Information Assurance Flashcards

(107 cards)

1
Q

is data endowed with relevance and purpose

A

Information

2
Q

Useful characteristics that the information should possess

A

Timely
Accurate
Complete
Verifiable
Consistent
Available

3
Q

the following are all aspects of
system quality:

A

functionality
adequacy
interoperability
correctness
security
reliability
usability
efficiency
maintainability
portability

4
Q

what characteristics should information possess to be useful?

A

accurate,
timely,
complete,
verifiable,
consistent,
available

5
Q

all distinct
conceptual resources:

A

Noise
Data
Information
Knowledge

6
Q

raw facts with an unknown coding system

A

Noise

7
Q

raw facts with a known coding system

A

Data

8
Q

processed data

A

Information

9
Q

accepted facts, principles, or rules of thumb that are
useful for specific domains. Knowledge can be the
result of inferences and implications produced from
simple information facts.

A

Knowledge

10
Q

Actions taken that protect and defend information and
information systems by ensuring their availability,
integrity, authentication, confidentiality and
non-repudiation. This includes providing for restoration
of information systems by incorporating protection,
detection and reaction capabilities.

A

IA

11
Q

is the study of how to protect your
information assets from destruction, degradation, manipulation and
exploitation. But also, how to recover should any of those happen.
Notice that it is both proactive and reactive.

A

Information Assurance

12
Q

According to the DoD definition, these are some aspects of
information needing protection:

A

Availability
Integrity
Confidentiality
Authentication
Non-repudiation

13
Q

assurance that the sender is provided with proof
of a data delivery and recipient is provided with proof
of the sender’s identity, so that neither can later deny
having processed the data.

A

Non-repudiation

14
Q

security measures to establish the validity of a
transmission, message, or originator.

A

Authentication

15
Q

assurance that information is not disclosed to
unauthorized persons;

A

Confidentiality

16
Q

protection against unauthorized modification or
destruction of information;

A

Integrity

17
Q

timely, reliable access to data and information
services for authorized users;

A

Availability

18
Q

According to Debra Herrmann (Complete Guide to Security and
Privacy Metrics), IA should be viewed as spanning four security
engineering domains:

A

physical security
personnel security
IT security
operational security

19
Q

The simple truth is that IT security cannot be
accomplished in a vacuum, because there are a multitude
of dependencies and interactions among all four security
engineering domains

A

(Herrmann, p. 10)

20
Q

refers to the protection of hardware, software,
and data against physical threats to reduce or prevent disruptions
to operations and services and loss of assets.

A

Physical security

21
Q

is a variety of ongoing measures taken to
reduce the likelihood and severity of accidental and intentional
alteration, destruction, misappropriation, misuse, misconfiguration,
unauthorized distribution, and unavailability of an organization’s
logical and physical assets, as the result of action or inaction by
insiders and known outsiders, such as business partners.

A

Personnel security

22
Q

is the inherent technical features and functions that
collectively contribute to an IT infrastructure achieving and
sustaining confidentiality, integrity, availability, accountability,
authenticity, and reliability.

A

IT security

23
Q

involves the implementation of standard
operational security procedures that define the nature and
frequency of the interaction between users, systems, and system
resources, the purpose of which is to
(1) achieve and sustain a known secure system state at all times, and
(2) prevent accidental or intentional theft, release, destruction,
alteration, misuse, or sabotage of system resources.

A

Operational security

24
Q

According to Raggad’s taxonomy of information security, a
computing environment is made up of five continuously interacting
components:

A

activities,
people,
data,
technology,
networks.

25
According to Blyth and Kovacich, IA can be thought of as protecting information at three distinct levels:
Physical
Information Infrastructure
Perceptual
26
knowledge and understanding in human decision space.
perceptual
27
data and data processing activities in physical space;
Physical
28
information and data manipulation abilities in cyberspace;
information infrastructure
29
The lowest level focus of IA: computers, physical networks, telecommunications, and supporting systems such as power, facilities and environmental controls. Also at this level are the people who manage the systems.
Physical Level
30
The second level focus of IA. This covers information and data manipulation ability maintained in cyberspace, including data structures, processes and programs, protocols, data content, and databases.
information structure level
31
The third level focus of IA, also called social engineering. This is abstract and concerned with the management of perceptions of the target, particularly those persons making security decisions.
perceptual level
32
COMPSEC
computer security
33
COMSEC
communications and network security;
34
ITSEC (which includes both COMPSEC and COMSEC)
Information Technology Security Evaluation Criteria
35
OPSEC
operations security
36
An attacker on any information system will use the simplest means of subverting system security.
Principle of Easiest Penetration
37
The flip side of Information Assurance
Information Warfare (IW)
38
involves managing an opponent’s perception through deception and psychological operations. In military circles, this is called Truth Projection.
Type 1
39
involves denying, destroying, degrading, or distorting the opponent’s information flows to disrupt their ability to carry out or co-ordinate operations.
Type II
40
gathers intelligence by exploiting the opponent’s use of information systems.
Type III
41
the offensive players in the world of IW come in six types:
Insiders
Hackers
Criminals
Corporations
Governments and agencies
Terrorists
42
usually politically motivated and may seek to cause maximal damage to information infrastructure as well as endanger lives and property.
Terrorists
43
seek the military, diplomatic, and economic secrets of foreign governments, foreign corporations, and adversaries. May also target domestic adversaries.
Governments and agencies
44
target information that may be of value to them: bank accounts, credit card information, intellectual property, etc.
Criminals
45
actively seek intelligence about competitors or steal trade secrets.
Corporations
46
consists of employees, former employees and contractors.
Insiders
47
one who gains unauthorized access to or breaks into information systems for thrills, challenge, power, or profit
Hackers
48
While experts may disagree on the definition of cyber war, there is significant evidence that nations around the world are developing, testing and in some cases using or encouraging cyber means as a method of obtaining political advantage.
–McAfee Virtual Criminology Report 2009
49
“A plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload.”
–Nicholas Weaver and Vern Paxson, 6/14/04
50
America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. ... It is a battle we are losing. Losing this struggle will wreak serious damage on the economic health and national security of the United States.
–CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008
51
Note that IA is both proactive and reactive involving:
protection, detection, capability restoration, and response
52
“ensure the availability, integrity, authenticity, confidentiality, and non-repudiation of information”
IA environment protection pillars
53
“timely attack detection and reporting is key to initiating the restoration and response processes.”
Attack detection
54
“relies on established procedures and mechanisms for prioritizing restoration of essential functions. Capability restoration may rely on backup or redundant links, information system components, or alternative means of information transfer.” “A post-attack analysis should be conducted to determine the command vulnerabilities and recommended security improvements.”
Capability restoration
55
“involves determining actors and their motives, establishing cause and complicity, and may involve appropriate action against perpetrators... contributes ... by removing threats and enhancing deterrence.”
Attack response
56
If adversaries intended to attack nations in cyber space, they would select targets which would cause the largest impacts and losses to their opponents with the least effort. It is therefore a very reasonable assumption that adversaries would attack critical infrastructure systems via the Internet.
–McAfee Virtual Criminology Report 2009, p. 16
57
“worldwide interconnection of communication networks, computers, databases, and consumer electronics that make vast amounts of information available to users.”
Global Information Infrastructure
58
those within or serving the U.S., for government, commerce and research
National Information Infrastructure
59
those within or serving the DoD (e.g. nodes on SIPRNET and NIPRNET)
Defense Information Infrastructure
60
Civilian systems are “essential to the minimum operations of the economy and government”. Examples: telecommunications, energy, banking, transportation and emergency services
Presidential Decision Directive (PDD-63) of 1998
61
is the resource being protected
Physical assets
Logical assets
System assets
62
devices, computers, people
Physical Assets
63
information, data (in transmission, storage, or processing), and intellectual property
Logical Assets
64
any software, hardware, data, administrative, physical, communications, or personnel resource within an information system
System assets
65
Often a security solution/policy is phrased in terms of the following three categories:
Objects
Subjects
Actions
66
the items being protected by the system (documents, files, directories, databases, transactions, etc.)
Objects
67
entities (users, processes, etc.) that execute activities and request access to objects.
Subjects
68
operations, primitive or complex, that can operate on objects and must be controlled
Actions
69
is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The assessment of risk must take into account the consequences of an exploit.
Risk
70
is a process for an organization to identify and address the risks in their environment.
Risk management
71
is the implementation (policy, procedures, technology) of the security effort within an organization.
security posture or security profile
72
is a type of consequence, involving accidental exposure of information to an agent not authorized access.
Inadvertent disclosure
73
is the outcome of an attack. In a purposeful threat, the threat actor has typically chosen a desired consequence for the attack, and selects the IA objective to target to achieve this.
consequence
74
targets availability
Disruption
75
targets integrity
Corruption
76
targets confidentiality
Exploitation
77
is an instance when the system is vulnerable to attack.
Exposure
78
is a situation in which the attacker has succeeded.
compromise
79
is a recognized action—specific, generalized or theoretical—that an adversary (threat actor) might be expected to take in preparation for an attack.
indicator
80
is an attempt to gain access, cause damage to or otherwise compromise information and/or systems that support it.
Attack
81
an attack in which the attacker observes interaction with the system.
Passive attack
82
an attack in which the attacker directly interacts with the system.
Active attack
83
an attack where there is not a deliberate goal of misuse
Unintentional attack
84
the active entity, usually a threat actor, that interacts with the system.
Attack subject
85
the targeted information system asset.
Attack object
86
is the set of ways in which an adversary can enter the system and potentially cause damage
attack surface
87
is an instance when the system is vulnerable to attack
Exposure
88
is a situation in which the attacker has succeeded.
compromise
89
is a recognized action—specific, generalized or theoretical—that an adversary (threat actor) might be expected to take in preparation for an attack.
indicator
90
is one for which there is no known threat (vulnerability is there but not exploitable).
dangling vulnerability
91
is one that does not pose a danger as there is no vulnerability to exploit (threat is there, but can’t do damage).
dangling threat
92
is a weakness or fault in a system that exposes information to attack.
vulnerability
93
is a method for taking advantage of a known vulnerability
exploit
94
is a collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security.
enclave
95
is a nonhostile environment that may be protected from external hostile elements by physical, personnel, and procedural countermeasures.
benign environment
96
for assets is one that has known threats. Example: locating an asset in a war zone or a flood zone, or placing an unprotected machine on the Internet.
hostile environment
97
is a specific instance of a threat, e.g. a specific hacker, a particular storm, etc.
threat actor
98
is a category of entities, or a circumstance, that poses a potential danger to an asset (through unauthorized access, destruction, disclosure, modification or denial of service).
threat
99
is the process by which an asset is managed from its arrival or creation to its termination or destruction.
lifecycle
100
is a generic term that implies a mechanism in place to provide a basis for confidence in the reliability/security of the system.
Trust
101
are the security features of a system that provide enforcement of a security policy
Trust mechanisms
102
is a collection of all the trust mechanisms of a computer system which collectively enforce the policy.
trusted computing base (TCB)
103
is a measure of confidence that the security features, practices, procedures, and architecture of a system accurately mediates and enforces the security policy
Assurance
104
risks not avoided or transferred are retained by the organization. E.g. sometimes the cost of insurance is greater than the potential loss. Sometimes the loss is improbable, though catastrophic.
Risk acceptance
105
not performing an activity that would incur risk. E.g. disallow remote login.
Risk avoidance
106
taking actions to reduce the losses due to a risk; many technical countermeasures fall into this category
Risk mitigation
107
shift the risk to someone else. E.g. most insurance contracts, home security systems
Risk transfer