One of the most crucial ongoing responsibilities in security management is Quizlet

Terms in this set (130)

involves making and using codes to keep messages private and secure for their intended recipient

Cryptography

any time you have an IF THEN statement

Algorithm

an encryption method that involves converting plaintext to ciphertext one bit at a time

Bit stream cipher

dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time

Block cipher

unintelligible encrypted message resulting from encryption

Ciphertext

convert (information or data) into a cipher or code, especially to prevent unauthorized access.

Encrypt

hiding in an image

Steganography

the original unencrypted message

Plaintext/cleartext

...

Encryption = creation of ciphertext

Hash function

mathematical algorithm used to confirm 1) message identity and 2) that no content has changed

NOT used to create ciphertext!!!!!!

Hash value compared after transmission to ensure message is unmodified

Like a checksum

SHA-1 and SHA-2 are common

**look at triangle diagram on ch 8 slides

Encryption Algorithms

Often grouped into two broad categories, symmetric and asymmetric

in class video of encryption

Symmetric
- 1 private key
- can't share the key "in-band" (if you email me the key, you already compromised the key... you need to share it out of band, like via a phone call, or write it down and hand it to the person)

asymmetric
-generate 2 keys (1 private, 1 public)

Symmetric Encryption

Requires SAME "secret key" to encipher and decipher message; also known as PRIVATE-KEY ENCRYPTION

pro of symmetric encryption

Fast encryption

con of symmetric encryption

Have to send "out of band"

Popular symmetric encryption

AES

Think PSK mode in WPA2

...

Asymmetric Encryption

Also known as public-key encryption
Uses two different but related keys
-Greatest value when one key serves as private key and the other serves as public key

popular asymmetric

RSA (bought by EMC Corp)

Pro asymmetric

2 keys are better than 1

con asymmetric

Have to manage more keys; also not as fast

For encryption keys...

size matters!

Security does not depend on the secrecy of the cryptosystem...

but the secrecy of the key.

Public-Key Infrastructure (PKI)

Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely

PKI systems based on public-key cryptosystems

PKI protects information assets in several ways:

1. Authentication
2. Integrity
3. Privacy
4. Authorization
5. Nonrepudiation (you can't deny it was you)

Pen Pal example in class with his buddy

1. Authentication (wax seal with personal symbol)
2. Integrity (wax seal not broken)
3. Privacy (encoded)
4. Authorization (burn)
5. Nonrepudiation (signature)

Typical PKI solution protects the transmission and reception of secure information by integrating:

tec

1. A certificate authority (CA)
2. A registration authority (RA)
3. Certificate directories
4. Management protocols
5. Policies and procedures

think like technology, people, process when talking about PKI!

...

Why do we even need these solutions?

Not built into TCP/IP
Not built into OS

Digital Certificates

Issued by CA (certificate authority)

Digital signature attached to certificate's container file...

certifies file's origin and integrity

Secure Sockets Layer (SSL) protocol

web traffic...uses public key encryption to secure channel over public Internet

Secure Hypertext Transfer Protocol (S-HTTP)

extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet

Only secures web traffic! (in Dr. Jack's opinion, the weakest one)

how do you know encrypted site?

you get a lock icon and https... you can view the certificate by clicking on the lock

Top CA providers

Go Daddy #1

Pretty Good Privacy (PGP):

uses IDEA Cipher for message encoding

VPN

higher than SSL, end to end encryption

Secure Multipurpose Internet Mail Extensions (S/MIME):

builds on Multipurpose Internet Mail Extensions (MIME) encoding format and uses digital signatures based on public-key cryptosystems

Wi-Fi Protected Access (WPA and WPA2)

created to resolve issues with WEP

You should only ever use WPA2!

**video on Ch8 part 2 slides WPA

...

•an open-source protocol framework for security development within the TCP/IP family of protocol standards

•VPN Encrypts all traffic!

Internet Protocol Security (IPSec):

**Video on example of configuration (watch guard)

...

**video on intro of cryptocurrency

...

**video on bitcoin cryptocurrency

...

**video TWITTV cryptolocker

...

video: expert hacker hacks a man's bank account

she only uses a crying baby and a phone

Physical security

the protection of physical items, objects, or areas from unauthorized access and misuse

logical security

Physical security is as important as

General management

responsible for facility security (walls, lighting, locks, dogs, etc.)

IT management and professionals

responsible for environmental and access security (particularly for server room)

Information security management and professionals

perform risk assessments and implementation reviews of both!!!

Physical Security Controls

•Walls, fencing, and gates
•Guards
•Dogs
•ID cards and badges
•Locks and keys
•Mantraps
•Electronic monitoring
•Alarms and alarm systems
•Computer rooms and wiring closets
•Interior walls and doors

ID Cards and Badges

-ID card is typically concealed but name badge is visible.
-Pro: Serve as a simple form of biometrics (facial recognition)
-Con: Should not be the only means of control -- easily duplicated, stolen, and modified
-Tailgating

Locks and keys

-Four categories of locks: manual, programmable, electronic, biometric
-Last two give better accountability!
-Locks fail in one of two ways:
Fail-safe lock
Fail-secure lock

**never count on locks video

...

Mantraps

-Small enclosure that has an entry point and a different exit point
-Individual enters mantrap, requests access, and, if verified, is allowed to exit mantrap into facility.
-Individual denied entry is not allowed to exit until the security official overrides automatic locks of the enclosure.

closed-circuit television (CCTV) systems

recording equipment/cameras

Drawbacks

•Passive; does not prevent access or prohibited activity
•Recordings often are not monitored in real time; must be reviewed to have any value

Alarms and alarm systems

-Rely on sensors that detect an event, for example, motion detectors, thermal detectors, glass breakage detectors, weight sensors, and contact sensors

Computer rooms and wiring closets

Logical access controls are easily defeated if attacker gains physical access to computing equipment.

Facility walls

are typically either standard interior or firewall.

...

High-security areas must have firewall-grade walls to provide physical security against potential intruders and fires. Why?

fire

Most serious threat to safety of people who work in an organization is

...

**halon discharge video in class

GFCI (just a 3-prong outlet on the wall)

-capable of quickly identifying and interrupting a ground fault

Overloading a circuit

-can create a load exceeding electrical cable's rating, increasing the risk of overheating and fire.

UPS is the backup power source for major computing systems.

In case of power outage,

Maintenance of Facility Systems

Documentation of facility's configuration, operation, and function should be integrated into disaster recovery plans and standard operating procedures.

Address physical security in EVERY project plan!!

...

**watch YouTube video of the rest of chapter 9 lecture

...

heating ventilation air conditioning

HVAC stands for

bake into SDLC

The fundamental question - how do we implement good security???

SecSDLC

implementation phase is accomplished by changing the configuration and operation of an organization's information systems.

-Procedures (through policy)
-People (through training)
-Hardware (through firewalls)
-Software (through encryption)
-Data (through classification)

Implementation of SecSDLC includes changes to:

project plan

Organization translates blueprint for information security into a

WBS

Creation of a project plan can be done using

1. Financial
2. Priority
3. Time and schedule
4. Staff
5. Procurement
6. Organizational feasibility
7. Training and indoctrination
8. Scope

Special security considerations include

•Regardless of existing information security needs, the amount of effort that can be expended depends on available funds.
•Cost-benefit analysis must be reviewed and verified prior to the development of a project plan

#1 Financial considerations

•In general, the most important information security controls should be scheduled first.
•Implementation of controls is guided by prioritization of threats and value of threatened information assets.

#2 Priority considerations

•Time impacts project plans at dozens of points, including:
-Time to order, receive, install, and configure security controls
-Time to realize control's return on investment
-Time to train the users

#3 Time and scheduling considerations

•Need for qualified, trained, and available personnel constrains project plan
•Experienced staff is often needed to implement technologies and develop and implement policies and training programs.

#4 Staffing considerations

•Some organizations require use of particular service vendors/manufacturers/suppliers.
•These constraints may limit which technologies can be acquired!
•Remember that security requirements need to be built into all contracts
•Risks of outsourcing

#5 Procurement considerations

•Transparent or disruptive?
•Additional authentication?
•Successful project requires that organization be able to assimilate proposed changes.
•New technologies sometimes require new policies, employee training, and education.

#6 Organizational feasibility considerations

•Org size may preclude a large training program for new security procedures.
•If so, the organization should conduct phased-in or pilot implementation.

#7 Training considerations

•Project scope: description of project's features, capabilities, functions, and quality level, used as the basis of a project plan
•Organizations should implement large information security projects in stages.
•But beware...

#8 Scope considerations

a unique set of skills and thorough understanding of a broad body of specialized knowledge.

Project management requires a

1.Direct changeover (highest risk!)
2.Phased implementation
3.Pilot implementation (just doing specific modules)
4.Parallel operations (lowest risk!)

•As components of new security system are planned, provisions must be made for changeover from the previous method
•Four basic approaches of conversion strategies:

Technology governance

•guides how frequently technical systems are updated and how updates are approved/funded.

-Improve communication, enhance coordination, reduce unintended consequences, improve quality of service, and ensure groups are complying with policies and increase trust!

By managing the process of change, the organization can

•the probability of mistakes or create vulnerabilities in systems.

The stress of change can increase...

change management

•can lower resistance to change and build resilience.

Baking in a security framework into a project plan

is a recipe for success!

•"PMs have the opportunity to deliver more secure systems in a more secure manner." (Pruitt, 2013)

By including security considerations in every phase of a project,

•get your InfoSec department engaged EARLY!

If you are a PM and you don't know how to go about this,

Organization Changes
-Leaves
-Fired
-New Manager
-new policies
-tech changes
- customer demands
-top exec changes
-acquisition/merger

Organizational changes that may occur DURING the SecSDLC process:

management model must be adopted

A _______________ to manage and operate ongoing security program

frameworks

frameworks that structure the tasks of managing particular set of activities or business functions.

•Provides managerial guidance for establishing and implementing an information security program

NIST SP 800-100 Information Security Handbook

13
-Provides for specific monitoring activities for each task
-Tasks should be done on an ongoing basis

There are ____ areas of information security management presented.

•This includes:
1.Plans of Action and Milestones
2.Measurement and Metrics
3.Continuous Assessment
4.Configuration Management
5.Network Monitoring
6.Incident and Event Statistics
•Each one requires ongoing maintenance.
•Each one requires ongoing monitoring.
•Governance is never done.

#1 InfoSec governance

•System Development Life Cycle: the overall process of developing, implementing, and retiring information systems through a multistep process
•SecSDLC adds additional tasks to each phase
•This is what I call "baking it in"!

#2 SDLC

•SETA never stops.
•Have to measure your results here, too.
•Active not passive.

#3 Awareness and Training

•Prioritize business cases for portfolio management
•Investments require ongoing maintenance...never finished! (unless assets are retired...)

#4 Capital Planning and Investment Control

•Interconnecting systems
-Can expose the participating organizations to risk
-If one of the connected systems is compromised, interconnection could be used as conduit.
-Need Interconnection Security Agreement (ISA)

#5 Interconnecting Systems

•Metrics should be used for monitoring the performance of information security controls.

#6 Performance Measures

•One of the most crucial ongoing responsibilities in security management

#7 Security Planning

CP = BIA + DRP + BCP

#8 CP

-1) risk identification, 2) analysis (likelihood and impact), and 3) mitigation plan

#9 Risk Management

Auditing: the review of a system's use to determine if misuse/malfeasance has occurred

#10 Certification, accreditation, and security assessments

•Importance of cost/benefit analysis
•Build or buy
•RFPs
•Compliance with architecture
•"Hardening" new equipment

#11 Sec Services and Products Acquisition

•Importance of using knowledgebase

#12 Incident Response

Forgot Password

What's the #1 problem reported to any help desk anywhere?

•Often the role in the organization you want to avoid. :)
•How hard would it be to maintain a record of the configuration of every device in your organization (with version #, date of install, etc.)
•How hard would it be to manage all the change requests, prioritize them, schedule them, document them...and then get blamed when things blow up?
•Gatekeeper role that is ongoing and thankless

#13 Configuration and Change Management

•You manage 13 processes (high level or "what")
•You maintain 5 systems (low level or "how")

•Remember this is the "NIST" way!

I think of it this way:

1.External monitoring
2.Internal monitoring
3.Planning and risk assessment
4.Vulnerability assessment and remediation
5.Readiness and review

•Recommended maintenance model based on five subject areas:

•Objective to provide early awareness of new and emerging threats (chapter 2), threat agents, vulnerabilities, and attacks so organization can mount an effective defense
•Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers

#1 Monitoring the External Environment

•Data sources
-Acquiring threat and vulnerability data is not difficult.
-Turning data into information decision makers can use is the challenge.
-External intelligence comes from...where?
•What's an example of a membership site??

#1 Monitoring the External Environment cont.

•External monitoring collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference.

#1 Monitoring the External Environment (cont'd)

•Primary goal is informed awareness of state of organization's networks, systems, and security defenses.
•Internal monitoring accomplished by:
1.Inventorying network devices and channels, IT infrastructure and applications, and information security infrastructure elements
2.Leading the IT governance process
3.Real-time monitoring of IT activity (includes IDPS - Chapter 7)
4.Monitoring the internal state of the organization's networks and systems

#2 Monitoring the Internal Environment

•Primary objectives
-Establishing a formal information security program review process
-Instituting formal project identification, selection, planning, and management processes
-Coordinating with IT project teams to introduce risk assessment and review for all IT projects
-Integrating a mindset of risk assessment throughout organization

#3 Planning and Risk Assessment

•Information security program planning and review
-A recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles and manage security projects as part of that process.

#3 Planning and Risk Assessment (cont'd)

•Large projects should be broken into smaller projects for many reasons...

#3 Planning and Risk Assessment (cont'd)

•Primary goal: identification of specific, documented vulnerabilities and their timely remediation
•Includes: Remediating vulnerabilities (accept, transfer risk, remove, or repair)

#4 Vulnerability Assessment and Remediation

•Primary goal is to keep information security program functioning as designed and continuously improving.
•Accomplished by:
-Policy review
-Program review
-Rehearsals / war games

#5 Readiness and Review

•Used to document what happened during attack on assets and how attack occurred
•Involves preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root-cause analysis

Digital Forensics

Evidentiary material (EM)

any item or information that applies to an organization's legal or policy-based case

Protect and forget (patch and proceed)
Apprehend and prosecute (pursue and prosecute)

Digital Forensics Organization chooses one of two approaches:

Protect and forget (patch and proceed)

defense of data and systems that house, use, and transmit it

Apprehend and prosecute (pursue and prosecute)

identification and apprehension of responsible individuals, with additional attention to collection and preservation of potential EM that might support administrative or criminal prosecution

Wireshark

#1 security tool


What are the ongoing responsibilities security managers have in securing the SDLC?

The ongoing responsibilities security managers have include: Monitor security controls to ensure that they continue to be effective in their application through periodic testing and evaluation. Perform self-administered audits, independent security audits, or other assessments periodically.

Which of these is the most important priority of the information security organization?

The control policy is part of the information security strategy. Compliance with regulatory requirements, where relevant, is important, but ultimately, the safety of people has the highest priority.

What are the three primary aspects of information security risk management?

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

Which of the following is responsible for the approval of an information security policy?

Senior Management is responsible for: Final approval of Information Security Policy. Final approval of risk tolerance and risk acceptance.