Chapter 4 - Information Security and Controls Quiz
17 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the purpose of a firewall?

  • To scan for malware
  • To prevent unauthorized access to a network (correct)
  • To encrypt data transmissions
  • To authenticate users
  • Which of the following is NOT a function of anti-malware systems?

  • Identifying and eliminating other malicious software
  • Encrypting data transmissions (correct)
  • Identifying and eliminating worms
  • Identifying and eliminating viruses
  • What is the purpose of whitelisting?

  • To encrypt data transmissions
  • To identify software that is allowed to run (correct)
  • To authenticate users
  • To identify software that is not allowed to run
  • Which key is used to encrypt a message in asymmetric encryption?

    <p>Private key</p> Signup and view all the answers

    What is the purpose of a digital signature?

    <p>To authenticate the sender of a message</p> Signup and view all the answers

    What is the purpose of a digital certificate?

    <p>To authenticate the identity of a person or organization</p> Signup and view all the answers

    Which of the following is NOT a component of a virtual private network (VPN)?

    <p>Biometric authentication</p> Signup and view all the answers

    What is the purpose of blacklisting?

    <p>To identify software that is not allowed to run</p> Signup and view all the answers

    What is the purpose of multi-factor authentication (MFA)?

    <p>To provide an additional layer of security beyond a single authentication factor</p> Signup and view all the answers

    Which of the following is NOT a communications control mentioned in the text?

    <p>Intrusion detection system (IDS)</p> Signup and view all the answers

    What does a firewall prevent from moving between untrusted networks?

    <p>Data</p> Signup and view all the answers

    In the context of anti-malware systems, what is the purpose of whitelisting?

    <p>Identifying allowed software to run</p> Signup and view all the answers

    What is the purpose of a digital signature in the context of information security?

    <p>Confirming sender's identity and message integrity</p> Signup and view all the answers

    Which component relies on the Internet, firewalls, passwords, and encryption?

    <p>VPN</p> Signup and view all the answers

    What type of key is used for unlocking data encrypted with a public key?

    <p>Private key</p> Signup and view all the answers

    What action triggers additional authentication actions if user behavior deviates from a pattern?

    <p><strong>MFA</strong></p> Signup and view all the answers

    In the context of information security controls, what is the purpose of blacklisting?

    <p><strong>Identifying malicious software</strong></p> Signup and view all the answers

    Study Notes

    Introduction to Information Security

    • Information security refers to the processes and policies designed to protect an organization's information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
    • A threat to an information resource is any danger to which a system may be exposed.
    • Exposure is the harm, loss, or damage to a compromised resource.
    • An information resource's vulnerability is the possibility that the system will be harmed by a threat.

    Vulnerability of Organizational Information Resources

    • Five factors contribute to vulnerability:
      • Today's interconnected, interdependent, wirelessly networked business environment.
      • Smaller, faster, cheaper computers and storage devices.
      • Decreasing skills necessary to be a computer hacker.
      • International organized crime taking over cybercrime.
      • Lack of management support.

    Unintentional Threats to IS

    • Human Errors:
      • Higher-level employees pose a greater threat to information security.
      • Lost or stolen phones and laptops.
      • Opening questionable emails and attachments.
      • Poor passwords.
    • Social Engineering:
      • Attack in which the perpetrator uses social skills to trick or manipulate employees into providing confidential company information.
    • Dumpster Diving:
      • Discarding documents and equipment with confidential information.
    • Unauthorized use of computer systems and networks:
      • Time and resource theft (e.g., private consulting, personal finances, playing video games).

    Deliberate Threats to IS

    • Hacking:
      • Illegal use of computers or unauthorized access and use of networked computer systems.
      • Types of hackers:
        • White hat: security expert working for a legitimate company to make computers more secure.
        • Black hat: does so for monetary/malicious purposes.
        • Grey hat: a combination of white and black hat.
        • Script kiddie: non-computer expert who uses ready packages and scripts to hack into the system without understanding how it works.
    • Espionage or Trespass:
      • Unauthorized outsider attempts to gain illegal access to organizational information.
    • Information Extortion:
      • Attacker demands money in exchange for not stealing or revealing information.
    • Ransomware:
      • Blocks access to a system or encrypts data until the organization pays, usually in Bitcoin.
    • Doxing (or Doxxing):
      • Stealing sensitive information/documents and threatening to reveal them to the public.
    • Sabotage or Vandalism:
      • Deliberate acts that involve defacing an organization's website, potentially damaging the organization's image.
    • Identity Theft:
      • Deliberate assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime.
    • Phishing:
      • Tricking individuals into revealing sensitive information.

    Compromises to Intellectual Property

    • Copyright:
      • Statutory grant that provides creators or owners of intellectual property with ownership of the property for the life of the creator plus 70 years.
    • Software Piracy:
      • Many sources claim that 30% - 50% of the software industry's revenues are lost to piracy, but these claims are often overstated.

    What Organizations Are Doing to Protect Information Resources

    • Risk Management:
      • Identifying, controlling, and minimizing the impact of threats.
    • Business Continuity Planning, Backup, and Recovery:
      • Guidance on how to keep the business operating in the event of a disaster.
    • Information System Auditing:
      • Examining information systems, their inputs, outputs, and processing to assess efficiency, effectiveness, and security.

    Information Security Controls

    • Physical Controls:

      • Preventing unauthorized individuals from gaining access to a company's facilities.
    • Access Controls:

      • Authentication:
        • Something the user is (biometrics).
        • Something the user has (ID card or smartphone).
        • Something the user does (signing a name on a keypad).
        • Something the user knows (password, PIN, secret question).
      • Authorization:
        • Which actions, rights, or privileges the user has based on their verified identity.
    • Communications Controls:

      • Secure movement of data across networks.
      • Firewall:
        • Prevents specific types of information from moving between untrusted networks.
      • Anti-malware systems:
        • Identify and eliminate viruses and worms, and other malicious software.
      • Encryption:
        • Public key, locking key, private key, unlocking key, digital signature.### Types of Deliberate Threats to IS Software Attacks
    • Virus: a segment of computer code that performs malicious actions by attaching to another computer program

    • Worm: a segment of computer code that performs malicious actions and replicates itself without requiring another computer program

    • Denial-of-service (DOS) attack: a deliberate attempt to make a computer system unavailable by flooding it with traffic

    • Distributed denial-of-service (DDOS) attack: a DOS attack that involves multiple computers

    • Trojan horse: software programs that hide in other computer programs and reveal their designed behavior only when activated

    • Back door: a password, known only to the attacker, that allows access to a computer system at will

    • Logic bomb: a segment of computer code that is embedded within existing computer programs to activate and perform a particular action under specific conditions

    • Alien software: unauthorized software that allows unauthorized access to a computer system

    • Adware: software that displays advertisements on a computer

    • Spyware: software that secretly monitors a computer user's activities

    • Key loggers: software that records keyboard strokes

    • Screen grabbers: software that captures screenshots

    • Stalkerware: software that monitors a computer user's activities without their consent

    • Spamware: software that uses a computer to send spam emails

    Deliberate Threats to IS Software Attacks

    • Cookies: small amounts of information that websites store on a computer to make it easier to visit the site again

    SCADA Attacks

    • Supervisory Control and Data Acquisition (SCADA) systems: a link between the physical and electronic worlds that monitors and controls chemical, physical, and transport processes
    • SCADA attacks: attacks that target SCADA systems to cause harm and carry out a political agenda

    Cyberterrorism and Cyberwarfare

    • Cyberterrorism: the use of the internet to cause harm and carry out a political agenda
    • Cyberwarfare: the use of the internet to attack and defend against cyberattacks

    Protecting Information Resources

    • Risk Management: a process to identify, control, and minimize the impact of threats
    • Risk Analysis: a process to assess the value of each asset being protected, estimate the probability of each asset being compromised, and compare protection costs vs. probability of the asset being compromised

    Business Continuity Planning, Backup, and Recovery

    • Business continuity plan: a plan to keep the business operating in the event of a disaster
    • Disaster recovery plan: a plan to restore operations as soon as possible after an attack or event
    • Redundancies: duplicate servers and systems to ensure business continuity
    • Alternate physical and data storage location: a backup location to store data and equipment
    • Power backup: a backup power source to ensure business continuity

    Information System Auditing

    • Information system audit: an examination of information systems, their inputs, outputs, and processing to assess their efficiency and effectiveness as well as their security
    • Internal auditors: employees who examine the efficiency or effectiveness of systems
    • External auditors: independent auditors who examine the information systems of an organization
    • Certified Information Systems Auditor (CISA): a professional certification for information systems auditors

    Information Security Controls

    • Physical controls: measures to prevent unauthorized individuals from gaining access to a company's facilities, such as walls, doors, fencing, gates, locks, badges, guards, and alarm systems
    • Access controls: measures to control who has access to a system, including authentication, authorization, and multifactor authentication
    • Adaptive authentication: AI-based authentication that identifies patterns of typical user behavior and triggers additional authentication actions if behavior deviates from the pattern
    • Communications controls: measures to secure the movement of data across networks, including firewalls, anti-malware systems, encryption, and virtual private networks (VPN)

    Access Controls

    • Multifactor authentication (MFA): a process that requires multiple forms of verification, such as something the user is (biometrics), has (ID card or smartphone), does (signing a name), or knows (password)
    • Single-factor authentication (SFA): a process that requires only one form of verification
    • Two-factor authentication (2FA): a process that requires two forms of verification
    • Three-factor authentication (3FA): a process that requires three forms of verification

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Description

    Test your knowledge on the fundamentals of information security, including processes, policies, threats, exposures, and vulnerabilities. Learn about protecting an organization's information and systems from unauthorized access, use, and more.

    More Like This

    Use Quizgecko on...
    Browser
    Browser