Tuesday 14 February 2017

ISACA CYBERSECURITY FUNDAMENTALS CERTIFICATE



Are you looking to pass the ISACA Cybersecurity Fundamentals Certificate?

Then you are at the right place!

Created by the industry's leading minds, ISACA's® Cybersecurity Nexus™ is the only one-stop global resource for everything cyber security. CSX is designed to help fortify and advance the industry by educating, training and certifying a stronger, more informed workforce—from recent college graduates to C-suite level executives.

We will provide you with the complete book and 100% exam questions to pass your exam.

Send an email to moonintdubai@gmail.com for details.



Monday 13 February 2017

CEH Exam Questions Latest 2017 (Pass CEH Exam)



What is a virus that attempts to install itself inside the file it is infecting called?

A. Polymorphic virus
B. Tunneling virus
C. Stealth virus
D. Cavity virus

Answer: D

You are a security officer of a company. You had an alert from the IDS indicating that one PC on your intranet connected to a blacklisted IP address (a C2 server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to get a rough idea of the severity of the situation. Which of the following is appropriate to analyze?

A. IDS log
B. Event logs on the PC
C. Event logs on the domain controller
D. Internet firewall/proxy log

Answer: D

Firewalls are software or hardware systems that are able to control and monitor the traffic coming in and out of the target network based on a pre-defined set of rules. Which of the following types of firewalls can protect against SQL injection attacks?

A. Web application firewall
B. Packet firewall
C. Stateful firewall
D. Data-driven firewall

Answer: A

A hacker is an intelligent individual with excellent computer skills that grant them the ability to explore a computer’s software and hardware without the owner’s permission. Their intention can either be to simply gain knowledge or to illegally make changes. Which of the following classes of hacker refers to individuals who work both offensively and defensively at various times?

A. Gray Hat
B. Black Hat
C. Suicide Hacker
D. White Hat

Answer: A

Which of the following is considered one of the most reliable forms of TCP scanning?

A. NULL Scan
B. Half-open Scan
C. TCP Connect / Full Open Scan
D. Xmas Scan

Answer: C

Which of the following Secure Hash Algorithm (SHA) variants produces a 160-bit digest from a message with a maximum length of (2^64 − 1) bits, and resembles the MD5 algorithm?

A. SHA-2
B. SHA-1
C. SHA-3
D. SHA-0

Answer: B

Which of the following scanning methods splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?

A. IPID scanning
B. ICMP Echo scanning
C. ACK flag probe scanning
D. SYN/FIN scanning using IP fragments

Answer: D

An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush. What type of breach has the individual just performed?

A. Announced
B. Piggybacking
C. Reverse Social Engineering
D. Tailgating

Answer: D

Provided this log, which of the following statements is true?

Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

A. The application is SSH, and 10.240.250.23 is the server and 10.249.253.15 is the client.
B. SSH communications are encrypted; it is impossible to know which is the client and which is the server.
C. The application is FTP, and 10.240.250.23 is the client and 10.249.253.15 is the server.
D. The application is SSH, and 10.240.250.23 is the client and 10.249.253.15 is the server.

Answer: B


Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?

A. -T0
B. -O
C. -T5
D. -A

Answer: C

A security policy is a definition of what it means to be secure for a system, organization or other entity. For information technologies, there are sub-policies such as the Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy and User Account Policy. What is the main theme of the sub-policies for information technologies?

A. Authenticity, Confidentiality, Integrity
B. Confidentiality, Integrity, Availability
C. Availability, Non-repudiation, Confidentiality
D. Authenticity, Integrity, Non-repudiation

Answer: B

You perform a scan of your company's network and discover that TCP port 123 is open. What service runs by default on TCP port 123?

A. POP3
B. Telnet
C. DNS
D. Network Time Protocol

Answer: D

For the complete set of questions, email us at moonintdubai@gmail.com

ISACA CYBERSECURITY NEXUS


In enterprise IT, there is a single point where everything that matters in information, technology and business converges: Cybersecurity Nexus (CSX), a new security knowledge platform and professional program from ISACA.
CSX is helping shape the future of cybersecurity through cutting-edge thought leadership, as well as training and certification programs for the professionals who are leading it there. Building on the strength of ISACA’s globally-recognized expertise, it gives cybersecurity professionals a smarter way to keep organizations and their information more secure.
With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry. Because Cybersecurity Nexus is at the center of everything that’s coming next.

Sunday 12 February 2017

PRINCE2 vs PMP


What do the qualifications stand for?

PRINCE2® stands for PRojects IN Controlled Environments. ITIL® stands for Information Technology Infrastructure Library®. PMP® is the acronym for Project Management Professional.

Who owns PRINCE2, ITIL and PMP?

AXELOS now owns the intellectual property of the whole Best Management Practice portfolio including PRINCE2 and ITIL. PMP is owned by the Project Management Institute (PMI)®.

How do you get PRINCE2, PMP and ITIL?

All three have certification programmes that you can work towards. PRINCE2 has Foundation, Practitioner and Professional levels. ITIL has several levels of certification: Foundation, Intermediate, Managing Across The Lifecycle (MALC), Expert and Master. While the Project Management Institute also offers several certifications – the most commonly sought after being the PMP – they do not, however, split them into expertise levels.

How do individuals and organisations use them?

PRINCE2 and PMP are two of the most respected project management approaches in the world today, and are designed to manage projects and improve project performance. If you are completely new to project management, a project is a unique, temporary event with a defined start and finish. Almost anything can be a project. It could be something domestic, like creating a garden; something physical, like building a school; or something more abstract like organising and running a conference.

ITIL is the most recognised framework for IT service management in the world. It is essentially a cohesive set of best practices, providing guidance for developing, delivering and managing IT services for an organisation.

How do the three qualifications differ in their approach?

PRINCE2 is a practical, process-based methodology which provides detailed, step-by-step guidance on delivering a successful project with clear processes, steps and templates.

PMP is based on the Project Management Institute’s A Guide to the Project Management Body of Knowledge, (PMBOK® Guide). The PMBOK® Guide provides you with the tools and techniques of project management.

ITIL comes from the same stable as PRINCE2 so, unsurprisingly, is also process-based. It aims to give you the ability to improve how IT is delivered and managed within an organisation. Using ITIL you can continually improve efficiency, effectiveness, quality and cost management. ITIL has traditionally been used for IT but increasingly organisations are finding it can be used in a variety of settings for a variety of purposes. CERN – the location of the Large Hadron Collider – is using ITIL for non-IT situations as reported by Computer Weekly.

What is the market for each of the qualifications?

As part of a suite of best practice products originally developed by the Office of Government Commerce in the UK, PRINCE2 has become the de facto standard there but is recognised and valued worldwide because of its practicality and scalability – in particular enjoying a strong presence in Europe, Australia and other countries outside North America.

PMI qualifications have their origins in the USA and as such PMP is the predominant certification in the US, though it is still valued throughout the world for the comprehensive content of the PMBOK® Guide.

ITIL is accepted globally as an effective and efficient way to identify, plan, deliver and support IT services in the business.

In fact, the demand for all these certifications is growing all the time; for instance, more than 1 million PRINCE2 examinations have been taken around the world and the qualification’s popularity continues to grow.

Which certifications should I do first and which are welcomed by which industries or employers?

When considering which certifications to take, you will no doubt be concerned with how each will enhance your employment prospects.

You’ll find that different industries often favour one accreditation over another. So to better target the industry area and employer type you are interested in, ensure that you do your research! You could look at their job adverts and on their websites for information on what abilities, skills and knowledge they favour. Once you have your initial qualification, you can look at the others as career aspirations, as time and budget dictate.

Is it worth doing more than one?

Indeed it is, on several fronts:

PRINCE2 is concerned with the framework in which to manage projects, whereas the PMP focuses on the skills and knowledge required by the Project Manager to manage the project through the lifecycle. You would therefore actually benefit from having knowledge of both, providing a more rounded approach to project management.

Also, adopting the PMBOK in a PRINCE2-based organisation will help to identify the additional areas which need to be addressed in order to give projects the best chance of success, such as the soft skills that the PMBOK identifies as needing to be covered in human resource management. In another example, PRINCE2 offers a complete change control approach, whereas the PMBOK just talks of the need for it.

So where does ITIL come in? Our recent blog, PRINCE2: still got the “IT” factor for ITSM, examines one area. If, for instance, you implement ITIL within an organisation, then you are effectively undertaking a project. As such, it would make sense to use project management.

Ideally, you would use the theory and competencies you had gained from PMP and the methodology learnt from PRINCE2 to ensure the project is successful. Since not one of these certifications does everything, it makes sense, in the long run, to get all three to make you an all-round professional. It can also pay: PRINCE2 commands healthy salaries as PayScale.com shows and both PMP and ITIL are amongst the certifications that are expected to pass the test of time according to IT Business Edge.


Sunday 5 February 2017

What is Risk? Cyber Security

Risk in Cyber Security

The core duty of cybersecurity is to identify, mitigate and manage cyberrisk to an organization’s digital assets. While most people have an inherent understanding of risk in their day-to-day lives, it is important to understand risk in the context of cybersecurity, which means knowing how to determine, measure and reduce risk effectively.

Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness are all dependent on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.

Yet, too often, cybersecurity controls are implemented with little or no assessment of risk. ISACA’s recent worldwide survey of IT management, auditors and security managers consistently shows that over 80 percent of companies believe “information security risks are either not known or are only partially assessed” and that “IT risk illiteracy and lack of awareness” are major challenges in managing risk.[4] Therefore, understanding risk and risk assessments is a critical requirement for any security practitioner.

Approaches to Cybersecurity

Generally, there are three different approaches to implementing cybersecurity. Each approach is described briefly below.

• Compliance-based—Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
• Risk-based—Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
• Ad hoc—An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.

In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches. In fact, most standards or regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the US Health Insurance Portability and Accountability Act (HIPAA), require risk assessments to drive the particular implementation of the required controls.

Key Terms and Definitions

There are many potential definitions of risk—some general and others more technical. Additionally, it is important to distinguish between a risk and a threat. Although many people use the words threat and risk synonymously, they have two very different meanings. As with any key concept, there is some variation in definition from one organization to another. For the purposes of this guide, we will define terms as follows:

Risk—The combination of the probability of an event and its consequence (International Organization for Standardization/International Electrotechnical Commission [ISO/IEC] 73). Risk is mitigated through the use of controls or safeguards.
Threat—Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. ISO/IEC 13335 defines a threat broadly as a potential cause of an unwanted incident. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.

Asset—Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Vulnerability—A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Although much of cybersecurity is focused on the design, implementation and management of controls to mitigate risk, it is critical for security practitioners to understand that risk can never be completely eliminated. Beyond the general definition of risk provided above, there are other, more specific types of risk that apply to cybersecurity.

Residual risk—Even after safeguards are in place, there will always be residual risk, defined as the remaining risk after management has implemented a risk response.
Inherent risk—The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)

Likelihood and Impact

When assessing a threat, cybersecurity professionals often analyze the threat’s likelihood and impact in order to rank and prioritize it among other existing threats.

In some cases where clear, statistically sound data are available, likelihood can be a matter of mathematical probability.

This is true with situations such as weather events or natural disasters. However, sometimes accurate data are simply not available, as is often the case when analyzing human threat agents in cybersecurity environments. There will also be factors that create situations where the likelihood of certain threats is more or less prevalent for a given organization. For example, a connection to the Internet will predispose a system to port scanning. Typically, qualitative rankings such as “High, Medium, Low” or “Certain, Very Likely, Unlikely, Impossible” can be used to rank and prioritize threats stemming from human activity. When using qualitative rankings, however, the most important step is to rigorously define the meaning of each category and use definitions consistently throughout the assessment process.

For each identified threat, the impact or magnitude of harm expected to result should also be determined. The impact of a threat can take many forms, but it often has an operational consequence of some sort, whether financial, reputational or legal. Impacts can be described either qualitatively or quantitatively, but as with likelihoods, qualitative rankings are most often used in cybersecurity risk assessment. Likewise, each ranking should be well-defined and consistently used. In cybersecurity, impacts are also evaluated in terms of confidentiality, integrity and availability.
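The following is an added example, not code from the ISACA guide, that puts the two ideas above into one small risk register: the qualitative likelihood and impact ranks are each given a fixed, documented numeric meaning before any threat is scored (so a rank that was never defined is rejected rather than silently guessed), impact is evaluated per confidentiality, integrity and availability objective, and each entry carries both an inherent risk (no controls considered) and a residual risk after a control response. The rank scales, band thresholds, control-effectiveness figures and the three register entries are all constructed for illustration.

```python
"""Added example (not from the ISACA guide): a small qualitative risk
register with inherent vs. residual risk.  All scales, thresholds and
register entries below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List

# Each qualitative rank is given one fixed numeric meaning up front and is
# applied the same way to every threat in the assessment (constructed scale).
LIKELIHOOD: Dict[str, int] = {"Unlikely": 1, "Possible": 2, "Very Likely": 3, "Certain": 4}
IMPACT: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# Constructed bands for the combined score (likelihood x impact, maximum 12).
BANDS = [(8, "High"), (4, "Medium"), (0, "Low")]


@dataclass
class Threat:
    name: str
    asset: str
    likelihood: str                     # must be a key of LIKELIHOOD
    impact: Dict[str, str]              # per objective: {"C": ..., "I": ..., "A": ...}
    control_effectiveness: float = 0.0  # 0.0 = no control in place


def inherent_risk(t: Threat) -> int:
    """Exposure before any control is considered: likelihood times the
    worst-case impact across confidentiality, integrity and availability."""
    if t.likelihood not in LIKELIHOOD:
        raise ValueError(f"undefined likelihood rank: {t.likelihood!r}")
    for objective, rank in t.impact.items():
        if rank not in IMPACT:
            raise ValueError(f"undefined impact rank for {objective}: {rank!r}")
    worst_impact = max(IMPACT[r] for r in t.impact.values())
    return LIKELIHOOD[t.likelihood] * worst_impact


def residual_risk(t: Threat) -> float:
    """Risk remaining after management's risk response.  A control claimed
    to be 100% effective is rejected: residual risk is never zero."""
    if not 0.0 <= t.control_effectiveness < 1.0:
        raise ValueError("control effectiveness must be in [0.0, 1.0)")
    return round(inherent_risk(t) * (1.0 - t.control_effectiveness), 2)


def band(score: float) -> str:
    """Map a numeric score onto the constructed High/Medium/Low bands."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "Low"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Order the register by residual risk, highest first."""
    return sorted(threats, key=residual_risk, reverse=True)


# Constructed sample register (assets, ranks and control figures are made up).
SAMPLE_THREATS = [
    Threat("Port scanning from the Internet", "public web server", "Certain",
           {"C": "Low", "I": "Low", "A": "Low"}, control_effectiveness=0.5),
    Threat("SQL injection against customer database", "customer DB", "Very Likely",
           {"C": "High", "I": "High", "A": "Medium"}, control_effectiveness=0.7),
    Threat("Ransomware on file server", "file server", "Possible",
           {"C": "Medium", "I": "High", "A": "High"}, control_effectiveness=0.6),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        inh, res = inherent_risk(t), residual_risk(t)
        print(f"{t.name:42} inherent={inh:2} ({band(inh)})  residual={res} ({band(res)})")
```

Running the block ranks the SQL injection entry first even though port scanning is the more likely event, because the ranking is driven by likelihood combined with worst-case impact and then reduced by the control response; changing a scale or threshold in one place changes it for every entry, which is the consistency the passage asks for.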

Saturday 4 February 2017

Topic 5 Cybersecurity Domains

The cybersecurity domains covered in this guide are as follows:

• Cybersecurity Concepts
• Security Architecture Principles
• Security of Networks, Systems, Applications and Data
• Incident Response
• Security Implications and Adoption of Evolving Technology

Why Is Cyber Security Important?

We live in an increasingly networked world, from personal banking to government infrastructure. Protecting those networks is no longer optional.

Cyber risk is now firmly at the top of the international agenda as high-profile breaches raise fears that hack attacks and other security failures could endanger the global economy.
The Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: "90 percent of companies worldwide recognize they are insufficiently prepared to protect themselves against [cyber attacks]."
Cyber crime costs the global economy over US$400 billion per year, according to estimates by the Center for Strategic and International Studies. In 2013, some 3,000 companies in the United States had their systems compromised by criminals, the Center reports.
High-profile US retailers Target and Home Depot were among many organizations that lost customer data and credit card information. In other companies, cyber criminals stole money from accounts, carried out industrial espionage and in some cases even took over company systems and demanded ransom money to unlock them.
It's not surprising that governments and businesses around the world are searching for better cyber defense strategies. The European Network and Information Security Agency held a cyber security exercise in October 2014, involving 29 countries and more than 200 organizations, including government bodies, telecoms companies, energy suppliers, financial institutions and Internet service providers.
The tests included simulating more than 2,000 separate incidents: denial of service attacks, website defacements, access to sensitive information and attacks on critical infrastructure. Software and hardware failures were judged the biggest security threats.
In February, President Barack Obama addressed the Summit on Cybersecurity and Consumer Protection at Stanford University. It was attended by senior US political leaders, CEOs and representatives from computer security companies, major retailers, law enforcement and technical experts, to "collaborate and explore partnerships that will help develop the best ways to bolster our cyber security."
There is clearly still much work to be done, and the people behind the attacks have a significant head start. For those playing catch-up, cyber security has become a matter of urgency.

The consequences of cyber crime

Cyber attacks fall into two broad categories: breaches in data security and sabotage. Personal data, intellectual property, trade secrets and information relating to bids, mergers and prices are tempting targets for a data security breach. Sabotage can take the form of denial of service attacks, which flood web services with bogus messages, as well as more conventional efforts to disable systems and infrastructure.
In addition to commercial losses and public relations problems, disruption of operations and the possibility of extortion, cyber attacks may also expose an organization to regulatory action, negligence claims, the inability to meet contractual obligations and a damaging loss of trust among customers and suppliers.
Most cyber crime incidents go unreported, and few companies come forward with information on their losses. That is not surprising given the risk to an organization's reputation and the prospect of legal action against those that own up to cyber crime. Few of the biggest cyber criminals have been caught—many have yet to be identified.
A significant proportion of cyber crime also goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot. There is a danger that a business might trade at a disadvantage for months or even years as a result of a continuing, but undetected, security breach.
"Criminals operate across borders, so must companies and the experts that assist them, including their lawyers," says Bertrand Liard, a Paris-based partner at White & Case. "Responding to cyber attacks requires both a global vision and a fine knowledge of local regulations and law enforcement agencies."

Vulnerability is on the rise

Cyber crime is only likely to increase, despite the best efforts of government agencies and cyber security experts. Its growth is being driven by the expanding number of services available online and the increasing sophistication of cyber criminals who are engaged in a cat-and-mouse game with security experts.
Technical innovation throws up new online dangers. For example, the migration of data to third-party cloud providers has created a centralization of data and therefore more opportunities for criminals to misappropriate critical information from a single target attack. Similarly, the emphasis on mobile services has opened up corporate systems to more users—multiplying the opportunities to penetrate security measures.
Applications that involve the collection and analysis of data in large quantities—so-called Big Data—put additional pressure on security managers. Mountains of sensitive data about buyer decisions, their habits and other personal information must be kept safe, but until recently security was not a top priority in systems handling Big Data.
The development of an Internet of Things, which enables communication between machines, raises the possibility of appliances being manipulated by hackers. The widespread use of machine-to-machine (M2M) communication is only likely to boost the possibility of information misuse.
Much of the world's critical infrastructure, controlling services such as power generation, transport and utilities, already depends on M2M. Protecting the networks that carry the communications that control these services is vital, especially since decision making is often done without human involvement.

Countering cyber risk

"Cyber security is regarded as a board-level responsibility," says Detlev Gabel, a partner at White & Case in Frankfurt and leader of the Firm's Data, Privacy and Cyber Security Group. "Similar to other compliance areas, board directors can be held liable for not discharging their duty to prevent harm to the corporation. In performing their oversight role, directors should stay informed about the corporation's cyber security defenses. They must ask what the risks are and determine what needs to be done to mitigate them. In today's connected world, it is unfortunately becoming a question of ‘when’ rather than ‘if’ some sort of data breach will occur."
Furthermore, under guidance from the US Securities and Exchange Commission, public companies are required to disclose the material risks they face from cyber attacks and include specific detail to enable an investor to assess the magnitude of those risks.
US companies are also required to consider disclosure about the potential costs associated with preventing cyber attacks and any contingent liabilities or asserted claims related to prior breaches. In sum, a failure to make adequate disclosures can lead to additional liability in the event of a cyber attack.
There is no shortage of advice available to organizations to help them assess risks and develop suitable plans to counter them. Governments around the world are developing cyber security guidelines.
Last year, at the behest of President Obama, the National Institute of Standards and Technology (NIST) in the United States issued a Framework for Improving Critical Infrastructure Security. Critical infrastructure not only includes energy supply networks and telecommunications, but financial services and retail facilities as well.
The Framework is a set of standards and best practices drawn up with the input of thousands of security experts and designed to help organizations manage the risks of a cyber security breach. With the aid of the Framework, they chart their current security profile, work out what profile they should be aiming for and create a plan for reaching it.
"Similar to financial and reputational risk, cyber security risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers," warns NIST.
The UK intelligence agency, Government Communications Headquarters (GCHQ), which provides advice and services to protect national voice and data networks, estimates 81 percent of UK businesses have experienced some kind of security breach. To help stem the tide, the organization has published detailed guidance for businesses, "10 Steps to Cyber Security."
The critical first step is to establish an information risk management regime that identifies the security risks it faces and the policy for dealing with them. Businesses should protect their information and communications technology by adopting standard security measures and managing how the systems are configured and used. They should also disable unnecessary functions and keep security patches up to date.
Malware protection is an important security consideration. Businesses should not only have policies that cover email, web browsing and the use of personal devices, but also install antivirus software and regularly scan for malware.
Networks are often a weak point in cyber defenses, so it's crucial for businesses to follow recognized network design principles and ensure all devices are configured to the security standards they have adopted.
Removable media policies that control the use of media for the import and export of information are vital. Not only should removable media be scanned for malware, but the type of media and the sort of information that can be transferred should be limited.


Users should only be given the privileges they need to do their job. Accounts used by system or database administrators should not be used for high-risk user activities. User activity should be monitored, particularly activity involving access to sensitive information and account actions such as changing passwords and deleting accounts.
The same can be said for vendors, who are often not perceived as a threat or lacking in security measures of their own—many breaches in recent years were via vendors.
"The point is you can't just draft all these fantastic policies and apply them internally, but then not be strict with all vendors," says Daren Orzechowski, a partner at White & Case in New York. "You need to ensure that these cyber policies are also imposed on vendors by way of a contract."
Equally, security policies should be part of employment terms and conditions. All users should receive regular training on the cyber risks they face.
Businesses are also urged to scan inbound and outbound traffic continuously to detect suspicious activity. They should also monitor all ICT systems using specialized intrusion detection and prevention systems.
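As an added example that is not part of the original article, the block below turns the monitoring points above into a minimal audit-log review: it flags administrator accounts used for high-risk user activities, records account actions such as password changes and deletions for review, and flags reads of sensitive information. The key=value log format, the account names, the action names, the sensitive path prefixes and the six sample log lines are all constructed; they stand in for whatever the organisation's own audit source produces.

```python
"""Added example (not part of the original article): a minimal audit-log
review applying the monitoring points above.  The log format, account
names, action names and paths are constructed for illustration."""

import re
from typing import Dict, List, Tuple

# Constructed policy data: which accounts are privileged, which user actions
# they must not be used for, which account actions are always reviewed, and
# which paths hold sensitive information.
PRIVILEGED_ACCOUNTS = {"dbadmin", "sysadmin"}
HIGH_RISK_USER_ACTIONS = {"web_browse", "email_open", "usb_mount"}
ACCOUNT_ACTIONS = {"password_change", "account_delete", "account_create", "group_add"}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")

# Constructed sample log: "<timestamp> key=value key=value ..."
SAMPLE_LOG = [
    "2017-02-01T09:14:02 host=db01 user=dbadmin action=login src=10.0.5.12",
    "2017-02-01T09:15:30 host=db01 user=dbadmin action=web_browse dest=news.example.com",
    "2017-02-01T09:20:11 host=dc01 user=jsmith action=password_change target=jsmith",
    "2017-02-01T09:21:45 host=dc01 user=jsmith action=account_delete target=tjones",
    "2017-02-01T09:30:00 host=fs01 user=asmith action=file_read path=/finance/q4.xlsx",
    "2017-02-01T09:31:07 host=fs01 user=asmith action=file_read path=/public/handbook.pdf",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(KV.findall(rest))
    return event


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the name of every monitoring rule the event triggers."""
    user = event.get("user", "")
    action = event.get("action", "")
    findings: List[str] = []
    # Rule 1: an administrator account used for an ordinary high-risk activity.
    if user in PRIVILEGED_ACCOUNTS and action in HIGH_RISK_USER_ACTIONS:
        findings.append("privileged-account-misuse")
    # Rule 2: account actions are always recorded; a self-service password
    # change is routine, anything touching another account gets a reviewer.
    if action in ACCOUNT_ACTIONS:
        target = event.get("target", "")
        if action == "password_change" and target == user:
            findings.append("account-action-self")
        else:
            findings.append("account-action")
    # Rule 3: access to information under a sensitive path.
    if action == "file_read" and event.get("path", "").startswith(SENSITIVE_PREFIXES):
        findings.append("sensitive-access")
    return findings


def review_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every line through the rules; returns (timestamp, user, rule) triples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            findings.append((event["ts"], event.get("user", "?"), rule))
    return findings


if __name__ == "__main__":
    for ts, user, rule in review_log(SAMPLE_LOG):
        print(f"{ts} {user:8} {rule}")
```

On the sample lines the administrator's login produces nothing, the same account browsing the web is flagged, both of jsmith's account actions are recorded (the deletion of another account separately from the self-service password change), and only the read under /finance/ is flagged as sensitive access. The policy sets at the top are the part an organisation would replace with its own adopted standards.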

Legal aspects of cyber risk

Governments are tightening laws to ensure organizations take greater responsibility for cyber security and report cyber breaches. The reporting of breaches is important in that it enables government agencies to take action to strengthen security, allows individuals to mitigate harm and encourages organizations to adopt effective security measures.
In the United States, 47 states have enacted laws that require security breaches involving personal data to be reported. The US Congress is also considering various proposals, including one from the Obama Administration, concerning a national breach notification law. The Data Security and Breach Notification Act of 2015 is a companion to the Consumer Privacy Bill of Rights Act of 2015 unveiled by President Obama in February, governing the collection and dissemination of consumer data. According to a White House spokesperson, these will "provide customers with more control over their data, companies with clearer ways to signal their responsible stewardship over data, and everyone with the flexibility to continue innovating in the digital age."
While such legislative moves are welcome, they have their critics: fines are not particularly prohibitive and it's not clear how they would be enforced, and businesses would be allowed to draft their own codes of conduct, leaving room for loopholes.
The European Union and several of its member states have introduced similar regulations, some of which are specific to particular industries, with the result that organizations operating across different legal jurisdictions have the added burden of making sure they comply with the different laws.
Meanwhile, the EU is developing a proposal for a General Data Protection Regulation to replace and harmonize current data protection legislation. The new regime would require organizations to report data breaches promptly to both the competent authorities and the affected individuals. If it were up to the European Parliament, as one of the legislative bodies deciding on the proposal, failure to comply with this requirement could lead to penalties equivalent to 5 percent of an offender's global turnover.
Preparing for a breach in security, therefore, is particularly important when incidents can result in fines, legal action or measures by government agencies. An effective plan reduces the risks of financial losses and damage to an organization's reputation while ensuring compliance with the relevant legal requirements.
"Looking proactively, you should get input from IT professionals, lawyers, technologists and privacy experts. And it only makes sense that the same team that builds the plan should help prepare for a problem," says Orzechowski.
In the event of an incident, Orzechowski recommends that a lawyer be included on the team in charge of any fact-finding mission so that the company can claim attorney-client privilege and work-product protection. These protections, at least under US law, might prevent the disclosure of information that could be detrimental to their client if future litigation arises following an incident.

Conclusion

Cyber security is one of the most urgent issues of the day. Computer networks have always been the target of criminals, and it is likely that the danger of cyber security breaches will only increase in the future as these networks expand. There are, however, sensible precautions that organizations can take to minimize losses from those who seek to do harm.
With the right level of preparation and specialist external assistance, it is possible to control damages and recover from a cyber breach and its consequences.

Thursday 2 February 2017

What is Certified Ethical Hacker?



Certified Ethical Hacking Certification

A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.

The purpose of the CEH credential is to:

  • Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
  • Inform the public that credentialed individuals meet or exceed the minimum standards.
  • Reinforce ethical hacking as a unique and self-regulating profession.

About the Exam

  • Number of Questions: 125
  • Test Duration: 4 Hours
  • Test Format: Multiple Choice
  • Test Delivery: ECC EXAM, VUE
  • Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)
#CEH, #CEH V9

Wednesday 1 February 2017

Importance of Information Security

The Value of Information

To understand the value of information, let’s start by examining some typical information held by both businesses and individuals. At the very least, businesses will hold sensitive information on their employees, salary information, financial results, and business plans for the year ahead. They may also hold trade secrets, research and other information that gives them a competitive edge. Individuals usually hold sensitive personal information on their home computers and typically perform online functions such as banking, shopping and social networking, sharing their sensitive information with others over the internet.

As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the risk of unauthorised access increases and we are presented with growing challenges of how best to protect it.

Protecting Information

When you leave your house for work in the morning, you probably take steps to protect it and the contents from unauthorised access, damage and theft (e.g. turning off the lights, locking the doors and setting the alarm). This same principle can be applied to information – steps must be put in place to protect it. If left unprotected, information can be accessed by anyone. If information should fall into the wrong hands, it can wreck lives, bring down businesses and even be used to commit harm. Quite often, ensuring that information is appropriately protected is both a business and legal requirement. In addition, taking steps to protect your own personal information is a matter of privacy retention and will help prevent identity theft.

Information Breaches

When information is not adequately protected, it may be compromised, and this is known as an information or security breach. The consequences of an information breach are severe. For businesses, a breach usually entails huge financial penalties, expensive lawsuits, and loss of reputation and business. For individuals, a breach can lead to identity theft and damage to financial history or credit rating. Recovering from information breaches can take years and the costs are huge. According to the Ponemon Institute, the average cost of an information breach during 2008 was $202 per record breached. So, if 100,000 records were breached, the average cost for this breach would be $20 million! 70% of this cost is down to lost business as a result of the breach.

A recent, well-publicised information breach occurred at the popular TJX clothing company during 2006/7, when over 45 million credit/debit cards and nearly 500,000 records containing customer names, Social Security and driver's license numbers were compromised. This information is believed to have been compromised due to inadequate protection on their wireless networks, leaving the information exposed. The final costs of the breach are expected to run into the hundreds of millions of dollars and possibly over $1 billion.