CIS Chapter 3
public-key encryption
(also called asymmetrical encryption) a type of encryption that uses two different keys, a public key and a private key.
network controls
(see communication controls)
Bot
A computer that has been compromised by, and is under the control of, a hacker.
Distributed denial of service (DDoS)
A denial of service attack that sends a flood of data packets from many compromised computers simultaneously.
hot sites
A fully configured computer facility, with all information resources and services, communications links, and physical plant operations, that duplicates your company's computing resources and provides near-real-time recovery of IT operations.
Authentication
A process that determines the identity of the person requiring access.
Demilitarized zone (DMZ)
A separate organizational local area network that is located between an organization's internal network and an external network, usually the internet.
communication controls (also network controls)
Controls that deal with the movement of data across networks.
Controls
Defense mechanisms (also called countermeasures)
Cookie
Small amounts of information that websites store on your computer, temporarily or more or less permanently.
Start of Chapter 4
Cyber Terrorism/Cyberwarfare
Terms of internet attacks
Scripts
The reason is that the internet contains information and computer programs called ____ that users with few skills can download and use to attack any information system connected to the internet.
Cold site
a backup location that provides only rudimentary services and facilities
privilege
a collection of related computer systems operations that can be performed by users of the system
Denial-of-service attack
a cyber attack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources
Botnet
a network of computers that have been compromised by, and are under the control of, a hacker, who is called the botmaster.
least privilege
the principle that users should be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
password
a private combination of characters that only the user should know.
virtual private network (VPN)
a private network that uses a public network (usually the internet) to securely connect users by using encryption.
whitelisting
a process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity.
Blacklisting
a process in which a company identifies certain types of software that are not allowed to run in the company environment.
risk transference
a process in which the organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance.
Authorization
a process that determines which actions, rights, or privileges the person has, based on his or her verified identity.
tunnelling
a process that encrypts each data packet to be sent and places each encrypted packet inside another packet.
risk management
a process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels.
risk mitigation
a process whereby the organization takes concrete action against risks, such as implementing controls and developing a disaster recovery plan.
platform for privacy
a protocol that automatically communicates privacy policies between an electronic commerce website and a visitor to that site.
Trojan Horse
a software program containing a hidden function that presents security risks.
risk limitation
a strategy in which the organization limits its risk by implementing controls that minimize the impact of a threat.
risk acceptance
a strategy in which the organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur.
Tailgating
a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry.
certificate authority
a third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.
adware
alien software designed to help pop-up advertisements appear on your screen.
spyware
alien software that can record your keystrokes and/or capture your passwords.
spamware
alien software that uses your computer as a launch platform for spammers.
secure socket layer (SSL) (Transport Layer Security)
also known as Transport Layer Security, an encryption standard used for secure transactions such as credit card purchases and online banking.
phishing attack
an attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official-looking email.
digital certificate
an electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.
Audit
an examination of information systems, their inputs, outputs, and processing.
Patent
an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.
Security
can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.
alien software
clandestine software that is installed on your computer through duplicitous methods.
physical control
controls that restrict unauthorized individuals from gaining access to a company's computer facility.
access controls
controls that restrict unauthorized individuals from using information resources and are concerned with user identity.
Piracy
copying a software program without making a payment to the owner - including giving a disc to a friend to install on his or her own computer.
worms
destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.
geotag
embedding images with the longitude and latitude of the location shown in the image.
Photo tagging
facial recognition software then indexes facial features.
social engineering
getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.
Common good approach
highlights the interlocking relationships that underlie all societies.
Cybercrime
illegal activity executed on the internet
untrusted network
in general, is any network external to your organization
Trusted Network
in general, is any network within your organization.
Privacy issues
involve collecting, storing, and disseminating information about individuals.
Accuracy issues
involve the authenticity, fidelity, and correctness of information that is collected and processed.
property issues
involve the ownership and value of information
Copyright
is a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.
Trade Secret
is an intellectual work, such as a business plan, that is a company secret and is not based on public information.
unethical legal
is not necessarily illegal. For example, a bank's decision to foreclose on a home can be technically legal, but it can raise many ethical questions.
Identity Theft
is the deliberate assumption of another person's identity, usually to gain access to his or her financial information or to frame him or her for a crime.
Vulnerability
is the possibility that the system will be harmed by a threat.
Intellectual property
is the property that is created by individuals or corporations and that is protected under trade secret, patent, and copyright law.
rights approach
maintains that an ethical action is the one that best protects and respects the moral rights of the affected person.
malware
malicious software such as viruses and worms
viruses
malicious software that can attach itself to (or infect) other computer programs without the owner of the program being aware of infection.
Responsibility
means that you accept the consequences of your decisions and actions.
Shoulder surfing
occurs when a perpetrator watches an employee's computer screen over the employee's shoulder.
Exposure
of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
Dumpster Diving
one form of theft, ____, involves the practice of rummaging through commercial or residential trash to find information that has been discarded.
Fairness approach
posits that ethical actions treat all human beings equally, or if unequally, then fairly, based on some defensible standard.
Information security
refers to all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Accountability
refers to determining who is responsible for actions that were taken.
accessibility issues
revolve around who should have access to information and whether a fee should be paid for this access.
logic bombs
segments of computer code embedded within an organization's existing computer programs.
blogs
short for weblog; an informal, personal journal that is frequently updated and is intended for general public reading.
Anti-malware systems (antivirus system)
software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
Utilitarian Approach
states that an ethical action is the one that provides the most good or does the least harm.
Employee monitoring system
systems that monitor employees' computers, email activities, and internet surfing activities.
transborder data flow
the absence of consistent or uniform standards for privacy and security obstructs the flow of information among countries.
security
the degree of protection against criminal activity, damage, and/or loss
risk
the likelihood that a threat will occur.
customer churn
the loss of business caused by increased customer turnover
vulnerability
the possibility that an information resource will be harmed by a threat.
risk analysis
the process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the probable costs of each being compromised with the cost of protecting it.
encryption
the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
privacy
the right to be left alone and to be free of unreasonable personal intrusion
biometrics
the science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject's physiological or behavioral characteristics.
networking sites
these sites appear on the internet, within corporate intranets, and on blogs.
Threat
to an information resource is any danger to which the system may be exposed.
Back door (trap door)
typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.
spam
unsolicited email
URL filtering
using software to block connections to inappropriate websites.