Chapter 1-Introduction to Information Security: Principles of Information Security

In: Computers and Technology

Submitted By yeni2002
Words 965
Pages 4

1. What is the difference between a threat and a threat agent?

A threat is a constant danger to an asset, whereas a threat agent is the facilitator of an attack.

2. What is the difference between vulnerability and exposure?

Vulnerability: a fault within the system, such as a software package flaw, an unlocked door, or an unprotected system port. It leaves the system open to attack or damage.

Exposure: a single instance in which a system is open to damage. Vulnerabilities can in turn be the cause of exposure.

3. How is infrastructure protection (assuring the security of utility services) related to information security?

The organization needs clear parameters and set regulations for its own protection. Clear goals and objectives for protection lead to better protection with regard to information security.

4. What type of security was dominant in the early years of computing?

Early security was entirely physical security.
- Example: lock and key

5. What are the 3 components of the CIA triangle and what are they used for?

Confidentiality: Information should only be accessible to its intended recipients.

Integrity: Information should arrive the same as it was sent.

Availability: Information should be available to those authorized to use it.

6. If the CIA triangle is incomplete, why is it so commonly used in security?

The CIA triangle is still used because it addresses the major concerns with the vulnerability of information systems.

7. Describe the critical characteristics of information. How are they used in the study of computer security?

Availability: Authorized users can access the information.

Accuracy: Free from errors.
- If information has been intentionally or unintentionally modified, it is no longer accurate…
