Lesson 2 - Information Security Principles of Success


Activities that preserve confidentiality, integrity, and/or availability are:

-Granting access only to authorized personnel
-Applying encryption to information that will be sent over the Internet or stored on digital media
-Periodically testing computer system security to uncover new vulnerabilities
-Building software defensively
-Developing a disaster recovery plan to ensure that the business can continue to exist in the event of a disaster or loss of access by personnel.

Security assurance requirements describe...

... to what degree the testing of the system is conducted. -Assurance requirements describe how functional requirements should be implemented and tested.

Security is concerned not with eliminating all threats within a system or facility, but...

... with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability.

Controls are implemented to...

...mitigate risk and reduce the potential for loss. -Controls mitigate a wide variety of information security risks and reduce loss.

Processes are documented as ...

...procedures on how to carry out an activity related to security.

Hackers tend to communicate among themselves far better than...

...professional security practitioners ever could. Hackers know about most vulnerabilities long before the general public gets wind of them.

Process controls are implemented to ensure ...

...that different people can perform the same operations exactly in the same way each time.

What represents the three goals of information security?

1-Confidentiality
2-Integrity
3-Availability
--These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs.

Information security professionals usually address three common challenges to availability:

1-Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered)
2-Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
3-Equipment failures during normal use

Functional and Assurance requirements are needed to answer the following 2 questions:

1-Does the system do the right things (behave as promised)?
2-Does the system do the right things in the right way?

Integrity models have three goals:

1-Prevent unauthorized users from making modifications to data or programs
2-Prevent authorized users from making improper or unauthorized modifications
3-Maintain internal and external consistency of data and programs

All information security measures try to address at least one of three goals:

1-Protect the confidentiality of data
2-Preserve the integrity of data
3-Promote the availability of data for authorized use
--These goals form the confidentiality, integrity, availability (CIA) triad

Explain and Distinguish among the three main security goals

1-Protect the confidentiality of data
2-Preserve the integrity of data
3-Promote the availability of data for authorized use
--These goals form the confidentiality, integrity, availability (CIA) triad. The principle of information security protection of confidentiality, integrity, and availability cannot be overemphasized: This is central to all studies and practices in IS. You'll often see the term CIA triad to illustrate the overall goals for IS throughout the research, guidance, and practices you encounter.

When risks are well understood, three outcomes are possible:

1-The risks are mitigated (countered).
2-Insurance is acquired against the losses that would occur if a system were compromised.
3-The risks are accepted and the consequences are managed.

Determining the degree of a risk involves looking at two factors:

1-What is the consequence of a loss?
2-What is the likelihood that this loss will occur?

Process controls for IT security include:

1-assignment of roles for least privilege
2-separation of duties
3-documented procedures
--Process controls are implemented to ensure that different people can perform the same operations exactly in the same way each time. Processes are documented as procedures on how to carry out an activity related to security.

Triad - the principle of defense in depth - dictates that a security mechanism serve a purpose by

1-preventing a compromise
2-detecting that a compromise or compromise attempt is underway
3-responding to a compromise while it's happening or after it has been discovered.

Explain the open disclosure debate

A raging and often heated debate within the security community and software development centers concerns whether to let users know about a problem before a fix or patch can be developed and distributed. Principle 6 tells us that security through obscurity is not an answer: Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security. Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects. The need to know trumps the need to keep secrets, giving users the right to protect themselves.

Which term best describes a cookbook on how to take advantage of a vulnerability?

An exploit is a program or "cookbook" on how to take advantage of a specific vulnerability.

Attacker

Attacker is the link between a vulnerability and an exploit. The attacker has two characteristics: skill and will.
1-Attackers either are skilled in the art of attacking systems or have access to tools that do the work for them.
2-They have the will to perform attacks on systems they do not own and usually care little about the consequences of their actions.

Availability Models

Availability models keep data and resources available for authorized use, especially during emergencies or disasters

B-Rate:

B-Rate is a catchall rating for any box with a lock on it. This rating describes the thickness of the steel used to make the lockbox. No actual testing is performed to gain this rating.

Confidentiality

Confidentiality is sometimes referred to as the principle of least privilege, meaning that users should be given only enough privilege to perform their duties, and no more. Some other synonyms for confidentiality you might encounter include privacy, secrecy, and discretion.

Confidentiality models

Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs and passwords.

Related to information security, confidentiality is the opposite of which of the following?

Disclosure - Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible.

Explain the importance of risk-management tools & techniques for balancing the needs of business

Every system has unique security issues and considerations, so it's imperative to understand the specific nature of data the system will maintain, what hardware and software will be used to deploy the system, and the security skills of the development teams.

Exploit

Exploit is a program or "cookbook" on how to take advantage of a specific vulnerability. It might be a program that a hacker can download over the Internet and then use to search for systems that contain the vulnerability it's designed to exploit. It might also be a series of documented steps on how to exploit the vulnerability after an attacker finds a system that contains it.

Which of the following best represents the two types of IT security requirements?

Functional and assurance -Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested.

Explain the difference between functional requirements and assurance requirements

Functional and assurance -Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested. Together they answer two questions:
1-Does the system do the right things (behave as promised)?
2-Does the system do the right things in the right way?

Extreme risk

Immediate action is required.

What term best describes the assurance that data has not been changed unintentionally due to an accident or malice is?

Integrity - Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes.

Integrity Models

Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes

Explain the Principle of defense in depth

Layered security is known as defense in depth. This security is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. Defense in depth also seeks to offset the weaknesses of one security layer with the strengths of two or more other layers.

Low risk:

Management is handled by routine procedures.

Moderate risk:

Management responsibility must be specified.

What are the three types of security controls?

People, process, and technology -Security controls are the basic toolkit for the security practitioner who mixes and matches them to carry out the objectives of confidentiality, integrity, and/or availability by using people, processes, and technology to bring them to life.

Defense in depth is needed to ensure that which three mandatory activities are present in a security system?

Prevention, detection, and response -Defense in depth is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response.

Explain 12 generally accepted basic principles of information security

Principle 1: There Is No Such Thing As Absolute Security
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
Principle 3: Defense in Depth as Strategy
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
Principle 6: Security Through Obscurity Is Not an Answer
Principle 7: Security = Risk Management
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
Principle 9: Complexity Is the Enemy of Security
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

Explain Human vulnerabilities in security systems

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

Which term best describes the probability that a threat to an information system will materialize?

Risk -Risk involves looking at what is the consequence of a loss and the likelihood that this loss will occur.

UL TL-15:

Safes with an Underwriters Laboratories (UL) TL-15 rating have passed standardized tests as defined in UL Standard 687 using tools and an expert group of safe-testing engineers. The UL TL-15 label requires that the safe be constructed of 1-inch solid steel or equivalent. The label means that the safe has been tested for a net working time of 15 minutes using "common hand tools, drills, punches, hammers, and pressure applying devices." Net working time means that when the tool comes off the safe, the clock stops. Engineers exercise more than 50 different types of attacks that have proven effective for safecracking.

Explain the fallacy of security through obscurity

Security through obscurity means that hiding the details of the security mechanisms is sufficient to secure the system alone. Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all. If the security of a system is maintained by keeping the implementation of the system a secret, the entire system collapses when the first person discovers how the security mechanism works—and someone is always determined to discover these secrets. The better bet is to make sure no one mechanism is responsible for the security of the entire system. Again, this is defense in depth in everything related to protecting data and resources.

High risk:

Senior management's attention is needed.

Separation of Duties

The practice of requiring that processes be divided between two or more individuals; no one person in an organization should have the ability to control or shut down a security activity.

CIA Triad

The principle of information security protection of confidentiality, integrity, and availability cannot be overemphasized: This is central to all studies and practices in IS. You'll often see the term CIA triad to illustrate the overall goals for IS throughout the research, guidance, and practices you encounter.

The tactic of FUD

The tactic of fear, uncertainty, and doubt (FUD) no longer works: Information security and IT management is too mature. Now IS managers must justify all investments in security using techniques of the trade. Although this makes the job of information security practitioners more difficult, it also makes them more valuable because of management's need to understand what is being protected and why. When spending resources can be justified with good, solid business rationale, security requests are rarely denied.

C-Rate:

This is defined as a variably thick steel box with a 1-inch-thick door and a lock. No tests are conducted to provide this rating, either.

UL TL-30:

UL TL-30 testing is essentially the same as the TL-15 testing, except for the net working time. Testers get 30 minutes and a few more tools to help them gain access. Testing engineers usually have a safe's manufacturing blueprints and can disassemble the safe before the test begins to see how it works.

Validation

Validation determines the correctness or quality of the mechanisms used to meet the needs.

Verification

Verification is the process of confirming that one or more predetermined requirements or specifications are met.

Which term best describes the absence or weakness in a system that may possibly be exploited?

Vulnerability refers to a known problem within a system or program.

Buffer overflow or buffer overrun vulnerability

A weakness in which the input area is overloaded with more information than it can handle, crashing or disabling the program. This is called a buffer overflow, and it can permit a malicious user to gain control over the system.

Security functional requirements describe

What a security system should do by design -Functional requirements describe what a system should do.

Explain the importance of risk-analysis

Risk analysis means placing an economic value on assets to best determine appropriate countermeasures that protect them from losses. Determining the degree of a risk involves looking at two factors:
1-What is the consequence of a loss?
2-What is the likelihood that this loss will occur?

Vulnerability

refers to a known problem within a system or program.

If you see something,

say something.

The more complex a system gets,

the harder it is to secure. With too many "moving parts" or interfaces between programs and other systems, the system or interfaces become difficult to secure while still permitting them to operate as intended.
