Information Security Fundamentals
43 Questions

Questions and Answers

What are examples of environmental threats in the threat identification process?

  • Floods and earthquakes (correct)
  • Phishing and malware
  • Trojan horse and logic bomb
  • Hackers and criminals

    Malicious software is a general term encompassing many types of software threats.

    True

    What is the purpose of the Kill Chain in cybersecurity?

    To select security controls to counter a particular threat.

    Social engineering is a __________ term for attackers trying to trick people into revealing sensitive information.

    general

    Which category of controls affects the frequency and/or likelihood of encountering threats?

    Avoidance controls

    Vulnerability identification is the process of identifying strengths in a system's security procedures.

    False

    What is the formula to calculate the level of risk in a quantitative risk assessment?

    (Probability of adverse event) × (Impact value)

    Capital planning is designed to facilitate and control the expenditure of the organization's _____.

    funds

    Match the following security management roles with their responsibilities:

    • Chief Information Security Officer (CISO) = Establishing and maintaining an ISMS
    • Information Security Manager (ISM) = Threat and incident management

    What is the purpose of a system security plan?

    To provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.

    Which of the following is a security policy category?

    Change control policy

    What aspect does an Acceptable Use Policy define? It defines what behaviors are ______ and what behaviors are not ______.

    acceptable

    Classification of information considers legal requirements, value, and criticality.

    True

    Define risk in the context of information security.

    Risk is the combination of likelihood of loss and the expected impact of loss on information assets like data.

    Match the following policies with their descriptions:

    • Physical access policy = Policy defining how access to the physical area is obtained
    • Incident response policy = Policy detailing how incidents are reported and investigated
    • Encryption policy = Policy explaining how data are encrypted
    • Network security policy = Policy outlining how network systems are secured

    What is vulnerability in the context of information security?

    A threat agent exploiting a weakness

    Risk is calculated as the probability of a threat occurring multiplied by the cost to the asset owner.

    True

    ___ is the protection of networks and their services from unauthorized modifications, destruction, or disclosure.

    Network security

    Match the following information security characteristics with their definitions:

    • Confidentiality = The quality or state of preventing disclosures to unauthorized individuals or systems
    • Integrity = The quality or state of being whole, complete, or uncorrupted
    • Availability = Enables users to access information without interference or obstruction

    What is the most common means of human-to-human identification based on facial characteristics?

    Facial characteristics

    Which physical characteristic has been used as a means of identification for centuries?

    Fingerprints

    Automated fingerprint recognition and matching systems store the full fingerprint pattern.

    False

    The detailed structure of the ______ is considered a unique physical characteristic.

    iris

    What are some common weaknesses of passwords?

    All of the above

    What is the purpose of possession-based authentication?

    user authentication

    What is the purpose of the categorization step in risk management processes?

    To guide and inform subsequent risk management processes and tasks by determining the adverse impact or consequences to the organization with respect to the compromise or loss of organizational assets, including confidentiality, integrity, and availability.

    Memory cards store data but do not process it. The most common type of memory card is a bank card with a magnetic ____ on the back.

    stripe

    What are the steps involved in the risk management process?

    Authorize

    Privacy refers to the right of individuals to control or influence the collection and sharing of information about them.

    True

    Match the type of card with its description:

    • Memory Card = Stores data but does not process it
    • Smart Card = Includes an embedded microprocessor

    Smart cards require an electronic interface to communicate with compatible reader/writers.

    True

    ______ involves the exposure to others of certain physical and emotional attributes about a person.

    Exposure

    Match the following information types with their descriptions:

    • Information type = A specific category of information defined by an organization or specific law
    • Security objective = Characteristic of security to be achieved (e.g., confidentiality, integrity, availability)
    • Impact = Adverse change to the level of business objectives achieved
    • Security classification = Grouping information into classes based on value and protection required

    What are the three general authentication factors?

    Biometric

    What is the primary purpose of the identification step in user authentication?

    Presenting an identifier to the security system

    Identity proofing establishes that a subject is who he or she claims to be to a stated level of __________.

    certitude

    Authentication provides assurances that the subject accessing a digital service today is different from the subject that previously accessed the service.

    False

    Match the possession factor with its description:

    • Connected hardware tokens = Items that connect to a computer logically or physically to authenticate identity
    • Disconnected hardware tokens = Items that do not directly connect to the client computer and require user input to sign in

    What is the term used to describe the manipulation of the way a person is perceived and judged by others?

    Distortion

    In terms of cybersecurity, intrusion involves incursions into a person's life or personal space.

    False

    What does decisional interference involve in terms of privacy threats?

    individual's interest in avoiding certain types of disclosure

    _______ involves ensuring that organizations identify the legal bases authorizing PII collection or activity that impacts privacy.

    Authority and purpose

    Match the following privacy controls with their descriptions:

    • Accountability, audit, and risk management = Controls for governance, monitoring, risk management, and assessment to demonstrate compliance with privacy protection requirements.
    • Data quality and integrity = Ensuring collected PII is accurate, relevant, timely, and complete, with procedures for confirming quality and maintaining integrity.
    • Individual participation and redress = Making individuals active participants in decisions regarding their PII collection and use, including consent, access, redress, and complaint management.
    • Security = Safeguards in place to protect PII against loss, unauthorized access, or disclosure, including inventory maintenance and incident response planning.
    • Transparency = Providing public notice of information practices and privacy impacts, including procedures for notifying individuals and disseminating information.
    • Use limitation = Ensuring limited scope of PII use, including policies to restrict internal and external access to authorized personnel only.
    • Data minimization and retention = Controls for minimizing relevant and necessary PII, retention periods, and secure deletion methods.

    Study Notes

    What is Security?

    • A state of being secure and free from danger or harm
    • The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information

    Information Security

    • Managing the risk to information assets such as data, and protecting those assets
    • Risk is the combination of the likelihood of loss and the expected impact of loss
    • Risk = (probability that a threat occurs) × (cost to the asset owner)

    Assets

    • Data contained in an information system, or a service provided by a system
    • A system capability, such as processing power or communication bandwidth
    • An item of system equipment, such as hardware, firmware, software, or documentation

    Vulnerability

    • A flaw or weakness that allows a threat agent to bypass security
    • Exploit the vulnerability through an attack vector
    • An attack vector is a means by which an attack can occur, such as a threat actor stealing user passwords

    Threat Likelihood

    • The probability that a threat agent will exploit a vulnerability
    • Threat: A type of action with the potential to cause harm
    • Threat agent: A person or element with the power to carry out a threat

    Network Security

    • Protection of networks and their services from unauthorized modifications, destruction, or disclosure
    • Provision of assurance, from both internal and external threats, ensuring the confidentiality, integrity, and availability of data and resources

    Components of an Information System

    • An Information system is the entire set of hardware, software, data, people, procedures, and networks that enables a business to use information
    • Each component has its own strength, weakness, and characteristics
    • Each component has its own security requirements

    Characteristics of Information Security

    • Confidentiality: The quality or state of preventing disclosure or exposure to unauthorized individuals or systems
    • Integrity: The quality or state of being whole, complete, or uncorrupted
    • Availability: Enables users who need to access information to do so without interference or obstruction and in the required format

    Cybersecurity Objectives

    • Understanding the relationship between security and convenience (security is inversely proportional to convenience)

    Approaches to Information Security

    • Top-down approach: Initiated by upper management, involving policy, procedures, and processes
    • Implementation involves a formal development strategy, such as a systems development life cycle

    US Laws and Regulations

    • Computer Fraud and Abuse Act of 1986
    • National Information Infrastructure Protection Act of 1996
    • State and local regulations
    • International laws and legal bodies

    What is Information Security?

    • Protecting the confidentiality, integrity, and availability of information in transmission, processing, and storage through the application of policy, education, training and awareness, and technology

    Standards and Practice Documents

    • NIST, ITU-T, ISO, ISOC
    • The Information Security Forum (ISF) produces a standard of good practice for information security

    Risk Management

    • A disciplined, structured, and flexible process for organizational asset valuation, security and privacy control selection, implementation, assessment, system and control authorizations, and continuous monitoring

    Information Security Risk Management and Assessment

    • Context establishment: Setting the basic criteria necessary for information security risk management
    • Risk identification: Identifying risk sources, events, their causes, and their potential consequences
    • Risk analysis: Providing the basis for risk evaluation and decisions about risk treatment
    • Risk evaluation: Determining whether the risk and/or its magnitude are acceptable or tolerable
    • Risk treatment: Involving the following: avoiding, taking, removing, changing, sharing, or retaining the risk

    Asset Identification

    • Hardware assets: Servers, workstations, laptops, mobile devices, removable media, networking equipment, etc.
    • Software assets: Stored in databases and file systems, both on-premises and remotely in the cloud
    • Information assets: Include organization assets that don’t fit into the other categories, such as human resources, business processes, and physical plant
    • Business assets: Intangible assets, such as organization control, know-how, reputation, and image of the organization

    Threat Identification

    • Threat sources: Environmental, business resources, and hostile actors
    • Threat types: Malicious software, social engineering, phishing, spam, logic bomb, Trojan horse, backdoor, mobile code, exploit, exploit kit, downloader, dropper, auto-rooter, kit, spammer program, flooder, keyloggers, rootkit, zombie or bot, spyware, adware, remote access attacks, denial-of-service (DoS) attack, distributed denial-of-service (DDoS) attack, DNS attacks, and hacker or cracker

    Phases of a Kill Chain

    • Reconnaissance: The adversary determines likely targets for attack

    Cybersecurity Fundamentals

    • Phases of a cyber attack (the cyber kill chain):
      • Reconnaissance: determining what information is available for targeting
      • Weaponization: coupling an exploit with a means of gaining access to the specific system
      • Delivery: delivering the weaponized payload to the victim
      • Exploit: exploiting a vulnerability to enable installation
      • Installation: installing the malware package on the asset
      • Command and control: creating a command and control channel to operate the malware remotely
      • Actions: achieving the goals of the attack

    Threat Intelligence

    • Cisco Annual Cybersecurity Report: a source of threat information, organized along the lines of kill chain concepts

    Control Identification

    • Steps to identify controls:
      1. Review documents containing information about controls
      2. Check with people responsible for information security
      3. Conduct an on-site review of physical controls
      4. Review results of audits

    Risk Analysis

    • Types of controls:
      • Avoidance controls: affect the frequency and/or likelihood of encountering threats
        • Examples: firewall filters, physical barriers, relocation of assets
      • Deterrent controls: affect the likelihood of a threat acting in a manner that results in harm
        • Examples: policies, logging and monitoring, enforcement practices
      • Vulnerability controls: affect the probability that a threat's action will result in loss
        • Examples: authentication, access privileges, patching
      • Responsive controls: affect the amount of loss that results from a threat's action
        • Examples: backup and restore media and processes, forensics capabilities

    Vulnerability Identification

    • Types of vulnerabilities:
      • Technical vulnerabilities: flaws in software and/or hardware components
      • Human-caused vulnerabilities: key person dependencies, gaps in awareness and training
      • Physical and environmental vulnerabilities: insufficient physical access controls
      • Operational vulnerabilities: lack of change management, inadequate separation of duties

    Risk Assessment

    • Level of risk = (Probability of adverse event) × (Impact value)
    • Impact assessment: estimating the magnitude of the adverse consequence of a successful threat action
    • Estimating the primary loss: asset factors, threat factors, and possible threat actions (access, misuse, disclosure, modification, deny access)

    Risk Treatment

    • Risk reduction or mitigation: actions taken to lessen the probability and/or negative consequences associated with a risk
    • Risk retention: acceptance of the cost from a risk
    • Risk transfer: sharing or transferring risk to another organization
    • Risk avoidance: avoiding a circumstance leading to risk exposure

    Information Security Policy

    • An information security policy relates to the rules and practices that enforce security.
    • It includes the security plan, security controls, and security policy.

    Security Policy Categories

    • There are various categories of security policies, including:
      • Access control policy: how information is accessed
      • Contingency planning policy: how availability of data is provided 24/7
      • Data classification policy: how data are classified
      • Change control policy: how changes are made to directories or the file server
      • Wireless policy: how wireless infrastructure devices need to be configured
      • Incident response policy: how incidents are reported and investigated
      • Termination of access policy: how employee access to organization assets is handled during termination
      • Backup policy: how data is backed up
      • Virus policy: how virus infections need to be dealt with
      • Retention policy: how data can be stored
      • Physical access policy: how access to the physical area is obtained
      • Security awareness policy: how security awareness is carried out
      • Audit trail policy: how audit trails are analyzed
      • Firewall policy: how firewalls are named, configured, and so on
      • Network security policy: how network systems are secured
      • Encryption policy: how data are encrypted, the encryption method used, and so on
      • BYOD policy: what devices an employee may use both on premises and off to access organization assets
      • Cloud computing policy: security aspects of using cloud computing resources and service

    Security Policy Components

    • A security policy includes:
      • Overview: background information on what issue the policy addresses
      • Purpose: why the policy was created
      • Scope: what areas the policy covers
      • Targeted audience: to whom the policy is applicable
      • Policy: a complete but concise description of the policy
      • Noncompliance: consequences for violating the policy
      • Definitions: technical terms used in the document
      • Version: version number to keep track of the changes made to the document

    Capital Planning

    • The Select/Control/Evaluate framework defines a cyclical process consisting of three steps for deciding which projects to pursue or which investments to make:
      • Select: identify and analyze each project's risks and returns before committing significant funds to any project.
      • Control: ensure that as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk.
      • Evaluate: compare actual results with expected results after a project has been fully implemented.

    Information Classification

    • Information classification is the process of categorizing information based on its level of sensitivity, confidentiality, and importance.
    • It includes:
      • Information type: a specific category of information defined by an organization or by a specific law, directive, policy, or regulation.
      • Security objective: the characteristic of security to be achieved, which typically consists of confidentiality, integrity, and availability.
      • Impact: an adverse change to the level of business objectives achieved.
      • Security classification: the grouping of information into classes that reflect the value of the information and the level of protection required.

    Identification of Information Types

    • The identification process must cover all forms of information, including:
      • Electronic
      • Electronic communication
      • Spoken communication
      • Multimedia information
      • Physical information

    Assigning Security Priorities

    • Assigning security priorities involves naming each classification level in a way that makes sense in the context of the classification scheme's application.
    • Classifying information types and properly naming them provide people who deal with information with a concise indication of how to handle and protect that information.

    Information Handling

    • Information handling refers to processing, storing, communicating, or otherwise handling information consistent with its classification.
    • It includes considerations such as:
      • Access restrictions
      • Maintenance of a formal record of the authorized recipients of assets
      • Protection of temporary or permanent copies of information
      • Storage of IT assets
      • Clear marking of all copies of media for the attention of the authorized recipient

    Privacy

    • Privacy is the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
    • Privacy threats can arise from:
      • Information collection
      • Information processing
      • Information dissemination
      • Invasions


    Quiz Team

    Description

    Learn about the basics of information security, including its definition, risk management, and protection of information assets. Understand the concept of risk and its components.
