Chapter 12: Managing Information Security and Privacy Flashcards
Identity Theft
Stealing, misrepresenting, or hijacking the identity of another person or business
Vital information, such as a person’s name, address, date of birth, social insurance number, and mother’s maiden name, is often all that is needed to facilitate impersonation
The Personal Information Protection and Electronic Documents Act (PIPEDA)
In Canada, PIPEDA gives individuals the right to know why an organization collects, uses, or discloses their personal information
PIPEDA does not, however, facilitate individuals suing organizations
Security threats
A problem with the security of information or the data therein, caused by human error, malicious activity or natural disaster
Three sources of security threats
(1) human error and mistakes,
(2) malicious human activity,
(3) natural events and disasters.
Human errors and mistakes
Include accidental problems caused by both employees and others outside the organization.
An example is an employee who misunderstands operating procedures and accidentally deletes customer records
malicious human activity
This category includes employees and others who intentionally destroy data or other system components. It also includes hackers who break into a system, virus and worm writers who infect computer systems, and people who send millions of unwanted emails
Spam
Unwanted email messages
Natural events and disasters
Category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature or accidents.
Problems in this category include not only the initial loss of capability and service but also losses stemming from actions to recover from the initial problem.
Five types of security problems
(1) unauthorized data disclosure,
(2) incorrect data modification,
(3) faulty service,
(4) denial of service,
(5) loss of infrastructure
Unauthorized data disclosure
Can occur by human error when someone inadvertently releases data in violation of policy.
An example at a college or university would be a new department administrator who posts student names, numbers, and grades in a public place
In Canada, this type of disclosure is covered by PIPEDA
Pretexting
Occurs when someone deceives by pretending to be someone else.
A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers
Phishing
A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, social insurance numbers, account passwords, and so on
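The two things a phishing email almost always gets wrong are the sending domain and where its links really go. The following is an added example (not from the original flashcards): a small check that pulls the links out of an HTML message body and compares the sender address and each link's visible text against the domain the message claims to come from. The bank name, the domains, the sender strings, and the two message bodies are constructed for the example; the "last two labels" rule for the registrable domain is an assumed simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host part of a URL or bare host name, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _registrable(host: str) -> str:
    """Last two labels of a host name. Assumed simplification for this example;
    production code consults the public suffix list instead."""
    return ".".join(host.split(".")[-2:])


def phishing_indicators(sender: str, html_body: str, claimed_domain: str) -> list:
    """Reasons the message does not match the company it claims to be from.
    An empty list means no indicator fired, not that the message is safe."""
    findings = []
    m = re.search(r"<([^>]+)>", sender)
    address = m.group(1) if m else sender.strip()
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if _registrable(sender_domain) != claimed_domain:
        findings.append(f"sender address is at {sender_domain}, not {claimed_domain}")

    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = _host(href)
        if _registrable(href_host) != claimed_domain:
            findings.append(f"link goes to {href_host}, outside {claimed_domain}")
        # Visible text that looks like a URL but points elsewhere is the classic
        # pretext: the reader sees one site and is sent to another.
        if "." in text and " " not in text and _registrable(_host(text)) != _registrable(href_host):
            findings.append(f"link text shows {_host(text)} but href is {href_host}")
    return findings


# Constructed messages, assumed for this example (not real mail).
PHISH_SENDER = "Royal Example Bank Security <alerts@rxb-secure-login.example>"
PHISH_BODY = (
    "<p>Your account will be suspended. Confirm your password and account number at "
    '<a href="http://203.0.113.9/rxbank/login">https://www.rxbank.example/secure</a></p>'
)
LEGIT_SENDER = "alerts@rxbank.example"
LEGIT_BODY = '<p>Sign in at <a href="https://www.rxbank.example/secure">our secure site</a></p>'
```

Run phishing_indicators(PHISH_SENDER, PHISH_BODY, "rxbank.example") and all three indicators fire (wrong sender domain, link to an outside host, link text that shows the bank's site but goes to an IP address); the legitimate message produces none. The check is deliberately conservative: it flags mismatches against the claimed domain and nothing else, so a message with no links and a correct sender passes even if its wording is suspicious.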
Spoofing
term for someone pretending to be someone or somewhere else. If you pretend to be your professor, you are spoofing your professor
IP spoofing
occurs when an intruder sends packets carrying another site’s IP (Internet Protocol) address as their source, so that the traffic appears to come from that other site
Sniffing
technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network.
drive-by sniffers
carry computers with wireless connections through an area and search for unprotected wireless networks. They can monitor and intercept wireless traffic at will.
Incorrect Data Modification
Incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus are actions that might fall under this category
can occur through human error when employees follow procedures incorrectly or when procedures have been incorrectly designed
Hacking
when a person gains unauthorized access to a computer system. Although some people hack for the sheer joy of doing it, other hackers invade systems for the malicious purpose of stealing or modifying data.
Faulty Service
Includes problems due to incorrect system operations. Faulty service encompasses incorrect data modification, as well as systems that incorrectly send the wrong order to customers, programs that incorrectly bill customers, and software that sends erroneous information to employees.
denial of service (DoS)
Security problems in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity
Loss of Infrastructure
Examples are a bulldozer cutting fibre-optic cables, or the maintenance staff unplugging an important device in order to plug in a vacuum cleaner.
A security program has three components:
(1) senior management involvement,
(2) safeguards of various kinds,
(3) incident response
(1) senior management involvement,
First, senior management must establish the security policy. This policy sets the stage for the organization’s response to security threats.
Second, because no security program can eliminate all risk, senior management must manage risk by balancing the costs and benefits of the security program.
Technical safeguards
involve the hardware and software components of an information system
primary technical safeguards
1) identification and authentication
2) Encryption
3) Firewalls
4) Malware protection
5) Design for secure applications
1) identification and authentication
Every non-trivial information system should require some form of authentication.
identification
The process whereby an information system identifies a user, typically by requiring the user to sign on with a user name (the accompanying password is then checked in the authentication step)
authentication
The process whereby an information system approves (authenticates) a user by checking the user’s password
authentication methods fall into three categories:
(1) what you know (password or PIN),
(2) what you have (smart card),
(3) what you are (biometric).
Passwords
- users tend to be careless in their use
- users tend to be free in sharing their passwords with others
- many users choose ineffective, simple passwords or use the same password for many systems
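The identification and authentication steps above, as an added example that is not from the original flashcards: the user name identifies, the password authenticates, and the system stores only a salted, slow hash so that a leaked user table does not hand an attacker the passwords. The in-memory store, the iteration count and the user names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example: user name -> (salt, hash).
# A real system keeps this in a database, but never the password itself.
_USERS = {}

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a per-user random salt and the derived hash, not the password."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


def login(username: str, password: str) -> bool:
    """Identification: look the user name up. Authentication: check the password
    against the stored hash. True only when both steps succeed."""
    record = _USERS.get(username)
    if record is None:
        # Unknown name: do the same amount of work so that response time does
        # not reveal which user names exist.
        _derive(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(stored, _derive(password, salt))


def hashes_differ(user_a: str, user_b: str) -> bool:
    """Each user has their own salt, so two users who chose the same password
    still get different stored hashes; a leaked table does not expose the reuse."""
    return _USERS[user_a][1] != _USERS[user_b][1]
```

The salt is what turns a single guess into a per-user cost: without it, one precomputed table cracks every account that shares a weak password, which, given the habits listed above, is many of them.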
Smart card
Plastic card that is similar to a credit card. Unlike credit, debit, and ATM (automatic teller machine) cards, which have a magnetic strip, smart cards have a microchip. The microchip holds far more data than a magnetic strip and has identifying data or algorithms.
personal identification number (PIN)
Form of authentication whereby the user supplies a number that only they know
challenge-response authentication
Form of authentication in which the system sends a varying numeric challenge and the user (usually by means of a computerized token) returns the algorithmically computed response; because the challenge changes every time, a response captured by an eavesdropper cannot be replayed
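The challenge-response exchange as an added example (not part of the original flashcards): the server sends a fresh random challenge, the token answers with an HMAC of it under a secret only the two of them share, and the server accepts each challenge once. Only the challenge and the response cross the wire; the secret never does. The shared secret value and the in-memory set of outstanding challenges are assumptions for the example.

```python
import hashlib
import hmac
import os


class Server:
    """Issues single-use random challenges and verifies the token's responses."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()  # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)  # a fresh value every time, never reused
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # never issued, or already answered: treat as a replay
        self._outstanding.discard(nonce)  # each challenge is valid exactly once
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """The 'what you have' device: holds the secret and computes responses."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(server: Server, token: Token):
    """One full protocol run: server -> challenge, token -> response, server
    verifies. Returns the two wire messages and the verdict."""
    nonce = server.challenge()
    response = token.respond(nonce)
    return nonce, response, server.verify(nonce, response)


# Constructed shared secret, assumed for this example (in practice provisioned
# into the token at manufacture or at enrolment).
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
```

A genuine token passes; replaying a captured (nonce, response) pair fails because the server has already consumed that nonce; a token with the wrong secret fails; and a response to a challenge the server never issued fails. A static password offers none of these properties, which is why the token must generate a new answer for each session.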
Biometric authentication
uses personal physical characteristics, such as fingerprints, facial features, and retinal scans, to authenticate users.
malware
malware includes viruses, worms, Trojan horses, spyware, and adware
Malware is a broad term that has many definitions
Spyware
Programs are installed on the user’s computer without the user’s knowledge or permission. Spyware resides in the background and, without the user’s knowledge, observes the user’s actions and keystrokes, monitors computer activity, and reports that activity to sponsoring organizations
Adware
Similar to spyware in that it is installed without the user’s permission and resides in the background to observe user behaviour. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads
Malware Safeguards
1) Install antivirus and anti-spyware programs
2) Set up your anti-malware programs to scan your computer frequently.
3) Update malware definitions
4) Open email attachments only from known sources
5) Promptly install software updates from legitimate sources.
6) Browse only in reputable Internet neighbourhoods
Malware definitions
Patterns that exist in malware code; they should be downloaded frequently. Anti-malware vendors update these definitions continually, and you should install these updates as they become available.
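What a definition-based scanner actually does, and why stale definitions matter, as an added example that is not from the original flashcards or from any vendor: each definition is a byte pattern, a file is flagged when the pattern occurs in it, and a variant with a slightly different byte sequence is invisible until an updated definition set arrives. The definition names, the patterns and the sample files are constructed (they are not real malware), and the chunked scanner keeps an overlap between chunks so a pattern straddling a chunk boundary in a large file is not missed.

```python
import io
from typing import Optional

# Constructed definition sets for this example (assumed, not a vendor's).
# A definition pairs a name with a byte pattern found in known malware.
DEFINITIONS_V1 = {
    "Demo.Dropper.A": b"cmd.exe /c powershell -enc ",
    "Demo.Stealer.A": b"POST /upload?keys=",
}
# The next update adds a pattern for a variant the first set cannot detect.
DEFINITIONS_V2 = dict(DEFINITIONS_V1)
DEFINITIONS_V2["Demo.Dropper.B"] = b"cmd /c powershell -EncodedCommand "


def scan_bytes(data: bytes, definitions: dict) -> Optional[str]:
    """Name of the first definition whose pattern occurs in data, else None."""
    for name, pattern in definitions.items():
        if pattern in data:
            return name
    return None


def scan_stream(stream, definitions: dict, chunk_size: int = 4096) -> Optional[str]:
    """Scan a file-like object chunk by chunk. Carrying the last
    (longest pattern - 1) bytes forward guarantees that a pattern split across
    two chunks is still seen in full; without the overlap a large file could
    hide a match at a chunk boundary."""
    overlap = max(len(p) for p in definitions.values()) - 1
    window = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        window += chunk
        hit = scan_bytes(window, definitions)
        if hit is not None:
            return hit
        window = window[-overlap:] if overlap > 0 else b""


def scan_data_chunked(data: bytes, definitions: dict, chunk_size: int) -> Optional[str]:
    """Convenience wrapper: run in-memory bytes through scan_stream."""
    return scan_stream(io.BytesIO(data), definitions, chunk_size)


# Constructed samples (not real malware): a known dropper, a variant of it with
# a slightly different command line, and a clean file.
SAMPLE_KNOWN = b"MZ\x90\x00stub..." + b"cmd.exe /c powershell -enc SQBFAFgA" + b"...end"
SAMPLE_VARIANT = b"MZ\x90\x00stub..." + b"cmd /c powershell -EncodedCommand SQBFAFgA" + b"...end"
SAMPLE_CLEAN = b"MZ\x90\x00stub..." + b"Hello, world" + b"...end"
```

With the first definition set the known dropper is caught and the variant is not; after the update the variant is caught too, and the clean file stays clean under both. A scanner that is never updated keeps the first result forever, which is the practical reason behind safeguard 3 above.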
Data safeguards
Steps taken to protect databases and other organizational data by means of data administration and database administration
Two organizational units are responsible for data safeguards
1) data administration
2) database administration
Data administration
refers to an organization-wide function that is in charge of developing data policies and enforcing data standards
typically a staff function reporting to the chief information officer (CIO).
Database administration
refers to a function that pertains to a particular database.
The enterprise resource planning (ERP), customer relationship management (CRM), and supply chain management (SCM) databases each have a database administration function
key escrow
Control procedure whereby a trusted party is given a copy of a key used to encrypt database data
Human safeguards
involve the people and procedures components of information systems. In general, human safeguards result when authorized users follow appropriate procedures for system use and recovery.
Position Definitions
Effective human safeguards begin with creating definitions of job tasks and responsibilities.
In general, job descriptions should provide a separation of duties and authorities.
Hiring and Screening
Security considerations should be part of the hiring process. Of course, if a position involves no sensitive data and no access to information systems, then screening for information systems security purposes will be minimal.
Dissemination and Enforcement
Employees cannot be expected to follow security policies and procedures that they are not aware of. Therefore, employees need to be made aware of the security policies and procedures and of their responsibilities.
Enforcement consists of three interdependent factors:
(1) responsibility,
(2) accountability,
(3) compliance
Termination
Standard human resources policies should ensure that system administrators receive notification in advance of the employee’s last day so that they can remove accounts and passwords
Human Safeguards for Non-employees
Business requirements may necessitate opening information systems to non-employees—temporary personnel, vendors, partner personnel (employees of business partners), volunteers, and the public.
Hardening a site
means to take extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system and lock down or eliminate operating system features and functions that are not required by the application
Account Administration
The administration of user accounts, passwords, and help-desk policies and procedures is an important component of the security system.
Account Management
Account management concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts.
System Procedures
normal operation, backup, and recovery
Security Monitoring
Important monitoring functions are analysis of activity logs, security testing, and investigating and learning from security incidents.
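Analysis of activity logs, as an added example that is not from the original flashcards: a small detector that reads authentication log lines, counts failed logins per source address inside a sliding time window, and raises an alert when the count reaches a threshold; if the same source then succeeds, the alert is marked as a likely compromise rather than a mere attempt. The log lines are constructed in sshd style for the example (not a real capture), and the threshold and window are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines, assumed sample input for this example.
LOG_LINES = """\
2024-03-04T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
2024-03-04T10:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
2024-03-04T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51014 ssh2
2024-03-04T10:00:05 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04T10:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51015 ssh2
2024-03-04T10:00:07 sshd[1201]: Failed password for root from 203.0.113.7 port 51016 ssh2
2024-03-04T10:00:09 sshd[1201]: Accepted password for root from 203.0.113.7 port 51017 ssh2
2024-03-04T10:02:15 sshd[1340]: Failed password for alice from 198.51.100.23 port 40022 ssh2
2024-03-04T10:02:40 sshd[1341]: Accepted publickey for alice from 198.51.100.23 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines: str):
    """Yield (timestamp, result, user, source) for each sshd auth line; skip the rest."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def find_bruteforce(lines: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Sources with at least `threshold` failures inside `window`. A later
    success from an alerted source is recorded as a probable compromise."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            # keep only failures still inside the window ending at this event
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and src not in alerts:
                alerts[src] = {"first": failures[src][0], "count": len(failures[src]), "succeeded": False}
        elif src in alerts:
            alerts[src]["succeeded"] = True
            alerts[src]["user"] = user
            alerts[src]["at"] = ts
    return alerts
```

On the sample, 203.0.113.7 fails five times in eight seconds and then logs in as root, so it is reported with succeeded set to True; alice's single typo from 198.51.100.23 never reaches the threshold. Centralized collection of these lines is what makes the per-source count meaningful: a scan spread over many hosts looks like one failed login each until the logs are read together.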
What Is Disaster Preparedness?
The best safeguard against a disaster is appropriate location
place computing centres, Web farms, and other computer facilities in locations not prone to floods, earthquakes, hurricanes, tornados, or avalanches
Disaster Preparedness Guidelines
1) locate infrastructure in safe location
2) Identify mission-critical systems
3) Identify resources needed to run those systems
4) Prepare remote backup facilities
5) Train and rehearse
hot sites
remote processing centres, often run by commercial disaster-recovery services. For a monthly fee, they provide all the equipment needed to continue operations, so downtime or unavailability following a disaster is minimal
Cold sites
provide space and limited technology; customers provide and install the equipment needed to continue operations following a disaster. Recovery time is considerably longer
Warm sites
somewhere in the middle of the two extremes.
Factors in Incident Response
1) Have plan in place
2) Centralized reporting
3) Specific responses (speed; preparation pays; don’t make problems worse)
4) Practice
____________________ provides useful information about what identity theft is and who to contact if it happens to you.
The Public Safety Canada website
Equifax, a global technology company specializing in providing credit scores and personal privacy protection, had a cybersecurity incident and 1,000,000 Canadian customers were impacted. Compromised personal information included all the following, except:
email addresses.
An easy way to remember information systems safeguards is to arrange them according to the ______ components of an information system.
5
What two critical factors do organizations need to address when responding to security threats?
security policy and risk management
What should data administration define initially?
Data policies
Which of the following is not an example of a data safeguard?
Virus protection
The organizational function that pertains to developing and enforcing data policies and standards is called ________.
Data administration
Which is the single most important safeguard that an individual computer user can implement?
Using strong passwords
Human safeguards involve the ___________ and ___________ components of information systems.
people, procedure
All the following are major disaster preparedness tasks, except:
Monitor security
Preparing a ________________ facility is very expensive; however, the costs of establishing and maintaining that facility are a form of insurance.
backup
__________________ allows the organization to learn about security threats, take consistent actions in response, and apply specialized expertise to all security problems.
Centralized reporting
________ will enable an organization to determine whether it is under systemic attack or whether an incident is isolated.
Centralized reporting
When an incident does occur, ____________ is of the essence.
speed