Lecture 16 & 17

This chapter discusses securing information systems from various threats. It covers why systems are vulnerable to hardware and software problems, disasters, and external networks. It then examines specific vulnerabilities like those from the internet, wireless networks, malware, hackers, and internal threats. The chapter also discusses the business value of security and control in preventing revenue loss, lower market values, legal liability, and higher costs. It concludes with an overview of computer forensics.

Chapter 8

Securing Information Systems
Management Information Systems
Chapter 8 Securing Information Systems

LEARNING OBJECTIVES

• Explain why information systems are vulnerable to destruction, error, and abuse.
• Assess the business value of security and control.
• Evaluate the most important tools and technologies for safeguarding information resources.

System Vulnerability and Abuse

• Security:
  • Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls:
  • Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy and reliability of its accounting records; and operational adherence to management standards

System Vulnerability and Abuse

• Why systems are vulnerable
  • Hardware problems
    • Breakdowns, configuration errors, damage from improper use or crime
  • Software problems
    • Programming errors, installation errors, unauthorized changes
  • Disasters
    • Power failures, flood, fires, etc.
  • Use of networks and computers outside of firm’s control
    • E.g., with domestic or offshore outsourcing vendors

System Vulnerability and Abuse


Contemporary Security Challenges and Vulnerabilities

Figure 8-1: The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

System Vulnerability and Abuse

• Internet vulnerabilities
  • Network open to anyone
  • Size of Internet means abuses can have wide impact
  • E-mail attachments
  • E-mail used for transmitting trade secrets
  • IM messages lack security, can be easily intercepted

System Vulnerability and Abuse

• Wireless security challenges
  • SSIDs (service set identifiers)
    • Identify access points
    • Broadcast multiple times
  • War driving
    • Eavesdroppers drive by buildings and try to intercept network traffic
    • When hacker gains access to SSID, has access to network’s resources

System Vulnerability and Abuse


Wi-Fi Security Challenges

Figure 8-2: Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

System Vulnerability and Abuse

• Malicious software (malware)
  • Viruses: Rogue software program that attaches itself to other software programs or data files in order to be executed
  • Worms: Independent computer programs that copy themselves from one computer to other computers over a network
  • Trojan horses: Software program that appears to be benign but then does something other than expected
  • Spyware: Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
  • Key loggers: Record every keystroke on a computer to steal serial numbers and passwords, or to launch Internet attacks

System Vulnerability and Abuse

• Hackers and computer crime
  • Hackers vs. crackers
  • Activities include
    • System intrusion
    • Theft of goods and information
    • System damage
    • Cybervandalism
      • Intentional disruption, defacement, destruction of Web site or corporate information system

System Vulnerability and Abuse

• Computer crime
  • Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
  • Computer may be target of crime, e.g.:
    • Breaching confidentiality of protected computerized data
    • Accessing a computer system without authority
  • Computer may be instrument of crime, e.g.:
    • Theft of trade secrets
    • Using e-mail for threats or harassment

System Vulnerability and Abuse

• Identity theft: Theft of personal information (social security ID, driver’s license or credit card numbers) to impersonate someone else
• Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser

System Vulnerability and Abuse

• Click fraud
  • Individual or computer program clicks online ad without any intention of learning more or making a purchase
• Global threats – Cyberterrorism and cyberwarfare
  • Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups

System Vulnerability and Abuse

• Internal threats – Employees
  • Security threats often originate inside an organization
    • Inside knowledge
    • Sloppy security procedures
    • User lack of knowledge
  • Social engineering:
    • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

System Vulnerability and Abuse

• Software vulnerability
  • Commercial software contains flaws that create security vulnerabilities
    • Hidden bugs (program code defects)
    • Zero defects cannot be achieved because complete testing is not possible with large programs
    • Flaws can open networks to intruders
  • Patches
    • Vendors release small pieces of software to repair flaws
    • However, the amount of software in use can mean exploits are created faster than patches can be released and implemented

Business Value of Security and Control

• Lack of security, control can lead to:
  • Loss of revenue
    • Failed computer systems can lead to significant or total loss of business function
  • Lowered market value:
    • Information assets can have tremendous value
    • A security breach may cut into firm’s market value almost immediately
  • Legal liability
  • Lowered employee productivity
  • Higher operational costs

Business Value of Security and Control

• Electronic evidence
  • Evidence for white collar crimes often found in digital form
    • Data stored on computer devices, e-mail, instant messages, e-commerce transactions
  • Proper control of data can save time, money when responding to legal discovery request
• Computer forensics:
  • Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
  • Includes recovery of ambient and hidden data

Technologies and Tools for Security

• Access control: Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
  • Authorization
  • Authentication
    • Password systems
    • Tokens
    • Smart cards
    • Biometric authentication
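The slide lists authorization and authentication as separate parts of access control. The following added example (not from the lecture) shows the two steps in working code: a password system that authenticates against salted PBKDF2 hashes, followed by a role check that decides what the authenticated user may do. The user store, roles and actions are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000


def make_record(password, role):
    """Build a user record: random salt, PBKDF2 hash, and assigned role."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "role": role}


# Constructed user store and role table (hypothetical, not from the lecture).
USERS = {
    "alice": make_record("correct horse battery", "accountant"),
    "bob": make_record("clerk-pass-1", "clerk"),
}
PERMISSIONS = {
    "accountant": {"view_ledger", "post_journal_entry"},
    "clerk": {"view_ledger"},
}


def authenticate(username, password):
    """Authentication: is the caller really who they claim? Returns role or None."""
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return rec["role"] if hmac.compare_digest(digest, rec["hash"]) else None


def authorize(role, action):
    """Authorization: may this authenticated role perform the action?"""
    return action in PERMISSIONS.get(role, set())


def access(username, password, action):
    """Access control = authenticate first, then authorize; deny on either failure."""
    role = authenticate(username, password)
    if role is None:
        return "denied: authentication failed"
    if not authorize(role, action):
        return f"denied: {role} may not {action}"
    return f"allowed: {action}"
```

A valid login is necessary but not sufficient: bob authenticates correctly yet is still refused an action outside his role.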

Technologies and Tools for Security

• Firewall: Hardware and/or software to prevent unauthorized access to private networks
• Intrusion detection systems: Monitor vulnerable points on networks to detect and deter intruders
  • Examines events as they are happening to discover attacks in progress
  • Scans network to find patterns indicative of attacks
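To make the intrusion-detection bullets concrete, here is an added example (not from the lecture) of the pattern-matching an IDS performs over events as they arrive: it streams a constructed connection log through two rules, one for repeated login failures against a single service and one for a single source touching many ports in a short window. The log format, thresholds and window are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample connection log (not from the lecture): one event per line.
LOG_LINES = """\
t=0 src=10.0.0.5 dport=22 result=FAIL
t=2 src=10.0.0.5 dport=22 result=FAIL
t=4 src=10.0.0.5 dport=22 result=FAIL
t=6 src=10.0.0.5 dport=22 result=FAIL
t=8 src=10.0.0.5 dport=22 result=FAIL
t=9 src=10.0.0.5 dport=22 result=OK
t=10 src=10.0.0.9 dport=80 result=OK
t=11 src=10.0.0.7 dport=21 result=FAIL
t=12 src=10.0.0.7 dport=23 result=FAIL
t=13 src=10.0.0.7 dport=80 result=FAIL
t=14 src=10.0.0.7 dport=443 result=FAIL
t=15 src=10.0.0.7 dport=3389 result=FAIL
t=90 src=10.0.0.5 dport=22 result=FAIL
"""

LINE_RE = re.compile(r"t=(\d+) src=(\S+) dport=(\d+) result=(\w+)")

def detect(lines, window=60, fail_limit=5, port_limit=5):
    """Stream events through two pattern rules; return the alerts raised."""
    alerts = []
    fails = defaultdict(deque)  # (src, dport) -> timestamps of recent failures
    ports = defaultdict(dict)   # src -> {dport: time last seen}
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, dport, result = int(m[1]), m[2], int(m[3]), m[4]
        # Rule 1: repeated failures against one service within the window
        # (password guessing). Alert once, when the threshold is first hit.
        if result == "FAIL":
            q = fails[(src, dport)]
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) == fail_limit:
                alerts.append(("brute-force", src, dport, t))
        # Rule 2: one source touching many distinct ports within the window
        # (port scan). Stale ports are dropped before counting.
        recent = {p: ts for p, ts in ports[src].items() if t - ts <= window}
        recent[dport] = t
        ports[src] = recent
        if len(recent) == port_limit:
            alerts.append(("port-scan", src, len(recent), t))
    return alerts
```

The late failure at t=90 falls outside the window and raises nothing, which is the behaviour the sliding window is there to give.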

Technologies and Tools for Security


A Corporate Firewall

Figure 8-5: The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.

Technologies and Tools for Security

• Antivirus and antispyware software:
  • Checks computers for presence of malware and can often eliminate it as well
  • Require continual updating
• Unified threat management (UTM)
  • Comprehensive security management products
  • Tools include
    • Firewalls
    • Intrusion detection
    • VPNs
    • Web content filtering
    • Antispam software
