1. Module 2: Information Technology Infrastructure
Chapter 7: Information Systems Security

2. Learning Objectives
Identify the reasons for Information Systems’ vulnerabilities
Discuss the reasons for security for business
Discuss the different types of threats
Identify the components of an organizational framework for security and control
Discuss the various tools and technologies for safeguarding IS

3. Security and Control Security Control
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft or physical damage to Information Systems
Control
Methods, policies, and organizational procedures that ensure that safety of the organizational assets; the accuracy and reliability or records; operational adherence to management standards

4. Why Systems are Vulnerable?
Data stored in electronic form is vulnerable
In communication network, breach can occur at any access point
Steal data, alter messages
Intruders with DoS attacks disrupts Web sites operations
Hardware breakdowns
Bad configuring, improper installation, or unauthorized changes
Offshore partnering also adds to system vulnerability
Portability makes cell phones, smart phones, tablets to be easily stolen
Apps for mobile phones can be used to malicious purposes

5. Internet and Wireless Security Challenges
Internet more vulnerable than internal networks
Widespread impact of attack
Always-on connection have fixed address becomes fixed target
Also most VoIP transmission is not encrypted, so susceptible to interception
Vulnerability also increases because of s, IMs and peer-to-peer(P2P) file sharing

6. Wireless Security Challenges
Wireless communication is vulnerable because radio frequency bands are easier to scan (eavesdropping)
Hackers use wireless cards, external antenna and hacking software to intrude into WLANs
Sniffer programs
OS have the ability to identify the SSID of the network, and configures the NIC accordingly
Wired Equivalent Privacy (WEP)
Security standard
Allows access point users to share a 40-bit encrypted password
Stronger encryption: WPA2

7. Malicious Software (Malware)
Virus
Malicious software program that attaches itself to another program or file to be executed
Mostly they deliver a ‘payload’, (just a message or destroys data)
Spread from computer to computer, triggered by human actions
Worm
Copy themselves from computer to computer through network
Destroy data and halt operations of computer network
Usually come through downloaded programs, attachments
Malware target mobile devices too, thus being a serious threat to enterprise computing

8. Malicious Software Trojan Horse SQL injection attacks Spyware
Looks like a legitimate program
Does not replicate itself, but creates way for virus and other malicious code
Based on the Greek Trojan war
SQL injection attacks
Malware that takes advantage of vulnerabilities in poorly coded web application software
Enter data into online form to check for vulnerability to a SQL injection
Spyware
Small programs that temporarily install themselves on the computer to monitor web surfing for advertising, but they also act as malware, affecting the computer performance

9. Hacking and Computer Crime
Accessing a computer system unauthorized
Usually “cracker” is an individual with criminal intent
Find weaknesses in the security features of web sites or computer systems
CyberVandalism
Intentional disruption, defacement of web site or corporate information
Spoofing
Hackers hide themselves behind fake ids
Also involves redirecting a Web link to a fake ones that looks like the original site

10. Hacking and Computer Crime
Sniffing
Eavesdropping program that monitors information traveling over a network
They have a legitimate use as well, but otherwise can be very lethal
DoS Attack
Hackers flood a network server or web server will many requests for services to crash the network
For e-commerce sites, these attacks can be costly

11. Hacking and Computer Crime
“Any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation or prosecution”
Computers as targets of crime
Computer as instruments of crime
Breaching the confidentiality of protected computerized data
Accessing a computer without authority
Accessing a protected computer to commit fraud
Accessing a protected computer to cause damage
Transmitting a program that intentionally causes damage
Threatening to cause damage to protected computer
Theft of trade secrets
Unauthorized copying of software or copyrighted intellectual property
Schemes to defraud
Using for threats and harassment
Intentionally attempting to intercept electronic communication
Illegally accessing stored electronic documents

12. Hacking and Computer Crime
Identity Theft
Crime in which an imposter obtains key pieces of key personal information to impersonate someone else, eg. Credit card theft
Phishing
Setting up fake web sites or sending fake s that look legitimate to ask users for personal data
Pharming
Redirects users to fake web page even when they have entered the correct web address
Happens when ISP companies have flawed software
Cyberterrorism
Cyber attacks that target software that run electric power grids, air traffic control, or bank networks (on large scale)

13. Business Value of Security and Control
Usually businesses don’t put much effort in security
However, security and control is critical to businesses
They lose 2.1% of market value if security breach happens
Valuable and confidential info needs protection
Inadequacy can lead to
Legal liability
Data exposure
Implementation Advantages
High return on investment
Employee productivity
Lower operational costs

14. Electronic Evidence and Computer Forensics
Nowadays, legal cases rely on digital data stored on storage media along with and e-commerce transactions
Effective electronic document policy
Records organized, discarded not too soon
Computer Forensics
scientific collection, examination, authentication, preservation and analysis of data retrieved from storage media
Used for court evidence
Also includes ambient data
Firm’s contingency planning process should have awareness of this

15. Case Study: When Antivirus software cripples your computers
Company: McAfee – prominent antivirus software
Product: AntiVirus Plus
Problem: released an update that caused the computers to crash and failed to reboot
Lost network capability
Couldn’t detect USB drives
Usually Windows XP service pack 3, McAfee VirusScan version 8.7
Conducted investigation to figure out ‘why’ was the mistake made and ‘who’ got affected

16. Case Study: When Antivirus software cripples your computers
Result
Users did not receive a warning that svchost.exe was going to be quarantined
Quality assurance failed to detect the critical error
Testing was not conducted on the mentioned operating system
Created a “SuperDAT Remediation tool” to fix the problem

17. Case Study: When Antivirus software cripples your computers
Management factors
Did not apply proper quality assurance procedures
Organizational factors
Had recently changed their QA environment
Technology factors
The users did not receive a warning that a critical file will be quarantined
Business Impact
Damage an antivirus company’s reputation because people blindly trust such companies
Customer’s businesses became non-functional and had to shut down until computers were fixed