CHAPTER 8 "Securing Information Systems"
8.1 System Vulnerability and Abuse
If you operate a business today, you need to make security and control
a top priority. Security refers to the policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or physical damage to
information systems. Controls are methods, policies, and organizational procedures that ensure
the safety of the organization’s assets; the accuracy and reliability of its
records; and operational adherence to management standards.
Why Systems Are Vulnerable
When large amounts of data are stored in electronic form, they are
vulnerable to many more kinds of threats than when they existed in manual form.
Internet Vulnerabilities
Large public networks, such as the Internet, are more vulnerable than
internal networks because they are virtually open to anyone. The Internet is so
huge that when abuses do occur, they can have an enormously widespread impact. Computers
that are constantly connected to the Internet by cable modems or digital
subscriber line (DSL) lines are more open to penetration by outsiders because
they use fixed Internet addresses where they can be easily identified. Vulnerability
has also increased from widespread use of e-mail, instant messaging (IM), and
peer-to-peer file-sharing programs.
Wireless Security Challenges
Even the wireless network in your home is vulnerable because radio
frequency bands are easy to scan. Both Bluetooth and Wi-Fi networks are
susceptible to hacking by eavesdroppers.
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
Malicious software programs are referred to as malware and include a variety of
threats, such as computer viruses, worms, and Trojan horses. A computer virus is a rogue software program
that attaches itself to other software programs or data files in order to be
executed, usually without user knowledge or permission.
Many recent attacks have come from worms, which are independent computer
programs that copy themselves from one computer to other computers over a
network. A Trojan horse is a
software program that appears to be benign but then does something other than
expected. SQL injection attacks, although not malware in themselves, are
currently among the most serious threats to Web applications. They take
advantage of poorly coded Web application software that builds database
queries from user-supplied input without validation or parameterization,
allowing an attacker to inject SQL commands of his or her own. The attacker
can then read or alter the company's data and, in some cases, use the
database server as a foothold to introduce malicious program code into the
company's systems and networks.
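The following added example (written for this summary, not code from the Laudon textbook) shows the defect that makes SQL injection possible beside its fix. The user table, its single row, and the attack strings are constructed here so the example runs offline against Python's built-in sqlite3 module; a real application would also never store passwords in clear text.

```python
"""Added example: a login query vulnerable to SQL injection beside its
parameterized fix.  Illustrative code for this chapter summary; the users
table and the sample row are constructed so it runs offline with sqlite3.
"""
import sqlite3


def make_db():
    """Create an in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL.
    A password of  ' OR '1'='1  or a username of  alice' --  changes the
    WHERE clause instead of being compared as data."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the input as bound values, so a
    quote or comment marker in the input is matched literally, never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    injected_password = "' OR '1'='1"
    commented_username = "alice' --"
    print("vulnerable, real credentials:  ", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, injected password: ", login_vulnerable(db, "alice", injected_password))
    print("vulnerable, commented username:", login_vulnerable(db, commented_username, "x"))
    print("safe, injected password:       ", login_safe(db, "alice", injected_password))
    print("safe, commented username:      ", login_safe(db, commented_username, "x"))
```

The vulnerable function accepts both attack strings because they rewrite the query; the parameterized function rejects them because the database receives the input as a value, not as part of the statement.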
Spyware consists of small programs that install themselves surreptitiously on
computers to monitor user Web surfing activity and serve up advertising. Many
users find such spyware annoying, and some critics
worry about its infringement on computer users’ privacy. Some forms of spyware
are especially nefarious. Keyloggers record every keystroke made on a computer to steal serial numbers
for software, to launch Internet attacks, to gain access to e-mail accounts, to
obtain passwords to protected computer systems, or to pick up personal
information such as credit card numbers.
Hacker and Computer Crime
A hacker is an individual who intends to gain unauthorized access to a
computer system. Hacker activities have broadened beyond mere system intrusion
to include theft of goods and information, as well as system damage and cybervandalism, the
intentional disruption, defacement, or even destruction of a Web site or corporate
information system.
Spoofing and Sniffing
Spoofing involves misrepresenting oneself, for example by using a fake e-mail
address or masquerading as someone else. Spoofing also may
involve redirecting a Web link to an address different from the intended one,
with the site masquerading as the intended destination. A sniffer is a type of eavesdropping
program that monitors information traveling over a network. Used legitimately,
sniffers help identify network problems; used maliciously, they can capture
passwords, e-mail, and other confidential data as it crosses the network.
Denial-of-Service Attacks
In a denial-of-service (DoS)
attack, hackers flood a network
server or Web server with many thousands of false communications or requests
for services, exhausting its capacity so that legitimate users cannot be
served or the system crashes. A distributed
denial-of-service (DDoS) attack uses
numerous computers, typically compromised machines organized into a botnet,
to inundate and overwhelm the network
from numerous launch points.
Computer Crime
Most hacker activities are criminal offenses, and the
vulnerabilities of systems we have just described make them targets for other
types of computer crime as well.
Identity Theft
Identity theft is
a crime in which an imposter obtains key pieces of personal information, such
as social security identification numbers, driver’s license numbers, or credit
card numbers, to impersonate someone else.
Click Fraud
Click fraud occurs when
an individual or computer program fraudulently clicks on an online ad without
any intention of learning more about the advertiser or making a purchase.
Global Threats: Cyberterrorism and Cyberwarfare
Concern is mounting that the vulnerabilities of the Internet or
other networks make digital networks easy targets for digital attacks by
terrorists, foreign intelligence services, or other groups seeking to create
widespread disruption and harm. Such cyberattacks might target the software
that runs electrical power grids, air traffic control systems, or networks of
major banks and financial institutions.
Internal Threats: Employees
Employees have access to privileged information, and in the
presence of sloppy internal security procedures, they are often able to roam
throughout an organization’s systems without leaving a trace. Many employees forget
their passwords to access computer systems or allow co-workers to use them,
which compromises the system. Malicious intruders seeking system access
sometimes trick employees into revealing their passwords by pretending to be
legitimate members of the company in need of information. This practice is
called social engineering.
Software Vulnerability
A major problem with software is the presence of hidden bugs or program code
defects. Flaws in commercial software
not only impede performance but also create security vulnerabilities that open
networks to intruders. To correct software flaws once they are identified, the
software vendor creates small pieces of software called patches to repair the flaws without disturbing
the proper operation of the software.
8.2 Business Value of Security and Control
Protecting information systems is so critical to the operation of
the business that it deserves a second look because companies have very valuable
information assets to protect. Businesses must protect not only their own information
assets but also those of customers, employees, and business partners. Failure
to do so may open the firm to costly litigation for data exposure or theft.
Legal and Regulatory Requirements For Electronic Records Management
If you work in the health care industry, your firm will need to
comply with the Health Insurance Portability and Accountability Act (HIPAA) of
1996. HIPAA outlines medical security and privacy rules and procedures for simplifying
the administration of health care billing and automating the transfer of health
care data between health care providers, payers, and plans.
If you work in a firm providing financial services, your firm will
need to comply with the Gramm-Leach-Bliley
Act. This act requires financial
institutions to ensure the security and confidentiality of customer data.
If you work in a publicly traded company, your company will need
to comply with the Sarbanes-Oxley Act. This Act was designed to protect investors after the financial scandals
at Enron, WorldCom, and other public companies. It imposes responsibility on
companies and their management to safeguard the accuracy and integrity of
financial information that is used internally and released externally.
Electronic Evidence and Computer Forensics
Computer forensics is
the scientific collection, examination, authentication, preservation, and
analysis of data held on or retrieved from computer storage media in such a way
that the information can be used as evidence in a court of law. It deals with
the following problems:
- Recovering data from computers while preserving evidential integrity
- Securely storing and handling recovered electronic data
- Finding significant information in a large volume of electronic data
- Presenting the information to a court of law
8.3 Establishing A Framework For Security and Control
You’ll need to develop a security policy and plans for keeping
your business running if your information systems aren’t operational.
Information Systems Controls
General controls govern
the design, security, and use of computer programs and the security of data
files in general throughout the organization’s information technology
infrastructure. Application controls are specific controls unique to each computerized application,
such as payroll or order processing.
Risk Assessment
A risk assessment determines the level of risk to the firm if a specific activity or
process is not properly controlled. Not all risks can be anticipated and measured,
but most businesses will be able to acquire some understanding of the risks
they face.
Security Policy
A security policy consists of statements ranking information risks, identifying
acceptable security goals, and identifying the mechanisms for achieving these
goals. The security policy drives policies determining acceptable use of the
firm’s information resources and which members of the company have access to
its information assets. An acceptable
use policy (AUP) defines acceptable uses of the
firm’s information resources and computing equipment, including desktop and
laptop computers, wireless devices, telephones, and the Internet.
Security policy also includes provisions for identity management. Identity management consists
of business processes and software tools for identifying the valid users of a system
and controlling their access to system resources.
Disaster Recovery Planning and Business Continuity Planning
Disaster recovery planning devises
plans for the restoration of computing and communications services after they have
been disrupted. Business continuity planning
focuses on how the company
can restore business operations after a disaster strikes.
The Role of Auditing
An MIS audit examines the firm’s overall security environment as well as
controls governing individual information systems. The auditor should trace the
flow of sample transactions through the system and perform tests, using, if
appropriate, automated audit software. The MIS audit may also examine data
quality.
8.4 Technologies and Tools For Protecting Information Resources
Businesses have an array of technologies for protecting their
information resources. They include tools for managing user identities,
preventing unauthorized access to systems and data, ensuring system
availability, and ensuring software quality.
Identity Management and Authentication
To gain access to a system, a user must be authorized and
authenticated. Authentication refers to the ability to know that a person is who he or she claims
to be. Authentication is often established by using passwords known only
to authorized users. Passwords, however, can be forgotten, shared, guessed,
or stolen. New authentication technologies, such as tokens, smart
cards, and biometric authentication, overcome some of these problems. A token is a physical device, similar
to an identification card, that is designed to prove the identity of a single
user, typically by displaying a one-time code that changes every few seconds.
A smart card is a device about the size of a credit card that contains a chip
formatted with access permission and other data. Biometric authentication uses
systems that read and interpret individual human traits, such as fingerprints,
irises, and voices, in order to grant or deny access.
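As an added example (written for this summary, not code from the Laudon textbook), the block below combines the two factors described above: a password checked against a salted hash, and the one-time code that a hardware or software token generates, implemented as a time-based one-time password (TOTP, RFC 6238) on top of HOTP (RFC 4226). The user record, the token seed, and the iteration count are constructed assumptions; only the Python standard library is used.

```python
"""Added example: two-factor authentication with a salted password hash and a
TOTP token code.  Illustrative code for this chapter summary; the user record,
token seed and iteration count are constructed assumptions.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 100_000   # assumption: tune so one check takes ~100 ms
TOTP_STEP = 30                # RFC 6238 default time step in seconds


def hash_password(password, salt=None):
    """Return (salt, digest). A random per-user salt defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    counter, dynamically truncated to 31 bits, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=6):
    """Time-based OTP (RFC 6238): the counter is the number of 30-second steps
    since the Unix epoch, so token and server agree without shared state."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // TOTP_STEP), digits)


def verify_totp(secret, code, at=None, window=1):
    """Accept the current code and `window` steps either side to tolerate
    clock drift between token and server; compare in constant time."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


def authenticate(user, password, code, at=None):
    """Both factors are always evaluated, so a stolen password alone grants
    nothing and the response time does not reveal which factor failed."""
    pw_ok = verify_password(password, user["salt"], user["hash"])
    otp_ok = verify_totp(user["totp_secret"], code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed user record; the seed is the RFC 6238 test-vector secret.
    salt, digest = hash_password("correct horse battery staple")
    user = {"salt": salt, "hash": digest, "totp_secret": b"12345678901234567890"}
    code_now = totp(user["totp_secret"])
    print("token shows:", code_now)
    print("login with both factors:", authenticate(user, "correct horse battery staple", code_now))
    print("login with password only:", authenticate(user, "correct horse battery staple", "000000"))
```

The seed used in the demonstration is the published RFC 6238 test secret, so the codes it produces at fixed times (for example 287082 at t=59) can be checked against the RFC's table; a real deployment provisions a random per-user seed to the token and stores it as carefully as a password hash.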
Firewalls, Intrusion Detection Systems, and Antivirus Software
Firewalls
Firewalls prevent
unauthorized users from accessing private networks. A firewall is a combination
of hardware and software that controls the flow of incoming and outgoing
network traffic.
Intrusion Detection Systems
Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable
points or “hot spots” of corporate networks to detect and deter intruders
continually. The system generates an alarm when it finds a suspicious or
anomalous event, such as repeated failed logins from one source, so that
security staff can investigate while the attack is still in progress.
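One concrete form of the monitoring just described, as an added example that is not part of the Laudon text: a small host-based check that scans authentication log lines and raises an alert when one source address produces too many failed logins within a short window. The log lines are constructed here in the style of OpenSSH's sshd messages, and the threshold and window are assumptions a site would tune.

```python
"""Added example: brute-force login detection over constructed sshd log lines.
Illustrative code for this chapter summary; the log lines, threshold and
window are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd's failed-password message; syslog timestamps pad the day with a
# space ("Mar  3"), which the ' +' handles.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
THRESHOLD = 5        # assumption: failures that trigger an alert
WINDOW_SECONDS = 60  # assumption: sliding window length

# Constructed sample log: one source hammers the host, another fails twice.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar  3 10:15:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 4413 ssh2
Mar  3 10:15:05 web1 sshd[2105]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:15:06 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 4414 ssh2
Mar  3 10:15:09 web1 sshd[2108]: Failed password for bob from 198.51.100.4 port 60211 ssh2
Mar  3 10:15:12 web1 sshd[2110]: Failed password for invalid user oracle from 203.0.113.7 port 4415 ssh2
Mar  3 10:15:21 web1 sshd[2114]: Failed password for root from 203.0.113.7 port 4416 ssh2
Mar  3 10:16:40 web1 sshd[2130]: Failed password for bob from 198.51.100.4 port 60215 ssh2
Mar  3 10:17:02 web1 sshd[2131]: Failed password for root from 203.0.113.7 port 4420 ssh2
""".splitlines()


def parse_failure(line, year=2024):
    """Return (timestamp, ip, user) for a failed-login line, else None.
    Syslog lines carry no year, so one is supplied (assumption)."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Keep a per-IP queue of recent failure times; when the queue holds
    `threshold` entries within `window` seconds, emit one alert for that IP."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop expired entries
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for ip, when, count in detect_bruteforce(SAMPLE_LOG):
        print("ALERT %s: %d failed logins within %ds ending %s"
              % (ip, count, WINDOW_SECONDS, when.strftime("%H:%M:%S")))
```

Run over the sample, the check flags 203.0.113.7 at 10:15:21 (its fifth failure in twenty seconds) and stays quiet about 198.51.100.4, whose two failures are spread out. A production detector would also watch for the same account being tried from many addresses, which a per-IP count alone misses.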
Antivirus and Antispyware Software
Antivirus software is
designed to check computer systems and drives for the presence of computer
viruses and other malware. Because new malware appears constantly, the
software is only effective if its detection signatures are continually updated.
Unified Threat Management Systems
To help businesses reduce costs and improve manageability,
security vendors have combined into a single appliance various security tools,
including firewalls, virtual private networks, intrusion detection systems, and
Web content filtering and antispam software. These comprehensive security
management products are called unified
threat management (UTM) systems.
Securing Wireless Networks
WEP, the original Wi-Fi security standard, is cryptographically broken and
should not be relied on; Wi-Fi networks should instead use WPA2 or WPA3 with
a strong passphrase. Assigning a unique name to your network’s SSID and
instructing your router not to broadcast it are often recommended as first
steps, but they do little to thwart a determined attacker, since the SSID is
still visible in the traffic of connected clients.
Encryption and Public Key Infrastructure
Encryption is the
process of transforming plain text or data into cipher text that cannot be read
by anyone other than the sender and the intended receiver. Two methods for
encrypting network traffic on the Web are SSL and S-HTTP.
Secure Sockets Layer (SSL) and
its successor Transport Layer Security (TLS) enable client and server computers
to manage encryption and decryption activities as they communicate with each
other during a secure Web session. Secure
Hypertext Transfer Protocol (S-HTTP) is
another protocol used for encrypting data flowing over the Internet, but it is
limited to individual messages, whereas SSL and TLS are designed to establish a
secure connection between two computers. S-HTTP was never widely adopted;
in practice, TLS is what protects Web traffic today.
Symmetric encryption uses a single key that both parties must share, which
raises the problem of distributing that key securely. Public key encryption
solves this problem by using
two keys: one shared (or public) and one totally private, as shown in Figure 8-6.
The keys are mathematically related so that data encrypted with one key can be decrypted
using only the other key. Digital
certificates are data files used to establish
the identity of users and electronic assets for protection of online
transactions; a trusted certification authority issues them, vouching that a
given public key belongs to the named owner.
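As an added example (written for this summary, not code from the Laudon textbook), the block below demonstrates the two-key property just described with textbook-sized RSA, using primes small enough to follow by hand. The primes, exponent, and message are constructed; real systems use moduli of 2048 bits or more together with padding schemes (OAEP for encryption, PSS for signatures), so this is a toy for seeing how the keys relate, not something to deploy.

```python
"""Added example: toy RSA showing that data encrypted with the public key can
be recovered only with the private key, and that a signature made with the
private key is verifiable by anyone holding the public key.  Illustrative
code for this chapter summary; primes and message are constructed.
"""
import hashlib


def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) where d is the inverse of e modulo (p-1)(q-1).
    pow(e, -1, phi) needs Python 3.8+ and raises ValueError if gcd(e, phi) != 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone can encrypt with the public key: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private exponent recovers the message: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, message):
    """Sign the hash of the message with the private key (toy: hash reduced mod n)."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Recompute the hash and check that the signature 'decrypts' to it."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    public, private = make_keypair(61, 53)        # n = 3233, d = 2753
    c = encrypt(public, 65)
    print("ciphertext:", c)                        # 2790
    print("decrypt with private key:", decrypt(private, c))
    print("'decrypt' with public key:", decrypt(public, c), "(wrong key, garbage)")
    order = b"transfer 100 to alice"
    s = sign(private, order)
    print("signature valid:", verify(public, order, s))
    print("tampered order valid:", verify(public, b"transfer 900 to alice", s))
```

The second print line shows the point of the passage: applying the public exponent to the ciphertext does not give back the message, so possession of the public key alone reveals nothing. The signature check is the mechanism a digital certificate relies on, with the certification authority's private key doing the signing.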
Ensuring System Availability
As companies increasingly rely on digital networks for revenue and
operations, they need to take additional steps to ensure that their systems and
applications are always available. In online
transaction processing, transactions
entered online are immediately processed by the computer. Multitudinous changes
to databases, reporting, and requests for information occur each instant.
Fault-tolerant computer systems contain redundant hardware, software, and power supply components
that create an environment that provides continuous, uninterrupted service. Fault
tolerance should be distinguished from high-availability
computing. Both fault tolerance and
high-availability computing try to minimize downtime, but fault tolerance
promises continuous availability, whereas high-availability computing aims
to recover quickly from a crash. Downtime refers to
periods of time in which a system is not operational. Researchers are exploring
ways to make computing systems recover even more rapidly when mishaps occur, an
approach called recovery-oriented computing.
Controlling Network Traffic: Deep Packet Inspection
Bandwidth-consuming applications such as file-sharing programs and streaming
video can clog and slow down corporate networks. A technology called deep
packet inspection (DPI) helps solve
this problem. DPI examines the contents of data packets, not just their
headers, and sorts out low-priority online
material while assigning higher priority to business-critical traffic.
Security Outsourcing
Many companies, especially small businesses, lack the resources or expertise
to provide a secure computing environment on their own, so they outsource
many security functions to managed
security service providers (MSSPs) that
monitor network activity and perform vulnerability testing and intrusion
detection.
Security Issues for Cloud Computing and the Mobile Digital Platform
Although cloud computing and the emerging mobile digital platform
have the potential to deliver powerful benefits, they pose new challenges to
system security and reliability.
Security in the Cloud
When processing takes place in the cloud, accountability and
responsibility for protection of sensitive data still reside with the company
owning that data. Cloud users need to confirm that regardless of where their
data are stored or transferred, they are protected at a level that meets their
corporate requirements. Cloud users should also ask whether cloud providers
will submit to external audits and security certifications. These kinds of
controls can be written into the service level agreement (SLA) before signing
with a cloud provider.
Securing Mobile Platforms
If mobile devices are performing many of the functions of
computers, they need to be secured like desktops and laptops against malware,
theft, accidental loss, unauthorized access, and hacking attempts. Companies
should make sure that their corporate security policy includes mobile devices,
with additional details on how mobile devices should be supported, protected,
and used. Companies will need to ensure that all smartphones are up to date
with the latest security patches and antivirus/antispam software, and they
should encrypt communication whenever possible.
Ensuring Software Quality
In addition to implementing effective security and controls,
organizations can improve system quality and reliability by employing software
metrics and rigorous software testing. Software metrics are objective
assessments of the system in the form of quantified measurements. Good testing
begins before a software program is even written by using a walkthrough—a review of a specification or design document by a small group of
people carefully selected based on the skills needed for the particular
objectives being tested.
----------------------------------------------------End-------------------------------------------------------------
source: "Management Information System" e-book, 12th edition, written by Kenneth C. Laudon and Jane P. Laudon.