● Vulnerability of Systems
 ❖ Using the internet without a firewall or antivirus could leave the computer disabled for days, affecting business activity. Outsiders could intrude to steal or destroy data, and you may not be able to recover it.
 ❖ Thus security and control should be a top priority.
 ❖ Security – policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information.
 ❖ Controls – methods, policies and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records and operational adherence to management standards.
 ❖ Interconnected systems increase the vulnerability of data to threats.
 ❖ In multitier client/server computing, the following can be vulnerable stages:
 1) Users (unauthorized access, stealth, alteration of data)
 2) Radiation
 3) Intruders (denial of service attacks, stealth, penetration)
 4) System malfunction and errors (not configured properly, improper use)
 5) Domestic and offshore partnering (lack of strong safeguards)
 6) Portable devices (easy penetration)
 ❖ Internet Vulnerabilities
 1) Large public networks are virtually open, so an attack on them can have an enormously widespread impact.
 2) VoIP (not encrypted), email (attachments), IM (lack of a secure layer) and P2P file sharing (illegal downloads may transmit malicious software) have increased vulnerability.
 ❖ Wireless Security Challenges
 1) Bluetooth, Wi-Fi and LANs are vulnerable, as radio frequency bands are easy to scan.
 2) Hackers detect unprotected software, monitor it and may gain access.
 3) Service Set Identifiers (SSIDs) can be used by intruders, who are then capable of accessing other resources on the network.
 4) Wireless networks lack protection against war driving (eavesdropping).
 5) Intruders can set up rogue access points in order to capture names and passwords.
● Malicious Software
 ❖ Also called malware; includes a variety of threats.
 ❖ Computer Virus – rogue software program that attaches to software or data files, delivers a payload and spreads from computer to computer by human action, over the internet or through infected disks and machines.
 ❖ Worms – independent computer programs that copy themselves across computers on a network; spread more rapidly, no human action required, spread over the internet.
 ❖ Drive-by Downloads – user intentionally or unintentionally downloads malware.
 ❖ Trojan – appears benign; not itself a virus, but provides a way for viruses or malicious code to be introduced into the computer.
 ❖ Zeus Trojan – captures keystrokes; spread by drive-by downloads.
 ❖ SQL Injection Attacks – major threat; take advantage of poorly coded web application software that fails to properly validate or filter the data a user enters on a webpage.
 ❖ Ransomware – extorts money from users.
 ❖ Keyloggers – record keystrokes.
 ❖ Spyware – installs itself on computers and monitors web activity.
 ❖ Mobiles are the biggest security threat of the current time.
 ❖ Blogs, wikis and social networks are the new conduits for malware.
 ❖ Growth of the IoT has increased vulnerability.
● Hackers and Computer Crime
 ❖ Hacker – individual gaining unauthorized access.
 ❖ Cracker – hacker with criminal intent.
 ❖ Cybervandalism – intentional disruption, defacement or destruction of a corporate website or IS.
 ❖ Spoofing – hiding identities, redirecting links to wrong websites.
 ❖ Sniffer – eavesdropping program that monitors traffic across a network.
 ❖ Denial-of-Service (DoS) Attacks – hacker floods a network or web server with false communication; a distributed DoS (DDoS) does the same using many computers.
 ❖ Botnets – networks of slaved or "zombie" computers.
 ❖ Computer Crime – violation of criminal law involving knowledge of computer technology.
 ❖ Identity Theft – imposter obtains and misuses key pieces of information of another individual to build false credentials.
 ❖ Phishing – false or look-alike websites.
 ❖ Evil Twins – phishing technique where a wireless network pretends to offer a trustworthy Wi-Fi connection.
 ❖ Pharming – phishing technique of redirection to bogus websites.
 ❖ Click Fraud – fraudulently clicking on online advertisements.
 ❖ Cyberwarfare – state-sponsored activities carried out with the help of non-state actors; also involves defence against such attacks.
● Internal Threats – Employees
 ❖ Sloppy internet procedures
 ❖ Users' lack of knowledge
 ❖ Social Engineering – intruders pretend to be legitimate members and seek information.
 ❖ End users – add faulty data, don't follow instructions.
 ❖ IS Specialists – create software errors while designing, developing or maintaining systems.
● Software Vulnerability
 ❖ Bugs – zero defects are difficult and costly to achieve.
 ❖ Zero-Day Vulnerabilities – holes in the software that are unknown to the creator.
 ❖ Patch Management – creators release patches to deal with issues; it is up to the user to apply them.
➢ Business Value of Security and Control
● Firms are reluctant as security is not directly linked to revenues, yet it is important.
● Valuable assets are put at risk; repercussions can lead to serious legal liabilities and can be devastating, with permanent effects.
● Legal and Regulatory Requirements
 ❖ HIPAA (health care related)
 ❖ Gramm-Leach-Bliley Act (financial institutions related)
 ❖ Sarbanes-Oxley Act (investors related)
● Electronic Evidence and Computer Forensics
 ❖ Evidence is largely digital; email is the most common form.
 ❖ Company records need to be kept and are largely maintained digitally; they may also reside on computers as ambient data (not visible to the average user).
 ❖ Computer Forensics – recovering data, securely storing recovered data, finding significant information and presenting it before the court.
 ❖ Awareness of computer forensics is important for firms.
➢ Organizational Framework of Security and Control
● IS Controls
 ❖ General Controls – govern the design, security and use of computer programs and the security of data files across an organization.
 Combination of hardware, software and manual procedures.
 ❖ Application Controls – specific controls unique to each computerized application, including both manual and automated procedures. They include the following, which check for completeness and accuracy:
 1) Input Controls (check data)
 2) Processing Controls (check procedures)
 3) Output Controls (check results)
 ❖ Controls should not be an afterthought; they need to be integrated into the design of the system.
● Risk Assessment
 ❖ Determines the risk if a specific activity or process is not properly controlled.
 ❖ Not all risks can be anticipated or measured.
 ❖ Businesses need to determine the value of information assets, points of vulnerability, likely frequency of a problem and the potential damage that can be caused.
 ❖ System builders will concentrate on the points with the greatest vulnerabilities or potential risks.
● Security Policy
 ❖ Statement ranking information risks, identifying acceptable security goals and identifying the mechanisms for achieving these goals.
 ❖ Acceptable Use Policy (AUP) – defines acceptable uses of the firm's information resources and computing equipment; good ones define acceptable and unacceptable actions for each user and specify consequences for noncompliance.
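Added worked example (not part of the notes) tying together two items above: the SQL Injection entry under Malicious Software (web app software that fails to validate or filter user-entered data) and the Input Controls entry under Application Controls (checks on data before processing). It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows; the table, function names and the username format rule are hypothetical. The "vulnerable" lookup pastes user input straight into the SQL statement; the hardened lookup applies an input control and then binds the value as a query parameter so it can never change the query's structure.

```python
"""Input control + parameterized query: vulnerable vs hardened lookup.

Added example, not from the notes. Uses an in-memory SQLite database with
constructed sample rows; table, function and column names are hypothetical.
"""
import re
import sqlite3

# Constructed sample data for a hypothetical customers table.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "gold"),
    ("bob", "bob@example.com", "silver"),
    ("carol", "carol@example.com", "gold"),
]

# Input control (assumed rule): usernames are 3-32 characters of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'poorly coded' pattern from the notes: user input pasted into SQL.

    Whatever the user types becomes part of the statement, so the quoting
    and the logic of the WHERE clause are under the user's control.
    """
    sql = f"SELECT username, email, tier FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding alone: the value is sent separately from the SQL text,
    so it is compared as data and cannot alter the query structure."""
    sql = "SELECT username, email, tier FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Input control first (reject anything outside the allowed format),
    then the parameterized query. Raises ValueError on invalid input."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username failed input validation")
    return lookup_parameterized(conn, username)


def demo() -> dict:
    """Run each lookup on a normal name and on a malformed input; return outcomes."""
    conn = make_db()
    normal = "alice"
    # Constructed malformed input: closes the string literal and appends an
    # always-true condition, the textbook illustration of unfiltered input.
    malformed = "x' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "parameterized_malformed": len(lookup_parameterized(conn, malformed)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
    }
    try:
        lookup_hardened(conn, malformed)
        results["hardened_malformed"] = "query ran"
    except ValueError:
        results["hardened_malformed"] = "rejected"
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the difference: the vulnerable lookup returns one row for "alice" but every row for the malformed input, because the input rewrote the WHERE clause; the parameterized lookup returns no rows for the same malformed input, and the hardened lookup rejects it before any query runs. Both layers matter: parameter binding is the technical fix for the "fails to filter" defect, while the format check is the input control that keeps bad data out of processing entirely.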