Unit 7 Information security and strategies

Identification is a very important and flexible form of authentication. Which of the following is the most expensive method of identity authentication?

Biometrics

Out of the following three recommendations on how to protect yourself on the Internet from criminals, which is the best way to stay safe?

Careful online conduct

Which of the following are tactics that individuals might use to improve a personal security posture, as well as to mitigate many of these risks?

Configure your computer to receive automatic updates.

What is an important decision point for a business to implement controls or security for any risk?

Cost-benefit analysis

Cold sites

Offsite office space awaiting occupancy, equipment, personnel, and utility service, allowing recovery within days

Hot sites

Offsite office space with available and up-to-date systems and service connections, requiring only adequate or prioritized staffing, allowing recovery within minutes to hours

Warm sites

Offsite office space with available systems and service connections, requiring staffing and updates allowing recovery within hours to days.

What is one high profile example of a malware threat?

SQL injection

Protect your system

With each attack, software developers learn to plug holes in their defenses. The method that developers use to repair and update their software is by making security patches available.

Black Hat

a computer hacker with criminal intent.

Hacktivist

an individual or organization interested in vandalism, cyber-terrorism, or hacking for a stated cause or purpose.

Quid pro quo

An exchange of something of value for information

3 goals of Info Security

Confidentiality Integrity Availability

True or False. To steal someone's identity, an impostor must have as much information about that individual as possible before he or she can proceed to the Internet to conduct a more in-depth search for more detailed information about the victim.

False To steal an identity the impostor can start with a little information about the victim, such as the individual's name, address, or birth date.

Personal privacy can be protected while surfing the Internet using anonymous browsing. Which of the following is not true when it comes to anonymous browsing?

No personal information will be stored or available on the browser.

Shared hot sites

Offsite facilities shared with other organizations for the purpose of disaster recovery, requiring only adequate or prioritized staffing, but at a cost shared with another organization.

When dealing with information security, which of the following actions help organizations mitigate risks by protecting the data resources from unauthorized users?

Require users with a log-on access to change their passwords every 90 days.

One security policy is auditing. An outcome of an audit is the ___ which is a record showing how transactions were handled, starting from input to processing, and finally to output.

audit trail

Availability

ensures that access to resources is unimpeded.

Integrity

ensures that data is produced and modified in the correct way.

Confidentiality

ensures that only authorized personnel are admitted access.

To protect customer data and technology assets, there are three main reasons to enforce __. One of the three goals ____ is to ensure that only authorized personnel are allowed access to the appropriate information at the appropriate level.

information security confidentiality

There are three important reasons to protect information assets. For instance, one of the goals is ___ which serves to ensure that the data is produced and modified correctly. Another goal is ___ which serves to ensure that access to the appropriate data resources is unimpeded.

integrity availability

Public Company Accounting Reform and Investor Act (aka Sarbanes-Oxley Act) of 2002

which requires organizations to adhere to rules and procedures to ensure the accuracy, integrity, and security of financial information that leads to the creation and storage of financial statements.

Shoulder surfing

A low-tech attack that is as simple as watching someone type in their password or obtaining sensitive information from a computer screen

Vulnerabilities

A weakness in the technology, process, and procedure, or people involved with any given information asset

Guard against malware

Anti-malware applications provide constantly updated protections against malware, spam, common vulnerabilities, spyware, intrusion, and malicious websites

Zero-day attack

Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.

People need to protect their personal information because criminals can easily steal identities without them knowing it. Why is identity theft one of the most frequent crimes?

Because of the anonymity of the Internet and the availability of information.

Organizations must implement different security policies to match the various levels of security. ____ identifies a business's critical processes and defines the plans to ensure the continuation of business operation. ___ jumps into action when an event occurs.

Business continuity planning Disaster recovery Planning

Organizations must implement auditing controls to mitigate risks from the collusion of multiple team members who might do what?

Circumvent security controls that otherwise may deny individuals from committing fraud.

Individuals can protect their Wi-Fi network access from neighbors and others by doing which of the following to their wireless router?

Configure a firewall.

Which of the following is NOT a concern for information security?

Dealing with factors that contribute to the failure of business practices

What threat refers to an attack that happens when a computer hacker uses several computers to overload a certain network, thereby preventing legitimate users from accessing that network?

Denial-of-service

To protect against all kinds of risks, threats, and vulnerabilities, every business must have a disaster recovery plan (DRP) that includes different types of measures. Installing network and physical security intrusion detection systems (IDS) falls into which of the following types of measures?

Detective measures

The value of security and control is an important question that organizations must address. What must organizations specifically address to protect their security?

Determine the likelihood a loss will occur, along with the target and the source.

Careful public Wi-Fi access

Due primarily to the existence of and potential for Evil Twin hacks or unethical business practices, many security professionals refuse to connect to freely available Wi-Fi, using their much more secure cell phone connections instead, or else do so only after using alternate security methods such as a Virtual Private Network connection, or a secure connection to a remote desktop.

Encryption intentionally converts useful information into an unreadable format. Which of the following is true about encrypting email messages?

Encryption is a common method used to send and receive messages.

Which kind of risk factor is simplest for an organization to mitigate?

Environmental factors

True or False. Businesses must protect their data resources from unauthorized access. They must have an information policy stipulating that employees must be either authorized or authenticated before they can have access to the corporate data resources.

FALSE Employees must be authorized and authenticated before they can access the company's data.

True or False. Online cloud storage such as Google Drive, Microsoft OneDrive, Dropbox, and iCloud provide a convenient way of storing and transferring data. However, cloud storage is not as secure as secondary storage, such as hard drives or flash drives.

False Just because storage is "on the cloud" does not mean that it is less safe or secure. Good online conduct helps determine the security of our data storage.

What kind of controls manage the arrangement, operation, and security of systems software, as well as the protection of data files throughout an organization's IT infrastructure?

General

It can be very easy for an impostor to commit identity theft. Which of the following factors does NOT make it easier to steal someone else's identity?

Having too many accounts

The United States government created legislation to protect the privacy of individuals. Which of the following legislation must organizations follow when dealing with the personal information of medical clients and customers?

Health Insurance Portability and Accountability Act (HIPAA) of 1996

A disaster recovery plan (DRP) is created to do what?

Identify the most important business processes and provide instructions on how to restore those processes, using a priority system.

Regularly ordering credit reports and reviewing them helps with what?

Identifying issues or identity theft early and going to the authorities.

You are studying ways to secure your business from having employee information stolen and misused by thieves. What is the crime in which an impostor obtains key pieces of personal information to impersonate someone else?

Identity theft

What does the United States government do to businesses that violate federal legislation?

Impose heavy penalties

What are the benefits of investing in information security?

Improved stakeholder confidence and trust

What are some actions that individuals can take to safeguard their computers against malware?

Install the latest anti-malware applications on their computers. Install the latest antivirus applications on their computers.

Organizations have written information policies that outline the measures to enforce information security, which are primarily concerned with what?

Managing and mitigating any threats, annoyances, and vulnerabilities to the organization's system.

There are several ways to steal data from innocent citizens. Which of the following is an innocent way of exchanging something, in which criminals can easily take advantage of the situation to steal personal information?

Quid pro quo

When you are using your computer at public places, such as a library or at the airport, you must pay attention to criminals who will steal your personal information by simply watching you type in your password or obtaining sensitive information from your computer screen. What is this method of identity theft called?

Shoulder surfing

Protecting your network from access by unauthorized users is a critical step in securing your information assets. How do you prevent your Wi-Fi network from being accessed by someone else illegally?

Specify a network name, password, and security strength

To facilitate the economic aspects of security and to implement a feasible risk assessment, what question must that organization address?

The cost of potentially lost resources

Individuals, as well as businesses, must identify which of the following to determine how exposed they are on the Internet?

The risks, vulnerabilities, and threats that they are exposed to.

Pretexting

The technique involves creating a believable scenario (whether innocuous or serious) for the purpose of obtaining information.

One way to protect our information assets is to implement personal security policies that restrict access to personal information. Which of the following is NOT considered sensitive personal information?

The university that you attended

Dumpster diving

This sometimes-illegal act is as simple as foraging through household or corporate garbage receptacles for information

Always-on hardware vulnerability

Turning your computer off will disconnect it from the network. Rebooting it and its router allows both to obtain new IP addresses. Shut down your computer when it is not in use and/or restart your computer and your Internet router

What are some precautions people need to take while accessing a public Wi-Fi?

Use a secure connection to a remote desktop. Use a virtual private network (VPN) connection.

Which of the following methods will NOT protect us from hackers on the Internet?

Use public Wi-Fi access

Protecting against failure

Whether from the cunning designs of malware, the eventual hardware or software failure, or merely common user errors, losing some or all information is inevitable

grey hat hackers

a computer hacker with the skills and intent to help organizations protect their networks and systems from others, but whose services may come at a price, or can be sold to the highest bidder.

identity theft

a criminal to masquerade as another to gain financial or another benefit to the detriment of the victim

Denial-of-service

a loss of access created by cut cables or power services, malware (see below), hoaxes, bots and botnets (i.e. a computer or groups of hijacked computers used to attack others, often without notice to their owners), smurf attacks, SYN floods, DNS poisoning, or outright hijacking and/or redirection of services.

Threat modelling

allows analysts to chart processes, identify vulnerabilities, threats, and potential countermeasures to the risks created

Cyber Criminal

an individual or organization interested in exploiting computers and networks for the purpose of generating revenue.

Application controls

are configured restrictions within a specific software application, such as restrictions on the employees handling and authorizing payments.

Behavioral actions

are measures taken by humans to help secure their personal data. Identifying and comprehending the risks, vulnerabilities, and dangers that exist or may exist.

General controls

are those that manage the arrangement, operation, and security of systems software and protect data files throughout an organization's IT infrastructure

Computer-based acts

are those that need the use of a computer. Awareness, recognizing dangers, limiting, or eliminating loss risks, and acting to restrict or eliminate fraud and abuse will lessen the potential for effect from computer-related sources

Careful online conduct

being careful about what sites are visited and what content is downloaded, opened, and installed, can make the difference between a clean computer and one that is loaded with malware

Attacks

damaging or potentially damaging acts that are the product of an attacker's process

data stored on secondary storage are considered ___ and can be protected using physical barriers to access. When an attachment is sent via email, indicating ___ the best form of protection is encryption. The best of form of protection for __ s authorization and authentication.

data at rest data in motion data in use

Data in motion

data that is being transferred over a network or is waiting in primary storage to be read or updated.

Information Security

deals predominantly with the understanding and management of risks of every kind that might affect the security of information assets

True or False. If your computer is off, it is still an active target and your personal security is at risk.

false A computer that is always on and/or always connected to the Internet is a potentially active target.

Nation state

government focused and funded individuals or organizations interested in cyber-warfare against other nations and economic infrastructures.

Social engineering

hackers use their social skills to trick people into revealing access credentials or other valuable information

Mitigations to risks in organizational factors can come from ___when the dismissal or death of a key executive created the potential of loss of business; or from __ when the implementation of an audit control can help to mitigate risk from collusion of multiple team members to circumvent security controls.

heirarchies procedures

Microsoft's STRIDE threat model,

helps to determine if it is possible for a malicious internal or external element to spoof, tamper, repudiate (i.e. deny), disclose information, deny service, or provide privilege escalation (e.g. from a normal user to an administrator user)

Threats

identified and unidentified actors that have the potential for attacking the information assets

Pharming

is a high-tech attack that is an act of using malicious code to redirect users to a fake website.

Tailgating

is a low-tech attack that allows unauthorized personnel access to sensitive or restricted areas

Baiting

is a low-tech attack where an attacker depends on the victim's greed or curiosity to provide sensitive information

Encryption

is a process by which data is encoded so that only persons with a decryption code may unlock and retrieve stored messages. Technologies used to encrypt messages have included the one-time pad.

white hat hackers

is an authorized and ethical computer hacker who helps organizations protect their networks and systems from others. This is done by penetration testing or the design and implementation of policies.

Risk

potential for loss, commonly associated with the monetary and non-monetary impact to such a risk, as well as the probability of occurrence.

Data in use

refers to data that is in the process of being created, updated, destroyed, or changed in some way

Data at rest

refers to data that is stored on secondary or tertiary storage, even if only temporarily, and is not being accessed by a CPU

There are several components available in an organizational framework to manage security and control. Organizations can implement ___ to address controversial areas where the company takes a given position on an issue. Companies also need to develop ___ in the event that a disaster occurs.

security policies recovery plans

Malware

software that is intended to damage or disable computers and computer systems.

There are three methods of authentication, which include knowledge, possession, and identity. The knowledge method refers to ___ The possession method refers ___ to . The identity method refers to ___.

something you know something you have who you are

ITIL and COBIT

which deal with the management of an information technology infrastructure.

ISO 27001

which deals with information security management.

ISO 9000

which deals with quality management.

Family Education Rights and Privacy Act (FERPA) of 1974

which requires educational institutions receiving certain federal funding to protect the information and privacy of certain aspects of a student record.

Financial Services Modernization Act (aka Gramm-Leach-Bliley Act) of 1999

which requires organizations and individuals to adhere to rules and procedures for storing and transferring financial information.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

which requires organizations and individuals who handle medical information to adhere to rules and procedures for billing and information transfer.