IAS Midterm Reviewer PDF

Summary

This document is a reviewer for an Information Assurance and Security (IAS) midterm exam. It covers fundamental concepts of information security including the CIA triad (Confidentiality, Integrity, Availability), the scope of computer security, different layers of security, and components of an Information System (IS).

Full Transcript

LESSON 1 *C.I.A. Triangle- Confidentiality, Integrity,
Availability
*Jim Anderson, Inovant (2002) — Information
security: a “well-informed sense of assurance that
the information risks and controls are in balance.”
*WW II- 1st modern computers
1930
*The Enigma- cipher machine, German code solved
by Alan Turing
1960
*ARPANET (Advanced Research Project Agency *Subject of attack: computer is used
Network)- developed by Larry Roberts
*Object of attack: computer is attacked
Late 70s & 80s
CHARACTERISTICS OF INFORMATION
*expanded computing capabilities
1. Availability
*Rand Report R-609 (study of computer security) 2. Accuracy
3. Authenticity
SCOPE OF COMPUTER SECURITY
4. Confidentiality
1. Safety of data 5. Integrity
2. Limiting unauthorized access to data 6. Utility
3. Involvement of personnel from multiple 7. Possession
levels of an organization
*Information System (IS)- set of components
*MULTICS (Multiplexed Information and Computing necessary to use info. within an org.
Service)- 1st OS with security as its primary goal
COMPONENTS OF AN INFO. SYSTEM
- developed mid 60s by: General Electric
1. Software
(GE), Bell Labs, & Massachusetts Institute of
2. Hardware
Technology (MIT)
3. Data
*UNIX- created by several key players of MULTICS 4. People
5. Procedures
- primary purpose is text processing
6. Networks
1990
Information Security Implementation
*networks of computers are common
1. Bottom-Up- grassroots effort; seldom works
*manifestation of internet 2. Top-Down- upper management; most
successful
2000-Present
*internet LESSON 2
*threat of cyber attacks *SDLC (Systems Development Life Cycle)-
methodology of IS within an org.
*Security- quality of being secure; be free from
danger TRADITIONAL SECSDLC PHASES
LAYERS OF SECURITY 1. Investigation- outcomes, goals, feasibility
analysis
1. Physical security
2. Analysis- documents, risk management
2. Personal security
3. Logical Design- blueprint, should project be
3. Operations security
continued/outsourced
4. Communications security
4. Physical Design- final design
5. Network security
5. Implementation- tested, implemented, testes
6. Information security
again
6. Maintenance & Change- most important *Threat- something that represents danger
*Senior Management- key component CATEGORIES OF THREATS TO INFOSEC

 CIO (Chief Info. Officer)- senior, strategic 1. Compromises to Intellectual Property
planning - ownership of ideas
 CISO (Chief Info. Security Officer)- assess, 2. Deviations in Quality of Service
manage, implement, reports to the CIO - not delivered as expected
3. Espionage/Trespass
INFORMATION SECURITY PROJECT TEAM
- access of protected info
1. Champion 4. Forces of Nature
2. Team leader 5. Human Error/Failure
3. Security policy developers - acts w/out malicious intent
4. Risk assessment specialists 6. Information Extortion
5. Security professionals - steals & demands compensation
6. Systems administrators 7. Sabotage/Vandalism
7. End users 8. Software Attacks
- malware
DATA RESPONSIBILITIES
9. Technical Hardware Failures/Errors
1. Data owner- security & use 10. Technical Software Failures/Errors
2. Data custodian- storage & maintenance 11. Technological Obsolescence
3. Data users- end users - untrustworthy systems
12. Theft
*Security is a combination of art & science
- Stealing
*Security artesan- the way individuals perceive
*Attack- acts that exploit vulnerability
systems technologists
TYPES OF ATTACKS
Security as:
1. Malicious code
1. Art- no rules and universally accepted
2. Hoaxes- real virus
2. Science- technology-designed
3. Back door- accessing a system/network
3. Social Science- behavior of individuals
4. Password crack- reverse calculate
interacting with systems
5. Brute force- trying all possible combination
6. Dictionary- specific accounts
LESSON 3 7. DoS- spamming requests
*Information Asset- focus of infosec, info that has 8. DDoS
value 9. Spoofing- intruder assumes a trusted ip add
10. Man-in-the-middle- monitors network
*Media- subset of info asset 11. Spam
*Data- items of fact 12. Mail bombing
13. Sniffers- monitors data
*Information- organized data 14. Phishing- attempt to steal private info
3 Communities of Interest 15. Pharming- web traffic
16. Social engineering- social skills
1. General Management 17. Timing attack- malicious cookie
2. IT Management
3. Information Security LESSON 4
Database Security *Laws- rules
1. Managerial controls- governance *Ethics- socially accepted behavior
2. Technical controls- knowledge of access
control *Cultural mores- moral attitudes/customs of a
3. Physical controls particular group

*The Art of War by Sun Tzu Wu: (1) know yourself
(2) know your enemy
ORGANIZATIONAL LIABILITY AND THE NEED FOR 9. Thou shalt think about the social consequences
COUNSEL of the program you are writing or the system
you are designing
1. Liability- legal obligation
10. Thou shalt always use a computer in ways that
2. Restitution- compensate for wrongs
ensure consideration and respect for your
3. Due care- knowing what acceptable
fellow humans
behavior is
4. Due diligence- effort
5. Jurisdiction- authority in their territory
6. Long arm jurisdiction- right of any court
(reach)
TYPES OF LAW
1. Civil- nation/state
2. Criminal- violations
3. Private- individuals & org.
4. Public- citizens, employees, public interest
3 CAUSES OF UNETHICAL & ILLEGAL BEHAVIOR
1. Ignorance
2. Accident
3. Intent

RELEVANT PH LAWS IN INFOSEC
1. 2011-2016 National Security Policy
2. R.A. 9775 (Anti-Child Pornography Act of
2009)
3. R.A. 9995 (Anti-Photo and Video Voyeurism
Act of 2009)
4. R.A. 10173 (Data Privacy Act of 2012)
5. R.A. 10175 (Cybercrime Prevention Act of
2012)
10 COMMANDMENTS OF COMPUTER ETHICS
1. Thou shalt not use a computer to harm other
people
2. Thou shalt not interfere with other people’s
computer work
3. Thou shalt not snoop around in other people’s
computer files
4. Thou shalt not use a computer to steal
5. Thou shalt not use a computer to bear false
witness
6. Thou shalt not copy or use proprietary software
for which you have not paid
7. Thou shalt not use other people’s computer
resources without authorization or proper
compensation
8. Thou shalt not appropriate other people’s
intellectual output