MIS Chapter 8

smart card

A credit-card-size plastic card that stores digital information and that can be used for electronic payments in place of cash.

controls

All of the methods, policies, and procedures that ensure protection of the organization's assets, accuracy and reliability of its records, and operational adherence to management standards.

security

Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems

Cyberwarfare

State-sponsored activity designed to cripple and defeat another state or nation by damaging or disrupting its computers or networks

Deep Packet Inspection (DPI)

Technology for managing network traffic by examining data packets, sorting out low-priority data from higher priority business-critical data, and sending packets in order of priority.

evil twin

Wireless networks that pretend to be legitimate to entice participants to log on and reveal passwords or credit card numbers.

sniffer

a type of eavesdropping program that monitors information traveling over a network

identity management

business processes and software tools for identifying the valid users of a system and controlling their access to system resources

phishing

form of spoofing involving setting up fake websites or sending email messages that resemble those of legitimate businesses that ask users for confidential personal data

click fraud

fraudulently clicking on an online ad in pay-per-click advertising to generate an improper charge per click

firewall

hardware and software placed between an organization's internal network and an external network to prevent outsiders from invading private networks

token

physical device similar to an identification card that is designed to prove the identity of a single user

botnet

A group of computers that have been infected with bot malware without users' knowledge, enabling a hacker to use the amassed resources of the computers to launch distributed denial-of-service attacks, phishing campaigns or spam.

Trojan horse

A software program that appears legitimate but contains a second hidden function that may cause damage.

Acceptable Use Policy (AUP)

Defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet, and specifies consequences for noncompliance.

risk assessment

Determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. Used to determine the cost/benefit of a control.

Denial of Service (DoS) attack

Flooding a network server or Web server with false communications or requests for services in order to crash the network.

information systems audit

Identifies all the controls that govern individual information systems and assesses their effectiveness.

malware

Malicious software programs such as computer viruses, worms, and Trojan horses.

drive-by download

Malware that comes with a downloaded file a user intentionally or unintentionally requests

downtime

Period of time in which an information system is not operational.

pharming

Phishing technique that redirects users to a bogus Web page, even when an individual enters the correct Web page address.

Business Continuity Planning

Planning that focuses on how the company can restore business operations after a disaster strikes.

Secure Hypertext Transfer Protocol (S-HTTP)

Protocol used for encrypting data flowing over the Internet; limited to individual messages.

computer virus

Rogue software program that attaches itself to other software programs or data files in order to be executed, often causing hardware and software malfunctions.

antivirus software

Software designed to detect, and often eliminate, computer viruses from an information system.

Public Key Infrastructure (PKI)

System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.

Fault-tolerant computer systems

Systems that contain extra hardware, software, and power supply components that can back a system up and keep it running to prevent system failure.

war driving

Technique in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

biometric authentication

Technology for authenticating system users that compares a person's unique characteristics, such as fingerprints, face, or retinal image, against a stored profile of these characteristics.

spyware

Technology that aids in gathering information about a person or organization without their knowledge.

computer crime

The commission of illegal acts through the use of a computer or against a computer system.

identity theft

Theft of key pieces of personal information, such as credit card or Social Security numbers, in order to obtain merchandise and services in the name of the victim or to obtain false credentials.

spoofing

Tricking or deceiving computer systems or other computer users by hiding one's identity or faking the identity of another user on the Internet.

social engineering

Tricking people into revealing their passwords by pretending to be legitimate users or members of a company in need of information.

hacker

a person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure

digital certificates

an attachment to an electronic message to verify the identity of the sender and to provide the receiver with the means to encode a reply

SQL injection attack

attacks against a web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common database software application) applications in order to introduce malicious program code into a company's systems and networks

managed security service providers (MSSPs)

company that provides security management services for subscribing clients

Unified Threat Management (UTM)

comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software

Secure Sockets Layer (SSL)

enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session.

worms

independent software programs that propagate themselves to disrupt the operation of computer networks or destroy data and other programs

HIPAA

law outlining rules for medical security, privacy, and the management of health care records

Sarbanes-Oxley Act

law passed in 2002 that imposes responsibility on companies and their management to protect investors by safeguarding the accuracy and integrity of financial information that is used internally and released externally.

ransomware

malware that extorts money from users by taking control of their computers or displaying annoying pop-up messages

distributed denial-of-service (DDoS) attack

numerous computers inundating and overwhelming a network from numerous launch points

general controls

overall control environment governing the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure

disaster recovery plan

planning for the restoration of computing and communications services after they have been disrupted

Gramm-Leach-Bliley Act

requires financial institutions to ensure the security and confidentiality of customer data

password

secret word or string of characters for authenticating users so they can access a resource such as a computer system

zero-day vulnerabilities

security vulnerabilities in software, unknown to the creator, that hackers can exploit before the vendor becomes aware of the problem

patches

small pieces of software to repair the software flaws without disturbing the proper operation of the software

bugs

software program code defects

application controls

specific controls unique to each computerized application that ensure that only authorized data are completely and accurately processed by that application

keyloggers

spyware that records every keystroke made on a computer to steal personal information or passwords or to launch internet attacks

security policy

statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals

Authentication

the ability of each party in a transaction to ascertain the identity of the other party

encryption

the coding and scrambling of messages to prevent their being read or accessed without authorization

Cybervandalism

the intentional disruption, defacement, or even destruction of a website or corporate information system

computer forensics

the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law

Intrusion Detection System (IDS)

tools to monitor the most vulnerable points in a network to detect and deter unauthorized intruders

Online Transaction Processing (OLTP)

transaction processing mode in which transactions entered online are immediately processed by the computer.

Public Key Encryption

uses two keys, one shared (or public) and one private

two-factor authentication

validating user identity with two means of identification, one of which is typically a physical token, and the other of which is typically data
