1 Average: 85%, Median: 90%…Good Work!

2 Chapter 15 Managing Information Resources & Security

3 Case: Cyber Crime  On Feb. 6, the biggest EC sites were hit by cyber crime. Yahoo!, eBay, Amazon.com, E*Trade  The attacker(s) used a method called denial of service (DOS). By hammering a Web site’s equipment with too many requests for information, an attacker can effectively clog a system.  The total damage worldwide was estimated at $5-10 billion (U.S.). The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines.

4 Lessons Learned from the Case  Information resources that include computers, networks, programs, and data are vulnerable to unforeseen attacks.  Many countries do not have sufficient laws to deal with computer criminals.  Protection of networked systems can be a complex issue.  Attackers can zero on a single company, or can attack many companies, without discrimination.  Attackers use different attack methods.  Although variations of the attack methods are known, the defence against them is difficult and/or expensive.

5 Key Terminology Backup Decryption Encryption Exposure Fault tolerance IS controls Integrity (of data) Risk Threats (or hazards) Vulnerability

6 Security Threats

7 Cyber Crime  Crimes can be performed by outsiders who penetrate a computer system (hackers) or by insiders who are authorized to use the computer system but are misusing their authorization. A cracker is a malicious hacker, who may represent a serious problem for a corporation.  Two basic methods of attack are used in deliberate attacks on computer systems: data tampering programming fraud, e.g. Viruses

8 U.S. Federal Statutes  According to the FBI, an average white-collar crime involves $23,000; but an average computer crime involves about $600,000.  The following U.S. federal statutes deal with computer crime: Counterfeit Access Device and Computer Fraud Act of 1984 Computer Fraud and Abuse Act of 1986 Computer Abuse Amendment Act of 1994 (prohibits transmission of viruses) Computer Security Act of 1987 Electronic Communications Privacy Act of 1986 Electronic Funds Transfer Act of 1980 Video privacy protection act of 1988

9 Defending Information Systems  Hundreds of potential threats exist.  Computing resources may be situated in many locations.  Many individuals control information assets.  Computer networks can be outside the organization and difficult to protect.  Rapid technological changes make some controls obsolete as soon as they are installed.  Many computer crimes are undetected for a long period of time.  People tend to violate security procedures because they are inconvenient. Defending information systems is not a simple or inexpensive task for the following reasons:

10 Defense Strategies  The following are the major objectives of defense strategies:  Prevention & deterrence  Detection  Limitation  Recovery  Correction

11 Types of Defense Controls The defense controls are divided into two major categories: General controls Protect the system regardless of the specific application. Application controls Safeguards that are intended to protect specific applications.

12 Types of Controls  General Controls Physical controls Access controls Biometric controls Data security controls Communications (networks) controls Administrative controls  Application Controls Input controls Processing controls Output controls

13 Security Measures  An access control system guards against unauthorized dial-in attempts. The use of preassigned personal identification number (PIN).  Modems. It is quite easy for attackers to penetrate them and for employees to leak secret corporate information to external networks.  Encryption is used extensively in EC for protecting payments and privacy.  Troubleshooting packages such as cable tester can find almost any fault that can occur with LAN cabling.

14 Security Measures (cont.)  Payload security involves encryption or other manipulation of data being sent over networks.  Commercial Products. Hundreds of commercial security products exist on the market.  Intrusion Detecting. It is worthwhile to place an intrusion detecting device near the entrance point of the Internet to the intranet.  A Firewall is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet.

15 IT Auditing  In the information system environment, auditing can be viewed as an additional layer of controls or safeguards. It involves a periodical examination and check of financial and accounting records and procedures.  Two types of auditors (and audits): Internal An internal auditor is usually a corporate employee who is not a member of the ISD. External An external auditor is a corporate outsider.

16 IT Auditing (cont.) Auditors attempt to answer questions such as: 1.Are there sufficient controls in the system? 2.Which areas are not covered by controls? 3.Which controls are not necessary? 4.Are the controls implemented properly? 5.Are the controls effective; do they check the output of the system? 6.Is there a clear separation of duties of employees? 7.Are there procedures to ensure compliance with the controls? 8.Are there procedures to ensure reporting and corrective actions in case of violations of controls?

17 How is Auditing Executed? IT auditing procedures can be classified into three categories: Auditing around the computer - verifying processing by checking for known outputs using specific inputs. Auditing through the computer - inputs, outputs, and processing are checked. Auditing with the computer - using a combination of client data, auditor software, and client and auditor hardware.

18 Disaster Recovery Plan  A disaster recovery plan is essential to any security system.  Here are some key thoughts about disaster recovery by Knoll (1986): The purpose of a recovery plan is to keep the business running after a disaster occurs. Recovery planning is part of asset protection. Planning should focus first on recovery from a total loss of all capabilities. Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current. All critical applications must be identified and their recovery procedures addressed in the plan.

19 Backup Location  In the event of a major disaster, it is often necessary to move a centralized computing facility to a far-away backup location.  External hot-site vendors provide access to a fully configured backup data center. E.g., When an earthquake hit San Francisco in 1989, Charles Schwab & Co. was ready. Within a few minutes, the company’s disaster plan was activated. Programmers, engineers, and backup computer tapes were flown to New Jersey, where Comdisco Disaster Recovery Service provided a hot site.

20 Risk Management

21 Risk-Management (cont.)  A risk-management approach helps identify threats and selects cost-effective security measures.  Risk-management analysis can be enhanced by the use of DSS software packages. Calculations can be used to compare the expected loss with the cost of preventing it.  A business continuity plan outlines the process in which businesses should recover from a major disaster.

22 IT Security in the 21 st Century  Increasing the Reliability of Systems. The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail.  Intelligent Systems for Early Detection. Detecting intrusion in its beginning is extremely important, especially for classified information and financial data.  Intelligent Systems in Auditing. Intelligent systems are used to enhance the task of IS auditing.

23 IT Security in the 21 st Century (cont.)  Artificial Intelligence in Biometrics. Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems.  Expert Systems for Diagnosis, Prognosis, and Disaster Planning. Expert systems can be used to diagnose troubles in computer systems and to suggest solutions.  Smart Cards. Smart card technology can be used to protect PCs on LANs.  Fighting Hackers. Several new products are available for fighting hackers.

24 Case: The Euro Conversion Some major IT issues involved in the Euro conversion are:  Time and cost estimates are difficult.  The decision on a conversion date was delegated to individual companies, and it varies.  Legal requirements force organizations to keep accounting data in their original form. This will create problems for comparisons over time.  It is necessary to convert the code and the existing applications that involve currencies.  It is necessary to change all the data and data files in the organizations’ databases.

25 Case: The Euro Conversion (cont.) In order to execute the conversion properly a CIO must…  Coordinate the execution with the business side of the enterprise, creating a joint team with members of the ISD & other functional units.  Outsourcing some of the tasks is advisable.  Business impact analysis should be done first.  Both business and IT strategies for the conversion must be done, coordinated, and assessed periodically.  A proper project management process must be conducted.  A proper testing program must be prepared and properly implemented.  A deployment strategy for the conversion should be determined.

26 Managerial Issues  To whom should the ISD report?  Who needs a CIO?  End-users are friends, not enemies, of the IS department.  Ethical Issues.

27 Managerial Issues (cont.)  Responsibilities for security should be assigned in all areas.  Security awareness programs are important for any organization, especially if it is heavily dependent on IT.  Auditing information systems should be institutionalized into the organizational culture.  Organizing the ISD in a multinational corporation is a complex issue.