Chapter 8 Securing Information Systems – Flashcards

question
Acceptable use policy (AUP), 312
answer
defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet.
question
Antivirus software, 318
answer
prevents, detects, and removes malware, including computer viruses, computer worms, Trojan horses, spyware, and adware.
question
Application controls, 310
answer
are specific controls unique to each computerized application, such as payroll or order processing.
question
Authentication, 316
answer
refers to the ability to know that a person is who he or she claims to be.
question
Biometric authentication, 316
answer
uses systems that read and interpret individual human traits, such as fingerprints, irises, and voices, in order to grant or deny access.
question
Botnet, 301
answer
Perpetrators of DDoS attacks often use thousands of "zombie" PCs infected with malicious software without their owners' knowledge and organized into a
question
Bugs, 305
answer
or program code defects.
question
Business continuity planning, 314
answer
focuses on how the company can restore business operations after a disaster strikes.
question
Click fraud, 304
answer
occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.
question
Computer crime, 302
answer
Most hacker activities are criminal offenses, and the vulnerabilities of systems we have just described make them targets for other types of
question
Computer forensics, 309
answer
is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.
question
Computer virus, 298
answer
is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission. Most computer viruses deliver a "payload."
question
Controls, 295
answer
are methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.
question
Cybervandalism, 300
answer
the intentional disruption, defacement, or even destruction of a Web site or corporate information system.
question
Cyberwarfare, 304
answer
is a state-sponsored activity designed to cripple and defeat another state or nation by penetrating its computers or networks for the purposes of causing damage and disruption.
question
Deep packet inspection (DPI), 322
answer
helps solve this problem. DPI examines data files and sorts out low-priority online material while assigning higher priority to business-critical files.
question
Denial-of-service (DoS) attack, 301
answer
attack uses numerous computers to inundate and overwhelm the network from numerous launch points.
question
Digital certificates, 320
answer
are data files used to establish the identity of users and electronic assets for protection of online transactions
question
Disaster recovery planning, 314
answer
devises plans for the restoration of computing and communications services after they have been disrupted
question
Distributed denial-of-service (DDoS) attack, 301
answer
hackers flood a network server or Web server with many thousands of false communications or requests for services to crash the network
question
Downtime, 321
answer
refers to periods of time in which a system is not operational.
question
Drive-by download, 298
answer
consisting of malware that comes with a downloaded file that a user intentionally or unintentionally requests.
question
Encryption, 319
answer
is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver.
question
Evil twin, 303
answer
are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops.
question
Fault-tolerant computer systems, 321
answer
contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service.
question
Firewall, 317
answer
prevents unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.
question
General controls, 310
answer
govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure.
question
Gramm-Leach-Bliley Act, 309
answer
after its congressional sponsors. This act requires financial institutions to ensure the security and confidentiality of customer data.
question
Hacker, 300
answer
is an individual who intends to gain unauthorized access to a computer system
question
High-availability computing, 321
answer
Fault tolerance should be distinguished from
question
HIPAA, 308
answer
outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans.
question
Identity management, 312
answer
consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources
question
Identity theft, 302
answer
is a crime in which an imposter obtains key pieces of personal information, such as social security identification numbers, driver's license numbers, or credit card numbers, to impersonate someone else.
question
Intrusion detection systems, 318
answer
feature full-time monitoring tools placed at the most vulnerable points or "hot spots" of corporate networks to detect and deter intruders continually.
question
Keyloggers, 300
answer
record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers.
question
Malware, 298
answer
and include a variety of threats, such as computer viruses, worms, and Trojan horses.
question
Managed security service providers (MSSPs), 322
answer
that monitor network activity and perform vulnerability testing and intrusion detection.
question
MIS audit, 314
answer
examines the firm's overall security environment as well as controls governing individual information systems.
question
Online transaction processing, 321
answer
transactions entered online are immediately processed by the computer.
question
Password, 316
answer
known only to authorized users
question
Patches, 307
answer
To correct software flaws once they are identified, the software vendor creates small pieces of software called
question
Pharming, 303
answer
redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser.
question
Phishing, 303
answer
involves setting up fake Web sites or sending e-mail messages that look like those of legitimate businesses to ask users for confidential personal data.
question
Public key encryption, 320
answer
uses two keys: one shared (or public) and one totally private
question
Public key infrastructure (PKI), 320
answer
the use of public key cryptography working with a CA, is now widely used in e-commerce
question
Recovery-oriented computing, 321
answer
Researchers are exploring ways to make computing systems recover even more rapidly when mishaps occur, an approach called
question
Risk assessment, 311
answer
determines the level of risk to the firm if a specific activity or process is not properly controlled.
question
Sarbanes-Oxley Act, 309
answer
after its sponsors Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio.
question
Secure Hypertext Transfer Protocol (S-HTTP), 319
answer
is another protocol used for encrypting data flowing over the Internet, but it is limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers.
question
Secure Sockets Layer (SSL), 319
answer
its successor Transport Layer Security (TLS) enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session.
question
Security, 295
answer
refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
question
Security policy, 312
answer
consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.
question
Smart card, 316
answer
is a device about the size of a credit card that contains a chip formatted with access permission and other data. (Smart cards are also used in electronic payment systems.)
question
Sniffer, 301
answer
is a type of eavesdropping program that monitors information traveling over a network.
question
Social engineering, 305
answer
Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information
question
Spoofing, 301
answer
also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.
question
Spyware, 300
answer
annoying, and some critics worry about its infringement on computer users' privacy.
question
SQL injection attack, 300
answer
have become a major malware threat. SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company's systems and networks.
question
Token, 316
answer
is a physical device, similar to an identification card, that is designed to prove the identity of a single user.
question
Trojan horse, 299
answer
is a software program that appears to be benign but then does something other than expected.
question
Unified threat management (UTM), 319
answer
To help businesses reduce costs and improve manageability, security vendors have combined into a single appliance various security tools, including firewalls, virtual private networks, intrusion detection systems, and Web content filtering and antispam software.
question
War driving, 297
answer
in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.
question
Worms, 298
answer
which are independent computer programs that copy themselves from one computer to other computers over a network.