones where formal techniques are unavailable.
4. The TCB implementation (in hardware, firmware, and software) must be informally shown to be consistent with the FTLS: the elements of the FTLS must be shown, using informal techniques, to correspond to the elements of the TCB. The FTLS must express the unified protection mechanism required to satisfy the security policy, and the elements of this protection mechanism are mapped to the elements of the TCB.
5. Formal analysis techniques must be used to identify and analyze covert channels; informal techniques may be used to identify covert timing channels (unwanted communications based on temporal activities). The developer must justify the continued existence of any identified covert channel in the system.
The 10 Domains of the Information Security Common Body of Knowledge (CBK)
1. Information Security Governance and Risk Management
2. Security Architecture and Design
3. Business Continuity and Disaster Recovery Planning
4. Legal Regulations, Investigations, and Compliance
5. Physical (Environmental) Security
6. Operations Security
7. Access Control
8. Cryptography
9. Telecommunications and Network Security
10. Software Development Security
The three main requirements for a patent.
1. The invention must be new. Inventions are patentable only if they are original ideas.
2. The invention must be useful. It must actually work and accomplish some sort of task.
3. The invention must not be obvious. You could not, for example, obtain a patent for the idea of using a drinking cup to collect rainwater; that is an obvious solution. You might, however, be able to patent a specially designed cup that optimizes the amount of rainwater collected while minimizing evaporation.
Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Six principles to guide digital evidence technicians
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
6. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
The Information Technology Security Evaluation Criteria (ITSEC)
A European-developed set of evaluation criteria that filled a role roughly equivalent to the TCSEC's for use throughout the European Community.
Process isolation
A TCB design objective in which each process has its own distinct address space for its application code and data. Such a design makes it possible to prevent each process from accessing another process's data, which prevents data or information leakage and prevents modification of the data while in memory.
Data hiding a.k.a. information hiding
A TCB mechanism used to ensure that information available at one processing level is not available at another, regardless of whether it is higher or lower. It is also a concept in object-oriented programming (OOP), where information is encapsulated within an object and can be directly manipulated only by the services provided within the object.
The principle of least privilege
A TCB practice in which a process (program) has no more privilege than it really needs to perform its functions. Any modules that require supervisor or root access (that is, complete system privileges) are embedded in the operating system kernel. The kernel handles all requests for system resources and mediates access from external modules to privileged modules when required.
Abstraction
A TCB practice of defining a specific set of permissible values for an object and the operations that are permissible on that object. This involves ignoring or separating implementation details to concentrate on what is important for maintaining security.
Information storage
The parts of a computer system that retain a physical state (information) for some interval of time, possibly even after electrical power to the computer is removed.
Layering
A TCB practice in which process operation is divided into layers by function, each layer dealing with a specific activity. The lower (outer) layers perform basic tasks, whereas the higher (inner) layers perform more complex or protected tasks.
Hardware segmentation
A TCB practice that specifically relates to the segmentation of memory into protected segments. The kernel allocates the required amount of memory for a process to load its application code, its process data, and its application data. The system prevents user processes from accessing another process's allocated memory, and it prevents user processes from accessing system memory.
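The process isolation and hardware segmentation cards above describe the guarantee; the script below shows it from user space. This is an added example, not from the original card set. It assumes a Unix host (the `fork` start method is not available on Windows); the list contents are constructed.

```python
"""Process isolation (an added example; not from the original card set).
Assumes a Unix host where the 'fork' start method exists. The child must
hand data back explicitly through a pipe; the kernel never lets it reach
into the parent's memory directly."""
import multiprocessing
import threading


def _append_and_report(shared: list, conn) -> None:
    """Runs in the child. Mutates what it thinks is the shared list, then
    sends its own view back over an explicit, kernel-mediated channel."""
    shared.append("written by child")
    conn.send(list(shared))
    conn.close()


def modify_in_process(data: list) -> tuple:
    """Fork a child that appends to `data`; return (parent's view, child's view).
    The child got a copy of the address space, so the parent's list is unchanged
    no matter what the child does to its copy."""
    ctx = multiprocessing.get_context("fork")
    recv_end, send_end = ctx.Pipe(duplex=False)
    child = ctx.Process(target=_append_and_report, args=(data, send_end))
    child.start()
    send_end.close()              # parent keeps only the receiving end
    child_view = recv_end.recv()
    child.join()
    return data, child_view


def _append_only(shared: list) -> None:
    shared.append("written by thread")


def modify_in_thread(data: list) -> list:
    """Same mutation from a thread: threads share one address space, so the
    write is visible to the caller. This is the separation a TCB relies on
    processes (not threads) to provide."""
    t = threading.Thread(target=_append_only, args=(data,))
    t.start()
    t.join()
    return data
```

The practical consequence for design: anything that must be isolated from a compromised component (a credential broker, a parser for untrusted input) belongs in its own process, not its own thread, because a thread that is subverted owns the whole address space.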
Division D: Minimal Protection
A TCSEC division for systems that have been formally evaluated but fail to meet the requirements of a higher evaluation class. It is also used for unrated or untested systems. TCSEC contains no specific requirements for this division, but some TCSEC interpretation documents (among the other Rainbow Series documents) do permit specifying this level of evaluation.
Division A: Verified Protection
A TCSEC division for systems characterized by the use of formal security verification methods to ensure that the mandatory and discretionary security controls employed within the system effectively protect the classified or other sensitive information that the system stores or processes. Extensive documentation is required to demonstrate that the TCB meets the security requirements in all aspects of design, development, and implementation.
Division C: Discretionary Protection
A TCSEC division for systems that provide discretionary protection, based on the need-to-know or least privilege principle, and audit mechanisms that enforce the personal accountability of subjects for the actions they take while using the system. In the commercial world, discretionary protection shelters objects from unauthorized subjects through the assignment of privilege to the subject by the object's owner. In other words, a data owner (a human being) gets to decide who is authorized to access his or her objects (data, programs, and so forth).
Breach
A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration (intrusion) can result.
scenario
A scenario is a written description of a single major threat. The description focuses on how the threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets. Generally, scenarios are limited to one page of text to keep them manageable.
penetration
A penetration is the condition in which a threat agent has gained access to an organization's infrastructure through the circumvention of security controls and is able to directly imperil assets.
transposition
A basic method of disguising messages in which letters are rearranged into a different order.
substitution
A basic method of disguising messages in which letters are replaced by other letters and/or symbols.
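Both basic methods, side by side, with a check that explains why neither survives frequency analysis. This is an added example, not from the original card set; the keys (`ZEBRA`, `SECURITY`) and the plaintext are constructed.

```python
"""Transposition vs. substitution (an added example; not from the original
card set). The keys and plaintext are constructed."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def _letters_only(text: str) -> str:
    """Classical ciphers work on A-Z; drop spaces and punctuation."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def _column_order(key: str) -> list:
    # Columns are read out in alphabetical order of the key letters;
    # ties are broken left to right.
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plaintext: str, key: str) -> str:
    """Columnar transposition: write the text in rows under the key, then read
    the columns out in key order. Every letter survives; only positions change."""
    text, key = _letters_only(plaintext), _letters_only(key)
    columns = [text[i::len(key)] for i in range(len(key))]
    return "".join(columns[i] for i in _column_order(key))


def transposition_decrypt(ciphertext: str, key: str) -> str:
    key = _letters_only(key)
    n = len(key)
    full_rows, extra = divmod(len(ciphertext), n)
    # The first `extra` columns hold one more letter than the rest.
    lengths = [full_rows + (1 if i < extra else 0) for i in range(n)]
    columns, pos = {}, 0
    for i in _column_order(key):
        columns[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    return "".join(columns[i][r] for r in range(full_rows + 1)
                   for i in range(n) if r < lengths[i])


def keyword_alphabet(keyword: str) -> str:
    """Mixed alphabet for a monoalphabetic substitution: the keyword's letters
    (duplicates removed) followed by the unused letters in order."""
    seen = []
    for c in _letters_only(keyword) + ALPHABET:
        if c not in seen:
            seen.append(c)
    return "".join(seen)


def substitution_encrypt(plaintext: str, cipher_alphabet: str) -> str:
    """Each plaintext letter is replaced by the letter at the same index in
    cipher_alphabet, which must be a permutation of A-Z."""
    if sorted(cipher_alphabet) != list(ALPHABET):
        raise ValueError("cipher alphabet must be a permutation of A-Z")
    return _letters_only(plaintext).translate(str.maketrans(ALPHABET, cipher_alphabet))


def substitution_decrypt(ciphertext: str, cipher_alphabet: str) -> str:
    return ciphertext.translate(str.maketrans(cipher_alphabet, ALPHABET))


def letter_histogram(text: str) -> list:
    """Sorted letter counts. Transposition leaves the exact letter multiset
    intact; substitution keeps the histogram shape but relabels the letters.
    Either way frequency analysis has a foothold, which is why these are
    'basic methods of disguising' rather than modern ciphers."""
    return sorted(Counter(text).values(), reverse=True)
```

Running `transposition_encrypt("ATTACK AT DAWN", "ZEBRA")` yields a ciphertext made of exactly the same letters as the plaintext, and `letter_histogram` of a substitution ciphertext matches that of its plaintext; modern ciphers exist precisely to remove both regularities.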
Common Evaluation Methodology Editorial Board (CEMEB)
A board of members responsible for producing an agreed-upon methodology for conducting evaluations that apply the CC to security targets.
Media Analysis
A branch of computer forensic analysis that involves the identification and extraction of information from storage media. This may include the following:
- Magnetic media (e.g., hard disks, tapes)
- Optical media (e.g., compact discs (CDs), digital versatile discs (DVDs), Blu-ray discs)
- Memory (e.g., random-access memory (RAM), solid-state storage)
Techniques used for this type of analysis may include the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a running computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.
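A small worked illustration of two points above: the digital-evidence rule that examination must not change the evidence, and the media-analysis technique of recovering deleted files from unallocated space. This is an added example, not from the original card set; the "disk image" is a constructed byte string built in memory, with a stray PNG signature planted as a false positive and one complete PNG whose directory entry is gone.

```python
"""Media analysis (an added example; not from the original card set): verify
that an image under examination is unchanged, then carve a deleted PNG out of
unallocated space by signature. The 'disk image' is constructed in memory."""
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def sha256_hex(data: bytes) -> str:
    """Hash taken before and after analysis; a mismatch means the examiner
    altered the evidence (principle 2 of the digital-evidence rules)."""
    return hashlib.sha256(data).hexdigest()


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_sample_image() -> tuple:
    """Constructed image: a 512-byte 'allocated' region, then unallocated space
    holding a stray PNG signature with garbage behind it (a false positive any
    naive carver must survive) and one complete 1x1 PNG whose directory entry is gone."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)      # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                         # filter byte + one pixel
    png = (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    allocated = b"FSDATA".ljust(512, b"\x00")
    unallocated = b"\xFF" * 50 + PNG_SIGNATURE + b"\xFF" * 42 + png + b"\x00" * 200
    return allocated + unallocated, png


def carve_png(image: bytes) -> list:
    """Return (offset, bytes) for every structurally valid PNG in the image.
    Instead of guessing a length, walk the chunk list and validate each CRC;
    a candidate that does not reach a sane IEND chunk is discarded."""
    found, start = [], image.find(PNG_SIGNATURE)
    while start != -1:
        pos, end = start + len(PNG_SIGNATURE), None
        while pos + 8 <= len(image):
            (length,) = struct.unpack(">I", image[pos:pos + 4])
            ctype = image[pos + 4:pos + 8]
            data_end = pos + 8 + length
            if data_end + 4 > len(image):
                break                                     # runs off the image
            (stored_crc,) = struct.unpack(">I", image[data_end:data_end + 4])
            if zlib.crc32(image[pos + 4:data_end]) & 0xFFFFFFFF != stored_crc:
                break                                     # not a real chunk
            pos = data_end + 4
            if ctype == b"IEND":
                end = pos
                break
        if end is None:
            start = image.find(PNG_SIGNATURE, start + 1)  # false positive; keep scanning
        else:
            found.append((start, image[start:end]))
            start = image.find(PNG_SIGNATURE, end)
    return found


def examine(image: bytes) -> dict:
    """Hash, carve from a copy, hash again; report whether the evidence
    survived the examination unchanged."""
    before = sha256_hex(image)
    carved = carve_png(bytes(image))
    after = sha256_hex(image)
    return {"carved": carved, "integrity_ok": before == after, "sha256": before}
```

Real tools (Scalpel, PhotoRec, The Sleuth Kit) do the same thing across many file types and against a write-blocked device or a forensic image; the CRC walk is what separates a recovered file from 8 bytes of coincidence.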
Common Criteria
A catalog of security components that developers of protection profiles (PPs) use to form the requirements definition, which must account for the threats in the environment of a trusted product or system.
B-Rate Safe Rating
A catchall safe rating for any box with a lock on it. This rating describes the thickness of the steel used to make the lockbox. No actual testing is performed to gain this rating.
Grudge Attacks
A category of computer crime attacks that are carried out to damage an organization or a person. The damage could be the loss of information or information processing capabilities, or harm to the organization's or person's reputation.
Financial Attacks
A category of computer crime attacks that are carried out to unlawfully obtain money or services. They are the type of computer crime you most commonly hear about in the news. The goal of a financial attack could be to steal credit card numbers, increase the balance in a bank account, or place "free" long-distance telephone calls.
Thrill attacks
A category of computer crime attacks that are launched only for the fun of it. Attackers who lack the ability to devise their own attacks will often download programs that do the work for them. These attackers are often called script kiddies because they run only other people's programs, or scripts, to launch an attack.
Military and intelligence attacks
A category of computer crime attacks that are launched primarily to obtain secret and restricted information from law enforcement, military, or technological research sources.
Business Attacks
A category of computer crime attacks focused on illegally obtaining an organization's confidential information. This could be information that is critical to the operation of the organization, such as a secret recipe, or information that could damage the organization's reputation if disclosed, such as personal information about its employees.
Terrorist Attacks
A category of computer crime attacks whose goal is to disrupt normal life and instill fear.
Test class
A class of security evaluation assurance requirements that covers the testing needed to demonstrate that the TSF satisfies the TOE security functional requirements. It addresses coverage and depth of developer testing, functional tests, and independent testing by the evaluation lab.
Guidance class
A class of security evaluation assurance requirements that defines the requirements for coherence, coverage, and completeness of the operational documentation the developer provides. This documentation, which addresses two audiences (users and administrators), is an important factor in the secure operation of the TOE.
Delivery and operation class
A class of security evaluation assurance requirements that defines the requirements for the measures, procedures, and standards concerned with secure delivery, installation, and operational use of the TOE. This ensures that the security protection the TOE offers is not compromised during transfer, installation, startup, and operation.
Development class
A class of security evaluation assurance requirements that defines the requirements for the stepwise (proceeding in steps) refinement of the TOE security functions (TSF) from the summary specification in the security target down to the actual implementation. Each resulting TSF representation gives the evaluator information to determine whether the functional requirements of the TOE have been met.
Lifecycle support class
A class of security evaluation assurance requirements that defines the requirements for adopting a well-defined lifecycle model for all steps of TOE development, including flaw remediation procedures and policies, correct use of tools and techniques, and the security measures used to protect the development environment.
Configuration management class
A class of security evaluation assurance requirements that helps ensure the integrity of the TOE is preserved through required discipline and control in the processes of refining and modifying the TOE and related information. It prevents unauthorized modifications, additions, or deletions to the TOE and provides assurance that the TOE and the documentation used for evaluation are the ones prepared for distribution.
Vulnerability assessment class
A class of security evaluation assurance requirements (not functional requirements) that defines the requirements directed at identifying exploitable vulnerabilities. Specifically, it addresses vulnerabilities introduced in the construction, operation, misuse, or incorrect configuration of the TOE.
Protection profile evaluation
A class of security evaluation assurance requirements (not functional requirements) that demonstrates that the PP is complete, consistent, and technically sound, and that an evaluated PP is suitable as the basis for developing an ST.
Security target evaluation class
A class of security evaluation assurance requirements (not functional requirements) that demonstrates that the ST is complete, consistent, and technically sound, and is suitable as the basis for the corresponding TOE evaluation.
Security management
A class of security functional requirements whose functions specify the management of several aspects of the TOE security functions, their security attributes, and their security data.
User data protection
A class of security functional requirements whose functions relate to protecting user data within a TOE during import, export, and storage.
Cryptographic support
A class of security functional requirements whose functions are used when the TOE implements cryptographic operations in hardware, firmware, or software.
Maintenance of assurance class
A class of security evaluation assurance requirements (not functional requirements) that applies after a TOE has been certified against the Common Criteria. Its requirements help ensure that the TOE continues to meet its security target as changes are made to the TOE or its environment, such as the discovery of new threats or vulnerabilities, changes in user requirements, and the correction of bugs found in the certified TOE.
Identification and authentication
A class of security functional requirements whose functions ensure that users are associated with the proper security attributes (including identity, groups, and roles).
Resource utilization
A class of security functional requirements whose functions support the availability of required resources such as CPU and storage capacity. Fault tolerance protects against unavailability of capabilities caused by failure of the TOE; priority of service ensures that resources are allocated to the more important or time-critical tasks and cannot be monopolized by lower-priority tasks.
TOE access
A class of security functional requirements whose requirements control the establishment of a user's session.
Privacy
A class of security functional requirements whose requirements protect a user against discovery and misuse of identity by other users.
Protection of the TOE security functions (TSF)
A class of security functional requirements whose requirements relate to the integrity and management of the mechanisms that provide the TSF and to the integrity of TSF data.
Audit
A class of security functional requirements whose security auditing functions involve recognizing, recording, storing, and analyzing information related to security-relevant activities. The resulting audit records can be examined to determine which security-relevant activities took place and which user is responsible for them.
Communications
A class of security functional requirements that ensures the identity of both the originator and the recipient of transmitted information, so that an originator cannot deny having sent a message and a recipient cannot deny having received it (non-repudiation of origin and of receipt).
Trusted Computer System Evaluation Criteria (TCSEC)
A collection of criteria used to grade or rate the security claimed for a computer system product. The now-obsolete TCSEC was often called the Orange Book because of its orange cover.
Business sensitive or business confidential
A common taxonomy classification for commercial businesses that can be described as information employees and other insiders need to perform their duties. This can include company directories (address books, email addresses, and so forth), invoice information, department budget information, internal policies, and so forth.
Customer confidential
A common taxonomy classification for commercial businesses for information that identifies individual customers of the business or institution. It can include their purchase activity, account-specific information, credit card numbers, social security numbers (when needed), grades or course information (in the case of a university), or any other information considered personally identifiable information (PII), and it dictates need-to-know or least privilege controls to ensure confidentiality and integrity.
Trade secret
A common taxonomy classification for commercial businesses for information that is severely restricted and protected through stricter need-to-know controls than customer confidential information. Examples include the recipe for Coca-Cola, employee disciplinary actions, pre-release financial statement information, or proprietary secrets that offer a competitive advantage to the business.
Public information
A common taxonomy classification for commercial businesses that is intended for public dissemination. This might include marketing content on a website, direct mail inserts, directories of contact information, published annual reports, and so forth.
Common Evaluation Methodology (CEM)
A companion document to the CC. It focuses on the actions evaluators must take to determine that CC requirements for a TOE are present. It is an evaluation tool to ensure consistent application of the requirements across multiple evaluations and multiple schemes.
2001 U.S. Patriot Act HR 3162
A computer security/privacy law formally titled "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001." It was passed by Congress to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes related to international terrorism.
1977 Fair Debt Collection Practices Act (FDCPA)
A consumer protection law that addresses unfair or unconscionable means used to collect or attempt to collect any debt.
2002 Federal Information Security Management Act
A computer security/privacy law that defines the basic statutory requirements for protecting federal computer systems.
1990 National Security Directive 42 (NSD-42)
A directive that established the National Security Telecommunications and Information Systems Security Committee, renamed the Committee on National Security Systems (CNSS) in 2001, which provides guidance on the security of national security systems, among other roles.
1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA)
A computer security/privacy law that protects the confidentiality and portability of personal health care information.
1986 U.S. Electronic Communications Privacy Act (ECPA)
A computer security/privacy law that protects the confidentiality of private message systems against unauthorized eavesdropping and interception.
1970 U.S. Fair Credit Reporting Act
A computer security/privacy law that regulates the activities of credit bureaus.
1987 U.S. Computer Security Act
A computer security/privacy law which was a congressional declaration to improve the security and privacy of sensitive information in federal computer systems and establish minimum acceptable security practices for such systems.
Procedures a.k.a. standard operating procedure (SOP)
A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. It could discuss the entire system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions. In most cases, these are system and software specific.
security policy
A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
Asset valuation
A dollar value assigned to an asset based on actual cost and nonmonetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset; they can also include more elusive values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.
The International Traffic in Arms Regulations (ITAR)
A federal regulation that controls the export of items specifically designated as military and defense items, including technical information related to those items. The items covered under this regulation appear on a list called the United States Munitions List (USML).
The Export Administration Regulations (EAR)
A federal regulation that covers a broader set of items than the ITAR's USML: items designed for commercial use that may also have military applications. Items covered by this regulation appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce. Notably, this regulation includes an entire category covering information security products.
perimeter intrusion and detection assessment system (PIDAS)
A fencing system that uses passive vibration sensors to detect intruders or any attempts to compromise the fence itself. (By comparison, turnstiles are less effective than either gates or fences.)
Risk Rejection
A final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
risk framework
A guideline or recipe for how risk is to be assessed, resolved, and monitored.
Digital Millennium Copyright Act (DMCA)
A law, hotly debated before its passage in 1998, enacted to bring copyright law up to date with a rapidly changing digital landscape that was stretching the reach of existing copyright protections.
Internal auditors
A job title: Conduct periodic risk-based reviews of information resources security policies and procedures.
Information resources security officer
A job title: Directs policies and procedures designed to protect information resources (identifies vulnerabilities, develops security awareness program, and so forth).
Chief information security officer (CISO)
A job title: Establishes and maintains security and risk-management programs for information resources.
Users
A job title: Have access to information resources in accordance with the owner-defined controls and access rules.
Owners of information resources
A job title: Have the responsibility of carrying out the program that uses the resources. This does not imply personal ownership. These individuals might be regarded as program managers or delegates for the owner.
Information resources manager
A job title: Maintains policies and procedures that provide for security and risk management of information resources.
Custodians of information resources
A job title: Provide technical facilities, data processing, and other support services to owners and users of information resources.
Technical managers (network and system administrators)
A job title: Provide technical support for security of information resources.
Risk reporting
A key task to perform at the conclusion of a risk analysis.
European Union General Data Protection Regulation
A comprehensive law, adopted in 2016, covering the protection of personal information. The General Data Protection Regulation (GDPR) took effect on May 25, 2018, replacing the older data protection directive on that date. Its main purpose is to provide a single, harmonized law that covers personal data throughout the European Union.
Class A1: Verified Design
A particular TCSEC class (division) for systems that are functionally equivalent to those in Class B3, with no additional architectural features or policy requirements added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification of the design.
Class B2: Structured Protection
A TCSEC class for systems that clearly define and document a formal security policy model, extending the discretionary and mandatory access control enforcement of Class B1 systems to all subjects and objects in the system. In addition, covert channels are addressed. A covert channel exists wherever a system offers an unintended communication path (a shared storage resource or observable timing behavior) through which data can move from a higher classification level to where lower-classified data is accessible.
Class C2: Controlled Access Protection
A particular TCSEC class (division) for systems that enforces a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation. This means that no program can gain access to the memory areas other programs use.
Division B: Mandatory Protection
A particular TCSEC class (division) for systems that must preserve the integrity of sensitivity labels and use them to enforce a set of mandatory access control rules. Systems in this division must carry the sensitivity labels (Secret or Top Secret, for example) with major data structures in the system.
Class B3: Security Domains
A TCSEC class for systems whose TCB must satisfy the reference monitor requirements:
- Mediate all accesses of subjects to objects
- Resist tampering
- Be small enough to be subjected to analysis and tests
The TCB is structured to exclude program code that is not essential to security policy enforcement. This requires significant system engineering during TCB design and implementation, with the goal of minimizing its complexity. A security administrator role is supported, audit mechanisms are expanded to signal (trace) security-relevant events, and system recovery procedures are required. Systems in this class are deemed highly resistant to penetration.
Class B1: Labeled Security Protection
A particular TCSEC class (division) for systems that require all the features Class C2 systems require. In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. The system must have the capability to accurately label exported information from the system, and any flaws identified during testing must be removed.
Class C1: Discretionary Security Protection
A particular TCSEC class (division) for systems that satisfies the discretionary access control requirements by separating users and data. It incorporates mechanisms that are capable of enforcing access limitations on an individual basis.
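The TCSEC divisions above are easier to hold in mind as one small mediation routine. This is an added illustration, not from the original card set and not any evaluated system's code: a toy reference monitor that carries sensitivity labels with objects and enforces them as mandatory access control (Division B), layers owner-assigned discretionary access on top (Division C), and records every decision per subject (C2 accountability). The subjects, objects, labels and ACLs are constructed.

```python
"""Toy reference monitor (an added example; not from the original card set)
showing what the TCSEC Division B/C requirements look like when written down:
sensitivity labels carried with objects and enforced as MAC (Division B),
owner-granted DAC (Division C), and per-subject audit records (C2). The
subjects, objects, labels and ACLs are constructed for the example."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: higher-or-equal level and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Object:
    name: str
    label: Label                             # travels with the data (Division B)
    owner: str
    acl: dict = field(default_factory=dict)  # owner-assigned: subject -> {"read","write"}


class ReferenceMonitor:
    """Mediates every access (B3: complete mediation), is small enough to read
    in full (B3: analyzable), and records who did what (C2: accountability).
    Tamper resistance is the job of the surrounding kernel, not of this class."""

    def __init__(self) -> None:
        self.audit_log: list = []

    def authorize(self, subject: Subject, obj: Object, mode: str) -> bool:
        if mode not in ("read", "write"):
            ok, why = False, "unknown access mode"
        elif mode == "read" and not subject.clearance.dominates(obj.label):
            ok, why = False, "MAC: simple security (no read up)"
        elif mode == "write" and not obj.label.dominates(subject.clearance):
            ok, why = False, "MAC: *-property (no write down)"
        elif subject.name != obj.owner and mode not in obj.acl.get(subject.name, set()):
            ok, why = False, "DAC: not granted by owner"
        else:
            ok, why = True, "granted"
        # MAC is checked before DAC: an owner's grant can never override a label.
        self.audit_log.append((subject.name, obj.name, mode, ok, why))
        return ok


def run_example() -> dict:
    rm = ReferenceMonitor()
    nuclear = frozenset({"NUCLEAR"})
    alice = Subject("alice", Label("SECRET", nuclear))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    plan = Object("plan", Label("SECRET", nuclear), owner="alice", acl={"bob": {"read"}})
    memo = Object("memo", Label("UNCLASSIFIED"), owner="bob")
    results = {
        "alice reads plan": rm.authorize(alice, plan, "read"),    # owner, label dominated
        "bob reads plan": rm.authorize(bob, plan, "read"),        # ACL says yes, MAC says no
        "alice reads memo": rm.authorize(alice, memo, "read"),    # MAC ok, no DAC grant yet
        "alice writes memo": rm.authorize(alice, memo, "write"),  # write down: denied
    }
    memo.acl["alice"] = {"read"}                                  # bob grants access
    results["alice reads memo after grant"] = rm.authorize(alice, memo, "read")
    results["audit records"] = len(rm.audit_log)
    return results
```

The ordering of the checks is the point of Division B: the owner of `plan` put bob on its ACL, and bob is still refused because his clearance does not dominate the label. Only once the mandatory check passes does the owner's discretionary grant matter, and every decision, granted or not, lands in the audit log under the subject's name.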
A program for information security should include which of the following elements? A. Security policies and procedures B. Intentional attacks only C. Unintentional attacks only D. None of these
Security policies and procedures. Explanation: Answer A is correct. The Carnegie Mellon Information Networking Institute (INI) designed programs to carry out multiple tasks, including information security policies.
A risk analysis answers what three fundamental questions?
What am I trying to protect? What is threatening my system? How much time, effort, and money am I willing to spend?
Physical controls
A security control that involves physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms
Administrative controls a.k.a. Management controls
A security control that involves policies and procedures defined by an organization's security policy and other regulations or requirements. Examples include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
Technical control a.k.a. logical control
A security control that involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems. Examples include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.
Recovery controls
A security control that is an extension of corrective controls but has more advanced or complex abilities. Examples of _______ _______ include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.
directive control
A security control that is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of _______ _______ include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
deterrent control
A security control that is deployed to discourage violation of security policies. They often depend on individuals deciding not to take an unwanted action.
detective control
A security control that is deployed to discover or detect unwanted or unauthorized activity. _______ _______ operate after the fact and can discover the activity only after it has occurred.
compensation control
A security control that is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.
preventive control
A security control that is deployed to thwart or stop unwanted or unauthorized activity from occurring.
corrective control
A security control that modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. _______ _______ can be simple, such as terminating malicious activity or rebooting a system.
Clark and Wilson model
A security model that proposes "well-formed transactions." It requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties.
Access matrix model
A security model that acts as a state machine model for a discretionary access control environment.
State machine model
A security model that acts as an abstract mathematical model consisting of state variables and transition functions.
Noninterference model
A security model that covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy.
Information flow model
A security model that simplifies analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy.
Federal Cybersecurity Laws of 2014
A series of bills signed into law by Barack Obama in 2014 that modernized the federal government's approach to cybersecurity issues.
The NIST Cybersecurity Framework (CSF)
A set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
reference monitor a.k.a. abstract machine
A software model that mediates all access from any subject (user or other device) to any object (resource, data, and so forth); it cannot be bypassed. It mediates accesses to objects by subjects. In principle, it should be: - Complete, to mediate every access - Isolated from modification by other system entities (objects and processes) - Verifiable, doing only what it's programmed to do and not being susceptible to circumvention by malicious acts or programmer error
Fuzz testing
A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. This method of testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. The tester then monitors the performance of the application, watching for software crashes, buffer overflows, or other undesirable and/or unpredictable outcomes.
Step 4
A step in the quantitative risk analysis. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
Step 1
A step in the quantitative risk analysis. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this lesson named "Asset Valuation.")
Step 6
A step in the quantitative risk analysis. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
Step 5
A step in the quantitative risk analysis. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
Step 2
A step in the quantitative risk analysis. Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
Multitasking
A technique used by a system that is capable of running two or more tasks concurrently or in interleaved execution.
STRIDE
A threat categorization scheme developed by Microsoft.
Trike
Trike provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. Trike is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions.
A threat methodology that can be identified by the acronym DREAD: Disaster, Reproducibility, Exploitability, Affected Users, Discoverability. Also known as
Visual, Agile, and Simple Threat (VAST)
A threat modeling concept based on Agile project management and programming principles. The goal of this methodology is to integrate threat and risk management into an Agile programming environment on a scalable basis.
Process for Attack Simulation and Threat Analysis (PASTA)
A threat modeling methodology that uses a risk-centric approach. It aims at selecting or developing countermeasures in relation to the value of the assets to be protected.
Multics
A time-sharing operating system project begun in 1965 as a joint project by MIT Project MAC, Bell Telephone Laboratories, and General Electric. It was the first operating system to provide a hierarchical file system.
Hardware/Embedded Device Analysis
A type of analysis in which an analyst may review the contents of hardware and embedded devices. This may include a review of: - Personal computers - Smartphones - Tablet computers - Embedded computers in cars, security systems, and other devices. Analysts conducting these reviews must have specialized knowledge of the systems under review. This often requires calling in expert consultants who are familiar with the memory, storage systems, and operating systems of such devices. Because of the complex interactions between software, hardware, and storage, the discipline of hardware analysis requires skills in both media analysis and software analysis.
Software Analysis
A type of analysis in which an analyst may conduct a review of software code, looking for back doors or logic bombs, or may interpret the log files from application or database servers, seeking other signs of malicious activity such as SQL injection attacks, privilege escalations, or other application attacks.
Network Analysis
A type of analysis in which the task of the analyst is to collect and correlate information from multiple disparate sources and produce as comprehensive a picture of network activity as possible. Methods include: - Intrusion detection and prevention system logs - Network flow data captured by a flow monitoring system - Packet captures deliberately collected during an incident - Logs from firewalls and other network security devices
Dumpster diving
A type of computer crime in which a criminal simply digs through trash and recycling bins looking for receipts, checks, and other personal and sensitive information. (If you don't shred all your receipts or lock up your recycling bin where you dispose of protected information, someone might be rummaging through your personal or proprietary information at this very moment.)
Information warfare
A type of computer crime consisting of attacks upon a country's computer network to gain economic or military advantage.
Embezzlement
A type of computer crime in which employees modify computer software to collect round-off amounts (fractions of a penny) from a company's accounting program.
Software piracy
A type of computer crime in which the attacker copies or downloads software and uses it without permission.
Emanation eavesdropping
A type of computer crime in which the attacker intercepts radio frequency (RF) signals emanated by wireless computers to extract sensitive or classified information. The U.S. government's TEMPEST program addresses this problem by requiring shields on computers transmitting such data. Operated by the U.S. Department of Defense (DOD), the TEMPEST program has created a cottage industry of companies that create protective equipment to prevent foreign spies from collecting stray computer signals issued from DOD labs or U.S. embassies.
Spoofing of Internet Protocol (IP) addresses
A type of computer crime in which the attacker sends a message with a false originating IP address to convince the recipient that the sender is someone else. Every computer on the Internet is assigned a unique IP address. In this case, the attacker masquerades as a legitimate Internet site by using that site's IP address.
Social engineering
A type of computer crime in which the attacker solicits information such as passwords or personal identification numbers (PINs) from unwitting victims. For example, a thief might call a help desk pretending to be a user whose password needs resetting.
Rogue code
A type of computer crime in which the user inadvertently launches software that can log a user's keystrokes and either send them to a remote server or perform other undesirable activities, such as deleting files or destroying the operating system, rendering the computer useless.
Denial of service (DoS) attacks
A type of computer crime that overloads a computer's resources (particularly the temporary storage area in computers, called the buffers) from any number of sources until the system is so bogged down that it cannot honor requests. The attacks in February 2000 on Yahoo! took the site down for 3 hours. A day later, eBay, Amazon.com, Buy.com, and CNN.com were hit with the same type of attack. The following day, E*TRADE and ZDNet were struck.
Documentary Evidence
A type of evidence that includes any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated. For example, if an attorney wants to introduce a computer log as evidence, they must bring a witness (for example, the system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.
Testimonial Evidence
A type of evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.
Real Evidence
A type of evidence (also known as object evidence) that consists of things that may actually be brought into a court of law. In common criminal proceedings, this may include items such as a murder weapon, clothing, or other physical objects. In a computer crime case, this type of evidence might include seized computer equipment, such as a keyboard with fingerprints on it or a hard drive from a hacker's computer system. Depending on the circumstances, this type of evidence may also be conclusive evidence, such as deoxyribonucleic acid (DNA), that is incontrovertible.
Volatile memory
A type of information storage that experiences a complete loss of any stored information when the power is removed.
Virtual memory
A type of information storage that extends the volume of primary storage by using secondary storage to hold the memory contents. In this way, the operating system can run programs larger than the available physical memory. This memory (memory contents stored on disk) is swapped in and out of primary memory when needed for processing.
Secondary storage
A type of information storage that is a nonvolatile storage format and can store application and system code plus data when the system is not in use. Examples of this type of storage are disk drives or other persistent data storage mechanisms (including Flash [USB] drives, memory sticks, and tapes).
Sequential storage
A type of information storage that is computer memory accessed sequentially. An example of this is magnetic tape.
Primary storage a.k.a. Random Access Memory (RAM)
A type of information storage that is the computer's main memory, directly addressable by the central processing unit (CPU). Primary storage is a volatile storage medium, meaning that the contents of the physical memory are lost when the power is removed.
Random memory
A type of information storage that is the computer's primary working and storage area. It is addressable directly by the CPU and stores application or system code in addition to data.
Real memory
A type of information storage that refers to a definite storage location for a program in memory and direct access to a peripheral device. This is common with database management systems that control how storage is used outside the operating system's control.
Administrative Law
A type of law that covers topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress. Although it does not require an act of the legislative branch to gain the force of law, it must comply with all existing civil and criminal laws.
Civil Law
A type of law that forms the bulk of our body of laws. These laws are designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations. Examples of the types of matters include contract disputes, real estate transactions, employment matters, and estate/probate procedures. They are also used to create the framework of government that the executive branch uses to carry out its responsibilities. These laws provide budgets for governmental activities and lay out the authority granted to the executive branch to create administrative laws (see the next section).
Criminal Law
A type of law that forms the bedrock of the body of laws that preserve the peace and keep our society safe. Many high-profile court cases involve matters of this type of law; these are the laws that the police and other law enforcement agencies concern themselves with. This type of law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating these statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
Shrink-wrap license agreement
A type of licensing agreement that is written on the outside of the software packaging. It commonly includes a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.
Click-through license agreement
A type of licensing agreement in which the contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them. This adds an active consent to the process, ensuring that the individual is aware of the agreement's existence prior to installation.
Cloud services license agreement
A type of licensing agreement in which users, in their excitement to access a new service, simply click their way through the agreement without reading it and may unwittingly bind their entire organization to onerous terms and conditions.
Contractual license agreements
A type of licensing agreement that uses a written contract between the software vendor and the customer, outlining the responsibilities of each. These agreements are commonly found for high-priced and/or highly specialized software packages.
Quantitative risk analysis
A type of risk analysis that assigns real dollar figures to the loss of an asset.
Qualitative risk analysis
A type of risk analysis that assigns subjective and intangible values to the loss of an asset.
bottom-up approach
A type of security management planning where IT staff makes security decisions directly without input from senior management. This approach is rarely used in organizations and is considered problematic in the IT industry.
top-down approach
A type of security management planning where upper, or senior, management is responsible for initiating and defining policies for the organization.
Operations Security
A type of security used to identify the controls over software, hardware, media, and the operators and administrators who possess elevated access privileges to any of these resources. It is primarily concerned with data center operations processes, personnel, and technology, and is needed to protect assets from threats during normal use.
Functional Decomposition
A type of threat modeling that is typically performed using data flow diagrams. The key aspect of this step is to understand the boundaries of untrusted and trusted components, for a better understanding of the attack surface of an application that an attacker might want to exploit.
Calculating Safeguard Cost/Benefit
(ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard, ACS) = value of the safeguard to the company
digital signature or digitally signing a message
After computing the message digest for your message, you encrypt it using your private key and append (attach) the encrypted message digest to your original message.
Reduction analysis
Whether it is an application, a system, or an entire environment, the subject needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if you're focusing on software, computers, or operating systems; they might be protocols if you're focusing on systems or networks; or they might be departments, tasks, and networks if you're focusing on an entire business infrastructure. Each identified sub-element should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs.
After determining the potential attack concepts, the next step in threat modeling is to perform ______________ analysis. ______________ analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Also known as decomposing the application
Data classification
Also called classification, the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
An Act that amended the Electronic Communications Privacy Act of 1986. This Act requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
Health Insurance Portability and Accountability Act (HIPAA)
An Act that Congress passed which made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of this Act are privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals. This Act also clearly defines the rights of individuals who are the subject of medical records and requires organizations that maintain such records to disclose these rights in writing.
Economic Espionage Act of 1996
An Act that extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints.
Electronic Communications Privacy Act of 1986
An Act that makes it a crime to invade the electronic privacy of an individual.
The Privacy Act of 1974
An Act that mandates that government agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended.
open system
An _______ _______ is based on accepted standards and employs standard interfaces to allow connections between different systems. It promotes interoperability and gives the user full access to the total system capability.
Attack
An _______ is the exploitation of a vulnerability by a threat agent. In other words, it is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets. It can also be viewed as any violation or failure to adhere to an organization's security policy.
Asset
An ________ is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on.
Scrum
An agile project management methodology that uses the real-world progress of a project, not a best guess or an uninformed forecast, to plan and schedule releases. For this method, projects are divided into explicit work cycles, known as sprints, that typically last one week, two weeks, or three weeks. At the end of each sprint, stakeholders and team members meet to assess the progress of a project and plan its next steps. This allows a project's direction to be adjusted or reoriented based on completed work, not on speculation or predictions.
Denial of service (DoS)
An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. This type of threat does not necessarily result in full interruption to a resource; it could instead reduce throughput or introduce latency in order to hamper productive use of a resource. Although most of these attacks are temporary and last only as long as the attacker maintains the onslaught, there are some permanent attacks that use this threat technique. A permanent attack might involve the destruction of a dataset, the replacement of software with malicious alternatives, or forcing a firmware flash operation that could be interrupted or that installs faulty firmware. Any of these attacks would leave a permanently damaged system that cannot be restored to normal operation with a simple reboot or by waiting out the attackers. A full system repair and backup restoration would be required to recover from a permanent attack.
Elevation of privilege
An attack where a limited user account is transformed into an account with greater privileges, powers, and access. This might be accomplished through theft or exploitation of the credentials of a higher-level account, such as that of an administrator or root. It also might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.
Spoofing
An attack with the goal of gaining access to a target system through the use of a falsified identity. This method can be used against Internet Protocol (IP) addresses, MAC addresses, usernames, system names, wireless network service set identifiers (SSIDs), email addresses, and many other types of logical identification. When an attacker lies about their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access. Once this type of attack has successfully granted an attacker access to a target system, subsequent attacks of abuse, data theft, or privilege escalation can be initiated.
EAL7
An Evaluation Assurance Level that applies to the development of security TOEs for application in extremely high-risk situations, when the value of such assets justifies the costs for higher assurance levels.
EAL1
An Evaluation Assurance Level that applies when some confidence in correct operation is required, but the threats to security are not viewed as serious. It is valuable when independent assurance is required to support the contention that due care has been exercised in protecting personal or similar types of information. The intention is that this evaluation can be successfully conducted without assistance from the developer of the TOE, at a low cost. An evaluation at this level provides evidence that the TOE functions in a manner consistent with its documentation and that it provides useful protection against identified threats. Think of this level as kicking the tires on a vehicle that you're considering for purchase.
EAL3
An Evaluation Assurance Level that permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. This level applies when developers or users require a moderate level of independently assured security; it requires a thorough investigation of the TOE and its development without substantial reengineering.
EAL4
An Evaluation Assurance Level that permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices that, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is applicable when developers or users require a moderate to high level of independently assured security in conventional off-the-shelf TOEs. Additional security-specific engineering costs could be involved.
EAL5
An Evaluation Assurance Level that permits a developer to gain maximum assurance from security engineering based on rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE is likely designed and developed with the intent of achieving EAL5 assurance. EAL5 is applicable when developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs for special security engineering techniques.
EAL6
An Evaluation Assurance Level that permits developers to gain high assurance from applying security engineering techniques to a rigorous development environment, to produce a premium TOE for protecting high-value assets against significant risks. This level is applicable to developing security TOEs in high-risk situations, when the value of the protected assets justifies additional costs.
EAL2
An Evaluation Assurance Level that requires a developer's cooperation in terms of the delivery of design information and test results, but it does not demand more effort from the developer than is consistent with good commercial practice; it also should not require a substantially increased investment of money or time. This level is applicable when developers or users require a low to moderate level of independently assured security, in the absence of ready availability of the complete development record. Such a situation might arise when securing legacy systems or when access to the developer is limited.
Operational Investigations
An investigation that examines issues related to the organization's computing infrastructure and has the primary goal of resolving a particular type of issue. For example, an information technology (IT) team noticing performance issues on their web servers may conduct this type of investigation, which is designed to determine the cause of the performance problems.
Civil Investigations
An investigation that typically does not involve law enforcement but rather involves internal employees and outside consultants working on behalf of a legal team. They prepare the evidence necessary to present a case in civil court resolving a dispute between two parties.
Criminal Investigations
An investigation typically conducted by law enforcement personnel into the alleged violation of criminal law. These investigations may result in charging suspects with a crime and the prosecution of those charges in criminal court.
Family Educational Rights and Privacy Act (FERPA)
Another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). It grants certain privacy rights to students older than 18 and the parents of minor students.
Tampering
Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. This type of threat is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
finite-state machine
Any device that stores the status or state of something at a given time and that can operate based on inputs to change the stored status and/or cause an action or output to take place. The importance of this is that the machine has distinct states that it remembers. In Multics, for example, a state was associated with each ring of trust. Each computer's data register also stores a state. The read-only memory from which a boot (computer start-up) program is loaded stores a state. In fact, the boot program is an initial state. The operating system is itself a state, and each application that it runs begins with some initial state that can change as it handles input. Thus, at any moment in time, a computer system can be seen as a complex set of states and each program in it as one of these. In practice, however, these types of machines are used to develop and describe specific device or program interactions for purposes of discovery or evaluation.
Threats
Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. They are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets. They can be large or small and result in large or small consequences. They can be intentional or accidental. They can originate from people, organizations, hardware, networks, structures, or nature.
Security models that help evaluators determine if the implementation of a reference monitor meets the design requirements
Bell-LaPadula model Biba integrity model Clark and Wilson model Noninterference model State machine model Access matrix model Information flow model
Asset and Data Classification
Businesses and agencies need this standard to help determine how much security is needed for appropriate protection. A rule of thumb states that one should never spend more on security than the value of the asset being protected. Benefits to this standard: Data confidentiality, integrity, and availability are improved because appropriate controls are used throughout the enterprise. Protection mechanisms are maximized. A process exists to review the values of company business data. Decision quality increases because the quality of the data upon which the decision is being made has been improved.
patent trolls
Businesses that exist solely as companies that derive their revenue by engaging in legal action against companies that they feel infringe upon the patents held in their portfolio.
TCSEC Classes Vs. ITSEC Functional and Assurance Classes
TCSEC   ITSEC
C1      F-C1, E1
C2      F-C2, E2
B1      F-B1, E3
B2      F-B2, E4
B3      F-B3, E5
A1      F-B3, E6
CC EAL levels, along with backward compatibility to the Orange Book and ITSEC criteria levels.
CC EAL   Orange Book class   ITSEC
—        D                   E0
EAL1     —                   —
EAL2     C1                  E1
EAL3     C2                  E2
EAL4     B1                  E3
EAL5     B2                  E4
EAL6     B3                  E5
EAL7     A1                  E6
All of these
Careers in information security are booming because of which of the following factors? A. Threats of cyberterrorism B. Government regulations C. Growth of the Internet D. All of these
The Common Criteria, also known as ISO 15408
Combines the best features of the TCSEC with the ITSEC and the CTCPEC, and synergizes them into a single international standard.
NIST SP 800-171
Commonly used NIST standard: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Compliance with this standard's security controls (which are quite similar to those found in NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors must often comply with NIST SP 800-171.
NIST SP 800-53
Commonly used NIST standard: Security and Privacy Controls for Federal Information Systems and Organizations. This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark.
Four common or possible business classification levels
Confidential Private Sensitive Public
Health Information Technology for Economic and Clinical Health (HITECH)
Congress amended HIPAA by passing this Act in 2009. It updated many of HIPAA's privacy and security requirements, extended them directly to business associates, and added data breach notification requirements; the changes were implemented through the HIPAA Omnibus Rule in 2013.
USA PATRIOT Act of 2001
Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 in direct response to the September 11, 2001, terrorist attacks in New York City and Washington, DC. This Act greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including when monitoring electronic communications.
intent to use application
Conveys trademark protection as of the date of filing provided that you actually use the trademark in commerce within a certain time period.
C. Prevention, detection, and response Explanation: Defense in depth is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response.
Defense in depth is needed to ensure that which three mandatory activities are present in a security system? A. Prevention, response, and prosecution B. Response, collection of evidence, and prosecution C. Prevention, detection, and response D. Prevention, response, and management
baseline
Defines a minimum level of security that every system throughout the organization must meet. All systems not complying with this tactical procedure should be taken out of production until they can be brought up to the baseline. This procedure establishes a common foundational secure state on which all additional and more stringent security measures can be built. It is usually system specific and often refers to an industry or government standard, such as the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), or NIST (National Institute of Standards and Technology) standards.
Assurance requirements
Describe how the functional requirements should be implemented and tested.
Functional requirements
Describe what a system should do by design
Perimeter intrusion detectors
Devices that are based on dry contact switches or photoelectric sensors.
Motion detectors
Devices that detect unusual movements within a well-defined interior space.
audit trails
Enables examiners to trace or follow the history of a transaction through the institution.
ITSEC specialized, stand alone, (nonhierarchical) classes
F-IN for high-integrity F-AV for high-availability F-DI for high data integrity F-DC for high data confidentiality F-DX for networks that require high demands for confidentiality and integrity during data exchanges
Three structured approaches to accurately identify relevant threats.
Focused on Assets, Focused on Attackers, Focused on Software
Business continuity plan
Focuses on policies and procedures that ensure a disruptive event has as little impact on the business as possible.
Bell-LaPadula Model
Formulated in the 1970s, a formal security model that describes a set of access control rules. A subject's access to an object is allowed or denied by comparing the object's security classification with the subject's security clearance. It is a confidentiality model: the simple security property forbids reading up (a subject may not read an object classified above its clearance) and the *-property forbids writing down (a subject may not write to an object classified below its clearance). It is a formal description of allowable paths of information flow in a secure system and defines security requirements for systems handling data at different sensitivity levels. The model defines a secure state and access between subjects and objects in accordance with a specific security policy.
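The two Bell-LaPadula properties are easy to state and easy to get backwards, so here is a minimal reference-monitor style check of them. This is an added example, not code from the course material; the labels, the level names, the compartment sets, and the three access modes are assumptions chosen for illustration. Labels are a lattice: a label dominates another when its level is at least as high and its compartment set is a superset, which is what a real MLS kernel compares, not just the level name.

```python
# Added example (not from the course material): a minimal Bell-LaPadula
# reference-monitor decision. A label is (level, set of compartments); label A
# dominates label B when A's level >= B's level and A's compartments are a
# superset of B's. Level names and compartments below are assumptions.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self >= other in the lattice (level and compartments)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula mandatory access decision for one request.

    read      : simple security property, "no read up"  -> subject dominates object
    write     : *-property, "no write down"             -> object dominates subject
    readwrite : both properties, so the labels must be equal
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    if mode == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def state_is_secure(accesses) -> bool:
    """State-machine view of the model: the current state is secure iff every
    (subject, object, mode) access held in it satisfies both BLP properties.
    A transition (granting a new access) is permitted only if the resulting
    state is still secure."""
    return all(blp_allows(s, o, m) for s, o, m in accesses)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUC"}))
    memo = Label("CONFIDENTIAL")
    print(blp_allows(analyst, memo, "read"))    # read down: allowed
    print(blp_allows(analyst, memo, "write"))   # write down: denied
```

Note that write up is allowed by the model (a CONFIDENTIAL subject may append to a SECRET object it cannot read); that is exactly the integrity gap Biba was later written to close, and why a deployed system usually combines BLP with a separate integrity policy.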
Regulatory Investigations
Government agencies may conduct this type of investigation when they believe that an individual or corporation has violated administrative law. Regulators typically conduct these investigations with a standard of proof commensurate with the venue where they expect to try their case. These types of investigations vary widely in scope and procedure and are often conducted by government agents.
Third-Party Audit
Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, reported through Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is the AICPA attestation standard that defines how service organizations report on their controls using the various SOC reports. SSAE 16, effective June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC 1 and SOC 2 frameworks are worth considering for a security assessment: SOC 1 covers controls relevant to a customer's financial reporting, while SOC 2 covers controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy. For either, a Type I report describes the controls and assesses the suitability of their design at a point in time, whereas a Type II report also tests whether the controls operated effectively over a review period. For more on SOC audits, see AICPA. For all acquisitions, establish minimum security requirements. These should be modeled on your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs.
E2
ITSEC assurance class that provides E1 requirements, plus an informal description of detailed designs, testing evidence, configuration control requirements, and approved distribution procedures
E3
ITSEC assurance class that provides E2 requirements, plus source code and drawings that are evaluated and testing evidence of security mechanisms that are evaluated
E4
ITSEC assurance class that provides E3 requirements, plus a formal model of security policy, semiformal specification of security enforcing functions, architectural design documents, and detailed design documents
E5
ITSEC assurance class that provides E4 requirements, plus evidence of close correspondence between detailed design and source code (traceability of design into implementation)
E6
ITSEC assurance class that provides E5 requirements, plus a formal specification of security-enforcing functions and architectural design, along with consistency with the formal security policy model
E0
ITSEC assurance class that provides inadequate assurance; fails to meet E1 requirements
E1
ITSEC assurance class that provides an informal description of the TOE's architectural design and functional testing that the TOE satisfies target requirements
security kernel The TCB, reference monitor, and security kernel are essential for military- and government-grade information technology (IT) security to prevent unauthorized access or threats to the integrity of programs, operating systems, or data.
Implementation of a reference monitor for a specific hardware and operating system base, such as Sun Solaris, Red Hat Linux, or Mac OS X.
Identity Theft and Assumption Deterrence Act
In 1998, the president signed this Act, which makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
Electronic Discovery
In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings. This discovery process applies to both paper records and electronic records and the electronic discovery (or eDiscovery) process facilitates the processing of electronic information for disclosure.
Packages Packages are reusable and can be used to construct larger packages as well.
In the Common Criteria (CC), this element permits the expression of requirements that meet an identifiable subset of security objectives.
20 (from the filing date; older textbooks cite 17 years, which applied to patents granted before the 1995 change in U.S. patent term)
In the United States, a utility patent is good for _____ years.
Privileged Operations
In the decomposition process, any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security
Trust Boundaries
In the decomposition process, any location where the level of trust or security changes.
Input Points
In the decomposition process, locations where external input is received
Details about Security Stance and Approach
In the decomposition process, the declaration of the security policy, security foundations, and security assumptions
Data Flow Paths
In the decomposition process, the movement of data between locations
People
Information security is primarily a discipline to manage the behavior of _____. A. Technology B. People C. Processes D. Organizations
D. All of these Explanation: Availability models keep data and resources available for authorized use, especially during emergencies or disasters.
Information security professionals usually address which of these three common challenges to availability: A. Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered) B. Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes) C. Equipment failures during normal use. D. All of these
D. All of these Explanation: Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes.
Integrity models have which of the three goals: A. Prevent unauthorized users from making modifications to data or programs B. Prevent authorized users from making improper or unauthorized modifications C. Maintain internal and external consistency of data and programs D. All of these
Administrative Investigations
Internal investigations that examine either operational issues or a violation of the organization's policies. They may be conducted as part of a technical troubleshooting effort or in support of other administrative processes, such as Human Resources disciplinary procedures.
Document Exchange and Review
Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.
Business continuity plan
Involves reviewing the risks to organizational procedures
Common Criteria (CC) Project
Joint efforts among the United States (TCSEC), Canada (CTCPEC), and Europe (ITSEC) began in 1993 to harmonize security evaluation criteria to enable true comparability for the results of independent security evaluations. These joint activities were designed to align international separate criteria into a single set of IT security criteria that could be broadly used.
Trademark Law
Law that protects words, slogans, and logos used to identify a company and its products or services.
Regulations
Laws passed by regulators and lawmakers
Copyright Laws
Laws that guarantee the creators of "original works of authorship" protection against the unauthorized duplication of their work. There are 8 broad categories.
four privacy practices that all companies engaged in electronic commerce should observe
Notice/awareness: In general, websites should tell the user how they collect and handle user information. The notice should be conspicuous, and the privacy policy should clearly state how the site collects and uses information. Choice/consent: Websites must give consumers control over how their personally identifying information is used. Abuse of this practice is gathering information for a stated purpose but using it in another way, one to which the consumer might object. Access/participation: Perhaps the most controversial of the fair practices, users would be able to review, correct, and, in some cases, delete personally identifying information on a particular website. Most companies that currently collect personal information have no means of allowing people to review what the company collected, nor do they provide any way for a person to correct incorrect information. Implementing this control would be a burden to companies to retrofit onto an existing system. As you have likely seen with commercial credit reports, inaccurate information or information used out of context can make people's lives problematic. Security/integrity: Websites must do more than reassure users that their information is secure with a "feel-good" policy statement. The site must implement policies, procedures, and tools that will prevent unauthorized access and hostile attacks against the site.
guidelines
Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. These elements of a security policy are flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures. They state which security mechanisms should be deployed instead of prescribing a specific product or control and detailing configuration settings. They outline methodologies, include suggested actions, and are not compulsory.
Residual risk total risk - controls gap = residual risk
Once countermeasures are implemented, the risk that remains is known as _______ ______. The risk that management has chosen to accept rather than mitigate.
Control Objectives for Information and Related Technology (COBIT )
One of the more widely used security control frameworks. It is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).
A. Employees' attitudes and behaviors Explanation: Because people are the weakest link in any security-related process, it's crucial that a security program address user education, awareness, and training on policies and procedures that affect them.
One purpose of a security awareness program is to modify which of the following? A. Employees' attitudes and behaviors B. Management's approach C. Attitudes of employees toward sensitive data D. Corporate attitudes about safeguarding data
Three parts of the Common Evaluation Methodology.
Part 1: Introduction and General Model Part 2: CC Evaluation Methodology Part 3: Extensions to the Methodology
European Union Privacy Law
Passed in 1995 by the European Parliament and Council as Directive 95/46/EC, a sweeping directive outlining privacy measures that must be in place for protecting personal data processed by information systems (superseded by the GDPR in 2018).
The Federal Information Security Management Act of 2002 (FISMA)
Passed in the early 2000's this Act requires that federal agencies implement an information security program that covers the agency's operations. This Act also requires that government agencies include the activities of contractors in their security management programs. This Act repealed and replaced two earlier laws: the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000.
B. CISA Explanation: The subject areas of the CISA focus more on security in business procedures than on technology.
People more interested in certifying themselves as security experts in a business context should consider preparing for which of the following certifications? A. GIAC B. CISA C. ISSAP D. SSCP
Step 3
Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
COBIT 5 (Five Key principles for governance and management of enterprise IT)
Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management
Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure. Security professionals have great social responsibility. We are charged with the burden of ensuring that our actions benefit the common good. Act honorably, honestly, justly, responsibly, and legally. Integrity is essential to the conduct of our duties. We cannot carry out our duties effectively if others within our organization, the security community, or the general public have doubts about the accuracy of the guidance we provide or the motives behind our actions. Provide diligent and competent service to principals. Although we have responsibilities to society as a whole, we also have specific responsibilities to those who have hired us to protect their infrastructure. We must ensure that we are in a position to provide unbiased, competent service to our organization. Advance and protect the profession. Our chosen profession changes on a continuous basis. As security professionals, we must ensure that our knowledge remains current and that we contribute our own knowledge to the community's common body of knowledge.
D. All of these Explanation: The goals of (ISC)2 are maintaining a Common Body of Knowledge for information security, certifying industry professionals and practitioners according to the international IS standard, administering training and certification examinations and ensuring that credentials are maintained, primarily through continuing education.
Question : ISC2 was formed for which of the following purposes? A. Maintaining a Common Body of Knowledge for information security B. Certifying industry professionals and practitioners in an international IS standard C. Ensuring that credentials are maintained, primarily through continuing education D. All of these
Three types of evidence can be used in a court of law
Real evidence Documentary evidence Testimonial evidence
Responses to risk
Reduce or mitigate Assign or transfer Accept Deter Avoid Reject or ignore
Three overall categories of security policies
Regulatory, Advisory, and Informative.
B. Disclosure Explanation: Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible.
Related to information security, confidentiality is the opposite of which of the following? A. Closure B. Disclosure C. Disaster D. Disposal
Ownership
Relating to data classification or categorization, this is the formal assignment of responsibility to an individual or group.
Process/Policy Review
Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.
UL TL-15 Safe Rating
Safes with an Underwriters Laboratories rating that have passed standardized tests as defined in Underwriters Laboratories Standard 687 using tools and an expert group of safe-testing engineers. The safe rating label requires that the safe be constructed of 1-inch solid steel or equivalent. The label means that the safe has been tested for a net working time of 15 minutes using "common hand tools, drills, punches, hammers, and pressure applying devices." Net working time means that when the tool comes off the safe, the clock stops. Engineers exercise more than 50 different types of attacks that have proven effective for safecracking.
What is SD3+C?
Secure by Design, Secure by Default, Secure in Deployment and Communication
Security standards
Security baselines are below what?
Safeguards
Security controls, or countermeasures, that remove or reduce a vulnerability or protect against one or more specific threats. A safeguard can be installing a software patch, making a configuration change, hiring security guards, altering the infrastructure, modifying processes, improving the security policy, training personnel more effectively, electrifying a perimeter fence, installing lights, and so on. It is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability anywhere within an organization.
A. What a security system should do by design
Security functional requirements describe which of the following? A. What a security system should do by design B. What controls a security system must implement C. Quality assurance description and testing approach D. How to implement the system
Security policies
Security standards are the next level below what?
Unethical practices listed in RFC 1087
Seeks to gain unauthorized access to the resources of the internet Disrupts the intended use of the internet Wastes resources (people, capacity, computer) through such actions Destroys the integrity of computer-based information Compromises the privacy of users
Focused on Attackers
Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker's goals. For example, a government is often able to identify potential attackers and recognize what the attackers want to achieve. They can then use this knowledge to identify and protect their relevant assets. A challenge with this approach is that new attackers can appear that weren't previously considered a threat.
The meaning of the acronym STRIDE, the threat categorization scheme developed by Microsoft.
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service (DoS), Elevation of privilege
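STRIDE is most useful when it is applied to each element of the decomposed system (the processes, data stores, external entities, and data flow paths, with the trust boundaries they cross) rather than to the system as a whole. The following is an added example, not code from the course material or from Microsoft: it encodes the STRIDE-per-element heuristic (the threat categories that typically apply to each kind of data-flow-diagram element) over a small constructed diagram. The element names, trust zones, and the extra rule that flags Spoofing on any flow crossing a trust boundary are assumptions of this example.

```python
# Added example (not from the course material): STRIDE applied per element of
# a decomposed system. The category-per-element table follows the commonly
# published STRIDE-per-element heuristic; the sample diagram, zone names, and
# the boundary-crossing Spoofing rule are constructed assumptions.
from dataclasses import dataclass

S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information Disclosure", "Denial of Service",
                    "Elevation of Privilege")

# Threat categories that typically apply to each data-flow-diagram element kind.
STRIDE_PER_ELEMENT = {
    "external_entity": (S, R),
    "process":         (S, T, R, I, D, E),
    "data_store":      (T, R, I, D),
    "data_flow":       (T, I, D),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of STRIDE_PER_ELEMENT
    zone: str   # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


def crosses_trust_boundary(flow: Flow) -> bool:
    return flow.src.zone != flow.dst.zone


def boundary_crossings(flows):
    """Flows that cross a trust boundary: these are the input points where the
    receiving side must validate what arrives."""
    return [fl.name for fl in flows if crosses_trust_boundary(fl)]


def enumerate_threats(elements, flows):
    """Map every element and flow to the STRIDE categories to examine.

    Flows get the data-flow categories; a flow crossing a trust boundary also
    gets Spoofing (assumption of this example), because the receiver cannot
    take the sender's identity for granted across the boundary.
    """
    threats = {el.name: list(STRIDE_PER_ELEMENT[el.kind]) for el in elements}
    for fl in flows:
        cats = list(STRIDE_PER_ELEMENT["data_flow"])
        if crosses_trust_boundary(fl):
            cats.append(S)
        threats[fl.name] = cats
    return threats


# Constructed sample diagram: browser -> web app -> database, plus a local audit log.
BROWSER = Element("browser", "external_entity", "internet")
WEBAPP = Element("web app", "process", "dmz")
ORDERS_DB = Element("orders db", "data_store", "internal")
AUDIT_LOG = Element("audit log", "data_store", "dmz")
ELEMENTS = [BROWSER, WEBAPP, ORDERS_DB, AUDIT_LOG]
FLOWS = [
    Flow("http request", BROWSER, WEBAPP),
    Flow("sql query", WEBAPP, ORDERS_DB),
    Flow("audit write", WEBAPP, AUDIT_LOG),
]

if __name__ == "__main__":
    for name, cats in enumerate_threats(ELEMENTS, FLOWS).items():
        print(f"{name:14s} {', '.join(cats)}")
    print("boundary crossings:", boundary_crossings(FLOWS))
```

The output is a checklist, not a finding: each (element, category) pair is a question to ask ("how could the sql query flow be tampered with?"), which is where the reduction analysis and the later attack modeling pick up.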
The 7 stages of PASTA Each stage of PASTA has a specific list of objectives to achieve and deliverables to produce in order to complete the stage.
Stage I: Definition of the Objectives (DO) for the Analysis of Risks Stage II: Definition of the Technical Scope (DTS) Stage III: Application Decomposition and Analysis (ADA) Stage IV: Threat Analysis (TA) Stage V: Weakness and Vulnerability Analysis (WVA) Stage VI: Attack Modeling & Simulation (AMS) Stage VII: Risk Analysis & Management (RAM)
The six major steps or phases in quantitative risk analysis
Step 1. Inventory assets and assign a value Step 2. Research each asset Step 3. Perform a threat analysis Step 4. Derive the overall loss Step 5. Research countermeasures Step 6. Perform a cost/benefit analysis
Procedures
Step-by-step instructions on how to perform a specific security activity (configure a firewall, install an operating system, and others)
True
T or F A PP has an intro, TOE description, and security environment with 3 more subsections.
True
T or F Although STRIDE is typically used to focus on application threats, it is applicable to other situations, such as network threats and host threats.
True
T or F Assurance levels in the Common Criteria above Evaluation Assurance Level (EAL) 4 are typically reserved for national government systems.
True
T or F Assurance requirements describe how functional requirements should be implemented and tested.
True
T or F Class A1 systems must meet five important criteria for design verification, independent of the particular specification language or verification system used.
True They use specific operating systems and hardware to perform the task and generally lack standard interfaces to allow connection to other systems. The user is generally limited in the applications and programming languages available.
T or F Closed systems are proprietary in nature.
True
T or F Computer security policies come in four types.
True
T or F Copyright law protects only the actual text of the source code and doesn't prohibit others from rewriting your code in a different form and accomplishing the same objective.
True
T or F Copyrights and patents both provide protection for a limited period of time. Once your legal protection expires, other firms are free to use your work at will (and they have all the details from the public disclosure you made during the application process!).
True
T or F Filing a copyright or patent application requires that you publicly disclose the details of your work or invention. This automatically removes the "secret" nature of your property and may harm your firm by removing the mystique surrounding a product or by allowing unscrupulous competitors to copy your property in violation of international intellectual property laws.
True
T or F Functional requirements describe what a system should do.
True
T or F ISPs are not held liable for users who violate copyright law over their circuits as long as the following conditions from the DMCA are met: - The transmission must be initiated by a person other than the provider. - The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider. - The service provider must not determine the recipients of the material. - Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary. - The material must be transmitted with no modification to its content.
True
T or F In "The ring of trust" Trust in a system moves from the outside to the inside in a unidirectional mode.
True
T or F In 1994, Congress recognized that the face of computer security had drastically changed since the CFAA was last amended in 1986 and made a number of sweeping changes to the act. Collectively, these changes (CFAA Amendments) are referred to as the Computer Abuse Amendments Act of 1994 and included the following provisions: - Outlawed the creation of any type of malicious code that might cause damage to a computer system - Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems - Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage - Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages
True
T or F In the United States, trademarks are granted for an initial period of 10 years and can be renewed for unlimited successive 10-year periods.
True
T or F Most qualitative risk analysis methodologies make use of interrelated elements: Threats Vulnerabilities Controls
True
T or F Multics was the first operating system to provide a hierarchical file system
True Once a diagram has been crafted, identify all of the technologies involved. This would include operating systems, applications (network service and client based), and protocols. Be specific as to the version numbers and update/patch level in use. Next, identify attacks that could be targeted at each element of the diagram. Keep in mind that all forms of attacks should be considered, including logical/technical, physical, and social. For example, be sure to include spoofing, tampering, and social engineering. This process will quickly lead you into the next phase of threat modeling: reduction analysis.
T or F Once an understanding has been gained in regard to the threats facing your development project or deployed infrastructure, the next step in threat modeling is to determine the potential attack concepts that could be realized. This is often accomplished through the creation of a diagram of the elements involved in a transaction along with indications of data flow and privilege boundaries
True
T or F PCI DSS has 12 main requirements. Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks. Protect all systems against malware and regularly update antivirus software or programs. Develop and maintain secure systems and applications. Restrict access to cardholder data by business need-to-know. Identify and authenticate access to system components. Restrict physical access to cardholder data. Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain a policy that addresses information security for all personnel.
True
T or F Patent law does not provide adequate protection for computer software products.
True
T or F Security assurance divisions above Division C are usually reserved for governmental systems and are rarely found in the commercial world unless the company acts as a subcontractor to government agencies requiring such protections.
True
T or F Service providers for caching, search engines, and the storage of data must take prompt action to remove copyrighted materials upon notification of the infringement.
True
T or F TCSEC provided classes (or divisions) of trust that are roughly equivalent to object classifications of Unclassified, Secret, Top Secret, and beyond Top Secret, using the letters D, C, B, and A, respectively.
True A security policy does not define who is to do what but rather defines what must be done by the various roles within the security infrastructure. Then these defined security roles are assigned to individuals as a job description or an assigned work task.
T or F Tasks and responsibilities in regards to developing a security policy should not be assigned to an individual person, but rather to a job function or role.
True For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is 0.5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as a compromised user account) is 15, then the ALE would be $1,350,000.
T or F The ALE is calculated using the following formula: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO) Or more simply: ALE = SLE * ARO
True
T or F The CC breaks apart the functional and assurance requirements into distinct elements that users can select for customized security device implementation.
True
T or F The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) is the Canadian equivalent of the TCSEC.
True
T or F The Electronic Discovery Reference Model describes a standard process for conducting eDiscovery with nine steps: Information Governance ensures that information is well organized for future eDiscovery efforts. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. Preservation ensures that potentially discoverable information is protected against alteration or deletion. Collection gathers the responsive information centrally for use in the eDiscovery process. Processing screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening. Review examines the remaining information to determine what information is responsive to the request and to remove any information protected by attorney-client privilege. Analysis performs deeper inspection of the content and context of the remaining information. Production places the information into a format that may be shared with others. Presentation displays the information to witnesses, the court, and other parties.
True
T or F The Federal Criteria for Information Technology Security (Federal Criteria, or FC) was developed as a joint project by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
True
T or F The Federal Criteria was an attempt to develop a set of newer criteria to replace the aging TCSEC. It introduces the concept of a protection profile (PP) that empowers users or buyers of technology to specify their security requirements for hardware and software.
True
T or F The ITSEC places increased emphasis on integrity and availability and attempts to provide a uniform approach to the evaluation of both products and systems. It also introduces the security target (ST), a written document that contains these components: - A system security policy - Required security-enforcing functions - Required security mechanisms - Claimed ratings of minimum strength - Target evaluation levels, expressed as both functional and evaluation (F-xx and E-yy)
True
T or F The International Safe Harbor Principles include the following privacy guidelines: Notice: Companies must notify individuals about what personally identifying information they are collecting, why they are collecting it, and how to contact the collectors. Choice: Individuals must be able to choose whether and how their personal information is used by, or disclosed to, third parties. Onward transfer: Third parties receiving personal information must provide the same level of privacy protection as the company from which the information is obtained. Security: Companies housing personal information and sensitive data must secure the data and prevent its loss, misuse, disclosure, alteration, and unauthorized access. Data integrity: Companies must be able to reassure individuals that their data is complete, accurate, current, and used for the stated purposes only. Access: Individuals must have the right and ability to access their information and correct, modify, or delete any portion of it. Enforcement: Each company must adopt policies and practices that enforce the aforementioned privacy principles.
True For example: The SLE is expressed in a dollar value. For example, if an asset is valued at $200,000 and it has an EF of 45 percent for a specific threat, then the SLE of the threat for that asset is $90,000.
T or F The SLE is calculated using the following formula: SLE = asset value (AV) * exposure factor (EF) or more simply: SLE = AV * EF
True
T or F The acceptance of a trademark application in the United States depends on these two main requirements: - The trademark must not be confusingly similar to another trademark—you should determine this during your attorney's due diligence search. There will be an open opposition period during which other companies may dispute your trademark application. - The trademark should not be descriptive of the goods and services that you will offer. For example, "Mike's Software Company" would not be a good trademark candidate because it describes the product produced by the company. The USPTO may reject an application if it considers the trademark descriptive.
True
T or F The annual costs of safeguards should not exceed the expected annual cost of asset loss.
True
T or F The following are PCI DSS requirements: Preserve the stored cardholder data; Limit the physical access to cardholder data; Develop and preserve secure systems and applications; Monitor all access to network resources and cardholder data.
True
T or F The following are elements of an effective information security program. - Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization - Policies and procedures that are based on risk assessments, cost-effectively reducing information security risks to an acceptable level and ensuring that information security is addressed throughout the lifecycle of each organizational information system - Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate - Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks - Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually - A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization - Procedures for detecting, reporting, and responding to security incidents - Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
True
T or F The main objective of trademark protection is to avoid confusion in the marketplace while protecting the intellectual property rights of people and organizations.
True
T or F The major provisions of the original Comprehensive Crime Control Act (CCCA) of 1984 made it a crime to perform the following: - Access classified information or financial information in a federal system without authorization or in excess of authorized privileges - Access a computer used exclusively by the federal government without authorization - Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself) - Cause malicious damage to a federal computer system in excess of $1,000 - Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual - Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system
True The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and systems development lifecycle (SDLC).
T or F The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.
True Threat modeling identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.
T or F Threat modeling is the security process where potential threats are identified, categorized, and analyzed.
True
T or F To qualify for Privacy Shield protection, U.S. companies conducting business in Europe must meet the seven requirements for the processing of personal information: 1. Informing Individuals About Data Processing 2. Providing Free and Accessible Dispute Resolution 3. Cooperating with the Department of Commerce 4. Maintaining Data Integrity and Purpose Limitation 5. Ensuring Accountability for Data Transferred to Third Parties 6. Transparency Related to Enforcement Actions 7. Ensuring Commitments Are Kept As Long As Data Is Held
True
T or F Trade secret protection is one of the best ways to protect computer software.
True If you use a trademark in the course of your public activities, you are automatically protected under any relevant trademark law and can use the ™ symbol to show that you intend to protect words or slogans as trademarks. If you want official recognition of your trademark, you can register it with the United States Patent and Trademark Office (USPTO).
T or F Trademarks do not need to be officially registered to gain protection under the law.
True
T or F Two basic types of risk analysis exist: quantitative and qualitative.
True
T or F Using the CC framework, users and developers of IT security products create protection profiles (PPs) as an implementation-independent collection of objectives and requirements for any given category of products or systems that must meet similar needs (such as firewalls). Protection profiles are needed to support defining functional standards and serve as an aid in specifying needs for procurement purposes.
True
T or F When Congress passed the CFAA, it raised the threshold of damage from $1,000 to $5,000 but also dramatically altered the scope of the regulation. Instead of merely covering federal computers that processed sensitive information, the act was changed to cover all "federal interest" computers. This widened the coverage of the act to include the following: - Any computer used exclusively by the U.S. government - Any computer used exclusively by a financial institution - Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system - Any combination of computers used to commit an offense when they are not all located in the same state
True When engaging third-party assessment and monitoring services, keep in mind that the external entity needs to show security-mindedness in their business operations. If an external organization is unable to manage their own internal operations on a secure basis, how can they provide reliable security management functions for yours?
T or F When evaluating a third party for your security integration, you should consider the following processes: On-Site Assessment, Document Exchange and Review, Process/Policy Review, Third-Party Audit
True
T or F risk = threat * vulnerability
True
T or F Common taxonomy for commercial businesses might provide for the following classes: Public information, Business sensitive or business confidential, Customer confidential, Trade secret
A. A collection of mechanisms to create secure architectures for asset protection Explanation: Access Control Systems and Methodology domain includes understanding identification, authentication, authorization, and logging and monitoring techniques and technologies, understanding access control attacks, assessing effectiveness of access controls and understanding the identity and access provisioning life cycle.
The Access Control domain includes which of the following? A. A collection of mechanisms to create secure architectures for asset protection B. Instructions on how to install perimeter door security C. A methodology for applications development D. A methodology for secure data center operations
Biba Integrity Model
The Biba model covers integrity levels, which are analogous to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data. This security model uses a read-up, write-down approach. Subjects cannot read objects of lesser integrity and cannot write to objects of higher integrity. Think of CIA analysts and the information they need to perform their duties. Under this model, an analyst with Top Secret clearance can see only information that's labeled as Top Secret with respect to integrity (confirmed by multiple sources, and so forth); likewise, this analyst can contribute information only at his or her clearance level. People with higher clearances are not "poisoned" with data from a lower level of integrity and cannot poison those with clearances higher than theirs.
Single Loss Expectancy (SLE)
The EF is needed to calculate the __________. The __________ is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
B. Identification of controls over hardware, media, and personnel
The Operations Security domain includes which of the following? A. Mechanisms for secure access to a data center B. Identification of controls over hardware, media, and personnel C. Help-desk support for security incidents D. Consulting on IT projects
Common Law
The United States inherited what law system from England as the basis for most of its legal systems?
Delphi Technique
The __________ is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.
Annualized Rate of Occurrence For example: The ARO of an earthquake in Tulsa may be .00001, whereas the ARO of an earthquake in San Francisco may be .03 (for a 6.7+ magnitude), or you can compare the ARO of an earthquake in Tulsa of .00001 to the ARO of an email virus in an office in Tulsa of 10,000,000.
The __________ is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. The __________ can range from a value of 0.0 (zero), indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. Calculating the __________ can be complicated. It can be derived from historical records, statistical analysis, or guesswork. __________ calculation is also known as probability determination. The __________ for some threats or risks is calculated by multiplying the likelihood of a single occurrence by the number of users who could initiate the threat.
Exposure Factor
The __________ represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The __________ can also be called the loss potential. In most cases, a realized risk does not result in the total loss of an asset. The __________ simply indicates the expected overall asset value loss because of a single realized risk. The __________ is usually small for assets that are easily replaceable, such as hardware. It can be very large for assets that are irreplaceable or proprietary, such as product designs or a database of customers. The __________ is expressed as a percentage.
Repudiation
The ability of a user or attacker to deny having performed an action or activity. Often attackers engage in these attacks in order to maintain plausible deniability so as not to be held accountable for their actions. These attacks can also result in innocent third parties being blamed for security violations.
Total risk
The amount of risk an organization would face if no safeguards were implemented. threats * vulnerabilities * asset value = total risk
Confidentiality
The concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
supply chain
The concept that most computers, devices, networks, and systems are not built by a single entity.
Fourth Amendment
The direct interpretation of this amendment prohibits government agents from searching private property without a warrant and probable cause.
Federal Sentencing Guidelines
The documents released in 1991 provided punishment guidelines to help federal judges interpret computer crime laws. Three major provisions of these guidelines have had a lasting impact on the information security community.
U.S. Can Stop Terrorism: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
The easy way to remember the names of the five levels of the government or military data classification scheme.
Admissible Evidence
The evidence must be relevant to determining a fact. The fact that the evidence seeks to determine must be material (that is, related) to the case. The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Procedures
The final element of the formalized security policy structure
CDs and DVDs
The first major division of the DMCA was designed to protect copy-prevention mechanisms placed on what kind of medium?
Computer Fraud and Abuse Act (CFAA)
The first major piece of cybercrime-specific legislation in the United States. It was written to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states' rights.
security control assessment (SCA)
The formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.
The National Institute of Standards and Technology (NIST)
The group responsible for developing the FISMA implementation guidelines.
D. All of these
The growing demand for InfoSec specialists is occurring predominantly in which of the following types of organizations? A. Government B. Corporations C. Not-for-profit foundations D. All of these
Top Secret
The highest level of government/military data classification. The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security. This data is compartmentalized on a need-to-know basis such that a user could have this clearance and have access to no data until the user has a need to know.
Risk Mitigation
The implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Picking the most cost-effective or beneficial countermeasure is part of risk management, but it is not an element of risk assessment.
Risk Assignment a.k.a. Risk Transferring
The placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of _______ ________.
Separation of duties
The prevention of conflict of interest, wrongful acts, fraud, abuse, and errors. Also, it is the detection of control failures that include security breaches, information theft, and circumvention of security controls.
risk analysis
The process by which the goals of risk management are achieved.
Risk Deterrence
The process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.
Documentation review
The process of reading the exchanged materials and verifying them against standards and expectations. This review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation.
Risk Avoidance
The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of _______ _______. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.
Risk Acceptance
The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.
Information disclosure
The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. This could include customer identity information, financial information, or proprietary business operation details. This threat type can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in Hypertext Markup Language (HTML) documents), using hidden form fields, or allowing overly detailed error messages to be shown to users.
Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
Trusted Computing Base (TCB)
The totality of protection mechanisms within a computer system, including hardware, firmware, and software. It consists of one or more components that together enforce a unified security policy over a product or system.
Bell-LaPadula model and the Biba integrity model
The two security models that were a major influence for the TCSEC and ITSEC.
Vulnerability
The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.
Admissible Evidence
There are three basic requirements for evidence to be introduced into a court of law.
Children's Online Privacy Protection Act of 1998
This Act makes a series of demands on websites that cater to children or knowingly collect information from children.
Gramm-Leach-Bliley Act of 1999
This Act relaxed the strict governmental regulations between financial institutions. It included a number of limitations on the types of information that could be exchanged even among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all their customers by July 1, 2001.
National Information Infrastructure Protection Act of 1996
This Act, an amendment passed by Congress in the mid-1990s to the Computer Fraud and Abuse Act, included the following main new areas of coverage: - Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce - Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits - Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony
I. Cryptography
This CBK domain contains the stuff of espionage and spy novels. It involves encrypting data so that authorized individuals may view the sensitive data and unauthorized individuals may not. Cryptography is a highly complex topic. The InfoSec specialist needs to understand the function but not necessarily the mechanics of cryptography. Topics include: Identifying the application and use of cryptography Comprehending the cryptographic life cycle Understanding encryption concepts Identifying key management processes Using digital signatures Identifying nonrepudiation Recognizing the methods of cryptanalytic attacks Using cryptography to maintain network security Using cryptography to maintain application security Understanding the public key infrastructure (PKI) Identifying certificate-related issues Understanding information-hiding alternatives ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
G. Access Control
This CBK domain covers who may access the system, and what they can do after they are signed on. Topics include: Understanding identification, authentication, authorization, and logging and monitoring techniques and technologies Understanding access control attacks Assessing effectiveness of access controls Understanding the identity and access provisioning life cycle ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
J. Telecommunications and Network Security
This CBK domain covers another technical segment of the CBK. Topics include not just network topologies, but also their weaknesses and defenses. Many of the operational tools, such as firewalls, fall into this domain, along with the following subject areas: Understanding secure network architecture and design Securing network components Establishing secure communications channels (VPN, SSL, and so on) Understanding network attacks (denial of service, spoofing, and so on) ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
C. Legal Regulations, Investigations, and Compliance
This CBK domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security. Topics include: Understanding legal issues that pertain to information security internationally Adopting professional ethics Understanding and supporting investigations Understanding forensic procedures Following compliance requirements and procedures Ensuring security in contractual agreements and procurement processes (such as cloud computing, outsourcing, and vendor governance) ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
E. Operations Security
This CBK domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges. Topics include: Understanding security operations concepts (need-to-know, separation of duties, and so on) Employing resource protection Managing incident response Implementing preventable measures against attacks Implementing and supporting patch and vulnerability management Understanding change and configuration management Understanding system resilience and fault-tolerant requirements ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
A. Business Continuity and Disaster Recovery Planning
This CBK domain demonstrates business continuity requirements, conducting business impact analysis, developing a recovery strategy, understanding the disaster recovery process, exercising, assessing, and maintaining the plans. Topics include: Understanding business continuity requirements Conducting business impact analysis Developing a recovery strategy Understanding the disaster recovery process Exercising, assessing, and maintaining the plans ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
H. Security Architecture and Design
This CBK domain discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability. Topics include: Understanding the fundamental concepts of security models (confidentiality models, integrity models, and multilevel models) Identifying the components of information systems security evaluation models (such as Common Criteria) Understanding security capabilities of information systems (memory protection, trusted platform modules, and so on) Pinpointing the vulnerabilities of security architectures Recognizing software and system vulnerabilities and threats Understanding countermeasure principles (such as defense in depth) ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
F. Information Security Governance and Risk Management
This CBK domain emphasizes the importance of a comprehensive security plan that includes security policies and procedures for protecting data and how it is administered. Topics include: Understanding and aligning security functions with the goals, mission, and objectives of the organization Understanding and applying security governance Understanding and applying concepts of confidentiality, integrity, and availability Developing and implementing security policies Managing the information life cycle (classification, categorization, and ownership) Managing third-party governance (on-site assessments, document exchange and review, process and policy reviews) Understanding and applying risk management concepts Managing personnel security Developing and managing security education, training, and awareness Managing the security function (budgets, metrics, and so on) ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
D. Software Development Security
This CBK domain focuses on sound and secure application development techniques. This domain requires a good understanding of the controls needed for the software development life cycle (SDLC), and how they're applied during each phase. Topics include: - Understanding and applying security in the SDLC - Understanding the environment and security controls - Assessing the effectiveness of software security ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
B. Physical (Environmental) Security
This CBK domain includes securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth. Topics include: - Understanding site and facility design considerations - Supporting the implementation and operation of perimeter security (physical access controls and monitoring, keys, locks, safes, and so on) - Supporting the implementation and operation of facilities security (badges, smart cards, PINs, and so on) - Supporting the protection and securing of equipment - Understanding personnel privacy and safety (duress, travel, and so on) ANSWER CHOICES: A. Business Continuity and Disaster Recovery Planning B. Physical (Environmental) Security C. Legal Regulations, Investigations, and Compliance D. Software Development Security E. Operations Security F. Information Security Governance and Risk Management G. Access Control H. Security Architecture and Design I. Cryptography J. Telecommunications and Network Security
Security Professional
This role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.
UL TL-30 Safe Rating
This Underwriters Laboratories rating test is essentially the same as the TL-15 test, except for the net working time. Testers get 30 minutes and a few more tools to help them gain access. Testing engineers usually have a safe's manufacturing blueprints and can disassemble the safe before the test begins to see how it works.
Advisory policy
This category of a security policy discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management's desires for security and compliance within an organization. Most policies are in this category.
Information policy
This category of a security policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. It provides support, research, or background information relevant to the specific elements of the overall policy.
Regulatory policy
This category of a security policy is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance.
Licensing
This category of copyright law protects software licensing agreements.
Trade Secret
This category of copyright law protects the intellectual property of businesses: property that is absolutely critical to their business and whose disclosure to competitors and/or the public would result in significant damage.
Patents
This category of copyright law protects the intellectual property rights of inventors. They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (whether directly or via licensing agreements). At the end of the patent exclusivity period, the invention is in the public domain, available for anyone to use.
Confidential
This common business/private sector data classification level is the highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if this type of data is disclosed. Sometimes the label proprietary is substituted. Sometimes proprietary data is considered a specific form of this type of information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.
Public
This common business/private sector data classification level is the lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.
Sensitive
This common business/private sector data classification level is used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed.
Private
This common business/private sector data classification level is used for data that is of a private or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed.
Security governance
This is the collection of practices related to supporting, defining, and directing the security efforts of an organization. This is closely related to and often intertwined with corporate and IT governance.
Third-party governance
This is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. These auditors might be designated by a governing body or might be consultants hired by the target organization.
Secret
This level of government/military data classification is used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security.
Confidential
This level of government/military data classification is used for data of a sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of data with this classification level will have noticeable effects and cause serious damage to national security. This classification is used for all data between secret and sensitive but unclassified classifications.
Sensitive But Unclassified (SBU)
This level of government/military data classification is used for data that is for internal use or for office use only (FOUO). Often this data classification is used to protect information that could violate the privacy rights of individuals. This is not technically a classification label; instead, it is a marking or label used to indicate use or management.
Unclassified
This level of government/military data classification is used for data that is neither sensitive nor classified. The disclosure of this type of data does not compromise confidentiality or cause any noticeable damage. This is not technically a classification label; instead, it is a marking or label used to indicate use or management.
Focused on Assets
This method uses asset valuation results and attempts to identify threats to the valuable assets. For example, a specific asset can be evaluated to determine if it is susceptible to an attack. If the asset hosts data, access controls can be evaluated to identify threats that can bypass authentication or authorization mechanisms.
The International Organization on Computer Evidence (IOCE)
This organization outlines six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
Part 1: Introduction and General Model
This part of the CEM describes agreed-upon principles of evaluation and introduces agreed-upon evaluation terminology dealing with the process of evaluation.
Part 2: CC Evaluation Methodology
This part of the CEM is based on CC Part 3 evaluator actions. It uses well-defined assertions to refine CC Part 3 evaluator actions and tangible evaluator activities to determine requirement compliance. In addition, it offers guidance to further clarify the intent of evaluator actions. This part provides methodologies to evaluate the following: - PPs - STs - EAL1 - EAL2 - EAL3 - EAL4 - EAL5 - EAL6 - EAL7 - Components not included in an EAL
Part 3: Extensions to the Methodology
This part of the CEM takes full advantage of the evaluation results. This part includes topics such as guidance on the composition and content of evaluation document deliverables.
Issue-specific policy
This policy addresses specific issues of concern to the organization. These issues could be regulatory in nature—for example, the Payment Card Industry (PCI) data security standard, Sarbanes-Oxley (SOX), or the Gramm-Leach-Bliley Act (GLBA), to name a few.
Program-framework policy
This policy establishes the overall approach to computer security (as a computer security framework). This policy adds detail to the program by describing the elements and organization of the program and department that will carry out the security mission.
System-specific policy
This policy focuses on policy issues that management has decided for a specific system.
Program-level policy
This policy is used for creating a management-sponsored computer security program. This policy, at the highest level, might prescribe the need for information security and can delegate the creation and management of the program to a role within the IT department. Think of this as the mission statement for the IT security program.
Chain Of Evidence (a.k.a. Chain Of Custody)
This process documents everyone who handles evidence—including the police who originally collect it, the evidence technicians who process it, and the lawyers who use it in court. The location of the evidence must be fully documented from the moment it was collected to the moment it appears in court to ensure that it is indeed the same item. This requires thorough labeling of evidence and comprehensive logs noting who had access to the evidence at specific times and the reasons they required such access.
User
This role is assigned to any person who has access to the secured system. Their access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position (the principle of least privilege). They are responsible for understanding and upholding the security policy of an organization by following prescribed operational procedures and operating within defined security parameters.
Data Owner
This role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. They are typically a high-level manager who is ultimately responsible for data protection.
Senior Manager
This role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. They sign off on all policy issues.
Data Custodian
This role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. They perform all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification.
Auditor
This role is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. They may be assigned to a security professional or a trained user. The auditor produces compliance and effectiveness reports that are reviewed by the senior manager.
C-Rate Safe Rating
This safe rating is defined as a variably thick steel box with a 1-inch-thick door and a lock. No tests are conducted to provide this rating, either.
Strategic Plan
This security plan is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to define the security function and align it with the goals, mission, and objectives of the organization. It's useful for about five years if it is maintained and updated annually. This plan also serves as the planning horizon. Long-term goals and visions for the future are discussed in this plan. This plan should include a risk assessment.
Tactical Plan
This security plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. This plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. Some examples of these plans are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans.
Operational Plan
This security plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. These plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. These plans spell out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. These plans include details on how the implementation processes are in compliance with the organization's security policy. Examples of these plans are training plans, system deployment plans, and product design plans.
Acceptable Use Policy
This security policy is a commonly produced document that exists as part of the overall security documentation infrastructure. The use of this policy is specifically designed to assign security roles within the organization as well as ensure the responsibilities tied to those roles. This policy defines a level of acceptable performance and expectation of behavior and activity. Failure to comply with the policy may result in job action warnings, penalties, or termination.
Civil Investigations
This type of investigation uses the weaker preponderance of the evidence standard. Meeting this standard simply requires that the evidence demonstrate that the outcome of the case is more likely than not. For this reason, evidence collection standards for these types of investigations are not as rigorous as those used in criminal investigations.
reactive approach This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing. Although these processes are often useful in finding flaws and threats that need to be addressed, they unfortunately result in additional coding effort to add new countermeasures. Returning to the design phase might produce better products in the long run, but starting over from scratch is massively expensive and causes significant delays to product release. Thus, the shortcut is to craft updates or patches to be added to the product after deployment.
This type of threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach.
proactive approach This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches.
This type of threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach.
What are the two goals of SD3+C?
- To reduce the number of security-related design and coding defects - To reduce the severity of any remaining defects
Five levels of government/military classification
Top secret, Secret, Confidential, Sensitive but unclassified, Unclassified.
Standards and baselines
Topic-specific (standards) and system-specific (baselines) documents that describe overall requirements for security
True
True or False Gathering Evidence allows three common alternatives: Voluntary surrender, subpoena, search warrant
True
True or False The chain of custody evidence label should include the following types of information regarding the collection: - General description of the evidence - Time and date the evidence was collected - Exact location the evidence was collected from - Name of the person collecting the evidence - Relevant circumstances surrounding the collection
True
True or False The governing body that administers the CISSP certification is the International Information Systems Security Certification Consortium. The code it developed provides the basis for CISSP behavior. It is a simple code with a preamble and four canons; one canon is to provide diligent and competent service to principals.
True
True or False Two additional evidence rules apply specifically to documentary evidence: The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. Copies or descriptions of original evidence (known as secondary evidence) will not be accepted as evidence unless certain exceptions to the rule apply. The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
The Five Key Concepts in the Decomposition process.
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach
Economic Espionage Act of 1996
Two major provisions of this Act: - Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years. - Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.
business case Explanation: A business case is often made to justify the start of a new project, especially a project related to security.
Usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
On-Site Assessment
Visit the site of the organization to interview personnel and observe their operating habits.
Major categories of physical security threats defined by the CBK
- Weather: Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, and so forth - Fire/chemical: Explosions, toxic waste/gases, smoke, and fire - Earth movement: Earthquakes and mudslides - Structural failure: Building collapse because of snow/ice or moving objects (cars, trucks, airplanes, and so forth) - Energy: Loss of power, radiation, magnetic wave interference, and so forth - Biological: Virus, bacteria, and infestations of animals or insects - Human: Strikes, sabotage, terrorism, and war
Plain text
When ciphertext is passed through a decryption algorithm, it becomes _________.
Functional and assurance Explanation: Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested.
Which of the following best represents the two types of IT security requirements? A. Functional and logical B. Logical and physical C. Functional and assurance D. Functional and physical
D. A description of specific technologies used in the field of information security regulations Explanation: Policies are the most crucial element in a corporate information security infrastructure and must be considered long before security technology is acquired and deployed.
Which of the following choices is not part of a security policy? A. A definition of overall steps of information security and the importance of security B. A statement of management intent, supporting the goals and principles of information security C. A definition of general and specific responsibilities for information security management D. A description of specific technologies used in the field of information security regulations
Labor walkout
Which of the following events is considered a man-made disaster? A. Earthquake B. Tornado C. Flooding caused by a broken water main D. Labor walkout
D. Personnel safety
Which of the following is the number one priority of disaster response? A. Hardware protection B. Software protection C. Transaction processing D. Personnel safety
A. Division A, Division B, Division C, Division D
Which of the following places the Orange Book classifications in order from most secure to least secure? A. Division A, Division B, Division C, Division D B. Division D, Division C, Division B, Division A C. Division D, Division B, Division A, Division C D. Division C, Division D, Division B, Division A
A. Confidentiality, integrity, and availability Explanation: These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs.
Which of the following represents the three goals of information security? A. Confidentiality, integrity, and availability B. Prevention, detection, and response C. People controls, process controls, and technology controls D. Network security, PC security, and mainframe security
C. Employee bonding to protect against losses due to theft Explanation: Policies, standards, procedures and practices issued by human resources should address internal information security processes and functions. These documents should address pre-employment screening and background checks, processes for handling employee termination, creation and revocation of employee accounts, email and voice mail forwarding after departure, lock keys and safe combination changes, system password changes, and company property collections upon departure (for badges, credit cards, and so forth).
Which of the following should not be addressed by employee termination practices? A. Removal of the employee from active payroll files B. Return of access badges C. Employee bonding to protect against losses due to theft D. Deletion of assigned logon ID and passwords to prohibit system access
B. IT security measures should be tailored to meet organizational security goals. Explanation: IT security measures (controls) are risk-reducing acts (goals) that detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats.
Which of the following statements best describes IT security measures? A. IT security measures should be complex. B. IT security measures should be tailored to meet organizational security goals. C. IT security measures should make sure that every asset of the organization is well protected. D. IT security measures should not be developed in a layered fashion.
A. The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals.
Which of the following statements best describes the information security Common Body of Knowledge? A. The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals. B. The information security Common Body of Knowledge is a volume of books published by the ISC2. C. The information security Common Body of Knowledge is a reference list of books and other publications put together by practitioners in information security. D. The information security Common Body of Knowledge is an encyclopedia of information security principles, best practices, and regulations.
B. Both plans describe preventative, not reactive, security procedures. Explanation: The business continuity plan (BCP) describes the critical processes, procedures, and personnel that must be protected in the event of an emergency (preventative). The disaster recovery plan (DRP) describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations (reactive).
Which of the following statements is not true about the BCP and DRP? A. Both plans deal with security infractions after they occur. B. Both plans describe preventative, not reactive, security procedures. C. The BCP and DRP share the goal of maintaining "business as usual" activities. D. They belong to the same domain of the Common Body of Knowledge.
B. Controls are implemented to mitigate risk and reduce the potential for loss. Explanation: Controls mitigate a wide variety of information security risks and reduce loss.
Which of the following statements is true? A. Controls are implemented to eliminate risk and eliminate the potential for loss. B. Controls are implemented to mitigate risk and reduce the potential for loss. C. Controls are implemented to eliminate risk and reduce the potential for loss. D. Controls are implemented to mitigate risk and eliminate the potential for loss.
C. Trusted computing base Explanation: The Trusted Computing Base (TCB) is the totality of protection mechanisms within a computer system, including hardware, firmware, and software.
Which of the following terms best defines the sum of protection mechanisms inside the computer, including hardware, firmware, and software? A. Trusted system B. Security kernel C. Trusted computing base D. Security perimeter
A. Multiprocessing Explanation: Multiprocessing provides for simultaneous execution of two or more programs by a processor (CPU). This can alternatively be done through parallel processing of a single program by two or more processors in a multiprocessor system that all have common access to main storage.
Which of the following terms best describes a computer that uses more than one CPU in parallel to execute instructions? A. Multiprocessing B. Multitasking C. Multithreading D. Parallel running
D. Integrity Explanation: The Biba model covers integrity levels, which are analogous to the sensitivity levels of the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data.
Which of the following terms best describes the primary concern of the Biba security model? A. Confidentiality B. Reliability C. Availability D. Integrity
D. Risk Explanation: Risk involves looking at what the consequence of a loss is and the likelihood that this loss will occur.
Which of the following terms best describes the probability that a threat to an information system will materialize? A. Threat B. Vulnerability C. Hole D. Risk
B. A vulnerability
Which of the following would be defined as an absence or weakness of a safeguard that could be exploited? A. A threat B. A vulnerability C. A risk D. An exposure
digesting data or creating a message digest
With a computer program, a document is run through a one-way hashing formula to produce a small numeric value that's unique but easily repeatable for that exact stream of data.
targets of evaluation (TOE)
_______ _______ _______ are the specific products or systems that fall into an evaluation against an existing PP. The sets of evidence about a TOE and the TOE itself form the inputs to a security target (ST) that certified independent evaluators use as the basis for evaluation.
Protection Profiles
_______ _______ work as a generic description of product and environmental requirements
Qualitative Risk Analysis The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis: - Brainstorming - Delphi technique - Storyboarding - Focus groups - Surveys - Questionnaires - Checklists - One-on-one meetings - Interviews
__________ analysis is more scenario based than it is calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects.
Exposure
being susceptible to asset loss because of a threat
cryptosystem
disguises messages, allowing only selected people to see through the disguise.
multiprogramming system
permits the interleaved execution of two or more programs on a processor.
Multiprocessing
provides for simultaneous execution of two or more programs by a processor (CPU). This can alternatively be done through parallel processing of a single program by two or more processors in a multiprocessor system that all have common access to main storage.
The Trusted Network Interpretation (TNI) of the TCSEC
the Red Book of the Rainbow Series. This document restates the requirements of the TCSEC in a network context, as contrasted with the TCSEC's focus on stand-alone and non-networked environments.
Plain text
the message that is passed through an encryption algorithm to become ciphertext
Risk
the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset
Cryptanalysis
the science (or art) of breaking a cryptosystem.
Cryptography
the science (or art) of designing, building, and using cryptosystems.
Cryptology
the umbrella study of cryptography and cryptanalysis.