CH 13
44 Questions

Questions and Answers

What type of threat involves authorized users who may leak or tamper with data?

  • Careless Behavior
  • External Threat
  • Intentional Malicious Behavior (correct)
  • Phishing

Which of the following actions is considered careless behavior regarding cybersecurity?

  • Encrypting sensitive data
  • Regularly updating software
  • Using complex passwords
  • Failing to modify default passwords (correct)

What is social engineering primarily concerned with?

  • Gaining unauthorized access to physical locations
  • Collecting data through legitimate surveys
  • Obtaining private information by convincing users to share it (correct)
  • Infecting systems with viruses

Which type of malware is specifically designed to demand a ransom for access to data or systems?

Answer: Ransomware

What is phishing commonly associated with in cybersecurity threats?

Answer: Sending official-sounding spam emails

Which of the following is NOT categorized as a type of malware?

Answer: Phishing

Which scenario best illustrates an intrusion threat?

Answer: A hacker gains unauthorized access to company systems

Which practice would likely help prevent careless behavior in cybersecurity policies?

Answer: Providing frequent cybersecurity training

What is the main purpose of cryptography in ensuring confidentiality?

Answer: To ensure data cannot be read by unauthorized users

Which of the following is NOT a component of access control?

Answer: Encryption

What is a common vulnerability of passwords?

Answer: They can be shared intentionally or unintentionally

What does multi-factor authentication enhance?

Answer: The security of access controls

What is necessary for integrity in information security?

Answer: Data must not be altered without authorization

Which method is identified as the simplest for authentication?

Answer: Password

How can internal threats to cybersecurity be characterized?

Answer: As individuals with direct access to the technology infrastructure

What two elements are necessary to ensure confidentiality aside from cryptography?

Answer: Access control and tracking (accounting)

What action is recommended to prevent a server shutdown caused by overheating?

Answer: Invest in a new air-conditioning (AC) system

What is the consequence of a 2-hour website shutdown?

Answer: A $20,000 loss

How is the risk associated with a website shutdown rated?

Answer: Medium, due to the potential losses

What vulnerability rating is given to the system protecting against external threats?

Answer: Low, because of the updated firewall

What is the consequence of a server shutdown for 12 hours?

Answer: Significant operational disruptions

What is a primary responsibility of managers concerning cybersecurity?

Answer: To understand the choices and trade-offs in security

What does IT risk management primarily aim to identify?

Answer: Information systems security risks

How should the investment in cybersecurity safeguards be determined?

Answer: In proportion to the extent of the threat and its potential negative effects

What is the focus of the risk assessment process?

Answer: To audit current resources and determine vulnerabilities

What does risk mitigation involve?

Answer: Choosing the best response to identified threats

Why have cybersecurity and IT risk management gained managerial attention?

Answer: Because of the increasing threat of cyberterrorism

What challenge do managers face regarding their efforts in security, privacy, and ethics?

Answer: Getting credit for negative incidents that were avoided

What role does understanding current resources play in risk assessment?

Answer: It allows the current vulnerabilities to be mapped

What is one proposed method to reduce the risk of DDoS attacks?

Answer: Monitoring and regularly updating protection services

What is the consequence of insider threats related to data theft?

Answer: Potential financial loss and reputational damage

Why is the vulnerability to insider threats considered high?

Answer: Due to insufficient monitoring and poor access controls

What is the potential financial impact of a successful DDoS attack according to the content?

Answer: $20,000

What action is critical to maintaining effective DDoS attack protections?

Answer: Constant monitoring and regular updates

Why is it considered a mistake to delegate information systems security exclusively to IT professionals?

Answer: Security issues require input from general and functional managers

What is meant by 'vulnerability' in the context of information security?

Answer: The likelihood that a threat will exploit a weakness in the system

Which of the following best defines the term 'exposure' in information systems security?

Answer: The potential harm that could occur if a threat successfully breaches security

What type of cybersecurity threat was exemplified by the WannaCry ransomware attack in 2017?

Answer: A malware attack that encrypts data for ransom

Which of the following is an indirect effect of security failures in an organization?

Answer: Legal repercussions and damage to reputation

What does the term 'threat' refer to in the context of information systems?

Answer: An actor or event that has the potential to cause harm

How should organizations approach the management of IT risks?

Answer: By conducting risk assessment and mitigation processes

What does ethical behavior entail in the context of information systems?

Answer: Making decisions that respect privacy and integrity

In what way can security failures directly affect an organization?

Answer: By causing operational disruptions and system outages

Which of the following is a safeguard developed to mitigate cybersecurity threats?

Answer: Regular security assessments and training

Study Notes

Information Systems Security and Online Privacy

• Information systems security, privacy, and ethics are important for all managers, not just IT professionals.
• Delegating security solely to IT professionals is a mistake.
• Risk management processes include risk assessment and risk mitigation.
• Cybersecurity threats include both internal and external threats.
• Safeguards are developed to mitigate these risks.
• Ethics are defined and applied to information system decisions.

Key Information Security Terms

• Threat: An actor or event with the potential to cause harm. A failure in security, privacy, or ethics can have dramatic repercussions for an organization, including direct effects (e.g., computer outages) and indirect effects (e.g., legal issues, damage to reputation).
• IS controls: Software, devices and procedures that help protect systems.
• Information resources: Data that must be protected.
• Vulnerability: The chapter defines this as the likelihood that a threat will harm the system. In practitioner usage the vulnerability is the weakness itself (an unpatched flaw, an unchanged default password, a missing control), and the likelihood that it is exploited is one of the factors that make up risk.
• Exposure: The potential harm if a threat breaks through the controls and compromises the resources.

Examples of Security Breaches

• WannaCry ransomware (May 12, 2017): Infected more than 200,000 computers in some 150 countries within days.
• Sony Pictures Entertainment data breach (November 24, 2014): Attackers stole an estimated 100 terabytes of sensitive data.

Components of Information Security

• Confidentiality: Information is kept secret, accessible only to authorized people.
• Integrity: Information remains unaltered, without unauthorized changes.
• Availability: Information is accessible when needed by authorized users.

Confidentiality

• To ensure confidentiality, two things are needed:
  • Cryptography: Ensures that only the intended recipients can read the data.
  • Access control: Verifies the identity of the intended recipients and limits what they may do.

Cryptography

• Plaintext: The original message.
• Ciphertext: The transformed, unreadable message.
• Key: The secret used in the transformation. The algorithm may be public; the key must not be.
• Encryption: Transforming plaintext into ciphertext under a key.
• Decryption: Transforming ciphertext back into plaintext under the key.
• Cipher: The algorithm used for encryption and decryption.
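The six terms above in working code, as an added example that is not part of the chapter or the quiz. It uses only Python's standard library, so the cipher is a demonstration construction (an HMAC-SHA256 keystream XORed with the plaintext, plus a separate HMAC tag over the ciphertext); it is not a vetted cipher, and production code should use a library such as `cryptography` with AES-GCM or ChaCha20-Poly1305. The key, the sample plaintext and the `b"enc"` / `b"mac"` subkey labels are all constructed for the example.

```python
"""Plaintext, key, cipher, ciphertext, encryption, decryption: an encrypt-then-MAC demo.

Illustrative only. The stream cipher is HMAC-SHA256 run in counter mode, which is
not a vetted cipher; the construction exists to show the vocabulary and why a
tag belongs next to the ciphertext.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # bytes of per-message randomness prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 digest size


def _derive_subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key (constructed labels)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i); XORing it with plaintext is the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encryption: plaintext -> nonce || ciphertext || tag. A fresh nonce makes each message distinct."""
    enc_key, mac_key = _derive_subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    keystream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Decryption: verify the tag first, then undo the XOR. Wrong key or tampering raises."""
    enc_key, mac_key = _derive_subkeys(key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    keystream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def roundtrip_demo() -> dict:
    """Encrypt a constructed message, decrypt it, then show that a wrong key and a flipped bit are rejected."""
    key = secrets.token_bytes(32)
    plaintext = b"Quarterly figures: constructed sample data"
    message = encrypt(key, plaintext)
    recovered = decrypt(key, message)
    wrong_key_rejected = False
    try:
        decrypt(secrets.token_bytes(32), message)
    except ValueError:
        wrong_key_rejected = True
    tampered = bytearray(message)
    tampered[NONCE_LEN] ^= 0x01            # flip one bit of the ciphertext body
    tamper_rejected = False
    try:
        decrypt(key, bytes(tampered))
    except ValueError:
        tamper_rejected = True
    return {
        "recovered": recovered,
        "wrong_key_rejected": wrong_key_rejected,
        "tamper_rejected": tamper_rejected,
        "message_len": len(message),
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

The XOR alone gives confidentiality; the tag is what delivers the integrity component above. Without it an attacker who cannot read the ciphertext can still flip chosen bits of the plaintext unnoticed, which is why modern authenticated-encryption modes bundle both.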

Access Control

• Three components to control access:
  • Authentication: Verifying the identity of a user (who you are).
  • Authorization: Limiting access to specific information and actions based on the user's role (what you may do).
  • Accounting: Recording user activity so that malicious or careless behaviour can be monitored and detected (what you did).
• Password security: Passwords should be complex and never shared. A password is the simplest authentication method, but also a weak one on its own, because it can be shared intentionally or unintentionally.

Multi-factor Authentication (MFA)

• Many businesses use MFA: authentication requires two or more factors of different types.
  • Something you know (password).
  • Something you have (token).
  • Something you are (biometric).
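The three access-control components and the MFA factors combined in one added example (not code from the chapter or the quiz), standard library only. Passwords are stored as salted PBKDF2 hashes, the something-you-have factor is a TOTP code (RFC 6238, the algorithm authenticator apps implement), authorization is a role table, and accounting is an audit log that records every decision. The user names, roles, permissions and the password are constructed; the TOTP secret is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```python
"""Authentication (password + TOTP), authorization (roles) and accounting (audit log).

Added example, standard library only. Constructed users, roles and policy.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30      # seconds per code
TOTP_DIGITS = 6

# Constructed policy: each role gets only the actions it needs (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "manager": {"read_report", "approve_payment"},
}


def hash_password(password: str, salt=None):
    """Salted, iterated hash; the plaintext password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(secret: bytes, now: float, digits: int = TOTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 time-based one-time password over HMAC-SHA1 (the 'something you have')."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation, RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AccessController:
    def __init__(self):
        self.users = {}
        self.audit_log = []   # accounting: (user, event, detail, result)

    def enroll(self, user: str, password: str, role: str, totp_secret: bytes):
        salt, digest = hash_password(password)
        self.users[user] = {"salt": salt, "hash": digest, "role": role, "totp_secret": totp_secret}

    def _log(self, user, event, detail, result):
        self.audit_log.append((user, event, detail, result))

    def authenticate(self, user: str, password: str, otp: str, now=None) -> bool:
        """Something you know (password) AND something you have (TOTP device)."""
        now = time.time() if now is None else now
        record = self.users.get(user)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same work as a real user: no timing oracle on user names
            self._log(user, "login", "unknown user", "deny")
            return False
        _, candidate = hash_password(password, record["salt"])
        password_ok = hmac.compare_digest(candidate, record["hash"])
        otp_ok = hmac.compare_digest(otp.encode(), totp(record["totp_secret"], now).encode())
        ok = password_ok and otp_ok    # both factors are evaluated; neither short-circuits
        self._log(user, "login", "password+totp", "allow" if ok else "deny")
        return ok

    def authorize(self, user: str, action: str) -> bool:
        """Role-based check: an authenticated user still gets only what the role allows."""
        role = self.users.get(user, {}).get("role")
        ok = action in ROLE_PERMISSIONS.get(role, set())
        self._log(user, "authz", action, "allow" if ok else "deny")
        return ok


if __name__ == "__main__":
    ac = AccessController()
    secret = b"12345678901234567890"                  # RFC 6238 test secret, not a real one
    ac.enroll("alice", "correct horse battery", "analyst", secret)
    print(ac.authenticate("alice", "correct horse battery", totp(secret, time.time())))
    print(ac.authorize("alice", "approve_payment"))
    print(ac.audit_log)
```

A real deployment would also accept the codes for the adjacent 30-second windows to tolerate clock drift, rate-limit failed logins, and ship the audit log to a system the user cannot edit; those are left out to keep the three components visible.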

Internal Threats

• Intentional malicious behavior: Disgruntled or ill-willed employees.
• Careless behavior: Ignorance of, or disregard for, security policies, for example:
  • Failing to modify default passwords
  • Not following Internet and web usage guidelines
  • Not following guidelines for saving data on personal or portable devices
  • Failing to destroy sensitive data on schedule

External Threats: The Intrusion Threat

• Hackers: Exploit coding errors or undocumented features to take control of IT systems or data.
• Social engineering: Obtaining restricted information by convincing legitimate users or others to share it.
• Phishing: Sending official-sounding spam through emails and links.
• Online fake news: Targeted diffusion of false information.
• Troll factories: Organizations specializing in writing and posting fake articles to discredit or promote something.
• Mobile and IoT cybersecurity threats: The growing capability of mobile devices gives attackers new vulnerabilities to exploit.

Malware

• Malware: Any software with malicious intent, for example to:
  • Disrupt computer operation
  • Gain access to private systems
  • Steal personal information
  • Display advertisements
• Types of malware:
  • Virus
  • Worm
  • Trojan horse
  • Ransomware
  • Spyware

Phishing

• Phishing: Sending official-sounding spam to trick users into entering personal details or passwords on fabricated websites.
• Spear phishing: Phishing aimed at specific individuals, using details about the target to make the message convincing.
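How the fabricated-website trick can be spotted mechanically, as an added example that is not part of the chapter: the visible link text names the bank while the href points somewhere else, or the host is a raw IP, or a user-info prefix (`https://www.bank.example@evil.example/`) dresses up the real destination. Standard library only. `SAMPLE_EMAIL` is constructed and uses reserved documentation names (198.51.100.7, `.example` domains); `registrable_domain()` is a two-label simplification, and real code would consult the public suffix list.

```python
"""Flag phishing tells in the links of an HTML e-mail.

Added example, standard library only. The sample message is constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A URL or bare domain name appearing in the visible link text.
URL_IN_TEXT = re.compile(r"https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification; use the public suffix list in real code)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href: str, text: str) -> list:
    """Return the suspicious findings for one link; an empty list means nothing was flagged."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.username is not None:
        findings.append("user-info in URL")        # everything before '@' is not the host
    if _is_ip(host):
        findings.append("raw IP host")
    if parsed.scheme == "http":
        findings.append("unencrypted http")
    match = URL_IN_TEXT.search(text)
    if match:                                      # text shows a site: does the href agree?
        shown = match.group(0)
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            findings.append(f"text says {shown_host}, link goes to {host}")
    return findings


def scan_email(html: str) -> dict:
    """Map every href in the message to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


# Constructed sample: reserved documentation address and .example domains only.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Confirm your details:</p>
<a href="http://198.51.100.7/login">https://www.bank.example/login</a><br>
<a href="https://www.bank.example@login-verify.example/">Verify now</a><br>
<a href="https://www.bank.example/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

The same check is what a browser's status bar gives a careful user on hover; the point of automating it is that a mail gateway applies it to every message, including the ones sent to the employee who has not had the training yet.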

Online Fake News

• Targeted diffusion of false information is gaining traction.
• Ubiquitous access to social media lowers the barriers to entry and speeds the spread of misinformation.
• Troll factories are new organizations specializing in fake messages meant to discredit or promote something.

Mobile and IoT Cybersecurity Threats

• Smartphones and Internet of Things (IoT) devices are susceptible to the same cybersecurity threats as computers.
• Users of mobile devices are often less aware of cybersecurity risks.
• Hackers are finding creative ways to exploit new vulnerabilities on mobile devices.

Privacy

• Privacy: The right to be left alone, free from intrusion.
• Information privacy: Concerns how personal information is collected and disseminated.

Cybersecurity is an IT Problem?

• Cybersecurity is a managerial concern and should not be solely the responsibility of the IT department.
• It is essential to have a thorough understanding of the potential IT risks, their likelihood, their potential consequences, and how to mitigate them.

Cybersecurity = Negative Deliverable

• Cybersecurity is a negative deliverable: success means that nothing bad happens. It generates no direct revenue and is hard to take credit for, which is why it is frequently underfunded.

Managers' Responsibility

• Security, privacy and ethics are important managerial concerns that should not be ignored.
• Managers must understand the conditions under which decisions and trade-offs are made in order to manage security appropriately.
• Understanding threats and the available responses is crucial to sound decision-making.

IT Risk Management and Cybersecurity

• Cybersecurity refers to the defenses against threats to an organization's technology infrastructure and assets.
• IT risk management involves identifying and measuring risks and planning mitigation strategies.
• Cybersecurity has grown in importance because of the rising threat of cyberterrorism.

Risk Assessment

• The process audits current resources (technological and human) to identify the vulnerabilities in a company's information systems security posture.
• Its output is an understanding of the current set of vulnerabilities the firm faces.
• The amount invested in cybersecurity should be proportional to the extent of the threat and its potential negative consequences.

Risk Mitigation

• Matching the appropriate response to the identified cybersecurity threats.
• The optimal strategy balances the level of security attained against the investment required.

Three Mitigation Strategies

• Risk acceptance: Not investing in countermeasures; low anticipation costs but potentially high failure costs.
• Risk reduction: Investing in safeguards to mitigate threats; higher anticipation costs but lower failure costs.
• Risk transference: Shifting some or all of the risk to a third party (e.g., outsourcing security operations or buying insurance).

Cybersecurity Responses: Internal Threats

• Comprehensive assessment: Evaluating potential internal threats (scenarios, likelihood, harm).
• Security policies: Guiding employee behavior to lessen risks.
• Monitoring: Tracking usage and limiting access to dangerous websites and unauthorized software.
• Testing: Simulated phishing campaigns to gauge employee response.

Cybersecurity Responses: External Threats

• Intrusion countermeasures: Passwords and firewalls.
  • Firewall: Screens and manages network traffic.
  • Encryption: Prevents data from being understood by unauthorized users.
• Malware response: Antivirus and anti-spyware software.
• Training and policies: Help mitigate malware threats.

Risk Assessment and Mitigation

• Example table listing, for each specific threat (e.g., flooding, overheating servers), the threat, vulnerability, consequence, risk rating, action needed and explanation.

Cybersecurity Responses: Examples (External and Internal Threats)

• DDoS attacks (external): Low vulnerability but medium risk; reduce by monitoring and regularly updating protection services.
• Insider threats, data theft (internal): Medium vulnerability, high risk; reduce by access control and monitoring.
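The table's Low/Medium/High ratings and the three mitigation strategies made quantitative, as an added example that is not from the chapter. It uses the annualized loss expectancy formula ALE = SLE × ARO, where `single_loss` is the cost of one incident and `annual_rate` how often it is expected per year. The only figure taken from the page is the $20,000 loss per DDoS-driven two-hour outage; the annual rates, safeguard costs, insurance premium and rating thresholds are constructed assumptions, and the comparison shows how "investment proportional to the threat" can be made concrete.

```python
"""Quantify a risk-assessment table and compare accept / reduce / transfer.

Added example. ALE = SLE x ARO. Only the $20,000 DDoS outage cost comes from the
chapter; every other number and the rating thresholds are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float    # SLE: dollar cost of one occurrence
    annual_rate: float    # ARO: expected occurrences per year (likelihood x vulnerability)

    @property
    def annual_loss(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # anticipation cost of running the control
    residual_factor: float   # share of the original ARO that survives the control (0..1)


def rate(threat: Threat, low: float = 5_000, high: float = 50_000) -> str:
    """Map ALE onto the Low / Medium / High scale of the chapter's table (assumed thresholds)."""
    ale = threat.annual_loss
    if ale < low:
        return "Low"
    return "Medium" if ale < high else "High"


def choose_strategy(threat: Threat, reduce: Safeguard, transfer_premium: float):
    """Expected total annual cost of each mitigation strategy; the cheapest wins.

    accept   -> pay the expected losses (failure costs only)
    reduce   -> pay for the safeguard plus the residual expected loss
    transfer -> pay a third party (insurance premium or outsourcing fee)
    """
    costs = {
        "accept": threat.annual_loss,
        "reduce": reduce.annual_cost + threat.annual_loss * reduce.residual_factor,
        "transfer": transfer_premium,
    }
    best = min(costs, key=costs.get)
    return best, costs


def assess(threats):
    """Return (name, ALE, rating) rows, highest expected loss first: the prioritised table."""
    rows = [(t.name, t.annual_loss, rate(t)) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenario; the $20,000 per DDoS outage is the page's figure.
DDOS = Threat("DDoS attack (2 h website outage)", single_loss=20_000, annual_rate=1.0)
INSIDER = Threat("Insider data theft", single_loss=500_000, annual_rate=0.2)

if __name__ == "__main__":
    for name, ale, rating in assess([DDOS, INSIDER]):
        print(f"{name:35s} ALE ${ale:>10,.0f}  risk {rating}")
    best, costs = choose_strategy(DDOS, Safeguard("DDoS protection + monitoring", 8_000, 0.25), 15_000)
    print("DDoS:", best, costs)
```

With these numbers the DDoS protection service pays for itself (13,000 a year against an expected 20,000 of losses), while for insider theft an expensive monitoring programme loses to a cheaper transfer. Change the constructed rates and costs and the recommendation changes with them, which is the trade-off the chapter asks managers to own.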

Description

This quiz explores the essential aspects of information systems security, including the importance of ethical practices and the roles of various professionals in managing security risks. It covers key terminology and concepts related to cybersecurity threats and safeguards. Understanding these elements is crucial for any manager overseeing information resources.
