1.7 Resources

Important Terms Introduced

  • active attack

  • administrator

  • antivirus software

  • app

  • attack

  • attack matrix

  • attack surface

  • attack vector

  • attacker

  • availability

  • back door

  • backup copy

  • basic principle

  • black-hat hacker

  • botnet

  • CIA properties

  • compromised system

  • computer virus

  • confidentiality

  • Continuous Improvement

  • cracker

  • defense

  • defense in depth

  • disclosure

  • forgery

  • hacker

  • hacktivist

  • high motivation

  • hunter’s dilemma

  • identity theft

  • information security architecture

  • insider threat

  • integrity

  • layered defense

  • least privilege

  • low motivation

  • malware

  • masquerade

  • moderate motivation

  • passive attack

  • phone phreak

  • physical theft

  • risk assessment

  • risk matrix

  • router

  • scant motivation

  • script kiddie

  • security domains

  • security plan

  • security policy

  • social forgery

  • stealth motivation

  • subversion

  • systems engineering process

  • threat agent

  • unmotivated

  • vulnerability

  • white-hat hacker

  • worm

  • zero-day

Abbreviations Introduced

  • ACM—Association for Computing Machinery

  • AUP—acceptable use policy

  • CIA—confidentiality, integrity, availability

  • CISSP—Certified Information Systems Security Professional

  • DMCA—Digital Millennium Copyright Act

  • DOS—denial of service

  • DRM—digital rights management

  • FIPS—Federal Information Processing Standards

  • IoT—internet of things

  • ISP—internet service provider

  • IT—information technology

  • MIT—Massachusetts Institute of Technology

  • MO—modus operandi

  • MPAA—Motion Picture Association of America

  • NA—not applicable

  • NIST—National Institute of Standards and Technology

  • NSA—National Security Agency

  • PLC—programmable logic controller

  • POS—point of sale

  • PRMF—Proprietor’s Risk Management Framework

  • RIAA—Recording Industry Association of America

  • RMF—Risk Management Framework

  • SC—security category

  • SCADA—supervisory control and data acquisition

  • SP—Special Publication

  • UPS—uninterruptable power supply

  • USB—universal serial bus

*Including the Preface.

1.7.1 Review Questions

R1. Explain the difference between possession, ownership, and control of software and media on a modern mobile device.

R2. What is the hunter’s dilemma?

R3. Give an example of “security theater.”

R4. Describe the six steps in NIST’s Risk Management Framework.

R5. Describe the four steps in the Proprietor’s Risk Management Framework.

R6. How do the Risk Management Frameworks compare to continuous quality improvement?

R7. What is the difference between requirements and controls in the security process?

R8. Describe the relationship between assets, boundaries, threat agents, vulnerabilities, attacks, and defenses.

R9. Identify some typical information assets.

R10. Explain the concept of Least Privilege.

R11. What are the four things to assess when looking at boundaries?

R12. Describe the three security properties of information (hint: “CIA”).

R13. Explain the significant features we see in threat agents.

R14. Summarize the levels of motivation with which we assess threat agents.

R15. Describe the six general types of attacks on information. Which are passive attacks and which are active attacks?

R16. Explain the purpose and use of an attack matrix.

R17. Explain the purpose and use of a risk matrix.

R18. Explain the process for comparing the relative significance of different risks.

R19. List the five properties of a good security policy statement.

R20. Briefly describe the process for constructing a list of requirements from a list of assets, threat agents, and risks.

R21. Summarize the recommended ethical steps a security analyst takes when performing a security assessment.

R22. Summarize the recommended process for disclosing a security vulnerability.

1.7.2 Exercises

E1. Give a specific example of a file you own that you can retrieve and share, but that you can’t actually use without special hardware or software. Describe the type of file, the actions you can perform, and the actions you cannot perform.

E2. Give examples of how individuals can act as vulnerabilities, defenses, or threats to an information system.

E3. Write a summary of how computers are used in your organization. The organization may be a particular portion of a larger site, like a school or college, or a department within the organization.

E4. Who do you call if something goes wrong with your computer? Provide contact information and a summary of which problems are covered by which contacts.

E5. Draw a diagram of the physical security boundary around your current living space. Identify possible points of entry. Describe how the physical boundary is kept secure if you are not present.

E6. Select a commercial space like a store or restaurant with which you are familiar. Draw a diagram of its physical security boundary. Identify possible points of entry or exit, including emergency exits. Describe the rules (the “policy”) for opening, closing, and locking those entrances. Pay special attention to public, employee-only, and emergency exits, if any.

E7. Make a list of the really important tasks performed by your personal computer, as discussed in Section 1.2.2. If you do not own your own computer, describe one that you regularly use for class work. List the physical and information assets you rely upon to perform these tasks.

E8. Following the basic procedures described in Section 1.4, do a risk assessment of your own personal computer. Be sure to answer Exercise E7 first, and be sure that your risk assessment reflects your most important tasks and assets. Show the result as a list of risks.

E9. TABLE 1.6 lists five security policy statements. Compare the statements against the five properties of properly formed policy statements. For each statement, indicate which properties the statement fails to fulfill, if any.

E10. Write the first part of a security plan for your own cybersecurity assets or another small set of assets. The plan includes the following:

    1. A list of security asset risks. This may reuse information produced in earlier assignments, as appropriate.

    2. A list of security requirements for your assets.

TABLE 1.6 Policy for Exercise E9

#   Policy Statement                                                                              Risks
1   Bob is granted full access to all files on his computer.                                      2
2   Alice shall have full access to files she creates.                                            2, 3
3   Access shall never be granted to thieves.                                                     1
4   Installation disks for proprietary software shall be kept in a locked drawer in Alice’s room. (none)
5   The laptop shall regularly check for system security updates and install those updates.      (none)