Chapter 4 Flashcards

1
Q

def. information security

A

Protecting an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction

2
Q

def. threat

A

Any danger to which an information resource may be exposed

3
Q

def. vulnerability

A

The possibility that an information resource will be harmed by a threat

4
Q

What are the five key factors contributing to the increasing vulnerability of organizational information sources?

A
  1. Today’s interconnected, interdependent, wirelessly networked business environment.
  2. Smaller, faster, cheaper computers and storage devices.
  3. Decreasing skills necessary to be a computer hacker.
  4. International organized crime taking over cybercrime.
  5. Lack of management support.
5
Q

def. trusted network

A

any network within your organization

6
Q

def. untrusted network

A

any network external to your organization

7
Q

wireless is an inherently ____________ broadcast communications medium

A

nonsecure

8
Q

def. cybercrime

A

Illegal activities executed on the Internet

9
Q

What are the two major categories of threats?

A

unintentional threats

deliberate threats

10
Q

What is a major category of unintentional threats?

A

human error

11
Q

What are two important points about employees regarding threats?

A
  1. The higher the level of employee, the greater the threat he or she poses to information security.
    - Higher-level employees typically have greater access to corporate data, and they enjoy greater privileges on organizational information systems.
  2. Employees in two areas of the organization pose especially significant threats to information security: human resources and information systems (IS).
    - HR employees have access to sensitive personal information; IS employees not only have access to sensitive organizational data but also often control the means to create, store, transmit, and modify those data.
12
Q

Who tends to be overlooked when considering threats?

A

janitors and guards

as well as contract labour and consultants

13
Q

What are human errors the result of?

A

Typically the result of laziness, carelessness, or a lack of awareness concerning information security. This lack of awareness arises from poor education and training efforts by the organization.

14
Q

def. social engineering

A

Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges

- The most common example is an attacker impersonating someone else on the telephone, or impersonating other individuals.

15
Q

What are two other social engineering techniques?

A

Tailgating: a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to “hold the door.”

Shoulder surfing: occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes

16
Q

def. espionage or trespass

A

Occurs when an unauthorized individual attempts to gain illegal access to organizational information.
- Industrial espionage crosses the legal boundary, such as theft of confidential data.

17
Q

def. information extortion

A

occurs when an attacker either threatens to steal or actually steals information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

18
Q

def. sabotage or vandalism

A

deliberate acts that involve defacing an organization’s website, potentially damaging the organization’s image and causing its customers to lose faith in the organization

- e.g., a hacktivist or cyberactivist operation

19
Q

Describe dumpster diving.

A

Involves rummaging through commercial or residential garbage to find discarded information. Paper files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters.
- This information can be used for fraudulent purposes.

20
Q

def. identity theft

A

Crime in which someone uses the personal information of others to create a false identity and then uses it for some fraud

21
Q

What are techniques for illegally obtaining personal information?

A
  • Stealing mail or dumpster diving.
  • Stealing personal information in computer databases.
  • Infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom)
  • Impersonating a trusted organization in an electronic communication (phishing).
22
Q

def. intellectual property

A

The intangible property created by individuals or corporations, which is protected under trade secret, patent, and copyright laws

23
Q

def. trade secret

A

Intellectual work, such as a business plan, that is a company secret and is not based on public information

24
Q

def. patent

A

A document that grants the holder exclusive rights on an invention or process for a specified period of time, currently 20 years

25
def. copyright
A grant that provides the creator of intellectual property with ownership of it for a specified period of time, currently the life of the creator plus 50 years
26
def. piracy
Copying a software program (other than freeware, demo software, etc.) without making payment to the owner
27
What are the 3 general categories of cyberattacks?
(1) Remote Attacks Requiring User Action (2) Remote Attacks Needing No User Action (3) Attacks by a Programmer Developing a System
28
def. virus
Segment of computer code that performs malicious actions by attaching to another computer program
29
def. worm
Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program)
30
def. phishing attack
Attack that uses deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages
31
def. spear phishing
Attack that targets large groups of people. The perpetrators find out as much information as they can about an individual, tailoring their phishing attacks to improve their chances that they will obtain sensitive, personal information
32
def. denial-of-service attack
An attack where an attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function)
33
def. distributed denial-of-service attack
An attack where an attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash
34
def. bot or zombie
A computer that has been compromised by, and is under the control of, a hacker
35
def. botnet
A network of computers that has been compromised by, and is under the control of, a hacker, who is called the botmaster
36
def. trojan horse
Software programs that hide in other computer programs and reveal their designed behaviour only when they are activated
37
def. back door
Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door)
38
def. logic bomb
A segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as at a certain time or date
39
What are the four types of software attacks that are remote attacks requiring user action?
virus, worm, phishing attack, spear phishing
40
What are the two types of remote attacks needing no user action?
denial-of-service attack, distributed denial-of-service attack
41
What are the three kinds of attacks by a programmer developing a system?
trojan horse, back door, logic bomb
42
def. alien software
Clandestine software that is installed on your computer through duplicitous methods
43
def. adware
Alien software designed to help pop-up advertisements appear on your screen
44
def. spyware
software that collects personal information about users without their consent
45
What are the two common types of spyware?
keystroke loggers (record both your individual keystrokes and your web browsing history) and screen scrapers (this software records a continuous “movie” of a screen's contents rather than simply recording keystrokes)
46
def. spamware
Alien software that uses your computer as a launch platform for spammers
47
def. spam
unsolicited email, usually advertising for products and services
48
What is an issue with spam?
It wastes time and money. Spam costs companies around the world billions of dollars every year. These costs arise from productivity losses, clogged email systems, additional storage, user support, and anti-spam software. Spam can also carry viruses and worms, making it even more dangerous.
49
def. cookies
Small amounts of information that websites store on your computer, temporarily or more or less permanently. Tracking cookies can be used to track your path through a website, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes. Tracking cookies can also combine this information with your name, purchases, credit card information, and other personal data to develop an intrusive profile of your spending habits.
50
def. Supervisory Control and Data Acquisition (SCADA)
A large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants. Essentially, SCADA systems provide a link between the physical world and the electronic world.
51
def. cyberterrorism
A premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents
52
def. cyberwarfare
War in which a country's information systems could be paralyzed from a massive attack by destructive software
53
Major difficulties in protecting information resources (10)
  1. Hundreds of potential threats exist.
  2. Computing resources may be situated in many locations.
  3. Many individuals control or have access to information assets.
  4. Computer networks can be located outside the organization, making them difficult to protect.
  5. Rapid technological changes make some controls obsolete as soon as they are installed.
  6. Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
  7. People tend to violate security procedures because the procedures are inconvenient.
  8. The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, a potential criminal can learn hacking, for free, on the Internet.
  9. The costs of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect themselves against all possible hazards.
  10. It is difficult to conduct a cost-benefit justification for controls before an attack occurs because it is difficult to assess the impact of a hypothetical attack.
54
def. risk
The probability that a threat will affect an information resource
55
def. risk management
A process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels
56
What are the three processes involved in risk management?
risk analysis, risk mitigation, and controls evaluation
57
def. risk analysis (3 steps)
(1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset's being compromised with the costs of protecting that asset
58
def. risk mitigation
A process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan
59
What are the two functions of risk mitigation?
(1) implementing controls to prevent identified threats from occurring, (2) developing a means of recovery if the threat becomes a reality
60
What are the three most common risk mitigation strategies?
risk acceptance, risk limitation, and risk transference
61
def. risk acceptance
Accept the potential risk, continue operating with no controls, and absorb any damages that occur
62
def. risk limitation
Limit the risk by implementing controls that minimize the impact of the threat
63
def. risk transference
Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance
64
What does an organization do in controls evaluation?
The organization identifies security deficiencies and calculates the costs of implementing controls. If the costs of implementing a control are greater than the value of the asset being protected, the control is not cost-effective.
65
def. controls (or countermeasures)
Defence mechanisms used to safeguard assets, optimize the use of the organization's resources, and prevent or detect errors or fraud
66
What is the single most valuable control?
user education and training
67
def. control environment
Controls that encompass management attitudes toward controls, as evidenced by management actions, as well as by stated policies and procedures that address ethical issues and the quality of supervision
68
def. general controls
Controls that apply to more than one functional area
69
def. application controls
Security countermeasures that protect specific applications in functional areas
70
What are the 3 types of general controls?
physical controls, access controls, and communications controls
71
def. physical controls
Controls that restrict unauthorized individuals from gaining access to a company's computer facilities (i.e., walls, doors, gates, locks, guards, alarm systems, etc.)
72
What is a shortcoming of physical controls?
They can be inconvenient to employees.
73
Why do guards have a difficult job (two reasons)?
1. Their jobs are boring and repetitive and generally do not pay well. 2. If guards perform their jobs thoroughly, the other employees harass them, particularly if they slow up the process of entering the facility.
74
def. access controls
Controls that restrict unauthorized individuals from using information resources and are concerned with user identification. They can be physical controls or logical controls.
75
def. logical controls
Controls that are implemented by software
76
What are the two main functions of access controls?
authentication and authorization
77
def. authentication
Confirms the identity of the person requiring access
78
def. authorization
The process that determines which actions, rights, or privileges the person has, based on his or her verified identity
79
What do good control systems do?
They limit authorization to the tasks needed to accomplish a person's job.
80
def. biometrics
The science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject's physiological or behavioural characteristics (e.g., fingerprints, retina scan)
81
def. smart ID cards
Cards that have an embedded chip that stores pertinent information about the user
82
def. tokens
Devices that have embedded chips and a digital display that presents a login number that the employees use to access the organization's network. The number changes with each login.
83
What are forms of authentication based on something the user does?
voice recognition, signature recognition
84
What are authentication methods based on something the user knows?
passwords and passphrase
85
Basic guidelines for strong passwords? (6)
  • They should be difficult to guess.
  • They should be long rather than short.
  • They should have uppercase letters, lowercase letters, numbers, and special characters.
  • They should not be recognizable words.
  • They should not be the name of anything or anyone familiar, such as family names or names of pets.
  • They should not be a recognizable string of numbers, such as a social insurance number or a birthday.
86
What is the difference between a password and a passphrase?
A passphrase is a series of characters that is longer than a password but is still easy to memorize. A passphrase can serve as a password itself, or it can help you create a strong password.
87
What is using more than one type of authentication called?
multifactor authentication
88
def. privilege (user profile)
A collection of related computer system operations that can be performed by users of the system
89
def. least privilege
A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization
90
def. communication controls (or network controls)
Controls that deal with the movement of data across networks
91
def. firewall
A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network
92
def. demilitarized zone (DMZ)
A separate organizational local area network that is located between an organization's internal network and an external network, usually the Internet
93
The danger from viruses and worms is so severe that many organizations are placing firewalls at strategic points _________________
inside their private networks. In this way, if a virus or worm does get through both the external and internal firewalls, then the internal damage may be contained
94
def. anti-malware systems (or antivirus software)
Software packages that attempt to identify and eliminate viruses, worms, and other malicious software
95
def. malware
Malicious software such as viruses and worms
96
Whereas firewalls filter network traffic according to categories of activities that are likely to cause problems, anti-malware systems filter traffic ____________
according to a database of specific problems
97
def. whitelisting
A process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity
98
def. blacklisting
A process in which a company identifies certain types of software that are not allowed to run in the company environment
99
Whereas whitelisting allows _______ to run unless it is on the whitelist, blacklisting allows _________ to run unless it is on the blacklist.
nothing; everything
100
def. encryption
The process of converting an original message into a form that cannot be read by anyone except the intended receiver
101
def. public-key encryption (or asymmetric encryption)
A type of encryption that uses two different keys: a public key (locking key) and a private key (unlocking key). The public key and the private key are created simultaneously using the same mathematical formula or algorithm. Because the two keys are mathematically related, data encrypted with one key can be decrypted by using the other key.
102
def. certificate authority
A third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates
103
def. digital certificate
An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content
104
def. Virtual private network (VPN)
A private network that uses a public network (usually the Internet) to securely connect users by using encryption
105
Why are VPNs called virtual?
They have no separate physical existence.
106
What are the advantages of VPNs?
  1. They allow remote users to access the company network.
  2. They provide flexibility. That is, mobile users can access the organization's network from properly configured remote devices.
  3. Organizations can impose their security policies through VPNs.
107
def. tunnelling
A process that encrypts each data packet to be sent and places each encrypted packet inside another packet. VPNs use this process.
108
def. transport layer security (TLS) (or secure socket layer)
An encryption standard used for secure transactions such as credit card purchases and online banking
109
def. employee monitoring systems
Systems that monitor employees' computers, email activities, and Internet surfing activities
110
def. application controls
Security countermeasures that protect specific applications in functional areas
111
What are the 3 major categories of application controls?
input controls, processing controls, and output controls.
112
def. input controls
Programmed routines that edit input data for errors before they are processed
113
def. processing controls
Programmed routines that perform actions that are part of the record-keeping of the organization, reconcile and check transactions, or monitor the operation of applications
114
def. output controls
Programmed routines that edit output data for errors, or help to ensure that output is provided only to authorized individuals
115
def. business continuity planning
The chain of events linking planning to protection and to recovery. Purpose: to provide guidance to people who keep the business operating after a disaster occurs.
116
def. hot site
A fully configured computer facility with all of the company's services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations.
117
def. warm site
Provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations.
118
def. cold site
Provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations.
119
def. audit
The accumulation and evaluation of evidence that is used to prepare a report about the information or controls that are being examined, using established criteria and standards
120
def. information systems audit
An examination of information systems, their inputs, outputs, and processing