TEST REVIEW OUTLINE – Test #4
Chapter 10 – Information Systems Security
Threat, Vulnerability, Safeguard, Target*
- Threat – A person or organization that seeks to obtain or alter data or other IS assets illegally,
without the owner’s permission or knowledge.
- Vulnerability – An opportunity for threats to gain access to individual or organizational assets.
Some vulnerabilities exist because there are no safeguards or the existing safeguards are
- Safeguard – Any action, device, procedure, technique, or other measure that reduces a system’s
vulnerability to a threat.
- Target – The asset that is desired by a security threat.
Three sources of security threats*
- Human error, computer crime, natural events and disasters.
Five types of security loss*
- Unauthorized data disclosure
- Incorrect data modification
- Faulty service
- Denial of service (DoS)
- Loss of infrastructure
Pretexting, Phishing, Spoofing (IP and Email), Sniffing, War-drivers, Hacking, Usurpation*
- Pretexting – Deceiving someone over the internet by pretending to be another person or
- Phishing – A technique for obtaining unauthorized data that uses pretexting via email. The
phisher pretends to be a legitimate company and sends an email requesting confidential
- Spoofing – Another term for pretending to be someone else.
o IP Spoofing – A type of spoofing where an intruder uses another site's IP address as if it
were that other site.
o Email Spoofing – A synonym for phishing.
- Sniffing – A technique for intercepting computer communication. With wired connections,
sniffing requires a physical connection to the network. With wireless connections no such
connection is required.
- War-drivers – People who use computers with wireless connections to search for computers
with unprotected wireless networks.
- Hacking – A form of computer crime in which a person gains unauthorized access to a computer
system. Although some people hack for the sheer joy of it, others do it to try and steal or modify
data.
- Usurpation – Occurs when unauthorized programs invade a computer system and replace
legitimate programs. Such unauthorized programs typically shut down the legitimate system
and replace it with their own processing to spy, steal, or manipulate data.
Denial of Service attacks*
- Security problem in which users are not able to access information in an information system;
can be caused by human errors, natural disaster, or malicious activity.
Advanced Persistent Threat (APT)
- A sophisticated, possibly long running computer hack that is perpetrated by large, well-funded
organizations like governments. APTs are a means to engage in cyber warfare.
List of personal security threat responses (Figure 10-7)
Intrusion Detection System (IDS)*
- A computer program that senses when another computer is attempting to scan the disc or
otherwise access a computer.
Brute Force Attack*
- A password-cracking program that tries every possible combination of characters.
Three types of Security Safeguards – Technical Safeguards, Data Safeguards, Human Safeguards*
- Technical Safeguards – Involve the software and hardware components of an information
- Data Safeguards – Involve the data component.
- Human Safeguards – Involve the human component.
Identification and Authentication
- Identification – The process whereby an information system identifies a user by requiring the
user to sign in with a username and password.
- Authentication – The process whereby a system verifies or validates a user.
- Plastic cards similar to credit cards that have microchips. The microchip, which holds a lot more
data than a magnetic strip, is loaded with identifying data. Usually requires a PIN.
- The use of personal physical characteristics, such as fingerprints, facial features, and retinal
scans, to authenticate users.
Single Sign-on
- When one authentication logs you in to multiple things to avoid having to do several different
Encryption, Encryption Key, Key Escrow*
- Encryption – The process of transforming clear text into coded, unintelligible text for secure
storage or communication.
- Encryption Key – A number used to encrypt data or “unlock” data that needs to be decrypted.
- Key Escrow – A control procedure where a trusted party is given a copy of a key used to encrypt
Symmetric vs. Asymmetric Encryption; Public Key Encryption*
- Symmetric Encryption – An encryption method whereby the same key is used to code and
decode the message.
- Asymmetric Encryption – An encryption method whereby two different keys are used to code
and decode the message. One key encodes and one key decodes.
- Public Key Encryption – A special version of asymmetric encryption that is popular on the
internet. With this method each site has a public key for encoding them and a private key for
Firewall – Perimeter and Internal*
- Firewall – A computing device that prevents unauthorized access.
- Perimeter Firewall – A firewall that sits outside the organizational network; it is the first device
that Internet traffic encounters.
- Internal Firewall – Firewalls that sit inside the organizational network.
- A firewall that examines each packet and determines whether to let the packet pass. To make
this decision, it examines the source address, the destination addresses, and other data.
Malware, Virus, Payload, Worm, Spyware, Key Loggers*
- Malware – A broad category of software that includes viruses, spyware, and adware.
- Virus – A computer program that replicates itself.
- Payload – The program code of a virus that causes unwanted or harmful actions, such as
deleting programs or data, or even worse, modifying data in ways that are undetected by the
- Worm – A virus that propagates itself using the Internet or some other computer network.
Worm code is written to infect another computer as quickly as possible.
- Spyware – Programs installed on the user’s computer without their knowledge or permission
that reside in the background and, unknown to the user, observe the user’s actions and
keystrokes, modify computer activity, and report the user’s activities to sponsoring
- Key Loggers – Malicious spyware that captures keystrokes without the user’s knowledge. Used
to steal usernames, passwords, account numbers, and other sensitive data.
Malware definitions
- Patterns that exist in Malware code. Antimalware vendors update these definitions continuously
and incorporate them into their products to better fight against malware.
SQL Injection Attack*
- The situation that occurs when a user obtains unauthorized access to data by entering a SQL
statement into a form in which one is supposed to enter a name or other data. If the program is
improperly designed, it will accept this statement and make it part of the SQL command that it
issues to the DBMS.
Data Administration; Database Administration
- Data Administration – An organization-wide function that develops and enforces data policies
- Database Administration – A person or department that develops procedures and practices to
ensure efficient and orderly multiuser processing of the database, to control changes to the
database structure, and to protect the database.
Hardening of Sites*
- Taking extraordinary measures to reduce a system’s vulnerability.
- False targets for computer criminals to attack. To an intruder, a honeypot looks like a
particularly valuable resource, such as an unprotected website, but in actuality the only site
content is a program that determines the attacker's IP address.
Lists of Technical, Data and Human Safeguards (Figures 10-8, 10-9, 10-13, 10-14)
Key factors in Security Incident Response Plan (Figure 10-17)
Chapter Extension 14 – Data Breaches
- Happens when an unauthorized person views, alters, or steals secured data.
List of direct costs for handling a data breach*
- Notification, detection, escalation, remediation, and legal fees/consultation.
Description of how hackers make money – Personally Identifiable Information (PII), Carding*
- PII – Information that can be used to identify a person.
- Carding – Validation where a small charge is placed on a stolen credit card to ensure it is
Attack Vectors, Exploit*
- Attack Vectors – Ways of attacking a target.
- Exploit – Software used to take advantage of a newly discovered vulnerability in a target’s
application or operating system.
- A targeted phishing attack.
Three guidelines for responding to a data breach
- Respond quickly
- Plan for a data breach
- Be honest about the breach.
- Illegally transferring data out of the organization.
Business Continuity Planning
- A planning session that discusses how to return the organization to normal operations as quickly
as possible following a data breach.
Computer Security Incident Response Team (CSIRT)
- A team consisting of staff from the legal and public relations departments as well as executives
and systems administrators.
Best Practices for Notifying Users of a Data Breach (Figure CE 14-3)
Payment Card Industry Data Security Standards (PCI DSS) (Figure CE 14-4)*
Ways to prevent Data Loss (Figure CE 14-5)
Network Intrusion Detection System (NIDS), Data Loss Prevention Systems (DLP)*
- NIDS – An intrusion detection system that examines traffic passing within a network to identify
- DLP – A system designed to prevent sensitive data from being released to unauthorized persons.
Chapter 11 – Information Systems Management
Five functions of Information Systems Departments*
- Plan use of IS to accomplish organizational goals and strategy
- Manage outsourcing relationships
- Protect information assets
- Develop, operate, and maintain the organization’s computing infrastructure
- Develop, operate, and maintain applications
CIO, CTO, CSO/CISO*
- Chief Information Officer (CIO) – The title of the principal manager of the IS department.
- Chief Technology Officer (CTO) – The head of the technology group. The CTO filters new ideas
and products to identify those that are most relevant to the organization.
- Chief Security Officer (CSO) – The title of the person who manages security for all of the
organization's assets: physical plant and equipment, employees, intellectual property, and
digital.
- Chief Information Security Officer (CISO) – The title of the person who manages security for the
organization's information systems and information.
Functions of the IT support organization units – Technology, Operations, Development, Outsourcing
Relations, Security, Data Administration*
IT job position descriptions (Figure 11-2)*
Ways Organizations plan for the use of IS (Figure 11-3)
- A group of senior managers from a company’s major business functions that work with the CIO
to set the IS priorities and decide among major IS projects and alternatives.
- The process of hiring another organization to perform a service. Outsourcing is done to save
time, money, and to gain expertise.
Advantages and Risks of Outsourcing (Figures 11-4 and 11-6)*
Outsourcing alternatives (Figure 11-5)
Lists of IT Department user rights and responsibilities (Figure 11-7)*
Chapter Extension 15 – International MIS
Impact of the global economy on the competitive environment (industry fo