Mgmt Info Sec Notes Week1

1. List and describe an organization’s three communities of interest that engage in efforts to solve InfoSec problems. Give two or three examples of who might be in each community.

The three defined communities are decision makers in Information security, Information technology and non-technical staff. Examples of Information security professionals could include a risk manager or the CISO. The information technology group could include the CIO or a systems administrator. Some examples of Non-technical members could be the CEO or the Director of Human Resources.

2. What is the definition of Information Security? What essential protections must be in place to protect information systems from danger?

From the lecture material: “The protection of information and its critical elements (confidentiality, integrity and availability), including the systems and hardware that use, store, and transmit that information.” Essential protections that must be in place include physical security, operations security, communications security and network security.

3. What is the C.I.A. triangle? Define each of its component parts.

  • Confidentiality – only those who are granted access can get in
  • Integrity – data is true and uncorrupted
  • Availability – if granted access, data is available without obstruction

4. Describe the CNSS security model. What are its three dimensions?

  • The McCumber Cube is a comprehensive information security model that covers the three dimensions of information security – the CIA triangle, data states (storage, processing and transmission) and controls (policy, education and technology).

5. What is the definition of privacy as it relates to information security? How is this definition of privacy different from the everyday definition? Why is this difference significant?

The text describes privacy as “Information that is collected, used and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected” and a dictionary describes it as “the state of being free from intrusion or disturbance in one’s private life or affairs”. The expectation of privacy does not extend into the Information Security model; it does not guarantee freedom from observation, only that any data gathered will be used in an expected and declared manner.

6. Define the InfoSec processes of identification, authentication, authorization and accountability.

  • Identification – An individual user or process is named and unique
  • Authentication – A control verifies that the user is who they say they are, usually by possessing something they have (example: a certificate) or something they know (example: a password)
  • Authorization – Explicit permission to access a resource has been granted to an identifiable and authenticated user.
  • Accountability – A user's or process's actions can be logged or otherwise tied back to the originating account.

7. What is management and what is a manager? What roles do managers play as they execute their responsibilities?

From the lecture notes: Management is “The process of achieving objectives using a given set of resources.” A manager is “Someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals.” Managers use different roles to accomplish objectives. In an informational role, managers collect, process and use information. In an interpersonal role, managers work with people to achieve goals. In a decisional role, managers make choices as to the best path to take and address issues that arise while using problem solving skills.

8. How are leadership and management similar? How are they different?

Good leadership and management are intertwined. Management focuses on the planning and strategic decisions, and leadership provides the motivation to implement the planning and organizing functions.

9. What are the characteristics of management based on the popular approach to management? Define each characteristic.

The popular approach to management includes:

  • Planning – Goals, objectives, strategizing and plans
  • Organizing – Structure, human resource allocation
  • Leading – Motivation, leading, communication, group dynamics
  • Controlling – Standards, measurement, comparisons, action

10. What are the three types of general planning? Define each.

  • Strategic Planning – Long term goals, 5 or more years
  • Tactical Planning – Production planning, one to five years, smaller scope than enterprise planning
  • Operational Planning – Day to day operations, short term goals.

Mgmt Info Sec Chap 5 Notes

1. What is an information security program?

  • An information security program describes the structure and organization of the effort that strives to contain the risks to the information assets of a company.

2. What functions constitute a complete information security program?

  • A complete information security program is unique to the company, and takes into account business goals and the overall strategic plan, but still balances the need for protecting the assets of the organization.

3. What organizational variables can influence the size and composition of an information security program’s staff?

  • Organizational culture- the value placed on security by managerial staff can define the resources committed to security staff.
  •  Size- the size of the company influences the size of the security staff.
  •  Security personnel budget – Funds allocated to the program
  •  Security capital budget – Items in the capital budget can determine staffing needs.

4. What is the typical size of a security staff in a small organization? A medium sized organization? A large organization? A very large organization?

  •  Small – May be delegated to an IT staffer or manager
  •  Medium –  1 full time manager and assistance from IT staff
  • Large – approximately 17-22 employees is suggested by the text
  • Very Large –  49-65 members is suggested by the reading.

5. Where can an organization place the information security unit? Where should (and shouldn’t) it be placed?

  • The text suggests many organizational locations for the InfoSec unit, and lists the pros and cons for each. Recommended locations are information technology, administrative services, insurance and risk management, the legal department, or operations.
  • Non-recommended locations are security, internal auditing, help desk, accounting and finance, human resources, and facilities management.
  •  The key to any successful placement will be the reporting chain of command and resource allocation.

6. Into what four areas should the information security functions be divided?

  •  Functions performed outside of IT management and control, such as legal or training
  •  Functions performed by IT outside of InfoSec – example: network security administration.
  • Functions performed by the InfoSec department, such as risk assessment or vulnerability assessment
  • Functions performed by the InfoSec department as compliance enforcement – examples include policy creation and compliance audits

7. What are the five roles that an information security professional can assume?

  •  Chief Security Officer
  •  Security Manager
  •  Security Administrators And Analysts
  •  Security Technicians
  •  Security Staff

8. What are the three areas of the SETA program?

  •  Awareness, Training and Education

9. What can influence the effectiveness of a training program?

  •  Things that may influence the effectiveness of an information security training program include management support, training that is targeted to its audience, retention of information, information overload, and the style of information delivery.

10. What are some of the various ways to implement an awareness program?

  • One way to implement security awareness is to use an array of items including training videos, posters, newsletters, brochures, trinkets and computer based training. By varying the method of delivery, the message does not become commonplace and lose its effectiveness.

TCP/IP Security Notes

Patterns
IP attacks typically follow a set pattern. This pattern can be recognized, and rules created to help thwart it – this pattern is referred to as an attack signature. Signatures may be used to create IDS rules.

Reconnaissance and Discovery
Would-be attackers usually engage in a well-understood sequence of activities, called reconnaissance and discovery.
During the reconnaissance phase, the attacker may ping sweep or port probe the target. The purpose of this reconnaissance is to find out what is running and what may be vulnerable.
  • PING sweep – Can identify active hosts on an IP network
  • Port probe – Detects UDP- and TCP-based services running on a host
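
A signature check for the two reconnaissance activities above, added here as an example and not part of the original notes: it flags a source that pings many distinct hosts (ping sweep) or touches many distinct ports on one host (port probe) inside a time window. The record layout, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): (time_s, src, dst, proto, dst_port).
# All addresses come from the reserved documentation ranges.
SAMPLE = (
    [(i * 0.1, "203.0.113.9", f"192.0.2.{i}", "icmp", None) for i in range(1, 31)]      # sweep
    + [(10 + p * 0.05, "203.0.113.77", "192.0.2.10", "tcp", p) for p in range(20, 60)]  # probe
    + [(12 + p * 0.02, "203.0.113.77", "192.0.2.10", "udp", p) for p in (53, 123, 161)]
    + [(float(t), "198.51.100.5", "192.0.2.10", "tcp", 443) for t in range(0, 60, 5)]   # client
    + [(float(t), "198.51.100.6", "192.0.2.1", "icmp", None) for t in range(0, 60, 10)] # monitor
)

def max_distinct(events, window):
    """Largest number of distinct values seen inside any sliding time window."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({value for _, value in events[start:end + 1]}))
    return best

def detect_recon(records, window=30.0, host_threshold=20, port_threshold=15):
    """Return sorted (signature, src, target, distinct_count) alerts."""
    sweep = defaultdict(list)  # src -> [(time, dst)] for ICMP echo requests
    probe = defaultdict(list)  # (src, dst) -> [(time, (proto, port))]
    for t, src, dst, proto, port in records:
        if proto == "icmp":
            sweep[src].append((t, dst))
        elif proto in ("tcp", "udp"):
            probe[(src, dst)].append((t, (proto, port)))
    alerts = []
    for src, events in sweep.items():
        n = max_distinct(events, window)
        if n >= host_threshold:  # one source, many hosts: ping sweep signature
            alerts.append(("ping_sweep", src, "*", n))
    for (src, dst), events in probe.items():
        n = max_distinct(events, window)
        if n >= port_threshold:  # one source, one host, many ports: port probe
            alerts.append(("port_probe", src, dst, n))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE):
        print(alert)
```

A sweep paced slower than the window stays under the threshold, which is why production IDS rules pair short windows like this with longer-term counters.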

The attack
The attacker focuses on the attack itself. A more seasoned attacker may cover their tracks by attempting to modify log files, or terminating any active direct connections.
One method of attack is a brute force attack that overwhelms a victim.

Denial of Service Attacks
Designed to interrupt or completely disrupt operations of a network device or communications
  • SYN Flood attack – Uses the three-way TCP handshake process to overload a device on a network
  • Broadcast amplification attack – Malicious host crafts and sends ICMP Echo Requests to a broadcast address

Distributed Denial of Service Attack (DDOS)
DoS attacks are launched from numerous devices, such as a command and control botnet.
DDoS attacks consist of four main elements:
  • Attacker
  • Handler
  • Agent
  • Victim

Session Hijacking
The purpose of session hijacking is to impersonate an authenticated user in order to gain access to a system
Once a session is hijacked, the attacker can send packets to the server as the victim.

RFC 2401: The goals of IPSec are to provide the following kinds of security

  • Access control
  •  Connectionless integrity
  •  Data origin authentication
  •  Protection against replays
  •  Confidentiality
  •  Limited traffic flow confidentiality

RFC 2196: Indicated that the following documents are components of a good security policy

  • An access policy document
  •  An accountability policy document
  •  A privacy policy document
  •  A violations reporting policy document
  •  An authentication policy document
  •  An information technology system and network maintenance policy document

CDIA+ CompTIA Document Imaging Exam Notes

CompTIA CDIA+ Exam: 225-030
85 questions
Conventional, linear format.
90 minutes allotted time.
Passing Score: 700 out of 900 possible.
 
 Strategy

Goals define activities
Activities define documents and data
Documents and data define technology requirements

A process metric is an indicator of the process, ex: how many, how fast. Metrics are taken before, during and after an implementation.


Comp-Tia’s Security+ Certification Exam Notes

Comp-Tia’s Security+ Exam
Exam Number SY0-101
Number of Questions 100
Time Allotted 90 Minutes
Passing Score 764/900
Exam Objectives: Available at the CompTia Site

Access Control Models

MAC Mandatory Access Control – An administrator creates a predefined set of permissions and assigns them to users and objects (labels)
DAC Discretionary Access Control – The resource owner establishes who or what has rights to an object (ACL)
RBAC Role Based Access Control – Rights are assigned per user role; roles are usually based on organizational structure.

Authentication and Identification

CompTia Server+ Exam Notes

Exam Facts
CompTia Server+
Exam Number SK0-002
Number of Questions: 80
Linear Exam
Minimum Passing Score: 615/900
Time Allotted: 90 Minutes

Exam Objectives: Available at the CompTia Site here (registration required)

Rack notes

A full rack is 42 U
One U is 1.75 inches
Therefore a full rack has 73.5 inches of usable space.

Never move a full rack. Always remove all equipment first.
Install the heaviest parts towards the bottom (ex: UPS units).
Racks typically have wheels, and most have stabilizer feet.

CompTIA A+ Exam Notes

  • The four basic components of any computer are input, output, storage and processing
  • ASCII = American Symbolic Code for Information Interchange. 128 char. Extended 255 char.
  • Six fundamental microcomputer components: processor, bus, memory, disk, video, input/output
  • Old school bus types: ISA, EISA, VESA, MCA
  • Another name for a system board is the planar board
  • The nucleus of the PC is the CPU
  • A measurement of speed is megahertz
  • Clock speeds are measured in megahertz
  • The larger the cache, the faster the processor
  • The 80286 is equated with the AT and ISA busses
  • The MCA bus was predominantly used by IBM
  • EISA took the most popular features from other busses and expanded on them.
  • The VESA bus is also known as the VLbus
  • PCMCIA cards were designed for notebook use
  • Memory is a storage area for fast access.

Sas70 Choosing An Audit Firm

About The SAS70

SAS70 is short for Statement on Auditing Standards Number 70. It defines the standards used by an auditor to assess the internal controls of an organization that provides services. In many cases, the controls that are audited are related to transaction processing, and the transactions are specific to the type of service being provided.

A SAS70 type 1 report is concerned with the controls that are in place in an organization and the auditor’s opinion of the effectiveness of the controls. The type 1 SAS70 report may include background information about a business and its processes, along with a detailed list of controls (broken out into subsections) and information about how the processes are interrelated, along with information about how the controls meet the specified goals.

A SAS70 type 2 report is issued after a period of observation of the practices specified in the type 1 report. The type 2 SAS70 will also include an opinion issued by an auditor on whether the controls were in operation during the observation time period. Type 2 reports are usually issued on an annual basis.