MIS CH 15
PHISHING
- Con executed using technology, in order to: - Acquire sensitive information. - Trick someone into installing malicious software.
Taking Action as a User
- Surf smart. - Stay vigilant. - Stay updated. - Install a full suite of security software. - Secure home networks and encrypt hard drives. - Regularly update passwords. - Be disposal smart. - Regularly back up your system. - Check with your administrator.
Which of the following factors is thought to have been at work during the Target security breach? - Notifications from security software were ignored. - The database for credit card transactions wasn't sufficiently isolated from other parts of the system. - Malicious code was disguised by using the name of a legitimate software product. - Target's security software could have automatically deleted detected malware, but this function was turned off.
All of the above.
White hat hackers
- Uncover computer weaknesses without exploiting them. - Contribute to improving system security.
DUMPSTER DIVING
Combing through trash to identify valuable assets.
BRUTE-FORCE ATTACKS
Exhausts all possible password combinations to break into an account.
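Added example (not from the textbook or these notes): a brute-force attack against a short, hashed PIN, plus the keyspace arithmetic that explains why longer passwords from a larger character set defeat the same attack. The PIN, the hash and the guess rate are constructed for the demo.

```python
"""Brute-force demo: exhaust every candidate password until the hash matches.

Added example, not code from the textbook.  The target PIN "7391", its SHA-256
hash and the guess rates below are constructed for illustration.
"""
import hashlib
import itertools
import string

DIGITS = string.digits                     # 10-symbol alphabet for a numeric PIN


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed target: the hash a leaked database might hold for PIN 7391.
TARGET_HASH = sha256_hex("7391")


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force(target_hash: str, alphabet: str, max_length: int):
    """Try every combination of `alphabet` up to `max_length` characters.

    Returns (password, attempts) on success, or (None, attempts) if the
    keyspace is exhausted without a match.
    """
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def demo():
    """Run the attack and compare keyspaces; returns the findings as a dict."""
    pin, tries = brute_force(TARGET_HASH, DIGITS, 4)
    # Assumed guess rate: 1e10 SHA-256 hashes/s, a plausible GPU figure for a
    # fast unsalted hash.  A slow password hash (bcrypt, scrypt, argon2)
    # cuts this rate by orders of magnitude.
    rate = 1e10
    return {
        "recovered_pin": pin,
        "attempts": tries,
        "seconds_8_lowercase": worst_case_seconds(26, 8, rate),
        "seconds_12_mixed": worst_case_seconds(95, 12, rate),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to notice when it runs: the 4-digit PIN falls in a few thousand hashes, and moving from 8 lowercase letters to 12 mixed characters turns seconds into tens of thousands of years at the same guess rate, which is the arithmetic behind "regularly update passwords" and behind choosing long ones.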
Security Breach
Factors that can amplify a firm's vulnerability to a breach: - Personnel issues. - Technology problems. - Procedural factors. - Operational issues. Constant vigilance regarding security needs to be: - Part of one's individual skill set. - A key component in an organization's culture.
SHOULDER SURFING
Gaining compromising information through observation.
PASSWORDS
Most users employ ineffective and insecure password practices.
Programs that use _____ are highly restrictive, permitting communication only with pre-approved entities.
Whitelists
Edward Snowden is:
a U.S. government contractor, considered a whistle-blower by many, who released secret documents exposing state-run surveillance networks.
An attack in which a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site, is known as:
distributed denial of service.
Cons executed through technology and that often try to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information constitute:
phishing.
Malware _____ are a sort of electronic fingerprint often used to recognize malicious code.
signatures
Motivation for Information Security Attacks
Account theft and illegal funds transfer. Some hackers steal data for personal use. Data harvesters sell to cash-out fraudsters. Data harvesters: - Cybercriminals who infiltrate systems and collect data for illegal resale. Cash-out fraudsters: - Purchase assets from data harvesters to buy goods using stolen credit cards or create false accounts. Stealing personal or financial data. Compromising computing assets for use in other crimes. Botnets send spam, launch click fraud efforts or stage distributed denial of service (DDoS) attacks. Botnets: - Surreptitiously infiltrated computers, controlled remotely. Distributed denial of service (DDoS) attacks: - Shutting down Web sites with a crushing load of seemingly legitimate requests.
Goals of Malware
Botnets or zombie networks: - Used in click fraud, sending spam, and defeating the CAPTCHAs that guard account setup. CAPTCHAs: - Scrambled character images to thwart automated account setup or ticket buying attempts. Malicious adware: - Installed without full user consent or knowledge, later serves unwanted advertisements. Spyware: - Monitors user actions, network traffic, or scans for files. Keylogger: - Records user keystrokes. Software-based or hardware-based. Screen capture: - Records pixels that appear on a user's screen to identify proprietary information. Card skimmer: - Captures data from a card's magnetic stripe. RAM scraping or storage scanning software: - Malicious code that scans a system's memory or disk for sensitive data. Blended threats: - Attacks combining multiple malware or hacking exploits.
Technology Threats
Compromising poorly designed software. SQL injection: - Targets sloppy programming practices that do not validate user input, so text typed by an attacker is executed as part of a database query. Cross-site scripting attacks and HTTP header injection: - Related injection attacks that also exploit unvalidated input. Push-button hacking: - Tools designed to easily automate attacks. Network threats: - The network itself is a source of compromise.
Black hat hackers
Computer criminals who exploit a system's weakness for personal gain.
SOCIAL ENGINEERING
Con games that trick employees into revealing information or performing other tasks that compromise a firm.
SPOOFED
Email transmissions and packets that have been altered to forge or disguise their origin or identity.
Students are discouraged from using over-the-Internet backup services since these are known sources for security vulnerability.
False; The most likely threat to your data doesn't come from hackers; it comes from hardware failure. Yet most users still don't regularly back up their systems. Internet backup services can provide off-site storage and access if disaster strikes.
Lock down networks:
Firewalls: -Control network traffic, block unauthorized traffic. Intrusion detection systems: - Monitor network use for hacking attempts and take preventive action. Honeypots: - Tempting, bogus targets meant to lure hackers. Blacklists: - Deny the entry of specific IP addresses and other entities. Whitelists: - Permit communication only with approved entities or in an approved manner.
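Added example (not from the textbook or these notes): a minimal packet filter that applies a blacklist and a whitelist to the same traffic, showing why the whitelist is the more restrictive control. The rule sets, hosts and log lines are constructed for the demo and use documentation address ranges.

```python
"""Blacklist versus whitelist filtering over constructed connection log lines.

Added example, not code from the textbook.  The rule sets and the log are
constructed; 10.0.0.0/8, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
private or documentation ranges, not real hosts.
"""
import ipaddress
from typing import Iterable, List, Tuple

Network = ipaddress.IPv4Network


def parse_rules(cidrs: Iterable[str]) -> List[Network]:
    """Turn CIDR strings into network objects once, not per packet."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed policy: a known-bad range we have seen attacks from, and the
# internal network plus one partner host that are allowed to talk to us.
DENY_RULES = parse_rules(["198.51.100.0/24"])
ALLOW_RULES = parse_rules(["10.0.0.0/8", "203.0.113.5/32"])


def blacklist_allows(src: str, denied: List[Network]) -> bool:
    """Default allow: only sources matching a deny rule are blocked."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in denied)


def whitelist_allows(src: str, permitted: List[Network]) -> bool:
    """Default deny: only sources matching an allow rule get through."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in permitted)


# Constructed log: "<timestamp> <src> <dst> <dst_port>"
SAMPLE_LOG = [
    "2024-03-01T10:00:01 10.0.1.7 10.0.0.5 443",        # internal workstation
    "2024-03-01T10:00:02 198.51.100.23 10.0.0.5 22",    # listed attacker range
    "2024-03-01T10:00:03 192.0.2.99 10.0.0.5 3389",     # never-seen-before host
    "2024-03-01T10:00:04 203.0.113.5 10.0.0.5 443",     # approved partner
]


def filter_log(lines: Iterable[str], denied: List[Network],
               permitted: List[Network]) -> List[Tuple[str, bool, bool]]:
    """For each line return (src, allowed_by_blacklist, allowed_by_whitelist)."""
    results = []
    for line in lines:
        _ts, src, _dst, _port = line.split()
        results.append((src, blacklist_allows(src, denied),
                        whitelist_allows(src, permitted)))
    return results


if __name__ == "__main__":
    print("source           blacklist  whitelist")
    for src, bl, wl in filter_log(SAMPLE_LOG, DENY_RULES, ALLOW_RULES):
        print(f"{src:16} {'allow' if bl else 'block':9}  {'allow' if wl else 'block'}")
```

The third log line is the one that matters: 192.0.2.99 is not on the blacklist, so the blacklist lets it through, while the whitelist blocks it because it was never approved. That is the trade-off the notes describe: whitelists are highly restrictive and stop unknown attackers, at the cost of having to approve every legitimate peer in advance.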
How protected?
Firms should avoid: - Spending money targeting unlikely exploits. - Underinvesting in methods to thwart common infiltration techniques. Risk assessment team: - Consider vulnerabilities and countermeasure investments. Lobbying for legislation that imposes severe penalties on crooks helps: - Raise adversary costs. - Lower one's likelihood of becoming a victim.
Taking Action as an Organization
Follow frameworks, standards, and compliance. ISO27k or ISO 27000 series: - Standards for establishing, operating, maintaining, and improving an Information Security Management System. Compliance requirements: - Legal or professionally binding steps that must be taken. Education, audit, and enforcement. Functions of research and development: - Understanding emerging threats and updating security techniques. Working on broader governance issues. Employees should: - Know a firm's policies and be regularly trained. - Understand the penalties for failing to meet their obligations. Audits: - Announced and surprise audits, plus real-time monitoring of usage.
_____ refer to protesters seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
Hacktivists
The ______________ framework represents a series of standards for best practices in implementing, maintaining and improving organizational security.
ISO 27000
Technology's role 2
Lock down partners: - Insist on partner firms being compliant with security guidelines and audit them regularly. - Use access controls to control data access on a need-to-know basis. - Use recording, monitoring, and auditing to hunt for patterns of abuse. - Maintain multiple administrators to jointly control key systems. Lock down systems: - Audit for SQL injection and other application exploits. Have failure and recovery plans: - Employ recovery mechanisms to regain control if key administrators are incapacitated or uncooperative. - Broad awareness reduces organizational stigma in coming forward. - Share knowledge on hacking techniques with technology partners.
Biometrics:
Measure and analyze human body characteristics for identification or authentication.
ZERO-DAY EXPLOITS
Attacks that exploit a previously unknown vulnerability, so no patch exists yet and no signature for them has been incorporated into security screening systems.
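Added example (not from the textbook or these notes) covering both the malware signatures entry above and zero-day exploits: a toy signature scanner that recognises a known sample by hash and by byte pattern, and then misses a modified variant until a signature for it is added. The "malware" is an inert byte string and every signature is constructed for the demo.

```python
"""Toy malware signature scanner: why signatures catch known code and miss
what has not been seen yet.

Added example, not code from the textbook.  KNOWN_SAMPLE is an inert,
constructed byte string standing in for a malicious executable; the
signature names and patterns are invented for the demo.
"""
import hashlib
from typing import Dict, List, Union

Signature = Union[str, bytes]   # hex SHA-256 digest, or a raw byte pattern


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed "known malware" sample (a fake PE header plus a marker string).
KNOWN_SAMPLE = b"MZ\x90\x00PE\x00\x00EVIL_DROPPER_v1;beacon=198.51.100.7"

# Signature database as a vendor might ship it: one whole-file hash and one
# byte pattern extracted by an analyst from the same sample.
SIGNATURES: Dict[str, Signature] = {
    "dropper.v1.sha256": sha256_hex(KNOWN_SAMPLE),
    "dropper.v1.pattern": b"EVIL_DROPPER_v1",
}


def scan(blob: bytes, signatures: Dict[str, Signature]) -> List[str]:
    """Return the names of every signature that matches `blob`."""
    digest = sha256_hex(blob)
    hits = []
    for name, sig in signatures.items():
        if isinstance(sig, bytes):
            if sig in blob:            # pattern signature: substring match
                hits.append(name)
        elif sig == digest:            # hash signature: exact file match
            hits.append(name)
    return hits


def add_pattern(signatures: Dict[str, Signature], name: str, pattern: bytes) -> None:
    """Simulate a signature update after analysts examine a new sample."""
    signatures[name] = pattern


# Constructed variants of the same threat and one benign file.
PADDED_SAMPLE = KNOWN_SAMPLE + b"\x00"                               # one byte appended
VARIANT = KNOWN_SAMPLE.replace(b"EVIL_DROPPER_v1", b"EVIL_DROPPER_v2")  # reworked build
BENIGN = b"MZ\x90\x00PE\x00\x00hello from a text editor"


if __name__ == "__main__":
    sigs = dict(SIGNATURES)
    for label, blob in [("known", KNOWN_SAMPLE), ("padded", PADDED_SAMPLE),
                        ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{label:8} -> {scan(blob, sigs)}")
    add_pattern(sigs, "dropper.v2.pattern", b"EVIL_DROPPER_v2")
    print(f"variant after signature update -> {scan(VARIANT, sigs)}")
```

The run shows the two failure modes in one place: appending a single byte defeats the hash signature but not the pattern, and the v2 variant defeats both, which is exactly the window a zero-day lives in. Only after an analyst sees the new sample and ships a signature does the scanner catch it, so signature scanning is reactive by construction and needs to be paired with the other controls in these notes.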
Technology's Role
Patches: - Software updates that plug existing holes. Lock down hardware: - Prevent unapproved software installation. - Force file saving to hardened, backed-up, and monitored servers. - Reimage hard drives of end-user PCs. - Disable boot capability of removable media. - Prevent Wi-Fi use and require VPN encryption for network transmissions.
BAD APPLES
Rogue employees who steal secrets, install malware, or hold a firm hostage.
_______________ is an example of an exploit in which hackers target security vulnerabilities caused by software developers not validating user input.
SQL injection technique.
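Added example (not from the textbook or these notes) for the SQL injection entries under Technology Threats and above: a login check that pastes user input into the query string, beside the parameterised version that closes the hole. The in-memory database, table and accounts are constructed for the demo; real systems store password hashes, never plaintext.

```python
"""SQL injection: vulnerable query construction versus parameterised queries.

Added example, not code from the textbook.  Uses an in-memory SQLite
database with constructed users; plaintext passwords are for the demo only.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The sloppy pattern: attacker-controlled text becomes part of the SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The fix: placeholders keep user input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Run two classic payloads against both versions and return the rows."""
    conn = make_db()
    comment_out = "alice' --"        # closes the string, comments out the rest
    always_true = "' OR '1'='1"      # makes the WHERE clause true for every row
    return {
        "vulnerable_comment": login_vulnerable(conn, comment_out, "anything"),
        "vulnerable_or": login_vulnerable(conn, "bob", always_true),
        "safe_comment": login_safe(conn, comment_out, "anything"),
        "safe_or": login_safe(conn, "bob", always_true),
        "safe_real_login": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:19} -> {rows}")
```

With the vulnerable function, `alice' --` logs in as alice without a password, and `' OR '1'='1` returns every user. The parameterised function returns nothing for both payloads and still works for a genuine login, which is why "audit for SQL injection" in the notes comes down to finding every place a query is built by string concatenation.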
HACKER
Someone who breaks into computer systems
The term _____________ refers to forging or disguising the origin or identity.
Spoof
Public key encryption is considered far weaker than private key encryption, so most websites avoid using public key systems.
false; public key encryption is not weaker than private (symmetric) key encryption, and most websites rely on it: HTTPS uses public key cryptography to authenticate the site and agree on a session key, which symmetric encryption then protects.
VPN software should only be used on an organization's internal network. Never use VPN software on a public wireless network, as this could give hackers an entryway from your computer into your organization's secure network
false; Public wireless connections pose significant security threats. The use of VPN (virtual private network) software can reduce threats by making Internet transmissions unreadable if they are intercepted. VPN networks use encryption to scramble data, making it difficult for hackers to access.
The encryption math behind OpenSSL is so solid and would require such an extensive amount of computing power to execute a brute-force attack, that OpenSSL had (as of the writing of the textbook) never been compromised.
false; While encryption math is quite strong, that does not mean that all software using this math can't have other bugs that create vulnerabilities. The Heartbleed bug, a weakness in the OpenSSL security software, may have created a vulnerability in software used by two-thirds of Web sites and which is embedded into all sorts of Internet-connected products.
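Added example (not from the textbook or these notes): a simulation of the Heartbleed logic error, to make concrete why strong encryption math does not protect a program from an ordinary bounds-check bug. Process memory is modelled as bytes holding the received heartbeat record followed by unrelated secrets; the record layout follows RFC 6520 (type, 2-byte payload length, payload, padding), while the memory contents and the secret are constructed.

```python
"""Heartbleed, simulated: trusting the declared payload length.

Added example, not code from the textbook or from OpenSSL.  Memory is modelled
as a bytes object (the received record followed by constructed secrets); in C
the same over-read walks into whatever happens to sit next to the buffer.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING = 16      # RFC 6520: every heartbeat carries at least 16 bytes of padding
HEADER = 3        # 1-byte type + 2-byte payload length

# Constructed data sitting next to the record in "memory".
SECRET = b"cookie=SESSION-42; key=PRIVATE-RSA-MATERIAL"


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Build a heartbeat record; `declared_len` may lie about len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * PADDING


def handle_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Copy `declared` bytes from the payload start, as the buggy code did.

    `record_len` (the true size of what arrived) is never consulted.
    """
    _hbtype, declared = struct.unpack("!BH", memory[:HEADER])
    return memory[HEADER:HEADER + declared]          # over-read past the record


def handle_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """The corrected logic: drop any heartbeat whose declared length does
    not fit inside the record that was actually received."""
    _hbtype, declared = struct.unpack("!BH", memory[:HEADER])
    if HEADER + declared + PADDING > record_len:
        return None                                   # silently discard
    return memory[HEADER:HEADER + declared]


def demo() -> dict:
    legit = build_heartbeat(b"hello", 5)
    # Attacker declares 60 bytes but sends 5; real attacks declared up to 64 KB.
    evil = build_heartbeat(b"hello", 60)
    return {
        "legit_vulnerable": handle_vulnerable(legit + SECRET, len(legit)),
        "legit_fixed": handle_fixed(legit + SECRET, len(legit)),
        "evil_vulnerable": handle_vulnerable(evil + SECRET, len(evil)),
        "evil_fixed": handle_fixed(evil + SECRET, len(evil)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17} -> {result!r}")
```

A well-formed heartbeat echoes back `hello` from both handlers. The malicious one makes the vulnerable handler return 60 bytes, and the tail of that reply is the neighbouring secret, while the fixed handler refuses it. No cipher was broken: the attacker simply asked for more bytes than were sent and the code obliged.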
A security tool that is deployed by firms as a phony target to lure or distract attackers and gain information about them is known as a:
honeypot
Which of the following is a valid observation regarding information security?
information security isn't just a technology problem.
Con games that trick employees into revealing information or performing other tasks that compromise a firm are known as _____ in security circles.
social engineering
Although the attack on Target was one of the largest credit card breaches in US business history, the software that executed the attack was not considered to be especially sophisticated.
true; The malware used to breach Target was described by one security expert as "absolutely unsophisticated and uninteresting."
A white hat hacker looks for weaknesses in security mechanisms, with a view to help plug the holes that might be exploited by cyber-criminals.
true; White hats are the good guys who probe for weaknesses, but don't exploit them. Instead, they share their knowledge in hopes that the holes they've found will be plugged and security will be improved. Many firms hire consultants to conduct "white hat" hacking expeditions on their own assets as part of their auditing and security process. "Black hats" are the bad guys.
The key difference between viruses and worms is that:
worms do not need an executable to spread, unlike viruses.
Exploits that attempt to infiltrate a computer system by masquerading as something that they are not are called:
Trojans
Why have US technology firms complained that U.S. government surveillance techniques put them at a disadvantage relative to foreign firms?
U.S. firms complain that the actions of surveillance agencies have put them at a disadvantage by damaging their reputation.