Chapter 1 - Introduction to Information Security Flashcards
Where did information security begin?
It began after the creation of the mainframe, which was developed for code-breaking computations during WWII.
What were the threats in the mainframe era of information security?
Physical theft, espionage, and sabotage.
1960s events
- The Advanced Research Projects Agency examined the feasibility of redundant communication.
- Larry Roberts developed ARPANET from its inception. It linked 17 computer research centers for resource sharing and cost 3.4 million dollars.
- ARPANET is the predecessor to the internet.
1970s - 1980s events in ISec
ARPANET grew popular, and so did its misuse. The fundamental problems with ARPANET security were:
1. Individual remote sites were not secured against unauthorized users.
2. Vulnerability of password structure and formats.
3. No safety procedures for dial-up connections to ARPANET.
4. Non-existent user identification and authorization to the system.
1970s - 1980s events in ISec
Rand Report R-609 - a paper that started the study of computer security. It extended the scope of security beyond physical security to: safety of data, limiting unauthorized access to data, and involvement of personnel from multiple levels of the organization.
MULTICS - Multiplexed Information and Computing Service
It was the first operating system created with security as one of its primary goals. Several key MULTICS players went on to create UNIX.
Late 1970s
The microprocessor expanded computing capabilities. The presence of mainframes declined, and security threats expanded.
1990s
Networks of computers became common, and the need to interconnect networks grew. It was also a time when security was treated as a low priority.
2000 to present
Millions of computer networks communicate, and the need for security has grown.
What is security?
“The quality or state of being secure—to be free from danger”
What are the six layers of security in an organization?
Physical, personal, operational, communication, network, and information security.
What are the components of ISec?
Management of information security, network security, computer and data security, and policy.
Access
- a subject's or object's ability to use, manipulate, modify, or affect another subject or object.
Assets
the organizational resource that is being protected.
Exposure
a single instance of being open to damage.
Loss
When an organization’s information is stolen, it has suffered a loss.
Exploit
to take advantage of a weakness or vulnerability in a system.
Attack
an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
Control, Safeguard, or Countermeasure
security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Hack
- Good: to use computers or systems for enjoyment;
- Bad: to illegally gain access to a computer or system.
Risk
the probability that something can happen.
Security Blueprint
the plan for the implementation of new security measures in the organization.
Security Model
a collection of specific security rules that represents the implementation of a security policy.
Subject and Object
an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
Threat
a category of objects, persons, or other entities that represents a potential danger to an asset.
Threat agent
- a specific instance or component of a more general threat.
Vulnerability
a weakness or fault in a system or protection mechanism that exposes information to attack or damage.
What are the critical characteristics of information?
Availability, accuracy, authenticity, confidentiality, integrity, and possession.
Availability
- Enables users who need to access information to do so without interference or obstruction and in the required format.
Accuracy
Free from mistake or error and having the value that the end user expects.
Authenticity
The quality or state of being genuine or original, rather than a reproduction or fabrication.
Confidentiality
The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity
The quality or state of being whole, complete, and uncorrupted.
Possession
- The quality or state of having ownership or control of some object or item.
Components of an information system
Software, hardware, data, people, procedures, and networks.
What two things should be balanced in IS?
Protection and Availability
Implementation approach
Bottom-Up and Top-down
Bottom-Up
It seldom works. Why? Lack of participant support and organizational staying power.
Top-down
Initiated by top management.
Senior Management
CIO and CISO
CIO
Advising senior executives on strategic planning
CISO
Assessment, management, and implementation of IS in the organization.
Information Security Project Team
* Team leader
* Security policy developers
* Risk assessment specialists
* Security professionals
* Systems administrators
* End users
Data responsibilities
Data owner, custodian, and users
Data owner
responsible for the security and use of a particular set of information.
Data Custodian
responsible for storage, maintenance, and protection of information.
Data users
end users who work with information to perform their daily jobs supporting the mission of the organization.
Communities of interest
- Information security management and professionals
- Information technology management and professionals
- Organizational management and professionals