Module 1 - Intro to InfoSEC

Question 1

When did computer security begin?

Answer 1

immediately after the first mainframes were developed.

Question 2

What was INFOSEC composed of in the early years?

Answer 2

physical security and simple document classification schemes

Question 3

What were the primary threats to INFOSEC in the early years?

Answer 3

1. physical theft of equipment
2. espionage against products of the systems
3. sabotage

Question 4

Year Maurice Wilkes discusses password security in Time-Sharing Computer Systems.

Answer 4

1968

Question 5

Year that Willis H. Ware authors the report “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security-RAND Report R-609,” which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.

Answer 5

1970

Question 6

Year that Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.

Answer 6

1973

Question 7

Year that The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.

Answer 7

1975

Question 8

Year that Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.

Answer 8

1978

Question 9

Year that Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system.
Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.

Answer 9

1979

Question 10

The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.

Answer 10

1982

Question 11

Year that Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report, the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.
Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore, no technique can be secure against the system administrator or other privileged users . . . the naive user has no chance.“

Answer 11

1984

Question 12

Year that Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.

Answer 12

1992

Question 13

Who led the development of ARPANET?

Answer 13

Larry Roberts for the Advanced Research Projects Agency

Question 14

What were some of the early security issues with ARPANET?

Answer 14

1. Remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users.
2. Vulnerability of password structure and formats
3. Lack of safety procedures for dial-up connections
4. Nonexistent user identification and authorizations

Question 15

INFOSEC began with the publishing of what report?

Answer 15

RAND Report R-609

Question 16

The scope of computer security grew from physical security to include (3):

Answer 16

1. Securing the data
2. Limiting random and unauthorized access to data
3. Involving personnel from multiple levels of the organization in information security

Question 17

Which report is this image from?

Answer 17

RAND Report R-609

Question 18

Early research on computer security research centered on a system called:

Answer 18

Multiplexed Information and Computing Service (MULTICS)‏

Question 19

MULTICS was a predecessor of which OS?

Answer 19

UNIX

Question 20

What was UNIX’s primary purpose?

Answer 20

Text Processing

Question 21

When did INFOSEC begin to emerge as an independent discipline?

Answer 21

1990s

Question 22

What is security?

Answer 22

Being secure and free from danger

Question 23

Access

Question 24

Asset

Question 25

Attack

Answer 25

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Question 26

Control, safeguard, or countermeasure

Question 27

Exploit

Answer 27

A technique used to compromise a system.

Question 28

Exposure

Question 29

Loss

Question 30

Protection profile or security posture

Question 31

Risk

Question 32

Subjects and objects

Question 33

Threat

Answer 33

A potential risk to an asset’s loss of value

Question 34

Threat agent

Question 35

Threat event

Question 36

Threat source

Question 37

Vulnerability

Answer 37

A potential weakness in an asset or its defensive control system(s).

Question 38

What are the critical characteristics of Information (7) (CIA-AAUP)?

Answer 38

Confidentiality
Integrity
Availability
Accuracy
Authenticity
Utility
Possession

Question 39

What is the Bottom-Up approach to INFOSEC?

Answer 39

Grassroots effort: systems administrators work to improve security of their systems.

Question 40

What is the key advantage of the Bottom-Up approach to INFOSEC?

Answer 40

Technical expertise of individual administrators

Question 41

What is the critical weakness of the Bottom-Up approach?

Answer 41

It seldom works, as it lacks a number of critical features, namely participant support
and organizational staying power

Question 42

What is the Top-Down approach to INFOSEC?

Answer 42

Initiated by upper management:
1. Issue policy, procedures, and processes
2. Dictate goals and expected outcomes of project
3. Determine accountability for each required action

Question 43

What does the most successful type of top-down approach include?

Answer 43

a formal development strategy referred to as a systems development life cycle

Question 44

What is the key component of success for security in the organization?

Answer 44

Senior management support

Question 45

Which group in the organization is appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use?

Answer 45

Data trustee

Question 46

Information systems are made up of the major components of (6):

Answer 46

1. hardware
2. software
3. data
4. people
5. procedures
6. networks.

Question 47

Responsible for the security and use of a particular set of information

Answer 47

Data owners

Question 48

Responsible for the storage, maintenance, and protection of the information

Answer 48

Data custodians

Question 49

Data trustees

Answer 49

Appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use

Question 50

Work with the information to perform their daily jobs and support the mission of the organization

Answer 50

Data users

Question 51

The three communities in INFOSEC are:

Answer 51

1. General management
2. IT management
3. Information security management