Information Security Basics

Questions and Answers

[Blank] is the protection of information systems against unauthorized access to or modification of information.

Information security

[Blank] includes network and communications security, ensuring data is protected during transmission and storage.

Information security

The industry standard for computer security since the development of the mainframe is known as the ______.

C.I.A. triangle

[Blank] refers to limiting information access and disclosure to authorized users/persons only, ensuring data is not exposed to unauthorized individuals.

Confidentiality

In Ghana, the ______ can be referenced as a reason to keep data confidential, highlighting legal requirements for data protection.

Data Protection Act

[Blank] means information is whole, complete, and uncorrupted, ensuring accuracy and reliability.

Integrity

[Blank] enables authorized users to access information without interference or obstruction, ensuring timely and reliable access.

Availability

A situation or activity that could cause harm or danger is defined as a ______ in information security.

threat

[Blank] is malicious software that creates inconvenience for users and includes computer viruses, worms, and trojan horses.

Malware

A ______ is a potentially damaging program that affects or infects computers or mobile devices, altering their functions without permission.

virus

A ______ copies itself repeatedly, using up resources and possibly shutting down computers, devices, or networks.

worm

A ______ hides within or looks like a legitimate program but does not replicate itself to other computers or devices.

Trojan horse

A ______ hides in a computer or mobile device, allowing remote control of the device.

rootkit

[Blank] secretly collects information about users and communicates it to an outside source while the user is online.

Spyware

[Blank] displays online advertisements in banners, pop-up windows, or pop-under windows on webpages and email messages.

Adware

[Blank] involves unsolicited and mostly irrelevant messages sent on the internet to a large number of users.

Spamming

[Blank] occurs when an attacker attempts to obtain personal or financial information using fraudulent means, often by posing as another individual or organization.

Phishing

[Blank] relies on human interaction and psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social Engineering

Pretending to be someone they are not, such as technical support or law enforcement, to gain trust is a characteristic of ______.

Pretexting

Offering something of value, such as free software or a gift card, in exchange for personal information or clicking on a malicious link aligns with ______.

Quid pro quo

Using scare tactics, such as warning of a virus or compromised account, to create a sense of urgency and panic is indicative of ______.

Scare tactics

Social engineers may leave enticing objects such as USB drives in public places in the ______ technique.

baiting

Being skeptical of emails and text messages that ask for personal information or contain links is a method to protect yourself from ______.

social engineering

Never giving out your ______ to anybody is a key recommendation to protect yourself from social engineering.

password

A strategy of trying common passwords to gain access to a secure system is known as ______.

Password Guessing

[Blank] Attacks involve checking all known common terms to attempt to gain access to a computer.

Dictionary

To prevent anyone from guessing your passwords, you should always create and use ______ passwords.

strong

A strong password consists of at least ______ characters of upper- and lowercase letters and numbers.

eight

The digital age has raised a lot of issues about ______ because capturing data with mobile phone cameras is easy and difficult to detect.

privacy

[Blank] can be described as freedom from observation, intrusion, or attention of others.

Privacy

Organizations with CCTV cameras at their premises warn users of their facilities that they are being watched, in order to implement organization ______.

privacy policies

Acts of human error or failure, such as accidents and employee mistakes, are categorized as a threat to ______.

information security

[Blank] is categorized as piracy and copyright infringement, and can affect many different companies.

Compromises to intellectual property

Viruses, worms, macros, denial of service are categorized as ______ and are very harmful.

Deliberate software attacks

Fire, flood, earthquake, and lightning are categorized as what in information security?

Forces of nature

Equipment failure is categorized as what in information security?

Technical hardware failures or errors

IS policies and strategies, awareness, training, education, and technology are needed to keep ______.

information secured

Flashcards

Information Security

The protection of information systems against unauthorized access, modification, or denial of service.

Security

The quality or state of being secure; freedom from danger.

Confidentiality

Limiting information access and disclosure to authorized personnel only.

Integrity

Ensuring information is whole, complete, and uncorrupted.

Availability

Enables authorized users to access information without interference or obstruction, in the required format.

Threat

A situation or activity that could cause harm or danger.

Malware

Malicious software that creates inconvenience or harm to the user.

Virus

A potentially damaging program that affects a computer negatively.

Worm

A program that copies itself repeatedly, using up resources.

Trojan Horse

A program that hides within or looks like a legitimate program.

Rootkit

A program that hides and allows remote control of a system.

Spyware

A program that collects information without the user's knowledge.

Adware

A program that displays online advertisements.

Spamming

Unsolicited and irrelevant messages sent to a large number of users.

Phishing

Attempting to obtain personal information using fraudulent means.

Social Engineering

Manipulating individuals into divulging confidential information.

Password Attacks

Password attacks involve guessing passwords to gain unauthorized access.

Privacy

Freedom from observation, intrusion, or attention of others.

Human Error

Acts of human error or failure that compromise information security.

Intellectual Property Compromise

Unauthorized acts that involve piracy or copyright infringement.

Espionage or Trespass

Unauthorized access and/or data collection efforts.

Information Extortion

The act of trying to hold information for ransom.

Sabotage or Vandalism

Destroying information or computer systems as an act of vandalism.

Theft

Illegal confiscation of equipment or digital information.

Forces of Nature

Events like fire, flood, earthquake, affecting information security.

Technical Failures

Hardware failures or software errors causing security breaches.

IS Management Tools

Policies & Strategies, awareness, training to protect information security.

Strong Password

A security measure in which you combine a variety of uppercase and lowercase characters along with symbols.

Study Notes

Session Objectives

  • The session aims to define information security.
  • The session aims to familiarize individuals with related threats.
  • Another objective is to demonstrate knowledge of securing information in the digital age.
  • The session aims to highlight the importance of information security (I.S.).
  • Failure to secure information presents an opportunity for malicious actors.

Introduction to Information Security

  • Information security is a key aspect of information management (IM) receiving significant focus.
  • Securing information is essential.
  • Methods exist to secure information.

Defining Security

  • Security refers to being free from danger.
  • Successful organizations employ multiple security layers.
  • These include physical, personal, and operations security.
  • Computer security differs from information security.
  • Information security incorporates network and communications security.

Detailed Definition of Information Security

  • Information security involves protecting systems against unauthorized access or modification.
  • This protection extends to information in storage, processing, or transit.
  • It also guards against denial of service to authorized users or provision of service to unauthorized ones.
  • This encompasses measures to detect, document, and counter threats.

Core Elements of Information Security

  • Information security ensures protection of information and its core components, such as software, hardware, and personnel.
  • A successful model for information security includes both electronic and physical safeguards.

CIA Triad

  • Tools like policy, awareness, training, education, and technology are vital for information security.
  • The C.I.A. triangle has been an industry standard for computer security since mainframe development.
  • The C.I.A. triangle focuses on confidentiality, integrity, and availability.
  • The C.I.A. triangle has expanded into various critical characteristics of information.
  • Three elements of information security, confidentiality, integrity, and availability form the "CIA Triad".

Elements of CIA Triad

  • Confidentiality restricts information access/disclosure to authorized individuals.
  • Data privacy is related to confidentiality.
  • In Ghana, the Data Protection Act is a reason to keep data confidential.
  • Authentication methods utilizing user-IDs & passwords control access to data systems.
  • Integrity indicates the information is whole, complete, and uncorrupted.
  • A threat to integrity occurs when data faces corruption, damage, destruction, or disruption.
  • Data corruption is possible while information is being stored or transmitted.
  • It includes data that was not inappropriately changed, whether accidentally or deliberately.
  • Integrity assures data originates from the expected source, not an imposter.
  • Availability enables authorized access to information without interference in the required format.
  • Research libraries requiring ID for entrance exemplify availability.
  • Libraries protect content for access only by authorized persons.
  • An unavailable information system is as bad as none at all.
  • Maintaining the right levels of Confidentiality, Integrity, and Availability is important.
  • Confidentiality should not hinder access (availability) when access is vital for business.
  • Security measures can make access time-consuming, compromising accessibility/availability.

Information Security Threats - An Overview

  • A threat can be a situation or activity that could cause harm or danger.
  • A threat is an object, person, or entity presenting a constant danger to an asset.
  • Security threats include spamming and phishing.

Common Types of Threats

  • Spams are unsolicited and mostly irrelevant messages sent to many internet users.
  • Phishing involves attackers fraudulently attempting to get personal or financial information.
  • Attackers often pose as individuals or organizations.
  • Phishing includes pharming and identity theft.
  • Pharming can be a threat.
  • Other threats include social engineering, password attacks, threats to privacy, network attacks and identity theft.
  • Malware, short for malicious software, consists of programs that act without a user's knowledge and alter the operations of devices.
  • Common types of malware include viruses, worms, trojan horses, rootkits, spyware, and adware.

Social Engineering Explained

  • Social engineering relies on human interaction and manipulation to trick users into compromising security.
  • It exploits human vulnerabilities such as fear, urgency, curiosity, and trust.
  • Techniques: Phishing, pretexting, quid pro quo, baiting, and scare tactics.
  • Phishing emails or texts appear from legitimate sources attempting to trick users into clicking malicious links.
  • Pretexting involves social engineers pretending to be someone they are not to gain trust and sensitive information.
  • Baiting involves leaving objects such as USB drives for unsuspecting users.
  • Quid pro quo involves social engineers offering something of value for personal information or clicking on a malicious link.
  • Scare tactics are used to make users think there is a virus or compromised account and to take action.

Examples of Attacks

  • In 2016, hackers stole $81 million from the Bangladesh central bank using social engineering.
  • In 2013, Target was hacked due to employees clicking on a phishing email containing malware.
  • In 2011, Sony Pictures Entertainment was hacked after employees clicked a phishing email that had malware.

Protection Against Threats

  • Be skeptical of emails and texts asking for personal information or containing links.
  • Avoid clicking links or replying with personal information if unsure of legitimacy.
  • Limit the amount of information shared on social media.
  • Use strong passwords and change them regularly.
  • Avoid repeating passwords for multiple accounts.
  • Limit the amount of information you share with strangers even if they seem legitimate.
  • If you witness suspicious activity, report it.

Practical Advice for Individuals

  • Social engineering involves manipulating people into divulging confidential information.
  • Attackers are sophisticated and are not dumb.
  • Social Engineers are coming up with better schemes.
  • Corporate executives can be tricked into revealing very secret information.
  • Never share your password with anyone.
  • System administrators should be able to change a password without needing to know the old one.

Online Chat Example - Lessons

  • Example conversation highlights password compromise through social engineering.

Password Vulnerabilities and Defenses

  • Password attacks involve guessing, which is ineffective except in targeted cases.
  • Dictionary attacks target passwords that are stored as hashes on computers, which can be exposed.
  • Checking all known words against stored hashes can reveal passwords.

Password Security

  • Websites require usernames and passwords for access.
  • Create and use strong passwords to prevent guessing.
  • A strong password has at least eight characters with upper and lowercase letters, and numbers.
  • Passwords should have eight or more characters, and not contain your name or other identifiers.
  • Passwords should not be a complete dictionary word in any language.
  • A password should differ from past passwords.
  • It should contain upper and lowercase letters, numbers, and special characters.

Privacy Considerations during the Digital Age

  • Privacy has generated several issues during the digital age.
  • Recording devices, such as mobile phones, increase the risk of information being captured.
  • Privacy is freedom from the observation, intrusion, or attention of others.
  • Personal rights are not absolute and society has needs too.
  • Privacy requires a balance between individual rights and society's needs.
  • Privacy is linked to the concept of “due process”.
  • Personal information is often gathered through forms, online orders, subscriptions, applications, and registrations.
  • Sources of personal information include legal and involuntary means such as filling out standard forms.
  • Legal and involuntary sources include demographics, change of address, government records and directories.
  • Companies include a privacy notice to inform users of their data collection (Amazon).
  • Organizations using CCTV warn users they are being recorded.
