Mgmt Info Sec Notes Week1

1. List and describe an organization’s three communities of interest that engage in efforts to solve InfoSec problems. Give two or three examples of who might be in each community.

The three communities are the decision makers from information security, from information technology, and the non-technical staff. Information security professionals could include a risk manager or the CISO. The information technology group could include the CIO or a systems administrator. Non-technical members could include the CEO or the Director of Human Resources.

2. What is the definition of Information Security? What essential protections must be in place to protect information systems from danger?

From the lecture material: “The protection of information and its critical elements (confidentiality, integrity and availability), including the systems and hardware that use, store, and transmit that information.” Essential protections that must be in place include physical security, operations security, communications security and network security.

3. What is the C.I.A. triangle? Define each of its component parts.

  •  Confidentiality – only those who are granted access can get in
  •  Integrity – data is true and uncorrupted
  •  Availability – if granted access, data is available without obstruction

4. Describe the CNSS security model. What are its three dimensions?

  •  The McCumber Cube is a comprehensive information security model that covers the three dimensions of information security – the CIA triangle, data states (storage, processing and transmission) and controls (policy, education and technology).

5. What is the definition of privacy as it relates to information security? How is this definition of privacy different from the everyday definition? Why is this difference significant?

The text describes privacy as “Information that is collected, used and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected” and a dictionary describes it as “the state of being free from intrusion or disturbance in one’s private life or affairs”. The expectation of privacy does not extend into the Information Security model; it does not guarantee freedom from observation, only that any data gathered will be used in an expected and declared manner.

6. Define the InfoSec processes of identification, authentication, authorization and accountability.

  •  Identification – An individual user or process is named and unique
  •  Authentication – A control verifies that the user is who they say they are, usually by something they have (example: a certificate) or something they know (example: a password)
  •  Authorization – Explicit permission has been granted to an identified and authenticated user to access a resource.
  •  Accountability – A user’s or process’s actions can be logged or otherwise tied back to the originating account.
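The four processes above in working code, as an added example that is not part of the original notes or lecture material. The user store, roles and audit log are constructed in memory for illustration; the only assumption beyond the text is that password verification is done against a salted PBKDF2 hash rather than a stored password.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store (assumption: a real system would persist
# this).  Passwords are kept only as salted PBKDF2 hashes, never in clear text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(name: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {u["name"]: u for u in (
    _make_user("alice", "correct horse battery staple", "analyst"),
    _make_user("bob", "hunter2", "staff"),
)}

# Authorization data: explicit permissions per role (staff may only read).
ROLE_PERMISSIONS = {
    "analyst": {"read:report", "write:report"},
    "staff": {"read:report"},
}

# Accountability: every decision is recorded against the claimed identity.
AUDIT_LOG = []

def _audit(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "action": action, "outcome": outcome})

def identify(username: str):
    """Identification: resolve the claimed name to one unique account (or None)."""
    return USERS.get(username)

def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claimant knows the secret bound to that account."""
    user = identify(username)
    if user is None:
        # Hash anyway so an unknown name takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        _audit(username, "login", "unknown-user")
        return False
    ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
    _audit(username, "login", "success" if ok else "bad-password")
    return ok

def authorize(username: str, permission: str) -> bool:
    """Authorization: an authenticated identity may do only what its role grants."""
    user = identify(username)
    allowed = user is not None and permission in ROLE_PERMISSIONS.get(user["role"], set())
    _audit(username, permission, "allowed" if allowed else "denied")
    return allowed

def access_report(username: str, password: str, permission: str) -> str:
    """Run the four steps in order; returns 'ok', 'forbidden' or 'auth-failed'."""
    if not authenticate(username, password):
        return "auth-failed"
    return "ok" if authorize(username, permission) else "forbidden"

if __name__ == "__main__":
    print(access_report("bob", "hunter2", "write:report"))   # forbidden
    for entry in AUDIT_LOG:
        print(entry)
```

Note the ordering: authorization is never consulted until authentication has succeeded, and every outcome (including unknown names and denied permissions) lands in the audit log, which is what makes the account holder accountable for the request.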

7. What is management and what is a manager? What roles do managers play as they execute their responsibilities?

From the lecture notes: Management is “The process of achieving objectives using a given set of resources.” A manager is “Someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals.” Managers use different roles to accomplish objectives. In an informational role, managers collect, process and use information. In an interpersonal role, managers work with people to achieve goals. In a decisional role, managers make choices as to the best path to take and address issues that arise, using problem-solving skills.

8. How are leadership and management similar? How are they different?

Good leadership and management are intertwined. Management focuses on the planning and strategic decisions, and leadership provides the motivation to implement the planning and organizing functions.

9. What are the characteristics of management based on the popular approach to management? Define each characteristic.

The popular approach to management includes:

  •  Planning- Goals, objectives, strategizing and plans
  •  Organizing- Structure, Human resource allocation
  •  Leading- Motivation, leading, communication, group dynamics
  •  Controlling- Standards, measurement, comparisons, action

10. What are the three types of general planning? Define each.

  •  Strategic Planning – Long-term goals, 5 or more years
  •  Tactical Planning – Production planning, one to five years, smaller scope than enterprise planning
  •  Operational Planning – Day-to-day operations, short-term goals.

Mgmt Info Sec Chap 5 Notes

1. What is an information security program?

  • An information security program describes the structure and organization of the effort that strives to contain the risks to the information assets of a company.

2. What functions constitute a complete information security program?

  • A complete information security program is unique to the company, and takes into account business goals and the overall strategic plan, but still balances the need for protecting the assets of the organization.

3. What organizational variables can influence the size and composition of an information security program’s staff?

  •  Organizational culture – the value placed on security by managerial staff can define the resources committed to security staff.
  •  Size – the size of the company influences the size of the security staff.
  •  Security personnel budget – funds allocated to the program.
  •  Security capital budget – items in the capital budget can determine staffing needs.

4. What is the typical size of a security staff in a small organization? A medium sized organization? A large organization? A very large organization?

  •  Small – may be delegated to an IT staffer or manager
  •  Medium – 1 full-time manager and assistance from IT staff
  •  Large – approximately 17-22 employees is suggested by the text
  •  Very Large – 49-65 members is suggested by the reading.

5. Where can an organization place the information security unit? Where should (and shouldn’t) it be placed?

  •  The text suggests many organizational locations for the InfoSec unit, and lists the pros and cons of each. Recommended locations are information technology, administrative services, insurance and risk management, the legal department, or operations.
  •  Non-recommended locations are security, internal auditing, help desk, accounting and finance, human resources, and facilities management.
  •  The key to any successful placement will be the reporting chain of command and resource allocation.

6. Into what four areas should the information security functions be divided?

  •  Functions performed outside of IT management and control, such as legal or training
  •  Functions performed by IT outside of InfoSec – example: network security administration.
  •  Functions performed by the InfoSec department, such as risk assessment or vulnerability assessment
  •  Functions performed by the InfoSec department as compliance enforcement – examples include policy creation and compliance audits

7. What are the five roles that an information security professional can assume?

  •  Chief Security Officer
  •  Security Manager
  •  Security Administrators And Analysts
  •  Security Technicians
  •  Security Staff

8. What are the three areas of the SETA program?

  •  Awareness, Training and Education

9. What can influence the effectiveness of a training program?

  •  Things that may influence the effectiveness of an information security training program include management support, training that is targeted to its audience, retention of information, information overload, and the style of information delivery.

10. What are some of the various ways to implement an awareness program?

  •  One way to implement security awareness is to use an array of items including training videos, posters, newsletters, brochures, trinkets and computer-based training. By varying the method of delivery, the message does not become commonplace and lose its effectiveness.

Mgmt InfoSec Notes ch 3

1. What is an information security framework?

A framework is an outline of security controls that is part of creating or implementing a security model. The blueprint is based on the framework and contains more detail on the controls in place and the controls that are needed.

3. What is a security model?

A security model is a generic blueprint that assists in creating a working security plan.

5. What is access control?

Access control enables an organization to define and regulate access to data, and is based on identification, authentication, authorization and accountability.

10. What is a data classification model? How is data classification different than clearance level?

Data classification attempts to categorize information based on the level of damage that would be done if the information is exposed. The more important the data, the higher the classification level. Clearance level is a rating scheme that attempts to categorize a user’s role in an organization; access to information is granted to groups of users at each level.

11. Which international information security standards have evolved from the BS 7799 model? What do they include?

BS 7799 was published by the British Standards Institute. From this document, the ISO/IEC 27002 was released, and then later renamed as ISO/IEC 27002. BS 7799’s second part became ISO/IEC 27001. These purchasable standards include recommendations for information security management for use by those who initiate, implement or maintain organizational security. The 2005 version includes the Plan-Do-Check-Act cycle, also known as the Deming quality assurance model.

13. What are the documents in the ISO/IEC 27000 series?

  • Risk Assessment and treatment
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resource Security
  • Physical and Environmental security
  • Communications and Operations
  • Access Control
  • Information Systems Acquisition, Development and Management
  • Information Systems Incident Management
  • Business Continuity Management
  • Compliance

14. What is COBIT? Who is its sponsor? What does it accomplish?

COBIT stands for Control Objectives for Information and Related Technologies. It provides advice for the implementation of sound controls and control objectives for information security. COBIT provides a framework to support information security requirements and assessment needs, and breaks this into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.

15. What are the two primary advantages of NIST security models?

  •  NIST documents are publicly available at no charge
  •  They have been around for some time and are broadly reviewed, and are therefore close to proven.

TCP/IP Security Notes

Patterns
IP attacks typically follow a set pattern. This pattern can be recognized, and rules created to help thwart it – this pattern is referred to as an attack signature. Signatures may be used to create IDS rules.

Reconnaissance and Discovery
Would-be attackers usually engage in a well-understood sequence of activities, called reconnaissance and discovery.
During the reconnaissance phase the attacker may ping sweep or port probe the target. The purpose of this reconnaissance is to find out what is running and what may be vulnerable.
PING sweep – can identify active hosts on an IP network
Port probe – detects UDP- and TCP-based services running on a host

The attack
The attacker focuses on the attack itself. A more seasoned attacker may cover their tracks by attempting to modify log files or terminating any active direct connections.
One method is a brute-force attack that overwhelms a victim.

Denial of Service Attacks
Designed to interrupt or completely disrupt operations of a network device or communications
SYN Flood attack
Uses the three-way TCP handshake process to overload a device on a network
Broadcast amplification attack
Malicious host crafts and sends ICMP Echo Requests to a broadcast address
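The notes above say that reconnaissance and denial-of-service traffic follow recognizable patterns that IDS rules can match. The following is an added example, not part of the original notes, of such signature logic written from the defender's side: it runs over a constructed set of flow records and flags a ping sweep (one source reaching many hosts with ICMP echo), a port probe (one source trying many ports on one host) and a SYN flood (far more SYNs than completed handshakes toward one service). The record format and the thresholds are assumptions for illustration, not values from any product.

```python
from collections import defaultdict

# Constructed sample flow records (assumption: real input would come from a
# firewall or NetFlow export).  Fields: src, dst, proto, dport, flags.
SAMPLE_FLOWS = (
    # one host pings 29 addresses in the subnet -> ping sweep
    [("10.0.0.5", f"192.168.1.{i}", "icmp", None, "echo") for i in range(1, 30)]
    # one host sends a SYN to 40 different ports on one target -> port probe
    + [("10.0.0.7", "192.168.1.10", "tcp", p, "S") for p in range(20, 60)]
    # 300 SYNs to a web server with only 5 handshakes completing -> SYN flood
    + [("10.0.0.9", "192.168.1.20", "tcp", 80, "S") for _ in range(300)]
    + [("10.0.0.9", "192.168.1.20", "tcp", 80, "A") for _ in range(5)]
    # a normal client: one SYN, one ACK
    + [("10.0.0.11", "192.168.1.20", "tcp", 443, "S"),
       ("10.0.0.11", "192.168.1.20", "tcp", 443, "A")]
)

# Thresholds are assumed values; tune them to the network being monitored.
SWEEP_HOSTS = 20   # distinct hosts pinged by one source
PROBE_PORTS = 25   # distinct ports tried by one source on one host
SYN_RATIO = 20     # SYNs per completing ACK toward one service

def analyze(flows):
    """Return a list of (signature, ...details) tuples matched in the flows."""
    icmp_targets = defaultdict(set)   # src -> hosts it echoed
    tcp_ports = defaultdict(set)      # (src, dst) -> ports tried
    syn = defaultdict(int)            # (dst, dport) -> SYN count
    ack = defaultdict(int)            # (dst, dport) -> handshake completions
    for src, dst, proto, dport, flags in flows:
        if proto == "icmp" and flags == "echo":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            tcp_ports[(src, dst)].add(dport)
            if flags == "S":
                syn[(dst, dport)] += 1
            elif flags == "A":
                ack[(dst, dport)] += 1

    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= SWEEP_HOSTS:
            findings.append(("ping-sweep", src, len(hosts)))
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= PROBE_PORTS:
            findings.append(("port-probe", src, dst, len(ports)))
    for (dst, dport), n in syn.items():
        # max(..., 1) keeps a service with zero completions from dividing by zero
        if n >= SYN_RATIO * max(ack[(dst, dport)], 1):
            findings.append(("syn-flood", dst, dport, n))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

The probe signature deliberately keys on (source, destination) so that a single scanning host does not also trip the SYN-flood rule: each probed port sees one SYN, well under the ratio, while a flood concentrates hundreds of SYNs on one port.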

Distributed Denial of Service Attack (DDOS)
DoS attacks are launched from numerous devices, such as a command-and-control botnet.
DDoS attacks consist of four main elements
Attacker
Handler
Agent
Victim

Session Hijacking
The purpose of session hijacking is to impersonate an authenticated user in order to gain access to a system
Once a session is hijacked, the attacker can send packets to the server as the victim.

RFC 2401: The goals of IPsec are to provide the following kinds of security

  • Access control
  •  Connectionless integrity
  •  Data origin authentication
  •  Protection against replays
  •  Confidentiality
  •  Limited traffic flow confidentiality

RFC 2196: Indicates that the following documents are components of a good security policy

  • An access policy document
  •  An accountability policy document
  •  A privacy policy document
  •  A violations reporting policy document
  •  An authentication policy document
  •  An information technology system and network maintenance policy document

Common Computer Attack Types

Common computer attack types defined

Access Attacks – the attacker’s goal is to gain unauthorized access to information or services.
Dumpster Diving – literally picking through the corporate dumpster for information. Also called information diving.
Eavesdropping – simply listening in, in an effort to gain knowledge.
Snooping – peeking around for information.
Interception – the attacker positions himself covertly, either physically or in a digital sense, in the middle of a transaction or conversation.
Modification Attacks – the attacker’s goal is to alter information for gain.
Repudiation Attacks – modifying with the purpose of discrediting or invalidating information.
Back Doors – by design or surreptitiously inserted, allows the attacker a ‘back door’ into a system or application for purposes of control.

Sonicwall NSA 2400 Review

Upgrading from a Sonicwall Pro 2040 Enhanced

I recently had the opportunity to use the new Sonicwall NSA 2400. The Sonicwall name has been around for a while, known for making low-to-mid level network firewalls with available security service options. In the past I had used a Sonicwall Pro 2040 with the enhanced firmware – providing IDS/IPS, gateway antivirus, gateway antispyware and content filtering in addition to the firewall function. This new Sonicwall NSA 2400 was going to replace the Pro in a production environment.

The unit arrived by FedEx, in good shape. Sonicwall seems to double-box their products, and then cushion the device in a layer of protective foam. The kit included the NSA 2400, a console cable, some Ethernet cables, a power cord and documentation. Rack mount ears are also included; interestingly enough, these are a different hole pattern than past Sonicwall devices I have encountered. The NSA 2400 was preloaded with SonicOS Enhanced 5.0.2.0 from the factory.

MASS CMR 201 17.00

New Regulations for Protection of Massachusetts Residents’ Personal Information

Code of Massachusetts 201 17.00 deals with the protection of personally identifying information. These guidelines were enacted as law, and deal with information security standards and notification of security breaches. The laws apply to businesses that “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts “. Massachusetts is not the first state to enact such laws, but rather has followed along with the new trend- creating regulations based around information security and the protection of state residents.

Personally Identifiable Information (referred to as PII) is loosely defined as a data entity including the first name or first initial and last name, combined with other non-public information such as financial account numbers, social security numbers, driver’s license numbers, or PIN numbers that, when combined, create a unique profile of a person. The combination of these factors would be useful in assuming an identity or committing fraud using another party’s name. The Commonwealth of Massachusetts declares that lawfully obtained publicly accessible information is excluded from being categorized as PII, as is information gathered in good faith. Oddly enough, Mass CMR 201 17.00 does not apply to state government, but a separate executive order (501) does.

Sniffer Cable Pinout

The sniffer cable is needed to connect a sniffer to an Ethernet hub without transmitting any data that may reveal the sniffer’s existence. This cable will return an inverted version of anything sent to the interface. The pinout for this cable is from the book Windows Forensics, by Chad Steel (ISBN 0-470-03862-4), but can also be found at dgonzalez.net, along with other useful pinouts for receive-only cables.

Orange White TD+ (pin 1)
Orange TD- (pin 2)
Green White RD+ (pin 3)
Green RD- (pin 6)

Hub Side:
Orange White is spliced into Green
Orange is spliced into Green White

Sniffer Side
Orange White is cut and sealed.
Orange is cut and sealed.

Comp-Tia’s Security+ Certification Exam Notes

Comp-Tia’s Security+ Exam
Exam Number SY0-101
Number of Questions 100
Time Allotted 90 Minutes
Passing Score 764/900
Exam Objectives: Available at the CompTia Site

Access Control Models

MAC – Mandatory Access Control – An administrator creates a predefined set of permissions and assigns them to users and objects (labels)
DAC – Discretionary Access Control – The resource owner establishes who or what has rights to an object (ACL)
RBAC – Role Based Access Control – Rights are assigned per user role; roles are usually based on organizational structure.
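The three models above, and the classification-versus-clearance distinction from the chapter 3 notes (question 10), as one added example that is not part of the original notes. MAC is shown as administrator-set labels where a subject's clearance must be at least the object's classification; DAC as an owner-maintained ACL that only the owner may change; RBAC as rights attached to roles. The level names, users, files and roles are constructed for illustration.

```python
from enum import IntEnum

# Constructed classification scale; higher value = more damage if exposed.
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3

# --- MAC: labels are assigned by an administrator, not by the resource owner.
MAC_CLEARANCE = {"alice": Level.SECRET, "bob": Level.INTERNAL}     # subjects
MAC_LABEL = {"payroll.xlsx": Level.CONFIDENTIAL, "handbook.pdf": Level.PUBLIC}  # objects

def mac_can_read(subject: str, obj: str) -> bool:
    """A subject may read an object only if its clearance dominates the label."""
    return MAC_CLEARANCE[subject] >= MAC_LABEL[obj]

# --- DAC: each object carries an ACL that its owner controls.
DAC_ACL = {
    "notes.txt": {"owner": "carol",
                  "entries": {"carol": {"read", "write"}, "bob": {"read"}}},
}

def dac_grant(actor: str, obj: str, principal: str, rights: set) -> bool:
    """Only the owner may extend the ACL; returns False if the actor is not the owner."""
    if DAC_ACL[obj]["owner"] != actor:
        return False
    DAC_ACL[obj]["entries"].setdefault(principal, set()).update(rights)
    return True

def dac_allowed(subject: str, obj: str, right: str) -> bool:
    return right in DAC_ACL[obj]["entries"].get(subject, set())

# --- RBAC: rights hang off roles that mirror the org chart; users hold roles.
ROLE_RIGHTS = {
    "hr": {"read:personnel", "write:personnel"},
    "employee": {"read:handbook"},
}
USER_ROLES = {"alice": {"hr", "employee"}, "bob": {"employee"}}

def rbac_allowed(subject: str, right: str) -> bool:
    return any(right in ROLE_RIGHTS[role] for role in USER_ROLES.get(subject, ()))

if __name__ == "__main__":
    print("MAC  bob reads payroll:", mac_can_read("bob", "payroll.xlsx"))      # False
    print("DAC  bob writes notes :", dac_allowed("bob", "notes.txt", "write"))  # False
    print("RBAC bob edits records:", rbac_allowed("bob", "write:personnel"))    # False
```

The difference between the models shows up in who can change the answer: in MAC only the administrator can raise bob's clearance, in DAC the file's owner can add a `write` entry at will, and in RBAC bob gains rights only by being placed in a role.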

Authentication and Identification

Vertical TeleVantage Password Security

Easy-to-guess passwords are the Achilles’ heel of all phone systems. Vertical TeleVantage combats this by offering the administrator the ability to enforce the use of strong passwords for system users. Other options, such as lockout and password expiration, make the job of guessing a password much harder.

Requiring Password Complexity
Options for strong passwords include a minimum password length, preventing passwords that contain the account’s extension, and an option entitled ‘Prevent passwords from the following list’. This final option includes a long group of strings such as ‘000’, ‘123’ etc. built in, and also allows the administrator to add to, edit, and delete entries from this list.

Passwords Automatically Expire Option
An option to expire passwords after x days is available as a global setting. This option can be overridden for users on an individual basis. Additionally, the user’s properties screen in TeleVantage Administrator has a ‘user must change password on next logon’ option, which allows forced expiration at any time.

Account Lockout Options
TeleVantage has an “Automatically lock out accounts after X failed logon attempts” option. After the threshold for failed attempts is exceeded, the user may not log in until the account is unlocked. The option to have the account unlocked automatically after X minutes is available; alternatively, the user must wait until an administrator unlocks the account.

Hang Up On Failed Login Attempts
After an account is locked, the TeleVantage system can be configured to hang up on a caller who fails to log in after X attempts.
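The complexity, expiration and lockout rules described in the sections above, implemented as an added example that is not TeleVantage code and does not reflect its defaults. The policy values (6-digit minimum, the forbidden-string list, 90-day age, 5 attempts, 30-minute auto-unlock) are constructed; matching a forbidden string as a substring of the password is an assumption about how such a list is applied. Times are plain epoch seconds so the logic stays independent of a clock.

```python
# Constructed policy values (assumptions, not TeleVantage defaults).
MIN_LENGTH = 6
FORBIDDEN = {"000", "111", "123", "1234", "0000", "1111", "2580"}
MAX_AGE_SECONDS = 90 * 86400          # "passwords automatically expire" after x days
LOCKOUT_THRESHOLD = 5                 # "lock out accounts after X failed logon attempts"
UNLOCK_AFTER_SECONDS = 30 * 60        # "unlocked after X minutes"

def check_complexity(password: str, extension: str) -> list:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    if extension and extension in password:
        problems.append("contains-extension")
    # Assumption: an entry from the 'Prevent passwords from the following list'
    # option is rejected if it appears anywhere in the password.
    if any(bad in password for bad in FORBIDDEN):
        problems.append("forbidden-pattern")
    return problems

class Account:
    """Per-user state for expiration and lockout bookkeeping."""

    def __init__(self, extension: str, password_set_at: float, must_change: bool = False):
        self.extension = extension
        self.password_set_at = password_set_at   # when the current password was set
        self.must_change = must_change           # 'user must change password on next logon'
        self.failed = 0
        self.locked_at = None

    def password_expired(self, now: float) -> bool:
        return self.must_change or (now - self.password_set_at) > MAX_AGE_SECONDS

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if now - self.locked_at >= UNLOCK_AFTER_SECONDS:   # automatic unlock window elapsed
            self.admin_unlock()
            return False
        return True

    def admin_unlock(self) -> None:
        """The manual path: an administrator clears the lock and the failure count."""
        self.locked_at = None
        self.failed = 0

    def record_attempt(self, success: bool, now: float) -> str:
        """Apply one logon attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(now):
            return "locked"          # even a correct password is refused while locked
        if success:
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked_at = now
            return "locked"
        return "failed"

if __name__ == "__main__":
    print(check_complexity("1234", "201"))      # ['too-short', 'forbidden-pattern']
    acct = Account("201", password_set_at=0.0)
    for _ in range(LOCKOUT_THRESHOLD):
        print(acct.record_attempt(False, now=10.0))
```

A correct password presented while the account is locked still returns `locked`, which is the behaviour that defeats guessing: the threshold stops the guesser from learning whether a later guess was right until the window expires or an administrator intervenes.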

Tools>System Security
TeleVantage has a scanning tool built in that looks for common weaknesses in the system. Running Tools>System Security will create a report of users with weak or default passwords. By clicking on individual items in the report, the administrator can address these vulnerable accounts directly.