Tuesday, February 24, 2009

Live CDs Assignment - 2

1. What is the National Institute of Standards and Technology (NIST)?

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.


2. What role does NIST play in information assurance?

NIST develops the standards and guidelines that federal agencies use to secure their information systems: the Federal Information Processing Standards (FIPS) and the Special Publication 800 series. SP 800-30, the guide this assignment is based on, is one of those publications. It provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks.


3. What is the purpose of NIST Special Publication 800-30?

NIST Special Publication 800-30 (Risk Management Guide for Information Technology Systems) provides guidance for conducting risk assessments and risk mitigation within federal IT systems. It is written for federal organizations, but non-governmental organizations that process sensitive information may use it on a voluntary basis. Its guidelines are not mandatory or binding standards.


4. What is the principal goal of an organization’s risk management process?

The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.


5. According to NIST, what three processes compose risk management?

Risk assessment
Risk mitigation
Evaluation and assessment


6. How does risk management relate to the System Development Life Cycle (SDLC)?

Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. Risk management is an iterative process that can be performed during each major phase of the SDLC.
For example, in phase 1 of the SDLC (initiation) the need for an IT system is expressed and the purpose and scope of the IT system are documented. Here, identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).


7. NIST 800-30 defines seven Information Assurance “key roles”. Name and briefly describe them.

i. Senior management: the key stakeholders who, under the standard of due care and ultimate responsibility for mission accomplishment, ensure that the necessary resources are applied and support the risk management program.
ii. Chief Information Officer (CIO): responsible for the organization's IT planning, budgeting and performance, including its security components; decisions in these areas should be based on an effective risk management program.
iii. System and Information Owners: responsible for ensuring that proper controls are in place to address the integrity, confidentiality and availability of their IT systems and data; they typically approve changes to their systems and must understand and support the risk management process.
iv. Business and functional managers: the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment; their involvement in the risk management process enables security to be achieved for their systems.
v. IT security program managers and Information System Security Officers (ISSO): responsible for their organizations' security programs, including risk management, and therefore the ones who play the leading role in introducing a structured methodology to identify, evaluate and minimize risks to IT systems.
vi. IT security practitioners: network, system, application and database administrators, computer specialists, security analysts and security consultants, who are responsible for properly implementing security requirements in their IT systems and for supporting risk assessment when changes occur.
vii. Security awareness trainers: responsible for developing appropriate training materials and incorporating risk assessment into training programs to educate end users.


8. How does NIST 800-30 define risk?

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.


9. How does NIST 800-30 define a threat?

A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability.


10. How is a threat source defined? In your answer, name three common threat sources.

A threat-source is any circumstance or event with the potential to cause harm to an IT system: either intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger one. The common threat sources are natural (floods, earthquakes, tornadoes), human (unintentional acts such as data entry errors, or deliberate acts such as network attacks, malicious software upload or unauthorized access), and environmental (long-term power failure, pollution, chemicals, liquid leakage).


11. How does NIST 800-30 define vulnerability?

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.


12. According to NIST, whose responsibility is IT Security? (Technical or management)

Management. NIST assigns responsibility for an organization's IT security program, including risk management, to the IT security program managers and computer security officers, with senior management bearing ultimate responsibility for the mission. Technical staff (the IT security practitioners) implement the security requirements, but they do not own the risk or the decision to accept it.


13. Used appropriately, what does a security control accomplish?

As it is impractical or close to impossible to eliminate all risks, properly applied security controls could decrease project/mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.


14. Define, compare, and contrast technical controls, management controls, and operational controls.

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware.

Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.

Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained.


15. How can the adverse impact of a security event be described?

The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of three security goals:
• Integrity of system and data
• Availability of the critical system to the end users
• Confidentiality, i.e., the protection of system and data from unauthorized disclosure.


16. Describe the difference between quantitative and qualitative assessment?

Qualitative techniques are easier to apply and generally require less effort. They rate likelihood and impact on a scale such as High, Medium and Low, which is often sufficient for rank-ordering risks and selecting the most significant ones for treatment. Their disadvantage is that they do not provide specific, quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult.

Quantitative methods strive for greater precision and reveal more about each risk. They require more work, but in addition to sequencing the risks from most to least significant they provide a measurement of the impact's magnitude (for example, an expected annual loss in dollars) that can be used directly in the cost-benefit analysis of recommended controls and in estimating schedule or budget reserves. Their disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the result may be unclear, requiring it to be interpreted in a qualitative manner.
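As an added worked example (not part of the original assignment and not code from SP 800-30 itself), the Python below puts the two approaches from questions 8, 13 and 16 side by side. The likelihood values (1.0/0.5/0.1), impact values (100/50/10) and the Low/Medium/High risk scale are the ones SP 800-30 gives in its risk-level matrix; the quantitative ALE = SLE x ARO formula is the conventional method, not something 800-30 prescribes; and the web-server scenario, its dollar figures and its control costs are constructed for illustration.

```python
"""Added worked example: SP 800-30 qualitative risk levels next to a
conventional quantitative (ALE) cost-benefit check.

The likelihood and impact values and the Low/Medium/High risk scale follow
SP 800-30 Table 3-6. The ALE = SLE x ARO formula is the usual quantitative
method, not something 800-30 prescribes, and all scenario figures below are
constructed for illustration.
"""
from dataclasses import dataclass

# SP 800-30 likelihood ratings are 1.0, 0.5 and 0.1; they are stored x10 here
# so every product is an exact integer, and the /10 below restores the scale.
LIKELIHOOD_X10 = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def qualitative_risk(likelihood: str, impact: str) -> tuple[float, str]:
    """Return (risk score, risk level) per the SP 800-30 risk-level matrix.

    Score = likelihood x impact; Low is 1 to 10, Medium >10 to 50, High >50 to 100.
    """
    score = LIKELIHOOD_X10[likelihood] * IMPACT[impact] / 10
    if score > 50:
        level = "High"
    elif score > 10:
        level = "Medium"
    else:
        level = "Low"
    return score, level


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pair expressed quantitatively (constructed data)."""
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year


def ale(scenario: Scenario) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return scenario.sle * scenario.aro


def control_worth_it(before: Scenario, after: Scenario,
                     annual_control_cost: float) -> tuple[float, bool]:
    """Net annual benefit of a control and whether it pays for itself.

    SP 800-30 section 4.5: a control is cost-effective when the risk reduction
    it provides is worth more than it costs; otherwise look for another control.
    """
    net_benefit = ale(before) - ale(after) - annual_control_cost
    return net_benefit, net_benefit > 0


# Constructed scenario: a public web server with an unpatched service.
# Before: a compromise is expected about every two years and costs $40,000.
# After patching plus tested backups: about once every four years, $8,000.
UNPATCHED = Scenario("web server compromise (no controls)", sle=40_000, aro=0.5)
PATCHED = Scenario("web server compromise (patching + backups)", sle=8_000, aro=0.25)

if __name__ == "__main__":
    # Qualitative view: three different pairs; note that two of them both
    # come out "Medium", which is why a cost comparison needs the numbers.
    for lk, im in [("High", "Medium"), ("Medium", "High"), ("Low", "High")]:
        print(f"likelihood={lk:6} impact={im:6} -> {qualitative_risk(lk, im)}")
    # Quantitative view: the same control judged at two different price tags.
    for cost in (8_000, 25_000):
        net, ok = control_worth_it(UNPATCHED, PATCHED, cost)
        print(f"control cost ${cost:>6,}: net benefit ${net:>9,.0f} -> {'adopt' if ok else 'reject'}")
```

The qualitative half shows the limitation the answer above describes: a High-likelihood/Medium-impact pair and a Medium-likelihood/High-impact pair both score 50 and both rate "Medium", so the rating alone cannot tell you which one deserves the budget. The quantitative half shows why the extra work pays off: the same control that is clearly worth adopting at $8,000 a year is a net loss at $25,000 a year, a distinction the qualitative scale cannot express. Whatever residual risk remains after the chosen control (here, the $2,000 annual expectancy) is what management must explicitly accept.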


17. Name and describe six risk mitigation options.

Risk Assumption: To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting preventive, detective controls)
Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
Research and Acknowledgment: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.


18. Name and describe the three control categories.

Supporting Controls: generic controls that underlie most IT security capabilities (e.g., identification, cryptographic key management, security administration, system protections). These controls must be in place in order to implement other controls.
Preventive Controls: controls that focus on preventing security breaches from occurring in the first place (e.g., authentication, authorization, access control enforcement, non-repudiation, protected communications).
Detection and Recovery Controls: controls that focus on detecting and recovering from a security breach (e.g., audit, intrusion detection and containment, restoration to a secure state, virus detection and eradication).


19. Define residual risk.

Residual risk is the risk remaining after new or enhanced controls have been implemented. Practically no IT system is risk free, and not every control eliminates the risk it is meant to address, so some residual risk always remains; it must either be reduced further or be formally accepted by the authorizing official before the system is authorized to operate.

Monday, February 23, 2009

Assignment 4

Dangerous Bug in Adobe Reader

Link to article: (http://www.idm.net.au/story.asp?id=16621)

I selected this article because of the product. Adobe is the maker of a wide variety of software products. Adobe Reader, I would say, would have to be their most widely used application. It is used not only by businesses but also by home users. Adobe Reader is to PDF what Windows is to operating systems. Yes, there are other products out there, but the majority of consumers only know the big names. With this being one of, if not the, most widely used Adobe applications, the effects of someone exploiting this bug would be hard to believe.

This article was important to me because Adobe came out and informed everyone of the issue. Not only did they inform the public, but they also posted a temporary fix for the problem until they could release a patch.

"Adobe has warned that a critical flaw has been discovered in its Acrobat reader, and has recommended users disable Javascript until the bug has been fixed."

Assignment 2


Malware in disguise

Link to article: (http://www.pcworld.com/businesscenter/article/159974/scam_antivirus_app_spreads_malware.html)

One of the biggest issues in the online world today is malware. Malware, also known as malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. It is hard to believe that someone or something can destroy your computer without being right in front of it. Many computer buyers know what viruses are and how you get them. Yet they figure that their antivirus software will catch and stop all of that stuff. Well, what happens when the software you knowingly install is the actual issue? Who would knowingly install a virus or malware program on their own machine? Well, when it is in disguise, many people would, and have, especially in this case.

I chose this article because I like to keep people informed about the threats and issues out there and how to avoid them. This article talks about the variety of antivirus software out there on the web for download that does not do what it says, but in fact does the opposite.


"Web users have been warned about a new scam that posts fake product reviews in a bid to encourage people to buy a rogue security application called Anti-virus-1. The app is one of a number of bogus security products which promise to provide protection against the latest online threats, but instead have been designed to spread malware or hold users' PCs to ransom."

I believe the article I chose is important because it lets people know that what they think is safe might not truly be safe. When it comes to the Internet, it is always good to try to get your information from viable sources and not random websites. Sadly, in the case of Anti-virus-1 the fake reviews did make their way to well-known review sites.

So what can you do to try to help keep your machine and personal items safe? You can stick with the products that you know. Now I am not saying that these will stop 100% of everything out there, but they will help, and running more than one on your machine at a time will help increase your protection chances.

I have included a list of antivirus software I have used and currently use. I am not saying these are the best, because there are a lot out there. I am only saying these are the ones I have used in the past, and I am still using certain ones today.

Antivirus Software:

Free
Avast: http://www.avast.com/
AVG: http://free.avg.com/

Commercial
Norton: http://www.symantec.com/norton/index.jsp
McAfee: http://www.mcafee.com/us/

References:

http://en.wikipedia.org/wiki/Malware

Saturday, January 31, 2009

Live CD

What is a Live CD?


A Live CD or LiveCD or CD Live Distro is a computer operating system that is executed upon boot, without installation to a hard disk drive. Typically, the LiveDistro is named after the bootable medium it is stored on, such as a CD-ROM or DVD (Live CD/DVD) or a USB flash drive (Live USB).

The term "live" comes from the fact that these "distros", or software distributions, each contain a complete, functioning and operational Operating System on the distribution medium. A LiveDistro does not change the Operating System or files already installed on the computer hard drive unless told to do so.


Benefits and Disadvantages


The benefits and disadvantages are much the same across all Live Distro media types, but some advantages and disadvantages vary depending on the media being used.


I myself prefer Live USBs over CDs because the data contained on the USB can be changed and additional data stored on the same device. This allows me to add additional information to my USB that would not be allowed on a CD. With my USB I can actually save all my settings, so the next time I boot to it, no matter the machine, my past settings and preferences are saved. This is a big benefit because there are more and more open source tools being developed every day, along with updates for existing ones. This allows me to capture those updates and install the newer software without the worry of having to do it all over again the next time I sit down at a machine. Also, with the right size USB I can leave additional space on it for my own personal items that need to be used outside of the Live environment. This is one of the disadvantages to Live CDs.


Due to the small size of a lot of USBs, they can be taken anywhere you go, because they can be slipped into a shirt or pants pocket or even worn around the neck with a lanyard. Sadly, CDs do not travel as conveniently. The disadvantage to this wonderful portability is the loss factor. USBs are easier to lose, and with them getting smaller and smaller, it makes them that much easier to lose than before. So as a precaution I would recommend encryption when using USBs if you choose to carry any personal data on them.


With USBs being a solid state form of storage, there are no moving parts involved, which allows for faster performance when reading and writing data to them. We have stated that a Live CD cannot be modified, but when it comes to reading the data from it there is a lot more involved: the CD-ROM drive and the spinning of the CD, whereas the USB is accessed directly, so performance is much faster. Sadly there is a difference between USB 1 and USB 2, but with USB 3 on its way out, the newer the computer, the better the performance you will see with your Live USB.


Lastly, not that it will happen overnight, but a lot of laptops are moving away from CD-ROM drives and only have USB ports as the primary means of transferring and storing data. One of the most popular laptops without a CD-ROM drive would have to be the MacBook Air, and then the whole category of netbooks.

Variety


There are many flavors of Operating Systems that can be installed on LiveCDs and LiveUSBs.

Depending on the purpose, or who you ask, you will get different opinions on which is the best. I myself could not say either, but I can say which ones are the most noted for their features and performance.

Knoppix - is an operating system based on Debian designed to be run directly from a CD/DVD. Knoppix was developed by Linux consultant Klaus Knopper.

Slax - is a Linux Live CD operating system based on Slackware. It does not need to be installed on a computer system's hard drive; it boots and runs from either a CD or a USB drive. There is also an option to run Slax from RAM. Slax was developed by Tomáš Matějíček in the Czech Republic using the Linux Live scripts.

Ubuntu - is a computer operating system based on Debian GNU/Linux, a popular Linux distribution. Its name comes from the Zulu word "ubuntu", translated as "humanity to others", describing the ubuntu philosophy: "I am who I am because of those around me," a positive aspect of community. Ubuntu's goals include providing an up-to-date, stable operating system for the average user, with a strong focus on usability and ease of installation. Ubuntu has been rated as the most popular Linux distribution for the desktop, claiming approximately 30% of desktop Linux installations in 2007. Ubuntu is also used on some high profile servers, including those belonging to the Wikimedia Foundation.

References:


http://en.wikipedia.org/wiki/Live_CD

http://en.wikipedia.org/wiki/Live_USB

Monday, January 26, 2009

Assignment 1


ID Theft


Link to article: http://www.kristv.com/Global/story.asp?S=9696493

For my first journal/blog entry I chose not to write about a single identity theft incident, but about ways to protect yourself from identity theft. During my first class a slide was shown of some of the most notorious hackers ever, and then the next slide encompassed a variety of individuals called defenders. That is why I chose this article: as a future defender I am tasked with finding and educating people on ways to protect themselves from the attackers/hackers.
This article describes 11 different ways to protect yourself from identity theft. Singly, each one is very helpful, but together they make it very difficult for someone to obtain your identity, which makes it that much harder for someone to steal it. Not only did I choose this article because of the tips it gives, but for the brief reason it gives why taking each step is important. It gives a very brief description of how an identity thief could exploit each one if no precautions are taken.
With identity theft affecting millions of individuals a year, it is very important for people to know how to protect themselves.