IT Security and Control Frameworks Quiz
20 Questions

Questions and Answers

Which of the following is NOT a key aspect of a business impact analysis (BIA) in the context of disaster recovery and business continuity planning?

  • Identifying the firm's most critical systems
  • Evaluating the effectiveness of existing security controls (correct)
  • Assessing the potential impact of an outage on business operations
  • Determining the financial impact of an outage

What is the primary purpose of an information systems audit?

  • To train employees on best practices for data security
  • To identify and assess control weaknesses within a firm's information systems (correct)
  • To ensure compliance with industry regulations
  • To design and implement new security controls

Which of the following is considered a major benefit of implementing strong security and control frameworks within an organization?

  • Improved operational efficiency and reduced risk of disruptions (correct)
  • Reduced need for employee training on security practices
  • Increased reliance on external security providers
  • Elimination of all potential security threats and vulnerabilities

In the context of safeguarding information resources, what is the purpose of a vulnerability scan?

  Answer: To identify potential security flaws in software and hardware (B)

Which of these is a recognized IT governance framework designed to help organizations manage and govern their information technology, including security and control aspects?

  Answer: COBIT 5 (B)

Which of these is NOT a reason why information systems are vulnerable?

  Answer: Appropriate use of systems (A)

Identify the most significant vulnerability of networks within an organization, as mentioned in the provided context.

  Answer: Accessibility of networks (E)

What is the primary benefit of implementing robust security measures within an organization?

  Answer: Protection of sensitive information and assets (D)

Which of these is NOT a key component of an organizational framework for security and control?

  Answer: Customer relationship management (CRM) systems (D)

Which of the following is NOT a common tool or technology used to safeguard information resources?

  Answer: Social media monitoring tools (D)

What is the main purpose of an intrusion detection system (IDS)?

  Answer: To monitor network traffic for suspicious activity (C)

What is the business value of security and control?

  Answer: All of the above (E)

What is a common method used by attackers to exploit vulnerabilities in organizations?

  Answer: Gaining access to sensitive information by impersonating legitimate users (A)

What is the primary reason why businesses should prioritize security and control?

  Answer: To protect confidential data and intellectual property (B)

What is the main purpose of patches in software security?

  Answer: To fix security vulnerabilities and flaws (A)

What is the primary goal of a security breach response plan?

  Answer: To ensure a quick and efficient recovery from a security incident (A)

What is a significant consequence of inadequate security and control?

  Answer: All of the above (D)

Which legal Act requires financial institutions to protect customer data?

  Answer: Gramm-Leach-Bliley Act (C)

What is a potential consequence of a data breach?

  Answer: All of the above (D)

Which of the following is NOT a typical element of an organizational framework for security and control?

  Answer: Marketing and advertising strategy (C)

    Flashcards

    Disaster Recovery Planning

    Plans for restoration of services after a disruption.

    Business Continuity Planning

    Restoring business operations after a disaster occurs.

    Business Impact Analysis

    Determines the impact of an outage on crucial systems.

    Information Systems Audit

    Examines security and control of information systems.

    Control Weaknesses

    Vulnerabilities identified in systems that may cause risks.

    Internal threats

    Security threats that originate inside an organization, often from employees.

    Social engineering

    Manipulating individuals into revealing confidential information, like passwords.

    Software vulnerability

    Flaws in commercial software that create security vulnerabilities.

    Patches

    Small updates to software designed to fix known vulnerabilities.

    Business Value of Security

    Protecting data to prevent loss in business function and market value.

    HIPAA

    Regulations ensuring medical security and privacy for health information.

    Gramm-Leach-Bliley Act

    Laws requiring financial institutions to protect customer data security.

    Sarbanes-Oxley Act

    Legislation that requires companies to safeguard accuracy in financial reporting.

    Information Systems Vulnerability

    The susceptibility of information systems to destruction, errors, and abuse due to various factors.

    Security Policies

    Formal policies that outline procedures to prevent unauthorized access and ensure information protection.

    Controls in Organizations

    Methods and procedures ensuring safety, accuracy, and adherence to standards within an organization.

    Reasons for System Vulnerability

    Factors like accessibility, hardware failures, software errors, and disasters that contribute to risks.

    Contemporary Security Challenges

    Current difficulties in maintaining secure information systems due to evolving threats and dependency on technology.

    Components of Security Architecture

    Elements such as web clients, servers, and databases that together create a system's security posture.

    Tools for Safeguarding Information

    Technologies and measures used to protect information resources from unauthorized access and threats.

    Study Notes

    Chapter 8 - Intro Case Study

    • Public awareness campaigns are crucial for cybersecurity
    • Employee training programs are essential for cyber awareness
    • Developing cyber-aware business processes is vital
    • Building web and social media platforms for warnings to customers enhances awareness
    • Security guarantees are essential for customer trust
    • Proactive management of data breaches via databases of past breaches is a strong strategy
    • Two-factor authentication apps strengthen security measures

    Business Challenges

    • Cyberattacks are increasing in frequency
    • Phishing attacks are common
    • Internal threats pose a significant risk

    Business Solutions

    • Reducing cyberattacks requires proactive measures
    • Educating the public and employees is vital
    • Reducing internal security breaches is important

    Learning Objectives

    • Understanding the vulnerabilities of information systems is crucial
    • Recognizing the business value of security and control is vital
    • Understanding organizational frameworks for security and control is key
    • Identifying crucial tools and technologies for information resource protection is essential

    Agenda

    • System Vulnerability and Abuse
    • Business Value of Security and Control
    • Organizational Frameworks for Security and Control
    • Tools and Technologies for Safeguarding Information Resources

    System Vulnerability and Abuse

    • Security: Policies, procedures, and technical measures for preventing unauthorized access, alteration, theft, or physical damage to information systems
    • Controls: Methods, policies, and organizational procedures, ensuring the safety of assets, the accuracy and reliability of accounting records, and operational adherence to management standards

    Why Systems are Vulnerable

    • Accessibility of networks
    • Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
    • Software problems (programming errors, installation errors, unauthorized changes)
    • Disasters
    • Use of networks/computers outside of firm's control
    • Loss and theft of portable devices

    Contemporary Security Challenges and Vulnerabilities

    • Unauthorized access
    • Hacking
    • Errors
    • Sniffing
    • Malware
    • Theft of data
    • Copying data
    • Theft and fraud
    • Vandalism
    • Denial-of-service attacks
    • Alteration of data
    • Hardware failure
    • Software failure
    • Radiation

    System Vulnerability and Abuse – Internet Vulnerabilities

    • The network is open to anyone
    • The size of the internet means that vulnerabilities have a wide impact
    • Fixed internet addresses on cable and DSL modems create fixed targets for hackers
    • Unencrypted VoIP
    • Email, P2P, IM
      • Interception
      • Attachments with malicious software
      • Transmission of trade secrets

    System Vulnerability and Abuse – Wireless Security Challenges

    • Radio frequency bands are easily scanned
    • SSIDs (service set identifiers)
      • Identify access points; broadcast repeatedly and can be picked up by sniffer programs
    • War driving
      • Eavesdroppers drive by buildings to detect SSIDs and gain access to the network
    • Network access points compromised by intruders
    • Rogue access points

    System Vulnerability and Abuse – Malware (malicious software)

    • Viruses
      • Rogue programs that attach themselves to other programs or files in order to be executed
    • Worms
      • Independent programs that replicate themselves across networks
    • Worms and viruses spread via downloads and drive-by downloads
    • Email and IM attachments
    • Mobile device and social network malware

    System Vulnerability and Abuse – Malware (cont.)

    • Smartphones are as vulnerable as computers
    • 13,000 types of smartphone malware
    • Trojan horses
      • Software that appears benign but does something unexpected
    • SQL injection attacks
      • Hackers exploit unsecured web forms to submit SQL queries
    • Ransomware

    Ransomware: WannaCry

    • Ransom note telling the victim that their files have been encrypted
    • Information on how to recover the files
    • Payment via Bitcoin, with conditions for receiving the decryption codes

    System Vulnerability and Abuse - Malware (cont.)

    • Spyware
      • Small programs that monitor users' web surfing activity
    • Keyloggers – record every keystroke made on a computer
    • Other types:
      • Reset the browser home page
      • Redirect search requests
      • Slow computer performance by taking up memory

    System Vulnerability and Abuse - Other Types

    • Cryptolocker (Ransomware/Trojan) – Hijacks user data and demands a ransom payment for decryption
    • Conficker (Worm) – Exploits vulnerabilities in Windows software to take control of computers
    • Sasser.ftp (Worm) – Infected and crashed large numbers of computers worldwide
    • ILOVEYOU (Virus) – Script virus spread by a malicious email that caused worldwide damage to files

    System Vulnerability and Abuse - Hackers and Computer Crime

    • Hackers vs crackers
    • Activities include system intrusion, system damage, and cybervandalism (intentional disruption, defacement, or destruction of a website or corporate information system)
    • Computer may be a target of crime (Breaching confidentiality of protected computerized data, Accessing computer systems without authorization)
    • Computer may be an instrument of a crime (Theft of trade secrets, Using emails for threats or harassment)

    System Vulnerability and Abuse – Spoofing and Sniffing

    • Spoofing: Misrepresenting oneself by using fake email addresses or masquerading as someone else
      • Redirecting web links to addresses other than the intended ones
    • Sniffing: Eavesdropping programs that monitor information travelling over a network, enabling hackers to steal proprietary information (emails, company files, etc.)

    System Vulnerability and Abuse – Denial-of-Service Attacks (DoS)

    • Flooding servers with false requests in order to crash the network
    • Distributed denial-of-service (DDoS) attacks: Using numerous computers to launch a DoS attack
    • Botnets: Networks of "zombie" PCs infiltrated by malware

    System Vulnerability and Abuse - Computer Crime

    • Any violations of criminal laws
    • Computers as targets (Confidentiality breaches, unauthorized access to data)
    • Computers as instruments (Theft, using emails for harassment)

    System Vulnerability and Abuse – Identity Theft and Phishing

    • Identity theft: Theft of personal information (social security number, driver's license, credit card numbers) in order to impersonate someone else
    • Phishing: Setting up fake websites or sending emails that ask for confidential data
    • Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections; a form of phishing

    System Vulnerability and Abuse – Pharming and Click Fraud

    • Pharming: Redirecting users to fake websites.
    • Click fraud: Fraudulently clicking on ads without any intention of learning about or purchasing the product

    System Vulnerability and Abuse – Internal Threats: Employees

    • Security threats originating inside the organization
    • Inside knowledge
    • Sloppy security procedures
    • Users' lack of knowledge
    • Social engineering: Tricking employees into revealing their passwords by pretending to be legitimate
    • Both specialists and end users are risk factors

    System Vulnerability and Abuse – Software Vulnerability

    • Commercial software contains flaws that create security vulnerabilities:
      • Hidden bugs (program code defects)
      • Zero defects cannot be achieved in practice
      • Flaws can open networks to intruders
    • Patches: Small pieces of software used to repair flaws
    • Patch management: Ensuring that updates which fix problems are applied

    Business Value of Security and Control

    • Failed computer systems can lead to significant or total loss of business function
    • Modern firms are highly vulnerable to cyberattacks, especially where confidential financial data is concerned
    • Trade secrets, new products, and business strategies are jeopardized by breaches
    • Security breaches can quickly decrease a firm's market value and lead to liability issues

    Data Breaches - Examples

    • Sweden: Government data breach from a failed IBM upgrade project
    • Singapore: SingHealth data breach compromising 1.5 million patients' data (including the Prime Minister's)
    • Malaysia: 46 million mobile account data breach
    • United Arab Emirates: Careem ride-sharing firm's massive data breach
    • United Kingdom: British Airways data breach

    Business Value of Security and Control - Legal and Regulatory Requirements

    • HIPAA: Medical security and privacy rules/procedures
    • Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to establish data security
    • Sarbanes-Oxley Act (SOX): Requires companies to ensure the accuracy and integrity of financial reporting

    Business Value of Security and Control - Electronic Evidence

    • Evidence for white-collar crimes is often digital (computers, emails, instant messaging, e-commerce)
    • Proper data controls are vital for legal discovery
    • Computer forensics: Scientific collection, examination, authentication, preservation, and analysis of digital data for use in legal discovery

    Organizational Frameworks for Security and Control

    • Information systems controls: Manual and automated controls, divided into general controls and application controls, that protect computer operations, programs, system integrity, and data
      • General controls
      • Application controls
    • Types of general controls: Hardware, software, computer operations, data security, implementation, and administrative controls

    Organizational Frameworks for Security and Control - Application Controls

    • Specific to business applications (payroll, ordering) to ensure authorized data processing
    • Input controls, processing controls, and output controls required for data accuracy

    Organizational Frameworks for Security and Control – Risk Assessment

    • Determines the level of risk to the firm if a specific activity or process is not properly controlled
    • Considers the types of potential threat, their probability and severity, and the potential losses associated with each
    • Expected annual loss is used to assess the risk

    Organizational Frameworks for Security and Control – Security Policy

    • Ranking potential risks, defining security goals and strategies
    • Other policies such as acceptable use policy (AUP) guidelines for hardware and software usage
    • Defining authorization policies that specify differing user access levels

    Organizational Frameworks for Security and Control – Identity Management

    • Business processes and tools for identifying valid users of the system and defining access controls
    • Differentiates categories of users and their levels of access rights to specific information
    • Identity management systems capture these rules

    Organizational Frameworks for Security and Control – Disaster Recovery Planning

    • Creating plans to restore disrupted services after a disaster
    • Business continuity planning focuses on restoring business operations after a disaster
    • Identifying company critical systems
    • Prioritizing systems for restoration effort

    Organizational Frameworks for Security and Control – Information Systems Audit

    • Examines the firm's overall security environment: control mechanisms, technologies, procedures, training, and personnel
    • May simulate a disaster to test the response; identifies vulnerabilities and estimates their probability of occurrence
    • Assesses the financial and organizational impact of each threat

    Sample Auditor's List of Control Weaknesses

    • Examples of recorded system weaknesses in a loan system that were evaluated and corrected by management

    COBIT 5 – An IT Governance Framework

    • A complex framework used for IT governance
    • Processes for evaluating, directing, monitoring IT
    • Key areas for IT Governance (Alignment, Planning, Organizing, Building....)

    Tools and Technologies for Safeguarding Information Resources - Identity Management Software

    • Automates user management, privileges, and access controls
    • Authenticating users and protecting their identities, controlling access

    Tools and Technologies for Safeguarding Information Resources - Authentication

    • Password systems
    • Tokens
    • Smart cards
    • Biometric authentication
    • Two-factor authentication

    Tools and Technologies for Safeguarding Information Resources - Firewalls

    • Combination of hardware and software preventing unauthorized access to private networks
    • Technologies include Static packet filtering, Stateful inspection, Network Address Translation (NAT), Application proxy filtering

    Tools and Technologies for Safeguarding Information Resources – Intrusion Detection Systems

    • Monitors hot spots on corporate networks to detect intruders
    • Detects and intervenes during active attacks

    Tools and Technologies for Safeguarding Information Resources - Antivirus/Antispyware

    • Checks for malware presence and often removes it
    • Requires continual updating

    Tools and Technologies for Safeguarding Information Resources – Unified Threat Management (UTM)

    • Integrated security systems including virus protection, intrusion detection, and other security measures

    Tools and Technologies for Safeguarding Information Resources - Securing Wireless Networks

    • WEP security vulnerabilities (easily cracked keys)
    • The Wi-Fi Alliance's WPA2 specification replaced WEP with stronger encryption standards that use longer keys and change them continually

    Tools and Technologies for Safeguarding Information Resources – Encryption

    • Transforming plain text into cipher text that is unreadable to unauthorized recipients
    • Methods: Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), Secure Hypertext Transfer Protocol (S-HTTP)

    Tools and Technologies for Safeguarding Information Resources – Symmetric/Public Key Encryption

    • Symmetric key encryption: Sender and receiver use a single shared key
    • Public key encryption: Uses two mathematically related keys (public & private), one for encryption and one for decryption

    Tools and Technologies for Safeguarding Information Resources – PGP

    • Pretty Good Privacy – an encryption and decryption procedure that uses public and private keys. It protects data in transit and at rest on a computer and is a method of securing digital messages

    Tools and Technologies for Safeguarding Information Resources - Digital Certificates

    • Used to establish identities and protect assets in online transactions
    • Trusted third parties, known as certification authorities (CAs), validate identities
    • The CA issues the certificate, which is then used to secure data and online transactions

    Tools and Technologies for Safeguarding Information Resources - Public Key Infrastructure (PKI)

    • Uses public key crypto with CA
    • Widely used in e-commerce

    Tools and Technologies for Safeguarding Information Resources - Ensuring System Availability

    • Online transaction processing requires continuous availability, provided by high-availability systems with fault tolerance
    • These incorporate redundant hardware, software, and power supply components

    Tools and Technologies for Safeguarding Information Resources - Controlling Network Traffic

    • Deep packet inspection (DPI) examines data streams
    • Identifies and blocks unwanted activity, such as low-priority traffic or video and music downloads
    • Security outsourcing to managed security vendors (MSPs)

    Tools and Technologies for Safeguarding Information Resources - Security in the Cloud

    • Responsibility for security rests with the company that owns the data
    • Firms must ensure that providers offer appropriate protection (methods for segregating data, adherence to privacy laws, security certifications)
    • Use service level agreements (SLAs) with cloud providers to protect data

    Tools and Technologies for Safeguarding Information Resources – Securing Mobile Platforms

    • Security policies for mobile devices, platforms, and applications
    • Mobile device management (MDM) tools control devices, maintain inventory, control updates, and enforce secure practices
      • Lock down or erase lost devices
      • Implement encryption procedures

    Tools and Technologies for Safeguarding Information Resources - Ensuring Software Quality

    • Use of software metrics to provide quantifiable performance measurements
    • Example metrics: online response time, payroll transaction analysis, and known bugs per hundred lines of code
    • Early and regular testing, including code walkthroughs
    • Debugging to correct program errors


    Description

    Test your knowledge on key aspects of business impact analysis, information systems audits, and IT governance frameworks. This quiz covers the essentials of security measures, vulnerabilities, and the benefits of implementing strong security protocols. Perfect for students and professionals in information technology and cybersecurity fields.