Lecture07 MIS

Chapter 8 discusses the vulnerabilities of information systems to various threats, including unauthorized access, malware, and insider threats. It emphasizes the importance of security measures, controls, and risk assessments to protect organizational assets and maintain data integrity. Additionally, it outlines the legal and regulatory requirements for electronic records management and the role of computer forensics in legal proceedings.

Chapter 8: Securing Information Systems

• Why are information systems vulnerable to destruction,
error, and abuse?
• Security refers to the policies, procedures, and
technical measures used to prevent unauthorized
access, alteration, theft, or physical damage to
information systems.
• Controls are methods, policies, and organizational
procedures that ensure the safety of the organization’s
assets, the accuracy and reliability of its records, and
operational adherence to management standards.
Why Systems are Vulnerable
• When large amounts of data are stored in
electronic form, they are vulnerable to many
kinds of threats.
• Through communications networks, information
systems in different locations are interconnected.
The potential for unauthorized access, abuse, or
fraud is not limited to a single location but can
occur at any access point in the network.
• Without strong safeguards, valuable data could be
lost, destroyed, or fall into the wrong hands, revealing
important trade secrets or information that violates
personal privacy.
• Portability makes cell phones, smartphones, and
tablet computers easy to lose or steal.
• Smartphones share the same security weaknesses as
other Internet devices and are vulnerable to malicious
software and penetration from outsiders.
• Smartphones that corporate employees use often
contain sensitive data such as sales figures, customer
names, phone numbers, and e-mail addresses.
• Intruders may also be able to access internal corporate
systems through these devices.
Internet Vulnerabilities
• When the Internet becomes part of the corporate network, the organization’s
information systems are even more vulnerable to actions from outsiders.
• Telephone service based on Internet technology is more vulnerable than the
switched voice network if it does not run over a secure private network.
• Most Voice over IP (VoIP) traffic over the Internet is not encrypted.
• Hackers can intercept conversations or shut down voice service by flooding servers
supporting VoIP with bogus traffic.
• E-mail, instant messaging (IM), and peer-to-peer (P2P) file-sharing programs add
further exposure.
• E-mail may contain attachments that serve as springboards for malicious software
or unauthorized access to internal corporate systems. Employees may use e-mail
messages to transmit valuable trade secrets, financial data, or confidential
customer information to unauthorized recipients.
• Popular consumer IM applications that do not use a secure (encrypted) layer for text
messages let those messages be intercepted and read by outsiders during transmission
over the Internet. Instant messaging activity over the Internet can in some cases be
used as a back door to an otherwise secure network.
• Sharing files over P2P networks, such as those for illegal music sharing, may also
transmit malicious software or expose information on either individual or
corporate computers to outsiders.
Wireless Security Challenges
• Even the wireless network in your home is vulnerable because
radio frequency bands are easy to scan.
• Both Bluetooth and Wi-Fi networks are susceptible to hacking by
eavesdroppers.
• Local area networks (LANs) using the 802.11 standard can be
easily penetrated by outsiders armed with laptops, wireless
cards, external antennae, and hacking software.
• Hackers use these tools to detect unprotected networks, monitor
network traffic, and, in some cases, gain access to the Internet or
to corporate networks.
• The service set identifiers (SSIDs) that identify the access points
in a Wi-Fi network are broadcast multiple times and can be
picked up fairly easily by intruders’ sniffer programs.
• War driving is a technique in which eavesdroppers drive by buildings or park
outside and try to intercept wireless network traffic.
Wireless Security Challenges
• An intruder who has associated with an access point by using
the correct SSID is capable of accessing other resources on the
network. For example, the intruder could use the Windows
operating system to determine which other users are
connected to the network, access their computer hard drives,
and open or copy their files.
• Intruders also use the information they have gleaned to set up
rogue access points on a different radio channel in physical
locations close to users to force a user’s radio network
interface controller (NIC) to associate with the rogue access
point.
• Once this association occurs, hackers using the rogue access
point can capture the names and passwords of unsuspecting
users.
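The rogue access point described above is detectable from the defender's side: the organisation knows which radios (BSSIDs) it deployed for its own SSID, so any scan entry that advertises that SSID, or a lookalike, from an unknown BSSID is a candidate rogue. The following is an added example (not from the lecture) in Python; the inventory, the scan results and the `CorpNet` name are constructed for the demo.

```python
"""Rogue access point detection over a Wi-Fi scan.

Added example; it is not from the lecture. It assumes the defender keeps an
inventory of the BSSIDs (radio MAC addresses) of its own access points per
SSID, and gets scan results as (ssid, bssid, channel, signal) records from a
sensor or a laptop's wireless scan. Inventory and scan are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int


# Hypothetical inventory: the corporate SSID and the BSSIDs we deployed for it.
AUTHORISED = {"CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed scan. The last two entries show the attack pattern: the corporate
# SSID (or a lookalike) advertised from an unknown BSSID, on a different channel,
# with a strong signal because the rogue sits close to the victims.
SCAN = [
    ScanResult("CorpNet", "00:11:22:33:44:01", 6, -55),
    ScanResult("CorpNet", "00:11:22:33:44:02", 11, -70),
    ScanResult("Cafe-Guest", "aa:bb:cc:dd:ee:01", 1, -80),
    ScanResult("CorpNet", "DE:AD:BE:EF:00:01", 1, -35),
    ScanResult("corpnet ", "de:ad:be:ef:00:02", 6, -40),
]


def normalise_ssid(ssid: str) -> str:
    """Fold case and whitespace so 'corpnet ' is treated as a lookalike of 'CorpNet'."""
    return ssid.strip().casefold()


def find_rogue_aps(scan, authorised):
    """Return scan entries advertising a protected SSID (or a lookalike)
    from a BSSID that is not in the inventory for that SSID."""
    protected = {normalise_ssid(s): {b.lower() for b in bssids}
                 for s, bssids in authorised.items()}
    rogues = []
    for ap in scan:
        known = protected.get(normalise_ssid(ap.ssid))
        if known is not None and ap.bssid.lower() not in known:
            rogues.append(ap)
    return rogues


if __name__ == "__main__":
    for ap in find_rogue_aps(SCAN, AUTHORISED):
        print(f"ROGUE ssid={ap.ssid!r} bssid={ap.bssid} ch={ap.channel} {ap.signal_dbm} dBm")
```

The BSSID comparison is case-insensitive and the SSID comparison folds case and surrounding whitespace, because a rogue that names itself `corpnet ` looks identical to users in the network picker while evading an exact-string check.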
Malicious Software: Viruses, Worms,
Trojan Horses, and Spyware
• Malicious software programs are referred to as malware and
include a variety of threats such as computer viruses, worms, and
Trojan horses.
• A computer virus is a rogue software program that attaches itself to
other software programs or data files to be executed, usually
without user knowledge or permission.
• Most computer viruses deliver a payload. The payload may be:
- relatively benign, such as instructions to display a message or image;
- highly destructive: destroying programs or data, clogging computer
memory, reformatting a computer's hard drive, or causing programs
to run improperly.
• Viruses typically spread from computer to computer when humans
take an action, such as sending an e-mail attachment or copying an
infected file.
Malicious Software: Viruses, Worms, Trojan Horses,
and Spyware
• Worms are independent computer programs that copy themselves from
one computer to other computers over a network.
• Unlike viruses, worms can operate on their own without attaching to other
computer program files and rely less on human behavior to spread from
computer to computer.
• Computer worms therefore spread much more rapidly than computer viruses.
• Worms can destroy data and programs as well as disrupt or even halt the operation of
computer networks.
• Worms and viruses are often spread over the Internet from files of downloaded
software; from files attached to e-mail transmissions; or from compromised e-
mail messages, online ads, or instant messaging.
• Viruses have also invaded computerized information systems from infected disks
or infected machines. Especially prevalent today are drive-by downloads ,
consisting of malware that comes with a downloaded file that a user intentionally
or unintentionally requests.
Malicious Software: Viruses, Worms,
Trojan Horses, and Spyware
• Many IoT devices such as sensors have simple processors and operating
systems that may not support sophisticated security approaches.
• A Trojan horse is a software program that appears to be benign but then
does something other than expected. It is not itself a virus because it
does not replicate, but it is often a way for viruses or other malicious code
to be introduced into a computer system. The Zeus banking Trojan is an
example: it captures login credentials by logging keystrokes.
• Spyware: small programs that install themselves surreptitiously on computers
to monitor user web-surfing activity and serve up advertising.
• Keyloggers record every keystroke made on a computer to steal serial
numbers for software, to launch Internet attacks, to gain access to e-mail
accounts, to obtain passwords to protected computer systems, or to pick
up personal information such as credit card or bank account numbers.
Hackers and Computer Crime
• A hacker is an individual who intends to gain unauthorized access to a
computer system.
• The term cracker is typically used to denote a hacker with criminal intent.
• In the public press, the terms hacker and cracker are used
interchangeably.
• Hackers gain unauthorized access by finding weaknesses in the security
protections websites and computer systems employ, often taking
advantage of various features of the Internet that make it an open
system and easy to use.
• Hackers attempting to hide their true identities often spoof, or
misrepresent, themselves by using fake e-mail addresses or
masquerading as someone else.
• Cybervandalism: the intentional disruption, defacement, or even
destruction of a website or corporate information system.
Spoofing and Sniffing
• Spoofing: besides the use of fake e-mail addresses, spoofing may involve
redirecting a web link to an address different from the intended one, with
the site masquerading as the intended destination.
For example, if hackers redirect customers to a fake website that looks
almost exactly like the true site, they can then collect and process
orders, effectively stealing business as well as sensitive customer
information from the true site.
• A sniffer: is a type of eavesdropping program that monitors
information traveling over a network. When used legitimately,
sniffers help identify potential network trouble spots or
criminal activity on networks, but when used for criminal
purposes, they can be damaging and very difficult to detect.
• Sniffers enable hackers to steal proprietary information from
anywhere on a network, including e-mail messages, company
files, and confidential reports.
Denial-of-Service Attacks
• In a denial-of-service (DoS) attack , hackers flood a network
server or web server with many thousands of false
communications or requests for services to crash the
network. The network receives so many queries that it
cannot keep up with them and is thus unavailable to service
legitimate requests.
• A distributed denial-of-service (DDoS) attack uses numerous
computers to inundate and overwhelm the network from
numerous launch points.
• Although DoS attacks do not destroy information or access
restricted areas of a company’s information systems, they
often cause a website to shut down, making it impossible for
legitimate users to access the site.
• For busy e-commerce sites, these attacks are costly; while
the site is shut down, customers cannot make purchases.
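A flood is visible in the server's own access log as request rate, and the distinction between DoS and DDoS made above matters for detection: a per-source threshold catches one noisy attacker but misses a distributed flood in which every source stays quiet. The following added example (not from the lecture) runs both checks over constructed log lines in the common log format; the window and limits are assumptions to be tuned per site.

```python
"""Flood detection over web server access logs.

Added example; not from the lecture. It assumes logs in the common/combined
format (source IP, timestamp, request line, status, size) and that a flood
shows up as request rate: one source over a per-IP limit (DoS) or all sources
together over a global limit inside a short window (DDoS, where no single IP
need look noisy). The log lines are constructed below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source ip) or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    return (datetime.strptime(m["ts"], TS_FMT), m["ip"]) if m else None


def detect_floods(events, window_s=10, per_ip_limit=20, global_limit=100):
    """Sliding-window request counts per source and overall.

    events: iterable of (datetime, ip). Returns [(kind, key, when)]: one
    'dos' alert per source and one 'ddos' alert overall, raised at the
    moment the respective limit is first exceeded inside the window."""
    alerts, flagged = [], set()
    per_ip, overall = defaultdict(deque), deque()
    for ts, ip in sorted(events):
        for q in (per_ip[ip], overall):
            q.append(ts)
            while (ts - q[0]) > timedelta(seconds=window_s):
                q.popleft()          # drop requests older than the window
        if len(per_ip[ip]) > per_ip_limit and ip not in flagged:
            flagged.add(ip)
            alerts.append(("dos", ip, ts))
        if len(overall) > global_limit and "*" not in flagged:
            flagged.add("*")
            alerts.append(("ddos", "*", ts))
    return alerts


def analyse(lines, **limits):
    """Parse raw log lines (skipping unparseable ones) and run the detector."""
    return detect_floods([e for e in map(parse_line, lines) if e], **limits)


def build_sample_log():
    """Constructed log: normal traffic, then a single-source burst, then a
    distributed burst in which each of 40 sources sends only three requests."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, seconds):
        ts = (t0 + timedelta(seconds=seconds)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    lines = [line(f"10.0.0.{k}", 12 * n) for k in range(1, 6) for n in range(5)]
    lines += [line("198.51.100.7", 70 + i / 15) for i in range(30)]
    lines += [line(f"203.0.113.{k}", 100 + n) for k in range(1, 41) for n in range(3)]
    lines.append("garbage line the parser must skip")
    return lines


if __name__ == "__main__":
    for kind, key, when in analyse(build_sample_log()):
        print(f"{when.isoformat()} {kind.upper()} source={key}")
```

On the constructed log the single-source burst trips the per-IP check while the distributed burst never does (three requests per source), and is caught only by the overall window count; in production both thresholds would be set from observed baseline traffic rather than the constants above.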
Computer Crime
• Computer crime is defined by the U.S. Department of Justice as
"any violations of criminal law that involve a knowledge of
computer technology for their perpetration, investigation, or
prosecution".
Identity Theft
• Identity theft is a crime in which an imposter obtains key pieces of
personal information, such as social security numbers, driver’s license
numbers, or credit card numbers, to impersonate someone else.
• The information may be used to obtain credit, merchandise, or services in
the name of the victim or to provide the thief with false credentials.
• Phishing: involves setting up fake websites or sending e-mail messages
that look like those of legitimate businesses to ask users for confidential
personal data.
• The e-mail message instructs recipients to update or confirm records by
providing social security numbers, bank and credit card information, and
other confidential data either by responding to the e-mail message, by
entering the information at a bogus website, or by calling a telephone
number.
• In a more targeted form of phishing called spear phishing , messages
appear to come from a trusted source, such as an individual within the
recipient’s own company or a friend.
Click Fraud
• Click fraud occurs when an individual or computer
program fraudulently clicks an online ad without
any intention of learning more about the advertiser
or making a purchase. Click fraud has become a
serious problem at Google and other websites that
feature pay-per-click online advertising.
• Some companies hire third parties (typically from
low-wage countries) to click a competitor’s ads
fraudulently to weaken them by driving up their
marketing costs.
Global Threats: Cyberterrorism and
Cyberwarfare
• The global nature of the Internet makes it
possible for cybercriminals to operate and to
do harm anywhere in the world.
• Cyberwarfare is a state-sponsored activity
designed to cripple and defeat another state
or nation by penetrating its computers or
networks to cause damage and disruption.
Internal Threats: Employees
• Employees have access to privileged information, and in the presence
of sloppy internal security procedures, they are often able to roam
throughout an organization’s systems without leaving a trace.
• Many employees forget their passwords to access computer systems
or allow coworkers to use them, which compromises the system.
• Both end users and information systems specialists are also a major
source of errors introduced into information systems.
• End users introduce errors by entering faulty data or by not following
the proper instructions for processing data and using computer
equipment.
• Information systems specialists may create software errors as they
design and develop new software or maintain existing programs.
Software Vulnerability
• Software errors pose a constant threat to information systems,
causing untold losses in productivity and sometimes endangering
people who use or depend on systems.
• Growing complexity and size of software programs, coupled with
demands for timely delivery to markets, have contributed to an
increase in software flaws or vulnerabilities.
• A major problem with software is the presence of hidden bugs
or program code defects.
• Sometimes security researchers spot these software holes but, more often,
they remain undetected until an attack has occurred.
• To correct software flaws once they are identified, the software
vendor creates small pieces of software called patches to repair
the flaws without disturbing the proper operation of the
software.
• It is up to users of the software to track these vulnerabilities,
test, and apply all patches. This process is called patch
management .
What is the business value of security
and control?
• A security and control framework that protects
business information assets can thus produce
a high return on investment.
• Strong security and control also increase
employee productivity and lower operational
costs.
Legal and Regulatory Requirements for
Electronic Records Management
• Data must be stored on a secure medium, and special security measures
must be enforced to protect such data on storage media and during
transmittal.
• Sarbanes-Oxley Act: imposes responsibility on companies and their
management to safeguard the accuracy and integrity of financial
information that is used internally and released externally.
• Because information systems are used to generate, store, and transport
such data, the legislation requires firms to consider information systems
security and other controls required to ensure the integrity, confidentiality,
and accuracy of their data.
• Each system application that deals with critical financial reporting data
requires controls to make sure the data are accurate.
• Controls to secure the corporate network, prevent unauthorized access to
systems and data, and ensure data integrity and availability in the event of
disaster or other disruption of service are essential as well.
Electronic Evidence and Computer
Forensics
• In addition to information from printed or typewritten pages, legal cases today
increasingly rely on evidence represented as digital data stored on
portable storage devices, CDs, and computer hard disk drives as well as in
e-mail, instant messages, and e-commerce transactions over the Internet.
E-mail is currently the most common type of electronic evidence.
• Computer forensics is the scientific collection, examination,
authentication, preservation, and analysis of data held on or retrieved
from computer storage media in such a way that the information can be
used as evidence in a court of law.
• It deals with the following problems:
- Recovering data from computers while preserving evidential integrity
- Securely storing and handling recovered electronic data
- Finding significant information in a large volume of electronic data
- Presenting the information to a court of law
What are the components of an organizational
framework for security and control
1- Information Systems Controls: consist of both automated and manual controls and fall into
general controls and application controls.
• General controls: govern the design, security, and use of computer programs and
the security of data files in general throughout the organization’s information
technology infrastructure. It includes software controls, physical hardware controls,
computer operations controls, data security controls, controls over the systems
development process, and administrative controls.
• Application controls are specific controls unique to each computerized application,
such as payroll or order processing. They include both automated and manual
procedures that ensure that only authorized data are completely and accurately
processed by that application.
• Application controls can be classified as :
1) input controls: check data for accuracy and completeness when they enter
the system such as input authorization, data conversion, data editing, and error
handling
2) processing controls: data are complete and accurate during updating
3) Output controls: ensure that the results of computer processing are accurate,
complete, and properly distributed.
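The input and processing controls listed above are concrete checks in the application's code path. The following added example (not from the lecture) shows them for a payroll batch in Python: input authorization, completeness, data conversion, data editing with range and format checks, error handling that reports every defect in a record, and a processing control that reconciles what was posted against control totals keyed in at source. The record layout, roles, ID format and edit limits are assumptions.

```python
"""Input and processing controls for a payroll batch.

Added example; not from the lecture. Assumed: records arrive as dicts of
strings from a data-entry form, the submitter's role is known, and the batch
carries a control header with the record count and total hours keyed in at
source. The roles, employee-id format and edit limits are hypothetical.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

EMP_ID = re.compile(r"^E\d{5}$")                    # hypothetical id format
AUTHORISED = {"payroll_clerk", "payroll_manager"}   # hypothetical roles
MAX_HOURS, MAX_RATE = Decimal("80"), Decimal("500")  # hypothetical edit limits


def validate_record(rec, submitter_role):
    """Input controls. Returns (clean record or None, list of error strings).
    Every check that can run does run, so the clerk sees all defects at once."""
    errors = []
    if submitter_role not in AUTHORISED:                       # input authorization
        errors.append("authorization: role may not enter payroll data")
    missing = [f for f in ("employee_id", "hours", "rate", "period_end")
               if not str(rec.get(f, "")).strip()]             # completeness
    if missing:
        errors.append("completeness: missing " + ", ".join(missing))
        return None, errors
    clean = {"employee_id": str(rec["employee_id"]).strip()}
    if not EMP_ID.match(clean["employee_id"]):                 # data editing: format
        errors.append("format: employee_id must be E followed by 5 digits")
    for field, limit in (("hours", MAX_HOURS), ("rate", MAX_RATE)):
        try:
            value = Decimal(str(rec[field]).strip())           # data conversion
        except InvalidOperation:
            errors.append(f"conversion: {field} is not numeric")
            continue
        if not Decimal(0) <= value <= limit:                   # data editing: range
            errors.append(f"range: {field} must be between 0 and {limit}")
        clean[field] = value
    try:
        clean["period_end"] = date.fromisoformat(str(rec["period_end"]).strip())
    except ValueError:
        errors.append("conversion: period_end must be YYYY-MM-DD")
    return (None, errors) if errors else (clean, [])


def process_batch(records, submitter_role, control_header):
    """Processing control: only clean records are posted, and the totals of
    what was posted are reconciled against the keyed-in control header."""
    accepted, rejected = [], []
    for index, rec in enumerate(records):
        clean, errors = validate_record(rec, submitter_role)
        if clean is not None:
            accepted.append(clean)
        else:
            rejected.append((index, errors))                   # error handling
    posted = {"count": len(accepted),
              "hours": sum((r["hours"] for r in accepted), Decimal(0))}
    return {"accepted": accepted, "rejected": rejected, "posted_totals": posted,
            "control_totals_match": posted == control_header}


# Constructed data-entry rows: one clean, one incomplete, one with a bad id and
# a non-numeric rate, one with hours out of range and a mis-formatted date.
SAMPLE_BATCH = [
    {"employee_id": "E00123", "hours": "40.0", "rate": "31.50", "period_end": "2024-05-31"},
    {"employee_id": "E00124", "hours": "", "rate": "22.00", "period_end": "2024-05-31"},
    {"employee_id": "E0012X", "hours": "38", "rate": "twenty", "period_end": "2024-05-31"},
    {"employee_id": "E00126", "hours": "400", "rate": "19.00", "period_end": "31/05/2024"},
]
SAMPLE_HEADER = {"count": 4, "hours": Decimal("478")}   # keyed in by the clerk

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, "payroll_clerk", SAMPLE_HEADER)
    for index, errors in result["rejected"]:
        print(f"record {index} rejected: " + "; ".join(errors))
    print("posted", result["posted_totals"], "matches header:", result["control_totals_match"])
```

The batch deliberately fails the control-total reconciliation: three of four records were rejected, so the posted count and hours no longer agree with what the clerk keyed in, and the batch has to be corrected and resubmitted rather than silently posted short.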
What are the components of an organizational
framework for security and control
2- Risk Assessment: determines the level of risk to the firm if a specific activity or process is not
properly controlled.
• Not all risks can be anticipated and measured, but most businesses will be able to acquire
some understanding of the risks they face.
• Business managers working with information systems specialists should try to determine the
value of information assets, points of vulnerability, the likely frequency of a problem, and
the potential for damage.
3- Security Policy: consists of statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals. It answers questions such as:
- What are the firm's most important information assets?
- Who generates and controls this information in the firm?
- What existing security policies are in place to protect the information?
- What level of risk is management willing to accept for each of these assets? Is it willing, for
instance, to lose customer credit data once every 10 years? Or will it build a security system for
credit card data that can withstand the once-in-a-hundred-year disaster?
Management must estimate how much it will cost to achieve this level of acceptable risk.
• An acceptable use policy (AUP) defines acceptable uses of the firm’s information resources
and computing equipment, including desktop and laptop computers, wireless devices,
telephones, and the Internet. A good AUP defines unacceptable and acceptable actions for
every user and specifies consequences for noncompliance.
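The risk assessment in item 2 (asset value, likelihood, potential damage) and the acceptable-risk question in item 3 ("once every 10 years") can be carried through as a worked calculation. The following added example (not from the lecture) uses the common simplification that expected annual loss is annual probability times average loss per occurrence, ranks exposures by it, tests whether a control pays for itself, and checks an exposure against a "no more than once every N years" policy statement. The three exposures and the control costs are constructed figures.

```python
"""Expected annual loss ranking for a risk assessment.

Added example; not from the lecture. It assumes the usual simplification:
expected annual loss = annual probability of the event x average loss per
occurrence, with the loss range estimated by the business owners. The
exposures, control cost and residual probability are constructed figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    annual_probability: float   # likely frequency of the problem, per year
    loss_low: float             # potential for damage: low estimate
    loss_high: float            # potential for damage: high estimate

    @property
    def average_loss(self) -> float:
        return (self.loss_low + self.loss_high) / 2

    @property
    def expected_annual_loss(self) -> float:
        return round(self.annual_probability * self.average_loss, 2)


def rank_exposures(exposures):
    """Highest expected annual loss first: where control spending should go."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss, reverse=True)


def control_pays_off(exposure, control_cost_per_year, residual_probability):
    """A control is worth buying when the expected loss it removes exceeds its
    annual cost. Returns (decision, expected loss avoided per year)."""
    avoided = round((exposure.annual_probability - residual_probability)
                    * exposure.average_loss, 2)
    return avoided > control_cost_per_year, avoided


def accepts_once_every(exposure, years: float) -> bool:
    """Policy check of the form 'we accept this loss at most once every N years'."""
    return exposure.annual_probability <= 1 / years


# Constructed exposures for an online order-processing system.
EXPOSURES = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]

if __name__ == "__main__":
    for e in rank_exposures(EXPOSURES):
        print(f"{e.name:14} p={e.annual_probability:.2f} avg loss={e.average_loss:>10,.0f} "
              f"expected annual loss={e.expected_annual_loss:>10,.0f}")
    worth_it, avoided = control_pays_off(EXPOSURES[0], 8_000, 0.05)
    print(f"UPS at 8,000/year avoids {avoided:,.0f}/year -> buy: {worth_it}")
```

Ranking by expected loss rather than by severity alone is the point: the user-error exposure has the smallest maximum loss of the three but, because it is nearly certain to occur every year, it outranks embezzlement by an order of magnitude.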
What are the components of an organizational
framework for security and control
4- Disaster recovery planning: devises plans for the restoration of disrupted computing
and communications services after events such as power outages, floods, earthquakes, or
terrorist attacks that would prevent your information systems and your business from
operating.
• Disaster recovery plans focus primarily on the technical issues involved in keeping
systems up and running, such as which files to back up and the maintenance of
backup computer systems or disaster recovery services.
• Business continuity planning focuses on how the company can restore business
operations after a disaster strikes. The business continuity plan identifies critical
business processes and determines action plans for handling mission-critical
functions if systems go down.
5- The Role of Auditing: How does management know that information systems
security and controls are effective?
• An information systems audit examines the firm’s overall security environment as
well as controls governing individual information systems.
• Security audits review technologies, procedures, documentation, training, and
personnel.
• The audit lists and ranks all control weaknesses and estimates the probability of
their occurrence. It then assesses the financial and organizational impact of each
threat.
What are the most important tools and
technologies for safeguarding information
resources?
1- Identity Management and Authentication: Authentication refers to the ability to know that
a person is who he or she claims to be. Authentication is often established by using passwords
known only to authorized users.
• New authentication technologies, such as tokens, smart cards, and biometric
authentication, overcome some of the problems with passwords.
• A token is a physical device, similar to an identification card, that is designed to prove the
identity of a single user.
• Tokens are small gadgets that typically fit on key rings and display passcodes that change
frequently.
• A smart card is a device about the size of a credit card that contains a chip formatted with
access permission and other data.
• Biometric authentication uses systems that read and interpret individual human traits,
such as fingerprints, irises, and voices to grant or deny access.
• Two-factor authentication increases security by validating users through a multistep
process. To be authenticated, a user must provide two means of identification, one of
which is typically a physical token, such as a smartcard or chip-enabled bank card, and the
other of which is typically data, such as a password or personal identification number
(PIN).
• Biometric data, such as fingerprints, iris prints, or voice prints, can also be used as one of
the authenticating mechanisms. A common example of two-factor authentication is a bank
card; the card itself is the physical item, and the PIN is the data that go with it.
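The token "that displays passcodes that change frequently" is, in practice, a time-based one-time password generator, and a two-factor login combines its code with the password. The following added example (not from the lecture) implements that in Python using TOTP (RFC 6238, HMAC-SHA1 over a 30-second counter) and shows two details a practitioner needs: tolerating small clock drift between token and server, and refusing to accept the same code twice, so a code captured by a keylogger or phishing page cannot be replayed. The user store, hashing parameters and demo secret are assumptions.

```python
"""Two-factor login: password plus a time-based one-time passcode.

Added example; not from the lecture. The token is modelled with TOTP
(RFC 6238: HMAC-SHA1 over a 30-second time counter), which is what most
hardware and phone tokens implement; the user store, the PBKDF2 parameters
and the demo secret are assumptions.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000   # hypothetical; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """What the token displays at at_time (seconds since the epoch)."""
    return hotp(secret, int(at_time // step), digits)


def matching_counter(secret, code, at_time, step=30, skew=1, digits=6):
    """Return the time counter whose code matches, allowing +-skew steps of
    clock drift, or None. The comparison is constant-time."""
    now = int(at_time // step)
    for counter in range(now - skew, now + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


class UserStore:
    """Both factors are always evaluated (no early exit on a bad password), and
    a passcode counter can be consumed only once, so a captured code cannot be
    replayed within its validity window."""

    def __init__(self):
        self.users = {}

    def enrol(self, username: str, password: str, totp_secret: bytes):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "secret": totp_secret,
            "last_counter": -1,
        }

    def login(self, username, password, code, at_time=None) -> bool:
        at_time = time.time() if at_time is None else at_time
        user = self.users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        user["salt"], PBKDF2_ROUNDS)
        password_ok = hmac.compare_digest(candidate, user["hash"])
        counter = matching_counter(user["secret"], code, at_time)
        code_ok = counter is not None and counter > user["last_counter"]
        if password_ok and code_ok:
            user["last_counter"] = counter   # consume the code
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC test secret, demo only
    store = UserStore()
    store.enrol("alice", "correct horse", secret)
    now = time.time()
    code = totp(secret, now)
    print("first login:", store.login("alice", "correct horse", code, now))
    print("replayed code:", store.login("alice", "correct horse", code, now + 5))
```

The bank-card example in the text is the same pattern with the card as the possession factor; here the possession factor is the shared secret inside the token, which is why the secret must be provisioned over a trusted channel and never shown again after enrolment.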
2- Firewalls, Intrusion Detection Systems, and
Antivirus Software:
• Firewalls prevent unauthorized users from
accessing private networks. A firewall is a
combination of hardware and software that
controls the flow of incoming and outgoing
network traffic. It is generally placed between the
organization’s private internal networks and
distrusted external networks, such as the Internet.
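What "controls the flow of incoming and outgoing network traffic" means in practice is a rule table evaluated per packet with a default deny, plus state so that replies to connections opened from inside are admitted without an explicit inbound rule. The following added example (not from the lecture) is a packet filter in miniature in Python; the internal address range, the rule set and the sample packets are constructed, and it also drops inbound packets that claim an internal source address, the spoofing case from earlier in the chapter.

```python
"""A stateful packet filter in miniature.

Added example; not from the lecture. It assumes the firewall sits between an
internal network (10.0.0.0/8, assumed) and the Internet, sees each packet's
direction, and keeps a table of outbound TCP connections so replies are
admitted without an explicit inbound rule. Rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")   # assumed private address space


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the inside)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP connection attempt (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    direction: str
    proto: str                          # protocol or "any"
    src: str                            # CIDR or "any"
    dst: str                            # CIDR or "any"
    dports: Optional[frozenset] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and self.proto in ("any", p.proto)
                and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and (self.dports is None or p.dport in self.dports))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # (proto, inside addr, inside port, outside addr, outside port)

    def filter(self, p: Packet):
        """First matching rule wins; anything unmatched is dropped (default deny)."""
        # Ingress anti-spoofing: nothing from outside may claim an inside address.
        if p.direction == "in" and ip_address(p.src) in INTERNAL:
            return "deny", "anti-spoofing"
        # Stateful shortcut: a reply to a connection opened from inside.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow", "established"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out" and p.proto == "tcp" and p.syn:
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action, r.name
        return "deny", "default deny"


RULES = [   # constructed policy: one public HTTPS server, web and DNS out
    Rule("web-server-in", "allow", "in", "tcp", "any", "203.0.113.10/32", frozenset({443})),
    Rule("browse-out", "allow", "out", "tcp", "10.0.0.0/8", "any", frozenset({80, 443})),
    Rule("dns-out", "allow", "out", "udp", "10.0.0.0/8", "any", frozenset({53})),
]

PACKETS = [   # constructed traffic
    Packet("in", "tcp", "198.51.100.5", "203.0.113.10", 40000, 443, syn=True),  # public HTTPS
    Packet("in", "tcp", "198.51.100.5", "203.0.113.10", 40001, 22, syn=True),   # SSH probe
    Packet("out", "tcp", "10.1.2.3", "93.184.216.34", 51000, 443, syn=True),   # user browses
    Packet("in", "tcp", "93.184.216.34", "10.1.2.3", 443, 51000),              # the reply
    Packet("in", "tcp", "93.184.216.34", "10.1.2.4", 443, 51000),              # unsolicited
    Packet("in", "tcp", "10.1.2.9", "10.1.2.3", 1234, 445),                    # spoofed inside src
]


def run(rules=RULES, packets=PACKETS):
    """Filter the packets in order with one firewall instance; returns (action, reason) per packet."""
    fw = Firewall(rules)
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for p, (action, why) in zip(PACKETS, run()):
        print(f"{action:5} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ({why})")
```

Order matters: the anti-spoofing and state checks run before the rule table, and the flow table is keyed on the full 5-tuple, so a packet from the same server to a different internal host is not treated as a reply.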
