Chapter 4- Ethics and Information Security: MIS Business Concerns

Ace your homework & exams now with Quizwiz!

Authentication and authorization techniques fall into three categories

1) Something the user knows, such as a user ID and password 2) Something the user has, such as a smart card or token 3) Something that is part of the user, such as a fingerprint or voice signature

social media policy

Companies can protect themselves by implementing a *BLANK* outlining the corporate guidelines or principles governing employee online communications. Having a single social media policy might not be enough to ensure that the company's online reputation is protected -Employee online communication policy detailing brand communication. -Employee blog and personal blog policies. -Employee social network and personal social network policies. -Employee Twitter, corporate Twitter, and personal Twitter policies. -Employee LinkedIn policy. -Employee Facebook usage and brand usage policy. -Corporate YouTube policy.

employee monitoring policy

The best path for an organization planning to engage in employee monitoring is open communication, including an *BLANK* stating explicitly how, when, and where the company monitors its employees (state the consequences of violating the policy, and always enforce the policy the same for everyone)

Information security

a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization also the primary tool an organization can use to combat the threats associated with downtime

Drive-by hacking

a computer attack by which an attacker accesses a wireless computer network, intercepts data, uses network services, and/or sends attack instructions without entering the office or organization that owns the network

Competitive click-fraud

a computer crime in which a competitor or disgruntled employee increases a company's search advertising costs by repeatedly clicking the advertiser's link

Nonrepudiation

a contractual stipulation to ensure that ebusiness participants do not deny (repudiate) their online actions (typically contained in an acceptable use policy)

digital certificate

a data file that identifies individuals or organizations online and is comparable to a digital signature

smart card

a device about the size of a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

Ransomware

a form of malicious software that infects your computer and asks for money

Pretexting

a form of social engineering in which one individual lies to obtain confidential data about another individual

zombie farm

a group of computers on which a hacker has planted zombie programs

Authentication

a method for confirming users' identities

downtime

a period of time when a system is unavailable

Spear phishing

a phishing expedition in which the emails are carefully designed to target a particular person or organization

Vishing (voice phishing)

a phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information

voiceprint

a set of measurable characteristics of a human voice that uniquely identifies an individual

Spyware

a special class of adware that collects data about the user and transmits it over the Internet without the user's knowledge or permission programs collect specific data about the user, ranging from general demographics such as name, address, and browsing habits to credit card numbers, Social Security numbers, and user names and passwords clear threat to privacy

Phishing

a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent emails that look as though they came from legitimate businesses

Digital rights management

a technological solution that allows publishers to control their digital media to discourage, limit, or prevent illegal copying and distribution

certificate authority

a trusted third party, such as VeriSign, that validates user identities by means of digital certificates

Information compliance

act of conforming, acquiescing, or yielding information

information property

an ethical issue that focuses on who owns information about individuals and how information can be sold and exchanged

Cyberwar

an organized attempt by a country's military to disrupt or destroy information and communication systems for another country

Teergrubing

anti-spamming approach by which the receiving computer launches a return attack against the spammer, sending email messages back to the computer that originated the suspected spam

confidentiality

assurance that messages and information remain available only to those authorized to view them

information secrecy

category of computer security that addresses the protection of data from unauthorized disclosure and confirmation of data source authenticity

Time bombs

computer viruses that wait for a specific date before executing their instructions

Identity theft

consists of forging someone's identity for the purpose of fraud (often financial because thieves apply for and use credit cards or loans in the victim's name. Two means of stealing an identity are phishing and pharming)

Internet use policy

contains general principles to guide the proper use of the Internet (essential for such use to be legitimate) -Describes the Internet services available to users. -Defines the organization's position on the purpose of Internet access and what restrictions, if any, are placed on that access. -Describes user responsibility for citing sources, properly handling offensive material, and protecting the organization's good name. -States the ramifications if the policy is violated

advanced encryption standard (AES)

designed to keep government information secure

information security plan

details how an organization will implement the information security policies

email privacy policy

details the extent to which email messages may be read by others Email is so pervasive in organizations that it requires its own specific policy. Most working professionals use email as their preferred means of corporate communications

why organizations should develop written policies

establish organizational rules, employee procedures, and employee guidelines

information management

examines organizational resource of information and regulates its definitions, uses, value, and distribution ensuring it has the types of data/information required to function and grow effectively

Hackers

experts in technology who use their knowledge to break into computers and computer networks, either for profit or simply for the challenge (use smoking entrances, pose as employees, plug in laptop)

Intrusion detection software (IDS)

features full-time monitoring tools that search for patterns in network traffic to identify intruders

ethical computer use policy

general principles to guide computer user behavior (Ex.) might explicitly state that users should refrain from playing computer games during working hours. After appropriate warnings, the company may terminate an employee who spends significant amounts of time playing computer games at work)

Information ethics

govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies)

Internet censorship

government attempts to control Internet traffic, thus preventing some material from being viewed by a country's citizens

social engineering

hackers use their social skills to trick people into revealing access credentials or other valuable information

firewall

hardware and/or software that guard a private network by analyzing incoming and outgoing information for the correct markings

Information security policies

identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days

Cyberbullying

includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on the website

association between information and ethics

information has no ethics

decrypt

information is to decode it and is the opposite of encrypt

Fair information practices

is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy

phishing expedition

is a masquerading attack that combines spam with spoofing

Typosquatting

is a problem that occurs when someone registers purposely misspelled variations of well-known domain names (sometimes lure consumers who make typographical errors when entering a URL)

zombie

is a program that secretly takes over another computer for the purpose of launching attacks on other computers (Zombie attacks are almost impossible to trace back to the attacker)

threat

is an act or object that poses a danger to assets

patent

is an exclusive right to make, use, and sell an invention and is granted by a government to the inventor (ethical issues surrounding copyright infringement and the violation of intellectual property rights are consuming the ebusiness world)

Intellectual property

is intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents.

virus

is software written with malicious intent to cause annoyance or damage (different because must attach to something such as a file to spread)

Click-fraud

is the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser

Website name stealing

is the theft of a website's name that occurs when someone, posing as a site's administrator, changes the ownership of the domain name assigned to the website to another website owner

The goal of multifactor authentication

is to make it difficult for an unauthorized person to gain access to a system because, if one security level is broken, the attacker will still have to break through additional levels.

Insiders

legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

Dumpster diving

looking through people's trash, is another way hackers obtain information

Destructive agents

malicious agents designed by spammers and other Internet attackers to farm email addresses off websites or deposit spyware on machines

information governance

method or system of government for information management or control

Content filtering

occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information

organizations address security risks through two lines of defense

people and technology

social media manager

person within the organization who is trusted to monitor, contribute, filter, and guide the social media presence of a company, individual, product, or brand

Epolicies

policies and procedures that address information management along with the ethical use of computers and the Internet in the business environment

bring your own device (BYOD)

policy allows employees to use their personal mobile devices and computers to access enterprise data and applications -Unlimited access for personal devices. -Access only to nonsensitive systems and data. -Access, but with IT control over personal devices, apps, and stored data. -Access, but preventing local storage of data on personal devices

opt in

receive emails by choosing to allow permissions to incoming emails

acceptable use policy (AUP)

requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet - -Not using the service as part of violating any law. -Not attempting to break the security of any computer network or user. -Not posting commercial messages to groups without prior permission. -Not performing any nonrepudiation.

Multifactor authentication

requires more than two means of authentication such as what the user knows (password), what the user has (security token), and what the user is (biometric verification)

Two-factor authentication

requires the user to provide two means of authentication, what the user knows (password) and what the user has (security token)

Pharming

reroutes requests for legitimate websites to false websites For example, if you were to type in the URL to your bank, pharming could redirect to a fake site that collects your information

Privacy

right to be left alone when you want to be, to have control over your personal possessions, and not to be observed without your consent

Antivirus software

scans and searches hard drives to prevent, detect, and remove known viruses, adware, and spyware (must be frequently updated to protect against newly created viruses)

Encryption

scrambles information into an alternative form that requires a key or password to decrypt

mail bomb

sends a massive amount of email to a specific person or system that can cause that user's server to stop functioning

anti-spam policy

simply states that email users will not send unsolicited emails (or spam) (difficult to write)

Tokens

small electronic devices that change user passwords automatically

Counterfeit software

software that is manufactured to look like the real thing and sold as such

Adware

software that, although purporting to serve some useful function and often fulfilling that function, also allows Internet advertisers to display advertisements without the consent of the computer user

worm

spreads itself not only from file to file but also from computer to computer

opt out

stop receiving emails by choosing to deny permission to incoming emails

Physical security

tangible protection such as alarms, guards, fireproof doors, fences, and vaults New technologies enable employers to monitor many aspects of their employees' jobs, especially on telephones, computer terminals, through electronic and voice mail, and when employees are using the Internet

Ediscovery (or electronic discovery)

the ability of a company to identify, search, gather, seize, or export digital information in responding to a litigation, audit, investigation, or information inquiry

Cybervandalism

the electronic defacing of an existing website

Biometrics

the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting

Copyright

the legal protection afforded an expression of an idea, such as a song, book, or video game

ethics

the principles and standards that guide our behavior toward other people

Social media monitoring

the process of monitoring and responding to what is being said about a company, individual, product, or brand

Authorization

the process of providing a user with permission, including access levels and abilities such as file access, hours of access, and amount of allocated storage space

Cryptography

the science that studies encryption, which is the hiding of messages so that only the sender and receiver can read them

Single-factor authentication

the traditional security process, which requires a user name and password

Cyberterrorism

the use of computer and networking technologies against persons or property to intimidate or coerce governments, individuals, or any segment of society to attain political, religious, or ideological goals

Workplace MIS monitoring

tracks people's activities by such measures as number of keystrokes, error rate, and number of transactions processed

Hackers and viruses

two of the hottest issues currently facing information security

Pirated software

unauthorized use, duplication, distribution, or sale of copyrighted software

Spam

unsolicited email (plagues employees at all levels within an organization)

pharming attack

uses a zombie farm, often by an organized crime association, to launch a massive phishing attack

Public key encryption (PKE)

uses two keys: a public key that everyone can have and a private key for only the recipient

Child Online Protection Act (COPA)

was passed to protect minors from accessing inappropriate material on the Internet

information privacy policy

which contains general principles regarding information privacy (protect its information)


Related study sets

Proteiners opbygning og funktion II

View Set

Chapter 10-Cultural Psych Emotion

View Set

Leadership in Management - Chapter 8

View Set

NTA - Lesson 2 - Networking - The Layers of the OSI Model

View Set