* Describe the multiple types of security systems present in many organizations.
1.) Physical Security - protect items, objects, and places
2.) Personnel security - protect individual access to the organization
3.) Operation security - protect details of activities
4.) Communications security - protect communications media, technology, and content
5.) Network security - protect networking components, connections, and contents
6.) Information security - protect the confidentiality, availability, and integrity of information assets.
List and describe the six phases of the security systems development life cycle.
1.) Investigation - Costs, goals, feasibility, resources, and scope are analyzed, outlined, and documented by management.
2.) Analysis - Assess current system vs. the plan in phase 1. Develop requirements and integration to existing system, perform risk analysis and examine legal issues, document and analyze current threats.
3.) Logical Design - Assess current business needs vs. the plan in phase 2. Develop a security blueprint, plan incident report actions and business disaster response, determine feasibility of continuation of project or outsourcing, select applications, data support and structures, consider multiple solutions for consideration, document findings.
4.) Physical Design - Technologies selected to support phase 3. Best solution is chosen, decision made to make or buy components, technologies needed to support blueprint are chosen, define successful solution, design physical security measures, approve project.
5.) Implementation - Develop or buy software, components, security solutions. Document the system, train its users, test system and review performance, and present tested package to management for approval.
6.) Maintenance and Change - Support and modify the system during its lifespan, periodically testing for business need compliance. System is monitored then patched, upgraded, and repaired as needed to meet changing threats.
Outline types of data ownership and their respective responsibilities.
1. Data Owners
- Responsible for security and use of a particular set of information
- Usually senior management members, maybe CIOs.
- Usually determine the level of data classification and changes to that classification as required by organizational changes.
- Work with subordinate managers to oversee daily data administration.
2. Data Custodians
- Work directly with data owners
- Responsible for storage, maintenance, protection of information.
- May be CISO or responsibility of systems admin or technology manager, depending on organization size.
- Duties include overseeing data storage, backups, implementing procedures and polices laid out in security policies and plans, reporting to data owner
3. Data Users
- Work with information to perform assigned roles
- Everyone is responsible for security of data in the organization
What are the requirements for a policy to become enforceable?
1. Dissemination (Distribution) - The policy is readily available for review, electronically or otherwise.
2. Review (Reading) - The policy must be available to all, including non-English, illiterate, reading-impaired, etc. for example by making recordings or alternate language versions of the policy available.
3. Comprehension (Understanding) - The organization must be able to demonstrate that requirements are understood by the employee, usually by testing or other assessment of the policy.
4. Compliancy (Agreement) - The organization must be able to demonstrate that the employee agreed to comply with the policy though act or affirmation. Commonly used techniques include signed documents or logon banners.
5. Uniform enforcement - The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
List the five fundamental principles of HIPAA.
1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability for the privacy of private information
4. Balance of public responsibility for the use of medical information for the greater good
measured against impact to the individual
5. Security of health information
List three of the provisions included in the Security And Freedom Through Encryption Act of 1999.
1. Prohibit the federal government from requiring the use of encryption for contracts,
grants, and other official documents and correspondence.
2. State that the use of encryption is not probable cause to suspect criminal activity.
3. Reinforce an individual's right to use or sell encryption algorithms, without concern
for regulations requiring some form of key registration.
Describe five new subdivisions of information system components of SecSDLC/risk management.
1. People - Employees and nonemployees. Employees include those who have trusted roles, authority, and accountability, and employees with no special privleges with specific assignments. Nonemployees include contractors, consultants, trusted members of other organizations, and strangers.
2. Procedures - IT & Business procedures: standard and sensitive. Sensitive procedures are ones that may enable threat agents to attack or otherwise introduce risk.
3. Data & Information - Management of information in three states: transmission, processing, storage.
4. Software - Components assigned one category: Applications, operating systems, or security components.
5. Hardware - Assigned to one category: systems devices & peripherals, or devices that are part of information security control systems. Latter is protected more thoroughly and given special treatment.
* List seven key areas identified by Microsoft as best security practices for home users.
1. Using antivirus software
2. Using strong passwords
3. Verifying software security settings
4. Updating product security
5. Building personal firewalls
6. Backing up data early and often
7. Protecting against power surges and loss
List Microsoft's "Ten Immutable Laws of Security" in any order.
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4. If you allow a bad guy to upload programs to your Web site, it's not your Web site anymore.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the Web.
10. Technology is not a panacea.
What three purposes does the ISSP serve?
Addresses specific areas of technology, such as authorized and prohibited usage of equipment, policies, liability, and systems management.
Requires frequent updates.
Contains a statement on the organization's position on specific issues.
* What is the purpose of security education, training, and awareness (SETA)?
The purpose of SETA is to enhance security by improving awareness of the need to protect system resources, developing skills and knowledge so computer users can perform their jobs more securely, and building in-depth knowledge to design, implement, or operate security programs for organizations and systems.
* Compare electronic vaulting and remote journaling.
The transfer of large batches of data to an off-site facility is called electronic vaulting. The transfer of live transactions to an off-site facility is called remote journaling. It differs from electronic vaulting in that 1) only transactions are transferred, not archived data, and 2) the transfer is in real-time. Electronic vaulting is much like a traditional backup, with a dump of data to the off-site storage, but remote journaling involves activities on a systems level, much like server fault tolerance, with the data written to two locations simultaneously.
Briefly describe the seven best practices rules for firewall use.
1.) All traffic from the trusted network is allowed out. This allows the users to send the information and access services when they are needed without being stopped by the firewall outbound traffic filter.
2.) The firewall is never accessible directly from a public network for management/configuration, so only authorized administrators can access the firewall controls.
3.) Simple Mail Transport Protocol data is allowed in, but filtered by routing it through a SMTP gateway so it is delivered in a secure manner.
4.) All Internet Contol Message Protocol ("ping service") data should be denied to prevent snooping by hackers.
5.) Telnet access to all internal servers from public networks should be blocked. The organization's DNS server should at least be blocked to prevent the entire organization's network being brought down by attackers.
6.) When Web services are offered outside the firewall, HTTP traffic should be denied from reaching your internal networks through the use of some form of proxy access or DMZ architecture.
7.) All data that is not verifiable and authentic should be denied.
List and describe the three interacting services of the Kerberos system.
1.) The Authentication Server (AS) - authenticates clients and servers.
2.) Key Distribution Center (KDC) - Generates, issues session keys.
3.) Kerberos Ticket Granting Service (TGS) - Provides tickets to clients who request services. A ticket is an ID card for a client that is verified with the Kerberos server to ensure that they are a valid member of the system and are authorized to receive the requested services. Tickets include the client name, network address, validation starting and ending time, and session key, all encrypted in the private key of the server from which the client is requesting services.
What must a VPN that proposes to offer a secure and reliable capability while relying on public networks accomplish?
1.) Encapsulation of incoming and outgoing data. - The native protocol of the client is embedded within the frames of a protocol that can be routed over the public network and be usable by the server network environment.
2.) Encryption of incoming and outgoing data. - Keeps the data contents private while they are in transit over the public network, but still usable by client and server computers and local networks on either end of the VPN connection.
3.) Authentication of the remote computer/remote user. - Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.
A(n) ______ occurs when an attacker attempts to gain entry or disrupt the normal operations of an information system, almost always with the intent to do harm.
The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.
Three methods dominate the IDPSs detection methods: ____-based approach, statistical anomaly-based approach or the stateful packet inspection approach.
A signature-based IDPS is sometimes called a(n) ____-based IDPS.
A(n) ____ system contains pseudo-services that emulate well-known services, but is configured in ways that make it look vulnerable to attacks.
* List and describe at least four reasons to acquire and use an intrusion detection and
prevention system (IDPS). (p. 295, ch. 7)
1.) To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
2.) To detect attacks and other security violations that are not prevented by other security measures
3.) To detect and deal with the preambles to attacks
4.) To document the existing threat to an organization
5.) To act as quality control for security design and administration, especially in large and complex enterprises
6.) To provide useful information about intrusions that do take place to allow for improved diagnosis, recovery, and correction of causative factors.
List and describe the three advantages of NIDPSs.
1.) Can enable an organization to use a few NIDPSS devices to monitor a large network.
2.) NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations.
3.) NIDPSs are not usually susceptible to direct attack, may not be detectable by attackers.
List and describe the four advantages of HIDPSs.
1.) An HIDPS can detect local events on host systems and also detect attacks that may elude a network-based IDPS.
2.) An HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.
3.) The use of switched network protocols does not affect an HIDPS.
4.) An HIDPS can detect inconsistencies in how applications and systems programs were used by examining the records stored in audit logs. Can detect some atttacks such as trojan horses.
____ is the entire range of values that can possibly be used to construct an individual key.
____ is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext.
More advanced substitution ciphers use two or more alphabets, and are referred to as ____ substitutions.
A method of encryption that requires the same secret key to encipher and decipher the message is known as ____ encryption.
The science of encryption is known as _______.
The process of hiding messages within the digital encoding of a picture or graphic is called ______.
A mathematical ____ is a "secret mechanism that enables you to easily accomplish the reverse function in a one-way function."
* Describe how hash functions work and what they are used for. (p. 362, ch. 8)
Hash functions are mathematical algorithms that are used by making a message summary (called a digest or fingerprint) that will confirm the identity of a specific message and the integrity of the message, confirming that there haven't been any changes to the content since it was sent. Hash functions do not require keys, but can use a code called a MAC that will allow only specific users, or key holders, to access the message digest. Hash functions are one-way and are used for password verification to confirm the user's identity. A hash value is created based on original input from the user (the password) and is stored for later user. When the password is entered later by a user, a new hash value is made and is compared to the original in order to confirm identity.
* Describe symmetric and asymmetric encryptions. (p. 364-366, ch. 8)
Symmetric encryption methods use a single secret key to both encipher and decipher a message. They use mathematical operations that can be programmed into extremely fast computing algorithms in order for the encryption and decryption process to go quickly even on a small computer. Both sender and recipient of the message must have the key, and if the key is lost, the message can be accessed and decrypted by others without the sender ever knowing. The key must be delivered to the receiver in another way, in a process conducted out of band on another channel or band other than the message itself, to avoid interception by others. Asymmetric encryption, on the other hand, uses two keys instead of one. The keys are different, but related, and either key can be used to encrypt or decrypt the message. Asymmetric encryption is also known as public-key encryption, because a message encrypted with key A can only be decrypted with key B and vice versa. One key is often used as a private key and the other a public key that can be used by anyone.
Describe digital certificates.
Digital certificates are public-key document or container files that allow computer programs to validate the key and identify to whom it belongs. They contain a key value and identifying information about the entity that controls the key. Certificates are usually issued and certified by a third party, usually a certificate authority, and contains a digital signature that certifies the file origin and integrity. They help ensure to users that their files are authentic by using a cryptographic key.
____ occurs when an authorized person presents a key to open a door, and other people, who may or may not be authorized, also enter.
The most sophisticated locks are ____ locks.
Class ____ fires are extinguished by agents that remove oxygen from the fire.
The ______ lock may rely on a key that is a carefully shaped piece of metal, which is rotated to turn tumblers that release secured loops of steel, aluminum, or brass.
A specialized type of keycard reader is the ______ reader, which allows individuals simply to place their cards within the reader's range.
A(n) ______ is a small enclosure that has separate entry and exit points.
* Identify the "Seven Major Sources of Physical Loss"? (p. 399, ch. 9)
1. Extreme temperature: heat, cold
2. Gases: war gases, commercial vapors, humid or dry air, suspended particles
3. Liquids: water, chemicals
4. Living organisms: viruses, bacteria, people, animals, insects
5. Projectiles: tangible objects in motion, powered objects
6. Movement: collapse, shearing, shaking, vibration, liquefaction, flow waves, separation,
7. Energy anomalies: electrical surge or failure, magnetism, static electricity, aging
circuitry; radiation: sound, light, radio, microwave, electromagnetic, atomic
Explain how a mantrap works.
A mantrap is a small enclosure that has separate entry and exit points. A person gains access to the area and enters a mantrap. At the second door, the person must request access to the room via electronic or biometric lock and key, and if confirmed they are allowed entry and may exit the mantrap. If they are not confirmed, however, the person cannot leave the mantrap until security overrides the locks.
Describe different types of sensors to detect intrusions.
Motion detectors are either active or passive and work by detecting movement within a confined space. Thermal detectors work by detecting rates of change in the ambient temperature in the room. Contact and weight sensors work when two contacts are connected, such as when a foot steps on a pressure-sensitive pad under a rug, or a window being opened triggers a pin and spring sensor. Vibration sensors detect movement of the sensor itself rather than movement in the environment.
Public organizations often have "____" to spend all their remaining funds before the end of the fiscal year.
In the ____ process, measured results are compared to expected results.
negative feedback loop
The ____ level of the bull's-eye model establishes the ground rules for the use of all systems and describes what is appropriate and what is inappropriate, it enables all other information security components to function correctly.
_________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.
The _______ operations strategy involves running the new methods alongside the old methods.
One of the oldest models of change is the ______ change model.
* What are the major steps in executing the project plan? (p. 436, ch. 10)
1.) Planning the project
2.) Supervising tasks and action steps
3.) Wrapping up the project.
* What major project tasks does the WBS document? (p. 436, ch. 10)
1.) Work to be accomplished (activities and deliverables)
2.) Individuals (or skill set) assigned to perform the task
3.) Start and end dates for the task (when known)
4.) Amount of effort required for completion in hours or work days
5.) Estimated capital expenses for the task
6.) Estimated noncapital expenses for the task
7.) Identification of dependencies between and among tasks
What can the organization do by managing the process of change?
- Improve communication about change across the organization
- Enhance coordination between groups within the organization as change is scheduled
- Reduce unintended consequences by having a process to resolve conflict and disruption
that change can introduce
- Improve quality of service as potential failures are eliminated and groups work
- Assure management that all groups are complying with the organization's policies
regarding technology governance, procurement, accounting, and information security
The information security function can be placed within the ____.
a. insurance and risk management function
b. administrative services function
c. legal department
d. All of the above
D. All of the above (insurance and risk management function, administrative services function, & legal department)
The organization should conduct a behavioral feasibility study before the _________ phase.
SANS developed a series of technical security certifications in 1999 that are known as the Global Information ______ Certification or GIAC family of certifications.
When new employees are introduced into the organization's culture and workflow, they should receive as part of their ________ an extensive information security briefing.
________ departures include resignation, retirement, promotion, or relocation.
Employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties. This is referred to as the principle of _______.
* What tasks must be performed when an employee prepares to leave an organization? (p. 497-498, ch. 11)
1.) Access to the organization's systems must be disabled.
2.) Removable media must be returned.
3.) Hard drives must be secured.
4.) File cabinet locks must be changed.
5.) Office door locks must be changed.
6.) Keycard access must be revoked.
7.) Personal effects must be removed from the organization's premises.
* Describe the concept of separation of duties. (p. 505, ch. 11)
It is a strategy for the protection of information assets and in the prevention of financial loss by reducing the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information. The control stipulates that the completion of a significant task that involves sensitive information, especially financial information, should require at least two people. If only one person had authorization, there may be no way to stop them from copying the information and removing it from the premises.
____ are a component of the security triple.
d. All of the above
d. All of the above [Threats, assets, and vulnerabilities]
To evaluate the performance of a security system, administrators must establish system performance ____.
The primary mailing list, called simply ____, provides time-sensitive coverage of emerging vulnerabilities, documenting how they are exploited, and reporting on how to remediate them. Individuals can register for the flagship mailing list or any one of the entire family of its mailing lists.
Detailed ____ on the highest risk warnings can include identifying which vendor updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported.
Virtually all aspects of a company's environment are _______.
A(n) ________ analysis is a procedure that compares the current state of a network segment (the systems and services it offers) against a known previous state of that same network segment (the baseline of systems and services).
The primary goal of the vulnerability assessment and ______ domain is to identify specific, documented vulnerabilities and remediate them in a timely fashion.
List the four steps to developing a CM plan.
1.) Establish baselines
2.) Identify configuration
3.) Describe configuration control process
4.) Identify schedule for configuration audits
* List the five domains of the recommended maintenance model. (p. 536, ch. 12)
1.) External monitoring
2.) Internal monitoring
3.) Planning and risk assessment
4.) Vulnerability assessment and remediation
5.) Readiness and review
* Describe viruses and worms.
A computer virus consists of segments of code that perform malicious actions. This code behaves very much like a virus pathogen attacking animals and plants, using the cells own replication machinery to propagate and attack. The code attaches itself to the existing program and takes control of that programs access to the targeted computer. The virus-controlled target program then carries out the virus's plan, by replicating itself into additional targeted systems. A worm is a malicious program that replicates itself constantly, without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
* A(n) _____ is an object, person, or other entity that represents an ongoing danger to an asset.
* A(n) _______ is an identified weakness in a controlled system, where controls are not present or are no longer effective.
* Asset _____ is the process of assigning financial value or worth to each information asset.
* Implementing multiple types of technology and thereby precluding that the failure of one system will compromise the security of information is referred to as _____.
* A(n) _____ is an information security program that prevents specific types of information from moving between the outside world and the inside world.
* Describe the capabilities of a sniffer.
A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network. Unauthorized sniffers can be extremely dangerous to a networks security, because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hackers arsenal. Sniffers often work on TCP/IP networks, where they're sometimes called packet sniffers. Sniffers add risk to the network, because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files and screens full of sensitive data from applications.
* An alert or ______ is an indication that a system has just been attacked or is under attack.