chapter 4 Flashcards
def. information security
Protecting an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
def. threat
Any danger to which an information resource may be exposed
def. vulnerability
The possibility that an information resource will be harmed by a threat
What are the five key factors contributing to the increasing vulnerability of organizational information sources?
- Today’s interconnected, interdependent, wirelessly networked business environment.
- Smaller, faster, cheaper computers and storage devices.
- Decreasing skills necessary to be a computer hacker.
- International organized crime taking over cybercrime.
- Lack of management support.
def. trusted network
any network within your organization
def. untrusted network
any network external to your organization
wireless is an inherently ____________ broadcast communications medium
nonsecure
def. cybercrime
Illegal activities executed on the Internet
what are the two major categories of threats?
unintentional threats
deliberate threats
what is a major category of unintentional threats?
human error
What are two important points about employees regarding threats?
- the higher the level of employee, the greater the threat he or she poses to information security
  - higher-level employees typically have greater access to corporate data, and they enjoy greater privileges on organizational information systems
- employees in two areas of the organization pose especially significant threats to information security: human resources and information systems (IS)
  - HR employees have access to sensitive personal information; IS employees not only have access to sensitive organizational data but also often control the means to create, store, transmit, and modify those data
who tends to be overlooked when considering threats
janitors and guards
as well as contract labour and consultants
what are human errors the result of?
typically the result of laziness, carelessness, or a lack of awareness concerning information security. This lack of awareness arises from poor education and training efforts by the organization.
def. social engineering
Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges
-most common example is attacker impersonating someone else on the telephone, or impersonating other individuals
two other social engineering techniques
Tailgating: a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to “hold the door.”
Shoulder surfing: occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes
def. espionage or trespass
occurs when an unauthorized individual attempts to gain illegal access to organizational information
-industrial espionage crosses the legal boundary such as theft of confidential data
def. information extortion
occurs when an attacker either threatens to steal or actually steals information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
def. sabotage or vandalism
deliberate acts that involve defacing an organization’s website, potentially damaging the organization’s image and causing its customers to lose faith in the organization
-ex. hacktivist or cyberactivist operation
describe dumpster diving
involves rummaging through commercial or residential garbage to find discarded information. Paper files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters
-this info can be used for fraudulent purposes
def. identity theft
Crime in which someone uses the personal information of others to create a false identity and then uses it for some fraud
techniques for illegally obtaining personal info
- Stealing mail or dumpster diving.
- Stealing personal information in computer databases.
- Infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom)
- Impersonating a trusted organization in an electronic communication (phishing).
def. intellectual property
The intangible property created by individuals or corporations, which is protected under trade secret, patent, and copyright laws
def. trade secret
Intellectual work, such as a business plan, that is a company secret and is not based on public information
def. patent
A document that grants the holder exclusive rights on an invention or process for a specified period of time, currently 20 years
def. copyright
A grant that provides the creator of intellectual property with ownership of it for a specified period of time, currently the life of the creator plus 50 years
def. piracy
Copying a software program (other than freeware, demo software, etc.) without making payment to the owner
What are the 3 general categories of cyberattacks?
(1) Remote Attacks Requiring User Action
(2) Remote Attacks Needing No User Action
(3) Attacks by a Programmer Developing a System
def. virus
Segment of computer code that performs malicious actions by attaching to another computer program
def. worm
Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program)
def. phishing attack
Attack that uses deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages
def. spear phishing
Attack that targets large groups of people. The perpetrators find out as much information as they can about an individual, tailoring their phishing attacks to improve their chances that they will obtain sensitive, personal information
def. denial-of-service attack
An attack where an attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function)
def. distributed denial-of-service attack
An attack where an attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash
def. bot or zombie
A computer that has been compromised by, and is under the control of, a hacker
def. botnet
A network of computers that has been compromised by, and is under the control of, a hacker, who is called the botmaster
def. trojan horse
Software programs that hide in other computer programs and reveal their designed behaviour only when they are activated
def. back door
Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door)
def. logic bomb
A segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as at a certain time or date
What are the four types of software attacks that are remote attacks requiring user action?
virus, worm, phishing attack, spear phishing
what are the two types of remote attacks needing no user action
denial-of-service attack
distributed denial-of-service attack
What are the three kinds of attacks by a programmer developing a system?
trojan horse, back door, logic bomb
def. alien software
Clandestine software that is installed on your computer through duplicitous methods
def. adware
Alien software designed to help pop-up advertisements appear on your screen
def. spyware
software that collects personal information about users without their consent
what are the two common types of spyware
keystroke loggers (record both your individual keystrokes and your web browsing history) and screen scrapers (this software records a continuous “movie” of a screen’s contents rather than simply recording keystrokes)
def. spamware
Alien software that uses your computer as a launch platform for spammers
def. spam
unsolicited email, usually advertising for products and services
what is an issue with spam
it wastes time and money. Spam costs companies around the world billions of dollars every year. These costs arise from productivity losses, clogged email systems, additional storage, user support, and anti-spam software. Spam can also carry viruses and worms, making it even more dangerous
def. cookies
Small amounts of information that websites store on your computer, temporarily or more or less permanently
-tracking cookies can be used to track your path through a website, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes. Tracking cookies can also combine this information with your name, purchases, credit card information, and other personal data to develop an intrusive profile of your spending habits
def. Supervisory Control and Data Acquisition (SCADA)
large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants. Essentially, SCADA systems provide a link between the physical world and the electronic world
def. cyberterrorism
A premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents
def. cyberwarfare
War in which a country’s information systems could be paralyzed from a massive attack by destructive software
Major difficulties in protecting information resources (10)
- Hundreds of potential threats exist.
- Computing resources may be situated in many locations.
- Many individuals control or have access to information assets.
- Computer networks can be located outside the organization, making them difficult to protect.
- Rapid technological changes make some controls obsolete as soon as they are installed.
- Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
- People tend to violate security procedures because the procedures are inconvenient.
- The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, a potential criminal can learn hacking, for free, on the Internet.
- The costs of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect themselves against all possible hazards.
- It is difficult to conduct a cost-benefit justification for controls before an attack occurs because it is difficult to assess the impact of a hypothetical attack.
def. risk
probability that a threat will affect an information resource
def. risk management
A process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels
what are the three processes involved in risk management?
risk analysis, risk mitigation, and controls evaluation
def. risk analysis (3 steps)
(1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset’s being compromised with the costs of protecting that asset
def. risk mitigation
A process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan
two functions of risk mitigation
(1) implementing controls to prevent identified threats from occurring,
(2) developing a means of recovery if the threat becomes a reality
what are the three most common risk mitigation strategies
risk acceptance, risk limitation, and risk transference
def. risk acceptance
Accept the potential risk, continue operating with no controls, and absorb any damages that occur
def. risk limitation
Limit the risk by implementing controls that minimize the impact of the threat
def. risk transference
Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance
what does an org do in controls evaluation?
the organization identifies security deficiencies and calculates the costs of implementing controls. If the costs of implementing a control are greater than the value of the asset being protected, the control is not cost-effective
def. controls (or countermeasures)
Defence mechanisms used to safeguard assets, optimize the use of the organization’s resources, and prevent or detect errors or fraud
what is the single most valuable control?
user education and training
def. control environment
Controls that encompass management attitudes toward controls, as evidenced by management actions, as well as by stated policies and procedures that address ethical issues and the quality of supervision
def. general controls
Controls that apply to more than one functional area
def. application controls
Security countermeasures that protect specific applications in functional areas
3 types of general controls
physical controls, access controls, and communications controls
def. physical controls
Controls that restrict unauthorized individuals from gaining access to a company’s computer facilities
(i.e., walls, doors, gates, locks, guards, alarm systems, etc.)
what is a shortcoming of physical controls
can be inconvenient to employees
why do guards have a difficult job (two reasons)
- their jobs are boring and repetitive and generally do not pay well.
- if guards perform their jobs thoroughly, the other employees harass them, particularly if they slow up the process of entering the facility
def. access controls
Controls that restrict unauthorized individuals from using information resources and are concerned with user identification
-can be physical controls or logical controls
def. logical controls
controls that are implemented by software
what are the two main functions of access controls
authentication and authorization
def. authentication
confirms the identity of the person requiring access
def. authorization
process that determines which actions, rights, or privileges the person has, based on his or her verified identity
what do good control systems do?
limit authorization to tasks needed to accomplish a person’s job
def. biometrics
The science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject’s physiological or behavioural characteristics
ex. fingerprints, retina scan
smart ID cards
have an embedded chip that stores pertinent information about the user
tokens
have embedded chips and a digital display that presents a login number that the employees use to access the organization’s network. The number changes with each login.
what are forms of authentication that the user does
voice recognition, signature recognition
what are authentication methods that the user knows?
passwords and passphrase
Basic guidelines for strong passwords? (6)
- They should be difficult to guess.
- They should be long rather than short.
- They should have uppercase letters, lowercase letters, numbers, and special characters.
- They should not be recognizable words.
- They should not be the name of anything or anyone familiar, such as family names or names of pets.
- They should not be a recognizable string of numbers, such as a social insurance number or a birthday
what is the difference between a password and pass phrase
passphrase is a series of characters that is longer than a password but is still easy to memorize
-passphrase can serve as a password itself, or it can help you create a strong password
what is using more than one type of authentication called
multifactor authentication
def. privilege (user profile)
A collection of related computer system operations that can be performed by users of the system
def. least privilege
A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization
def. communication controls (or network controls)
Controls that deal with the movement of data across networks
def. firewall
A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network
def. demilitarized zone (DMZ)
A separate organizational local area network that is located between an organization’s internal network and an external network, usually the Internet
The danger from viruses and worms is so severe that many organizations are placing firewalls at strategic points _________________
inside their private networks.
In this way, if a virus or worm does get through both the external and internal firewalls, then the internal damage may be contained
def. anti-malware systems (or antivirus software)
Software packages that attempt to identify and eliminate viruses, worms, and other malicious software
def. malware
Malicious software such as viruses and worms
Whereas firewalls filter network traffic according to categories of activities that are likely to cause problems, anti-malware systems filter traffic ____________
according to a database of specific problems
def. whitelisting
A process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity
def. blacklisting
A process in which a company identifies certain types of software that are not allowed to run in the company environment
Whereas whitelisting allows _______ to run unless it is on the whitelist, blacklisting allows _________ to run unless it is on the blacklist.
nothing
everything
def. encryption
The process of converting an original message into a form that cannot be read by anyone except the intended receiver
def. public-key encryption (or asymmetric encryption)
A type of encryption that uses two different keys: a public key (locking key) and a private key (unlocking key)
The public key (locking key) and the private key (unlocking key) are created simultaneously using the same mathematical formula or algorithm. Because the two keys are mathematically related, data encrypted with one key can be decrypted by using the other key
def. certificate authority
third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates
def. digital certificate
An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content
def. Virtual private network (VPN)
A private network that uses a public network (usually the Internet) to securely connect users by using encryption
why are VPNs called virtual
they have no separate physical existence
advantages of VPNs
- they allow remote users to access the company network
- they provide flexibility. That is, mobile users can access the organization’s network from properly configured remote devices.
- organizations can impose their security policies through VPNs
def. tunnelling
A process that encrypts each data packet to be sent and places each encrypted packet inside another packet
VPN uses this
def. transport layer security (TLS) (or secure socket layer)
An encryption standard used for secure transactions such as credit card purchases and online banking
def. employee monitoring systems
Systems that monitor employees’ computers, email activities, and Internet surfing activities
application controls
security countermeasures that protect specific applications in functional areas
3 major categories of application controls
input controls, processing controls, and output controls.
input controls
programmed routines that edit input data for errors before they are processed
processing controls
programmed routines that perform actions that are part of the record-keeping of the organization, reconcile and check transactions, or monitor the operation of applications.
output controls
programmed routines that edit output data for errors, or help to ensure that output is provided only to authorized individuals.
def. business continuity planning
The chain of events linking planning to protection and to recovery
purpose:
provide guidance to people who keep the business operating after a disaster occurs
hot sites
fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations
warm site
provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations
cold site
provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations.
audit
The accumulation and evaluation of evidence that is used to prepare a report about the information or controls that are being examined, using established criteria and standards
information systems audit
An examination of information systems, their inputs, outputs, and processing