Intro to Information Security Management Part 1


Questions and Answers

What was a primary focus of computer security efforts immediately following the development of the first mainframes?

  • Implementing encryption for online transactions
  • Securing physical access to sensitive military locations (correct)
  • Developing antivirus software for personal computers
  • Preventing unauthorized access to social media accounts

In the early stages of the Internet, security was given high priority in deployments

False (B)

What is the primary goal of information security?

To be free from danger

The C.I.A. triangle is based on confidentiality, integrity, and ______.

availability

Match the following security layers with their descriptions:

  • Products: Physical security around the data; intrusion-detection systems.
  • People: Those who implement security products to protect data.
  • Procedures: Policies to ensure people correctly use security products.

Which of the following is the BEST description of an 'asset' in information security terminology?

Something of value that needs protection. (C)

Risk can be entirely eliminated.

False (B)

What is the role of the Data Custodian?

Responsible for storage, maintenance, and protection of information

A ______ is someone who promotes a project and ensures its support, both financially and administratively

Champion

Match the characteristic to its description

  • Availability: Information is accessible when needed.
  • Accuracy: Information is correct and free from errors.
  • Confidentiality: Information is protected from unauthorized access.

According to the information presented, what is most accurate about security?

It is a process of balancing protection and availability. (B)

Implementation of information security is purely a science.

False (B)

Name any 3 components of Information Systems.

Software, Hardware, Data

The threat agent is a ______ that has the power to carry out the threat.

Person or Thing

Match the following descriptions with the correct role.

  • Security Analyst: Monitors security events in order to detect threats.
  • Incident Responder: Works to contain and mitigate potential damage.
  • Security Engineer: Designs and implements security solutions.

Which of the following BEST describes the principle of 'Defense in Depth'?

Implementing multiple layers of security controls. (D)

The Chief Information Officer usually reports directly to the Chief Information Security Officer.

False (B)

What is the job of a penetration tester?

Simulates attacks in order to find weaknesses.

The principle of least privilege involves giving users the ______ level of access necessary to perform their duties.

minimum

Match the following security terms with their corresponding descriptions:

  • Vulnerability: A weakness in a system that can be exploited.
  • Threat: A potential danger that could harm a system or asset.
  • Risk: The likelihood that a threat will exploit a vulnerability.

Bisbey and Hollingworth wrote a report on the vulnerabilities of operating systems. What project was this for?

The Protection Analysis Project (C)

It is possible to achieve perfect information security.

False (B)

Who should security administrators interact with to reduce the risk caused by end users?

The People Interacting with the System

According to Reeds and Weinberger, "No ______ can be secure against wiretapping or its equivalent on the computer."

Technique

Select all items that are reasons why information security is essential:

  • Data Protection: Safeguarding personal, financial, and confidential business information.
  • Business Continuity: Protecting businesses from attacks that could disrupt operations.
  • Legal Requirements: Many industries are regulated and required to meet certain cybersecurity standards.

What made computer security more important starting in the 2000s?

The growing cyber attack threat. (A)

Cybersecurity is a subset of Information Security.

True (A)

According to the OSI Model, what is a security attack?

Any action that compromises an organization's secured information.

In Information Security Terminology, a ______ is a weakness that allows a threat agent to bypass security.

Vulnerability

Match the following roles in an information security team to their descriptions:

  • Data Owner: Responsible for the security and use of a particular set of information.
  • Security Policy Developer: Understands organizational security culture and works to develop useful, applicable policies.
  • Risk Assessment Specialist: Understands financial risk assessment techniques and the valuation of organizational assets.

What is 'Separation of Duties' and why is it an important security principle?

Dividing tasks and privileges ensures that no single individual has total control; this protects against malicious intent. (C)

A 'Threat' is a weakness in a system that makes it vulnerable to attack.

False (B)

According to the OSI model, what is a Security Mechanism?

A process that is designed to detect, prevent, or recover from a security attack

In computer security, ______ controls are intended to limit access to sensitive military locations to authorized personnel.

Physical

Match the Security Professionals to their descriptions:

  • Security Technician: Provides hardware and software support and troubleshoots problems.
  • Security Manager: Supervises technicians, administrators, and staff.
  • Security Administrator: Manages daily security technology.

According to Dennis Ritchie what is important in computer security?

Secure user and group IDs. (B)

The Chief Information Security Officer is primarily responsible for strategic planning.

False (B)

In the OSI model, the services are intended to counter security ______. What is the correct term?

Security Attacks

The internet brings millions of computer networks into ______ that are often unsecured.

Communication

What are the 3 aspects of information security according to the OSI model?

  • Security Attack: Any action that compromises the security of information.
  • Security Service: A processing or communication service.
  • Security Mechanism: A process or device incorporating such a process.

Flashcards

Physical Controls

Limiting access to military locations to authorized personnel only.

Security

The quality of being secure from danger

Information Security

Guards data during use, storage, and transmission

Types of Security

Physical, personal, operations, communications, network, information.

Necessary Security Tools

Policy, awareness, training, education, technology

C.I.A. Triangle

Confidentiality, integrity, and availability

Subject of an Attack

A computer used to conduct an attack.

Object of an Attack

The computer that is the target of activity.

Critical Info Characteristics

Characteristics include availability, accuracy, authenticity, confidentiality, integrity, and utility

Information System (IS)

IS is a set of components to use information as a resource

Importance of Info Security

Essential for data protection and business continuity

Data Protection

Safeguarding financial, personal, and business information

Security Champion

A senior executive who champions and supports the project.

Data Owner

Responsible for the security and use of data.

Data Custodian

Responsible for storage, maintenance, and protection of data.

Data Users

End users who handle information for their job.

What is Info Security?

Knowing the why and who in info security

Security Defined

Freedom from danger through protective measures.

Comprehensive Info Security

A more comprehensive definition includes protecting the confidentiality, integrity, and availability of information on devices.

Asset

Something of value.

Threat

An event that undermines security measures.

Threat Agent

The one who carries out a threat

Vulnerability

A weakness allowing a threat agent to bypass security.

Risk

Likelihood of a threat agent exploiting a vulnerability

Information Security (InfoSec)

Protects info in digital, physical, and intellectual form

Cybersecurity

Protects digital systems and data from cyberattacks

Security Attack

Compromises info security

Security Mechanism

Detects, prevents, or recovers from a security attack

Security Service

Enhances security of data processing and transmissions

Least Privilege

Minimum level of access to perform duties.

Separation of Duties

Tasks separated so that no individual has total control.

Defense in Depth

Using many tools to protect from threats

Zero Trust

No one is trusted by default inside or outside the network

Security by Design

Security measures built from the start into systems

Study Notes

  • Introduction to Information Security Management - Part 1

History of Information Security

  • Computer security started immediately after the development of the first mainframes.
  • Multiple levels of security were implemented on mainframes.
  • Physical controls limited access to sensitive military locations to authorized personnel.
  • Rudimentary measures defended against physical theft, espionage, and sabotage.

Key Dates in Early Computer Security

  • 1968: Maurice Wilkes discussed password security in Time-Sharing Computer Systems.
  • 1973: Schell, Downey, and Popek examined the need for additional security in military systems in "Preliminary Notes on the Design of Secure Military Computer Systems."
  • 1975: The Federal Information Processing Standards (FIPS) examined Digital Encryption Standard (DES) in the Federal Register.
  • 1978: Bisbey and Hollingworth published "Protection Analysis: Final Report", discussing the Protection Analysis project created by ARPA to better understand operating system security vulnerabilities and explore automated vulnerability detection techniques.
  • 1979: Morris and Thompson authored "Password Security: A Case History", examining the history of password security design for remote access systems.
  • 1979: Dennis Ritchie published "On the Security of UNIX" and "Protection of Data File Contents", discussing secure user IDs, group IDs, and their related problems.
  • 1984: Grampp and Morris wrote "UNIX Operating System Security", examining physical control of premises, management commitment, employee education, and administrative procedures concerning security.
  • 1984: Reeds and Weinberger published "File Security and the UNIX System Crypt Command", emphasizing that no technique is secure against wiretapping or privileged users.

The 1990s

  • Networks of computers became more common, increasing the need to interconnect them.
  • The Internet was the first manifestation of a global network of networks.
  • Initial Internet infrastructure relied on de facto standards.
  • Security was a low priority in early Internet deployments.

2000 to Present

  • The Internet connected millions of computer networks, many of which were unsecured.
  • The security of a computer’s data is influenced by the security of every connected computer.
  • The growing threat of cyber attacks has increased the need for improved security.

What is Security?

  • Security is "the quality or state of being secure, to be free from danger".
  • A successful organization should have multiple layers of security.
  • These include physical, personal, operations, communications, network, and information security.
  • Security includes the protection of information and its critical elements like systems and hardware.
  • Essential tools include policy, awareness, training, education, and technology.
  • The C.I.A. triangle focuses on confidentiality, integrity, and availability.
  • The C.I.A. triangle has since expanded into a list of critical characteristics of information.

Key Information Security Concepts

  • A computer can be the subject of an attack, the object of an attack, or both.
  • When it is the subject, the computer is used as an active tool to conduct the attack.
  • When it is the object, the computer is the target being attacked.

Critical Characteristics of Information

  • Availability: Information is accessible when needed.
  • Accuracy: Information is correct and without error.
  • Authenticity: Information is genuine and verifiable.
  • Confidentiality: Information is protected from unauthorized access.
  • Integrity: Information is complete and uncorrupted.
  • Utility: Information is useful and serves a purpose.

Components of an Information System (IS)

  • An information system is the set of components necessary to use information as a resource.
  • These components include software, hardware, data, people, procedures, and networks.

Balancing Information Security and Access

  • Achieving perfect security is impossible; security is a process.
  • Security should balance protection and availability.
  • The level of security should allow reasonable access while protecting against threats.

Why is Information Security Important?

  • Data protection is about safeguarding personal, financial, and confidential business information.
  • It maintains business continuity by protecting businesses from attacks that disrupt operations.
  • It is also about preventing financial loss, as cyber attacks can result in significant losses.
  • It preserves business reputation, because a cyber attack can damage an organization’s reputation.
  • Legal requirements: many industries are regulated and need to meet cybersecurity standards.

Security Professionals and the Organization

  • A wide range of professionals support a diverse information security program.
  • Senior management plays a key role in information security.
  • Additional administrative support and technical expertise are required.

Senior Management Roles

  • Chief Information Officer (CIO) is the senior technology officer.
  • CIOs advise senior executives on strategic planning.
  • Chief Information Security Officer (CISO) is responsible for the assessment, management, and implementation of information security.
  • CISOs usually report directly to the CIO.

Information Security Project Team

  • This is a group of individuals experienced in technical and non-technical aspects.
  • The Champion is a senior executive who promotes and supports the project financially and administratively.
  • Security policy developers understand the organization's culture, policies, and requirements needed to develop and implement successful policies.
  • Risk assessment specialists understand financial risk techniques, the worth of organizational assets, and the security methods to be used.

Data Responsibilities

  • The Data owner is responsible for the security and use of a particular set of information.
  • The Data custodian is responsible for storage, maintenance, and protection of information.
  • Data users are end users who leverage the information to perform their daily tasks.

Communities of Interest

  • Communities of interest are groups of individuals united by similar interests or values within an organization.
  • These include information security management and professionals, IT management and professionals, and organizational management and professionals.

Information Security: Art or Science?

  • Implementing information security is a combination of art and science.
  • The "security artisan" idea is based on the way people perceive systems technologists.

Security as Art

  • Security has no hard and fast rules, nor universally accepted solutions.
  • There is no one manual for implementing security across an entire system.

Security as Science

  • Security involves dealing with technology designed to operate at high-performance levels.
  • Specific conditions cause virtually all actions in computer systems.
  • Nearly every fault, security hole, and system malfunction results from interaction of specific hardware and software.
  • With sufficient time, developers could resolve and eliminate faults.

Security as a Social Science

  • Social science examines the behavior of individuals interacting with systems.
  • Security begins and ends with the people that interact with the system.
  • Security administrators can greatly reduce levels of risk by understanding end-user behavior and building better security postures.

Defining Information Security

  • Security is the state of freedom from danger or risk, achieved through protective measures.
  • Information security is the task of safeguarding digital information.
  • Information security ensures protective measures are correctly implemented.
  • Information security cannot completely prevent attacks or guarantee a totally secure system.

Defining Information Security (Continued)

  • The purpose of information security is to protect information that is of value to people and organizations.
  • This value comes from confidentiality, integrity, and availability.
  • Information security is achieved through a combination of people, products and procedures.

Information Security Terminology

  • Asset: Something that has value.
  • Threat: An event or object that may defeat the security measures in place and result in a loss.
  • Threat agent: A person or thing that has the power to carry out a threat.
  • Vulnerability: A weakness that allows a threat agent to bypass security.
  • Risk: The likelihood that a threat agent will exploit a vulnerability.
  • Realistically, risk cannot ever be entirely eliminated.

Information Security (InfoSec)

  • InfoSec focuses on protecting all types of information, digital, physical, or intellectual, from unauthorized access, misuse, destruction, or alteration.
  • The goal is to preserve confidentiality, integrity, and availability (CIA) of information.
  • InfoSec includes both physical security (server rooms, locking file cabinets) and technical security (encryption, access controls).

Cyber Security

  • Cybersecurity is a subset of information security that focuses on protecting digital systems and data from cyberattacks.
  • It secures computers, networks, servers, and data from breaches, hacks, or malicious attacks.

OSI Security Architecture

  • Aspects of information security include security attack, security mechanism, and security service.
  • Security attack is any action that compromises the security of an organization's information.
  • Security mechanism is a process or device to detect, prevent, or recover from a security attack.
  • Security service is a processing or communication service that enhances system security and information transfers.
  • The services are for countering security attacks, and use one or more security mechanisms.

Information Security Careers

  • Careers in information security support business operations by covering security administrators, access coordinators, security architects, security consultants and security testers.

Key Roles in Information Security

  • Security Analyst: Monitors and investigates security incidents and threats.
  • Security Engineer: Designs and implements security solutions.
  • Penetration Tester (Ethical Hacker): Simulates attacks to find weaknesses before malicious actors do.
  • Chief Information Security Officer (CISO): Oversees an organization’s entire cybersecurity strategy.
  • Incident Responder: Responds to cybersecurity incidents and works to contain and mitigate damage.

Information Security Principles

  • Least Privilege: Users should have only the necessary access to perform duties.
  • Separation of Duties: Dividing tasks so no individual controls all aspects of a critical function.
  • Defense in Depth: Using multiple security controls to protect against threats.
  • Zero Trust: No one should be trusted by default, whether inside or outside the network.
  • Security by Design: Incorporating security measures into systems from the ground up.
