The Best Quiz Questions about Ethics and Accountability of Employees in an Organization!

Part 1:

  1. The term Accountability is used to describe the process to answer what information security questions? What tools can be used to accomplish accountability?

The duties and responsibilities of all employees, as they relate to information assurance, need to be specified in detail. Otherwise any attempt to establish and maintain information security is haphazard and, in practice, absent. The tasks for which an individual is responsible are part of the overall information security plan and are readily measurable by the person who has managerial responsibility for information assurance. One example is the policy statement that all employees must avoid installing outside software on company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.

  2. What factors can be used to verify identification? List four. Give an example of each. In what scenarios should each of them be used?

There are various methods of verification, such as two-factor, three-factor and multi-factor authentication. Which factors are used in real life depends on the situation the user is in.

Possession factors: these factors are used in scenarios where a user carries their credentials with them, either in the form of an ID card, a security token, or a cell phone used in conjunction with a software token.

Knowledge factors: these factors are used in scenarios where a user's credentials are based on information, such as a username, PIN code, secret question or password.

Inherence factors: these factors are used in scenarios where the user's credentials are based on the person in question, such as an eye scan or other biometric data.

Two-factor identification: two-factor verification is a security procedure in which the user provides two means of proof from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

  3. Explain what is meant by whitelisting and blacklisting. What are the differences? In what scenarios should each of them be used?

Both are ways to allow or block access to particular privileges for authorized and unauthorized users. Which strategy to use depends on the environment or scenario you are in. Whitelisting grants access automatically to whatever is on the list, while blacklisting blocks or denies access to whatever is on the list.

The whitelisting strategy consists of:

  • Deny by default
  • A list of allowed applications, websites, messages, domains, software, etc.
  • Based on company needs, anything not on the list of allowed applications is restricted.

The blacklisting approach consists of:

  • Allow by default
  • A list of blocked/restricted applications, websites, messages, domains, software, etc.
  • Items that are not on the blocked/disallowed list can be used without any special control.
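The deny-default and allow-default behaviour described above, as an added example (not code from the original page): the application names and launch requests are constructed, and the point to watch is how each policy treats an application that appears on neither list.

```python
"""Allow-list (deny-default) versus block-list (allow-default) evaluation.

Added example, not from the original page. The application names and the
launch requests below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AppPolicy:
    mode: str                     # "allowlist" or "blocklist"
    entries: set = field(default_factory=set)

    @staticmethod
    def _key(name: str) -> str:
        # Normalise so "Outlook.EXE" and "outlook.exe" are treated as the same item.
        return name.strip().lower()

    def decide(self, app: str) -> str:
        listed = self._key(app) in {self._key(e) for e in self.entries}
        if self.mode == "allowlist":
            return "ALLOW" if listed else "DENY"   # default is deny
        if self.mode == "blocklist":
            return "DENY" if listed else "ALLOW"   # default is allow
        raise ValueError(f"unknown policy mode: {self.mode}")


def evaluate(policy: AppPolicy, requests: list) -> dict:
    """Return {application: decision} for a batch of launch requests."""
    return {app: policy.decide(app) for app in requests}


# Constructed company environment: APPROVED is the set of sanctioned tools,
# BANNED is the set of tools that were explicitly prohibited.
APPROVED = {"outlook.exe", "excel.exe", "putty.exe"}
BANNED = {"torrent.exe", "keygen.exe"}

# Constructed launch requests; "newtool.exe" is on neither list.
REQUESTS = ["Outlook.EXE", "excel.exe", "torrent.exe", "newtool.exe"]

ALLOWLIST_RESULT = evaluate(AppPolicy("allowlist", APPROVED), REQUESTS)
BLOCKLIST_RESULT = evaluate(AppPolicy("blocklist", BANNED), REQUESTS)

if __name__ == "__main__":
    for app in REQUESTS:
        print(f"{app:14} allowlist={ALLOWLIST_RESULT[app]:5} "
              f"blocklist={BLOCKLIST_RESULT[app]}")
```

The unlisted "newtool.exe" is denied under the allow-list and permitted under the block-list; that difference is the whole trade-off between the two strategies.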

  4. What is multi-factor verification?

Multi-factor verification combines at least three independent credentials: what the user knows, which is typically a password; what the user has, such as a security token; and who the user is, i.e. biometric verification. Common examples include:

  • Plugging a USB hardware token into a desktop that generates a one-time password to log in to a VPN
  • Swiping a card and entering a PIN.
  • Logging into a website and being asked to enter an additional one-time password (OTP) sent to a phone via text message
  • Swiping a card, scanning a fingerprint and answering a security question

  5. The CIA Triad is used to outline the goals of information security. List the components of the CIA Triad and explain what specific goal is covered by each?

Confidentiality:

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example of the kind of data that must be kept confidential is an account number or routing number when banking online. Data encryption is a common method of ensuring confidentiality.

Integrity:

Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a confidentiality breach). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an EMP or server crash.

Availability:

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. Fast and adaptive disaster recovery is essential for the worst-case scenarios; that capacity relies on the existence of a comprehensive disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections must cover unpredictable events such as natural disasters and fire. Extra security equipment or software, such as firewalls and proxy servers, can guard against downtime and unreachable data caused by malicious attack.

  6. The term Authentication is used to describe the process that answers the question "Who is trying to access the information?". There are two parts to this process. What are they and explain each?

When a connection is made, it is important to know which account is making that connection. Authentication is the process of validating who is making that connection. Authentication is also used by a client when the client needs to know that the server is the system it claims to be. Authentication by a client usually involves the server presenting a certificate to the client, in which a trusted third party vouches that the server belongs to the entity (for example, a bank) that the client expects. Authentication by a server, by contrast, typically involves a username and password. Other ways to authenticate include cards, retina scans, voice recognition and fingerprints. Authentication does not determine what tasks the individual can do or what files the individual can see; it only identifies and verifies who the individual or system is.

  7. The term Authorization is used to describe the process of answering what questions? What information is required to answer these questions?

Authorization is the process by which a server determines whether the client has permission to use a resource or access a file. Authorization is usually coupled with authentication so that the server has some idea of who the client making the request is. The type of authentication required for authorization may vary; passwords may be required in some cases but not in others. In some cases there is no authorization at all: any user may use a resource or access a file simply by requesting it. Most web pages on the Internet require no authentication or authorization.

For example, authorization takes place when a person shows his or her ticket to the flight attendant so that he or she can board the particular plane he or she is supposed to fly on. A flight attendant must authorize a person before that person can go inside the plane and use the resources the plane needs to fly from one place to another.

  8. Explain how the 3 A's help us in accomplishing the goal of Integrity?

3 A's: Authentication, Authorization & Auditing

These three controls help accomplish integrity by securing data and keeping it in check; essentially they make a system secure, and a secure system ensures that the data it contains is valid. Data integrity means that data is protected from deletion and corruption, both while it resides inside the database and while it is being transmitted over the network. In light of these 3 A's, integrity has these aspects:

  • Referential integrity is the ability to maintain valid relationships between values in the database, according to rules that have been defined.
  • A database must be protected against viruses designed to corrupt the data.
  • Network traffic must be protected from deletion, eavesdropping and corruption.
  • Object privileges and system privileges control access to application tables and system commands so that only authorized users can change data.
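Auditing contributes to integrity only if the audit trail itself cannot be quietly altered. The following added example (not code from the original page) keeps an HMAC-chained audit log: every entry is keyed to the previous one, so an edited, reordered or removed entry is detected on verification. The key and the sample events are constructed.

```python
"""Tamper-evident audit trail: each entry carries an HMAC over its own fields
and the previous entry's MAC, so changes are detectable on verification.

Added example, not from the original page; the key and events are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous MAC" of the very first entry


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, seq: int, actor: str, action: str, prev: str) -> str:
        # Canonical JSON so identical fields always produce identical bytes.
        payload = json.dumps([seq, actor, action, prev], separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = self._mac(seq, actor, action, prev)
        self.entries.append({"seq": seq, "actor": actor, "action": action,
                             "prev": prev, "mac": mac})
        return mac

    def verify(self, anchor: str = None):
        """Return (True, None) if intact, else (False, index of the first bad entry).

        `anchor` is the most recent MAC recorded somewhere the log writer cannot
        reach. Without it, deleting the newest entries goes unnoticed because
        the remaining chain still verifies.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i                     # reordered or spliced entry
            expected = self._mac(i, e["actor"], e["action"], prev)
            if not hmac.compare_digest(expected, e["mac"]):
                return False, i                     # contents edited in place
            prev = e["mac"]
        if anchor is not None and not hmac.compare_digest(prev, anchor):
            return False, len(self.entries)         # tail truncated
        return True, None


def demo():
    """Build a small log, then tamper with one entry and re-verify."""
    log = AuditLog(b"constructed-demo-key")
    log.append("alice", "login")
    log.append("alice", "update account 1234 balance")
    anchor = log.append("bob", "logout")
    intact = log.verify(anchor)
    log.entries[1]["action"] = "update account 9999 balance"   # in-place tamper
    tampered = log.verify(anchor)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```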

  9. Compare and contrast PCI-DSS and HIPAA?

HIPAA covers all health care providers who have access to and store sensitive medical data; PCI-DSS covers anyone who processes and stores credit card information.

PCI has levels for those covered by the requirements. The level of a covered entity is determined primarily by the amount of sensitive data held: an organization with 3 credit card numbers, or PANs, is a far less attractive target than one that has 3MM PANs.

HIPAA has no such concept. Rather, the standards are "scalable", meaning they apply from the very largest of health plans to the very smallest of provider practices.

PCI requires specific actions; HIPAA draws a distinction between Required (R) and Addressable (A).

PCI has specific requirements; HIPAA has general rules.

Unlike the narrowly scoped PCI requirements, HIPAA covers security, privacy and rights, well-being, quality improvement and the elimination of fraud, waste and abuse.

HIPAA security may include risk analysis, remediation progress and periodic vulnerability scans.

  10. Explain how the 3 A's help us in reaching our goal of Confidentiality?

Confidentiality is about keeping someone from reading information they are not authorized to read. In these days of compromised systems, bots and worms, it is important to remember that private information must be protected not only from malicious people but also from their agents, which can be malicious software, a compromised PC, or another compromised network component. Confidentiality concerns arise on any network. The files on file servers and workstations are the primary resources that require confidentiality. Before thinking about Windows-level security controls, think about physical security: anyone with physical access to a PC can ultimately access the files stored on that PC. Clearly, any data that is protected is to some degree secret. Combining the three A's with our practices for storing and accessing data leads to confidentiality, i.e. when sensitive data is stored locally, access control mechanisms may be sufficient to protect it, on the assumption that the data cannot be read if it cannot be accessed.

Encrypt sensitive data when it is transmitted over a communications network, particularly over an insecure network such as the Internet. In a networked environment, access control mechanisms are not effective against attempts to intercept the data, for example by wiretapping.

Part 2:

  1. Within the last twenty years there has been increased concern in the area of information security. Why? Give five examples.

1. OpenSSL Heartbleed Vulnerability

The Heartbleed bug in the OpenSSL cryptographic library exposed SSL-based websites and software to attacks that would have allowed data theft on a remarkable scale. Almost 33% of all major websites were believed to be vulnerable to the issue when Heartbleed was first disclosed in April 2014.

Because the vulnerability existed in the SSL/TLS encryption that websites and software use to protect data, the bug gave attackers a way to eavesdrop on web traffic, spoof users and servers, and steal data directly from them. Heartbleed is arguably one of the most serious and widely referenced vulnerabilities to date. Heartbleed affected more than 600,000 websites alone and allowed attackers to siphon private keys and privileged credentials that could be used to eavesdrop, steal data and impersonate users without leaving a forensic trail.

2. DNS Cache Poisoning Issue (aka Kaminsky Bug)

In 2008, security researcher Dan Kaminsky disclosed a DNS cache poisoning flaw that triggered widespread concern over the security of the Internet's core underpinnings and prompted a remarkable, simultaneous patching effort by scores of technology vendors around the globe. The fundamental flaw, at the DNS protocol level, offered attackers a relatively straightforward way to use spoofed data to redirect web traffic to destinations of their choice.

DNS is how the Internet works across organizational boundaries, i.e. it is how Google can mail Microsoft, so when DNS has a problem, everything built on the Internet does as well.

3. Remote Code Execution Vulnerability in Microsoft Server Service

This buffer overflow vulnerability in the Server Service in numerous versions of Windows, including Windows 2000 SP4, XP SP2 and SP3 and Server 2008, gave attackers a way to remotely execute malicious code on vulnerable systems using a specially crafted remote procedure call. What made the flaw dangerous was that attackers could run arbitrary code on vulnerable systems without any authentication.

Microsoft's out-of-cycle release announcing the flaw in October 2008 warned that the vulnerability could allow attackers to create wormable exploits. Less than six months later, the warning was borne out by the Conficker worm, which infected a huge number of systems worldwide and prompted the SANS Institute to label it the biggest and fastest-growing threat since the Sasser worm of 2004.

4. Java Serialization Bug

News last year of a vulnerability in a Java mechanism known as object deserialization generated little of the buzz that other flaws like Heartbleed and Stagefright did. However, many security experts consider it a critical issue that affects practically all Java applications that accept serialized objects. FoxGlove Security showed how the bug could be exploited in major middleware products like WebLogic, WebSphere, JBoss, Jenkins and OpenNMS.

The issue exists because Java applications accept serialized objects without validating them or checking the trustworthiness of the objects first. FoxGlove showed how attackers could exploit this to insert malicious objects into a stream of data and have them execute on the server.

5. VENOM Vulnerability

The Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability disclosed by CrowdStrike in 2015 was another of those critical vulnerabilities that drew a somewhat mixed reaction from security researchers. While some described the threat as more worrying than Heartbleed, others noted that VENOM was a great deal harder to exploit than the former and was consequently more likely to be used for targeted attacks than for mass attacks.

The flaw existed in a floppy-disk controller of the QEMU (Quick Emulator) hypervisor and in other hypervisors, like Xen and KVM, that use some of its code. The reason VENOM attracted considerable attention when it was announced (and why it deserves mention as a significant flaw) was that the vulnerability offered attackers a way to break out of the confines of a virtual machine. It allowed them to execute malicious code on the host machine and on other virtual machines on the same shared host. VENOM enabled precisely the kind of attack that many had speculated could never be possible in a secure cloud environment.

Over the past decade, the rapid evolution of online threats and the negative publicity received by organizations that were breached have created an almost insatiable demand for more IT security talent. Not only does the industry need more people (some estimates say that as many as 1.5 million new security jobs will be created over the next five years), but the skills requirement has grown, as enterprises do less straightforward systems administration and more post-compromise analysis of incoming threats. However, after ten years of buying and deploying new security technologies and breaking new IT security spending records year after year, most security experts are beginning to wonder whether the layered security philosophy is the right approach. The frequency and cost of data breaches continue to increase, and some business executives have begun to recoil from the idea of ever-increasing spending on technology and people with no guarantee of data security. Many enterprises and security experts are reconsidering some of the basic tenets of IT security, but a clear new philosophy has yet to emerge.

  2. The CIA Triad is Confidentiality, Integrity, and Availability. Explain what is meant by each of these terms.

Confidentiality:

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example of the kind of data that must be kept confidential is an account number or routing number when banking online. Data encryption is a common method of ensuring confidentiality.

Integrity:

Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a confidentiality breach). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an EMP or server crash.

Availability:

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. Fast and adaptive disaster recovery is essential for the worst-case scenarios; that capacity relies on the existence of a comprehensive disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections must cover unpredictable events such as natural disasters and fire. Extra security equipment or software, such as firewalls and proxy servers, can guard against downtime and unreachable data caused by malicious attack.

  3. What is social engineering?

Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Many social engineering exploits simply rely on people's willingness to be helpful. For example, the attacker may pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.

Prevalent types of social engineering attacks include:

Baiting: Baiting is when an attacker leaves a malware-infected physical device, for example a USB flash drive, in a place where it is sure to be found. The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware.

Spear phishing: Spear phishing is like phishing, but tailored to a specific individual or organization.

Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is intended to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.

  4. Describe the process of "phishing". List the various sub-categories and give examples of each.

Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is intended to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.

Spear phishing: Spear phishing is like phishing, but tailored to a specific individual or organization.

Deceptive phishing: The term "phishing" originally referred to account theft using instant messaging, but the most common broadcast method today is a deceptive email message. Examples are messages about the need to verify account information, unwanted account changes, fictitious account charges, a system failure requiring users to re-enter their information, and so forth.

Web Trojans: Web Trojans pop up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.

Key loggers: Key loggers are specific varieties of malware that track keyboard input and send the relevant information to the hacker via the Internet. They can embed themselves into users' browsers as small utility programs known as helper objects that run automatically when the browser is started, as well as into system files as device drivers or screen monitors.

Man-in-the-middle phishing: Man-in-the-middle phishing is harder to detect than many other forms of phishing. In these attacks, hackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on, so that users' transactions are not affected.

  5. Describe the concept of identification in information security.

Identification is an assertion of who someone is or what something is. If a user claims a name, they are making a claim of identity. However, their claim may or may not be true. Before a username can be granted access to protected information, it is necessary to verify that the person claiming to be the genuine user really is the registered user. Typically, the claim takes the form of a username. By entering that username, you are asserting "I am the person this username belongs to".

  6. Describe the term authentication in information security. How is it accomplished?

Authentication is the act of verifying an identity claim. Strong authentication requires providing more than one type of authentication information, i.e. two-factor authentication. The username is the most common form of identification on computer systems today, and the password is the most common form of authentication. Usernames and passwords have served their purpose, but in our modern world they are no longer sufficient. Usernames and passwords are slowly being replaced with more sophisticated authentication mechanisms.

  7. Describe the term authorization. How is it accomplished?

After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform, such as run, view, create, delete or change; this process is known as authorization. Authorization to access information and other computing services begins with administrative policies and procedures. The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies.

  8. Explain what is meant by protecting privacy in corporate information security.

Data privacy or information privacy is the aspect of information technology that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties. Data privacy is clearly defined as the appropriate use of data. Whenever organizations and merchants use data or information that is provided or entrusted to them, the data should be used only for the agreed purposes. The Federal Trade Commission enforces penalties against organizations that have failed to ensure the privacy of a customer's data. In some cases, organizations have sold, disclosed or rented volumes of the consumer information that was entrusted to them to other parties without obtaining prior approval.

  9. Why is security a pest?

I'll answer this in one line: "No system is ever safe". In today's high-technology environment, organizations are becoming increasingly dependent on their information systems. The public is increasingly concerned about the proper use of information, especially personal data. The threats to information systems from terrorists and criminals are increasing. Many organizations will identify information as an area of their operation that needs to be protected as part of their system of internal control.

  10. Describe the "Onion" model of protection.

As a rule, the more layers an attacker must penetrate in order to access a valuable resource, the better the chance that an attack will not succeed. Engineers should strive to carefully build multiple layers of protection around any sensitive data, so as to ensure that if one security measure is breached, other obstacles will keep an attacker at bay. The first layer of protection is everything outside of the database server, all of which falls into the domain of authentication. Once a user is authenticated, SQL Server's declarative permissions system kicks in, and a login is authorized to access one or more databases, based on user mappings.

From there, each user is authorized to access resources in the database; another layer that can be added for extra security here is the use of stored procedures. By assigning permissions only via stored procedures, it is possible to maintain greater control over when and why privilege escalation should happen. Of course, the stored procedure itself must have access to whatever tables and columns are required, and these resources can be secured further if necessary, using encryption or row-level security schemes.

  11. Why is non-repudiation an important goal in information security?

Non-repudiation is the assurance that someone cannot deny something. Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. Email non-repudiation involves methods such as email tracking that are designed to ensure that the sender cannot deny having sent a message and that the recipient cannot deny having received it.

  12. Describe an access control list. What information does it contain, and how is it used?

Directories and files have permission sets for the owner of the file, the group associated with the file, and all other users of the system. These permission sets have limitations; for instance, different permissions cannot be configured for different individual users. That is why ACLs were implemented. In other words, an access control list is a table that tells a computer operating system which access rights each user has to a particular system object, for example a file directory or an individual file. Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges.
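The per-user entries described above, as an added example (not code from the original page): a small ACL evaluator with deny-by-default, group membership and an explicit deny that overrides any allow. It also serves the authorization questions earlier on the page, since this check is what runs after identification and authentication have succeeded. The users, groups, file and entries are constructed.

```python
"""Access control list evaluation for one file object.

Added example, not from the original page; the users, groups, file and
entries below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: which principal, which rights, allow or deny."""
    principal: str        # "user:<name>", "group:<name>" or "everyone"
    rights: frozenset     # e.g. frozenset({"read", "write"})
    allow: bool = True


class Acl:
    def __init__(self, entries):
        self.entries = list(entries)

    def check(self, user: str, groups: set, right: str) -> bool:
        """Deny-default: granted only if a matching entry allows the right and
        no matching entry denies it (an explicit deny always wins)."""
        principals = {f"user:{user}", "everyone"} | {f"group:{g}" for g in groups}
        allowed = False
        for ace in self.entries:
            if ace.principal in principals and right in ace.rights:
                if not ace.allow:
                    return False
                allowed = True
        return allowed


# Constructed scenario: payroll.xlsx is owned by alice. With owner/group/other
# permission bits alone, bob (who is not in "finance") could only be given read
# access by opening the file to everyone; an ACL lets him be named individually,
# and lets mallory be excluded even though she is in the finance group.
PAYROLL_ACL = Acl([
    Ace("user:alice", frozenset({"read", "write", "delete"})),
    Ace("group:finance", frozenset({"read", "write"})),
    Ace("user:bob", frozenset({"read"})),
    Ace("user:mallory", frozenset({"read", "write", "delete"}), allow=False),
])

# Constructed directory of group memberships (the authentication step is assumed
# to have already established which user is asking).
USER_GROUPS = {
    "alice": {"staff"},
    "bob": {"staff"},
    "carol": {"staff", "finance"},
    "mallory": {"staff", "finance"},
    "dave": {"staff"},
}


def can(user: str, right: str) -> bool:
    """Is `user` authorized to exercise `right` on payroll.xlsx?"""
    return PAYROLL_ACL.check(user, USER_GROUPS.get(user, set()), right)


if __name__ == "__main__":
    for u in USER_GROUPS:
        print(u, {r: can(u, r) for r in ("read", "write", "delete")})
```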
