Chapter 8: Securing Information Systems

8.1 System Vulnerability and Abuse

- Security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems
- Controls: methods, policies and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of records, and operational adherence to management standards
Why Systems are Vulnerable

- Large amounts of data in electronic form are more vulnerable to threats
- In a client/server environment, users at the client level may introduce errors or access systems without authorization while data is being transferred
- Radiation (i.e. emitted signals are accessible to outsiders)
- Denial-of-service attacks or malicious software
- System malfunctions
- Domestic or offshore partnering: information resides in places outside the firm’s control
Internet Vulnerabilities

- The Internet is more susceptible to hackers because a computer connected to it via cable modem or DSL has a fixed Internet address, which means it can be easily identified
- Emails and file sharing: attachments can carry harmful viruses
Wireless Security Challenges

- Radio frequency bands are easy to scan
- Both Bluetooth and Wi-Fi are susceptible to cracking by eavesdroppers
- Poor wireless security has enabled criminals to break into corporate systems to steal major retailers’ credit card numbers and personal data
- Service set identifiers (SSIDs) identifying Wi-Fi access points are broadcast multiple times and can be picked up fairly easily by intruders through a sniffer program
  o A sniffer program can obtain an address and use it to access network resources without authorization
- War driving: eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic
- An intruder that has identified the correct SSID is able to access other resources on the network
  o Intruders can access computers running Windows through a rogue access point
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware

- Malware: malicious software programs
  o Viruses, worms, Trojan horses
- Computer virus: rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission
  o Viruses deliver a “payload” which ranges from benign (displaying a picture or message) to highly destructive (destroying programs or data, clogging computer memory, making programs run improperly)
  o Usually transferred when humans take an action such as sending out an email attachment
- Worms: independent computer programs that copy themselves from one computer to another over a network
  o Unlike viruses, worms can operate on their own without attaching to files and need less human interaction to spread from computer to computer
  o Worms destroy data and programs and disrupt the operation of computer networks
  o Email worms are currently the most problematic
- Mobile device users pose a threat to enterprise computing because so many wireless devices are linked to corporate information systems
- Web 2.0 applications have emerged as new channels for malware or spyware
- Trojan horse: software program that appears to be benign but then does something unexpected
  o Not a virus because it doesn’t replicate itself, but it is often a way for viruses or other malicious code to be introduced onto the computer
  o E.g. electronic greeting cards sent by email that trick Windows users into launching a program that delivers malware to infect their machine
- Spyware: programs that install themselves surreptitiously on computers to monitor user web surfing activity and serve up advertisements
  o Slows computer performance by taking up too much memory
  o 92% of companies have spyware on their networks
- Keyloggers: record every keystroke to obtain serial numbers for software, passwords, personal information, etc.
Hackers and Computer Crime

- Hacker: individual who intends to gain unauthorized access to a computer system
- Cracker: hacker with criminal intent
- Both gain access by finding weaknesses in the security protection employed by websites and computer systems
- Cybervandalism: intentional disruption, defacement, or even destruction of a website or corporate information system
Spoofing and Sniffing

- Spoofing: misrepresentation of the hacker’s true identity; may involve redirecting a web link to an address different from the intended one and collecting sensitive customer information
- Sniffer: eavesdropping program that monitors information travelling over a network
  o When used legitimately it can identify potential trouble spots, but when used for criminal purposes it can be difficult to detect
  o Sniffers enable hackers to steal information from networks
Denial-of-Service Attacks

- Denial-of-service (DoS) attack: hackers flood a network server with many thousands of false communications or requests for services in order to crash the network
- Distributed denial-of-service (DDoS) attack: uses numerous computers to inundate and overwhelm the network from numerous launch points
- Goal is to shut down the website so it is impossible for legitimate users to access the site
- Botnet: group of computers that have been infected with bot malware without the users’ knowledge (“zombie PCs”), enabling a hacker to use the amassed resources of the computers to launch DDoS attacks, phishing campaigns or spam
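Detecting the flood from the server side, as an added example that is not part of the notes or the textbook: a sliding-window request counter run over constructed access-log lines (hypothetical addresses from the documentation ranges, constructed timestamps). It shows the difference the notes describe between a DoS and a DDoS: one source exceeding its own limit is easy to spot, while a botnet spreads the load so that no single source crosses the per-source threshold and only the aggregate rate reveals the attack. The window length and both limits are assumptions chosen for the sample.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line: client address, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)   # sliding window length (assumed)
PER_SOURCE_LIMIT = 100           # requests one address may make inside WINDOW (assumed)
AGGREGATE_LIMIT = 250            # requests all addresses together may make inside WINDOW (assumed)


def make_sample_log():
    """Constructed sample log (hypothetical hosts in 198.51.100.0/24 and 203.0.113.0/24):
    one normal client, one host flooding /login, and a botnet-style burst in which 30 hosts
    each send 10 requests, every one of them under the per-source limit."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, when, path="/index.html"):
        return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 1043'

    lines = [line("198.51.100.5", base + timedelta(seconds=20 * i)) for i in range(3)]
    lines += [line("203.0.113.7", base + timedelta(milliseconds=33 * i), "/login") for i in range(150)]
    for host in range(30):
        lines += [line(f"203.0.113.{100 + host}", base + timedelta(seconds=60, milliseconds=500 * i))
                  for i in range(10)]
    return lines


def parse_events(lines):
    """Return (timestamp, source address) pairs in time order; malformed lines are skipped."""
    events = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    events.sort()
    return events


def detect_floods(lines):
    """Sliding-window request counting.

    A single source exceeding PER_SOURCE_LIMIT is the classic DoS signature. A DDoS looks
    different: the aggregate rate crosses AGGREGATE_LIMIT while no individual source is over
    its own limit, which is why per-source thresholds alone miss it."""
    window = deque()           # (timestamp, ip) events inside the last WINDOW
    in_window = Counter()      # requests per source inside the window
    single_source = set()
    distributed_at = None
    for when, ip in parse_events(lines):
        window.append((when, ip))
        in_window[ip] += 1
        while window and when - window[0][0] > WINDOW:   # expire events older than WINDOW
            _, old_ip = window.popleft()
            in_window[old_ip] -= 1
        if in_window[ip] > PER_SOURCE_LIMIT:
            single_source.add(ip)
        elif len(window) > AGGREGATE_LIMIT and max(in_window.values()) <= PER_SOURCE_LIMIT:
            distributed_at = distributed_at or when
    return {"single_source": sorted(single_source),
            "distributed": distributed_at is not None,
            "distributed_at": distributed_at}


if __name__ == "__main__":
    print(detect_floods(make_sample_log()))
```

On the constructed log the single flooding host is reported by address, and the later burst trips only the aggregate check; in practice the aggregate alert is what justifies upstream filtering or rate limiting, since blocking the individual botnet addresses one by one achieves little.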
Computer Crimes

- Computer crime: any criminal activity involving the copying of, use of, removal of, interference with, access to, or manipulation of computer systems and/or their related functions, data or programs
- Many go unreported because employees are involved or companies don’t want to hurt their reputation
Identity Theft

- Identity theft: crime in which an imposter obtains key pieces of personal information (SIN, driver’s license, credit card numbers) to impersonate someone else
- E-commerce sites are sources of customer personal information; with it, criminals are able to assume new identities and establish new credit for their own purposes
- Phishing: setting up fake websites or sending email messages that look like they come from legitimate businesses in order to ask users for confidential information
- Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet in order to capture passwords
- Pharming: phishing technique that redirects users to a bogus web page; done when criminals gain access to the IP address information stored by the ISP
Click Fraud

- Click fraud: when an individual or computer program fraudulently clicks on an online ad without any intent of learning more about the advertiser (usually done by a competitor)
- Goal is to weaken the company by driving up its advertising costs
Global Threats: Cyberterrorism and Cyberwarfare

- Concern about digital attacks by terrorists, foreign intelligence services, or other groups seeking to create widespread disruption and harm

Internal Threats: Employees

- Lack of user knowledge is the single greatest cause of network security breaches
- Social engineering: intruders trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information

Software Vulnerability

- Software vulnerabilities revolve around hidden bugs (program code defects)
- Because of the complexity of decision-making code, zero defects cannot be achieved in large programs
- Flaws in commercial software impede performance and create security vulnerabilities
- Patches: small pieces of software that repair flaws without disturbing the proper operation of the software
8.2 Business Value of Security and Control

- When the security of a firm is compromised, the company loses around 2.1% of its market value within 2 days of the security breach (avg. $1.65 billion in stock market value)
- Inadequate security and control may result in serious legal liability
  o E.g. businesses must protect the information of their suppliers and customers; failure to do so could result in litigation
- Strong security and control also increase employee productivity and lower operational costs
- C-SOX: Act passed by Parliament that imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
  o Passed in response to the Sarbanes-Oxley Act
- Computer forensics: scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law
8.3 Establishing a Framework for Security and Control

Information Systems Controls

- General controls: controls that govern the design, security, and use of computer programs and the security of data files throughout the organization’s IT infrastructure
  o Apply to all computerized applications and consist of a combination of hardware, software and manual procedures that create an overall control environment
- Application controls: controls that are unique to each computerized application (e.g. payroll or order processing)
  o Input controls: check data for accuracy and completeness when they are entered into the system
  o Process controls: establish that data are complete and accurate during updating
  o Output controls: ensure that the results of computer processing are accurate, complete and properly distributed
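The three kinds of application control, carried through a small payroll batch as an added example (not code from the notes or the textbook): the batch, its employee-id format, the plausible-hours range and the department's control totals are all constructed for illustration. Input controls reject individual records, process controls reconcile what was received against the control totals the submitting department attached, and output controls attach a checksum the recipient can verify before distribution.

```python
import hashlib
import re
from decimal import Decimal

# Constructed payroll batch (hypothetical employees); the last three records carry typical input errors
PAYROLL_BATCH = [
    {"emp_id": "E1001", "hours": "40", "rate": "25.00"},
    {"emp_id": "E1002", "hours": "38", "rate": "30.50"},
    {"emp_id": "1003",  "hours": "40", "rate": "22.00"},   # malformed employee id
    {"emp_id": "E1004", "hours": "95", "rate": "20.00"},   # hours outside the plausible range
    {"emp_id": "E1005", "hours": "",   "rate": "18.00"},   # missing field
]
# Batch header attached by the submitting department: the control totals processing must reproduce
BATCH_HEADER = {"record_count": 5, "hours_total": "213"}

EMP_ID = re.compile(r"^E\d{4}$")      # assumed id format
MAX_HOURS = Decimal("80")             # assumed upper bound for one pay period


def input_controls(batch):
    """Input controls: completeness, format and range checks as data enter the system.
    Returns (accepted records, list of (record, reasons) rejected)."""
    accepted, rejected = [], []
    for rec in batch:
        reasons = []
        if not all(rec.get(f) for f in ("emp_id", "hours", "rate")):
            reasons.append("incomplete record")
        elif not EMP_ID.match(rec["emp_id"]):
            reasons.append("employee id has wrong format")
        elif not Decimal("0") <= Decimal(rec["hours"]) <= MAX_HOURS:
            reasons.append("hours out of range")
        if reasons:
            rejected.append((rec, reasons))
        else:
            accepted.append(rec)
    return accepted, rejected


def process_controls(batch, header):
    """Process controls: run-to-run control totals (record count and hash total of hours) over
    what was received versus what the department attached. A mismatch means records were lost,
    duplicated or altered between input and update, and the run must be reconciled first."""
    count = len(batch)
    hours = sum((Decimal(r["hours"] or "0") for r in batch), Decimal("0"))
    return {"received_count": count, "received_hours": hours,
            "count_matches": count == header["record_count"],
            "hours_total_matches": hours == Decimal(header["hours_total"])}


def output_controls(accepted):
    """Output controls: pay lines with a batch total and a checksum that the recipient verifies
    before the report is used or distributed further."""
    lines, total = [], Decimal("0")
    for r in accepted:
        pay = Decimal(r["hours"]) * Decimal(r["rate"])
        total += pay
        lines.append(f"{r['emp_id']},{pay:.2f}")
    checksum = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    return {"lines": lines, "total": total, "checksum": checksum}


def verify_output(report):
    """Recipient side of the output control: recompute the checksum over the received lines."""
    return hashlib.sha256("\n".join(report["lines"]).encode()).hexdigest() == report["checksum"]


def run_payroll(batch, header):
    """Full control chain; a batch whose control totals do not reconcile is not released."""
    accepted, rejected = input_controls(batch)
    checks = process_controls(batch, header)
    reconciled = checks["count_matches"] and checks["hours_total_matches"]
    return {"rejected": rejected, "checks": checks,
            "report": output_controls(accepted) if reconciled else None}
```

On the sample batch the process controls pass (nothing was lost in transit, so the header still reconciles) while three records fail input controls and are reported back for correction; dropping a record from the batch before processing makes both control totals disagree and the run is withheld.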
Risk Assessment

- Risk assessment: determination of the level of risk to the firm if a specific activity or process is not properly controlled
- Once the risks have been assessed, system developers concentrate on the control points with the greatest vulnerability and potential for loss

Security Policy

- Security policy: statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals
- Acceptable-use policy (AUP)
- Authorization policies: different levels of access to information assets for different levels of users
  o Authorization management systems: systems that establish where and when a user is permitted to access certain parts of a website or corporate database
Disaster Recovery Planning

- Disaster recovery planning: planning for the restoration of computing and communications services after they have been disrupted
  o Covers which files to back up and the maintenance of backup computer systems or disaster recovery services
- Business continuity planning: how the company can restore business operations after a disaster strikes
  o Identifies critical business processes and action plans for mission-critical functions
- Plans must be tested to make sure they work

The Role of Auditing

- MIS audit: examination of the firm’s overall security environment as well as the controls governing individual information systems
- Security audits review technologies, procedures, documentation, training and personnel
  o An audit may simulate an attack to test the response of the technology, staff and business employees
8.4 Technologies and Tools for Safeguarding Information Resources

Access Control

- Access control: all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
  o Authentication: ability to know that a person is who they claim to be (e.g. use of passwords)
  o Token: physical device, similar to an identification card, that is designed to prove the identity of a single user
  o Smart card: device about the size of a credit card that contains a chip formatted with access permissions (a reader interprets the data and allows or denies the card)
  o Biometric authentication: uses systems that read and interpret individual human traits (i.e. fingerprints, irises, voices)
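Password authentication as defined here, followed by the authorization policy from section 8.3 (different levels of access for different levels of users), as an added example that is not code from the notes or the textbook. The user accounts, their fixed salts (used only to make the run repeatable), the roles and the permission names are all constructed. Passwords are stored as salted PBKDF2 digests rather than in clear, the comparison is constant-time, and an unknown username costs the same hashing work as a real one so that the login step does not reveal which accounts exist.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000           # PBKDF2 work factor; raise it as hardware gets faster
DUMMY_SALT = bytes(16)         # used so unknown users cost the same time as real ones


def make_credential(password, salt=None):
    """Store a salted PBKDF2-SHA256 digest, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (hypothetical accounts); fixed salts here only so the example is repeatable
USERS = {
    "alice": make_credential("correct horse battery", salt=b"alice-salt-00001"),
    "bob": make_credential("hunter2 is not enough", salt=b"bob-salt-0000002"),
}

# Authorization policy: what each level of user may do (constructed example)
PERMISSIONS = {
    "clerk":   {"payroll:read"},
    "manager": {"payroll:read", "payroll:update"},
    "auditor": {"payroll:read", "audit_log:read"},
}
ROLES = {"alice": "manager", "bob": "clerk"}


def authenticate(store, username, password):
    """Authentication: is this person who they claim to be? Constant-time comparison, and the
    same amount of hashing work whether or not the username exists."""
    salt, expected = store.get(username, (DUMMY_SALT, None))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return expected is not None and hmac.compare_digest(digest, expected)


def authorize(username, permission):
    """Authorization: does the authenticated user's level include this permission?"""
    return permission in PERMISSIONS.get(ROLES.get(username, ""), set())


def access(store, username, password, permission):
    """Authenticate first, then authorize; the two are separate controls and fail separately."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not permitted"
    return "granted"
```

A clerk with a valid password is still refused `payroll:update`, which is the point of keeping authorization distinct from authentication: proving who you are does not by itself decide what you may do.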
Firewalls, Intrusion Detection Systems, and Antivirus Software

Firewalls

- Firewall: combination of hardware and software that controls the flow of incoming and outgoing network traffic
  o Prevents unauthorized users from accessing private networks by examining each user’s credentials before access is granted to a network
- Packet filtering: examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet
- Stateful inspection: provides additional security by determining whether packets are part of an ongoing dialogue between sender and receiver
- Network Address Translation (NAT): conceals the IP addresses of the organization’s internal host computer(s) to prevent sniffer programs outside the firewall from ascertaining them and using that information to penetrate internal systems
- Application proxy filtering: a proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall
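Packet filtering, stateful inspection and NAT working together on a handful of packets, as an added simulation that is not code from the notes or the textbook. The internal network, the gateway's public address, the rule set and the two published services are constructed assumptions. The third packet of the scenario is the instructive one: NAT alone would map an outsider's probe of a translated port back to the internal host, and only the stateful check (the packet is not a reply to a dialogue an inside host started) stops it.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True on the first packet of a new TCP connection


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # hypothetical trusted network
PUBLIC_IP = "198.51.100.1"                       # hypothetical public address of the gateway
# Published services: public port -> internal server (constructed example)
STATIC_NAT = {443: ("10.0.0.80", 443), 25: ("10.0.0.25", 25)}
# Packet-filter policy on header fields only: (direction, destination port or None for any, action)
RULES = [("in", 443, "allow"), ("in", 25, "allow"), ("in", None, "deny"), ("out", None, "allow")]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def packet_filter(pkt):
    """Stateless packet filtering: the first rule matching direction and destination port decides."""
    direction = "out" if is_internal(pkt.src) else "in"
    for rule_dir, port, action in RULES:
        if rule_dir == direction and port in (None, pkt.dport):
            return action
    return "deny"


class Gateway:
    """NAT plus stateful inspection layered over the packet filter."""

    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport) of dialogues started from inside
        self.nat = {}           # public port -> (internal address, internal port)
        self.next_port = 40000

    def _hide_source(self, pkt):
        """Outbound NAT: rewrite the internal source to the gateway's public address and port."""
        for port, inner in self.nat.items():
            if inner == (pkt.src, pkt.sport):
                break
        else:
            port, self.next_port = self.next_port, self.next_port + 1
            self.nat[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=port)

    def _reveal_destination(self, pkt):
        """Inbound NAT: map a public port back to an internal host, or None if no host owns it."""
        if pkt.dst != PUBLIC_IP:
            return None
        target = STATIC_NAT.get(pkt.dport) or self.nat.get(pkt.dport)
        return replace(pkt, dst=target[0], dport=target[1]) if target else None

    def handle(self, pkt):
        """Return (decision, packet as it would be forwarded) for one packet crossing the gateway."""
        if is_internal(pkt.src):
            decision = packet_filter(pkt)
            if decision == "allow" and pkt.syn:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return decision, (self._hide_source(pkt) if decision == "allow" else None)
        inner = self._reveal_destination(pkt)
        if inner is None:
            return "deny", None
        # Stateful inspection: replies to a dialogue an inside host started are allowed even
        # though no static rule admits their destination port.
        if (inner.dst, inner.dport, inner.src, inner.sport) in self.sessions:
            return "allow", inner
        decision = packet_filter(inner)
        return decision, (inner if decision == "allow" else None)


def run_scenario():
    """Five packets that exercise each mechanism; returns the list of decisions."""
    gw = Gateway()
    steps = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True),   # inside host opens a web session
        Packet("203.0.113.10", 80, PUBLIC_IP, 40000),               # server replies to the NAT address
        Packet("203.0.113.99", 80, PUBLIC_IP, 40000),               # stranger probes the same NAT port
        Packet("203.0.113.99", 50001, PUBLIC_IP, 443, syn=True),    # unsolicited but published service
        Packet("203.0.113.99", 50002, PUBLIC_IP, 3389, syn=True),   # unsolicited and unpublished
    ]
    return [gw.handle(p)[0] for p in steps]
```

The scenario yields allow, allow, deny, allow, deny. The outside world only ever sees 198.51.100.1, which is what the notes mean by NAT concealing internal addresses from sniffers outside the firewall.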
Intrusion Detection Systems

- Intrusion detection systems: tools that monitor the most vulnerable points in a network to detect and deter unauthorized intruders

Antivirus and Antispyware Software

- Antivirus software: software designed to detect, and often eliminate, computer viruses from an information system

Unified Threat Management Systems

- Unified threat management (UTM): comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks (VPNs), intrusion detection systems, and Web content filtering and anti-spam software
Securing Wireless Networks

- WEP (Wired Equivalent Privacy)
- Assign a unique name to the network’s SSID and instruct the router not to broadcast it
- Use Wi-Fi in conjunction with VPNs
- June 2004: Wi-Fi Protected Access 2 (WPA2)
Encryption and Public Key Infrastructure

- Encryption: process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver
- Two methods for encrypting network traffic on the Web:
  o Secure Sockets Layer (SSL): enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session
    * Successor: Transport Layer Security (TLS)
  o Secure Hypertext Transfer Protocol (S-HTTP): another protocol used for encrypting data flowing over the Internet, but limited to individual messages
- SSL and TLS are designed to establish a secure connection between 2 computers
- Two alternative methods of encryption:
  o Symmetric key encryption: a single encryption key is created and sent to the receiver, so sender and receiver share the same key
    * But this means the key has to be shared somehow between sender and receiver, which exposes it to outsiders who may be able to intercept it and decrypt the traffic
  o Public key encryption: uses two keys, one shared (or public) and one private
    * Public key is used to encrypt the message (sender)
    * Private key is used to decrypt the data (receiver)
- Digital certificates: data files used to establish the identity of users and electronic assets for protection of online transactions
  o Issued by a trusted third party, the certificate authority (CA)
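The two encryption methods side by side, as an added example that is not code from the notes or the textbook. The symmetric half is a toy stream cipher built from SHA-256 (an assumption for illustration, not a real cipher) that only works when both sides hold the same key. The public-key half is textbook RSA with the deliberately tiny primes 61 and 53, which shows the mechanism but has no security. The last two functions show how the two are combined in practice, the approach SSL/TLS takes: the sender wraps a fresh symmetric session secret with the receiver's public key, which removes the key-sharing problem the notes raise.

```python
import hashlib
from math import gcd


# --- Symmetric key: one secret that both sides must hold ---------------------------------
def keystream(key, length):
    """Toy keystream: SHA-256 of key||counter, for illustration only (real systems use AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, data):
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))


symmetric_decrypt = symmetric_encrypt     # XOR undoes itself, provided the same key is used


# --- Public key: textbook RSA with tiny numbers, to show the two-key mechanism only ------
def rsa_keypair(p, q, e):
    """Public key (e, n) is published; private key (d, n) stays with its owner."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(public_key, m):
    e, n = public_key
    return pow(m, e, n)                   # anyone holding the public key can do this (sender)


def rsa_decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)                   # only the private-key holder can do this (receiver)


# --- Hybrid: solve the key-sharing problem of symmetric encryption with the public key ---
def send(recipient_public, message, session_secret):
    """Sender wraps a fresh symmetric session secret with the recipient's public key and
    encrypts the bulk message symmetrically. session_secret must be below n (here 3233)."""
    wrapped = rsa_encrypt(recipient_public, session_secret)
    return wrapped, symmetric_encrypt(session_secret.to_bytes(2, "big"), message)


def receive(recipient_private, wrapped, ciphertext):
    """Receiver recovers the session secret with the private key, then decrypts the message."""
    secret = rsa_decrypt(recipient_private, wrapped)
    return symmetric_decrypt(secret.to_bytes(2, "big"), ciphertext)
```

With p = 61, q = 53 and e = 17 the private exponent is d = 2753, and the message 65 encrypts to 2790 and decrypts back to 65. Note that nothing here authenticates the public key: that is what the digital certificate and the CA in the notes supply, otherwise a sender could be handed an impostor's key.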
Ensuring System Availability

- Minimize downtime
  o Fault-tolerant computer systems
  o Redundant hardware, software and power supply
- High-availability computing
  o Backup servers, distribution of processing across multiple servers, high-capacity storage, good disaster recovery and business continuity plans
- Recovery-oriented computing: designing systems that recover quickly, pinpoint the sources of faults in multi-component systems, and easily correct their mistakes
- Deep-packet inspection (DPI): examines data files and sorts out low-priority online material while assigning higher priority to business-critical files
- Managed security service providers (MSSPs): outsourced companies that monitor network activity and perform vulnerability testing and intrusion detection
Ensuring Software Quality

- Software metrics
- Rigorous testing
  o Walkthrough
  o Debugging