BUS 237 Chapter Notes - Chapter 12: Email Spoofing, Personal Information Protection And Electronic Documents Act, Adware
15 Aug 2016

Ch. 12 – Managing Information Security and Privacy
Q1: What is identity theft?
- identity theft = vital info of person used to facilitate impersonation
involves stealing, misrepresenting, hijacking identity of another person/business & provides effective
way to commit other crimes
Q2: What is PIPEDA?
- PIPEDA = Personal Info Protection & Electronic Documents Act
balances indiv’s right to privacy of his/her personal info against orgs’ need to collect, use & share
personal info for business purposes
- every business professional needs to be aware of PIPEDA b/c it governs how data are collected & used
- one of most critical elements of PIPEDA is principle that indivs have right to know what type of info an org
collects about them & also how that info is going to be used
- PIPEDA creates some protection of personal privacy
- orgs must protect info they collect
PIPEDA provides indiv right to know who in org is responsible for securing info
- orgs must collect info fairly
Q3: What types of security threats do organizations face?
- 3 sources of security threats:
1) human errors 2) malicious human activity 3) natural events & disasters
- human errors & mistakes: accidental problems caused by both employees & others outside org
- malicious human activity: employees & others who intentionally destroy data/other sys components
incl. hackers
- natural events & disasters: fires, floods, hurricanes, earthquakes, etc
problems incl initial loss of capability & service and also losses stemming from actions to recover from
initial problem
- 5 types of security problems
1) unauthorized data disclosure
2) incorrect data modification
3) faulty service
4) denial of service
5) loss of infrastructure
- unauthorized data disclosure: can occur by human error when someone inadvertently releases data in violation
of policy
popularity & efficacy of search engines create another source of inadvertent disclosure
- pretexting = someone deceives by pretending to be someone else
telephone caller pretending to be from a credit card company
- phishing = pretexting done via email, ie. email spoofing
send email requesting confidential data
- spoofing = someone pretending to be someone else
- IP spoofing = intruder uses another site’s IP address as if it were that other site
- sniffing = technique for intercepting computer communications
w/ wired networks, sniffing requires physical connection to network
- drive-by sniffing = no connection required w/ wireless networks
take computers w wireless connections thru area & search for unprotected wireless networks
can monitor & intercept wireless traffic at will
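As an added example (not from the course notes), the pretexting/phishing point above can be turned into a simple triage check: parse a raw email with Python’s standard `email` package and flag two common signs of a spoofed sender. The sample messages, addresses and domains below are constructed for the demo, and the two heuristics are assumptions about what a reviewer would want flagged, not proof of spoofing.

```python
"""Flag emails whose visible sender disagrees with the real sender.

Added example, not from the course notes. It parses a raw message with
Python's standard `email` package and applies two triage heuristics:
  1. the From: display name contains an address at a different domain
     than the actual From: address
  2. the From: domain differs from the Return-Path (envelope sender) domain
Neither proves spoofing; they surface messages for a human to review.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Matches the domain of any address-looking token inside a display name.
DOMAIN_IN_NAME = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def domain_of(address: str) -> str:
    """Lower-cased domain of a bare or angle-bracketed address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_indicators(raw: bytes) -> List[str]:
    """Return human-readable indicators for the message (empty = none found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []

    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["missing or unparsable From header"]
    sender = from_header.addresses[0]
    from_domain = sender.domain.lower()

    # Heuristic 1: display name impersonates an address at another domain.
    for claimed in DOMAIN_IN_NAME.findall(sender.display_name):
        if claimed.lower() != from_domain:
            indicators.append(
                f"display name claims {claimed} but address is @{from_domain}")

    # Heuristic 2: envelope sender (Return-Path) does not match From.
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    if return_path_domain and return_path_domain != from_domain:
        indicators.append(
            f"Return-Path domain {return_path_domain} != From domain {from_domain}")
    return indicators


# Constructed sample messages for the demo (not real mail).
SUSPICIOUS = b"""Return-Path: <bounce@bulk-sender.example>
From: "support@bank.example" <alerts@mailer.other.example>
To: customer@example.com
Subject: Confirm your account details

Please reply with your account details to keep your access active.
"""

LEGITIMATE = b"""Return-Path: <no-reply@bank.example>
From: "Bank Alerts" <no-reply@bank.example>
To: customer@example.com
Subject: Your statement is available

Your monthly statement is ready in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

Both checks are cheap header comparisons; in practice they sit alongside SPF/DKIM/DMARC results rather than replacing them.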
- incorrect data modification: incorrectly increasing customer’s discount, incorrectly modifying employee’s
salary, etc
can occur thru human error
companies should ensure separation of duties & authorities & have multiple checks & balances in place
can also occur thru system errors (eg. lost-update problem)
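As an added example (not from the course notes), the lost-update problem mentioned above, scripted step by step in Python so the outcome is deterministic, beside a version-check fix that acts as the kind of automatic check the notes call for. The `Row` record, balances and retry policy are constructed for the demo.

```python
"""Lost-update problem and a version-check fix.

Added example, not from the course notes. Two 'transactions' each read a
customer's balance, add to it, and write it back. Without a concurrency
check the second write silently discards the first (a lost update); with
a row version number the stale write is rejected and retried from a fresh
read, so both updates survive. The interleaving is scripted step by step
so the outcome is deterministic rather than left to thread timing.
"""
from dataclasses import dataclass


@dataclass
class Row:
    balance: int
    version: int = 0   # bumped on every successful write


class StaleWrite(Exception):
    """Raised when a write is based on a read that is no longer current."""


def unchecked_interleaving(row: Row, a: int, b: int) -> int:
    """T1 and T2 both read, then both write, with no check. Returns final balance."""
    read_a = row.balance            # T1 reads
    read_b = row.balance            # T2 reads the same value
    row.balance = read_a + a        # T1 writes
    row.balance = read_b + b        # T2 writes, overwriting T1's update
    return row.balance


def versioned_write(row: Row, expected_version: int, new_balance: int) -> None:
    """Compare-and-set: write only if the row is still at the version we read."""
    if row.version != expected_version:
        raise StaleWrite(f"row at version {row.version}, expected {expected_version}")
    row.balance = new_balance
    row.version += 1


def add_with_retry(row: Row, delta: int, stale_read=None, max_attempts: int = 3) -> int:
    """Read-modify-write that retries from a fresh read after a StaleWrite.

    `stale_read` lets the demo inject a (balance, version) pair captured
    before another transaction committed.
    """
    read = stale_read
    for _ in range(max_attempts):
        if read is None:
            read = (row.balance, row.version)
        balance, version = read
        try:
            versioned_write(row, version, balance + delta)
            return row.balance
        except StaleWrite:
            read = None     # discard the stale snapshot and re-read
    raise RuntimeError("gave up after repeated conflicts")


def checked_interleaving(row: Row, a: int, b: int) -> int:
    """Same interleaving as above, but every write carries its read version."""
    snapshot_b = (row.balance, row.version)   # T2 reads first...
    add_with_retry(row, a)                    # ...then T1 reads and commits
    return add_with_retry(row, b, stale_read=snapshot_b)  # T2's write is stale, retries


if __name__ == "__main__":
    print("unchecked:", unchecked_interleaving(Row(100), 10, 5))   # 105: the +10 is lost
    print("checked:  ", checked_interleaving(Row(100), 10, 5))     # 115: both applied
```

Real databases provide the same protection through row locks or optimistic concurrency (a version or timestamp column); the point is that the check is enforced by the system, not by hoping the two writers never overlap.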
find more resources at oneclass.com

- hacking = person gains unauthorized access to a computer system
- faulty service: problems that result b/c of incorrect system operation
- denial of service: results from human error in following procedures/lack of procedures
employees can inadvertently shut down web server by starting computationally intensive app
OLAP app using operational DBMS can consume so many DBMS resources that order-entry transactions
cannot get thru
denial-of-service attacks: mostly malicious, eg. so many bogus service requests occupy server that it
cannot service legitimate requests
can be from natural disasters causing sys to fail
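As an added example (not from the course notes), one standard control for the “too many bogus requests” case above: a per-client token-bucket rate limiter. The client addresses, traffic pattern, refill rate and bucket size are constructed for the demo; timestamps are passed in explicitly so the run is deterministic.

```python
"""Per-client token-bucket rate limiter, a basic denial-of-service control.

Added example, not from the course notes. Each client gets a bucket that
refills at `rate` tokens per second up to `capacity`; a request is served
only if a token is available, so a flood from one source drains that
source's own bucket instead of the whole server. Request timestamps are
passed in explicitly (not read from the clock) so the demo is deterministic.
"""
from typing import Dict, Iterable, Tuple


class TokenBucketLimiter:
    def __init__(self, rate: float, capacity: int):
        self.rate = rate              # tokens added per second
        self.capacity = capacity      # burst size
        self._tokens: Dict[str, float] = {}
        self._last_seen: Dict[str, float] = {}

    def allow(self, client: str, now: float) -> bool:
        """Serve one request for `client` at time `now` if a token is available."""
        tokens = self._tokens.get(client, float(self.capacity))
        elapsed = now - self._last_seen.get(client, now)
        tokens = min(self.capacity, tokens + elapsed * self.rate)  # refill
        self._last_seen[client] = now
        if tokens >= 1.0:
            self._tokens[client] = tokens - 1.0
            return True
        self._tokens[client] = tokens
        return False


def simulate(limiter: TokenBucketLimiter,
             requests: Iterable[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Replay (timestamp, client) pairs in time order; return {client: (served, dropped)}."""
    served: Dict[str, int] = {}
    dropped: Dict[str, int] = {}
    for ts, client in sorted(requests, key=lambda r: r[0]):
        if limiter.allow(client, ts):
            served[client] = served.get(client, 0) + 1
        else:
            dropped[client] = dropped.get(client, 0) + 1
    clients = set(served) | set(dropped)
    return {c: (served.get(c, 0), dropped.get(c, 0)) for c in clients}


# Constructed traffic: one source fires 20 requests in the same instant while
# a normal client sends one request per second.
FLOOD = [(0.0, "10.0.0.99")] * 20
NORMAL = [(0.0, "10.0.0.7"), (1.0, "10.0.0.7"), (2.0, "10.0.0.7")]


def demo() -> Dict[str, Tuple[int, int]]:
    limiter = TokenBucketLimiter(rate=1.0, capacity=5)
    return simulate(limiter, FLOOD + NORMAL)


if __name__ == "__main__":
    for client, (ok, rejected) in sorted(demo().items()):
        print(f"{client}: served={ok} dropped={rejected}")
```

Keying the bucket on the client address is the simplest choice; a distributed flood needs coarser keys (subnet, API key) and upstream filtering, which this per-process limiter cannot provide.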
- loss of infrastructure: caused by human error (bulldozer cutting cables), theft & terrorism, natural disaster (fire
can destroy data centres)
- 3 components of security program:
1) senior management involvement
2) safeguards of various kinds
3) incident response
- senior management: must establish security policy & manage risk by balancing costs & benefits of security
program
- safeguards: protect against security threats
- incident response: org’s planned response to security incidents
Q4: How can technical safeguards protect against security threats?
- technical safeguards involve hardware & software components of info sys
- primary technical safeguards: ID & authentication, encryption, firewalls, malware protection, design for secure
apps
- identification & authentication: username & password
3 parts to authentication:
1) what you know (password)
2) what you have (smart card)
3) what you are (biometric)
- smart card = plastic card similar to credit card but has microchip
microchip holds far more data than magnetic strip & is loaded w/ identifying data/algorithms
users of smart cards required to enter PIN to be authenticated
- biometric authentication = uses personal physical characteristics to authenticate users
provides strong authentication but equipment expensive
users feel it is invasive
- single sign-on for multiple systems
usu need to be authenticated for LAN, WAN, personal computer, etc
now OS can authenticate you to networks & other servers
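As an added example (not from the course notes), a login check that combines two of the authentication factors listed above: something you know (a password, stored as a salted PBKDF2 hash) and something you have (a time-based one-time code from an RFC 6238 TOTP app). Standard library only; the demo user, password and shared secret are constructed, and the secret is the RFC 6238 test-vector key so the codes can be checked against the RFC’s table.

```python
"""Two-factor login check: something you know plus something you have.

Added example, not from the course notes. Standard library only: the
password is stored as a salted PBKDF2-SHA256 hash (what you know) and the
second factor is an RFC 6238 TOTP code (HMAC-SHA1, 30-second step, 6
digits) from a shared secret held on the user's device (what you have).
The user record and secrets below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30
TOTP_DIGITS = 6


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, PBKDF2-SHA256 digest); a fresh random salt if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since epoch."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to allow clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


def authenticate(user: User, password: str, code: str, at: int = None) -> bool:
    """Both factors must pass; both are always evaluated so a wrong password
    does not reveal itself through a faster rejection."""
    at = int(time.time()) if at is None else at
    password_ok = verify_password(password, user.salt, user.password_hash)
    code_ok = verify_totp(user.totp_secret, code, at)
    return password_ok and code_ok


def make_user(name: str, password: str, totp_secret: bytes) -> User:
    salt, digest = hash_password(password)
    return User(name, salt, digest, totp_secret)


# Constructed demo user. The TOTP secret is the RFC 6238 test-vector key, so
# totp(DEMO_SECRET, 59) == "287082" matches the RFC's table.
DEMO_SECRET = b"12345678901234567890"
DEMO_USER = make_user("alice", "correct horse battery staple", DEMO_SECRET)

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)                 # what the user's app would show
    pw = "correct horse battery staple"
    print("correct password + current code:", authenticate(DEMO_USER, pw, code, now))
    print("correct password, wrong code:   ", authenticate(DEMO_USER, pw, "000000", now))
    print("wrong password, current code:   ", authenticate(DEMO_USER, "hunter2", code, now))
```

The TOTP secret must be stored as carefully as the password hash, since anyone holding it can generate codes; a real deployment also records used codes to stop replay within the accepted window.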
- malware: incl. viruses, worms, spyware, adware, etc
spyware programs installed on user’s computer w/o user’s knowledge, resides in background &
observes user’s actions/monitors computer activity/reports activity to sponsoring orgs
some malicious spyware captures keystrokes to obtain passwords, others support marketing analyses
adware similar to spyware b/c installed w/o user’s permission & resides in background to observe user
behaviour but most adware does not perform malicious acts