Card Set Information

2012-12-03 14:35:11
exam4 is430

Exam 4 Review for Is430

  1. Implementing organization’s information systems includes changes to:
    • -Procedures (through policy)
    • -People (through training)
    • -Hardware (through firewalls)
    • -Software (through encryption)
    • -Data (through classification)
  2. Major steps in executing project plan are:
    • -Planning the project
    • -Supervising tasks and action steps
    • -Wrapping up
  3. Major project tasks in work breakdown structure (WBS) are:
    • -Work to be accomplished
    • -Assignees
    • -Start and end dates
    • -Amount of effort required
    • -Estimated capital and noncapital expenses
    • -Identification of dependencies between/among tasks
  4. Financial considerations
    • -No matter what information security needs exist, the amount of effort that can be expended depends on funds available
    • -Cost benefit analysis must be verified prior to development of project plan
    • -Both public and private organizations have budgetary constraints, though of a different nature
    • -To justify an amount budgeted for a security project at either public or for-profit organizations, it may be useful to benchmark expenses of similar organizations
  5. Priority considerations
    • -In general, the most important information security controls should be scheduled first
    • -Implementation of controls is guided by prioritization of threats and value of threatened information assets
  6. Time and scheduling considerations
    -Time impacts dozens of points in the development of a project plan, including:
    • -Time to order, receive, install, and configure security control
    • -Time to train the users
    • -Time to realize return on investment of control
  7. Staffing considerations
    • -Lack of enough qualified, trained, and available personnel constrains project plan
    • -Experienced staff is often needed to implement available technologies and develop and implement policies and training programs
  8. Procurement considerations
    • -IT and information security planners must consider acquisition of goods and services
    • -Many constraints on selection process for equipment and services in most organizations, specifically in selection of service vendors or products from manufacturers/suppliers
    • -These constraints may eliminate a technology from realm of possibilities
  9. Organizational feasibility considerations
    • -Policies require time to develop; new technologies require time to be installed, configured, and tested
    • -Employees need training on new policies and technology, and how new information security program affects their working lives
    • -Changes should be transparent to system users unless the new technology is intended to change procedures (e.g., requiring additional authentication or verification)
  10. Training and indoctrination considerations
    • -Size of organization and normal conduct of business may preclude a single large training program on new security procedures/technologies
    • -Thus, organization should conduct phased-in or pilot approach to implementation
  11. Project scope
    concerns boundaries of time and effort-hours needed to deliver planned features and quality level of project deliverables
  12. Supervised implementation
    • -Some organizations may designate champion from general management community of interest to supervise implementation of information security project plan
    • -An alternative is to designate senior IT manager or CIO to lead implementation
    • -Optimal solution is to designate a suitable person from information security community of interest
    • -It is up to each organization to find the most suitable leadership for a successful project implementation
  13. Executing the plan
    • -Negative feedback ensures project progress is measured periodically
    • -Often, project manager can adjust one of three parameters for task being corrected:
  14. Negative feedback ensures project progress is measured periodically
    • -Measured results compared against expected results
    • -When significant deviation occurs, corrective action taken
  15. Often, project manager can adjust one of three parameters for task being corrected:
    • -Effort and money allocated
    • -Scheduling impact
    • -Quality or quantity of deliverable
  16. Project wrap-up
    • -Project wrap-up is usually handled as procedural task and assigned to mid-level IT or information security manager
    • -Collect documentation, finalize status reports, and deliver final report and presentation at wrap-up meeting
    • -Goal of wrap-up is to resolve any pending issues, critique overall project effort, and draw conclusions about how to improve process
  17. Four basic approaches in Conversion Strategies:
    • -Direct changeover
    • -Phased implementation
    • -Pilot implementation
    • -Parallel operations
  18. The Bull’s-Eye Model
    • Proven method for prioritizing program of complex change
    • Issues addressed from general to specific; focus is on systematic solutions and not individual problems
  19. The Bull’s-Eye Model relies on process of evaluating project plans in progression through four layers:
    • -Policies
    • -Networks
    • -Systems
    • -Applications
  20. Technology governance
    -Complex process an organization uses to manage impact and costs from technology implementation, innovation, and obsolescence
  21. By managing the process of change, organization can:
    • -Improve communication;
    • -enhance coordination;
    • -reduce unintended consequences;
    • -improve quality of service;
    • -and ensure groups are complying with policies
  22. Lewin change model:
    • -Unfreezing
    • -Moving
    • -Refreezing
  23. Steps can be taken to make organization more amenable to change:
    • -Reducing resistance to change from beginning of planning process
    • -Develop culture that supports change
  24. Reducing resistance to change from the start
    • -The more ingrained the previous methods and behaviors, the more difficult the change
    • -Best to improve interaction between affected members of organization and project planners in early project phases
    • -Three-step process for project managers
    • -Joint application development
  25. Three-step process for project managers:
    • -communicate,
    • -educate,
    • -and involve
  26. Developing a culture that supports change
    • -Ideal organization fosters resilience to change
    • -Resilience
    • -To develop such a culture, organization must successfully accomplish many projects that require change
  27. Resilience:
    -is when an organization has come to expect change as a necessary part of organizational culture, and embracing change is more productive than fighting it
  28. When implementing information security, there are many human resource issues that must be addressed
    • -Positioning and naming
    • -Staffing
    • -Evaluating impact of information security across every role in IT function
    • -Integrating solid information security concepts into personnel practices
  29. The security function can be placed within:
    • -IT function
    • -Physical security function
    • -Administrative services function
    • -Insurance and risk management function
    • -Legal department
  30. The following factors for Qualifications and requirements must be addressed:
    • -General management should learn more about skills and qualifications for positions
    • -Upper management should learn about budgetary needs of information security function
    • -IT and general management must learn more about level of influence and prestige the information security function should be given to be effective
  31. Organizations look for information security professionals who understand:
    • -How an organization operates at all levels
    • -Information security is usually a management problem, not a technical problem
    • -Strong communications and writing skills
    • -The role of policy in guiding security efforts
    • -Most mainstream IT technologies
    • -The terminology of IT and information security
    • -Threats facing an organization and how they can become attacks
    • -How to protect organization’s assets from information security attacks
    • -How business solutions can be applied to solve specific information security problems
  32. Entry into the information security profession
    -Many information security professionals enter the field through one of two career paths:
    • -Law enforcement and military
    • -Technical, working on security applications and processes
  33. Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy:
    -offers set of model job descriptions
  34. Chief Information Security Officer (CISO or CSO)
    • -Top information security position; frequently reports to Chief Information Officer (CIO)
    • -Manages the overall information security program
    • -Drafts or approves information security policies
    • -Works with the CIO on strategic plans
    • -Develops information security budgets
    • -Sets priorities for information security projects and technology
    • -Makes recruiting, hiring, and firing decisions or recommendations
    • -Acts as spokesperson for information security team
  35. Typical qualifications of Chief Information Security Officer (CISO or CSO)
    • -accreditation,
    • -graduate degree,
    • -experience
  36. Security manager
    • -Accountable for day-to-day operation of information security program
    • -Accomplish objectives as identified by CISO
  37. Typical qualifications of Security manager:
    • -not uncommon to have accreditation;
    • -ability to draft middle- and lower-level policies;
    • -standards and guidelines;
    • -budgeting, project management, and hiring and firing;
    • -manage technicians
  38. Security technician
    • -Technically qualified individuals tasked to configure security hardware and software
    • -Tend to be specialized
  39. Typical qualifications of Security technician:
    • -Varied; organizations prefer expert, certified, proficient technician
    • -Some experience with a particular hardware and software package
    • -Actual experience in using a technology usually required
  40. (ISC)2 Certifications
    • -Certified Information Systems Security Professional (CISSP)
    • -Systems Security Certified Practitioner (SSCP)
    • -Associate of (ISC)2
    • -Certification and Accreditation Professional (CAP)
  41. ISACA Certifications
    • -Certified Information Systems Auditor (CISA)
    • -Certified Information Security Manager (CISM)
  42. Related Certifications
    • -Prosoft
    • -RSA Security
    • -CheckPoint
    • -Cisco
  43. Advice: Always remember:
    -business before technology
  44. Never lose sight of goal: which is
  45. Advice:
    • Technology provides elegant solutions for some problems, but adds to difficulties for others
    • Be heard and not seen
    • Know more than you say; be more skillful than you let on
    • Speak to users, not at them
    • Your education is never complete
  46. Types of Background Checks
    • Identity checks
    • Education and credential checks
    • Previous employment verification
    • Reference checks
    • Worker’s compensation history
    • Motor vehicle records
    • Drug history
    • Credit history
    • Civil court history
    • Criminal court history
  47. Employees pay close attention to job performance evaluations
    -If evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
  48. What to do in Hostile departures:
    • -Before employee is aware, all logical and keycard access is terminated
    • -Employee collects all belongings and surrenders all keys, keycards, and other company property
    • -Employee is then escorted out of the building
  49. Hostile departures include
    • -termination for cause,
    • -permanent downsizing,
    • -temporary lay-off,
    • -or some instances of quitting
  50. What to do in Friendly departures:
    • -Employee may be notified well in advance of departure date
    • -More difficult for security to maintain positive control over employee’s access and information usage
    • -Employee access usually continues with new expiration date
    • -Employees come and go at will, collect their own belongings, and leave on their own
  51. Friendly departures include
    • -resignation,
    • -retirement,
    • -promotion,
    • -or relocation
  52. Separation of duties:
    -is a control used to reduce chance of individual violating information security; stipulates that completion of significant task requires at least two people
  53. Collusion:
    -is when unscrupulous workers conspire to commit an unauthorized task
  54. Two-man control:
    -is when two individuals review and approve each other’s work before the task is categorized as finished
  55. Job rotation:
    -is when employees know each other’s job skills
  56. Least privilege:
    -ensures that no unnecessary access to data exists and that only those individuals who must access the data do so
  57. Organizational changes that may occur include:
    • -Acquisition of new assets;
    • -emergence of new vulnerabilities;
    • -business priorities shift;
    • -partnerships form or dissolve;
    • -organizational divestiture and acquisition;
    • -employee hire and turnover
  58. NIST SP 800-100 Information Security Handbook: A Guide for Managers
    -Provides managerial guidance for establishing and implementing an information security program
  59. Thirteen areas of information security management
    • -Provide for specific monitoring activities for each task
    • -Tasks should be done on an ongoing basis
    • -Not all issues are negative
  60. Information security governance
    -Agencies should monitor the status of their programs to ensure that:
    • -Ongoing information security activities provide support to agency mission
    • -Current policies and procedures are technology-aligned
    • -Controls are accomplishing the intended purpose
  61. System development life cycle:
    -The overall process of developing, implementing, and retiring information systems through a multistep process
  62. Awareness and training
    • -Tracking system should capture key information on program activities
    • -Tracking compliance involves assessing the status of the program
    • -The program must continue to evolve
  63. Capital planning and investment control
    • -Designed to facilitate and control the expenditure of agency funds
    • -Select-control-evaluate investment life cycle
  64. Interconnecting systems
    • -The direct connection of two or more information systems for sharing data and other information resources
    • -Can expose the participating organizations to risk
    • -When properly managed, the added benefits include greater efficiency, centralized access to data, and greater functionality
  65. Performance measures
    • -Metrics: tools that support decision making
    • -Six phase iterative process
  66. Security planning
    -is one of the most crucial ongoing responsibilities in security management
  67. Information technology contingency planning:
    -consists of a process for recovery and documentation of procedures
  68. Risk management
    • -Ongoing effort
    • -Tasks include performing risk identification, analysis, and management
  69. Certification, accreditation, and security assessments
    • -An essential component in any security program
    • -The status of security controls is checked regularly
    • -Auditing: the process of reviewing the use of a system for misuse or malfeasance
  70. Incident response:
    -is the incident response life cycle
  71. Configuration (or change) management:
    -manages the effects of changes in configurations
  72. Recommended maintenance model based on five subject areas:
    • -External monitoring
    • -Internal monitoring
    • -Planning and risk assessment
    • -Vulnerability assessment and remediation
    • -Readiness and review
  73. Data sources
    • -Acquiring threat and vulnerability data is not difficult
    • -Turning data into information decision makers can use is the challenge
    • -External intelligence
    • -Regardless of where or how external monitoring data is collected, it must be analyzed in context of organization’s security environment to be useful
  74. External intelligence comes from three classes of sources:
    • -vendors,
    • -computer emergency response teams (CERTs),
    • -public network sources
  75. Monitoring, escalation, and incident response
    • -Function of external monitoring process is to monitor activity, report results, and escalate warnings
    • -Monitoring process
  76. Monitoring process has three primary deliverables:
    • -Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to organization
    • -Periodic summaries of external information
    • -Detailed intelligence on highest risk warnings
  77. Data collection and management
    • -Over time, external monitoring processes should capture knowledge about external environment in appropriate formats
    • -External monitoring collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference
  78. Internal monitoring accomplished by:
    • -Doing inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
    • -Leading the IT governance process
    • -Real-time monitoring of IT activity
    • -Monitoring the internal state of the organization’s networks and systems
  79. Network characterization and inventory
    • -Organizations should have carefully planned and fully populated inventory for network devices, communication channels, and computing devices
    • -Once characteristics identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts
  80. Making intrusion detection and prevention systems work
    • -The most important value of raw intelligence provided by the IDS is providing indicators of current or imminent vulnerabilities
    • -Log files from IDS engines can be mined for information
    • -Another IDS monitoring element is traffic analysis
    • -Analyzing attack signatures for unsuccessful system attacks can identify weaknesses in various security efforts
  81. Difference analysis:
    -is a procedure that compares current state of network segment against known previous state of same segment
  82. Detecting differences
    • -Difference analysis:
    • -Differences between the current state and the baseline state that are unexpected could be a sign of trouble and need investigation
  83. Primary objectives of Planning and Risk Assessment
    • -Establishing a formal information security program review
    • -Instituting formal project identification, selection, planning, and management processes
    • -Coordinating with IT project teams to introduce risk assessment and review for all IT projects
    • -Integrating a mindset of risk assessment across organization
  84. Information security program planning and review
    • -Periodic review of ongoing information security program coupled with planning for enhancements and extensions is recommended
    • -Should examine IT needs of future organization and impact those needs have on information security
    • -A recommended approach takes advantage of the fact most organizations have annual capital budget planning cycles and manage security projects as part of that process
  85. Large projects should be broken into smaller projects for several reasons
    • -Smaller projects tend to have more manageable impacts on networks and users
    • -Larger projects tend to complicate change control process in implementation phase
    • -Shorter planning, development, and implementation schedules reduce uncertainty
    • -Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility
  86. Security risk assessments
    • -A key component for driving security program change is information security operational risk assessment (RA)
    • -RA identifies and documents risk that project, process, or action introduces to organization and offers suggestions for controls
    • -Information security group coordinates preparation of many types of RA documents
  87. Vulnerability Assessment and Remediation primary goal:
    • -identification of specific,
    • -documented vulnerabilities and their timely remediation
  88. Vulnerability Assessment and Remediation accomplished by:
    • -Using vulnerability assessment procedures
    • -Documenting background information and providing tested remediation procedures for vulnerabilities
    • -Tracking vulnerabilities from when they are identified
    • -Communicating vulnerability information to owners of vulnerable systems
    • -Reporting on the status of vulnerabilities
    • -Ensuring the proper level of management is involved
  89. Penetration testing
    • -A level beyond vulnerability testing
    • -Is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker)
  90. Penetration test (pen test):
    -is usually performed periodically as part of a full security audit
  91. Penetration testing can be conducted one of two ways:
    • -black box
    • -or white box
  92. Internet vulnerability assessment
    -Designed to find and document vulnerabilities present in organization’s public-facing network
  93. Steps in the Internet vulnerability assessment process include:
    • -Planning, scheduling, and notification
    • -Target selection
    • -Test selection
    • -Scanning
    • -Analysis
    • -Record keeping
  94. Intranet vulnerability assessment
    • -Designed to find and document selected vulnerabilities present on the internal network
    • -Attackers are often internal members of organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)
    • -This assessment is usually performed against selected critical internal devices with a known, high value by using selective penetration testing
    • -Steps in process almost identical to steps in Internet vulnerability assessment
  95. Platform security validation (PSV)
    • -Designed to find and document vulnerabilities that may be present because of misconfigured systems in use within organization
    • -These misconfigured systems fail to comply with company policy or standards
    • -Fortunately, automated measurement systems are available to help with the intensive process of validating compliance of platform configuration with policy
  96. Wireless vulnerability assessment
    • -Designed to find and document vulnerabilities that may be present in wireless local area networks of organization
    • -Since attackers from this direction are likely to take advantage of any loophole or flaw, assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach
  97. Modem vulnerability assessment
    • -Designed to find and document any vulnerability present on dial-up modems connected to organization’s networks
    • -Since attackers from this direction take advantage of any loophole or flaw, assessment is usually performed against all telephone numbers owned by the organization
    • -One element of this process, often called war dialing, uses scripted dialing attacks against pool of phone numbers
  98. Documenting vulnerabilities
    • -Vulnerability tracking database should provide details as well as a link to the information assets
    • -Low-cost and ease of use makes relational databases a realistic choice
    • -Vulnerability database is an essential part of effective remediation
  99. Remediating vulnerabilities
    • -Objective is to repair flaw causing a vulnerability instance or remove risk associated with vulnerability
    • -As last resort, informed decision makers with proper authority can accept risk
    • -Important to recognize that building relationships with those who control information assets is key to success
    • -Success depends on organization adopting team approach to remediation, in place of cross-organizational push and pull
  100. Acceptance or transference of risk
    • -In some instances, risk must simply be acknowledged as part of organization’s business process
    • -Management must be assured that decisions made to assume risk for the organization are made by properly informed decision makers
    • -Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision
  101. Threat removal
    • -In some circumstances, threats can be removed without repairing vulnerability
    • -Vulnerability can no longer be exploited, and risk has been removed
    • -Other vulnerabilities may be amenable to other controls that do not allow an expensive repair and still remove risk from situation
  102. Vulnerability repair
    • -Optimum solution in most cases is to repair vulnerability
    • -Applying patch software or implementing a workaround often accomplishes this
    • -In some cases, simply disabling the service removes vulnerability; in other cases, simple remedies are possible
    • -Most common repair is application of a software patch
  103. Readiness and Review accomplished by:
    • -Policy review
    • -Program review
    • -Rehearsals
  104. 20 Notorious worms, viruses and botnets
    • 1. Creeper
    • 2. Elk Cloner
    • 3. Morris worm
    • 4. Michelangelo
    • 5. Melissa
    • 6. I Love You
    • 7. Anna Kournikova virus
    • 8. Code Red
    • 9. SQL Slammer
    • 10. Sasser
    • 11. Mytob
    • 12. Storm botnet
    • 13. Koobface
    • 14. Zeus botnet
    • 15. Ikee
    • 16. Conficker
    • 17. Operation Aurora
    • 18. Flashback Trojan
    • 19. Stuxnet
    • 20. Flame malware