Module 10: Information Security and Controls

Question 1

What does information security refer to?

Answer 1

It refers to all of the processes and policies designed to protect an organization’s information and information systems (IS) from an unauthorized access. use, disclosure, disruption, modification, or destruction

Question 2

What is a threat to an information resource?

Answer 2

It is any danger to which a system may be exposed

Question 3

What is exposure?

Answer 3

It is the harm, loss, or damage to a compromised resource

Question 4

What is an information resource’s vulnerability?

Answer 4

It is the possibility that the system will be harmed by a threat

Question 5

What are the two major categories of threats?

Answer 5

Unintentional threats are acts performed without malicious intent
Deliberate threats

Question 6

What are the ten common types of deliberate threats to information systems?

Answer 6

Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information
Identify theft
Compromises to intellectual property
Software attacks
Alien software
Supervisory control and data acquisition (SCADA) attacks
Cyberterrorism and cyberwarfare

Question 7

What are organizations doing to protect themselves?

Answer 7

Developing security management strategies
Allocating sufficient resources managed by a Chief Security Office or CIO
Developing software and services that deliver early warnings
Early warning systems are proactive, they can scan the Web for new viruses. alert companies to danger

Question 8

What are the categories of controls?

Answer 8

Security is not only aspect of operational controls
Controls come in layers: control environment, general controls, application controls

Question 9

What are the five key factors that threaten cybersecurity?

Answer 9

1. Today’s interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over cybercrime
5. Lack of management support

Question 10

Why are Human Errors relevant to IT?

Answer 10

There are two important points to be made about employees
The higher the level of the employee, the greater the threat they pose to information security
Employees in two areas of the organization pose especially significant threats to information security: human resources and information systems (IS)

Question 11

What are some Human Erros?

Answer 11

Carelessness with laptops and other computing devices
Opening questionable e-mails
Careless internet surfing
Poor password selection and use
Carelessness with one’s office
Carelessness using unmanaged devices
Carelessness with discarded equipment
Carelessness monitoring of environmental hazards

Question 12

What is social engineering?

Answer 12

It is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords

Question 13

What are some techniques of social engineering?

Answer 13

Impersonation: presenting to be a company manager of an information systems employee
Tailgating: following behind an employee to enter restricted areas
Shoulder surfing: watching over someone’s shoulder to view data or passwords

Question 14

When does espionage or trespass occur?

Answer 14

It occurs when an unauthorized individual attempts to gain illegal access to organizational information

Question 15

What is competitive intelligence?

Answer 15

Legal information-gathering techniques

Question 16

What is industrial espionage?

Answer 16

It crosses the legal boundary

Question 17

What is theft of equipment or information?

Answer 17

Small, powerful devices with increased storage such as laptops, smart phones, digital cameras, thumb drives, and iPods are becoming easier for attackers to use to steal information

Question 18

What are the causes of identity theft?

Answer 18

Stealing mail or dumpster diving
Stealing personal information in computer databases
Infiltrating organizations that store large amounts of personal information
Impersonating a trusted organization in an electronic communication

Question 19

What is intellectual property?

Answer 19

It is a property created by individuals or corporations which is protected under trade secret, patent or copyright laws

Question 20

What is a trade secret?

Answer 20

Intellectual work that is a company secret and is not based on public information

Question 21

What is a patent?

Answer 21

Grants the holder exclusive rights on an invention or process for 20 years

Question 22

What is copyright?

Answer 22

Provides creators of intellectual property with ownership of the property for life of the creator plus 50 years

Question 23

What is piracy?

Answer 23

It is copying a software program without making payment to the owner

Question 24

What are the types of software attacks?

Answer 24

Remote attacks requiring user action: virus, worm, phishing attack, spear phishing attack
Remote attacks needing no user action: denial-of-service attack, distributed denial-of-service attack
Attacks by a programmer developing a system: Trojan horse, back door, logic bomb

Question 25

What is Alien Software?

Answer 25

It is clandestine software that is installed on your computer without your knowledge also known as pestware

Question 26

What is adware?

Answer 26

It is software that causes pop-up advertisements to appear on your screen

Question 27

What is spyware?

Answer 27

Collects personal information about users without their consent

Question 28

What are keystroke loggers?

Answer 28

They record your individual keystrokes (including passwords) and your browsing history

Question 29

What are screen scrapers (screen grabbers)?

Answer 29

Record your screen activity

Question 30

What is spamware?

Answer 30

It is unsolicited e-mail, usually advertising for products and services

Question 31

What are cookies?

Answer 31

They are small amounts of information that Web sites store on your computer, temporarily or more or less permanently; are used to enable you to log in to your favourite web sites

Question 32

What are tracking cookies?

Answer 32

Track your actions on a particular web site, such as what you looked at and how long you were there

Question 33

What are SCADA systesm?

Answer 33

They are used to monitor or to control chemical, physical, and transport processes

Question 34

What is cyberterrorism and cyberwarfare?

Answer 34

It refers to malicious acts in which attackers use a target’s computer systems, particularly via the internet, to cause physical real-world harm or sever disruption, usually to carry out a political agenda

Question 35

What are the difficulties in protecting information resources?

Answer 35

100s of threats
Many locations of computing resources
Broad access to information assets
Difficult to protect distributed networks
Rapid technological changes
Crimes can go undetected for long periods of time
Violation of “inconvenient” security procedures
Minimal knowledge needed to commit crimes
High costs of prevention
Difficult to conduct a cost-benefit justification

Question 36

What does risk management consist of?

Answer 36

Risk analysis
Risk mitigation
Controls evaluation

Question 37

What are the 3 steps of risk analysis?

Answer 37

1. Assessing the value of each asset being protected
2. Estimating the probability that each asset will be compromised
3. Comparing the probable costs of the assets being compromised with the costs of protecting that asset

Question 38

What are the 2 functions of risk mitigation?

Answer 38

Implementing controls to prevent identified threats from occurring
Developing a means of recovery should the threat become a reality

Question 39

What are the three most common risk mitigation strategies?

Answer 39

Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur
Risk limitation: limit the risk by implementing controls that minimize the impact of the threat
Risk transference: transfer the risk by using other means to compensate for the loss, such as by purchasing insurance

Question 40

What are evaluation controls?

Answer 40

The organization identifies security deficiencies and calculates the cost of implementing controls
If the costs of implementing a control is greater than the value of the asset being protected, the control is not cost effective
Effective management reporting improves an organization’s ability to design and evaluate controls

Question 41

What is a control environment?

Answer 41

It encompasses management attitudes towards controls, as evidenced by management actions, as well as by stated policies that address ethical issues and quality of supervision

Question 42

What are the categories of general controls?

Answer 42

Physical: walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure sensors, and motion detectors
Access controls: can be physical or logical
Communication: firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks, transport layer security (TLS), and employee monitoring systems

Question 43

What is authentication?

Answer 43

To authenticate authorized personnel, an organization can use one or more of the following types of methods: something the user is, something the user has, something the user does, or something the user knows

Question 44

What are the basic guidelines for making strong passwords?

Answer 44

Difficult to guess
Long rather than short
Uppercase letters, lowercase letters, numbers, and special characters, do not use recognizable words
do not use the name of anything or anyone familiar
do not use a recognizable string of numbers

Question 45

What is authorization?

Answer 45

It determines which actions, rights, or privileges the person has, based on his or her verified identity

Question 46

What is a privilege?

Answer 46

It is the computer operations that a user is allowed to perform

Question 47

What is least privileg?

Answer 47

Users are granted the privilege for activities only if they need it for their job

Question 48

What are the advantaged of VPNs?

Answer 48

Allow remote users to access the company network
Provide flexibility to access the network remotely
Organizations can impose their security policies through VPNs

Question 49

What is input?

Answer 49

Edits that check for reasonable data ranges

Question 50

What is processing?

Answer 50

Automatically checks that each line of an invoice adds to the total

Question 51

What is output?

Answer 51

Supervisor reviews payroll journal ofr unisual amounts

Question 52

What is the purpose of Business Continuity Planning?

Answer 52

Provide continuous availability

Question 53

What are the strategies that organizations commonly use in the event of a major disaster?

Answer 53

Hot sites
Warm sites
Cold sites
Off-site data storage

Question 54

What are the types and examples of auditors?

Answer 54

External: public accounting firm
Government: Canada Revenue Agency
Internal: work for specific organizations
Specialist: IT auditors