Computer Crime and Information Systems Security

Questions and Answers

What is the term used to describe individuals who gain unauthorized access to computer systems out of curiosity and not malicious intent?

White Hats

What is the term used for computer criminals who break into systems with the intention of causing damage or committing a crime?

Crackers or Black Hats

What is the term used for web vandals who attempt to break into systems or deface websites to promote political or ideological goals?

Hacktivists

Which of the following groups commit the most computer crime infractions, according to the provided text?

Current or former employees (D)

Which of the following methods is NOT mentioned as a way computer criminals gain access to systems?

Social engineering (C)

Approximately 10% of computer criminals cause damage.

True (A)

Industrial espionage is a type of crime that rarely involves computers.

False (B)

What are the three main aspects of information systems security that organizations must consider?

Availability, Integrity, Confidentiality

What is the term used to describe the process of understanding the potential risks to the availability, integrity, and confidentiality of data and systems?

Risk Assessment

Which of the following is NOT a common approach organizations take to manage identified risks?

Risk Mitigation (E)

Risk avoidance is always the most practical and feasible approach to manage information security risks in today's networked environment.

False (B)

What are the three main categories of information systems controls that a security strategy should address?

Technology, People, Policies

What term is used to describe computer criminals who attempt to break into systems or deface websites for political or ideological reasons?

Hacktivists

Which group of computer criminals commits the most infractions, according to the text?

Current or former employees

The term 'hackers' is still commonly used to describe computer criminals today.

False (B)

What is a 'vulnerability scanner' used for?

To automatically test targeted systems for weaknesses.

What is the purpose of 'keyloggers'?

To capture every keystroke, including emails, passwords, and credit card numbers.

What is the primary goal of information systems security?

To protect all aspects of information systems from destruction, manipulation, or unauthorized access or use.

Which of the following is NOT a key aspect of information systems security?

Efficiency (C)

What are the two main components of a risk assessment?

Threats and vulnerabilities

Which risk management approach involves taking steps to reduce the likelihood or impact of a risk?

Risk Reduction (B)

Risk avoidance is always the most practical and feasible approach to managing risk.

False (B)

What are information systems controls?

Technology, people, and policies implemented to protect information systems.

Flashcards

Crackers

Individuals who access computer systems illegally with malicious intent, often for personal gain.

White Hats

Individuals who access computer systems without authorization but are motivated by curiosity and a desire to learn, not to cause harm.

Hacktivists

Individuals who break into computer systems to promote political or ideological goals, often through website defacement or disruption.

Industrial Espionage

The act of using computers to steal confidential information, trade secrets, or other sensitive data from businesses or organizations.

Vulnerability Scanners

Software designed to automatically scan systems for vulnerabilities that can be exploited by attackers.

Packet Sniffers

Software used to analyze network traffic, potentially capturing unencrypted passwords or other sensitive data.

Keyloggers

Software that logs every keystroke made on a computer, potentially capturing sensitive information such as passwords or credit card numbers.

Brute Force Attack

A method of trying every possible combination of characters until the correct password is found.

Availability

The concept of ensuring that legitimate users can access and use information systems without hindrance.

Integrity

The concept of protecting information systems from unauthorized modifications that could compromise data integrity or accuracy.

Confidentiality

The concept of preventing unauthorized access to sensitive information by restricting access to authorized users.

Accountability

The concept of tracking and recording actions performed on information systems to ensure accountability for user actions.

Risk Assessment

The process of identifying and analyzing potential risks to information systems, including threats and vulnerabilities, to determine their impact and likelihood.

Threats

Unfavorable events that could potentially cause harm to information systems, such as natural disasters, system failures, or malicious attacks.

Vulnerabilities

Weaknesses in information systems or security policies that can be exploited by attackers to cause damage or compromise system integrity.

Risk Reduction

A strategy for managing risks that involves taking steps to reduce the likelihood or impact of potential threats.

Risk Acceptance

A strategy for managing risks that involves accepting the possibility of a threat occurring and the potential impact it may have.

Risk Transference

A strategy for managing risks that involves transferring the risk to a third party, such as an insurance company.

Risk Avoidance

A strategy for managing risks that involves avoiding activities or actions that could expose the organization to potential threats.

Information Systems Controls

Measures implemented to protect information systems from unauthorized access, use, disclosure, modification, or destruction.

Security Strategy

A strategy for managing risks that involves investing in controls to mitigate the likelihood or impact of potential threats.

Virus

Any program designed to spread from one computer to another, potentially causing damage or disrupting system functionality.

Disaster Recovery Costs

The costs associated with recovering from a disaster, including lost time, money, and goodwill.

Disaster Recovery

The process of restoring information systems to their operational state after a disaster event, including data recovery and system restoration.

Hacking

The act of breaking into a computer system to gain unauthorized access to data or information.

Phishing

An attempt to deceive or manipulate a user into providing private information, often through malicious websites, emails, or other deceptive tactics.

Computer Abuse

The unauthorized use of computer resources, such as computing power or bandwidth, for personal gain or malicious purposes.

Computer Crime

The use of computers to commit crimes, including fraud, identity theft, or cyberbullying.

Identity Theft

The theft of personal or financial data, often through phishing, malware, or data breaches.

Website Defacement

The unauthorized modification of websites or online accounts for malicious purposes.

Study Notes

Computer Crime and Information Systems Security

  • Types of Computer Criminals:

    • Hackers/Crackers: Originally, hackers were motivated by curiosity, but the term "cracker" emerged for those intentionally breaking in. "White hat" hackers are motivated by curiosity, while "black hat" crackers aim to cause harm.
    • Hacktivists: Crackers motivated by political or ideological goals, often defacing websites or disrupting systems.
    • Insider Threats: Current or former employees who misuse access for theft or damage; frequently the most common cause of crime.
    • People with technical knowledge: Individuals using tech skills to commit business or information sabotage.
    • Career criminals: Utilizing computers to aid existing criminal activities.
    • Outsiders: Hackers/crackers who penetrate systems for malicious intent or information gathering.
      • This includes those attempting to gain access without authorization to store records of illegal transactions, or for electronic money laundering.
    • Priorities by frequency of violations:
      • Current/former employees (most common)
      • Individuals with technical knowledge
      • Career criminals
      • Outsiders/crackers (committing millions of intrusions but often causing little harm)
  • Methods of Computer Criminal Intrusion:

    • Vulnerability scanners: Automated tools for identifying system weaknesses.
    • Packet sniffers: Analyze network traffic, capturing unencrypted passwords.
    • Keyloggers: Record every keystroke, gathering sensitive data.
    • Brute-force attacks: Tools attempting to guess passwords.
  • Industrial Espionage:

    • Covert activities (theft of trade secrets, bribery, blackmail, technological surveillance) to gain a competitive edge.
    • Increasingly involves cracking into company computer systems to steal confidential data and trade secrets.
  • Information Systems Security:

    • Safeguarding all aspects of information systems (hardware, software, networks, data) from unauthorized access, destruction, or manipulation, while allowing authorized users access.
    • Key aspects:
      • Availability: Legitimate user access to the system.
      • Integrity: Preventing unauthorized data manipulation.
      • Confidentiality: Protecting data from unauthorized access.
      • Accountability: Tracing actions within the system.
  • Information Systems Security Process:

    • Risk assessment: Understanding risks to availability, integrity, and confidentiality. Assess asset value, probability of compromise, and associated costs (protection costs vs asset value and probability). Consider technical (databases, hardware) and non-technical information (processes, physical/personnel security). A "risk rating" guides security strategy.
    • Security strategy development: Implementing policies and controls based on risk assessment, addressing information systems controls (technology, people, policies).
      • Risk Management Strategies:
        • Risk reduction: Lessening potential negative impacts.
        • Risk acceptance: Acknowledging and accepting some risks.
        • Risk transference: Transferring risk (e.g., insurance).
        • Risk avoidance: Avoiding risk entirely (often impractical).
  • Vulnerabilities & Threats:

    • Vulnerabilities: Exploitable weaknesses in systems or security policies ("known" or "expected").
    • Threats: Undesirable events causing harm (internal or external agents).
