Information Security Top-Down Approach Quiz

GaloreGraph

27 Questions

What approach is initiated by upper management who issue policy, procedures, and processes?

Top-Down Approach

Which phase of the Security Systems Development Life Cycle (SecSDLC) identifies specific threats and creates controls to counter them?

Analysis

What does the Investigation phase do in the Security Systems Development Life Cycle (SecSDLC)?

Identifies process, outcomes, goals, and constraints

Which action is planned during the Logical Design phase of the Security Systems Development Life Cycle (SecSDLC)?

Incident response planning

What is performed during the Physical Design phase of the Security Systems Development Life Cycle (SecSDLC)?

Generating alternatives for design

What task begins during the Analysis phase of the Security Systems Development Life Cycle (SecSDLC)?

Risk management analysis

What is the key difference between law and ethics in information security?

Law is enforced by the state, while ethics are not.

What is the legal standard that requires a prudent organization to act legally and ethically and know the consequences of its actions?

Due Care

What is the legal standard that requires a prudent organization to maintain the standard of due care and ensure its actions are effective?

Due Diligence

What is the court's right to hear a case if the wrong was committed in its territory or involved its citizenry?

Jurisdiction

What is the legal obligation of an entity extending beyond criminal or contract law, including the legal obligation to make restitution?

Organizational Liability

What functions as organizational laws that must be crafted and implemented with care to ensure they are complete, appropriate, and fairly applied to everyone?

Policy

What is the responsibility of the Data Custodian?

Responsible for storage, maintenance, and protection of information

Which of the following is NOT a type of security professional mentioned in the text?

Data security analysts

What is the main responsibility of the Data Owner?

Responsible for the security and use of a particular set of information

What is the purpose of CAPEC (Common Attack Pattern Enumeration and Classification)?

To provide a tool for security professionals to understand attacks

Which of the following is a technical mechanism used for copyright protection?

All of the above

What is the term used for the unauthorized duplication, installation, or distribution of copyrighted computer software?

Software piracy

Which of the following can lead to deviations in the quality of service for an organization?

All of the above

What is the term used for an unauthorized person who gains access to information an organization is trying to protect?

Both A and B

Which of the following best describes an expert hacker?

All of the above

What is the purpose of determining the 'Loss Event Frequency' in a risk assessment?

To calculate the probability that an organization will be the target of an attack

Which of the following is NOT one of the 5 basic risk control strategies mentioned in the text?

Eliminate

What is the purpose of the 'Likelihood' factor in a risk assessment?

To determine the probability that a specific vulnerability within an organization will be successfully attacked

What is the purpose of the 'Loss Magnitude' factor in a risk assessment?

To determine the monetary value of information assets that could be lost in a successful attack

What is the purpose of the 'Risk-rating factor' calculation in a risk assessment?

To rank the identified vulnerabilities based on their potential impact and likelihood of exploitation

What is the purpose of the 'Attack Success Probability' factor in a risk assessment?

To assess the likelihood of a specific vulnerability being successfully exploited

Study Notes

Need for Security

  • Common Attack Pattern Enumeration and Classification (CAPEC) is a website hosted by Mitre that serves as a tool for security professionals to understand attacks.
  • 12 categories of threats include:
    • Compromises to Intellectual Property
    • Software Piracy
    • Deviations in Quality of Service
    • Communications and other Provider Issues
    • Power Irregularities
    • Espionage or Trespass
    • Hackers
  • Expert Hackers are masters of several programming languages, networking protocols, and operating systems, exhibiting a mastery of the technical environment of the targeted system.

Risk Assessment

  • Likelihood is the probability that a specific vulnerability within an organization will be successfully attacked, assigned a number between 0.1 and 1.
  • Attack Success Probability is the probability that an organization's information assets will be successfully compromised if attacked.
  • Loss Event Frequency is the probability that an organization will be the target of an attack, multiplied by the probability that the organization's information assets will be successfully compromised if attacked.
  • Loss Magnitude determines how much of an information asset could be lost in a successful attack.
  • Documenting Results of Risk Assessment involves summarizing the risk assessment results in a report, including asset impact, vulnerability, and likelihood.

Risk Control Strategies

  • 5 basic strategies for controlling risk include:
    • Defend: Attempt to prevent the exploitation of the vulnerability.
    • Transfer: Shift the risk to other areas or outside entities.
    • Mitigate: Reduce the impact should the vulnerability be exploited.
    • Accept: Choose to do nothing.
    • Terminate: Avoid those business activities that introduce uncontrollable risk.
  • Laws are rules that mandate or prohibit certain behavior and are enforced by the state.
  • Ethics regulate and define socially acceptable behavior.
  • Organizational Liability and the Need for Counsel involve liability beyond criminal or contract law, including the legal obligation to make restitution.
  • Due Care is the legal standard requiring a prudent organization to act legally and ethically and know the consequences of actions.
  • Due Diligence is the legal standard requiring a prudent organization to maintain the standard of due care and ensure actions are effective.

Security Systems Development Life Cycle (SecSDLC)

  • It is adapted to support the implementation of an IS project.
  • It identifies specific threats and creates controls to counter them.
  • It involves a coherent program, not a series of random, seemingly unconnected actions.
  • It begins with Enterprise Information Security Policy (EISP) and involves an organizational feasibility analysis.

Information Security Project Team

  • A team of individuals experienced in one or more facets of required technical and nontechnical areas.
  • 3 types of data ownership include:
    • Data Owner: responsible for the security and use of a particular set of information.
    • Data Custodian: responsible for storage, maintenance, and protection of information.
    • Data Users: end users who work with information to perform their daily jobs.

Security as Art, Science, and Social Science

  • Security as Art: there are no hard-and-fast rules, nor many universally accepted complete solutions.
  • Security as Science: it deals with technology designed to operate at high levels of performance, and virtually all actions that occur in computer systems are caused by specific conditions.
  • Security as a Social Science: security begins and ends with the people who interact with the system; security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles.

Test your knowledge on the Top-Down Approach in Information Security, where upper management initiates policies and dictates project goals. Explore concepts like Security Systems Development Life Cycle (SecSDLC) and threat identification.
