Lesson 1 Flashcards
Where the history of information security begins.
Computer Security
The practice of protecting information and its critical elements by mitigating risks; a part of information risk management.
Information Security
When did computer security begin?
Computer security began immediately after the first mainframes were developed.
WHEN: The Department of Defense’s Advanced Research Projects Agency (ARPA) examined the feasibility of redundant networked communications.
1960s
WHEN: Popularity and misuse of ARPANET grew, exposing two (2) fundamental security problems.
1970s & 1980s
What were the two (2) fundamental security problems experienced by the popularity of ARPANET during the 1970s & 1980s?
No safety procedures for dial-up communication to the ARPANET.
User identification and authorization were non-existent.
WHEN: The microprocessor expanded computing capabilities and security threats.
Late 1970s
Who developed the ARPANET project during the 1960s?
Larry Roberts
When was the ARPANET Program Plan released?
June 3, 1968
Where information security and the study of computer security began.
R-609
What was the scope of R-609? (4)
Physical Security
Data Safety
Limited unauthorized access to data.
Involvement of personnel from multiple organization levels.
WHEN: Computer networks grew prevalent; the internet was commercialized.
1990s
WHEN: The internet became a medium for thousands of communications; security is interdependent; everyone is vulnerable.
2000s to Present Day
The state of being secure, free from danger, and/or protected from adversaries; a balance of protection and availability.
Security
What are the multiple layers of security? (5)
Physical Security
Personal Security
Operations Security
Communications Security
Network Security
To manipulate or modify another subject.
Access
The resource being safeguarded.
Asset
Can harm information and the system that supports it.
Attack
The mechanisms used to counter assaults.
Control / Safeguard / Countermeasure
The act of compromising a system.
Exploit
A condition or state of being exposed.
Exposure
A single instance of an information asset being damaged in an illegal manner.
Loss
A collection of controls and protections.
Protection Profile / Security Posture
The likelihood that something unfavorable will happen.
Risk
The agent or tool used to conduct an attack (subject); the target of an attack (object).
Subjects & Objects
A group of items, people, or other entities that pose a ____ to an asset; represents a constant danger to an asset.
Threats
A specific instance of a threat; damages or steals information.
Threat Agent
A flaw or weakness in the system that allows damage.
Vulnerability
What are the values involved in the CIA Triad? (8)
Confidentiality
Integrity
Availability
Accuracy
Authenticity
Phishing
Utility
Possession
A core concept of the CIA Triad that is closely tied to privacy.
Confidentiality
What are the components of an information system? (6/7)
Software
Hardware
Data
People
Procedures
Networks
Laptop Thefts…?
Security grows from a grass-roots effort and the technical expertise of individual administrators; seldom works because it lacks participant support and organizational staying power.
Bottom-up Approach
Initiated by upper management; has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture.
Top-down Strategy
Supports specialized implementations of a security project; a coherent program rather than a series of random actions.
Security Systems Development Life Cycle (SecSDLC)
The Security Systems Development Life Cycle (SecSDLC) can be… (2)
Event-driven
Plan-driven
A SecSDLC that serves as a response to an occurrence.
Event-driven
A SecSDLC that serves as a result of an implementation strategy.
Plan-driven
What are the phases of the SecSDLC? (6)
1 | Investigation
2 | Analysis
3 | Logical Design
4 | Physical Design
5 | Implementation
6 | Maintenance & Change
Create the blueprints for security.
Logical Design & Physical Design
The senior technology officer.
Chief Information Officer
Also referred to as the Manager for Security, the Security Administrator, or a similar title.
Chief Information Security Officer
Individuals experienced in one or more technical and non-technical areas.
Information Security Project Team
An Information Security Project Team is usually composed of… (7)
Champion
Team Leader
Security Policy Developers
Risk Assessment Specialists
Security Professionals
Systems Administrators
End Users
The weakest link in the security chain.
End Users
Responsible for the security and use of a particular set of information.
Data Owner
Responsible for the storage, maintenance, and protection of information.
Data Custodian
The end users who work with the information.
Data Users
What are the communities of interest of an Information Security Project Team? (3)
Information Security Management & Professionals
Information Technology Management & Professionals
Organizational Management & Professionals
No hard-and-fast rules, few universally accepted solutions, no magic user’s manual; complex levels of interaction.
Security as Art
Deals with technology designed to perform at high levels; specific conditions cause specific actions; faults can be resolved with sufficient time.
Security as Science
Examines the behavior of individuals interacting with the systems.
Security as Social Science