Chapter 8 - Cyber Security Threats Flashcards

1
Q

Questions to ask about Cyber Risk:

A
  • How are data and operating systems protected from unauthorised access and manipulation?
  • How are breaches identified, analysed, remedied and reported?
2
Q

What is cyber security?

A
  • Practice of protecting systems, networks and programs from digital attacks
  • Cyberattacks are aimed at: accessing, changing or destroying sensitive info, extorting money from users or interrupting normal business processes
3
Q

Examples of sensitive info:

A
  • Customers, suppliers and employee personal data
  • Org’s own financial records
  • Data stored within infrastructure and operating systems
  • Medical data from employees, customers and other stakeholders
  • Intellectual property which may be of value if it can be illegally accessed
  • Operational data – locations of sensitive assets
4
Q

Cybersecurity objectives:

A
  • Availability
  • Confidentiality
  • Integrity of data
  • Integrity of processing
  • Establishing, maintaining and approving objectives
5
Q

Cybersecurity objective - availability:

A
  • Availability objectives = ensuring data and systems can be reached by those who have the right to access them, when they need them
6
Q

Cybersecurity objective - confidentiality:

A
  • There are legal requirements to maintain confidentiality over data across many jurisdictions
  • Confidentiality objectives = stopping data from being accessed by those who do not have the right to access it
7
Q

Cybersecurity objective - Integrity of data:

A
  • Objectives should ensure that data is kept secure and not lost or corrupted at all stages of life cycle
  • Objectives to verify reliability of data used for decisions (source), its intelligibility (what it is saying) and accuracy (is it valid?)
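As an added example (not part of the flashcards), one way the integrity-of-data objective is enforced in practice: a keyed hash (HMAC-SHA256) over each record lets the receiving system check both that the record is unchanged and that it came from a holder of the key. The key, record layout and invoice values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumed integrity key for the example; a real deployment loads it from a
# secrets manager, never from source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical(record):
    """Serialise a record deterministically so the same data always gives the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=INTEGRITY_KEY):
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the data is unchanged and was sealed by a holder of `key`.

    compare_digest runs in constant time, so an attacker cannot learn the tag
    byte by byte from timing differences.
    """
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed sample record: a financial entry passed between two systems.
SAMPLE = {"invoice": "INV-1001", "customer": "C-42", "amount": "1250.00"}


def demo():
    """Return (untouched ok, tampered ok, forged ok) for three life-cycle cases."""
    sealed = seal(SAMPLE)
    untouched = verify(sealed)

    # Corruption or tampering in transit: amount changed, tag left as-is.
    tampered = {"data": dict(sealed["data"], amount="125000.00"), "tag": sealed["tag"]}
    tampered_ok = verify(tampered)

    # Forgery: a record sealed by someone who does not hold the real key.
    forged = seal(SAMPLE, key=b"attacker-key")
    forged_ok = verify(forged)

    return untouched, tampered_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A plain checksum would catch accidental corruption but not deliberate tampering, since an attacker can recompute it; the key is what ties the tag to a trusted source.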
8
Q

Cybersecurity objective - Integrity of processing:

A

Objectives should ensure:

  • processing does not abuse or lose data
  • encourages efficient usage and
  • ensures that data is only used for stated, legitimate purposes
9
Q

Cybersecurity objective - establishing, maintaining and approving objectives:

A
  • Org’s need to have formal process for establishing, maintaining and approving cyber security objectives
  • Objectives need board approval – the board may need a dedicated cybersecurity expert or IT expertise to assess them
  • Relying on third parties for that support creates trust issues, which creates risk
  • Boards need to monitor success of objectives
10
Q

Organisational characteristics to consider when setting objectives:

A
  • Technologies
  • Connection types and service providers
  • Delivery channels
11
Q

Considering technologies used as part of business model:

A
  • Proportion of activity that is online
  • Amount of digital interaction with customers and other stakeholders
  • Type of data collected and way it is used + stored
12
Q

Considering connection types and service providers:

A
  • Connection types = physical or virtual, wired or wireless, networked or standalone, national or international
  • Reliance on service providers creates cybersecurity risks – e.g. cloud-based computing providers managing valuable data on the org’s behalf
13
Q

What is cloud-based computing?

A

Solution for providing digital storage and processing that uses a separate org’s capacity and is only accessible online

14
Q

Risks of cloud-based computing:

A
  • Loss of data if provider is affected by an incident itself
  • Reliance on a functioning network to gain access to own data
  • Concerns over whether cloud computing provider is susceptible to cybersecurity breach
  • Legal action from org’s stakeholders if data is compromised while stored on a cloud computing provider
15
Q

Considering delivery channels for data:

A
  1. Website:
    * Collect data + interact with stakeholders
    * Creates risk to sensitive data
  2. Intranet:
    * Internal website that can be accessed remotely
    * Creates risk to digital data
  3. Email:
    * Main risks are spam, interception, eavesdropping and spoofing (impersonation to gain advantage)
    * These compromise the integrity of email and require controls to be in place
  4. Telephone:
    * Subject to eavesdropping and interception
    * Compromises confidentiality of discussions
  5. Instant messaging:
    * SPIM (the IM equivalent of spam) and spoofing
    * Could lead to service charges for users + highlights limited controls
  6. Social media:
    * Accounts can be accessed illegally
    * Creates risk that messages are posted that org has not approved
16
Q

Cybersecurity objectives should be considered in terms of PESTEL:

A

Political:
* New legislation raising security standards
* Global geopolitical cybersecurity risks – state-sponsored hacking of data and foreign investment in utility companies that can access personal data
Economic:
* Failure of systems due to hacking/ poor design and operation can cost org’s significant amounts of money
Social:
* Customers are increasingly sensitive to impact of security breaches – requires org’s to understand and meet social concerns for better protection of all data
Technological changes:
* Advances in tech are likely to be exploited by organised cybercriminals for profit
* Also provide opportunities, such as artificial intelligence and big data to monitor digital activity more thoroughly
Environmental changes:
* Hurricane, earthquake or tsunami – org’s need contingency plans in place
Legal:
* New regulation to protect against cybercrime
* Sarbanes-Oxley (US) = encourages org’s to be proactive in development of cybersecurity policies; this raises compliance levels, which could be stipulated in contractual agreements

17
Q

Risks presented by systems and networks:

A
  • Remote access instead of physical – anyone can gain access if they have the right credentials
  • Systems being left open to allow operations to occur – need to know who to let in and who to stop
  • Failure by third parties who provide systems and networks
  • Natural risks such as flood, power cuts, earthquake and accidents
18
Q

What is malware?

A

Malicious software designed to gain unauthorised access to an org’s systems in order to damage/disrupt computers or networks and steal/affect sensitive info

19
Q

What is a virus?

A
  • Attaches itself to existing programme and spreads as that programme is used, shared or accessed across existing network
  • Require a target/host user to initiate it (user clicks on it)
20
Q

What is a worm?

A
  • Does not require user to launch it to cause damage
  • Standalone software – don’t attach themselves to host/target programmes
  • Operate independently – enter a system via an existing vulnerability and spread while the host/target operates normally
21
Q

What is a trojan?

A
  • Disguises itself as legitimate software so that the user launches it; does not replicate itself once it has infiltrated a network
  • It will sit within network and can perform functions ranging from harmless pop-up ads to more serious forms of malware that allow access to external users
22
Q

What are bots?

A
  • Automated process
  • Web crawlers (e.g. search engine bots) gather info, so bots are not always a malware threat
  • Botnet = a series of compromised machines/networks that a malicious user controls remotely
  • Some act as keyloggers = record keys pressed by users in an attempt to capture passwords and access protected content
23
Q

Transportation of malware:

A
  • Accidentally downloaded by users from internet
  • Unknowingly attached to emails and then accidentally clicked
  • Inadvertently carried on storage devices (USB drives)
  • Sophisticated malware can spread independently across computers and networks
24
Q

Internal & External Malware threats:

A

Internal malware threats:
* Employees could fail to observe cybersecurity protocols
* Employees who hold a grudge could deliberately introduce malware either for financial gain or fun
External malware threats:
* Hacking for extortion, publicity, spyware or revenge

25
Q

Defences against malware:

A
  • Perimeter defences (firewalls, email gateways) = spot threats as they pass through the boundary and monitor emails once they have entered org’s systems for malicious activity
  • Segmentation of the network into compartmentalised parts to help contain malware that has got in
  • Housekeeping activities = ensuring software and systems are regularly updated (patched) and taking regular back-up copies
  • Gatekeeping controls (e.g. CAPTCHA “I am not a robot” checks)
26
Q

What is hacking?

A

Gaining access to info that you are not meant to access, without the owner’s knowledge or permission (illegally)

27
Q

What is phishing?

A
  • Tricking users into handing over login details, credit card numbers or passwords, which are then used for the attacker’s gain
  • Relies on personal info being divulged willingly for a purpose that appears legitimate but is criminal
  • Incredibly effective method of using email to circumvent org’s controls
28
Q

What is ransomware?

A

Malware that extorts money by blocking access to files or systems (typically by encrypting them) until a fee is paid

29
Q

What is a distributed denial-of-service (DDoS) attack?

A
  • Disabling a system by bombarding it with more activity than it can cope with, from many sources at once
  • Volume-based attacks = sheer number of requests made can disable systems or saturate bandwidth
  • Application-layer attacks target specific applications, flooding the target with requests that keep it busy (e.g. expensive searches or logins)
  • Protocol-based attacks generate requests that require specific responses (e.g. SYN floods that leave half-open connections), exhausting the target’s resources
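As an added example (not from the flashcards), the kind of detection a practitioner would run over web-server access logs to spot the volume-based and application-layer cases above: a sliding-window request count per source IP, plus the endpoint that source hit most. Protocol-based attacks such as SYN floods do not show up in application logs and need packet-level data instead. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 203.0.113.7 - - [15/Jan/2024:13:55:00 +0000] "GET /search?q=x HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        # Drop the query string so /search?q=1 and /search?q=2 group together.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def flag_floods(lines, window_s=10, max_per_window=20):
    """Sliding-window rate check per source IP.

    Returns {ip: {"peak": n, "path": p}} for every source that exceeded
    `max_per_window` requests within any `window_s`-second span, with the
    endpoint it hit most (the application-layer target).
    """
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> deque of (ts, path) inside the window
    flagged = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["path"]))
        # Evict everything older than the window; the just-appended event keeps q non-empty.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_per_window:
            prev = flagged.get(ev["ip"], {"peak": 0})
            if len(q) > prev["peak"]:
                flagged[ev["ip"]] = {
                    "peak": len(q),
                    "path": Counter(p for _, p in q).most_common(1)[0][0],
                }
    return flagged


# Constructed log: one normal visitor and one source hammering /search.
T0 = datetime(2024, 1, 15, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, t, path, status=200):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


LOG_LINES = (
    [_line("198.51.100.10", T0 + timedelta(seconds=20 * i), "/") for i in range(4)]
    + [_line("203.0.113.7", T0 + timedelta(milliseconds=200 * i), "/search?q=%d" % i) for i in range(60)]
)

if __name__ == "__main__":
    for ip, info in flag_floods(LOG_LINES).items():
        print(f"{ip}: {info['peak']} requests in a 10s window, mostly {info['path']}")
```

A real DDoS spreads the load over thousands of sources, so a per-IP threshold alone will miss it; the same window logic applied per path (total requests to /search regardless of source) is the complementary check, and blocking is normally done upstream rather than in the application.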
30
Q

Examples of web application attacks:

A
  • Hacking
  • Phishing
  • Ransomware
  • DDoS
31
Q

Defences against web application attacks:

A
  • Firewalls
  • Antivirus software that is kept up to date
  • Operating system and other software that is legitimate and still supported by its developer
  • Encourage better user education
  • Filters to block potential malicious emails
  • Adaptive technology to spot new and emerging threats
  • Systems of trust
  • Certify emails by independent certification (McAfee)
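As an added example (not from the flashcards), the sort of heuristic an email filter applies to catch the phishing and spoofing described in the phishing and email-channel cards above: it flags a display name that trades on the org’s name, a look-alike sender domain, a Reply-To that diverts replies elsewhere, links whose visible text and real destination differ, and wording that asks for credentials. The org domain `example.com`, the phrase list and both messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

# Phrases that typically accompany a credential-harvesting request (assumed list).
CREDENTIAL_PHRASES = ("verify your password", "confirm your account", "login details", "reset your password")
LINK_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
URL_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url_or_text):
    """Host part of a URL-looking string, lower-cased, or None if it is not one."""
    m = URL_HOST_RE.match(url_or_text.strip())
    return m.group(1).lower() if m else None


def levenshtein(a, b):
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw):
    """Return human-readable reasons this message looks like phishing (empty list = nothing found)."""
    msg = message_from_string(raw, policy=default)
    reasons = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    # Spoofing: display name trades on the org's name while the real sender is external.
    if from_dom != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in name.lower():
        reasons.append(f"display name '{name}' but sender domain is {from_dom}")
    # Look-alike sender domain (one or two characters away from the real one).
    if from_dom != ORG_DOMAIN and 0 < levenshtein(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {from_dom}")
    # Replies silently routed somewhere else.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        reasons.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Link whose visible text names one host while the href goes to another.
    for m in LINK_RE.finditer(html):
        shown, real = host_of(TAG_RE.sub("", m["text"])), host_of(m["href"])
        if shown and real and shown != real:
            reasons.append(f"link shows {shown} but goes to {real}")
    # The ask itself: hand over credentials.
    plain = TAG_RE.sub(" ", html).lower()
    if any(p in plain for p in CREDENTIAL_PHRASES):
        reasons.append("asks the recipient to supply credentials")
    return reasons


# Constructed messages (not real mail).
PHISH = """From: "Example.com IT Support" <helpdesk@examp1e.com>
Reply-To: collect@mailbox-free.test
To: alice@example.com
Subject: Urgent: mailbox quota exceeded
Content-Type: text/html; charset="utf-8"

<p>Your mailbox is full. Please <a href="http://examp1e.com/login">https://portal.example.com/login</a>
and verify your password within 24 hours.</p>
"""

LEGIT = """From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: March payslip available
Content-Type: text/html; charset="utf-8"

<p>Your payslip is available at <a href="https://hr.example.com/payslips">https://hr.example.com/payslips</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw))
```

Heuristics like these are a triage layer, not proof: a message from a legitimate, compromised account passes every check above, which is why user education sits alongside the filter in the list.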
32
Q

What is a white-hat hacker?

A
  • Work for owners of a system
  • Look for gaps in the systems and inform owners of weaknesses to be improved

33
Q

What is a black-hat hacker?

A
  • Find gaps in cybersecurity and exploit them for own malicious purposes
34
Q

What is a grey-hat hacker?

A
  • Won’t be working for owner of a system
  • Flag weaknesses and fix them for a fee without exploitation
  • Or post details online for all users to see if there is no response from owner
35
Q

What is social engineering?

A
  • Exploiting someone’s trust to gain physical or virtual access to data
  • Occurs digitally or in the real world by blagging or somehow finding a way into the company (fake identification, uniform or cover story)
  • Dumpster diving for discarded documents and old, disposed-of equipment
36
Q

Opportunities from white-, black- and grey-hat hackers:

A
  • Black-hat hackers can create malware threats that could lead to extra costs, lost data and additional work that could be prevented by having adequate defences
  • Security testing – using white-hat and grey-hat hackers to test security defences
  • Simulations – white-hat hackers can conduct simulation tests to train staff and raise awareness
  • Peer review – audits by peers can lead to comparative analysis to highlight areas for improvement (less resource intensive approach)
37
Q

Downside risks from cybersecurity breaches:

A
  • Lead to operational downtime while it is addressed – may lead to loss of sales
  • Cost of repairs/ upgrades can be significant
  • Adverse impact on company’s share price
  • Questions may emerge over quality of org’s leadership and management
  • May be loss of customers if dissatisfied with service
  • Loss of reputation
  • Legal and industry consequences – breaching GDPR can lead to fine of €20million or 4% of global revenues, which ever is higher