Exam 1 (Material from Chapters 1 - 4) Flashcards
Internet vs World Wide Web
The World Wide Web is a specific subset of the Internet.
A _____ is the level of exposure to some event that has an effect on an asset
risk
Definition of a vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset
Definition of a threat
Any action, either natural or human induced, that could damage an asset
_____ are hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations.
Information systems
What is the collection of activities that protect the information system and the data stored in it?
Information systems security
What are some of the things we are securing?
Privacy of individuals
Corporate intellectual property
Online B2C and B2B transactions
Government intellectual property
(More examples on slide 11 from CH01 slides)
What is confidentiality?
Only authorized users can view information
What is integrity?
Only authorized users can change information
What is availability?
Information is accessible by authorized users whenever they request the information
Confidential information includes?
- Private data of individuals
- Intellectual property of businesses
- National security for countries and governments
What is cryptography?
Practice of hiding data and keeping it away from unauthorized users
What is encryption?
The process of transforming data from cleartext into ciphertext
What is ciphertext?
The scrambled data that results from encrypting cleartext
Availability Time Measurements
Uptime
Downtime
Availability [A = (Total Uptime)/(Total Uptime + Total Downtime)]
Mean time to failure (MTTF)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
Recovery point objective (RPO)
Recovery time objective (RTO)
What are the seven domains of a typical IT infrastructure?
- User Domain
- Workstation Domain
- LAN Domain
- LAN-to-WAN Domain
- WAN Domain
- Remote Access Domain
- System/Application Domain
Common Threats in the User Domain
- Unauthorized access
- Lack of user awareness
- User apathy toward policies
- Security policy violations
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos
- User destroying systems, applications, and data
- Disgruntled employee attacking organization or committing sabotage
- Employee romance gone bad
- Employee blackmail or extortion
Common Threats in the Workstation Domain
- Unauthorized workstation access
- Unauthorized access to systems, applications, and data
- Desktop or laptop operating system and software vulnerabilities
- Desktop or laptop application software vulnerabilities and patches
- Viruses, malicious code, and other malware
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos
- Security risk due to user violation of acceptable use policy (AUP)
- Bring Your Own Device (BYOD)
Common Threats in the LAN Domain
- Unauthorized access to LAN
- Unauthorized access to systems, applications, and data
- LAN server operating system software vulnerabilities
- LAN server application software vulnerabilities and software patch updates
- Unauthorized access by rogue users on wireless LANs (WLANs)
- Compromised confidentiality of data on WLANs
- LAN servers with different hardware, operating systems, and software are difficult to manage and troubleshoot
Common Threats in the LAN-to-WAN Domain
- Unauthorized network probing and port scanning
- Unauthorized access through the LAN-to-WAN Domain
- Denial of service (DoS)/distributed denial of service (DDoS) attacks
- IP router, firewall, and network appliance operating system vulnerability
- IP router, firewall, and network appliance configuration file errors or weaknesses
- Remote user download of sensitive data
- Download of unknown file type attachments from unknown sources
- Unknown email attachments and embedded URL links received by local users
- Lost productivity due to local users surfing the web
Common Threats in the WAN Domain (Internet)
- Open, public, and accessible data
- Most Internet traffic sent as cleartext
- Vulnerable to eavesdropping
- Vulnerable to malicious attacks
- Vulnerable to DoS and DDoS attacks, TCP synchronize (SYN) flooding, and IP spoofing attacks
- Vulnerable to corruption of information/data
- Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
- Hackers, attackers, and perpetrators email Trojans, worms, and malicious software
Common Threats in the WAN Domain (Connectivity)
- Commingling of WAN IP traffic on the same service provider router and infrastructure
- Maintaining high WAN service availability
- Maximizing WAN performance and throughput
- Using Simple Network Management Protocol (SNMP) applications and protocols maliciously (ICMP, Telnet, SNMP, DNS, etc.)
- SNMP alarms and security monitoring 24/7/365
Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks
- Multiple logon retries and access control attacks
- Unauthorized remote access to IT systems, applications, and data
- Private or confidential data compromised remotely
- Data leakage in violation of data classification standards
- A mobile worker’s laptop is stolen
- Mobile worker token or other authentication stolen
Common Threats in the System/Application Domain
- Unauthorized access to data centers, computer rooms, and wiring closets
- Downtime of servers to perform maintenance
- Server operating systems software vulnerability
- Insecure cloud computing virtual environments by default
- Susceptibility of client-server and web applications
- Unauthorized access to systems
- Data breach where private data is compromised
- Corrupt or lost data
- Loss of backed-up data as backup media are reused
- Recovery of critical business functions potentially too time consuming to be useful
- Downtime of IT systems for an extended period after a disaster
What is the weakest link in security?
Humans
What are some strategies for reducing risk?
- Check background of job candidates carefully
- Evaluate staff regularly
- Rotate access to sensitive systems, applications, and data among staff positions
- Test applications and software and review for quality
- Regularly review security plans
- Perform annual security control audits
Who defined a policy regarding acceptable use of the Internet geared toward U.S. citizens?
U.S. government and Internet Architecture Board (IAB)
A _____ is a short written statement that defines a course of action that applies to the entire organization
policy
A ____ is a detailed written definition of how software and hardware are to be used
standard
___ are written instructions for how to use policies and standards.
Procedures
A ______ is a suggested course of action for using a policy, standard, or procedure
guideline
Data Classification Standards
- Private data
— Data about people that must be kept private
- Confidential
— Information or data owned by the organization
- Internal use only
— Information or data shared internally by an organization
- Public domain data
— Information or data shared with the public
U.S. federal government data classification standards:
- Top secret
— Applies to information that the classifying authority finds would cause grave damage to national security if it were disclosed
- Secret
— Applies to information that the classifying authority finds would cause serious damage to national security if it were disclosed
- Confidential
— Applies to information that the classifying authority finds would cause damage to national security
____ activities should align with the organization’s strategic goals
Risk Management
T/F: Risks can be positive or negative
True
What is a common pitfall when building a risk management plan?
Limiting the scope of the risk identification process to just inside the organization. Organizations sometimes forget to consider vendors or supply chain.
Risk = ______ x _________
Risk = Threat x Vulnerability
A ___ is an opportunity to exploit a vulnerability.
Threat
An exploited vulnerability results in an ___.
Impact
A ____ is a description of how you will manage risk.
Risk methodology
What is a risk register?
A list of identified risk
The process of identifying, assessing, prioritizing, and addressing risks is a part of what?
Risk Management
This is an analysis of an organization’s functions and activities that classifies them as critical or noncritical
Business impact analysis
This identifies the impact to the business if one or more IT functions fails and identifies the priority of different critical systems
Business impact analysis
What are the BIA Recovery Goals and Requirements?
Recovery point objective (RPO)
Recovery time objective (RTO)
Business recovery requirements
Technical recovery requirements
This is the target state of recovered data that allows an organization to continue normal processing; the maximum amount of data loss that is acceptable
Recovery Point Objective (RPO)
What is the maximum allowable time in which to recover the function?
Recovery Time Objective (RTO)
This identifies any other business functions that must already be in place for the specified recovery function to occur and help in determining the recovery sequence
Business recovery requirements
This defines technical prerequisites that are needed to support each critical business function
Technical recovery requirements
This is a written plan for a structured response to any events that result in an interruption to critical business activities or functions
Business continuity plan (BCP)
What is the order of priorities for a business continuity plan?
Order of priorities:
Safety and well-being of people
Continuity of critical business functions and operations
Continuity of components within the seven domains of an IT infrastructure
What are the elements of a complete BCP?
- Statement defining the policy, standards, procedures, and guidelines for deployment
- Project team members with defined roles, responsibilities, and accountabilities
- Emergency response procedures and protection of life, safety, and infrastructure
- Situation and damage assessment
- Resource salvage and recovery
- Alternate facilities or triage for short- or long-term emergency mode of operations and business recovery
This directs the actions necessary to recover resources after a disaster
Disaster Recovery Plan (DRP)
This extends and supports the BCP by identifying events that could cause damage to resources that are necessary to support critical business functions
Disaster Recovery Plan (DRP)
Explain a hot site, warm site, cold site, and mobile site.
Hot site
– Has environmental utilities, hardware, software, and data like original data center
Warm site
– Has environmental utilities and basic computer hardware
Cold site
– Has basic environmental utilities but no infrastructure components
Mobile site
– Trailer with necessary environmental utilities that can operate as warm or cold site
What are the 5 DRP tests?
Checklist test
Structured walk-through
Simulation test
Parallel test
Full-interruption test
The difference between the security controls in place and controls you need to address vulnerabilities
Security gap
The comparison of the security controls in place and the controls you need to address all identified threats
Gap analysis
What are the steps for conducting gap analysis?
- Identify the applicable elements of the security policy and other standards
- Assemble policy, standard, procedure, and guideline documents
- Review and assess the implementation of the policies, standards, procedures, and guidelines
- Collect inventory information for all hardware and software components
- Interview users to assess knowledge of and compliance with policies
- Compare the current security environment to policies in place
- Prioritize identified gaps for resolution
- Document and implement the remedies to conform to policies
Name the compliance laws
- Family Educational Rights and Privacy Act (FERPA)
- Federal Financial Institutions Examination Council (FFIEC)
- Children’s Online Privacy Protection Act of 1998 (COPPA)
- Gramm-Leach-Bliley Act (GLBA)
- Government Information Security Reform Act (Security Reform Act) of 2000
- The USA PATRIOT Act of 2001
- Federal Information Security Management Act (FISMA)
- Sarbanes-Oxley Act (SOX)
- California Security Breach Information Act (SB 1386) of 2003
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Modernization Act (FISMA)
- European Union General Data Protection Regulation (GDPR) of 2016
- Payment Card Industry Data Security Standard (PCI DSS)
- California Consumer Privacy Act (CCPA) of 2018
T/F: A confidentiality violation cannot be undone
True
Give examples of how to keep data confidential.
Authentication controls:
– Passwords and PINs
– Smart cards and tokens
– Biometric devices
– Digital certificates
– Challenge-response handshakes
– Kerberos authentication
– One-time passwords
Authorization controls:
– Authentication server rules and permissions
– Access control lists
– Intrusion detection and prevention
– Physical access control
– Connection and access policy filters
– Network traffic filters
What are some BYOD Concerns?
Data ownership
Support ownership
Patch management
Antivirus management
Forensics
Privacy
Acceptable use policy
Onboard camera/video
Onboarding/offboarding
Adherence to corporate policies
User acceptance
Architecture/infrastructure considerations
Legal concerns
What are the risk management key principles?
- Do not spend more to protect an asset than it is worth.
- Every countermeasure requires resources to implement and therefore should be aligned with a specific risk.
Definition: The likelihood that something bad will happen to an asset
risk
Something bad that might happen to an organization is a what?
Threat
Any exposure that could allow a threat to be realized is a what?
Vulnerability
The amount of risk or harm caused by a threat or vulnerability that is exploited by a perpetrator is the definition of what?
Impact
A measurable occurrence that has an impact on the business is a ____?
Event
Any event that violates or threatens to violate your security policy is a ____.
Incident
___ includes both safeguards and countermeasures.
Control
____ address gaps or weaknesses in controls that could lead to a realized threat.
Safeguards
Something that counters or addresses a specific threat is the definition of what?
Countermeasure
Component parts of risk:
- Assets
- Vulnerabilities
- Threats
Perform ___ to identify new or changed risks over time
risk assessments
More than a quarter of all reported attacks are by _______
insiders
The impact of insider attacks is proportionately _____ than attacks by outsiders
worse
T/F: Risk can be reduced to zero
False. Risk can never be reduced to zero.
_____ focuses on planning to anticipate and respond to risk without interrupting the most critical business functionality
Contingency planning
Explain the risk management process.
- Identify risks
- Assess and prioritize risks
- Plan risk response
- Implement Risk Responses
- Monitor and Control Risk Responses
How do you identify risks?
- Brainstorming
- Surveys
- Interviews
- Working groups
- Checklists
- Historical information
What are the risk register components?
- A description of the risk
- The expected impact if the associated event occurs
- The probability of the event’s occurring
- Steps to mitigate the risk
- Steps to take should the event occur
- Rank of the risk
______ assessments are where the cost or value of the identified risk and its financial impact are examined
Quantitative risk
This attempts to describe risk in financial terms and put a dollar value on each risk
Quantitative risk assessment
In ______ risk assessments, risks are examined by assigning a rating to each identified risk
Qualitative
_____ assessments rank risks based on their probability of occurrence and impact on business operations
Qualitative risk
Do quantitative assessments use hard or soft data?
hard
Do qualitative assessments use hard or soft data?
soft
What is the formula for single loss expectancy (SLE)?
SLE = Asset Value * Exposure Factor
What is the formula for annualized rate of occurrence (ARO)?
ARO = Number of incidents per year
What is the formula for annualized loss expectancy (ALE)?
ALE = Single loss expectancy (SLE) * Annualized rate of occurrence (ARO)
In Qualitative Risk Analysis you judge risk on two scales. What are these two scales?
- Probability or likelihood
- Impact
What are some examples of responses to negative risks?
Reduce (reduction/mitigation)
Transfer (transference/assignment)
Accept (acceptance)
Avoid (avoidance)
What are some examples of responses to positive risks?
Exploit (exploitation)
Share (sharing)
Enhance (enhancement)
Accept (acceptance)
______ = Total Risk - Mitigating controls
Residual Risk
_____ manage the activity phase of security—the things people do
Administrative controls
___ controls correspond to the life cycle of a security program
Activity phase
T/F: Countermeasures might pose new risk to the organization
True
Protecting ______ is a top-of-mind consideration for any organization
intellectual property
The central assets of many organizations are:
Patents
Drug formulas
Engineering plans
Sales and marketing plans
Scientific formulas
Recipes
____ assets are among highest-profile assets in any organization
Financial
Loss of ___ assets due to malicious attacks is a worst-case scenario for all organizations
financial
_____ can have long-term effects on a company’s reputation and brand image
Finances and Financial Data breaches
_____ must be available for use when organizations need them
critical services
____ is the time during which a service is not available due to failure or maintenance
downtime
____ is the result of technical failure, human error, or attack
Unintentional downtime
___ is the amount of money a company loses due to either intentional or unintentional downtime
Opportunity cost
T/F: Companies that suffer from security breaches and malicious attacks that expose assets are likely to face serious negative consequences in the public eye even if the company’s response were swift and solved the problem effectively
True
____ hackers try to break IT security and gain access to systems with no authorization to prove technical prowess or potentially steal sensitive data
Black-hat
____ hackers are information systems security professionals who have authorization to identify vulnerabilities and perform penetration testing
White-hat
White-hat hackers are also known as what?
ethical hackers
____ hackers are hackers with average abilities who may one day become black-hat hackers but could also choose to become white-hat hackers
Gray-hat
____ transfers a software company's risk of having vulnerable software and being held liable for a software vulnerability to its end users
End-User Licensing Agreement (EULA)
Hackers continuously look for known software ____ as a means to find an exploitable weakness
vulnerabilities
____ is the gap in time between the announcement of a vulnerability and the application of a patch
Vulnerability window
____ is a vulnerability window of zero days because there is no patch yet for a known software vulnerability
Zero day
What are the three threat types listed in the slides?
Disclosure threats
Alteration threats
Denial or destruction threats
What are the four categories of attacks?
Fabrications
Interceptions
Interruptions
Modifications
What Are Common Attack Vectors?
Attacks on availability
Attacks on people
Attacks on IT assets
Focus on _____ and implement security controls that can help mitigate the risk caused by threats and vulnerabilities
countermeasures
Best strategy for countermeasures is to identify _____ and reduce them to avoid attacks
vulnerabilities
What are two ways that people like to communicate?
Real-time communications
– Occurs instantaneously
Store-and-forward communications
– Acceptable delay in transmitting communication
IoT Applications That Impact Humans
Health monitoring and updating
Home security and smart home control systems
Online calendars
Near real-time tracking and monitoring via global positioning systems (GPS)
Online banking, bill paying, and financial transactions
Online e-commerce purchases
Automobiles with smart computers and always-on Wi-Fi Internet access
IoT’s Impact on Business
Retail stores
Virtual workplace
Remote sensors
Traffic-monitoring applications
Business-to-consumer (B2C) service delivery model
Anything as a Service (AaaS) IoT applications
What is B2C?
Business-to-consumer
Customers purchasing goods and services directly from a business's website describes what?
Business-to-consumer (B2C)
What is B2B?
Business-to-business
Businesses conducting sales with other businesses describes what?
Business-to-business (B2B)
Payment Card Industry Data Security Standard (PCI DSS) protects what?
private customer data
What are some internet business challenges?
Growing the business through the Internet
Changing an existing conventional business into an e-business
Building secure and highly available websites and e-commerce portals
Building a web-enabled customer-service strategy
Finding new customers with Internet marketing
What are some issues with mobile computing?
Network speed
Usability
Security
T/F: Mobile IP enables a user to move between local area network (LAN) segments and stay connected without interruption
True
What is a MN?
Mobile Node
What is a HA?
Home agent
What is a FA?
Foreign Agent
What is a COA?
Care of address
What is a CN?
Correspondent node
A mobile node connects to what?
A Foreign Agent
A home agent assigns a ____ to a mobile node?
Care of address (COA)
A care of address is a ____ for the mobile node?
Local address
A correspondent node sends a message to the ____?
Mobile node
Privacy challenges must be addressed by manufacturers and defined in the right-of-use and software ______?
End-User Licensing Agreement (EULA)
The End-User Licensing Agreement (EULA) must contain:
- Privacy policy statement
- Definition of data, metadata, or analytical data use and rights
- Ability for a user to provide consent to a manufacturer’s or application service provider’s privacy policy statement
- Determine the domain of privacy
_____ ensures interoperability and standards can be pursued for IoT solutions
Internet Engineering Task Force (IETF)
______ has significant financial impacts if not properly addressed
Interoperability
T/F: The goal is to bring down the cost of IoT devices and supporting applications so they are affordable
True
Privacy data is subject to the ____ of the state you live in as well as the state in which the IoT hosting company resides
privacy laws
T/F: IoT vendors or solutions providers are required to adhere to security control requirements and data protection laws
True
A void in _____ and ______ for IoT devices can create an environment of bad IoT devices
interoperability
standards