Tuesday, February 24, 2009

Live CDs Assignment - 2

1. What is the National Institute for Standards and Technology (NIST)?

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.


2. What role does NIST play in information assurance?

This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.


3. What is the purpose of NIST Special Publication 800-30?

NIST Special Publication 800-30 is the document that provides guidelines which may be used by federal organizations and, possibly, by non-governmental organizations that process sensitive information. These guidelines are not mandatory or binding standards.


4. What is the principal goal of an organization’s risk management process?

The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.


5. According to NIST, what three processes compose risk management?

Risk assessment
Risk mitigation
Evaluation and assessment.


6. How does risk management relate to the System Development Life Cycle (SDLC)?

Minimizing negative impact on an organization and the need for a sound basis for decision making are the fundamental reasons organizations implement a risk management process for their IT systems. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. Risk management is an iterative process that can be performed during each major phase of the SDLC.
For example, in phase 1 of the SDLC the need for an IT system is expressed and the purpose and scope of the IT system are documented. Here, identified risks can be used to support the development of the system requirements, including security requirements, and a security concept of operations.


7. NIST 800-30 defines seven Information Assurance “key roles”. Name and briefly describe them.

i. Senior management: Senior management are the key stakeholders who support and provide all the resources required for successful risk management.
ii. Chief Information Officer (CIO): Responsible for the organization's IT planning, budgeting and performance, where decisions made are based on effective risk management.
iii. System and Information Owners: Responsible for ensuring the proper controls are in place to address the integrity, confidentiality and availability of IT systems; they approve changes in systems and should support risk management.
iv. Business and functional managers: These are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment.
v. ISSO: These are the leaders who introduce an appropriate, structured methodology to help identify, evaluate and minimize risks to the IT systems as part of risk management.
vi. IT security practitioners: Security analysts, computer specialists, and application and database administrators, who properly implement security requirements in their IT systems.
vii. Security Awareness Trainers: They are responsible for developing appropriate training materials and incorporating risk assessment into training programs to educate the end users.


8. How does NIST 800-30 define risk?

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.


9. How does NIST 800-30 define a threat?

A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability.


10. How is a threat source defined? In your answer, name three common threat sources.

A threat-source is defined as any circumstance or event with the potential to cause harm to an IT system. The common threat sources can be natural, human, or environmental.


11. How does NIST 800-30 define vulnerability?

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.


12. According to NIST, whose responsibility is IT Security? (Technical or management)

IT security program managers and computer security officers are responsible for their organizations’ IT security.


13. Used appropriately, what does a security control accomplish?

As it is impractical or close to impossible to eliminate all risks, properly applied security controls could decrease project/mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.


14. Define, compare, and contrast technical controls, management controls, and operational controls.

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware.

Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.

Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained.


15. How can the adverse impact of a security event be described?

The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of three security goals:
• Integrity of system and data
• Availability of the critical system to the end users
• Confidentiality, i.e., the protection of system and data from unauthorized disclosure.


16. Describe the difference between quantitative and qualitative assessment?

Qualitative techniques are easier to apply and generally require less effort. Qualitative risk assessment is often sufficient for rank-ordering risks, allowing you to select the most significant ones for application of management techniques. But it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.

Quantitative methods strive for greater precision, and they reveal more about each risk. These methods require more work but, in addition to allowing you to sequence the risks from most to least significant, quantitative analysis also provides data you can use to assess overall project risk and to estimate schedule and/or budget reserves for projects. Depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner.


17. Name and describe six risk mitigation options.

Risk Assumption: To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting preventive, detective controls)
Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
Research and Acknowledgment: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.


18. Name and describe the three control categories.

Support Controls: Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
Preventive Controls: Preventive controls focus on preventing security breaches from occurring in the first place.
Detection and Recovery: These controls focus on detecting and recovering from a security breach.


19. Define residual risk.

The risk remaining after the elimination of most of the risks, or after the implementation of new or enhanced controls, is the residual risk.
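As an added worked example (not part of the assignment or of NIST's own text), the risk definition from Q8, the rank-ordering from Q16 and the residual risk from Q19 carried through in Python. The numeric likelihood and impact scales are assumed from NIST SP 800-30 (2002), Section 3.7; the three-entry risk register is constructed.

```python
"""NIST SP 800-30 risk-level worked example (added here; not the page's own text).

Scales assumed from NIST SP 800-30 (2002), Section 3.7: likelihood High=1.0,
Medium=0.5, Low=0.1; impact High=100, Medium=50, Low=10; risk = likelihood x
impact, rated Low (1-10), Medium (>10-50) or High (>50-100)."""
from dataclasses import dataclass, replace
from typing import List, Optional

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class Risk:
    threat_source: str   # natural, human or environmental threat-source (Q10)
    vulnerability: str   # the flaw or weakness that source could exercise (Q11)
    likelihood: str      # High / Medium / Low
    impact: str          # High / Medium / Low


def risk_score(r: Risk) -> float:
    """Risk as a function of likelihood and resulting impact (Q8)."""
    return round(LIKELIHOOD[r.likelihood] * IMPACT[r.impact], 2)


def risk_level(r: Risk) -> str:
    """Map the score back onto the qualitative Low/Medium/High scale (Q16)."""
    s = risk_score(r)
    return "High" if s > 50 else "Medium" if s > 10 else "Low"


def rank_order(register: List[Risk]) -> List[Risk]:
    """Most significant risk first: the rank-ordering that qualitative assessment gives."""
    return sorted(register, key=risk_score, reverse=True)


def residual_risk(r: Risk, likelihood: Optional[str] = None,
                  impact: Optional[str] = None) -> Risk:
    """Risk remaining after a control changes likelihood and/or impact (Q19)."""
    return replace(r, likelihood=likelihood or r.likelihood, impact=impact or r.impact)


# Constructed register: three threat-source / vulnerability pairs.
REGISTER = [
    Risk("Flood", "Server room below grade", "Low", "High"),
    Risk("Unauthorized user", "Default password on admin console", "High", "High"),
    Risk("Careless employee", "No input validation in web app", "Medium", "Medium"),
]

if __name__ == "__main__":
    for r in rank_order(REGISTER):
        print(f"{risk_level(r):6} {risk_score(r):6.1f}  {r.threat_source}: {r.vulnerability}")
    # A preventive control (unique passwords plus MFA) lowers likelihood to Low.
    hardened = residual_risk(REGISTER[1], likelihood="Low")
    print("residual:", risk_level(hardened), risk_score(hardened))
```

The High/High entry scores 100 (High); after the preventive control its residual risk is 0.1 x 100 = 10, which the scale rates Low, so the remaining risk is what management must accept or mitigate further.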

Monday, February 23, 2009

Assignment 4

Dangerous Bug in Adobe Reader

Link to article: (http://www.idm.net.au/story.asp?id=16621)

I selected this article because of the product. Adobe is the maker of a wide variety of software products. Adobe Reader, I would say, would have to be their most widely used application. It is not only used by businesses, but also by home users. Adobe Reader is to PDF what Windows is to operating systems. Yes, there are other products out there, but the majority of consumers only know the big names. With this being one of, if not Adobe's, most widely used applications, it would be hard to believe the effects of someone exploiting this bug.

This article was important to me, because Adobe came out and informed everyone of the issue. Not only did they inform the public, but they also posted a temporary fix for the problem until they release a patch.

"Adobe has warned that a critical flaw has been discovered in its Acrobat reader, and has recommended users disable Javascript until the bug has been fixed."



Assignment 2


Malware in disguise

Link to article: (http://www.pcworld.com/businesscenter/article/159974/scam_antivirus_app_spreads_malware.html)

One of the biggest issues in the online world today is malware. Malware, also known as malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. Hard to believe that someone or something can destroy your computer without being right in front of it. Many computer buyers know what viruses are, and how you get them. Yet they figure that their antivirus software will catch and stop all of that stuff. Well, what happens when the software you knowingly install is the actual issue? Who would knowingly install a virus or malware program on their own machine? Well, when it is in disguise, many people would, and have, especially in this case.

I chose this article because I like to keep people informed about the threats and issues out there and how to avoid them. This article talks about the variety of antivirus software out there on the web for download that does not do what it says, but in fact does the opposite.


"Web users have been warned about a new scam that posts fake product reviews in a bid to encourage people to buy a rogue security application called Anti-virus-1. The app is one of a number of bogus security products which promise to provide protection against the latest online threats, but instead have been designed to spread malware or hold users' PCs to ransom."

I believe the article I chose is important because it lets people know that what they think is safe might not be truly safe. When it comes to the Internet, it is always good to try and get your information from viable sources and not random websites. Sadly, in the case of Anti-virus-1 the fake reviews did make their way to well-known review sites.

So what can you do to try and help keep your machine and personal items safe? You can stick with the products that you know. Now, I am not saying that these will stop 100% of everything out there, but they will help, and running more than one on your machine at a time will help increase your protection chances.

I have included a list of antivirus software I have used and currently use. I am not saying these are the best, because there are a lot out there. I am only saying these are the ones I have used in the past, and I am still currently using certain ones.



Antivirus Software:

Free
Avast: http://www.avast.com/
AVG: http://free.avg.com/

Commercial
Norton: http://www.symantec.com/norton/index.jsp
McAfee: http://www.mcafee.com/us/

References:

en.wikipedia.org/wiki/Malware