CIS301 Final


drive-by download

The use of malicious software to attack a computer by downloading harmful programs onto a computer, without the user's knowledge, while they are surfing a website.

Public Key Encryption

Used prevalently on the web, it allows secure messages to be sent between parties without having to agree on, or share, a secret key. It uses an asymmetric encryption scheme in which the encryption key is made public, but the decryption key is kept private. Public key encryption uses two keys: one shared (or public) and one totally private, as shown in Figure 8.6. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key. To send and receive messages, communicators first create separate pairs of private and public keys. The public key is kept in a directory, and the private key must be kept secret. The sender encrypts a message with the recipient's public key. On receiving the message, the recipient uses his or her private key to decrypt it.

zero-day vulnerabilities

security vulnerabilities in software, unknown to the creator, that hackers can exploit before the vendor becomes aware of the problem

Sarbanes-Oxley Act

A law passed by Congress that requires the CEO and CFO to certify that their firm's financial statements are accurate.

Spyware

software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.

Malware

software that is intended to damage or disable computers and computer systems.

application controls

specific controls unique to each computerized application that ensure that only authorized data are completely and accurately processed by that application. Can be classified as:
1. input controls
2. processing controls
3. output controls

Push-based model

supply chain driven by production master schedules based on forecasts or best guesses of demand for products, and products are "pushed" to customers. The difference between push- and pull-based models is summarized by the slogan "Make what we sell, not sell what we make."

supply chain planning systems

systems that enable a firm to generate demand forecasts for a product and to develop sourcing and manufacturing plans for that product. Such systems help companies make better decisions, such as determining how much of a specific product to manufacture in a given time period; establishing inventory levels for raw materials, intermediate products, and finished goods; determining where to store finished goods; and identifying the transportation mode to use for product delivery.

Public Key Infrastructure (PKI)

the system for issuing pairs of public and private keys and corresponding digital certificates

biometric authentication

uses systems that read and interpret individual human traits, such as fingerprints, irises, and voices to grant or deny access.

Authentication

verifying the identity of the person or device attempting to access the system

Passwords

Authentication is often established by using passwords known only to authorized users

Network Address Translation (NAT)

A technique that allows private IP addresses to be used on the public Internet. NAT conceals the IP addresses of the organization's internal host computer(s) to prevent sniffer programs outside the firewall from ascertaining them and using that information to penetrate internal systems.

Evil Twins

A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.

Distributed Denial of Service (DDoS)

An attack that uses multiple zombie computers (even hundreds or thousands) in a botnet to flood a device with requests.

Debugging

Finding and fixing problems in your algorithm or program.

denial-of-service (DoS) attack

Flooding a network server or Web server with false communications or requests for services in order to crash the network.

controls

Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards

cracker

a hacker with criminal intent

Unified Threat Management (UTM)

comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software. UTM products are available for all sizes of networks. Leading UTM vendors include Fortinet, Sophos, and Check Point, and networking vendors such as Cisco Systems and Juniper Networks provide some UTM capabilities in their products.

identity management

consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources

security policy

consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals

Partner relationship management (PRM)

focuses on keeping vendors satisfied by managing alliance partner and reseller relationships that provide customers with the optimal sales channel

General Controls

govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure

Sales Force Automation (SFA)

modules in CRM systems help sales staff increase productivity by focusing sales efforts on the most profitable customers, those who are good candidates for sales and services. SFA modules provide sales prospect and contact information, product information, product configuration capabilities, and sales quote generation capabilities. Such software can assemble information about a particular customer's past purchases to help the salesperson make personalized recommendations.

managed security service providers (MSSPs)

monitor network activity and perform vulnerability testing and intrusion detection. SecureWorks, AT&T, Verizon, IBM, Perimeter eSecurity, and Symantec are leading providers of MSSP services.

token

physical device similar to an identification card that is designed to prove the identity of a single user

click fraud

the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser

downtime

Refers to a period of time when a system is unavailable

hacker

a person who uses computers to gain unauthorized access to data.

Examples of major data breaches

- Anthem Health Insurance
- Sony
- Home Depot
- Target
- eBay

Types of general controls

- Software controls
- Hardware controls
- Computer operations controls
- Data security controls
- Implementation controls
- Administrative controls

business processes supported by enterprise systems

- financial and accounting processes
- human resources processes
- manufacturing and production processes
- sales and marketing processes

Why systems are vulnerable

- Accessibility of networks
- Internet vulnerabilities
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorized changes)
- Disasters
- Use of networks/computers outside of firm's control
- Wireless security challenges

Secure Sockets Layer (SSL)

A protocol developed by Netscape for securely transmitting documents over the Internet that uses a private key to encrypt data. Two methods for encrypting network traffic on the web are SSL and S-HTTP. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session.

identity theft

A crime that involves someone pretending to be another person in order to steal money or obtain benefits

smart card

A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

Botnet

A logical computer network of zombies under the control of an attacker; a group of compromised computers or mobile devices connected to a network

computer crime

Any violation of criminal law that involves knowledge of computer technology for its perpetration, investigation, or prosecution.

Examples of computer crimes

COMPUTERS AS TARGETS OF CRIME
- Breaching the confidentiality of protected computerized data
- Accessing a computer system without authority
- Knowingly accessing a protected computer to commit fraud
- Intentionally accessing a protected computer and causing damage negligently or deliberately
- Knowingly transmitting a program, program code, or command that intentionally causes damage to a protected computer
- Threatening to cause damage to a protected computer

COMPUTERS AS INSTRUMENTS OF CRIME
- Theft of trade secrets
- Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video
- Schemes to defraud
- Using e-mail or messaging for threats or harassment
- Intentionally attempting to intercept electronic communication
- Illegally accessing stored electronic communications, including e-mail and voice mail
- Transmitting or possessing child pornography by using a computer

Online Transaction Processing (OLTP)

Capturing of transaction and event information using technology to process, store, and update

operational CRM

Customer-facing applications such as sales force automation, call center and customer service support, and marketing automation

Acceptable Use Policy (AUP)

Defines acceptable uses of firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the internet.

Gramm-Leach-Bliley Act

requires financial institutions to ensure the security and confidentiality of customer data

ambient data

Hidden data on a computer, such as deleted files and file fragments, as well as information about who has accessed that data and when.

just-in-time (JIT) strategy

If a manufacturer had perfect information about exactly how many units of product customers wanted, when they wanted them, and when they could be produced, it would be possible to implement a highly efficient just-in-time strategy. Components would arrive exactly at the moment they were needed, and finished goods would be shipped as they left the assembly line.

Worms

Independent computer programs that copy themselves from one computer to other computers over a network

supply chain execution systems

Manage flow of products through distribution centers and warehouses to ensure that products are delivered to the right locations in the most efficient manner. They track the physical status of goods, the management of materials, warehouse and transportation operations, and financial information involving all parties.

HIPAA (Health Insurance Portability and Accountability Act)

Outlines medical security and privacy rules and procedures for simplifying the administration of healthcare billing and automating the transfer of healthcare data between healthcare providers, payers, and plans. It requires members of the healthcare industry to retain patient information for six years and ensure the confidentiality of those records.

Encryption

Process of converting readable data into unreadable characters to prevent unauthorized access.

Pharming

Reroutes requests for legitimate websites to false websites

computer virus

Rogue software program that attaches itself to other software programs or data files in order to be executed, often causing hardware and software malfunctions.

war driving

Searching for wireless signals from an automobile or on foot using a portable computing device; deliberately searching for Wi-Fi signals while driving by in a vehicle.

patches

Small pieces of software to repair flaws released by vendors

Ransomware

Software that encrypts programs and data until a ransom is paid to remove it.

Cyberwarfare

State-sponsored activity designed to cripple and defeat another state or nation by damaging or disrupting its computers or networks

Pull-based model

Supply chain driven by actual customer orders or purchases so that members of the supply chain produce and deliver only what customers have ordered. The difference between push- and pull-based models is summarized by the slogan "Make what we sell, not sell what we make."

computer forensics

The application of computer systems and techniques to gather potential legal evidence; a law enforcement specialty used to fight high-tech crime.

Intrusion Detection System (IDS)

a computer program that senses when another computer is attempting to scan or access a computer or network. The system generates an alarm if it finds a suspicious or anomalous event. Scanning software looks for patterns indicative of known methods of computer attacks such as bad passwords, checks to see whether important files have been removed or modified, and sends warnings of vandalism or system administration errors.

digital certificate

a data file that identifies individuals or organizations online and is comparable to a digital signature. A digital certificate system uses a trusted third party, known as a certificate authority (CA), to validate a user's identity. There are many CAs in the United States and around the world, including Symantec, GoDaddy, and Comodo.

touch points

a method of interaction with a customer, such as telephone, email, customer service desk, conventional mail, FB, Twitter, web site, or retail store

supply chain

a network of organizations and facilities that transforms raw materials into products delivered to customers. It links suppliers, manufacturing plants, distribution centers, retail outlets, and customers to supply goods and services from source through consumption. Materials, information, and payments flow through the supply chain in both directions.

Trojan Horse

a program that appears desirable but actually contains something harmful. The term Trojan horse is based on the huge wooden horse the Greeks used to trick the Trojans into opening the gates to their fortified city during the Trojan War. Once inside the city walls, Greek soldiers hidden in the horse revealed themselves and captured the city.

Spoofing

a technique intruders use to make their network or internet transmission appear legitimate to a victim computer or network

Phishing

a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

sniffer

a type of eavesdropping program that monitors information traveling over a network

Wired Equivalent Privacy (WEP)

an encryption algorithm designed to protect wireless transmission data. WEP is not very effective because its encryption keys are relatively easy to crack. WEP provides some margin of security, however, if users remember to enable it. Corporations can further improve Wi-Fi security by using it in conjunction with virtual private network (VPN) technology when accessing internal corporate data.

Customer Lifetime Value (CLV)

approximate worth of a customer to a company in economic terms; overall profitability of an individual consumer

Enterprise Software

built around thousands of predefined business processes that reflect best practices. Leading enterprise software vendors include SAP, Oracle, IBM, Infor Global Solutions, and Microsoft.

Input Controls

check data for accuracy and completeness when they enter the system

Fault-tolerant computer systems

contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. Fault-tolerant computers use special software routines or self-checking logic built into their circuitry to detect hardware failures and automatically switch to a backup device. Parts from these computers can be removed and repaired without disruption to the computer or downtime.

Examples of Malicious Code

cryptolocker --> ransomware/trojan
conficker --> worm
sasser.ftp --> worm
ILOVEYOU --> virus

bugs

defects in the code of an information system

risk assessment

determines the level of risk to the firm if a specific activity or process is not properly controlled

disaster recovery planning

devises plans for the restoration of computing and communications services after they have been disrupted. For example, MasterCard maintains a duplicate computer center in Kansas City, Missouri, to serve as an emergency backup to its primary computer center in St. Louis. Rather than build their own backup facilities, many firms contract with disaster recovery firms such as SunGard Availability Services and Acronis. These disaster recovery firms provide hot sites housing spare computers at locations around the country where subscribing firms can run their critical applications in an emergency.

Cybervandalism

disrupting, damaging, or destroying a website or computer network

output controls

ensure that the results of computer processing are accurate, complete, and properly distributed

Processing Controls

establish that data are complete and accurate during updating

Deep Packet Inspection (DPI)

examines data files and sorts out low-priority online material while assigning higher priority to business-critical files. Based on the priorities established by a network's operators, it decides whether a specific data packet can continue to its destination or should be blocked or delayed while more important traffic proceeds.

packet filtering

examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet, examining individual packets in isolation

security

refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems

application proxy filtering

examines the application content of packets; stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first communicates with the proxy application, and the proxy application communicates with the firm's internal computer. Likewise, a computer user inside the organization goes through the proxy to talk with computers on the outside.

information systems audit

examines the firm's overall security environment as well as controls governing individual information systems

Business Continuity Planning

focuses on restoring business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. For example, Deutsche Bank, which provides investment banking and asset management services in 74 countries, has a well-developed business continuity plan that it continually updates and refines. It maintains full-time teams in Singapore, Hong Kong, Japan, India, and Australia to coordinate plans addressing loss of facilities, personnel, or critical systems so that the company can continue to operate when a catastrophic event occurs.

Social Engineering

hackers use their social skills to trick people into revealing access credentials or other valuable information

Analytical CRM

includes applications that analyze customer data generated by operational CRM applications to provide information for improving business performance. Analytical CRM applications are based on data from operational CRM systems, customer touch points, and other sources that have been organized in data warehouses or analytic platforms for use in online analytical processing (OLAP), data mining, and other data analysis techniques

two-factor authentication

increases security by validating users through a multistep process. To be authenticated, a user must provide two means of identification, one of which is typically a physical token, such as a smartcard or chip-enabled bank card, and the other of which is typically data, such as a password or personal identification number (PIN).

SQL injection attack

inserting a malicious SQL query in input such that it is passed to and executed by an application program

Secure hypertext transfer protocol (SHTTP or HTTPS)

is another protocol used for encrypting data flowing over the Internet, but it is limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers.

cross-selling

is the marketing of complementary products to customers. (For example, in financial services, a customer with a checking account might be sold a money market account or a home improvement loan.) CRM tools also help firms manage and execute marketing campaigns at all stages, from planning to determining the rate of success for each campaign.

Customer Relationship Management (CRM)

managing detailed information about individual customers and carefully managing customer touch points to maximize customer loyalty. A company-wide business strategy designed to optimize profitability, revenue, and customer satisfaction by focusing on highly defined and precise customer groups.

bullwhip effect

occurs when distorted product-demand information ripples from one partner to the next throughout the supply chain. A slight rise in demand for an item might cause different members in the supply chain—distributors, manufacturers, suppliers, secondary suppliers (suppliers' suppliers), and tertiary suppliers (suppliers' suppliers' suppliers)—to stockpile inventory so each has enough just in case. These changes ripple throughout the supply chain, magnifying what started out as a small change from planned orders and creating excess inventory, production, warehousing, and shipping costs

Demand Planning

one of the most important and complex supply chain planning functions. Determines how much product a business needs to make to satisfy all of its customers' demands. JDA Software, SAP, and Oracle all offer supply chain management solutions.

Firewalls

prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization's private internal networks and distrusted external networks, such as the Internet, although firewalls can also be used to protect one part of a company's network from the rest of the network.

antivirus software

prevents, detects, and removes malware, including computer viruses, computer worms, Trojan horses, spyware, and adware. However, most antivirus software is effective only against malware already known when the software was written. To remain effective, the antivirus software must be continually updated. Even then it is not always effective because some malware can evade antivirus detection.

Enterprise Systems

provide enterprise wide support and data access for a firm's operations and business processes. The database collects data from many divisions and departments in a firm and from a large number of key business processes in manufacturing and production, finance and accounting, sales and marketing, and human resources, making the data available for applications that support nearly all an organization's internal business activities. When new information is entered by one process, the information is made immediately available to other business processes

Stateful Inspection

provides additional security by determining whether packets are part of an ongoing dialogue between a sender and a receiver. It sets up state tables to track information over multiple packets. Packets are accepted or rejected based on whether they are part of an approved conversation or attempting to establish a legitimate connection.

Employee relationship management (ERM)

provides employees with a subset of CRM applications available through a web browser. Provides web-based self-service tools that streamline and automate the human resource department.

keyloggers

records every keystroke made on a computer to steal serial numbers for software, to launch internet attacks, to gain access to email accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card or bank account numbers.
