AIS Ch14 Terms
Terms in this set (43)
Confidentiality, Integrity, Availability
The CIA triad: the three core objectives of information security. Confidentiality keeps data from unauthorized parties, integrity keeps it accurate and unaltered, and availability keeps systems and data reachable when needed.
Virus
a self-replicating program that runs and spreads by modifying other programs or files
Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Trojan Horse
a non-self-replicating program that seems to have a useful purpose in appearance, but in reality has a different, malicious purpose
Spam
sending unsolicited bulk information
Botnet (bot)
A collection of compromised computers ("bots") running software that lets a bot-herder control them remotely over the internet and direct them to act automatically, for example to send spam or mount a denial-of-service attack.
Denial of Service (DoS)
The prevention of authorized access to resources (such as servers) or the delaying of time-critical operations.
Spyware
software that is secretly installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code
Spoofing
sending a network packet that appears to come from a source other than its actual source
Social Engineering
manipulating someone to take certain action that may not be in that person's best interest, such as revealing confidential information or granting access to physical assets, networks, or information
Encryption
Using algorithmic schemes to encode plaintext into nonreadable form. Preventive control providing confidentiality and privacy for data transmission and storage
Main factors of encryption
key length, encryption algorithm, key management
symmetric-key encryption
Both the sender and the receiver use the same secret key to encrypt and decrypt messages. Fast and suitable for encrypting large data sets or messages, but key distribution and key management are problematic because that single key must be delivered to, and kept secret by, every party that uses it.
asymmetric-key encryption
Each user holds a mathematically linked pair of keys, one public and one private. To transmit confidential information, the sender uses the receiver's public key to encrypt the message; the receiver uses his or her own private key to decrypt it. Also known as public-key encryption or two-key encryption. Slow and not appropriate for encrypting large data sets; in practice it is used to protect a symmetric session key, which then encrypts the bulk data.
Public Key
The half of a key pair that is derived from the private key and widely distributed to other users; anyone may use it to encrypt a message for the key owner or to verify the owner's digital signature.
Private key
A string of bits kept secret and known only to the owner of the key.
authentication
A process that establishes the origin of information or determines the identity of a user, process, or device.
Session key
A symmetric key that is valid for a certain timeframe only (typically one session or one message). It is usually generated fresh and exchanged under asymmetric encryption, so the slow public-key operation protects only the short key while the fast symmetric cipher protects the data.
Digital signature
A message digest of a document (or data file) that is signed, in the textbook's RSA description "encrypted", using the document creator's private key. Anyone holding the creator's public key can verify the signature, which proves both who signed the document and that it has not been altered since.
Message digest (MD)
A short, fixed-length code (for example 256 bits for SHA-256) produced by hashing a plaintext message with a hash algorithm; it serves as a fingerprint of the message.
Hashing
A process that runs an original document or data through a one-way hash algorithm to generate a message digest. Any change to the input changes the digest, and the digest cannot be reversed to recover the input.
Data integrity
Maintaining and assuring the accuracy and consistency of data during transmission and in storage; hashing and digital signatures are the usual means of detecting unauthorized changes.
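The cards on encryption, session keys, message digests, digital signatures and data integrity above describe one workflow, shown here as an added Go example that is not part of the original flashcard set or its textbook. It uses only the Go standard library: SHA-256 for the digest, RSA-PSS for the signature, and hybrid encryption in which a fresh 32-byte session key protects the bulk data with AES-256-GCM and the receiver's public key (RSA-OAEP) protects only that key. The names Alice, Bob, the invoice text and the function names are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a hybrid-encrypted message: the one-time session key wrapped with the
// receiver's public key, plus the bulk data encrypted under that session key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// NewKey generates an RSA key pair; the PublicKey field is what gets distributed.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Digest hashes a document into a 256-bit message digest (SHA-256).
func Digest(doc []byte) []byte { s := sha256.Sum256(doc); return s[:] }

// Sign makes a digital signature: the digest of doc signed with the creator's private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Digest(doc), nil)
}

// Verify recomputes the digest and checks sig with the signer's public key. Any change to
// doc or sig makes it return false: that is the data-integrity and authentication check.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, Digest(doc), sig, nil) == nil
}

// aead builds the symmetric cipher (AES-256-GCM) for a 32-byte session key.
func aead(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side of hybrid encryption: fast symmetric encryption of the bulk
// data under a fresh session key, and slow asymmetric RSA-OAEP only for the 32-byte key.
func Seal(receiverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := aead(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is the receiver's side: unwrap the session key with the private key, then decrypt.
// GCM's authentication tag makes Open fail if the ciphertext was altered in transit.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := NewKey()
	bob, _ := NewKey()
	doc := []byte("Invoice 1001: pay 5,000 to vendor X") // constructed sample document

	// Bob signs; Alice verifies with Bob's public key, then sees that tampering is caught.
	sig, _ := Sign(bob, doc)
	fmt.Println("signature valid:", Verify(&bob.PublicKey, doc, sig))
	fmt.Println("tampered doc valid:", Verify(&bob.PublicKey, []byte("Invoice 1001: pay 50,000 to vendor X"), sig))

	// Bob encrypts to Alice's public key; only Alice's private key can open the envelope.
	env, _ := Seal(&alice.PublicKey, doc)
	plain, err := Open(alice, env)
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 1 // flip one bit in transit
	_, err = Open(alice, env)
	fmt.Println("altered ciphertext rejected:", err != nil)
}
```

Note what the design keeps separate: the signature uses the sender's private key (anyone can check it), while confidentiality uses the receiver's public key (only the receiver can open it). The session key is the bridge between the two key types the cards describe: RSA touches 32 bytes, AES does the rest.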
Certificate Authority (CA)
A trusted entity that issues and revokes digital certificates.
Digital certificate
A digital document, issued by a Certificate Authority and digitally signed with the CA's private key, that binds the name of a subscriber to that subscriber's public key. Anyone who trusts the CA can verify the signature with the CA's public key and thereby trust the binding.
Public-key infrastructure
A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-/private-key pairs, including the ability to issue, maintain, and revoke public-key certificates.
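The three cards above (Certificate Authority, digital certificate, public-key infrastructure) describe the issuance and trust process, shown here as an added Go example that is not part of the original flashcard set or its textbook. It builds a self-signed root CA, has that CA issue a certificate binding a subscriber name to the subscriber's public key, and then performs the relying party's check against a trust store, including the case of a certificate issued by a CA the relying party does not trust. The CA names, the subscriber name payments.example.com, the serial numbers and the function names are assumptions made for the example; revocation is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a subscriber's key pair. The subscriber keeps PrivateKey secret and
// hands only PublicKey to the CA for certification.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewCA creates a root Certificate Authority: a key pair plus a self-signed certificate
// marked as a CA (the CA's own private key signs the CA's own certificate).
func NewCA(name string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Issue is the CA's job: bind a subscriber's name to the subscriber's public key in a
// certificate and sign it with the CA private key. The subscriber's private key is never involved.
func Issue(caKey *rsa.PrivateKey, caCert *x509.Certificate, name string, serial int64, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted is the relying party's check: the certificate must chain to a root in our trust
// store and the CA signature on it must verify. Expired certs and certs signed by any other
// key fail, which is why protecting the CA private key is the whole security of a PKI.
func Trusted(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	caKey, caCert, _ := NewCA("Example Root CA")
	rogueKey, rogueCert, _ := NewCA("Rogue CA") // a CA our trust store does not contain
	subscriber, _ := NewKey()
	good, _ := Issue(caKey, caCert, "payments.example.com", 2, &subscriber.PublicKey)
	bad, _ := Issue(rogueKey, rogueCert, "payments.example.com", 3, &subscriber.PublicKey)
	fmt.Println("issued by trusted CA:", Trusted(good, caCert)) // true
	fmt.Println("issued by rogue CA:  ", Trusted(bad, caCert))  // false
	fmt.Println("subject:", good.Subject.CommonName, "issuer:", good.Issuer.CommonName)
}
```

The second certificate carries the same subject name and the same subscriber public key as the first; it is rejected only because the signature on it was not made with the private key of a CA in the trust store. That is the practical content of the PKI card: the policies and servers exist to control who holds CA private keys and which roots relying parties install.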
Fraud Triangle
Three conditions exist for a fraud to be perpetrated: incentive, opportunity, and rationalization.
Incentive (Pressure)
Provides a reason to commit fraud
Opportunity
Absence of controls, ineffective controls, or the ability of management to override controls
Rationalization
The fraudster's attitude or self-justification that makes the dishonest act seem acceptable (for example, "I am only borrowing it" or "the company owes me").
AUP
Acceptable use policy
Examples of Vulnerabilities within a Physical IT Environment
Physical intrusion
Natural disasters
Excessive heat or humidity
Examples of Vulnerabilities within an Information System
system intrusion
logical access control failure
interruption of a system
Examples of Vulnerabilities within the Processes of IT operations
social engineering
unintentional disclosure of sensitive information by employee
intentional destruction of information
inappropriate end-user computing
Main components of vulnerability management and assessment
identification
assessment
remediation
maintenance
uninterruptible power supply
A device using battery power to enable a system to operate long enough to back up critical data and shut down properly during the loss of power.
fault tolerance
Redundant units providing a system with the ability to continue functioning when part of the system fails.
virtualization
Using various techniques and methods to create a virtual (rather than actual) version of a hardware platform, storage device, or network resources.
cloud computing
Delivering computing resources over the internet from a provider's redundant servers in multiple locations, which host the virtual machines that customers use.
SOC 1
Focuses on the impact of the cloud provider's controls on the user company's financial statements
SOC 2, SOC 3
Provide evaluations of a broader set of controls, those relevant to the security, availability, processing integrity, confidentiality, or privacy of the systems operated by the service provider (the Trust Services Criteria), rather than to the user company's financial reporting.
disaster recovery planning (DRP)
A process that identifies significant events that may threaten a firm's operations and outlines the procedures to ensure that the firm will resume operations when the events occur.
business continuity management (BCM)
The activities required to keep a firm running during a period of displacement or interruption of normal operations.
DRP, BCM
Both are important to firms because they determine whether the firm can keep operating, or resume operating, after a disruptive event. DRP focuses on recovering systems after the event; BCM focuses on keeping the business running through it.