Information Systems: Chapter 17
black hat hacker
A computer criminal.
Phishing
A con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software. Phishing attacks leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information, and they cost consumers upward of $3.2 billion a year.
hacktivists
A protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
Honeypots
A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.
Card skimmer
A software program that secretly captures data from a swipe card's magnetic strip.
firewalls
A system that acts as a control for network traffic, blocking unauthorized traffic while permitting acceptable use.
Intrusion detection systems
A system that monitors network use for potential hacking attempts. Such a system may take preventative action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel.
hack
A term that may, depending on the context, refer to either 1) breaking into a computer system, or 2) a particularly clever solution.
hacker
A term that, depending on the context, may be applied to either 1) someone who breaks into computer systems, or 2) a particularly clever programmer.
Certificate Authority
A trusted third party that provides authentication services in public key encryption schemes.
Public Key Encryption
A two-key system used for securing electronic transmissions. One key distributed publicly is used to encrypt (lock) data, but it cannot unlock data. Unlocking can only be performed with the private key. The private key also cannot be reverse engineered from the public key. By distributing public keys, but keeping the private key, Internet services can ensure transmissions to their site are secure.
Most firms don't even know what they need to protect
A worldwide study by PricewaterhouseCoopers and Chief Security Officer magazine revealed _______________
23 percent
According to Accenture, the average cost of a data breach is up _______________ in a single year, to $11.7 million.
Bad guys
Motivations include: account theft and illegal funds transfer; stealing personal or financial data; compromising computing assets for use in other crimes; extortion; intellectual property theft; espionage; cyberwarfare; terrorism; pranksters; protest hacking (hacktivism); and revenge (disgruntled employees).
Economic Hack Equation
Adversary ROI = Asset value to adversary - Adversary cost
CAPTCHA
An acronym standing for completely automated public Turing test to tell computers and humans apart. The Turing Test is itself an idea (rather than an official test) that one can devise a test to tell computers apart from humans.
Stay vigilant
An appropriate level of questioning applies not only to computer use, but also to personal interactions, be it in person, on the phone, or electronically.
brute-force attack
An attack that exhausts all possible password combinations in order to break into an account. The larger and more complicated a password or key, the longer a brute-force attack will take.
distributed denial of service (DDoS)
An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets.
Blended threats
Attacks combining multiple malware or hacking exploits
zero-day exploit
Attacks that are so new that they haven't been clearly identified, and so they haven't made it into security screening systems.
Surf smart
Avoid suspicious e-mail attachments and Internet downloads. Be on guard for phishing and other attempts to con you into letting in malware.
True
Baby monitors, children's toys, smart TVs, networked printers, security cameras, and smart speakers have all been used to perform illegal hacks.
Damaging cyberwarfare
Brazil has seen hacks that cut off power to millions; attacks in Spring 2018 cut off communications of at least seven US pipeline firms; and the 60 Minutes news program showed a demonstration by "white hat" hackers that could compromise a key component in an oil refinery, force it to overheat, and cause an explosion.
Key (encryption)
Code that unlocks encryption.
dumpster diving
Combing through trash to identify valuable assets.
social engineering
Con games that trick employees into revealing information or performing other tasks that compromise a firm.
social engineering
Con games that trick employees into revealing information or performing other tasks that compromise a firm are known as _____ in security circles. Options: information fishing; identity theft; impostor scams; social engineering; artifices.
phishing
Cons executed through technology and that often try to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information constitute:
cash-out fraudsters
Criminals who purchase assets from data harvesters to be used for illegal financial gain. Actions may include using stolen credit card numbers to purchase goods, creating fake accounts via identity fraud, and more.
SamSam Ransomware Attacks
Crippled city of Atlanta's government websites
data harvesters
Cybercriminals who infiltrate systems and collect data for illegal resale.
Be settings smart
Don't turn on risky settings like unrestricted folder sharing that may act as an invitation for hackers to drop off malware payloads. Secure home networks with password protection and a firewall. Encrypt hard drives—especially on laptops or other devices that might be lost or stolen.
A US government contractor, thought by many to be a whistle-blower, who released (in violation of US law) secret documents exposing state-run surveillance networks.
Edward Snowden is:
Lock down hardware
Firms in especially sensitive industries such as financial services may regularly re-image the hard drive of end-user PCs, completely replacing all the bits on a user's hard drive with a pristine, current version—effectively wiping out malware that might have previously sneaked onto a user's PC.
Patch
Firms must be especially vigilant to pay attention to security bulletins and install software updates (often referred to as patches) that plug existing holes. Firms that don't plug known problems will be vulnerable to trivial and automated attacks.
shoulder surfing
Gaining compromising information through observation (as in looking over someone's shoulder).
70 percent
Gartner estimates that ______________% of loss-causing security incidents involve insiders.
whitelists
Highly restrictive programs that permit communication only with approved entities and/or in an approved manner.
Botnets
Hordes of surreptitiously infiltrated computers, linked and controlled remotely, also known as zombie networks. Some botnets are capable of sending out 100 billion spam messages a day, and botnets as large as ten million zombies have been identified.
201 days and 70 days
IBM claims the average time to identify a breach in the study was ___________, and the average time to contain a breach was _____________.
SQL injection technique
It zeros in on a sloppy programming practice where software developers don't validate user input.
True
Keylogger spyware can be either software-based or hardware-based. T/F
RAM scraping or storage scanning software
Malicious code that scans computing memory (RAM, hard drives, or other storage) for sensitive data, often looking for patterns such as credit card or Social Security numbers.
Mobile Phone Security
Malware might infiltrate a smartphone via e-mail, Internet surfing, MMS attachments, or even Bluetooth.
Stay armed
Many vendors offer a combination of products that provide antivirus software that blocks infection, personal firewalls that repel unwanted intrusion, malware scanners that seek out bad code that might already be nesting on your PC, antiphishing software that identifies if you're visiting questionable websites, and more.
Equifax
One of three leading firms whose business it is to monitor the creditworthiness of adults in the US and abroad. Hackers exploiting a known vulnerability grabbed data on 143 million consumers. Pretty much everyone in the US with a bank account or credit card was compromised.
False
One way to enhance security against malware on smartphones is to modify the phone to work off network. T/F
Malicious adware
Programs installed without full user consent or knowledge that later serve unwanted advertisements.
blacklists
Programs that deny the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions.
Viruses
Programs that infect other software or files. They require an executable (a running program) to spread, attaching to other executables.
Worms
Programs that take advantage of a security vulnerability to automatically spread, but unlike viruses, worms do not require an executable.
False
Public key encryption is considered far weaker than private key encryption, so most websites avoid using public key systems. T/F
Encryption
Scrambling data using a code or formula, known as a cipher, such that it is hidden from those who do not have the unlocking key.
white hat hacker
Someone who uncovers computer weaknesses without exploiting them. The goal of the white hat hacker is to improve system security.
False
Students are discouraged from using over-the-Internet backup services since these are known sources for security vulnerability. T/F
True
Stuxnet showed that with computers at the heart of so many systems, it's now possible to destroy critical infrastructure without firing a shot. T/F
Biometrics
Technologies that measure and analyze human body characteristics for identification or authentication. These might include fingerprint readers, retina scanners, voice and face recognition, and more.
voice-print
Technology that identifies users via unique characteristics in speech.
Spoofed
Term used in security to refer to forging or disguising the origin or identity. E-mail transmissions and packets that have been altered to seem as if they came from another source are referred to as being "______________."
worms do not need an executable to spread, unlike viruses.
The key difference between viruses and worms is that: Options: viruses are spread over online technologies such as the Internet, unlike worms; viruses affect systems by pretending to be something they are not, unlike worms; viruses spread faster than worms; worms need a running program to spread, unlike viruses; worms do not need an executable to spread, unlike viruses.
Trojans
The payload is released when the user is duped into downloading and installing the malware cargo, oftentimes via phishing exploits.
tokenization
The phrase __________________ refers to security schemes that automatically send one-time use representations of a credit card which can be received and processed by banking and transaction firms at the time of payment. They are used in Apple Pay and Android Pay.
Network Threats
The retailer TJX (parent of Marshalls, HomeGoods, and T. J. Maxx stores) was hacked when a Wi-Fi access point was left open and undetected. A hacker just drove up and performed the digital equivalent of crawling through an open window. The crooks stole at least 45.7 million credit and debit card numbers and pilfered driver's licenses and other private information from an additional 450,000 customers, a breach that eventually inflicted over $1.35 billion in damages on the retailer.
spoof
The term _____________ refers to forging or disguising the origin or identity.
6.5
The typical Web user has ________ passwords.
Stay updated
Turn on software update features for your operating system and any application you use.
Multi-factor authentication
When identity is proven by presenting more than one item for proof of credentials. Multiple factors often include a password and some other identifier such as a unique code sent via e-mail or mobile phone text, a biometric reading (e.g., fingerprint or iris scan), a swipe or tap card, or other form of identification.
All of the above
Which of the following factors is thought to have been at work during the Target security breach? Options: notifications from security software were ignored; the database for credit card transactions wasn't sufficiently isolated from other parts of the system; Target's security software could have automatically deleted detected malware, but this function was turned off; malicious code was disguised by using the name of a legitimate software product; none of the above; all of the above.
Information security isn't just a technology problem.
Which of the following is a valid observation regarding information security? Options: procedural factors that lead to a security breach are impossible to control; information security should be the sole responsibility of senior management; it is possible to make any security system one hundred percent foolproof; financial loss is the only fallout of a security breach in an organization; information security isn't just a technology problem.
Adobe
Who is a bigger target for malware attacks, Microsoft or Adobe?
U.S. firms complain that the actions of surveillance agencies have put them at a disadvantage by damaging their reputation.
Why have US technology firms complained that U.S. government surveillance techniques put them at a disadvantage relative to foreign firms?
Be disposal smart
Wipe hard drives with an industrial strength software tool before recycling, donating, or throwing away—remember in many cases "deleted" files can still be recovered.
2M+ and $45B
____________ cyber incidents in 2018, resulting in losses topping __________.
SQL injection technique
_______________ is an example of an exploit in which hackers target security vulnerabilities caused by software developers not validating user input. Options: CQL insertion technique; Trojan technique; unstructured validation technique; SQL injection technique; data subversion technique.
Heartbleed bug
A vulnerability in the OpenSSL security software, which is used by about two-thirds of websites and is embedded into all sorts of Internet-connected products. It exploited a bug in a common function that allowed servers to "handshake," or verify they exist and are open for communication.
A 2018 indictment filed by the US Special Counsel
alleged a Russian government-linked conspiracy aimed at "impairing, obstructing and defeating the lawful governmental functions of the United States." The indictment claims a multi-year effort backed by tens of millions of dollars aimed at influencing American opinion. Alleged efforts were specifically designed to benefit campaigns of Bernie Sanders and underdog-turned-president Donald Trump. Russian-linked efforts allegedly included an army of false-fact-spewing fake social media personas, as well as social media groups posing as initiatives led by US citizen activists. It is believed some of these groups accrued over 100,000 followers.
Ransomware
Allows criminals to move beyond extortion to take data assets hostage. It locks and encrypts infected computers, rendering them unusable and irrecoverable unless instructions are followed—often involving payment in untraceable bitcoin.
service level agreements (SLAs)
build security expectations and commitments into performance guarantees
Rise of big data
corporations have become data pack rats, hoarding information in hopes of turning bits into bucks by licensing databases, targeting advertisements, or cross-selling products.
Bit.ly
A link-shortening service that criminals use to shorten and hide malicious links.
Related programming exploits
cross-site scripting attacks, buffer overflow vulnerabilities, and HTTP header injection.
$2T
cybercrime and cyber espionage will cost the US economy ____________ by 2019.
former CIA employee and NSA contractor, Edward Snowden
disclosures revealed that several US government agencies, including the NSA and FBI, had data-monitoring efforts far more pervasive than many realized. These included mechanisms for the "direct access to audio, video, photographs, e-mails, documents and connection logs" at nine major US Internet companies, including Google, Facebook, Yahoo!, Microsoft, and Apple, and unlimited access to phone records from Verizon's US customers.
Back up
The most likely threat to your data doesn't come from hackers; it comes from hardware failure.
Stuxnet
infiltrated Iranian nuclear facilities and reprogrammed the industrial control software operating hundreds of uranium-enriching centrifuges. The worm made the devices spin so fast that the centrifuges effectively destroyed themselves, in the process setting back any Iranian nuclear ambitions. The attack was so sophisticated that it even altered equipment readings to report normal activity so that operators didn't even know something was wrong until it was too late.
flatter organizations
lower-level employees may be able to use technology to reach deep into corporate assets—amplifying threats from operator error, a renegade employee, or one compromised by external forces.
Target
Hackers managed to install malware in Target's security and payments system. This code was designed to steal every credit card used in the company's 1,797 US stores. The bad guys' data-snarfing malware went operational on November 27. Reports say 40 million cards used at Target were stolen and additional personal information on 70 million customers was exposed.
Spyware
monitors user actions or network traffic, or scans for files.
1/3 and 48%
most organizations don't document enforcement procedures in their information security policies, that more than _________ do not audit or monitor user compliance with security policies, and that only __________% annually measure and review the effectiveness of security policies.
Credit card processor Heartland
The nation's fifth largest payments processor. It's been estimated that as many as 100 million cards issued by more than 650 financial services companies may have been compromised during the Heartland breach.
Public wireless connections
pose significant security threats—they may be set up by hackers who pose as service providers while really launching attacks on or monitoring the transmissions of unwitting users.
malicious pranksters (sometimes called griefers or trolls)
posted seizure-inducing images on websites frequented by epilepsy sufferers
International Organization for Standards (ISO)
provides "a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System."
Screen capture
records the pixels that appear on a user's screen for later playback in hopes of identifying proprietary information.
Keylogger
records user keystrokes. __________ can be either software based or hardware based, such as a recording "dongle" that is plugged in between a keyboard and a PC
Children's Online Privacy Protection Act
regulates data collection on minors
Gramm-Leach-Bliley Act
regulates financial data
HIPAA (the Health Insurance Portability and Accountability Act)
regulates health data
Malware
seeks to compromise a computing system without permission. Client PCs and a firm's servers are primary targets, but as computing has spread, __________ now threatens nearly any connected system running software, including mobile phones, embedded devices, ATMs, point-of-sale equipment, and a firm's networking equipment.