One of the most crucial ongoing responsibilities in security management is Quizlet
Terms in this set (130)

Cryptography: making and using codes to keep messages private and secure for their intended recipient.
Algorithm: a defined sequence of steps (the lecture's shorthand: any time you have an IF/THEN statement).
Bit stream cipher: an encryption method that converts plaintext to ciphertext one bit at a time.
Block cipher: divides the plaintext into blocks (fixed-size sets of bits) and converts it to ciphertext one block at a time.
Ciphertext: the unintelligible encrypted message that results from encryption.
Encrypt: convert information or data into a cipher or code, especially to prevent unauthorized access.
Steganography: hiding a message inside another medium, for example an image.
Plaintext/cleartext: the original, unencrypted message.
Encryption = creation of ciphertext.
Hash function: a mathematical algorithm used to confirm 1) that a message is the one expected and 2) that its content has not changed. NOT used to create ciphertext!!!!!! A hash is one-way: there is no key and nothing to "decrypt". The hash value is compared after transmission to ensure the message is unmodified, like a checksum. SHA-1 and SHA-2 are common (caveat: SHA-1 is no longer collision-resistant and should not be used in new designs; use SHA-256 or another SHA-2/SHA-3 function). **look at triangle diagram on ch 8 slides
Encryption algorithms: often grouped into two broad categories, symmetric and asymmetric. **in-class video of encryption
Symmetric encryption: requires the SAME "secret key" to encipher and decipher the message; also known as PRIVATE-KEY ENCRYPTION.
Pro of symmetric encryption: fast.
Con of symmetric encryption: the shared key has to be sent "out of band", over a separate channel, before the two parties can communicate.
Popular symmetric encryption: AES. Think PSK (pre-shared key) mode in WPA2.
Asymmetric encryption: also known as public-key encryption; uses a key pair, a public key that can be published and a private key that is kept secret.
Popular asymmetric: RSA (the company, RSA Security, was bought by EMC Corp).
Pro of asymmetric: 2 keys are better than 1; no secret has to be shared in advance, because the public key can travel in the clear.
Con of asymmetric: more keys to manage; also not as fast (in practice asymmetric crypto is used to exchange a symmetric key, and the bulk data is encrypted symmetrically).
For encryption keys... size matters! Key length sets the cost of brute-force guessing.
Security does not depend on the secrecy of the cryptosystem... but on the secrecy of the key (Kerckhoffs's principle).
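As an added worked example (not part of the original set), the hash, checksum and stream-cipher cards above in runnable Python using only the standard library. The HMAC-SHA256 keystream is an assumed toy construction to illustrate a bit-stream cipher, not AES or any standard cipher; the key, nonce and messages are constructed sample data.

```python
import hashlib
import hmac


def sha256_hex(message: bytes) -> str:
    """Hash function: fixed-length fingerprint of the message. One-way: there is
    no 'decrypt' for a digest, which is why a hash does not create ciphertext."""
    return hashlib.sha256(message).hexdigest()


def integrity_check(received: bytes, digest_sent: str) -> bool:
    """Checksum-style check: recompute the digest after transmission and compare."""
    return hmac.compare_digest(sha256_hex(received), digest_sent)


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256, a keyed hash. Unlike a plain digest, an attacker who alters
    the message cannot recompute a valid tag without the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_check(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream from HMAC-SHA256 over nonce||counter blocks.
    Assumption: a toy construction to show the stream-cipher idea, not a
    standard cipher (use AES-GCM or ChaCha20-Poly1305 from a real library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Bit-stream cipher: each plaintext bit is XORed with one keystream bit.
    Symmetric: the same key (and nonce) decrypts, because XOR undoes itself."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip a single bit, simulating corruption or tampering in transit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo() -> dict:
    # Constructed sample data. In practice the key is delivered out of band
    # and the nonce must never repeat under the same key.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    nonce = b"nonce-001"
    msg = b"Transfer 100 to account 42"
    tampered = flip_bit(msg, 0)

    # 1. A plain hash detects a changed message, but anyone can recompute it,
    #    so by itself it does not prove who sent the message.
    digest = sha256_hex(msg)
    # 2. A keyed MAC does prove possession of the key.
    tag = mac_tag(key, msg)
    # 3. Symmetric stream encryption: the same key round-trips, a wrong key does not.
    ct = stream_xor(key, nonce, msg)
    wrong_key = flip_bit(key, 3)
    # 4. Failure mode: two messages under the same key and nonce leak
    #    plaintext XOR plaintext to anyone watching the wire.
    msg2 = b"Transfer 900 to account 77"
    ct2 = stream_xor(key, nonce, msg2)

    return {
        "hash_detects_tamper": not integrity_check(tampered, digest),
        "hash_recomputable_by_attacker": integrity_check(tampered, sha256_hex(tampered)),
        "mac_rejects_tamper": not mac_check(key, tampered, tag),
        "mac_rejects_wrong_key": not mac_check(wrong_key, msg, tag),
        "ciphertext_differs": ct != msg,
        "same_key_decrypts": stream_xor(key, nonce, ct) == msg,
        "wrong_key_fails": stream_xor(wrong_key, nonce, ct) != msg,
        "nonce_reuse_leaks_xor": xor_bytes(ct, ct2) == xor_bytes(msg, msg2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running it prints each check as True. The second entry is the point the hash card glosses over: a digest alone is a checksum, and an attacker who can change the message can change the digest too; tying the check to a key (HMAC) is what gives you origin, not just integrity. The last entry is the classic stream-cipher failure, which is why the "out of band" key and a never-repeating nonce matter as much as the algorithm.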
Public-Key Infrastructure (PKI): an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely. PKI systems are based on public-key cryptosystems. Think technology, people, process when talking about PKI!
PKI protects information assets in several ways: 1. Authentication (pen pal example in class with his buddy: a wax seal with a personal symbol) ...
A typical PKI solution protects the transmission and reception of secure information by integrating: 1. A certificate authority (CA) ...
Why do we even need these solutions? Security is not built into TCP/IP.
Digital certificates: issued by a CA (certificate authority). A digital signature attached to the certificate's container file certifies the file's origin and integrity.
Secure Sockets Layer (SSL): protocol for web traffic; uses public-key encryption to secure a channel over the public Internet (caveat: every SSL version is now deprecated; its successor TLS is what "SSL" means in practice today).
Secure Hypertext Transfer Protocol (S-HTTP): extended version of the Hypertext Transfer Protocol; provides encryption of individual messages between client and server across the Internet. Only secures web traffic! (In Dr. Jack's opinion, the weakest one.)
How do you know a site is encrypted? You get a lock icon and https in the address bar; you can view the certificate by clicking on the lock.
Top CA providers: Go Daddy #1 (as given in the lecture).
Pretty Good Privacy (PGP): uses the IDEA cipher for message encoding (caveat: that was the original PGP; current OpenPGP implementations default to AES).
VPN: a step above SSL; encrypts all traffic between the two VPN endpoints, not only web traffic.
Secure Multipurpose Internet Mail Extensions (S/MIME): builds on the Multipurpose Internet Mail Extensions (MIME) encoding format and uses digital signatures based on public-key cryptosystems.
Wi-Fi Protected Access (WPA and WPA2): created to resolve issues with WEP. You should only ever use WPA2! (Caveat: WPA3 has since been released and is preferable where supported; WEP and original WPA/TKIP are broken.) **video on Ch8 part 2 slides
Internet Protocol Security (IPSec): •an open, standards-based protocol framework for security development within the TCP/IP family of protocol standards •VPN: encrypts all traffic! **video on example of configuration (WatchGuard)
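Added worked example, not from the original set: the digital-certificate card above (a CA signs the certificate's container file, and the signature certifies origin and integrity) together with the two-key idea of asymmetric encryption, in plain Python. The CA, subject and attacker keys are assumed textbook RSA keys built from well-known Mersenne primes so the example is deterministic and needs no library; the certificate layout, "Example CA" and the subject name are hypothetical.

```python
import hashlib
import json

# Assumed keys: Mersenne primes so the example is deterministic and needs no library.
# Textbook RSA, no padding, trivially factorable moduli: an illustration of the key
# roles, not something to deploy (real keys: random primes, >= 2048-bit n, PSS/OAEP).
E = 65537
CA_PRIMES = ((1 << 521) - 1, (1 << 607) - 1)       # n is ~1128 bits, larger than a SHA-256 digest
SUBJECT_PRIMES = ((1 << 127) - 1, (1 << 89) - 1)   # n is ~216 bits, enough for a short message
MALLORY_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)  # an attacker's unrelated key pair


def make_keypair(p: int, q: int, e: int = E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); requires gcd(e, phi) == 1
    return (n, e), (n, d)


def digest_int(data: bytes) -> int:
    """Hash first, then sign the digest, so the signature covers the whole file."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Only the holder of d can produce this value."""
    n, d = private_key
    h = digest_int(data)
    if h >= n:
        raise ValueError("modulus must be larger than the digest")
    return pow(h, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check; a changed file or a different key fails."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def encrypt(public_key, m: int) -> int:
    """Encrypt to someone's public key; only their private key recovers m."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def canonical(fields: dict) -> bytes:
    """Stable byte encoding so issuer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_private, issuer: str, subject: str, subject_public) -> dict:
    """The CA binds a subject name to a public key and signs the container."""
    body = {"issuer": issuer, "subject": subject,
            "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "signature": sign(ca_private, canonical(body))}


def check_certificate(ca_public, cert: dict) -> bool:
    """The relying party trusts only the CA public key (the trust anchor)."""
    return verify(ca_public, canonical(cert["body"]), cert["signature"])


def demo() -> dict:
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    alice_pub, alice_priv = make_keypair(*SUBJECT_PRIMES)
    mallory_pub, mallory_priv = make_keypair(*MALLORY_PRIMES)

    cert = issue_certificate(ca_priv, "Example CA", "alice.example", alice_pub)

    # Attacker swaps in their own public key but cannot re-sign as the CA.
    forged = {"body": dict(cert["body"], n=mallory_pub[0]), "signature": cert["signature"]}

    secret = int.from_bytes(b"session key", "big")  # constructed sample plaintext
    to_alice = encrypt(alice_pub, secret)

    return {
        "valid_cert_accepted": check_certificate(ca_pub, cert),
        "swapped_key_rejected": not check_certificate(ca_pub, forged),
        "public_encrypts_private_decrypts": decrypt(alice_priv, to_alice) == secret,
        "other_private_key_fails": decrypt(mallory_priv, to_alice) != secret,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things worth noticing: the relying party never needs the CA's private key, only its public key, and swapping the subject's public key inside the body breaks the signature even though the body still parses. Real certificates are X.509 and real RSA uses padding (PSS for signatures, OAEP for encryption); unpadded textbook RSA as shown here is malleable and not safe to deploy.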
**video on intro of cryptocurrency
**video on bitcoin cryptocurrency
**video TWiT TV cryptolocker
**video: expert hacker hacks a man's bank account; she only uses a crying baby (recording) and a phone

Physical security: the protection of physical items, objects, or areas from unauthorized access and misuse.
Physical security is as important as logical security.
General management: responsible for facility security (walls, lighting, locks, dogs, etc.).
IT management and professionals: responsible for environmental and access security (particularly for the server room).
Information security management and professionals: perform risk assessments and implementation reviews of both!!!
Physical security controls:
•Walls, fencing, and gates
•ID cards and badges: an ID card is typically concealed, but a name badge is visible.
•Locks and keys: four categories of locks: manual, programmable, electronic, biometric. **"never count on locks" video
•Mantraps: a small enclosure that has an entry point and a different exit point, so a person can be held between the two doors until cleared.
•Closed-circuit television (CCTV) systems: cameras and recording equipment. Drawback: passive; does not prevent access or prohibited activity.
•Alarms and alarm systems: rely on sensors that detect an event, for example motion detectors, thermal detectors, glass-breakage detectors, weight sensors, and contact sensors.
•Computer rooms and wiring closets: logical access controls are easily defeated if an attacker gains physical access to computing equipment.
Facility walls are typically either standard interior or firewall. High-security areas must have firewall-grade walls to provide physical security against potential intruders and fires. Why? Fire is the most serious threat to the safety of the people who work in an organization. **halon discharge video in class
GFCI (ground-fault circuit interrupter; the outlet with TEST/RESET buttons, not just any 3-prong outlet): capable of quickly identifying and interrupting a ground fault.
Overloading a circuit: can create a load exceeding the electrical cable's rating, increasing the risk of overheating and fire.
UPS: in case of a power outage, the uninterruptible power supply is the backup power source for major computing systems.
Maintenance of facility systems: documentation of the facility's configuration, operation, and function should be integrated into disaster recovery plans and standard operating procedures.
Address physical security in EVERY project plan!!
**watch YouTube video of the rest of chapter 9 lecture
HVAC stands for heating, ventilation, air conditioning.

The fundamental question: how do we implement good security??? Bake it into the SDLC.
The SecSDLC implementation phase is accomplished by changing the configuration and operation of the organization's information systems. Implementation of the SecSDLC includes changes to: procedures (through policy) ...
Project plan: the organization translates the blueprint for information security into a WBS (work breakdown structure). Special security considerations in creating the project plan include:
#1 Financial considerations: •Regardless of existing information security needs, the amount of effort that can be expended depends on available funds.
#2 Priority considerations: •In general, the most important information security controls should be scheduled first.
#3 Time and scheduling considerations: •Time impacts project plans at dozens of points, including: ...
#4 Staffing considerations: •The need for qualified, trained, and available personnel constrains the project plan.
#5 Procurement considerations: •Some organizations require use of particular service vendors/manufacturers/suppliers.
#6 Organizational feasibility considerations: •Transparent or disruptive?
#7 Training considerations: •Org size may preclude a large training program for new security procedures.
#8 Scope considerations: •Project scope: description of the project's features, capabilities, functions, and quality level, used as the basis of a project plan.
Project management requires a unique set of skills and a thorough understanding of a broad body of specialized knowledge.
Conversion strategies: 1. Direct changeover (highest risk! the old method is switched off and the new one switched on at once, with no fallback).
•As components of the new security system are planned, provisions must be made for the changeover from the previous method.
Technology governance: •guides how frequently technical systems are updated and how updates are approved/funded.
By managing the process of change, the organization can improve communication, enhance coordination, reduce unintended consequences, improve quality of service, ensure groups are complying with policies, and increase trust!
The stress of change can increase the probability of mistakes or create vulnerabilities in systems.
Change management: •can lower resistance to change and build resilience.
Baking a security framework into a project plan is a recipe for success! By including security considerations in every phase of a project, "PMs have the opportunity to deliver more secure systems in a more secure manner." (Pruitt, 2013)
If you are a PM and you don't know how to go about this, get your InfoSec department engaged EARLY!
Organizational changes that may occur DURING the SecSDLC process: a management model must be adopted to manage and operate the ongoing security program.
Frameworks: structure the tasks of managing a particular set of activities or business functions.
NIST SP 800-100, Information Security Handbook: •provides managerial guidance for establishing and implementing an information security program. There are 13 areas of information security management presented:
#1 InfoSec governance
#2 SDLC: •System Development Life Cycle: the overall process of developing, implementing, and retiring information systems through a multistep process.
#3 Awareness and Training: •SETA (security education, training, and awareness) never stops.
#4 Capital Planning and Investment Control: •Prioritize business cases for portfolio management.
#5 Interconnecting Systems
#6 Performance Measures: •Metrics should be used for monitoring the performance of information security controls.
#7 Security Planning: •One of the most crucial ongoing responsibilities in security management.
#8 Contingency Planning (CP): CP = BIA + DRP + BCP (the business impact analysis feeds the disaster recovery and business continuity plans).
#9 Risk Management: 1) risk identification, 2) analysis (likelihood and impact), and 3) mitigation plan.
#10 Certification, accreditation, and security assessments: Auditing: the review of a system's use to determine if misuse/malfeasance has occurred.
#11 Security Services and Products Acquisition: •Importance of cost/benefit analysis.
#12 Incident Response: •Importance of using a knowledge base. What's the #1 problem reported to any help desk anywhere? Forgot password.
#13 Configuration and Change Management: •Often the role in the organization you want to avoid.
I think of it this way: you manage 13 processes (high level, the "what").

Recommended maintenance model based on five subject areas:
#1 Monitoring the External Environment: •Objective is to provide early awareness of new and emerging threats (chapter 2), threat agents, vulnerabilities, and attacks so the organization can mount an effective defense. •Data sources ... •External monitoring collects raw intelligence, filters it for relevance, assigns a relative risk impact, and communicates it to decision makers in time to make a difference.
#2 Monitoring the Internal Environment: •Primary goal is informed awareness of the state of the organization's networks, systems, and security defenses.
#3 Planning and Risk Assessment: •Primary objectives ... •Information security program planning and review. •Large projects should be broken into smaller projects for many reasons...
#4 Vulnerability Assessment and Remediation: •Primary goal: identification of specific, documented vulnerabilities and their timely remediation.
#5 Readiness and Review: •Primary goal is to keep the information security program functioning as designed and continuously improving.

Digital forensics: •used to document what happened during an attack on assets and how the attack occurred.
Evidentiary material (EM): any item or information that applies to an organization's legal or policy-based case.
Digital forensics: the organization chooses one of two approaches:
Protect and forget (patch and proceed): defense of the data and of the systems that house, use, and transmit it.
Apprehend and prosecute (pursue and prosecute): identification and apprehension of the responsible individuals, with additional attention to the collection and preservation of potential EM that might support administrative or criminal prosecution.
Wireshark: #1 security tool (per the lecture).

What are the ongoing responsibilities security managers have in securing the SDLC? The ongoing responsibilities security managers have include: Monitor security controls to ensure that they continue to be effective in their application through periodic testing and evaluation.
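Added example (not from the original set) of the #1 external-monitoring cycle and the #4 vulnerability assessment and remediation goal above: a constructed advisory feed is filtered against a constructed asset inventory, items already at the fixed version are dropped as remediated, the rest are scored by severity times asset criticality, and the result is ordered the way decision makers should read it. Advisory IDs, products, versions and the severity scale are placeholders, not real advisories.

```python
from dataclasses import dataclass

# Relative severity scale for the feed (constructed for this example).
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder IDs, not real advisory numbers
    product: str
    fixed_in: str        # versions below this are affected
    severity: str


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    criticality: int     # 1 = lab box ... 5 = revenue-critical


def version_key(version: str) -> tuple:
    """Numeric dotted versions only ('9.6', '1.26.1'). Vendor suffixes such as
    '9.6p1' would need a product-specific parser; this is the usual triage bug."""
    return tuple(int(part) for part in version.split("."))


def triage(advisories, assets) -> list:
    """Filter the raw feed to what touches our inventory, drop what is already
    remediated, score what remains, and order it for decision makers."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if asset.product != adv.product:
                continue  # irrelevant to our environment: filtered out
            if version_key(asset.version) >= version_key(adv.fixed_in):
                continue  # at or above the fixed version: already remediated
            findings.append({
                "advisory_id": adv.advisory_id,
                "asset": asset.name,
                "score": SEVERITY[adv.severity] * asset.criticality,
                "action": f"upgrade {adv.product} {asset.version} -> {adv.fixed_in}",
            })
    # Highest relative impact first; ties broken deterministically.
    findings.sort(key=lambda f: (-f["score"], f["advisory_id"], f["asset"]))
    return findings


# Constructed sample feed and inventory.
CONSTRUCTED_ADVISORIES = [
    Advisory("ADV-A", "openssh", "9.8", "critical"),
    Advisory("ADV-B", "nginx", "1.26.1", "medium"),
    Advisory("ADV-C", "postgresql", "16.4", "high"),
]
CONSTRUCTED_ASSETS = [
    Asset("bastion", "openssh", "9.6", 5),
    Asset("web-1", "nginx", "1.26.1", 4),      # already patched
    Asset("db-1", "postgresql", "16.2", 5),
    Asset("lab-1", "openssh", "9.2", 1),
    Asset("mail-1", "exim", "4.97", 3),        # no advisory in the feed
]


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_ADVISORIES, CONSTRUCTED_ASSETS):
        print(f"{f['score']:>3}  {f['advisory_id']}  {f['asset']:<8} {f['action']}")
```

The same critical advisory lands at the top of the list for the bastion host and near the bottom for the lab box: the feed's severity is only one input, and the asset's criticality is what turns raw intelligence into a relative risk impact. The patched web server and the product with no advisory never reach the decision makers at all, which is the "filters for relevance" step.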
Perform self-administered audits, independent security audits, or other assessments periodically.
Which of these is the most important priority of the information security organization? The control policy is part of the information security strategy. Compliance with regulatory requirements, where relevant, is important, but ultimately the safety of people has the highest priority.
What are the three primary aspects of information security risk management? The CIA triad refers to an information security model made up of three main components: confidentiality, integrity, and availability. Each component represents a fundamental objective of information security.
Which of the following is responsible for the approval of an information security policy? Senior management is responsible for final approval of the information security policy and for final approval of risk tolerance and risk acceptance.