1. Why systems are vulnerable

Computer system vulnerabilities exist because programmers fail to fully understand
the inner programs. While designing and programming, programmers don't really take
into account all aspects of computer systems and this, in turn, causes computer system
vulnerability.

Threats to computerized information systems include hardware and software failure; user
errors; physical disasters such as fire or power failure; theft of data, services, and
equipment; unauthorized use of data; and telecommunications disruptions. On-line systems
and telecommunications are especially vulnerable because data and files can be
immediately and directly accessed through computer terminals or at points in the
telecommunications network.

• Accessibility of networks

• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)

• Software problems (programming errors, installation errors, unauthorized changes)

• Use of networks/computers outside of firm’s control

• Loss and theft of portable devices


INTERNET VULNERABILITIES

Large public networks such as the Internet are more vulnerable than internal networks
because they are virtually open to anyone. The Internet is so huge that when abuses do
occur, they can have an enormously widespread impact. When the Internet becomes part of
the corporate network, the organization’s information systems are even more vulnerable to
actions from outsiders.

Computers that are constantly connected to the Internet by cable modems or Digital
Subscriber Line (DSL) are more open to penetration by outsiders because they use fixed
Internet addresses where they can be easily identified. (With dial-up service, a temporary
Internet address is assigned for each session.) A fixed Internet address creates a fixed
target for hackers.

Telephone service based on Internet technology (see Chapter 8) can be more
vulnerable than the switched voice network if it does not run over a secure private network.
Most Voice over IP (VoIP) traffic over the public Internet is not encrypted, so anyone linked
to a network can listen in on conversations. Hackers can intercept conversations to obtain
credit card and other confidential personal information or shut down voice service by
flooding servers supporting VoIP with bogus traffic.

Vulnerability has also increased from widespread use of e-mail and instant
messaging (IM). E-mail can contain attachments that serve as springboards for malicious
software or unauthorized access to internal corporate systems. Employees may use e-mail
messages to transmit valuable trade secrets, financial data, or confidential customer
information to unauthorized recipients. Popular instant messaging applications for
consumers do not use a secure layer for text messages, so they can be intercepted and
read by outsiders during transmission over the public Internet. IM activity over the Internet
can in some cases be used as a back door to an otherwise secure network. (IM systems
designed for corporations, such as IBM’s SameTime, include security features.)

• Attachments with malicious software, downloading, sharing
• Transmitting trade secrets
• IM messages lack security, can be easily intercepted

WIRELESS SECURITY CHALLENGES

• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
  – Identify access points, broadcast multiple times, can be identified by sniffer programs
• War driving
  – Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources
  – Once access point is breached, intruder can gain access to networked drives and files
• Rogue access points

Wireless networks using radio-based technology are even more vulnerable to penetration
because radio frequency bands are easy to scan. Although the range of Wireless Fidelity
(Wi-Fi) networks is only several hundred feet, it can be extended up to one-fourth of a mile
using external antennae. Local area networks (LANs) that use the 802.11b (Wi-Fi) standard
can be easily penetrated by outsiders armed with laptops, wireless cards, external
antennae, and freeware hacking software. Hackers use these tools to detect unprotected
networks, monitor network traffic, and in some cases, gain access to the Internet or to
corporate networks.

Wi-Fi transmission technology uses spread spectrum transmission in which a signal
is spread over a wide range of frequencies, and the particular version of spread spectrum
transmission used in the 802.11 standard was designed to make it easier for stations to find
and hear one another. The service set identifiers (SSID) identifying the access points in a
Wi-Fi network are broadcast multiple times and can be picked up fairly easily by intruders’
sniffer programs. Wireless networks in many locations do not have basic protections against
war driving, in which eavesdroppers drive by buildings or park outside and try to intercept
wireless network traffic.
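
A defender's view of the SSID broadcast described above, as an added example that is not part of the original notes: it parses constructed 802.11 beacon frames, showing that the SSID and BSSID are readable without any key, and flags beacons that use the corporate network name from an unlisted BSSID (treated here as a rogue access point) or without the privacy bit set. The SSID `CorpNet`, the MAC addresses and the `AUTHORIZED` inventory are assumptions.

```python
import struct
# Constructed inventory of the organisation's own access points (assumption).
AUTHORIZED = {"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:66"}}

def build_beacon(bssid, ssid, privacy):
    """Build a minimal, constructed 802.11 beacon frame for this demo."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)  # bit 4 = Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)   # timestamp, interval, caps
    name = ssid.encode()
    return header + fixed + bytes([0, len(name)]) + name  # element ID 0 = SSID

def parse_beacon(frame):
    """Read BSSID, SSID and the Privacy bit; all are sent unencrypted."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = None, 36
    while pos + 2 <= len(frame):          # walk the tagged information elements
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if eid == 0:
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(capability & 0x0010)}

def audit(frames):
    """Flag corporate SSIDs seen from unlisted BSSIDs or without encryption."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        known = AUTHORIZED.get(ap["ssid"])
        if known is None:
            continue                       # not our network name: ignore
        if ap["bssid"] not in known:
            findings.append(("rogue-ap", ap["bssid"]))
        elif not ap["privacy"]:
            findings.append(("unencrypted", ap["bssid"]))
    return findings

SAMPLE = [build_beacon("00:11:22:33:44:55", "CorpNet", True),
          build_beacon("00:11:22:33:44:66", "CorpNet", False),
          build_beacon("de:ad:be:ef:00:01", "CorpNet", True),
          build_beacon("0a:0b:0c:0d:0e:0f", "CoffeeShop", False)]
```

A BSSID can be forged, so an inventory match is a first filter rather than proof that an access point is legitimate.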

Internal Threats: Employees

• Security threats often originate inside an organization
• Inside knowledge
• Sloppy security procedures
  – User lack of knowledge
• Social engineering
• Both end users and information systems specialists are sources of risk

We tend to think that security threats to a business originate outside the organization. In fact, the
largest financial threats to business institutions come from insiders. Some of the largest
disruptions to service, destruction of e-commerce sites, and diversion of customer credit data and
personal information have come from insiders—once trusted employees. Employees have access
to privileged information, and in the presence of sloppy internal security procedures, they are
often able to roam throughout an organization’s systems without leaving a trace.

Studies have found that users’ lack of knowledge is the single greatest cause of network
security breaches. Many employees forget their passwords to access computer systems or allow
other coworkers to use them, which compromises the system. Malicious intruders seeking system
access sometimes trick employees into revealing their passwords by pretending to be legitimate
members of the company in need of information. This practice is called social engineering.

Employees—both end users and information systems specialists—are also a major source
of errors introduced into an information system. Employees can introduce errors by entering
faulty data or by not following the proper instructions for processing data and using computer
equipment. Information systems specialists can also create software errors as they design and
develop new software or maintain existing programs.

Software Vulnerability

Software errors are also a threat to information systems and cause untold losses in
productivity. Hidden bugs or program code defects, unintentionally overlooked by
programmers working with thousands of lines of programming code, can cause performance
issues and security vulnerabilities.

Software errors also pose a constant threat to information systems, causing untold losses in
productivity.

A major problem with software is the presence of hidden bugs, or program code
defects. Studies have shown that it is virtually impossible to eliminate all bugs from large
programs. The main source of bugs is the complexity of decision-making code. Important
programs within most corporations may contain tens of thousands or even millions of lines
of code, each with many alternative decision paths. Such complexity is difficult to document
and design—designers may document some reactions incorrectly or may fail to consider
some possibilities. Even after rigorous testing, developers do not know for sure that a piece
of software is dependable until the product proves itself after much operational use.

2. Types of Malicious Software

Malware is an umbrella term for any piece of software that has malicious
intent. There are several types of malware, and each of them has a unique
way of infiltrating a computer, which may include attempts at gaining
unauthorized control of computer systems, stealing personal information,
encrypting important files, or causing other harm to computers. Sometimes
the damage can be irrevocable.

• Malware (malicious software)
• Viruses
• Worms
• Mobile device malware
• Trojan horse
• Ransomware
• Spyware

1. Ransomware

Ransomware is software that uses encryption to disable a target’s access to its data
until a ransom is paid. The victim organization is rendered partially or totally unable
to operate until it pays, but there is no guarantee that payment will result in the
necessary decryption key or that the decryption key provided will function properly.

2. Spyware

Spyware collects information about users’ activities without their knowledge or
consent. This can include passwords, PINs, payment information and unstructured
messages.

The use of spyware is not limited to the desktop browser: it can also operate in a
critical app or on a mobile phone.

3. Trojan

A Trojan disguises itself as desirable code or software. Once downloaded by
unsuspecting users, the Trojan can take control of victims’ systems for malicious
purposes. Trojans may hide in games, apps, or even software patches, or they may
be embedded in attachments included in phishing emails.

4. Worms

Worms target vulnerabilities in operating systems to install themselves into
networks. They may gain access in several ways: through backdoors built into
software, through unintentional software vulnerabilities, or through flash drives.
Once in place, worms can be used by malicious actors to launch DDoS attacks,
steal sensitive data, or conduct ransomware attacks.

5. Virus

Viruses are designed to damage the target computer or device by corrupting
data, reformatting your hard disk, or completely shutting down your system. They
can also be used to steal information, harm computers and networks, create
botnets, steal money, render advertisements, and more.
Computer viruses require human action to infect computers and mobile devices
and are often spread through email attachments and internet downloads.

A virus is a piece of code that inserts itself into an application and executes when
the app is run. Once inside a network, a virus may be used to steal sensitive data,
launch DDoS attacks or conduct ransomware attacks.

6. Mobile Malware

Attacks targeting mobile devices have risen 50 percent since last year. Mobile
malware threats are as various as those targeting desktops and include Trojans,
ransomware, advertising click fraud and more. They are distributed through phishing
and malicious downloads and are a particular problem for jailbroken phones, which
tend to lack the default protections that were part of those devices’ original
operating systems.

3. Why are information systems so essential for running and managing a
business today? List and describe six reasons why information systems
are so important for business today.

Six reasons why information systems are so important for business today
include:

(1) Operational excellence
(2) New products, services, and business models
(3) Customer and supplier intimacy
(4) Improved decision making
(5) Competitive advantage
(6) Survival

• Operational excellence: Businesses continuously seek to improve the efficiency of their
operations in order to achieve higher profitability. Information systems and technologies are some
of the most important tools available to managers for achieving higher levels of efficiency and
productivity in business operations, especially when coupled with changes in business practices and
management behavior.

• New products, services, and business models
Information systems and technologies are a major
enabling tool for firms to create new products and services, as well as entirely new business
models. A business model describes how a company produces, delivers, and sells a product or
service to create wealth. Today’s music industry is vastly different from the industry a decade
ago. Apple Inc. transformed an old business model of music distribution based on records,
tapes, and CDs into an online, legal distribution model based on its own iPod technology
platform. Apple has prospered from a continuing stream of iPod innovations, including the iPod,
the iTunes music service, the iPad, and the iPhone.

• Customer and supplier intimacy
When a business really knows its customers, and serves them well, the customers generally
respond by returning and purchasing more. This raises revenues and profits. Likewise with
suppliers: the more a business engages its suppliers, the better the suppliers can provide vital
inputs. The Mandarin Oriental in Manhattan and other high-end hotels exemplify the use of
information systems and technologies to achieve customer intimacy. These hotels use
computers to keep track of guests’ preferences, such as their preferred room temperature,
check-in time, frequently dialed telephone numbers, and television programs, and store these
data in a large data repository. Individual rooms in the hotels are networked to a central
network server computer so that they can be remotely monitored or controlled. When a
customer arrives at one of these hotels, the system automatically changes the room conditions,
such as dimming the lights, setting the room temperature, or selecting appropriate music, based
on the customer’s digital profile. The hotels also analyze their customer data to identify their
best customers and to develop individualized marketing campaigns based on customers’
preferences.

• Improved decision making
Information systems assist managers in making informed decisions with the help of
real-time data. Continuously making informed decisions improves decision power and
avoids wasted time looking for information. Many business managers operate in an
information fog bank, never really having the right information at the right time to make an
informed decision. Instead, managers rely on forecasts, best guesses, and luck. The result is over
or underproduction of goods and services, misallocation of resources, and poor response times.
These poor outcomes raise costs and lose customers. In the past decade, information systems
and technologies have made it possible for managers to use real-time data from the
marketplace when making decisions.

• Competitive advantage
When firms achieve one or more of these business objectives—operational excellence; new
products, services, and business models; customer/supplier intimacy; and improved decision
making—chances are they have already achieved a competitive advantage.

• Survival
Business firms also invest in information systems and technologies because they are necessities
of doing business. Sometimes these “necessities” are driven by industry-level changes. For
instance, after Citibank introduced the first automated teller machines (ATMs) in the New York
region in 1977 to attract customers through higher service levels, its competitors rushed to
provide ATMs to their customers to keep up with Citibank. Today, virtually all banks in the
United States have regional ATMs and link to national and international ATM networks, such as
CIRRUS. Providing ATM services to retail banking customers is simply a requirement of being in
and surviving in the retail banking business.
