IAS Midterm Reviewer PDF
Summary
This document is a reviewer for an Information Assurance and Security (IAS) midterm exam. It covers fundamental concepts of information security including the CIA triad (Confidentiality, Integrity, Availability), the scope of computer security, different layers of security, and components of an Information System (IS).
Full Transcript
LESSON 1

*C.I.A. Triangle - Confidentiality, Integrity, Availability
*Jim Anderson, Inovant (2002) - Information security: a "well-informed sense of assurance that the information risks and controls are in balance."

*WW II - 1st modern computers
1930
*The Enigma - cipher machine; German code solved by Alan Turing
1960
*ARPANET (Advanced Research Projects Agency Network) - developed by Larry Roberts
Late 70s & 80s
*expanded computing capabilities
*Rand Report R-609 (study of computer security)
*MULTICS (Multiplexed Information and Computing Service) - 1st OS with security as its primary goal
 - developed mid 60s by General Electric (GE), Bell Labs, & Massachusetts Institute of Technology (MIT)
*UNIX - created by several key players of MULTICS
 - primary purpose is text processing
1990
*networks of computers are common
*manifestation of internet
2000-Present
*internet
*threat of cyber attacks

*Security - quality of being secure; to be free from danger

LAYERS OF SECURITY
1. Physical security
2. Personal security
3. Operations security
4. Communications security
5. Network security
6. Information security

*Threat - something that represents danger

CATEGORIES OF THREATS TO INFOSEC
1. Compromises to Intellectual Property - ownership of ideas
2. Deviations in Quality of Service - not delivered as expected
3. Espionage/Trespass - access of protected info
4. Forces of Nature
5. Human Error/Failure - acts w/out malicious intent
6. Information Extortion - steals & demands compensation
7. Sabotage/Vandalism
8. Software Attacks - malware
9. Technical Hardware Failures/Errors
10. Technical Software Failures/Errors
11. Technological Obsolescence - untrustworthy systems
12. Theft - stealing

*Attack - acts that exploit a vulnerability

TYPES OF ATTACKS
1. Malicious code
2. Hoaxes - real virus
3. Back door - accessing a system/network
4. Password crack - reverse calculate
5. Brute force - trying all possible combinations
6. Dictionary - specific accounts
7. DoS - spamming requests
8. DDoS
9. Spoofing - intruder assumes a trusted IP address
10. Man-in-the-middle - monitors network
11. Spam
12. Mail bombing
13. Sniffers - monitor data
14. Phishing - attempt to steal private info
15. Pharming - web traffic
16. Social engineering - social skills
17. Timing attack - malicious cookie

*Subject of attack: computer is used
*Object of attack: computer is attacked

CHARACTERISTICS OF INFORMATION
1. Availability
2. Accuracy
3. Authenticity
4. Confidentiality
5. Integrity
6. Utility
7. Possession

SCOPE OF COMPUTER SECURITY
1. Safety of data
2. Limiting unauthorized access to data
3. Involvement of personnel from multiple levels of an organization

*Information System (IS) - set of components necessary to use info. within an org.

COMPONENTS OF AN INFO. SYSTEM
1. Software
2. Hardware
3. Data
4. People
5. Procedures
6. Networks

Information Security Implementation
1. Bottom-Up - grassroots effort; seldom works
2. Top-Down - upper management; most successful

LESSON 2

*SDLC (Systems Development Life Cycle) - methodology of IS within an org.

TRADITIONAL SECSDLC PHASES
1. Investigation - outcomes, goals, feasibility analysis
2. Analysis - documents, risk management
3. Logical Design - blueprint; should the project be continued/outsourced
4. Physical Design - final design
5. Implementation - tested, implemented, tested again
6. Maintenance & Change - most important

*Senior Management - key component
CIO (Chief Info. Officer) - senior, strategic planning
CISO (Chief Info. Security Officer) - assess, manage, implement; reports to the CIO

INFORMATION SECURITY PROJECT TEAM
1. Champion
2. Team leader
3. Security policy developers
4. Risk assessment specialists
5. Security professionals
6. Systems administrators
7. End users

DATA RESPONSIBILITIES
1. Data owner - security & use
2. Data custodian - storage & maintenance
3. Data users - end users

*Security is a combination of art & science
*Security artisan - the way individuals perceive systems technologists
Security as:
1. Art - no rules and nothing universally accepted
2. Science - technology-designed
3. Social Science - behavior of individuals interacting with systems

LESSON 3

*Information Asset - focus of infosec; info that has value
*Media - subset of info asset
*Data - items of fact
*Information - organized data

3 Communities of Interest
1. General Management
2. IT Management
3. Information Security

LESSON 4

*Laws - rules
*Ethics - socially accepted behavior
*Cultural mores - moral attitudes/customs of a particular group

ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL
1. Liability - legal obligation
2. Restitution - compensate for wrongs
3. Due care - knowing what acceptable behavior is
4. Due diligence - effort
5. Jurisdiction - authority in their territory
6. Long arm jurisdiction - right of any court (reach)

TYPES OF LAW
1. Civil - nation/state
2. Criminal - violations
3. Private - individuals & org.
4. Public - citizens, employees, public interest

3 CAUSES OF UNETHICAL & ILLEGAL BEHAVIOR
1. Ignorance
2. Accident
3. Intent

RELEVANT PH LAWS IN INFOSEC
1. 2011-2016 National Security Policy
2. R.A. 9775 (Anti-Child Pornography Act of 2009)
3. R.A. 9995 (Anti-Photo and Video Voyeurism Act of 2009)
4. R.A. 10173 (Data Privacy Act of 2012)
5. R.A. 10175 (Cybercrime Prevention Act of 2012)

10 COMMANDMENTS OF COMPUTER ETHICS
1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people's computer work
3. Thou shalt not snoop around in other people's computer files
4. Thou shalt not use a computer to steal
5. Thou shalt not use a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
7. Thou shalt not use other people's computer resources without authorization or proper compensation
8. Thou shalt not appropriate other people's intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans

Database Security
1. Managerial controls - governance
2. Technical controls - knowledge of access control
3. Physical controls

*The Art of War by Sun Tzu Wu: (1) know yourself (2) know your enemy