Ch. 4 - Information Security and Controls Flashcards
Security
degree of protection against criminal activity, danger, damage, or loss
information security
processes & policies that protect information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction
threat
any danger to which a system may be exposed
exposure
exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource
vulnerability
the possibility that a threat will harm the resource
5 factors contributing to vulnerability of organizational information resources
- today’s interconnected, interdependent, wirelessly networked business environment
- smaller, faster, cheaper computers + storage devices
- decreasing skills necessary to be a computer hacker
- international organized crime taking over cybercrime
- lack of management support
unintentional threats
- human errors
- social engineering
human errors
higher level employees + greater access privileges = greater threat
ex. HR and IS
examples of human mistakes
- carelessness with computing devices
- opening questionable emails
- careless internet surfing
- poor password selection and use
- carelessness with one’s office
- carelessness using unmanaged devices
- carelessness with discarded equipment
- careless monitoring of environmental hazards
social engineering
attack where the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords
ex. Kevin Mitnick (famous hacker)
deliberate threats
- espionage / trespass
- information extortion
- sabotage or vandalism
- theft of equipment or information
- identity theft
- compromises to intellectual property
- software attacks
- alien software
- supervisory control and data acquisition (SCADA) attacks
- cyberterrorism and cyberwarfare
virus
segment of computer code that performs malicious actions by attaching to another computer program
worm
segment of computer code that performs malicious actions and will replicate, or spread by itself (without requiring another computer program)
phishing attack
uses deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages
spear phishing
targets large groups of people
- perpetrators find as much information as possible on the individual, tailoring their phishing attacks to improve the chances they will obtain sensitive, private information
denial-of-service attack
attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function)
distributed denial-of-service attack
attacker takes over many computers. These computers are called zombies or bots. The attacker uses the bots to deliver a coordinated stream of information requests to a target computer, causing it to crash
trojan horse
software programs that hide in other computer programs and reveal their designed behaviour only when they are activated
back door (trap door)
typically a password (known only to the attacker), allowing them to access a computer system at will, without having to go through any security procedures
logic bomb
segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as at a certain time or date
alien software (pestware)
- adware
- spyware
- ex. keyloggers, screen scrapers
- spamware
- cookies
- tracking cookies
risk
probability that a threat will impact on information resources
How to protect information resources
- risk management
- risk analysis
- risk mitigation
risk mitigation
- risk acceptance
- risk limitation
- risk transference
categories of control
- control environment
- general controls
- application control
control environment
encompasses management attitudes toward controls, as evidenced by management actions, as well as by stated policies that address:
- ethical issues
- quality of supervision
physical controls
prevent unauthorized individuals from gaining access to a company’s facilities
ex. walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure/temperature/motion sensors
access controls
logical controls (implemented by software) help to provide controls such as
- authentication
- authorization
general controls
security is only one aspect of operational control (part of general controls)
password controls
- control environment: policies that enforce the proper management of user codes and passwords
- general control: security system that requires a user ID and password to “log on”
- functional application control: separate passwords for sensitive functions
authentication
something the user is, has, does and knows
ex. passwords
communication controls
- firewalls
- anti-malware systems
- whitelisting and blacklisting
- encryption
- virtual private networking
- transport layer security (TLS)
- employee monitoring systems
application controls
controls that apply to individual applications
- input, processing and output
business continuity planning (BCP)
- provide continuous availability
- be able to recover in the event of a hardware or software failure or attack
- ensure that critical systems are available and operating
disaster recovery plan
how to respond to unintentional hazards
- hot site
- warm site
- cold site