Chapter 8 management 142


fraudulently clicking on an online ad in pay per click advertising to generate an improper charge per click

Click fraud

The intentional disruption, defacement, or even destruction of a website or corporate information system

Cybervandalism

Period of time in which an information system is not operational.

Downtime

Law outlining rules for medical security, privacy, and the management of health care records.

HIPAA

Identifies all the controls that govern individual information systems and assesses their effectiveness.

MIS audit

attacks against a web site that take advantage of vulnerabilities in poorly coded SQL applications (SQL being a standard and common database software application) in order to introduce malicious program code into a company's systems and networks

SQL injection attack

a type of eavesdropping program that monitors information traveling over a network

Sniffer

Technique in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

War driving

Defines acceptable use of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the internet, and specifies consequences for noncompliance.

Acceptable use policy (AUP)

specifically designed to detect viruses and protect your computer and files from harm

Antivirus software

The ability of each party in a transaction to ascertain the identity of the other party.

Authentication

Technology for authenticating system users that compares a person's unique characteristics, such as fingerprints, face, or retinal image, against a stored profile of these characteristics.

Biometric Authentication

A group of computers that have been infected with bot malware without users' knowledge, enabling a hacker to use the amassed resources of the computers to launch distributed denial-of-service attacks, phishing campaigns or spam.

Botnet

software program code defects

Bugs

planning that focuses on how the company can restore business operations after a disaster strikes.

Business continuity planning

the commission of illegal acts through the use of a computer or against a computer system

Computer crime

the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law

Computer forensics

rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission

Computer virus

All of the methods, policies, and procedures that ensure protection of the organization's assets, accuracy and reliability of its records, and operational adherence to management standards.

Controls

Technology for managing network traffic by examining data packets, sorting out low-priority data from higher-priority business-critical data, and sending packets in order of priority.

Deep packet inspection (DPI)

Flooding a network server or Web server with false communications or requests for services in order to crash the network.

Denial-of-service (DoS) attack

Attachments to an electronic message to verify the identity of the sender and to provide the receiver with the means to encode a reply.

Digital certificates

Planning for the restoration of computing and communications services after they have been disrupted.

Disaster recovery planning

numerous computers inundating and overwhelming a network from numerous launch points

Distributed denial-of-service (DDoS) attack

The coding and scrambling of messages to prevent their being read or accessed without authorization.

Encryption

Wireless networks that pretend to be legitimate to entice participants to log on & retrieve passwords or credit card numbers.

Evil Twins

Systems that contain extra hardware, software, and power supply components that can back a system up and keep it running to prevent system failure.

Fault-tolerant computer systems

Hardware and software placed between an organization's internal network and an external network to prevent outsiders from invading private networks.

Firewall

overall control environment governing the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure

General controls

requires financial institutions to ensure the security and confidentiality of customer data

Gramm-Leach Bliley Act

a person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure

Hacker

tools and technologies, including backup hardware resources, to enable a system to recover quickly from a crash

High availability computing

business process and software tools for identifying the valid users of a system and controlling their access to system resources

Identity management

Theft of key pieces of personal information, such as credit card or Social Security Numbers, in order to obtain merchandise and services in the name of the victim or to obtain false credentials.

Identity theft

tools to monitor the most vulnerable points in a network to detect and deter unauthorized intruders.

Intrusion detection systems

spyware that records every keystroke made on a computer to steal personal information or passwords or to launch internet attacks

Keyloggers

Malicious software programs such as viruses, worms, and trojan horses.

Malware

companies that provide security management services for subscribing clients.

Managed security service providers (MSSPs)

transaction processing mode in which transactions entered online are immediately processed by the computer.

Online transaction processing

small pieces of software that repair flaws in programs without disturbing the proper operation of the software

Patches

phishing technique that redirects users to a bogus Web page, even when the individual enters the correct Web page address

Pharming

Form of spoofing involving setting up fake web sites or sending email messages that resemble those of legitimate businesses and that ask users for confidential personal data.

Phishing

system for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.

Public Key infrastructure (PKI)

uses two keys, one shared (or public) and one private

Public key encryption

computer system designed to recover rapidly when mishaps occur.

Recovery-oriented computing

determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. Used to determine the cost/benefit of a control

Risk assessment

law passed in 2002 that imposes responsibility on companies and their management to protect investors by safeguarding the accuracy and integrity of financial information that is used internally and released externally.

Sarbanes-Oxley Act

protocol used for encrypting data flowing over the Internet; limited to individual messages.

Secure Hypertext Transfer Protocol (S-HTTP)

Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Security

statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals

Security policy

a credit-card-size plastic card that stores digital information and that can be used for electronic payments in place of cash.

Smart card

tricking people into revealing their passwords by pretending to be legitimate users or members of a company in need of information.

Social engineering

the forging of the return address on an email so that the email message appears to come from someone other than the actual sender

Spoofing

Technology that aids in gathering information about a person or organization without their knowledge.

Spyware

physical device similar to an identification card that is designed to prove the identity of a single user

Token

a software program that appears legitimate but contains a second hidden function that may cause damage

Trojan Horse

Comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, Web content filtering, and anti-spam software.

Unified threat management (UTM)

independent software programs that propagate themselves to disrupt the operation of computer networks or destroy data and other programs

Worms

specific controls unique to each computerized application that ensure that only authorized data are completely and accurately processed by that application

application controls

A sequence of characters that must be keyed in to gain access to all or part of a computer system or program

password

enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session.

secure sockets layer (ssl)
