Integrity
Information cannot be destroyed or changed without authorization; if it is, the change can be detected and the data restored *Always Needed
What is the difference between integrity and Information Assurance?
Integrity = Quality
Information Assurance = Reliability
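Added example (not part of the original card set): what "detected and restored" looks like in code. A keyed tag (HMAC-SHA256, Python standard library) is stored with each record; a change, a truncation, or a tag made with a different key all fail verification, and a verified backup copy is used to restore. The record contents, the key and the backup are constructed for the demonstration.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size in bytes

# Constructed for the example: a real key comes from a key store, never from source code.
KEY = b"example-integrity-key-change-me"


def protect(record: bytes, key: bytes = KEY) -> bytes:
    """Append HMAC-SHA256(key, record) so later changes can be detected.

    A plain hash is not enough: whoever can change the record can recompute
    the hash too. The HMAC needs the key, which the attacker does not have.
    """
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def verify(blob: bytes, key: bytes = KEY):
    """Return the record if its tag is valid, otherwise None.

    Catches modification, truncation, and a tag produced with the wrong key.
    """
    if len(blob) < TAG_LEN:
        return None
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest is constant-time, so the comparison itself leaks nothing.
    if hmac.compare_digest(tag, expected):
        return record
    return None


def restore(primary: bytes, backup: bytes, key: bytes = KEY) -> bytes:
    """Integrity as the card defines it: detect the change, then restore.

    Uses the primary copy if it verifies; otherwise falls back to the backup,
    which must itself verify before it is trusted.
    """
    record = verify(primary, key)
    if record is not None:
        return record
    record = verify(backup, key)
    if record is None:
        raise ValueError("primary and backup both failed the integrity check")
    return record


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit inside the record to simulate an unauthorized change."""
    changed = bytearray(blob)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    stored = protect(b"balance=100")
    backup = stored                    # copy taken while the record was known good
    corrupted = tamper(stored, 8)      # turns the '1' in "100" into '0'
    print("clean verifies:", verify(stored) == b"balance=100")
    print("tampered verifies:", verify(corrupted))
    print("restored:", restore(corrupted, backup))
```

Caveat that ties in with the non-repudiation card: an HMAC proves integrity but not who wrote the record, because every holder of the shared key could have produced the tag. Non-repudiation needs a digital signature made with a private key only the sender holds.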
Availability
Authorized users can access the system/data when they need it *Always Needed; Violated by DoS
ex: homepage, specific access time
Authentication
Verifying the origin of a message (or the identity of a party); Not Always Needed; Violated by phishing
ex: logging in/out
Non-repudiation
Proves who sent a message so the sender cannot later deny having sent it
*spam
*deters a sender from falsely claiming they did not send the message
*builds on authentication
Access Control
Limiting access to system resources
*supports availability
Security is not Absolute ...
*Trade off between security and usability
*Perfectly secure = unusable
*Perfectly insecure = no security
Isolation
Basic principle underlying the security of computer systems
InfoSec
Security of info and info systems;
Components of an info system:
*computer
*hardware
*software
*people
What is information?
Knowledge obtained from investigation, study, or instruction
*intelligence
*facts, data
What is the difference between data and information?
Data = raw material, not yet processed
Information = processed data (data given meaning)
*in everyday use the two words are often treated as synonyms
Where does data reside?
Where does information reside?
Data resides in memory/files
Information resides in data
What is ISIA?
InfoSec = protection of info assets
InfoAssurance = accuracy of info
What is Security?
*freedom from danger; safety
*freedom from fear; surety
*something that secures; protection
*SSP
Why are we concerned with security of information?
We want to make sure that our information is protected, including the systems and hardware that are used to store and transmit that info
What are the different types of Security that might be applicable to information?
Confidentiality: Limit disclosure of meaningful data *Not Always Needed; Violated by human error and theft
ex: routing number, bank account number, encryption
Threat
A possible way in which security could be compromised
Threat Environment
Types of attackers and attacks that companies face
ex: Virus, Hacks, Phishing
Threat Action
Specific instance of a threat happening
ex: a DDoS (Distributed Denial of Service) attack
Threat Agent
Someone or something that carries out a threat action
*intentional: people who purposely attack
-successful attack = incident, compromise, breach
-unsuccessful attack = still provides useful information
*unintentional: people who make mistakes/errors (human error)
*natural events
ex: hackers, mother nature
Hacker
*internal/external
*Ethical = hack system with authorization
*zero-day attack = unknown vulnerability at the time of attack
2/3 of security incidents are ___________________ to the organization
Internal
Insider Threats
Why?
What can they do?
Employees and other trusted people
Detailed knowledge of the system and of the defenses in operation
Access things they shouldn't; allow unauthorized access; harm other people; damage the system; violate workplace law
intentional acts or honest mistakes
Handling
Revoke all access to the organization's assets when an employee leaves (preventive measure against ex-employees)
Outsider Threat
Hackers, Criminals, Government agents, Terrorists
Malware
Components
Deliberately designed to violate security
Transport mechanism = carries the malware to where it can do the most harm to the system; Payload = code that does the undesirable things *ex: Trojans, keyloggers
Trapdoor/Backdoor
Malware component intended to bypass security controls
leaves no evidence in the audit trail
Logic Bomb
Time Bomb
Logic Bomb = activates on conditions
Time Bomb = activates on date/time
Trojan Horse
RAT
Trojan Horse = disguises itself as something useful but is harmful
RAT (Remote Access Trojan) = remote control malware
Software Bacterium
Software Virus
Software Worm
Software Bacterium = replicates itself
Software Virus = code that attaches itself to programs on a system *polymorphic variants change their code to evade signature detection
Software Worm = spreads over the network on its own to attack systems *Morris worm (1988)
What is a rootkit?
Why is it used?
malicious code that hides itself and gives the attacker administrator (root) control
to obtain and keep privileges
Adware
Spyware
Adware = annoys the user with advertising pop-ups
Spyware = spies on the user without their knowledge *gathers sensitive data
What are some risks when performing offensive security operations?
Breaking Laws
Information security is NOT a technology issue; TECHNOLOGY is only PART of it
*Management of security HARD part (complex)
*Policies help us understand the WHY and WHAT
-help us understand the issues and set goals
-develop plans, which lead to actions
POLICY ---> PLAN (PROTECT --> RESPOND) --> GOALS
Why is security management more than just implementing security technologies?
Security management forms policies and develops a way to both implement technology to solve security problems and protect users
What is the goal of InfoSec?
Protect Systems
Security as an obstacle
Effective only when viewed as an enabler rather than an obstacle
What is security planning?
*Strategic
*Comprehensive
*Formal
*Realistic
What is defense in depth? Examples?
Layers: data, application, host, internal network, perimeter, physical security, policies/procedures/awareness
Ex: encryption at the data layer, host hardening, a perimeter firewall, locked server rooms, user awareness training
Why is managing security so difficult?
Difficult to quantify and to predict cost; requires communication at all levels of the organization
Driving Forces
issues that affect policy and planning processes
Compliance
Why important?
requirements to which companies must respond
needs a planned series of actions; PRIORITIZATION
What are the driving forces behind compliance?
Plan, Protect, Respond
Why does compliance work grow each year?
Because attackers are becoming more sophisticated and new laws and regulations keep appearing, increasing compliance work
Why is it important that information security NOT be seen as "cops" looking to "bust" offenders?
IT plans, protects, and responds in the IT world; security works with the business rather than against it
What are some strategic considerations?
Consider all scenarios
SOX
Sarbanes-Oxley Act of 2002 - requires public companies to evaluate their financial control processes and disclose any "material" weaknesses *multinational corporations
Issue of Privacy
Confidentiality
PII
Personally Identifiable Information
FISMA
Federal Information Security Management Act - requires yearly audits of federal agencies' InfoSec controls
CISO
Chief InfoSec officer
Where in an organization should the InfoSec function be placed?
Within IT, because IT and security share many skill sets and many attacks originate inside the organization
What is outsourcing and its impact?
Outsourcing = having an outside provider run a function, e.g. email
Impact = the provider manages the large email implementation and controls the volume of incoming/outgoing email
MSSP
Managed Security Service Provider; company that manages InfoSec functions for a client
*not realistic to eliminate all risks
*find balance between risks and control (cost and benefits)
Risk Analysis
making reasonable decisions by evaluating risks and controls
Classic Risk Analysis
estimate the cost of risks and compare it with the costs and benefits of potential controls *difficult or impossible to apply in practice
-responses: Risk Avoidance / Transference / Reduction / Acceptance
What is a technical Security Architecture?
All of a company's technical countermeasures and how they are organized
Legacy
Out of date but still in use
*Important Principles
-Defense in Depth (multiple layers in defense)
-Minimizing Security Burdens
-Realistic Goals
Why is it important to identify and eliminate single points of vulnerability?
What is the function of a policy?
Why is it important?
*A single point of vulnerability is an element of the system where an attacker can do a great deal of damage by compromising that one component
*Statements of WHAT should be done, not HOW it should be done
Examples of policies related to InfoSec? What is implementation guidance in this context?
*email policies
*hiring and termination policies
*security policies
*limits the discretion of implementers, in order to simplify and standardize implementations
What are the 3 types of implementation?
1. standards
2. guidelines
3. procedures
Promulgation
Process of informing people about policy
What is oversight?
What are some common oversight functions?
*Process of checking compliance with a policy, enforcing its provisions, and taking corrective actions to improve outcomes
*Automated compliance measurements, periodic manual checks/audits, looking for vulnerabilities, providing hotlines, sanctioning violations, understanding why violations occur
Segregation (or separation) of duties
Two or more people (or types of people/roles) are required to complete a process *personnel policies
What is request/authorization control?
Examples?
*Special case of separation of duties
*In an exceptional/risky situation, only a limited number of people may make requests
How can exceptions to policies be handled?
Some can request, fewer can authorize, and every exception is documented
Mandatory vacations and job rotations
Person in a specific role is required to take vacation periodically so someone else has to take that role for a time
What is a governance framework?
Example?
*Structure that can be used as the basis of a policy for an organization
*Committee of Sponsoring Organizations (COSO)
Law
Binding custom or practice of a community
Ethic
Set of moral principles
-Values = determining behavior
-Moral = derived from external source
-Ethics = determined collectively
How is law related to ethics?
Laws mandate or prohibit actions *drawn from societal ethics
ACM
Association for Computing Machinery
-basis for ethical decision making
-basis for judging the merit of a formal complaint
*honor property rights including copyrights and patent
*give proper credit for intellectual property
*know and respect existing laws
*acknowledge and support proper and authorized uses
IEEE
Institute of Electrical and Electronics Engineers
-accepting a personal obligation
EC-Council
*Protect the intellectual property of others by relying on one's own innovation and efforts, thus ensuring that all benefits vest with their originator
*Never knowingly use software/process that is obtained/retained either illegally or unethically
An individual must consider all of the following when deciding how to act:
*lawyer
*own conscience
*human resources
How are laws created in the USA?
*Produced by political process of a community
-In USA, each of the 3 branches of government has defined responsibilities in creating and enforcing laws
Why is compromising often a part of the process?
The rights of the individual are BALANCED against the NEEDS of the collective whole
Expectation of Privacy
How does one know whether it applies within a company?
*Users can expect their information to be private
-When a company states that there is, or is not, an expectation of privacy
Some Legal Protections for intellectual Property?
*Copyrights
*Patents
*Trademarks
*Exclusive rights to reproduce
*Adapt and distribute work rights
Why is electronic data harder to protect than tangible works?
Data files can easily be transmitted across networks
Copyright
When does it come into effect?
Can it be transferred?
Why is it important?
*The right to make copies of original work
*From the moment the work is created and fixed in a tangible form
*Yes
*Because data can be copied and stolen without altering the original, and then mass-produced
When is unauthorized access to an information system allowed?
Scanning the system parts to determine which services are offered could be considered a legitimate way of determining if access is allowed
Who is responsible when an employee commits a crime?
The employer or employee depending on situation
Access Control
Only authorized entities can use a resource
Availability
Authorized entities can use the system when they need to
Policy-driven control of access to systems, data, and dialogues
*Cryptography
3 A's
*Authentication (verification of an individual's identity)
-Party requesting access = supplicant
-Party checking the claim = verifier
*Authorization (an entity, via its verified identity, is given certain permissions to access particular resources)
*Auditing
-After-the-fact analysis of data collected about individuals' activities
What are 4 different ways to authenticate a claim of identity? Examples?
1. What you know - password
2. What you have - smart card
3. Who you are - fingerprint
4. What you do - how you pronounce passphrase
2- Factor Authentication
Multi-factor Authentication
Why is it useful?
*A single factor alone is weak
*Requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction
*If one factor is compromised, the attacker still has to defeat the other
How does it impact the probability of a false negative result (legitimate user rejected)?
Increases it: the user must pass every factor, so a failure on any one of them rejects them
How does it impact the probability of a false positive result (impostor accepted)?
Decreases it: the impostor must defeat every factor
Mandatory access control
Access is decided by centrally set labels/rules (e.g. classification levels); users and departments cannot vary who may access what
Discretionary access control
The owner (or department) decides who may access each resource
How does multilevel security (MLS) system work?
*Technology that lets one system hold data at several classification levels while preventing leakage from higher to lower levels
*Requires complex layers of control
Common policy requirements for physical security?
Why is it important to consider utilities?
*CCTV, wireless cameras, preventing dumpster diving, locking the PC when away from the desk
*Electricity, water, HVAC must be supplied at an adequate level, inspected, and tested regularly
-backup generator needed
What are important issues to remember when disposing of computer equipment?
Ensure data destruction, keep records of decommissioned equipment, minimize environmental liabilities, and choose the right users
What is the role of a password in access control?
Common policy Requirements
Misusing passwords
*Restricts knowledge of vital passwords to a "need to know" basis ~role-based access control
*Changing passwords (to something new); at least 8 characters; mixed case; at least 1 digit and 1 special character, with the special character not at the end of the password
*Sharing and reusing passwords
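Added example (not from the original cards): the password policy on the card turned into a checker, in Python's standard library. Reading the card's "not at the end" as applying to the special character is this example's interpretation; the reuse check keeps previous passwords only as salted PBKDF2 hashes, since a plaintext history would itself be a password leak. The sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from typing import Iterable, List, Optional, Tuple

SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 100_000   # slow hash so a stolen history file is hard to reverse


def history_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Record a previous password as (salt, PBKDF2-HMAC-SHA256 digest), never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reuses_previous(candidate: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any stored previous password."""
    for salt, digest in history:
        trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(trial, digest):   # constant-time comparison
            return True
    return False


def check_password(candidate: str, history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Rules as read from the card: at least 8 characters, both upper and lower
    case, at least one digit, at least one special character, the special
    character not in the last position, and not a previously used password.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("needs at least one special character")
    elif candidate[-1] in SPECIALS:
        problems.append("special character must not be the last character")
    if reuses_previous(candidate, history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    history = [history_entry("Tr0ub4dor&x")]          # constructed previous password
    for pw in ("Tr0ub4dor&x", "Tr0ub4dor&", "password", "N3w!Secret"):
        print(pw, "->", check_password(pw, history) or "OK")
```

Caveat for anyone implementing this today: NIST SP 800-63B recommends against composition rules and forced periodic changes in favour of length, a breached-password blocklist and rate limiting; the card describes the older, widely deployed policy.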
Examples of physical devices used in access control?
What is the most important issue when using physical devices in this way?
*Cabling Security, Wiring has to be hidden
*Wiring Closets, locked and monitored
*Loss and theft are common (2-factor authentication mitigates both)
Biometrics
What does it promise?
What is the False Rejection Rate?
What is the False Acceptance Rate?
Examples?
Based on biological and/or behavioral measurements
*promises to make reusable passwords obsolete
*requires an enrollment scan to create the template
-tight matching = more false rejections; FRR = false rejections as a % of total access attempts by legitimate users
-loose matching = more false acceptances; FAR = matches to a template that should not have been made, as a % of impostor attempts
*Fingerprint recognition, iris scanning, and face scanning
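Added example (not from the original cards) for the biometrics card and the multi-factor cards above: computing FRR and FAR from matcher scores at tight and loose thresholds, then combining a biometric with a second independent factor. The match scores and the assumed password error rates are constructed; the combination formula assumes the two factors fail independently.

```python
from typing import List, Sequence, Tuple

# Constructed match scores in [0, 1] from a hypothetical fingerprint matcher.
GENUINE = [0.92, 0.88, 0.95, 0.71, 0.83, 0.90, 0.64, 0.97, 0.86, 0.79]   # enrolled user
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.67, 0.30, 0.49, 0.15, 0.73]  # other people


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) for one acceptance threshold.

    FRR: legitimate attempts scoring below the threshold, as a fraction of
         legitimate attempts (tight matching pushes this up).
    FAR: impostor attempts scoring at or above the threshold, as a fraction
         of impostor attempts (loose matching pushes this up).
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def tradeoff(genuine: Sequence[float], impostor: Sequence[float],
             thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for each threshold: the tight/loose trade-off."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def combine_independent(first: Tuple[float, float],
                        second: Tuple[float, float]) -> Tuple[float, float]:
    """Error rates when two independent factors must BOTH be passed.

    A legitimate user is rejected if either factor rejects them, so FRR rises.
    An impostor has to defeat both factors, so FAR falls. This is the effect
    the multi-factor cards describe.
    """
    frr1, far1 = first
    frr2, far2 = second
    frr = 1 - (1 - frr1) * (1 - frr2)
    far = far1 * far2
    return frr, far


if __name__ == "__main__":
    for t, frr, far in tradeoff(GENUINE, IMPOSTOR, [0.6, 0.7, 0.8, 0.9]):
        print(f"threshold {t:.1f}: FRR={frr:.2f} FAR={far:.2f}")
    fingerprint = error_rates(GENUINE, IMPOSTOR, 0.7)
    password = (0.02, 0.001)     # assumed: 2% mistyped, 0.1% guessed
    print("fingerprint + password:", combine_independent(fingerprint, password))
```

With these scores a threshold of 0.9 rejects six of ten genuine attempts and no impostors, 0.6 rejects no genuine attempts but admits two impostors, and 0.7 sits at the equal-error point. Adding the second factor lifts the FRR from 0.1 to about 0.118 and drops the FAR from 0.1 to 0.0001.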
What are the three purposes for which biometric are commonly used?
*Verification
*Identification
*Watch List
Biometric Failure
-Error: when the subject is not trying to fool the system
-Deception: a fake identity is presented *e.g. fingerprint scanners
-Unavailability