Chapter 13: Information Security and Controls


worms

destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.

trojan horse

a software program containing a hidden function that presents a security risk.

cold site

a backup location that provides only rudimentary services and facilities.

denial-of-service attack

a cyber attack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources.

distributed denial-of-service (DDoS) attack

a denial-of-service attack that sends a flood of data packets from many compromised computers simultaneously.

patent

a document that grants the holder exclusive rights on an invention or process for a specified period of time, currently 20 years.

hot sites

a fully configured computer facility, with all information resources and services, communications links, and physical plant operations, that duplicates your company's computing resources and provides near real time recovery of IT operations.

copyright

a grant that provides the creator of intellectual property with ownership of it for a specified period of time, currently the life of the creator plus 50 years.

back door (trap door)

a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

cyber-terrorism

a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in physical attacks against noncombatant targets by subnational groups or clandestine agents.

least privilege

a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

virtual private network (VPN)

a private network that uses a public network (usually the internet) to securely connect users by using encryption.

whitelisting

a process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity.

blacklisting

a process in which a company identifies certain types of software that are not allowed to run in the company environment.

risk transference

a process in which the organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance.

authentication

a process that determines the identity of the person requiring access.

authorization

a process that determines which actions, rights, or privileges the person has, based on verified identity.

tunnelling

a process that encrypts each data packet to be sent and places each encrypted packet in another packet.

risk management

a process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels.

risk mitigation

a process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan.

demilitarized zone (DMZ)

a separate organizational local area network that is located between an organization's internal network and an external network, usually the internet.

warm site

a site that provides many of the same services and options as the hot site, but does not include the company's applications.

certificate authority

a third party that acts as a trusted intermediary between computers by issuing digital certificates and verifying the worth and integrity of the certificate.

adware

alien software designed to help pop-up advertisements appear on your screen.

spyware

alien software that can record your keystrokes and/or capture your passwords.

spamware

alien software that uses your computer as a launch platform for spammers.

phishing attack

an attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official-looking email.

digital certificate

an electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.

secure sockets layer (SSL)

an encryption standard used for secure transactions such as credit card purchases and online banking.

general controls

automated controls that affect multiple IS, such as access control.

alien software

clandestine software that is installed on your computer through duplicitous methods.

control environment

controls that affect multiple functional IS or the entire organization and include management attitudes towards controls.

application controls

controls that apply to input, processing or output for a particular functional information system.

communication controls (network controls)

controls that deal with the movement of data across networks.

physical control

controls that restrict unauthorized individuals from gaining access to a company's computer facilities.

access controls

controls that restrict unauthorized individuals from using information resources and are concerned with user identification.

controls

defense mechanisms (also called countermeasures) are actions used to safeguard assets, optimize the use of the organization's resources, and prevent or detect errors or fraud.

social engineering

getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.

cyber-crime

illegal activities executed on the internet.

audit

in an IS environment, an examination of information systems, their inputs, outputs, and processing.

trade secret

intellectual work, such as a business plan, that is a company secret and is not based on public information.

malware

malicious software such as viruses and worms.

viruses

malicious software that can attach itself to other computer programs without the owner of the program being aware of the infection.

spear phishing attack

phishing attacks that use specific personal information.

logic bombs

segments of computer code embedded within an organization's existing computer program.

cookie

small amounts of information that websites store on your computer, temporarily or permanently.

intellectual property

the intangible property created by individuals or corporations, which is protected under trade secret, patent, and copyright laws.

risk analysis

the process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the probable costs of each being compromised with costs of protecting it.

encryption

the process of converting an original message into a form that cannot be read by anyone except the intended receiver.

logical controls

controls that are implemented by software.
