Cybercrime and CyberSecurity Ch14,15,19 Flashcards

1
Q

What are the challenges of managing cybersecurity?

A

Determining the assets most at risk

Determining the threats and likelihood of a successful attack

Determining the technology solutions for cybersecurity

2
Q

What questions should you ask when you are planning for security?

A

What needs to be secured?

Who is responsible for it?

What are the technical requirements that should be in place?

How are the people supported?

What do we do if something goes wrong? How do we respond?

3
Q

Chief Information Security Officer

A

executive who is responsible for information security in a company

4
Q

What are security controls that should be in place?

A

IAM: Identity and access management

  • password policies
  • credentialing

Network and host defenses:

  • Firewalls
  • IDS
  • IPS
  • anti-virus

VPN and BYOD

Vulnerability patching

User awareness and education

5
Q

What are some security policies that should be in place?

A

High level articulation of security objectives and goals

  • legal, business, and regulatory rationale
  • do’s and don’ts for users: password strengths and lengths, web and email policies, response to security threats
  • Address prevention, detection, response and remediation as it impacts users

Ensure that no state and federal laws are violated

6
Q

How do we quantify cybersecurity risk?

A

Risk exposure = Prob(Adverse security event) * Impact of adverse event

Risk leverage = (Risk exposure without a certain control - Risk exposure with that control) / Cost of the control

7
Q

What goes into assessing / reducing cyber risk?

A

Expected losses from cyber event

Deciding what to accept or transfer (to insurance)

Reduction via preventative measures

8
Q

What is a reactive security posture?

A

Security measures that react to:

  • regulation and compliance
  • customer demands
  • In response to breach
  • In response to events
9
Q

What is a proactive security posture?

A

Security measures that consist of the following:

  • someone employed to handle cybersecurity
  • Board-level conversations about cybersecurity

10
Q

What are the arguments for better cybersecurity?

A

  • reducing costs in the long term
  • better reputation

11
Q

What is cybercrime defined as?

A

Computer crime, or cybercrime, is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity.

12
Q

What are the categorizations of cybercrime?

A

Computers as targets, e.g. attacks on data, system, or privacy integrity

Computers as storage devices, e.g. stolen password lists

Computers as communication tools, e.g. illegal sales online

13
Q

What are three types of intellectual property?

A

Real property - land and things attached to land

Personal property - tangible goods

Intellectual property - any intangible asset

14
Q

Name 3 types of Intellectual Property

A

Patents

Trademarks

Copyrights

15
Q

Name the reproduction rights a copyright owner has:

A

Reproduction right: Lets the owner make copies of a work

Modification right: Also known as the derivative-works right; concerns modifying a work to create a new or derivative work

Distribution right: Lets the owner publicly sell, rent, lease, or lend copies of the work

Public-performance right: Applies mainly to live performances

Public-display right: Lets the owner publicly show a copy of the work directly or by means of a film, slide, or television image

16
Q

What are the three types of patents?

A

Utility patents: May be granted to anyone who invents or discovers any new and useful process, machine, article of manufacture, or composition of matter, or any new and useful improvement thereof.

Design patents: May be granted to anyone who invents a new, original, and ornamental design for an article of manufacture.

Plant patents: May be granted to anyone who invents or discovers and asexually reproduces any distinct and new variety of plant.

17
Q

What is exempted from the provisions of the DMCA and other copyright laws?

A

Fair use: This concept is not tightly defined. It is intended to permit others to perform, show, quote, copy, and otherwise distribute portions of the work for certain purposes. These purposes include review, comment, and discussion of copyrighted works.

Reverse engineering: Reverse engineering of a software product is allowed if the user has the right to use a copy of the program and if the purpose of the reverse engineering is not to duplicate the functionality of the program but rather to achieve interoperability.

Encryption research: “Good faith” encryption research is allowed. In essence, this exemption allows decryption attempts to advance the development of encryption technology.

Security testing: This is the access of a computer or network for the good faith testing, investigating, or correcting a security flaw or vulnerability, with the authorization of the owner or operator.

Personal privacy: It is generally permitted to bypass technological measures if that is the only reasonable way to prevent the access to result in the revealing or recording of personally identifying information.

18
Q

What objectives does the Digital Rights Management (DRM) model meet?

A

DRM systems should meet the following objectives:

Provide persistent content protection against unauthorized access to the digital content, limiting access to only those with the proper authorization.

Support a variety of digital content types (e.g., music files, video streams, digital books, and images).

Support content use on a variety of platforms (e.g., PCs, tablets, iPods, and mobile phones).

Support content distribution on a variety of media, including CD-ROMs, DVDs, and portable USB storage devices.

19
Q

What are some common requirements for privacy based on the Common Criteria specifications?

A

Anonymity: Ensures that a user may use a resource or service without disclosing the user’s identity. Specifically, this means that other users or subjects are unable to determine the identity of a user bound to a subject (e.g., process or user group) or operation. It further means that the system will not solicit the real name of a user. Anonymity need not conflict with authorization and access control functions, which are bound to computer-based user IDs, not to personal user information.

Pseudonymity: Ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use. The system shall provide an alias to prevent other users from determining a user’s identity, but the system shall be able to determine the user’s identity from an assigned alias.

Unlinkability: Ensures that a user may make multiple uses of resources or services without others being able to link these uses together.

Unobservability: Ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used. Unobservability requires users and/or subjects cannot determine whether an operation is being performed. Allocation of information impacting unobservability requires the security function provide specific mechanisms to avoid the concentration of privacy related information within the system. Unobservability without soliciting information requires the security function does not try to obtain privacy-related information that might be used to compromise unobservability. Authorized user observability requires the security function to provide one or more authorized users with a capability to observe the usage of resources and/or services.

20
Q

Guidelines are used to manage the use and reuse of big data. What areas do the guidelines address?

A

Consent: Ensuring participants can make informed decisions about their participation in the research.

Privacy and confidentiality: Privacy is the control that individuals have over who can access their personal information. Confidentiality is the principle that only authorized persons should have access to information.

Ownership and authorship: Addresses who has responsibility for the data, and at what point does an individual give up their right to control their personal data.

Data sharing—assessing the social benefits of research: The social benefits that result from data matching and reuse of data from one source or research project in another.

Governance and custodianship: Oversight and implementation of the management, organization, access, and preservation of digital data.

21
Q

Explain the ethical hierarchy:

A

At the top of the hierarchy are the ethical values professionals share with all human beings, such as integrity, fairness, and justice. Being a professional with special training imposes additional ethical obligations with respect to those affected by his or her work. General principles applicable to all professionals arise at this level. Finally, each profession has associated with it specific ethical values and obligations related to the specific knowledge of those in the profession and the powers that they have to affect others. Most professions embody all of these levels in a professional code of conduct, a subject discussed subsequently.

22
Q

In which ways could computers pose as challenges to ethics?

A

Repositories and processors of information: Unauthorized use of otherwise unused computer services or of information stored in computers raises questions of appropriateness or fairness.

Producers of new forms and types of assets: For example, computer programs are entirely new types of assets, possibly not subject to the same concepts of ownership as other assets.

Instruments of acts: To what degree must computer services and users of computers, data, and programs be responsible for the integrity and appropriateness of computer output?

Symbols of intimidation and deception: The images of computers as thinking machines, absolute truth producers, infallible, subject to blame, and as anthropomorphic replacements of humans who err should be carefully considered.

23
Q

Name some general moral imperatives

A
  1. Contribute to society and human well-being.
  2. Avoid harm to others.
  3. Be honest and trustworthy.
  4. Be fair and take action not to discriminate.
  5. Honor property rights including copyrights and patents.
  6. Give proper credit for intellectual property.
  7. Respect the privacy of others.
  8. Honor confidentiality.
24
Q

What are topics that should be addressed with organizational security policy?

A

The scope and purpose of the policy

The relationship of the security objectives to the organization’s legal and regulatory obligations, and its business objectives

IT security requirements in terms of confidentiality, integrity, availability, accountability, authenticity, and reliability, particularly with regard to the views of the asset owners

The assignment of responsibilities relating to the management of IT security and the organizational infrastructure

The risk management approach adopted by the organization

How security awareness and training is to be handled

General personnel issues, especially for those in positions of trust

Any legal sanctions that may be imposed on staff, and the conditions under which such penalties apply

Integration of security into systems development and procurement

Definition of the information classification scheme used across the organization

Contingency and business continuity planning

Incident detection and handling processes

How and when this policy should be reviewed

The method for controlling changes to this policy

25
Q

What are the approaches to security risk assessment?

A

Baseline approach - implement a basic general level of security controls on systems using baseline documents, codes of practice, and industry best practice.

Informal approach - conduct some form of informal, pragmatic risk analysis for the organization's IT systems. This analysis does not involve the use of a formal, structured process, but rather exploits the knowledge and expertise of the individuals performing this analysis.

Detailed risk analysis - conduct a detailed risk assessment of the organization's IT systems, using a formal structured process.

Combined approach - provide reasonable levels of protection as quickly as possible, then examine and adjust the protection controls deployed on key systems over time.

26
Q

What is the risk index formula?

A

Risk Index = Max Info Sensitivity - Min User Clearance

27
Q

What are the steps of detailed risk analysis?

A

Prepare for assessment

Identify threats and sources of threats

Identify vulnerabilities

Determine the likelihood of occurrence

Determine magnitude of impact

Determine risk

28
Q

What are the most vulnerable industries?

A

Government
Finance
Health Care
Transportation

29
Q

What is the risk formula?

A

Risk = Probability that threat occurs × Cost to organization

30
Q

What are the levels of risk likelihood?

Levels of Risk consequences?

A

Likelihood levels:
  • Rare
  • Unlikely
  • Possible
  • Likely
  • Almost Certain

Consequence levels:
  • Insignificant
  • Minor
  • Moderate
  • Major
  • Catastrophic
  • Doomsday
31
Q

What are the possible judgements about risk treatments?

A

Risk acceptance - choosing to accept risk for business reasons

Risk avoidance - not proceeding with the activity or system that creates the risk

Risk Transfer - sharing responsibility with a third party

Reduce consequences - By modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur

Reduce likelihood - By implementing suitable controls to lower the chance of the vulnerability being exploited.

32
Q

What is a security control?

What are the types of controls?

A

An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action

aka safeguard, countermeasure, procedure

Types:
Management
Operational
Technical

33
Q

What type of controls are included in the types of security controls?

A

Supportive controls: Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.

Preventative controls: Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability.

Detection and recovery controls: Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources.

34
Q

Give examples for each type of control family:

A

Management - planning, program management, risk management, security assessment, system and services acquisition

Operational - personnel security, physical protection, incident response, contingency planning, configuration management, etc.

Technical - access control, audit, identification/authentication, system and communication protection