Chapter 1 - Introduction to Information Security

Question 1

Learning Objectives

Answer 1

Upon completion of this material, you should be able to:

1. Define information security
2. Recount the history of computer security and how it evolved into information security
3. Define key terms and critical concepts of information security
4. List the phases of the security systems development life cycle
5. Describe the information security roles of professionals within an organization

Question 2

Information Security Definition

Answer 2

a well-informed sense of assurance that the information risks and controls are in balance

Question 3

Origins of information security

Answer 3

Started around the Second World War and continued on into the Cold War

Question 4

What is ARPA & why was it created?

Answer 4

Advanced Research Project Agency 1960s to examine feasibility of redundant networked communications

Larry Roberts- ARPANET

Question 5

ARPANET goal

Answer 5

The primary objective was to develop networking and resource sharing.

In its initial stages it had no security for dial-up connections (AKA authorization/passwords)

Question 6

What was the Rand Report R-609? during what decades? and what was its major significance?

Answer 6

This was the paper that started the study of computer security and identified the role of management and policy issues in it

70s & 80s

Shift from physical security to information security: securing the data, limiting random/unauthorized access to the data, and tasking people directly with these duties.

Question 7

What is MULTICS?

Answer 7

Multiplexed information and computing service

Several key players of MULTICS created UNIX primarily for text processing

Question 8

90s

Answer 8

Internet became the first global network of networks

93 DEFCON conference for IS

Question 9

Name 6 layers for security/protection:

Answer 9

1. Operations
2. Physical infrastructure
3. People
4. Functions
5. Communications
6. Information

Question 10

CIA Triangle

Answer 10

CIA -

Confidentiality

Integrity

Availability

Question 11

CNSS Security Model

The McCumber Cube

Answer 11

Committee on National Security Systems

Confidentiality

Integrity

Availability

Policy Education Tech

Storage/Processing/Transmission

This graphic informs the fundamental approach of the chapter and can be used to illustrate the intersection of information states (x-axis), key objectives of C.I.A. (y-axis), and the three primary means to implement (policy, education, and technology)

Question 12

Information Systems (IS) definition

Answer 12

•is the entire set of people, procedures, and technology that enable business to use information.

–Software

–Hardware

–Data

–People

–Procedures

– Networks

Question 13

Security as a balance b/w x and x

Answer 13

balance between protection and availability

Question 14

Approaches to IS Implementation

Answer 14

1. Bottom-up (grassroots effort) - rarely works due to little support and organizational staying power. Does have the advantage of having the technical expertise of individual administrators on its side.
2. Top-down - carried out by upper mgmt. - policies, procedures, and processes, goals, and accountability. The most successful approach is referred to as systems development life cycle

Question 15

What is the SDLC - systems development life cycle

Answer 15

• ): a methodology for the design and implementation of an information system
• Methodology: a formal approach to solving a problem based on a structured sequence of procedures
• Using a methodology:

–Ensures a rigorous process with a clearly defined goal

–Increases probability of success

Traditional SDLC consists of six general phases.

Question 16

What are the 6 stages of the SDLC

Answer 16

1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and change

IALPIM

(inside ankle bone low practically immobilizes man)

Question 17

SecSDLC

Answer 17

Using the same phases of SDLC to identify specific threats and create specific controls that counter them

Question 18

Software Assurance (SwA)

CBK

Answer 18

Need to include planning for security obj. in SDLC used to create systems.

Common body of knowledge

Question 19

Identified security principles:

1. –Economy of mechanism
2. –Fail-safe defaults
3. –Complete mediation
4. –Open design
5. –Separation of privilege
6. –Least privilege
7. –Least common mechanism
8. Psychological acceptability

Answer 19

Economy of mechanism: Keep the design as simple and small as possible.

Fail-safe defaults: Base access decisions on permission rather than exclusion.

Complete mediation: Every access to every object must be checked for authority.

Open design: The design should not be secret, but rather depend on the possession of keys or passwords.

Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one.

Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.

Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.

Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.

Question 20

NIST Approach to Securing SDLC

maximizes return on investment through (4:)

NIST - National Institute of Standards and Technology

Answer 20

1. –Early identification and mitigation of security vulnerabilities and misconfigurations
2. –Awareness of potential engineering challenges
3. –Identification of shared security services and reuse of security strategies and tools
4. –Facilitation of informed executive decision making

Question 21

CIO

CISO

Answer 21

Chief information officer - advises the senior executives on strategic planning

Chief information security officer - primarily assesses, manages, and implements IS and reports directly to CIO

Question 22

Data owners

Answer 22

Members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

Question 23

Data custodians

Answer 23

Working directly with data owners, data custodians are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Question 24

Data Users

Answer 24

Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Question 25

3 Views of Information Security

Answer 25

1. art
2. science
3. social science

Question 26

Who was Robert M. Metcalf and what was the importance of his work?

Answer 26

Brought awareness to the risks and vulnerabilities of ARPANET

Question 27

Information Security as defined by CNSS

in book

Question 28

Components of information security

House Diagram

Answer 28

Base Level:

Confidentiality, Integrity, Availability

Columns:

Computer/Data/Network Security

Roof:

Policy, Information Security and Governance to ensure management of information security

Question 29

Information Security

Answer 29

Protection of CIA (confidentiality, integrity, and availability)

Question 30

Subject and Object of an attack

Question 31

Technology Stack

Question 32

Information Systems (IS)

Answer 32

The combination of software, hardware, data, people, procedures,

Question 33

methodology

Answer 33

A methodology is a formal approach to solving a problem by means of a structured sequence of procedures.

Question 34

SDLC Waterfall Methodology (6)

Answer 34

1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change

Note: repeat when system is no longer viable

Question 35

community of interest

Answer 35

a community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. While there can be many different communities of interest in an organization, this book identifies the three that are most common and that have roles and responsibilities in information security

Question 36

What are the 3 most common communities of interest found with Information Security?

Answer 36

1. Information security management and professionals
2. Information technology management and professionals
3. Organizational management and professionals

Question 37

Confidentiality

Integrity

Availability

Answer 37

Confidentiality: Only authorized users and processes should be able to access or modify data

Ex. of managing confidentiality: access control lists, volume, and file encryption, and Unix file permissions.

Integrity: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously. Make it so that it is possible to reverse the damage caused by a bad actor.

Availability: Authorized users should be able to access data whenever they need to do so.

Install redundancies to allow access through power outages, connection problems, hardware failures, etc.

Question 38

Access

Answer 38

a subject or object’s ability to use, manipulate, modify or affect another subject or object.

Question 39

Asset

Answer 39

organizational resource being protected

Question 40

Attack

Answer 40

an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Question 41

Control/Safeguard/Countermeasure

Answer 41

are the security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization

Question 42

Exploit

Answer 42

a technique used to compromise a system

Question 43

Exposure

Answer 43

a condition or state of being exposed/vulnerable

Question 44

Loss

Answer 44

A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

Question 45

Protection Profile or Security Posture

Answer 45

entire set of controls and safeguards that the organization takes to protect the asset

Question 46

Risk

Answer 46

the probability of an unwanted occurrence

Question 47

Subjects and Objects

Answer 47

A PC can be either an agent entity used to conduct an attack or the target entity.

Subject of the attack

Object of the attack

Question 48

Threat

Answer 48

a category of objects, people, or other entities that represents a danger to an asset.

Question 49

Threat Agent

Answer 49

the specific instance or a component of a threat.

Question 50

Vulnerability

Answer 50

weaknesses or faults in a system or protection mechanism that expose information to attack or damage.

Question 51

Availability of Information

Answer 51

Enables users who need access to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format

Question 52

Accuracy of information

Answer 52

Free from mistake or error and having the value that the end user expects. If the information contains a value different from what the user expects due to intentional or unintentional modification of its content, the information is said to no longer be accurate.

Question 53

Authenticity

Answer 53

quality of being original, as opposed to being a reproduction or fabrication.

Information is authentic when it is the information that was originally created, placed, stored or transferred.

Question 54

Confidentiality of information

Answer 54

The quality or state of preventing disclosure or exposre to unauthorized individuals or systems.

Question 55

Utility

Answer 55

the quality of having value for some purpose or end. Information has value when it serves a particular purpose.

This means that if information is available, but not in a format that is useful to the end-user, it is not useful.

Question 56

Possession

Answer 56

Having ownership or control of some object or item.

A breach of confidentiality always results in a breach of possession. However, a breach in possession does not always result in a breach in confidentiality.