Management Information Systems

Lecture 7: Information Security

Gabriella Kereszturi
 MAIN POINTS

Describing the relationships and differences between

hackers and viruses
Describing the relationship between information
security policies and an information security plan
Providing an example of each of the three primary
security areas: (1) authentication and authorization,
(2) prevention and resistance, and (3) detection and
response
 Systems Vulnerability and Abuse

• Why systems are vulnerable

– Accessibility of networks
– Hardware problems (breakdowns, configuration errors,
damage from improper use or crime)
– Software problems (programming errors, installation
errors, unauthorized changes)
– Disasters
– Use of networks/computers outside of firm’s control
– Loss and theft of portable devices

Source: Laudon & Laudon

(2016)
 Security Challenges & Vulnerabilities

The architecture of a Web-based application typically includes a Web client, a server, and
corporate information systems linked to databases. Each of these components presents security
challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can
cause disruptions at any point in the network.

Source: Laudon & Laudon (2016)

 System Vulnerability and Abuse
• Internet vulnerabilities
– Network open to anyone
– Size of Internet means abuses can have wide impact
– Use of fixed Internet addresses …… creates fixed targets
for hackers
– E-mail, IM, ….
• Interception
• Attachments with malicious software
• Transmitting trade secrets
- Wireless security challenges
- Etc…
Source: Laudon & Laudon
(2016)
 WI-FI Security Challenges

Many Wi-Fi networks

can be penetrated
easily by intruders
using sniffer programs
to obtain an address to
access the resources of
a network without
authorization.

Source: Laudon & Laudon

 Protecting Intellectual Assets

• Organizational information is intellectual

capital - it must be protected
• Information security – The protection of
information from accidental or intentional
misuse by persons inside or outside an
organization
• Downtime – Refers to a period of time when a
system is unavailable
 Security Threats Caused by Hackers and
Malware

• Hacker – Experts in technology who use their

knowledge to break into computers and computer
networks, either for profit / benefit or just motivated
by the challenge
– Black-hat hacker
– White-hat hacker
– Hactivist
– Cracker
– Cyberterrorist
 Hackers

• White-hat hackers—work at the request of the system

owners to find system vulnerabilities and plug the holes

• Black-hat hackers —break into other people’s computer

systems and may just look around or may steal and destroy
information

• Hactivists—have philosophical and political reasons for

breaking into systems and will often deface the website as a
protest
 Hackers

• Cracker—a hacker with criminal intent

• Cyberterrorists—seek to cause harm to people or to

destroy critical systems or information and use the Internet
as a weapon of mass destruction
 Malware (Malicious Software)

– Viruses
• Malicious software program that attaches itself to
other software programs or data files in order to be
executed
– Worms
• Independent programs that copy themselves from one
computer to other computers over a network.
– Worms and viruses spread by
• Downloads (drive-by downloads)
• E-mail, IM attachments
• Downloads on Web sites and social networks

Source: Laudon & Laudon

(2016)
 Malware (Malicious Software)

• Denial-of-service attacks (DoS)

– Flooding server with thousands of false requests to crash
the network

• Distributed denial-of-service attacks (DDoS)

– Use of numerous computers to launch a DoS

Source: Laudon & Laudon

(2016)
 Malware (Malicious Software)

– Trojan horses
• Software that appears harmless but does something
other than expected

– Spyware
• Small programs install themselves in secret/by
improper means on computers to monitor user Web
surfing activities…..

Source: Laudon & Laudon

(2016)
How Malicious Software Spread?
 Security threats ….

• Malicious code includes a variety of threats (eg viruses,

worms, and Trojan horses)

• Spoofing is the forging of the return address on an email so

that the email message appears to come from someone other
than the actual sender. This is not a virus but rather a way
by which virus authors hide their identities as they send out
viruses.
 Security threats ….

• A sniffer is a program or device that can monitor data

traveling over a network. Sniffers can show all the data being
transmitted over a network, including passwords and sensitive
information. Sniffers tend to be a favorite weapon in the
hacker’s arsenal.
 Security threats ….
• Pharming
– Redirects users to a bogus Web page, even when individual
types correct Web page address into his or her browser
• Identity theft
– Theft of personal Information (social security ID, driver’s
license, or credit card numbers) to impersonate someone else
• Phishing
– Sending an e-mail messages that look like from a legitimate
businesses to ask users for confidential personal data and this
may include a link to a fake Web sites

Source: Laudon & Laudon

(2016)
 The First Line of Defense - People

• Organizations must enable employees, customers, and partners

to access information electronically
• The biggest issue surrounding information security is not a
technical issue, but a people issue
 The First Line of Defense - People

• The first line of defense an organization should follow

to help combat insider issues is to develop information
security policies and an information security plan
– Information security policies – identify the rules required to
maintain information security
– Information security plan – details how an organization will
implement the information security policies
 The Second Line of Defense - Technology

• There are three primary information technology security

areas
 Authentication and Authorization

• Authentication – A method for confirming users’ identities

• Authorization – The process of giving someone permission to
do or have something
• The most secure type of authentication involves
1. Something the user knows
2. Something the user has
3. Something that is part of the user
 Something the User Knows Such As a User ID and
Password

• This is the most common way to

identify individual users and typically
contains a user ID and a password
• This is also the most ineffective form of
authentication
• Over 50 % of help-desk calls are
password related
 Something the User has Such As Smart cards and
tokens

• Smart cards and tokens are more effective

than a user ID and a password
– Tokens – Small electronic devices that
change user passwords automatically
– Smart card – A device that is around the
same size as a credit card, containing
embedded technologies that can store
information and small amounts of software to
perform some limited processing
 Something That Is Part Of The User Such As a
Fingerprint or Iris

• This is by far the best and most effective way to

manage authentication
– Biometrics – The identification of a user based on a
physical characteristic, such as a fingerprint, iris,
voice, or handwriting
• Unfortunately, this method can be costly and
intrusive
 Prevention and Resistance

• Downtime can cost an organization anywhere from

$100 to $1 million per hour
• Technologies available to help prevent and build
resistance to attacks include
1. Content filtering
2. Encryption
3. Firewalls
 Prevention and Resistance

• Content filtering - Prevents emails containing sensitive

information from transmitting and stops spam and
viruses from spreading
 Prevention and Resistance

• If there is an information security breach and the

information was encrypted, the person stealing the
information would be unable to read it
– Encryption
– Public key encryption (PKE)
 Prevention and Resistance

Encryption – scrambles information into an alternative form

that requires a key or password to decrypt the information

Public key encryption (PKE) – an encryption system that

uses two keys: a public key for everyone and a private key
for the recipient
 Public Key Encryption

A public key encryption system can be viewed as a series of public and private keys that lock data
when they are transmitted and unlock the data when they are received. The sender locates the
recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted
form over the Internet or a private network. When the encrypted message arrives, the recipient uses his
or her private key to decrypt the data and read the message.

Source: Laudon & Laudon

(2016)
 Watch this video

• https://www.youtube.com/watch?v=E5FEqGYLL0o
• https://www.youtube.com/watch?v=EJd8zqN3zTw
 Prevention and Resistance

Firewall:
– Combination of hardware and software that
prevents
unauthorized users from accessing private networks

Source: Laudon & Laudon

(2016)
 A Corporate Firewall

The firewall is placed between the firm’s private network and the public Internet or another distrusted
network to protect against unauthorized
traffic.
Source: Laudon & Laudon (2016)
 Detection and Response

• If prevention and resistance strategies

fail and there is a security breach, an
organization can use detection and
response technologies to mitigate the
damage
 Detection and Response
• Intrusion detection systems:
– Monitors hot spots on corporate networks to detect and
deter intruders
– Examines events as they are happening to discover
attacks in progress
• Antivirus and antispyware software:
– Checks computers for presence of malware and can often
eliminate it as well
– Requires continual updating
• Unified threat management (UTM) systems

Source: Laudon & Laudon

(2016)
Task

• Read chapter 8 (textbook) and related material and

videos.
 References

• Baltzan, P. ( 2016) Business Driven Information Systems.

Global Edition, 5th ed McGraw-Hill/NY.

• Laudon K.C. and Laudon J.P. (2016) Management Information

Systems, Managing the Digital Firm, 14th ed. Prentice Hall.

• Laudon K.C. and Laudon J.P. (2020) Management Information

Systems, Managing the Digital Firm, 16th ed. Prentice Hall.