Management Information Systems Chapter 7 Information Security (WileyPlus) (IS 312)
Risk analysis involves three steps:
(1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset's being compromised with the costs of protecting that asset.
Communication controls (also called network controls)
(Blank) secure the movement of data across networks. (Blank) consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks, Transport Layer Security (formerly Secure Sockets Layer), and employee monitoring systems.
Public-key encryption (also called asymmetric encryption)
(also called asymmetric encryption) A type of encryption that uses two different keys, a public key and a private key.
warm site
A (blank) provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A (blank) includes computing equipment such as servers, but it often does not include user workstations.
Privilege
A collection of related computer system operations that can be performed by users of the system
Denial-of-service attack
A cyberattack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources.
Distributed denial-of-service attack
A denial-of-service attack that sends a flood of data packets from many compromised computers simultaneously. These computers are called zombies or bots. The attacker uses these bots, which together form a botnet, to deliver a coordinated stream of information requests to a target computer, causing it to crash.
Least privilege
A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
(VPN) Virtual private network
A private network that uses a public network (usually the Internet) to securely connect users by using encryption.
Tunneling
A process that encrypts each data packet to be sent and places each encrypted packet inside another packet.
Risk mitigation
A process whereby the organization takes concrete actions against risks. It has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery if the threat becomes a reality.
Demilitarized zone (DMZ)
A separate organizational local area network that is located between an organization's internal network and an external network, usually the Internet.
Trojan horse
A software program containing a hidden function that presents a security risk.
Certificate authority
A third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.
Risk acceptance
Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Adware
Alien software designed to help pop-up advertisements appear on your screen.
Spyware
Alien software that can record your keystrokes and/or capture your passwords.
Spamware
Alien software that uses your computer as a launch platform for spammers.
Distributed Denial-of-service attack
An attacker takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots--which form a botnet--to deliver a coordinated stream of information requests to a target computer, causing it to crash.
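Worked example for the two denial-of-service cards above. This is added illustration code, not material from the textbook or from any product: it reads a constructed web server log, counts requests per source address in fixed time windows, flags windows whose request count exceeds a threshold, and labels a flood that comes almost entirely from one address as a plain DoS and a flood spread across many addresses (the zombies of a botnet) as a DDoS. The log format, thresholds and every IP address are assumptions made for the example.

```python
"""Added example (not from the textbook or any product): spotting a request
flood in a web server log and telling a single-source DoS from a DDoS.

The log format (epoch seconds, client IP, method, path), the thresholds and
every address below are constructed for this illustration."""
from collections import Counter, defaultdict

WINDOW_SECONDS = 10         # assumption: count requests in 10-second windows
FLOOD_THRESHOLD = 50        # assumption: more than 50 requests per window is a flood
SINGLE_SOURCE_SHARE = 0.8   # assumption: one IP sending >= 80% of a flood = plain DoS


def parse_line(line):
    """'<epoch_seconds> <client_ip> <method> <path>' -> (timestamp, client_ip)."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    return int(ts), ip


def requests_per_window(lines):
    """Map each window index to a Counter of requests per source IP."""
    windows = defaultdict(Counter)
    for line in lines:
        ts, ip = parse_line(line)
        windows[ts // WINDOW_SECONDS][ip] += 1
    return windows


def classify(lines):
    """Return (window_start, verdict, total_requests, distinct_sources) for
    every window whose request count exceeds the flood threshold.

    A flood dominated by one address is reported as 'DoS'; a flood spread
    over many addresses (zombies in a botnet) is reported as 'DDoS'."""
    findings = []
    for index, counts in sorted(requests_per_window(lines).items()):
        total = sum(counts.values())
        if total <= FLOOD_THRESHOLD:
            continue
        top_share = max(counts.values()) / total
        verdict = "DoS" if top_share >= SINGLE_SOURCE_SHARE else "DDoS"
        findings.append((index * WINDOW_SECONDS, verdict, total, len(counts)))
    return findings


def _constructed_log():
    """Three windows: normal traffic, a one-host flood, a twenty-bot flood."""
    lines = []
    for second, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12",
                                 "192.0.2.10", "192.0.2.11"]):
        lines.append(f"{second} {ip} GET /index.html")
    for i in range(60):                              # seconds 10..19, one source
        lines.append(f"{10 + i % 10} 203.0.113.7 GET /login")
    lines.append("15 192.0.2.10 GET /about")         # a legitimate user caught in it
    for bot in range(1, 21):                         # seconds 20..29, twenty bots
        for j in range(4):
            lines.append(f"{20 + 2 * j} 198.51.100.{bot} GET /search?q=x")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for start, verdict, total, sources in classify(SAMPLE_LOG):
        print(f"t={start:>3}s {verdict:4s} {total} requests from {sources} source(s)")
```

The distinction matters for the response: a single-source flood can be dropped at the firewall by address, while a botnet flood cannot be blocked by address without also blocking legitimate users, which is why DDoS mitigation usually relies on rate limiting and upstream filtering instead.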
Digital certificate
An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.
Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL)
An encryption standard used for secure transactions such as credit card purchases and online banking. TLS is indicated by a URL that begins with "https" rather than "http," and the browser usually displays a small padlock icon in the address bar.
vulnerability
An information resource (blank) is the possibility that the system will be harmed by a threat.
Cyberterrorism
Can be defined as a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.
Alien software
Clandestine software that is installed on your computer through duplicitous methods.
Theft of Equipment or Information
Computing devices and storage devices are becoming smaller yet more powerful, with vastly increased storage. As a result, they are easier to steal and easier to lose, and a single lost laptop or thumb drive can carry a large amount of sensitive information.
Communications (Network) controls
Controls that deal with the movement of data across networks.
Physical controls
Controls that restrict unauthorized individuals from gaining access to a company's computer facilities.
Identity Theft
Crime in which someone uses the personal information of others to create a false identity and then uses it for some fraud.
Controls
Defense mechanisms (also called countermeasures).
Worm
Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.
10 types of deliberate attacks
Espionage or trespass Information extortion Sabotage and vandalism Theft of equipment and information Identity theft Compromises to intellectual property Software attacks Alien software Supervisory control and data acquisition (SCADA) attacks Cyberterrorism and cyberwarfare
10 common types of deliberate threats
Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information Identity theft Compromises to intellectual property Software attacks Alien software Supervisory control and data acquisition (SCADA) attacks Cyberterrorism and cyberwarfare
Social engineering
Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.
Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
Human mistakes are unintentional errors. However, employees can also make unintentional mistakes as a result of actions by an attacker, such as social engineering. Social engineering is an attack where the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information. An example of a human mistake is tailgating. An example of social engineering is when an attacker calls an employee on the phone and impersonates a superior in the company.
Information Extortion
Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
Trade secret
Intellectual work, such as a business plan, that is a company secret and is not based on public information.
Risk limitation
Limit the risk by implementing controls that minimize the impact of the threat.
Virus
Malicious software that can attach itself to (or "infect") other computer programs without the owner of the program being aware of the infection.
certificate authority
Organizations that conduct business over the internet require a more complex system from a third party, called a (blank), which acts as a trusted intermediary between the companies.
3 risk mitigation strategies
Risk acceptance Risk limitation Risk transference
SCADA (Supervisory Control and Data Acquisition Attacks)
SCADA refers to a large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.
Sabotage or Vandalism
Sabotage and vandalism are deliberate acts that involve defacing an organization's Web site, potentially damaging the organization's image and causing its customers to lose faith. One form of online vandalism is a hacktivist or cyberactivist operation.
Logic bomb
Segments of computer code embedded within an organization's existing computer programs, designed to activate and perform a destructive action at a certain time or date.
Cookies
Small amounts of information that Web sites store on your computer, temporarily or more or less permanently.
Software Attacks
Software attacks have evolved from the early years of the computer era, when attackers used malicious software to infect as many computers worldwide as possible, to the profit-driven, Web-based attacks of today. Types below:
Anti-malware systems
Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
risk mitigation strategies
The 3 most common (blank) that organizations can adopt:
1. Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
2. Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
3. Risk transference: transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.
Business Continuity plan aka Disaster Recovery plan
The chain of events linking planning to protection and to recovery. In the event of a major disaster, organizations can employ several strategies for business continuity. These strategies include hot sites, warm sites, and cold sites.
risk management
The goal of (blank) is to identify, control, and minimize the impact of threats.
Screen scraper or screen grabbers
This software records a continuous "movie" of a screen's contents rather than simply recording keystrokes.
Five factors that contribute to the increasing vulnerability of information resources
1. Today's interconnected, interdependent, wirelessly networked business environment. Example: the Internet.
2. Smaller, faster, cheaper computers and storage devices. Examples: netbooks, thumb drives, iPads.
3. Decreasing skills necessary to be a computer hacker. Examples: information system hacking programs circulating on the Internet.
4. International organized crime taking over cybercrime. Examples: organized crime has formed transnational cybercrime cartels. Because it is difficult to know exactly where cyberattacks originate, these cartels are extremely hard to bring to justice.
5. Lack of management support. Example: suppose that your company spent $10 million on information security countermeasures last year, and it did not experience any successful attacks on its information resources. Short-sighted management might conclude that the company could spend less during the next year and obtain the same results. Bad idea.
Risk transference
Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.
Attacks by a Programmer Developing a System
Trojan Horse Back Door Logic Bomb
Back door
Typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.
Remote Attacks Requiring User Action
Virus, Worm, Phishing attack, Spear phishing
Cyberwarfare
War in which a country's information systems could be paralyzed from a massive attack by destructive software.
Something the user is
also known as biometrics, is an authentication method that examines a person's innate physical characteristics.
Security
can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.
Auditing through the computer
checks inputs, outputs, and processing. Auditors review program logic and test the data contained within the system.
Competitive intelligence
consists of legal information-gathering techniques, such as studying a company's Web site and press releases, attending trade shows, etc.
Authorization
determines which actions, rights, or privileges the person has, based on his or her verified identity.
Transport Layer Security (TLS)
formerly called Secure Sockets Layer (SSL), is an encryption standard used for secure transactions such as credit card purchases and online banking.
Risk analysis
involves three steps: (1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset's being compromised with the costs of protecting the asset.
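Worked example for the risk analysis cards and the three risk mitigation strategies (risk acceptance, risk limitation, risk transference). This is added illustration code, not from the textbook: it carries the three steps through for a few constructed assets and picks a strategy for each. The quantification is an assumption of the example, not the course's: expected yearly loss is asset value times the yearly probability of compromise; a control is worth buying (risk limitation) only when it costs less per year than the loss it removes; insurance (risk transference) is worth buying only when the premium is below the expected loss; otherwise the risk is accepted.

```python
"""Added example (not from the textbook): risk analysis and choice of a
mitigation strategy, following the chapter's three steps.

Assumptions (the example's, not the course's): expected yearly loss is asset
value times yearly probability of compromise; a control pays when its yearly
cost is below the loss it averts; insurance pays when the premium is below
the expected loss."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # step 1: value of the asset (dollars)
    p_compromise: float     # step 2: yearly probability of compromise (0..1)
    control_cost: float     # yearly cost of the control that would protect it
    control_effect: float   # fraction of the expected loss the control removes
    insurance_cost: float   # yearly premium to transfer the risk


def expected_loss(asset: Asset) -> float:
    """Step 2 quantified: annualized loss expectancy."""
    return asset.value * asset.p_compromise


def recommend(asset: Asset) -> str:
    """Step 3: compare the probable cost of compromise with the cost of
    protection, and return one of the chapter's three strategies."""
    loss = expected_loss(asset)
    averted = loss * asset.control_effect
    if asset.control_cost < averted:       # control cheaper than the loss it removes
        return "risk limitation"
    if asset.insurance_cost < loss:        # premium cheaper than the expected loss
        return "risk transference"
    return "risk acceptance"               # neither is worth it: absorb the damage


# Constructed sample assets (values and probabilities are illustrative)
ASSETS = [
    Asset("customer database",     2_000_000, 0.10, 40_000, 0.8, 150_000),
    Asset("lobby kiosk",               5_000, 0.30,  3_000, 0.9,   1_000),
    Asset("marketing brochure PDF",      500, 0.50,  2_000, 1.0,     900),
]


def plan(assets=ASSETS) -> dict:
    """Asset name -> recommended mitigation strategy."""
    return {asset.name: recommend(asset) for asset in assets}


if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name:24s} expected loss ${expected_loss(asset):>10,.0f}"
              f" -> {recommend(asset)}")
```

The point of step 3 is the comparison, not the absolute numbers: the same $40,000 control that is clearly justified for the customer database would be wasted on the brochure, whose entire expected loss is a fraction of the control's cost.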
privilege
is a collection of related computer system operations that a user is authorized to perform.
hot site
is a fully configured computer facility with all of the company's services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations.
virtual private network
is a private network that uses a public network (usually the internet) to connect users.
Copyright
is a statutory grant that provides the creators or owners of intellectual property with ownership of the property for a designated period.
Tailgating
is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to "hold the door."
Something the user knows
is an authentication mechanism that includes passwords and passphrases.
Something the user has
is an authentication mechanism that includes regular identification cards, smart ID cards, and tokens.
Something the user does
is an authentication mechanism that includes voice and signature recognition.
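Worked example for the authentication factor cards above (something the user knows, has, is, does). This is added illustration code, not from the textbook: it combines "something the user knows" (a password checked against a salted, slow PBKDF2 hash, never stored in clear) with "something the user has" (the six-digit time-based one-time code that a hardware or phone token displays, computed as in RFC 6238 TOTP) so that a login succeeds only when both factors check out. The user record, the password and the token secret are constructed for the example; the token secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC's published values.

```python
"""Added example (not from the textbook): two-factor login combining
'something the user knows' (salted PBKDF2 password hash) with 'something the
user has' (RFC 6238 time-based one-time code from a token).

The user record, password and token secret are constructed for the example;
the token secret is the RFC 6238 test-vector key."""
import hashlib
import hmac
import os
import struct

ITERATIONS = 200_000   # assumption: PBKDF2 work factor


def hash_password(password: str, salt: bytes = None):
    """Something you know: store only salt + slow hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Something you have: the code the token shows at time `now` (RFC 6238)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, skew: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current code and `skew` steps either side (clock drift)."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    return any(hmac.compare_digest(totp(secret, now + k * step, step, digits), code)
               for k in range(-skew, skew + 1))


# Constructed user record
TOKEN_SECRET = b"12345678901234567890"          # RFC 6238 test key (demo only)
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _salt, "digest": _digest, "token_secret": TOKEN_SECRET}}


def login(username: str, password: str, code: str, now: int, skew: int = 1) -> bool:
    """Both factors must pass; an unknown user fails without revealing why."""
    record = USERS.get(username)
    if record is None:
        return False
    knows = verify_password(password, record["salt"], record["digest"])
    has = verify_totp(record["token_secret"], code, now, skew)
    return knows and has


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(TOKEN_SECRET, now)
    print("token shows:", code)
    print("login ok:", login("alice", "correct horse battery staple", code, now))
```

A stolen password alone fails the check, and so does a stolen token without the password; that independence of the two factors is what makes the combination stronger than either one.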
patent
is an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.
demilitarized zone (DMZ)
is located between the two firewalls (internal & external). Messages from the internet must first pass through the external firewall.
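Worked example for the DMZ and firewall cards (and the whitelisting/blacklisting listed under communication controls). This is added illustration code, not from the textbook or any firewall vendor: it models the two-firewall design, an external firewall between the Internet and the DMZ and an internal one between the DMZ and the internal LAN, evaluates each firewall's rules first-match with a default of deny, checks a blacklist of known-bad source ranges first, and works out which firewalls a packet has to cross from the zones of its source and destination. The address plan, rules, blacklist and packets are all constructed assumptions.

```python
"""Added example (not from the textbook or any firewall vendor): a model of
the two-firewall DMZ design, with blacklisting and first-match rule
evaluation under a default-deny policy.

Zones, addresses, rules and packets below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {                                   # assumption: address plan
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}
BLACKLIST = [ip_network("203.0.113.0/24")]  # assumption: known-bad source range


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"                       # anything not ours is the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]            # None matches any destination port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # None matches any source address

    def matches(self, packet: Packet) -> bool:
        return (self.src_zone == zone_of(packet.src)
                and self.dst_zone == zone_of(packet.dst)
                and self.dport in (None, packet.dport)
                and self.src_host in (None, packet.src))


# External firewall: between the Internet and the DMZ.
EXTERNAL_FW = [
    Rule("internet", "dmz", 443, "allow"),       # public web front end
    Rule("internet", "dmz", 80, "allow"),
    Rule("dmz", "internet", 443, "allow"),       # DMZ hosts fetching updates
    Rule("internal", "internet", 443, "allow"),  # staff browsing
]
# Internal firewall: between the DMZ and the internal LAN.
INTERNAL_FW = [
    Rule("dmz", "internal", 5432, "allow", src_host="192.0.2.10"),  # web -> db only
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "internet", 443, "allow"),
]


def firewalls_on_path(src_zone: str, dst_zone: str):
    """Internet <-> DMZ crosses only the external firewall, DMZ <-> internal
    only the internal one, Internet <-> internal both."""
    zones = {src_zone, dst_zone}
    path = []
    if "internet" in zones:
        path.append(EXTERNAL_FW)
    if "internal" in zones:
        path.append(INTERNAL_FW)
    return path


def evaluate(rules, packet: Packet) -> str:
    """First matching rule wins; no match means deny (default-deny policy)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def decide(packet: Packet) -> str:
    """Blacklist check first, then every firewall on the path must allow."""
    if any(ip_address(packet.src) in net for net in BLACKLIST):
        return "deny"
    src_zone, dst_zone = zone_of(packet.src), zone_of(packet.dst)
    if src_zone == dst_zone:
        return "allow"                      # same zone: no firewall in between
    return "allow" if all(evaluate(fw, packet) == "allow"
                          for fw in firewalls_on_path(src_zone, dst_zone)) else "deny"
```

Note that no rule on either firewall allows traffic straight from the Internet to the internal LAN, so a request from the Internet to an internal file server is dropped at the external firewall, while the DMZ web server can reach the internal database only on its one port and only from its own address.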
Malware
is malicious software such as viruses and worms.
risk
is the probability that a threat will impact an information resource.
Auditing with the computer
means using a combination of client data, auditor software, and client and auditor hardware. This approach enables the auditor to perform tasks such as simulating payroll program logic using live data.
Auditing around the computer
means verifying processing by checking for known outputs using specific inputs. This approach is most effective for systems with limited outputs.
Shoulder surfing
occurs when a perpetrator watches an employee's computer screen over the employee's shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes.
Espionage or trespass
occurs when an unauthorized individual attempts to gain illegal access to organizational information.
exposure
of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
3 major types of controls
physical controls, access controls, and communication (network) controls
Physical controls
prevent unauthorized individuals from gaining access to a company's facilities. Examples: walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure sensors, temperature sensors, motion detectors.
cold site
provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations.
keyloggers
record both your individual keystrokes and your Internet Web browsing history
Information security
refers to all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Access controls
restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization.
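Worked example for the access control, authorization, privilege and least privilege cards. This is added illustration code, not from the textbook: a privilege is modelled as a named collection of related operations (the chapter's definition), roles bundle privileges, users hold roles, and authorization for an already-authenticated identity is a lookup that denies anything not explicitly granted. The least-privilege review at the end compares what each user may do with what they actually did over a period and lists the granted operations nobody exercised, which are the candidates for removal. The privileges, roles, users and usage log are constructed.

```python
"""Added example (not from the textbook): access control as the chapter
describes it, with privileges as named collections of operations,
authorization decided from a verified identity, and a least-privilege review
that finds granted operations nobody has used.

The privileges, roles, users and usage log below are constructed."""
from collections import defaultdict

# A privilege is a collection of related operations (chapter definition).
PRIVILEGES = {
    "read_payroll":   {"payroll:view"},
    "manage_payroll": {"payroll:view", "payroll:edit", "payroll:approve"},
    "helpdesk":       {"user:reset_password", "ticket:view"},
}
ROLES = {                       # role -> privileges granted to it
    "clerk":         {"read_payroll"},
    "payroll_admin": {"manage_payroll"},
    "support":       {"helpdesk"},
}
USERS = {                       # verified identity -> roles
    "alice": {"clerk"},
    "bob":   {"payroll_admin"},
    "carol": {"support"},
}


def operations_for(identity: str) -> set:
    """Every operation the identity is authorized to perform."""
    ops = set()
    for role in USERS.get(identity, ()):
        for privilege in ROLES.get(role, ()):
            ops |= PRIVILEGES.get(privilege, set())
    return ops


def authorize(identity: str, operation: str) -> bool:
    """Authorization: does this (already authenticated) identity hold the right?
    Unknown identities and unknown operations are denied by default."""
    return operation in operations_for(identity)


def least_privilege_review(usage_log) -> dict:
    """Compare what each user may do with what they actually did.

    `usage_log` is an iterable of (identity, operation) records of performed
    operations. Returns identity -> granted operations never exercised, the
    candidates for removal under least privilege."""
    used = defaultdict(set)
    for identity, operation in usage_log:
        used[identity].add(operation)
    return {identity: operations_for(identity) - used[identity]
            for identity in USERS}


# Constructed usage log for one review period
USAGE_LOG = [
    ("alice", "payroll:view"),
    ("bob", "payroll:view"), ("bob", "payroll:edit"), ("bob", "payroll:view"),
    ("carol", "ticket:view"),
]

if __name__ == "__main__":
    for identity, unused in least_privilege_review(USAGE_LOG).items():
        print(f"{identity}: granted but unused -> {sorted(unused) or 'nothing'}")
```

The review is only a starting point: an operation unused this period may still be needed (an approval that happens quarterly, say), so the output is a list to justify or revoke, not an automatic revocation.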
Spear phishing
Phishing attacks target large groups of people. In (blank) attacks, the perpetrator attempts to find out as much information about an individual as possible to improve the chances that phishing techniques will obtain sensitive, personal information.
CAPTCHA
A challenge of distorted letters and numbers that a person can read but software cannot easily; the fact that you can transcribe them means that you are probably not a software program run by an unauthorized person, such as a spammer. As a result, attackers have turned to screen scrapers, or screen grabbers.
risk mitigation
the organization takes concrete actions against risks. (blank) has 2 functions: Implementing controls to prevent identified threats from occurring Developing a means of recovery if the threat becomes a reality
threat
to an information resource is any danger to which a system may be exposed.
Public-key encryption (also known as asymmetric encryption)
uses two different keys: a public and a private key. The public key (locking key) and the private key (the unlocking key) are created simultaneously using the same mathematical formula or algorithm.
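Worked example for the public-key encryption, digital certificate and certificate authority cards. This is added illustration code, not from the textbook: textbook RSA with deliberately tiny primes shows how the public (locking) and private (unlocking) keys come out of the same computation and undo each other, a signature is the private-key operation applied to a hash, and a certificate is a subject name bound to its public key by the certificate authority's signature, which anyone holding the CA's public key can verify. The primes are small so the arithmetic is visible; real keys are thousands of bits and use padding (OAEP/PSS), so this illustrates the relationship between the keys and is not usable cryptography. The key sizes, the CA and the subject names are constructed.

```python
"""Added example (not from the textbook): textbook RSA to show the two-key
idea, plus a minimal digital certificate signed by a certificate authority.

The primes are deliberately tiny so the arithmetic is visible; real keys are
thousands of bits and use padding (OAEP/PSS), so this is an illustration of
the relationship between the keys, not usable cryptography."""
import hashlib
from math import gcd

P, Q = 1_000_003, 1_000_033   # assumption: two small primes for the demo


def make_keypair(p: int, q: int, e: int = 65537):
    """Both keys come out of the same computation: n = p*q and d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be invertible mod phi"
    d = pow(e, -1, phi)
    return (n, e), (n, d)            # public (locking) key, private (unlocking) key


def encrypt(public_key, m: int) -> int:
    n, e = public_key
    assert 0 <= m < n, "message block must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Signing applies the private-key operation to a hash of the data."""
    n, d = private_key
    return pow(_digest_int(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)


def _cert_bytes(subject: str, public_key) -> bytes:
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """The CA binds a subject's name to its public key by signing both."""
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(ca_private_key, _cert_bytes(subject, subject_public_key))}


def verify_certificate(ca_public_key, cert: dict) -> bool:
    """A relying party trusts the CA key, so it can check the binding."""
    return verify(ca_public_key, _cert_bytes(cert["subject"], cert["public_key"]),
                  cert["signature"])


# Constructed CA and merchant keys (different primes for the CA)
CA_PUBLIC, CA_PRIVATE = make_keypair(1_000_037, 1_000_039)
MERCHANT_PUBLIC, MERCHANT_PRIVATE = make_keypair(P, Q)
MERCHANT_CERT = issue_certificate(CA_PRIVATE, "shop.example", MERCHANT_PUBLIC)

if __name__ == "__main__":
    m = int.from_bytes(b"pay!", "big")        # one 4-byte block, smaller than n
    c = encrypt(MERCHANT_PUBLIC, m)
    print("ciphertext:", c, "decrypts to:", decrypt(MERCHANT_PRIVATE, c).to_bytes(4, "big"))
    print("certificate valid:", verify_certificate(CA_PUBLIC, MERCHANT_CERT))
```

The certificate check is what an https client does with the merchant's certificate before trusting the merchant's public key: a certificate whose subject or key has been altered, or one signed by a key the client does not trust, fails verification.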