Information Security Fundamentals

IntuitiveSpruce

What are examples of environmental threats in the threat identification process?

Floods and earthquakes

Malicious software is a general term encompassing many types of software threats.

True

What is the purpose of the Kill Chain in cybersecurity?

To model the successive phases of an attack so that security controls can be selected to counter a particular threat at each phase.

Social engineering is a __________ term for attackers trying to trick people into revealing sensitive information.

general

Which category of controls affects the frequency and/or likelihood of encountering threats?

Avoidance controls

Vulnerability identification is the process of identifying strengths in a system's security procedures.

False

What is the formula to calculate the level of risk in a quantitative risk assessment?

(Probability of adverse event) × (Impact value)

Capital planning is designed to facilitate and control the expenditure of the organization's _____.

funds

Match the following security management roles with their responsibilities:

  • Chief Information Security Officer (CISO) = Establishing and maintaining an ISMS
  • Information Security Manager (ISM) = Threat and incident management

What is the purpose of a system security plan?

To provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.

Which of the following is a security policy category?

Change control policy

What aspect does an Acceptable Use Policy define? It defines what behaviors are ______ and what behaviors are not ______.

acceptable

Classification of information considers legal requirements, value, and criticality.

True

Define risk in the context of information security.

Risk is the combination of likelihood of loss and the expected impact of loss on information assets like data.

Match the following policies with their descriptions:

  • Physical access policy = Policy defining how access to the physical area is obtained
  • Incident response policy = Policy detailing how incidents are reported and investigated
  • Encryption policy = Policy explaining how data are encrypted
  • Network security policy = Policy outlining how network systems are secured

What is a vulnerability in the context of information security?

A flaw or weakness that a threat agent can exploit to bypass security

Risk is calculated as the probability of a threat occurring multiplied by the cost to the asset owner.

True

___ is the protection of networks and their services from unauthorized modifications, destruction, or disclosure.

Network security

Match the following information security characteristics with their definitions:

  • Confidentiality = The quality or state of preventing disclosure to unauthorized individuals or systems
  • Integrity = The quality or state of being whole, complete, or uncorrupted
  • Availability = Enables users to access information without interference or obstruction

What is the most common means of human-to-human identification?

Facial characteristics

Which physical characteristic has been used as a means of identification for centuries?

Fingerprints

Automated fingerprint recognition and matching systems store the full fingerprint pattern.

False

The detailed structure of the ______ is considered a unique physical characteristic.

iris

What are some common weaknesses of passwords?

All of the above

What is the purpose of possession-based authentication?

Authenticating a user by something the user possesses, such as a token or card

What is the purpose of the categorization step in risk management processes?

To guide and inform subsequent risk management processes and tasks by determining the adverse impact or consequences to the organization with respect to the compromise or loss of organizational assets, including confidentiality, integrity, and availability.

Memory cards store data but do not process it. The most common type of memory card is a bank card with a magnetic ____ on the back.

stripe

Which of the following is a step in the risk management process?

Authorize (the process steps are categorize, select, implement, assess, authorize, and monitor)

Privacy refers to the right of individuals to control or influence the collection and sharing of information about them.

True

Match the type of card with its description:

  • Memory Card = Stores data but does not process it
  • Smart Card = Includes an embedded microprocessor

Smart cards require an electronic interface to communicate with compatible reader/writers.

True

______ involves revealing to others certain physical and emotional attributes about a person.

Exposure

Match the following information types with their descriptions:

  • Information type = A specific category of information defined by an organization or specific law
  • Security objective = Characteristic of security to be achieved (e.g., confidentiality, integrity, availability)
  • Impact = Adverse change to the level of business objectives achieved
  • Security classification = Grouping information into classes based on value and protection required

What are the three general authentication factors?

Something you know (knowledge, e.g., a password), something you have (possession, e.g., a token or smart card), and something you are (biometric)

What is the primary purpose of the identification step in user authentication?

Presenting an identifier to the security system

Identity proofing establishes that a subject is who he or she claims to be to a stated level of __________.

certitude

Authentication provides assurances that the subject accessing a digital service today is different from the subject that previously accessed the service.

False

Match the possession factor with its description:

  • Connected hardware tokens = Items that connect to a computer logically or physically to authenticate identity
  • Disconnected hardware tokens = Items that do not directly connect to the client computer and require user input to sign in

What is the term used to describe the manipulation of the way a person is perceived and judged by others?

Distortion

In terms of privacy threats, intrusion involves invasive acts that disturb a person's tranquility or solitude, such as incursions into the person's life or personal space.

True

What does decisional interference involve in terms of privacy threats?

Incursions into an individual's decisions regarding his or her private affairs

_______ involves ensuring that organizations identify the legal bases authorizing PII collection or activity that impacts privacy.

Authority and purpose

Match the following privacy controls with their descriptions:

  • Accountability, audit, and risk management = Controls for governance, monitoring, risk management, and assessment to demonstrate compliance with privacy protection requirements.
  • Data quality and integrity = Ensuring collected PII is accurate, relevant, timely, and complete, with procedures for confirming quality and maintaining integrity.
  • Individual participation and redress = Making individuals active participants in decisions regarding their PII collection and use, including consent, access, redress, and complaint management.
  • Security = Safeguards in place to protect PII against loss, unauthorized access, or disclosure, including inventory maintenance and incident response planning.
  • Transparency = Providing public notice of information practices and privacy impacts, including procedures for notifying individuals and disseminating information.
  • Use limitation = Ensuring limited scope of PII use, including policies to restrict internal and external access to authorized personnel only.
  • Data minimization and retention = Controls for minimizing PII to what is relevant and necessary, retention periods, and secure deletion methods.

Study Notes

What is Security?

  • A state of being secure and free from danger or harm
  • The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information

Information Security

  • Managing and protecting the risk to information assets such as data
  • Risk is the combination of the likelihood of loss and the expected impact of loss
  • Risk = (probability that a threat occurs) × (cost to the asset owner)

Assets

  • Data contained in an information system, or a service provided by a system
  • A system capability, such as processing power or communication bandwidth
  • An item of system equipment, such as hardware, firmware, software, or documentation

Vulnerability

  • A flaw or weakness that allows a threat agent to bypass security
  • Exploit the vulnerability through an attack vector
  • An attack vector is a means by which an attack can occur, such as a threat actor stealing user passwords

Threat Likelihood

  • Threat likelihood: The probability that a threat agent will exploit a vulnerability
  • Threat: A type of action with the potential to cause harm
  • Threat agent: A person or element with the power to carry out a threat

Network Security

  • Protection of networks and their services from unauthorized modifications, destruction, or disclosure
  • Provision of assurance, from both internal and external threats, ensuring the confidentiality, integrity, and availability of data and resources

Components of an Information System

  • An Information system is the entire set of hardware, software, data, people, procedures, and networks that enables a business to use information
  • Each component has its own strength, weakness, and characteristics
  • Each component has its own security requirements

Characteristics of Information Security

  • Confidentiality: The quality or state of preventing disclosure or exposure to unauthorized individuals or systems
  • Integrity: The quality or state of being whole, complete, or uncorrupted
  • Availability: Enables users who need to access information to do so without interference or obstruction and in the required format

Cybersecurity Objectives

  • Understanding the relationship between security and convenience (security is inversely proportional to convenience)

Approaches to Information Security

  • Top-down approach: Initiated by upper management, involving policy, procedures, and processes
  • Implementation involves a formal development strategy, such as a systems development life cycle

US Laws and Regulations

  • Computer Fraud and Abuse Act of 1986
  • National Information Infrastructure Protection Act of 1996
  • State and local regulations
  • International laws and legal bodies

What is Information Security?

  • Protecting the confidentiality, integrity, and availability of information in transmission, processing, and storage through the application of policy, education, training and awareness, and technology

Standards and Practice Documents

  • NIST, ITU-T, ISO, ISOC
  • The Information Security Forum (ISF) produces a standard of good practice for information security

Risk Management

  • A disciplined, structured, and flexible process for organizational asset valuation, security and privacy control selection, implementation, assessment, system and control authorizations, and continuous monitoring

Information Security Risk Management and Assessment

  • Context establishment: Setting the basic criteria necessary for information security risk management
  • Risk identification: Identifying risk sources, events, their causes, and their potential consequences
  • Risk analysis: Providing the basis for risk evaluation and decisions about risk treatment
  • Risk evaluation: Determining whether the risk and/or its magnitude are acceptable or tolerable
  • Risk treatment: Involving the following: avoiding, taking, removing, changing, sharing, or retaining the risk

Asset Identification

  • Hardware assets: Servers, workstations, laptops, mobile devices, removable media, networking equipment, etc.
  • Software assets: Applications, operating systems, database management systems, and other programs that process the organization's information
  • Information assets: Information stored in databases and file systems, both on-premises and remotely in the cloud
  • Business assets: Organization assets that don't fit into the other categories, such as human resources, business processes, and physical plant, plus intangible assets such as organization control, know-how, reputation, and image of the organization

Threat Identification

  • Threat sources: Environmental, business resources, and hostile actors
  • Threat types: Malicious software, social engineering, phishing, spam, logic bomb, Trojan horse, backdoor, mobile code, exploit, exploit kit, downloader, dropper, auto-rooter, kit, spammer program, flooder, keyloggers, rootkit, zombie or bot, spyware, adware, remote access attacks, denial-of-service (DoS) attack, distributed denial-of-service (DDoS) attack, DNS attacks, and hacker or cracker

Phases of a Kill Chain

  • Reconnaissance: The adversary determines likely targets for attack and what information is available for targeting
  • Weaponization: Coupling an exploit with a means of gaining access to the specific system
  • Delivery: Delivering the weaponized payload to the victim
  • Exploitation: Exploiting a vulnerability to enable installation
  • Installation: Installing the malware package on the asset
  • Command and control: Creating a command and control channel to operate the malware remotely
  • Actions on objectives: Achieving the goals of the attack

Threat Intelligence

  • Cisco Annual Cybersecurity Report: a source of threat information, organized along the lines of kill chain concepts

Control Identification

  • Steps to identify controls:
    1. Review documents containing information about controls
    2. Check with people responsible for information security
    3. Conduct an on-site review of physical controls
    4. Review results of audits

Risk Analysis

  • Types of controls:
    • Avoidance controls: affect the frequency and/or likelihood of encountering threats
      • Examples: firewall filters, physical barriers, relocation of assets
    • Deterrent controls: affect the likelihood of a threat acting in a manner that results in harm
      • Examples: policies, logging and monitoring, enforcement practices
    • Vulnerability controls: affect the probability that a threat's action will result in loss
      • Examples: authentication, access privileges, patching
    • Responsive controls: affect the amount of loss that results from a threat's action
      • Examples: backup and restore media and processes, forensics capabilities

Vulnerability Identification

  • Types of vulnerabilities:
    • Technical vulnerabilities: flaws in software and/or hardware components
    • Human-caused vulnerabilities: key person dependencies, gaps in awareness and training
    • Physical and environmental vulnerabilities: insufficient physical access controls
    • Operational vulnerabilities: lack of change management, inadequate separation of duties

Risk Assessment

  • Level of risk = (Probability of adverse event) × (Impact value)
  • Impact assessment: estimating the magnitude of the adverse consequence of a successful threat action
  • Estimating the primary loss: asset factors, threat factors, and possible threat actions (access, misuse, disclosure, modification, deny access)
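An added example, not from the original page, that carries the risk formula above through a small risk register: controls of the four types listed under Risk Analysis act on either the probability factor or the impact factor, and the resulting residual level feeds the treatment decision (reduce, retain, transfer, or avoid) described in the Risk Treatment notes that follow. The asset, threat, probabilities, costs, and `remaining` factors are constructed illustrative values, and the `choose_treatment` policy is one reasonable rule, not one the page prescribes.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Control categories from the Risk Analysis notes and the risk factor each one acts on.
PROBABILITY_CONTROLS = {"avoidance", "deterrent", "vulnerability"}
IMPACT_CONTROLS = {"responsive"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: float   # expected number of adverse events per year
    impact: float        # loss per event, in currency units

    def level(self) -> float:
        """Level of risk = (probability of adverse event) x (impact value)."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # avoidance | deterrent | vulnerability | responsive
    remaining: float     # fraction of probability (or impact) left once the control is in place
    annual_cost: float


def residual_risk(risk: Risk, controls: Iterable[Control]) -> Risk:
    """Apply each control to the factor its category affects."""
    p, i = risk.probability, risk.impact
    for c in controls:
        if c.kind in PROBABILITY_CONTROLS:
            p *= c.remaining
        elif c.kind in IMPACT_CONTROLS:
            i *= c.remaining
        else:
            raise ValueError(f"unknown control kind: {c.kind}")
    return Risk(risk.asset, risk.threat, p, i)


def evaluate(risk: Risk, controls: List[Control]) -> Dict[str, float]:
    """Inherent and residual levels, control cost, and the net benefit of the option."""
    r = residual_risk(risk, controls)
    cost = sum(c.annual_cost for c in controls)
    return {"inherent": risk.level(), "residual": r.level(), "cost": cost,
            "net_benefit": risk.level() - r.level() - cost}


def choose_treatment(risk: Risk, options: Dict[str, List[Control]],
                     appetite: float) -> Tuple[str, Optional[str], Dict[str, float]]:
    """Retain if the inherent level is within appetite; otherwise reduce with the
    option that brings the residual within appetite at the best net benefit; if no
    option does, flag the risk for a transfer or avoidance decision."""
    if risk.level() <= appetite:
        return ("retain", None, evaluate(risk, []))
    scored = {name: evaluate(risk, ctrls) for name, ctrls in options.items()}
    acceptable = {n: f for n, f in scored.items() if f["residual"] <= appetite}
    if not acceptable:
        return ("transfer-or-avoid", None, evaluate(risk, []))
    best = max(acceptable, key=lambda n: acceptable[n]["net_benefit"])
    return ("reduce", best, acceptable[best])


# Constructed sample register entry (illustrative numbers, not from the page)
EXAMPLE_RISK = Risk("customer database", "ransomware", probability=0.2, impact=500_000)
PATCHING = Control("patch management", "vulnerability", remaining=0.25, annual_cost=20_000)
BACKUPS = Control("offline backups and restore", "responsive", remaining=0.4, annual_cost=10_000)
OPTIONS = {"patching": [PATCHING], "backups": [BACKUPS], "both": [PATCHING, BACKUPS]}

if __name__ == "__main__":
    decision, option, figures = choose_treatment(EXAMPLE_RISK, OPTIONS, appetite=15_000)
    print(decision, option, figures)
```

Note that a vulnerability control such as patching leaves the loss per event untouched, while a responsive control such as backups leaves the probability untouched; only the combination drives both factors down, which is why it wins under a tight appetite even though it costs more.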

Risk Treatment

  • Risk reduction or mitigation: actions taken to lessen the probability and/or negative consequences associated with a risk
  • Risk retention: acceptance of the cost from a risk
  • Risk transfer: sharing or transferring risk to another organization
  • Risk avoidance: avoiding a circumstance leading to risk exposure

Information Security Policy

  • An information security policy relates to the rules and practices that enforce security.
  • It includes the security plan, the security controls, and the security policy documents themselves.

Security Policy Categories

  • There are various categories of security policies, including:
    • Access control policy: how information is accessed
    • Contingency planning policy: how availability of data is provided 24/7
    • Data classification policy: how data are classified
    • Change control policy: how changes are made to directories or the file server
    • Wireless policy: how wireless infrastructure devices need to be configured
    • Incident response policy: how incidents are reported and investigated
    • Termination of access policy: how employee access to organization assets is handled during termination
    • Backup policy: how data is backed up
    • Virus policy: how virus infections need to be dealt with
    • Retention policy: how data can be stored
    • Physical access policy: how access to the physical area is obtained
    • Security awareness policy: how security awareness is carried out
    • Audit trail policy: how audit trails are analyzed
    • Firewall policy: how firewalls are named, configured, and so on
    • Network security policy: how network systems are secured
    • Encryption policy: how data are encrypted, the encryption method used, and so on
    • BYOD policy: what devices an employee may use both on premises and off to access organization assets
    • Cloud computing policy: security aspects of using cloud computing resources and service

Security Policy Components

  • A security policy includes:
    • Overview: background information on what issue the policy addresses
    • Purpose: why the policy was created
    • Scope: what areas the policy covers
    • Targeted audience: to whom the policy is applicable
    • Policy: a complete but concise description of the policy
    • Noncompliance: consequences for violating the policy
    • Definitions: technical terms used in the document
    • Version: version number to keep track of the changes made to the document

Capital Planning

  • The Select/Control/Evaluate framework defines a cyclical process consisting of three steps for deciding which projects to pursue or which investments to make:
    • Select: identify and analyze each project's risks and returns before committing significant funds to any project.
    • Control: ensure that as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk.
    • Evaluate: compare actual results and expected results after a project was fully implemented.

Information Classification

  • Information classification is the process of categorizing information based on its level of sensitivity, confidentiality, and importance.
  • It includes:
    • Information type: a specific category of information defined by an organization or by a specific law, directive, policy, or regulation.
    • Security objective: the characteristic of security to be achieved, which typically consists of confidentiality, integrity, and availability.
    • Impact: an adverse change to the level of business objectives achieved.
    • Security classification: the grouping of information into classes that reflect the value of the information and the level of protection required.

Identification of Information Types

  • The identification process must cover all forms of information, including:
    • Electronic
    • Electronic communication
    • Spoken communication
    • Multimedia information
    • Physical information

Assigning Security Priorities

  • Assigning security priorities involves naming each classification level in a way that makes sense in the context of the classification scheme's application.
  • Classifying information types and properly naming them provide people who deal with information with a concise indication of how to handle and protect that information.

Information Handling

  • Information handling refers to processing, storing, communicating, or otherwise handling information consistent with its classification.
  • It includes considerations such as:
    • Access restrictions
    • Maintenance of a formal record of the authorized recipients of assets
    • Protection of temporary or permanent copies of information
    • Storage of IT assets
    • Clear marking of all copies of media for the attention of the authorized recipient

Privacy

  • Privacy is the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
  • Privacy threats can arise from:
    • Information collection
    • Information processing
    • Information dissemination
    • Invasions
