CTC 362 Quiz 1, Part 1
What is security?
"A state of being secure and free from danger or harm; the actions taken to make someone or something secure."
Using a methodology:
-Ensures a rigorous process with a clearly defined goal -Increases probability of success
SDLC waterfall consists of
-Investigation -Analysis -Logical Design -Physical Design -Implementation -Maintenance and Change
Initiated by upper management (Top-Down Approach)
-Issue policy, procedures, and processes -Dictate goals and expected outcomes of project -Determine accountability for each required action
Fundamental problems with ARPANET security were identified
-No safety procedures for dial-up connections to ARPANET -Nonexistent user identification and authorization to system
A successful organization should have multiple layers of security in place to protect which areas?
-Operations -Physical infrastructure -People -Functions -Communications -Information
Information system (IS) is the entire set of people, procedures, and technology that enable business to use information.
-Software -Hardware -Data -People -Procedures -Networks
Analysis consists of assessments of: (SDLC)
-The organization -Current systems -Capability to support proposed systems
The value of information comes from the characteristics it possesses:
Availability, Accuracy, Authenticity, Confidentiality, Integrity, Utility, Possession
Investigation begins
Begins with an enterprise information security policy (EISP), which outlines implementation of a security program within the organization. Organizational feasibility analysis is performed.
(SecSDLC) involves
It involves identifying specific threats and creating specific controls to counter them.
Maintenance and Change (SDLC)
Longest and most expensive phase. Consists of the tasks necessary to support and modify the system for the remainder of its useful life. Life cycle continues until the team determines the process should begin again from the investigation phase. When the current system can no longer support the organization's mission, a new project is implemented.
Early focus of computer security research centered on a system called
Multiplexed Information and Computing Service (MULTICS).
Implementation (SDLC)
Needed software is created. Components are ordered, received, and tested. Users are trained and supporting documentation created. Feasibility analysis is prepared. Sponsors are presented with the system for a performance review and acceptance test.
Seldom works, as it lacks a number of critical features: (Bottom-Up Approach)
Participant support and organizational staying power
The scope of computer security grew from physical security to include:
-Securing the data -Limiting random and unauthorized access to data -Involving personnel from multiple levels of the organization in information security
Physical Design (SDLC)
Specific technologies are selected to support the alternatives identified and evaluated in the logical design. Selected components are evaluated based on a make-or-buy decision. Feasibility analysis is performed. Entire solution is presented to organization's management for approval.
Grassroots effort (Bottom-Up Approach)
Systems administrators attempt to improve security of their systems.
Logical Design (SDLC)
The first and driving factor is the business need. Applications are selected to provide needed services. Data support and structures capable of providing the needed inputs are identified. Specific technologies are delineated to implement the physical solution. Analysts generate estimates of costs and benefits to allow comparison of available options. Feasibility analysis is performed at the end.
The Security Systems Development Life Cycle (SecSDLC)
The same phases used in traditional SDLC can be adapted to support implementation of an IS project.
A computer can be the subject of an attack and/or the object of an attack True/False
True
Groups developing code-breaking computations during World War II created the first modern computers. True/False
True
Impossible to obtain perfect information security—it is a process, not a goal. True/False
True
Several MULTICS key players created
UNIX
Investigation (SDLC)
What problem is the system being developed to solve? Objectives, constraints, and scope of project are specified. Preliminary cost-benefit analysis is developed. At the end of all phases, a process is undertaken to assess economic, technical, and behavioral feasibilities and ensure implementation is worth the time and effort.
Methodology:
a formal approach to solving a problem based on a structured sequence of procedures
The most successful type of top-down approach also involves
a formal development strategy referred to as the systems development life cycle.
Systems development life cycle (SDLC):
a methodology for the design and implementation of an information system
C.I.A. triangle is?
a standard based on 1) confidentiality, 2) integrity, and 3) availability, now viewed as inadequate. Expanded model consists of a list of critical characteristics of information.
To achieve balance, the level of security must allow reasonable
access, yet protect against threats.
Computer security began immediately
after the first mainframes were developed.
In the 1990s: In early Internet deployments, security was treated
as a low priority.
Growing threat of cyber attacks has increased the
awareness of the need for improved security. Nation-states are engaging in information warfare.
In the 1990s: Networks of computers became more
common, as did the need to connect them to each other.
Late 1970s: The microprocessor expanded
computing capabilities and security threats.
In the 1990s: Initially, network connections were based on
de facto standards.
Analysts determine what the new system is
expected to do and how it will interact with existing systems.
Analysis ends with documentation of
findings and an update of feasibility.
Mainframe, time-sharing OS was developed
in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT).
In 1993, the DEFCON conference was established for those
interested in information security.
Multics was the first
operating system created with security integrated into core functions.
Rudimentary is defending against
physical theft, espionage, and sabotage
Investigation Identifies
process, outcomes, goals, and constraints of the project
SecSDLC is a coherent
program rather than a series of random, seemingly unconnected actions.
Security should be considered a balance between
protection and availability.
Traditional SDLC consists of
six general phases.
Key advantage (Bottom-Up Approach)
technical expertise of individual administrators
Larry Roberts developed
the ARPANET from its inception.
Advanced Research Projects Agency (ARPA) began to examine
the feasibility of redundant networked communications
In the 1990s: The Internet became
the first global network of networks.
In the 2000s: The ability to secure a computer's data was influenced by
the security of every computer to which it is connected
In the 2000s: The Internet brings millions of
unsecured computer networks into continuous communication with each other.
Information security began
with Rand Report R-609 (paper that started the study of computer security and identified the role of management and policy issues in it).