Laudon Textbook Chapter 8 W Lecture Notes v2

Uploaded by

Maria Cristina

1

This chapter discusses the need for security to guard information systems and
data, the technologies used to secure information systems, and the types of
threats that can harm an information system. Internet security, or the lack
thereof, will continue to be a topic of major concern to corporations and
countries. Why is so much attention paid to Internet security issues in the
press? Has anyone been a victim of a breach in computer security?

2
3
4
5
This slide introduces the need for both security and controls in today’s
businesses in order to safeguard information systems. Can you give an
example of a security technique and an example of a control that might be
used in a business?

6
This slide discusses the main categories of threats to information systems.
Note that when large amounts of data are stored digitally on computers and
servers and in databases, they are vulnerable to many more kinds of threats
than when they were stored in manual form, on paper in folders and file
cabinets. When data are available over a network, there are even more
vulnerabilities. Have you ever lost data on your computer? What was the
reason (hardware, software, “disaster,” other people, etc.)? On the other hand,
digital records are not vulnerable in ways that manual records in a file cabinet
are vulnerable. For instance, you really can’t tell who has accessed manual
records, or when, in a physical file. In a database, file access is monitored
(unless a hacker has found a way to read records without leaving a digital
trail).

7
Figure 8.1, Page 298.
The architecture of a web-based application typically includes a web client, a
server, and corporate information systems linked to databases. Each of these
components presents security challenges and vulnerabilities. Floods, fires,
power failures, and other electrical problems can cause disruptions at any
point in the network.

This graphic illustrates the types of threats to system security and the points
over the network at which these threats are prevalent. Some problems occur
at the client computer, others through the network lines, corporate servers, or
in corporate hardware and software.

Full description: A diagram shows the common threats against contemporary
information systems. The diagram shows the corporate servers connected to
the client, or users, through communication lines at one end and to the
corporate system linked to databases at the other end. The corporate system
includes the hardware, operating system, and software. The security
challenges at each level shown are as follows. For Client, the User,
Unauthorized access and Errors. For Communication lines, Tapping, Sniffing,
Message Alteration, Theft and fraud, and Radiation. For Corporate Servers,
Hacking, Malware, Theft and fraud, Vandalism, and Denial-of-service attacks.

8
This slide discusses the types of threats that large public networks, such as
the Internet, face because they are open to virtually anyone. Note that the
Internet is so huge that when abuses do occur, they can have an enormously
widespread impact. And when the Internet becomes part of the corporate
network, the organization’s information systems are even more vulnerable to
actions from outsiders. The Internet was not designed at inception to be a
“secure” network in the way that, for instance, the telephone network was. We
all get junk spam telephone calls, but hackers have not been able to take
control of our telephones, or systematically disrupt telephone service for
individuals.

9
This slide discusses security threats related to wireless networks. Local area
networks (LANs) using the 802.11 standard can be easily penetrated by
outsiders armed with laptops, wireless cards, external antennae, and hacking
software. Hackers use these tools to detect unprotected networks, monitor
network traffic, and, in some cases, gain access to the Internet or to corporate
networks. Have you connected to the Internet through an unknown wireless
network that a person or business had established and left unprotected? Note
that there are stronger encryption and authentication systems available for
wireless networks, but users must install them. Today, Wi-Fi routers ship with
pre-installed security protection.

10
Figure 8.2, Page 300.
Many Wi-Fi networks can be penetrated easily by intruders using sniffer
programs to obtain an address to access the resources of a network without
authorization.

This graphic illustrates why wireless networks are vulnerable—the service set
identifiers (SSIDs) identifying the access points in a Wi-Fi network are
broadcast multiple times (as illustrated by the orange sphere) and can be
picked up fairly easily by intruders’ sniffer programs.

11
This slide identifies the various types of malware that threaten information
systems and computers. Have you ever had a problem with a virus? Do you
know how your computer got infected? Note that there are now thousands of
viruses and worms targeting mobile phones, and applications such as
Facebook, Pinterest, and blogs are new conduits for malware and spyware.
Malware is a serious problem—over the past decade, worms and viruses have
caused billions of dollars of damage to corporate networks, e-mail systems,
and data.

12
This slide continues the discussion of types of malware on the previous slide.
Note that SQL injection attacks are the largest malware threat. Why is this so?
(These attacks give hackers access to the underlying databases that support
web applications, such as sales of products and services, e-commerce
financial data, and other classified information. In other words, the database is
where the information is located. SQL databases have little or no built-in
security once a hacker gets beyond the entrance point to a corporate network.)
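The point above is that the query text itself is where the exposure lies. The following example, added here and not taken from the textbook or the lecture notes, puts a concatenated lookup beside a parameterised one against a constructed in-memory product table, so the difference in returned rows can be observed directly:

```python
"""Vulnerable vs. hardened database lookup for a product catalogue.

Added example (not from the textbook or lecture notes); the product
table and the query inputs are constructed for the demonstration."""
import sqlite3


def make_catalogue():
    """In-memory catalogue standing in for the database behind a web application."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, price_cents INTEGER, internal_cost INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("widget", 1999, 800), ("gadget", 4999, 2100), ("gizmo", 999, 300)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL statement by string concatenation: whatever the user typed
    becomes part of the query text, so the input can change the query's logic."""
    sql = "SELECT name, price_cents FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver passes the input as data, never as SQL,
    so it is only ever compared against the name column."""
    sql = "SELECT name, price_cents FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input; return (vulnerable_rows, safe_rows)."""
    conn = make_catalogue()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input   :", compare("widget"))
    # A tautology in the input turns the concatenated WHERE clause into one
    # that is always true, so that version dumps every row; the parameterised
    # version simply finds no product with that literal name.
    print("tautology input:", compare("' OR '1'='1"))
```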

13
This slide looks at the people who commit computer crime, and at the various
types of computer crime.
What is the difference between hackers and crackers, and do you agree with
the differentiation? Have you been the victim of computer crime or invasion of
privacy?

What is the ultimate purpose of spoofing and sniffing? Note that there are
legitimate uses of sniffing—sniffers can help identify network trouble spots or
spot criminal activity on a network. Sniffers can also be used to identify
copyrighted data being sent over networks, such as pirated music or video
files.

14
This slide continues the discussion of the types of computer crimes. What is
the result of a DoS attack? The Mirai botnet was responsible for a large-scale
DoS attack that disrupted the operations of Etsy, Netflix, and other major
websites. Bots and botnets are an extremely serious threat because they can
be used to launch very large attacks using many different techniques.

This slide looks at the legal definition of computer crime and the two main
classes of computer crime. The text lists a variety of other examples for
computers as targets and as instruments of crime. Can you provide more
examples? According to the Ponemon Institute, the median annual cost of
cybercrime for organizations in their study was $11.7 million. However, many
companies are reluctant to report computer crimes. Why? What are the most
economically damaging types of computer crime? (DoS, introducing viruses,
theft of services, disruption of computer systems.)

15
This slide continues the discussion of types of computer crime. Have you
encountered any of these types of crimes personally? Note that the U.S.
Congress addressed the threat of computer crime in 1986 with the Computer
Fraud and Abuse Act. This act makes it illegal to access a computer system
without authorization. The text lists other legislation to counter computer crime,
such as the National Information Infrastructure Protection Act in 1996, which
made virus distribution and hacker attacks to disable websites federal crimes.

This slide continues the discussion of types of computer crime. Note that
cybercriminal activities are borderless: the global nature of the Internet makes
it possible for cybercriminals to operate anywhere in the world. Should there
be legislation outlawing click fraud? One concern is the use of computer
attacks by organized governments, and that such attacks might target major
infrastructure such as electrical grids. The text says that at least 20 countries,
including China, are believed to be developing offensive and defensive
cyberwarfare capabilities. One of the leading, if not the leading, countries in
cyberwarfare is the United States.

16
This slide looks at another source of security problems—people inside the
company with access to the system. Have you ever worked somewhere with a
vulnerable password system? Have you ever revealed to anyone what your
password is or was? What are some solutions to password security? Some
financial institutions assign users a new password every day, or every hour.

17
This slide looks at security and other vulnerabilities caused by software errors
that open networks to intruders. Equifax software was hacked in 2017,
resulting in the loss of personal information of over 150 million people. Why is
complete testing not possible with large programs?

The text also gives the example of Microsoft’s service pack upgrades to its
operating system software. Failure to install Windows and Office Service
Packs is one source of security breaches.

18
Please give an example of how inadequate security or control can pose a
serious legal liability. The text gives the example of BJ’s Wholesale Club,
which was sued by the U.S. Federal Trade Commission for allowing hackers to
access its systems and steal credit and debit card data for fraudulent
purchases.

19
20
This slide continues the look at the business value of security and control,
examining the legal requirements for electronic records management. Note
that the Sarbanes-Oxley Act was designed to protect investors after the
scandals at Enron, WorldCom, and other public companies. Sarbanes-Oxley is
fundamentally about ensuring that internal controls are in place to govern the
creation and documentation of information in financial statements. Because
managing this data involves information systems, information systems must
implement controls to make sure this information is accurate and to enforce
integrity, confidentiality, and accuracy.

21
This slide continues the discussion of the business value of security and
control. Security, control, and electronic records management are essential
today for responding to legal actions. What is the most common form of
electronic evidence? (E-mail.)

Note that in a legal action, a firm is obligated to respond to a discovery request
for access to information that may be used as evidence, and the company is
required by law to produce those data. The cost of responding to a discovery
request can be enormous if the company has trouble assembling the required
data or the data have been corrupted or destroyed. Courts impose severe
financial and even criminal penalties for improper destruction of electronic
documents. What is ambient data? Give an example. Given the legal
requirements for electronic records, it is important that awareness of
computer forensics be incorporated into a firm’s contingency planning
process.

22
To improve security for a firm‘s information systems, it is important to create a
framework that supports security. This includes establishing information
systems controls, understanding the risks to the firm’s information systems,
and establishing security policies that are appropriate for the firm. This slide
looks at controls used in information systems. Remember that controls are
methods, policies, and organizational procedures that ensure the safety of an
organization’s assets; the accuracy and reliability of its accounting records;
and operational adherence to management standards. Controls may be
manual or automated. Can you explain the difference between manual and
automated controls (e.g., making sure that computer storage areas are secure
vs. automated virus updates)? There are two main types of controls: general
controls and application controls. General controls apply to all computerized
applications. A list of types of general controls appears on the next slide. What
are the functions of the different types of general controls?

This slide examines the second type of information systems controls,
application controls. Think about what each type of application control does.
(Input controls check data for accuracy and completeness when they enter the
system. There are specific input controls for input authorization, data
conversion, data editing, and error handling. Processing controls establish that
data are complete and accurate during updating. Output controls ensure that
the results of computer processing are accurate, complete, and properly
distributed.)
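The three kinds of application controls can be seen working together on one batch. The example below is added here (it is not the textbook's code); the order rows, clerk user names and report recipients are constructed. Input controls authorize and edit each row, processing controls prove the posting with a record count and an amount total, and output controls release the report only when the totals balance and only to an approved recipient:

```python
"""Input, processing and output controls applied to a batch of orders.

Added example (not the textbook's own code); the order rows, clerk names and
report recipients are constructed for the demonstration."""
import re

AUTHORIZED_CLERKS = {"clerk01", "clerk02"}        # input authorization
REPORT_RECIPIENTS = {"ar_manager", "controller"}  # approved output distribution
CUSTOMER_ID = re.compile(r"^C\d{5}$")             # data-editing rule for IDs


def input_controls(raw_rows):
    """Input controls: check authorization and edit each field on entry.

    Returns (accepted_rows, rejections); rejected rows are reported with the
    reason rather than silently dropped (error handling)."""
    accepted, rejections = [], []
    for row in raw_rows:
        problems = []
        if row.get("entered_by") not in AUTHORIZED_CLERKS:
            problems.append("entered by unauthorized user")
        if not CUSTOMER_ID.match(str(row.get("customer_id", ""))):
            problems.append("malformed customer id")
        amount = row.get("amount_cents")
        if not isinstance(amount, int) or amount <= 0:
            problems.append("amount missing, non-numeric or not positive")
        if problems:
            rejections.append((row.get("order_id"), problems))
        else:
            accepted.append(row)
    return accepted, rejections


def processing_controls(orders, ledger):
    """Processing controls: post orders to the ledger and prove with control
    totals (record count and amount total) that the update was complete."""
    expected_count = len(orders)
    expected_total = sum(o["amount_cents"] for o in orders)
    balance_before = sum(ledger.values())
    posted_records = 0
    for order in orders:
        customer = order["customer_id"]
        ledger[customer] = ledger.get(customer, 0) + order["amount_cents"]
        posted_records += 1
    posted_total = sum(ledger.values()) - balance_before
    return {
        "records": posted_records,
        "posted_total": posted_total,
        "balanced": posted_records == expected_count and posted_total == expected_total,
    }


def output_controls(summary, recipient):
    """Output controls: release the posting report only when the control totals
    balance and only to an approved recipient."""
    if recipient not in REPORT_RECIPIENTS:
        raise PermissionError(f"report may not be distributed to {recipient}")
    if not summary["balanced"]:
        raise RuntimeError("control totals do not balance; report withheld")
    return (f"{summary['records']} orders posted, total "
            f"{summary['posted_total'] / 100:.2f}, sent to {recipient}")


SAMPLE_ROWS = [  # constructed batch: two valid rows, two that must be rejected
    {"order_id": 1, "customer_id": "C00042", "amount_cents": 12500, "entered_by": "clerk01"},
    {"order_id": 2, "customer_id": "C00042", "amount_cents": 3999, "entered_by": "clerk02"},
    {"order_id": 3, "customer_id": "42", "amount_cents": 500, "entered_by": "clerk01"},
    {"order_id": 4, "customer_id": "C00077", "amount_cents": -1, "entered_by": "intern"},
]


def run_batch(rows, recipient):
    """Apply the three control layers in order and return all of their results."""
    accepted, rejections = input_controls(rows)
    summary = processing_controls(accepted, {})
    return accepted, rejections, summary, output_controls(summary, recipient)


if __name__ == "__main__":
    print(run_batch(SAMPLE_ROWS, "controller"))
```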

23
This slide looks at another important factor in establishing an appropriate
framework for security and control: risk assessment. Although not all risks can
be anticipated and measured, most businesses should be able to identify many
of the risks they face and understand their potential losses.

24
The table illustrates sample results of a risk assessment for an online order
processing system that processes 30,000 orders per day. The likelihood of
each exposure occurring over a one-year period is expressed as a
percentage. The expected annual loss is the result of multiplying the
probability by the average loss. Please rank the three risks listed here in order
of most important to minimize.

25
This slide looks at the need for a firm to establish a security policy for
protecting a company’s assets, as well as other company policies the security
policy drives, and how information systems support this. What types of issues
would be covered under an AUP? (Privacy, user responsibility, and personal
use of company equipment and networks, unacceptable and acceptable
actions for every user, and consequences for noncompliance.)

This slide looks at the area of security policy involved in managing identities of
system users. Why should businesses consider it important to specify which
portion of an information system a user has access to? What kinds of
information require very high levels of security access? What rules might be
used to determine access rules? One rule is “need to know.”

26
Figure 8.3, Page 314.
These two examples represent two security profiles or data security patterns
that might be found in a personnel system. Depending on the security profile,
a user would have certain restrictions on access to various systems, locations,
or data in an organization.

This graphic illustrates the security allowed for two sets of users of a
personnel database that contains sensitive information such as employees’
salaries and medical histories. One set of users consists of all employees who
perform clerical functions, such as inputting employee data into the system. All
individuals with this type of profile can update the system but can neither read
nor update sensitive fields, such as salary, medical history, or earnings data.
Another profile applies to a divisional manager, who cannot update the system
but who can read all employee data fields for his or her division, including
medical history and salary. These security profiles are based on access rules
supplied by business groups in the firm.

Full description: A chart shows the access rules for a personnel system. The
chart is titled Security Profile 1 at the top, followed by the information as
follows. User, Personnel Department Clerk. Location, Division 1. Employee
identification codes with this profile, 00753, 27834, 37665, 44116.
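The two profiles described above can be expressed directly as access rules. The example below is added here and is not the textbook's code: the employee identification codes are the ones from the figure, the record contents and division assignments are constructed, and scoping both profiles to their own division is an assumption the notes only make explicit for the manager.

```python
"""Security profiles for a personnel database, following the two profiles the
notes describe for Figure 8.3: a Personnel Department Clerk who may update
records but never reads or updates sensitive fields, and a Divisional Manager
who may read every field for his or her own division but update nothing.

Added example, not the textbook's own code. Employee IDs are from the figure;
record contents are constructed; division scoping for both is an assumption."""
from dataclasses import dataclass

SENSITIVE_FIELDS = frozenset({"salary", "medical_history", "earnings"})
ALL_FIELDS = frozenset({"employee_id", "name", "division", "job_title"}) | SENSITIVE_FIELDS


@dataclass(frozen=True)
class Profile:
    user: str
    division: str
    readable: frozenset
    updatable: frozenset


# Security Profile 1: the clerk may read and update only non-sensitive fields.
CLERK = Profile("Personnel Department Clerk", "Division 1",
                readable=ALL_FIELDS - SENSITIVE_FIELDS,
                updatable=ALL_FIELDS - SENSITIVE_FIELDS)

# Security Profile 2: the manager reads everything in the division, updates nothing.
MANAGER = Profile("Divisional Manager", "Division 1",
                  readable=ALL_FIELDS, updatable=frozenset())

PERSONNEL = {  # constructed records keyed by employee identification code
    "00753": {"employee_id": "00753", "name": "Employee A", "division": "Division 1",
              "job_title": "Analyst", "salary": 52000, "medical_history": "none",
              "earnings": 52000},
    "27834": {"employee_id": "27834", "name": "Employee B", "division": "Division 1",
              "job_title": "Technician", "salary": 41000, "medical_history": "allergy",
              "earnings": 43500},
    "37665": {"employee_id": "37665", "name": "Employee C", "division": "Division 2",
              "job_title": "Engineer", "salary": 68000, "medical_history": "none",
              "earnings": 68000},
}


def read_record(profile, employee_id):
    """Return only the fields the profile may see, and only within its division."""
    record = PERSONNEL[employee_id]
    if record["division"] != profile.division:
        raise PermissionError(f"{profile.user} may not access {record['division']}")
    return {name: value for name, value in record.items() if name in profile.readable}


def update_field(profile, employee_id, field_name, value):
    """Apply an update only if the profile may change that field in that division."""
    record = PERSONNEL[employee_id]
    if record["division"] != profile.division:
        raise PermissionError(f"{profile.user} may not access {record['division']}")
    if field_name not in profile.updatable:
        raise PermissionError(f"{profile.user} may not update {field_name}")
    record[field_name] = value
    return read_record(profile, employee_id)


if __name__ == "__main__":
    print(read_record(CLERK, "00753"))    # no salary, medical history or earnings
    print(read_record(MANAGER, "27834"))  # every field, manager's own division
```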

27
This slide continues the discussion of essential activities a firm performs to
maximize security and control, here looking at planning for activities should a
disaster occur, such as a flood, earthquake, or power outage. Note that
disaster recovery plans focus primarily on the technical issues involved in
keeping systems up and running, such as which files to back up and the
maintenance of backup computer systems or disaster recovery services.
Credit card firms, for instance, maintain duplicate computer centers to serve
as an emergency backup to their primary computer centers. Why is it important
that both business managers and information systems specialists work
together on these plans?

28
This slide looks at the role of auditing. An MIS audit enables a firm to
determine if existing security measures and controls are effective.

29
Figure 8.4, Page 316.
This chart is a sample page from a list of control weaknesses that an auditor
might find in a loan system in a local commercial bank. This form helps
auditors record and evaluate control weaknesses and shows the results of
discussing those weaknesses with management as well as any corrective
actions management takes.

This graphic illustrates a sample page from an auditor’s listing of control
weaknesses for a loan system. It includes a section for notifying management
of such weaknesses and for management’s response. Management is
expected to devise a plan for countering significant weaknesses in controls.

Full description: A table shows the sample auditor’s list of control weaknesses.
The table shows the following information at the top. Function, Loan. Location,
Peoria, Illinois. Prepared by, J Ericson. Date, June 16, 2018. Received by, T
Benson. Review date, June 28, 2018. There are three headings labeled
Nature of Weakness, Chance for Error or Abuse, Notification to Management.
Below Chance for Error or Abuse and Notification to Management are the
labels yes or no, justification, report date, and management response. The
data below these labels is as follows. 1. The nature of weakness is User
accounts with missing passwords, Chance for Error or Abuse is yes, the

30
This slide looks at the technologies used for identifying and authenticating
users. Which of the various authentication methods seems the most
foolproof? Passwords are the traditional method of authentication; newer
methods include tokens, smart cards, and biometric authentication. Have any
of you used authentication methods other than passwords to access a
system? Please give examples of things that can be used for biometric
authentication (voices, irises, fingerprints, palmprints, face recognition).
Smartphones typically now use fingerprint authentication, and some PCs can
be ordered with fingerprint authentication of the user. What are some problems
with strict biometric authentication for PCs or smartphones?

31
This slide looks at an essential tool used to prevent intruders from accessing
private networks—firewalls. To create a strong firewall, an administrator must
maintain detailed internal rules identifying the people, applications, or
addresses that are allowed or rejected. Firewalls can deter, but not completely
prevent, network penetration by outsiders and should be viewed as one
element in an overall security plan.

Can you differentiate between the screening technologies listed here? Note
that these are often used in combination.

32
Figure 8.5, Page 319.
The firewall is placed between the firm’s private network and the public
Internet or another distrusted network to protect against unauthorized traffic.

This graphic illustrates the use of firewalls on a corporate network. Notice that
here, a second, “inner” firewall protects the web server from access through
the internal network.

Full description: A diagram depicts a corporate firewall. The diagram shows the
following components from left to right with a two-way arrow between them:
Internet, Outer firewall, Web server, Inner firewall, Corporate systems, and
Database. The diagram also shows two-way arrows between policy rules and
the outer and inner firewalls. Also, various user computers are connected to
the corporate systems through LANs.

33
This slide looks at additional tools to prevent unwanted intruders and software
from accessing the network. What antivirus and antispyware tools do you use?
Why do these tools require continual updating? Why would UTM packages
include anti-spam software?

34
This slide looks at the tools and technologies used to secure wireless
networks. For those with laptops: what types of wireless security are available
to you, and which one do you use?

35
This slide introduces the use of encryption to ensure that data traveling along
networks cannot be read by unauthorized users. Explain what encryption
involves: the use of an encryption key (a numerical code) to transform a
message into undecipherable text. The cipher text requires a key to be
decrypted and read by the recipient.

36
This slide discusses the use of encryption to ensure that data traveling along
networks cannot be read by unauthorized users. Please explain the difference
between symmetric key encryption and public key encryption. (In symmetric
key encryption, the sender and receiver establish a secure Internet session by
creating a single encryption key and sending it to the receiver so both the
sender and receiver share the same key. Public key encryption uses two keys:
one shared (or public) and one totally private. The keys are mathematically
related so that data encrypted with one key can be decrypted using only the
other key. To send and receive messages, communicators first create separate
pairs of private and public keys. The public key is kept in a directory and the
private key must be kept secret. The sender encrypts a message with the
recipient’s public key. On receiving the message, the recipient uses his or her
private key to decrypt it.) Why is public key encryption stronger than symmetric
key encryption? Note that the strength of an encryption key is measured by its
bit length. Today, a typical key will be 128 bits long (a string of 128 binary
digits).

37
Figure 8.6, Page 321.
A public key encryption system can be viewed as a series of public and private
keys that lock data when they are transmitted and unlock the data when they
are received. The sender locates the recipient’s public key in a directory and
uses it to encrypt a message. The message is sent in encrypted form over the
Internet or a private network. When the encrypted message arrives, the
recipient uses his or her private key to decrypt the data and read the message.

This graphic illustrates the steps in public key encryption. The sender encrypts
data using the public key of the recipient; data encrypted with this public key
can only be decrypted with the recipient’s private key.
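The key relationship described on these two slides (each party has its own pair; what the recipient's public key locks, only the recipient's private key unlocks) can be traced through with textbook RSA on small primes. This example is added here, not taken from the textbook; the primes and the message are constructed, and the 12-bit modulus shows the arithmetic only and is not a usable cipher.

```python
"""Public-key encryption round trip with textbook RSA on small primes.

Added example to illustrate the steps in Figure 8.6; it is not the textbook's
own code. The primes are constructed so the numbers stay readable."""
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class KeyPair:
    public: tuple   # (e, n): published in the directory
    private: tuple  # (d, n): kept secret by the owner


def make_keypair(p, q, e=17):
    """Derive a key pair from two distinct primes; d is the inverse of e mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return KeyPair(public=(e, n), private=(d, n))


def encrypt(message, public_key):
    """Sender: lock each byte with the recipient's public key (one block per byte)."""
    e, n = public_key
    return [pow(byte, e, n) for byte in message]


def decrypt(ciphertext, private_key):
    """Recipient: unlock each block with the private exponent; only the matching
    (d, n) turns the blocks back into the original byte values."""
    d, n = private_key
    return [pow(block, d, n) for block in ciphertext]


def exchange(message, recipient):
    """Steps of Figure 8.6: take the recipient's public key from the directory,
    encrypt, transmit the blocks, and let the recipient decrypt with the private key."""
    cipher = encrypt(message, recipient.public)
    return cipher, bytes(decrypt(cipher, recipient.private))


# Constructed keys: each party generates its own pair.
ALICE = make_keypair(61, 53)   # n = 3233, d = 2753
BOB = make_keypair(67, 71)     # n = 4757

if __name__ == "__main__":
    cipher, plain = exchange(b"Hi", BOB)
    print(cipher, plain)
    # Someone holding only a different private key, or just Bob's public key,
    # gets values that are not the original bytes.
    print(decrypt(cipher, ALICE.private))
    print(decrypt(cipher, BOB.public))
```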

38
This slide looks at the use of digital certificates as a tool to help protect online
transactions. Digital certificates are used in conjunction with public key
encryption to validate the identities of two parties in a transaction before data
is exchanged.

39
Figure 8.7, Page 322.
Digital certificates help establish the identity of people or electronic assets.
They protect online transactions by providing secure, encrypted, online
communication.

This graphic illustrates the process for using digital certificates. The institution
or individual requests a certificate over the Internet from a CA; the certificate
received from the CA can then be used to validate a transaction with an online
merchant or customer.

Full description: A diagram shows the process of receiving digital certificates.
The diagram shows Certification Authorities, or CAs, at different levels
connected to the Internet. The institution or individual subject requests the
certificate through the Internet. The certificate received is shown as follows:
Digital Certificate Serial Number, Version, Issue Number, Issuance and
Expiration Date, Subject Name, Subject Public Key, CA Signature, and Other
Information. Also, the institution or individual subject is shown connected to the
transaction partner, or online merchant or customer.

40
This slide looks at technologies and tools for ensuring system availability. Why
does online transaction processing require 100% availability? Note that firms
with heavy e-commerce processing, or that depend on digital networks for
their internal operations, require at minimum high-availability computing, using
tools such as backup servers, distribution of processing across multiple
servers, high-capacity storage, and good disaster recovery and business
continuity plans.

This slide continues the discussion of techniques to minimize downtime and
improve network performance. Deep packet inspection enables a network to
sort low-priority data packets from high-priority ones in order to improve
performance for business-critical communication. What types of network traffic
would be suitable for assigning lower priority in a business setting?

41
This slide describes security concerns specific to cloud computing and mobile
computing. What are the key factors to consider in ensuring a provider has
adequate protection (downtime, privacy, and privacy rules in accordance with
jurisdiction, external audits, disaster planning)?

42
This slide looks at securing mobile systems. What specific concerns are there
with mobile devices? One very common security breach involves employees
losing phones while traveling. In some cases, the rule is, “lose your phone,
lose your job.” Mobile devices such as tablets will increasingly store a
considerable amount of corporate information. Then again, if the data is
largely stored in the cloud, and passwords are required for access, then the
threat is reduced.

43
This slide looks at ensuring software quality as a way to improve system
quality and reliability by employing software metrics and rigorous software
testing. Ongoing use of metrics allows the information systems department
and end users to jointly measure the performance of the system and identify
problems as they occur.

44
45
A good opportunity for a class discussion of the new Section on careers.
Would any in the class be interested in a job like this? What do you think are
the most important skills the employer is looking for? How would you answer
the interviewer questions?

46