p.34
#1: A threat is an object, person, or other entity that represents a constant danger to an asset; a threat agent is a specific instance or component of a threat that actually endangers an organization's assets. Threats can be accidental or deliberate, for example lightning strikes or hackers. In summary, the difference between a threat and a threat agent is that a threat is a constant danger to an asset, whereas a threat agent is the specific facilitator of an attack.
#4: Early security was entirely physical security.
#5: Confidentiality: Information should be accessible only to its intended recipients.
Integrity: Information should arrive exactly as it was sent, unaltered.
Availability: Information should be available to those authorized to use it, when they need it.
#10: Rand Report R-609
#11: A bottom-up approach lacks a number of critical features, such as participant support and organizational staying power, whereas a top-down approach has strong upper-management support, dedicated funding, clear planning, and the opportunity to influence the organization's culture.
p.83-84
#3: Both general management and IT management are responsible for implementing information security that protects the organization's ability to function.
#9: A skilled hacker develops software and code exploits and masters many technologies, such as programming, network protocols, and operating systems. The unskilled hacker uses expert-written software to exploit a system, usually with little knowledge of how it works. The good news for defending against skilled hackers is that there are very few of them, but if one decides to attack your system, there is not much you can do to stop them. On the other hand, unskilled hackers who attack a system will usually be stopped by its protections, because they are predictable and easy to defend against.
#13: Force majeure = force of nature.
The concern depends on location: Los Angeles might worry about earthquakes, dust, and wildfire; tornadoes would be the concern in Oklahoma; hurricanes (or their remnants) might be a problem in Atlanta, etc.
#17: A denial-of-service (DoS) attack is a single source sending a large number of connection requests or messages in an attempt to overwhelm a target server. A distributed denial-of-service (DDoS) attack is when many sources (usually many compromised systems under one attacker's control) simultaneously perform a denial-of-service attack against the same target.
The distributed denial-of-service attack is more dangerous because, unlike a denial-of-service attack, there is no single source you can block, and each individual source may look like a normal client; there is no easy way to overcome it.
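The difference between the two attacks shows up in how you would detect them. The following C program is an added example, not code from the page or the textbook: it tallies connection attempts per source address over constructed log lines (the "src=<ip>" format, the thresholds, and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are all assumptions chosen for the demonstration). A single-source flood has one address far above the per-source limit, so blocking that address ends it; a distributed flood keeps every source under that limit while the total still exceeds what the target can absorb, which is exactly why per-source blocking does not help.

```c
#include <stdio.h>
#include <string.h>

/* Classification of a burst of connection attempts against one target. */
enum flood_kind { FLOOD_NONE = 0, FLOOD_SINGLE_SOURCE = 1, FLOOD_DISTRIBUTED = 2 };

#define MAX_SOURCES 64
#define MAX_LINES 300
#define PER_SOURCE_LIMIT 50   /* assumed policy: block any one address busier than this */
#define AGGREGATE_LIMIT 200   /* assumed capacity: total attempts the target can absorb */

struct source_count {
    char ip[16];
    int attempts;
};

/* Tally attempts per source from lines of the constructed form
 * "<timestamp> src=<ip> dst=<ip> SYN". Returns the number of distinct
 * sources recorded (at most MAX_SOURCES); *total counts every parsed line. */
static int tally_sources(const char *const *lines, int nlines,
                         struct source_count *table, int *total)
{
    int nsrc = 0;
    *total = 0;
    for (int i = 0; i < nlines; i++) {
        char ip[16];
        if (sscanf(lines[i], "%*s src=%15s", ip) != 1)
            continue;                          /* malformed line: skip it */
        (*total)++;
        int j;
        for (j = 0; j < nsrc; j++)
            if (strcmp(table[j].ip, ip) == 0)
                break;
        if (j == nsrc) {
            if (nsrc == MAX_SOURCES)
                continue;                      /* table full: counted in total only */
            snprintf(table[nsrc].ip, sizeof table[nsrc].ip, "%s", ip);
            table[nsrc].attempts = 0;
            nsrc++;
        }
        table[j].attempts++;
    }
    return nsrc;
}

/* Single-source flood: one address above PER_SOURCE_LIMIT (copied into
 * top_ip when given) that a block rule would stop. Distributed flood: every
 * source under the limit, yet the total exceeds AGGREGATE_LIMIT. */
static enum flood_kind classify_flood(const char *const *lines, int nlines,
                                      char *top_ip, size_t top_ip_len)
{
    struct source_count table[MAX_SOURCES];
    int total;
    int nsrc = tally_sources(lines, nlines, table, &total);
    int top = 0;
    for (int j = 1; j < nsrc; j++)
        if (table[j].attempts > table[top].attempts)
            top = j;
    if (nsrc > 0 && top_ip != NULL)
        snprintf(top_ip, top_ip_len, "%s", table[top].ip);
    if (nsrc > 0 && table[top].attempts > PER_SOURCE_LIMIT)
        return FLOOD_SINGLE_SOURCE;
    if (total > AGGREGATE_LIMIT)
        return FLOOD_DISTRIBUTED;
    return FLOOD_NONE;
}

static char line_store[MAX_LINES][64];
static const char *line_ptrs[MAX_LINES];

/* Build a constructed log: nsources addresses in the 203.0.113.0/24
 * documentation range each send per_source SYNs to one target. */
static int build_log(int nsources, int per_source)
{
    int n = 0;
    for (int s = 0; s < nsources; s++)
        for (int k = 0; k < per_source && n < MAX_LINES; k++, n++) {
            snprintf(line_store[n], sizeof line_store[n],
                     "2024-05-01T10:00:%02d src=203.0.113.%d dst=198.51.100.7 SYN",
                     k % 60, s + 1);
            line_ptrs[n] = line_store[n];
        }
    return n;
}

/* Ordinary traffic: five clients, three attempts each. */
enum flood_kind demo_normal(char *ip, size_t iplen)
{
    return classify_flood(line_ptrs, build_log(5, 3), ip, iplen);
}

/* One attacker sending 60 attempts: a denial-of-service with an obvious source. */
enum flood_kind demo_single_source(char *ip, size_t iplen)
{
    return classify_flood(line_ptrs, build_log(1, 60), ip, iplen);
}

/* Thirty compromised hosts sending 8 attempts each (240 total): every source
 * stays under the per-source limit, so blocking any one address does not help. */
enum flood_kind demo_distributed(char *ip, size_t iplen)
{
    return classify_flood(line_ptrs, build_log(30, 8), ip, iplen);
}

int main(void)
{
    char ip[16];
    printf("normal:        kind=%d top=%s\n", demo_normal(ip, sizeof ip), ip);
    printf("single source: kind=%d top=%s\n", demo_single_source(ip, sizeof ip), ip);
    printf("distributed:   kind=%d top=%s\n", demo_distributed(ip, sizeof ip), ip);
    return 0;
}
```

The thresholds are the design decision: a real deployment would tune PER_SOURCE_LIMIT to what one legitimate client can plausibly do and AGGREGATE_LIMIT to measured server capacity, and would add rate windows, but the structure of the two cases stays the same.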
#20: A buffer overflow occurs when more data is sent than the receiver's buffer can hold, so the excess overwrites adjacent application memory that was never part of the buffer. A buffer overflow on a web server may allow an attacker to run executable code on the web server, either manipulating files directly or creating a backdoor for later use.
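The adjacent-memory overwrite described above, as an added C example (not code from the page or the textbook): a 16-byte request buffer is immediately followed by an "authenticated" flag, and a request four bytes too long lands on that flag. The layout, the flag, and the payload are constructed assumptions, and both are placed in one byte array so the overwrite is deterministic rather than undefined behaviour; it models the data corruption, not the code-execution step, and pairs the unchecked copy with its bounded replacement.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 16-byte request buffer immediately followed by a
 * 4-byte "authenticated" flag, as a struct on the stack or heap might place
 * them. Both live in one byte array so the overwrite stays inside memory we
 * own and the result is deterministic. */
#define BUF_SIZE 16
#define FLAG_OFFSET BUF_SIZE
#define REGION_SIZE (BUF_SIZE + 4)

static int read_flag(const unsigned char *region)
{
    int flag;
    memcpy(&flag, region + FLAG_OFFSET, sizeof flag);
    return flag;
}

/* Vulnerable: copies as many bytes as the peer claims to have sent, with no
 * check against BUF_SIZE, so bytes 16..19 of the input land on the flag. */
static void copy_request_vulnerable(unsigned char *region,
                                    const unsigned char *input, size_t len)
{
    for (size_t i = 0; i < len; i++)
        region[i] = input[i];
}

/* Hardened: rejects input that does not fit and never writes past the buffer. */
static int copy_request_checked(unsigned char *region,
                                const unsigned char *input, size_t len)
{
    if (len > BUF_SIZE)
        return -1;                       /* too long: reject and drop the request */
    memcpy(region, input, len);
    return 0;
}

/* Sends one oversized request (constructed payload: 16 filler bytes, then
 * four bytes that make the flag non-zero) through the chosen copy routine.
 * Returns 1 if the flag was flipped, 0 if the request left it untouched. */
int attack_flips_flag(int use_checked_copy)
{
    unsigned char region[REGION_SIZE];
    unsigned char payload[REGION_SIZE];  /* exactly fills the modelled region */
    memset(region, 0, sizeof region);    /* flag starts at 0: not authenticated */
    memset(payload, 'A', BUF_SIZE);
    payload[16] = 1;
    payload[17] = payload[18] = payload[19] = 0;
    if (use_checked_copy)
        (void)copy_request_checked(region, payload, sizeof payload); /* -1: nothing copied */
    else
        copy_request_vulnerable(region, payload, sizeof payload);
    return read_flag(region) != 0;
}

int main(void)
{
    printf("vulnerable copy: attacker authenticated = %d\n", attack_flips_flag(0));
    printf("checked copy:    attacker authenticated = %d\n", attack_flips_flag(1));
    return 0;
}
```

The hardened version makes the length check the first thing that happens, before any byte is written; that ordering is the whole fix, and it applies equally to strcpy-style copies where the length comes from the data itself rather than from a header.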
p.114-115
#4: The National Information Infrastructure Protection Act of 1996 amended the Computer Fraud and Abuse Act of 1986. It changed many sections of the CFA Act and increased the penalties for selected crimes.
#9: The USA PATRIOT Act of 2001 modified a wide range of existing laws to provide law enforcement agencies with broader latitude to combat terrorism-related activities.
#12: Executives working in firms covered by this law will seek assurance on the reliability and quality of information systems from senior information technology managers. In turn, IT managers will likely ask information security managers to verify the confidentiality and integrity of those same information systems, in a process known in the industry as subcertification.
#17: Deterrence is the best method for preventing an illegal or unethical activity. For deterrence to be effective, those affected by it must: fear the penalty; expect to be detected or apprehended; and expect that, if apprehended, the penalty will be applied.
#19: The Information Systems Audit