CH 13
44 Questions

Questions and Answers

What type of threat involves authorized users who may leak or tamper with data?

  • Careless Behavior
  • External Threat
  • Intentional Malicious Behavior (correct)
  • Phishing

Which of the following actions is considered careless behavior regarding cybersecurity?

  • Encrypting sensitive data
  • Regularly updating software
  • Using complex passwords
  • Failing to modify default passwords (correct)

What is social engineering primarily concerned with?

  • Gaining unauthorized access to physical locations
  • Collecting data through legitimate surveys
  • Obtaining private information by convincing users to share it (correct)
  • Infecting systems with viruses

Which type of malware is specifically designed to demand a ransom for access to data or systems?

  • Ransomware (A) (correct)

What is phishing commonly associated with in cybersecurity threats?

  • Sending official sounding spam emails (A) (correct)

Which of the following is NOT categorized as a type of malware?

  • Phishing (C) (correct)

Which scenario best illustrates an intrusion threat?

  • A hacker gains unauthorized access to company systems (A) (correct)

Which practice would likely help prevent careless behavior in cybersecurity policies?

  • Providing frequent cybersecurity training (B) (correct)

What is the main purpose of Cryptography in ensuring confidentiality?

  • To ensure data cannot be read by unauthorized users (C) (correct)

Which of the following is NOT a component of Access Control?

  • Encryption (A) (correct)

What is a common vulnerability of passwords?

  • They can be shared intentionally or unintentionally (D) (correct)

What does multi-factor authentication enhance?

  • The security of access controls (C) (correct)

What is necessary for Integrity in information security?

  • Data must remain unaltered without knowledge (D) (correct)

Which method is identified as the simplest for authentication?

  • Password (A) (correct)

How can internal threats to cybersecurity be characterized?

  • As individuals with direct access to technology infrastructure (A) (correct)

What two elements are necessary to ensure confidentiality aside from cryptography?

  • Access control and tracking (D) (correct)

What immediate action is recommended to prevent overheating due to a server shutdown?

  • Invest in a new AC system (D) (correct)

What is the consequence of a 2-hour website shutdown?

  • $20,000 loss (D) (correct)

How is the risk associated with website shutdown rated?

  • Medium due to potential losses (C) (correct)

What vulnerability rating is given to the system protecting against external threats?

  • Low because of updated firewall (A) (correct)

What is the consequence of a server shutdown for 12 hours?

  • Significant operational disruptions (B) (correct)

What is a primary responsibility of managers concerning cybersecurity?

  • To understand choices and trade-offs in security (C) (correct)

What does IT risk management primarily aim to identify?

  • Information systems security risks (C) (correct)

How should the investment in cybersecurity safeguards be determined?

  • Proportional to threat extent and potential negative effects (A) (correct)

What is the focus of the risk assessment process?

  • To audit current resources and determine vulnerabilities (A) (correct)

What does risk mitigation involve?

  • Choosing the best response to identified threats (A) (correct)

Why have cybersecurity and IT risk management gained managerial attention?

  • Because of the increasing threat of cyberterrorism (D) (correct)

What challenge do managers face regarding their efforts in security, privacy, and ethics?

  • Taking credit for avoiding negative incidents (D) (correct)

What role does understanding current resources play in risk assessment?

  • It allows for a mapping of current vulnerabilities (C) (correct)

What is one proposed method to reduce the risk of DDoS attacks?

  • Monitoring and regularly updating protection services (B) (correct)

What is the consequence of insider threats related to data theft?

  • Potential financial loss and reputational damage (D) (correct)

Why is the vulnerability to insider threats considered high?

  • Due to insufficient monitoring and poor access controls (C) (correct)

What is the potential financial impact of a successful DDoS attack according to the content?

  • $20,000 (B) (correct)

What action is critical to maintaining effective DDoS attack protections?

  • Constant monitoring and regular updates (C) (correct)

Why is it considered a mistake to delegate information systems security exclusively to IT professionals?

  • Security issues require input from general and functional managers. (D) (correct)

What is meant by 'vulnerability' in the context of information security?

  • The likelihood that a threat will exploit a weakness in the system. (D) (correct)

Which of the following best defines the term 'exposure' in information systems security?

  • The potential harm that could occur if a threat successfully breaches security. (A) (correct)

What type of cybersecurity threat was exemplified by the WannaCry ransomware attack in 2017?

  • A malware attack that encrypts data for ransom. (D) (correct)

Which of the following is an indirect effect of security failures in an organization?

  • Legal repercussions and damage to reputation. (B) (correct)

What does the term 'threat' refer to in the context of information systems?

  • An actor or event that has the potential to cause harm. (A) (correct)

How should organizations approach the management of IT risks?

  • By conducting risk assessment and mitigation processes. (B) (correct)

What does ethical behavior entail in the context of information systems?

  • Making decisions that respect privacy and integrity. (D) (correct)

In what way can security failures directly affect an organization?

  • By causing operational disruptions and system outages. (D) (correct)

Which of the following is a safeguard developed to mitigate cybersecurity threats?

  • Regular security assessments and training. (D) (correct)

Flashcards

Intentional Malicious Behavior

Threats from employees with malicious intent, who have authorized access and a reason to leak or tamper with data.

Careless Behavior

Threats from employees unaware or uninterested in cybersecurity policies.

External Threat (Intrusion)

Unauthorized attackers gaining access to organizational IT resources.

Social Engineering

Tricking legitimate users into sharing private information.

Malware

Malicious software designed to harm or disrupt computer systems.

Phishing

Sending deceptive emails pretending to be a legitimate institution.

Virus

Malware that replicates itself and spreads to other files.

Ransomware

Malware that encrypts files and demands payment for decryption.

Information Systems Security

Protecting information systems from threats and vulnerabilities.

IT Risk Management

Processes to identify, assess, and mitigate potential security risks.

Risk Assessment

Evaluating the likelihood and potential impact of risks.

Risk Mitigation

Taking steps to reduce the likelihood or impact of risks.

Cybersecurity Threats

External and internal dangers to computer systems and data.

Vulnerability

Weakness in a system that can be exploited by a threat.

Exposure

Potential harm if a threat exploits a vulnerability.

IS Controls

Safeguards to protect information systems resources (software, devices, procedures).

Threat

A possible security breach or a failure of security, privacy, or ethics.

Information Resources

Computer systems, data, and other assets that an organization relies on.

Website Shutdown

A website is unavailable for a specific duration due to a security incident or technical issue.

Vulnerability Rating

A measure of how easily a system or asset can be exploited by a threat.

Consequence Rating

A measure of the impact of a successful attack on a system or asset.

Risk Rating

A combined measure of vulnerability and consequence, indicating the likelihood and severity of a security threat.

Reduce Risk

Implementing measures to minimize the likelihood and impact of security threats.

Manager's Responsibility

Managers are accountable for security, privacy, and ethics decisions. They must understand trade-offs and potential threats.

Cybersecurity

Actions organizations take to prevent threats to their technology.

Cyberterrorism

A type of attack on digital assets, a serious threat to security in the modern world.

Security investments

Resources dedicated to mitigating threats based on the level of risk and potential impact.

DDoS Attack

A cyberattack where multiple compromised computers flood a target server with traffic, making it unavailable to legitimate users.

Insider Threat

A security risk posed by authorized individuals within an organization, such as employees or contractors.

Confidentiality

Keeping information secret, only accessible to authorized individuals.

Integrity

Ensuring information remains unchanged and accurate.

Availability

Guaranteeing information is accessible when needed.

Cryptography

Transforming data into secret code to protect it from unauthorized access.

Access Control

Process of managing who can access information and resources.

Authentication

Verifying someone's identity.

Authorization

Granting access to specific resources or information based on identity.

Internal Threat

Security risks posed by individuals with legitimate access to a company's systems.

Study Notes

Information Systems Security and Online Privacy

  • Information systems security, privacy, and ethics are important for all managers, not just IT professionals.
  • Delegating security solely to IT professionals is a mistake.
  • Risk management processes include risk assessment and risk mitigation.
  • Cybersecurity threats include both internal and external threats.
  • Safeguards are developed to mitigate these risks.
  • Ethics are defined and applied to information system decisions.

Key Information Security Terms

  • Threat: A failure in security, privacy, or ethics that can have dramatic repercussions for an organization, including direct effects (e.g., computer outages) and indirect effects (e.g., legal issues).
  • IS controls: Software, devices and procedures to help protect systems.
  • Information Resources: Data that must be protected.
  • Vulnerability: The likelihood a threat will harm the system.
  • Exposure: Potential harm if a threat breaks the controls and compromises the resources.

Examples of Security Breaches

  • WannaCry ransomware (May 12, 2017): Infected thousands of computers worldwide.
  • Sony Entertainment Company data breach (November 24, 2014): Hackers stole 100 terabytes of sensitive data.

Components of Information Security

  • Confidentiality: Information is kept secret, only accessible to authorized people.
  • Integrity: Information remains unaltered, without unauthorized changes.
  • Availability: Information is accessible when needed by authorized users.

Confidentiality

  • To ensure confidentiality, two things are needed:
    • Cryptography: Ensures only intended recipients can read data.
    • Access Control: Verifies the identity of intended recipients.

Cryptography

  • Plaintext: Original message.
  • Ciphertext: Transformed message.
  • Key: Secret used in transformation.
  • Encryption: Algorithm for transforming plaintext into ciphertext.
  • Decryption: Algorithm for transforming ciphertext into plaintext.
  • Cipher: Algorithm for encryption/decryption.

Access Control

  • Three components to control access:
    • Authentication: Verifying the identity of a user.
    • Authorization: Limiting access to specific information based on user roles.
    • Accounting: Tracking user activities to monitor and detect malicious behaviour.
  • Password security: Passwords should be complex and should not be shared.

Multi-factor Authentication (MFA)

  • Several businesses use MFA, which combines more than one of the following factors:
    • Something you know (password).
    • Something you have (token).
    • Something you are (biometric).

Internal Threats

  • Intentional Malicious Behavior: Disgruntled or ill-willed employees.
  • Careless Behavior: Ignorance or disregard for security policies.
    • Failing to modify default passwords.
    • Not following Internet and web usage guidelines.
    • Not following guidelines for saving data on personal or portable devices.
    • Failing to destroy sensitive data per schedule.

External Threats: The Intrusion Threat

  • Hackers: Use coding errors or undocumented features to control IT systems or data.
  • Social Engineering: Obtaining restricted information by convincing legitimate users or others to share it.
  • Phishing: Sending official-sounding spam through emails/links.
  • Online fake news: Targeted diffusion of false information.
  • Troll factories: Organizations specializing in writing and posting fake articles to discredit or promote something.
  • Mobile and IoT Cybersecurity Threats: Increased capability of mobile devices leads to more creative vulnerabilities.

Malware

  • Malware: Any software with malicious intent.
    • Disrupt computer operation
    • Gain access to private systems
    • Steal personal information
    • Display advertisements
  • Types of Malware:
    • Virus
    • Worm
    • Trojan Horse
    • Ransomware
    • Spyware

Phishing

  • Phishing: Sending official-sounding spam to trick users into entering personal details or passwords through fabricated websites.
  • Spear Phishing: Phishing targeting specific individuals.

Online Fake News

  • Targeted diffusion of false information gaining traction.
  • Ubiquitous social media access reduces entry barriers and speeds misinformation spread.
  • Troll factories are new organizations specializing in fake messages to discredit or promote.

Mobile and IoT Cybersecurity Threats

  • Smartphones and IoT devices (Internet of Things) are susceptible to the same cybersecurity threats as computers.
  • Users of mobile devices are often more ignorant of cybersecurity risks.
  • Hackers are finding creative ways to exploit new vulnerabilities on mobile devices.

Privacy

  • Privacy: The right to be left alone from intrusions.
  • Information Privacy: Relates to the collection and dispersion of information.

Cybersecurity is an IT Problem?

  • Cybersecurity is a managerial concern and should not be solely the responsibility of the IT department.
  • It's essential to have a thorough understanding of potential risks concerning IT, their likelihood, potential consequences, and how to mitigate them.

Cybersecurity = Negative Deliverable

  • Cybersecurity is frequently underfunded due to its lack of direct revenue generation.

Managers' Responsibility

  • Security, privacy and ethics are important managerial concerns that should not be ignored.
  • Managers must understand the various conditions under which decisions and trade-offs are made in order to manage security appropriately.
  • Understanding threats and responses is crucial to decision-making.

IT Risk Management and Cybersecurity

  • Cybersecurity refers to defenses against threats to technology infrastructure and assets.
  • IT risk management involves identifying and measuring risks and planning mitigation strategies.
  • Cybersecurity has increased in importance due to the rising threat of cyberterrorism.

Risk Assessment

  • The process audits current resources (technological and human) to identify the vulnerabilities in a company's information systems security posture.
  • Understand the current set of vulnerabilities the firm faces.
  • The amount invested in cybersecurity should be proportional to the threat's extent and potential negative consequences.

Risk Mitigation

  • Matching the appropriate response to identified cybersecurity threats.
  • Optimal strategy balances cybersecurity attainment with investment.

Three Mitigation Strategies

  • Risk Acceptance: Not investing in countermeasures, potentially higher failure costs.
  • Risk Reduction: Investing in safeguards to mitigate threats, higher anticipation costs.
  • Risk Transference: Shifting risks to a third party (outsourcing).

Cybersecurity Responses: Internal Threats

  • Comprehensive Assessment: Evaluating potential internal threats (scenarios, likelihood, harm).
  • Security Policies: Guiding employee behavior to lessen risks.
  • Monitoring: Limiting access to dangerous websites and unauthorized software.
  • Testing: Phishing exercises to gauge employee response.

Cybersecurity Responses: External Threats

  • Intrusion Countermeasures: Passwords and firewalls.
  • Firewall: Screens and manages network traffic.
  • Encryption: Prevents data understanding by unauthorized users.
  • Malware Response: Antivirus and spyware software.
  • Training and Policies: Helps mitigate malware threats.

Risk Assessment and Mitigation

  • Example table highlighting threat, vulnerability, consequence, risk rating, action needed and explanation for specific threats (e.g., flooding, overheating servers).

Cybersecurity Responses: External Threat - Examples

  • DDoS Attacks: Low vulnerability but medium risk; reduce by monitoring and updating.
  • Insider Threats (Data Theft): Medium vulnerability, high risk; reduce by access control and monitoring.

Quiz Team

Description

This quiz explores the essential aspects of information systems security, including the importance of ethical practices and the roles of various professionals in managing security risks. It covers key terminology and concepts related to cybersecurity threats and safeguards. Understanding these elements is crucial for any manager overseeing information resources.
