Static Packet Filtering
Examines the headers of IP packets.

Key Escrow
Storing a copy of the encryption keys in a safe location.

Log Analysis
The process of examining logs to monitor security. A detective control used to understand prior activity.

Deep Packet Inspection
Examines the contents of an IP packet.

Symmetric Encryption
Uses the same secret key to both encrypt and decrypt.

Asymmetric Encryption
Encrypts using two keys. The public key is available to anyone and the private key is secret and known only to its owner. Either key can be used to encrypt, but only the other key can be used to decrypt that message.

Hash
A digital summary of a document or file.

Time Based Security Model
P > D + C: the time it takes to attack must be greater than the time to detect plus the time to correct.

Defense in Depth
Given enough time and resources, any single control, regardless of how sophisticated, can be overcome. Therefore, the use of redundant, overlapping controls maximizes security.

Patch
Code designed to fix a weakness.

Stateful Packet Filtering
Examines the header and a state table to determine whether incoming IP packets are part of an already established connection.

Digital Signature
The sender encrypts a hash using their private key. The recipient decrypts it using the sender's public key.

Compatibility Test
Uses an access control matrix to determine what actions an authenticated user is allowed to perform.

Hardening
Modifying default configurations to improve security; disabling unnecessary features.

Recovery Time Objective (RTO)
The length of time to recover and have the system back up and running after a disaster.

Recovery Point Objective (RPO)
Represents the amount of time between the last backup and the time of a system disaster.

Field Check
Determines if the characters in a field are of the proper type.
Example: only numbers.

Limit Check
Tests a numerical amount to ensure it doesn't exceed the limit.
Example: no more than 40 hours a week.

Range Check
Tests a numerical amount to ensure it doesn't go above or below a certain amount.
Example: wage is at least minimum wage but no more than $50/hour.
Size Check
Determines a maximum character limit.
Example: Twitter limits tweets to 140 characters.

Reasonableness Check
Determines the correctness of the logical relationship between two data items.
Example: a $1,000 bonus is reasonable for an employee making 40K/year but not 10K/year.

Check Digit Verification
Authorized ID numbers contain a check digit computed from the other digits; the digit is recomputed on input to verify the number.

Financial Total
Sums a field that contains dollar values.
Example: the total dollar amount of a sale.

Hash Total
Sums a non-financial numeric field.
Example: the total quantity ordered.

Record Count
Sums the number of records in a batch.

Closed-loop Verification
Checks the accuracy of input data by using it to retrieve and display other related information.
Example: a teller enters an account number and the system displays the customer's name, so the teller can greet the customer as "Mr. Bell".

Trailer Record
Located at the end of a file and contains the batch totals calculated during input.

Transposition Error
When two digits are switched.
Example: 6.4% instead of 4.6%.

Cross-Footing Balance Test
Compares the results of a computation produced by each of two methods (for example, totaling rows and totaling columns) to verify accuracy.

Zero-Balance Test
Applies a cross-footing balance test to control accounts.
Example: two general ledger accounts should net to a zero balance if each is debited and credited correctly.

Concurrent Update Controls
Protect records from errors that occur when two or more users attempt to update the same record at the same time.

Parity Bit
Uses binary digits. An extra digit is added to every character to detect errors.
Even parity: the parity bit is set so that an even number of bits in the character have a value of 1.
Odd parity: the parity bit is set so that an odd number of bits in the character have a value of 1.

Parity Checking
Verifying that there is the proper number of bits set to the value of 1 in each character received.

Echo Check
A hardware control that verifies transmitted data by having the receiving device send the message back to the sending device, so that the message received can be compared with the message sent.

Incremental Backup
Copying only the data items that have changed since the last backup.

Differential Backup
Copies all changes made since the last full backup. Takes longer than an incremental backup.

Real-time Mirroring
Maintaining two copies of the database at two separate data centers at all times, and updating both copies in real time as each transaction occurs.

Cold Site
A location that provides everything necessary to quickly install computer equipment in the event of a disaster.

Hot Site
A completely operational data processing facility configured to meet the user's requirements that can be made available to a disaster-stricken organization on short notice.
Value Chain
1. Inbound logistics: receiving and storing materials
2. Operations
3. Outbound logistics: distribution
4. Marketing and sales
5. Service: repair/maintenance

Value Chain Support Activities
1. Firm infrastructure: accounting, finance and legal
2. HR: hiring, training
3. Technology: R&D, IT
4. Purchasing: supplies and raw materials (RM)

Supply Chain
Raw material (RM) supplier -> Manufacturer -> Distributor -> Retailer -> Consumer

How can AIS add value to an organization?
Improving product quality, reducing costs, improving efficiency and effectiveness, improving the internal control structure, and improving decision making.

Structured Decisions
Repetitive, routine, and understood well enough that they can be delegated to lower-level employees.

Semistructured Decisions
Decisions that require subjective assessment and judgment to supplement formal data analysis.

Unstructured Decisions
Nonrecurring and nonroutine decisions. They require considerable judgment and intuition.

Operational Control
Decisions that are concerned with the efficient and effective performance of specific tasks in an organization.

Management Control
Activities by management designed to motivate, encourage, and assist officers and employees in achieving corporate goals and objectives as effectively and efficiently as possible.

Variety-based Strategic Position
Producing or providing a subset of the industry's products or services.

Needs-based Strategic Position
Trying to serve most or all of the needs of a particular group of customers in a target market.

Access-based Strategic Position
A strategic position that serves a subset of customers who differ from other customers in terms of factors such as geographic location or size.

Synergy
When an entire system of organizational activities is greater than the sum of its individual parts.

Threats to AIS
1. Natural and political disasters
2. Software errors and equipment malfunctions
3. Unintentional acts
4. Intentional acts

Fraud
For an act to be fraud it must involve:
1. A false statement
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. Justifiable reliance; the person relies on the misrepresentation to take an action
5. An injury or loss suffered by the victim

Lapping
Concealing the theft of cash by means of a series of delays in posting collections to accounts.
Example: steal A's payment. Use B's payment to cover A's. Use C's to cover B's, and so on.

Kiting
A fraud scheme in which the perpetrator conceals a theft of cash by creating cash through the transfer of money between banks.
Example: the perpetrator opens checking accounts in banks A, B and C. Deposits $1,000 in Bank A from Bank B, then withdraws the $1,000 from Bank B. Since there are insufficient funds in Bank A, deposits $1,000 from Bank C, then deposits $1,000 from B to C, and so on.

Bluebugging
Taking control of someone else's phone to make calls, send texts, listen to calls, or read texts.

Bluesnarfing
Stealing contact lists, images, and other data using Bluetooth.
Example: this happened to Paris Hilton several times.

Chipping
Planting a chip that records transaction data in a legitimate credit card reader.
Click Fraud
Clicking online ads numerous times to inflate advertising bills.

Cyber-extortion
Requiring a company to pay a specified amount of money to keep the extortionist from harming the company electronically.

Data Diddling
Changing data before, during, or after they are entered into the system.

Data Leakage
Copying data without permission.

Denial-of-service Attacks
Sending e-mail bombs from randomly generated false addresses to overload the receiver and shut their system down.

Dictionary Attack
Using software to guess company addresses and send them blank emails. Unreturned messages are valid addresses that are added to spammer email lists.

Economic Espionage
The theft of information, trade secrets, and intellectual property.

Evil Twin
A wireless network with the same name as a local wireless access point. The hacker disables the legitimate access point, users unknowingly reconnect to the evil twin, and the hacker monitors the traffic looking for useful information.

Internet Terrorism
Using the internet to disrupt communications and electronic commerce.

Masquerading
Accessing a system by pretending to be an authorized user.

Packet Sniffing
Using a computer to find confidential information as it travels the internet and other networks.

Pharming
Redirecting traffic to a spoofed website to gain access to personal and confidential information.

Phishing
Sending emails requesting recipients to visit a website and verify data or fill in missing data. The emails and web page look like they come from legitimate companies.

Phreaking
Attacking phone systems and using telephone lines to transmit viruses and to access, steal, and destroy data.

Posing
Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the item sold.

Pretexting
Acting under false pretenses to gain confidential information.

Rootkit
Software that conceals processes, files, network connections, and system data from the operating system and other programs.

Round-down
Truncating interest calculations to two decimal places. The truncated fraction of a cent is placed in a bank account.

Scavenging/Dumpster Diving
Searching for confidential information by searching trash cans or scanning the contents of computer memory.

Shoulder Surfing
Watching people or listening as they enter or give confidential information.
Skimming
Double-swiping a credit card or covertly swiping it in a credit card reader that records the information for later use.

Social Engineering
Techniques that trick a person into disclosing personal information.

Spoofing
Making an email message look as if someone else sent it.

Steganography
Hiding data from one file inside a host file such as a large image or sound file.

Superzapping
Using special software to bypass system controls and perform illegal acts.

Trojan Horse
Unauthorized code in an authorized and properly functioning program.

Typosquatting/URL Hijacking
Setting up websites with names similar to real websites, so users making typographical errors when entering website names are sent to a site filled with malware.

Virus
A segment of executable code that attaches itself to software, replicates itself, and spreads to other systems or files. Triggered by a predefined event, it damages system resources or displays a message on the monitor.

Vishing
Voice phishing, where email recipients are asked to call a phone number at which they are asked to divulge confidential information.

War Driving/Rocketing
Looking for unprotected wireless networks using a car or rocket.

War Dialing
Dialing thousands of phone lines searching for idle modems that can be used to enter the system, capture the attached computer, and gain access to the networks to which it is attached.

Worm
Similar to a virus, but a program rather than a code segment hidden in a host program. Copies and actively transmits itself directly to other systems. It usually does not live very long, but it is quite destructive while alive.

Zero-day Attack
An attack between the time a new software vulnerability is discovered and the time a software patch that fixes the problem is released.

General Controls
Controls designed to make sure an organization's control environment is stable and well-managed. General controls apply to all sizes of systems, from large and complex mainframe systems to client/server systems.

Application Controls
Controls that prevent, detect, and correct transaction errors and fraud. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

Foreign Corrupt Practices Act
Its primary purpose is to prevent the bribery of foreign officials in order to obtain business.

Public Company Accounting Oversight Board (PCAOB)
A five-member board that regulates the auditing profession. Created as part of SOX.

Diagnostic Control System
A performance measurement system that compares actual performance to planned performance.

Interactive Control System
Helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and emerging technologies, and developing responses and action plans to proactively deal with these high-level issues.

Control Objectives for Information and related Technology (COBIT)
Addresses 3 dimensions:
1. Business objectives
2. IT resources
3. IT processes

Expected Loss
Expected loss = impact x likelihood

Digital Signature
A piece of data signed on a document by a computer. A digital signature can't be forged and is useful in tracing authorization.
Information encrypted with the creator's private key.

Multifactor Authentication
Combining two or three of the authentication methods in conjunction:
1. Something they know (password)
2. Something they have (ID card)
3. Some physical characteristic

Demilitarized Zone
A separate network that permits controlled access from the Internet to selected resources.

Fault Tolerance
The capability of a system to continue performing when there is a hardware failure.