Information Security Flashcards Answers

Faulty service includes problems that result because of incorrect system operation. It could include incorrect data modification. It also could include systems that work incorrectly by sending wrong goods to a customer or the ordered goods to a wrong customer, inaccurately billing customers, or sending the wrong information to employees. Humans can inadvertently cause faulty service by making procedural mistakes. System developers can write programs incorrectly or make errors during installation of hardware, software programs, and data. Usurpation is also a type of faulty service. Faulty service can also result when a service is improperly restored during recovery from natural disasters.

Human errors in a procedure or a lack of procedures in information management can result in denial of service (DOS). For example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. Denial-of-service attacks can be launched maliciously. A malicious hacker can flood a Web server, for example, with millions of bogus service requests that so occupy the server that it cannot service legitimate requests. Computer worms can infiltrate a network with so much artificial traffic that legitimate traffic cannot get through. Natural disasters may also cause systems to fail, resulting in denial of service.

Following are some of the recommended personal security safeguards against security threats: 1. Create strong passwords. 2. Use multiple passwords. 3. Send no valuable data via email or IM. 4. Use https at trusted, reputable vendors. 5. Remove high-value assets from computers. 6. Clear browsing history, temporary files, and cookies. 7. Update antivirus software. 8. Demonstrate security concern to fellow workers. 9. Follow organizational security directives and guidelines. 10. Consider security for all business initiatives

Senior management in an organization needs to address two critical security functions: security policy and risk management. Considering the first, senior management must establish company-wide security policies. Take, for example, a data security policy that states the organization's posture regarding data it gathers about its customers, suppliers, partners, and employees. At a minimum, the policy should stipulate: what sensitive data the organization will store, how it will process that data, whether data will be shared with other organizations, how employees and others can obtain copies of data stored about them, and how employees and others can request changes to inaccurate data. The specifics of a policy depend on whether the organization is governmental or nongovernmental, on whether it is publically held or private, on the organization's industry, on the relationship of management to employees, and other factors. The second senior management security function is to manage risk. Risk cannot be eliminated, so to manage risk means to proactively balance the trade-off between risk and cost. This trade-off varies from industry to industry and from organization to organization.

Biometric authentication uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users. It provides a strong authentication, but the required equipment is expensive. Often, too, users resist biometric identification because they feel it is invasive. Biometric authentication is in the early stages of adoption. Because of its strength, it likely will see increased usage in the future. It is also likely that legislators will pass laws governing the use, storage, and protection requirements for biometric data.

Most secure communication over the Internet uses a protocol called https. With https, data are encrypted using a protocol called the Secure Sockets Layer (SSL), which is also known as Transport Layer Security (TLS). SSL/TLS uses a combination of public key encryption and symmetric encryption. Symmetric encryption is fast and is preferred. But the two parties, the user and a Web site, do not share a symmetric key. So, they use public key encryption to share the same symmetric key. The following are the steps involved in this secure communication: 1. A user's computer obtains the public key of a Web site to which it will connect. 2. The user's computer generates a key for symmetric encryption. 3. The user's computer encodes that key using the Web site's public key. It sends the encrypted symmetric key to the Web site. 4. The Web site then decodes the symmetric key using its private key. 5. From that point forward, the user's computer and the Web site communicate using symmetric encryption. At the end of the session, the user's computer and the secure site discard the keys. Using this strategy, the bulk of the secure communication occurs using the faster symmetric encryption.

A packet-filtering firewall examines each part of a message and determines whether to let that part pass. To make this decision, it examines the source address, the destination addresses, and other data. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall. They can also disallow traffic from particular sites, such as known hacker addresses. They can prohibit traffic from legitimate, but unwanted, addresses, such as competitors' computers, and filter outbound traffic as well. They can keep employees from accessing specific sites, such as competitors' sites, sites with pornographic material, or popular news sites.

Users should open email attachments only from known sources. Also, even when opening attachment from known sources, users should do so with great care. With a properly configured firewall, email is the only outside-initiated traffic that can reach user computers. Most antimalware programs check email attachments for malware code. However, all users should form the habit of never opening an email attachment from an unknown source. Also, if users receive an unexpected email from a known source or an email from a known source that has a suspicious subject, odd spelling, or poor grammar, they should not open the attachment without first verifying with the known source that the attachment is legitimate.

Data safeguards protect databases and other organizational data. Two organizational units are responsible for data safeguards-data administration and database administration. Data administration refers to an organization-wide function that is in charge of developing data policies and enforcing data standards. Database administration refers to a function that pertains to a particular database. ERP, CRM, and MRP databases each have a database administration function. Database administration develops procedures and practices to ensure efficient and orderly multiuser processing of the database, to control changes to the database structure, and to protect the database. Both data and database administration are involved in establishing data safeguards. First, data administration should define data policies. Then, data administration and database administrations work together to specify user data rights and responsibilities. Third, those rights are enforced by user accounts that are authenticated at least by passwords.

Effective human safeguards begin with definitions of job tasks and responsibilities. In general, job descriptions should provide a separation of duties and authorities. For example, no single individual should be allowed to both approve expenses and write checks. Instead, one person should approve expenses, another pay them, and a third should account for the payment. Similarly, in an inventory, no single person should be allowed to authorize an inventory withdrawal and also to remove the items from the inventory. Given appropriate job descriptions, user accounts should be defined to give users the least possible privilege needed to perform their jobs. Similarly, user accounts should prohibit users from accessing data their job description does not require. Because of the problem of semantic security, access to even seemingly innocuous data may need to be limited. Finally, security sensitivity should be documented for each position. Some jobs involve highly sensitive data. Other positions involve no sensitive data. Documenting position sensitivity enables security personnel to prioritize their activities in accordance with the possible risk and loss.

Business requirements may necessitate opening information systems to nonemployee personnel - temporary personnel, vendors, partner personnel (employees of business partners), and the public. In the case of temporary, vendor, and partner personnel, a contract that governs an activity should call for security measures appropriate to the sensitivity of data and information system resources involved. Companies should require vendors and partners to perform appropriate screening and security training. The contract also should mention specific security responsibilities that are particular to the work to be performed. Companies should provide accounts and passwords with the least privilege and remove those accounts as soon as possible. Although temporary personnel can be screened, to reduce costs the screening will be abbreviated from that for employees. But in most cases, companies cannot screen either vendor or partner personnel. Public users cannot be screened at all.

Every organization should have an incident-response plan as part of its security program. The plan should include how employees are to respond to security problems, whom they should contact, the reports they should make, and steps they can take to reduce further loss. The plan should provide centralized reporting of all security incidents that will enable an organization to determine if it is under systematic attack or whether an incident is isolated. Centralized reporting also allows the organization to learn about security threats, take consistent actions in response, and apply specialized expertise to all security problems. Viruses and worms can spread very quickly across an organization's networks, and a fast response will help to mitigate the consequences. Because of the need for speed, preparation pays. The incident-response plan should identify critical personnel and their off-hours contact information. These personnel should be trained on where to go and what to do when they get there. Finally, organizations should periodically practice incident response.