Questão | Responda |
risk assessment | determines level of risk to the firm if specific activity or process is not properly controlled |
security policy | ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals |
acceptable use policy (AUP) | defines acceptable uses of firm's information resources and computing equipment |
authorization policies | determine differing levels of user access to information assets |
disaster recovery planning | devises plans for restoration of disrupted services |
backup | copies of critical systems and data, done on a regular basis |
hot site | separate and fully equipped facility where the firm can move immediately after a disaster and resume business |
cold site | separate facility without any computer equipment but is a place employees can move after a disaster |
business continuity planning | focuses on restoring business operations after disaster |
MIS audit | examines firm's overall security environment as well as controls governing individual information systems |
identity management systems | support the organization's security and authorization policies -include business processes and technologies for identifying valid users of systems |
authentication | the ability to know that a person is who he or she claims to be; a method of confirming users' identities. |
authorization | determines what actions, rights, or privileges the user has, based on the verified identity |
common types of access controls | user IDs, cognitive passwords, security profile, token/security token, smart card, biometrics, terminal resource security |
password | combination of numbers, characters, and symbols that's entered to allow access to a system |
passphrase | series of characters that is longer than a password but is still easy to memorize |
cognitive password | requires a user to answer a question to verify their identity; commonly used as a form of secondary access |
security profile | a unique picture and descriptive phrase chosen by you to verify that you are on a legitimate site |
token | a small device to change user passwords automatically |
smart card | a device about the same size as a credit card, containing a chip formatted with access permission and other data-a reader device interprets the data on the card and allows or denies access |
terminal resource security | software feature that erases the screen and signs of user off automatically after a specified length of activity |
biometrics | systems that read and interpret individual human traits to enhance security measures – are unique to a person and can’t be stolen or lost; may be physical or behavioral |
firewall | -Combination of hardware and software that controls the flow of incoming and outgoing network traffic -Combination of hardware and software that controls the flow of incoming and outgoing network traffic |
intrusion detection systems | -Monitor hot spots on corporate networks to detect and deter intruders. -Examine events as they are happening to discover attacks in progress |
antivirus and antispyware software | Check computers for presence of malware and can often eliminate it as well. |
(UTM) unified threat management systems | Combination of security tools including firewalls, intrusion detection systems, VPN’s, web content filtering, and anti-spam SW |
encryption | Process of encoding messages before they enter the network & then decoding at the receiving end |
two methods of encryption | 1.symmetric key encryption 2.public key encryption |
symmetric key encryption | sender and receiver use single,shared key |
public key encryption | -uses two, mathematically related keys: public key and private key -sender encrypts message with recipients' public key -recipient decrypts with private key |
two methods/protocols for encryption on networks | 1. secure sockets layer (SSL) 2. Transport layer security (TLS) |
TLS | enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session; establish a secure connection between two computers |
S-HTTP (secure hypertext transfer protocol) | is limited to individual messages |
digital certificate | -Data file or electronic document used to establish the identity of users and electronic assets for protection of online transactions -Uses a trusted third party, Certificate Authority (CA), to validate a user’s identity |
fault tolerant computer systems | Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service |
high-availability computing | -Helps recover quickly from crash -Minimizes, does not eliminate, downtime |
DPI (deep packet inspection) | Sorts out low-priority online material (music and video downloads) while assigning a higher priority to business-critical files and data |
cloud computing | Accountability and responsibility for privacy and security reside with the Cloud user, although the Cloud provider is actually doing the hosting ... |
mobile computing device | must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts |
software metrics | objective assessments of a system in the form of quantified measurements, such as: number of transactions processed per min, online response time, etc. |
walkthrough | review of specification or design documents by a group of qualified people |
debugging | process by which errors are discovered and eliminated |
WEP | initial security standard for 802.11- use is optional- users often fail to use its security features. |
Malware | SW written with malicious intent to cause annoyance or damage to a computer system or network |
viruses | rogue software program that attaches itself to other software programs or data files in order to be executed |
worms | -independent programs that copy themselves from one computer to others over a network -do not have to be attached to a host program |
Trojan horse | -software program that appears to be benign but then does something other than expected -contains code intended to disrupt a computer network, or website -malicious code hides inside a popular program or a program that appears useful |
SQL injection attacks | take advantage of vulnerabilities in poorly coded web application SW to introduce malicious program code into a company's systems and networks |
spyware | sw that secretly gathers information about users while they browse the web; can come hidden in free downloads and tracks online movements, mines the info stored on a computer, or uses the computer's |
keyloggers | monitor and record keystrokes and mouse clicks |
spoofing | -misrepresenting oneself by using fake e-mail addresses or masquerading as someone else -may involve forging return address of email so it appears to be from someone else. |
sniffer | -type of eavesdropping program that monitors information traveling over a network -SW used to capture and record network traffic |
DoS (denial of service attacks) | floods a network server or web server with thousands of false service requests to crash the network |
DDoS (distributed denial of service attack) | hundreds of thousands of computers work together to bombard a website with thousands of requests for information in a short period |
botnets | networks of "zombie" PC's infiltrated by bot malware |
phishing | a high tech scam in which an email requests the update or confirmation of sensitive personal information by masquerading as a legitimate request/website |
pharming | a type of phishing technique that redirects users to a bogus web page, even when an individual types correct web page address into his or her browser |
evil twins | a type of phishing technique where wireless networks that pretend to offer trustworthy wi-fi connections to the internet |
insiders | legitimate users who purposely or accidentally misuse their access to info or resources and cause some kind of business-affecting event |
hackers | people very knowledgeable about computers who use their skill to gain unauthorized access to a computer system |
patches | small pieces of software to be released by a SW vendor to repair flaws |
gramm-leach-biley act | requires financial institutions to ensure the security and confidentiality of customer data |
sarbanes-oxley act | imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally |
computer forensics | scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law |
general controls | govern, design, security, and use of computer programs and security of data files in general throughout organization's information technoogy infrastructure |
application controls | specific controls unique to each computerized application, such as payroll or order processing include:-input controls -processing controls -output controls |
Security | policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems |
Controls | methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records;and operational adherence to mgt standards |
Computer crime/fraud | "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution" |
Identity Theft | -a crime in which an imposter obtains key pieces of personal information to impersonate someone else -the forging of someone's identity for the purpose of fraud |
Click fraud | occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase |
Why systems are vulnerable | -hardware problems -software problems -disasters -user error or unauthorized access -use of networks and computers outside of firm's control |
hardware problems | breakdowns, configuration errors, damage from improper use of crime, theft of devices |
Software problems | programming errors, installation errors, unauthorized chnages |
disasters | power failures, flood, fires, others... |
War driving | eavesdroppers drive by buildings and try to intercept network traffic |
Rogue access point | access point on a different channel in a close physical location to force a users radio network interface controller to associate with the rogue access point instead of the official one |
Quer criar seus próprios Flashcards gratuitos com GoConqr? Saiba mais.