enables authorized users to access information without interference or obstruction
and to receive it in the required format.
free from mistakes or errors and has the value that the end
Information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
When information is protected from disclosure or exposure to
unauthorized individuals or systems.
When information is whole, complete, and uncorrupted
information is the quality or state of having value for some purpose or end.
the quality or state of ownership or control.
Confidentiality, Integrity and Accessibility
NSTISSC model evolved from:
accuracy, authenticity, utility and possession
information system includes
software, hardware, data, people, procedures and networks
Systems Development Life Cycle (SDLC)
Investigation, Logical Design, Physical Design, Implementation, Maintenance and change
Objectives, constraints and scope of the project is defined.
Assessment of current systems and ability to support proposed changes.
Blueprint for the desired system.
Specific technologies evaluated, selected and acquired.
Technology is installed and tested and training is done.
Maintenance and change
Corrections, updates and modifications performed
Viruses, worms, macros, denial-of-service
Deviations in quality of service:
ISP, power or WAN service issues
Espionage or trespass:
Unauthorized access and/or data collection
Forces of nature:
Fire, flood, earthquake, lightning
Human error or failure:
Accidents, employee mistakes
Blackmail of information disclosure
No backup policy
Missing, inadequate, or incomplete organizational policy or planning:
Missing, inadequate, or incomplete controls:
No firewall security controls
Sabotage or vandalism:
Destruction of systems or information
Illegal acts of confiscation of equipment or information
Technical hardware failures or errors:
Technical software failures or errors:
Bugs, code problems, unknown loopholes
Antiquated or outdated technologies
Promotes the project
Manages the Project
Security Policy Developers:
Develop and implement policies
Risk Assessment Specialist:
valuate assets and suggest security methods
provide input from technical and non-technical standpoints
Administrate systems that house the organization's information
Users of the information, directly affected by the system.
Expert or Elite Hacker:
Master of programming languages, Operating systems, network protocols
Unskilled Hacker, Script Kiddie, or Packet Monkey:
Use programs and scripts developed by expert hackers to carry out attacks
One who removes software protection designed to prevent unauthorized duplication
Hacks the public telephone network
Hacktivist or cyberactivist:
hacks to protest the operations, policies or actions of an or government agency
Politically motivated attack which results in violence against noncombatant targets
Malicious code (or software) or malware:
Viruses, worms, Trojan horses
Warning of a non-existent virus or a virus embedded in a warning
Methods of access which bypass security checks
Applying a dictionary to a Security Account Manager (SAM) file
Trying all combinations of passwords
Like brute force but using common passwords
flooding a target with an overwhelming number of requests
Distributed Denial-of-Service (DDoS):
coordinated DoS from multiple locations using zombies
Using forged source IP addresses to gain access
Intercepting, modifying and re-inserting packets on a network
Flooding a target with an overwhelming number of e-mail messages
Monitors data traveling on the network
Using social skills to get people to reveal personal information
Using e-mail messages with links to bogus sites to gain personal information
Redirecting legitimate Web traffic to bogus sites
Attacking a Web browser's cache to store malicious forms of cookies
are rules that mandate or prohibit certain behavior in society. Ethics define socially acceptable behavior. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not.
has been taken when an organization makes sure that every employee what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical behavior.
requires that an organization makes a valid effort to protect others and continually maintain this level of effort.
deals with the relationships and conflicts between organizational entities and people.
addresses violations harmful to society and is actively enforced by the state.
encompasses civil law, family law, commercial law and labor law.
encompasses criminal law, administrative law and constitutional law.
Computer Fraud and Abuse act of 1986
The cornerstone of many computer-related federal laws and enforcement efforts.
National Information Infrastructure Protection Act of 1996
modified several provisions of the Computer Fraud and Abuse act of 1986. The severity of penalties under this act depends on the value of the information obtained and whether the offense is judged to have been committed, 1. for the purposes of commercial advantage 2. for private financial gain 3. in furtherance of a criminal act
USA Patriot Act and USA Patriot Act Improvement and Reauthorization Act
expanded the powers of the Department of Homeland Security and FBI in investigating terrorist activity. It also expanded the penalties for many computer related crimes.
The Privacy of Customer Information Section of the common carrier regulation states
that proprietary information shall be used explicitly for providing services, and not for any marketing purposes, and that carriers cannot disclose information except when necessary to provide their services.
The Electronic Communications Privacy Act of 1986
is a collection of statutes that regulate the interception of wire, electronic and oral communications.
The Financial Services Modernization Act (Gramm-Leach-Bliley Act of 1999) requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.
Sarbanes-Oxley Act of 2002
seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.
The Economic Espionage Act in 1996
attempts to prevent trade secrets from being illegally shared.
Ignorance, Accident, and Intent
Three general causes of unethical and illegal behavior
not an excuse for violating a law, but can be for a policy.
criminal or unethical intent goes to the state of mind of an individual performing the act.
Fear of penalty. Probability of being caught abd Probability of penalty being administered
is the process of identifying vulnerabilities in an organization's information system and taking careful reasoned steps to insure the confidentiality, integrity and availability of all the components in the organization's information system.
is the process of examining and documenting the security posture of an organization's information technology and the risks it faces.
is the process of applying controls to reduce the risks to an organization's data and information system.
(the likelihood of an occurrence of a vulnerability) X (by
the value of the information asset) - (the percentage of risk mitigated by current controls) + (the uncertainty of current knowledge of the vulnerability)
attempt to prevent the exploitation of the vulnerability
shift the risk to other asset, process or organization
reduce the impact through planning and preparation
do nothing; accept the outcome of exploitations
direct the organization to avoid those business activities that introduce uncontrollable risks
Asset values can be ranked using
both quantitative (actual value) and qualitative (relative value) methods.
best practices (or recommended practices)
Security efforts that seek to provide a superior level of performance in the protection of information
is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared".
the quantity and nature of risk that organizations are willing to accept.
the risk that remains even after the vulnerabilities have been controlled as much as possible.
A policy is
a plan or course of action used to convey instructions from an organization's senior-most management to those who make decisions, take actions and perform other duties.
more detailed statements of what must be done to comply with policy.
Informal standards, as in de facto standards
are part of the organizational culture.
Formal standards, i.e., dejour standards
may be published, scrutinized and ratified by a group.
are security processes that are designed by strategic planners and implemented by the security administration of the organization.
are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning.
are the tactical and technical implementations of security in the organization.
Technical Controls Include
access controls, such as, identification, authentication, authorization, accountability, cryptography and the classifications of assets and users.
used as a front-line defense against external attacks, since it can be configured to filter incoming data packets based on protocol.
a device that selectively discriminates against information flowing into or out of the organization.
DMZ (demilitarized zone)
a no-man's-land between the inside and outside networks.
performs actions on behalf of another system.
Security Policy Management requires
the policy stay visible
• Individuals responsible for policy reviews
• A schedule of reviews
• A method for making recommendations for changes
• The policy issuance date
• Policy revision date
Intrusion Detection Systems (IDSs)
detect unauthorized activity within the inner network or on
The security blueprint
is the basis for the design, selection and implementation of all security program elements including policy implementation, on-going policy management, risk management programs, education and training programs, technological controls and maintenance of the security program.
The security framework
is an outline of the overall information security strategy for the organizationand a roadmap for planned changes to the information security environment of an organization.
specifies the tasks and the order in which they are to be accomplished.
• Incident response (IR) plan
• Disaster recovery (DR) plan
• Business continuity (BC) plan
a detailed description of the activities that occurred during an attack.
Business unit analysis -
the analysis and prioritization of the business functions within the organization's departments, sections, divisions, groups or other units to determine which are most vital to continued operations.
attack scenario end case.
estimate the cost of the best, worst and most likely cases; the final result
Subordinate plan classification
once the potential damage has been assessed, and each
scenario and attack scenario end case has been evaluated, a subordinate plan must be
developed or identified from among existing plans already in place.
is any clearly identified attack on the organization's information assets that would threaten
the assets' confidentiality, integrity or availability.
Incident Response (IR):
Must be organized in such a way to support quick and easy access to required information
o The information in the IR plan is sensitive and must be protected
o The plan should be readily available to those who must respond to the incident
o The plan should be tested using one or more of the common strategies of checklists,
structured walk-through, simulations, parallel testing and even full interruption
o Check for incident indicators such as, Presence of unfamiliar files, presence or execution
of unknown programs or processes, unusual consumption of computer resources and
unusual system crashes.
o Notify key personnel through the use of an alert roster document containing contact
information for the individuals to be notified in the event of an incident
o Alert message - a scripted description of the incident, usually just enough information
so each individual on the alert roster knows what portion of the IR plan to implement
o Document the incident - as soon as an incident or disaster, has been declared, the
documentation of the event is begun
o Prioritization of Efforts - After the dust settles, people must be kept focused on the task
ahead, and make sure that the necessary personnel begin recovery operations as per
the Incident Response Plan.
o Damage assessment - Incident damage assessment is the rapid determination of the
scope of the breach of the confidentiality, integrity and availability of information and
information assets during or just following an incident.
o Recovery - Identify and resolve vulnerabilities. Install, replace or upgrade failed
safeguards. Improve monitoring capabilities. Restore data from backups. Restore
services. Continue monitoring for a similar attack. Restore the confidence of the
communities of interest.
o Perform an after-action review.
fully configured computer facility
like a hot site but without the applications installed and configured
provides rudimentary services and facilities, no computer hardware provided
a hot, warm or cold site leased in conjunction with a business partner or sister organization
an agency that provides a service for a fee
a contract between two or more organizations that specifies how each will assist the other in a disaster Other options include a rolling mobile site configured in the payload area of a tractor or trailer
Off-site disaster data storage
needed to get an alternate site up and running
the electronic transfer of large batches of data to an off-site facility
the electronic transfer of live transactions to an off-site facility
like remote journaling, but not only processes duplicate, realtime data storage, but also duplicates the databases at the remote site to multiple servers