CIS 2200 INFORMATION SECURITY |B6 QUESTIONS AND ANSWERS|GUARANTEED SUCCESS
Information security lines of defense: the first line of defense is people; the second line of defense is technology.

The top 20 percent of a company's customers usually produce 80 percent of its revenues.

Insiders are legitimate users who purposely or accidentally misuse their access to the environment and cause a business-affecting incident. Example: many individuals freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open for hackers.

Social engineering: hackers use their social skills to trick people into revealing access credentials or other valuable information.

Dumpster diving, or looking through people's trash, is another way hackers obtain information.

Pretexting is a form of social engineering in which one individual lies to obtain confidential data about another individual.

Information security policies identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days. Examples: Acceptable Encryption Policy, Clean Desk Policy, Disaster Recovery Plan Policy, Digital Signature Acceptance Policy, Password Protection Policy, Password Construction Guidelines, Security Response Plan Policy.

An information security plan details how an organization will implement its information security policies. The best way a company can safeguard itself from people-based threats is by implementing and communicating its information security plan.
A few details managers should consider surrounding people and information security policies include defining the best practices for:
- Applications allowed to be placed on the corporate network, especially file sharing applications, IM software, and entertainment or freeware created by unknown sources
- Corporate computer equipment used for personal reasons on personal networks
- Password creation and maintenance, including minimum password length, characters to be included, and frequency of password changes
- Personal computer equipment allowed to connect to the corporate network
- Virus protection, including how often the system should be scanned and how frequently the software should be updated

Acceptable Encryption Policy: on-premises network servers must be encrypted and kept behind locked doors at a minimum. Limit employee access to servers.

Clean Desk Policy: all employees should be required to adhere to a clean desk, clear screen policy. When they leave their work computer, they should sign off to prevent an unauthorized user from accessing it. A password-protected screensaver that activates after 10 minutes covers the case where an employee forgets to sign out. In addition, ensure that employees do not leave sensitive printed information on their desks unattended.

Password Construction Guidelines: require all employees to use password authentication to access their computers, the corporate network, and email.

Password Protection Policy: set computer passwords to expire every 90 days.

Other practices the plan should specify:
- All networked computers must be accessed via a firewall.
- Keep filing cabinets locked at all times, and if feasible keep them behind locked doors. Keep keys locked in a single location with limited access.

Client confidential information is defined as proprietary and confidential information received from customers.
An example of this type of information is customer bank account information. This information type is restricted to management-approved internal access only.

Destructive agents are malicious agents designed by spammers and other Internet attackers to farm email addresses off websites or deposit spyware on machines.

Identity theft is the forging of someone's identity for the purpose of fraud. The fraud is often financial, because thieves apply for and use credit cards or loans in the victim's name. Two means of stealing an identity are phishing and pharming.

Information secrecy is the category of computer security that addresses the protection of data from unauthorized disclosure and the confirmation of data source authenticity.

Three areas of information security:
- People: authentication and authorization
- Data: prevention and resistance
- Attacks: detection and response

Phishing is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent emails that look as though they came from legitimate businesses. The messages appear genuine, with official-looking formats and logos, and typically ask for verification of important information such as passwords and account numbers, ostensibly for accounting or auditing purposes. Up to one in five recipients responds and becomes a victim of identity theft.

A phishing expedition is a masquerading attack that combines spam with spoofing. The perpetrator sends millions of spam emails that appear to be from a respectable company. The email contains a link to a website designed to look exactly like the company's website, where the victim is encouraged to enter a username, password, and sometimes credit card information.

Spear phishing is a phishing expedition in which the emails are carefully designed to target a particular person or organization.
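The phishing indicators just described (a message dressed up as a legitimate business, a link to a site impersonating that business) can be turned into a mechanical triage check. The following is an added example, not code from the original notes or from any product: a Python script that scans a constructed sample email for a sender domain that merely embeds a protected brand, links whose visible text names a different host than their href, links to raw IP addresses, and lookalike domains one edit (or a digit-for-letter swap) away from a protected domain. The protected domain example-bank.com, the sample message, the regular expressions and the heuristics are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"example-bank.com"}  # assumed: the brand domains we protect

# Constructed sample message; no real sender, host or address is involved.
SAMPLE_EMAIL = """From: "Example Bank Security" <security@example-bank.com.verify-login.net>
Subject: Urgent: verify your account within 24 hours

<p>Please visit <a href="http://examp1e-bank.com/login">example-bank.com/login</a>
to confirm your password and account number for auditing purposes.</p>
<p>Or use <a href="http://203.0.113.5/secure">our secure site</a>.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
FROM_RE = re.compile(r"^From:.*?<([^>]+)>", re.M)
# Link text that itself looks like a host or URL, e.g. "example-bank.com/login"
TEXT_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .com/.net style hosts."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, legit=LEGIT_DOMAINS):
    """True when host is not a protected domain but is one edit away from one,
    or differs only by digit-for-letter substitution (1 for l, 0 for o)."""
    cand = registrable_domain(host)
    if cand in legit:
        return False
    normalised = cand.replace("1", "l").replace("0", "o")
    return any(normalised == good or edit_distance(cand, good) == 1 for good in legit)


def triage_email(raw, legit=LEGIT_DOMAINS):
    """Return a list of human-readable phishing indicators found in raw."""
    findings = []
    m = FROM_RE.search(raw)
    if m:
        sender_host = m.group(1).rsplit("@", 1)[-1]
        # "example-bank.com.verify-login.net" contains the brand but is not it
        if registrable_domain(sender_host) not in legit and any(
            g in sender_host.lower() for g in legit
        ):
            findings.append(f"sender domain {sender_host} embeds a protected brand but is not that domain")
    for href, text in ANCHOR_RE.findall(raw):
        host = (urlparse(href).hostname or "").lower()
        if IPV4_RE.fullmatch(host):
            findings.append(f"link points at a raw IP address: {host}")
        elif is_lookalike(host, legit):
            findings.append(f"link host {host} is a lookalike of a protected domain")
        tm = TEXT_HOST_RE.match(text.strip())
        if tm and registrable_domain(tm.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {tm.group(1)} but the link goes to {host}")
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message, the script reports four indicators: the brand-in-subdomain sender, the lookalike host examp1e-bank.com, the link whose text and target disagree, and the raw-IP link. A clean message from the real domain produces no findings, which is the check that keeps such heuristics from flagging every mail.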
Vishing (voice phishing) is a phone scam that attempts to defraud people by asking them to call a bogus telephone number to "confirm" their account information.

Pharming reroutes requests for legitimate websites to false websites. For example, if you were to type in the URL of your bank, pharming could redirect you to a fake site that collects your information.

A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers. Zombie attacks are almost impossible to trace back to the attacker, because the attack traffic comes from the compromised machine rather than from the attacker's own.

A zombie farm is a group of computers on which a hacker has planted zombie programs.

A pharming attack uses a zombie farm, often run by an organized crime association, to launch a massive phishing attack.

Authentication and authorization technologies help prevent identity theft, phishing, and pharming scams: a stolen or phished password is far less useful when it is not sufficient on its own to log in.

Authorization is the process of providing a user with permissions, including access levels and abilities such as file access, hours of access, and amount of allocated storage space.

Authentication is a method for confirming users' identities. Once a system has authenticated a user, it can then determine the access privileges for that user.

Authentication and authorization techniques fall into three categories; the most secure procedures combine all three:
1. Something the user knows, such as a user ID and password
2. Something the user has, such as a smart card or token
3. Something that is part of the user, such as a fingerprint or voice signature

A password is a string of alphanumeric characters used to authenticate a user and provide access to a system. The first type of authentication, something the user knows, is the most common way to identify individual users and typically consists of a unique user ID and password. However, it is also one of the least effective ways of authenticating, because passwords on their own are not secure: they can be guessed, phished, or coaxed out of people, and cracking a stolen password hash typically takes only enough time.
More than 50 percent of help desk calls are password-related, which can cost an organization significant money, and a social engineer can coax a password from almost anybody.
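The three authentication categories and the authorization step that follows them, as an added example that is not code from the original notes: a Python module that stores a password as a salted PBKDF2 hash (something the user knows), shows what "enough time" means by recovering a weak password with an offline dictionary attack against that hash, verifies a TOTP code (something the user has, RFC 6238), and only then maps the authenticated user to a role and checks what that role is allowed to do. It also covers the Password Construction Guidelines point above with a minimum-length and character-class check. Only the standard library is used. The users table, the weak sample password, the wordlist, the fixed salt, the policy thresholds and the role-to-permission map are constructed for this example; the TOTP seed is the RFC 6238 test-vector key, which is why the expected codes are known in advance.

```python
import hashlib
import hmac
import os
import re
import struct
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


# --- Factor 1: something the user knows ------------------------------------
def password_meets_policy(pw, min_len=12):
    """Assumed construction guideline: at least min_len characters and three
    of the four classes upper, lower, digit, symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3


def hash_password(pw, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256. A per-user random salt defeats precomputed
    tables; the round count makes every guess cost the attacker real time."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def verify_password(pw, salt, digest, rounds=PBKDF2_ROUNDS):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def dictionary_attack(salt, digest, wordlist, rounds=PBKDF2_ROUNDS):
    """What 'enough time' means: an attacker holding the stolen salt and
    digest tries guesses offline. Returns the recovered password or None."""
    for guess in wordlist:
        if verify_password(guess, salt, digest, rounds):
            return guess
    return None


# --- Factor 2: something the user has (TOTP, RFC 6238, HMAC-SHA1, 30 s steps)
def totp(secret, for_time, step=30, digits=6):
    counter = int(for_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, for_time, window=1, step=30):
    """Accept the current step and one step either side to absorb clock skew."""
    return any(hmac.compare_digest(totp(secret, for_time + k * step, step), code)
               for k in range(-window, window + 1))


# --- Authorization: what an authenticated identity may do -------------------
PERMISSIONS = {"analyst": {"read_logs"}, "admin": {"read_logs", "reset_password"}}  # assumed


def authorize(role, action):
    return action in PERMISSIONS.get(role, set())


def login(users, username, password, otp_code, now=None):
    """Two-factor authentication returning the user's role on success or None
    on any failure, without revealing which factor failed."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None:
        return None
    if not verify_password(password, user["salt"], user["digest"]):
        return None
    if not verify_totp(user["totp_secret"], otp_code, now):
        return None
    return user["role"]


# Constructed sample data: a weak password that also appears in the wordlist,
# a fixed salt so the digest is reproducible, and the RFC 6238 test-vector seed.
TOTP_SEED = b"12345678901234567890"
SALT, DIGEST = hash_password("Summer2023!", salt=b"\x00" * 16)
USERS = {"alice": {"salt": SALT, "digest": DIGEST, "totp_secret": TOTP_SEED, "role": "analyst"}}
WORDLIST = ["letmein", "P@ssw0rd", "Summer2023!", "Welcome1"]

if __name__ == "__main__":
    print("policy ok for 'Summer2023!':", password_meets_policy("Summer2023!"))
    print("recovered by dictionary attack:", dictionary_attack(SALT, DIGEST, WORDLIST))
    code = totp(TOTP_SEED, 59)
    print("login with password + TOTP ->", login(USERS, "alice", "Summer2023!", code, now=59))
    print("login with password only   ->", login(USERS, "alice", "Summer2023!", "000000", now=59))
    print("analyst may reset_password?", authorize("analyst", "reset_password"))
```

The point of the dictionary attack is that the hash is recovered even though it is salted and stretched: stretching buys time, it does not make a guessable password safe. The login function then shows why the notes recommend combining factors: with the same stolen password, the attempt without a valid TOTP code fails, and even a successful login only yields a role whose permissions are checked separately.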
Written for: Baruch College, CIS 2200.
Document information: uploaded on October 25, 2023; 11 pages; written in 2023/2024; type: Exam (elaborations); contains questions & answers.
Subjects: cis 2200 information security