Chapter 8: Securing Information Systems Flashcards

system vulnerability & abuse, business value of security & control, org. frameworks, tools & tech

1
Q

Why is the Internet vulnerable?

A

Because it is an open system that contains digital data, which is vulnerable to destruction, misuse, error, fraud & hardware/software failings

2
Q

Name potential harmful actions against IS

A
  • Spoofing: hiding one’s identity or faking the identity of another user
  • Sniffing: monitors information travelling over a (WiFi) network
  • Denial-of-service attacks (DoS) & distributed DoS (DDoS): crashing a network by flooding a server with false requests
  • Botnet: group of Internet-connected devices infected with bots (spam attacks, DDoS etc.)
  • Identity theft
  • Evil twins: wireless networks pretending to offer secure WiFi
  • Pharming: automatically leading to incorrect webpage
3
Q

Why is countering harmful actions difficult?

A
  • dispersed nature of cloud computing hinders tracking
  • software often contains bugs & vulnerabilities that can be exploited by hackers
  • end users often introduce errors by mistake
4
Q

What is the business value of security & control?

A
  • ensuring sales & productivity are not negatively impacted
  • some information loses value if leaked to outsiders or exposes the firm to legal liability
  • several laws (HIPAA etc.) require firms to practice electronic records management & maintain high data security standards
  • electronic evidence & computer forensics
5
Q

What does the control framework for IS consist of?

A
  • general control: overall control environment governing design, security & use of computer programs & data file security throughout firm’s IT infrastructure
  • application control: specific controls unique to each computerized application, ensuring only authorized data are processed (Input/Process/Output-Control)
6
Q

What does risk assessment mean?

A
  • evaluating information assets
  • identifying control points & weaknesses
  • determining most effective set of controls
7
Q

What does security policy mean?

A
  • policies for acceptable use & identity management (validation & control over users)
  • ranking information risks
  • identifying security goals
  • mechanisms for achieving these goals
    –> Systematic IS auditing to determine security effectiveness
8
Q

Tools for safeguarding information resources

A
  • firewalls: combination of hard- & software preventing unauthorized users from accessing private networks
  • intrusion detection systems: monitoring private networks for suspicious network traffic
  • authentication through passwords, tokens, smart cards, biometric authentication or two-factor processes
  • anti-malware software
9
Q

Name the different types of malware

A
  • viruses: rogue software attaching itself to other programs
  • worms: independent programs copying themselves over to other computers/networks
  • trojan horses: software that does something other than what is expected of it
  • SQL injection hacks: hackers submit data to web forms that exploit site’s unprotected software & send rogue SQL query to database
  • ransomware: encrypting files & demanding ransom for decryption
  • spyware: gathering info without someone’s knowledge
10
Q

Technologies for safeguarding information resources

A
  • encryption
  • blockchain tech: create & verify transactions on a decentralized network
  • digital certificates combined with public key encryption (based on public key infrastructure (PKI) & private key)
  • fault-tolerant computer systems: able to still operate although parts of system fail
  • use of software metrics & testing