CH04 - Information security and controls Flashcards
What is a rogue access point?
unauthorized access point to a WLAN
What is an evil twin attack?
An imposter with a computer connects to your computer pretending to be your normal access point
What is war driving?
walking around to find unsecured WLANs to connect to
What is eavesdropping?
Trying to access data traveling over wireless networks
5 key factors that increase the vulnerability of organizational information resources and the impact of security incidents:
- Today’s interconnected, interdependent, wirelessly networked business environment
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- Lack of management support
What are the 2 main types of information security threats?
Unintentional and deliberate
What is information security?
All of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
What is a threat to an information resource?
any danger to which a system may be exposed
Define exposure of an information system
the harm, loss, or damage that can result if a threat compromises that resource.
Give at least 4 manifestations of human error
- Carelessness with devices
- Opening questionable e-mails
- Poor password use and selection
- Carelessness with one’s office
- Carelessness using unmanaged devices
- Carelessness with discarded equipment
- Careless monitoring of environmental hazards
Define social engineering and name its 3 forms
Attack where the person uses social skills to get an employee to provide confidential company information
- Impersonation: pretending to be a company manager or an IS employee
- Tailgating: following an employee to enter restricted areas
- Shoulder surfing: watching over someone’s shoulder to peek at private information
Give 4 deliberate threats to IS
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
- Identity theft
- Compromises to intellectual property
- Software attacks
- Alien software
- Supervisory control and data acquisition (SCADA) attacks
- Cyberterrorism and cyberwarfare
Explain what you know of espionage or trespass
- Unauthorized individual attempts to access organizational information illegally
- Competitive intelligence: legal information-gathering techniques
- Ex: studying a company’s website > hiring page > new projects
- Industrial espionage crosses the legal boundaries
Explain what theft of equipment or information is
- Small, powerful devices with increased storage are easier to steal or easier to use to steal info
- Dumpster diving: going through industrial trash to find organizational information
Name the main causes of identity theft
- stealing mail or dumpster diving
- stealing personal information in computer databases
- infiltrating organizations that store large amounts of personal information
- impersonating a trusted organization in an electronic communication (phishing)
What is a virus?
Segment of computer code that performs malicious actions by attaching to another computer program
What is a worm?
segment of computer code that performs malicious actions and will replicate or spread by itself
What is a phishing attack?
attack that uses deception to acquire sensitive personal information by masquerading as an official-looking email or IM
What is spear-phishing?
Attack that targets large groups of people. Perpetrators find out as much as possible about someone to tailor their phishing to increase the chances of obtaining sensitive personal information
What is a denial-of-service attack?
an attack where the attacker sends so many information requests to a target computer system that the target usually cannot handle them successfully and typically shuts down
What is a distributed denial-of-service attack?
an attack where the attacker takes over many computers, called zombies or bots, and uses them to form a botnet to deliver a coordinated stream of information requests to a target computer, causing it to crash
What is a trojan horse?
software programs that hide in other computer programs and reveal their designated behavior only when activated
What is a back door attack?
Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security protocols
What is a logic bomb?
a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as a time and date
Explain what you know of ransomware
- Also called digital extortion
- Malicious software that blocks access to a computer system or encrypts data and holds it until the organization pays a sum of money
- Personal health info 50 times more valuable than financial info
- Any internet-connected device is potential target for ransomware
- Some distribute it to other hackers; this is called ransomware-as-a-service
- Doxing: threatening to release a company’s data
Define cyberterrorism and cyberwarfare
- Malicious acts in which perpetrators use a target’s computer system to cause real-world physical harm or severe disruption, usually to carry out a political agenda
What does risk management do?
identify, control and minimize the impact of threats
What are the 3 processes to manage risk?
- Risk analysis
- Risk mitigation
- Controls evaluation
The 3 steps of risk analysis
- Assessing the value of each protected asset
- Estimating the probability that each asset will be compromised
- Comparing the cost of that asset being compromised with the cost of protecting it
Risk mitigation functions and common strategies
- Functions:
  - Implementing controls to prevent identified threats from happening
  - Identifying means of recovery should the threat become a reality
- 3 common strategies:
  - Risk acceptance: no controls
  - Risk limitation: implement controls to minimize impact
  - Risk transference: use other means, such as insurance
Name the control categories
- Physical controls
  - Stop unauthorized individuals from accessing company facilities
- Access controls
  - Authentication: are you an authorized user?
  - Authorization: what are your rights and privileges?
  - Principle of least privilege is based on justifiable need
- Communication/network controls
  - Firewalls, anti-malware systems, whitelisting and blacklisting, encryption, VPNs, transport layer security, employee monitoring systems
Elaborate on authentication
- Something the user is (biometrics)
  - Active vs passive methods
- Something the user has (ID)
- Something the user does (signature)
- Something the user knows (PIN)
- Single vs multi-factor authentication
Name 3 communication controls
- Firewalls
- Anti-malware systems (e.g., Norton)
- Whitelisting and blacklisting
- Encryption
- VPN
- Transport layer security (TLS, formerly Secure Sockets Layer, SSL) provided by Symantec
- Employee monitoring systems
- Application controls
Define communications control
A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network.
What is encryption?
Encryption is the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
All encryption systems use a key, which is the code that scrambles and then decodes the messages.
What is a firewall?
Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
What is a digital certificate?
- Digital document attached to a file that certifies the file is from the organization it claims to be from and has not been modified from the original
- Used predominantly by businesses engaged in data transfer over the internet
- A third party (certificate authority) is necessary
- Certificate authority roles:
  - Issues digital certificates
  - Verifies certificate integrity
What are application controls?
- Security countermeasure to protect specific or individual applications, e.g., payroll
- You can control inputs to or outputs from an application
- You can control the processing of an application
- Input controls: to edit input data for errors
  - Reasonable data ranges in an invoice
- Processing controls: to monitor the operation of an application
  - Automatically check that each line of an invoice adds to the total
- Output controls: to edit output data for errors and to ensure that output goes to the intended recipient
  - Did …’s check go to him/her?
What is business continuity planning (or a disaster recovery plan)?
- The chain of events linking planning to protection to recovery
- Objectives:
  - To provide guidance to people who keep the business operating after a disaster happens
  - To restore the business to normal operations as quickly as possible after an attack
  - To ensure that business functions continue
What are the business continuity planning (or disaster recovery plan) strategies in case of major disasters?
- hot sites: a fully configured computer facility… a duplication of key resources
- warm sites: include computing equipment (e.g., servers) but not all actual applications and user workstations
- cold sites: only rudimentary services and facilities, like a building or a room
- off-site data and program storage: a duplicate of company data and its software programs to be transferred to another computer elsewhere