CHP. 12 Flashcards

1
Q

Identity theft

A

Stealing, misrepresenting, or hijacking the identity of another person or business.

2
Q

Personal Information Protection and Electronic Documents Act (PIPEDA)

A

In Canada, PIPEDA gives individuals the right to know why an organization collects, uses, or discloses their personal information.

3
Q

Security threats

A

A problem with the security of information or the data therein, caused by:
1. Human errors and mistakes:
- Accidental problems
- Poorly written programs
- Poorly designed procedures
- Physical accidents
2. Malicious human activity:
- Intentional destruction of data
- Destroying system components
- Hackers
- Virus and worm writers
- Criminals
- Terrorists
3. Natural events and disasters:
- Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornados, and other acts of nature
- Initial losses of capability and service, plus losses from recovery actions

4
Q

Spam

A

Unwanted email messages.

5
Q

Unauthorized data disclosure

A

Can occur because of human error when someone inadvertently releases data in violation of policy, or when employees unknowingly or carelessly release proprietary data to competitors or the media.

6
Q

Pretexting

A

A technique for gathering unauthorized information in which someone pretends to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers. Phishing is also a form of pretexting.

7
Q

Phishing

A

A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, social insurance numbers, account passwords, and so forth.

8
Q

Spoofing

A

When someone pretends to be someone else with the intent of obtaining unauthorized data. If you pretend to be your professor, you are spoofing your professor.

9
Q

IP spoofing

A

A type of spoofing whereby an intruder uses another site’s IP address as if it were that other site.

10
Q

Email spoofing

A

A synonym for phishing. A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends email requests for confidential data, such as account numbers, social insurance numbers, account passwords, and so forth. Phishers direct traffic to their sites under the guise of a legitimate business.

11
Q

Sniffing

A

A technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required.

12
Q

Drive-by sniffers

A

People who take computers with wireless connections through an area and search for unprotected wireless networks in an attempt to gain free internet access or to gather unauthorized data.

13
Q

Hacking

A

Occurs when a person gains unauthorized access to a computer system. Although some people hack for the sheer joy of doing it, other hackers invade systems for the malicious purpose of stealing or modifying data.

14
Q

Denial of service (DOS)

A

Security problem in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity.

15
Q

Technical safeguards

A

Safeguards that involve the hardware and software components of an information system.

  • Identification and authentication
  • Encryption
  • Firewalls
  • Malware protection
  • Application design

16
Q

Identification

A

The process whereby an information system identifies a user by requiring the user to sign on with a user name and password.

17
Q

Authentication

A

The process whereby an information system approves (authenticates) a user by checking the user’s password.

18
Q

Smart card

A

A plastic card similar to a credit card that has a microchip. The microchip, which holds much more data than a magnetic strip, is loaded with identifying data. Normally, it requires a PIN.

19
Q

Personal identification number (PIN)

A

A form of authentication whereby the user supplies a number that only he or she knows.

20
Q

Challenge/Response

A

A form of authentication that uses a varying form of numeric question and algorithmic response (usually involving sophisticated computerized tokens) to validate users.

21
Q

Biometric authentication

A

The use of personal physical characteristics, such as fingerprints, facial features, and retinal scans, to authenticate users.

22
Q

Malware

A

Viruses, worms, spyware, and adware.

23
Q

Spyware

A

Programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Malicious spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware is used for marketing analyses, observing what users do, websites visited, products examined and purchased, and so forth.

24
Q

Adware

A

Programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads.

25
Q

Malware definitions

A

Patterns that exist in malware code. Anti-malware vendors update these definitions continuously and incorporate them in their products in order to better fight against malware.

26
Q

Data safeguards

A

Steps taken to protect databases and other organizational data by means of data administration and database administration.

  • Data rights and responsibilities (third-party contracts)
  • Passwords
  • Encryption
  • Backup and recovery
  • Physical security

27
Q

Data administration

A

A staff function that pertains to all of an organization’s data assets. Typical data administration tasks are setting data standards, developing data policies, and providing for data security.

28
Q

Database administration

A

The management, development, operation, and maintenance of the database so as to achieve the organization’s objectives. This staff function requires balancing conflicting goals—protecting the database while maximizing its availability for authorized use. In smaller organizations, this function is usually served by a single person. Larger organizations assign several people to an office of database administration.

29
Q

Key escrow

A

A control procedure whereby a trusted party is given a copy of a key used to encrypt database data.

30
Q

Human safeguard

A

Steps taken to protect against security threats by establishing appropriate procedures for users to follow for system use.

  • Hiring
  • Training
  • Education
  • Procedure design
  • Administration
  • Assessment
  • Compliance
  • Accountability

31
Q

Hardening

A

The process of taking extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system, and they lock down or eliminate operating systems features and functions that are not required by the application. Hardening is a technical safeguard.

32
Q

Hot sites

A

Remote processing centres in an advanced state of readiness that have equipment companies need to continue operations in the event of a loss of their main computing sites (see Cold and Warm sites).

33
Q

Cold sites

A

Remote processing centres that provide office space and limited computer equipment for use by companies that need to continue operations after a loss of their primary computing site (see Warm and Hot sites).

34
Q

Five types of security problems are:

A
  1. Unauthorized data disclosure
  2. Incorrect data modification
  3. Faulty service
  4. Denial of service
  5. Loss of infrastructure

35
Q

Unauthorized data disclosure

A
  • Human error
    · Posting private information in public space
    · Placing restricted information on searchable Web sites
    · Inadvertent disclosure
  • Malicious release
    · Pretexting
    · Phishing
    · Spoofing
    · Sniffing

36
Q

Incorrect data modification

A

  • Human errors
    · Incorrect entries and information
    · Procedural problems
  • Systems errors
  • Hacking

37
Q

Faulty Service

A
  • Incorrect system operation
  • Usurpation

38
Q

Loss of infrastructure

A
  • Accidental
  • Theft
  • Terrorism
  • Natural disasters

39
Q

Elements of a Security Program

A
  • Senior management involvement
    · Must establish a security policy
    · Must manage risk, balancing costs and benefits
  • Safeguards
    · Protections against security threats
  • Incident response
    · Must be planned for prior to incidents

40
Q

Warm sites

A

Remote processing centres that have some equipment that may be used in the event that an organization loses its primary computing facility. Readiness is somewhere between a Cold site and a Hot site.