Chapter 6
quantitative & qualitative
2 basic approaches to analyzing system vulnerabilities and threats: ________ & ___________
passive & active
2 categories of threats: _______ & __________
1. systems personnel 2. users 3. intruders
3 groups of individuals differ in their normal ability to access things
threat
A _____ is a potential exploitation of a vulnerability
trojan horse
A _____ is malware that either is contained within benign software or is masquerading as benign software
botnet
A ______ is a collection of computers that are infected with malware and controlled by a hacker
vulnerability
A _______ is a weakness in a system
trojan backdoor
A _______ might allow a hacker to remotely take control of the victim's computer; once under the hacker's control, the computer is wide open so that the hacker can access all of its software and data
backdoor (or trapdoor)
A _________ is a method of covertly eluding normal authentication procedures while accessing a computer system
denial-of-service attacks
A botnet might be used to conduct __________ against web sites, e-mail servers, and distributed name servers
present reports
A primary duty of the chief security officer (CSO) should be to _____ to the Board of Directors for approval
largest loss exposure
A significant benefit of the quantitative approach to risk assessment is that it often shows that the most likely threat to occur is not the threat with the __________
1. hardware 2. sensitive data files 3. critical programs
A successful attack on an information system requires access to:
intruders
Anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization is an ___________
Control Objectives for Information and related Technology
COBIT
Systems analysis report
Chief Security Officer's report to the Board: A summary of all relevant loss exposures
systems design report
Chief Security Officer's report to the Board: Detailed plan for controlling and managing losses, including a complete security system budget
systems implementation report; systems operation, evaluation, and control report
Chief Security Officer's report to the Board: Specifics on security system performance, including an itemization of losses and security breaches, an analysis of compliance, and costs of operating the security system
white-collar crime
Computer-based crimes are part of the general problem of ___________
enterprise risk management (ERM)
Given that the ISMS is an internal control process and manages risks, it is part of the larger _________
information security management system
ISMS
27000
ISO ____ includes ISMS-related vocabulary and definitions
27001
ISO ____ involves a general ISMS development structure consistent with the life-cycle approach of security systems
27001
ISO _____ defines standards for building, operating, and maintaining ISMSs
27003-27005
ISO _____ provide guidance for implementation, measuring ISMS performance and general risk management with the ISMS
27001 and 27002
ISO ______ & ______ are the center of the ISO 27000 family of standards
27002
ISO ______ defines a code of best practices for ISMSs
chief security officer (CSO)
If the information security system is to be effective, it must be managed by a ________
replacement costs, service denial costs, third-party liability costs; business interruption costs
If the quantitative approach is used, costs might be estimated using __________________ resulting from the company's inability to meet contracts and ____________
monitoring and improvement
In ISO 27001, the checking phase involves continuous _______ of the ISMS
quantitative
In the ________ approach to risk assessment, each loss exposure is computed as the product of the cost of an individual loss and the likelihood of its occurrence
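The quantitative computation above, carried through on a small set of threats, as an added example (not from the textbook). The threat names, likelihoods and cost figures are constructed for illustration; the cost components follow the chapter's breakdown into replacement costs, service denial (business interruption) costs and third-party liability costs, and each loss exposure is cost per loss times annual likelihood. The example also shows the chapter's point that the most likely threat is not necessarily the one with the largest loss exposure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat with its annual likelihood and the components of a single loss."""
    name: str
    likelihood: float            # assumed annual probability of occurrence, 0..1
    replacement_cost: float      # cost to replace hardware/software/data
    service_denial_cost: float   # business interruption: inability to meet contracts
    third_party_liability: float # liability to customers, partners, etc.

    @property
    def cost_per_loss(self) -> float:
        """Relevant cost of one occurrence: the drop in profitability it causes."""
        return self.replacement_cost + self.service_denial_cost + self.third_party_liability

    @property
    def loss_exposure(self) -> float:
        """Quantitative loss exposure = cost of an individual loss x its likelihood."""
        return self.cost_per_loss * self.likelihood


# Constructed sample data; figures are illustrative, not from the chapter.
THREATS = [
    Threat("disk failure",     likelihood=0.30, replacement_cost=5_000,
           service_denial_cost=10_000,  third_party_liability=0),
    Threat("phishing",         likelihood=0.15, replacement_cost=0,
           service_denial_cost=20_000,  third_party_liability=50_000),
    Threat("denial of service", likelihood=0.10, replacement_cost=0,
           service_denial_cost=80_000,  third_party_liability=20_000),
    Threat("data center fire", likelihood=0.01, replacement_cost=400_000,
           service_denial_cost=600_000, third_party_liability=200_000),
]


def rank_by_exposure(threats: list[Threat]) -> list[Threat]:
    """Threats ordered from largest to smallest contribution to total loss exposure."""
    return sorted(threats, key=lambda t: t.loss_exposure, reverse=True)


def total_loss_exposure(threats: list[Threat]) -> float:
    """Company-wide loss exposure: the sum over all analysed threats."""
    return sum(t.loss_exposure for t in threats)


def most_likely(threats: list[Threat]) -> Threat:
    return max(threats, key=lambda t: t.likelihood)


def largest_exposure(threats: list[Threat]) -> Threat:
    return rank_by_exposure(threats)[0]


if __name__ == "__main__":
    print(f"{'threat':<18}{'p':>6}{'cost/loss':>12}{'exposure':>10}")
    for t in rank_by_exposure(THREATS):
        print(f"{t.name:<18}{t.likelihood:>6.2f}{t.cost_per_loss:>12,.0f}{t.loss_exposure:>10,.0f}")
    print(f"total loss exposure: {total_loss_exposure(THREATS):,.0f}")
    print(f"most likely threat:  {most_likely(THREATS).name}")
    print(f"largest exposure:    {largest_exposure(THREATS).name}")
```

With these figures the disk failure is the most likely event but contributes the least exposure, while the rare data center fire tops the ranking; that gap is exactly what a subjective qualitative ranking by "how often does this happen" would miss.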
social engineering
In the context of information security, the term _________ involves manipulating victims in order to trick them into divulging privileged information
internal control weaknesses
In the vast majority of cases, detected frauds are never brought to the attention of law enforcement officials because this would lead to public disclosure of ____________
network operators
Individuals who oversee and monitor the immediate operation of the computer and communications network are called ___________
to provide confidentiality, integrity, and availability of information
Information security management system's objectives coincide with those of information security in general: ______
1. analysis 2. design 3. implementation 4. operation, evaluation, and control
Information security systems are developed by applying the established methods of systems life cycle phases: _____________
Hackers
Intruders who use electronic and other means to break into or attack information systems for fun, challenge, profit, revenge, or other nefarious motives are referred to as _________
systems analysis
Life cycle phase objective: Analyze system vulnerabilities in terms of relevant threats and their associated loss exposures
systems design
Life cycle phase objective: Design security measures and contingency plans to control the identified loss exposures
systems implementation
Life cycle phase objective: Implement the security measures as designed
systems operation, evaluation, and control
Life cycle phase objective: Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require
override accounting controls
Management fraud is committed by those who are high enough in an organization to __________
financial statement manipulations
Management might commit other types of errors or omissions that could potentially defraud employees or investors, but the term management fraud generally refers to ___________
social skills
Many people tend to think that hackers always possess significant technical prowess, but really hackers rely heavily on ________ and other nontechnical means to carry out their exploits
COBIT
Promulgated by the ISACA and ITGI, ______ provides a set of best practices for IT management
1. Business interruption 2. Loss of software 3. Loss of data 4. Loss of hardware 5. Loss of facilities 6. Loss of service and personnel 7. Loss of reputation
Regardless of the method used, any analysis must include loss exposures for at least the following 7 areas:
1. identifying relevant costs per loss and associated likelihoods can be difficult 2. Estimating the likelihood of a given failure requires predicting the future in a rapidly changing technological environment 3. In assessing the likelihood of intentional attacks, one must estimate the costs and benefits of such attacks to potential perpetrators
Several difficulties in applying the quantitative approach to risk assessment:
human interaction
Social engineering relies on ________ rather than technical prowess
fraud and embezzlement
Statistics have shown that corporate losses due to ________ exceed total losses due to bribery, burglary, and shoplifting by a wide margin
1. computer maintenance persons 2. programmers 3. operators 4. information systems administrative personnel 5. data control clerks
Systems personnel include:
planning
The ISO 27001 term ______ corresponds to analysis and design
checking and acting
The ISO 27001 term ______ corresponds to evaluation and control
doing
The ISO 27001 term ______ corresponds to implementation and operation
intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
The Treadway Commission defined fraudulent financial reporting as:
computer-based information systems
The Treadway Commission noted that _________ multiply the potential for misusing or manipulating information, thus increasing the risk of fraudulent financial reporting
qualitative
The _______ approach to risk assessment lists out the system's vulnerabilities and threats, subjectively ranking them in order of their contribution to the company's total loss exposure
Gramm-Leach-Bliley Act
The _______ makes it a federal crime, with a maximum sentence of up to _____ in prison, to pretext any kind of information that concerns a relation between a consumer and a financial institution
Nigerian bank email scam
The _______ was one of the earliest phishing scams
relevant cost of a loss
The ________ is the decrease in the company's profitability as a result of the loss's occurrence
National Commission on Fraudulent Financial Reporting (Treadway Commission)
The ________ linked management fraud to computer crime
Telephone Records and Privacy Protection Act of 2006
The _________ makes it a federal felony for anyone other than law enforcement or intelligence officers to pretext phone records
Computer Fraud and Abuse Act of 1986
The __________ makes it a federal crime to knowingly and with intent fraudulently gain unauthorized access to data stored in the computers of financial institutions, computers owned or used by the federal government, or computers operating in interstate commerce
board of directors
The chief security officer (CSO) should report directly to the ______ so as to maintain complete independence
vulnerability and threat analysis report
The objective of the first phase of the security systems life cycle is to produce a ___________
comprehensive set of risk-control measures
The objective of the second phase of the security systems life cycle is to design a ______________, including both security measures to prevent losses and contingency plans to deal with losses should they occur
malicious & software
The term malware is a contraction of the words _______ & _______
data control clerks
Those responsible for the manual and automated inputting of data into the computer are called __________
20 years
Under the Computer Fraud and Abuse Act of 1986, first offenders could be sentenced up to ______ in prison
10 years
Under the Telephone Records and Privacy Protection Act of 2006, almost any type of fraud or deception in relation to obtaining another's phone records is punishable by up to ______ in prison
malware
Viruses, spyware, logic bombs, and worms are _______
viruses
_____ are designed to replicate themselves and thus spread throughout a computer or network
intruders & hackers
_____ are given no access at all, but they are often highly determined individuals who are capable of inflicting great losses on a company
information security
_____ is a much broader concept than computer security in that it deals with the security of all information in the organization, regardless of whether it is computerized
information security management system (ISMS)
_____ is an organizational internal control process that controls the special risks associated with information within the organization
systems personnel
_____ often pose a potential threat because they are often given wide-ranging access privileges to sensitive data and programs
keyboard loggers
_____ secretly record and transmit to the hacker all the victim's keystrokes
users
______ are given a much narrower access, but they still find ways to commit fraud
maintenance persons
______ install hardware and software, repair hardware, and correct minor errors in software; they must have high-level security access to do their jobs
Information Security
______ involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
malware
______ is hostile, intrusive, or annoying software that was specifically designed to be so by its creator
management fraud
______ is deliberate fraud committed by managers with the intent of deceiving investors and creditors using materially misleading financial reports
ERM
______ is the process by which management balances risks versus opportunities
system faults
______ represent component equipment failures such as disk failures and power outages
black hat
_______ hackers attack systems for illegitimate reasons
white hat
_______ hackers legitimately probe systems for weaknesses in order to help with security
phishing
_______ is a form of social engineering but differs from pretexting in that it aims to trick victims into giving passwords, money, or other valuables
pretexting
_______ is a form of social engineering in which the perpetrator impersonates another person, typically in a phone call or electronic communication
active
_______ threats include information systems fraud and computer sabotage
users
________ are composed of heterogeneous groups of people and can be distinguished from the others because their functional area does not lie in data processing or information technology
systems programmers
________ often write programs to modify and extend the network, network operating systems, workstations, and so on; and they are typically given accounts with universal access to all the company's files
passive
________ threats include system faults, as well as natural disasters
gray hat
_________ hackers are white hat hackers that skirt along the edges of the law
Denial-of-service (DoS) attacks
_________ involve flooding the victim with such enormous amounts of illegitimate network traffic that the victim becomes so overloaded that it can no longer process legitimate traffic
phishing scams
_________ often involve the perpetrator sending large numbers of e-mail messages that appear to come from a bank or other financial institution that contain links to perpetrator-controlled fake web pages that are made to look exactly like the real web pages
spyware
__________ is covertly installed on a victim's computer and then collects and relays to the perpetrator personal information about the victim
Information systems administrative personnel
_______________ normally have access to security secrets, files, programs, and so on
availability
ensuring timely and reliable access to and use of information
integrity
guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity
confidentiality
preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information