Information Security and the CIA Triad


Questions and Answers

Which of the following is NOT a part of what information security involves?

  • Preventing unlawful use of data
  • Promoting devaluation of information (correct)
  • Mitigating information risks
  • Controlling unauthorized access to data

InfoSec is a rarely used term that describes a very specific subset of information security practices.

False (B)

In the context of information security, what does 'mitigating' information risks involve?

Reducing risks

Information security is a part of information ______ management.

risk

In the context of ATM security, which element of the CIA triad is primarily addressed by using two-factor authentication with a PIN code?

Confidentiality (D)

Data integrity, in the context of ATM systems, is maintained solely through physical security measures.

False (B)

Explain how the availability aspect of the CIA triad is demonstrated by ATMs.

public use and accessible at all times

The CIA triad includes confidentiality, integrity, and ______.

availability

What is the primary goal of 'confidentiality' within the CIA Triad?

Protecting data from unauthorized access (A)

Integrity, as part of the CIA Triad, primarily focuses on ensuring data is accessible, even if it has been slightly modified by unauthorized users.

False (B)

Define the term 'availability' in the context of the CIA Triad.

timely and reliable access

The CIA Triad ensures that information is protected with respect to confidentiality, integrity, and ______.

availability

Which of the following best defines information assurance (IA)?

The practice of mitigating risks related to information, including integrity, availability, and confidentiality. (D)

Information assurance only includes digital protections, not physical techniques.

False (B)

Define what is meant by 'data in transit' in the context of information assurance.

data being transmitted

______ is best thought of as a superset of information security, encompassing both digital and physical protections.

IA

Which of the following is NOT considered a core pillar of Information Assurance?

Obfuscation (A)

Non-repudiation assures that someone can deny the validity of something.

False (B)

Briefly describe the purpose of 'confidentiality' as a pillar of information assurance.

protect access to data/information

______ is the pillar of information assurance that guards against improper information modification or destruction.

Integrity

Which perspective best describes information security when considering the implementation of complex systems with no single correct solution?

As an art requiring creative problem-solving. (A)

There is a universally accepted manual for implementing security throughout an entire computer system.

False (B)

Describe why some aspects of information security can be considered an 'art'.

no hard and fast rules

Implementation of information security is a mixture of art and ______.

science

How does the 'science' aspect of information security manifest?

Via the resolution of faults by developers. (B)

Virtually every computer fault and security hole is unpredictable and cannot be traced back to interactions of specific hardware and software.

False (B)

According to the content, what creates nearly every fault, security hole, and systems malfunction?

hardware and software interaction

The science behind information security involves dealing with technology designed to operate at high levels of ______.

performance

Which element does social science bring to the understanding of information security?

The behavior of individuals interacting with systems. (B)

Security begins and ends with technology, not the individuals interacting with the system.

False (B)

How can security administrators reduce risks caused by end users, according to a social science perspective?

acceptable and supportable security profiles

Social science examines the behavior of individuals ______ with systems.

interacting

What concept emphasizes the importance of individuals having autonomy over their information and not leaving it solely in the hands of corporations?

Data ownership (C)

According to the content, the Cambridge Analytica scandal demonstrated the benefits of strong data protection measures.

False (B)

According to the content, what was the Cambridge Analytica scandal a misuse of?

data

The concept underlines the right of individuals to own and control their ______.

data

According to the provided content, which of the following is a potential consequence of the 'black market' for personal information?

Identity theft and financial fraud (A)

In the black market of personal information, the trading of medical records poses no risk to individuals.

False (B)

Name one activity through which the black market in personal information thrives.

data breaches.

The black market for personal information involves the illegal buying, selling, or trading of ______ data.

sensitive

Flashcards

Information Security (InfoSec)

Protecting information by mitigating information risks.

CIA Triad

Framework for security policies: Confidentiality, Integrity, Availability.

Confidentiality

Protecting sensitive data from unauthorized access or disclosure.

Integrity

Maintaining the accuracy and completeness of data.

Availability

Ensuring timely and reliable access to data for authorized users.

Information Assurance (IA)

Managing risks related to the use, processing, storage, and transmission of information.

Non-repudiation

Making sure someone can't deny the validity of something.

Authentication

Verifying that someone or something is who or what they claim.

Data Ownership

Individuals have the right to own and control their data.

Psychographic profiles

Building a profile based on psychological characteristics and demographic data.

Black market for personal information

The illegal buying, selling, or trading of sensitive information.

Identity Theft

Stolen data is used to impersonate individuals for illicit purposes.

Cyder

Browser extension that protects your privacy by blocking trackers, cookies, and ads.

Encryption Tools

Protect data by converting it into an unreadable format that only authorized parties can decrypt.

Password Management Tools

Generate, store, and manage strong, unique passwords for accounts securely.

VPN Services

Mask IP addresses and encrypt internet traffic to protect data from being intercepted.

Secure Cloud Storage

Store and share files securely with end-to-end encryption and strict data ownership policies.

Privacy-Focused Browsers

Protect user data by blocking trackers, ads, and other invasive technologies.

Ad and Tracker Blockers

Prevent websites from tracking users' activities and collecting data.

Data Monitoring and Control Tools

Help users monitor, manage, and control the data they share online.

File Sharing and Collaboration Tools with Privacy

Share and collaborate on files securely without compromising data ownership.

Operating Systems and Software Focused on Privacy

Avoid traditional operating systems that collect telemetry data.

Decentralized Identity Tools

Provide users control over their identity and personal data, reducing reliance on centralized platforms.

Study Notes

Information Security

  • Also known as InfoSec.
  • The practice of protecting information by mitigating information risks.
  • A part of information risk management.
  • Involves preventing unauthorized access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation.
  • Involves actions intended to reduce the adverse impacts of such incidents.

CIA Triad

  • CIA Triad is Confidentiality, Integrity, and Availability.
  • Confidentiality is the protection of sensitive information from unauthorized access or disclosure.
  • Integrity is the protection of data from unauthorized modification or destruction.
  • Availability is the assurance of timely and reliable access to data and systems by authorized users.
  • ATMs are an example of the CIA triad in practice:
    • Two-factor authentication addresses confidentiality by requiring a debit card combined with a PIN code, which ensures that only authorized individuals can access financial account information.
    • ATM and bank software maintain data integrity by record-keeping of all ATM transfers and withdrawals, ensuring that information is accurate and up-to-date.
    • ATMs offer availability for public use and accessibility at all times.

Information Assurance (IA)

  • Information assurance is also known as IA.
  • IA is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information.
  • IA includes protection of the integrity, availability, authenticity, nonrepudiation, and confidentiality of user data.
  • IA encompasses not only digital protections but also physical techniques that apply to data in transit, both physical and electronic forms, as well as data at rest.
  • IA is considered a superset of information security and the business outcome of information risk management; it is an umbrella term.

5 Pillars of Information Assurance

  • Non-repudiation: Assurance that someone cannot deny the validity of something.
  • Confidentiality: Preserving authorized restrictions on information access & disclosure, e.g., protecting personal privacy & proprietary information.
  • Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation & authenticity.
  • Availability: Ensuring timely and reliable access to and use of information by authorized users.
  • Authentication: The process of determining whether someone or something is, in fact, who or what it declares itself to be.

Information Security: Art or Science?

  • Implementation of information security is often described as a combination of art and science.
  • The "security artisan" idea is based on how individuals have perceived systems technologists since computers became commonplace.
  • As an Art, there are no hard and fast rules nor many universally accepted complete solutions.
  • As an Art, there is no manual for implementing security through the entire system.
  • As a science, it deals with technology designed to operate at high levels of performance.
  • Specific conditions cause virtually all actions that occur in computer systems.
  • Nearly every fault, security hole, and systems malfunction results from interaction of specific hardware and software.
  • Developers could resolve and eliminate faults if they had sufficient time.
  • As Social Science, it examines the behavior of individuals interacting with systems.
  • Security begins and ends with the people that interact with the system.
  • Security administrators can greatly reduce levels of risk caused by end-users and create more acceptable and supportable security profiles.

Data Ownership

  • Data ownership is the concept that individuals should have the right to own and have control over their data.
  • Data ownership emphasizes the importance of autonomy over one's information rather than leaving it in the hands of corporations or third parties.

Why Data Ownership Matters

  • There are risks associated with the misuse of data.
  • Data misuse occurred in the Cambridge Analytica scandal, where the political consulting firm figured out a loophole to harvest the data of 87 million Facebook users to try to influence the 2016 election.
  • This scandal highlighted vulnerabilities in data protection and led to a global demand for stricter data protection measures.
  • A third-party app called "This Is Your Digital Life," developed by Dr. Aleksandr Kogan, was a personality quiz on Facebook.
  • The app collected data from users who took the quiz and from their Facebook friends without explicit consent.
  • Approximately 270,000 users took the quiz, but the app accessed data from over 87 million Facebook users globally.
  • Kogan shared this data with Cambridge Analytica, a political consulting firm, violating Facebook's policies.
  • Cambridge Analytica used the harvested data to build psychographic profiles of individuals which helped craft highly targeted political ads and messages to influence voting behavior.
  • There is a lack of control on data collection.
  • Mozilla Foundation examined the privacy policies of 25 car brands and found they are the "worst product category for privacy".
  • Nissan's privacy policy indicates it can collect deeply personal data, from genetic information to sexual activity.
  • Users are often unaware of the extent of data collected or why sensitive data is necessary for products like cars, such as in Nissan's case.
  • Companies like Nissan often assume ownership of individuals' data once it has been collected through vague or one-sided privacy policies.
  • Many users do not fully understand or review privacy policies; therefore, they effectively give up ownership and control of their data without informed consent.
  • Black market of personal information exists where companies make millions collecting, packaging, and selling our data.
  • Acxiom, a leading global data broker, made $617M in revenue in 2022 from processing personal information.
  • The black market for personal information involves the illegal buying, selling, or trading of sensitive data, including names, addresses, credit card details, medical records, and login credentials.
  • This shadowy economy thrives on data breaches, hacking, phishing, and insider theft, posing significant risks to individuals, businesses, and governments.

Threats

  • Identity Theft: Stolen data can be used to impersonate individuals, access bank accounts, or commit fraud.
  • Financial Fraud: Credit card numbers and bank details are sold to carry out unauthorized transactions.
  • Privacy Violations: Sensitive personal data (e.g., medical history or intimate details) can be exploited for blackmail or harassment.
  • Corporate Espionage: Competitors may purchase stolen intellectual property, trade secrets, or customer data.
  • Cybersecurity Risks: Stolen credentials (e.g., usernames and passwords) enable attackers to access secure systems or launch ransomware attacks.

Top Cybercrime Organizations/Groups (as of 2024)

  • REvil (Ransomware Group): A cybercrime organization involved in ransomware attacks, where they steal sensitive data and sell it on black markets or extort victims.
  • Fin7 (Carbanak Group): A cybercriminal organization specializing in hacking financial institutions and selling stolen credit card information.
  • DarkMarket: Once the largest dark web marketplace where stolen data, drugs, and illegal services were traded.
  • Genesis Market: Notorious online marketplace selling stolen credentials and digital fingerprints, enabling buyers to impersonate individuals online.
  • Conti Group: A ransomware group known for exfiltrating sensitive corporate data and either selling it or using it for extortion.

Solutions for better data ownership

  • Privacy Tools such as Cyder empower users to take control of their data; Cyder is a browser extension that protects your privacy by blocking trackers, cookies, and ads.
  • Privacy Legislation: improved laws are needed to set standards, hold entities accountable for their privacy practices, and keep privacy protections current as technology advances.
  • Such laws must set strict guidelines for data collection, give individuals greater control over their privacy, and impose heavy fines on organizations that do not comply.
  • Blockchain Technology: It is decentralized, secure, and transparent.

Tools for Data Security

  • Encryption Tools: Protect data by converting it into an unreadable format that only authorized parties can decrypt.
    • ProtonMail (secure email with end-to-end encryption)
    • Signal (encrypted messaging platform)
    • VeraCrypt (data encryption for files and drives)
  • Password Management Tools: Generate, store, and manage strong, unique passwords for accounts securely
    • LastPass
    • 1Password
    • Bitwarden
  • Virtual Private Network (VPN) Services: Mask IP addresses and encrypt internet traffic to protect data from being intercepted.
    • NordVPN
    • ExpressVPN
    • ProtonVPN
  • Secure Cloud Storage: Store and share files securely with end-to-end encryption and strict data ownership policies.
    • Tresorit
    • Sync.com
    • pCloud
  • Privacy-Focused Browsers: Protect user data by blocking trackers, ads, and other invasive technologies.
    • Brave Browser
    • Tor Browser
    • Firefox with privacy extensions
  • Ad and Tracker Blockers: Prevent websites from tracking users' activities and collecting data.
    • uBlock Origin
    • Privacy Badger
    • Ghostery
  • Data Monitoring and Control Tools: Help users monitor, manage, and control the data they share online.
    • MyPermissions (track apps accessing your data)
    • Jumbo Privacy (manage digital footprints)
    • DeleteMe (remove personal data from public databases)
  • File Sharing and Collaboration Tools with Privacy: Share and collaborate on files securely without compromising data ownership.
    • OnionShare
    • Nextcloud
  • Operating Systems and Software Focused on Privacy: Avoid traditional operating systems that collect telemetry data.
    • Tails OS (privacy-focused operating system)
    • Qubes OS (compartmentalized operating system)
  • Decentralized Identity Tools: Provide users control over their identity and personal data, reducing reliance on centralized platforms.
    • Microsoft Entra Verified ID
    • uPort
    • Sovrin Network

CheerfulMagicRealism