Chapter 4
What are 3 types of software attacks?
- Remote attacks requiring user action
- Remote attacks requiring no user action
- Attacks by a programmer developing a system
Risk analysis
1. Assessing the value of each asset being protected
2. Estimating the probability that each asset will be compromised
3. Comparing the probable costs of the asset's being compromised with the costs of protecting that asset
Risk Mitigation Strategies
1. Risk acceptance • Accept the potential risk
2. Risk limitation • Limit risk by control
3. Risk transferring • Transferring risk, e.g., insurance
Risk _______________ means absorbing any damages that occur.
Acceptance
Which of the following is NOT one of the most dangerous employees to information security?
Accountants
Information Security
All of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Social Engineering
An attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords
Unintentional Threat
An unintentional threat represents a serious threat to information security but appears without malicious intent. Many unintentional threats are the result of human error.
Threat
Any danger to which a system may be exposed
Authentication and Authorization
Authentication confirms the identity of the person requiring access while authorization determines which actions, rights, or privileges the person has, based on his or her verified identity. Authentication is always performed first.
A ___________ is an attack by a programmer developing a system.
Back Door
Which of the following is NOT an example of alien software?
Blockware
If you have an empty building you can move into if your primary location is destroyed, you've implemented a _________ site.
Cold
A firewall is a _______ control.
Communication
Risk Mitigation
Concrete actions against risks:
- implementing controls to prevent identified threats from occurring
- developing a means of recovery if the threat becomes a
A ___________ is a remote attack needing no user action.
Denial-of-service attack
__________ is an identity theft technique.
Dumpster diving
Weak passwords are a(n) ___________ threat.
Employee
_________ is one common example of SSL.
HTTPS
The airport's self check-in computers are a(n) __________ threat.
Hardware
A smart ID card is something the user _______.
Has
Biometrics is something the user _______.
IS
Risk Management
Identifies, controls, and minimizes the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels
___________ is threatening to steal or actually stealing information from a company and then demanding payment to not use or release that information.
Information extortion
If you hire a cybersecurity company like FireEye to identify security weaknesses in your information systems, you are using a risk _________ strategy.
Limitation
Which of the following is FALSE?
Mainframes make it easy to communicate freely and seamlessly with everyone.
The Heartbleed bug is an encryption security flaw in the ___________ software package that was an _____________ mistake by the software developer.
OpenSSL; unintended
A ___________ is a remote attack requiring user action.
Phishing Attack
_______________ is a process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan.
Risk Mitigation
You start browsing your favorite home improvement company's website and notice someone has changed all the logos to their main competitor's logos. This is an example of ___________.
Sabotage
_____________________ is an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
Social Engineering
Phishing is an example of __________.
Software Attack
Exposure
The harm, loss, or damage that can result if a threat compromises that resource.
Vulnerability
The possibility that the system will be harmed by a threat
Risk
The probability that a threat will impact an information resource.
_________ is any danger to which a system may be exposed.
Threat
Coca-Cola's formula is an example of a ___________.
Trade Secret
You have a small business that has had problems with malware on your employees' computers. You decide to hire a third-party company such as GFI Software to implement security controls and then monitor your company's systems. You are adopting a risk ________ strategy.
Transference
The goal of risk management is to reduce risk to acceptable levels.
True
Wireless is a(n) inherently _________ network.
Untrusted
Which of the following is NOT an unintentional threat to information systems?
Viruses
_________ is the possibility that the system will be harmed by a threat.
Vulnerability
Cybercriminals _________
target known software security weaknesses.