175 Cards in this Set
- Front
- Back
Two fundamental requirements for every human activity:
|
Coordination
Division of Labor |
|
Coordination of various tasks for a purposeful outcome defines the nature of organizations. What is at the crux of any coordinating activity?
|
Communication
|
|
Definition of an organization?
|
A series of information-handling activities
|
|
Information Handling can be undertaken at three levels:
|
Technical - limit access
Formal - alter organizational hierarchy
Informal - security awareness program |
|
The system for handling information at the three levels:
|
An organization's information system.
|
|
Core Argument of System Security:
|
Information systems need to be secured at a technical, formal and informal level.
|
|
How is a formal system formed?
|
When messages arrive from external parties, suppliers, customers, regulatory agencies, and financial institutions. Messages are usually very explicit and are transcribed by an organization to get its own work done.
Plays a supportive role to the largely informal setting. |
|
What is the information flow loop for formal systems?
|
from external to internal and then to external - completed when messages are transmitted by the organization to external parties from which it originally received the messages or other additional parties.
|
|
Informal system
|
The natural means to augment the formal system. In ensuring the formal system works, people generally engage in informal communications.
the informal system represents a subculture where meanings are established, intentions are understood, beliefs are formed, and commitments and responsibilities are made, altered, and discharged. |
|
Base of formal systems:
|
Formal systems are rule based and tend to bring about uniformity; generally insensitive to local problems and as a consequence there may often be discordance between rules advocated by the formal system and realities created by cohesive informal groupings.
|
|
Boundary between Formal and Informal
|
Best determined by decision-makers, who base their assessment on identifying those factors that can be handled routinely and those that would be best left informal.
|
|
Technical
|
The technical system essentially automates a part of the formal system; presupposes that a formal system exists at all times; plays a supportive role to the formal, perhaps bureaucratic, rule-based environment.
|
|
Results of a lack of coordination
|
A lack of coordination results either in substandard management practices or in opening up the organization to a range of vulnerabilities.
|
|
Security in Threes
|
Managing information system security to a large extent equates to maintaining integrity of the three systems - formal, technical, and informal.
|
|
Control
|
the use of interventions by a controller to promote a preferred behavior of a system being controlled.
|
|
Controls can be:
|
technical, formal or informal.
|
|
Controls have ______________________ effects.
|
dysfunctional
|
|
Most important reason controls can be dysfunctional:
|
isolated solutions (i.e., controls) may be provided for specific problems; tend to ignore other existing controls and their contexts.
|
|
_______________ _______________ in each of the three categories, though important, must complement each other.
|
Individual controls
Necessitates an overarching policy that determines the nature of controls being implemented and therefore provides comprehensive security to the organization. |
|
Focus of a security policy:
|
to create a shared vision and an understanding of how various controls will be used such that the data and information is protected in an organization.
|
|
Why does a business implement complex technological controls?
|
To protect the information held in their computer systems; most of these controls have been in the areas of access control and authentication.
|
|
What are some of the authentication controls?
|
Ultimately dependent on cost justification of controls.
Challenge-response box technology
Block ciphers
Message authentication
Voice analysis
Digital signatures |
|
Reason a rule-based formal structure needs to be put in place:
|
determine the consequences of misinterpretation of data and misapplication of rules in an organization and help in allocating specific responsibilities.
Should address not only the hiring procedures, but also the structures of responsibility during employment. Helps in the attribution of blame, responsibility, accountability and authority. |
|
Key principle in assessing how much resources to allocate to security(technical or formal controls) is that the amount spent should be in proportion to the criticality of the system,
|
cost of remedy, and the likelihood of the breach of security occurring.
Also necessary for the management of organizations to adopt appropriate controls to protect themselves from claims of negligent duty and also to comply with the requirements of data protection legislation. |
|
Coordination in threes refers to what three aspects of information security?
|
Formal aspect
Informal aspect
Technical aspect |
|
When an organization implements controls to limit access to buildings, rooms or computer systems, these are referred to as _________________ controls.
|
Formal
|
|
The organizational hierarchy can be considered a part of _________ controls.
|
formal
|
|
Training and an employee awareness program could be considered a part of what type of control?
|
Informal
|
|
The first step in developing good management practices and reducing the risk of a security breach is by adopting some ______________ _____________ standards
|
base line
|
|
Most breaches of information system security occur shortly _______________ the terminated employee leaves the organization.
|
before
|
|
Formal controls should address not only the hiring procedures but also the structures of ______________ during employment.
|
responsibility
|
|
Training and awareness programs are extremely important in developing a ___________________ core of members of the organization
|
trusted
|
|
An organization can therefore be defined as a series of _____________ - _______________ ________________.
|
information-handling activities
|
|
The informal system represents a _____________ where meanings are established, _____________ are understood, ____________ are formed, and _______________ and _________________ are made, altered and discharged.
|
subculture
intentions
beliefs
commitments and responsibilities |
|
The key principle in assessing how much resources to allocate to security (technical and formal controls) is:
|
the amount spent should be in proportion to the criticality of the system, the cost of remedy, and the likelihood of the breach of security occurring.
|
|
Managing security is the implementation of a __________ of ____________.
|
range of controls
|
|
____________ is “the use of interventions by a controller to promote a preferred behavior of a system being controlled”
|
Control
|
|
Authentication and access control
|
Smart card technology, extensively used in financial firms
'Challenge-response box' technology
Voice analysis
Digital signatures |
|
Implementation of technological solutions is dependent upon:
|
cost justifying the controls
|
|
Task-force’ approach at the organizational level:
|
Carrying out security management
Giving strategic direction
Representatives from a wide range of functional areas |
|
Personnel issues
|
Hiring procedures
Structures of responsibility
A sub-culture which promotes fair practices and moral leadership
Termination practices for employees |
|
Security awareness is a cost effective control by:
|
Increased awareness should be supplemented with an ongoing education and training program
Training and awareness are extremely important in developing a 'trusted' core of members of the firm
Emphasizing the sub-culture
An environment that develops a common belief system |
|
Coordination in threes still applies, but a further layer of _____________ is added when organizations establish relationships with each other.
|
complexity
|
|
A firewall is an example of a(n) _________________ control.
|
technical
|
|
The core information system security requirements of an organization are:
|
confidentiality, integrity, availability, authenticity, and nonrepudiation
|
|
Data is usually protected from ________________ such as being modified, destroyed, disclosed, intercepted, interrupted, or fabricated.
|
vulnerabilities
|
|
Perpetrators generally stick to the __________ and ______________ means of penetration.
|
easiest and cheapest
|
|
Principles of __________ ______________, ______________, and ______________________ are the basis for establishing information system security.
|
easiest penetration
timeliness
effectiveness |
|
At a technical level, name the six threats to hardware, software, and the data that resides in computer systems - Data Security Requirements.
|
Modification
Destruction
Disclosure
Interception
Interruption
Fabrication |
|
Name the three critical security requirements for protecting data.
|
Confidentiality
Integrity Availability |
|
Name two other security requirements that have become important. especially in a networked environment.
|
Authentication
Nonrepudiation |
|
The use of the need-to-know principle is the most acceptable form of ensuring ______________.
|
confidentiality
|
|
What requirement assures that the message is from the source it claims to be from?
|
Authenticity
|
|
Denial-of-service attacks are to a large extent a consequence of which security requirement not having been adequately addressed?
|
Availability
|
|
What requirement ensures that data and programs are changed in an authorized manner?
|
Integrity
|
|
Privacy of data is ensured by what requirement?
|
Confidentiality
|
|
What requirement prevents an individual or entity from denying having performed a particular action related to data?
|
Nonrepudiation
|
|
A digital signature scheme is one means to ensure ________________.
|
Authentication
|
|
The _____________ point is considered to be the most serious vulnerability. This relates to the Principle of ______________ ________________.
|
Weakest
Easiest Penetration |
|
Perpetrators generally stick to the ______________, ______________, _________________ means to accomplishing their objectives.
|
easiest
safest
simplest |
|
The principle of easiest penetration suggests that organizations:
|
need to systematically consider all possible means of penetration since strengthening one might make another means more attractive to a perpetrator.
|
|
Need-to-know principle:
|
Both users and systems should have access to and receive data only on a need-to-know basis. This is the most acceptable form of ensuring confidentiality.
|
|
Confidentiality
|
Requirement that ensures privacy of data
Protection mechanisms may include: encryption, lock and keys and related password mechanisms, cryptography |
|
Integrity
|
Requirement that ensures that data and programs are changed only in an authorized manner. Integrity refers to an unimpaired condition, a state of completeness and wholeness, and adherence to a code of values. "All data is present and accounted for" (irrespective of accuracy).
|
|
Availability
|
requirement that ensures proper functioning of all systems such that there is no denial of service to authorized users.
|
|
Authentication
|
requirement that assures that the message is from the source it claims to be from. Timeliness is an important attribute, since obsolete data is not necessarily true and correct.
|
|
Nonrepudiation
|
requirement that prevents an individual or entity from denying having performed a particular action related to data
|
|
Disclosure
|
when any of the access control mechanisms fail and it becomes possible to view confidential data.
|
|
Modification
|
Loss that occurs when someone secretly alters the data. Nothing need have been disclosed, so confidentiality can remain intact while integrity is lost.
|
|
Vulnerability of Computing Resources: hardware, software, data
|
Hardware - Destruction; interception; interruption
Software - Modification; interception; interruption (logic bomb - a new routine inserted into the software; trojan horse; virus; trapdoor)
Data - Destruction; interception; interruption; fabrication; modification; disclosure |
|
Confidentiality Attributes and Protection of Data and Software: attribute, kinds of controls, possible losses
|
Confidentiality
Data - a set of rules to determine if a subject has access to an object
Software - limited access to code
Kinds of controls
Data - labels, encryption, discretionary and mandatory access control, reuse prevention
Software - copyright, patents, labels, physical access control locks
Possible losses
Data - disclosure, inference, espionage
Software - piracy, trade secret loss, espionage |
|
Integrity Attributes and Protection of Data and Software: attribute, kinds of controls, possible losses
|
Integrity
Data - unimpaired, complete, whole, correct
Software - unimpaired, everything present and in an ordered manner
Kinds of controls
Data - hash totals, check bits, sequence number checks, missing data checks
Software - hash totals, pedigree checks, escrow, vendor assurance, sequencing
Possible losses
Data - larceny, fraud, concatenation
Software - theft, fraud, concatenation |
|
Need-to-Withhold Principle
|
default situation in business in which the information is freely available to all employees because the Need-to-Know principle can be stifling to the conduct of business
|
|
Integrity checks
|
relate to identification of missing data in fields and files, checks for variable length and number, hash total, transaction sequence checks, and so on. At a higher level, integrity is checked in terms of completeness, compatibility, consistency of performance and failure reports. 2 broad categories: prevention mechanisms and detection mechanisms.
|
|
Prevention Mechanisms
|
seek to maintain integrity by blocking unauthorized attempts to change the data or change the data in an unauthorized manner.
|
|
Detection Mechanisms
|
Simply report violations of integrity - do not stop violations from taking place; usually analyze data to see if the required constraints still hold.
|
|
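The integrity checks and the detection mechanism described on the cards above, as an added example that is not part of the flashcard set or the textbook it summarizes. The record layout "seq|account|amount", the batch trailer "T|count|hash_total|sha256" and the batch contents are all constructed for this example; every check the cards name (missing data, field format, transaction sequence, hash total) is run over the batch and reported rather than blocked.

```python
"""Added example (not from the flashcards): batch integrity checks run as a
detection mechanism. The record format and trailer format are assumptions."""
import hashlib
import re
from decimal import Decimal

ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")   # assumed account-number format


def make_batch(records):
    """Sender side: body lines plus a trailer carrying the record count, the hash
    total (sum of amounts) and a SHA-256 digest of the body. An empty amount is a
    sender-side defect that the receiver's missing-data check should catch."""
    body = "\n".join(f"{seq}|{acct}|{amt}" for seq, acct, amt in records)
    total = sum((Decimal(amt) for _, _, amt in records if amt), Decimal("0"))
    digest = hashlib.sha256(body.encode()).hexdigest()
    return f"{body}\nT|{len(records)}|{total}|{digest}"


def check_batch(text):
    """Receiver side, detection mechanism: report every violated constraint.
    Nothing is blocked here; a prevention mechanism would refuse the batch instead."""
    lines = text.split("\n")
    body, trailer = lines[:-1], lines[-1]
    if not trailer.startswith("T|"):
        return ["trailer: missing"]
    _, count, hash_total, digest = trailer.split("|")
    findings = []
    if hashlib.sha256("\n".join(body).encode()).hexdigest() != digest:
        findings.append("digest: body differs from what the sender digested")
    if int(count) != len(body):
        findings.append(f"count: trailer says {count}, received {len(body)}")
    running, expected_seq = Decimal("0"), 1
    for line in body:
        fields = line.split("|")
        if len(fields) != 3:
            findings.append(f"field count: {line!r}")
            continue
        seq, acct, amt = fields
        if int(seq) != expected_seq:                      # sequence check: gap or duplicate
            findings.append(f"sequence: expected {expected_seq}, got {seq}")
        expected_seq = int(seq) + 1
        if not ACCOUNT_RE.match(acct):                    # format / length check
            findings.append(f"format: bad account {acct!r} in record {seq}")
        if amt == "":                                     # missing-data check
            findings.append(f"missing data: no amount in record {seq}")
            continue
        running += Decimal(amt)
    if running != Decimal(hash_total):                    # hash total check
        findings.append(f"hash total: trailer {hash_total}, computed {running}")
    return findings


# Constructed sample batch and two corrupted copies of it (not real data).
GOOD = [(1, "ACC-1001", "120.50"), (2, "ACC-1002", "75.00"), (3, "ACC-1003", "10.25")]
SENT = make_batch(GOOD)
AMOUNT_CHANGED = SENT.replace("2|ACC-1002|75.00", "2|ACC-1002|750.00")
RECORD_DROPPED = SENT.replace("2|ACC-1002|75.00\n", "")

if __name__ == "__main__":
    for name, batch in [("as sent", SENT), ("amount changed", AMOUNT_CHANGED),
                        ("record dropped", RECORD_DROPPED)]:
        print(name, "->", check_batch(batch) or ["no integrity violations"])
```

The digest and hash total catch accidental corruption and careless edits; an attacker who can rewrite the batch can also recompute an unkeyed SHA-256 trailer, so deliberate tampering needs a keyed message authentication code or a digital signature (the authentication and nonrepudiation controls on the later cards), not a plain hash.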
Availability Attributes and Protection of Data and Software: attribute, kinds of controls, possible losses
|
Availability
Data - present and accessible when and where needed
Software - usable and accessible when and where needed
Kinds of controls
Data - redundancy, backup, recovery plan, statistical pattern recognition
Software - escrow, redundancy, backup, recovery plan
Possible losses
Data - denial of service, failure to provide, sabotage, larceny
Software - larceny, failure to act, interference |
|
Authentication Attributes and Protection of Data and Software: attribute, kinds of controls, possible losses
|
Authentication
Data - genuine; accepted as conforming to a fact
Software - genuine; unquestioned origin
Kinds of controls
Data - audit log, verification, validation
Software - vendor assurances, pedigree documentation, hash totals, maintenance log, serial checks
Possible losses
Data - replacement, false data entry, failure to act, repudiation, deception, misrepresentation
Software - piracy, misrepresentation, replacement, fraud |
|
Nonrepudiation Attributes and Protection of Data and Software: attribute, kinds of controls, possible losses
|
Nonrepudiation
Data - genuine, true, and authentic communication
Software - genuine, true
Kinds of controls
Data - authentication, validation checks
Software - integrity controls, nonmodification controls
Possible losses
Data - monetary loss, loss of identity, disclosure of private information
Software - vulnerability of software code, fraud, misconstrued software |
|
Encryption
|
Transforming data so that it is unintelligible to an outside observer; significantly reduces the value of any interception and the possibility of undetected data modification. If not used properly (weak algorithm, poor key management), it may have only a limited effect on security, and the performance of the whole system may be degraded.
|
|
Software Controls - three categories
|
Software development controls
Operating system controls
Program controls
Each of the three categories of controls could be instituted at the input, processing and output levels. |
|
Software development controls
|
essentially a consequence of good systems development; conformance to standards and methodologies helps in establishing controls that go a long way in correct specification of systems and development of software.
Good testing, coding and maintenance are the cornerstones of such controls |
|
Operating system controls
|
Limitations built into operating systems such that each user is protected from others; many times these controls are developed by establishing extensive checklists.
|
|
Program controls
|
controls internal to the software, where specific access limitations are built into the system and include access limitations to data.
|
|
Role of Prevention Mechanisms
|
seek to maintain integrity by blocking unauthorized attempts to change the data or change the data in an unauthorized manner.
|
|
Integrity Checks
|
relate to identification of missing data in fields and files, checks for variable length and number, hash total, transaction sequence checks, and more. Higher level - checked in terms of completeness compatibility, consistency of performance and failure reports.
|
|
Usually the most difficult attacks to detect:
|
Availability attacks
|
|
Methods of Defense:
|
Encryption
Software controls
Physical and hardware controls |
|
Principle of Timeliness
|
relies on the delay in cracking a system being long enough that the data a perpetrator might eventually access is no longer useful.
|
|
Principle of Effectiveness
|
ensures the right balance between controls, such that the controls are not a hindrance to the normal workings of the business.
|
|
Basis for establishing information system security:
|
Principles of easiest penetration, timeliness, and effectiveness
|
|
Data is usually protected from vulnerabilities such as:
|
being modified, destroyed, disclosed, intercepted, interrupted, or fabricated.
|
|
The Trusted Computer System Evaluation Criteria (TCSEC) was originally developed by ____________________.
|
DoD (Department of Defense)
|
|
What are the two levels at which any function of computer-based system can be viewed?
|
The user view
The implementation view |
|
Access controls generally address which of the three critical security requirements for protecting data?
|
confidentiality
integrity availability |
|
Access controls could be either _________________ or ___________________.
|
mandatory
discretionary |
|
The notion of integrity deals with individual _____________, ______________, and _______________.
|
accountability
auditability separation of duties |
|
The no read up rule is one of the two axioms for which model:
|
Bell-LaPadula
|
|
The no write down rule dictates that a subject cannot move information from an object with a higher security _________________ to a lower security ________________.
|
classification
classification |
|
The _________________ monitor concept was conceived so that all interactions within the computer system occur with some type of mediation that implements the security policy at all times.
|
reference
|
|
The philosophy of need-to-know is based on efforts to classify information and maintain strict segregation of people, and was developed by the military as a means of restricting _____________ access to data.
|
unauthorized
|
|
An example of a model created for a particular organization is the Bell-LaPadula model, and that is why it works well for the __________________ organization, because it was developed with that structure and culture in mind.
|
military
|
|
In the nonmilitary organization, ________________ of the information is key to the well being of the organization.
|
integrity
|
|
Any function of a computer based system can be viewed at two levels, one is the user view:
|
elicited during requirement analysis for a system and records what a system should do.
|
|
The second level the function of a computer based system can be viewed is:
|
the view is built during system design and records how the system is to be constructed.
|
|
Models tend to be simple, abstract, and easy to comprehend and prove mathematically, and hence have ______________ ______________ in specifying ________________ _____________ measures alone.
|
limited utility
technical security |
|
Trusted System
|
a system that disallows an unauthorized transfer of information.
|
|
The Bell-LaPadula model deals with controlling ________________ to _______________ .
|
access
objects |
|
The current access set addresses the ability to extract or insert information in a specified object, based on four modes:
|
execute - neither observe nor alter
read - observe, but do not alter
append - alter, but do not observe
write - observe and alter |
|
The Denning Information Flow model is concerned with the security of _________________ ________________.
|
Information Flows
|
|
The _______________ ________________ is the critical part of the Denning model since it determines if information will be allowed to flow from a top secret file to an existing secret file.
|
flow operator
|
|
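The Bell-LaPadula rules and the Denning flow relation from the cards above, as an added example that is not part of the flashcard set or the textbook it summarizes: a small reference monitor that mediates every access against a security lattice. The label layout (a level plus a set of need-to-know compartments), the four level names and the sample subjects and objects are assumptions made for this example; the four access modes are the ones the cards list.

```python
"""Added example (not from the flashcards): a reference monitor enforcing
no-read-up and no-write-down over a lattice of (level, compartments) labels.
Level names and the label layout are assumptions."""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments (need-to-know)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other):
        """Denning's class-combining operator: the least upper bound of two labels,
        i.e. the label a value derived from both inputs must carry."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments | other.compartments)


def can_flow(source, target):
    """Denning's flow relation: information may flow source -> target iff target dominates source."""
    return target.dominates(source)


# Bell-LaPadula access modes as (observes?, alters?) pairs, as listed on the cards.
MODES = {"execute": (False, False), "read": (True, False),
         "append": (False, True), "write": (True, True)}


def blp_permits(subject, obj, mode):
    """Reference monitor decision for one access request.
    Simple security property (no read up): observing requires subject dominates object.
    *-property (no write down): altering requires object dominates subject.
    Both must hold for 'write', which observes and alters; 'execute' needs neither."""
    observes, alters = MODES[mode]
    if observes and not subject.dominates(obj):
        return False
    if alters and not obj.dominates(subject):
        return False
    return True


def mediate(requests):
    """Run a batch of (subject, object, mode) requests through the monitor; every
    request passes through it, there is no path around it. Returns the decisions."""
    return [blp_permits(s, o, m) for s, o, m in requests]


if __name__ == "__main__":
    secret = Label("SECRET")
    top_secret = Label("TOP_SECRET")
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    for s, o, m in [(secret, top_secret, "read"),          # read up: denied
                    (secret, top_secret, "append"),        # blind write up: allowed
                    (top_secret, secret, "write"),         # write down: denied
                    (top_secret, secret, "read"),          # read down: allowed
                    (top_secret, secret_crypto, "read")]:  # missing compartment: denied
        print(s.level, sorted(s.compartments), m, o.level, sorted(o.compartments),
              "->", "permit" if blp_permits(s, o, m) else "deny")
```

The last case in the demonstration is the need-to-know card in action: a TOP_SECRET subject without the CRYPTO compartment is refused a SECRET object that carries it, because dominance requires both the level and the compartments. Note also that "append" is permitted upward while "write" is not, which is why blind writes up are the standard way a low process reports to a high one under this model.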
The science of _______________________ seeks to ensure that the messages transmitted are kept confidential, their integrity is maintained, and are available to the right people at the right time.
|
Cryptology
|
|
The field of ____________________ includes methods and techniques to ensure secrecy and authenticity of message transmissions.
|
Cryptography
|
|
The range of methods used to break the encrypted messages is referred to as _________________.
|
Cryptanalysis
|
|
Once a document has been encrypted it is referred to as ________________ text.
|
cipher
|
|
A ______________ text document is any document in its native format.
|
plain
|
|
The ________________ algorithm is designed to produce a cipher text document that cannot be returned to its plain text form without the use of the algorithm and the associated key(s).
|
encryption
|
|
In __________________ encryption, a single key is used to encrypt and decrypt a document.
|
symmetric
|
|
It is the _______________ that holds the means to decrypt, and therefore it becomes important to establish a secure channel for sending and receiving it.
|
key
|
|
Ciphers that use the same key for both encrypting and decrypting plain text are referred to as ________________ ciphers.
|
symmetric
|
|
Ciphers using a different key to encrypt and decrypt the plain text are termed as ___________________ ciphers.
|
asymmetric
|
|
An attack in which the opponent has nothing but the encrypted message and undertakes a range of statistical analyses on it (letter and digram frequencies) in order to understand the inherent patterns is called a _____________-text-only attack.
|
cipher
|
|
An attack that utilizes knowledge of text whose placement in a message is predictable, such as the header of an accounting document or a disclaimer statement, is referred to as a known-______________ text attack.
|
plain
|
|
Encryption can be carried out in two forms ________________ and ___________________.
|
substitution
transposition |
|
In any language there are certain letters that have a high frequency of appearing together. These are referred to as _____________________.
|
digrams
|
|
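The substitution cipher, the cipher-text-only attack, the known-plain-text attack and the digram cards above, as an added example that is not part of the flashcard set or the textbook it summarizes. The plain text, the keyword-derived permutation key, the shift value and the crib are constructed for this example; the letter-frequency table is the usual approximate one for English. The statistical attack is shown against the shift (Caesar) subfamily of substitution ciphers, where a single rotation is the key; the crib attack works against any monoalphabetic substitution key.

```python
"""Added example (not from the flashcards): a monoalphabetic substitution cipher
broken by letter statistics (cipher-text-only) and by a positioned crib
(known-plain-text). All sample text and keys are constructed."""
import string
from collections import Counter

ALPHA = string.ascii_uppercase
# Approximate relative frequency of letters in English text, in percent.
ENGLISH = dict(zip(ALPHA, [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))


def normalize(text):
    """Keep letters only, upper-cased: classical ciphers work on the alphabet alone."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def substitute(text, key):
    """Monoalphabetic substitution: plain letter ALPHA[i] becomes key[i]."""
    return normalize(text).translate(str.maketrans(ALPHA, key))


def invert(key):
    return str.maketrans(key, ALPHA)


def decrypt(cipher, key):
    return cipher.translate(invert(key))


def shift_key(k):
    """A Caesar shift is the special case where the key is ALPHA rotated by k."""
    return ALPHA[k:] + ALPHA[:k]


def chi_squared(text):
    """Distance of the letter counts of text from English; lower is more English-like."""
    counts, n = Counter(text), len(text)
    return sum((counts[c] - ENGLISH[c] * n / 100) ** 2 / (ENGLISH[c] * n / 100) for c in ALPHA)


def break_shift(cipher):
    """Cipher-text-only attack on the shift family: decrypt under all 26 keys and keep
    the candidate whose letter distribution is closest to English."""
    return min(range(26), key=lambda k: chi_squared(decrypt(cipher, shift_key(k))))


def top_digrams(text, n=3):
    """Most frequent adjacent letter pairs; in cipher text these usually hide TH, HE, IN..."""
    return Counter(text[i:i + 2] for i in range(len(text) - 1)).most_common(n)


def crib_mapping(cipher, crib, offset):
    """Known-plain-text attack: a crib known to sit at a fixed offset (a document header)
    yields a partial cipher->plain mapping for any substitution key. A conflicting letter
    means the crib or the offset is wrong."""
    mapping = {}
    for c, p in zip(cipher[offset:offset + len(normalize(crib))], normalize(crib)):
        if mapping.get(c, p) != p:
            raise ValueError(f"crib conflict at cipher letter {c}")
        mapping[c] = p
    return mapping


def partial_decrypt(cipher, mapping):
    """Apply a partial mapping; unknown letters are shown as '_'."""
    return "".join(mapping.get(c, "_") for c in cipher)


# Constructed sample text (chosen to be ordinary English, rich in TH and E).
PLAIN = ("THE THIEF THOUGHT THAT THE THEFT WOULD NOT BE NOTICED BUT THE AUDIT TRAIL "
         "SHOWED EVERYTHING AND THE SECURITY TEAM TRACED THE STOLEN DATA TO THE SAME "
         "ACCOUNT THAT THE INSIDER HAD OPENED THE MONTH BEFORE")
KEY = "SECURITYABDFGHJKLMNOPQVWXZ"   # keyword-derived permutation, constructed for the example
CIPHER = substitute(PLAIN, KEY)
SHIFTED = substitute(PLAIN, shift_key(7))

if __name__ == "__main__":
    print("recovered shift:", break_shift(SHIFTED), "top digrams:", top_digrams(SHIFTED))
    crib = crib_mapping(CIPHER, "THE THIEF", 0)
    print("crib mapping:", crib)
    print("partial decrypt:", partial_decrypt(CIPHER[:40], crib))
```

Two points a practitioner should take from this: the key space of a shift cipher is 26, so exhaustive trial is cheap and the only real work is deciding which candidate is English, which the frequency table does; and a 26-letter permutation has a huge key space yet falls to a single positioned crib, which is why predictable headers and boilerplate are what the known-plain-text card warns about.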
Ciphers which generally convert one symbol of plain text at a time into a symbol of cipher text are referred to as _________________ ciphers.
|
stream
|
|
Ciphers that convert a group (fixed-length) block of plain text into cipher text through the use of a secret key are referred to as ____________________ ciphers.
|
block
|
|
Initially developed by IBM, ___________________ was adopted by the US government as a federal standard in 1977. (Hint: it encrypts 64-bit blocks under a 64-bit key of which only 56 bits are used by the algorithm; the remaining 8 are parity bits.)
|
DES (Data Encryption Standard)
|
|
A cryptographic _______________ function such as SHA-1 or MD4/MD5 is a one-way process that produces a fixed-length digest of the original plain text document. (MD4, MD5 and SHA-1 are now considered broken with respect to collision resistance; current practice uses the SHA-2 or SHA-3 families.)
|
hash
|
|
The ___________________ of the identity of the sender requires verification by a third party as to the identity of the sender.
|
authentication
|
|
The ___________ (____________ ______________ ______________) model provides for authentication through a process known as a web-of-trust.
|
PGP
Pretty Good Privacy |
|
Frames use 48-bit ___________________ addresses to identify the source and destination stations within a network.
|
MAC - Medium Access Control
|
|
Thirty-two-bit _________________ (version 4) addresses of the source and destination station are added to the packet in a process called encapsulation.
|
IP
|
|
Which Transport layer standard that runs on top of IP networks has no effective error recovery service and is commonly used for broadcasting messages over the network?
|
UDP - User Datagram Protocol
|
|
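The encapsulation described on the last three cards (48-bit MAC addresses in the frame, 32-bit IPv4 addresses in the packet, 16-bit ports in the UDP datagram), as an added example that is not part of the flashcard set or the textbook it summarizes. The header layouts follow IEEE 802.3, RFC 791 and RFC 768; the frame is built here for the example rather than taken from a capture, and the addresses, ports and payload are constructed. The parser refuses malformed frames (inconsistent lengths, bad header checksum) instead of trusting whatever the headers claim, which is the habit the later denial-of-service card calls for.

```python
"""Added example (not from the flashcards): build and parse Ethernet / IPv4 / UDP
encapsulation. Sample addresses and payload are constructed."""
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a header that includes a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Encapsulate payload: UDP header, then IPv4 header, then Ethernet header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = omitted (legal over IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))                              # EtherType 0x0800 = IPv4
    return eth + ip + udp


def parse_frame(frame):
    """Return the addressing fields at each layer; raise ValueError on anything malformed."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])      # 48-bit MAC addresses
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:                                         # not IPv4: stop at layer 2
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length inconsistent with frame")
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    out.update(src_ip=ip_str(ip[12:16]), dst_ip=ip_str(ip[16:20]), protocol=ip[9])  # 32-bit addresses
    if ip[9] != 17:                                                 # not UDP: stop at layer 3
        return out
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])     # 16-bit ports
    if ulen < 8 or ulen > len(udp):
        raise ValueError("UDP length inconsistent with IPv4 payload")
    out.update(src_port=sport, dst_port=dport, payload=udp[8:ulen])
    return out


def safe_parse(frame):
    """Wrap the parser so a malformed frame yields ('malformed', reason) instead of an exception."""
    try:
        return "ok", parse_frame(frame)
    except ValueError as exc:
        return "malformed", str(exc)


# Constructed sample: a host on 10.0.0.5 sending a syslog line to the subnet broadcast address.
FRAME = build_frame("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", "10.0.0.5", "10.0.0.255",
                    40000, 514, b"<13>constructed syslog test")

if __name__ == "__main__":
    print(safe_parse(FRAME))
    print(safe_parse(FRAME[:-4]))   # truncated in transit: length fields no longer add up
```

Every length used to slice deeper into the frame is checked against the bytes actually present before it is trusted; a parser that slices on the header's own length fields without that check is exactly what the malformed-packet attacks on the later cards exercise.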
A ________________ is considered the first line of defense in protecting private information and denying access by intruders to a secure system on the internal network.
|
firewall
|
|
What technique serves the dual purpose of hiding the internal IP addresses of critical systems as well as allowing multiple hosts on a private internal LAN to access the internet using a single public IP address?
|
NAT Network Address Translation
|
|
Most common break-ins exploit specific services that are running with ___________ configuration settings and are left unattended.
|
default
|
|
What technique can attackers use to identify the kinds of services that are running on the targeted hosts?
|
Port Scanning
|
|
What type of attack is the most commonly used mode of attack against an operating system?
|
Password Attacks
|
|
An advanced form of Web site-based attack where a DNS server is compromised and the attacker is able to redirect traffic of a popular Web site to another alternative Web site, where user login information is collected, is called _______________ .
|
Pharming
|
|
A packet sniffer attached to any network card on the LAN can run in a _____________ mode, silently watching all packets and logging the data.
|
promiscuous
|
|
A(n) _______________ attack relies on malformed messages directed at a target system with the intention of flooding the victim with as many packets as possible in a short duration of time.
|
DOS - Denial of service
|
|
An ___________________ attack uses multiple compromised host systems to participate in attacking a single target or target site, all sending IP address spoofed packets to the same destination system.
|
distributed DoS (DDoS)
|
|
Computer users should ensure that folders are made network-sharable only on a need basis and are _______________ whenever they are not required.
|
disabled
|
|
From a security perspective, it is important that not all user accounts are made a member of the _________________ group
|
administrator
|
|
An account __________________ policy option disables user accounts after a set number of failed login attempts.
|
lockout
|
|
What steps should be taken to secure the file system?
|
Stay Current with System Updates
Use Antivirus Software
Protect File Shares (shared folders)
Turn Off Unnecessary Services
Disable or Delete Unnecessary Accounts
Secure User Accounts
Rename or Disable the Administrator Account
Limit Membership of the Administrators Group
Set Account Lockout |
|
What steps should be taken to secure access from the Network?
|
Use a Personal Firewall
Install Anti-spyware Software
Disable Remote Access
Adjust Internet Application Settings
Check Security with Network Scanners |
|
When responsibility and authority structures are ill-defined or not defined at all, it results in a breakdown of the ______________ control systems.
|
formal
|
|
The most important element of interpreting structures of responsibility is the ability to understand the underlying patterns of __________________.
|
behavior
|
|
Usually security problems are a consequence of ____________ breakdowns and lack of understanding of the behaviors of various stakeholders.
|
communication
|
|
The security management structure looks from the top down. Substantive actions required of members of the organization in the course of using the computer systems in place should take a(n) ______________ approach.
|
bottom-up
|
|
The effectiveness of the security policy is a function of the level of support it has from an organization's ______________ ____________________.
|
executive leadership
|
|
A strategy of locks and keys becomes inadequate if people __________ the organization open those locks (i.e., subvert the controls).
|
inside
|
|
The security policies determine the processes and techniques required to provide the security but not the ____________________.
|
technology
|
|
Following the implementation there is a constant need to ______________ the security processes and techniques.
|
monitor
|
|
Staff and users also need to be ________________ on methods to identify new threats.
|
trained
|
|
An important aspect of the security model is the ______________ approach.
|
layered
|
|
Identification and development of _________________ ____ __________________ are a key aspect of formal information system security
|
structures of responsibility
|
|
Structures of responsibility define the _______________ ____ _____________________, which is so essential in ensuring management of access.
|
pattern of authority
|
|
_________________________ _______-____ at all levels is key to the success of the information system security program in any organization.
|
Organization buy-in
|
|
Security policies are an important ingredient of the ____________ security program.
|
overall
|
|
Proper security policy ___________________ and __________________ is essential for the success of overall security.
|
formulation
implementation |
|
In business management practices, the term __________ was in use long before ____________ but the two are often used interchangeably, despite having very different meanings.
|
Policy
Strategy |
|
In practice, implementing a(n) __________ can be delegated, while for implementing a(n) __________ executive judgment is required.
|
policy
strategy |
|
At a(n) ____________ level the security strategy determines key decisions regarding investment, diversification, and integration of computing resources in line with other business objectives.
|
corporate
|
|
At a(n) __________ level, the security strategy looks into the threats and weaknesses of the IT infrastructure.
|
business
|
|
The emphasis should be to develop a(n) __________ security vision that brings the issue of security to center stage and binds it to the organizational objectives, but this does not mean that organizations should not have any security policies sketching out __________ procedures.
|
broad
specific |
|
Relegating IS security decisions to the operational levels of the firm could result in lack of ______________ by top management.
|
ownership
|
|
One of the fundamental problems with respect to security is for a firm to choose the right kind of a(n) ____________ to function in.
|
environment
|
|
Allocation of ______________ among competing needs can become a critical problem in terms of strategizing about security.
|
resources
|
|
While many organizations have engaged in identifying security issues and created relevant security policies, there is a clear mismatch between what the __________ mandates and what is done in practice.
|
policy
|
|
To a large extent, high __________ processes are a consequence of adequate planning and policy implementation.
|
integrity
|
|
Careful __________ and establishing proper checks and balances are perhaps the cheapest of the operational-level security practices.
|
planning
|
|
Maintaining integrity of business processes is a function of adequate ______________ and ______________ structures.
|
responsibility
accountability |