Unit 7 Information security and strategies
Identification is a very important and flexible form of authentication. Which of the following is the most expensive method of identity authentication?
Biometrics
Out of the following three recommendations on how to protect yourself on the Internet from criminals, which is the best way to stay safe?
Careful online conduct
Which of the following are tactics that individuals might use to improve a personal security posture, as well as to mitigate many of these risks?
Configure your computer to receive automatic updates.
What is an important decision point for a business to implement controls or security for any risk?
Cost-benefit analysis
Cold sites
Offsite office space awaiting occupancy, equipment, personnel, and utility service, allowing recovery within days
Hot sites
Offsite office space with available and up-to-date systems and service connections, requiring only adequate or prioritized staffing, allowing recovery within minutes to hours
Warm sites
Offsite office space with available systems and service connections, requiring staffing and updates, allowing recovery within hours to days.
What is one high profile example of a malware threat?
SQL injection
Protect your system
With each attack, software developers learn to plug holes in their defenses. The method that developers use to repair and update their software is by making security patches available.
Black Hat
a computer hacker with criminal intent.
Hacktivist
an individual or organization interested in vandalism, cyber-terrorism, or hacking for a stated cause or purpose.
Quid pro quo
An exchange of something of value for information
3 goals of Info Security
Confidentiality; Integrity; Availability
True or False. To steal someone's identity, an impostor must have as much information about that individual as possible before he or she can proceed to the Internet to conduct a more in-depth search for more detailed information about the victim.
False. To steal an identity, the impostor can start with a little information about the victim, such as the individual's name, address, or birth date.
Personal privacy can be protected while surfing the Internet using anonymous browsing. Which of the following is not true when it comes to anonymous browsing?
No personal information will be stored or available on the browser.
Shared hot sites
Offsite facilities shared with other organizations for the purpose of disaster recovery, requiring only adequate or prioritized staffing, but at a cost shared with another organization.
When dealing with information security, which of the following actions help organizations mitigate risks by protecting the data resources from unauthorized users?
Require users with a log-on access to change their passwords every 90 days.
One security policy is auditing. An outcome of an audit is the ___ which is a record showing how transactions were handled, starting from input to processing, and finally to output.
audit trail
Availability
ensures that access to resources is unimpeded.
Integrity
ensures that data is produced and modified in the correct way.
Confidentiality
ensures that only authorized personnel are admitted access.
To protect customer data and technology assets, there are three main reasons to enforce __. One of the three goals, ____, is to ensure that only authorized personnel are allowed access to the appropriate information at the appropriate level.
information security; confidentiality
There are three important reasons to protect information assets. For instance, one of the goals is ___ which serves to ensure that the data is produced and modified correctly. Another goal is ___ which serves to ensure that access to the appropriate data resources is unimpeded.
integrity; availability
Public Company Accounting Reform and Investor Act (aka Sarbanes-Oxley Act) of 2002
which requires organizations to adhere to rules and procedures to ensure the accuracy, integrity, and security of financial information that leads to the creation and storage of financial statements.
Shoulder surfing
A low-tech attack that is as simple as watching someone type in their password or obtaining sensitive information from a computer screen
Vulnerabilities
A weakness in the technology, process, and procedure, or people involved with any given information asset
Guard against malware
Anti-malware applications provide constantly updated protections against malware, spam, common vulnerabilities, spyware, intrusion, and malicious websites
Zero-day attack
Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.
People need to protect their personal information because criminals can easily steal identities without them knowing it. Why is identity theft one of the most frequent crimes?
Because of the anonymity of the Internet and the availability of information.
Organizations must implement different security policies to match the various levels of security. ____ identifies a business's critical processes and defines the plans to ensure the continuation of business operation. ___ jumps into action when an event occurs.
Business continuity planning; disaster recovery planning
Organizations must implement auditing controls to mitigate risks from the collusion of multiple team members who might do what?
Circumvent security controls that otherwise may deny individuals from committing fraud.
Individuals can protect their Wi-Fi network access from neighbors and others by doing which of the following to their wireless router?
Configure a firewall.
Which of the following is NOT a concern for information security?
Dealing with factors that contribute to the failure of business practices
What threat refers to an attack that happens when a computer hacker uses several computers to overload a certain network, thereby preventing legitimate users from accessing that network?
Denial-of-service
To protect against all kinds of risks, threats, and vulnerabilities, every business must have a disaster recovery plan (DRP) that includes different types of measures. Installing network and physical security intrusion detection systems (IDS) falls into which of the following types of measures?
Detective measures
The value of security and control is an important question that organizations must address. What must organizations specifically address to protect their security?
Determine the likelihood a loss will occur, along with the target and the source.
Careful public Wi-Fi access
Due primarily to the existence of and potential for Evil Twin hacks or unethical business practices, many security professionals refuse to connect to freely available Wi-Fi, using their much more secure cell phone connections instead, or else do so only after using alternate security methods such as a Virtual Private Network connection, or a secure connection to a remote desktop.
Encryption intentionally converts useful information into an unreadable format. Which of the following is true about encrypting email messages?
Encryption is a common method used to send and receive messages.
Which kind of risk factor is simplest for an organization to mitigate?
Environmental factors
True or False. Businesses must protect their data resources from unauthorized access. They must have an information policy stipulating that employees must be either authorized or authenticated before they can have access to the corporate data resources.
False. Employees must be authorized and authenticated before they can access the company's data.
True or False. Online cloud storage such as Google Drive, Microsoft OneDrive, Dropbox, and iCloud provide a convenient way of storing and transferring data. However, cloud storage is not as secure as secondary storage, such as hard drives or flash drives.
False. Just because storage is "on the cloud" does not mean that it is less safe or secure. Good online conduct helps determine the security of our data storage.
What kind of controls manage the arrangement, operation, and security of systems software, as well as the protection of data files throughout an organization's IT infrastructure?
General
It can be very easy for an impostor to commit identity theft. Which of the following factors does NOT make it easier to steal someone else's identity?
Having too many accounts
The United States government created legislation to protect the privacy of individuals. Which of the following legislation must organizations follow when dealing with the personal information of medical clients and customers?
Health Insurance Portability and Accountability Act (HIPAA) of 1996
A disaster recovery plan (DRP) is created to do what?
Identify the most important business processes and provide instructions on how to restore those processes, using a priority system.
Regularly ordering credit reports and reviewing them helps with what?
Identifying issues or identity theft early and going to the authorities.
You are studying ways to secure your business from having employee information stolen and misused by thieves. What is the crime in which an impostor obtains key pieces of personal information to impersonate someone else?
Identity theft
What does the United States government do to businesses that violate federal legislation?
Impose heavy penalties
What are the benefits of investing in information security?
Improved stakeholder confidence and trust
What are some actions that individuals can take to safeguard their computers against malware?
Install the latest anti-malware applications on their computers. Install the latest antivirus applications on their computers.
Organizations have written information policies that outline the measures to enforce information security, which are primarily concerned with what?
Managing and mitigating any threats, annoyances, and vulnerabilities to the organization's system.
There are several ways to steal data from innocent citizens. Which of the following is an innocent way of exchanging something, in which criminals can easily take advantage of the situation to steal personal information?
Quid pro quo
When you are using your computer at public places, such as a library or at the airport, you must pay attention to criminals who will steal your personal information by simply watching you type in your password or obtaining sensitive information from your computer screen. What is this method of identity theft called?
Shoulder surfing
Protecting your network from access by unauthorized users is a critical step in securing your information assets. How do you prevent your Wi-Fi network from being accessed by someone else illegally?
Specify a network name, password, and security strength
To facilitate the economic aspects of security and to implement a feasible risk assessment, what question must that organization address?
The cost of potentially lost resources
Individuals, as well as businesses, must identify which of the following to determine how exposed they are on the Internet?
The risks, vulnerabilities, and threats that they are exposed to.
Pretexting
The technique involves creating a believable scenario (whether innocuous or serious) for the purpose of obtaining information.
One way to protect our information assets is to implement personal security policies that restrict access to personal information. Which of the following is NOT considered sensitive personal information?
The university that you attended
Dumpster diving
This sometimes-illegal act is as simple as foraging through household or corporate garbage receptacles for information
Always-on hardware vulnerability
Turning your computer off will disconnect it from the network. Rebooting it and its router allows both to obtain new IP addresses. Shut down your computer when it is not in use and/or restart your computer and your Internet router.
What are some precautions people need to take while accessing a public Wi-Fi?
Use a secure connection to a remote desktop. Use a virtual private network (VPN) connection.
Which of the following methods will NOT protect us from hackers on the Internet?
Use public Wi-Fi access
Protecting against failure
Whether from the cunning designs of malware, the eventual hardware or software failure, or merely common user errors, losing some or all information is inevitable
grey hat hackers
a computer hacker with the skills and intent to help organizations protect their networks and systems from others, but whose services may come at a price, or can be sold to the highest bidder.
identity theft
a criminal masquerading as another person to gain a financial or other benefit, to the detriment of the victim
Denial-of-service
a loss of access created by cut cables or power services, malware (see below), hoaxes, bots and botnets (i.e. a computer or groups of hijacked computers used to attack others, often without notice to their owners), smurf attacks, SYN floods, DNS poisoning, or outright hijacking and/or redirection of services.
Threat modelling
allows analysts to chart processes, identify vulnerabilities, threats, and potential countermeasures to the risks created
Cyber Criminal
an individual or organization interested in exploiting computers and networks for the purpose of generating revenue.
Application controls
are configured restrictions within a specific software application, such as restrictions on the employees handling and authorizing payments.
Behavioral actions
are measures taken by humans to help secure their personal data, such as identifying and comprehending the risks, vulnerabilities, and dangers that exist or may exist.
General controls
are those that manage the arrangement, operation, and security of systems software and protect data files throughout an organization's IT infrastructure
Computer-based acts
are those that require the use of a computer. Awareness, recognizing dangers, limiting or eliminating loss risks, and acting to restrict or eliminate fraud and abuse will lessen the potential impact from computer-related sources.
Careful online conduct
being careful about what sites are visited and what content is downloaded, opened, and installed, can make the difference between a clean computer and one that is loaded with malware
Attacks
damaging or potentially damaging acts that are the product of an attacker's process
Data stored on secondary storage is considered ___ and can be protected using physical barriers to access. When an attachment is sent via email, indicating ___, the best form of protection is encryption. The best form of protection for ___ is authorization and authentication.
data at rest; data in motion; data in use
Data in motion
data that is being transferred over a network or is waiting in primary storage to be read or updated.
Information Security
deals predominantly with the understanding and management of risks of every kind that might affect the security of information assets
True or False. If your computer is off, it is still an active target and your personal security is at risk.
False. A computer that is always on and/or always connected to the Internet is a potentially active target.
Nation state
government-focused and government-funded individuals or organizations interested in cyber-warfare against other nations and economic infrastructures.
Social engineering
hackers use their social skills to trick people into revealing access credentials or other valuable information
Mitigations to risks in organizational factors can come from ___when the dismissal or death of a key executive created the potential of loss of business; or from __ when the implementation of an audit control can help to mitigate risk from collusion of multiple team members to circumvent security controls.
hierarchies; procedures
Microsoft's STRIDE threat model
helps to determine if it is possible for a malicious internal or external element to spoof, tamper, repudiate (i.e. deny), disclose information, deny service, or provide privilege escalation (e.g. from a normal user to an administrator user)
Threats
identified and unidentified actors that have the potential for attacking the information assets
Pharming
is a high-tech attack that is an act of using malicious code to redirect users to a fake website.
Tailgating
is a low-tech attack that allows unauthorized personnel access to sensitive or restricted areas
Baiting
is a low-tech attack where an attacker depends on the victim's greed or curiosity to provide sensitive information
Encryption
is a process by which data is encoded so that only persons with a decryption code may unlock and retrieve stored messages. Technologies used to encrypt messages have included the one-time pad.
white hat hackers
are authorized and ethical computer hackers who help organizations protect their networks and systems from others. This is done by penetration testing or the design and implementation of policies.
Risk
potential for loss, commonly associated with the monetary and non-monetary impact of such a loss, as well as the probability of occurrence.
Data in use
refers to data that is in the process of being created, updated, destroyed, or changed in some way
Data at rest
refers to data that is stored on secondary or tertiary storage, even if only temporarily, and is not being accessed by a CPU
There are several components available in an organizational framework to manage security and control. Organizations can implement ___ to address controversial areas where the company takes a given position on an issue. Companies also need to develop ___ in the event that a disaster occurs.
security policies; recovery plans
Malware
software that is intended to damage or disable computers and computer systems.
There are three methods of authentication, which include knowledge, possession, and identity. The knowledge method refers to ___. The possession method refers to ___. The identity method refers to ___.
something you know; something you have; who you are
ITIL and COBIT
which deal with the management of an information technology infrastructure.
ISO 27001
which deals with information security management.
ISO 9000
which deals with quality management.
Family Education Rights and Privacy Act (FERPA) of 1974
which requires educational institutions receiving certain federal funding to protect the information and privacy of certain aspects of a student record.
Financial Services Modernization Act (aka Gramm-Leach-Bliley Act) of 1999
which requires organizations and individuals to adhere to rules and procedures for storing and transferring financial information.
Health Insurance Portability and Accountability Act (HIPAA) of 1996
which requires organizations and individuals who handle medical information to adhere to rules and procedures for billing and information transfer.