Info Systems chapter 17


Motivation for Information Security Attacks

- Extortion
- Espionage
- Cyber warfare
- Terrorism
- Pranksters
- Protest hacking
- Revenge
- Intellectual property theft

acceptable use policy (AUP)

Defines acceptable uses of firm's information resources and computing equipment

Security

Degree of Protection against criminal activity, damage or loss.

CAPTCHAs:

Scrambled character images to thwart automated account setup or ticket buying attempts.

encryption

Scrambling data using a code, thereby hiding it from those who do not have the unlocking key

identity theft

Theft of personal information (social security id, driver's license, or credit card numbers) to impersonate someone else (The Aberdeen Group has estimated that $221 billion a year is lost by businesses worldwide due to identity theft)

Five Factors Contributing to Vulnerability

- Today's interconnected, interdependent, wirelessly networked business environment
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- Lack of management support

false

VPN software should only be used on an organization's internal network. Never use VPN software on a public wireless network, as this could give hackers an entryway from your computer into your organization's secure network

honeypots

a security tool that is deployed by firms as a phony target to lure or distract attackers and gain information about them is known as a

Information Security

all of the processes, policies and technical measures designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

SQL injection technique

an example of an exploit in which hackers target security vulnerabilities caused by software developers not validating user input

whitelists

are highly restrictive, permitting communication only with pre-approved entities.

tokenization

refers to security schemes that automatically send one-time use representations of a credit card which can be received and processed by banking and transaction firms at the time of payment. They are used in ApplePay and Android Wallet.

compliance

requirements: Legal or professionally binding steps that must be taken.

virtual private network

scrambles data passed across a network

data harvesters

Cybercriminals who infiltrate systems and collect data for illegal resale

Passwords:

- Biometrics
- Multi-factor authentication

Anonymous

Anonymous is a loosely associated international network of activist and hacktivist entities. A website nominally associated with the group describes it as "an Internet gathering" with "a very loose and decentralized command structure that operates on ideas rather than directives". The group became known for a series of well-publicized publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites. [Wikipedia]

Threat

Any danger to which a system may be exposed

blended threats

Attacks combining multiple malware or hacking exploits.

trojans

Attempt to sneak in by masquerading as something they're not.

card skimmer

Captures data from a card's magnetic strip

key

Code that unlocks encryption.

dumpster diving

Combing through trash to identify valuable assets.

black hat hackers

Computer criminals who exploit a system's weakness for personal gain; the bad guys.

Botnets or zombie networks:

Computers controlled by malware; Used in DoS attacks, click fraud, sending spam, to decipher accounts that use CAPTCHAs.

social engineering

Con games that trick employees into revealing information or performing other tasks that compromise a firm.

The CIA triad

- Confidentiality
  - data confidentiality
  - privacy
- Integrity
  - data integrity
  - system integrity
- Availability

firewalls

Control network traffic, block unauthorized traffic.

spoofing

Email transmissions and packets that have been altered to forge or disguise their origin or identity.

brute force attacks

Exhausts all possible password combinations to break into an account.

denial-of-service attacks (DoS)

Flooding a server with thousands of false requests to crash the network.

shoulder surfing

Gaining compromising information through observation

viruses

Infect other software or files

malicious adware

Installed without full user consent or knowledge, later serve unwanted advertisements.

RAM scraping or storage scanning software

Malicious code that scans for sensitive data

signature

Malware _____ are a sort of electronic fingerprint often used to recognize malicious code.

ransomware

Malware that encrypts a user's files and demands that the user pay to regain control of their data and/or device.

biometrics

Measure and analyze human body characteristics for identification or authentication.

Intrusion detection systems:

Monitor network use for hacking attempts and take preventive action

spyware

Monitors user actions, network traffic, or scans for files.

zero day exploits

New attacks that haven't been clearly identified and haven't been incorporated into security screening systems.

hacktivists

One challenge for Facebook Mobile is newsfeed ads. Users tend to ignore ads in their newsfeed even more than they do ads that appear on the side of conventional web pages.

Constant vigilance regarding security needs to be

Part of one's individual skill set. A key component in an organization's culture.

Factors that can amplify a firm's vulnerability to a breach

- Personnel issues
- Technology problems
- Procedural factors
- Operational issues

cash-out fraudsters

Purchase assets from data harvesters to buy goods using stolen credit cards or create false accounts

security policy

Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals

audits

Real-time monitoring of usage: announced and surprise.

screen capture

Records pixels that appear on a user's screen to identify proprietary information.

keylogger

Records user keystrokes; can be software-based or hardware-based.

pharming

Redirects users to a bogus web page, even when the individual types the correct Web page address into his or her browser.

INSIDERS (BAD APPLES)

Rogue employees who steal secrets, install malware, or hold a firm hostage.

malicious software

Seeks to compromise a computing system without permission

distributed denial of service (DDoS) attacks

Shutting down Web sites with a crushing load of seemingly legitimate requests. An attack where a firm's computer system is flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the system.

spear Phishing

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data

Countermeasures

Specific steps or actions taken to reduce probability of a threat becoming a vulnerability and breach

botnets

Surreptitiously infiltrated computers, controlled remotely

worms

Take advantage of a security vulnerability to spread automatically.

certificate authority

Trusted third party that provides authentication services in public key encryption schemes.

public key encryption

Two-key system used for securing electronic transmissions.

white hat hackers

Uncover computer weaknesses without exploiting them and contribute to improving system security; the good guys who probe for weaknesses but don't exploit them.

Distributed denial-of-service attacks (DDoS)

Use of numerous computers to launch a DoS

authentication

Confirms the identity of the person requiring access to use the system.

phishing

Cons executed through technology that often try to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information constitute:

blacklists

Denying the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions; block known bad guys.

authorization

Determines which actions, rights, or privileges the person has based on his or her verified identity.

ISO 27000

Framework that represents a series of standards for best practices in implementing, maintaining, and improving organizational security.

Exposure

The harm, loss, or damage that can result if a threat compromises an information resource.

Vulnerability

The possibility that the system will be harmed by a threat.

multi-factor authentication

When identity is proven by presenting more than one item as proof of credentials.

difference between viruses and worms

Worms do not need an executable to spread, unlike viruses.
