COB 204 Chapter 7: Information Security


Controls (defense mechanisms)

- implemented by organizations to protect their information assets
- designed to protect all of the components of an information system, including data, software, hardware, and networks

Two Types of Auditors and Audits

- internal
- external

Business Continuity Plan (disaster recovery plan)

- provides guidance to people who keep the business operating after a disaster occurs
- used to prepare for, react to, and recover from events that affect the security of information assets

Public-Key Encryption (asymmetric encryption)

- uses two different keys: a public key (locking key) and a private key (unlocking key)
- both keys are created simultaneously using the same mathematical formula or algorithm

3 Most Common Risk Mitigation Strategies

1.) Risk Acceptance - accept the potential risk, continue operating with no controls, and absorb any damages that occur
2.) Risk Limitation - limit the risk by implementing controls that minimize the impact of the threat
3.) Risk Transference - transfer the risk by using other means to compensate for the loss, such as by purchasing insurance

3 Categories of IS Auditing Procedures

1.) auditing around the computer
2.) auditing through the computer
3.) auditing with the computer

Two Major Functions of Access Controls

1.) authentication
2.) authorization

Five Key Factors contributing to increasing vulnerability of an organization's information resource

1.) interconnected, interdependent, wirelessly networked business environment
2.) smaller, faster, cheaper computers and storage devices
3.) decreasing skills necessary to be a computer hacker
4.) international organized crime taking over cybercrime
5.) lack of management support

Two Types of Spyware

1.) keystroke loggers
2.) screen scrapers

4 Identity Theft Techniques

1.) stealing mail or dumpster diving
2.) stealing personal information in computer databases
3.) infiltrating organizations that store large amounts of personal information
4.) impersonating a trusted organization in an electronic communication

Two Social Engineering Techniques

1.) tailgating
2.) shoulder surfing

Unintentional Threats

acts performed without malicious intent that nevertheless represent a serious threat to information security (major category = Human Error)

Social Engineering

an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords

Transport Layer Security (secure sockets layer)

an encryption standard used for secure transactions such as credit card purchases and online banking

Audit (in Information Systems)

an examination of information systems, their inputs, outputs, and processing

Trade Secret

an intellectual work, such as a business plan, that is a company secret and is not based on public information, e.g., the formula for Coca-Cola

Patent

an official document that grants the holder exclusive rights on an invention or a process for a specified period of time

Threat (to an information resource)

any danger to which a system may be exposed

Something the user KNOWS

authentication mechanism that includes passwords and passphrases

Something the user HAS

authentication mechanism that includes regular ID cards, smart ID cards, and tokens

Something the user DOES

authentication mechanism that includes voice and signature recognition

Biometrics (something the user IS)

authentication method that examines a person's innate physical characteristics

Tracking Cookies

can be used to track your path through a Web site, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes

Business Continuity

chain of events linking planning to protection and to recovery

Alien Software (pestware)

clandestine software that is installed on your computer through duplicitous methods

Privilege

collection of related computer system operations that a user is authorized to perform

Authentication

confirms the identity of the person requiring access

Sabotage or Vandalism

deliberate acts that involve defacing an organization's Web site, potentially damaging the organization's image and causing its customers to lose faith

Authorization

determines which actions, rights, or privileges the person has, based on his or her verified identity

Digital Certificate

electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format

Internal Auditing

frequently performed by corporate internal auditors

Risk Management

goal is to identify, control, and minimize the impact of threats

Blacklisting

includes certain types of software that are not allowed to run in the company environment

Risk Analysis

involves three steps:
1.) assessing the value of each asset being protected
2.) estimating the probability that each asset will be compromised
3.) comparing the probable costs of the asset's being compromised with the costs of protecting that asset

Demilitarized Zone (DMZ)

located between the two firewalls

Shoulder Surfing

occurs when a perpetrator watches an employee's computer screen over the employee's shoulder

Information Extortion

occurs when an attacker threatens to steal, or actually steals, information from a company

Espionage or Trespass

occurs when an unauthorized individual attempts to gain illegal access to organizational information

Risk Mitigation

organization takes concrete actions against risks; it has two functions:
1.) implementing controls to prevent identified threats from occurring
2.) developing a means of recovery if the threat becomes a reality

Spamware

pestware that uses your computer as a launch pad for spammers

Least Privilege

posits that users be granted the privilege for an activity only if there is a justifiable need for them to perform that activity

Passwords

present a huge information security problem in all organizations

Physical Controls

prevent unauthorized individuals from gaining access to a company's facilities, e.g., walls, doors, locks, guards, alarm systems

Virtual Private Network

private network that uses a public network (usually the Internet) to connect users

Whitelisting

process in which a company identifies the software that it will allow to run on its computers

Encryption

process of converting an original message into a form that cannot be read by anyone except the intended receiver

Tunneling

process that encrypts each data packet to be sent and places each encrypted packet inside another packet

Intellectual Property

property created by individuals or corporations that is protected under trade secret, patent, and copyright laws

Screen Scrapers (screen grabbers)

record a continuous "movie" of a screen's contents rather than simply recording keystrokes

Keystroke Loggers (keyloggers)

record both your individual keystrokes and your Internet Web browsing history

Cyberterrorism and Cyberwarfare

refer to malicious acts in which attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda

*Information Security*

refers to all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction

Cybercrime

refers to illegal activities conducted over computer networks, particularly the Internet

Access Controls

restrict unauthorized individuals from using information resources

External Auditor

reviews the findings of the internal audit as well as the inputs, processing, and outputs of information systems

Employee Monitoring Systems

scrutinize their employees' computers, e-mail activities, and Internet surfing activities

Passphrase

series of characters that is longer than a password but is still easy to memorize

Cookies

small amounts of information that Web sites store on your computer, temporarily or more or less permanently

Anti-Malware Systems (antivirus software) (AV)

software packages that attempt to identify and eliminate viruses and worms, and other malicious software

Adware

software that causes pop-up advertisements to appear on your screen

Spyware

software that collects personal information about users without their consent

Copyright

statutory grant that provides the creators or owners of intellectual property with ownership of the property for a designated period of time

Firewall

system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network
- External - faces the Internet
- Internal - faces the company network

Tailgating

technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry

Security

the degree of protection against criminal activity, danger, damage, and/or loss

Identity Theft

the deliberate assumption of another person's identity, usually to gain access to his or her financial information or to frame him or her for a crime

Exposure (to an information resource)

the harm, loss, or damage that can result if a threat compromises that resource

Vulnerability (of an information resource)

the possibility that the system will be harmed by a threat

Risk

the probability that a threat will impact an information resource

Privacy

the right to be left alone and to be free of unreasonable personal intrusion

Certificate Authority

third party that acts as a trusted intermediary between the companies that do business over the Internet

Spam

unsolicited e-mail, usually advertising for products and services
