Ch 4-Risk Management and Info security Flashcards

1
Q

security

A

A degree of protection against criminal activity, danger, damage, or loss

2
Q
Information security
A

Processes & policies that protect information and systems from unauthorized access, use, disclosure,
disruption, modification, or destruction

3
Q
Threat
A
Any danger to which a system may be exposed
4
Q
Exposure
A

Exposure of an information resource is the harm, loss, or damage that can result if a threat compromises
that resource

5
Q
Vulnerability
A
The possibility that a threat will harm that resource
6
Q

what 5 things make today's info resources vulnerable

A

1) interconnected, interdependent business environment
2) smaller, faster, cheaper computers and storage devices
3) decreasing skills needed to be a hacker
4) international organized crime taking over cybercrime
5) lack of management support

7
Q

human error:
who poses the higher risk in the employee hierarchy

A

higher-level employees! they have greater access privileges = greater threat

8
Q

what 2 areas in the company structure pose significant threats

A

HR
IS

9
Q

what are the general areas of threat in a company

A

contract labour
consultants
janitors
guards

10
Q

what is social engineering

A

An attack in which the perpetrator uses social skills to trick or manipulate
legitimate employees into providing confidential company information such as
passwords

11
Q

what are deliberate threats to info systems

A
  • Espionage or trespass
  • Information extortion
  • Sabotage or vandalism
  • Theft of equipment or information
  • Identity theft
  • Compromises to intellectual property
  • Software attacks
  • Alien software
  • Supervisory control and data acquisition (SCADA) attacks
  • Cyberterrorism and cyberwarfare
12
Q

what is alien software (pestware)

A

adware
spyware
spamware
cookies

13
Q

what are orgs trying to do to protect info resources

A

risk: probability that a threat will impact an info resource

THEY DO RISK MANAGEMENT, ANALYSIS, MITIGATION

14
Q

what is risk mitigation

A

risk acceptance, risk limitation, risk transference

acceptance: accept the potential risk, absorb damages

limitation: implement controls to minimize impact

transference: transfer the risk by getting insurance

15
Q

what are categories of controls

A

control environment

general controls: security controls

application controls

16
Q

control environment

A

Encompasses management attitudes toward controls, as evidenced by management actions, as well as by stated policies that address:
* Ethical issues
* Quality of supervision

17
Q

what are physical controls

A
Prevent unauthorized individuals from gaining access to a company's facilities

Examples:
* Walls, doors, fencing, gates, locks
* Badges, guards, alarm systems
* Pressure sensors, temperature sensors, motion sensors

18
Q

what are access controls

A
can be physical or logical controls (logical = implemented by software)

Logical controls help to provide controls such as:
* Authentication
* Authorization

19
Q

Access & Communications Controls Help to Prevent Identity Theft

A

Using confidential information such as passwords, driver's licences, or medical records to assume someone else's identity
* The thief applies for credit cards, mortgages, or passports
* Example controls include: physical security, access security, and encryption
* The Office of the Privacy Commissioner of Canada tells businesses how to reduce the risk of identity theft and how to respond (priv.gc.ca/en)

20
Q

Password Controls Need to be Supported at All 3 Control Levels

A

1. Control environment: Policies that enforce the proper management of user codes and passwords
2. General control: A security system that requires a user ID and password to "log on"
3. Functional application control: Separate passwords for sensitive functions, e.g., employee raises or write-off of customer accounts

21
Q

Authentication

A
  • Something the user is
  • Something the user has
  • Something the user does
  • Something the user knows
22
Q

Communication Controls

A
  • Firewalls: prevent specific types of information from moving between networks
    - DMZ: sits between 2 firewalls
  • Anti-malware systems
  • Whitelisting and blacklisting
  • Encryption
  • Virtual private networking
  • Transport layer security (TLS)
  • Employee monitoring systems
23
Q

Application Controls

A
  • Controls that apply to individual applications (functional areas), e.g., payroll
  • The text describes three categories: input, processing, output
  • It is more common to consider the purpose of application controls for input, processing, and output using: accuracy, completeness, authorization, and an audit trail (documentation)

EXAMPLES OF APPLICATION CONTROLS
* Input: Edits that check for reasonable data ranges (accuracy)
* Processing: Automatically check that each line of an invoice adds to the total (accuracy for total and completeness of line items)
* Output: Supervisor reviews payroll journal for unusual amounts (exceptions) before cheques are printed (authorization)

24
Q

Business Continuity Planning (BCP)
* Disaster recovery plan
* Hot site
* Warm site
* Cold site

BCP's purpose:
  • Provide continuous availability
  • Be able to recover in the event of a hardware or software failure or attack (e.g., due to ransomware)
  • Ensure that critical systems are available and operating
A
25
Q

Personal Information Asset Protection

A
  • Before deciding upon potential actions you need to take
  • Do an inventory of information you are using, storing, or accessing
  • Relate your inventory to a personal risk assessment
  • Use Table 4.4 to help enable changes to your methods of protecting your personal information assets
26
Q

do small businesses or big businesses get hurt more from a data breach

A

small!

27
Q

what is a trusted network

A

internal to your org

28
Q

what is an untrusted network

A

external to your org

29
Q

FIN7 hacking group

A

has hacked a bunch of shit

30
Q

2 categories of threats to info systems

A

intentional

unintentional

31
Q

draw the cloud visual on cs

A
32
Q

Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks them to “hold the door.”

A
33
Q

Shoulder surfing occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes.

A
34
Q

espionage and trespass

A

when an unauthorized individual attempts to gain illegal access to organizational information

Competitive intelligence= legal information-gathering techniques, such as studying a company’s website and press releases, attending trade shows, and similar actions.

industrial espionage: illegal

In

35
Q

info extortion

A

threatens to steal / actually steals info and asks for money

36
Q

sabotage/vandalism

A

defacing info systems and making customers lose faith in operations

37
Q

what is ransomware

A

you won't have access to your data until you pay

38
Q

Spear phishing emails

A

carefully tailored to look as convincing as possible, so they appear no different from any other email the victim might receive.

39
Q

ransomware as a service

A

original creators publish the software on the Dark Web, allowing other criminals to use the code in return for receiving 40 to 50 percent of each ransom paid.

40
Q

2 types of ransomware

A

- The first variant offers the decryption key to a victim if the victim provides a link to the ransomware to two other people or to companies that pay the ransom.

- The second: hackers pretend to be job hunters in an effort to infect corporate human resources systems
41
Q

doxing

A

threat to release data to public

42
Q

how to protect against ransomware

A

-training and education
-backup often
-real time monitoring

43
Q

alien software/pestware

A

not as bad as viruses but uses resources

ex: adware just ads

44
Q

spyware

A

collecting data

45
Q

keyloggers

A

record individual keystrokes and personal info

46
Q

counter to keyloggers

A

captcha

47
Q

cookies

A

small amounts of info that are important for online shopping in carts

tracking cookies track your path through a website

48
Q

SCADA (supervisory control and data acquisition)

A

monitor and control chemical, physical, and transport processes

these attacks are on power plants

49
Q

what is risk analysis

A

1 assess the value of each asset being protected
2 estimate the probability that each asset will be compromised
3 compare the cost of compromise to the cost of protection

50
Q

biometrics types

A

active: need to physically participate (eyes, fingerprints)

passive: no need for active participation (voice recognition, behavioural ID)

51
Q

A passphrase is a series of characters that is longer than a password but is still easy to memorize

A
52
Q

whitelisting

A

only specific software is allowed to run

53
Q

blacklisting

A

everything can run except xyz software

54
Q

encryption

A

converting the original message into a form that can't be read by anyone except the receiver

  • public key encryption / asymmetric encryption (2 keys): public key = locking key, private key = unlocking key
55
Q

Although this arrangement is adequate for personal information, organizations that conduct business over the Internet require a more complex system. In these cases, a third party, called a certificate authority, acts as a trusted intermediary between the companies. The certificate authority issues digital certificates and verifies the integrity of the certificates. A digital certificate is an electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format. As you can see in Figure 4.5,

A
56
Q

vpn

A

extends the reach of the org network

no physical existence

tunneling: encrypts the data packets to be sent and places each encrypted packet inside another packet (now the packet can travel confidentially)

57
Q

transport layer security

A

for secure transaction (Credit card purchase/online banking)

HTTPS

58
Q

EMPLOYEE monitoring system

A

scrutinize employees' online behaviour and computers

59
Q

app controls

A

protect specific apps in functional areas (FAs)

automated or human directed

3 types:

Input controls are programmed routines that edit input data for errors before they are processed. For example, social insurance numbers should not contain any alphabetical characters.
Processing controls are programmed routines that perform actions that are part of the record-keeping of the organization, reconcile and check transactions, or monitor the operation of applications. Processing controls, for example, might match entered quantities of goods received in the shipping area to amounts ordered on authorized purchase orders. Processing controls also balance the total number of transactions processed with the total number of transactions input or output.
Finally, output controls are programmed routines that edit output data for errors or help to ensure that output is provided only to authorized individuals. An example of output controls is documentation specifying that authorized recipients have received their reports, paycheques, or other critical documents.

60
Q

Business continuity planning is the chain of events linking planning to protection and to recovery. The purpose of the business continuity plan is to provide guidance to people who keep the business operating after a disaster occurs. Employees use this plan to prepare for, respond to, and recover from events that affect the security of information assets. The objective is to restore the business to normal operations as quickly as possible following an attack. The plan is intended to ensure that business functions continue.
In the event of a major disaster, organizations can employ several strategies for business continuity. These strategies include hot sites, warm sites, cold sites, and off-site data and program storage. A hot site is a fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations. A warm site provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations. A cold site provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations. Off-site storage means that the organization takes a duplicate copy of its data and software (including operating systems) so that it can be taken to another computer and used elsewhere.
Hot sites reduce risk to the greatest extent, but they are the most expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option. In addition to hot, warm, and cold sites, organizations also use off-site data storage services. Off-site data storage is a service that allows companies to store valuable data in a secure location geographically distant from the company’s data centre.
In our online, fast-paced world, being “down” or unavailable for a short period of time can cause financial losses for organizations or upset customers. On March 12, 2016, it was reported that Apple’s iTunes and app stores were offline for 11 hours. These types of problems cannot be dealt with using hot sites or warm sites. There is no time to take all the equipment elsewhere. Instead, organizations implement redundancy; in other words, they have duplicate servers. Organizations also need to implement good quality controls for testing their programs to prevent systems going do

A
61
Q

Information Systems Auditing
Companies implement security controls to ensure that information systems function properly. These controls can be installed in the original system, or they can be added after a system is in operation. Installing controls is necessary but not sufficient to provide adequate security. People who are also responsible for security need to answer questions such as: Are all controls installed as intended? Are they effective? Has any breach of security occurred? If so, what actions are required to prevent future breaches?
These questions must be answered by independent and unbiased observers. Such observers perform the task of information systems auditing. An audit involves the accumulation and evaluation of evidence that is used to prepare a report about the information or controls that are being examined, using established criteria and standards. An information systems audit is an examination of information systems, their inputs, outputs, and processing. It can also include an assessment of the efficiency and effectiveness of the system.

Types of Auditors and Audits
There are several types of auditors and audits. External auditors, also referred to as independent auditors, work at a public accounting firm, auditing primarily financial statements. Government auditors work for the provincial or federal auditors’ general offices. Canada Revenue Agency auditors audit compliance with tax legislation. Internal auditors work for specific organizations, and may have the Certified Internal Auditor (CIA) designation. Specialist auditors can be from a variety of fields. Information systems auditors, for example, may work for any of the previously mentioned organizations, and may have a Certified Information Systems Auditor (CISA) designation.
IS auditing is usually conducted as part of the controls evaluation for the financial statement audit or as part of internal auditing, which looks at the efficiency or effectiveness of systems.
IS auditing is a broad topic, so we present only its essentials here. IS auditing focuses on topics such as operations, data integrity, software applications, security and privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from the Institute of Internal Auditors (www.theiia.org) or the Information Systems Audit and Control Association (www.isaca.org).

How IS Auditors Decide on Audits
IS auditors conduct their work using a risk-based approach. They consider the likelihood of errors or fraud, or the risk of organizations not following their procedures. Then, they design procedures to test compliance or the percentages of errors. Information systems audits could be part of the evaluation of controls for a financial statement audit, which is required by statute for organizations that sell shares to the public, or for publicly accountable organizations such as registered charities.
Internal auditors conduct their audits based on a plan approved by management. This plan may look at areas where there are high risks of theft, such as an electronic commerce system, or at new systems development projects where there is an elevated potential for error, such as a new point-of-sale system. Where legislation is relatively new, such as privacy legislation, auditors could conduct a privacy audit to evaluate whether the organization is in compliance with the legislation.
Auditors could use computers in the conduct of their audit, by using software to create reports or by creating test data that are run through systems to evaluate their functioning.

A