UNIT-IV

SECURITY AND CONTROL

Malware (malicious software)

Is any program of file that is harmful to a computer user. Thus, malware includes computer
viruses, worms, Trojan horses, and also spyware, programming that gathers information about a
computer user without permission.
Virus
A computer virus attaches itself to a program or file enabling it to spread from one computer
to another, leaving infections as it travels. Like a human virus, a computer virus can range in
severity; some may cause only mildly annoying effects while others can damage your hardware,
software or files. Almost all viruses are attached to an executable file, which means the virus may
exist on your computer but it actually cannot infect your computer unless you run or open the
malicious program. It is important to note that a virus cannot be spread without a human action
Worms
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms
spread from computer to computer, but unlike a virus, it has the capability to travel without any
human action. A worm takes advantage of file or information transport features on your system,
which is what allows it to travel unaided.
Trojan horse
Is a program that a appears to be valid and useful but contains hidden instruction that can
cause damage. For example, a Trojan horse could identify a particular account number and bypass
it or could accumulated difference due to rounding and place them in a particular account.
Logic bomb
Is a type of Trojan horse, when destructive actions are set to occur when a particular
conditions occurs, such as reaching a particular clock time or the initiation of a particular program.
Spyware
Can also act as malicious software. There small programs install themselves on computer to
monitor user web surfing activity and serve up advertising.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 VALUE CHAIN FOR SYSTEM SECURITY AND CONTROL

DEVELOP THE SYSTEM ESTABLISH SECURITY CONTROL OPERATIONS ANTICIPATE

PROPERLY PROBLEMS

control system development Provide security training Control transaction processing Prepare for disaster
and modifications Maintain physical security Motivate efficient and effective
Control access to data, operation
computer and network Audit the system

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B Engineering college. Karur
 Tools of security management
1. Encryption
2. Firewalls
3. Denial of software defenses
4. E-mail monitoring
5. Virus defenses / antivirus
Other tools
1. Security code
2. Backup file
3. Security monitors
4. Biometric security
5. Computer failure controls
6. Fault, tolerant system
7. Disaster recovery
Encryption

The most widely used encryption method uses a pair of public and private keys
unique to each individual. For example, e-mail could be scrambled and encoded using a
unique public key for recipient that is known to the sender. After the e-mail is transmitted,
only the recipient’s secret private key could unscramble the message.
Firewalls
A firewall serves as a “gatekeeper” system that protects a company’s intranets and
other from the internet and other networks. It screens all network traffic for proper passwords
or other security code, and only allows authorized transmissions in and out of the network.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 Denial of service defenses

Denial of service assaults via the internet depend on three layers of networked
computer systems;

1. At the zombie machines: set and enforce security policies. Scan regularly fro
‘Trojan horse’ programs and vulnerabilities. Close unused ports. Remind users
not to open .exe mail attachments.
2. At the ISP: Monitor and block traffic spikes. filter spoofed IP addresses.
Coordinate security with network providers.
3. At the victim’s website: create backup servers and network connections. Limit
connections to each server. Install multiple intrusion-detection systems and
multiple routers for incoming traffic to reduce choke points.

e-mail monitoring

The tide is turning toward systematic monitoring of corporate e-mail traffic using
content-monitoring software that scans for troublesome words that might compromise
corporate security.

Virus defenses

Thus many companies are building defenses against the spread of viruses by
centralizing the distribution and updating of antivirus software as a responsibility of there IS
department. Other companies are outsourcing the virus protection responsibility to their
internet service providers.

Other tools
1. Security code

A multilevel password system is used for security management .first, an end user logs
on to the computer system by entering his or her unique identification code, or used ID. The
end user is then asked to enter a password in order to gain access into the system. Password
should be changed frequently and consist of unusual combinations of upper and lower case
letters and numbers.

2. Backup files

Which are duplicate files of data or programs, are another important security
measures? Files can also be protected by file retention measures that involve storing copies of
files from previous periods.

3. Security monitors

System security monitors are program that monitor the use of computer systems and
networks and protect them from unauthorized users to access the networks security monitors
also control the use of the hardware, software and data resources of a computer system.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 4. Biometric security:
Biometric security is a fast-growing area of computer security. These are security
measures provided by computer devices that measure physical traits that make each
individual unique. This includes voice verification, finger-prints, hand geometry, signature
dynamic, keystroke analysis, retina scanning, face recognition, and genetic pattern analysis.
Biometric control devices use special-purpose sensors to measure and digitize a biometric
profile of an individual’s fingerprint, voice, or other physical trait.
5. Computer failure controls:
A variety of controls can prevent such computer failure or minimize its effects.
Computer system fail for several reasons - power failure, electronic circuitry malfunctions,
telecommunications network problems, hidden programming errors, computer viruses,
computer operator errors and electronic vandalism. Programs of preventive maintenance of
hardware and management of software updates are commonplace. A backup computer system
capability can be arranged with disaster recovery organizations.
6. Fault tolerant system:
This may provide a failsafe capability where the computer system continues to
operate at the same level even if there is a hardware or software failure. However, many fault
tolerant computer systems offer a fail soft capability where the computer system can continue
the operate at a reduces but acceptable level in the event of a major system failure.
7. Disaster Recovery:
Natural and man-made disasters to happen. Hurricanes, earthquakes, fires, floods,
criminal and terrorist acts, human error can all severely damage an organization's computer
resources, and thus the health of the organization itself. Many firms could survive only a few
days without computing facility. That's why organizations develop disaster recovery
procedures and formalize them in a disaster recovery plan. its specifics which employees will
participate in disaster recovery and what their duties will be; what hardware, software and
facilities will be used; and the priority if applications that will be processed. Arrangements
with other companies for use of alternative facilities as disaster recovery site and offsite
storage of an organization's database are also part of an effective disaster recovery effort.
SECURITY
Policies, procedures and technical measures used to prevent theft, or physical damage
to information system.
Errors
Bugs
Program code defects or errors
CONTROL ENVIRONMENT

Controls: All of the methods, policies, and procedures that ensure protection of the
organization’s assets, accuracy and reliability of its records, and operational adherence to
management standards.

Computer systems are controlled by a combination of general controls and application

controls.

General controls
Overall controls that establish a framework for controlling the design, security and
use of computer programs throughout an organization.
Types of general controls
 Software controls
 Hardware controls

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
  Computer operations controls
 Data security controls
 Implementation controls
 Administrative controls
Software controls
Monitor the use of system software and prevent unauthorized access of software
program, system software and computer programs.
Hardware controls
Ensure that computer hardware is physically secure, and check for equipment
malfunctions. Computer equipment should be specially protected against fires, and extremes
of temperature and humidity.
Computer operations controls
Oversee the work of the computer department to ensure that programmed procedures
are consistently and correctly applied to the storage and processing data.
Data security controls
Controls to ensure that data files on either disk or tape are not subject to unauthorized
access, change or destruction.
Implementation controls
Audit the system development process at various points to ensure that the properly
controlled and managed.
Administrative controls
Formalized standards, rules, procedures and disciplines to ensure that the
organization’s controls are properly executed and enforced.
Application controls
Application controls include both automated and manual procedures that ensure that
only authorized data are completely and accurately processed by an application.
Application controls can be classified as
 Input controls
 Processing controls
 Output controls
Input controls
The procedures to check data for accuracy and completeness when they enter the
system
Processing controls
The routines for establishing that data are complete and accurate during updating.
Output controls
Measures that ensure that the results of computer processing are accurate, complete
and properly distributed.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 IS vulnerability

It is termed as a flaw or weakness in system security procedures, design,

implementation, or internal controls that could be exercised and result in a security breach or
a violation of the system’s security policy.

Causes of vulnerability

1. Complexity: large, complex systems increase the probability of flaws and unintended
access points
2. Familiarity: using common, well-known code, software, operating systems, and
hardware increases the probability an attacker has or can find the knowledge and tools
to exploit the flaw.
3. Password management flaws: The computer user uses weak passwords that could be
discovered by brute force. The computer user stores the password on the computer
where a program can access it. Users re-use passwords between many programs and
websites.
4. Connectivity: More physical connections, privileges, ports, protocols, and services
and time each of those are accessible increase vulnerability.
5. Fundamental operating system design flaws: The operating system designer
chooses to enforce sub optimal policies on user management. For example operating
systems with policies such as default permit grant every program and every user full
access to the entire computer.
6. Internet website browsing: Some intranet website may contain harmful spyware
that can be installed automatically on the computer systems. After visiting those
websites, the computer system becomes infected and personal information will be
collected and passed on to third party individuals.
7. Software bugs: The programmer leaves an exploitable bug in a software program.
The software bug may allow an attacker to misuse an application.
8. Unchecked user input: The program assumes that all user input is safe. Programs
that do not check user can allow unintended direct execution of commands

Identify vulnerabilities:

1) Vulnerability scanners: Software that can examine an operating system, network

application or code for known flaws by comparing the system to a database of
flaw signature
2) Penetration testing: An attempt by human security analysts to exercise threads
against the system. This includes operational vulnerabilities, such as social
engineering
3) Audit of operational and management controls: A through review of
operational and management controls by comparing the current documentation to
best practices ( such as ISO 17799) and by comparing actual practices against
current documentation processes.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 COMPUTER CRIME

Computer crime is a growing threat to society caused by the criminal or irresponsible

action of individual who are taking advantage of widespread use and vulnerability of
computers and the internet and other networks. Computer crime is defined by the association
of information technology professional (AITP) as including (1) the unauthorized use, access,
modification, and destruction of hardware, software, data, or networking resource; (2) the
unauthorized release of information; (3) the unauthorized copying of software; (4) denying an
end user access to his or her own hardware, software, data, or network resource; and (5) using
or conspiring to use computer or network resource to illegally obtain information or tangible
property.

Security technologies used:

 Antivirus 96%
 Virtual private network 86%
 Intrusion detection system 85%
 Content filtering / monitoring 77%
 Public key infrastructure 45%
 Smart card 43%
 Biometrics 19%

Security management:

 Security is used about 6 to 8% of the IT budget in the developed countries.

 63% currently have or plan to establish in the next 2 years the position of chief
security officers or chief information security officer.
 40% have a chief privacy officers and another 6% intend to appoint 1 within the next
2 years.
 39% acknowledge that a system had been compromised in some way within the past
year.
 24% have cyber risk insurance and another 5% intend to acquire such coverage.

Hacking:

Hackers can be outsiders or company employees who use the internet and other
networks to steal or damage data and programs. Hackers can monitor email, web server
access, or file transfers to extract passwords or steal network file or to plant data that will
cause a system to welcome intruders. A hacker may also use remote services that allow one
computer on a network to execute program on another computer to gain privileged access
within a network.

Cyber theft:

Many computer crimes involve that theft of money. In the majority of cases, they are
“inside jobs” that involve unauthorized network entry and fraudulent alteration of computer

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 databases to cover the tracks of the employees’ involved. The latest and fastest growing
internet scam monitored of Fraud Watch is called “phishing”. The term (pronounced
“fishing”) refers to an internet scam that is exactly that – fishing for information – usually
personal information such as credit card, bank account or social security numbers.

Unauthorized use of work:

The unauthorized use of computer system and networks can be called time and
resource theft. A common example is unauthorized use of computer-owned computer
networks b employees. This may range from doing private consulting or personal fiancé, or
playing video games, to unauthorized use of the internet or company networks. Network
monitoring software, called sniffers, is frequently used to monitoring network traffic to
evaluate network capacity, as well as reveal evidence of improper use.

Software piracy:

Computer programs are valuable property and thus are the subject of theft from
computer system. However, unauthorized copying of software, or software piracy, is also a
major form of software theft. Widespread unauthorized copying of software by company
employees is a major form of software piracy. Unauthorized copying is illegal because
software is intellectual property that is protected by copyright law and user licensing
agreements.

Piracy intellectual property:

Software is not only property subject to computer-based piracy. Other intellectual

property in the forms of copyrighted material, such as music, videos, images, articles, books
and other written works are especially vulnerable to copyright infringement, which most
courts have deemed illegal. Digitized version can easily websites, or can be readily
disseminated by e-mail as file attachments.

Computer viruses and worms:

One of the most examples of computer crime involves the creation of computer
viruses or worms. Virus is the most popular term but, technically, a virus is a program code
that cannot work without being inserted into another program. A worm is a distinct program
that can run unaided.

Biometric security:

Biometric security is a fast-growing area of computer security. These are security

measures provided by computer devices that measure physical traits that make each
individual unique. This includes voice verification, finger-prints, hand geometry, signature
dynamic, keystroke analysis, retina scanning, face recognition, and genetic pattern analysis.
Biometric control devices use special-purpose sensors to measure and digitize a biometric
profile of an individual’s fingerprint, voice, or other physical trait.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 Computer failure controls:

A variety of controls can prevent such computer failure or minimize its effects.
Computer system fail for several reasons - power failure, electronic circuitry malfunctions,
telecommunications network problems, hidden programming errors, computer viruses,
computer operator errors and electronic vandalism.

Programs of preventive maintenance of hardware and management of software updates are

commonplace. A backup computer system capability can be arranged with disaster recovery
organizations.

Fault tolerant system:

This may provide a failsafe capability where the computer system continues to
operate at the same level even if there is a hardware or software failure. However, many fault
tolerant computer systems offer a fail soft capability where the computer system can continue
the operate at a reduces but acceptable level in the event of a major system failure.

Securing intranet, web, wireless network

i. Firewalls
ii. IDS
iii. Antivirus software
iv. Physical security
v. Using managed security service provider

i. Firewalls:
ii. IDS: An IDS works like a burglar alarm in that it detects a violation of its configuration
and activates an alarm. This alarm can be audible or visual or it can be silent
Why use IDS
a) To prevent problem behaviors by increasing the perceived risk of discovery and
punishment for those who would attack or otherwise abuse the system
b) To detect attacks and other security violations that are not prevented by other
security measures
c) To detect and deal with the preambles to attacks (commonly experienced as
network probes and other doorknob rattling activities)
d) To document the existing threat to an organization
e) To act as quality control for security design and administration, especially of
large and complex enterprises.
f) To provide useful information about intrusions that do take place, allowing
improved diagnosis, recovery and correction of causative factors.
iii. Antivirus software: Is designed to check computer system and drives for the
presence of computer viruses, often the software can eliminate the virus from the
infected area.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 iv. Physical security: There are a number of physical security controls and issues that an
organization’s communities of interest should consider when implementing physical
security inside and outside the facility. Some of the major controls are:
a. Walls, gates
b. Guards
c. Dogs
d. ID cards
e. Locks and keys
f. Electronic monitoring
g. Alarms
h. Computer rooms and wiring closets
i. Interior walls and doors
v. Using managed security service provider: Many are outsourcing their network
security operations to managed security service providers such as counterpane,
Guardent, Internet Security Service, Riptech, and Symantec.

INTERNET, INTRANET EXTRANET

INTERNET: The internet transmits data from one computer to another. If the receiving
computer is on a network to which the first computer is directly connected, it can sent the
message directly. Is a collection of interconnected network, all freely exchanging
information.

Affiliation ID Affiliation
.com Business organization
.edu Educational sites
.gov Government sites
.net Networking organizations
.org organisations

INTRANET: is a internal corporate network built using internet and world wide web
technology employees of an organization use it to gain access to corporate information

Benefits:

 People are already familiar with internet technology, so they need little or no training
to make effective use of their corporate network
 Reduce paper work
 Is an inexpensive and powerful alternative to other forms of internal communications

EXTRANET: Is a network that links selected resources of the intranet of a company with its
customers, suppliers, or other business partners. Again, an extranet is built around web
technologies.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 Web browsers and search engines

Web browsers: creates a unique, hypermedia-based menu on your computer screen that
provides a graphical interface to the web. The menu consists of graphics, titles and text with
hypertext links. The hypermedia menu links you to internet resources, including text
document, graphics, and sounds files and newsgroups servers.

Search engines and web research: Looking for information on the web is like browsing in a
library—without the alphabetic listing of books in the card catalog, it is difficult to find
information.

SECURITY AND ELECTRONIC COMMERCE

 Encryption
 Authentication
 Message integrity
 Digital signature
 Digital certificate
Encryption
The coding and scrambling of message to prevent their being read or accessed without
authorization.
Authentication
The ability of each party in a transaction to ascertain the identity of the other party
Message integrity
The ability to ascertain that a transmitted message has not been copied or altered.
Digital signature
A digital code that can be attached to an electronically transmitted message to
uniquely identify its contents and the sender.
Digital certificate
An attachment to an electronic message to verify the identity of the sender and to
provide the receiver with means to encode a reply.

AUDIT: audits provide an independent evaluation of software products or processes to

ascertain compliance to standards, specifications and procedures based on objective criteria
that included documents

Software audit: software audit is a regular investigation of the software installed on all
computers in an organization to ensure that it is authorized or licensed. Software audits
minimize the risk of prospection for software theft, minimize the risk of viruses through
uncontrolled software coping and ensure technical support is available to all users.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 PURPOSE OF OR NEED FOR SOFTWARE AUDIT

1. To identify critical security issues before they are exploited be malicious attackers
2. To perform extensive, regular security audit on the installed software or systems, in
order the vulnerabilities of software and minimize the correction of requirements
needed after a product or an update gets live.
3. To locate the most problematic crashes of the application, and train the team into
cognitive debugging for future improving their debugging capabilities
4. To restore compromised network to their previous security level.
5. To conduct software vulnerability assessment

ROLE OF SOFTWARE AUDIT

1. The initiator
2. The lead auditor
3. The recorder
4. The auditors
5. The audited organization

1. The initiator: who must be a manager in the audited organization, a customer or user
representative of the audited organization, or a third party, decides upon the need for an
audit, establishes its purpose and scope, specifies the evaluation criteria, identifies the
audit personnel, decides what follow-up actions will be required and distributes the audit
report.
2. The lead auditor: Who must be someone free from bias and influence that could reduce
his ability to make independent, objective evaluations. Is responsible for administrative
tasks such as preparing the audit plan and assembling and managing the audit team, and
for ensuring that the audit meets its objectives
3. The recorder: Documents anomalies, action items, decisions and recommendation made
by the audit team.
4. The auditors: Who must be, like the lead auditor, free from bias, examine products
defined in the audit plan, document their observations and recommend corrective actions.
5. The audited organization: Provides a liaison to the auditors and provides all information
requested by a auditors. When the audit is completed, the audited organization should
implement corrective actions and recommendations.

Types of auditors and audits

There are two types: internal and external

An external auditor is a corporate outside. This type of auditor reviews the find-ings of the
internal audit and the inputs, processing and outputs of information system. The external
audit of information system is frequently a part of the overall external auditing performed by
a certified public accounting firms

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 ETHICS IN INFORMATION TECHNOLOGY
ETHICS
Ethics refers to the principles of right and wrong that individuals, acting as free moral
agents, use to make choices to guide their behaviour.

ETHICS IN AN INFORMATION SOCIETY

BASIC CONCEPTS:
Responsibility:
Accepting the potential costs, duties and obligations for the decisions one makes.
Accountability:
The mechanisms for assessing responsibility for decisions made and actions taken.
Liability:
The existence of laws that permit individuals to recover the damages done to them by
other actors, systems, or organizations.
Due Process:
A process in which laws are well-known and understood and there is an ability to
appeal to higher authorities to ensure that laws are applied correctly.

HOW TO CONDUCT AN ETHICAL ANALYSIS

Identify and describe clearly the facts: Find out who did what to whom, and where, when,
and how. In many instances we can sort out the errors at the initial stages of reported facts
and this helps in clearly defining the solution.
Define the conflict or Dilemma and identify the higher order values involved: Ethical,
social, and Political issues always reference higher values. The parties to a dispute all claim
to be pursuing higher values.(eg.,freedom, privacy and protection of intellectual property).
For instance, the use of NORA technology to find out the hidden connections between people
or other entities.
Identify the Stakeholders: Every ethical, social, and political issue has stakeholders: players
in the game who have an interest in the outcome, who have invested in the situation, and
usually who have vocal opinions. Finding the identity of these groups will better help in
designing a solution.
Identify the options that you can reasonably take: You may find that none of the options
satisfy all the parties involved but some options do a better job than others.
Identify the potential consequences of your options: Some options may be ethically
correct but disastrous from other points of view. Other options may work at some instances
and not in all other situations.

Candidate Ethical Principles

1. Golden rule
2. Immanuel Kant's Categorical Imperative
3. Descartes' Rule of Change
4. Utilitarian Principle
5. Risk Aversion Principle
6. Ethical " no free lunch rule"
Golden rule
Do unto others as you would have them do unto you. Putting yourself into the place of
others, and thinking of yourself as the object of the decision, can help you think about
"fairness" in decision making.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur
 Immanuel Kant's Categorical Imperative
A principle that states that if an action is not right for everyone to take it is not right for
anyone.
Descartes' Rule of Change
A principle that states that if an action cannot be taken repeatedly, then it is not right to be
taken at any time.
Utilitarian Principle
Principle that assumes one can put values in rank order and understand the consequences of
various courses of action.
Risk Aversion Principle
Principle that one should take the action that produces the least harm or incurs the least
cost.
Ethical “no free lunch rule"
Assumption that all the tangible and intangible objects are owned by someone else,
unless there is a specific declaration otherwise, and that the creator wants compensation for
this work.

PROPERTY RIGHTS:

Intellectual Property
Intangible property created by individuals or corporations that is subject to protections
under trade secret, copyright, and patent law.
Trade Secrets
Any intellectual property work or product used for a business purpose that can be
classified as belonging to that business, provided it is not based on information in the public
domain.
Copyright
A statutory grant that protects creators of intellectual property against copying by others
for any purpose for a minimum of 70 years.
Patent
A legal document that grants the owner an exclusive monopoly on the ideas behind an
invention for 20 years : designed to ensure that inventors of new machines or methods are
rewarded for their labour while making wide-spread use of their inventions.

Prepared by: R.Sivakumar Assistant Professor Department of Management studies V.S.B

Engineering college. Karur