
Topic 7

Securing Information System

Adapted from slides provided by the authors of the textbook


“Management Information Systems : Managing the Digital Firms”
by Kenneth C. Laudon and Jane P. Laudon
HASLINDA BINTI NORADZAN
Lesson Outcomes:
• Explain why information systems are vulnerable to destruction, error, and abuse.
• Describe the business value of security and control.
• Describe the components of an organizational framework for security and control.
• Describe the tools and technologies used for safeguarding information resources.
System Vulnerability and Abuse

Security: the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Controls: the methods, policies, and organizational procedures that ensure
• the safety of the organization's assets,
• the accuracy and reliability of its accounting records, and
• operational adherence to management standards.
Why are systems vulnerable?
• Accessibility of networks
• Hardware problems
• Software problems
• Disasters
• Use of networks/computers outside of the firm's control
• Loss and theft of portable devices

Internet vulnerabilities
• Network open to anyone
• Size of the Internet means abuses can have wide impact
• Use of fixed Internet addresses with cable/DSL modems creates fixed targets for hackers
• Unencrypted VoIP
• E-mail, P2P, IM: interception, attachments with malicious software, transmitting trade secrets

Wireless security challenges
• Radio frequency bands are easy to scan
• SSIDs (service set identifiers) identify access points, are broadcast multiple times, and can be identified by sniffer programs
• War driving: eavesdroppers drive by buildings and try to detect the SSID and gain access to the network and its resources
• Once an access point is breached, the intruder can use the OS to access networked drives and files
Malicious software (malware)

Virus: rogue software program that attaches itself to other software programs or data files in order to be executed.

Worm: independent program that copies itself from one computer to other computers over a network, without needing a host program.

Trojan horse: software that appears benign but does something other than expected; e.g. the Zeus Trojan, which runs on computers with the MS Windows OS and is used to steal login credentials for banking.

SQL injection attack: hackers submit data to Web forms that the site's unprotected software pastes directly into a database query, so the submitted text is executed as a rogue SQL query against the database.

Ransomware: proliferating on both desktop and mobile devices; tries to extort money from users by taking control of their computers (commonly by encrypting their files) or displaying annoying pop-up messages.

Spyware: small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.

Key loggers: record every keystroke on a computer to steal serial numbers and passwords, or to launch Internet attacks.
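The SQL injection entry above describes the flaw in one sentence; the following added example (not from the slides or the textbook) shows it in working code, using Python's standard sqlite3 module. The user table, the credentials and the injected input are all constructed for the demonstration. The vulnerable login pastes form values into the query text; the hardened login passes the same values as bound parameters, so a quote character in the input can no longer change the statement.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not real data).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # Web-form values are pasted straight into the SQL text: the
    # "unprotected software" the slide describes.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Placeholders keep the data out of the query's grammar; the driver
    # binds the values, so quotes in the input cannot alter the statement.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def demo():
    conn = build_db()
    # Classic payload: closes the password literal and appends an always-true
    # condition, turning the WHERE clause into
    #   username = 'nobody' AND password = '' OR '1'='1'
    payload = "' OR '1'='1"
    results = {
        "vuln_legit":    login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong":    login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "nobody", payload),
        "safe_legit":    login_parameterized(conn, "alice", "correct horse"),
        "safe_injected": login_parameterized(conn, "nobody", payload),
    }
    conn.close()
    return results
```

With the vulnerable function the injected login succeeds for a user that does not exist; with the parameterized version the same payload is just a password string that matches nothing. Every real database driver offers bound parameters; string formatting into SQL is the defect, regardless of language.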
Hackers and Computer Crime

Hacker: individual who intends to gain unauthorized access to a computer system.
Cracker: term used to denote a hacker with criminal intent, although in the public press the two terms are used interchangeably.

Activities:
• System intrusion
• System damage
• Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system
Hackers and Computer Crime

Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; also redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.

Sniffing: eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information such as e-mail, company files, and so on.
Hackers and Computer Crime

Denial-of-service (DoS) attack: flooding a server with thousands of false requests to crash the network.

Distributed denial-of-service (DDoS) attack: use of numerous computers to launch a DoS.

Botnets: networks of "zombie" PCs infiltrated by bot malware; the textbook estimates that they deliver 90 percent of the world's spam and 80 percent of the world's malware.
Computer Crime
"Any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."

Computer as target:
• Breaching confidentiality of protected computerized data
• Accessing a computer system without authority

Computer as instrument:
• Theft of trade secrets
• Using e-mail for threats or harassment

Identity theft: theft of personal information (social security ID, driver's license, or credit card numbers) to impersonate someone else.

Phishing: setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data.

Pharming: redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser.

Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet.

Click fraud: occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.
Cyberterrorism
• Cybercriminal activities (launching malware, DoS attacks and phishing probes) are borderless.
• China, the U.S., South Korea, Russia and Taiwan are currently the sources of most of the world's malware, according to the textbook edition these slides follow.
• The global nature of the Internet makes it possible for cybercriminals to operate, and to do harm, anywhere in the world.

Cyberwarfare
• State-sponsored activity designed to cripple and defeat another state or nation by penetrating its computers or networks for the purpose of causing damage and disruption.
• Has become much more widespread, sophisticated and potentially devastating.


Internal threats: Employees
• Inside knowledge
• Sloppy security procedures
• Social engineering

Software vulnerability
• Commercial software contains flaws that create security vulnerabilities: hidden bugs (program code defects)
• Flaws can open networks to intruders
• Patches: small pieces of software to repair flaws
• Exploits are often created faster than patches can be released and implemented

Business Value of Security and Control
• Firms now are more vulnerable than ever
• Failed computer systems can lead to significant or total loss of business function
• At stake: confidential personal and financial data; trade secrets, new products, strategies
Electronic evidence
• Evidence for white-collar crimes is often in digital form
• Proper control of data can save time and money when responding to legal discovery requests

Computer forensics
• Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
• Includes recovery of ambient and hidden data
Organizational Frameworks for Security and Control

Information system controls

General controls
• Govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure
• Apply to all computerized applications
• Types: hardware controls, software controls, computer operations controls, data security controls, implementation controls, administrative controls

Application controls
• Specific controls unique to each computerized application, such as payroll or order processing
• Include both automated and manual procedures
• Ensure that only authorized data are completely and accurately processed by that application
• Types: input controls, processing controls, output controls

Risk assessment: determines the level of risk to the firm if a specific activity or process is not properly controlled. Considers:
• Types of threat
• Probability of occurrence during the year
• Potential losses (value of the threat)
• Expected annual loss (probability of occurrence multiplied by the expected loss per occurrence)

Security policy: ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals.
• Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment
• Identity management: business processes and tools to identify valid users of a system and control access; identifies and authorizes different categories of users, specifies which portion of the system users can access, and authenticates users and protects identities

Disaster recovery planning: devises plans for the restoration of disrupted services.

Business continuity planning: focuses on restoring business operations after a disaster.

Information systems audit
• Examines the firm's overall security environment as well as the controls governing individual information systems
• Reviews technologies, procedures, documentation, training, and personnel
• May even simulate a disaster to test the response of technology, IS staff, and other employees
• Lists and ranks all control weaknesses and estimates the probability of their occurrence
• Assesses the financial and organizational impact of each threat
Tools and Technologies for Safeguarding Information Resources

Identity management software
• Automates keeping track of all users and their privileges
• Authenticates users, protects identities, and controls access

Authentication
• Password systems
• Tokens
• Smart cards
• Biometric authentication
• Two-factor authentication
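The list above names password systems, tokens and two-factor authentication without showing how they fit together. The following added example (not from the slides or the textbook) implements a two-factor login in Python with only the standard library: the password is stored as a salted PBKDF2 hash, and the second factor is a time-based one-time code computed the way authenticator apps and hardware tokens do (RFC 4226 HOTP and RFC 6238 TOTP). The `enrol` and `two_factor_login` functions, the work factor and the enrolment record layout are illustrative choices, not any product's API.

```python
import hashlib
import hmac
import os
import struct
import time

# Factor 1, "something you know": the password itself is never stored, only a
# salted PBKDF2 hash, so a stolen credential table cannot be replayed directly.
PBKDF2_ROUNDS = 200_000   # illustrative work factor; tune to your hardware

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)   # constant-time compare

# Factor 2, "something you have": a token (phone app or hardware key) that
# derives one-time codes from a secret shared at enrolment, per RFC 4226/6238.
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)

def verify_totp(secret, code, at=None, window=1, step=30, digits=6):
    # Accept one time step either side of "now" to absorb clock skew.
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, at + k * step, step, digits), code)
               for k in range(-window, window + 1))

def enrol(password):
    # Hypothetical enrolment record: what the server keeps per user.
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "totp_secret": os.urandom(20)}

def two_factor_login(record, password, code, at=None):
    # Both checks always run, so a wrong password gives no timing hint about the code.
    ok_password = verify_password(password, record["salt"], record["hash"])
    ok_code = verify_totp(record["totp_secret"], code, at=at)
    return ok_password and ok_code
```

The `at` parameter exists so the code can be checked against the published RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082` with eight digits); in production it is left at the default and the current clock is used. Note that the TOTP secret is stored in the clear on the server, so a database breach still compromises the second factor; only the password side is protected by hashing.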
Firewalls
• Combination of hardware and software that prevents unauthorized users from accessing private networks
• Screening technologies: static packet filtering (each packet is judged on its own by header fields such as addresses and ports), stateful inspection (the firewall tracks connections and checks whether a packet belongs to one that was legitimately opened), network address translation (NAT), and application proxy filtering

Antivirus and antispyware software
• Checks computers for the presence of malware and can often eliminate it as well
• Requires continual updating

Unified threat management (UTM) systems
• Comprehensive security management products
• Include firewalls, VPN, IDS, web content filtering and antispam software
• Aimed at small and medium-sized businesses, but available for all sizes of networks
• Leading UTM vendors named in the textbook: Blue Coat, Fortinet and Check Point; networking vendors Cisco Systems and Juniper Networks

Intrusion detection systems (IDS)
• Monitor hot spots on corporate networks to detect and deter intruders
• Examine events as they are happening to discover attacks in progress
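The difference between static packet filtering and stateful inspection is easiest to see on concrete traffic. The following added example (not from the slides or the textbook) is a miniature Python model of both: the static filter must admit any inbound packet with source port 443 so that replies to outbound HTTPS can get through, while the stateful firewall only admits inbound packets that match a connection an inside host actually opened. The packet records, the `10.0.0.x` internal range and the outside addresses are constructed for the demonstration, and connection tracking is deliberately simplified (a single FIN or RST forgets the flow).

```python
from collections import namedtuple

# Constructed packet records for the demonstration (not captured traffic).
# flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "FA" FIN/ACK, "R" RST.
Packet = namedtuple("Packet", "src sport dst dport proto flags")

INTERNAL_PREFIX = "10.0.0."          # hypothetical internal address range

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

# --- Static packet filter: every packet judged alone by its header fields ---
# To let inside hosts reach HTTPS servers, the rule set must also admit
# inbound packets whose source port is 443. Nothing records whether an
# inside host ever asked for them, so an attacker just sends from port 443.
def static_filter(p):
    if p.proto != "tcp":
        return "DROP"
    if is_internal(p.src) and p.dport == 443:      # outbound HTTPS
        return "ALLOW"
    if not is_internal(p.src) and p.sport == 443:  # "replies" from HTTPS servers
        return "ALLOW"
    return "DROP"

# --- Stateful inspection: remember connections opened from inside ---
class StatefulFirewall:
    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, p):
        if p.proto != "tcp":
            return "DROP"
        if is_internal(p.src):
            if p.dport != 443:
                return "DROP"
            self.connections.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.connections:            # unsolicited from outside
            return "DROP"
        if "F" in p.flags or "R" in p.flags:       # connection closing: forget it
            self.connections.discard(key)
        return "ALLOW"

# Sample traffic: one genuine HTTPS session, then a probe of the RDP port
# (3389) that spoofs source port 443, then a stray packet after the close.
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "SA"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "A"),
    Packet("198.51.100.7", 443, "10.0.0.5", 3389, "tcp", "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "FA"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "A"),
]

def compare(packets=SAMPLE):
    """Return (static verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(static_filter(p), fw.check(p)) for p in packets]
```

Running `compare()` shows the static filter allowing all six packets, including the port-443-sourced scan of RDP, while the stateful firewall drops that scan and the packet that arrives after the connection was closed. Real stateful firewalls also time out idle entries and follow the full TCP handshake and teardown; the model above keeps only the part that explains the slide.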
Securing wireless networks
• Wired Equivalent Privacy (WEP) security: not very effective because it is easy to crack
• Basic measures: assigning a unique name to the network's SSID and not broadcasting the SSID; using WEP together with VPN technology. Note that hiding the SSID does not stop the sniffer programs mentioned earlier from identifying the access point, so it is not a substitute for strong encryption
• The Wi-Fi Alliance finalized the WPA2 specification, replacing WEP with stronger standards: continually changing keys, and an encrypted authentication system with a central server
Encryption
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session. All SSL versions are now obsolete; current browsers and servers negotiate TLS.
• Secure Hypertext Transfer Protocol (S-HTTP): used to encrypt data flowing over the Internet, but limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers. S-HTTP saw little adoption; what is used in practice is HTTPS, i.e. HTTP carried over TLS.
Two methods of encryption
• Symmetric key encryption: sender and receiver use a single shared encryption key.
• Public key encryption: uses two mathematically related keys, a public key and a private key. The public key is kept in a directory; the private key is kept secret. The sender encrypts the message with the recipient's public key, and the recipient decrypts it with the private key. Its advantage over symmetric encryption is not greater strength but that the two parties need not share a secret key in advance; in practice a public key operation is used to exchange a symmetric session key, which then encrypts the bulk of the data.
Digital certificate
• Data file used to establish the identity of users and electronic assets for the protection of online transactions
• Uses a trusted third party, a certification authority (CA), to validate a user's identity
• The CA verifies the user's identity and stores the information on the CA server, which generates a digitally signed certificate containing the owner's ID information and a copy of the owner's public key (the certificate is signed by the CA, not encrypted; anyone can read it and check the signature)

Public key infrastructure (PKI)
• Use of public key cryptography working with a certificate authority
• Widely used in e-commerce
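The two encryption methods and the digital certificate described above share the same primitives, so one added example (not from the slides or the textbook) covers all three in Python with only the standard library: a symmetric authenticated cipher built from SHA-256 and HMAC, textbook RSA for the public key operations, a hybrid `send`/`receive` that encrypts a fresh symmetric key with the recipient's public key, and a CA that signs (owner ID, owner public key) pairs. Everything here is a teaching construction: the symmetric scheme is a counter-mode keystream rather than a vetted AEAD, the RSA uses unpadded Mersenne primes chosen only so the arithmetic is fast, and the certificate format, the names `CA_PRIMES`/`USER_PRIMES` and the `demo` function are assumptions made for the illustration. Real systems use AES-GCM or ChaCha20-Poly1305, RSA with OAEP/PSS padding or elliptic curves, and X.509 certificates.

```python
import hashlib
import hmac
import os
from math import gcd

# ===== Symmetric key: sender and receiver share one secret key =====
# Teaching construction only (SHA-256 counter-mode keystream + HMAC tag).
def _subkeys(key):
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())

def _keystream(k_enc, nonce, length):
    blocks = (hashlib.sha256(k_enc + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def sym_encrypt(key, plaintext):
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(12)                       # fresh per message
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed authentication")   # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

# ===== Public key: two mathematically related keys =====
# Textbook RSA, no padding. Mersenne primes are used so key generation is
# instant; they are a bad choice for anything but a classroom demo.
CA_PRIMES = (2**521 - 1, 2**1279 - 1)    # assumed CA key material
USER_PRIMES = (2**607 - 1, 2**127 - 1)   # assumed end-user key material

def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))   # (public key, private key)

def pk_encrypt(pub, m_int):     # anyone holding the public key can encrypt
    n, e = pub
    return pow(m_int, e, n)

def pk_decrypt(priv, c_int):    # only the private-key holder can decrypt
    n, d = priv
    return pow(c_int, d, n)

def pk_sign(priv, data):        # signing is the private-key operation
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def pk_verify(pub, data, sig):  # anyone can verify with the public key
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# Hybrid: the slide's "encrypt with recipient's public key" step protects a
# fresh symmetric session key; the message itself travels under that key.
def send(recipient_pub, message):
    session_key = os.urandom(32)
    wrapped = pk_encrypt(recipient_pub, int.from_bytes(session_key, "big"))
    return wrapped, sym_encrypt(session_key, message)

def receive(recipient_priv, wrapped, blob):
    session_key = pk_decrypt(recipient_priv, wrapped).to_bytes(32, "big")
    return sym_decrypt(session_key, blob)

# ===== Digital certificate: the CA vouches for (owner ID, owner public key) =====
def cert_body(subject, pub):
    n, e = pub
    return f"{subject}|{n}|{e}".encode()

def issue_certificate(ca_priv, subject, subject_pub):
    return {"subject": subject, "public_key": subject_pub,
            "signature": pk_sign(ca_priv, cert_body(subject, subject_pub))}

def verify_certificate(ca_pub, cert):
    return pk_verify(ca_pub, cert_body(cert["subject"], cert["public_key"]),
                     cert["signature"])

def demo():
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    alice_pub, alice_priv = make_keypair(*USER_PRIMES)
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    forged = dict(cert, subject="mallory@example.com")   # same key, altered owner
    wrapped, blob = send(cert["public_key"], b"wire 10,000 to account 42")
    return {"cert_valid": verify_certificate(ca_pub, cert),
            "forged_cert_valid": verify_certificate(ca_pub, forged),
            "plaintext": receive(alice_priv, wrapped, blob)}
```

The flow in `demo` is the one the slides describe: the sender looks up the recipient's certificate, checks the CA's signature on it, encrypts to the public key it contains, and only the holder of the matching private key can read the message. Changing any field of the certificate invalidates the signature, and flipping a byte of the ciphertext makes `sym_decrypt` reject it rather than return garbage.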
Ensuring system availability
• Online transaction processing requires 100% availability, no downtime
• Fault-tolerant computer systems: for continuous availability; contain redundant hardware, software, and power supply components
• Downtime: periods of time in which a system is not operational

Controlling network traffic
• Deep packet inspection (DPI): examines the data portion of packets, not just the headers, and sorts or throttles low-priority material

Security outsourcing
• Managed security service providers (MSSPs): monitor network activity and perform vulnerability testing and intrusion detection

Security in the cloud
• Responsibility for security resides with the company owning the data
• Firms must ensure that providers provide adequate protection

Securing mobile platforms
• Security policies should include and cover any special requirements for mobile devices
• Mobile device management tools

Ensuring software quality
• Software metrics: objective assessments of a system in the form of quantified measurements
• Walkthrough: review of a specification or design document by a small group of qualified people
• Debugging: process by which errors are eliminated
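The intrusion detection systems bullet earlier and the MSSP bullet above both describe "examining events as they happen to discover attacks in progress". The following added example (not from the slides, the textbook or any IDS product) shows the core of one such detection in Python: it parses SSH authentication log lines, keeps a sliding window of failures per source address, raises an alert when a source crosses a threshold, and raises a higher-severity alert if that same source later logs in successfully. The log lines are constructed in the style of a Linux auth.log and are not a real capture; the threshold, window and alert names are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (sshd / auth.log style), not a real capture.
SAMPLE_LOG = [
    "Mar 10 09:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2",
    "Mar 10 09:00:02 host sshd[1202]: Failed password for root from 198.51.100.23 port 40123 ssh2",
    "Mar 10 09:00:03 host sshd[1203]: Failed password for invalid user oracle from 198.51.100.23 port 40124 ssh2",
    "Mar 10 09:00:05 host sshd[1204]: Accepted password for alice from 10.0.0.8 port 50211 ssh2",
    "Mar 10 09:00:06 host sshd[1205]: Failed password for invalid user test from 198.51.100.23 port 40125 ssh2",
    "Mar 10 09:00:07 host sshd[1206]: Failed password for invalid user admin from 198.51.100.23 port 40126 ssh2",
    "Mar 10 09:00:09 host sshd[1207]: Failed password for deploy from 198.51.100.23 port 40127 ssh2",
    "Mar 10 09:00:12 host sshd[1208]: Accepted password for deploy from 198.51.100.23 port 40128 ssh2",
    "Mar 10 09:01:00 host sshd[1209]: Failed password for bob from 10.0.0.8 port 50212 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return ts, m["result"], m["user"], m["ip"]

def detect(lines, threshold=5, window_seconds=60):
    """Stream the lines once and return alerts as (kind, ip, user, iso_timestamp)."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()                 # ips already reported for brute force
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # slide the window forward
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, user, ts.isoformat()))
        elif result == "Accepted" and ip in flagged:
            # The attack is no longer "in progress": it has succeeded.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user, ts.isoformat()))
    return alerts
```

On the sample lines the detector reports the scanning host at its fifth failure and again when the `deploy` login from that host is accepted, while the single failed login from the internal host produces nothing. A network IDS applies the same idea to packets rather than log lines, and a managed provider would feed such alerts into a console staffed around the clock; the thresholds are what the analyst tunes to trade false positives against missed attacks.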
• Do you think security is a business issue rather than a technology issue? Or can it be both?
• How do you minimize threats when you own a business that allows customers to pay online using a credit card?
• Who poses the bigger security threat: insiders or outsiders?
Examples of Past Semester Examinations

January 2018 (Part B, Question 7)
Organizations have been strengthening their security due to cyber threats.
a) Define computer crime and provide an appropriate example. (4 marks)
b) Describe ransomware. (3 marks)
c) State how we prevent and protect our computers from ransomware. (3 marks)
d) Discuss the effects of computer crime on an organization. (4 marks)

July 2017 (Part B, Question 7)
Malicious software programs are referred to as malware. Describe FOUR (4) types of malicious software. (8 marks)