ITM100 CHAPTER 8 QUIZ

Questions and Answers

What type of malware can be transmitted to a smartphone without user intervention?

  • Worm (correct)
  • Adware
  • Trojan horse
  • Spyware

Which mobile operating system is targeted by most hackers according to the text?

  • Windows Mobile
  • iOS
  • BlackBerry OS
  • Android (correct)

What is the reported increase in malicious mobile malware attacks from 2017 to 2018 according to Kaspersky Lab?

  • 125%
  • 75%
  • 50%
  • 100% (correct)

Which social networking site is mentioned as a conduit for malware in the text?

  • LinkedIn (C)

What percentage of the world's spam is delivered by botnets?

  • 90% (A)

Which type of attack involved the Mirai botnet in October 2016?

  • DDoS (D)

What is the average annualized cost of cybercrime security for organizations in 2018?

  • $13 million (A)

Which type of computer crime involves gaining unauthorized access?

  • Phishing (C)

What is a major concern that prevents many companies from reporting computer crimes?

  • Fear of reputational damage (D)

What type of attack involves activities of malicious insiders?

  • DDoS attacks (D)

In 2019, what were the fraud losses in the United States due to identity theft?

  • $16.9 billion (B)

Which phishing technique involves redirecting users to a bogus web page by gaining access to Internet address information?

  • Pharming (D)

What is the primary goal of phishing?

  • Obtaining personal data (A)

Which attack involves infecting computers with bot malware to open a back door for attackers to give instructions?

  • Botnet (A)

What type of attack involves launching a DDoS attack against Dyn in October 2016?

  • DDoS (A)

What is the primary concern for small and midsize businesses with less protected networks in relation to DDoS attacks?

  • Financial damage (D)

Which type of attack involves misrepresenting oneself through fake email addresses or redirecting web links to steal sensitive information?

  • Spoofing (D)

What type of malware appears benign but performs unexpected actions, allowing the introduction of viruses or malicious code?

  • Trojan horse (C)

What type of attack exploits vulnerabilities in web application software to introduce malicious code into a company’s systems?

  • SQL injection (A)

Which type of attack floods network servers with false communications to crash the network?

  • Denial-of-service (DoS) attacks (A)

What type of attack extorts money by taking control of computers and encrypting data?

  • Ransomware (B)

What serves advertising and monitors user web-surfing activity, with keyloggers being a particularly nefarious type?

  • Spyware (A)

Which type of attack involves unauthorized access to computer systems, and criminal hackers, or crackers, engage in theft, system damage, and cybervandalism?

  • Hackers (B)

What involves using numerous computers to overwhelm the network with false communications?

  • Distributed denial-of-service (DDoS) attacks (C)

Which type of malware steals banking login credentials and infected 3.6 million computers in 2009?

  • ZeuS (Zbot) Trojan (A)

What type of attack can steal proprietary information from networks when used for criminal purposes?

  • Sniffers (D)

What poses security challenges from devices, platforms, communications, and connected systems?

  • The Internet of Things (IoT) (D)

What is needed to protect IoT devices and platforms from information attacks and physical tampering, and to encrypt their communications?

  • New security tools (A)

What is the average cost of a data breach among 507 surveyed companies globally, according to the 2019 Cost of a Data Breach Report?

  • $3.92 million (C)

When did the U.S. Congress address computer crime threats?

  • 1986 (B)

What is the main focus of cyberwarfare?

  • Penetrating computers or networks to cause damage and disruption (A)

Which entities are considered targets of cyberwarfare?

  • Military, power grids, financial systems, and communication networks (A)

What did foreign hackers steal from the United States?

  • Source code, blueprints, and plans for critical infrastructure (C)

Which countries are reported to be developing offensive cyberattack capabilities?

  • Russia, China, Iran, and North Korea (A)

What is the role of the U.S. Cyber Command?

  • Coordinates and directs operations and defense of Department of Defense information networks (B)

What does cyberwarfare pose a serious threat to?

  • Infrastructure of modern societies, including major financial, health, government, and industrial institutions (C)

What is a significant cause of network security breaches according to the text?

  • User lack of knowledge (C)

How might employees inadvertently compromise systems?

  • Forgetting passwords or falling victim to social engineering tactics (A)

What may failure to comply with legal and regulatory requirements for electronic records management lead to?

  • Costly litigation (B)

What is the primary focus of the Sarbanes-Oxley Act of 2002?

  • Ensuring the accuracy and integrity of financial information (A)

What is the main focus of disaster recovery planning?

  • Restoration of disrupted computing and communications services (C)

What is the purpose of business continuity planning?

  • Restoring business operations after a disaster (A)

What is the goal of business impact analysis?

  • Identifying critical systems and determining the maximum amount of downtime (B)

What do information systems audits primarily examine?

  • The firm’s security environment and controls (C)

What is the main focus of audits in relation to Sarbanes-Oxley?

  • Internal controls to govern the creation and documentation of financial information (C)

What is the purpose of using duplicate computer centers or cloud-based disaster recovery services?

  • Restoring computing and communications services (D)

What is the focus of PricewaterhouseCoopers LLP (PwC) UK's business continuity plans?

  • Providing resilient and recoverable operations in the event of crises (B)

What is the primary purpose of an information systems audit?

  • Examine the firm’s security environment and controls (A)

What is the main goal of business impact analysis?

  • Identify critical systems and determine the maximum amount of time the business can survive with its systems down (D)

What is the primary purpose of disaster recovery planning?

  • Restore disrupted computing and communications services (C)

What is the main focus of business continuity planning?

  • Restore business operations after a disaster (A)

Flashcards

Average Cost of a Data Breach (2019)

The average cost of a data breach in 2019 among 507 surveyed companies globally was $3.92 million.

Computer Fraud and Abuse Act

A U.S. law passed in 1986 that makes unauthorized access to computer systems illegal.

Cyberwarfare

State-sponsored activities designed to cripple and defeat other nations by infiltrating their computers or networks to cause damage and disruption.

Cyberwarfare Targets

Military, power grids, financial systems, and communication networks are all potential targets of cyberwarfare.

Non-State Actors in Cyberwarfare

Non-state actors like terrorists or criminal groups can also engage in cyberwarfare.

Theft of Critical Infrastructure Information

Foreign hackers have stolen vital information like source code, blueprints, and plans for critical infrastructure from the U.S.

Cyberattack Capabilities

Intelligence reports suggest over 30 countries, including Russia, China, Iran, and North Korea, are developing offensive cyberattack capabilities.

U.S. Cyber Command

The U.S. Cyber Command coordinates and directs operations and defense of Department of Defense information networks and prepares for military cyberspace operations.

Cyberwarfare Threat to Infrastructure

Cyberwarfare poses a significant threat to the infrastructure of modern societies, including their major financial, health, government, and industrial institutions.

Insider Threats

Insiders, such as employees with access to company systems, pose a major threat to cybersecurity due to their insider knowledge and potential for misuse.

User Lack of Knowledge

Employee lack of knowledge, such as forgetting passwords or falling victim to social engineering, is a major cause of network security breaches.

Electronic Records Management Regulations

Companies must comply with legal and regulatory requirements for managing electronic records, such as GDPR in the EU, to avoid costly litigation.

HIPAA (Health Information Security)

HIPAA (Health Insurance Portability and Accountability Act) outlines security and privacy rules for healthcare data, including privacy, security, and electronic transaction standards.

Gramm-Leach-Bliley Act (Financial Data Security)

The Gramm-Leach-Bliley Act requires financial institutions to ensure the security and confidentiality of customer data, including storage and transmittal.

Sarbanes-Oxley Act (Financial Transparency)

The Sarbanes-Oxley Act focuses on protecting investors in public companies by ensuring the accuracy and integrity of financial information.

Sarbanes-Oxley & Information Systems Security

Sarbanes-Oxley focuses on internal controls to govern the creation and documentation of financial information, including information systems security and controls.

Disaster Recovery Planning

Disaster recovery planning focuses on restoring disrupted computing and communications services.

Business Continuity Planning

Business continuity planning focuses on restoring business operations after a disaster.

Disaster Recovery Methods

Companies use various methods for disaster recovery, including duplicate computer centers, cloud-based services, and spare computers.

Identifying Critical Business Processes

Business continuity plans identify critical business processes and action plans for handling mission-critical functions if systems go down.

Business Impact Analysis

Business impact analysis determines the maximum amount of time a business can survive with its systems down, identifying critical systems.

Information Systems Audits

Information systems audits examine the firm’s security environment and controls, trace the flow of transactions, and may simulate an attack or disaster to test the response.

Control Weaknesses Assessment

Audits identify and rank control weaknesses, estimating their likelihood and assessing their financial and organizational impacts.

UK Records Management Regulations

UK regulations, such as the Records Management Code of Practice for Health and Social Care and the Companies Act 2006, impose specific requirements for managing records and corporate governance.

Compliance with Regulations

Companies need to comply with various regulations to manage their electronic records and ensure data security.

PwC UK Business Continuity Plans

PwC UK has developed business continuity plans to provide resilient and recoverable operations in the event of crises.

Identifying Critical Systems

To understand the potential impact of a security breach, companies need to identify critical systems and assess their importance.

Study Notes

Cybersecurity and Cyberwarfare Threats

  • The 2019 Cost of a Data Breach Report found that the average cost of a data breach among 507 surveyed companies globally was $3.92 million.
  • The U.S. Congress addressed computer crime threats in 1986 with the Computer Fraud and Abuse Act, making unauthorized computer system access illegal.
  • European nations and most U.S. states have similar laws addressing computer crimes.
  • Cyberwarfare involves state-sponsored activities designed to cripple and defeat other nations by penetrating their computers or networks to cause damage and disruption.
  • Cyberwarfare targets include military, power grids, financial systems, and communication networks, and can be conducted by nonstate actors such as terrorists or criminal groups.
  • Foreign hackers have stolen source code, blueprints, and plans for critical infrastructure from the United States.
  • U.S. intelligence reports that over 30 countries are developing offensive cyberattack capabilities, including Russia, China, Iran, and North Korea.
  • The U.S. Cyber Command coordinates and directs operations and defense of Department of Defense information networks and prepares for military cyberspace operations.
  • Cyberwarfare poses a serious threat to the infrastructure of modern societies, including their major financial, health, government, and industrial institutions that rely on the Internet for daily operations.
  • Insiders pose serious security problems for businesses, with user lack of knowledge being the greatest cause of network security breaches.
  • Employees may inadvertently compromise systems by forgetting passwords or falling victim to social engineering tactics.
  • Companies face legal and regulatory requirements for electronic records management, such as the General Data Protection Regulation (GDPR) in the EU, and failure to comply may lead to costly litigation.

Information Security Regulations and Auditing

  • HIPAA (Health Insurance Portability and Accountability Act) of 1996 outlines security and privacy rules for healthcare data, including privacy, security, and electronic transaction standards.
  • The U.S. Financial Services Modernization Act (Gramm-Leach-Bliley Act) requires financial institutions to ensure the security and confidentiality of customer data, including storage and transmittal.
  • The Sarbanes-Oxley Act of 2002 is designed to protect investors in public companies by ensuring the accuracy and integrity of financial information.
  • In the UK, regulations such as the Records Management Code of Practice for Health and Social Care and the Companies Act 2006 impose specific requirements for managing records and corporate governance.
  • Sarbanes-Oxley focuses on internal controls to govern the creation and documentation of financial information, requiring consideration of information systems security and controls.
  • Disaster recovery planning focuses on the restoration of disrupted computing and communications services, while business continuity planning focuses on restoring business operations after a disaster.
  • Firms may use duplicate computer centers, cloud-based disaster recovery services, or firms providing spare computers for emergency backup.
  • Business continuity plans identify critical business processes and action plans for handling mission-critical functions if systems go down.
  • PricewaterhouseCoopers LLP (PwC) UK has developed business continuity plans to provide resilient and recoverable operations in the event of crises.
  • Business impact analysis is conducted to identify critical systems and determine the maximum amount of time the business can survive with its systems down.
  • Information systems audits examine the firm’s security environment and controls, trace the flow of transactions, and may simulate an attack or disaster to test the response.
  • Audits list and rank control weaknesses, estimating the probability of their occurrence and assessing financial and organizational impacts.
