Mgmt Info Sec Chap 5 Notes

1. What is an information security program?

  • An information security program describes the structure and organization of the effort that strives to contain the risks to the information assets of a company.

2. What functions constitute a complete information security program?

  • A complete information security program is unique to each company: it takes into account the business goals and the overall strategic plan, and balances those against the need to protect the organization's assets.

3. What organizational variables can influence the size and composition of an information security program’s staff?

  • Organizational culture – the value placed on security by managerial staff can define the resources committed to security staff.
  • Size – the size of the company influences the size of the security staff.
  • Security personnel budget – funds allocated to the program.
  • Security capital budget – items in the capital budget can determine staffing needs.

4. What is the typical size of a security staff in a small organization? A medium sized organization? A large organization? A very large organization?

  • Small – may be delegated to an IT staffer or manager
  • Medium – one full-time manager with assistance from IT staff
  • Large – approximately 17-22 employees is suggested by the text
  • Very large – 49-65 members is suggested by the reading

5. Where can an organization place the information security unit? Where should (and shouldn’t) it be placed?

  • The text suggests many organizational locations for the InfoSec unit and lists the pros and cons of each. Recommended locations are information technology, administrative services, insurance and risk management, the legal department, or operations.
  • Not recommended locations are security, internal auditing, the help desk, accounting and finance, human resources, and facilities management.
  • The key to any successful placement is the reporting chain of command and the resource allocation that comes with it.

6. Into what four areas should the information security functions be divided?

  • Functions performed outside of IT management and control, such as legal or training
  • Functions performed by IT outside of InfoSec, for example network security administration
  • Functions performed by the InfoSec department, such as risk assessment or vulnerability assessment
  • Functions performed by the InfoSec department as compliance enforcement, for example policy creation and compliance audits

7. What are the five roles that an information security professional can assume?

  •  Chief Security Officer
  •  Security Manager
  •  Security Administrators And Analysts
  •  Security Technicians
  •  Security Staff

8. What are the three areas of the SETA program?

  •  Awareness, Training and Education

9. What can influence the effectiveness of a training program?

  •  Things that may influence the effectiveness of an information security training program include management support, training that is targeted to its audience, retention of information, information overload, and the style of information delivery.

10. What are some of the various ways to implement an awareness program?

  • One way to implement security awareness is to use an array of items including training videos, posters, newsletters, brochures, trinkets and computer-based training. By varying the method of delivery, the message does not become commonplace and lose its effectiveness.

Mgmt InfoSec Notes ch 3

1. What is an information security framework?

A framework is an outline of security controls that is part of creating or implementing a security model. The blueprint is based on the framework and contains more detail on the controls in place and the controls that are needed.

3. What is a security model?

A security model is a generic blueprint that assists in creating a working security plan.

5. What is access control?

Access control enables an organization to define and regulate access to data, and is based on identification, authentication, authorization and accountability.

10. What is a data classification model? How is data classification different from clearance level?

Data classification attempts to categorize information based on the level of damage that would be done if the information is exposed. The more important the data, the higher the classification level.  Clearance level is a rating scheme that attempts to categorize a user’s role in an organization and access to information is granted to groups of users in each level.

11. Which international information security standards have evolved from the BS 7799 model? What do they include?

BS 7799 was published by the British Standards Institute. Its first part was released as ISO/IEC 17799 and later renamed ISO/IEC 27002; its second part became ISO/IEC 27001. These purchasable standards include recommendations for information security management for use by those who initiate, implement or maintain organizational security. The 2005 version includes the Plan-Do-Check-Act cycle, also known as the Deming quality assurance model.

13. What are the documents in the ISO/IEC 27000 series?

The list below is actually the set of control areas of ISO/IEC 27002 (the code of practice), not the separate numbered documents of the series:

  • Risk Assessment and Treatment
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

14. What is COBIT? Who is its sponsor? What does it accomplish?

COBIT stands for Control Objectives for Information and Related Technologies and is sponsored by ISACA. It provides advice for the implementation of sound controls and control objectives for information security. COBIT provides a framework to support information security requirements and assessment needs, and breaks this into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.

15. What are the two primary advantages of NIST security models?

  • NIST documents are publicly available at no charge
  • Have been around for some time and are broadly reviewed, therefore close to proven.

TCP/IP Security Notes

Patterns
IP attacks typically follow a set pattern. This pattern can be recognized and rules created to help thwart it; the pattern is referred to as an attack signature. Signatures may be used to create IDS rules.

Reconnaissance and Discovery
Would-be attackers usually engage in a well-understood sequence of activities, called reconnaissance and discovery.
During the reconnaissance phase the attacker may ping sweep or port probe the target. The purpose of this reconnaissance is to find out what is running and what may be vulnerable.
Ping sweep
Can identify active hosts on an IP network
Port probe
Can detect UDP- and TCP-based services running on a host
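As an added example (not from the original notes), the port probe described above in its simplest form: a TCP connect() probe, which completes the three-way handshake and so needs no raw sockets or root, at the cost of being noisy. The target is a throwaway listener that the code itself starts on a loopback port, so the run is self-contained; the loopback address, the listener and the "closed" port are all constructed for the demonstration. The point worth taking away is that a probe has three outcomes, not two: a RST means closed, a completed handshake means open, and silence means filtered (or the host is down), which is exactly the ambiguity a real scanner has to report rather than hide.

```python
import socket
import threading


def tcp_probe(host, ports, timeout=0.5):
    """TCP connect() probe of each port. Returns {port: "open" | "closed" | "filtered" | "error"}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"          # handshake completed: something is listening
        except ConnectionRefusedError:
            results[port] = "closed"            # RST came back: host is up, nothing on that port
        except (socket.timeout, TimeoutError):
            results[port] = "filtered"          # no answer at all: dropped by a filter, or host down
        except OSError:
            results[port] = "error"             # e.g. no route; treat separately from a silent drop
    return results


def start_listener():
    """Constructed target: an accept-and-close listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                     # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Pick a port that is (almost certainly) closed: bind, read it back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe one open and one closed loopback port; returns (open_port, closed_port, results)."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        return open_port, closed_port, tcp_probe("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

A ping sweep is not shown because ICMP echo needs a raw socket (and therefore privileges); on networks that filter ICMP, a TCP probe of a port that is usually open is the common substitute for "is this host up".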

The attack
The attacker then focuses on the attack itself. A more seasoned attacker may cover their tracks by modifying log files or terminating any active direct connections.
One method is a brute-force attack that simply overwhelms the victim with traffic.

Denial of Service Attacks
Designed to interrupt or completely disrupt the operations of a network device or communications
SYN flood attack
Uses the three-way TCP handshake process to overload a device on a network: the attacker sends SYNs but never completes the handshake, leaving the target holding half-open connections
Broadcast amplification attack
A malicious host crafts and sends ICMP Echo Requests to a broadcast address with the victim's address spoofed as the source, so every host on the segment replies to the victim
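The "Patterns" paragraph says attack signatures become IDS rules; this added example (not code from the original notes) turns the reconnaissance and denial-of-service patterns above into four such rules and runs them over a constructed packet capture. The packet summaries, the 192.0.2.0/24 "monitored" subnet and the thresholds are all assumptions for the demonstration (the addresses are documentation ranges, so nothing here refers to a real network). One design point is worth noticing: a SYN flood is counted per destination service rather than per source, because the flooding sources are spoofed and each appears only once, which is precisely why a per-source rule would miss it.

```python
from collections import defaultdict
import ipaddress

# Assumption: the subnet the sensor watches; its broadcast address is what a smurf attack aims at.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def build_sample_traffic():
    """Constructed packet summaries: (src, dst, proto, dport, flags).
    proto is "tcp" or "icmp-echo"; dport is 0 for ICMP; flags holds TCP flag letters."""
    pkts = []
    # Port probe: one source walks a dozen ports on one host.
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        pkts.append(("198.51.100.7", "192.0.2.10", "tcp", port, "S"))
    # Ping sweep: the same source echo-requests a run of addresses.
    for host in range(1, 13):
        pkts.append(("198.51.100.7", f"192.0.2.{host}", "icmp-echo", 0, ""))
    # SYN flood: many bare SYNs to one service from spoofed, never-completing sources.
    for i in range(60):
        pkts.append((f"203.0.113.{i + 1}", "192.0.2.20", "tcp", 80, "S"))
    # Broadcast amplification (smurf): an echo request aimed at the subnet broadcast address.
    pkts.append(("203.0.113.99", "192.0.2.255", "icmp-echo", 0, ""))
    # Benign: a normal handshake to the web server, which must not trip any rule.
    pkts += [("192.0.2.30", "192.0.2.10", "tcp", 443, "S"),
             ("192.0.2.10", "192.0.2.30", "tcp", 51000, "SA"),
             ("192.0.2.30", "192.0.2.10", "tcp", 443, "A")]
    return pkts


def detect(packets, probe_ports=10, sweep_hosts=8, syn_threshold=50):
    """Apply four signature-style rules and return a list of alert tuples."""
    ports_per_pair = defaultdict(set)     # (src, dst) -> distinct TCP ports touched
    echo_targets = defaultdict(set)       # src -> distinct hosts sent an echo request
    syn_per_service = defaultdict(int)    # (dst, dport) -> bare SYNs (SYN set, ACK clear)
    seen_broadcast = set()
    alerts = []
    for src, dst, proto, dport, flags in packets:
        if proto == "icmp-echo":
            echo_targets[src].add(dst)
            is_bcast = (ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address
                        or dst == "255.255.255.255")
            if is_bcast and (src, dst) not in seen_broadcast:   # alert once per (src, dst)
                seen_broadcast.add((src, dst))
                alerts.append(("broadcast_amplification", src, dst))
        elif proto == "tcp":
            ports_per_pair[(src, dst)].add(dport)
            if "S" in flags and "A" not in flags:
                syn_per_service[(dst, dport)] += 1
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= probe_ports:
            alerts.append(("port_probe", src, dst, len(ports)))
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (dst, dport), n in syn_per_service.items():
        if n >= syn_threshold:
            alerts.append(("syn_flood", dst, dport, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_traffic()):
        print(alert)
```

A production rule set would bound every counter by a time window and age entries out; fixed counts over a whole capture, as here, are enough to show what each signature keys on but would drift on a long-running sensor.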

Distributed Denial of Service Attack (DDoS)
DoS attacks launched from numerous devices at once, such as a botnet under the attacker's command and control.
DDoS attacks consist of four main elements
Attacker
Handler
Agent
Victim

Session Hijacking
The purpose of session hijacking is to impersonate an authenticated user in order to gain access to a system
Once a session is hijacked, the attacker can send packets to the server as the victim.

RFC 2401: the goals of IPsec are to provide the following kinds of security

  • Access control
  •  Connectionless integrity
  •  Data origin authentication
  •  Protection against replays
  •  Confidentiality
  •  Limited traffic flow confidentiality
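Four of the six services listed above can be shown concretely, so here is an added example (not from the original notes and not an IPsec implementation): an ESP-style packet with a sequence number, a truncated HMAC integrity check value and the RFC 2401 Appendix C sliding anti-replay window, giving connectionless integrity, data origin authentication, replay protection and confidentiality. The keys, the SPI, the window width and the packet layout are assumptions for the demonstration, and the "cipher" is a toy counter-mode keystream built from HMAC-SHA256 standing in for AES-CTR, since the standard library has no AES. Access control (the security policy database) and traffic flow confidentiality (padding and tunnelling) are not shown. The order on the receive side is the part that matters: check the window, verify the ICV, and only then update the window, so that a forged packet cannot burn a sequence number the legitimate sender has yet to use.

```python
import hmac
import hashlib
import struct

# Constructed keys for this example (assumption: real IPsec keys are negotiated by IKE).
AUTH_KEY = b"example-auth-key-not-for-real-use"
ENC_KEY = b"example-enc-key-not-for-real-use"
SPI = 0x1000ABCD          # assumed Security Parameter Index for the one SA in play
ICV_LEN = 16              # truncated HMAC-SHA256 tag, in the spirit of HMAC-SHA-256-128
WINDOW = 64               # anti-replay window width (RFC 2401 requires at least 32)


def keystream(spi, seq, length):
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR). Every (spi, seq)
    pair yields a fresh keystream, so confidentiality rests on never reusing a sequence number."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, struct.pack(">IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(spi, seq, plaintext):
    """Sender: packet = spi | seq | ciphertext | ICV, where the ICV covers everything before it."""
    header = struct.pack(">II", spi, seq)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(spi, seq, len(plaintext))))
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class ReplayWindow:
    """Sliding window from RFC 2401 Appendix C: `top` is the highest sequence number accepted
    so far and bit i of `bitmap` records whether top - i has already been received."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Would this sequence number be acceptable? Does not modify the window."""
        if seq == 0:                           # sequence numbers start at 1
            return False
        if seq > self.top:                     # right of the window: always new
            return True
        diff = self.top - seq
        if diff >= self.size:                  # left of the window: too old to track
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: new unless already marked

    def mark(self, seq):
        """Record seq as received. Call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:             # jumped past the whole window: start fresh
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    def __init__(self):
        self.window = ReplayWindow()

    def unprotect(self, packet):
        """Receiver: window check, ICV check, window update, decrypt.
        Returns (plaintext, "ok") or (None, reason)."""
        if len(packet) < 8 + ICV_LEN:
            return None, "truncated"
        spi, seq = struct.unpack(">II", packet[:8])
        if spi != SPI:
            return None, "unknown SPI"
        if not self.window.check(seq):
            return None, "replay or outside window"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"             # forged or corrupted; window untouched, seq still usable
        self.window.mark(seq)
        ciphertext = body[8:]
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(spi, seq, len(ciphertext))))
        return plaintext, "ok"
```

Reordered packets inside the window are accepted (the window is a bitmap, not a single counter), a second copy of any packet is rejected, and a packet that falls more than WINDOW behind the newest one is dropped even though it was never seen, which is the deliberate trade-off that keeps the receiver's state constant-size.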

RFC 2196 (Site Security Handbook) indicates that the following documents are components of a good security policy

  • An access policy document
  •  An accountability policy document
  •  A privacy policy document
  •  A violations reporting policy document
  •  An authentication policy document
  •  An information technology system and network maintenance policy document