7 Securing Information Systems

Question 1

What are the different parts of the security triangle?

Answer 1

1. Availability
2. Integrity
3. Confidentiality

Question 2

What are some reasons why systems are vulnerable?

Answer 2

• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
• Software problems (programming errors, installation errors, unauthorised changes)
• Disasters
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices

Question 3

Why is the internet vulnerable?

Answer 3

• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers
• Unencrypted VOIP
  
  • Email, IM
  • Interception
  • Attachments with malicious software
  • Transmitting trade secrets

Question 4

What are some security threats?

Answer 4

• Malware (malicious software).
• Viruses.
• Worms.
• Mobile Device Malware
• Social Network Malware.

Question 5

Who can be an internal threat?

Answer 5

Employees

Question 6

Why can employees be an internal threat?

Answer 6

• Security threats often originate inside an organisation
• Inside knowledge
• Sloppy security procedures
• User lack of knowledge
• Social engineering
• Both end users and information systems specialists are sources of risk

Question 7

Why can software be vulnerable?

Answer 7

• Commercial software contains flaws that create security vulnerabilities
• Patches

Question 8

What are some other security threats?

Answer 8

• Trojan Horse
• Ransomware
• Spyware
• Identity Theft
• Click Fraud
• Cyberterrorism
• Cyberwarfare
• Spoofing
• Denial-of-service attack
• Rogue Security Software
• Phishing Scams

Question 9

What are some flaws in commercial software?

Answer 9

• Bugs (programme code defects)
  
  • Zero defects cannot be achieved
  • Flaws can open networks to intruders

Question 10

What are patches?

Answer 10

• Small pieces of software to repair flaws

* Patch management

Question 11

What is the Business Value of Security and Control?

Answer 11

• Failed computer systems can lead to significant or total loss of business function.
• Firms now are more vulnerable than ever.
• A security breach may cut into a firm’s market value almost immediately.
• Inadequate security and controls also bring forth issues of liability.

Question 12

Why are firms now more vulnerable than ever?

Answer 12

Because of..
• Confidential personal and financial data.
• Trade secrets, new products, strategies.

Question 13

What are some Legal and Regulatory Requirements for Electronic Records Management?

Answer 13

• HIPAA
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act
• GDPR (General Data Protection Regulation)

Question 14

What is HIPAA?

Answer 14

Medical security, privacy rules and procedures.

Question 15

What is the Gramm-Leach-Bliley Act?

Answer 15

Requires financial institutions to ensure the security and confidentiality of customer data.

Question 16

What is the Sarbanes-Oxley Act?

Answer 16

Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally.

Question 17

What is Electronic Evidence?

Answer 17

• Evidence for white collar crimes often in digital form.

* Proper control of data can save time and money when responding to legal discovery request.

Question 18

What is Computer Forensics?

Answer 18

• Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law.
• Recovery of ambient data.

Question 19

What are some Information Systems Controls

Answer 19

1. Physical Controls.
2. Administrative Controls.
3. Technical Controls.

Question 20

What are Physical Controls?

Answer 20

• Who can access the building, data centre

* Fences around buildings, lock

Question 21

What are Administrative Controls?

Answer 21

Concerned with humans.
• Backup checks
• Policies
• Security awareness training

Question 22

What are Technical Controls?

Answer 22

Implementing the security policies.
• An access control list at a gateway or firewall
• Access controls inside a database

Question 23

What is Risk Assessment?

Answer 23

• Determines level of risk to firm if specific activity or process is not properly controlled
  
  • Types of threat
  • Probability of occurrence during year
  • Potential losses, value of threat
  • Expected annual loss

Question 24

What is disaster recovery planning?

Answer 24

Devises plans for restoration of disrupted services.

Question 25

What is Business continuity planning?

Answer 25

Focuses on restoring business operations after disaster.

Question 26

Why is Disaster Recovery Planning and Business Continuity Planning needed?

Answer 26

- Needed to identify firm’s most critical systems • Business impact analysis to determine impact of an outage • Management must determine which systems restored first

Question 27

What is information systems audit?

Answer 27

Examines firm’s overall security environment as well as controls governing individual information systems.

Question 28

What are security audits?

Answer 28

* Review technologies, procedures, documentation, training, and personnel * May even simulate disaster to test responses

Question 29

What is the role of auditing?

Answer 29

* List and rank control weaknesses and the probability of occurrence. * Assess financial and organisational impact of each threat. * To conduct information systems audit and security audits.

Question 30

What is authentication?

Answer 30

The ability to know that a person is who he or she claims to be.

Question 31

What does identity management software do?

Answer 31

* Automates keeping track of all users and privileges. | * Authenticates users, protecting identities, controlling access.

Question 32

What are some forms of authentication?

Answer 32

* Password systems * Tokens * Smart cards * Biometric authentication * Two-factor authentication

Question 33

What is a firewall?

Answer 33

A combination of hardware and software that controls the flow of incoming and outgoing network traffic and are used to prevent unauthorised users from accessing private networks.

Question 34

What are the two methods for encryption on networks?

Answer 34

* Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS) * Secure Hypertext Transfer Protocol (S-HTTP)

Question 35

What are the two methods of encryption of messages?

Answer 35

- Symmetric key encryption. | - Public key encryption.

Question 36

What is symmetric key encryption?

Answer 36

Sender and receiver use single, shared key.

Question 37

What is public key encryption?

Answer 37

* Uses two, mathematically related keys: public key and private key. * Sender encrypts message with recipient’s public key. * Recipient decrypts with private key.

Question 38

What are software metrics and some examples?

Answer 38

``` Objective assessments of system in form of quantified measurements. • Number of transactions • Online response time • Payroll checks printed per hour • Known bugs per hundred lines of code ```

Question 39

How do we ensure software quality?

Answer 39

- Software metrics - Early and regular testing - Walkthrough - Debugging

Question 40

How can you protect yourself?

Answer 40

- Change your password every now and then. - Use words not found in the dictionary. - Use a combination of words, numbers and special symbols. - Use two-step authentication. - Nobody will ever ask you for your password.

Question 41

What is confidentiality (as a concept in network security)?

Answer 41

Only authorised individuals/systems can view sensitive or classified info.

Question 42

What is integrity (as a concept in network security)?

Answer 42

Only authorised individuals/systems are allowed to modify the data.

Question 43

What is availability (as a concept in network security).

Answer 43

Able to serve info when it is needed to authorised individuals/systems.

Question 44

What are Controls?

Answer 44

All of the methods, policies, and organisational procedures that ensure the safety of the organisation's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards

Question 45

What is a DDoS attack?

Answer 45

Using numerous computers to inundate and overwhelm the network from numerous launch points.