CHAPTER 8 SECURING INFORMATION SYSTEMS Flashcards
Protocol used for encrypting data flowing over the internet; limited to individual messages
S-HTTP (Secure Hypertext Transfer Protocol)
Enables client and server computers to manage encryption and decryption activities as they communicate with each other during a web session
SSL (Secure Sockets Layer)
Data file used to establish the identity of users and electronic assets for protection of online transactions. Uses certification authority (CA) to validate a user’s identity. CA verifies user’s identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner’s public key
Digital certificate
- Uses two mathematically related keys: public key and private key
- Sender encrypts message with recipient’s public key
- Recipient decrypts with private key
Public key encryption
Use of public key cryptography working with certificate authority. Widely used in e-commerce
Public key infrastructure (PKI)
Sender and receiver use single, shared key
Symmetric key encryption
Two methods of encryption are:
- Symmetric key encryption
- Public key encryption
Transforming text or data into cipher text that cannot be read by unintended recipients
Encryption
Products that include multiple security features integrated into one box
Unified Threat Management (UTM) systems
Check computers for presence of malware and can often eliminate it as well. Require continual updating.
Antivirus and antispyware software
Monitor hot spots on corporate networks to detect and deter intruders. Examine events as they are happening to discover attacks in progress.
Intrusion detection systems
Combination of hardware and software that prevents unauthorized access to network
Firewall
Uses systems that read and interpret individual human traits, such as fingerprints, irises, and voices, in order to grant or deny access
Biometric authentication
A device about the size of a credit card that contains a chip formatted with access permission and other data
Smart card
A physical device, similar to an identification card, that is designed to prove the identity of a single user
Token
Authentication is often established by using passwords known only to authorized users
Passwords
Refers to the ability to know that a person is who he or she claims to be
Authentication
Business process and technologies for identifying valid users of system. Creates different levels or roles of system user and access. Allows each user access only to those portions of system under that user role
Identity management
A policy that a user must agree to follow in order to be provided access to a network or to the internet
Acceptable use policy (AUP)
Ranks information risks, identifies acceptable security goals, identifies mechanisms for achieving these goals, drives other policies
Security policy
Determines level of risk to firm if specific activity or process is not properly controlled
Risk management
Application controls
Specific controls unique to each computerized application, such as payroll or order processing.
- Includes both automated and manual procedures.
- Ensure that only authorized data are completely and accurately processed by that application.
- Includes: input controls, processing controls, output controls
Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
Social engineering
What is click fraud?
Fraudulent clicks on online ads
What is cyberwarfare?
Actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption
Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser
Pharming
Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
Evil twins
Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
Phishing
Networks of “zombie” PCs infiltrated by bot malware
Botnets
Use of numerous computers to launch a DoS
Denial-of-service attacks (DoS)
Eavesdropping program that monitors information traveling over network; Enables hackers to steal proprietary information such as e-mail, company files, and so on
Sniffer
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; Redirecting Web link to address different from intended one, with site masquerading as intended destination
Spoofing
Intentional disruption, defacement, destruction of Web site or corporate information system
Cybervandalism
Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks
Keyloggers
Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
Spyware
Software program that appears to be benign but then does something other than expected
Trojan horses
Independent computer programs that copy themselves from one computer to other computers over a network
Worms
Rogue software program that attaches itself to other software programs or data files in order to be executed
Viruses
What is war driving?
Eavesdroppers drive by buildings and try to intercept network traffic; with access to the SSID, they have access to the network’s resources
Power failures, floods, fires, and so on
Disasters
Breakdowns, configuration errors, damage from improper use or crime
Hardware problems
Programming errors, installation errors, unauthorized changes
Software problems