1. Securing Information Systems
Chapter 8
Securing Information Systems

2. Management Information Systems Chapter 8 Securing Information Systems
LEARNING OBJECTIVES
Analyze why information systems need special protection from destruction, error, and abuse.
Assess the business value of security and control.
Design an organizational framework for security and control.
Evaluate the most important tools and technologies for safeguarding information resources.

3. Demonstrates IT’s role in combating cyber crime.
Management Information Systems
Chapter 8 Securing Information Systems
Phishing: A Costly New Sport for Internet Users
Problem: Large number of vulnerable users of online financial services, ease of creating bogus Web sites.
Solutions: Deploy anti-phishing software and services and a multilevel authentication system to identify threats and reduce phishing attempts.
Deploying new tools, technologies, and security procedures, along with educating consumers, increases reliability and customer confidence.
Demonstrates IT’s role in combating cyber crime.
Illustrates digital technology as part of a multilevel solution as well as its limitations in overcoming discouraged consumers.

4. Security Controls Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Security
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls
Methods, policies, and organizational procedures that ensure:
Safety of organization’s assets
Accuracy and reliability of accounting records
Operational adherence to management standards

5. Why systems are vulnerable
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Why systems are vulnerable
Electronic data vulnerable to more types of threats than manual data
Networks
Potential for unauthorized access, abuse, or fraud is not limited to single location but can occur at any access point in network
Vulnerabilities exist at each layer and between layers
E.g. user error, viruses, hackers, radiation, hardware or software failure, theft

6. Contemporary Security Challenges and Vulnerabilities
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Contemporary Security Challenges and Vulnerabilities
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
Figure 8-1

7. Internet vulnerabilities
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Internet vulnerabilities
Public network, so open to anyone
Size of Internet means abuses may have widespread impact
Fixed IP addresses are fixed target for hackers
VoIP phone service vulnerable to interception
, instant messaging vulnerable to malicious software, interception

8. Wireless security challenges
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Wireless security challenges
Many home networks and public hotspots open to anyone, so not secure, communication unencrypted
LANs using standard can be easily penetrated
Service set identifiers (SSIDs) identify access points in Wi-Fi network and are broadcast multiple times
WEP (Wired Equivalent Privacy): Initial Wi-Fi security standard not very effective as access point and all users share same password

9. Wi-Fi Security Challenges
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Wi-Fi Security Challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
Figure 8-2

10. Malicious software (malware)
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Malicious software (malware)
Computer virus
Rogue software program that attaches to other programs or data files
Payload may be relatively benign or highly destructive
Worm:
Independent program that copies itself over network
Viruses and worms spread via:
Downloaded software files
attachments
Infected messages or instant messages
Infected disks or machines

11. Trojan horse Spyware Key loggers Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Trojan horse
Software program that appears to be benign but then does something other than expected
Does not replicate but often is way for viruses or malicious code to enter computer system
Spyware
Small programs installed surreptitiously on computers to monitor user Web surfing activity and serve advertising
Key loggers
Record and transmit every keystroke on computer
Steal serial numbers, passwords

12. Hacker Cybervandalism Spoofing Sniffer: Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Hacker
Individual who intends to gain unauthorized access to computer system
Cybervandalism
Intentional disruption, defacement, or destruction of Web site or corporate information system
Spoofing
Misrepresentation, e.g. by using fake addresses or redirecting to fake Web site
Sniffer:
Eavesdropping program that monitors information traveling over network

13. Denial-of-service (DoS) attack:
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Denial-of-service (DoS) attack:
Flooding network or Web server with thousands of false requests so as to crash or slow network
Distributed denial-of-service (DDoS) attack
Uses hundreds or thousands of computers to inundate and overwhelm network from many launch points
Botnet
Collection of “zombie” PCs infected with malicious software without their owners’ knowledge and used to launch DDoS or perpetrate other crimes

14. Worldwide Damage from Digital Attacks
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Worldwide Damage from Digital Attacks
This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since These data are based on figures from mi2G and the authors.
Figure 8-3

15. Bot Armies and Network Zombies
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Bot Armies and Network Zombies
Read the Interactive Session: Technology, and then discuss the following questions:
What is the business impact of botnets?
What management, organization, and technology factors should be addressed in a plan to prevent botnet attacks?
How easy would it be for a small business to combat botnet attacks? A large business?

16. Computer crime Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Computer crime
Computer as target of crime
Accessing computer without authority
Breaching confidentiality of protected computerized data
Computer as instrument of crime
Theft of trade secrets and unauthorized copying of software or copyrighted intellectual property
Using for threats or harassment
Most economically damaging computer crimes
DoS attacks and viruses
Theft of service and disruption of computer systems

17. Identity theft Phishing Evil twins Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Identity theft
Using key pieces of personal information (social security numbers, driver’s license numbers, or credit card numbers) to impersonate someone else
Phishing
Setting up fake Web sites or sending messages that look like those of legitimate businesses to ask users for confidential personal data
Evil twins
Bogus wireless networks used to offer Internet connections, then to capture passwords or credit card numbers

18. Computer Fraud and Abuse Act (1986) Click fraud
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Pharming
Redirecting users to bogus Web page, even when individual types correct address into browser
Computer Fraud and Abuse Act (1986)
Makes it illegal to access computer system without authorization
Click fraud
Fraudulently clicking on online ad without intention of learning more about advertiser or making purchase
Cyberterrorism and cyberwarfare:
At least twenty countries are believed to be developing offensive and defensive cyberwarfare capabilities

19. Internal threats: Employees
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Internal threats: Employees
Company insiders pose serious security problems
Access to inside information– like security codes and passwords
May leave little trace
User lack of knowledge: Single greatest cause of network security breaches
Compromised passwords
Social engineering
Errors introduced into software by:
Faulty data entry, misuse of system
Mistakes in programming, system design

20. Software vulnerability
Management Information Systems
Chapter 8 Securing Information Systems
Systems Vulnerability and Abuse
Software vulnerability
Software errors are constant threat to information systems
Cost U.S. economy $59.6 billion each year
Can enable malware to slip past antivirus defenses
Patches
Created by software vendors to update and fix vulnerabilities
However, maintaining patches on all firm’s devices is time consuming and evolves more slowly than malware

21. Business value of security and control
Management Information Systems
Chapter 8 Securing Information Systems
Business Value of Security and Control
Business value of security and control
Protection of confidential corporate and personal information
Value of information assets
Security breach of large firm results in average loss of 2.1 % of market value
Legal liability
Electronic Records Management (ERM)
Policies, procedures, and tools for managing retention, destruction, and storage of electronic records

22. Legal and regulatory requirements for ERM
Management Information Systems
Chapter 8 Securing Information Systems
Business Value of Security and Control
Legal and regulatory requirements for ERM
HIPAA
Outlines medical security and privacy rules
Gramm-Leach-Bliley Act
Requires financial institutions to ensure security and confidentiality of customer data
Sarbanes-Oxley Act
Imposes responsibility on companies and their management to safeguard accuracy and integrity of financial information used internally and released externally

23. Electronic evidence and computer forensics
Management Information Systems
Chapter 8 Securing Information Systems
Business Value of Security and Control
Electronic evidence and computer forensics
Legal cases today increasingly rely on evidence represented as digital data
most common electronic evidence
Courts impose severe financial, even criminal penalties for improper destruction of electronic documents, failure to produce records, and failure to store records properly

24. Management Information Systems
Chapter 8 Securing Information Systems
Business Value of Security and Control
Computer forensics
Scientific collection, examination, authentication, preservation, and analysis of data on computer storage media so that it can be used as evidence in a court
Awareness of computer forensics should be incorporated into firm’s contingency planning process

25. ISO 17799 Risk Assessment Management Information Systems
Chapter 8 Securing Information Systems
Establishing a Framework for Security and Control
ISO 17799
International standards for security and control specifies best practices in information systems security and control
Risk Assessment
Determines level of risk to firm if specific activity or process is not properly controlled
Value of information assets
Points of vulnerability
Likely frequency of problem
Potential for damage
Once risks are assessed, system builders concentrate on control points with greatest vulnerability and potential for loss

26. Online Order Processing Risk Assessment
Management Information Systems
Chapter 8 Securing Information Systems
Establishing a Framework for Security and Control
Online Order Processing Risk Assessment
EXPOSURE
PROBABILITY OF OCCURRENCE
LOSS RANGE / (AVERAGE)
EXPECTED ANNUAL LOSS
Power failure
30 %
$5,000 - $200,000
($ )
$30,750
Embezzlement
5 %
$1,000 - $50,000
($25,500)
$1,275
User error
98 %
$200 - $40,000
($20,100)
$19,698
Table 8-3

27. Chief Security Officer (CSO)
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Security policy
Statements ranking information risks, identifying acceptable security goals, and identifying mechanisms for achieving these goals
Chief Security Officer (CSO)
Heads security group in larger firms
Responsible for enforcing security policy
Security group
Educates and trains users
Keeps management aware of security threats and breakdowns
Maintains tools chosen to implement security

28. Acceptable Use Policy (AUP)
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Acceptable Use Policy (AUP)
Defines acceptable uses of firm’s information resources and computing equipment
A good AUP defines acceptable actions for every user and specifies consequences for noncompliance
Authorization policies
Determine level of access to information assets for different levels of users
Authorization management systems
Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules

29. Security Profiles for a Personnel System
Management Information Systems
Chapter 8 Securing Information Systems
Establishing a Framework for Security and Control
Security Profiles for a Personnel System
Figure 8-4
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.

30. Ensuring business continuity
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Ensuring business continuity
Fault-tolerant computer systems
Ensure 100% availability
Utilize redundant hardware, software, power supply components
Critical for online transaction processing
High availability computing
Tries to minimize downtime
Helps firms recover quickly from system crash
Utilizes backup servers, distributed processing, high capacity storage, disaster recovery and business continuity plans
Recovery-oriented computing: Designing systems, capabilities, tools that aid in quick recovery, correcting mistakes

31. Disaster recovery planning
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Disaster recovery planning
Restoring computing and communication services after earthquake, flood, etc.
Can be outsourced to disaster recovery firms
Business continuity planning
Restoring business operations after disaster
Identifies critical business processes and determines how to handle them if systems go down
Business impact analysis
Use to identify most critical systems and impact system outage has on business

32. Auditing Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Auditing
MIS audit: Examines firm’s overall security environment as well as controls governing individual information systems
Security audit: Reviews technologies, procedures, documentation, training, and personnel
Audits:
List and rank all control weaknesses
Estimate probability of occurrence
Assess financial and organizational impact of each threat

33. Sample Auditor’s List of Control Weaknesses
Management Information Systems
Chapter 8 Securing Information Systems
Establishing a Framework for Security and Control
Sample Auditor’s List of Control Weaknesses
Figure 8-5
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

34. New authentication technologies:
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Access control
Policies and procedures used to prevent improper access to systems by unauthorized insiders and outsiders
Users must be authorized and authenticated
Authentication:
Typically established by password systems
New authentication technologies:
Tokens
Smart cards
Biometric authentication

35. Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Firewalls:
Hardware and software controlling flow of incoming and outgoing network traffic
Prevents unauthorized access
Screening technologies
Packet filtering
Stateful inspection
Network address translation (NAT)
Application proxy filtering

36. A Corporate Firewall Management Information Systems Figure 8-6
Chapter 8 Securing Information Systems
Technologies and Tools for Security
A Corporate Firewall
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.
Figure 8-6

37. Intrusion detection systems:
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Intrusion detection systems:
Full-time, real-time monitoring tools
Placed at most vulnerable points of corporate networks to detect and deter intruders
Scanning software looks for patterns such as bad passwords, removal of important files, and notifies administrators

38. Antivirus software, antispyware software
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Antivirus software, antispyware software
Antivirus software:
Checks computer systems and drives for presence of computer viruses
To remain effective, antivirus software must be continually updated
Antispyware software tools:
Many leading antivirus software vendors include protection against spyware
Standalone tools available (Ad-Aware, Spybot)

39. Securing wireless networks
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Securing wireless networks
WEP: Provides some measure of security if activated
VPN technology: Can be used by corporations to help security
802.11i specification: Tightens security for wireless LANs
Longer encryption keys that are not static
Central authentication server
Mutual authentication
Wireless security should be accompanied by appropriate policies and procedures for using wireless devices

40. Unilever Secures Its Mobile Devices
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Unilever Secures Its Mobile Devices
Read the Interactive Session: Management, and then discuss the following questions:
How are Unilever executives’ wireless handhelds related to the company’s business performance?
Discuss the potential impact of a security breach at Unilever.
What management, organization, and technology factors had to be addressed in developing security policies and procedures for Unilever’s wireless handhelds?
Is it a good idea to allow Unilever executives to use both BlackBerrys and cell phones? Why or why not?

41. Two main methods for encrypting network traffic
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Encryption:
Transforming message into cipher text, using encryption key
Receiver must decrypt encoded message
Two main methods for encrypting network traffic
Secure Sockets Layer (SSL) /Transport Layer Security (TLS)
Establishes secure connection between two computers
Secure HTTP (S-HTTP)
Encrypts individual messages

42. Two methods of encryption:
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Two methods of encryption:
Symmetric key encryption
Shared, single encryption key sent to receiver
Public key encryption
Two keys, one shared/public and one private
Messages encrypted with recipient’s public key but can only be decoded with recipient’s private key

43. Public Key Encryption Management Information Systems Figure 8-7
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
Figure 8-7

44. Public Key Infrastructure (PKI)
Management Information Systems
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Digital signature
Encrypted message that only sender with private key can create
Used to verify origin and contents of message
Digital certificates
Data files used to establish identity of users and electronic assets for protection of online transactions
Uses trusted third party, certificate authority (CA), to validate user’s identity
Public Key Infrastructure (PKI)
Use of public key cryptography working with certificate authority

45. Digital Certificates Management Information Systems Figure 8-8
Chapter 8 Securing Information Systems
Technologies and Tools for Security
Digital Certificates
Figure 8-8
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.