Mod1: Introduction to Information Security

1
Security

Is “the quality or state of being secure, to be free from danger.” In other words, protection against adversaries—those who would do harm, intentionally or otherwise—is the objective.

2
True

T or F: Organizations need multiple layers to protect operations.

3
  1. Physical security

  2. Personnel security

  3. Physical security

  4. Communications security

  5. Network security

  6. Information security

What are the Layers of Security?

4
Physical security

To protect physical items, objects, or areas from unauthorized access and misuse

5
Personnel security

To protect the individual or group of individuals who are authorized to access the organization and its operations.

6
Operations security

To protect the details of a particular operation or series of activities.

7
Communications security

To protect communications media, technology, and content.

8
Network security

To protect networking components, connections, and contents.

9
Information security

To protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

10
The Committee on National Security Systems (CNSS)

Defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.

11
The C.I.A. triangle

Has been a foundational model, but it no longer fully addresses the complexities of modern threats.

12
The C.I.A. triangle

  1. Confidentiality

  2. Integrity

  3. Availability

13
Confidentiality

Ensures information is only accessible to authorized individuals.

14
Integrity

Ensures information is accurate and reliable.

15
Availability

Ensures information is accessible when needed.

16
Evolving Threats

Modern threats include accidental or intentional damage, theft, unauthorized modifications, and other misuse, prompting the development of more comprehensive security models.

17
Key Information Security Concepts

  1. Access

  2. Asset

  3. Attack

  4. Control (Countermeasure)

  5. Exploit

  6. Exposure

  7. Loss

  8. Protection Profile/Security Posture

  9. Risk

  10. Subjects and Objects

  11. Threat

  12. Threat Agent

  13. Vulnerability

18
Access

Ability of subjects/objects to use or affect other subjects/objects. Managed by access controls.

19
Asset

Organizational resource being protected, such as data or physical objects.

20
Attack

Act (intentional or unintentional) that damages or compromises information or systems. Can be active/passive, direct/indirect.

21
Control (Countermeasure)

Security mechanisms, policies, or procedures that counter attacks and improve security.

22
Exploit

A technique to compromise a system or asset, usually by taking advantage of vulnerabilities.

23
Exposure

A state where a vulnerability is known to an attacker.

24
Loss

Damage or unauthorized modification/disclosure of an information asset.

25
Protection Profile/Security Posture

Collection of controls, safeguards, and policies to protect assets.

26
Risk

The probability of an unwanted event happening; organizations must manage it within acceptable levels.

27
Subjects and Objects

A computer can be the subject (attacker) or object (target) of an attack.

28
Threat

A category of entities that can harm an asset; can be purposeful or incidental.

29
Threat Agent

Specific instance or component of a threat (e.g., hacker or natural disaster).

30
Vulnerability

Weakness in a system or protection mechanism that exposes it to attack.

31
Critical Characteristics of Information

  1. Availability

  2. Accuracy

  3. Authenticity

  4. Confidentiality

  5. Integrity

  6. Utility

  7. Possession

32
Availability

Ensures authorized users can access information without obstruction and in the required format.

33
Accuracy

Information is valuable when free from mistakes or errors, maintaining its integrity for decision-making.

34
Authenticity

Information must be genuine, without alterations or fraud (e.g., email spoofing or phishing).

35
Confidentiality

Protects information from unauthorized access. Breaches occur when sensitive data is exposed or disclosed.

36
Integrity

Ensures that information remains whole, complete, and uncorrupted. Methods like file hashing help maintain data integrity.

37
Utility

Information is valuable when it serves a clear purpose and is usable to the end user.

38
Possession

Refers to ownership or control of information. A breach in possession doesn’t always mean a breach in confidentiality (e.g., encrypted data may still be secure despite unauthorized access).

39
John McCumber in 1991

The CNSS model, based on the National Training Standard for Information Systems Security Professionals (NSTISSI No. 4011), was created by ——- in ——- and is widely used for evaluating information system security.

40
McCumber Cube

The model is a 3x3x3 cube, with 27 cells representing areas of system security that must be addressed. The cube is used to ensure comprehensive security across three key dimensions.

41
McCumber Cube three key dimensions

  1. Technology

  2. Integrity

  3. Storage

42
Components of an Information System

  1. Software

  2. Hardware

  3. Data

  4. People

  5. Procedures

  6. Networks

43
Software

● Includes applications, operating systems, and command utilities.

● Securing software is challenging due to errors, bugs, and weak programming practices.

● Software security often becomes an afterthought during development.

44
Hardware

● Physical technology that houses software, stores data, and provides interfaces for input and output.

● Securing hardware involves physical security measures (e.g., locks and keys) to protect from theft or damage.

● Breach of physical security can lead to information loss (e.g., laptop theft).

45
Data

● Valuable asset that must be protected during storage, processing, and transmission.

● Database management systems are typically used for securing data but are sometimes inadequately implemented.

46
People

● Humans can be the weakest link in security due to social engineering, human error, or malicious intent.

● Proper training, policies, and awareness are necessary to reduce security risks from people.

47
Procedures

● Written instructions for tasks within the system.

● Unauthorized access to procedures can lead to security breaches (e.g., improper use of financial procedures).

● Education on safeguarding procedures is essential.

48
Networks

● Networking connects systems, creating new security challenges.

● Traditional physical security is insufficient; network security measures like firewalls and intrusion detection are necessary.

49
Senior Management

  1. CIO (Chief Information Officer)

  2. CISO (Chief Information Security Officer)

50
CIO (Chief Information Officer)

o Advises the CEO or president on strategic planning for managing organizational information.

o Translates organizational strategies into information systems plans.

o Oversees the planning and management of systems supporting the organization.

51
CISO (Chief Information Security Officer)

o Responsible for assessing, managing, and implementing information security.

o Reports to the CIO, but the CISO's recommendations may take priority on security matters.

o May also be called IT security manager or security administrator.

o Placement in the hierarchy varies depending on the organization.

52
Information Security Project Team

Consists of individuals with technical and non-technical expertise for managing and designing security measures.

53
Information Security Project Team Roles

  1. Champion

  2. Team Leader

  3. Security Policy Developers

  4. Risk Assessment Specialists

  5. Security Professionals

  6. Systems Administrators

  7. End Users

54
Champion

Senior executive advocating for the project; ensures administrative and financial support.

55
Team Leader

A project manager with skills in personnel and project management, and technical requirements.

56
Security Policy Developers

Experts in organizational culture and policies to create effective security policies.

57
Risk Assessment Specialists

Evaluate financial risks, asset value, and appropriate security measures.

58
Security Professionals

Trained individuals handling technical and non-technical aspects of security.

59
Systems Administrators

Manage systems that house organizational information.

60
End Users

Directly impacted by the new system; provide input for practical controls.

61
Data Responsibilities

  1. Data Owners

  2. Data Custodians

  3. Data Users

62
Data Owners

o Typically senior management, such as the CIO.

o Decide on data classification and oversee daily data administration.

63
Data Custodians

o Handle storage, maintenance, and protection of information.

o Implement security procedures and report to data owners.

64
Data Users

o All individuals interacting with data in their roles.

o Responsible for maintaining security of the data they use.

65
Communities of Interest

Groups within the organization with specific objectives aligned with organizational goals.

66
Communities of Interest

  1. Information Security Management and Professionals

  2. IT Management and Professionals

  3. Organizational Management and Professionals

67
Information Security Management and Professionals

Focus on protecting information systems from attacks.

68
IT Management and Professionals

o Emphasis on cost-efficiency, user-friendly systems, and timely creation and system performance.

o May experience conflicts with security goals.

69
Organizational Management and Professionals

o Includes general management, HR, legal, and other departments.

o Considered "users" by IT and "security subjects" by the security community.

o All IT systems and security measures exist to support this community's broader objectives.

70
True

T or F: Information security is often seen as a blend of art and science due to its complexity and the diverse approaches required for implementation.

71
False (correct ans: does consider)

A third perspective does not consider information security as a social science, emphasizing the role of human behavior and interactions with systems.

72
Information Security as an Art

Security professionals, likened to "security artisans," implement measures creatively, much like artists working on a canvas.

73
Information Security as a Science

Rooted in rigorous, logical methodologies developed by computer scientists and engineers.

74
Information Security as a Social Science

Explores the human aspect of security, integrating principles of art and science.

75
System Development Life Cycle Phases

  1. Investigation

  2. Analysis

  3. Logical Design

  4. Physical Design

  5. Implementation

  6. Maintenance

  7. Change

76
Importance of SDLC

Security must be incorporated from the inception of the system to avoid costly and continuous fixes later.

77
Investigation Phase

● Identify the problem the system addresses.

● Specify objectives, constraints, and scope, and conduct a preliminary cost-benefit analysis.

● Perform feasibility analysis to assess economic, technical, and behavioral feasibility.

● Security Steps: Categorize security impact (low, moderate, high) and conduct a preliminary risk assessment.

78
Analysis Phase

● Assess the organization, current systems, and capability to support the proposed system.

● Document findings and update the feasibility analysis.

● Security Steps: Further refine risk assessments and define security needs based on the threat environment.

79
Logical Design Phase

● Create a blueprint for the solution focusing on the business need.

● Select applications, data structures, and potential technologies.

● Develop alternative solutions and conduct feasibility analysis.

● Security Steps:

o Conduct detailed risk assessments.

o Analyze security functional and assurance requirements.

o Document security plans and develop security controls.

80
Physical Design Phase

● Select specific technologies to implement the logical design.

● Integrate components through make-or-buy decisions.

● Present the final solution for approval.

● Security Steps:

o Develop, test, and evaluate security controls.

o Plan for comprehensive security implementation.

81
Implementation Phase

● Build, test, and deploy system components.

● Train users and create documentation.

● Conduct performance reviews and acceptance tests.

● Security Steps:

o Validate security controls (certification).

o Obtain official approval for system operations (accreditation).

82
Maintenance and Change Phase

● Monitor and support the system throughout its lifecycle.

● Upgrade and modify as needed to adapt to organizational changes.

● Security Steps:

o Manage configurations and monitor security controls.

o Preserve data, sanitize media, and dispose of hardware/software securely.

83
The Waterfall Model

Is a linear, sequential approach to system development where each phase must be completed before the next one begins.

84
The Waterfall Model

In this model, the SDLC phases are executed one after the other with little to no overlap, making it easy to manage but less flexible for changes.

85
False (correct ans: are addressed systematically at each stage WITHOUT revisiting prior phases once they're completed.)

T or F: Security steps are incorporated at each phase but follow the structured flow of the Waterfall approach, meaning security considerations are addressed systematically at each stage and revisiting prior phases once they're completed.