INFORMATION SYSTEMS THREAT AND SECURITY

Hardware Security

* The first thing an organization must consider in a security plan is the physical security of the computer hardware.
* All hardware should be kept in a safe and secure place that remains locked at all times. This is especially true for the servers and hardware infrastructure.
* Users should keep individual workstations secure according to an organization's policies and procedures.
* All employees who have access to the firm's systems should use proper identification and authorization. Disk drive locks, alarm systems, and locks to protect USB drives are additional security options.

There are five components of an information system

1. Hardware 2. Software 3. Data 4. People 5. Procedures

Intentional Technical Threats

1. Unauthorized Access 2. Trojan Horses 3. Back Doors 4. Contamination 5. Eavesdropping 6. Malicious Software Coding

Keeping software secure:

1. Authentication of User 2. Software Firewalls 3. Malware Protection

Examples of Malware

1. Computer Worms 2. Trojan Horses 3. Bootsector Virus

Disaster Recovery Examples

1. Concept of Disaster Recovery 2. Importance of Disaster Recovery Plans

Computing Resources Security Examples

1. Confidentiality 2. Integrity 3. Authentication

Creating a Disaster Recovery Plan Steps

1. Create the Disaster Recovery Plan Committee 2. Conduct the Risk Analysis 3. Identify Recovery Options 4. Create a Disaster Recovery Plan Strategy

Objectives of a Disaster Recovery Plan Steps

1. Decrease risk of disaster 2. Reduce probability of disaster 3. Reduce insurance premiums 4. Protect assets 5. Reduce dependence on human decision making after a disaster 6. Continue organizational stability 7. Improve employee safety

Disaster Recovery Mistakes

1. Improper Planning 2. Lack of Top Management Support 3. Lack of Proper Testing 4. Noninvolvement

Unintentional Threats

1. Natural disasters 2. Human threats 3. Environmental threats 4. Physical threats 5. Technical threats that are not deliberate

Data Backup Technologies Examples

1. Optical Media 2. Semiconductor 3. Magnetic Tape

People Security includes

1. Security during the Hiring Process 2. New Employees 3. Seasoned Employees 4. Procedures Security

Other Technical Threats

1. Sniffing 2. Spoofing 3. Pretexting 4. Phishing 5. Communication Threats 6. Spyware 7. Denial-of-Service Attacks

Environmental Threats Example

1. Temperature too high 2. Water leaks around IS hardware 3. High humidity 4. No ventilation or poor ventilation 5. Electromagnetic Interference 6. Hazardous Materials

Disaster Recovery

A data disaster for an organization is any event that causes systems to crash or lose data. Disaster recovery refers to what organizations can do to bring their systems and data back online. This includes returning the system and data to their predisaster state. The more quickly an organization can recover, the less financial impact the event will have on its business.

Lack of Proper Testing

A good plan is important, but what if it is never practiced? Without practice, employees are unsure of what to do in the event of a disaster. Organizations must conduct disaster recovery plan testing.

Human Threats Intentional threats

All threats that are intentional can be traced to someone or some organization. Those covered here can be traced to a specific person. Most of the intentional threats to information systems involve technical means.

Intentional threats

Any threat to an information system (IS) is considered intentional if its purpose is to do harm, regardless of the reason. Many of these threats are discovered quickly and can be traced to the perpetrator, while many others go undetected for long periods of time.

Data Security Correct Data Rights

Assigning users the correct data rights necessary to do their jobs is also critical for data security. Users in an organization should only have the ability to change or modify data for which they are directly responsible. Users who only need to see the data to do their job should be given read-only access. All other data in a database should be off limits. These limitations can be created through the use of properly assigned user IDs and passwords. Physical security is necessary to protect not only the hardware and software but also the data.

Data and Data Loss Examples

Collecting Data, Data Backup

Collecting Data

Companies that depend on their information for survival often consider data their most valuable asset. The ability to collect data and use it for making business decisions gave birth to the Information Age. Digital data are growing at a rate of more than 80% per year, so organizations must be prepared to maintain and protect them. There are many ways that data can be lost in an organization. Physical ways such as natural disasters, terrorism, or attacks by disgruntled employees are just a few ways. Viruses, software attacks, hackers, and even corporate spies can steal, delete, or compromise data, causing financial harm to organizations. Even accidents such as hard disk crashes, employee error, or spilling a drink on your computer can impact your data. Many organizations have closed after suffering a major data loss. The fact is, most organizations suffer data loss for various reasons. The successful businesses are the ones that are prepared for such a loss and can recover from it.

Contamination

Contamination, or intentional improper mixing of data, can corrupt sensitive information. Examples include improper tagging and unauthorized manipulation of information. If websites are contaminated, financial information could be compromised.

Human Threats Example

Data Entry Errors, Employee Carelessness, Procedural Errors

Data and Data Loss

Data are raw facts that, when processed and manipulated in a database, become meaningful information. Data are contained in an organization's database.

Denial-of-Service Attacks

Denial-of-service attacks occur when someone brings down an organization's computer system so it cannot communicate with its customers. An example of this occurred when a customer was not happy with the way a firm responded to his problem. He wrote a software program that automatically sent thousands of emails to the firm until its server was overwhelmed and its website went down. He was later prosecuted and sentenced to a year in prison.

Review the Disaster Recovery Plan

Each department in the organization should review the DRP so all employees and management are aware of their responsibilities if a disaster strikes. The committee should meet periodically to review the plan and make updates and any needed changes.

People Security Seasoned Employees

Employees should be expected to follow security procedures when handling computer resources. When security breaches happen, it is important that management investigates them and then enforces the security policies and procedures by appropriately admonishing the perpetrators. Consequences for the perpetrators can range from a mild lecture to dismissal.

People Security During the Hiring Process

Ensuring security with regard to people begins during the hiring process. Appropriate interviews, reference checks, and background checks are all part of a good screening process when hiring employees who will be using the organization's computer resources.

Environmental Threats

Environmental threats are usually the result of the external conditions in which the system resides.

Importance of Disaster Recovery Plans

Every organization must be able to recover from a disaster. Statistics show that more than 80% of organizations that lose their systems or data and cannot recover from the loss will go out of business within three years. In fact, almost 50% never reopen their doors! Information systems have become so critical to the operation of a business that firms now spend 2% to 4% of their information technology (IT) budget on disaster recovery. Good disaster recovery plans reduce the financial impact a disaster can have on a business. Disaster recovery plans differ from one business to another based on the business's size and scope, the importance of its data assets, and other factors. These differences do not change the need for a recovery plan; all firms need to develop an efficient plan. It is much easier to execute a prewritten disaster recovery plan than to manage a disaster without a plan. Under such stress, people cannot think logically enough to quickly consider all options.

Authentication of User

Every system should require users to enter their identification and a secure password to gain access. More recent types of software security include the use of smart cards and biometric authentication:
* Smart cards contain a magnetic strip that includes authentic user identification.
* Biometric authentication involves scanning personal physical characteristics (such as face, voice, or fingerprints) before allowing use of software and hardware.

Data Backup Technologies Optical Media

Firms can use optical media—DVDs and CDs—to back up relatively small amounts of data. The advantage of this medium is the ability to store the backups both onsite and offsite safely and easily by using numerous copies. Data can also be restored quickly by using this method.

Security Plans

Good security plans take into consideration all system components. When potential security threats surface, a good organization learns to manage the risks and tries to minimize the damage. There are five components of an information system, and organizations must have security plans in place to protect all of them against security threats:

Human Threats

Human errors and accidents can lead to system failure. Thus, it is a good practice for organizations to have well-documented policies and procedures for employees to follow to rectify an accident in the event that one occurs. Most of the time, unintentional human errors and threats are the result of not adhering to the company's policies and procedures. New employee training and occasional employee retraining should be part of all organizations' IS instruction.

Noninvolvement

If the organization does not require the support of every functional area and the IT department, it risks an inadequate response if a disaster occurs.

Test the Disaster Recovery Plan

In much the same way that fire departments conduct real-life tests and cities conduct emergency drills, the disaster recovery plan should be tested. The time required for management and employees to conduct the test is a small price to pay if a real disaster takes place. The faster the response, the faster the recovery.

Unauthorized Access

Intrusion, or unauthorized access, is entering systems without authority, usually for the purpose of malicious activity. Examples include Trojan horses, back doors, contamination, eavesdropping, and malicious software coding.

Malicious Software Coding

Malicious software coding enables unauthorized users to make modifications to the system so they can control it.

Malware Protection

Malware includes computer viruses and worms. It can be controlled by using good antimalware protection like the following:
* Installing antivirus software programs on the organization's systems, including antispyware software
* Updating antivirus definitions by using Live Update
* Initiating systematic scanning of files and applications by using the antivirus software
* Avoiding email messages from unknown senders

Malware

Malware includes many types of software viruses.

Online (or Cloud) Data Storage

Many organizations use cloud data storage, which is provided by third-party firms that specialize in online data storage. The many benefits of online/cloud data storage include the following:
* Unlimited capacity for storing data
* No computer infrastructure required by the organization
* Flexible payment options for businesses of all sizes
* Data are stored on more than one site
* Automated backup is initiated based on customer requirements

Create a Disaster Recovery Plan Strategy

Next, the committee should research, evaluate, and choose the best option for recovery for each situation and disaster. The committee must then create the necessary steps to follow for recovery. Each scenario should include the following:
* A list of key contacts, including customers
* Hardware and software considerations
* Data files affected
* Communications and infrastructure
* Organizational facilities, if needed
* Hot sites needed (sites operated remotely, usually by third parties, until full recovery)
* Cold sites needed (sites operated by the organization until full recovery)
* Any other items needed for unique scenarios

Disaster Recovery Mistakes

No organization is perfect. In fact, many mistakes have led to improved management techniques and decisions. Organizations that learn from their mistakes and take steps to avoid them in the future tend to be successful.

Data Security Data Backups

One of the most important security measures in storing data is to ensure periodic backups are made. It is not uncommon for organizations to back up data on a daily, weekly, monthly, and yearly schedule. If something ever goes wrong and data becomes corrupted, the backup files are used to get the systems running again.

Computing Resources Security

Organizations depend on the security of their information systems and the data they use.

Data Security

Organizations that rely on confidential information must go to great lengths to protect that data. This is usually the responsibility of the information system (IS) department. Because data are contained in a database, the database administrator is usually the person who sets security standards that employees are expected to follow when handling data as system users. As a safeguard, data should be encrypted when it is stored.

People Security

People are the most important component of an IS. People use the system to manage data, and they are responsible for following the procedures to run the systems. Without the people component there would be no need for an IS.

Physical Threats

Physical threats include things like a cable being cut accidentally during construction. This could cause the system to fail or to make communications impossible. Also, power surges or power outages can affect system availability.

People Security Procedures Security

Procedures security is closely tied to people security. Procedures for users to follow should be written by professionals with help from the IS department. Organizations should ensure that all employees follow strict written procedures when using a database in a system. This helps maintain the security of the data being manipulated.

Data Backup Technologies Semiconductor

Semiconductor data storage consists of nonvolatile memory chips. One of the most popular types is the Flash drive. These drives can accommodate data storage for small- to medium-size firms. This type of storage is fast but expensive.

Software Security

Software security begins with proper authority to access the applications and programs on a system. Organizations should require the use of proper user IDs and passwords to help prevent unauthorized access to a system. Whenever new software applications are developed, they should include sufficient safeguards.

Back Doors

Some hackers gain entrance into a system by using improper credentials or holes in programs. When they are in, hackers can do the same type of damage as Trojan horses.

Technical Threats that are not deliberate

Technical threats that are unintentional can also occur in organizations. For example, one type of an unintentional technical threat is system errors or failures that cause the system to become corrupt. One of the more common unintentional technical threats is hardware failure when the operational system goes down. There could be many reasons for this, such as lack of maintenance or CPU (central processing unit) malfunction.

Conduct the Risk Analysis

The committee analyzes each functional area of the organization and examines the impact that a disaster would have on each area. Every conceivable type of disaster should be identified and included in the analysis. The analysis report should include the impact each type of disaster would have (including its financial impact) and the general plan for dealing with each disaster.

Develop the Disaster Recovery Plan and Procedures Model

The committee must write a manual containing the policies and procedures that should be followed to recover from a disaster. The DRP policies and procedures manual should be reviewed by each functional department and by top management. The written manual should be used if a disaster occurs.

Identify Recovery Options

The committee should identify recovery options for each function area of the organization affected by the disaster, including the critical time frame of recovery needed, the resources required to complete recovery, and the impact that lost data might have. After this is done, the committee should rank recovery requirements according to functional department and critical organization needs.

Concept of Disaster Recovery

The concept of disaster recovery developed during the late 1970s and early 1980s as computer systems began playing a major part in business operations. As more organizations adopted cross-functional business systems with real-time processing, the disaster recovery industry boomed. Access to the Internet made it even more important for organizations to protect their data and be able to recover from a systems disaster.

Computing Resources Security Authentication

The data and its source should be verifiable.

Computing Resources Security Integrity

The data in the system should always be the correct data (accurate and uncorrupted).

Objectives of a Disaster Recovery Plan

The main objectives of a disaster recovery plan are minimizing the financial risk of a disaster and getting systems up and running as quickly as possible. Other objectives of a good disaster recovery plan include the following:

Create the Disaster Recovery Plan Committee

The organization must create a DRP committee. Committee members should be selected from across the entire organization and should include a number of IT professionals. The purpose of this committee is to develop and administer the DRP.

Computing Resources Security Confidentiality

The organization needs to ensure that only those employees who are authorized to use information have access to it.

Data Backup Technologies

There are numerous data backup techniques organizations use to protect their data. The methods an organization uses depend on its size, the importance of the data, and the amount of data to back up. Regardless of the data backup methodology used, all organizations must have a schedule for backing up their data.

Bootsector Virus

This virus is found in the boot disk area of the computer and is usually transferred by portable disks inserted into computers.

Trojan Horses

Trojan horses are applications that are destructive, but masquerade as legitimate programs. They are usually set to activate on a specific date or as a result of a specific action at a later time. In some cases, they allow a hacker entrance to a system.

Eavesdropping

Unauthorized users can use electronic means to spy on protected data. An example is the use of keystroke-recording software to record entries into systems.

Data Backup Technologies Magnetic Tape

Using magnetic tape to back up data was the preferred method for large organizations for many years until more modern techniques were introduced. Magnetic tape data storage is inexpensive but slow compared with most other means.

People Security New Employees

When hired, new employees should receive proper credentials to allow access to the databases needed to accomplish their jobs, including read-only and modification authority for only those parts of the databases for which they are responsible. New employees must receive proper training on use of the firm's computer resources before they are allowed to begin work. Periodic training programs in systems security keep employees properly trained and aware of their responsibilities.

Trojan Horses

are also malware.

Spyware

are programs that are transferred to a computer and then used to monitor the activities on the computer. The main purpose of spyware is to capture personal financial information.

Computer Worms

are replicating bugs that absorb all available space on a computer hard drive. They can be sent to other computers on the network to do the same damage.

Data Backup

Data restoration is a process that recreates data that have been lost. This process can only happen if the organization has stored copies of its data, usually offsite. How often should an organization back up its data? It depends. If the organization is a small business that executes only a few transactions a day, it could back up its data once a week or even once a month. If it is a large organization, it should back up its data once a day or even continually. Federal law requires some businesses to back up their data. Acts of Congress that demand data backup include:
* The Sarbanes-Oxley Act
* Health Insurance Portability and Accountability Act (HIPAA) of 1996, which deals with secure health records
* GLBA (Gramm-Leach-Bliley Act), which allows banks and other financial institutions to merge or form holding companies
As a result of 9/11, Congress passed a law that required all financial institutions headquartered in New York City to have their data centers located at least 250 miles away. Most relocated to an area known as the Research Triangle, comprised of an area between Raleigh, Durham, and Chapel Hill in North Carolina.

Threats to Information Systems

can come from many different sources and can be categorized into two types: unintentional threats and intentional threats.

Software Firewalls

help keep intruders from accessing system software by filtering both inbound and outbound communications that are not validated.

Lack of Top Management Support

if a DRP does not have the support of top-level management, then it risks failure or little success.

Improper Planning

if organizations do not plan properly and take shortcuts to recovery, they are ill prepared to recover from a disaster.

Natural Disasters

include devastating events such as hurricanes, tornados, floods, earthquakes, and fires. These disasters cause hardware damage and, in some cases, software damage. Damage can include partial or total loss of the information systems and even the infrastructure.

Spoofing

is pretending to be someone else by using the person's IP address to obtain personal information.

Pretexting

is pretending to be someone else to acquire personal information. Examples include scams that are done over the phone, which often target vulnerable people.

Sniffing

is traveling down a street and intercepting communications over unprotected wireless networks.

Phishing

occurs when people use pretexting via email. One of the most popular examples is to send an email to someone that appears to be from a financial institution.

Communication Threats

are present when using email and other forms of electronic communication. They are also known as unauthorized data disclosures. For example, there is the possibility of someone sending private data to an unauthorized outside source, potentially jeopardizing a project.

