ITSAC - midterms Flashcards

1
Q

What is Information Security?

A

A set of security procedures and tools that broadly protect sensitive enterprise information from misuse, unauthorized access, disruption, or destruction. – Microsoft
It refers to the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection. – Cisco
Information security in today’s enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” – Jim Anderson, Inovant (2002)

2
Q

History

A

Began immediately after the first mainframes were developed.
These machines were created to aid code-breaking computations during World War II.
Security consisted of physical controls limiting access to sensitive military locations to authorized personnel: badges, keys, and recognition of authorized staff by security guards.
These controls were rudimentary, aimed at physical theft, espionage, and sabotage.

3
Q

History
Early 1960s

A

One of the first documented security problems occurred.
A software glitch swapped two system files: the Message of the Day and the password file.
As a result, the entire password file was printed on every output file.

4
Q

History
Early 1970s

A

The microprocessor brought in a new age of computing capabilities, and new security threats, as these systems were networked.
Late 1970s: the microprocessor expanded computing capabilities and, with them, the range of security threats.
Shift from mainframe to PC
Decentralized computing
Need for sharing resources increased
A major change in computing

5
Q

History
RAND Report R-609

A

The first widely recognized published document to identify the role of management and policy issues in computer security.
It attempted to define multiple controls and mechanisms necessary for the protection of a multi-level computer system.

6
Q

History
The 1990s

A

At the close of the 20th century, as networks of computers became more common, so did the need to connect these networks to each other.
This gave rise to the Internet, the first global network of networks.
Early Internet deployment treated security as a low priority.

7
Q

History
In the late 1990s and into the 2000s

A

Many large corporations began publicly integrating security into their organizations.
Antivirus products became extremely popular, and information security began to emerge as an independent discipline.

8
Q

History
2000 to present

A

The Internet brings millions of computer networks into communication with each other, many of them unsecured.
The ability to secure a computer's data is influenced by the security of every computer to which it is connected.

9
Q

What is Security?

A

A successful organization should have the following multiple layers of security in place to protect its operations.

  1. Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
  2. Personnel security - to protect the individual or group of individuals who are authorized to access the organization and its operations.
  3. Operations security - to protect the details of a particular operation or series of activities.
  4. Communications security - to protect an organization's communications media, technology, and content.
  5. Network security - to protect networking components, connections, and contents.
10
Q

Critical Characteristics of Information

A
  1. Availability - enables authorized users who need to access information to do so without interference or obstruction and in the required format.
  2. Accuracy - free from mistake or error and having the value that the end user expects.
  3. Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication.
  4. Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
  5. Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
  6. Utility - the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. If information is available but not in a format meaningful to the end user, it is of no use.
  7. Possession - the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristics. A breach of confidentiality always results in a breach of possession, but a breach of possession does not always result in a breach of confidentiality (e.g., a stolen file that is encrypted).
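As an added example (not part of the original flashcards), the Python code below shows the difference between integrity and authenticity in practice: a plain SHA-256 digest detects accidental corruption, but an attacker who can rewrite the record can simply recompute the digest, whereas an HMAC under a secret key cannot be forged without that key. The secret key and the record are constructed sample values, not anything from the page.

```python
import hashlib
import hmac


def sha256_digest(data: bytes) -> str:
    """Plain hash: detects accidental corruption (integrity) only."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    # compare_digest avoids timing side channels when comparing digests
    return hmac.compare_digest(sha256_digest(data), expected_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash: an attacker without `key` cannot produce a valid tag (authenticity)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticity_ok(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    # Constructed sample values (assumptions for this example only).
    key = b"constructed-secret-key-do-not-reuse"
    record = b"amount=100;to=acct-42"
    digest = sha256_digest(record)
    tag = hmac_tag(key, record)

    # An attacker modifies the record in transit.
    tampered = b"amount=900;to=acct-99"

    return {
        # Plain hash catches the change if the attacker did NOT update the digest...
        "corruption_detected": not integrity_ok(tampered, digest),
        # ...but an attacker who rewrites the record can also rewrite the digest.
        "plain_hash_forged": integrity_ok(tampered, sha256_digest(tampered)),
        # The HMAC cannot be recomputed without the key, so the forgery fails.
        "hmac_forgery_rejected": not authenticity_ok(
            key, tampered, hmac_tag(b"attacker-guess", tampered)
        ),
        # The genuine record still verifies under the real key.
        "hmac_valid": authenticity_ok(key, record, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for the flashcard: a checksum stored next to the data gives integrity against noise but not against an adversary; authenticity needs a secret (HMAC) or a signature.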
11
Q

Information system (IS)

A

– is the entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.

12
Q

Components of an Information System

A
  1. Software: Includes applications (programs), operating systems, and assorted command utilities.
    Perhaps the most difficult IS component to secure.
    An easy target of accidental or intentional attacks.
  2. Hardware: Physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
    Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft.
  3. Data: Often the most valuable asset an organization possesses.
    The main target of intentional attacks.
  4. People: People have always been a threat to information security.
    Vulnerable to social engineering.
    Must be well trained and informed.
  5. Procedures: Written instructions for accomplishing a specific task.
    In the wrong hands, procedures are a threat to the integrity of data.
  6. Networks: Locks and keys won't work in a networked environment; dedicated network security measures are essential.
13
Q

Balancing Information Security and Access

A

To operate an information system that satisfies the end-user and the security professional, the security level must allow reasonable access yet protect against threats to achieve a balanced scale.
An imbalance can occur when the needs of the end user are undermined by obsessive focus on protecting and administering the information systems.

14
Q

Computer as the Subject and Object of an Attack

A

Subject of an attack: a computer used as the active tool to conduct the attack (e.g., the hacker's own machine).
Object of an attack: the remote system that is being attacked.
A compromised computer can be both: first the object of an attack, then the subject used to attack other systems.

15
Q

Approaches to Information Security Implementation: Bottom-Up Approach

A

Bottom-up approach:

A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
The key advantage is the technical expertise of individual administrators.

16
Q

Advantages & Disadvantages of
Bottom-Up Approach

A

Advantages:

  1. Flexibility: Bottom-up approach allows for changes to be made at any stage of the process.
  2. Empowerment: It gives individuals and smaller groups the power to make decisions.
  3. Robustness: This approach can result in more robust solutions, as each component can be thoroughly tested and debugged.

Disadvantages:

  1. Slow Progress: The bottom-up approach can be slow, as each component must be completed before moving on to the next.
  2. Lack of Coherence: The final solution may lack coherence, as it is assembled from individual parts.
  3. Difficulty in Managing Complex Projects: This approach can be difficult to manage for complex projects with many components.
17
Q

What Companies Use a Bottom-up Approach?

A

Many companies use the bottom-up approach in their management and decision-making processes, including:

Toyota
Hyundai
Ford
Volkswagen
Samsung
Nokia
Dell
Hewlett-Packard
Cisco Systems
Oracle

18
Q

Approaches to Information Security Implementation: Top-down Approach

A

A methodology of establishing security policies and/or practices that is initiated by upper-level management.
Has a higher probability of success than the bottom-up approach, because the project has dedicated funding, clear planning, and the authority to enforce policy.

19
Q

Advantages & Disadvantages of
Top-Down Approach

A

Advantages:

  • Easy to understand and implement.
  • Provides clear objectives and expectations.
  • Supports effective allocation of resources.

Disadvantages:

  • Inflexible to change.
  • Limited to pre-determined solutions.
  • Can lead to missed opportunities or inefficiencies.
  • Can result in lower motivation and participation from lower-level employees.
20
Q

What Companies Use the Top-Down Approach?

A

Many companies use the top-down approach in their management and decision-making processes, including:

IBM
Microsoft
Google
Apple
Amazon
GE
Intel
JPMorgan Chase
Goldman Sachs
Procter & Gamble

21
Q

4 FUNCTIONS OF INFO SECURITY IN ORG

A
  • Protecting the ability to function
  • Enabling safe operation
  • Protecting data
  • Safeguarding technology assets
22
Q
  • object, person, or other entity that represents a constant danger to an asset
A

threat

23
Q

includes acts done without malicious intent
caused by inexperience, improper training, incorrect assumptions, and other circumstances
Employees are among the greatest threats because they are closest to the org's data

A

acts of human error or failure

24
Q
  • broad category: unauthorized accessing of info
  • competitive intelligence (legal) vs. industrial espionage (illegal)
  • shoulder surfing can occur anywhere a person is accessing confidential info
  • Controls are implemented to mark the boundaries of an organization's virtual territory, giving notice to trespassers that they are encroaching on the organization's cyberspace
  • Hackers use skill, guile, or fraud to gain access to, or steal, the property of someone else
A

espionage/trespass

25
**`Espionage` vs. `Competitive intelligence` (and `Trespass`)**
**Industrial espionage** - stealing a competitor's recipe (`illegal`). **Competitive intelligence** - buying a competitor's product and determining what ingredients it contains (`legal`). **Trespass** - unauthorized entry into a system or area; like espionage, it is not legal.
26
* an attacker or formerly trusted insider **steals information** from a computer system and **demands compensation** for its return or non-use
* example: extortion following credit card number theft
**Information Extortion**
27
* individuals or groups who want to sabotage or destroy an operation
* ranges from petty vandalism to organized sabotage
* orgs rely on their image, so web defacement can drive consumers away
* rising threat of hacktivist or cyberactivist operations
* cyberterrorism is the most extreme form
**sabotage or vandalism**
28
illegally taking another's property: physical, electronic, or intellectual
**Deliberate acts of Theft**
29
**Physical, electronic & intellectual theft**
- **Physical Theft**: stealing tangible objects (e.g., money, jewelry, or cars); countered by `locked doors/alarm systems`
- **Electronic Theft**: unauthorized access or hacking to steal digital assets (e.g., credit card info, passwords); `a more complex problem, since the org may not know it has occurred`
- **Intellectual Theft**: stealing ideas, inventions, or creative works (e.g., plagiarism, patent infringement)
30
* unexpected and can occur with very little warning
* can disrupt not only the lives of individuals, but also the storage, transmission, and use of info
* management must prepare contingency plans to limit damage
**Forces of Nature**
31
* occur when a manufacturer distributes equipment containing flaws to users
* can cause the system to perform outside of expected parameters (unreliable, unavailable)
**Technical Hardware Failures or Errors**
32
**`Terminal` vs `Intermittent` Error**
A **terminal error** is a critical fault that stops a system or process completely (`unrecoverable loss of equipment`). An **intermittent error** occurs only occasionally and does not permanently disrupt the system (`faults not easily repeated`, so they are hard to diagnose).
33
deliberate attacks on a system using malicious code (malware) written or deployed by the attacker
**Software Attacks**
34
* harmful software designed to damage, disrupt, or steal data from computers or networks (`malicious code/software`)
* designed to damage, destroy, or deny service to the target systems
**malware**
35
spreads with user interaction; needs a host program or file to attach to
**virus**
36
spreads automatically across the network; needs no host program
**worms**
37
disguised as legitimate software
**trojan**
38
hides deep within the operating system to conceal itself and other malware
**rootkit**
39
secretly monitors your activity and reports it to a third party
**spyware**
40
multiple malware in one attack
**blended threat**
41
gives an attacker control of your PC from a distance
**remote access trojan (RAT)**
42
maliciously feeds you unwanted ads
**adware**
43
automated toolkit that probes for and exploits software vulnerabilities; lets a non-expert attacker steal info with little skill
**exploit kit**
44
* malware used for extortion: it blocks access to a computer system or encrypts its data until a sum of money is paid
**ransomware**
45
records keystrokes to capture passwords and other typed secrets
**keylogger**
46
floods a server with requests so that it cannot serve legitimate users; when many PCs attack at once it is a distributed DoS (DDoS): pc/s ---> server
**denial of service (DoS)**
47
**Protect yourself from keylogger**
* enable two-factor authentication
* don't download unknown files
* consider a virtual keyboard
* use a password manager
* install antivirus software
* consider voice-to-text conversion software
48
is software that detects, prevents, and removes malware from computers and devices.
**Antivirus**
49
Refers to the practice of `protecting digital devices, systems, and networks from unauthorized access, theft, damage, or other malicious activities`. It includes various methods and technologies that are used to safeguard information, such as firewalls, encryption, authentication, and intrusion detection systems.
**Cyber Security**
50
`Malicious software` designed to `harm, exploit, or disrupt` devices, networks, or data. Examples include viruses, ransomware, and spyware.
**malware**
51
A cyber attack where `attackers impersonate legitimate entities` (e.g., banks, companies) to trick users into providing sensitive information like passwords or credit card details.
**phishing**
52
A `targeted form of phishing` where attackers customize messages to a specific individual or organization to gain access to confidential data.
**Spear phishing**
53
An attack where a `hacker intercepts and alters communication` between two parties without their knowledge, often to steal sensitive information.
**Man-in-the-middle attacks**
54
An attack that `overwhelms a system`, network, or website with excessive traffic, causing it to slow down or crash, making services unavailable.
**Denial of Service**
55
A cyber attack that `exploits unsafe query construction` in a website's `database` layer: user input is concatenated into a SQL statement, so an attacker can inject SQL code to read, modify, or bypass controls on sensitive data.
**SQL injection**
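As an added example (not part of the original flashcards), the Python code below shows the flaw behind SQL injection and the parameterized-query fix side by side, using an in-memory SQLite database with a constructed `users` table. The table, the accounts, and the plaintext passwords are assumptions made only to keep the example self-contained; a real system would store password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (assumption for this example only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # VULNERABLE: input is spliced into the SQL text, so it becomes part of
    # the query grammar instead of being treated as data.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # FIXED: placeholders bind the values; the database never parses them as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    # Two classic payloads: a comment that drops the password check, and a
    # tautology that makes the WHERE clause true for every row.
    comment_payload = "alice' --"
    tautology_payload = "' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, comment_payload, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology_payload),
        "safe_comment": login_safe(conn, comment_payload, "wrong"),
        "safe_tautology": login_safe(conn, "nobody", tautology_payload),
        "safe_legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the vulnerable function both payloads log in as `alice` without knowing her password; against the parameterized version they fail while a genuine login still works. The fix is structural (keep data out of the query text), not a blocklist of quote characters.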
56
A type of cyber attack that manipulates the Domain Name System (DNS) to `redirect users to fraudulent websites` or disrupt network services.
**DNS attack**
57
is `constantly evolving and changing as new threats` and vulnerabilities emerge. In recent years, there has been a significant increase in cyber attacks, data breaches, and other cyber threats, which has led to a heightened focus on cyber security.
**Cyber Security Landscape**
58
the most prevalent emerging business risk
**ransomware**
59
**THE ANATOMY OF RANSOMWARE**
1. **Reconnaissance** - gathering and analyzing information to select vulnerabilities through which to enter the org
2. **Delivery** - gaining access to the org's networks and data (phishing, SQL injection, web exploits)
3. **Exploitation** - installing backdoors, exploiting further vulnerabilities, and exfiltrating or destroying data
4. **Impact** - demand for ransom; loss of operational capability until recovery efforts succeed
60
- refers to adhering to laws, regulations, and industry standards that govern the use and protection of digital data
**Compliance**
61
- Developing and implementing strategies to prevent, detect, respond to, and recover from cyber attacks
- requires testing and updating security measures regularly to adapt to new threats and vulnerabilities
**Resilience**
62
**THE NIST CYBERSECURITY FRAMEWORK**
1. **Identify** - what processes and assets need protection?
2. **Protect** - implement appropriate safeguards to ensure protection of the enterprise's assets
3. **Detect** - implement appropriate mechanisms to identify the occurrence of cybersecurity incidents
4. **Respond** - develop techniques to contain the impacts of cybersecurity events
5. **Recover** - implement the appropriate processes to restore capabilities and services impaired due to cybersecurity events
63
- what processes and assets need protection?
**Identify**
64
- implement appropriate safeguards to ensure protection of the enterprise's assets
**Protect**
65
- implement appropriate mechanisms to identify the occurrence of cybersecurity incidents
**Detect**
66
- develop techniques to contain the impacts of cybersecurity events
**Respond**
67
- implement the appropriate processes to restore capabilities and services impaired due to cybersecurity events
**Recover**
68
- high-level overview of the org
- long-term plan (5+ years), forward looking
- each level of division translates plan objectives into more specific objectives
- owned by the executive team (CEO, COO, CFO, CIO)
**Strategic Planning**
69
- methods used to achieve the strategy
- short-term plan (1-2 years or less)
- includes specific goals, budget, and resources
- breaks down strategic goals, e.g. `project plans`, resource acquisition, project budgets, project reviews
- owned by the Chief Information Security Officer (CISO) and security managers
**Tactical Planning**
70
- plans day-to-day running
- controlled via `daily/weekly/monthly/annual` reviews
- includes the necessary `tasks for all departments`, communication, and reporting requirements
**Operational Planning**
71
`High-level statements` which define roles, responsibilities, and expectations for specific domain areas. - general - what to do & not to do in org - "all company data should be protected from unauthorized access"
**Policies**
72
`Specific low-level`, mandatory controls that help enforce and support policies. - how to comply with a certain policy
**Standards**
73
`Recommended controls` that help support standards or serve as a reference for when no applicable standard is available. - not mandatory - "use password manager"
**Guidelines**
74
`Step-by-step` instructions to accomplish policies, standards, and guidelines. - specific - how to change password
**Procedures**
75
- is a `management-level document`, often written by the company's `CIO`, detailing the company's `philosophy on security`. - general policy to a whole
**1. Enterprise information security policies**
76
–  is developed by an `organization` to outline the guidelines that govern the `use of` individual `technologies` in that organization. - specific
**2. Issue-specific security policies** (ISSP)
77
- focus on the information security `policies of particular systems`. For example, policies for customer-facing applications, payroll systems, or data archive systems. - identify the security each system needs
**3. Systems-specific security policies**