History of information security

Questions and Answers

What was a primary focus of early computer security efforts immediately following the development of the first mainframes?

• Creating software firewalls to protect against remote attacks.
• Developing sophisticated network intrusion detection systems.
• Physical controls limiting access to sensitive military locations. (correct)
• Implementing complex encryption algorithms.

Which of the following is the earliest known publication detailing password security in computer systems?

• Time-Sharing Computer Systems. (correct)
• The UNIX System: UNIX Operating System Security.
• Protection Analysis: Final Report.
• Security Controls for Computer Systems.

In what year did researchers develop what is now known as IPSEC security?

• 1979
• 1978
• 1992 (correct)
• 1984

What was the initial focus of the Advanced Research Projects Agency (ARPA) in the 1960s regarding networked communications?

Examining the feasibility of redundant networked communications. (D)

Which of the following represents a fundamental security problem identified with the early ARPANET?

A lack of safety procedures for dial-up connections. (C)

RAND Report R-609 is most notably recognized for initiating the study of what area?

Computer Security (B)

What security measure was NOT part of the expansion of computer security from physical security in the 1970s and 80s?

Implementing mandatory background checks for all employees. (D)

What key trend contributed significantly to the increased need for computer security in the 1990s?

Networks of computers became more common and connected to each other. (D)

What critical factor is influenced by the security of every computer to which it is connected?

The ability to secure a computer's data (A)

Which of the following best describes the concept of 'security' in the context of information systems?

The process of achieving a state of being secure and free from danger or harm. (B)

Which of the following is NOT one of the layers of security a successful organization should have in place?

Public perception (A)

Which of the following has become viewed as inadequate within the C.I.A. triad?

All of the above. (D)

What fundamental principle does the McCumber Cube emphasize in the context of information security?

The multidimensional nature of security, incorporating technology, policy, and human factors. (D)

In the context of information security, what constitutes an 'information system'?

The entire set of people, procedures, and technology that enable business to use information. (A)

Which statement best describes the balance between information security and accessibility?

Security should balance protection with reasonable access. (A)

What is the key disadvantage of a bottom-up approach to information security implementation?

It often lacks participant support and organizational staying power. (C)

Which approach to information security implementation is initiated by upper management?

Top-down approach (C)

What is the formal development strategy often associated with the most successful type of top-down approach?

Systems development life cycle (D)

What is the primary question addressed during the 'Investigation' phase of the Systems Development Life Cycle (SDLC)?

What problem is the system being developed to solve? (D)

In which phase of the SDLC are objectives, constraints, and project scope defined?

Investigation (B)

What primarily takes place during the Analysis phase of the Systems Development Life Cycle (SDLC)?

Assessments of the organization, current systems, and capabilities. (D)

Which of the following occurs during the Logical Design phase of the SDLC?

Identification of data support and structures for needed inputs. (B)

During which phase of the SDLC are specific technologies selected to support the alternatives identified?

Physical Design (B)

Which output is created during the Implementation phase of Systems Development Life Cycle (SDLC)?

Supporting documentation for users. (D)

Which SDLC phase is typically the most time-consuming and costly?

Maintenance and Change (C)

What is the primary goal of Software Assurance (SA)?

To create software more capable of being deployed in a secure fashion. (C)

What does the acronym SwA CBK stand for?

Secure Software Assurance Common Body of Knowledge (A)

Which of the following is NOT a section contained within the SwA CBK?

System Architecture Blueprints (B)

Which software design principle advocates for verifying authority for every access to every object?

Checking every access for authority. (C)

What recommendation does NIST Special Publication 800-64, rev. 2, make regarding security in the SDLC?

Integrate security early to maximize return on investment. (C)

According to NIST, what key security activity should be performed during the Initiation phase?

Delineating business requirements in terms of CIA. (B)

During which phase of the NIST approach to securing the SDLC is risk assessment conducted?

Development/Acquisition (B)

What action is performed during the NIST Implementation/Assessment phase?

Integrating information system into its environment. (B)

Which of the following activities takes place during the Operations and Maintenance phase of the NIST approach to securing the SDLC?

Conducting operational readiness review (B)

Which activity is associated with the Disposal phase of the NIST approach?

Building and executing a disposal/transition plan (B)

Which individual typically has primary responsibility for assessment, management, and implementation of IS in the organization?

Chief Information Security Officer (CISO) (B)

Which role is responsible for the security and use of a particular set of information?

Data Owners (A)

What perspective does security as a social science primarily consider?

The behavior of individuals interacting with systems. (A)

In the context of information security, the concept of the 'security artisan' suggests that:

Security implementation relies heavily on the skills and perception of system technologists. (D)

Which statement accurately reflects the perspective of security as a science?

Specific conditions lead to predictable actions in computer systems, allowing for fault resolution. (B)

Flashcards

Physical Controls

Controls that limit physical access to sensitive locations.

Rudimentary Defending

Security in the early stages focused on protecting physical locations.

Scope of Computer Security

A multi-faceted approach to security that includes data protection, access control, and personnel.

The Internet

The first global network, connecting numerous computer networks.

Information Security

The protection of information and its critical elements.

C.I.A. Triad

Confidentiality, Integrity, and Availability; a standard for security.

Availability

The state of being accessible and usable upon demand by an authorized user.

Vulnerability

A flaw or weakness in a system that could be exploited.

Threat

An event or condition that has the potential to cause harm.

Exploit

An action that takes advantage of a vulnerability.

Loss

A loss of some characteristic of information.

Authenticity

The characteristic of being genuine or authentic.

Accuracy

Reliability and correctness of information.

Availability

Ready and accessible when needed.

Confidentiality

Information is protected from disclosure.

Utility

Refers to the quality of having value for some purpose or objective.

Information System (IS)

An organized collection of components to support business functions.

Bottom-Up Approach

Systems administrators improving security from the ground up.

Top-Down Approach

Upper management initiates processes, policies, and procedures.

SDLC (Systems Development Life Cycle)

A methodology for the design and implementation of an information system.

Investigation Phase

The initial phase in the SDLC to define the problem.

Analysis Phase

Phase where assessments and system expectations are determined .

Logical Phase

Delineating specific technologies to implement solution.

Physical Phase

Entire solution presented to organization for approval.

Implementation Phase

The phase to order components for the solution.

Maintenance Phase

The longest, most expensive phase that supports the system's lifecycle.

Software Assurance (SA)

A common body of knowledge focused on secure software design.

NIST Special Publication 800-64

Early SDLC integration of security maximizes ROI through several benefits.

NIST Approach: Initiation

Security looked at in terms of business risks and security input.

NIST Approach: Development

Supplement security controls and analyze security requirements.

NIST Approach: Implementation

Integrating information system tests with security controls.

NIST Approach: Maintenance

Operating and enhancing operations.

NIST Approach: Disposal

Transition and disposal plans, archive info, sanitize, and dispose of hardware.

Chief Information Security Officer (CISO)

Leads assessment management and implementation of IS in organization.

Data Owners

Management accountable for information and data.

Data Custodians

Responsible for system data processes,transmissions, and storage.

Data Users

Have security role and use data.

Information Security

Art, Science, and Social Science.

Security as Art

No hard and fast rules. No manual through entire system.

Security as Science

Computer actions caused by specific software, hardware, faults, and systems.

Security as Social Science

End users reduce risks via acceptable, supportable security profiles.

Study Notes

History of Information Security

• Computer security started right after the construction of the first mainframes
• Code-breaking groups during WWII made the first modern computers with multiple levels of security
• Original security focused on physical controls and rudimentary defenses against physical threats like theft and sabotage

Key Dates in Information Security

• 1968: Password security discussed by by Maurice Wilkes in Time - Sharing Computer Systems
• 1970: Security Controls for Computer Systems report was written identifying the need for computer security by Willis H. Ware
• 1973: Schell, Downey, and Popek examined the needed security in military systems
• 1975: The Federal Information Processing Standards reviews the Digital Encryption Standard
• 1978: Bisbey and Hollingsworth published "Protection Analysis: Final Report:" describing ARPA's Protection Analysis project
• 1979: Dennis Ritchie publishes "On the Security of UNIX" discussing secure user IDs,secure group IDs, and the problems in systems
• 1982: The Department of Defense Computer Security Evaluation Center publishes Trusted Computer Security (TCSEC) documents
• 1982: Grampp and Morris write "The UNIX System: UNIX Operating System Security" examining four handles to security
• 1984: Reeds and Weinberger publish "File Security and the UNIX System Crypt Command" saying no technique can be secure
• 1992: The Simple Internet Protocol Plus (SIPP) Security protocols were developed creating what is now known as IPSEC security

Development in the 1960s

• Redundant networked communications examined the feasibility of the Advanced Research Projects Agency (ARPA)
• Larry Roberts developed ARPANET from its inception.

Advancements of the 1970s and 1980s

• ARPANET grew in popularity along with concerns of misuse
• Fundamental problems with ARPANET security were identified like nonexistent user ID and authentication
• Safeguarding of data was improved
• Efforts to limit unauthorized and random data access was advanced
• Involvement of multiple levels of personnel in security increased
• RAND Report R-609 started the study of computer security

Developments in the 1990s

• Networks of computers became more common, as did the need to connect them
• The Internet became the first global network
• Network connections initially used de facto standards
• Security was a low priority in the early Internet deployments
• DEFCON conference was established in 1993 for those interested in information security

Developments from 2000 to Present

• Millions of unsecured computer networks are brought together with the Internet continuously
• The Growing threat of cyber attacks has increased the awareness of the need for security
• There are now nation states engaging in information warfare
• The security of one computer impacts the overall security of connected computer networks

Defining Security

• Security is the state of being secure and free from danger or harm
• It is a necessary action taken to make someone or something secure
• Multiple layers should be in place within a successful organization to protect operations, infrastructure, people, functions, communications, and information

Information Security Defined

• Information security is the protection of information and its critical elements
• Includes systems and hardware that use, store, and transmit information
• Encompasses information security management, data security, and network security
• The C.I.A. triad is a confidentiality, integrity, and availability standard now viewed as inadequate
• An expanded model consists of a list of critical information characteristics

Key Information Security Concepts

• Access: Subject's ability to interact with an asset
• Asset: Resource being protected
• Attack: Potential risk to an organization's operations
• Control: Countermeasure to prevent exploit of vulnerability
• Exploit: Technique to compromise a system
• Exposure: Condition of vulnerability of informational assets
• Loss: Single instance of damage to information
• Protection profile: Security posture of an organization

Key Threats

• Risk: Probability of damage or loss if a vulnerability is exploited
• Subjects of attack: Agents used to conduct attack
• Threat: Potential risk to an asset
• Threat Agent: System or method used to conduct attack
• Threat event: Occurrence of threat
• Threat source: Category of object or person representing danger
• A computer can be either the subject, or the object of an attack

Critical Characteristics of Information

• Availability: Authorized users can access information in a timely manner
• Accuracy: Free from error with true and correct format
• Authenticity: Original and uncorrupted status
• Confidentiality: Shielding of data from unauthorized access
• Integrity: Uncorrupted and precise state
• Utility: Value for a purpose
• Possession: Ownership or control

Information Systems

• Information systems (IS) are the entire set of people, procedures, and technology
• IS enables business to use information through programs, hardware, data, people, procedures, and networks

Balancing Act

• Perfect security is impossible to achieve and as such, it is a process, not a goal
• Security should be a trade-off between protection and availability
• Reasonably accessible security should be implemented that can protect againts threats

Information Security Approaches

• Grassroots efforts are a process where system administrators improve security of their systems
• While it does make use of technical expertise, it lacks broad organizational support
• Top-down approaches involve formal development strategy implementing a systems development life cycle

SDLC Defined

• Systems development life cycle (SDLC) provides the methodology for the design and implementation of an information system
• They utilize formal problem solving approaches with a structured sequence of procedures with clearly defined goals
• It increases the probability of success implementing processes

SDLC Phases

• Investigation: What problem is the system being developed to solve?
• Objectives, constraints, and scope of project are specified
• Preliminary costs and benefits analysis is developed
• Analysis: Consists of assessments of the organization, current systems, and systems capability to support proposed systems
• Analysts determine what the new system is expected to do and how it will interact with existing systems
• Analysis ends with documentation of findings and an update of feasibility
• Logical Designs: Applications that are selected will provide needed services and data support
• Analysts generate estimates of costs and benefits
• Feasibility analysis is performed at the end
• Feasibility analysis is performed
• Physical Design: Specific technologies are selected to support alternatives identified and evaluated that have cost effective components
• It should be presented to management for approval
• Implementation: Needed software, components, and training should be done for acceptance after a performance review
• Maintenance and Change: Ongoing tasks must support and modify the system

Software Assurance

• Software assurance (SA) is an established procedure used to create deployable and secure software
• The U.S. Department of Defense and Department of Homeland Security supported the Software Assurance Initiative
• It resulted in the Secure Software Assurance (SwA) Common Body of Knowledge (CBK) Publication
• The SwA CBK, under development, contains info on Nature of Dangers, Concepts and Principles, Ethics, Law, and Governance

Software Design Principles

• Keep design simple and small
• Base access based on permission
• Verify every object for authority
• Possesion of keys and passwords
• Utilize 2 factor identification
• Limit access privilages

NIST and Securing SDLC

• Integrating with NIST enhances security in the SDLC
• Early identification and mitigation of security vulnerabilities
• Awareness of potential engineering challenges
• Facilitation of informed executive decision making

Implementing NIST

• NIST implements certain actions in the initiation, acquisition, system testing, operation, and disposal phases
• Security at this point is looked at in terms of business risks, with security office providing input
• They perform risk assessments, analyze security requirements, and design security architecture
• NIST also integrates information system into it's environment. Additionally, they are instituting process and procedure for assured operations
• NIST builds and executes disposal/transition plans with Archival of critical information

Security Professionals

• Wide range of professionals are required to support a diverse information security program
• Senior management and administrative support are key components along with technical expertise

Teams and Positions

• The Chief Information Officer (CIO) is a Senior technology officer responsible for advising senior executives on strategic planning
• The Chief Information Security Officer (CISO) has primary responsibility for assessment, management, and implementation of IS in the organization
• A team includes experts in technical, non technical security policies , and risk assessments
• Data owners are senior management responsible for the security and use of a particular set of information
• Data custodians are responsible for the information and systems that process, transmit, and store it

How is Security Viewed

• It is a Group of individuals united by similar interests/values within an organization
• It incorporates information security management, technology, and organizational management teams
• Implementation of information security is often described as a combination of art and science
• It has no hard and fast rules and virtually all actions in computer systems are the result of interacting hardware and software
• Security administrators should be aware of interactions between the system and its behaviors by individuals.
• This can greatly reduce the levels of risk caused by end users.