ISMN Exam 2 Flashcards
GDPR (General Data Protection Regulation)
Toughest privacy and security law in the world
Security
Degree of protection against criminal activity, danger, damage, loss
Information Security
All the processes and policies designed to protect an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, destruction
Threat to an information resource
Any danger to which a system may be exposed
Exposure of Information Resource
Harm, loss, damage that can result if a threat compromises that resource
Vulnerability of an information resource
Possibility that a threat will harm that resource
5 key contributors to the increasing vulnerability of organizational informational resources:
- Interconnected, wirelessly networked business environment
- Smaller, faster, cheaper computers/devices
- Decreasing skills necessary to be a computer hacker
- Int’l organized crime becoming cybercrime
- Lack of management support
Espionage/Trespass
Attacker/unauthorized individual attempts to gain illegal access to organizational information.
Information Extortion
Attacker threatens to steal or actually steals information from a company.
Sabotage/Vandalism
Deliberate acts that involve defacing an organization’s website [web defacement attack]
Intellectual Property
Property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
Identity Theft
Deliberate assumption of another person’s identity, usually to gain access to his/her financial information or to frame them for a crime
Malware
Malicious software designed to wreak havoc
What do Viruses do?
Damage programs, delete files, reformat hard drives and/or restrict access to programs/internet
What do Worms do?
Self-replicate & spread to other computers (modifies/deletes files and/or depletes system resources [hard drive space / bandwidth])
Ransomware
[Form of digital extortion]
Blocks access to an individual computer or an organization’s computer system/network
Encrypts an organization’s data until the organization pays a sum of money (usually in bitcoin).
Doxxing
Sometimes, rather than threatening to delete data if ransom isn’t paid, cybercriminals threaten to release the data to the public (private / sensitive customer data).
Botnets
Collection of infected computers [bots] controlled by a remote player [bot master/herder]
Distributed Denial of Service (DDoS)
Aims to make a website or network unusable by flooding it with malicious traffic or data from multiple infected computers [botnets]
Phishing Attacks
Use deception to acquire sensitive personal information by masquerading as official-looking e-mails, instant messages or texts
Spear Phishing Attacks
Personalized phishing attacks that target specific individuals or organizations
Whale Phishing Attacks
Spear phishing towards high-value individuals to steal sensitive info from companies (usually targeting executives and HR department)
Alien Software (Pestware)
Adware, spyware, Spamware, cookies
software secretly installed on a computer without the knowledge of the user
Typically, not as malicious as viruses/worms – mainly used for advertising/marketing
Allows others to track your web surfing habits and other personal behaviors
Spyware
collects personal information about users without their consent
Keystroke loggers (keyloggers)
Records your keyboard strokes & internet browsing history
Screen scrapers
Record a “movie” of screen contents and activities
Stalkerware
Powerful surveillance functions which include keylogging, making screenshots, monitoring internet activity, recording location, recording video and phone calls, and intercepting app (Skype, Facebook, WhatsApp, Snapchat, iMessage, etc.) communications
Spamware
Sends unsolicited emails to everyone in your email address book that look like they came from you. Mainly used for advertising but can include viruses/worms
Adware
Software that causes pop-ups
SCADA (Supervisory Control and Data Acquisition) attacks
Attacks big power grids and other infrastructure
Cyberterrorism/warfare
Use computer systems to harm real people/places, often for political agenda
Single Most Valuable Control is
User Education and Training
3 major ways companies protect against threats
Education
Information Security Controls
Risk Management
Information Security Controls
Designed to protect all of the components of an information system – including data, software, hardware, and networks.
3 main types of Information Security Control
Physical Controls
Access Controls
Communications Controls
Firewalls
Systems that prevent unauthorized internet users from accessing private networks
Anti-Malware Systems (Antivirus software):
Software that attempts to identify and eliminate viruses, worms and other
malicious software.
Whitelisting
Process in which a company (IT Dept) identifies the only applications/websites that it will allow to run/access on computers
Blacklisting
Process in which a company (IT Dept) identifies applications/websites that it will not allow to run/access on computers
Encryption
Process of converting (scrambling) an original message into a form that cannot be read by anyone except the intended receiver
Uses a public key (locking) and private key (unlocking)
Digital Certificates (certified by a 3rd party certificate authority)
Virtual Private Network (VPN)
Private/secure network (out on the internet) that remote users (internal employees/external vendors/customers) can connect to & access/share information.
Transport Layer Security (TLS)
Secures transactions on the internet (credit card purchases/online banking); encrypts and decrypts data between a Web server and browser
Employee Monitoring Systems
Proactive approach of protecting against human mistakes. Monitors e-mail activities & internet browsing activities.
Information System Auditing
Examination of information systems, their inputs, outputs, and processing. Considers all the potential hazards and controls in information systems. Focuses on issues such as operations, data integrity, software applications, security and privacy, budgets & expenditures, cost control, and productivity.
What affects your organization’s cyber insurance costs?
* Size and Industry
* Amount and Sensitivity of Data
* Annual Revenue
* Strength of Information Security Measures
Functions of Risk Mitigation
* Implementing controls to prevent identified threats from occurring (protect it from happening)
* Developing a means of recovery if the threat becomes a reality (steps to take if it does happen)
3 Steps of Risk Analysis
* Assessing the value of each asset being protected
* Estimating the probability that each asset will be compromised
* Comparing the probable costs of the asset’s being compromised with the costs of protecting the asset
3 most common Risk Mitigation strategies:
Risk Acceptance
Risk Limitation
Risk Transference (Insurance)