
Chapter 8

Securing Information
Systems

8.1

2007 by Prentice Hall

Management Information Systems


Chapter 8 Securing Information Systems
LEARNING OBJECTIVES

Analyze why information systems need special protection from destruction, error, and abuse.
Assess the business value of security and control.
Design an organizational framework for security and control.
Evaluate the most important tools and technologies for safeguarding information resources.

Systems Vulnerability and Abuse

Can you imagine what would happen if you tried to link to the
Internet without a firewall or antivirus software?
Your computer would be disabled in a few seconds, and it might take
you many days to recover.
You might not be able to sell to your customers or place orders with
your suppliers while it was down.
In short, if you operate a business today, you need to make security
and control a top priority.


Security
Policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to
information systems

Controls
Methods, policies, and organizational procedures that ensure:
Safety of the organization's assets
Accuracy and reliability of accounting records
Operational adherence to management standards


Why systems are vulnerable


Electronic data vulnerable to more types of threats
than manual data
Networks
Through communications networks, information systems in
different locations are interconnected. Potential for
unauthorized access, abuse, or fraud is not limited to a single
location but can occur at any access point in the network.
In the multi-tier client/server environment, vulnerabilities
exist at each layer and between layers.

Users at the client layer can cause harm by introducing errors or by accessing systems
without authorization.
Data flowing over networks can be accessed: hackers can steal valuable data
during transmission or alter messages without authorization.
Radiation may disrupt a network at various points as well.
Intruders can launch denial-of-service attacks or malicious software to disrupt the
operation of web sites.
Those capable of penetrating corporate systems can destroy or alter corporate data
stored in databases or files.
Systems malfunction if computer hardware breaks down, is not configured properly, or
is damaged by improper use or criminal acts.
Errors in programming, improper installation, or unauthorized changes cause
computer software to fail.
Power failures, floods, fires, or other natural disasters can also disrupt computer
systems.

Domestic or offshore partnering with another company adds to system vulnerability
if valuable information resides on networks and computers outside the
organization's control.
Without strong safeguards, data could be lost, destroyed, or could fall into the
wrong hands, revealing important trade secrets or information that violates personal
privacy.
The growing use of mobile devices for business computing adds to these woes.
Portability makes cell phones and smart phones easy to lose or steal, and their
networks are vulnerable to access by outsiders.
Smartphones used by corporate executives may contain sensitive data such as sales
figures, customer names, phone numbers, and email addresses.
Intruders may be able to access internal corporate networks through these devices.
Unauthorized downloads may introduce disabling software.


Contemporary Security Challenges and Vulnerabilities

The architecture of a Web-based application typically includes a Web client, a server, and corporate information
systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods,
fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Figure 8-1

Internet vulnerabilities
Public network, so open to anyone
Size of Internet means abuses may have
widespread impact
Fixed IP addresses are fixed target for hackers
VoIP phone service vulnerable to interception
E-mail, instant messaging vulnerable to malicious
software, interception

Wireless security challenges


Many home networks and public hotspots open to anyone,
so not secure, communication unencrypted
LANs using 802.11 standard can be easily penetrated
Service set identifiers (SSIDs) identify access points in
Wi-Fi network and are broadcast multiple times
WEP (Wired Equivalent Privacy): Initial Wi-Fi security
standard not very effective as access point and all users
share same password


Wi-Fi Security Challenges

Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

Figure 8-2

Malicious software (malware)


Computer virus
Rogue software program that attaches to other
programs or data files
Payload may be relatively benign or highly destructive
Worm:
Independent program that copies itself over network

Viruses and worms spread via:


Downloaded software files
E-mail attachments
Infected e-mail messages or instant messages
Infected disks or machines

Trojan horse
Software program that appears to be benign but then does
something other than expected
Does not replicate but often is way for viruses or malicious
code to enter computer system

Spyware
Small programs installed surreptitiously on computers to
monitor user Web surfing activity and serve advertising

Key loggers
Record and transmit every keystroke on computer
Steal serial numbers, passwords

Hacker
Individual who intends to gain unauthorized access to
computer system

Cybervandalism
Intentional disruption, defacement, or destruction of Web
site or corporate information system

Spoofing
Misrepresentation, e.g. by using fake e-mail addresses or
redirecting to fake Web site

Sniffer:
Eavesdropping program that monitors information traveling
over network

Denial-of-service (DoS) attack:


Flooding network or Web server with thousands of false
requests so as to crash or slow network

Distributed denial-of-service (DDoS) attack


Uses hundreds or thousands of computers to inundate
and overwhelm network from many launch points

Botnet
Collection of zombie PCs infected with malicious
software without their owners' knowledge and used to
launch DDoS or perpetrate other crimes

Worldwide Damage from Digital Attacks

This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999.
These data are based on figures from mi2G and the authors.

Figure 8-3

Bot Armies and Network Zombies


Read the Interactive Session: Technology, and then
discuss the following questions:
What is the business impact of botnets?
What management, organization, and technology factors
should be addressed in a plan to prevent botnet attacks?
How easy would it be for a small business to combat botnet
attacks? A large business?


Computer crime
Computer as target of crime
Accessing computer without authority
Breaching confidentiality of protected computerized data

Computer as instrument of crime


Theft of trade secrets and unauthorized copying of software or
copyrighted intellectual property
Using e-mail for threats or harassment

Most economically damaging computer crimes


DoS attacks and viruses
Theft of service and disruption of computer systems

Identity theft
Using key pieces of personal information (social security
numbers, driver's license numbers, or credit card numbers) to
impersonate someone else

Phishing
Setting up fake Web sites or sending e-mail messages that look
like those of legitimate businesses to ask users for confidential
personal data

Evil twins
Bogus wireless networks used to offer Internet connections,
then to capture passwords or credit card numbers


Pharming
Redirecting users to bogus Web page, even when individual
types correct address into browser

Computer Fraud and Abuse Act (1986)


Makes it illegal to access computer system without authorization

Click fraud
Fraudulently clicking on online ad without intention of learning
more about advertiser or making purchase

Cyberterrorism and cyberwarfare:


At least twenty countries are believed to be developing offensive
and defensive cyberwarfare capabilities

Internal threats: Employees


Company insiders pose serious security problems
Access to inside information like security codes and passwords
May leave little trace

User lack of knowledge: Single greatest cause of network security breaches
Compromised passwords
Social engineering

Errors introduced into software by:


Faulty data entry, misuse of system
Mistakes in programming, system design


Software vulnerability
Software errors are constant threat to information systems
Cost U.S. economy $59.6 billion each year
Can enable malware to slip past antivirus defenses

Patches
Created by software vendors to update and fix
vulnerabilities
However, maintaining patches on all of a firm's devices is time
consuming, and patching evolves more slowly than malware

Business Value of Security and Control

Many firms are reluctant to spend heavily on security because it is not directly
related to sales revenue. But this attitude seems inappropriate, for the
following reasons:
Companies have very valuable information assets to protect. Systems often house
confidential information about individuals' taxes, financial assets, medical records,
and job performance reviews.
They also can contain information on corporate operations, including trade secrets,
new product development plans, and marketing strategies.
Government systems may store information on weapons systems, intelligence
operations, and military targets.
This information has tremendous value, and the repercussions can be
devastating if it is lost, destroyed, or placed in the wrong hands.
Businesses must protect not only their own information assets but also those of
customers, employees, and business partners. Failure to do so may open the firm to
costly litigation for data exposure or theft.

Business value of security and control


Protection of confidential corporate and personal information
Value of information assets
Security breach of large firm results in average loss of 2.1%
of market value
Legal liability

Electronic Records Management (ERM)


Policies, procedures, and tools for managing retention,
destruction, and storage of electronic records


Legal and regulatory requirements for ERM


HIPAA
Outlines medical security and privacy rules

Gramm-Leach-Bliley Act
Requires financial institutions to ensure security and
confidentiality of customer data

Sarbanes-Oxley Act
Imposes responsibility on companies and their
management to safeguard accuracy and integrity of
financial information used internally and released externally


The government of Bangladesh is planning to form two
separate tribunals to prevent growing cyber crimes. The
process to set up the tribunals in Dhaka and Chittagong is
in progress. Currently there are not enough laws to
prevent cyber-related crimes in Bangladesh. One major
regulation in this sector is 'The Bangladesh Information &
Communication Law 2006 (As amended in 2009)'. Under
section 56(1) of this act, cyber-related offences are
punishable by a maximum of 10 years' imprisonment, with or
without a fine. Section 68 of this act discusses the establishment
of the tribunal.


Electronic evidence and computer forensics
Legal cases today increasingly rely on evidence
represented as digital data
E-mail most common electronic evidence
Courts impose severe financial, even criminal penalties for
improper destruction of electronic documents, failure to
produce records, and failure to store records properly


Computer forensics
Scientific collection, examination, authentication,
preservation, and analysis of data on computer
storage media so that it can be used as
evidence in a court
Awareness of computer forensics should be
incorporated into the firm's contingency planning
process


Controls
Information systems controls are both manual and automated and consist of
both general controls and application controls.
General controls govern the design, security, and use of computer programs
and the security of data files in general throughout the organization's
information technology infrastructure. On the whole, general controls apply to
all computerized applications and consist of a combination of hardware,
software, and manual procedures that create an overall control environment.
General controls include software controls, physical hardware controls,
computer operations controls, data security controls, controls over
implementation of system processes, and administrative controls.
Application controls are specific controls unique to each computerized
application. Application controls can be classified as (1) input controls, (2)
processing controls, and (3) output controls.
Establishing a Framework for Security and Control

ISO 17799
International standards for security and control specifies best
practices in information systems security and control

Risk Assessment
Determines level of risk to firm if specific activity or process is not
properly controlled

Value of information assets


Points of vulnerability
Likely frequency of problem
Potential for damage

Once risks are assessed, system builders concentrate on control
points with greatest vulnerability and potential for loss

Online Order Processing Risk Assessment


EXPOSURE        PROBABILITY OF OCCURRENCE   LOSS RANGE / (AVERAGE)         EXPECTED ANNUAL LOSS
Power failure   30%                         $5,000 - $200,000 ($102,500)   $30,750
Embezzlement    5%                          $1,000 - $50,000 ($25,500)     $1,275
User error      98%                         $200 - $40,000 ($20,100)       $19,698

Table 8-3
Technologies and Tools for Security

Security policy
Statements ranking information risks, identifying acceptable
security goals, and identifying mechanisms for achieving
these goals

Chief Security Officer (CSO)


Heads security group in larger firms
Responsible for enforcing security policy

Security group
Educates and trains users
Keeps management aware of security threats and
breakdowns
Maintains tools chosen to implement security

Acceptable Use Policy (AUP)


Defines acceptable uses of the firm's information resources and
computing equipment
A good AUP defines acceptable actions for every user and
specifies consequences for noncompliance

Authorization policies
Determine level of access to information assets for different
levels of users

Authorization management systems


Allow each user access only to those portions of system that
person is permitted to enter, based on information
established by set of access rules
Establishing a Framework for Security and Control

Security Profiles for a Personnel System

Figure 8-4
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.

Technologies and Tools for Security

Ensuring business continuity


Fault-tolerant computer systems
Ensure 100% availability
Utilize redundant hardware, software, power supply components
Critical for online transaction processing

High availability computing


Tries to minimize downtime
Helps firms recover quickly from system crash
Utilizes backup servers, distributed processing, high capacity
storage, disaster recovery and business continuity plans

Recovery-oriented computing: Designing systems,
capabilities, tools that aid in quick recovery, correcting mistakes

Disaster recovery planning


Restoring computing and communication services after
earthquake, flood, etc.
Can be outsourced to disaster recovery firms

Business continuity planning


Restoring business operations after disaster
Identifies critical business processes and determines how to
handle them if systems go down

Business impact analysis


Used to identify most critical systems and impact system outage
has on business

Auditing
MIS audit: Examines the firm's overall security environment as
well as controls governing individual information systems
Security audit: Reviews technologies, procedures,
documentation, training, and personnel
Audits:
List and rank all control weaknesses
Estimate probability of occurrence
Assess financial and organizational impact of each threat

Establishing a Framework for Security and Control

Sample Auditor's List of Control Weaknesses

Figure 8-5
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

Technologies and Tools for Security

Access control
Policies and procedures used to prevent improper access to
systems by unauthorized insiders and outsiders
Users must be authorized and authenticated

Authentication:
Typically established by password systems

New authentication technologies:


Tokens
Smart cards
Biometric authentication


Firewalls:
Hardware and software controlling flow of incoming
and outgoing network traffic
Prevents unauthorized access
Screening technologies
Packet filtering
Stateful inspection
Network address translation (NAT)
Application proxy filtering
Business Value of Security and Control

Packet filtering examines selected fields in the headers of data packets
flowing back and forth between the trusted network and the Internet,
examining individual packets in isolation. This filtering technology can miss
many types of attacks.
Stateful inspection provides additional security by determining whether
packets are part of an ongoing dialogue between a sender and a receiver. It
sets up state tables to track information over multiple packets.
Network Address Translation (NAT) can provide another layer of protection
when static packet filtering and stateful inspection are employed. NAT
conceals the IP addresses of the organization's internal host computer(s) to
prevent sniffer programs outside the firewall from ascertaining them.
Application proxy filtering examines the application content of the packets.
A proxy server stops data packets originating outside the organization,
inspects them, and passes a proxy to the other side of the firewall.
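
The difference between examining packets in isolation and tracking a dialogue in a state table, as an added example that is not part of the original slides. The network range, port policy, rule set and sample packets are assumptions constructed for the illustration.

```python
# Added illustration: constructed traffic judged by a static packet filter and
# by stateful inspection. Addresses, ports and rules are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed trusted network
WEB = 443                             # only outbound service the policy allows


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                  # TCP flags such as {"SYN"} or {"ACK"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def inside(addr):
    return ip_address(addr) in INTERNAL


def packet_filter(p):
    """Static filtering: header fields of one packet, no memory of earlier ones."""
    if inside(p.src) and not inside(p.dst):
        return p.dport == WEB
    if inside(p.dst) and not inside(p.src):
        # "Looks like a reply": comes from the web port with ACK set.
        return p.sport == WEB and "ACK" in p.flags
    return False


class StatefulFirewall:
    """Tracks dialogues opened from the inside in a state table."""

    def __init__(self):
        self.table = {}               # (in_ip, in_port, out_ip, out_port) -> state

    def inspect(self, p):
        outbound = inside(p.src) and not inside(p.dst)
        inbound = inside(p.dst) and not inside(p.src)
        if not (outbound or inbound):
            return False
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        if outbound and p.dport == WEB and p.flags == {"SYN"}:
            self.table[key] = "SYN_SENT"      # a new dialogue starts here
            return True
        state = self.table.get(key)
        if state is None:
            return False                      # belongs to no known dialogue
        if state == "SYN_SENT":
            if not (inbound and p.flags == {"SYN", "ACK"}):
                return False                  # handshake out of order
            self.table[key] = "ESTABLISHED"
        if p.flags & {"FIN", "RST"}:
            del self.table[key]               # simplified teardown
        return True


# Constructed sample traffic.
SAMPLE = [
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "SYN", "ACK"),
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "ACK"),
    pkt("198.51.100.7", 443, "10.0.0.9", 8080, "ACK"),    # no dialogue exists
    pkt("203.0.113.10", 443, "10.0.0.5", 50001, "ACK"),   # wrong client port
]


def compare(packets):
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]


if __name__ == "__main__":
    for p, (static, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}"
              f"  filter={static} stateful={stateful}")
```

The last two packets satisfy the static rule because their headers resemble replies, but the state table holds no matching dialogue, so stateful inspection drops them.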
Technologies and Tools for Security

A Corporate Firewall

The firewall is placed between the firm's private network and the public Internet or another distrusted
network to protect against unauthorized traffic.

Figure 8-6

Intrusion detection systems:


Full-time, real-time monitoring tools
Placed at most vulnerable points of corporate networks
to detect and deter intruders
Scanning software looks for patterns such as bad
passwords, removal of important files, and notifies
administrators


Antivirus software, antispyware software


Antivirus software:
Checks computer systems and drives for presence of
computer viruses
To remain effective, antivirus software must be continually
updated

Antispyware software tools:


Many leading antivirus software vendors include
protection against spyware
Standalone tools available (Ad-Aware, Spybot)


Securing wireless networks


WEP: Provides some measure of security if activated
VPN technology: Can be used by corporations to help
security
802.11i specification: Tightens security for wireless LANs
Longer encryption keys that are not static
Central authentication server
Mutual authentication

Wireless security should be accompanied by appropriate
policies and procedures for using wireless devices

Unilever Secures Its Mobile Devices


Read the Interactive Session: Management, and then
discuss the following questions:
How are Unilever executives' wireless handhelds related to
the company's business performance?
Discuss the potential impact of a security breach at Unilever.
What management, organization, and technology factors had
to be addressed in developing security policies and
procedures for Unilever's wireless handhelds?
Is it a good idea to allow Unilever executives to use both
BlackBerrys and cell phones? Why or why not?

Encryption:
Transforming message into cipher text, using encryption key
Receiver must decrypt encoded message

Two main methods for encrypting network traffic


Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
Establishes secure connection between two computers
Secure HTTP (S-HTTP)
Encrypts individual messages


Two methods of encryption:


Symmetric key encryption
Shared, single encryption key sent to receiver
Public key encryption
Two keys, one shared/public and one private
Messages encrypted with recipient's public key
but can only be decoded with recipient's private
key

Public Key Encryption

A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and
unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message.
The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses
his or her private key to decrypt the data and read the message.

Figure 8-7

Digital signature
Encrypted message that only sender with private key can create
Used to verify origin and contents of message

Digital certificates
Data files used to establish identity of users and electronic assets
for protection of online transactions
Uses trusted third party, certificate authority (CA), to validate
user's identity

Public Key Infrastructure (PKI)


Use of public key cryptography working with certificate authority
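
The public key encryption flow and the digital signature described in the slides above, as an added example that is not part of the original deck. It uses textbook RSA with small constructed keys and a constructed message; the function names are hypothetical, and the scheme has no padding, so it is for understanding the key roles only.

```python
# Added illustration (not from the slides): textbook RSA with small constructed
# keys, showing encryption to a recipient and a digital signature by a sender.
# No padding and tiny keys: for understanding only, not for protecting data.
import hashlib

E = 65537                                  # common public exponent


def make_keypair(p, q):
    """Build ((n, e), (n, d)) from two primes; d is the private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))    # d = E^-1 mod phi (Python 3.8+)


def encrypt(public, message: bytes) -> int:
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes, n: int) -> int:
    # Hash first so the signature covers the whole message; reduced mod n
    # only because the toy modulus is shorter than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(message, n)


# Constructed keys from known Mersenne primes (far too small for real use).
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SENDER_PUB, SENDER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)

MESSAGE = b"pay $500 to Bob"               # constructed sample message


def exchange(message=MESSAGE):
    """Sender side, then recipient side, following the flow in the slides."""
    ciphertext = encrypt(RECIPIENT_PUB, message)      # recipient's public key
    signature = sign(SENDER_PRIV, message)            # sender's private key
    received = decrypt(RECIPIENT_PRIV, ciphertext)    # recipient's private key
    return received, verify(SENDER_PUB, received, signature)


if __name__ == "__main__":
    print(exchange())
    # A changed message no longer matches the signature made over the original.
    print(verify(SENDER_PUB, b"pay $900 to Bob", sign(SENDER_PRIV, MESSAGE)))
```

In practice the public keys would come from digital certificates validated by a certificate authority rather than being generated side by side as they are here.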


Digital Certificates

Figure 8-8
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.
