Security
The policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls
The methods, policies, and organizational procedures that ensure the safety of assets, the accuracy of records, and operational adherence to management standards
Interconnection
Systems in different locations are linked by networks.
Threat Actor
An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
Client
Unauthorized access, errors
Communications
Tapping, sniffing, message alteration, theft, fraud
Corporate Servers
Hacking, malware, vandalism, denial-of-service attacks
Corporate Systems (Backend)
Theft/copying of data, alteration of data, hardware/software failure
Mobile Devices
Electronic devices that fit into the palm of your hand, such as personal digital assistants (PDAs), calculators, smart phones and other cell phones, electronic organizers, and handheld games.
Internet vulnerabilities
Network open to anyone
Size of Internet means abuses can have wide impact
Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers
E-mail attachments, file downloading, and sharing
E-mail used for transmitting trade secrets
IM messages lack security, can be easily intercepted
Sniffer
a type of eavesdropping program that monitors information traveling over a network
Wifi
a local area network that uses high frequency radio signals to transmit and receive data over distances of a few hundred feet
Rogue Access Points
Unauthorized wireless network access device.
5G
The fifth-generation wireless broadband technology based on the 802.11ac standard engineered to greatly increase the speed and responsiveness of wireless networks
Malware
software that is intended to damage or disable computers and computer systems.
Drive-by Download
Program which automatically downloads when a user visits a web page, usually without their knowledge or consent.
Malvertising
fake online advertising designed to trick users into downloading malicious software onto their computer
Virus
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data
Worm
A destructive computer program that bores its way through a computer's files or through a computer's network.
Trojan Horse
a program that appears desirable but actually contains something harmful
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Bot
Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and worm capabilities.
Botnet
a network of internet-connected devices (computers, IoT gadgets, etc.) secretly infected with malware
PUP (potentially Unwanted Program)
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
Keylogger
a malicious program that records keystrokes.
Cybercriminals
Primarily motivated by financial gain
Hacker
a person who uses computers to gain unauthorized access to data.
Ethical Hacker
An expert at breaking into systems and can attack systems on behalf of the system's owner and with the owner's consent.
Hacktivist
Someone who uses computers and computer networks to disrupt services or share secret information in an effort to draw attention to political or social issues.
Cybervandalism
the electronic defacing of an existing website
Nation-State / Terrorist Group
Geopolitical motives
Social Engineering
hackers use their social skills to trick people into revealing access credentials or other valuable information
Spoofing
a technique intruders use to make their network or internet transmission appear legitimate to a victim computer or network
Phishing
An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Spear Phishing
a phishing expedition in which the emails are carefully designed to target a particular person or organization
Business Email Compromise (BEC)
A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage
Evil Twins
Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
Pharming
Reroutes requests for legitimate websites to false websites
Living off the Land (LOTL)
A tactic used by attackers that leverages existing tools and applications within an organization against itself to avoid detection.
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
Denial of Service (DOS) Attack
Flooding a server with false requests to crash it
Distributed DoS (DDoS) Attack
An attack in which multiple hosts simultaneously flood a target host with traffic, rendering the target unable to function.
Data Breach
The loss of control over an organization's data
Credential Stuffing
Brute force attack in which stolen user account names and passwords are tested against multiple websites.
Identity Theft
A crime that involves someone pretending to be another person in order to steal money or obtain benefits
Cyberwarfare
war in which a country's information systems could be paralyzed from a massive attack by destructive software
Cyberterrorism
Like cyber warfare, but executed by a terrorist group
Bug
An error in a program.
Zero Day Vulnerability
software vulnerability that has been previously unreported and for which no patch yet exists
SQL Injection Attack
occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data
Patch
code released by software developers that fixes a particular vulnerability
Patch management
management of patches
Software Supply Chain Attack
hackers target development environments to infect software that is then downloaded by end users
Deepfake
Creates bogus media—images, sound, or video—created by artificial intelligence that distort media in a way that makes it appear that a false event actually took place.
Prompt Injection (Jailbreaking)
Using special prompts to trick an LLM into bypassing its safety guardrails to produce harmful content.
HIPAA
(Health) Protects medical data.
Gramm-Leach-Bliley Act
(Financial) Requires security for customer data
Sarbanes-Oxley Act (SOX)
(Publicly Traded) Requires controls to ensure the accuracy and integrity of financial data.
Electronic Evidence (ESI)
Most legal evidence is now digital
Digital Forensics
the discovery, collection, and analysis of evidence found on computers and networks
General Controls
Govern the design, security, and use of computer programs and data files throughout the organization's IT infrastructure
Application Controls
Specific controls unique to each application (e.g., payroll, order processing).
Input Controls
Check data for accuracy and completeness when data enters the system
Processing Controls
establish that data are complete and accurate during updating
Output Controls
ensure the results of processing are accurate, complete, and properly distributed
Risk Assessment
evaluation of the short-term and long-term risks associated with a particular activity or hazard
Security Policy
A document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure.
Acceptable Use Policy
a policy that a user must agree to follow in order to be provided access to a network or to the internet
Disaster Recovery Planning
Devises plans for restoration of disrupted services
Business Continuity Planning
outlines procedures for keeping an organization operational in the event of a natural disaster or network attack
Identity and Access Management (IAM) Software
operating system software for administering rights and attributes to manage, enforce, and monitor user entitlements and access activities to the ERP system
Zero Trust
"never trust, always verify"
Least Privilege Access
User is only given access needed to perform job.
Firewall
Prevents unauthorized users from accessing a private network. Acts as a "gatekeeper" that filters network traffic.
Intrusion Detection Systems
A system that monitors network use for potential hacking attempts.
Intrusion Prevention System
Has all the features of an IDS, but can also take steps to prevent or block the suspicious activity.
Unified Threat Management
A single appliance that bundles multiple security tools (firewall, IDS/IPS, anti-malware, etc.).
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access.
Transport Layer Security
A protocol for managing the security of message transmissions on the Internet.
HTTPS
Hypertext Transfer Protocol Secure
Symmetric Key Encryption
The sender and receiver use a single, shared secret key. (Fast, but securely sharing the key is a challenge)
Public Key Encryption
pairs a public key for encryption and a private key for decryption. The sender does not need the receiver's private key to encrypt a message, but the receiver's private key is required to decrypt the message
How does Public Key Encryption work?
1. Bob publishes his public encryption key
2. Alice encrypts her message to Bob using his public key
3. Bob receives the message and decrypts it using his secret decryption key.
Digital Certificate
a data file that identifies individuals or organizations online and is comparable to a digital signature
Public Key Infrastructure (PKI)
the system for issuing pairs of public and private keys and corresponding digital certificates
Blockchain
A digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly
Fault Tolerant Computer System
Contains redundant hardware, software, and power supply components to provide continuous, uninterrupted service (no downtime).