MIS Chapter 4: Information Security

Discuss the 10 types of deliberate attacks.

1. Espionage or trespass 2. Information extortion 3. Sabotage and vandalism 4. Theft of equipment and information 5. Identity theft 6. Compromises to intellectual property 7. Software attacks 8. Alien software 9. Supervisory control and data acquisition (SCADA) 10. Cyberterrorism and cyberwarfare

Identify the three major types of controls that organizations can use to protect their information resources.

1. Physical controls - prevent unauthorized individuals from gaining access to a company's facilities. - Examples: walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure sensors, temperature sensors, motion detectors 2. Access controls - restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization. 3. Communication (network) controls - secure the movement of data across networks. - Examples: firewalls, anti-malware systems, whitelisting, blacklisting, encryption, virtual private networking, secure socket layer, vulnerability management systems

What are the three risk-mitigation strategies?

1. Risk acceptance 2. Risk limitation 3. Risk transference

Identify the five factors that contribute to the increasing vulnerability of information resources, and specific examples of each factor.

1. Today's interconnected, interdependent, wirelessly networked business environment. - Example: The Internet 2. Smaller, faster, cheaper computers and storage devices. - Examples: Netbooks, thumb drives, iPads 3. Decreasing skills necessary to be a computer hacker. - Example: Information system hacking programs circulating on the Internet 4. International organized crime taking over cybercrime. - Example: Organized crime has formed transnational cybercrime cartels. Because it is difficult to know exactly where cyberattacks originate, these cartels are extremely hard to bring to justice. 5. Lack of management support. - Example: Suppose that your company spent $10 million on information security countermeasures last year, and they did not experience any successful attacks on their information resources. Short-sighted management might conclude that the company could spend less during the next year and obtain the same results. Bad idea.

Privilege

A collection of related computer system operations that can be performed by users of the system.

Bot

A computer that has been compromised by, and under he control of, a hacker.

Zombie Computer

A computer that has been compromised by, and under the control of, a hacker.

Denial-Of-Service Attack

A cyberattack in which an attacker sends a flood of data packets to the target computer with the aim of overloading its resources.

Distributed Denial of Services (DDoS) Attack

A denial of service attack that send a flood of data packets from many compromised computers simultaneously.

Patent

A document that grants the holder exclusive rights on an invention or process for a specified period of time, currently 20 years.

Copyright

A grant from a governmental authority that provides the creator of intellectual property with ownership of it for a specified period of time, currently the life of the creator plus 70 years.

Botnet

A network of computers that have been compromised by, and under control of, a hacker, who is called the botmaster.

Least Privilege

A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

Password

A private combination of characters that only the user should know.

Virtual Private Network (VPN)

A private network that uses a public network (usually the Internet) to securely connect users by using encryption.

Whitelisting

A process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity.

Blacklisting

A process in which a company identifies certain types of software that are not allowed to run in the company environment.

Risk Transference

A process in which an organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance.

Authentication

A process that determines the identity of the person requiring access.

Authorization

A process that determines which actions, rights, or privileges the person has, based on verified identity.

Tunneling

A process that encrypts each data packet to be sent and places each encrypted packet inside another packet.

Risk Management

A process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels.

Risk Mitigation

A process whereby an organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan.

Demilitarized Zone (DMZ)

A separate organizational local area network that is located between an organization's internal network and an external network, usually the Internet.

Trojan Horse

A software program containing a hidden function that presents a security risk.

Risk Acceptance

A strategy in which an organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur.

Risk Limitation

A strategy in which an organization limits its risk by implementing controls that minimize the impact of a threat.

Firewall

A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network.

Certificate Authority

A third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.

Public-Key Encryption

A type of encryption that uses two different keys, a public key and a private key (also called asymmetric encryption).

Adware

Alien software designed to help pop-up advertisements appear on your screen.

Spyware

Alien software that can record your keystrokes or capture your passwords.

Spamware

Alien software that uses your computer as a launch platform for spammers.

Phishing Attack

An e-mail attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official looking e-mail.

Digital Certificate

An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.

Secure Socket Layer (SSL) (Transport Layers Security)

An encryption standard used for secure transactions such as credit card purchases and online banking.

Transport Layer Security (TLS)

An encryption standard used for secure transactions such as credit card purchases and online banking.

Audit

An examination of information systems, their inputs, outputs, and processing.

Threat

Any danger to which an information resource may be exposed.

Cyberterrorism

Can be defined as a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.

Alien Software

Clandestine software that is installed on your computer through duplicitous methods.

Communication Controls (Network Controls)

Controls that deal with the movement of data across networks.

Network Controls

Controls that deal with the movement of data across networks.

Physical Controls

Controls that restrict unauthorized individuals from gaining access to a compnay's computer facilities.

Access Controls

Controls that restrict unauthorized individuals from using information resources and are concerned with user identification.

Piracy

Copying a software program (other than freeware, demo software, etc.) without making payment to the owner.

Identity Theft

Crime in which someone uses the personal information of others to create a false identity and then uses is fraudulently.

Controls

Defense mechanisms (also called countermeasures).

Worms

Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.

Social Engineering

Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.

Compare and contrast human mistakes and social engineering, along with specific examples of each one.

Human mistakes are unintentional errors. However, employees can also make unintentional mistakes as a result of actions by an attacker, such as social engineering. - Example: Tailgating Social engineering is an attack through which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information. - Example: When an attacker calls an employee on the phone and impersonates a superior in the company.

Cybercrime

Illegal activities executed on the Internet.

Trade Secret

Intellectual work, such as a business plan, that is a company secret and is not based on public information.

Malware

Malicious software such as viruses and worms.

Viruses

Malicious software that can attach itself to (or "infect") other computer programs without the owner of the program being aware of the infection.

Information Security

Protecting an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Logic Bombs

Segments of computer code embedded within an organization's existing computer programs.

Cookie

Small amounts of information that websites store on your computer, temporarily or more or less permanently.

Anti-Malware Systems (Antivirus Software)

Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.

Employee Monitoring Systems

Systems that monitor employees' computers, e-mail activities, and Internet surfing activities.

Business Continuity

The chain of events linking planning to protection and to recovery.

Security

The degree of protection against criminal activity, danger, damage, or loss.

Exposure

The harm, loss, or damage that can result if a threat compromises an information resource.

Intellectual Property

The intangible property created by individuals or corporations, which is protected under trade secret, patent, and copyright laws.

Risk

The likelihood that a threat will occur.

Vulnerability

The possibility that an information resource will be harmed by a threat.

Risk Analysis

The process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the probable costs of each being compromised with the costs of protecting it.

Encryption

The process of converting an original message in to a form that cannot be read by anyone except the intended recipient.

Biometrics

The science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject's physiological or behavioral characteristics.

Back Door

Typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

Trap Doors

Typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

Spam

Unsolicited e-mail.

Cyberwarfare

War in which a country's information systems could be paralyzed from a massive attack by destructive software.

A password system on a computer network is an example of which type of information security control? a. Access b. Communication c. Physical

a. Access

Computer programs like CAPTCHA are used to counter: a. Hackers using key loggers b. Websites leaving cookies on the local machine c. Malware d. Hackers using screen scrappers

a. Hackers using key loggers

An unintentional attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information is known as: a. Social engineering b. Identity theft c. Information extortion d. Trespassing

a. Social engineering

Making and distributing information goods to which you do not own the __________ is referred to as __________. a. Intellectual property; theft b. Copyright; piracy c. Intellectual property; piracy d. Copyright; appropriation

b. Copyright; piracy

Which of the following factors that make information resources more vulnerable to attack can be most easily remedied? a. Decrease skill level of hackers b. Lack of management control c. Larger and cheaper storage d. Interconnected/dependent business environments e. None of these - all factors are exogenous f. Organized cyber crime

b. Lack of management control

Which type of remote software attack does not require user action? a. Virus b. Phishing attack c. Denial-of-service attack d. Worm

c. Denial-of-service attack

The threats to information security are ___________, and the greatest threat is ____________. a. Decreasing; technological b. Decreasing; human c. Increasing; human d. Increasing; technological e. Staying about the same; software

c. Increasing; human

Buying health insurance is an example of risk __________, whereas going without is an example of risk ___________. a. Limitation; acceptance b. Limitation; transference c. Transference; acceptance d. Transference; limitation

c. Transference; acceptance

Access controls consist of _________, which confirms user identity, and ________, which determines user access levels. a. Authorization; privileges b. Passwords; privileges c. Access; privileges d. Authentication; authorization

d. Authentication; authorization

Which of the following employees typically poses the most significant threat to information security? a. Consultants b. Janitors c. Contract labor d. IS employees

d. IS employees

Implementing controls to prevent threats from occurring and developing a recovery plan should the threats occur are two broad functions of: a. Risk acknowledgement b. All of these c. Risk acceptance d. Risk mitigation

d. Risk mitigation

Which of the following can be classified as unintentional threats to information systems caused by human errors? a. Both selecting a weak password and revealing your password b. None of these c. Leaking company data to others d. Selecting a weak password e. Revealing your password

d. Selecting a weak password