40 Questions
A threat is a weakness or absence of safeguards.
False
Risk is the probability of a threat crossing or touching a vulnerability.
True
Exploits are aimed at performing unauthorized operations.
False
Passive threats modify information or change the system state.
False
Network intrusion risks include information theft and data loss.
True
Social Engineering and Phishing are types of network threats.
True
Identity theft involves breaking into a computer to destroy or alter data records.
False
Security aims to totally eliminate risk.
False
A Distributed Denial of Service (DDoS) is a type of Brute Force Attack.
False
Spyware can gather personal information from a computer without the user's permission.
True
Tracking Cookies are always considered a form of malware.
False
Adware is a type of spyware used to collect information about a user based on websites visited.
True
Pop-ups are a type of spyware used to collect information about a user.
False
Spam is a type of malware that can harm a computer.
False
Spammers use secure email servers to forward email.
False
DDoS attacks are designed to saturate and overwhelm network links with useless data.
True
Malware can only destroy data and leak confidential information.
False
Removable media is a propagation technique for malware.
True
Malware scanners are used to monitor activity.
False
A Security Policy is only for network security.
False
Anti-spyware software can only detect spyware applications.
False
Patches and updates are the same thing.
False
Anti-virus software can only detect and remove viruses.
False
Firewalls only filter incoming packets based on IP addresses.
False
Firewall products are only available as software.
False
Anti-spam software can only be loaded on email servers.
False
Security risks can be completely eliminated with effective risk management.
False
Best practices for using a firewall include physically securing servers and network equipment.
True
Updating antivirus software files is not necessary for security.
False
Firewalls can only block incoming packets.
False
The SANS Institute lists common security mistakes to educate users on security best practices.
True
Popup stopper software is only used to block pop-ups.
False
End users should always open e-mail attachments without verifying their source and content.
False
Installing security patches for Microsoft Office and Microsoft Internet Explorer is not important for end users.
False
Senior executives should assign untrained people to maintain security without providing training or time to learn.
False
Relying primarily on a firewall is a sufficient security measure for senior executives.
False
IT people should connect systems to the Internet before hardening them.
False
Updating systems when security holes are found is not necessary for IT people.
False
Implementing firewalls with rules that stop malicious or dangerous traffic is not important for IT people.
False
Educating users on what to look for and what to do when they see a potential security problem is not necessary.
False
Study Notes
Information Security Assets
- Assets include personnel, hardware, software, physical devices, and documents
- Identifying assets is crucial for creating an information security system
Security Terminologies
- Threat: a person, thing, event, or idea that poses danger to an asset's confidentiality, integrity, availability, or legitimate use
- Vulnerability: a weakness or absence of safeguards
- Risk: a measure of the cost of a realized vulnerability
- Exploits: programs, scripts, or code that perform unauthorized operations
- Impacts: results of an exploited vulnerability (e.g., deleted files, loss of information, loss of company image)
Focus of Security
- Security deals with managing risk to critical assets
- Security is an exercise in loss reduction
- Risk is the probability of a threat crossing or touching a vulnerability
- Risk = Threat x Vulnerability
Threats
- Accidental threats: natural disasters
- Intentional threats: active and passive threats
- Passive threats: do not modify information or system state
- Active threats: alter information or system state
Network Threats
- Risks of network intrusion: information theft, data loss and manipulation, identity theft
- Sources of network intrusion: social engineering, phishing
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Brute force attacks: guessing passwords using a fast computer
- Spyware and tracking cookies: collecting personal information without permission
- Spam: sending unsolicited emails, overloading ISPs, email servers, and individual systems
Malware Capabilities
- Destruction of data
- Leaking confidential information
- Providing backdoor access
- Countless other opportunities
Propagation Techniques
- Removable media
- E-mail attachments
- Web browsing
- Social networking
- Network vulnerabilities
- Instant messaging applications
- Peer-to-peer networks
Malware Defense Techniques
- Activity monitoring programs
- Malware scanners
- File and resource integrity checking
- Stripping e-mail attachments
- Defense-in-depth
- Patching all systems
Common Security Measures
- Security Policy: a formal statement of rules for accessing technology and information assets
- Updates and Patches: fixing specific problems and adding functionality to software
- Anti-virus Software: preventing infection, detecting, and removing viruses, worms, and Trojan horses
- Anti-Spam: identifying spam and performing an action
- Anti-Spyware: detecting and deleting spyware applications
Firewalls
- What is a firewall? A security tool that controls traffic between networks and prevents unauthorized access
- Types of Firewall:
  - Packet Filtering
  - Application/Web Site Filtering
  - Stateful Packet Inspection (SPI)
- Best Practices:
  - Define security policies
  - Physically secure servers and network equipment
  - Set login and file access permissions
  - Update OS and applications
  - Change permissive default settings
  - Run anti-virus and anti-spyware
  - Update antivirus software files
  - Activate browser tools
Mistakes People Make
- The SANS Institute's lists of mistakes that lead to security breaches:
  - The Four Worst Security Mistakes End Users Make
  - The Six Worst Security Mistakes Senior Executives Make
  - The Eight Worst Security Mistakes Information Technology People Make
This quiz covers key terms and concepts in information security, including assets, threats, vulnerabilities, and risk.