These are the most common Frequently Asked Questions (FAQs) on Information Assurance:
1. What is Risk Management?
Risk Management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated. By identifying the vulnerabilities in an organization’s information systems and taking steps to ensure that the losses the systems experience stay within the organization’s risk appetite, we can implement or repair controls that assure the confidentiality, integrity and availability of the organization’s information. There is no such thing as a 100% secure environment; every environment has some degree of vulnerability. The skill lies in identifying the threats, assessing the probability of each actually occurring and the damage it could cause, and then taking the right steps to reduce the overall level of risk in the environment to a level the organization considers acceptable.
2. What two things must be achieved to secure information assets successfully?
According to Sun Tzu, an organization should know itself and know its enemy. To know itself, all managers from the three communities of interest in an organization must know how its information is processed, stored and transmitted, and identify what resources are available. This supports an in-depth risk management program in which safeguards, controls, and other mechanisms are implemented, maintained and kept current. Knowing the enemy implies that the organization should locate the weaknesses in its own operations and recognize them as the potential enemy. By discovering and assessing the organization's risks, operations managers can determine how those risks can be controlled or mitigated. The levels of risk should be identified and assessed.
3. In risk management strategies, why must periodic review be part of the process?
Periodic review must be part of the risk management strategies because risks from security threats create competitive disadvantage to organizations. It is a constant process for safeguards and controls to be devised and implemented, and not to be install-and-forget devices.
4. What are four risk control strategies?
There are four basic strategies that control the risks that arise from the vulnerabilities:
Avoidance - Applying safeguards that eliminate or reduce the remaining uncontrolled risks.
Transference - Shifting the risks to other areas or to outside entities.
Mitigation - Reducing the impact should an attacker successfully exploit the vulnerability.
Acceptance - Understanding the consequences and acknowledging the risk without any attempts at control or mitigation.
5. What is the strategy of risk avoidance?
Risk avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerabilities. It is the preferred approach, as it seeks to avoid risk rather than deal with it after it has been realized. Avoidance can be accomplished through the following techniques:
6. What is the strategy of risk transference?
Transference is the control approach that attempts to shift risk to other assets, other processes, or other organizations. This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
7. How many categories should a data classification scheme include? Why?
Corporate and military organizations may use a variety of data classification schemes. Some, such as the military's, are more complex, while corporations may have simpler schemes with fewer categories. A private enterprise scheme may have only three categories: Confidential, Internal, and External. Another scheme has four categories: Public, For Official Use Only, Sensitive, and Classified. The military, by contrast, has the most complex scheme, with five categories: Unclassified, Sensitive But Unclassified (SBU), Confidential, Secret, and Top Secret. To properly implement a data classification scheme a company must first decide which sensitivity scheme it is going to use. One company may choose only two layers of classification, while another may choose more. Some classifications are used for commercial and business purposes, while others are for the military. It is important not to go overboard and produce a long list of classifications, which will only cause confusion and frustration for the people who have to use the system. The classification should not be too restrictive or detail-oriented either, because many types of data may need to be classified. Each classification should be unique and distinct from the others so that they do not overlap. Each organization should select the scheme most appropriate for its own data.
8. What is IP spoofing and social engineering?
IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address indicating that the message is coming from a trusted host. The target host may accept the packet and act upon it, allowing the attacker to access the target system. The attacker can use tools such as hping2 and Nessus, among others, to initiate the attack. Hping2 is notable because it contains a host of other features besides OS fingerprinting, such as TCP, UDP, ICMP and raw-IP ping modes, a traceroute mode, and the ability to send files between the source and the target system. Hping2 can be used to traceroute hosts behind a firewall that blocks attempts made with the standard traceroute utilities. Also, hping2 can use TCP to verify whether a host is up even if ICMP packets are being blocked. Hping2 can omit the last step of the three-way handshake. This kind of scan is known as a SYN or stealth scan (also known as a half-open scan). It is stealthy because a full TCP connection is never opened. The advantage of the SYN stealth scan, from the attacker's point of view, is that fewer IDS systems log it as an attack or connection attempt.
Social Engineering is the art of tricking someone into giving you something that they are not supposed to. Social Engineering is one of the most potentially dangerous attacks, as it does not directly target technology. An organization can have the best firewalls, IDS, network design, authentication system, or access control and still be successfully attacked by a social engineer.
Detection of IP spoofing: IP spoofing can be controlled by monitoring packets with network-monitoring software. There are some tips that help in detecting spoofing. A packet on an external interface that has both its source and destination IP addresses in the local domain is an indication of IP spoofing. This intrusion attempt is known as a LAND attack, resulting in a Denial of Service (DoS).
Prevention of IP spoofing: To prevent IP spoofing in your network, the following common practices should be taken into consideration:
Avoid authentication based on the source address. Implement cryptographic authentication system-wide.
Configure your network to reject packets from the net that claim to originate from a local address.
Implement ingress and egress filtering on the border routers and implement an ACL (Access Control List) that blocks private IP addresses on your downstream interface. If outside connections from trusted hosts are allowed, enable encrypted sessions at the router.
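The detection tip and the prevention list above (reject packets from outside that claim a local source, block private addresses on the border, and do not let inside hosts emit foreign source addresses) can be expressed as a small stateless filter. The following is an added example, not code from the original page: the site prefix 203.0.113.0/24, the interface names "outside" and "inside", and the sample packets are all constructed for illustration.

```python
"""Anti-spoofing ingress/egress filter (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Assumption: the organization's own routable prefix (documentation range).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Private and loopback ranges that must never appear on the border interface.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    iface: str   # "outside" (border/downstream link) or "inside"
    src: str     # source IP address as text
    dst: str     # destination IP address as text


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def filter_packet(pkt):
    """Return (verdict, reason); verdict is "PERMIT" or "DROP"."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # A packet whose source equals its destination is the LAND pattern
    # mentioned in the detection tip; it is never legitimate.
    if src == dst:
        return "DROP", "land-attack"
    if pkt.iface == "outside":
        # Ingress filtering: traffic arriving from the Internet cannot
        # legitimately claim one of our own addresses as its source.
        if src in LOCAL_NET:
            return "DROP", "spoofed-local-source"
        # Private addresses are not routable on the Internet, so any
        # packet carrying one on the border link is bogus.
        if is_private(src) or is_private(dst):
            return "DROP", "private-address-on-border"
    elif pkt.iface == "inside":
        # Egress filtering: traffic leaving the site must carry a local
        # source, so our hosts cannot be used to spoof someone else.
        if src not in LOCAL_NET:
            return "DROP", "spoofed-egress-source"
    else:
        return "DROP", "unknown-interface"
    return "PERMIT", "ok"


# Constructed sample traffic covering each rule.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "203.0.113.10"),   # normal inbound
    Packet("outside", "203.0.113.5", "203.0.113.10"),    # claims local source
    Packet("outside", "203.0.113.10", "203.0.113.10"),   # src == dst
    Packet("outside", "10.1.2.3", "203.0.113.10"),       # private source
    Packet("inside", "203.0.113.10", "198.51.100.7"),    # normal outbound
    Packet("inside", "192.0.2.44", "198.51.100.7"),      # foreign source leaving
]


def run_filter(packets):
    """Apply the filter to every packet; returns the list of verdicts."""
    return [filter_packet(p) for p in packets]


def audit_lines(packets):
    """Log-style lines a monitoring tool could emit for dropped packets."""
    return [
        f"DROP iface={p.iface} src={p.src} dst={p.dst} reason={reason}"
        for p, (verdict, reason) in zip(packets, run_filter(packets))
        if verdict == "DROP"
    ]


if __name__ == "__main__":
    for line in audit_lines(SAMPLE_PACKETS):
        print(line)
```

The order of the checks matters: the source-equals-destination test runs first so that a LAND-style packet is reported as such rather than as a generic spoofed local source, and the egress branch is what keeps the site from being the origin of spoofed traffic aimed at others.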
There are a few good ways to defer and prevent social engineering. The best means are user awareness, policies and procedures. User training is important as it helps build awareness levels. The best defense against social engineering attacks is an information security policy addressing such attacks and educating the user about these types of attacks:
For policies to be effective, they must clarify information access controls, details of the rules for setting up accounts, and define access approval for changing passwords.
User training must cover what types of information a social engineer will typically be after, and what types of questions should trigger employees to become suspicious.
9. How is an application layer firewall different from a packet filtering firewall? Why is an application layer firewall sometimes called a proxy server?
The packet filtering firewall is a router used as a first-generation firewall. These are simple devices that filter by examining the header of every incoming and outgoing packet. They can selectively filter packets based on values in the packet header, accepting or rejecting packets as needed. These devices can be configured to filter on an IP address, the type of packet, the requested port, and/or other elements present in the header. The filtering process examines packets for compliance with or violation of the rules configured in the firewall's database. The rules most commonly implemented in packet filtering firewalls are based on a combination of source and destination IP address, direction (inbound or outbound), and/or source and destination port.
The second generation of firewalls is known as application-level firewalls. These often consist of dedicated computers kept separate from the first filtering router (called an edge router); they are commonly used in conjunction with the second or internal filtering router. This second router is often called a proxy server, because it serves as a proxy, authorizing external service requests to internal services. Because packet filtering looks only at the header information, it is not application dependent, as many proxy firewalls are.
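To make the distinction concrete, here is an added example (not code from the original page) that puts a header-only rule table beside an application-level check. The packet filter decides on direction, protocol, addresses and port alone; the proxy side terminates the connection, parses the HTTP request and applies policy to what it finds. The rule table, the internal server name www.example.internal, the addresses and the request bytes are all constructed for this example.

```python
"""Header-only packet filter beside an application-level (proxy) check.
Added example; all rules, hosts and payloads are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str       # "inbound" or "outbound"
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


# First-generation rules: (direction, proto, src, dst, dport, action).
# "*" matches anything; a CIDR string matches a whole network.
# Rules are evaluated top to bottom; anything unmatched is denied.
RULES = [
    ("inbound",  "tcp", "*",              "203.0.113.80", 80,  "permit"),
    ("inbound",  "tcp", "*",              "*",            23,  "deny"),
    ("outbound", "tcp", "203.0.113.0/24", "*",            "*", "permit"),
]


def _match(field_value, rule_value):
    if rule_value == "*":
        return True
    if isinstance(field_value, str) and "/" in str(rule_value):
        return ipaddress.ip_address(field_value) in ipaddress.ip_network(rule_value)
    return field_value == rule_value


def packet_filter(pkt):
    """Stateless header check: the payload is never examined."""
    for direction, proto, src, dst, dport, action in RULES:
        if (_match(pkt.direction, direction) and _match(pkt.proto, proto)
                and _match(pkt.src, src) and _match(pkt.dst, dst)
                and _match(pkt.dport, dport)):
            return action
    return "deny"  # implicit default deny


# Application-level side: the proxy understands the protocol it relays.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
INTERNAL_SERVERS = {"www.example.internal"}   # constructed server name


def http_proxy_decision(payload):
    """Parse the HTTP request head and apply application-layer policy."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "deny", "non-ascii request head"
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny", "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "deny", "malformed header"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host not in INTERNAL_SERVERS:
        return "deny", f"host {host!r} not served"
    return "permit", f"{method} {target} -> {host}"


def inspect(pkt):
    """Header verdict first; web traffic the filter permits is then handed
    to the proxy logic, which may still reject it on content."""
    header_verdict = packet_filter(pkt)
    if header_verdict != "permit" or pkt.dport != 80:
        return header_verdict, "header-only"
    return http_proxy_decision(pkt.payload)


# Constructed sample traffic.
GET_REQ = b"GET / HTTP/1.1\r\nHost: www.example.internal\r\n\r\n"
DEL_REQ = b"DELETE /admin HTTP/1.1\r\nHost: www.example.internal\r\n\r\n"
SAMPLES = [
    Packet("inbound", "tcp", "198.51.100.9", "203.0.113.80", 40001, 80, GET_REQ),
    Packet("inbound", "tcp", "198.51.100.9", "203.0.113.80", 40002, 80, DEL_REQ),
    Packet("inbound", "tcp", "198.51.100.9", "203.0.113.80", 40003, 23),
    Packet("outbound", "tcp", "203.0.113.5", "198.51.100.9", 40004, 443),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.direction, pkt.dport, inspect(pkt))
```

The second sample is the point of the exercise: its header is identical to the first, so the packet filter permits it, and only the proxy, which reads the request line, notices that the method is not one the policy allows. That is also why the proxy is application dependent: the HTTP parser above is useless for any other protocol.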
Pros and cons of Proxy firewalls:
10. What is the key difference between symmetric and asymmetric encryption. Which can the computer process faster? Which lowers the costs associated with key management?
Symmetric encryption systems use a single key both to encrypt and to decrypt a message, while asymmetric encryption uses two different keys; either key can be used to encrypt or decrypt the message. The computer can process symmetric encryption faster because it does not demand as much of the CPU's resources as the extensive mathematical calculations of asymmetric encryption do. As the number of organizations in the conversation or message exchange grows, asymmetric encryption places a major burden on the CPU when performing those calculations. Symmetric encryption lowers the costs associated with key management.
11. What are the general criteria for selecting information security personnel?
By standardizing job descriptions an organization can increase the degree of professionalism in the field of information security. Information security positions can be classified into three areas:
Those that define - these are usually the more senior personnel who provide the policies, guidelines, and standards by consulting and performing risk assessments. They develop the product and technical architectures. Example: Chief Information Security Officer (CISO). The most common qualification for the CISO is the CISSP.
The builders - these are the more technical personnel who create and install the security solutions. Example: Security Technician. Technical qualifications vary, but IT technician experience is usually necessary. They usually pursue GIAC certifications or the SCP.
Operators and administrators of security tools - these are in charge of the security monitoring function and continually improve the process. They are usually trained to do a specific task. Example: Security Manager. It is not uncommon for security managers to hold a CISSP.
By dividing information security personnel into these three groups they can be recruited more effectively for the different security positions.
Some criteria are within the control of the organization; others, such as the supply and demand of varied skills and experience levels, are not. Many organizations use work experience, security education and professional certifications from recognized sources to identify a candidate's level of proficiency for a security position.
12. What are some of the factors that influence an organization’s hiring decisions?
Some of the factors that influence an organization’s hiring decisions are the law of supply and demand, and the company budget that can affect contracts and employment. Organizations need to pay a premium for these security skills until the new supply of skilled professionals entering the job market can meet the demand. Then the organization can be more selective and pay less for the position, or create more positions. This all depends on the real economy. Others that concern the selection process are the candidate interviews, results of the background checks, candidate education, certifications that document the qualifications through a professional association’s assessment of skills and knowledge, work experience, and the level of proficiency the candidate demonstrates towards a standard job description that describes the position to be filled.
13. What attributes do organizations seek in a candidate when hiring information security professionals?
In most cases, organizations look for a technically qualified information security generalist with a solid understanding of how organizations operate. Also considered is security education and experience in security.
Organizations frequently look for individuals able to (in order of ranking):
Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from information security attacks. This is the most important part of the IT security role in an organization.
Understand how organizations are structured and operated. Only in this way can a security professional know itself and know the enemy, as Sun Tzu once said.
Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills. Communication is an important part in the role of security professionals.
Acknowledge the role of policy in guiding security efforts. The implementation of policies should be one of the priorities in the organization, once the security program is in place.
Understand how technical controls (Firewalls, IDS, and antivirus software) can be applied to solve specific information security problems. Technical skills are very important to implement security tools.
Understand the essential role of information security education training. Life-long learning and educational training is a must for security professionals.
Understand IT and Info Sec terminology and concepts. Terminology and concepts are important to keep up with the new technologies and security forums.
14. What do National Security Agency (NSA) computer scientists do?
At the NSA, computer scientists work in two major categories: development and support. Within these two categories, a multitude of jobs are available. Computer scientists at the NSA solve the Nation's most difficult Information Assurance and Signals Intelligence challenges:
Network Vulnerability Analysis; Public Key Infrastructure (PKI); Security Testing/Red Teaming; Firewalls; Intrusion Detection; Security Software Design/Development; (object oriented programming: C++/JAVA); Security Hardware Design/Development; Customer Support; Defense Information Operations (DIO); Special Processing Laboratory (SPL); Microelectronics Research Laboratory (MRL).
Mathematics Research; Information Assurance Research; Cryptology Research; Secure Network Technology; Biometrics; Intrusion Detection; Wireless Security; High Speed Networking Security; Secure Systems Research; Laboratory for Physical Sciences; Electronics Research; Physics Research; Laboratory for Telecommunications Sciences; SIGINT Research; Scientific Linguists; Algorithm Research and Development.
There are also career paths for Computer/Electrical Engineering:
Design of special-purpose computers and antenna systems
Pattern recognition technologies
Design, development, and testing of electronic communications
The following technical skills are needed throughout NSA:
Network Engineering - Design/Analysis of LANs/WANs, Routers, Switches, Firewalls, Protocol.
Software Engineering - JAVA, C++, XML, HTML, Web Applications, Object Oriented Analysis and Design, Rapid Prototyping, Algorithm Development.
Communications - Digital and Analog, Fixed and Mobile Wireless, Satellite, Antenna Design.
Systems Engineering - End-to-End Realtime Operating Systems, Signals Processing, VHDL/Hardware Development.
Microelectronics - VHDL, FPGA, Microelectronic Manufacturing and Testing (MCM, SOC), Electronic Packaging, VLSI.
15. What would be a generic job description for a Security Manager Position?
Security Manager Job description and Qualifications
The Security Manager will report to the CISO and assist in drafting security policies and plans and in identifying objectives. The candidate will carry out the day-to-day operations of the information security program, resolving issues identified by the technicians, administrators, analysts or staffers whom the position supervises. The Security Manager should have experience working with the components of a security program, especially those defined in NIST SP 800-12 and SP 800-14 and other NIST publications. The candidate should also have knowledge of the SecSDLC model and the ISO/IEC security management models, have full knowledge of information security policies such as the EISP, ISSP, and SSSP, and know how to develop and maintain the guidelines for effective policy. This includes policy distribution, compliance and enforcement methods, and security awareness programs.
The candidate must have:
1. Five years of information security work experience, with at least three years of proven experience in information security management in three or more of the defined areas of practice, such as:
a. Information Security Governance
b. Risk Management
c. Information Security Programs Management
d. Information Security management
e. Response Management
2. Preferably, but not necessarily, hold the CISM certification.
3. Preferably be a CISSP, or be willing to certify once hired and complete the ISSMP concentration for additional knowledge in the area of information security management.
4. Should have experience in budgeting and project management.
5. Must be able to draft middle and lower level policies as well as standards and guidelines.
6. Experience with Business Continuity Planning is a must.
Responsibilities include but are not limited to:
1. Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
2. Identify and manage information security risks to achieve business objectives.
3. Design, develop and manage an information security program to implement the information security governance framework.
4. Oversee and direct the information security activities that execute the information security program.
5. Develop and manage a capability to respond to and recover from disruptive and destructive information security events.
6. Design of physical security
7. Management of Technology
8. Supervise operational and tactical planning for the security function.
16. What is the difference between the CISSP and the SSCP standards?
The SSCP is considered more technically oriented than its bigger brother the CISSP.
The CISSP Common Body of Knowledge (CBK) has 10 domains, as presented on the website https://www.isc2.org/cgi-bin/index.cgi :
1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery Planning
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
The SSCP Common Body of Knowledge (CBK) has 7 domains, as presented on the website https://www.isc2.org/cgi-bin/index.cgi :
1. Access Controls
2. Analysis and Monitoring
4. Malicious Code
5. Networks and Telecommunications
6. Risk, Response, and Recovery
7. Security Operations and Administration