Information Security Fundamentals


Questions and Answers

What is the primary focus of information security?

  • Maintaining a state of well-being for information and infrastructure (correct)
  • Maximizing data storage capacity
  • Ensuring rapid data transmission
  • Enhancing network speed

Focusing solely on ease of use without considering security can lead to increased vulnerabilities.

True (A)

Name the three elements of the information security 'triangle'.

Security, Functionality, and Usability

A lack of ________ and ________ cybersecurity professionals is a security challenge for organizations.

qualified, skilled

Match the following motivations with the corresponding potential impact of information security attacks:

  • Disrupting business continuity = Loss of operational efficiency
  • Stealing information = Financial losses or competitive disadvantage
  • Creating fear and chaos = Erosion of public trust and confidence
  • Damaging reputation = Decline in customer loyalty and partnerships

Which of the following best describes a passive attack?

Intercepting data without altering it (C)

A distribution attack involves tampering with hardware or software after it has already been installed.

False (B)

What is the primary goal of Advanced Persistent Threats (APTs)?

Stealing information

Attacks that _________ access to a computer system's files and demand an online ransom payment are known as _________.

restrict, ransomware

Match each attack vector with its corresponding description:

  • Botnet = A network used by an intruder to perform attacks.
  • Insider attack = Performed on a single computer by an untrusted person.
  • Phishing = Sending an illegitimate email from a legitimate site.
  • Web application threats = Attacks targeting web applications.

Which standard is designed to protect cardholder data?

PCI DSS (B)

ISO/IEC 27001:2013 specifies requirements for reacting to security incidents, rather than establishing security management systems.

False (B)

Which law in the United States ensures the confidentiality, integrity, and availability of protected health information?

HIPAA

The Sarbanes-Oxley Act (SOX) was enacted to protect _________ and the _________ by increasing the accuracy and reliability of corporate disclosures.

investors, public

Match the following titles of the Sarbanes-Oxley Act (SOX) with their descriptions:

  • Title I = Provides independent oversight of public accounting firms.
  • Title II = Establishes standards for external auditor independence.
  • Title III = Mandates that senior executives take responsibility for financial reports.
  • Title IV = Describes enhanced reporting requirements for financial transactions.

Which law defines legal prohibitions against the circumvention of technological protection measures?

DMCA (A)

The Federal Information Security Management Act (FISMA) applies primarily to private sector organizations.

False (B)

What type of penalties can the GDPR levy against organizations that violate its privacy and security standards?

Harsh fines

The _______ is an Act to make provisions for the regulation of processing of information relating to individuals.

DPA

Match the following principles with their corresponding data protection principles:

  • Lawfulness, fairness, and transparency = Processing must be done legally and honestly.
  • Purpose limitation = Data can only be used for a specific reason.
  • Data minimization = Focusing on only what is necessary.
  • Accuracy = Data must be accurate and kept up-to-date.

Which of the following best describes the term 'Integrity' in the context of Information Security?

Maintaining the accuracy and completeness of information (D)

Non-repudiation ensures that the sender of a message can deny having sent it.

False (B)

What term describes attacking vulnerabilities in a computer system or its security policy and controls in order to fulfill an attacker's motives?

Exploit

Direct impact of _______ on the _________ and goodwill is a need for security.

security breach, corporate assets

Match the type of attack with the correct example:

  • Passive Attack = Eavesdropping
  • Active Attack = SQL injection
  • Close-In Attack = Dumpster diving

Which of the following is a goal of information security attacks?

Damaging the reputation of the target (D)

An insider attack involves external attackers gaining access to a system to compromise data.

False (B)

What type of threat exploits the increasing reliance on mobile devices for both business and personal purposes?

Mobile threat

In a ________ attack, an intruder uses _______ to gain access to a multitude of systems.

botnet, compromised systems

Match the following term with the correct description:

  • Data Minimization = Limiting the amount of data processed to what is adequate, relevant, and necessary.
  • Transparency = Providing clear and easily accessible information about how personal data is processed.
  • Storage Limitation = Retaining personal data only for as long as necessary to fulfill the purpose for which it was collected.

Flashcards

Information Security

A state where information and infrastructure have a low possibility of theft, tampering, and disruption.

Confidentiality

A state where information is accessible only to authorized individuals.

Integrity

A state where data or resources are trustworthy and protected from unauthorized changes.

Availability

A state where systems can deliver, store and process information, when required by authorized users.


Authenticity

Ensures a communication is genuine and authentic.


Non-Repudiation

Guarantees that a sender cannot deny sending a message and the recipient cannot deny receiving it.

Security Triangle

The level of security is defined by the sum of security, functionality, and usability.


Motive (Goal)

An event that originates from the desire to target valuable systems or processes, leading to a system attack.


Attack

Using tools and techniques to exploit vulnerabilities in a computer system in order to fulfil the attacker's motives.

Passive Attacks

Attacks that do not modify data; they intercept the data flow or monitor network traffic.

Active Attacks

Attacks that tamper with data in transit, disrupt communication, or bypass secured systems.

Close-in Attacks

An attack performed when an attacker is physically close to the target system or network.


Insider Attacks

Attacks that use privileged access to violate rules or threaten an organization.

Distribution Attacks

Attacks that tamper with hardware or software before it is delivered.

Cloud Computing Threats

On-demand delivery of IT capabilities in which organizations' sensitive data is stored in the cloud; flaws there can let an attacker access other clients' data.

Advanced Persistent Threats

An attack focused on stealing information from the victim machine, without the victim being aware of it.


Viruses and Worms

The most prevalent networking threat, capable of infecting a network rapidly.

Ransomware

An attack that restricts access to computer resources and demands payment to restore access.

Mobile Threats

A shift of focus onto mobile devices, where attackers are able to perform malicious operations.

Botnet

A network of compromised systems used by an intruder to perform various network attacks.


Insider Attack

An attack performed on a corporate network/single computer by an entrusted person.


Phishing

Sending a malicious email that appears legitimate in order to acquire personal data.

Web Application Threats

Attacks that target web apps to steal credentials, private data or hamper security.


IoT Threats

Attacks that involve several software applications in an IoT device being accessed remotely for malicious intent.


PCI DSS

An information security standard for orgs handling cardholder data.


ISO/IEC 27001:2013

Specifies requirements for the establishment, implementation, and maintenance of information security management systems.

HIPAA

US law for health information privacy that also requires providers to use the same transactions, code sets, and identifiers.

Sarbanes Oxley Act

Act to protect investors by ensuring that corporate disclosures are accurate and reliable.

DMCA

A US copyright law that implements two WIPO treaties and defines legal prohibitions against circumventing technological protection measures.

FISMA

A framework for ensuring the effectiveness of info security.


Study Notes

Module 01: Information Security Fundamentals

Module Objectives

  • Understanding the need for security
  • Understanding the elements of information security
  • Understanding the security, functionality, and usability triangle
  • Understanding the motives, goals, and objectives of information security attacks
  • Overview of classification of attacks
  • Overview of information security attack vectors
  • Overview of various information security laws and regulations

What is Information Security

  • Information security refers to the state of well-being of information and infrastructure
  • In that state, the possibility of theft, tampering, and disruption of information and services is low or tolerable

Need for Security

  • Technology evolves with a focus on ease of use, which increases the need for security
  • Growing reliance on computers for accessing, providing, and storing information
  • Growth of networked environments and network-based applications raises security concerns
  • Security breaches directly impact the corporate asset base and goodwill
  • Increasing complexity of computer infrastructure administration and management

Elements of Information Security

  • Confidentiality ensures information is accessible only to authorized individuals.
  • Integrity ensures the trustworthiness of data or resources, preventing unauthorized changes
  • Availability ensures systems responsible for delivering, storing, and processing information are accessible when required by authorized users
  • Authenticity is a characteristic ensuring the quality of a communication, document, or data as genuine
  • Non-Repudiation guarantees that the sender of a message cannot deny sending it, and the recipient cannot deny receiving it

Security, Functionality, and Usability Triangle

  • The level of security in any system is defined by the strength of three components: security, functionality, and usability; focusing solely on ease of use without considering security increases vulnerabilities

Security Challenges

  • Compliance to government laws and regulations
  • Lack of qualified and skilled cybersecurity professionals
  • Difficulty in centralizing security in a distributed computing environment
  • Fragmented and complex privacy and data protection regulations
  • Compliance issues due to the implementation of Bring Your Own Device (BYOD) policies in companies
  • Relocation of sensitive data from legacy data centers to the cloud without proper configuration

Motives, Goals, and Objectives of Information Security Attacks

  • Attacks are driven by a motive or goal, combined with a method to exploit a vulnerability
  • Attackers aim to exploit vulnerabilities in computer systems or security policies/controls
  • Common motives behind information security attacks:
    • Disrupting business
    • Stealing information or manipulating data
    • Creating fear and chaos
    • Causing financial loss
    • Damaging reputation

Classification of Attacks

  • Passive attacks involve monitoring network traffic without tampering with data.
  • Active attacks involve tampering with data in transit or disrupting communication or services, such as DoS, session hijacking, and SQL injection.
  • Close-in attacks occur when the attacker is physically close to the target system or network, such as social engineering, eavesdropping, and dumpster diving.
  • Insider attacks involve using privileged access to violate rules or intentionally cause harm to the organization's information or information systems.
  • Distribution attacks occur when attackers tamper with hardware or software before installation.

Information Security Attack Vectors

  • Cloud Computing Threats involve attacks on cloud environments that can expose sensitive data stored there, including other clients' data.
  • Advanced Persistent Threats (APT) focus on stealing information from a victim without their awareness.
  • Viruses and Worms are networking threats that can infect a network within seconds.
  • Ransomware restricts access to a computer system's files and folders and demands payment for removal of the restrictions.
  • Mobile Threats: the shift of attacker focus to mobile devices, due to their increased adoption and weaker security controls.
  • Botnet: a large network of compromised systems used by an intruder to perform various network attacks.
  • Insider Attack: an attack performed on a corporate network that is committed by an entrusted person.
  • Phishing: the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user's personal or account information.
  • Web Application Threats: attackers target web applications to steal credentials, set up phishing sites, or acquire private information used to threaten the victim.
  • IoT Threats: flaws in IoT devices allow attackers local and remote access to perform various attacks.

Payment Card Industry Data Security Standard (PCI DSS)

  • PCI DSS is an information security standard for organizations handling cardholder data
  • PCI DSS applies to entities involved in payment card processing
  • PCI DSS high-level overview:
    • Build and maintain a secure network
    • Protect cardholder data
    • Maintain a vulnerability management program
    • Implement strong access control measures
    • Regularly monitor and test networks
    • Maintain an information security policy

ISO/IEC 27001:2013

  • Specifies requirements for establishing, implementing, maintaining, and improving an information security management system
  • Used to formulate security requirements and objectives.
  • Assists organization management in determining the status of information security management activities.
  • Aids in implementing business-enabling information security.
  • Provides relevant information about information security to customers.

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA includes the Administrative Simplification Statute and Rules
  • Requires providers to use the same health care transactions, code sets, and identifiers
  • Grants federal protections for personal health information and an array of rights over that information
  • Specifies safeguards that covered entities must implement to ensure the confidentiality, integrity, and availability of protected health information
  • Requires standard national identification numbers for healthcare providers and other entities
  • Provides the standards for enforcing all Administrative Simplification Rules

Sarbanes-Oxley Act (SOX)

  • Enacted in 2002
  • Designed to protect the public and investors
  • Organized into 11 titles:
    • Title I - Public Company Accounting Oversight Board
    • Title II - Auditor Independence
    • Title III - Corporate Responsibility
    • Title IV - Enhanced Financial Disclosures
    • Title V - Analyst Conflicts of Interest
    • Title VI - Commission Resources and Authority
    • Title VII - Studies and Reports
    • Title VIII - Corporate and Criminal Fraud Accountability
    • Title IX - White Collar Crime Penalty Enhancement
    • Title X - Corporate Tax Returns
    • Title XI - Corporate Fraud Accountability

Digital Millennium Copyright Act (DMCA)

  • DMCA defines the legal prohibitions against the circumvention of technological protection measures
  • Implements two treaties of the World Intellectual Property Organization (WIPO)

The Federal Information Security Management Act (FISMA)

  • FISMA provides a framework for ensuring the effectiveness of information security controls.
  • Standards for categorizing information and information systems by mission impact
  • Standards for minimum security requirements for information and information systems
  • Guidance for selecting appropriate security controls for information systems
  • Guidance for assessing security controls in information systems and determining security control effectiveness
  • Guidance for security authorization of information systems

GDPR (General Data Protection Regulation)

  • The GDPR was put into effect on May 25, 2018
  • Considered one of the most stringent privacy and security laws globally
  • Levies harsh fines against those who violate its privacy and security standards
  • Penalties can reach tens of millions of euros
  • Data protection principles:
    • Lawfulness, fairness, and transparency
    • Purpose limitation
    • Data minimization
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality
    • Accountability

Data Protection Act 2018 (DPA)

  • The DPA regulates the processing of information relating to individuals
  • Makes provisions for protecting individuals
  • Also makes specific provision for the functions of the Information Commissioner
  • Requires personal data to be processed lawfully and fairly
  • Confers rights on the data subject to obtain information about data processing and to correct inaccurate data
  • Confers functions on the Commissioner, giving the Commissioner responsibility for monitoring and enforcing the provisions

Cyber Law in Different Countries (Examples)

  • Laws/Acts in the United States:
    • Section 107 of the Copyright Law
    • Online Copyright Infringement Liability Limitation Act
    • The Lanham (Trademark) Act
    • The Electronic Communications Privacy Act.
    • Foreign Intelligence Surveillance Act
    • Protect America Act of 2007
    • Privacy Act of 1974
    • National Information Infrastructure Protection Act of 1996
    • Computer Security Act of 1987
    • Freedom of Information Act (FOIA)
    • Computer Fraud and Abuse Act
    • Federal Identity Theft and Assumption Deterrence Act
  • Laws/Acts in Australia:
    • The Trade Marks Act 1995
    • The Patents Act 1990
    • The Copyright Act 1968
    • Cybercrime Act 2001
  • Laws/Acts in the United Kingdom:
    • The Copyright, Etc. and Trademarks (Offenses And Enforcement) Act 2002
    • Trademarks Act 1994 (TMA)
    • Computer Misuse Act 1990
    • The Network and Information Systems Regulations 2018
    • Communications Act 2003
    • The Privacy and Electronic Communications (EC Directive) Regulations 2003
    • Investigatory Powers Act 2016
    • Regulation of Investigatory Powers Act 2000
  • Laws/Acts in China:
    • Copyright Law of the People's Republic of China (Amendments on October 27, 2001)
    • Trademark Law of the People's Republic of China (Amendments on October 27, 2001)
  • Laws/Acts in India:
    • The Patents (Amendment) Act, 1999
    • Trade Marks Act, 1999
    • The Copyright Act, 1957
    • Information Technology Act
  • Laws/Acts In Germany:
    • Section 202a. Data Espionage
    • Section 303a. Alteration of Data
    • Section 303b. Computer Sabotage
  • Laws/Acts in Italy:
    • Penal Code Article 615 ter
  • Laws/Acts in Japan:
    • The Trademark Law (Law No. 127 of 1957)
    • Copyright Management Business Law
  • Laws/Acts in Canada:
    • Copyright Act
    • Trademark Law
    • Canadian Criminal Code Section 342.1
  • Laws/Acts in Singapore:
    • Computer Misuse Act
  • Laws/Acts in South Africa:
    • Trademarks Act 194 of 1993
    • Copyright Act 1978
  • Laws/Acts in South Korea:
    • Copyright Law Act No. 3916
    • Industrial Design Protection Act
  • Laws/Acts in Belgium:
    • Computer Hacking
  • Laws/Acts in Brazil:
    • Unauthorized modification or alteration of the information system
  • Laws/Acts in Hong Kong:
    • Article 139 of the Basic Law
