Chapters 1-3 Flashcards
Define CIA
Confidentiality - information cannot be read
Integrity - attackers cannot change or destroy info
Availability - info is always available for authorized people
What is a Compromise?
- Successful Attacks, breaches or incidents
What are Countermeasures?
- Used to Thwart attacks
What are the Types of Countermeasures?
- Preventative: cost-effective, prevents attacks
- Detective: keeps attacks from succeeding
- Corrective: minimize and restore systems after an attack
What are the Payment Card Industry-Data Security Standards?
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
How are Employees and Ex-employees Dangerous?
- They have knowledge of internal systems
- Often have permission to access systems
- Know how to avoid detection
- Generally trusted
Define Employee Vulnerabilities
- Sabotage
- Hacking
- Financial Theft
- Intellectual Property Theft
- Extortion (employee is victim)
- Sexual or Racial Harassment of Other Employees
- Internet Abuse
- Carelessness
Define Potential Attackers Aside from Employees
- Contract Workers
What is a Virus
Malware that attaches itself to legitimate programs
What is a Direct-Propagation Worm?
Malware that doesn’t need humans to jump between computers
What is Nonmobile Malware?
Malware that needs humans to propagate
What is a RAT
Remote Access Trojan - allows a machine to be remotely controlled
What is a Downloader
A smaller trojan that downloads larger trojans
What is a Reconnaissance Probe?
Scans to identify network vulnerabilities
What is an Exploit?
An attacker breaks into a computer
What is a Chain of Attack?
An attacker attacks through a chain of victim computers to remain untraceable
Differentiate Expert Attackers and Script Kiddies
Expert hackers are technically skilled and persistent while script kiddies have low skill but are more numerous
What is Cyberwar
Attacks conducted by governments against financial and communication infrastructure
What is Cyberterror
Attacks conducted by terrorists against IT resources
What is Comprehensive Security
A state in which defenders have closed off all possible venues of attack
What makes Security Management a Disciplined Process?
- Complex
- Need Formal Processes
- Continuous Process
- Compliance Regulation
What is the Cycle for Security Management
Plan-Protect-Respond
What is Vision
Understanding your role concerning the company
Strategies for IT Security planning
- Identify Current IT Security Gaps
- Identify Driving Forces
- Identify Corporate Resources Needing Protection
What is a Remediation Plan
Identifying and addressing threats and vulnerabilities to prevent and limit security breaches
What is an Investment Portfolio
Investments made in protection methods to mitigate vulnerabilities, based on risk
What are Compliance Laws and Regulations
Create requirements for corporate security
What is the Sarbanes-Oxley Act of 2002
Requires firms to report material deficiencies in financial reporting processes
What are Data Breach Notification Laws
Requires notification of any California citizen whose private information is exposed
What is the CSO (CISO)
The Chief Security Officer (Chief Information Security Officer) oversees IT and cyber security
Differentiate Effects of IT Location
- Within IT: will be responsible for security
- Outside IT: gives independence
- Hybrid: planning and auditing outside IT but also firewall operation within IT
Define Top Forms of Management Support
- Budget
- Support in Conflicts
- Setting Personal Examples
What is an MSSP
Managed Security Service Providers provide outsourced IT security
What is Risk Analysis
Managing risk so that the remaining threat is reasonable
What is EF
Exposure Factor is the percentage loss in asset value if a compromise occurs
What is SLE
Single Loss Expectancy is the expected loss in case of a compromise
What is ARO
Annualized Rate of Occurrence is the annual probability of a compromise
What is ALE
Annualized Loss Expectancy is the expected loss per year of compromise
What are the Problems with Classic Risk Analysis Calculations
- Uneven Multiyear Cash Flows
- Total Cost of Incident (TCI): damage usually does not come from asset loss
- Impossibility of knowing Annualized Rate of Occurrence
- Problems with “Hard-Headed Thinking”
- Perspective
What is Risk Reduction
Implement countermeasures to reduce harm
What is Risk Acceptance?
Accepting loss when protecting against it would be too expensive
What is Risk Transference
Transferring loss to a different party (insurance)
What is Risk Avoidance
Avoiding risky actions
What are the 4 Choices when Encountering a Risk
- Risk Reduction
- Risk Acceptance
- Risk Transference
- Risk Avoidance
What is the Technical Security Architecture?
A company’s technical countermeasures and how these countermeasures are organized
What is legacy Technology?
Previously installed technology that may be too expensive to upgrade fully right away
What is Defense in Depth
Multiple independent countermeasures must be defeated in series
What is the Weakest Link
Single countermeasure with multiple interdependent components that must all succeed for the countermeasure to succeed
What are Policies
Statements of what is to be done; they provide clarity for implementation
What is an Acceptable Use Policy?
Summarizes key points of special importance for users
Factors to consider when Writing Policies
- IT security cannot act alone in policy-making
- There should be policy writing teams for each policy
- Team approach gives authority to policies
- Different viewpoints prevent mistakes
What is Implementation Guidance
Limits discretion of implementers
Standards vs Guidelines
Standards are mandatory, while guidelines are not mandatory but must be considered
What are Procedures
Detailed specifications of how something should be done
What are Processes
Less detailed specifications of what actions should be taken
What are baselines?
Checklists of what should be done without processes or procedures
What are the Types of Implementation Guidance
- Best Practices: the most appropriate actions taken in other companies
- Recommended Practices: normative guidance
Who Should Be Held Accountable
Owner of a resource
What are Ethics
Person’s system of values that can be guided by company code
What are Kickbacks
Given by sellers to secure orders or future orders
What is Oversight
Term for a group of tools for policy enforcement
What is Electronic Monitoring
Electronically-collected information on behaviour
What are Security Metrics
Indicators of compliance that are measured periodically
What is Auditing
Sampling information to develop an opinion about the adequacy of controls
What is an Anonymous Protected Hotline
An anonymous and protected hotline where employees can call in
What is the Fraud Triangle
- Opportunity
- Pressure
- Rationalization
What is a Vulnerability Test?
An attack on one's own systems to find vulnerabilities
Who is COSO
The Committee of Sponsoring Organizations of the Treadway Commission provides guidance on financial controls
What is CobiT
The Control Objectives for Information and Related Technologies offers documents on how to improve IT management practices
Who is the main professional accrediting body of IT auditing
CobiT
What are the 4 Major CobiT Domains?
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring
What is the ISO/IEC 27000?
A family of IT security standards with several individual standards
What is the ISO/IEC
The International Organization for Standardization and the International Electrotechnical Commission