Chapter 4 Flashcards
What factors contribute to increasing vulnerability of organizational information resources?
- Interconnected wireless networks
- Cheaper, faster storage devices
- Skills necessary to be a hacker decreasing
- International organized crime taking over cybercrime
- lack of management support
threat
any danger to which a system may be exposed
security
the degree of protection against criminal activity, danger, damage, and loss.
information security
all of the processes and policies designed to protect an organization's information and information systems from unauthorized access.
exposure
the harm, loss, or damage that can result if a threat compromises an information resource.
vulnerability
the possibility that the system will be harmed by a threat
What are some of the unintentional threats to information systems?
1) Human error,
2) social engineering (e.g., an attacker pretending to be someone else to obtain a password).
social engineering
attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information (such as passwords).
Espionage/trespass
unauthorized individual attempts to gain illegal access to organizational information.
Information extortion
threatening to steal or actually stealing information from a company, the perpetrator usually demands payment to either not steal the info, to return the info, or to not disclose the information.
Sabotage/vandalism
defacing an organization's website, damaging its reputation.
theft of equipment or information
stealing mobile devices, laptops, tablets, etc.
identity theft
assumption of another person's identity, usually to gain access to his or her financial information.
compromises to intellectual property
infringing on the rights of an individual or organization to a specific property, e.g., a patent, trademark, or trade secret.
software attacks
using malicious software to infect other computers: viruses, worms, phishing, Trojan horses, back doors, logic bombs, etc.
alien software
clandestine software (pestware) that runs on computers: adware, spyware, spamware, cookies.
supervisory control and data acquisition (SCADA) attacks
attacks, often worms, that interfere with the computers used to control physical, chemical, and transportation processes, e.g., at oil refineries and water and sewage treatment plants.
What are some of the deliberate threats to information systems?
- Espionage/trespass
- Information extortion
- Sabotage/vandalism
- theft of equipment or information
- identity theft
- compromises to intellectual property
- software attacks
- alien software
- supervisory control and data acquisition (SCADA) attacks
- cyberterrorism/cyberwarfare
intellectual property
property created by individuals or corporations. protected under trade secret, patent, and copyright laws.
trade secret
an intellectual work that is a company secret and is not based on public information.
patent
official document that grants the holder exclusive rights for an invention for a specified period of time.
copyright
statutory grant that provides the creators or owners of intellectual property with ownership of it for a specified period of time.
piracy
copying a software program without making payment to the owner.
alien software
clandestine software that is installed on your computer through duplicitous methods.
adware
software that causes pop-up advertisements to appear on your screen; the vast majority of pestware.
spyware
software that collects personal information about users without their consent, e.g., keystroke loggers and screen scrapers.
spamware
pestware that uses your computer as a launch pad for spammers.
spam
unsolicited email
cookies
small amounts of information that websites store on your computer (usually temporary)
cyberterrorism/ cyberwarfare
malicious acts in which attackers use a target's computer systems to cause physical, real-world harm, usually to carry out a political agenda.
risk
probability that a threat will impact an information resource.
risk management
the process of identifying, controlling, and minimizing the impact of threats.
risk analysis
ensures that IS security programs are cost effective: 1) assess the value of each asset being protected, 2) estimate the probability that each asset will be compromised, 3) compare the probable cost of the asset being compromised with the cost of protecting that asset, 4) mitigate the risks.
risk mitigation
concrete actions against risks: 1) implementing controls to prevent identified threats from occurring, 2) developing a means of recovery if the threat becomes a reality.
risk mitigation strategies
1) risk acceptance
2) risk limitation
3) risk transference
risk acceptance
accept the potential risk, continue operating with no controls, and absorb any damages that occur.
risk limitation
limit the risk by implementing controls that minimize the impact of the threat.
risk transference
transfer the risk by using other means to compensate for the loss (ie purchasing insurance).
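The four analysis steps and the three mitigation strategies above, worked over a constructed asset inventory, as an added example that is not from the original cards. The asset values, probabilities, control costs and the insurability flag are made-up illustration figures, and the decision rule (limit the risk when the control costs less than the expected loss, otherwise transfer it if the loss is insurable, otherwise accept it) is one simple policy chosen for this example, not the only possible one.

```python
from dataclasses import dataclass

# Added example; every figure below is constructed for illustration.


@dataclass
class Asset:
    name: str
    value: float               # step 1: assessed value (what is lost if compromised)
    annual_probability: float  # step 2: estimated chance of compromise per year
    control_cost: float        # step 3: yearly cost of the control that would protect it
    insurable: bool = False    # can the loss be transferred, e.g. to an insurer?


def expected_annual_loss(asset: Asset) -> float:
    """Step 3: probable cost of the asset being compromised = value x probability."""
    return asset.value * asset.annual_probability


def choose_strategy(asset: Asset) -> str:
    """Step 4: pick one of the three mitigation strategies from the cards.

    limitation   - the control costs less than the loss it is expected to prevent
    transference - the control is not cost effective, but the loss can be insured
    acceptance   - neither is worth it; operate without controls and absorb any loss
    """
    if asset.control_cost < expected_annual_loss(asset):
        return "limitation"
    if asset.insurable:
        return "transference"
    return "acceptance"


def risk_analysis(assets):
    """Run all four steps over an inventory; returns {name: (expected loss, strategy)}."""
    return {a.name: (round(expected_annual_loss(a), 2), choose_strategy(a)) for a in assets}


# Constructed inventory (hypothetical assets, not real data)
INVENTORY = [
    Asset("customer database", value=2_000_000, annual_probability=0.05,
          control_cost=40_000, insurable=True),
    Asset("marketing website", value=50_000, annual_probability=0.30,
          control_cost=20_000, insurable=True),
    Asset("lobby kiosk", value=2_000, annual_probability=0.10,
          control_cost=5_000),
]

if __name__ == "__main__":
    for name, (loss, strategy) in risk_analysis(INVENTORY).items():
        print(f"{name:20s} expected annual loss ${loss:>12,.2f} -> risk {strategy}")
```

Note that the customer database gets a control because 40,000 a year is cheaper than the 100,000 it is expected to lose, while the marketing website's 20,000 control is not worth its 15,000 expected loss, so the loss is insured instead.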
What can organizations do to protect information resources?
risk mitigation
risk controls
- physical controls
- access controls
- communication (network) controls
- Business continuity planning (disaster recovery plan)
- Information systems auditing
physical controls
prevent unauthorized individuals from gaining access to a company's facilities.
access controls
restricts unauthorized individuals from using information resources. Implements authentication and authorization.
authentication
confirms the identity of a person requiring access
authorization
determines which actions, rights, or privileges a person has based on his or her verified identity.
biometrics
authenticates based on something the user is, i.e., physical characteristics (fingerprint, retina scan, etc.).
passwords
authentication through something a user knows
privilege
collection of related computer system operations that a user is authorized to perform.
least privilege
users be granted the privilege for an activity only if there is a justifiable need for them to perform that activity.
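The access-control cards above (authentication by something the user knows, then authorization against a privilege set granted on a least-privilege basis) put together in code, as an added example that is not from the original. The accounts, passwords, roles and privilege names are constructed; the password storage uses PBKDF2 from the Python standard library, which is one common choice and not something the cards specify.

```python
import hashlib
import hmac
import os

# Added example; users, passwords, roles and privilege names are constructed.

PBKDF2_ITERATIONS = 100_000


def make_password_record(password: str) -> dict:
    """Store only a salted, slow hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def authenticate(record: dict, password: str) -> bool:
    """Authentication: confirm identity through something the user knows."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # constant-time comparison so response timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, record["hash"])


# A privilege is a named system operation; each role holds only what its job needs.
ROLE_PRIVILEGES = {
    "clerk":   {"read_orders"},
    "manager": {"read_orders", "approve_refund"},
    "dba":     {"read_orders", "alter_schema"},
}


def authorize(role: str, action: str) -> bool:
    """Authorization: default deny; an action is allowed only if the role explicitly holds it."""
    return action in ROLE_PRIVILEGES.get(role, set())


USERS = {  # constructed accounts
    "alice": {"role": "clerk",   "record": make_password_record("correct horse battery")},
    "bob":   {"role": "manager", "record": make_password_record("hunter2-but-longer")},
}
# Hashed against when the username does not exist, so unknown and known users take
# the same time to reject (otherwise timing reveals which usernames are valid).
DUMMY_RECORD = make_password_record(os.urandom(16).hex())


def request(users: dict, username: str, password: str, action: str) -> str:
    """Authenticate first, then authorize; one message for bad user and bad password."""
    user = users.get(username)
    record = user["record"] if user is not None else DUMMY_RECORD
    if not authenticate(record, password) or user is None:
        return "denied: authentication failed"
    if not authorize(user["role"], action):
        return "denied: not authorized"
    return "permitted"
```

Alice can read orders but, as a clerk, is refused a refund approval even with the right password: the two checks answer different questions (who are you, and what may you do).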
communication controls aka…
network controls
firewall
system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as a company's business network.
demilitarized zone
network segment located between two firewalls: an outer firewall facing the Internet and an inner firewall protecting the company's private network. Public-facing servers are placed there so that compromising one does not give direct access to the internal network.
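The firewall and demilitarized zone cards above as a small rule evaluator, added here as an example that is not from the original. The address ranges, host addresses and rules are constructed (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the internal network, a web server at 192.0.2.10 and a database at 10.0.5.20), and the evaluator uses the usual first-match, default-deny semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example; the address ranges, hosts and rules are constructed.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")     # public-facing servers live here
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the company's private business network


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


def evaluate(rules, src, dst, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied (default deny)."""
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"


# Outer firewall, between the Internet and the DMZ: only HTTPS to the web server.
OUTER_FIREWALL = [
    Rule(INTERNET, ipaddress.ip_network("192.0.2.10/32"), 443, "allow"),
]
# Inner firewall, between the DMZ and the internal network: only the web server may
# reach the database, and only on its port; admins may SSH into the DMZ from inside.
INNER_FIREWALL = [
    Rule(ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("10.0.5.20/32"), 5432, "allow"),
    Rule(INTERNAL, DMZ, 22, "allow"),
]

# Zones ordered from outside to inside; FIREWALLS[i] sits between ZONES[i] and ZONES[i+1].
ZONES = ["internet", "dmz", "internal"]
FIREWALLS = [OUTER_FIREWALL, INNER_FIREWALL]


def zone_index(ip) -> int:
    if ip in INTERNAL:
        return 2
    if ip in DMZ:
        return 1
    return 0


def decide(src_ip: str, dst_ip: str, port: int) -> str:
    """A flow is allowed only if every firewall it crosses allows it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    a, b = sorted((zone_index(src), zone_index(dst)))
    for firewall in FIREWALLS[a:b]:
        if evaluate(firewall, src, dst, port) != "allow":
            return "deny"
    return "allow"
```

An Internet client reaching the web server on 443 crosses only the outer firewall; the same client aiming at the database crosses both and is stopped at the first one. A second DMZ host that gets compromised still cannot reach the database, because the inner rule names the web server's address, not the whole DMZ.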
whitelisting
a company identifies the software that it will allow to run on its computers.
blacklisting
a company identifies the software that it will not allow its computers to run.
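Whitelisting and blacklisting side by side, as an added example that is not from the original cards. The "executables" are short constructed byte strings standing in for real binaries, identified by their SHA-256 hash; the point is how each policy treats a program that is on neither list, including a tampered copy of an approved one.

```python
import hashlib

# Added example; the "executables" below are constructed byte strings, not real binaries.


def fingerprint(binary: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes, not by its file name."""
    return hashlib.sha256(binary).hexdigest()


APPROVED_EDITOR = b"\x7fELF approved-editor 1.2"
KNOWN_DROPPER = b"MZ known-bad-dropper"
NEW_TOOL = b"MZ tool-nobody-has-reviewed"
# A trojaned copy of the approved editor: one byte appended, same file name.
TROJANED_EDITOR = APPROVED_EDITOR + b"\x90"

# Whitelisting: the company names what MAY run; everything else is blocked.
ALLOWLIST = {fingerprint(APPROVED_EDITOR)}
# Blacklisting: the company names what may NOT run; everything else runs.
DENYLIST = {fingerprint(KNOWN_DROPPER)}


def whitelisting_decision(binary: bytes) -> str:
    return "run" if fingerprint(binary) in ALLOWLIST else "block"


def blacklisting_decision(binary: bytes) -> str:
    return "block" if fingerprint(binary) in DENYLIST else "run"


def compare(binary: bytes) -> dict:
    """Decision of both policies for the same program."""
    return {"whitelisting": whitelisting_decision(binary),
            "blacklisting": blacklisting_decision(binary)}


if __name__ == "__main__":
    for label, binary in [("approved editor", APPROVED_EDITOR), ("known dropper", KNOWN_DROPPER),
                          ("unreviewed tool", NEW_TOOL), ("trojaned editor", TROJANED_EDITOR)]:
        print(f"{label:16s} {compare(binary)}")
```

The two policies agree on the approved editor and the known dropper and disagree on everything else: the unreviewed tool and the trojaned editor both run under blacklisting, because nobody has put their hashes on the list yet, and both are blocked under whitelisting.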
encryption
process of converting an original message into a format that cannot be read by anyone except the intended receiver.
public key encryption
uses two keys, a public key and a private key, that are created simultaneously as a pair; what one key encrypts only the other can decrypt.
certificate authority
acts as a trusted intermediary between companies.
digital certificate
electronic document attached to a file that certifies the file is from the organization it claims to be from and has not been modified from its original format.
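The public-key pair, the certificate authority and the digital certificate from the cards above, worked through in a toy, as an added example that is not from the original. It uses textbook RSA with hand-picked small primes and no padding, signs a SHA-256 digest reduced modulo n, and uses the made-up subject name acme.example and a constructed invoice file; it shows the mechanism (keys created together, public key encrypts, private key signs, CA signature ties a key to a name) and is not usable as real cryptography, for which a vetted library with proper key sizes and padding is required.

```python
import hashlib
from math import gcd

# Added example. Toy RSA with fixed small primes and no padding: it demonstrates the
# key pair and the certificate chain from the cards and is NOT real cryptography.


def make_keypair(p: int, q: int, e: int = 65537):
    """Public and private keys are created simultaneously from the same two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)


def encrypt(public_key, message: bytes):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    e, n = public_key
    return [pow(b, e, n) for b in message]   # one number per byte; toy only


def decrypt(private_key, ciphertext) -> bytes:
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Signing runs the other way: the private key signs, the public key verifies."""
    d, n = private_key
    return pow(digest_mod_n(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)


def cert_body(subject: str, public_key) -> bytes:
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The certificate authority vouches that this public key belongs to this subject."""
    return {"subject": subject, "public_key": subject_public,
            "ca_signature": sign(ca_private, cert_body(subject, subject_public))}


def verify_certificate(ca_public, cert: dict) -> bool:
    return verify(ca_public, cert_body(cert["subject"], cert["public_key"]), cert["ca_signature"])


def verify_signed_file(ca_public, cert: dict, data: bytes, signature: int) -> bool:
    """Trust chain: the CA vouches for the certificate; the certificate's key vouches for the file."""
    return verify_certificate(ca_public, cert) and verify(cert["public_key"], data, signature)


# Constructed keys: primes chosen by hand for the example, not generated securely.
CA_PUBLIC, CA_PRIVATE = make_keypair(1000003, 999983)
ACME_PUBLIC, ACME_PRIVATE = make_keypair(1000033, 1000037)
ACME_CERT = issue_certificate(CA_PRIVATE, "acme.example", ACME_PUBLIC)

INVOICE = b"Invoice 1042: pay 1,200 USD to account 77-11"   # constructed file
INVOICE_SIGNATURE = sign(ACME_PRIVATE, INVOICE)
```

A receiver who trusts only the CA's public key can still check the invoice: first that the CA really signed the certificate naming acme.example, then that the key in that certificate signed the file. Change one byte of the invoice, or present a certificate that Acme signed for itself instead of the CA, and the check fails.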
Virtual Private Network (VPN)
private network that uses a public network (ie internet) to connect to users
tunneling
process used in Virtual Private Networks (VPNs): each data packet to be sent is encrypted and then placed inside another packet, so the outer packet can travel across the public network while its contents stay hidden.
secure sockets layer (SSL)
encryption standard used for secure transactions such as credit card purchases and online banking; now succeeded by Transport Layer Security (TLS).
hot site
fully configured computer facility with all services, communication links, and physical plant operations.
warm site
provides many of the services a hot site does, but does not include all the applications the company needs.
cold site
provides only rudimentary services and facilities, such as a building or a room with air conditioning; has no computer hardware or user workstations.