Chapter 15

Managing Information
Resources and Security

Information Technology For Management 4th Edition

Turban, McLean, Wetherbe
Lecture Slides by A. Lekacos,
Stony Brook University
John Wiley & Sons, Inc.
Chapter 15 1
IS Vulnerability
Information resources (physical resources, data, software, procedures,
and other information resources) are scattered throughout the firm.
Information is transmitted to and from the firm’s components.
Therefore vulnerabilities exist at many points and at any time.

Chapter 15 2
System Vulnerability
{ A universal vulnerability is a state in a computing system
which either: allows an attacker to execute commands as
another user; allows an attacker to access data that is
contrary to the access restrictions for that data; allows an
attacker to pose as another entity; or allows an attacker to
conduct a denial of service.
{ An exposure is a state in a computing system (or set of
systems) which is not a universal vulnerability, but either:
allows an attacker to conduct information gath-ering
activities; allows an attacker to hide activities; includes a
capability that behaves as expected, but can be easily
compromised; is a primary point of entry that an attacker
may attempt to use to gain access to the system or data;
and is considered a problem according to some reasonable
security policy.

Chapter 15 3
System Vulnerability Continued
The vulnerability of information systems is increasing as we move
to a world of networked and especially wireless computing.
Theoretically, there are hundreds of points in a corporate
information system that can be subject to some threats.

{ These threats can be classified as:

z Unintentional
{ Human errors
{ Environmental hazards
{ Computer system failures
z Intentional
{ Theft of data
{ Inappropriate use of data
{ Theft of mainframe com-puter time
{ Theft of equipment and/or programs

Chapter 15 4
System Vulnerability Continued
z Intentional continued

{ Deliberate manipulation in handling

{ Entering data
{ Processing data
{ Transferring data
{ Programming data
{ Labor strikes
{ Riots
{ Sabotage
{ Malicious damage to computer resources
{ Destruction from viruses and similar attacks
{ Miscellaneous computer abuses
{ Internet fraud.
{ Terrorists’ attack

Chapter 15 5
Programming Attack – One method
Programming attack is implemented through the modification of a
computer program.

Chapter 15 6
Viruses – One method
The most common attack method is the virus a program that
attaches itself to (“infect”) other computer programs, without the
owner of the program being aware of the infection. It spreads,
causing damage to that program and possibly to others. When a
virus is attached to a legitimate software program, the legitimate
software is acting as a Trojan horse, a program that contains a
hidden function.

Chapter 15 7
Protecting Information Resources
Information security problems are increasing rapidly, causing
damage to many organizations. Protection is expensive and
complex. Therefore, companies must not only use controls to
prevent and detect security problems, they must do so in an
organized manner. An approach similar to TQM (total quality
management) would have the following characteristics:
{ Aligned. The program must be aligned with organizational goals.
{ Enterprisewide. Everyone in the organization must be included.
{ Continuous. The program must be operational all the time.
{ Proactive. Use innovative, preventive, and protective measures.
{ Validated. The program must be tested to ensure it works.
{ Formal. It must include authority, responsibility & accountability.

Chapter 15 8
Corporate Security Plan - Protecting

Chapter 15 9
Difficulties - Protecting

Chapter 15 10
Defense Strategy - Protecting
Knowing about potential threats to IS is necessary, but
understanding ways to defend against these threats is equally
critical. Because of its importance to the entire enterprise,
organizing an appropriate defense system is one of the major
activities of the CIO. It is accomplished by inserting controls
(defense mechanisms) and developing awareness.

{ The major objectives of a defense strategy are:

1. Prevention and deterrence.
2. Detection.
3. Limitation of damage.
4. Recovery.
5. Correction
6. Awareness and compliance

Chapter 15 11
Defense Strategy - Controls
Any defense strategy involves the use of several controls. These
controls are divided into two categories general controls that
protect the system regardless of the specific application and
application controls that safeguard specific applications.

General Application

Chapter 15 12
Defense Strategy – Internet Security
Over the Internet, messages are sent from one computer to
another. This makes the network difficult to protect, since there
are many points to tap into the network.

Web Attack Threats

Chapter 15 13
Defense Strategy – Internet Security
The major objective of border security is access control. Then
authentication or proof of identity and finally authorization
which determine the action or activities a user is allowed to
perform.

Security Layers
Chapter 15 14
Chapter 15
Copyright © 2003 John Wiley & Sons, Inc. All rights
reserved. Reproduction or translation of this work
beyond that permitted in Section 117 of the 1976
United States Copyright Act without the express
written permission of the copyright owner is
unlawful. Request for further information should be
addressed to the Permissions Department, John
Wiley & Sons, Inc. The purchaser may make back-
up copies for his/her own use only and not for
distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages,
caused by the use of these programs or from the
use of the information contained herein.

Chapter 15 15