Information Security Basics

Questions and Answers

__________ is the protection of information systems against unauthorized access to or modification of information.

Information Security

The protection of information and its critical elements, including software, hardware, and the persons that use, store, and transmit that information, defines __________.

information security

The industry standard for computer security based on confidentiality, integrity, and availability is known as the __________.

C.I.A triangle

__________ refers to limiting information access and disclosure to authorized users/persons only.

Confidentiality

Information has __________ when it is whole, complete, and uncorrupted.

integrity

__________ enables authorized users to access information without interference or obstruction and to receive it in the required format.

Availability

A situation or an activity that could cause harm or danger is known as a __________.

threat

__________ consists of programs that act without a user's knowledge and deliberately alter the operations of computers and mobile devices.

Malware

A program that hides within or looks like a legitimate program but does not replicate itself to other computers or devices is known as a __________.

Trojan horse

__________ are unsolicited and mostly irrelevant messages sent on the Internet to a large number of users.

Spamming

__________ occurs when an attacker attempts to obtain personal or financial information using fraudulent means, often by posing as another individual or organization.

Phishing

__________ relies on human interaction and psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering

Pretending to be someone they are not, such as a technical support representative, to gain trust and divulge sensitive information is a characteristic of __________.

social engineers

Social engineers leaving enticing objects, such as USB drives or CDs, in public places is a technique called __________.

Baiting

To prevent anyone from guessing your passwords, you should always create and use __________ passwords.

strong

A strong password consists of at least __________ characters of upper- and lowercase letters and numbers.

eight

__________ consists of freedom from observation, intrusion, or attention of others.

Privacy

Many web sites require a __________ and password to access the information stored on them.

username

A strong password consists of at least eight characters of upper- and lowercase __________ and numbers.

letters

Data __________ can occur while information is being stored or transmitted, threatening the integrity of the information.

corruption

Data that have not been changed inappropriately, whether by accident or on purpose, are considered to have __________.

integrity

Exploiting human vulnerabilities, such as fear, urgency, or curiosity, is a key tactic used by _____ engineers.

social

When unauthorized individuals gain access to a system or data, it's a breach of _____ and can lead to information theft or corruption.

confidentiality

In the context of information security, the term _____ refers to ensuring that systems and data are accessible when needed.

availability

A program that disguises itself as legitimate software to trick users into installing it, often containing malicious code, is called a _____.

trojan horse

Sending unsolicited bulk messages, often for advertising or malicious purposes, is known as _____.

spamming

Trying to trick individuals into providing sensitive information through deceptive emails or websites is called _____.

phishing

When an attacker uses tactics like intimidation or persuasion to manipulate individuals into divulging confidential information, it's termed _____.

social engineering

Using personal details, such as family names or birthdates, in passwords makes them vulnerable to _____ attacks.

password guessing

Implementing measures to ensure that personal data is used only for the intended purposes and is protected from unauthorized access is essential for maintaining _____.

privacy

Creating separate user _____ with limited privileges can help prevent unauthorized access to critical system resources.

accounts

When a system experiences unexpected downtime or errors due to a surge in user requests or malicious attacks and is no longer accessible, this is a threat to __________.

availability

Organizations that implement security _____ and consistently train their employees are better equipped to mitigate cyber threats and maintain a strong security posture.

policies

Maintaining data _____ ensures that all relevant information is recorded and made accessible when needed, enabling organizations to track, audit, and respond to security incidents effectively.

logs

To prevent unauthorized access and protect sensitive data, organizations utilize __________ to restrict entry at building entrances and data centers.

access controls

Implementing multifactor __________, requiring individuals to present two or more credentials before gaining access, adds a layer of security to computer systems and sensitive information.

authentication

When a social engineer offers something of value, such as a gift card, to users to entice them to provide personal information or click on a malicious link, it is referred to as __________.

quid pro quo

Sending a seemingly official email with deceptive content that looks legitimate, designed to trick users into divulging personal data, represents a form of __________.

phishing

A type of social engineering in which an attacker fabricates a scenario to convince a victim to divulge information or perform an action, usually involving a fraudulent situation or request, is called __________.

pretexting

Sending warning messages about a supposed virus infection to create a sense of urgency, making users more likely to make mistakes or comply with an attacker's demands, is referred to as __________.

scare tactics

Flashcards

What is Security?

The quality or state of being secure—to be free from danger.

Information Security

Protects information systems against unauthorized access, modification, or denial of service.

Information Security Defined

Protect information and critical elements like software, hardware, and the people using them.

C.I.A. Triad

Confidentiality, integrity, and availability, the core principles of information security.

Confidentiality

Limiting information access and disclosure to authorized users only.

Integrity

Ensuring information is whole, complete, and uncorrupted.

Availability

Enabling authorized users to access information without interference or obstruction, in the required format.

What constitutes a threat?

A situation or activity that could cause harm or danger.

Malware

Malicious software that creates inconvenience or harm for the user; it includes viruses, worms, and spyware.

Worm (Malware)

A program that copies itself repeatedly, using up resources and possibly shutting down the system.

Trojan horse

A program that hides within or looks like a legitimate program. Does not replicate itself.

Rootkit

A program that hides and allows remote control of a computer or mobile device.

Spyware

A program that secretly collects information about the user and communicates it to an outside source.

Adware

A program that displays online advertisements, often unwanted.

Spamming

Unsolicited and irrelevant messages sent on the internet to a large number of users.

Phishing

An attacker attempts to obtain personal or financial information using fraudulent means.

Social Engineering

Relies on human interaction to trick users into making security mistakes or divulging sensitive information.

Pretexting

Social engineers pretend to be someone they are not to gain trust and information.

Quid pro quo

Social engineers offer something of value in exchange for information or action.

Scare Tactics

Creating urgency and panic, for example with a warning about a virus or a compromised account, to elicit an immediate response.

Password Attacks

Attempting to guess passwords or using dictionary attacks to crack them.

Privacy

Freedom from observation, intrusion, or attention of others.

How data is collected

Filling out forms, placing orders, subscriptions: every time data is shared, it creates exposure.

Why Is Information Security Important?

Protects the organization's ability to function with accurate information and enables safe computer applications.

How to Keep Information Secure

At the personal level: passwords. At the organizational level: policies, awareness, training, education, and technology.

Study Notes

Session Objectives

  • Understand information security.
  • Become familiar with some of the threats to I.S.
  • Demonstrate knowledge of security in the digital age.
  • Appreciate the importance of I.S.
  • "Failure to secure creates opportunity to fail." (Casey W. O'Brien)

Introduction

  • Security of information is a key aspect of information management.
  • Information needs to be kept secure.

What Is Security

  • Security: the quality or state of being secure, that is, to be free from danger.
  • A successful organization will implement multiple layers of security.
  • Security layers include physical, personal, and operations security.
  • Computer security should not be confused with information security.
  • Information security includes network and communications security.

What Is Information Security?

  • It is the protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit.
  • It also protects against denial of service to authorized users and the provision of service to unauthorized users.
  • Detecting, documenting, and countering such threats is part of information security.
  • It includes both electronic and physical security.
  • Tools such as policy, awareness, training, education, and technology are necessary.
  • The C.I.A. triangle, based on confidentiality, integrity, and availability, has been considered the industry standard for computer security since the development of the mainframe.
  • The C.I.A. triangle can be expanded into a list of critical characteristics of information.
  • These three widely accepted elements of information security are referred to as the "CIA Triad" or "CIA triangle".

Confidentiality

  • Confidentiality limits information access and disclosure to authorized users/persons only.
  • It is related to the broader concept of data privacy: limiting access to individuals' personal information.
  • In Ghana, one can refer to the Data Protection Act as a reason to keep data confidential.
  • Authentication methods such as user IDs and passwords can be used to control access to data systems.

Integrity

  • Information has integrity when it is whole, complete, and uncorrupted.
  • Integrity is threatened when information is exposed to corruption, damage, destruction, or other disruption.
  • Data corruption can occur while information is being stored or transmitted.
  • Data that have not been changed inappropriately, whether by accident or on purpose, have integrity.
  • It also means the data came from the correct entity rather than an impostor.

Availability (Recoverability)

  • Availability enables authorized users (persons or computer systems) to access information without interference or obstruction, and to receive it in the required format.
  • A research library that identifies its patrons and protects its contents, allowing access only to authorized patrons, is an example.
  • An unavailable information system is as bad as having none at all.

Maintaining A Balance

  • A balance between confidentiality, integrity, and availability should always be ensured.
  • Confidentiality should not hinder access (availability) when access is paramount for business transactions.
  • A security measure that ensures confidentiality may make access to that information time-consuming, compromising accessibility/availability.

Information Security Threats

  • Threat: A situation or an activity that could cause harm or danger (Macmillan English Dictionary, 2007).
  • A threat is an object, person, or other entity that presents a constant danger to an asset.

Threats In Security

  • Malware: malicious software that creates inconvenience for the user; it includes computer viruses, worms, trojan horses, bots, spyware, adware, etc.
  • Malware, short for malicious software, consists of programs that act without a user's knowledge and deliberately alter the operations of computers and mobile devices.
  • Spamming: spam consists of unsolicited and mostly irrelevant messages sent on the internet to a large number of users.
  • Phishing: occurs when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization.
  • Pharming

Other Information Security Threats

  • Social engineering
  • Password attacks
  • Threats to privacy
  • Network attacks
  • Identity theft
  • Each of these attacks could leverage one or more of the malware types discussed earlier.

Social Engineering

  • Relies on human interaction and psychological manipulation to trick users into making security mistakes or giving away sensitive information.
  • Used to exploit human vulnerabilities such as fear, urgency, curiosity, and trust.
  • Common social engineering techniques include phishing, pretexting, quid pro quo, baiting, and scare tactics.
  • Phishing emails or text messages appear to come from a legitimate source, such as a bank or credit card company, to trick users into clicking on a malicious link or entering personal information.
  • Pretexting is when social engineers pretend to be someone else, such as a technical support representative or a law enforcement officer, to gain trust.
  • In baiting, social engineers leave enticing objects, such as USB drives or CDs, in public places, hoping that someone will pick them up and plug them into their computer.
  • Quid pro quo is when social engineers offer something of value, such as a gift card, in exchange for information or an action.
  • Scare tactics: a warning of a virus or a compromised account creates urgency or panic.

Examples Of Social Engineering Attacks

  • In 2016, hackers used social engineering to steal $81 million from the Bangladesh central bank.
  • The hackers sent phishing emails to bank employees, tricking them into revealing their login credentials.
  • In 2013, Target was hacked after employees clicked on a phishing email that installed malware used to steal personal information.
  • In 2011, Sony Pictures Entertainment was hacked after employees clicked on a phishing email that contained malware, which stole personal information.

Protecting Yourself from Social Engineering

  • Be skeptical of emails or text messages that ask for personal information or contain unusual links and attachments.
  • Be careful about what you share on social media.
  • Use strong passwords and change them regularly.
  • Be careful about what information you share with people you don't know, and report any suspicious activity.
  • Attackers are not dumb either, so they devise ever more elaborate schemes to attack users.
  • Even corporate executives can be tricked into revealing information; never give out your password to ANYBODY.
  • Password guessing and dictionary attacks

Password Security

  • Many web sites require a username and password to access the information stored on them.
  • Strong passwords prevent guessing.
  • Use strong passwords.
  • A strong password has at least eight characters of upper- and lowercase letters and numbers.

Strong Password

  • Has at least eight characters
  • Does not contain your username, real name, or company name
  • Is different from previous passwords used
  • Contains upper- and lowercase letters, numbers, and special characters
  • Does not contain a complete dictionary word in any language

Class Activity

  • "I was born in Accra, before 1990."
  • Substituting the character < for the word before = IwbiA,<1990 COMPARE WITH THE PASSWORD YOU CREATED
  • Born at 3:00 A.M. in Accra" = "Iwb@3:00AMIA”

Privacy

  • The digital age has raised a lot of issues about privacy.
  • Mobile devices, among others, make data capture easy and difficult to detect.

What Is Privacy?

  • Freedom from observation, intrusion, or attention of others.
  • Society's needs sometimes trump individual privacy.
  • Privacy rights are not absolute.
  • A balance is needed.
  • Privacy and "due process"

Data Collection

  • Forms (loans, insurance claims, magazine subscriptions, schools, jobs)
  • Voluntary sources, such as filling out a form, registering for a prize, supermarket "rewards" cards
  • Legal involuntary sources (demographics, change of address, various directories, government records)

Privacy Policies

  • Organizations usually warn the public about cameras (CCTV, closed-circuit television) on their premises.
  • Beware: ALWAYS CHECK THE KEYPAD. Use a purse or wallet to obscure the view from behind.

Categories Of Information Security Threats

  • Acts of human error or failure
  • Compromises to intellectual property
  • Deliberate acts of espionage or trespass
  • Deliberate acts of information extortion
  • Deliberate acts of sabotage or vandalism
  • Deliberate acts of theft
  • Deliberate software attacks
  • Forces of nature
  • Deviations in quality of service from service providers
  • Technical hardware failures or errors
  • Technical software failures or errors
  • Technological obsolescence

Why Is Information Security Important

  • Organizations cannot function well with inaccurate information.
  • It enables the safe operation of the computer applications that run on the IT network and prevents data theft.
  • It protects the data collected by organizations; the law requires companies to protect their customers.

How Do We Keep Information Secured?

  • At both the personal and the organizational level.
  • Personal suggestions: passwords, ID cards, CCTV.
  • Organizational: policies and strategies, awareness, training, education, technology.

Summary

  • Some specialists theorize that the bearer of information cannot be protected 100%.
  • Some specialists in the field argue that the CIA triad is no longer sufficient and propose an extended version for computer security.
  • Information security is about people; management focus should not be on technology (and the like) alone.
