
Chapter 4 - Information Security and Controls Quiz

EncouragingSousaphone

17 Questions

What is the purpose of a firewall?

To prevent unauthorized access to a network

Which of the following is NOT a function of anti-malware systems?

Encrypting data transmissions

What is the purpose of whitelisting?

To identify software that is allowed to run

Which key is used to encrypt a message in asymmetric encryption?

Public key (the recipient's public key locks the message; only the matching private key unlocks it)

What is the purpose of a digital signature?

To authenticate the sender of a message

What is the purpose of a digital certificate?

To authenticate the identity of a person or organization

Which of the following is NOT a component of a virtual private network (VPN)?

Biometric authentication

What is the purpose of blacklisting?

To identify software that is not allowed to run

What is the purpose of multi-factor authentication (MFA)?

To provide an additional layer of security beyond a single authentication factor

Which of the following is NOT a communications control mentioned in the text?

Intrusion detection system (IDS)

What does a firewall prevent from moving between an untrusted network (such as the Internet) and a private network?

Specific types of information (traffic that the firewall's rules do not permit)

In the context of anti-malware systems, what is the purpose of whitelisting?

Identifying allowed software to run

What is the purpose of a digital signature in the context of information security?

Confirming sender's identity and message integrity

Which component relies on the Internet, firewalls, passwords, and encryption?

VPN

What type of key is used for unlocking data encrypted with a public key?

Private key

Which access control triggers additional authentication steps when a user's behavior deviates from their usual pattern?

Adaptive authentication

In the context of information security controls, what is the purpose of blacklisting?

Identifying malicious software
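Several of the questions above turn on the same point: a firewall, a whitelist and a blacklist all decide what is allowed to pass, and the difference that matters in practice is what happens to something that is on neither list. The following is an added example (not part of the original quiz) that evaluates a constructed packet-filter policy two ways: as an allowlist with a default-deny rule, and as a blocklist with a default-allow rule. The addresses, rules and sample packets are invented for the illustration.

```python
"""Stateless packet-filter evaluator: ordered rules, first match wins.

Shows why a whitelist (default deny) fails closed and a blacklist
(default allow) fails open for traffic nobody thought to list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """Return the action of the first matching rule, else the policy default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed topology (hypothetical addresses from documentation ranges):
INTERNET = "0.0.0.0/0"
DMZ_WEB = "203.0.113.10/32"   # a public web server
INTERNAL = "10.0.0.0/8"       # the corporate LAN

# Whitelist style: enumerate what is allowed, deny everything else.
ALLOWLIST_RULES = [
    Rule("allow", INTERNET, DMZ_WEB, "tcp", 443),
    Rule("allow", INTERNAL, DMZ_WEB, "tcp", 22),
]

# Blacklist style: enumerate what is known-bad, allow everything else.
BLOCKLIST_RULES = [
    Rule("deny", INTERNET, DMZ_WEB, "tcp", 23),    # telnet
    Rule("deny", INTERNET, DMZ_WEB, "tcp", 3389),  # RDP
]


def decide_allowlist(pkt: Packet) -> str:
    return evaluate(ALLOWLIST_RULES, pkt, default="deny")


def decide_blocklist(pkt: Packet) -> str:
    return evaluate(BLOCKLIST_RULES, pkt, default="allow")


# Constructed sample traffic to push through both policies.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "https_from_internet": Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
    "ssh_from_internet": Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
    "ssh_from_internal": Packet("10.1.2.3", "203.0.113.10", "tcp", 22),
    "unlisted_service": Packet("198.51.100.7", "203.0.113.10", "tcp", 8080),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Map each sample packet to (allowlist decision, blocklist decision)."""
    return {name: (decide_allowlist(p), decide_blocklist(p))
            for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (allow_dec, block_dec) in compare().items():
        print(f"{name:22} allowlist={allow_dec:5} blocklist={block_dec}")
```

The two policies agree on the traffic someone anticipated (HTTPS from anywhere, SSH from inside) and disagree on everything else: the blocklist lets SSH from the Internet and the unlisted port 8080 straight through, because nobody wrote a rule for them. That is the practical reason the notes describe whitelisting as the stronger control.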

Study Notes

Introduction to Information Security

  • Information security refers to the processes and policies designed to protect an organization's information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
  • A threat to an information resource is any danger to which a system may be exposed.
  • Exposure is the harm, loss, or damage to a compromised resource.
  • An information resource's vulnerability is the possibility that the system will be harmed by a threat.

Vulnerability of Organizational Information Resources

  • Five factors contribute to vulnerability:
    • Today's interconnected, interdependent, wirelessly networked business environment.
    • Smaller, faster, cheaper computers and storage devices.
    • Decreasing skills necessary to be a computer hacker.
    • International organized crime taking over cybercrime.
    • Lack of management support.

Unintentional Threats to IS

  • Human Errors:
    • Higher-level employees have broader access privileges, so their mistakes pose a greater threat to information security.
    • Lost or stolen phones and laptops.
    • Opening questionable emails and attachments.
    • Poor passwords.
  • Social Engineering:
    • Attack in which the perpetrator uses social skills to trick or manipulate employees into providing confidential company information.
  • Dumpster Diving:
    • An attacker rummages through discarded documents and equipment for confidential information; the unintentional error is discarding such material without shredding or wiping it.
  • Unauthorized use of computer systems and networks:
    • Time and resource theft (e.g., private consulting, personal finances, playing video games).

Deliberate Threats to IS

  • Hacking:
    • Illegal use of computers or unauthorized access and use of networked computer systems.
    • Types of hackers:
      • White hat: security expert working for a legitimate company to make computers more secure.
      • Black hat: does so for monetary/malicious purposes.
      • Grey hat: a combination of white and black hat.
      • Script kiddie: non-computer expert who uses ready packages and scripts to hack into the system without understanding how it works.
  • Espionage or Trespass:
    • Unauthorized outsider attempts to gain illegal access to organizational information.
  • Information Extortion:
    • Attacker demands money in exchange for not stealing or revealing information.
  • Ransomware:
    • Blocks access to a system or encrypts data until the organization pays, usually in Bitcoin.
  • Doxing (or Doxxing):
    • Stealing sensitive information/documents and threatening to reveal them to the public.
  • Sabotage or Vandalism:
    • Deliberate acts that involve defacing an organization's website, potentially damaging the organization's image.
  • Identity Theft:
    • Deliberate assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime.
  • Phishing:
    • Tricking individuals into revealing sensitive information.

Compromises to Intellectual Property

  • Copyright:
    • Statutory grant that provides creators or owners of intellectual property with ownership of the property for the life of the creator plus 70 years.
  • Software Piracy:
    • Many sources claim that 30% - 50% of the software industry's revenues are lost to piracy, but these claims are often overstated.

What Organizations Are Doing to Protect Information Resources

  • Risk Management:
    • Identifying, controlling, and minimizing the impact of threats.
  • Business Continuity Planning, Backup, and Recovery:
    • Guidance on how to keep the business operating in the event of a disaster.
  • Information System Auditing:
    • Examining information systems, their inputs, outputs, and processing to assess efficiency, effectiveness, and security.

Information Security Controls

  • Physical Controls:

    • Preventing unauthorized individuals from gaining access to a company's facilities.
  • Access Controls:

    • Authentication:
      • Something the user is (biometrics).
      • Something the user has (ID card or smartphone).
      • Something the user does (signing a name on a keypad).
      • Something the user knows (password, PIN, secret question).
    • Authorization:
      • Which actions, rights, or privileges the user has based on their verified identity.
  • Communications Controls:

    • Secure movement of data across networks.
    • Firewall:
      • Prevents specific types of information from moving between an untrusted network (such as the Internet) and a private network.
    • Anti-malware systems:
      • Identify and eliminate viruses and worms, and other malicious software.
    • Encryption:
      • Public key (the locking key): shared openly; anyone can use it to encrypt a message for its owner.
      • Private key (the unlocking key): kept secret; only it can decrypt what the matching public key locked.
      • Digital signature: produced with the sender's private key and checked with the sender's public key, confirming who sent the message and that it was not altered in transit.

Types of Deliberate Threats to IS: Software Attacks

  • Virus: a segment of computer code that performs malicious actions by attaching to another computer program

  • Worm: a segment of computer code that performs malicious actions and replicates itself without requiring another computer program

  • Denial-of-service (DoS) attack: a deliberate attempt to make a computer system unavailable by flooding it with traffic

  • Distributed denial-of-service (DDoS) attack: a DoS attack in which the flood comes simultaneously from many computers

  • Trojan horse: software programs that hide in other computer programs and reveal their designed behavior only when activated

  • Back door: a password, known only to the attacker, that allows access to a computer system at will

  • Logic bomb: a segment of computer code that is embedded within existing computer programs to activate and perform a particular action under specific conditions

  • Alien software: clandestine software installed on a computer without the user's informed consent; usually less destructive than viruses and worms, but it consumes resources and can report on the user's activity

  • Adware: software that displays advertisements on a computer

  • Spyware: software that secretly monitors a computer user's activities

  • Key loggers: software that records keyboard strokes

  • Screen grabbers: software that captures screenshots

  • Stalkerware: software that monitors a computer user's activities without their consent

  • Spamware: software that uses a computer to send spam emails

  • Cookies: small amounts of information that websites store on a computer to make return visits easier; tracking cookies can record a user's browsing across sites, which is why they are grouped with alien software

SCADA Attacks

  • Supervisory Control and Data Acquisition (SCADA) systems: a link between the physical and electronic worlds that monitors and controls chemical, physical, and transport processes
  • SCADA attacks: attacks that target SCADA systems in order to disrupt or damage the physical processes they control (power, water, manufacturing, transport)

Cyberterrorism and Cyberwarfare

  • Cyberterrorism: the use of the internet to cause harm and carry out a political agenda
  • Cyberwarfare: war conducted in cyberspace, in which nation-states attack an adversary's computer systems and defend their own

Protecting Information Resources

  • Risk Management: a process to identify, control, and minimize the impact of threats
  • Risk Analysis: a process to assess the value of each asset being protected, estimate the probability of each asset being compromised, and compare protection costs vs. probability of the asset being compromised

Business Continuity Planning, Backup, and Recovery

  • Business continuity plan: a plan to keep the business operating in the event of a disaster
  • Disaster recovery plan: a plan to restore operations as soon as possible after an attack or event
  • Redundancies: duplicate servers and systems to ensure business continuity
  • Alternate physical and data storage location: a backup location to store data and equipment
  • Power backup: a backup power source to ensure business continuity

Information System Auditing

  • Information system audit: an examination of information systems, their inputs, outputs, and processing to assess their efficiency and effectiveness as well as their security
  • Internal auditors: employees who examine the efficiency or effectiveness of systems
  • External auditors: independent auditors who examine the information systems of an organization
  • Certified Information Systems Auditor (CISA): a professional certification for information systems auditors

Information Security Controls

  • Physical controls: measures to prevent unauthorized individuals from gaining access to a company's facilities, such as walls, doors, fencing, gates, locks, badges, guards, and alarm systems
  • Access controls: measures to control who has access to a system, including authentication, authorization, and multifactor authentication
  • Adaptive authentication: AI-based authentication that identifies patterns of typical user behavior and triggers additional authentication actions if behavior deviates from the pattern
  • Communications controls: measures to secure the movement of data across networks, including firewalls, anti-malware systems, encryption, and virtual private networks (VPN)
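The encryption terms in the notes (public key as locking key, private key as unlocking key, digital signature) and the quiz questions on which key encrypts, what a signature proves, and what a digital certificate binds are easiest to see in running code. The block below is an added example, not material from the original quiz or its textbook: a textbook RSA with two small Mersenne primes, no padding and no certificate handling, so it is a teaching model only and must never be used for real data. Alice, Bob and the message are constructed for the illustration.

```python
"""Toy RSA showing the two key roles: the public (locking) key encrypts, the
private (unlocking) key decrypts, and the pair used the other way round gives
a digital signature that proves the sender and the integrity of the message."""
import hashlib
from typing import List, Tuple

# Constructed toy parameters: Mersenne primes 2^31-1 and 2^61-1, public exponent 65537.
# Real deployments use 2048-bit+ keys with OAEP/PSS padding from a vetted library.
P = (1 << 31) - 1
Q = (1 << 61) - 1
E = 65537
BLOCK = 8  # plaintext bytes per RSA block; 9 bytes with marker stays well below n (~2^92)

Key = Tuple[int, int]


def make_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Key, Key]:
    """Return ((e, n), (d, n)) = (public key, private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key: Key) -> List[int]:
    """Lock each block with the RECIPIENT'S PUBLIC key."""
    e, n = public_key
    blocks = []
    for i in range(0, len(message), BLOCK):
        chunk = b"\x01" + message[i:i + BLOCK]  # marker so leading zero bytes survive
        blocks.append(pow(int.from_bytes(chunk, "big"), e, n))
    return blocks


def decrypt(ciphertext: List[int], private_key: Key) -> bytes:
    """Unlock with the matching PRIVATE key; any other key yields garbage or fails."""
    d, n = private_key
    message = b""
    for c in ciphertext:
        m = pow(c, d, n)
        try:
            raw = m.to_bytes(BLOCK + 1, "big")
            message += raw[raw.index(b"\x01") + 1:]
        except (OverflowError, ValueError):
            raise ValueError("block does not decrypt under this key") from None
    return message


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message so the signature covers its integrity, not just its identity."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: Key) -> int:
    """Sign the hash with the SENDER'S PRIVATE key."""
    d, n = private_key
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Anyone holding the sender's PUBLIC key can check sender and integrity."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def demo() -> dict:
    """Walk through the quiz scenarios and report which checks pass."""
    alice_pub, alice_priv = make_keypair()
    bob_pub, bob_priv = make_keypair(p=(1 << 61) - 1, q=(1 << 89) - 1)  # different toy primes
    msg = b"Transfer 500 EUR to account 42"          # constructed sample message
    ciphertext = encrypt(msg, bob_pub)                # locked with Bob's public key
    signature = sign(msg, alice_priv)                 # signed with Alice's private key
    tampered = msg.replace(b"500", b"900")
    try:
        wrong = decrypt(ciphertext, alice_priv)       # Alice's key cannot unlock Bob's mail
    except ValueError:
        wrong = None
    return {
        "roundtrip_ok": decrypt(ciphertext, bob_priv) == msg,
        "wrong_key_fails": wrong != msg,
        "signature_valid": verify(msg, signature, alice_pub),
        "tampered_rejected": not verify(tampered, signature, alice_pub),
        "impostor_rejected": not verify(msg, signature, bob_pub),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'PASS' if ok else 'FAIL'}")
```

The last two checks are the point of the quiz's signature questions: changing one digit of the message, or checking the signature against the wrong person's public key, makes verification fail. What the toy does not do is tell Bob that a given public key really belongs to Alice; that binding of key to identity is the job of the digital certificate the notes mention.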

Access Controls

  • Multifactor authentication (MFA): a process that requires verification from more than one category of factor: something the user is (biometrics), has (ID card or smartphone), does (signing a name), or knows (password); two passwords are still a single factor
  • Single-factor authentication (SFA): a process that requires only one form of verification
  • Two-factor authentication (2FA): a process that requires two forms of verification
  • Three-factor authentication (3FA): a process that requires three forms of verification
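The notes describe adaptive authentication as learning a user's typical behavior and triggering extra authentication when a login deviates from it. The block below is an added example, not code from the original quiz or its textbook, of the simplest form of that idea: build a per-user baseline from past successful logins (country, device, hour of day), score a new attempt against it, and let the score choose between allowing, stepping up to MFA, or blocking. The login records, risk weights and thresholds are constructed for the illustration and would be tuned in a real deployment.

```python
"""Risk-based (adaptive) authentication: learn each user's normal pattern from
past successful logins, score a new attempt against it, and step up to MFA
(or block) when the attempt deviates from that pattern."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample login history (not real logs): user timestamp country device outcome
SAMPLE_LOGINS = [
    "alice 2024-03-04T08:55:00 US dev-a1 success",
    "alice 2024-03-05T09:02:00 US dev-a1 success",
    "alice 2024-03-05T03:12:00 RO dev-zz failure",   # failed attempt: must not shape the baseline
    "alice 2024-03-06T09:10:00 US dev-a2 success",
    "alice 2024-03-07T17:45:00 US dev-a1 success",
    "bob 2024-03-04T10:00:00 DE dev-b1 success",
]

# Hypothetical weights and thresholds chosen for the example.
W_NEW_COUNTRY, W_NEW_DEVICE, W_ODD_HOUR, W_NO_BASELINE = 50, 30, 20, 60
DENY_THRESHOLD = 80


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Count countries, devices and login hours per user from successful logins only."""
    base: Dict[str, dict] = defaultdict(
        lambda: {"countries": Counter(), "devices": Counter(), "hours": Counter()}
    )
    for line in lines:
        user, ts, country, device, outcome = line.split()
        if outcome != "success":  # learning from failures would teach the attacker's pattern
            continue
        hour = datetime.fromisoformat(ts).hour
        base[user]["countries"][country] += 1
        base[user]["devices"][device] += 1
        base[user]["hours"][hour] += 1
    return dict(base)


def score_attempt(baseline: Dict[str, dict], user: str, ts: str,
                  country: str, device: str) -> Tuple[int, List[str]]:
    """Return (risk score, reasons); each deviation from the user's pattern adds weight."""
    profile = baseline.get(user)
    if profile is None:
        return W_NO_BASELINE, ["no baseline for user"]
    score, reasons = 0, []
    if country not in profile["countries"]:
        score += W_NEW_COUNTRY
        reasons.append(f"new country {country}")
    if device not in profile["devices"]:
        score += W_NEW_DEVICE
        reasons.append(f"unknown device {device}")
    hour = datetime.fromisoformat(ts).hour
    if hour not in profile["hours"]:
        score += W_ODD_HOUR
        reasons.append(f"outside usual hours ({hour})")
    return score, reasons


def decide(baseline: Dict[str, dict], user: str, ts: str,
           country: str, device: str) -> Tuple[str, int, List[str]]:
    """Map the score to an action: allow, step up to MFA, or deny."""
    score, reasons = score_attempt(baseline, user, ts, country, device)
    if score == 0:
        action = "allow"
    elif score < DENY_THRESHOLD:
        action = "step_up_mfa"
    else:
        action = "deny"
    return action, score, reasons


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_LOGINS)
    for attempt in [
        ("alice", "2024-03-11T09:05:00", "US", "dev-a1"),
        ("alice", "2024-03-11T23:40:00", "US", "dev-a1"),
        ("alice", "2024-03-11T09:05:00", "RO", "dev-zz"),
        ("carol", "2024-03-11T09:05:00", "US", "dev-c1"),
    ]:
        print(attempt, "->", decide(baseline, *attempt))
```

Two details carry most of the value. Failed logins are excluded when building the baseline, so the earlier attempt from RO on an unknown device does not become "normal" for alice and the same combination is still blocked later. And a user with no history gets a step-up rather than an outright deny, because a first login from a new hire is the expected case, not an attack.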
