Chapter 12 In Class Notes

Question 1

A person or organization that seeks to obtain
data or other assets illegally, without the
owner’s permission and often without the
owner’s knowledge

Answer 1

Threat

Question 2

An opportunity for threats to gain access to

individual or organizational assets.

Answer 2

vulnerability

Question 3

A measure that individuals or organizations
take to block the threat from obtaining an
asset.

Answer 3

Safeguards. Safeguards are not always effective.
Some threats achieve their goal in spite of
safeguards.

Question 4

An asset that is desired by the threat.

Answer 4

Target

Question 5

SOURCES OF THREATS? 3 of them

Answer 5

HUMAN ERROR
COMPUTER CRIME
 NATURAL EVENTS AND
DISASTERS

Question 6

 Accidental problems caused by both

employees and nonemployees.

Answer 6

 Procedures not followed
 Increasing a customer’s discount
 Incorrectly modifying employee’s salary
 Placing incorrect data on company Web site
 System errors
 Systems working incorrectly
 Programming errors
7
g g
 IT installation errors
 Faulty recovery actions after a disaster

Question 7

 Includes employees and former employees who
intentionally destroy data or other system
components.

Answer 7

Computer Crime

Question 8

A technique for gathering unauthorized
information in which someone pretends to be
someone else.

Answer 8

Pretexting

Question 9

When someone pretends to be
someone else with the intent of obtaining
unauthorized data.

Answer 9

Spoofing

Question 10

A type of spoofing whereby an
intruder uses another site’s IP address as if it were
that other site.

Answer 10

IP Spoofing

Question 11

What is needed for your reset password information?

Answer 11

 Victim’s Email Address

 Answer to victim’s security question!

Question 12

A technique for intercepting computer

communications.

Answer 12

Sniffing. With wired networks, sniffing
requires a physical connection to the network.
With wireless networks, no such connection is
required.

Question 13

People who take computers
with wireless connections through an area an
search for unprotected wireless networks in an
attempt to gain free Internet access or to gather
16 unauthorized data.

Answer 13

Drive by sniffer

Question 14

A form of computer crime in which a person gains

unauthorized access to a computer system.

Answer 14

Hacking. Although
some people hack for the sheer joy of doing it, other
hackers invade systems for the malicious purpose of
stealing or modifying data.

Question 15

Occurs when unauthorized programs invade a
computer system and replace legitimate programs.
Such unauthorized programs typically shut down
the legitimate system and substitute their own
processing.

Answer 15

Usurpation

Question 16

A computer program that senses when another
computer is attempting to scan the disk or
otherwise access a computer.

Answer 16

Intrusion Detection System (IDS)

Question 17

Management’s policy for computer security,
consisting of a general statement of the
organization’s security program, issue-specific
policy, and system-specific policy.

Answer 17

Security Policy

Question 18

What Are the Elements of a

Security Policy? 3 of them

Answer 18

1. General statement of organizations security program
2. Issue-specific policy
3. System-specific policy

Question 19

threats & consequences we know about

Answer 19

risk

Question 20

things we do not know that we do not know

Answer 20

Uncertainty

Question 21

The “bottom line”
of risk assessment; the likelihood
of loss multiplied by the cost of the
loss consequences (both tangible
and intangible).

Answer 21

Probable loss

Question 22

• Given probable loss, what to protect?
• Which safeguards inexpensive and easy?
• Which vulnerabilities expensive to eliminate?
• How to balance cost of safeguards with benefits of
probable loss reduction?
You should ask these questions when making what kind of decision?

Answer 22

Risk-Management Decisions

Question 23

Protects consumer financial data stored by
financial institutions (banks, securities firms,
insurance companies, and organizations) that
provide financial advice, prepare tax returns, and
provide similar financial services.

Answer 23

Gramm-Leach-Bliley (GLB) Act (1999) -

Question 24

ederal law that provides
protections to individuals regarding records
31 maintained by the U.S. government

Answer 24

Privacy Act of 1974

Question 25

Give individuals the right to access health data created by doctors and other health-care providers. HIPAA also sets rules and limits on who can read and receive a person’s health information.

Answer 25

``` Health Insurance Portability and Accountability Act (HIPAA) (1996) ```

Question 26

A wireless security standard developed by the IEEE 802.11 committee that was insufficiently tested before it was deployed in the communications equipment. IT has serious flaws.

Answer 26

WEP (Wired-Equivalent Privacy)

Question 27

An improved wireless security standard developed by the IEEE 802.11 committee to fix the flaws 34 of the Wired Equivalent Privacy (WEP) standard

Answer 27

WPA & WPA2 (WiFI Protected Access)

Question 28

What Technical Safeguards | Are Available?

Answer 28

1. Identification and authentication 2. Encryption 3. Firewalls 4. Malware protection 5. Design for secure applications

Question 29

The process whereby an information system identifies a user by requiring the user to sign on with a username and password.

Answer 29

Identification

Question 30

``` The process whereby and information system verifies (validates) a user. ```

Answer 30

Authentication

Question 31

A form of authentication whereby the user supplies a number that only he or she knows.

Answer 31

Personal Identification Number (PIN)

Question 32

The use of personal physical characteristics, such as fingerprints, facial features, and 36 retinal scans, to authenticate users.

Answer 32

Biometric authentication

Question 33

A system, developed at MIT that authenticates users without sending their passwords across a computer network. It uses a complicated system of “tickets” to enable users to obtain services from networks and other servers.

Answer 33

Kerberos

Question 34

The process of transforming clear text into coded, unintelligible text for secure storage or communication.

Answer 34

Encryption

Question 35

Algorithms used to transform clear text into coded, unintelligible text for secure storage or communication. Commonly used methods are DES, 3DES, and AES.

Answer 35

Encryption algorithms

Question 36

A number used to encrypt data. The encryption algorithm applies the key to the original message to produce the coded message. Decoding (decrypting) the message is similar; a key is applied to the coded message to recover the original text.

Answer 36

Key

Question 37

An encryption method whereby | the same key is used to encode and to decode the message.

Answer 37

Symmetric Encryption

Question 38

An encryption method whereby different keys are used to encode and to decode the message; one key encodes the message, and the other key decodes the message.

Answer 38

Asymmetric encryption

Question 39

A special version of asymmetric encryption that is popular on the Internet. With this method, each side has a public key for encoding messages and a private key for decoding 42 them.

Answer 39

Public Key/Private Key

Question 40

used for full disk encryption – All hard drives contents are encrypted • If stolen, nothing can be recovered!

Answer 40

Truecrypt

Question 41

used for single file encryption – Make .exe file to send to others • Taxes, SSN, PHI, etc

Answer 41

Axcrypt

Question 42

A computer program that replicates itself.

Answer 42

Virus

Question 43

The program codes of a virus that causes unwanted or hurtful actions, such as deleting programs or data, or even worse, modifying data in ways that are undetected by the user.

Answer 43

Payload

Question 44

Virus that masquerades as a useful | program or file.

Answer 44

Trojan horses. A typical Trojan horse appears to be a computer game, an MP3 music file, or some other useful, innocuous program.

Question 45

A virus that propagates itself using the | Internet or some other computer network.

Answer 45

Worms. Worm code is written specifically to infect another computer as quickly as possible.

Question 46

Tiny files that gather demographic | information

Answer 46

Beacon. Beacons are often image files that install malware code when users open images in junk mail. Most are not malicious and simply verify users’ email addresses, activities, and preferences.

Question 47

captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information.

Answer 47

Spyware. Other spyware is used for marketing analysis observing what users do, Web sites visited, products examined and purchased, and so forth.

Question 48

most is benign in that it does not perform malicious acts or steal data. It does, however, watch user activities and produce pop50 up ads.

Answer 48

Adware

Question 49

Security problem in which users are not able to access an information system; can be caused by human errors, natural disasters, or malicious activity.

Answer 49

Denial of Service (DOS)

Question 50

A term used to describe server operating systems that have been modified to make them especially difficult for them to be infiltrated by malware

Answer 50

Hardening

Question 51

A password-cracking program that tries every possible combination of characters.

Answer 51

Brute Force Attack

Question 52

False targets for computer criminals to attack

Answer 52

Honeypots

Question 53

A utility company that can take over another company’s processing with no forewarning.

Answer 53

Hot Site. Hot sites are expensive; organizations pay $250,000 or more per month for such services.

Question 54

Remote processing centers that provide office space, and possibly computer equipment, for use by a company to use to continue operations after a disaster.

Answer 54

Cold Sites

Question 55

2022?

Answer 55

• Challenges likely to be iOS and other intelligent portable devices • Harder for the lone hacker to find vulnerability to exploit • Continued investment in safeguards • Continued problem of electronically porous national borders