
Chapter 8

Securing Information Systems


8.1 SYSTEM VULNERABILITY AND ABUSE

SECURITY AND CONTROLS


Security refers to the policies, procedures, and technical measures used to prevent unauthorized access,
alteration, theft, or physical damage to information systems. Controls are methods, policies, and
organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability
of its records; and operational adherence to management standards (Laudon 293). A company that does
not make security a priority is like someone who leaves a credit card or purse on the front seat of a car
with the windows down and the doors unlocked: it puts the company in a compromised position.
Why systems are vulnerable:
- Accessibility of networks
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorized changes)
- Disasters
- Use of networks/computers outside of firm’s control
- Loss and theft of portable devices
Internet vulnerabilities
- Network open to anyone
- Size of Internet means abuses can have wide impact
- Use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers

MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN HORSES, AND SPYWARE


Malicious software programs are referred to as malware and include a variety of threats, such as computer
viruses, worms, and Trojan horses.
A computer virus is a rogue software program that attaches itself to other software programs or data files
in order to be executed, usually without user knowledge or permission.
Worms are independent programs that copy themselves from one computer to other computers over a
network; unlike viruses they do not need to attach themselves to a host program or file.
Worms and viruses are often spread over the Internet from files of downloaded software, from files
attached to e-mail transmissions, or from compromised e-mail messages or instant messaging.
A Trojan horse is a software program that appears to be benign but then does something other than
expected, such as the Zeus Trojan described in the chapter-opening case.
SQL injection attacks are a major Web application threat, although they are an attack technique rather
than malware. The attacker submits crafted input to a Web form that the site's software passes unchecked
into a database query, so the attacker's text is executed as a rogue SQL query against the database.
Spyware consists of small programs that install themselves surreptitiously on computers to monitor the
user's Web surfing activity and serve up advertising. Key loggers record every keystroke on a computer
to steal serial numbers and passwords or to launch Internet attacks. Other types reset the browser home
page, redirect search requests, and slow computer performance by taking up memory.
Hackers and computer crime
A hacker is an individual who intends to gain unauthorized access to a computer system. Activities
include: System intrusion, system damage and cybervandalism.
Spoofing and Sniffing
Spoofing:
- Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
- Redirecting a Web link to an address different from the intended one, with the site masquerading as the
intended destination
Sniffing:
- An eavesdropping program that monitors information traveling over a network
- Enables hackers to steal proprietary information such as e-mail, company files, and so on
Denial-of-Service Attacks
A denial-of-service (DoS) attack floods a server with thousands of false requests to crash or overwhelm
the network. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and
overwhelm the network from numerous launch points.
Computer Crime
Defined as "any violations of criminal law that involve a knowledge of computer technology for their
perpetration, investigation, or prosecution."
Identity Theft
Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social
security identification numbers, driver’s license numbers, or credit card numbers, to impersonate someone
else.
Phishing involves setting up fake Web sites or sending e-mail messages that look like those of legitimate
businesses to ask users for confidential personal data.
Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such
as those in airport lounges, hotels, or coffee shops.
Pharming redirects users to a bogus Web page, even when the individual types the correct Web page
address into his or her browser.
Click Fraud
Click fraud occurs when an individual or computer program fraudulently clicks on an online ad without
any intention of learning more about the advertiser or making a purchase. Click fraud has become a
serious problem at Google and other Web sites that feature pay-per-click online advertising.
Global Threats: Cyberterrorism and Cyberwarfare
The cybercriminal activities we have described (launching malware, denial-of-service attacks, and
phishing probes) are borderless. Concern is mounting that the vulnerabilities of the Internet or other
networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services,
or other groups seeking to create widespread disruption and harm.
INTERNAL THREATS: EMPLOYEES
- Security threats often originate inside an organization
- Inside knowledge
- Sloppy security procedures
  – User lack of knowledge
- Social engineering: tricking employees into revealing their passwords by pretending to be legitimate
members of the company in need of information
SOFTWARE VULNERABILITY
- Commercial software contains flaws that create security vulnerabilities
  – Hidden bugs (program code defects)
- Zero defects cannot be achieved because complete testing is not possible with large programs
  – Flaws can open networks to intruders
- Patches
  – Small pieces of software to repair flaws
  – Exploits are often created faster than patches can be released and implemented
8.2 BUSINESS VALUE OF SECURITY AND CONTROL
LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC RECORDS MANAGEMENT
- HIPAA: medical security and privacy rules and procedures
- Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of
customer data
- Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the
accuracy and integrity of financial information that is used internally and released externally
ELECTRONIC EVIDENCE AND COMPUTER FORENSICS
- Electronic evidence: data held on computers and storage media that may be required in legal
proceedings and must therefore be preserved intact
- Computer forensics: the scientific collection, examination, authentication, preservation, and analysis
of data held on or retrieved from computer storage media so that the information can be used as evidence
in a court of law
- Information systems controls (see 8.3)

8.3 ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL
INFORMATION SYSTEMS CONTROLS
General controls:
- Govern design, security, and use of computer programs and security of data files in general
throughout organization’s information technology infrastructure
- Apply to all computerized applications
- Combination of hardware, software, and manual procedures to create overall control environment
Application controls
– Specific controls unique to each computerized application, such as payroll or order
processing
– Include both automated and manual procedures
– Ensure that only authorized data are completely and accurately processed by that
application
– Include: Input controls, processing controls and output controls
Risk assessment
A risk assessment determines the level of risk to the firm if a specific activity or process is not properly
controlled. Not all risks can be anticipated and measured, but most businesses will be able to acquire
some understanding of the risks they face.
SECURITY POLICY

- Ranks information risks, identifies acceptable security goals, and identifies the mechanisms for
achieving these goals
- Drives other policies
Identity management consists of business processes and software tools for identifying the valid users of a
system and controlling their access to system resources. It includes policies for identifying and
authorizing different categories of system users, specifying what systems or portions of systems each user
is allowed to access, and the processes and technologies for authenticating users and protecting their
identities.
DISASTER RECOVERY PLANNING AND BUSINESS CONTINUITY PLANNING
Disaster recovery planning devises plans for the restoration of computing and communications services
after they have been disrupted.
Business continuity planning focuses on how the company can restore business operations after a disaster
strikes.
THE ROLE OF AUDITING

- Examines the firm's overall security environment as well as the controls governing individual
information systems
- Reviews technologies, procedures, documentation, training, and personnel
- May even simulate a disaster to test the response of technology, IS staff, and other employees
- Lists and ranks all control weaknesses and estimates the probability of their occurrence
- Assesses the financial and organizational impact of each threat
8.4 TECHNOLOGIES AND TOOLS FOR PROTECTING INFORMATION RESOURCES
IDENTITY MANAGEMENT AND AUTHENTICATION
• Identity management software
• Authentication
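An added example covering the identity-management definition in 8.3 and the identity management and authentication bullets here (not the page's or any vendor's code): a minimal user directory with salted, iterated password hashing for authentication, and a role-to-permission table for authorization that denies anything not explicitly granted. The user names, roles, permission strings and the iteration count are assumptions.

```python
"""Added example: identity management in miniature. Authentication verifies a
salted PBKDF2 password hash; authorization maps a user's role to permissions
and denies by default. Users, roles and permissions are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # slow on purpose: stolen records are costly to crack


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user directory: username -> (salt, digest, role). Only hashes are kept.
USERS: Dict[str, Tuple[bytes, bytes, str]] = {}
for _name, _pw, _role in [("alice", "correct horse", "payroll_clerk"),
                          ("bob", "hunter2", "auditor")]:
    _salt, _digest = hash_password(_pw)
    USERS[_name] = (_salt, _digest, _role)

# Policy: what each category of user may do. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "auditor": {"payroll:read", "audit_log:read"},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Verify the password; return the user's role on success, None otherwise.
    compare_digest avoids leaking the digest through timing differences."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for an unknown name so its timing matches a bad password
        hash_password(password, b"\x00" * 16)
        return None
    salt, digest, role = record
    _, candidate = hash_password(password, salt)
    return role if hmac.compare_digest(candidate, digest) else None


def authorize(role: Optional[str], permission: str) -> bool:
    """Deny by default: an unauthenticated user or unknown role gets nothing."""
    return permission in ROLE_PERMISSIONS.get(role or "", set())


def access(username: str, password: str, permission: str) -> bool:
    """Full check: identify the user, then decide whether the action is allowed."""
    return authorize(authenticate(username, password), permission)


if __name__ == "__main__":
    print(access("alice", "correct horse", "payroll:write"))  # True
    print(access("bob", "hunter2", "payroll:write"))          # False: auditors only read
    print(access("alice", "wrong", "payroll:read"))           # False: bad password
    print(access("mallory", "x", "payroll:read"))             # False: unknown user
```

The two steps are deliberately separate functions: authentication answers "who is this?", authorization answers "what may this role do?", and the policy table is the only place a new permission can be granted, which is what makes it auditable.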
FIREWALLS, INTRUSION DETECTION SYSTEMS, AND ANTIVIRUS SOFTWARE
Without protection against malware and intruders, connecting to the Internet would be very dangerous.
Firewalls, intrusion detection systems, and antivirus software have become essential business tools.
A firewall is a combination of hardware and software that prevents unauthorized users from accessing
private networks. Technologies include static packet filtering, stateful inspection, network address
translation (NAT), and application proxy filtering.
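The firewall technologies listed above differ in what they look at. As an added example (not the page's code), here is a static packet filter next to a stateful one, in Python. The rule set, the internal address range 10.0.0.0/16 and the outside addresses are constructed for illustration; NAT and application proxying are not modelled.

```python
"""Added example: static packet filtering versus stateful inspection.
Rules, addresses and packets are constructed; not from the page's source."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR blocks; /0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy: the internal LAN is 10.0.0.0/16 and the public web server
# is 10.0.0.5. First matching rule wins; a packet matching nothing is denied.
RULES: List[Rule] = [
    Rule("allow", dst="10.0.0.5/32", dport=443),  # inbound HTTPS to the web server
    Rule("allow", src="10.0.0.0/16"),             # internal hosts may initiate outbound
    Rule("deny"),                                 # explicit catch-all
]


def static_filter(p: Packet, rules: List[Rule] = RULES) -> bool:
    """Static packet filtering: each packet is judged on its own header fields."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False


class StatefulFirewall:
    """Stateful inspection: remembers connections the policy admitted and lets
    their reply packets through, with no standing rule that would also admit
    unsolicited packets from outside."""

    def __init__(self, rules: List[Rule] = RULES):
        self.rules = rules
        self.established: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> bool:
        # Reply traffic: the reversed 4-tuple of a connection we already allowed
        if (p.dst, p.dport, p.src, p.sport) in self.established:
            return True
        if not p.syn:
            return False  # mid-stream packet with no tracked connection: drop
        if static_filter(p, self.rules):
            self.established.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


if __name__ == "__main__":
    fw = StatefulFirewall()
    outbound = Packet("10.0.0.7", 50000, "203.0.113.9", 443, syn=True)
    reply = Packet("203.0.113.9", 443, "10.0.0.7", 50000)
    unsolicited = Packet("203.0.113.66", 443, "10.0.0.7", 50000)
    print(static_filter(reply))    # False: static rules cannot tell a reply from an attack
    print(fw.filter(outbound))     # True: connection recorded
    print(fw.filter(reply))        # True: matches the recorded connection
    print(fw.filter(unsolicited))  # False: no tracked connection and not a SYN
```

The point of the comparison: to let the reply through, a static filter needs a rule admitting outside traffic to high ports on internal hosts, and that rule admits the attacker's packet too. The stateful firewall admits only the reply to a connection it saw being opened.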
Intrusion Detection Systems

- Monitor hot spots on corporate networks to detect and deter intruders
- Examine events as they are happening to discover attacks in progress
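As an added example of the detection logic such a system runs (not the page's code, and far simpler than a real IDS), the block below scans constructed SSH authentication log lines for two things: a burst of failed logins from one source inside a time window, and a successful login from a source that was just guessing passwords. The log lines, addresses and thresholds are made up.

```python
"""Added example: host-based intrusion detection over a constructed auth log.
A threshold rule catches password guessing; a second rule flags a success
from a source already caught guessing. Sample lines are not real captures."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample lines in the style of an SSH auth log
SAMPLE_LOG = """\
2024-03-01 10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.45 port 50211
2024-03-01 10:00:03 sshd[811]: Failed password for invalid user root from 203.0.113.45 port 50212
2024-03-01 10:00:04 sshd[811]: Failed password for alice from 10.0.0.7 port 40022
2024-03-01 10:00:05 sshd[811]: Failed password for invalid user test from 203.0.113.45 port 50213
2024-03-01 10:00:06 sshd[811]: Failed password for invalid user oracle from 203.0.113.45 port 50214
2024-03-01 10:00:07 sshd[811]: Failed password for invalid user guest from 203.0.113.45 port 50215
2024-03-01 10:00:08 sshd[812]: Accepted password for admin from 203.0.113.45 port 50216
2024-03-01 10:00:09 sshd[813]: Accepted password for alice from 10.0.0.7 port 40023
2024-03-01 10:01:30 sshd[814]: Failed password for bob from 10.0.0.9 port 40100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+$"
)

THRESHOLD = 5        # this many failures from one source ...
WINDOW_SECONDS = 60  # ... inside this sliding window raise an alert


def detect(log_text: str, threshold: int = THRESHOLD,
           window: int = WINDOW_SECONDS) -> List[Tuple[str, str]]:
    """Return (alert_kind, source_ip) pairs in the order they fire."""
    alerts: List[Tuple[str, str]] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent failure times
    flagged = set()  # sources already reported, so one burst yields one alert
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real IDS counts unparsed lines; dropping them silently hides attacks
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Accepted":
            # A success from a source that was just guessing is the signal that
            # matters most: the guessing may have worked.
            if ip in flagged:
                alerts.append(("success_after_failures", ip))
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            alerts.append(("brute_force", ip))
            flagged.add(ip)
    return alerts


if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {ip}")
```

On the sample, 203.0.113.45 trips the threshold on its fifth failure and is then flagged again when its next attempt succeeds; the single failures from 10.0.0.7 and 10.0.0.9 never reach the threshold, which is what keeps the rule from paging on ordinary typos.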
Antivirus and Antispyware Software

- Checks computers for the presence of malware and can often eliminate it as well
- Requires continual updating, since it can only recognize malware whose signatures it has
Unified Threat Management Systems
To help businesses reduce costs and improve manageability, security vendors have combined into a single
appliance various security tools, including firewalls, virtual private networks, intrusion detection systems,
and Web content filtering and antispam software. These comprehensive security management products
are called unified threat management (UTM) systems.
SECURING WIRELESS NETWORKS

- WEP (Wired Equivalent Privacy), the original Wi-Fi encryption standard, is cryptographically broken:
its keys can be recovered from captured traffic in minutes, so it should not be relied on. The measures
usually paired with it add only marginal protection:
  – Assigning a unique name to the network's SSID and not broadcasting the SSID (this hides the network
from casual users, not from anyone running a wireless sniffer)
  – Running a VPN over the wireless link, so traffic stays protected even if WEP is cracked
- The Wi-Fi Alliance finalized the WPA2 specification, replacing WEP with stronger standards:
  – Continually changing keys (a fresh per-session key for each client, with AES-based encryption)
  – Encrypted authentication against a central server (802.1X with a RADIUS server in enterprise mode)
ENCRYPTION AND PUBLIC KEY INFRASTRUCTURE
Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone
other than the sender and the intended receiver. Two methods for encrypting network traffic on the Web
are Secure Sockets Layer (SSL), with its successor Transport Layer Security (TLS), and Secure Hypertext
Transfer Protocol (S-HTTP). In practice SSL is deprecated and TLS is what browsers and servers negotiate
today; S-HTTP saw little adoption.
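An added example of the public-key principle behind PKI and TLS (not the page's code): textbook RSA on two small primes so the numbers stay visible. It shows the property that matters, that the public key encrypts and verifies while only the private key decrypts and signs. The primes, messages and the use of SHA-256 without padding are assumptions; real deployments use 2048-bit or larger keys, OAEP/PSS padding and a vetted library, never this code.

```python
"""Added example: textbook RSA to show what a public/private key pair does.
Toy parameters only: no padding, small primes. Not from the page's source."""
import hashlib
import math
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, private_key) built from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: Key, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv: Key, c: int) -> int:
    """Only the holder of the private exponent d can undo encrypt()."""
    n, d = priv
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it below the modulus (toy; real RSA pads it)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: Key, message: bytes) -> int:
    """Signing is the private-key operation applied to the message digest."""
    n, d = priv
    return pow(_digest(message, n), d, n)


def verify(pub: Key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature; any change to the
    message changes the digest and the check fails."""
    n, e = pub
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = keygen(104729, 104723)        # the 10000th and 9999th primes: toy size
    m = int.from_bytes(b"hi", "big")          # 26729, comfortably below n
    c = encrypt(pub, m)
    print(c != m, decrypt(priv, c) == m)      # True True
    sig = sign(priv, b"transfer 100")
    print(verify(pub, b"transfer 100", sig))  # True
    print(verify(pub, b"transfer 1000", sig)) # False: any change breaks the signature
```

A PKI adds the missing piece: a certificate authority signs (with its own private key) a statement binding a name to a public key, so a browser that trusts the authority can trust that the server key it receives during the TLS handshake belongs to the site it asked for.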
ENSURING SYSTEM AVAILABILITY
In online transaction processing, transactions entered online are immediately processed by the computer.
Multitudinous changes to databases, reporting, and requests for information occur each instant. Fault-
tolerant computer systems contain redundant hardware, software, and power supply components that
create an environment that provides continuous, uninterrupted service. Fault tolerance should be
distinguished from high-availability computing: high-availability computing helps firms recover quickly
from a system crash, whereas fault tolerance promises continuous availability and the elimination of
recovery time altogether.
Controlling Network Traffic: Deep Packet Inspection
Deep packet inspection (DPI) examines the contents of packets rather than only their headers, so it can
sort out low-priority online material while assigning higher priority to business-critical traffic.
Security Outsourcing
Companies that lack the resources or expertise to run security themselves can outsource many security
functions to managed security service providers (MSSPs).
SECURITY ISSUES FOR CLOUD COMPUTING AND THE MOBILE DIGITAL PLATFORM
1. Security in the cloud
2. Securing mobile platforms
