c8 Note
8.1 Why are information systems vulnerable to destruction, error, and abuse?
1. Security - Security refers to the policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or physical damage to information
systems.
2. Controls - Controls are methods, policies, and organizational procedures that ensure
the safety of the organization’s assets, the accuracy and reliability of its records, and
operational adherence to management standards.
3. War driving - eavesdroppers drive by buildings or park outside and try to intercept
wireless network traffic.
4. Malware - Malicious software programs
5. Computer virus - rogue software program that attaches itself to other software
programs or data files in order to be executed, usually without user knowledge or
permission.
6. Worms - Most recent attacks have come from worms, which are independent
computer programs that copy themselves from one computer to other computers over
a network. Unlike viruses, worms can operate on their own without attaching to other
computer program files and rely less on human behavior in order to spread from
computer to computer.
7. Drive-by downloads - Viruses have also invaded computerized information systems
from “infected” disks or infected machines. Especially prevalent today are drive-by
downloads, consisting of malware that comes with a downloaded file that a user
intentionally or unintentionally requests.
8. Trojan horse - a software program that appears to be benign but then does something
other than expected. The Trojan horse is not itself a virus because it does not replicate,
but it is often a way for viruses or other malicious code to be introduced into a computer
system.
9. SQL Injection attacks - SQL injection attacks have become a major malware threat.
SQL injection attacks take advantage of vulnerabilities in poorly coded Web application
software to introduce malicious program code into a company’s systems and networks.
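As an added example (not from the note or its textbook source), the kind of "poorly coded" lookup the definition refers to, beside its parameterized replacement, using Python's built-in sqlite3 on a constructed in-memory table:

```python
import sqlite3

# Constructed sample data: a tiny in-memory "customers" table standing in for
# the company database a Web application queries.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "gold"),
        (2, "bob@example.com", "silver"),
        (3, "carol@example.com", "gold"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # Poorly coded: user input is pasted straight into the SQL text, so the
    # input can change the query's structure, not just the value compared.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # Hardened: a parameterized query hands the input to the database as data;
    # it is never parsed as SQL, so the query's structure cannot change.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    conn = make_db()
    normal = "bob@example.com"
    # The classic textbook probe for this flaw: a tautology in the search field
    # turns the WHERE clause into one that matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),    # 1 row
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),  # every row leaks
        "safe_normal": len(lookup_safe(conn, normal)),          # 1 row
        "safe_hostile": len(lookup_safe(conn, hostile)),        # no such e-mail
    }
```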
10. Ransomware - Malware known as ransomware is proliferating on both desktop and
mobile devices. Ransomware tries to extort money from users by taking control of their
computers or displaying annoying pop-up messages. One nasty example,
CryptoLocker, encrypts an infected computer’s files, forcing users to pay hundreds of
dollars to regain access.
11. Spyware - Some types of spyware also act as malicious software. These small
programs install themselves surreptitiously on computers to monitor user Web surfing
activity and serve up advertising. Thousands of forms of spyware have been
documented.
12. Keyloggers - Keyloggers record every keystroke made on a computer to steal serial
numbers for software, to launch Internet attacks, to gain access to e-mail accounts, to
obtain passwords to protected computer systems, or to pick up personal information
such as credit card or bank account numbers.
13. Hacker - A hacker is an individual who intends to gain unauthorized access to a
computer system. Within the hacking community, the term cracker is typically used to
denote a hacker with criminal intent, although in the public press, the terms hacker and
cracker are used interchangeably.
14. Cyber-vandalism - the intentional disruption, defacement, or even destruction of a
Web site or corporate information system.
15. Spoofing - Spoofing may also involve redirecting a Web link to an address different
from the intended one, with the site masquerading as the intended destination. For
example, if hackers redirect customers to a fake Web site that looks almost exactly like
the true site, they can then collect and process orders, effectively stealing business as
well as sensitive customer information from the true site.
16. Sniffing - A sniffer is a type of eavesdropping program that monitors information
traveling over a network. When used legitimately, sniffers help identify potential
network trouble spots or criminal activity on networks, but when used for criminal
purposes, they can be damaging and very difficult to detect. Sniffers enable hackers
to steal proprietary information from anywhere on a network, including e-mail
messages, company files, and confidential reports.
17. Denial of service (DoS) attack - hackers flood a network server or Web server with
many thousands of false communications or requests for services to crash the network.
The network receives so many queries that it cannot keep up with them and is thus
unavailable to service legitimate requests.
18. Distributed denial of service (DDoS) - A distributed denial-of-service (DDoS) attack
uses numerous computers to inundate and overwhelm the network from numerous
launch points.
19. Botnet - thousands of “zombie” PCs infected with malicious software without their
owners’ knowledge and organized into a botnet. Hackers create these botnets by
infecting other people’s computers with bot malware that opens a back door through
which an attacker can give instructions.
20. Computer crime - Computer crime is defined by the U.S. Department of Justice as
“any violations of criminal law that involve a knowledge of computer technology for
their perpetration, investigation, or prosecution.”
21. Identity theft - Identity theft is a crime in which an imposter obtains key pieces of
personal information, such as social security identification numbers, driver’s license
numbers, or credit card numbers, to impersonate someone else.
22. Phishing - Phishing involves setting up fake Web sites or sending e-mail messages
that look like those of legitimate businesses to ask users for confidential personal data.
23. Evil twins - Phishing techniques called evil twins and pharming are harder to detect.
Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi connections to
the Internet, such as those in airport lounges, hotels, or coffee shops. The bogus
network looks identical to a legitimate public network.
24. Pharming - Pharming redirects users to a bogus Web page, even when the individual
types the correct Web page address into his or her browser.
25. Click-fraud - Click fraud occurs when an individual or computer program fraudulently
clicks on an online ad without any intention of learning more about the advertiser or
making a purchase. Click fraud has become a serious problem at Google and other
Web sites that feature pay-per-click online advertising.
26. Cyberwarfare - Cyberwarfare is a state-sponsored activity designed to cripple and
defeat another state or nation by penetrating its computers or networks for the
purposes of causing damage and disruption.
27. Social engineering - Malicious intruders seeking system access sometimes trick
employees into revealing their passwords by pretending to be legitimate members of
the company in need of information.
28. Bugs - A major problem with software is the presence of hidden bugs or program code
defects. Studies have shown that it is virtually impossible to eliminate all bugs from
large programs. The main source of bugs is the complexity of decision-making code.
A relatively small program of several hundred lines will contain tens of decisions
leading to hundreds or even thousands of different paths.
29. Patches - To correct software flaws once they are identified, the software vendor
creates small pieces of software called patches to repair the flaws without disturbing
the proper operation of the software. An example is Microsoft’s Windows 7 Service
Pack 1.
8.2 What is the business value of security and control?
1. General controls (6) - General controls govern the design, security, and use of
computer programs and the security of data files in general throughout the
organization’s information technology infrastructure. On the whole, general controls
apply to all computerized applications and consist of a combination of hardware,
software, and manual procedures that create an overall control environment.
• Software controls - Monitor the use of system software and prevent
unauthorized access of software programs, system software, and computer
programs.
• Hardware controls - Ensure that computer hardware is physically secure, and
check for equipment malfunction.
• Computer operations controls - Oversee the work of the computer department
to ensure that programmed procedures are consistently and correctly applied
to the storage and processing of data.
• Data security controls - Ensure that valuable business data files on either disk
or tape are not subject to unauthorized access, change, or destruction while
they are in use or in storage.
• Implementation controls - Audit the systems development process at various
points to ensure that the process is properly controlled and managed.
• Administrative controls - Formalize standards, rules, procedures, and control
disciplines to ensure that the organization’s general and application controls
are properly executed and enforced.
3. Risk assessment - A risk assessment determines the level of risk to the firm if a
specific activity or process is not properly controlled. Not all risks can be anticipated
and measured, but most businesses will be able to acquire some understanding of the
risks they face.
4. Security policy - A security policy consists of statements ranking information risks,
identifying acceptable security goals, and identifying the mechanisms for achieving
these goals.
5. Acceptable use policy (AUP) - An AUP defines acceptable uses of the firm’s information
resources and computing equipment, including desktop and laptop computers, wireless
devices, telephones, and the Internet.
6. Identity management - consists of business processes and software tools for
identifying the valid users of a system and controlling their access to system resources.
7. Disaster recovery planning - Disaster recovery planning devises plans for the
restoration of computing and communications services after they have been disrupted.
8. Business continuity planning - Business continuity planning focuses on how the
company can restore business operations after a disaster strikes.
9. Information systems audit - An information systems audit examines the firm’s overall
security environment as well as controls governing individual information systems. The
auditor should trace the flow of sample transactions through the system and perform
tests, using, if appropriate, automated audit software.
8.4 What are the most important tools and technologies for safeguarding information resources?
1. Authentication - the ability to know that a person is who he or she claims to be.
2. Passwords - An end user uses a password to log on to a computer system and may
also use passwords for accessing specific systems and files.
3. Token - a physical device, similar to an identification card, that is designed to prove
the identity of a single user. Tokens are small gadgets that typically fit on key rings and
display passcodes that change frequently.
4. Smart card - a device about the size of a credit card that contains a chip formatted
with access permission and other data. (Smart cards are also used in electronic
payment systems.)
5. Biometric authentication - Biometric authentication uses systems that read and
interpret individual human traits, such as fingerprints, irises, and voices, in order to
grant or deny access.
6. Two-factor authentication - increases security by validating users with a multi-step
process. To be authenticated, a user must provide two means of identification, one of
which is typically a physical token, such as a smartcard or chip-enabled bank card,
and the other of which is typically data, such as a password or PIN (personal
identification number).
7. Firewalls - Firewalls prevent unauthorized users from accessing private networks. A
firewall is a combination of hardware and software that controls the flow of incoming
and outgoing network traffic.
• Packet filtering
• Stateful inspection
• Network Address Translation
• Application proxy filtering
8. Intrusion detection system - features full-time monitoring tools placed at the most
vulnerable points or “hot spots” of corporate networks to detect and deter intruders
continually. The system generates an alarm if it finds a suspicious or anomalous event.
9. Antivirus software - Antivirus software prevents, detects, and removes malware,
including computer viruses, computer worms, Trojan horses, spyware, and adware.
However, most antivirus software is effective only against malware already known
when the software was written.
10. Unified threat management (UTM) - To help businesses reduce costs and improve
manageability, security vendors have combined various security tools into a single
appliance, including firewalls, virtual private networks, intrusion detection systems,
Web content filtering, and antispam software.
11. Encryption - the process of transforming plain text or data into cipher text that cannot
be read by anyone other than the sender and the intended receiver.
12. Secure Sockets Layer (SSL) - Secure Sockets Layer (SSL) and its successor
Transport Layer Security (TLS) enable client and server computers to manage
encryption and decryption activities as they communicate with each other during a
secure Web session.
13. Secure hypertext transfer protocol (S-HTTP) - Secure Hypertext Transfer Protocol
(S-HTTP) is another protocol used for encrypting data flowing over the Internet, but it
is limited to individual messages, whereas SSL and TLS are designed to establish a
secure connection between two computers.
14. Public key encryption - A more secure form of encryption called public key encryption
uses two keys: one shared (or public) and one totally private. The keys are
mathematically related so that data encrypted with one key can be decrypted using
only the other key. To send and receive messages, communicators first create
separate pairs of private and public keys. The public key is kept in a directory and the
private key must be kept secret. The sender encrypts a message with the recipient’s
public key. On receiving the message, the recipient uses his or her private key to
decrypt it.
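As an added example (not from the note or its textbook), textbook RSA with deliberately tiny, constructed primes to show the key relationship described above: what is locked with one half of the pair opens only with the other half, and a private key from a different pair gets nothing.

```python
# Added example: textbook RSA with tiny constructed primes so every number is
# readable. Real deployments use moduli of 2048 bits or more plus a padding
# scheme; this shows only the key relationship the note describes.

def make_keypair(p, q, e=17):
    # Constructed key pair from two primes. n is published; d is derived from
    # p and q, which is why the private half must be kept secret.
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)          # (public key, private key)

def apply_key(key, block):
    # One modular exponentiation serves as both encrypt and decrypt; which
    # operation it is depends on which half of the pair you hold.
    exponent, n = key
    return pow(block, exponent, n)

def encrypt(key, text):
    # One block per byte; every byte (< 256) is below our n, so this toy
    # needs no padding. A sender needs only the recipient's public key.
    return [apply_key(key, b) for b in text.encode()]

def decrypt(key, blocks):
    # Recovered integers; they equal the original bytes only when this key is
    # the other half of the pair that was used to encrypt.
    return [apply_key(key, c) for c in blocks]

def demo():
    pub_bob, priv_bob = make_keypair(61, 53)   # Bob publishes pub_bob (n = 3233)
    pub_eve, priv_eve = make_keypair(71, 67)   # an unrelated pair, constructed
    text = "PAY 500"
    plain = list(text.encode())
    cipher = encrypt(pub_bob, text)            # sender uses Bob's public key
    return {
        "cipher": cipher,
        "bob_recovers": decrypt(priv_bob, cipher) == plain,
        # Eve's private key is unrelated to Bob's public key, so it yields
        # garbage rather than the message.
        "eve_recovers": decrypt(priv_eve, cipher) == plain,
        # The relationship is symmetric: what Bob locks with his private key,
        # anyone holding his public key can unlock (the basis of signatures).
        "public_unlocks_private": decrypt(pub_bob, encrypt(priv_bob, text)) == plain,
    }
```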
15. Digital certificates - Digital certificates are data files used to establish the identity of
users and electronic assets for protection of online transactions.
16. Public key infrastructure (PKI) - the use of public key cryptography working with a
CA (certification authority); it is now widely used in e-commerce.
17. Online transaction processing - transactions entered online are immediately
processed by the computer. Multitudinous changes to databases, reporting, and
requests for information occur each instant.
18. Fault-tolerant computer systems - contain redundant hardware, software, and
power supply components that create an environment that provides continuous,
uninterrupted service.
19. Downtime - Downtime refers to periods of time in which a system is not operational.
20. Deep packet inspection (DPI) - DPI examines data files and sorts out low-priority
online material while assigning higher priority to business-critical files. Based on the
priorities established by a network’s operators, it decides whether a specific data
packet can continue to its destination or should be blocked or delayed while more
important traffic proceeds.
21. Managed security service providers (MSSPs) - monitor network activity and perform
vulnerability testing and intrusion detection.