Information Assurance and Security I Quiz
48 Questions

Questions and Answers

What feature made the Enigma machine notable during its time?

  • It used electrical circuits for enciphering messages. (correct)
  • It relied solely on manual encryption methods.
  • It was primarily used for public communications.
  • It was the first personal computer.

Which individual is credited with developing ARPANET from its inception?

  • Robert Kahn
  • Larry Roberts (correct)
  • Vinton Cerf
  • Tim Berners-Lee

What was one of the identified security problems with ARPANET?

  • Encryption keys were shared with unauthorized users.
  • Dial-up connections were overly protected.
  • User identification and authorization were non-existent. (correct)
  • Physical security measures were too strict.

What contributed to the vulnerabilities in ARPANET's security?

  • Publicly distributed phone numbers for access. (correct)

What early action did the Advanced Research Projects Agency (ARPA) consider regarding network communications?

  • Feasibility of redundant networked communications. (correct)

What is one definition of information security?

  • An assurance that information risks and controls are balanced. (correct)

Which historical event significantly contributed to the development of information security?

  • Code-breaking during World War II. (correct)

What was the primary purpose of physical controls in early information security?

  • To limit access to authorized individuals only. (correct)

Which device was used extensively by Nazi Germany to secure communications during World War II?

  • The Enigma machine. (correct)

What misconception did the Germans have regarding the Enigma machine?

  • It provided absolute security for communications. (correct)

What is a key aspect of information security professionals' roles in organizations?

  • Planning and implementing information control strategies. (correct)

What is a primary focus of the security systems development life cycle?

  • Continuous assessment of information risk management. (correct)

What fundamental concept underlies information security?

  • A balanced understanding of risks and controls. (correct)

Which characteristic of information ensures it is free from mistakes?

  • Accuracy (correct)

What does the characteristic of timeliness refer to in the context of information?

  • Information must be provided when it is needed, or it loses its value. (correct)

Which characteristic is considered the cornerstone of information integrity?

  • Integrity (correct)

In the components of an information system, which element is NOT included?

  • Financial data (correct)

Which of the following best describes the concept of authenticity in information?

  • Quality or state of being genuine, regarding the source of the information. (correct)

Which component of an information system is often considered the weakest link in security?

  • People (correct)

What is a primary characteristic of software in the context of information security?

  • It is often the most challenging to protect. (correct)

Which aspect of an information system poses a threat to the integrity of information when neglected?

  • Procedures (correct)

What is implied by the statement that achieving perfect security is impossible?

  • Security requires ongoing management and balance. (correct)

Which of the following is a common target of intentional attacks within an information system?

  • Data assets (correct)

What crucial role does securing hardware play in information security?

  • It protects the physical technology executing software. (correct)

Which of the following is a challenge posed by networks in information security?

  • They introduce new security vulnerabilities. (correct)

What best describes the approach to securing information assets?

  • It is a collaborative and incremental endeavor. (correct)

What was the primary goal of the Multics operating system?

  • To ensure security (correct)

How did the expansion of microprocessors in the late 1970s affect computing?

  • It increased security threats and capabilities (correct)

What was a common issue with early Internet deployments regarding security?

  • Security being treated as a low priority (correct)

What defines the quality of being secure in the context of information security?

  • Freedom from danger (correct)

Which element is NOT part of the multiple layers of security an organization should have?

  • Social media security (correct)

What does the C.I.A. in information security refer to?

  • Confidentiality, Integrity, Availability (correct)

Why is the ability to secure a computer's data influenced by the security of connected computers?

  • Weak security can create vulnerabilities in the entire network (correct)

What broad scope does information security encompass?

  • Protecting information and its critical elements (correct)

What is the primary advantage of the bottom-up approach to information security?

  • Technical expertise of individual administrators (correct)

Which of the following is a disadvantage of the bottom-up approach?

  • Lacks critical features such as participant support (correct)

The top-down approach to information security typically starts with whom?

  • Upper-level managers (correct)

What is a key feature of a successful top-down approach?

  • Formal development strategy (correct)

What does the Systems Development Life Cycle (SDLC) provide for information security implementation?

  • A structured sequence of procedures (correct)

Which phase of the Security Systems Development Life Cycle is primarily focused on analyzing existing threats?

  • Phase 2: Analysis (correct)

In which phase does the project team select the technologies needed to support the security blueprint?

  • Phase 4: Physical Design (correct)

What is one of the unique steps of Phase 5: Implementation in SecSDLC?

  • Document the system (correct)

Which role in senior management is primarily responsible for implementing information security?

  • Chief Information Security Officer (CISO) (correct)

What is the relationship between the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO)?

  • CISO usually reports directly to the CIO. (correct)

Which element is essential for an effective information security program?

  • Support from senior management (correct)

Which factor indicates the need for constant updates in the maintenance phase?

  • Changing threats to information security (correct)

What does the term 'scope' refer to in the initial phase of SDLC?

  • Limitations and boundaries of the project (correct)

Which task is NOT part of the traditional SDLC?

  • Perform risk analysis (correct)

Flashcards

Information Security Definition

A state of assurance that information risks and controls are balanced.

Early Computer Security

Emerged with the first mainframes, primarily for code-breaking during WWII.

Physical Controls

Early security measures that limit access to sensitive locations with badges, keys, and recognition.

Enigma Machine

A cipher device used to protect communications in the early-mid 20th century, notably by Nazi Germany.

Origins of InfoSec

Emerged alongside mainframes, focused on code breaking during WWII.

World War II & Security

A period that saw the development & use of early security measures, including cryptography.

Mainframes & Security

The development of mainframes coincided with the beginning of computer security.

Security Scope in Early Days

Early security measures primarily focused on physical protection and cryptography.

Enigma Machine Security

The Enigma machine was believed by its users to be highly secure for encrypting top-secret messages; Allied cryptanalysts nevertheless broke it.

Early ARPANET Security Problems

ARPANET's early stages lacked essential security measures like safeguards for dial-up connections, user identification, and authorization.

ARPANET Misuse Potential

As ARPANET gained popularity, there was a growing concern about potential misuse and the lack of security.

ARPANET Security Issues - Dial-Up

ARPANET's early design lacked safety procedures for dial-up access.

ARPANET Security Issues - User Access

Early ARPANET lacked user identification and authorization controls, creating risks for unauthorized access.

CIA Triad

A model of information security focusing on Confidentiality, Integrity, and Availability.

Information Timeliness

Information is valuable when it's available in a timely manner, relevant to the issues or decision at hand.

Information Availability

Data is accessible and usable to authorized people when needed and in usable form.

Critical Info Characteristics

Essential qualities of information, like timeliness, accuracy, and completeness.

Information Integrity

Data and systems are whole, complete, and uncorrupted.

Computer Security Origins

Computer security's roots trace back to Rand Report R-609, which expanded the scope beyond physical security to encompass data safety and limiting unauthorized access.

Multics & Unix

Multics, an early operating system, prioritized security but faced limitations. Unix, developed out of Multics, became more widespread, but security wasn't a primary concern in its initial development.

1970s Microprocessor Impact

The rise of microprocessors decentralized computing, increased resource sharing, and dramatically changed computing, which made new security concerns paramount.

Network Security Need

The increasing prevalence of networked computers emphasized the need for security protocols to protect interconnected systems.

Early Internet Security

In the early days of the internet, security was often treated as a low priority, leading to problems in email and other communication.

Global Network Security

The internet's interconnected nature means that securing individual computers is greatly affected by the security of all connected systems.

Multi-Layered Security

Successful organizations require multiple layers of security encompassing physical, personal, operational, communication, network and information security to safeguard against threats.

Information Security Definition

Information security is the protection of information and critical elements like systems and hardware that handle it.

Software Security

Software is a prime target for attacks, often more difficult to secure than hardware.

Hardware Security

Physical security of hardware and the location housing it is crucial.

Data Security

Data is often the most valuable asset in an information system and a primary target of attacks.

People as Weakest Link

Human error and social engineering attacks make people the most vulnerable component in security.

Procedure Security

Procedures, if poorly managed, can be a critical security flaw.

Network Security Challenges

Connecting a Local Area Network (LAN) to other networks, like the internet, introduces new security complexity.

Security-Access Balance

Information security requires finding a balance between protection and availability.

Incremental Security

Implementing information security is a continuous process that can take time and effort.

Bottom-Up Approach

Security improvement by individual system administrators, focusing on technical details.

Top-Down Approach

Security strategies initiated by upper management, defining policies, procedures, and goals.

SDLC

Formal approach to implementing security, using a structured sequence of steps and phases.

SecSDLC

SDLC adapted for security projects, focusing on threats and controls.

Investigation Phase (SDLC/SecSDLC)

Defining the project scope and goals; assessing resources; evaluating feasibility.

Analysis Phase (SDLC/SecSDLC)

Understanding current systems and business needs, focusing on potential security risks.

Logical Design Phase (SDLC/SecSDLC)

Designing security architecture, systems, and processes.

Physical Design Phase (SDLC/SecSDLC)

Designing how security elements will be implemented; consider technologies & facilities.

Implementation Phase (SDLC/SecSDLC)

Putting software into place, testing, and training users.

Maintenance and Change Phase (SDLC/SecSDLC)

System updates, upgrades, and patches; ensuring continuous efficiency and compliance.

Senior Management (Security)

Key personnel like CIOs and CISOs who guide and oversee the security program.

Chief Information Officer (CIO)

Advises on the strategic use of information within the organization; often manages the IT department.

Chief Information Security Officer (CISO)

Oversees security implementation; often reports to the CIO.

Security Blueprint

A detailed plan outlining the security solutions.

Study Notes

Introduction to Information Security

  • Course Title: Information Assurance and Security I (IT 107)
  • Institution: Caraga State University - Main Campus, College of Computing and Information Sciences
  • Information security is a "well-informed sense of assurance that the information risks and controls are in balance" (Jim Anderson, Inovant 2002)
  • Understanding the origins of information security is necessary to grasp its importance today

Learning Objectives

  • Understand the definition of information security.
  • Comprehend the history of computer security and its evolution into information security.
  • Understand key terms and critical information security concepts.
  • Outline the security systems development life cycle.
  • Understand the roles of security professionals within an organization.

The History of Information Security

  • Began immediately after the first mainframes were developed.
  • Those early mainframes were built to aid code-breaking during World War II.
  • Physical controls (badges, keys, facial recognition) were employed to limit access to sensitive military locations.
  • Initial focus was on defending against physical theft, espionage, and sabotage

The Enigma Machine

  • A cipher device used in the early to mid-20th century to protect communication.
  • Employed extensively by Nazi Germany during World War II.
  • The Germans believed it provided secure communication, although it was eventually cracked.

ARPANET

  • One of the first documented computer security problems occurred in the early 1960s, as mainframes increasingly went online.
  • The Advanced Research Projects Agency (ARPA) examined the feasibility of a redundant, networked communications system.
  • Larry Roberts developed ARPANET from its inception.
  • ARPANET was the predecessor of the Internet.
  • As ARPANET grew in popularity, so did its potential for misuse, and fundamental security problems were identified.
  • These problems included the lack of safety procedures for dial-up connections, non-existent user identification and authorization, and the open sharing of login information.

The Origins of Computer Security

  • Information security as a discipline began with Rand Report R-609.
  • The scope of computer security grew from physical security to include the safety of data and limiting unauthorized access, at all levels of the organization.

Late 1970s

  • Microprocessors expanded computing capabilities and security concerns.
  • The shift from mainframes to PCs created new threats and security concerns.
  • The need for sharing computing resources increased.

1990s

  • Networks of computers became more common, creating interconnection needs and security challenges.
  • The Internet emerged as the first global network of networks.
  • Early Internet deployments often had low priority for security.
  • Many Internet problems are a result of this early lack of adequate security measures.

The Present

  • The Internet brings millions of computer networks into communication.
  • The security of a computer's data is affected by the security of every connected computer.

What is Security?

  • Security is defined as "the quality or state of being secure—to be free from danger."
  • A successful organization requires multiple layers of security: physical, personal, operational, communications, network, and information.

What is Information Security?

  • Protecting information and its critical elements (systems and hardware).
  • Necessary tools include policy, awareness, training, education, and technology.
  • Confidentiality, integrity, and availability (C.I.A.) were originally considered the key elements.
  • Now expanded into a more extensive list of critical characteristics of information.

Components of Information Security

  • The diagram shows interconnected components: information security, network security, computer & data security, and policy. Information security depends on all of them.

Critical Characteristics of Information

  • Timeliness: Information's value is lost if it arrives too late.
  • Availability: Uninterrupted access is crucial.
  • Accuracy: Information is free from mistakes or errors and has the value the user expects.
  • Authenticity: The reliability and genuineness of the sender/information are important.
  • Confidentiality: Information is protected from disclosure or exposure to unauthorized individuals or systems.
  • Integrity: The entirety, completeness, and accuracy of the information.
  • Utility: Value for designated use, functionality, or application.
  • Possession: Controlled access and ownership, including the responsibility of safeguarding data.
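The distinction between integrity and authenticity above is easiest to see in code. The following is an added example written for this page, not part of the IT 107 course material; it uses Python's standard-library HMAC, and the shared key and messages are constructed sample values. The unkeyed checksum functions are included only to show what a key-less integrity check misses.

```python
"""Integrity and authenticity with a keyed tag (added example, not course code)."""
import hashlib
import hmac
import secrets

# Constructed sample key shared by sender and verifier. Assumption: it was
# exchanged earlier over a secure channel; how that happens is out of scope.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 tag binding the message to whoever holds `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, received_tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """True only if the message is unmodified AND was tagged with `key`.

    compare_digest takes time independent of where the tags differ, so a
    remote attacker cannot recover the correct tag byte by byte from timing.
    """
    return hmac.compare_digest(tag(message, key), received_tag)


def checksum(message: bytes) -> bytes:
    """Unkeyed SHA-256: detects accidental corruption, not deliberate change."""
    return hashlib.sha256(message).digest()


def checksum_verify(message: bytes, received: bytes) -> bool:
    return hmac.compare_digest(checksum(message), received)


def integrity_demo() -> dict:
    """Run the cases a practitioner cares about and return the verdicts."""
    original = b"transfer 100 to account 42"  # constructed sample message
    t = tag(original)

    # 1. Untouched message from the legitimate sender: accepted.
    untouched = verify(original, t)

    # 2. Integrity failure: one field changed in transit, old tag kept.
    tampered = original.replace(b"100", b"900")
    tampered_same_tag = verify(tampered, t)

    # 3. Authenticity failure: the attacker re-tags the altered message, but
    #    without SHARED_KEY the tag does not verify (random key stands in for
    #    "any key the attacker might pick").
    attacker_key = secrets.token_bytes(32)
    tampered_retagged = verify(tampered, tag(tampered, attacker_key))

    # 4. Why an unkeyed hash is not enough: anyone who can change the message
    #    can also recompute its checksum, so the forgery still "verifies".
    rehashed_plain = checksum_verify(tampered, checksum(tampered))

    return {
        "untouched_accepted": untouched,
        "tampered_same_tag_accepted": tampered_same_tag,
        "tampered_retagged_without_key_accepted": tampered_retagged,
        "tampered_rehashed_plain_checksum_accepted": rehashed_plain,
    }


if __name__ == "__main__":
    for case, accepted in integrity_demo().items():
        print(f"{case}: {accepted}")
```

Case 4 is the one students most often get wrong: a hash alone gives integrity against accidents, while authenticity against an adversary needs a secret the adversary does not hold. Note also that nothing here hides the message content; confidentiality is a separate property needing separate machinery.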

NSTISSC Security Model

  • A model with three dimensions: the desired properties of information (confidentiality, integrity, availability); the states in which information exists (storage, processing, transmission); and the kinds of controls applied (policy, education and training, and technology).
  • Each intersection of the three dimensions is an area that must be considered when securing an information system.

Components of an Information System

  • Information systems encompass software, hardware, data, people, procedures, and networks.
  • Software is often the most difficult to secure and is a frequent target for attacks.
  • Hardware concerns often involve physical security.
  • Data is the most commonly targeted element in attacks. Data often contains valuable information.
  • People are the component most often responsible for security failures (human error, social engineering), so they are the weakest link and require security training to mitigate the risk.
  • Procedures are overlooked frequently in securing systems.
  • Networks, especially connecting to the Internet, pose new security challenges; they are often insufficiently secured by relying only on local measures.

Balancing Information Security and Access

  • Achieving perfect security is impossible; security is a continuous process, not an end goal.
  • A balance must be struck between security protection and system availability.
  • Security measures should permit reasonable access while safeguarding against threats.

Approaches to Information Security Implementation

  • Bottom-up: System administrators attempt to improve system security. Technical expertise is the strength, but often lacks support and organization.
  • Top-down: Upper-level managers dictate policy, procedures, goals, and outcomes.

The Systems Development Life Cycle (SDLC)

  • A methodology and design for information security implementations, involving structured procedures and a defined goal.
  • The methodology involves a sequence of phases (investigation, analysis, logical design, physical design, implementation, maintenance and change)

SDLC and SecSDLC

  • Steps common to both SDLC and SecSDLC include outlining goals and estimating costs, examining feasibility, developing requirements and system plans, and performing further analysis to identify and document findings.
  • Steps unique to SecSDLC include defining project processes, analyzing security policies and programs, identifying threats and controls, performing risk analyses, developing security blueprints, and planning strategies for handling incidents or disaster recovery.

Security Professionals and the Organization

  • Implementing a comprehensive information security program requires a range of professionals, including senior management.
  • Senior management plays a key role by creating policies, allocating resources, and overseeing program management.

Senior Management

  • Senior Technology Officer (e.g., CIO) develops strategic plans for information management.
  • Chief Information Security Officer (CISO) manages and implements information security initiatives.

Description

Test your knowledge on the fundamentals of information security as covered in IT 107 at Caraga State University. This quiz covers the definitions, history, and key concepts in the field of information security. Gain insight into the roles of security professionals and the evolution of security practices over time.
