Cyber 3100 Principles of Info Security Chapter 1

Threat Source

A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent"hackers,"as part of the threat source"acts of trespass or espionage,"purposely threaten unprotected information systems, while threat agent"severe storms,"as part of the threat source"acts of God/acts of nature,"incidentally threaten buildings and their contents.

subject and object

A computer can also be both the ____________ and ____________ of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems(subject ).

Subject

A computer can be either the ____________ of an attack—an agent entity used to conduct the attack

Exposure

A condition or state of being exposed; in information security, ____________ exists when a vulnerability is known to an attacker.

Community of Interest

A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

intentional attack

A hacker attempting to break into an information system is an ____________ ____________.

unintentional attack

A lightning strike that causes a building fire is an ____________ ____________.

bottom-up approach

A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.

Software Assurance (SA)

A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.

Systems development life cycle (SDLC):

A methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally, the phases address the investigation, analysis, design, implementation, and maintenance of an information system.

Indirect attack

An ____________ ____________ is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker's choosing, can operate autonomously or under the attacker's direct control to attack systems and steal user information or conduct distributed denial-of-service attacks.

utility

An attribute of information that describes how data has value or usefulness for an end purpose.

Availability

An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

Accuracy

An attribute of information that describes how data is free of errors and has the value that the user expects.

Authenticity

An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.

Confidentiality

An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.

integrity

An attribute of information that describes how data is whole, complete, and uncorrupted.

possession

An attribute of information that describes how the data's ownership or control is legitimate or authorized.

chief information officer (CIO)

An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.

Attack

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. ____________s can be active or passive, intentional or unintentional, and direct or indirect. Direct attacks originate from the threat itself.

Threat event

An occurrence of an event caused by a threat agent. An example of athreat event might be damage caused by a storm. This term is commonly used inter-changeably with the termattack.

Threat

Any event or circumstance that has the potential to adversely affect operations and assets. The term ____________ source is commonly used interchangeably with the more generic term ____________ . While the two terms are technically distinct, in order to simplify the discussion, the text will continue to use the term ____________ to describe ____________ sources.

Enigma

German code making machine

DEFCON conference

In 1993, ____________ was established for those interested in information security

Computer Security

In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.

data owners

Individuals who control, and are therefore responsible for, the security and use of a particular set of information; data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it.

data custodians

Individuals who work directly with data owners and are responsible for storage,maintenance, and protection of information.

Top-down approach

Initiated by upper management-Issue policy, procedures, and processes-Dictate goals and expected outcomes of project-Determine accountability for each required action

data users

Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.

Robert M. Metcalfe

Internet pioneer Found fundamental problems with APRANET

Microprocessor

Late 1970s: The _____________ expanded computing capabilities and security threats

Rand Report R-609

Paper report that started the study of computer security. First widely recognized published document to identify the role of management and policy issues in computer security

Information Security

Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

Control, safeguard, or countermeasure

Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following chapters.

Passive attack

Someone who casually reads sensitive information not intended for his or her use is committing a ____________ ____________.

Secure Software Assurance (SwA) Common Body of Knowledge (CBK)

SwA CBK serves as a strongly recommended guide to developing more secure applications

Object

The ____________ of an attack: the target entity

communications security

The protection of all communications media, technology, and content.

Physical Security

The scope of computer security grew from ___________ .The protection of physical items, objects, or areas from unauthorized access andmisuse.

MULTICS

_____ was the first operating system to integrate security as its core functions.

Indirect attacks

____________ ____________ originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

Information system (IS)

________________ is the entire set of people, procedures, and technology that enable business to use information.

Methodology

a formal approach to solving a problem based on a structured sequence of procedures

UNIX

everal MULTICS key players created ________.

NIST Special Publication 800-64, rev. 2

maintains that early integration of security in the SDLC enables agencies to maximize return on investment

When it is the _____________ of an attack, the computer is the entity being attacked

object

McCumber Cube

provides a graphical representation of the architectural approach widely used in computer and information security. Confidentaility-Integrity-Availibilty x Storage-Processing-Transmission

When it is the ______ of an attack, the computer is used as an active tool to conduct attack.

subject

Mainframe

time-sharing operating system was developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT)

Direct Attack

A ____________ ____________ is perpetrated by a hacker using a PC to break into a system.

Advanced Research Projects Agency Network (ARPANET)

(1960's) Began to examine the feasibility of redundant networked communications

Larry Roberts

(1960's) The father of the ARPANET

Vulnerability

A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined,documented, and published; others remain latent (or undiscovered).Critical Characteristics of Information

personally identifiable information (PII)

A set of information that could uniquely identify an individual.

Loss

A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization's information is stolen, it has suffered a ____________ .

project team

A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

Security

A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.

Access

A subject or object's ability to use, manipulate, modify, or affect another sub-ject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.

Network Security

A subset of communications security; the protection of voice and data networking components, connections, and content.

Exploit

A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to ____________ a system or other information asset by using it illegally for their personal gain. Or, an ____________ can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. ____________ make use of existing software tools or custom-made software components.

Waterfall Model

A type of SDLC in which each phase of the process"flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.

Protection profile or security posture

The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

CIA Triad

The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

Asset

The organizational resource that is being protected. An ____________can be logical, such as a Web site, software information, or data; or an ____________can be physical, such as a person, computer system, hardware, or other tangible object. ____________, particularly information ____________, are the focus of what security efforts are attempting to protect.

Risk

The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize ____________ to match their ____________ appetite—the quantity and nature of ____________ they are willing to accept.

Threat agent

The specific instance or a component of a threat. For example, the threat source of"trespass or espionage" is a category of potential danger to information assets, while"external professional hacker"(like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific ____________ ____________ . A lightning strike, hailstorm, or tornado is a ____________ ____________ that is part of the threat source known as"acts of God/acts of nature."

Richard Bisbey and Dennis Hollingswoth

Two researchers in the Information Sciences Institute at the University of Southern California published a study entitled"Protection Analysis: Final Report."It focused on a project undertaken by ARPA to understand and detect vulnerabilities

chief information security officer (CISO)

Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.