IS 303 Chapter 4


Tools to prevent information misuse:

- Information Secrecy
- Information Governance
- Information Management
- Information Compliance
- Information Property

Information security

- a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization

Nonrepudiation

- a contractual stipulation to ensure that ebusiness participants do not deny their online actions

Smart card

- a device about the size of a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

Ransomware

- a form of malicious software that infects your computer and asks for money

Pretexting

- a form of social engineering in which one individual lies to obtain confidential data about another individual

Spam

- a form of unsolicited email

Authentication

- a method for confirming users' identities

Information governance

- a method or system of government for information management or control

Privilege Escalation

- a network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications

Sniffer

- a program or device that can monitor data traveling over a network

Spyware

- a special class of adware that collects data about the user and transmits it over the Internet without the user's knowledge or permission

Phishing

- a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

Scareware

- a type of malware that's downloaded onto your computer and that tries to convince you that your computer is infected with a virus or other type of malware.

Information property

- an ethical issue that focuses on who owns information about individuals and how information can be sold and exchanged

Personally Identifiable Information (PII)

- any data that can be used to identify, locate, or contact an individual

Nonsensitive PII

- is information transmitted without encryption and includes information collected from public records, phone books, corporate directories, websites, etc.

Organizational information

- is intellectual capital; it must be protected

Adware

- is software that, although purporting to serve some useful function and often fulfilling that function, also allows Internet advertisers to display advertisements without the consent of the computer user.

Insiders

- legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

Backdoor programs

- open a way into the network for future attacks

Dumpster diving

- or looking through people's trash, is another way hackers obtain information.

Social media policy

- outlining the corporate guidelines or principles governing employee online communications

Content filtering

- prevents emails containing sensitive information from transmitting and stops spam and viruses from spreading

Downtime

- refers to a period of time when a system is unavailable

Acceptable Use Policy (AUP)

- requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet

Pharming

- reroutes requests for legitimate websites to false websites

Cyberterrorists

- seek to cause harm to people or to destroy critical systems or information and use the internet as a weapon of mass destruction

Tokens

- small electronic devices that change user passwords automatically

Malware

- software that is intended to damage or disable computers and computer systems.

Virus

- software written with malicious intent to cause annoyance or damage

Worm

- spreads itself not only from file to file but also from computer to computer

Employee monitoring policy

- stating explicitly how, when, and where the company monitors its employees

Information compliance

- the act of conforming, acquiescing, or yielding information

Confidentiality

- the assurance that messages and information are available only to those who are authorized to view them

Information secrecy

- the category of computer security that addresses the protection of data from unauthorized disclosure and confirmation of data source authenticity

Biometrics

- the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting

Astroturfing

- the practice of artificially stimulating online conversation and positive reviews about a product

Ethics

- the principles and standards that guide our behavior toward other people

Authorization

- the process of giving someone permission to do or have something

Privacy

- the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent

Sock puppet marketing

- the use of a false identity to artificially stimulate demand for a product, brand or service

Workplace MIS monitoring

- tracks people's activities by such measures as number of keystrokes, error rate, and number of transactions processed

White-hat hackers

- work at the request of the system owners to find system vulnerabilities and plug the holes

Sensitive PII

- is information transmitted with encryption and, when disclosed, results in a breach of an individual's privacy and can potentially cause the individual harm

Splogs (spam blogs)

- are fake blogs created solely to raise the search engine rank of affiliated websites. Even blogs that are legitimate are plagued by spam, with spammers taking advantage of the Comment feature of most blogs to post comments with links to spam sites.

Hoaxes

- attack computer systems by transmitting a virus hoax, with a real virus attached

Vertical privilege escalation

- attackers grant themselves a higher access level such as administrator, allowing the attacker to perform illegal actions such as running unauthorized code or deleting data

Horizontal privilege escalation

- attackers grant themselves the same access levels they already have but assume the identity of another user

Distributed denial-of-service attack (DDoS)

- attacks from multiple computers that flood a website with so many requests for service that it slows down or crashes. A common type is the Ping of Death, in which thousands of computers try to access a website at the same time, overloading it and shutting it down.

Common types of hackers:

- black-hat hackers
- crackers
- cyberterrorists
- hacktivists
- script kiddies
- white-hat hackers

Black-hat hackers

- break into other people's computer systems and may just look around or may steal and destroy information

Polymorphic viruses and worms

- change their form as they propagate

Packet tampering

- consists of altering the contents of packets as they travel over the internet or altering data on computer disks after penetrating a network

Identity theft

- consists of forging someone's identity for the purpose of fraud

Spoofing

- consists of forging the return address on an email so that the message appears to come from someone other than the actual sender

Information privacy policy

- contains general principles regarding information privacy
- the unethical use of information happens not through the malicious scheming of a rogue marketer but, rather, unintentionally

Ethical computer use policy

- contains general principles to guide computer user behavior
- the users should be informed by the rules and, by agreeing to use the system on that basis, consent to abide by them

Internet use policy

- contains general principles to guide the proper use of the internet

Information security plan

- details how an organization will implement the information security policies

Email privacy policy

- details the extent to which email messages may be read by others
- companies can mitigate many of the risks of using electronic messaging systems by implementing and adhering to an email privacy policy

Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement:

- ethical computer use policy
- information privacy policy
- acceptable use policy
- email privacy policy
- social media policy
- workplace monitoring policy

Information management

- examines the organizational resource of information and regulates its definitions, uses, value, and distribution ensuring it has the types of data/information required to function and grow effectively

Hacker

- experts in technology who use their knowledge to break into computers and computer networks, either for profit or just motivated by the challenge

Intrusion detection software (IDS)

- features full-time monitoring tools that search for patterns in network traffic to identify intruders

Script kiddies

- find hacking code on the internet and click-and-point their way into systems to cause damage or spread viruses

Denial-of-service attack (DoS)

- floods a website with so many requests for service that it slows down or crashes the site

Information ethics

- govern the ethical and moral issues arising from the development and use of information technologies, as well as the creation, collection, duplication, distribution, and processing of information itself

Social engineering

- hackers use their social skills to trick people into revealing access credentials or other valuable information

Crackers

- have criminal intent when hacking

Hacktivists

- have philosophical and political reasons for breaking into systems and will often deface the website as a protest

Trojan-horse virus

- hides inside other software, usually as an attachment or a downloadable file

Information security policies

- identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days

Malicious code

- includes a variety of threats such as viruses, worms, and Trojan horses

The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan:

- information security policies
- information security plan

The biggest issue surrounding information security is not a technical issue, but a people issue:

- insiders
- social engineering
- dumpster diving
- pretexting

Intellectual property

- intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents

Firewall

- is a hardware and/or software that guards a private network by analyzing the information leaving and entering the network

Elevation of Privilege (EoP)

- is a process by which a user misleads a system into granting unauthorized rights, usually for the purpose of compromising or destroying the system

The most secure type of authentication involves:

1) something the user knows (most common and ineffective): ID and password
2) something the user has: chips on credit cards
3) something that is part of the user: fingerprint

Technologies available to help prevent and build resistance to attacks include:

1. Content filtering
2. Encryption
3. Firewall

Three areas of information security:

1. People (Authentication and Authorization)
2. Data (Prevention and Resistance)
3. Attacks (Detection and Response)

Business issues related to information ethics:

1. intellectual property
2. copyright
3. pirated software
4. counterfeit software
5. digital rights management

Security threats to Ebusiness include:

- Elevation of privilege
- Hoaxes
- Malicious code
- Packet tampering
- Sniffer
- Spoofing
- Splogs
- Spyware
