Chapter 8: Securing Information Systems Flashcards
Digital data is vulnerable to
destruction, misuse, error, fraud, and hardware or software failures
Spoofing
Tricking or deceiving computer systems by hiding or faking one’s identity (fake e-mail addresses or masquerading as someone else)
Sniffing
type of eavesdropping program that monitors information traveling over a network (e.g. enables hackers to steal information)
Denial-of-Service attacks (DoS) & Distributed DOS (DDoS)
DoS: flooding a server with thousands of false requests to crash the network
DDoS: use of numerous computers to launch a DoS
Botnets
networks of “zombie” PCs infiltrated by bot malware; can perform spam attacks, DoS, etc.
Identity Theft
Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
Phishing
setting up fake websites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
Evil twins
wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
Pharming
redirects users to a bogus web page, even when the individual types the correct Web page address into their browser
Click Fraud
occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase (imitates users clicking on your system)
Internal threats: Employees
- sloppy security procedures
- both end users and IS specialists are sources of risk
Software presents problems because
- software bugs may be impossible to eliminate
- software vulnerabilities can be exploited by hackers and malicious software
Malware
can disable systems and websites, with special focus on mobile devices
Firms relying on computer systems for their core business functions are at risk of
- losing sales and productivity due to lack of security and control
various information assets such as business plans lose value if
they are released to outsiders or if they expose the firm to legal liability
electronic evidence (probative digital material) and computer forensics also require firms to
pay more attention to security and electronic records management
General Controls (for IS)
- overall control environment governing the design, security, and use of computer programs and the security of data files in general throughout the organisation’s information technology infrastructure
- types of general controls: software controls, hardware controls, computer operations controls, data security controls, system development controls, administrative controls
Application Controls (for IS)
- specific controls unique to each computerised application that ensure that only authorised data are completely and accurately processed by that application
- include: input controls, processing controls, output controls
Risk assessment
- evaluate information assets
- identify control points and control weaknesses
- determine the most cost-effective set of controls
Security policy
- includes policies for acceptable use and identity management
- ranks information risks
- identifies security goals
- specifies mechanisms for achieving these goals
- having coherent and tailored corporate security policies and plans for continuing business operations in case of disruption is imperative
- AUP (acceptable use policy) defines acceptable uses of the firm’s information resources & computing
Identity management software
- automates keeping track of all users and privileges
- authenticates users, protects identities, controls access
Authentication
password systems, tokens, smart cards, etc.
Firewall
combination of hardware and software that prevents unauthorised users from accessing private networks
Intrusion detection systems
- monitor networks to detect and deter intruders
- examine events as they are happening to discover attacks in progress