Chapter 1 - Review Questions

What was important about RAND Report R-609?

- 1st widely recognized published document to identify the role of management policy issues in computer security. It attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system.

What are the components of the CIA triad used for?

These three components are frequently used to conveniently articulate the objectives of a security program that must be used in harmony to assure an information system is secure and usable.

What are the three components of the CIA triad?

Confidentiality - Assurance that the information is shared only among authorized persons or organizations. Integrity - Assurance that the information is complete and uncorrupted Availability - Assurance that the information systems and the necessary data are available for use when they are needed).

How has computer security evolved into modern information security?

Early definition - The need to secure the physical location of computer technlogy from outside threats. ^ Later includes - All actions taken to preserve computer systems from losses. Current defintion - Information security viewed as the scope of protecting information in an organization

If the CIA triad is incomplete, why is it so commonly used in security?

It addresses the fundamental concerns of information: confidentiality, integrity, and availability. It is still used because it addresses all of the major concerns with the vulnerability of information systems.

What system is the precessor of almost all modern multiuser systems?

MULTICS

What is the relationship between the MULTICS project and the early development of computer security?

MULTICS, Multiplexed Information and Computing Service, was the first operating system created with security as its primary goal. It was a mainframe, time-sharing operating system developed through a partnership between GE, Bell Labs and MIT. Much of the early focus for research on computer security was centered on this system.

Why is methodology important in the implemntation of information security? How does a methodology improve the process?

Methodology ensures the strict/ perfectly defined process and it increases the likelihood of success. It improves the process because it unifies the process of identifying specific threats and the creation of specific controls to counter those threats into a coherent program.

What type of security was dominant in the early years of computing?

Physical protection/security

Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?

6 components are: - People: They would be impacted most by the study of computer security. People can be the weakest link in an organization's information security program. And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate the actions of people to obtain access information about a system. - Procedures: Written instructions for accomplishing a specific task, could be another component, which will be impacted. - Networks: The IS component that created much fo the need for increased computer and information security. Steps to provide network security such as installing and configuring firewalls are essential as is implementing intrusion detection systems to make system owners aware of ongoing compromises - Data: Stored, processed, and transmitted by a computer system must be protected. The most valuable asset to an organization and is consequently the main target of intentional attacks. - Hardware: The physical technology that houses and executes the software, stores and transports, the data, and provides interfaces for the entry and removal of information from the system. -Software: Includes applications (programs), operationg systems, and assorted command utilites. Is probably the most difficult component to secure.

Who should lead a securit team? Should the approach to security be more mangerial or technical?

A project manager, who may be a departmental line manager or staff unit manager, would lead a security team. Typically, that person would understand project management, personnel management, and information security technical requirements. The approach to security should be more managerial than technical, although, the technical ability of the resources actually performing the day-to-day activities is critical. The top-down approach to security implementation is by far the best. It has strong upper management support, a dedicated champion, dedicated funding, clear planning and the opportunity to influence organizational culture.

Describe the critcal characteristics of information. How are they used in the study of computer security?

Availability - enables authorized users to access information without interference or obstruction and to receive it in the rueqired format. Accuracy - data taht is free of errors and has the value that the users expects Authenticity - Information is the quality or state of being genuine or orignal, rather than a reproduction or fabrication. Information is authentic when it is in the same state in whic it was created, placed, and stored, or transferred. Confidentiality - Data is proctected from disclousre or exposure to unauthroized individuals or systems Integrity - Information is whole, complete, and uncorrupted. It is threatened when exposed to corruption, damage, destruction, or other disruptions of its authentic state Utility - Information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose. i.e. if it isn't in a meaningful format to the end user, it is not useful Possession - Information is the quality or state of ownership or control that is legitimate or authorized

Which members of an organization are involved in the SDLC? Who leads the process?

DLC is a methodology/cycle for executing an information system. This method consists of6 steps to guarantee a high success rate through a systematic method. The six steps areformed by the waterfall model, that is, the results and information from the previous step.(Investigation, analysis, logical design, physical design, implementation, maintenance andchange.) At the end, the completed plan with continuous improvement and inspection is reported tothe CEO, and the CEOs decide whether to implement or suspend the plan.In this sense of view, a CEO with a higher level of authority than the team made up for theplan could have a leading power in this cycle

How can the practice of information secuirty be described as both an art and a science? How does the view of security as a social sceince influence its practice?

Information security is an art because each situation in which a security system is needed is different. When constructing or reconfiguring an information security system you must take into consideration business needs for security requirements and availability requirements in order to construct a unique system that is tailored to the situation at hand. Information security is a science because it deals with various performance levels. Specific conditions cause virtually all actions in computer systems. Information security as a social science takes into consideration users and their experience.

How is infrastructure protection related to information security?

Information security is the protection of information and its critical elements, including the systems and hardware that are used, stored and transmitted. So, that makes the security of utility services a critical element in formation systems

Which paper is the foundation of all subsequent studies of computer security?

RAND Report R-609

Who is ultimately responsible for the securty of information in the organization?

The Chief Information Security Officer (CISO) is primarily responsible for the assessment, management, and implementation of information security in the organization. The CISO usually reports directly to the CIO, although in larger organizations it is not uncommon for one or more layers of management to exist between the two. However, the recommendations of the CISO to the CIO must be given equal, if not greater, priority than other technology and information-related proposals.

Why is the top-down approach to information security superior to the bottom-up approach?

The bottom-up approach is a method of establishing security policies that begins as agrassroots effort in which systems administrators attempt to improve the security of theirsystems. Unfortunately, the bottom-up approach seldom works because it lacks critical features such as participant support and organizational staying power. Unlike bottom-upapproach, the top down approach has a higher probability of success. It is a methodology of establishing security policies that is initiated by upper management who issue policies,procedures, and process. Strong upper management support, a dedicated champion usuallydedicated funding, a clear planning and implementation process and the means of influencing organizational culture are the components that make this strategy better than bottom-up approach.

Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?

The three types of data ownership and their respective responsibilities are: - Data owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification (discussed later) associated with the data, as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data. - Data custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. - Data users: End users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

What is the difference between a threat agent and a threat?

Threat - Any event or circumstance that has the potential to adversly affect operations and assets Threat Agent - The specific instance or compnonent of a threat. Example: Acts of God/nature or "external professional hacker"

What is the difference between vulnerability and exposure?

Vulnerability - A potential weakness in an asset or its dfensive control system(s). Example: flaw in software package or an unlocked door Exposure - Exists when a vulnerability is known to an attacker