CS406 Study Guide

Unit 1: Introduction to Information Security

1a. Discuss how the need for information security has changed as information technology has evolved

  • How did the Department of Defense (DoD) influence the evolution of information security?
  • What prompted the three elements of information security?
  • Why is the focus of information security today mostly concerned with the protection of personal information?

The Department of Defense (DoD) developed the first computer network, the Advanced Research Projects Agency Network (ARPANET), by linking computers over telephone lines. ARPANET is regarded as the predecessor of the Internet. As the Internet grew into a global network, the systems connected to it began storing information that needed protection, prompting the development of information security methods.

Before networking, protecting a system mostly meant preventing physical access to the machine itself. The DoD developed the first network, and given the nature of defense work it was primarily concerned with the confidentiality of data. When commercial systems came online, the concern expanded to include integrity. When the 1988 Morris Worm disrupted a large fraction of the hosts on the Internet, effectively an early denial of service (DoS), availability became a visible concern as well.

The focus today is primarily on protecting personal information. As e-commerce has grown, more personal data is collected and stored online, raising concern for personal privacy and for the protection of data held by information systems. Attacks have also become more widespread, heightening the demand for information systems security.

To review, see Information Security History and Timeline of the History of Information Security.

 

1b. Explain how confidentiality, integrity, and availability (CIA triad) applies to information security

  • What are the three main categories of harm that can occur with information systems?
  • What are the three elements that are the basis of information security and what is the difference between the elements?
  • What are the limitations of security in respect to the CIA triad?

The three main categories of harm to information systems are the theft, disclosure, or loss of data; the alteration of data; and the denial of access to data or to the systems that hold it. The three corresponding elements of information security are confidentiality, integrity, and availability, known collectively as the CIA triad. Confidentiality protects data from unauthorized access or disclosure. Integrity protects data from unauthorized or accidental modification, covering deliberate tampering as well as inadvertent changes. Availability ensures that authorized users can reach the data and systems when they need them.

Security has limits: there must be a balance between information security and functionality. Locking a system down so tightly in the name of the CIA triad that it can no longer do its job is unacceptable. Strengthening one element of the triad can also weaken another. For instance, the most secure way to protect a system's confidentiality is to disconnect it from the Internet and lock it away so nobody can reach it, but then the system no longer provides availability.

To review, watch The CIA Triad.

 

1c. Compare threats, vulnerabilities, and risks

  • What is the difference between threats, vulnerabilities, and risks?
  • What are two ways to reduce risk?
  • What can be used to protect against threats and vulnerabilities?

A threat is a potential cause of harm, such as the possibility that a system will be exploited; a vulnerability is a weakness in a system that a threat could exploit; and a risk is the potential for loss when a threat actually exploits a vulnerability. A threat agent is the actor that carries out a threat, for example an attacker who breaks into a system through a vulnerability. Vulnerabilities can be procedural weaknesses, such as a weak password policy, or technical ones, such as a back door in software.

This course expresses risk as the sum of threats and vulnerabilities, sometimes with asset value added as a third term. Other models, such as NIST SP 800-30, multiply likelihood by impact instead, but the relationship is the same: more threat or more vulnerability means more risk. The asset value does not change, but controls can be used to decrease threats and vulnerabilities. To reduce risk, threats, vulnerabilities, or both must be decreased.

Controls are used to mitigate threats and vulnerabilities; that is, safeguards are put in place to protect the confidentiality, integrity, and availability of a system. As discussed in the previous section, a control must not protect one tenet of the CIA triad at the expense of another. Controls must be effective while still balancing security against system functionality.

To review, see Threats and Vulnerabilities and The Elements of Security: Vulnerability, Threat, Risk.

 

1d. List steps in the risk management process

  • Why is risk management important in information systems?
  • What are the four steps of the risk management process?
  • What are the basic activities that occur in each of the four steps?

As we have seen in the previous sections, it is not possible to eliminate all risk from a system. The level of threats and vulnerabilities changes over time and with changes in the system environment, so a continuous process is needed to manage and monitor risk.

The risk management process defined by NIST SP 800-39 consists of four steps: risk framing, risk assessment, risk response, and risk monitoring. Risk framing establishes the organization's approach to risk, such as its acceptable level of risk tolerance, its organizational policies, and the laws and regulations it must follow. The most important part of this step is getting senior leadership's commitment to implement the risk management strategy.

Risk assessment is where risks are identified and classified and the value of the assets is determined. In this step, risk is determined by identifying the threats and the vulnerabilities that can affect the organization, and the likelihood and impact of each potential risk are estimated using either a qualitative method (ratings such as low, medium, and high) or a quantitative one (estimated monetary loss).

Deciding how to address or mitigate a risk is called risk response. This is the step where the appropriate controls needed to mitigate risks are determined. A risk can be accepted, avoided, mitigated, shared, or transferred. If a risk is below the organization's acceptable risk tolerance level, it can be accepted. If the risk level is too high, it can be avoided by removing the software, product, or activity responsible for it. Mitigating a risk means applying controls that fix or close the vulnerability. Sharing risk means lessening its level by sharing it with another organization, for example by outsourcing. Transferring risk can be done by purchasing insurance.

Risk monitoring is the ongoing evaluation of the controls and of the changes needed to manage risk. In this step an organization determines the appropriate types of monitoring: compliance monitoring, to determine whether the risk responses and controls are being implemented correctly; effectiveness monitoring, to determine whether the selected controls are effective; and change monitoring, to track changes in the system hardware, software, or environment. The organization documents changes, identifies weaknesses in new technology, and continues to evaluate the effectiveness of its controls.
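The following is an added example, not part of the course material, that puts the assessment and response steps above (and the threat/vulnerability/asset relationship from section 1c) into a small qualitative risk register. The rating scales, the multiplicative scoring, the tolerance value and the three sample risks are all constructed for illustration; SP 800-39 prescribes the four steps and the response options, not these numbers.

```python
"""Added example (not from CS406): a minimal qualitative risk register.

Risk is scored from threat likelihood, vulnerability severity and asset
value; a control lowers the vulnerability (never the asset value); the
response is chosen by comparing the score to the organization's risk
tolerance, which is set in the framing step.  Scales and thresholds are
assumptions for this example.
"""
from dataclasses import dataclass, field

# Assumed qualitative scales, 1 = low ... 5 = high.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass
class Risk:
    name: str
    threat_likelihood: str        # how likely the threat is to act
    vulnerability_severity: str   # how exploitable / damaging the weakness is
    asset_value: int              # 1..5, a property of the asset, fixed
    # controls applied so far: (control name, severity levels removed)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Risk = likelihood x (severity remaining after controls) x asset value.

        Multiplicative form (as in NIST SP 800-30's likelihood x impact);
        the course writes the same relationship as a sum.
        """
        reduction = sum(levels for _, levels in self.controls)
        severity = max(1, SEVERITY[self.vulnerability_severity] - reduction)
        return LIKELIHOOD[self.threat_likelihood] * severity * self.asset_value


def choose_response(risk: Risk, tolerance: int) -> str:
    """Map a score to an SP 800-39 response.  Thresholds are assumed.

    Share and transfer are business decisions (outsourcing, insurance)
    that a score alone cannot select, so they are not automated here.
    """
    s = risk.score()
    if s <= tolerance:
        return "accept"
    if s > 2 * tolerance:
        return "avoid"          # far above tolerance: remove the product/activity
    return "mitigate"           # apply controls to close the vulnerability


def assess(register: list, tolerance: int) -> dict:
    """Assessment + response for every entry: {name: (score, response)}."""
    return {r.name: (r.score(), choose_response(r, tolerance)) for r in register}


def demo():
    tolerance = 40   # assumed organizational risk tolerance (framing step)
    # Constructed sample risks.
    vpn = Risk("weak password policy on remote-access VPN", "likely", "major", 5)
    legacy = Risk("unsupported web app with a vendor back door", "almost certain", "critical", 4)
    printer = Risk("out-of-date printer firmware", "rare", "minor", 2)
    register = [vpn, legacy, printer]

    before = assess(register, tolerance)
    # Risk response: a control reduces the vulnerability; the asset value
    # is unchanged, yet the VPN risk drops below tolerance.
    vpn.controls.append(("enforce MFA and a password length policy", 2))
    after = assess(register, tolerance)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before controls", "after controls"), demo()):
        print(label)
        for name, (score, response) in result.items():
            print(f"  {score:4d}  {response:9s}  {name}")
```

The point the register makes is the one in section 1c: the "avoid" decision for the legacy application and the change of the VPN risk from "mitigate" to "accept" both come from the threat and vulnerability factors; the asset values never move.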

To review, see Risk Management, NIST SP 800-39, and More on Risk Management.

 

1e. Assess the stages of the incident response process

  • Why is there a need for incident response?
  • What are the four steps of the incident response process?
  • What are the main activities that occur in each of the four steps of the incident response process?

The need for incident response arises from the frequency of attacks on systems. When a breach occurs, an organization should have a plan that lays out the steps for responding quickly and systematically. Knowing how to respond, and being able to respond quickly, minimizes the effect of the attack on the system and helps secure system data. The information gained while responding should be used to protect against future events and to strengthen the methods used to secure the system.

The four steps of the incident response process defined in NIST SP 800-61 are: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. To prepare, all elements of the system should first be secured to protect against attack. An incident response team is established, along with the tools the team may need to respond to an incident, such as forensic software, laptops, and cell phones for communication.

In the detection and analysis phase, detection occurs first and the event is then analyzed. Detection may come from automated capabilities such as intrusion detection systems (IDSs), security information and event management (SIEM) systems, antivirus or file-integrity checking software, monitoring services, and system logs, or manually from users or technicians. Incident analysis determines whether an attack is actually occurring or the indicator was a false positive; an indicator may also be genuine but caused by something other than an attack, such as a system failure. The team should record all facts of the incident, prioritize incidents, and notify those who need to respond.

In the containment, eradication, and recovery phase the team chooses a containment strategy and stops the attack from spreading. Evidence is gathered and documented, and the attacking host may be identified if time permits. Once contained, the attacker's artifacts are eradicated, for example by removing malware and disabling compromised accounts, and the systems are then recovered by restoring them to normal operating condition.

Post-incident activity consists of reviewing the incident so that it is less likely to recur. A lessons-learned meeting is held to determine what could have been done better by the incident response team. The documents collected may also feed the risk assessment process reviewed in the previous section.
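As an added example (not from the course or from NIST SP 800-61), the detection and analysis step above can be made concrete with a small script that runs simple detection logic over authentication log lines and then triages what fires. The log lines, the host names, the addresses (RFC 5737 documentation ranges and a private address), the threshold, the time window and the "known scanner" list are all constructed assumptions for the example.

```python
"""Added example (not from CS406): detection and analysis over sshd log lines.

Detection: a source address with THRESHOLD or more failed logins inside a
sliding WINDOW raises an indicator.  Analysis: each indicator is triaged
as a likely compromise (failures followed by a successful login), a
brute-force attempt, or benign (a known, authorized scanner), which is
the "indicator fired but no attack" case the study guide mentions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Jan 10 03:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:03 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 03:14:05 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 10 03:14:08 bastion sshd[2207]: Failed password for alice from 203.0.113.7 port 51240 ssh2
Jan 10 03:14:11 bastion sshd[2209]: Failed password for alice from 203.0.113.7 port 51242 ssh2
Jan 10 03:14:20 bastion sshd[2211]: Accepted password for alice from 203.0.113.7 port 51244 ssh2
Jan 10 03:30:00 bastion sshd[2301]: Failed password for invalid user test from 192.0.2.50 port 40001 ssh2
Jan 10 03:30:01 bastion sshd[2302]: Failed password for invalid user test from 192.0.2.50 port 40002 ssh2
Jan 10 03:30:02 bastion sshd[2303]: Failed password for invalid user test from 192.0.2.50 port 40003 ssh2
Jan 10 03:30:03 bastion sshd[2304]: Failed password for invalid user test from 192.0.2.50 port 40004 ssh2
Jan 10 03:30:04 bastion sshd[2305]: Failed password for invalid user test from 192.0.2.50 port 40005 ssh2
Jan 10 04:00:00 bastion sshd[2401]: Failed password for bob from 10.0.0.9 port 50001 ssh2
Jan 10 04:00:30 bastion sshd[2402]: Failed password for bob from 10.0.0.9 port 50002 ssh2
Jan 10 04:01:00 bastion sshd[2403]: Accepted publickey for bob from 10.0.0.9 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

KNOWN_SCANNERS = {"192.0.2.50"}   # assumed: the organization's own vulnerability scanner
THRESHOLD = 5                     # assumed detection threshold
WINDOW = timedelta(minutes=5)     # assumed sliding window


def parse(log: str) -> list:
    """Turn raw lines into (timestamp, result, user, source) tuples; skip noise."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events: list, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Detection: {source: time the indicator fired} for bursts of failures."""
    recent = defaultdict(list)
    indicators = {}
    for ts, result, _user, src in events:          # events are in time order
        if result != "Failed":
            continue
        times = recent[src]
        times.append(ts)
        while times and ts - times[0] > window:     # drop failures outside the window
            times.pop(0)
        if len(times) >= threshold and src not in indicators:
            indicators[src] = ts
    return indicators


def analyze(events: list, indicators: dict) -> dict:
    """Analysis: triage each indicator into (verdict, priority)."""
    verdicts = {}
    for src, fired_at in indicators.items():
        if src in KNOWN_SCANNERS:
            verdicts[src] = ("benign", "low")       # real indicator, no attack
            continue
        success_after = any(r == "Accepted" and s == src and ts >= fired_at
                            for ts, r, _u, s in events)
        if success_after:
            verdicts[src] = ("likely compromise", "high")
        else:
            verdicts[src] = ("brute force attempt", "medium")
    return verdicts


def triage(log: str) -> dict:
    events = parse(log)
    return analyze(events, detect(events))


if __name__ == "__main__":
    for src, (verdict, priority) in triage(SAMPLE_LOG).items():
        print(f"{src:15s} {priority:7s} {verdict}")
```

Two things the walkthrough shows that the prose only states: the analysis step, not the detector, decides priority (the same burst of failures is "high" or "low" depending on what follows it and on who the source is), and a source that never crosses the threshold, like the two failed attempts from 10.0.0.9 above, produces no indicator at all.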

To review, read NIST SP 800-61 and watch Incident Response.

 

1f. Categorize security controls by type (administrative, physical, or technical) and function (preventive, detective, deterrent, or compensating)

  • What are some examples of the three types of security controls?
  • What type of controls can be preventive, detective, deterrent, and compensating?
  • What is an example of a physical control that is a deterrent?

The three types of security controls are administrative, physical, and technical controls. Administrative controls are the written policies and procedures of an organization; examples are hiring and disciplinary policies and security awareness training. Physical controls protect system resources and include locked doors, access controls on a server room, and environmental controls. Technical (or logical) controls are implemented in hardware or software and protect system resources; examples are encryption, authentication, and access controls.

The most commonly cited functions of controls are preventive, detective, deterrent, and compensating. A preventive control stops an attack from occurring; a lock on a server room door, which prevents unauthorized access to the resources inside, is one example. A detective control identifies an event, or the risk that an event could occur, while it is in progress or after the fact; intrusion detection system (IDS) software is an example. A deterrent discourages an event from occurring: the threat of disciplinary action keeps most people from stealing, so it is a deterrent to theft. A compensating control makes up for the absence or failure of a primary control. The course illustrates this with insurance: if insured data is lost, the insurer pays to have the data restored or for legal proceedings, compensating for the loss rather than preventing it.

Control types and functions combine and work together. For instance, an administrative control with a deterrent function is the consequence imposed when an employee violates a policy. A technical control with a preventive function is a firewall. A physical control with a deterrent function could be a high fence or lights at night.

To review, see Security Control Types, Security Control, and Security Control Functions.

 

1g. Propose a defense-in-depth security strategy

  • What is the purpose of the multiple layers of security controls in the defense-in-depth principle?
  • What typically occurs with the number and placement of security devices with the defense-in-depth strategy?
  • What is a typical defense-in-depth security strategy?

The principle of defense-in-depth provides multiple layers of security, so that if one layer fails there is another layer beneath it to protect the system. Defense-in-depth is often compared to the layers of an onion: when you peel back one layer there is another layer underneath. Each layer provides additional protection against a breach.

The layers of defense are placed at different levels and in different places in the network. If all the layers sit at the same point, that point can still fail as a unit. Defense-in-depth therefore usually involves redundancy in equipment and controls, such as more than one firewall protecting the system.

A typical defense-in-depth strategy could be routers that secure the perimeter, stateful packet-filtering firewalls as the next layer, and intrusion detection and intrusion prevention systems (IDS/IPS) as the last layer.
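The three layers just listed, as an added example that is not part of the course material: a stateless router ACL, a stateful firewall and a signature IDS are modelled as three small functions and run in order over the same packets. The web server address, the ports, the signatures and the packets are assumed for illustration; the point is to watch which layer stops each packet, including the case where the first layer is misconfigured and the second still catches the probe.

```python
"""Added example (not from CS406): three defense-in-depth layers in miniature.

Layer 1, a stateless perimeter ACL, sees only the destination port.
Layer 2, a stateful firewall, admits new inbound connections only to the
web server and otherwise requires a flow an inside host opened first.
Layer 3, a signature IDS, inspects the payload of whatever got through.
Addresses (RFC 5737 and private ranges), ports and signatures are assumed.
"""
from dataclasses import dataclass

WEB_SERVER = "10.0.0.80"                    # assumed public-facing web server
DEFAULT_ACL_PORTS = frozenset({443, 22})    # assumed perimeter ACL


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = True
    ack: bool = False
    payload: bytes = b""


def router_acl(pkt: Packet, allowed_ports=DEFAULT_ACL_PORTS) -> bool:
    """Layer 1: stateless ACL on the perimeter router."""
    return pkt.dport in allowed_ports


class StatefulFirewall:
    """Layer 2: connection tracking."""

    def __init__(self):
        self.established = set()            # (inside_ip, outside_ip) pairs

    def note_outbound(self, inside_ip: str, outside_ip: str) -> None:
        """An inside host opened a flow; replies from that peer are expected."""
        self.established.add((inside_ip, outside_ip))

    def allow(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.src) in self.established:
            return True                     # part of an inside-initiated flow
        new_connection = pkt.syn and not pkt.ack
        return new_connection and pkt.dst == WEB_SERVER and pkt.dport == 443


SIGNATURES = (b"' OR 1=1", b"../../", b"/etc/passwd")   # assumed IDS rules


def ids_inspect(pkt: Packet) -> list:
    """Layer 3: signature match over the payload; returns the rules that hit."""
    return [s.decode() for s in SIGNATURES if s in pkt.payload]


def inspect(pkt: Packet, fw: StatefulFirewall, acl_ports=DEFAULT_ACL_PORTS) -> tuple:
    """Run the layers in order and report (decision, layer that decided)."""
    if not router_acl(pkt, acl_ports):
        return ("dropped", "router ACL")
    if not fw.allow(pkt):
        return ("dropped", "stateful firewall")
    hits = ids_inspect(pkt)
    if hits:
        return ("alert", "IDS: " + ", ".join(hits))
    return ("allowed", "all layers")


def run_scenarios() -> dict:
    fw = StatefulFirewall()
    outside, inside = "198.51.100.9", "10.0.0.5"
    results = {}

    rdp_scan = Packet(outside, inside, 3389)
    ssh_probe = Packet(outside, inside, 22)
    results["rdp scan"] = inspect(rdp_scan, fw)
    results["ssh probe"] = inspect(ssh_probe, fw)
    # Layer 1 misconfigured to permit every port: layer 2 still drops the probe.
    results["ssh probe, ACL open"] = inspect(ssh_probe, fw, acl_ports=frozenset(range(65536)))
    # The inside host opens a flow to that peer; the same packet is now a reply.
    fw.note_outbound(inside, outside)
    results["reply to inside-initiated flow"] = inspect(ssh_probe, fw)

    sqli = Packet("203.0.113.7", WEB_SERVER, 443,
                  payload=b"GET /login?user=admin' OR 1=1-- HTTP/1.1")
    clean = Packet("203.0.113.8", WEB_SERVER, 443, payload=b"GET / HTTP/1.1")
    results["sql injection"] = inspect(sqli, fw)   # passes layers 1 and 2, IDS alerts
    results["clean request"] = inspect(clean, fw)
    return results


if __name__ == "__main__":
    for name, (decision, layer) in run_scenarios().items():
        print(f"{name:32s} {decision:8s} {layer}")
```

Note that the injection attempt is legitimate traffic as far as the router and the firewall can tell (a new connection to the web server on 443), which is exactly why a third, payload-aware layer sits behind them.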


To review, see Introduction to Defense-in-Depth, Defense-in-Depth Example, and Defense-in-Depth.

 

1h. Explain why humans are the weakest link in security and how human behavior can be modified through security awareness and training programs

  • What is the main reason that humans are the weakest link in security?
  • What is the easiest way for a hacker to obtain login information?
  • What is the best way to modify human behavior to prevent an attack?

Humans are the weakest link in security because of human behavior, above all the tendency to make errors. Examples of human error include malware infections caused by users disabling antivirus software, leaks of a company's sensitive information through data on devices that are lost or stolen, the use of unapproved devices and software by employees, and the lack of technical knowledge needed to secure a system properly.

If an attacker plans to attack a system, the simplest way in is to obtain login information from a user through social engineering. Social engineering succeeds because humans are inclined to trust other humans. Attackers using social engineering techniques may obtain credentials from authorized users that give them unauthorized access to a system.

Security awareness and training programs are the best way to modify human behavior and to prevent an attack. An organization usually has written policies and standards intended to prevent a security breach, but employees must be made aware of them for the policies to be effective. Training should be tailored to position types, such as managerial, administrative, or technical.

To review, see The Human Factor, Humans are the Weakest Link, Security Awareness, Training, and Education, and Security Threats and the Human Factor.

 

1i. Describe the purpose of prominent security frameworks

  • What are five of the main security regulations and frameworks in information security?
  • Of the five security regulations, which one is the standard used across the information technology (IT) industry?
  • Which regulation would be of primary concern in an industry that processes payment cards?
  • Which regulation is of most concern for state and local governments?

Five of the main security regulations and frameworks in information security are ISO/IEC 27001, the Federal Information Processing Standards (FIPS), Control Objectives for Information and Related Technologies (COBIT) 5, the Payment Card Industry Data Security Standard (PCI DSS), and the Center for Internet Security (CIS) Top 20 Controls (now simply the CIS Controls; version 8 reduced the list to 18).

ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS) and covers people, processes, and technology. Annex A of the 2013 edition lists 114 controls in 35 control categories (the 2022 revision consolidates these into 93 controls). A control is a way to counter or safeguard against a security risk.

The payment card industry strictly follows the Payment Card Industry Data Security Standard (PCI DSS), which applies to all organizations that store, process, or transmit credit or debit card data. The industry abides by it closely because of the fines and penalties that the card brands and acquiring banks can impose for non-compliance or after a breach. Organizations that follow PCI DSS often also adopt the CIS Controls, whose 20 controls map to PCI DSS requirements. Twenty controls were chosen because they are estimated to protect against approximately 91% of attacks.

State and local governments pay particular attention to the Federal Information Processing Standards (FIPS). FIPS are issued by NIST and are mandatory for U.S. federal agencies under the Federal Information Security Management Act of 2002 (FISMA); state and local agencies must follow them when they handle federal information, and FIPS compliance is one part of complying with FISMA. FISMA requires organizations to reduce information technology risk to an acceptable level at a cost that is considered reasonable.

To review, see Security Frameworks, Center for Internet Security (CIS) Controls, and Payment Card Industry Data Security Standard (PCI DSS).

 

Unit 1 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • administrative
  • analysis
  • asset
  • availability
  • awareness
  • behavior
  • confidentiality
  • containment
  • controls
  • detection
  • detective
  • deterrent
  • eradication
  • exploit
  • hacker
  • incident
  • integrity
  • intrusion
  • mitigate
  • physical
  • policy
  • recovery
  • regulation
  • risk
  • technical
  • tenet
  • threat
  • vulnerability