CHAPTER 8:

SECURING INFORMATION
SYSTEMS

COM 2KA3:
INFORMATION SYSTEMS IN MGMT
System Vulnerability & Abuse

Security:
Policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to
information systems

Controls:
Methods, policies, and organizational procedures that ensure safety
of organizations assets; accuracy and reliability of its accounting
records; and operational adherence to management standards
https://www.youtube.com/watch?v=eUxUUarTRW4
System Vulnerability & Abuse
Why systems are vulnerable?
1. Hardware problems (breakdowns, configuration errors, damage
from improper use or crime)
2. Software problems (programming errors, installation errors,
unauthorized changes)
3. Disasters
4. Use of networks/computers outside of firms control
5. Loss and theft of portable devices
6. Accessibility of networks
System Vulnerability & Abuse
System Vulnerability & Abuse
Vulnerabilities:

Partners Mobile Internet Wireless

System Vulnerability & Abuse
Malicious Software programs (aka Malware)

Rogue software programs that attach to other programs in

order to be executed, usually without user knowledge or
permission

Programs that copy themselves from one computer to another

over networks
Can destroy data, programs, and halt operation of computer
networks
System Vulnerability & Abuse
Malicious Software programs (aka Malware) (Cont.)

A software program that appears to be nonthreatening, but then does something

unexpected
Not itself a virus or other malicious codes to be introduced into a computer system
Often transports a virus into a computer system

Hackers submit data to Web forms that exploits sites unprotected

software and sends rogue SQL query to database

Keyloggers: records every keystroke made on a computer to

steal numbers for software
Can steal passwords, etc
System Vulnerability & Abuse
Hackers and Computer Crime
Hacker: individual who intends to gain unauthorized access to
computer system
Cracker: used to denote a hacker with criminal intent although, in
the public press, the terms hacker and cracker are used
interchangeably
Both gain unauthorized access by finding weaknesses in the
security protections employed by web sites and computer systems
Cybervandalism

Spoofing
camouflaged as someone else, or redirecting a Web link to an
unintended address

Sniffing
an eavesdropping program that monitors information travelling over a
network
Enables hackers to steal exclusive information such as e-mail, company
files, and so on
System Vulnerability & Abuse
Hackers and Computer Crime
Denial of Service (Dos) Attacks

Hackers flood a server with false communications in order to crash

the system

Distributed Denial of Service (DDoS): uses numerous computers to

launch a DoS

https://www.youtube.com/watch?v=OhA9PAfk
J10
System Vulnerability & Abuse
Hackers and Computer Crime
Identity theft
A crime in which the imposter obtains key
pieces of personal information (e.g. SIN
number, credit card numbers) to impersonate
someone else

Phishing
Setting up fake Web sites or sending email
messages that look legitimate, and using
them to ask for confidential data
Techniques are called evil twins: wireless
networks that pretend to offer trustworthy
Wi-Fi connections to the internet
System Vulnerability & Abuse
Hackers and Computer Crime
Pharming
Redirects users to a bogus web site
even when the individual types the
correct Web page address

Possible if pharming perpetrators gain

access to the Internet address
information stored by ISP companies
and ISP companies have flawed
software that allows fraudsters to hack
in and change those addresses
System Vulnerability & Abuse
Hackers and Computer Crime
Click fraud
Individual or computer program fraudulently click
on an online ad without any intention of learning
more about the advertiser or making a purchase
Bogus clicks to drive up pay-per-clicks

Some companies hire third parties to fraudulently

click on a competitors ads to weaken them by
driving up their marketing costs

Cyberwarfare: state-sponsored activity

designed to cripple and defeat another state or
nation by penetrating its computers or
networks for the purpose of causing damage
and disruption
System Vulnerability & Abuse
Internal threats (employees)
Security threats often originate inside an
organization
Sloppy security procedures
User lack of knowledge is the greatest single
cause of network security breaches
Social engineering:
Tricking employees into revealing their
passwords by pretending to be legitimate
members of the company in need of
information
System Vulnerability & Abuse
Software vulnerability
Commercial software contains flaws that create security vulnerabilities

Hidden bugs (program code defects)

Virtually impossible to eliminate all bugs from large programs

Main source of bugs is the complexity of decision-making code

Flaws can open networks to intruders

Patches: software vendor create small pieces of software

Used to repair the flaws without disturbing the proper operation of the
software
Business Value of Security & Control

A security breach may cut into firms market value

almost immediately
Inadequate security and controls also bring forth
issues of liability
Some believe that 40% of all businesses will not
recover from application or data losses that are not
repaired within 3 days
Strong security and control also increase employee
productivity and lower operational costs
Business Value of Security & Control
Legal & regulatory requirements for Electronic Records Management

PIPEDA

Protection, privacy, confidentiality, integrity, and accuracy

Canadian Sox (C-Sox) and Sarbanes-Oxley Act were designed to protect investors after the financial scandals

C-sox imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial
information that is used internally and released externally

Electronic evidence & computer forensics

Electronic document retention policy

Courts now impose sever financial and even criminal penalties for improper destruction of electronic documents

Computer forensics:

The scientific collection, examination, authentication, preservation, and analysis of data in such a way that the information
can be used as evidence in a court of law

Deals with:

Recovering data from computers while persevering evidential integrity

Securely storing and handling recovered electric data

Finding significant information in a large volume of electric data

Presenting the information to a court of law

Business Value of Security & Control

Targets security teams malware detector alerted of a possible breach on

November 30th and December 2nd
Management did not respond swiftly; could have cut short the breach that affected
November 27- December 18
Stolen: 40,000,000 credit and debit card records +
70,000,000 other records with other customer information
Function to automatically delete detected malware was turned off by the security
team
Target is currently overhauling their information security practices.
https://www.youtube.com/watch?v=pom42RDo_wE
A Framework for Security & Control

Information system controls

General controls
Applyto all computerized applications and consist of a
combination of hardware, software, and manual
procedures that create an overall control environment
A Framework for Security & Control

Software
controls

Administrative Hardware
controls controls

General
Controls
Computer
Implementation
operations
controls
control

Data security
controls
A Framework for Security & Control
A Framework for Security & Control
Information system controls
Application controls
Specific controls unique to each computized application

Input
controls

Application
controls
Output Processing
controls controls
A Framework for Security & Control

Risk Assessment
Determine level of risk to the firm in the case of improper controls
After they have been analyzed, system developers will concentrate on
the control points with greatest vulnerability and potential for loss
 A Framework for Security & Control
Security policy: ranking information risks, identifying
acceptable security goals, and identifying the mechanisms
for achieving these goals
Acceptable Use Policy (AUP): define acceptable uses of
the firms information resources and computing
equipment, including desktop and laptop computers,
wireless devices, telephones and the internet
Clarify company policy regarding privacy, user
responsibility, and personal use of company
equipment and network Authorization
A good AUP defines unacceptable and acceptable
actions for every user and specifies consequences
for noncompliance
Identity management: firms processes and software
tools for identifying the valid users of a system and
controlling their access to system resource
Identity management systems
A Framework for Security & Control

Disaster recovery planning

devises plans for the restoration of computing and communications services after they have
been disrupted

Focus primarily on technical issues involved in keeping systems up and running

Business continuity planning

focuses on how the company can restore business operations after a disaster strikes.

identifies critical business processes and determines action plans for handling mission-critical
functions if systems go down
A Framework for Security & Control
The role of auditing
An MIS audit examines the firms overall security environment as well as
controls governing individual information systems

reviews technologies, procedures, documentation, training, and personnel

lists and ranks all control weaknesses and estimates the probability of their
occurrence

assesses the financial and organizational impact of each threat

Thorough audit will even simulate an attack or disaster to test the response
of the technology, IS staff, and business employees

Audit lists and ranks all control weakness and estimates the probability of their
occurrence
 Technologies and Tools
Identity management and authentication
Authentication is the ability to know that a
person is who he or she claims to be

https://www.youtube.com/watch?v=4Kusj
m-fapA
Technologies and Tools
Prevention and Resistance
Firewalls

Prevent unauthorized users from accessing private networks

Hardware and software controlling flow of incoming and outgoing
network traffic
Create a good firewall, an administrator must maintain detailed internal
rules identifying the people, applications, or addresses that are allowed
or rejected
Technologies and Tools
Technologies and Tools
Prevention and Resistance
Intrusion Detection Systems

Full-time monitoring tools placed at the most vulnerable points of the corporate networks to detect
and deter intruders continually

Can also be customized to shut down a particularly sensitive part of a network if it receives unauthorized
traffic

Antivirus and Antispyware Software

Prevents, detects, and remove malware

Most antivirus software is effective only against malware already known when the software was written

Antivirus software must be continually updated

Unified Threat Management Systems

Security vendors have combined into a single appliance various security tools

Available for all sizes of networks

Technologies and Tools
Encryption and public key infrastructure

Encryption:

Coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data
being transmitted

Data are encrypted by using a secret numerical code

Secure sockets layer (SSL) and Transport Layer Security (TLS) enable client and server computers
to manage encryption and decryption activities as they communicate with each other during a secure
web session

Secure hypertext transfer Protocol (S-HTTP) used for encrypting data flowing over the internet

Client and the server negotiate what key and what level of security to use
 Two methods of encryption

Symmetric key encryption: sender and receiver establish a secure

internet session by creating a single encryption key and sending it to
the receiver so both the sender and receiver share the same key

Strength of the encryption key is measured by its bit length

Problem: key must be shared somehow among both parties

which exposes the key to outsiders

Public key encryption: uses 2 keys one shared (or public) and one
totally private; keys are mathematically related so that data encrypted
with one key can only be decrypted using the other key
Technologies and Tools
Digital Certificates
Data files used to establish the identity of users and
electronic assets for protection of online
transactions
Public key infrastructure (PKI): use of
public key cryptography working with a CA,
is now widely used in e-commerce

https://www.youtube.com/watch?v=i-rtxrEz_E8
Technologies and Tools
Ensuring System Availability

Online transaction processing: transactions entered online are immediately processed by the computer

Downtime: periods of time in which a system is not operational

High-availability computing: try to minimize downtime; helps firms recover quickly from a system crash

Minimum requirement for firms with heavy e-commerce processing of that depend on digital networks for their internal
operations

Fault tolerant systems: redundant hardware, software, and power supply components that create an environment that provides
continuous, uninterrupted service; and the elimination of recovery time altogether

Recovery-oriented computing: recover quickly and implementing capabilities and tools to help operations pinpoint the sources of
faults in mutli-component systems and easily correct their mistakes

Controlling Network Traffic

Deep packet inspection (DPI): examines data files and sorts out low-priority online material while assigning higher priority
to business critical files

Security outsourcing

Managed security service provider (MSSP) that monitor network activity and perform vulnerability testing and intrusion
detection
Technologies and Tools
Security in the cloud
Allcloud providers use encryption to secure the
data they handle while the data are being
transmitted
https://www.youtube.com/watch?v=55jdSe7Ro68
Securing mobile platforms
Firms should encrypt communication whenever
possible
Employees use only company-issued smartphones
Blackberry devices are considered the most secure
because they run within their own secure system