Chapter 8 Cybersecurity Concepts and Vulnerabilities Quiz
45 Questions

Questions and Answers

What are the two main types of security vulnerabilities that commercial software can have?

  • Hidden bugs and program code defects (correct)
  • Network intrusion and system hacking
  • Hidden bugs and zero defects
  • Data tampering and system hacking

Why is maintaining proper control of data valuable?

  • It can save time and money when responding to legal discovery requests. (correct)
  • It enables individuals to better understand and utilize financial data.
  • It facilitates better data analysis and allows for the identification of trends.
  • It enables the ability to store and retrieve information more efficiently.

What is the significance of 'computer forensics' in relation to security and control?

  • It provides in-depth analysis of user behavior to prevent unauthorized system access.
  • It facilitates the development of new technologies to improve security and control measures.
  • It helps identify and mitigate weaknesses in a system's security architecture to improve control.
  • It enables the collection and analysis of data from a computer system for use as evidence in court. (correct)

Which of these acts specifically imposes responsibility on companies for safeguarding the accuracy and integrity of financial information?

The Sarbanes-Oxley Act (B)

What is the main purpose of a key logger?

To record every keystroke on a computer to steal information like passwords and serial numbers. (D)

What measures are typically implemented to resolve flaws in commercial software?

Patches (B)

Which of the following is NOT a typical activity of hackers?

System repair (D)

Which of the following is not a direct consequence of inadequate security and control?

Increased costs of development (C)

What describes the act of misrepresenting oneself by using a fake email address or pretending to be someone else?

Spoofing (D)

Which of these options are considered sensitive data that needs to be protected?

All of the above (D)

What is the primary focus of 'patch management'?

Regularly updating software with bug fixes and security enhancements. (D)

What is the primary function of sniffing?

Monitoring network traffic to steal information such as emails and files. (B)

Which of the following is the most accurate description of a denial-of-service (DoS) attack?

A type of attack that uses multiple computers to flood a server with false requests. (A)

What is a botnet?

A network of compromised computers controlled by malware. (A)

What is the main difference between a DoS and a DDoS attack?

A DDoS attack uses a network of compromised computers to launch a coordinated attack, while a DoS attack uses a single computer. (C)

Which of the following is an example of malware discussed in the content?

All of the above (D)

What is the primary purpose of general controls in information systems?

To govern the design, security, and use of computer programs and data files across the organization's IT infrastructure (A)

Which of the following is NOT a type of general control?

Input controls (D)

What is the key difference between general and application controls?

General controls focus on the overall control environment, while application controls are specific to individual applications. (C)

Which of the following is an example of an application control aimed at ensuring data accuracy during processing?

Data validation checks to verify the completeness and accuracy of customer order information (B)

Why is a risk assessment a crucial step in establishing effective security controls?

Risk assessment allows businesses to prioritize controls based on the potential impact and likelihood of risks. (B)

What is the primary objective of output controls in application security?

To verify the completeness and accuracy of the application's output before it is delivered. (B)

Which of the following factors is NOT typically considered during a risk assessment for an online order processing system?

The effectiveness of the company's customer service department in resolving order issues. (D)

What is the role of a security framework like COSO in the context of information system security?

To offer a structured approach and guidance for establishing and maintaining an effective security posture. (D)

What is the purpose of a security policy?

To rank information risks, identify security goals, and mechanisms for achieving those goals. (A)

What is a key difference between a disaster recovery plan and a business continuity plan?

A business continuity plan focuses on restoring business operations after a disaster, while a disaster recovery plan focuses on restoring disrupted services. (C)

What is the purpose of an acceptable use policy (AUP)?

To define the acceptable uses of a firm's information resources and computing equipment. (D)

What is a key benefit of using an identity management system?

It helps to identify and authorize different categories of users. (A)

What is the purpose of a business impact analysis?

To determine the impact of an outage on a firm's critical systems. (C)

Authorization policies are primarily associated with which aspect of security?

Identity management. (A)

According to the provided content, what are security profiles used for?

To specify user access restrictions in organizations. (A)

Which of the following is NOT a key aspect of identity management?

Creating security profiles. (A)

What is the main purpose of Deep Packet Inspection (DPI)?

To identify and block low-priority traffic, such as video downloads. (D)

Which of these is NOT a responsibility of a company when using cloud services for data storage?

Ensuring the cloud provider is responsible for the security of the company's data. (A)

Which of the following is a key feature of mobile device management tools?

Enabling remote wipe functionality for lost or stolen devices. (B)

In the context of online transaction processing, why is 100% availability crucial?

To minimize downtime and prevent loss of revenue. (A)

What is the primary purpose of fault-tolerant computer systems?

To minimize the risk of data loss during power outages or hardware failures. (B)

What technology used by a firewall dynamically inspects network traffic based on the state of existing connections, allowing or blocking traffic based on this context?

Stateful inspection (B)

What is the primary purpose of an Intrusion Detection System (IDS)?

To monitor network traffic for malicious activity (B)

Which of the following encryption technologies is a successor to Secure Sockets Layer (SSL)?

Transport Layer Security (TLS) (B)

What is the primary function of Network Address Translation (NAT) in a firewall?

Translating private IP addresses to public IP addresses (B)

Which of the following is a characteristic of the Wi-Fi Protected Access 2 (WPA2) security standard?

It employs dynamic and changing encryption keys (D)

What is the primary goal of encryption in the context of information security?

To transform readable data into an unreadable form (A)

What is the main difference between a Denial of Service (DoS) attack and a Distributed Denial of Service (DDoS) attack?

A DoS attack targets a single computer, while a DDoS attack targets multiple computers. (C)

Which of the following is NOT a common security measure used to secure wireless networks?

Network Address Translation (NAT) (A)

Flashcards

Spyware

Small programs that monitor user activity and serve ads.

Key loggers

Programs that record every keystroke to steal information.

Cybervandalism

Intentional disruption or destruction of websites or systems.

Spoofing

Misrepresenting oneself online using fake identities.

Sniffing

Monitoring network traffic to steal information.

Denial-of-service attack (DoS)

Flooding a server with false requests to crash it.

Distributed denial-of-service attack (DDoS)

Multiple computers flooding a server to crash it.

Botnets

Networks of infected PCs controlled by malware.

Security Policy

A framework that ranks information risks, sets security goals, and outlines mechanisms to achieve them.

Acceptable Use Policy (AUP)

A policy that defines acceptable uses of an organization's information resources and computing equipment.

Authorization Policies

Policies that determine varying levels of user access to information assets based on roles.

Identity Management

Processes and tools for identifying valid users and controlling access in a system.

Identity Management Systems

Systems that capture access rules for different user levels based on identity management policies.

Disaster Recovery Planning

Plans focused on restoring disrupted services following a disaster or incident.

Business Continuity Planning

Focuses on maintaining business operations after a disaster or disruption.

Business Impact Analysis

Assessment to determine the impact of an outage on business operations and identify critical systems.

Information Systems Controls

Procedures to manage risks in information systems, including manual and automated controls.

General Controls

Broad regulatory measures for the overall IT environment, ensuring the security and functioning of all applications.

Types of General Controls

Includes software, hardware, operations, data security, system development, and administrative controls.

Application Controls

Specific measures that safeguard individual applications, ensuring only authorized data is processed.

Input Controls

Measures ensuring only valid data is entered into an application.

Processing Controls

Controls that ensure data is processed correctly within an application.

Risk Assessment

Evaluation of potential risks to an organization from inadequate controls on activities.

Expected Annual Loss

Projected financial loss due to specific risks occurring over a year.

Fault-tolerant systems

Systems designed for continuous availability without interruption.

Deep Packet Inspection (DPI)

A method to examine data files and prioritize or block certain content.

Security outsourcing

Using Managed Security Service Providers (MSSPs) for security measures.

Cloud security responsibilities

Security responsibilities lie with the data owner and cloud provider.

Mobile device management

Policies and tools to secure and manage mobile devices.

Software Vulnerability

Flaws in commercial software that create security risks.

Patches

Small software updates to fix vulnerabilities in programs.

Business Value of Security

Importance of safeguarding data to maintain business function and value.

Data Breaches

Incidents where confidential data is accessed without authorization.

HIPAA

Health Insurance Portability and Accountability Act for medical data security.

Gramm-Leach-Bliley Act

Regulation ensuring confidentiality of customer financial data.

Computer Forensics

The science of collecting and analyzing digital evidence for legal purposes.

Electronic Evidence

Digital information that can be used as evidence in legal cases.

Firewall

Combines hardware and software to block unauthorized access.

Static Packet Filtering

Analyzes packets at the network level without context.

Stateful Inspection

Keeps track of active connections for enhanced security.

Intrusion Detection System

Monitors networks for suspicious activity in real-time.

Antivirus Software

Identifies and eliminates malware from a computer.

WEP Security

Older wireless security with static encryption keys that are easy to crack.

WPA2 Specification

Current Wi-Fi standard with stronger, dynamic encryption keys.

Encryption

Transforms data into unreadable cipher text for protection.

Study Notes

Information Systems: Theory & Practice - TU8: Securing Information Systems

  • Course instructor: Prof. Dr. Paul Drews
  • Course title: Securing Information Systems
  • This is a course about information systems security theory and practice.

Chapter 8 – Intro Case Study

  • Business Challenges: Increasing cyber attacks, phishing attacks, and internal security threats.
  • Management: Inform public, train employees, develop cyber-aware business processes, proactively manage data breaches, and maintain a database of previous breaches.
  • Organization: Build web and social media pages to warn customers; security guarantees to customers.
  • Technology: Implement a cyber defense system.
  • Business Solutions: Reduce cyber attacks, implement public and employee awareness programs, and reduce internal breaches.

Learning Objectives

  • Explain why information systems are vulnerable to destruction, error, and abuse.
  • Describe the business value of security and control.
  • Describe the components of an organizational framework for security and control.
  • Describe the most important tools and technologies for safeguarding information resources.

Some Recent Cases

  • University of Gießen Security Incident (December 2019): The university's systems were offline for several weeks due to a hacker attack.
  • District of Vorpommern-Rügen (2023) and others: Various government entities experienced significant disruptions, and ongoing issues due to cyber attacks.
  • Equifax Data Breach (2017): A major data breach affected millions of US citizens.
  • Bundestag (German parliament) offline due to hacker attack (2015): The German parliament experienced a significant disruption due to a hacker attack, prompting improvements to the IT security structure.
  • 1.3 Million Vodafone routers insecure (2015): Vulnerabilities in Vodafone routers enabled unauthorized access.
  • Backdoors in network switches (2015): Critical vulnerabilities were found in Juniper's network switches.
  • Belgian network provider hacked by British intelligence agency (2014): A major data privacy breach occurred, likely involving GCHQ.

System Vulnerability and Abuse

  • Why systems are vulnerable: Accessibility of networks, hardware problems, software problems, disasters, use of networks/computers outside of the firm's control, and loss of portable devices.
  • Internet vulnerabilities: Network open to anyone, size of the internet, use of fixed internet addresses with cable/DSL modems, unencrypted VOIP, e-mail, P2P, IM, interception, and malicious software attachments.
  • Wireless security challenges: Radio frequency bands are easy to scan, and SSIDs (service set identifiers) can be identified by sniffer programs.
  • Malware (malicious software): Viruses, worms, downloads and drive-by downloads, e-mail and IM attachments, mobile device and social network malware, key loggers; symptoms include a reset browser home page, redirected search requests, and slow computer performance.
  • Spoofing: Misrepresenting oneself through the use of fake email addresses or masquerading as someone else.
  • Sniffing: Eavesdropping programs on networks that gather information for hackers.
  • Denial-of-service attacks (DoS) and Distributed denial-of-service attacks (DDoS): Flooding servers with thousands of false requests to crash the network. Using numerous computers to launch a DoS attack is a DDoS attack.
  • Hackers and computer crime: System intrusion; system damage; cybervandalism; intentional disruption, defacement, destruction.
  • Identity theft: Theft of personal information.
  • Phishing: Setting up fake websites or sending fake emails to receive sensitive data.
  • Evil twins: Wireless networks that pretend to be legitimate Wi-Fi connections.
  • Pharming: Redirects users to fake websites.
  • Click fraud: Fraudulent clicks on online ads.
  • Cyberterrorism and Cyberwarfare:
  • Internal threats: Employee security threats, inside knowledge, sloppy security procedures, and social engineering (tricking employees into revealing passwords).

Organizational Frameworks for Security and Control

  • Information systems controls: Manual and automated controls, general, and application controls.
  • General controls: Govern the design, security, and use of computer programs and the security of data files throughout the organization's IT infrastructure, using a combination of hardware, software, and manual procedures.
  • Types of general controls: Software controls, hardware controls, computer operations controls, data security controls, implementation controls, administrative controls.
  • Application controls: Specific controls unique to computerized applications, including both automated and manual procedures, that ensure only authorized data are completely and accurately processed.
  • Risk assessment: Determines level of risk to a firm, types of threats, probability of occurrence, potential losses, and annual loss.
  • Security policy: Ranks information risks, identifies security goals, and mechanisms to achieve these goals and drives other policies.
  • Acceptable use policy (AUP): Defines acceptable uses of firm's information resources and computing equipment.
  • Authorization policies: Determine differing levels of user access to information assets.
  • Identity management: Business processes and tools to identify valid users of systems, control their access, assign identifiers, and authenticate users.
  • Disaster recovery planning and business continuity planning: Plans and procedures to restore business operations after disasters, including determining which systems most need to be restored first.

Tools and Technologies for Safeguarding Information Resources

  • Identity management software: Automates tracking of users and privileges, authenticates users, and controls access.
  • Authentication: Password systems, tokens, smart cards, biometric authentication, and two-factor authentication.
  • Firewall: Combination of hardware and software to prevent unauthorized access to private networks. Technologies include static packet filtering, stateful inspection, network address translation (NAT), and application proxy filtering.
  • Intrusion detection system: Monitors and detects intruders.
  • Antivirus and antispyware software: Checks for malware and often eliminates it.
  • Unified threat management (UTM) systems: Eliminates malware and other threats.
  • Securing wireless networks: WEP security, Wi-Fi Alliance finalized WPA2 specification.
  • Encryption: Using cipher text to protect data from unwanted eyes. Two methods include Secure Sockets Layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP).
  • Symmetric key encryption: Sender and receiver use a single, shared key.
  • Public key encryption: Two mathematically related keys (public and private). Uses recipient's public key for encrypting messages, and private key for decrypting them.
  • Digital certificates: Used to establish the identity of users and electronic assets.
  • Public key infrastructure (PKI): Uses public key cryptography to work with certificate authority and is widely used in e-commerce.
  • Ensuring System Availability: Important in online transaction processing. Fault-tolerant computer systems contain redundant hardware, software, and power supply components for uninterrupted service.
  • Controlling network traffic: Deep packet inspection that sorts low-priority material and blocks video/music downloads.
  • Security outsourcing: Service providers that manage security efforts.
  • Security in the cloud: Company owning data is responsible for security. Firms must ensure providers provide adequate protection.
  • Securing mobile platforms: Security policies should include special requirements for mobile devices and guidelines for use. Mobile device management tools include inventory records, controls for updates, methods to lock down/erase lost devices, and encryption.
  • Ensuring software quality: Software metrics (quantitative measurements), walkthroughs (reviewing documents by qualified people), and debugging (elimination of errors).

Tasks for this Week

  • Actively read chapter 8, including case studies (3-4 hours).
  • Discuss the statement: "IT security isn't simply a technology issue, it's a business issue" (15 minutes).

Contact

  • Professor Dr. Paul Drews
  • Institute of Information Systems
  • University of Lüneburg

Description

Test your knowledge on essential cybersecurity concepts, focusing on software vulnerabilities, data control, and the importance of computer forensics. This quiz will cover various aspects of cybersecurity, including hacker activities, sensitive data protection, and patch management.