Chapter 4: Information Security and Controls

Question 1

Define Information security

Answer 1

Information security: refers to all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction

Question 2

What’s the difference between a threat, an exposure, vulnerability

Answer 2

Threat: to an information resource is any danger to which a system may be exposed.

Vulnerability: is the possibility that a threat will harm that information resource.

Exposure: is the harm, loss, or damage that can result if a threat compromises an information resource

Question 3

What are the five key factors contributing to the increasing vulnerability of organizational information resources?

Answer 3

1. Today’s interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, inexpensive computers and storage devices
3. Decreasing skills necessary to be a computer hacker
   
   • Internet contains information and computer programs called scripts that users with limited skills can download and use to attack any information system that is connected to the Internet
4. International organized crime taking over cybercrime
   
   • Cybercrime: refers to illegal activities conducted over computer networks, particularly the Internet.
5. Lack of management support

Question 4

What are the two major categories of threats?

Answer 4

unintentional threats and deliberate threats

Question 5

Define Unintentional threats and what are the two categories of it?

Answer 5

Unintentional threats: are acts performed without malicious intent that nevertheless represent a serious threat to information security.

Catergories: Human Error and Social Engineering

Question 6

Unintentional threats: Explain two points to be made about employees? What about contract labour, consultants, and janitors and guards?

Answer 6

1.The higher the level of employee, the greater the threat they pose to information security

• Have greater access to corporate data, and they enjoy greater privileges on organizational information systems

2.Employees in human resources and information system pose especially significant threats to information security:

• Human resources employees generally have access to sensitive personal information about all employees
• IS employees have access to sensitive organizational data, and also have control to create, store, transmit, and modify those data

Other relevant but overlooked employees include contract labour, consultants, and janitors and guards (have access to the sensitive places in office)

• These people have access to company’s network, information systems, and information assets.

Question 7

Unintentional Threats: Social Engineering as well as tailgating and shoulder surfing

Answer 7

Social engineering: is an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords

• Ex. occurs when the attacker impersonates someone else on the telephone, such as a company manager or an IS employee

Tailgating: is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry
Shoulder surfing: occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder

Question 8

Deliberate Threats: define Identity Theft and how could a criminal do it?

Answer 8

Identity theft: is the deliberate assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime.

Techniques for illegally obtaining personal information include the following:
* Stealing mail or dumpster diving
* Stealing personal information in computer database
* Impersonating a trusted organization in an electronic communication (phishing)

Question 9

Deliberate Threats, Software Attacks: define Malware and Ransomware

Answer 9

Malware: malicious software

• Modern cybercriminals use sophisticated, blended malware attacks, typically through the Web, to make money

Ransomware: or digital extortion, blocks access to a computer system or encrypts an organization’s data until the organization pays a sum of money

• Types of ransomware include Locky, Cryptolocker, Cryptowall, TeslaCrypt, CTB Locker, WannaCry, Petya, and many more variants.

Question 10

Explain the common method for ransomware attacks

Starts with S and another one is D

Answer 10

Employees receive hundreds of emails every day, and many of their roles require them to download and open attachments

• Spear phishing: emails are carefully tailored to look as convincing as possible, so they appear no different from any other email the victim might receive.

Cybercriminals are beginning to threaten to release data to the public, a strategy known as doxing

• For organizations that deal with private and sensitive customer data, such as financial services, hospitals, and law firms, such attacks can have severe consequences.

Question 11

What is Alien Software?

Answer 11

Alien software: or pestware, is software that is installed secretly onto your computer through duplicitous methods. Can also enable other parties to track your Web surfing habits and other personal behaviours

Question 12

Alien Software: define Adware, Spyware (Keystroke loggers, Screen scrapers) Tracking Cookies

Answer 12

Adware: software that causes pop-up advertisements to appear on your screen.

Spyware: is software that collects personal information about users without their consent.
Types are keystroke loggers and screen scrapers:

• Keystroke loggers: records both your individual keystrokes and your Internet Web browsing history.
  • Can keep track of passwords and sensitive personal information such as credit card numbers
• Screen scrapers: records a continuous “movie” of a screen’s contents rather than simply recording keystrokes.

Cookies: are small amounts of information that websites store on your computer, temporarily or more or less permanently
Tracking cookies— an be used to track your path through a website, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes.

Question 13

What is Supervisory Control and Data Acquisition (SCADA)?

Answer 13

SCADA refers to a large-scale distributed measurement and control system.

• SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants

Question 14

Define Cyberterrorism/cyberwarfare

Answer 14

Cyberterrorism and cyberwarfare: refer to malicious acts in which attackers use a target’s computer systems, particularly through the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda

• Ex. attack on Saudi Arabia’s chemical plant - could’ve caused an exposition - agenda was to discourage investors to associate with Saudi Arabia (was an act of war from another country)

Question 15

What are some reasons why is it difficult to protect information reasources?

Answer 15

• Hundreds of potential threats exist
• Many individuals control or have access to information assets.
• Computer networks can be located outside the organization, making them difficult to protect.
• Rapid technological changes make some controls obsolete as soon as they are installed.
• Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
• People tend to violate security procedures because the procedures are inconvenient.

Question 16

Compare Risk management and Risk analyses

and explain each one

Answer 16

Risk management: is to identify, control, and minimize the impact of threats.
* Risk management consists of three processes: risk analysis, risk mitigation, and controls evaluation.

Risk analysis: ensure that their IS security programs are cost effective
* Involves three steps:
1. Assessing the value of each asset being protected,
2. Estimating the probability that each asset will be compromised,
3. Comparing the probable costs of the asset’s being compromised with the costs of protecting that asset.

Question 17

What is the purpose of control?

Answer 17

The purpose of controls is to safeguard assets, optimize the use of the organization’s resources, and prevent or detect errors or fraud

• designed to protect all of the components of an information system
• Because there are so many diverse threats, organizations utilize layers of controls, or defense-in-depth.

Question 18

The single most valuable control is —– and —-

Answer 18

The single most valuable control is user education and training - makes every member of the organization aware of the vital importance of information security.

Question 19

Define Access controls and its two major functions: authentication and authorization

Answer 19

Access controls: restrict unauthorized individuals from using information resources
* Access controls can be physical controls or logical controls

Authentication: confirms the identity of the person requiring access
Authorization: determines which actions, rights, or privileges the person has, based on their verified identity

Question 20

Define Communications Controls

Answer 20

Communications controls: secure the movement of data across networks.
* consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), transport layer security (TLS), and employee monitoring systems.

Question 21

Communications Controls: Define Firewalls, Anti-malware Systems, Whitelisting and Blacklisting, Encryption, Virtual Private Networking, Transport Layer Security, Employee Monitoring Systems, Application Controls

Answer 21

Firewall: is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network.

Anti-malware systems: also called antivirus or AV, software, are software packages that attempt to identify and eliminate viruses and worms, and other malicious software

Whitelisting: is a process in which a company identifies the software that it will allow to run on its computers (only certain/select software is allowed to run on computer)

• Allows an acceptable software to run and prevents any other software from running

Blacklisting: allows everything to run unless it is on the blacklist

• states which types of software are not allowed to run in the company environment.

Encryption: is the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
* All encryption systems use a key, which is the code that scrambles and then decodes the messages
* uses two different keys: a public key and a private key; The public key (locking key) and the private key (the unlocking key)

Virtual private network (VPN): is a private network that uses a public network (usually the Internet) to connect users

Transport layer security (TLS): is an encryption standard used for secure transactions such as credit card purchases and online banking

• TLS encrypts and decrypts data between a Web server and a browser end to end.

Employee monitoring systems: scrutinize their employees’ computers, email activities, and Internet surfing activities.

Application controls: are security countermeasures that protect specific applications in functional areas

• Application controls fall into three major categories: input controls, processing controls, and output controls.

Question 22

People who are responsible for security need to answer questions such as: Are all controls installed as intended? Are they effective? Has any breach of security occurred?

What is IS audit?

Answer 22

Information systems audit: is an examination of information systems, their inputs, outputs, and processing. It can also include an assessment of the efficiency and effectiveness of the system.

• IT perfoms internal auditing, which looks at the efficiency or effectiveness of systems.
  
  • focuses on topics such as operations, data integrity, software applications, security and privacy, budgets and expenditures, cost control, and productivity

Question 23

What is the purpose of a diaster recovery plan?

define Business continuity planning

Answer 23

Business continuity planning: is the chain of events linking planning to protection and to recovery.
* The purpose of the business continuity plan is to provide guidance to people who keep the business operating after a disaster occurs.
These strategies include hot sites, warm sites, cold sites, and off-site data and program storage.