Information Security Overview


Questions and Answers

Within the context of BS ISO 27002:2015, which statement most accurately encapsulates the strategic perspective on information security?

  • Information is uniformly protected irrespective of its specific value to the organization.
  • Information security is primarily concerned with preventing unauthorized physical access to data storage facilities.
  • Information security should be adapted dynamically based on an organization's risk profile, embracing a continuous improvement paradigm. (correct)
  • Information should be protected solely based on its market value and potential revenue generation capabilities.

According to the principles outlined, real-time monitoring (24x7) of integrated security appliances, systems, and solutions obviates the need for periodic vulnerability assessments.

False (B)

Elaborate on the nuanced distinction between 'security' as a static purchase versus 'security' as a dynamic, ongoing process, and how this paradigm shift influences organizational approaches to information protection.

Security as a purchase implies a one-time investment in protective measures, whereas security as a process emphasizes continuous monitoring, adaptation, and improvement to address evolving threats and vulnerabilities.

Within the tripartite framework of information security components, ______________ encompasses the tangible assets like cabling, data/voice networks, and telecommunications services, illustrating the foundational infrastructure that underpins secure operations.

technology

Match the access control principle with its correct application in securing information:

  • Confidentiality = Limiting information access to authorized individuals only.
  • Integrity = Ensuring information accuracy and completeness throughout processing stages.
  • Accessibility = Providing authorized users timely and reliable access to necessary information assets.

Given an organization's acknowledgment of the dictum that 'business survival depends on information security,' which strategic imperative aligns most directly with translating this awareness into actionable outcomes?

Integrating information security considerations into all facets of strategic planning and operational execution. (A)

In the context of risk management pertaining to information security, a vulnerability inherently constitutes an immediate threat to an asset.

False (B)

Articulate the complex interplay between 'Threat,' 'Vulnerability,' and 'Risk,' and provide a detailed scenario illustrating how these elements converge to compromise an organization's information security posture.

A threat exploits a vulnerability in an asset, leading to risk. For example, a phishing email (threat) exploits a lack of employee training (vulnerability) to compromise sensitive data (risk).

In the realm of threat actors, ______________ insiders are often considered particularly dangerous due to their implicit understanding of organizational infrastructure and heightened access privileges, which can lead to substantial data breaches.

internal

Match the correct motivation with a corresponding threat actor:

  • External Hackers = Game Playing/Ego
  • Internal Hackers = Disenchantment
  • Terrorist = Revenge/Political

Within the context of BS 7799 and its subsequent iterations, what critical paradigm shift occurred in the transition from a UK standard to an internationally recognized standard (ISO 17799)?

A harmonization of terminology and frameworks to facilitate global interoperability and comparability. (B)

According to the provided materials, 'Social Engineering' is categorized as a minor threat.

False (B)

Elaborate on why the vast majority of firms confess their inability to verify if their systems are currently compromised.

The inability to determine compromises stems from inadequate monitoring tools, lack of expertise, and the sophistication of modern attack vectors.

As an element of threat, the ______________ represents the causal agent that instigates the undesirable event, encompassing human entities, automated systems, or natural forces.

agent

Match the identified category of threat with a relevant example:

  • Human Errors or failures = Accidents, Employee mistakes
  • Deliberate Acts of espionage or trespass = Unauthorized Access and/or data collection
  • Technical hardware failures or errors = Equipment failures / errors

In the context of organizational security breaches, which factor most significantly exacerbates the potential for 'Loss of Goodwill,' thereby undermining an organization's long-term viability?

The inadvertent disclosure of sensitive customer data due to inadequate encryption protocols. (C)

According to the material presented, an organization only has one strategy for security.

False (B)

Delineate the roles of People, Processes, and Technology in ensuring robust information security, and offer examples of how each component contributes to safeguarding an organization's assets.

People (employees with security awareness), Processes (incident response protocols), and Technology (firewalls) are all important. All work together.

______________, systems and solutions, software, alarms and vulnerability scans working together and monitored 24x7

appliances

Match the type of information with its impact on the organization:

  • Corrupted = Data integrity is breached.
  • Stolen = Breach of confidentiality and potential misuse.
  • Destroyed = Loss of availability and impact on business continuity.

Assuming an organization aims to enhance its Information Security Management System (ISMS) to align with BS ISO 27002:2015, which step directly contributes to mitigating risks associated with human factors, particularly unintentional errors?

Establish a comprehensive security awareness training program targeting diverse employee roles. (A)

Security breaches only result in financial losses.

False (B)

How would you mitigate against remote access vulnerabilities?

Multi-factor authentication.

According to the document, information is an ______________ and should be given appropriate protection.

asset

Match the type of service with the method of delivery:

  • Software = SaaS

When considering organizational security, what does 'business survival depends on information security' mean in practice?

Invest appropriately in security so you can survive as a business. (A)

Social Engineering is a minor threat.

False (B)

What percentage of threats are internal?

70

A ____________ is something that can potentially cause damage to the organisation, IT Systems or network.

threat

Match the type of threat actor with potential motivations:

  • External Hackers = Challenge, Ego, Game Playing
  • Internal Hackers = Deadline, Financial Problems, Disenchantment

From the categories of threats listed, identify the one whose example is "Accidents, Employee Mistakes".

Human errors or failures (C)

Poor documentation is solely a consequence of poorly trained staff.

False (B)

How do you protect against the theft of information?

Encryption.

The loss of _______________ can occur due to customers losing confidence.

goodwill

Match components of Network Infrastructure:

  • Communications equipment = Related hardware

Which of these is a physical security component?

CCTV camera (B)

According to the material, the biggest risk is also the greatest asset: people.

True (A)

Why is it dangerous that more than 2/3 of firms express an inability to know the state of their systems?

It is dangerous when security risks are not identified.

According to the text on threat identification, the ______________ is the catalyst that performs the threat.

agent

Match the threat with its type:

  • Employee = Internal
  • External Parties = External

Flashcards

Information

An asset with value to an organization that needs suitable protection.

Information Security

The quality of being secure and free from danger.

People (in Information Security)

Shareholders, management, employees, business partners, service providers, contractors, customers and regulators.

Processes (in Information Security)

Work practices/workflows that use repeatable steps to accomplish business objectives.


Technology (in Information Security)

Network infrastructure, telecommunications, servers, software, and internet connections used to improve what we do.


Confidentiality

Ensuring information is accessible only to those authorized.


Integrity

Safeguarding the accuracy and completeness of information & processing methods.


Accessibility

Ensuring authorized users have access to information when required.


Security Breaches

Reputational, financial, or intellectual property decline.


Risk

A possibility that a threat exploits a vulnerability, causing damage or loss.


Threat

Something that can potentially cause damage to the organization or its systems.


Vulnerability

A weakness in the organization's systems that can be exploited by a threat.


Agent (of a Threat)

The 'catalyst' that performs the threat. It can be Human, Machine or Nature.


Motive (of a Threat)

Something that causes the agent to act, either Accidental or Intentional.


Results (of a Threat)

The product of the applied threat that normally gives rise to the loss of CIA.


Study Notes

  • Information is an asset with organizational value, requiring suitable protection

  • It should be appropriately protected, regardless of its form, method of storage, or sharing

  • Information can be:
    • Created
    • Stored
    • Destroyed
    • Processed
    • Transmitted
    • Used (Properly or Improperly)
    • Corrupted
    • Lost
    • Stolen
    • Printed or written on paper
    • Transmitted by post or electronic means
    • Shown on corporate videos
    • Displayed or published online
    • Verbal

  • Information security constitutes a state of being secure and free from danger

  • Security is attainable through various strategies, individually or in combination

  • Security is vital for protecting essential processes and their underlying systems

  • Security goes beyond a purchase; it requires a proactive approach

  • An integrated framework of appliances, systems, software, alarms and vulnerability scans, monitored 24/7

  • Security encompasses people, processes, technology, policies and procedures

  • Security is relevant for PPT (PowerPoint presentations) and all appliances or devices

Security Components

  • Involves People, Processes, and Technology
  • People are the users or those who interact with the information:
    • Shareholders/Owners
    • Management
    • Employees
    • Business Partners
    • Service Providers
    • Contractors
    • Customers/Clients
    • Regulators
  • Processes constitute the "work practices" or workflow
    • Involve "repeatable steps" to achieve business objectives
    • Examples:
      • Helpdesk or Service Management
      • Incident Reporting and Management
      • Change Request Process
      • Request Fulfillment
      • Access Management
      • Identity Management
      • Service Level/Third-party Services Management
      • IT procurement process
  • Technology is used to improve operations
    • Includes network infrastructure:
      • Cabling, Data/Voice Networks and equipment
      • Telecommunications (PABX), VoIP, ISDN Video Conferencing
      • Server computers and associated storage devices
      • Operating software for servers
      • Communications equipment and hardware
      • Intranet and Internet connections
      • VPNs and Virtual environments
      • Remote access services
      • Wireless connectivity
    • Application software:
      • Finance and assets systems, including Accounting packages, Inventory Management, HR and reporting
      • Software as a Service (SaaS) instead of Software
    • Physical security components:
      • CCTV cameras
      • Clock in/biometrics
      • Environmental management: humidity, ventilation, air conditioning and fire control
      • Electricity/power backup
    • Access devices:
      • Desktop computers
      • Laptops and ultra-mobile laptops
      • Thin client computing
      • Digital cameras, printers, scanners and photocopiers

  • Information security protects against a range of threats

  • It ensures business continuity, minimizes financial loss, optimizes returns on investments and increases business opportunities

  • Business survival relies on information security

ISO 27002

  • ISO 27002:2005 emphasizes:
    • Confidentiality: ensure information is accessible only to those authorized
    • Integrity: safeguard accuracy and completeness of information and processing methods
    • Accessibility: authorized users must have access when required

Security Breaches

  • Result in:
    • Reputation or Financial loss
    • Intellectual property loss
    • Legal actions (Cyber Law), loss of customer confidence and business interruption costs, "Loss of Goodwill"
  • Information security is an organizational rather than an IT problem
  • Over 70% of threats are internal, and over 60% of culprits are first-time offenders
  • People are the biggest risk and the biggest asset
  • Social engineering poses a major threat
  • More than 2/3 express inability to determine "Whether my systems are currently compromised?"

Risk, Threat & Vulnerability

  • Risk is the potential for a threat to exploit a vulnerability in an asset, causing damage or loss
  • Threat is something that can damage the organization, IT systems or network
  • Vulnerability is a weakness that can be exploited by a threat

Threat Identification

  • Agent is the catalyst of a threat
    • Can be human, machine, or nature
  • Motive is what causes the agent to act, whether accidental or intentional
    • The only motivating factor that can be both accidental and intentional is HUMAN
  • Results are the outcome of the applied threat, typically leading to CIA loss
  • Threats consist of Employees, External parties, low awareness of security issues, growth in networking, complexity of hacking tools & viruses and natural disasters

Threat Sources

  • External hackers are motivated by challenges, ego and game playing, leading to system hacking and social engineering
  • Internal hackers are driven by deadlines, financial problems and disenchantment, resulting in backdoors, fraud and poor documentation
  • Terrorists, driven by revenge and political motives, conduct system attacks, social engineering, letter bombs and viruses
  • Poorly trained individuals unintentionally cause errors in data and programming, leading to system bugs and corruption of data

Brief History

  • Early 1990s: DTI (UK) formed a working group, resulting in BSI-DISC publication
  • 1995: BS 7799 published as UK Standard
  • 1999: BS 7799-1:1999 second revision published
  • 2000: BS 7799-1 accepted by ISO as ISO 17799; BS 7799-2:2002 published
