Security
Is “the quality or state of being secure-to be free from danger.” In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
True
T or F: Organizations need multiple layers to protect operations.
Physical security
Personnel security
Physical security
Communications security
Network security
Information security
What are the Layers of Security?
Physical security
To protect physical items, objects, or areas from unauthorized access and misuse
Personnel security
To protect the individual or group of individuals who are authorized to access the organization and its operations.
Operations security
To protect the details of a particular operation or series of activities.
Communications security
To protect communications media, technology, and content.
Network security
To protect networking components, connections, and contents.
Information security
To protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
The Committee on National Security Systems (CNSS)
Defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
The C.I.A. triangle
Has been a foundational model, but it no longer fully addresses the complexities of modern threats.
The C.I.A. triangle
Confidentiality
Integrity
Availability
Confidentiality
Ensures information is only accessible to authorized individuals.
Integrity
Ensures information is accurate and reliable.
Availability
Ensures information is accessible when needed.
Evolving Threats
Modern threats include accidental or intentional damage, theft, unauthorized modifications, and other misuse, prompting the development of more comprehensive security models.
Key Information Security Concepts
Access
Asset
Attack
Control (Countermeasure)
Exploit
Exposure
Loss
Protection Profile/Security Posture
Risk
Subjects and Objects
Threat
Threat Agent
Vulnerability
Access
Ability of subjects/objects to use or affect other subjects/objects. Managed by access controls.
Asset
Organizational resource being protected, such as data or physical objects.
Attack
Act (intentional or unintentional) that damages or compromises information or systems. Can be active/passive, direct/indirect.
Control (Countermeasure)
Security mechanisms, policies, or procedures that counter attacks and improve security.
Exploit
A technique to compromise a system or asset, usually by taking advantage of vulnerabilities.
Exposure
A state where a vulnerability is known to an attacker.
Loss
Damage or unauthorized modification/disclosure of an information asset.
Protection Profile/Security Posture
Collection of controls, safeguards, and policies to protect assets.
Risk
The probability of an unwanted event happening; organizations must manage it within acceptable levels.
Subjects and Objects
A computer can be the subject (attacker) or object (target) of an attack.
Threat
A category of entities that can harm an asset; can be purposeful or incidental.
Threat Agent
Specific instance or component of a threat (e.g., hacker or natural disaster).
Vulnerability
Weakness in a system or protection mechanism that exposes it to attack.
Critical Characteristics of Information
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
Availability
Ensures authorized users can access information without obstruction and in the required format.
Accuracy
Information is valuable when free from mistakes or errors, maintaining its integrity for decision-making.
Authenticity
Information must be genuine, without alterations or fraud (e.g., email spoofing or phishing).
Confidentiality
Protects information from unauthorized access. Breaches occur when sensitive data is exposed or disclosed.
Integrity
Ensures that information remains whole, complete, and uncorrupted. Methods like file hashing help maintain data integrity.
Utility
Information is valuable when it serves a clear purpose and is usable to the end user.
Possession
Refers to ownership or control of information. A breach in possession doesn’t always mean a breach in confidentiality (e.g., encrypted data may still be secure despite unauthorized access).
John McCumber in 1991
The CNSS model, based on the National Training Standard for Information Systems Security Professionals (NSTISSI No. 4011), was created by _____ in _____ and is widely used for evaluating information system security.
McCumber Cube
The model is a 3x3x3 cube, with 27 cells representing areas of system security that must be addressed. The cube is used to ensure comprehensive security across three key dimensions.
McCumber Cube three key dimensions
Technology
Integrity
Storage
Components of an Information Security
Software
Hardware
Data
People
Procedures
Networks
Software
● Includes applications, operating systems, and command utilities.
● Securing software is challenging due to errors, bugs, and weak programming practices.
● Software security often becomes an afterthought during development.
Hardware
● Physical technology that houses software, stores data, and provides interfaces for input and output.
● Securing hardware involves physical security measures (e.g., locks and keys) to protect from theft or damage.
● Breach of physical security can lead to information loss (e.g., laptop theft).
Data
● Valuable asset that must be protected during storage, processing, and transmission.
● Database management systems are typically used for securing data but are sometimes inadequately implemented.
People
● Humans can be the weakest link in security due to social engineering, human error, or malicious intent.
● Proper training, policies, and awareness are necessary to reduce security risks from people.
Procedures
● Written instructions for tasks within the system.
● Unauthorized access to procedures can lead to security breaches (e.g., improper use of financial procedures).
● Education on safeguarding procedures is essential.
Networks
● Networking connects systems, creating new security challenges.
● Traditional physical security is insufficient; network security measures like firewalls and intrusion detection are necessary.
Senior Management
CIO (Chief Information Officer)
CISO (Chief Information Security Officer)
CIO (Chief Information Officer)
o Advises the CEO or president on strategic planning for managing organizational information.
o Translates organizational strategies into information systems plans.
o Oversees the planning and management of systems supporting the organization.
CISO (Chief Information Security Officer)
o Responsible for assessing, managing, and implementing information security.
o Reports to the CIO but recommendations may hold greater priority in terms of security.
o May also be called IT security manager or security administrator.
o Placement in the hierarchy varies depending on the organization.
Information Security Project Team
Consists of individuals with technical and non-technical expertise for managing and designing security measures.
Information Security Project Team Roles
Champion
Team Leader
Security Policy Developers
Risk Assessment Specialists
Security Professionals
Systems Administrators
End Users
Champion
Senior executive advocating for the project; ensures administrative and financial support.
Team Leader
A project manager with skills in personnel and project management, and technical requirements.
Security Policy Developers
Experts in organizational culture and policies to create effective security policies.
Risk Assessment Specialists
Evaluate financial risks, asset value, and appropriate security measures.
Security Professionals
Trained individuals handling technical and non-technical aspects of security.
Systems Administrators
Manage systems that house organizational information.
End Users
Directly impacted by the new system; provide input for practical controls.
Data Responsibilities
Data Owners
Data Custodians
Data Users
Data Owners
o Typically senior management, such as the CIO.
o Decide on data classification and oversee daily data administration.
Data Custodians
o Handle storage, maintenance, and protection of information.
o Implement security procedures and report to data owners.
Data Users
o All individuals interacting with data in their roles.
o Responsible for maintaining security of the data they use.
Communities of Interest
Groups within the organization with specific objectives aligned with organizational goals.
Communities of Interest
Information Security Management and Professionals
IT Management and Professionals
Organizational Management and Professionals
Information Security Management and Professionals
Focus on protecting information systems from attacks.
IT Management and Professionals
o Emphasis on:
▪ Cost-efficiency.
▪ User-friendly systems.
▪ Timely creation and system performance.
o May experience conflicts with security goals.
Organizational Management and Professionals
o Includes general management, HR, legal, and other departments.
o Considered "users" by IT and "security subjects" by the security community.
o All IT systems and security measures exist to support this community's broader objectives.
True
T or F: Information security is often seen as a blend of art and science due to its complexity and the diverse approaches required for implementation.
False (correct ans: does consider)
A third perspective does not consider information security as a social science, emphasizing the role of human behavior and interactions with systems.
Information Security as an Art
Security professionals, likened to "security artisans," implement measures creatively, much like artists working on a canvas.
Information Security as a Science
Rooted in rigorous, logical methodologies developed by computer scientists and engineers.
Information Security as a Social Science
Explores the human aspect of security, integrating principles of art and science.
System Development Life Cycle Phases
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and Change
Importance of SDLC
Importance: Security must be incorporated from the inception of the system to avoid costly and continuous fixes.
Investigation Phase
● Identify the problem the system addresses.
● Specify objectives, constraints, scope, and conduct a preliminary cost-benefit analysis.
● Perform feasibility analysis to assess economic, technical, and behavioral feasibility.
● Security Steps: Categorize security impact (low, moderate, high) and conduct a preliminary risk assessment.
Analysis Phase
● Assess the organization, current systems, and capability to support the proposed system.
● Document findings and update feasibility analysis.
● Security Steps: Further refine risk assessments and define security needs based on threat environments.
Logical Design Phase
● Create a blueprint for the solution focusing on the business need.
● Select applications, data structures, and potential technologies.
● Develop alternative solutions and conduct feasibility analysis.
● Security Steps:
o Conduct detailed risk assessments.
o Analyze security functional and assurance requirements.
o Document security plans and develop security controls.
Physical Design Phase
● Select specific technologies to implement the logical design.
● Integrate components through make-or-buy decisions.
● Present the final solution for approval.
● Security Steps:
o Develop, test, and evaluate security controls.
o Plan for comprehensive security implementation.
Implementation Phase
● Build, test, and deploy system components.
● Train users and create documentation.
● Conduct performance reviews and acceptance tests.
● Security Steps:
o Validate security controls (certification).
o Obtain official approval for system operations (accreditation).
Maintenance and Change Phase
● Monitor and support the system throughout its lifecycle.
● Upgrade and modify as needed to adapt to organizational changes.
● Security Steps:
o Manage configurations and monitor security controls.
o Preserve data, sanitize media, and dispose of hardware/software securely.
The Waterfall Model
Is a linear, sequential approach to system development where each phase must be completed before the next one begins.
The Waterfall Model
In this model, the SDLC phases are executed one after the other with little to no overlap, making it easy to manage but less flexible for changes.
False (correct ans: are addressed systematically at each stage WITHOUT revisiting prior phases once they're completed.)
T or F: Security steps are incorporated at each phase but follow the structured flow of the Waterfall approach, meaning security considerations are addressed systematically at each stage and revisiting prior phases once they're completed.