Ethical and Security Issues

This document discusses ethical and security issues related to information systems. It addresses both unintentional threats like human errors and computer failures, as well as intentional threats such as hacking, identity theft, and cybercrimes. Some key security measures to protect information systems are discussed, including firewalls, encryption, virtual private networking, authentication, and risk assessment. Overall, the document outlines the importance of information security and some of the contemporary challenges related to protecting information systems from various internal and external threats.

Uploaded by

Paulina Boss

BULE HORA UNIVERSITY

NAGELLE CAMPUS
COLLEGE OF BUSINESS AND ECONOMICS
DEPARTMENT OF MANAGEMENT
ASSIGNMENT OF MANAGEMENT
INFORMATION SYSTEM (MIS)
DONE BY: AYANTU ABEBE
ID No: WU/2313/12

SUBMISSION DATE: FEB 2023

SUBMITTED TO INSTRUCTOR

NAGELLE
ETHIOPIA
ETHICAL AND SECURITY ISSUES
Ethical and security issues in information systems
Ethics refers to the principles of right and wrong that individuals, acting as
free moral agents, use to make choices to guide their behaviors.
Information systems raise new ethical questions for both individuals and societies because they create
opportunities for intense social change, and thus threaten existing distributions of power, money, rights,
and obligations.
The development of information technology will produce benefits for many and costs for others.
Ethical issues in information systems have been given new urgency by the rise of the Internet and
electronic commerce.
Information Security:

Information security is a key operational concern for every organization.

Information security has become an important management topic and a cross-cutting concern.

Even with world-class technical security, management needs to make sure all employees follow security
policies.

Internet-based threats and countermeasures have become increasingly important, so management needs
to fund security work continuously to protect the business.

Although threats to information systems are evolving and abundant, they can all be broken down into two
categories:

- Unintentional threats

- Intentional/deliberate threats

CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES

Unintentional Threats
Can you think of unintentional threats to information systems?
Unintentional threats to information systems are those where no one intends harm, yet software or data is
still modified, lost or exposed by accident.
Unintentional threats to information systems include human errors, environmental hazards and
computer system failures.
Human errors: can occur in the design of the hardware and/or the information system, and also in
programming, testing, data collection, data entry, authorization and procedures, and in operator error.
Environmental hazards: earthquakes, severe storms and floods, power failures or strong
fluctuations, and fires (the most common hazard).
Computer system failures: can occur as the result of poor manufacturing or defective materials.

Intentional/Deliberate Threats
Computer crimes are the best examples of intentional threats, or when someone purposely damages property or
information.

Computer crimes include espionage, identity theft, child pornography, and credit card crime.

Hacker vs cracker

Hacker: an outsider who has penetrated a computer system, usually with no criminal intent.

Cracker: someone who breaks into someone else's computer system, often over a network, and bypasses passwords or
licence checks in computer programs; a cracker may do this for profit.

Espionage or trespass: the act of an unauthorized individual gaining access to information that an organization is
trying to protect.

Social engineering: committing computer crime or espionage by getting around security systems through an
inappropriate trust relationship built with an insider, for example by talking an employee into revealing a password.

A sniffer is a type of eavesdropping (spying) program that monitors information traveling over a network. When
used legitimately, sniffers help identify potential network trouble spots or criminal activity on networks, but when
used for criminal purposes they can be damaging and very difficult to detect, because a sniffer only listens and sends
nothing of its own onto the network.

Spoofing: an attacker masquerades as a trusted party. It may involve redirecting a web link to an address different
from the intended one, with the site masquerading as the intended destination. For example, if hackers redirect
customers to a fake website that looks almost exactly like the true site, they can then collect and process orders,
effectively stealing business as well as sensitive customer information from the true site.

Denial-of-Service Attacks

In a denial-of-service (DoS) attack, hackers flood a network server or web server with many thousands of bogus
communications or requests for service, exhausting its capacity so that legitimate users are turned away or the
system crashes.
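As an added example (not part of the original assignment), the following Python script shows how a flood of this kind is detected on the defending side: it parses web server access-log lines in the common log format, orders them by time, and flags any source address that sends more than a threshold number of requests inside a sliding time window. The log lines, the addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
"""Flag sources that flood a web server: request-rate detection over access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor (203.0.113.5), one junk line, and one
# source (198.51.100.9) sending eight requests in eight seconds.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 612',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 1024',
    'garbage line that does not parse',
] + [
    f'198.51.100.9 - - [10/Oct/2023:13:55:{31 + i:02d} +0000] "GET / HTTP/1.1" 200 612'
    for i in range(8)
] + [
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /contact HTTP/1.1" 200 800',
]


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, max_requests=5, window_seconds=10):
    """Return {ip: ISO time first flagged} for every source that sends more than
    max_requests within any sliding window of window_seconds."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])        # log lines may be interleaved; order by time
    recent = defaultdict(deque)            # ip -> timestamps still inside the window
    flagged = {}
    for ip, ts in events:
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()               # drop requests older than the window
        if len(window) > max_requests and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE_LOG).items():
        print(f"possible DoS from {ip}, first exceeded threshold at {when}")
```

The threshold and window are the tuning knobs: too low and busy legitimate clients behind one NAT address are flagged, too high and a slow flood passes. A distributed attack spreads requests over many sources, so a per-source counter like this one must be complemented by a check on total request volume.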

WI-FI SECURITY CHALLENGES

Many Wi-Fi networks can be penetrated easily by intruders who use sniffer programs to capture network identifiers
and addresses and then use them to access the resources of the network without authorization.

Information extortion: an attacker or formerly trusted employee steals information from a computer system
and then demands compensation for its return or for an agreement not to disclose it.

Shoulder surfing is looking at a computer monitor or ATM screen over another person’s shoulder.

Sabotage or Vandalism

Hacktivist or cyber activist: use of technology for high-tech civil disobedience to protest operations, policies, or
actions of an individual, an organization, or a government agency.

Cyberterrorism is a premeditated (planned), politically motivated attack against information, computer systems,
computer programs and data that results in violence against noncombatant targets by sub-national groups.
Cyberwar: war in which a country's information systems could be paralysed by a massive attack with destructive
software.

Theft: the illegal taking of property that belongs to another individual/organization.

Software attacks
Software programs designed to perform unintended actions or to damage, destroy, or deny service to the targeted systems.
The most common types of software attacks are:
- viruses
- worms
- Trojan horses
- alien software (spyware and similar)
- logic bombs
- back doors
- denial-of-service
- phishing
- pharming
Viruses: segments of computer code that attach to a host program or file and perform unintended actions
ranging from merely annoying to destructive.
Worms: destructive programs that replicate themselves across networks on their own, without needing another
program to host them.
Trojan horses: software programs that hide inside other computer programs and reveal their designed behavior
only when they are activated.
Spyware: software that gathers user information through the user's Internet connection without their knowledge.
Phishing: uses deception, typically an official-looking e-mail, to fraudulently acquire sensitive personal
information such as account numbers and passwords.
Cybercrimes: fraudulent activities committed using computers and communications networks, particularly the
Internet.

Securing IS
What prevention mechanism do you know to protect information systems from different threats?

The trend in computer security is toward defining security policies and then centrally managing and enforcing
those policies via security products and services or policy-based management.

General security controls: those established to protect the system regardless of the application:
Physical controls: Physical protection of computer facilities and resources.
Access controls: Restriction of unauthorized user access to computer resources; use biometrics and passwords
controls for user identification.
Application controls are those security controls that protect specific applications and include: input, processing, and
output controls.
Communications (networks) controls: The main IS security measures to protect the movement of data across
networks include firewalls, encryption, Virtual Private Networking (VPN), and authentication.

A. Firewalls
A system that enforces an access-control policy between two networks. A firewall is used to separate intranets and
extranets from the Internet so that only employees and authorized business partners can reach them.
It can consist of hardware and software.
It protects the system by packet filtering, which blocks "illegal" traffic as defined by the security policy (rules on
source and destination address, protocol and port, with anything not explicitly allowed denied), or by using a proxy
server, which acts as an intermediary between, say, the Internet and the intranet.
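Added example, not from the original document: a minimal packet filter in Python that evaluates a first-match rule list against packet headers and denies anything no rule allows. The policy, the sample packets and the addresses (documentation ranges: 10.0.0.0/8 as the intranet, 203.0.113.10 as the public web server, 192.0.2.0/24 as a business partner's extranet, 198.51.100.0/24 as a blocked range) are constructed for this example.

```python
"""Minimal packet filter: first-match rule list with an implicit default deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the source must fall in (default: any)
    dst: str = "0.0.0.0/0"       # CIDR the destination must fall in
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Hypothetical policy, constructed for this example. Order matters: the first
# rule that matches decides, so the blocklist entry comes before any allow.
POLICY: List[Rule] = [
    Rule("deny", src="198.51.100.0/24"),                                          # blocked range
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),                 # public HTTPS
    Rule("allow", src="192.0.2.0/24", dst="10.0.0.0/8", proto="tcp", dport=22),   # partner SSH
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.0/8"),                            # intranet traffic
]


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; a packet that no rule allows is denied."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_packets(packets, policy: List[Rule] = POLICY):
    """Evaluate a batch of packets and return (packet, verdict) pairs."""
    return [(pkt, decide(pkt, policy)) for pkt in packets]


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("203.0.113.200", "203.0.113.10", "tcp", 443),  # Internet user to web server
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # blocked range, same service
        Packet("203.0.113.200", "203.0.113.10", "tcp", 22),   # SSH from the Internet
        Packet("192.0.2.9", "10.1.2.3", "tcp", 3389),         # partner trying RDP
    ]
    for pkt, verdict in filter_packets(samples):
        print(f"{verdict:5} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
```

A stateless filter like this judges each packet alone; production firewalls additionally track connection state so that reply packets of an allowed outbound connection are admitted without a separate inbound rule.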
B. Encryption
Encryption is a process of converting an original message into a form that cannot be read by anyone except the
intended receiver.

There are two families: secret-key encryption (also known as symmetric or private-key encryption), in which sender
and receiver share one key that must be exchanged securely beforehand, and public-key encryption (also known as
asymmetric encryption), in which each party has a key pair: a public key anyone may use to encrypt and a private key
only the owner uses to decrypt.

C. Virtual Private Networking (VPN)

Virtual Private Networking (VPN) uses the Internet to carry information within a company and among business
partners, but with increased security provided by encryption, authentication and access control.

It maintains data security in transit by combining two techniques, tunneling and encryption:

Tunneling: wraps each packet of the private traffic inside another packet addressed to the VPN gateway at the far end,
so the remote computer appears to be connected directly to the company network even though the packets cross the
public Internet. Encryption: encrypts the wrapped packets, so anyone who intercepts them on that link sees only
ciphertext.

D. Authentication
Authentication is the security process of verifying that a user is who he or she claims to be. The most common
mechanisms are passwords (something the user knows) and digital signatures (backed by a private key only the sender holds).

Digital signatures are now widely used for authenticating transmitted information.

Digital signatures take the place of ordinary signatures in online transactions to prove that the sender of a message is
who he or she claims to be and that the message was not altered in transit.

The sender computes a hash of the message and transforms it with his or her private key; the result is the signature,
which is different for every message. On receipt, the receiver recomputes the hash and checks the signature with the
sender's public key.

Any change to the message or to the signature makes that check fail, so a signature cannot be copied from one message
to another or forged without the private key.
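To make sections B and D concrete, here is an added example (not from the original assignment) of public-key encryption and digital signatures using textbook RSA on a fixed toy key built from two Mersenne primes. It is for illustration only: real systems generate random primes and apply padding such as OAEP and PSS, so never reuse this key or this unpadded form. It shows the two uses of one key pair (anyone can encrypt with the public key, only the private-key holder can decrypt; only the private-key holder can sign, anyone can verify) and that a signature is bound to its message, so a tampered message or a tampered signature fails verification. The message text is constructed.

```python
"""Textbook RSA on a fixed toy key: public-key encryption and digital signatures."""
import hashlib

# Fixed demonstration key from two known Mersenne primes (2^127-1 and 2^521-1).
# A real key uses random primes of 1024+ bits each; this one is public and
# must never be used for anything but this example.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                    # modulus, about 648 bits
E = 65537                    # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def encrypt(message: bytes, public_key=PUBLIC_KEY) -> int:
    """Anyone can encrypt with the public key. Unpadded: do not use for real data,
    and note that leading zero bytes of the message are not preserved."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key=PRIVATE_KEY) -> bytes:
    """Only the private-key holder can recover the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; it is the hash, not the message, that is signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature = hash of the message transformed with the private key.
    It differs for every message, so it cannot be copied between messages."""
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """The receiver recomputes the hash and checks it against the signature
    using the sender's public key; no 'known copy' of the signature is needed."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"          # constructed message
    assert decrypt(encrypt(msg)) == msg
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("tampered message verifies:", verify(b"transfer 900 to account 42", sig))
    print("tampered signature verifies:", verify(msg, sig + 1))
```

Because the signature covers the hash of the message, the receiver needs only the sender's public key, which can be published freely; confidentiality of the signature is not required. What must stay secret is the private key, which is why the page's statement that signatures are "sent in encrypted form to ensure they have not been forged" is not how the mechanism works.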

RISK ASSESSMENT:-A risk assessment helps answer questions and determine the most cost-effective set of controls
for protecting assets.

A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled.

Security Policy:-Once you’ve identified the main risks to your systems, your company will need to develop a
security policy for protecting the company’s assets.

A security policy consists of statements ranking information risks, identifying acceptable security goals, and
identifying the mechanisms for achieving these goals.
DISASTER RECOVERY PLANNING AND BUSINESS CONTINUITY PLANNING
Disaster recovery planning
devises plans for the restoration of computing and communications services after they have been disrupted.
Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as
which files to back up and the maintenance of backup computer systems or disaster recovery services.
Business continuity planning focuses on how the company can restore business operations after a disaster strikes.
IS monitoring to recommend security measures

Controls evaluation: Identifies security deficiencies and calculates the costs of implementing adequate control
measures.

Information systems auditing: independent, unbiased observers are tasked with ensuring that information systems work
properly. Types of auditors and audits:

• Internal: performed by corporate internal auditors.

• External: performed by outside auditors; reviews the internal audit as well as the inputs, processing and outputs of
information systems.
