
IT for Business

Session 5-6 | Information Security & Privacy


The state of cybersecurity

http://www.information-age.com/cyber-attacks-number-1-business-risk-123471046/

Millions of Indian debit cards 'compromised' in security breach - BBC News
Cybercrimes on the rise

Inside story of cyber attacks on India’s banks, airlines, railways… and the fightback - The Week
cyber security: Over 53,000 cyber security incidents observed in 2017 - Times of India (indiatimes.com)
Security Challenges/Vulnerabilities

"Copyright © 2018 Pearson India Education Services Pvt. Ltd".


Management Information System: Managing the Digital Firm
By: Kenneth C. Laudon & Jane P. Laudon
Information Security Risk Management

• Information systems risk management refers to gaining an understanding of the interplay between threats, vulnerabilities in an organization’s systems, and impacts caused if the threats become real.

• Types of issues: viruses, worms, Trojans, bots. Viruses, worms, Trojans, and bots are all part of a class of software called malware.

• Malware is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks.
Malware

• Malware can infect systems by being bundled with other programs or attached as macros to files.

• Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers.

• The vast majority, however, are installed by some action from a user, such as clicking an e-mail attachment or downloading a file from the Internet.
Malware: Viruses, Worms, Bots

• Viruses: A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program.

• Worms: In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.

• To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them.
Bots: Good ones

• "Bot" is derived from the word "robot" and is an automated process that interacts with other network services.

• Bots can be used for either good or malicious intent. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being.

• A typical use of bots is to gather information (such as web crawlers) or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces.
Bots: Bad ones

• A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet."

• With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s).

• In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host.
Social Engineering & Phishing

• Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information.

• A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

• Phishing is a form of cyberattack in which the fraudsters induce Internet users to divulge sensitive, confidential information relating to bank accounts. The technique uses email to 'fish the internet' hoping to 'hook' users into supplying them with the login IDs, passwords, PINs, credit card information, etc.
Social Engineering Cases

http://www.financialexpress.com/india-news/aadhaar-sim-linking-fraud-how-this-man-lost-rs-1-3-lakh-from-his-salary-account-is-a-big-lesson-for-all-of-us/894488/

Homeshop18 fake calls
http://www.icomplaints.in/fraud-call-from-homeshop18-online-shopping-034413.html

Dormant Account
https://www.youtube.com/watch?v=8V0GEEGnBtg
Spyware

• Spyware is a term for computer software that is designed to collect personal information about users without their tacit consent.

• The distributor of spyware usually presents the program as a useful utility. In some cases, they are pushed in as a "Web accelerator" or as a helpful software agent.

• Spyware also comes bundled with shareware or other downloadable software as well as music CDs. When the user downloads a program and installs it, the installer additionally installs the spyware on the computer.
Spyware

• Although the desirable software itself may do no harm, the bundled spyware is bound to carry out the specific purpose it was intended for.

• Another way of distributing spyware involves tricking users by manipulating the security features designed to prevent unwanted installations.

• Some spyware authors infect a system through security holes in the Web browser or in other software wherein, when the user navigates to a Web page controlled by the spyware author, the page containing the code will attack the browser and force the download/installation of the spyware.
Adware

• Some variants called adware attempt to track the websites a user visits and then send this information to an advertising agency.

• Adware also frequently refers to any software which displays advertisements whether or not a user has given his consent.
Cyber harassment, C-bullying, C-Stalking

• Cyber harassment broadly refers to the use of a computer to communicate obscene, vulgar, or threatening content that causes a reasonable person to endure distress.

• Cyberbullying is a means of deliberately causing emotional distress in the victim.

• Cyber stalking refers to repeated contacts with a victim and can include: making false accusations, gaining information on the victim, encouraging others to harass the victim, attacking data and equipment of the victim, or using the Internet to place false orders for goods or services.

https://www.hindustantimes.com/health/blue-whale-challenge-why-teenagers-are-vulnerable-to-the-game-and-what-you-can-do-about-it/story-Yc91FxDuGBinBJj3LVBq4J.html

https://www.ndtv.com/india-news/what-happens-in-blue-whale-game-agonised-survivor-reveals-1746731?amp=1&akamai-rum=off
Cyber war and Cyber Terrorism

• Cyber-war refers to an organized attempt by a country’s military to disrupt or destroy the information and communication systems of another country.

• Cyber-terrorism is the use of computer and networking technologies against persons or property to intimidate or coerce governments, civilians, or any segment of society in order to attain political, religious, or ideological goals.

• Unlike cyber-war, cyber-terrorism is not launched by governments, but by individuals and organized groups.
Cyber war and Cyber Terrorism News

https://economictimes.indiatimes.com/tech/internet/cyber-crime-becoming-industry-may-occur-very-often-rajnath/articleshow/63297333.cms

https://www.bloombergquint.com/politics/2018/03/15/russian-hackers-attacking-u-s-power-grid-aviation-fbi-warns

https://economictimes.indiatimes.com/news/international/world-news/us-hits-russians-with-sanctions-for-election-meddling-cyber-attacks/articleshow/63320821.cms

https://www.youtube.com/watch?v=L78r7YD-kNw
Software Vulnerability

• Commercial software contains flaws that create security vulnerabilities due to bugs (program code defects).

• Zero defects cannot be achieved because complete testing is not possible with large programs.

• These defects open networks to intruders.

• Software providers introduce patches to repair flaws.

• Exploits are often created faster than patches can be released and implemented.
Business Value of Information Security Breach?

• Significant or total loss of business function(s).

• Risk of losing confidential personal and financial data.

• Risk of divulging trade secrets, new products, strategies.

• A security breach may cut into a firm’s market value almost immediately.

• Inadequate security and controls also bring forth issues of liability.


Developing an IS Security Plan

1) Risk Assessment: Analyze the value of the data, the risks to it, assess current policies, and recommend changes.

2) Policies and Procedures: Create formal policies for use of and safeguarding IS resources and outline the procedures to be followed and disaster recovery plans.

3) Implementation: Institute the security practices, policies, and procedures.

4) Training: Personnel need to know the policies, plans, what their roles and tasks are, and how to do them.

5) Auditing: This is an ongoing process to ensure practice, compliance, and effectiveness.
Risk Assessment

• Determines level of risk to firm if specific activity or process is not properly controlled.

• Types of threat.

• Probability of occurrence during year.

• Potential losses, value of threat and expected annual loss.


Online Order Processing Risk Assessment

EXPOSURE | PROBABILITY OF OCCURRENCE | LOSS RANGE (AVERAGE) ($) | EXPECTED ANNUAL LOSS ($)
Power failure | 30% | $5,000 - $200,000 ($102,500) | $30,750
Embezzlement | 5% | $1,000 - $50,000 ($25,500) | $1,275
User error | 98% | $200 - $40,000 ($20,100) | $19,698
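As an added example (not from the slides or the Laudon text), the expected annual loss column of the table above computed the way the slide does it, probability of occurrence times the average of the loss range, with the exposures then ranked so the security plan can prioritise them. The rows are the slide's own; the function names and the range-parsing helper are mine.

```python
import re

# Rows from the slide's "Online Order Processing Risk Assessment" table:
# (exposure, probability of occurrence in a year, loss range as printed).
EXPOSURES = [
    ("Power failure", 0.30, "$5,000 - $200,000"),
    ("Embezzlement", 0.05, "$1,000 - $50,000"),
    ("User error", 0.98, "$200 - $40,000"),
]

def parse_loss_range(text):
    """Turn a printed range like '$5,000 - $200,000' into (low, high) dollars."""
    amounts = [int(a.replace(",", "")) for a in re.findall(r"\$([\d,]+)", text)]
    if len(amounts) != 2 or amounts[0] > amounts[1]:
        raise ValueError(f"unrecognised loss range: {text!r}")
    return amounts[0], amounts[1]

def expected_annual_loss(probability, loss_range):
    """EAL = probability of occurrence x average loss, as in the slide's table."""
    low, high = parse_loss_range(loss_range)
    average = (low + high) / 2
    return round(probability * average)

def rank_exposures(rows):
    """Return one dict per exposure, highest expected annual loss first."""
    ranked = [
        {"exposure": name, "probability": probability,
         "expected_annual_loss": expected_annual_loss(probability, loss_range)}
        for name, probability, loss_range in rows
    ]
    return sorted(ranked, key=lambda r: r["expected_annual_loss"], reverse=True)

if __name__ == "__main__":
    for row in rank_exposures(EXPOSURES):
        print(f"{row['exposure']:<14} {row['probability']:>4.0%}  ${row['expected_annual_loss']:,}")
```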


Security Policy

• Ranks information risks, identifies acceptable security goals and identifies mechanisms for achieving these goals.

• Acceptable use policy (AUP): Defines acceptable uses of the firm’s information resources and computing equipment.

• Identity management
  • Identifying valid users
  • Controlling access
Implementation

• Risk reduction—taking active countermeasures to protect your systems, such as installing firewalls.

• Risk acceptance—implementing no countermeasures and simply absorbing any damages that occur.

• Risk transference—having someone else absorb the risk, such as by investing in insurance or by outsourcing certain functions to another organization with specific expertise.
Information Systems Controls

General controls
• Govern design, security, and use of computer programs and security of data files in general throughout the organization.
• Software controls, hardware controls, computer operations controls, data security controls, system development controls, administrative controls.

Application controls
• Controls unique to each computerized application.
• Input controls, processing controls, output controls.
Technological Safeguards

• Physical access restrictions
• Firewalls
• Encryption
• Virus monitoring and prevention
• Secure data centers
• Audit-control software

Tech Safeguards: Physical access

• Something you have: Keys, Smart Cards, Mobile phone

• Something you are: Biometrics

• Something you know: Password, PIN Code


Tech Safeguards: Firewalls

• Filter based on traffic type

• Filter based on traffic source

• Filter based on traffic destination

• Filter based on combinations of parameters
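An added example, not from the slides, showing the four kinds of filtering listed above in one small packet filter: rules match on traffic type, source, destination, or any combination, the first matching rule decides, and anything matching no rule is dropped. The network addresses and the rule set are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str       # traffic type: "tcp", "udp" or "icmp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int = 0   # destination port (0 for protocols without ports)

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # filter on traffic type
    src: str = "0.0.0.0/0"       # filter on traffic source (CIDR block)
    dst: str = "0.0.0.0/0"       # filter on traffic destination (CIDR block)
    dport: Optional[int] = None  # filter on destination port; None matches any

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every parameter it specifies matches."""
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; traffic matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed policy for a hypothetical firm: internal network 10.0.0.0/8, a DMZ
# 203.0.113.0/24 with a public web server at 203.0.113.10 (documentation address
# ranges, not real hosts). Deny rules are listed first so they win over allows.
RULES = [
    Rule("deny", proto="icmp"),                                    # by traffic type
    Rule("deny", src="198.51.100.0/24"),                           # by source
    Rule("allow", proto="tcp", dst="203.0.113.10/32", dport=443),  # destination + port
    Rule("allow", proto="tcp", src="10.0.0.0/8", dst="203.0.113.0/24"),  # combination
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.0.2.5", "203.0.113.10", 443),
                Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
                Packet("tcp", "192.0.2.5", "203.0.113.10", 22)):
        print(pkt, "->", filter_packet(RULES, pkt))
```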


Corporate Firewall (figure from Laudon & Laudon, Management Information System: Managing the Digital Firm)
Tech Safeguards: Encryption

• Encryption: Transforming text or data into ciphertext that cannot be read by unintended recipients.

• Two methods for encryption on networks:
  • Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS)
  • Secure Hypertext Transfer Protocol (S-HTTP)

Securing Wireless Networks

• WEP security
• Static encryption keys are relatively easy to crack
• Improved if used in conjunction with VPN.

• WPA2 specification
• Replaces WEP with stronger standards.
• Continually changing, longer encryption keys.

• Public key infrastructure (PKI)


• Use of public key cryptography working with certificate authority
• Widely used in e-commerce
Public Key – Private Key Encryption

• Uses two mathematically related keys: a public key and a private key.
• Sender encrypts the message with the recipient’s public key.
• Recipient decrypts with the private key.
Digital Certificate

• Data file used to establish the identity of users and electronic assets for protection of online transactions.

• Uses a trusted third party, a certification authority (CA), to validate a user's identity.

• CA verifies user’s identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner’s public key.
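An added example, not from the slides or the Laudon text, that walks through both the public-key slide and the digital certificate slide: a CA signs a certificate binding an owner ID to the owner's public key, a sender verifies that certificate with the CA's public key, encrypts with the public key it vouches for, and only the matching private key decrypts. It uses textbook RSA with tiny constructed primes and a hypothetical owner so it runs with the standard library alone.

```python
import hashlib

# Textbook RSA with tiny primes, for illustration only: real deployments use
# 2048-bit keys and padding (OAEP for encryption, PSS for signatures).
def make_keypair(p, q, e=17):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)

def encrypt(public_key, message: bytes):
    """Sender encrypts with the RECIPIENT's public key (one byte per block)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]

def decrypt(private_key, ciphertext):
    """Only the holder of the matching private key can reverse it."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

def _digest(owner_id, public_key, modulus):
    """Hash of the certificate contents, reduced so it fits the CA's modulus."""
    data = f"{owner_id}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(ca_private_key, owner_id, owner_public_key):
    """The CA binds an owner ID to the owner's public key by signing their digest."""
    d, n = ca_private_key
    signature = pow(_digest(owner_id, owner_public_key, n), d, n)
    return {"owner": owner_id, "public_key": owner_public_key, "signature": signature}

def verify_certificate(ca_public_key, cert):
    """Anyone with the CA's public key can check the certificate was not altered."""
    e, n = ca_public_key
    return pow(cert["signature"], e, n) == _digest(cert["owner"], cert["public_key"], n)

# Constructed keys (small primes) and a hypothetical certificate owner.
CA_PUBLIC, CA_PRIVATE = make_keypair(89, 97)
BOB_PUBLIC, BOB_PRIVATE = make_keypair(61, 53)
BOB_CERT = issue_certificate(CA_PRIVATE, "bob@example.com", BOB_PUBLIC)

if __name__ == "__main__":
    # The sender checks the certificate, then encrypts to the key it vouches for.
    assert verify_certificate(CA_PUBLIC, BOB_CERT)
    secret = encrypt(BOB_CERT["public_key"], b"PIN 4321")
    print(decrypt(BOB_PRIVATE, secret))  # only Bob's private key recovers it
```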
Digital Certificates (figure from Laudon & Laudon, Management Information System: Managing the Digital Firm)
Tech Safeguards: Viruses

• Purchase, install, and maintain antivirus software.
• Do not use flash drives or shareware from unknown or suspect sources.
• Use reputable sources when downloading material from the Internet.
• Delete without opening any e-mail message received from an unknown source.
• Do not blindly open e-mail attachments, even if they come from a known source.
• If your computer system contracts a virus, report it.
Tech Safeguards: Secure data centers

• Backups
• Backup Sites
• Redundant Data Centers
• Closed-Circuit Television
• Uninterruptible Power Supply

Data center Risks
Disaster & Recovery

• DRP (disaster recovery planning): Devises plans for restoration of disrupted services.

• BCP (business continuity planning): Focuses on restoring business operations after disaster.

• Both types of plans needed to identify firm’s most critical systems.

• Business impact analysis to determine impact of an outage.

• Management must determine which systems are restored first.

Security in the Cloud

• Responsibility for security resides with the company owning the data.

• Firms must ensure providers provide adequate protection:
  • Where data are stored
  • Meeting corporate requirements, legal privacy laws
  • Segregation of data from other clients
  • Audits and security certifications

• Service level agreements (SLAs)


Security on Mobile Platform

• Security policies should include and cover any special requirements for mobile devices such as guidelines for use of platforms and applications.

• Mobile device management tools: Authorization, Control updates, Lock down/erase lost devices, Encryption.

• Software for segregating corporate data on devices.


Role of IT Audit

• Examines firm’s overall security environment as well as controls governing individual information systems.

• Review technologies, procedures, documentation, training, and personnel.

• List and rank control weaknesses and the probability of occurrence.

• Assess financial and organizational impact of each threat.

Sample Auditor’s List of Control Weaknesses (figure from Laudon & Laudon, Management Information System: Managing the Digital Firm)
Human Safeguards
Free & Freedom
Personalization – Privacy Tradeoff

• Personalization: Sophisticated use of consumer data allows for personalized product offerings and recommendations, price discounts, free services, and more relevant marketing communications and media content.

• Privacy Invasions: However, these benefits are also coupled with the increased negative effects faced by consumers due to privacy invasion, unwanted marketing communication, and highly targeted, obtrusive marketing communications that disrupt the rhythm of the customer.
Accessibility

• Maintaining boundaries: family, work, and leisure

• Negative social consequences of systems

• Balancing power: center versus periphery

• Computer crime and abuse


Net Neutrality

• What is it?

• Pros & Cons?

• URLs:
• Vox - https://www.youtube.com/watch?v=sBKPacCuXsw

• AIB - https://www.youtube.com/watch?v=mfY1NKrzqi0
Personal Data Protection Bill, 2019

• To provide for the protection of the privacy of individuals relating to their personal data,
• specify the flow and usage of personal data,
• create a relationship of trust between persons and entities processing the personal data,
• protect the rights of individuals whose personal data are processed.

Personal Data Protection Bill, 2019

• To create a framework for organizational and technical measures in processing of data,
• laying down norms for social media intermediary,
• cross-border transfer,
• accountability of entities processing personal data,
• remedies for unauthorized and harmful processing, and
• to establish a Data Protection Authority of India for the said purposes and for matters connected therewith.
https://corporate.cyrilamarchandblogs.com/2019/12/personal-data-protection-bill-2019-analysis-india/
Conclusion - Analyzing vast amounts of customer data gives organizations the opportunity to strengthen the relationship with their customers.

Conclusion - However, without adequate customer privacy controls, transparency and data governance rules, customer data can be exploited, leading to privacy failures.