Information Assurance and Security-Reviewer
A. What is Security?
Security is “the quality or state of being secure—to be free from danger.”
Layers of security an organization puts in place to protect its operations:
1. Physical security - to protect physical items, objects, or areas from unauthorized access and
misuse.
2. Personnel security - to protect the individual or group of individuals who are authorized to
access the organization and its operations
3. Operations security - to protect the details of a particular operation or series of activities
4. Communications security - to protect communications media, technology, and content
5. Network security - to protect networking components, connections, and contents
6. Information security - to protect the confidentiality, integrity and availability of information
assets, whether in storage, processing, or transmission. It is achieved via the application of
policy, education, training and awareness, and technology.
Bottom-up Approach - Information security can begin as a grassroots effort in which systems
administrators attempt to improve the security of their systems. This is often referred to as a bottom-up
approach.
Top-down approach—in which the project is initiated by upper-level managers who issue policy,
procedures and processes, dictate the goals and expected outcomes, and determine accountability for
each required action—has a higher probability of success.
The traditional systems development life cycle (SDLC) follows a waterfall model: each phase begins with
the results and information gained from the previous phase.
Investigation
The first phase, investigation, is the most important. What problem is the system being developed to
solve? The investigation phase begins with an examination of the event or plan that initiates the process.
Analysis
The analysis phase begins with the information gained during the investigation phase. This phase
consists primarily of assessments of the organization, its current systems, and its capability to support
the proposed systems.
Logical Design
In the logical design phase, the information gained from the analysis phase is used to begin creating a
systems solution for a business problem.
Physical Design
During the physical design phase, specific technologies are selected to support the alternatives identified
and evaluated in the logical design. The selected components are evaluated based on a make-or-buy
decision (develop the components in-house or purchase them from a vendor).
Implementation
In the implementation phase, any needed software is created. Components are ordered, received, and
tested. Afterward, users are trained and supporting documentation created.
Maintenance and Change
The maintenance and change phase is the longest and most expensive phase of the process. This phase
consists of the tasks necessary to support and modify the system for the remainder of its useful life
cycle.
Investigation
The investigation phase of the security systems development life cycle (SecSDLC) begins with a directive
from upper management, dictating the process, outcomes, and goals of the project, as well as its budget
and other constraints.
Analysis
In the analysis phase, the documents from the investigation phase are studied. The development team
conducts a preliminary analysis of existing security policies or programs, along with that of documented
current threats and associated controls.
Logical Design
The logical design phase creates and develops the blueprints for information security, and examines and
implements key policies that influence later decisions.
Physical Design
The physical design phase evaluates the information security technology needed to support the
blueprint outlined in the logical design, generates alternative solutions, and determines a final design.
Implementation
The implementation phase of the SecSDLC is also similar to that of the traditional SDLC. The security
solutions are acquired (made or bought), tested, implemented, and tested again.
Maintenance and Change
Maintenance and change is the last, though perhaps most important, phase, given the current ever-
changing threat environment. Today's information security systems need constant monitoring, testing,
modification, updating, and repairing.
B. Threats
A threat is an object, person, or other entity that presents an ongoing danger to an asset.
C. Attacks
2) Hoaxes
A more devious attack on computer systems is the transmission of a
virus hoax with a real virus attached.
3) Back Doors
Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network
resource through a back door. Sometimes these entries are left behind
by system designers or maintenance staff, and thus are called trap
doors.
4) Password Crack
Attempting to recover a password from its stored hash is often called
cracking. Hashes cannot be reversed, so cracking works by guessing
candidate passwords, hashing each one with the same algorithm, and
comparing the result with the stolen hash. A cracking attack is a
component of many dictionary attacks (to be covered shortly). It is used
when a copy of the Security Account Manager (SAM) database, which
contains hashed representations of users' passwords, can be obtained.
Because the guessing runs offline against the copied hashes, account
lockout and rate limiting do not slow it down; salted, deliberately slow
hash functions and long passwords do.
5) Brute Force
The application of computing and network resources to try every
possible password combination is called a brute force attack. Since the
brute force attack is often used to obtain passwords to commonly used
accounts, it is sometimes called a password attack.
6) Dictionary
The dictionary attack is a variation of the brute force attack which
narrows the field by selecting specific target accounts and using a list of
commonly used passwords (the dictionary) instead of random
combinations.
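Worked example, added here and not part of the reviewer or the textbook it summarizes: a password-cracking routine in Python that first runs the dictionary attack over a constructed wordlist and falls back to brute force over a short keyspace, the escalation described in items 4) to 6) above. The wordlist, the user:hash dump and the alphabet are constructed for the example; SHA-256 is assumed in place of the NT hash (MD4 over UTF-16LE) that a real SAM dump holds, which changes nothing in the attack logic because both are unsalted.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Optional, Tuple


def hash_password(password: str) -> str:
    """Assumption: SHA-256 stands in for the unsalted NT hash a real SAM dump contains."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed inputs: a small wordlist, the search alphabet, and a SAM-like user:hash dump.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin", "welcome1"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
DUMP = {"alice": hash_password("letmein"), "bob": hash_password("zq9")}


def dictionary_attack(target_hash: str, wordlist: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Hash each wordlist candidate and compare; return (password, guesses) or None."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hash_password(candidate) == target_hash:
            return candidate, guesses
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[Tuple[str, int]]:
    """Try every string over `alphabet` up to `max_len` characters, shortest first."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate, guesses
    return None


def keyspace_size(alphabet: str, max_len: int) -> int:
    """Number of candidates brute force must cover in the worst case."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def crack_dump(dump: Dict[str, str], wordlist: Iterable[str],
               alphabet: str, max_len: int) -> Dict[str, Tuple[str, str, int]]:
    """Dictionary pass first (cheap); brute force only for hashes the wordlist misses."""
    wordlist = list(wordlist)
    results: Dict[str, Tuple[str, str, int]] = {}
    for user, target in dump.items():
        hit = dictionary_attack(target, wordlist)
        if hit:
            results[user] = (hit[0], "dictionary", hit[1])
            continue
        hit = brute_force(target, alphabet, max_len)
        if hit:
            results[user] = (hit[0], "brute-force", hit[1])
    return results


if __name__ == "__main__":
    for user, (pw, method, n) in crack_dump(DUMP, WORDLIST, ALPHABET, 3).items():
        print(f"{user}: {pw!r} recovered via {method} after {n} guesses")
    print("worst case for 3 characters:", keyspace_size(ALPHABET, 3), "hashes")
```

The guess counts show why the dictionary pass comes first: "letmein" falls on the fourth hash, while the three-character password costs over thirty thousand, and each extra character of length multiplies the brute-force cost by the alphabet size.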
8) Spoofing
Spoofing is a technique used to gain unauthorized access to computers,
wherein the intruder sends messages with a source IP address that has
been forged to indicate that the messages are coming from a trusted
host. Because replies go to the forged address, the attacker never sees
them; plain IP spoofing therefore suits one-way or connectionless
traffic, and interactive sessions require it to be combined with
sequence-number prediction or session hijacking.
9) Man-in-the-Middle
In the well-known man-in-the-middle attack, of which TCP session
hijacking is one form, an attacker positions itself between two
communicating parties, monitors (or sniffs) their packets, modifies
them, and inserts them back into the network, while each party believes
it is talking directly to the other.
10) Spam
Spam is unsolicited commercial e-mail. While many consider spam a
trivial nuisance rather than an attack, it has been used as a means of
enhancing malicious code attacks.
12) Sniffers
A sniffer is a program or device that can monitor data traveling over a
network. Sniffers can be used both for legitimate network management
functions and for stealing information.
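Worked example, added here rather than taken from the reviewer: a minimal sniffer in Python that decodes Ethernet/IPv4/TCP frames and shows both uses at once, per-flow byte accounting for network management and lifting user:password pairs out of cleartext HTTP Basic authentication. The frames are constructed inside the block by a helper (there is no live capture), the addresses and hostnames are fictitious, and the TLS fragment is included to show that encrypted traffic yields nothing to the sniffer.

```python
import base64
import struct
from typing import Dict, List, Tuple

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test input: a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Dict:
    """Decode Ethernet -> IPv4 -> TCP; return addresses, ports and application payload."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return {}
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return {}
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]  # trims any Ethernet padding
    info = {"src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])),
            "proto": ip[9]}
    if ip[9] != PROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
    info["payload"] = tcp[(tcp[12] >> 4) * 4:]   # skip TCP header incl. options
    return info


def extract_basic_credentials(payload: bytes) -> List[str]:
    """Recover user:password from any HTTP 'Authorization: Basic' header in the payload."""
    found: List[str] = []
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            try:
                found.append(base64.b64decode(token, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                pass  # malformed token: skip it rather than abort the capture loop
    return found


def sniff(frames) -> Tuple[Dict[tuple, int], List[str]]:
    """Legitimate use: bytes per flow. Abuse: credentials lifted from cleartext HTTP."""
    flows: Dict[tuple, int] = {}
    creds: List[str] = []
    for frame in frames:
        p = parse_frame(frame)
        if "payload" not in p:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flows[key] = flows.get(key, 0) + len(p["payload"])
        if p["dport"] == 80:
            creds.extend(extract_basic_credentials(p["payload"]))
    return flows, creds


# Constructed capture: one cleartext HTTP request with Basic auth, one TLS record fragment.
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
TLS_FRAGMENT = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.80", 51234, 80, HTTP_REQUEST),
    build_frame("10.0.0.5", "10.0.0.81", 51235, 443, TLS_FRAGMENT),
]

if __name__ == "__main__":
    flows, creds = sniff(CAPTURE)
    for key, nbytes in flows.items():
        print("flow", key, nbytes, "bytes")
    print("credentials seen on the wire:", creds)
```

The same parser serves the network manager (the flow table) and the thief (the credential list); the only thing that separates the two is whether the application layer was encrypted.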
15) Pharming
Pharming is "the redirection of legitimate Web traffic (e.g., browser
requests) to an illegitimate site for the purpose of obtaining private
information." Pharming often uses Trojans, worms, or other virus
technologies to attack the Internet browser's address bar so that the
valid URL typed by the user is modified to that of the illegitimate Web
site. In practice the usual mechanism is tampering with name resolution,
either the local hosts file or a poisoned DNS cache, so that the hostname
the user typed resolves to the attacker's server; unlike phishing, the
victim does not have to click a deceptive link.
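Worked example, added here and not part of the reviewer: a Python check for the hosts-file form of pharming, in which malware pins a bank or login hostname to an attacker-controlled address so the correctly typed name resolves to the wrong server. The hosts file content, the watched hostnames and the injected 203.0.113.7 entry are all constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts file; the 203.0.113.7 line is the kind of entry a pharming Trojan plants.
HOSTS_FILE = """\
# hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.example
203.0.113.7     www.bank.example bank.example   # injected by malware
0.0.0.0         ads.example
"""

# Hypothetical list of hostnames worth guarding (banking, SSO, webmail).
WATCHED = {"bank.example", "login.example", "mail.example"}

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments, blank lines and non-address lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def _is_watched(name: str) -> bool:
    """Match the hostname itself or any subdomain of a watched name."""
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Watched hostnames pinned to a real address, i.e. redirected rather than merely blocked."""
    hits: List[Tuple[str, str]] = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if _is_watched(name) and addr not in LOOPBACK and not addr.is_unspecified:
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_entries(HOSTS_FILE):
        print(f"PHARMING? {name} is pinned to {ip}")
```

Loopback and 0.0.0.0 entries are treated as blocking rather than redirection, since ad-blocking lists use that form legitimately; a watched name pointing anywhere else is the signature of a pharming override and should be compared with what the organization's resolver returns.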