Information Assurance and Security 1

Questions and Answers

What is the primary objective of defining key terms and explaining essential concepts in information security?

  • To understand the history of computer security
  • To facilitate a comprehensive understanding of information security (correct)
  • To provide a review of the origins of the field
  • To enumerate the phases of the security systems development life cycle

During which time period did the need for computer security arise?

  • The 1970s and 80s
  • World War II (correct)
  • The 1990s
  • The 1960s

What was the purpose of the project developed by Larry Roberts in the 1960s?

  • To create a redundant networked communications system (correct)
  • To design a facial recognition system
  • To develop a mainframe for code breaking
  • To build a secure physical location

What was the outcome of the growing need to maintain national security?

  • The development of more complex and technologically sophisticated computer security safeguards (C)

What was the primary concern during the 1970s and 80s regarding ARPANET?

  • Its potential for misuse (A)

What is the role of professionals within an organization in information security?

  • To play a critical role in maintaining the integrity of an organization's information (D)

What is the primary focus of the learning objectives in information security?

  • To define key terms and critical concepts (C)

What was the original purpose of the mainframes developed during World War II?

  • To aid computations for communication code breaking (D)

What is a community of interest in an organization?

  • A group of individuals united by similar interests or values (B)

What is the primary focus of the Information Security Management and Professionals community of interest?

  • Protecting the organization's information systems and stored information (A)

What is the main objective of the IT community of interest?

  • Reducing costs of system creation and operation, improving system user experience, and increasing transaction response time (B)

Why may there be conflict between the IT community and the information security community?

  • Because their goals are not always in complete alignment (B)

What is the Organizational Management and Professionals community of interest comprised of?

  • The organization's general management team and other resources (B)

What is the analogy used to describe the administrators and technicians who implement security?

  • A painter applying oils to canvas (A)

Why are there different communities of interest within an organization?

  • Because each community has its own unique culture and values (A)

What is the main goal of the communities of interest within an organization?

  • To help the organization meet its objectives (D)

What is the primary focus of Information Security?

  • Protecting information and its critical characteristics (B)

Which approach to information security implementation starts with identifying specific security threats?

  • Bottom-up approach (A)

What is the first phase of the Systems Development Life Cycle?

  • Investigation (A)

Who is responsible for overseeing the overall information security program?

  • Senior Management (D)

What is the primary goal of information security?

  • To ensure the confidentiality, integrity, and availability of information (A)

Which of the following is a component of an information system?

  • Procedures (A)

What is the focus of the Security Systems Development Cycle?

  • To implement security measures in an information system (D)

Who is responsible for managing data across an organization?

  • Data Owner (C)

What is the primary role of communities of interest?

  • To share knowledge and best practices (B)

What is the key characteristic of information that refers to its accuracy and completeness?

  • Integrity (C)

What type of insurance can mitigate the threat of flood to an information system?

  • Flood insurance and/or business interruption insurance (D)

What can cause direct damage to all or part of the information system?

  • All of the above (D)

What type of insurance is usually a separate policy for earthquakes?

  • Specific casualty insurance (B)

What can disrupt operations by interfering with access to the buildings that house all or part of the information system?

  • All of the above (D)

What is the downward sliding of a mass of earth and rock that can directly damage all or part of the information system?

  • Landslide or mudslide (A)

What type of insurance can mitigate the threat of lightning to an information system?

  • Multipurpose casualty insurance (B)

What is an overflowing of water onto an area that is normally dry, causing direct damage to all or part of the information system?

  • Flood (B)

What can cause fires or other damage to the building that houses all or part of the information system?

  • Lightning (A)

What is the primary goal of IP spoofing?

  • To gain unauthorized access to computers (B)

Which type of attack uses IP spoofing to impersonate another entity on the network?

  • Man-in-the-middle attack (C)

What is the primary consequence of spam?

  • Waste of computer and human resources (C)

What is mail bombing?

  • Routing large quantities of email to a target (B)

How can an attacker obtain trusted IP addresses for IP spoofing?

  • By using a variety of techniques (D)

What can be used to protect against IP spoofing?

  • Newer routers and firewall arrangements (D)

What is a variant of TCP hijacking?

  • Interception of encryption key exchanges (A)

What can be used to cope with the flood of spam?

  • E-mail filtering technologies (B)

Study Notes

Introduction to Information Security

  • Information security is a growing concern in today's digital age
  • Key concepts of information security include:
    • Confidentiality: protecting sensitive information from unauthorized access
    • Integrity: ensuring the accuracy and completeness of information
    • Availability: ensuring that information is accessible when needed

History of Information Security

  • The history of information security began with computer security during World War II
  • The need for computer security arose from the need to secure physical locations, hardware, and software from threats
  • Key events in the development of information security include:
    • 1960s: Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant networked communications system
    • 1970s and 80s: ARPANET grew in popularity, leading to concerns about misuse and the development of security safeguards
    • 1973: Robert Metcalfe and David Boggs developed Ethernet, a local area network (LAN) technology

Information Security Concepts

  • Key terms and critical concepts of information security include:
    • Information security: the practice of protecting information and its systems from unauthorized access, use, disclosure, disruption, modification, or destruction
    • Information system: a set of interconnected components that collect, process, store, and disseminate information
    • Components of an information system:
      • Software
      • Hardware
      • Data
      • People
      • Procedures
      • Networks
  • Approaches to information security implementation include:
    • Bottom-up approach: focusing on individual components and building up to the system as a whole
    • Top-down approach: focusing on the system as a whole and breaking it down into individual components
  • The systems development life cycle includes:
    • Investigation
    • Analysis
    • Logical design
    • Physical design
    • Implementation
    • Maintenance and change
  • The security systems development cycle includes:
    • Investigation
    • Analysis
    • Logical design
    • Physical design
    • Implementation
    • Maintenance and change

Communities of Interest

  • Communities of interest are groups of individuals united by similar interests or values within an organization, sharing a common goal of helping the organization meet its objectives
  • Examples of communities of interest include:
    • Information Security Management and Professionals
    • Information Technology Management and Professionals
    • Organizational Management and Professionals

Information Security Roles

  • Senior management: responsible for making strategic decisions about information security
  • Information security project team: responsible for implementing and maintaining information security systems
  • Data responsibilities: include managing and protecting sensitive data

Information Security: Art or Science?

  • Security as art: involves implementing security measures in a creative and flexible way, similar to a painter applying oils to canvas
  • Security as science: involves following a rigorous and systematic approach to implementing security measures

Threats to Information Security

  • Natural disasters:
    • Flood: an overflowing of water onto an area that is normally dry, causing direct damage to all or part of the information system
    • Earthquake: a sudden movement of the earth's crust caused by the release of stress accumulated along geologic faults or by volcanic activity
    • Lightning: an abrupt, discontinuous natural electric discharge in the atmosphere
    • Landslide or mudslide: the downward sliding of a mass of earth and rock
  • Spoofing: a technique used to gain unauthorized access to computers by forging IP addresses
  • Man-in-the-middle attack: an attacker monitors or sniffs packets from the network, modifies them, and inserts them back into the network
  • Spam: unsolicited commercial email
  • Mail bombing: an e-mail attack where an attacker routes large quantities of e-mail to the target, overwhelming the system
