Information Assurance and Security 3

Hackers are individuals that use legal means to obtain trade secrets from competitors of their sponsor. It can involve the theft of new product designs, production data, marketing information, or new software source code.

• True
• False

is a program in which malicious code is hidden inside a seemingly harmless program

• Trojan horse

Assure that the information has not been tempered

• Integrity

DES exhibits strong __.

• AVALANCHE

Hash functions

• no key

the access to the whole or any part of a computer system without right.

• Illegal Access

algorithm for transforming plaintext to ciphertext

• cipher

__ a way to classify and refer to threats (and attacks) by names/categories

• TAXONOMY

Assure that authenticated party has indeed done something and it can not deny it

• Non-Repudiation

the coded message

• ciphertext

Data security is concerned with vulnerabilities pertaining to unauthorized access to data.

• True
• False

_____________ look like an extremely large substitution

• Rail Fence Cipher
• Block Cipher Principles
• Substitution-Permutation Ciphers

Outline of what the organization considers to be the appropriate / inappropriate use of company resources.

• Service Level Agreement (SLA)
• Acceptable Use Policy (AUP)

Cyber criminals are motivated by the potential for monetary gain and hack into corporate computers to steal, often by transferring money from one account to another to another

• True
• False

Hackers penetrate a computer system for a number of reasons and uses a variety of techniques. Using the skills they have, they download attack scripts and protocols from the Internet and launch them against victim sites

• True
• False

Private/secret/single key cryptography uses two keys – a public & a private key

• True
• False

RSA stand for

• Rivest, Shamir, Adelman
• Rivest, Shamir, Adleman
• Rivest, Shamira, Adleman

Information security includes the integrity, confidentiality, and availability of information at the servers, including information in files and databases and in transition between servers and between clients and servers. The security of information can be ensured in a number of ways.

• True
• False

RA 10175 punishes content-related offenses such as cybersex, child pornography and libel which may be committed through a computer system. It also penalizes unsolicited commercial communication or content that advertises or sells products or services.

• True
• False

Denial of service attacks, commonly known as distributed denial of service (DDoS) attacks, are a new form of computer attacks. They are directed at computers connected to the Internet. They are not penetration attacks, and therefore, they do not change, alter, destroy, or modify system resources. However, they affect the system by diminishing the system’s ability to function; hence, they are capable of bringing a system down without destroying its resources.

• True
• False

Passwords – it is a string of usually six or more to verify a user to an information system facility, usually digital system. Therefore, system security is the responsibility of every individual user of the system.

• True
• False

DES stands for

• DATA ENCRYPTION STANDARD

confidentiality is to prevent unauthorized disclosure of information to third parties. This is important in a number of areas including the disclosure of personal information such as medical, financial, academic, and criminal records.

• True
• False

Authentication is a process whereby the system gathers and builds up information about the user to assure that the user is genuine. In computer systems, authentication protocols based on cryptography use either secret-key or public-key schemes to create an encrypted message digest that is appended to a document as a digital signature.

• True
• False

Companies are exposed to a wide range of fraud risks, including diversion of company funds, theft of assets, fraud connected with bidding processes, invoice and payment fraud, computer fraud, and credit card fraud. Often, frauds involve some form of collusion, or cooperation, between an employee and an outsider

• True
• False

Flaws in system and/or networks that could be exploited to violate the security policy of system or network

• Intrusion Detection (ID)
• Intrusion
• Vulnerability

The step in an attack which exploit service

• Ping Sweeps (ping/whois)
• Port Scans (nmap)
• Bypass firewall
• Bypass IDS & IPS: Avoid detection / logs

study of encryption principles/methods

• cryptography

The digital signature is similar to a handwritten signature in printed documents. Just like handwritten signatures, digital signatures ensure that the person whose signature the system is authenticating is indeed the true person, but digital signatures provide a greater degree of security than handwritten signatures.

• True
• False

Prevent information from being exposed to unintended party

• Confidentiality

Firewalls - it is hardware or software used to isolate the sensitive portions of an information system facility from the outside world and limit the potential damage that can be done by a malicious intruder.

• True
• False

is a piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner.

• Viruses

What is Malware?

• Malicious Software
• Includes “Viruses” & “Worms”
• All of the above
• Protect using Anit-virus software & System Patching

Ensure computer systems are secure

• Information Assurance (IA) & Security
• Computer Security (COMPUSEC)
• Network Security

Private-Key Cryptography

• symmetric

The Operational Model of Computer Security

• Prevention = Detection + Protection + Response
• Protection = Detection + Response + Prevention
• Protection = Prevention + Detection + Response
• Prevention = Detection + Response + Protection =

is a harmful program that resides in the active memory of the computer and duplicates itself.

• Worm

MD5 stand for

• MESSAGE DIGEST VERSION 5

converting plaintext to ciphertext

• encipher (encrypt)

Often referred to as the secret-key encryption, it uses a common key and the same cryptographic algorithm to scramble and unscramble the message. One problem with symmetric encryption is the security of the keys which must be passed from the sender to the receiver.

• Symmetric encryption
• Asymmetric encryption

Insiders are a major source of computer crimes because they do not need a great deal of knowledge about the victim computer system. Insiders are not necessarily employees; they can also be consultants and contractors.

• True
• False

In the Philippines it is known as Republic Act No. 10175 or the Cybercrime Prevention Act of 2012. It was signed into law by President Aquino on Sept. 12, 2012. Its original goal was to penalize acts like cybersex, child pornography, identity theft and unsolicited electronic communication in the country.

• True
• False

Electronic terrorism by individuals or groups are targeting enterprise systems, institutions and governments. But cyber terrorism is not only about obtaining information; it is also about instilling fear and doubt and compromising the integrity of the data, which leads to extortion.

• True
• False

Control what a subject can perform or what objects the subject can interact with.

• Access
• Authentication
• Authorization

an example of cyber technology vulnerability is unauthorized access to data, which are either resident in or exchanged between computer systems.

• True
• False

Encryption is a method that protects the communications channel from sniffers — programs written for and installed on the communication channels to eavesdrop on network traffic, examining all traffic on selected network segments.

• True
• False

Stream ciphers process messages in into blocks, each of which is then en/decrypted

• True
• False

Public key cryptography

• two keys - public, private

Secret key cryptography

• one key

These hide the message by rearranging the letter order, without altering the actual letters used

• Monoalphabetic Cipher Security
• Caesar Cipher
• Transposition Ciphers

The step in an attack which identify targets

• Ping Sweeps (ping/whois)
• Denial of Service (DoS)
• Port Scans (nmap)
• Distributed Denial of Service (DDoS)

the intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses.

• SYSTEM INTERFERENCE

Verifies what a subject is authorized to do.

• Authentication
• Authorization
• Access

Contractual agreements between entities that describe specified levels of service.

• Bell-LaPadula Confidentiality Security Model
• Acceptable Use Policy (AUP)
• Service Level Agreement (SLA)

The physical barrier can be a fence made of barbed wire, brick walls, natural trees, mounted noise or vibration sensors, security lighting, close circuit television (CCTV), buried seismic sensors, or different photoelectric and microwave systems.

• True
• False

Child pornography via computer carries a penalty one degree higher than that provided by RA 9775, or the Anti-Child Pornography Act of 2009. Under RA 9775, those who produce, disseminate or publish child pornography will be fined from P50,000 to P5 million, and slapped a maximum jail term of reclusion perpetua, or 20 to 40 years.

• True
• False

Block ciphers process messages a bit or byte at a time when en/decrypting

• True
• False

integrity is to prevent unauthorized modification of files and maintain the status quo. It includes system, information, and personnel integrity. The alteration of information may be caused by a desire for personal gain or a need for revenge.

• True
• False

info used in cipher known only to sender/receiver

• key

the interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data.

• Illegal Interception

Availability is to prevent unauthorized withholding of information from those who need it when they need it.

• True
• False

the original message

• plaintext

AES stands for

• ADVANCED ENCRYPTION STANDARDS

Persons found guilty of unsolicited communication face arresto mayor (imprisonment for 1 month and 1 day to 6 months) or a fine of at least P50,000 but not more than P250,000, or both.

• True
• False

Rotation individuals through jobs / tasks.

• Layered Security
• Job Rotation
• Separation of Duties

The protection of systems that store, transmit, and process information.

• INFORMATION SYSTEMS SECURITY

Emphasis on the data; Our assurance (confidence) in the protection of our information / Information Security Services.

• Network Security
• Computer Security (COMPUSEC)
• Information Assurance (IA) & Security

Where a change of one input or key bit results in changing more than half output bits

• RSA
• DES
• Avalanche Effect
• AES

the field of both cryptography and cryptanalysis

• cryptology

The art and science of identify attempted intrusions

• Intrusion Detection (ID)
• Vulnerability
• Intrusion

A penetration attack involves breaking into a computer system using known security vulnerabilities to gain access to a cyberspace resource. Penetration can be done in both local (using a computer on a LAN) or global (by means of the internet).

• True
• False

Protection of multiple connected (networked) computer systems

• Information Assurance (IA) & Security
• Network Security
• Computer Security (COMPUSEC)

Assure that the identity of some party is remain anonymous

• Anonymity

the use, production, sale, procurement, importation, distribution, or otherwise making available, without right.

• MISUSE OF DEVICES

recovering ciphertext from plaintext

• decipher (decrypt)

A facility is physically secure if it is surrounded by a barrier such as a fence, has secure areas both inside and outside the facility, and can resist penetration by intruders.

• True
• False

Public-Key Cryptography

• asymmetric

the study of principles/ methods of deciphering ciphertext without knowing key

• cryptanalysis (codebreaking)

the acquisition of a domain name on the Internet in bad faith or with the intent to profit, mislead, destroy one’s reputation or deprive others from registering the same domain name.

• CYBER-SQUATTING

Individuals found guilty of cybersex face a jail term of prision mayor (6 years and one day to 12 years) or a fine of at least P200,000 but not exceeding P1 million.

• True
• False

If we can’t completely prevent attack from happening, detection is the only option

• True
• False

is the act of using e-mail fraudulently to try to get the recipient to reveal personal data. In a phishing scam, con artists send legitimate looking e- mails urging the recipient to take action to avoid a negative consequence or to receive a reward.

• Phishing

Ensures tasks are broken down and are accomplished / involve by more than one individual.

• Job Rotation
• Separation of Duties
• Layered Security

Hash used to detect changes to message

• True
• False

It uses two different keys, a public key known by all and a private key known by only the sender and the receiver. Both the sender and the receiver each have a pair of these keys, one public and one private. It is commonly known as public-key encryption.

• Symmetric encryption
• Asymmetric encryption

Assure that unused service or resource is available to legitimate users

• Availability

the intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses.

• DATA INTERFERENCE

Cracking is a form of hacking that is clearly criminal activity. Crackers break into other people’s networks and systems to cause harm.

• True
• False

Assure that the party of concern is authentic - it is what it claims to be

• Authentication

is a set of programs that enables its user to gain administrator level access to a computer without the end user’s consent or knowledge.

• Rootkit