Class Notes (835,638)
Canada (509,305)
BUS 237 (106)
Lecture

BUS237 - Chp 12 Summary.pdf

9 Pages
102 Views
Unlock Document

Department
Business Administration
Course
BUS 237
Professor
Kamal Masri
Semester
Winter

Description
Chapter 12 Summary Managing Information Security and Privacy Q1: What is identity theft, and what can I do about it? Identity theft – vital info such as person’s name, address, date of birth, SIN, mother’s maiden name usually need to be acquired in order to complete impersonation • Identity theft one of fastest-growing crimes in Canada • Involves stealing, misrepresenting, or hijacking identity of another person/business Security Threats to Organizations Security threats – Problem w/ security of info or data therein, caused by human error, malicious activity, or natural disasters Three sources of security threats: 1. Human error and mistakes o Include accidental problems caused by employees / non-employees o Example: When employee misunderstands operating procedures and accidentally deletes customer records 2. Malicious human activity o Includes employees and others who intentionally destroy data or other system components o Also includes hackers who break into a system virus and worm writers who infect computer systems, and people who send millions of unwanted emails (spam) Spam – 3. Natural events and disasters o Includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, etc. o Problem: not only initial loss of capability and service, but also losses from actions to rover initial problem Threats by Type of Problem and Source: Source Human Error Malicious Activity Natural Disasters Unauthorized Procedural mistakes Pretexting Disclosure during data Phishing recovery disclosure Spoofing Sniffing Computer crime Incorrect data Procedural mistakes Hacking Incorrect data modification Incorrect Computer crime recovery procedures Ineffective Problem accounting controls System errors Faulty service Procedural mistakes Computer crime Service improperly Development and Usurpation restored installation errors Denial of Accidents DOS attacks Service interruption service Loss of Accidents Theft Property loss infrastructure Terrorist activity Protecting Yourself from Identity Theft (page 355) • List of simple things to do to limit risk of identity theft (from www.safecanada.ca): • Ask why our info is needed and how will the person use it • Buy a shedder and use it – shred all personal and financial info • Carry only ID and credit card(s) that you will need that day – no need to carry birth certificate, SIN card, health card, or passport • Cut up expired and unused credit cards • Don’t fill in forms for contests, rebates, or draws that ask for more info than you’re prepared to give • Use complex passwords • Don’t give personal info to anyone who phones/emails unless you know who they are • Destroy your old vehicle registration certificate when you get a new one PIPEDA Unauthorized Data Disclosure Unauthorized data disclosure – can occur by human error when someone inadvertently releases data in violation of policy Personal Information Protection and Electronic Documents Act (PIPEDA) – Canadian, gives individuals right to know why an organization collects, uses, or discloses personal info • Search engines also another source of inadvertent disclosure • Proprietary and personal data can be released maliciously Pretexting – Technique for gathering unauthorized info where someone pretends to be someone else; common scam involves telephone caller who pretends to be a credit card company Phishing – Also a form of pretexting; Technique for obtaining unauthorized data using pretexting via email; Phisher pretends to be legit company & sends email requesting confidential info Spoofing – When someone pretends to be someone else w/ intent of obtaining unauthorized Email spoofing – Synonym for phishing IP spoofing – Type of spoofing whereby intruder uses another site’s IP address for identity Sniffing – Technique for intercepting comp communications; requires physical connection to network with wired networks & no connection required with wireless networks Drive-by sniffers – People who take comps w/ wireless connections through an area and search for unprotected wireless networks in attempt to gain Internet access or to gather unauthorized data Incorrect Data Modification • Examples include incorrectly increasing customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus • Incorrect data can occur through human error when employees follow procedures incorrectly or when procures haven’t been correctly designed • Companies should ensure separation of duties and authorities and have multiple checks and balances in place • System errors also occur – i.e. lost-updated problem Hacking – occurs when a person gains unauthorized access to a computer system Faulty Service • Includes problems resulting because of incorrect system operation • Includes incorrect data modification, sending wrong goods to customer or ordered goods to wrong customer, incorrectly billing customers, sending wrong info to employees • Humans an cause fault service by making procedural mistakes • System developers can write programs incorrectly or make errors during installation, etc. Denial of Service Denial of service (DOS) – result of human error I following procedures or lack of procedures • Example: employees shutting down webs server or corporate gateway router by starting a computationally intensive app • DOS attacks often launched maliciously • Computer worms infiltrate a network w/ so much artificial traffic that system fails, resulting in DOS Loss of Infrastructure • Human examples can cause loss of infrastructure – i.e. bulldozer cutting fiber-topic cables • Theft and terrorist events also cause loss of infrastructure Q2: What are the elements of a security program? • Organizations must address security in a systematic way Security program has 3 components: 1. Senior management involvement o Has 2 critical security functions: o Must establish security policy o Mange risk by balancing costs and benefits of security program 2. Safeguards of various kinds o Safeguards = protection against security threats Hardware Software Data Procedure People Technical Safeguards Data Safeguards Human Safeguards • Identification and • Data rights and • Hiring authentication responsibilities • Training • Encryption • Passwords • Education • Firewalls • Encryption • Procedure design • Malware protection • Backup and • Administration • Application design recovery • Assessment • Physical • Compliance security • Accountability 3. Incident response o Discussed in Q7 Q3: How can technical safeguards protect against security threats? Technical safeguards - involve hardware and software components of an IS Identification and Authentication • Every IS should require some form of authentication Identification – Process whereby IS identifies user by requiring user to sign on w/ username & password Authentication – Process whereby an IS approves (authenticates) user by checking user’s password • Passwords have weaknesses such as o Users tend to be careless in their use o Users tend to be free in sharing passwords with others o Many servers choose ineffective, simple passwords • Intrusion systems can very effectively guess these easy passwords Smart Cards Smart card – plastic card that is similar to credit card, but has a microchip, which holds more data than a magnetic strip and is loaded with identifying data – users authenticate by entering PIN Personal identification number (PIN) – Form of authentication whereby user supplies number that only he/she knows Biometric Authentication Biometric authentication – uses personal physical characteristics (fingerprints, facial features, retinal scans) to authenticate users • Provides strong authentication • Required equipment is expensive • Users resist because usually feel it is invasive Single Sign-On for Multiple Systems • IS often require multiple sources of authentication • Today’s OS can authenticate to networks and other services • Example: SFU’s email, SIS system, WebCT, library system, etc. all use same user ID/pass Encryption and Firewalls • Refer to chapter 6 for firewalls and encryptions (VPN) Malware Protection Malware – viruses, worms, Trojan horses, spyware, and adware Spyware and Adware Spyware – programs installed on the user’s computer w/out the user’s knowledge or permission • Spyware resides in background and observes user’s actions/keystrokes, monitors computer activity, and reports activity to sponsoring organizations • Some spyware captures keystrokes to do identity theft Adware – similar to spyware b/c it’s installed w/out user’s permission and resides in background in order to observe user behaviour, but is more benign because does not perform malicious acts or steal data • Adware watches user activity and produces pop-up ads • Can also change user’s default window or modify search results • Can switch user’s search engine • Most part, is simply annoyin
More Less

Related notes for BUS 237

Log In


OR

Join OneClass

Access over 10 million pages of study
documents for 1.3 million courses.

Sign up

Join to view


OR

By registering, I agree to the Terms and Privacy Policies
Already have an account?
Just a few more details

So we can recommend you notes for your school.

Reset Password

Please enter below the email address you registered with and we will send you a link to reset your password.

Add your courses

Get notes from the top students in your class.


Submit