Info Systems Quiz 2 Flashcards
Security
degree of protection against criminal activity, danger, damage, or loss
Information Security
all of the processes and policies designed to protect an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
Threat
any danger to which a system may be exposed
Exposure
harm, loss, or damage that can result if a threat compromises that resource
Vulnerability
possibility that a threat will harm that resource
Five key factors contributing to increasing vulnerability of organizational information resources
- today’s interconnected, interdependent, wirelessly networked business environment
- smaller, faster, cheaper computers and storage devices
- decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- lack of management support
trusted vs untrusted network
trusted: any network within your organization
untrusted: any network external to your organization
Cybercrime
illegal activities conducted over computer networks, particularly the internet
Two categories of threats to information systems
unintentional threats and deliberate threats
Unintentional threats
acts performed without malicious intent that nevertheless represent a serious threat to information security
Human error
unintentional threat; the higher the level of the employee, the greater the threat to security, since higher-level employees have more access to data
ex. carelessness with computing devices, opening questionable emails, careless internet surfing, poor passwords
Social engineering
Attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information, such as passwords
Social engineering techniques
tailgating: designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry
shoulder surfing: perpetrator watches an employee’s computer screen over the employee’s shoulder
Deliberate threats to Information systems (ten)
- espionage or trespass
- information extortion
- sabotage or vandalism
- theft of equipment or information
- identity theft
- compromises to intellectual property
- software attacks
- alien software
- supervisory control and data acquisition (SCADA) attacks
- cyberterrorism and cyber warfare
Espionage or trespass
unauthorized individual attempts to gain illegal access to organizational information
Information extortion
occurs when an attacker either threatens to steal or actually steals information from a company
Sabotage or vandalism
deliberate acts that involve defacing an organization’s website, potentially damaging the organization’s image and causing its customers to lose faith
Theft of equipment or information
computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage
Dumpster diving
involves rummaging through commercial or residential trash to find discarded information
Identity theft
deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime
techniques: stealing mail or dumpster diving, stealing personal information from computer databases
Intellectual property
property created by individuals or corporations that is protected under trade secret, patent, and copyright laws
Trade secret
intellectual work, such as a business plan, that is a company secret and is not based on public information
patent
official document that grants the holder exclusive rights on an invention or a process for a specific period of time
Copyright
statutory grant that provides the creators or owners of intellectual property
Piracy
copying a software program without making payment to the owner, including giving a disc to a friend to install on his or her computer
Malware
when attackers used malicious software to infect as many computers worldwide as possible, to the profit-driven, web-based attacks of today
Three types of software attacks
remote attacks requiring user action, remote attacks requiring no user action, and software attacks initiated by programmers during the development of a system
Ransomware
digital extortion, blocks access to a computer system or encrypts an organization’s data until the organization pays a sum of money
Spear phishing
employees receive hundreds of emails every day, and many of their roles require them to download and open attachments
Alien software
Clandestine software that is installed on your computer through duplicitous methods
Adware
software that causes pop-up advertisements to appear on your screen
Spyware
software that collects personal information about users without their consent; keystroke loggers and screen scrapers
Spamware
pestware that uses your computer as a launch pad for spammers
Spam
unsolicited e-mail, usually advertising for products and services
Cookies
small amounts of information that websites store on your computer, temporarily or more or less permanently
SCADA
Supervisory control and data acquisition; large-scale distributed measurement and control system
Cyberterrorism and cyber warfare
refer to malicious acts in which attackers use a target’s computer systems, particularly through the internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda
Controls
defense mechanisms designed to protect all of the components of an information system, including data, software, hardware, and networks
Three major information security controls
physical controls, access controls, and communications controls
Physical controls
prevent unauthorized individuals from gaining access to a company’s facilities; ex. walls, doors, fencing, gates, locks
access controls
restrict unauthorized individuals from information resources
two functions of access controls
authentication: confirms the identity of the person requiring access
authorization: determines which actions or rights the person has, based on his or her verified identity
Biometrics
an authentication method that examines a person’s innate physical characteristics
Active and passive biometric authentication
active: requires the user to physically participate in the verification process by taking an action such as speaking or placing a finger or eye in proximity
passive: capable of identifying a person without their active participation ex. voice recognition and behavioral identification
Communication controls
secure movement of data across networks
firewall
system that prevents a specific type of information from moving between untrusted networks, such as the internet, and private networks, such as your company’s network; demilitarized zone: two firewalls
Anti-malware systems
antivirus software packages that attempt to identify and eliminate viruses, worms, and other malicious software
Whitelisting
process in which a company identifies the software that it will allow to run on its computers
blacklisting
allows everything to run unless it is on the blacklist, which includes certain types of software that are not allowed to run in the company environment
Virtual private network
private network that uses a public network to connect users
tunneling: encrypts each data packet to be sent and places each encrypted packet inside another packet
Transport layer security
aka Secure Sockets Layer (SSL); encryption standard used for secure transactions such as credit card purchases and online banking
Public-key encryption
public key: publicly available in a directory that all parties can access
private key: kept secret, never shared with anyone, and never sent across the internet
Certificate authority
acts as a trusted intermediary between the companies
Digital certificate
electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format
Employee monitoring system
scrutinize their employees’ computers, email activities, and internet surfing activities
Business continuity
chain of events linking planning to protection and to recovery
Bandwidth
transmission capacity of a network, stated in bits per second
Computer network
system that connects computers and other services through communications media so that data and information can be transmitted among them
Broadband
transmission capacity of communications medium faster than 25 megabits per second for download
Local area network
connects two or more devices in a limited geographical region, usually within the same building, so that every device on the network can communicate with every other device
file/network server
contains various software and data for the network
Wide area network
WAN; network that covers a large geographical area, ex. AT&T
Routers
communications processor that routes messages from a LAN to the internet
Enterprise network
displays a model of enterprise computing
Backbone networks
high-speed central networks to which multiple smaller networks connect
Communication channel
consists of two types of media: cable and broadcast
wireline media
uses physical wires or cables to transmit data and information; the alternative is broadcast media
Twisted pair wire
used for almost all business telephone wiring, relatively inexpensive, slow for transmitting data, can be easily tapped
Coaxial Cable
consists of insulated copper wire; less susceptible to electrical interference and carries more data, but more expensive and harder to work with
Fiber-optic cable
consists of thousands of very thin filaments of glass fibers that transmit information through pulses of light generated by lasers; can transmit far more data
Protocol
enables computing devices to communicate with one another
ethernet
network that provides data transmission speeds of 100 gigabits
Transmission Control Protocol/internet protocol
TCP/IP; protocol of the internet, responsible for disassembling, delivering, and reassembling the data during transmission
Hypertext transfer protocol
defines how messages are formulated and how they are interpreted by their receivers
Distributed processing
divides processing work among two or more computers; enables computers in different locations to communicate with one another through telecommunications links
Client/server computing
links two or more computers in an arrangement in which some machines, called servers, provide computing services for user PCs
Intranet
network that uses internet protocols so that users can take advantage of familiar applications and work habits
Extranet
connects parts of the intranets of different organizations, enables business partners to communicate securely over the internet using VPNs
IP address
distinguishes a computer from all other computers; consists of sets of numbers, in four parts, separated by dots
World Wide Web
system of universally accepted standards for storing, retrieving, formatting, and displaying information through a client/server architecture
Seven domains
user domain -> workstation domain -> LAN domain -> LAN-to-WAN domain -> WAN domain -> system/application domain -> remote access domain
Packet switching
emails never get sent in one “package”; it is easier to transmit data in parts rather than in one piece
Internet connection methods
Dial-up: still used in the US where broadband is not available
DSL: broadband access through telephone companies
Cable modem: access over your cable TV coaxial cable; can have degraded performance if many of your neighbors are accessing the internet at once
Satellite: access where cable and DSL are not available
Wireless: very convenient, and WiMAX will increase the use of broadband wireless
Fiber-to-the-home (FTTH): expensive and usually placed only in new housing developments