ISM 4323 Final

What is an information security incident? What are the basic steps involved in handling an incident?

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. 1. Preparation 2. Detection and Analysis 3. Containment 4. Post-Incident Analysis

What is the policy cycle? Why does policy development proceed through a cycle?

A policy cycle is the incident response cycle for when each incident policies will be need to made because of each incident will happen. There is a writing the policy, impact assessment and promulgation, and review.

What is an information security policy? What is a standard? How are standards different from policies? How are the two similar?

A policy is a document of records that records a high-level principle or course of action that has been decided on. A standard is a set of rules that are accepted and adopted by several organizations. A policy is a general path for an organization to follow, while standards are instructions on how to stay on that path. Both policies and standards should be implemented so that all members understand the information security goals within the organization.

What is the wtmp file? What is the utmp file? How can the information in these files be useful?

A wtmp file is a file that has historical login and logout information. The information is useful in finding out who was the most recent person to log into a system. A umtp file is a file that shows currently logged in users. If an unknown host is seen the system can go into incident response mode.

Briefly describe the terms Access Control and User Management and their role in information security

Access control is the act of limiting access to information system resources only to authorized users, programs, processes or other systems. They establish what users are allowed to do within a system. Typically, access controls refer to files and directories that an individual may or may not have the ability to read, modify or delete. A key component of access control is user management, which defines the rights of members towards information in an organization. Access controls make sure that the confidentiality of information stays intact by only allowing authorized individuals view, modify, or delete certain files in the system. Integrity is also upheld with access controls by not letting unauthorized members edit documents. User management will update new members and remove terminated employees. Good user management will also track when users change roles and update their access controls as needed.

What is incident response policy? What is a disaster? What is disaster recovery? What is business impact analysis?

An incident response policy explains the methods an organization should use when an incident occurs. A disaster is a catastrophic event that causes destruction to an organization. Disaster recovery is the process created by the IT department that brings systems back up and running. Business Impact Analysis is the identification of services and products that are critical to the organization. It uses the asset identification we learned about earlier and makes plans based off of them.

What is asset characterization? What is asset sensitivity? What are the different classes of sensitivity commonly used to characterize assets?

Asset characterization helps dedicate resources appropriately toward protecting assets. Asset sensitivity describes how much damage a breach of confidentiality or violation of integrity of an asset would cause to organization. Restricted asset is an asset in which disclosure or alteration would have adverse consequences for the organization. Unrestricted assets are assets not classified or restricted, so if the data was leaked or viewed by someone it would not cause problems for the organization.

What is asset criticality? What are the different classes of criticality commonly used to characterize assets?

Asset criticality is a measure of the importance of an asset to the immediate survival od an organization. Essential asset should be considered essential if the loss of availability would cause immediate severe repercussions for the organization. Required asset is considered required when it is important to the organization but the organization would be able to continue to operate for a period of time even if the asset is not available. Deferrable asset is an asset that is needed for optimal operation of the organization but whose loss of availability would not cause major issues to the organization in the near term.

What is a credential? What are the 3 categories of credentials?

Credentials are pieces of information used to verify one's identity. Something you know Something you have Something you are

What is block encryption? What is cipher-block chaining?

Block encryption is a process of converting a plaintext block into an encryption block. It is a way of combining encrypted blocks. It is necessary because it eliminates block identity and uses the previous block as input while encrypting the next block.

What are the common locations of log files on Unix-based systems? What is the syslog service? What are syslog selectors? What are the parts of a syslog selector?

Common locations of logs files on Unix-based systems are /var/log/messages or /var/log/syslog. Syslog is a way for network devices to send event messages to a logging server. Syslog service is a process designed to handle messages for programs that are "syslog-aware". Syslog selectors are the way to use the syslog service. This is specified in a configuration file. It is composed by combining a selector coupled with an action. The two parts to the syslog selector are facility and priority.

What is compliance? List at least 2 of the laws with implications for information security professionals. What is the difference between compliance and security?

Compliance is sometimes referred to as regulatory compliance, involves following specifications put forth by policies of legal requirements. It is necessary to meet the policies set by the state, federal, or customer agreements set by them. Some policies that could be in place could be HIPPA, GLB, FERPA, or SOX. Compliance is more of a broad policy for standard for all company's and security is more fine tuned for the specific organization on how they should protect their data and what they want to do themselves.

What are deep packet inspection firewalls? What additional capabilities do they offer, compared to packet-filtering firewalls?

Deep packet inspection firewalls examine packet data, in addition to protocol headers. It compares against databases of known malicious payloads and identifies payloads that attempt to launch buffer overflow or other attacks.

What is encryption? What is confusion-diffusion paradigm of cryptography?

Encryption is the cryptographic transformation of data to produce ciphertext. Confusion-Diffusion paradigm is a good basis for secrecy systems. Confusion is making the relationship between the plaintext and ciphertext as complex as possible and diffusion is spreading the impact of a change in 1 bit of plaintext to all bits.

What are environment variables? What are built-in variables? How are they different from environment variables? What should the value of $? be if the last command that was executed completed successfully?

Environment Variables are variables created automatically on login or starting new terminal window. Environment variables can be used in shell scripts and commands just like regular variables Built-in variables provide a wide array of small functions. They can report the type of hardware the server is running and return the status of the last command issued. They are different from environment variables because they are already defined with useful values. The value of $? will be the return value of the successfully executed command.

What are firewalls? Write an example firewall rule and describe what the rule does.

Firewalls are hardware or software that prevents the dangers originating on one network from spreading to another network. They allow one network to connect to another network while maintaining some amount of protection. block in quick from 192.168.0.0/16 to any - Blocks incoming traffic from the IP address 192.168.0.0/16.

How do HIPAA (the Health Insurance Portability and Accountability Act) and Sarbanes-Oxley act relate to information security?

HIPAA relates to information security, because it enforces confidentiality in the medical field. Personal records including patient records and insurance documentation should be shared with those who are authorized. Sarbanes-Oxley Act correlates to information security by enforcing rules that maintain the integrity of financial statements. SOX forces CEO's and CFO's to sign off on every 10-K saying that every number in the financial statements are correct to the best of their knowledge and are liable for any discrepancies. Many changes were also made in the auditing field to implement stricter controls in organizations all the way from journal entries all the way to the Balance Sheet.

What is Identity Management? Briefly describe the phases of the Identity Management model.

Identity management is the processes of identifying individuals and collating all necessary data to grant or revoke privileges for these users to resources. Phase I is identity discovery, where all new and updated identities in the organization are located. Phase II is identity reconciliation, which is the process of comparing each discovered identity to a master record of all people in the organization. Phase III is identity enrichment, where data is collected on each individual's relationship in the organization.

What is information security? What is CIA-triad in information security context?

Information Security is defined as protecting information and information systems from unauthorized use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. Integrity is guarding against improper information modification and ensuring information authenticity. Confidentiality is protecting information from unauthorized access and protecting personal privacy. Availability is ensuring that information will always have timely and reliable access.

What are IDS/ IPS? Briefly describe signature-based IDSs, anomaly-based IDSs, and protocol-state-based IDSs.

Intrusion detection systems (IDS). Monitor IT systems for malicious activity or violations of usage policies. Intrusion prevention systems build on IDS and attempt to stop potential intrusions. IDS/IPS cannot be trusted to detect all malicious activity. Signatures-based IDS - Sequence of bytes that is known to be a part of malicious software. Anomalies-based IDS - Deviations between observed events and defined activity patterns. Protocol-state-based IDS - Compare observed events against defined activities for each protocol state.

What is log analysis? What is the goal of log analysis?

Log analysis is the process of making sense out of computer-generated records. Security administrators use logs during the analysis stage of an incident. Access to system logs is likely the first item a security admin will request as part of an investigation.

Provide a brief overview of the NIST 800-39 risk management framework. Draw a figure showing the components of the framework, and the relationships of these components to each other.

NIST 800-39 are recommendations for managing information security risk. The framework is composed of four parts, the risk frame, the risk assessment, risk response, and risk monitoring. The risk frame describes the environment in which risk-based decisions made. It breaks down various risk criteria to all members within the organization. The risk assessment identifies and aggregates the risks that face the organization. The risk response addresses how organizations respond to risks once they are determined. Risk monitoring evaluates the effectiveness of the organization's risk-management plan.

Provide a brief overview of the OCTAVE methodology developed by the SEI. How is it related to the NIST 800-39 and ISO 27000 standards?

OCTAVE stands for Operationally Critical Threat, Asset, Vulnerability Evaluation. The methodology is very similar to the risk assessment portion of NIST 800-39, and has three main phases: identifying critical assets and the threats to those assets, identifying the vulnerabilities, both organizational and technological that expose those threats, creating risk to the org, and developing a practiced-based protection strategy and risk mitigation plans to support the org's missions and priorities. As stated earlier, OCTAVE is very similar in its design to the risk assessment phase of NIST 800-39, where risks are identified by analyzing potential threats and vulnerabilities within the organization. OCTAVE, NIST 800-39, and the ISO 27000 series all provide steps of identifying threats and vulnerabilities in order to determine risks that the organization could face, then providing possible controls to the risks with monitoring in the near future to see if the solutions had been effective.

What is reactive monitoring? What is proactive testing? Provide some common reactive monitoring methods and some common proactive testing methods?

Reactive monitoring is detecting and analyzing failures after they have occurred. Common reactive methods include event logs, which should be set up to send alerts when unusual activity is noticed within the system. Proactive testing is the act of testing a system for issues before they arise. Examples of proactive monitoring are vulnerability scanners that access the systems and search for potential vulnerabilities. Another example is penetration testing, where "white collar" hackers attempt to break into the system, which will indicate weaknesses.

What is risk? What is risk management? What is IT risk management and how is it related to an organization's overall risk management?

Risk is a quantitative measure of the potential damage caused by a specific threat. Risk management is managing the impacts of unusual events. IT risk management is the risk associated with the use of information systems in an organization, and how evaluating information security.

Briefly describe the Morris Worm and the Gang of 414's and their impact on information security

Robert Morris, a graduate student at Cornell University, released a self-replicating program as an experiment to measure the size of the internet. As a design feature of the program, many systems it infected were brought down, and created the largest internet outage to date (about 10%). This program is considered the first computer worm. Morris was sentenced to probation and community service. Gang of 414's was a group of teenagers from Milwaukee that were able to gain access to computer systems that should not have been available to them, including high-profile systems like the Memorial Sloan-Kettering Cancer Center in New York. These "attacks" did no actual harm, but raised questions about how easily it could be for those who wanted to harm the systems to gain access if it was so easy for the kids. The coverage of this event brought the first mainstream use of the word "hacker."

Given the following ls -l output, what do you know about the ownership and access permissions for the accounting folder? How can you use the chmod command to give write permissions to all members of "accounting_grp" to the "accounting" folder? drwxr-xr--. 2 root accounting_grp 4096 Jan 28 19:07 accounting/

Root owns the file. It belongs to the user group accounting_grp. The user can read, write, and execute the folder. The user group can read and execute the directory, and the world/other users can read the directory. The command that can give write permissions to all members of accounting_grp could be chmod 774 accounting/

Describe secret key cryptography, public key cryptography, digital signatures, and hash functions.

Secret key cryptography uses the same key to encrypt and decrypt messages. Public key cryptography uses two keys. One is used for encryption and is widely distributed. A different key is used for decryption and it is kept confidential. Digital signatures are defined as cryptographic transformations of data that allow a recipient of the data to prove the source (non-repudiation) and integrity of the data. Hash functions transform input of arbitrary length into outputs of fixed length.

What is shell scripting and what is it used for? What is the important difference between scripting languages and other computer languages?

Shell scripting is an application constructed from multiple command lines and is used to accomplish tasks. They are used for automated processes that run in the shell processes through a Unix system from boot up to configure the user's shell environment. The important difference between them is that scripts don't have to be compiled into binary before runtime and that they are converted during runtime.

What is the IT asset lifecycle? What are the stages in the lifecycle?

The assets that you have, have life cycles and go through stages to minimize the likelihood of security issues arising in the asset. Planning stage: The biggest part of the life cycle as it is the best time to evaluate the organization's processes to try and leverage a new asset to help the company. It is a request for information stage on where you are and where you want to go. Acquiring stage: The prime concerns of this stage are associated with the viability of the vendor. Request for proposal is done at this stage, although the company doesn't care how they get done. Deploy stage: This stage happens when the asset is ready to be given to the employees. The main part of this stage is implementing the new service and getting rid of the old one. Manage stage: The managing stage is to make sure that when the asset is deployed that it doesn't introduce any new vulnerabilities into the new system. Retire stage: The retiring stage is when the asset is no longer contributing to the mission of the organization and will be removed from it. It can happen because it is obsolete or because it will create more profit.

What is the first line of every BASH script? What happens when the script file does not have execute permissions for the user attempting to run the script?

The first line is (#! bin/bash/) which tells the operating system which file should be sent to be used as processing. The user won't be able to run it.

What are the goals of incident analysis? What is containment? What is eradication?

The goal is to find the log files and look for backdoors, look for the port numbers and see if there are botnets, and see if stakeholders are in any restricted or essential assets. Containment is the act of preventing the expansion of harm. It is important because it keeps threats from compromising more data. Eradication is removing the causes of a detrimental event. There is no single way to eradicate the source of an attack, as they all are followed through differently.

Briefly describe the Information Security Model and define the components.

The information security model includes the core components of information security, shows the relationship of these components to each other, and excludes everything else. The model is a representation of the real world. Components Assets: As a resource or information that is to be protected. Vulnerabilities: Is a weakness in an information system that gives a threat the opportunity to compromise an asset. Threat: The capabilities, intentions and attack methods of adversaries to exploit or cause harm to assets. Controls: Security controls are safeguards used to minimize the impact of threats.

What is the top of a filesystem hierarchy called? How is it represented in UNIX systems? What is a path? Give the difference between a relative and absolute path?

The top filesystem is called the filesystem ROOT and is represented by a single slash (/). The location of a file or directory in the hierarchy is a path. Absolute path is paths that are the exact location of the file that is being referenced which includes each directory up to the root. The relative path is the given location of the file in relation to the current directory.

What are Threat Agents? What are the different types of threat agents?

Threat agent is the individual, organization, or group that originates a particular threat action. External agent, Internal agent, Partners

What is a threat? Describe a threat model.

Threats are capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets. The interactions between relevant agents, actions, and assets constitute the threat model facing an organization. Threat models can tell someone what you should protect and who should be protecting it and why someone would want it.

What are viruses and worms? What is the primary difference between them?

Viruses and worms are computer programs that adversely affect computers and propagate through the network without the user's consent. The difference between them is that virus uses other programs to spread, whereas the worm can propagate all by itself.

Briefly define the following: a. brute-force attack b. 0-day vulnerability c. cross-site scripting attack (XSS) d. threat shifting

a. A brute force attack is when a hacker tries to access the targets system by guessing the correct password. b. It is a threat developed by a threat agent before a solution to eliminate the vulnerability was found and made public. c. It is a common web-based attack in which it allows a malicious user to enter information with malicious content in it. d. Threat shifting is the response of hackers to controls, in which they change some characteristics of their target in order to overcome the safeguards.

Briefly describe the following in context of Information Security: a. Single point of failure b. Active Directory c. Domain Controller d. Group Policies

a. A part of a system whose failure will stop the entire system from working. b. An active directory is a collection of technologies that provide centralized user management and access control across all computers that are "members" of the domain. c. Definition: "The server that implements the active directory rules within a domain." More info: The domain controller maintains information on the user accounts, authenticates users on the domain based on the information, and authorized users based on the information. d. Group policy is an infrastructure that allows you to implement specific configurations for the users and computers.

Name at least one advantage and disadvantage to using: a. Shared Tokens b. CAS c. Shibboleth d. OpenID

a. Shared tokens allow you to use SSO for applications under the same domain, but not over different domains. Central Authentication Service (CAS) protocol is one of the leading open-source single sign-on technologies, especially in higher education. CAS is compatible with most programming languages available today, and does not contain the cryptographic hashes that make shared tokens difficult to implement. The problem is that while allowing returning users to not enter credentials for up to 2 hours after supplying them, this allows other users to gain access to his information if he does not properly log out of the system. c. Shibboleth allows users from different branches of an organization to reach a shared collection of resources (USF Tampa, USF St. Pete, USF Sarasota). The weakness with Shibboleth is that phishing attacks can be used to gain access to the resources, as well as the need for registration with the Federation. OpenID allows users to have a single sign-on and use the same credentials for other applications that are connected through the OpenID, such as using your Google credentials for American Airlines profile. The weakness is that you only have one password that needs to be compromised for other users to gain access to information from many different applications you use.

Describe the following vulnerabilities: a. lack of input validation b. Buffer-overflow c. unrestricted upload d. missing authorization

a. The input validation vulnerability refers to a situation where user input is used in the software without confirming its validity. b. The buffer overflow vulnerability refers to the situation where a program puts more data into a storage location than it can hold. c. The unrestricted uploads vulnerability occurs when files are accepted by software without verifying that the file follows strict specifications. d. The missing authorization vulnerability happens when a software program allows users access to privileged parts of the program without verifying the credentials of the user.

What are the following UNIXs command used for? a. Pwd b. Cd c. ls d. rm

a. The present working directory, it lets you know what directory you are currently located in b. Change directory, this command lets you change directories, either specifying a certain directory with its name, or using a - to go back to the previous directory, and cd with no other text to return to home. c. Ls lists the files of the current directory. d. rm allows you to delete files, as well as directories with -r