
Chapter 12

imissyou419's version from 2017-04-20 00:52

Identity theft: fastest growing crime; stealing, misrepresenting, or hijacking the identity of another person; vital information (name, address, date of birth, SIN) is acquired to complete the impersonation; with this information, the identity thief takes over the victim's financial accounts, opens new bank accounts, transfers bank balances, and applies for loans, credit cards, and other services

Security threat, 3 sources: human error, malicious activity, natural disasters

Security threat, 5 problems: unauthorized data disclosure, incorrect data modifications, faulty service, denial of service, loss of infrastructure

Malware: short for malicious software; software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems; malware includes computer viruses (a computer program that replicates itself), ransomware, worms (a virus that propagates using the Internet or other computer networks), trojan horses (viruses that masquerade as useful programs or files), keyloggers, spyware, adware

Spyware: software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge; spyware is classified into 4 types: system monitors, trojans, adware, tracking cookies; the program observes the user's actions and keystrokes and monitors computer activity; it reports activity to a sponsoring organization (market analyses, websites visited, products examined and purchased); malicious spyware is used to obtain names, passwords, account numbers, and other sensitive information

Adware: advertising-supported software; any software package which automatically renders advertisements in order to generate revenue for its author; the advertisements may be in the user interface of the software or on a screen presented to the user during the installation process; the function may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the type of goods or services featured there; similar to spyware but typically not malicious; watches user activity, produces pop-up ads; not illegal, but many find it objectionable; can modify defaults (Windows, search results, search engines)

Source of security threat, human errors and mistakes: accidental problems, poorly written programs, poorly designed procedures, physical accidents

Source of security threat, malicious human activity: intentional destruction of data, destroying system components; hackers, virus and worm writers, criminals, terrorists

Source of security threat, natural events and disasters: fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornadoes; initial loss of capability; loss from recovery actions

What does PIPEDA stand for?: Personal Information Protection and Electronic Documents Act

Personal information defined under PIPEDA: information about an identifiable individual; not including the name, title, business address, or telephone number of an employee of an organization

PIPEDA purpose: gives individuals the right to know why an organization collects, uses, or discloses their personal information; requires organizations to identify anyone who is responsible for keeping personal information private and secure

PIPEDA, unauthorized data disclosure x human error: posting private information in public places, placing restricted information on searchable Web sites, inadvertent disclosure

PIPEDA, unauthorized data disclosure x malicious release: pretexting, phishing, spoofing, sniffing

Pretexting: someone pretending to be someone else; e.g. a credit card call

Phishing: obtaining unauthorized data using pretexting (pretending to be someone else) via email, e.g. for bank information

Phishing procedure: create a replica of an existing web page to fool a user into submitting personal, financial, or password data; an email that appears to be from a legitimate company is sent to direct you to the website; you are advised that information or a security check is needed on your account, and advised to click on a link to the company's website to provide the information; the link connects to a website that is an imitation of the spoofed company's actual website; these counterfeit websites and emails appear very authentic

Phishing for credit card accounts: usually initiated by an email request (designed to cause you to click; asks for personal data; may install spyware, malware, adware); defenses: know your purchases and deal directly with vendors, note the implausibility of the email, don't be misled by legitimate-looking graphics and addresses

Sniffing: interception of computer communications; wired network (requires a physical connection); wireless network (access gained through an unprotected network, "drive-by"); packet sniffers (programs that capture data from information packets as they travel over the Internet or company networks; confidential information is taken from the captured data)

Malicious release, breaking into networks: stealing data (customer lists, product information, employee information, other confidential data)

Incorrect data modifications x human error: incorrect entries and information, procedure problems, system errors

Faulty service: incorrect system operation; usurpation (taking someone else's property by force); systems that work incorrectly by sending the wrong goods to customers or ordered goods to the wrong customers, incorrectly billing customers, or sending wrong information to employees

Hacking (incorrect data modifications x malicious human activity): unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network; most hackers break into systems using known flaws in the operating system, application programs, or access controls; some are simply motivated by curiosity and a desire to overcome a challenge, while some have malicious intent and do damage

Denial of service (DoS): human error, denial-of-service attacks, service interruptions

Loss of infrastructure: accidental, theft, terrorism, natural disasters

Denial of service, how: force the victim's computers to reset or consume their resources such that they can no longer provide their intended service; obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately; e.g. overloading and shutting down an ISP's email system by sending email "bombs" at a rate of thousands per second, often from randomly generated email addresses; shutting down a web server by sending a load of requests for web pages; in both cases, system performance degrades until the system freezes up or crashes

Elements of a security program: senior management involvement (must establish a security policy, manage risks by balancing costs and benefits), safeguards (protections against security threats), incident response (must be planned for prior to incidents)

Technical safeguards: hardware and software; identification and authorization, encryption, firewalls, malware protection, design for secure applications

Data safeguards: data; data rights and responsibilities, passwords, encryption, backup and recovery, physical security

Human safeguards: procedures and people; hiring, training, education, procedure design, administration, assessment, compliance, accountability

Effective security requires: balanced attention to all 5 components of IS

Technical safeguard, identification and authorization: user names and passwords/PIN (identification and authorization): what you know; smart cards: what you have; biometric authorization: what you are; single sign-on

Effective passwords: satisfy a number of requirements: length, multiple character types, randomness, changed frequently, secret; deficiencies increase security threats

Smart cards: normally the size of a credit card; a magnetic strip or microchip contains identification information; can be used with a Personal Identification Number (PIN) to be more effective

Biometric authorization: authenticates with physical characteristics: fingerprints, facial scans, retina scans

Single sign-on: the system provides a single authentication (rather than the typical multiple levels of authentication: personal computer, LAN, database)

Spyware: programs installed on the user's computer without the user's knowledge; the program observes user actions and keystrokes and monitors computer activity; reports activity to a sponsoring organization (marketing analyses, websites visited, products examined and purchased); malicious spyware is used to obtain names, passwords, account information, and other sensitive information

Spyware and adware symptoms: slow system start-up, sluggish system performance, many pop-up ads, suspicious browser homepage changes, suspicious changes to the taskbar and other system interfaces, unusual hard-disk activity

Malware safeguards, antivirus and antispyware: scan your system frequently (once a week, automatically), update software definitions (install as they become available), never open an email attachment from an unknown source, install software updates/patches from proper sources, browse only reputable Internet sites

Data safeguards: define data policies, data rights and responsibilities; rights enforced by user accounts authenticated by passwords; data encryption; backup and recovery procedures; physical security; encryption keys (key escrow); backup copies (store off-premise, check validity); physical security (lock and control access to the facility, maintain an entry log); third-party contracts (safeguards are written into contracts, right to inspect premises and interview personnel)

Data administration: organization-wide function; develops data policies (sharing of data, not sharing of data, enforcing data standards)

Database administration: specific database function; procedures for multi-user processing, control of changes to database structure, protection of the database

Database and database administration: establish user data (rights, responsibilities), enforce rights (user accounts and passwords)

Encryption: protection for sensitive data; key escrow (safety procedure: a trusted party holds the encryption key)

Backup copies: store off-premise, check validity, ensure effective recovery procedures exist

Physical security: lock and control access to the facility, maintain an entry log

Third-party contracts: safeguards must be part of the contract; periodically inspect premises and interview personnel

Human safeguards: involve the people and procedure components of information systems; user access restriction requires authentication and account management; design appropriate security procedures; security considerations for employees and non-employee personnel

Human safeguards for employees: position definition, hiring and screening, dissemination and enforcement, termination

Human safeguards for non-employees (temporary personnel and vendors): screen personnel, training and compliance, contract should include specific security terms, provide accounts and passwords with the least privileges

Spoofing: someone pretending to be someone else; IP spoofing occurs when an intruder uses another site's IP address as if it were that site

Key escrow: an arrangement in which the keys needed to decrypt encrypted data are held in escrow (an arrangement between parties) to allow third-party access to those keys

Hardening: taking extraordinary measures to reduce a system's vulnerability

Primary system procedures: normal operations, backup, recovery

Hot sites: remote processing centres run by commercial disaster-recovery services (they provide all necessary equipment after a disaster on a monthly basis for a fee)

Cold sites: provide office space, but the customers provide and install all necessary equipment to continue operations