Introduction to Information Security

Questions and Answers

What does the term 'Defense in Depth' refer to in information security?

• A single security measure used to protect assets.
• An approach that uses multiple layers of security. (correct)
• Monitoring user access to secure areas.
• Restricting access to sensitive data only.

What is the main purpose of the DREAD Model in risk assessment?

• To rank risks based on specific criteria. (correct)
• To evaluate cost versus benefit of security measures.
• To determine the annualized loss expectancy.
• To compare security practices against benchmarks.

Which method is used to calculate the financial impact of a single incident?

• Exposure Factor (EF).
• Qualitative Risk Analysis.
• Annualized Loss Expectancy (ALE).
• Single Loss Expectancy (SLE). (correct)

What is meant by 'Residual Risk'?

Risk remaining after controls have been applied. (C)

What is the significance of conducting a Cost-Benefit Analysis (CBA) in risk management?

To compare the costs of security controls against their benefits. (A)

In what phase of Risk Management is the identification of threats conducted?

Identification Phase. (C)

What is the main focus of the importance of Baselining in risk management?

Identifying gaps in security practices over time. (A)

What does 'Risk Appetite' define for an organization?

The level of risk that is acceptable to the organization. (B)

What is the primary focus of Information Security?

Protecting information and its critical elements (A)

Which of the following is NOT one of the Five Pillars of Information Assurance?

Cost-effectiveness (C)

Which component is NOT considered part of an Information System?

Cost (C)

How do threats differ from vulnerabilities?

Threats are potential dangers; vulnerabilities are weaknesses to be exploited. (D)

Which of the following describes Security as a Science?

Utilizes data-driven approaches for risk identification and mitigation. (C)

What is the role of non-repudiation in information security?

Proving the origin and integrity of actions taken (A)

Which layer is NOT part of the three layers of security in an organization?

Operational (A)

Which of the following is an example of a physical security control?

Access badges (D)

What is the primary purpose of a vulnerability assessment?

To identify and quantify system vulnerabilities (A)

Which of the following best describes penetration testing?

A simulation of attacks to exploit vulnerabilities (B)

What does OWASP ZAP primarily help with?

Identifying vulnerabilities in web applications (B)

What is a critical step to take before conducting a vulnerability assessment?

Asset identification and defining scope (A)

What is the difference between proactive and reactive approaches in risk management?

Proactive aims to prevent potential issues, while reactive responds to incidents after they occur. (B)

Which of the following is NOT classified as one of the top 10 OWASP web vulnerabilities?

Data Theft (D)

What is the role of configuration management in vulnerability mitigation?

To maintain secure and consistent system configurations (A)

Why is regular vulnerability assessment important?

To ensure emerging vulnerabilities are identified and addressed promptly (A)

What is the primary difference between due care and due diligence?

Due care involves acting legally and ethically, while due diligence is about ensuring ongoing compliance. (C)

Which of the following describes the role of a CISO?

Overseeing information security strategy, implementation, and compliance. (D)

What serves as the framework for protecting information assets?

Security Policy (D)

What are the five criteria for enforceable policies?

Dissemination, Review, Comprehension, Compliance, Uniform Enforcement (B)

How does GDPR enhance personal data control for individuals?

By providing individuals the rights to control their personal data usage. (D)

What distinguishes EISP, ISSP, and SysSP from one another?

EISP consists of broad policies, ISSP targets specific issues, and SysSP offers technical guidance. (D)

What is the main purpose of the USA PATRIOT Act?

To improve surveillance capabilities to combat terrorism. (C)

Which statement accurately describes personally identifiable information (PII)?

PII is any data that can be used to identify an individual, like names and social security numbers. (B)

Flashcards

What is Information Assurance (IA)?

Measures to protect information and systems by ensuring availability, integrity, authenticity, confidentiality, and non-repudiation.

What are the core principles of the C.I.A. Triangle?

Confidentiality: Preventing unauthorized access. Integrity: Ensuring data accuracy and unaltered state. Availability: Information accessible when needed.

What is Information Security?

Protecting information assets, including systems that use, store, and transmit it.

What's the difference between Information Security and Cybersecurity?

Information Security focuses on protecting information assets, while Cybersecurity focuses on protecting internet-connected systems from cyber threats.

What are the six components of an Information System?

Hardware, Software, Networks, Data, People, Procedures.

What is Network Security?

Protecting networking components, connections, and content from unauthorized access.

What is a Threat?

A potential danger to information or systems.

What is a Vulnerability?

A weakness that can be exploited by a threat.

Information Security Blueprint

A detailed plan outlining security measures for protecting information and systems.

ISO 27000

An internationally recognized standard for establishing, implementing, maintaining, and improving information security management systems.

Defense in Depth

Multiple layers of security controls, like a castle with moats, walls, guards, and alarms, to protect information and assets.

Security Perimeter

The boundary separating secure areas from non-secure areas, like a secure perimeter around a building.

Risk Management

The process of identifying, assessing, and managing potential risks to information and systems.

Qualitative Risk Analysis

A method of analyzing risks based on a subjective assessment of factors like damage, reproducibility, exploitability, and affected users.

Quantitative Risk Analysis

A method of analyzing risks using numerical calculations to estimate potential financial losses.

Single Loss Expectancy (SLE)

The potential financial impact of a single security incident or breach.

Vulnerability Assessment

A process to identify, evaluate, and prioritize vulnerabilities within a system or application.

Penetration Testing

Simulates real-world attacks to discover vulnerabilities that could be exploited by hackers.

Top 10 OWASP Web Vulnerabilities

A set of common security flaws in web applications, categorized by OWASP.

OWASP ZAP

A tool designed to find vulnerabilities in web apps through automated scanning and manual testing.

Configuration Management in Vulnerability Mitigation

Maintaining secure and consistent configurations across systems to minimize vulnerabilities.

Reactive Approach to Vulnerability Mitigation

Addressing vulnerabilities and risks after they've been exploited.

Proactive Approach to Vulnerability Mitigation

Proactively identifying and addressing potential vulnerabilities before they can be exploited.

Security Patch

Software updates that patch known vulnerabilities and security flaws.

Study Notes

Module 1: Introduction to Information Security

• Information Assurance (IA) protects information systems, ensuring availability, integrity, authentication, confidentiality, and non-repudiation.
• Five pillars of IA: confidentiality, integrity, authentication, availability, and non-repudiation.
• Information security protects information and its systems from threats.
• Information security differs from cybersecurity, focusing on general information assets versus internet-connected systems.
• Six components of an information system: hardware, software, networks, data, people, and procedures.
• C.I.A. Triangle components: confidentiality (preventing unauthorized access), integrity (ensuring accuracy and unalteration), and availability (ensuring accessibility when needed).
• Security as an art involves creative problem-solving for unique organizational challenges.
• Security as a science relies on scientific principles and data-driven approaches to mitigate risks.
• Security as a social science examines how human behavior interacts with systems to improve security.
• Three layers of security in organizations: physical, technical, and administrative.
• A threat is a potential danger to information or systems, while a vulnerability is a weakness that a threat can exploit.
• Physical security controls include locks, badges, and surveillance cameras.
• Network security protects network components, connections, and content from unauthorized access.
• Operations security protects the details of operations to prevent exploitation.

Module 2: Legal, Ethical, and Professional Issues

• Due care involves acting legally and ethically, while due diligence continually ensures compliance.
• Policies are internal rules, while laws are legally enforceable.
• Criteria for enforceable policies include dissemination, review, comprehension, compliance, and uniform enforcement.
• Privacy protects personal information from unauthorized access.
• GDPR provides control over personal data and simplifies regulations.
• Personally Identifiable Information (PII) is data identifying an individual (name, SSN, financial details).
• Principles of the PH Data Privacy Act of 2012 include transparency, accountability, consent, and data minimization.
• Sarbanes-Oxley Act ensures accurate financial reporting and accountability.
• USA PATRIOT Act enhances tools to combat terrorism, including surveillance.
• Major U.S. Identity Theft Laws include the Identity Theft Enforcement and Restitution Act, Computer Fraud and Abuse Act, and Financial Modernization Act.

Module 3: Planning for Security

• Strategic planning in information security sets long-term directions for allocating resources and achieving objectives.
• Security policies provide a framework for protecting information assets.
• Differences exist between EISP (broad policies), ISSP (specific issues), and SysSP (technical guidance).
• Access Control Lists (ACLs) define access permissions for resources.
• Configuration rules govern system reactions to specific inputs.
• Policy administrators manage policy reviews, updates, and enforcement.
• Information Security blueprints detail plans for implementing security measures.
• ISO 27000 is an international standard for information security management.
• Defense in depth utilizes multiple layers of security for asset protection.
• A security perimeter separates secure and non-secure areas.

Module 4: Risk Management

• Risk management is the process of identifying, assessing, and controlling risks.
• Three phases of risk management include identification, assessment, and control.
• Qualitative risk analysis uses subjective assessments, while quantitative analysis uses numeric calculations.
• Single Loss Expectancy (SLE) calculates the financial impact of a single incident.
• Annualized Loss Expectancy (ALE) considers the frequency of occurrences.
• Exposure Factor (EF) represents the proportion of asset loss due to a threat.
• Risk control strategies include defense, transfer, mitigation, acceptance, and termination.
• Mitigation reduces impact through preparation.
• Cost-benefit analysis weighs control costs against benefits.
• DREAD model rates risks based on damage, reproducibility, exploitability, affected users, and discoverability.
• Benchmarking compares security practices against standards to identify gaps.
• Baselining establishes reference points for performance comparisons over time.
• Organizational and technical feasibility ensures alignment with objectives and resources.
• Residual risk remains after implementing feasible controls.
• Risk management frameworks provide structure for consistent risk assessment and control.
• Operational feasibility ensures user acceptance and integration of security into daily operations.
• Risk appetite is the level of risk an organization is willing to accept.
• Defense strategies prevent exploitation through safeguards and policies.
• Risk termination avoids activities that introduce unmanageable risks

Module 5: Overview of Vulnerability Assessment

• Vulnerability assessment identifies, quantifies, and prioritizes vulnerabilities.
• Vulnerability assessment distinguishes from penetration testing.
• Vulnerability assessment identifies and measures weaknesses, while penetration testing simulates attacks.
• Top 10 OWASP web vulnerabilities cover broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, server-side request forgery.
• OWASP ZAP is a tool for identifying web application vulnerabilities.
• Assessment steps include asset identification, defining scope, prioritizing systems.
• Regular assessments identify emerging vulnerabilities.
• Configuration management ensures consistent system configurations.
• Reactive approaches respond to incidents after occurrence.
• Proactive approaches identify and address potential issues before exploitation.
• OWASP documentation provides best practices.
• Security patches fix vulnerabilities in software.