Chapter 2 Need for security

Threats: you don’t need to memorize the twelve categories, but you should know what each category is. Given a scenario, you should be able to tell which category or categories are involved.

Attacks: understand the different attacks; given a description of an attack, you should be able to tell which attack it is.

The six replication vectors of malicious software.

Chapter 3: laws and ethics

The difference between law and ethics: laws carry the sanctions of a governing authority and ethics do not.

______ is the cornerstone of many computer-related federal laws and enforcement efforts. Different states have different laws and regulations on organizational use of computer technology. USA Patriot Act: defines stiffer penalties for prosecution of terrorist crimes.

Aggregate information: by combining pieces of data that are not individually considered private, you can sometimes derive private data.

Federal Privacy Act of 1974: regulates the government. HIPAA: health-care data; affects doctors’ practices, life insurers, universities, etc.

Intellectual property is recognized as a protected asset in the United States.

People from different countries have different perspectives on ethics and computer use. Three conditions for laws and policies (and their associated penalties) to deter unethical and illegal behavior: fear of penalty, probability of being caught, and probability of the penalty being administered.

Chapter 4 risk management

Risk identification, assessment, and control: what are the activities involved in each stage.

The main goal of risk identification is to identify the risks. To do that, first build the asset inventory, list the assets in order of importance, and then, beginning with the most important asset, identify the risks to each.

Risk assessment: calculate a weighted score for all risks and sort them in order of severity.

Risk control: control the risk by applying one of the four risk control strategies: avoidance, transference, mitigation, and acceptance.

Transference of risk doesn’t mean you are risk free. For example, when a company outsources its website to an outside company, there is still the risk that the outside company may not maintain the website to the organization’s expectations.

Acceptance should only be considered when a thorough analysis (including a CBA) has been performed.

Mitigation: three types of plans, and what each deals with.

Organizational, operational, technical, political feasibility, benchmarking (best practice, due care, due diligence) and baselining

Risk appetite, residual risk

Calculations: weighted factor analysis, risk determination, CBA (know how to do the calculations, and also understand the concepts behind them).
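Added worked example of the three calculations named above, written in Python for this outline; it is not code from the course or its textbook. The formulas are the standard introductory ones: weighted score = sum of (criterion weight × asset score) with weights summing to 100; risk = likelihood × value, minus the fraction of that product already handled by current controls, plus a fraction for uncertainty; SLE = asset value × exposure factor, ALE = SLE × ARO, and CBA = ALE(prior) minus ALE(post) minus the annual cost of the safeguard (ACS). All asset names, criteria and numbers are constructed sample values.

```python
"""Worked risk-management calculations: weighted factor analysis (ranking
assets), risk determination (rating an asset/vulnerability pair) and
cost-benefit analysis (CBA). Formulas are the standard textbook ones;
asset names and numbers are constructed sample values."""


def weighted_factor_score(scores: dict[str, float], weights: dict[str, float]) -> float:
    """Weighted factor analysis for one asset.

    `weights` gives each ranking criterion a weight (must sum to 100);
    `scores` gives the asset's rating on each criterion (0.1 to 1.0).
    """
    if abs(sum(weights.values()) - 100.0) > 1e-9:
        raise ValueError("criteria weights must sum to 100")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset has no score for criteria: {sorted(missing)}")
    for crit, s in scores.items():
        if not 0.1 <= s <= 1.0:
            raise ValueError(f"score for {crit!r} must be between 0.1 and 1.0")
    return sum(weights[c] * scores[c] for c in weights)


def rank_assets(assets: dict[str, dict[str, float]],
                weights: dict[str, float]) -> list[tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important first.
    This is the prioritised inventory that risk identification starts from."""
    ranked = [(name, weighted_factor_score(s, weights)) for name, s in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def risk_rating(likelihood: float, value: float,
                pct_controlled: float, uncertainty: float) -> float:
    """Risk determination for one asset/vulnerability pair.

    likelihood:     0.1..1.0 chance the vulnerability is exploited
    value:          the asset's relative value (e.g. its weighted score)
    pct_controlled: fraction of the risk already handled by current controls
    uncertainty:    fraction added for incomplete knowledge of the vulnerability
    """
    base = likelihood * value
    return base - base * pct_controlled + base * uncertainty


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate: float) -> float:
    """ALE = SLE * ARO, where SLE = asset value * exposure factor."""
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * annual_rate


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - annual_cost_of_safeguard


# Constructed sample data (hypothetical assets and criteria)
CRITERIA_WEIGHTS = {"revenue": 30, "profitability": 40, "public_image": 30}
SAMPLE_ASSETS = {
    "customer-db": {"revenue": 0.8, "profitability": 0.9, "public_image": 0.5},
    "public-web": {"revenue": 0.5, "profitability": 0.4, "public_image": 1.0},
}

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS, CRITERIA_WEIGHTS):
        print(f"{name:12s} weighted score {score:5.1f}")
    # asset valued 50, vulnerability certain to be exploited, no controls, 10% uncertainty
    print("risk rating:", risk_rating(1.0, 50, 0.0, 0.10))
    # a control that cuts both exposure factor and annual rate, costing 5,000/year
    prior = annualized_loss_expectancy(100_000, 0.25, 0.5)
    post = annualized_loss_expectancy(100_000, 0.10, 0.25)
    print("CBA:", cost_benefit(prior, post, 5_000))
```

Ranking assets first and then rating each asset's vulnerabilities mirrors the identification-then-assessment order above; a CBA that comes out negative is the signal that acceptance, rather than mitigation with that control, should be considered.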

Terminologies: threat, threat agent, attack, risk, asset, control, security, vulnerability, exploit, clean desk policy

Not all vulnerabilities are exploitable.