IAS 102 Unit 1 Security & Risk Management

Questions and Answers

What are the elements of the CIA Triad?

Confidentiality, Integrity, Availability

Which of the following are key principles of Security Governance? (Select all that apply)

Decrease

Acquisition (correct)

Performance (correct)

Responsibility (correct)

What does confidentiality in the CIA Triad refer to?

Protecting information from unauthorized access.

What risks does Security and Risk Management focus on?

Identifying, assessing, and controlling risks to capital, earnings, and critical assets.

A cyberattack is an attempt by _____ to access a computer network or system.

cybercriminals

Which of the following is an example of malware?

Spyware

Integrity in the CIA Triad means data are trustworthy and complete.

True

What is the primary purpose of a Denial-of-Service (DoS) attack?

To disrupt business operations by flooding a network with false requests.

Match the following cyber threats with their descriptions:

Phishing = Uses emails or messages to trick victims into sharing sensitive information Ransomware = Encrypts victim's data and demands a payment for decryption Trojan = Disguised as legitimate software but is harmful Worm = Self-replicating program that spreads itself across networks

Study Notes

Security and Risk Management Overview

• Security and risk management involves identifying, assessing, and controlling risks to an organization's capital, earnings, and critical assets.
• Risks can originate from financial uncertainties, legal liabilities, strategic management errors, accidents, and natural disasters.
• Cyber risk management specifically targets information systems to mitigate the impact of cyberattacks, employee errors, and natural disasters.

CIA Triad

• The CIA Triad stands for Confidentiality, Integrity, and Availability, a foundational model in information security.
• Confidentiality involves protecting information from unauthorized access.
• Integrity ensures data is trustworthy and complete without unauthorized alterations.
• Availability guarantees that data is accessible when required.

Security Governance Principles

• Six critical security governance principles guide organizational cybersecurity:
  • Responsibility: Clearly defined roles for security across the organization.
  • Strategy: Align security initiatives with the overarching business strategy.
  • Acquisition: Assess security implications when acquiring technologies or services.
  • Performance: Continually monitor security performance.
  • Conformance: Ensure compliance with relevant regulations and standards.
  • Human Behavior: Encourage secure behaviors among employees.

Cyberattacks

• Cyberattacks are attempts to access computer networks or systems for malicious purposes, such as altering, stealing, or destroying information.
• Types of Cyberattacks:
  • Malware: Malicious software targeting networks or servers.
  • Ransomware: Encrypts victim data and demands payment for decryption.
  • Fileless Malware: Utilizes legitimate tools in a system to execute attacks.
  • Spyware: Infects devices to stealthily collect user data.
  • Adware: Watches online activity to display targeted ads, can degrade device performance.
  • Trojan: Appears as harmless software but facilitates unauthorized access.
  • Worm: Replicates itself across networks to spread malicious payloads.
  • Rootkits: Software designed to access and control a computer unnoticed.
  • Keylogger: Records user keystrokes to capture sensitive information.

Specialized Attack Methods

• Denial-of-Service (DoS): Overloads a network with false requests, disrupting operations.
• Phishing: Utilizes various communication methods to trick victims into revealing sensitive information.
• Spear Phishing: Targets specific individuals or organizations with personalized phishing attempts.
• Whaling: Targets high-level executives to steal sensitive information or access systems.
• Smishing: Fraudulent texts aimed at extracting sensitive data.
• Vishing: Phone call scams that impersonate reputable organizations to gather private information.
• Spoofing: Cybercriminals disguise as trusted sources to deceive victims.
• Man-in-the-Middle Attack: Eavesdrops on communications to collect personal data.
• Social Engineering: Psychological manipulation to induce victims to perform desired actions.
• Tailgating/Piggybacking: Unauthorized individuals gain access to secured areas by following permitted individuals.

Description

Explore the fundamentals of Security and Risk Management in IAS 102, covering the essential elements of the CIA triad, security governance principles, and various control frameworks. This quiz will help you understand the nuances of due care and due diligence, as well as the legal aspects of information security. Test your knowledge on CISSP related to regulatory compliance and security policies.