Key Terms

Access - a subject or object's ability to use, manipulate, modify, or affect another subject or object.
Asset - the organizational resource that is being protected.
Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Exploit - to take advantage of weaknesses or vulnerability in a system.
Exposure - a single instance of being open to damage.
Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system.
Object - a passive entity in the information system that receives or contains information.
Risk - the probability that something can happen.
Security Blueprint - the plan for the implementation of new security measures in the organization.
Security Model - a collection of specific security rules that represents the implementation of a security policy.
Security Posture or Security Profile - a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.
Subject - an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
Threats - a category of objects, persons, or other entities that represents a potential danger to an asset.
Threat Agent - a specific instance or component of a more general threat.
Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.

Critical Characteristics of Information: The value of information comes from the characteristics it possesses.
Availability - Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
Accuracy - Free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
Authenticity - The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality - The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity - The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Utility - The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
Possession - The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Components of network systems: Software, Hardware, Data, People, Procedures, Networks.

Data Responsibilities
Now that you understand the responsibilities of both senior management and the security project team, we can define the roles of those who own and safeguard the data.
Data Owner - Responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organization change.
Data Custodian - Responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
Data Users - The end systems users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Chapter 2

Information security performs four important functions for an organization:
1. Protects the organization's ability to function
2. Enables the safe operation of applications implemented on the organization's IT systems
3. Protects the data the organization collects and uses
4. Safeguards the technology assets in use at the organization

Threat: an object, person, or other entity that represents a constant danger to an asset.

Intellectual property (IP): "ownership of ideas and control over the tangible or virtual representation of those ideas". The most common IP breaches involve software piracy. Software & Information Industry Association (SIIA); Business Software Alliance (BSA).

Deliberate Software Attacks
Deliberate software attacks occur when an individual or group designs software to attack an unsuspecting system. Most of this software is referred to as malicious code or malicious software, or sometimes malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks.

Computer viruses are segments of code that perform malicious actions. This code behaves very much like a virus pathogen attacking animals and plants, using the cell's own replication machinery to propagate and attack. The code attaches itself to the existing program and takes control of that program's access to the targeted computer. The virus-controlled target program then carries out the virus's plan by replicating itself into additional targeted systems. The macro virus is embedded in the automatically executing macro code, common in office productivity software like word processors, spreadsheets, and database applications. The boot virus infects the key operating system files located in a computer's boot sector.

Trojan horses - Software programs that hide their true nature and reveal their designed behavior only when activated. Trojan horses are frequently disguised as helpful, interesting, or necessary pieces of software, such as readme.exe files often included with shareware or freeware packages.
Worms - Malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
Back door or Trap door - A virus or worm can have a payload that installs a back door or trap door component in a system. This allows the attacker to access the system at will with special privileges.
Polymorphism - A threat that changes its apparent shape over time, representing a new threat not detectable by techniques that are looking for a preconfigured signature. These threats actually evolve, changing their size and appearance to elude detection by antivirus software programs, making detection more of a challenge.
Virus and Worm Hoaxes - As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus hoaxes. Well-meaning people spread the viruses and worms when they send e-mails warning of fictitious or virus-laden threats.

Deliberate Acts of Espionage or Trespass
When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass. The classic perpetrator of deliberate acts of espionage or trespass is the hacker.
Password Crack - Attempting to reverse calculate a password.
Brute Force - The application of computing and network resources to try every possible combination of options of a password.
Dictionary - The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guess with.
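The brute-force and dictionary attacks above are bounded by two things a defender controls: the size of the search space (length and character classes) and whether the password is predictable. The following Python check is an added example written from the defender's side, not part of the original notes; it estimates the brute-force search space of a candidate password and tests it against a small constructed list of common passwords with a simple suffix-stripping rule. The word list, the guess rate of one billion per second, and the policy thresholds are assumptions for the example.

```python
import string

# Constructed sample of commonly used passwords (assumption: a real policy check
# would load a large published list of breached or common passwords).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Character classes a brute-force attacker has to cover; string.punctuation has 32 symbols.
# Characters outside these classes (such as spaces) are not counted, which keeps the estimate conservative.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Sum of the sizes of every character class the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def brute_force_keyspace(password: str) -> int:
    """Upper bound on the candidates an exhaustive search must try for a
    password of this length built from the same character classes."""
    return charset_size(password) ** len(password)


def expected_crack_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Expected time to hit the password by brute force: on average half the
    keyspace is searched before the password is found. The guess rate is an assumption."""
    return brute_force_keyspace(password) / 2 / guesses_per_second


def dictionary_hit(password: str) -> bool:
    """True if the password is a dictionary word, directly or after stripping a
    trailing run of digits and '!' (a mangling rule dictionary attacks commonly apply,
    so a policy check should apply it too)."""
    lowered = password.lower()
    base = lowered.rstrip(string.digits + "!")
    return lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS


def evaluate_password(password: str, min_length: int = 12, min_years: float = 1.0):
    """Apply a simple policy: reject dictionary-derived passwords, enforce a minimum
    length, and require the expected brute-force time to exceed min_years.
    Returns (accepted, list_of_reasons)."""
    reasons = []
    if dictionary_hit(password):
        reasons.append("derived from a common-password dictionary entry")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if expected_crack_seconds(password) < min_years * 365 * 24 * 3600:
        reasons.append("brute-force search space too small")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor&3", "correct horse battery staple"):
        accepted, why = evaluate_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {why}")
```

The point the run makes is that "Password1!" is rejected even though it mixes all four character classes, because a dictionary attack with a trivial mangling rule reaches it immediately, while a long all-lowercase passphrase passes on search-space size alone.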
Sniffers - A program and/or device that can monitor data travelling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network.
Phishing - An attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity.
Pharming - "The redirection of legitimate Web traffic (e.g. browser requests) to an illegitimate site for the purpose of obtaining private information."
Timing Attack - Relatively new, works by exploring the contents of a Web browser's cache. This could allow the designer to collect information to access password-protected sites. Another attack by the same name involves attempting to intercept cryptographic elements to determine keys and encryption algorithms.

Secure software development: Software principles; Software development problems.

Chapter 3

Liability: legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitution
Restitution: to compensate for wrongs committed by an organization or its employees
Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
Due diligence: making a valid effort to protect others, continually maintaining the level of effort
Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry
Long arm jurisdiction: the right of any court to impose its authority over an individual or organization if it can establish jurisdiction

Civil law represents a wide variety of laws that are recorded in volumes of legal "code" available for review by the average citizen. Criminal law addresses violations harmful to society and is actively enforced through prosecution by the state.
Tort law allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.

Privacy is a "state of being free from unsanctioned intrusion".

Acts (laws):
Computer Security Act of 1987
National Information Infrastructure Protection Act of 1996
USA PATRIOT Act of 2001
The Federal Privacy Act of 1974 regulates the government in the protection of individual privacy and was created to ensure that government agencies protect the privacy of individuals' and businesses' information and to hold those agencies responsible if any portion of this information is released without permission.
The Electronic Communications Privacy Act of 1986 regulates the interception of wire, electronic, and oral communications. The ECPA works in conjunction with the Fourth Amendment of the US Constitution, which provides protections from unlawful search and seizure.
The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, impacts all health-care organizations including small doctor practices, health clinics, life insurers and universities, as well as some organizations which have self-insured employee health programs.
The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 requires all financial institutions to disclose their privacy policies on the sharing of non-public personal information. It also requires due notice to customers so that they can request that their information not be shared with third parties.
In an attempt to protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared.
The Security And Freedom Through Encryption Act of 1997 (SAFE) was an attempt by Congress to provide guidance on the use of encryption and provided measures of public protection from government intervention.
Sarbanes-Oxley Act of 2002 - financial reporting
The Freedom of Information Act 1966
Digital Millennium Copyright Act (DMCA)
Directive 95/46/EC

Organisations:
ACM - "first educational and scientific computing society"
International Information Systems Security Certification Consortium, Inc. (ISC)2
Information Systems Audit and Control Association (ISACA)
Department of Homeland Security (DHS)
Federal Bureau of Investigation's National InfraGard Program
National Security Agency (NSA)
U.S. Secret Service

Chapter 4

Risk identification is the formal process of examining and documenting the current information technology security situation. Risk identification is conducted within the larger process of identifying and justifying risk controls, known as risk management.

Risk Management Process
• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Ensuring that the controls remain effective
We can determine the relative risk for each of the vulnerabilities through a process called risk assessment.
Risk determination = vulnerabilities + potential threats (uncertainty), times value impact, minus risk covered.
Residual risk is the risk that remains to the information asset even after the existing control has been applied.

There are three general categories of controls: Policies, Programs, and Technologies.

Strategies for risk control:
Defend is the risk control strategy that attempts to prevent the realization or exploitation of the vulnerability. This is the preferred approach, as it seeks to avoid risk in its entirety rather than deal with it after it has been realized. Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and/or adding protective safeguards. The most common methods of avoidance involve three areas of controls: avoidance through application of policy, training and education, and technology.
Transfer is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Acceptance: Doing nothing to protect a vulnerability and accepting the outcome of its exploitation.
The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
Risk appetite is used to describe the degree to which an organization is willing to accept risk as a tradeoff to the expense of applying controls.

The clean desk policy requires each employee to secure any and all information in its appropriate storage container at the end of each day. When classified information is no longer valuable or excessive copies exist, proper care should be taken to destroy any unneeded copies through shredding, burning, or transfer to an authorized document destruction service. There are those individuals who would not hesitate to engage in dumpster diving to retrieve information that could prove embarrassing or compromise the security of information in the organization.

CBA (cost-benefit analysis)
• Expected loss per risk is stated in the following equation:
  - Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)
• SLE = asset value × exposure factor (EF)
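Worked through in code, the SLE and ALE equations above decide whether a control is worth buying. The Python below is an added example, not part of the original notes: it computes SLE and ALE before and after a control and then the net annual benefit as ALE(prior) − ALE(post) − annualized cost of the safeguard (ACS). That CBA form is the conventional extension of the two equations on the page, not something the notes state, and the asset value, exposure factors, rates of occurrence and control costs are constructed figures.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF). EF is the fraction of the asset's
    value lost in a single occurrence, so it must lie between 0.0 and 1.0."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (ARO). An ARO of 0.1 means the
    loss is expected once every ten years; values above 1 mean several times a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """Net annual benefit of a control: the ALE it removes minus what it costs per year.
    (Assumption: CBA = ALE(prior) - ALE(post) - ACS, the usual extension of the ALE equation.)"""
    return ale_prior - ale_post - annual_cost_of_safeguard


def evaluate_control(asset_value: float, ef_prior: float, aro_prior: float,
                     ef_post: float, aro_post: float, acs: float) -> dict:
    """Compute ALE with and without the control and say whether the control pays for itself."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "cba": cba, "justified": cba > 0}


if __name__ == "__main__":
    # Constructed scenario: a customer database valued at 1,000,000; a ransomware
    # incident is expected to destroy 25% of that value (EF 0.25) about once per
    # decade (ARO 0.1). A backup-and-detection control leaves EF unchanged but is
    # assumed to cut the ARO to 0.01. Two candidate controls differ only in price.
    for label, acs in (("control A", 15_000), ("control B", 30_000)):
        result = evaluate_control(1_000_000, 0.25, 0.1, 0.25, 0.01, acs)
        print(f"{label}: ALE before {result['ale_prior']:,.0f}, after {result['ale_post']:,.0f}, "
              f"CBA {result['cba']:,.0f} -> {'justified' if result['justified'] else 'not justified'}")
```

In the constructed scenario the ALE falls from 25,000 to 2,500, so a control costing 15,000 a year nets 7,500 and is justified, while the same control at 30,000 a year costs more than the loss it prevents; the risk is then a candidate for acceptance or transfer rather than defense.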
Other feasibility studies.

Benchmarking: the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate. In information security, two categories of benchmarks are used: standards of due care/due diligence and best practices.

When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a standard of due care. It is insufficient to just implement these standards and then ignore them. Due diligence is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection. Failure to support a standard of due care or due diligence can open an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection. The application of controls at or above the prescribed levels and the maintenance of those standards of due care show that the organization has performed due diligence.

Within best practices is a subcategory of practices referred to as the gold standard, those practices typically viewed as "the best of the best."

Baselining is the comparison of security activities and events against the organization's future performance.
Metrics-based measures. Process-based measures.

Chapter 5

Preparation of the security blueprint.
IS planning and governance outcomes: Strategic alignment, Risk management, Resource management, Performance measures, Value delivery.
Policy: course of action used by the organization to convey instructions from management to those who perform duties
Standards: more detailed statements of what must be done to comply with policy
Procedures:
A security program policy (SPP) is also known as a general security policy, IT security policy, or information security policy. This policy sets the strategic direction, scope, and tone for all security efforts within the organization.
Issue-Specific Security Policy (ISSP): As the organization executes various technologies and processes to support routine operations, certain guidelines are needed to instruct employees to use these technologies and processes properly.
Systems-Specific Policy (SysSP): While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems.
Policy management.

ISO 27000 security standard: This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security. The ISO/IEC 27001:2005 Plan-Do-Check-Act Cycle.

NIST guides:
- SP 800-12, The Computer Security Handbook
- SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems
- SP 800-18, The Guide for Developing Security Plans for IT Systems
- SP 800-26, Security Self-Assessment Guide for Information Technology Systems
- SP 800-30, Risk Management Guide for Information Technology Systems
NIST Special Publication 800-14 explains 33 security principles.

IETF Security Architecture: RFC 2196, Site Security Handbook, provides an overview of five basic areas of security with detailed discussions on development and implementation.

Baselining and best practices are solid methods for collecting security practices, but provide less detail than a complete methodology.

Security architecture: managerial, technical, operational.
Defense in Depth - One of the foundations of security architectures is the requirement to implement security in layers. Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls.
Security Perimeter - The point at which an organization's security protection ends and the outside world begins is referred to as the security perimeter.
• Firewall: device that selectively discriminates against information flowing in or out of the organization
• DMZs: no-man's land between inside and outside networks where some place Web servers
• Proxy servers: performs actions on behalf of another system
• Intrusion detection systems (IDSs): in an effort to detect unauthorized activity within the inner network, or on individual machines, the organization may wish to implement an IDS
• Security education, training, awareness

Strategies:
Contingency planning (CP) is the entire planning conducted by the organization to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal modes of business operations.
Contingency planning team: Champion: top management support; Project manager: dictates the project; Team members: managers from different departments.

A Business Impact Analysis (BIA) is an investigation and assessment of the impact that various attacks can have on the organization and takes up where the risk assessment process leaves off. Stages of BIA.

Incident response planning (IRP) is the planning process associated with the identification, classification, response, and recovery from an incident.
Incident classification is the process of examining a potential incident or incident candidate and determining whether or not the candidate constitutes an actual incident.
Incident detection. Incident response: stop and repair. Incident recovery.
Damage assessment: Incident damage assessment is the immediate determination of the scope of the breach of CIA of information and assets after an incident.

Disaster recovery planning (DRP) is the planning process associated with the preparation for and recovery from a disaster, whether natural or man-made.
Business continuity planning (BCP) is the planning process associated with ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
Crisis management: preparation, training, rehearsal. Model for contingency plan. Enforcement of law.

Computer forensics is the process of collecting, analyzing, and preserving computer-related evidence. Evidence proves an action or intent.

Business continuity planning: hot, warm, and cold site strategies; time-share, service bureaus, and mutual agreements.
Data transfer or port strategies:
Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
Remote journaling - The transfer of live transactions to an off-site facility; only transactions are transferred, not archived data, and the transfer is real-time.
Database shadowing - Not only processing duplicate real-time data storage, but also duplicating the databases at the remote site to multiple servers.

Chapter 6

• Access control: method by which systems determine whether and how to admit a user into a trusted area of the organization
• Mandatory access controls (MACs): use data classification schemes
• Nondiscretionary controls: strictly-enforced version of MACs that are managed by a central authority
• Discretionary access controls (DACs): implemented at the discretion or option of the data user
• Identification: mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system
• Supplicant: entity that seeks a resource
• Authentication: the process of validating a supplicant's purported identity. Something the supplicant has: Smart card (contains a computer chip that can verify and validate information), synchronous tokens, asynchronous tokens
• Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels
• Accountability (auditability): ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity

Firewalls:
Packet filtering firewalls examine header information of data packets.
• Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed
• Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal with the event
• Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
• Application gateways: Frequently installed on a dedicated computer, also known as a proxy server. Since the proxy server is often placed in an unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks; put more filters behind it.
• Circuit gateway firewall: Operates at the transport layer; does not allow connections between networks, but creates tunnels to divert the traffic.
• Hybrid firewalls

Firewall generations:
• First generation: static packet filtering firewalls
• Second generation: application-level firewalls or proxy servers
• Third generation: stateful inspection firewalls
• Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter
• Fifth generation: kernel proxies, a specialized form working under the kernel of Windows NT
Firewalls: hardware is reliable.

Firewall architectures:
• Packet filtering routers: Many of these routers can be configured to reject packets that the organization does not allow into the network. Drawbacks include a lack of auditing and strong authentication.
• Screened Host Firewalls: This architecture combines the packet filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy. This separate host is often referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be very well secured.
• Dual-homed host firewalls: The bastion host contains two network interface cards (NICs): one connected to the external network, one connected to the internal network.
• Screened subnet firewall: The dominant architecture used today, the screened subnet firewall provides a DMZ, which can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.

SOCKS is the protocol for handling TCP traffic via a proxy server.
Cost is an issue. When security rules conflict with the performance of business, security often loses. Best practices for firewalls: chap6 slide42.
A content filter is a software filter, technically not a firewall, that allows administrators to restrict access to content from within a network.

• Remote access: Unsecured, dial-up connection points represent a substantial exposure to attack. An attacker can use a device called a war dialer to locate connection points.
• War dialer: automatic phone-dialing program that dials every number in a configured range and records the number if a modem picks up.
• Some technologies (RADIUS systems, TACACS, CHAP password systems) have improved the authentication process.
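The difference between the first-generation static filter and the third-generation stateful inspection firewall listed above is easiest to see on return traffic. The Python below is an added example, not code from the original notes: it models both filters over a constructed 5-tuple packet and three constructed packets (an outbound web request from an inside host, the server's reply, and an unsolicited inbound packet that merely uses source port 80). The internal prefix 10.0.0. and the addresses are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (constructed 5-tuple, no payload)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


INTERNAL = "10.0.0."  # constructed internal network prefix


def _match(value, pattern):
    """None matches anything; string patterns match by prefix; ints must be equal."""
    if pattern is None:
        return True
    if isinstance(pattern, str):
        return value.startswith(pattern)
    return value == pattern


class StaticPacketFilter:
    """First generation: a fixed rule list evaluated on header fields alone,
    first match wins, implicit deny when nothing matches."""

    def __init__(self, rules):
        # each rule: (action, src_prefix, sport, dst_prefix, dport), None = wildcard
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for action, src, sport, dst, dport in self.rules:
            if (_match(pkt.src, src) and _match(pkt.sport, sport)
                    and _match(pkt.dst, dst) and _match(pkt.dport, dport)):
                return action
        return "deny"


class StatefulInspectionFirewall:
    """Third generation: records connections opened from the inside in a state
    table and admits an inbound packet only when it answers a recorded connection."""

    def __init__(self, internal_prefix: str, allowed_outbound_ports):
        self.internal = internal_prefix
        self.allowed_outbound = set(allowed_outbound_ports)
        self.state_table = set()  # (internal ip, internal port, remote ip, remote port, proto)

    def decide(self, pkt: Packet) -> str:
        if pkt.src.startswith(self.internal):
            # Outbound: enforce policy, then remember the connection for its replies.
            if pkt.dport not in self.allowed_outbound:
                return "deny"
            self.state_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        # Inbound: allowed only if it is the mirror image of a tracked connection.
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if reply_key in self.state_table else "deny"


def run_demo():
    """Compare both filters on three constructed packets and return the verdicts."""
    # Static policy that lets web browsing work: outbound to port 80 plus any
    # inbound packet whose source port is 80, the only way a static filter can
    # admit replies, because it cannot tell a reply from a fresh connection.
    static = StaticPacketFilter([
        ("allow", INTERNAL, None, None, 80),
        ("allow", None, 80, INTERNAL, None),
    ])
    stateful = StatefulInspectionFirewall(INTERNAL, allowed_outbound_ports={80, 443})

    outbound = Packet("10.0.0.5", 51000, "203.0.113.7", 80)      # inside host opens a web connection
    reply = Packet("203.0.113.7", 80, "10.0.0.5", 51000)         # the web server's answer
    unsolicited = Packet("198.51.100.9", 80, "10.0.0.5", 3389)   # nobody inside asked for this

    verdicts = {}
    for name, pkt in (("outbound", outbound), ("reply", reply), ("unsolicited", unsolicited)):
        verdicts[name] = {"static": static.decide(pkt), "stateful": stateful.decide(pkt)}
    return verdicts


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:<12} static={v['static']:<5} stateful={v['stateful']}")
```

Both filters pass the request and its reply, but only the stateful firewall denies the unsolicited packet: the static rule that was needed to let replies in admits anything that merely claims source port 80, which is why stateful inspection became the dominant approach and why the notes pair the packet filtering router with a second, application-level firewall in the screened host architecture.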
• RADIUS: centralizes management of the user authentication system in a central RADIUS server
• Diameter: emerging alternative derived from RADIUS
• Terminal Access Controller Access Control System (TACACS): validates a user's credentials at a centralized server (like RADIUS), based on a client/server configuration

Kerberos uses symmetric key encryption to validate an individual user to various network resources. Kerberos keeps a database containing the private keys of clients and servers; in the case of a client, this key is simply the client's encrypted password.
Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos.

A VPN is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. Types: Trusted VPN, Secure VPN, Hybrid VPN.
A VPN must accomplish:
- Encapsulation of incoming and outgoing data
- Encryption of incoming and outgoing data
- Authentication of the remote computer and (perhaps) the remote user as well
In tunnel mode, the organization establishes two perimeter tunnel servers. These servers serve as the encryption points, encrypting all traffic that will traverse an unsecured network.