
Chapter 8

➢ Reasons for Vulnerabilities


● Vulnerability of Systems
❖ Using the internet without a firewall or antivirus could cause the computer to be disabled for
days, affecting business activity. Outsiders could intrude to steal or destroy data; you
may not be able to recover it.
❖ Thus security and control should be a top priority.
❖ Security – policies, procedures and technical measures used to prevent unauthorized
access, alteration, theft or physical damage to information.
❖ Controls – methods, policies and organizational procedures that ensure safety of
organization’s assets, the accuracy and reliability of its records and operational
adherence to management standards.
❖ Interconnected systems increase vulnerability of data towards threats.
❖ In multitier client/server computing the following can serve as vulnerable stages
1) Users (unauthorized access, theft, alteration of data)
2) Radiation
3) Intruders (denial of service attacks, theft, penetration)
4) System malfunction and errors (not configured properly, improper use)
5) Domestic and offshore partnering (lack of strong safeguards)
6) Portable devices (easy penetration)
❖ Internet Vulnerabilities
1) Large public networks, virtually open, can have enormously widespread impact
if attacked.
2) VoIP (not encrypted), email (attachments), IM (lack of secure layer), P2P file
sharing (illegal downloads may transmit malicious software) have increased
vulnerability.
❖ Wireless Security Challenges
1) Bluetooth, Wi-Fi and LANs are vulnerable because radio frequency bands are easy to scan.
2) Hackers detect unprotected software, monitor it and may gain access.
3) Service Set Identifiers (SSIDs) identifying access points are broadcast and can be used
to access other resources on the network.
4) Wireless networks lack protection against war driving (eavesdropping)
capabilities.
5) Intruders can set up rogue access points in order to get names and passwords.
● Malicious Software
❖ Also called malware; includes a variety of threats.
❖ Computer Virus – rogue software program that attaches to software or data files, delivers a
payload and spreads from computer to computer by human action, over the internet
or through infected disks and machines.
❖ Worms – independent computer programs, copy themselves across computers on a
network, spread more rapidly, no human action required, spread over the internet.
❖ Drive-by Downloads – malware that a user downloads, intentionally or unintentionally, by visiting a web page.
❖ Trojan – appears benign, is not itself a virus, but provides a way for viruses or malicious code to
be introduced into the computer.
❖ Zeus Trojan – captures keystrokes, spread by Drive-by Downloads.
❖ SQL Injection Attacks – major threat, takes advantage of poorly coded web app software
which fails to validate properly or filter data the user enters on a webpage.
❖ Ransomware – extorts money from users.
❖ Keyloggers – record keystrokes.
❖ Spyware – installs itself on computers and monitors web activity.
❖ Mobile devices are the biggest security threat of the current time.
❖ Blogs, wikis and social networks are the new conduits for malware.
❖ Growth of the IoT has increased vulnerability.
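As an added illustration of the SQL Injection item above (example code written for these notes, not from the chapter): the "poorly coded" form pastes what the user typed straight into the SQL text, while the hardened form validates the input and passes it as a query parameter. The table, the rows and the malformed input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a web app's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def lookup_unsafe(conn, username):
    # The poorly coded form: the value typed on the web page is pasted straight
    # into the SQL text, so quote characters in it change the query's meaning.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the SQL
    # text, so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Input filter: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def lookup(conn, username):
    # Defence in depth: reject malformed input at the edge, then query safely.
    if not validate_username(username):
        raise ValueError("rejected username: %r" % (username,))
    return lookup_safe(conn, username)

if __name__ == "__main__":
    conn = make_db()
    malformed = "' OR '1'='1"  # constructed input containing SQL metacharacters
    print(lookup_unsafe(conn, "alice"))     # one row, as intended
    print(lookup_unsafe(conn, malformed))   # every row: the quote broke out of the literal
    print(lookup_safe(conn, malformed))     # []: compared literally, nothing matches
    print(validate_username(malformed))     # False: the filter rejects it before any query
```

The two defences are independent: the parameterized query alone already stops the input from being parsed as SQL, and the input filter additionally rejects values that could never be a real username, which is the "validate properly or filter data" step the notes describe.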
● Hackers and Computer Crime
❖ Hacker – individual gaining unauthorized access
❖ Cracker – has criminal intent
❖ Cybervandalism - intentional disruption, defacement or destruction of corporate
website or IS.
❖ Spoofing – hidden identities, redirecting links to wrong websites.
❖ Sniffer – eavesdropping program, monitors traffic across a network.
❖ Denial-of-Service (DoS) Attacks – hacker floods a network or web server with false
communications; a distributed DoS (DDoS) does the same using many computers.
❖ Botnets – networks of enslaved or zombie computers
❖ Computer Crime – violation of criminal law involving knowledge of computer technology
❖ Identity Theft – imposter obtains and misuses key pieces of information of another
individual, false credentials.
❖ Phishing – false or look-alike websites
❖ Evil Twins – phishing technique where a wireless network pretends to offer trustworthy
Wi-Fi connection
❖ Pharming - phishing technique of redirection to bogus websites
❖ Click Fraud – fraudulent clicks on online advertisements
❖ Cyberwarfare – state sponsored activities carried out with the help of non-state actors,
also involves defence against such attacks.
● Internal Threats – Employees
❖ Sloppy Internet Procedures
❖ Users' lack of knowledge
❖ Social Engineering – intruders pretend to be legitimate members and seek information
❖ End users – add faulty data, don’t follow instructions
❖ IS Specialists – create software errors while designing, developing or maintaining
● Software Vulnerability
❖ Bugs – zero defects are difficult and costly to achieve
❖ Zero-Day Vulnerabilities – holes in the software that are unknown to the creator
❖ Patch Management – creators make patches to deal with issues; it is up to the user to apply them.
➢ Business Value of Security and Control
● Firms are reluctant to invest because security is not directly linked to revenues, yet it is important.
● Valuable assets, put at risk, repercussions can lead to serious legal liabilities and can be
devastating with permanent effects.
● Legal and Regulatory Requirements
❖ HIPAA (health care related)
❖ Gramm-Leach-Bliley Act (financial institutions related)
❖ Sarbanes-Oxley Act (investors related)
● Electronic Evidence and Computer Forensics
❖ Evidence is largely digital; email is the most common form.
❖ Company records need to be kept, largely maintained digitally, may reside on computers
also as ambient data (not visible to average user).
❖ Computer Forensics – recovering data, securely storing recovered data, finding
significant information and presenting before the court
❖ Awareness of computer forensics is important for firms
➢ Organizational Framework of Security and Control
● IS Control
❖ General Control – govern the design, security and use of computer programs and the
security of data files across an organization. A combination of hardware, software and
manual procedures.
❖ Application Control – specific controls unique to each computerized application, which
include both manual and automated procedures. Includes the following, which are checked
for completeness and accuracy:
1) Input Controls (checks data)
2) Processing Controls (checks procedures)
3) Output Controls (checks results)
❖ Should not be an afterthought; controls need to be integrated into the design of the system.
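An added worked example of the three application controls listed above (example code written for these notes, not from the chapter): a small payroll batch runs through input controls (completeness, format and range checks on each record), processing controls (record count and hours control totals compared against the batch header) and output controls (the pay lines reconciled against the accepted input before release). The batch, its records and the control-total fields are constructed for the demonstration.

```python
from decimal import Decimal, InvalidOperation

MAX_WEEKLY_HOURS = Decimal("80")

# Constructed batch: three payroll records as they might arrive from a data-entry
# screen, plus the control totals the submitting department computed by hand.
PAYROLL_BATCH = {
    "expected_count": 3,
    "expected_hours": Decimal("112.0"),
    "records": [
        {"emp_id": "1001", "hours": "40.0", "rate": "25.00"},
        {"emp_id": "1002", "hours": "32.0", "rate": "30.50"},
        {"emp_id": "1003", "hours": "40.0", "rate": "22.00"},
    ],
}

def input_controls(record):
    """Input controls: completeness, format and range checks on one record.
    Returns a list of reasons for rejection (empty when the record is clean)."""
    errors = [f"missing {f}" for f in ("emp_id", "hours", "rate") if not record.get(f)]
    if errors:
        return errors
    if not record["emp_id"].isdigit():
        errors.append("emp_id not numeric")
    try:
        hours, rate = Decimal(record["hours"]), Decimal(record["rate"])
    except InvalidOperation:
        return errors + ["hours or rate not numeric"]
    if not Decimal("0") <= hours <= MAX_WEEKLY_HOURS:
        errors.append("hours out of range")
    if rate <= 0:
        errors.append("rate not positive")
    return errors

def processing_controls(batch, accepted):
    """Processing controls: the records actually processed must agree with the
    batch control totals, so a lost, duplicated or rejected record is noticed."""
    count_ok = len(accepted) == batch["expected_count"]
    hours_ok = sum(Decimal(r["hours"]) for r in accepted) == batch["expected_hours"]
    return count_ok and hours_ok

def compute_pay(accepted):
    return [(r["emp_id"], Decimal(r["hours"]) * Decimal(r["rate"])) for r in accepted]

def output_controls(accepted, pay_lines):
    """Output controls: reconcile the result with the input before release, here
    one pay line per accepted record and a gross total that recomputes correctly."""
    recomputed = sum(Decimal(r["hours"]) * Decimal(r["rate"]) for r in accepted)
    return len(pay_lines) == len(accepted) and sum(p for _, p in pay_lines) == recomputed

def run_batch(batch):
    """Run the three control layers over a batch and report what happened."""
    accepted, rejected = [], []
    for record in batch["records"]:
        errors = input_controls(record)
        if errors:
            rejected.append((record.get("emp_id"), errors))
        else:
            accepted.append(record)
    pay_lines = compute_pay(accepted)
    return {
        "accepted": len(accepted),
        "rejected": rejected,
        "processing_ok": processing_controls(batch, accepted),
        "output_ok": output_controls(accepted, pay_lines),
        "gross_total": sum(p for _, p in pay_lines),
    }

if __name__ == "__main__":
    print(run_batch(PAYROLL_BATCH))
    # Constructed variant: one record carries an impossible week, so the input
    # control rejects it and the batch control totals no longer balance.
    tampered = dict(PAYROLL_BATCH, records=[dict(r) for r in PAYROLL_BATCH["records"]])
    tampered["records"][1]["hours"] = "95.0"
    print(run_batch(tampered))
```

The point of the second run is that the layers back each other up: the input control rejects the bad record, and the processing control then flags the whole batch because its totals no longer match the header, so the discrepancy cannot slip through to output unnoticed.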
● Risk Assessment
❖ Determines the risk if a specific activity or process is not properly controlled
❖ Not all risks can be anticipated or measured
❖ Businesses need to determine the values of information assets, points of vulnerability,
likely frequency of problem and the potential damage that can be caused.
❖ System builders will concentrate on the points with the greatest vulnerabilities or potential
risks.
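An added worked example of the risk assessment described above (example code written for these notes, not from the chapter): each exposure is given a likely annual frequency and a range of potential damage, the expected annual loss is computed as frequency times average loss, and the exposures are ranked so control effort can concentrate on the greatest risks. The exposures and figures are constructed for the demonstration, and the cost-justification helper at the end is an added assumption (a control costing more per year than the loss it prevents is not worth buying).

```python
from decimal import Decimal

# Constructed exposures for a hypothetical order-processing system. Each carries
# the annual probability of occurrence and the plausible loss range per incident;
# the figures are illustrative, not taken from any real assessment.
EXPOSURES = [
    {"exposure": "Power failure", "probability": "0.30", "loss_low": 5000, "loss_high": 150000},
    {"exposure": "Embezzlement", "probability": "0.05", "loss_low": 1000, "loss_high": 50000},
    {"exposure": "User error", "probability": "0.98", "loss_low": 200, "loss_high": 30000},
]

def average_loss(low, high):
    # Potential damage per incident, taken as the midpoint of the loss range.
    return (Decimal(low) + Decimal(high)) / 2

def expected_annual_loss(probability, low, high):
    """Expected annual loss = likely frequency x potential damage."""
    return Decimal(probability) * average_loss(low, high)

def rank_exposures(exposures):
    """Return (exposure, expected annual loss) pairs ordered from greatest to
    least, so spending concentrates on the points with the greatest risk."""
    ranked = []
    for e in exposures:
        eal = expected_annual_loss(e["probability"], e["loss_low"], e["loss_high"])
        ranked.append((e["exposure"], eal))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked

def worth_controlling(exposures, annual_control_cost):
    """Assumed decision rule: only exposures whose expected annual loss exceeds
    the yearly cost of a control justify buying that control."""
    cost = Decimal(annual_control_cost)
    return [name for name, eal in rank_exposures(exposures) if eal > cost]

if __name__ == "__main__":
    for name, eal in rank_exposures(EXPOSURES):
        print(f"{name:<15} expected annual loss: {eal:,.2f}")
    print(worth_controlling(EXPOSURES, 10000))
```

Note how the ranking differs from a ranking by damage alone: embezzlement has a higher loss range than user error, but user error happens far more often and therefore ranks above it, which is exactly why the notes say frequency and damage must both be determined.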
● Security Policy
❖ Statement ranking information risks, identifying acceptable security goals and identifying
the mechanisms for achieving these goals.
❖ Acceptable Use Policy (AUP) – defines acceptable uses of the firm's information resources
and computing equipment; good ones define acceptable and unacceptable actions for
each user and specify consequences for noncompliance.
