Flashcards in Exam 3 Deck (46):
1. A firewall is a computing device that prevents unauthorized network access. A firewall can be a special-purpose computer, or it can be a program on a general-purpose computer or on a router. In essence, a firewall is simply a filter. It can filter traffic in a variety of ways, including where network traffic is coming from, what types of packets are being sent, the content of the packets, and whether the packets are part of an authorized connection.
Summary: Firewalls are computing devices located between public and private networks that prevent unauthorized access to or from the internal network.
• A perimeter firewall sits outside the organizational network; it is the first device that Internet traffic encounters.
• In addition to perimeter firewalls, some organizations employ internal firewalls inside the organizational network.
A packet-filtering firewall
- Examines each part of a message and determines whether to let that part pass. To make this decision, it examines the source address, the destination address(es), and other data. This is the simplest type of firewall; other firewalls filter on a more sophisticated basis. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall. As a manager, you can use this type of firewall to prevent your employees from accessing any suspicious site.
1. A SQL injection attack occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data. If the program is improperly designed, it will accept this code and make it part of the database command that it issues. Improper data disclosure and data damage and loss are possible consequences. A well-designed application will make such injections ineffective.
1. Deceiving someone over the internet by pretending to be someone else. A common scam like this occurs when a telephone caller pretends to be from a credit card company and claims to be checking the validity of credit cards: “I’m checking your Mastercard number; it begins with 5491, can you tell me the rest of it?”
Occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal, and manipulate data, or achieve other purposes.
1. Another type of computer crime in which a person gains unauthorized access to a computer system. It involves breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.
1. A technique used for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is needed.
1. Wardrivers simply take computers with wireless connections through an area and search for unprotected wireless networks. They use packet sniffers, which are programs that capture network traffic to monitor and intercept traffic on unsecured wireless (or wired) networks. Even protected wireless networks are vulnerable. Summary: People who use computers with wireless connections to search for unprotected wireless networks.
1. Phishing is a technique similar to pretexting: it obtains unauthorized data by using pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, etc.
- A broad category of software that includes viruses, spyware, and adware; software that is intended to damage or disable computers and computer systems.
1. Adware is another sniffing technique. These are programs installed on the user’s computer without the user’s knowledge or permission that reside in the background and, unknown to the user, observe the user’s actions and keystrokes, modify computer activity, and report the user’s activities to sponsoring organizations. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads.
Denial of Service (DoS)-
1. Human error in following procedures or a lack of procedures can result in DoS, the fourth type of loss. For example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. An OLAP application that uses the operational DBMS can consume so many DBMS resources that order-entry transactions cannot get through. Summary: Security problem in which users are not able to access an information system; can be caused by human error, natural disaster, or malicious activity.
- When someone pretends to be someone else with the intent of obtaining unauthorized data. If you pretend to be your professor (Johnny), you are spoofing your professor. IP spoofing occurs when an intruder uses another site’s IP address to masquerade as that other site. Email spoofing is a synonym for phishing.
• How do natural disasters impact IT systems?
Natural events and disasters are the third type of security threat. This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions to recover from the initial problem.
What are cookies and how do they relate to information security?
Cookies Definition- Small files that your browser receives when you visit websites. A cookie is a small file that is stored on the user’s computer by a browser. Cookies can be used for authentication, for storing shopping cart contents and user preferences, and for other legitimate purposes. Cookies can also be used to implement spyware.
How it relates to information security- Cookies enable you to access Web sites without having to sign in every time, and they speed up processing of some sites. Unfortunately, some cookies also contain sensitive security data. The best safeguard is to remove your browsing history, temporary files, and cookies from your computer and to set your browser to disable history and cookies. Removing and disabling cookies presents an excellent example of the trade-off between improved security and cost. Your security will be substantially improved, but your computer will be more difficult to use.
What is the benefit to using https?
• Https is an indication that a Web browser is using the SSL/TLS protocol to provide secure communication. Most secure communications over the Internet use a protocol called https. With https, data are encrypted using a protocol called the Secure Sockets Layer (SSL), which is also known as Transport Layer Security (TLS). SSL/TLS uses a combination of public key encryption and symmetric encryption.
1. Your computer obtains the public key of the Web site to which it will connect.
2. Your computer generates a key for symmetric encryption.
3. Your computer encodes that key using the Web site’s public key. It sends the encrypted symmetric key to the Web Site.
4. The Web site then decodes the symmetric key using its private key.
5. From that point forward, your computer and the Web site communicate using symmetric encryption.
The use of SSL/TLS makes it safer to send sensitive data such as credit card numbers and bank balances. Just be certain that you see https:// in your browser and not just http://.
Most browsers have additional plug-ins or add-ons (like HTTPS Everywhere) that can force https connections when available.
Who develops security policies in an organization?
• Data administration- Refers to an organization-wide function that is in charge of developing data policies and enforcing data standards. Database administration refers to the function that pertains to a particular database. ERP, CRM, and MRP databases each have a database administration function. Database administration is where a person or department develops procedures and practices to ensure efficient and orderly multiuser processing of the database, to control changes to the database structure, and to protect the database.
• What is the Privacy Act of 1974?
• The Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government.
What is HIPAA?
The privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 give individuals the right to access health data created by doctors and other healthcare providers. HIPAA also sets the rules and limits on who can read and receive a person’s health information.
What are technical safeguards?
• Technical safeguards are the technologies and related policies and procedures that protect electronic protected health information (ePHI) that is created, processed, stored, or transmitted by a Covered Entity (CE) or Business Associate (BA). They are procedures designed to protect the hardware and software components of an information system. What are some examples? Programs that are used to combat malware and numerous viruses. Examples: identification and authorization, encryption, firewalls, malware protection, and application design.
What are human safeguards?
• Human safeguards are steps taken to protect against security threats by establishing appropriate procedures for users to follow during system use.
What are some examples?
1. Position Definition
- Separate duties and authorities
- Determine least privilege
- Document position sensitivity
2. Hiring and screening
- Where did you last work? What experience do you have? etc.
3. Dissemination and enforcement. “Let’s talk security.”
- Friendly- Retirement, found a new job, leaving on good terms.
- Unfriendly- Getting fired, arrested. Leaving on bad terms.
An encryption method whereby different keys are used to encode and to decode the message; one key encodes the message, and the other key decodes the message. Asymmetric Encryption is slower and more complicated than Symmetric Encryption.
An encryption method whereby the same key is used to encode and to decode messages.
What is outsourcing? Explain the management advantages of outsourcing.
Outsourcing- The process of hiring another organization to perform a service. Summary: Outsourcing is done to save costs, to gain expertise, and to free up management time. Outsourcing can be an easy way to gain expertise. Another reason for outsourcing is to avoid management problems. At ARES systems, building a large development and test team may be more than the company needs and requires management skills that neither Henri nor Raj has. Outsourcing the development function saves them from needing that expertise. Some companies choose to outsource to save management time and attention. Toshio at Falcon Security has the skills to manage a new software development project, but he may choose not to invest the time. Note that it is not only Toshio’s time. It is also time for more senior managers who approve the purchase and hiring requisitions for that activity. And those senior managers will need to devote the time necessary to learn enough about server infrastructure to approve or reject the requisitions. Outsourcing saves both direct and indirect management time.
How does outsourcing help reduce costs?
A common reason for choosing to outsource concerns cost reductions. With outsourcing, organizations can obtain part-time services. Another benefit of outsourcing is to gain economies of scale. If 25 organizations develop their own payroll application in-house, then when the tax law changes, 25 different groups will have to learn the new law, change their software to meet the law, test the changes, and write the documentation to explain the changes. However, if those same 25 organizations outsource to the same payroll vendor, then that vendor can make all of the adjustments once, and the cost of change can be amortized over all of them (thus lowering the cost that the vendor must charge).
Summary: Obtain part-time services. Gain economies of scale.
• How does outsourcing facilitate risk reduction?
Another reason for outsourcing is to reduce risk. First, outsourcing can cap financial risk. In a typical outsourcing contract, the outsource vendor will agree to a fixed-price contract for services. This occurs, for example, when companies outsource their hardware to cloud vendors. Another way to cap financial risk is, as Henri recommends, to delay paying the bulk of the fee until the work is completed and the software (or other components) is working. In the first case, it reduces risk by capping the total due; in the second, it ensures that little money need be spent until the job is done.
Second, outsourcing can reduce risk by ensuring a certain level of quality or avoiding the risk of having substandard quality. A company that specializes in food service knows what to do to provide a certain level of quality. It has the expertise to ensure, for example, that only healthy food is served. So, too, a company that specializes in, say, cloud-server hosting knows what to do to provide a certain level of reliability for a given workload.
Note that there is no guarantee that outsourcing will provide a certain level of quality or quality better than could be achieved in-house. If it doesn’t outsource the cafeteria, Google might get lucky and hire only great chefs. Henri might get lucky and hire the best software developer. But, in general, a professional outsourcing firm knows how to avoid giving everyone food poisoning or how to develop new mobile applications. And, if that minimum level of quality is not provided, it is easier to hire another vendor than it is to fire and rehire internal staff.
Finally, organizations choose to outsource IS in order to reduce implementation risk. Hiring an outside cloud vendor reduces the risk of picking the wrong brand of hardware or the wrong virtualization software or implementing tax law changes incorrectly. Outsourcing gathers all of these risks into the single risk of choosing the right vendor.
Summary: Cap financial exposure, improve quality, reduce implementation risk.
• What are some benefits to human labor?
1. Unique problem solving.
2. Create new products.
3. Adaptable to rapidly changing environment.
4. Integrative systems thinking.
5. Question poorly made decision.
6. Prior Experience to predict future events.
7. Ethical decision making (hopefully).
8. Interact well with other humans (i.e. sales).
• What are some benefits to automated labor?
1. No health care expenses.
2. No time off, breaks, sick days, or vacations.
3. No accidents, injuries, workman’s compensation claims.
4. No unions, arguments, complaints, bad attitudes, layoffs, severance packages.
5. No smoke breaks, drinking on the job, sexual harassment, lawsuits.
6. No minimum wage, raises, or paychecks.
7. Work 24 hours a day, 365 days a year.
8. Safer, more accurate, and more consistent work than humans.
What is a business process and how do information systems play a role?
• Definition- 1. A network of activities that generate value by transforming inputs into outputs. 2. A network of activities, repositories, roles, resources, and flows that interact to achieve some business function; sometimes called a business system.
What is a business analyst?
1. A person who understands business strategies, goals, and objectives and who helps businesses develop and manage business processes and information systems. 2. Someone who is well versed in Porter’s models, organizational strategy, and system alignment theory like COBIT (Control Objectives for Information and related Technology), and who also understands technology sufficiently well to communicate with systems analysts and developers.
• What is a systems analyst?
IS professionals who understand both business and technology. They are active throughout the systems development process and play a key role in moving the project from conception to conversion and, ultimately, maintenance. Systems analysts integrate the work of the programmers, testers, and users. Compare with business analyst.
In a business process, collections of activities.
People or information system applications that are assigned to roles in the business process.
A BPMN symbol that documents the movement of data among activities and repositories in a business process.
• What is Brooks’s law?
The adage that states: “Adding more people to a late project makes the project later.” Brooks’s Law is true not only because a larger staff requires increased coordination, but also because new people need to be trained. The only people who can train the new employees are the existing team members, who are thus taken off productive tasks. The costs of training new people can overwhelm the benefit of their contributions. Named after Fred Brooks, author of The Mythical Man-Month.
What is a Gantt chart?
- A timeline graphical chart that shows tasks, dates, dependencies, and possibly resources.
What is the SDLC? Describe each of its main phases.
Systems Development Life Cycle (SDLC)- The classical process used to develop information systems. The basic tasks of systems development are combined into the following phases: system definition, requirements analysis, component design, implementation, and system maintenance (fix or enhance). pg. 463
1. In response to the need for the new system, the organization will assign a few employees, possibly on a part-time basis, to define the new system, assess its feasibility, and plan the project. This differs between small and large organizations depending on management.
The second phase of the SDLC, in which developers conduct user interviews; evaluate existing systems; determine new forms/ reports/ queries; identify new features and functions, including security; and create the data model.
1. Each of the five components is designed in this stage. Typically, the team designs each component by developing alternatives, evaluating each of those alternatives against the requirements, and then selecting from among those alternatives. Accurate requirements are critical here; if they are incomplete or wrong, then they will be poor guidelines for evaluation. For hardware, the team determines specifications for what the system will need. Program design depends on the source of the programs. There’s honestly a lot of shit and I don’t feel like fucking writing more for something that we probably just have to write down as a list on the test. Feel free to read on page 470. I’ve been working on this shit for too long.
1. In the context of the systems development life cycle, the phase following the design phase consisting of tasks to build, test, and convert users to the new system.
1. Maintenance is a misnomer; the work done during this phase is either to fix the system so that it works correctly or to adapt it to changes in requirements.