
REVISION OF CONTENT (30/04/24)

CHAPTERS TO GET KNOWLEDGE ON IN ORDER TO PREP ACCURATE QUESTIONS

TABLE OF CONTENTS:

1. Introduction to Information Security

2. The Need for Information Security

3. Legal, Ethical And Professional Issues In Information Security

4. Incident Response And Contingency Planning

5. Risk Management And Access Controls

1|Page
CHAPTER 1: INTRODUCTION TO INFORMATION SECURITY

STUDY OUTCOMES:

• Define information security.
• Discuss the history of computer security and explain how it evolved into information security.
• Define key terms and critical concepts of information security.
• Describe the information security roles of professionals within an organization.

CONTENT SUMMARY:

• Information security evolved from the early field of computer security.

• Security is protection from danger. There are many types of security: physical security,
personal security, operations security, communications security, national security, and
network security, to name a few.

• Information security is the protection of information assets that use, store, or transmit
information through the application of policy, education, and technology.

• The critical characteristics of information, including confidentiality, integrity, and
availability (the C.I.A. triad), must be protected at all times. This protection is
implemented by multiple measures that include policies, education, training and
awareness, and technology.

• Information systems are made up of the major components of hardware, software,
data, people, procedures, and networks.

• Upper management drives the top-down approach to security implementation, in
contrast with the bottom-up approach or grassroots effort, in which individuals choose
security implementation strategies.

• The control and use of data in the organization is accomplished by the following parties:

o Data owners, who are responsible for the security and use of a particular set of
information.

o Data custodians, who are responsible for the storage, maintenance, and protection of
the information.

o Data trustees, who are appointed by data owners to oversee the management of a
particular set of information and to coordinate with data custodians for its storage,
protection, and use.

o Data users, who work with the information to perform their daily jobs and support the
mission of the organization.

• Each organization has a culture in which communities of interest are united by similar
values and share common objectives. The three communities in information security are
general management, IT management, and information security management.

• Information security has been described as both an art and a science, and it comprises
many aspects of social science as well.

CHAPTER 2: THE NEED FOR INFORMATION SECURITY

STUDY OUTCOMES:

• Discuss the need for information security.
• Explain why a successful information security program is the shared responsibility of
the entire organization.
• List and describe the threats posed to information security and the common attacks
associated with those threats.
• List the common information security issues that result from poor software
development efforts.

CONTENT SUMMARY:

• Information security performs four important functions to ensure that information
assets remain safe and useful: protecting the organization’s ability to function, enabling
the safe operation of applications implemented on the organization’s IT systems,
protecting the data an organization collects and uses, and safeguarding the
organization’s technology assets.

• To make sound decisions about information security, management must be informed
about threats to its people, applications, data, and information systems, and the attacks
they face.

• Threats are any events or circumstances that have the potential to adversely affect
operations and assets. An attack is an intentional or unintentional act that can damage
or otherwise compromise information and the systems that support it. A vulnerability is
a potential weakness in an asset or its defensive controls.

• Threats or dangers facing an organization’s people, information, and systems fall into
the following categories:

o Compromises to intellectual property—Intellectual property, such as trade
secrets, copyrights, trademarks, or patents, are intangible assets that may be
attacked via software piracy or the exploitation of asset protection controls.

o Deviations in quality of service—Organizations rely on services provided by
others. Losses can come from interruptions to those services.

o Espionage or trespass—Asset losses may result when electronic and human
activities breach the confidentiality of information.

o Forces of nature—A wide range of natural events can overwhelm control
systems and preparations to cause losses to data and availability.

o Human error or failure—Losses to assets may come from intentional or
accidental actions by people inside and outside the organization.

o Information extortion—Stolen or inactivated assets may be held hostage to
extract payment of ransom.

o Sabotage or vandalism—Losses may result from the deliberate sabotage of a
computer system or business, or from acts of vandalism. These acts can either
destroy an asset or damage the image of an organization.

o Software attacks—Losses may result when attackers use software to gain
unauthorized access to systems or cause disruptions in systems availability.

o Technical hardware failures or errors—Technical defects in hardware systems
can cause unexpected results, including unreliable service or lack of availability.

o Technical software failures or errors—Software used by systems may have
purposeful or unintentional errors that result in failures, which can lead to loss
of availability or unauthorized access to information.

o Technological obsolescence—Antiquated or outdated infrastructure can lead to
unreliable and untrustworthy systems that may result in loss of availability or
unauthorized access to information.

o Theft—Theft of information can result from a wide variety of attacks.

CHAPTER 3: LEGAL, ETHICAL AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

STUDY OUTCOMES:

• Explain the differences between laws and ethics.
• Describe the relevant laws, regulations, and professional organizations of
importance to information security.
• Identify major national and international laws that affect the practice of information
security.
• Discuss the role of privacy as it applies to law and ethics in information security.
• Explain the roles of some U.S. national law enforcement agencies with an interest in
information security.

CONTENT SUMMARY:

• Laws are formally adopted rules for acceptable behavior in modern society. Ethics are
socially acceptable behavior. The key difference between laws and ethics is that laws
carry the authority of a governing body and ethics do not.

• Organizations formalize desired behavior in documents called policies. Policies must be
read and agreed to before they are binding.

• Civil law comprises a wide variety of laws that govern a nation or state. Criminal law
addresses violations that harm society and is enforced by agents of the state or nation.

• Private law focuses on individual relationships, and public law governs regulatory
agencies. Key U.S. laws to protect privacy include the Federal Privacy Act of 1974, the
Electronic Communications Privacy Act of 1986, and the Health Insurance Portability
and Accountability Act of 1996.

• The desire to protect national security, trade secrets, and a variety of other state and
private assets has led to the passage of several laws that restrict what information,
information management resources, and security resources may be exported from the
United States.

• Intellectual property is recognized as a protected asset in this country. U.S. copyright
law extends this privilege to published works, including electronic media.

• Studies have determined that people of differing nationalities have varying perspectives
on ethical practices with the use of computer technology.

• Deterrence can prevent an illegal or unethical activity from occurring. Deterrence
requires significant penalties, a high probability of apprehension, and an expectation
that penalties will be enforced.

• As part of an effort to encourage ethical behavior, many professional organizations have
established codes of conduct or codes of ethics that their members are expected to
follow.

• Several U.S. federal agencies are responsible for protecting American information
resources and investigating threats against them.

CHAPTER 4: INCIDENT RESPONSE AND CONTINGENCY PLANNING

STUDY OUTCOMES:

• Discuss the need for contingency planning.
• Describe the major components of incident response, disaster recovery, and
business continuity.
• Define the components of crisis management.
• Discuss how the organization would prepare and execute a test of
contingency plans.

CONTENT SUMMARY:

• Planning for unexpected events is usually the responsibility of managers from both the
information technology and the information security communities of interest.

• For a plan to be seen as valid by all members of the organization, it must be sanctioned
and actively supported by the general business community of interest.

• Some organizations are required by law or other mandate to have contingency planning
procedures in place at all times, but all business organizations should prepare for the
unexpected.

• Contingency planning (CP) is the process by which the information technology and
information security communities of interest position their organizations to prepare for,
detect, react to, and recover from events that threaten the security of information
resources and assets, both human and artificial.

• CP is made up of four major components: the data collection and documentation
process known as the business impact analysis (BIA), the incident response (IR) plan,
the disaster recovery (DR) plan, and the business continuity (BC) plan.

• Organizations can either create and develop the three planning elements of the CP
process (the IR, DR, and BC plans) as one unified plan, or they can create the three
elements separately in conjunction with a set of interlocking procedures that enable
continuity.

• To ensure continuity during the creation of the CP components, a seven-step CP process
is used:
1. Develop the contingency planning policy statement.
2. Conduct the BIA.
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop a contingency plan.
6. Ensure plan testing, training, and exercises.
7. Ensure plan maintenance.

• Four teams of individuals are involved in contingency planning and contingency
operations: the CP team, the IR team, the DR team, and the BC team. The IR team
ensures the CSIRT is formed.

• The IR plan is a detailed set of processes and procedures that plan for, detect, and
resolve the effects of an unexpected event on information resources and assets.

• For every scenario identified, the CP team creates three sets of procedures—for before,
during, and after the incident—to detect, contain, and resolve the incident.

• Incident classification is the process by which the IR team examines an incident
candidate and determines whether it constitutes an actual incident.

• Three categories of incident indicators are used: possible, probable, and definite.

• When any one of the following happens, an actual incident is in progress: loss of
availability of information, loss of integrity of information, loss of confidentiality of
information, violation of policy, or violation of law.

• Digital forensics is the investigation of wrongdoing in the arena of information security.
Digital forensics requires the preservation, identification, extraction, documentation,
and interpretation of computer media for evidentiary and root cause analysis.

• DR planning encompasses preparation for handling and recovering from a disaster,
whether natural or human-made.

• BC planning ensures that critical business functions continue if a catastrophic incident
or disaster occurs. BC plans can include provisions for hot sites, warm sites, cold sites,
timeshares, service bureaus, and mutual agreements.

• Because the DR and BC plans are closely related, most organizations prepare the two at
the same time and may combine them into a single planning document called the
business resumption (BR) plan.

• The DR plan should include crisis management, the action steps taken during and after a
disaster. In some cases, the protection of human life and the organization’s image are
such high priorities that crisis management may deserve its own policy and plan.

• All plans must be tested to identify vulnerabilities, faults, and inefficient processes.
Several testing strategies can be used to test contingency plans: desk check, structured
walk-through, simulation, and full interruption.

CHAPTER 5: RISK MANAGEMENT AND ACCESS CONTROLS

STUDY OUTCOMES:

• Define risk management and describe its importance.
• Explain the risk management framework and process model, including major
components.
• Define risk appetite and explain how it relates to residual risk.
• Describe how risk is identified and documented.
• Discuss how risk is assessed based on likelihood and impact.
• Describe various options for a risk treatment and risk control strategy.
• Discuss conceptual frameworks for evaluating risk controls and formulate a
cost-benefit analysis.
• Compare and contrast the dominant risk management methodologies.

CONTENT SUMMARY:

• Risk management examines and documents an organization’s information assets.

• Management is responsible for identifying and controlling the risks that an organization
encounters. In the modern organization, the InfoSec group often plays a leadership role
in risk management.
• Risk appetite defines the quantity and nature of risk that organizations are willing to
accept as they evaluate the trade-offs between perfect security and unlimited
accessibility.

• Residual risk is the amount of risk unaccounted for after the application of controls.
• A key component of a risk management strategy is the identification, classification, and
prioritization of the organization’s information assets.

• Assessment is the identification of assets, including all the elements of an organization’s
system: people, procedures, data, software, hardware, and networking elements.
• The human resources, documentation, and data information assets of an organization
are not as easily identified and documented as tangible assets, such as hardware and
software. Less tangible assets should be identified and described using knowledge,
experience, and judgment.

• You can use the answers to the following questions to develop weighting criteria for
information assets:
o Which information asset is the most critical to the success of the organization?
o Which information asset generates the most revenue?
o Which information asset generates the highest profitability?
o Which information asset is the most expensive to replace?
o Which information asset is the most expensive to protect?
o Which information asset’s loss or compromise would be the most embarrassing
or cause the greatest liability?

• After an organization identifies and performs a preliminary classification of information
assets, the threats facing the organization should be examined. There are 12 general
categories of threats to InfoSec.

• Each threat must be examined during a threat assessment process that addresses the
following questions:
o Which of the threats exist in the organization’s environment?
o Which are the most dangerous to the organization’s information?
o Which require the greatest expenditure for recovery?
o Which require the greatest expenditure for protection?

• Each information asset is evaluated for each threat it faces; the resulting information is
used to create a list of the vulnerabilities that pose risks to the organization. This
process results in an information asset and vulnerability list, which serves as the starting
point for risk assessment.

• A threats-vulnerabilities-assets (TVA) worksheet lists assets in priority order along one
axis and threats in priority order along the other axis. The resulting grid provides a
convenient method of examining the “exposure” of assets, allowing a simple
vulnerability assessment.


• The goal of risk assessment is the assignment of a risk rating or score that
represents the relative risk for a specific vulnerability of a specific information
asset.

• It is possible to perform risk analysis using estimates based on a qualitative
assessment.

• If any specific vulnerability is completely managed by an existing control, it no
longer needs to be considered for additional controls.

• The risk identification process should designate what function the resulting
reports serve, who is responsible for preparing them, and who reviews them.
The TVA worksheet and other risk worksheets are working documents for the
next step in the risk management process: treating and controlling risk.

• Once vulnerabilities are identified and ranked, a strategy to control the risks
must be chosen. Four control strategies are mitigation, transference,
acceptance, and termination.

• Economic feasibility studies determine and compare costs and benefits from
potential controls (cost-benefit analysis, or CBA). A CBA determines whether a
control alternative is worth its associated cost.

• CBA calculations are based on costs before and after controls are implemented
and the cost of the controls.
• Other forms of feasibility analysis include analyses based on organizational,
operational, technical, and political factors.

• An organization must be able to place a dollar value on each collection of
information and information assets it owns. There are several methods an
organization can use to calculate these values.

• Single loss expectancy (SLE) is calculated from the value of the asset and the
expected percentage of loss that would occur from a single successful attack.
Annualized loss expectancy (ALE) represents the potential loss per year.
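The SLE, ALE and cost-benefit arithmetic above, worked through in code as an added example (not from the original notes). The formulas are the standard textbook ones the summary describes in words; the asset values, exposure factors, rates and the `choose_strategy` decision rule are constructed assumptions for this example.

```python
"""Worked risk-assessment arithmetic (SLE, ALE, CBA) for the Chapter 5 summary.

Added example, not code from the original notes. The formulas are the standard
textbook ones the summary describes in words:
    SLE = AV x EF                      one successful attack (asset value x exposure factor)
    ALE = SLE x ARO                    expected loss per year (annualized rate of occurrence)
    CBA = ALE_prior - ALE_post - ACS   ACS = annual cost of the safeguard
All asset values, exposure factors and rates below are constructed sample figures.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One cell of a TVA worksheet: an asset paired with one threat it faces."""
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one successful attack (0..1)
    aro: float              # ARO, expected successful attacks per year

    def sle(self) -> float:
        """Single loss expectancy."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the EF and ARO expected once it is in place."""
    name: str
    annual_cost: float      # ACS
    exposure_factor: float  # EF after the control
    aro: float              # ARO after the control


def residual_ale(exp: Exposure, ctl: Control) -> float:
    """Risk that remains after the control is applied (the residual risk)."""
    return replace(exp, exposure_factor=ctl.exposure_factor, aro=ctl.aro).ale()


def cba(exp: Exposure, ctl: Control) -> float:
    """Cost-benefit analysis: positive means the control saves more per year than it costs."""
    return exp.ale() - residual_ale(exp, ctl) - ctl.annual_cost


def choose_strategy(exp: Exposure, ctl: Control, risk_appetite: float,
                    can_transfer: bool = True) -> str:
    """Map the figures onto the four control strategies. The decision rule is an
    assumption for this example, not the textbook's own procedure:
    acceptance if the ALE is already within the risk appetite, mitigation if the
    control pays for itself, otherwise transference (e.g. insurance) or, when
    that is not an option, termination of the activity."""
    if exp.ale() <= risk_appetite:
        return "acceptance"
    if cba(exp, ctl) > 0:
        return "mitigation"
    return "transference" if can_transfer else "termination"


def rank_by_ale(exposures: list[Exposure]) -> list[Exposure]:
    """TVA-style prioritisation: highest expected annual loss first."""
    return sorted(exposures, key=lambda e: e.ale(), reverse=True)


# Constructed sample figures (exact binary fractions keep the arithmetic exact)
CUSTOMER_DB = Exposure("customer database", "ransomware", 400_000, 0.5, 0.5)
WEB_SERVER = Exposure("public web server", "denial of service", 120_000, 0.25, 2.0)
OFFLINE_BACKUPS = Control("offline, tested backups", 30_000, 0.125, 0.5)

if __name__ == "__main__":
    for e in rank_by_ale([WEB_SERVER, CUSTOMER_DB]):
        print(f"{e.asset:<20} {e.threat:<18} SLE={e.sle():>9,.0f}  ALE={e.ale():>9,.0f}")
    print("residual ALE with backups:", residual_ale(CUSTOMER_DB, OFFLINE_BACKUPS))
    print("CBA of backups:", cba(CUSTOMER_DB, OFFLINE_BACKUPS))
    print("strategy:", choose_strategy(CUSTOMER_DB, OFFLINE_BACKUPS, risk_appetite=20_000))
```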

• Alternative approaches to risk management include the OCTAVE Method, ISO
27005, the NIST risk management approach, and FAIR.


CHAPTER 8: ACCESS CONTROLS, FIREWALLS AND VPNS

STUDY OUTCOMES:

• Discuss the role of access control in information systems, and identify and discuss the four
fundamental functions of access control systems.
• Define authentication and explain the three commonly used authentication factors.
• Describe firewall technologies and the various categories of firewalls.
• Explain the various approaches to firewall implementation.
• Identify the various approaches to control remote and dial-up access by authenticating and
authorizing users.
• Describe virtual private networks (VPNs) and discuss the technology that enables them.

CONTENT SUMMARY:

• Access control is a process by which systems determine if and how to admit a user into a
trusted area of the organization.

• Mandatory access controls offer users and data owners little or no control over access to
information resources. MACs are often associated with a data classification scheme in which
each collection of information is rated with a sensitivity level. This type of control is
sometimes called lattice-based access control.

• Nondiscretionary access controls are strictly enforced versions of MACs that are managed by
a central authority, whereas discretionary access controls are implemented at the discretion
or option of the data user.

• All access control approaches rely on identification, authentication, authorization, and
accountability.

• Authentication is the process of validating an unauthenticated entity’s purported identity.
The three widely used types of authentication factors are something a person knows,
something a person has, and something a person is or can produce.

• Strong authentication requires a minimum of two authentication mechanisms drawn from
two different authentication factors.

• Biometrics is the use of a person’s physiological characteristics to provide authentication for
system access.

• Security access control architecture models illustrate access control implementations and
can help organizations quickly make improvements through adaptation. Some models, like
the trusted computing base, ITSEC, and the Common Criteria, are evaluation models used to
demonstrate the evolution of trusted system assessment. Models such as Bell–LaPadula and
Biba ensure that information is protected by controlling the access of one part of a system on
another.

• A firewall is any device that prevents a specific type of information from moving between the
outside network, known as the untrusted network, and the inside network, known as the
trusted network.

• Firewalls can be categorized into four groups: packet filtering, MAC layers, application
gateways, and hybrid firewalls.

• Packet-filtering firewalls can be implemented as static filtering, dynamic filtering, and stateful
packet inspection firewalls.

• The three common architectural implementations of firewalls are single bastion hosts,
screened hosts, and screened subnets.

• Firewalls operate by evaluating data packet contents against logical rules. This logical set is
most commonly referred to as firewall rules, a rule base, or firewall logic.

• Content filtering can improve security and assist organizations in improving the
manageability of their technology.

• Dial-up protection mechanisms help secure organizations that use modems for remote
connectivity. Kerberos and SESAME are authentication systems that add security to this
technology.

• Virtual private networks enable remote offices and users to connect to private networks
securely over public networks.

CHAPTER 9: INTRUSION DETECTION AND PREVENTION SYSTEMS AND OTHER SECURITY TOOLS

STUDY OUTCOMES:

• Identify and describe the categories and models of intrusion detection and prevention
systems.
• Describe the detection approaches employed by modern intrusion detection and prevention
systems.
• Define and describe honeypots, honeynets, and padded cell systems.
• List and define the major categories of scanning and analysis tools, and describe the specific
tools used within each category.

CONTENT SUMMARY:

• Intrusion detection systems (IDSs) identify potential intrusions and sound an alarm. The
more recently developed intrusion detection and prevention systems (IDPSs) also detect
intrusions and can take action to defend the network.

• An IDPS works like a burglar alarm by detecting network traffic that violates the system’s
configured rules and activating an alarm.

• A network-based IDPS (NIDPS) monitors network traffic and then notifies the appropriate
administrator when a predefined event occurs. A host-based IDPS (HIDPS) resides on a
particular computer or server and monitors activity on that system.

• Signature-based IDPSs, also known as knowledge-based IDPSs, examine data traffic for
patterns that match signatures: preconfigured, predetermined attack patterns.
Anomaly-based IDPSs, also known as behavior-based IDPSs, collect data from normal traffic
and establish a baseline. When an activity is found to be outside the baseline parameters (or
clipping level), these IDPSs activate an alarm to notify the administrator.
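Both detection approaches side by side, run over constructed web-server log lines, as an added example that is not code from the original notes. The log format, the two signature patterns, the choice of requests-per-client-per-minute as the baseline metric, and the three-standard-deviation clipping level are all assumptions made for this example.

```python
"""Signature-based versus anomaly-based detection over constructed log lines.
Added example for the Chapter 9 summary; log format, signatures and the
request-rate baseline are assumptions for this example, not the page's.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed format: ISO timestamp, client IP, quoted request line, status code
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Knowledge-based detection: preconfigured attack patterns matched against the URL path
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-probe": re.compile(r"(?i)union(\+|%20|\s)+select|'(\+|%20|\s)*or(\+|%20|\s)+1=1"),
}

# Constructed "normal" traffic, used only to learn the baseline
BASELINE_LOG = """
2024-04-30T10:00:05 10.0.0.5 "GET /" 200
2024-04-30T10:00:09 10.0.0.5 "GET /about" 200
2024-04-30T10:00:11 10.0.0.7 "GET /" 200
2024-04-30T10:00:14 10.0.0.7 "GET /css/site.css" 200
2024-04-30T10:00:15 10.0.0.7 "GET /js/app.js" 200
2024-04-30T10:00:40 10.0.0.7 "GET /products" 200
2024-04-30T10:01:02 10.0.0.5 "GET /products" 200
2024-04-30T10:01:30 10.0.0.5 "GET /products/42" 200
2024-04-30T10:01:03 10.0.0.7 "GET /products/7" 200
2024-04-30T10:01:08 10.0.0.7 "GET /cart" 200
2024-04-30T10:01:20 10.0.0.7 "POST /cart" 302
2024-04-30T10:01:45 10.0.0.7 "GET /checkout" 200
"""

# Constructed live window: one client behaves normally, one does not
LIVE_LOG = """
2024-04-30T10:05:01 10.0.0.5 "GET /" 200
2024-04-30T10:05:20 10.0.0.5 "GET /products" 200
2024-04-30T10:05:41 10.0.0.5 "GET /products/3" 200
2024-04-30T10:05:02 203.0.113.9 "GET /login" 200
2024-04-30T10:05:02 203.0.113.9 "POST /login" 401
2024-04-30T10:05:03 203.0.113.9 "POST /login" 401
2024-04-30T10:05:04 203.0.113.9 "GET /../../etc/passwd" 404
2024-04-30T10:05:04 203.0.113.9 "GET /search?q='+or+1=1" 200
2024-04-30T10:05:05 203.0.113.9 "GET /admin" 403
2024-04-30T10:05:05 203.0.113.9 "GET /admin/" 403
2024-04-30T10:05:06 203.0.113.9 "GET /wp-login.php" 404
"""

def parse(text: str) -> list[dict]:
    """Turn raw lines into event dicts; lines that do not fit the format are dropped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["minute"] = ev["ts"][:16]   # bucket key, e.g. 2024-04-30T10:05
            events.append(ev)
    return events

def signature_alerts(events: list[dict]) -> list[tuple[str, str, str]]:
    """Signature-based IDPS: alert on every request whose path matches a known pattern."""
    return [
        (name, ev["ip"], ev["path"])
        for ev in events
        for name, rx in SIGNATURES.items()
        if rx.search(ev["path"])
    ]

def requests_per_ip_minute(events: list[dict]) -> Counter:
    return Counter((ev["ip"], ev["minute"]) for ev in events)

def clipping_level(baseline_events: list[dict], k: float = 3.0) -> float:
    """Anomaly-based IDPS, training step: the baseline is the mean request rate per
    client per minute; the clipping level sits k standard deviations above it."""
    counts = list(requests_per_ip_minute(baseline_events).values())
    return mean(counts) + k * pstdev(counts)

def anomaly_alerts(events: list[dict], level: float) -> list[tuple[str, str, int]]:
    """Anomaly-based IDPS, detection step: flag any client whose rate exceeds the level."""
    return sorted(
        (ip, minute, n)
        for (ip, minute), n in requests_per_ip_minute(events).items()
        if n > level
    )

if __name__ == "__main__":
    level = clipping_level(parse(BASELINE_LOG))
    print(f"clipping level: {level:.1f} requests per client per minute")
    for alert in signature_alerts(parse(LIVE_LOG)):
        print("signature:", alert)
    for alert in anomaly_alerts(parse(LIVE_LOG), level):
        print("anomaly:  ", alert)
```

Note that the two methods catch different things: the signatures fire only on the two requests whose paths match a known pattern, while the rate baseline flags the whole burst from the second client, including requests that match no signature at all.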

• Selecting IDPS products that best fit an organization’s needs is a challenging and complex
process. A wide array of products and vendors are available, each with different approaches
and capabilities.

• Deploying and implementing IDPS technology is a complex undertaking that requires
knowledge and experience. After deployment, each organization should measure the
effectiveness of its IDPS and then continue with periodic assessments over time.

• Honeypots are decoy systems designed to lure potential attackers away from critical systems.
In the security industry, these systems are also known as decoys, lures, or flytraps. Two
variations on this technology are known as honeynets and padded cell systems.

• Trap-and-trace applications are designed to react to an intrusion event by tracing it back to
its source. This process is fraught with professional and ethical issues: some people in the
security field believe that the back hack in the trace process is as significant a violation as the
initial attack.

• Active intrusion prevention seeks to limit the damage that attackers can perpetrate by
making the local network resistant to inappropriate use.

• Scanning and analysis tools are used to pinpoint vulnerabilities in systems, holes in security
components, and unsecured aspects of the network. Although these tools are used by
attackers, they can also be used by administrators to learn more about their own systems
and to identify and repair system weaknesses before they result in losses.

CHAPTER 10: CRYPTOGRAPHY

STUDY OUTCOMES:

• Chronicle the most significant events and discoveries in the history of cryptology.
• Explain the basic principles of cryptography.
• Describe the operating principles of the most popular cryptographic tools.
• List and explain the major protocols used for secure communications.

CONTENT SUMMARY:

• Encryption is the process of converting a message into a form that is unreadable to
unauthorized people.

• The science of encryption, known as cryptology, encompasses cryptography (making and
using encryption codes) and cryptanalysis (breaking encryption codes).

• Cryptology has a long history and continues to change and improve.

• Two basic processing methods are used to convert plaintext data into encrypted data: bit
stream and block ciphering. The other major methods used for scrambling data include
substitution ciphers, transposition ciphers, the XOR function, the Vigenère cipher, and the
Vernam cipher.

• Hash functions are mathematical algorithms that generate a message summary or “digest”
that can be used to confirm the identity of a specific message and confirm that the message
has not been altered.

• Most cryptographic algorithms can be grouped into two broad categories: symmetric and
asymmetric. In practice, most popular cryptosystems are hybrids that combine symmetric
and asymmetric algorithms.

• The strength of many encryption applications and cryptosystems is determined by key size.
All other things being equal, the length of the key directly affects the strength of the
encryption.
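Two of the ciphers listed above, the Vigenère cipher and the XOR-based Vernam cipher, implemented side by side as an added example (not code from the original notes), together with the key-length comparison the previous bullet makes in words and the one caveat the Vernam scheme depends on: its key is never reused. The messages and keys are constructed; the "attack at dawn" / "LEMON" pair is the textbook Vigenère example.

```python
"""Vigenère (short repeating key) and Vernam (one-time key) ciphers side by side.
Added example for the Chapter 10 summary; sample messages and keys are constructed.
"""
import math
import secrets
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter, cycling through the key.
    Non-letters pass through unchanged and do not consume key material."""
    key = key.upper()
    if not key or any(c not in ALPHABET for c in key):
        raise ValueError("key must be one or more letters A-Z")
    out, k = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[k % len(key)])
        k += 1
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def vernam_key(length: int) -> bytes:
    """A one-time key: as long as the message and drawn from a CSPRNG."""
    return secrets.token_bytes(length)


def vernam(data: bytes, key: bytes) -> bytes:
    """XOR every byte with its key byte; XOR is its own inverse, so the same
    function encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("Vernam key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def keyspace_bits(cipher: str, key_len: int) -> float:
    """Key length drives strength: brute-force work factor in bits. A Vigenère
    key of n letters gives 26**n keys; a Vernam key of n bytes gives 256**n."""
    if cipher == "vigenere":
        return key_len * math.log2(26)
    if cipher == "vernam":
        return key_len * 8.0
    raise ValueError(f"unknown cipher {cipher!r}")


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """The reason the Vernam key is one-time: two ciphertexts made with the same
    key XOR to the XOR of the two plaintexts, so the key no longer hides either.
    Returned purely to check the property; a deployment must never reuse a key."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    ct = vigenere("attack at dawn", "LEMON")
    print("Vigenère:", ct, "->", vigenere(ct, "LEMON", decrypt=True))
    msg = b"attack at dawn"
    key = vernam_key(len(msg))
    print("Vernam round trip ok:", vernam(vernam(msg, key), key) == msg)
    print("5-letter Vigenère key: %.1f bits" % keyspace_bits("vigenere", 5))
    print("14-byte Vernam key:    %.1f bits" % keyspace_bits("vernam", 14))
```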

• Public key infrastructure (PKI) is an integrated system of software, encryption methodologies,
protocols, legal agreements, and third-party services that enables users to communicate
securely. PKI includes digital certificates and certificate authorities.

• Digital signatures are encrypted messages that are independently verified by a central facility
and provide nonrepudiation. A digital certificate is an electronic document, similar to a
digital signature, which is attached to a file to certify it came from the organization that
claims to have sent it and was not modified from its original format.

• Steganography is the hiding of information. It is not technically a form of cryptography but is
similar in that it protects confidential information while in transit.

• Secure Hypertext Transfer Protocol (HTTPS), Secure Electronic Transactions (SET), and Secure
Sockets Layer (SSL) are protocols designed to enable secure communications across the
Internet. IPSec is the protocol used to secure communications across any IP-based network.
Secure/Multipurpose Internet Mail Extensions (S/MIME), Privacy-Enhanced Mail (PEM), and
Pretty Good Privacy (PGP) are protocols that are used to secure electronic mail. PGP is a
hybrid cryptosystem that has become the open-source de facto standard for encryption and
e-mail and file storage applications.

• Wireless networks require their own cryptographic protection. Originally protected with WEP
and WPA, most modern Wi-Fi networks are now protected with WPA2. Bluetooth—a
short-range wireless protocol used predominantly for wireless phones and PDAs—can be
exploited by anyone within its 30-foot range.
