IT 223 (George Mason University) Study Guide


318 Terms

1

Integrity

Info cannot be destroyed/changed; if it is, changes may be detected and data may be restored *Always Needed

2

What is the difference between integrity and Information Assurance?

Integrity = Quality
Information Assurance = Reliability

3

Availability

Access for authorized users when needed *Always Needed; Violated with DoS
ex: homepage, specific access time

4

Authentication

Verifying origin of message; Not Always Needed, Violated with phishing
ex: logging in/out

5

Non-repudiation

Shows original sender of message
*spam
*deters sender from falsely claiming they didn't send message
*used in authentication

6

Access Control

Limiting access to system resources
*use in availability

7

Security is not Absolute ...

*Trade off between security and usability
*Perfectly secure = unusable
*Perfectly insecure = no security

8

Isolation

Basic principle underlying the security of computer systems

9

InfoSec

Security of info and info systems;
Components of an info system:
*computer
*hardware
*software
*people

10

What is information?

Knowledge obtained from investigation, study, or instruction
*intelligence
*facts, data

11

What is the difference between data and information?

Data = processing information (raw material)
Information = processed data
*INFORMATION AND DATA = SYNONYMOUS

12

Where does data reside?
Where does information reside?

Data resides in memory/files
Information resides in data

13

What is ISIA?

InfoSec = protection of info assets
InfoAssurance = accuracy of info

14

What is Security?

*freedom from danger; safety
*freedom from fear; surety
*something that secures; protection
*SSP

15

Why are we concerned with security of information?

We want to make sure that our information is protected, including the systems and hardware that are used to store and transmit that info

16

What are the different types of Security that might be applicable to information?

Confidentiality: Limit disclosure of meaningful data *Not Always Needed Violated by human error and theft
ex: routing number, bank account number, encryption

17

Threat

Representation of a compromise of security that is possible

18

Threat Environment

Types of attackers and attacks that companies face
ex: Virus, Hacks, Phishing

19

Threat Action

Specific instance of a threat happening
ex: DDoSing (Distributed Denial of Service)

20

Threat Agent

Someone or something that creates a threat action
people who purposely attack - intentionally
-incident, compromise, breach = successful
-provide useful information = unsuccessful
people who make mistakes/errors human error - unintentionally
*natural events
ex: hackers, mother nature

21

Hacker

*internal/external
*Ethical = hack system with authorization
*zero-day attack = unknown vulnerability at the time of attack

22

2/3 of security incidents are ___________________ to the organization

Internal

23

Insider Threats
Why?
What can they do?

Employees and other trusted people
Detailed Knowledge of System; Operating Defense
Access things they shouldn't; Allow unknown access; harm other people; damage system; violate work law
intentional mistakes

24

Handling

Take preventive measures to deny any access to the organization's assets by ex-employees

25

Outsider Threat

Hackers, Criminals, Government agents, Terrorists

26

Malware
Components

Deliberately designed to violate security
Transport Mechanism = transport malware to where most harm can occur to system; Payload = code that does undesirable things *ex: Trojans, keyloggers

27

Trapdoor/Backdoor

Malware component intended to bypass security
audit = no evidence

28

Logic Bomb
Time Bomb

Logic Bomb = activates on conditions
Time Bomb = activates on date/time

29

Trojan Horse
RAT

Trojan Horse = disguises to be useful but harmful
RAT (Remote Access Trojan) = remote control malware

30

Software Bacterium
Software Virus
Software Worm

Software Bacterium = replicates itself
Software Virus = code attached to programs on a system *polymorphic
Software Worm = uses network to attack system *Morris worm

31

What is a rootkit?
Why is it used?

malicious code designed to control admin account
obtain privileges

32

Adware
Spyware

Ad = annoy people using advertisement popups
Spy = spy on user without his/her knowledge *gather sensitive data

33

What are some risks when performing offensive security operations?

Breaking Laws

34

Information security is NOT a technology issue; TECHNOLOGY is a PART of it

*Management of security is the HARD part (complex)
*Policies help us understand the WHY and WHAT
-help us understand the issues and set goals
-develop plans, which lead to actions
POLICY ---> PLAN (PROTECT --> RESPOND) --> GOALS

35

Why is security management more than just implementing security technologies?

Security management forms policies and develops a way to both implement technology to solve security problems and protect users

36

What is the goal of InfoSec?

Protect Systems

37

Security as an obstacle

Effective when viewed as an enabler

38

What is security planning?

*Strategic
*Comprehensive
*Formal
*Realistic

39

What is defense in depth? Examples?

Data, protection, host, internet network, perimeter, physical, policies, procedures, awareness
Ex: manage security

40

Why is managing security so difficult?

Difficult to quantify, predict cost, and requires communications to all levels

41

Driving Forces

issues that affect policy and planning processes

42

Compliance
Why important?

requirements to which companies must respond
needs a planned series of actions; PRIORITIZATION

43

What are the driving forces behind compliance?
Why does compliance work grow each year?

Plan, Protect, Respond
Because attackers are becoming more sophisticated and new laws and regulations appear increasing compliance work

44

Why is it important that information security NOT be seen as "cops" looking to "bust" offenders?

IT plans, protects, and responds in IT world

45

What are some strategic considerations?

Consider all scenarios

46

SOX

Sarbanes-Oxley Act of 2002 - requires public companies to evaluate their financial control processes and disclose any "material" defects *multinational corporations

47

Issue of Privacy

Confidentiality

48

PII

Personally Identifiable Information

49

FISMA

Federal InfoSec Management Act - requires yearly audits to evaluate their infosec controls

50

CISO

Chief InfoSec officer

51

Where in an organization should the InfoSec function be placed?

within IT, because IT and security share many skill sets in common and attacks tend to be within the organization

52

What is outsourcing and its impact?

Outsourcing = email
Impact = managing large email implementation and it controls the number of incoming/outgoing emails

53

MSSP

Managed Security Service Provider; company that manages InfoSec functions
*not realistic to eliminate all risks
*find balance between risks and control (cost and benefits)

54

Risk Analysis

reasonable decisions by evaluating risks and controls

55

Classic Risk Analysis

estimate cost of risks and compare to cost of benefits of potential controls *difficult to use or impossible to practice
-Risk Avoidance/Transference/Reduction/Acceptance

56

What is a technical Security Architecture?

All of the company's technical countermeasures and how they are organized

57

Legacy

Out of date but still in use
*Important Principles
-Defense in Depth (multiple layers in defense)
-Minimizing Security Burdens
-Realistic Goals

58

Why is it important to identify and eliminate single points of vulnerability?
What is the function of a policy?
Why is it important?

*Because an element of the system at which an attacker can do a great deal of damage by compromising a single system
*Statements of what should and not how it should be done

59

Examples of policies related to InfoSec? What is implementation guidance in this context?

*email policies
*hiring and termination policies
*security policies
*limits the discretion of implementers, in order to simplify implementations

60

What are the 3 types of implementation?

1. standards
2. guidelines
3. procedures

61

Promulgation

Process of informing people about policy

62

What is oversight?
What are some common oversight functions?

*Process of checking compliance with a policy, enforcing policy provisions, taking corrective actions to improve the outcomes
*Automated compliance measurements, periodic manual checks/audits, looking for vulnerabilities, providing hotlines, sanctioning violations, understanding why violations occur

63

Segregation (or separation) of duties

2 or more people (or type of people or roles) are required to complete a process *personnel policies

64

What is request/authorization control?
Examples?

*Special case of separation of duties
*Where there is an exceptional/risky situation, a limited number of people can make request

65

How can exceptions to policies be handled?

Some can request, few can authorize, document the exception

66

Mandatory vacations and job rotations

Person in a specific role is required to take vacation periodically so someone else has to take that role for a time

67

What is a governance framework?
Example?

*Structure that can be used as the basis of a policy for an organization
*Committee of Sponsoring Organizations (COSO)

68

Law

Binding custom or practice of a community

69

Ethic

Set of moral principles
-Values = determining behavior
-Moral = derived from external source
-Ethics = determined collectively

70

How is law related to ethics?

Laws mandate or prohibit actions *Drawn from societal ethics

71

ACM

Association for Computing Machinery
-basis for ethical decision making
-basis for judging the merit of a formal complaint
*honor property rights including copyrights and patent
*give proper credit for intellectual rights
*know and respect existing laws
*acknowledge and support proper and authorized uses

72

IEEE

Institute of Electrical and Electronics Engineers
-accepting a personal obligation

73

EC-Council

*Protect the intellectual property of others by relying on his/her own innovation and efforts, thus ensuring that all benefits vest with its originator
*Never knowingly use software/process that is obtained/retained either illegally or unethically

74

An individual must consider all when deciding how to act such as:

*lawyer
*own conscience
*human resources

75

How are laws created in the USA?

*Produced by political process of a community
-In USA, each of the 3 branches of government has defined responsibilities in creating and enforcing laws

76

Why is compromising often a part of the process?

The rights of the individuals are BALANCED against the NEEDS of the collected whole

77

Expectation of Privacy
How does one know that it is used within the company?

*User can expect his/her information to be private
-When a company states that there is/there is no expectation of privacy

78

Some Legal Protections for intellectual Property?

*Copyrights
*Patents
*Trademarks
*Exclusive rights to reproduce
*Adapt and distribute work rights

79

Why is electronic data harder to protect than tangible works?

Data files can easily be transmitted across networks

80

Copyright
When does it come into effect?
Can it be transferred?
Why is it important?

*The right to make copies of original work
*From the moment the work has been created and formatted in fixed form
*Yes
*Because data can easily be copied and stolen without altering the original and then mass produced

81

When is unauthorized access to an information system allowed?

Scanning the system parts to determine which services are offered could be considered a legitimate way of determining if access is allowed

82

Who is responsible when an employee commits a crime?

The employer or employee depending on situation

83

Access Control

Only authorized entities can use

84

Availability

Only authorized can use system when they need to

85

Policy-driven control of access to systems, data, and dialogues

*Cryptography

86

3 A's

*Authentication (verification of an individual's identity)
-Requesting access = supplier
-Checking Claim = verification
*Authorization (an entity via his/her identity) is given certain permissions to access particular resources
*Auditing
-After-the-fact analysis of data collected about individuals' activities

87

What are 4 different ways to authenticate a claim of identity? Examples?

1. What you know - password
2. What you have - smart card
3. Who you are - fingerprint
4. What you do - how you pronounce passphrase

88

2-Factor Authentication
Multi-factor Authentication
Why is it useful?

*Weak
*Requires more than one method of authentication from independent categories of credentials to verify the user's identity for a log in or other transaction
*If one method fails, there is a backup

89

How does it impact the probability of a false negative result?

Increases probability

90

How does it impact the probability of a false positive result?

Decreases probability

91

Mandatory access control

Strict access control to gain entry; no variation allowed

92

Discretionary access control

Department can decide for individual

93

How does multilevel security (MLS) system work?

*Technology that protects against leakage of information
*Requires complex layers of control

94

Common policy requirements for physical security?
Why is it important to consider utilities?

*CCTV, Wireless Camera, Preventing dumpster diving, Locking PC when away from desk
*Electricity, Water, HVAC must be supplied to adequate level, inspected, and tested regularly
-backup generator needed

95

What are important issues to remember when disposing of computer equipment?

Ensure data destruction, keeping records of decommissioned equipment, minimize environmental liabilities and choosing right users

96

What is the role of a password in access control?
Common policy Requirements
Misusing password

*Allows restriction to vital password information on a "need to know" basis ~role-based access control
*Changing passwords (something new), 8 char long (1 change of case), 1 digit, 1 special case, and not at the end of the password
*Sharing and reusing password

97

Examples of physical devices used in access control?
What is the most important issue when using physical access in this way?

*Cabling Security, Wiring has to be hidden
*Wiring Closets, locked and monitored
*Loss and theft are common (2-Factor Authentication eases both)

98

Biometrics
Promises what?
What is false Rejection Rate?
What is false Acceptance Rate?
Examples?

Based on biological and/or behavioral measurements
*promises to make reusable passwords obsolete
*requires enrollment scan
- tight = false rejections (FRR) rate of false acceptances as % of total access attempts
- loose = false acceptances (FAR) match to template that should not be made
*Finger Print recognition, IRIS scanning and face scanning

99

What are the three purposes for which biometric are commonly used?

*Verification
*Identification
*Watch List

100

Biometric Failure

-Error : when subject is not trying to fool system
-Deception : fake identity * Finger Print scanners
-Unavailability