Management Information Systems Chapter 7 Information Security (WileyPlus) (IS 312)

¡Supera tus tareas y exámenes ahora con Quizwiz!

Risk analysis involves three steps:

(1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset's being compromised with the costs of protecting that asset.

Communication controls (also called network controls)

(Blank) secure the movement of data across networks. (blank) consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks, secure socket layer, and employee monitoring systems.

Public-key encryption (also called asymmetric encryption)

(also called asymmetric encryption) A type of encryption that uses two different keys, a public key and a private key.

warm site

A (blank) provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A (blank) includes computing equipment such such as servers, but it often does not include user workstations.

Privilege

A collection of related computer system operations that can be performed by users of the system

Denial-of-service attack

A cyberattack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources.

Distributed denial-of-service attack

A denial-of-service attack that sends a flood of data packets from many compromised computers simultaneously. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash

Least privilege

A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

(VPN) Virtual private network

A private network that uses a public network (usually the Internet) to securely connect users by using encryption.

Tunneling

A process that encrypts each data packet to be sent and places each encrypted packet inside another packet.

Risk mitigation

A process whereby the organization takes concrete actions against risks 2 functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery if the threat becomes a reality.

Demilitarized zone (DMZ)

A separate organizational local area network that is located between an organization's internal network and an external network, usually the Internet.

Trojan horse

A software program containing a hidden function that presents a security risk.

Certificate authority

A third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.

Risk acceptance

Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Adware

Alien software designed to help pop-up advertisements appear on your screen.

Spyware

Alien software that can record your keystrokes and/or capture your passwords.

Spamware

Alien software that uses your computer as a launch platform for spammers.

Distributed Denial-of-service attack

An attacker takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots--which form a botnet--to deliver a coordinated stream of information requests to a target computer, causing it to crash.

Digital certificate

An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.

Transport Layer Security formerly known as Secure socket layer

An encryption standard used for secure transactions such as credit card purchases and online banking. TLS is indicated by a URL that begins with "https" rather than "http," and it often displays a small padlock icon in the browser's status bar.

vulnerability

An information resource (blank) is the possibility that the system will be harmed by a threat.

Cyberterrorism

Can be defined as a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.

Alien software

Clandestine software that is installed on your computer through duplicitous methods.

Theft of Equipment or Information

Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage

Communications (Network) controls

Controls that deal with the movement of data across networks.

Physical controls

Controls that restrict unauthorized individuals from gaining access to a company's computer facilities.

Identity Theft

Crime in which someone uses the personal information of others to create a false identity and then uses it for some fraud.

Controls

Defense mechanisms (also called countermeasures).

Worm

Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.

10 types of deliberate attacks

Espionage or trespass Information extortion Sabotage and vandalism Theft of equipment and information Identity theft Compromises to intellectual property Software attacks Alien software Supervisory control and data acquisition Cyberterrorism and cyberwarfare

10 common types of deliberate threats

Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information Identity theft Compromises to intellectual property Software attacks Alien software Supervisory control and data acquisition (SCADA) attacks Cyberterrorism and cyberwarfare

Social engineering

Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.

Compare and contrast human mistakes and social engineering, and provide a specific example of each one.

Human mistakes are unintentional errors. However, employees can also make unintentional mistakes as a result of actions by an attacker, such as social engineering. Social engineering is an attack where the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information. An example of a human mistake is tailgating. An example of social engineering is when an attacker calls an employee on the phone and impersonates a superior in the company.

Information Extortion

Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

Trade secret

Intellectual work, such as a business plan, that is a company secret and is not based on public information.

Risk limitation

Limit the risk by implementing controls that minimize the impact of the threat.

Virus

Malicious software that can attach itself to (or "infect") other computer programs without the owner of the program being aware of the infection.

certificate authority

Organizations that conduct business over the internet require a more complex system from a third party, called a (blank), which acts as a trusted intermediary between the companies.

3 risk mitigation strategies

Risk acceptance Risk limitation Risk transference

SCADA (Supervisory Control and Data Acquisition Attacks)

SCADA refers to a large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.

Sabotage or Vandalism

Sabotage and vandalism are deliberate acts that involve defacing an organization's Web site, potentially damaging the organization's image and causing its customers to lose faith. One form of online vandalism is a hacktivist or cyberactivist operation.

Logic bomb

Segments of computer code embedded within an organization's existing computer programs.

Cookies

Small amounts of information that Web sites store on your computer, temporarily or more or less permanently.

Software Attacks

Software attacks have evolved from the early years of the computer era, when attackers used malicious software to infect as many computers worldwide as possible, to the profit-driven, Web-based attacks of today. Types below:

Anti-malware systems

Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.

risk mitigation strategies

The 3 most common (blank) that organizations can adopt. 1. risk acceptance- Accept the potential risk, continue operating with no controls, and absorb any damages that occur 2. risk limitation - Limit the risk by implementing controls that minimize the impact of the threat. 3. risk transference - Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance

Business Continuity plan aka Disaster Recovery plan

The chain of events linking planning to protection and to recovery. In the event of a major disaster, organizations can employ several strategies for business continuity. These strategies include hot sites, warm sites, and cold sites

risk management

The goal of (blank) is to identify, control, and minimize the impact of threats.

Screen scraper or screen grabbers

This software records a continuous "movie" of a screen's contents rather than simply recording keystrokes.

Five factors that contribute to the increasing vulnerability of information resources

Today's interconnected, interdependent, wirelessly networked business environment. Example: The Internet. Smaller, faster, cheaper computers and storage devices. Examples: Netbooks, thumb drives, iPads. Decreasing skills necessary to be a computer hacker. Examples: Information system hacking programs circulating on the Internet. International organized crime taking over cybercrime.Examples: Organized crime has formed transnational cybercrime cartels. Because it is difficult to know exactly where cyberattacks originate, these cartels are extremely hard to bring to justice. Lack of management support. Examples: Suppose that your company spent $10 million on information security countermeasures last year, and they did not experience any successful attacks on their information resources. Short-sighted management might conclude that the company could spend less during the next year and obtain the same results. Bad idea.

Risk transference

Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.

Attacks by a Programmer Developing a System

Trojan Horse Back Door Logic Bomb

Back door

Typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

Remote Attacks Requiring User Action

Virus, Worm, Phishing attack, Spear phishing

Cyberwarfare

War in which a country's information systems could be paralyzed from a massive attack by destructive software.

Something the user is

also known as biometrics, is an authentication method that examines a person's innate physical characteristics.

Security

can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.

Auditing through the computer

checks inputs, outputs, and processing. They review program logic, and test the data contained within the system.

Competitive intelligence

consists of legal information-gathering techniques, such as studying a company's Web site and press releases, attending trade shows, etc.

Authorization

determines which actions, rights, or privileges the person has, based on his or her verified identity.

Transport layer security

formerly called secure socket layer, is an encryption standard used for secure transactions such as credit card purchases and online banking.

Risk analysis

involves three steps Assessing the value of each asset being protected Estimating the probability that each asset will be compromised Comparing the probable costs of the asset's being compromised with the costs of protecting the asset

privilege

is a collection of related computer system operations that a user is authorized to perform.

hot site

is a fully configured computer facility with all of the company's services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations.

virtual private network

is a private network that uses a public network (usually the internet) to connect users.

Copyright

is a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.

Tailgating

is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to "hold the door."

Something the user knows

is an authentication mechanism that includes passwords and passphrases.

Something the user has

is an authentication mechanism that includes regular identification cards, smart ID cards, and tokens.

Something the user does

is an authentication mechanism that includes voice and signature recognition.

patent

is an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.

demilitarized zone (DMZ)

is located between the two firewalls (internal & external). Messages from the internet must first pass through the external firewall.

Malware

is malicious software such as viruses and worms.

risk

is the probability that a threat will impact an information resource.

Auditing with the computer

means using a combination of client data, auditor software, and client and auditor hardware. This approach enables the auditor to perform tasks such as simulation payroll program logic using live data.

Auditing around the computer

means verifying processing by checking for known outputs using specific inputs. This approach is most effective for systems with limited outputs

Shoulder surfing

occurs when a perpetrator watches an employee's computer screen over the employee's shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes.

Espionage or trespass

occurs when an unauthorized individual attempts to gain illegal access to organizational information.

exposure

of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.

3 major types of controls

physical controls access controls communication / network controls

Physical controls

prevent unauthorized individuals from gaining access to a company's facilities. Ex., walls doors, fencing, gates, locks, badges, guards, alarm systems, pressure sensors, temperature sensors, motion detectors

cold site

provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations.

keyloggers

record both your individual keystrokes and your Internet Web browsing history

Information security

refers to all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

Access controls

restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization.

Spear phishing

target large groups of people. In (blank) attacks, the perpetrator attempt to find out as much information about an individual as possible to improve their chances that phishing techniques will obtain sensitive, personal information.

CAPTCHA

the fact that you can transcribe them means that you are probably not a software program run by an unauthorized person, such as a spammer. As a result, attackers have turned to screen scrapers, or screen grabbers.

risk mitigation

the organization takes concrete actions against risks. (blank) has 2 functions: Implementing controls to prevent identified threats from occurring Developing a means of recovery if the threat becomes a reality

threat

to an information resource is any danger to which a system may be exposed.

Public-key encryption (also known as asymmetric encryption)

uses two different keys: a public and a private key. The public key (locking key) and the private key (the unlocking key) are created simultaneously using the same mathematical formula or algorithm.


Conjuntos de estudio relacionados

Fun Exam 3 Practice Test/Questions/Study

View Set

Key vocab chromosomes and meiosis

View Set

Chapter 1: Database Systems Vocab

View Set

Chapter 7. Communicating in Social and Professional Relationships

View Set

Ch. 13: The Nekton-Swimmers of the Sea

View Set

Chapter 16 review Spanish American Revolutions

View Set

Management/Strategy Exam 1 (I-Core)

View Set