Book Chapter 1 - Information Security


bottom-up approach

-A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems. -The key advantage of the bottom-up approach is the technical expertise of individual administrators. By working with information systems on a day-to-day basis, these administrators possess in-depth knowledge that can greatly enhance the development of an information security system. They know and understand the threats to their systems and the mechanisms needed to protect them successfully. Unfortunately, the bottom-up approach seldom works because it lacks critical features such as participant support and organizational staying power.

systems development life cycle (SDLC)

-A methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system. -The traditional SDLC approach consists of six general phases: Investigation, Analysis, Logical Design, Physical Design, Implementation, and Maintenance and Change. -At the end of each phase of the traditional SDLC comes a structured review or reality check, during which the team determines if the project should be continued, discontinued, outsourced, postponed, or returned to an earlier phase. This determination depends on whether the project is proceeding as expected and whether it needs additional expertise, organizational knowledge, or other resources.

top-down approach

-A methodology of establishing security policies and/or practices that is initiated by upper management. -The top-down approach has a higher probability of success. With this approach, the project is initiated by upper-level managers who issue policies, procedures, and processes; dictate the goals and expected outcomes; and determine accountability for each required action. -This approach has strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture. The most successful kind of top-down approach also involves a formal development strategy known as a systems development life cycle.

Access

-A subject or object's ability to use, manipulate, modify, or affect another subject or object. -Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.

Exploit:

-A technique used to compromise a system. This term can be a verb or a noun. -Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. -Exploits make use of existing software tools or custom-made software components.

Describe Physical Design - SDLC waterfall methodology

-During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision—the option to develop components in-house or purchase them from a vendor. -Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the organization's management for approval.

1984

-Grampp and Morris write "The UNIX System: UNIX Operating System Security." In this report, the authors examined four "important handles to computer security": physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security. -Reeds and Weinberger publish "File Security and the UNIX System Crypt Command." Their premise was: "No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users...the naive user has no chance."

Hardware - Describe as a Component of an Information System

-Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. -Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing

How has the term computer security evolved over time?

-In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. -This term later came to represent all actions taken to preserve computer systems from losses. -It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.

Describe Implementation - SDLC waterfall methodology

-In the implementation phase, any needed software is created. Components are ordered, received, and tested. -Afterward, users are trained and supporting documentation created. -Once all components are tested individually, they are installed and tested as a system. A feasibility analysis is again prepared, and the sponsors are then presented with the system for a performance review and acceptance test.

Describe Logical Design - SDLC waterfall methodology

-In the logical design phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. -In any systems solution, the first and driving factor must be the business need. Based on the business need, applications are selected to provide needed services, and then the team chooses data support and structures capable of providing the needed inputs. -Finally, based on all of this, specific technologies are delineated to implement the physical solution. The logical design, therefore, is the blueprint for the desired solution. The logical design is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. Instead, it addresses how the proposed system will solve the problem at hand. In this stage, analysts generate estimates of costs and benefits to allow for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.

data owners

-Individuals who control, and are therefore responsible for, the security and use of a particular set of information; data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it. -Members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

data custodians

-Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of information. -Working directly with data owners, data custodians are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. -The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

data users

-Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations. -Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

1968

-Maurice Wilkes discusses password security in Time-Sharing Computer Systems.

1979

-Morris and Thompson author "Password Security: A Case History," published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system. -Dennis Ritchie publishes "On the Security of UNIX" and "Protection of Data File Contents," which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.

Describe Maintenance and Change - SDLC waterfall methodology

-The maintenance and change phase is the longest and most expensive of the process. -This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until the team determines that the process should begin again from the investigation phase. At periodic points, the system is tested for compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and patches are managed. -As the needs of the organization change, the systems that support the organization must also change. The people who manage and support the systems must continually monitor their effectiveness in relation to the organization's environment. When a current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.

Explain the beginning of information security?

-The need for computer security arose during World War II, when the first mainframe computers were developed and used to aid the breaking of enemy communications encrypted by cryptographic devices such as the Enigma. -Earlier versions of the German Enigma machine were first broken by the Poles in the 1930s; the British and Americans managed to break the later, more complex versions during World War II. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. -Multiple levels of security were implemented to protect these devices and the missions they served. During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. -The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. -One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on a MOTD (message of the day) file while another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file.

Asset

-The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. -Assets, particularly information assets, are the focus of what security efforts are attempting to protect.

How did RAND Report R-609 (declassified in 1979) expand the scope of computer security?

-The scope of computer security expanded significantly from the safety of physical locations and hardware to include:
• Securing the data
• Limiting random and unauthorized access to that data
• Involving personnel from multiple levels of the organization in information security

What happened in the 2000's

-The security of each computer's stored information is contingent on the security level of every other computer to which it is connected. -The growing threat of cyberattacks has made governments and companies more aware of the need to defend the computerized control systems of utilities and other critical infrastructure. -The attack on the World Trade Center on September 11, 2001 resulted in major legislative changes related to computer security, specifically to facilitate law enforcement's ability to collect information about terrorism. These include the USA PATRIOT Act of 2001 and its follow-up laws: the USA PATRIOT Improvement and Reauthorization Act of 2005, the PATRIOT Sunsets Extension Act of 2011, and the USA FREEDOM Act of 2015.

Software - Describe as a Component of an Information System

-The software component of an IS includes applications (programs), operating systems, and assorted command utilities. -The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology (IT) industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In

Threat source:

A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent "hackers," as part of the threat source "acts of trespass or espionage," purposely threaten unprotected information systems, while threat agent "severe storms," as part of the threat source "acts of God/acts of nature," incidentally threaten buildings and their contents.

Exposure:

A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.

software assurance (SA)

A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.

Vulnerability:

A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

personally identifiable information (PII)

A set of information that could uniquely identify an individual.

Loss:

A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization's information is stolen, it has suffered a loss.

project team

A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

security

A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.

network security

A subset of communications security; the protection of voice and data networking components, connections, and content.

Security as a Social Science

A third view to consider is information security as a social science, which integrates components of art and science and adds another dimension to the discussion. Social science examines the behavior of people as they interact with systems, whether they are societal systems or, as in this context, information systems. Information security begins and ends with the people inside the organization and the people who interact with the system, intentionally or otherwise.

waterfall model

A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.

Threat event:

An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.

Threat:

Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. While the two terms are technically distinct, in order to simplify discussion, the text will continue to use the term threat to describe threat sources.

CNSS

Committee on National Security Systems

The three types of data ownership and their respective responsibilities are

Data owners, data custodians, and data users

Security as Science

Technology developed by computer scientists and engineers—which is designed for rigorous performance levels—makes information security a science as well as an art. Most scientists agree that specific conditions cause virtually all actions in computer systems. Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software. If the developers had sufficient time, they could resolve and eliminate all of these faults. The faults that remain are usually the result of technology malfunctioning for any of a thousand reasons. There are many sources of recognized and approved security methods and techniques that provide sound technical security advice. Best practices, standards of due care, and other tried-and-true methods can minimize the level of guesswork necessary to secure an organization's information and systems.

Security as Art

The administrators and technicians who implement security can be compared to a painter applying oils to canvas. A touch of color here, a brush stroke there, just enough to represent the image the artist wants to convey without overwhelming the viewer—or in security terms, without overly restricting user access. There are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While many manuals exist to support individual systems, no manual can help implement security throughout an entire interconnected system. This is especially true given the complex levels of interaction among users, policy, and technology controls.

Protection profile or security posture:

The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

Risk:

The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.

communications security

The protection of all communications media, technology, and content.

physical security

The protection of physical items, objects, or areas from unauthorized access and misuse.

Threat agent:

The specific instance or a component of a threat. For example, the threat source of "trespass or espionage" is a category of potential danger to information assets, while "external professional hacker" (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as "acts of God/acts of nature."

main difference between top-down and bottom-up approach

Upper management drives the top-down approach to security implementation, in contrast with the bottom-up approach or grassroots effort, in which individuals choose security implementation strategies.

The CNSS model of information security evolved from

a concept developed by the computer security industry called the C.I.A. triad.

Good software development should result in

a finished product that meets all of its design specifications. Information security considerations are a critical component of those specifications, though that has not always been true.

the C.I.A. triad must be protected at all times. This protection is implemented by

multiple measures that include policies, education, training and awareness, and technology.

The critical characteristics of information, includes

confidentiality, integrity, and availability (the C.I.A. triad)

DevOps and SecOps are

emerging accelerated development models that merge development and operational skills.

Information systems are made up of the major components of

hardware, software, data, people, procedures, and networks.

NIST

is the National Institute of Standards and Technology.

Once the system is implemented...

it is maintained and modified over the remainder of its working life. Any information systems implementation may have multiple iterations as the cycle is repeated over time. Only by constant examination and renewal can any system, especially an information security program, perform up to expectations in a constantly changing environment.

A successful organization should have multiple layers of security in place to protect its

operations, physical infrastructure, people, functions, communications, and information.

types of security

physical security, personal security, operations security, communications security, national security, and network security

Security is

protection from danger.

Information security evolved from

the early field of computer security.

The Committee on National Security Systems (CNSS) defines information security as

the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information

Information security is

the protection of information, and of the assets that use, store, or transmit it, through the application of policy, education, and technology.

information security

Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

Subjects and objects of attack:

-A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. -A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).

methodology

-A formal approach to solving a problem based on a structured sequence of procedures. -Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Once a methodology has been adopted, the key milestones are established and a team is selected and made accountable for accomplishing the project goals.

McCumber Cube

-A graphical representation of the architectural approach widely used in computer and information security; commonly shown as a cube composed of 3x3x3 cells, similar to a Rubik's Cube. -The model was created by John McCumber in 1991 and is now known as the McCumber Cube. -Its three axes are the security goals (confidentiality, integrity, availability), the states of information (storage, processing, transmission), and the measures used to protect it (technology, policy, education). When extrapolated, the three elements on each of the three axes become a 3x3x3 cube with 27 cells representing areas that must be addressed to secure today's information systems. To ensure comprehensive system security, each of the 27 areas must be properly addressed during the security process. -For example, the intersection of technology, integrity, and storage requires a set of controls or safeguards that address the need to use technology to protect the integrity of information while in storage. One such control might be a host intrusion detection system that protects the integrity of information by alerting security administrators to the potential modification of a critical file. A common omission from such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies.
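As an added example (not from the textbook or this page), the following Python script enumerates the 27 cells of the cube and checks a constructed, hypothetical control inventory against them, reporting the cells that no control addresses. The control names and their tags are assumptions made for the illustration; the coverage-by-measure summary is there to surface the policy and education gaps the text calls a common omission.

```python
from itertools import product

# The three axes of the McCumber Cube as the page describes them:
# security goals, states of information, and the measures used to protect it.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

# All 27 cells of the 3x3x3 cube, each a (goal, state, measure) triple.
ALL_CELLS = frozenset(product(GOALS, STATES, MEASURES))

# Constructed, hypothetical control inventory. Each control is tagged with the
# goals, states and measures it serves; one control may cover several cells.
SAMPLE_CONTROLS = [
    {"name": "host intrusion detection on file servers",
     "goals": ["integrity"], "states": ["storage"], "measures": ["technology"]},
    {"name": "TLS on all internal services",
     "goals": ["confidentiality", "integrity"], "states": ["transmission"],
     "measures": ["technology"]},
    {"name": "nightly backups with quarterly restore tests",
     "goals": ["availability"], "states": ["storage"], "measures": ["technology"]},
    {"name": "data classification policy",
     "goals": ["confidentiality"], "states": ["storage", "processing", "transmission"],
     "measures": ["policy"]},
    {"name": "phishing awareness training",
     "goals": ["confidentiality", "integrity"], "states": ["processing"],
     "measures": ["education"]},
]


def cells_for(control):
    """Return the set of cube cells one control addresses.

    Rejects tags outside the cube's vocabulary so that a typo such as
    "confidentialty" cannot silently count as coverage.
    """
    for axis, allowed in (("goals", GOALS), ("states", STATES), ("measures", MEASURES)):
        unknown = [value for value in control[axis] if value not in allowed]
        if unknown:
            raise ValueError(f"{control['name']!r}: unknown {axis} {unknown}")
    return set(product(control["goals"], control["states"], control["measures"]))


def covered_cells(controls):
    """Union of all cells addressed by an inventory of controls."""
    covered = set()
    for control in controls:
        covered |= cells_for(control)
    return covered


def uncovered_cells(controls):
    """Cells of the cube that no control in the inventory addresses, sorted."""
    return sorted(ALL_CELLS - covered_cells(controls))


def coverage_by_measure(controls):
    """Covered-cell count per measure axis (out of 9 each).

    Inventories that are rich in technology but thin on policy and education
    show up immediately here.
    """
    covered = covered_cells(controls)
    return {measure: sum(1 for cell in covered if cell[2] == measure)
            for measure in MEASURES}


if __name__ == "__main__":
    print("coverage by measure:", coverage_by_measure(SAMPLE_CONTROLS))
    for goal, state, measure in uncovered_cells(SAMPLE_CONTROLS):
        print(f"unaddressed: {measure} control for {goal} of information in {state}")
```

With the sample inventory, 9 of the 27 cells are covered and 18 are not; the per-measure summary shows four technology cells against three policy and two education cells, which is exactly the imbalance the text warns about. Run the script to list each unaddressed cell as a sentence a security planner can act on.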

community of interest and describe some outlined in this book

-A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. -Each organization develops and maintains its own unique culture and values. Within each organizational culture, there are communities of interest that develop and evolve. While an organization can have many different communities of interest, this book identifies the three that are most common and that have roles and responsibilities in information security. In theory, each role must complement the other, but this is often not the case in practice. -The three communities of interest identified in this book are: 1-Information Security Management and Professionals: The roles of information security professionals are aligned with the goals and mission of the information security community of interest. These job functions and organizational roles focus on protecting the organization's information systems and stored information from attacks. 2-Information Technology Management and Professionals: The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines has many of the same objectives as the information security community. However, its members focus more on costs of system creation and operation, ease of use for system users, and timeliness of system creation, as well as transaction response time. The goals of the IT community and the information security community are not always in complete alignment, and depending on the organizational structure, this may cause conflict. 3-Organizational Management and Professionals: The organization's general management team and the rest of the personnel in the organization make up the other major community of interest. 
This large group is almost always made up of subsets of other interests as well, including executive management, production management, human resources, accounting, and legal staff, to name just a few. The IT community often categorizes these groups as users of information technology systems, while the information security community categorizes them as security subjects. In fact, this community serves as the greatest reminder that all IT systems and information security objectives exist to further the objectives of the broad organizational community. The most efficient IT systems operated in the most secure fashion ever devised have no value if they are not useful to the organization as a whole.

What happened in the 1960s?

-During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. -In response to the need for a less cumbersome process to communicate, the Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information. In 1968, Dr. Larry Roberts developed the ARPANET. -ARPANET evolved into what we now know as the Internet, and Roberts became known as its founder.

What happened in the 70s and 80s

-Security that went beyond protecting the physical location of computing devices effectively began with a single paper published by the RAND Corporation in February 1970 for the Department of Defense. RAND Report R-609 attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system. The document was classified for almost ten years and is now considered to be the paper that started the study of computer security. -The report's origins lie in June 1967, when ARPA formed a task force to study the process of securing classified information systems. The task force was assembled in October 1967 and met regularly to formulate recommendations, which ultimately became the contents of RAND Report R-609. The document was declassified in 1979 and released as Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security-RAND Report R-609-1. The content of the two documents is identical with the exception of two transmittal memorandums. -RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide use of networking components in military information systems introduced security risks that could not be mitigated by the routine practices then used to secure these systems. -ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe (pictured in Figure 1-3) identified fundamental problems with ARPANET security. As one of the creators of Ethernet, a dominant local area networking protocol, he knew that individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorizations. -In 1978, Richard Bisbey and Dennis Hollingworth, two researchers in the Information Sciences Institute at the University of Southern California, published a study entitled "Protection Analysis: Final Report." It focused on a project undertaken by ARPA to understand and detect vulnerabilities in operating system security.

utility

-An attribute of information that describes how data has value or usefulness for an end purpose. -The utility of information is the quality or state of having value for some purpose or end. In other words, information has value when it can serve a purpose. If information is available but is not in a meaningful format to the end user, it is not useful. For example, U.S. Census data can quickly become overwhelming and difficult for a private citizen to interpret; however, for a politician, the same data reveals information about residents in a district, such as their race, gender, and age. This information can help form a politician's next campaign strategy.

availability

-An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. -Availability enables authorized users—people or computer systems—to access information without interference or obstruction and to receive it in the required format. -Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron's identification before the patron has free access to the book stacks. Once authorized patrons have access to the stacks, they expect to find the information they need in a usable format and familiar language. In this case, the information is bound in a book that is written in English.

accuracy

-An attribute of information that describes how data is free of errors and has the value that the user expects. -If the information has been intentionally or unintentionally modified, it is no longer accurate. -Consider a checking account, for example. You assume that the information in your account is an accurate representation of your finances. Incorrect information in the account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much money from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make other mistakes, such as bouncing a check.

authenticity

-An attribute of information that describes how data is genuine or original rather than reproduced or fabricated. -Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. -Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—you assume you know its origin. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today because the modified field often is the address of the originator. Spoofing the sender's address can fool e-mail recipients into thinking that the messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have.

confidentiality

-An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. -Confidentiality ensures that only users with the rights, privileges, and need to access information are able to do so. -When unauthorized individuals or systems view information, its confidentiality is breached. -To protect the confidentiality of information, you can use several measures, including the following:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users
-Confidentiality, like most characteristics of information, is interdependent with other characteristics and is closely related to the characteristic known as privacy. -As a consumer, you give up pieces of personal information in exchange for convenience or value almost daily. By using a "members" card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. When you sign up for a free magazine, Web resource, or free software application, you provide personally identifiable information (PII). The bits and pieces of personal information you disclose may be copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of you and your life.

Data - Describe as a Component of an Information System

-Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks. -Systems developed in recent years are likely to make use of database management systems. When used properly, they should improve the security of the data and the applications that rely on the data. Unfortunately, many system development projects do not make full use of the database management system's security capabilities, and in some cases the database is implemented in ways that make it less secure than a traditional file system. Because data and information exist in physical form in many organizations as paper reports, handwritten notes, and computer printouts, the protection of physical information is as important as the protection of electronic, computer-based information.

integrity

-An attribute of information that describes how data is whole, complete, and uncorrupted. -The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. -Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity, as shown by the file size. Another key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the bit values in the file to compute a single large number called a hash value. The hash value for any combination of bits is unique. -If a computer system performs the same hashing algorithm on a file and obtains a different number than the file's recorded hash value, the file has been compromised and the integrity of the information is lost. Information integrity is the cornerstone of information systems because information is of no value or use if users cannot verify its integrity. -File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted.

possession

-An attribute of information that describes how the data's ownership or control is legitimate or authorized. -The possession of information is the quality or state of ownership or control. Information is said to be in one's possession if one obtains it, independent of format or other characteristics. -While a breach of confidentiality always results in a breach of possession, a breach of possession does not always lead to a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups and sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the former employee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality. -Today, people who are caught selling company secrets face increasingly stiff fines and a strong likelihood of jail time. Also, companies are growing more reluctant to hire people who have demonstrated dishonesty in their past. -Another example might be that of a ransomware attack in which a hacker encrypts important information and offers to provide the decryption key for a fee. The attack would result in a breach of possession because the owner would no longer have possession of the information.

chief information officer (CIO)

-An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information. -The CIO is primarily responsible for advising the chief executive officer, president, or company owner on strategic planning that affects the management of information in the organization. The CIO translates the strategic plans of the organization as a whole into strategic information plans for the information systems or data processing division of the organization. Once this is accomplished, CIOs work with subordinate managers to develop tactical and operational plans for the division and to enable planning and management of the systems that support the organization.

Attack

-An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. -Attacks can be active or passive, intentional or unintentional, and direct or indirect. -Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. -A hacker attempting to break into an information system is an intentional attack. -A lightning strike that causes a building fire is an unintentional attack. -A direct attack is perpetrated by a hacker using a PC to break into a system. -An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker's choosing, can operate autonomously or under the attacker's direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. -Direct attacks originate from the threat itself. -Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

What is ARPANET? When? Who founded it?

-As part of the Department of Defense's Advanced Research Projects Agency (ARPA), Dr. Larry Roberts developed the ARPANET in 1968. -It was a tool for sharing Defense Department information. -ARPANET evolved into what we now know as the Internet, and Roberts became known as its founder.

What happened in the 1990s?

-At the close of the 20th century, networks of computers became more common, as did the need to connect them to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). -After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses. -Since its inception as ARPANET, a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards because industry standards for interconnected networks did not exist. These de facto standards did little to ensure the security of information, though some degree of security was introduced as precursor technologies were widely adopted and became industry standards. -Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats. -In 1993, the first DEFCON conference was held in Las Vegas. Originally it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials. A compelling topic was the involvement of hackers in creating an interesting venue for the exchange of information between two adversarial groups—the "white hats" of law enforcement and security professionals and the "black hats" of hackers and computer criminals.
-In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations. Antivirus products became extremely popular, and information security began to emerge as an independent discipline.

1978

-Bisbey and Hollingworth publish their study "Protection Analysis: Final Report," which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.

Describe MULTICS and its impact

-Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT). -In 1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. Not until the early 1970s did even the simplest component of security, the password function, become a component of UNIX. -In the late 1970s, the microprocessor brought the personal computer (PC) and a new age of computing. The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—the interconnecting of PCs and mainframe computers, which enabled the entire computing community to make all its resources work together. -In the early 1980s, TCP (the Transmission Control Protocol) and IP (the Internet Protocol) were developed and became the primary protocols for the ARPANET, eventually becoming the protocols we use on the Internet to this day. Also during this time frame, DNS, the hierarchical Domain Name System, was developed. The first dial-up Internet service provider (ISP)—The World, operated by Standard Tool & Die—came online, allowing home users to access the Internet. 
Prior to that, vendors like CompuServe, GEnie, Prodigy, and Delphi had provided dial-up access for online computer services, while independent Bulletin Board Systems (BBSs) became popular for sharing information among their subscribers. -In the mid-1980s, the U.S. Government passed several key pieces of legislation that formalized the recognition of computer security as a critical issue for federal information systems. The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of 1987 defined computer security and specified responsibilities and associated penalties. In 1988, the Defense Advanced Research Projects Agency (DARPA) within the Department of Defense created the Computer Emergency Response Team (CERT) to address network security.

NIST has adopted a simplified SDLC for their approach, based on

-NIST has adopted a simplified SDLC for their approach, based on five phases: initiation, development/acquisition, implementation/assessment, operation/maintenance, and disposal. -Each phase of the SDLC should include consideration for the security of the system being assembled as well as the information it uses.

Procedures - Describe as a Component of an Information System

-Procedures are written instructions for accomplishing a specific task. -When an unauthorized user obtains an organization's procedures, it poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center's procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), the bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of more than $10 million before the situation was corrected. -Most organizations distribute procedures to employees so they can access the information system, but many of these companies often fail to provide proper education for using the procedures safely. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of an organization on a need-to-know basis.

1992

-Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.

1973

-Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.

Control

-Synonyms: control, safeguard, or countermeasure. -Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.

1975

-The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.

1982

-The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.

Describe Analysis - SDLC waterfall methodology

-The analysis phase begins with the information gained during the investigation phase. -This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. Analysts begin by determining what the new system is expected to do and how it will interact with existing systems. -This phase ends with documentation of the findings and an update of the feasibility analysis.

information system (IS)

-The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization. -The six critical components of hardware, software, networks, people, procedures, and data enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the IS also has its own security requirements.

C.I.A. triad

-The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability. -The C.I.A. triad has been the standard for computer security in both industry and government since the development of the mainframe. -The security of the three characteristics stated is as important today as it has always been, but the C.I.A. triad model is generally viewed as no longer adequate in addressing the constantly changing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuses from human or nonhuman threats. This vast array of constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information.

When organizations need to develop systems in-house, they can choose from a variety of approaches that have emerged over time. Explain

-The traditional approach to software development has given rise to a number of variations, including RAD, JAD, Agile, and one of the newest approaches, DevOps. -Whereas in early development projects, systems owners and software developers would collaborate to define specifications and create systems, an approach known as joint application development (JAD) added members of the management team from the supported business unit and in some cases, future users of the systems being created. -Another innovation that often occurred with the JAD approach was to increase the speed at which requirements were collected and software was prototyped, thus allowing more iterations in the design process—an approach called rapid application development (RAD). This type of development later evolved into a combined approach known as the spiral method, in which each stage of development was completed in smaller increments, with delivery of working software components occurring more frequently and the software under development coming closer to its intended finished state with each pass through the development process. -Taking the objectives of JAD and RAD even further is the collective approach to systems development known as agile or extreme programming (XP), including aspects of systems development known as Kanban and scrum. As the need to reduce the time taken in the systems development cycle from gathering requirements to testing software continued to evolve, even faster feedback cycles were required to reduce time to market and shorten feature rollout times. When coupled with a need to better integrate the effort of the development team and the operations team to improve the functionality and security of applications, another model known as DevOps has begun to emerge. 
DevOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles. By collaborating across the entire software/service lifecycle, DevOps uses a continuous development model that relies on systems thinking, short feedback loops, and continuous experimentation and learning. -An emerging development has been called SecOps by some. This is a process of using the DevOps methodologies of an integrated development and operations approach that is applied to the specification, creation, and implementation of security control systems.

People - Describe as a Component of an Information System

-Though often overlooked in computer security considerations, people have always been a threat to information security. -Unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. -Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate people to obtain access information about a system.

chief information security officer (CISO)

-Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO. -Has primary responsibility for the assessment, management, and implementation of information security in the organization. -The CISO may also be referred to as the manager for IT security, the security administrator, or by a similar title. The CISO usually reports directly to the CIO, although in larger organizations, one or more layers of management might exist between the two. However, the recommendations of the CISO to the CIO must be given equal if not greater priority than other technology and information-related proposals.

Describe Investigation - SDLC waterfall methodology

-What problem is the system being developed to solve? -The investigation phase begins by examining the event or plan that initiates the process. -During this phase, the objectives, constraints, and scope of the project are specified. -A preliminary cost-benefit analysis evaluates the perceived benefits and their appropriate levels of cost. At the conclusion of this phase and at every phase afterward, a process will be undertaken to assess economic, technical, and behavioral feasibilities and ensure that implementation is worth the organization's time and effort.

Networks - Describe as a Component of an Information System

-When information systems are connected to each other to form LANs, and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. -Applying the traditional tools of physical security, such as locks and keys, to restrict access to the system's hardware components is still important. However, when computer systems are networked, this approach is no longer enough. Steps to provide network security such as installing and configuring firewalls are essential, as is implementing intrusion detection systems to make system owners aware of ongoing compromises.

1970

-Willis H. Ware authors the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security-RAND Report R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.

What's a common belief in enterprise information security?

-that enterprise information security is a "critical business capability that needs to be aligned with corporate expectations and culture that provides the leadership and insight to identify risks and implement effective controls." -aligning information security needs with business objectives must be the top priority.

PII

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

Members of the security project team fill the following roles:

• Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
• Team leader: A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.
• Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
• Systems administrators: People with the primary responsibility for administering systems that house the information used by the organization.
• End users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard.
