Information security test 1


Critical characteristics of information

Confidentiality, integrity, and availability (the C.I.A. triangle) must be protected at all times.

Key U.S. Federal Agencies

- Department of Homeland Security (DHS)
- Federal Bureau of Investigation's National InfraGard Program
- National Security Agency (NSA)
- U.S. Secret Service

Security policy developers:

Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.

Why is a methodology important in the implementation of information security? How does a methodology improve the process?

It provides a formal approach to problem solving based on a structured sequence of procedures:
- Ensures a rigorous process
- Increases probability of success

The ISO 27000 Series

- One of the most widely referenced and often discussed security models
- Framework for information security that states organizational security policy is needed to provide management direction and support
- Purpose is to give recommendations for information security management
- Provides a common basis for developing organizational security

Risk assessment specialists:

People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

Systems administrators:

People with the primary responsibility for administering the systems that house the information used by the organization.

maintenance and change

- Perhaps the most important phase, given the ever-changing threat environment
- Often, repairing damage and restoring information is a constant duel with an unseen adversary
- Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Top-down Approach to Security Implementation

The project is initiated by upper management who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions.

Deterrence:

best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls

Policies:

- Body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
- Function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
- Ignorance of policy is an acceptable defense

Analysis

- Documents from the investigation phase are studied
- Analysis of existing security policies or programs, along with documented current threats and associated controls
- Includes analysis of relevant legal issues that could impact the design of the security solution
- The risk management task (identifying, assessing, and evaluating the levels of risk facing the organization) also begins in this stage

critical features of top-down approach

has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture.

investigation

Identifies the process, outcomes, goals, and constraints of the project. Begins with the enterprise information security policy, and an organizational feasibility analysis is performed.

Three general causes of unethical and illegal behavior

ignorance, accident, intent

Systems Development Life Cycle (SDLC) six general phases

investigation, analysis, logical design, physical design, implementation, and maintenance and change.

the National Security Agency (NSA)

Is "the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information." Is responsible for signals intelligence and information system security.

attack

is a deliberate act that takes advantage of a vulnerability to compromise a controlled system.

What is information security governance?

Is a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

The Digital Millennium Copyright Act (DMCA)

is the U.S. version of an international effort to reduce the impact of copyright, trademark, and privacy infringement especially through the removal of technological copyright protection measures. The European Union also put forward Directive 95/46/EC that increases protection of individuals with regard to the processing of personal data and the free movement of such data. The United Kingdom has already implemented a version of this directive called the Database Right.

framework

is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined

The key advantage of the bottom-up approach

is the technical expertise of the individual administrators.

Security and Access Balancing

- It is impossible to obtain perfect security
- Security is not an absolute; it is a process, not a goal
- Security should be considered a balance between protection and availability

USA PATRIOT Improvement and Reauthorization Act:

made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity

Due diligence:

Making a valid effort to protect others; continually maintaining that level of effort

Systems Development Life Cycle (SDLC):

- Methodology for the design and implementation of an information system within an organization
- Methodology: formal approach to problem solving based on a structured sequence of procedures
- Using a methodology ensures a rigorous process and increases the probability of success
- Traditional SDLC consists of six general phases

Computer Security Act of 1987:

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

bottom-up approach lacks a number of critical features

participant support and organizational staying power.

What type of security was dominant in the early years of computing?

physical security and simple document classification schemes.

Measures to protect information

policies, education training and awareness, and technology

How can a security framework assist in the design and implementation of a security infrastructure?

Provides an outline of the steps that need to be taken in order to effectively implement security within an organization.

Freedom of Information Act of 1966 (FOIA)

provides any person with the right to request access to federal agency records or information not determined to be a matter of national security. U.S. government agencies are required to disclose any requested information on receipt of a written request. There are exceptions for information that is protected from disclosure, and the act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.

USA PATRIOT Act of 2001:

provides law enforcement agencies with broader latitude in order to combat terrorism-related activities

data custodians

responsible for the storage, maintenance, and protection of the information

The scope of computer security grew from physical security to include

safety of data, limiting unauthorized access to data, involvement of personnel from multiple levels of an organization

to achieve balance

the level of security must allow reasonable access yet protection against threats

Key U.S. laws protecting privacy include

Federal Privacy Act of 1974, the Electronic Communications Privacy Act of 1986, and the Health Insurance Portability and Accountability Act of 1996.

Communities in information security

general management, IT management, and security management.

Security professionals:

Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.

The Design of Security Architecture

- Defense in Depth: One of the foundations of security architectures is the requirement to implement security in layers. Defense in depth requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls.
- Security Perimeter: The point at which an organization's security protection ends and the outside world begins is referred to as the security perimeter. Unfortunately, the perimeter does not apply to internal attacks from employee threats or on-site physical threats.

Privacy US Regulations

- Privacy of Customer Information Section of the common carrier regulation
- Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
- Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Threats or dangers facing an organization's people, information, and systems fall into the following fourteen general categories:

- Compromises to intellectual property
- Deliberate software attacks
- Deviations in quality of service
- Espionage or trespass
- Forces of nature
- Human error or failure
- Information extortion
- Missing, inadequate, or incomplete organizational policy or planning
- Missing, inadequate, or incomplete controls
- Sabotage or vandalism
- Theft
- Technical hardware failures or errors
- Technical software failures or errors
- Technological obsolescence

To minimize liabilities/reduce risks, the information security practitioner must:

- Understand the current legal environment
- Stay current with laws and regulations
- Watch for new issues that emerge

Systems-specific policies fall into two groups

1) Access control lists (ACLs): consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system.
2) Configuration rules: comprise the specific configuration codes entered into security systems to guide the execution of the system.

Security Project Team

A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
- Champion
- Team leader
- Security policy developers
- Risk assessment specialists
- Security professionals
- Systems administrators
- End users

Sarbanes-Oxley Act of 2002

- Affects executive management of publicly traded corporations and public accounting firms
- Seeks to improve reliability and accuracy of financial reporting and increase the accountability of corporate governance
- Penalties for noncompliance range from fines to jail terms
- Reliability assurance will require additional emphasis on confidentiality and integrity

EISP Elements

- An overview of the corporate philosophy on security
- Information on the structure of the information security organization and individuals who fulfill the information security role
- Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated responsibilities for security that are unique to each role within the organization

Software Development Security Problems

- Buffer overruns
- Command injection
- Cross-site scripting
- Failure to handle errors
- Failure to protect network traffic
- Failure to store and protect data securely
- Failure to use cryptographically strong random numbers
- Format string problems
- Neglecting change control
- Improper file access
- Improper use of SSL
- Information leakage
- Integer bugs (overflows/underflows)
- Race conditions
- SQL injection

Three approaches when creating and managing Issue Specific Security Policy

- Create a number of independent ISSP documents
- Create a single comprehensive ISSP document
- Create a modular ISSP document

Criteria for policy enforcement:

- Dissemination (distribution)
- Review (reading)
- Comprehension (understanding)
- Compliance (agreement)
- Uniform enforcement

Export and Espionage Laws

- Economic Espionage Act of 1996 (EEA)
- Security And Freedom Through Encryption Act of 1999 (SAFE)
The acts include provisions about encryption that:
- Reinforce the right to use or sell encryption algorithms, without concern of key registration
- Prohibit the federal government from requiring it
- Make it not probable cause in criminal activity
- Relax export restrictions
- Add penalties for using it in a crime

Enterprise Information Security Policy (EISP)

- Ensures the requirements to establish the program are met and responsibilities are assigned therein to various organizational components
- Use of specified penalties and disciplinary action

Bottom-up approach to information security

Grassroots effort: systems administrators attempt to improve security of their systems.

Dedicated recovery site options

- Hot sites: fully operational sites
- Warm sites: fully operational hardware, but software may not be present
- Cold sites: rudimentary services and facilities

Continuity Strategies

Incident response plans (IRPs); disaster recovery plans (DRPs); business continuity plans (BCPs). Primary functions of the above plans:
- IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP
- DRP typically focuses on restoring systems after disasters occur; as such, it is closely associated with the BCP
- BCP occurs concurrently with the DRP when damage is major or long term, requiring more than simple restoration of information and information resources

To remain viable, security policies must have:

- Individual responsible for the policy (policy administrator)
- A schedule of reviews
- Method for making recommendations for reviews
- Specific policy issuance and revision date
- Automated policy management

Security Training

- Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
- Management of information security can develop customized in-house training or outsource the training program
- Alternatives to formal training include conferences and programs offered through professional organizations

Information security

Is the protection of information assets that use, store, or transmit information from risk through the application of policy, education, and technology.

Organizational Security Infrastructure objectives:

- Manage information security within the company
- Maintain the security of organizational information processing facilities and information assets accessed by third parties
- Maintain the security of information when the responsibility for information processing has been outsourced to another organization

Design of Security Architecture (levels of Controls)

- Management controls cover security processes that are designed by the strategic planners and performed by the security administration of the organization. Management controls address the design and implementation of the security planning process and security program management.
- Operational controls deal with the operational functionality of security in the organization. They cover management functions and lower-level planning, such as disaster recovery and incident response planning. Operational controls also address personnel security, physical security, and the protection of production inputs and outputs.
- Technical controls address those tactical and technical issues related to designing and implementing security in the organization. Technical controls cover logical access controls like identification, authentication, authorization, and accountability.

Where can a security administrator find information on established security frameworks?

Management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment.

Components of information security

Management of information security, network security, policy, and computer and data security.

Physical Design

- Needed security technology is evaluated, alternatives are generated, and the final design is selected
- At the end of the phase, a feasibility study determines the readiness of the organization for the project

Security Awareness

- One of the least frequently implemented but most beneficial programs is the security awareness program
- Designed to keep information security at the forefront of users' minds
- Need not be complicated or expensive
- If the program is not actively implemented, employees begin to "tune out" and the risk of employee accidents and failures increases

Which paper is the foundation of all subsequent studies of computer security?

Rand Report R-609

Which law was created specifically to deal with encryption policy in the United States?

Security and Freedom through Encryption Act of 1999

Implementation

- Security solutions are acquired, tested, implemented, and tested again
- Personnel issues are evaluated; specific training and education programs are conducted
- The entire tested package is presented to management for final approval

Components of Issue-Specific Security Policy (ISSP)

- Statement of Policy
- Authorized Access and Usage of Equipment
- Prohibited Use of Equipment
- Systems Management
- Violations of Policy
- Policy Review and Modification
- Limitations of Liability

Information Security Governance outcomes (goals)

- Strategic alignment
- Risk management
- Resource management
- Performance measures
- Value delivery

Continuity strategies

- There are a number of strategies for planning for business continuity
- The determining factor in selecting between options is usually cost

End users:

Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Off-Site disaster data storage

To get sites up and running quickly, an organization must have the ability to port data into the new site's systems. Options for getting operations up and running include:
- Electronic vaulting
- Remote journaling
- Database shadowing

Deliberate Software Attacks

- Viruses
- Worms
- Trojan horses
- Logic bombs
- Back door or trap door
- Polymorphic threats
- Virus and worm hoaxes

Vulnerability

Weakness in a controlled system, where controls are not present or no longer effective

Exposure

A single instance of a system being open to damage. In information security, an exposure exists when a vulnerability known to an attacker is present.

Criminal law

addresses violations harmful to society; actively enforced by the state

ACL Policies

Allow configuration to restrict access from anyone and anywhere. They regulate:
- Who can use the system
- What authorized users can access
- When authorized users can access the system
- Where authorized users can access the system from

threat

an object, person, or other entity that represents a constant danger to an asset

Systems-Specific Policy (SysSP)

are frequently codified as standards and procedures used when configuring or maintaining systems.

Rule Policies

are more specific to the operation of a system than ACLs, and they may or may not deal with users directly. Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process.

Baselining and best practices

are solid methods for collecting security practices, but provide less detail than a complete methodology

Security policies

are the least expensive control to execute but the most difficult to implement.

Software assurance

attempts to identify the activities involved in creating secure systems.

Key Technology Components (Design of Security Architecture)

firewall, proxy server, intrusion detection systems, and the DMZ.

technical software failures or errors

Bugs, code problems, and unknown loopholes; the biggest problem, and always going to be an issue. This category of threats comes from purchasing software with unknown, hidden faults. Large quantities of computer code are written, debugged, published, and sold, only to determine that not all bugs were resolved. Sometimes, unique combinations of certain software and hardware reveal new bugs. Sometimes, these items aren't errors but are purposeful shortcuts left by programmers for honest or dishonest reasons.

What are the three components of the C.I.A. triangle? What are they used for?

Confidentiality, integrity, and availability. They are the standard for computer security. The C.I.A. triangle is a security model created to guide information security policies within a company.

Implementation of information security legislation

contributes to a more reliable business environment and a stable economy

Incident response (IR) Planning

- Covers identification of, classification of, and response to an incident
- Attacks are classified as incidents if they: are directed against information assets; have a realistic chance of success; could threaten the confidentiality, integrity, or availability of information resources
- Is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident

logical design

creates and develops the blueprints for security, and it examines and implements key policies that influence later decisions. Also at this stage, critical planning is developed for incident response actions to be taken in the event of partial or catastrophic loss. Next, a feasibility analysis determines whether or not the project should continue or should be outsourced.

the control and use of data is accomplished by

data owners, data custodians, and data users

sabotage or vandalism

- Destruction of systems or information; most of the time is internal
- Threats can range from petty vandalism to organized sabotage
- Web site defacing can erode consumer confidence, dropping sales and the organization's net worth
- Threat of hacktivist or cyberactivist operations is rising
- Cyberterrorism: a much more sinister form of hacking

overall software quality and the security performance of software can be greatly enhanced by

building sound development practices, change control, and quality assurance into the process.

Policy

Directs how issues should be addressed and technologies used; does not cover the specifics of the proper operation of equipment or software. Guides personnel to function in a manner that will add to the security of the organization's information assets.

Civil law

governs nation or state; manages relationships/conflicts between organizational entities and people

six major components of information systems

hardware, software, data, people, procedures, and network

Why is the top-down approach to information security superior to the bottom-up approach

has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture.

Intrusion detection systems (IDSs):

in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement this.

Security Education, Training, and Awareness Program

- Is a control measure designed to reduce the incidence of accidental security breaches by employees
- Is designed to supplement the general education and training programs in place to educate staff on information security
- Is designed to build on the general knowledge the employees must possess to do their jobs, familiarizing them with how to do their jobs securely

firewall

is a device that selectively discriminates against information flowing into or out of the organization. Is usually a computing device or specially configured computer that allows or prevents information from entering or exiting the defined area based on a set of predefined rules.

The DMZ (demilitarized zone)

is a no-man's land between the inside and outside networks, where some organizations place Web servers. These servers provide access to organizational Web pages, without allowing Web requests to enter the interior networks.

Disaster Recovery Planning

- Is planning the preparation for and recovery from a disaster
- The contingency planning team must decide which actions constitute disasters and which constitute incidents
- When situations are classified as disasters, plans change as to how to respond; take action to secure the most valuable assets to preserve value for the longer term
- DRP strives to reestablish operations at the primary site

The Computer Fraud and Abuse Act of 1986

is the cornerstone of many computer-related federal laws and enforcement efforts.

Business Continuity Planning

outlines reestablishment of critical business operations during a disaster that impacts operations at the primary site. If a disaster has rendered the current location of the business unusable for continued operations, there must be a plan to allow the business to continue to function.

proxy server

performs actions on behalf of another system.

Private law

regulates relationships between individuals and organizations

Public law

regulates structure/administration of government agencies and relationships with citizens, employees, and other governments

data owners

responsible for the security and use of a particular set of information

data users

work with the information to perform their daily jobs supporting the mission of the organization.

Issue-Specific Security Policy (ISSP)

1) Addresses specific areas of technology
2) Requires frequent updates
3) Contains an issue statement on the organization's position on an issue

types of security policy:

1) General or security program policy
2) Issue-specific security policies
3) Systems-specific security policies

types of attacks

- Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
- Password crack: attempting to reverse-calculate a password
- Brute force: trying every possible combination of options of a password
- Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses

The ISO 27000 Series

- Code of Practice for Information Security Management, which was originally published as the British Standard BS 7799.

Information security performs four important functions:

- Protecting an organization's ability to function
- Enabling the safe operation of applications implemented on the organization's IT systems
- Protecting the data an organization collects and uses
- Safeguarding the technology assets in use at an organization

organizations that investigate software abuse:

- Software & Information Industry Association (SIIA)
- Business Software Alliance (BSA)

The team leader:

A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

The champion:

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization

threat agent

A specific instance or component that represents a danger to an organization's assets. Threats can be accidental or purposeful, for example lightning strikes or hackers.
