Introduction to Information Security
30 Questions
Questions and Answers

What does information security primarily focus on?

  • Implementing financial controls to safeguard organizational assets
  • Protecting information and information systems from unauthorized actions (correct)
  • Managing physical security measures for facilities
  • Conducting training sessions for employees on technology use

Which factor contributes to the increasing vulnerability of organizational information resources?

  • The adoption of only static networking infrastructure
  • Outdated data storage devices being used
  • The increasing capabilities of wireless technologies (correct)
  • Limited access to the internet for employees

How has hacking skill accessibility changed in recent years?

  • Hacking is now restricted to only a few expert individuals
  • The skills required remain unchanged since the past decade
  • The skill requirements have decreased due to available scripts online (correct)
  • The skills needed have become more complex and advanced

What is a notable characteristic of modern computer and storage devices?

They are smaller, faster, and more portable with greater storage (A)

What has contributed to the rise of cybercrime among organized groups?

The lucrative nature of cybercriminal activities (C)

Which group of employees is considered to pose the greatest threat to information security?

Human resources employees (D)

What is social engineering primarily concerned with?

Tricking individuals into providing confidential information (C)

Which of the following is NOT considered an unintentional threat to information systems?

Social engineering (A)

What does 'ransomware-as-a-service' refer to?

Providing ransomware tools to other hackers (C)

Which of these methods is effective for protecting against ransomware?

Using anti-ransomware software (C)

Which situation exemplifies 'tailgating' in the context of security threats?

An unauthorized individual following someone into a secure area (B)

What is a consequence of ransomware attacks aside from direct ransom payments?

Loss of data and reputation (B)

What is the primary goal of risk management in an organization?

To identify, control, and minimize the impact of threats (C)

Which of the following is NOT a form of intellectual property protection?

Business strategy (C)

Which term describes the unlawful assumption of another person’s identity?

Identity theft (B)

What is a common consequence of identity theft?

Difficulty in obtaining credit (D)

What type of software is designed to collect personal information without consent?

Spyware (A)

Which threat demonstrates the potential for physical harm or disruption through computer systems?

Cyberterrorism (C)

Which of the following components is NOT involved in a standard SCADA system?

User terminal (D)

Which of the following best describes the function of keystroke loggers?

To record individual keystrokes and browsing history (B)

What is the primary role of risk mitigation in risk management?

To prevent identified threats and develop recovery means (A)

What is the primary purpose of risk transference in risk management?

To transfer the financial burden via insurance (B)

Which of the following best describes the role of an information systems auditor?

To assess and examine management controls over information systems (C)

What are COBIT 5 key principles designed to ensure?

Integrated security solutions across the organization (B)

Which of the following controls is categorized as a general control?

User passwords (A)

What distinguishes a hot site from a cold site in business continuity planning?

Hot sites are fully equipped for immediate operations (A)

What is the main function of access controls in information security?

To confirm user identity and define user privileges (A)

What does the term 'risk limitation' refer to?

Reducing the potential impact of threats by implementing controls (B)

Which of the following is a key component of business continuity planning?

Creating plans for operational continuity after a disaster (D)

Which physical control is NOT commonly used to secure a company's facilities?

Data encryption (D)

Flashcards

Information Security

Processes and policies protecting organizational information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Threat to an Information Resource

Any danger to which a system may be exposed, potentially causing harm or loss.

Information Resource's Vulnerability

The possibility that a threat will harm a resource.

Increasing Vulnerability Factors

Five key factors that make attacks on organizational information easier: interconnected systems, wireless usage, decreasing hacking skills required, organized cybercrime, and poor management support.

Cybercrime

Illegal activities conducted over computer networks, particularly the internet, often nonviolent but lucrative.

Unintentional Threats

Acts without malicious intent that still pose a risk to information security.

Human Error (Threat)

Mistakes by employees, due to laziness, carelessness, or lack of awareness about security.

Social Engineering

Tricking employees into revealing confidential information using social skills.

Tailgating

Unauthorized entry to a restricted area by following an authorized person and asking them to hold the door.

Ransomware

A type of cyberattack where attackers block access to a system or encrypt data until a ransom is paid.

Spear Phishing

A targeted phishing attack that appears very convincing, tailored to the victim.

Information Extortion

Threatening to steal information or actually stealing it, demanding payment to stop or return it.

Identity theft

Deliberately using someone else's identity, often for financial gain or to frame them for a crime.

Intellectual Property

Creations protected by laws like trade secrets, patents, and copyrights.

Software Attacks

Malicious actions targeting software or devices connected to the internet.

SCADA Systems

Systems controlling industrial processes, like power plants or water treatment.

Cyberterrorism

Attacks targeting computer systems for political disruption or harm.

Risk Management

Identifying, controlling, and minimizing the impact of threats to systems.

Risk Mitigation

Methods to prevent threats or recover if threats strike.

Risk Acceptance

Choosing to tolerate a risk and its possible negative outcomes.

Dumpster Diving

Rummaging through trash to find discarded personal information.

Risk transference

Shifting risk to another party, often through insurance.

Information Systems Audit

Evaluation and examination of information system controls affecting inputs, outputs, and processing.

General Controls

Controls that apply to multiple functional areas within an organization (e.g., passwords).

Application Controls

Controls specific to a particular application (e.g., payroll approval).

Hot Site

A fully configured backup site with all company systems and infrastructure.

Authentication

Verifying the identity of a person requesting access.

Authorization

Determining the access rights and privileges granted to a user.

Business Continuity Planning

A process for maintaining business operations after a disaster.

Study Notes

Introduction to Information Security

  • Security is protection against loss, damage, or danger.
  • Information security protects organizational data and systems from unauthorized actions.
  • Information resources are exposed to various threats, vulnerabilities, and potential harm.

Increasing Vulnerability Factors

  • Evolving IT Environment: Modern IT is complex, interconnected, and reliant on wireless networks, increasing exposure to external threats. Trusted networks are internal; untrusted are external. Wireless is vulnerable to interception.
  • Advancements in Devices: Smaller, faster, cheaper, and more portable devices are easier targets for theft and often contain sensitive data.
  • Decreasing Hacking Skills: Internet resources make hacking easier, enabling individuals with limited skills to attack systems.
  • Rise of Organized Cybercrime: International organized crime groups are increasingly involved in non-violent, lucrative cybercrime.
  • Lack of Management Support: Senior management must prioritize security policies for organizational-wide adoption.

Unintentional Threats

  • Unintentional threats are performed without malicious intent, but still pose a risk to information security.
  • Human Error: A major unintentional threat, encompassing laziness, carelessness, and lack of security awareness. Employees at higher levels have broader access and therefore pose greater risk. Human Resources and Information Systems employees pose the greatest threat because of their access to sensitive data. Contract workers and consultants also require consideration. Janitors and security guards pose a threat as well, because of their access and their presence during off-hours, yet they are not always accounted for in security plans.
  • Social Engineering: Manipulating employees into revealing confidential information (passwords). Techniques include impersonation, tailgating (following employees into restricted areas), and shoulder surfing (observing screens).

Deliberate Threats

  • Deliberate threats involve malicious intent.
  • Espionage/Trespass: Unauthorized access attempts.
  • Information Extortion: Threatening to steal information, or actually stealing it, and demanding payment to avoid harm; also known as ransomware or digital extortion.
    • Methods of Attack: Spear phishing, whaling, and ransomware.
    • Costs: Direct costs (the ransom payment) and indirect costs (file recovery, reputational damage, lawsuits).
    • Protection: User education, regular data backups, anti-ransomware software, the No More Ransom initiative, decryption tools.
  • Sabotage/Vandalism: Deliberate acts such as defacing websites.
  • Theft of Equipment/Information: Stealing devices containing sensitive data, like laptops, smartphones, and thumb drives. Dumpster diving is a technique involving searching through trash for discarded information.
  • Identity Theft: Stealing another person's identity to gain access to financial information or to implicate them in a crime.
  • Intellectual Property: The unauthorized use of intellectual property, including trade secrets, patents, and copyrights. Trade secrets are confidential information, patents are inventions, and copyrights are creative works.
  • Software Attacks: Malicious software targeting systems, including malware and evolving web-based attacks. Malware can target all connected devices like smart TVs.
  • Alien Software: Clandestine software installations (not as damaging as viruses or worms). Examples include adware, spyware (including stalkerware for monitoring people), keyloggers, and spamware.
  • Supervisory Control and Data Acquisition (SCADA) Attacks: Targeting industrial control systems, such as oil refineries, water treatment plants, and nuclear power plants. SCADA systems link physical operations with electronic control mechanisms, making access points vulnerable.
  • Cyberterrorism/Cyberwarfare: Attackers using computer systems for physical harm or disruption to promote a political agenda.

Protecting Information Resources

  • Risk Management: Identifying, controlling, minimizing the impact of threats, reducing risks to acceptable levels.
    • Risk Evaluation: Analyzing assets, their vulnerability to compromise, and costs of protection.
    • Risk Mitigation Strategies: Risk acceptance, transference (insurance), and limitation (controls) are three approaches.
  • Information Systems Auditing: Evaluation and examination of information system controls and processes using established standards.
    • Types of Auditors: External, internal, government, specialist.
  • COBIT 5: IT governance framework aligning IT with business needs, and managing risk. This involves five key principles to ensure stakeholder needs, an enterprise-wide approach, a single framework, holistic strategies, and separation of governance and management.

Information Security Controls

  • Control Environment: Management’s attitude towards controls.
  • General Controls: Apply to more than one functional area, for example password management.
  • Application Controls: Specific to an application, such as payroll approval.
  • Physical Controls: Prevent unauthorized access to facilities (e.g., walls, locks).
  • Business Continuity Planning: Prepare for disaster recovery, offering guidelines for responding to and recovering from disruptions affecting information security. This includes multiple-site and off-site data backups. Hot sites provide complete operations, warm sites offer operations without application software, while cold sites offer the basic utilities like electricity and building systems but do not provide IT operations.
  • Access Controls: Restricting unauthorized use of information resources. Access control comprises authentication and authorization.
  • Authentication: Verifying user identity using various methods: something the user is (biometrics), has (ID card, token), does (voice, signature), or knows (passwords).
    • Password Managers: Generate and store complex passwords.
    • Multifactor Authentication (MFA): Combining multiple verification factors.
    • Passwordless Authentication: Password-free methods.
    • Adaptive Authentication: Authentication based on real-time risk assessments.
  • Authorization: Establishing rights and privileges based on verified identity. Least privilege is a common principle.
  • Communication Controls: Secure data transmission across networks.
    • Firewalls: Prevent unauthorized network traffic.
    • Anti-malware Systems: Detect and remove viruses and worms.
    • Whitelisting/Blacklisting: Controlling which software can run.
    • Encryption: Secure data transmission using public-key encryption and digital certificates.
    • Virtual Private Networks (VPNs): Securely extending networks over public networks.
    • Transport Layer Security (TLS): Secure communication protocol for online transactions (HTTPS).
  • Application Controls: Security protection specific to applications (input, processing, and output controls).

Personal Information Asset Protection

  • Protecting personal data is crucial when a device is not connected to an organization's network.
  • Inventorying data and assessing its sensitivity is the first step toward securing it.

Description

Explore the crucial aspects of information security in this quiz. Understand the various vulnerabilities and threats that organizations face in today's interconnected IT environment. Test your knowledge of how advancements in technology and the rise of cybercrime impact data protection.
