Deck 3: Computer and Internet Crime

Although the necessity of security is obvious, it must often be balanced against other business needs and issues. As a result, most organizations spend 5 percent or less of their overall IT budget on information security.

The Computer Fraud and Abuse Act addresses identity theft.

A completed risk assessment identifies the most dangerous threats to a company and helps focus security efforts on the areas of highest payoff.

Crackers break into other people's networks and systems to cause harm-defacing Web pages, crashing computers, and spreading harmful programs or hateful messages.

The USA Patriot Act defines cyberterrorism as hacking attempts that cause $5,000 in aggregate damage in one year, damage to medical equipment, or injury to any person. Because the $5,000 threshold is easy to exceed, many young people who have been involved in what they consider to be "minor computer pranks" have found that they meet the criteria to be tried as cyberterrorists.

Individuals committed to trustworthy computing take a pledge to not send viruses and worms and to refrain from spamming others.

According to the 2008 CSI Computer Crime and Security Survey, virus related incidents were the most common security incident.

Fraud often involves some form of collusion, or cooperation, between an employee and an outsider.

Rootkit is a set of programs that enables its users to gain administrator level access to a computer without the end user's consent or knowledge. Fortunately, rootkits are fairly easy to discover and remove from infected computers.

Societe Generale, France's second largest banking establishment, had long had a reputation for having poor internal controls. It is no wonder that a relatively inexperienced trader was able to take advantage of the bank's system of weak internal controls to exceed his trading limit and cause the bank to lose more than €4.9 billion.

A distributed denial-of-service attack keeps the target so busy responding to a stream of automated requests that legitimate users cannot access the target.

The cost of creating an e-mail campaign for a product or a service can easily exceed the cost of a direct-mail campaign. Such an e-mail campaign also typically takes longer to develop.

A hacktivist is a person who wishes to destroy the infrastructure components of financial institutions, utilities, and emergency response units.

The security of any system or network is a combination of technology, policy, and people and requires a surprisingly narrow range of activities to be effective.

Phishing frequently leads consumers to counterfeit Web sites designed to trick them into initiating a denial-of-service attack.

Unlike a computer worm, which requires users to spread infected files to other users, a virus is a harmful program that resides in the active memory of the computer and duplicates itself. A virus can propagate without human intervention.

Industrial espionage and competitive intelligence are the same thing.

The use of smart cards which contain a memory chip that is updated with encrypted data every time the card is used, is much more popular in the United States than Europe.

The cost to repair the worldwide damage done by a computer worm has exceeded $1 billion on more than one occasion.

A security policy details exactly what needs to be done and how it must be accomplished.

Installation of a corporate firewall is the most common security precaution taken by business. Once a good firewall is in place, the organization is safe from future attacks.

Whenever possible, automated system rules should mirror an organization's written policies.

Organizations must define employee roles so that a single employee can input as well as approve purchase orders. Such action is needed to provide adequate redundancy in the event of a pandemic or other form of disaster.

Antivirus software works to prevent an attack by blocking viruses, malformed packets, and other threats from getting into the protected network.

While it is important that employees should be well aware of an organization's security policies, this information should not be shared with part-time workers and contractors.

An organization can never be prepared for the worst-a successful attack that defeats all or some of a system's defenses and damages data and information systems.

It is not unusual for a security audit to reveal that too many people have access to critical data and that many people have capabilities beyond those needed to perform their jobs.

An intrusion prevention system is software and/or hardware that monitors system and network resources and activities, and notifies network security personnel when it identifies possible intrusions from outside the organization or misuse from within the organization.

Discussing security attacks through public trials and the associated publicity has not only enormous potential costs in public relations but real monetary costs as well.

The use of legal techniques to gather information that is publicly available in order to learn about a competitor is called ____________________.

A(n) ____________________ is a program in which malicious code is hidden inside a seemingly harmless program.

The ____________________ Act went into effect in 2004 and states that it is legal to spam provided messages meet a few basic requirements.

Using e-mail fraudulently to try to get the recipient to reveal personal data is called ____________________.

An employee who seeks to disrupt his firm's information systems or to use them to seek financial gain is called a(n) ____________________.

People, motivated by the potential for monetary gain, who hack into corporate computers to steal are called ____________________.

According to a 2008 CSI Computer Crime and Security Survey, 53 percent of the responding organizations spend 5 percent or less of their overall ____________________ on information security.

To initiate a denial-of-service attack, a tiny program is downloaded surreptitiously from the attacker's computer to dozens, hundreds, or even thousands of computers all over the world. Based on a command by the attacker or at a preset time, these computers called ____________________ go into action, each sending a simple request for access to the target site again and again.

Estimates of the rate at which software vulnerabilities are discovered around the world ____________________.

Spammers can defeat the registration process of free e-mail services by launching a coordinated bot attack that can sign up for thousands of e-mail accounts. A partial solution to this problem is the use of ____________________ to ensure that only humans obtain free accounts.

A(n) ____________________ is a type of Trojan horse which executes when it is triggered by a specific event.

A card, similar to a debit or credit card which contains a memory chip that is updated with encrypted data every time the card is used is called a ____________________.

The sending of fraudulent e-mails to the employees in a specific organization in an attempt to gain personal information is called ____________________.

The cooperation between an employee and company outsider to steal money from a firm is called ____________________.

People who test the limitations of information systems out of intellectual curiosity to see whether they can gain access and how far they can go are called ____________________.

A large group of computers controlled from one or more remote locations by hackers without the knowledge or consent of their owners is called a ____________________.

____________________ differ from viruses in that they propagate without human intervention, sending copies of themselves to other computers by e-mail or Internet Relay Chat.

Most viruses deliver a "payload" or ____________________ software that causes the computer to behave in an unexpected way.

People who use illegal means to obtain trade secrets from a competitor are called ____________________.

Spam is a form of low-cost commercial advertising. It may also be used to deliver harmful worms or other ____________________.