IS test 3

Description

Flashcards on IS test 3, created by ashleo92 on 11/04/2013.
ashleo92
Flashcards by ashleo92, updated more than 1 year ago
ashleo92
Created by ashleo92 over 11 years ago
69
1

Resource summary

Question Answer
risk assessment determines level of risk to the firm if specific activity or process is not properly controlled
security policy ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
acceptable use policy (AUP) defines acceptable uses of firm's information resources and computing equipment
authorization policies determine differing levels of user access to information assets
disaster recovery planning devises plans for restoration of disrupted services
backup copies of critical systems and data, done on a regular basis
hot site separate and fully equipped facility where the firm can move immediately after a disaster and resume business
cold site separate facility without any computer equipment but is a place employees can move after a disaster
business continuity planning focuses on restoring business operations after disaster
MIS audit examines firm's overall security environment as well as controls governing individual information systems
identity management systems support the organization's security and authorization policies -include business processes and technologies for identifying valid users of systems
authentication the ability to know that a person is who he or she claims to be; a method of confirming users' identities.
authorization determines what actions, rights, or privileges the user has, based on the verified identity
common types of access controls user IDs, cognitive passwords, security profile, token/security token, smart card, biometrics, terminal resource security
password combination of numbers, characters, and symbols that's entered to allow access to a system
passphrase series of characters that is longer than a password but is still easy to memorize
cognitive password requires a user to answer a question to verify their identity; commonly used as a form of secondary access
security profile a unique picture and descriptive phrase chosen by you to verify that you are on a legitimate site
token a small device to change user passwords automatically
smart card a device about the same size as a credit card, containing a chip formatted with access permission and other data-a reader device interprets the data on the card and allows or denies access
terminal resource security software feature that erases the screen and signs of user off automatically after a specified length of activity
biometrics systems that read and interpret individual human traits to enhance security measures – are unique to a person and can’t be stolen or lost; may be physical or behavioral
firewall -Combination of hardware and software that controls the flow of incoming and outgoing network traffic -Combination of hardware and software that controls the flow of incoming and outgoing network traffic
intrusion detection systems -Monitor hot spots on corporate networks to detect and deter intruders. -Examine events as they are happening to discover attacks in progress
antivirus and antispyware software Check computers for presence of malware and can often eliminate it as well.
(UTM) unified threat management systems Combination of security tools including firewalls, intrusion detection systems, VPN’s, web content filtering, and anti-spam SW
encryption Process of encoding messages before they enter the network & then decoding at the receiving end
two methods of encryption 1.symmetric key encryption 2.public key encryption
symmetric key encryption sender and receiver use single,shared key
public key encryption -uses two, mathematically related keys: public key and private key -sender encrypts message with recipients' public key -recipient decrypts with private key
two methods/protocols for encryption on networks 1. secure sockets layer (SSL) 2. Transport layer security (TLS)
TLS enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session; establish a secure connection between two computers
S-HTTP (secure hypertext transfer protocol) is limited to individual messages
digital certificate -Data file or electronic document used to establish the identity of users and electronic assets for protection of online transactions -Uses a trusted third party, Certificate Authority (CA), to validate a user’s identity
fault tolerant computer systems Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
high-availability computing -Helps recover quickly from crash -Minimizes, does not eliminate, downtime
DPI (deep packet inspection) Sorts out low-priority online material (music and video downloads) while assigning a higher priority to business-critical files and data
cloud computing Accountability and responsibility for privacy and security reside with the Cloud user, although the Cloud provider is actually doing the hosting ...
mobile computing device must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts
software metrics objective assessments of a system in the form of quantified measurements, such as: number of transactions processed per min, online response time, etc.
walkthrough review of specification or design documents by a group of qualified people
debugging process by which errors are discovered and eliminated
WEP initial security standard for 802.11- use is optional- users often fail to use its security features.
Malware SW written with malicious intent to cause annoyance or damage to a computer system or network
viruses rogue software program that attaches itself to other software programs or data files in order to be executed
worms -independent programs that copy themselves from one computer to others over a network -do not have to be attached to a host program
Trojan horse -software program that appears to be benign but then does something other than expected -contains code intended to disrupt a computer network, or website -malicious code hides inside a popular program or a program that appears useful
SQL injection attacks take advantage of vulnerabilities in poorly coded web application SW to introduce malicious program code into a company's systems and networks
spyware sw that secretly gathers information about users while they browse the web; can come hidden in free downloads and tracks online movements, mines the info stored on a computer, or uses the computer's
keyloggers monitor and record keystrokes and mouse clicks
spoofing -misrepresenting oneself by using fake e-mail addresses or masquerading as someone else -may involve forging return address of email so it appears to be from someone else.
sniffer -type of eavesdropping program that monitors information traveling over a network -SW used to capture and record network traffic
DoS (denial of service attacks) floods a network server or web server with thousands of false service requests to crash the network
DDoS (distributed denial of service attack) hundreds of thousands of computers work together to bombard a website with thousands of requests for information in a short period
botnets networks of "zombie" PC's infiltrated by bot malware
phishing a high tech scam in which an email requests the update or confirmation of sensitive personal information by masquerading as a legitimate request/website
pharming a type of phishing technique that redirects users to a bogus web page, even when an individual types correct web page address into his or her browser
evil twins a type of phishing technique where wireless networks that pretend to offer trustworthy wi-fi connections to the internet
insiders legitimate users who purposely or accidentally misuse their access to info or resources and cause some kind of business-affecting event
hackers people very knowledgeable about computers who use their skill to gain unauthorized access to a computer system
patches small pieces of software to be released by a SW vendor to repair flaws
gramm-leach-biley act requires financial institutions to ensure the security and confidentiality of customer data
sarbanes-oxley act imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
computer forensics scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
general controls govern, design, security, and use of computer programs and security of data files in general throughout organization's information technoogy infrastructure
application controls specific controls unique to each computerized application, such as payroll or order processing include:-input controls -processing controls -output controls
Security policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records;and operational adherence to mgt standards
Computer crime/fraud "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
Identity Theft -a crime in which an imposter obtains key pieces of personal information to impersonate someone else -the forging of someone's identity for the purpose of fraud
Click fraud occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
Why systems are vulnerable -hardware problems -software problems -disasters -user error or unauthorized access -use of networks and computers outside of firm's control
hardware problems breakdowns, configuration errors, damage from improper use of crime, theft of devices
Software problems programming errors, installation errors, unauthorized chnages
disasters power failures, flood, fires, others...
War driving eavesdroppers drive by buildings and try to intercept network traffic
Rogue access point access point on a different channel in a close physical location to force a users radio network interface controller to associate with the rogue access point instead of the official one
Show full summary Hide full summary

Similar

Sociology
shattering.illus
Resistant Materials
Elisha
C4 - Formulae to learn
Tech Wilkinson
Macbeth Themes
cristiano.q982687
GCSE Astronomy Specification Flashcards
avanatalie
OCR AS Biology
joshbrown3397
AQA Biology 11.1 replication of DNA
Charlotte Hewson
Music symbols
Sarah Egan
Using GoConqr to study History
Sarah Egan
Flame tests
Joshua Rees
Network Hardware_PK
Paul Kluge