IT & Informatics Study Guide for Exam 2


113 Terms

1
New cards

- The CIA Triad is a common model that forms the basis for the development of security systems.

- Its constituent elements are:

Confidentiality: Preserve restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Making sure only those with access can view it)

Availability: Ensure timely and reliable access to and use of information.

Integrity: Guard against improper information modification or destruction and ensure information non-repudiation and authenticity (Making sure it can be accessed)

The CIA Triad. What it is, what its constituent elements are, and can you identify when one or more of its elements is the most relevant to a given scenario?

2
New cards

- The DIKW Pyramid stands for Data, Information, Knowledge, and Wisdom. (Each building block is a step toward a higher level.)

- Its constituent elements are:

Data: Raw information. Spreadsheets full of numbers and words. It's not processed.

Information: Who, what, where, and when questions. It is processed information. It lets us understand data pools.

Knowledge: How questions. Understanding that each date in the data is the 4th of July tells us that the increase in firework sales is due to that.

Wisdom: Why questions. What to do with the information. Applying it.

The DIKW Pyramid. What it is, what its constituent elements are, and can you identify when one or more of its elements is the most relevant to a given scenario?

3
New cards

Cybersecurity refers to the measures and practices used to protect computer systems, networks, and data from unauthorized access, theft, damage, and misuse. Privacy refers to the right of individuals to control their personal information and how it is collected, used, and shared by others. Both aim to protect sensitive information from unauthorized access, misuse, and disclosure. Cybersecurity protects organizations from people (malicious and otherwise), and privacy protects people from organizations (companies and governments).

What differentiates cybersecurity and privacy, and what do cybersecurity and privacy have in common?

4
New cards

Relations, domains, and tuples (or tables, rows, and columns):

Tables: In a relational database, a table is the same as a record, which is the fundamental data component. It is comprised of a set of fields that are the same in every table or record, such as the name, address and product of the customer.

Rows: Each row in the table is a record with a unique ID called the key.

Columns: Specify a data type

The relational model database model: What its constituent elements are and what does it (like any other database model) help us do?

5
New cards

The amount of movies it takes to connect bacon to a different actor or actress. The higher it is, the more movies it takes to get between that actor and Kevin Bacon. The nodes are actors and the edges are movies.

What does it mean to have a Bacon number or a Jackson number, and what does it mean if it's higher or lower?

6
New cards

ER models depict the relationships between any type of entity.

Entity Relationship Diagrams

7
New cards

The King of England had some of the most connections in the world, which means he has the most edges connecting to him. Therefore, it makes sense that he is one of the best mathematical centers for connections and most people are connected with 3 or fewer nodes between them.

Mathematically speaking, why is it not so surprising that you are connected to the King of England by just three degrees of separation?

8
New cards

Standard Query Language: Used for interacting with RDBMS

CRUD is also known as the SIGAD US-984XN.

Create CRUD: The process of writing new records to the table.

Read CRUD: It is the process of retrieving data back out of the table when it's requested.

Update CRUD: It is the process in which existing data is modified.

Delete CRUD: The process of removal of records from a table.

SQL and CRUD Operations. What are the common ones and what do they do?

9
New cards

Johnette is important because she connects two otherwise isolated groups of people together.

What made Johnette so darn important?

10
New cards

Professor's team was assigned to break into his workplace (at the headquarters of a financial organization) in order to test the security system. It ended horribly because they were able to break in and access legal information. This also caused one of his teammates to have a mental breakdown.

Was my team breaking the law and/or acting unlawfully when we tried to break into the headquarters of a financial organization?

11
New cards

The Utah Data Center is a massive data center in Utah that would be the largest, most covert, and most intrusive intelligence facility ever. It potentially allows the NSA to pick up messages through the telecommunications networks, capturing, storing, and analyzing thousands of messages and images sent on a daily basis, which include private emails, calls, and Google searches, as well as personal data trails, parking receipts, travel itineraries, and purchases. Any digital litter.

What makes those databases in the Utah Data Center so darn dangerous? Don't forget to think sociotechnically!

12
New cards

Having to do with the similarities in how the two resources become valuable. Just like oil, raw data isn't valuable in and of itself; rather, the value is created when it is gathered quickly, completely, and accurately, and connected to other relevant data.

"Data is the new oil" refers to?

13
New cards

Tacit Knowledge examples: I know how to ride a bike. I cannot read how to ride a bike.

Developing tacit knowledge still requires experience, insight, intuition, and judgment.

Explicit knowledge examples: I know that the warring factions of the Lancasters and Yorks from the House of Plantagenet fought in the War of the Roses. I can learn about the War of the Roses by reading about it.

But developing real explicit knowledge still requires...

Tacit and explicit knowledge

14
New cards

• SIGINT Activity Designator US-984XN aka PRISM

• Began in 2007 as "the number one source of raw intelligence used for NSA analytic reports."

• Shouldn't this be kept secret? Yes, Top Secret in fact

NSA's PRISM Program

15
New cards

A database plan that establishes the table layout, attributes, & primary keys of the database design

ERD (Entity Relationship Diagram)

16
New cards

Networks consist of:

Nodes: in our friendship networks are the individuals.

Edges: In our friendship network are the relationship between two nodes (people).

Properties: Properties that get passed to the node constructor function when an instance of the node is created in the runtime.

Networks, nodes, edges, and properties

17
New cards

Graph Analytics: Shows relationships between data points in a way superior to traditional tables with columns and rows.

Graph database: Data stored as graphical elements. Has its own set of query languages.

Graph databases and graph analytics

18
New cards

FOAF: Friend of a friend

• Alice:

0 degrees of separation from Alice

• Alice's friends:

1 degree of separation from Alice

• Friends of each of Alice's friends:

2 degrees of separation from Alice

Connectivity and components

19
New cards

A network graph of friends

Betweenness Centrality

20
New cards

Everyone in the world is connected to everyone else in the world by 6 degrees of separation or fewer.

small world phenomenon

21
New cards

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information

Non-repudiation

22
New cards

Cryptography is the science of concealing messages with a secret code. Encryption is the way to encrypt and decrypt data. The first is about studying methods to keep a message secret between two parties (like symmetric and asymmetric keys), and the second is about the process itself.

Cryptography and encryption

23
New cards

In cryptography, a symmetric key is one that is used both to encrypt and decrypt information. This means that to decrypt information, one must have the same key that was used to encrypt it.

Symmetric key encryption

24
New cards

Asymmetric encryption, also known as public key encryption, uses a public key-private key pairing: data encrypted with the public key can only be decrypted with the private key. TLS (or SSL), the protocol that makes HTTPS possible, relies partially on asymmetric encryption.

Asymmetric key encryption

25
New cards

While hacking is illegal, ethical hacking is a legal method of breaching a security system to detect potential security threats. Ethical hackers look at systems to see if there are any flaws that cybercriminals could take advantage of.

Hacking and ethical hacking

26
New cards

The management, operational, and technical controls (safeguards or countermeasures) prescribed for a system to protect the confidentiality, availability, and integrity of the system and its information

Security controls

27
New cards

It is a logically coherent collection of related data. Databases turn data into information.

What is a database?

28
New cards

Lancashire vs. Yorkshire (Example of explicit knowledge) Know that, not know how.

Who fought in the "War of the Roses"?

29
New cards

1. Historical data is collected about the War of the Roses from different sources.

2. Collected data is organized and stored in a database for future use.

3. A (human) historian analyzes the information, making connections between events, names, etc.

4. A (human) historian interprets the analysis and explains (in a book, lecture, etc.) what it means.

5. This is not just a history lesson, it's an example of a data science workflow.

Wisdom: What does it mean that the Tudors won the War of the roses?

30
New cards

We need a sociotechnical systems explanation to understand what databases can do.

How can databases be dangerous?

31
New cards

The process of analyzing large sets of data in order to extract useful insights and knowledge from it.

Data Analytics

32
New cards

Descriptive analytics focuses on understanding what has happened in the past.

Descriptive Analytics

33
New cards

Predictive analytics focuses on forecasting future events based on historical data. Uses statistical models of past events to probabilistically predict future outcomes.

Predictive Analytics

34
New cards

Description and prediction

Dangerous analytics at the NSA:

35
New cards

The process of analyzing large sets of network data in order to extract useful insights and knowledge from it.

Graph Data Analytics

36
New cards

The prevention of authorized access to resources or the delaying of time-critical operations.

Denial of Service (DoS):

37
New cards

Confidentiality

Someone in your study group fails to lock their laptop whenever they leave the room. What is most at risk in this scenario?

38
New cards

Confidentiality

The Rutgers class registration system sometimes allows students to register for classes that are not available. What is most at risk in this scenario?

39
New cards

Availability

A group of students succeed in making some Rutgers web sites so slow that they cannot be used, forcing delays and interruptions in final exams. What is most at risk in this scenario?

40
New cards

Integrity

The ingredients for dishes served at the Brower Dining Hall are posted online if you know where to look. What is most at risk in this scenario?

41
New cards

Any intentional act that influences a person to take an action that may or may not be in his or her best interests.

Social Engineering

42
New cards

"Specific guarantees in the Bill of Rights have penumbras formed by emanations from those guarantees that given them life and substance."

Penumbras

43
New cards

1. No Constitutional right to privacy

2. SCOTUS says it's in the Bill of Rights, sorta, (penumbras).

Why do we even think we have a right to privacy?

44
New cards

Securing the enterprise end-to-end

Which one of the following is NOT one of the major principles of COBIT?

45
New cards

Confidentiality

Alan is applying access controls to ensure that employees in his company are not able to read files that are not directly related to their job functions. What goal of information security is Alan enforcing?

46
New cards

Steganography

What technique hides sensitive information inside another file, such as an image?

47
New cards

True

True or false: Security leaders planning to deploy a new security control should develop a business case for that control.

48
New cards

Hashing

Which one of the following security controls provides the best ability to detect integrity issues?

49
New cards

Inventory of physical devices and systems, an inventory of software platforms, and applications, mapping organizational communication, data flows, and so on.

What is talked about in the asset management category?

50
New cards

asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.

The cybersecurity frame gives 6 categories:

51
New cards

True

True or false: Identify, protect, detect, respond, and recover are things that one does in cybersecurity.

52
New cards

Provides a common language for cybersecurity risk, helps identify and prioritize actions, aligns security actions across control types, and offers different value to different organizations.

NIST Cybersecurity Framework (NCF): Provides what?

53
New cards

Mandatory for federal agencies

NIST 800-53: Mandatory for who?

54
New cards

Covers cybersecurity control objectives

ISO 27001

55
New cards

Covers cybersecurity control implementation

ISO 27002

56
New cards

Covers privacy controls

ISO 27701

57
New cards

Covers risk management programs

ISO 31000

58
New cards

Meeting stakeholders needs, enabling a holistic approach, creating a dynamic governance system, separating governance from management, tailoring the governance system to enterprise needs, and covering the enterprise end to end.

What six principles does COBIT cover?

59
New cards

A business-focused control framework

Define Control Objectives for IT (COBIT)

60
New cards

Taking reasonable measures to investigate security risks.

Due Care

61
New cards

Consisting of generalists and specialists

CISOS Lead Teams consisting of:

62
New cards

They report through the IT organization or to a risk management leader.

What do CISOs report through?

63
New cards

is the most senior information security leader in an organization

CISO (chief information security officer) is the most what?

64
New cards

Require separation of controls

Corporate Divestitures require what?

65
New cards

Require integration of controls

Corporate Acquisitions require what?

66
New cards

1. Ensure governing bodies understand risks and controls. 2. Inform governing bodies of security incidents. 3. Provide audit reports to governing bodies.

Integrating Security Governance steps: (3)

67
New cards

Typically an independent board of directors, board of trustees, or similar senior governing body with elected members.

The most senior level of governance is typically what?

68
New cards

It may consist of an Information Governance Committee that includes senior leaders with oversight of information security and data governance functions. The organization may also have a risk management committee consisting of executives charged with managing all risks to the organization.

Where do governance processes take place?

69
New cards

Other business functions and processes.

Information security functions must align themselves with other what?

70
New cards

They need to present a business case that justifies the investment of time and money, balances security and business concerns, and achieves confidentiality, integrity, and availability goals.

When proposing a new security control, what do security leaders need to present?

71
New cards

Balance security with business needs.

What must security leaders balance?

72
New cards

Security Leaders must also understand the mission, goals, and objectives of the broader organization

What must security leaders also understand?

73
New cards

It looks for leadership in the protection of information assets, response to security incidents, and other typical security functions.

What does the organization look for in a security leader?

74
New cards

Serves as the subject matter expert on issues of confidentiality, integrity, and availability

Define security leader

75
New cards

It ensures that any flaws identified by the manufacturer are corrected promptly.

Keeping operating systems and applications patched to current levels ensures what?

76
New cards

Protect services against disruption from a small failure.

Fault Tolerance protects services against what?

77
New cards

Protects services against the failure of a single server.

High availability protects services against what?

78
New cards

Protects a system against failure of a single part.

Redundant components protect a system against what?

79
New cards

- Malicious attackers
- Component failures
- Application failures
- Utility failures

What can availability failures result from? (4)

80
New cards

1. Decrypt the digital signature with the sender's public key. 2. Compute the hash value of the message. 3. Compare the values from steps 1 and 2. (If they match, the message is authentic.)

Steps to verifying a Digital Signature: (3)

81
New cards

1. Compute the hash value of a message. 2. Encrypt the hash with the sender's private key.

Steps in creating a Digital Signature: (2)

82
New cards

The ability of one person to prove to another person that the message they sent was received intact.

Authenticity

83
New cards

Hash function is a mathematical algorithm that computes a unique digest for a file of any length.

What is hash function?

84
New cards

A control that helps achieve two different goals, authenticity, and non-repudiation.

Digital signatures

85
New cards

Hashing is one of the core controls used to protect integrity.

What is hashing?

86
New cards

Potential integrity failures may result from: the intentional alteration of information, such as an employee altering their own salary; user error, such as a data entry clerk accidentally entering the wrong information in a field; software or hardware error, such as an application writing erroneous data to a database. Integrity failures may also come from acts of nature, such as a lightning strike that alters information stored on a disk.

What can potential integrity failures result from?

87
New cards

It protects an organization's information from accidental or intentional tampering that may come as the result of many different issues.

What do integrity controls protect?

88
New cards

It ensures that information is not altered without authorization.

What does integrity ensure?

89
New cards

By preventing people from accessing sensitive information in the first place. Access control is one's primary mechanism for restricting people from seeing data that they shouldn't see. Access control protects confidentiality by limiting users to accessing only those files where they have been granted permission.

What is one way one protects the confidentiality of information?

90
New cards

Confidentiality ensures that only authorized individuals have access to information and resources. It protects information and systems from unauthorized access.

What does confidentiality ensure?

91
New cards

Graphical Interface, SQL: Structured Query Language

Ways to interact with RDBMS (2)

92
New cards

- Protecting the data by performing regularly scheduled backups and copying data to redundant hard drives.
- They can also secure information by controlling and monitoring user access and permissions.
- Some RDBMSs include components to develop reports with graphs or charts that make the data easy to understand.
- They can also create forms that simplify the process of entering new data.

What additional tasks can RDBMS perform?

93
New cards

The data table gives us a lot of flexibility in how we store information about our vacation pictures. It gives us the flexibility to store additional attributes by adding new columns and making the table wider. It will also easily grow over time to accommodate new pictures by adding additional rows and making the table taller.

What flexibility do data tables give one?

94
New cards

- Attributes can be added with additional columns.
- New records can be added with additional rows.
- Creates the need to store repetitive information.
- Can't easily accommodate special circumstances.

Pros and cons of table structure

95
New cards

Developed by data scientist E.F. Codd.
- "A Relational Model of Data for Large Shared Data Banks" published in 1970.
- Separated the retrieval of information from its storage.
- Defined rules to organize data across multiple related tables.

The relational model was developed by?

96
New cards

You need to use a relational database management system, or RDBMS for short.

In order to create and store data in a relational database you need to use what?

97
New cards

- Microsoft SQL Server and Azure SQL Database.
- Oracle, PostgreSQL, IBM Db2.
- MySQL is popular on the web.
- Microsoft Access on PC and FileMaker on macOS.

Examples of RDBMS vendors are:

98
New cards

- Create and modify the structure of the data.
- Define tables and column names.
- Create key-value columns and create relationships.
- Manipulate data records and perform CRUD tasks.

RDBMS tasks consist of:

99
New cards

- Identify the facts it needs to store.
- Think about what you want to get out of the database.

To design a relational database you must: (2)

100
New cards

Library and bank account numbers, email address, social security number and driver's license, product number, serial numbers.

Real World Primary Keys: