Exam Slide Flashcards

Management Information Systems IS 300 Spring 2026 Information Security & Technology Guide #2

Presentation Accessibility

  • This presentation conforms to a UMBC PowerPoint Template for Universal Accessibility.

  • Material is intended solely for educational use at UMBC and is not for further distribution.

Learning Objectives

  • Identify factors contributing to increasing vulnerability of information resources, along with specific examples of each factor.

  • Compare and contrast human mistakes and social engineering, accompanied by specific examples.

  • Discuss types of deliberate attacks on information resources.

  • Describe three risk mitigation strategies.

  • Identify major types of controls organizations can use to protect their information resources.

  • Discuss major software issues confronting modern organizations.

  • Describe the general functions of operating systems.

  • Identify major types of application software.

Human Errors

  • Social Engineering: Perpetrator uses social skills to manipulate legitimate employees into providing confidential company information (e.g., passwords).

    • Common Example: Attacker impersonating a company manager or information system employee over the phone.

    • Tailgating: Technique where the perpetrator follows a legitimate employee into restricted areas by asking them to hold the door after the employee gains entry.

    • Shoulder Surfing: Watching an employee's screen from behind, commonly successful in public areas (e.g., airports, trains).

The Human Factor

  • Personnel Risks: Employees in Human Resources and Information Systems/Technology pose the most significant risks to information security; other employees might be overlooked.

Definitions: Information Security

  • Security: Degree of protection against criminal activity, danger, damage, or loss.

  • Information Security: Processes and policies to protect organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

  • Threat: Any danger that can compromise an information system.

  • Exposure: Harm, loss, or damage that can result if a threat compromises an information resource.

  • Vulnerability: The possibility that the system will be harmed by a threat.

  • Cybercrime: Illegal activities conducted over computer networks, particularly the Internet.

Five Key Factors Increasing Vulnerability

  1. Increasing interconnectedness in the business environment.

  2. Smaller, faster, cheaper computers/storages.

  3. Decreasing skills required for computer hacking.

  4. Rise of international organized crime in cybercrime.

  5. Lack of management support for security measures.

Threat Classification

  • Threats to information systems are categorized as:

    • Unintentional Threats

    • Deliberate (Intentional) Threats

Key Points About Threats

  • Computing resources located in various locations.

  • Multiple individuals control or access information assets.

  • Computer networks often reside outside the organization, complicating protection.

  • Rapid technological changes lead to obsolescence of controls.

  • Many computer crimes go undetected, challenging organizational learning.

  • Employees often violate security procedures due to inconvenience.

  • Minimal computer knowledge required for committing crimes.

  • High costs of preventing hazards deter organizations from comprehensive protection.

  • Difficulties in conducting cost-benefit justifications for controls pre-attack.

Deliberate Threats to Information Systems

  • Espionage or Trespass: Unauthorized access attempts to organizational information.

  • Information Extortion: Threatening to steal or demanding payment to not disclose stolen information.

  • Sabotage and Vandalism: Deliberate acts damaging organizational image and customer trust.

  • Theft of Equipment or Information: Smaller, powerful devices are easier to steal; includes practices like dumpster diving.

  • Identity Theft: Assuming another's identity for financial access or framing purposes.

  • Compromises to Intellectual Property: Engaging threats against trade secrets, patents, trademarks, copyrights.

Specific Deliberate Threats

  • SCADA Attacks: Involves large distributed systems controlling essential services like oil refineries and power plants.

  • Cyberterrorism and Cyberwarfare: Malicious acts causing real-world harm or disruptions for political agendas.

Software Attacks Requiring User Action

  • Viruses: Programs that attach to other programs with or without user permission.

  • Worms: Malicious code segments that replicate by themselves.

  • Trojan Horses: Software that disguises malicious features as benign until activated.

  • Key Loggers: Record keystrokes for data theft (e.g., passwords).

  • Back Door: A secret password allowing unauthorized access without security procedures.

  • Fileless: Malevolent code executed directly in RAM.

Software Attacks Explained

  • Spear Phishing: Targeted phishing aimed at individuals.

  • Ransomware: Blocks access to systems until payment is made.

  • Logic Bomb: Code embedded to activate destructive actions at a specific time.

  • Phishing: Deceptive tactics to acquire sensitive information through false communications.

  • Whaling Attack: Phishing targeting high-level executives for stealing sensitive information.

Alien Software

  • Alien Software: Software installed through dishonest means.

    • Adware: Causes unsolicited advertisements to appear.

    • Spyware: Collects personal data without consent, including keystroke loggers and screen scrapers.

    • Spamware: Launches unsolicited advertising through user’s computer.

    • Cookies: Data stored by websites for tracking purposes.

Complexity of Software

  • Increased software complexity leads to a higher potential for bugs.

  • Managing software defects, licensing, updates, and open-source concerns.

  • DevOps: Extension of agile methods facilitating development and operations.

  • Application Software: Programs providing specific functionality (e.g., word processing).

  • Systems Software: Intermediary instructions between hardware and application programs (operating systems).

Open Source Software

  • Definition: Software with available code for free use and modification, managed by a community.

  • Advantages: High quality, community-driven maintenance, flexibility.

  • Disadvantages: Potential security vulnerabilities and supply chain attacks.

Information Security Controls

  • Access Controls: Restrict unauthorized individuals from accessing information resources.

    • Major Functions:

      • Authentication: Confirming identity using various methods (biometrics, ID cards, etc.).

      • Authorization: Determining privileges granted to authenticated individuals.

Audit Trails & Procedures

  • Audit Trail: Documented sequence of actions for transaction verification.

  • Categories of Auditing Procedures:

    • Auditing Around the Computer: Verifying known outputs against specific inputs.

    • Auditing Through the Computer: Checking inputs/outputs and reviewing program logic.

    • Auditing With the Computer: Using a combination of client and auditor tools for data simulation.

Communication / Network Controls

  • Firewall: Blocks unauthorized access, often integrated into routers or standalone hardware.

  • Whitelisting: Allows only pre-approved software to run on systems.

  • Blacklist: Prevents designated software from running within an environment.

  • DMZ (Demilitarized Zone): Network segment that separates trusted internal networks from untrusted external networks.

  • Transport Layer Security (TLS): Provides encryption for secure transactions.

  • Anti-Malware Systems: Software identifying and eliminating malevolent software.

  • Intrusion Detection Systems (IDS): Monitor and respond to unauthorized access attempts.

Business Continuity Planning

  • Business Continuity: Protection and recovery processes aligned for continuous operations post-disaster.

  • Business Continuity Plan: Guidelines to maintain operations after disruptions.

    • Hot Sites: Fully equipped facilities with all services and resources (most expensive).

    • Warm Sites: Services and infrastructure without complete applications.

    • Cold Sites: Basic facilities with no computing hardware (least expensive).

Virtual Private Network (VPN)

  • Definition: Private networks using public infrastructure for encrypted data transmission.

  • Types of VPN Connections:

    • Remote Access: Via VPN client.

    • Site-to-Site: Between intranets and extranets.

How Encryption Works

  • Encryption Programs: Scramble transmitted data into ciphertext from plaintext.

  • Primary Methods:

    • Symmetric Encryption: Shared key system among sender and receiver (128 bits or greater).

    • Public or Asymmetric Encryption: Involves a public key and a private key (exchanged via Public Key Infrastructure).

Example Flow: Digital Certificates

  • Digital certificates provide authentication through these elements:

    • Serial Number

    • Issuer Name

    • Validity Dates

    • Subject Public Key

    • CA Signature

Types of Information Systems

  • Functional Area Information System (FAIS): Collection of application programs within a specific department.

  • Enterprise Resource Planning (ERP): Tightly integrates FAISs via common databases.

Information Systems, Business Processes, and IT Responses

  • Business Processes: Activities generating value through inputs, resources, and outputs evaluated by efficiency and effectiveness.

  • Robotic Process Automation (RPA): Automates tasks traditionally performed by employees.

Business Pressures and IT Support

  • Labor cost disparities encourage relocation to low-cost regions.

  • Societal pressure highlighted by the digital divide.

  • Porter's Value Chain Model: Framework for analyzing business activities.

Competitive Advantage Strategies

  • Cost Leadership: Produce at the lowest industry cost.

  • Differentiation: Offer unique products/services.

  • Innovation: Introduce new solutions or features.

  • Operational Effectiveness: Enhance internal processes effectiveness.

  • Customer Orientation: Focus on enhancing customer satisfaction.

Ethics in Information Technology

  • Ethics: Principles of right and wrong guiding actions.

  • Frameworks: Five widely used ethical standards to resolve organizational conflicts.

  • Privacy: Right to control personal information, protected under various amendments.

Ethical Considerations

  • Responsibility: Accept consequences for decisions.

  • Accountability: Determine responsibility for actions.

  • Liability: Legal right to recover damages.

Summary of Ethics & Privacy Concerns

  • Ethics guide behavior within organizations.

  • Privacy issues encompass data collection, accuracy, property, and accessibility.

  • Threats include electronic surveillance and personal data infringement.

  • Importance of privacy policies in mitigating legal issues around data handling.