ITM 100 Class 9: Securing Information Systems
48 Questions
Questions and Answers

What is the primary function of a firewall?

  • To prevent unauthorized access to networks (correct)
  • To encrypt sensitive data
  • To monitor internal network traffic
  • To detect malware on devices

Which of the following best describes an intrusion detection system?

  • Hardware that stores backup data
  • A system that monitors networks for unauthorized access (correct)
  • Software that repairs damaged files
  • A tool that encrypts data for secure transmission

What is the role of antivirus and antispyware software?

  • To prevent physical damage to computers
  • To manage network traffic
  • To back up data in case of loss
  • To check for and eliminate malware (correct)

What does encryption do to plaintext?

Answer: Transforms it into ciphertext

Which process is the reverse of encryption?

Answer: Decryption

Why is continual updating important for antivirus and antispyware software?

Answer: To keep up with emerging threats

What field of study refers to encoded information?

Answer: Cryptography

Which statement correctly describes ciphertext?

Answer: It is the result of the encryption process.

What best describes computer crime?

Answer: A violation of criminal law that involves technology for various purposes.

Which of the following represents a way in which computers can be the target of crime?

Answer: Accessing a system without authority.

What is a primary challenge regarding wireless security?

Answer: Scanning of radio frequency bands.

What does 'war driving' refer to in the context of wireless security?

Answer: Driving by locations to detect wireless networks.

Which of the following is a common internet vulnerability?

Answer: Interception of network communications.

What is one potential risk of using email for communication?

Answer: Attachments may contain malware.

Why are fixed Internet addresses considered vulnerable?

Answer: They provide a consistent target for hackers.

Which of the following is NOT a method through which computers can be used as instruments of crime?

Answer: Utilizing social media for promotions.

What is the expected annual loss due to user error, based on the data provided?

Answer: $19,698

What is the probability of occurrence for power failure?

Answer: 30

Which of the following is a focus of business continuity planning?

Answer: Restoring business operations after a disaster

Which risk has the highest expected annual loss according to the data presented?

Answer: Power failure

Which type of analysis is crucial in both disaster recovery planning and business continuity planning?

Answer: Business impact analysis

What role does identity management play in security policy?

Answer: It helps in identifying valid users and controlling access.

Based on the information given, which statement about embezzlement is true?

Answer: The expected annual loss is $1,275.

Which method is NOT considered a type of biometric authentication?

Answer: Smart cards

Why is it important for management to determine which systems to restore first?

Answer: To identify the firm's most critical systems.

What is a key guideline for creating a secure password?

Answer: Include a mix of uppercase letters, lowercase letters, digits and special characters

Which of the following is an example of two-factor authentication?

Answer: Entering a password followed by a verification code sent to your phone

What is a potential risk of biometric authentication like fingerprint analysis?

Answer: User characteristics can be easily replicated or stolen

Which practice should be avoided to maintain password security?

Answer: Telling friends about passwords for convenience

What characteristic makes a password easier to remember yet harder to guess?

Answer: A combination of uppercase letters, lowercase letters, digits, and special characters

Why should a user not leave their computer logged in when away?

Answer: It increases the risk of unauthorized access

What is a fundamental reason for using a smart card in authentication?

Answer: It contains an embedded memory chip for secure identification

What is the primary purpose of general controls in information systems?

Answer: To govern the design, security, and use of computer programs

Which of the following describes application controls?

Answer: Controls that are unique to each computerized application

What aspect does the CIA Triad primarily focus on?

Answer: Ensuring data confidentiality, integrity, and availability

What is the role of identity management software in information security?

Answer: To authenticate users and manage access controls

Which of the following best describes software patches?

Answer: Small updates that repair flaws in software

What is the main challenge associated with software patches?

Answer: Exploits are often developed faster than patches can be rolled out

Which of the following options is an example of an input control?

Answer: Validation of data entered into a system

Which is NOT a component of general controls?

Answer: Input controls

What is the primary role of spyware in a computer system?

Answer: To monitor user activity and capture sensitive information.

Which of the following best describes a cracker?

Answer: A hacker with the intent to commit criminal acts.

What is the definition of phishing in the context of computer crime?

Answer: Creating fake websites to collect personal data.

Which method is used in pharming attacks?

Answer: Redirecting users to fraudulent websites.

What is a 'back door' in the context of computer security?

Answer: An unauthorized way to access a system without detection.

Spoofing is characterized by which of the following actions?

Answer: Redirecting communications to appear as a trusted source.

What does sniffing refer to in cyber security?

Answer: Eavesdropping on network traffic to capture sensitive data.

Identity theft entails which of the following actions?

Answer: Unauthorized acquisition of personal information for fraudulent purposes.

Study Notes

ITM 100 Class 9: Securing Information Systems

• This class focuses on securing information systems.
• The study material is adapted from Management Information Systems: Managing the Digital Firm, 17th Edition by Kenneth C. Laudon and Jane P. Laudon.

Real World Example - TJX

• In 2006, TJX experienced a significant computer system security breach, affecting up to 94 million customers.
• Albert Gonzalez received a 20-year prison sentence in 2010 for his role in the TJX breach.
• The potential financial impact of the breach, according to federal guidelines, exceeded $400 million.
• The breaches began in 2005 with war-driving expeditions to identify vulnerable wireless networks.
• Hackers entered the TJX network, moved upstream to the corporate network, and installed a packet sniffer to capture transaction data.
• Authorities discovered 16.3 million stolen credit card numbers on Gonzalez's Latvian server and another 27.5 million on a server in Ukraine.

Real World Example - Heartland Payment Systems

• In March 2008, a breach exposed 134 million credit cards at Heartland Payment Systems.
• Albert Gonzalez and two unnamed Russian accomplices were indicted in 2009, and Gonzalez was sentenced to 20 years in prison.
• The SQL injection vulnerability was already known; security analysts had warned retailers about the risk well in advance, for years.

Top 10 Data Breaches (2008-2019)

• This section lists the top 10 data breaches between 2008 and 2019.
• The companies included are Yahoo!, MySpace, Marriott, LinkedIn, Equifax, Heartland Payment Systems, Target, Capital One, and Sony.
• For each breach, the service, the company involved, and the dates are given.
• Example: Yahoo!, Web services provider, 3000 million (2013)

System Security

• Information systems play a crucial role in many organizations and are extremely vulnerable.
• System failures can significantly impact a firm's business functions and profitability.
• Critical organizational data, such as confidential information, trade secrets, and information about new products, is at risk if security measures are insufficient.
• Security breaches can dramatically reduce a company's market value and lead to liability issues.

Why Systems Are Vulnerable

• Hardware issues such as breakdowns, misconfigurations, and improper use can cause system vulnerabilities.
• Software flaws and programming errors, installation problems, and unauthorized modifications are another threat to system security.
• Systems located outside of a firm's control also increase vulnerabilities.

Software Vulnerability

• Commercial software often contains bugs (code defects).
• Achieving zero defects is not always possible because of the complexity of large programs.
• Security vulnerabilities that enable intrusions are common; a buffer overflow is one example of such a vulnerability.

Computer Crime

• Illegal acts against computer systems, or the use of computers to commit crimes, are considered computer crimes.
• Gaining unauthorized access, breaching the confidentiality of data, and stealing trade secrets are all types of computer-related violations.

Internet Vulnerabilities

• The openness of the internet makes it susceptible to attacks such as interception, person-in-the-middle attacks, malicious software, etc.
• The sheer size of the internet means a successful attack can have widespread impact.

Wireless Security Challenges

• The radio frequency spectrum used for wireless communication is easily accessible to eavesdroppers.
• Service set identifiers (SSIDs) can be easily detected through tools like sniffer programs.
• War-driving attempts to identify unprotected or vulnerable wireless networks.

Malicious Software

• Malicious software, often abbreviated as malware, comes in several forms, including viruses, worms, and Trojans.
• This software can cause damage to computers.

Computer Viruses

• Viruses are designed to attach to other programs to execute unauthorized functions.
• They replicate and spread to other programs and computers, sometimes via email attachments.
• They can cause data damage and theft.

Worms

• Worms replicate themselves across networks to spread across multiple computer systems.
• Unlike a virus, they do not require an active host program to run.

Trojan Horses

• Trojan horse programs often appear benign initially, then carry out harmful actions.
• They frequently spread viruses or other malware.

SQL Injection, Spyware

• Hackers use SQL injection attacks against database-driven applications. These attacks use maliciously crafted data submitted in web forms to execute unauthorized commands against databases.
• Spyware includes keyloggers, applications that record user keystrokes to capture sensitive data.

Hackers and Computer Crime

• Hackers are individuals who attempt to gain unauthorized access to computer systems.
• Crackers are a subset of hackers with malicious intent.

Computer Crime (Continued)

• Identity theft, password guessing, phishing, and pharming are fraudulent activities that involve unauthorized access to personal information and pose a significant threat.

Spoofing and Sniffing

• Spoofing includes masquerading as another person or redirecting web links to unintended destinations.
• Sniffing is a passive attack that observes data traveling across a network, enabling hackers to steal data such as emails and company files.

Denial of Service (DoS) Attacks

• Hackers flood a computer system with extraneous communication to crash the service.
• Distributed DoS attacks use many computers to overwhelm the system.
• Botnets are often employed in DoS attacks: networks of compromised computer systems that carry out malicious activities on command from the attacker.

Internal Threats: Employees

• Security threats also originate from within organizations, for example from insiders who have inside knowledge.
• Sloppy security practices and inadequate user training can cause weaknesses.
• Social engineering tricks employees into revealing passwords or other sensitive data.
• Information systems specialists and end users alike are points of weakness.

Contemporary Security Challenges and Vulnerabilities

• Network security vulnerabilities can arise from numerous sources, including unauthorized access, tapping, message alteration, and radiation.

Security and Controls

• Security measures, encompassing policies and procedures, are steps taken to prevent unauthorized access, damage to data, and theft.

Information Systems Controls

• Controls are procedures applied across the organization's information systems. General controls govern the design, security, and use of systems overall; application controls pertain to specific applications.

CIA Triad of Information Security

• Confidentiality, Integrity, and Availability (CIA) are the three pillars of information security: Confidentiality ensures data stays secret; Integrity ensures data's accuracy and reliability; Availability ensures authorized users can access data when needed.

Tools and Technologies for Safeguarding Information Systems

• Software patches address flaws in software programs.
• Identity management software helps manage user accounts and access privileges.
• Authentication methods such as password systems, tokens, smart cards, and biometric systems control access to sensitive information.
• Firewalls block unauthorized users.
• Intrusion detection systems monitor for potential threats.
• Antivirus software checks for and removes malware.

Preventing Unauthorized Access

• Password guidelines: passwords should be easy to remember but hard to guess. This means mixing upper and lowercase letters, numbers, and special characters to defeat simple guessing tactics.

Risk Assessment

• Risk assessments are crucial to determine the probability and potential cost of system vulnerabilities.
• Risk assessment considers types of threats, potential losses, and expected annual losses.

Online Order Processing Risk Assessment

• An example demonstrates classifying exposure to risk with probability of occurrence and loss ranges.

Security Policy

• Security policies outline appropriate security goals, acceptable use policies, and computing equipment standards.

Disaster Recovery Planning and Business Continuity Planning

• Disaster recovery plans aim to restore disrupted services after a disaster.
• Business continuity plans address continuing business operations after a major disruption.

The Role of Auditing

• Information systems audits evaluate the organization's overall security posture.
• Security audits review technologies, procedures, documentation, training, and personnel.
• Auditors can simulate disaster scenarios to test response capabilities.

Sample Auditor's List of Control Weaknesses

• This is an example of findings from an information systems audit.


Description

This quiz covers key concepts related to the security of information systems as outlined in Management Information Systems: Managing the Digital Firm. The focus will be on real-world examples, particularly the TJX security breach, to illustrate the importance of securing digital information. Test your understanding of the implications of such breaches and the measures needed to protect systems.
