ISA final exam
Smart card
A credit-card-size plastic card that stores digital information and can be used for electronic payments in place of cash.
Phishing
A form of spoofing involving setting up fake websites or sending email messages that look like those of legitimate businesses to ask users for confidential personal data.
Botnet
A group of computers that have been infected with bot malware without users' knowledge, enabling a hacker to use the amassed resources of the computers to launch distributed denial-of-service attacks, phishing campaigns, or spam.
Patent
A patent grants the owner an exclusive monopoly on the ideas behind an invention for a certain period of time, typically 20 years
Hacker
A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.
Trojan horse
A software program that appears legitimate but contains hidden functionality that may cause damage.
Sniffer
A type of eavesdropping program that monitors information traveling over a network.
Slippery slope rule
An action may bring about a small change now that is acceptable, but if it is repeated, it would bring unacceptable changes in the long run
Liability
An amount owed by a business
Trade secret
Any intellectual work product—a formula, device, pattern, or compilation of data—used for a business purpose can be classified as a trade secret, provided that it is not based on information in the public domain.
Ethical no-free-lunch rule
Assume that virtually all tangible and intangible objects are owned by someone else unless there is a specific declaration otherwise. If something someone else has created is useful to you, it has value, and you should assume the creator wants compensation for this work.
SQL injection attack
Attack against a website that takes advantage of vulnerabilities in poorly coded SQL applications to introduce malicious program code into a company's systems and networks.
Unified threat management (UTM)
Comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software
Risk assessment
Determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. Used to determine the cost/benefit of a control.
Golden Rule
Do unto others as you would have them do unto you
Transport Layer Security (TLS)
Enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session; successor to the Secure Sockets Layer (SSL) protocol.
Public key encryption
Encryption using two keys: one shared (or public) and one private.
Immanuel Kant's categorical imperative
If an action is not right for everyone to take, it is not right for anyone
General Data Protection Regulation (GDPR)
It applies to all firms and organizations that collect, store, or process personal information of EU citizens, and these protections apply worldwide regardless of where the processing takes place (European Commission, 2018).
HIPAA
Law outlining medical security and privacy rules and procedures for simplifying the administration of healthcare billing and automating the transfer of healthcare data among healthcare providers, payers, and plans
Sarbanes-Oxley Act
Law that imposes responsibility on companies and their management to protect investors by safeguarding the accuracy and integrity of financial information that is used internally and released externally.
Malware
Malicious software programs are referred to as malware and include a variety of threats such as computer viruses, worms, and Trojan horses
Drive-by download
Malware that comes with a downloaded file that a user unintentionally opens.
Ransomware
Malware that extorts money from users by taking control of their computers, blocking access to files, or displaying annoying pop-up messages.
Opt-out
Model of informed consent permitting the collection of personal information until the consumer specifically requests that the data not be collected.
Opt-in
Model of informed consent prohibiting an organization from collecting any personal information unless the individual specifically takes action to approve information collection and use.
Fair Information Practices (FIP)
Most US and European privacy law is based on a set of principles. FIP is a set of principles governing the collection and use of information about individuals.
Nonobvious relationship awareness (NORA)
NORA can take information about people from many disparate sources, such as "watch" lists, incident and arrest systems, consumer transaction systems, telephone records, and human resources systems, and correlate relationships to find obscure connections that might help identify criminals or terrorists.
General controls
Overall control environment governing the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure.
Pharming
Phishing technique that redirects users to a bogus web page even when the users type the correct web page address into their browser.
Security token
Physical device, similar to an identification card, designed to prove the identity of a single user.
Business continuity planning
Planning that focuses on how the company can restore business operations after a disaster strikes.
Security
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Repetitive stress injury (RSI)
RSI occurs when muscle groups are forced through repetitive actions that are often made with high-impact loads (such as playing tennis) or tens of thousands of repetitions under low-impact loads (such as working at a computer keyboard)
Gramm-Leach-Bliley Act
Requires financial institutions to ensure the security and confidentiality of customer data.
Responsibility
Responsibility means that you accept the potential costs, duties, and obligations for the decisions you make
Password
Secret word or string of characters for authenticating users so that they can access a resource such as a computer system.
HTTPS
Secure version of the HTTP protocol that uses TLS for encryption and authentication.
Anti-malware software
Software designed to detect, and often eliminate, malware from an information system.
Bugs
Software program code defects.
Patches
Software that repairs flaws in programs without disturbing the proper operation of the software.
Application controls
Specific controls unique to each application that ensure that only authorized data are completely and accurately processed by that application.
Security policy
Statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.
Utilitarian principle
Take the action that achieves the higher or greater value
Risk aversion principle
Take the action that produces the least harm or the least potential cost
Spyware
Technology that aids in gathering information about a person or organization without their knowledge.
Carpal tunnel syndrome (CTS)
The most common kind of computer-related RSI is carpal tunnel syndrome (CTS), in which pressure on the median nerve through the wrist's bony structure, called a carpal tunnel, produces pain. The pressure is caused by the constant repetition of keystrokes. Symptoms of CTS include numbness, shooting pain, inability to grasp objects, and tingling
Computer forensics
The scientific collection, examination, authentication, preservation, and analysis of electronically stored information (ESI) in such a way that the information can be used as evidence in a court of law.
Identity theft
Theft of key pieces of personal information, such as credit card or social security numbers, to obtain merchandise and services in the name of the victim or to obtain false credentials.
Multi-factor authentication (MFA)
Tools that increase security by validating users via a multistep process.
Online transaction processing
Transaction processing mode in which transactions entered online are immediately processed by the computer.
Spoofing
Tricking or deceiving computer systems or other computer users by hiding one's identity or faking the identity of another user on the Internet
Social engineering
Tricking people into revealing their passwords by pretending to be legitimate users or members of a company in need of information.
Two-factor authentication (2FA)
Validating user identity with two means of identification, one of which is typically a physical token and the other of which is typically data.
Information rights
What information rights do individuals and organizations possess with respect to themselves? What can these rights protect?
Accountability
Who can and will be held accountable and liable for the harm done to individual and collective information and property rights?
Ethics
a concern of humans who have freedom of choice. Ethics is about individual choice: When faced with alternative courses of action, what is the correct moral choice? What are the main features of ethical choice?
Safe harbor
a private self-regulating policy and enforcement mechanism that meets the objectives of government regulators and legislation but does not involve government regulation or enforcement.
Computer virus
a rogue software program that attaches itself to other software programs or data files to be executed, usually without user knowledge or permission. Most computer viruses deliver a payload
Cyberwarfare
a state-sponsored activity designed to cripple and defeat another state or nation by penetrating its computers or networks to cause damage and disruption.
Web beacons
also called a web bug (or simply tracking file), is a tiny image that keeps a record of users' online clickstreams. They report these data back to whoever owns the tracking file, which can be invisibly embedded in an email message or web page to monitor the behavior of the user visiting the website or receiving the email.
Informed consent
an ethical principle that research participants be told enough to enable them to choose whether they wish to participate
Cryptocurrencies
are digital assets that use blockchain technology and cryptography to create a medium of exchange (currency).
Cookies
are one method used to monitor and track online users. When a user visits a website, the website's web server places a small text file (a "cookie") on the user's computer or mobile device. Cookies identify the visitor's web browser software, as well as other information, and track visits to the website
Controls
are the methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.
Evil twins
are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops. The bogus network looks identical to a legitimate public network.
Computer crime
can be generally defined as the commission of illegal acts by using a computer or against a computer system
Adware
can secretly install itself on an Internet user's computer by piggybacking on larger applications. Once installed, adware calls out to websites to send ads and other unsolicited material to the user
Fault-tolerant computer systems
contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
Digital certificates
data files used to establish the identity of users and digital assets to protect online transactions.
Digital resiliency
deals with maintaining and increasing the resilience of an organization and its business processes in an all-pervasive digital environment, not just the resilience of the IT function.
Acceptable use policy (AUP)
defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, mobile devices, telephones, and the Internet.
Disaster recovery planning
devises plans for the restoration of disrupted computing and communications services.
Digital divide
differing access to computing devices and the Internet, based on socioeconomic, geographic, or demographic characteristics
Information systems audit
examines the firm's overall security environment as well as the controls governing individual information systems
Intrusion detection systems (IDS)
feature full-time monitoring tools placed at the most vulnerable points or hot spots of corporate networks to detect and deter intruders continuously. The system generates an alarm if it finds a suspicious or anomalous event.
Denial-of-service attack (DoS attack)
hackers flood a network server or web server with many thousands of false communications or requests for services in order to crash the network
Distributed denial-of-service attack (DDoS attack)
hackers flood a network server or web server with many thousands of false communications or requests for services in order to crash the network. The network receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests.
Intrusion prevention systems (IPS)
has all the functionalities of an IDS, with the additional ability to take steps to prevent and block suspicious activities.
Due process
is a related feature of law-governed societies and is a process in which laws are known and understood, and ability exists to appeal to higher authorities to ensure that the laws are applied correctly.
Privacy
is the claim of individuals to be left alone, free from surveillance or interference from other individuals or organizations, including the state.
Encryption
is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver.
Data breach
occurs whenever an organization loses control over corporate information to outsiders.
Firewalls
prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.
Copyright
protects creators of intellectual property from having their work copied by others for any purpose for a certain period of time, depending on several factors. As a general rule, copyright protection lasts for the life of the author, plus an additional 70 years after the author's death
Digital Millennium Copyright Act (DMCA)
provides some copyright protection. The DMCA implemented a World Intellectual Property Organization Treaty that makes it illegal to circumvent technology-based protections of copyrighted materials
Keyloggers
record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to email accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card or bank account numbers.
Computer vision syndrome (CVS)
refers to any eyestrain condition related to display screen use with desktop computers, laptops, e-readers, smartphones, and handheld video game players. CVS affects about 90 percent of people who spend three hours or more per day using a display screen.
Downtime
refers to periods of time in which a system is not operational.
Intellectual property
refers to products of the mind created by individuals or corporations. Information technology has made it difficult to protect intellectual property because digital information can be so easily copied or distributed
Authentication
refers to the ability to know that people are who they claim to be. Authentication is often established by using passwords known only to authorized users.
Identity and access management (IAM)
software automates the process of keeping track of all these users and their system privileges, assigning each user a unique digital identity for accessing each system.
Computer abuse
the commission of acts involving a computer that may not be illegal but are considered unethical. The popularity of the Internet, email, and mobile devices has turned one form of computer abuse—spamming—into a serious problem for both individuals and businesses
Cybervandalism
the intentional disruption, defacement, or even destruction of a website or corporate information system
Trademarks
the marks, symbols, and images used to distinguish products in the marketplace. Trademark laws protect consumers by ensuring that they receive what they paid for.
Public key infrastructure (PKI)
the use of public key encryption working with a CA, is now widely used in e-commerce.
Profiling
use of computers to combine data from multiple sources and create digital dossiers of detailed information on individuals is called profiling.
Biometric authentication
uses systems that read and interpret individual human traits, such as facial features, fingerprints, irises, and voices, to grant or deny access. Biometric authentication is based on the measurement of a physical or behavioral trait that makes each individual unique
Spam
was junk email that an organization or individual sent to a mass audience who had expressed no interest in the product or service being marketed. Today, spam typically tries to entice users to select malicious links or may market fraudulent deals and services, outright scams, pornography, illegal or counterfeit drugs, or other objectionable products.
Managed security service providers (MSSPs)
which monitor network activity and perform vulnerability testing and intrusion detection.
