Chapter 5️⃣ Q&A
How is expected loss calculated?
Expected loss = P1 x P2 x L where P1 = probability of attack (estimate, based on judgment) P2 = probability of attack being successful (estimate, based on judgment) L = loss occurring if attack is successful
What is the number one cause of data loss or breaches?
Hacking is the number one cause of data loss.
What was the biggest data breach in history?
In October 2013 a data breach at Adobe exposed the account information of up to 152 million users—the largest data breach in history.
What are two red flags of internal fraud?
Internal fraud may be indicated by anomalous patterns, such as excessive hours worked, deviations in patterns of behavior, copying huge amounts of data, attempts to override controls, unusual transactions, and inadequate documentation about a transaction.
How are phishing attacks done?
Phishing is a deceptive method of stealing confidential information by pretending to be a legitimate organization, such as PayPal, a bank, credit card company, or other trusted source. Phishing messages include a link to a fraudulent phish website that looks like the real one. When the user clicks the link to the phish site, he or she is asked for a credit card number, social security number, account number, or password. Successful attacks depend on untrained or unaware users responding to phishing scams.
Explain rogue app monitoring.
Rogue app monitoring is a type of defense to detect and destroy malicious apps in the wild. Several vendors offer 24/7 monitoring and detection services to monitor major app stores and shut down rogue apps to minimize exposure and damage.
Why is social engineering a technique used by hackers to gain access to a network?
Social engineering, also known as human hacking, is tricking users into revealing their credentials and then using those credentials to gain access to networks or accounts. It is a hacker's clever use of deception or manipulation of people's tendency to trust, be helpful, or simply follow their curiosity. Powerful IT security systems cannot defend against what appears to be authorized access. Humans are easily hacked, making them and their social media posts high-risk attack vectors. For instance, it is often easy to get users to infect their corporate network or mobiles by tricking them into downloading and installing malicious apps or backdoors.
Give an example of a weak password and a strong password.
Some examples are: "1234546", "password", "mypassword". Weak passwords are easily guessable, short, common, or a word in the dictionary. They should contain some combination of upper- and lowercase letters, numbers, and/or punctuation marks, and be at least eight characters long.
Explain the three components of the CIA triad.
The CIA triad consists of three key cybersecurity principles: confidentiality, integrity, availability. 🔹 CONFIDENTIALITY: No unauthorized data disclosure. 🔹 INTEGRITY: Data, documents, messages, and other files have not been altered in any unauthorized way. 🔹 AVAILABILITY: Data is accessible when needed by those authorized to do so.
Why do the SEC and FTC impose huge fines for data breaches?
The SEC and FTC impose huge fines for data breaches to deter companies from underinvesting in data protection.
What federal law requires effective internal controls?
The Sarbanes-Oxley Act (SOX) requires companies to set up comprehensive internal controls.
What are the four steps in the defense-in-depth IT security model?
The four steps are: STEP 1️⃣ Senior management commitment and support. STEP 2️⃣ Acceptable use policies and IT security training. STEP 3️⃣ IT security procedures and enforcement. STEP 4️⃣ Hardware and software.
What causes or contributes to data breaches?
The main cause of a data breach is hacking, but the reason hacking is so successful is negligence—management not doing enough to defend against cyber-threats. Even high-tech companies and market leaders appear to be detached from the value of the confidential data they store and the threat that highly motivated hackers will try to steal them.
What are the two types of controls in a defense strategy?
The major categories of general controls are physical controls, access controls, data security controls, communication network controls, and administrative controls.
What are two types of mobile biometrics?
Two types of biometrics which can be implemented on mobile devices are voice and fingerprint.
What is a critical infrastructure? List three types of critical infrastructures.
Critical infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Some examples are commercial facilities; defense industrial base; transportation systems; national monuments and icons; banking and finance; and agriculture and food.
What are the risks caused by data tampering?
🔹 Data tampering refers to an attack during which someone enters false or fraudulent data into a computer, or changes or deletes existing data. 🔹 Data tampering is extremely serious because it may not be detected. This introduces dirty data with all of its inherent issues.
Explain why data on laptops and computers need to be encrypted.
🔹 Encryption is a part of a defense-in-depth approach to information security. 🔹 The basic principle is that when one defense layer fails, another layer provides protection. 🔹 For example, if a wireless network's security was compromised, then having encrypted data would still protect the data, provided that the thieves could not decrypt it.
Explain fraud and occupational fraud.
🔹 FRAUD is nonviolent crime because fraudsters use deception, confidence, and trickery. Fraudsters carry out their crime by abusing the power of their position or by taking advantage of the trust, ignorance, or laziness of others. 🔹 OCCUPATIONAL FRAUD refers to the deliberate misuse of the assets of one's employer for personal gain.
Define and give an example of an intentional threat.
🔹 Intentional threats are those where the individual(s) have intention to do harm or some illegal activity. 🔹 Examples of intentional threats include data theft; inappropriate use of data (e.g., manipulating inputs); theft of mainframe computer time; theft of equipment and/or programs; deliberate manipulation in handling, entering, processing, transferring, or programming data; labor strikes, riots, or sabotage; malicious damage to computer resources; destruction from viruses and similar attacks; and miscellaneous computer abuses and Internet fraud.
How do social networks and cloud computing increase vulnerability?
🔹 Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. 🔹 Critical, sensitive, and private information is at risk, and like previous IT trends, such as wireless networks, the goal is connectivity, often with little concern for security.
Explain spear phishing.
🔹 Spear phishers often target select groups of people with something in common—they work at the same company, bank at the same financial institution, or attend the same university. ▪️ The scam e-mails appear to be sent from organizations or people the potential victims normally receive e-mails from, making them even more deceptive. 🔹 Spear phish creators gather information about people's companies and jobs from social media or steal it from computers and mobile devices, and then use that same information to customize messages that trick users into opening an infected e-mail. ▪️ They then send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data. ▪️ Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, and so on.
What are threats, vulnerabilities, and risk?
🔹 THREAT: Someone or something that can cause loss, damage, or destruction. 🔹 VULNERABILITY: Weakness or flaw in a system that allows an attack to be successful. 🔹 RISK: Probability of a threat exploiting a vulnerability and the resulting cost of the loss, damage, disruption, or destruction. Risk = f (Threat, Vulnerability, Cost of the impact)
What defenses help prevent internal fraud?
🔹 The single-most effective fraud prevention tactic is making employees know that fraud will be detected by IT monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. 🔹 The fear of being caught and prosecuted is a strong deterrent. IT must play a visible and major role in detecting fraud.
What is an exploit? Give an example.
🔹 The term exploit has more than one meaning. 1️⃣ An exploit is a hacker tool or software program used to break into a system, database, or device. 2️⃣ An attack or action that takes advantage of a vulnerability is also called an exploit. 🔸1️⃣ An example of the first is BlackPOS. 🔸2️⃣ An example of the second is a DDoS.
Why are patches and service packs needed?
🔹 They are needed to keep software up to date and protected as fully as possible. 🔹 When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or security organization. 🔹 Patches, sometimes called service packs, are software programs that users download and install to fix a vulnerability.
Define and give an example of an unintentional threat.
🔹 Unintentional threats fall into three major categories: human error, environmental hazards, and computer system failures. Examples: 🔸 Human error can occur in the design of the hardware or information system. ▪️ It can also occur during programming, testing, or data entry. ▪️ Not changing default passwords on a firewall or failing to manage patches creates security holes. Human errors also include untrained or unaware users responding to phishing scams or ignoring security procedures. 🔸 Environmental hazards include volcanoes, earthquakes, blizzards, floods, power failures or strong fluctuations, fires (the most common hazard), defective air conditioning, explosions, radioactive fallout, and water-cooling system failures. ▪️ In addition to the primary damage, computer resources can be damaged by side effects, such as smoke and water. ▪️ Such hazards may disrupt normal computer operations and result in long waiting periods and exorbitant costs while computer programs and data files are recreated. 🔸 Computer systems failures can occur as the result of poor manufacturing, defective materials, and outdated or poorly maintained networks. ▪️ Unintentional malfunctions can also happen for other reasons, ranging from lack of experience to inadequate testing.
List and define three types of malware.
🔹 Viruses, worms, trojans, rootkits, backdoors, botnets, and keyloggers are types of malware. 🔹 Most viruses, trojans, and worms are activated when an attachment is opened or a link is clicked. 🔹 Remote access trojans, or RATS, create an unprotected backdoor into a system through which a hacker can remotely control that system.
Why was 2013 dubbed the "Year of the Breach"?
2013 has been dubbed the "Year of the Breach" because there were 2,164 reported data breaches that exposed an estimated 823 million records. Almost half of the 2013 breaches occurred in the United States, where the largest number of records were exposed—more than 540 million data records or 66 percent.
What is a contract hacker?
A contract hacker is a hacker available for hire and may supply complete hack attacks and 24/7 support through hacking help desks.
What are the motives of hacktivists?
A hacktivist is someone who does hacking as a way to protest for a cause.
Why is a mobile kill switch or remote wipe capability important?
A mobile kill switch or remote wipe capability is needed in the event of loss or theft of a device.
Explain why APT attacks are difficult to detect.
APT is a stealth network attack in which an unauthorized person gains access to a network and remains undetected for a long time. Skilled hackers launch APT attacks to steal data continuously (e.g., daily) over months or year—rather than to cause damage that would reveal their presence. APTs require a new information-protection model that focuses on continuous monitoring of network activity and high-value information. Most U.S organizations lack these capabilities.
What is consumerization of information technology (COIT)?
Consumerization of information technology (COIT) is a trend where users are obtaining for personal use an increasing amount of information technology (e.g., personal mobile devices, such as smartphones and tablets, and powerful home PCs and laptops) which often is mobile, unsecured, and in some cases, better than that provided by their employer.
What are the two categories of crime?
Crime can be divided into two categories depending on the tactics used to carry out the crime: VIOLENT and NONVIOLENT.
Explain how identity theft can occur.
Criminals have always obtained information about other people—by stealing wallets or dumpster digging. But widespread electronic sharing and databases have made the crime worse. A variety of cybercrime, including the use of botnets, have been used to steal identities.
Why are cybercriminals so successful?
Current cybersecurity technologies and policies are simply not keeping pace with fast-evolving threats. Reasons for their success include...... Defending yesterday. Relying on yesterday's cybersecurity practices is ineffective at combating today's threats. Bigger attack surface. The attack surface—consisting of business partners, suppliers, customers, and others—has expanded due to larger volumes of data flowing through multiple channels. Implementing before securing. Popular technologies like cloud computing, mobile, and BYOD (bring your own device) are implemented before they are secured. Not ready for next-generation cyberthreats. Few organizations are prepared to manage future threats. According to Gary Loveland, a principal in PwC's security practice, "What's needed is a new model of information security, one that is driven by knowledge of threats, assets, and the motives and targets of potential adversaries" (PWC, 2014). Unsafe cloud. While 47 percent of respondents use cloud computing, only 18 percent include provisions for cloud in their security policy. Unprepared for advanced persistent threats (APT). APTs require a new information-protection model that focuses on continuous monitoring of network activity and high-value information. Most U.S organizations lack these capabilities. Social engineering. Powerful IT security systems cannot defend against what appears to be authorized access. Robust data security is not the responsibility of IT alone, but the ongoing duty of everyone in an organization.
What are the objectives of cybersecurity?
The objectives of cybersecurity are to..... ▪️ Make data and documents available and accessible 24/7 while simultaneously restricting access. ▪️ Implement and enforce procedures and acceptable use policies (AUPs) for data, networks, hardware, and software that are company- or employee-owned, as discussed in the opening case. ▪️ Promote secure and legal sharing of information among authorized persons and partners. Ensure compliance with government regulations and laws. ▪️ Prevent attacks by having network intrusion defenses in place. ▪️ Detect, diagnose, and respond to incidents and attacks in real time. ▪️ Maintain internal controls to prevent unauthorized alteration of data and records. ▪️ Recover from business disasters and disruptions quickly.
What are the purposes of do-not-carry rules?
The purposes of do-not-carry rules are to prevent compromise, not only of the device but of the company and/or government network, as a response to mobile security threats. Travelers can bring only "clean" devices and are forbidden from connecting to the government's network while abroad.
Describe the basic method of a distributed denial-of-service (DDoS) attack.
The textbook answer of "A distributed denial-of-service (DDoS) attack bombards a network or website with traffic (i.e., requests for service) to crash it and leave it vulnerable to other threats." actually describes any DoS attack. The difference between a DoS attack and a DDoS attack is the word, distributed - the attack originates from multiple sources.
What are two BYOD security risks?
The user-owned device may become infected due to personal use, at home or mobile. If an employee's device is lost, the company can suffer a data breach if the device is not encrypted.
What are biometric controls? Give an example.
_____ A biometric control is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. _____ Most biometric systems match some personal characteristic against a stored profile. _____ The most common biometrics are a thumbprint or fingerprint, voice print, retinal scan, and signature.
Why should websites be audited?
_____ Auditing a website is a good preventive measure to manage the legal risk. _____ Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection).
Why do organizations need a business continuity plan?
_____ Organizations need a business continuity plan to maintain or quickly restore business functions when there is a major disruption. _____ The plan covers business processes, assets, human resources, business partners, and more. _____ Fires, earthquakes, floods, power outages, malicious attacks, and other types of disasters hit data centers. Like insurance, it is a cost without a return on the investment unless and until a disaster happens.
Why are internal controls needed?
_____ The internal control environment is the work atmosphere that a company sets for its employees. _____ Internal control (IC) is a process designed to achieve: 🔹 Reliability of financial reporting, to protect investors 🔹 Operational efficiency 🔹 Compliance with laws 🔹 Regulations and policies 🔹 Safeguarding of assets
Define botnet and explain its risk.
🔹 A botnet is a collection of bots, which are malware-infected computers. Infected computers, called zombies, can be controlled and organized into a network of zombies on the command of a remote botmaster. 🔹 Embedding a botnet agent within thousands or even millions of computers increases processing power of the attack to that of a supercomputer. 🔹 Zombies can be commanded to monitor and steal personal or financial data—acting as spyware. 🔹 Botnets are used to send spam and phishing e-mails and launch DDoS attacks. 🔹 Botnets are extremely dangerous because they scan for and compromise other computers, and then can be used for every type of crime and attack against computers, servers, and networks.
Explain business impact analysis.
🔹 A business impact analysis (BIA) estimates the consequences of disruption of a business function and collects data to develop recovery strategies. 🔹 The BIA identifies both operational and financial impacts resulting from a disruption. Several examples of impacts to consider include (Ready.gov, 2014): ◾️ Lost sales and income ◾️ Delayed sales or income ◾️ Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.) ◾️ Regulatory fines ◾️ Contractual penalties or loss of contractual bonuses ◾️ Customer dissatisfaction or defection ◾️ Delay of new business plans ◾️ These costs and losses should be compared with the costs for possible recovery strategies. The BIA report should prioritize the order of events for restoration of the business, with processes having the greatest operational and financial impacts being restored first.
What are the functions of an IDS and IPS?
🔹 An Intrusion Detection System (IDS) scans for unusual or suspicious traffic. ▪️ An IDS can identify the start of a DoS attack by the traffic pattern, alerting the network administrator to take defensive action, such as switching to another IP address and diverting critical servers from the path of the attack. 🔹 An Intrusion Prevention System (IPS) is designed to take immediate action—such as blocking specific IP addresses—whenever a traffic-flow anomaly is detected. ▪️ An application-specific integrated circuit-based (ASIC) IPS has the power and analysis capabilities to detect and block DDoS attacks, functioning somewhat like an automated circuit breaker.
What is an attack vector? Give an example.
🔹 Attack vectors are entry points for malware, hackers, hacktivists, and organized crime. 🔹 An example is anyone's improperly secured mobile device.
Explain authentication and two methods of authentication.
🔹 Authentication, also called user identification, is proving that the user is who he claims to be and is a part of access control. 🔹 Authentication methods include: ◾️ Something only the user knows, such as a password ◾️ Something only the user has, for example, a smart card or a token ◾️ Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan; implemented via biometric controls, which can be physical or behavioral
Why does BYOD raise serious and legitimate areas of concern?
🔹 BYOD raises serious and legitimate areas of concern. Hackers break into employees' mobile devices and leapfrog into employers' networks—stealing secrets without a trace. 🔹 New vulnerabilities are created when personal and business data and communications are mixed together. 🔹 All cybersecurity controls—authentication, access control, data confidentiality, and intrusion detection—implemented on corporate-owned resources can be rendered useless by an employee-owned device. 🔹 Also, the corporation's mobile infrastructure may not be able to support the increase in mobile network traffic and data processing, causing unacceptable delays or requiring additional investments.