Premium Essay

It-255

In:

Submitted By pepoccc01
Words 799
Pages 4
IT255 Introduction to Information Systems Security
Unit 5 Importance of Testing, Auditing, and Monitoring
© ITT Educational Services, Inc. All rights reserved.

Learning Objective
Explain the importance of security audits, testing, and monitoring to effective security policy.

IT255 Introduction to Information Systems Security

© ITT Educational Services, Inc. All rights reserved.

Page 2

Key Concepts
 Role of an audit in effective security baselining and gap analysis  Importance of monitoring systems throughout the IT infrastructure  Penetration testing and ethical hacking to help mitigate gaps  Security logs for normal and abnormal traffic patterns and digital signatures  Security countermeasures through auditing, testing, and monitoring test results
IT255 Introduction to Information Systems Security
© ITT Educational Services, Inc. All rights reserved. Page 3

EXPLORE: CONCEPTS

IT255 Introduction to Information Systems Security

© ITT Educational Services, Inc. All rights reserved.

Page 4

Purpose of an IT Security Assessment
Check effectiveness of security measures. Verify access controls.

Validate established mechanisms.

IT255 Introduction to Information Systems Security

© ITT Educational Services, Inc. All rights reserved.

Page 5

IT Security Audit Terminology
 Verification  Validation  Testing  Evaluation

IT255 Introduction to Information Systems Security

© ITT Educational Services, Inc. All rights reserved.

Page 6

Purpose of an IT Infrastructure Audit
Verify that established controls perform as planned.
Internal audits examine local security risks and countermeasures. External audits explore attacks from outside.

IT255 Introduction to Information Systems Security

© ITT Educational Services, Inc. All rights reserved.

Page 7

IT Security Assessment vs. Audit

Security

Similar Documents

Premium Essay

It 255

...Hana Laplant 4/12/12 Unit 4 Assignment 1&2 Enhance an existing it security policy framework Security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes computers running Windows 7 or Windows Server 2008 R2. Organizations invest a large portion of their information technology budgets on security applications and services, such as antivirus software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. To be well defined and timely, an auditing strategy must provide useful tracking data on an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. Unfortunately, no organization has unlimited resources to monitor every single resource and activity on a network. If you do not plan well enough, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit...

Words: 1876 - Pages: 8

Premium Essay

It 255

...Rock Laguerre IT255 Homework Instructor: Nicole Taylor 1. _____________ offers a mechanism to accomplish four security goals: confidentiality, integrity, authentication, and non-repudiation. A. Security association (SA) B. Secure socket layer (SSL) * C. Cryptography D. None of the above 2. A strong hash function is designed so that a message cannot be forged that will result in the same hash as a legitimate message. * True B. False 3. The act of scrambling plaintext into ciphertext is known as __________ A. Decryption * B. Encryption C. Plaintext D. Cleartext 4. An algorithm used for cryptographic purposes is known as a ______________ A. Hash B. Private key C. Public key * D. Cypher 5. Encryption ciphers fall into two general categories: symmetric (private) key and asymmetric (public) key * True B. False 6. An encryption cipher that uses the same key to encrypt and decrypt is called a ____________ key * Symmetric (private) B. Asymmetric (public) C. Key encrypting D. None of the above 7. ______________ corroborates the identity of an entity, whether the sender, the sender’s computer, some device, or some information. A. Non-repudiation B. Confidentiality C. Integrity * D. Authentication 8. Which of the following is one of the four basic forms of a cryptographic attack? A. Ciphertest-only attack B. Known-plaintext attack C. Chosen-plaintext attack D. Chosen-ciphertext attack ...

Words: 309 - Pages: 2

Free Essay

9.2 It-255

...Network nodes are not directly aware that switches handle the traffic they send and receive, making switches the silent workhorse of a network. Other than offering an administrative interface, switches do not maintain layer three IP addresses, so hosts cannot send traffic to them directly. The primary attack against a switch is the ARP poisoning attack described earlier in the “Switches” section of this chapter. However, the possibility of an ARP attack doesn’t mean switches cannot be used as security control devices. As mentioned earlier, MAC addresses are unique for every network interface card, and switches can be configured to allow only specific MAC addresses to send traffic through a specific port on the switch. This function is known as port security, and it is useful where physical access over the network port cannot be relied upon, such as in public kiosks. With port security, a malicious individual cannot unplug the kiosk, plug in a laptop, and use the switch port, because the laptop MAC will not match the kiosk’s MAC and the switch would deny the traffic. While it is possible to spoof a MAC address, locking a port to a specific MAC creates a hurdle for a would-be intruder. Switches can also be used to create virtual local area networks (VLANs). VLANs are layer two broadcast domains, and they are used to further segment LANs. As described earlier, ARP broadcasts are sent between all hosts within the same VLAN. To communicate with a host that is not in your...

Words: 399 - Pages: 2

Premium Essay

Itt 255

...Ken Schmid Unit 3 Assignment 1 Remote Access Control Policy for Richman Investments Authorization- Richman Investments must define rules as to who has access to which computer and network resources. My suggestion is that RI implements either a group membership policy or an authority-level policy to achieve this. Group policy would allow the administrator to assign different privileges to different groups. The admin would then assign different individual users to those different groups. So the users permissions would depend on the permissions of the group they were a member of. With authority-level policy the admin would assign different permissions to individual users based on their position and authority level within the company and what access that position requires. Identification- Richman Investments needs to assign a unique identifier to each user in order to have accurate records of who is accessing, or trying to access, what applications, which network resource, and what data. The most common ID is the username, account number, or PIN Authentication- In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification. To do this RI can choose one of the following knowledge type authentications: PIN, password, or passphrase along with one of the following ownership type of authentication: smart card, key, badge...

Words: 312 - Pages: 2

Premium Essay

Itt 255

...Exercise 3: Access Controls Scenarios: 1. Shovels and Shingles is a small construction company consisting of 12 computers that have Internet access. For this scenario, I would implement Software controls. With software controls you can determine who has the appropriate permissions to access the 12 computers. 2. Top Ads is a small advertising company consisting of 12 computers that have Internet Access. All employees communicate using smart phones. I would again implement Software controls. With software controls you can determine who has the appropriate permissions to access the 12 computers as well as the smartphones that will be used. 3. NetSecIT is a multinational IT services company consisting of 120,000 computers that have Internet access and 45,000 servers. All employees communicate smartphones and email. Many employees work from home and travel extensively. Software controls for computers and smartphones, but I would also apply Logical/technical controls to provent human error for when employees work from home. Also Physical controls to protect the room the servers will be placed in. 4. Backordered Parts is a defense contractor that builds communications parts for the military. All employees communicate using smartphones and email. I would apply Physical controls to protect the parts as well as Software controls for the smartphone and email use. 5. Confidential Services Inc. is a military-support branch consisting of 14,000,000 computers with...

Words: 310 - Pages: 2

Free Essay

Biostat 255 1

...subset of B and write A ⊂ B . Dorota M. Dabrowska (UCLA) Biostatistics 255 September 21, 2011 1 / 49 In what follows all sets will be subsets of a larger set Ω. The complement of A in Ω is denoted by Ac and represents elements of Ω which do not belong to A: Ac = { ω ∈ Ω : ω ∈ A} / The complement of the set Ω is given by the empty set ∅. Dorota M. Dabrowska (UCLA) Biostatistics 255 September 21, 2011 2 / 49 For any sets A ⊆ Ω, B ⊆ Ω, we denote by A ∪ B and A ∩ B their union and intersection. The union represents points which belong to A or B : A ∪ B = {ω ∈ Ω : ω ∈ A or ω ∈ B } while intersection corresponds to points which belong to both sets A ∩ B = {ω ∈ Ω : ω ∈ A and ω ∈ B } If A and B are disjoint sets, i.e. A ∩ B = ∅, then their union will be denoted by A + B . Finally, the difference and the symmetric difference are defined as B − A = B ∩ Ac = {ω : ω ∈ B and ω ∈ A} − difference / A∆B = (A − B ) ∪ (B − A) − symmetric difference Dorota M. Dabrowska (UCLA) Biostatistics 255 September 21, 2011 3 / 49 The operations of union and intersection are governed by certain laws. They are given by (i) identity laws: A∪∅ = A and A∩Ω = A (ii) domination laws: A∪Ω=Ω and A∩∅=∅ A∪A = A and A∩A=A A∪B =B∪A and A∩B =B∩A (iii) idempotent laws (iv) commutative laws: Dorota M. Dabrowska (UCLA) Biostatistics 255 September 21, 2011 4 / 49...

Words: 3741 - Pages: 15

Free Essay

It 255 Assignment 8

...Network Hardening Assignment 8 The Internet is vulnerable to myriads kinds of attacks, due to: 1. Vulnerabilities in the TCP-IP protocol 2. No global flow control mechanisms The above two problems lead to many TCP exploits and the dreaded DDoS attacks. We have devised a method of incrementally upgrading the network infrastructure at the transport level that solves the above problems and makes the network significantly more resilient to attacks, particularly the DDoS attack. The approach uses "hardened routers" -- routers that can do simple cryptographic functions (encryption, signatures) on all packets flowing int he network, as well as to participate in a hierarchical control network. We show how incremental deployment of such routers can make the Internet safer. Like all things dynamic, change is inevitable. Such is the case with your network environment. Upgrades and modifications to the network architecture can sometimes expose (or create) security holes. As such, it is important to consistently evaluate the Making a Business Case for Network Hardening Hardening a network does not always translate into spending large quantities of money. However, money will be required in some form or fashion. Whether that means spending it on new hardware, software, or man hours really depends on what needs to be addressed. It may include all of the above. The time may come when a cost/benefit analysis will be required by those in charge before hardening activities can move forward...

Words: 362 - Pages: 2

Premium Essay

W9 Assessment It 255

...[pic] Martin’s Inc. Ethics Policy Created by or for the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to stephen@sans.edu 1. Overview Martin’s Inc. purpose for this ethics policy is to establish a culture of openness, trust and integrity in business practices. Effective ethics is a team effort involving the participation and support of every Martin’s Inc. employee. All employees should familiarize themselves with the ethics guidelines that follow this introduction. Martin’s Inc. is committed to protecting employees, partners, vendors and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. When Martin’s Inc. addresses issues proactively and uses correct judgment, it will help set us apart from competitors. Martin’s Inc. will not tolerate any wrongdoing or impropriety at anytime. Martin’s Inc. will take the appropriate measures act quickly in correcting the issue if the ethical code is broken. Any infractions of this code of ethics will not be tolerated. 2. Purpose Our purpose for authoring a publication on ethics is to emphasize the employee’s and consumer’s expectation to be treated to fair business practices. This policy will serve to guide business behavior to ensure ethical conduct. 3. Scope This policy applies to employees, contractors, consultants, temporaries, and other workers at Martin’s Inc., including...

Words: 661 - Pages: 3

Premium Essay

Rst 255 Term Paper

...Blake Groesbeck RST 255-B Term Paper 5/4/15 grosbck2 Term Paper: Bigger Stronger Faster In our everyday lives every action has a positive and negative effect, where individuals are constantly using ethical lenses to judge their stance on a certain situation, whether they know it or not. After having the chance to watch the ESPN 30 for 30 Bigger Stronger Faster, it was an extremely eye opening experience. The documentary took an objective stance on the use of anabolic steroids where the National Institute on Drug Abuse defines anabolic-androgenic steroids as, “a synthetic variant of the male sex hormone testosterone and that “anabolic” refers to muscle-building and “androgenic” refers to increased male sexual characteristics.” The use of anabolic steroids for sports/recreation is illegal and is considered by the United States as a controlled substance, however the use of anabolic steroids for medical use is legal. The ethical question I am asking is, “how can the United States “claim” that the use of anabolic steroids for medical reasons be ethical and can “help” someone when they “claim” that the use of anabolic steroids for sports/recreation to be unethical and will “hurt” someone?” In order to take an objective stance I will use three of the five ethical lenses provided in class. The five ethical lenses that were provided in class are: the Utilitarian Approach, the Rights Approach, the Fairness or Justice Approach, the Common Good Approach, and the Virtue Approach. ...

Words: 1505 - Pages: 7

Free Essay

Apa Paper for Psyc 255

...Lessons Learned About Writing Style Beth A. Buser Liberty University Author Note Beth A. Buser, Department of Psychology, Liberty University. Beth A. Buser is now at the Department of Psychology, Liberty University. This research was supported by a Pell Grant given by the United States government. Correspondences concerning this article should be addressed to Beth A. Buser, Department of Psychology, Liberty University, Lynchburg, VA 24515. E-mail: bbuser1@liberty.edu Questions and Answers If an individual wants to know where to find the official criteria for proper APA style, the best source to refer to would be the Publication Manual of the American Psychological Association, 6th Edition. This manual provides in depth information on the proper ways to construct documents in writing which includes the structure, the style, and citing all sources properly in text or via a reference page. The manual also provides numerous examples for each form of documentation as well as detailed examples of structure for publication. There are five levels of headings used in the APA manuscript format. A level one heading is presented by centering the heading in bold face type while using upper and lowercase letters. A level two heading is presented by aligning the heading flush to the left margin and typing the letters in bold face type while using upper and lowercase letters. A level three heading is presented by indenting the heading and typing the letters...

Words: 670 - Pages: 3

Premium Essay

Pscy 255 Case Study

...Case Study Kimberly Greenway Liberty University What is a case study? In psychology a case study is an observation technique in which one person is studied in depth in the hope of revealing universal principles. A case study analyzes the subject’s life to understand pattern and causes of behavior. What are some reasons for using a case study approach? Case studies can be used to collect data that involves a person’s individual behavior. This allows a person to obtain a detailed profile of the person being studied. This can provide clear insight for further or future research. Case studies allow researchers a possibility to investigate which is impossible in a laboratory where other research may be conducted. What are advantages and disadvantages of this approach? Some advantage of case studies can help generate new methods that may help or be tested later by other research methods. Case studies can provide detailed information, as wells as in depth information on individuals. Also, some unusual cases can help give a clear understanding on some situations or problems that are unethical so they may be studied in other ways. Some disadvantages of this approach are that vital information may be missing, or may be difficult to interpret. Someone’s memory may be selective or even inaccurate. The case study may also be difficult to replicate and can be very time consuming. Another disadvantage is it may also be difficult to draw definite cause-effect conclusions from your...

Words: 480 - Pages: 2

Premium Essay

Case Study Psyc 255

...Case Study Question 1 What is a Case Study? “A case study is an observational method that provides a description of an individual” (Cozby & Bates, 2012). The sample size in a case study usually only consists of a single person or organization, but by design only studies one single social phenomenon. They typically use field-related research to produce qualitative data and help to prepare for future qualitative research. Question 2 What are Some Reasons for Using a Case Study Approach? Case studies are useable within the social sciences to help explain rare circumstances or behaviors. In the world of music, the ability to name correctly and consistently an audible pitch without relating it to any other pitches is an extremely coveted talent. One case study by Lucinda Pearl Boggs (1907) provided qualitative data on a participant known as Miss C. Disinukes, who possessed the gift of perfect pitch. Boggs discovered that Miss Disinukes began learning about music at an extremely young age, and that she had very talented, musical grandparents. This research sparked further quantitative research to test whether having early musical education aids in the development of perfect pitch. Question 3 What are Some Advantages and Disadvantages of Using this Approach? Like pilot studies, case studies are very helpful in exploring a topic on a smaller scale initially and beginning a larger product using the data gathered in the case study. For example, a researcher may be studying...

Words: 516 - Pages: 3

Premium Essay

Psyc 255 Discussion Board 4

...All research must have careful observations no matter what type of research is being conducted. It is important to understand the differences between qualitative and quantitative methods in order to better understand the specific behavior being studied. Sometimes it is important to use both methods for the same study. "Qualitative research methods are the best!" “Qualitative research focuses on people behaving in natural settings and describing their own words” (Cozby and Bates, p. 114. 2012). This research method is the best because it does not manipulate variables in any way. The results are completely reliant on the participant’s reactions in a natural settings. This method offers first hand experiences for researchers to be a part of the study. Qualitative research describes the behaviors being studied without giving a mathematical analysis, which can save time due to the drawn out mathematical analysis. "Quantitative research methods are the best!" “Quantitative research tends to focus on specific behaviors that can be easily quantified” (Cozby and Bates, p. 115, 2012). Quantitative research draws it conclusions based off of the statistical analysis of data. Therefore, the results are in numerical form and then analyzed using statistics. Qualitative research cannot be converted to numerical form so the results cannot be analyzed using statistics. I find that this is the best method for research because it proves that there is a truth in things. Unlike quantitative...

Words: 256 - Pages: 2

Premium Essay

Chm 255 Lab Report 2

...How can Extraction Be Used to Isolate a Natural Product from Nutmeg? Due Date: September 26, 2013 Date Submitted: September 26, 2013 Purpose of the Experiment: We want isolate trimyristin which is a natural product found in nutmeg by using extraction techniques. Reaction Equations: Calculations: (Percent Recovery of Trimyristin) Results: - Recovered trimyrisitn which appeared to be a light orange color. Very brittle when touched. (Trimyristin is an ester formed from glycerol and myristic acid.) - Started with 8 grams of nutmeg but only about 20 percent was actual trimyristin. The rest is made of many different ingredients. -Actual start of trimyristin in the Nutmeg was 1.6 grams and we extracted .320 grams of the Trimyristin. -As a result, the percent Recovery of trimyristin from nutmeg was 20 percent. -Melting Point was 52.3 degrees Celsius of the substance we isolated (trimyristin) -When measuring the melting point of the trimyristin we took three temperatures and averaged them (51.3 degrees Celsius, 52.2 degrees Celsius, 53.4 degrees Celsius) Discussion: a.) Questions: 1. After recovering our sample of trimyristin, we tested to see what the melting point of our product would be. According to chem-info.com, the melting point for trimyristin is between 56 and 57 degrees Celsius. However, our product melted at a temperature of about 52.3 degrees Celsius, which is five degrees lower than the expected melting point of trimyristin. One...

Words: 762 - Pages: 4

Free Essay

It 255 Project Part 2 Richman Investments Project Part Ii

...Richman Investments Removable Media Acceptable Use Policy Policy statement It is the goal of Richman Investments to implement the controlled use of removable media devices that transfer information by all users who have access to any means of data within the company. Objective This form is an official Richman Investments document pertaining to the establishment of principles and working practices that are to be abided by all users in order for data to be safely stored and transferred by means of a removable device. The importance of controlling removable media and the objective of this policy is to: 1. Prohibit any unauthorized disclosure of information as may be necessary to company policy. 2. Maintain data integrity. 3. Build network integrity by instilling confidence and trust with data on the network. 4. Keep high standards of security with the use of protected and restricted data. 5. Avoid malicious network intusions. 6. Prevent unintended or malicious harm on the Richman Investments data network. Applicable Parties This policy applies to all Richman Investment employees, members, committees, business partners, third party IT services, guests, or anyone who is approved access to the data network, IT hardware resources, or any equipment with means of access to files within Richman Investments. Removable Devices Defined 1. USB Memory sticks (flash drive) 2. USB or external hard drive 3. Media Card Readers 4. Embedded microchips...

Words: 1105 - Pages: 5