1. Physical 2. Infrastructure 3. Perceptual

IA 2 - UNIT 1 Flashcards by Mary Forro

is data endowed with relevance and purpose.
Converting data into information thus requires knowledge.
Knowledge by definition is specialized

Information

How well did you know this?

Not at all

Perfectly

And what characteristics should information possess to be useful

accurate,
timely,
complete,
verifiable,
consistent,
available

How well did you know this?

Not at all

Perfectly

raw facts with an unknown coding system

Noise

How well did you know this?

Not at all

Perfectly

raw facts with a known coding system

Data

How well did you know this?

Not at all

Perfectly

processed data

Information

How well did you know this?

Not at all

Perfectly

accepted facts, principles, or rules of thumb that are useful for specific domains. Knowledge can be the result of inferences and implications produced from simple information facts

Knowledge

How well did you know this?

Not at all

Perfectly

Actions taken that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.
This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities

assurance

How well did you know this?

Not at all

Perfectly

study of how to protect your information assets from destruction, degradation, manipulation and exploitation. But also, how to recover should any of those happen

Information Assurance (IA)

How well did you know this?

Not at all

Perfectly

timely, reliable access to data and information services for authorized users

Availability

How well did you know this?

Not at all

Perfectly

protection against unauthorized modification or destruction of information

Integrity

How well did you know this?

Not at all

Perfectly

assurance that the sender is provided with proof of a data delivery and recipient is provided with proof of the sender’s identity, so that neither can later deny having processed the data

Non-repudiation

How well did you know this?

Not at all

Perfectly

assurance that information is not disclosed to unauthorized persons

Confidentiality

How well did you know this?

Not at all

Perfectly

broad field that there is no universally accepted definition.
Researchers often give their own
spin to IA, usually reflecting their own concerns.

Information Assurance

How well did you know this?

Not at all

Perfectly

security measures to establish validity of a transmission, message, or originator

Authentication

How well did you know this?

Not at all

Perfectly

According to Debra Herrmann, IA has four major categories

physical security
personnel security
IT security
operational security

How well did you know this?

Not at all

Perfectly

Four Security Domains

Physical security
Personnel security
IT security
Operational security

How well did you know this?

Not at all

Perfectly

a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners

Personnel security

How well did you know this?

Not at all

Perfectly

refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets

Physical security

How well did you know this?

Not at all

Perfectly

inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability,
authenticity, and reliability

IT security

How well did you know this?

Not at all

Perfectly

involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources, the purpose which to

achieve and sustain a known secure system state at all times, and
prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources

Operational security

How well did you know this?

Not at all

Perfectly

IA Levels

Physical
Infrastructure
Perceptual

How well did you know this?

Not at all

Perfectly

The second level focus of IA is the information structure level.
This covers information and data manipulation ability maintained in cyberspace, including: data structures, processes and programs, protocols, data content and databases.
Desired Effects: to influence the effectiveness and performance of information functions supporting perception, decision making, and control of physical processes.
Attacker’s Operations: impersonation, piggybacking, spoofing, network attacks, malware, authorization attacks, active misuse, and denial of service attacks.
Defender’s Operations: information security technical measures such as: encryption and key management, intrusion detection, anti-virus software, auditing, redundancy, firewalls, policies and standards.

IA Levels: Infrastructure

How well did you know this?

Not at all

Perfectly

The third level focus of IA also called social engineering.
This is abstract and concerned with the management of perceptions of the target, particularly those persons making security decisions.
Desired Effects: to influence decisions and behaviors. Attacker’s Operations: psychological operations such as: deception, blackmail, bribery and corruption, social engineering, trademark and copyright infringement, defamation, diplomacy, creating distrust.
Defender’s Operations: personnel security including psychological testing, education, and screening such as biometrics, watermarks, keys, passwords.

IA Levels: Perceptual

How well did you know this?

Not at all

Perfectly

The lowest level focus of IA: computers, physical networks, telecommunications and supporting systems such as power, facilities and environmental controls.
Also at this level are the people who manage the systems.
Desired Effects: to affect the technical performance and the capability of physical systems, to disrupt the capabilities of the defender.
Attacker’s Operations: physical attack and destruction, including: electromagnetic attack, visual spying, intrusion, scavenging and removal, wiretapping, interference, and eavesdropping.
Defender’s Operations: physical security, OPSEC, TEMPEST.

IA Levels: the Physical

How well did you know this?

Not at all

Perfectly

Note that IA is both proactive and reactive involving:

1. protection, 2. detection, 3. capability restoration, 4. response.

IA Functional Components

1. IA environment protection pillars 2. Attack detection: 3. Capability restoration: 4. Attack response:

ensure the availability, integrity, authenticity, confidentiality, and non-repudiation of information”

IA environment protection pillars

timely attack detection and reporting is key to initiating the restoration and response processes

Attack detection

relies on established procedures and mechanisms for prioritizing restoration of essential functions. Capability restoration may rely on backup or redundant links, information system components, or alternative means of information transfer

Capability restoration

involves determining actors and their motives, establishing cause and complicity, and may involve appropriate action against perpetrators... contributes ... by removing threats and enhancing deterrence

Attack response

a computing environment is made up of five continuously interacting components

1. activities, 2. people, 1. data, 2. technology, 2. networks.

types of assets

1. physical asset 2. logical assets: 3. system assets:

logical assets

information, data (in transmission, storage, or processing), and intellectual property;

physical assets:

devices, computers, people;

the items being protected by the system (documents, files, directories, databases, transactions, etc.)

Objects

system assets

any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.

entities (users, processes, etc.) that execute activities and request access to objects.

Subjects

operations, primitive or complex, that **can operate on objects and must be controlled.**

Actions

the information is genuine

authenticity

authorized users are able to access it

availability

Threats can be categorized by ____: accidental or purposeful (error, fraud, hostile intelligence);

intent

the information is free of error and has the value expected

accuracy

Examples of Threats

1. Interruption 2. Interception 3. Modification 4. Fabrication

assets is one that has **known threats.** Example: locating an asset in a war zone or a flood zone, or placing an unprotected machine on the Internet.

A hostile environment

is a category of entities, or a circumstance, that poses a **potential danger to an asset** (through unauthorized access, destruction, disclosure, modification or denial of service).

threat

the information has **value for the intended purpose**

utility

the information has not been disclosed to unauthorized parties;

confidentiality

Threats can be categorized by ____: type of asset, consequences.

impact

Threats can be categorized by the kind of ____ involved: human (hackers, someone flipping a switch), processing (malicious code, sniffers), natural (flood, earthquake);

entity

is a specific instance of a threat, e.g. a specific hacker, a particular storm, etc.

threat actor

the information is whole, complete and uncorrupted;

Integrity

the data is **under authorized ownership** and control.

possession:

an unauthorized party tampers with an asset.

Modification

an **asset becomes unusable,** unavailable, or lost

Interruption

an **unauthorized party gains access to an information asset.**

Interception:

an asset has been counterfeit.

Fabrication:

a nonhostile environment that may be protected from external hostile elements by physical, personnel, and procedural countermeasures.

A benign environment

a **collection of computing environments connected by one or more internal networks** under the control of a single authority and security policy, including personnel and physical security.

An enclave

**weakness or fault in a system** that **exposes** **information** to attack.

vulnerability

a method for **taking** **advantage** of a **known vulnerability.**

exploit

one for which there is **no known threat (vulnerability is there but not exploitable).**

A dangling vulnerability

one that does **not pose a danger as there is no vulnerability to exploit** (threat is there, but can’t do damage).

A dangling threat

Three types of attacks

1. passive attack 2. active attack 3. unintentional attack

an attack in which the **attacker observes interaction with the system.**

Passive attack

an **attempt to gain access, cause damage to or otherwise compromise information** and/or systems that support it.

An attack

an attack where there is not a deliberate goal of misuse

Unintentional attack:

attack in which the attacker directly interacts with the system.

Active attack

the active entity, usually a threat actor, that interacts with the system.

Attack subject

an organization/entity is the set of ways in which **an adversary can enter the system and potentially cause damage.**

The attack surface

the targeted information system asset.

Attack object

an instance when the **system is vulnerable to attack.**

Exposure

is a situation in which the attacker has succeeded.

compromise

**is a recognized action**—specific, generalized or theoretical—that an adversary (threat actor) might be expected to take in preparation for an attack.

indicator

**is the outcome of an attack.** In a purposeful threat, the threat actor has typically chosen a desired consequence for the attack, and selects the IA objective to target to achieve this.

consequence

Disruption: targets availability

Disruption

targets confidentiality

Exploitation:

targets integrity

Corruption:

is a type of consequence, involving accidental exposure of information to an agent not authorized access.

Inadvertant disclosure

process for an **organization to identify and address the risks in their environment.**

Risk management

are any actions, devices, procedures, techniques and other measures that reduce the vulnerability of an information system.

Controls, safeguards and countermeasures

kindsn of controls, safeguards and countermeasures

1. technical 1. policy, procedures and practices education, training and awareness cover and deception (camouflage) 1. human intelligence (HUMINT), e.g. disinformation 1. monitoring of data and transmissions 1. surveillance countermeasures that detect or neutralize sensors, 1. e.g. TEMPEST 1. assessments and inspections.

A **security profile** is the implementation (policy, procedures, technology) of the **security effort within an organization.**

security posture

* is the possibility that a particular threat will adversely **impact an information system by exploiting a particular vulnerability.** * The assessment of risk must take into account the consequences of an exploit.

Risk

One particular risk management procedure (from Viega and McGraw) consists of six steps:

1. Assess assets 1. Assess threats 1. Assess vulnerabilities 1. Assess risks 1. Prioritize countermeasure options 1. Make risk management decisions

* **risks not avoided or transferred** are retained by the organization. * E.g. sometimes the cost of insurance is greater than the potential loss. * Sometimes the loss is improbable, though catastrophic.

Risk acceptance:

**not performing an activity** that would incure risk.

Risk avoidance

* shift the risk to someone else. * E.g. most insurance contracts, home security systems.

Risk transfer:

taking actions to **reduce the losses due to a risk;** many technical countermeasures fall into this category.

Risk mitigation:

are the security features of a system that provide enforcement of a security policy.

Trust mechanisms

is about **preventing the risk from being actualized.** E.g., not parking in a high crime area.

Risk avoidance

is about limiting the damage should the risk be actualized. E.g., having a LoJack or cheap car stereo.

Risk mitigation

generic term that implies a mechanism in place to provide a basis for confidence in the reliability/security of the system. Failure of the mechanism may destroy the basis for trust.

Trust

is a **collection of all the trust mechanisms** of a computer system which collectively enforce the policy.

The trusted computing base (TCB)

a measure of confidence that the security features, practices, procedures, and architecture of a system accurately mediates and enforces the security policy.

Assurance

The concept of ____ provides a **unified approach to conceptualizing (parts of) IA.**

trust management

waterfall model

1. Requirements 2. Design 1. Coding 1. Testing 2. Deployment 3. Production 4. Decommission

the process by which an asset is managed from its arrival or creation to its termination or destruction.

lifecycle

is a process by which the **project managers for a system will ensure that appropriate information assurance** safeguards are incorporated into a system.

Security systems lifecycle management