Cyber Security
The OECD privacy protection guidelines contain ________ privacy principles.
8
Privacy refers to a person's right to control personal data. A. True B. False
A. True
Which of the following is an accidental threat? A. A backdoor into a computer system B. A hacker C. A well-meaning employee who inadvertently deletes a file D. An improperly redacted document E. A poorly written policy
C. A well-meaning employee who inadvertently deletes a file
What information security goal does a DoS attack harm? A. Confidentiality B. Integrity C. Authentication D. Availability E. Privacy
D. Availability
The Use Limitation Principle
Data should be used only for the purposes stated when it was collected.
A technical safeguard is also known as a ________.
Logical Control
The Accountability Principle
The entity collecting data must be held accountable for following the privacy principles.
Telecommunications and Network Security
This domain addresses how to secure communication networks, such as telephone and data systems.
Security Architecture and Design
This domain addresses how to securely design information systems. It covers the basic principles used to ensure the confidentiality, integrity, and availability of data used in information systems.
Keystroke logger
is a device or program that records keystrokes made on a keyboard or mouse. Spyware and keystroke loggers are designed to gather information secretly.
Malware
is a general term that refers to any type of software that performs some sort of harmful, unauthorized, or unknown activity. Malware includes computer viruses, worms, and Trojan horses. The term malware is a combination of the words malicious and software.
single point of failure
is a piece of hardware or application that is key to the functioning of the entire system. If that single item fails, a critical portion of the system could fail. Single points of failure also can cause the whole system to fail. An easy example of a single point of failure is a modem. A modem connects an organization to the Internet. If the modem fails, the organization can't connect to the Internet. If the organization does most of its business online, the modem failure can really hurt its business.
Natural Threats
uncontrollable events such as earthquakes, tornadoes, fires, and floods. These types of threats aren't predictable. Organizations can't control these types of threats.
Logic Bombs
A logic bomb is harmful code intentionally left on a computer system. It lies dormant for a certain period. When specific conditions are met, it "explodes" and carries out its malicious function. Programmers can create logic bombs that explode on a certain day or when a specific event occurs.
WAN Domain
A wide area network (WAN) is a network that spans a large geographical area. The most common example of a WAN is the Internet. Organizations with remote locations use a WAN to connect those locations.
What is a mantrap? A. A method to control access to a secure area B. A removable cover that allows access to underground utilities C. A logical access control mechanism D. An administrative safeguard E. None of the above
A. A method to control access to a secure area
What are the two types of cookies? A. First-party and third-party cookies B. Active and passive cookies C. First party and second party cookies D. Rational and irrational cookies
A. First-party and third-party cookies
Which of the following is an example of a model for implementing safeguards? A. ISO/IEC 27002 B. NIST SP 80-553 C. NIST SP 800-3 D. ISO/IEC 20072 E. ISO/IEC 70022
A. ISO/IEC 27002
What does a seal program verify? A. That an organization meets recognized privacy principles B. That an organization misfits recognized security principles C. That a third party is trusted D. That a Web site does not use cookies
A. That an organization meets recognized privacy principles
What is the window of vulnerability? A. The period between the discovery of a vulnerability and mitigation of the vulnerability B. The period between the discovery of a vulnerability and exploiting the vulnerability C. The period between exploiting a vulnerability and mitigating the vulnerability D. The period between exploiting a vulnerability and eliminating the vulnerability E. A broken window
A. The period between the discovery of a vulnerability and mitigation of the vulnerability
The Data Quality Principle
Any data collected must be correct.
What are the classification levels for U.S. national security information? A. Public, Sensitive, Restricted B. Confidential, Secret, Top Secret C. Confidential, Restricted, Top Secret D. Public, Secret, Top Secret E. Public, Sensitive, Secret
B. Confidential, Secret, Top Secret
Which principle means that an individual should be told the reason for data collection before the data is collected? A. The collection limitation principle B. The purpose specification principle C. The use limitation principle D. The openness principle E. The accountability principle
B. The purpose specification principle
Big Data
Big Data refers to large and complex data collections. Sophisticated applications review and analyze collected data, perhaps from many sources. The owners of these systems can accumulate large amounts of data about people. They can use the data for their own purposes.
What are the goals of an information security program? A. Authorization, integrity, and confidentiality B. Availability, authorization, and integrity C. Availability, integrity, and confidentiality D. Availability, integrity, and safeguards E. Access control, confidentiality, and safeguards
C. Availability, integrity, and confidentiality
Which safeguard is most likely violated if a system administrator logs into an administrator user account in order to surf the Internet and download music files? A. Need to know B. Access control C. Least privilege principle D. Using best available path E. Separation of duties
C. Least privilege principle
Which of the following isn't a threat classification? A. Human B. Natural C. Process D. Technology and Operational E. Physical and Environmental
C. Process
Which of the following is not a privacy tort? A. Intrusion into seclusion B. Portrayal in a false light C. Appropriation of likeness or identity D. Defamation E. Public disclosure of private facts
D. Defamation
Which amendment protects against unreasonable searches and seizures? A. First B. Third C. Fourth D. Fifth E. Seventh
D. Fifth
An organization obtains an insurance policy against cybercrime. What type of risk response is this? A. Risk mitigation B. Residual risk C. Risk elimination D. Risk transfer E. Risk management
D. Risk transfer
What is the source of legal authority for the U.S. government? A. The United States Code B. The common law C. Supreme Court decisions D. The U.S. Constitution E. The Declaration of Independence
D. The U.S. Constitution
It's hard to safeguard against which of the following types of vulnerabilities? A. Information leakage B. Flooding C. Buffer overflow D. Zero-day E. Hardware failure
D. Zero-day
Which of the following are vulnerability classifications? A. People B. Process C. Technology D. Facility E. All of the above
E. All of the above
What techniques are used to create a list of the Web pages that a computer user visits? A. Adware, malware, and phishing B. Malware, cookies, and Web beacons C. Web beacons, clickstreams, and spyware D. Malware, spyware, and cookies E. Clickstreams, cookies, and Web beacons
E. Clickstreams, cookies, and Web beacons
Which of the following is not a type of security safeguard? A. Corrective B. Preventive C. Detective D. Physical E. Defective
E. Defective
An employee can add other employees to the payroll database. The same person also can change all employee salaries and print payroll checks for all employees. What safeguard should you implement to make sure that this employee doesn't engage in wrongdoing? A. Need to know B. Access control lists C. Technical safeguards D. Mandatory vacation E. Separation of duties
E. Separation of duties
Encryption
Encryption converts information into code that makes it unreadable. Only people authorized to view the information can decode and use it.
First-party cookies
Exchanged between a user's browser and the Web site the user is visiting.
Physical and Environmental
Facility-based threats. These types of threats can include a facility breach due to lax physical security. Loss of heating or cooling within a facility also is an environmental threat.
The Collection Limitation Principle
Individuals must know about and consent to the collection of their data.
How Is Privacy Different from Information Security?
Information security and privacy are closely related. However, they're not the same. Privacy is defined here as an individual's right to control the use and disclosure of his or her own personal information. This means individuals have the opportunity to assess a situation and determine how their data is used. Information security is the process used to keep data private. Security is a process; privacy is a result. Just because information is secure doesn't mean it's private. Information security is about protecting data to ensure confidentiality, access, and integrity. Privacy with respect to information systems means that people have control over and can make choices about how their information will be used. Security is used to carry out those choices. Privacy can't exist in information systems without security.
The Openness Principle
People can contact the entity collecting their data. People can discover where their personal data is collected and stored.
The Individual Participation Principle
People must know if data about them has been collected. People also must have access to their collected information.
Phishing
Phishing is a form of Internet fraud in which attackers attempt to steal valuable information. Phishing attacks usually take place via e-mail. Phishers usually try to steal confidential information such as usernames and passwords, or financial account information.
Third-party cookies
Set by one Web site but readable by another site. Third-party cookies are set when the Web page a user visits has content on it that is hosted by another server.
Shoulder Surfing
Shoulder surfing occurs when an attacker looks over the shoulder of another person at a computer to discover sensitive information. This isn't a technical exploit. The attacker has no right to the information he or she is trying to see.
The Security Safeguards Principle
The collected data must be protected from unauthorized access.
The Purpose Specification Principle
The purpose for data collection should be stated to individuals before their data is collected.
Wiretap Act (1968, amended)
These statutes forbid the use of eavesdropping technologies without a court order. The law protects all e-mail, radio communications, data transmission, and telephone calls. Amendments to the original Wiretap Act include protection for electronic communications.
Privacy Act (1974)
This Act applies to records created and used by federal agencies. It states the rules for the collection, use, and transfer of personally identifiable information (PII). It requires federal agencies to tell people why they're collecting personal information. Federal agencies also must provide an annual public notice. The notice must describe their record-keeping systems and the data in them. The Act also requires federal agencies to have appropriate administrative, technical, and physical safeguards to protect the security of the systems and records they maintain.
Freedom of Information Act (1966)
This Act establishes the public's right to request information from federal agencies. Information that can be requested includes paper documents and electronic records. The law applies to federal executive branch agencies and offices. Federal agencies must comply with the law and provide requested information. There are nine FOIA exemptions. Data in these categories doesn't have to be provided to the requester. Agencies are required to provide information to the public about how to make a FOIA request. Anyone can file a FOIA request.
Legal, Regulations, Investigations, and Compliance
This domain describes how laws and regulations might impact how an organization operates its information systems. It also explores forensic procedures that are used to determine if a crime has taken place.
Business Continuity and Disaster Recovery Planning
This domain describes how organizations can prepare to meet disruptions in business. It addresses the disaster recovery process.
Information Security Governance and Risk Management
This domain describes how proper governance can help protect information systems. It explores the different types of processes organizations must use at an operational level to protect information systems. It also explores the concepts of risk management and risk response.
Operations Security
This domain describes how to protect information systems resources during their normal operational state. It includes items such as vulnerability management and incident response activities.
Access Controls
This domain explores granting or denying permission to use a resource. Access control mechanisms protect resources from use by unauthorized persons. They also ensure that only people with appropriate permissions can modify or change information.
Software Development Security
This domain explores how good software development practices contribute to information security. Good development practices must be used during the entire systems development life cycle.
Cryptography
This domain explores the science of hiding information. You can disguise information to protect it from unauthorized persons by encrypting it. There are many different ways to encrypt information in order to protect it.
User Domain
This domain refers to any users of an organization's IT system. It includes employees, consultants, contractors, or any other third party. These users are called end users.
System/Application Domain
This domain refers to the equipment and data an organization uses to support its IT infrastructure. It includes hardware, operating system software, database software, and client-server applications.
LAN-to-WAN Domain
This domain refers to the infrastructure that connects the organization's LAN to a WAN.
LAN Domain
This domain refers to the organization's local area network (LAN) technologies. A LAN is two or more computers connected together within a small area.
Remote Access Domain
This domain refers to the processes and procedures that end users use to remotely access the organization's IT infrastructure and data.
separation of duties principle
This rule requires that two or more employees must split critical task functions so that no employee knows all of the steps of the critical task. When only one employee knows all of the steps of a critical task, they can use the information to harm the organization. The harm may go unnoticed if other employees can't access the same information or perform the same function.
distributed denial of service (DDoS) attack
This type of attack occurs when attackers use multiple systems to attack a targeted system. These attacks really challenge the targeted system. It often can't ward off an attack coming from hundreds or thousands of different computers. A DDoS attack sends so many requests for services to a targeted system that the system or Web site is overwhelmed and can't respond.
Technological and Operational
Threats that operate inside information systems to harm information security goals. Malicious code is an example of these threats. Hardware and software failures are technology threats. Improperly running processes are also threats.
reasonable person standard
a legal concept used to describe an ordinary person. This fictitious ordinary person represents how an average person would think and act. Courts use this standard to determine if conduct that is complained about in a lawsuit is offensive to an ordinary person. Conduct is wrongful if a reasonable person finds it offensive.
cookie
a small string of text that a Web site stores on a user's computer. Cookies contain text—you can't execute them like a program file. Cookies aren't considered spyware because they're not executable. A cookie by itself isn't dangerous or a privacy threat. However, other individuals and companies can use cookies in ways that invade your privacy.
Backdoor
also called a trapdoor, is a way to access a computer program or system that bypasses normal mechanisms. Programmers sometimes install a backdoor to access a program quickly during development to troubleshoot problems. This is especially helpful in large and complex programs. Programmers usually remove backdoors when the programming process is over. However, they can easily forget about the backdoors if they don't follow good development practices.
Technical safeguards
also called logical safeguards, are applied in the hardware and software of information systems. They are the rules that state how systems will operate. Technical safeguards include automated logging and access-control mechanisms, firewalls, and antivirus programs. Using automated methods to enforce password strength is a technical control.
Administrative safeguards
are actions and rules implemented to protect information. Laws and regulations may influence these safeguards. They usually take the form of organizational policies, which state the rules of the workplace. These documents are usually specific.
Industry sector
describes a group of organizations that share a similar industry type. They often do business in the same area of the economy. In the United States, Congress enacts laws by industry sector.
Social engineering
describes an attack that relies heavily on human interaction. It's not a technical attack. This type of attack involves tricking other people to break normal security procedures to gain sensitive information. These attackers take advantage of human nature.
denial of service (DoS) attack
disrupts information systems so they're no longer available to users. These attacks also can disable Internet-based services by consuming large amounts of bandwidth or processing power.
The U.S. Freedom of Information Act (FOIA)
governs access to public records of the U.S. federal government. Most states have similar laws for the public records of state government and agencies. These types of laws often are called "sunshine" laws because they shine light onto the inner workings of government agencies.
Web beacon
is a small, invisible electronic file that is placed on a Web page or in an e-mail message. It counts users who visit a Web page. A Web beacon also can tell if a user opened an e-mail message and took some action with it. It also can monitor user behavior. A Web beacon also is called a Web bug. A clear GIF (Graphics Interchange Format) is a type of image format that is often used as a Web beacon. This is because clear GIFs are invisible and very small.
Radio Frequency Identification (RFID)
is a technology that uses radio waves to transmit data to a receiver. RFID technology is wireless. It's a way to identify unique items using radio waves. The main purpose of RFID technology is to allow "tagged" items to be identified and tracked. Sometimes you will hear devices that use this technology called an RFID tag or chip.
Workplace privacy
is a term that describes privacy issues in the workplace. Privacy can be implicated in a number of ways in the workplace. Hiring, firing, and performance reviews all have potential privacy concerns. How employers interact with employees in these matters can have privacy implications.
vulnerability
is a weakness or flaw in an information system. Vulnerabilities can be exploited (used in an unjust way) to harm information security. They may be construction or design mistakes. They also may be flaws in how an internal safeguard is used or not used. Not using antivirus software on a computer, for instance, is a vulnerability.
The Online Privacy Alliance (OPA)
is an organization of companies dedicated to protecting online privacy. OPA members agree to meet certain requirements for protecting personal information online. These members also agree to create a privacy policy for their customers that's easy to read and understand.
The Network Advertising Initiative (NAI)
is an organization of online advertising companies. NAI members want to make sure that consumers understand how online marketing works. The group has created self-regulatory standards to promote responsible online marketing. It also has created standards that address the proper use of marketing tools.
Spyware
is any technology that secretly gathers information about a person or system.
computer worm
is similar to a virus. Unlike a virus, a computer worm is a self-contained program that doesn't require external assistance to propagate. Some well-known Internet worms include the Morris worm, SQL Slammer, and Blackworm.
Adware
is software that displays advertising to a user. It can display banner advertisements or redirect a person to other Web sites. It also can display pop-up advertisements on a person's computer. These types of advertisements open a new Web browser window to display ads. Some types of adware are also spyware. This adware displays targeted advertisements based on secretly collected user information.
Vulnerability management programs
make sure that vendors find any flaws in their products and quickly correct them. They also ensure that customers are made aware of problems so they can take protective action.
Integrity
means that information systems and their data are accurate. Integrity ensures that changes can't be made to data without appropriate permission. If a system has integrity, it means that the data in the system is moved and processed in predictable ways. It doesn't change when it's processed.
Confidentiality
means that only people with the right permission can access and use information. It also means protecting it from unauthorized access at all stages of its life cycle. You must create, use, store, transmit, and destroy information in ways that protect its confidentiality.
Whaling
A new type of targeted phishing scam. In a whaling scam, attackers target corporate executives.
Risk mitigation
Organizations also can mitigate risk to reduce a negative impact. They apply safeguards to vulnerabilities and threats. Safeguards lower risks to a level deemed acceptable, but do not eliminate it.
patch
piece of software or code that updates a program to address security problems. Patches are available for many types of software, including operating systems. Systems may be open to attack if patches are not properly applied.
safeguard
reduces the harm posed by information security vulnerabilities or threats. Safeguards may eliminate or reduce risk of harm. They are controls or countermeasures, and you can use these terms interchangeably.
Preventive controls
safeguards used to prevent security incidents. These controls keep an incident from happening. Door locks are a preventive safeguard. They help keep intruders out of the locked area. Fencing around a building is a similar preventive control. Teaching employees how to avoid information security threats is also a preventive control.
Spyware, Keystroke Loggers, and Adware
Spyware, keystroke loggers, and adware raise privacy concerns because they are secretly downloaded onto a user's computer. People have no control over the software or data it collects. Some users unknowingly agree to download this type of software onto their computers. Sometimes these programs are part of a legitimate software application that a user wants to download. When users agree to End-User License Agreements (EULAs), they may also agree to install the spyware as well.
risk
the likelihood that a threat will exploit a vulnerability and cause harm. The harm is the impact to the organization. Impacts from threats vary. An information security impact includes a loss of confidentiality, integrity, and availability. Other impacts include a loss of life, productivity or profit, property, and reputation. You can measure impact in terms of money costs or by perceived harm to the organization.
Cryptography
the practice of hiding information so that unauthorized persons can't read it. (Caesar used this method.)
Risk avoidance
the process of applying safeguards to avoid a negative impact. A risk avoidance strategy seeks to eliminate all risk. This is often very difficult or expensive. Organizations also can mitigate risk to reduce a negative impact.
Availability
the security goal of making sure information systems operate reliably. It makes sure data is accessible when it needs to be. It also helps to ensure that individuals with proper permission can use systems and retrieve data in a dependable and timely manner.
Information Security
the study and practice of protecting information. The main goal of information security is to protect the confidentiality, integrity, and availability of information.
Workstation Domain
This area refers to the computing devices used by end users. This includes devices such as desktop or laptop computers.
Physical Security
This domain describes how to physically protect an organization's information systems. It includes how to design and secure facilities.
