Management and Information Security

Questions and Answers

Which of the following is the MOST accurate depiction of management, according to Henry Mintzberg?

  • A purely scientific endeavor.
  • A craft perfected through years of practice.
  • An artistic expression with elements of craft.
  • A practice blending art, science, and craft. (correct)

Why is it crucial for organizations to recognize that information security planning extends beyond the IT department?

  • To limit access to security information, preventing insider threats.
  • To ensure only IT professionals handle sensitive data.
  • To reduce the budget allocated to information security.
  • To engage various management and professional groups for comprehensive security. (correct)

Which of the following BEST describes the role of the general business community in relation to information security?

  • Providing technical support for IT infrastructure.
  • Protecting the organization's information assets from threats.
  • Articulating organizational policy, objectives, and resource allocation. (correct)
  • Supporting the business objectives of the organization through IT.

Why is a multilayered approach important for organizational security?

It acknowledges that a single security measure cannot address all threats effectively. (D)

Which specialized area of security focuses primarily on protecting data during transmission?

Communications security (C)

What is the primary focus of information security (InfoSec)?

Protecting information and its characteristics of confidentiality, integrity, and availability. (B)

What is a key limitation of the NSTISSC model despite it covering the three dimensions of information security?

It lacks discussion of detailed guidelines and policies for control implementation. (D)

Why is the concept of privacy important in the context of information security?

It gives individuals or groups the right to protect information from unauthorized access and dictates its approved usage. (B)

How does the concept of 'identification' function within access control mechanisms?

By providing a label by which entities seeking access are known to the system. (B)

Which of the following BEST describes the role of 'authorization' after a user has been authenticated?

To define specifically and explicitly what an authenticated user is permitted to do. (B)

What is the significance of 'accountability' in the context of information systems?

Linking actions on a system to an authenticated identity, often via audit logs. (B)

According to Sun Tzu, what is the MOST critical element in protecting an organization's information?

Understanding both your own assets and the threats you face. (C)

What is the distinction between a 'threat' and an 'attack' in the context of information security?

A threat is a potential risk, while an attack is an ongoing act that could cause loss. (C)

How do threat agents exploit vulnerabilities to damage or steal an organization's assets?

By using exploits when controls are ineffective or absent. (D)

Which of the following BEST describes 'Compromises to intellectual property' as a category of threat?

Unauthorized use, duplication, or distribution of copyrighted material. (B)

What is the primary impact of 'deviations in quality of service' on an organization's information systems?

Disruptions in Internet, communications, and power supplies, affecting system availability. (A)

Which of the following is the MOST likely result of industrial espionage?

Unauthorized access to protected information. (B)

How do organizations primarily mitigate the threats posed by 'forces of nature'?

Purchasing insurance and creating contingency plans. (B)

What is a common contributing factor to 'human error or failure' in information security?

Inadequate training and incorrect assumptions. (D)

Which of the following BEST exemplifies 'information extortion'?

A hacker demanding payment to prevent the release of stolen credit card numbers. (A)

Which of the following BEST describes 'sabotage or vandalism' as a threat to information systems?

Destruction of an asset or damaging the reputation of an organization. (B)

What is a key characteristic of 'software attacks'?

They involve the use of malicious code to compromise systems or data. (D)

What is the primary difference between Mean Time Between Failures (MTBF) and Mean Time To Failure (MTTF) in assessing technical hardware failures?

MTBF presumes the item can be repaired, while MTTF presumes the item must be replaced. (D)

What constitutes the most significant risk associated with 'technological obsolescence'?

A risk of losing data integrity from attacks. (B)

Which of the following threat categories often overlaps with software attacks and espionage?

Theft (B)

According to the provided content, what is management?

The process of achieving objectives using available resources. (A)

What is the key role of a manager within an organization, as described in the content?

To marshal resources, coordinate tasks, and handle necessary roles. (C)

According to the content, what is the primary way in which a leader influences employees?

By demonstrating personal traits that inspire others to follow. (C)

In the context of management characteristics, what does the acronym 'POSDC' stand for?

Planning, Organizing, Staffing, Directing, Controlling. (A)

What is the primary focus of the 'organizing' function in management according to the material?

Structuring resources to support accomplishing objectives. (C)

What is the main goal of the 'controlling' function in management?

To ensure progress, resolve impediments, and confirm resource adequacy. (A)

According to the content, what does governance emphasize in the context of InfoSec?

Escalating the importance of InfoSec to the highest organizational levels. (C)

In problem solving, what is the purpose of 'Feasibility Analyses'?

To compare and analyze the developed solutions. (A)

What are the 'six Ps' in principles of Information Security Management?

Planning, Policy, Programs, Protection, People, Project Management. (B)

According to the information provided, how should InfoSec strategic plans support an organization?

By supporting the entire organization; therefore it is imperative that the CISO work closely with all senior managers. (A)

Which of the following is NOT identified as a type of InfoSec plan?

Technology development planning. (B)

In the context of InfoSec, what is the purpose of a 'policy'?

To dictate certain behaviors within the organization. (D)

Which of the following BEST describes an Enterprise Information Security Policy (EISP)?

A high-level policy that sets the strategic direction for information security. (B)

Which of the following represents a security education training and awareness (SETA) program?

It's a separate entity as part of InfoSec operations. (B)

What is the role of 'protection mechanisms' in information security?

To manage specific controls of overall information security. (C)

Why are 'people' considered a critical link in the information security program?

Because they ensure the human aspect of personnel security and SETA. (A)

What aspect of project management should be applied to all elements of the security program?

Application of management discipline. (D)

Why can information security be seen as both a process and a project?

Because all elements of an information security program must be managed as a project, even if the overall program is perpetually ongoing. (A)

What is the importance of management being informed about threats to its 'people' when making decisions about information security?

To make sound decisions about threats to the people. (A)

Why is software development so crucial for security?

Poor development practices pose a significant risk. (D)

Flashcards

Security

Being free from danger; protected from loss, damage, or unwanted modification.

Information Security (InfoSec)

Focuses on protecting information and its value through confidentiality, integrity, and availability.

Availability (in InfoSec)

Ensuring information is accessible and correctly formatted for use without interference.

Privacy (in InfoSec)

The right of individuals or groups to control their personal information and prevent unauthorized access.

Identification

The access control mechanism by which users provide a unique label to the system.

Authentication

Confirming identity with a personal identifier, like a password.

Authorization

Matching an authenticated user to a list of information assets and access levels.

Accountability

Ensuring actions on a system can be traced to an authenticated identity, for audit purposes.

Threat

Represents a potential risk to an information asset.

Attack

The ongoing act against an asset that could cause a loss.

Attack (direct definition)

The intentional or unintentional act that damages or compromises systems.

Threat Agents

Entities that damage or steal information using exploits where security controls are lacking.

Vulnerability

A potential weakness in an asset or its defensive control systems.

Compromises to Intellectual Property

Violations of copyrights, trademarks, and patents.

Deviations in Quality of Service

Irregularities that affect internet, communications, or power supplies.

Espionage or Trespass

Unauthorized access to protected information.

Cracking

Password guessing or reverse-calculation to gain access.

Forces of Nature

Dangerous threats that occur with little warning and are beyond human control.

Human Error or Failure

Unintentional acts or ignorance by authorized users.

Information Extortion

Using data theft for extortion.

Sabotage or Vandalism

Deliberate destruction of systems or damage to an organization's image.

Software Attacks

Viruses, worms, and denial of service.

Technical Hardware Failures

Distributing flawed hardware that causes unreliable service.

Technical Software Failures

Exploiting vulnerabilities in the code.

Technological Obsolescence

Using outdated tech leading to data loss.

Theft

Copying information without the owner's knowledge.

Management

Achieving objectives using given resources.

Leadership

Influencing employees to achieve objectives.

Planning

Developing strategies to achieve objectives.

Organizing

Structuring resources to support goals.

Leading

Encouraging implementation of the plan.

Controlling

Ensuring the validity of the plan.

Governance

Exercising responsibilities to provide strategic direction.

Policy (in InfoSec)

A set of organizational guidelines that dictates certain behavior.

Protection

Risk management activities.

Projects

Applying project discipline to all elements.

Study Notes

  • Management is the practice where art, science, and craft meet, as articulated by Henry Mintzberg.

Learning Objectives

  • Review the critical characteristics of information security.
  • Discuss the dominant categories of threats to information security.
  • Discuss the importance of the manager's role in securing an organization's information assets.
  • Understand the characteristics of leadership and management.
  • Differentiate information security management from general business management.

Introduction

  • IT enables storage and transfer of vital company information across business units.
  • Disruptions in IT systems can critically impact operations.
  • Managers increasingly value information security for protecting organizational data.
  • Executive-level InfoSec managers lead dedicated teams focused on safeguarding information assets.
  • Organizations must recognize that information security planning and funding decisions extend beyond information managers, security teams, and IT managers.
  • Planning and funding decisions must engage the entire organization, represented by three distinct management and professional groups, or communities of interest, consisting of:
  • Those in the field of information security.
  • Those in the field of IT.
  • Those from the rest of the organization.
  • These three groups should engage in a constructive effort to reach consensus on an overall plan.
  • The IT community supports the business objectives of the organization by supplying and supporting IT that is appropriate to the organization's needs.
  • The general business community articulates and communicates organizational policy and objectives.
  • Working together, these communities of interest make recommendations to executive management about how to secure an organization's information assets effectively.

What is Security

  • Security means being free from danger; to be secure is to be protected from the risk of loss, damage, unwanted modification, or other hazards.
  • Achieving an appropriate level of security for an organization also depends on the implementation of a multilayered system.
  • Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another.
  • It is the role of management to ensure that each strategy is properly planned, organized, staffed, directed, and controlled.

Specialized Areas of Security Include

  • Physical security
  • Operations security
  • Communications security
  • Cyber (or computer) security
  • Network security

Information Security

  • InfoSec focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability.
  • InfoSec includes the technology that houses and transfers that information through a variety of protection mechanisms such as policy, training and awareness programs, and technology.
  • The NSTISSC Security Model (also known as the McCumber Cube) provides a more detailed perspective on security.
  • While the NSTISSC model covers the three dimensions of information security, it omits discussion of the detailed guidelines and policies that direct the implementation of controls.
  • Another weakness of the model is that, when applied with too limited an approach, it is viewed from a single perspective only.

The C.I.A. Triad

  • The C.I.A. triad (confidentiality, integrity, and availability) has expanded into a comprehensive list of critical characteristics of information.

Confidentiality

  • Confidentiality is "an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems."
  • Confidentiality means limiting access to information only to those who need it and preventing access by those who do not.
  • Protection of the confidentiality of information can be done in many ways:
  • Information classification
  • Secure document (and data) storage
  • Application of general security policies.
  • Education of information custodians and end users
  • Cryptography (encryption)

Integrity

  • Integrity is "an attribute of information that describes how data is whole, complete, and uncorrupted."
  • The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
  • Corruption can occur while information is being entered, stored, or transmitted.

Availability

  • Availability is "an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction."
  • Availability of information means that users, either people or other systems, have access to it in a usable format.
  • Availability does not imply that the information is accessible to any user, rather, it means it can be accessed when needed by authorized users.

Privacy

  • Privacy is “in the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality."
  • Information that is collected, used, and stored by an organization is used only for the purposes stated by the data owner at the time it was collected.
  • Privacy does not mean freedom from observation (the meaning usually associated with the word); it means that the information is used only in ways approved by the person who provided it.

Information Aggregation

  • Many organizations collect, swap, and sell personal information as a commodity.
  • Collecting and combining personal information from different sources (known as information aggregation) has resulted in databases that can be used in ways the original data owner never agreed to or even knows about.

Identification

  • Identification is “the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system."
  • An information system possesses the characteristic of identification when it can recognize individual users.
  • Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.
  • Identification is typically performed by means of a user name or other ID.

Authentication

  • Authentication is "the access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity."
  • It is the process by which a control establishes whether a user (or system) has the identity it claims to have.
  • Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system.

Authorization

  • Authorization is "the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels."
  • After the identity of a user is authenticated, authorization defines what the user (whether a person or a computer) has been specifically and explicitly allowed by the proper authority to do, such as access, modify, or delete the contents of an information asset.

Accountability

  • Accountability is "the access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity," and is also known as auditability.
  • Accountability of information happens when a control gives assurance that every activity undertaken can be attributed to a named person or automated process.
  • Accountability is most commonly associated with system audit logs.

Key Concepts of Information Security

  • One who knows the enemy and knows himself will not be in danger in a hundred battles (Art of War - Sun Tzu).
  • To protect your organization's information, familiarize yourself with the information assets to be protected and with the systems, mechanisms, and methods used to store, transport, process, and protect them.
  • Know your enemy; that is, know the threats your organization faces.
  • A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss.
  • Threat agents damage or steal an organization's information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or are no longer effective.
  • An attack is defined as "an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it."
  • An exploit is defined as "a technique used to compromise a system." Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain.
  • A vulnerability is defined as "a potential weakness in an asset or its defensive control system(s)."

12 Categories of Threats to Information Security

  • Compromises to intellectual property
  • Deviations in quality of service
  • Espionage or trespass
  • Forces of nature
  • Human error or failure
  • Information extortion
  • Sabotage or vandalism
  • Software attacks
  • Technical hardware failures or errors
  • Technical software failures or errors
  • Technological obsolescence
  • Theft

Compromises to Intellectual Property

  • Intellectual property (IP) can be trade secrets, copyrights, trademarks, and patents.
  • IP is protected by U.S. Copyright and other laws.
  • IP carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws.
  • The unauthorized appropriation of IP constitutes a threat to information security.
  • Includes topics like:
  • Software piracy
  • Copyright protection and user registration.

Deviations in Quality of Service

  • An organization's information system depends on the successful operation of many interdependent support systems, including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial staff.
  • Any of these support systems (even garbage haulers) can be interrupted by severe weather, employee illnesses, or other unforeseen events, hindering a running system.

Internet

  • Irregularities in Internet service, communications, and power supplies can dramatically affect the availability of information and systems.
  • Subcategories of this threat include Internet service issues, communications and service provider issues, and power irregularities.

Espionage or Trespass

  • When an unauthorized person wants access to information that an organization is trying to protect, the act is categorized as espionage or trespass.
  • When information gatherers employ techniques that cross a legal or ethical threshold, they conduct industrial espionage.
  • Hackers spend long hours examining the types and structures of targeted systems and use skill, guile, and/or fraud to attempt to bypass controls placed on information owned by someone else.
  • Gaining root-level control involves increasing privileges (privilege escalation) once an attacker enters a system.
  • Password attacks fall under espionage or trespass, just like lock-picking falls under breaking and entering.
  • Attempting to guess or reverse-calculate a password is often called cracking.
  • There are alternative approaches to password cracking, including brute force attack, dictionary password attack, rainbow tables, and social engineering password attack.

Forces of Nature

  • Forces of nature can present some of the most dangerous threats because they usually happen with little warning and are beyond the control of people.
  • Because it is not possible to avoid these threats, organizations must implement controls to limit damage and prepare contingency plans for continued operations.
  • Force majeure, or “superior force,” includes forces of nature as well as civil disorder and acts of war.
  • Most forces of nature can only be mitigated through insurance, although careful facilities design and placement can reduce the likelihood of damage.
  • Force of nature attacks include:
  • Fire
  • Flood
  • Earthquake
  • Lightning
  • Landslide or mudslide
  • Tornados or severe windstorms
  • Hurricanes, typhoons, and tropical depressions.
  • Tsunami
  • Electrostatic discharge (ESD)
  • Dust contamination

Human Error or Failure

  • This category includes acts performed without intent or malicious purpose, or through ignorance, by an authorized user.
  • Mistakes happen, and errors occur when people fail to follow established policy when using information systems.
  • Causes of failure can include:
  • Inexperience
  • Improper training
  • Incorrect assumptions
  • The greatest threat to an organization's information security is its employees, as they are the threat agents closest to the information.
  • Human error can often be prevented with training and ongoing awareness activities.
  • Attacks include:
  • Social Engineering
  • Advance-fee fraud
  • Phishing
  • URL Manipulation
  • Web Site Forgery
  • Spear phishing
  • Pretexting.

Information Extortion

  • Information extortion, or cyberextortion, is common in the theft of credit card numbers.
  • Recent information extortion attacks have involved specialized forms of malware known as ransomware that encrypt the user's data and offer to unlock it if the user pays the attacker.

Sabotage or Vandalism

  • Sabotage involves the deliberate sabotaging of a computer system or business, or acts of vandalism, to destroy an asset or damage the image of an organization.
  • These acts can range from petty vandalism by employees to organized sabotage.
  • Vandalizing a Web site could erode consumer confidence, leading to lower sales, diminished net worth, and/or a damaged reputation.
  • Activism in the digital age ranges from positive online activism to cyberterrorism and cyberwarfare.

Software Attacks

  • Deliberate software attacks occur when an individual or group designs and deploys software to attack a system.
  • This software can overwhelm the processing capabilities or gain access to protected systems by hidden means.
  • Back doors, trap doors, and maintenance hooks are software attacks.
  • E-mail attacks (spam, mail bombs), social engineering attacks, and denial-of-service attacks are also included.
  • Malware such as viruses, worms, and Trojan horses, and interception attacks such as packet sniffers, are also included.

Technical Hardware Failures

  • Failures happen when a manufacturer distributes equipment containing a known or unknown flaw, which leads to bad system performance and/or availability.
  • In hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF).
  • MTBF presumes the item can be repaired; MTTF presumes it must be replaced.

Technical Software Failures

  • Large amounts of computer code are written and shipped before all bugs are detected and resolved.
  • Sometimes, certain combinations of software and hardware reveal bugs that might affect other systems. These bugs are not always errors; some are purposeful shortcuts left by programmers for benign or malign reasons.
  • The most popular bug list is Bugtraq, hosted by SecurityFocus.

More Technical Software Failures

  • Open Web Application Security Project (OWASP) listed web application security risks for 2017:
  • Injection
  • Broken authentication and session management
  • Cross-site scripting (XSS)
  • Broken access control
  • Security misconfiguration
  • Sensitive data exposure
  • Insufficient attack protection
  • Cross-site request forgery (CSRF)
  • Using components with known vulnerabilities
  • Underprotected APIs

Deadly Sins of Software Security

  • Web Application Sins
  • SQL injection
  • Web server-related vulnerabilities
  • Web client-related vulnerabilities
  • Use of magic URLs, predictable cookies, and hidden form fields
  • Implementation Sins
  • Buffer overflows
  • Format string problems
  • Integer overflows
  • C++ catastrophes
  • Catching exceptions
  • Command injection
  • Failure to handle errors correctly
  • Information leakage
  • Race conditions
  • Poor usability
  • Not updating easily
  • Executing code with too much privilege
  • The sins of mobile code
  • Failure to protect stored data

Deadly Sins of Software Security part 2

  • Crypto Sins
  • Use of weak password-based systems
  • Weak random numbers
  • Using the wrong cryptography
  • Networking Sins
  • Failure to protect network traffic
  • Improper use of PKI, especially SSL
  • Trusting network name resolution

Technological Obsolescence

  • Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems.
  • Management must recognize the risk of losing data integrity when technology grows old and outdated.
  • One of the most significant cases of technological obsolescence in recent years is Microsoft's Windows XP.

Theft

  • The value of information diminishes when it is copied without the owner's knowledge.
  • Physical theft can be controlled easily using a wide variety of measures, from locked doors to trained security personnel and the installation of alarm systems.
  • Electronic theft, however, is a more complex problem to manage and control.
  • Theft is often an overlapping category with software attacks, espionage or trespass, and compromises to intellectual property.

Management and Leadership

  • Management is the process of achieving objectives using a given set of resources.
  • Managers are assigned to marshal and administer resources, coordinate the completion of tasks, and handle roles necessary to complete the desired objective.
  • Managerial roles include informational, interpersonal, and decisional tasks.
  • Leaders influence employees so that they achieve goals.
  • Managers create budgets, manage resources, and hire and terminate employees.
  • Leaders are often the people that employees want to follow.
  • A manager can also be an effective leader.

Management Characteristics

  • Two basic approaches to management:
  • Traditional management uses planning, organizing, staffing, directing, and controlling (POSDC).
  • Popular management uses planning, organizing, leading, and controlling (POLC).

Definitions of the Terms

  • Planning: developing strategies and an implementation plan to achieve objectives.
  • Organizing: structuring resources to support the accomplishment of objectives.
  • Leading: encouraging the implementation of the plan and supervising employee behavior.
  • Controlling: monitoring progress toward objectives, resolving impediments, and confirming that resources are adequate.

Governance

  • Governance encompasses the responsibilities and practices exercised by a company's top levels to provide strategic direction and verify that risks are managed appropriately.
  • Governance escalates the importance of InfoSec to the highest levels of management.

Solving Problems Steps

  • Recognise and define the problem
  • Gather facts and make assumptions
  • Develop possible solutions
  • Analyse and compare possible solutions (feasibility analyses)
  • Select, implement and evaluate a solution

Principles of IT Security Management

  • Known as the 6 P's:
  • Planning
  • Policy
  • Protection
  • People
  • Programs
  • Project Management

InfoSec Planning

  • The basic planning model can also be extended and used for InfoSec planning.
  • Included in the InfoSec planning model are the activities necessary to create information security strategies.
  • It is imperative for a CISO to work closely with senior managers to develop strategies.
  • Types of plans:
  • Incident response plan
  • Business continuity plan
  • Disaster recovery plan
  • Policy planning
  • Personnel planning
  • Tech rollout planning
  • Security program including education and training etc.

Policy

  • A set of organizational guidelines that dictates certain behaviors in the organization
  • Three kinds:
  • Enterprise information security policy
  • Issue-specific policy
  • System-specific policies

Programs

  • Managed as separate operations
  • Security education, training, and awareness (SETA) program
  • Other programs, such as those for fire protection and guards

Protection

  • Executed through risk management activities and protection mechanisms
  • Covers the specific controls that make up the overall information security plan

People

  • People are the most critical link in the InfoSec program
  • InfoSec includes personnel security and the SETA program

Projects

  • Application of project management discipline to all elements of InfoSec
  • Control resources for each project so it progresses as desired
  • InfoSec is a series of projects; each element is managed as a project even though the overall program is ongoing

Summary

  • The fluidity of business needs now makes InfoSec a broad, organization-wide concern.
  • InfoSec involves managers and professionals from both technical and non-technical communities.
  • Critical characteristics of information include confidentiality, integrity, and availability.
  • Making sound security decisions requires knowing which information assets and systems need protecting.
  • Threats to IT infrastructure include a vast range of problems, from trespass to vandalism.
  • An attack succeeds when a failure in security controls allows a vulnerability to be exploited.
  • Poorly developed software is risky to a business, but quality assurance and testing can prevent this.
  • Leaders influence employees and promote good habits, while managers direct business resources.
  • Core functions of management are planning, organizing, leading (staffing and directing), and controlling.
  • Operations and InfoSec share the goal of secure operations.
