TRUE/FALSE. Write 'T' if the statement is true and 'F' if...


Page 1: TRUE/FALSE. Write 'T' if the statement is true and 'F' if ...s3.amazonaws.com/prealliance_oneclass_sample/AE4J6b4a7B.pdf · 55) Daniel is sitting home one night and is very bored.

Exam

Name___________________________________

TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.

1) The potential for unauthorized access is usually limited to the communications lines of a network. 1) _______

Answer: True False

2) Large public networks, such as the Internet, are less vulnerable than internal networks because they are virtually open to anyone. 2) _______

Answer: True False

3) Malicious software programs are referred to as badware and include a variety of threats, such as computer viruses, worms, and Trojan horses. 3) _______

Answer: True False

4) A computer bacteria is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission. 4) _______

Answer: True False

5) Web 2.0 applications, such as blogs, wikis, and social networking sites such as Facebook and MySpace, are not conduits for malware or spyware. 5) _______

Answer: True False

6) A Trojan horse is a software program that appears threatening but is really benign. 6) _______

Answer: True False

7) Keyloggers record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers. 7) _______

Answer: True False

8) A hacker is an individual who intends to gain unauthorized access to a computer system. 8) _______

Answer: True False

9) The term cracker is typically used to denote a hacker with criminal intent. 9) _______

Answer: True False

10) The term cybervandalism is the intentional disruption, defacement, or even destruction of a Web site or corporate information system. 10) ______

Answer: True False

11) Computer crime is defined as “any criminal activity involving the copy of, use of, removal of, interference with, access to, manipulation of computer systems, and/or their related functions, data or programs”. 11) ______

Answer: True False

12) Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social insurance numbers, driver’s licence numbers, or credit card numbers, to impersonate someone else. 12) ______

Answer: True False


13) Pharming redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser. 13) ______

Answer: True False

14) One increasingly popular tactic is a form of spoofing called phishing. 14) ______

Answer: True False

15) Social Bookmarking is tricking people into revealing their passwords or other information by pretending to be legitimate users or members of a company in need of information. 15) ______

Answer: True False

16) Software errors are no threat to information systems, that could cause untold losses in productivity. 16) ______

Answer: True False

17) Many firms spend heavily on security because it is directly related to sales revenue. 17) ______

Answer: True False

18) Computer forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. 18) ______

Answer: True False

19) General controls govern the design, security, and use of computer programs and the security of data files throughout the organization’s IT infrastructure. 19) ______

Answer: True False

20) Application controls are specific controls unique to each computerized application, such as payroll or order processing. 20) ______

Answer: True False

21) Output controls check data for accuracy and completeness when they enter the system. 21) ______

Answer: True False

22) A risk audit includes statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. 22) ______

Answer: True False

23) Disaster recovery planning devises plans for the restoration of computing and communications services before they have been disrupted. 23) ______

Answer: True False

24) An MIS audit examines the firm’s overall security environment as well as controls governing individual information systems. 24) ______

Answer: True False

25) Authentication refers to the ability to know that a person is who he or she claims to be. 25) ______

Answer: True False

26) An MIS audit examines the firm’s overall security environment as well as controls governing individual information systems. 26) ______

Answer: True False


27) A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. 27) ______

Answer: True False

28) Computers using cable modems to connect to the Internet are more open to penetration than those connecting via dial-up. 28) ______

Answer: True False

29) Wireless networks are vulnerable to penetration because radio frequency bands are easy to scan. 29) ______

Answer: True False

30) The range of Wi-Fi networks can be extended up to two miles by using external antennae. 30) ______

Answer: True False

31) The WEP specification calls for an access point and its users to share the same 40-bit encrypted password. 31) ______

Answer: True False

32) Viruses can be spread through e-mail. 32) ______

Answer: True False

33) Computer worms spread much more rapidly than computer viruses. 33) ______

Answer: True False

34) One form of spoofing involves forging the return address on an e-mail so that the e-mail message appears to come from someone other than the sender. 34) ______

Answer: True False

35) Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports. 35) ______

Answer: True False

36) DoS attacks are used to destroy information and access restricted areas of a company's information system. 36) ______

Answer: True False

37) The most economically damaging kinds of computer crime are e-mail viruses. 37) ______

Answer: True False

38) Zero defects cannot be achieved in larger software programs because fully testing programs that contain thousands of choices and millions of paths would require thousands of years. 38) ______

Answer: True False

39) An acceptable use policy defines the acceptable level of access to information assets for different users. 39) ______

Answer: True False

40) Biometric authentication is the use of physical characteristics such as retinal images to provide identification. 40) ______

Answer: True False


41) Packet filtering catches most types of network attacks. 41) ______

Answer: True False

42) NAT conceals the IP addresses of the organization's internal host computers to deter sniffer programs. 42) ______

Answer: True False

43) SSL is a protocol used to establish a secure connection between two computers. 43) ______

Answer: True False

44) Public key encryption uses two keys. 44) ______

Answer: True False

45) Fault-tolerant computers contain redundant hardware, software, and power supply components. 45) ______

Answer: True False

46) High-availability computing is also referred to as fault tolerance. 46) ______

Answer: True False

MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.

47) ________ are methods, policies, and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards. 47) ______

A) "Algorithms" B) "Controls"

C) "Security" D) "Benchmarking"

Answer: B

48) John clicks into his online banking website. He is ready to type in his password when he notices that something is just not right. Upon further examination he notices that it is not the actual bank site but one that looks almost identical. John was almost a victim of ________. 48) ______

A) a Trojan horse B) spoofing C) worms D) keyloggers

Answer: B

49) Betty downloaded a peer-to-peer file sharing program. She is worried that it might have come with spyware attached to it. She had a friend who had a spyware problem where all of her keystrokes were stolen, which included her bank passwords. Betty's friend was a victim of ________. 49) ______

A) spoofing B) a Trojan horse C) worms D) keyloggers

Answer: D

50) Helen downloaded a greeting card program from the internet. She was surprised that it really didn't do what it was supposed to do. What the program did was send nasty, profane emails to all the people in her contact list. Helen is the victim of ________. 50) ______

A) spoofing B) a Trojan horse C) keyloggers D) worms

Answer: B

51) Robert knows that he got an independent program off of his network on his computer. It deleted all of his spreadsheet files on his hard drive. Robert feels that this problem may have resulted from him opening up an attachment file on his email. Robert is the victim of ________. 51) ______

A) spoofing B) worms C) a Trojan horse D) keyloggers

Answer: B


52) A ________ is a type of eavesdropping program that monitors information travelling over a network. 52) ______

A) worms B) keyloggers C) sniffer D) a Trojan horse

Answer: C

53) ________ involves setting up fake Web sites or sending e-mail messages that look like those of legitimate businesses to ask users for confidential personal data. 53) ______

A) Fishing B) Farming C) Phishing D) Pharming

Answer: C

54) Jimmy Clark is sitting home one night and is very bored. He gets on his computer and starts to surf the net. He comes to a military site. He thinks he might be able to get around the security of the site and into the military computer system. He spends the next two hours trying to find his way into their system. Jimmy is ________. 54) ______

A) a dumpster diver B) a cracker

C) a social engineer D) a hacker

Answer: D

55) Daniel is sitting home one night and is very bored. He gets on his computer and starts to surf the net. He comes to a bank site. He thinks he might be able to get around the security of the site and into the bank computer system. He spends the next two hours trying to find his way into their system. Daniel gets into the system and puts $200 into his account from just some random name he found in the banking system. Daniel is ________. 55) ______

A) a dumpster diver B) a hacker

C) a social engineer D) a cracker

Answer: D

56) Bart Black walks into a local bank. He does not work there but he has a tag on his shirt that reads "IT Department". He goes up to a loans officer and tells him he needs to check the security on the loan officer's computer. Bart sits in front of the keyboard and asks the officer for his username and password. The loan officer gives him the information. Bart then thanks him and leaves the bank. Outside in his car Bart Black gets into the bank system using the information. This loan officer is a victim of ________. 56) ______

A) a hacker B) a cracker

C) social engineering D) dumpster diving

Answer: C

57) ________ defects cannot be achieved in larger programs. 57) ______

A) Zero B) Thirty C) Two D) One hundred

Answer: A

58) Many firms are reluctant to spend heavily on security because ________. 58) ______

A) it is not directly related to sales expense.

B) it is not directly related to sales forecasting.

C) it is not directly related to sales revenue.

D) it is not directly related to sales tax.

Answer: C

59) ________ govern the design, security, and use of computer programs and the security of data files throughout the organization’s IT infrastructure. 59) ______

A) Application controls B) Input controls

C) General controls D) Output controls


Answer: C

60) ________ are specific controls unique to each computerized application, such as payroll or order processing. 60) ______

A) Output controls B) Application controls

C) Input controls D) General controls

Answer: B

61) ________ consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. 61) ______

A) Output control B) Access control C) Input control D) General control

Answer: B

62) ________ is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver. 62) ______

A) Risk audit B) Encryption

C) Application control D) Spoofing

Answer: B

63) ________ refers to policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. 63) ______

A) "Controls" B) "Benchmarking"

C) "Security" D) "Algorithms"

Answer: C

64) ________ refers to all of the methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards. 64) ______

A) "SSID standards" B) "Vulnerabilities"

C) "Controls" D) "Legacy systems"

Answer: C

65) Large amounts of data stored in electronic form are ________ than the same data in manual form. 65) ______

A) more critical to most businesses B) vulnerable to many more kinds of threats

C) less vulnerable to damage D) more secure

Answer: B

66) Electronic data are more susceptible to destruction, fraud, error, and misuse because information systems concentrate data in computer files that 66) ______

A) are not secure because the technology to secure them did not exist at the time the files were created.

B) have the potential to be accessed by large numbers of people and by groups outside of the organization.

C) are frequently available on the Internet.

D) are usually bound up in legacy systems that are difficult to access and difficult to correct in case of error.

Answer: B

67) Specific security challenges that threaten the communications lines in a client/server environment include 67) ______

A) hacking; vandalism; denial of service attacks.

B) theft, copying, alteration of data; hardware or software failure.

C) unauthorized access; errors; spyware.

D) tapping; sniffing; message alteration; radiation.

Answer: D

68) Specific security challenges that threaten clients in a client/server environment include 68) ______

A) hacking; vandalism; denial of service attacks.

B) tapping; sniffing; message alteration; radiation.

C) theft, copying, alteration of data; hardware or software failure.

D) unauthorized access; errors; spyware.

Answer: D

69) Specific security challenges that threaten corporate servers in a client/server environment include 69) ______

A) tapping; sniffing; message alteration; radiation.

B) theft, copying, alteration of data; hardware or software failure.

C) unauthorized access; errors; spyware.

D) hacking; vandalism; denial of service attacks.

Answer: D

70) The Internet poses specific security problems because 70) ______

A) Internet standards are universal. B) everyone uses the Internet.

C) it changes so rapidly. D) it was designed to be easily accessible.

Answer: D

71) The main security problem on the Internet is 71) ______

A) hackers. B) bandwidth theft.

C) natural disasters, such as floods and fires. D) radiation.

Answer: A

72) An independent computer program that copies itself from one computer to another over a network is called a 72) ______

A) bug. B) Trojan horse. C) pest. D) worm.

Answer: D

73) Sobig.F and MyDoom.A are 73) ______

A) worms attached to e-mail that spread from computer to computer.

B) multipartite viruses that can infect files as well as the boot sector of the hard drive.

C) viruses that use Microsoft Outlook to spread to other systems.

D) Trojan horses used to create bot nets.

Answer: A

74) In 2004, ICQ users were enticed by a sales message from a supposed anti-virus vendor. On the vendor's site, a small program called Mitglieder was downloaded to the user's machine. The program enabled outsiders to infiltrate the user's machine. What type of malware is this an example of? 74) ______

A) spyware B) worm C) Trojan horse D) virus

Answer: C

75) Redirecting a Web link to a different address is a form of 75) ______


A) sniffing. B) war driving. C) spoofing. D) snooping.

Answer: C

76) A key logger is a type of 76) ______

A) spyware. B) worm. C) Trojan horse. D) virus.

Answer: A

77) How do hackers create a botnet? 77) ______

A) by infecting Web search bots with malware

B) by causing other people's computers to become "zombie" PCs following a master computer

C) by using Web search bots to infect other computers

D) by infecting corporate servers with "zombie" Trojan horses that allow undetected access through a back door

Answer: B

78) Using numerous computers to inundate and overwhelm the network from numerous launch points is called a ________ attack. 78) ______

A) DDoS B) pharming C) phishing D) DoS

Answer: A

79) Which of the following is NOT an example of a computer used as a target of crime? 79) ______

A) threatening to cause damage to a protected computer

B) accessing a computer system without authority

C) illegally accessing stored electronic communication

D) knowingly accessing a protected computer to commit fraud

Answer: C

80) Which of the following is NOT an example of a computer used as an instrument of crime? 80) ______

A) breaching the confidentiality of protected computerized data

B) intentionally attempting to intercept electronic communication

C) unauthorized copying of software

D) theft of trade secrets

Answer: A

81) Phishing is a form of 81) ______

A) sniffing. B) spinning. C) spoofing. D) snooping.

Answer: C

82) Phishing involves 82) ______

A) using e-mails for threats or harassment.

B) pretending to be a legitimate business's representative in order to garner information about a security system.

C) setting up bogus Wi-Fi hot spots.

D) setting up fake Web sites to ask users for confidential information.

Answer: D

83) Evil twins are 83) ______

A) fraudulent Web sites that mimic a legitimate business's Web site.

B) e-mail messages that mimic the e-mail messages of a legitimate business.

C) Trojan horses that appear to the user to be a legitimate commercial software application.

D) bogus wireless networks that look legitimate to users.

Answer: D


84) Pharming involves 84) ______

A) using e-mails for threats or harassment.

B) pretending to be a legitimate business's representative in order to garner information about a security system.

C) redirecting users to a fraudulent Web site even when the user has typed in the correct address in the Web browser.

D) setting up fake Web sites to ask users for confidential information.

Answer: C

85) You have been hired as a security consultant for a legal firm. Which of the following constitutes the greatest threat, in terms of security, to the firm? 85) ______

A) employees B) wireless network

C) authentication procedures D) lack of data encryption

Answer: A

86) Tricking employees to reveal their passwords by pretending to be a legitimate member of a company is called 86) ______

A) social engineering B) phishing

C) sniffing D) pharming

Answer: A

87) How do software vendors correct flaws in their software after it has been distributed? 87) ______

A) re-release software B) issue patches

C) issue updated versions D) issue bug fixes

Answer: B

88) The most common type of electronic evidence is 88) ______

A) voice-mail. B) instant messages.

C) e-mail. D) spreadsheets.

Answer: C

89) Electronic evidence on computer storage media that is not visible to the average user is called ________ data. 89) ______

A) recovery B) ambient C) forensic D) defragmented

Answer: B

90) Application controls 90) ______

A) can be classified as input controls, processing controls, and output controls.

B) include software controls, computer operations controls, and implementation controls.

C) apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment.

D) govern the design, security, and use of computer programs and the security of data files in general throughout the organization.

Answer: A

91) ________ controls ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. 91) ______

A) Data security B) Administrative

C) Software D) Implementation

Answer: A


92) Analysis of an information system that rates the likelihood of a security incident occurring and its cost is included in a(n) 92) ______

A) risk assessment. B) security policy.

C) AUP. D) business impact analysis.

Answer: A

93) Statements ranking information risks and identifying security goals are included in a(n) 93) ______

A) business impact analysis. B) security policy.

C) risk assessment. D) AUP.

Answer: B

94) An analysis of the firm's most critical systems and the impact a system's outage would have on the business is included in a(n) 94) ______

A) AUP. B) business impact analysis.

C) risk assessment. D) security policy.

Answer: B

95) Rigorous password systems 95) ______

A) are often disregarded by employees.

B) are costly to implement.

C) are one of the most effective security tools.

D) may hinder employee productivity.

Answer: D

96) An authentication token is a(n) 96) ______

A) type of smart card.

B) gadget that displays passcodes.

C) electronic marker attached to a digital authorization file.

D) device the size of a credit card that contains access permission data.

Answer: B

97) Biometric authentication 97) ______

A) only uses physical traits as a measurement.

B) is used widely in Europe for security applications.

C) can use a person's face as a unique, measurable trait.

D) is inexpensive.

Answer: C

98) A firewall allows the organization to 98) ______

A) check the content of all incoming and outgoing e-mail messages.

B) check the accuracy of all transactions between its network and the Internet.

C) enforce a security policy on traffic between its network and the Internet.

D) create an enterprise system on the Internet.

Answer: C

99) In which technique are network communications analyzed to see whether packets are part of an ongoing dialogue between a sender and a receiver? 99) ______

A) application proxy filtering B) stateful inspection

C) intrusion detection system D) packet filtering

Answer: B

100) ________ use scanning software to look for known problems such as bad passwords, the removal of important files, security attacks in progress, and system administration errors. 100) _____

A) Stateful inspections B) Application proxy filtering technologies

C) Intrusion detection systems D) Packet filtering technologies

Answer: C

101) Currently, the protocols used for secure information transfer over the Internet are 101) _____

A) SSL, TLS, and S-HTTP. B) S-HTTP and CA.

C) TCP/IP and SSL. D) HTTP and TCP/IP.

Answer: A

102) Most antivirus software is effective against 102) _____

A) any virus.

B) any virus except those in wireless communications applications.

C) only those viruses active on the Internet and through e-mail.

D) only those viruses already known when the software is written.

Answer: D

103) In which method of encryption is a single encryption key sent to the receiver so both sender and receiver share the same key? 103) _____

A) symmetric key encryption B) private key encryption

C) public key encryption D) SSL

Answer: A

104) A digital certificate system 104) _____

A) uses tokens to validate a user's identity.

B) uses third-party CAs to validate a user's identity.

C) uses digital signatures to validate a user's identity.

D) are used primarily by individuals for personal correspondence.

Answer: B

105) Downtime refers to periods of time in which a 105) _____

A) computer is not online.

B) corporation or organization is not operational.

C) computer system is malfunctioning.

D) computer system is not operational.

Answer: D

106) Online transaction processing requires 106) _____

A) more processing time. B) dedicated phone lines.

C) fault-tolerant computer systems. D) a large server network.

Answer: C

107) In controlling network traffic to minimize slow-downs, a technology called ________ is used to examine data files and sort low-priority data from high-priority data. 107) _____

A) application proxy filtering B) stateful inspection

C) deep-packet inspection D) high availability computing

Answer: C

108) The development and use of methods to make computer systems recover more quickly after mishaps is called 108) _____

A) fault tolerant computing. B) disaster recovery planning.

C) high availability computing. D) recovery oriented computing.

Answer: D

109) Smaller firms can outsource security functions to 109) _____

A) CSOs B) MISs C) CAs D) MSSPs

Answer: D

SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.

110) A practice in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic is referred to as ________. 110) ____________

Answer: war driving

111) ________ refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. 111) ____________

Answer: Security

112) ________ are methods, policies, and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards. 112) ____________

Answer: Controls

113) Large public networks, such as the Internet, are more ________ than internal networks because they are virtually open to anyone. 113) ____________

Answer: vulnerable

114) A fixed Internet address creates a ________ target for hackers. 114) ____________

Answer: fixed

115) Malicious software programs are referred to as ________. 115) ____________

Answer: malware

116) A ________ is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission. 116) ____________

Answer: virus

117) ________ are independent computer programs that copy themselves from one computer to other computers over a network. 117) ____________

Answer: Worms

118) A ________ is a software program that appears to be benign but then does something other than expected. 118) ____________

Answer: Trojan horse

119) A ________ is an individual who intends to gain unauthorized access to a computer system. 119) ____________

Answer: hacker

120) The term ________ is typically used to denote a hacker with criminal intent. 120) ____________

Answer: cracker

121) ________ is the intentional disruption, defacement, or even destruction of a Web site or corporate information system. 121) ____________

Answer: Cybervandalism

122) ________ also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. 122) ____________

Answer: Spoofing

123) A ________ is a type of eavesdropping program that monitors information travelling over a network. 123) ____________

Answer: sniffer

124) In a ________, hackers flood a network server or Web server with many thousands of false communications or requests for services to crash the network. 124) ____________

Answer: denial-of-service (DoS) attack

125) ________ involves setting up fake Web sites or sending e-mail messages that look like those of legitimate businesses to ask users for confidential personal data. 125) ____________

Answer: Phishing

126) ________ redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser. 126) ____________

Answer: Pharming

127) ________ occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase. 127) ____________

Answer: Click fraud

128) ________ is tricking people into revealing their passwords or other information by pretending to be legitimate users or members of a company in need of information. 128) ____________

Answer: Social engineering

129) Growing complexity and size of software programs, coupled with demands for timely

delivery to markets, have contributed to an increase in software ________ or

vulnerabilities.

129) ____________

Answer: flaws

130) ________ defects cannot be achieved in larger programs. 130) ____________

Answer: Zero

131) Many firms are reluctant to spend heavily on security because it is not directly related to

________.

131) ____________

Answer: sales revenue

132) ________ controls are specific controls unique to each computerized application, such as

payroll or order processing.

132) ____________

Answer: Application

133) ________ controls establish that data are complete and accurate during updating. 133) ____________

Answer: Processing

134) ________ controls ensure that the results of computer processing are accurate, complete,

and properly distributed.

134) ____________

Answer: Output

135) A ________ determines the level of risk to the firm if a specific activity or process is not

properly controlled.

135) ____________

Answer: risk assessment

136) A ________ includes statements ranking information risks, identifying acceptable

security goals, and identifying the mechanisms for achieving these goals.

136) ____________

Answer: security policy

137) An ________ defines acceptable uses of the firm’s information resources and computing

equipment, including desktop and laptop computers, wireless devices, telephones, and

the Internet.

137) ____________

Answer: acceptable-use policy (AUP)

138) ________ devises plans for the restoration of computing and communications services

after they have been disrupted.

138) ____________

Answer: Disaster recovery planning

139) A ________ is a physical device, similar to an identification card, that is designed to

prove the identity of a single user.

139) ____________

Answer: token

140) A ________ is a device about the size of a credit card that contains a chip formatted with

access permission and other data.

140) ____________

Answer: smart card

141) ________ uses systems that read and interpret individual human traits, such as

fingerprints, irises, and voices, in order to grant or deny access.

141) ____________

Answer: Biometric authentication

142) A ________ is a combination of hardware and software that controls the flow of

incoming and outgoing network traffic.

142) ____________

Answer: firewall

143) ________ examines selected fields in the headers of data packets flowing back and forth

between the trusted network and the Internet, examining individual packets in isolation.

143) ____________

Answer: Packet filtering

144) ________ feature full-time monitoring tools placed at the most vulnerable points or “hot

spots” of corporate networks to detect and deter intruders continually.

144) ____________

Answer: Intrusion detection systems

145) ________ is designed to check computer systems and drives for the presence of

computer viruses.

145) ____________

Answer: Antivirus software

146) ________ is the process of transforming plain text or data into cipher text that cannot be

read by anyone other than the sender and the intended receiver.

146) ____________

Answer: Encryption

147) ________ encryption uses two keys: one shared (or public) and one private. 147) ____________

Answer: Public key

148) A ________ system uses a trusted third party, known as a certificate authority (CA), to

validate a user’s identity.

148) ____________

Answer: digital certificate

149) ________ computer systems contain redundant hardware, software, and power supply

components that create an environment that provides continuous, uninterrupted service.

149) ____________

Answer: Fault-tolerant

150) Malicious software programs referred to as ________ include a variety of threats such as

computer viruses, worms, and Trojan horses.

150) ____________

Answer: malware

151) ________ is a crime in which an imposter obtains key pieces of personal information to

impersonate someone else.

151) ____________

Answer: Identity theft

152) ________ is the scientific collection, examination, authentication, preservation, and

analysis of data held on or retrieved from computer storage media in such a way that the

information can be used as evidence in a court of law.

152) ____________

Answer: Computer forensics

153) On the whole, ________ controls apply to all computerized applications and consist of a

combination of hardware, software, and manual procedures that create an overall

control environment.

153) ____________

Answer: general

154) A(n) ________ examines the firm's overall security environment as well as the controls

governing individual information systems.

154) ____________

Answer: MIS audit

155) ________ consists of all the policies and procedures a company uses to prevent improper

entry to systems by unauthorized insiders and outsiders.

155) ____________

Answer: Access control

156) ________ refers to the ability to know that a person is who he or she claims to be. 156) ____________

Answer: Authentication

157) Comprehensive security management products, with tools for firewalls, VPNs, intrusion

detection systems, and more, are called ________ systems.

157) ____________

Answer: unified threat management

158) When errors are discovered in software programs, the sources of the errors are found

and eliminated through a process called ________.

158) ____________

Answer: debugging

ESSAY. Write your answer in the space provided or on a separate sheet of paper.

159) Discuss the issue of security challenges on the Internet as that issue applies to a global enterprise. List at least

five Internet security challenges.

Answer: Large public networks, including the Internet, are more vulnerable because they are virtually open to

anyone and because they are so huge that when abuses do occur, they can have an enormously

widespread impact. When the Internet becomes part of the corporate network, the organization's

information systems can be vulnerable to actions from outsiders. Computers that are constantly

connected to the Internet via cable modem or DSL line are more open to penetration by outsiders

because they use a fixed Internet address where they can be more easily identified. The fixed Internet

address creates the target for hackers. To benefit from electronic commerce, supply chain

management, and other digital business processes, companies need to be open to outsiders such as

customers, suppliers, and trading partners. Corporate systems must be extended outside the

organization so that employees working with wireless and other mobile computing devices can access

them. This requires a new security culture and infrastructure, allowing corporations to extend their

security policies to include procedures for suppliers and other business partners.

160) How can a firm's security policies contribute and relate to the six main business objectives? Give examples.

Answer: Operational excellence: Security policies are essential to operational excellence. A firm's daily

transactions can be severely disrupted by cybercrime such as hackers. A firm's efficiency relies on

accurate data. In addition, information assets have tremendous value, and the repercussions can be

devastating if they are lost, destroyed, or placed in the wrong hands.

New products, services, business models. Security policies protect a company's ideas for new

products and services, which could be stolen by competitors. Additionally, enhanced security could be

seen by a customer as a way to differentiate your product.

Customer and supplier intimacy: Customers rely on your security if they enter personal data

into your information system, for example, credit card information into your e-commerce site. The

information you receive from customers and suppliers directly affects how able you are to customize

your product, service, or communication with them.

Improved decision making: Secure systems make data accuracy a priority, and good decision

making relies on accurate and timely data. Lost and inaccurate data would lead to compromised

decision making.

Competitive advantage: The knowledge that your firm has superior security to another

would, on an otherwise level playing field, make your firm more attractive to do business with. Also,

improved decision-making, new products and services, which are also affected by security (see

above), will contribute to a firm's competitive advantage. Strong security and control also increase

employee productivity and lower operational costs.

Survival: New laws and regulations make keeping your security system up to date a matter of

survival. Inadequate security and control may result in serious legal liability. Firms have been

destroyed by errors in security policies.

161) Three major concerns of system builders and users are disaster, security, and human error. Of the three,

which do you think is most difficult to deal with? Why?

Answer: Disaster might be the most difficult because it is unexpected, broad-based, and frequently life

threatening. In addition, the company cannot know if the disaster plan will work until a disaster

occurs, and then it's too late to make corrections.

Security might be the most difficult because it is an ongoing problem, new viruses are devised

constantly, and hackers get smarter every day. Furthermore, damage done by a trusted employee from

inside cannot be obviated by system security measures.

Human error might be most difficult because it isn't caught until too late, and the

consequences may be disastrous. Also, administrative error can occur at any level and through any

operation or procedure in the company.

162) What are the security challenges faced by wireless networks?

Answer: Wireless networks are vulnerable because radio frequency bands are easy to scan. Both Bluetooth and

Wi-Fi networks are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the

802.11 standard can be easily penetrated by outsiders armed with laptops, wireless cards, external

antennae, and hacking software. Hackers use these tools to detect unprotected networks, monitor

network traffic, and, in some cases, gain access to the Internet or to corporate networks. Wi-Fi

transmission technology was designed to make it easy for stations to find and hear one another. The

service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple

times and can be picked up fairly easily by intruders' sniffer programs. Wireless networks in many

locations do not have basic protections against war driving, in which eavesdroppers drive by

buildings or park outside and try to intercept wireless network traffic. A hacker can employ an 802.11

analysis tool to identify the SSID. An intruder that has associated with an access point by using the

correct SSID is capable of accessing other resources on the network, using the Windows operating

system to determine which other users are connected to the network, access their computer hard

drives, and open or copy their files. Intruders also use the information they have gleaned to set up

rogue access points on a different radio channel in physical locations close to users to force a user's

radio NIC to associate with the rogue access point. Once this association occurs, hackers using the

rogue access point can capture the names and passwords of unsuspecting users.

163) Why is software quality important to security? What specific steps can an organization take to ensure

software quality?

Answer: Software errors pose a constant threat to information systems, causing untold losses in productivity.

Growing complexity and size of software programs, coupled with demands for timely delivery to

markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with

software is the presence of hidden bugs or program code defects. Studies have shown that it is

virtually impossible to eliminate all bugs from large programs. Flaws in commercial software not only

impede performance but also create security vulnerabilities that open networks to intruders. To

correct software flaws once they are identified, the software vendor creates small pieces of software

called patches to repair the flaws without disturbing the proper operation of the software.

Organizations must maintain best efforts to both make sure purchased software is up to date and

make sure their own software and programming is as bug-free as possible by employing software

metrics and rigorous software testing. Ongoing use of metrics allows the information systems

department and end users to jointly measure the performance of the system and identify problems as

they occur. Examples of software metrics include the number of transactions that can be processed in a

specified unit of time, online response time, the number of payroll checks printed per hour, and the

number of known bugs per hundred lines of program code. For metrics to be successful, they must be

carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will

contribute significantly to system quality. Good testing begins before a software program is even

written by using a walkthrough, a review of a specification or design document by a small group of

people carefully selected based on the skills needed for the particular objectives being tested. Once

developers start writing software programs, coding walkthroughs also can be used to review program

code. However, code must be tested by computer runs. When errors are discovered, the source is

found and eliminated through a process called debugging.

164) Hackers and their companion viruses are an increasing problem, especially on the Internet. What are the

most important measures for a firm to take to protect itself from this? Is full protection feasible? Why or

why not?

Answer: For protection, a company must institute good security measures, which will include firewalls,

investigation of personnel to be hired, physical and software security and controls, antivirus software,

and internal education measures. These measures are best put in place at the time the system is

designed, and careful attention paid to them. A prudent company

will engage in disaster protection measures, frequent updating of security software, and frequent

auditing of all security measures and of all data upon which the company depends. Full protection

may not be feasible in light of the time and expenses involved, but a risk analysis can provide insights

into which areas are most important and vulnerable. These are the areas to protect first.

165) You have just been hired as a security consultant by MegaMalls Inc., a national chain of retail malls, to make

sure that the security of their information systems is up to par. Outline the steps you will take to achieve this.

Answer: 1. Establish what data and processes are important and essential to the company. Determine what

external and internal information is essential to the different employee roles in the company.

2. Conduct an MIS audit, a security audit, and create a risk assessment analysis.

3. Establish what legal/governmental/industry standards need to be adhered to and which

international standards are relevant.

4. Conduct a business impact analysis and determine a disaster recovery and business continuity

plan.

5. Create a security policy that defines an acceptable use policy, authorization policies and processes.

6. Plan for any change management needed.

7. Determine how the success of your policy will be measured and set up means for measuring this.

8. Implement such policies.

9. Measure and evaluate the effectiveness of the policy and make any additional adjustments.

166) What is a digital certificate? How does it work?

Answer: Digital certificates are data files used to establish the identity of users and electronic assets for

protection of online transactions. A digital certificate system uses a trusted third party, known as a

certification authority, to validate a user's identity. The CA verifies a digital certificate user's identity

offline. This information is put into a CA server, which generates an encrypted digital certificate

containing owner identification information and a copy of the owner's public key. The certificate

authenticates that the public key belongs to the designated owner. The CA makes its own public key

available publicly either in print or perhaps on the Internet. The recipient of an encrypted message

uses the CA's public key to decode the digital certificate attached to the message, verifies it was issued

by the CA, and then obtains the sender's public key and identification information contained in the

certificate. Using this information, the recipient can send an encrypted reply. The digital certificate

system would enable, for example, a credit card user and a merchant to validate that their digital

certificates were issued by an authorized and trusted third party before they exchange data. Public key

infrastructure (PKI), the use of public key cryptography working with a certificate authority, is now

widely used in e-commerce.
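As an added, runnable illustration of the certificate flow described in this answer (example code written for this page in Go, not from the textbook or exam), the program below builds a self-signed CA, has it issue a certificate for a constructed subject alice@example.com, lets the recipient verify that certificate using nothing but the CA's public key, extracts Alice's public key from it and encrypts a reply to her; issuing the same certificate from a CA the recipient does not trust makes the verification step fail instead. Names, serial numbers and the reply text are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate that vouches for its public key.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates the trusted third party as a self-signed CA certificate; its
// public key is what every relying party is assumed to hold in advance.
func NewCA(name string) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}, err
}

// Issue is the CA server step: after the (assumed, offline) identity check,
// the CA signs a certificate binding the subject's name to its public key.
func (ca *Identity) Issue(subject string, pub *rsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// VerifyAndExtract is the recipient's step: holding only the CA's public key,
// confirm the certificate was issued by that CA and names the expected subject,
// then take the owner's public key out of it.
func VerifyAndExtract(certDER []byte, trustedCA *x509.Certificate, subject string) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName != subject {
		return nil, fmt.Errorf("certificate is for %q, not %q", cert.Subject.CommonName, subject)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	return pub, nil
}

// Exchange runs the flow end to end: issuer certifies Alice's public key, Bob
// verifies it against the CA he trusts, encrypts a reply with the key the
// certificate vouches for, and Alice decrypts it with her private key.
func Exchange(trusted *x509.Certificate, issuer *Identity) (string, error) {
	aliceKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	certDER, err := issuer.Issue("alice@example.com", &aliceKey.PublicKey) // constructed name
	if err != nil {
		return "", err
	}
	alicePub, err := VerifyAndExtract(certDER, trusted, "alice@example.com")
	if err != nil {
		return "", err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alicePub, []byte("order 42 confirmed"), nil)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, aliceKey, ct, nil)
	return string(pt), err
}

func main() {
	ca, _ := NewCA("Example Root CA")
	rogue, _ := NewCA("Unknown CA") // a CA the recipient does not trust
	fmt.Println(Exchange(ca.Cert, ca))    // order 42 confirmed <nil>
	fmt.Println(Exchange(ca.Cert, rogue)) // "" certificate not trusted: ...
}
```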

167) Define a fault-tolerant computer system and a high-availability computer system. How do they differ? When

would each be used?

Answer: Both systems use backup hardware resources. Fault-tolerant computer systems contain extra memory

chips, processors, and disk storage devices that can back the system up and keep it running to prevent

a system failure. High-availability computing places the emphasis on quick recovery from a system

crash. A high-availability system includes redundant servers, mirroring, load balancing, clustering,

storage area networks, and a good disaster recovery plan. The main difference between them is that

fault-tolerant computer systems don't go down; high-availability computer systems go down, but can

recover quickly.

Companies needing a technology platform with 100 percent, 24-hour system availability use

fault-tolerant computer systems. High-availability computing environments are a minimum

requirement for firms with heavy electronic commerce processing or that depend on digital networks

for their internal operations.

168) How is the security of a firm's information system and data affected by its people, organization, and

technology? Is the contribution of one of these dimensions any more important than the other? Why?

Answer: There are various technological essentials to protecting an information system: firewalls,

authentication, encryption, anti-virus protection, etc. Without technology implemented correctly, there

is no security. A firm's employees are its greatest threat, in terms of embezzlement and insider fraud,

errors, and lax enforcement of security policies. Probably the most important dimension is

organization, because this is what determines a firm's business processes and policies. The firm's

information policies can most enhance security by stressing intelligent design of security systems,

appropriate use of security technology, and the usability of its security processes.

169) Robert is in charge of security and control at his financial trading firm. He needs to approach management

about investing large sums of money to the area of security and control. He knows that it will be a hard sell

to this group because they are very focused on sales revenue and this is not directly related to that. Give

Robert some arguments that he might use to convince the board to invest these funds in security and control.

Answer: Protecting information systems is so critical to the operation of the business that it deserves to be funded

and made a priority in the firm.

The firm has very valuable information assets to protect. Our systems house confidential

information about individuals’ taxes, financial assets, medical records, and job performance reviews.

They also contain information on corporate operations, including trade secrets, new product

development plans, and marketing strategies. One study estimated that when the security of a large

firm is compromised, the company loses approximately 2.1 percent of its market value within two

days of the security breach, which translates into an average loss of $1.65 billion in stock market value

per incident. Inadequate security and control may result in serious legal liability. Businesses must

protect not only their own information assets but also those of customers, employees, and business

partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An

organization can be held liable for needless risk and harm created if the organization fails to take

appropriate protective action to prevent loss of confidential information, data corruption, or breach of

privacy. A sound security and control framework that protects business information assets can thus

produce a high return on investment. Strong security and control also increase employee

productivity and lower operational costs.

170) Sally is the CEO of a chain of health clinics in Ontario. She is growing more and more concerned about the

security of records in her company. She is wondering about the legal and regulatory requirements for

electronic record management in Canada. What would you advise Sally about the legal and regulatory

requirements for electronic record management in Canada?

Answer: Recent Canadian government regulations are forcing companies to take security and control more

seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms

face new legal obligations for the retention and storage of electronic records as well as for privacy

protection. If you work in the health care industry, your firm will need to comply with the provincial

health information privacy legislation mandated in several provinces or with the original Canada

Privacy Act or the newer Personal Information Protection and Electronic Documents Act (PIPEDA). These

acts specify privacy, security, and electronic transaction standards for health care providers handling

patient information, providing penalties for breaches of medical privacy or disclosure of patient

records.

Almost all organizations, specifically those that conduct transactions, must conform to the

Personal Information Protection and Electronic Documents Act. In 2002, the Ontario Legislature passed

Bill 198, known as Canadian SOX, or C-SOX, in response to the U.S. Sarbanes-Oxley Act. It imposes

responsibility on companies and their management to safeguard the accuracy and integrity of financial

information that is used internally and released externally. One of the Learning Tracks for this chapter

discusses C-SOX in detail. C-SOX is fundamentally about ensuring that internal controls are in place

to govern the creation and documentation of information in financial statements. Because information

systems are used to generate, store, and transport such data, the legislation requires firms to consider

information systems security and other controls required to ensure the integrity, confidentiality, and

accuracy of their data. Each system application that deals with critical financial reporting data requires

controls to make sure the data are accurate. Controls

to secure the corporate network, prevent unauthorized access to systems and data, and ensure data

integrity and availability in the event of disaster or other disruption of service are essential as well.

171) Bob wants to use encryption tools in his firm but he is not sure if he should use public key or private key

encryption. He really doesn't understand the differences between the two. Describe the two types of

encryption for Bob.

Answer: There are two alternative methods of encryption: symmetric key encryption and public key

encryption. In symmetric key encryption, the sender and receiver establish a secure Internet session by

creating a single encryption key and sending it to the receiver so both the sender and receiver share

the same key. The strength of the encryption key is measured by its bit length. Today, a typical key

will be 128 bits long (a string of 128 binary digits).

The problem with all symmetric encryption schemes is that the key itself must be shared

somehow among the senders and receivers, which exposes the key to outsiders who might just be able

to intercept and decrypt the key. A more secure form of encryption called public key encryption uses

two keys: one shared (or public) and one totally private. The keys are mathematically related so that

data encrypted with one key can be decrypted using only the other key. To send and receive messages,

communicators first create separate pairs of private and public keys. The public key is kept in a

directory and the private key must be kept secret. The sender encrypts a message with the recipient’s

public key. On receiving the message, the recipient uses his or her private key to decrypt it.

1) FALSE

2) FALSE

3) FALSE

4) FALSE

5) FALSE

6) FALSE

7) TRUE

8) TRUE

9) TRUE

10) TRUE

11) TRUE

12) TRUE

13) TRUE

14) TRUE

15) FALSE

16) FALSE

17) FALSE

18) TRUE

19) TRUE

20) TRUE

21) FALSE

22) FALSE

23) FALSE

24) TRUE

25) TRUE

26) TRUE

27) TRUE

28) TRUE

29) TRUE

30) FALSE

31) TRUE

32) TRUE

33) TRUE

34) TRUE

35) TRUE

36) FALSE

37) FALSE

38) TRUE

39) FALSE

40) FALSE

41) FALSE

42) TRUE

43) TRUE

44) TRUE

45) TRUE

46) FALSE

47) B

48) B

49) D

50) B

51) B

52) C

53) C

54) D

55) D

56) C

57) A

58) C

59) C

60) B

61) B

62) B

63) C

64) C

65) B

66) B

67) D

68) D

69) D

70) D

71) A

72) D

73) A

74) C

75) C

76) A

77) B

78) A

79) C

80) A

81) C

82) D

83) D

84) C

85) A

86) A

87) B

88) C

89) B

90) A

91) A

92) A

93) B

94) B

95) D

96) B

97) C

98) C

99) B

100) C

101) A

102) D

103) A

104) B

105) D

106) C

107) C

108) D

109) D

110) war driving

111) Security

112) Controls

113) vulnerable

114) fixed

115) malware

116) virus

117) Worms

118) Trojan horse

119) hacker

120) cracker

121) Cybervandalism

122) Spoofing

123) sniffer

124) denial-of-service (DoS) attack

125) Phishing

126) Pharming

127) Click fraud

128) Social engineering

129) flaws

130) Zero

131) sales revenue

132) Application

133) Processing

134) Output

135) risk assessment

136) security policy

137) acceptable-use policy (AUP)

138) Disaster recovery planning

139) token

140) smart card

141) Biometric authentication

142) firewall

143) Packet filtering

144) Intrusion detection systems

145) Antivirus software

146) Encryption

147) Public key

148) digital certificate

149) Fault-tolerant

150) malware

151) Identity theft

152) Computer forensics

153) general

154) MIS audit

155) Access control

156) Authentication

157) unified threat management

158) debugging

159) Large public networks, including the Internet, are more vulnerable because they are virtually open to anyone and

because they are so huge that when abuses do occur, they can have an enormously widespread impact. When the

Internet becomes part of the corporate network, the organization's information systems can be vulnerable to actions

from outsiders. Computers that are constantly connected to the Internet via cable modem or DSL line are more

open to penetration by outsiders because they use a fixed Internet address where they can be more easily identified.

The fixed Internet address creates the target for hackers. To benefit from electronic commerce, supply chain

management, and other digital business processes, companies need to be open to outsiders such as customers,

suppliers, and trading partners. Corporate systems must be extended outside the organization so that employees

working with wireless and other mobile computing devices can access them. This requires a new security culture

and infrastructure, allowing corporations to extend their security policies to include procedures for suppliers and

other business partners.

160) Operational excellence: Security policies are essential to operational excellence. A firm's daily transactions can be

severely disrupted by cybercrime such as hackers. A firm's efficiency relies on accurate data. In addition,

information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or

placed in the wrong hands.

New products, services, business models. Security policies protect a company's ideas for new products and

services, which could be stolen by competitors. Additionally, enhanced security could be seen by a customer as a

way to differentiate your product.

Customer and supplier intimacy: Customers rely on your security if they enter personal data into your

information system, for example, credit card information into your e-commerce site. The information you receive

from customers and suppliers directly affects how able you are to customize your product, service, or

communication with them.

Improved decision making: Secure systems make data accuracy a priority, and good decision making relies

on accurate and timely data. Lost and inaccurate data would lead to compromised decision making.

Competitive advantage: The knowledge that your firm has superior security to another would, on an

otherwise level playing field, make your firm more attractive to do business with. Also, improved decision-making,

new products and services, which are also affected by security (see above), will contribute to a firm's competitive

advantage. Strong security and control also increase employee productivity and lower operational costs.

Survival: New laws and regulations make keeping your security system up to date a matter of survival.

Inadequate security and control may result in serious legal liability. Firms have been destroyed by errors in security

policies.

161) Disaster might be the most difficult because it is unexpected, broad-based, and frequently life threatening. In addition, the company cannot know if the disaster plan will work until a disaster occurs, and then it's too late to make corrections.

Security might be the most difficult because it is an ongoing problem: new viruses are devised constantly, and hackers get smarter every day. Furthermore, damage done by a trusted employee from inside cannot be obviated by system security measures.

Human error might be most difficult because it isn't caught until too late, and the consequences may be disastrous. Also, administrative error can occur at any level and through any operation or procedure in the company.

162) Wireless networks are vulnerable because radio frequency bands are easy to scan. Both Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the 802.11 standard can be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software. Hackers use these tools to detect unprotected networks, monitor network traffic, and, in some cases, gain access to the Internet or to corporate networks. Wi-Fi transmission technology was designed to make it easy for stations to find and hear one another. The service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple times and can be picked up fairly easily by intruders' sniffer programs. Wireless networks in many locations do not have basic protections against war driving, in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic. A hacker can employ an 802.11 analysis tool to identify the SSID. An intruder that has associated with an access point by using the correct SSID is capable of accessing other resources on the network, using the Windows operating system to determine which other users are connected to the network, accessing their computer hard drives, and opening or copying their files. Intruders also use the information they have gleaned to set up rogue access points on a different radio channel in physical locations close to users to force a user's radio NIC to associate with the rogue access point. Once this association occurs, hackers using the rogue access point can capture the names and passwords of unsuspecting users.
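
One defensive counterpart to the rogue access point scenario in 162, as an added example that is not part of the exam or its textbook: a check that compares the beacons seen in a Wi-Fi scan against an authorized list of BSSIDs and channels for the corporate SSID, so an access point advertising that SSID from an unknown MAC address or on an unexpected channel is flagged. The SSID, MAC addresses, channels and the scan line format are constructed values.

```python
"""Rogue access point check over a constructed Wi-Fi scan log.
Added example: flags beacons that advertise the corporate SSID from a
BSSID or channel that is not on the authorized list."""
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel")

# Authorized access points for the corporate SSID (constructed values).
AUTHORIZED = {
    "CorpNet": {("00:11:22:33:44:01", 1), ("00:11:22:33:44:02", 6)},
}

def parse_scan(text):
    """Parse 'ssid bssid channel' lines from a scan dump (constructed format,
    SSIDs without spaces)."""
    beacons = []
    for line in text.strip().splitlines():
        ssid, bssid, channel = line.split()
        beacons.append(Beacon(ssid, bssid.lower(), int(channel)))
    return beacons

def find_rogues(beacons, authorized=AUTHORIZED):
    """Return (beacon, reason) pairs for beacons that use a monitored SSID
    from a BSSID/channel combination that is not authorized."""
    rogues = []
    for b in beacons:
        if b.ssid not in authorized:
            continue  # foreign networks are out of scope for this check
        if (b.bssid, b.channel) in authorized[b.ssid]:
            continue  # exactly matches a known access point
        known_bssids = {mac for mac, _ in authorized[b.ssid]}
        # A known BSSID on the wrong channel suggests a spoofed access point;
        # an unknown BSSID is a plain rogue advertising the corporate SSID.
        reason = "unknown BSSID" if b.bssid not in known_bssids else "unexpected channel"
        rogues.append((b, reason))
    return rogues

# Constructed scan: two legitimate APs, one rogue with a new MAC on channel 11,
# one spoofed MAC on channel 11, and one unrelated network.
SAMPLE_SCAN = """
CorpNet 00:11:22:33:44:01 1
CorpNet 00:11:22:33:44:02 6
CorpNet AA:BB:CC:DD:EE:FF 11
CorpNet 00:11:22:33:44:01 11
GuestCafe 66:77:88:99:aa:bb 3
"""
```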

163) Software errors pose a constant threat to information systems, causing untold losses in productivity. Growing complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden bugs or program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs. Flaws in commercial software not only impede performance but also create security vulnerabilities that open networks to intruders. To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation of the software.

Organizations must maintain best efforts to both make sure purchased software is up to date and make sure their own software and programming is as bug-free as possible by employing software metrics and rigorous software testing. Ongoing use of metrics allows the information systems department and end users to jointly measure the performance of the system and identify problems as they occur. Examples of software metrics include the number of transactions that can be processed in a specified unit of time, online response time, the number of payroll checks printed per hour, and the number of known bugs per hundred lines of program code. For metrics to be successful, they must be carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will contribute significantly to system quality. Good testing begins before a software program is even written by using a walkthrough, a review of a specification or design document by a small group of people carefully selected based on the skills needed for the particular objectives being tested. Once developers start writing software programs, coding walkthroughs also can be used to review program code. However, code must be tested by computer runs. When errors are discovered, the source is found and eliminated through a process called debugging.

164) For protection, a company must institute good security measures, which will include firewalls, investigation of personnel to be hired, physical and software security and controls, antivirus software, and internal education measures. These measures are best put in place at the time the system is designed, with careful attention paid to them. A prudent company will engage in disaster protection measures, frequent updating of security software, and frequent auditing of all security measures and of all data upon which the company depends. Full protection may not be feasible in light of the time and expenses involved, but a risk analysis can provide insights into which areas are most important and vulnerable. These are the areas to protect first.

165) 1. Establish what data and processes are important and essential to the company. Determine what external and internal information is essential to the different employee roles in the company.
2. Conduct an MIS audit and a security audit, and create a risk assessment analysis.
3. Establish what legal/governmental/industry standards need to be adhered to and which international standards are relevant.
4. Conduct a business impact analysis and determine a disaster recovery and business continuity plan.
5. Create a security policy that defines an acceptable use policy, authorization policies and processes.
6. Plan for any change management needed.
7. Determine how the success of your policy will be measured and set up means for measuring this.
8. Implement such policies.
9. Measure and evaluate the effectiveness of the policy and make any additional adjustments.

166) Digital certificates are data files used to establish the identity of users and electronic assets for protection of online transactions. A digital certificate system uses a trusted third party, known as a certification authority (CA), to validate a user's identity. The CA verifies a digital certificate user's identity offline. This information is put into a CA server, which generates an encrypted digital certificate containing owner identification information and a copy of the owner's public key. The certificate authenticates that the public key belongs to the designated owner. The CA makes its own public key available publicly, either in print or perhaps on the Internet. The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it was issued by the CA, and then obtains the sender's public key and identification information contained in the certificate. Using this information, the recipient can send an encrypted reply. The digital certificate system would enable, for example, a credit card user and a merchant to validate that their digital certificates were issued by an authorized and trusted third party before they exchange data. Public key infrastructure (PKI), the use of public key cryptography working with a certificate authority, is now widely used in e-commerce.

167) Both systems use backup hardware resources. Fault-tolerant computer systems contain extra memory chips, processors, and disk storage devices that can back the system up and keep it running to prevent a system failure. High-availability computing places the emphasis on quick recovery from a system crash. A high-availability system includes redundant servers, mirroring, load balancing, clustering, storage area networks, and a good disaster recovery plan. The main difference between them is that fault-tolerant computer systems don't go down; high-availability computer systems go down, but can recover quickly.

Companies needing a technology platform with 100 percent, 24-hour system availability use fault-tolerant computer systems. High-availability computing environments are a minimum requirement for firms with heavy electronic commerce processing or that depend on digital networks for their internal operations.

168) There are various technological essentials to protecting an information system: firewalls, authentication, encryption, antivirus protection, and so on. Without technology implemented correctly, there is no security. A firm's employees are its greatest threat, in terms of embezzlement and insider fraud, errors, and lax enforcement of security policies. Probably the most important dimension is organization, because this is what determines a firm's business processes and policies. The firm's information policies can most enhance security by stressing intelligent design of security systems, appropriate use of security technology, and the usability of its security processes.

169) Protecting information systems is so critical to the operation of the business that it deserves to be funded and made a priority in the firm.

The firm has very valuable information assets to protect. Our systems house confidential information about individuals' taxes, financial assets, medical records, and job performance reviews. They also contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies. One study estimated that when the security of a large firm is compromised, the company loses approximately 2.1 percent of its market value within two days of the security breach, which translates into an average loss of $1.65 billion in stock market value per incident. Inadequate security and control may result in serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An organization can be held liable for needless risk and harm created if the organization fails to take appropriate protective action to prevent loss of confidential information, data corruption, or breach of privacy. A sound security and control framework that protects business information assets can thus produce a high return on investment. Strong security and control also increase employee productivity and lower operational costs.

170) Recent Canadian government regulations are forcing companies to take security and control more seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection. If you work in the health care industry, your firm will need to comply with the provincial health information privacy legislation mandated in several provinces or with the original Canada Privacy Act or the newer Personal Information Protection and Electronic Documents Act (PIPEDA). These acts specify privacy, security, and electronic transaction standards for health care providers handling patient information, providing penalties for breaches of medical privacy or disclosure of patient records.

Almost all organizations, specifically those that conduct transactions, must conform to the Personal Information Protection and Electronic Documents Act. In 2002, the Ontario Legislature passed Bill 198, known as Canadian SOX, or C-SOX, in response to the U.S. Sarbanes-Oxley Act. It imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally. One of the Learning Tracks for this chapter discusses C-SOX in detail. C-SOX is fundamentally about ensuring that internal controls are in place to govern the creation and documentation of information in financial statements. Because information systems are used to generate, store, and transport such data, the legislation requires firms to consider information systems security and other controls required to ensure the integrity, confidentiality, and accuracy of their data. Each system application that deals with critical financial reporting data requires controls to make sure the data are accurate. Controls to secure the corporate network, prevent unauthorized access to systems and data, and ensure data integrity and availability in the event of disaster or other disruption of service are essential as well.


171) There are two alternative methods of encryption: symmetric key encryption and public key encryption. In symmetric key encryption, the sender and receiver establish a secure Internet session by creating a single encryption key and sending it to the receiver so both the sender and receiver share the same key. The strength of the encryption key is measured by its bit length. Today, a typical key will be 128 bits long (a string of 128 binary digits).

The problem with all symmetric encryption schemes is that the key itself must be shared somehow among the senders and receivers, which exposes the key to outsiders who might just be able to intercept and decrypt the key. A more secure form of encryption called public key encryption uses two keys: one shared (or public) and one totally private. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key. To send and receive messages, communicators first create separate pairs of private and public keys. The public key is kept in a directory and the private key must be kept secret. The sender encrypts a message with the recipient's public key. On receiving the message, the recipient uses his or her private key to decrypt it.
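
The certificate flow described in 166 and the public key exchange in 171, carried through end to end as an added example that is not part of the exam or its textbook: a CA signs a certificate holding the owner's identity and public key, the merchant checks the signature with the CA's public key, takes the sender's public key from the certificate and encrypts a reply to it, and only the matching private key decrypts. The RSA primes, exponents and the byte-at-a-time encryption are constructed toy parameters chosen so the arithmetic is visible; real PKI uses standard libraries, padding and far longer keys.

```python
"""Toy model of a CA-issued digital certificate and a public-key reply.
Added example with tiny textbook RSA primes and byte-at-a-time encryption,
for illustration only; real PKI uses standard libraries and 2048-bit keys."""
import hashlib
import json

def make_keypair(p, q, e):
    """Return (public, private) RSA keys from two constructed primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi
    return (n, e), (n, d)

def digest(fields, n):
    """Hash the certificate fields; reduced mod n to fit the toy modulus."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(ca_private, owner, owner_public):
    """CA step: after checking identity offline, sign owner name + public key."""
    n, d = ca_private
    fields = {"owner": owner, "public_key": list(owner_public)}
    return {"fields": fields, "signature": pow(digest(fields, n), d, n)}

def verify_certificate(ca_public, cert):
    """Recipient step: check the CA's signature using the CA's public key."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == digest(cert["fields"], n)

def encrypt(public, message):
    """Encrypt with the recipient's public key (toy: one RSA block per byte)."""
    n, e = public
    return [pow(b, e, n) for b in message]

def decrypt(private, blocks):
    """Only the matching private key recovers the plaintext."""
    n, d = private
    return bytes(pow(c, d, n) for c in blocks)

# Constructed key pairs: the certification authority's and a card holder's.
CA_PUBLIC, CA_PRIVATE = make_keypair(101, 113, 3533)
USER_PUBLIC, USER_PRIVATE = make_keypair(61, 53, 17)

def exchange(cert, reply):
    """Merchant verifies the customer's certificate, then encrypts a reply to
    the public key it carries; returns (certificate_ok, decrypted_reply)."""
    if not verify_certificate(CA_PUBLIC, cert):
        return False, b""
    sender_public = tuple(cert["fields"]["public_key"])
    return True, decrypt(USER_PRIVATE, encrypt(sender_public, reply))
```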