IT 223 (George Mason University) Study Guide

Integrity

Info cannot be destroyed/changed; if it is, changes may be detected and data may be restored *Always Needed

What is the difference between integrity and Information Assurance?

Integrity = Quality
Information Assurance = Reliability

Availablity

Access to authorized when needed *Always Needed; Violated with DoS
ex: homepage, specific access time

Authentication

Verifying origin of message; Not Always Needed, Violated with phishing
ex: logging in/out

Non-repudiation

Shows original sender of message
*spam
*deters sender from falsely claiming they didn't send message
*used in authentication

Access Control

Limiting access to system resources
*use in availability

Security is not Absolute ...

*Trade off between security and usability
*Perfectly secure = unusable
*Perfectly insecure = no security

Isolation

Basic principle underlying the security of computer systems

InfoSec

Security of info and info systems;
Components of an info system:
*computer
*hardware
*software
*people

What is information?

Knowledge obtained from investigation, study, or instruction
*intelligence
*facts, data

What is the difference between data and information?

Data = processing information (raw material)
Information = processed data
*INFORMATION AND DATA = SYNONYMOUS

Where does data reside?
What does information reside?

Data reside in memory/file
Information reside in data

What is ISIA?

InfoSec = protection of info assets
InfoAssurance = accuracy of info

What is Security?

*freedom from danger; safety
*freedom from fear; surety
*something that secures; protection
*SSP

Why are we concerned with security of information?

We want to make sure that our information is protected, including the systems and hardware that are used to store and transmit that info

What are the different types of Security that might be applicable to information?

Confidentiality: Limit disclosure of meaningful data *Not Always Needed Violated by human error and theft
ex: routing number, bank account number, encryption

Threat

Representation of a compromise of security that is possible

Threat Environment

Types of attackers and attacks that companies face
ex: Virus, Hacks, Phishing

Threat Action

Specific instance of a threat happening
ex: DDoSing (distribution Denial of Service)

Threat Agent

Someone or something that creates a threat action
people who purposely attack attack - intentionally
-incident, compromise, breach = successful
-provide useful information = unsuccessful
people who make mistakes/errors human error - unintentionally
*natural events
ex: hackers, mother nature

Hacker

*internal/external
*Ethical = hack system with authorization
*zero-day attack = unknown vulnerability at the time of attack

2/3 of security incidents are ___________________ to the organization

Internal

Insider Threats
Why?
What can they do?

Employees and other trusted people
Detailed Knowledge of System; Operating Defense
Access things they shouldn't; Allow unknown access; harm other people; damage system; violate work law
intentional mistakes

Handling

Take preventive measures of denying any access of the organizations assets by ex employee

Outsider Threat

Hackers, Criminals, Government agents, Terrorists

Malware
Componets

Deliberately designed to violate security
Transport Mechanism = transport malware to where most harm can occur to system; Payload = code that does undesirable things *ex: Trojans, keyloggers

Trapdoor/Backdoor

Malware component intended to bypass security
audit = no evidence

Logic Bomb
Time Bomb

Logic Bomb = activates on conditions
Time Bomb = activates on date/time

Trojan Horse
RAT

Trojan Horse = disguises to be useful but harmful
RAT (Remote Access Trojan) = remote control malware

Software Bacterium
Software Virus
Software Worm

Software Bacterium = replicates itself
Software Virus = code attached to programs on a system *polymorphic
Software Worm = uses network to attack system *Morris worm

What is a rootkit?
Why is it used?

malicious code designed to control admin account
obtain privileges

Adware
Spyware

Ad = annoy people using advertisement popups
Spy = spy on user without his/her knowledge *gather sensitive data

What are some risks when performing offensive security operations?

Breaking Laws

Information security is NOT a technology issues, TECHNOLOGY is a PART of it

*Management of security HARD part (complex)
*Policies help us understand the WHY and WHAT
-help us understand the issues and set goals
-develop plans, with lead to actions
POLICY ---> PLAN (PROTECT --> RESPOND) --> GOALS

Why is security management more than just implementing security technologies?

Security management forms policies and develops a way to both implement technology to solve security problems and protect users

What is the goal of InfoSec?

Protect Systems

Security as an obstacle

Effective when viewed as an enabler

What is security planning?

*Strategic
*Comprehensive
*Formal
*Realistic

What is defense in depth? Examples?

Data, protection, host, internet network, perimeter, physical, policies, procedures, awareness
Ex: manage security

Why is managing security so difficult?

Difficult to quantify, predict cost, and requires communications to all levels

Driving Forces

issues that affect policy and planning processes

Compliance
Why important?

requirements to which companies must respond to
needs a planned series of actions; PRIORITIZATION

What the driving forces behind compliance?
Why does compliance work grow each year?

Plan, Protect, Respond
Because attackers are becoming more sophisticated and new laws and regulations appear increasing compliance work

Why is it important that information security NOT be seen as "cops" looking to "bust" offenders?

IT plans, protects, and responds in IT world

What are some strategic considerations?

Consider all scenerios

SOX

Sarbanes-Oxley Act of 2002 - requires public companies to evaluate their financial control processes and disclose any "material" defects *multinational cooporations

Issue of Privacy

Confidentiality

PII

Personally Identifiable Information

FISMA

Federal InfoSec Management Act - requires yearly audits to evaluate their infosec controls

CISO

Chief InfoSec officer

Where is an organization should the InfoSec function be placed?

within IT because IT and security share many skill sets in common and attacks tend to be within the organizations

What is outsourcing and its impact?

Outsourcing = email
Impact = managing large email implementation and it controls the number of on/outgoing emails

MSSP

Managed Security Service Provider; company the manages InfoSec functions
*not realistic to eliminate all risks
*find balance between risks and control (cost and benefits)

Risk Analysis

reasonable decisions by evaluating risks and controls

Classic Risk Analysis

estimate cost of risks and compare to cost of benefits of potential controls *difficult to use or impossible to practice
-Risk Avoidance/Transference/Reduction/Acceptance

What is a technical Security Architecture?

All of the companies technical countermeasure and how it is organized

Legacy

Out of date but still in use
*Important Principles
-Defense in Depth (multiple layers in defense)
-Minimizing Security Burdens
-Realistic Goals

Why is it important to identify and eliminate single points of vulnerability?
What is the function of a policy?
Why is it important?

*Because an element of the system at which an attacker can do a great deal of damage by compromising a single system
*Statements of what should and not how it should be done

Examples of policies related to InfoSec? What is implementation guidance in this content?

*email policies
*hiring and termination policies
*security policies
*limits the discretion of implements, in order to simplify implementations

What are the 3 types of implementation?

1. standards
2. guidelines
3. procedures

Progmulgation

Process of informing people about policy

What is oversight?
What are some common oversight functions?

*Process of checking compliance with a policy, enforcing policy provisions, taking corrective actions to improve the outcomes
*Automated compliance measurements, periodic manual checks/audits, looking for vulnerabilities, providing hotlines, sanctioning violations, understanding why violations occur

Segregation (or separation) of duties

2 or more people (or type of people or roles) are required to complete a process *personnel policies

What is request/authorization control?
Examples?

*Special case of separation of duties
*Where there is an exceptional/risky situation, a limited number of people can make request

How can exceptions to policies be handled?

Some can request, few can authorize, document the exception

Mandatory vacations and job rotations

Person in a specific role is required to take vacation periodically so someone else has to take that role for a time

What is a governance framework?
Example?

*Structure that can be used as the basis of a policy for an organization
*Committee of Sponsoring Organizations (COSO)

Law

Binding custom or practice of a community

Ethic

Set of moral principles
-Values = determining behavior
-Moral = derived from external source
-Ethics = determined collectively

How is law related to ethics?

Laws mandate or prohibits actions *Drawn from societal ethics

ACM

Association of computing machinery
-basis for ethical decision making
-basis for judging the merit of a formal complaint
*honor property rights including copyrights and patent
*give proper credit for intellectual rights
*know and respect existing laws
*acknowledge and support proper and authorized uses

IEEE

Institute of Electrical and Electronic Engineers
-accepting a personal obligation

EC Conuncil

*Protect the intellectual property of others by relying on his/her own innovation and efforts, thus ensuring that all benefits vet with its originator
*Never knowingly use software/process that is obtained/retained either illegally or unethically

An individual must consider all when deciding how to act such as:

*lawyer
*own conscience
*human resources

How are laws created in the USA?

*Produced by political process of a community
-In USA, each of the 3 branches of government has defined responsibilities in creating and enforcing laws

Why is compromising often a part of the process?

The rights of the individuals are BALANCED against the NEEDS of the collected whole

Expectation of Privacy
How do one know that it is used within the company?

*User can expect his/her information to private
-When a company states that there is/there is no expectation of privacy

Some Legal Protections for intellectual Property?

*Copyrights
*Patents
*Trademarks
*Exclusive rights to reproduce
*Adapt and distribute work rights

Why is electronic data harder to protect than tangible works?

Data files can easily be transmitted across networks

Copyright
What does it come into effect?
Can it be transferred?
Why is it important?

*The right to make copies of original work
*From the moment the work has been created and formatted in fixed form
*Yes
*Because data can easily be copied and stolen without altering the original and then mass produced

When is unauthorized access to an information system allowed?

Scanning the system parts to determine which services are offered could be considered a legitimate way of determining if access is allowed

Who is responsible when an employee commits a crime?

The employer or employee depending on situation

Access Control

Only authorized entities can use

Availability

Only authorized can use system when they need to

Policy Driven control of access to systems, data, and dialouges

*Cryptography

3 A's

*Authentication (verification of individuals identity)
-Requesting access = supplier
-Checking Claim = verification
*Authorization (an entity via his/her identity) is given certain permissions to access particular resources
*Auditing
-After-the-fact analysis of data collected about individuals activites

what are 4 different ways to authenticate a claim of identity's ? Examples?

1. What you know - password
2. What you have - smart card
3. Who you are - fingerprint
4. What you do - how you pronounce passphrase

2- Factor Authentication
Multi-factor Authentication
Why is it useful?

*Weak
*Requires more than one method of authentication from independent categories of credentials to verify the user's identity for a log in or other transaction
*If one method fails, there is a backup

How does it impact the probability of a false
negative result?

Increases probability

How does it impact the probability of a false positive result?

Decreases probability

Mandatory access control

Strict access control to gain entry; no variation allowed

Discretionary access control

Department can decide for individual

How does multilevel security (MLS) system work?

*Technology that protects against leakage of information
*Requires complex layers of control

Common policy requirements for physical security?
Why is it important to consider utilities?

*CCTV, Wireless Camera, Preventing dumpster diving, Locking PC when away from desk
*Electricity, Water, HVAC must be supplied to adequate level, inspected, and tested regularly
-backup generator needed

What are important issues to remember when disposing of computer equipment?

Ensure data destruction, keeping records of decommissioned equipment, minimize environmental liabilities and choosing right users

What is the role of a password in access control?
Common policy Requirements
Misusing password

*Allows restriction to vital password information on a "need to know" basis ~role-based access control
*Changing passwords (something new), 8 char long (1 change of case), 1 digit, 1 special case, and not at the end of the password
*Sharing and reusing password

Examples of physical devices used in access control?


What is the most important issue when using
physical access in this way?

*Cabling Security, Wiring has to be hidden
*Wiring Closets, locked and monitored

*Loss and theft are common (2 Factor Authentications eases both)

Biometrics
Promises what?

What is false Rejection Rate?

What is false Acceptance rate?

Examples?

Based on biological and/or behavior measurements
*promises to make reusable passwords obsolete
*requires enrollment scan
- tight = false rejections (FRR) rate of false acceptances as % of total access attempts
- loose = false acceptances (FAR) match to template that should not be made
*Finger Print recognition, IRIS scanning and face scanning

What are the three purposes for which biometric are commonly used?

*Verification
*Identification
*Watch List

Biometric Failure

-Error : when subject is not tying to fool system
-Deception : fake identity * Finger Print scanners
-Unavailability