Shared Flashcard Set

Details

Test 1
Information Security and Assurance
100
Business
Graduate
02/12/2013


Cards

Term
Access Control
Definition
A collection of mechanisms that work together to protect the assets of an enterprise.
Term
Access controls help protect against ______ and ______.
Definition
Threats and Vulnerabilities
Term
Access controls enable management to:
Definition

Specify which users can access the system

Specify what resources they can access

Specify what operations they can perform

Provide individual accountability

Term
Separation of duties
Definition
Define and divide elements of a process or work function among different functions.
Term
Least privilege
Definition
Limit users and processes to access only resources necessary to perform assigned functions.
Term
The environment for access controls includes:
Definition

Facilities

Support Systems

Information Systems

Personnel - management, users, customers, business partners

Term
Control categories: Deterrent
Definition
Discourage incident
Term
Control Categories: Preventive
Definition
Avoid incident
Term
Control categories: Detective
Definition
Identify incident
Term
Control categories: Corrective
Definition

Remedy circumstances

mitigate damage

Restore controls

Term
Control Categories: Compensating
Definition

Alternative control

(for example, supervision)

Term
Control Categories: Recovery
Definition
Restore conditions to normal
Term
Types of Controls
Definition

Administrative

Technical (Logical)

Physical

Term
Administrative controls
Definition
Policies and procedures, including personnel controls such as security clearances, background checks.
Term
Technical (logical) controls
Definition
Anti-virus software, password protection, firewalls, auditing
Term
Physical controls
Definition
locks, alarms, badge systems
Term
Social engineering
Definition
The use of influence and persuasion to deceive people by convincing them that the social engineer is someone he/she is not, or by manipulation.  As a result, the social engineer is able to take advantage of people to obtain information with or without use of technology.
Term
Access Control Services
Definition
Identification, Authentication, Authorization, Accountability
Term
Identification
Definition
Asserts user identity
Term
Authentication
Definition
Verifies who the user is and whether access is allowed
Term
Authorization
Definition
What the user is allowed to do.
Term
Accountability
Definition
Tracks what the user did and when it was done.
Term
Types of Identification
Definition

User IDs

Username

Account Number

Personal Identification Number (PIN)

Badge System

Biometric Devices

Term
User Identification Guidelines
Definition

Unique

Standard naming convention

Non-indicative of job function

Secure and documented process for issuance

Term
Types of Authentication
Definition

Authentication by Knowledge

Authentication by Ownership

Authentication by Characteristic

Term
Authentication by Knowledge
Definition

What a person Knows

Passwords, Passphrases

(Password encryption schemes)

Term
Authentication by Ownership
Definition
What a person has.
Term
Authentication by Characteristic
Definition
What a person is/does.
Term
Asynchronous Token Device
Definition
A challenge-response technology/scheme. Authentication servers provide a challenge to the remote entity that can only be answered by the token that the individual holds in his/her hands. Two-way communication between the token and the server.
Term
Synchronous Token Device
Definition

Event, location, or time based.

Authentication server knows the expected value from the token and the user must input it or be in close proximity.

Like WoW Authenticator. 

Term
Biometric Devices
Definition

Identity is confirmed by either:

Physiological Trait (unique, fingerprint, retina, iris)

Behavioral characteristics (keystroke, signature pattern)

Term
Important elements of Biometric devices
Definition

Accuracy: Type I, Type II errors

Processing Speed: how fast the accept/reject is made

User acceptability

Protection of Biometric Data

Term
Biometric Devices
Definition
Fingerprint, Hand Geometry, Palm Scan, Voice Pattern, Retina Pattern/Scan, Iris Pattern/Recognition, Signature Dynamics, Facial Recognition, Keystroke Dynamics
Term
Authentication Methods: Risk vs. Cost
Definition

Password - High Risk, Low Cost

Software Token - High/Medium Risk - Medium Cost

Hardware Token - Medium Risk, Medium/High Cost

Signing Action - High Cost, Medium/High Risk

Biometric - High Cost, Low Risk

Term
Single Sign-On
Definition
Enables a user to logon once to the enterprise and access all additional authorized network resources.
Term
Pros of Single Sign-on
Definition

Efficient log-on process

Users may create stronger password

No need for multiple passwords

Timeout and attempt thresholds enforced across entire platform

Centralized Administration

Term
Cons of Single Sign-On
Definition
  • Compromised password allows intruder into all authorized resources
  • Inclusion of unique platforms may be challenging
Term
Directory Service
Definition
Provides the means to hierarchically organize and manage information and to retrieve the information by name association.
Term
Network Directory Service
Definition

Contains a set of information about resources and services on the network, such as users, workstations, and servers. 

Used to simplify access and administration by providing a unified organization of the network resources.

Term
Security Domain
Definition

Domain of trust that shares a single security policy and single management.

Access parameters controlling which sets of objects a subject can access.

Think of a “security domain” as a concept where the principle of separation protects each resource and each domain is encapsulated into distinct address spaces.

Term
Discretionary Access Control
Definition
Owner determines who has access & what privileges they have
Term
Mandatory Access Control
Definition

Owner and System determine who has access.

Systems decision based on privilege (clearance) of subject (user) & sensitivity (classification) of object (file).

Term
Mandatory Access Control Features
Definition

For systems of highly sensitive data

Sensitivity labels to all objects and clearance labels to all subjects.

Object's sensitivity level and the subject's clearance level determine success.

Permits processing of multiple levels on one system.

Term
Major difference between Mandatory Access Controls and Discretionary Access Controls
Definition
Discretionary Controls involve only the resource owner's permission, while Mandatory Controls require the system's and the owner's permission.
Term
Examples of Access Permissions: "No Access/Null"
Definition
No access permission granted
Term
Example of Access Permissions: Read (R)
Definition
Read but make no other changes.
Term
Example of Access Permissions: Write (W)
Definition
Write to File; includes change capability
Term
Example of Access Permissions: Execute (X)
Definition
Execute a Program
Term
Example of Access Permissions: Delete (D)
Definition
Delete File
Term
Example of Access Permissions: Change (C)
Definition
Read, write, execute and delete; may not change file permission
Term
Example of Access Permissions: Full Control
Definition
All abilities; including changing access control permission
Term
Rule-Based Access Control
Definition

Access based on a list of rules that determine authorization.

Owners create or authorize the rules.

Mediation mechanisms enforce the rules to ensure authorized access.

Term
Role-Based Access Control
Definition
  • Access Control decisions are based on job function.
  • Each role will have its own access capabilities.
  • Determination of role/job function is discretionary and is in compliance with security access control policy.
Term
Intrusion Prevention System (IPS)
Definition
Intrusions are prevented.
Term
Intrusion Detection Systems (IDS)
Definition
Intrusion attempts and any set of actions that attempt to gain unauthorized access are detected. Need for auditing of intrusion attempts on a timely basis.
Term
To ensure an effective IDS (Intrusion Detection System):
Definition
  • Employ a technically knowledgeable person to select, install, configure, operate, and maintain the IDS.
  • Update the system with new signature attacks and also to evaluate expected behavior profiles.
  • Be aware that the IDS itself may be vulnerable to attacks.
Term
Audit Trail
Definition
A record of system activities.
Term
Audit Trail Configuration
Definition
Capturing data generated by system, network, application, and user activities.
Term
Audit Trail Function
Definition
  • Alert staff to suspicious activity for investigation.
  • Provide details on extent of intruder activity
  • Provide information for legal proceedings.
Term
Audit Event Types
Definition
  • Network connection event data
  • System-level event data
  • Application-level event data
  • User-level event data - keystroke activity
Term
Penetration Testing
Definition
Series of activities undertaken to identify and exploit security vulnerabilities.
Term
Types of Penetration Testing: Zero-Knowledge
Definition

Team has no relevant information about target

Typically performed by independent third party

Term
Types of Penetration Testing: Partial Knowledge
Definition
Team may have some information about the target
Term
Types of Penetration Testing: Full Knowledge
Definition
Performed by team with intimate knowledge of target environment
Term
Examples of Pen Test Methods: Discovery
Definition
Identify and Document information about target
Term
Examples of Pen Test methods: Enumeration
Definition
Gain more information with intrusive methods
Term
Examples of Pen Test Methods: Vulnerability Mapping
Definition
Map environment profile to known vulnerabilities
Term
Examples of Pen Test Methods: Exploitation
Definition
Attempt to gain user and privileged access.
Term
Application Security Testing
Definition
Evaluate controls over the application and its process flow.
Term
Denial of Service (DoS) Testing
Definition
Evaluate system's susceptibility to attacks that will render it inoperable.
Term
War Dialing
Definition
Identify, analyze, and exploit modems, remote access devices, and maintenance connections.
Term
Confidentiality
Definition
Prevents unauthorized disclosure of systems and information.
Term
Integrity
Definition
Prevents unauthorized modification of systems and information.
Term
Availability
Definition
Prevents disruption of service and productivity.
Term
Goals of Information Security
Definition

Confidentiality

Integrity

Availability

Term
Requirements for Security Solutions
Definition
Functional Requirements & Assurance Requirements
Term
Functional Requirements
Definition
Define security behavior of the IT product or system.
Term
Assurance Requirements
Definition
Establish confidence that the security function will perform as intended.
Term
Security Blueprint
Definition
Tailored best practices that, in total, form a comprehensive security policy program and technical architecture.
Term
Individual security blueprints reflect
Definition

Tailored requirements meeting the organization's specific requirements.

Influenced by legal, regulatory, business, IT drivers.

Term
Policy
Definition
Documents and communicates management’s goals and objectives.
Defines the organization’s response to laws, regulations, and standards of due care.
Builds a foundation for a comprehensive and effective security program.
Defines what assets and principles the organization considers valuable.
Identifies organization goals and objectives.
Term
Elements of Policy
Definition

Standards

Procedures

Baselines

Guidelines

Term
Standards
Definition
Specific hardware and software mechanisms and products.
Term
Procedures
Definition
Step by step required actions, such as user registration, contracting for security purposes, information system material destruction, incident response.
Term
Organization Roles and Responsibilities: Executive Management
Definition
Assigned overall responsibility for asset protection.
Term
Organizational Roles and Responsibilities: Information Systems Security Professionals
Definition
Responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.
Term
Organizational Roles and Responsibilities: Owners
Definition

Responsible for:

  • Ensuring that appropriate security, consistent with the organization's security policy, is implemented in their information systems.
  • Determining appropriate sensitivity or classification levels
  • Determining access privileges
Term
Organizational Roles and Responsibilities: Custodian
Definition
A function that has "custody" of the system/databases, not necessarily belonging to them, for any period of time. Usually network administration or operations.
Term
Organizational Roles and Responsibilities: Users
Definition
Responsible to use resources and preserve availability, integrity, and confidentiality of assets - responsible to adhere to security policy.
Term
Organizational Roles and Responsibilities: IS/IT Function
Definition
Responsible for implementing and adhering to security policies.
Term
Organizational Roles and Responsibilities: Information Systems Auditor
Definition

Responsible for:

  • Providing independent assurance to management on the appropriateness of the security objectives.
  • Determining whether the security policy, standards, baselines, procedures, and guidelines are appropriate and effective to comply with the organization's security objectives.
  • Identifying whether the objectives and controls are being achieved.
Term
Termination Procedures
Definition
  • Ensure all access cards and tools are returned.
  • Remove user access immediately upon departure.
  • Suspension/disciplinary procedures
Term
Good Practices
Definition
  • Clearly defined roles, job descriptions, and responsibilities
  • Least privilege/need to know basis
  • Separation of duties
  • Job rotation
  • Mandatory Vacations
Term
Key Points of Security Awareness
Definition

Awareness - reminder of security responsibilities

Training - provides skills needed for security

Education - decision making and security management skills

Term
Quantitative Risk Analysis
Definition
An attempt to assign independently objective numeric values to the elements of the risk assessment and to the assessment of potential losses.
Term
Qualitative Risk Analysis
Definition
Scenario oriented; does not attempt to assign absolute numeric values to components; purely qualitative risk analysis is possible.
Term
List the Five Goals of Physical Security
Definition

1. Deter

2. Delay

3. Detect

4. Assess

5. Respond

Term
List the three key strategies of crime prevention through environmental design
Definition
  1. Territoriality - people protect territory that is their own
  2. Surveillance - high degree of visual control
  3. Access control - limit access and control the flow of access