Cob 204 ( Test 3 Review for Tom Dillon)
Specific Data Safeguards (DS)
- Data Policies (Admin/DB Admin)
- Data Rights/Responsibilities (order/laws/structure)
- Enforced Rights (via user accounts/authenticated passwords)
- Data Encryption
- Backup/Recovery Procedures
- Physical Security (walls, locked/fireproof doors, locks, badges, guards, alarm systems, fencing, gates, etc.)
Support Activity Examples
- (A&M) Legal, Accounting, Finance, and Management (Ex: hiring a lawyer / using QuickBooks)
- (HR) Personnel, Recruiting, Training, Career Development (Ex: using the Internet to advertise job openings)
- (TD) Engineering, Software, Hardware, Research, and Development (Ex: N/A, we leave this space blank)
- (PR) Supplier management; purchasing products we buy but don't sell (Ex: ordering office supplies online)
Assets/Target Threat Vulnerabilities Safeguards/Controls
- A) Asset: a resource or piece of information that needs to be protected (valued by its cost of repair or replacement)
- T) Threat: capabilities, intentions, and methods for harm to an asset (can be human error, computer crime, or a natural event)
- V) Vulnerability: a weakness in an information system that gives a threat the opportunity to compromise or gain access to an asset
- S) Safeguard: a control used to block or minimize the impact of threats
*Use the acronym ATVS!
Vulnerabilities (V)
- Built-in weaknesses that were considered too expensive to fix or were left in for another reason (often human error)
- Mistakes IT and non-IT people make
- Socially engineering a person out of security knowledge
- Unknown holes that only become visible after the attack
(Human error, mistakes, engineering, holes)
Big Picture Organization (BPO)
- Industry Structure
- Competitive Strategy
- Value Chain
- Business Process
- Information Systems
Hardening (HS)
- Special versions (or locked-down configurations) of an operating system that disable features and functions not required by the application, reducing the attack surface.
- Protects the system from abuse of unneeded services, whether by outsiders or by people inside the company.
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid.
General Data Protection Regulation (GDPR)
An EU privacy law enacted in 2018 that outlines data protection regulations designed to protect personal data
Data Administration
An organization-wide function that develops and enforces data policies and standards
Human Safeguard Examples (HS)
Hiring, Training, Education, Procedure Design, Administration, Assessment, Compliance
Human Safeguards
Hiring, training, education, procedure design, administration, assessment, compliance, accountability
Pretexting
Occurs when someone deceives by pretending to be someone else
SQL Injection Attack
Occurs when a user enters a SQL fragment into a form field meant for a name or other data, and the application concatenates that input directly into its query, so the fragment runs as part of the SQL statement. Prevented by parameterized queries, which send user input to the database as data rather than as query text.
Perimeter Firewall
Sits between the organization's network and the Internet; restricts unauthorized access to internal data and blocks outside intrusion
Adware
Similar to spyware in that it is installed without the user's permission, resides in the background, and observes user behavior; it typically also displays unwanted advertisements
Symmetric Encryption
The same key is used to encode and decode.
Business Process (Porter's Model) (#4)
A network of activities that generate value by transforming inputs into outputs.
Value Chain
A network of value-creating activities (Primary + Support)
Advanced Persistent Threat (APT)
A sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
Phishing
A technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail
Key Escrow
A trusted party handles a copy of the encryption key of encrypted data
ERP
Enterprise Resource Planning
Payment Card Industry Data Security Standard (PCI DSS)
Governs (ensures) the secure storage and processing of credit card data
Denial of Service (DoS)
Attackers flood a server, network, or DBMS with more requests than it can handle, so legitimate users are denied transactions or access
Assets/Targets (A)
Hardware, Software, Data, Procedures, People + Network Infrastructure & Intellectual Property
Non-employees that work for you (HS)
- Temporary personnel, vendors, business partners, and the public
- Require appropriate screening/training
- Contract specific security responsibilities
- Provide accounts and passwords with least privilege, and remove the accounts as soon as they are no longer needed
Losses Categorized As:
- Unauthorized data disclosure
- Incorrect data modification
- Faulty service
- Denial of service
- Loss of infrastructure
Malware Symptoms
- Slow system startup
- Sluggish system performance
- Many pop-up advertisements
- Suspicious browser homepage changes
- Suspicious changes to the taskbar and other system interfaces
- Unusual hard-disk activity
Non employees w/ Access (HS) (Continued)
1.) Account Management --> Standards for new user accounts, modification of account permissions, removal of unneeded accounts, etc.
2.) Password Management --> Users change passwords frequently (note: current NIST guidance, SP 800-63B, advises against forced periodic rotation and instead requires a change when a password is known to be compromised)
3.) Help Desk Policies --> Provide a means of authenticating users before resetting credentials
Industry Structure (Porter's Competitive Model) (#1)
1.) Bargaining power of customers
2.) Bargaining power of suppliers
3.) Firms (existing rival firms and your firm)
4.) Threat of substitutes
5.) Threat of new entrants
Competitive Advantage Strategies (Examples)
1.) Cost Leadership - "Walmart's Everyday Low Prices"
2.) Differentiation - "Southwest Airlines offering low-cost, short-haul, express flights"
3.) Innovation - "Apple Watch" (traditional to smart watches)
4.) Organizational Effectiveness - "FedEx fastest delivery option"
5.) Customer Orientation - "Amazon's customer ordering system"
Business Process Overlap & Integration
1.) Execute a process (i.e., the output of one process is the input for another)
2.) BP creates the need for "enterprise-wide" systems
3.) Capture and store process data (dates, times, prices, etc.)
4.) Monitor process performance / identify problems
Value Chain (Porter's Model for Structural Change) (#3)
9 total support and primary activities (in order of chart).
4 Support Activities - Contribute to competitive advantage by supporting the primary activities, but don't directly add value to the firm's products or services:
- Administration & Management (A&M)
- Human Resources (HR)
- Technology Development (TD)
- Procurement (PR)
5 Primary Activities - The production and distribution of products and services. Purpose: to create value for which customers are willing to pay:
- Inbound Logistics
- Operations/Manufacturing
- Outbound Logistics
- Marketing and Sales
- Customer Service
Non-employees w/ access (HS)
> Public users, websites, and other openly accessible information systems
> Hardening
Activity
A business function that receives inputs and produces outputs (Human, computer, or both)
Repository
A collection of something (Ex: Database is a repository of Data)
Virus
A computer program that replicates itself and consumes computer resources; its PAYLOAD is the part of the code that does the damage, such as altering or deleting data.
Intrusion Detection System (IDS)
A computer program that senses when another computer is scanning or attempting to access a computer or network, and raises an alert
Packet-filtering firewall
A firewall that examines each packet and determines whether to let the packet pass. To make this decision, it examines the source address, the destination address, and other header data such as the protocol and port numbers. It looks at each packet on its own and does not track connections (that is what a stateful firewall adds).
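A minimal packet filter of the kind described above, as an added example that is not from the original notes: rules are matched in order on protocol, source range, destination range, and destination port, and the first match decides (default deny). The rule set, the addresses, and the sample packets are constructed for the demonstration and apply to packets arriving on the external interface of an assumed perimeter device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "any"
    src: ipaddress.IPv4Network    # permitted source address range
    dst: ipaddress.IPv4Network    # permitted destination address range
    dport: Optional[int] = None   # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet's header."""
    return (
        rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match semantics: the first rule whose fields all match decides.
    A packet that matches nothing gets the default, which should be deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


NET = ipaddress.ip_network

# Constructed rule set for inbound traffic on the external interface.
# 203.0.113.10 is an assumed public web server; 10.0.0.0/8 is the
# assumed internal range, which must never appear as a source from outside.
RULES = [
    Rule("deny",  "any", NET("10.0.0.0/8"), NET("0.0.0.0/0")),            # anti-spoofing
    Rule("allow", "tcp", NET("0.0.0.0/0"),  NET("203.0.113.10/32"), 443),  # HTTPS to web server
    Rule("allow", "tcp", NET("0.0.0.0/0"),  NET("203.0.113.10/32"), 80),   # HTTP to web server
    Rule("deny",  "any", NET("0.0.0.0/0"),  NET("0.0.0.0/0")),             # explicit final deny
]

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),  # allow: HTTPS to the web server
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),   # deny: SSH is not published
    Packet("udp", "198.51.100.7", "203.0.113.10", 443),  # deny: wrong protocol
    Packet("tcp", "10.1.2.3",     "203.0.113.10", 443),  # deny: spoofed internal source
]


def run_samples() -> List[str]:
    """Apply RULES to every sample packet and return the decisions in order."""
    return [decide(RULES, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{verdict:5} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Rule order matters: if the anti-spoofing rule were placed after the HTTPS allow, a packet forged with an internal source address and port 443 would be let through. Because this filter inspects each packet in isolation, it also cannot tell a reply belonging to an established connection from an unsolicited packet; a stateful firewall keeps a connection table for that.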
Spoofing
Another term for someone pretending to be someone else. Types: IP spoofing, email spoofing, etc.
Customer Service
Assisting customer's use of the product and thus maintaining and enhancing the product's value
Hacking
Gaining unauthorized access to computers, servers, or networks, whether to steal data, information, or money or to bring the systems down
Business Process Improvement
Changes that consider where the input came from and where the output is going.
- Improves EFFICIENCY (faster / fewer errors) and EFFECTIVENESS (allows for better decision-making)
- Increases customer/employee satisfaction
Outbound Logistics
Collecting, storing, and physically distributing the products to buyers
Usurpation
Computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones (Categorized under faulty service)
Authentication (TS)
Confirms the identity of the person requiring access
Cost of Business Process
Cost of Inputs + Cost of Activities
Competitive Strategy (Porter's Model w/in Industry Structure) (#2)
Cost / Industry-wide: Lowest cost across the industry
Differentiation / Industry-wide: Better product/service across the industry
Cost / Focus: Lowest cost within an industry segment
Differentiation / Focus: Better product/service within an industry segment
Data Safeguard Examples (DS)
Data Rights & Responsibilities, Passwords, Encryption, Backup & Recovery, Physical Security
Authorization (TS)
Determines which actions, rights, or privileges the person has, based on his or her verified identity
Malware Protection (TS)
How to protect data from malware:
- Install anti-virus and anti-spyware software
- Scan devices frequently
- Update malware definitions
- Open email attachments only from known sources
- Install software updates
- Browse only reputable Internet neighborhoods
Threats (T)
Human Error/Action
> Entering the wrong data or accidentally changing the data
> Normally affects the five components of an IS
Computer Crime
> A person or organization that seeks to obtain or alter data or assets
> Includes viruses, worms, phishing, terrorism, extortion, etc.
Natural Events or Disasters
> Problems result from the initial loss of capability and service, and then from the recovery effort
> Includes fire, floods, hurricanes, earthquakes, etc.
Technical Safeguard Examples (TS)
ID & Authorization, Encryption, Firewalls, Malware Protection, Application Design
Primary Activity Examples
Inbound Logistics - Tasks: quality control, raw materials control, supply scheduling (Ex --> automated warehouse systems)
Operations/Manufacturing - Tasks: manufacturing, packaging, production control, quality control (Ex --> computer-controlled and computer-aided equipment)
Outbound Logistics - Tasks: finishing goods, order handling, dispatch, delivery, invoicing (Ex --> automated shipping/scheduling systems)
Sales & Marketing - Tasks: customer management, order taking, advertising/promotion, sales analysis, market research (Ex --> marketing data per target audience)
Customer Service - Tasks: warranty, education & training, upgrades, service on products (Ex --> customer relationship management systems)
Sales and Marketing
Inducing buyers to purchase the products and providing a means for them to do so
BPO Components (Simplified)
Industry Structure (1) - Competitive forces in your industry
Competitive Strategy (2) - How you decide to respond to the forces
Value Chains (3) - Changes you make to your structure
Business Process (4) - How those changes affect your processes
Information Systems (5) - Hardware, software, data, procedures, people
Typical Business Process Format
Input - Process - Output (Ex: Online website - placed order - shipped product)
Linkages
Interactions across value activities
Gramm-Leach-Bliley Act (GLBA)
Passed by Congress in 1999, this act protects consumer financial data stored by financial institutions such as banks, securities firms, insurance companies, and organizations that supply financial advice, prepare tax returns, etc.
Health Insurance Portability and Accountability Act (HIPAA)
Passed in 1996, this act gives individuals the right to access health data created by doctors and other health care providers, and sets limits and rules on who can read or receive your health information.
Malware Definitions
Patterns (signatures) that exist in malware code, which anti-malware software uses to recognize known malware
(HS) Examples
Position Definition
> Separate duties and authorities
> Determine least privilege
> Document position sensitivity
Hiring & Screening
> Processes to ensure trust, knowledge, and capability of employees
> Most JMU CIS majors acquire a security clearance for government jobs
Dissemination & Enforcement
> Responsibility, accountability, and compliance
Termination
> Friendly or unfriendly
Internal Firewall
Sits inside the organization's network to separate segments from each other; limits the spread of malware and prevents the leak or retrieval of sensitive data between internal systems
Spyware
Programs that are installed on the user's computer without the user's knowledge or permission to track key strokes for account info, passwords, etc.
Data Safeguards (DS)
Protect databases and other organizational data. (The organization units are responsible for data safeguards)
Push vs pull Publishing
Push- Data does not need to be requested Pull- data needs to be requested
Inbound Logistics
Receiving, storing, and disseminating inputs to the products
Authentication Methods (TS)
Something the user is (biometrics)
> Examines a person's innate physical characteristics
> Ex: fingerprint/palm/retina scans, iris and facial recognition
Something the user has
> A physical token presented for identification
> ID cards, smart ID cards (magnetic strip or microchip, typically requiring a PIN)
Something the user does
> Voice and signature recognition, or other behavioral traits such as typing rhythm
Something the user knows
> Passwords and passphrases
Firewalls (TS)
A computing device that filters network traffic; may be a special-purpose appliance, software on a regular computer, or a router
Safeguards (S)
Technical Safeguards - Hardware & Software
Data Safeguards - Data
Human Safeguards - Procedures & People
Value
The amount of money that a customer is willing to pay for a resource, product, or service
Credential Stuffing
The automated injection of breached username/password pairs into a site's login form to gain fraudulent access to user accounts; it works because many people reuse the same password across sites.
Margin
The difference between the value that an activity generates and the cost of the activity
Brute-Force Attack
The password cracker tries every possible combination of characters until one works; longer passwords and account lockout or rate limiting make this impractical
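Detection logic for the two attacks above (credential stuffing and brute force), as an added example that is not part of the original notes: it parses failed-login lines, counts failures per source address inside a sliding time window, and labels a source as brute force when the failures hit few accounts or as credential stuffing when they are spread across many accounts (one or two tries each, as leaked username/password pairs produce). The log format, the thresholds, and the sample lines are all constructed here; real sshd or web-server logs use different fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real traffic), in an sshd-like format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:02 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:03 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:04 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:05 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:06 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:01:00 sshd: Failed password for bob from 203.0.113.9
2024-05-01T10:01:01 sshd: Failed password for carol from 203.0.113.9
2024-05-01T10:01:02 sshd: Failed password for dave from 203.0.113.9
2024-05-01T10:01:03 sshd: Failed password for erin from 203.0.113.9
2024-05-01T10:01:04 sshd: Accepted password for frank from 203.0.113.9
2024-05-01T10:01:05 sshd: Failed password for grace from 203.0.113.9
2024-05-01T10:30:00 sshd: Failed password for heidi from 192.0.2.5
2024-05-01T10:30:20 sshd: Accepted password for heidi from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, ip)


def parse(log: str) -> List[Event]:
    """Turn matching log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def classify(events: List[Event],
             window: timedelta = timedelta(minutes=5),
             fail_threshold: int = 5,
             user_threshold: int = 4) -> Dict[str, str]:
    """Label each source IP that reaches fail_threshold failures within `window`.

    brute_force:         many failures against few accounts (password guessing)
    credential_stuffing: failures spread over >= user_threshold distinct accounts
    Thresholds are assumed values for the demonstration, not a standard.
    """
    fails = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, result, user, ip in events:
        if result == "Failed":
            fails[ip].append((ts, user))
    verdict = {}
    for ip, entries in fails.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1  # slide the window forward past stale failures
            recent = entries[start:end + 1]
            if len(recent) >= fail_threshold:
                users = {u for _, u in recent}
                verdict[ip] = "credential_stuffing" if len(users) >= user_threshold else "brute_force"
                break
    return verdict


def compromised_logins(events: List[Event], verdict: Dict[str, str]) -> List[Tuple[str, str]]:
    """Successful logins from a flagged IP: the accounts to reset first."""
    return [(user, ip) for _, result, user, ip in events
            if result == "Accepted" and ip in verdict]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    v = classify(ev)
    print(v)
    print(compromised_logins(ev, v))
```

The success for `frank` from the flagged 203.0.113.9 is the part a responder cares about most: a credential-stuffing run that scores one hit has found a reused password, and that account needs a forced reset and a session revocation, not just a blocked IP. The legitimate user at 192.0.2.5 who mistyped once and then logged in never crosses the threshold.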
Encryption (TS)
Transforming cleartext (plaintext) into coded text (ciphertext), for secure storage and communication
Operations/Manufacturing
Transforming inputs into the final products
Asymmetric Encryption
Two keys are used; one key encodes the message, and the other key decodes the message
Private key encryption
The key that is kept secret and used to decrypt or decode messages encrypted with the matching public key (the combination for the lock)
Public key encryption
The key that is shared openly and used to encrypt or encode messages that only the matching private key can decode (the lock)
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Uses a combination of public key and symmetric encryption: public-key cryptography authenticates the server and establishes a shared session key, and faster symmetric encryption protects the traffic with that key. SSL is the obsolete predecessor; current systems use TLS.
Sniffing
Intercepting and reading network traffic (IP packets) as it passes over a network; wardrivers search for vulnerable wireless networks to sniff or take advantage of
Worm
Virus that SELF-PROPAGATES using the INTERNET or other computer network
Trojan horses
Malware that MASQUERADES as a useful program or file so the user installs it