
Managing Information Systems

Seventh Canadian Edition

Laudon, Laudon and Brabston

CHAPTER 8
Securing Information Systems

Copyright © 2015 Pearson Canada Inc. 8-1


System Vulnerability and Abuse

• Security:
– Policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or
physical damage to information systems
• Controls:
– Methods, policies, and organizational procedures that
ensure safety of organization’s assets; accuracy and
reliability of its accounting records; and operational
adherence to management standards



System Vulnerability and Abuse

Why systems are vulnerable
– Accessibility of networks
– Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
– Software problems (programming errors, installation errors, unauthorized changes)
– Disasters
– Use of networks/computers outside of firm's control
– Loss and theft of portable devices



[INSERT FIGURE 8.1]



Internet Vulnerabilities

• Network open to anyone
• E-mail
• Attachments with malicious software
• Transmitting trade secrets
• Interception



Malicious Software: Viruses, Worms, Trojan
Horses, and Spyware

Computer viruses:
• Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
Worms:
• Programs with ill intent that can copy themselves from one computer to another over networks by exploiting security vulnerabilities
Trojan horses:
• Software programs that appear to be benign but then do something unexpected



Spoofing and Sniffing

Spoofing
• masquerading as someone else, or redirecting a Web link to an unintended address
Sniffing
• an eavesdropping program that monitors information travelling over a network

Distributed Denial of Service (DDoS):
• Hackers flood a server with false communications
Computer Crime

Identity theft
• A crime in which the imposter obtains key pieces of personal information
Phishing
• Setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data
Pharming
• Redirects users to a bogus web site



The Real Threat of DoS

On Oct 5, 2012, Hotmail shut down all communications with UW e-mail servers
• All e-mails between Hotmail accounts and UW accounts are rejected
What happened
• Some hacker got control of several hundred UW e-mail accounts and used them to send mass e-mails to Hotmail, presumably attempting to crash it.
• Hotmail identified the problem (all e-mails came from the UW server) and, as the only means of defense, rejected all e-mails from UW accounts
• Denial of service to all UW users.

[INSERT TABLE 8.3]



Hackers and Computer Crime

Hackers:
• individuals who attempt to gain unauthorized access to a computer system
• Cracker: a hacker with criminal intent

Cybervandalism:
• intentional disruption, defacement, or destruction of a Web site or system

Computer Crime: violation of criminal law that involves a knowledge of technology for perpetration, investigation, or prosecution
Computer Crime (cont.)

Click Fraud
• Bogus clicks to drive up pay-per-clicks
Cyberterrorism and Cyberwarfare
• Exploitation of systems by terrorists
Adware – any software package that automatically
downloads, displays, or plays advertisements to a
computer, often without the user’s permission in the
form of a pop-up
Spyware – software that secretly installs on a user’s
machine and collects information about the user
without their knowledge
More

Replay attack – a valid data transmission is maliciously repeated at a later time
Salami attack – many small amounts, each too small to be noticed, are taken and added up into a large one
Email spam – junk emails; a subset of spam that sends nearly identical messages to numerous recipients by e-mail, often for advertisement
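The replay attack defined above is defeated on the receiving side by making every message unique and authentic: the sender binds a fresh nonce and a timestamp to the payload under a keyed hash, and the receiver refuses any tag that does not verify, any timestamp outside a short window, and any nonce it has already accepted. The following Python is an added example written for this page, not code from the slides or the textbook; the shared key, the message format and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret and acceptance window for the example (hypothetical values).
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 30


def make_message(payload, nonce, sent_at, key=SHARED_KEY):
    """Sender side: bind payload, a fresh nonce and a timestamp together under an HMAC tag."""
    body = {"payload": payload, "nonce": nonce, "sent_at": sent_at}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Receiver side: accept each authentic (nonce, timestamp) pair at most once."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()   # in a real service this would be a store with expiry

    def accept(self, msg, now):
        """Return (accepted, reason). `now` is the receiver's clock, passed in for testability."""
        body = {k: v for k, v in msg.items() if k != "tag"}
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"
        # A recorded message replayed much later fails the freshness window first ...
        if abs(now - msg["sent_at"]) > self.max_skew:
            return False, "stale timestamp"
        # ... and one replayed inside the window is caught by the nonce it reuses.
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


if __name__ == "__main__":
    guard = ReplayGuard()
    original = make_message("transfer 100", "nonce-1", 1000.0)
    print(guard.accept(original, 1005.0))   # first delivery is accepted
    print(guard.accept(original, 1010.0))   # the same bytes again are rejected
```

The tag covers the nonce and timestamp as well as the payload, so an attacker who records a message cannot refresh its timestamp or swap in a new nonce without the key; and because the nonce set only needs to remember nonces inside the window, it stays bounded.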



Security Services

• Authentication: assurance that the communicating entity is the one claimed
• Access Control: prevention of the unauthorized use of a resource
• Data Confidentiality: protection of data from unauthorized disclosure
• Data Integrity: assurance that data received is as sent by an authorized entity
• Availability: assurance that services are available when needed
• Non-Repudiation: protection against denial by one of the parties in a communication

Implementation

Firewall
Provide authentication and access control
Example: packet filtering firewall, proxy firewall
Antivirus software
Provide data and system integrity, access control
Example: Norton, Trend Micro, AVG etc.
Hardware Controls
Provide authentication, access control, availability
Example: dedicated hardware, smartcard, fingerprint scan, retina scan, VPN dongle, backup etc.
Security software
Service provided depends on type of security software used (authentication, confidentiality, integrity, access control etc.)
User awareness
Core of any implementation

Firewalls, Intrusion Detection Systems, and Antivirus Software

Firewalls: Hardware and software controlling flow of incoming and outgoing network traffic
• Packet Filtering (examines fields in headers of data packets within network)
• Stateful Inspection (whether packets are part of an ongoing dialogue between sender and receiver)
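The difference between the two firewall techniques on this slide is easiest to see in code. A packet filter decides on header fields alone, so to let replies to connections the LAN opened come back in, it has to leave high ports open to any non-opening packet; stateful inspection remembers which dialogues the LAN started and admits an inbound packet only if it is the reply half of one of them. The following Python is an added example written for this page, not code from the slides; the address 10.0.0.5 as the web server, the 10.0.0.0/8 LAN and the outside addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP connection-opening flag, read from the header

# Constructed policy: the LAN may open connections anywhere; from outside, only the
# web server's port 80 is published.
WEB_SERVER = "10.0.0.5"


def packet_filter(pkt):
    """Stateless packet filtering: judge each packet by its header fields alone."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp" and pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80:
        return True
    # Replies to connections the LAN opened arrive on high ports without SYN set.
    # A stateless filter cannot tell a genuine reply from an unsolicited packet that
    # merely looks like one, so this rule admits both.
    if pkt.proto == "tcp" and not pkt.syn and pkt.dst_port >= 1024:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: inbound traffic is admitted only as part of a dialogue the LAN began."""

    def __init__(self):
        self.sessions = set()   # 5-tuples of connections opened from inside

    def allow(self, pkt):
        if pkt.direction == "out":
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.proto == "tcp" and pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80:
            return True
        # Mirror the tuple: an inbound reply has our host as destination and theirs as source.
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reply_of in self.sessions


def compare(packets):
    """Run the same packet sequence through both designs; returns (stateless, stateful) per packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.allow(p)) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a LAN host browses out, gets its reply, then a stranger sends a
    # packet that is shaped exactly like a reply but belongs to no session.
    trace = [
        Packet("out", "tcp", "10.0.0.23", 50000, "203.0.113.7", 443, syn=True),
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.23", 50000),
        Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.23", 50000),
    ]
    for pkt, (stateless, stateful) in zip(trace, compare(trace)):
        print(pkt.direction, pkt.src_ip, "->", pkt.dst_ip, "stateless:", stateless, "stateful:", stateful)
```

The third packet is the point of the slide: both designs accept the real reply, but only the stateful firewall rejects the look-alike packet, because it is not part of any ongoing dialogue.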
Firewalls, Intrusion Detection Systems and Antivirus Software

Intrusion Detection Systems
• Full-time monitoring tools placed at the most vulnerable points of the corporate networks to detect and deter intruders
Antivirus and Antispyware
• Checks computer systems for viruses



Cryptography

It is the study of encryption – rendering a message unreadable based on a key
Foundation of many security services mentioned above
The strength of an encryption depends on the size of the key
The longer the key used, the harder it is to guess what the message is about
Analogy: the longer the password, the harder it is to guess

Transformation based on a key (here each letter is shifted three places along the alphabet):
meet me after    becomes    PHHW PH DIWHU
the toga party   becomes    WKH WRJD SDUWB

Brute Force Search

Always possible to simply try every key to guess the actual key used in an encryption
Difficulty is proportional to key size (the times below assume half the key space is searched on average)

Key Size (bits)   Number of Alternative Keys     Time required at 10^6 Decryptions/µs
32                2^32  = 4.3 x 10^9             2.15 milliseconds
56                2^56  = 7.2 x 10^16            10 hours
128               2^128 = 3.4 x 10^38            5.4 x 10^18 years
168               2^168 = 3.7 x 10^50            5.9 x 10^30 years
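The two preceding slides can be run as one small program: the letter-shift transformation that turns "meet me after the toga party" into "PHHW PH DIWHU WKH WRJD SDUWB", a brute-force search that recovers the plaintext by trying all 25 possible shifts, and the arithmetic behind the key-size table (half the key space, at 10^6 decryptions per microsecond). This Python is an added example written for this page, not code from the slides; the year length used to convert seconds to years is the only assumption beyond what the slides state.

```python
def shift_letter(ch, key):
    """Shift one letter `key` places along the alphabet, wrapping around; leave other characters alone."""
    if ch.isalpha():
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base + key) % 26 + base)
    return ch


def caesar_encrypt(plaintext, key):
    """The slide's transformation: shift every letter by `key`, written in capitals as on the slide."""
    return "".join(shift_letter(c, key) for c in plaintext).upper()


def caesar_decrypt(ciphertext, key):
    return "".join(shift_letter(c, -key) for c in ciphertext).lower()


def brute_force_caesar(ciphertext):
    """Try every possible key. There are only 25, which is exactly why this cipher is weak:
    the attacker reads off the one candidate that looks like English."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(1, 26)}


def average_search_seconds(key_bits, decryptions_per_microsecond=1e6):
    """Expected time to find a random key of `key_bits` bits: on average half the key space is tried."""
    keys = 2 ** key_bits
    return (keys / 2) / (decryptions_per_microsecond * 1e6)


def brute_force_table(key_sizes=(32, 56, 128, 168)):
    """Reproduce the slide's table as rows of (bits, number of keys, average seconds, average years).
    A year is taken as 365.25 days (assumption)."""
    rows = []
    for bits in key_sizes:
        seconds = average_search_seconds(bits)
        rows.append((bits, 2 ** bits, seconds, seconds / (365.25 * 24 * 3600)))
    return rows


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)
    for key, candidate in brute_force_caesar(ct).items():
        print(f"key {key:2d}: {candidate}")
    for bits, keys, seconds, years in brute_force_table():
        print(f"{bits:3d} bits: {keys:.1e} keys, {seconds:.3g} s = {years:.3g} years")
```

The same loop structure that breaks the 25-key cipher in a millisecond is what the table is pricing for 2^32, 2^56, 2^128 and 2^168 keys; the only thing that changes is the number of iterations, which is why key length, not secrecy of the method, carries the strength.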
Symmetric Key Encryption vs. Public Key Encryption

Symmetric key encryption: the same key is used to encrypt and decrypt the data
This is what people usually refer to as "encryption"
Protects secrecy
Examples: DES, Triple DES, AES, RC4/5, WEP
Public key encryption: uses a pair of keys (one called the public key and one called the private key). One key is used to encrypt and the other is used to decrypt
Though it can be used to protect secrecy, it is often used to generate digital signatures
Example: PKI, RSA

Image Source: http://techliberation.com/wp-content/uploads/2011/01/encryption.jpg
Digital Signature

Protects data authenticity and integrity, and non-repudiation
A digital signature is a unique mathematical value for a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.
Sender's private key is used to sign the document and its public key is used to verify the signature
Only the sender can sign, as his private key is "private"
Easy to verify, as his public key is "public"

(Figure: signed text)

Image Source: https://tspace.library.utoronto.ca/html/1807/4637/jmir_v4i2e12_fig2.jpg
Digital Certificate

It bears the digital signature of a certain certificate authority whose identity is built into the operating system/web browser
The OS can verify the legitimacy of the digital signature, hence the legitimacy of the certificate, and hence the identity of the certificate holder
The certificate also contains the public key of the certificate holder
https and SSL
• Secure protocols over the Internet, based on certificates.

How to Secure an Online Conversation with Strangers

eBay first creates a pair of keys, one public key and one private key
It then submits the public key to VeriSign to get a certificate
The certificate contains information about eBay and its public key
VeriSign is the biggest certificate authority
When Romeo contacts eBay to sign up for an account, eBay presents its certificate to his web browser.
The process to verify a certificate is built into the browser.
The browser verifies that the certificate is valid and that it belongs to eBay
This step proves that Romeo is indeed in contact with eBay, not an impersonator
The browser then extracts eBay's public key from the certificate.
It then randomly generates a symmetric key, encrypts it using eBay's public key and sends it back to eBay.
Since it is encrypted with eBay's public key, it can be decrypted only with eBay's private key.
eBay then decrypts the symmetric key with its private key.
Now Romeo and eBay share a symmetric key and all subsequent conversation can be encrypted using this symmetric key.
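The digital-signature, certificate and handshake slides above describe one mechanism used three ways: the CA signs the certificate, the browser verifies that signature, and the server's public key from the certificate wraps a fresh symmetric key. The following Python is an added example written for this page, not code from the slides, the textbook, eBay or VeriSign. It uses textbook RSA on small fixed primes so every step is plain integer arithmetic that can be followed by hand; those primes, the toy XOR stream cipher, the name "ebay.example" and the certificate format are all constructed and far too weak for real use. Real deployments use standard libraries with 2048-bit or larger keys and a padded signature scheme.

```python
import hashlib
import secrets

# Constructed toy primes (NOT secure): one pair for the CA, one for the server.
CA_PRIMES = (10007, 10009)
SERVER_PRIMES = (10037, 10039)


def rsa_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data, n):
    """Hash the document and reduce below the modulus so it can be signed as one number."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(digest_int(data, n), d, n)        # only the private-key holder can produce this


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)   # anyone with the public key can check it


def certificate_bytes(subject, public_key):
    """Canonical bytes the CA signs: who the certificate is for and which public key is theirs."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(ca_private, subject, subject_public):
    """CA step: the certificate is the subject and its public key plus the CA's signature over them."""
    return {"subject": subject, "public_key": subject_public,
            "signature": sign(ca_private, certificate_bytes(subject, subject_public))}


def stream_xor(secret, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from the shared secret."""
    key = secret.to_bytes(16, "big")
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def browser_connect(cert, trusted_ca_public, expected_subject, rng=secrets.randbelow):
    """Romeo's browser: check the certificate against the built-in CA key, then wrap a fresh symmetric key."""
    if cert["subject"] != expected_subject:
        raise ValueError("certificate is for someone else")
    if not verify(trusted_ca_public, certificate_bytes(cert["subject"], cert["public_key"]), cert["signature"]):
        raise ValueError("certificate signature does not verify against the trusted CA")
    n, e = cert["public_key"]
    session_key = rng(n)                        # random symmetric key, smaller than the modulus
    return session_key, pow(session_key, e, n)  # keep one copy, send the copy encrypted to the server


def server_accept(server_private, wrapped_key):
    """eBay: only the private key can unwrap the symmetric key."""
    n, d = server_private
    return pow(wrapped_key, d, n)


def run_handshake(message=b"sign me up", rng=secrets.randbelow):
    """Walk the slide's steps end to end and report whether both sides ended with the same key."""
    ca_public, ca_private = rsa_keypair(*CA_PRIMES)
    server_public, server_private = rsa_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_private, "ebay.example", server_public)
    client_key, wrapped = browser_connect(cert, ca_public, "ebay.example", rng)
    server_key = server_accept(server_private, wrapped)
    # Both sides now hold the same symmetric key and use it for the rest of the conversation.
    ciphertext = stream_xor(client_key, message)
    return {"keys_match": client_key == server_key, "received": stream_xor(server_key, ciphertext)}


if __name__ == "__main__":
    print(run_handshake(b"hello eBay"))
```

An impersonator can mint a certificate that says "ebay.example", but cannot produce a signature over it that verifies under the CA key built into the browser, so `browser_connect` refuses it before any key is sent; that refusal is the step the slide calls proving Romeo is in contact with eBay and not an impersonator.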

Steganography

An alternative to encryption for secrecy
Hides the existence of the message
Using only a subset of letters/words in a longer message, marked in some way
Hiding data in a graphic image or sound file
Using invisible ink
Drawbacks
High overhead to hide relatively few info bits
Becomes useless once compromised
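Hiding data in an image, as the slide lists, is most often done by overwriting the least-significant bit of each pixel value, which changes each sample by at most one level and so is invisible to the eye. The following Python is an added example written for this page, not code from the slides; the cover is a constructed array of 8-bit grayscale samples rather than a real image file, and the 2-byte length prefix is an assumed framing convention. It also makes both drawbacks on the slide measurable: eight cover samples carry one payload byte, and once the convention is known, extraction needs no key at all.

```python
def embed_lsb(cover, payload):
    """Hide `payload` in the least-significant bit of each 8-bit sample of `cover`.
    Frame: a 2-byte big-endian length (assumed convention) followed by the payload."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear the low bit, then set it to the payload bit
    return bytes(stego)


def extract_lsb(stego):
    """Recover the hidden bytes. Note that nothing secret is needed: knowing the scheme is enough."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def capacity_bytes(cover):
    """Payload bytes a cover can hold: one bit per sample, minus the 2-byte length header."""
    return len(cover) // 8 - 2


def max_sample_change(cover, stego):
    """Largest per-sample difference the embedding introduced (always 0 or 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed cover: 512 grayscale samples, a simple ramp repeated twice.
    cover = bytes(range(256)) * 2
    secret = b"meet me after the toga party"
    stego = embed_lsb(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes;",
          "payload:", len(secret), "bytes;",
          "samples used:", (len(secret) + 2) * 8)
    print("largest change to any sample:", max_sample_change(cover, stego))
    print("extracted:", extract_lsb(stego))
```

The overhead is the ratio in the first print line: 240 samples of cover to carry 28 bytes of message. Encryption has no such cost and does not collapse when the method is known, which is why steganography is at best a complement to it, not a replacement.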

System Vulnerability

Patches
• Small pieces of software to repair flaws
• Exploits often created faster than patches can be
released and implemented



Wireless Security

The risks to users of wireless technology have increased as the service has become more popular
Wireless transmission is broadcast over the air. Anyone with the right equipment can intercept the signal
Wireless transmission by default is NOT encrypted!
Wardriving
Common solutions
Encrypt the transmission!
WEP (not recommended), WPA1 and WPA2
Smart card and USB token
Use a wired network for highly sensitive communication

Image source: http://en.wikipedia.org/wiki/Wardriving
Software Vulnerability: the Other Side of the Story

Commercial software contains flaws that create security vulnerabilities
Hidden bugs (program code defects)
Zero defects cannot be achieved because complete testing is not technically or economically possible with large programs
Flaws can open networks to intruders
Patches
Vendors release small pieces of software to repair flaws
However, the amount of software in use can mean exploits are created faster than patches can be released and implemented

Business Value of Security and Control

Inadequate security and control results in loss of business and may create serious legal liability
Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft
A sound security and control framework that protects business information assets can thus produce a high return on investment

Legal and Regulatory Requirements

CSOX: Canadian Rules for Sarbanes-Oxley Act, Bill 198
Called SOX in US
Internal controls must be put in place to govern information in financial statements
ERM: Electronic Records Management
Managing the retention, storage and destruction of electronic records
These controls can be realized by the security services and their implementations introduced earlier

Risk Assessment

Risk Assessment
• Determine level of risk to the firm in the case of
improper controls
Security policy
• Acceptable Use Policy (AUP)
• Authorization Policies
• Authorization Management systems



Security Policy

Acceptable Use Policy (AUP)
Acceptable uses and users of information and computers
Example
Authorization Policies
Determine the levels of access for different users
Often based on security profiles
Business continuity plan
Technical measures used to enforce the policies

Security Profiles for a
Personnel System

Figure 8-4
Business Continuity Planning

Getting the business up and running after a disaster
Safeguarding people as well as machines
Business measures:
Documenting business processes
Not relying on people who may be unavailable
Drill and training
Technical measures:
High-availability computer systems help firms recover quickly from a crash
Fault-tolerant computer systems promise continuous availability and eliminate recovery time altogether
Often use a backup system

Business Value of Security and Control

• Failed computer systems can lead to significant or total loss of business function
• Firms now more vulnerable than ever
– Confidential personal and financial data
– Trade secrets, new products, strategies
• A security breach may cut into firm's market value almost immediately
• Inadequate security and controls also bring forth issues of liability



Legal and Regulatory Requirements for Electronic Records Management

• Securely storing and handling recovered electronic data

Continued …



Establishing a Framework for Security and Control

Information System Controls
• General controls
– apply to all computerized applications and consist of a combination of hardware, software, and manual procedures
• Application controls
– Input controls
– Processing controls
– Output controls



Disaster Recovery Planning and Business Continuity Planning

Disaster recovery planning
• devises plans for the restoration of computing and communications services after they have been disrupted



Disaster Recovery Planning and Business Continuity Planning

Business continuity planning
• focuses on how the company can restore business operations after a disaster strikes.
• identifies critical business processes and determines action plans for handling mission-critical functions if systems go down



The Role of Auditing

• examines the firm's overall security environment as well as controls governing individual information systems
• assesses the financial and organizational impact of each threat



Securing Wireless Networks

Encryption and Public Key Infrastructure
• Coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted



Securing Wireless Networks

Public key encryption:
• Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key



[INSERT FIGURE 8.6]


