IS CHAP 7 part 2

Card Set Information
2011-11-08 04:11:10

  1. SW vulnerability
    • Commercial sw contains flaws that create security vulnerabilities
    • -hidden bugs (program code defects)
    • -flaws can open networks to intruders

    • Patches
    • -vendors release small pieces of sw to repair flaws without disturbing the proper operation of the sw
    • -the amount of sw in use can mean exploits are created faster than patches can be released and
    • implemented.

    • -a failed computer system can lead to total loss of business function
    • -firms are more vulnerable now than ever
    • -issues of liability
    • -a security breach may cut into a firm's market value almost immediately.
  2. Legal and Regulatory Requirements for Electronic Records Management

    •Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
    HIPAA-medical security and privacy rules and procedures

    Gramm-Leach-Bliley Act-requires financial institutions to ensure the security and confidentiality of customer data

    Sarbanes-Oxley Act-imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial info used internally and released externally
  3. electronic evidence and computer forensics

    electronic evidence-data stored on computer devices, emails, instant messages, e-commerce transactions
    • computer forensics-scientific collection, examination, authentication, preservation and analysis of data from computer storage media for use as evidence in a court of law
    • includes recovery of ambient and hidden data (e.g., deleted files whose bytes still sit in unallocated space); the original media is never modified, and a hash taken at acquisition is re-checked to prove it
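    The two forensic steps named on this card, recovering hidden data and authenticating the evidence, as an added example (not part of the original card set). The "disk image" is a constructed byte string containing one allocated text file and two deleted images left in unallocated space; the carver finds them by header/footer signature and every blob is hashed so it can be tied back to the image later.

```python
"""File carving and evidence hashing (added example, not part of the original card set).

Constructed input: a tiny "disk image" with one allocated text file followed by
unallocated space that still holds a deleted PNG and a deleted JPEG (ambient data).
"""
import hashlib

# File signatures (headers/footers) used for carving.
PNG_HEAD, PNG_TAIL = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"
JPEG_HEAD, JPEG_TAIL = b"\xff\xd8\xff", b"\xff\xd9"
SIGNATURES = {"png": (PNG_HEAD, PNG_TAIL), "jpeg": (JPEG_HEAD, JPEG_TAIL)}

# Constructed evidence image (not a real disk image).
ALLOCATED = b"quarterly report: revenue up 4%\n".ljust(64, b"\x00")
DELETED_PNG = PNG_HEAD + b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"fake-chunk-data" + PNG_TAIL
DELETED_JPEG = JPEG_HEAD + b"\xe0\x00\x10JFIF" + b"\x00" * 20 + JPEG_TAIL
DISK_IMAGE = ALLOCATED + b"\x00" * 16 + DELETED_PNG + b"\xff" * 8 + DELETED_JPEG + b"\x00" * 32


def evidence_hash(image: bytes) -> str:
    """Hash of the whole image: recorded at acquisition and re-checked later to show
    the evidence was not altered (preservation / authentication)."""
    return hashlib.sha256(image).hexdigest()


def carve(image: bytes) -> list:
    """Header/footer carving: scan the raw bytes (allocated or not) for known file
    signatures and cut out every header..footer span. Nothing in `image` is modified."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while (pos := image.find(head, start)) != -1:
            end = image.find(tail, pos + len(head))
            if end == -1:
                break  # header without footer: partially overwritten, not recoverable here
            end += len(tail)
            blob = image[pos:end]
            found.append({"type": kind, "offset": pos, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
            start = end
    return sorted(found, key=lambda f: f["offset"])


def examine(image: bytes) -> dict:
    """Full workflow: hash before, carve, hash after, and confirm the image is unchanged."""
    before = evidence_hash(image)
    artifacts = carve(image)
    after = evidence_hash(image)
    return {"image_sha256": before, "unchanged": before == after,
            "artifacts": [(a["type"], a["offset"], a["size"]) for a in artifacts]}


if __name__ == "__main__":
    for entry in examine(DISK_IMAGE)["artifacts"]:
        print(entry)
```

    Real carvers (e.g. on a write-blocked copy of the drive) work the same way at scale; the point to keep is that analysis runs on a copy whose hash matches the acquisition record, and that each recovered artifact is hashed so its origin in the image can be re-demonstrated in court.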
  4. General Controls
    govern the design, security, and use of computer programs and the security of data files in general throughout the organization's info technology infrastructure.

    apply to all computerized applications

    combo of hw, sw, and manual procedures to create an overall control environment
  5. Application Controls
    specific controls unique to each computerized application, such as payroll or order processing

    include automated and manual procedures

    • ensure that only authorized data are completely and accurately processed by that application
    • include:
    • input controls (edit checks and batch control totals on the data going in)
    • processing controls (checks that the data was processed completely and correctly)
    • output controls (reconciliation of results before they are released)
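    The three control layers applied to a payroll batch, as an added example (not from the card set). The batch header, records, employee-id format and 80-hour reasonableness limit are all constructed for illustration; the pattern (edit checks, record-count and hash totals carried from input through processing to output, release only when every layer passes) is the standard one.

```python
"""Input, processing and output controls for a payroll batch (added example; the
records, batch header and rules are constructed for illustration)."""
import re
from decimal import Decimal

EMP_ID = re.compile(r"^E\d{5}$")
MAX_HOURS = Decimal("80")   # reasonableness limit, constructed for the example

# Constructed batch: a header with control totals prepared by the submitting department.
BATCH_HEADER = {"record_count": 3, "hours_total": Decimal("112.5")}
RECORDS = [
    {"emp_id": "E10001", "hours": Decimal("40"),   "rate": Decimal("25.00")},
    {"emp_id": "E10002", "hours": Decimal("32.5"), "rate": Decimal("30.00")},
    {"emp_id": "E10003", "hours": Decimal("40"),   "rate": Decimal("18.50")},
]


def input_controls(header, records):
    """Edit checks on each record plus batch control totals (record count, hash total)."""
    errors = []
    for i, r in enumerate(records):
        if not EMP_ID.match(r["emp_id"]):
            errors.append(f"record {i}: malformed employee id {r['emp_id']!r}")
        if not (Decimal(0) <= r["hours"] <= MAX_HOURS):
            errors.append(f"record {i}: hours {r['hours']} outside 0..{MAX_HOURS}")
        if r["rate"] <= 0:
            errors.append(f"record {i}: non-positive pay rate")
    if len(records) != header["record_count"]:
        errors.append(f"batch: {len(records)} records, header says {header['record_count']}")
    if sum(r["hours"] for r in records) != header["hours_total"]:
        errors.append("batch: hours hash total does not match header")
    return errors


def process(records):
    """The application's actual work: compute gross pay per employee."""
    return [{"emp_id": r["emp_id"],
             "gross": (r["hours"] * r["rate"]).quantize(Decimal("0.01"))}
            for r in records]


def processing_controls(records, results):
    """Run-to-run checks: every input produced exactly one output, and an independently
    computed control total matches what the processing step produced."""
    errors = []
    if [r["emp_id"] for r in records] != [p["emp_id"] for p in results]:
        errors.append("processing: input/output employee ids differ")
    expected = sum(r["hours"] * r["rate"] for r in records)
    if sum(p["gross"] for p in results) != expected:
        errors.append("processing: gross control total mismatch")
    return errors


def output_controls(header, results):
    """Reconcile the output batch before it is released (printed/paid)."""
    errors = []
    if len(results) != header["record_count"]:
        errors.append("output: payment count differs from batch header")
    if any(p["gross"] < 0 for p in results):
        errors.append("output: negative payment")
    return errors


def run_payroll_batch(header, records):
    """Default deny: the batch is released only if every control layer passes."""
    errors = input_controls(header, records)
    if errors:
        return {"released": False, "errors": errors, "gross_total": None}
    results = process(records)
    errors = processing_controls(records, results) + output_controls(header, results)
    total = sum(p["gross"] for p in results)
    return {"released": not errors, "errors": errors, "gross_total": total}
```

    Running the constructed batch releases 2715.00; multiplying one record's hours by ten is caught twice (out-of-range hours and a hash-total mismatch against the header), which is the point of carrying totals that the submitting department computed independently of the application.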
  6. risk assessment
    • determines the level of risk to the firm if a specific activity or process is not controlled properly
    • -types of threat
    • -probability of occurrence during the year
    • -potential losses, value of threat
    • -expected annual loss (probability of occurrence × average loss)
  7. security policy
    ranks info risks, identifies acceptable security goals and identifies mechanisms for achieving these goals

    drives other policies

    • AUP (acceptable use policy)
    • -defines acceptable uses of the firm's info resources and computing equipment

    • authorization policies
    • -determine differing levels of user access to info assets
  8. authorization management systems
    -establish when and where a user is permitted to access certain parts of a Web site or corporate database

    -allow each user access only to those portions of the system that the person is permitted to enter, based on info established by a set of access rules or profiles
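    The "when and where" check described above, as an added example (not from the card set): access rules per role, a security profile per user carrying permitted hours and source networks, and a single default-deny decision function. Roles, resources, users and address ranges are all constructed.

```python
"""Authorization management: access rules per role, a security profile per user, and a
default-deny check of who may do what, when and from where (added example; all rules,
users and addresses are constructed)."""
import ipaddress

# Access rules: role -> resource -> permitted actions. Anything not listed is denied.
ACCESS_RULES = {
    "payroll_clerk": {"employee/salary": {"read", "update"},
                      "employee/address": {"read"}},
    "hr_manager":    {"employee/salary": {"read"},
                      "employee/medical": {"read", "update"},
                      "employee/address": {"read", "update"}},
    "employee":      {"employee/address": {"read", "update"}},
}

# Security profiles: each user's role plus when (hour of day) and from where access is permitted.
PROFILES = {
    "jdoe":   {"role": "payroll_clerk", "hours": (8, 18), "networks": ["10.0.0.0/8"]},
    "asmith": {"role": "hr_manager",    "hours": (7, 20), "networks": ["10.0.0.0/8", "192.0.2.0/24"]},
    "bwong":  {"role": "employee",      "hours": (0, 24), "networks": ["0.0.0.0/0"]},
}


def is_permitted(user, resource, action, hour, src_ip):
    """Return (allowed, reason). Every gate must pass; the final fallback is deny."""
    profile = PROFILES.get(user)
    if profile is None:
        return False, "unknown user"
    start, end = profile["hours"]
    if not (start <= hour < end):
        return False, "outside permitted hours"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(net) for net in profile["networks"]):
        return False, "source network not permitted"
    allowed = ACCESS_RULES.get(profile["role"], {}).get(resource, set())
    if action not in allowed:
        return False, f"role {profile['role']} may not {action} {resource}"
    return True, "ok"


if __name__ == "__main__":
    print(is_permitted("jdoe", "employee/salary", "update", 10, "10.1.2.3"))
    print(is_permitted("jdoe", "employee/medical", "read", 10, "10.1.2.3"))
```

    Note that the rules grant; nothing is ever subtracted. A user whose role has no entry for a resource gets an empty permission set, so a new resource is unreachable until someone deliberately adds it to a role, which is the least-privilege default this kind of system should have.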
  9. disaster recovery planning-devises plans for the restoration of disrupted services
    backup-copies of critical systems and data, made on a regular basis (and restore-tested; a backup that has never been restored is unverified)

    hot site-separate and fully equipped facility where the firm can move immediately after a disaster and resume business

    cold site-separate facility without any computer equipment, but a place employees can move to after a disaster; provides a "computer ready" shell to get started
  10. business continuity planning-focuses on restoring business operations after a disaster
    • -identify the firm's most critical systems
    • -business impact analysis to determine the impact of an outage
    • -management must determine which systems are restored first
    • -determine action plans for handling mission-critical functions
  11. MIS audit
    • -examines the firm's overall security environment as well as controls governing individual info systems
    • -reviews technologies, procedures, documentation, training, and personnel
    • -may even simulate a disaster to test the response of technology, IS staff, other employees
    • -lists and ranks all control weaknesses and estimates the probability of occurrence
    • -assesses the financial and organizational impact of each threat
  12. Access Control
    -policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders

    -to gain access a user must be authorized and authenticated

    -authentication-the ability to know that a person is who he or she claims to be; a method of confirming users' identities

    • -authorization-the process of giving permission to perform an action or reach a resource
    • examples of access control mechanisms:
    • -user ID's and pw
    • -security profile
    • -token
    • -biometrics
    • -terminal resource security
    • -cognitive pw
  13. Password
    combination of numbers, characters, and symbols that is entered to allow access to a system

    length and complexity determine its vulnerability to discovery (guessing, dictionary attack, brute force)

    • Cognitive passwords-answer questions to verify identity
    • what's your mother's maiden name? (weak: the answers are often public or guessable)

    • security profile-made up of 2 parts
    • -a unique picture and descriptive phrase chosen by you to verify that you are on the legitimate site

    • token (security token)
    • -small physical device that displays a passcode which changes automatically (a one-time code)
    • -designed to prove the identity of a single user

    • smart card
    • about the same size as a credit card, containing a chip formatted with access permissions and other data; a reader device interprets the data on the card and allows or denies access

    • biometrics-physiological elements that enhance security measures; unique to a person and cannot be lost or forgotten (caveat: a copied fingerprint or template cannot be revoked and reissued the way a password can)
    • ex: fingerprints
    • facial recog
    • palm prints
    • retinal scanning
    • iris analysis
  14. issues in choosing a biometric
    • -cost
    • -accuracy (false-accept and false-reject rates)
    • -perceived intrusiveness
    • -effort required on the part of the user
  15. terminal resource security
    sw feature that erases the screen and signs the user off automatically after a specified length of inactivity
  16. Firewalls
    combo of hw and software that prevents unauthorized users from accessing private networks

    • technologies include:
    • static packet filtering (each packet judged on its own headers, no memory of connections)
    • NAT-network address translation
    • application proxy filtering
  17. Intrusion detection systems
    monitor hot spots on corporate networks to detect and deter intruders

    examine events as they are happening to discover attacks in progress.
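    What "examining events as they happen" looks like for one common signature, as an added example (not from the card set): a detector that streams authentication-log lines once, keeps a sliding window of failed logins per source address, and raises an alert at a threshold and again if that source later logs in successfully. The sshd-style log lines are constructed; the 5-in-60-seconds threshold is an assumption.

```python
"""Threshold detection over auth-log lines: password brute force, then a success from
the same source (added example; the log lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (not captured from a real host).
LOG_LINES = """\
Mar 12 10:01:02 bastion sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 12 10:01:05 bastion sshd[2013]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 12 10:01:09 bastion sshd[2015]: Failed password for invalid user oracle from 198.51.100.7 port 40141 ssh2
Mar 12 10:01:10 bastion sshd[2016]: Failed password for jdoe from 10.0.0.8 port 51022 ssh2
Mar 12 10:01:14 bastion sshd[2018]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar 12 10:01:20 bastion sshd[2020]: Failed password for root from 198.51.100.7 port 40162 ssh2
Mar 12 10:01:31 bastion sshd[2024]: Accepted password for root from 198.51.100.7 port 40170 ssh2
Mar 12 10:01:40 bastion sshd[2026]: Accepted password for jdoe from 10.0.0.8 port 51030 ssh2
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, ip) or None for lines this detector ignores."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_seconds=60):
    """Stream the log once; keep a sliding window of failure times per source address.
    Alerts: 'bruteforce' when `threshold` failures land inside the window, and
    'success_after_bruteforce' when that same source later authenticates."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(q)} failures in {window_seconds}s"))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", f"user {user}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

    The second alert is the one worth paging on: a burst of failures alone may be a scanner, but a success from a source that was just brute-forcing is an intrusion in progress. The one failure from 10.0.0.8 followed by a success (a typo) produces nothing, which is the false-positive case the threshold exists for.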
  18. antivirus and antispyware sw
    • -checks computers for the presence of malware and can often eliminate it as well
    • -requires continual updating (signatures go stale quickly)
  19. UTM
    unified threat management systems
    combination of security tools, including firewalls, intrusion detection systems, VPNs, web content filtering, and antispam SW
  20. WEP can be improved
    • -users must activate it (many never do)
    • -assign a unique name to the SSID and instruct the NIC to use it
    • -use it with VPN technology

    • WPA2-Wi-Fi Alliance standard finalized to replace WEP
    • -uses longer keys that continually change
    • -encrypted authentication system with a central server
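    The two configurations side by side, as an added example (not from the card set): a hostapd configuration fragment with the WEP settings commented out and WPA2-Enterprise enabled against a central RADIUS server. The interface name, SSID, server address and shared secret are placeholders.

```ini
# hostapd.conf fragment, added as an example (not from the original card set).
# Interface name, SSID, RADIUS server address and secret are placeholders.

interface=wlan0
ssid=corp-wifi
# Do not broadcast the SSID; clients are configured with it explicitly.
# (This only hides it from casual scans; the name is still visible in client frames.)
ignore_broadcast_ssid=1

# --- Weak: WEP. One static RC4 key shared by every client. Left commented out. ---
# wep_default_key=0
# wep_key0=0123456789

# --- WPA2-Enterprise: per-session keys, each user authenticated by a central server. ---
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
```

    With `wpa=2` and `WPA-EAP`, the key material is negotiated per client per session after the RADIUS server has accepted the user's credentials, which is the "longer keys that continually change" and "central server" the card describes; the VPN recommendation under WEP exists precisely because WEP's single static key offered no such property.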
  21. Encryption
    •Process of encoding messages before they enter the network and then decoding them at the receiving end

    •Transforming (encrypting) text or data, called "plaintext" or "cleartext", into "ciphertext" that cannot be read by unintended recipients

    •The data or text is then unscrambled, or decrypted, at the receiving end

    •Rules for encryption determine how simple or complex the transformation process should be; these rules are known as the "encryption algorithm"


  22. Two methods (protocols) for encryption on networks
    •Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) – enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session; establish a secure connection between two computers

    •Secure Hypertext Transfer Protocol (S-HTTP) – limited to individual messages (never widely deployed; in practice web traffic is protected by HTTPS, i.e. HTTP over SSL/TLS)
  23. Encryption algorithms use a "key" to encrypt and decrypt data – the strength of a key is measured by its bit length (a typical symmetric key is 128 bits; symmetric and public-key lengths are not directly comparable, a 2048-bit RSA key being roughly as strong as a 112-bit symmetric key)

    two methods
    • Symmetric key encryption
    • Sender and receiver use a single, shared key

    • Public key encryption

    Uses two mathematically related keys: a public key and a private key

    Sender encrypts the message with the recipient's public key

    Recipient decrypts with the private key
  24. Digital certificate
    •Data file used to establish the identity of users and electronic assets for protection of online transactions

    •Uses a trusted third party, a certification authority (CA), to validate a user's identity

    •CA verifies the user's identity, stores the information on the CA server, which generates a digitally signed certificate containing owner ID information and a copy of the owner's public key (signed, not encrypted: anyone can read the certificate, but only the CA could have produced the signature)

    •The digital certificate system enables a credit card user and a merchant to validate that their digital certificates were issued by a trusted CA before they exchange data

    Public key infrastructure (PKI)-use of public key cryptography working with a CA; widely used in e-commerce
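    Cards 23 and 24 worked through in code, as an added example (not from the card set, and not a real implementation of SSL/TLS or X.509): two mathematically related keys, encryption with the recipient's public key and decryption with the private key, a CA that signs a subject's identity and public key, a relying party that validates that signature before trusting the key, and the hybrid pattern in which the public key protects a symmetric session key and the session key protects the bulk data. Only the standard library is used: the RSA arithmetic is textbook RSA with known Mersenne primes and no padding, the symmetric cipher is a hash-derived keystream, and the certificate is a signed JSON object. All of those are illustrative choices; production code uses a vetted library (RSA-OAEP or ECDH, AES-GCM, X.509) at proper key sizes.

```python
"""Symmetric vs. public-key encryption and a toy certificate authority, using only the
standard library (added example, not from the card set). Textbook RSA with known
Mersenne primes and no padding, a hash-keystream stream cipher, and JSON "certificates"
are illustration only; real systems use vetted libraries (RSA-OAEP/AES-GCM, X.509)."""
import hashlib
import hmac
import json
import secrets

# Distinct primes per key pair (sharing a prime between two moduli would break both keys).
CA_PRIMES = (2 ** 521 - 1, 2 ** 607 - 1)      # Mersenne primes M521, M607
ALICE_PRIMES = (2 ** 107 - 1, 2 ** 127 - 1)   # Mersenne primes M107, M127


def make_keypair(primes, e=65537):
    """Two mathematically related keys: public (n, e) and private (n, d), d = e^-1 mod phi."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, value: int) -> int:
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def encrypt_to(public_key, data: bytes) -> int:
    """Sender encrypts with the recipient's public key ..."""
    return rsa_apply(public_key, int.from_bytes(data, "big"))


def decrypt_with(private_key, ciphertext: int, length: int) -> bytes:
    """... and only the holder of the matching private key can decrypt."""
    return rsa_apply(private_key, ciphertext).to_bytes(length, "big")


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha224(data).digest(), "big")  # 224 bits < every modulus here


def sign(private_key, data: bytes) -> int:
    """Signing is the private-key operation applied to the hash of the data."""
    return rsa_apply(private_key, digest(data))


def verify(public_key, data: bytes, signature: int) -> bool:
    return rsa_apply(public_key, signature) == digest(data)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric: one shared key, and the same call both encrypts and decrypts.
    Toy keystream = HMAC-SHA256(key, block index); not a standard cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA binds an identity to a public key by signing the pair."""
    body = {"subject": subject, "issuer": "Example CA",
            "n": subject_public[0], "e": subject_public[1]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(ca_private, encoded)}


def validate_certificate(ca_public, cert: dict) -> bool:
    """The relying party checks the CA's signature before trusting the key inside."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_public, encoded, cert["signature"])


def hybrid_round_trip(message: bytes) -> bytes:
    """The SSL/TLS pattern: the public key protects a fresh symmetric session key, the
    session key protects the bulk data. Returns what the recipient decrypts."""
    ca_pub, ca_priv = make_keypair(CA_PRIMES)
    alice_pub, alice_priv = make_keypair(ALICE_PRIMES)
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    if not validate_certificate(ca_pub, cert):
        raise ValueError("certificate not issued by a trusted CA")
    session_key = secrets.token_bytes(16)
    wrapped_key = encrypt_to((cert["body"]["n"], cert["body"]["e"]), session_key)
    ciphertext = stream_xor(session_key, message)
    # recipient side: unwrap the session key with the private key, then decrypt the data
    recovered_key = decrypt_with(alice_priv, wrapped_key, 16)
    return stream_xor(recovered_key, ciphertext)


if __name__ == "__main__":
    print(hybrid_round_trip(b"card number 4111 (constructed)"))
```

    Changing one byte of the certificate body makes `validate_certificate` return False, because the signature was the CA's private-key operation over the hash of the original body and only the CA can produce a new one. That is the whole mechanism by which a browser or merchant decides, as the card puts it, that a certificate "was issued by a trusted CA" before exchanging data under the key it carries.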


  25. Ensuring system availability
    Online transaction processing requires 100 percent availability, no downtime.
    • Fault-tolerant computer systems
    • -Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
    • -Use special SW routines or self-checking logic built into their circuitry to detect HW failures and automatically switch to a backup device

    • High-availability computing
    • -Helps recover quickly from a crash
    • -Minimizes, does not eliminate, downtime

    • Recovery-oriented computing
    • -Designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multicomponent systems

    • Controlling network traffic
    • -Deep packet inspection (DPI)
    • -Sorts out low-priority online material while assigning a higher priority to business-critical files and data

    • Security outsourcing
    • -Using managed security service providers (MSSPs)
  26. Cloud Computing
    -Accountability and responsibility for privacy and security reside with the cloud user, although the cloud provider is actually doing the hosting ...

    -Mobile computing devices must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts
  27. Ensuring software quality
    Software metrics: objective assessments of a system in the form of quantified measurements

    -Number of transactions processed per minute

    -Online response time

    -Payroll checks printed per hour

    -Known bugs per hundred lines of code

    • Early and regular testing during the development process

    • -Walkthrough: review of a specification or design document by a small group of qualified people

    • -Debugging: process by which errors are discovered and eliminated