Chapter 15 - Information Security & Controls

What are access controls?

Controls that restrict unauthorized individuals from using information resources and are concerned with user identification.

What is adware?

Alien software designed to help pop-up advertisements appear on your screen.

What is alien software?

Clandestine (kept secret or done secretively) software that is installed on your computer through duplicitous methods.

What are anti-malware systems/antivirus software?

Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.

What are application controls?

Security countermeasures that protect specific applications in functional areas.

What is an audit?

The accumulation and evaluation of evidence that is used to prepare a report about the information or controls that are being examined, using established criteria and standards.

What is authentication?

A process that determines the identity of the person requiring access.

What is authorization?

A process that determines which actions, rights, or privileges the person has, based on verified identity.

What is a back door/trap door?

Typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

What is biometrics?

The science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject's physiological or behavioural characteristics.

What is blacklisting?

A process in which a company identifies certain types of software that are not allowed to run in the company environment.

What is a bot/zombie?

A computer that has been compromised by, and is under the control of, a hacker.

What is a botnet?

A network of computers that has been compromised by, and is under the control of, a hacker, who is called the botmaster.

What is business continuity planning?

The chain of events linking planning to protection and to recovery.

What is a certificate authority?

A third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.

What are communications controls/network controls?

Controls that deal with the movement of data across networks.

What is a control environment?

Controls that encompass management attitudes toward controls, as evidenced by management actions, as well as by stated policies and procedures that address ethical issues and the quality of

What are controls/countermeasures?

Defence mechanisms used to safeguard assets, optimize the use of the organization's resources, and prevent or detect errors or fraud.

What are cookies?

Small amounts of information that websites store on your computer, temporarily or more or less permanently.

What is copyright?

A grant that provides the creator of intellectual property with ownership of it for a specified period of time, currently the life of the creator plus 50 years.

What is a cybercrime?

Illegal activities executed on the Internet.

What is cyberterrorism?

A premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.

What is cyberwarfare?

War in which a country's information systems could be paralyzed from a massive attack by destructive software.

What is a demilitarized zone?

A separate organizational local area network that is located between an organization's internal network and an external network, usually the Internet.

What is a denial-of-service attack?

A cyberattack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources.

What is a digital certificate?

An electronic document attached to a file certifying that this file is from the organization it claims to be from and has not been modified from its original format or content.

What is a distributed denial-of-service attack?

A denial-of-service attack that sends a flood of data packets from many compromised computers simultaneously.

What are employee monitoring systems?

Systems that monitor employees' computers, email activities, and Internet surfing activities.

What is encryption?

The process of converting an original message into a form that cannot be read by anyone except the intended receiver.

What is exposure?

The harm, loss, or damage that can result if a threat compromises an information resource.

What is a firewall?

A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network.

What are general controls?

Controls that apply to more than one functional area.

What is identity theft?

Crime in which someone uses the personal information of others to create a false identity and then uses it for some fraud.

What is information security?

Protecting an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

What is an information systems audit?

An examination of information systems, their inputs, outputs, and processing.

What is intellectual property?

The intangible property created by individuals or corporations, which is protected under trade secret, patent, and copyright laws.

What is least privilege?

A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

What are logic bombs?

Segments of computer code embedded within an organization's existing computer programs.

What are logical controls?

Controls that are implemented by software.

What is malware?

Malicious software such as viruses and worms.

What is a password?

A private combination of characters that only the user should know.

What is a virus?

Malicious software that can attach itself to (or "infect") other computer programs without the owner of the program being aware of the infection.

What is a vulnerability?

The possibility that an information resource will be harmed by a threat.

What is whitelisting?

A process in which a company identifies acceptable software and permits it to run, and either prevents anything else from running or lets new software run in a quarantined environment until the company can verify its validity.

What is a patent?

A document that grants the holder exclusive rights on an invention or process for a specified period of time, currently 20 years.

What is a phishing attack?

An attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official-looking

What are physical controls?

Controls that restrict unauthorized individuals from gaining access to a company's computer facilities.

What is piracy?

Copying a software program (other than freeware, demo software, etc.) without making payment to the owner.

What is privilege?

A collection of related computer system operations that can be performed by users of the system.

What is public-key encryption/asymmetric encryption?

A type of encryption that uses two different keys: a public key and a private key.

What is a risk?

The likelihood that a threat will occur.

What is risk acceptance?

A strategy in which the organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur.

What is risk analysis?

The process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the probable costs of each being compromised with the costs of protecting it.

What is risk limitation?

A strategy in which the organization limits its risk by implementing controls that minimize the impact of a threat.

What is risk management?

A process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels.

What is risk mitigation?

A process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan.

What is risk transference?

A process in which the organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance.

What is secure sockets layer/transport layer security?

An encryption standard used for secure transactions such as credit card purchases and online banking.

What is social engineering?

Getting around security systems by tricking computer users inside a company into revealing sensitive information or gaining unauthorized access privileges.

What is spam?

Unsolicited email.

What is spamware?

Alien software that uses your computer as a launch platform for spammers.

What is spear phishing?

An attack that uses deception to target large groups of people, by masquerading as official-looking emails or instant messages.

What is spyware?

Alien software that can record your keystrokes and/or capture your passwords.

What is a threat?

Any danger to which an information resource may be exposed.

What is a trade secret?

Intellectual work, such as a business plan, that is a company secret and is not based on public information.

What is a Trojan horse?

A software program containing a hidden function that presents a security risk.

What is tunnelling?

A process that encrypts each data packet to be sent and places each encrypted packet inside another packet.

What is a virtual private network?

A private network that uses a public network (usually the Internet) to securely connect users by using encryption.

What are worms?

Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.

What are the 5 factors that contribute to the increasing vulnerability of information resources?

-Today's interconnected, interdependent, etc. business environment
-Smaller, faster, cheaper computer devices
-Decreasing skills necessary to be a computer hacker
-International organized crime taking over cybercrime
-Lack of management support

What are human mistakes?

Unintentional errors

What are some types of deliberate software attacks?

-Information extortion
-Sabotage and vandalism
-Theft of equipment and information
-Identity theft
-Compromises to intellectual property
-Software attacks
-Alien software
-Supervisory control and data acquisition

What is espionage/trespass?

Occurs when an unauthorized person attempts to gain illegal access to organizational information.

What is information extortion?

Occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

What is sabotage/vandalism?

Deliberate acts that involve defacing an organization's website, possibly causing the organization to lose its image and experience a loss of confidence by its customers.

What is meant by compromises to intellectual property?

A vital issue for people who make their livelihood in knowledge fields. Protecting intellectual property is particularly difficult when that property is in digital form.

What is meant by supervisory control/data acquisition?

A large-scale, distributed measurement and control system. SCADA systems are used to monitor or control chemical, physical, and transport processes. A SCADA attack attempts to compromise such a system in order to cause damage to the real-world processes t

What are the 6 types of controls that organizations can use to protect their information resources?

-General controls
-Application controls
-Physical controls
-Logical controls
-Access controls
-Communication controls

What are some general controls?

Include controls for the prevention, deterrence, detection, damage control, recovery, and correction of information systems.

What are some physical controls?

Security guards or locks

What are some logical controls?

Passwords or automated calculations

What are some access controls?

Multifactor authentication

What are some communication controls?


What are some application controls?

Include input, processing, and output controls.

What are some difficulties in protecting information resources?

-Hundreds of potential threats exist.
-Computer networks can be located outside the organization, making them difficult to protect.
-Rapid technological changes
-People tend to violate security procedures because the procedures are inconvenient.
-Etc. (Pg

What do communications controls consist of?

-anti-malware systems
-virtual private networks (VPNs)
-transport layer security
-employee monitoring systems

How does the IS auditor decide on audits?

IS auditors conduct their work using a risk-based approach. They consider the likelihood of errors or fraud, or the risk of organizations not following their procedures. Then, they design procedures to test compliance or the percentages of errors.
-A pl

What are the different types of auditors?

-Specialist (Ex: information systems)