In this chapter, we explained the fundamental information security concepts and principles, looked at what constitutes good security architectures and practices, and learned that good practices include people, processes, and technology working in concert. We also discussed the concepts of accountability, authentication, authorization, privacy, confidentiality, integrity, and non-repudiation, as well as types and functionalities of information security controls and the importance of information systems governance.
Here are some of the key points from the certification objectives in Chapter 1.
Information security is the confidentiality, integrity, and availability of information.
Confidentiality is the prevention of unauthorized disclosure of information.
Integrity is the means of ensuring that information is protected from unauthorized or unintentional alteration, modification, or deletion.
Availability ensures that information is readily accessible to authorized viewers at all times.
Identification is the means by which a user (human, system, or process) provides a claimed unique identity to a system.
Authentication is a method for proving that you are who you say you are.
Strong authentication is the use of two or more different authentication methods, such as a smart card and PIN, or a password and a form of biometrics, such as a fingerprint or retina scan.
Authorization is the process of ensuring that a user has sufficient rights to perform the requested operation and preventing those without sufficient rights from doing the same.
The principle of least privilege stipulates that one should not be assigned any more privileges than those absolutely necessary to do the required job.
The purpose of the segregation (or separation) of duties is to avoid the possibility of a single person being responsible for a variety of functions within an organization. Rotation of duties is a similar control that is intended to detect abuse of privileges or fraud and is a practice that helps the organization avoid becoming overly dependent on a single member of staff. By rotating staff, the organization has more chances of discovering violations or fraud.
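The summary above separates identification (a claimed identity), strong authentication (two different factors), authorization under least privilege, and segregation of duties. The following Python model, added here as an illustration and not taken from the book, shows how those four concepts fit together in code. All users, secrets, token serials and permission names are constructed sample data; the "what you have" factor is simplified to a token serial string so the example runs offline.

```python
"""
Added example (not from the book): a minimal model of identification,
strong (two-factor) authentication, least-privilege authorization and
segregation of duties. All users, secrets and permissions are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a stolen credential store cannot be reversed cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str                      # identification: the claimed identity
    salt: bytes
    password_hash: bytes           # "what you know" factor
    token_serial: str              # "what you have" factor (hypothetical token id)
    permissions: set = field(default_factory=set)  # least privilege: explicit grants only


class AuthSystem:
    def __init__(self):
        self.users = {}
        self.audit = []            # audit trail: the basis for accountability

    def add_user(self, name, password, token_serial, permissions):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_password(password, salt),
                                token_serial, set(permissions))

    def authenticate(self, name, password, presented_token):
        """Strong authentication: both factors must verify for the claimed identity."""
        user = self.users.get(name)
        if user is None:
            self.audit.append(("auth_fail", name, "unknown identity"))
            return False
        pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
        token_ok = hmac.compare_digest(presented_token, user.token_serial)
        ok = pw_ok and token_ok
        self.audit.append(("auth_ok" if ok else "auth_fail", name, "two-factor"))
        return ok

    def authorize(self, name, permission):
        """Default deny: only an explicitly granted permission is allowed."""
        user = self.users.get(name)
        allowed = user is not None and permission in user.permissions
        self.audit.append(("authz_allow" if allowed else "authz_deny", name, permission))
        return allowed


class PaymentWorkflow:
    """Segregation of duties: whoever initiates a payment may not approve it."""

    def __init__(self, auth):
        self.auth = auth
        self.payments = {}

    def initiate(self, name, payment_id):
        if not self.auth.authorize(name, "payment:initiate"):
            return False
        self.payments[payment_id] = {"initiator": name, "approved": False}
        return True

    def approve(self, name, payment_id):
        p = self.payments.get(payment_id)
        if p is None or not self.auth.authorize(name, "payment:approve"):
            return False
        if p["initiator"] == name:
            self.auth.audit.append(("sod_violation", name, payment_id))
            return False
        p["approved"] = True
        return True


def demo():
    """Runs the scenario on constructed users and returns each outcome."""
    auth = AuthSystem()
    auth.add_user("alice", "correct horse", "TOKEN-0001", {"payment:initiate"})
    auth.add_user("bob", "battery staple", "TOKEN-0002",
                  {"payment:initiate", "payment:approve"})
    wf = PaymentWorkflow(auth)
    return {
        "alice_pw_only": auth.authenticate("alice", "correct horse", "WRONG"),
        "alice_2fa": auth.authenticate("alice", "correct horse", "TOKEN-0001"),
        "alice_initiates": wf.initiate("alice", "P1"),
        "alice_approves_own": wf.approve("alice", "P1"),   # denied: no approve right
        "bob_approves": wf.approve("bob", "P1"),
        "bob_initiates_P2": wf.initiate("bob", "P2"),
        "bob_approves_own": wf.approve("bob", "P2"),       # denied: segregation of duties
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Note that the password alone never authenticates, the permission check is default-deny, and the segregation-of-duties rule blocks Bob even though his role holds both permissions; every decision is appended to the audit list, which is what makes the outcome attributable to a user.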
The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.
1. What is the purpose of audit trails and logs?
2. Fingerprints can be used for
3. What type of control is intended to offset deficiencies of other controls?
4. What is strong authentication?
5. The principle of least privilege applies only to user accounts.
6. The principle of isolating process spaces from each other is known as
7. Surveys show that most organizations are at which level of the information security maturity model?
8. Privacy is a concern in which of the following industries?
9. What is assurance?
10. Information security policies and procedures are a(n)
11. In an information security context, names must be
12. What risks apply to "what you have" authentication methods? (Choose all that apply.)
Answers
1. ✓ C. The purpose of audit trails and logs is to provide accountability in information systems. ✗ A is correct but is not the best answer; choices B and D are wrong. Whether audit trails and logs can be used in court proceedings depends on the particular jurisdiction and is outside the scope of this book; audit trails and logs are detective controls but may function as deterrent controls as well when their existence is known to potential attackers.
2. ✓ B. Fingerprints can be used for "what you are" (biometric) authentication. ✗ A is wrong because "what you have" authentication refers to token-based authentication mechanisms. C is wrong because there is no such term as biological identification in information security. D is wrong because the use of fingerprints does not simplify authentication or identification, since it requires additional configuration and tuning.
3. ✓ C. Compensating controls offset deficiencies of other controls. ✗ There is no such term as defensive controls in information security, so that rules out B. Choices A and D are incorrect because preventive controls aim to prevent security violations and recovery controls are not intended to offset deficiencies of other controls.
4. ✓ C. At least two different authentication methods are necessary for strong authentication. ✗ Long passwords do not provide strong authentication on their own, so answer A is not correct. Strong authentication does not necessarily require the use of smart cards, as stated in B. And C is wrong because biometrics does not necessarily provide strong authentication on its own.
5. ✓ B. The principle of least privilege does not apply only to user accounts but is a universally applicable principle. ✗ The other answers are incorrect because the principle of least privilege has no relation to the use of good passwords and is not dependent on a particular operating system or environment.
6. ✓ D. Compartmentalization is the isolation of process spaces from each other in order to minimize the effect of a security violation in one compartment on another. ✗ Answer A, virtualization, is a related concept but is not the correct answer. B is wrong because compartmentalization is the correct term. C is wrong because defense in depth is about using several types and/or layers of defense.
7. ✓ D. Most organizations are at the repeatable level of the information security maturity model. ✗ C is inappropriate because it refers to a type of control. The other choices are wrong because surveys show that most organizations are at the repeatable level.
8. ✓ D. All of the above. Privacy is a concern in all industries, because organizations in all industries collect, process, and store personal information of employees, clients, and partners.
9. ✓ C. Assurance is about the trustworthiness of a system. ✗ A is wrong because there is no such type of insurance. B is wrong because, although a written security policy is always required, it is not a guarantee of assurance. D is wrong because the use of MAC does not guarantee assurance.
10. ✓ B. Information security policies and procedures are an administrative control. ✗ A is wrong because policies and procedures are not a technical control. C is wrong because policies and procedures are not a form of access control. D is wrong because, although policies and procedures address operational controls, choice B is a better answer.
11. ✓ A. Names must be unique locally. ✗ B is wrong because names may be unique globally, but that is not necessary. C is wrong because names may be standardized, but that is not mandatory. D is wrong because names are not necessarily secret.
12. ✓ B and C are correct because "what you have" authentication methods are subject to the same risks (such as theft and damage) as regular keys, and they are subject to the same general risks that apply to all authentication methods (such as unauthorized access). ✗ A is wrong because the risks of "what you are" and "what you have" authentication methods are different, and D is wrong because it doesn't make sense.
13. Who must be ultimately responsible for information security within organizations?
14. Fundamental security principles
15. Information systems governance is about what?
16. What is the advantage of Role-Based Access Control (RBAC) over Discretionary Access Control (DAC)?
17. Which authentication method is the most complex to administer?
18. What is the purpose of choke points?
19. What is the purpose of authentication?
20. What is the benefit of cost-benefit analysis? (Choose all that apply.)
Answers
13. ✓ C. Top management must be ultimately responsible for information security within an organization. ✗ A is incorrect because information security professionals advise management and implement management's decisions. B is wrong because information systems auditors report on the organization's security to the board of directors and/or the stockholders. D is incorrect because stockholders appoint management and are not involved in day-to-day management.
14. ✓ B. Fundamental security principles apply to most information systems. ✗ A is wrong because it is not the best available answer. C is wrong because fundamental security principles do not apply only to enterprise systems, and D is wrong because fundamental security principles are not system dependent.
15. ✓ E. All of the answers are correct.
16. ✓ C. RBAC improves the management of access control and authorizations by introducing the concept of roles distinct from individual users. ✗ A is wrong because RBAC has advantages over DAC; B is wrong because RBAC is not an improved version of DAC; D is wrong because it doesn't make sense.
17. ✓ C. "What you are" (biometrics) is inherently more complex to administer than "what you have" or "what you know" authentication methods. ✗ A, B, and D are incorrect because none of these methods is as difficult to administer as "what you are."
18. ✓ D. Choke points are logical "narrow channels" that can be easily monitored and controlled. ✗ A is wrong because choke points are not used to isolate firewalls. Choke points do not affect the confidentiality of information, so B is wrong. And C is not the answer because choke points are not protocol-dependent.
19. ✓ E. All of the above. Authentication is needed to obtain proof of a claimed identity, to implement access control, to establish accountability, and to allow for different users with different authorizations.
20. ✓ A, B, and D. Cost-benefit analysis is necessary because organizations cannot reduce all risks to zero, it increases an organization's return on investment, and it is a good governance practice. ✗ C is wrong because cost-benefit analysis is not related to, and does not prevent, denial of service attacks.