Principles of Information security textbook problems Chapter 1 & 2 …
Study this se t o nline at: http://www.cram.co m/cards/136 20 58

What is the dif f erence between a threat and a threat agent?

A threat is a constant danger to an asset, whereas a threat agent is the facilitator of an attack.

What is the dif f erence between vulnerability and exposure?

Vu l n e r a b i l i ty i s a fa u l t wi ti n th e s ys te m , s u ch a s s o ftwa r e p a cka g e fl a ws , u n l o cke d d o o r s o r a n u n p r o te cte d s ys te m p o r t. It l e a ve s th i n g s o p e n to a n a tta ck o r d a m a g e . Exp o s u r e i s a s i n g l e i n s ta n ce wh e n a s ys te m i s o p e n to d a m a g e . Vu l n e r a b i l i ti e s ca n i n tu r n b e th e ca u s e o f e xp o s u r e .

Who has the def inition of hack evolved over the last 30 years?

In te e a r l y d a ys o f co m p u ti n g , e n th u s i a s ts we r e ca l l e d h a cks o r h a cke r s , b e ca u s e th e y co u l d te a r a p a r t th e i n s tr u cti o n co d e o r e ve n th e co m p tu e r i ts e l f to m a n i p u l a te i ts o u tp u t. Th e te r m h a cke r a t o n e ti m e e xp r e s s e d r e s p e ct fo r a n o th e r s a b i l i ty. In r e ce n t ye a r s th e a s s o ci a ti o n wi th a n i l l i g a l a cti vi ty h a s n e g a ti vl y ti n g e d th e te r m .

What type of security was dominant in the early years of computing?

Early security was entirely physical security.
C o n fi d e n ti a l i ty: In fo rma ti o n s s h o u l d o n l y b e a c c e s s i b l e to i ts i n te n d e d re c i p i e n ts . In te g ri ty: In fo rma ti o n s h o u l d a rri ve th e s a me a s i t wa s s e n t. Ava i l a b l i l i ty: In fo rma ti o n s h o u l d b e a va i l a b l e to th o s e a u th o ri z e d to u s e i t.

What re the tree components of te CIA triangle and what are they used for?

If the CIA triangle is incomplete, why is it so commonly used in security?

The CIA trianle is still used because it addresses the major concerns with the vulnerability of information systems

Describe the critical characteristics of inf ormation. How are they used in the study of computer security?

Ava i l a b i l i ty: Au th o ri s e d u s e rs c a n a c c e s s th e i n fo rma ti o n Ac c u ra c y: fre e fro m e rro rs Au th e n ti c i ty: g e n u i n e C o n fi d e n ti a l i ty: p re ve n ti n g d i s c l o s u re to u n a u th o ri z e d i n d i vi d u a l s . In te g ri ty: wh o l e a n d u n c o rru p te d . U ti l i ty: h a s a va l u e fo r s o me p u rp o s e Po s s e s s i o n : O wn e rs h i p

Identify the five components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?

Software, Hardware, Data, People, Procedures

Principles of Information security textbook problems Chapter 1 & 2 …
Study this se t o nline at: http://www.cram.co m/cards/136 20 58

In the history of the study of computer security, what system is the father of almost all modern multiuser systems?

Mainframe computer systems

What paper is the foundation of all subsequent studies of computer security?

Rand Report R-609
Bottom up lacks a number of critical features s uch as participant s upport and organiz ational s taying power, whereas top down has s trong upper management s upport, dedicated funding, clear planning and the oppertunity to influence organiz ations culture.

How is the top down approach to information security suerior to the bottom up approach?

Why is a methodology important in the implementation of inf ormation security? How does a methodology imporve the process?

A formal methodology ensures a rigorus process and avoids missing steps.

Who is involved in the security development life cycle? Who leads the process?

Security professionals are involved in the SDLC. Senior magagement, security project team and data owners are leads in the project.

How does the practice of information security qualify as both an art and a science? How does security as a social science influence its practice?

Ar t b e ca u s e th e r e a r e n o h a r d a n d fa s t r u l e s e s p e ci a l l y wi th u s e r s a n d p o l i cy. S ci e n ce b e ca u s e th e s o ftwa r e i s d e ve l o p e d b y co m p u te r s ci e n ti s ts a n d e n g i n e e r s . Fa u l ts a r e a p r e ci s e i n te r a cti o n o f h a r d wa r e a n d s o ftwa r e th a t ca n b e fi xe d g i ve n e n o u g h ti m e .

Who is ultimatly responsible for the security of information in the organization?

The Cheif Information Security Officer (CISO)
It was the firs t and operating s ys tem created with s ecurity as its primary goal. Shortly after the res tructuring of MULTICS, s everal key engineers s tarted working on UNIX which did not require the s ame level of s ecurity.

What is the relationship between the MULTICS project and early development of computer society?

Principles of Information security textbook problems Chapter 1 & 2 …
Study this se t o nline at: http://www.cram.co m/cards/136 20 58

Who has computer security evolved into modern information security?

In the early days before ARPANET machines were only physically secured. After ARPANET it was realised that this was just one componen.

What was important about Rand Report R-609?
Who decides how and when data in an organiz ation will be used and or controlled? Who is responsible for seeing these wishes are carried out?

RR609 was the first widly recogniz ed published document to identify the role of management and policy issues in computer security.

Control and use of data in the Data owners are responsible for how and when data will be used, Data users are working with the data in their daily jobs.

Who should lead a security team? Should the approach to security be more magerial or technical?

A project manager with information security technical skills. The approach to security should be managerial, top down.

How is inf ormat ion securit y a management problem? What can management do t hat t echnology cannot ?

Managment need to perform detailed ris k as s es s ments and s pend hudreds of thous ands of dollars to protect the the day to day functioning of the organiz ation. Technology s et policy, nor fix s ocial is s ues .

Why is data the most important asset and organization possesses? What other assets in an organization require protection?

Da ta i n a n o r g a n i z a ti o n r e p r e s e n ts i ts tr a n s a cti o n r e co r d s a n d i ts a b i l i ty to d e l i ve r va l u e to i ts cu s to m e r s , wi th o u t th i s th e o r g a n i z a ti o n wo u l d n o t b e a b l e to ca r r y o u t d a y to d a y wo r ki n g s . O th e r a s s e s ts th a t r e q u i r e p r o te cti o n i n cl u d e th e a b i l i ty o f th e o r g a n i z a ti o n to fu n cti o n a n d th e s a fe o p e r a ti o n o f a p p l i ca ti o n s , te ch n o l o g y a s s e ts a n d p e o p l e .

It is important to protect data in motion and data at resst. In what other state must data be Protected? In which of the three states is data most difficult to protect?

Data being processed is the third state of data. Data in motion is the most difficult to protect, because once it leaves the organiz ation anything could happen to it.

How does a threat to information security differ from an attack? How can the two overlap?

A threat is a weaknes s in the s ys tem that could potentially be exploited, an attack is the realiz ation of the thread that caus es damage to the s ys tem. They overlap becaus e a Threat agent attacks a s ys tem us ing a threat

Principles of Information security textbook problems Chapter 1 & 2 …
Study this se t o nline at: http://www.cram.co m/cards/136 20 58

How can dual controls, such as two person conformation, reduce the threats from acts of human error and failure? What other controls can reduce this threat?

Emp l o ye e s a re o n e o f th e g re a te s t th re a ts i n i n fo rma ti o n s e c u ri ty, e i th e r i n te n ti o n a l o r vi a h u ma n e rro r. D u a l c o n tro l s re d u c e th i s b e c a u s e a d d i ti o n a l p e o p l e a re re q u i re d to c h e c k wh i c h p re ve n ts mi s ta k e s a n d re q u i re s c o l l a b o ra ti o n b e twe e n p e o p l e i n te n ti o n a l l y d o i n g h a rm. O th e r me th o d s i n c l u d e b a c k u p s , a p p ro ve b e fo re d e l e te , l i mi t a c c e s s o f d ri ve s a n d a p p l i c a ti o n s to e mp l o ye e s wh o ' n e e d -to k n o w'

Why do employees constitute one of the greatest threats to information security?

Because they have access to all inf ormation, they can maliciously or unintentionally cause damage to data and hardware.

What measures can individuals take to protect against shoulder surfing?

- B e a wa r e o f wh o i s a r o u n d wh e n a cce s s i n g co n fi d e n ti a l i n fo r m a ti o n - l i m i t th e n u m b e r o f ti m e s yo u a cce s s co n fi d e n ti a l i n fo r m a ti o n - Avo i d a cce s s i n g co n fi d e n ti a l i n fo r m a ti o n wh i l e o th e r s a r e p r e s e n t.

How has the perception of the hacker changed in recent years? What is the prof ile of the hacker today?

Classical is 14-18 year old male with little parental supervision. Modern is 13-70 male or female well educated person.

What is the difference between a skilled hacker and an unskilled hacker?

A s kille d ha c ke r d e ve lo p s s o ftwa re a nd c o d e e xp lo its , a nd ma s te rs ma ny te c hno lo g ie s like p ro g ra mming , ne two rk p ro to c o ls a nd o p e ra ting s ys te ms . The uns kille d ha c ke r us e s e xp e rt writte n s o ftwa re to e xp lo it a s ys te m, us us a lly with little kno wle d g e o f ho w it wo rks .

What are the various types of malware? How do worms differ from viruses? Do trojan horses carry viruses or worms?

Typ e s o f m a l wa r e : Vi r u s e s , wo r m s , tr o j a n h o r s e s , l o g i c b o m b s a n d b a ck d o o r s . Vi r u s e s a n d wo r m s b o th r e p l i ca te a n d ca n d o d a m a g e , b u t wo r m s a r e typ i ca l l y s ta n d a l o n e p r o g r a m s . A tr o j a n h o r s e m a y ca r r y e i th e r .

Why does polymorphism cause greater concern than traditional malware? How does it affect detection?

Because it changes over time making it more difficult to detect.

What is the most common form of violation of intellectual property? How does an organiz ation protect against it? What agencies fight it?

Software Piracy. Software licencing helps to fight this . Software information indus try as s ociation (SIIA) and Bus ines s Software Alliance (BSA) both fight agains t IP Violations .

Principles of Information security textbook problems Chapter 1 & 2 …
Study this se t o nline at: http://www.cram.co m/cards/136 20 58

What are the various types of force majeure? Which type might be of greatest concern to an organiz ation in Las vegas? Oklahoma City? Miami? LA?

Force Majeure = Force of Nature. LA might be dust, tornadoes would be a concern in Atlanta etc...

How does technological obsolence constitue a threat to inf ormation security? How can an organization protect against it?

It o ccurs whe n te chno lo gy be co me s o utdate d, and re sults in an incre ase d thre at. Pro pe r planning is the be st way to fight it, o utdate d te chno lo gie s must be re place d in a timle y fashio n.

What is the dif f erence between an exploit and a vulnerability?

A vulnerability is a weakness in a system. An exploit takes advantage of a vulnerability to perf orm some unintended action.

What are the types of password attacks? What can an admin do to prevent them?

Cr a cki n g , B r u te fo r ce a n d Di cti o n a r y a tta cks a r e th e 3 typ e s o f p a s s wo r d a tta cks . Li m i t th e n u m b e r o f p a s s wo r d a tte m p ts , e n fo r ce m i n i m u m co m p l e xi ty p o l i cy ( n u m b e r s , ca p i ta l s e tc) , d i s s a l o w d i cti o n a r y wo r d s i n p a s s wo r d s .

What is the dif f erence between a DOS and a DDOS? Which is potentially more devastating? Why?

D O S a tta c k s a re a s i n g l e u s e r s e n d i n g a l a rg e n u mb e r o f c o n n e c ti o n s i n a a tte mp t to o ve rwh e l m a ta rg e t s e rve r. D D O S i s wh e n ma n y u s e rs (o r ma n y c o mp ra mi z e d s ys te ms ) s i mu l ta n i o u s l y p e rfo rm a D O S a tta c k . Th e D D O S i s mo re d a n g e ro u s b e c a u s e u n l i k e a D O S th e re i s n o s i n g l e u s e r yo u c a n b l o c k , n o e a s y wa y to o ve rc o me i t.

For a sinffer attack to succeed, what must the attacker do? How can an attacker gain access to a netowrk to use the sniffer system?

The attacker must first gain access to a network to install the sniffer. Usually this is done using social engineering to get into the building to plant a physical sniffer device.

What are s ome ways a s ocial engineering hacker can attempt to gain information about a us er's login and pas s word? How would this type of attack differ if it were targeted towards adminis trators as s is tant vers us a data entry clerk?

Mo s t co m m o n l y i t i s d o n e b y r o l e p l a yi n g s o m e o n e e l s e , e g a m a i n ta n e n ce te a m o r a j a n i to r to g e t p h ys i ca l a cce s s to a s s e ts . A d a ta e n tr y cl e r k m a y b e e a s i l y s wa ye d b y m e n ti o n i n g th e CEO wo u l d g e t p i s s e d , wh e r e a s s o m e o n e h i g h e r u p wo u l d r e q u i r e m o r e co n vi n ci n g .

What is a buffer overflow and how is it used against a webserver?

A b u ffe r o ve r fl o w o ccu r s wh e n m o r e d a ta i s s e n t th e n th e r e ce i ve r s b u ffe r ca n h a n d l e - u s u a l l y r e s u l ti n g i n n o n -b u ffe r a p p l i ca ti o n m e m o r y b e i n g o ve r wr i tte n . B u ffe r o ve r fl o w o n a we b s e r ve r m a y a l l o w a n a tta cke r to r u n e xe cu ta b l e co d e o n th e we b s e r ve r e i th e r m a n i u p l a ti n g fi l e s d i r e ctl y o r cr e a ti n g a b a ckd o o r fo r l a te r u s e .