CHP. 12

Question 1

Identity theft

Answer 1

Stealing, misrepresenting, or hijacking the identity of another person or business.

Question 2

Personal Information Protection and Electronic Documents Act (PIPEDA)

Answer 2

In Canada, PIPEDA gives individuals the right to know why an organization collects, uses, or discloses their personal information.

Question 3

Security threats

Answer 3

A problem with the security of information or the data therein, caused by:
1. Human errors and mistakes:
- Accidental problems
- Poorly written programs
- Poorly designed procedures
- Physical accidents
2. Malicious human activity
- Intentional destruction of data
- Destroying system components
- Hackers
- Virus and worm writers
- Criminals
- Terrorists
3. Natural events and disasters
- Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornados, and other acts of nature
- Initial losses of capability and service
Plus losses from recovery actions

Question 4

Spam

Answer 4

Unwanted email messages.

Question 5

Unauthorized data disclosure

Answer 5

Can occur because of human error when someone inadvertently releases data in violation of policy, or when employees unknowingly or carelessly release proprietary data to competitors or the media.

Question 6

Pretexting

Answer 6

A technique for gathering unauthorized information in which someone pretends to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers. Phishing is also a form of pretexting.

Question 7

Phishing

Answer 7

A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, social insurance numbers, account passwords, and so forth.

Question 8

Spoofing

Answer 8

When someone pretends to be someone else with the intent of obtaining unauthorized data. If you pretend to be your professor, you are spoofing your professor.

Question 9

IP spoofing

Answer 9

A type of spoofing whereby an intruder uses another site’s IP address as if it were that other site.

Question 10

Email spoofing

Answer 10

A synonym for phishing. A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends email requests for confidential data, such as account numbers, social insurance numbers, account passwords, and so forth. Phishers direct traffic to their sites under the guise of a legitimate business.

Question 11

Sniffing

Answer 11

A technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required.

Question 12

Drive-by sniffers

Answer 12

People who take computers with wireless connections through an area and search for unprotected wireless networks in an attempt to gain free internet access or to gather unauthorized data.

Question 13

Hacking

Answer 13

Occurs when a person gains unauthorized access to a computer system. Although some people hack for the sheer joy of doing it, other hackers invade systems for the malicious purpose of stealing or modifying data.

Question 14

Denial of service (DOS)

Answer 14

Security problem in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity.

Question 15

Technical safeguards

Answer 15

Safeguards that involve the hardware and software components of an information system.

• Identification and authentication
• Encryption
• Firewalls
• Malware protection
• Application Design

Question 16

Identification

Answer 16

The process whereby an information system identifies a user by requiring the user to sign on with a user name and password.

Question 17

Authentication

Answer 17

The process whereby an information system approves (authenticates) a user by checking the user’s password.

Question 18

Smart card

Answer 18

A plastic card similar to a credit card that has a microchip. The microchip, which holds much more data than a magnetic strip, is loaded with identifying data. Normally, it requires a PIN.

Question 19

Personal identification number (PIN)

Answer 19

A form of authentication whereby the user supplies a number that only he or she knows.

Question 20

Challenge/Response

Answer 20

A form of authentication that uses a varying form of numeric question and algorithmic response (usually involving sophisticated computerized tokens) to validate users.

Question 21

Biometric authentication

Answer 21

The use of personal physical characteristics, such as fingerprints, facial features, and retinal scans, to authenticate users.

Question 22

Malware

Answer 22

Viruses, worms, spyware, and adware.

Question 23

Spyware

Answer 23

Programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Malicious spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware is used for marketing analyses, observing what users do, websites visited, products examined and purchased, and so forth.

Question 24

Adware

Answer 24

Programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads.

Question 25

Malware definitions

Answer 25

Patterns that exist in malware code. Anti-malware vendors update these definitions continuously and incorporate them in their products in order to better fight against malware.

Question 26

Data safeguards

Answer 26

Steps taken to protect databases and other organizational data by means of data administration and database administration.

• Data rights and responsibilities (Third party contracts
• Passwords
• Encryption
• Backup and recovery
• Physical security

Question 27

Data administration

Answer 27

A staff function that pertains to all of an organization’s data assets. Typical data administration tasks are** setting data standards, developing data policies, and providing for data security.**

Question 28

Database administration

Answer 28

The management, development, operation, and maintenance of the database so as to achieve the organization’s objectives. This staff function requires balancing conflicting goals—protecting the database while maximizing its availability for authorized use. In smaller organizations, this function is usually served by a single person. Larger organizations assign several people to an office of database administration.

Question 29

Key escrow

Answer 29

A control procedure whereby a trusted party is given a copy of a key used to encrypt database data.

Question 30

Human safeguard

Answer 30

Steps taken to protect against security threats by establishing appropriate procedures for users to follow for system use.

• Hiring
• Training
• Education
• Procedure design
• Administration
• Assessment
• Compliance
• Accountability

Question 31

Hardening

Answer 31

The process of taking extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system, and they lock down or eliminate operating systems features and functions that are not required by the application. Hardening is a technical safeguard.

Question 32

Hot sites

Answer 32

Remote processing centres in an advanced state of readiness that have equipment companies need to continue operations in the event of a loss of their main computing sites (see Cold and Warm sites).

Question 33

Cold sites

Answer 33

Remote processing centres that provide office space and limited computer equipment for use by companies that need to continue operations after a loss of their primary computing site (see Warm and Hot sites).

Question 34

Five types of security problems are:

Answer 34

1. Unauthorized data disclosure
2. Incorrect data modification
3. Faulty service
4. Denial of service
5. Loss of infrastructure

Question 35

Unauthorized data disclosure

Answer 35

• Human error
  · Posting private information in public space
  · Placing restricted information on searchable Web sites
  · Inadvertent disclosure
  
  • Malicious release
    · Pretexting
    · Phishing
    · Spoofing
    Sniffing

Question 36

Incorrect data modification

Answer 36

Human errors
* Incorrect entries and information
Procedural problems
* Systems errors
* Hacking

Question 37

Faulty Service

Answer 37

• Incorrect system operation
  Usurpation

Question 38

Loss of infrastructure

Answer 38

• Accidental
• Theft
• Terrorism
• Natural disasters

Question 39

Elements of a Security Program

Answer 39

• Senior management involvement
  - Must establish a security policy
  - Manage risk
  · Balancing costs and benefits
• Safeguards
  
  • Protections against security threats
• Incident response
  -Must plan for prior to incidents

Question 40

Warm sites

Answer 40

Remote processing centres that have some equipment that may be used in the event that an organization loses its primary computing facility. Readiness is somewhere between a Cold site and a Hot site.