Lecture 1 - Introduction to Information Security Flashcards
?
Earlier versions of the German code machine ? were first broken by the Poles in the 1930s.
The History of Information Security
Enigma
?
The British and Americans managed to break later, more complex versions during World War II.
The History of Information Security
Enigma
?
The increasingly complex versions of the ?, especially the submarine version of the ?, caused considerable anguish to Allied forces before finally being cracked.
The History of Information Security
Enigma
The Enigma
Earlier versions of the German code machine Enigma were first broken by the Poles in the ?.
Hint: 19xxs
The History of Information Security
1930s
?
During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.
Hint: 19xxs
The History of Information Security
1960s
?
During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew.
Hint: 19xxs and 19xxs
The History of Information Security
1970s and 80s
1968
Maurice Wilkes discusses password security in ?.
Hint: ? Computer Systems
The History of Information Security
Time-Sharing Computer Systems
1973
Schell, Downey, and Popek examine the need for additional security in military systems in “Preliminary Notes on the Design of ?”.
Hint: ? Computer Systems
The History of Information Security
Secure Military Computer Systems
1975
The Federal Information Processing Standards (FIPS) examines Digital Encryption Standard (DES) in the ?.
The History of Information Security
Federal Register
1978
Bisbey and Hollingworth publish their study “?: Final Report”, discussing the ? project created by ARPA to better understand vulnerability detection techniques in existing system software.
The History of Information Security
Protection Analysis
1979
Morris and Thompson author “?: A Case History” published in the Communications of the Association for Computing Machinery (ACM). This paper examines the history of a design for a ? scheme on a remotely accessed, time-sharing system.
The History of Information Security
Password Security
1979
Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents” discussing secure user IDs and secure group IDs, and the problems inherent in the systems.
The History of Information Security
1984
Grampp and Morris write “?”. In this report, the authors examine four “important handles to computer security”: (1) physical control of premises and computer facilities, (2) management commitment to security objectives, (3) education of employees, and (4) administrative procedures aimed at increased security.
Hint: ? OS ?
The History of Information Security
UNIX Operating System Security
1984
Reeds and Weinberger publish “?”. Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other privileged users … the naive user has no chance.”
Hint: ? ? and the UNIX ? ? ?
The History of Information Security
File Security and the UNIX System Crypt Command
?
At the close of the twentieth century, networks of computers became more common, as did the need to connect these networks to each other.
Hint: 19xxs
The History of Information Security
1990s
?
Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer’s stored information is now contingent on the level of security of every other computer to which it is connected.
Hint: 2XXX ? ?
The History of Information Security
2000 to Present
In general, ? is “the quality or state of being secure— to be free from danger.” In other words, protection against adversaries— from those who would do harm, intentionally or otherwise— is the objective.
What is Security?
Security
6 Layers of Security (to protect organization operations)
A successful organization should have the following multiple layers of security in place to protect its operations: ?, ??, ???, ????, ?????, and ??????.
What is Security?
- Physical security
- Personnel security
- Operations security
- Communications security
- Network security
- Information security
?
?, to protect physical items, objects, or areas from unauthorized access and misuse.
6 Layers of Security (to protect organization operations)
Physical security
?
?, to protect the individual or group of individuals who are authorized to access the organization and its operations
6 Layers of Security (to protect organization operations)
Personnel security
?
?, to protect the details of a particular operation or series of activities.
6 Layers of Security (to protect organization operations)
Operations security
?
?, to protect communications media, technology, and content
6 Layers of Security (to protect organization operations)
Communications security
?
?, to protect networking components, connections, and contents
6 Layers of Security (to protect organization operations)
Network security
?
?, to protect the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission.
6 Layers of Security (to protect organization operations)
Information security
4 Components of Information Security
Components of Information Security: ?, ??, ???, and ????.
- Management of information security
- Network security
- Computer & data security
- Policy
13 Key Information Security Concepts
Key Information Security Concepts: ?, ??, ???, ????, ?????, ??????, ???????, ????????, ?????????, ??????????, ???????????, ????????????, and ?????????????.
- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Exposure
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects
- Threat
- Threat agent
- Vulnerability
?
A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
13 Key Information Security Concepts
Access
?
The organizational resource that is being protected.
An asset can be:
* logical, such as a Web site, information, or data; or
* physical, such as a person, computer system, or other tangible object.
13 Key Information Security Concepts
Asset
Asset
An asset can be ?, such as a Web site, information, or data; or an asset can be ??, such as a person, computer system, or other tangible object.
13 Key Information Security Concepts
- logical
- physical
?
An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it.
13 Key Information Security Concepts
Attack
?
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
13 Key Information Security Concepts
Control, safeguard, or countermeasure
?
A technique used to compromise a system.
13 Key Information Security Concepts
Exploit
?
A condition or state of being exposed. In information security, ? exists when a vulnerability known to an attacker is present.
13 Key Information Security Concepts
Exposure
?
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
13 Key Information Security Concepts
Loss
?
The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset.
13 Key Information Security Concepts
Protection profile or security posture
?
The probability that something unwanted will happen.
13 Key Information Security Concepts
Risk
?
A computer can be either:
* the subject of an attack—an agent entity used to conduct the attack— or
* the object of an attack— the target entity.
13 Key Information Security Concepts
Subjects and objects
?
A category of objects, persons, or other entities that presents a danger to an asset. ?s are always present and can be purposeful or undirected.
13 Key Information Security Concepts
Threat
?
The specific instance or a component of a threat.
13 Key Information Security Concepts
Threat agent
?
A weakness or fault in a system or protection mechanism that opens it to attack or damage.
13 Key Information Security Concepts
Vulnerability
7 Critical Characteristics of Information
Critical Characteristics of Information: ?, ??, ???, ????, ?????, ??????, and ???????.
- Availability
- Accuracy
- Authenticity
- Integrity
- Confidentiality
- Utility
- Possession
?
? enables authorized users— persons or computer systems— to access information without interference or obstruction and to receive it in the required format.
7 Critical Characteristics of Information
Availability
?
Information has ? when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate.
7 Critical Characteristics of Information
Accuracy
?
? of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
7 Critical Characteristics of Information
Authenticity
?
Information has ? when it is whole, complete, and uncorrupted. The ? of information is threatened when the information is exposed to corruption.
7 Critical Characteristics of Information
Integrity
?
Information has ? when it is protected from disclosure or exposure to unauthorized individuals or systems.
7 Critical Characteristics of Information
Confidentiality
4 Measures (to protect the confidentiality of information)
To protect the confidentiality of information, you can use a number of measures, including the following: ?, ??, ???, and ????.
Critical Characteristics of Information - Confidentiality
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
?
The ? of information is the quality or state of having value for some purpose or end.
7 Critical Characteristics of Information
Utility
?
The ? of information is the quality or state of ownership or control.
7 Critical Characteristics of Information
Possession
6 Components of an Information System
Components of an Information System: ?, ??, ???, ????, ?????, and ??????.
- Software
- Hardware
- Data
- People
- Procedures
- Networks
?
? is perhaps the most difficult IS (Information System) component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information.
6 Components of an Information System
Software
?
? is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
6 Components of an Information System
Hardware
?
? stored, processed, and transmitted by a computer system must be protected.
6 Components of an Information System
Data
?
Though often overlooked in computer security considerations, ? have always been a threat to information security.
6 Components of an Information System
People
?
Another frequently overlooked component of an IS (Information System) is ?. ? are written instructions for accomplishing a specific task.
When an unauthorized user obtains an organization’s ?, this poses a threat to the integrity of the information.
6 Components of an Information System
Procedures
?
The IS (Information System) component that created much of the need for increased computer and information security is ?ing.
6 Components of an Information System
Networks
2 Approaches to Information Security Implementation
Approaches to Information Security Implementation: ? and ??.
- Bottom-up Approach
- Top-down Approach
?
The implementation of information security in an organization must begin somewhere, and cannot happen overnight.
2 Approaches to Information Security Implementation
- Bottom-up Approach
?
Securing information assets is in fact an incremental process that requires coordination, time, and patience.
2 Approaches to Information Security Implementation
- Bottom-up Approach
?
Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems.
2 Approaches to Information Security Implementation
- Bottom-up Approach
?
The ?— in which the project is initiated by upper-level managers who issue policy, procedures, and processes, dictate the goals and expected outcomes, and determine accountability for each required action— has a higher probability of success.
2 Approaches to Information Security Implementation
- Top-down Approach
4 Sections of Information Security Responsibilities
The following sections describe the typical information security responsibilities of various professional roles in an organization: ?, ??, ???, and ????.
Security Professionals and the Organization
- Senior Management
- Information Security Project Team
- Data Responsibilities
- Communities of Interest
7 Members of the Security Project Team
Members of the security project team: ?, ??, ???, ????, ?????, ??????, and ???????.
Information Security Project Team
- Champion
- Team leader
- Security policy developers
- Risk assessment specialists
- Security professionals
- Systems administrators
- End users
?
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
7 Members of the Security Project Team
Champion
?
A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
7 Members of the Security Project Team
Team Leader
?
People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
7 Members of the Security Project Team
Security Policy Developers
?
People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
7 Members of the Security Project Team
Risk Assessment Specialists
?
Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
7 Members of the Security Project Team
Security Professionals
?
People with the primary responsibility for administering the systems that house the information used by the organization.
7 Members of the Security Project Team
Systems Administrators
?
Those whom the new system will most directly affect.
Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
7 Members of the Security Project Team
End Users
3 Types of Data Ownership
The three types of data ownership are: ?, ??, and ???.
Data Responsibilities
- Data owners
- Data custodians
- Data users
?
Those responsible for the security and use of a particular set of information.
3 Types of Data Ownership
Data owners
?
Working directly with data owners, ? are responsible for the storage, maintenance, and protection of the information.
3 Types of Data Ownership
Data custodians
?
End users who work with the information to perform their assigned roles supporting the mission of the organization.
3 Types of Data Ownership
Data users
3 Communities of Interest
The three Communities of Interest are ?, ??, and ???.
- Information Security Management and Professionals
- Information Technology Management and Professionals
- Organizational Management and Professionals
?
The administrators and technicians who implement security can be compared to a painter applying oils to canvas: a touch of color here, a brush stroke there, just enough to represent the image the artist wants to convey without overwhelming the viewer, or in security terms, without overly restricting user access.
Information Security: Is it an Art or a Science?
Security as Art
?
Technology developed by computer scientists and engineers—which is designed for rigorous performance levels—makes information security a science as well as an art.
Most scientists agree that specific conditions cause virtually all actions in computer systems.
Information Security: Is it an Art or a Science?
Security as Science
?
A third view to consider is information ?, which integrates some of the components of art and science and adds another dimension to the discussion.
?? examines the behavior of individuals as they interact with systems, whether these are societal systems or, as in this context, information systems.
Information Security: Is it an Art or a Science?
- Security as a Social Science
- Social Science