Exam Name: ________

TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.

1) The potential for unauthorized access is usually limited to the communications lines of a network.
2) Large public networks, such as the Internet, are less vulnerable than internal networks because they are virtually open to anyone.
3) Malicious software programs are referred to as badware and include a variety of threats, such as computer viruses, worms, and Trojan horses.
4) A computer bacteria is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission.
5) Web 2.0 applications, such as blogs, wikis, and social networking sites such as Facebook and MySpace, are not conduits for malware or spyware.
6) A Trojan horse is a software program that appears threatening but is really benign.
7) Keyloggers record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers.
8) A hacker is an individual who intends to gain unauthorized access to a computer system.
9) The term cracker is typically used to denote a hacker with criminal intent.
10) The term cybervandalism refers to the intentional disruption, defacement, or even destruction of a Web site or corporate information system.
11) Computer crime is defined as any criminal activity involving the copy of, use of, removal of, interference with, access to, manipulation of computer systems, and/or their related functions, data or programs.
12) Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social insurance numbers, driver's licence numbers, or credit card numbers, to impersonate someone else.

13) Pharming redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser.
14) One increasingly popular tactic is a form of spoofing called phishing.
15) Social Bookmarking is tricking people into revealing their passwords or other information by pretending to be legitimate users or members of a company in need of information.
16) Software errors are no threat to information systems that could cause untold losses in productivity.
17) Many firms spend heavily on security because it is directly related to sales revenue.
18) Computer forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.
19) General controls govern the design, security, and use of computer programs and the security of data files throughout the organization's IT infrastructure.
20) Application controls are specific controls unique to each computerized application, such as payroll or order processing.
21) Output controls check data for accuracy and completeness when they enter the system.
22) A risk audit includes statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.
23) Disaster recovery planning devises plans for the restoration of computing and communications services before they have been disrupted.
24) An MIS audit examines the firm's overall security environment as well as controls governing individual information systems.
25) Authentication refers to the ability to know that a person is who he or she claims to be.
26) An MIS audit examines the firm's overall security environment as well as controls governing individual information systems.

27) A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.
28) Computers using cable modems to connect to the Internet are more open to penetration than those connecting via dial-up.
29) Wireless networks are vulnerable to penetration because radio frequency bands are easy to scan.
30) The range of Wi-Fi networks can be extended up to two miles by using external antennae.
31) The WEP specification calls for an access point and its users to share the same 40-bit encrypted password.
32) Viruses can be spread through .
33) Computer worms spread much more rapidly than computer viruses.
34) One form of spoofing involves forging the return address on an so that the message appears to come from someone other than the sender.
35) Sniffers enable hackers to steal proprietary information from anywhere on a network, including messages, company files, and confidential reports.
36) DoS attacks are used to destroy information and access restricted areas of a company's information system.
37) The most economically damaging kinds of computer crime are viruses.
38) Zero defects cannot be achieved in larger software programs because fully testing programs that contain thousands of choices and millions of paths would require thousands of years.
39) An acceptable use policy defines the acceptable level of access to information assets for different users.
40) Biometric authentication is the use of physical characteristics such as retinal images to provide identification.

41) Packet filtering catches most types of network attacks.
42) NAT conceals the IP addresses of the organization's internal host computers to deter sniffer programs.
43) SSL is a protocol used to establish a secure connection between two computers.
44) Public key encryption uses two keys.
45) Fault-tolerant computers contain redundant hardware, software, and power supply components.
46) High-availability computing is also referred to as fault tolerance.

MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.

47) ________ are methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards. A) "Algorithms" B) "Controls" C) "Security" D) "Benchmarking"
48) John clicks into his online banking website. He is about to type in his password when he notices that something is just not right. Upon further examination he notices that it is not the actual bank site but one that looks almost identical. John was almost a victim of ________. A) a Trojan horse B) spoofing C) worms D) keyloggers
49) Betty downloaded a peer to peer file sharing program. She is worried that it might have come with spyware attached to it. She had a friend who had a spyware problem where all of her keystrokes were stolen which included her bank passwords. Betty's friend was a victim of ________. A) spoofing B) a Trojan horse C) worms D) keyloggers
50) Helen downloaded a greeting card program from the internet. She was surprised that it really didn't do what it was supposed to do. What the program did was send nasty, profane s to all the people in her contact list. Helen is the victim of ________. A) spoofing B) a Trojan horse C) keyloggers D) worms
51) Robert knows that he got an independent program off of his network on his computer. It deleted all of his spreadsheet files on his hard drive. Robert feels that this problem may have resulted from him opening up an attachment file on his . Robert is the victim of ________. A) spoofing B) worms C) a Trojan horse D) keyloggers

52) A ________ is a type of eavesdropping program that monitors information travelling over a network. A) worms B) keyloggers C) sniffer D) a Trojan horse
53) ________ involves setting up fake Web sites or sending messages that look like those of legitimate businesses to ask users for confidential personal data. A) Fishing B) Farming C) Phishing D) Pharming
54) Jimmy Clark is sitting home one night and is very bored. He gets on his computer and starts to surf the net. He comes to a military site. He thinks he might be able to get around the security of the site and into the military computer system. He spends the next two hours trying to find his way into their system. Jimmy is ________. A) a dumpster diver B) a cracker C) a social engineer D) a hacker
55) Daniel is sitting home one night and is very bored. He gets on his computer and starts to surf the net. He comes to a bank site. He thinks he might be able to get around the security of the site and into the bank computer system. He spends the next two hours trying to find his way into their system. Daniel gets into the system and puts $200 into his account from just some random name he found in the banking system. Daniel is ________. A) a dumpster diver B) a hacker C) a social engineer D) a cracker
56) Bart Black walks into a local bank. He does not work there but he has a tag on his shirt that reads "IT Department". He goes up to a loans officer and tells him he needs to check the security on the loan officer's computer. Bart sits in front of the keyboard and asks the officer for his username and password. The loan officer gives him the information. Bart then thanks him and leaves the bank. Outside in his car Bart Black gets into the bank system using the information. This loan officer is a victim of ________. A) a hacker B) a cracker C) social engineering D) dumpster diving
57) ________ defects cannot be achieved in larger programs. A) Zero B) Thirty C) Two D) One hundred Answer: A
58) Many firms are reluctant to spend heavily on security because ________. A) it is not directly related to sales expense. B) it is not directly related to sales forecasting. C) it is not directly related to sales revenue D) it is not directly related to sales tax.
59) ________ govern the design, security, and use of computer programs and the security of data files throughout the organization's IT infrastructure. A) Application controls B) Input controls C) General controls D) Output controls

60) ________ are specific controls unique to each computerized application, such as payroll or order processing. A) Output controls B) Application controls C) Input controls D) General controls
61) ________ consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. A) Output control B) Access control C) Input control D) General control
62) ________ is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver. A) Risk audit B) Encryption C) Application control D) Spoofing
63) ________ refers to policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. A) "Controls" B) "Benchmarking" C) "Security" D) "Algorithms"
64) ________ refers to all of the methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards. A) "SSID standards" B) "Vulnerabilities" C) "Controls" D) "Legacy systems"
65) Large amounts of data stored in electronic form are ________ than the same data in manual form. A) more critical to most businesses B) vulnerable to many more kinds of threats C) less vulnerable to damage D) more secure
66) Electronic data are more susceptible to destruction, fraud, error, and misuse because information systems concentrate data in computer files that A) are not secure because the technology to secure them did not exist at the time the files were created. B) have the potential to be accessed by large numbers of people and by groups outside of the organization. C) are frequently available on the Internet. D) are usually bound up in legacy systems that are difficult to access and difficult to correct in case of error.
67) Specific security challenges that threaten the communications lines in a client/server environment include

A) hacking; vandalism; denial of service attacks. B) theft, copying, alteration of data; hardware or software failure. C) unauthorized access; errors; spyware. D) tapping; sniffing; message alteration; radiation.
68) Specific security challenges that threaten clients in a client/server environment include A) hacking; vandalism; denial of service attacks. B) tapping; sniffing; message alteration; radiation. C) theft, copying, alteration of data; hardware or software failure. D) unauthorized access; errors; spyware.
69) Specific security challenges that threaten corporate servers in a client/server environment include A) tapping; sniffing; message alteration; radiation. B) theft, copying, alteration of data; hardware or software failure. C) unauthorized access; errors; spyware. D) hacking; vandalism; denial of service attacks.
70) The Internet poses specific security problems because A) Internet standards are universal. B) everyone uses the Internet. C) it changes so rapidly. D) it was designed to be easily accessible.
71) The main security problem on the Internet is A) hackers. B) bandwidth theft. C) natural disasters, such as floods and fires. D) radiation. Answer: A
72) An independent computer program that copies itself from one computer to another over a network is called a A) bug. B) Trojan horse. C) pest. D) worm.
73) Sobig.F and MyDoom.A are A) worms attached to that spread from computer to computer. B) multipartite viruses that can infect files as well as the boot sector of the hard drive. C) viruses that use Microsoft Outlook to spread to other systems. D) Trojan horses used to create bot nets. Answer: A
74) In 2004, ICQ users were enticed by a sales message from a supposed anti-virus vendor. On the vendor's site, a small program called Mitglieder was downloaded to the user's machine. The program enabled outsiders to infiltrate the user's machine. What type of malware is this an example of? A) spyware B) worm C) Trojan horse D) virus
75) Redirecting a Web link to a different address is a form of

A) sniffing. B) war driving. C) spoofing. D) snooping.
76) A key logger is a type of A) spyware. B) worm. C) Trojan horse. D) virus. Answer: A
77) How do hackers create a botnet? A) by infecting Web search bots with malware B) by causing other people's computers to become "zombie" PCs following a master computer C) by using Web search bots to infect other computers D) by infecting corporate servers with "zombie" Trojan horses that allow undetected access through a back door
78) Using numerous computers to inundate and overwhelm the network from numerous launch points is called a ________ attack. A) DDoS B) pharming C) phishing D) DoS Answer: A
79) Which of the following is NOT an example of a computer used as a target of crime? A) threatening to cause damage to a protected computer B) accessing a computer system without authority C) illegally accessing stored electronic communication D) knowingly accessing a protected computer to commit fraud
80) Which of the following is NOT an example of a computer used as an instrument of crime? A) breaching the confidentiality of protected computerized data B) intentionally attempting to intercept electronic communication C) unauthorized copying of software D) theft of trade secrets Answer: A
81) Phishing is a form of A) sniffing. B) spinning. C) spoofing. D) snooping.
82) Phishing involves A) using s for threats or harassment. B) pretending to be a legitimate business's representative in order to garner information about a security system. C) setting up bogus Wi-Fi hot spots. D) setting up fake Web sites to ask users for confidential information.
83) Evil twins are A) fraudulent Web sites that mimic a legitimate business's Web site. B) messages that mimic the messages of a legitimate business. C) Trojan horses that appear to the user to be a legitimate commercial software application. D) bogus wireless networks that look legitimate to users.

84) Pharming involves A) using s for threats or harassment. B) pretending to be a legitimate business's representative in order to garner information about a security system. C) redirecting users to a fraudulent Web site even when the user has typed in the correct address in the Web browser. D) setting up fake Web sites to ask users for confidential information.
85) You have been hired as a security consultant for a legal firm. Which of the following constitutes the greatest threat, in terms of security, to the firm? A) employees B) wireless network C) authentication procedures D) lack of data encryption Answer: A
86) Tricking employees to reveal their passwords by pretending to be a legitimate member of a company is called A) social engineering B) phishing C) sniffing D) pharming Answer: A
87) How do software vendors correct flaws in their software after it has been distributed? A) re-release software B) issue patches C) issue updated versions D) issue bug fixes
88) The most common type of electronic evidence is A) voic . B) instant messages. C) . D) spreadsheets.
89) Electronic evidence on computer storage media that is not visible to the average user is called ________ data. A) recovery B) ambient C) forensic D) defragmented
90) Application controls A) can be classified as input controls, processing controls, and output controls. B) include software controls, computer operations controls, and implementation controls. C) apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. D) govern the design, security, and use of computer programs and the security of data files in general throughout the organization. Answer: A
91) ________ controls ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. A) Data security B) Administrative C) Software D) Implementation Answer: A

92) Analysis of an information system that rates the likelihood of a security incident occurring and its cost is included in a(n) A) risk assessment. B) security policy. C) AUP. D) business impact analysis. Answer: A
93) Statements ranking information risks and identifying security goals are included in a(n) A) business impact analysis. B) security policy. C) risk assessment. D) AUP.
94) An analysis of the firm's most critical systems and the impact a system's outage would have on the business is included in a(n) A) AUP. B) business impact analysis. C) risk assessment. D) security policy.
95) Rigorous password systems A) are often disregarded by employees. B) are costly to implement. C) are one of the most effective security tools. D) may hinder employee productivity.
96) An authentication token is a(n) A) type of smart card. B) gadget that displays passcodes. C) electronic marker attached to a digital authorization file. D) device the size of a credit card that contains access permission data.
97) Biometric authentication A) only uses physical traits as a measurement. B) is used widely in Europe for security applications. C) can use a person's face as a unique, measurable trait. D) is inexpensive.
98) A firewall allows the organization to A) check the content of all incoming and outgoing messages. B) check the accuracy of all transactions between its network and the Internet. C) enforce a security policy on traffic between its network and the Internet. D) create an enterprise system on the Internet.
99) In which technique are network communications analyzed to see whether packets are part of an ongoing dialogue between a sender and a receiver? A) application proxy filtering B) stateful inspection C) intrusion detection system D) packet filtering
100) ________ use scanning software to look for known problems such as bad passwords, the removal of important files, security attacks in progress, and system administration errors. A) Stateful inspections B) Application proxy filtering technologies C) Intrusion detection systems D) Packet filtering technologies
101) Currently, the protocols used for secure information transfer over the Internet are A) SSL, TLS, and S-HTTP. B) S-HTTP and CA. C) TCP/IP and SSL. D) HTTP and TCP/IP. Answer: A
102) Most antivirus software is effective against A) any virus. B) any virus except those in wireless communications applications. C) only those viruses active on the Internet and through . D) only those viruses already known when the software is written.
103) In which method of encryption is a single encryption key sent to the receiver so both sender and receiver share the same key? A) symmetric key encryption B) private key encryption C) public key encryption D) SSL Answer: A
104) A digital certificate system A) uses tokens to validate a user's identity. B) uses third-party CAs to validate a user's identity. C) uses digital signatures to validate a user's identity. D) is used primarily by individuals for personal correspondence.
105) Downtime refers to periods of time in which a A) computer is not online. B) corporation or organization is not operational. C) computer system is malfunctioning. D) computer system is not operational.
106) Online transaction processing requires A) more processing time. B) dedicated phone lines. C) fault-tolerant computer systems. D) a large server network.
107) In controlling network traffic to minimize slow-downs, a technology called ________ is used to examine data files and sort low-priority data from high-priority data.

A) application proxy filtering B) stateful inspection C) deep-packet inspection D) high availability computing
108) The development and use of methods to make computer systems recover more quickly after mishaps is called A) fault tolerant computing. B) disaster recovery planning. C) high availability computing. D) recovery oriented computing.
109) Smaller firms can outsource security functions to A) CSOs B) MISs C) CAs D) MSSPs

SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.

110) A practice in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic is referred to as ________. Answer: war driving
111) ________ refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Answer: Security
112) ________ are methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards. Answer: Controls
113) Large public networks, such as the Internet, are more ________ than internal networks because they are virtually open to anyone. Answer: vulnerable
114) A fixed Internet address creates a target for hackers. Answer: fixed
115) Malicious software programs are referred to as ________. Answer: malware
116) A ________ is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission. Answer: virus
117) ________ are independent computer programs that copy themselves from one computer to other computers over a network. Answer: Worms
118) A ________ is a software program that appears to be benign but then does something other than expected. Answer: Trojan horse
119) A ________ is an individual who intends to gain unauthorized access to a computer system.

Answer: hacker
120) The term ________ is typically used to denote a hacker with criminal intent. Answer: cracker
121) ________ is the intentional disruption, defacement, or even destruction of a Web site or corporate information system. Answer: Cybervandalism
122) ________ also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. Answer: Spoofing
123) A ________ is a type of eavesdropping program that monitors information travelling over a network. Answer: sniffer
124) In a ________, hackers flood a network server or Web server with many thousands of false communications or requests for services to crash the network. Answer: denial-of-service (DoS) attack
125) ________ involves setting up fake Web sites or sending messages that look like those of legitimate businesses to ask users for confidential personal data. Answer: Phishing
126) ________ redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser. Answer: Pharming
127) ________ occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase. Answer: Click fraud
128) ________ is tricking people into revealing their passwords or other information by pretending to be legitimate users or members of a company in need of information. Answer: Social engineering
129) Growing complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed to an increase in software ________ or vulnerabilities. Answer: flaws
130) ________ defects cannot be achieved in larger programs. Answer: Zero
131) Many firms are reluctant to spend heavily on security because it is not directly related to ________. Answer: sales revenue
132) ________ controls are specific controls unique to each computerized application, such as payroll or order processing.

Answer: Application
133) ________ controls establish that data are complete and accurate during updating. Answer: Processing
134) ________ controls ensure that the results of computer processing are accurate, complete, and properly distributed. Answer: Output
135) A ________ determines the level of risk to the firm if a specific activity or process is not properly controlled. Answer: risk assessment
136) A ________ includes statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. Answer: security policy
137) An ________ defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. Answer: acceptable-use policy (AUP)
138) ________ devises plans for the restoration of computing and communications services after they have been disrupted. Answer: Disaster recovery planning
139) A ________ is a physical device, similar to an identification card, that is designed to prove the identity of a single user. Answer: token
140) A ________ is a device about the size of a credit card that contains a chip formatted with access permission and other data. Answer: smart card
141) ________ uses systems that read and interpret individual human traits, such as fingerprints, irises, and voices, in order to grant or deny access. Answer: Biometric authentication
142) A ________ is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. Answer: firewall
143) ________ examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet, examining individual packets in isolation. Answer: Packet filtering
144) ________ feature full-time monitoring tools placed at the most vulnerable points or hot spots of corporate networks to detect and deter intruders continually. Answer: Intrusion detection systems
145) ________ is designed to check computer systems and drives for the presence of computer viruses.

Answer: Antivirus software
146) ________ is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver. Answer: Encryption
147) ________ encryption uses two keys: one shared (or public) and one private. Answer: Public key
148) A ________ system uses a trusted third party, known as a certificate authority (CA), to validate a user's identity. Answer: digital certificate
149) ________ computer systems contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. Answer: Fault-tolerant
150) Malicious software programs referred to as ________ include a variety of threats such as computer viruses, worms, and Trojan horses. Answer: malware
151) ________ is a crime in which an imposter obtains key pieces of personal information to impersonate someone else. Answer: Identity theft
152) ________ is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. Answer: Computer forensics
153) On the whole, ________ controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. Answer: general
154) A(n) ________ examines the firm's overall security environment as well as the controls governing individual information systems. Answer: MIS audit
155) ________ consists of all the policies and procedures a company uses to prevent improper entry to systems by unauthorized insiders and outsiders. Answer: Access control
156) ________ refers to the ability to know that a person is who he or she claims to be. Answer: Authentication
157) Comprehensive security management products, with tools for firewalls, VPNs, intrusion detection systems, and more, are called ________ systems. Answer: unified threat management
158) When errors are discovered in software programs, the sources of the errors are found and eliminated through a process called ________.

Answer: debugging

ESSAY. Write your answer in the space provided or on a separate sheet of paper.

159) Discuss the issue of security challenges on the Internet as that issue applies to a global enterprise. List at least five Internet security challenges.
Answer: Large public networks, including the Internet, are more vulnerable because they are virtually open to anyone and because they are so huge that when abuses do occur, they can have an enormously widespread impact. When the Internet becomes part of the corporate network, the organization's information systems can be vulnerable to actions from outsiders. Computers that are constantly connected to the Internet via cable modem or DSL line are more open to penetration by outsiders because they use a fixed Internet address where they can be more easily identified. The fixed Internet address creates the target for hackers. To benefit from electronic commerce, supply chain management, and other digital business processes, companies need to be open to outsiders such as customers, suppliers, and trading partners. Corporate systems must be extended outside the organization so that employees working with wireless and other mobile computing devices can access them. This requires a new security culture and infrastructure, allowing corporations to extend their security policies to include procedures for suppliers and other business partners.

160) How can a firm's security policies contribute and relate to the six main business objectives? Give examples.
Answer: Operational excellence: Security policies are essential to operational excellence. A firm's daily transactions can be severely disrupted by cybercrime such as hackers. A firm's efficiency relies on accurate data. In addition, information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or placed in the wrong hands. New products, services, business models: Security policies protect a company's ideas for new products and services, which could be stolen by competitors. Additionally, enhanced security could be seen by a customer as a way to differentiate your product. Customer and supplier intimacy: Customers rely on your security if they enter personal data into your information system, for example, credit card information into your e-commerce site. The information you receive from customers and suppliers directly affects how able you are to customize your product, service, or communication with them. Improved decision making: Secure systems make data accuracy a priority, and good decision making relies on accurate and timely data. Lost and inaccurate data would lead to compromised decision making. Competitive advantage: The knowledge that your firm has superior security to another would, on an otherwise level playing field, make your firm more attractive to do business with. Also, improved decision-making and new products and services, which are also affected by security (see above), will contribute to a firm's competitive advantage. Strong security and control also increase employee productivity and lower operational costs. Survival: New laws and regulations make keeping your security system up-to-date a matter of survival. Inadequate security and control may result in serious legal liability. Firms have been destroyed by errors in security policies.

161) Three major concerns of system builders and users are disaster, security, and human error. Of the three, which do you think is most difficult to deal with? Why?
Answer: Disaster might be the most difficult because it is unexpected, broad-based, and frequently life threatening. In addition, the company cannot know if the disaster plan will work until a disaster occurs, and then it's too late to make corrections. Security might be the most difficult because it is an ongoing problem, new viruses are devised constantly, and hackers get smarter every day. Furthermore, damage done by a trusted employee from inside cannot be obviated by system security measures. Human error might be most difficult because it isn't caught until too late, and the consequences may be disastrous. Also, administrative error can occur at any level and through any operation or procedure in the company.

162) What are the security challenges faced by wireless networks?
Answer: Wireless networks are vulnerable because radio frequency bands are easy to scan. Both Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the standard can be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software. Hackers use these tools to detect unprotected networks, monitor network traffic, and, in some cases, gain access to the Internet or to corporate networks. Wi-Fi transmission technology was designed to make it easy for stations to find and hear one another. The service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple times and can be picked up fairly easily by intruders' sniffer programs. Wireless networks in many locations do not have basic protections against war driving, in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic. A hacker can employ an analysis tool to identify the SSID. An intruder that has associated with an access point by using the correct SSID is capable of accessing other resources on the network, using the Windows operating system to determine which other users are connected to the network, access their computer hard drives, and open or copy their files. Intruders also use the information they have gleaned to set up rogue access points on a different radio channel in physical locations close to users to force a user's radio NIC to associate with the rogue access point. Once this association occurs, hackers using the rogue access point can capture the names and passwords of unsuspecting users.

163) Why is software quality important to security? What specific steps can an organization take to ensure software quality?
Answer: Software errors pose a constant threat to information systems, causing untold losses in productivity. The growing complexity and size of software programs, coupled with demands for timely delivery to market, have contributed to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden bugs or program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs. Flaws in commercial software not only impede performance but also create security vulnerabilities that open networks to intruders. To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation of the software. Organizations must make best efforts both to keep purchased software up to date (applying patches promptly) and to make their own software and programming as bug-free as possible by employing software metrics and rigorous software testing. Ongoing use of metrics allows the information systems department and end users to jointly measure the performance of the system and identify problems as they occur. Examples of software metrics include the number of transactions that can be processed in a specified unit of time, online response time, the number of payroll checks printed per hour, and the number of known bugs per hundred lines of program code. For metrics to be successful, they must be carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will contribute significantly to system quality. Good testing begins before a software program is even written, by using a walkthrough: a review of a specification or design document by a small group of people carefully selected based on the skills needed for the particular objectives being tested. Once developers start writing software programs, coding walkthroughs also can be used to review program code. However, code must still be tested by computer runs. When errors are discovered, the source is found and eliminated through a process called debugging.

164) Hackers and their companion viruses are an increasing problem, especially on the Internet. What are the most important measures for a firm to take to protect itself from this? Is full protection feasible? Why or why not?
Answer: For protection, a company must institute good security measures, which will include firewalls, investigation of personnel to be hired, physical and software security and controls, antivirus software, and internal education measures. These measures are best put in place at the time the system is designed, with careful attention paid to them. A prudent company will engage in disaster protection measures, frequent updating of security software, and frequent auditing of all security measures and of all data upon which the company depends. Full protection may not be feasible in light of the time and expense involved, but a risk analysis can provide insight into which areas are most important and most vulnerable. These are the areas to protect first.

165) You have just been hired as a security consultant by MegaMalls Inc., a national chain of retail malls, to make sure that the security of their information systems is up to par. Outline the steps you will take to achieve this.
Answer:
1. Establish what data and processes are important and essential to the company. Determine what external and internal information is essential to the different employee roles in the company.
2. Conduct an MIS audit and a security audit, and create a risk assessment analysis.
3. Establish what legal, governmental, and industry standards need to be adhered to and which international standards are relevant.
4. Conduct a business impact analysis and determine a disaster recovery and business continuity plan.
5. Create a security policy that defines an acceptable use policy and authorization policies and processes.
6. Plan for any change management needed.
7. Determine how the success of your policy will be measured and set up means for measuring this.
8. Implement the policies.
9. Measure and evaluate the effectiveness of the policy and make any additional adjustments.

166) What is a digital certificate? How does it work?
Answer: Digital certificates are data files used to establish the identity of users and electronic assets for protection of online transactions. A digital certificate system uses a trusted third party, known as a certification authority (CA), to validate a user's identity. The CA verifies a digital certificate user's identity offline.
This information is put into a CA server, which generates a digitally signed certificate containing owner identification information and a copy of the owner's public key. The certificate attests that the public key belongs to the designated owner. The CA makes its own public key available publicly, either in print or on the Internet. The recipient of an encrypted message uses the CA's public key to check the signature on the digital certificate attached to the message, verifies that it was issued by the CA, and then obtains the sender's public key and identification information contained in the certificate. Using this information, the recipient can send an encrypted reply. The digital certificate system would enable, for example, a credit card user and a merchant to validate that their digital certificates were issued by an authorized and trusted third party before they exchange data. Public key infrastructure (PKI), the use of public key cryptography working with a certificate authority, is now widely used in e-commerce.

167) Define a fault-tolerant computer system and a high-availability computer system. How do they differ? When would each be used?
Answer: Both systems use backup hardware resources. Fault-tolerant computer systems contain extra memory chips, processors, and disk storage devices that can back the system up and keep it running to prevent a system failure. High-availability computing places the emphasis on quick recovery from a system crash. A high-availability system includes redundant servers, mirroring, load balancing, clustering, storage area networks, and a good disaster recovery plan. The main difference between them is that fault-tolerant computer systems are designed not to go down at all, whereas high-availability computer systems may go down but can recover quickly. Companies needing a technology platform with 100 percent, 24-hour system availability use fault-tolerant computer systems. High-availability computing environments are a minimum requirement for firms with heavy electronic commerce processing or that depend on digital networks for their internal operations.

168) How is the security of a firm's information system and data affected by its people, organization, and technology? Is the contribution of one of these dimensions any more important than the others? Why?

Answer: There are various technological essentials to protecting an information system: firewalls, authentication, encryption, antivirus protection, and so on. Without technology implemented correctly, there is no security. A firm's employees are its greatest threat, in terms of embezzlement and insider fraud, errors, and lax enforcement of security policies. Probably the most important dimension is organization, because this is what determines a firm's business processes and policies. The firm's information policies can most enhance security by stressing intelligent design of security systems, appropriate use of security technology, and the usability of its security processes.

169) Robert is in charge of security and control at his financial trading firm. He needs to approach management about investing large sums of money in the area of security and control. He knows that it will be a hard sell to this group because they are very focused on sales revenue and this is not directly related to that. Give Robert some arguments that he might use to convince the board to invest these funds in security and control.
Answer: Protecting information systems is so critical to the operation of the business that it deserves to be funded and made a priority in the firm. The firm has very valuable information assets to protect. Our systems house confidential information about individuals' taxes, financial assets, medical records, and job performance reviews. They also contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies. One study estimated that when the security of a large firm is compromised, the company loses approximately 2.1 percent of its market value within two days of the security breach, which translates into an average loss of $1.65 billion in stock market value per incident. Inadequate security and control may result in serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An organization can be held liable for needless risk and harm created if it fails to take appropriate protective action to prevent loss of confidential information, data corruption, or breach of privacy. A sound security and control framework that protects business information assets can thus produce a high return on investment. Strong security and control also increase employee productivity and lower operational costs.

170) Sally is the CEO of a chain of health clinics in Ontario. She is growing more and more concerned about the security of records in her company. She is wondering about the legal and regulatory requirements for electronic record management in Canada. What would you advise Sally about the legal and regulatory requirements for electronic record management in Canada?
Answer: Recent Canadian government regulations are forcing companies to take security and control more seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection. A firm in the health care industry will need to comply with the provincial health information privacy legislation enacted in several provinces, or with the original Canada Privacy Act or the newer Personal Information Protection and Electronic Documents Act (PIPEDA). These acts specify privacy, security, and electronic transaction standards for health care providers handling patient information, providing penalties for breaches of medical privacy or disclosure of patient records. Almost all organizations, specifically those that conduct commercial transactions, must conform to PIPEDA. In 2002, the Ontario Legislature passed Bill 198, known as Canadian SOX, or C-SOX, in response to the U.S. Sarbanes-Oxley Act. It imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally. One of the Learning Tracks for this chapter discusses C-SOX in detail. C-SOX is fundamentally about ensuring that internal controls are in place to govern the creation and documentation of information in financial statements. Because information systems are used to generate, store, and transport such data, the legislation requires firms to consider information systems security and other controls required to ensure the integrity, confidentiality, and accuracy of their data. Each system application that deals with critical financial reporting data requires controls to make sure the data are accurate. Controls to secure the corporate network, prevent unauthorized access to systems and data, and ensure data integrity and availability in the event of disaster or other disruption of service are essential as well.

171) Bob wants to use encryption tools in his firm but he is not sure if he should use public key or private key encryption. He really doesn't understand the differences between the two. Describe the two types of encryption for Bob.
Answer: There are two alternative methods of encryption: symmetric key encryption and public key encryption. In symmetric key encryption, the sender and receiver establish a secure Internet session by creating a single encryption key and sending it to the receiver, so both the sender and receiver share the same key. The strength of the encryption key is measured by its bit length. Today, a typical key will be 128 bits long (a string of 128 binary digits). The problem with all symmetric encryption schemes is that the key itself must be shared somehow among the senders and receivers, which exposes the key to outsiders who might be able to intercept it and then read the traffic. A more secure form of encryption called public key encryption uses two keys: one shared (or public) and one totally private. The keys are mathematically related so that data encrypted with one key can be decrypted only with the other key. To send and receive messages, communicators first create separate pairs of private and public keys. The public key is kept in a directory and the private key must be kept secret. The sender encrypts a message with the recipient's public key. On receiving the message, the recipient uses his or her private key to decrypt it. In practice the two methods are combined: public key encryption is used to deliver a symmetric session key securely, and the much faster symmetric cipher then protects the bulk of the traffic.
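To make the certificate flow described in 166 and the public key mechanics in 171 concrete, the following is an added worked example; it is not part of the textbook or its test bank. It uses a deliberately tiny "textbook" RSA with fixed Mersenne primes, no padding, and a SHA-256 digest reduced into the modulus, so it is not secure and only illustrates the mechanics. The certificate field layout, the issuer name "ToyCA", the subject "shop.example", and the message "card ok" are all assumptions made here.

```python
"""Toy certification-authority flow: issue, verify, then encrypt to the certified key.

Added example, not from the textbook. The RSA here is deliberately tiny and
unpadded (fixed Mersenne primes, hash reduced into the modulus), so it is NOT
secure; it only shows the mechanics of CA signing and public key encryption.
"""
import hashlib
import json

E = 65537  # public exponent; coprime with (p-1)(q-1) for the primes used below


def make_keypair(p, q):
    """Return (public_key, private_key) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def digest(data, n):
    """SHA-256 of data, reduced into the modulus (toy; real RSA pads instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def encrypt(public_key, message):
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("toy RSA: message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# The certification authority's own key pair (assumed, like every value below).
# 2**89-1 and 2**107-1 are Mersenne primes.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)


def issue_certificate(ca_private, subject, subject_public):
    """After verifying `subject` offline, the CA signs the name/key binding."""
    body = {"issuer": "ToyCA", "subject": subject,
            "n": subject_public[0], "e": subject_public[1]}
    to_be_signed = json.dumps(body, sort_keys=True).encode()
    return dict(body, signature=sign(ca_private, to_be_signed))


def check_certificate(cert, ca_public):
    """Return the subject's public key if the CA's signature holds, else None."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    to_be_signed = json.dumps(body, sort_keys=True).encode()
    if not verify(ca_public, to_be_signed, cert["signature"]):
        return None
    return (cert["n"], cert["e"])


def checkout_demo():
    """Customer validates a merchant's certificate, then encrypts a reply to it."""
    merchant_public, merchant_private = make_keypair(2**31 - 1, 2**61 - 1)
    cert = issue_certificate(CA_PRIVATE, "shop.example", merchant_public)

    # Customer side: trusts only CA_PUBLIC; learns the merchant key from the cert.
    key = check_certificate(cert, CA_PUBLIC)
    ciphertext = encrypt(key, b"card ok")
    # Only the merchant's private key recovers the message; the public key cannot.
    recovered = decrypt(merchant_private, ciphertext)
    wrong_key = decrypt(merchant_public, ciphertext)

    # An attacker who edits the certificate (here, the subject name) breaks the
    # CA's signature, so the customer refuses the key.
    forged = dict(cert, subject="evil.example")
    forged_accepted = check_certificate(forged, CA_PUBLIC) is not None

    return {"recovered": recovered,
            "public_key_decrypts": wrong_key == b"card ok",
            "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print(checkout_demo())
```

The customer never has to know the merchant's key in advance: it trusts one CA public key, checks the CA's signature over the name-to-key binding, and only then encrypts with the key it extracted. Editing any field of the certificate invalidates the signature, which is what makes the binding useful; in real deployments the signed fields also include a validity period and the CA's revocation information, which this toy omits.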

1) FALSE 2) FALSE 3) FALSE 4) FALSE 5) FALSE 6) FALSE 7) TRUE 8) TRUE 9) TRUE 10) TRUE 11) TRUE 12) TRUE 13) TRUE 14) TRUE 15) FALSE 16) FALSE 17) FALSE 18) TRUE 19) TRUE 20) TRUE 21) FALSE 22) FALSE 23) FALSE 24) TRUE 25) TRUE 26) TRUE 27) TRUE 28) TRUE 29) TRUE 30) FALSE 31) TRUE 32) TRUE 33) TRUE 34) TRUE 35) TRUE 36) FALSE 37) FALSE 38) TRUE 39) FALSE 40) FALSE 41) FALSE 42) TRUE 43) TRUE 44) TRUE 45) TRUE 46) FALSE 47) B 48) B 49) D 50) B 51) B

52) C 53) C 54) D 55) D 56) C 57) A 58) C 59) C 60) B 61) B 62) B 63) C 64) C 65) B 66) B 67) D 68) D 69) D 70) D 71) A 72) D 73) A 74) C 75) C 76) A 77) B 78) A 79) C 80) A 81) C 82) D 83) D 84) C 85) A 86) A 87) B 88) C 89) B 90) A 91) A 92) A 93) B 94) B 95) D 96) B 97) C 98) C 99) B 100) C 101) A 102) D 103) A

Securing Information Systems

Securing Information Systems Chapter 7 Securing Information Systems 7.1 Copyright 2011 Pearson Education, Inc. STUDENT LEARNING OBJECTIVES Why are information systems vulnerable to destruction, error, and abuse? What is the business

More information

Securing Information Systems

Securing Information Systems Introduction to Information Management IIM, NCKU System Vulnerability and Abuse (1/6) Securing Information Systems Based on Chapter 8 of Laudon and Laudon (2010). Management Information Systems: Managing

More information

CHAPTER 8 SECURING INFORMATION SYSTEMS

CHAPTER 8 SECURING INFORMATION SYSTEMS CHAPTER 8 SECURING INFORMATION SYSTEMS BY: S. SABRAZ NAWAZ SENIOR LECTURER IN MANAGEMENT & IT SEUSL Learning Objectives Why are information systems vulnerable to destruction, error, and abuse? What is

More information

Information Security in Corporation

Information Security in Corporation Information Security in Corporation System Vulnerability and Abuse Software Vulnerability Commercial software contains flaws that create security vulnerabilities. Hidden bugs (program code defects) Zero

More information

Securing Information Systems

Securing Information Systems Chapter 8 Securing Information Systems 8.1 2010 by Pearson LEARNING OBJECTIVES Explain why information systems are vulnerable to destruction, error, and abuse. Assess the business value of security and

More information

Securing Information Systems

Securing Information Systems Chapter 7 Securing Information Systems 7.1 2007 by Prentice Hall STUDENT OBJECTIVES Analyze why information systems need special protection from destruction, error, and abuse. Assess the business value

More information

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم بنام خدا تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم امنیت بخشی به سیستمهای فناوری اطالعات Securing Information Systems 1 Learning Objectives Describe the business value of security and control.

More information

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable? Introduction Controlling Information Systems When computer systems fail to work as required, firms that depend heavily on them experience a serious loss of business function. M7011 Peter Lo 2005 1 M7011

More information

Securing Information Systems

Securing Information Systems Securing Information Systems System Vulnerability and Abuse Security: Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information

More information

Securing Information Systems Barbarians at the Gateway

Securing Information Systems Barbarians at the Gateway Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches are on the rise Understand the potentially damaging impact of security breaches Security must be made a top

More information

IS Today: Managing in a Digital World 9/17/12

IS Today: Managing in a Digital World 9/17/12 IS Today: Managing in a Digital World Chapter 10 Securing Information Systems Worldwide losses due to software piracy in 2005 exceeded $34 billion. Business Software Alliance, 2006 Accessories for war

More information

Securing Information Systems

Securing Information Systems Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting

More information

Chapter 6 Network and Internet Security and Privacy

Chapter 6 Network and Internet Security and Privacy Chapter 6 Network and Internet Security and Privacy Learning Objectives LO6.1: Explain network and Internet security concerns LO6.2: Identify online threats LO6.3: Describe cyberstalking and other personal

More information

Chapter 10: Security and Ethical Challenges of E-Business

Chapter 10: Security and Ethical Challenges of E-Business Chapter 10: Security and Ethical Challenges of E-Business Learning Objectives Identify several ethical issues in IT that affect employment, individuality, working condition, privacy, crime health etc.

More information

Securing Information Systems

Securing Information Systems Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting

More information

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model Abhijit Vitthal Sathe Modern Institute of Business Management, Shivajinagar, Pune 411 005 abhijit_sathe@hotmail.com

More information

Discovering Computers Living in a Digital World

Discovering Computers Living in a Digital World Discovering Computers 2010 Living in a Digital World Objectives Overview Define the term, computer security risks, and briefly describe the types of cybercrime perpetrators Describe various types of Internet

More information

Internet of Things Toolkit for Small and Medium Businesses

Internet of Things Toolkit for Small and Medium Businesses Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors

More information

e-commerce Study Guide Test 2. Security Chapter 10

e-commerce Study Guide Test 2. Security Chapter 10 e-commerce Study Guide Test 2. Security Chapter 10 True/False Indicate whether the sentence or statement is true or false. 1. Necessity refers to preventing data delays or denials (removal) within the

More information

5. Execute the attack and obtain unauthorized access to the system.

5. Execute the attack and obtain unauthorized access to the system. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Before discussing the preventive, detective, and

More information

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of

More information

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief 5 Trends That Will Impact Your IT Planning in 2012 Layered Security Executive Brief a QuinStreet Excutive Brief. 2011 Layered Security Many of the IT trends that your organization will tackle in 2012 aren

More information

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Communication. Chapter # 5: Networking Threats. By: William Stalling Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals

More information

Chapter 4 Network and Internet Security

Chapter 4 Network and Internet Security Understanding Computers in a Changing Society, 3 rd Edition Chapter 4 Network and Internet Security Learning Objectives Explain why computer users should be concerned about network and Internet security.

More information

Cyber Security Practice Questions. Varying Difficulty

Cyber Security Practice Questions. Varying Difficulty Cyber Security Practice Questions Varying Difficulty 1 : This is a class of programs that searches your hard drive and floppy disks for any known or potential viruses. A. intrusion detection B. security

More information

Security Awareness. Chapter 2 Personal Security

Security Awareness. Chapter 2 Personal Security Security Awareness Chapter 2 Personal Security Objectives After completing this chapter, you should be able to do the following: Define what makes a weak password Describe the attacks against passwords

More information

Chapter 12. Information Security Management

Chapter 12. Information Security Management Chapter 12 Information Security Management We Have to Design It for Privacy... and Security. Tension between Maggie and Ajit regarding terminology to use with Dr. Flores. Overly technical communication

More information

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright Chapter 12 1

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright Chapter 12 1 Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright 2005 Chapter 12 1 IT Ethics, Impacts, and Security Chapter 12 2 Chapter Outline Ethical Issues Impact

More information

Most Common Security Threats (cont.)

Most Common Security Threats (cont.) Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?

More information

The Tension. Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes

The Tension. Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes s10 Security 1 The Tension Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes Security vs. desire of individuals to act anonymously

More information

3.5 SECURITY. How can you reduce the risk of getting a virus?

3.5 SECURITY. How can you reduce the risk of getting a virus? 3.5 SECURITY 3.5.4 MALWARE WHAT IS MALWARE? Malware, short for malicious software, is any software used to disrupt the computer s operation, gather sensitive information without your knowledge, or gain

More information

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations 98-367 MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations Which are common symptoms of a virus infection? (Lesson 5 p 135-136) Poor system performance. Unusually low

More information

10 Hidden IT Risks That Might Threaten Your Business

10 Hidden IT Risks That Might Threaten Your Business (Plus 1 Fast Way to Find Them) Your business depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine

More information

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

itexamdump 최고이자최신인 IT 인증시험덤프  일년무료업데이트서비스제공 itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and

More information

IT ACCEPTABLE USE POLICY

IT ACCEPTABLE USE POLICY CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to

More information

A Review Paper on Network Security Attacks and Defences

A Review Paper on Network Security Attacks and Defences EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY

More information

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,

More information

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan

More information

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN? WHAT IS CORPORATE ACCOUNT TAKEOVER? Corporate Account Takeover (also referred to as CATO) is a type of fraud where criminals gain access to a business financial accounts to make unauthorized transactions.

More information

CHAPTER 3. Information Systems: Ethics, Privacy, and Security

CHAPTER 3. Information Systems: Ethics, Privacy, and Security CHAPTER 3 Information Systems: Ethics, Privacy, and Security CHAPTER OUTLINE 3.1 Ethical Issues 3.2 Threats to Information Security 3.3 Protecting Information Resources LEARNING OBJECTIVES n Describe the

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 1 Introduction to Security Objectives Describe the challenges of securing information Define information security and explain why

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial

More information

CTS2134 Introduction to Networking. Module 08: Network Security

CTS2134 Introduction to Networking. Module 08: Network Security CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

PCI Compliance. What is it? Who uses it? Why is it important?

PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3rd party processors companies

Keys to a more secure data environment

Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

SECURITY & PRIVACY DOCUMENTATION

Okta's Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

SDR Guide to Complete the SDR

I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock

Why you MUST protect your customer data

Why you MUST protect your customer data If you think you're exempt from compliance with customer data security and privacy laws because you're a small business, think again. Businesses of all sizes are

A (sample) computerized system for publishing the daily currency exchange rates

A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency

Technology in Action

Technology in Action Chapter 7 Networking and Security: Connecting Computers and Keeping Them Safe from Hackers and Viruses 1 Peer-to-Peer Networks Nodes communicate with each other Peers Share peripheral

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor's intentions for publishing an

Education Network Security

Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

Email Security Using Digital Signatures & Encryption

Email Security Using Digital Signatures & Encryption CONTENTS. Introduction The Need for Email Security Digital Signatures & Encryption 101 Digital Signatures & Encryption in Action Selecting the Right

Define information security Define security as process, not point product.

CSA 223 Network and Web Security Chapter One What is information security. Look at: Define information security Define security as process, not point product. Define information security Information is

Simple and Powerful Security for PCI DSS

Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them

Personal Cybersecurity

Personal Cybersecurity The Basic Principles Jeremiah School, CEO How big is the issue? [chart: Estimated global damages in 2018; x-axis 2016 to 2030; Internet Users, Billions]

Online Threats. This include human using them!

Online Threats There are many dangers from using the web (and computer in general). One should watch out for malware, automated programs designed to cause harm to you, your data, and your system. You are

Cyber Criminal Methods & Prevention Techniques. By

Cyber Criminal Methods & Prevention Techniques By Larry.Boettger@Berbee.com Meeting Agenda Trends Attacker Motives and Methods Areas of Concern Typical Assessment Findings ISO-17799 & NIST Typical Remediation

SECURE USE OF IT Syllabus Version 2.0

ICDL MODULE SECURE USE OF IT Syllabus Version 2.0 Purpose This document details the syllabus for the Secure Use of IT module. The syllabus describes, through learning outcomes, the knowledge and skills

SECURE DATA EXCHANGE

POLICY-DRIVEN SOLUTIONS FOR SECURE DATA EXCHANGE Sending and receiving data is a fundamental part of daily business for nearly every organization. Companies need to share financial transaction details,

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ("Statement") provides important information

Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ("Statement") provides important information about how IT Support (UK) Ltd handle personal information.

Computer Security Policy

Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

Access Controls. CISSP Guide to Security Essentials Chapter 2

Access Controls CISSP Guide to Security Essentials Chapter 2 Objectives Identification and Authentication Centralized Access Control Decentralized Access Control Access Control Attacks Testing Access Controls

A practical guide to IT security

Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

Network Security and Cryptography. December Sample Exam Marking Scheme

Network Security and Cryptography December 2015 Sample Exam Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers

Chapter 4. Network Security. Part I

Chapter 4 Network Security Part I CCNA4-1 Chapter 4-1 Introducing Network Security Introduction to Network Security CCNA4-2 Chapter 4-1 Introducing Network Security Why is Network Security important? Rapid

ECDL / ICDL IT Security. Syllabus Version 2.0

ECDL / ICDL IT Security Syllabus Version 2.0 Module Goals Purpose This document details the syllabus for the IT Security module. The syllabus describes, through learning outcomes, the knowledge and skills

You've Been Hacked Now What? Incident Response Tabletop Exercise

You've Been Hacked Now What? Incident Response Tabletop Exercise Date or subtitle Jeff Olejnik, Director Cybersecurity Services 1 Agenda Incident Response Planning Mock Tabletop Exercise Exercise Tips

716 West Ave Austin, TX USA

Fundamentals of Computer and Internet Fraud GLOBAL Headquarters the gregor building 716 West Ave Austin, TX 78701-2727 USA TABLE OF CONTENTS I. INTRODUCTION What Is Computer Crime?... 2 Computer Fraud

QuickBooks Online Security White Paper July 2017

QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers' and employees' data a

Integrated Access Management Solutions. Access Televentures

Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

A Security Model for Space Based Communication Thom Stone Computer Sciences Corporation Prolog Everything that is not forbidden is compulsory -T.H. White They are after you Monsters in the Closet Virus

Certified Cyber Security Analyst VS-1160

VS-1160 Certified Cyber Security Analyst Certification Code VS-1160 Vskills certification for Cyber Security Analyst assesses the candidate as per the company's need for cyber security and forensics. The

Best Practices Guide to Electronic Banking

Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST IT Certification Guaranteed, The Easy Way! http://www.pass4test.com We offer free update service for one year Exam : GSLC Title : GIAC Security Leadership Certification (GSLC) Vendors : GIAC

Acceptable Use Policy

Acceptable Use Policy 1. Overview ONS IT's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to ONS established culture of openness, trust and integrity.

MIS5206-Section Protecting Information Assets-Exam 1

Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines

E-Commerce Security Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.

E-Commerce Security 2008 Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al. Learning Objectives 1. Explain EC-related crimes and why they cannot be stopped. 2. Describe an EC security

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Internet Communications Made Safe SteelGate Overview SteelGate Overview SteelGate is a high-performance VPN firewall appliance that Prevent Eliminate threats & attacks at the perimeter Stop unauthorized

Ethics and Information Security. Week 10 - Management Information Systems Spring 2014

Ethics and Information Security Week 10 - Management Information Systems Spring 2014 Ethical issue in using ICT? Learning Outcomes E-policies in an organization relationships and differences between hackers and viruses relationship

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

Security Awareness. Presented by OSU Institute of Technology

Security Awareness Presented by OSU Institute of Technology Information Technologies Division Security Awareness Topics Social Engineering Phishing Social Networks Displaying Sensitive Information Wireless

Ethical Hacking and Prevention

Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cyber fraud and its impact on the NHS: How organisations can manage the risk Chair: Ann Utley, Preparation Programme Manager, NHS Providers Arno Franken, Cyber Specialist, RSM Sheila Pancholi, Partner,

Security+ SY0-501 Study Guide Table of Contents

Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators

Whitepaper on AuthShield Two Factor Authentication with SAP

Whitepaper on AuthShield Two Factor Authentication with SAP By AuthShield Labs Pvt. Ltd Table of Contents Table of Contents...2 1.Overview...4 2. Threats to account passwords...5 2.1 Social Engineering

Retail/Consumer Client Internet Banking Awareness and Education Program

Retail/Consumer Client Internet Banking Table of Contents Securing Your Environment... 3 Unsolicited Client Contact... 3 Protecting Your Identity... 3 1) E-mail Risk... 3 2) Internet Risks... 4 3) Telephone

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

Information Technology Enhancing Productivity and Securing Against Cyber Attacks AGENDA Brief Overview of PortMiami Enhancing Productivity Using Technology Technology Being Using at the Port Cyber Attacks

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...

Wireless Network Security Fundamentals and Technologies

Wireless Network Security Fundamentals and Technologies Rakesh V S 1, Ganesh D R 2, Rajesh Kumar S 3, Puspanathan G 4 1,2,3,4 Department of Computer Science and Engineering, Cambridge Institute of Technology

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cyber Security Presenters: - Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and Registrant Regulation February 13, 2018 (webinar) February 15,

Acceptable Use Policy

Acceptable Use Policy 1. Overview The Information Technology (IT) department's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College's established

Acceptable Use Policy

Acceptable Use Policy. August 2016 1. Overview Kalamazoo College provides and maintains information technology resources to support its academic programs and administrative operations. This Acceptable

Home Computer and Internet User Security

Home Computer and Internet User Security Lawrence R. Rogers Version 1.0.4 CERT Training and Education Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh,

Cyber Security Guidelines for Public Wi-Fi Networks

Cyber Security Guidelines for Public Wi-Fi Networks Version: 1.0 Author: Cyber Security Policy and Standards Document Classification: PUBLIC Published Date: April 2018 Document History: Version Description