Chapter 8


Explain how software defects affect system reliability and security.

- eliminating all hidden bugs or program code defects is virtually impossible
- cannot prove that a piece of software is dependable until after much operational use
- hackers can exploit bugs to access personal data and encryption keys
- maintaining patches is time-consuming and costly

Describe measures for improving software quality and reliability.

- employing software metrics, which are objective assessments of the system in the form of quantified measurements
- conducting regular testing will contribute significantly to system quality
- testing can prove the correctness of work and uncover errors that may exist in the software

Describe the security and system reliability problems employees create.

- many employees forget their passwords to access computer systems or allow coworkers to use them, which compromises the system
- social engineering: malicious intruders trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information

List and describe the most common threats against contemporary information systems.

- unauthorized access
- tapping
- sniffing: using a sniffer (eavesdropping program)
- theft and fraud
- DoS attack
- DDoS attack
- malware
- radiation

Explain how information systems auditing promotes security and control.

An information systems audit examines the firm's overall security environment as well as controls governing individual information systems. Security audits review technologies, procedures, documentation, training, and personnel. The audit lists and ranks all control weaknesses and estimates the probability of their occurrence.

Define application controls and describe each type of application control.

Application controls: specific controls unique to each computerized application, such as payroll or order processing. They include both automated and manual procedures that ensure only authorized data are completely and accurately processed by that application.
a. Input controls: check data for accuracy and completeness when they enter the system
b. Processing controls: establish that data are complete and accurate during updating
c. Output controls: ensure that the results of computer processing are accurate, complete, and properly distributed

Name and describe three authentication methods.

Authentication: the ability to know that a person is who he or she claims to be.
- Password-based
- Token: a small gadget that is designed to prove the identity of a single user; displays passcodes that change frequently
- Biometric: uses systems that read and interpret individual human traits to grant or deny access
- Two-factor: validates the user through a multi-step process (e.g., a bank card and its PIN)

Identify and describe the security problems cloud computing poses.

Cloud computing is highly distributed.
- When you use the cloud, you may not know precisely where your data is being hosted.
In case a disaster strikes:
- Will the provider be able to restore your data completely? Is the data being protected?
- Will the provider submit to external audits and security certifications?

Define computer crime. Provide two examples of crime in which computers are targets and two examples in which computers are used as instruments of crime.

Computer crime: any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution. (p. 304)
a. Targets of crime:
- breaching the confidentiality of protected computerized data
- accessing a computer system without authority
b. Instruments of crime:
- theft of trade secrets
- schemes to defraud

Describe the relationship between security and control and recent U.S. government regulatory requirements and computer forensics.

Computer forensics: the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. U.S. government regulations are forcing companies to take security and control more seriously by mandating the protection of data from abuse, exposure, and unauthorized access (e.g., HIPAA, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act).

Describe the role of encryption and digital certificates in a public key infrastructure.

Digital certificates: data files used to establish the identity of users and electronic assets for protection of online transactions
- a digital certificate system uses a trusted third party, known as a certificate authority (CA), to validate a user's identity
- the CA makes its own public key available
Public key infrastructure: system for creating public and private keys using a certificate authority and digital certificates for authentication

Distinguish between disaster recovery planning and business continuity planning.

Disaster recovery planning
- devises plans for the restoration of disrupted computing and communications services
- focuses primarily on the technical issues involved in keeping systems up and running
Business continuity planning
- focuses on how the company can restore business operations after a disaster strikes
- identifies critical business processes and determines action plans for handling mission-critical functions if systems go down

Explain how encryption protects information.

Encryption: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and intended receiver
- offers protection by keeping messages or packets hidden from the view of unauthorized readers
- crucial for ensuring the success of electronic commerce between the organization and its customers and between the organization and its vendors

Describe the roles of firewalls, intrusion detection systems, and anti-malware software in promoting security.

Firewalls
- prevent unauthorized users from accessing private networks
- combinations of hardware and software that control the flow of incoming and outgoing traffic
- examine each user's credentials before granting access to a network
Intrusion Detection Systems
- feature full-time monitoring tools placed at the most vulnerable points or hot spots of corporate networks to detect and deter intruders continually
- generate an alarm if they find a suspicious or anomalous event
- can be customized to shut down a particularly sensitive part of a network if it receives unauthorized traffic
Anti-malware Software
- prevents, detects, and removes malware, including computer viruses, computer worms, Trojan horses, spyware, and adware
- most is effective only against malware already known when the software was written
- must be continually updated

Explain how security and control provide value for businesses.

Firms relying on computer systems for their core business functions can lose sales and productivity. Information assets lose much of their value if they are revealed to outsiders or if they expose the firm to legal liability.

Define general controls and describe each type of general control.

General controls: govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. (p. 312)
- software controls
- hardware controls
- computer operations controls
- data security controls
- implementation controls
- administrative controls

Define a hacker and explain how hackers create security problems and damage systems.

Hacker: an individual who intends to gain unauthorized access to a computer system.
Problems:
- system intrusion
- theft of goods and information
- system damage and cybervandalism
- intentional disruption, defacement, or even destruction of a website or corporate information system

Define identity theft and phishing and explain why identity theft is such a big problem today.

Identity theft: a crime in which an imposter obtains key pieces of personal information, such as social security numbers, driver's license numbers, or credit card numbers, to impersonate someone else. Phishing: Setting up fake websites or sending email messages that look like those of legitimate businesses to ask users for confidential personal data. Identity theft is such a big problem today because the Internet has made it easy for identity thieves to use stolen information to purchase goods online. E-commerce sites also hold a lot of personal information.

Explain how security and control provide value for businesses.

Information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or placed in the wrong hands. Inadequate security and control may result in serious legal liability.
Security: the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or damage to information systems
Controls: all methods, policies, and procedures that ensure the safety of the organization's assets

Define malware and distinguish among a virus, a worm, and a Trojan horse.

Malware: malicious software programs such as computer viruses, worms, and Trojan horses
Virus: a rogue software program that attaches itself to other software programs or data files to be executed; most deliver a payload
Worm: independent computer program that copies itself from one computer to another over a network
Trojan horse: a software program that appears to be benign but then does something other than expected; does not replicate

Describe the function of risk assessment and explain how it is conducted for information systems.

Risk assessment: determines the level of risk to the firm in the case of improper controls
1. identify the assets
2. identify the threats
The essential point is to list all things that could be affected by a security problem.

Define and describe the following: security policy, acceptable use policy, and identity management.

Security policy: consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals; drives other policies
Acceptable use policy: defines acceptable uses of the firm's information resources and computing equipment
Identity management: business processes and software tools for identifying the valid users of a system and controlling their access to system resources
