management information systems chapter 8


8-3 what are the components of an organizational framework for security and control?

-general and application controls
-risk assessment
-corporate security policy
-comprehensive/systematic IS auditing

8-1 wireless security challenges

-radio frequency bands easy to scan
-SSIDs can be identified by sniffer programs
-war driving: eavesdroppers drive by buildings and try to detect SSID and gain access to network
-rogue access points

8-3 define application controls and describe each type of application control

application controls - controls unique to each computerized application
input - check data for accuracy and completeness when they enter the system
processing - establish that data are complete and accurate during updating
output - ensure results of computer processing are accurate, complete, and properly distributed

8-1 other types of computer crime

click fraud - individual/computer program fraudulently clicks an online ad w/o intention of learning more about advertiser or making a purchase
cyberwarfare - state-sponsored activity designed to cripple and defeat another state/nation by penetrating its computers or networks to cause damage and disruption

8-1 list and describe the most common threats against contemporary IS

client level: unauthorized access, errors
comms lines: tapping, sniffing, message alteration, theft/fraud, radiation
corporate servers: hacking, malware, theft/fraud, vandalism, denial-of-service attacks
corporate systems: theft of data, copying data, alteration of data, hardware failure, software failure

8-1 define computer crime. provide 2 examples of crime in which computers are targets and two examples in which computers are used as instruments of crime

computer crime - any violations of criminal law that involve a knowledge of computer tech for their perpetration, investigation, or prosecution
computers are targets:
-breaching confidentiality of protected computerized data
-accessing a computer system w/o authority
computers as instruments:
-theft of trade secrets
-unauthorized copying of software or copyrighted intellectual property

8-1 types of computer crime

denial of service (DoS) attack - hackers flood network server/web server w/ thousands of false comms or requests for services to crash network
distributed DoS (DDoS) attack - uses numerous computers to inundate and overwhelm network from numerous launch points
botnet - thousands of zombie PCs infected w/ malicious software w/o owners' knowledge and organized into one bot

8-4 describe the role of encryption and digital certificates in a public key infrastructure

digital certificate - data file used to establish identity of users and electronic assets for protection of online transactions
-uses trusted 3rd party (certification authority) to validate user's identity
-CA verifies user's identity, stores info in CA server, which generates encrypted digital certificate containing owner ID info and copy of owner's public key
public key infrastructure - use of public key cryptography working w/ certificate authority; widely used in e-commerce

8-4 distinguish between disaster recovery planning and business continuity planning

disaster recovery planning - devises plans for restoration of disrupted services
business continuity planning - focuses on restoring business operations after disaster
both plans needed to identify firm's most critical systems

8-4 explain how encryption protects information

encryption - process of transforming plain text/data into cipher text that cannot be read by anyone other than sender and intended receiver
two methods for encryption on networks:
1. secure sockets layer (SSL) and transport layer security (TLS) - enable client/server computers to manage encryption/decryption activities as they comm w/ each other during web session
2. secure hypertext transfer protocol (S-HTTP) - used for encrypting data flowing over internet but is limited to individual messages
symmetric key - sender and receiver use single, shared key
public key - uses two mathematically related keys: public and private; sender encrypts message w/ recipient's public key and recipient decrypts w/ private key

8-3 explain how IS auditing promotes security and control

examines firm's overall security env. as well as controls governing individual IS
-reviews technologies, procedures, documentation, training, and personnel; even simulates disaster to test responses
-lists and ranks control weaknesses and probability of occurrence
-assesses financial and organizational impact of each threat

8-4 describe the roles of firewalls, intrusion detection systems, and antivirus software in promoting security

firewalls - hardware and software that prevent unauthorized users from accessing a private network
intrusion detection systems - monitor private networks for suspicious network traffic and attempts to access corporate systems
antivirus software - checks computer software for infection by viruses/worms and often eliminates malicious software

8-4 what are the most important tools and technologies for safeguarding info resources?

firewalls prevent unauthorized users from accessing a private network when it is linked to the internet. intrusion detection systems monitor private networks for suspicious network traffic and attempts to access corporate systems

8-3 define general controls and describe each type of general control

general controls - govern design, security, and use of computer programs and security of data files in general throughout org
software - monitor use of system software and prevent unauthorized access and use of programs
hardware - ensure that computer hardware is physically secure and check for equipment malfunction
computer operations - oversee work of computer department to ensure that programmed procedures are consistently and correctly applied to storage/processing of data
data security - ensure that valuable business data files maintained internally or by an external hosting service are not subject to unauthorized access
system development - audit system development process at various points to ensure that the process is properly controlled/managed
administrative - formalize standards, rules, procedures, and control disciplines to ensure org's general and application controls are properly executed and enforced

8-1 define a hacker and explain how hackers create security problems and damage systems

hacker - an individual who intends to gain unauthorized access to a computer system
hackers intrude on system, then damage system by intentional disruption, defacement, and destruction of website or corporate IS
spoofing - redirecting a web link to an address different from the intended one, w/ site masquerading as intended destination
sniffing - eavesdropping program that monitors info traveling over a network

8-1 define identity theft and phishing and explain why identity theft is such a big problem today

identity theft - imposter obtains key pieces of personal info to impersonate someone else
phishing - setting up fake sites/sending emails that look like those of legitimate businesses to ask users to update/confirm records by providing confidential data
evil twins - wireless networks that pretend to offer trustworthy wi-fi connections to internet
pharming - redirects users to bogus web page even when user types correct web page address into their browser

8-2 describe the relationship b/w security and control and recent US government regulatory requirements and computer forensics

inadequate security and control may result in serious legal liability, since businesses must protect info assets of customers, EEs, and business partners.
HIPAA - medical security and privacy rules and procedures
Gramm-Leach-Bliley Act - requires financial institutions to ensure the security and confidentiality of customer data
Sarbanes-Oxley Act - imposes responsibility on companies and their mgmt. to safeguard the accuracy and integrity of financial info that is used internally and released externally
computer forensics - scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law

8-2 what is the business value of security and control?

lack of sound security and control can cause firms relying on computer systems for their core business functions to lose sales and productivity. info assets lose much of their value if they are revealed to outsiders or if they expose the firm to legal liability. failed computer systems can lead to significant or total loss of business function.

8-1 describe the security and system reliability problems employees create

lack of user knowledge is single greatest cause of network security breaches
social engineering - intruders trick EEs into revealing their passwords by pretending to be legitimate members of the company in need of info
end users introduce errors by entering faulty data or by not following the proper instructions for processing data and using computer equipment

8-1 define malware and distinguish among a virus, a worm, and a Trojan horse

malware - malicious software programs
virus - rogue software program that attaches itself to other software programs or data files to be executed
worms - independent computer programs that copy themselves from one computer to others over a network; can operate on their own w/o attaching to other program files
Trojan horse - software program that appears benign but then does something other than expected

8-4 name and describe three authentication methods

passwords - used to log on to computer system or for accessing specific files; some are easy to guess or can be sniffed
token - physical device that is designed to prove the identity of a single user
biometrics - reads and interprets individual human traits, such as fingerprints, face, or retinal image

8-4 identify and describe the security problems cloud computing poses

responsibility for security resides w/ company owning the data
firms must ensure providers provide adequate protection:
-where data are stored
-meeting corporate requirements and legal privacy laws
-segregation of data from other clients
-audits and security certifications
service level agreements - controls written in before signing w/ cloud provider

8-3 describe the function of risk assessment and explain how it is conducted for IS

risk assessment - determines level of risk to firm if specific activity or process is not properly controlled
shows types of threat (exposure), probability of that threat occurring during year, potential loss range, and expected annual loss

8-2 explain how security and control provide value for business

security - policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to IS
control - methods, policies, and organizational procedures that ensure safety of org's assets; accuracy and reliability of its accounting records; and operational adherence to mgmt. standards

8-3 define and describe the following: security policy, acceptable use policy, and identity mgmt.

security policy - ranks info risks, identifies security goals and mechanisms for achieving goals
acceptable use policy - defines acceptable uses of firm's info resources and computing equipment
identity mgmt. - identifying valid users and controlling access

8-4 describe measures for improving software quality and reliability

software metrics - objective assessments of system in form of quantified measurements
-number of transactions
-online response time
-payroll checks printed per hour
-known bugs per hundred lines of code
early and regular testing
walkthroughs - review of specification or design document by small group of qualified people
debugging - process by which errors are eliminated

8-1 explain how software defects affect system reliability and security

software that contains flaws creates security vulnerabilities:
-bugs - hidden program code defects
-zero-day vulnerabilities - holes in software unknown to its creator that hackers exploit before vendor becomes aware of them

8-1 why are IS vulnerable to destruction, error, and abuse?

the internet is designed to be an open system and makes internal corporate systems more vulnerable to actions from outsiders

8-4 securing transactions w/ blockchain

type of distributed ledger that stores a permanent and tamper-proof record of transactions and shares them among a distributed network of computers managed through peer-to-peer architecture and do not have a centralized data store
