Questions and Answers
What are examples of environmental threats in the threat identification process?
Malicious software is a general term encompassing many types of software threats.
True
What is the purpose of the Kill Chain in cybersecurity?
To select security controls to counter a particular threat.
Social engineering is a __________ term for attackers trying to trick people into revealing sensitive information.
Which category of controls affects the frequency and/or likelihood of encountering threats?
Vulnerability identification is the process of identifying strengths in a system's security procedures.
What is the formula to calculate the level of risk in a quantitative risk assessment?
Capital planning is designed to facilitate and control the expenditure of the organization's _____.
Match the following security management roles with their responsibilities:
What is the purpose of a system security plan?
Which of the following is a security policy category?
What aspect does an Acceptable Use Policy define? It defines what behaviors are ______ and what behaviors are not ______.
Classification of information considers legal requirements, value, and criticality.
Define risk in the context of information security.
Match the following policies with their descriptions:
What is vulnerability in the context of information security?
Risk is calculated as the probability of a threat occurring multiplied by the cost to the asset owner.
___ is the protection of networks and their services from unauthorized modifications, destruction, or disclosure.
Match the following information security characteristics with their definitions:
What is the most common means of human-to-human identification based on facial characteristics?
Which physical characteristic has been used as a means of identification for centuries?
Automated fingerprint recognition and matching systems store the full fingerprint pattern.
The detailed structure of the ______ is considered a unique physical characteristic.
What are some common weaknesses of passwords?
What is the purpose of possession-based authentication?
What is the purpose of the categorization step in risk management processes?
Memory cards store data but do not process it. The most common type of memory card is a bank card with a magnetic ____ on the back.
What are the steps involved in the risk management process?
Privacy refers to the right of individuals to control or influence the collection and sharing of information about them.
Match the type of card with its description:
Smart cards require an electronic interface to communicate with compatible reader/writers.
______ involves the exposure to others of certain physical and emotional attributes about a person.
Match the following information types with their descriptions:
What are the three general authentication factors?
What is the primary purpose of the identification step in user authentication?
Identity proofing establishes that a subject is who he or she claims to be to a stated level of __________.
Authentication provides assurances that the subject accessing a digital service today is different from the subject that previously accessed the service.
Match the possession factor with its description:
What is the term used to describe the manipulation of the way a person is perceived and judged by others?
In terms of cybersecurity, intrusion involves incursions into a person's life or personal space.
What does decisional interference involve in terms of privacy threats?
_______ involves ensuring that organizations identify the legal bases authorizing PII collection or activity that impacts privacy.
Match the following privacy controls with their descriptions:
Study Notes
What is Security?
- A state of being secure and free from danger or harm
- The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
Information Security
- Managing and protecting a risk of information assets like data
- Risk is the combination of likelihood of loss and expected impact of loss
- Risk = probability that a threat occurs * cost to the asset owner
Assets
- Data contained in an information system, or a service provided by a system
- A system capability, such as processing power or communication bandwidth
- An item of system equipment, such as hardware, firmware, software, or documentation
Vulnerability
- A flaw or weakness that allows a threat agent to bypass security
- Exploit the vulnerability through an attack vector
- An attack vector is a means by which an attack can occur, such as a threat actor stealing user passwords
Threat Likelihood
- The probability that a threat agent will exploit a vulnerability
- Threat: A type of action with the potential to cause harm
- Threat agent: A person or element with the power to carry out a threat
Network Security
- Protection of networks and their services from unauthorized modifications, destruction, or disclosure
- Provision of assurance, from both internal and external threats, ensuring the confidentiality, integrity, and availability of data and resources
Components of an Information System
- An Information system is the entire set of hardware, software, data, people, procedures, and networks that enables a business to use information
- Each component has its own strength, weakness, and characteristics
- Each component has its own security requirements
Characteristics of Information Security
- Confidentiality: The quality or state of preventing disclosure or exposure to unauthorized individuals or systems
- Integrity: The quality or state of being whole, complete, or uncorrupted
- Availability: Enables users who need to access information to do so without interference or obstruction and in the required format
Cybersecurity Objectives
- Understanding the relationship between security and convenience (security is inversely proportional to convenience)
Approaches to Information Security
- Top-down approach: Initiated by upper management, involving policy, procedures, and processes
- Implementation involves a formal development strategy, such as a systems development life cycle
US Laws and Regulations
- Computer Fraud and Abuse Act of 1986
- National Information Infrastructure Protection Act of 1996
- State and local regulations
- International laws and legal bodies
What is Information Security?
- Protecting the confidentiality, integrity, and availability of information in transmission, processing, and storage through the application of policy, education, training and awareness, and technology
Standards and Practice Documents
- NIST, ITU-T, ISO, ISOC
- The Information Security Forum (ISF) produces a standard of good practice for information security
Risk Management
- A disciplined, structured, and flexible process for organizational asset valuation, security and privacy control selection, implementation, assessment, system and control authorizations, and continuous monitoring
Information Security Risk Management and Assessment
- Context establishment: Setting the basic criteria necessary for information security risk management
- Risk identification: Identifying risk sources, events, their causes, and their potential consequences
- Risk analysis: Providing the basis for risk evaluation and decisions about risk treatment
- Risk evaluation: Determining whether the risk and/or its magnitude are acceptable or tolerable
- Risk treatment: Involving the following: avoiding, taking, removing, changing, sharing, or retaining the risk
Asset Identification
- Hardware assets: Servers, workstations, laptops, mobile devices, removable media, networking equipment, etc.
- Software assets: Stored in databases and file systems, both on-premises and remotely in the cloud
- Information assets: Include organization assets that don’t fit into the other categories, such as human resources, business processes, and physical plant
- Business assets: Intangible assets, such as organization control, know-how, reputation, and image of the organization
Threat Identification
- Threat sources: Environmental, business resources, and hostile actors
- Threat types: Malicious software, social engineering, phishing, spam, logic bomb, Trojan horse, backdoor, mobile code, exploit, exploit kit, downloader, dropper, auto-rooter, kit, spammer program, flooder, keyloggers, rootkit, zombie or bot, spyware, adware, remote access attacks, denial-of-service (DoS) attack, distributed denial-of-service (DDoS) attack, DNS attacks, and hacker or cracker
Phases of a Kill Chain (Cyber Kill Chain)
- Reconnaissance: the adversary determines likely targets for attack and what information is available for targeting
- Weaponization: coupling an exploit with a means of gaining access to the specific system
- Delivery: delivering the weaponized payload to the victim
- Exploit: exploiting a vulnerability to enable installation
- Installation: installing the malware package on the asset
- Command and control: creating a command and control channel to operate the malware remotely
- Actions: achieving the goals of the attack
Threat Intelligence
- Cisco Annual Cybersecurity Report: a source of threat information, organized along the lines of kill chain concepts
Control Identification
- Steps to identify controls:
- Review documents containing information about controls
- Check with people responsible for information security
- Conduct an on-site review of physical controls
- Review results of audits
Risk Analysis
- Types of controls:
- Avoidance controls: affect the frequency and/or likelihood of encountering threats
- Examples: firewall filters, physical barriers, relocation of assets
- Deterrent controls: affect the likelihood of a threat acting in a manner that results in harm
- Examples: policies, logging and monitoring, enforcement practices
- Vulnerability controls: affect the probability that a threat's action will result in loss
- Examples: authentication, access privileges, patching
- Responsive controls: affect the amount of loss that results from a threat's action
- Examples: backup and restore media and processes, forensics capabilities
Vulnerability Identification
- Types of vulnerabilities:
- Technical vulnerabilities: flaws in software and/or hardware components
- Human-caused vulnerabilities: key person dependencies, gaps in awareness and training
- Physical and environmental vulnerabilities: insufficient physical access controls
- Operational vulnerabilities: lack of change management, inadequate separation of duties
Risk Assessment
- Level of risk = (Probability of adverse event) × (Impact value)
- Impact assessment: estimating the magnitude of the adverse consequence of a successful threat action
- Estimating the primary loss: asset factors, threat factors, and possible threat actions (access, misuse, disclosure, modification, deny access)
Risk Treatment
- Risk reduction or mitigation: actions taken to lessen the probability and/or negative consequences associated with a risk
- Risk retention: acceptance of the cost from a risk
- Risk transfer: sharing or transferring risk to another organization
- Risk avoidance: avoiding a circumstance leading to risk exposure
Information Security Policy
- An information security policy relates to the rules and practices that enforce security.
- It includes security plan, security controls, and security policy.
Security Policy Categories
- There are various categories of security policies, including:
- Access control policy: how information is accessed
- Contingency planning policy: how availability of data is provided 24/7
- Data classification policy: how data are classified
- Change control policy: how changes are made to directories or the file server
- Wireless policy: how wireless infrastructure devices need to be configured
- Incident response policy: how incidents are reported and investigated
- Termination of access policy: how employee access to organization assets is handled during termination
- Backup policy: how data is backed up
- Virus policy: how virus infections need to be dealt with
- Retention policy: how data can be stored
- Physical access policy: how access to the physical area is obtained
- Security awareness policy: how security awareness is carried out
- Audit trail policy: how audit trails are analyzed
- Firewall policy: how firewalls are named, configured, and so on
- Network security policy: how network systems are secured
- Encryption policy: how data are encrypted, the encryption method used, and so on
- BYOD policy: what devices an employee may use both on premises and off to access organization assets
- Cloud computing policy: security aspects of using cloud computing resources and service
Security Policy Components
- A security policy includes:
- Overview: background information on what issue the policy addresses
- Purpose: why the policy was created
- Scope: what areas the policy covers
- Targeted audience: to whom the policy is applicable
- Policy: a complete but concise description of the policy
- Noncompliance: consequences for violating the policy
- Definitions: technical terms used in the document
- Version: version number to keep track of the changes made to the document
Capital Planning
- The Select/Control/Evaluate framework defines a cyclical process consisting of three steps for deciding which projects to pursue or which investments to make:
- Select: identify and analyze each project's risks and returns before committing significant funds to any project.
- Control: ensure that as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk.
- Evaluate: compare actual results with expected results after a project has been fully implemented.
Information Classification
- Information classification is the process of categorizing information based on its level of sensitivity, confidentiality, and importance.
- It includes:
- Information type: a specific category of information defined by an organization or by a specific law, directive, policy, or regulation.
- Security objective: the characteristic of security to be achieved, which typically consists of confidentiality, integrity, and availability.
- Impact: an adverse change to the level of business objectives achieved.
- Security classification: the grouping of information into classes that reflect the value of the information and the level of protection required.
Identification of Information Types
- The identification process must cover all forms of information, including:
- Electronic
- Electronic communication
- Spoken communication
- Multimedia information
- Physical information
Assigning Security Priorities
- Assigning security priorities involves naming each classification level in a way that makes sense in the context of the classification scheme's application.
- Classifying information types and properly naming them provide people who deal with information with a concise indication of how to handle and protect that information.
Information Handling
- Information handling refers to processing, storing, communicating, or otherwise handling information consistent with its classification.
- It includes considerations such as:
- Access restrictions
- Maintenance of a formal record of the authorized recipients of assets
- Protection of temporary or permanent copies of information
- Storage of IT assets
- Clear marking of all copies of media for the attention of the authorized recipient
Privacy
- Privacy is the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
- Privacy threats can arise from:
- Information collection
- Information processing
- Information dissemination
- Invasions
Description
Learn about the basics of information security, including its definition, risk management, and protection of information assets. Understand the concept of risk and its components.