Chapter 1 - Introduction to Information Security Flashcards
Learning Objectives
Upon completion of this material, you should be able to:
- Define information security
- Recount the history of computer security and how it evolved into information security
- Define key terms and critical concepts of information security
- List the phases of the security systems development life cycle
- Describe the information security roles of professionals within an organization
Information Security Definition
a well-informed sense of assurance that the information risks and controls are in balance
Origins of information security
Started around the Second World War and continued on into the Cold War
What is ARPA & why was it created?
Advanced Research Projects Agency, created in the 1960s to examine the feasibility of redundant networked communications
Larry Roberts - ARPANET
ARPANET goal
The primary objective was to develop networking and resource sharing.
In its initial stages it had no security for dial-up connections (AKA authorization/passwords)
What was the Rand Report R-609? During what decades? What was its major significance?
This was the paper that started the study of computer security and identified the role of management and policy issues in it
70s & 80s
Shift from physical security to information security: securing the data, limiting random/unauthorized access to the data, and tasking people directly with these duties.
What is MULTICS?
Multiplexed Information and Computing Service
Several key players of MULTICS created UNIX primarily for text processing
90s
Internet became the first global network of networks
93 DEFCON conference for IS
Name 6 layers for security/protection:
- Operations
- Physical infrastructure
- People
- Functions
- Communications
- Information
CIA Triangle
CIA:
- Confidentiality
- Integrity
- Availability
CNSS Security Model
The McCumber Cube (Committee on National Security Systems)
- Key objectives: Confidentiality, Integrity, Availability
- Means of implementation: Policy, Education, Technology
- Information states: Storage, Processing, Transmission
This graphic informs the fundamental approach of the chapter and can be used to illustrate the intersection of information states (x-axis), key objectives of C.I.A. (y-axis), and the three primary means to implement (policy, education, and technology)
Information Systems (IS) definition
The entire set of people, procedures, and technology that enable business to use information.
- Software
- Hardware
- Data
- People
- Procedures
- Networks
Security as a balance between X and Y
balance between protection and availability
Approaches to IS Implementation
- Bottom-up (grassroots effort) - rarely works due to little support and organizational staying power. Does have the advantage of having the technical expertise of individual administrators on its side.
- Top-down - carried out by upper mgmt. - policies, procedures, processes, goals, and accountability. The most successful approach is referred to as the systems development life cycle.
What is the SDLC - systems development life cycle
- SDLC: a methodology for the design and implementation of an information system
- Methodology: a formal approach to solving a problem based on a structured sequence of procedures
- Using a methodology:
  - Ensures a rigorous process with a clearly defined goal
  - Increases probability of success
Traditional SDLC consists of six general phases.
What are the 6 stages of the SDLC
- Investigation
- Analysis
- Logical Design
- Physical Design
- Implementation
- Maintenance and change
IALPIM
(inside ankle bone low practically immobilizes man)
SecSDLC
Using the same phases of SDLC to identify specific threats and create specific controls that counter them
Software Assurance (SwA)
Need to include planning for security objectives in the SDLC used to create systems.
CBK
Common body of knowledge
Identified security principles:
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
Economy of mechanism: Keep the design as simple and small as possible.
Fail-safe defaults: Base access decisions on permission rather than exclusion.
Complete mediation: Every access to every object must be checked for authority.
Open design: The design should not be secret, but rather depend on the possession of keys or passwords.
Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one.
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.
Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
NIST Approach to Securing SDLC
NIST - National Institute of Standards and Technology
Maximizes return on investment through four things:
- Early identification and mitigation of security vulnerabilities and misconfigurations
- Awareness of potential engineering challenges
- Identification of shared security services and reuse of security strategies and tools
- Facilitation of informed executive decision making
CIO
Chief information officer - advises the senior executives on strategic planning
CISO
Chief information security officer - primarily assesses, manages, and implements IS and reports directly to the CIO
Data owners
Members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.
Data custodians
Working directly with data owners, data custodians are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
Data Users
Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
3 Views of Information Security
- art
- science
- social science
Who was Robert M. Metcalf and what was the importance of his work?
Brought awareness to the risks and vulnerabilities of ARPANET
Information Security as defined by CNSS
in book
Components of information security
House Diagram
Base Level:
Confidentiality, Integrity, Availability
Columns:
Computer/Data/Network Security
Roof:
Policy, Information Security and Governance to ensure management of information security
Information Security
Protection of CIA (confidentiality, integrity, and availability)
Subject and Object of an attack
Technology Stack
Information Systems (IS)
The combination of software, hardware, data, people, procedures, and networks
methodology
A methodology is a formal approach to solving a problem by means of a structured sequence of procedures.
SDLC Waterfall Methodology (6)
- Investigation
- Analysis
- Logical Design
- Physical Design
- Implementation
- Maintenance and Change
Note: repeat when system is no longer viable
community of interest
a community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. While there can be many different communities of interest in an organization, this book identifies the three that are most common and that have roles and responsibilities in information security
What are the 3 most common communities of interest found with Information Security?
- Information security management and professionals
- Information technology management and professionals
- Organizational management and professionals
Confidentiality
Integrity
Availability
Confidentiality: Only authorized users and processes should be able to access or modify data
Ex. of managing confidentiality: access control lists, volume and file encryption, and Unix file permissions.
Integrity: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously. Make it so that it is possible to reverse the damage caused by a bad actor.
Availability: Authorized users should be able to access data whenever they need to do so.
Install redundancies to allow access through power outages, connection problems, hardware failures, etc.
Access
a subject or object’s ability to use, manipulate, modify or affect another subject or object.
Asset
organizational resource being protected
Attack
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Control/Safeguard/Countermeasure
are the security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization
Exploit
a technique used to compromise a system
Exposure
a condition or state of being exposed/vulnerable
Loss
A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
Protection Profile or Security Posture
entire set of controls and safeguards that the organization takes to protect the asset
Risk
the probability of an unwanted occurrence
Subjects and Objects
A PC can be either an agent entity used to conduct an attack or the target entity.
- Subject of the attack: the agent entity used to conduct the attack
- Object of the attack: the target entity
Threat
a category of objects, people, or other entities that represents a danger to an asset.
Threat Agent
the specific instance or a component of a threat.
Vulnerability
weaknesses or faults in a system or protection mechanism that expose information to attack or damage.
Availability of Information
Enables users who need access to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
Accuracy of information
Free from mistake or error and having the value that the end user expects. If the information contains a value different from what the user expects due to intentional or unintentional modification of its content, the information is said to no longer be accurate.
Authenticity
quality of being original, as opposed to being a reproduction or fabrication.
Information is authentic when it is the information that was originally created, placed, stored or transferred.
Confidentiality of information
The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Utility
the quality of having value for some purpose or end. Information has value when it serves a particular purpose.
This means that if information is available, but not in a format that is useful to the end-user, it is not useful.
Possession
Having ownership or control of some object or item.
A breach of confidentiality always results in a breach of possession. However, a breach in possession does not always result in a breach in confidentiality.