Module 11 Network Security and Business Implications
In strategic risk analysis, what is the first step?
Identify information assets Identifying information assets is the first step.
What is a method of obtaining a password when the data is sent over a network and the data is sent without encryption?
Packet sniffing Packet sniffing is a means of obtaining a password if the data is sent without encryption.
Scenario #3: A Target employee is expecting word about her yearly holiday bonus. She receives an e-mail letting her know that before she can receive any bonus she must download a .pdf form which contains important information about the bonus. When she downloads the file a malware program is placed on her computer and begins to infect the company network. Which type of attack is described in the scenario above?
Phishing Phishing involves e-mails to people to redirect them to a website to perform some operation.
Phishing
Phishing is the process of targeting a specific individual, usually via email, under the guise of a reputable or trustworthy entity to get them to reveal private or personal details such as usernames or passwords.
What type of information can present a threat if disclosed such as social security numbers?
Private Social security numbers are private information and could be a threat to privacy.
Dana has recently hired several temporary employees to assist with data entry for updating paper patient records to digital patient records at a medical center. Although, through necessity, the temporary employees will need access to the patient database in order to add records, Dana creates a special user type for the temporary employees so that they can add records to the patient database, but cannot access, modify, or view patient records already stored in the database.
Role-based Access Control By creating a type of user account that has limited access for the temporary employees, Dana is using role-based access control to protect her patient database.
grey-hat hackers
There are also grey-hat hackers who engage in both types of hacking activities.
Anti-viral software should be updated frequently.
True New releases of anti-viral software may come out daily or weekly.
The firewall software contains a list of rules that describe the types of incoming messages that should either be permitted or blocked from a computer.
True The firewall software contains a list of rules describing which types of messages should be permitted or blocked from passing through the firewall.
Which of the following is not malware?
Unix Unix is an operating system.
Which of the following describes a denial of service (DOS) attack?
An attacker floods the server with so many messages that the server cannot function properly. The DOS attack attempts to flood a server with so many incoming messages that the server is unable to handle them.
Networks can be used to organize and analyze data.
No Networks share files but cannot analyze data.
Trojan Horse
One type of virus is a Trojan Horse: this type of virus completely replaces an existing application and takes the name of the taken over file. The Trojan horse pretends to be one piece of software but is, in fact, another. Imagine that you download an application that you think will be very useful to you. However, the software, while pretending to be that application, actually performs malicious operations on your file system.
Student ID number
Private The Student ID number is private information.
Security classifications can be public, sensitive, private, or confidential. Information that can be found online or in the phone book is
Public Information that can be found online or in the phone book is public.
Online list of company Board of Directors
Public The online list of company Board of Directors is public information.
Public information
Public information might include names and addresses (since this information is available through the phone book).
Worms
Worms propagate across computers and computer networks.
Worms
Worms, on the other hand, are self-contained programs and do not need other programs to propagate across computers and computer networks.
Networks allow employees and contractors to share applications such as e-mail systems.
Yes Networks can share e-mail between the employees and the contractors.
Network communication applications, such as e-mail, can be used to improve communication.
Yes Using a network, employees can connect via e-mail and customers can send an e-mail to customer service.
Integrity
Integrity requires that data are correct. This requires at a minimum three different efforts. First, data gathering must include a component that ensures the accuracy of the collected data. Second, data must be entered into the system accurately. Third, and most importantly, data modification must be tracked. That is, once data are in a database, changes to that data will leave behind a record or trace to indicate who made the change, when the change was made, and what the change was. This permits auditing of the data and the ability to roll the data back if necessary. Furthermore, if a datum is being used by one individual, the datum should be secure from being altered by another. A lack of proper data synchronization may easily lead to corrupt data.
Trojan horse
The Trojan horse is a type of malware that replaces an application and pretends to be software.
buffer overflow
The buffer overflow is perhaps one of the oldest and best-known forms of software exploit; software programmers should be able to protect against it when they write software. However, that is not always the case, and many pieces of software are still susceptible to this attack. The buffer is a specific address in a computer's memory where a variable is stored. The buffer is of limited size. If the software does not ensure that insertions into the buffer are limited to its size, then it is possible to insert into the buffer a sufficient amount of data that the memory locations after the array are filled as well. Since memory stores both data and code, one could attempt to overflow a buffer with malicious code. Once stored in memory, the processor could potentially execute this code and thus perform the operations inserted by the attacker.
first step in the strategic risk analysis
The first step in the strategic risk analysis is to identify the organization's information assets.
fourth step in the strategic risk analysis
The fourth step in the strategic risk analysis is to prioritize risks.
last step in strategic risk analysis
The last step is to develop and enact policies that will reduce the threats.
Amazing Games is doing very well and they have customers around the world that want to buy their computer games. The sales force will need to collect the appropriate information from the customers and then share the information with others within the company. Which of the following DOES NOT describe how the network improves the process of the sales force at Amazing Games in this task?
The network prevents hackers from accessing secure information. The network cannot prevent hacking.
strategic risk analysis
The result of this analysis, known as strategic risk analysis, is that security policies are translated into mechanisms which support information security. We will focus on the risk management process.
second step in the strategic risk analysis
The second step in the strategic risk analysis is to identify vulnerabilities of assets.
third step in the strategic risk analysis
The third step in the strategic risk analysis is to determine threats.
All of the following are true about access rights except:
They are part of the risk management plan. Access rights are not a part of the risk management plan.
All of the following are true about biometrics except:
They can be a unique identifier like a social security number. Biometrics pertains to a personal physical characteristic such as a fingerprint.
Scenario #1: Wanting to listen to some motivational music while preparing the monthly board meeting report, Tom, a Target employee, downloads a music file from http://freemusic.com. Unbeknownst to him the music file actually contains malware to log the employee's keystrokes, thereby obtaining their employee username and password and access to secure information. Which type of attack is described in the scenario above?
Trojan horse One type of virus is a Trojan Horse. This type of virus completely replaces an existing application and takes the name of the taken over file. The Trojan horse pretends to be one piece of software, but is in fact another.
White-hat hackers
White-hat hackers are security professionals and hack for "good purposes" to find vulnerabilities and fix or protect against them. White-hat hackers inform companies of potential problems with software so companies can fix and send out patches, etc.
Which of the following will find vulnerabilities and fix or protect against them?
White-hat hacking White hats use techniques of black hats in order to detect and test against vulnerabilities.
Angelo is at a cocktail party. He gets in a conversation with an attractive woman who is very interested in his career. She asks detailed questions and expresses amazement at the importance of his position. She particularly focuses on how the company is able to keep their information secure. In his desire to impress the lady, Angelo is a little too free with his information. The next day, when he arrives at work, his file on a major account has been hacked. Is this an example of social engineering?
Yes In the social setting, Angelo is giving information that a clever hacker could use to break his password.
Felix receives an email on his work account indicating that he can get a large discount on a one-month pass at a new local gym - a deal said to be only available to a few select company employees. The email has been sent by the gym and does not include the company logo. If he is interested, he has 24 hours to purchase the deal. All he needs to do is send his name, address, and credit card information. Is this an example of social engineering?
Yes Phishing is an example of social engineering.
Networks can be used to share files that relate to the work being done by the contractors.
Yes Team members can review files on the shared drive.
Learning about social engineering and how to protect passwords is an example of ___.
education Users must be educated on how to protect passwords.
Black-hat hackers
Black-hat hackers are individuals with malicious intent who violate security in order to commit crimes or acts of terrorism.
What part of information assurance and security (IAS) requires that data is correct, data gathering ensures the accuracy of the data, data must be entered into the system accurately, and data modification must be tracked?
Integrity Integrity requires data is correct.
data integrity
Data integrity is when data cannot be changed or manipulated while it resides on a host or travels across a network, or, if it is changed or manipulated, the change can be detected.
A certificate authority
A certificate authority will send secure information without concern of information being intercepted and accessed.
virus
A virus is software that attaches itself to another legitimate (or seemingly legitimate) software application.
Evan has recently purchased new laptops for employees at his company to take with them when they travel for business. Since confidential company information may need to be stored on the laptops for use while traveling, Evan installs a biometrics program that requires users to provide a fingerprint in order to login to the laptop.
Authentication The biometrics system that Evan has implemented helps ensure that people logging in to company laptops are authorized employees of the company.
First City Bank is preparing to roll out a new online banking system for its customers. Installing the new hardware and software has taken longer than expected, but the manager is confident customers will be thrilled with the new service. On the day of the launch, a seemingly minor programming error causes the system to shut down and reboot each time the clock reaches a new hour. It takes about ten minutes for it to be up and running again. Which security goal is at risk?
Availability Availability is at risk because the system will shut down each time the clock reaches a new hour.
Distributed Denial of Service (DDOS)
Another DOS attack is the Distributed Denial of Service (DDOS), which is the same as a DOS, but instead of one hacker/host perpetrating the attack, the attack comes from many more hosts (possibly controlled by one hacker), with all attacking hosts directed at a single target.
spyware
Another category of malware is spyware. Spyware is often downloaded without the user's knowledge when accessing websites. The spyware might spy on your browsing behavior at a minimum, or report back to a website sensitive information such as a credit card number that you entered into a web form.
anti-viral software
Anti-viral software attempts to identify if a file contains a virus or, more generally, some form of malware. Anti-viral software can be run on demand, or you can set it up so that all incoming messages are scanned. Unfortunately, anti-viral software will not necessarily catch every piece of malware. As programmers become more ingenious in how to attack an unsuspecting user, anti-viral software must become more sophisticated. However, the anti-viral software always lags behind the innovations of the attackers. Furthermore, you must be diligent in updating your antivirus software often (new releases may come out daily or weekly).
Wes manages an online subscription service that gives users access to a variety of media to stream over their computer system. Based on data analysis of the service usage, Wes suspects that people in addition to the account holder are accessing accounts. Thus, he implements password policies in the subscription service that require users to create stronger passwords and change them every 60 days.
Authentication Password policies such as the ones that Wes has implemented make it more difficult for unauthorized users to get into the system. However, password policies such as these will not prevent threats such as social engineering.
When one user is accessing some data and others are shut out of accessing that data, this is a problem for?
Availability Availability requires that information is available when needed.
Scenario #2: The computer memory set aside for accepting sales orders from Target's website is large enough for orders up to 9,999 units. However, an unscrupulous hacker wishing to crash the system enters a quantity of 999,999. Which type of attack is described in the scenario above?
Buffer overflow Buffer overflow will overflow a buffer with malicious code and perform operations by the attacker.
Project plan for new IT rollout
Confidential The project plan for the new IT rollout is confidential information that the organization would prefer not to make public.
What part of information assurance and security (IAS) requires that data be kept secure so that they are not accidentally provided to unauthorized individuals and cannot be obtained by unauthorized individuals?
Confidentiality
Mary works for a large school district. Her responsibility is to monitor the site containing student attendance records. Mary has created an elaborate security system with unique identification numbers for each student. She has built in a number of security controls and is continually monitoring for unauthorized users. Each day, Mary takes two 10-minute breaks at exactly 10 a.m. and 3 p.m. Since she is gone such a short time she leaves whatever project she is working on up on her computer screen for anyone to see. Which security goal is at risk?
Confidentiality Confidentiality is at risk because Mary is leaving the project up on her computer screen.
Confidentiality
Confidentiality requires that data be kept secure so that they are not accidentally provided to unauthorized individuals and cannot be obtained by unauthorized users. Confidentiality goes beyond security mechanisms as it deals with policies that address who the authorized users of the data are, data storage, and privacy. An organization may have a policy that employee records will use social security numbers as unique identifiers. However, such a policy violates the employee's freedom to protect their social security number (which should only be made available for payroll purposes).
SQL injections
In the SQL injection, an attacker issues an SQL command to a web server as part of the URL or as input to a form on a company's website. The web server, which can accept queries as part of the URL, is not expecting an SQL command. If not protected against, the web server might pass the SQL command onto the database. The malicious SQL command could potentially do anything to the database from returning secure records to deleting records to changing the values in the records.
Randy runs a small consulting firm and keeps all of his business contacts in a computer database. When Randy turns on his computer on Monday morning, he gets a weird error message. He calls in his IT specialist who determines their system has been infected with a virus. After hours of work, they think they have the customer database cleaned up, but occasionally, over the next few weeks, small errors still are being found. Which security goal is at risk?
Integrity Integrity is at risk because the virus could easily lead to corrupt data.
In the strategic risk analysis, prioritizing risks is before which final step?
Develop and enact policies against threats Prioritizing risks comes before developing policies.
Lynda, who leads a technical support team for a moderately sized corporation, reads a report on a forum about the increase in phishing scams related to the local lottery which currently has a large, unclaimed jackpot. As a preventative measure, Lynda sends a resource to company employees reminding them how to identify phishing scams and protect their personal information.
Education Lynda is providing an educational resource to help inform employees and prevent social engineering threats.
What is required to verify authenticity of the recipient? Select three that apply.
Encryption, certificates, digital signatures All three of these will verify authenticity of the recipient. Encryption will indirectly verify authenticity of a private key exchange if the private key has not been compromised. Certificates can be used to verify digital signatures, among other functions.
The process of encryption involves
Encryption will convert plain text to scrambled encrypted information.
business ecosystem
Every organization is part of a business ecosystem; it is dependent on its customers, suppliers, employees, and others to be successful. Apple would not be successful without manufacturers who produce the cases for their devices, or customers who purchase the devices. A marketing team plans campaigns while other groups track inventory and manage shipping.
packet sniffing
Packet sniffing is a means of obtaining a password; in reality, in addition to passwords, packet sniffing allows you to obtain anything being sent over the network if the data being transmitted is sent without encryption.
Private information
Private information is information that could be a threat if disclosed to others such as social security and credit card numbers, or health and education information. This information is often protected from disclosure by federal legislation.
IT personnel need to avoid redundancy when setting up security.
False Information security will ensure CIA of information when it is stored, and redundancy will ensure proper storage.
What prevents certain traffic from coming into and out of the network?
Firewalls Firewalls prevent certain traffic from coming into or out of the network.
Maria is staring intently at the computer screen in front of her, her mind racing. She types in a few lines of code and sits back to see what happens. Yes! It is just as she thought! She has discovered a way to circumvent the security system of her company and gain access to all records without anyone knowing. Maria can also see an easy fix to this security glitch and she is surprised it hadn't already been implemented. Maria will receive a hefty bonus for finding this hole in security. That's her job! While Maria is in there, however, she decides to copy some personal information from the files of upper management. You just never know when it might come in handy! What type of hacking is described in this scenario?
Grey-hat Maria is a white-hat hacker when she sees an easy fix to the security glitch, but she is a black-hat hacker when she decides to copy some personal files. Being both a white-hat and black-hat hacker makes her a grey-hat hacker.
hacking
Hacking is when an individual obtains unauthorized access to a host. There are three different types of hackers: White-hat, black-hat, and grey-hat.
Malware
Malware is the term given to "malicious" software. There are different types of malware, but usually this refers to two types: viruses or worms.
The Amazing Games LAN can be used to share hardware among the employees in the PA office and the contractors.
No Networks can share hardware only within an office.
Margo is afraid she will forget her work login and password, so she keeps them on a sticky note in her top desk drawer. Is this an example of social engineering?
No This is a security risk, but it is through Margo's own poor choices, not influenced by anyone else.
denial of service (DOS)
One final form of attack that is common today, particularly against websites, is the denial of service (DOS) attack. In the DOS attack, one or more attackers attempt to flood a server with so many incoming messages that the server is unable to handle legitimate business. One of the simplest ways to perform a DOS attack is to submit thousands or millions (or more) of HTTP requests. However, this only increases the traffic; it does not necessarily prevent the server from responding to all requests over time.
Public-key encryption
Public-key encryption, on the other hand, uses two keys: a public/private key pair. The public key is known by anyone, but only the user knows the private key. So in the case of Bob and Alice, each will have their own public and private key. When Bob sends information to Alice he encrypts it with Alice's public key (which everyone knows), and when Alice receives it she can decrypt the information with her private key. This method solves the first problem mentioned above, sending secure information. However, what if we want to ensure that Bob is really Bob, the second problem mentioned earlier (authentication)? In this case, the plain-text information is encrypted with Bob's private key (only he knows it) and sent to Alice. Alice then uses Bob's public key to decrypt the information. Only if Bob is who he claims to be will his public key correctly decrypt the information. Unlike the problem with symmetric keys, the difficulty with public-key encryption lies in maintaining these key pairs and in having a mechanism for distributing the public keys. This mechanism is a digital certificate.
What will ensure proper storage so that data are available even when storage devices are damaged or offline?
Redundancy Redundancy will ensure proper storage.
In order to access the corporate website, Target employees have to log-in with a username and password. However, unscrupulous hackers instead type in database commands in an effort to retrieve the company's password file. Which type of attack is described in the scenario above?
SQL injection With a SQL injection, an attacker issues a SQL command to a web server as part of the URL or as input to a form on a company's website.
What information is not public and will not be considered a threat to a person's privacy if others learned of it?
Sensitive Sensitive information will not be considered a threat to a person's privacy.
Sensitive information
Sensitive information might include e-mail addresses. Although this is not public information, it is information that will not be considered a threat to a person's privacy if others were to learn of it.
Social engineering
Social engineering is a threat that targets users. The idea is that a user is a weak link who can be tricked, and often fairly easily.
Spyware
Spyware is downloaded when a user is accessing websites and will spy on browsing behavior.
Which of the following types of information present a threat to someone's privacy?
Student ID and credit card numbers Student IDs and credit card numbers are private information.
Symmetric key encryption
Symmetric key encryption requires both parties in the communication have the same key.
Symmetric key encryption
Symmetric key encryption uses the same key for performing the encryption and decryption. Symmetric key encryption requires that both parties in the communication have the same key; let's call them Bob and Alice. Bob sends a message to Alice by first encrypting it with a key that they both have. When Alice receives the message she can decrypt it with the same key. The obvious problem in this method is ensuring that only Bob and Alice have this key.
The practice of packet sniffing involves
stealing unencrypted information. Packet sniffing will obtain passwords if the data being transmitted is sent without encryption.
availability
Availability requires that information is available when needed. This seems like an obvious requirement, but it conflicts to some extent with both confidentiality and integrity. We would assume that most organizations will make their information available in a networked fashion so that users can obtain the data from computers positioned all over the organization, including remote access from off-site locations. To maintain confidentiality, proper security measures must then be taken, including secure forms of login, encryption/decryption, and proper access controls (e.g., file permissions). Additionally, in order to maintain integrity, if one user is accessing data then the other users are shut out of accessing that data, thus limiting its availability. To promote integrity, timely backups of data need to be made, but typically during the time that files are in the process of being backed up, they are not available. An additional complication for availability is any computer downtime, caused by computer upgrades, power outages, hardware failures, or denial of service attacks.
Ensuring that data is accessible and information is available when needed is an example of
availability. Availability is ensuring that data is accessible and information is available when needed.
confidential information
Confidential information consists of information that an organization will keep secret, such as patentable information and business plans. The government goes beyond these four categories with a group of classified tags such as Confidential, Secret, and Top Secret.
The requirement that data be kept secure so that they cannot be obtained by unauthorized users is an example of
confidentiality. Confidentiality puts measures in place to ensure sensitive data should not be accessible to unauthorized individuals.
Challenges of using a computer network as a framework for the business ecosystem include
cost and security. Network security is a major concern among companies.
Buffer overflow, a technique used to attack computer systems is
easily preventable Software engineers can ensure that insertions into the buffer are limited to its size.
Which statement best completes the sentence: Black-hat hackers ______________
hack with malicious intent to commit crime or terrorism. Black-hat hackers hack with malicious intent.
A computer network supports a business's ecosystem by
improving efficiency. reducing costs. improving communication. A network supports a business by improving efficiency, reducing costs, and improving communication.
SQL injection is a method used for
inserting malicious commands into a system In a SQL injection, an attacker issues an SQL command to a web server. The web server might pass the SQL command onto the database, and the command could delete and change records.
Entering data into the system accurately is an example of
integrity. Integrity will ensure accuracy of the data, and enter the data into the system accurately. Integrity in terms of the CIA triad is ensuring that data has not been tampered with. An example would be running a hash against an original file to verify that it is identical.
A business ecosystem consists of its
interacting and interconnecting divisions or departments and partners of the company. retailers, manufacturers, and customers. hardware, software, and human resources. A business ecosystem consists of interacting and interconnecting retailers, manufacturers, customers, hardware, software, and human resources.
Complete the sentence: Public key encryption uses __________.
one public key & one private key Public key encryption uses one public key and one private key.
In ___, roles are defined that include a list of access methods.
role-based access control In role-based access control, specific roles have specific access rights.
Social engineering targets
users Social engineering is a threat that targets users.