chapter 4 technology and system information

Opening Case 93
Wawa In October 2019 security researchers found approximately 1.2

Founded in 1964, Wawa, Inc. (www.wawa.com) is a U.S. chain of con‑ billion records of consumer data on an unsecured, easily accessible
venience stores and gasoline stations located along the East Coast. server. The data contained 50 million unique home and cell phone
In December 2019 Wawa disclosed a major security breach, stating numbers; associated social media profiles from Facebook, Twitter,
that hackers had inserted malicious software, known as malware, on LinkedIn, and Github; work histories seemingly scraped from Linke‑
the company’s point‑of‑sale systems. The breach impacted all 860 of dIn; and 622 million unique email addresses. The data did not con‑
Wawa’s convenience retail stores, and the malware had operated from tain sensitive data such as passwords, credit card numbers, or Social
March 4 until December 12, 2019. The attackers stole data on 30 million Security numbers.
U.S. customers as well as more than 1 million non‑U.S. cardholders. Security researchers asserted that the data appeared to come
On January 27, 2020, a Dark Web marketplace known as Joker’s Stash from PDL and Oxydata. PDL responded that they did not know how
began selling card data from the breach. the data appeared on the exposed server. Oxydata maintained
The retailer further stated that the data included debit and credit that, although the data on the exposed server could have come
card numbers, expiration dates, and cardholder names, but not debit from one of its customers, it definitely was not leaked from the
card PINs, credit card CVV2 numbers, or other personal information. Oxydata database.
However, security researchers concluded that the Wawa data actu‑ The researchers did not know who actually collected the data
ally did include CVV2 numbers. A CVV2 number is a three‑ or four‑digit or if the data in fact were stolen. They reported the exposure to the
number printed on the back or front of credit cards, debit cards, and Federal Bureau of Investigation (FBI). Within a few hours, an unknown
prepaid cards that you provide for security purposes when making person(s) took the server and the exposed data offline.
a purchase online or over the phone. Neither data broker could rule out the possibility that one of their
customers had mishandled their data. Further, the two firms could
Verifications.io have left the data exposed themselves. This situation emphasizes
Email validation companies are an important component of the email the security and privacy issues inherent in the business of collecting,
marketing industry. These firms do not send out marketing emails for buying, and selling data. What is important here is that huge volumes
themselves. Instead, they check their customers’ mailing lists to ensure of data are being collected, aggregated, stored, and commercialized
that the email addresses contained in them are valid. without the knowledge of the data owners. Who are these owners?
This process entails sending a message to the email address and They are all of us!
confirming that it was delivered. Mainstream email marketing firms Final thoughts: Damage from data breaches impacts not only con‑
often outsource the process rather than face the risk of being black‑ sumers but companies as well. Wishbone, Wawa, and People Data Labs
listed by spam filters or lowering their online reputation scores. In are facing class action lawsuits over their respective data breaches. As
early 2019, security researchers discovered an unprotected, publicly of July 2020 it appeared that Verifications.io had gone out of business.
accessible database belonging to Verifications.io, an email validation At that time, there was no evidence of a lawsuit against Oxydata.
firm. The data contained 809 million records of detailed, plaintext
marketing data. Sources: Compiled from “All Data Breaches in 2019 & 2020—An Alarming
The data consisted of 2 billion unencrypted records. These records Timeline,” SelfKey Blog, June 7, 2020; J. Lugo, “Wishbone App Breached,
contained 763 million unique email addresses, as well as names, Affecting More than 40 Million Users,” Security Boulevard, June 3, 2020;
phone numbers, physical addresses, genders, dates of birth, personal C. Cimpanu, “Hacker Leaks 40 Million User Records from Popular Wish‑
mortgage amounts, interest rates, various social media accounts asso‑ bone App,” ZDNet , May 20, 2020; A. Culafi, “Payment Cards from Wawa
ciated with email addresses, and characterizations of people’s credit Data Breach Found on Dark Web,” TechTarget , January 30, 2020; “2020
Q1 Report,” RiskBased Security , 2020; “Wawa Says Data Breach Affected
scores (such as average, above average, and so on). The data did not
Thousands over 10 Months,” Associated Press, December 20, 2019;
include Social Security numbers or credit card numbers.
C. Cimpanu, “Wawa Says POS Malware Incident Impacts ‘Potentially All
Verifications.io responded that the database contained data gath‑
Locations’,” ZDNet , December 19, 2019; L. Newman, “1.2 Billion Records
ered from public sources, asserting that the company was not liable for Found Exposed on a Single Server,” Wired , November 22, 2019; L. Dignan,
any negative consequences caused by its data leak. That being said, “Nation State Actors, Affiliates behind Increasing Amount of Data
the company took its website and the database offline the same day Breaches,” ZDNet , May 8, 2019; M. Tatham, “Identity Theft Statistics,”
that the security researchers reported the problem. Experian, March 15, 2018; R. Schultz, “Email Vendor Verifications.io Seems
to Be out of Business Following Breach,” Email Marketing Daily, March 15,
People Data Labs and Oxydata 2019; D. Winder, “(Updated) 2 Billion Unencrypted Records Leaked in
People Data Labs (PDL; www.peopledatalabs.com ) and Oxydata Marketing Data Breach—What to Do Next,” Forbes , March 10, 2019;
(www.oxydata.io) are data brokers. A data broker collects and inte‑ L. Newman, “An Email Marketing Company Left 809 Million Records
Exposed Online,” Wired, March 7, 2019; A. Greenberg, “Hackers Are Passing
grates data from a variety of sources—public records, census and
around a Megaleak of 2.2 Billion Records,” Wired , January 30, 2019.
change of address records, motor vehicle and driving records, user‑
contributed material to social media websites, media and court Questions
reports, voter registration lists, consumer purchase histories, bank
1. What is the common problem in all the of data breaches discussed
card transaction records, Web‑browsing histories, and many other
in this case? Hint: Consider user credentials.
sources—and then sells the data to other organizations.
PDL claims to have data for sale on more than 1.5 billion peo‑ 2. How would you solve the common problem in all of these data
ple around the world, including personal email addresses, LinkedIn breaches?
addresses, Facebook addresses and IDs, and phone numbers. Oxydata 3. Place yourself as a victim in any of these data breaches. What
claims to have similar data on 380 million people in 85 industries and should you do when you are notified (or when you believe) that
195 countries. your personal data have been compromised?
94 CHAPTER 4 Information Security
Introduction
The cases in this chapter provide several lessons. First, it is difficult, if not impossible, for orga‑
nizations to provide perfect security for their data. Second, there is a growing danger that coun‑
tries are engaging in economic cyberwarfare. Third, it appears that it is impossible to secure the
Internet. Information security impacts each and every one of us. This chapter’s opening case
illustrates that our personally identifiable, private data are not secure.
The solutions for these and other related issues are not clear. As you learn about informa‑
tion security in the context of information technology, you will acquire a better understanding
of these issues, their importance, their relationships, and their trade‑offs. Keep in mind that the
issues involved in information security impact individuals and small organizations as well as
large organizations.
Information security is especially important to small businesses. Large organizations that
experience an information security problem have greater resources to both resolve and survive
the problem. In contrast, small businesses have fewer resources and therefore can be more
easily crippled by a data breach.
When properly used, information technologies can have enormous benefits for individ‑
uals, organizations, and entire societies. In Chapters 1 and 2 you read about diverse ways in
which IT has made businesses more productive, efficient, and responsive to consumers. You
also explored fields such as medicine and philanthropy in which IT has improved people’s
health and well‑being. Unfortunately, bad actors can misuse information technologies, often
with devastating consequences. Consider the following scenarios:
• Individuals can have their personal data and subsequently their identities stolen.
• Organizations can have customer information stolen, leading to financial losses, erosion of
customer confidence, and legal actions.
• Countries face the threats of cyberterrorism and cyberwarfare, terms for Internet‑based
attacks. Cyberwarfare is a critical problem for the U.S. government. In fact, President
Obama signed a cyberwarfare directive in October 2012 that, for the first time, laid
out specific ground rules for how and when the U.S. military can carry out offensive
and defensive cyber operations against foreign threats. The directive emphasized the
U.S. government’s focus on cybersecurity as a top priority, a focus that continues to grow
in importance.
Clearly, the misuse of information technologies has come to the forefront of any discussion of
IT. In fact, according to security analysts, cybercrime will cost the world approximately $6 tril‑
lion per year by 2021.
With organizations facing the loss or theft of 17 billion records since the beginning of 2019
(see this chapter’s opening case), they must be aware of the full financial impact that a data
breach will have. According to IBM Security’s annual study of the financial impact of data
breaches in organizations, the average cost of a breach in the United States is about $8 million,
more than double the worldwide average cost. While less common, breaches of more than
1 million records cost companies an average of $42 million in losses and breaches of 50 million
records cost companies $388 million. The average length of a breach was 279 days, with com‑
panies taking 206 days to first identify the breach after it occurs and an additional 73 days to
contain the breach.
FIN The direct costs of a data breach include hiring forensic experts, notifying custom‑
ers, setting up telephone hotlines to field queries from concerned or affected customers, offer‑
ing free credit monitoring, and providing discounts for future products and services. The more
intangible costs of a breach include the loss of business from increased customer turnover—
called customer churn—and decreases in customer trust.
HRM Unfortunately, employee negligence causes many data breaches, meaning that
organizational employees are a weak link in information security. It is therefore very important
for you to learn about information security so that you will be better prepared when you enter
the workforce.
Introduction to Information Security 95
4.1 Introduction to Information Security

Security can be defined as the degree of protection against criminal activity, danger, damage, or Author Lecture Videos are
loss. Following this broad definition, information security refers to all of the processes and pol‑ available exclusively in
icies designed to protect an organization’s information and information systems (IS) from unau‑ WileyPLUS .
thorized access, use, disclosure, disruption, modification, or destruction. You have seen that Apply the Concept activities
information and information systems can be compromised by deliberate criminal actions and are available in the Appendix
by anything that can impair the proper functioning of an organization’s information systems. and in WileyPLUS .
Before continuing, let’s consider these key concepts. Organizations collect huge amounts
of information, and they employ numerous information systems that are subject to myriad
threats. A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss, or damage that can result if a threat
compromises that resource. An information resource’s vulnerability is the possibility that
a threat will harm that resource.
Today, five key factors are contributing to the increasing vulnerability of organizational
information resources, making it much more difficult to secure them:
1. Today’s interconnected, interdependent, wirelessly networked business environment

2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over cybercrime
5. Lack of management support
The first factor is the evolution of the IT resource from mainframe‑only to today’s highly
complex, interconnected, interdependent, wirelessly networked business environment. The
Internet now enables millions of computers and computer networks to communicate freely and
seamlessly with one another. Organizations and individuals are exposed to a world of untrusted
networks and potential attackers. In general, a trusted network is any network within your organi‑
zation, and an untrusted network is any network external to your organization. Also, wireless tech‑
nologies enable employees to compute, communicate, and access the Internet anywhere and at
any time. Significantly, wireless is an inherently unsecure broadcast communications medium.
The second factor reflects the fact that modern computers and storage devices—for exam‑
ple, thumb drives or flash drives—continue to become smaller, faster, cheaper, and more por‑
table, with greater storage capacity. These characteristics make it much easier to steal or lose
a computer or a storage device that contains huge amounts of sensitive information. Also, far
more people are able to afford powerful computers and connect inexpensively to the Internet,
thus raising the potential of an attack on information assets.
The third factor is that the computing skills necessary to be a hacker are decreasing. The
reason is that the Internet contains information and computer programs called scripts that
users with limited skills can download and use to attack any information system that is con‑
nected to the Internet. (Security experts can also use these scripts for legitimate purposes, such
as testing the security of various systems.)
The fourth factor is that international organized crime is taking over cybercrime.
Cybercrime refers to illegal activities conducted over computer networks, particularly the
Internet. Consulting company Accenture (www.accenture.com) maintains that groups of well‑
organized criminal organizations have taken control of a global billion‑dollar crime network.
The network, powered by skillful hackers, targets known software security weaknesses. These
crimes are typically nonviolent; however, they are quite lucrative. Consider, for example, that
losses from armed robberies average hundreds of dollars and those from white‑collar crimes can
average tens of thousands of dollars. In contrast, losses from computer crimes can average hun‑
dreds of thousands of dollars. Furthermore, computer crimes can be committed from anywhere
in the world at any time, effectively providing an international safe haven for cybercriminals.
The fifth, and final, factor is lack of management support. For the entire organization to
take security policies and procedures seriously, senior managers must set the tone. Unfortu‑
nately, senior managers often do not do so. Ultimately, however, lower‑level managers may be
even more important. These managers are in close contact with employees every day and are
thus in a better position to determine whether employees are following security procedures.
IT’s About Business 4.1

MIS Thieves Steal 100 Luxury Vehicles from quickly arrest almost two dozen joyriders. Many of them claimed that
they had innocently rented the vehicles from people in the neigh‑
Car2Go borhood without realizing that anything was wrong. The only person
Car2Go was a car‑sharing service available in six North American charged with a felony had phony credit cards in his possession.
cities. Car2Go did not charge recurring membership fees, nor did it In total, more than 100 cars were compromised. All of them
charge for gas. After paying a $35 joining fee, members rented cars were eventually recovered, though some only after they were
for a fixed fee of 41 cents per minute, or $14.99 per hour. stripped of doors, seats, and other parts. In response, Car2Go rein‑
With the map on the Car2Go app, customers could find cars on stated its original policy of manually reviewing new accounts. The
the streets and in designated lots around a city. They waved their company subsequently reported that it had not experienced any
RFID‑enabled membership card over the windshield, and the doors serious issues in the following two months.
unlocked. The keys and a credit card for refueling were kept in the In spring 2019, Car2Go and DriveNow merged to become
glove compartment. Customers could leave the car anywhere in Share Now (www.share‑now.com). In December 2019 Daimler
the Home Area—that is, Car2Go’s operating area in a particular announced that Share Now would no longer operate in North
city—and they did not have to refuel it. America, effective February 29, 2020. Daimler noted that a key
Car2Go’s executive team in Europe, where fraud rates were strategy for Share Now was to move to electric vehicles and that
much lower than in the United States, wanted to make it easier for North America did not have the infrastructure (i.e., charging sta‑
people to sign up for the service. In the past, the company required tions) to support that strategy. Share Now made no mention of
all customers to undergo background checks conducted manu‑ security concerns contributing to its decision to cease operations
ally by humans. These checks took one to two days to complete, in North America.
which irritated some customers. Therefore, in April 2019 the service
stopped requiring these checks. Sources: Compiled from “How to Protect against Hacks on Car Sharing
Within a week after dopping these requirements, the com‑ Services,” Upstream.com , 2020; R. Pegoraro, “An Elegy for Car2Go, the
pany reported that about 20 people had set up approximately 80 Smarter Zipcar Rival that Lost Its Way,” Fast Company, December 21, 2019;
bogus accounts in Chicago, using fake or stolen credit cards as their A. Migdal, “Hundreds of Thousands of Car2Go Members to Lose Service
payment methods. In several instances, hackers with lists of stolen as Company Pulls out of North America,” CBC News, December 18, 2019;
A. Hawkins, “Share Now, Formerly Car2Go, Is Leaving North America,” The
email addresses and passwords had written computer programs to
Verge, December 18, 2019; L. Zimberoff, “How a Rental App Lost Control of
locate car‑sharing accounts using those fake credentials.
Its Cars,” Bloomberg Businessweek, July 15, 2019; J. Brustein, “Mercedes
Almost immediately, there was an increase in rentals for Thieves Showed Just How Vulnerable Car‑Sharing Can Be,” Bloomberg
Car2Go’s Mercedes CLA sedans and GLA sport utility vehicles. These Businessweek, July 11, 2019; D. Solomon, “Thefts of Austin‑Based Car2Go
rentals lasted much longer than Car2Go’s average 90‑minute rental. Rentals Show the Vulnerability of Our App‑Based World,” Texas Monthly ,
In fact, many of the Mercedes were not returned at all. Instead, April 21, 2019; “21 People Arrested in Car2Go Fraud Incident that Caused
employees at Car2Go headquarters in Austin, Texas, watched on a App to Temporarily Suspend Its Service in Chicago,” CBS News Chicago,
digital map as many of their cars gathered in West Chicago, a neigh‑ April 19, 2019; “Car2Go and DriveNow Merge to Become Share Now,”
borhood just outside the company’s coverage area. New Mobility, March 4, 2019; “More Members, More Rentals: Car2Go Has
Car2Go sent several workers to retrieve the vehicles, only to find Successful Financial Year 2018,” Car2Go Press Release, January 10, 2019;
E. Kovacs, “Car Sharing Apps Vulnerable to Hacker Attacks: Kaspersky,”
that thieves had them. Some of the thieves blocked the vehicles to pre‑
Security Week, July 25, 2018; www.share‑now.com, accessed July 5, 2020.
vent repossession, and others threatened the employees. Car2Go was
able to remotely disable vehicles, but the confusing situation made it Questions
difficult to know which cars to actually disable. At the same time that
1. How could Daimler executives have tested their decision to
Car2Go was noticing the increase in rentals, Facebook ads featuring
eliminate background checks before fully implementing it?
short‑term Mercedes rentals began to target Chicagoans. Two days
later, Car2Go suspended operations in Chicago because the company 2. Consider yourself a Daimler executive. Rather than eliminat‑
could not distinguish its legitimate customers from the thieves. ing the background checks altogether, would it be possible
Car2Go asked the Chicago Police Department for help. Accord‑ to redesign the process so that it took much less time? If so,
ing to the police, all of the stolen cars had functioning GPS trackers how would you have done this?
and license plates that started with the letter AX. Further, many still 3. Describe how hacking played a role in the theft of luxury
had visible Car2Go stickers on them. As a result, officers were able to vehicles from Car2Go.
Management can also make decisions that lead to problems. IT’s About Business 4.1
shows how a management decision adversely impacted Car2Go. As you read this case, note
that not all security problems are caused by high‑tech wizardry.
Before you go on…

1. Define information security.
2. Differentiate among a threat, an exposure, and a vulnerability.
3. Why are the skills needed to be a hacker decreasing?
Unintentional Threats to Information Systems 97
4.2 Unintentional Threats

to Information Systems
Information systems are vulnerable to many potential hazards and threats, as you can see Author Lecture Videos are
in Figure 4.1. The two major categories of threats are unintentional threats and deliber‑ available exclusively in
ate threats. This section discusses unintentional threats, and the next section addresses WileyPLUS .
deliberate threats. Apply the Concept activities
Unintentional threats are acts performed without malicious intent that nevertheless rep‑ are available in the Appendix
resent a serious threat to information security. A major category of unintentional threats is and in WileyPLUS .
human error.
OUTSIDE THREATS
Natural Disasters
Internet (floods, storms)
(
esuriv
) . c t e erawlaM
Man‑Made Disasters
r o w ,s
D
,sre esu U
laine
Fire
sr t u a n
Power outages
kca (
)sre kcarc
s
s fo
iroh
h
Other accidents
,
e
de z
i v r
ec
CORPORATE LAN (I NTRANET)
EMPLOYEES OTHER INSIDERS HARDWARE THREATS

Application Programmer Consultants, contract labor, Terminals
janitors
• Programming of • Located in nonsecure
applications to function environment
contrary to specifications • Unauthorized access
• Theft PCS
• Copying
Systems Programmer
• Fraudulent identification
• Bypassing security • Illegal leakage of
mechanisms authorized information
• Disabling security • Viruses, worms, and
mechanisms other malware

• Installing nonsecure • Physical theft
systems
Databases
Operators Systems Software
• Unauthorized access
• Duplication of • Failure of protection • Copying
confidential reports mechanisms • Theft
• Initializing nonsecure • Information leakage
system • Installed unauthorized
• Theft of confidential software

material
Users
INSIDE THREATS
• Data entry errors
• Weak passwords
• Lack of training
FIGURE 4.1 Security threats.

Human Errors
HRM Organizational employees span the breadth and depth of the organization, from mail
clerks to the CEO, and across all functional areas. There are two important points to be made
about employees. First, the higher the level of employee, the greater the threat he or she poses
to information security. This is true because higher‑level employees typically have greater
access to corporate data, and they enjoy greater privileges on organizational information sys‑
tems. Second, employees in two areas of the organization pose especially significant threats
to information security: human resources and information systems. Human resources employ‑
ees generally have access to sensitive personal information about all employees. Likewise, IS
employees not only have access to sensitive organizational data, but they also frequently con‑
trol the means to create, store, transmit, and modify those data. Consider these two examples.
• MIS POM For 10 years, a Siemens contractor created spreadsheets that the company
used to manage equipment orders. The spreadsheets contained custom macros that
enabled Siemens to automate inventory and order management. The contractor embed‑
ded logic bombs that would trigger after a certain date and crash the spreadsheets. Each
time the spreadsheets would crash, Siemens would call him and he would “fix the prob‑
lem” for a fee.
The scheme fell apart when he was out of town and had to give his password for the
spreadsheets to Siemens IT staff so that they could use the spreadsheets to fill an urgent
order. They found the logic bombs and the police arrested the contractor.
• MKT A marketing and software company in the United Kingdom terminated an IT
employee. After he left, he could still access the company’s systems because he had stolen
a fellow employee’s login credentials. He then deleted each of the firm’s 23 Amazon Web
Services servers. As a result, the firm said that it lost “big contracts with some clients” total‑
ing about $700,000. The perpetrator was sentenced to two years in prison.
Other relevant employees include contract labor, consultants, and janitors and guards.
Contract labor, such as temporary hires, may be overlooked in information security arrange‑
ments. However, these employees often have access to the company’s network, information
systems, and information assets. Consultants, although technically not employees, perform
work for the company. Depending on the nature of their work, they may also have access to the
company’s network, information systems, and information assets.
Finally, janitors and guards are the most frequently ignored people in information secu‑
rity systems. Companies frequently outsource their security and janitorial services. As with
contractors, then, these individuals work for the company although they technically are not
employees. Moreover, they are usually present when most—if not all—other employees have
gone home. They typically have keys to every office, and nobody questions their presence
in even the most sensitive parts of the building. In fact, an article from 2600: The Hacker
Quarterly ( www.2600.com) described how to get a job as a janitor for the purpose of gaining
physical access to an organization.
Human errors or mistakes by employees pose a serious problem. These errors are typically
the result of laziness, carelessness, or a lack of awareness concerning information security. This
lack of awareness arises from poor education and training efforts by the organization. Human
mistakes manifest themselves in many different ways, as illustrated in Table 4.1.
The human errors you have just studied, although unintentional, are committed entirely by
employees. However, employees also can make unintentional mistakes in response to actions
by an attacker. Attackers often employ social engineering to induce individuals to make unin‑
tentional mistakes and disclose sensitive information.
Social Engineering
Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate
legitimate employees into providing confidential company information such as passwords. The
Unintentional Threats to Information Systems 99
TABLE 4.1 Human Mistakes
Human Mistake Description and Examples

Carelessness with computing devices Losing or misplacing devices, leaving them in taxis, and
(e.g., laptops, tablets, smartphones) so on
Carelessness with computing devices Losing or misplacing these devices, or using them
carelessly so that malware is introduced into an
organization’s network
Opening questionable e‑mails Opening e‑mails from someone unknown, or clicking on

links embedded in e‑mails (see phishing attack in Table 4.2)
Careless Internet surfing Accessing questionable websites; can result in malware

and alien software being introduced into the organization’s
network
Poor password selection and use Choosing and using weak passwords (see strong passwords
in the “Authentication” section later in this chapter)
Carelessness with one’s office Leaving desks and filing cabinets unlocked when
employees go home at night; not logging off the company
network when leaving the office for any extended period
of time
Carelessness using unmanaged Unmanaged devices are those outside the control of
devices an organization’s IT department and company security
procedures. These devices include computers belonging
to customers and business partners, computers in the
business centers of hotels, and so on.
Carelessness with discarded Discarding old computer hardware and devices without
equipment completely wiping the memory; includes computers,
smartphones, BlackBerry® units, and digital copiers and
printers
Careless monitoring of These hazards, which include dirt, dust, humidity, and
environmental hazards static electricity, are harmful to the operation of computing
equipment
most common example of social engineering occurs when the attacker impersonates someone
else on the telephone, such as a company manager or an IS employee. The attacker claims he
forgot his password and asks the legitimate employee to give him a password to use. Other
common ploys include posing as an exterminator, an air conditioning technician, or a fire
marshal. Examples of social engineering abound.
In one company, a perpetrator entered a company building wearing a company ID card
that looked legitimate. He walked around and put up signs on bulletin boards reading “The
help desk telephone number has been changed. The new number is 555‑1234.” He then exited
the building and began receiving calls from legitimate employees thinking they were calling
the company help desk. Naturally, the first thing the perpetrator asked for was each caller’s
username and password. He now had the information necessary to access the company’s
information systems.
Two other social engineering techniques are tailgating and shoulder surfing. Tailgating
is a technique designed to allow the perpetrator to enter restricted areas that are controlled
with locks or card entry. The perpetrator follows closely behind a legitimate employee and,
when the employee gains entry, the attacker asks him or her to “hold the door.” Shoulder surf‑
ing occurs when a perpetrator watches an employee’s computer screen over the employee’s
shoulder. This technique is particularly successful in public areas such as in airports and on
commuter trains and airplanes.
Before you go on…

1. What is an unintentional threat to an information system?
2. Provide examples of social engineering attacks other than the ones just discussed.
4.3Deliberate Threats to
Information Systems
Author Lecture Videos are There are many types of deliberate threats to information systems. We provide a list of 10 com‑
available exclusively in mon types for your convenience:
WileyPLUS.
Apply the Concept activities 1. Espionage or trespass
are available in the Appendix 2. Information extortion
and in WileyPLUS.
3. Sabotage or vandalism
4. Theft of equipment or information
5. Identity theft
6. Compromises to intellectual property
7. Software attacks
8. Alien software
9. Supervisory control and data acquisition (SCADA) attacks
10. Cyberterrorism and cyberwarfare
Espionage or Trespass
Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access
to organizational information. It is important to distinguish between competitive intelligence
and industrial espionage. Competitive intelligence consists of legal information‑gathering tech‑
niques, such as studying a company’s website and press releases, attending trade shows, and
similar actions. In contrast, industrial espionage crosses the legal boundary.
Information Extortion
Information extortion occurs when an attacker either threatens to steal, or actually steals, infor‑
mation from a company. The perpetrator demands payment for not stealing the information,
for returning stolen information, or for agreeing not to disclose the information. An increasingly
serious type of information extortion is ransomware.
Ransomware, or digital extortion, blocks access to a computer system or encrypts an orga‑
nization’s data until the organization pays a sum of money. Victims are told to pay the ransom,
usually in Bitcoin. Attackers typically use the anonymizing Tor network ( www.torproject.org).
Ransomware attacks are growing rapidly. In 2020 ransomware attacks extorted approxi‑
mately $20 billion globally. As bad as these figures look, the reality is probably worse. Experts
estimate that fewer than 25 percent of ransomware attacks are reported. Significantly,
security analysts note that over half of the companies compromised by ransomware pay
the ransom.
Methods of Attack. Most commonly, ransomware attacks use spear phishing and
whaling attacks. These emails are carefully tailored to look as convincing as possible, so they
appear no different from any other email the victim might receive.
Deliberate Threats to Information Systems 101
Some ransomware developers distribute ransomware to any hacker who wants to use it.
This process is called ransomware‑as‑a‑service. In this type of ransomware, the original creators
publish the software on the Dark Web, allowing other criminals to use the code in return for
receiving 40 to 50 percent of each ransom paid.
Rather than threatening to delete encrypted data, some cybercriminals are beginning to
threaten to release it to the public, a strategy known as doxxing. For organizations that deal
with private and sensitive customer data, such as financial services, hospitals, and law firms,
such attacks can have severe consequences. In addition to the impact to brand reputation, reg‑
ulations such as the Health Information Portability and Accountability Act (HIPAA) require cus‑
tomer notifications and other activities that can quickly total hundreds of thousands of dollars.
Compared to other industry segments, personal health information is 50 times more valuable
than financial information on the Dark Web.
The Costs of Ransomware. Direct costs are the ransom payment. Indirect costs
include the cost of recovering files from backup and restoring encrypted systems, business
interruption, loss of reputation, liability (lawsuits), loss of data, investments in additional
cybersecuritry software, additional staff training, and increased cyber insurance (particularly
covering ransomware attacks).
Protection against Ransomware. There are many steps that organizations can
take to protect itself against ransomware infections.
• Perhaps most importantly, all organizations must provide education and training so that
users are aware of phishing, spear phishing, and whaling attacks and do not click on any
suspicious emails or links in emails.
• Organizations must install the latest versions of software and apply patches immediately.
• Organizations must back up crucial data and information often, preferably through an
encrypted cloud‑based storage company or an online backup service. Examples are iDrive
(www.idrive.com) and Carbonite (www.carbonite.com). Important: the backup data
storage must be connected to your system only when you are backing up the data.
• Organizations should employ anti‑ransomware software. Packages such as Acronis Ran‑
somware Protection (www.acronis.com) and Malwarebytes Anti‑Ransomware Beta (www
.malwarebytes.com) use two methods to defeat ransomware. First, they detect the dig‑
ital signatures of known malware to recognize it going forward. This approach does not
work if the software has not yet encountered a particular type of malware.
Second, they detect malware by its behavior. These programs monitor the activity of
apps, and they quarantine processes that perform suspicious actions, such as generating
an encryption key or starting to encrypt files. This method is more effective at detecting
and stopping ransomware than simply searching for malware signatures because it can
detect new threats as well as known threats.
• Organizations should utilize the No More Ransom initiative ( www.nomoreransom.org).
The portal offers information and advice on how to avoid falling victim to ransomware as
well as free decryption tools for various types of ransomware to help victims retrieve their
encrypted data. The portal is updated as often as possible to ensure that tools are available
to fight the latest forms of ransomware. The platform is available in multiple languages,
and more than 100 partners across the public and private sectors support the initiative.
As of July 2020 No More Ransom offered 138 decryption tools covering many fam‑
ilies of ransomware. These tools had deprived cybercriminals of at least $108 million in
ransoms.
• Organizations should also be aware that individual security companies regularly release
decryption tools to counter the ongoing evolution of ransomware. Many of these compa‑
nies post updates about these tools on their company blogs as soon as they have cracked
the malware’s code.
IT’s About Business 4.2 provides examples of ransomware. As you read this case, pay special
attention to how each organization responded to the ransomware attack.

MIS FIN Ransomware Is Alive and Well Further, the city did not believe that any employee information was
compromised.
Unfortunately, examples of successful ransomware attacks abound. New Orleans IT officials stated that it would take months
These attacks can seriously affect both the organizations involved before the city was able to rebuild its systems. The city did not dis‑
and the organizations’ customers and business partners. In this close whether it had paid a ransom.
case, we take a look at several ransomware attacks, paying particu‑ The attack cost New Orleans at least $7 million in financial
lar attention to the organizations’ responses and the results of the damages. The city was able to recover $3 million from a cyber insur‑
attacks. ance policy it had purchased prior to the incident. Following the
attack the city increased its cyber insurance coverage to $10 million.
Universities There have been many cases where smaller companies decided
On August 21, 2020, the University of Utah (www.utah.edu) to shut down, lacking the funds to (a) pay a ransom demand to
revealed that it paid a ransomware gang just over $450,000. The retrieve their data and (b) rebuild their IT infrastructure. Here are
university asserted that the hackers encrypted only a very small two recent examples.
amount of its data and that its IT staff restored the data from back‑
ups. However, when the gang threatened to release student‑related The Heritage Company
data online, the university agreed to pay the ransom. The Heritage Company, an Arkansas‑based telemarketing firm,
On June 1, 2020, a ransomware attack encrypted a lim‑ experienced a ransomware attack at the beginning of Octo‑
ited number of servers within the University of California San ber 2019. CEO Sandra Franecke reported that the company lost
Francisco’s (UCSF; www.ucsf.edu) School of Medicine. The attack‑ “hundreds of thousands of dollars” as a result of the incident.
ers revealed some data as proof of their actions in their demand IT recovery efforts were not successful, and the firm’s lead‑
for a ransom payment. ership halted operations and left more than 300 employees
The attackers first demanded $3 million. After conducting without jobs.
negotiations with UCSF on the Dark Web, they agreed to lower that
total to $1.14 million. When the university transferred 116.4 bit‑ Brookside Ear Nose and Throat & Hearing Service
coins to the hackers, it received a decryption tool to unlock the data In April 2019 Brookside Ear Nose and Throat (ENT) & Hearing Ser‑
encrypted in the attack. vice in Battle Creek, Michigan, experienced a ransomware attack
UCSF did not specify which data were affected. The university when a virus injected itself into the practice’s electronic medical
did state that it did not believe that patient medical records were system. The virus deleted and overwrote every medical record, bill,
exposed. The incident also did not affect patient care delivery oper‑ and appointment, including backup data files. The virus did leave
ations or COVID‑19‑related work. behind a duplicate of the deleted files, which could be unlocked
with a password. The attackers promised to provide that password
Norsk Hydro ASA for $6,500 in U.S. currency wired to an account.
Norsk Hydro ASA (www.hydro.com ) is a Norwegian aluminum and The practice’s two ENT surgeons refused to pay the ransom.
renewable energy company with operations in 50 countries. In June They felt that there was no guarantee that the password would
2019 an employee opened an infected email from a trusted cus‑ work or that the malware would not show up again. Lacking med‑
tomer, resulting in a ransomware attack on the company. The hack‑ ical and billing records, the doctors closed the business on April 1,
ers crippled 22,000 computers across 170 sites around the world. 2019, and retired about a year before they had planned.
Law enforcement agencies consider the company’s response
to be the “gold standard” answer to hackers. Norsk did not respond Sources: Compiled from C. Cimpanu, “University of Utah Pays
to the attackers at all, not even to ask what the ransom would be. $457,000 to Ransomware Gang,” ZDNet , August 21, 2020; M. Novinson,
Instead, they opted to restore their data from trusted backup serv‑ “The 11 Biggest Ransomware Attacks of 2020 (So Far),” CRN, June 30,
ers. Additionally, Norsk was completely open and transparent with 2020; “UCSF Hospital Paid $1.14 Million in Bitcoin after Ransomware
Attack,” Coindesk, June 30, 2020; D. Winder, “The University of
everyone about what had happened. Here is what Norsk did.
California Pays $1 Million Ransom Following Cyber Attack,” Forbes ,
The entire workforce, consisting of 35,000 employees, turned
June 29, 2020; J. Tidy, “How Hackers Extorted $1.14 Million from
to pen and paper. The firm switched production lines that shaped
University of California, San Francisco,” BBC News, June 29, 2020;
molten metal to manual functions. In some cases, retired work‑ A. Scroxton, “Facilities Firm ISS World Crippled by Ransomware
ers came back to help their colleagues operate the lines “the old‑ Attack,” Computer Weekly, February 20, 2020; D. Kobialka, “New
fashioned way.” In some cases, though, production lines did have Orleans Mayor: Ransomware Attack Cost City $7 Million,” MSSP Alert,
to stop. When Norsk recovered, it had spent roughly $70 million. January 16, 2020; C. Cimpanu, “Company Shuts Down because of
Ransomware, Leaves 300 without Jobs just before Holidays,” ZDNet,
The City of New Orleans January 3, 2020; D. Kobialka, “New Orleans Ransomware Attack Update:
On December 13, 2019, the City of New Orleans experienced a ran‑ City to Raise Cyber Insurance to $10 Million,” MSSP Alert, December 24,
2019; D. Winder, “New Orleans Declares State of Emergency Following
somware attack. In response, Mayor LaToya Cantrell declared a city‑
Cyber Attack,” Forbes, December 14, 2019; Z. Zorz, “Danish Company
wide state of emergency. The city’s IT department shut down all city
Demant Expects to Suffer Huge Losses Due to Cyber Attack,” Help Net
servers and ordered all employees to shut down their computers Security , October 1, 2019; C. Cimpanu, “Ransomware Incident to Cost
and disconnect from Wi‑Fi. In total, the city shut down most of its Danish Company a Whopping $95 Million,” ZDNet, September 30, 2019;
government systems and more than 4,000 government computers. J. Tidy, “How a Ransomware Attack Cost One Firm £45m,” BBC News ,
Fortunately, the attack did not impact the city’s 911 service, police June 25, 2019; J. Carlson, “All of Records Erased, Doctor’s Office Closes
department, fire department, and emergency medical services. after Ransomware Attack,” Star Tribune, April 6, 2019.
Questions Is this a good decision? Draw implications for any organiza‑

1. Why has ransomware become such a serious global prob‑ tion after a successful ransomware attack. Pay or not pay?
lem? (Hint: What is a so‑called “victimless crime”?) 3. Describe the different methods that the organizations dis‑
2. In many ransomware attacks, the perpetrators ask for far cussed in this case employed to deal with ransomware
less money than the victims end up paying to recover from attacks. Which methods seem to be the most effective? The
the attack. Would it not save money and time for victims to least effective?
pay the ransom? Why don’t victims simply pay the ransom?
Sabotage or Vandalism
Sabotage and vandalism are deliberate acts that involve defacing an organization’s website,
potentially damaging the organization’s image and causing its customers to lose faith. One
form of online vandalism is a hacktivist or cyberactivist operation. These are cases of high‑tech
civil disobedience to protest the operations, policies, or actions of an organization or govern‑
ment agency. For example, in February 2020 Anonymous, a decentralized hacktivist move‑
ment, hacked the United Nations Department of Economic and Social Affairs (www.un.org/
development/desa). The group created a web page for Taiwan, a country that had not had
a seat at the UN since 1971. The hacked page featured a Taiwan independence flag and the
Anonymous logo.
Theft of Equipment or Information

Computing devices and storage devices are becoming smaller yet more powerful with vastly
increased storage. Common examples are laptops, iPads, smartphones, digital cameras, thumb
drives, and iPods. As a result, these devices are becoming easier to steal and easier for attack‑
ers to use to steal information. In fact, not all attacks on organizations involve sophisticated
software.
Table 4.1 points out that one type of human mistake is carelessness with laptops and
other small computers such as tablets and, particularly, smartphones. In fact, many computing
devices have been stolen because of such carelessness. The cost of a stolen device includes the
loss of data, the loss of intellectual property, device replacement, legal and regulatory costs,
investigation fees, and lost productivity.
One form of theft, known as dumpster diving, involves rummaging through commercial or
residential trash to find discarded information. Paper files, letters, memos, photographs, IDs,
passwords, credit cards, and other forms of information can be found in dumpsters. Unfortu‑
nately, many people never consider that the sensitive items they throw in the trash might be
recovered and used for fraudulent purposes.
Dumpster diving is not necessarily theft, because the legality of this act varies. Because
dumpsters are usually located on private premises, dumpster diving is illegal in some parts of
the United States. Even in these cases, however, these laws are enforced with varying degrees
of rigor.
Identity Theft
Identity theft is the deliberate assumption of another person’s identity, usually to gain access
to his or her financial information or to frame him or her for a crime. Techniques for illegally
obtaining personal information include the following:
• Stealing personal data in computer databases

• Infiltrating organizations that store large amounts of personal data; for example, data
aggregators such as Acxiom (www.acxiom.com)
• Impersonating a trusted organization in an electronic communication (phishing)

• Stealing mail or dumpster diving
Consider this identity‑theft scheme in May 2020. With 40 million Americans filing for jobless
benefits as a result of the COVID‑19 pandemic, criminals targeted outdated computer systems
in some state unemployment offices. A Nigerian crime ring called Scattered Canary used stolen
password data and Social Security numbers to file false unemployment claims in Washington
and several other states.
The criminals stole approximately $650 million from Washington. When the state detected
the breach in June 2020, officials were able to recover $333 million of the money. The dam‑
age was so extensive that the state used its National Guard to examine nearly 200,000 claims
for fraud.
Recovering from identity theft is costly, time consuming, and burdensome. Victims also
report problems in obtaining credit and obtaining or holding a job, as well as adverse effects on
insurance or credit rates. Victims also state that it is often difficult to remove negative informa‑
tion from their records, such as their credit reports.
Compromises to Intellectual Property

Protecting intellectual property is a vital issue for people who make their livelihood in knowl‑
edge fields. Intellectual property is the property created by individuals or corporations that is
protected under trade secret, patent, and copyright laws.
A trade secret is an intellectual work, such as a business plan, that is a company secret
and is not based on public information. An example is the formula for Coca‑Cola. A patent is
an official document that grants the holder exclusive rights on an invention or a process for
a specified period of time. Copyright is a statutory grant that provides the creators or owners of
intellectual property with ownership of the property, also for a designated period. Current U.S.
laws award patents for 20 years and copyright protection for the life of the creator plus 70 years.
Owners are entitled to collect fees from anyone who wants to copy their creations. It is import‑
ant to note that these are definitions under U.S. law. There is some international standardiza‑
tion of copyrights and patents, but it is far from total. Therefore, there can be discrepancies
between U.S. law and other countries’ laws.
The most common intellectual property related to IT deals with software. In 1980, the
U.S. Congress amended the Copyright Act to include software. The amendment provides pro‑
tection for the source code and object code of computer software, but it does not clearly identify
what is eligible for protection. For example, copyright law does not protect fundamental con‑
cepts, functions, and general features such as pull‑down menus, colors, and icons. However,
copying a software program without making payment to the owner—including giving a disc to
a friend to install on his or her computer—is a copyright violation. Not surprisingly, this practice,
called piracy, is a major problem for software vendors. The BSA (www.bsa.org) Global Software
Piracy Study found that the commercial value of software theft totals billions of dollars per year.
Software Attacks
Software attacks have evolved from the early years of the computer era, when attackers used
malicious software—called malware—to infect as many computers worldwide as possible,
to the profit‑driven, Web‑based attacks of today. Modern cybercriminals use sophisticated,
blended malware attacks, typically through the Web, to make money.
Software attacks target all Internet‑connected devices, even smart televisions. As increas‑
ing numbers of Internet of Things devices (see Chapter 8) are installed, they provide billions of
new targets for cybercriminals to target. As a result, hackers could hold your connected home
or connected car hostage. There is even the potential that hackers could infect medical devices,
thereby putting lives directly at risk.
Table 4.2 displays a variety of software attacks. These attacks are grouped into three cate‑
gories: remote attacks requiring user action, remote attacks requiring no user action, and soft‑
ware attacks initiated by programmers during the development of a system.
TABLE 4.2 Types of Software Attacks
Type Description
Remote Attacks Requiring User Action
Virus Segment of computer code that performs malicious actions by attaching to
another computer program
Polymorphic virus Segment of computer code that modifies itself (i.e., changes its computer
code) to avoid detection by anti‑malware systems, while keeping its same
functionality
Worm Segment of computer code that performs malicious actions and will replicate,
or spread, by itself (without requiring another computer program)
Phishing attack Attacks that use deception to acquire sensitive personal information by
masquerading as official looking emails or instant messages
Spear phishing Phishing attacks target large groups of people. In spear phishing attacks, the
attack attackers find out as much information about an individual as possible to
improve their chances that phishing techniques will be successful and obtain
sensitive, personal information.
Whaling attack Attack that targets high‑value individuals such as senior executives in an
attempt to steal sensitive information from a company such as financial data or
personal details about employees
Remote Attacks Needing No User Action

Denial‑of‑service An attacker sends so many information requests to a target computer system
attack that the target cannot manage them successfully and typically ceases to
function (crashes).
Distributed An attacker first takes over many computers, typically by using malicious
denial‑of‑service software. These computers are called zombies or bots. The attacker uses these
attack bots—which form a botnet —to deliver a coordinated stream of information
requests to a target computer, causing it to crash.
Attacks by a Programmer Developing a System

Trojan horse Software programs that hide in other computer programs and reveal their
designed behavior only when they are activated
Back door Typically a password, known only to the attacker, that allows him or her to
access a computer system at will, without having to go through any security
procedures (also called a trap door)
Logic bomb A segment of computer code that is embedded within an organization’s

existing computer programs and is designed to activate and perform a
destructive action at a certain time or date
Not all cybercriminals are sophisticated, however. For example, a student at a U.S. uni‑
versity was sentenced to one year in prison for using keylogging software (discussed later in
this chapter) to steal 750 fellow students’ passwords and vote himself and four of his fraternity
brothers into the student government’s president and four vice president positions. The five
positions would have brought the students a combined $36,000 in stipends.
The student was caught when university security personnel noticed strange activity on the
campus network. Authorities identified the computer used in the activity from its IP address. On
this computer, which belonged to the student in question, authorities found a PowerPoint pre‑
sentation detailing the scheme. Authorities also found research on his computer, with queries
such as “how to rig an election” and “jail time for keylogger.”
Once the university caught on to the scheme, the student reportedly turned back to hack‑
ing to try to get himself out of trouble. He created new Facebook accounts in the names of
actual classmates, going as far as conducting fake conversations between the accounts to try to
deflect the blame. Those actions contributed to the one‑year prison sentence, which the judge
imposed even after the student pleaded guilty and requested probation.
Consider another example. In July 2019 the FBI and the bank Capital One ( www
.capitalone.com) announced a huge data breach. Data stolen in the breach included 106 million
credit card applications and compromised data such as names, addresses, phone numbers,
email addresses, dates of birth, 140,000 Social Security numbers, 80,000 bank account num‑
bers, and some credit scores. The breach affected over 100 million Americans and 6 million
Canadians. The bank stated that responding to the incident would cost between $100 million
and $150 million.
On July 17, 2019, an unidentified person notified Capital One that the data had been
posted on a GitHub account. The FBI examined the account and discovered the account owner’s
full name and résumé. Not only that, but the suspect posted about her actions on Slack
and Twitter. A search of her bedroom found “files and items” that referenced Capital One.
Authorities charged her with computer fraud and wire fraud.
Alien Software
Many personal computers have alien software, or pestware, running on them that the own‑
ers are unaware of. Alien software is clandestine software that is installed on your computer
through duplicitous methods. It typically is not as malicious as viruses, worms, or Trojan horses,
but it does use up valuable system resources. It can also enable other parties to track your Web
surfing habits and other personal behaviors.
The vast majority of pestware is adware—software that causes pop‑up advertisements to
appear on your screen. Adware is common because it works. According to advertising agencies,
for every 100 people who close a pop‑up ad, 3 click on it. This “hit rate” is extremely high for
Internet advertising.
Spyware is software that collects personal information about users without their consent.
Three common types of spyware are stalkerware, keystroke loggers, and screen scrapers.
Stalkerware is spyware used to monitor people close to the perpetrator. Victims typically
do not know the stalkerware is on their device unless they run an antivirus scan. Developers of
stalkerware market their apps as child safety or anti‑theft tools. However, these apps can easily
be used for the purpose of spying on a partner.
This software has powerful surveillance functions which include: keylogging; making
screenshots; monitoring Internet activity; recording location; recording video and phone calls;
and intercepting app communications made via Skype, Facebook, WhatsApp, and iMessage,
as well as others. Most stalkerware apps are not available on official app stores. Installation
does not necessarily require access to the victim’s device. Rather, a perpetrator can send the
intended victim an innocuous‑seeming download, such as a picture.
Keystroke loggers, also called keyloggers, record both your individual keystrokes and your
Web browsing history. The purposes range from criminal—for example, theft of passwords and
sensitive personal information such as credit card numbers—to annoying—for example, record‑
ing your Internet search history for targeted advertising.
Companies have attempted to counter keyloggers by switching to other forms of identify‑
ing users. For example, at some point all of us have been forced to look at wavy, distorted letters
and type them correctly into a box. That string of letters is called a CAPTCHA, and it is a test. The
point of CAPTCHA is that computers cannot (yet) accurately read those distorted letters. There‑
fore, the fact that you can transcribe them means that you are probably not a software program
run by an unauthorized person, such as a spammer. As a result, attackers have turned to screen
scrapers , or screen grabbers. This software records a continuous “movie” of a screen’s contents
rather than simply recording keystrokes.
Spamware is pestware that uses your computer as a launch pad for spammers. Spam
is unsolicited e‑mail, usually advertising for products and services. When your computer is
infected with spamware, e‑mails from spammers are sent to everyone in your e‑mail address
book, but they appear to come from you.
Not only is spam a nuisance, but it wastes time and money. Spam costs U.S. companies
billions of dollars every year. These costs arise from productivity losses, clogged email systems,
additional storage, user support, and antispam software. Spam can also carry viruses and
worms, making it even more dangerous.
A new tool from DoNotPay (www.donotpay.com) offers help in unsubscribing from email
lists. To use most subscription management tools, such as Unroll.me, you have to grant the
service access to your email account, so that it can analyze your messages.
DoNotpay’s antispam service works differently. You just forward your spam emails to
spam@donotpay.com and a bot (software robot) will automatically unsubscribe you from that
mailing list. In that way, DoNotPay does not need access to your account and only sees emails
that you want it to manage.
Going further, DoNotPay will check if there is currently a class action settlement against
the organization that sent you the email. If there is, you can instruct DoNotPay to automatically
claim any compensation for which you are eligible on your behalf. If your claim is successful,
you will receive payment. DoNotPay is not involved in the payment transaction.
Cookies are small amounts of information that websites store on your computer, tem‑
porarily or more or less permanently. In many cases, cookies are useful and innocuous. For
example, some cookies are passwords and user IDs that you do not want to retype every time
you access the website that issued the cookie. Cookies are also necessary for online shopping
because merchants use them for your shopping carts.
Tracking cookies, however, can be used to track your path through a website, the time
you spend there, what links you click on, and other details that the company wants to record,
usually for marketing purposes. Tracking cookies can also combine this information with your
name, purchases, credit card information, and other personal data to develop an intrusive pro‑
file of your spending habits.
Most cookies can be read only by the party that created them. However, some companies
that manage online banner advertising are, in essence, cookie‑sharing rings. These companies
can track information such as which pages you load and which ads you click on. They then
share this information with their client websites, which may number in the thousands.
Supervisory Control and Data Acquisition (SCADA) Attacks

SCADA refers to a large‑scale distributed measurement and control system. SCADA systems
are used to monitor or to control chemical, physical, and transport processes such as those
used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear
power plants. Essentially, SCADA systems provide a link between the physical world and the
electronic world.
SCADA systems consist of multiple sensors, a master computer, and communications infra‑
structure. The sensors connect to physical equipment. They read status data such as the open/
closed status of a switch or a valve, as well as measurements such as pressure, flow, voltage,
and current. They control the equipment by sending signals to it, such as opening or closing
a switch or a valve or setting the speed of a pump. The sensors are connected in a network, and
each sensor typically has an Internet address (Internet Protocol, or IP, address, discussed in
Chapter 6). If attackers gain access to the network, then they can cause serious damage, such
as disrupting the power grid over a large area or upsetting the operations of a large chemical
or nuclear plant. Such actions could have catastrophic results. Consider these examples in May
and June 2020.
• China requires foreign companies to choose between several tax‑reporting software pack‑
ages. Security analysts discovered that the most widely used package contained a back‑
door that could allow malicious actors to conduct network reconnaissance or attempt to
take remote control of company systems.
• North Korean state hackers sent COVID‑19–themed phishing emails to more than 5 million
businesses and individuals in Singapore, Japan, the United States, South Korea, India, and
the UK in an attempt to steal personal and financial data.
• North Korean state hackers compromised one of India’s nuclear power plants. The Nuclear
Power Corporation of India stated that the malware only infected the plant’s administra‑
tive network but did not reach its internal network, which controls the plant’s nuclear
reactors.
• Security experts discovered bugs placed by Iranian state hackers in a large number of
enterprise virtual private network servers, including those sold by Pulse Secure (www
.pulsesecure.net), Palo Alto Networks (www.paloaltonetworks.com), Fortinet (www
.fortinet.com), and Citrix (www.citrix.com). The bugs are designed to plant backdoors in
companies around the world.
• Japan’s defense ministry announced it was investigating a large‑scale cyber attack against
Mitsubishi Electric ( www.mitsubishielectric.com) that could have compromised details
of new state‑of‑the‑art missile designs.
• Israeli hackers disrupted operations at an Iranian port for several days, causing massive
backups and delays. Officials characterized the attack as a retaliation against a failed Ira‑
nian hack in April targeting the command and control systems of Israeli water distribution
systems.
Cyberterrorism and Cyberwarfare

Cyberterrorism and cyberwarfare refer to malicious acts in which attackers use a target’s
computer systems, particularly through the Internet, to cause physical, real‑world harm or
severe disruption, often to carry out a political agenda. These actions range from gathering
data to attacking critical infrastructure; for example, through SCADA systems. We treat the two
types of attacks as synonymous here, even though cyberterrorism is typically carried out by
individuals or groups, whereas cyberwarfare is carried out by nation‑states or non‑state actors
such as terrorists.
Before you go on…

1. Why has the theft of computing devices become more serious over time?
2. What are the three types of software attacks?
3. Define alien software and explain why it is a serious problem.
4. What is a SCADA system? Why can attacks against SCADA systems have catastrophic consequences?
4.4What Organizations Are Doing

to Protect Information Resources
Author Lecture Videos are Why is stopping cybercriminals such a challenge? Table 4.3 illustrates the many major difficul‑
available exclusively in ties involved in protecting information. Because organizing an appropriate defense system is so
WileyPLUS. important to the entire enterprise, it is one of the major responsibilities of any prudent CIO as
Apply the Concept activities well as of the functional managers who control information resources. In fact, IT security is the
are available in the Appendix business of everyone in an organization.
and in WileyPLUS. In addition to the problems listed in Table 4.3, another reason why information resources
are difficult to protect is that the online commerce industry is not particularly willing to install
safeguards that would make completing transactions more difficult or complicated. As one
example, merchants could demand passwords or personal identification numbers for all credit
card transactions. However, these requirements might discourage people from shopping
online. For credit card companies, it is cheaper to block a stolen credit card and move on than
to invest time and money prosecuting cybercriminals.
The final reason why information resources are difficult to protect is that it is extremely
difficult to catch perpetrators. However, it is possible to catch attackers, albeit with great effort,
time, and expense, as this chapter’s closing case illustrates.
Organizations spend a great deal of time and money protecting their information resources.
Before doing so, they perform risk management.
What Organizations Are Doing to Protect Information Resources 109
TABLE 4.3 Difficulties in Protecting Information Resources
Hundreds of potential threats exist.

Computing resources may be situated in many locations.
Many individuals control or have access to information assets.
Computer networks can be located outside the organization, making them difficult to protect.
Rapid technological changes make some controls obsolete as soon as they are installed.
Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
People tend to violate security procedures because the procedures are inconvenient.
The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a
matter of fact, a potential criminal can learn hacking, free, from the Internet.
The costs of preventing hazards can be very high. Therefore, most organizations simply cannot afford
to protect themselves against all possible hazards.
It is difficult to conduct a cost‑benefit justification for controls before an attack occurs because it is
difficult to assess the impact of a hypothetical attack.
A risk is the probability that a threat will impact an information resource. The goal of risk
management is to identify, control, and minimize the impact of threats. In other words, risk
management seeks to reduce risk to acceptable levels.
FIN The Enterprise Risk Management (ERM) framework guides risk management in the
enterprise. ERM is a risk‑based approach to managing an enterprise that integrates internal con‑
trol, the Sarbanes–Oxley Act mandates, and strategic planning. ERM consists of several steps:
• Determine the relationship of risk to organizational goals.

• Differentiate between risks and opportunities.
• Assess risk, which involves three steps: (1) assess the value of each asset being protected,
(2) estimate the probability that each asset will be compromised, and (3) compare the
probable costs of the asset’s being compromised with the costs of protecting that asset.
The organization then considers how to mitigate the risk.
Risk mitigation has two functions: (1) implementing controls to prevent identified
threats from occurring, and (2) developing a means of recovery if the threat becomes a
reality. The three most common risk mitigation strategies are:
Risk acceptance: Accept the potential risk, continue operating with no controls, and
absorb any damages that occur.
Risk transference: Transfer the risk by using other means to compensate for the loss,
such as by purchasing insurance.
Risk limitation: Limit the risk by implementing controls that minimize the impact of
the threat.
• Implement controls.
• Evaluate the controls. Examine the costs of implementing adequate control measures
against the value of those control measures. If the costs of implementing a control are
greater than the value of the asset being protected, the control is not cost effective. Organi‑
zations evaluate controls through information systems auditing.
Companies implement security controls to ensure that information systems function
properly. These controls can be installed in the original system, or they can be added after
a system is in operation. Installing controls is necessary but not sufficient to provide ade‑
quate security. People who are also responsible for security need to answer questions such
as: Are all controls installed as intended? Are they effective? Has any breach of security
occurred? If so, what actions are required to prevent future breaches?
These questions must be answered by independent and unbiased observers. Such
observers perform the task of information systems auditing. In an IS environment, an audit
is an examination of information systems, their inputs, outputs, and processing.
Created by the International Systems Audit and Control Association (ISACA; www.isaca
.org), COBIT 5 provides a framework for IT security and IT auditing. The framework’s intent is
to align IT with business objectives and manage risk. The COBIT 5 framework is based on five
principles, the first three of which apply most directly to security issues.
1. Meeting stakeholder needs: A system should be in place that addresses enterprise infor‑
mation security requirements. The system should include metrics for the number of clearly
defined key security roles and the number of security‑related incidents reported.
2. Covering the enterprise end‑to‑end: A security plan should be accepted and communicated
throughout the organization. This process includes the level of stakeholder satisfaction
with the plan, the number of security solutions that are different from those in the plan,
and the number of security solutions deviating from the enterprise security architecture
that can lead to security gaps and possibly increase the time needed to resolve security or
compliance issues.
3. Applying a single, integrated framework: Information security solutions are implemented
throughout the organization. The solutions include the number of services and solutions
that align with the security plan and security incidents caused by noncompliance with the
security plan.
4. Enabling a holistic approach
5. Separating governance from management
Before you go on…

1. Identify and discuss several reasons why it is difficult to protect information resources.
2. Compare and contrast risk management and risk analysis.
4.5 Information Security Controls

Author Lecture Videos are To protect their information assets, organizations implement controls, or defense mechanisms
available exclusively in (also called countermeasures). These controls are designed to protect all of the components of
WileyPLUS. an information system, including data, software, hardware, and networks. Because there are so
Apply the Concept activities many diverse threats, organizations use layers of controls, or defense‑in‑depth.
are available in the Appendix Controls are intended to prevent accidental hazards, deter intentional acts, detect prob‑
and in WileyPLUS. lems as early as possible, enhance damage recovery, and correct problems. Before you study
controls in more detail, it is important to emphasize that the single most valuable control is user
education and training. Effective and ongoing education makes every member of the organiza‑
tion aware of the vital importance of information security.
In this section, you will learn about three major types of controls: physical controls, access
controls, and communications controls. Figure 4.2 illustrates these controls. In addition to
applying controls, organizations plan for business continuity in case of a disaster, and they peri‑
odically audit their information resources to detect possible threats. You will study these topics
in this section as well.
Physical Controls
Physical controls prevent unauthorized individuals from gaining access to a company’s
facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards,
and alarm systems. More sophisticated physical controls include pressure sensors, tempera‑
ture sensors, and motion detectors. One shortcoming of physical controls is that they can be
inconvenient to employees.
Information Security Controls 111
PHYSICAL CONTROLS
ACCESS CONTROLS
Authentication
Access password
Personal ID
Employee Employee or pORATE LAN

or attacker in
attacker guard biometric) office
, Firewall
Internet
ID System Denial-of-service protection

Encryption Intrusion detection system
Access password Anti-malware software
ACCESS COMMUNICATIONS
CONTROLS CONTROLS
FIGURE 4.2 Where defense mechanisms are located.
Guards deserve special mention because they have very difficult jobs, for at least two rea¬
sons. First, their jobs are boring and repetitive and generally do not pay welt. Second, if guards
perform their jobs thoroughly, the other employees may harass them, particularly if they slow
up the process of entering the facility.
Organizations also implement physical security measures that limit computer users to
acceptable login times and locations. These controls also limit the number of unsuccessful
login attempts, and they require all employees to logoff their computers when they leave for
the day. They also set the employees’ computers to automatically log offthe user after a certain
period of disuse.
A basic security strategy for organizations is to be prepared for any eventuality. A crit¬
ical element in any security system is a business continuity plan, also known as a disaster
recovery plan.
Business continuity is the chain of events linking planning to protection and to recov¬
ery. The purpose of the business continuity plan is to provide guidance to people who keep
the business operating after a disaster occurs. Employees use this plan to prepare for, respond
to, and recover from events that affect the security of information assets. The objective is to
restore the business to normal operationsas quickly as possible following an attack. The plan is
intended to ensure that critical business functions continue.
In the event of a major disaster, organizations can employ several strategies for business
continuity. These strategies include hot sites, warm sites, and cold sites. A hot site is a fully con¬
figured computerfacility with all of the company’s services, communications links, and physical
plant operations. A hot site duplicates computing resources, peripherals, telephone systems,
applications, and workstations. A warm site provides many of the same servicesand options as
the hot site. However, it typically does not include the actual applications the company needs.
A warm site includes computing equipment such as servers, but it often does not include user
workstations. A cold site provides only rudimentary services and facilities, such as a building or
a room with heating, air conditioning, and humidity control. This type of site provides no com‑
puter hardware or user workstations.
Hot sites reduce risk to the greatest extent, but they are the most expensive option. Con‑
versely, cold sites reduce risk the least, but they are the least expensive option.
Access Controls
Access controls restrict unauthorized individuals from using information resources. These con‑
trols involve two major functions: authentication and authorization. Authentication confirms
the identity of the person requiring access. After the person is authenticated (identified), the
next step is authorization. Authorization determines which actions, rights, or privileges the
person has, based on his or her verified identity. Let’s examine these functions more closely.
Authentication. To authenticate (identify) authorized personnel, an organization can

use one or more of the following methods: something the user is, something the user has,
something the user does, or something the user knows.
Something the user is , also known as biometrics, is an authentication method that exam‑
ines a person’s innate physical characteristics. There are many different types of biometrics,
which include fingerprint scanning, retinal scanning, iris scanning, analysis of heartbeats and
body temperature, voice recognition, and facial recognition. Let’s look at examples of how orga‑
nizations use biometrics for authentication.
• POM Your voice changes as you age, becoming a little rougher each year. Nuance Com‑
munications Gatekeeper (www.nuance.com), a voice biometrics tool, analyzes the caller’s
voice “roughness” and other “micro‑characteristics” that humans cannot hear to confirm
that an older person is calling. Nuance customer Telefonica (www.telefonica.com) uses
the tool to help with increased contact center volume during the COVID‑19 pandemic.
When the tool identifies an older person, the company routes them to priority customer
service with shorter wait times and protocols to prevent fraudulent account takeover.
• FIN At Barclays Bank ( www.barclays.co.uk), over 65 percent of calls are now handled
by voice recognition, providing enrolled customers much faster, easier access to account
services. Rather than spending five minutes providing passwords, PINs, and answering
security questions, Barclays’ customers spend just 20 seconds verifying their identities
with voice recognition.
• FIN Security personnel were watching activity in a bank branch. Biometric sensors had
detected unusual heartbeats and body heat patterns from new customers who had entered
to open an account. It turns out that those “customers” had entered the United States days
before as human cargo on a ship from another country. A criminal gang was using them to
orchestrate financial fraud. The sensors had detected telltale signs of stress, alerting bank
personnel to the attempted fraud.
Note that some applications of facial recognition increase security where others can lead to
increased surveillance by governments with subsequent loss of personal privacy. (See IT’s
About Business 3.2, IT’s About Business 3.3, and IT’s About Business 4.3).
Something the user has is an authentication mechanism that includes regular identification
(ID) cards, smart ID cards, and tokens. Regular ID cards , or dumb cards, typically have the per‑
son’s picture and often his or her signature. Smart ID cards have an embedded chip that stores
pertinent information about the user. (Smart ID cards used for identification differ from smart
cards used in electronic commerce, which you learn about in Chapter 7. Both types of card have
embedded chips, but they are used for different purposes.) Tokens have embedded chips and
a digital display that presents a login number that the employees use to access the organiza‑
tion’s network. The number changes with each login.
Something the user does is an authentication mechanism that includes voice and signature
recognition. In voice recognition, the user speaks a phrase—for example, his or her name and
department—that has previously been recorded under controlled conditions. The voice recog‑
nition system matches the two voice signals. In signature recognition, the user signs his or her
name, and the system matches this signature with one previously recorded under controlled,

MIS A Facial Recognition Failure that a second witness had been at the store during the incident
but had not been asked to look at a photo lineup. The spokesper‑
In January 2020 Robert Williams was arrested by officers of the son continued that if the individual made an identification in the
Detroit Police Department. The officers charged Williams with steal‑ future, then the prosecutor’s office would decide whether to issue
ing $3,800 in watches from a store called Shinola 15 months earlier. charges again.
Williams had an alibi, and he denied the charges. Shortly after the prosecutor made these statements, the
The police took Williams to a detention center, where they American Civil Liberties Union (ACLU; www.aclu.org) of Michigan
took his his mug shot, fingerprints, and DNA. They held him for filed a complaint with the city, requesting an absolute dismissal
30 hours before he was released on a $1,000 personal bond. of the case, an apology, and the removal of Williams’s information
The next day, the police showed Williams an image from a sur‑ from Detroit’s criminal databases. In response to the complaint
veillance video taken in the store. The image was of a heavyset man and the case’s publicity, the Wayne County prosecutor’s office
dressed in black and wearing a red St. Louis Cardinals cap stand‑ announced that Williams could have both the case and his finger‑
ing in front of a watch display. Williams denied that the image was print data expunged. The prosecutor stated, “We apologize. This
of him. does not in any way make up for the hours that Mr. Williams spent
Here is how the process played out. The shoplifting inci‑ in jail.”
dent occurred in October 2018. A loss‑prevention contractor for Williams’s case is the first known instance of mistaken charges
the store reviewed the surveillance video and sent a copy to the filed as a result of facial recognition software. His case became even
Detroit police. The following March a digital image examiner for the more noteworthy when in June 2020 Detroit’s police chief admitted
Michigan State Police uploaded a “probe image”—a still image from that facial recognition technology used by the department mis‑
the video, showing the man in the Cardinals cap—to the state’s identifies suspects about 96 percent of the time.
facial recognition database. The system would have mapped the
man’s face and searched for similar ones among 49 million photos. Sources: Compiled from T. Lee, “Detroit Police Chief Cops to 96‑Percent
A company called DataWorks Plus (www.dataworksplus.com) Facial Recognition Error Rate,” Ars Technica, June 30, 2020; S. Ovide,
provides the facial recognition technology for the state. The soft‑ “When the Police Think Software Is Magic,” The New York Times, June
ware incorporates components developed by NEC (www.necam 25, 2020; “Man Wrongfully Arrested Because Face Recognition Can’t
.com) and Rank One Computing (www.rankone.io). In 2019 the Tell Black People Apart,” ACLU , June 24, 2020; S. Fussell, “A Flawed
federal government conducted a study of more than 100 facial rec‑ Facial‑Recognition System Sent this Man to Jail,” Wired, June 24,
ognition systems including algorithms from both companies. The 2020; B. Allyn, “‘The Computer Got It Wrong’: How Facial Recognition
study found that facial recognition systems in general were biased, Led to False Arrest of Black Man,” NPR, June 24, 2020; K. Hill, “Wrong‑
fully Accused by an Algorithm,” The New York Times , June 24, 2020;
falsely identifying African‑American and Asian‑American faces 10 to
S. Ovide, “A Case for Banning Facial Recognition,” The New York Times,
100 times more often than Caucasian faces.
June 9, 2020; P. Grother, M. Ngan, and K. Hanaoka, “Face Recognition
After the digital image examiner ran her search of the probe Vendor Test,” National Institute of Standards and Technology , Decem‑
image, the state system would have provided a row of images gen‑ ber 2019; T. Simonite, “The Best Algorithms Struggle to Recognize
erated by NEC and a row from Rank One, along with confidence Black Faces Equally,” Wired , July 22, 2019; A. Harmon, “As Cameras
scores for each image. A confidence score is the probability that Track Detroit’s Residents, a Debate Ensues over Racial Bias,” The
the man’s image from the store video matched an image from the New York Times , July 8, 2019; “London’s Police’s Face Recognition
photos in the police database. Williams’s driver’s license photo was System Gets It Wrong 81% of the Time,” MIT Technology Review, July 4,
among the matches. The examiner sent this photo to the Detroit 2019; S. Levin, “Half of US Adults Are Recorded in Police Facial Recog‑
police as an “Investigative Lead Report.” The police file states, “This nition Databases, Study Says,” The Guardian , October 18, 2016.
document is not a positive identification. It is an investigative lead Questions
only, and it is not probable cause for arrest.”
1. Was the mistaken arrest of Mr. Williams the fault of the facial
After receiving the “match,” investigators looked for evidence
recognition technology itself, the process in which the tech‑
that would corroborate the case against Williams. Reporters noted
nology was employed, the police investigation itself, or
that the police did not check Williams’s phone for location data.
some combination of all three? Support your answer with
They also failed to check whether Williams had an alibi or if he
specific examples.
owned the clothing that the suspect was wearing. Instead, the
police asked the loss‑prevention contractor, who was not in the 2. Given that we badly need to replace user authentication
store at the time of the incident, if Williams was the man in with username and password credentials, are you comfort‑
the surveillance footage. She identified him, which prompted able having facial recognition technology used to authenti‑
the arrest. cate you? (For example, using facial recognition to unlock
Two weeks after Williams’s arrest, the prosecutor moved to your iPhone.) Why or why not?
dismiss the charges, but “without prejudice,” meaning that Williams 3. Refer to Chapter 14. How do we remove bias from facial rec‑
could be charged again. A spokesperson for the prosecutor revealed ognition technology algorithms?
monitored conditions. Signature recognition systems also match the speed and the pressure of
the signature.
Something the user knows is an authentication mechanism that includes passwords and
passphrases. Passwords present a huge information security problem in all organizations.
Most of us have to remember numerous passwords for different online services, and we typi‑
cally must choose complicated strings of characters to make them harder to guess. Passwords
must effectively manage the tradeoff between convenience and security. For example, if pass‑
words are 50 characters in length and include special symbols, they might keep your computer
and its files safe, but they would be impossible to remember.
We have all bought into the idea that a password is sufficient to protect our data, as long as
it is sufficiently elaborate. In reality, however, passwords by themselves can no longer protect
us, regardless of how unique or complex we make them. In fact, security experts refer to pass‑
words and PINs as a “double fail.” First, they are easily stolen or hacked and easily forgotten.
Second, they provide very poor security and a terrible customer experience at the same time.
Attackers employ a number of strategies to obtain our passwords, no matter how strong
they are. They can guess them, steal them (with phishing or spear phishing attacks), crack them
using brute force computation, or obtain them online. ( Brute force password cracking means
that a computer system tries all possible combinations of characters until a password is discov‑
ered.) Given these problems with passwords, what are users and businesses supposed to do?
To identify authorized users more efficiently and effectively, organizations are implement‑
ing more than one type of authentication, a strategy known as multifactor authentication. This
system is particularly important when users log in from remote locations.
Single‑factor authentication, which is notoriously weak, commonly consists simply
of a password. Two‑factor authentication consists of a password plus one type of biometric
identification, such as a fingerprint. Three‑factor authentication is any combination of three
authentication methods.
Multifactor authentication is useful for several reasons. For example, voice recognition is
effective when a user calls from an office but is less optimal when calling from a crowded sub‑
way or busy street. Similarly, fingerprint and iris scanners are effective when users are not busy
with other tasks, but less than optimal when users are driving.
Multifactor authentication enables increasingly powerful security processes. For exam‑
ple, a quick fingerprint scan in a mobile banking app could enable a customer to access their
account balance or perform other low‑level functions. However, a request to transfer money,
pay bills, or apply for a line of credit would trigger a request for voice or iris recognition. In most
cases, the more factors the system uses, the more reliable it is. However, stronger authentica‑
tion is also more expensive, and, as with strong passwords, it can be irritating to users.
Several initiatives are under way to improve the authentication process under the aus‑
pices of the Fast Identity Online (FIDO) alliance (https://fidoalliance.org). FIDO is an industry
consortium that was created to address the inability of strong authentication devices to work
together and the problems that users face in creating and remembering multiple usernames
and passwords.
The concept underlying FIDO is that identifiers such as a person’s fingerprint, iris scan, and
the unique identifier of any USB device or contactless ring will not be sent over the Internet.
Rather, they will be checked locally. The only data that will be transferred over the Internet are
cryptographic keys that cannot be reverse‑engineered to steal a person’s identity. Let’s con‑
sider Google’s Trust API.
Google has announced a new way of securing Android apps called Trust API. Rather than
using standard passwords, Trust API uses biometrics such as facial recognition, your typing pat‑
tern, and even how you walk to help determine that you are who you say you are. Each metric
contributes to an overall “trust score” that will let you unlock your apps. The program will run
in the background of an Android phone, using the phone’s sensors to continuously monitor the
user’s behavior. If the trust score falls below a certain threshold, then a user might be prompted
to provide additional authentication.
If you must use passwords, make them strong passwords, which are more difficult for
hackers to discover. However, most of the standards that we use to determine the strength
of passwords are wrong, according to Bill Burr, a former employee of the National Institute
of Standards and Technology (NIST) and the man responsible for originally publishing the
standards.
Burr asserted that long, easy-to-remember passphrases were the most valuable. A
passphrase is a series of characters that is longer than a password but is still easy to memorize.
Examples of passphrases are “maytheforcebewithyoualways” and “thisisasgoodasitgets.”
In place of passwords and passphrases, security experts recommend the use of password
managers. Password managers are software packages that provide users with the capability
to generate unique, long, complex, easily changed passwords for their online accounts. These
packages also offer the secure, encrypted storage of these passwords in either a local or cloud¬
based password vault. Users must provide a single master password to access the vault. By
using a password manager, users do not have to memorize different passwords for all their
online accounts.
However, if hackers access the password to the vault, then they have access to all the
user’s accounts. Therefore, many password managers provide two-factor authentication for
additional security.
Authorization. After users have been properly authenticated, the rights and privileges
to which they are entitled on the organization's systems are established in a process called
authorization. A privilege is a collection of related computer system operations that a user is
authorized to perform. Companies typically base authorization policieson the principle of least
privilege, which posits that users be granted the privilege for an activity only if there is a justifi¬
able need for them to perform that activity.
Communications Controls
Communications controls (also called network controls) secure the movement of data across
networks. Communications controls consist of firewalls, anti-malware systems, whitelisting
and blacklisting, encryption, virtual private networks (VPNs), transport layer security (TLS), and
employee monitoring systems.
Firewalls. Afirewall is a system that prevents a specific type of information from moving
between untrusted networks, such as the Internet, and private networks, such as your compa¬
ny’s network. Put simply, firewalls prevent unauthorized Internet users from accessing private
networks. All messages entering or leaving your company’s network pass through a firewall.
The firewall examines each message and blocks those that do not meet specified security rules.
Firewalls range from simple, for home use, to very complex for organizational use.
Figure 4.3(a) illustrates a basic firewall for a home computer. In this case, the firewall is imple¬
mented as software on the home computer. Figure 4.3(b) shows an organization that has
implemented an external firewall, which faces the Internet, and an internal firewall, which
FIGURE 4.3 (a) Basic firewall

fora home computer, (b) Orga¬
nization with two firewalls and
a demilitarized zone.
faces the company network. Corporate firewalls typically consist of software running on a com‑
puter dedicated to the task. A demilitarized zone (DMZ) is located between the two firewalls.
Messages from the Internet must first pass through the external firewall. If they conform to the
defined security rules, they are then sent to company servers located in the DMZ. These servers
typically handle web page requests and e‑mail. Any messages designated for the company’s
internal network—for example, its intranet—must pass through the internal firewall, again with
its own defined security rules, to gain access to the company’s private network.
The danger from viruses and worms is so severe that many organizations are placing fire‑
walls at strategic points inside their private networks. In this way, if a virus or worm does get
through both the external and internal firewalls, then the internal damage may be contained.
Anti‑malware Systems. Anti‑malware systems, also called antivirus or AV, soft‑

ware, are software packages that attempt to identify and eliminate viruses and worms, and
other malicious software. AV software is implemented at the organizational level by the IS
department. Hundreds of AV software packages are currently available. Among the best known
are Norton AntiVirus (www.broadcom.com), McAfee VirusScan (www.mcafee.com), and Trend
Micro Maximum Security ( www.trendmicro.com).
Anti‑malware systems are generally reactive. Whereas firewalls filter network traffic
according to categories of activities that are likely to cause problems, anti‑malware systems
filter traffic according to a database of specific problems. These systems create definitions, or
signatures, of various types of malware and then update these signatures in their products.
The anti‑malware software then examines suspicious computer code to determine whether it
matches a known signature. If the software identifies a match, then it removes the code. For this
reason, organizations regularly update their malware definitions.
Because malware is such a serious problem, the leading vendors are rapidly developing
anti‑malware systems that function proactively as well as reactively. These systems evaluate
behavior rather than relying entirely on signature matching. In theory, therefore, it is possible
to catch malware before it can infect systems.
It is important to note that organizations must not rely only on anti‑malware systems. The
reason is that new types of malware are appearing too rapidly for such systems to keep pace.
Therefore, multifactor authentication is critically important.
Whitelisting and Blacklisting. A report by the Yankee Group ( www.451research

.com), a technology research and consulting firm, stated that 99 percent of organizations had
installed anti‑malware systems, but 62 percent still suffered malware attacks. As we have seen,
anti‑malware systems are usually reactive, and malware continues to infect companies.
One solution to this problem is whitelisting. Whitelisting is a process in which a company
identifies the software that it will allow to run on its computers. Whitelisting permits acceptable
software to run, and it either prevents any other software from running or lets new software run
only in a quarantined environment until the company can verify its validity.
Whereas whitelisting allows nothing to run unless it is on the whitelist, blacklisting allows
everything to run unless it is on the blacklist. A blacklist, then, includes certain types of software
that are not allowed to run in the company environment. For example, a company might black‑
list peer‑to‑peer file sharing on its systems. Besides software, people, devices, and websites can
also be whitelisted and blacklisted.
Encryption. Organizations that do not have a secure channel for sending information
use encryption to stop unauthorized eavesdroppers. Encryption is the process of converting
an original message into a form that cannot be read by anyone except the intended receiver.
All encryption systems use a key, which is the code that scrambles and then decodes
the messages. The majority of encryption systems use public‑key encryption. Public‑key
encryption—also known as asymmetric encryption—uses two different keys: a public key and
a private key (see Figure 4.4). The public key (locking key) and the private key (the unlocking
key) are created simultaneously using the same mathematical formula or algorithm. Because
the two keys are mathematically related, the data encrypted with one key can be decrypted by
using the other key. The public key is publicly available in a directory that all parties can access.
The private key is kept secret, never shared with anyone, and never sent across the Internet.
In this system, if Hannah wants to send a message to Harrison, she first obtains Harrison’s public
Locking key
1 Hannah wants to send Harrison an encrypted
message. Hannah has the message. Harrison
Unlocking key
has a "two‑lock box" (encryption method) and
both a locking key and an unlocking key.
Message
LOCK UNLOCK
Harrison sends Hannah the

Locking key "two‑lock box" with the "locking key." 2
He keeps the unlocking key to himself.
Unlocking key
LOCK UNLOCK
Message
3 4
Locking key Unlocking key

LOCK UNLOCK
Hannah puts her message in the box and locks
the box with her "lock" key. She then sends the message to
Harrison. Only he can open it with his "unlocking" key.
FIGURE 4.4 How public‑key encryption works.
key (locking key), which she uses to encrypt her message (put the message in the “two‑lock
box”). When Harrison receives Hannah’s message, he uses his private key to decrypt it (open
the box).
Although this arrangement is adequate for personal information, organizations that con‑
duct business over the Internet require a more complex system. In these cases, a third party,
called a certificate authority, acts as a trusted intermediary between the companies. The cer‑
tificate authority issues digital certificates and verifies the integrity of the certificates. A digital
certificate is an electronic document attached to a file that certifies that the file is from the
organization it claims to be from and has not been modified from its original format. As you
can see in Figure 4.5, Sony requests a digital certificate from VeriSign, a certificate authority,
and it uses this certificate when it conducts business with Dell. Note that the digital certif‑
icate contains an identification number, the issuer, validity dates, and the requester’s public
key. For examples of certificate authorities, see www.entrust.com, www.verisign.com, www
.cybertrust.com, www.secude.com, and www.thawte.com.
Virtual Private Networking. A virtual private network (VPN) is a private network

that uses a public network (usually the Internet) to connect users. VPNs essentially integrate
the global connectivity of the Internet with the security of a private network and thereby extend
the reach of the organization’s networks. VPNs are called virtual because they have no sepa‑
rate physical existence. They use the public Internet as their infrastructure. They are created by
using logins, encryption, and other techniques to enhance the user’s privacy, which we defined
in Chapter 3 as the right to be left alone and to be free of unreasonable personal intrusion.
VPNs have several advantages. First, they allow remote users to access the company net‑
work. Second, they provide flexibility. That is, mobile users can access the organization’s net‑
work from properly configured remote devices. Third, organizations can impose their security
policies through VPNs. For example, an organization may dictate that only corporate e‑mail
applications are available to users when they connect from unmanaged devices.
To provide secure transmissions, VPNs use a process called tunneling. Tunneling encrypts
each data packet to be sent and places each encrypted packet inside another packet. In this
FIGURE 4.5 How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for
authentication.
manner, the packet can travel across the Internet with confidentiality, authentication, and
integrity. Figure 4.6 illustrates a VPN and tunneling.
Transport Layer Security. Transport layer security (TLS), formerly called secure
socket layer (SSL), is an encryption standard used for secure transactions such as credit card
purchases and online banking. TLS encrypts and decrypts data between a Web server and
a browser end to end.
TLS is indicated by a URL that begins with “https” rather than “http,” and it often displays
a small padlock icon in the browser’s status bar. Using a padlock icon to indicate a secure con¬
nection and placing this icon in a browser’s status bar are artifacts of specific browsers. Other
browsers use different icons; for example, a key that is either broken or whole. The important
thing to remember is that browsers usually provide visual confirmation of a secure connection.
HRM Employee Monitoring Systems. Many companies are taking a proactive

approach to protecting their networks against what they view as one of their major security
threats, namely, employee mistakes. These companies are implementing employee moni¬
toring systems, which scrutinize their employees’ computers, e-mail activities, and Internet
INTERNET
Tunnel
Your Your
organization's business partner's
intranet intranet
FIGURE 4.6 Virtual private network and tunneling.

surfing activities. These products are useful to identify employees who spend too much time
surfing on the Internet for personal reasons, who visit questionable websites, or who download
music illegally. Vendors that provide monitoring software include Veriato ( www.veriato.com)
and Forcepoint (www.forcepoint.com).
Before you go on…

1. What is the single most important information security control for organizations?
2. Differentiate between authentication and authorization. Which of these processes is always per‑
formed first?
3. Compare and contrast whitelisting and blacklisting.
4. What is the purpose of a disaster recovery plan?
What’s in IT for me?

ACCT For the Accounting Major angry. It can also lead to lawsuits, and it could cause companies to
lose customers to competitors. CRM operations and tracking cus‑
Public companies, their accountants, and their auditors have sig‑ tomers’ online buying habits can expose data to misuse (if they are
nificant information security responsibilities. Accountants are now not encrypted) or result in privacy violations.
being held professionally responsible for reducing risk, assuring
compliance, eliminating fraud, and increasing the transparency of POM For the Production/Operations
transactions according to Generally Accepted Accounting Principles
(GAAP). The SEC and the Public Company Accounting Oversight Management Major
Board (PCAOB), among other regulatory agencies, require infor‑ Every process in a company’s operations—inventory purchas‑
mation security, fraud prevention and detection, and internal con‑ ing, receiving, quality control, production, and shipping—can be
trols over financial reporting. Forensic accounting, a combination disrupted by an IT security breach either in the company or at a
of accounting and information security, is one of the most rapidly business partner. Any weak link in supply chain management or
growing areas in accounting today. enterprise resource management systems puts the entire chain
at risk. Companies may be held liable for IT security failures that
FIN For the Finance Major impact other companies.
Because information security is essential to the success of organiza‑ HRM For the Human Resource Management
tions today, it is no longer the concern only of the CIO. As a result of
global regulatory requirements and the passage of the Sarbanes– Major
Oxley Act, responsibility for information security also lies with HR managers have responsibilities to secure confidential employee
the CEO and CFO. Consequently, all aspects of the security audit, data. They must also ensure that all employees explicitly verify that
including the security of information and information systems, are they understand the company’s information security policies and
a key concern for financial managers. procedures.
CFOs and treasurers are also increasingly involved with invest‑
ments in information technology. They know that a security breach MIS For the MIS Major
of any kind can have devastating financial effects on a company.
Banking and financial institutions are prime targets for computer The MIS function provides the security infrastructure that protects
criminals. A related problem is fraud involving stocks and bonds the organization’s information assets. This function is critical to the
that are sold over the Internet. Finance personnel must be aware of success of the organization, even though it is almost invisible until
both the hazards and the available controls associated with these an attack succeeds. All application development, network deploy‑
activities. ment, and introduction of new information technologies have to
be guided by IT security considerations. MIS personnel must cus‑
tomize the risk exposure security model to help the company iden‑
MKT For the Marketing Major tify security risks and prepare responses to security incidents and
Marketing professionals have new opportunities to collect data disasters.
on their customers; for example, through business‑to‑consumer Senior executives of publicly held companies look to the MIS
electronic commerce. Customers expect their data to be properly function for help in meeting Sarbanes–Oxley Act requirements,
secured. However, profit‑motivated criminals want those data. particularly in detecting “significant deficiencies” or “material
Therefore, marketing managers must analyze the risk of their oper‑ weaknesses” in internal controls and remediating them. Other
ations. Failure to protect corporate and customer data will cause functional areas also look to the MIS function to help them meet
significant public relations problems and make customers very their security responsibilities.
Summary
4.1 Identify the five factors that contribute to the increasing Sabotage and vandalism are deliberate acts that involve defac‑
vulnerability of information resources, and specific examples of ing an organization’s website, possibly causing the organiza‑
tion to lose its image and experience a loss of confidence by its
each factor.
customers.
Theft of equipment and information is becoming a larger problem
The five factors are the following: because computing devices and storage devices are becoming
• Today’s interconnected, interdependent, wirelessly networked smaller yet more powerful with vastly increased storage, making
business environment. these devices easier and more valuable to steal.
• Example: The Internet Identity theft is the deliberate assumption of another person’s
identity, usually to gain access to his or her financial information
• Smaller, faster, cheaper computers and storage devices
or to frame him or her for a crime.
• Examples: Netbooks, thumb drives, iPads
Preventing compromises to intellectual property is a vital issue for
• Decreasing skills necessary to be a computer hacker people who make their livelihood in knowledge fields. Protecting
• Example: Information system hacking programs circulating on intellectual property is particularly difficult when that property is
the Internet in digital form.
• International organized crime taking over cybercrime Software attacks occur when malicious software penetrates an
• Example: Organized crime has formed transnational cyber‑ organization’s computer system. Today, these attacks are typi‑
cally profit‑driven and Web‑based.
crime cartels. Because it is difficult to know exactly where
cyberattacks originate, these cartels are extremely hard to Alien software is clandestine software that is installed on a com‑
bring to justice. puter through duplicitous methods. It is typically not as malicious
as viruses, worms, or Trojan horses, but it does use up valuable
• Lack of management support
system resources.
• Example: Suppose that your company spent $10 million on
Supervisory control and data acquisition refers to a large‑scale
information security countermeasures last year, and they did
distributed measurement and control system. SCADA systems
not experience any successful attacks on their information
are used to monitor or control chemical, physical, and transport
resources. Short‑sighted management might conclude that
processes. A SCADA attack attempts to compromise such a sys‑
the company could spend less during the next year and obtain tem to cause damage to the real‑world processes that the system
the same results. Bad idea. controls.
With both cyberterrorism and cyberwarfare, attackers use a tar‑
4.2 Compare and contrast human mistakes and social engi‑
get’s computer systems, particularly through the Internet, to
neering, along with specific examples of each one. cause physical, real‑world harm or severe disruption, usually to
carry out a political agenda.
Human mistakes are unintentional errors. However, employees can
also make unintentional mistakes as a result of actions by an attacker,
such as social engineering. Social engineering is an attack through 4.4 Describe the three risk‑mitigation strategies and exam‑
which the perpetrator uses social skills to trick or manipulate a legiti‑ ples of each one in the context of owning a home.
mate employee into providing confidential company information.
An example of a human mistake is tailgating. An example of social The three risk‑mitigation strategies are the following:
engineering is when an attacker calls an employee on the phone and
impersonates a superior in the company. Risk acceptance, in which the organization accepts the potential
risk, continues operating with no controls, and absorbs any dam‑
ages that occur. If you own a home, you may decide not to insure it.
4.3 Discuss the 10 types of deliberate attacks.
Thus, you are practicing risk acceptance. Clearly, this is a bad idea.
Risk limitation, in which the organization limits the risk by imple‑
The 10 types of deliberate attacks are the following:
menting controls that minimize the impact of threats. As a home‑
Espionage or trespass occurs when an unauthorized individual owner, you practice risk limitation by putting in an alarm system
attempts to gain illegal access to organizational information. or cutting down weak trees near your house.
Information extortion occurs when an attacker either threatens Risk transference , in which the organization transfers the risk by
to steal, or actually steals, information from a company. The per‑ using other means to compensate for the loss, such as by pur‑
petrator demands payment for not stealing the information, for chasing insurance. The vast majority of homeowners practice risk
returning stolen information, or for agreeing not to disclose the transference by purchasing insurance on their houses and other
information. possessions.
Chapter Glossary 121
4.5 Identify the three major types of controls that organiza‑ authentication and authorization. Authentication confirms the identity
tions can use to protect their information resources, along with of the person requiring access. An example is biometrics. After the per‑
son is authenticated (identified), the next step is authorization. Author‑
an example of each one.
ization determines which actions, rights, or privileges the person has,
based on his or her verified identity. Authorization is generally based
Physical controls prevent unauthorized individuals from gaining access on least privilege.
to a company’s facilities. Common physical controls include walls, Communications (network) controls secure the movement of data
doors, fencing, gates, locks, badges, guards, and alarm systems. More across networks. Communications controls consist of firewalls, anti‑
sophisticated physical controls include pressure sensors, temperature malware systems, whitelisting and blacklisting, encryption, virtual pri‑
sensors, and motion detectors. vate networking, secure socket layer, and vulnerability management
Access controls restrict unauthorized individuals from using systems.
information resources. These controls involve two major functions:
Chapter Glossary
access controls Controls that restrict communications controls (also network flood of data packets from many compromised
unauthorized individuals from using informa‑ controls) Controls that deal with the move‑ computers simultaneously.
tion resources and are concerned with user ment of data across networks. employee monitoring systems Systems that
identification.
controls Defense mechanisms (also called monitor employees’ computers, e‑mail activi‑
adware Alien software designed to help countermeasures). ties, and Internet surfing activities.
pop‑up advertisements appear on your screen.
cookies Small amounts of information that encryption The process of converting an orig‑
alien software Clandestine software that is websites store on your computer, temporarily or inal message into a form that cannot be read by
installed on your computer through duplicitous more or less permanently. anyone except the intended recipient.
methods.
copyright A grant from a governmental exposure The harm, loss, or damage that can
anti‑malware systems (antivirus software) authority that provides the creator of intellec‑ result if a threat compromises an information
Software packages that attempt to identify and tual property with ownership of it for a specified resource.
eliminate viruses, worms, and other malicious period of time, currently the life of the creator firewall A system (either hardware, software,
software. plus 70 years. or a combination of both) that prevents a spe‑
audit An examination of information systems, cybercrime Illegal activities executed on the cific type of information from moving between
their inputs, outputs, and processing. Internet. untrusted networks, such as the Internet, and
authentication A process that determines the private networks, such as your company’s
cyberterrorism A premeditated, politically
identity of the person requiring access. network.
motivated attack against information, com‑
authorization A process that determines puter systems, computer programs, and data identity theft Crime in which someone uses
which actions, rights, or privileges the person that results in violence against noncombatant the personal information of others to create a
has, based on verified identity. targets by subnational groups or clandestine false identity and then uses it fraudulently.
biometrics The science and technology of agents. information security Protecting an organi‑
authentication (i.e., establishing the identity of cyberwarfare War in which a country’s infor‑ zation’s information and information systems
an individual) by measuring the subject’s physi‑ mation systems could be paralyzed from a mas‑ from unauthorized access, use, disclosure, dis‑
ological or behavioral characteristics. sive attack by destructive software. ruption, modification, or destruction.
blacklisting A process in which a company demilitarized zone (DMZ) A separate organ‑ intellectual property The intangible property
identifies certain types of software that are not izational local area network that is located created by individuals or corporations, which is
allowed to run in the company environment. between an organization’s internal network and protected under trade secret, patent, and cop‑
bot A computer that has been compromised an external network, usually the Internet. yright laws.
by, and under the control of, a hacker. denial‑of‑service attack A cyberattack in least privilege A principle that users be
botnet A network of computers that have which an attacker sends a flood of data packets granted the privilege for some activity only
been compromised by, and under control of, a to the target computer with the aim of overload‑ if there is a justifiable need to grant this
hacker, who is called the botmaster. ing its resources. authorization.
business continuity The chain of events link‑ digital certificate An electronic document logic bombs Segments of computer code
ing planning to protection and to recovery. attached to a file certifying that the file is from embedded within an organization’s existing
the organization it claims to be from and has computer programs.
certificate authority A third party that acts
not been modified from its original format or malware Malicious software such as viruses
as a trusted intermediary between computers
(and companies) by issuing digital certificates content. and worms.
and verifying the worth and integrity of the distributed denial of service (DDoS) network controls See communications
certificates. attack A denial of service attack that sends a controls.
passphrase A series of characters that is longer risk The likelihood that a threat will occur. transport layer security (TLS) An encryption
than a password but is still easy to memorize. standard used for secure transactions such as
risk management A process that identifies,
password A private combination of characters controls, and minimizes the impact of threats, credit card purchases and online banking.
that only the user should know. in an effort to reduce risk to manageable levels. Trojan horse A software program containing a
patent A document that grants the holder hidden function that presents a security risk.
secure socket layer (SSL) See transport
exclusive rights on an invention or process for a layer security tunneling A process that encrypts each data
specified period of time, currently 20 years. packet to be sent and places each encrypted
security The degree of protection against
phishing attack An e‑mail attack that uses packet inside another packet.
criminal activity, danger, damage, or loss.
deception to fraudulently acquire sensitive virtual private network (VPN) A private
social engineering Getting around security
personal information by masquerading as an network that uses a public network (usually
systems by tricking computer users inside
official looking e‑mail. the Internet) to securely connect users by using
a company into revealing sensitive information
physical controls Controls that restrict unau‑ or gaining unauthorized access privileges. encryption.
thorized individuals from gaining access to a virus Malicious software that can attach itself
spam Unsolicited e‑mail.
company’s computer facilities. to (or “infect”) other computer programs with‑
spamware Alien software that uses your com‑ out the owner of the program being aware of
piracy Copying a software program (other
puter as a launch platform for spammers. the infection.
than freeware, demo software, etc.) without
making payment to the owner. spear phishing An attack in which the perpe‑ vulnerability The possibility that an informa‑
trators find out as much information about an tion resource will be harmed by a threat.
privilege A collection of related computer sys‑
individual as possible to improve their chances
tem operations that can be performed by users whitelisting A process in which a company
that phishing techniques will obtain sensitive,
of the system. identifies acceptable software and permits it to
personal information.
public‑key encryption (also called asymmet‑ run, and either prevents anything else from run‑
ric encryption) A type of encryption that uses
spyware Alien software that can record your ning or lets new software run in a quarantined
two different keys: a public key and a keystrokes or capture your passwords. environment until the company can verify its
private key. threat Any danger to which an information validity.
ransomware (or digital extortion) Malicious resource may be exposed. worm Destructive programs that replicate
software that blocks access to a computer sys‑ trade secret Intellectual work, such as a busi‑ themselves without requiring another
tem or encrypts an organization’s data until the ness plan, that is a company secret and is not program to provide a safe environment for
organization pays a sum of money. based on public information. replication.
Discussion Questions
1. Why are computer systems so vulnerable? 6. Why is cross‑border cybercrime expanding rapidly? Discuss possi‑
2. Why should information security be a prime concern to management? ble solutions.
3. Is security a technical issue? A business issue? Both? Support your 7. What types of user authentication are used at your university
answer. or place of work? Do these measures seem to be effective? What if a
higher level of authentication were implemented? Would it be worth it,
4. Compare information security in an organization with insuring a
or would it decrease productivity?
house.
8. Why are federal authorities so worried about SCADA attacks?
5. Why are authentication and authorization important to e‑commerce?
Problem‑Solving Activities
1. A critical problem is assessing how far a company is legally obli‑ 4. Visit www.dhs.gov (Department of Homeland Security). Search the
gated to go in order to secure personal data. Because there is no such site for “National Strategy to Secure Cyberspace” and write a report on
thing as perfect security (i.e., there is always more that one can do), their agenda and accomplishments to date.
resolving this question can significantly affect cost. 5. Enter www.alltrustnetworks.com and other vendors of biomet‑
a. When are security measures that a company implements suffi‑ rics. Find the devices they make that can be used to control access into
cient to comply with its obligations? information systems. Prepare a list of products and major capabilities
b. Is there any way for a company to know if its security measures of each vendor.
are sufficient? Can you devise a method for any organization to 6. Software piracy is a global problem. Access the following websites:
determine if its security measures are sufficient? www.bsa.org and www.microsoft.com/piracy. What can organiza‑
3. Enter www.scambusters.org. Find out what the organization does. tions do to mitigate this problem? Are some organizations dealing with
Learn about e‑mail scams and website scams. Report your findings. the problem better than others?
Closing Case 123
7. Investigate the Sony PlayStation Network hack that occurred in 8. Investigate the Equifax hacks in 2017.
April 2011. a. What type of attack was it?
a. What type of attack was it? b. What actions should Equifax have taken to prevent the
b. Was the success of the attack due to technology problems at breaches? Provide specific examples to support your answer.
Sony, management problems at Sony, or a combination of both? c. Place yourself as a victim in the Equifax breaches. What should
Provide specific examples to support your answer. you do when you are notified (or when you think) that your per‑
c. Which Sony controls failed? sonal data has been compromised?
d. Could the hack have been prevented? If so, how? d. In light of the Equifax breaches, should all consumers have the
e. Discuss Sony’s response to the hack. option to opt out of credit bureaus? Why or why not?
f. Describe the damages that Sony incurred from the hack.
Closing Case
To disrupt Necurs, Microsoft analyzed a technique that the bot‑
MIS Successful Operations against Cybercrime
net used to generate new domains through an algorithm. The firm
European Authorities and Encrochat then predicted more than 6 million domains that would be created in
Beginning in 2017, an international coalition of law enforcement agen‑ the next two years. It reported these domains to registries around the
cies infiltrated a chat platform used by organized crime syndicates. The world, enabling authorities to block them.
suspects all communicated through Encrochat, an encrypted service FBI and WeLeakInfo
that required specialized phones to operate. Investigators did not try
The website Have I Been Pwned (www.haveibeenpwned.com ) main‑
to break the encryption. Instead, they installed malware on the phones
tains a massive database of leaked user credentials so that victims can
themselves that allowed officials to read messages before they were
see if they are impacted. The criminal versions of this website are sites
encrypted and sent.
such as WeLeakInfo, which takes that same data breach data and sells
The suspects used modified Android phones that Encrochat
them for very low prices to hackers who want to exploit exposed user
advertised as guaranteeing “perfect anonymity.” Encrochat physi‑
credentials. In January 2020 the FBI (www.fbi.gov) seized WeLinkInfo,
cally removed the GPS, camera, USB, and microphone functions from
which had brokered 12 billion records.
the phones so that users could not be recorded or traced through the
Dutch and Northern Irish police arrested two men in connection
devices. Further, the company installed dual operating systems on
with the website. The FBI had previously taken down LeakedSource,
each device—standard Android as well as the Encrochat system—so
which operated similarly to WeLeakInfo. However, other comparable
the phones could appear as normal devices. The phones also had
sites remained online.
a function that allowed them to be wiped completely when a user
entered a certain PIN. U.S. Department of Justice and Child Pornography
Authorities monitored and investigated more than 100 million Website
messages in real time sent between Encrochat users, leading to arrests
In October 2019 the U.S. Department of Justice (DOJ) (www.justice
in the United Kingdom, Norway, Sweden, France, and the Netherlands.
.gov) announced that it had taken down the massive Dark Web child
By July 3, 2020, UK agencies had arrested 746 suspects and seized
pornography site Welcome to Video, which was a Tor network‑based
77 guns, 2 metric tons of drugs, 28 million illicit pills, 55 “high value”
site that accepted Bitcoin. The site had operated from June 2015 until
cars, and more than $67 million in cash. Dutch agencies had arrested
March 2018, generating and distributing exploitative content. Note:
more than 100 suspects and seized more than 8,000 kilograms of
The delay from March 2018 until October 2019 emphasizes the length
cocaine, 1,200 kilograms of crystal meth, dozens of guns and luxury
of time often necessary to prepare a criminal case.
cars, and almost $22.5 million in cash.
The takedown resulted from investigators tracing Bitcoin trans‑
After attempting to recover from the attack, Encrochat deter‑
actions. The investigation began by examining illegal transactions
mined that the attack originated from a nation‑state. The company
involving virtual currency on the Dark Web. By following the funds
decided to shut down and advised users to power off and physically
on a blockchain (discussed in Chapter 7), investigators uncovered the
dispose of their phones.
extent of users on the Welcome to Video site.
Almost immediately after the arrests began, other encrypted
Authorities gathered evidence in two ways: they examined the
phone companies started to advertise for Encrochat customers. A
Welcome to Video website, and they followed the money. When they
company called Omerta offered 10 percent off to “communicate with
examined the website, they found two unconcealed Internet Protocol
impunity.”
(IP) addresses (see Chapter 6) managed by a South Korean Internet
service provider. The IP addresses were assigned to an account that
Microsoft and the Necurs Botnet provided service to the site operator’s home address.
In March 2020 Microsoft and partners from 35 countries disrupted a To follow the money, agents sent small amounts of Bitcoin—
botnet, called Necurs, behind the world’s largest cybercrime net‑ roughly $125 to $290—to the Bitcoin wallets that Welcome to Video
work. The botnet was behind stock scams, fake pharmaceutical spam listed for payments. Because the Bitcoin blockchain leaves all trans‑
emails, “Russian dating” scams, and financial malware and ransom‑ actions visible and verifiable, the agents could observe the virtual
ware distribution. Authorities believe that Russian cybercriminals currency in these wallets being transferred to another wallet. They
operated the botnet. learned from a Bitcoin exchange that the second wallet was registered
to the site’s operator with his personal phone number and one of his cryptojacking. Cryptojacking is the unauthorized use of any computing
personal email addresses. Agents found the physical server in his device by cybercriminals to mine for cryptocurrency.
home that was running the website, along with more than 1 million In March 2019 security analysts at Avast traced an increase in
addresses of the site’s users. stealthy cryptocurrency mining infections to a type of malware called
A U.S. federal grand jury indicted the site’s operator. South Korean Retadup. The analysts also studied the command‑and‑control commu‑
officials had already arrested him on separate charges related to child nications used to control infected computers. Avast alerted France’s
sexual abuse, and he was serving his sentence there. national cybercrime investigation team, C3N, that servers in France
Officials around the world arrested a total of 337 Welcome to appeared to be hosting the majority of the command‑and‑control
Video users in 23 U.S. states, Washington D.C., and 11 other coun‑ infrastructure for distributing the malware and controlling infected
tries. Authorities seized 250,000 unique videos. These authorities, machines. C3N secured judicial cooperation with the FBI, and in July
in conjunction with the National Center for Missing and Exploited 2019 authorities seized control of the servers in both France and
Children, analyzed the videos and rescued at least 23 children who the United States. Avast researchers had discovered a design flaw in
were being abused by site participants. Investigators continue Retadup’s command‑and‑control communications protocol. This flaw
to analyze the videos to identify more children and perpetrators enabled authorities to instruct the malware to delete itself from all
of exploitation. 850,000 infected computers.
Security researchers from data breach monitoring service and
U.S. Department of Justice and BEC Scammers prevention service Under the Breach (www.underthebreach.com )
Business email compromise (BEC) schemes involve creating compel‑ were able to track down the Retadup author’s real world identity. How‑
ling scam emails, often purporting to be from senior executives. These ever, as of September 2020 it was unclear if authorities had arrested
emails trick employees, customers, or vendors into wiring payment for anyone who was involved in this operation.
goods or services to alternate bank accounts. BEC scammers are well
known to quickly adapt to major global news themes and use them
to legitimize their fake emails. For example, they quickly integrated Sources: Compiled from J. Cox, “How Police Secretly Took over a Global
Phone Network for Organized Crime,” Motherboard , July 2, 2020; K. Cox,
COVID‑19 pandemic themes into their messages.
“Police Infiltrate Encrypted Phones, Arrest Hundreds in Organized
The FBI has noted that between June 2016 and July 2019 there
Crime Bust,” Ars Technica, July 2, 2020; F. Abbasi, “COVID‑19 Themed
have been more than 166,000 domestic and international reports of BEC Scams,” Trustwave, April 15, 2020; J. Murdock, “Botnet Linked to
email fraud resulting in more than $26 billion in losses. A large propor‑ Criminals in Russia that Infected 9 Million Computers to Spew Spam and
tion of BEC scams originates from the West African nation of Nigeria. Malware Is Disrupted,” Newsweek, March 11, 2020; C. Fisher, “Microsoft
The scams have been reported in all 50 U.S. states and in 177 countries. Disrupts a Botnet that Infected 9 Million Computers,” Engadget, March
BEC schemes include traditional email scamming, tax fraud, check 10, 2020; B. Barrett, “How Microsoft Dismantled the Infamous Necurs
fraud, gift card scams, and many others. Botnet,” Wired, March 10, 2020; C. Cimpanu, “FBI Seizes WeLeakInfo, a
In September 2019 the U.S. Department of Justice (www.justice Website that Sold Access to Breached Data,” ZDNet , January 17, 2020;
.gov) announced the arrests of 281 suspects in connection with BEC B. Barrett, “FBI Takes Down Site with 12 Billion Stolen Records,” Wired,
January 10, 2020; P. LeBlanc, “Justice Department Announces Takedown
scams and wire fraud. The action was the largest of its kind to date
of the ‘Largest’ Darknet Child Pornography Site,” CNN, October 16, 2019;
against this type of scammer. The investigation took four months to
L. Newman, “How a Bitcoin Trail Led to a Massive Dark Web Child‑Porn
carry out across 10 countries, and it resulted in the seizure of almost
Site Takedown,” Wired , October 16, 2019; L. Newman, “281 Alleged Email
$4 million in cash. In all, 167 arrests were carried out in Nigeria, 74 in Scammers Arrested in Massive Global Sweep,” Wired , September 18, 2019;
the United States, 18 in Turkey, and 15 in Ghana, plus several more in M. Schwartz, “Police Trick Malware Gang into Disinfecting 850,000 Sys‑
other countries. tems,” Bank Info Security, August 28, 2019; C. Cimpanu, “Avast and French
Police Take over Botnet and Disinfect 850,000 Computers,” ZDNet, August
French Authorities, Avast, and the Retadup Malware Gang 28, 2019; “A Multimillion‑Dollar Criminal Crypto‑Mining Ecosystem Has
In August 2019 antivirus company Avast (www.avast.com) and the Been Uncovered,” MIT Technology Review, March 25, 2019.
French National Gendarmerie announced that they had taken down
the IT infrastructure of the Retadup malware gang. Retadup malware Questions
had infected Windows personal computers and servers across more
than 140 countries, with the majority of the infections occurring in 1. Describe the various methods that authorities used in the
Latin America. Significantly, more than 85 percent of the infected vignettes in this case to stop illegal cyberactivity and apprehend
machines had no antivirus software installed. suspects.
The gang used the processing power of the infected machines 2. Were these methods technical, behavioral, or a combination of
to mine for monero cryptocurrency, an illegal process called both? Provide examples to support your answer.

chapter 4 technology and system information

Uploaded by

Copyright:

Available Formats

chapter 4 technology and system information

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

chapter 4 technology and system information

Uploaded by

Copyright:

Available Formats

Opening Case 93

Wawa In October 2019 security researchers found approximately 1.2

4.1 Introduction to Information Security

1. Today’s interconnected, interdependent, wirelessly networked business environment

IT’s About Business 4.1

Before you go on…

4.2 Unintentional Threats

CORPORATE LAN (I NTRANET)

EMPLOYEES OTHER INSIDERS HARDWARE THREATS

mechanisms other malware

• Initializing nonsecure • Information leakage

system • Installed unauthorized

• Theft of confidential software

FIGURE 4.1 Security threats.

TABLE 4.1 Human Mistakes

Human Mistake Description and Examples

Opening questionable e‑mails Opening e‑mails from someone unknown, or clicking on

Careless Internet surfing Accessing questionable websites; can result in malware

Before you go on…

IT’s About Business 4.2

Questions Is this a good decision? Draw implications for any organiza‑

Theft of Equipment or Information

• Stealing personal data in computer databases

• Impersonating a trusted organization in an electronic communication (phishing)

Compromises to Intellectual Property

TABLE 4.2 Types of Software Attacks

Remote Attacks Needing No User Action

Attacks by a Programmer Developing a System

Logic bomb A segment of computer code that is embedded within an organization’s

Supervisory Control and Data Acquisition (SCADA) Attacks

Cyberterrorism and Cyberwarfare

Before you go on…

4.4What Organizations Are Doing

TABLE 4.3 Difficulties in Protecting Information Resources

Hundreds of potential threats exist.

Many individuals control or have access to information assets.

• Determine the relationship of risk to organizational goals.

Before you go on…

4.5 Information Security Controls

Employee Employee or pORATE LAN

ID System Denial-of-service protection

FIGURE 4.2 Where defense mechanisms are located.

Authentication. To authenticate (identify) authorized personnel, an organization can

IT’s About Business 4.3

FIGURE 4.3 (a) Basic firewall

Anti‑malware Systems. Anti‑malware systems, also called antivirus or AV, soft‑

Whitelisting and Blacklisting. A report by the Yankee Group ( www.451research

Harrison sends Hannah the

Locking key Unlocking key

FIGURE 4.4 How public‑key encryption works.

Virtual Private Networking. A virtual private network (VPN) is a private network

HRM Employee Monitoring Systems. Many companies are taking a proactive

FIGURE 4.6 Virtual private network and tunneling.

Before you go on…

What’s in IT for me?

f. Describe the damages that Sony incurred from the hack.

You might also like