Information Security Principles Quiz

Questions and Answers

Which author wrote a book specifically focused on the practical approach to information security planning?

  • Susan Lincke (correct)
  • Michael Nieles
  • Mark Stamp
  • Victoria Yan Pillitteri

What year was 'Information Security Principles and Practice' published?

  • 2013
  • 2005 (correct)
  • 2010
  • 2017

Which of the following is NOT one of the authors of 'An Introduction to Information Security'?

  • Michael Nieles
  • Susan Lincke (correct)
  • Kelley Dempsey
  • Victoria Yan Pillitteri

Which title was published most recently?

  • An Introduction to Information Security (correct)

Which topic does the book 'Information Security Principles and Practice' primarily cover?

  • Fundamental concepts of information security (correct)

What is the primary goal of information security?

  • To maintain integrity, availability, and confidentiality (correct)

Which of the following best describes integrity in information security?

  • The protection of data from unauthorized changes (correct)

How does availability contribute to information security?

  • By allowing data to be easily accessible to authorized users (correct)

Which feature of information security focuses on protecting data from interception and unauthorized viewing?

  • Confidentiality (correct)

What is a key characteristic of information security related to unauthorized modifications?

  • Integrity (correct)

Who is responsible for the management of information systems?

  • Information system manager (correct)

What is one of the main purposes of regulation under law number 5651?

  • To regulate internet broadcasting (publications on the internet) (correct)

Which statement best reflects the concept of information security mentioned?

  • A chain is only as strong as its weakest link. (correct)

What does the term 'information owner' refer to?

  • The entity responsible for managing and protecting information (correct)

Under what legislative act are the responsibilities of information users defined?

  • Law number 5651 (correct)

What does the attack surface of a software application refer to?

  • The potential vulnerabilities and entry points that can be exploited by attackers. (correct)

Which component is NOT typically considered part of a software's attack surface?

  • Encryption algorithms (correct)

Why is it important to understand the attack surface of an application?

  • To identify potential vulnerabilities that need to be mitigated. (correct)

Which of the following represents a way an attacker might access a system?

  • By exploiting software vulnerabilities. (correct)

What is a primary focus when analyzing a software's attack surface?

  • Minimizing the number of entry points for attackers. (correct)

What is the primary function of a vulnerability scanner?

  • To identify and verify security vulnerabilities in an IP host device (correct)

How does a vulnerability scanner operate?

  • It compares information it gathers to known software vulnerabilities in its database (correct)

What types of vulnerabilities can be prioritized by a vulnerability scanner?

  • Vulnerabilities are categorized as critical, major, or minor (correct)

Which of the following statements is false about vulnerability scanners?

  • They operate independently of existing software installations. (correct)

What is a likely output of a vulnerability scanner after it completes a scan?

  • A detailed report of detected vulnerabilities, categorized by severity (correct)
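
The scanning principle behind the five questions above (gather facts about a host, compare them with a database of known vulnerabilities, and report findings ordered by severity) as a worked example. This is an added illustration, not code from the course or from any real scanner: live probing is replaced by a static inventory of service banners, and the products, version ranges and identifiers of the form EX-2024-000N in the database are constructed for the example, not real advisories.

```python
"""Minimal banner-matching vulnerability scanner (added illustration).

Scanning principle: gather facts about a host (here, constructed service
banners instead of live probes), compare them with a known-vulnerability
database keyed by product and affected version range, and emit a report
sorted by severity. Database entries and banners are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # constructed identifier, not a real CVE
    product: str
    affected_max: tuple  # versions strictly below this tuple are affected
    severity: str       # "critical", "major" or "minor"
    summary: str


# Constructed vulnerability database (not real advisories)
VULN_DB = [
    Vuln("EX-2024-0001", "ExampleSSH", (8, 9), "critical", "pre-auth code execution (constructed)"),
    Vuln("EX-2024-0002", "ExampleHTTP", (2, 4, 50), "major", "path traversal (constructed)"),
    Vuln("EX-2024-0003", "ExampleHTTP", (2, 4, 60), "minor", "verbose error page (constructed)"),
]

SEVERITY_RANK = {"critical": 0, "major": 1, "minor": 2}


def parse_version(text):
    """'2.4.52' -> (2, 4, 52); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """'ExampleSSH/8.4' -> ('ExampleSSH', (8, 4)); None if the banner is not product/version."""
    try:
        product, version = banner.split("/", 1)
        return product, parse_version(version)
    except ValueError:
        return None


def scan_host(host, banners):
    """banners: {port: banner}. Returns findings sorted by severity, then port."""
    findings = []
    for port, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unrecognised banner: nothing to compare against
        product, version = parsed
        for vuln in VULN_DB:
            if vuln.product == product and version < vuln.affected_max:
                findings.append({
                    "host": host, "port": port, "product": product,
                    "version": banner.split("/", 1)[1], "id": vuln.vuln_id,
                    "severity": vuln.severity, "summary": vuln.summary,
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["port"]))
    return findings


def format_report(findings):
    """One line per finding, most severe first."""
    return "\n".join(
        f"[{f['severity'].upper():8}] {f['host']}:{f['port']} {f['product']}/{f['version']} "
        f"{f['id']} - {f['summary']}"
        for f in findings
    )


# Constructed inventory standing in for live banner grabs
SAMPLE_HOST = "10.0.0.5"
SAMPLE_BANNERS = {
    22: "ExampleSSH/8.4",       # below 8.9 -> critical finding
    80: "ExampleHTTP/2.4.52",   # below 2.4.60 but not below 2.4.50 -> minor only
    443: "ExampleHTTP/2.4.62",  # fully patched
    3306: "garbage-banner",     # not parseable, skipped
}

if __name__ == "__main__":
    print(format_report(scan_host(SAMPLE_HOST, SAMPLE_BANNERS)))
```

Version-string matching is how most network scanners produce their findings, and it is also their main source of false positives: distributions that backport fixes keep the old version string, so a banner match should be verified (the "identify and verify" in the quiz) before it is treated as exploitable.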

What type of attack aims to prevent access to critical systems or data?

  • Availability Attacks (correct)

Which tactic involves convincing someone using the principle of authority?

  • Authority (correct)

Which of the following best describes the tactic of dumpster diving?

  • Searching for sensitive information in discarded materials (correct)

What is a common purpose of social engineering attacks?

  • To steal or manipulate information (correct)

Which method relies on creating a false narrative to extract information?

  • Hoaxes (correct)

Flashcards

Information Security Principles

Fundamental concepts and guidelines for protecting information assets.

Information Security Planning

Structured approach to manage security risks and implement controls.

Information Security Practice

Active implementation of security principles and plans.

Information Assets

Data, systems, and resources needing protection.

The Internet

Global network connecting computers and devices.

Information Security

Ensuring the continuous protection of data integrity, availability, and confidentiality.

Integrity

Protection of data from unauthorized changes to keep it accurate and reliable.

Availability

Ensuring authorized users have access to information when needed.

Confidentiality

Protecting data from unauthorized access.

Data Security

Protecting data from all threats, ensuring it meets the standards of integrity, availability, and confidentiality

Information owner

Individual responsible for information within a system.

Information users

Individuals who access and utilize information.

Information system manager

Person responsible for a system that uses information.

Law 5651

Turkish Law No. 5651, which regulates publications on the internet and the fight against crimes committed through such publications.

Chain strength

The weakest link determines the whole system's strength.

Attack surface

All potential points of access by attackers for exploitation of systems or applications.

Software attack surface

All potential vulnerabilities and entry points where software might be attacked.

Targets of attack components

Systems, applications, and users susceptible to attack.

Access methods for targets

Any way an attacker gains access to their target.

Software Weak Points

Weaknesses within software that attackers could possibly exploit.

Vulnerability Scanner

Software program used to identify and possibly verify security weaknesses in an IP host device.

Scanning Principle

Comparing found information with known software vulnerabilities from a database to identify flaws.

Vulnerability Severity

Classifies each detected flaw by severity, typically as critical, major (important), or minor.

IP Host Device

A computer or network device connected to a network.

Security Weakness

A flaw in a computer program or system that allows unauthorized access or damage.

Social Engineering Attack Types

Techniques used to manipulate people into revealing sensitive information or performing actions that compromise information systems.

Authority Social Engineering

Exploiting perceived authority to trick individuals into acting against their best interest or giving up sensitive information.

Consensus Social Engineering

Manipulating individuals into compliance by creating a sense of perceived societal pressure.

Availability Attacks

Attackers' actions aimed at preventing access to critical systems, applications, or data.

Dumpster Diving

Searching and retrieving sensitive information from discarded materials, like trash cans or discarded documents.

Study Notes

Information Security and Cyber Security Introduction

  • The course covers topics like Information System Security, Internet of Things (IoT) Security, Malicious Attacks, Threats, and Vulnerabilities.
  • Key security concepts include Confidentiality, Integrity, and Availability (CIA).
  • Practical examples of cyberattacks like internet banking fraud, website content modification, and denial-of-service attacks are discussed.

Course Topics

  • Information System Security
  • Internet of Things (IoT) and Security
  • Malicious Attacks, Threats and Security Vulnerabilities
  • Information Security Operations and Management
  • Access Control
  • Risk, Response, and Recovery

Resources

  • Aldatma Sanatı (The Art of Deception) (Kevin D. Mitnick)
  • Hacking Interface (Hamza Elbahadır)
  • Information Security Principles and Practice (Mark Stamp)
  • Information Security Planning: A Practical Approach (Susan Lincke)
  • An Introduction to Information Security (Michael Nieles, Kelley Dempsey, Victoria Yan Pillitteri; NIST SP 800-12 Rev. 1)
  • Adli Bilişim: Dijital Delillerin Elde Edilmesi ve Analizi (Digital Forensics: Acquisition and Analysis of Digital Evidence) (Türkay Henkoğlu)
  • Yazılım Güvenliği Saldırı ve Savunma (Software Security: Attack and Defense) (Bünyamin Demir)
  • Ethical Hacking (Ömer Çıtak)

Key Concepts

  • Integrity (ensures data accuracy and consistency)
  • Availability (guarantees legitimate access to data and systems)
  • Confidentiality (protects data from unauthorized access)

Fundamental Concepts

  • Internet banking account compromise is a confidentiality violation
  • Modifying a website's content is an integrity violation
  • Blocking access to a website is an availability violation

Information Security Responsibilities

  • Everyone (users) is responsible for information security.
  • Information owners
  • Information users
  • Information system administrators
  • Current legislation defines the relevant legal and regulatory requirements.

Suspicions of Information Security Violations

  • System slowdown without user intervention can indicate a security breach
  • Data loss or unauthorized changes suggest a security issue
  • Malfunctioning security software can signal a breach
  • Unusual web page behavior can indicate a problem

What is Information?

  • Information is what removes uncertainty about a subject.
  • Processed data is known as information.
  • Information is a valuable asset, like the other critical resources within an organization.

What is Security?

  • Security involves availability, stability, access control, data integrity, and verification (authentication).
  • Security is essentially risk management: controls are chosen in proportion to the risk they reduce.
  • A system is considered secure if it behaves as its users require and expect, even in the presence of an adversary.

Computer System Access Security

  • Physical security of the computer environment
  • Risk of theft for portable devices
  • Unauthorized access attempts
  • Network-based access to information
  • Security precautions, such as password protection
  • Anti-virus and firewall software

Password Security

  • Strong passwords (long and difficult to guess) are crucial.
  • Never share passwords.
  • Change passwords regularly, and immediately after any suspected compromise (current NIST SP 800-63B guidance advises against forcing periodic changes without evidence of compromise).
  • Avoid writing down passwords.
  • Keep anti-virus and firewall software regularly updated.

Software Installation and Updates

  • Operating system updates are essential for security.
  • Regularly updating installed applications is necessary.
  • Avoid installing software from untrusted sources.
  • Do not visit suspicious websites.

Cyber Crimes and Motivations

  • Cybercrime refers to illegal activities conducted through computer systems, networks and the internet
  • Ransomware encrypts data and demands payment for its release
  • DDoS attacks overwhelm systems with excessive traffic.
  • SQL injection attacks exploit unsanitized input in database queries to read or manipulate databases
  • Cyber-spying for personal or state intelligence is a serious threat
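
The SQL injection bullet above, shown as the vulnerable query beside its parameterized fix. This is an added example, not course material: it uses an in-memory SQLite database seeded with constructed rows, and the attacker strings are constructed inputs; the `password_hash` argument stands in for whatever the application would compare after hashing, so the focus stays on how the query is built.

```python
"""SQL injection: string-built query beside the parameterized fix (added illustration).

Runs against an in-memory SQLite database with constructed rows. The
vulnerable function splices user input into the statement text, so a quote
in the input changes the query's structure; the safe function sends the
statement and the values separately, so input can only ever be data.
"""
import sqlite3


def make_db():
    """Constructed users table; password_hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "admin"),
        ("bob", "hash-of-bob-pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password_hash):
    # BAD: user-controlled strings become part of the SQL text itself.
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password_hash):
    # GOOD: placeholders; the driver binds values, they never alter the statement.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchall()


# Constructed attacker inputs. The quote closes the string literal and the
# SQL comment marker "--" discards the rest of the WHERE clause.
INJECT_AS_ALICE = "alice' --"
INJECT_ANYONE = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, wrong password:", login_vulnerable(conn, INJECT_AS_ALICE, "wrong"))
    print("vulnerable, dump all users:", login_vulnerable(conn, INJECT_ANYONE, "wrong"))
    print("safe, same input:          ", login_safe(conn, INJECT_AS_ALICE, "wrong"))
    print("safe, real credentials:    ", login_safe(conn, "alice", "hash-of-alice-pw"))
```

The parameterized version still returns the right row for genuine credentials; the difference is only that the attacker's quote and comment marker arrive as literal characters to compare against, not as syntax. Escaping input by hand is not an equivalent fix, because it has to be repeated correctly at every query site.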

Cyber-Espionage and Malicious Actors

  • Cyber-espionage aims at acquiring sensitive information through unauthorized access to computer systems or networks.
  • Advanced Persistent Threats (APTs) are complex, sustained cyber-attacks usually orchestrated by state-sponsored groups or organized criminal entities.
  • Supply-chain attacks exploit vulnerabilities in the supply chains of organizations to compromise the target. This often involves third party software or service providers.

Real-World Cyberattacks

  • Historical notable cyberattacks (e.g., the Jerusalem virus, which triggered on Friday 13 May 1988; the Michelangelo virus, discovered in 1991; the 2010 Anonymous "Operation Payback" DDoS attacks on payment providers that had cut off WikiLeaks)
  • Major cybercrime incidents (e.g., large-scale thefts of credit card data in 2008, 2009, 2013, 2016, and later)
  • Case studies on notable attacks, including those targeting specific organizations (e.g., Uber and others).

Network Attacks

  • Packet-dropping attacks
  • Packet delay attacks
  • Network congestion attacks
  • Connection-based protocol attacks

Network Message Content Attacks

  • Packet modification attacks
  • Packet injection attacks
  • Man-in-the-Middle attacks

Protocol-Specific Attacks

  • Specific exploit attacks targeting software or network protocol vulnerabilities (e.g., TCP sequence prediction attacks, ARP spoofing)
  • Denial-of-Service (DoS) attacks, distributed denial-of-service (DDoS) attacks
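
ARP spoofing, named above, is usually detected passively: a monitor remembers which MAC address answered for each IP and flags an IP that suddenly answers from a different MAC, or a single MAC that claims several IPs (the pattern of a man-in-the-middle poisoning both the gateway and a victim). The detector below is an added example, not course code; the gateway address and the ARP replies are constructed, and in practice the replies would come from a sniffer such as tcpdump or scapy.

```python
"""Passive ARP spoofing detector over a constructed capture (added illustration).

Each ARP reply is (sequence number, sender IP, sender MAC). Alerts are raised
when an IP's MAC changes (HIGH if the IP is the gateway) and when one MAC
starts claiming a second IP. GATEWAY_IP and the capture are constructed.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway for the example


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Returns a list of alert strings, in capture order."""
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"[{severity}] #{seq}: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        first_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if first_claim and len(mac_to_ips[mac]) > 1:
            alerts.append(f"[HIGH] #{seq}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed capture: attacker de:ad:be:ef:00:66 poisons gateway and victim.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway
    (2, "192.168.1.10", "aa:aa:aa:aa:aa:10"),  # real victim
    (3, "192.168.1.66", "de:ad:be:ef:00:66"),  # attacker's own address
    (4, "192.168.1.1", "DE:AD:BE:EF:00:66"),   # attacker claims to be the gateway
    (5, "192.168.1.10", "de:ad:be:ef:00:66"),  # ... and the victim
    (6, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway answers again (flapping)
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

A MAC change is not proof of an attack: DHCP reassignments, replaced network cards and gateway failover protocols such as VRRP all produce legitimate changes, so a production monitor should whitelist known redundancy addresses and treat a single change as a lead rather than a verdict. A MAC that flaps back and forth for the gateway address, as in replies 4 and 6, is much harder to explain innocently.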

DoS (Denial of Service) and DDoS (Distributed Denial of Service) Attacks

  • DoS attacks aim to flood and overwhelm a service or system with excessive traffic to render it unavailable
  • DDoS attacks coordinate multiple devices to flood the target system

DoS Attack Mechanisms and Types

  • SYN Flood (TCP: a flood of SYN segments fills the listener's half-open connection backlog)
  • Ping of Death (ICMP echo requests whose fragments reassemble to more than the 65,535-byte IP maximum, crashing unpatched stacks)
  • HTTP Flood (application layer: large volumes of well-formed HTTP requests that exhaust server resources)

DDoS Attack Structure and Effects

  • Botnets, networks of compromised devices (bots), are used to coordinate attacks
  • Attackers command and control bots to launch attacks simultaneously
  • Attacks disrupt services, damage reputations, and cause financial losses for victim organizations

DoS and DDoS Countermeasures

  • Intrusion detection systems
  • Load balancers
  • Rate limiting
  • DDoS protection services from service providers like Akamai, Cloudflare
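
Rate limiting, listed above, is the countermeasure most easily shown in code. The token-bucket limiter below is an added example, not course code: each source IP gets a bucket of `capacity` tokens refilled at `refill_per_sec`, and a request that finds less than one token is rejected (a web server would answer 429 or drop the connection). The IP addresses and the request log are constructed; tokens are tracked in thousandths and time in milliseconds so the replay is exact integer arithmetic.

```python
"""Per-source token-bucket rate limiter replayed over a constructed request log.

Added illustration of the rate-limiting countermeasure. Tokens are kept in
milli-tokens and timestamps in milliseconds, so a refill rate of N tokens per
second is N milli-tokens per millisecond and no floating-point drift occurs.
"""
from collections import defaultdict


class TokenBucketLimiter:
    def __init__(self, capacity, refill_per_sec):
        self.capacity_m = capacity * 1000      # bucket size in milli-tokens
        self.refill_per_ms = refill_per_sec    # tokens/s == milli-tokens/ms
        self._state = {}                       # source -> (milli_tokens, last_ms)

    def allow(self, source, now_ms):
        """True if the request from `source` at `now_ms` may proceed."""
        tokens, last = self._state.get(source, (self.capacity_m, now_ms))
        tokens = min(self.capacity_m, tokens + (now_ms - last) * self.refill_per_ms)
        if tokens >= 1000:
            self._state[source] = (tokens - 1000, now_ms)
            return True
        self._state[source] = (tokens, now_ms)  # rejected, but refill keeps accruing
        return False


def apply_limiter(requests, capacity=5, refill_per_sec=1):
    """requests: iterable of (timestamp_ms, source_ip).
    Returns {source: {"allowed": n, "rejected": m}} so the caller sees who was throttled."""
    limiter = TokenBucketLimiter(capacity, refill_per_sec)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, src in sorted(requests):
        outcome = "allowed" if limiter.allow(src, ts) else "rejected"
        stats[src][outcome] += 1
    return dict(stats)


# Constructed log: 203.0.113.7 fires 40 requests in 2 s (a flood);
# 198.51.100.4 sends one request per second (normal use).
SAMPLE_REQUESTS = ([(i * 50, "203.0.113.7") for i in range(40)]
                   + [(i * 1000, "198.51.100.4") for i in range(10)])

if __name__ == "__main__":
    for src, counts in apply_limiter(SAMPLE_REQUESTS).items():
        print(f"{src:14} allowed={counts['allowed']:2} rejected={counts['rejected']:2}")
```

With a burst capacity of 5 and a refill of one token per second the flooding client gets its first five requests through, then one more when a full token has accrued, while the well-behaved client is never throttled. Per-source limiting is a DoS defence rather than a DDoS defence: a botnet spreads its requests over thousands of sources that each stay under the limit, which is why the list above also includes upstream scrubbing services and load balancers.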

Network Security Classifications

  • Network Security
  • Endpoint Security
  • Data Security
  • Application Security
  • Identity and Access Management
  • Security Management
  • Virtualization and Cloud

Network Security Components

  • Content Security
  • Email Security
  • Firewall/VPN
  • Intrusion Prevention System (IPS)
  • Unified Threat Management (UTM)
  • Network Access Control (NAC)
  • Wireless
  • Monitoring
  • Forensics
  • Managed Services
  • Management

Endpoint/User Security

  • Endpoint Defense
  • Anti-Malware
  • Host Firewall
  • Host Intrusion Prevention System (HIPS)
  • Application Whitelisting
  • Disk Encryption
  • Device Control
  • Mobile Security
  • Remote Access/VPN

Data Security

  • Database Security
  • Database Assessment
  • Database Activity Monitoring
  • Database Encryption
  • Data Loss Prevention
  • DLP Solutions (full suite)
  • Network DLP
  • Endpoint DLP
  • Content Discovery
  • DLP Features

Data Encryption

  • File/Folder encryption
  • Distributed encryption
  • Key Management
  • SAN/NAS
  • Application Encryption
  • Access Management
  • Entitlement Management
  • File Activity Monitoring

Application Security

  • Web Application Firewalls
  • Application Testing (dynamic, static)
  • Secure Development
  • Threat Modeling
  • Development Processes
  • Testing Methodologies

Identity and Access Management

  • Directories
  • Authentication
  • Provisioning
  • Web Access Management

Security Management

  • Compliance (e.g., IT-GRC, PCI, SOX, HIPAA, NERC-CIP)
  • Privacy
  • Security Operations
  • Security Information and Event Management (SIEM)
  • Log Management

System Management

  • System Management
  • Patch Management
  • Configuration Management
  • Vulnerability Management
  • Vulnerability Assessment
  • Penetration Testing
  • Incident Response

Virtualization and Cloud

  • Virtualization Security
  • Virtual Machine Security
  • Virtualization Infrastructure Security
  • Cloud Security
  • Cloud Security Services
  • Cloud Hardening
  • Cloud Risk Management

Information Security Failures

  • Inadequate antivirus or firewall software
  • Disregard for security policies
  • Lack of understanding of computer systems
  • Failure to take security precautions when using a computer

Information Security and Users

  • Information security awareness is critical
  • User errors are a significant cause of security breaches
  • Attackers frequently exploit user vulnerabilities
  • A single security vulnerability can affect the entire system
  • Technical controls alone are not sufficient, user education is essential

Computer Networks

  • OSI and TCP/IP models
  • Network protocols: functions (data transmission, data generation, resource management)

Computer Network Attacks

  • Basic attack types
  • Attack applicability and complexity
  • Attack types focusing on data transmission
  • Methods of network-message content attacks
  • Protocol-specific attacks focusing on weaknesses in protocols

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

  • Goal of DoS/DDoS to overwhelm a service or system
  • Common techniques: flooding, congestion

DoS Attack Mechanisms and Types

  • SYN Flood
  • Ping of Death
  • HTTP Flood

DDoS Attack Structure and Effects

  • Botnets are used to coordinate attacks
  • Coordination allows for large-scale attacks

DoS/DDoS Countermeasures

  • Intrusion Detection Systems (IDS)
  • Load Balancing
  • Rate Limiting
  • DDoS Protection services

Real-World Information Security Breaches

  • Detailed examples of real-world information security breaches with potential effects on various organizations and industries.
  • Focus on specific attacks and their repercussions, including financial and reputational losses.

Security Risks and Threats

  • A vulnerability is a weakness that can be exploited; a threat is a potential event or actor that could exploit it; risk is the likelihood that a threat exploits a vulnerability, combined with the resulting impact.
  • Security flaws and weaknesses, either intentional or unintentional, can negatively affect businesses and individuals.
  • Risks and threats are assessed before a security plan is developed.
  • Data loss, changes, and disruption can severely impact operations and users.

Types of Threats

  • Disclosure: Unauthorized access to sensitive information
  • Alteration: Unauthorized modification of data or system configuration
  • Denial/Destruction: System or data disruption or deletion

IT Infrastructure Areas

  • Local area network (LAN)
  • Wide area network (WAN)
  • Demilitarized zone (DMZ)
  • Virtual local area networks (VLANs)
  • Remote access

Information Security Policies and Procedures

  • Policies and Procedures for Data Classification
  • Policies and Procedures for Access Control
  • Policies and Procedures for Data Security
  • Policies and Procedures for System Security
  • Policies and Procedures for Incident Response

Other Models of Access Control

  • Bell-LaPadula Model (confidentiality: simple security property "no read up" and *-property "no write down")
  • Brewer and Nash Model (Chinese Wall: conflict-of-interest classes)

Access Control Lists

Role-Based Access Control (RBAC)

Content-Based Access Control

Restricted User Interfaces

Network Security Policies

Laws and Regulations on Data Security

  • Examples of existing laws and regulations (e.g., SOX, HIPAA, etc.)
  • Key points for organizations regarding complying with local and international regulations.

Information Security Policies

  • Policies for handling data breaches, including incident response

Data Security

  • Methods for ensuring security standards

Data Classification and Security Requirements

  • Considerations for data classification, security, and access issues

Data Classification Criteria

  • Value
  • Sensitivity
  • Criticality

Data Classification Objectives

Data Classification Examples

Data Classification Procedures and Security

Configuration Management and Security

  • Network changes over time
  • Ensuring security changes via a structured process
  • Preventing accidental or malicious configuration changes

Patch/Updates and Service Package Management

  • Ensuring systems are up to date via defined schedule
  • Testing procedures for patches
  • Tools for managing patches and their delivery.

Change Management and Configuration Control

  • Establishing processes for changes in configurations
  • Assessing the impact of changes on the system

Change Management and Security

  • The importance of having a committee review and approve changes (e.g., Security Impact Assessment Committee)
  • Processes for change control, including procedures, approvals, testing, implementation etc.

Application and Monitoring

  • Testing procedures of applications
  • Monitoring ensures systems operate correctly and warns of issues.
  • Common problems during the review process, such as oversight or failure to identify risks
  • Solutions to these problems for effective implementation

Software Development Life Cycle (SDLC)

  • Model stages involved in designing, developing and implementing application software

System Life Cycle (SLC)

  • Defines the entire process for developing software, from initial planning through final deployment and maintenance
  • Provides a framework for structured approaches
  • Helps in better management and control over development projects

Relevant Testing and Certification Processes

  • Importance of testing procedures used to identify system vulnerabilities and verify compliance with security standards
  • Certification processes for software and systems

Secure Software Development Practices

  • Security considerations during program design and development
  • Use of secure coding practices and development tools
  • Implementing validation tests for security purposes

Software Development Models

  • Waterfall and Agile

Waterfall Model

Agile Model

Discussion about Different Models

  • Benefits and challenges for each model
  • Factors to consider when choosing a model

Information Security Breaches

  • Information security breaches and how to mitigate them

Access Control Policies

  • Policies dealing with user access, permissions, and responsibilities.

Access Control Methods

  • Methods for enforcing access control policies, including passwords, tokens, and biometric authentication.

Security Policies and Procedures

  • Policies and procedures to ensure operational effectiveness and continuity

Data Storage, Media Disposal, and Compliance Requirements

  • Local and international laws and regulations regarding data storage and disposal
  • Guidelines for securely disposing of sensitive material

Remote Access

Discretionary Access Control (DAC)

  • Advantages and disadvantages
  • Implementation aspects

Mandatory Access Control

  • Principles behind this method and its role in controlling access
  • Considerations and policies that are needed
  • Advantages and disadvantages

Access Control Lists (ACLs)

Role-Based Access Control (RBAC)

Content-Based Access Control
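
The access control models listed in this outline and under "Other Models of Access Control" above (Bell-LaPadula as the classic mandatory model, Brewer and Nash, and role-based access control) as one worked decision function. This is an added example, not course code: the classification levels, compartments, roles, users, objects and conflict-of-interest classes are all constructed for the illustration.

```python
"""Bell-LaPadula and Brewer-Nash checks layered on an RBAC check (added illustration).

Labels are (level, compartments). Simple security property: a subject may
READ an object only if the subject's label dominates the object's ("no read
up"). *-property: a subject may WRITE an object only if the object's label
dominates the subject's ("no write down"). Brewer-Nash (Chinese Wall): once a
subject has touched one company's data in a conflict-of-interest class, it may
not touch a competitor's data in the same class. All policy data is constructed.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a, b):
    """True if label a = (level, compartments) dominates label b in the lattice."""
    level_a, comps_a = a
    level_b, comps_b = b
    return LEVELS[level_a] >= LEVELS[level_b] and set(comps_b) <= set(comps_a)


def blp_allows(subject_label, object_label, action):
    if action == "read":
        return dominates(subject_label, object_label)   # no read up
    if action == "write":
        return dominates(object_label, subject_label)   # no write down
    raise ValueError(f"unknown action {action!r}")


# Constructed RBAC policy: role -> permitted actions
ROLE_PERMISSIONS = {"analyst": {"read"}, "editor": {"read", "write"}}


def rbac_allows(roles, action):
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# Constructed Brewer-Nash conflict-of-interest classes: company -> class
CONFLICT_CLASS = {"bank_a": "banks", "bank_b": "banks", "oil_x": "oil"}


def chinese_wall_allows(history, company):
    """history: companies whose data the subject has already accessed."""
    cls = CONFLICT_CLASS.get(company)
    if cls is None:
        return True  # object is not in any conflict class
    competitors = {c for c, k in CONFLICT_CLASS.items() if k == cls and c != company}
    return not (set(history) & competitors)


def access(subject, obj, action):
    """RBAC first, then the BLP label check, then the Chinese Wall on the object's company."""
    if not rbac_allows(subject["roles"], action):
        return False
    if not blp_allows(subject["label"], obj["label"], action):
        return False
    return chinese_wall_allows(subject["history"], obj.get("company"))


# Constructed subjects and objects
SUBJECTS = {
    "alice": {"label": ("secret", {"crypto"}), "roles": {"analyst"}, "history": set()},
    "bob": {"label": ("confidential", set()), "roles": {"editor"}, "history": {"bank_a"}},
}
OBJECTS = {
    "plan": {"label": ("confidential", set()), "company": None},
    "keys": {"label": ("secret", {"crypto"}), "company": None},
    "ts_report": {"label": ("top_secret", set()), "company": None},
    "bank_b_ledger": {"label": ("confidential", set()), "company": "bank_b"},
}


def decide(user, name, action):
    return access(SUBJECTS[user], OBJECTS[name], action)


if __name__ == "__main__":
    for user, name, action in [("alice", "keys", "read"), ("alice", "ts_report", "read"),
                               ("alice", "plan", "write"), ("bob", "keys", "write"),
                               ("bob", "keys", "read"), ("bob", "bank_b_ledger", "read")]:
        verdict = "ALLOW" if decide(user, name, action) else "DENY"
        print(f"{user:5} {action:5} {name:13} -> {verdict}")
```

Note what the *-property permits: bob, cleared only to confidential, may write into the secret "keys" object (write up) but can never read it back. Bell-LaPadula protects confidentiality only; it says nothing about whether that blind write corrupted the object, which is the integrity concern the Biba model addresses with the mirrored rules.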
