Lecture 1 - Introduction to Information Security Flashcards by J D

Earlier versions of the German code machine ? were first broken by the Poles in the 1930s.

The History of Information Security

Enigma

How well did you know this?

Not at all

Perfectly

The British and Americans managed to break later, more complex versions during World War II.

The History of Information Security

Enigma

How well did you know this?

Not at all

Perfectly

The increasingly complex versions of the ?, especially the submarine version of the ?, caused considerable anguish to Allied forces before finally being cracked.

The History of Information Security

Enigma

How well did you know this?

Not at all

Perfectly

The Enigma

Earlier versions of the German code machine Enigma were first broken by the Poles in the ?.

Hint: 19xxs

The History of Information Security

1930s

How well did you know this?

Not at all

Perfectly

During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.

Hint: 19xxs

The History of Information Security

1960s

How well did you know this?

Not at all

Perfectly

During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew.

Hint: 19xxs and 19xxs

The History of Information Security

1970s and 80s

How well did you know this?

Not at all

Perfectly

1968

Maurice Wilkes discusses password security in ?.

Hint: ? Computer Systems

The History of Information Security

Time-Sharing Computer Systems

How well did you know this?

Not at all

Perfectly

1973

Schell, Downey, and Popek examine the need for additional security in military systems in “Preliminary Notes on the Design of ?”.

Hint: ? Computer Systems

The History of Information Security

Secure Military Computer Systems

How well did you know this?

Not at all

Perfectly

1975

The Federal Information Processing Standards (FIPS) examines Digital Encryption Standard (DES) in the ?.

The History of Information Security

Federal Register

How well did you know this?

Not at all

Perfectly

1978

Bisbey and Hollingworth publish their study “?: Final Report”, discussing the ? project created by ARPA to better understand the vulnerabilities detection techniques in existing system software.

The History of Information Security

Protection Analysis

How well did you know this?

Not at all

Perfectly

1979

Morris and Thompson author “?: A Case History” published in the Communications of the Association for Computing Machinery (ACM). This paper examines the history of a design for a ? scheme on a remotely accessed, time-sharing system.

The History of Information Security

Password Security

How well did you know this?

Not at all

Perfectly

1979

Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents” discussing secure user IDs and secure group IDs, and the problems inherent in the systems.

The History of Information Security

How well did you know this?

Not at all

Perfectly

1984

Grampp and Morris write ”?”. In this report, the authors examine four “important handles to computer security”: (1) physical control of premises and computer facilities, (2) management commitment to security objectives, (3) education of employees, and (4) administrative procedures aimed at increased security.

Hint: ? OS ?

The History of Information Security

UNIX Operating System Security

How well did you know this?

Not at all

Perfectly

1984

Reeds and Weinberger publish ”?”. Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other priviledged users … the naive user has no chance.”

Hint: ? ? and the UNIX ? ? ?

The History of Information Security

File Security and the UNIX System Crypt Command

How well did you know this?

Not at all

Perfectly

At the close of the twentieth century, networks of computers became more common, as did the need to connect these networks to each other. professionals.

Hint: 19xxs

The History of Information Security

1990s

How well did you know this?

Not at all

Perfectly

Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer’s stored information is now contingent on the level of security of every other computer to which it is connected.

Hint: 2XXX ? ?

The History of Information Security

2000 to Present

How well did you know this?

Not at all

Perfectly

In general, ? is “the quality or state of being secure— to be free from danger.” In other words, protection against adversaries— from those who would do harm, intentionally or otherwise— is the objective.

What is Security?

Security

How well did you know this?

Not at all

Perfectly

6 Layers of Security (to protect organization operations)

A successful organization should have the following multiple layers of security in place to protect its operations: ?, ??, ???, ????, ?????, and ??????.

What is Security?

Physical security
Personnel security
Operations security
Communications security
Network security
Information security

How well did you know this?

Not at all

Perfectly

?, to protect physical items, objects, or areas from unauthorized access and misuse.

6 Layers of Security (to protect organization operations)

Physical security

How well did you know this?

Not at all

Perfectly

?, to protect the individual or group of individuals who are authorized to access the organization and its operations

6 Layers of Security (to protect organization operations)

Personnel security

How well did you know this?

Not at all

Perfectly

?, to protect the details of a particular operation or series of activities.

6 Layers of Security (to protect organization operations)

Operations security

How well did you know this?

Not at all

Perfectly

?, to protect communications media, technology, and content

6 Layers of Security (to protect organization operations)

Communications security

How well did you know this?

Not at all

Perfectly

?, to protect networking components, connections, and contents

6 Layers of Security (to protect organization operations)

Network security

How well did you know this?

Not at all

Perfectly

?, to protect the confidentiality, integrity and availability
of information assets, whether in storage, processing, or transmission.

6 Layers of Security (to protect organization operations)

Information security

How well did you know this?

Not at all

Perfectly

# 4 Components of Information Security **Components of Information Security**: ?, ??, ???, and ???.

* Management of information security * Network security * Computer & data security * Policy

# 13 Key Information Security Concepts **Key Information Security Concepts**: ?, ??, ???, ????, ?????, ??????, ???????, ????????, ?????????, ??????????, ???????????, ????????????, and ?????????????.

* Access * Asset * Attack * Control, safeguard, or countermeasure * Exploit * Exposure * Loss * Protection profile or security posture * Risk * Subjects and objects * Threat * Threat agent * Vulnerability

# ? A subject or object’s **ability to use, manipulate, modify, or affect** another subject or object. ## Footnote **13 Key Information Security Concepts**

Access

# ? The **organizational resource** that is being protected. An asset can be: * **logical**, such as a Web site, information, or data; or * **physical**, such as a person, computer system, or other tangible object. ## Footnote **13 Key Information Security Concepts**

Asset

# Asset An asset can be **?**, such as a **Web site, information, or data**; or an asset can be **??**, such as a **person, computer system, or other tangible object**. ## Footnote **13 Key Information Security Concepts**

* logical * physical

# ? An intentional or unintentional act that can **cause damage to or otherwise compromise information** and/or the systems that support it. ## Footnote **13 Key Information Security Concepts**

Attack

# ? **Security mechanisms, policies, or procedures** that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. ## Footnote **13 Key Information Security Concepts**

Control, safeguard, or countermeasure

# ? A technique used to **compromise a system**. ## Footnote **13 Key Information Security Concepts**

Exploit

# ? A **condition or state of being exposed**. In information security, **?** exists when a **vulnerability known to an attacker is present**. ## Footnote **13 Key Information Security Concepts**

Exposure

# ? A single instance of an **information asset suffering damage or unintended or unauthorized modification or disclosure**. ## Footnote **13 Key Information Security Concepts**

Loss

# ? The **entire set of controls and safeguards**, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to **protect the asset**. ## Footnote **13 Key Information Security Concepts**

Protection profile or security posture

# ? The **probability** that **something unwanted will happen**. ## Footnote **13 Key Information Security Concepts**

Risk

# ? A computer can be either: * the **subject of an attack**—an **agent entity** used to conduct the attack— or * the **object of an attack**— the **target entity**. ## Footnote **13 Key Information Security Concepts**

Subjects and objects

# ? A category of objects, persons, or other entities that **presents a danger** to an asset. **?**s are **always present** and can be **purposeful or undirected**. ## Footnote **13 Key Information Security Concepts**

Threat

# ? The **specific instance** or a **component** of a **threat**. ## Footnote **13 Key Information Security Concepts**

Threat agent

# ? A **weaknesses or fault in a system** or protection mechanism that opens it to attack or damage. ## Footnote **13 Key Information Security Concepts**

Vulnerability

# 7 Critical Characteristics of Information **Critical Characteristics of Information**: ?, ??, ???, ????, ?????, ??????, and ???????.

* Availability * Accuracy * Authenticity * Integrity * Confidentiality * Utility * Possession

# ? **?** enables **authorized users**— persons or computer systems— to **access information** without interference or obstruction and to receive it in the required format. ## Footnote **7 Critical Characteristics of Information**

Availability

# ? Information has **?** when it is **free from mistakes or errors** and it has the **value that the end user expects**. If information has been intentionally or unintentionally modified, it is no longer accurate. ## Footnote **7 Critical Characteristics of Information**

Accuracy

# ? **?** of information is the **quality or state of being genuine or original**, rather than a reproduction or fabrication. ## Footnote **7 Critical Characteristics of Information**

Authenticity

# ? Information has **?** when it is **whole, complete, and uncorrupted**. The **?** of information is threatened when the information is exposed to corruption. ## Footnote **7 Critical Characteristics of Information**

Integrity

# ? Information has **?** when it is **protected from disclosure or exposure** to unauthorized individuals or systems. ## Footnote **7 Critical Characteristics of Information**

Confidentiality

# 4 Number of Measures (to protect the confidentiality of information) To protect the confidentiality of information, you can use a **number of measures**, including the following: ?, ??, ???, and ????. ## Footnote **Critical Characteristics of Information - Confidentiality**

* Information classification * Secure document storage * Application of general security policies * Education of information custodians and end users

# ? The **?** of information is the **quality or state of having value** for some purpose or end. ## Footnote **7 Critical Characteristics of Information**

Utility

# ? The **?** of information is the **quality or state of ownership or control**. ## Footnote **7 Critical Characteristics of Information**

Possession

# 6 Components of an Information System **Components of an Information System**: ?, ??, ???, ????, ?????, and ??????.

* Software * Hardware * Data * People * Procedures * Networks

# ? **?** is perhaps the **most difficult IS (Information System) component to secure**. The **exploitation of errors** in software programming accounts for a substantial portion of the attacks on information. ## Footnote **6 Components of an Information System**

Software

# ? **?** is the **physical technology** that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. ## Footnote **6 Components of an Information System**

Hardware

# ? **?** **stored, processed, and transmitted** by a computer system must be protected. ## Footnote **6 Components of an Information System**

Data

# ? Though *often overlooked in computer security considerations*, **?** have **always been a threat** to information security. ## Footnote **6 Components of an Information System**

People

# ? *Another frequently overlooked component of an IS (Information System)* is **?**. **?** are **written instructions** for accomplishing a specific task. When an unauthorized user obtains an organization’s **?**, this poses a threat to the integrity of the information. ## Footnote **6 Components of an Information System**

Procedures

# ? The IS (Information System) component that created much of the **need for increased computer and information security** is **?**ing. ## Footnote **6 Components of an Information System**

Networks

# 2 Approaches to Information Security Implementation **Approaches to Information Security Implementation**: ? and ??.

* Bottom-up Approach * Top-down Approach

# ? The **implementation of information security** in an organization must **begin** somewhere, and **cannot happen overnight**. ## Footnote **2 Approaches to Information Security Implementation**

* Bottom-up Approach

# ? **Securing information assets** is in fact an **incremental process** that requires coordination, time, and patience. ## Footnote **2 Approaches to Information Security Implementation**

* Bottom-up Approach

# ? **Information security* can begin as a **grassroots effort** in which **systems administrators attempt to improve the security** of their systems. ## Footnote **2 Approaches to Information Security Implementation**

* Bottom-up Approach

# ? The **?**— in which the project is **initiated by upper-level managers** who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action— has a **higher probability of success**. ## Footnote **2 Approaches to Information Security Implementation**

* Top-down Approach

# 4 Sections of Information Security Responsibilies The following sections describe the **typical information security responsibilities of various professional roles in an organization**: ?, ??, ???, and ????. ## Footnote **Security Professionals and the Organization**

* Senior Management * Information Security Project Team * Data Responsibilities * Communities of Interest

# 7 Members of the Security Project Team Members of the **security project team**: ?, ??, ???, ????, ?????, ??????, and ???????. ## Footnote **Information Security Project Team**

* Champion * Team leader * Security policy developers * Risk assessment specialists * Security professionals * Systems administrators * End users

# ? A **senior executive** who promotes the project and ensures its support, both *financially* and *administratively*, at the **highest levels of the organization**. ## Footnote **7 Members of the Security Project Team**

Champion

# ? A **project manager**, who may be a *departmental line manager* or *staff unit manager*, who understands **project management**, **personnel management**, and **information security technical requirements**. ## Footnote **7 Members of the Security Project Team**

Team Leader

# ? People who understand the **organizational culture**, **existing policies**, and **requirements for developing and implementing successful policies**. ## Footnote **7 Members of the Security Project Team**

Security Policy Developers

# ? People who understand **financial risk assessment techniques**, the **value of organizational assets**, and the **security methods** to be used. ## Footnote **7 Members of the Security Project Team**

Risk Assessment Specialists

# ? Dedicated, trained, and well-educated specialists in **all aspects of information security** from both a **technical and nontechnical standpoint**. ## Footnote **7 Members of the Security Project Team**

Security Professionals

# ? People with the **primary responsibility** for **administering the systems** that house the information used by the organization. ## Footnote **7 Members of the Security Project Team**

Systems Administrators

# ? Those whom the new system will most **directly affect**. Ideally, a **selection of users from various departments, levels, and degrees of technical knowledge** assists the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard. ## Footnote **7 Members of the Security Project Team**

End Users

# 3 Types of Data Ownership The three types of data ownership are: ?, ??, and ??? ## Footnote **Data Responsibilities**

* Data owners * Data custodians * Data users

# ? Those **responsible for the security** and use of a particular set of information. ## Footnote **3 Types of Data Ownership**

Data owners

# ? Working directly with data owners, **?** are **responsible for the storage, maintenance, and protection** of the information. ## Footnote **3 Types of Data Ownership**

Data custodians

# ? **End users who work with the information** to perform their assigned roles supporting the mission of the organization. ## Footnote **3 Types of Data Ownership**

Data users

# 3 Communities of Interest The three Communities of Interest are ?, ??, and ???.

* Information Security Management and Professionals * Information Technology Management and Professionals * Organizational Management and Professionals

# ? The administrators and technicians who implement security can be compared to **a painter applying oils to canvas** A **touch of color here, a brush stroke there**, just enough to **represent the image the artist wants to convey** without overwhelming the viewer, or in security terms, without overly restricting user access. ## Footnote **Information Security: Is it an Art of a Science?**

Security as Art

# ? Technology **developed by computer scientists and engineers**—which is designed for rigorous performance levels—makes **information security a science as well as an art**. Most **scientists** agree that specific conditions cause virtually all actions in computer systems. ## Footnote **Information Security: Is it an Art of a Science?**

Security as Science

# ? A third view to consider is information **?**, which integrates some of the components of art and science and **adds another dimension to the discussion**. **??** **examines the behavior of individuals** as they interact with systems, whether these are societal systems or, as in this context, information systems ## Footnote **Information Security: Is it an Art of a Science?**

* Security as a Social Science * Social Science