
Chapters 1-5

Availability

enables authorized users to access information without interference or obstruction
and to receive it in the required format.

Accuracy

free from mistakes or errors and has the value that the end
user expects.

Authenticity

The quality or state of information being genuine or original, rather than a reproduction or fabrication.

Confidentiality

When information is protected from disclosure or exposure to
unauthorized individuals or systems.

Integrity

When information is whole, complete, and uncorrupted

Utility

information is the quality or state of having value for some purpose or end.

Possession

the quality or state of ownership or control.

C.I.A. triangle

Confidentiality, Integrity and Accessibility

NSTISSC model evolved from:

C.I.A. triangle

NSTISSC model

accuracy, authenticity, utility and possession

information system includes

software, hardware, data, people, procedures and networks

Systems Development Life Cycle (SDLC)

Investigation, Logical Design, Physical Design, Implementation, Maintenance and change

Investigation

Objectives, constraints and scope of the project are defined.

Analysis

Assessment of current systems and ability to support proposed changes.

Logical Design

Blueprint for the desired system.

Physical Design

Specific technologies evaluated, selected and acquired.

Implementation

Technology is installed and tested and training is done.

Maintenance and change

Corrections, updates and modifications performed

Software attacks:

Viruses, worms, macros, denial-of-service

Deviations in quality of service:

ISP, power or WAN service issues

Espionage or trespass:

Unauthorized access and/or data collection

Forces of nature:

Fire, flood, earthquake, lightning

Human error or failure:

Accidents, employee mistakes

Information extortion:

Blackmail of information disclosure

Missing, inadequate, or incomplete organizational policy or planning:

No backup policy

Missing, inadequate, or incomplete controls:

No firewall security controls

Sabotage or vandalism:

Destruction of systems or information

Theft:

Illegal acts of confiscation of equipment or information

Technical hardware failures or errors:

Equipment failure

Technical software failures or errors:

Bugs, code problems, unknown loopholes

Technical obsolescence:

Antiquated or outdated technologies

Champion:

Promotes the project

Team Leader:

Manages the Project

Security Policy Developers:

Develop and implement policies

Risk Assessment Specialist:

Evaluate assets and suggest security methods

Security Professionals:

provide input from technical and non-technical standpoints

System Administrators:

Administrate systems that house the organization's information

End Users:

Users of the information, directly affected by the system.

Expert or Elite Hacker:

Master of programming languages, Operating systems, network protocols

Unskilled Hacker, Script Kiddie, or Packet Monkey:

Use programs and scripts developed by expert hackers to carry out attacks

Cracker:

One who removes software protection designed to prevent unauthorized duplication

Phreaker:

Hacks the public telephone network

Hacktivist or cyberactivist:

Hacks to protest the operations, policies or actions of an organization or government agency

Cyberterrorism:

Politically motivated attack which results in violence against noncombatant targets

Malicious code (or software) or malware:

Viruses, worms, Trojan horses

Hoaxes:

Warning of a non-existent virus or a virus embedded in a warning

Back Doors:

Methods of access which bypass security checks

Password Crack:

Applying a dictionary to a Security Account Manager (SAM) file

Brute Force:

Trying all combinations of passwords

Dictionary Attack:

Like brute force but using common passwords

Denial-of-Service (DoS):

flooding a target with an overwhelming number of requests

Distributed Denial-of-Service (DDoS):

coordinated DoS from multiple locations using zombies

Spoofing:

Using forged source IP addresses to gain access

Man-in-the-Middle:

Intercepting, modifying and re-inserting packets on a network

Spam:

Unsolicited e-mail

Mail Bombing:

Flooding a target with an overwhelming number of e-mail messages

Sniffers:

Monitors data traveling on the network

Social Engineering:

Using social skills to get people to reveal personal information

Phishing:

Using e-mail messages with links to bogus sites to gain personal information

Pharming:

Redirecting legitimate Web traffic to bogus sites

Timing Attack:

Attacking a Web browser's cache to store malicious forms of cookies

Laws

are rules that mandate or prohibit certain behavior in society. Ethics define socially acceptable behavior. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not.

Due care

has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical behavior.

Due diligence

requires that an organization makes a valid effort to protect others and continually maintain this level of effort.

Civil law

deals with the relationships and conflicts between organizational entities and people.

Criminal law

addresses violations harmful to society and is actively enforced by the state.

Private law

encompasses civil law, family law, commercial law and labor law.

Public law

encompasses criminal law, administrative law and constitutional law.

Computer Fraud and Abuse act of 1986

The cornerstone of many computer-related federal laws and enforcement efforts.

National Information Infrastructure Protection Act of 1996

modified several provisions of the Computer Fraud and Abuse Act of 1986. The severity of penalties under this act depends on the value of the information obtained and whether the offense is judged to have been committed:
1. for the purposes of commercial advantage
2. for private financial gain
3. in furtherance of a criminal act

USA Patriot Act and USA Patriot Act Improvement and Reauthorization Act

expanded the powers of the Department of Homeland Security and FBI in investigating terrorist activity. It also expanded the penalties for many computer related crimes.

The Privacy of Customer Information Section of the common carrier regulation states

that proprietary information shall be used explicitly for providing services, and not for any marketing purposes, and that carriers cannot disclose information except when necessary to provide their services.

The Electronic Communications Privacy Act of 1986

is a collection of statutes that regulate the interception of wire, electronic and oral communications.

The Financial Services Modernization Act (Gramm-Leach-Bliley Act of 1999)

requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.

Sarbanes-Oxley Act of 2002

seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.

The Economic Espionage Act in 1996

attempts to prevent trade secrets from being illegally shared.

Ignorance, Accident, and Intent

Three general causes of unethical and illegal behavior

Ignorance

not an excuse for violating a law, but can be for a policy.

Accident

.

Intent

criminal or unethical intent goes to the state of mind of an individual performing the act.

Deterrence

Fear of penalty, probability of being caught and probability of the penalty being administered

Risk management

is the process of identifying vulnerabilities in an organization's information system and taking careful, reasoned steps to ensure the confidentiality, integrity and availability of all the components in the organization's information system.

Risk identification

is the process of examining and documenting the security posture of an organization's information technology and the risks it faces.

Risk control

is the process of applying controls to reduce the risks to an organization's data and information system.

Risk is

(the likelihood of an occurrence of a vulnerability) multiplied by (the value of the information asset) - (the percentage of risk mitigated by current controls) + (the uncertainty of current knowledge of the vulnerability)

Defend (Avoid)

attempt to prevent the exploitation of the vulnerability

Transfer

shift the risk to other asset, process or organization

Mitigate

reduce the impact through planning and preparation

Accept

do nothing; accept the outcome of exploitations

Terminate

direct the organization to avoid those business activities that introduce uncontrollable risks

Asset values can be ranked using

both quantitative (actual value) and qualitative (relative value) methods.

best practices (or recommended practices)

Security efforts that seek to provide a superior level of performance in the protection of information

Baselining

is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared".

Risk appetite

the quantity and nature of risk that organizations are willing to accept.

Residual risk

the risk that remains even after the vulnerabilities have been controlled as much as possible.

A policy is

a plan or course of action used to convey instructions from an organization's senior-most management to those who make decisions, take actions and perform other duties.

Standards

more detailed statements of what must be done to comply with policy.

Informal standards, as in de facto standards

are part of the organizational culture.

Formal standards, i.e., de jure standards

may be published, scrutinized and ratified by a group.

Managerial controls

are security processes that are designed by strategic planners and implemented by the security administration of the organization.

Operational controls

are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning.

Technical controls

are the tactical and technical implementations of security in the organization.

Technical Controls Include

access controls such as identification, authentication, authorization, accountability, cryptography and the classification of assets and users.

Gateway router

used as a front-line defense against external attacks, since it can be configured to filter incoming data packets based on protocol.

A firewall

a device that selectively discriminates against information flowing into or out of the organization.

DMZ (demilitarized zone)

a no-man's-land between the inside and outside networks.

Proxy server

performs actions on behalf of another system.

Security Policy Management requires that

• The policy stays visible
• Individuals responsible for policy reviews
• A schedule of reviews
• A method for making recommendations for changes
• The policy issuance date
• Policy revision date

Intrusion Detection Systems (IDSs)

detect unauthorized activity within the inner network or on
individual machines.

The security blueprint

is the basis for the design, selection and implementation of all security program elements including policy implementation, on-going policy management, risk management programs, education and training programs, technological controls and maintenance of the security program.

The security framework

is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of an organization.

The blueprint

specifies the tasks and the order in which they are to be accomplished.

Continuity Strategies

• Incident response (IR) plan
• Disaster recovery (DR) plan
• Business continuity (BC) plan

attack profile

a detailed description of the activities that occurred during an attack.

Business unit analysis

the analysis and prioritization of the business functions within the organization's departments, sections, divisions, groups or other units to determine which are most vital to continued operations.

Attack scenario end case

the final result of estimating the cost of the best, worst and most likely cases

Subordinate plan classification

once the potential damage has been assessed, and each
scenario and attack scenario end case has been evaluated, a subordinate plan must be
developed or identified from among existing plans already in place.

An incident

is any clearly identified attack on the organization's information assets that would threaten
the assets' confidentiality, integrity or availability.

Incident Response (IR):

Planning
Detection
Reaction
Recovery

(IR) Planning

Must be organized in such a way as to support quick and easy access to required information
o The information in the IR plan is sensitive and must be protected
o The plan should be readily available to those who must respond to the incident
o The plan should be tested using one or more of the common strategies: checklists,
structured walk-through, simulations, parallel testing and even full interruption

(IR)Detection

o Check for incident indicators such as presence of unfamiliar files, presence or execution
of unknown programs or processes, unusual consumption of computer resources and
unusual system crashes.

(IR)Reaction

o Notify key personnel through the use of an alert roster document containing contact
information for the individuals to be notified in the event of an incident
o Alert message - a scripted description of the incident, usually just enough information
so each individual on the alert roster knows what portion of the IR plan to implement
o Document the incident - as soon as an incident or disaster has been declared, the
documentation of the event is begun

(IR)Recovery

o Prioritization of Efforts - After the dust settles, people must be kept focused on the task
ahead, and it must be ensured that the necessary personnel begin recovery operations as per
the Incident Response Plan.
o Damage assessment - Incident damage assessment is the rapid determination of the
scope of the breach of the confidentiality, integrity and availability of information and
information assets during or just following an incident.
o Recovery - Identify and resolve vulnerabilities. Install, replace or upgrade failed
safeguards. Improve monitoring capabilities. Restore data from backups. Restore
services. Continue monitoring for a similar attack. Restore the confidence of the
communities of interest.
o Perform an after-action review.

Hot sites

fully configured computer facility

Warm sites

like a hot site but without the applications installed and configured

Cold sites

provides rudimentary services and facilities, no computer hardware provided

Time-share

a hot, warm or cold site leased in conjunction with a business partner or sister organization

Service bureau

an agency that provides a service for a fee

Mutual agreements

a contract between two or more organizations that specifies how each will assist the other in a disaster. Other options include a rolling mobile site configured in the payload area of a tractor or trailer.

Off-site disaster data storage

needed to get an alternate site up and running

Electronic vaulting

the electronic transfer of large batches of data to an off-site facility

Remote journaling

the electronic transfer of live transactions to an off-site facility

Database shadowing

like remote journaling, but not only processes duplicate, real-time data storage, but also duplicates the databases at the remote site to multiple servers
