Chapter 12 review


Simon Fraser University
Business Administration
BUS 237
Kamal Masri

Chapter 12

Q1: What is identity theft and what types of security threats do organizations face?

Identity theft is one of the fastest-growing crimes in Canada because it is relatively easy to do. This kind of theft involves stealing, misrepresenting, or hijacking the identity of another person or business, and provides an effective way to commit other crimes.

Security threats to organizations

There are three sources of security threats: human error and mistakes, malicious human activity, and natural events and disasters.

- Human errors and mistakes include accidental problems caused by both employees and non-employees. Examples: an employee who misunderstands operating procedures and accidentally deletes customer records, or physical accidents such as an employee driving a forklift through the wall of a computer room.
- Malicious human activity includes employees and others who intentionally destroy data or other system components. Examples: hackers who break into a system, virus and worm writers who infect computer systems, and people who send millions of unwanted emails (spam).
- Natural events and disasters include fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions taken to recover from the initial problem.

Five types of security problems are listed: unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure.

Unauthorized data disclosure

Unauthorized data disclosure can occur by human error when someone inadvertently releases data in violation of policy.

PIPEDA: In Canada, this type of disclosure is covered by the Personal Information Protection and Electronic Documents Act (PIPEDA). Personal information is defined under this Act as information about an identifiable individual, but does not include the name, title, business address, or telephone number of an employee of an organization. The Act gives individuals the right to know why an organization collects, uses, or discloses their personal information, so organizations are required to identify why they are collecting information and how they will use it. PIPEDA also requires organizations to identify anyone in the organization who is responsible for keeping personal information private and secure, and allows other individuals to have access to this information, as necessary, to check its accuracy.

The popularity and efficacy of search engines have created another source of inadvertent disclosure. Of course, proprietary and personal data can also be released maliciously:

- Pretexting occurs when someone deceives by pretending to be someone else. Example: a common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of a credit card number.
- Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. Example: the phisher pretends to be a legitimate company and sends an email requesting confidential data.
- Spoofing is another term for someone pretending to be someone else. Example: IP spoofing occurs when an intruder uses another site's IP address as if it were that other site. Email spoofing is a synonym for phishing.
- Sniffing is a technique for intercepting computer communications. Example: drive-by sniffers simply take computers with wireless connections through an area and search for unprotected wireless networks.

Incorrect data modification

Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been incorrectly designed. A final type of incorrect data modification caused by human error includes system errors; an example is the lost-update problem discussed in chapter 5. Hacking occurs when a person gains unauthorized access to a computer system.

Faulty service

Faulty service includes problems that result from incorrect system operation. Faulty service could include incorrect data modification. Examples: humans can inadvertently cause faulty service by making procedural mistakes, and system developers can write programs incorrectly or make errors during the installation of hardware, software programs, and data.

Denial of service

Human error in following procedures, or a lack of procedures, can result in denial of service. For example, an employee can inadvertently shut down a web server or corporate gateway router by starting a computationally intensive application.

Loss of infrastructure

Human accidents can cause loss of infrastructure. Examples are a bulldozer cutting a fibre-optic cable, or a floor polisher crashing into a rack of web servers.

Question: why does the figure not include viruses, worms, and zombies?
Answer: viruses and worms are techniques for causing some of the problems in the figure. They can cause a denial-of-service attack, or they can be used to cause malicious, unauthorized data access or data loss.

Q2: What are the elements of a security program?

A security program has three components: senior management involvement, safeguards of various kinds, and incident response.

Senior management has two critical security functions:
1. Senior management must establish the security policy. This policy sets the stage for the organization's response to security threats.
2. Senior management must manage risk by balancing the costs and benefits of the security program.

Safeguards are protections against security threats. The final component of a security program consists of the organization's planned response to security incidents.

Q3: How can technical safeguards protect against security threats?

Technical safeguards involve the hardware and software components of an information system.

Identification and authentication

Every information system should require some form of authentication. For example, the user name identifies the user (the process of identification), and the password authenticates that user (the process of authentication). Note that authentication methods fall into three categories: what you know (password or PIN), what you have (smart card), and what you are (biometric).

- Smart cards: A smart card is a plastic card that is similar to a credit card. Unlike credit, debit, and ATM cards, which have a magnetic strip, smart cards have a microchip. The microchip, which holds far more data than a magnetic strip, is loaded with identifying data. Users of smart cards are required to enter a personal identification number (PIN) in order to be authenticated.
- Biometric authentication: Biometric authentication uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users. Biometric authentication provides strong authentication, but the required equipment is expensive.
- Single sign-on for multiple systems: Information systems often require multiple sources of authentication. Today's operating systems can authenticate you to networks and other servers.

Encryption and firewalls (see chapter 6)

Malware protection

Malware is viruses, worms, Trojan horses, spyware, and adware.

Spyware and adware: Spyware programs are installed on the user's computer without the user's knowledge or permission. Spyware resides in the background and, unbeknownst to the user, observes the user's actions and keystrokes, monitors computer activity, and reports that activity to sponsoring organizations. Adware is similar to spyware in that it is installed without the user's permission and resides in the background in order to observe user behaviour.

Symptoms of spyware and adware:
- Slow system start-up
- Sluggish system performance
- Many pop-up advertisements
- Suspicious browser homepage changes
- Suspicious changes to the taskbar and other system interfaces
- Unusual hard-disk activity

If these symptoms occur on your computer, you can remove the spyware or adware using anti-malware programs.

Malware safeguards
1. Install antivirus and anti-spyware programs on your computer.
2. Set up your anti-malware programs to scan your computer frequently.
3. Update malware definitions. Malware definitions (patterns that exist in malware code) should be downloaded frequently.
4. Open email at