CIS Chapter 3

public-key encryption

(also called asymmetrical encryption) a type of encryption that uses two different keys, a public key and a private key.

network controls

(see communication controls)

Bot

A computer that has been compromised by, and under that control of a hacker.

Distributed denial of service (DDoS)

A denial of service attack that sends a flood of data packets from many compromised computers simultaneously.

hot sites

A fully configured computer facility, with all information resource and services, communications links, and physical plant operations, that duplicates your companies computing resources and provides near-real-time recovery of IT operations.

Authentication

A process that determines the identity of the person requiring access.

Demilitarized zone (DMZ)

A separate organizational local area network that is located between an organizations internal network and an external network, usually the internet.

communication controls (also network controls)

Controls that deal with the movement of data across networks.

Controls

Defense mechanisms (also called countermeasures)

Cookie

Small amounts of information that websites store on your computer, temporarily or more or less permanently

Start of Chapter 4

Start of Chapter 4

Cyber Terrorism/Cyberwarfare

Terms of internet attacks

Scripts

The reason is that the internet contains information and computer programs called ____ that users with few skills can download and use to attack any information system connected to the internet.

Cold site

a backup location that provides only rudimentary services and facilities

privilage

a collection of related computer systems operations that can be performed by users of the system

Denial-of-service attack

a cyber attack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources

Botnet

a network of computers that have been compromised by, and under control of a hacker, who is called the botmaster

least privilege

a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

password

a private combination of characters that only the user should know.

virtual private network (VPN)

a private network that uses a public network (usually the internet) to securely connect user by using encryption

whitelisting

a process in which a company identifies accept-able software and permits it to run, and either prevents anything else from running or lets new software run in quarantined environment until the company can verify its validity.

Blacklisting

a process in which a company identifies certain types of software that are not allowed to run in the company environment.

risk transference

a process in which the organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance.

Authorization

a process that determines which actions, , rights or privileges the person has, based on verified identity.

tunnelling

a process that encrypts each data to be sent and places each encrypted packet inside another packet.

risk management

a process that identifies, controls, and minimizes the impact of threats, in an effort to reduces risk to manageable levels.

risk mitigation

a process whereby the organization takes concrete action against risks, such as implementing controls and developing a disaster recovery plan.

platform for privacy

a protocol that automatically communicates privacy policies between and electronic commerce website and and a visitor to that site.

Trojan Horse

a software program containing a hidden function that presents security risks.

risk limitation

a strategy in which organization limits its risk by implementing controls that minimize the impact of a threat

risk acceptance

a strategy in which the organization accepts the potential risk, continues to operate with no controls,a d absorbs amy damages that occur.

Tailgating

a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry.

certificate authority

a third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.

adware

alien software designed to help pop up advertisements appear on your screen

spyware

alien software that can record your keystrokes and/or capture your passwords.

spamware

alien software that uses your computer as a launch platform for spammers.

secure socket layer (SSL) (Transport Layer Security)

also know as transport layer security, an encryption standard use for secure transactions such as credit card purchases and online banking.

phishing attack

an attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official looking email

digital certificate

an electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.

Audit

an examination of information systems, their inputs, outputs, and processing.

Patent

an official document that grants the holders exclusive rights on an invention or a process for a specified period of time.

Security

can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.

alien software

clandestine software that is installed on your computer through duplicitous methods.

physical control

controls that restrict unauthorized individuals from gaining access to a companies computer facility

access controls

controls that restrict unauthorized individuals from using information resources and are concerned with user identity.

Piracy

copying a software program without making a payment to the owner - including giving a disc to a friend to install on his or her own computer.

worms

destructive programs that replicate themselves without requiring another program to provide a safe environment for replication

geotag

embedding images with with longitude and latitude of the location shown in the image.

Photo tagging

facial recognition software then indexes facial feature.

social engineering

getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.

Common good approach

highlights the interlocking relationships that underlie all societies.

Cybercrime

illegal activity executed on the internet

untrusted network

in general, is any network external to your organization

Trusted Network

in general, is any network within your organization.

Privacy issues

involve collecting, storing, and disseminating information about individuals.

Accuracy issues

involve the authenticity, fidelity, and correctness of information that is collected and processed.

property issues

involve the ownership and value of information

Copyright

is a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.

Trade Secret

is an intellectual work, such as a business plan, that is a company secret and is not based on public information.

unethical legal

is not necessarily illegal. For example, a banks decision to foreclose on a home can be technically legal, but it can raise many ethical questions.

Identity Theft

is the deliberate assumption of another persons identity, usually to gain access to his or her financial information or to frame him or her for a crime.

Vulnerability

is the possibility that the system will be harmed by a threat.

Intellectual property

is the property that is created by individual or corporations that is protected under trade secret, patent, and copyright law.

rights approach

maintains that an ethical action is the one that best protects and respects the moral rights of the affected person.

malware

malicious software such as viruses and worms

viruses

malicious software that can attach itself to (or infect) other computer programs without the owner of the program being aware of infection.

Responsibility

means that you accept consequences of your decisions and actions

Shoulder surfing

occurs when a perpetrator watches an employees computer screen over the employees shoulder.

Exposure

of an information resource is the harm, loss or damage that can result if a threat compromises that resource.

Dumpster Diving

one form of theft, ____, involves the practice of rummaging through commercial or residential trash to find information that has been discarded.

Fairness approach

posits that ethical actions treat all human beings equally, or if unequally, then fairly, based on some defensible standard.

Information security

refers to all of the processes and policies designed to protect an organizations information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

Accountability

refers to determining who is responsible for actions that were taken.

accessibility issues

revolve around who should have access to information and whether a fee should be paid for this access

logics bombs

segments of computer code embedded within an organizations existing computer program.

blogs

short for weblog an informal, personal journal that is frequently updated and is intended for general public reading.

Anti-malware systems (antivirus system)

software packages that attempt to identify and eliminate viruses, worms, and other malicious software.

Utilitarian Approach

states than an ethical action is the best one that provides the most good or does the least harm.

Employee monitoring system

systems that monitor employees computers, email activities, and internet surfing activities.

transborder data flow

the absence of consistent or uniform standards for privacy and security obstructs the flow of information among countries.

security

the degree of protection against criminal activity, damage, and/or loss

risk

the likely hood that a threat will occur

customer chum

the loss of business caused by increased customer turnover

vulnerability

the possibility that an information resource will be harmed by a threat.

risk analysis

the process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the probable costs of each being compromised with the cost of protecting it

encryption

the process of converting an original message into a form that cannot be read by anyone except the intended receiver.

privacy

the right to be left alone and to be free of unreasonable personal intrusion

biometrics

the science and technology of authentication (i.e, establishing the identity of an individual) by measuring the subjects physiological or behavioral characteristics.

networking sites

these sites appear on the internet , with corporate intranets, and on blogs

Threat

to an information resource is any danger to which the system may be exposed.

Back door (trap door)

typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

spam

unsolicited email

URL filtering

using software to block connections to inappropriate websites.