UIUC BADM 350 - Security

BADM 350 Lecture 11

Outline of Current Lecture
I. Chapter 14 Summary
II. Lecture Notes

Chapter 14 Summary

Companies have become data packrats in hopes of making money by licensing databases, targeting advertisements, or cross-selling products. Flatter organizations translate to lower-level employees having more access to data, which increases a company's risk from an operational error, a renegade employee, or external forces.

Criminals stole over $560 million from U.S. firms in 2009.

Cash-out fraudsters- criminals who purchase data from harvesters to buy and then resell goods using stolen credit cards

Botnets- networks of infiltrated and compromised machines controlled by a central command
- Used for spam, click fraud, or DDoS attacks
- Some botnets have used Twitter to communicate, sending out coded tweets to instruct compromised machines

Distributed Denial of Service (DDoS)- shutting down websites by overwhelming them with requests sent simultaneously by thousands of machines
- The cost of renting ten thousand machines (enough to cripple a site like Twitter) has fallen to around $200 a day

Stuxnet- one of the most notorious cyberwarfare efforts to date
- Infiltrated Iranian nuclear facilities and reprogrammed the industrial control software operating uranium-enriching centrifuges, making them spin too fast and destroy themselves

Hacktivists- target firms, websites, or users as a form of protest

These notes represent a detailed interpretation of the professor's lecture. GradeBuddy is best used as a supplement to your own notes, not as a substitute.

White hat hackers- probe for weaknesses but don't exploit them. They share this knowledge in hopes that security will be improved

Black hat hackers- hackers who exploit security breaches
- The research firm Gartner estimates that 70% of loss-causing security breaches involve insiders

Social engineering- con games that trick employees into revealing information or performing other tasks that compromise a firm

Phishing- cons executed through technology by leveraging the reputation of a trusted firm or friend to trick people into revealing information

Biometrics- technologies that replace conventional typed passwords
- Includes things like fingerprint readers, facial recognition, or iris scans

Malware- malicious software that tries to compromise a computing system without permission

Viruses- programs that infect software or files. They require a running program to spread

Worms- programs that take advantage of a security vulnerability to spread automatically (do not require a running program to spread)

Trojans- try to sneak in as something they're not

Malicious adware- programs installed without full user consent that later serve unwanted advertisements

Spyware- software that surreptitiously monitors user actions, network traffic, or scans for files

Keylogger- spyware that records keystrokes

Screen capture- records the pixels that appear on a user's screen for later playback in hopes of identifying information

Blended threats- attacks combining multiple malware or hacking techniques

Shoulder surfing- looking over someone's shoulder to see a password

Some key ways to stay safe are: surf smart, stay vigilant, stay updated, have security software, be password savvy, be disposal smart, back up your documents, and check with an administrator

Honeypots- bogus offerings meant to distract attackers
- Firms might use these to recognize the hacker

Blacklists- denying entry or exit of specific IP addresses, products, domains, and other restrictions

Whitelists- permitting communication only with approved entities (more restrictive than blacklists)

Lecture Notes

Confidentiality- limiting information access and disclosure to authorized users – "the right people" – and preventing access by or disclosure to unauthorized ones – "the wrong people."
- The primary focus is information security. Controls are encryption, authentication, and access controls (user IDs and passwords)

Integrity- the trustworthiness of information resources. It includes the concept of "data integrity" – namely, that data have not been changed inappropriately, whether by accident or by deliberately malign activity
- The primary focus is on operational controls. Controls for integrity would be quality assurance and audit logs

Availability- the availability of information resources. An information system that is not available when you need it is at least as bad as none at all
- The primary focus should be on business continuity planning (what do you do when something goes wrong?). Controls are BCP plans, backup storage, and sufficient capacity to store items
- Can be affected by technical issues, natural phenomena, or human causes (accidental or deliberate)

HINT: Privacy and security are not the same thing
- Privacy is defined as "a person's right to control access to his or her personal information"
- Privacy of consumer information is the result of good security policies. Most companies have privacy issues handled by a legal team while security is handled by