Information Security Midterm Exam Review
Tutorial 1
1. What type of security was dominant in the early years of computing?
Answer:
In the early years of computing, when security was addressed at all, it dealt only with the physical security of the computers themselves and not the data or the connections between the computers.
2. Who is known as the founder of the Internet?
To what project does it trace its origin?
Who initiated this project and for what purpose?
Answer:
Larry Roberts is known as the founder of the Internet.
The origin of today's Internet traces to the ARPANET project.
During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks. It became necessary to find a way to enable these mainframes to communicate with each other by means of a less cumbersome process than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information.
3. What layers of security should a successful organization have in place to protect its operations?
Answer:
(a) Physical security, to protect physical items, objects, or areas from unauthorized access and misuse.
(b) Personal security, to protect the individual or group of individuals who are authorized to access the organization and its operations.
(c) Operations security, to protect the details of a particular operation or series of activities.
(d) Communications security, to protect communications media, technology, and content.
(e) Network security, to protect networking components, connections, and contents.
(f) Information security, to protect information assets.
4. What are the three components of the CIA triangle?
What are they used for?
Answer:
The three components of the C.I.A. triangle are:
(a) Confidentiality (assurance that the information is shared only among authorized persons or organizations);
(b) Integrity (assurance that the information is complete and uncorrupted);
(c) Availability (assurance that the information systems and the necessary data are available for use when they are needed).
These three components have been considered the industry standard for computer security.
5. If the C.I.A. triangle is incomplete, why is it so commonly used in security?
Answer:
The CIA triangle is commonly used in security because it addresses the fundamental concerns of information security (i.e. confidentiality, integrity, and availability). It is still used even though it is not complete because it addresses the major concerns about the vulnerability of information systems, and it gives practitioners a shared, well-understood vocabulary for them.
6. Describe the critical characteristics of information. How are they used in the study of computer security?
Answer:
The critical characteristics of information define the value of information. Changing any one of its characteristics changes the value of the information itself. There are seven characteristics of information:
(a) Availability enables authorized users (i.e. persons or computer systems) to access information without interference or obstruction, and to receive it in the required format.
(b) Accuracy occurs when information is free from mistakes or errors and it has the value that the end user expects.
(c) Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred.
(d) Confidentiality is achieved when disclosure or exposure of information to unauthorized individuals or systems is prevented. Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
(e) Integrity of information is maintained when it is whole, complete, and uncorrupted.
(f) Utility of information is the quality or state of that information having value for some purpose or end. Information has value when it serves a particular purpose.
(g) Possession of information is the quality or state of ownership or control of some object or item. Information is said to be in one's possession if one obtains it, independent of format or other characteristics.
7. Identify the six components of an information system.
Which are most directly impacted by the study of computer security?
Which are most commonly associated with this study?
Answer:
The six components of an information system are: software, hardware, data, people, procedures, and networks.
People are the component most directly impacted by the study of computer security. People can be the weakest link in an organization's information security program, and unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can be used to manipulate the actions of people to obtain access to, or information about, a system.
Procedures (i.e. written instructions for accomplishing a specific task) are another component that is impacted. The information system is effectively secured by teaching employees to both follow and safeguard the procedures. Following procedure reduces the likelihood of employees erroneously introducing insecurities; proper education about the protection of procedures helps prevent the unauthorized access that is gained through social engineering.
Hardware and software are the components that are historically associated with the study of computer security. However, the IS component that created much of the need for increased computer and information security is networking.
Tutorial 2
1. How is the top-down approach to information security superior to the bottom-up approach?
Answer:
The top-down approach, in which the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action, has a higher probability of success. This approach has strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture. The most successful kind of top-down approach also involves a formal development strategy referred to as a systems development life cycle (SDLC).
2. Why is a methodology important in the implementation of information security?
How does a methodology improve the process?
Answer:
A methodology is a formal technique that has a structured sequence of procedures that is used to solve a problem. Methodology is important in the implementation of information security because it ensures that development is structured in an orderly, comprehensive fashion. The methodology unifies the process of identifying specific threats and the creation of specific controls to counter those threats into a coherent program. Thus, a methodology is important in the implementation of information security for two main reasons.
(a) First, it entails all the rigorous steps for the organization's employees to follow, therefore avoiding any unnecessary mistakes that may compromise the end goal (i.e., to have a comprehensive security posture).
(b) Second, methodology increases the probability of success. Once a methodology is adopted, the personnel selected will be responsible for establishing key milestones and made accountable for achieving the project goals.
The methodology can greatly improve the process. For example, following the six steps of the SDLC (Systems Development Life Cycle) allows development to proceed in an orderly, comprehensive fashion. Individuals or groups assigned to do the analysis step do not have to initiate their work until the investigation step is completely finished. Moreover, each step of the methodology may determine whether the project should be continued, discontinued, outsourced, or postponed. For example, the physical design step may need to be postponed or outsourced if the organization does not possess the technology needed.
3. Who is involved in the security systems development life cycle?
Who leads the process?
Answer:
Initiation and control of the SecSDLC is the responsibility of upper management. Responsible managers, contractors and employees are then utilized to execute the SecSDLC.
The process is usually led by a senior executive, sometimes called the champion, who promotes the project and secures financial, administrative, and company-wide backing for it. A project manager is then assigned the task of managing the project.
4. How does the practice of information security qualify as both an art and a science?
How does security as a social science influence its practice?
Answer:
The practice of information security is a never-ending process. An effective information security practice must be considered as a tripod that rests on three important aspects (science, art, and social science):
(a) First, information security is a science because it requires various kinds of tools and technologies used for technical purposes. It can also include sound information security plans and policies that may dictate the need for particular technologies.
(b) Second, information security is also an art because there are no clear-cut rules on how to install various security mechanisms. Different factors such as budgets, time, threats, risks, vulnerabilities, and asset values can significantly affect the numbers and types of passive and active controls an organization needs. The overall goal is for the organization to have a sound information security posture that reduces the risk of a successful attack as much as possible.
(c) Third, and most importantly, information security must be looked at as a social science mainly because social scienc