Security Systems Development Life Cycle


What is the difference between a threat agent and a threat?
  • The word “threat” usually stands for a category of things that pose a potential danger. Viruses, worms, and other types of malware, for example, are threats. A “threat agent,” by contrast, is a specific threat, or a specific type of virus, worm, or other malware. For example, the Blaster Worm is a threat agent.
What is the difference between vulnerability and exposure? 
  • Vulnerability is a fault within the system, such as software package flaws, unlocked doors or an unprotected system port. It leaves things open to an attack or damage. Exposure is a single instance when a system is open to damage. Vulnerabilities can in turn be the cause of exposure.
How is infrastructure protection (assuring the security of utility services) related to information security? 
  • Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. That makes the security of utility services a critical element in information systems.

What type of security was dominant in the early years of computing? 
  • In the early stages of computing, the only security concern was physical security.
  • Because users had little programming knowledge, there was less possibility of other security problems such as hacking.

What are the three components of the C.I.A. triangle? What are they used for? 
  • Confidentiality: Information should only be accessible to its intended recipients.
  • Integrity: Information should arrive the same as it was sent.
  • Availability: Information should be available to those authorized to use it.

If the C.I.A. triangle is incomplete, why is it so commonly used in security? 
  • The CIA triangle is still used because it addresses the major concerns with the vulnerability of information systems.

Describe the critical characteristics of information. How are they used in the study of computer security? 
  • 1. Confidentiality – ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:
    • Information classification
    • Secure document storage 
    • Application of general security policies
    • Education of information custodians and end users
    • Example: a credit card transaction on the Internet.
      • The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
      • Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
  • 1A. Integrity – is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.
    • Integrity means that data cannot be modified without authorization. 
    • Eg: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on. 
  • 2. Availability – is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
    • For any information system to serve its purpose, the information must be available when it is needed. 
    • Eg: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. 
  • 2A. Privacy – The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does not focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it.
  • 2B. Identification – An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.
  • 2C. Authentication – occurs when a control provides proof that a user possesses the identity that he or she claims.
    • In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated) 
  • 2D. Authorization – After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.
  • 2E. Accountability – The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.
  • 3. Accuracy – Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate.
  • 3A. Utility – Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility.
  • 3B. Possession – The possession of information is the quality or state of having ownership or control of some object or item.

Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study? 
  • The six components are software, hardware, data, people, procedures, and networks.
  • Software – Perhaps the most difficult part of the system to secure, because most software used is written by third parties. Also, since the software field is so competitive, many products are rushed to market before they have been thoroughly tested and debugged. These bugs and “security holes” quickly are discovered by members of the hacking community and soon information is spread about “exploits” that take advantage of those “holes,” which are then implemented by unscrupulous individuals.
  • Hardware – This is specifically the computers themselves. While there are very few ways to use hardware directly to defeat security, the data stored on the hardware can be stolen by the simple expedient of stealing the hardware itself. Laptop computers are especially vulnerable to theft.
  • Data – This is the primary target of thieves. Proprietary and confidential personal data is a particularly lucrative source of income for criminals, especially in the fields of industrial espionage and identity theft. 
  • People – People are often overlooked as a part of an information system. However, they are as much a part as hardware, software or data. Without people, there would be no need for data or software, and no use for hardware. However, being human, people make mistakes, or commit deliberate acts, that can compromise the security of any system. Proper education and monitoring of people is necessary to prevent security breaches, whether they be accidental or deliberate.
  • Procedures – Procedures are also overlooked as potential security risks. Deficient design of procedures, as well as outsiders’ learning existing procedures, can lead to the compromise of critical data. 
  • Networks – Information used by an organization needs to be shared among the members of that organization. Networking makes sharing of information easy, but at the cost of dramatically increasing the risk of compromising security. Wireless networks can be monitored by outsiders’ computers with wireless capabilities. Similarly, wired networks can be tapped. Wide area networks typically use public telephone or cable lines to transmit data, and these public lines can also be tapped. These facts, as well as others, make it crucial to design procedures and protocols for users of networks that make data as secure as possible.
  • Of these six components, data is the most critical, and therefore the most directly affected by the study of computer security. However, in order to make data secure, it is necessary to study all six components, since they are all related parts of an integrated whole.

What system is the father of almost all modern multiuser systems? 
  • Mainframe computer systems

Which paper is the foundation of all subsequent studies of computer security? 
  • Rand Report R-609

Why is the top-down approach to information security superior to the bottom-up approach? 
  • The bottom-up approach lacks a number of critical features, such as participant support and organizational staying power, whereas the top-down approach has strong upper management support, dedicated funding, clear planning and the opportunity to influence the organization's culture.

Why is a methodology important in the implementation of information security? How does a methodology improve the process? 
  • A formal methodology ensures a rigorous process and avoids missing steps.

Which members of an organization are involved in the security system development life cycle? Who leads the process? 
  • Security professionals are involved in the SDLC. Senior management, the security project team and data owners lead the project.

How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice? 
  • Art because there are no hard and fast rules especially with users and policy.
  • Science because the software is developed by computer scientists and engineers. Faults are a precise interaction of hardware and software that can be fixed given enough time.

Who is ultimately responsible for the security of information in the organization? 
  • The Chief Information Security Officer (CISO)

What is the relationship between the MULTICS project and the early development of computer security? 
  • It was the first operating system created with security as its primary goal. Shortly after the restructuring of MULTICS, several key engineers started working on UNIX, which did not require the same level of security.

How has computer security evolved into modern information security? 
  • Computer security in the earlier days was concerned primarily with controlling access to the computer system itself. In today's modern era data is a commodity that everyone wants, so confidentiality is a way to control access to information.
  • Information security has to control who has access to data, and this is not just via the computer or the network. So to answer the question, it started with computer access and evolved to ways of protecting confidential data that may be retrieved or accessed anywhere, not just via the computer.

What was important about Rand Report R-609?
  • RR609 was the first widely recognized published document to identify the role of management and policy issues in computer security.

Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these wishes are carried out? 
  • Control and use of data: data owners are responsible for how and when data will be used; data users work with the data in their daily jobs.

Who should lead a security team? Should the approach to security be more managerial or technical? 
  • A project manager with information security technical skills. The approach to security should be managerial, top down.