Chapter 17: Securing Information Systems

Question 1

Security

Answer 1

Refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems

Question 2

Controls

Answer 2

Specific method of ensuring security. Think of as gates in order to enter system. (passwords)

Methods, policies, and organizational procedures that ensure the safety of the organization’s assets; the accuracy and reliability of its records; and operational adherence to management standards

Question 3

Worms

Answer 3

Independent computer programs that copy themselves from one computer to other computers over a network

Question 4

Trojan Horse

Answer 4

A software program that appears to be benign but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often away for viruses or other malicious code to be introduced into your computer system

Question 5

SQL Injection Attacks

Answer 5

The largest malware threat. SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems and networks

Question 6

Spyware

Answer 6

These small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising

Question 7

Keyloggers

Answer 7

Record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to email accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit cards

Question 8

Hacker

Answer 8

A individual who intends to gain unauthorized access to a computer system

Question 9

Cybervandalism

Answer 9

The intentional disruption, defacement, or even deactivation of a Web site or corporate information system

Question 10

Spoofing

Answer 10

Involves redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination

Question 11

Sniffer

Answer 11

A type of eavesdropping program that monitors information traveling over a network

Question 12

Denial-of-service (DoS) Attack

Answer 12

Hackers flood a network server or Web server with many thousands of false communications or requests for service to crash the network

Question 13

Distributed Denial-of-Service (DoSS)

Answer 13

Uses numerous computers to inundate an overwhelm the network from numerous launch points

Question 14

Botnet

Answer 14

Perpetrators of DoS attacks often use thousands of “zombie” PCs infected with malicious software without their owner’s knowledge and organized into a botnet

Question 15

Computer Crime

Answer 15

Any violation of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution

Question 16

Identity Theft

Answer 16

A crime in which an impostor obtains key pieces of personal information, such as social security identification numbers, driver’s license numbers, or credit card numbers, to impersonate someone else

Question 17

Phishing

Answer 17

Involves setting up fake Web sites or sending emails or text messages that look like those of legitimate businesses to ask users for confidential personal information

Question 18

Evil Twins

Answer 18

Wireless networks that pretend to offer trustworthy Wifi connections to the Internet, such as those in airier lounges, hotels, or coffee shops

Question 19

Pharming

Answer 19

Redirects users to a bogus web page, even when the individual types the correct web page address into his or her browser

Question 20

Click Fraud

Answer 20

Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase

Question 21

Social Engineering

Answer 21

Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information

Question 22

Bugs

Answer 22

Program code defects

Question 23

Patches

Answer 23

Small pieces of software to repair the flaws without distributing the proper operation of the software

Question 24

HIPAA

Answer 24

Outlines the media security and privacy rules and procedures for simplifying the administration of health care providers, payers, and plans

Question 25

Gramm-Leach-Biley Act

Answer 25

Requires financial institutions to ensure the security and confidentiality of customer data

Question 26

Sarbanes-Oxley Act

Answer 26

Designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies. Imposes responsibility to safeguard the accuracy and integrity of financial information that is used internally and released externally

Question 27

Computer Forensics

Answer 27

The scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved in computer storage media in such a way that the information can be used as evidence in a court of law

Question 28

General Control

Answer 28

Governs the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure

Question 29

Application Controls

Answer 29

Specific controls unique to each computerized application, such as payroll or order processing

Question 30

Risk Assessment

Answer 30

Determines the level of risk to the firm if a specific activity or process is not properly controlled (like sensitivity analysis for Security)

Question 31

Security Policy

Answer 31

Identify security risks, identify goals to mitigate risks, then figure out how to actually mitigate risks Consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals

Question 32

Acceptable Use Policy (AUP)

Answer 32

Defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet

Question 33

Identity Management

Answer 33

Different ways to validate that that person is actually that person and control/grant them access to different levels of shit Consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources

Question 34

Disaster Recovery Planning

Answer 34

Devises plans for the restoration of computing and communications services after the have been disrupted

Question 35

Business Continuity Planning

Answer 35

Focuses on how the company restore business operations after a disaster strikes

Question 36

MIS Audit

Answer 36

Examines the firm's overall security environment as well as controls governing individual information systems

Question 37

Authentication

Answer 37

Refers to the ability to know that a person is who he or she claims to be

Question 38

Passwords

Answer 38

Known only to authorized users

Question 39

Token

Answer 39

A physical device, like a small keychain PIN generator, that is designed to prove the identity of a single user

Question 40

Smart Card

Answer 40

A device about the size of a credit card that contains a chip formatted with access permissions and other data

Question 41

Biometric Authentication

Answer 41

Uses systems that read and interpret individual human traits, such as finger prints, irises, and voices, in order to grant or deny access

Question 42

Firewalls

Answer 42

Prevent unauthorized users from accessing private networks

Question 43

Intrusion Detection Systems

Answer 43

Feature full-time monitoring tools placed at the most vulnerable points or "hot spots" of corporate networks to detect and deter intruders continually

Question 44

Antivirus Software

Answer 44

Designed to check computer systems and drives for the presence of computer viruses

Question 45

Unified threat Management

Answer 45

A single appliance with various security tools, including firewalls, virtual private networks, intrusion detection systems, and Web content filtering and antispam software

Question 46

Encryption

Answer 46

The process of transforming plain text or data into cipher text (coded text) that cannot be read by anyone other than the sender and the intended receiver

Question 47

Secure Sockets Layer (SSL)

Answer 47

** between two computers (ex. between retailers and consumer computers) ** Enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session

Question 48

Secure Sockets Protocol (S-HTTP)

Answer 48

Another protocol used for encrypting data flowing over the Internet, but is limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers ** Further security for authentication. **

Question 49

Public Key Encryption

Answer 49

Uses two keys: one shared (or public) to send, and one totally private, to open and decrypt

Question 50

Digital Certificates

Answer 50

Data files used to establish the identity of users and electronic assets for protection of online transactions

Question 51

Online Transaction Processing

Answer 51

Transactions entered online are immediately processed by the computer. Multitudinous changes to the database, reporting, and requests for information occur each instance

Question 52

Fault-Tolerant Computer Systems

Answer 52

Contain redundant hardware, software, and power supply components that create an environment that provides continuos, uninterrupted service

Question 53

High-availability Computing

Answer 53

Helps firms recover quickly from a system crash, whereas fault tolerance promises continuous availability and the elimination of recovery time altogether

Question 54

Downtime

Answer 54

Refers to the period of time in which a system is not operational

Question 55

Recovery-oriented Computing

Answer 55

Researchers are exploring ways to make computing systems recover even more rapidly when mishaps occur

Question 56

Deep Packet Inspection (DPI)

Answer 56

DPI examines data files and sorts out low-priority online material while assigning higher priority to business-critical files

Question 57

Managed Security Service Providers (MSSPs)

Answer 57

Monitor network activity and perform vulnerability testing and intrusion detection (like home security network but for your company)