Chapter 12 In Class Notes

Question 1

A person or organization that seeks to obtain
data or other assets illegally, without the
owner’s permission and often without the
owner’s knowledge

Answer 1

Threat

Question 2

An opportunity for threats to gain access to

individual or organizational assets.

Answer 2

vulnerability

Question 3

A measure that individuals or organizations
take to block the threat from obtaining an
asset.

Answer 3

Safeguards. Safeguards are not always effective.
Some threats achieve their goal in spite of
safeguards.

Question 4

An asset that is desired by the threat.

Answer 4

Target

Question 5

SOURCES OF THREATS? 3 of them

Answer 5

HUMAN ERROR
COMPUTER CRIME
 NATURAL EVENTS AND
DISASTERS

Question 6

 Accidental problems caused by both

employees and nonemployees.

Answer 6

 Procedures not followed
 Increasing a customer’s discount
 Incorrectly modifying employee’s salary
 Placing incorrect data on company Web site
 System errors
 Systems working incorrectly
 Programming errors
7
g g
 IT installation errors
 Faulty recovery actions after a disaster

Question 7

 Includes employees and former employees who
intentionally destroy data or other system
components.

Answer 7

Computer Crime

Question 8

A technique for gathering unauthorized
information in which someone pretends to be
someone else.

Answer 8

Pretexting

Question 9

When someone pretends to be
someone else with the intent of obtaining
unauthorized data.

Answer 9

Spoofing

Question 10

A type of spoofing whereby an
intruder uses another site’s IP address as if it were
that other site.

Answer 10

IP Spoofing

Question 11

What is needed for your reset password information?

Answer 11

 Victim’s Email Address

 Answer to victim’s security question!

Question 12

A technique for intercepting computer

communications.

Answer 12

Sniffing. With wired networks, sniffing
requires a physical connection to the network.
With wireless networks, no such connection is
required.

Question 13

People who take computers
with wireless connections through an area an
search for unprotected wireless networks in an
attempt to gain free Internet access or to gather
16 unauthorized data.

Answer 13

Drive by sniffer

Question 14

A form of computer crime in which a person gains

unauthorized access to a computer system.

Answer 14

Hacking. Although
some people hack for the sheer joy of doing it, other
hackers invade systems for the malicious purpose of
stealing or modifying data.

Question 15

Occurs when unauthorized programs invade a
computer system and replace legitimate programs.
Such unauthorized programs typically shut down
the legitimate system and substitute their own
processing.

Answer 15

Usurpation

Question 16

A computer program that senses when another
computer is attempting to scan the disk or
otherwise access a computer.

Answer 16

Intrusion Detection System (IDS)

Question 17

Management’s policy for computer security,
consisting of a general statement of the
organization’s security program, issue-specific
policy, and system-specific policy.

Answer 17

Security Policy

Question 18

What Are the Elements of a

Security Policy? 3 of them

Answer 18

1. General statement of organizations security program
2. Issue-specific policy
3. System-specific policy

Question 19

threats & consequences we know about

Answer 19

risk

Question 20

things we do not know that we do not know

Answer 20

Uncertainty

Question 21

The “bottom line”
of risk assessment; the likelihood
of loss multiplied by the cost of the
loss consequences (both tangible
and intangible).

Answer 21

Probable loss

Question 22

• Given probable loss, what to protect?
• Which safeguards inexpensive and easy?
• Which vulnerabilities expensive to eliminate?
• How to balance cost of safeguards with benefits of
probable loss reduction?
You should ask these questions when making what kind of decision?

Answer 22

Risk-Management Decisions

Question 23

Protects consumer financial data stored by
financial institutions (banks, securities firms,
insurance companies, and organizations) that
provide financial advice, prepare tax returns, and
provide similar financial services.

Answer 23

Gramm-Leach-Bliley (GLB) Act (1999) -

Question 24

ederal law that provides
protections to individuals regarding records
31 maintained by the U.S. government

Answer 24

Privacy Act of 1974

Question 25

Give
individuals the right to access health data created
by doctors and other health-care providers.
HIPAA also sets rules and limits on who can
read and receive a person’s health information.

Answer 25

Health Insurance Portability and
Accountability Act (HIPAA) (1996)

Question 26

A wireless
security standard developed by the IEEE 802.11
committee that was insufficiently tested before it
was deployed in the communications equipment.
IT has serious flaws.

Answer 26

WEP (Wired-Equivalent Privacy)

Question 27

An
improved wireless security standard developed
by the IEEE 802.11 committee to fix the flaws
34 of the Wired Equivalent Privacy (WEP) standard

Answer 27

WPA & WPA2 (WiFI Protected Access)

Question 28

What Technical Safeguards

Are Available?

Answer 28

1. Identification and authentication
2. Encryption
3. Firewalls
4. Malware protection
5. Design for secure applications

Question 29

The process whereby an information
system identifies a user by requiring the user to sign on
with a username and password.

Answer 29

Identification

Question 30

The process whereby and information
system verifies (validates) a user.

Answer 30

Authentication

Question 31

A form of
authentication whereby the user supplies a number that
only he or she knows.

Answer 31

Personal Identification Number (PIN)

Question 32

The use of personal physical
characteristics, such as fingerprints, facial features, and
36 retinal scans, to authenticate users.

Answer 32

Biometric authentication

Question 33

A system, developed at MIT that authenticates
users without sending their passwords across a
computer network. It uses a complicated system
of “tickets” to enable users to obtain services
from networks and other servers.

Answer 33

Kerberos

Question 34

The process of transforming clear text into
coded, unintelligible text for secure storage or
communication.

Answer 34

Encryption

Question 35

Algorithms used to transform
clear text into coded, unintelligible text for secure storage or
communication. Commonly used methods are DES, 3DES,
and AES.

Answer 35

Encryption algorithms

Question 36

A number used to encrypt data. The encryption
algorithm applies the key to the original message to produce
the coded message. Decoding (decrypting) the message is
similar; a key is applied to the coded message to recover the
original text.

Answer 36

Key

Question 37

An encryption method whereby

the same key is used to encode and to decode the message.

Answer 37

Symmetric Encryption

Question 38

An encryption method
whereby different keys are used to encode and to
decode the message; one key encodes the message,
and the other key decodes the message.

Answer 38

Asymmetric encryption

Question 39

A special version of
asymmetric encryption that is popular on the Internet.
With this method, each side has a public key for
encoding messages and a private key for decoding
42 them.

Answer 39

Public Key/Private Key

Question 40

used for full disk encryption
– All hard drives contents are encrypted
• If stolen, nothing can be recovered!

Answer 40

Truecrypt

Question 41

used for single file encryption
– Make .exe file to send to others
• Taxes, SSN, PHI, etc

Answer 41

Axcrypt

Question 42

A computer program that replicates itself.

Answer 42

Virus

Question 43

The program codes of a virus that causes
unwanted or hurtful actions, such as deleting programs
or data, or even worse, modifying data in ways that are
undetected by the user.

Answer 43

Payload

Question 44

Virus that masquerades as a useful

program or file.

Answer 44

Trojan horses. A typical Trojan horse appears to be a
computer game, an MP3 music file, or some other
useful, innocuous program.

Question 45

A virus that propagates itself using the

Internet or some other computer network.

Answer 45

Worms. Worm code
is written specifically to infect another computer as
quickly as possible.

Question 46

Tiny files that gather demographic

information

Answer 46

Beacon. Beacons are often image files that install
malware code when users open images in junk mail.
Most are not malicious and simply verify users’ email
addresses, activities, and preferences.

Question 47

captures keystrokes to obtain user
names, passwords, account numbers, and other
sensitive information.

Answer 47

Spyware. Other spyware is used for
marketing analysis observing what users do, Web
sites visited, products examined and purchased,
and so forth.

Question 48

most is benign in that it does not
perform malicious acts or steal data. It does,
however, watch user activities and produce pop50
up ads.

Answer 48

Adware

Question 49

Security problem in which users are not able to
access an information system; can be caused by
human errors, natural disasters, or malicious
activity.

Answer 49

Denial of Service (DOS)

Question 50

A term used to describe server operating
systems that have been modified to make them
especially difficult for them to be infiltrated by
malware

Answer 50

Hardening

Question 51

A password-cracking
program that tries every possible combination
of characters.

Answer 51

Brute Force Attack

Question 52

False targets for computer criminals to attack

Answer 52

Honeypots

Question 53

A utility company that can take over
another company’s processing with no
forewarning.

Answer 53

Hot Site. Hot sites are expensive;
organizations pay $250,000 or more per month
for such services.

Question 54

Remote processing centers that
provide office space, and possibly computer
equipment, for use by a company to use to
continue operations after a disaster.

Answer 54

Cold Sites

Question 55

2022?

Answer 55

• Challenges likely to be iOS and other intelligent
portable devices
• Harder for the lone hacker to find vulnerability to
exploit
• Continued investment in safeguards
• Continued problem of electronically porous
national borders