Ch. 4 - Information Security and Controls

Question 1

Security

Answer 1

degree of protection against criminal activity, danger, damage, or loss

Question 2

information security

Answer 2

processes & policies that protect information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction

Question 3

threat

Answer 3

any danger to which a system may be exposed

Question 4

exposure

Answer 4

exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource

Question 5

vulnerability

Answer 5

the possibility that a threat will harm the resource

Question 6

5 factors contributing to vulnerability of organizational information resources

Answer 6

1. today’s interconnected, interdependent, wirelessly networked business environment
2. smaller, faster, cheaper computers + storage devices
3. decreasing skills necessary to be a computer hacker
4. international organized crime taking over cybercrime
5. lack of management support

Question 7

unintentional threats

Answer 7

• human errors

- social engineering

Question 8

human errors

Answer 8

higher level employees + greater access privileges = greater threat

ex. HR and IS

Question 9

examples of human mistakes

Answer 9

• carelessness with computing devices
• opening questionable emails
• careless internet surfing
• poor password selection and use
• carelessness with one’s office
• carelessness using unmanaged devices
• carelessness with discarded equipment
• careless monitoring of environmental hazards

Question 10

social engineering

Answer 10

attack where the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords

ex. Kevin Mitnick (famous hacker)

Question 11

deliberate threats

Answer 11

• espionage / trespass
• information extortion
• sabotage or vandalism
• theft of equipment or information
• identity theft
• compromises to intellectual property
• software attacks
• alien software
• supervisory control and data acquisition (SCADA) attacks
• cyberterrorism and cyberwarfare

Question 12

virus

Answer 12

segment of computer code that performs malicious actions by attaching to another computer program

Question 13

worm

Answer 13

segment of computer code that performs malicious actions and will replicate, or spread by itself (without requiring another computer program)

Question 14

phishing attack

Answer 14

uses deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages

Question 15

spear phising

Answer 15

targets large groups of people

• perpetrators find as much information on the individual, tailoring their phishing attacks to improve the chances they will obtain sensitive, private information

Question 16

denial-of-service attack

Answer 16

attacker sends so many information requests to a target computer system that the target cannot handle them successful and typical crashes (ceases to function)

Question 17

distributed denial-of-service attack

Answer 17

attacker takes over many computers. These computers are called zombies or bots. The attacker uses bots to deliver coordinated stream of information requests to a target computer, causing it to crash

Question 18

trojan horse

Answer 18

software programs that hide in other computer programs and reveal their designed behaviour only when they are activiated

Question 19

back door (trap door)

Answer 19

typically a password (known only to the attacker), allowing them to access a computer system at will, without having to go through any security procedures

Question 20

logic bomb

Answer 20

segment of computer code that is embedded within an organizations existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as at a certain time or date

Question 21

alien software (pestware)

Answer 21

• adware
• spyware
  
  • ex. keyloggers, screen scrapers
• spam ware
• cookies
  
  • tracking cookies

Question 22

risk

Answer 22

probability that a threat will impact on information resources

Question 23

How to protect information resources

Answer 23

• risk management
• risk analysis
• risk mitigation

Question 24

risk mitigation

Answer 24

• risk acceptance
• risk limitation
• risk transference

Question 25

categories of control

Answer 25

• control environment
• general controls
• application control

Question 26

control environment

Answer 26

encompasses management attitudes toward controls, as evidenced by management actions, as well as by stated policies that address:

• ethical issues
• quality of supervision

Question 27

physical controls

Answer 27

prevent unauthorized individuals from gaining access to a company’s facilities

ex. walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure/temperature/motion sensors

Question 28

access controls

Answer 28

logical controls (implemented by software) help to provide controls such as

• authentication
• authorization

Question 29

general controls

Answer 29

security is only one aspect of operational control (part of general controls)

Question 30

password controls

Answer 30

1. control environment: policies that enforce the proper management of user codes and passwords
2. general control: security system that requires a user ID and password to “log on”
3. functional application control: separate passwords for sensitive functions

Question 31

authentication

Answer 31

something the user is, has, does and knows

ex. passwords

Question 32

communication controls

Answer 32

• firewalls
• anti-malware systems
• whitelisting and blacklisting
• encryption
• virtual private networking
• transport layer security (TLS)
• employee monitoring systems

Question 33

application controls

Answer 33

controls that apply to individual applications

- input, processing and output

Question 34

business continuity planning (BCP)

Answer 34

• provide continuous availability
• be able to recover in the event of a hardware or software failure or attack
• ensure that critical systems are available and operating

Question 35

disaster recovery plan

Answer 35

how to respond to unintentional hazards

• hot site
• warm site
• cold site