IT Security Incident Overview


Questions and Answers

Why is the increasing complexity of computing environments a significant factor in the prevalence of computer incidents?

  • It centralizes all security protocols into a single manageable system.
  • It decreases the number of potential entry points for attacks.
  • It reduces the need for regular software updates.
  • It increases the number of potential entry points for attacks. (correct)

Which type of exploit is characterized by its ability to spread independently across networks without requiring a host file?

  • Virus
  • Worm (correct)
  • Trojan Horse
  • Rootkit

What is the primary difference between a 'hacker' and a 'cracker'?

  • Hackers always work for government agencies.
  • Crackers use their skills for personal gain or to cause harm, while hackers often aim to test system limitations out of curiosity. (correct)
  • Crackers report vulnerabilities to improve security, whereas hackers exploit them for malicious purposes.
  • Hackers only target large corporations, while crackers focus on individual users.

In the context of IT security, what does a 'zero-day attack' refer to?

  • An attack that exploits a vulnerability before a patch or fix is available. (correct)

What is the role of 'intrusion prevention systems' in an organization's security infrastructure?

  • To block viruses and other threats. (correct)

Which of the following best describes the term 'phishing'?

  • A fraudulent attempt to obtain sensitive information by disguising as a trustworthy entity. (correct)

What is the main objective of a 'Distributed Denial of Service' (DDoS) attack?

  • To overwhelm a target system with traffic, making it unavailable. (correct)

Which of the following actions best describes the role of an 'industrial spy'?

  • Infiltrating a rival company to steal trade secrets. (correct)

What is the purpose of 'risk assessment' in the context of computer security?

  • To assess security-related risks and focus security efforts on areas of highest payoff. (correct)

What is the primary goal of 'computer forensics'?

  • To identify, collect, examine, and preserve data so that it is admissible as evidence in court. (correct)

What is the significance of implementing a 'layered security' approach?

  • It provides multiple security measures, so that if one fails, others are in place to provide protection. (correct)

What is the main purpose of establishing a security policy?

  • To define an organization's security requirements, controls, and expected behavior. (correct)

Which of the following best describes the 'principle of least privilege'?

  • Limiting user access to only the resources necessary to perform their job duties. (correct)

Why is it important for organizations to educate employees about security policies?

  • To ensure employees understand and follow the policies, helping to protect information systems. (correct)

What is the primary focus of the 'containment and eradication' phase in responding to a security incident?

  • To act quickly to collect evidence, verify backups, and limit the scope of the incident. (correct)

An employee receives an email that appears to be from their bank, asking them to verify their account details. Which type of exploit does this scenario likely represent?

  • Phishing (correct)

A group of activists defaces a government website to protest against a policy. What type of perpetrator are they considered?

  • Hacktivist (correct)

Delays in installing updates on commercial software can lead to what type of security vulnerability?

  • Systems exposed to known vulnerabilities (correct)

Which security measure limits network access to only authorized users?

  • Corporate Firewall (correct)

Which of the following is a critical element of trustworthy computing?

  • Secure computing (correct)

High user expectations for seamless access and support can lead to what in terms of IT security?

  • Security lapses (correct)

What is the potential risk of users sharing login IDs and passwords?

  • Compromised security (correct)

What is the role of patches in maintaining computer security?

  • They fix known vulnerabilities. (correct)

Which type of exploit disguises as legitimate software to trick users into installing it?

  • Trojan horse (correct)

Which type of perpetrator is motivated by testing system limits?

  • Hacker (correct)

What is the key factor to consider when implementing security measures?

  • Ease of use vs. increased security (correct)

What should automated system policies mirror?

  • Written policies (correct)

What is a primary goal to achieve after a security breach?

  • To prevent recurrence. (correct)

What should businesses do after an IT incident?

  • All of the above (correct)

Rapid technological changes affect computer incidents by making it hard for organizations to ____.

  • Keep up with security measures (correct)

What should a risk assessment identify to best protect from the most likely and serious threats?

  • Security investments (correct)

When help desks skip verifying user IDs or authorizations under pressure it leads to ____.

  • Verification lapses (correct)

What can delays in installing updates lead to?

  • System exposure (correct)

A set of tools that enables unauthorized access to a computer while hiding its presence is a ____.

  • Rootkit (correct)

What does a computer forensics investigation require?

  • Extensive training and certification (correct)

Which of the following poses the most risk to IT security?

  • Private customer and employee data (correct)

Cloud computing and virtualization affect computer incidents by ____.

  • Adding new layers of complexity and vulnerabilities (correct)

What is a critical element of implementing trustworthy computing?

  • Sound business practices (correct)

What does IT security safeguard?

  • Confidential business data (correct)

Flashcards

Safeguarding in IT Security

Protecting confidential business, customer, and employee data against theft or disruption, balanced with business needs.

Complex IT Environment

The computing environment's increasing complexity offers more entry points for cyber attacks.

Cloud and Virtualization Risks

Technologies that introduce new layers of complexity and potential vulnerabilities.

User Expectations vs. Security

High demands for easy access and quick support, which can lead to security oversights.

Dangers of Shared Credentials

Sharing login IDs and passwords compromises security and destroys accountability for what an account does.

Verification Lapses

Skipping user ID or authorization checks under pressure can lead to security breaches.

Network Era Risks

Connecting to vast networks shares information widely, increasing vulnerabilities.

Technological Advancements vs. Security

Rapid advancements make it hard to keep security measures up to date.

Known Software Vulnerabilities

Many software products contain flaws that can be exploited.

Software Exploits

Attackers exploit known flaws in software.

Dangers of Delaying Patches

Delaying updates leaves systems open to exploits of vulnerabilities that already have a fix.

Zero-Day Attacks

Attacks that exploit a vulnerability before the vendor has released a fix for it.

Virus

Malicious code that attaches to a host file and spreads when that file is executed.

Worm

Self-replicating program that spreads across networks without needing a host file.

Trojan Horse

Malicious program disguised as legitimate software.

Distributed Denial of Service (DDoS)

Overwhelming a system with traffic from multiple sources so that it becomes unavailable.

Rootkit

Set of tools enabling privileged, unauthorized access to a computer while hiding its presence.

Spam

Unsolicited, irrelevant messages sent over the internet.

Phishing

Fraudulent attempts to get sensitive information by pretending to be a trustworthy entity.

Spear-phishing

Fraudulent emails tailored to and targeting specific employees of an organization.

Smishing

Phishing via text messages.

Vishing

Phishing via phone calls or voice mail messages.

Hacker

Someone who uses technical skills to gain unauthorized access, often to test system limits.

Cracker

Similar to a hacker but with malicious intent to cause harm or for personal gain.

Malicious Insider

Someone within an organization who misuses legitimate access to cause harm or steal data.

Industrial Spy

Gathers confidential information from rivals to gain a business advantage.

Cybercriminal

Engages in illegal online activities such as fraud and identity theft for financial gain.

Hacktivist

Uses hacking to promote political or social causes.

Cyberterrorist

Uses the internet to conduct terrorist activities that cause widespread disruption.

Trustworthy Computing

Delivering secure, private, and reliable computing based on sound business practices.

Security System Elements

Combining technology, policy, and trained people.

Risk Assessment

Process that assesses an organization's computer and network risks and identifies the security investments that best protect against the most likely and serious threats.

Security Policy Definition

A plan that defines an organization's security requirements, controls, and expected behavior.

Security Education for Employees

Motivating and teaching users to follow policy, discussing recent incidents, and enforcing security.

Layered Security

Using multiple security measures across an IT system so that if one fails, others still protect it.

Corporate Firewall

Network traffic control that limits the access points into a network.

Antivirus Software

Programs that scan for known virus signatures.

IT Security Audits

Evaluating policies, reviewing access levels, and testing safeguards.

Intrusion Detection

Monitoring system and network activity to identify and report a possible intrusion while it is under way.

Containment and Eradication

Act quickly to collect evidence, verify backups, and limit the scope of the incident.

Computer Forensics

Combines law and computer science to identify, collect, examine, and preserve data so that it is admissible as evidence.

Study Notes

IT Security Incidents

  • Information technology security is paramount.
  • It is vital to safeguard confidential business, customer, and employee data.
  • Protection from malicious theft or disruption must be counterbalanced with business demands.
  • Data breaches in corporations such as Facebook and LinkedIn exemplify potential risks.

Prevalence of Computer Incidents

  • The computing environment's increasing complexity raises the likelihood of attacks.
  • Shared credentials and verification lapses jeopardize security.
  • Cloud computing and virtualization add complexity and vulnerabilities.
  • User expectations for quick support may cause security oversights.
  • Personal computers connect to networks and broadly share information.
  • Rapid technological advancements can make staying up-to-date with security measures difficult.
  • Known software flaws are exploited by attackers.
  • Delayed software updates leave systems exposed to known vulnerabilities.
  • Zero-day attacks exploit vulnerabilities for which no fix is yet available.
  • Companies continue to run software with known vulnerabilities.

Types of Exploits

  • Viruses: Malicious code that attaches to a host file and spreads when the file is executed; email attachments are a common carrier.
  • Worms: Self-replicating programs that spread across networks without a host file; some carry payloads that encrypt files on infected systems.
  • Trojan Horses: Malicious software disguised as legitimate programs; a common use is stealing online banking credentials.
  • Distributed Denial of Service (DDoS): Overwhelms systems with traffic from many sources, disrupting major websites, such as the 2016 attack on Dyn that disrupted Twitter and Netflix.
  • Rootkits: Sets of tools that give an attacker privileged access to a computer while hiding their presence; they have been used in attacks on industrial control systems.
  • Spam: Unsolicited, irrelevant messages sent over the internet, typically promoting dubious products.
  • Phishing: Fraudulently obtaining sensitive information by impersonating a trustworthy entity.
  • In spear-phishing, fraudulent emails are tailored to and sent to specific employees of a target organization.
  • Smishing is phishing via text messages.
  • Vishing is phishing via phone calls or voice mail messages.

Types of Perpetrators

  • Perpetrators include thrill seekers, common criminals, industrial spies, and terrorists.
  • They all have different objectives, access to resources, and willingness to take risks.
  • Hackers use technical skills to gain unauthorized access and test systems.
  • Crackers are similar to hackers but are malicious.
  • Malicious Insiders use their organizational roles to harm systems.
  • Industrial Spies steal confidential information from competing companies.
  • Cybercriminals engage in fraud, identity theft, and malware distribution.
  • Hacktivists use hacking to promote ideologies.
  • Cyberterrorists use the internet to conduct terrorist activities.

Classifying Perpetrators of Computer Crime

  • Hackers test system limits or gain publicity.
  • Crackers cause problems, steal data, and corrupt systems.
  • Malicious insiders can cause financial loss and disrupt company functions.
  • Industrial spies capture trade secrets and achieve competitive advantages.
  • Cybercriminals aim to gain financially.
  • Hacktivists promote a political ideology.
  • Cyberterrorists aim to destroy infrastructure components of institutions.

Implementing Trustworthy Computing

  • Trustworthy computing delivers secure, private, and reliable computing, based on sound business practices.
  • Security of any system is a mix of technology, policy, and people.
  • Systems have to be monitored to detect potential intrusions.
  • A clear reaction plan includes notification, containment, eradication, and recovery.

Risk Assessment

  • Risk assessments cover an organization's computers and networks and both internal and external threats.
  • The process identifies the security investments that best protect against the most likely and most serious threats.
  • Security effort is focused where the payoff is highest.
  • The risk assessment process has eight steps:
  1. Identify the assets of most concern
  2. Identify the loss events that could occur
  3. Assess the likelihood of each potential threat
  4. Determine the impact of each threat
  5. Determine how each threat could be mitigated
  6. Assess the feasibility of each mitigation option
  7. Perform a cost-benefit analysis
  8. Decide which countermeasures to implement
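The eight steps above can be carried through as a small calculation. The following is an added example, not part of the original notes: it uses the standard annualized loss expectancy formula (ALE = single loss expectancy x annualized rate of occurrence) to score each feasible countermeasure by net annual benefit and pick the one to implement. The asset, loss event, likelihoods, costs and reduction factors are constructed figures, not real statistics.

```python
from dataclasses import dataclass


@dataclass
class LossEvent:
    """Steps 1-4: an asset of concern, a loss event, its likelihood and its impact."""
    asset: str
    description: str
    aro: float   # annualized rate of occurrence (expected events per year)
    sle: float   # single loss expectancy (cost of one occurrence, in currency units)


@dataclass
class Countermeasure:
    """Steps 5-6: how a threat could be mitigated and whether that option is feasible."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of the likelihood removed (0..1)
    sle_reduction: float = 0.0  # fraction of the per-event impact removed (0..1)
    feasible: bool = True


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected yearly loss from one loss event."""
    return sle * aro


def evaluate(event: LossEvent, options: list[Countermeasure]):
    """Steps 7-8: cost-benefit analysis of each feasible option and the decision.

    Net benefit = (ALE before) - (ALE after) - (annual cost of the control).
    Returns the baseline ALE, every feasible option with its net benefit, and the
    best option, or None if no feasible option pays for itself.
    """
    baseline = annual_loss_expectancy(event.sle, event.aro)
    scored = []
    for cm in options:
        if not cm.feasible:
            continue  # step 6: infeasible options drop out before costing
        residual = annual_loss_expectancy(
            event.sle * (1 - cm.sle_reduction),
            event.aro * (1 - cm.aro_reduction),
        )
        scored.append((cm.name, round(baseline - residual - cm.annual_cost, 2)))
    scored.sort(key=lambda item: item[1], reverse=True)
    best = scored[0] if scored and scored[0][1] > 0 else None
    return baseline, scored, best


# Constructed example figures, not real statistics.
EVENT = LossEvent(
    asset="customer database",
    description="ransomware encrypts the database and halts order processing",
    aro=0.5,        # once every two years
    sle=200_000.0,  # downtime, recovery and notification costs per incident
)

OPTIONS = [
    Countermeasure("Offline, tested backups", annual_cost=15_000, sle_reduction=0.75),
    Countermeasure("Endpoint detection and response", annual_cost=40_000, aro_reduction=0.6),
    Countermeasure("Air-gapped network", annual_cost=5_000, aro_reduction=0.95, feasible=False),
]

if __name__ == "__main__":
    baseline, scored, best = evaluate(EVENT, OPTIONS)
    print(f"Baseline ALE for {EVENT.asset!r}: {baseline:,.0f}")
    for name, net in scored:
        print(f"  {name:32s} net annual benefit {net:>10,.0f}")
    print("Decision:", best[0] if best else "accept the risk")
```

With these figures the baseline ALE is 100,000 per year; backups that cut the per-incident impact by three quarters return a net 60,000, the detection tooling returns 20,000, and the air-gap never reaches the cost-benefit step because it failed the feasibility test. A control whose annual cost exceeds the loss it prevents produces a negative net benefit and the function recommends accepting the risk instead.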

Security Policy

  • A security policy defines security requirements, controls, and sanctions
  • It delineates responsibilities and expected behavior
  • The policy outlines what needs to be done
  • Automated system policies and written policies should mirror each other
  • Security policies must find a balance between ease of use and increased security
  • Areas of concern include email attachments and wireless devices

Employee Education

  • Educate and motivate users to follow policy.
  • Discussions must include recent security incidents.
  • Keeping information systems secure involves protecting passwords.
  • Protection also requires controls to protect data, reporting unusual activity, and safeguarding portable devices

Prevention

  • Layered Security: Use multiple security measures.
  • Corporate Firewall: Limits network access.
  • Intrusion Prevention Systems: Block viruses and other threats before they reach protected systems.
  • Antivirus Software: Scans for known virus signatures.
  • Insider Safeguards:
    • Delete the accounts of departing employees.
    • Define roles.
    • Separate duties and limit user authority.
  • IT Security Audits
    • Evaluate policies.
    • Review access levels.
    • Test safeguards.
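The insider safeguards and the access review in an IT security audit can be expressed as a check that compares what the directory has actually granted against what HR and the role definitions say it should be. The following is an added example, not from the original notes: the roster, role definitions, entitlement names and toxic combinations are constructed data, and the account names are hypothetical.

```python
# Constructed data, not from a real directory or HR system.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"vendor.read", "payment.create"},
    "ap_approver":      {"vendor.read", "payment.approve"},
    "sysadmin":         {"server.admin", "vendor.read"},
}

# Pairs of entitlements one person must never hold together (separation of duties).
TOXIC_COMBINATIONS = [
    ({"payment.create", "payment.approve"}, "create and approve the same payment"),
    ({"vendor.create", "payment.create"}, "add a vendor and pay it"),
]

# HR roster of current staff and their defined role; departed staff are simply absent.
HR_ROSTER = {"alice": "accounts_payable", "bob": "ap_approver", "carol": "sysadmin"}

# Accounts and entitlements as actually granted in the directory.
DIRECTORY = {
    "alice": {"vendor.read", "payment.create"},
    "bob":   {"vendor.read", "payment.approve", "payment.create"},  # drift beyond the role
    "carol": {"server.admin", "vendor.read"},
    "dave":  {"server.admin"},                                      # left last month
}


def audit(roster, directory, roles, toxic):
    """Return (finding, account, detail) tuples, sorted so the output is stable."""
    findings = []
    for account, granted in directory.items():
        role = roster.get(account)
        if role is None:
            # Departed staff: the account should have been disabled or deleted.
            findings.append(("orphaned-account", account, ", ".join(sorted(granted))))
            continue
        excess = granted - roles[role]
        if excess:
            # Least privilege: entitlements the defined role does not justify.
            findings.append(("excess-privilege", account, ", ".join(sorted(excess))))
        for combo, why in toxic:
            if combo <= granted:
                findings.append(("separation-of-duties", account, why))
    return sorted(findings)


def accounts_to_disable(roster, directory):
    """The offboarding list: every account with no current owner in HR."""
    return sorted(set(directory) - set(roster))


if __name__ == "__main__":
    for finding in audit(HR_ROSTER, DIRECTORY, ROLE_ENTITLEMENTS, TOXIC_COMBINATIONS):
        print(finding)
    print("disable:", accounts_to_disable(HR_ROSTER, DIRECTORY))
```

Run against the constructed data it reports three findings: dave's orphaned account, bob's extra payment.create entitlement, and the resulting ability to both create and approve a payment. Removing dave and trimming bob back to his role empties the report, which is the state an access review should leave behind.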

Detection

  • Detection systems catch intruders in the act.
  • Intrusion detection systems monitor system and network resources and activities.
  • They notify the appropriate authority when they identify a threat.
  • The threat may be an intrusion originating from outside or misuse from within.
  • Both knowledge-based (signature) and behavior-based (anomaly) approaches are used.
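The difference between the two detection approaches is easiest to see over real-looking log lines. The following is an added example, not from the original notes: it parses constructed sshd log lines, applies a knowledge-based detector (known-bad source addresses and commonly probed account names) and a behavior-based detector (a failed-login threshold per source and logins from addresses a user has never used), and shows that each approach catches something the other misses. The log lines, indicator lists and baseline are all constructed.

```python
import re
from collections import Counter

# Constructed sshd log lines (syslog-style), not from a real system.
SAMPLE_LOG = """\
2024-03-04T02:14:01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
2024-03-04T02:14:02 sshd[812]: Failed password for root from 203.0.113.5 port 4022 ssh2
2024-03-04T02:14:03 sshd[812]: Failed password for invalid user test from 203.0.113.5 port 4023 ssh2
2024-03-04T02:14:04 sshd[812]: Failed password for invalid user oracle from 203.0.113.5 port 4024 ssh2
2024-03-04T02:14:05 sshd[812]: Failed password for invalid user guest from 203.0.113.5 port 4025 ssh2
2024-03-04T02:14:06 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4026 ssh2
2024-03-04T02:14:09 sshd[812]: Accepted password for alice from 203.0.113.5 port 4033 ssh2
2024-03-04T08:02:11 sshd[901]: Accepted publickey for deploy from 10.0.0.8 port 51022 ssh2
2024-03-04T08:05:40 sshd[903]: Failed password for bob from 198.51.100.7 port 61000 ssh2
2024-03-04T09:00:00 sshd[910]: Accepted publickey for alice from 10.0.0.21 port 50100 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Knowledge base (constructed): a threat-intelligence indicator and commonly probed account names.
KNOWN_BAD_SOURCES = {"198.51.100.7"}
COMMONLY_PROBED_USERS = {"admin", "root", "test"}

# Behaviour baseline (constructed): the source addresses each user normally logs in from.
BASELINE_SOURCES = {"alice": {"10.0.0.21"}, "deploy": {"10.0.0.8"}}


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def knowledge_based(events):
    """Signature matching: fire on any event that matches a known-bad indicator."""
    alerts = []
    for e in events:
        if e["src"] in KNOWN_BAD_SOURCES:
            alerts.append(("known-bad-source", e["src"], e["user"]))
        elif e["result"] == "Failed" and e["user"] in COMMONLY_PROBED_USERS:
            alerts.append(("probed-account", e["src"], e["user"]))
    return alerts


def behavior_based(events, failure_threshold=5):
    """Anomaly detection: fire on deviations from normal behaviour, not on signatures."""
    alerts = []
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    for src, count in failures.items():
        if count >= failure_threshold:
            alerts.append(("brute-force", src, f"{count} failures"))
    for e in events:
        if e["result"] == "Accepted" and e["src"] not in BASELINE_SOURCES.get(e["user"], set()):
            alerts.append(("login-from-new-source", e["src"], e["user"]))
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for name, detector in (("knowledge-based", knowledge_based), ("behavior-based", behavior_based)):
        print(f"{name}:")
        for alert in detector(evts):
            print("  ", alert)
```

The single failed login from the listed address 198.51.100.7 is caught only by the signature rule, because one failure is far below any sensible brute-force threshold. The successful login as alice from 203.0.113.5, which follows six failures from that address, is caught only by the behavior rule, because nothing about the line itself matches a known indicator. A production IDS combines both for exactly this reason.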

Response

  • Responses should be developed in advance and approved by legal counsel and senior management.
  • The primary goals are to regain control and limit the damage.
  • Define who to notify and avoid unnecessary public disclosure.
  • Record all events and actions taken for documentation.
  • Containment and eradication: act quickly to collect evidence, verify backups, and limit the scope of the incident.
  • Follow-up: determine the cause of the event and take action to prevent recurrence.
  • Review and assess the incident and the response to it.
  • Efforts should be made to identify and capture the perpetrator.
  • Negative publicity and legal accountability need to be considered.

Computer Forensics

  • Combines elements of law and computer science to ensure admissible evidence.
  • Investigation requires extensive training, certification, and knowledge of relevant laws.
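Evidence is only admissible if it can be shown not to have changed between acquisition and examination, which in practice means hashing it at acquisition and re-hashing before every examination, with each step recorded in a chain-of-custody log. The following is an added example, not from the original notes: it hashes a constructed byte string standing in for an acquired disk image (a real acquisition would read the device or image file), logs custody entries, and shows that a single flipped bit fails verification. The examiner and item identifiers are hypothetical.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image, not real evidence.
EVIDENCE_IMAGE = b"\x00" * 512 + b"MBR and partition data (constructed sample)" + b"\xff" * 64


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash of the evidence; any change to the data changes the digest."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(who: str, action: str, digest: str) -> dict:
    """One line of the chain-of-custody log: who did what, when, and the hash they observed."""
    return {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "who": who,
        "action": action,
        "sha256": digest,
    }


def acquire(data: bytes, examiner: str, item_id: str) -> dict:
    """Record the acquisition hash and open the chain-of-custody log for an evidence item."""
    digest = sha256_hex(data)
    return {
        "item_id": item_id,
        "sha256": digest,
        "custody": [custody_entry(examiner, "acquired and hashed", digest)],
    }


def verify(record: dict, data: bytes, examiner: str) -> bool:
    """Re-hash before examination; log the outcome either way so the record stays complete."""
    digest = sha256_hex(data)
    intact = digest == record["sha256"]
    record["custody"].append(
        custody_entry(examiner, "verified: match" if intact else "verified: MISMATCH", digest)
    )
    return intact


if __name__ == "__main__":
    record = acquire(EVIDENCE_IMAGE, "examiner-1", "HDD-0001")
    print("acquisition hash:", record["sha256"])
    print("working copy intact:", verify(record, bytes(EVIDENCE_IMAGE), "examiner-2"))
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[600] ^= 0x01  # flip one bit in the copy
    print("tampered copy intact:", verify(record, bytes(tampered), "examiner-2"))
    for entry in record["custody"]:
        print(entry)
```

The mismatch is logged rather than silently discarded: a gap in the custody record is itself grounds for challenging the evidence, so the log must show every verification, successful or not. Examination work is done on verified copies, never on the original.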

Key Summary Points

  • Deciding which information systems and data most need safeguarding involves ethical decisions.
  • Prevalent computer exploits include viruses, worms, Trojan horses, DDoS, rootkits, spam, and phishing.
  • Perpetrators encompass hackers, crackers, malicious insiders, industrial spies, cybercriminals, hacktivists, and cyberterrorists.
  • Multilayer processes should manage security vulnerabilities through assessment, action, and education.
  • IT leadership is essential for implementing security policies, procedures, hardware, and software.
  • Computer forensics is vital for justice in computer crime cases.
