This 6 page Class Notes was uploaded by Lael Wynne on Tuesday April 12, 2016. The Class Notes belongs to 24418 at University of Illinois at Chicago taught by Erickson in Spring 2016. Since its upload, it has received 14 views. For similar materials see Intro to Management Information Systems in Business at University of Illinois at Chicago.
Date Created: 04/12/16
IDS Notes (4/9/16 - End of Semester)

Chapter 10: Information Systems Security

Threat- person/org that seeks to obtain/alter data or other information system assets illegally
Vulnerability- opportunity for threats to gain access to someone's assets
Safeguard- measure that people/orgs take to block the threat from obtaining the asset
Target- asset that is desired by the threat
Sources of threats:
1) Human error- caused by employees and non-employees
2) Computer crime- intentional destroying of data and system components
3) Natural events & disasters- fires, floods, etc.
Types of security loss:
1) Unauthorized data disclosure- when a threat gets data that's supposed to be protected
2) Data modification
3) Faulty service- incorrect system operations
4) Denial of service (DoS)
5) Loss of infrastructure
Pretexting- deceiving someone by pretending to be someone else or another org
Phishing- obtaining unauthorized data by using pretexting via email
Phisher- pretends to be a company and sends emails requesting confidential data
Spoofing- someone pretending to be someone else
IP spoofing- intruder uses another site's IP address to pose as that other site
Email spoofing- synonym for phishing
Sniffing- technique for intercepting computer communications
Wardrivers- drive through an area with wireless-enabled computers and search for unprotected wireless networks
Hacking- breaking into computers/networks to steal data
Usurpation- criminals invade a computer and replace programs with their own
Advanced persistent threat (APT)- long-running computer hack perpetrated by well-funded organizations
Intrusion detection system (IDS)- computer program that detects when another computer is trying to access a computer or network
Brute force attack- password-cracking program that tries various combinations of characters
Cookies- small files stored on the computer by a browser
Technical safeguards- involve the hardware and software components of an IS
 o Identification and authorization
 o Encryption
 o Firewalls
 o Malware protection
 o Application design
Data safeguards- the data component of an IS
 o Data rights and responsibilities
 o Passwords
 o Encryption
 o Backup and recovery
 o Physical security
Human safeguards- the procedures and people components of an IS
 o Hiring
 o Training
 o Education
 o Procedure design
 o Administration
 o Assessment
 o Compliance
 o Accountability
Identification- when an IS identifies a user by asking the user to sign in with a username and password
Authentication- when an IS verifies a user
Smart card- plastic card, like a credit card, loaded with identifying data
Personal identification number (PIN)- a number that only the user knows
Biometric authentication- uses physical characteristics to authenticate users
 o Fingerprints, facial features, retinal scans
Encryption- transforming clear text into coded text for secure storage/communication
Encryption algorithms- procedures for encrypting data
Symmetric encryption- method where the same key is used to encode/decode the message
Asymmetric encryption- method where different keys are used to encode/decode the message
Public key encryption- each site has a public key for encoding messages and a private key for decoding them
HTTPS- indication that a browser is using the SSL/TLS protocol to offer secure communications
Secure Sockets Layer (SSL)- uses both asymmetric and symmetric encryption
Transport Layer Security (TLS)- new name for a later version of SSL
Firewall- computing device that prevents unauthorized network access
Perimeter firewall- firewall that sits outside of the org's network
 o 1st device internet traffic encounters
Internal firewalls- firewalls inside of the org's network
Packet-filtering firewall- checks each packet and decides whether to let the packet pass
Malware- broad category of software including viruses, spyware, and adware
Virus- computer program that replicates itself
Payload- causes unwanted/hurtful actions that are undetected by the user
Trojan horses- viruses that masquerade as useful programs/files
Worm- virus that self-propagates using the internet or another computer network
Spyware- programs installed on the user's computer without the user's knowledge/permission
Key loggers- capture keystrokes without the user's knowledge
Adware- similar to spyware, resides in the background and watches the user's behavior
Malware safeguards:
1) Install antivirus and antispyware programs
2) Set up antimalware programs to scan your computer frequently
3) Update malware definitions
4) Open email attachments only from known sources
5) Promptly install software updates from legitimate sources
6) Browse only in reputable internet neighborhoods

Chapter Extension 14: Data Breaches

Data breach fees:
 o Notification
 o Detection
 o Escalation
 o Remediation
 o Legal fees and consultation
Personally identifiable info (PII)- data used to identify a person
 o Names, addresses, birthdates, social security numbers, etc.
Carding- validation process that charges a small amount on a stolen credit card to make sure it's working
Attack vectors- ways of attacking targets
Exploit- software used to take advantage of a new vulnerability in a target's app or operating system
Spear phishing- targeted phishing attack
How to respond to data breaches:
1) Respond quickly
2) Plan for a data breach
3) Be honest about the breach
Walk-through- meeting that discusses the steps each person takes in the event of a data breach
Business continuity planning- how to return the org to normal operations quickly following a data breach
Computer security incident response team (CSIRT)- team including staff from the legal/public relations departments
Notifying users of a data breach:
1) Be transparent in activity and demonstrate you're getting the word out
2) Follow normal media routine
3) Avoid absolutes
4) Avoid misleading statements
5) Don't withhold key details
6) Stay focused and concise
Payment Card Industry Data Security Standard (PCI DSS)- standards governing secure storage of cardholder data
 o Standards:
 1) Build/maintain secure network & systems
 2) Protect cardholder data
 3) Maintain a vulnerability management program
 4) Implement strong access control measures
 5) Regularly monitor/test networks
 6) Maintain an info security policy
Federal Information Security Management Act (FISMA)- requires security precautions for government agencies
Gramm-Leach-Bliley Act (GLBA)- financial services modernization act that requires data protection for financial institutions
Health Insurance Portability & Accountability Act (HIPAA)- requires data protection for healthcare institutions
Family Educational Rights & Privacy Act (FERPA)- gives protection for student education records
Countermeasures- software/procedures used to prevent attacks
Network intrusion detection system (NIDS)- intrusion detection system that examines traffic passing through a network to identify possible attacks
Data loss prevention systems (DLP)- prevent sensitive data from being released to unauthorized people
Preventing data loss:
1) Don't collect more data than necessary
2) Permanently destroy old data
3) Limit the number of places data is stored
4) Limit employee access to data
5) Document/log access to critical data
6) Develop effective termination procedures to prevent data theft
7) Develop policies that govern offsite data storage and use
8) Encrypt data when possible
9) Provide training to users about data security standards
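The notes define a packet-filtering firewall as a device that "checks each packet and decides whether to let the packet pass" and a perimeter firewall as the first device internet traffic encounters. The following is an added example, not part of the class notes, showing what that decision looks like in code: a small first-match rule set with a default-deny fallback. The rule set, the subnets and the sample packets are constructed for illustration.

```python
# Added example (not from the class notes): a minimal packet-filtering
# firewall. Each rule may constrain protocol, destination port and source
# network; the first matching rule decides, and a packet that matches no
# rule is dropped (default deny). All addresses below are constructed
# documentation-range examples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port
    src_net: Optional[str] = None    # CIDR; None matches any source

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_net is not None and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        return True


# Constructed perimeter rule set: block a known-bad source range first,
# let the public web ports through, allow SSH only from the admin subnet,
# and let everything else fall through to default deny.
PERIMETER_RULES: List[Rule] = [
    Rule("deny", src_net="203.0.113.0/24"),
    Rule("allow", proto="tcp", dst_port=443),
    Rule("allow", proto="tcp", dst_port=80),
    Rule("allow", proto="tcp", dst_port=22, src_net="198.51.100.0/24"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = PERIMETER_RULES) -> str:
    """Return 'allow' or 'deny' for one packet using first-match semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # nothing matched: default deny


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.10", 443, "tcp"),    # public HTTPS: allow
        Packet("192.0.2.10", 22, "tcp"),     # SSH from outside admin net: deny
        Packet("198.51.100.7", 22, "tcp"),   # SSH from admin net: allow
        Packet("203.0.113.5", 443, "tcp"),   # blocked source wins over port: deny
        Packet("192.0.2.10", 53, "udp"),     # no rule: default deny
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Rule order matters: the deny for the bad source range sits before the port allows, so an HTTPS packet from that range is still dropped, and anything the rules never mention is rejected rather than silently passed.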
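The notes describe an intrusion detection system as a program that detects when another computer is trying to access a computer or network, and a brute force attack as a program that tries many character combinations against a password. This added example (not from the class notes) shows one simple way an IDS can spot the second from the first's vantage point: it reads login-log lines and raises an alert when a single source accumulates more than a threshold of failed logins inside a sliding time window. The log format, the threshold and the sample lines are constructed for illustration.

```python
# Added example (not from the class notes): a minimal host IDS check that
# flags brute-force login attempts. It parses constructed auth-log lines
# and alerts when one source IP exceeds THRESHOLD failed logins within
# WINDOW seconds. Log format and sample data are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<ISO timestamp> <FAILED|ACCEPTED> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+) (FAILED|ACCEPTED) user=(\S+) src=(\S+)$")

THRESHOLD = 5   # failures tolerated inside the window before alerting
WINDOW = 60     # sliding window length in seconds


def parse_line(line):
    """Return (timestamp, result, user, src_ip) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3), m.group(4)


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a sorted list of (src_ip, first_alert_time) for every source
    whose failed logins exceed `threshold` within any `window` seconds."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerted = {}                  # src_ip -> time of first alert
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # ignore lines that don't fit the format
        ts, result, _user, src = parsed
        if result != "FAILED":
            continue              # only failures count toward the threshold
        q = recent[src]
        q.append(ts)
        # evict failures that have aged out of the sliding window
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted[src] = ts
    return sorted(alerted.items())


# Constructed sample log: one user who mistypes twice then succeeds, one
# source cycling through usernames quickly, and one source whose failures
# are spread far enough apart that they never pile up inside the window.
SAMPLE_LOG = """\
2016-04-09T10:00:00 FAILED user=alice src=192.0.2.10
2016-04-09T10:00:05 FAILED user=alice src=192.0.2.10
2016-04-09T10:00:09 ACCEPTED user=alice src=192.0.2.10
2016-04-09T10:00:10 FAILED user=user1 src=203.0.113.9
2016-04-09T10:00:12 FAILED user=user2 src=203.0.113.9
2016-04-09T10:00:14 FAILED user=user3 src=203.0.113.9
2016-04-09T10:00:16 FAILED user=user4 src=203.0.113.9
2016-04-09T10:00:18 FAILED user=user5 src=203.0.113.9
2016-04-09T10:00:20 FAILED user=user6 src=203.0.113.9
2016-04-09T10:01:00 FAILED user=bob src=198.51.100.4
2016-04-09T10:03:00 FAILED user=bob src=198.51.100.4
2016-04-09T10:05:00 FAILED user=bob src=198.51.100.4
2016-04-09T10:07:00 FAILED user=bob src=198.51.100.4
2016-04-09T10:09:00 FAILED user=bob src=198.51.100.4
2016-04-09T10:11:00 FAILED user=bob src=198.51.100.4
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for src, when in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"ALERT: possible brute force from {src} (first seen {when.isoformat()})")
```

The sliding window is what separates a real brute-force burst from ordinary mistakes: the slow source never has more than one failure inside any 60-second span, so it is not flagged, while the fast source trips the alert on its sixth failure. In practice the same counter would also key on the target username, since a brute force spread across many source addresses would otherwise stay under the per-source threshold.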