IS test 3

Description

Flashcards on IS test 3, created by ashleo92 on 11/04/2013.

Resource summary

risk assessment: determines the level of risk to the firm if a specific activity or process is not properly controlled
security policy: ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving these goals
acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment
authorization policies: determine differing levels of user access to information assets
disaster recovery planning: devises plans for restoration of disrupted services
backup: copies of critical systems and data, made on a regular basis
hot site: separate and fully equipped facility where the firm can move immediately after a disaster and resume business
cold site: separate facility without any computer equipment, but a place employees can move to after a disaster
business continuity planning: focuses on restoring business operations after a disaster
MIS audit: examines the firm's overall security environment as well as the controls governing individual information systems
identity management systems: support the organization's security and authorization policies; include business processes and technologies for identifying valid users of systems
authentication: the ability to know that a person is who he or she claims to be; a method of confirming users' identities
authorization: determines what actions, rights, or privileges the user has, based on the verified identity
common types of access controls: user IDs, cognitive passwords, security profiles, tokens/security tokens, smart cards, biometrics, terminal resource security
password: combination of numbers, characters, and symbols that is entered to allow access to a system
passphrase: series of characters that is longer than a password but is still easy to memorize
cognitive password: requires a user to answer a question to verify their identity; commonly used as a form of secondary access
security profile: a unique picture and descriptive phrase chosen by you to verify that you are on a legitimate site
token: a small device that changes user passwords automatically
smart card: a device about the same size as a credit card, containing a chip formatted with access permissions and other data; a reader device interprets the data on the card and allows or denies access
terminal resource security: software feature that erases the screen and signs the user off automatically after a specified length of inactivity
biometrics: systems that read and interpret individual human traits to enhance security measures; the traits are unique to a person and cannot be stolen or lost; may be physical or behavioral
firewall: combination of hardware and software that controls the flow of incoming and outgoing network traffic
intrusion detection systems: monitor hot spots on corporate networks to detect and deter intruders; examine events as they are happening to discover attacks in progress
antivirus and antispyware software: check computers for the presence of malware and can often eliminate it as well
unified threat management (UTM) systems: combination of security tools including firewalls, intrusion detection systems, VPNs, web content filtering, and anti-spam software
encryption: process of encoding messages before they enter the network and then decoding them at the receiving end
two methods of encryption: 1. symmetric key encryption; 2. public key encryption
symmetric key encryption: sender and receiver use a single, shared key
public key encryption: uses two mathematically related keys, a public key and a private key; the sender encrypts the message with the recipient's public key; the recipient decrypts it with the private key
two methods/protocols for encryption on networks: 1. Secure Sockets Layer (SSL); 2. Transport Layer Security (TLS)
TLS: enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session; establishes a secure connection between two computers
S-HTTP (Secure Hypertext Transfer Protocol): is limited to individual messages
digital certificate: data file or electronic document used to establish the identity of users and electronic assets for protection of online transactions; uses a trusted third party, a Certificate Authority (CA), to validate a user's identity
fault-tolerant computer systems: contain redundant hardware, software, and power supply components that create an environment providing continuous, uninterrupted service
high-availability computing: helps recover quickly from a crash; minimizes, but does not eliminate, downtime
DPI (deep packet inspection): sorts out low-priority online material (music and video downloads) while assigning a higher priority to business-critical files and data
cloud computing: accountability and responsibility for privacy and security reside with the cloud user, although the cloud provider is actually doing the hosting ...
mobile computing: devices must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts
software metrics: objective assessments of a system in the form of quantified measurements, such as number of transactions processed per minute, online response time, etc.
walkthrough: review of specification or design documents by a group of qualified people
debugging: process by which errors are discovered and eliminated
WEP: initial security standard for 802.11; its use is optional, and users often fail to use its security features
malware: software written with malicious intent to cause annoyance or damage to a computer system or network
viruses: rogue software programs that attach themselves to other software programs or data files in order to be executed
worms: independent programs that copy themselves from one computer to others over a network; do not have to be attached to a host program
Trojan horse: software program that appears to be benign but then does something other than expected; contains code intended to disrupt a computer, network, or website; the malicious code hides inside a popular program or a program that appears useful
SQL injection attacks: take advantage of vulnerabilities in poorly coded web application software to introduce malicious program code into a company's systems and networks
spyware: software that secretly gathers information about users while they browse the web; can come hidden in free downloads and tracks online movements, mines the information stored on a computer, or uses the computer's
keyloggers: monitor and record keystrokes and mouse clicks
spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; may involve forging the return address of an e-mail so it appears to be from someone else
sniffer: type of eavesdropping program that monitors information traveling over a network; software used to capture and record network traffic
DoS (denial of service) attacks: flood a network server or web server with thousands of false service requests to crash the network
DDoS (distributed denial of service) attack: hundreds of thousands of computers work together to bombard a website with thousands of requests for information in a short period
botnets: networks of "zombie" PCs infiltrated by bot malware
phishing: a high-tech scam in which an e-mail requests the update or confirmation of sensitive personal information by masquerading as a legitimate request/website
pharming: a type of phishing technique that redirects users to a bogus web page, even when an individual types the correct web page address into his or her browser
evil twins: a type of phishing technique using wireless networks that pretend to offer trustworthy Wi-Fi connections to the internet
insiders: legitimate users who purposely or accidentally misuse their access to information or resources and cause some kind of business-affecting event
hackers: people very knowledgeable about computers who use their skill to gain unauthorized access to a computer system
patches: small pieces of software released by a software vendor to repair flaws
Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data
Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
computer forensics: scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
general controls: govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure
application controls: specific controls unique to each computerized application, such as payroll or order processing; include input controls, processing controls, and output controls
security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards
computer crime/fraud: "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
identity theft: a crime in which an imposter obtains key pieces of personal information to impersonate someone else; the forging of someone's identity for the purpose of fraud
click fraud: occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
why systems are vulnerable: hardware problems; software problems; disasters; user error or unauthorized access; use of networks and computers outside of the firm's control
hardware problems: breakdowns, configuration errors, damage from improper use or crime, theft of devices
software problems: programming errors, installation errors, unauthorized changes
disasters: power failures, floods, fires, others...
war driving: eavesdroppers drive by buildings and try to intercept network traffic
rogue access point: an access point on a different channel in a close physical location that forces a user's radio network interface controller to associate with the rogue access point instead of the official one