COB 204 Chapter 7: Information Security
Controls (defense mechanisms)
- implemented by organizations to protect their information assets
- designed to protect all of the components of an information system, including data, software, hardware, and networks
Two Types of Auditors and Audits
- internal
- external
Business Continuity Plan (disaster recovery plan)
- provides guidance to the people who keep the business operating after a disaster occurs
- used to prepare for, react to, and recover from events that affect the security of information assets
Public-Key Encryption (asymmetric encryption)
- uses two different keys: a public key (locking key) and a private key (unlocking key)
- both keys are created simultaneously using the same mathematical formula or algorithm
3 Most Common Risk Mitigation Strategies
1.) Risk Acceptance - accept the potential risk, continue operating with no controls, and absorb any damages that occur
2.) Risk Limitation - limit the risk by implementing controls that minimize the impact of the threat
3.) Risk Transference - transfer the risk by using other means to compensate for the loss, such as by purchasing insurance
3 Categories of IS Auditing Procedures
1.) auditing around the computer
2.) auditing through the computer
3.) auditing with the computer
Two Major Functions of Access Controls
1.) authentication
2.) authorization
Five Key Factors contributing to the increasing vulnerability of an organization's information resources
1.) interconnected, interdependent, wirelessly networked business environment
2.) smaller, faster, cheaper computers and storage devices
3.) decreasing skills necessary to be a computer hacker
4.) international organized crime taking over cybercrime
5.) lack of management support
Two Types of Spyware
1.) keystroke loggers
2.) screen scrapers
4 Identity Theft Techniques
1.) stealing mail or dumpster diving
2.) stealing personal information in computer databases
3.) infiltrating organizations that store large amounts of personal information
4.) impersonating a trusted organization in an electronic communication
Two Social Engineering Techniques
1.) tailgating
2.) shoulder surfing
Unintentional Threats
acts performed without malicious intent that nevertheless represent a serious threat to information security (major category = Human Error)
Social Engineering
an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords
Transport Layer Security (secure sockets layer)
an encryption standard used for secure transactions such as credit card purchases and online banking
Audit (in Information Systems)
an examination of information systems, their inputs, outputs, and processing
Trade Secret
an intellectual work, such as a business plan, that is a company secret and is not based on public information, e.g., the formula for Coca-Cola
Patent
an official document that grants the holder exclusive rights on an invention or a process for a specified period of time
Threat (to an information resource)
any danger to which a system may be exposed
Something the user KNOWS
authentication mechanism that includes passwords and passphrases
Something the user HAS
authentication mechanism that includes regular ID cards, smart ID cards, and tokens
Something the user DOES
authentication mechanism that includes voice and signature recognition
Biometrics (something the user IS)
authentication method that examines a person's innate physical characteristics
Tracking Cookies
can be used to track your path through a Web site, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes
Business Continuity
chain of events linking planning to protection and to recovery
Alien Software (pestware)
clandestine software that is installed on your computer through duplicitous methods
Privilege
collection of related computer system operations that a user is authorized to perform
Authentication
confirms the identity of the person requiring access
Sabotage or Vandalism
deliberate acts that involve defacing an organization's Web site, potentially damaging the organization's image and causing its customers to lose faith
Authorization
determines which actions, rights, or privileges the authenticated person has
Digital Certificate
electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format
Internal Auditing
frequently performed by corporate internal auditors
Risk Management
goal is to identify, control, and minimize the impact of threats
Blacklisting
includes certain types of software that are not allowed to run in the company environment
Risk Analysis
involves three steps:
1.) assessing the value of each asset being protected
2.) estimating the probability that each asset will be compromised
3.) comparing the probable costs of the asset's being compromised with the costs of protecting that asset
Demilitarized Zone (DMZ)
located between the two firewalls
Shoulder Surfing
occurs when a perpetrator watches an employee's computer screen over the employee's shoulder
Information Extortion
occurs when an attacker threatens to steal, or actually steals, information from a company
Espionage or Trespass
occurs when an unauthorized individual attempts to gain illegal access to organizational information
Risk Mitigation
the organization takes concrete actions against risks; has two functions:
1.) implementing controls to prevent identified threats from occurring
2.) developing a means of recovery if the threat becomes a reality
Spamware
pestware that uses your computer as a launch pad for spammers
Least Privilege
posits that users be granted the privilege for an activity only if there is a justifiable need for them to perform that activity
Passwords
present a huge information security problem in all organizations
Physical Controls
prevent unauthorized individuals from gaining access to a company's facilities, e.g., walls, doors, locks, guards, alarm systems
Virtual Private Network
private network that uses a public network (usually the Internet) to connect users
Whitelisting
process in which a company identifies the software that it will allow to run on its computers
Encryption
process of converting an original message into a form that cannot be read by anyone except the intended receiver
Tunneling
process that encrypts each data packet to be sent and places each encrypted packet inside another packet
Intellectual Property
property created by individuals or corporations that is protected under trade secret, patent, and copyright laws
Screen Scrapers (screen grabbers)
record a continuous "movie" of a screen's contents rather than simply recording keystrokes
Keystroke Loggers (keyloggers)
record both your individual keystrokes and your Internet Web browsing history
Cyberterrorism and Cyberwarfare
refer to malicious acts in which attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda
*Information Security*
refers to all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction
Cybercrime
refers to illegal activities conducted over computer networks, particularly the Internet
Access Controls
restrict unauthorized individuals from using information resources
External Auditor
reviews the findings of the internal audit as well as the inputs, processing, and outputs of information systems
Employee Monitoring Systems
scrutinize their employees' computers, e-mail activities, and Internet surfing activities
Passphrase
series of characters that is longer than a password but is still easy to memorize
Cookies
small amounts of information that Web sites store on your computer, temporarily or more or less permanently
Anti-Malware Systems (antivirus software) (AV)
software packages that attempt to identify and eliminate viruses, worms, and other malicious software
Adware
software that causes pop-up advertisements to appear on your screen
Spyware
software that collects personal information about users without their consent
Copyright
statutory grant that provides the creators or owners of intellectual property with ownership of the property for a designated period of time
Firewall
system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network
- External - faces the Internet
- Internal - faces the company network
Tailgating
technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry
Security
the degree of protection against criminal activity, danger, damage, and/or loss
Identity Theft
the deliberate assumption of another person's identity, usually to gain access to his or her financial information or to frame him or her for a crime
Exposure (to an information resource)
the harm, loss, or damage that can result if a threat compromises that resource
Vulnerability (of an information resource)
the possibility that the system will be harmed by a threat
Risk
the probability that a threat will impact an information resource
Privacy
the right to be left alone and to be free of unreasonable personal intrusion
Certificate Authority
third party that acts as a trusted intermediary between companies that do business over the Internet
Spam
unsolicited e-mail, usually advertising for products and services