Ch 4-Risk Management and Info security Flashcards
security
A degree of protection against criminal activity, danger, damage, or loss
- Information security
Processes & policies that protect information and systems from unauthorized access, use, disclosure,
disruption, modification, or destruction
- Threat
- Any danger to which a system may be exposed
- Exposure
- Exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource
- Vulnerability
- Is the possibility that a threat will harm that resource
what 5 things make today's info resources vulnerable
1) interconnected, interdependent business environment
2) smaller, faster, cheaper computers and storage devices
3) decreasing skills needed to be a hacker
4) international organized crime taking over cybercrime
5) lack of management support
human error
who poses the higher risk in the employee hierarchy
higher-level employees! they have greater access privileges = greater threat
what 2 areas in the company structure pose significant threats
HR
IS
what other general areas of threat exist in a company
contract labour
consultants
janitors
guards
what is social engineering
An attack in which the perpetrator uses social skills to trick or manipulate
legitimate employees into providing confidential company information such as
passwords
what are deliberate threats to info systems
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
- Identity theft
- Compromises to intellectual property
- Software attacks
- Alien software
- Supervisory control and data acquisition (SCADA) attacks
- Cyberterrorism and cyberwarfare
what is alien software (pestware)
adware
spyware
spamware
cookies
what are orgs trying to do to protect info resources
risk: probability that a threat will impact an info resource
THEY DO RISK MANAGEMENT, ANALYSIS, MITIGATION
what is risk mitigation
risk acceptance, risk limitation, risk transference
acceptance: accept the potential risk, absorb damages
limitation: implement controls to minimize impact
transference: transfer the risk by getting insurance
what are the categories of controls
control environment
general controls: security controls
application controls
control environment
Encompasses management attitudes toward controls, as evidenced by management actions, as well as by stated policies that address:
* Ethical issues
* Quality of supervision
what are physical controls
- Prevent unauthorized individuals from gaining access to a company’s facilities
Examples:
* Walls, doors, fencing, gates, locks
* Badges, guards, alarm systems
* Pressure sensors, temperature sensors, motion sensors
what are access controls
- Logical controls (implemented by software) help to provide controls such as:
- Authentication
- Authorization
can be physical or logical controls (software)
Access & Communications Controls Help to Prevent Identity Theft
Using confidential information such as passwords, driver's licences, or medical records to assume someone else's identity
* The thief applies for credit cards, mortgages, or passports
* Example controls include: physical security, access security, and encryption
* The Office of the Privacy Commissioner of Canada tells businesses how to reduce the risk of identity theft and how to respond (priv.gc.ca/en)
Password Controls Need to be Supported at All 3 Control Levels
1. Control environment: Policies that enforce the proper management of user codes and passwords
2. General control: A security system that requires a user ID and password to "log on"
3. Functional application control: Separate passwords for sensitive functions, e.g., employee raises or write-off of customer accounts
Authentication
- Something the user is
- Something the user has
- Something the user does
- Something the user knows
Communication Controls
- Firewalls: prevent a specific type of information from moving
- DMZ: between 2 firewalls
- Anti-malware systems
- Whitelisting and blacklisting
- Encryption
- Virtual private networking
- Transport layer security (TLS)
- Employee monitoring systems
Application Controls
- Controls that apply to individual applications (functional areas), e.g., payroll
- The text describes three categories: input, processing, output
- It is more common to consider the purpose of application controls for input, processing, and output using: accuracy, completeness, authorization, and an audit trail (documentation)
EXAMPLES OF APPLICATION CONTROLS
* Input: Edits that check for reasonable data ranges (accuracy)
* Processing: Automatically check that each line of an invoice adds to the total (accuracy for total and completeness of line items)
* Output: Supervisor reviews payroll journal for unusual amounts (exceptions) before cheques are printed (authorization)
Business Continuity Planning (BCP)
* Disaster recovery plan
* Hot site
* Warm site
* Cold site
- BCP's purpose:
- Provide continuous availability
- Be able to recover in the event of a hardware or software failure or attack (e.g., due to ransomware)
- Ensure that critical systems are available and operating
Personal Information Asset Protection
- Before deciding upon potential actions you need to take
- Do an inventory of information you are using, storing, or accessing
- Relate your inventory to a personal risk assessment
- Use Table 4.4 to help enable changes to your methods of protecting your personal information assets
do small businesses or big businesses get hurt more from a data breach
small!
what is a trusted network
internal to your org
what is an untrusted network
external to your org
FIN7 hacking group
has hacked a bunch of stuff
2 categories of threats to info systems
intentional
unintentional
draw the cloud visual on cs
Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks them to “hold the door.”
Shoulder surfing occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes.
espionage and trespass
when an unauthorized individual attempts to gain illegal access to organizational information
Competitive intelligence= legal information-gathering techniques, such as studying a company’s website and press releases, attending trade shows, and similar actions.
industrial espionage = illegal
info extortion
threatens to steal / actually steals info and asks for money
sabotage/vandalism
defacing info systems and making customers lose faith in operations
what is ransomware
you won't have access to your data until you pay
Spear phishing emails
carefully tailored to look as convincing as possible, so they appear no different from any other email the victim might receive.
ransomware as a service
original creators publish the software on the Dark Web, allowing other criminals to use the code in return for receiving 40 to 50 percent of each ransom paid.
2 types of ransomware
- The first variant offers the decryption key to a victim if the victim provides a link to the ransomware to two other people or to companies that pay the ransom.
- hackers pretend to be job hunters in an effort to infect corporate human resources systems
doxing
threat to release data to the public
how to protect against ransomware
-training and education
-backup often
-real time monitoring
alien software/pestware
not as bad as viruses but uses resources
ex: adware = just ads
spyware
collecting data
keyloggers
record individual keystrokes and personal info
countermeasure for keyloggers
CAPTCHA
cookies
small amounts of info that are important for online shopping in carts
tracking cookies track your path through a website
SCADA: supervisory control and data acquisition
monitors and controls chemical, physical, and transport processes
these attacks are on power plants
what is risk analysis
1) assess the value of each asset being protected
2) estimate the probability that each asset will be compromised
3) compare the cost of compromise to the cost of protection
biometrics types
active: need to physically participate (eyes, fingerprints)
passive: no need for active participation (voice recognition, behavioural ID)
A passphrase is a series of characters that is longer than a password but is still easy to memorize
whitelisting
only specific software is allowed to run
blacklisting
everything can run except xyz software
encryption
converting the original message into a form that can't be read by anyone except the receiver
- public key encryption / asymmetric encryption (2 keys): public key = locking key, private key = unlocking key
Although this arrangement is adequate for personal information, organizations that conduct business over the Internet require a more complex system. In these cases, a third party, called a certificate authority, acts as a trusted intermediary between the companies. The certificate authority issues digital certificates and verifies the integrity of the certificates. A digital certificate is an electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format. As you can see in Figure 4.5,
VPN
extends the reach of the org's network
no physical existence
tunneling: encrypts the data packets to be sent and places each encrypted packet inside another packet (now the packet can travel confidentially)
transport layer security
for secure transaction (Credit card purchase/online banking)
HTTPS
EMPLOYEE monitoring system
scrutinizes employees' online behaviour and computers
app controls
protect specific apps in functional areas (FAs)
automated or human-directed
3 types
Input controls are programmed routines that edit input data for errors before they are processed. For example, social insurance numbers should not contain any alphabetical characters.
Processing controls are programmed routines that perform actions that are part of the record-keeping of the organization, reconcile and check transactions, or monitor the operation of applications. Processing controls, for example, might match entered quantities of goods received in the shipping area to amounts ordered on authorized purchase orders. Processing controls also balance the total number of transactions processed with the total number of transactions input or output.
Finally, output controls are programmed routines that edit output data for errors or help to ensure that output is provided only to authorized individuals. An example of output controls is documentation specifying that authorized recipients have received their reports, paycheques, or other critical documents.
Business continuity planning is the chain of events linking planning to protection and to recovery. The purpose of the business continuity plan is to provide guidance to people who keep the business operating after a disaster occurs. Employees use this plan to prepare for, respond to, and recover from events that affect the security of information assets. The objective is to restore the business to normal operations as quickly as possible following an attack. The plan is intended to ensure that business functions continue.
In the event of a major disaster, organizations can employ several strategies for business continuity. These strategies include hot sites, warm sites, cold sites, and off-site data and program storage. A hot site is a fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations. A warm site provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations. A cold site provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations. Off-site storage means that the organization takes a duplicate copy of its data and software (including operating systems) so that it can be taken to another computer and used elsewhere.
Hot sites reduce risk to the greatest extent, but they are the most expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option. In addition to hot, warm, and cold sites, organizations also use off-site data storage services. Off-site data storage is a service that allows companies to store valuable data in a secure location geographically distant from the company’s data centre.
In our online, fast-paced world, being “down” or unavailable for a short period of time can cause financial losses for organizations or upset customers. On March 12, 2016, it was reported that Apple’s iTunes and app stores were offline for 11 hours. These types of problems cannot be dealt with using hot sites or warm sites. There is no time to take all the equipment elsewhere. Instead, organizations implement redundancy; in other words, they have duplicate servers. Organizations also need to implement good quality controls for testing their programs to prevent systems going do
Information Systems Auditing
Companies implement security controls to ensure that information systems function properly. These controls can be installed in the original system, or they can be added after a system is in operation. Installing controls is necessary but not sufficient to provide adequate security. People who are also responsible for security need to answer questions such as: Are all controls installed as intended? Are they effective? Has any breach of security occurred? If so, what actions are required to prevent future breaches?
These questions must be answered by independent and unbiased observers. Such observers perform the task of information systems auditing. An audit involves the accumulation and evaluation of evidence that is used to prepare a report about the information or controls that are being examined, using established criteria and standards. An information systems audit is an examination of information systems, their inputs, outputs, and processing. It can also include an assessment of the efficiency and effectiveness of the system.
Types of Auditors and Audits
There are several types of auditors and audits. External auditors, also referred to as independent auditors, work at a public accounting firm, auditing primarily financial statements. Government auditors work for the provincial or federal auditors’ general offices. Canada Revenue Agency auditors audit compliance with tax legislation. Internal auditors work for specific organizations, and may have the Certified Internal Auditor (CIA) designation. Specialist auditors can be from a variety of fields. Information systems auditors, for example, may work for any of the previously mentioned organizations, and may have a Certified Information Systems Auditor (CISA) designation.
IS auditing is usually conducted as part of the controls evaluation for the financial statement audit or as part of internal auditing, which looks at the efficiency or effectiveness of systems.
IS auditing is a broad topic, so we present only its essentials here. IS auditing focuses on topics such as operations, data integrity, software applications, security and privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from the Institute of Internal Auditors (www.theiia.org) or the Information Systems Audit and Control Association (www.isaca.org).
How IS Auditors Decide on Audits
IS auditors conduct their work using a risk-based approach. They consider the likelihood of errors or fraud, or the risk of organizations not following their procedures. Then, they design procedures to test compliance or the percentages of errors. Information systems audits could be part of the evaluation of controls for a financial statement audit, which is required by statute for organizations that sell shares to the public, or for publicly accountable organizations such as registered charities.
Internal auditors conduct their audits based on a plan approved by management. This plan may look at areas where there are high risks of theft, such as an electronic commerce system, or at new systems development projects where there is an elevated potential for error, such as a new point-of-sale system. Where legislation is relatively new, such as privacy legislation, auditors could conduct a privacy audit to evaluate whether the organization is in compliance with the legislation.
Auditors could use computers in the conduct of their audit, by using software to create reports or by creating test data that are run through systems to evaluate their functioning.