IT Security & Application Development Flashcards
The difficulty of maintaining the integrity of the data is
The most significant limitation of computer-based audit tools
Limit who can physically enter the data center
Physical access controls
Are designed to protect the organization’s physical information assets.
Environmental controls
Are needed because of the use of communications networks and connections to external systems.
Logical security controls
Connection to the internet presents security issues. Thus, the organization-wide network security policy should at the very least include:
1) A user account management system,
2) Installation of an Internet firewall, and
3) Methods such as encryption to ensure that only the intended user receives the information and that the information is complete and accurate.
The responsibility for creating, maintaining, securing, and restricting access to the database belongs to the
Database administrator (DBA)
The five IT business assurance objectives include:
1) Availability
2) Capability
3) Functionality
4) Protectability, and
5) Accountability
May exploit a known hole or weakness in an application or operating system program to evade security measures.
Malicious software
Types of server attacks:
1) Password attacks
2) Man-in-the-middle attack
3) Denial-of-service (DOS) attack
A brute-force attack uses password-cracking software to try large numbers of letter and number combinations to access a network.
Password attacks
Passwords also may be discovered by Trojan horses, IP spoofing, and packet sniffers.
Takes advantage of networking, packet sniffing, and routing and transport protocols.
Man-in-the-middle attack
Is an attempt to overload a system with false messages so that it cannot function.
Denial-of-service (DOS) attack
Is needed to respond to security breaches if an organization’s computer system has external connections.
Intrusion Detection System (IDS)
Works by using sensors to examine packets traveling on the network.
Network IDS
Internal auditors often assess the organization’s information
Integrity and reliability practices
Is responsible for ensuring that an organization’s privacy framework is in place
Management
Primary role is to ensure that relevant privacy laws and other regulations are being properly communicated to the responsible parties
Internal auditors’
Is a means of taking a user’s identity from the operating system on which the user is working and passing it to an authentication server for verification.
Application authentication
Technology that converts data into a code. A program encodes data prior to transmission, and another program decodes it after transmission. Unauthorized users may still be able to access the data, but they cannot decode the information.
Encryption
Requires two keys, one public and one private. These pairs of keys are issued by a trusted third party called a certificate authority.
Public-key (asymmetric) encryption
Is a means of authentication of an electronic document, for example, a purchase order, acceptance of a contract, or financial information
Digital signature
Is another means of authentication used in e-business. The certificate authority issues a coded electronic certificate that contains the holder’s name, a copy of its public key, a serial number, and an expiration date. The certificate verifies the holder’s identity.
Digital certificate
Is less secure than the public-key method because it requires only a single (secret) key for each pair of parties that want to send each other coded messages.
Private-key encryption
Involves user-created or user-acquired systems that are maintained and operated outside of traditional information systems controls
End-User Computing (EUC)