Chapter 12 In Class Notes Flashcards
A person or organization that seeks to obtain
data or other assets illegally, without the
owner’s permission and often without the
owner’s knowledge
Threat
An opportunity for threats to gain access to
individual or organizational assets.
Vulnerability
A measure that individuals or organizations
take to block the threat from obtaining an
asset.
Safeguards. Safeguards are not always effective.
Some threats achieve their goal in spite of
safeguards.
An asset that is desired by the threat.
Target
SOURCES OF THREATS? 3 of them
HUMAN ERROR
COMPUTER CRIME
NATURAL EVENTS AND
DISASTERS
Accidental problems caused by both
employees and nonemployees.
Procedures not followed
Increasing a customer’s discount
Incorrectly modifying employee’s salary
Placing incorrect data on company Web site
System errors
Systems working incorrectly
Programming errors
IT installation errors
Faulty recovery actions after a disaster
Includes employees and former employees who
intentionally destroy data or other system
components.
Computer Crime
A technique for gathering unauthorized
information in which someone pretends to be
someone else.
Pretexting
When someone pretends to be
someone else with the intent of obtaining
unauthorized data.
Spoofing
A type of spoofing whereby an
intruder uses another site’s IP address as if it were
that other site.
IP Spoofing
What is needed for your reset password information?
Victim’s Email Address
Answer to victim’s security question!
A technique for intercepting computer
communications.
Sniffing. With wired networks, sniffing
requires a physical connection to the network.
With wireless networks, no such connection is
required.
People who take computers
with wireless connections through an area and
search for unprotected wireless networks in an
attempt to gain free Internet access or to gather
unauthorized data.
Drive-by sniffer
A form of computer crime in which a person gains
unauthorized access to a computer system.
Hacking. Although
some people hack for the sheer joy of doing it, other
hackers invade systems for the malicious purpose of
stealing or modifying data.
Occurs when unauthorized programs invade a
computer system and replace legitimate programs.
Such unauthorized programs typically shut down
the legitimate system and substitute their own
processing.
Usurpation
A computer program that senses when another
computer is attempting to scan the disk or
otherwise access a computer.
Intrusion Detection System (IDS)
Management’s policy for computer security,
consisting of a general statement of the
organization’s security program, issue-specific
policy, and system-specific policy.
Security Policy
What Are the Elements of a
Security Policy? 3 of them
- General statement of the organization's security program
- Issue-specific policy
- System-specific policy
Threats and consequences we know about
Risk
Things we do not know that we do not know
Uncertainty
The “bottom line” of risk assessment; the likelihood of loss multiplied by the cost of the loss consequences (both tangible and intangible).
Probable loss
• Given probable loss, what to protect?
• Which safeguards inexpensive and easy?
• Which vulnerabilities expensive to eliminate?
• How to balance cost of safeguards with benefits of
probable loss reduction?
You should ask these questions when making what kind of decision?
Risk-Management Decisions
Protects consumer financial data stored by
financial institutions (banks, securities firms,
insurance companies, and organizations that
provide financial advice, prepare tax returns, and
provide similar financial services).
Gramm-Leach-Bliley (GLB) Act (1999)
Federal law that provides
protections to individuals regarding records
maintained by the U.S. government
Privacy Act of 1974
Gives
individuals the right to access health data created
by doctors and other health-care providers.
HIPAA also sets rules and limits on who can
read and receive a person’s health information.
Health Insurance Portability and Accountability Act (HIPAA) (1996)
A wireless
security standard developed by the IEEE 802.11
committee that was insufficiently tested before it
was deployed in the communications equipment.
It has serious flaws.
WEP (Wired Equivalent Privacy)
An
improved wireless security standard developed
by the IEEE 802.11 committee to fix the flaws
of the Wired Equivalent Privacy (WEP) standard
WPA & WPA2 (Wi-Fi Protected Access)
What Technical Safeguards
Are Available?
- Identification and authentication
- Encryption
- Firewalls
- Malware protection
- Design for secure applications
The process whereby an information
system identifies a user by requiring the user to sign on
with a username and password.
Identification
The process whereby an information system verifies (validates) a user.
Authentication
A form of
authentication whereby the user supplies a number that
only he or she knows.
Personal Identification Number (PIN)
The use of personal physical
characteristics, such as fingerprints, facial features, and
retinal scans, to authenticate users.
Biometric authentication
A system, developed at MIT, that authenticates
users without sending their passwords across a
computer network. It uses a complicated system
of "tickets" to enable users to obtain services
from networks and other servers.
Kerberos
The process of transforming clear text into
coded, unintelligible text for secure storage or
communication.
Encryption
Algorithms used to transform
clear text into coded, unintelligible text for secure storage or
communication. Commonly used methods are DES, 3DES,
and AES.
Encryption algorithms
A number used to encrypt data. The encryption
algorithm applies the key to the original message to produce
the coded message. Decoding (decrypting) the message is
similar; a key is applied to the coded message to recover the
original text.
Key
An encryption method whereby
the same key is used to encode and to decode the message.
Symmetric Encryption
An encryption method
whereby different keys are used to encode and to
decode the message; one key encodes the message,
and the other key decodes the message.
Asymmetric encryption
A special version of
asymmetric encryption that is popular on the Internet.
With this method, each side has a public key for
encoding messages and a private key for decoding
them.
Public Key/Private Key
Used for full disk encryption
– All hard drive contents are encrypted
• If stolen, nothing can be recovered!
TrueCrypt
Used for single file encryption
– Make .exe file to send to others
• Taxes, SSN, PHI, etc.
AxCrypt
A computer program that replicates itself.
Virus
The program code of a virus that causes
unwanted or hurtful actions, such as deleting programs
or data, or even worse, modifying data in ways that are
undetected by the user.
Payload
Virus that masquerades as a useful
program or file.
Trojan horses. A typical Trojan horse appears to be a
computer game, an MP3 music file, or some other
useful, innocuous program.
A virus that propagates itself using the
Internet or some other computer network.
Worms. Worm code
is written specifically to infect another computer as
quickly as possible.
Tiny files that gather demographic
information
Beacon. Beacons are often image files that install
malware code when users open images in junk mail.
Most are not malicious and simply verify users’ email
addresses, activities, and preferences.
Captures keystrokes to obtain user
names, passwords, account numbers, and other
sensitive information.
Spyware. Other spyware is used for
marketing analysis, observing what users do, Web
sites visited, products examined and purchased,
and so forth.
Most is benign in that it does not
perform malicious acts or steal data. It does,
however, watch user activities and produce pop-up ads.
Adware
Security problem in which users are not able to
access an information system; can be caused by
human errors, natural disasters, or malicious
activity.
Denial of Service (DOS)
A term used to describe server operating
systems that have been modified to make them
especially difficult to infiltrate with
malware
Hardening
A password-cracking
program that tries every possible combination
of characters.
Brute Force Attack
False targets for computer criminals to attack
Honeypots
A utility company that can take over
another company’s processing with no
forewarning.
Hot Site. Hot sites are expensive;
organizations pay $250,000 or more per month
for such services.
Remote processing centers that
provide office space, and possibly computer
equipment, for a company to use to
continue operations after a disaster.
Cold Sites
2022?
• Challenges likely to be iOS and other intelligent
portable devices
• Harder for the lone hacker to find vulnerability to
exploit
• Continued investment in safeguards
• Continued problem of electronically porous
national borders