Data Breach
Occurs when an organization loses control of information to outsiders.
Information
An asset that must be protected.
Security
Policies, procedures, and technical measures to prevent theft, alteration, physical damage, and unauthorized access to information systems.
Controls
Methods, policies, and organizational procedures that ensure the safety of an organization's assets and records and its operational adherence to standards.
Identity Theft
A crime in which someone obtains key pieces of information to impersonate someone else.
Click Fraud
Occurs when an individual or computer program fraudulently clicks on an online ad without intent of making a purchase.
Click Farm
A business that pays employees to click on website elements to boost the status of a client's website/product.
CAPTCHA
A program that protects websites against bots by giving tests that humans can pass and computer programs can't.
Wireless security challenges
Radio frequency bands are easy to scan; both Bluetooth and Wi-Fi are susceptible to hacking.
War driving
Eavesdroppers drive by buildings/areas or park outside and try to intercept network traffic.
Malware
Malicious software, written with intent to cause annoyance or damage to a computer system or network.
Virus
Rogue software program that attaches itself to other software programs or data files to be executed without user knowledge or permission.
Worms
Independent programs that copy themselves from one computer to others over a network.
Trojan Horse
Software program that appears to be benign but contains destructive code intended to disrupt the computer.
SQL Injection Attacks
Takes advantage of vulnerabilities in poorly coded web application software to inject malicious program code into a company's system and networks.
Ransomware
A type of malware that tries to extort money from users by taking control of their computers.
Spyware
Technology that aids in gathering information about a person or organization without their knowledge.
Keyloggers
Monitor and record keystrokes and mouse clicks made on a computer.
Sniffers
Type of eavesdropping program that monitors information traveling over a network.
Denial of Service Attacks (DoS)
Floods a network server or web server with thousands of false requests to crash the network.
IoT DDoS Botnets
IoT devices are being used as a botnet to launch DDoS attacks.
Spoofing
Tricking or deceiving systems or users by hiding one's identity or taking the identity of another user on the internet.
Phishing
A high-tech scam in which an e-mail requests the update or confirmation of sensitive personal information.
Spear Phishing
A more targeted form of phishing in which messages appear to come from a trusted source.
Pharming
A type of phishing technique that involves web spoofing.
Evil Twins
A type of phishing technique involving network spoofing.
Insiders
Legitimate users who purposely or accidentally misuse their access to information to cause a business-affecting event.
Hacker
A person who gains unauthorized access to a network for profit, mischief, or personal pleasure.
Commercial Software
Can contain flaws that create security vulnerabilities.
Zero Day Vulnerabilities
Holes in software that are unknown to its creator, which hackers can exploit.
Patches
Small pieces of software released by a software vendor to repair flaws.
Evidence for white collar crimes
Found in digital form: data stored on computer devices, e-mail, instant messages, and e-commerce transactions.
Proper control of data
Can save time and money when responding to legal discovery requests.
Computer forensics
Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law.
General controls
Govern the design, security, and use of computer programs in general throughout an organization's information technology infrastructure.
Application controls
Specific controls unique to each computerized application, such as payroll or order processing, that ensure only authorized data are completely and accurately processed by that application.
Risk assessment
Determines the level of risk to the firm if a specific activity or process is not properly controlled.
Security Policy
Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals.
Acceptable use policy (AUP)
Defines acceptable use of a firm's information resources and computing equipment.
Authorization policies
Determine differing levels of user access to information assets.
Business continuity planning
Focuses on restoring business operations after a disaster.
Disaster recovery planning
Plans for the restoration of disrupted services; focuses primarily on the technical issues involved in keeping systems up and running.
Backup
Copies of critical systems and data, done on a regular basis.
Hot site
Separate and fully equipped facility where the firm can move immediately after a disaster and resume business.
Cold site
Separate facility without any computer equipment, but a place employees can move to after a disaster; provides a shell that must first be made 'computer ready.'
Information systems audit
Examines a firm's overall security environment as well as the controls governing individual information systems.
Identity management systems
Include business processes and technologies for identifying valid users of systems and what they are allowed to access/change.
Zero trust
Popular cybersecurity framework based on the principle of strict access controls and not trusting anyone or anything by default.
Authentication
The ability to know that a person is who he or she claims to be; method of confirming users' identities.
Authorization
Determines what actions, rights, or privileges the user has, based on the verified identity.
User ID
Combination of numbers, characters, and symbols used to identify a person as a legitimate user of a system.
Password
Combination of numbers, characters, and symbols, used to authenticate a user and allow access to a specified system.
Passphrase
Series of characters that is longer than a password but is still easy to memorize.
What attackers do
They use automated tools to mount brute-force attacks, dictionary attacks, hybrid attacks, and rainbow-table attacks.
Password management applications
Allow users to store usernames and passwords, along with other account details.
Cognitive Password
Requires the user to answer a question to verify their identity; commonly used as a form of secondary access.
Multifactor authentication
Validates users using a multistep process to increase security.
Two Factor authentication
A subset of multifactor authentication that uses just two factors.
Security Token
A small electronic device to change user passcodes automatically.
Smart Card
A device about the same size as a credit card, containing a chip formatted with access permissions and other data.
Terminal resource security
SW feature that erases the screen and signs the user off automatically after a specified length of inactivity.
Biometrics
Systems that read and interpret individual human traits to enhance security measures.
Issues in using biometrics
Costs, accuracy, perceived intrusiveness, effort required on part of user, cultural preferences/issues, context/environmental situation.
Firewall
HW and SW placed between an organization's internal network and an external network to prevent outsiders from invading private networks.
Intrusion detection systems (IDS)
Full-time monitoring tools placed at vulnerable spots on corporate networks to detect and deter intruders.
Intrusion prevention systems
Same functionalities as IDS but can also block suspicious activities.
Anti malware SW
Prevents, detects, and removes malware.
Unified Threat Management systems (UTM)
Combination of firewalls, VPNs, and anti-spam SW.
Encryption
The process of encoding messages before they enter the network and then decoding them on the receiving end.
Digital Certificate
Data file or electronic document used to establish the identity of users and electronic assets for protection of online transactions.
Blockchain
A type of distributed ledger that stores a permanent and tamper-proof record of transactions and shares them among a distributed network of computers.
Security outsourcing
Using managed security service providers.
Cloud computing security
Accountability and responsibility for privacy and security reside with the cloud user, although the cloud provider is actually doing the hosting.
Security of mobile computing devices
Must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts.
Enterprise Resource Planning Systems (ERP)
Integrate all departments and functions throughout an organization into a single IT system.
Legacy system
A system that has been in existence for a long time and that continues to be used to avoid the high cost of replacing or redesigning it.
Supply chain
An integrated network consisting of an organization, its suppliers, transportation companies and brokers used to deliver goods and services to customers.
Upstream
A firm's suppliers, suppliers' suppliers, processes for managing relationships with them.
Transformation
The company's internal supply chain - processing of materials/resources into semifinished and finished products/services.
Downstream
Organizations and processes responsible for delivering products to customers.
Poor SCM leads to inefficiencies
Effective SCM can support a just-in-time strategy.
Push-based model (build to stock)
Schedules based on forecasts or best guesses of demand.
Pull-based model (demand driven, build to order)
Customer order triggers events in supply chain.
Customer Relationship Management systems
Capture and integrate customer data from the entire organization.
Customer Touch Point
A method of interaction with a customer.
Sales force automation CRM modules
Increases profits.
Marketing CRM modules
Capture prospective and current customer data.
Cross-selling
Selling additional products or services to increase the value of the sale.
Up-selling
Increasing the value of the sale by selling a larger amount or size of the same product.
Automatic call distribution
A phone switch routes inbound calls to available agents.
Predictive dialing
Automatically dials outbound calls and when someone answers, the call is forwarded to an available agent/rep.
Interactive voice response (IVR)
Directs customers to use touch-tone phones or keywords to navigate or provide information.
Call scripting systems
Agent/rep can access organizational databases that track similar issues or questions.
Web-based self-service
Allows customers to use the web to find answers to their questions or solutions to their problems.