
Melissa Hinton, CINS 3050, Ch. 10 Review Questions

1. List and describe the primary threats to IS security.
   a. Natural Disasters
      i. Power outages, hurricanes, floods, and so on.
   b. Accidents
      i. Inexperienced or careless computer operators (or cats walking across keyboards!).
   c. Employees and Consultants
      i. People within an organization who have access to electronic files.
   d. Links to Outside Business Contacts
      i. Electronic information can be at risk when it travels between or among business affiliates as part of doing business.
   e. Outsiders
      i. Hackers and crackers who penetrate networks and computer systems to snoop or to cause damage (viruses, perpetually rampant on the Internet, are included in this category).

2. Define computer crime and list several examples of computer crime.
   Computer crime is the act of using a computer to commit an illegal act.
   a. Targeting a computer while committing an offense.
      i. For example, someone gains unauthorized entry to a computer system in order to cause damage to the computer system or to the data it contains.
   b. Using a computer to commit an offense.
      i. In such cases, computer criminals may steal credit card numbers from Web sites or a company's database, skim money from bank accounts, or make unauthorized electronic fund transfers from financial institutions.
   c. Using computers to support a criminal activity even though the computers themselves are not targeted.
      i. For example, drug dealers and other professional criminals may use computers to store records of their illegal transactions.

3. Explain the purpose of the Computer Fraud and Abuse Act of 1986 and the Electronic Communications Privacy Act of 1986.
   a. Computer Fraud and Abuse Act of 1986 (makes the following acts crimes)
      i. Stealing or compromising data about national defense, foreign relations, atomic energy, or other restricted information
      ii. Violating data belonging to banks or other financial institutions
      iii. Intercepting or otherwise intruding on communications between states or foreign countries
      iv. Threatening to damage computer systems in order to extort money or other valuables from persons, businesses, or institutions
   b. Electronic Communications Privacy Act of 1986
      i. Makes it a crime to break into any electronic communications service, including telephone services
      ii. Prohibits the interception of any type of electronic communications

4. Contrast hackers versus crackers.
   a. Hacker: individuals who are knowledgeable enough to gain access to computer systems without authorization.
   b. Cracker: those who break into computer systems with the intention of doing damage or committing a crime.

5. Define unauthorized access and give several examples from recent media reports.
   Unauthorized access is an information systems security breach in which an unauthorized individual sees, manipulates, or otherwise handles electronically stored information. (Examples: Kevin Mitnick and Kevin Poulsen.)
   a. Employees doing personal business on a company computer
   b. Thieves stealing credit card numbers and social security numbers through electronic databases
   c. Intruders breaking into government websites

6. Define malware and give several examples.
   a. Malware
      i. Malicious software, such as viruses, worms, or Trojan horses.
         1. The Melissa virus, which spread through MS Outlook
         2. The ILOVEYOU virus (my dad actually got this one in his government email before he retired from the military facility that he worked at.)

7. Define and contrast spyware, spam, and cookies.
   a. Spyware
      i. Software that covertly gathers information about a user through an Internet connection without the user's knowledge
   b. Spam
      i. Electronic junk email
   c. Cookies
      i. A message passed by a Web server to a Web browser to be stored on a user's computer; this message is then sent back to the server each time the user's browser requests a page from that server.

8. Define and contrast cyberharassment, cyberstalking, and cyberbullying.
   a. Cyberharassment
      i. The use of a computer to communicate obscene, vulgar, or threatening content that causes a reasonable person to endure distress.
   b. Cyberstalking
      i. The use of a computer to repeatedly engage in threatening or harassing behavior.
   c. Cyberbullying
      i. The use of a computer to intentionally cause emotional distress to a person.

9. Define and contrast cyberwar and cyberterrorism.
   a. Cyberwar
      i. An organized attempt by a country's military to disrupt or destroy the information and communications systems of another country.
   b. Cyberterrorism
      i. The use of computer and networking technologies against persons or property to intimidate or coerce governments, individuals, or any segment of society to attain political, religious, or ideological goals.

10. Describe risk analysis as it relates to IS security and explain three ways to approach systems security risk.
   a. Risk analysis
      i. The process in which the value of the assets being protected is assessed, the likelihood of their being compromised is determined, and the costs of their being compromised are compared with the costs of the protections to be taken.
         1. Risk Reduction
            a. Taking active countermeasures to protect your systems, such as installing firewalls like those described later in this chapter
         2. Risk Acceptance
            a. Implementing no countermeasures and simply absorbing any damages that occur
         3. Risk Transference
            a. Having someone else absorb the risk, such as by investing in insurance or by outsourcing certain functions to another organization with specific expertise

11. What are physical access restrictions, and how do they make an information system more secure?
   a. Physical access restrictions
      1. Firewalls
      2. Encryption
      3. Virus monitoring and prevention
      4. Audit-control software
      5. Secure data centers

12. Describe several methods for preventing and/or managing the spread of computer viruses.
   a. Virus protection tools such as Spybot S&D, Panda, Norton, and Avast! help to block and delete viruses, malware, or spyware.

13. Describe three human-based approaches for safeguarding information systems.
   a. Firewalls
   b. Virus monitoring
   c. Secure data center

14. What is an IS security plan, and what are the five steps for developing such a plan?
   a. IS security plan
      i. Assessing risks, planning ways to reduce risk, implementing the plan, and ongoing monitoring.
         1. Risk analysis
         2. Policies and procedures
         3. Implementation
         4. Training
         5. Auditing

15. Describe how the Sarbanes-Oxley Act impacts the IS security of an organization.
   a. Information systems controls: specific IT processes designed to ensure the reliability of information
      i. Controls should be a combination of three types:
         1. Preventive controls
         2. Detective controls
         3. Corrective controls
