chapter 4 Flashcards

1
Q

def. information security

A

Protecting an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction

2
Q

def. threat

A

Any danger to which an information resource may be exposed

3
Q

def. vulnerability

A

The possibility that an information resource will be harmed by a threat

4
Q

What are the five key factors contributing to the increasing vulnerability of organizational information sources?

A
  1. Today’s interconnected, interdependent, wirelessly networked business environment.
  2. Smaller, faster, cheaper computers and storage devices.
  3. Decreasing skills necessary to be a computer hacker.
  4. International organized crime taking over cybercrime.
  5. Lack of management support.
5
Q

def. trusted network

A

any network within your organization

6
Q

def. untrusted network

A

any network external to your organization

7
Q

wireless is an inherently ____________ broadcast communications medium

A

nonsecure

8
Q

def. cybercrime

A

Illegal activities executed on the Internet

9
Q

What are the two major categories of threats?

A

unintentional threats

deliberate threats

10
Q

what is a major category of unintentional threats?

A

human error

11
Q

What are two important points about employees regarding threats?

A
  1. the higher the level of employee, the greater the threat he or she poses to information security
    - higher-level employees typically have greater access to corporate data, and they enjoy greater privileges on organizational information systems
  2. employees in two areas of the organization pose especially significant threats to information security: human resources and information systems (IS)
    - HR employees have access to sensitive personal information; IS employees not only have access to sensitive organizational data but also often control the means to create, store, transmit, and modify those data
12
Q

Who tends to be overlooked when considering threats?

A

janitors and guards

as well as contract labour and consultants

13
Q

What are human errors the result of?

A

typically the result of laziness, carelessness, or a lack of awareness concerning information security. This lack of awareness arises from poor education and training efforts by the organization.

14
Q

def. social engineering

A

Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges

-the most common example is an attacker impersonating someone else on the telephone, or impersonating other individuals

15
Q

two other social engineering techniques

A

Tailgating: a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to “hold the door.”

Shoulder surfing: occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes

16
Q

def. espionage or trespass

A

occurs when an unauthorized individual attempts to gain illegal access to organizational information
-industrial espionage crosses the legal boundary, such as by theft of confidential data

17
Q

def. information extortion

A

occurs when an attacker either threatens to steal or actually steals information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

18
Q

def. sabotage or vandalism

A

deliberate acts that involve defacing an organization’s website, potentially damaging the organization’s image and causing its customers to lose faith in the organization

-ex. hacktivist or cyberactivist operation

19
Q

describe dumpster diving

A

involves rummaging through commercial or residential garbage to find discarded information. Paper files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters
-this info can be used for fraudulent purposes

20
Q

def. identity theft

A

Crime in which someone uses the personal information of others to create a false identity and then uses it for some fraud

21
Q

techniques for illegally obtaining personal info

A
  • Stealing mail or dumpster diving.
  • Stealing personal information in computer databases.
  • Infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom)
  • Impersonating a trusted organization in an electronic communication (phishing).
22
Q

def. intellectual property

A

The intangible property created by individuals or corporations, which is protected under trade secret, patent, and copyright laws

23
Q

def. trade secret

A

Intellectual work, such as a business plan, that is a company secret and is not based on public information

24
Q

def. patent

A

A document that grants the holder exclusive rights on an invention or process for a specified period of time, currently 20 years

25
Q

def. copyright

A

A grant that provides the creator of intellectual property with ownership of it for a specified period of time, currently the life of the creator plus 50 years

26
Q

def. piracy

A

Copying a software program (other than freeware, demo software, etc.) without making payment to the owner

27
Q

What are the 3 general categories of cyberattacks?

A

(1) Remote Attacks Requiring User Action
(2) Remote Attacks Needing No User Action
(3) Attacks by a Programmer Developing a System

28
Q

def. virus

A

Segment of computer code that performs malicious actions by attaching to another computer program

29
Q

def. worm

A

Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program)

30
Q

def. phishing attack

A

Attack that uses deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages

31
Q

def. spear phishing

A

Attack that targets large groups of people. The perpetrators find out as much information as they can about an individual, tailoring their phishing attacks to improve their chances that they will obtain sensitive, personal information

32
Q

def. denial-of-service attack

A

An attack where an attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function)

33
Q

def. distributed denial-of-service attack

A

An attack where an attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash

34
Q

def. bot or zombie

A

A computer that has been compromised by, and is under the control of, a hacker

35
Q

def. botnet

A

A network of computers that has been compromised by, and is under the control of, a hacker, who is called the botmaster

36
Q

def. trojan horse

A

Software programs that hide in other computer programs and reveal their designed behaviour only when they are activated

37
Q

def. back door

A

Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door)

38
Q

def. logic bomb

A

A segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as at a certain time or date

39
Q

What are the four types of software attacks that are remote attacks requiring user action?

A

virus, worm, phishing attack, spear phishing

40
Q

What are the two types of remote attacks needing no user action?

A

denial-of-service attack

distributed denial-of-service attack

41
Q

What are the three kinds of attacks by a programmer developing a system?

A

trojan horse, back door, logic bomb

42
Q

def. alien software

A

Clandestine software that is installed on your computer through duplicitous methods

43
Q

def. adware

A

Alien software designed to help pop-up advertisements appear on your screen

44
Q

def. spyware

A

software that collects personal information about users without their consent

45
Q

What are the two common types of spyware?

A

keystroke loggers (record both your individual keystrokes and your web browsing history) and screen scrapers (this software records a continuous “movie” of a screen’s contents rather than simply recording keystrokes)

46
Q

def. spamware

A

Alien software that uses your computer as a launch platform for spammers

47
Q

def. spam

A

unsolicited email, usually advertising for products and services

48
Q

What is an issue with spam?

A

it wastes time and money. Spam costs companies around the world billions of dollars every year. These costs arise from productivity losses, clogged email systems, additional storage, user support, and anti-spam software. Spam can also carry viruses and worms, making it even more dangerous

49
Q

def. cookies

A

Small amounts of information that websites store on your computer, temporarily or more or less permanently

-tracking cookies can be used to track your path through a website, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes. Tracking cookies can also combine this information with your name, purchases, credit card information, and other personal data to develop an intrusive profile of your spending habits

50
Q

def. Supervisory Control and Data Acquisition (SCADA)

A

large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants. Essentially, SCADA systems provide a link between the physical world and the electronic world

51
Q

def. cyberterrorism

A

A premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents

52
Q

def. cyberwarfare

A

War in which a country’s information systems could be paralyzed from a massive attack by destructive software

53
Q

Major difficulties in protecting information resources (10)

A
  1. Hundreds of potential threats exist.
  2. Computing resources may be situated in many locations.
  3. Many individuals control or have access to information assets.
  4. Computer networks can be located outside the organization, making them difficult to protect.
  5. Rapid technological changes make some controls obsolete as soon as they are installed.
  6. Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
  7. People tend to violate security procedures because the procedures are inconvenient.
  8. The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, a potential criminal can learn hacking, for free, on the Internet.
  9. The costs of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect themselves against all possible hazards.
  10. It is difficult to conduct a cost-benefit justification for controls before an attack occurs because it is difficult to assess the impact of a hypothetical attack.
54
Q

def. risk

A

probability that a threat will affect an information resource

55
Q

def. risk management

A

A process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels

56
Q

what are the three processes involved in risk management?

A

risk analysis, risk mitigation, and controls evaluation

57
Q

def. risk analysis (3 steps)

A

(1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset’s being compromised with the costs of protecting that asset

58
Q

def. risk mitigation

A

A process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan

59
Q

two functions of risk mitigation

A

(1) implementing controls to prevent identified threats from occurring,
(2) developing a means of recovery if the threat becomes a reality

60
Q

what are the three most common risk mitigation strategies

A

risk acceptance, risk limitation, and risk transference

61
Q

def. risk acceptance

A

Accept the potential risk, continue operating with no controls, and absorb any damages that occur

62
Q

def. risk limitation

A

Limit the risk by implementing controls that minimize the impact of the threat

63
Q

def. risk transference

A

Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance

64
Q

What does an organization do in controls evaluation?

A

the organization identifies security deficiencies and calculates the cost of implementing controls. If the costs of implementing a control are greater than the value of the asset being protected, the control is not cost-effective

65
Q

def. controls (or countermeasures)

A

Defence mechanisms used to safeguard assets, optimize the use of the organization’s resources, and prevent or detect errors or fraud

66
Q

what is the single most valuable control?

A

user education and training

67
Q

def. control environment

A

Controls that encompass management attitudes toward controls, as evidenced by management actions, as well as by stated policies and procedures that address ethical issues and the quality of supervision

68
Q

def. general controls

A

Controls that apply to more than one functional area

69
Q

def. application controls

A

Security countermeasures that protect specific applications in functional areas

70
Q

3 types of general controls

A

physical controls, access controls, and communications controls

71
Q

def. physical controls

A

Controls that restrict unauthorized individuals from gaining access to a company’s computer facilities
(i.e., walls, doors, gates, locks, guards, alarm systems, etc.)

72
Q

What is a shortcoming of physical controls?

A

can be inconvenient to employees

73
Q

Why do guards have a difficult job? (two reasons)

A
  1. their jobs are boring and repetitive and generally do not pay well.
  2. if guards perform their jobs thoroughly, the other employees harass them, particularly if they slow up the process of entering the facility.
74
Q

def. access controls

A

Controls that restrict unauthorized individuals from using information resources and are concerned with user identification
-can be physical controls or logical controls

75
Q

def. logical controls

A

controls that are implemented by software

76
Q

what are the two main functions of access controls

A

authentication and authorization

77
Q

def. authentication

A

confirms the identity of the person requiring access

78
Q

def. authorization

A

process that determines which actions, rights, or privileges the person has, based on his or her verified identity

79
Q

What do good control systems do?

A

limit authorization to tasks needed to accomplish a person’s job

80
Q

def. biometrics

A

The science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject’s physiological or behavioural characteristics

ex. fingerprints, retina scan

81
Q

smart ID cards

A

have an embedded chip that stores pertinent information about the user

82
Q

tokens

A

have embedded chips and a digital display that presents a login number that the employees use to access the organization’s network. The number changes with each login.

83
Q

What are forms of authentication based on something the user does?

A

voice recognition, signature recognition

84
Q

What are authentication methods based on something the user knows?

A

passwords and passphrase

85
Q

Basic guidelines for strong passwords? (6)

A
  • They should be difficult to guess.
  • They should be long rather than short.
  • They should have uppercase letters, lowercase letters, numbers, and special characters.
  • They should not be recognizable words.
  • They should not be the name of anything or anyone familiar, such as family names or names of pets.
  • They should not be a recognizable string of numbers, such as a social insurance number or a birthday
86
Q

What is the difference between a password and a passphrase?

A

a passphrase is a series of characters that is longer than a password but is still easy to memorize

-a passphrase can serve as a password itself, or it can help you create a strong password

87
Q

What is using more than one type of authentication called?

A

multifactor authentication

88
Q

def. privilege (user profile)

A

A collection of related computer system operations that can be performed by users of the system

89
Q

def. least privilege

A

A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization

90
Q

def. communication controls (or network controls)

A

Controls that deal with the movement of data across networks

91
Q

def. firewall

A

A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network

92
Q

def. demilitarized zone (DMZ)

A

A separate organizational local area network that is located between an organization’s internal network and an external network, usually the Internet

93
Q

The danger from viruses and worms is so severe that many organizations are placing firewalls at strategic points _________________

A

inside their private networks.

In this way, if a virus or worm does get through both the external and internal firewalls, then the internal damage may be contained

94
Q

def. anti-malware systems (or antivirus software)

A

Software packages that attempt to identify and eliminate viruses, worms, and other malicious software

95
Q

def. malware

A

Malicious software such as viruses and worms

96
Q

Whereas firewalls filter network traffic according to categories of activities that are likely to cause problems, anti-malware systems filter traffic ____________

A

according to a database of specific problems

97
Q

def. whitelisting

A

A process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity

98
Q

def. blacklisting

A

A process in which a company identifies certain types of software that are not allowed to run in the company environment

99
Q

Whereas whitelisting allows _______ to run unless it is on the whitelist, blacklisting allows _________ to run unless it is on the blacklist.

A

nothing

everything

100
Q

def. encryption

A

The process of converting an original message into a form that cannot be read by anyone except the intended receiver

101
Q

def. public-key encryption (or asymmetric encryption)

A

A type of encryption that uses two different keys: a public key (locking key) and a private key (unlocking key)

The public key (locking key) and the private key (unlocking key) are created simultaneously using the same mathematical formula or algorithm. Because the two keys are mathematically related, data encrypted with one key can be decrypted by using the other key

102
Q

def. certificate authority

A

third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates

103
Q

def. digital certificate

A

An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content

104
Q

def. Virtual private network (VPN)

A

A private network that uses a public network (usually the Internet) to securely connect users by using encryption

105
Q

Why are VPNs called virtual?

A

they have no separate physical existence

106
Q

advantages of VPNs

A
  1. they allow remote users to access the company network
  2. they provide flexibility. That is, mobile users can access the organization’s network from properly configured remote devices.
  3. organizations can impose their security policies through VPNs
107
Q

def. tunnelling

A

A process that encrypts each data packet to be sent and places each encrypted packet inside another packet

VPNs use this

108
Q

def. transport layer security (TLS) (or secure socket layer)

A

An encryption standard used for secure transactions such as credit card purchases and online banking

109
Q

def. employee monitoring systems

A

Systems that monitor employees’ computers, email activities, and Internet surfing activities

110
Q

application controls

A

security countermeasures that protect specific applications in functional areas

111
Q

3 major categories of application controls

A

input controls, processing controls, and output controls.

112
Q

input controls

A

programmed routines that edit input data for errors before they are processed

113
Q

processing controls

A

programmed routines that perform actions that are part of the record-keeping of the organization, reconcile and check transactions, or monitor the operation of applications.

114
Q

output controls

A

programmed routines that edit output data for errors, or help to ensure that output is provided only to authorized individuals.

115
Q

def. business continuity planning

A

The chain of events linking planning to protection and to recovery

purpose:
provide guidance to people who keep the business operating after a disaster occurs

116
Q

hot sites

A

fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations

117
Q

warm site

A

provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations

118
Q

cold site

A

provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations.

119
Q

audit

A

The accumulation and evaluation of evidence that is used to prepare a report about the information or controls that are being examined, using established criteria and standards

120
Q

information systems audit

A

An examination of information systems, their inputs, outputs, and processing