Security Part 2

Question 1

What is computer security?

Answer 1

the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, interruption or physical damage to information systems

Question 2

What are the 6 security services?

Answer 2

authentication
access control
data confidentiality
data integrity
availability
non-repudiation

Question 3

Define authetication

Answer 3

assurance that the other party is the one

claimed (i.e. not an imposter)

Question 4

Define access control

Answer 4

prevention of the unauthorized use of a

resource

Question 5

Define data confidentiality

Answer 5

protection of data from unauthorized

disclosure

Question 6

Define data integrity

Answer 6

assurance that data received is exactly what authorized entity sent (i.e. it has not been tampered with).

Question 7

Define availability

Answer 7

assurance that services are available when needed

Question 8

Define non-repudiation and two types

Answer 8

protection against denial by one of the
parties in a communication

1) the sender denies sending the data
2) the receiver denies receiving the data

Question 9

How to password crackers work? (3)

Answer 9

-try common passwords
-words with a suffix + variations
to target a specific person gather info about them

Question 10

What are the 3 authentication approaches to control access?

Answer 10

1. something you know (password)
2. something you have (card, token)
3. something you are (biometrics)

Question 11

Best method for passwords (2)

Answer 11

Use a password manager or convert a phrase meaningful to you

Question 12

What are 4 ways to secure your system? (bare minimum)

Answer 12

• software/hardware firewalls
• look for unusual activities
• antivirus software -> look for bit patterns in programs called a signature

Question 13

What are 2 best practices for securing your system?

Answer 13

isolate and encrypt sensitive data

minimize your attack surface

Question 14

how can you effectively isolate and encrypt sensitive data?

Answer 14

AES-256 encrypted documents are safe

have a separate user account for banking and financial activities

Question 15

how can you minimize your attack surface?

Answer 15

configure the firewall in your OS and your modem/router

disconnect from internet when not in use

Question 16

Explain the business value of security and control

Answer 16

Inadequate security and control can result in lost of business and may create serious legal liabilities.

Failure to do so can lead to costly litigation for data exposure or theft.

Question 17

What are the legal and regulatory requirements for security/control?

Answer 17

companies must be able to respond to legal requests for electronic documents relevant to a civil case (a discovery request)

Internal controls must be put in place to govern the accuracy of information in financial statements

Question 18

What is the bottom line for the security and control network?

Answer 18

Many companies assume that a disaster too improbable and so security and control is not worth the investment in time and
money

Question 19

What is the greatest cause of computer security breaches?

Answer 19

Lack of knowledge or lack of motivation

Question 20

What are the 6 tools for the security and control framework?

Answer 20

Risk assessment
security policy
acceptable use policy
disaster recovery planning 
business continuity planning
security auditing

Question 21

Explain a risk assessment

Answer 21

To do a risk assessment is to determine the level of risk to the firm for various classes of risks

Question 22

explain security policy (3)

Answer 22

A security policy identifies:

• main security risks (e.g. power failures)
• acceptable security goals (downtime ≤ 3 minutes per year)
• mechanisms to achieve these goals (uninterruptible power supplies + diesel generator backup)

Question 23

Explain acceptable use policy

Answer 23

Acceptable Use Policy (AUP) states the acceptable uses and
users of information and computers

For example:
-privacy, user responsibility, personal use of devices, access rules for different employees

• technical measures used to enforce the policies

Question 24

Explain disaster recovery planning

Answer 24

Getting the IT systems (computing and communication) up and running after a disruption

Example: back-up files and maintain back-up systems

Question 25

Explain business continuity planning

Answer 25

Getting the business up and running after a disaster

Question 26

What are the 3 steps in business continuity planning?

Answer 26

• Identify and document critical business processes
- not relying on people who may be unavailable.

• Create action plans for these processes.
• Line up offsite resources, e.g. the cloud.

Question 27

Explain security auditing

Answer 27

A security audit investigates if the current security and control framework is adequate

Question 28

Explain how to perform a security audit

Answer 28

Create a comprehensive assessment of a company’s computer security policies, procedures, technical measures, personnel, training, documentation

May even simulate an attack.