Exam 4: Chapter 4- Information Security Flashcards
the degree of protection against criminal activity, danger, damage, or loss.
security
all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
information security
any danger to which a system may be exposed.
Threat (to an information resource)
the harm, loss, or damage that can result if a threat compromises that resource.
Exposure (of an information resource)
the possibility that a threat will harm that resource.
Vulnerability (of an information resource)
What are the 5 key factors contributing to the increasing vulnerability of organizational information resources?
- Today’s interconnected, interdependent, wirelessly networked business environment.
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- Lack of management support
any network within your organization
trusted network
any network external to your organization.
untrusted network
________ _________ enable employees to compute, communicate, and access the Internet anywhere and at any time.
wireless technologies
__________ is an inherently unsecure broadcast communications medium.
wireless
ready-made attack programs that users with limited skills can download and use to attack any information system that is connected to the Internet.
scripts
illegal activities conducted over computer networks, particularly the Internet.
cybercrime
T or F: cybercrimes are typically nonviolent; however, they are quite lucrative. Losses from computer crimes can average hundreds of thousands of dollars. Computer crimes can be committed from anywhere in the world at any time, effectively providing an international safe haven for cybercriminals.
True
What are the 2 major categories of threats?
Unintentional and deliberate threats
acts performed without malicious intent that nevertheless represent a serious threat to information security. A major category of this is human error.
unintentional threats
the higher the level of employee, the (smaller/greater) the threat he or she poses to information security
greater
Employees in two areas of the organization pose especially significant threats to information security:
Why are these two significant threats?
- human resources and information systems
- H.R. employees generally have access to sensitive personal information about all employees.
- IS employees not only have access to sensitive organizational data, but they also frequently control the means to create, store, transmit, and modify those data.
What are 3 other relevant employees in regard to information security?
- Contract labor (such as temporary hires)
- Consultants
- Janitors and guards
an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
social engineering
What are 2 social engineering techniques?
Tailgating and shoulder surfing
a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to “hold the door.”
tailgating
occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes.
shoulder surfing
What are 10 common types of deliberate attacks?
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment/information
- Identity theft
- Compromises to intellectual property
- Software attacks
- Alien software
- SCADA attacks
- Cyberterrorism and cyberwarfare
occurs when an unauthorized individual attempts to gain illegal access to organizational information
espionage or trespass
occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information
information extortion
An increasingly serious type of information extortion is _________.
ransomware
blocks access to a computer system or encrypts an organization’s data until the organization pays a sum of money. Victims are told to pay the ransom, usually in Bitcoin. Attackers typically use the anonymizing Tor network.
ransomware
Most commonly, ransomware attacks use _____ ______ and _______ attacks. These emails are carefully tailored to look as convincing as possible.
spear phishing; whaling
Some ransomware developers distribute ransomware to any hacker who wants to use it. This process is called
ransomware-as-a-service
Rather than threatening to delete encrypted data, some cybercriminals are beginning to threaten to release it to the public, a strategy known as
doxxing
What are the 5 things to do to protect against ransomware?
- all organizations must provide education and training
- Organizations must install the latest versions of software and apply patches immediately.
- Organizations must back up crucial data and information often
- Organizations should employ anti-ransomware software.
- Organizations should utilize the No More Ransom initiative
deliberate acts that involve defacing an organization’s website, potentially damaging the organization’s image and causing its customers to lose faith.
sabotage or vandalism
T or F: not all attacks on organizations involve sophisticated software.
true
a form of theft that involves rummaging through commercial or residential trash to find discarded information
dumpster diving
the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime.
identity theft
T or F: Recovering from identity theft is costly, time consuming, and burdensome.
true
the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
intellectual property
an intellectual work, such as a business plan, that is a company secret and is not based on public information. (ex: the formula for Coca-Cola)
trade secret
an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.
patent
a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.
copyright
Current U.S. laws award patents for ____ years and copyright protection for the life of the creator plus ____ years. Owners are entitled to collect fees from anyone who wants to copy their creations.
20; 70
The most common intellectual property related to IT deals with _________.
software
copying a software program without making payment to the owner—including giving a disc to a friend to install on his or her computer
piracy
Software attacks have evolved from the early years of the computer era, when attackers used malicious software—called ________—to infect as many computers worldwide as possible, to the profit-driven, Web-based attacks of today.
malware
T or F: Not all cybercriminals are sophisticated.
true
segment of computer code that performs malicious actions by attaching to another computer program
virus
segment of computer code that modifies itself (i.e., rewrites its own code) to avoid detection by anti-malware systems while keeping the same functionality
polymorphic virus
segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program)
worm
attacks that use deception to acquire sensitive personal information by masquerading as official looking emails or instant messages
phishing attack
Whereas ordinary phishing attacks target large groups of people, in this type of attack the attackers find out as much information about one individual as possible to improve the chance that the phishing message will succeed and obtain sensitive, personal information.
spear phishing
attack that targets high-value individuals such as senior executives in an attempt to steal sensitive information from a company such as financial data or personal details about employees
whaling attack
an attacker sends so many information requests to a target computer system that the target cannot manage them successfully and typically ceases to function (crashes)
denial-of-service attack
an attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash.
Distributed denial-of-service attack
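The difference between the two cards above is easiest to see in traffic data. The following is an added example, not part of the original flashcards: it runs a rate-based flood check over constructed web-server log lines. The IP addresses (documentation ranges), the log contents and the three thresholds are all assumed. A DoS flood comes from one source and trips a per-source limit; a DDoS flood spreads the same volume across many bots so that each bot stays under that limit, which is why a second, aggregate check per minute is needed.

```python
"""Rate-based flood detection over constructed web-server log lines.

Added example, not part of the original flashcards. The log lines, the IP
addresses (documentation ranges) and the thresholds below are all assumed.
"""
import re
from collections import defaultdict

# Common Log Format; the timestamp is captured down to the minute so that
# requests can be bucketed per minute.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\] "([^"]*)" (\d{3}) (\d+)$'
)

PER_SOURCE_LIMIT = 100  # assumed: requests per source per minute before calling it a DoS
TOTAL_LIMIT = 400       # assumed: requests per minute from everyone before suspecting a flood
MANY_SOURCES = 50       # assumed: distinct sources that make a flood "distributed"


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, minute, request, status, size = m.groups()
    return {"ip": ip, "minute": minute, "request": request,
            "status": int(status), "bytes": int(size)}


def classify(lines):
    """Map each minute to ('normal', total) | ('dos', top_ip) | ('ddos', n_sources)."""
    per_minute = defaultdict(lambda: defaultdict(int))  # minute -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_minute[rec["minute"]][rec["ip"]] += 1

    verdicts = {}
    for minute, by_ip in per_minute.items():
        total = sum(by_ip.values())
        top_ip, top_count = max(by_ip.items(), key=lambda kv: kv[1])
        if top_count > PER_SOURCE_LIMIT:
            verdicts[minute] = ("dos", top_ip)        # one source doing all the work
        elif total > TOTAL_LIMIT and len(by_ip) >= MANY_SOURCES:
            verdicts[minute] = ("ddos", len(by_ip))   # no single source stands out
        else:
            verdicts[minute] = ("normal", total)
    return verdicts


def make_line(ip, hhmm, n):
    """Build one constructed log line; seconds cycle so timestamps look plausible."""
    return (f'{ip} - - [10/Mar/2024:{hhmm}:{n % 60:02d} +0000] '
            f'"GET /index.html HTTP/1.1" 200 512')


def sample_log():
    """Constructed traffic: a quiet minute, a single-source flood, a botnet flood."""
    lines = []
    for i in range(5):                      # 12:00 - five clients, four requests each
        for n in range(4):
            lines.append(make_line(f"198.51.100.{i + 1}", "12:00", n))
    for n in range(300):                    # 12:01 - one client hammering the server
        lines.append(make_line("203.0.113.9", "12:01", n))
    for bot in range(100):                  # 12:02 - 100 bots, five requests each
        for n in range(5):
            lines.append(make_line(f"192.0.2.{bot + 1}", "12:02", n))
    return lines


if __name__ == "__main__":
    for minute, verdict in sorted(classify(sample_log()).items()):
        print(minute, verdict)
```

Note that in the 12:02 minute every bot sends only five requests, well under the per-source limit; only the aggregate count together with the number of distinct sources reveals the attack, which is why a per-IP rate limiter alone does not stop a botnet.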
Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
trojan horse
Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door)
back door
A segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date
logic bomb
clandestine software that is installed on your computer through duplicitous methods. It typically isn’t as malicious as viruses, worms, or Trojan horses, but it does use up valuable system resources. It can also enable other parties to track your Web surfing habits and other personal behaviors
alien software (or pestware)
The vast majority of pestware is _______
adware
software that causes pop-up advertisements to appear on your screen; common because it works
adware
software that collects personal information about users without their consent.
spyware
3 common types of spyware:
- stalkerware
- keystroke loggers
- screen scrapers
spyware used to monitor people close to the perpetrator. Victims typically don’t know it is on their device unless they run an antivirus scan. Developers of this market their apps as child safety or anti-theft tools. However, these apps can easily be used for the purpose of spying on a partner.
stalkerware
record both your individual keystrokes and your Web browsing history. The purposes range from criminal—for example, theft of passwords and sensitive personal information such as credit card numbers—to annoying—for example, recording your Internet search history for targeted advertising.
keystroke loggers (or keyloggers)
How have companies attempted to counter keyloggers?
By using CAPTCHA
software that records a continuous “movie” of a screen’s contents rather than simply recording keystrokes.
screen scrapers (screen grabbers)
pestware that uses your computer as a launch pad for spammers.
spamware
unsolicited email, usually advertising for products and services.
spam
T or F: Spam wastes time and money; costs U.S. companies billions of dollars every year.
True
small amounts of information that websites store on your computer, temporarily or more or less permanently. In many cases, they are useful and innocuous.
cookies
can be used to track your path through a website, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes. They can also combine this information with your name, purchases, credit card information, and other personal data to develop an intrusive profile of your spending habits.
tracking cookies
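To make the distinction between a useful first-party cookie and a tracking cookie concrete, here is an added example that is not part of the original flashcards. It parses Set-Cookie headers observed while browsing, labels each cookie as first- or third-party and session or persistent, flags the hardening attributes a practitioner checks for (Secure, HttpOnly, SameSite), and then rebuilds the "path through the web" that a third-party tracker sees when the same cookie value shows up on different sites. The hosts, headers and cookie values are constructed, and the rule used to decide which site a host belongs to (last two DNS labels) is a simplification assumed for the sample hosts.

```python
"""Cookie classification and a cross-site tracking profile.

Added example, not part of the original flashcards. Hosts, Set-Cookie headers
and cookie values are constructed; the "registrable domain" rule is a
simplification (last two labels) that is good enough for the sample hosts.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def registrable_domain(host):
    """Assumed rule: the site is the last two DNS labels (example.com)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_cookie(page_host, setter_host, header):
    """Say who set the cookie, how long it lives, and which hardening flags it lacks."""
    name, value, attrs = parse_set_cookie(header)
    persistent = "max-age" in attrs or "expires" in attrs   # survives closing the browser
    third_party = registrable_domain(page_host) != registrable_domain(setter_host)
    issues = []
    if "secure" not in attrs:
        issues.append("no Secure")                 # would also be sent over plain HTTP
    if "httponly" not in attrs:
        issues.append("no HttpOnly")               # readable by scripts on the page
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append("no SameSite=Lax/Strict")    # attached to cross-site requests
    return {"name": name, "value": value, "setter": setter_host,
            "third_party": third_party, "persistent": persistent, "issues": issues}


def tracker_profile(observations):
    """Group page visits by third-party persistent cookie: the tracker's view of your path."""
    profile = {}
    for page_host, setter_host, header in observations:
        c = classify_cookie(page_host, setter_host, header)
        if c["third_party"] and c["persistent"]:
            key = (setter_host, c["name"], c["value"])
            profile.setdefault(key, []).append(page_host)
    return profile


# Constructed observations: (page being visited, host that sent Set-Cookie, header).
OBSERVATIONS = [
    ("shop.example.com", "shop.example.com",
     "session=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "ads.tracker.example",
     "uid=7f3e9; Domain=.tracker.example; Path=/; Max-Age=31536000; Secure; SameSite=None"),
    ("news.example.org", "ads.tracker.example",
     "uid=7f3e9; Domain=.tracker.example; Path=/; Max-Age=31536000; Secure; SameSite=None"),
    ("news.example.org", "news.example.org", "prefs=dark; Path=/"),
]


if __name__ == "__main__":
    for page, setter, header in OBSERVATIONS:
        print(classify_cookie(page, setter, header))
    print(tracker_profile(OBSERVATIONS))
```

The session cookie from shop.example.com is first-party, dies with the browser and carries all three hardening flags; the uid cookie from ads.tracker.example is third-party, lives for a year, and because it carries the same value on two unrelated sites the tracker can join those visits into one profile.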
a large-scale distributed measurement and control system.
SCADA
used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants; provide a link between the physical world and the electronic world.
SCADA systems
malicious acts in which attackers use a target’s computer systems, particularly through the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda. These actions range from gathering data to attacking critical infrastructure; for example, through SCADA systems.
cyberterrorism/cyberwarfare
Which describes cyberterrorism and which describes cyberwarfare?
1. typically carried out by individuals or groups
2. carried out by nation-states or non-state actors such as terrorists.
- cyberterrorism
- cyberwarfare
T or F: IT security is the business of everyone in an organization.
true
the probability that a threat will impact an information resource.
risk
The goal of _______ _______ is to identify, control, and minimize the impact of threats. In other words, it seeks to reduce risk to acceptable levels.
risk management
What are the 3 types of Information Security controls?
- Physical controls
- Access controls
- Communications (network controls)
What are the two parts of access controls?
- Authentication (identification)
- Authorization
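The two parts of access control are easiest to keep apart when written as two separate checks that run in order. The following is an added example, not part of the original flashcards: authentication verifies the claimed identity against a salted PBKDF2 password hash, and authorization then asks whether that verified principal's role permits the requested action. The user names, passphrases, role matrix and PBKDF2 work factor are assumed for illustration.

```python
"""Authentication then authorization, the two parts of access control.

Added example, not part of the original flashcards. User names, the role
matrix and the PBKDF2 work factor are assumed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it as hardware gets faster
DUMMY_SALT = b"\0" * 16  # lets unknown users cost the same time as known ones


def make_password_record(password, salt=None):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def authenticate(users, username, password):
    """Identification (the claimed username) plus verification of the claim.

    Returns the verified principal, or None. The failure reason is not leaked:
    a wrong password and an unknown user both return None and both do the
    same amount of hashing work.
    """
    record = users.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ROUNDS)
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return username if hmac.compare_digest(digest, record["hash"]) else None


# Constructed least-privilege matrix: each role gets only what its job needs.
ROLE_PERMISSIONS = {
    "hr_clerk":   {"read:employee_pii"},
    "hr_manager": {"read:employee_pii", "write:employee_pii"},
    "sysadmin":   {"read:server_logs", "write:server_config"},
}
USER_ROLES = {"alice": "hr_clerk", "bob": "sysadmin"}


def authorize(principal, action):
    """Authorization: an authenticated principal may perform only listed actions."""
    if principal is None:            # never authorize an unauthenticated caller
        return False
    role = USER_ROLES.get(principal)
    return action in ROLE_PERMISSIONS.get(role, set())


def build_user_db():
    """Constructed user store with two accounts (passphrases are sample values)."""
    return {
        "alice": make_password_record("correct horse battery staple"),
        "bob":   make_password_record("bob-has-a-long-passphrase-too"),
    }


def attempt(users, username, password, action):
    """Full access-control decision: authenticate first, then authorize."""
    principal = authenticate(users, username, password)
    return authorize(principal, action)


if __name__ == "__main__":
    db = build_user_db()
    print(attempt(db, "alice", "correct horse battery staple", "read:employee_pii"))    # True
    print(attempt(db, "alice", "correct horse battery staple", "write:server_config"))  # False
    print(attempt(db, "alice", "wrong password", "read:employee_pii"))                  # False
```

The order matters: authorization is only ever asked about a principal that authentication has already verified, so a caller who fails the first check is denied regardless of what the role table says. The HR clerk here can read employee PII but not modify it, which is the least-privilege point the earlier cards make about HR and IS staff.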
Security is almost all (good/bad) news; the bad guys only have to be right ____ time and the good guys (defenders) have to be right _____ time.
bad; one; every
T or F: Cybersecurity people make a lot of money, but it is a very difficult proposition.
True
As software has gotten more complex, the number of errors that bad guys can exploit (increases/decreases).
increases
Unfortunately, we are almost totally _______, not proactive.
reactive
People are backing up their data now in ____ _____. To back up your data, you have to back it up in almost real time, which connects your backup with your main site. The issue is that the bad guys know this, so they encrypt both.
hot sites
an off-premises location where an organization can resume normal operations during a commercial disaster. All the equipment needed for the work to resume is available there, including phones, backup data, and computers.
hot site
A backup facility that has the necessary electrical and physical components of a computer facility (power, networking capability, and cooling), but does not have the computer equipment (servers, storage, and other hardware) in place.
cold site
T or F: Using a cold site is very limiting to a business since before it can be used, backup data and some additional hardware must be sent to the site and installed
true
contain all the elements of a cold site while adding additional elements, including storage hardware such as tape or disk drives, servers, and switches. Warm sites are “ready to go” in one sense, but they still need to have data transported for use in recovery should a disaster occur
warm sites
Who drives the process of risk optimization?
You
As security increases, productivity (decreases/increases)
decreases
SCADA attacks are ________ attacks
infrastructure
T or F: SCADA systems are critical
true
Cyber crime is being taken over by the _______
cartel
Most ransomware attacks come from _________
Russia
What is the biggest white collar theft right now?
Identity theft
What is the cheapest software attack? Most expensive?
- Cheapest = cyberwarfare
- Most expensive = nuclear
T or F: Risk analysis is the MIS’s job.
False; it is YOUR job
What are the 4 steps of risk management?
- Risk
- Risk management
- Risk analysis
- Risk mitigation
What are 3 ways to avoid risk (aka risk mitigation)?
- Risk acceptance (not really used anymore)
- Risk limitation (control measures)
- Risk transference (insurance)
T or F: risk optimization has nothing to do with MIS
True
To end up with less potential loss, an organization spends (less/more) on countermeasures
more
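The risk analysis behind the last several cards (risk, risk management, the three mitigation strategies, and how much to spend on countermeasures) can be worked through with numbers. The following is an added example, not part of the original flashcards. It uses the standard annualized loss expectancy calculation: expected yearly loss = asset value x fraction lost per incident x incidents per year, then compares each mitigation strategy's yearly cost plus the loss that remains after it. The asset value, loss fraction, incident rate and every option's cost are constructed figures for illustration.

```python
"""Risk analysis worked through with annualized loss expectancy.

Added example, not part of the original flashcards. The asset value, the
per-incident loss fraction, the incident rate and every option's cost are
constructed numbers for illustration.
"""


def annualized_loss(asset_value, exposure_factor, annual_rate):
    """ALE = single loss expectancy (value x fraction lost) x incidents per year."""
    single_loss = asset_value * exposure_factor
    return single_loss * annual_rate


# Constructed scenario: a customer database facing ransomware.
ASSET_VALUE = 2_000_000   # dollars
EXPOSURE_FACTOR = 0.25    # fraction of the asset's value lost per incident (assumed)
ANNUAL_RATE = 0.2         # incidents per year, i.e. roughly one every five years (assumed)

# Each option: its yearly cost plus the exposure and rate that remain once it is applied.
OPTIONS = {
    # risk acceptance: spend nothing, carry the full expected loss
    "acceptance":   {"cost": 0,       "exposure_factor": 0.25, "annual_rate": 0.2},
    # risk limitation: offline backups and prompt patching shrink what an incident destroys
    "limitation":   {"cost": 30_000,  "exposure_factor": 0.05, "annual_rate": 0.2},
    # risk transference: insurance premium; the policy pays 80% of each loss
    "transference": {"cost": 45_000,  "exposure_factor": 0.05, "annual_rate": 0.2},
    # a control that costs more than the loss it prevents
    "gold_plating": {"cost": 150_000, "exposure_factor": 0.01, "annual_rate": 0.2},
}


def evaluate_options(asset_value, exposure_factor, annual_rate, options):
    """Return (baseline ALE, per-option figures, name of the option with the lowest total)."""
    baseline = annualized_loss(asset_value, exposure_factor, annual_rate)
    results = {}
    for name, opt in options.items():
        residual = annualized_loss(asset_value, opt["exposure_factor"], opt["annual_rate"])
        total = opt["cost"] + residual
        results[name] = {
            "annual_cost": opt["cost"],
            "residual_ale": residual,
            "total": total,
            "net_benefit": baseline - total,   # negative: the option costs more than it saves
        }
    best = min(results, key=lambda n: results[n]["total"])
    return baseline, results, best


if __name__ == "__main__":
    baseline, results, best = evaluate_options(ASSET_VALUE, EXPOSURE_FACTOR, ANNUAL_RATE, OPTIONS)
    print(f"baseline ALE: {baseline:,.0f}")
    for name, r in results.items():
        print(f"{name:13s} cost {r['annual_cost']:>8,.0f}  "
              f"residual {r['residual_ale']:>8,.0f}  total {r['total']:>8,.0f}")
    print("choose:", best)
```

With these figures the expected loss is $100,000 a year. Limitation costs $30,000 and leaves $20,000 of expected loss (total $50,000), transference costs $45,000 for the same residual (total $65,000), and the over-built control costs more than the entire loss it is meant to prevent, which is the point of the "spend more on countermeasures" card: spending is justified only up to the loss it removes.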
Who handles communication controls?
MIS