Chapter 8: Securing Information Systems

Question 1

Acceptable Use Policy (AUP)

Answer 1

Defines acceptable uses of the firm’s information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet, and specifies consequences for noncompliance.

Question 2

Antivirus Software

Answer 2

Software designed to detect, and often eliminate, computer viruses from an information system.

Question 3

Application Controls

Answer 3

Specific controls unique to each computerized application that ensure that only authorized data are completely and accurately processed by that application.

Question 4

Authentication

Answer 4

The ability of each party in a transaction to ascertain the identity of the other party.

Question 5

Biometric Authentication

Answer 5

Technology for authenticating system users that compares a person’s unique characteristics such as fingerprints, face or retinal image, against a stored set profile of these characteristics.

Question 6

Botnet

Answer 6

A group of computers that have been infected with bot malware without users’ knowledge, enabling a hacker to use the amassed resources of the computers to launch distributed denial-of-service attacks, phishing campaigns or spam.

Question 7

Bugs

Answer 7

Software program code defects.

Question 8

Business Continuity Planning

Answer 8

Planning that focuses on how the company can restore business operations after a disaster strikes.

Question 9

Click Fraud

Answer 9

Fraudulently clicking on an online ad in pay per click advertising to generate an improper charge per click.

Question 10

Computer Crime

Answer 10

The commission of illegal acts through the use of a computer or against a computer system.

Question 11

Computer Forensics

Answer 11

The scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

Question 12

Computer Virus

Answer 12

Rogue software programs that attaches itself to other software programs or data files in order to be executed, often causing hardware and software malfunctions.

Question 13

Controls

Answer 13

All of the methods, policies, and procedures that ensure protection of the organization’s assets, accuracy and reliability of its records, and operational adherence to management standards.

Question 14

Cybervandalism

Answer 14

Intentional disruption, defacement, or destruction of a Web site or corporate information system.

Question 15

Cyberwarfare

Answer 15

State-sponsored activity designed to cripple and defeat another state or nation by damaging or disrupting its computers or networks.

Question 16

Deep Packet Inspection (DPI)

Answer 16

Technology for managing network traffic by examining data packets, sorting out low-priority data from higher priority business-critical data, and sending packets in order of priority.

Question 17

Denial-of-Service (DoS) Attack

Answer 17

Flooding a network server or Web server with false communications or requests for services in order too crash the network.

Question 18

Digital Certificates

Answer 18

An attachment to an electronic message to verify the identity of the sender and to provide the receiver with the means to encode a reply.

Question 19

Disaster Recovery Planning

Answer 19

Planning for the restoration of computing and communications services after they have been disrupted.

Question 20

Distributed Denial-of-Service (DDoS) Attack

Answer 20

Numerous computers inundating and overwhelming a network from numerous launch points.

Question 21

Downtime

Answer 21

Period of time in which an information system is not operational.

Question 22

Drive-By Download

Answer 22

Malware that comes with a downloaded file a user intentionally or unintentionally requests.

Question 23

Encryption

Answer 23

The coding and scrambling of messages to prevent their being read or accessed without authorization.

Question 24

Evil Twin

Answer 24

Wireless networks that pretend to be legitimate to entice participants to log on and reveal passwords or credit card numbers.

Question 25

Fault-Tolerant Computer Systems

Answer 25

Systems that contain extra hardware, software, and power supply components that can back a system up and keep it running to prevent system failure.

Question 26

Firewall

Answer 26

Hardware and software placed between an organization’s internal network and an external network to prevent outsiders from invading private networks.

Question 27

General Controls

Answer 27

Overal control environment governing the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure.

Question 28

Gramm-Leach-Blilely Act

Answer 28

Requires financial institutions to ensure the security and confidentiality of customer data.

Question 29

Hacker

Answer 29

A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.

Question 30

High-Availability Computing

Answer 30

Tools and technologies, including backup hardware resources, to enable a system to recover quickly from a crash.

Question 31

HIPAA

Answer 31

Law outlining rules for medical security, privacy, and the management of health care records.

Question 32

Identity Management

Answer 32

Business processes and software tools for identifying the valid users of a system and controlling their access to system resources.

Question 33

Identity Theft

Answer 33

Theft of key pieces of personal information, such as credit card or Social Security numbers, in order to obtain false credentials.

Question 34

Intrusion Detection Systems

Answer 34

Tools to monitor the most vulnerable points in a network to detect and deter unauthorized intruders.

Question 35

Keyloggers

Answer 35

Spyware that records every keystroke made on a computer to steal personal information or passwords or to launch Internet attacks.

Question 36

Malware

Answer 36

Malicious software programs such as computer viruses, worms, and Trojan horses.

Question 37

Managed Security Service Providers (MSSPs)

Answer 37

Company that provides security management services for subscribing clients.

Question 38

MIS Audit

Answer 38

Identifies all the controls that govern individual information systems and assesses their effectiveness.

Question 39

Online Transaction Processing

Answer 39

Transaction processing mode in which transactions entered on-line are immediately processed by the computer.

Question 40

Password

Answer 40

Secret word or string of characters for authenticating users so they can access a resource such as a computer system.

Question 41

Patches

Answer 41

Small pieces of software to repair the software flaws without disturbing the proper operation of the software.

Question 42

Pharming

Answer 42

Phishing technique that redirects users to a bogus Web page, even when an individual enters the correct Web page address.

Question 43

Phishing

Answer 43

Form of spoofing involving setting up fake Web sites or businesses that ask users for confidential personal data.

Question 44

Public Key Encryption

Answer 44

Uses two keys: one shared (or public) and one private.

Question 45

Public Key Infrastructure (PKI)

Answer 45

System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.

Question 46

Recovery-Oriented Computing

Answer 46

Computer systems designed to recover rapidly when mishaps occur.

Question 47

Risk Assessment

Answer 47

Determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. Used to determine the cost/benefit of a control.

Question 48

Sarbanes-Oxley Act

Answer 48

Law passed in 2002 that imposes responsibility on companies and their management to protect investors by safeguarding the accuracy and integrity of financial information that is used internally and released externally.

Question 49

Secure Hypertext Transfer Protocol (S-HTTP)

Answer 49

Protocol used for encrypting data flowing over the Internet; limited to individual messages.

Question 50

Secure Sockets Layer (SSL)

Answer 50

Enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session.

Question 51

Security

Answer 51

Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Question 52

Security Policy

Answer 52

Statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.

Question 53

Smart Card

Answer 53

A credit-card-size plastic card that stores digital information and that can be used for electronic payments in place of cash.

Question 54

Sniffer

Answer 54

Type of eavesdropping program that monitors information traveling over a network.

Question 55

Social Engineering

Answer 55

Tricking people into revealing their passwords by pretending to rrbe legitimate users or members of a company in need of information.

Question 56

Spoofing

Answer 56

Tricking or deceiving computer systems or other computer users by hiding one’s identity or faking the identity of another user on the Internet.

Question 57

Spyware

Answer 57

Technology that aids in gathering information about a person or organization without their knowledge.

Question 58

SQL Injection Attack

Answer 58

Attacks against a Web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common database software application) applications in order to introduce malicious program code into a company’s systems and networks.

Question 59

Token

Answer 59

Physical device similar to an identification card that is designed to prove the identity of a single user.

Question 60

Trojan Horse

Answer 60

A software program that appears legitimate but contains a second hidden function that may cause damage.

Question 61

Unified Threat Management (UTM)

Answer 61

Comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and Web content filtering and anti-spam software.

Question 62

War Driving

Answer 62

Technique in which eavesdropper drive by buildings or pack outside outside and try to intercept wireless network traffic.

Question 63

Worms

Answer 63

Independent software programs that propagate themselves to disrupt the operation of computer networks or destroy data and other programs.

Question 64

Why are information systems vulnerable to destruction, error, and abuse?

Answer 64

Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software failure. The Internet is designed to be an open system and makes internal corporate systems more vulnerable to actions from outsiders. Hackers can unleash denial-of-service (DoS) attacks or penetrate corporate networks, causing serious system disruptions. Wi-Fi networks can easily be penetrated by intruders using sniffer programs to obtain an address to access the resources of the network. Computer viruses and worms can disable systems and Web sites. The dispersed nature of cloud computing makes it difficult to track unauthorized activity or to apply controls from afar. Software presents problems because software bugs may be impossible to eliminate and because software vulnerabilities can be exploited by hackers and malicious software. End users often introduce errors.

Question 65

What is the business value of security and control?

Answer 65

Lack of sound security and control can cause firms relying on computer systems for their core business functions to lose sales and productivity. Information assets, such as confidential employee records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or if they expose the firm to legal liability. New laws, such as HIPAA, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act, require companies to practice stringent electronic records management and adhere to strict standards for security, privacy, and control. Legal actions requiring electronic evidence and computer forensics also require firms to pay more attention to security and electronic records management.

Question 66

What are the components of an organization framework for security and control?

Answer 66

Firms need to establish a good set of both general and application controls for their information systems. A risk assessment evaluates information assets, identifies control points and control weaknesses, and determines the most cost-effective set of controls. Firms must also develop a coherent corporate security policy and plans for continuing business operations in the event of disaster or disruption. The security policy includes policies for acceptable use and identity management. Comprehensive and systematic MIS auditing helps organizations determine the effectiveness of security and controls for their information systems.

Question 67

What are the most important tools and technologies for safeguarding information resources?

Answer 67

Firewalls prevent unauthorized users from accessing a private network when it is linked to the Internet. Intrusion detection systems monitor private networks from suspicious network traffic and attempts to access corporate systems. Passwords, tokens, smart cards, and biometric authentication are used to authenticate system users. Antivirus software checks computer systems for infections by viruses and worms and often eliminates the malicious software, while antispyware software combats intrusive and harmful spyware programs. Encryption, the coding and scrambling of messages, is a widely used technology for securing electronic transmission over unprotected networks. Digital certificates combined with public key encryption provide further protection of electronic transactions by authenticating a user’s identity. Companies can use fault-tolerant computer systems or create high-availability computing environments to make sure that their information systems are always available. Use of software metrics and rigorous software testing help improve software quality and reliability.