
Chapter 1

Key Terms
Access - a subject's or object's ability to use, manipulate, modify, or affect another subject or object.
Asset - the organizational resource that is being protected.
Attack - an intentional or unintentional act that attempts to cause damage to or compromise the information and/or the systems that support it.
Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
Exploit - to take advantage of a weakness or vulnerability in a system.
Exposure - a single instance of being open to damage.
Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system.
Object - a passive entity in the information system that receives or contains information.
Risk - the probability that something unwanted will happen.
Security Blueprint - the plan for the implementation of new security measures in the organization.
Security Model - a collection of specific security rules that represents the implementation of a security policy.
Security Posture or Security Profile - a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.
Subject - an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
Threat - a category of objects, persons, or other entities that represents a potential danger to an asset.
Threat Agent - a specific instance or component of a more general threat.
Vulnerability - a weakness or fault in a system or protection mechanism that exposes information to attack or damage.

Critical Characteristics of Information: The value of information comes from the characteristics it possesses.

Availability - Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
Accuracy - Free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
Authenticity - The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality - The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity - The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Utility - The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
Possession - The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality (for example, an encrypted backup tape that is stolen but never decrypted).

Components of an information system: Software, Hardware, Data, People, Procedures, Networks

Data Responsibilities
Beyond senior management and the security project team, three roles own and safeguard the data.
Data Owner - Responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change.
Data Custodian - Responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Data Users - The end users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Chapter 2
Information security performs four important functions for an organization:
1. Protects the organization's ability to function
2. Enables the safe operation of applications implemented on the organization's IT systems
3. Protects the data the organization collects and uses
4. Safeguards the technology assets in use at the organization

Threat: an object, person, or other entity that represents a constant danger to an asset.

1. Intellectual property (IP): ownership of ideas and control over the tangible or virtual representation of those ideas. The most common IP breaches involve software piracy. Industry bodies that investigate it: Software & Information Industry Association (SIIA), Business Software Alliance (BSA).

Deliberate Software Attacks
Deliberate software attacks occur when an individual or group designs software to attack an unsuspecting system. Most of this software is referred to as malicious code or malicious software, or sometimes malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks.
Computer viruses are segments of code that perform malicious actions. This code behaves very much like a virus pathogen attacking animals and plants, using the cell's own replication machinery to propagate and attack. The code attaches itself to an existing program and takes control of that program's access to the targeted computer. The virus-controlled target program then carries out the virus's plan by replicating itself into additional targeted systems.
The macro virus is embedded in automatically executing macro code, common in office productivity software like word processors, spreadsheets, and database applications.

The boot virus infects the key operating system files located in a computer's boot sector.
Worms - Malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
Trojan horses - Software programs that hide their true nature and reveal their designed behavior only when activated. Trojan horses are frequently disguised as helpful, interesting, or necessary pieces of software, such as readme.exe files often included with shareware or freeware packages.
Back door or Trap door - A virus or worm can have a payload that installs a back door or trap door component in a system. This allows the attacker to access the system at will with special privileges.
Polymorphism - A threat that changes its apparent shape over time, representing a new threat not detectable by techniques that are looking for a preconfigured signature. These threats actually evolve, changing their size and appearance to elude detection by antivirus software programs, making detection more of a challenge.
Virus and Worm Hoaxes - As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus hoaxes. Well-meaning people spread the hoax when they forward e-mails warning of fictitious threats; the warning itself is the disruption.

Deliberate Acts of Espionage or Trespass
The classic perpetrator of deliberate acts of espionage or trespass is the hacker. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass.
Password Crack - Attempting to reverse-calculate a password from its stored (hashed) form.
Brute Force - The application of computing and network resources to try every possible combination of options for a password.
Dictionary - The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guess with.
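The three password attacks above, run against a constructed credential store, as an added example that is not part of the original notes. The users, passwords and wordlist are made up; the store uses an unsalted SHA-256 hash so the attacks are cheap, and the last function shows the defensive counterpart (per-user salt plus a slow key-derivation function) that raises the cost of every guess.

```python
import hashlib
import itertools
import string


def sha256_hex(text: str) -> str:
    """Unsalted fast hash: the weakest storage scheme an attacker can hope for."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "leaked" credential store (hypothetical users, not real data).
LEAKED = {
    "alice": sha256_hex("letmein"),                       # appears in the wordlist
    "bob":   sha256_hex("zq7"),                           # short, not in the wordlist
    "carol": sha256_hex("correct horse battery staple"),  # long, not in the wordlist
}

# Constructed dictionary of commonly used passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "admin"]


def dictionary_attack(target_hash, wordlist):
    """Hash each dictionary word and compare; cost is len(wordlist) hashes."""
    for candidate in wordlist:
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def brute_force(target_hash, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over `charset` up to `max_len`; returns (password, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(charset_len, max_len):
    """Candidates brute force must cover: the sum of charset_len**k for k = 1..max_len."""
    return sum(charset_len ** k for k in range(1, max_len + 1))


def crack_all(leaked, wordlist):
    """Dictionary first (cheap), brute force as fallback; (None, None) if both fail."""
    results = {}
    for user, stored in leaked.items():
        password = dictionary_attack(stored, wordlist)
        method = "dictionary" if password else None
        if password is None:
            password, _ = brute_force(stored)
            method = "brute-force" if password else None
        results[user] = (password, method)
    return results


def slow_hash_hex(password, salt, iterations=100_000):
    """Defence: a per-user salt defeats precomputed tables, and a slow KDF
    multiplies the attacker's cost per guess by `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    for user, (pw, how) in crack_all(LEAKED, WORDLIST).items():
        print(f"{user}: {pw!r} via {how}")
    print("keyspace for up to 3 lowercase/digit characters:", keyspace(36, 3))
```

Alice falls to the dictionary, Bob to exhaustive search over a 47,988-candidate keyspace, and Carol survives a search that stops at three characters; lengthening the charset or the password grows the keyspace geometrically, while the PBKDF2 variant grows the attacker's cost per candidate linearly with the iteration count.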

Sniffers - A program and/or device that can monitor data travelling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network.
Phishing - An attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity.
Pharming - The redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information.
Timing Attack - Relatively new; works by exploring the contents of a Web browser's cache. This could allow the attacker to collect the information needed to access password-protected sites. Another attack by the same name involves attempting to intercept cryptographic elements to determine keys and encryption algorithms.

Secure software development: software principles, software development problems.

Chapter 3

Liability: legal obligation of an entity extending beyond criminal or contract law; includes the legal obligation to make restitution.
Restitution: to compensate for wrongs committed by an organization or its employees.
Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions.
Due diligence: making a valid effort to protect others; continually maintaining that level of effort.
Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry.
Long-arm jurisdiction: right of any court to impose its authority over an individual or organization if it can establish jurisdiction.
Civil law represents a wide variety of laws that are recorded in volumes of legal code available for review by the average citizen.
Criminal law addresses violations harmful to society and is actively enforced through prosecution by the state.

Tort law allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.
Acts (laws): National Information Infrastructure Protection Act of 1996; USA PATRIOT Act of 2001; Computer Security Act of 1987.
Privacy: a state of being free from unsanctioned intrusion.


Privacy acts: The Federal Privacy Act of 1974 regulates the government in the protection of individual privacy and was created to ensure that government agencies protect the privacy of individuals' and businesses' information and to hold those agencies responsible if any portion of this information is released without permission.
The Electronic Communications Privacy Act of 1986 (ECPA) regulates the interception of wire, electronic, and oral communications. The ECPA works in conjunction with the Fourth Amendment of the US Constitution, which provides protection from unlawful search and seizure.
The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, impacts all health-care organizations including small doctor practices, health clinics, life insurers and universities, as well as some organizations which have self-insured employee health programs.
The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 requires all financial institutions to disclose their privacy policies on the sharing of non-public personal information. It also requires due notice to customers so that they can request that their information not be shared with third parties.
In an attempt to protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared.

The Security And Freedom Through Encryption Act of 1997 (SAFE) was an attempt by Congress to provide guidance on the use of encryption and provided measures of public protection from government intervention.
Sarbanes-Oxley Act of 2002: financial reporting.
Other laws and directives: The Freedom of Information Act of 1966; Digital Millennium Copyright Act (DMCA); EU Directive 95/46/EC (data protection).
Organisations: ACM (the first educational and scientific computing society); International Information Systems Security Certification Consortium, Inc. (ISC)2; Information Systems Audit and Control Association (ISACA); Department of Homeland Security (DHS); Federal Bureau of Investigation National InfraGard Program; National Security Agency (NSA); U.S. Secret Service.

Chapter 4
Risk identification is the formal process of examining and documenting the current information technology security situation. Risk identification is conducted within the larger process of identifying and justifying risk controls, known as risk management.
Risk Management Process (risk control phase): evaluating the risk controls; determining which control options are cost effective for the organization; acquiring or installing the needed controls; ensuring that the controls remain effective.

The clean desk policy requires each employee to secure any and all information in its appropriate storage container at the end of each day. When classified information is no longer valuable or excessive copies exist, proper care should be taken to destroy any unneeded copies through shredding, burning, or transfer to an authorized document destruction service. There are those individuals who would not hesitate to engage in dumpster diving to retrieve information that could prove embarrassing or compromise the security of information in the organization.
We can determine the relative risk for each of the vulnerabilities through a process called risk assessment.
Risk determination: risk = (likelihood of the vulnerability occurring × value of the information asset) − percentage of risk already mitigated by current controls + uncertainty of current knowledge of the vulnerability.
Residual risk is the risk that remains to the information asset even after the existing control has been applied.
There are three general categories of controls: Policies, Programs, and Technologies.
Strategies for risk control:
Defend (also called avoidance) is the risk control strategy that attempts to prevent the realization or exploitation of the vulnerability. This is the preferred approach, as it seeks to avoid risk in its entirety rather than deal with it after it has been realized. Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and/or adding protective safeguards. The most common methods of avoidance involve three areas of controls: application of policy, training and education, and technology.
Transfer is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Accept: doing nothing to protect a vulnerability and accepting the outcome of its exploitation. Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off against the expense of applying controls.
Terminate directs the organization to avoid those business activities that introduce uncontrollable risks.
Cost-benefit analysis (CBA): the expected loss per risk is stated in the following equations:
Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)
SLE = asset value × exposure factor (EF)
CBA = ALE(prior to control) − ALE(post control) − annual cost of the safeguard (ACS)

Benchmarking: process of seeking out and studying practices in other organizations that one's own organization desires to duplicate. Benchmarking measures: metrics-based measures, process-based measures.
In information security, two categories of benchmarks are used: standards of due care/due diligence and best practices. Within best practices is a subcategory of practices referred to as the gold standard, those practices typically viewed as the best of the best.
When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a standard of due care. It is insufficient to just implement these standards and then ignore them. The application of controls at or above the prescribed levels and the maintenance of those standards of due care show that the organization has performed due diligence. Due diligence is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection. Failure to support a standard of due care or due diligence can open an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection.
Baselining is the comparison of past security activities and events against the organization's current performance (a benchmark against itself rather than against other organizations).
Other feasibility studies: organizational, operational, technical, and political feasibility.

Chapter 5
Preparation of the security blueprint.
IS planning and governance outcomes: strategic alignment, risk management, resource management, performance measurement, value delivery.
Policy: course of action used by an organization to convey instructions from management to those who perform duties.
Standards: more detailed statements of what must be done to comply with policy.

A security program policy (SPP) is also known as a general security policy, IT security policy, or information security policy. This policy sets the strategic direction, scope, and tone for all security efforts within the organization.
Issue-Specific Security Policy (ISSP): As the organization executes various technologies and processes to support routine operations, certain guidelines are needed to instruct employees to use these technologies and processes properly.
Systems-Specific Policy (SysSP): While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems.
Policy management: ISO 27000 series. The Code of Practice for Information Security Management (originally British Standard BS 7799) was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security. ISO/IEC 27001:2005 defines the Plan-Do-Check-Act cycle.
NIST guides: SP 800-12, An Introduction to Computer Security: The NIST Handbook; SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems; SP 800-18, Guide for Developing Security Plans for IT Systems; SP 800-26, Security Self-Assessment Guide for Information Technology Systems; SP 800-30, Risk Management Guide for Information Technology Systems.

NIST Special Publication 800-14 lists 33 security principles.
IETF Security Architecture: RFC 2196, Site Security Handbook, provides an overview of five basic areas of security with detailed discussions on development and implementation.
Baselining and best practices are solid methods for collecting security practices, but provide less detail than a complete methodology.
Security architecture: managerial, operational, and technical controls.
Defense in Depth: One of the foundations of security architectures is the requirement to implement security in layers. Defense in depth requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls.
Security Perimeter: The point at which an organization's security protection ends and the outside world begins is referred to as the security perimeter.

Firewall: device that selectively discriminates against information flowing in or out of the organization.
DMZs: no-man's land between the inside and outside networks, where some organizations place Web servers.
Proxy servers: perform actions on behalf of another system.
Intrusion detection systems (IDSs): in an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement an IDS.

Security education, training, and awareness (SETA).
Strategies: Contingency planning (CP) is the entire planning conducted by the organization to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal modes of business operations.
Incident response planning (IRP) is the planning process associated with the identification, classification, response, and recovery from an incident.
Disaster recovery planning (DRP) is the planning process associated with the preparation for and recovery from a disaster, whether natural or man-made.
Business continuity planning (BCP) is the planning process associated with ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
CP team: Champion (top management support); Project manager (leads the project); Team members (managers from different departments).

A Business Impact Analysis (BIA) is an investigation and assessment of the impact that various attacks can have on the organization and takes up where the risk assessment process leaves off. Stages of BIA.
Incident handling: Incident classification is the process of examining a potential incident or incident candidate and determining whether or not the candidate constitutes an actual incident. Incident detection; Incident response (stop and repair); Incident recovery; Damage assessment: Incident damage assessment is the immediate determination of the scope of the breach of the confidentiality, integrity, and availability of information and assets after an incident.

Computer forensics is the process of collecting, analyzing, and preserving computer-related evidence. Evidence proves an action or intent.
Business continuity planning: hot, warm, and cold sites; shared-use strategies: time-share, service bureaus, and mutual agreements.
Data transfer strategies:
Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
Remote journaling - The transfer of live transactions to an off-site facility; only transactions are transferred, not archived data; the transfer is real-time.
Database shadowing - not only processing duplicate real-time data storage, but also duplicating the databases at the remote site to multiple servers.
Crisis management: preparation, training, rehearsal.
Model for contingency plan. Enforcement of law.

Chapter 6
Access control: method by which systems determine whether and how to admit a user into a trusted area of the organization.
Mandatory access controls (MACs): use data classification schemes; the system, not the data owner, enforces the rule.
Nondiscretionary controls: strictly enforced version of MACs that are managed by a central authority.
Discretionary access controls (DACs): implemented at the discretion or option of the data user (the owner decides who else gets access).
Identification: mechanism whereby an unverified entity that seeks access to a resource proposes a label by which it is known to the system.
Supplicant: entity that seeks a resource.
Authentication: the process of validating a supplicant's purported identity, using something the supplicant knows (password), has (token, smart card), or is (biometric). Smart card: contains a computer chip that can verify and validate information. Synchronous tokens, asynchronous tokens.
Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels.
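The MAC/DAC distinction above in working code, as an added example that is not part of the original notes. The classification levels, users and clearances are constructed; the mandatory rule is the Bell-LaPadula "no read up, no write down" pair (one common choice, not the only one), and `access_allowed` shows the combination a central authority would enforce: the label check comes first and no ACL entry can waive it.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed data classification scheme; higher value = more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def mac_permits(clearance, classification, action):
    """Mandatory access control: decided purely from labels (Bell-LaPadula style).
    Read only at or below your clearance ("no read up"); write only at or above
    it ("no write down"), so a SECRET-cleared user cannot copy data into an
    INTERNAL document.  Neither the user nor the data owner can override this."""
    if action == "read":
        return clearance >= classification
    if action == "write":
        return clearance <= classification
    raise ValueError(f"unknown action {action!r}")


class DacObject:
    """Discretionary access control: the object carries an ACL that its owner
    manages; whoever holds the 'grant' right can pass rights to others."""

    def __init__(self, owner, classification):
        self.owner = owner
        self.classification = classification
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, grantor, grantee, right):
        if "grant" not in self.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} holds no grant right on this object")
        self.acl.setdefault(grantee, set()).add(right)

    def permits(self, subject, action):
        return action in self.acl.get(subject, set())


def access_allowed(clearances, subject, obj, action):
    """Combined decision as a central authority would enforce it: the mandatory
    label check is applied first and cannot be waived by an ACL entry; the
    discretionary ACL then decides among the subjects the labels already allow."""
    if not mac_permits(clearances[subject], obj.classification, action):
        return False
    return obj.permits(subject, action)


def demo():
    # Constructed subjects and their clearances.
    clearances = {"alice": Level.SECRET, "bob": Level.INTERNAL, "carol": Level.CONFIDENTIAL}
    report = DacObject(owner="alice", classification=Level.CONFIDENTIAL)
    report.grant("alice", "bob", "read")     # owner tries to share with bob
    report.grant("alice", "carol", "read")   # and with carol
    try:
        report.grant("bob", "carol", "write")  # bob holds no grant right
        bob_can_delegate = True
    except PermissionError:
        bob_can_delegate = False
    return {
        "alice_read": access_allowed(clearances, "alice", report, "read"),
        "alice_write": access_allowed(clearances, "alice", report, "write"),  # no write down
        "bob_read": access_allowed(clearances, "bob", report, "read"),        # ACL yes, label no
        "carol_read": access_allowed(clearances, "carol", report, "read"),
        "carol_write": access_allowed(clearances, "carol", report, "write"),  # not in ACL
        "bob_can_delegate": bob_can_delegate,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The interesting rows are `bob_read` (the owner granted it, the label forbids it, so it is denied) and `alice_write` (the highest-cleared user is refused a write to a lower-classified object), which is exactly the behaviour a DAC-only system cannot express.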

Accountability (auditability): ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity.
Firewalls:
Packet filtering firewalls examine the header information of data packets.
Static filtering: requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed in advance.
Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal with the event.
Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table, so that inbound packets are admitted only when they belong to a connection the table already knows about.
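Static filtering and stateful inspection side by side on the same constructed traffic, as an added example that is not part of the original notes. The addresses, ports and packet sequence are made up. Both filters implement one policy ("inside hosts may open HTTPS outbound"); the static filter has to admit replies with a header-only rule, and the fourth packet shows an attacker exploiting that rule by setting source port 443.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: the fields a packet filter actually inspects."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."   # constructed: the protected inside network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def static_filter(pkt):
    """Static packet filtering: fixed rules, no memory of earlier packets.
    Because the filter cannot remember who started a connection, the only way
    to let HTTPS replies back in is a rule keyed on the header alone (source
    port 443 to a high port), and that rule is what an attacker abuses."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return pkt.dport == 443
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        return pkt.sport == 443 and pkt.dport >= 1024
    return False


class StatefulFilter:
    """Stateful inspection: the same policy, but outbound connections are
    recorded in a state table and inbound packets are admitted only when they
    match the reverse of a recorded connection."""

    def __init__(self):
        self.state = set()   # entries: (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack and pkt.dport == 443:
                self.state.add(key)       # new connection permitted by policy
                return True
            return key in self.state      # later packets of a known connection
        if inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state
        return False


# Constructed traffic sample: a legitimate HTTPS handshake, a spoofed packet
# from an attacker who sets source port 443 to reach RDP (3389) inside, and
# an outbound SSH attempt the policy does not allow.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),            # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server replies
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, ack=True),            # client ACK
    Packet("198.51.100.7", 443, "10.0.0.5", 3389, syn=True),             # attacker probe
    Packet("10.0.0.5", 51001, "203.0.113.10", 22, syn=True),             # outbound SSH
]


def evaluate(packets):
    """Return parallel verdict lists (static, stateful) for a packet sequence."""
    stateful = StatefulFilter()
    return ([static_filter(p) for p in packets],
            [stateful.filter(p) for p in packets])


if __name__ == "__main__":
    static, state = evaluate(TRAFFIC)
    for p, s, t in zip(TRAFFIC, static, state):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  static={s}  stateful={t}")
```

The verdicts differ only on the attacker's packet: the static rule lets it through because the header matches, while the state table has no inside-initiated connection to 198.51.100.7 and drops it. The state table is also the reason stateful firewalls need timeouts and bounded memory; a flood of SYNs can fill it.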

Application gateways: Frequently installed on a dedicated computer; also known as a proxy server. Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks, so additional filters are placed behind it.

Circuit gateway firewall: Operates at the transport layer; it does not allow end-to-end connections between networks but instead creates tunnels through which the traffic is diverted, connecting specific processes or systems on each side of the firewall.

Firewall generations (hybrid firewalls combine elements of several): First generation: static packet filtering firewalls. Second generation: application-level firewalls or proxy servers. Third generation: stateful inspection firewalls.

Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter. Fifth generation: kernel proxies; a specialized form working under the kernel of Windows NT.
Firewall hardware: dedicated appliances are the more reliable option. Packet-filtering routers: many of these routers can be configured to reject packets that the organization does not allow into the network. Drawbacks include a lack of auditing and strong authentication.

Screened Host Firewalls: This architecture combines the packet filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy. This separate host is often referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be very well secured.
Dual-homed host firewalls: the bastion host contains two network interface cards (NICs): one connected to the external network, one connected to the internal network.
The dominant architecture used today, the screened subnet firewall, provides a DMZ, which can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.
SOCKS is the protocol for handling TCP traffic via a proxy server.
Cost is an issue: when security rules conflict with the performance of business, security often loses. Best practices for firewalls: see chapter 6, slide 42.
A content filter is a software filter (technically not a firewall) that allows administrators to restrict access to content from within a network.
Remote access: Unsecured dial-up connection points represent a substantial exposure to attack. An attacker can use a device called a war dialer to locate connection points. War dialer: automatic phone-dialing program that dials every number in a configured range and records the number if a modem picks up. Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved the authentication process.

Remote Authentication Dial-In User Service (RADIUS): centralizes management of the user authentication system in a central RADIUS server. Diameter: emerging alternative derived from RADIUS. Terminal Access Controller Access Control System (TACACS): validates users' credentials at a centralized server (like RADIUS); based on a client/server configuration.

Kerberos uses symmetric key encryption to validate an individual user to various network resources. Kerberos keeps a database containing the secret keys of clients and servers; in the case of a client, this key is simply derived from the client's password. Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos.
A VPN is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. Types: Trusted VPN, Secure VPN, Hybrid VPN. A VPN provides: encapsulation of incoming and outgoing data; encryption of incoming and outgoing data; authentication of the remote computer and (perhaps) the remote user as well.
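The Kerberos flow described above (Authentication Server, Ticket-Granting Server, service) carried through with both sides' messages, as an added example that is not part of the original notes and not the MIT Kerberos code. The principals, passwords and key names (`krbtgt`, `fileserver`) are constructed, and `seal`/`unseal` is a toy authenticated-encryption helper built from SHA-256 and HMAC for the illustration only; real Kerberos uses AES-based encryption types and carries timestamps, addresses and replay caches the example omits.

```python
import hashlib
import hmac
import json
import os
import time


def kdf(secret):
    """Long-term symmetric key for a principal; for users it is derived from the password."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key, nonce, n):
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def seal(key, msg):
    """Toy authenticated encryption (illustration only, not a real cipher):
    SHA-256 keystream XOR plus an HMAC tag, hex-encoded so a ticket can be
    nested inside another message."""
    nonce = os.urandom(16)
    data = json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return (nonce + ct + tag).hex()


def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server and Ticket-Granting Server sharing one key database."""

    def __init__(self, principals):
        self.keys = {name: kdf(secret) for name, secret in principals.items()}

    def as_exchange(self, client):
        """AS_REQ -> AS_REP: a TGT (readable only by the KDC itself) plus a session
        key, both wrapped under the client's password-derived key."""
        sk_tgs = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk_tgs,
                                         "exp": time.time() + 3600})
        return seal(self.keys[client], {"sk": sk_tgs, "tgt": tgt})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS_REQ -> TGS_REP: verify the TGT and the authenticator, then issue a
        service ticket the client cannot read, plus a client/service session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or t["exp"] < time.time():
            raise PermissionError("bad authenticator or expired TGT")
        sk_svc = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk_svc,
                                           "exp": time.time() + 600})
        return seal(bytes.fromhex(t["sk"]), {"sk": sk_svc, "ticket": ticket})


def service_accept(service_key, ticket, authenticator):
    """AP_REQ at the service: it needs only its own long-term key, never the
    user's password, to confirm whom the KDC vouched for."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["sk"]), authenticator)
    if auth["client"] != t["client"] or t["exp"] < time.time():
        raise PermissionError("ticket rejected")
    return t["client"]


def login_and_access(kdc, client, password, service):
    """Client side of all three exchanges; returns the identity the service accepted."""
    k_client = kdf(password)
    as_rep = unseal(k_client, kdc.as_exchange(client))   # wrong password -> ValueError
    sk_tgs = bytes.fromhex(as_rep["sk"])
    authenticator = seal(sk_tgs, {"client": client, "ts": time.time()})
    tgs_rep = unseal(sk_tgs, kdc.tgs_exchange(as_rep["tgt"], authenticator, service))
    sk_svc = bytes.fromhex(tgs_rep["sk"])
    ap_auth = seal(sk_svc, {"client": client, "ts": time.time()})
    # The service holds the same long-term key the KDC has on file for it.
    return service_accept(kdc.keys[service], tgs_rep["ticket"], ap_auth)


def wrong_password_rejected(kdc, client, service):
    try:
        login_and_access(kdc, client, "not-the-password", service)
        return False
    except ValueError:
        return True


# Constructed realm: one user, the KDC's own ticket-granting key, one service.
REALM = KDC({"alice": "alice-pw", "krbtgt": "kdc-random-secret", "fileserver": "fs-random-secret"})

if __name__ == "__main__":
    print("service accepted:", login_and_access(REALM, "alice", "alice-pw", "fileserver"))
    print("wrong password rejected:", wrong_password_rejected(REALM, "alice", "fileserver"))
```

Two properties worth noticing: the password never leaves the client (a wrong password simply fails to unwrap the AS reply), and the file server authenticates Alice without ever holding her key, because the ticket it receives was sealed under the server's own long-term key by the KDC.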

In transport mode, the data within an IP packet is encrypted, but the header information is not. In tunnel mode, the organization establishes two perimeter tunnel servers. These servers serve as the encryption points, encrypting all traffic that will traverse an unsecured network.
