Security Fundamentals

  1. Risk
    • An impediment preventing the achievement of an objective
    • Examples: Financial, Fraud, IT
    • Risk = Asset value x Threat value x Vulnerability value
  2. Threat (systems definition)
    • Any circumstance or event with the potential to cause harm to a system in the form of:
      ◦ Destruction
      ◦ Disclosure
      ◦ Modification
      ◦ Availability
    • Threats are ACTIVE and exploit vulnerabilities.
  3. Threat Agent
    A method used to exploit a vulnerability in an information system
  4. Threat Framework
    • Human - Intentional / Unintentional
    • Environmental - Natural / Fabricated
  5. 3 Attributes of threats
    • 1. Source - country, location, sponsorship
    • 2. Capabilities - Wanting to damage and being able to damage. Resources / Training / Methods / Reach / Sustainability.
    • 3. Intentions - Most problematic. Motivation? / Targets / Timing - Attack once or often.
  6. Industrial Espionage in Canada (sectors)
    • 1. Oil and Gas
    • 2. Telecommunications
    • 3. Aerospace
    • 4. Biotechnology
    • 5. Chemical.
  7. Difference between Security Awareness and Security Training.
    • 1. Awareness programs seek to inform employees and focus them on issues related to security within the organization.
    • 2. Training programs are designed to teach people the skills needed to perform IS-related tasks. Teaches the WHAT and HOW.
  8. 4 stages of Information Life Cycle
    • 1. Initiation of a company record.
    • 2. Use of the Record.
    • 3. Storage of the Record.
    • 4. Disposal.
  9. The 4 Business / Security Services
    • Confidentiality – Information made only available to authorized individuals.
    • Integrity – Accuracy of Information and assets
    • Availability – Accessibility of Systems and services when required.
    • Accountability – Actions of person or process may be traced uniquely to that entity
  10. Define "Threat Assessment"
    Threat Assessment – To provide senior management with information about an impending danger to their business system in time to make an informed decision.
  11. 4 Step Cycle for credible assessments. (Used by Government & Industry)
    • a. Direction – Obtain management approval and the type of information required.
    • b. Collection – Gather information from appropriate sources.
    • c. Process – (1) Collation, (2) Evaluation, (3) Analysis, (4) Integration, (5) Interpretation.
    • d. Dissemination – Timely distribution of an Assessment.
  12. What are the 9 OECD Principles

    Really Awesome Economics Does Reduce My Really Radical Decisions
    • 1. Responsibility – Participants should be Responsible for Security
    • 2. Awareness – Aware of the need for security
    • 3. Ethics – Respect the interests of others
    • 4. Design + Implementation – Incorporate security into the networks
    • 5. Risk Assessment – Conduct assessments proportional to the risks
    • 6. Management – Comprehensive approach to security
    • 7. Response – Reaction in a timely manner to incidents
    • 8. Reassessment – Review any changes to policy and procedures
    • 9. Democracy – Meet essential values of democratic society
  13. Information Systems Security
    A subset of information security that ensures the integrity and availability of information system assets
  14. IT Security (IT Sec)
    An integrated set of technological security measures designed to ensure the confidentiality, integrity and availability of information electronically stored, processed or transmitted by an information system
  15. Difference between IT Sec and ISS
    ISS/Information Security straddles the security issues associated with technology and people.

    IT Security (ITSec) focuses on system technology.
  16. IT Sec Sub components
    • Computer Security (Compusec)
    • Cryptographic Security (Cryptosec)*
    • Transmission Security (Transsec)*
    • Emissions Security (Emsec)*
    • Network Security (Netsec)

    The 3 items marked * together define Communications Security (COMSEC)
  17. CompuSec
    Operating system, applications and hardware remain intact, preventing modification or loss of information (deliberate or inadvertent)
  18. CryptoSec
    Protection resulting from the use of crypto systems or products to encode data making it unreadable to unauthorised persons
  19. TransSec
    A measure designed to protect transmissions from interception and exploitation
  20. EmSec
    To confine information so as to deny unauthorised access to, or analysis of, the information through the interception of electromagnetic emissions.
  21. NetSec
    Protection of the integrity of an information system network configuration to prevent unauthorised rerouting or modification