What is the difference between a threat agent and a threat?
What is the difference between vulnerability and exposure?
How is infrastructure protection (assuring the security of utility services) related to information
security?
What type of security was dominant in the early years of computing?
encrypt to protect information by putting it into a special code that only some people can
read, especially information that is on a computer
RAND Report R-609
Access A subject or object's ability to use, manipulate, modify, or affect another subject
or object. Authorized users have legal access to a system, whereas hackers must gain illegal
access to a system. Access controls regulate this ability.
Asset The organizational resource that is being protected. An asset can be logical, such as a
Web site, software information, or data; or an asset can be physical, such as a person, computer
system, hardware, or other tangible object. Assets, particularly information assets, are the focus
of what security efforts are attempting to protect.
Attack An intentional or unintentional act that can damage or otherwise compromise information
and the systems that support it. Attacks can be active or passive, intentional or unintentional,
and direct or indirect. Someone who casually reads sensitive information not intended for his or
her use is committing a passive attack. A hacker attempting to break into an information system
is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A
direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a
hacker compromising a system and using it to attack other systems—for example, as part of a
botnet (slang for robot network). This group of compromised computers, running software of the
attacker's choosing, can operate autonomously or under the attacker's direct control to attack
systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks
originate from the threat itself. Indirect attacks originate from a compromised system or resource
that is malfunctioning or working under the control of a threat.
Exploit A technique used to compromise a system. This term can be a verb or a noun. Threat
agents may attempt to exploit a system or other information asset by using it illegally for their
personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or
exposure, usually in software, that is either inherent in the software or created by the attacker.
Exploits make use of existing software tools or custom-made software components.
Exposure A condition or state of being exposed; in information security, exposure exists
when a vulnerability is known to an attacker.
Loss A single instance of an information asset suffering damage or destruction, unintended or
unauthorized modification or disclosure, or denial of use. When an organization's information is
stolen, it has suffered a loss.
Protection profile or security posture The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements to
protect the asset. The terms are sometimes used interchangeably with the term security program,
although a security program often comprises managerial aspects of security, including planning,
personnel, and subordinate programs.
Risk The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite—the quantity and nature of risk
they are willing to accept.
Threat Any event or circumstance that has the potential to adversely affect operations and assets.
The term threat source is commonly used interchangeably with the more generic term threat.
While the two terms are technically distinct, in order to simplify discussion, the text will
continue to use the term threat to describe threat sources.
C.I.A. triad The industry standard for computer security; confidentiality, integrity, and
availability.
communications security The protection of all communications media, technology, and content.
information security Protection of the confidentiality, integrity, and availability of information
assets, whether in storage, processing, or transmission, via the application of policy, education,
training and awareness, and technology. The protection of information and its critical elements,
including the systems and hardware that use, store, and transmit the information.
network security A subset of communications security; the protection of voice and data
networking components, connections, and content.
security A state of being secure and free from danger or harm. Also, the actions taken to
make someone or something secure. Protection
Threat agent The specific instance or a component of a threat. For example, the threat source of
"trespass or espionage" is a category of potential danger to information assets, while "external
professional hacker" (like Kevin Mitnick, who was convicted of hacking into phone systems) is a
specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the
threat source known as "acts of God/acts of nature."
Threat event An occurrence of an event caused by a threat agent. An example of a threat event
might be damage caused by a storm. This term is commonly used interchangeably with the
term attack.
Subjects and objects of attack A computer can be either the subject of an attack (an agent entity
used to conduct the attack) or the object of an attack (the target entity), as shown in Figure 1-8. A
computer can also be both the subject and object of an attack. For example, it can be
compromised by an attack (object) and then used to attack other systems (subject).
Threat source A category of objects, people, or other entities that represents the origin of danger
to an asset—in other words, a category of threat agents. Threat sources are always present and
can be purposeful or undirected. For example, threat agent "hackers," as part of the threat source
"acts of trespass or espionage," purposely threaten unprotected information systems, while
threat agent "severe storms," as part of the threat source "acts of God/acts of nature," incidentally
threaten buildings and their contents.
Vulnerability A potential weakness in an asset or its defensive control system(s). Some
examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an
unlocked door. Some well-known vulnerabilities have been examined, documented, and
published; others remain latent (or undiscovered).
the expanded C.I.A. triad or 7 critical characteristics
accuracy An attribute of information that
describes how data is free of errors and has the value that the user expects.
authenticity An attribute of information that describes how data is genuine or original rather than
reproduced or fabricated.
availability An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
confidentiality An attribute of information that describes how data is protected from disclosure
or exposure to unauthorized individuals or systems.
integrity An attribute of information that describes how data is whole, complete, and
uncorrupted.
personally identifiable information (PII) A set of information that could uniquely identify an
individual.
possession An attribute of information that describes how the data's ownership or control is
legitimate or authorized.
utility An attribute of information that describes how data has value or usefulness for an end
purpose.
availability enables authorized users—people or computer systems—to access information
without interference or obstruction and to receive it in the required format.
accuracy free from mistakes or errors and has the value that the end user expects.
Authenticity the quality or state of being genuine or original, rather than a reproduction or
fabrication.
confidentiality information is protected from disclosure or exposure to unauthorized individuals
or systems.
integrity information that is whole, complete, and uncorrupted.
McCumber Cube A graphical representation of the architectural approach widely used in
computer and information security; commonly shown as a cube composed of 3x3x3 cells, similar
to a Rubik's Cube.
(Policy, Education, Technology) x (Storage, Processing, Transmission) x (Confidentiality, Integrity,
Availability)
information system (IS) The entire set of software, hardware, data, people, procedures, and
networks that enable the use of information resources in the organization. Much more than
computer hardware; it is the entire set of people, procedures, and technology that enable business
to use information. The six critical components of hardware, software, networks, people,
procedures, and data enable information to be input, processed, output, and stored. Each of these
IS components has its own strengths and weaknesses, as well as its own characteristics and
uses. Each component of the IS also has its own security requirements.
physical security The protection of physical items, objects, or areas from unauthorized
access and misuse.
Software component of an IS includes applications (programs), operating systems, and
assorted command utilities. Most difficult to secure.
Hardware the physical technology that houses and executes the software, stores and transports
the data, and provides interfaces for the entry and removal of information from the system.
Data what is stored, processed, and transmitted by a computer system must be protected. Often
the most valuable asset of an organization and therefore is the main target of intentional attacks.
People the weakest link in an organization's information security program.
Procedures another frequently overlooked component of an IS, written instructions for
accomplishing a specific task.
Networks IS component that created much of the need for increased computer and
information security. When information systems are connected to each other to form LANs,
top-down approach A methodology of establishing security policies and/or practices that is
initiated by upper management.
bottom-up approach A method of establishing security policies and/or practices that begins as a
grassroots effort in which systems administrators attempt to improve the security of their
systems.
systems development life cycle (SDLC) A methodology for the design and implementation
of an information system. The SDLC contains different phases depending on the methodology
deployed, but generally the phases address the investigation, analysis, design, implementation,
and maintenance of an information system.
methodology A formal approach to solving a problem based on a structured sequence of
procedures.
waterfall model A type of SDLC in which each phase of the process "flows from" the
information gained in the previous phase, with multiple opportunities to return to previous
phases and make adjustments.
software assurance (SA) A methodological approach to the development of software that
seeks to build security into the development life cycle rather than address it at later stages. SA
attempts to intentionally create software free of vulnerabilities and provide effective, efficient
software that users can deploy with confidence.