Exam
Name___________________________________
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
1) The potential for unauthorized access is usually limited to the communications lines of a
network.
1) _______
Answer: True False
2) Large public networks, such as the Internet, are less vulnerable than internal networks because
they are virtually open to anyone.
2) _______
Answer: True False
3) Malicious software programs are referred to as badware and include a variety of threats, such as
computer viruses, worms, and Trojan horses.
3) _______
Answer: True False
4) A computer bacteria is a rogue software program that attaches itself to other software programs
or data files in order to be executed, usually without user knowledge or permission.
4) _______
Answer: True False
5) Web 2.0 applications, such as blogs, wikis, and social networking sites such as Facebook and
MySpace, have are not conduits for malware or spyware.
5) _______
Answer: True False
6) A Trojan horse is a software program that appears threatening but is really benign. 6) _______
Answer: True False
7) Keyloggers record every keystroke made on a computer to steal serial numbers for software, to
launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected
computer systems, or to pick up personal information such as credit card numbers.
7) _______
Answer: True False
8) A hacker is an individual who intends to gain unauthorized access to a computer system. 8) _______
Answer: True False
9) The term cracker is typically used to denote a hacker with criminal intent. 9) _______
Answer: True False
10) The term cybervandalism, is the intentional disruption, defacement, or even destruction of a
Web site or corporate information system.
10) ______
Answer: True False
11) Computer crime is defined as “any criminal activity involving the copy of, use of, removal of,
interference with, access to, manipulation of computer systems, and/or their related functions,
data or programs”.
11) ______
Answer: True False
12) Identity theft is a crime in which an imposter obtains key pieces of personal information, such as
social insurance numbers, driver’s licence numbers, or credit card numbers, to impersonate
someone else.
12) ______
Answer: True False
13) Pharming redirects users to a bogus Web page, even when the individual types the correct Web
page address into his or her browser.
13) ______
Answer: True False
14) One increasingly popular tactic is a form of spoofing called phishing. 14) ______
Answer: True False
15) Social Bookmarking is tricking people into revealing their passwords or other information by
pretending to be legitimate users or members of a company in need of information.
15) ______
Answer: True False
16) Software errors are no threat to information systems, that could cause untold losses in
productivity.
16) ______
Answer: True False
17) Many firms spend heavily on security because it is directly related to sales revenue. 17) ______
Answer: True False
18) Computer forensics is the scientific collection, examination, authentication, preservation, and
analysis of data held on or retrieved from computer storage media in such a way that the
information can be used as evidence in a court of law.
18) ______
Answer: True False
19) General controls govern the design, security, and use of computer programs and the security of
data files throughout the organization’s IT infrastructure.
19) ______
Answer: True False
20) Application controls are specific controls unique to each computerized application, such as
payroll or order processing.
20) ______
Answer: True False
21) Output controls check data for accuracy and completeness when they enter the system. 21) ______
Answer: True False
22) A risk audit includes statements ranking information risks, identifying acceptable security goals,
and identifying the mechanisms for achieving these goals.
22) ______
Answer: True False
23) Disaster recovery planning devises plans for the restoration of computing and communications
services before they have been disrupted.
23) ______
Answer: True False
24) An MIS audit examines the firm’s overall security environment as well as controls governing
individual information systems.
24) ______
Answer: True False
25) Authentication refers to the ability to know that a person is who he or she claims to be. 25) ______
Answer: True False
26) An MIS audit examines the firm’s overall security environment as well as controls governing
individual information systems.
26) ______
Answer: True False
27) A firewall is a combination of hardware and software that controls the flow of incoming and
outgoing network traffic.
27) ______
Answer: True False
28) Computers using cable modems to connect to the Internet are more open to penetration than
those connecting via dial-up.
28) ______
Answer: True False
29) Wireless networks are vulnerable to penetration because radio frequency bands are easy to scan. 29) ______
Answer: True False
30) The range of Wi-Fi networks can be extended up to two miles by using external antennae. 30) ______
Answer: True False
31) The WEP specification calls for an access point and its users to share the same 40-bit encrypted
password.
31) ______
Answer: True False
32) Viruses can be spread through e-mail. 32) ______
Answer: True False
33) Computer worms spread much more rapidly than computer viruses. 33) ______
Answer: True False
34) One form of spoofing involves forging the return address on an e-mail so that the e-mail
message appears to come from someone other than the sender.
34) ______
Answer: True False
35) Sniffers enable hackers to steal proprietary information from anywhere on a network, including
e-mail messages, company files, and confidential reports.
35) ______
Answer: True False
36) DoS attacks are used to destroy information and access restricted areas of a company's
information system.
36) ______
Answer: True False
37) The most economically damaging kinds of computer crime are e-mail viruses. 37) ______
Answer: True False
38) Zero defects cannot be achieved in larger software programs because fully testing programs that
contain thousands of choices and millions of paths would require thousands of years.
38) ______
Answer: True False
39) An acceptable use policy defines the acceptable level of access to information assets for different
users.
39) ______
Answer: True False
40) Biometric authentication is the use of physical characteristics such as retinal images to provide
identification.
40) ______
Answer: True False
41) Packet filtering catches most types of network attacks. 41) ______
Answer: True False
42) NAT conceals the IP addresses of the organization's internal host computers to deter sniffer
programs.
42) ______
Answer: True False
43) SSL is a protocol used to establish a secure connection between two computers. 43) ______
Answer: True False
44) Public key encryption uses two keys. 44) ______
Answer: True False
45) Fault-tolerant computers contain redundant hardware, software, and power supply components. 45) ______
Answer: True False
46) High-availability computing is also referred to as fault tolerance. 46) ______
Answer: True False
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
47) ________ are methods, policies, and organizational procedures that ensure the safety of the
organization’s assets, the accuracy and reliability of its records, and operational adherence to
management standards.
47) ______
A) "Algorithms" B) "Controls"
C) "Security" D) "Benchmarking"
Answer: B
48) John clicks into his online banking website. He is about to type in his password when he
notices that something is just not right. Upon further examination he notices that it is not the
actual bank site but one that looks almost identical. John was almost a victim of ________.
48) ______
A) a Trojan horse B) spoofing C) worms D) keyloggers
Answer: B
49) Betty downloaded a peer-to-peer file sharing program. She is worried that it might have come
with spyware attached to it. She had a friend who had a spyware problem where all of her
keystrokes were stolen, which included her bank passwords. Betty's friend was a victim of
________.
49) ______
A) spoofing B) a Trojan horse C) worms D) keyloggers
Answer: D
50) Helen downloaded a greeting card program from the internet. She was surprised that it really
didn't do what it was supposed to do. What the program did was send nasty, profane emails to
all the people in her contact list. Helen is the victim of ________.
50) ______
A) spoofing B) a Trojan horse C) keyloggers D) worms
Answer: B
51) Robert knows that an independent program got onto his computer from his network. It
deleted all of the spreadsheet files on his hard drive. Robert feels that this problem may have
resulted from his opening an attachment file in his email. Robert is the victim of ________.
51) ______
A) spoofing B) worms C) a Trojan horse D) keyloggers
Answer: B
52) A ________ is a type of eavesdropping program that monitors information travelling over a
network.
52) ______
A) worms B) keyloggers C) sniffer D) a Trojan horse
Answer: C
53) ________ involves setting up fake Web sites or sending e-mail messages that look like those of
legitimate businesses to ask users for confidential personal data.
53) ______
A) Fishing B) Farming C) Phishing D) Pharming
Answer: C
54) Jimmy Clark is sitting home one night and is very bored. He gets on his computer and starts to
surf the net. He comes to a military site. He thinks he might be able to get around the security
of the site and into the military computer system. He spends the next two hours trying to find
his way into their system. Jimmy is ________.
54) ______
A) a dumpster diver B) a cracker
C) a social engineer D) a hacker
Answer: D
55) Daniel is sitting home one night and is very bored. He gets on his computer and starts to surf
the net. He comes to a bank site. He thinks he might be able to get around the security of the
site and into the bank computer system. He spends the next two hours trying to find his way
into their system. Daniel gets into the system and puts $200 into his account from just some
random name he found in the banking system. Daniel is ________.
55) ______
A) a dumpster diver B) a hacker
C) a social engineer D) a cracker
Answer: D
56) Bart Black walks into a local bank. He does not work there but he has a tag on his shirt that
reads "IT Department". He goes up to a loans officer and tells him he needs to check the
security on the loan officer's computer. Bart sits in front of the keyboard and asks the officer for
his username and password. The loan officer gives him the information. Bart then thanks him
and leaves the bank. Outside in his car Bart Black gets into the bank system using the
information. This loan officer is a victim of ________.
56) ______
A) a hacker B) a cracker
C) social engineering D) dumpster diving
Answer: C
57) ________ defects cannot be achieved in larger programs. 57) ______
A) Zero B) Thirty C) Two D) One hundred
Answer: A
58) Many firms are reluctant to spend heavily on security because ________. 58) ______
A) it is not directly related to sales expense.
B) it is not directly related to sales forecasting.
C) it is not directly related to sales revenue.
D) it is not directly related to sales tax.
Answer: C
59) ________ govern the design, security, and use of computer programs and the security of data
files throughout the organization’s IT infrastructure.
59) ______
A) Application controls B) Input controls
C) General controls D) Output controls
Answer: C
60) ________ are specific controls unique to each computerized application, such as payroll or order
processing.
60) ______
A) Output controls B) Application controls
C) Input controls D) General controls
Answer: B
61) ________ consists of all the policies and procedures a company uses to prevent improper access
to systems by unauthorized insiders and outsiders.
61) ______
A) Output control B) Access control C) Input control D) General control
Answer: B
62) ________ is the process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the intended receiver.
62) ______
A) Risk audit B) Encryption
C) Application control D) Spoofing
Answer: B
63) ________ refers to policies, procedures, and technical measures used to prevent unauthorized
access, alteration, theft, or physical damage to information systems.
63) ______
A) "Controls" B) "Benchmarking"
C) "Security" D) "Algorithms"
Answer: C
64) ________ refers to all of the methods, policies, and organizational procedures that ensure the
safety of the organization's assets, the accuracy and reliability of its accounting records, and
operational adherence to management standards.
64) ______
A) "SSID standards" B) "Vulnerabilities"
C) "Controls" D) "Legacy systems"
Answer: C
65) Large amounts of data stored in electronic form are ________ than the same data in manual
form.
65) ______
A) more critical to most businesses B) vulnerable to many more kinds of threats
C) less vulnerable to damage D) more secure
Answer: B
66) Electronic data are more susceptible to destruction, fraud, error, and misuse because information
systems concentrate data in computer files that
66) ______
A) are not secure because the technology to secure them did not exist at the time the files were
created.
B) have the potential to be accessed by large numbers of people and by groups outside of the
organization.
C) are frequently available on the Internet.
D) are usually bound up in legacy systems that are difficult to access and difficult to correct in
case of error.
Answer: B
67) Specific security challenges that threaten the communications lines in a client/server
environment include
67) ______
A) hacking; vandalism; denial of service attacks.
B) theft, copying, alteration of data; hardware or software failure.
C) unauthorized access; errors; spyware.
D) tapping; sniffing; message alteration; radiation.
Answer: D
68) Specific security challenges that threaten clients in a client/server environment include 68) ______
A) hacking; vandalism; denial of service attacks.
B) tapping; sniffing; message alteration; radiation.
C) theft, copying, alteration of data; hardware or software failure.
D) unauthorized access; errors; spyware.
Answer: D
69) Specific security challenges that threaten corporate servers in a client/server environment
include
69) ______
A) tapping; sniffing; message alteration; radiation.
B) theft, copying, alteration of data; hardware or software failure.
C) unauthorized access; errors; spyware.
D) hacking; vandalism; denial of service attacks.
Answer: D
70) The Internet poses specific security problems because 70) ______
A) Internet standards are universal. B) everyone uses the Internet.
C) it changes so rapidly. D) it was designed to be easily accessible.
Answer: D
71) The main security problem on the Internet is 71) ______
A) hackers. B) bandwidth theft.
C) natural disasters, such as floods and fires. D) radiation.
Answer: A
72) An independent computer program that copies itself from one computer to another over a
network is called a
72) ______
A) bug. B) Trojan horse. C) pest. D) worm.
Answer: D
73) Sobig.F and MyDoom.A are 73) ______
A) worms attached to e-mail that spread from computer to computer.
B) multipartite viruses that can infect files as well as the boot sector of the hard drive.
C) viruses that use Microsoft Outlook to spread to other systems.
D) Trojan horses used to create bot nets.
Answer: A
74) In 2004, ICQ users were enticed by a sales message from a supposed anti-virus vendor. On the
vendor's site, a small program called Mitglieder was downloaded to the user's machine. The
program enabled outsiders to infiltrate the user's machine. What type of malware is this an
example of?
74) ______
A) spyware B) worm C) Trojan horse D) virus
Answer: C
75) Redirecting a Web link to a different address is a form of 75) ______
A) sniffing. B) war driving. C) spoofing. D) snooping.
Answer: C
76) A key logger is a type of 76) ______
A) spyware. B) worm. C) Trojan horse. D) virus.
Answer: A
77) How do hackers create a botnet? 77) ______
A) by infecting Web search bots with malware
B) by causing other people's computers to become "zombie" PCs following a master computer
C) by using Web search bots to infect other computers
D) by infecting corporate servers with "zombie" Trojan horses that allow undetected access
through a back door
Answer: B
78) Using numerous computers to inundate and overwhelm the network from numerous launch
points is called a ________ attack.
78) ______
A) DDoS B) pharming C) phishing D) DoS
Answer: A
79) Which of the following is NOT an example of a computer used as a target of crime? 79) ______
A) threatening to cause damage to a protected computer
B) accessing a computer system without authority
C) illegally accessing stored electronic communication
D) knowingly accessing a protected computer to commit fraud
Answer: C
80) Which of the following is NOT an example of a computer used as an instrument of crime? 80) ______
A) breaching the confidentiality of protected computerized data
B) intentionally attempting to intercept electronic communication
C) unauthorized copying of software
D) theft of trade secrets
Answer: A
81) Phishing is a form of 81) ______
A) sniffing. B) spinning. C) spoofing. D) snooping.
Answer: C
82) Phishing involves 82) ______
A) using e-mails for threats or harassment.
B) pretending to be a legitimate business's representative in order to garner information about
a security system.
C) setting up bogus Wi-Fi hot spots.
D) setting up fake Web sites to ask users for confidential information.
Answer: D
83) Evil twins are 83) ______
A) fraudulent Web sites that mimic a legitimate business's Web site.
B) e-mail messages that mimic the e-mail messages of a legitimate business.
C) Trojan horses that appear to the user to be a legitimate commercial software application.
D) bogus wireless networks that look legitimate to users.
Answer: D
84) Pharming involves 84) ______
A) using e-mails for threats or harassment.
B) pretending to be a legitimate business's representative in order to garner information about
a security system.
C) redirecting users to a fraudulent Web site even when the user has typed in the correct
address in the Web browser.
D) setting up fake Web sites to ask users for confidential information.
Answer: C
85) You have been hired as a security consultant for a legal firm. Which of the following constitutes
the greatest threat, in terms of security, to the firm?
85) ______
A) employees B) wireless network
C) authentication procedures D) lack of data encryption
Answer: A
86) Tricking employees to reveal their passwords by pretending to be a legitimate member of a
company is called
86) ______
A) social engineering B) phishing
C) sniffing D) pharming
Answer: A
87) How do software vendors correct flaws in their software after it has been distributed? 87) ______
A) re-release software B) issue patches
C) issue updated versions D) issue bug fixes
Answer: B
88) The most common type of electronic evidence is 88) ______
A) voice-mail. B) instant messages.
C) e-mail. D) spreadsheets.
Answer: C
89) Electronic evidence on computer storage media that is not visible to the average user is called
________ data.
89) ______
A) recovery B) ambient C) forensic D) defragmented
Answer: B
90) Application controls 90) ______
A) can be classified as input controls, processing controls, and output controls.
B) include software controls, computer operations controls, and implementation controls.
C) apply to all computerized applications and consist of a combination of hardware, software,
and manual procedures that create an overall control environment.
D) govern the design, security, and use of computer programs and the security of data files in
general throughout the organization.
Answer: A
91) ________ controls ensure that valuable business data files on either disk or tape are not subject to
unauthorized access, change, or destruction while they are in use or in storage.
91) ______
A) Data security B) Administrative
C) Software D) Implementation
Answer: A
92) Analysis of an information system that rates the likelihood of a security incident occurring and
its cost is included in a(n)
92) ______
A) risk assessment. B) security policy.
C) AUP. D) business impact analysis.
Answer: A
93) Statements ranking information risks and identifying security goals are included in a(n) 93) ______
A) business impact analysis. B) security policy.
C) risk assessment. D) AUP.
Answer: B
94) An analysis of the firm's most critical systems and the impact a system's outage would have on
the business is included in a(n)
94) ______
A) AUP. B) business impact analysis.
C) risk assessment. D) security policy.
Answer: B
95) Rigorous password systems 95) ______
A) are often disregarded by employees.
B) are costly to implement.
C) are one of the most effective security tools.
D) may hinder employee productivity.
Answer: D
96) An authentication token is a(n) 96) ______
A) type of smart card.
B) gadget that displays passcodes.
C) electronic marker attached to a digital authorization file.
D) device the size of a credit card that contains access permission data.
Answer: B
97) Biometric authentication 97) ______
A) only uses physical traits as a measurement.
B) is used widely in Europe for security applications.
C) can use a person's face as a unique, measurable trait.
D) is inexpensive.
Answer: C
98) A firewall allows the organization to 98) ______
A) check the content of all incoming and outgoing e-mail messages.
B) check the accuracy of all transactions between its network and the Internet.
C) enforce a security policy on traffic between its network and the Internet.
D) create an enterprise system on the Internet.
Answer: C
99) In which technique are network communications analyzed to see whether packets are part of
an ongoing dialogue between a sender and a receiver?
99) ______
A) application proxy filtering B) stateful inspection
C) intrusion detection system D) packet filtering
Answer: B
100) ________ use scanning software to look for known problems such as bad passwords, the removal of
important files, security attacks in progress, and system administration errors.
100) _____
A) Stateful inspections B) Application proxy filtering technologies
C) Intrusion detection systems D) Packet filtering technologies
Answer: C
101) Currently, the protocols used for secure information transfer over the Internet are 101) _____
A) SSL, TLS, and S-HTTP. B) S-HTTP and CA.
C) TCP/IP and SSL. D) HTTP and TCP/IP.
Answer: A
102) Most antivirus software is effective against 102) _____
A) any virus.
B) any virus except those in wireless communications applications.
C) only those viruses active on the Internet and through e-mail.
D) only those viruses already known when the software is written.
Answer: D
103) In which method of encryption is a single encryption key sent to the receiver so both sender and
receiver share the same key?
103) _____
A) symmetric key encryption B) private key encryption
C) public key encryption D) SSL
Answer: A
104) A digital certificate system 104) _____
A) uses tokens to validate a user's identity.
B) uses third-party CAs to validate a user's identity.
C) uses digital signatures to validate a user's identity.
D) is used primarily by individuals for personal correspondence.
Answer: B
105) Downtime refers to periods of time in which a 105) _____
A) computer is not online.
B) corporation or organization is not operational.
C) computer system is malfunctioning.
D) computer system is not operational.
Answer: D
106) Online transaction processing requires 106) _____
A) more processing time. B) dedicated phone lines.
C) fault-tolerant computer systems. D) a large server network.
Answer: C
107) In controlling network traffic to minimize slow-downs, a technology called ________ is used to
examine data files and sort low-priority data from high-priority data.
107) _____
A) application proxy filtering B) stateful inspection
C) deep-packet inspection D) high availability computing
Answer: C
108) The development and use of methods to make computer systems recover more quickly after
mishaps is called
108) _____
A) fault tolerant computing. B) disaster recovery planning.
C) high availability computing. D) recovery oriented computing.
Answer: D
109) Smaller firms can outsource security functions to 109) _____
A) CSOs B) MISs C) CAs D) MSSPs
Answer: D
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
110) A practice in which eavesdroppers drive by buildings or park outside and try to
intercept wireless network traffic is referred to as ________.
110) ____________
Answer: war driving
111) ________ refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems.
111) ____________
Answer: Security
112) ________ are methods, policies, and organizational procedures that ensure the safety of
the organization’s assets, the accuracy and reliability of its records, and operational
adherence to management standards.
112) ____________
Answer: Controls
113) Large public networks, such as the Internet, are more ________ than internal networks
because they are virtually open to anyone.
113) ____________
Answer: vulnerable
114) A fixed Internet address creates a ________ target for hackers. 114) ____________
Answer: fixed
115) Malicious software programs are referred to as ________. 115) ____________
Answer: malware
116) A ________ is a rogue software program that attaches itself to other software programs
or data files in order to be executed, usually without user knowledge or permission.
116) ____________
Answer: virus
117) ________ are independent computer programs that copy themselves from one computer
to other computers over a network.
117) ____________
Answer: Worms
118) A ________ is a software program that appears to be benign but then does something
other than expected.
118) ____________
Answer: Trojan horse
119) A ________ is an individual who intends to gain unauthorized access to a computer
system.
119) ____________
Answer: hacker
120) The term ________ is typically used to denote a hacker with criminal intent. 120) ____________
Answer: cracker
121) ________ is the intentional disruption, defacement, or even destruction of a Web site or
corporate information system.
121) ____________
Answer: Cybervandalism
122) ________ also may involve redirecting a Web link to an address different from the
intended one, with the site masquerading as the intended destination.
122) ____________
Answer: Spoofing
123) A ________ is a type of eavesdropping program that monitors information travelling
over a network.
123) ____________
Answer: sniffer
124) In a ________, hackers flood a network server or Web server with many thousands of
false communications or requests for services to crash the network.
124) ____________
Answer: denial-of-service (DoS) attack
125) ________ involves setting up fake Web sites or sending e-mail messages that look like
those of legitimate businesses to ask users for confidential personal data.
125) ____________
Answer: Phishing
126) ________ redirects users to a bogus Web page, even when the individual types the
correct Web page address into his or her browser.
126) ____________
Answer: Pharming
127) ________ occurs when an individual or computer program fraudulently clicks on an
online ad without any intention of learning more about the advertiser or making a
purchase.
127) ____________
Answer: Click fraud
128) ________ is tricking people into revealing their passwords or other information by
pretending to be legitimate users or members of a company in need of information.
128) ____________
Answer: Social engineering
129) Growing complexity and size of software programs, coupled with demands for timely
delivery to markets, have contributed to an increase in software ________ or
vulnerabilities.
129) ____________
Answer: flaws
130) ________ defects cannot be achieved in larger programs. 130) ____________
Answer: Zero
131) Many firms are reluctant to spend heavily on security because it is not directly related to
________.
131) ____________
Answer: sales revenue
132) ________ controls are specific controls unique to each computerized application, such as
payroll or order processing.
132) ____________
Answer: Application
133) ________ controls establish that data are complete and accurate during updating. 133) ____________
Answer: Processing
134) ________ controls ensure that the results of computer processing are accurate, complete,
and properly distributed.
134) ____________
Answer: Output
135) A ________ determines the level of risk to the firm if a specific activity or process is not
properly controlled.
135) ____________
Answer: risk assessment
136) A ________ includes statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals.
136) ____________
Answer: security policy
137) An ________ defines acceptable uses of the firm’s information resources and computing
equipment, including desktop and laptop computers, wireless devices, telephones, and
the Internet.
137) ____________
Answer: acceptable-use policy (AUP)
138) ________ devises plans for the restoration of computing and communications services
after they have been disrupted.
138) ____________
Answer: Disaster recovery planning
139) A ________ is a physical device, similar to an identification card, that is designed to
prove the identity of a single user.
139) ____________
Answer: token
140) A ________ is a device about the size of a credit card that contains a chip formatted with
access permission and other data.
140) ____________
Answer: smart card
141) ________ uses systems that read and interpret individual human traits, such as
fingerprints, irises, and voices, in order to grant or deny access.
141) ____________
Answer: Biometric authentication
142) A ________ is a combination of hardware and software that controls the flow of
incoming and outgoing network traffic.
142) ____________
Answer: firewall
143) ________ examines selected fields in the headers of data packets flowing back and forth
between the trusted network and the Internet, examining individual packets in isolation.
143) ____________
Answer: Packet filtering
144) ________ feature full-time monitoring tools placed at the most vulnerable points or “hot
spots” of corporate networks to detect and deter intruders continually.
144) ____________
Answer: Intrusion detection systems
145) ________ is designed to check computer systems and drives for the presence of
computer viruses.
145) ____________
Answer: Antivirus software
146) ________ is the process of transforming plain text or data into cipher text that cannot be
read by anyone other than the sender and the intended receiver.
146) ____________
Answer: Encryption
147) ________ encryption uses two keys: one shared (or public) and one private. 147) ____________
Answer: Public key
148) A ________ system uses a trusted third party, known as a certificate authority (CA), to
validate a user’s identity.
148) ____________
Answer: digital certificate
149) ________ computer systems contain redundant hardware, software, and power supply
components that create an environment that provides continuous, uninterrupted service.
149) ____________
Answer: Fault-tolerant
150) Malicious software programs referred to as ________ include a variety of threats such as
computer viruses, worms, and Trojan horses.
150) ____________
Answer: malware
151) ________ is a crime in which an imposter obtains key pieces of personal information to
impersonate someone else.
151) ____________
Answer: Identity theft
152) ________ is the scientific collection, examination, authentication, preservation, and
analysis of data held on or retrieved from computer storage media in such a way that the
information can be used as evidence in a court of law.
152) ____________
Answer: Computer forensics
153) On the whole, ________ controls apply to all computerized applications and consist of a
combination of hardware, software, and manual procedures that create an overall
control environment.
153) ____________
Answer: general
154) A(n) ________ examines the firm's overall security environment as well as the controls
governing individual information systems.
154) ____________
Answer: MIS audit
155) ________ consists of all the policies and procedures a company uses to prevent improper
entry to systems by unauthorized insiders and outsiders.
155) ____________
Answer: Access control
156) ________ refers to the ability to know that a person is who he or she claims to be. 156) ____________
Answer: Authentication
157) Comprehensive security management products, with tools for firewalls, VPNs, intrusion
detection systems, and more, are called ________ systems.
157) ____________
Answer: unified threat management
158) When errors are discovered in software programs, the sources of the errors are found
and eliminated through a process called ________.
158) ____________
Answer: debugging
ESSAY. Write your answer in the space provided or on a separate sheet of paper.
159) Discuss the issue of security challenges on the Internet as that issue applies to a global enterprise. List at least
five Internet security challenges.
Answer: Large public networks, including the Internet, are more vulnerable because they are virtually open to
anyone and because they are so huge that when abuses do occur, they can have an enormously
widespread impact. When the Internet becomes part of the corporate network, the organization's
information systems can be vulnerable to actions from outsiders. Computers that are constantly
connected to the Internet via cable modem or DSL line are more open to penetration by outsiders
because they use a fixed Internet address where they can be more easily identified. The fixed Internet
address creates the target for hackers. To benefit from electronic commerce, supply chain
management, and other digital business processes, companies need to be open to outsiders such as
customers, suppliers, and trading partners. Corporate systems must be extended outside the
organization so that employees working with wireless and other mobile computing devices can access
them. This requires a new security culture and infrastructure, allowing corporations to extend their
security policies to include procedures for suppliers and other business partners.
160) How can a firm's security policies contribute and relate to the six main business objectives? Give examples.
Answer: Operational excellence: Security policies are essential to operational excellence. A firm's daily
transactions can be severely disrupted by cybercrime such as hackers. A firm's efficiency relies on
accurate data. In addition, information assets have tremendous value, and the repercussions can be
devastating if they are lost, destroyed, or placed in the wrong hands.
New products, services, business models. Security policies protect a company's ideas for new
products and services, which could be stolen by competitors. Additionally, enhanced security could be
seen by a customer as a way to differentiate your product.
Customer and supplier intimacy: Customers rely on your security if they enter personal data
into your information system, for example, credit card information into your e-commerce site. The
information you receive from customers and suppliers directly affects how able you are to customize
your product, service, or communication with them.
Improved decision making: Secure systems make data accuracy a priority, and good decision
making relies on accurate and timely data. Lost and inaccurate data would lead to compromised
decision making.
Competitive advantage: The knowledge that your firm has superior security to another's
would, on an otherwise level playing field, make your firm more attractive to do business with. Also,
improved decision-making, new products and services, which are also affected by security (see
above), will contribute to a firm's competitive advantage. Strong security and control also increase
employee productivity and lower operational costs.
Survival: New laws and regulations make keeping your security system up-to-date a matter of
survival. Inadequate security and control may result in serious legal liability. Firms have been
destroyed by errors in security policies.
161) Three major concerns of system builders and users are disaster, security, and human error. Of the three,
which do you think is most difficult to deal with? Why?
Answer: Disaster might be the most difficult because it is unexpected, broad-based, and frequently life
threatening. In addition, the company cannot know if the disaster plan will work until a disaster
occurs, and then it's too late to make corrections.
Security might be the most difficult because it is an ongoing problem, new viruses are devised
constantly, and hackers get smarter every day. Furthermore, damage done by a trusted employee from
inside cannot be obviated by system security measures.
Human error might be most difficult because it isn't caught until too late, and the
consequences may be disastrous. Also, administrative error can occur at any level and through any
operation or procedure in the company.
162) What are the security challenges faced by wireless networks?
Answer: Wireless networks are vulnerable because radio frequency bands are easy to scan. Both Bluetooth and
Wi-Fi networks are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the
802.11 standard can be easily penetrated by outsiders armed with laptops, wireless cards, external
antennae, and hacking software. Hackers use these tools to detect unprotected networks, monitor
network traffic, and, in some cases, gain access to the Internet or to corporate networks. Wi-Fi
transmission technology was designed to make it easy for stations to find and hear one another. The
service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple
times and can be picked up fairly easily by intruders' sniffer programs. Wireless networks in many
locations do not have basic protections against war driving, in which eavesdroppers drive by
buildings or park outside and try to intercept wireless network traffic. A hacker can employ an 802.11
analysis tool to identify the SSID. An intruder that has associated with an access point by using the
correct SSID is capable of accessing other resources on the network, using the Windows operating
system to determine which other users are connected to the network, access their computer hard
drives, and open or copy their files. Intruders also use the information they have gleaned to set up
rogue access points on a different radio channel in physical locations close to users to force a user's
radio NIC to associate with the rogue access point. Once this association occurs, hackers using the
rogue access point can capture the names and passwords of unsuspecting users.
163) Why is software quality important to security? What specific steps can an organization take to ensure
software quality?
Answer: Software errors pose a constant threat to information systems, causing untold losses in productivity.
Growing complexity and size of software programs, coupled with demands for timely delivery to
markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with
software is the presence of hidden bugs or program code defects. Studies have shown that it is
virtually impossible to eliminate all bugs from large programs. Flaws in commercial software not only
impede performance but also create security vulnerabilities that open networks to intruders. To
correct software flaws once they are identified, the software vendor creates small pieces of software
called patches to repair the flaws without disturbing the proper operation of the software.
Organizations must maintain best efforts to both make sure purchased software is up to date and
make sure their own software and programming is as bug-free as possible by employing software
metrics and rigorous software testing. Ongoing use of metrics allows the information systems
department and end users to jointly measure the performance of the system and identify problems as
they occur. Examples of software metrics include the number of transactions that can be processed in a
specified unit of time, online response time, the number of payroll checks printed per hour, and the
number of known bugs per hundred lines of program code. For metrics to be successful, they must be
carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will
contribute significantly to system quality. Good testing begins before a software program is even
written by using a walkthrough, a review of a specification or design document by a small group of
people carefully selected based on the skills needed for the particular objectives being tested. Once
developers start writing software programs, coding walkthroughs also can be used to review program
code. However, code must be tested by computer runs. When errors are discovered, the source is
found and eliminated through a process called debugging.
164) Hackers and their companion viruses are an increasing problem, especially on the Internet. What are the
most important measures for a firm to take to protect itself from this? Is full protection feasible? Why or
why not?
Answer: For protection, a company must institute good security measures, which will include firewalls,
investigation of personnel to be hired, physical and software security and controls, antivirus software,
and internal education measures. These measures are best put in place at the time the system is
designed, and careful attention paid to them. A prudent company
will engage in disaster protection measures, frequent updating of security software, and frequent
auditing of all security measures and of all data upon which the company depends. Full protection
may not be feasible in light of the time and expenses involved, but a risk analysis can provide insights
into which areas are most important and vulnerable. These are the areas to protect first.
165) You have just been hired as a security consultant by MegaMalls Inc., a national chain of retail malls, to make
sure that the security of their information systems is up to par. Outline the steps you will take to achieve this.
Answer: 1. Establish what data and processes are important and essential to the company. Determine what
external and internal information is essential to the different employee roles in the company.
2. Conduct an MIS audit, a security audit, and create a risk assessment analysis
3. Establish what legal/governmental/industry standards need to be adhered to and which
international standards are relevant.
4. Conduct a business impact analysis and determine a disaster recovery and business continuity
plan.
5. Create a security policy that defines an acceptable use policy, authorization policies and processes.
6. Plan for any change management needed.
7. Determine how the success of your policy will be measured and set up means for measuring this.
8. Implement such policies
9. Measure and evaluate the effectiveness of the policy and make any additional adjustments.
166) What is a digital certificate? How does it work?
Answer: Digital certificates are data files used to establish the identity of users and electronic assets for
protection of online transactions. A digital certificate system uses a trusted third party, known as a
certification authority, to validate a user's identity. The CA verifies a digital certificate user's identity
offline. This information is put into a CA server, which generates an encrypted digital certificate
containing owner identification information and a copy of the owner's public key. The certificate
authenticates that the public key belongs to the designated owner. The CA makes its own public key
available publicly either in print or perhaps on the Internet. The recipient of an encrypted message
uses the CA's public key to decode the digital certificate attached to the message, verifies it was issued
by the CA, and then obtains the sender's public key and identification information contained in the
certificate. Using this information, the recipient can send an encrypted reply. The digital certificate
system would enable, for example, a credit card user and a merchant to validate that their digital
certificates were issued by an authorized and trusted third party before they exchange data. Public key
infrastructure (PKI), the use of public key cryptography working with a certificate authority, is now
widely used in e-commerce.
167) Define a fault-tolerant computer system and a high-availability computer system. How do they differ? When
would each be used?
Answer: Both systems use backup hardware resources. Fault-tolerant computer systems contain extra memory
chips, processors, and disk storage devices that can back the system up and keep it running to prevent
a system failure. High-availability computing places the emphasis on quick recovery from a system
crash. A high-availability system includes redundant servers, mirroring, load balancing, clustering,
storage area networks, and a good disaster recovery plan. The main difference between them is that
fault-tolerant computer systems don't go down; high-availability computer systems go down, but can
recover quickly.
Companies needing a technology platform with 100 percent, 24-hour system availability use
fault-tolerant computer systems. High-availability computing environments are a minimum
requirement for firms with heavy electronic commerce processing or that depend on digital networks
for their internal operations.
168) How is the security of a firm's information system and data affected by its people, organization, and
technology? Is the contribution of one of these dimensions any more important than the other? Why?
Answer: There are various technological essentials to protecting an information system: firewalls,
authentication, encryption, anti-virus protection etc. Without technology implemented correctly, there
is no security. A firm's employees are its greatest threat, in terms of embezzlement and insider fraud,
errors, and lax enforcement of security policies. Probably the most important dimension is
organization, because this is what determines a firm's business processes and policies. The firm's
information policies can most enhance security by stressing intelligent design of security systems,
appropriate use of security technology, and the usability of its security processes.
169) Robert is in charge of security and control at his financial trading firm. He needs to approach management
about investing large sums of money to the area of security and control. He knows that it will be a hard sell
to this group because they are very focused on sales revenue and this is not directly related to that. Give
Robert some arguments that he might use to convince the board to invest these funds in security and control.
Answer: Protecting information systems is so critical to the operation of the business that it deserves to be funded
and made a priority in the firm.
The firm has very valuable information assets to protect. Our systems house confidential
information about individuals’ taxes, financial assets, medical records, and job performance reviews.
They also contain information on corporate operations, including trade secrets, new product
development plans, and marketing strategies. One study estimated that when the security of a large
firm is compromised, the company loses approximately 2.1 percent of its market value within two
days of the security breach, which translates into an average loss of $1.65 billion in stock market value
per incident. Inadequate security and control may result in serious legal liability. Businesses must
protect not only their own information assets but also those of customers, employees, and business
partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An
organization can be held liable for needless risk and harm created if the organization fails to take
appropriate protective action to prevent loss of confidential information, data corruption, or breach of
privacy. A sound security and control framework that protects business information assets can thus
produce a high return on investment. Strong security and control also increase employee
productivity and lower operational costs.
170) Sally is the CEO of a chain of health clinics in Ontario. She is growing more and more concerned about the
security of records in her company. She is wondering about the legal and regulatory requirements for
electronic record management in Canada. What would you advise Sally about the legal and regulatory
requirements for electronic record management in Canada?
Answer: Recent Canadian government regulations are forcing companies to take security and control more
seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms
face new legal obligations for the retention and storage of electronic records as well as for privacy
protection. If you work in the health care industry, your firm will need to comply with the provincial
health information privacy legislation mandated in several provinces or with the original Canada
Privacy Act or the newer Personal Information Protection and Electronic Documents Act (PIPEDA). These
acts specify privacy, security, and electronic transaction standards for health care providers handling
patient information, providing penalties for breaches of medical privacy or disclosure of patient
records.
Almost all organizations, specifically those that conduct transactions, must conform to the
Personal Information Protection and Electronic Documents Act. In 2002, the Ontario Legislature passed
Bill 198, known as Canadian SOX, or C-SOX, in response to the U.S. Sarbanes-Oxley Act. It imposes
responsibility on companies and their management to safeguard the accuracy and integrity of financial
information that is used internally and released externally. One of the Learning Tracks for this chapter
discusses C-SOX in detail. C-SOX is fundamentally about ensuring that internal controls are in place
to govern the creation and documentation of information in financial statements. Because information
systems are used to generate, store, and transport such data, the legislation requires firms to consider
information systems security and other controls required to ensure the integrity, confidentiality, and
accuracy of their data. Each system application that deals with critical financial reporting data requires
controls to make sure the data are accurate. Controls
to secure the corporate network, prevent unauthorized access to systems and data, and ensure data
integrity and availability in the event of disaster or other disruption of service are essential as well.
171) Bob wants to use encryption tools in his firm but he is not sure if he should use public key or private key
encryption. He really doesn't understand the differences between the two. Describe the two types of
encryption for Bob.
Answer: There are two alternative methods of encryption: symmetric key encryption and public key
encryption. In symmetric key encryption, the sender and receiver establish a secure Internet session by
creating a single encryption key and sending it to the receiver so both the sender and receiver share
the same key. The strength of the encryption key is measured by its bit length. Today, a typical key
will be 128 bits long (a string of 128 binary digits).
The problem with all symmetric encryption schemes is that the key itself must be shared
somehow among the senders and receivers, which exposes the key to outsiders who might just be able
to intercept and decrypt the key. A more secure form of encryption called public key encryption uses
two keys: one shared (or public) and one totally private. The keys are mathematically related so that
data encrypted with one key can be decrypted using only the other key. To send and receive messages,
communicators first create separate pairs of private and public keys. The public key is kept in a
directory and the private key must be kept secret. The sender encrypts a message with the recipient’s
public key. On receiving the message, the recipient uses his or her private key to decrypt it.
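To make the mechanisms in answers 166 and 171 concrete, here is an added example that is not part of the exam or its textbook. It uses textbook-sized RSA primes (far too small for real use, and with no padding) so that the two properties the answers state are visible in the arithmetic: data encrypted with one key of a pair can be decrypted only with the other, and a certificate authority binds a subject's name to its public key by signing it with the CA's private key, so anyone holding the CA's public key can verify that binding before trusting the subject's key. The names Alice, Bob and "Toy CA", the primes, and all function names are constructed for this illustration.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes.

    p and q are tiny here (constructed values) so the arithmetic is visible;
    real keys use primes hundreds of digits long. Returns (public, private).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def apply_key(key, m):
    """Raise m to the key's exponent mod n; the two halves of a pair undo each other."""
    exp, n = key
    return pow(m, exp, n)


def encrypt(pub, data):
    """Encrypt one byte per block under the recipient's PUBLIC key.

    Toy scheme: deterministic and unpadded, so equal bytes give equal blocks.
    Real systems pad, and usually wrap a symmetric session key instead.
    """
    return [apply_key(pub, b) for b in data]


def decrypt(priv, blocks):
    """Only the matching PRIVATE key turns the blocks back into plaintext."""
    return bytes(apply_key(priv, c) for c in blocks)


def _digest(fields, n):
    """Hash the certificate fields to an integer below n (the value the CA signs)."""
    serialized = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(serialized).digest(), "big") % n


def issue_certificate(ca_priv, subject, subject_pub):
    """CA step: bind a subject's name to its public key and sign with the CA private key."""
    fields = {"subject": subject, "public_key": subject_pub, "issuer": "Toy CA"}
    signature = apply_key(ca_priv, _digest(fields, ca_priv[1]))
    return {**fields, "signature": signature}


def verify_certificate(ca_pub, cert):
    """Relying-party step: the CA's PUBLIC key undoes the signature; it must equal the hash."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return apply_key(ca_pub, cert["signature"]) == _digest(fields, ca_pub[1])


def demo():
    """Run the exchange the answers describe and return what each side ends up with."""
    ca_pub, ca_priv = make_keypair(1009, 1013)          # constructed CA key pair
    alice_pub, alice_priv = make_keypair(61, 53)        # constructed subject key pair
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)

    # Bob trusts only the CA's public key; he takes Alice's key from the
    # certificate only because the CA's signature over it checks out.
    cert_ok = verify_certificate(ca_pub, cert)
    ciphertext = encrypt(cert["public_key"], b"order #42")
    plaintext = decrypt(alice_priv, ciphertext)         # Alice alone can read it

    # A certificate whose subject was altered after signing no longer verifies.
    forged = dict(cert, subject="mallory@example.com")
    return {
        "cert_ok": cert_ok,
        "forged_ok": verify_certificate(ca_pub, forged),
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that Bob never needs Alice's public key in advance: he needs only the CA's public key, which the answer to 166 says the CA publishes. Everything else he learns from the certificate, and the signature check is what stops an intruder from substituting a different name or key.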
1) FALSE
2) FALSE
3) FALSE
4) FALSE
5) FALSE
6) FALSE
7) TRUE
8) TRUE
9) TRUE
10) TRUE
11) TRUE
12) TRUE
13) TRUE
14) TRUE
15) FALSE
16) FALSE
17) FALSE
18) TRUE
19) TRUE
20) TRUE
21) FALSE
22) FALSE
23) FALSE
24) TRUE
25) TRUE
26) TRUE
27) TRUE
28) TRUE
29) TRUE
30) FALSE
31) TRUE
32) TRUE
33) TRUE
34) TRUE
35) TRUE
36) FALSE
37) FALSE
38) TRUE
39) FALSE
40) FALSE
41) FALSE
42) TRUE
43) TRUE
44) TRUE
45) TRUE
46) FALSE
47) B
48) B
49) D
50) B
51) B
52) C
53) C
54) D
55) D
56) C
57) A
58) C
59) C
60) B
61) B
62) B
63) C
64) C
65) B
66) B
67) D
68) D
69) D
70) D
71) A
72) D
73) A
74) C
75) C
76) A
77) B
78) A
79) C
80) A
81) C
82) D
83) D
84) C
85) A
86) A
87) B
88) C
89) B
90) A
91) A
92) A
93) B
94) B
95) D
96) B
97) C
98) C
99) B
100) C
101) A
102) D
103) A
104) B
105) D
106) C
107) C
108) D
109) D
110) war driving
111) Security
112) Controls
113) vulnerable
114) fixed
115) malware
116) virus
117) Worms
118) Trojan horse
119) hacker
120) cracker
121) Cybervandalism
122) Spoofing
123) sniffer
124) denial-of-service (DoS) attack
125) Phishing
126) Pharming
127) Click fraud
128) Social engineering
129) flaws
130) Zero
131) sales revenue
132) Application
133) Processing
134) Output
135) risk assessment
136) security policy
137) acceptable-use policy (AUP)
138) Disaster recovery planning
139) token
140) smart card
141) Biometric authentication
142) firewall
143) Packet filtering
144) Intrusion detection systems
145) Antivirus software
146) Encryption
147) Public key
148) digital certificate
149) Fault-tolerant
150) malware
151) Identity theft
152) Computer forensics
153) general
154) MIS audit
155) Access control
156) Authentication
157) unified threat management
158) debugging
159) Large public networks, including the Internet, are more vulnerable because they are virtually open to anyone and
because they are so huge that when abuses do occur, they can have an enormously widespread impact. When the
Internet becomes part of the corporate network, the organization's information systems can be vulnerable to actions
from outsiders. Computers that are constantly connected to the Internet via cable modem or DSL line are more
open to penetration by outsiders because they use a fixed Internet address where they can be more easily identified.
The fixed Internet address creates the target for hackers. To benefit from electronic commerce, supply chain
management, and other digital business processes, companies need to be open to outsiders such as customers,
suppliers, and trading partners. Corporate systems must be extended outside the organization so that employees
working with wireless and other mobile computing devices can access them. This requires a new security culture
and infrastructure, allowing corporations to extend their security policies to include procedures for suppliers and
other business partners.
160) Operational excellence: Security policies are essential to operational excellence. A firm's daily transactions can be
severely disrupted by cybercrime such as hackers. A firm's efficiency relies on accurate data. In addition,
information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or
placed in the wrong hands.
New products, services, business models. Security policies protect a company's ideas for new products and
services, which could be stolen by competitors. Additionally, enhanced security could be seen by a customer as a
way to differentiate your product.
Customer and supplier intimacy: Customers rely on your security if they enter personal data into your
information system, for example, credit card information into your e-commerce site. The information you receive
from customers and suppliers directly affects how able you are to customize your product, service, or
communication with them.
Improved decision making: Secure systems make data accuracy a priority, and good decision making relies
on accurate and timely data. Lost and inaccurate data would lead to compromised decision making.
Competitive advantage: The knowledge that your firm has superior security to another's would, on an
otherwise level playing field, make your firm more attractive to do business with. Also, improved decision-making,
new products and services, which are also affected by security (see above), will contribute to a firm's competitive
advantage. Strong security and control also increase employee productivity and lower operational costs.
Survival: New laws and regulations make keeping your security system up-to-date a matter of survival.
Inadequate security and control may result in serious legal liability. Firms have been destroyed by errors in security
policies.
161) Disaster might be the most difficult because it is unexpected, broad-based, and frequently life threatening. In
addition, the company cannot know if the disaster plan will work until a disaster occurs, and then it's too late to
make corrections.
Security might be the most difficult because it is an ongoing problem, new viruses are devised constantly,
and hackers get smarter every day. Furthermore, damage done by a trusted employee from inside cannot be
obviated by system security measures.
Human error might be most difficult because it isn't caught until too late, and the consequences may be
disastrous. Also, administrative error can occur at any level and through any operation or procedure in the
company.
162) Wireless networks are vulnerable because radio frequency bands are easy to scan. Both Bluetooth and Wi-Fi
networks are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the 802.11 standard can
be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software.
Hackers use these tools to detect unprotected networks, monitor network traffic, and, in some cases, gain access to
the Internet or to corporate networks. Wi-Fi transmission technology was designed to make it easy for stations to
find and hear one another. The service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are
broadcast multiple times and can be picked up fairly easily by intruders' sniffer programs. Wireless networks in
many locations do not have basic protections against war driving, in which eavesdroppers drive by buildings or
park outside and try to intercept wireless network traffic. A hacker can employ an 802.11 analysis tool to identify
the SSID. An intruder that
has associated with an access point by using the correct SSID is capable of accessing other resources on the network,
using the Windows operating system to determine which other users are connected to the network, access their
computer hard drives, and open or copy their files. Intruders also use the information they have gleaned to set up
rogue access points on a different radio channel in physical locations close to users to force a user's radio NIC to
associate with the rogue access point. Once this association occurs, hackers using the rogue access point can capture
the names and passwords of unsuspecting users.
163) Software errors pose a constant threat to information systems, causing untold losses in productivity. Growing
complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed
to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden bugs or
program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs.
Flaws in commercial software not only impede performance but also create security vulnerabilities that open
networks to intruders. To correct software flaws once they are identified, the software vendor creates small pieces
of software called patches to repair the flaws without disturbing the proper operation of the software.
Organizations must maintain best efforts to both make sure purchased software is up to date and make sure their
own software and programming is as bug-free as possible by employing software metrics and rigorous software
testing. Ongoing use of metrics allows the information systems department and end users to jointly measure the
performance of the system and identify problems as they occur. Examples of software metrics include the number
of transactions that can be processed in a specified unit of time, online response time, the number of payroll checks
printed per hour, and the number of known bugs per hundred lines of program code. For metrics to be successful,
they must be carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will
contribute significantly to system quality. Good testing begins before a software program is even written by using a
walkthrough, a review of a specification or design document by a small group of people carefully selected based on
the skills needed for the particular objectives being tested. Once developers start writing software programs, coding
walkthroughs also can be used to review program code. However, code must be tested by computer runs. When
errors are discovered, the source is found and eliminated through a process called debugging.
164) For protection, a company must institute good security measures, which will include firewalls, investigation of
personnel to be hired, physical and software security and controls, antivirus software, and internal education
measures. These measures are best put in place at the time the system is designed, and careful attention paid to
them. A prudent company will engage in disaster protection measures, frequent updating of security software, and
frequent auditing of all security measures and of all data upon which the company depends. Full protection may
not be feasible in light of the time and expenses involved, but a risk analysis can provide insights into which areas
are most important and vulnerable. These are the areas to protect first.
165) 1. Establish what data and processes are important and essential to the company. Determine what external and
internal information is essential to the different employee roles in the company.
2. Conduct an MIS audit, a security audit, and create a risk assessment analysis
3. Establish what legal/governmental/industry standards need to be adhered to and which international standards
are relevant.
4. Conduct a business impact analysis and determine a disaster recovery and business continuity plan.
5. Create a security policy that defines an acceptable use policy, authorization policies and processes.
6. Plan for any change management needed.
7. Determine how the success of your policy will be measured and set up means for measuring this.
8. Implement such policies
9. Measure and evaluate the effectiveness of the policy and make any additional adjustments.
166) Digital certificates are data files used to establish the identity of users and electronic assets for protection of online
transactions. A digital certificate system uses a trusted third party, known as a certification authority, to validate a
user's identity. The CA verifies a digital certificate user's identity offline. This information is put into a CA server,
which generates an encrypted digital certificate containing owner identification information and a copy of the
owner's public key. The certificate authenticates that the public key belongs to the designated owner. The CA
makes its own public key available publicly either in print or perhaps on the Internet. The recipient of an encrypted
message uses the CA's public key to decode the digital certificate attached to the message, verifies it was issued by
the CA, and then obtains the sender's public key and identification information contained in the certificate. Using
this information, the recipient can send an encrypted reply. The digital certificate system would enable, for
example, a credit card user and a merchant to validate that their digital certificates were issued by an authorized
and trusted third party before they exchange data. Public key infrastructure (PKI), the use of public key
cryptography working with a certificate authority, is now widely used in e-commerce.
167) Both systems use backup hardware resources. Fault-tolerant computer systems contain extra memory chips,
processors, and disk storage devices that can back the system up and keep it running to prevent a system failure.
High-availability computing places the emphasis on quick recovery from a system crash. A high-availability system
includes redundant servers, mirroring, load balancing, clustering, storage area networks, and a good disaster
recovery plan. The main difference between them is that fault-tolerant computer systems don't go down;
high-availability computer systems go down, but can recover quickly.
Companies needing a technology platform with 100 percent, 24-hour system availability use fault-tolerant
computer systems. High-availability computing environments are a minimum requirement for firms with heavy
electronic commerce processing or that depend on digital networks for their internal operations.
168) There are various technological essentials to protecting an information system: firewalls, authentication, encryption,
antivirus protection, etc. Without technology implemented correctly, there is no security. A firm's employees are its
greatest threat, in terms of embezzlement and insider fraud, errors, and lax enforcement of security policies.
Probably the most important dimension is organization, because this is what determines a firm's business processes
and policies. The firm's information policies can most enhance security by stressing intelligent design of security
systems, appropriate use of security technology, and the usability of its security processes.
169) Protecting information systems is so critical to the operation of the business that it deserves to be funded and made a
priority in the firm.
The firm has very valuable information assets to protect. Our systems house confidential information about
individuals’ taxes, financial assets, medical records, and job performance reviews. They also contain information on
corporate operations, including trade secrets, new product development plans, and marketing strategies. One
study estimated that when the security of a large firm is compromised, the company loses approximately 2.1
percent of its market value within two days of the security breach, which translates into an average loss of $1.65
billion in stock market value per incident. Inadequate security and control may result in serious legal liability.
Businesses must protect not only their own information assets but also those of customers, employees, and business
partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An organization can be
held liable for needless risk and harm created if the organization fails to take appropriate protective action to
prevent loss of confidential information, data corruption, or breach of privacy. A sound security and control
framework that protects business information assets can thus produce a high return on investment. Strong
security and control also increase employee productivity and lower operational costs.
170) Recent Canadian government regulations are forcing companies to take security and control more seriously by
mandating the protection of data from abuse, exposure, and unauthorized access. Firms face new legal obligations
for the retention and storage of electronic records as well as for privacy protection. If you work in the health care
industry, your firm will need to comply with the provincial health information privacy legislation mandated in
several provinces or with the original Canada Privacy Act or the newer Personal Information Protection and Electronic
Documents Act (PIPEDA). These acts specify privacy, security, and electronic transaction standards for health care
providers handling patient information, providing penalties for breaches of medical privacy or disclosure of patient
records.
Almost all organizations, specifically those that conduct transactions, must conform to the Personal
Information Protection and Electronic Documents Act. In 2002, the Ontario Legislature passed Bill 198, known as
Canadian SOX, or C-SOX, in response to the U.S. Sarbanes-Oxley Act. It imposes responsibility on companies and
their management to safeguard the accuracy and integrity of financial information that is used internally and
released externally. One of the Learning Tracks for this chapter discusses C-SOX in detail. C-SOX is fundamentally
about ensuring that internal controls are in place to govern the creation and documentation of information in
financial statements. Because information systems are used to generate, store, and transport such data, the
legislation requires firms to consider information systems security and other controls required to ensure the
integrity, confidentiality, and accuracy of their data. Each system application that deals with critical financial
reporting data requires controls to make sure the data are accurate. Controls to secure the corporate network,
prevent unauthorized access to systems and data, and ensure data integrity and availability in the event of disaster
or other disruption of service are essential as well.
171) There are two alternative methods of encryption: symmetric key encryption and public key encryption. In
symmetric key encryption, the sender and receiver establish a secure Internet session by creating a single
encryption key and sending it to the receiver so both the sender and receiver share the same key. The strength of
the encryption key is measured by its bit length. Today, a typical key will be 128 bits long (a string of 128 binary
digits).
The problem with all symmetric encryption schemes is that the key itself must be shared somehow among
the senders and receivers, which exposes the key to outsiders who might just be able to intercept and decrypt the
key. A more secure form of encryption called public key encryption uses two keys: one shared (or public) and one
totally private. The keys are mathematically related so that data encrypted with one key can be decrypted using
only the other key. To send and receive messages, communicators first create separate pairs of private and public
keys. The public key is kept in a directory and the private key must be kept secret. The sender encrypts a message
with the recipient’s public key. On receiving the message, the recipient uses his or her private key to decrypt it.
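As an added illustration of the certificate system in 166 and the public key exchange in 171 (example code, not part of the test bank): a CA signs the merchant's public key, the card holder checks that signature with the CA's public key, and only then encrypts a reply under the merchant's certified key. Textbook RSA over fixed Mersenne primes, the JSON certificate layout and the names "merchant.example" and "ORDER 42" are assumptions for the demo, not secure parameters.

```python
import hashlib
import json

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p, q (textbook RSA, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest_mod(data: bytes, n: int) -> int:
    """SHA-256 of data, reduced mod n so it fits under the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(subject: str, subject_pub, ca_priv):
    """CA step: sign (owner id, owner public key) with the CA private key."""
    body = {"subject": subject, "pub": list(subject_pub)}
    encoded = json.dumps(body, sort_keys=True).encode()
    n, d = ca_priv
    return {"body": body, "sig": pow(digest_mod(encoded, n), d, n)}

def verify_certificate(cert, ca_pub):
    """Check the CA signature with the CA public key; certified key or None."""
    n, e = ca_pub
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    if pow(cert["sig"], e, n) != digest_mod(encoded, n):
        return None
    return tuple(cert["body"]["pub"])

def encrypt(msg: bytes, pub) -> int:
    """Encrypt with the recipient's public key (message must be below n)."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "message too long for this toy modulus"
    return pow(m, e, n)

def decrypt(c: int, priv) -> bytes:
    n, d = priv  # only the holder of d can read the message
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed toy keys: Mersenne primes M127, M107 (CA) and M89, M61 (merchant).
CA_PUB, CA_PRIV = make_keypair((1 << 127) - 1, (1 << 107) - 1)
MERCHANT_PUB, MERCHANT_PRIV = make_keypair((1 << 89) - 1, (1 << 61) - 1)
MERCHANT_CERT = issue_certificate("merchant.example", MERCHANT_PUB, CA_PRIV)

def customer_reply(cert, ca_pub, reply: bytes):
    """Card holder: accept the merchant key only via a valid CA-signed cert."""
    pub = verify_certificate(cert, ca_pub)
    return None if pub is None else encrypt(reply, pub)
```

A certificate whose subject or key has been altered no longer matches the CA's signature, so customer_reply refuses to encrypt anything under it.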