Chapter Four - Summary Information Syst & Application PDF

Title Chapter Four - Summary Information Syst & Application
Course Information Syst & Application
Institution Binghamton University
Pages 4

Summary

These are the comprehensive notes: what's important from both class and lecture combined, in preparation for the tests...


Description

Chapter Four

Information ethics governs the ethical and moral issues that arise from the development and use of information technology. Information doesn't have ethics; people do.

- Rule 41 (of the Federal Rules of Criminal Procedure) covers search and seizure of physical and digital evidence
- Intellectual property is intangible creative work that is embodied in physical form
- Patents are the exclusive right, granted by the government, to make, use, and sell an invention
- Ethics are the principles and standards that guide our behavior
- Privacy is consent, control, and solitude: not being observed without your consent, having control over your personal possessions, and being left alone when you want to be; confidentiality is the assurance that information stays between the persons meant to see it
- Pirated software is the unauthorized use of copyrighted software; counterfeit software is manufactured to look like the real thing and sold as such
- Digital rights management (DRM) is the technical solution for controlling digital media and minimizing theft
- Ediscovery (electronic discovery) is a company's ability to identify, search, gather, and export digital information in response to litigation, investigations, or other inquiries
- The Child Online Protection Act (COPA) protects minors from inappropriate material on the internet
- Related categories to know: information secrecy, information governance, information compliance, information management, information property

Developing Information Management Policies

- Epolicies are the policies and procedures that address information management, the ethical use of computers, and use of the internet in the business environment
- Ethical computer use policy: the general principles that guide computer-use behavior
  o Cyberbullying is sending threats or negative remarks via the internet
  o Click fraud is the abuse of pay-per-click revenue models by repeatedly clicking a link to increase the charges or costs to the advertiser
     Competitive click fraud is a computer crime in which somebody increases a company's search engine advertising costs by repeatedly clicking the advertiser's links
  o Bring your own device (BYOD) policy: the company allows employees to access enterprise systems from personal devices
- Information privacy policy
  o Fair information practices are a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy; also referred to as "data protection" and "personal data privacy"
- Acceptable use policy (AUP) requires a user to agree to follow it in order to be given access to corporate email, information systems, and the internet
  o Nonrepudiation is a contractual stipulation ensuring that ebusiness participants do not deny (repudiate) their online actions
  o Internet use policy: the general principles that guide the proper use of the internet
  o Cybervandalism is the electronic defacing of an existing website
  o Typosquatting occurs when a person registers purposely misspelled variations of well-known domain names to lure consumers who make typographical errors
  o Website name stealing is the theft of a website's name: somebody poses as the site's administrator and changes the ownership of the domain name assigned to the website to another website owner
  o Internet censorship is government control of internet traffic to prevent some material from being viewed by a country's citizens
- Email privacy policy details the extent to which email messages may be read by others
  o Mail bombs send a massive amount of email to a specific person or system, which can cause the user's server to stop functioning
  o Spam and anti-spam policies; opt-in versus opt-out
  o Teergrubing is an anti-spam approach in which the computer that receives spam launches a return attack against the spammer
- Social media policy: the guidelines governing all online employee communications
  o Social media monitoring is when somebody views and responds to statements about a company, its products, and its brand
  o A social media manager filters, monitors, and contributes to the social media presence of a company or brand
- Workplace monitoring policy
  o Physical security is tangible protection (alarms, guards, locked doors, fences, vaults)
  o Workplace MIS monitoring tracks employee activity by measures such as number of keystrokes, error rate, and number of transactions processed
     Employee monitoring policy
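The typosquatting entry above describes the attack but not how a defender spots it. The following is an added example, not code from the course notes: it compares a candidate domain against a constructed allow-list of well-known domains using edit distance, folds a few look-alike characters first (so "paypa1" matches "paypal"), and treats a swapped top-level domain as one extra edit. The KNOWN_DOMAINS list, the HOMOGLYPHS table and the candidate names are all assumptions made for the example.

```python
# Added example, not from the course notes: flag domain names that look like
# typosquats of a constructed allow-list of well-known domains. Both the
# KNOWN_DOMAINS list and the candidate names are made up for the example; the
# homoglyph table is a small illustrative subset, not a complete one.

KNOWN_DOMAINS = ["paypal.com", "google.com", "binghamton.edu"]

# Look-alike substitutions attackers use because they render similarly.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Normalize look-alike characters so 'paypa1' compares equal to 'paypal'."""
    for lookalike, real in HOMOGLYPHS.items():
        label = label.replace(lookalike, real)
    return label


def split_domain(domain: str):
    """Split 'label.tld' into its two parts (simple two-level names only)."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld


def classify(candidate: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return ('exact' | 'typosquat' | 'unrelated', matched known domain or None).

    The registrable label is compared after homoglyph folding; a different TLD
    counts as one extra edit so 'paypal.co' is caught as a TLD swap.
    """
    c_label, c_tld = split_domain(candidate)
    best = None
    for k in known:
        k_label, k_tld = split_domain(k)
        if (c_label, c_tld) == (k_label, k_tld):
            return "exact", k
        distance = levenshtein(fold_homoglyphs(c_label), fold_homoglyphs(k_label))
        if c_tld != k_tld:
            distance += 1
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, k)
    return ("typosquat", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    for name in ["paypal.com", "paypa1.com", "gogle.com", "paypal.co", "example.org"]:
        print(name, classify(name))
```

A distance threshold of 2 is a trade-off: larger values catch more variants but also flag legitimate short names, so in practice the candidate list comes from newly registered domains or from URLs seen in inbound mail rather than from all traffic.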

Protecting Intellectual Assets  

Downtime is the period of time during which a system is unavailable. Information security is the protection of information from accidental or intentional misuse by persons inside or outside an organization.

Dangerous Threats to Business

- Hackers are experts in technology who use their knowledge to break into computers and computer networks, either for profit or for the challenge
  o Drive-by hacking is an attack in which the attacker accesses a wireless network, intercepts data, uses network services, and/or sends attack instructions without entering the office of the organization that owns the network
     Bug bounty programs are crowdsourcing initiatives that reward individuals who discover and report software bugs; also called vulnerability reward programs
- Viruses are software written with malicious intent to cause annoyance or damage
  o Malware is software intended to damage or disable computers and computer systems
  o Worms spread themselves not only from file to file but also from computer to computer
  o Adware is software that lets internet advertisers display advertisements without the consent of the computer user
  o Spyware is a special class of adware that collects data about the user and transmits it over the internet without the user's knowledge or consent
  o Ransomware is malicious software that infects a computer and demands money from the victim
  o Scareware tricks victims into giving up personal information to purchase or download useless or potentially dangerous software

The First Line of Defense – People

- Insiders are legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident
- Social engineering is hackers using their social skills to trick people into revealing access credentials or other valuable information
  o Pretexting is a form of social engineering in which one individual lies to obtain confidential data about another individual
- Dumpster diving is hackers looking through people's trash to obtain information
- Information security policies and information security plans

The Second Line of Defense – Technology

- Destructive agents are malicious agents designed by spammers and other internet attackers to farm email addresses off websites or deposit spyware on machines

People: Authentication & Authorization

- Information secrecy is the protection of data from unauthorized disclosure
- Identity theft is forging someone's identity for the purpose of fraud
  o Phishing is sending fraudulent emails that appear to come from legitimate businesses and ask you to verify personal information
     A phishing expedition is a masquerading attack that combines spam with spoofing
     Spear phishing is a phishing expedition in which the emails are carefully designed to target a particular person or organization
     Vishing (voice phishing) is a phone scam
  o Pharming reroutes requests for legitimate websites to false websites
     A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers
     A zombie farm is a group of computers on which a hacker has planted zombie programs
     A pharming attack uses a zombie farm to launch a massive phishing attack
- Sock puppet marketing is the use of a false identity to artificially stimulate demand for a product, brand, or service
  o Astroturfing is artificially stimulating online conversation and positive reviews about a product, service, or brand

Authentication & Authorization

1. Something the user knows: user ID and password
2. Something the user has: smart card or token
3. Something that is part of the user: fingerprint, signature, voiceprint (biometrics)

Single-factor authentication uses (1); two-factor authentication uses (1 + 2); multifactor authentication uses (1 + 2 + 3)

Data: Prevention and Resistance
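Before the data-protection material, a worked version of the authentication factors listed above. This is an added example, not code from the course notes: it implements the first factor (a salted PBKDF2 password hash compared in constant time) and the second (an RFC 6238 time-based one-time password, the kind a hardware or phone token produces) and only grants access when both check out. Biometrics, the third factor, need hardware and are not shown. The iteration count, the 30-second step, the 200,000 iterations and the user-record layout (salt, pw_hash, totp_secret) are choices made for this example.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example, not from the course notes: two of the three factors above,
# something you know (password) and something you have (a TOTP token).
# Biometrics, the third factor, need hardware and are not shown.
# The iteration count, step size and user-record layout are assumptions
# made for this example.

ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None):
    """Factor 1: store a salted PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)    # constant-time comparison


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Factor 2: RFC 6238 time-based one-time password over HMAC-SHA1."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, at_time + d * 30), code)
               for d in range(-window, window + 1))


def authenticate(user: dict, password: str, code: str, at_time: int = None) -> bool:
    """Two-factor check: both factors are evaluated before the decision is made,
    so a wrong password does not short-circuit and reveal which factor failed."""
    at_time = int(time.time()) if at_time is None else at_time
    ok_password = verify_password(password, user["salt"], user["pw_hash"])
    ok_token = verify_totp(user["totp_secret"], code, at_time)
    return ok_password and ok_token


if __name__ == "__main__":
    salt, pw_hash = hash_password("correct horse battery staple")
    secret = os.urandom(20)
    user = {"salt": salt, "pw_hash": pw_hash, "totp_secret": secret}
    now = int(time.time())
    print(authenticate(user, "correct horse battery staple", totp(secret, now)))
```

The TOTP routine reproduces the published RFC 6238 test vector (secret "12345678901234567890" at time 59 gives 287082), which is the quickest way to confirm a home-grown implementation before trusting it. A real deployment would also rate-limit attempts and reject a code that has already been used within its time step.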

- Privilege escalation is a network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications
  o Vertical privilege escalation: attackers grant themselves a higher access level (such as administrator), which allows them to perform illegal actions such as running unauthorized code or deleting data
  o Horizontal privilege escalation: attackers grant themselves the same access level they already have but assume the identity of another user
- Time bombs are viruses that wait for a specific date before executing their instructions
- Content filtering: organizations use software that filters content to prevent the accidental or malicious transmission of unauthorized information
- Encryption scrambles information into an alternative form that requires a key or password to decrypt (decryption is the opposite of encryption: decoding the information)
  o Cryptography is the science of encryption
  o The Advanced Encryption Standard (AES) was introduced by the National Institute of Standards and Technology (NIST) as an encryption standard to keep government information secure
  o Personally identifiable information (PII): nonsensitive PII is transmitted without encryption, is public, and causes no harm if disclosed; sensitive PII is transmitted with encryption and, when disclosed, breaches an individual's privacy and can cause harm
  o HIPAA Security Rule
  o Public key encryption (PKE) uses two keys: a public key that everyone can have and a private key known only to the recipient
     Certificate authority
     Digital certificate
- Firewall
- Antivirus software prevents, detects, and removes viruses and some malware

Attack: Detection and Response
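Before moving on to detection, the two privilege-escalation paths named above, shown in code. This is an added example, not code from the course notes: a toy in-memory document service with a vulnerable read handler (horizontal escalation: any logged-in user can read another user's record because ownership is never checked) and a vulnerable delete handler (vertical escalation: the admin flag is trusted from the request the client controls), each next to its hardened form, which derives identity from the session and looks up the role server-side. The users, session tokens, documents and request-dictionary shape are all constructed for the example.

```python
# Added example, not from the course notes: a toy in-memory document service
# showing the two escalation paths named above, horizontal (acting as another
# user) and vertical (acting as an administrator), with a vulnerable handler
# next to its hardened form. Users, documents, session tokens and the request
# dict shape are all constructed for the example.

USERS = {"alice": "user", "bob": "user", "carol": "admin"}     # name -> role
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}


def fresh_docs():
    """Document store: id -> owner and contents."""
    return {1: {"owner": "alice", "body": "alice's tax return"},
            2: {"owner": "bob", "body": "bob's medical record"}}


class Forbidden(Exception):
    pass


# ---- vulnerable handlers ----------------------------------------------------
def read_doc_vulnerable(request, docs):
    # Horizontal escalation: the document's owner is never compared with the
    # caller, so any logged-in user can read any record by guessing its id.
    return docs[request["doc_id"]]["body"]


def delete_doc_vulnerable(request, docs):
    # Vertical escalation: the admin flag is taken from the request body, which
    # the client controls, instead of from the server-side user record.
    if not request.get("is_admin"):
        raise Forbidden("admins only")
    del docs[request["doc_id"]]
    return True


# ---- hardened handlers ------------------------------------------------------
def current_user(request):
    """Identity is derived from the session token, never from request fields."""
    try:
        return SESSIONS[request["session"]]
    except KeyError:
        raise Forbidden("not authenticated") from None


def read_doc(request, docs):
    user = current_user(request)
    doc = docs.get(request["doc_id"])
    # Missing and forbidden look the same, so ids cannot be enumerated.
    if doc is None or (doc["owner"] != user and USERS[user] != "admin"):
        raise Forbidden("no such document")
    return doc["body"]


def delete_doc(request, docs):
    user = current_user(request)
    if USERS[user] != "admin":            # role looked up server-side
        raise Forbidden("admins only")
    if request["doc_id"] not in docs:
        raise Forbidden("no such document")
    del docs[request["doc_id"]]
    return True


def is_denied(handler, request, docs):
    """True when the handler refuses the request."""
    try:
        handler(request, docs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    docs = fresh_docs()
    bob_reads_alice = {"session": "tok-bob", "doc_id": 1}
    print("vulnerable handler returns:", read_doc_vulnerable(bob_reads_alice, docs))
    print("hardened handler denies:", is_denied(read_doc, bob_reads_alice, docs))
```

The two fixes are the same principle applied twice: every fact the authorization decision depends on (who is calling, what role they hold, who owns the object) must come from server-side state, never from the request.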

- Network behavior analysis tracks network patterns and flags suspicious or unusual operations
- Intrusion detection software (IDS) provides full-time network monitoring to identify intruders
  o Cyberwar
  o Cyberterrorism
  o Cyberespionage
  o Cybervigilantes...
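The network behavior analysis entry above, as an added example that is not code from the course notes: a small monitor that reads connection-log lines, derives a per-source baseline from the log itself, and flags two kinds of unusual operation: one source touching many distinct destination ports (a port sweep) and one source whose connection count is far above the fleet median (a volume spike). The log format, the addresses, the synthetic traffic and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Added example, not from the course notes: a minimal network behavior analysis
# pass over constructed connection-log lines. The log format, addresses,
# synthetic traffic and thresholds are all invented for the example.

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")   # "time src -> dst:port"


def constructed_log():
    """Synthetic log: ten ordinary web clients, one port sweeper, one flooder."""
    lines = []
    for host in range(10, 20):                       # 10.0.0.10 .. 10.0.0.19
        for t in range(3):
            lines.append(f"t{t} 10.0.0.{host} -> 10.0.0.20:443")
    for port in range(20, 32):                       # 12 ports on one host
        lines.append(f"t9 10.0.0.7 -> 10.0.0.20:{port}")
    for t in range(60):                              # one service, 60 times
        lines.append(f"t{t} 10.0.0.8 -> 10.0.0.20:443")
    return lines


def profile(lines):
    """Per-source counters: total connections and the set of destination ports."""
    flows = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue        # malformed line: skip rather than crash the monitor
        _, src, _, port = m.groups()
        flows[src] += 1
        ports[src].add(int(port))
    return flows, ports


def analyze(lines, sweep_ports=10, volume_factor=5):
    """Return {source: [reasons]} for sources that deviate from the baseline."""
    flows, ports = profile(lines)
    if not flows:
        return {}
    baseline = median(flows.values())               # typical connections per source
    alerts = {}
    for src, count in flows.items():
        reasons = []
        if len(ports[src]) >= sweep_ports:
            reasons.append(f"port sweep: {len(ports[src])} distinct ports")
        if count > volume_factor * baseline:
            reasons.append(f"volume: {count} connections vs median {baseline:g}")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, reasons in analyze(constructed_log()).items():
        print(src, "->", "; ".join(reasons))
```

Using the median rather than the mean as the baseline matters: a single flooder would drag the mean up enough to hide itself, while the median stays at the level of the ordinary clients. A signature-based IDS would instead match each line against known attack patterns; behavior analysis of this kind catches activity for which no signature exists yet.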

