Information Security Concepts Quiz
45 Questions
Questions and Answers

Which of the following is NOT a core component of an information system?

  • Financial capital (correct)
  • Data
  • Hardware
  • Software

What is a key disadvantage of the bottom-up approach to information security implementation?

  • It often results in excessive spending.
  • It relies too heavily on technical expertise.
  • It is difficult to implement quickly.
  • It lacks support from upper management. (correct)

What is a primary focus when balancing information security and access?

  • Creating a system that is easy to use, regardless of security.
  • Ensuring perfect information security in every situation.
  • Finding a balance between protection and usability. (correct)
  • Avoiding any security breaches.

Which approach to information security implementation is characterized by strong upper-management support, funding, and a clear plan?

  Answer: Top-down approach (D)

Besides senior management, what other roles are required to support a diverse information security program?

  Answer: A mix of administrative support and technical expertise. (A)

Which of the following best describes the primary focus of early computer security research?

  Answer: The MULTICS operating system. (A)

What was the original purpose of the UNIX operating system, according to the text?

  Answer: Text processing. (A)

Which of these events prompted the expansion of computing capabilities and security threats?

  Answer: The development of the microprocessor. (A)

What was the primary objective of the Computer Emergency Response Team (CERT) when it was created?

  Answer: Addressing network security. (B)

What was a characteristic of early Internet deployments regarding security?

  Answer: Security was treated as a low priority. (C)

How does the Committee on National Security Systems (CNSS) define information security?

  Answer: The protection of information and its critical elements, including the systems and hardware that use, store, and transmit it. (A)

Why is a computer's data security affected by its external connections?

  Answer: The security of a computer's data is influenced by the security of every computer connected to it. (B)

Which of these documents was focused on security controls for computer systems?

  Answer: Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (RAND Report R-609). (A)

What does the C.I.A. triad focus on?

  Answer: Confidentiality, integrity, and availability (B)

According to the provided text, what trend began in the late 1990s and continued into the 2000s regarding security?

  Answer: Large organizations began integrating security into their operations. (A)

Which of the following best represents an 'asset' in the context of information security?

  Answer: Anything valuable to an organization, such as data, systems, or devices (A)

Which publication is considered a seminal work that highlighted the need for computer security?

  Answer: Preliminary Notes on the Design of Secure Military Computer Systems (A)

What is the primary function of a 'control' or 'safeguard' in information security?

  Answer: To reduce risks or protect systems from attacks. (D)

The 1975 Federal Information Processing Standards (FIPS) publication listed among the key dates concerned which of the following?

  Answer: The Data Encryption Standard (DES). (B)

Which concept describes the overall security level of an organization based on its defenses and protections?

  Answer: Security posture or protection profile (C)

Which term describes the state of being at risk of harm due to system weaknesses?

  Answer: Exposure (D)

What was the main objective of the Protection Analysis project, as described in the 1978 study by Bisbey and Hollingworth?

  Answer: To examine the possibility of automated vulnerability detection techniques. (B)

In an attack scenario, which of these roles does the 'object' represent?

  Answer: The target resource or system (B)

In his publications, Dennis Ritchie focused on which specific aspects of system security?

  Answer: Secure user IDs, secure group IDs, and problems inherent in the system. (D)

What does 'loss' refer to within the realm of information security?

  Answer: Damage or harm from a successful attack (C)

The Trusted Computer System Evaluation Criteria (TCSEC), published by the Department of Defense Computer Security Center, is the first volume of which document series?

  Answer: The Rainbow Series (C)

According to Grampp and Morris, what are the key factors in achieving computer security?

  Answer: Physical control, management commitment, employee education, and administrative procedures. (D)

According to Reeds and Weinberger, what is a key limitation of security techniques in relation to privileged users?

  Answer: No technique can secure against the system administrator or other privileged users. (C)

What was the primary outcome of the research at the Naval Research Laboratory in 1992 regarding Internet security?

  Answer: The creation of the Simple Internet Protocol Plus (SIPP) security protocols, now known as IPsec. (D)

What was the primary focus of computer security immediately following the development of the first mainframes?

  Answer: Establishing physical controls to limit access to sensitive locations (B)

Which of the following best represents the early goal of the Advanced Research Projects Agency (ARPA)?

  Answer: Developing redundant networked communications (D)

What fundamental security problem was identified with early ARPANET implementations?

  Answer: Absence of safety procedures for dial-up connections and of user identification and authorization (B)

What document is credited with beginning the formal study of computer security and emphasizing management and policy issues?

  Answer: RAND Report R-609 (B)

How did the scope of computer security expand beyond physical security, according to the information provided?

  Answer: By extending to include data security, access control, and organizational involvement (B)

What was a key motivation behind the initial development of computer security measures during WWII?

  Answer: The need for code-breaking computations and secure communications (A)

What was Larry Roberts' main contribution to the field of computer networking, in the context given?

  Answer: He developed the ARPANET from its inception (B)

What important shift in perspective was marked by expanding the scope of computer security beyond physical measures?

  Answer: The recognition that information security involves multiple layers of the organization (B)

Which of the following best describes a 'vulnerability' in the context of information security?

  Answer: A weakness in a system or process that can be exploited by threats. (B)

If information is altered unintentionally, which of the following critical characteristics of information is primarily affected?

  Answer: Accuracy (D)

Which of the following is a primary goal of ensuring information 'availability'?

  Answer: To enable authorized users to access information without interference. (D)

What does 'authenticity' of information primarily ensure?

  Answer: That information is genuine and original, not a fabrication. (D)

Which of the following scenarios is a direct example of a breach of 'confidentiality'?

  Answer: Unauthorized access to sensitive company emails. (A)

Which statement about 'possession' is most accurate?

  Answer: Possession of information is independent of its format or other characteristics. (D)

What is the primary function of the McCumber Cube when compared to the CIA Triad?

  Answer: To introduce additional dimensions that expand upon the CIA Triad. (B)

In the context of information security, what does 'utility' refer to?

  Answer: The value of information for a specific purpose or end. (C)

    Flashcards

    Origin of Computer Security

    The field of computer security originated with the first mainframes and became more complex as technology advanced.

    Early Security Measures

    Early information security practices focused on physical access control, safeguarding sensitive military data, and preventing theft, espionage, and sabotage.

    ARPANET Security Issues

    The ARPANET, the precursor to the internet, presented challenges in security due to the lack of safe dial-up connections, user identification, and authorization methods.

    RAND Report R-609

    The RAND Report R-609, a landmark document, initiated the academic study of computer security, highlighting the critical role of management and policy in information protection.

    Evolution of Computer Security

    Computer security evolved from physical security to encompass securing data, restricting unauthorized access, and involving various organizational levels in information security.

    Network Vulnerabilities Illustrated

    The RAND Report R-609 illustrated vulnerabilities in network communication, emphasizing the need for secure connections and proper user authentication.

    Increased Need for Security

    The development of networking technologies, like the ARPANET, increased the need for information security measures to protect against unauthorized access and misuse.

    Evolving Nature of Information Security

    Information security is an evolving field, constantly adapting to new technologies and security threats, requiring ongoing attention and proactive measures.

    Access

    The ability to use or interact with a system, data, or resource.

    Asset

    Anything valuable to an organization, such as data, systems, or physical devices.

    Attack

    An intentional action to exploit vulnerabilities and harm a system or asset.

    Control

    Measures taken to reduce risks or protect systems from attacks.

    Exploit

    A method or tool used to take advantage of a system's vulnerability.

    Exposure

    The condition of being at risk of harm due to vulnerabilities.

    Loss

    Damage or harm resulting from a successful attack, such as stolen data or financial costs.

    Protection profile

    The overall security level of an organization, based on its protections and defenses.

    What was the significance of MULTICS in computer security?

    The MULTICS operating system was a major early effort in computer security, designed to integrate security into its core functions.

    What was the importance of the RAND Report R-609?

    The RAND Report R-609 was a landmark document that initiated the academic study of computer security, emphasizing the importance of management and policy in information protection.

    Why was UNIX created?

    UNIX was initially created by individuals who had worked on MULTICS, although it was not designed to be a secure operating system. It was initially focused on text processing.

    What were the security concerns with ARPANET?

    The ARPANET was a precursor to the internet and faced security challenges, such as the lack of secure dial-up connections and user identification methods.

    How did networking advancements impact security?

    The development of networking technologies like the ARPANET increased the need for information security measures to protect against unauthorized access and misuse.

    Why was the Computer Emergency Response Team (CERT) created?

    The Computer Emergency Response Team (CERT) was formed to address network security threats in response to the growing concerns about computer security.

    What key security trends emerged in the 1990s?

    The 1990s saw the rise of networks of computers and the internet, bringing increased security threats. DEFCON was established as a gathering place for those interested in information security.

    What security challenges emerged with the internet in the 2000s?

    The growth of the internet in the 2000s has created a global network of interconnected computers, raising the stakes for security. Nation-states engaging in information warfare are a growing concern.

    Preliminary Notes on the Design of Secure Military Computer Systems

    A 1973 paper by Schell, Downey, and Popek that highlighted the need for enhanced security in military computer systems, emphasizing the importance of protecting sensitive data.

    FIPS Publication on DES (Data Encryption Standard)

    The 1975 Federal Register publication of the proposed Data Encryption Standard (DES), later adopted as Federal Information Processing Standard FIPS PUB 46 (1977). It was a crucial step in establishing a standardized encryption algorithm for protecting unclassified government data.

    Protection Analysis: Final Report

    A 1978 report by Bisbey and Hollingworth that detailed the results of the Protection Analysis project, which examined operating-system security vulnerabilities and explored whether vulnerability detection could be automated.

    On the Security of UNIX

    A 1979 paper by Dennis Ritchie that discussed the design and limitations of the Unix operating system in terms of security, covering aspects like user and group IDs and inherent security issues.

    Trusted Computer System Evaluation Criteria (TCSEC)

    The Trusted Computer System Evaluation Criteria (TCSEC), known as the "Orange Book", published by the US Department of Defense Computer Security Center (later the National Computer Security Center) to assess the security of computer systems; first issued in 1983 and adopted as DoD standard 5200.28-STD in 1985. It is the first and best-known volume of the Rainbow Series, the family of DoD evaluation guides named for the colors of their covers.

    The UNIX System: UNIX Operating System Security

    A 1984 paper by Grampp and Morris (AT&T Bell Laboratories Technical Journal) that analyzed various aspects of security within the UNIX operating system, emphasizing the importance of physical control, management commitment, employee education, and administrative procedures for security.

    File Security and the UNIX System Crypt Command

    A 1984 paper by Reeds and Weinberger that discussed the limitations of file security in the Unix system, highlighting the vulnerability to wiretapping and privileged users, emphasizing the importance of proper system administration.

    Simple Internet Protocol Plus (SIPP) Security Protocols (now IPsec)

    A 1992 project by researchers at the Naval Research Laboratory, working within the Internet Engineering Task Force (IETF), that led to the IPsec security protocols, a crucial improvement in Internet security.

    Vulnerability

    The potential weakness in a system or process that can be exploited by threats.

    Threat Source

    The source from which a threat originates, such as hackers, malware, or natural disasters.

    Accuracy

    Information is considered accurate when it is free from mistakes or errors and meets user expectations. Modification unintentionally or intentionally compromises accuracy.

    Authenticity

    Information has authenticity when it is genuine, original, and not a copy or fabrication. Email spoofing is a common problem that compromises authenticity.

    Confidentiality

    Information is confidential when it is protected from unauthorized disclosure or exposure to individuals or systems.

    Integrity

    Ensuring information is whole, complete, and uncorrupted. It is critical to protect information from unauthorized modifications.
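The accuracy, authenticity, and integrity cards above describe what is lost when information is modified; the following added example (written for this page, not taken from Whitman and Mattord or the course) shows how a practitioner actually detects it. The record and the key are constructed sample values. A plain SHA-256 digest catches accidental corruption (an accuracy failure), but an attacker who can rewrite the data can recompute the public digest too, so protecting integrity and authenticity against deliberate tampering needs a keyed MAC (HMAC) whose key the attacker does not hold.

```python
"""Integrity checks: plain hash vs. keyed HMAC (added example, not from the textbook)."""
import hashlib
import hmac

# Constructed sample record and shared secret (assumptions for this example only).
RECORD = b"account=4711;balance=1500.00;currency=EUR"
KEY = b"example-shared-secret-do-not-reuse"   # in practice: secrets.token_bytes(32), stored separately


def sha256_digest(data: bytes) -> str:
    """Unkeyed digest: anyone can compute it for any data."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of `key` can produce a valid value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, stored_digest: str) -> bool:
    # compare_digest avoids timing leaks when checking the stored value.
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def verify_hmac(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), stored_tag)


def flip_one_bit(data: bytes, byte_index: int) -> bytes:
    """Simulate unintentional corruption, e.g. a storage or transmission error."""
    buf = bytearray(data)
    buf[byte_index] ^= 0x01
    return bytes(buf)


def accidental_corruption_detected() -> bool:
    """A stored hash is enough to notice a random bit flip (accuracy lost)."""
    digest = sha256_digest(RECORD)          # computed when the record was written
    corrupted = flip_one_bit(RECORD, 20)    # damage that happens later, by accident
    return not verify_hash(corrupted, digest)


def tampering_defeats_plain_hash() -> bool:
    """An attacker changes the balance and recomputes the unkeyed digest; the check passes."""
    tampered = RECORD.replace(b"1500.00", b"9999.00")
    forged_digest = sha256_digest(tampered)  # no secret needed
    return verify_hash(tampered, forged_digest)   # True: integrity silently lost


def tampering_caught_by_hmac() -> bool:
    """With an HMAC, the attacker cannot produce a valid tag without KEY."""
    tag = hmac_tag(KEY, RECORD)
    tampered = RECORD.replace(b"1500.00", b"9999.00")
    forged_tag = sha256_digest(tampered)     # best the attacker can do without the key
    return (not verify_hmac(KEY, tampered, tag)) and (not verify_hmac(KEY, tampered, forged_tag))


if __name__ == "__main__":
    print("bit flip detected by hash:   ", accidental_corruption_detected())
    print("tampering passes plain hash: ", tampering_defeats_plain_hash())
    print("tampering caught by HMAC:    ", tampering_caught_by_hmac())
```

The distinction matters when choosing a control: a checksum or hash stored beside the data is a fine accuracy safeguard against faulty disks and flaky links, but as soon as the threat model includes an adversary with write access, the check value must depend on a secret (HMAC) or a private signing key, and that secret must not be reachable from the place where the data is modified.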

    Utility

    Information has utility when it is valuable for a specific purpose and presented in a meaningful format for the end user.

    Possession

    Possession refers to the ownership or control of information. A breach of confidentiality always implies a breach of possession, but the reverse is not always true: if an encrypted backup is stolen, possession is lost while confidentiality holds as long as the key stays secret.

    Balancing Security and Access

    Balancing information security and access means finding an appropriate level of protection that allows reasonable access while mitigating threats.

    Bottom-Up Approach

    The bottom-up approach involves system administrators proactively improving security within their respective systems. It often lacks organizational support and a comprehensive plan.

    Top-Down Approach

    The top-down approach is initiated by upper management, establishing policies, procedures, and goals for information security. It provides strong support, dedicated funding, and a clear plan.

    Information Security Professionals

    Information security professionals play a vital role in implementing and maintaining a robust security system, which includes the involvement of senior management and various technical experts.

    Information System (IS)

    Information systems (IS) are complex entities encompassing people, procedures, technology (like software, hardware, and networks), and data. They enable businesses to effectively use information.

    Study Notes

    Module 1: Computer Security

    • CIS 475 course, Computer Security, Module 1
    • Learning objectives include defining information security, recounting computer security history, defining key information security terms, describing information security roles within an organization.
    • Enterprise information security must align with corporate expectations, culture, and leadership for risk identification and effective controls implementation.
    • Information security professionals must understand the field's origins to appreciate its impact on contemporary security understanding.

    The History of Information Security

    • Computer security's origin was tied to the development of the first mainframes.
    • World War II code-breaking computations led to the creation of early computers.
    • Security initially involved physical controls, limiting access to sensitive military locations and preventing physical theft, espionage, and sabotage.

    The 1960s

    • The Advanced Research Projects Agency (ARPA) explored redundant network communications.
    • Larry Roberts spearheaded the ARPANET's inception.

    The 1970s and 1980s (Part 1)

    • ARPANET's popularity attracted misuse.
    • Fundamental security problems with ARPANET were identified.
      • Lack of safety procedures for dial-up connections.
      • No user identification and authorization system.

    The 1970s and 1980s (Part 2)

    • Information security emerged with the RAND Report R-609, which identified management and policy issues within computer security.
    • The scope of computer security expanded beyond physical security to encompass data security, limiting unauthorized access, and involving personnel from various organizational levels in information security.

    MULTICS (Part 1)

    • Early computer security research focused on a system called Multiplexed Information and Computing Service (MULTICS).
    • MULTICS was the first operating system to integrate security into its core functions.
    • MULTICS was a mainframe, time-sharing operating system developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

    MULTICS (Part 2)

    • Key players in MULTICS development contributed to the creation of UNIX.
    • The microprocessor's advancements in the late 1970s expanded computing capabilities and security threats.
    • TCP/IP was developed and adopted in the early 1980s (the ARPANET switched to it in 1983).
    • In 1988, after the Morris worm, DARPA established the Computer Emergency Response Team (CERT) to address network security.

    The 1990s

    • Networks of computers increased, along with the need for interconnections.
    • The internet emerged as the primary global network.
    • Initially, network connections relied on de facto standards.
    • Security was often a low priority in early Internet deployments.
    • The DEFCON conference was established in 1993 to address information security.
    • Large organizations integrated security into operations in the late 1990s and early 2000s.

    2000 to Present

    • The internet connected millions of unsecured networks, increasing cyber attack threats.
    • Nation-states engaged in information warfare.
    • The ability to secure a computer's data depends on its connected computers' security.

    Key Dates in Information Security (1 of 2)

    • Key dates and associated documents related to information security.
    • Examples include ARPANET development, security control for computer systems report, identifying the need for computer security.

    Key Dates in Information Security (2 of 2)

    • Continued important dates and documents related to information security.
    • Examples include UNIX security, the Trusted Computer System Evaluation Criteria (TCSEC), the Protection Analysis report, and Simple Internet Protocol Plus (SIPP).

    What is Security? (Part 1)

    • Security is "a protected state of being secure and free from danger or harm".
    • The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
    • A successful organization protects multiple facets: operations, physical infrastructure, people, functions, communications, and information.

    What is Security? (Part 2)

    • Information and its critical elements are what is protected.
    • The systems and hardware that use, store, and transmit that information fall within the scope of protection.

    Components of Information Security

    • Information security management, computer and data security, and network security, with governance and policy as the foundation that ties them together.
    • Confidentiality, integrity, and availability are the properties these components exist to protect.

    The CIA Triad

    • Confidentiality, integrity, and availability.
    • Inadequate for the dynamic information security landscape.
    • More comprehensive model is needed to address threats like damage, theft, and unauthorized access.

    Key Information Security Concepts

    • Concepts covering access, assets, attacks, controls (safeguards), exploits, exposure, loss, and security posture.

    Key Information Security Concepts (Part 2)

    • Detailed information security concepts are covered, including protection profiles, risk, attack subjects and objects, threats, threat agents, threat events, threat source, and vulnerability.

    Figure 1-7 Key Concepts

    • Illustrative examples of threats, exploits, attacks, and assets.

    Figure 1-8 Computer as the Subject and Object of Attack

    • Depicts computers as both the subject (attacker) and the object (target).

    Critical Characteristics of Information

    • Essential qualities like confidentiality, integrity, availability, accuracy, authenticity, utility, and possession.

    Critical Characteristics of Information (Part 2)

    • Detailed explanations of availability, accuracy, and authenticity including their implications.

    Critical Characteristics of Information (Part 3)

    • A review of confidentiality, integrity, and utility.
    • Possession's relationship to confidentiality is also included.

    CNSS Security Model: The McCumber Cube

    • Expands the CIA Triad with two additional dimensions: the state of the information (storage, processing, transmission) and the category of safeguard (policy and practice, education and training, technology).
    • The result is a 3x3x3 cube of 27 cells, each a combination of one desired characteristic (confidentiality, integrity, or availability), one information state, and one safeguard category.
    • Each cell identifies what is being protected (e.g. confidentiality of data in transmission) and the kind of control that protects it (e.g. technology, such as encryption), so the cube doubles as a checklist for gaps in a security program.

    Components of an Information System

    • The complete system of people, procedures, and technology used to process information (software, hardware, data, people, procedures, and networks).

    Balancing Information Security and Access

    • Information security is a process, not a goal.
    • A balance between security and accessibility is needed to protect against threats while allowing reasonable access.

    Approaches to Information Security Implementation: Bottom-Up Approach

    • Focuses on improvement through individual systems administrators.

    Approaches to Information Security Implementation: Top-Down Approach

    • Upper management initiates policy, procedures, and processes, aiming for organizational culture influence and top-down support.

    Figure 1-12 Approaches

    • Diagram compares top-down and bottom-up approaches to information security implementation.

    Security Professionals and the Organization

    • Numerous professionals are involved in a comprehensive information security program, including senior management as a significant component.
    • Administrative and technical expertise is essential for program implementation.

    Senior Management

    • The Chief Information Officer (CIO) is the senior technology officer and advises on strategic planning.
    • The Chief Information Security Officer (CISO) is primarily responsible for the assessment, management, and implementation of information security across the organization, and usually reports to the CIO.

    Information Security Project Team

    • Team composition, roles, and responsibilities, including champions, team leaders, security policy developers, risk assessment specialists, security professionals, systems administrators, and end users.

    Data Responsibilities

    • Data owners, custodians, and users and their associated tasks.

    Communities of Interest

    • Individuals united by similar interests and values concerning information security, information technology, and organizational management.

    Information Security: Is It an Art or a Science?

    • Information security implementation combines aspects of both art and science. Seen as art, it has no hard and fast rules and no single correct design; seen as science, it rests on technology whose faults and failures can be studied; seen as social science, it depends on how individuals perceive and use resources and technology.

    Security as Art / Science / Social Science

    • Security's art aspects are presented.
    • The science and social science aspects of security are also included.

    Summary (Part 1 and 2)

    • Broad overview of the covered material and main concepts.

    References

    • Whitman, M. E. and Mattord, H. J., Principles of Information Security, 6th ed., Cengage Learning, 2017.
