REPORT:

MANAGEMENT INFORMATION SYSTEM

___

● MAHNOOR SHAHZAD
● SAAD BUTT
● ANZALA UMER
● SARIA CHEEMA
● KAMRAN NASEER
 1

SECURING INFORMATION SYSTEMS

INTRODUCTION:
A company's data must be securely protected from being compromised, as the results
of probable hackings might be disastrous for the company's reputation. Because
technology in our global world is continually evolving and changing, the necessity to
secure information has become a critical concern for businesses. In the modern world,
technology and people are linked and existing in networked working settings.
Employees engage with information technology aspects to complete their everyday
activities and responsibilities. On the basis of the organization's structure and future
use, appropriate technical systems are being built.

SECURITY:
All elements of risk management for an organization's assets - including computers,
people, buildings, and other assets – are covered under security management. A
security management plan begins with the identification of these assets, the
development and implementation of policies and procedures to secure them, and the
ongoing maintenance and maturation of these programs.

CONTROLS:
In an organization, control is a major goal-oriented function of management. It is the
process of comparing actual performance to the company's stated standards to verify
that operations are carried out as planned and, if not, corrective action is taken. Every
manager must keep track of and analyze his employees' activity. It assists the
management in taking remedial steps within the specified time frame to prevent a
contingency or corporate loss.

WHY SYSTEMS ARE VULNERABLE?

Large volumes of data kept electronically are exposed to a variety of attacks.
Information systems in many places are linked together through communications
networks. Unauthorized access or harm can occur at any point in the network, not just
one. It includes:
 2

HARDWARE PROBLEMS:
Factors That Can Damage your computer, Electricity interruptions and failures,
overheating, attacks by hackers.

SOFTWARE PROBLEMS:
Slow Downloading and Uploading, New Applications Don’t Install, Inability to Access
Email.

DISASTERS:
Whether the calamity is a hurricane, tornado, earthquake, mudslides, or something else
entirely, it may devastate a company's carefully planned plans and predictions. Supply
chains may be disrupted, personnel may be unable to report to work, and critical
infrastructure or equipment may be harmed.

FRAUDS:
Computer fraud is a cybercrime and the act of using a computer to take or alter
electronic data, or to gain unlawful use of a computer or system.

INTERNET VULNERABILITIES
A network vulnerability is a fault or weakness in software, hardware, or organizational
procedures that can lead to a security incident if used by a threat.

Network open to anyone:

If someone on the same public Wi-Fi as you has bad intentions, they could plant
malware on your computer if it is not protected properly. A suspect Wi-Fi provider could
use the hotspot itself to infect your computer with one or more of these threats.

Poor impersonality:
There is little doubt that the internet facilitates contact between suppliers and
customers; yet, because people never meet face to face, there is a significant risk of
impersonation. Unlike when they meet the seller in person, a consumer who places an
order and then waits to get it will never experience the attention of the person providing
them.
 3

Worrying security:
People who do business using the internet are overly facing the problem of hackers who
put their businesses at stake. Through the internet hackers find it easy to access
people’s bank accounts, passwords, details on credit cards and addresses among many
others, such information is extremely sensitive to a business and if accessed by an
unauthorized person could greatly damage the entire business.

Email attachments:
Cybercriminals may use an attached document, PDF, presentation or image to disguise
their malware and it will launch once a user opens the attachment.

WIRELESS SECURITY CHALLENGE

Whether it’s a home or business network, the risks to an unsecured wireless network
are the same. Some of the risks include:

WIFI network:
When you are connected to a public Wi-Fi network, anyone within range of your
computer can intercept everything you send or receive. If you are connected to an
unencrypted website, it will all be fully readable.

Wireless sniffing:
Many public access points are not secured and the traffic they carry is not encrypted.
This can put your sensitive communications or transactions at risk. Because your
connection is being transmitted “in the clear,” malicious actors could use sniffing tools to
obtain sensitive information such as passwords or credit card numbers.

Theft of mobile phones:

Not all attackers rely on gaining access to your data via wireless means. By physically
stealing your device, attackers could have unrestricted access to all of its data, as well
as any connected cloud accounts. Taking measures to protect your devices from loss or
theft is important, but should the worst happen, a little preparation may protect the data
inside.
 4

MALICIOUS SOFTWARE PROGRAMS

Malware is any software intentionally designed to cause disruption to a computer,
server, client, or computer network, leak private information, gain unauthorized access
to information or systems, and deprive user’s access to information or which
unknowingly interferes with the user's computer security and privacy.

Viruses:
A computer virus is a type of malicious software, or malware that spreads between
computers and causes damage to data and software. Computer viruses aim to disrupt
systems, cause major operational issues, and result in data loss and leakage.

Worms:
A computer worm is a type of malware whose primary function is to self-replicate and
infect other computers while remaining active on infected systems. A computer worm
duplicates itself to spread to uninfected computers.

Spyware:
Spyware is software with malicious behavior that aims to gather information about a
person or organization and send it to another entity in a way that harms the user.

For example, by violating their privacy or endangering their device's security.

Keylogger:
A keylogger is an insidious form of spyware. You enter sensitive data onto your
keyboard, believing nobody is watching. In fact, keylogging software is hard at work
logging everything that you type. Keyloggers are activity-monitoring software programs
that give hackers access to your personal data.
 5

Hackers
A hacker is someone who solves a technological problem by using computers,
networking, or other skills. Anyone who uses their skills to obtain unauthorized access
to systems or networks in order to conduct crimes is referred to as a hacker.

Types:
Black hat:
Black hat hackers are malicious hackers, sometimes called crackers. Black hats lack
ethics, sometimes violate laws, and break into computer systems with malicious intent,
and they may violate the confidentiality, integrity, or availability of an organization's
system.

White hat:
White-hat hackers are hackers that use their powers for good.

Gray hat:
Gray hat hackers enact a blend of both black hat and white hat activities. Gray hat
hackers often look for vulnerabilities in a system without the owner's permission or
knowledge. If issues are found, they report them to the owner, sometimes requesting a
small fee to fix the problem.

Crackers
A computer cracker is an old phrase for someone who purposefully broke into computer
systems, bypassed passwords or licensing in computer programming, or violated
computer security in other ways. Computer crackers were driven by malicious intent,
profit, or simply the thrill of the challenge.
 6

Types:
Script kiddie:
· Script kids are inexperienced hackers who lack the skills and competence of
more experienced hackers in the industry. To compensate, they use previously created
malware created by other hackers to carry out their attacks.

Computer crime:
● Computer fraud The use of information technology for illegal objectives or
unauthorized access to a computer system with the goal to harm, erase, or alter
the data stored on the computer is referred to as computer crimes. Identity theft,
gadget misuse, and electronic fraud are all considered computer crimes.
● Cybercrime, e-crime, electronic crime, and hi-tech crime are all terms
used to describe computer criminality.
● A competent computer user, also referred to as a hacker, who illegally
browses or steals a company's or individuals confidential information commits
computer crime. This person or group of people may be malicious and destroy or
corrupt the computer or data files in some situations.

Examples of computer crime:

Copyright violation:
Copyright violation Stealing or using another person's Copyrighted material without
permission.

Cyber terrorism:
Cyber terrorism Hacking, threats, and blackmailing towards a business or person.

Cyberbully:
Cyberbully or cyber stalking Harassing or stalking others online.

Creating Malware Writing, creating, or distributing malware (e.g., viruses and spyware.)
 7

Fraud:
Fraud manipulating data, e.g., changing banking records to transfer money to an
account or participating in credit card fraud.

Illegal sales:
Illegal sales buying or selling illicit goods online including drugs, guns, and psychotropic
substances.

Scam tricking:
Scam Tricking people into believing something that is not true.

Software copying:
Software piracy Copying, distributing, or using software that is copyrighted that you did
not purchase.

Spoofing:
Spoofing deceiving a system into thinking you are someone you really are not.

Unauthorized access:
Unauthorized access gaining access to systems you have no permission to access.

Click fraud
Individual or computer program clicks online ad without any intention of learning more or
making a purchase

Global threats:
Concern that Internet vulnerabilities and other networks make digital networks easy
targets for digital attacks by terrorists, foreign intelligence services, or other groups
 8

Internal threats – Employees

Security threats often originate inside an organization

Inside knowledge:

● Sloppy security procedures

● User lack of knowledge
●

Social engineering:
Tricking employees into revealing their passwords by pretending to be legitimate
members of the company in need of information

Lack of security, control can lead to:

● Loss of revenue
● Failed computer systems can lead to significant or total loss of business function

Lowered market value:

● Information assets can have tremendous value

● A security breach may cut into firm’s market value almost immediately
● Legal liability(e.g.: banks)
● Lowered employee productivity

Higher operational costs:

Strong security and control also increase employee productivity and lower operational
costs.
 9

Information systems controls

General controls:

● Govern design, security, and use of computer programs and data throughout
organization’s IT infrastructure
● Combination of hardware, software, and manual procedures to create overall
control environment

Types of general controls

Software controls:
Monitor the use of system software and prevent unauthorized access.

Hardware controls:
Ensure that computer hardware is physically secure, and check for equipment
malfunction and prepare backups.

Computer operations controls:

controls for computer processing jobs.

Data security controls:

valuable business data files are not subject to unauthorized access.

Implementation controls:
Regular audit of the system to ensure control.

Administrative controls:
Formal rules and procedures to maintain discipline.
 10

Application controls

● Specific controls unique to each computerized application, such as payroll or

order processing
● Include both automated and manual procedures
● Ensure that only authorized data are completely and accurately processed by
that application

Types of application controls:

● Input controls
● Processing controls
● Output controls
● Security policy

•Ranks information risks, identifies acceptable security goals, and identifies

mechanisms for achieving these goals

•Drives other policies

Acceptable use policy (AUP):

Defines acceptable uses of firm’s information resources and computing equipment

Authorization policies:
Determine differing levels of user access to information assets

Authorization management systems:

Allow each user access only to those portions of system that person is permitted to
enter, based on information established by set of access rules, profile

Disaster recovery planning:

Devises plans for restoration of disrupted services
 11

Business continuity planning:

Focuses on restoring business operations after disaster

● Both types of plans needed to identify firm’s most critical systems and business
processes
● Business impact analysis to determine impact of an outage
● Management must determine
● Maximum time systems can be down
● Which systems must be restored first

•Access control:

Policies and procedures to prevent improper access to systems by unauthorized

insiders and outsiders

● Authorization
● Authentication
● Password systems
● Token
● Smart cards
● Biometric authentication

Authorization:
The process of granting someone access to a resource is known as authorization. Of
course, this description may appear cryptic, but many real-life scenarios may make you
understand what authorisation implies and how to apply those notions to computer
systems. House ownership is a wonderful example.

Authentication:
The process of verifying a user's identity is known as authentication. It's the process of
connecting a set of identifying credentials with an incoming request.
 12

Password systems:
A password is a word, phrase, or string of characters used to recognize an authorized
user or program (for the purpose of granting access) from an unauthorized user, or to
put it another way, a password is used to prove one's identity or to grant access to a
resource.

Token:
A token is an object that symbolizes something else, such as another object (physical or
virtual) or an abstract notion, such as a gift. Tokens come in a variety of shapes and
sizes in computers.
Smart cards:
A smart card is a device having an embedded integrated circuit chip (ICC), which can
be a secure microcontroller or comparable intelligence with internal memory, or just a
memory chip. Direct physical touch or a remote contactless radio frequency interface
are used to link the card to a reader.

Biometric authentication:
Biometric authentication entails utilizing a piece of your bodily composition to verify your
identity. A fingerprint, iris scan, retina scan, or other physical trait might be used. It is
possible to utilize a single or several qualities.