Chapter 8: Securing info systems
Computer crime
-Any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation, or prosecution. Computer may be the target of crime: -Breaching the confidentiality of protected computerized data -Accessing a computer system without authority -Threatening to cause damage to a protected computer. Computer may be the instrument of crime: -Theft of trade secrets -Using e-mail for threats or harassment -Schemes to defraud
Identity management
-Business processes and technologies for identifying the valid users of a system -Creates different levels or roles of system user and access -Allows each user access only to those portions of the system appropriate to that user's role
Firewall
-Combination of hardware and software that prevents unauthorized access to a network. Technologies include: -Packet filtering (examines selected fields in the headers of packets flowing back and forth between the trusted network and the Internet; stateless, so each packet is judged on its own) -Stateful inspection (provides additional security by determining whether a packet is part of an ongoing dialogue between a sender and a receiver; an unsolicited inbound packet is dropped even if its port would pass a static rule) -Network address translation (NAT) (provides another layer of protection when static packet filtering and stateful inspection are employed; conceals the IP addresses of the organization's internal host computers by rewriting them to a public address) -Application proxy filtering (examines the application content of packets; the firewall acts as a proxy so there is no direct connection between an internal host and the outside)
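To make the three header-level techniques concrete, the following is an added example (not code from the chapter) of a minimal stateful packet filter with NAT. Packets are constructed tuples; the trusted prefix, the public address, the port rule and the port numbering are assumptions chosen for the illustration, and application proxy filtering is not modelled.

```python
"""Stateful packet filter with NAT: an added illustration of the firewall
techniques above, not code from the textbook.  Packets are constructed tuples;
the address ranges and rule set are assumptions for the example."""
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "10.0.0."      # assumed trusted network
PUBLIC_IP = "203.0.113.10"       # assumed public address the firewall NATs to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    def __init__(self, allowed_outbound_ports=(80, 443)):
        # Static packet-filtering rule: destination ports inside hosts may reach.
        self.allowed_outbound = set(allowed_outbound_ports)
        # Stateful inspection table:
        #   (nat_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.sessions = {}
        # Reverse map so later packets of the same flow reuse one NAT port.
        self.flows = {}
        self.next_nat_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the trusted network: apply the static rule, record the
        dialogue, then rewrite the source address (NAT).  None means dropped."""
        if not pkt.src.startswith(INTERNAL_PREFIX):
            return None                    # only inside hosts may originate traffic
        if pkt.dport not in self.allowed_outbound:
            return None                    # e.g. telnet (23) is blocked by the static rule
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.flows.get(flow)
        if nat_port is None:
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.flows[flow] = nat_port
            self.sessions[(nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        # The internal address is concealed: outside sees only PUBLIC_IP:nat_port.
        return Packet(PUBLIC_IP, pkt.dst, nat_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet: accepted only if it belongs to a
        dialogue an inside host began (stateful inspection).  Otherwise dropped,
        even when a purely static rule on the port would have let it through."""
        inside = self.sessions.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        internal_ip, internal_port = inside
        return Packet(pkt.src, internal_ip, pkt.sport, internal_port)   # undo NAT


if __name__ == "__main__":
    fw = Firewall()
    out = fw.outbound(Packet("10.0.0.5", "198.51.100.7", 51000, 443))
    print("outbound after NAT:", out)
    print("reply accepted:", fw.inbound(Packet("198.51.100.7", PUBLIC_IP, 443, out.sport)))
    print("unsolicited dropped:", fw.inbound(Packet("198.51.100.7", PUBLIC_IP, 443, 40999)))
```

The point to notice is the second `inbound` call: the remote host uses the same source port and destination address as the legitimate reply, but no inside host started that dialogue, so the state table has no entry and the packet is dropped. A stateless filter would have to decide on port numbers alone.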
Business Value of Security and Control
-Failed computer systems can lead to significant or total loss of business function -Firms are now more vulnerable than ever -A security breach may cut into a firm's market value almost immediately -Inadequate security and controls also raise issues of liability
Security policy
-Ranks information risks -Identifies acceptable security goals -Identifies mechanisms for achieving these goals -Drives other policies: Acceptable use policy (AUP) defines acceptable and unacceptable uses of the firm's information resources and computing equipment; Authorization policies determine the differing levels of access users have to information assets -Provisions for identity management
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware, con't
-SQL injection attacks: an input validation flaw lets attacker-supplied text be interpreted as part of a SQL query; takes advantage of poorly coded Web application software to run malicious SQL against the database behind it (read, alter, or destroy data) -Ransomware: extorts money from users by taking control of their computer or data -Spyware: small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising -Key loggers: record every keystroke on a computer to steal serial numbers and passwords, or to launch Internet attacks
Ensuring Software Quality
-Software metrics: objective assessments of a system in the form of quantified measurements, for example: number of transactions; online response time; payroll checks printed per hour; known bugs per hundred lines of code -Early and regular testing -Walkthrough: review of a specification or design document by a small group of qualified people -Debugging: process by which errors are found and eliminated
Types of general controls
-Software controls -Hardware controls -Computer operations controls -Data security controls -Implementation controls -Administrative controls
Application controls
-Specific controls unique to each computerized application, such as payroll or order processing -Include both automated and manual procedures -Ensure that only authorized data are completely and accurately processed by that application. Include: Input controls (check data for accuracy and completeness when they enter the system: edit checks, format checks, reasonableness checks) Processing controls (establish that data remain complete and accurate during updating, e.g. run-to-run control totals) Output controls (ensure that the results of computer processing are accurate, complete, and properly distributed)
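The following is an added example (not from the textbook) of all three kinds of application control applied to one payroll batch. The five input records, the employee-ID format and the reasonableness limits (0 to 80 hours, rate up to 500) are constructed assumptions.

```python
"""Application controls on a payroll batch: an added example, not from the
textbook.  The batch records and the limits are constructed assumptions."""
import re
from decimal import Decimal, InvalidOperation

# Constructed input batch (three deliberately bad records).
BATCH = [
    {"emp_id": "E1001", "hours": "40", "rate": "25.00"},
    {"emp_id": "E1002", "hours": "38", "rate": "31.50"},
    {"emp_id": "",      "hours": "40", "rate": "25.00"},   # incomplete: no employee ID
    {"emp_id": "E1004", "hours": "400", "rate": "25.00"},  # fails reasonableness check
    {"emp_id": "E10x5", "hours": "20", "rate": "abc"},     # malformed ID and rate
]


def input_controls(rec):
    """Edit checks as data enter the system: completeness, format, reasonableness.
    Returns a list of error strings; an empty list means the record is accepted."""
    errors = []
    emp_id = rec.get("emp_id", "")
    if not emp_id:
        errors.append("missing emp_id")                        # completeness
    elif not re.fullmatch(r"E\d{4}", emp_id):
        errors.append("emp_id format")                         # format check
    for field, lo, hi in (("hours", Decimal(0), Decimal(80)),
                          ("rate", Decimal("0.01"), Decimal(500))):
        try:
            value = Decimal(rec.get(field, ""))
        except InvalidOperation:
            errors.append(f"{field} not numeric")
            continue
        if not lo <= value <= hi:
            errors.append(f"{field} out of range")             # reasonableness check
    return errors


def control_totals(records):
    """Run-to-run control totals: record count plus a hash total of hours."""
    return {"count": len(records),
            "hash_hours": sum((Decimal(r["hours"]) for r in records), Decimal(0))}


def update_master(records):
    """The processing step being controlled: compute gross pay per employee."""
    return [{"emp_id": r["emp_id"], "hours": Decimal(r["hours"]),
             "gross": Decimal(r["hours"]) * Decimal(r["rate"])} for r in records]


def process_payroll(batch):
    accepted, rejected = [], []
    for rec in batch:
        errs = input_controls(rec)
        (rejected if errs else accepted).append((rec, errs))
    accepted = [r for r, _ in accepted]
    expected = control_totals(accepted)          # captured at input time

    pay = update_master(accepted)
    # Processing control: totals after the update must agree with those captured at input.
    actual = {"count": len(pay),
              "hash_hours": sum((p["hours"] for p in pay), Decimal(0))}
    if actual != expected:
        raise RuntimeError(f"processing control failed: {actual} != {expected}")

    # Output control: the printed check total must reconcile to the processed gross pay.
    checks = [(p["emp_id"], p["gross"]) for p in pay]
    check_total = sum((amt for _, amt in checks), Decimal(0))
    if check_total != sum((p["gross"] for p in pay), Decimal(0)):
        raise RuntimeError("output control failed: check total does not reconcile")
    return {"accepted": len(accepted),
            "rejected": [(r.get("emp_id") or "<blank>", e) for r, e in rejected],
            "gross_total": check_total,
            "checks": checks}


if __name__ == "__main__":
    print(process_payroll(BATCH))
```

Decimal is used deliberately: floating point would make the hash totals drift and the reconciliation checks unreliable.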
Encryption
-Transforming text or data into cipher text that cannot be read by unintended recipients -Two methods for encryption on networks: 1) Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) secure a connection between two computers, protecting everything sent over that session (SSL is deprecated; TLS is what HTTPS actually uses today) 2) Secure Hypertext Transfer Protocol (S-HTTP) encrypts individual messages flowing over the Internet (never widely adopted in practice)
Malicious Software (Malware): Viruses, Worms, Trojan Horses, and Spyware
-Viruses: rogue software programs that attach themselves to other software programs or data files in order to be executed (payload may be as harmless as displaying a message or image, or may destroy data) -Worms: independent computer programs that copy themselves from one computer to other computers over a network; can destroy data and alter the operation of the computer -Drive-by downloads: malware that arrives with a file a user downloads unintentionally, often just by visiting a compromised Web site -Trojan horses (not viruses, because they do not replicate): software programs that appear benign but then do something other than expected
Why systems are vulnerable?
-Hardware problems: breakdowns, configuration errors, damage from improper use or crime -Software problems: programming errors, installation errors, unauthorized changes -Disasters: power failures, floods, fires, etc. -Use of networks and computers outside the firm's control: domestic or offshore outsourcing vendors, mobile devices
What is Secure Hypertext Transfer Protocol?
A protocol for encrypting data transferred over the Internet, limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers. S-HTTP saw little real-world use; TLS is the protocol deployed in practice.
System vulnerability and abuse
An unprotected computer connected to the Internet may be disabled within seconds -Security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems -Controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards
Identity Management and Authentication
Authentication: the ability to know that a person is who he or she claims to be -Password systems -Tokens (similar to ID cards, used to prove identity; small gadgets that fit on key rings and display one-time pass codes) -Smart cards (device about the size of a credit card that contains a chip formatted with access permission and other data) -Biometric authentication (fingerprints, irises, voices) -Two-factor authentication (combines two of these, e.g. a password plus the code from a token)
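How a key-ring token or authenticator app produces its pass codes, and how a server checks them as the second factor, is shown by the following added example (not code from the textbook). It implements HOTP (RFC 4226) and TOTP (RFC 6238); the user store, the demo password and the token secret (the RFC 6238 test-vector key) are constructed for the example.

```python
"""Token-based two-factor authentication: an added example, not code from
the textbook.  HOTP (RFC 4226) and TOTP (RFC 6238) as used by hardware tokens
and authenticator apps, plus a login that needs both a password and the
current token code.  The user store and secret are constructed for the example."""
import hashlib
import hmac
import os
import struct

STEP = 30            # seconds per code
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int) -> str:
    """What the token displays: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // STEP)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check.  Accepts the current step plus `window` steps either
    side to tolerate clock drift, and compares in constant time."""
    counter = int(at_time) // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


USERS = {}   # constructed store: username -> (salt, password_hash, token_secret)


def register(user: str, password: str, token_secret: bytes) -> None:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[user] = (salt, pw_hash, token_secret)


def login(user: str, password: str, code: str, now: int) -> bool:
    """Two factors: something you know (password) and something you have (token).
    Both checks run regardless of outcome, so a wrong password and a wrong
    code cannot be told apart by timing the response."""
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, pw_hash, secret = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, pw_hash)
    token_ok = verify_totp(secret, code, now)
    return password_ok and token_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 6238 test key, not a real secret
    register("alice", "correct horse battery staple", secret)
    print("token shows", totp(secret, 59))              # 287082 per RFC 6238
    print("login:", login("alice", "correct horse battery staple", totp(secret, 59), 59))
```

The window of one step on each side is the usual compromise between token clock drift and replay exposure; a production server would additionally remember the last accepted counter so the same code cannot be reused within the window.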
______ can be costly to a company when people or programs deliberately click on its ads with no intention of buying, thus driving up the company's advertising costs
Click fraud
Security Issues for Cloud Computing
Cloud computing -Highly distributed computing, difficult to track unauthorized activities -Cloud users should ask for proof of security and privacy procedures, including encryption -Service level agreements (SLAs)
Software Vulnerability
Commercial software contains flaws that create security vulnerabilities -Hidden bugs (program code defects): zero defects cannot be achieved because complete testing is not possible with large programs -Flaws can open networks to intruders. Zero-day vulnerabilities: holes in software that are unknown to its creator and have no patch -Can't protect against malware you don't know about -New malware appears every day -Anti-malware and antivirus signatures are always behind
Risk assessment
Determines level of risk to firm if specific activity or process is not properly controlled -Types of threat -Probability of occurrence during year -Potential losses, value of threat -Expected annual loss
Technologies and Tools for Protecting Information Resources, con't
Digital certificate: -Data file used to establish the identity of users and electronic assets for protection of online transactions -Uses a certification authority (CA) to validate a user's identity -CA verifies the user's identity, stores the information on the CA server, and issues a digital certificate, signed with the CA's private key, containing the owner's ID information and a copy of the owner's public key; anyone holding the CA's public key can check that the certificate is genuine and unaltered. Public key infrastructure (PKI): -Use of public key cryptography working with a certificate authority -Widely used in e-commerce
9) Which of the following focuses primarily on the technical issues of keeping systems up and running?
Disaster recovery planning
A(n) ______________ specifically addresses plans for power outages, floods, fire, and other calamities
Disaster recovery planning devises plans for the restoration of disrupted computing and communications services. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services
Disaster Recovery Planning and Business Continuity Planning
Disaster recovery planning: devises plans for the restoration of disrupted services; focuses on the technical issues involved in keeping systems up and running. Business continuity planning: focuses on restoring business operations after a disaster -Both types of plans require identifying the firm's most critical systems -Business impact analysis to determine the impact of an outage -Management must determine which systems are restored first
Contemporary security challenges and vulnerabilities
Each component presents security challenges and vulnerabilities Floods, fires, power failures and other electrical problems can cause disruptions at any point in the network
Electronic Evidence and Computer Forensics
Evidence for white-collar crimes is often found in digital form -Data stored on computer devices, e-mail, instant messages, e-commerce transactions -Proper control of data can save time and money when responding to a legal discovery request. Computer forensics: -Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law -Includes recovery of ambient and hidden data -Securely storing and handling recovered electronic data -Finding significant information in a large volume of electronic data -Presenting the information to a court of law
Legal and Regulatory Requirements for Electronic Records Management
Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection -HIPAA: medical security and privacy rules and procedures -Gramm-Leach-Bliley Act: requires financial services institutions to ensure the security and confidentiality of customer data -Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally; enacted to protect investors after financial scandals
If your financial institution shares your financial records without your permission, this is considered a ______ violation
Gramm-Leach-Bliley Act
The _____ mandates that financial services firms ensure the security and confidentiality of consumer data
Gramm-Leach-Bliley Act: regulates the financial services industry and is also known as the Financial Services Modernization Act of 1999
If the doctor shares your medical records without your permission, this is considered a _____ violation
HIPAA
What outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data?
HIPAA (Health Insurance Portability and Accountability Act)
Hackers and Computer Crime
Hackers versus crackers: both gain unauthorized access by finding weaknesses in the security protections employed by Web sites and computer systems. Activities include: -System intrusion -Theft of goods and services -System damage -Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system
Hackers and Computer Crime, con't 2
Identity theft -Theft of personal information (social security ID, driver's license, or credit card numbers) to impersonate someone else. Phishing -Setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data (e.g. an e-mail asking you to update your password or bank information). Evil twins -Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet. Pharming -Redirects users to a bogus Web page even when the individual types the correct Web page address into his or her browser. Click fraud -Fraudulent clicks on online ads (when an ad on a search engine is clicked, the advertiser typically pays a fee for every click). Global threats -Cyberterrorism -Cyberwarfare (state-sponsored activity to cripple and defeat another state or nation by penetrating its computers or networks to cause damage and disruption; Stuxnet is the standard example)
Establishing a Framework for Security and Control
Information systems controls General controls -Govern design, security, and use of computer programs and security of data files in general throughout organization's information technology infrastructure -Apply to all computerized applications -Combination of hardware, software, and manual procedures to create overall control environment
______ check for data entering a system for accuracy and completeness, such as when a clerk confirms a telephone number for a new customer
Input controls
System vulnerabilities and abuse
Internet vulnerabilities -Network open to anyone -Size of Internet means abuses can have wide impact -Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers -E-mail attachments, file downloading, and sharing -E-mail used for transmitting trade secrets -IM messages lack security, can be easily intercepted
Technologies and Tools for Protecting Information Resources
Intrusion detection systems: -Monitor hot spots on corporate networks to detect and deter intruders -Examine events as they are happening to discover attacks in progress. Antivirus and antispyware software: -Check computers for the presence of malware and can often eliminate it as well -Require continual updating. Unified Threat Management (UTM) systems: combine several of the tools above (firewall, VPN, intrusion detection, Web content filtering, antispam) in a single appliance
The Role of Auditing
MIS audit -Examines firm's overall security environment as well as controls governing individual information systems -Reviews technologies, procedures, documentation, training, and personnel -May even simulate disaster to test response of technology, IS staff, other employees -Lists and ranks all control weaknesses and estimates probability of their occurrence -Assesses financial and organizational impact of each threat
Target was attacked by hackers who installed ____in the company's security and payments system
Malware
Security Issues for the Mobile Digital Platform
Mobile platforms -Mobile device management tools for authorization and inventory -Data loss prevention technology -Mobile security policies: platform, software, procedures, security products -Encryption -BYOD (bring your own device: personal devices can be compromised, and the firm and its customers can lose valuable information and financial assets) -Mobile protective software products
Ensuring System Availability
Online transaction processing requires 100 percent availability, no downtime Fault-tolerant computer systems -For continuous availability, for example, stock markets -Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service High-availability computing -Helps recover quickly from crash -Minimizes, does not eliminate, downtime
Software Vulnerability, con't
Patches: small pieces of software released by vendors to repair flaws. However, the amount of software in use and the sheer number of malware programs mean exploits are often created faster than patches can be released and applied -Large number of software applications -Disparate operating systems -Poor management of patches
Ensuring System Availability, con't
Recovery-oriented computing -Designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multicomponent systems. Controlling network traffic -Deep packet inspection (DPI) examines the data content of packets (not just headers) and sorts out low-priority online material such as video and music streaming, assigning higher priority to business-critical traffic. Security outsourcing -Managed security service providers (MSSPs) monitor network activity and perform vulnerability testing
Because so many web pages use databases, ___ is a major malware threat since poorly coded web application software is vulnerable
SQL injection attack
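The following added example (not code from the textbook) shows the flaw described in the malware section and in the card above side by side with its fix: a login query built by string concatenation, and the same query written with bound parameters. The in-memory SQLite table and its two users are constructed; passwords are stored in the clear only so the injection stays visible.

```python
"""SQL injection, vulnerable and parameterized: an added example, not code
from the textbook.  In-memory SQLite table with constructed users; passwords
are in the clear only to keep the injection visible (real systems store
salted hashes)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username: str, password: str) -> list:
    """The input-validation flaw: user text is pasted into the SQL string, so a
    quote character in the input changes the structure of the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}' ORDER BY username")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username: str, password: str) -> list:
    """Parameterized query: the driver sends the SQL and the values separately,
    so the input is always treated as data, never as code."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in db.execute(sql, (username, password))]


# Attacker input: closes the quote, makes the WHERE clause always true,
# and comments out the password check that follows.
INJECTION = "' OR '1'='1' -- "

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, attacker input:", login_vulnerable(db, INJECTION, "anything"))
    print("parameterized, same input:", login_safe(db, INJECTION, "anything"))
```

With the attacker input the vulnerable version returns every user, i.e. a login bypass; the parameterized version returns nothing because no username literally equals the injection string. Input validation (allow-listing the characters a username may contain) is a useful second layer, but parameterization is the control that removes the flaw.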
____ was created as a result of financial scandals such as Eron and WorldCom
Sarbanes-Oxley Act: protects investors; imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
Internal Threats: Employees
Security threats often originate inside an organization -Inside knowledge -Sloppy security procedures, user lack of knowledge -Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information -End users introduce errors by entering faulty data -IT staff may create software errors as they design and develop new software or maintain existing programs
Hackers and Computer Crime, con't
Spoofing -Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else -Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. Sniffer -Eavesdropping program that monitors information traveling over a network -Enables hackers to steal proprietary information such as e-mail, company files, and so on. Denial-of-service attacks (DoS) -Flooding a server with thousands of false requests to crash the network (they do not destroy information, but they cause a Web site to shut down, making it impossible for legitimate users to access it). Distributed denial-of-service attacks (DDoS) -Use of numerous computers to launch a DoS, so no single source looks abnormal -Botnets: networks of "zombie" PCs infiltrated by bot malware
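The following added example (not code from the textbook) shows the kind of event examination an intrusion detection system does for the DoS and DDoS cases above: it reads web-server access-log lines, keeps a sliding-window request count per source and across all sources, and raises one alert for a single flooding host and another for a distributed flood in which no single source exceeds the per-source limit. The log lines, addresses, timing and thresholds are all constructed for the example.

```python
"""Flood detection over web-server access logs: an added example, not code
from the textbook.  Sliding-window counting per source (DoS) and across all
sources (DDoS).  The log lines, addresses and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
BASE = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)


def log_line(ip: str, second: int, path: str = "/", status: int = 200) -> str:
    """Build one Combined-Log-Format line (constructed data)."""
    ts = (BASE + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def sample_log() -> list:
    """Constructed traffic: one legitimate user at 1 req/s for 71 s, a single
    host flooding /login at 5 req/s for 10 s, then 30 bots sending 3 requests
    each within 3 s (each bot stays under any sensible per-source limit)."""
    lines = [log_line("198.51.100.5", s, "/index.html") for s in range(0, 71)]
    lines += [log_line("203.0.113.77", 30 + s // 5, "/login") for s in range(50)]
    lines += [log_line(f"192.0.2.{i}", 60 + r, "/search")
              for r in range(3) for i in range(1, 31)]
    return sorted(lines, key=lambda l: parse(l)[1])


def detect_floods(lines, window_s=10, per_source=20, aggregate=80):
    """Alert once per source that exceeds `per_source` requests within
    `window_s` seconds, and once when all sources together exceed `aggregate`
    (the DDoS case no per-source rule catches)."""
    per_ip = defaultdict(deque)
    everyone = deque()
    alerts, flagged, aggregate_fired = [], set(), False
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                       # malformed line: skip, never crash the sensor
        ip, t = rec[0], rec[1]
        for dq in (per_ip[ip], everyone):
            dq.append(t)
            while (t - dq[0]).total_seconds() > window_s:
                dq.popleft()               # slide the window
        if len(per_ip[ip]) > per_source and ip not in flagged:
            flagged.add(ip)
            alerts.append(("source-flood", ip, t, len(per_ip[ip])))
        if len(everyone) > aggregate and not aggregate_fired:
            aggregate_fired = True
            active = sum(1 for dq in per_ip.values()
                         if dq and (t - dq[-1]).total_seconds() <= window_s)
            alerts.append(("aggregate-flood", f"{active} sources", t, len(everyone)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(sample_log()):
        print(alert)
```

The legitimate user never exceeds 11 requests in any 10-second window, the single flooder trips the per-source rule on its 21st request, and the 30 bots (3 requests each) are caught only by the aggregate rule. Real sensors add a baseline learned from normal traffic instead of fixed numbers, but the window logic is the same.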
Two methods of encryption
Symmetric key encryption -Sender and receiver use single, shared key Public key encryption -Uses two, mathematically related keys: public key and private key -Sender encrypts message with recipient's public key -Recipient decrypts with private key
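The two methods on this card and on the Encryption card above are combined in the following added example (not code from the textbook): the sender encrypts the message with a fresh symmetric session key and encrypts that session key with the recipient's public key, which is the structure TLS itself uses. The RSA primes are fixed Mersenne primes and the stream cipher is SHA-256 in counter mode; both are toy choices made so the example runs stand-alone and deterministically, and neither is suitable for real use (use a vetted library with RSA-OAEP or ECDH and AES-GCM). The message text is constructed.

```python
"""Symmetric and public-key encryption combined (hybrid encryption): an added
example, not code from the textbook.  Toy RSA with fixed primes and a toy
stream cipher; for illustration of the mechanics only."""
import hashlib
import hmac
import secrets
from math import gcd

# Toy RSA primes (Mersenne primes, chosen so the example is self-contained and
# deterministic).  Special-form primes and the lack of padding make this
# unsafe for real use; production code uses RSA-OAEP or ECDH from a library.
P = 2**89 - 1
Q = 2**107 - 1


def rsa_keygen(p=P, q=Q, e=65537):
    """Public key (e, n); private key (d, n) with e*d == 1 (mod phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks.  Never reuse a key
    with this construction; the session key below is fresh per message."""
    blocks = [hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def sym_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same key both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def hybrid_encrypt(recipient_pub, plaintext: bytes) -> dict:
    """Sender: random session key -> symmetric body; session key wrapped with
    the recipient's PUBLIC key; HMAC tag so tampering is detected."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_encrypt(recipient_pub, int.from_bytes(session_key, "big"))
    body = sym_xor(session_key, plaintext)
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"wrapped_key": wrapped, "body": body, "tag": tag}


def hybrid_decrypt(recipient_priv, msg: dict) -> bytes:
    """Recipient: unwrap the session key with the PRIVATE key, verify the tag
    before touching the body, then decrypt symmetrically."""
    session_key = rsa_decrypt(recipient_priv, msg["wrapped_key"]).to_bytes(16, "big")
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    expected = hmac.new(mac_key, msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("ciphertext was modified in transit")
    return sym_xor(session_key, msg["body"])


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = hybrid_encrypt(pub, b"Transfer 1000 to account 42")   # constructed message
    print("body on the wire:", msg["body"].hex())
    print("recipient reads:", hybrid_decrypt(priv, msg))
```

Two points the cards do not spell out: the public key encrypts only a short key, not the message, because public-key operations are slow and size-limited; and encryption alone gives no integrity, which is why the tag is checked before decryption.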
5) Which of the following is the single greatest cause of network security breaches?
User lack of knowledge
What is Pharming?
Users are redirected to a phony web page when the correct URL is typed in
Securing Wireless Networks
WEP security can be improved somewhat: -Activating it -Assigning a unique name to the network's SSID -Using it together with VPN technology. WEP itself is cryptographically broken (its keys can be recovered from captured traffic), so the real fix is replacement: the Wi-Fi Alliance finalized the WPA2 specification, replacing WEP with stronger standards -Continually changing keys -Encrypted authentication system with a central server (WPA3 has since superseded WPA2)
One wireless security concern is called, ____, where eavesdroppers drive by locations trying to intercept wireless network traffic
War driving
System vulnerabilities and abuse, con't
Wireless security challenges -Radio frequency bands are easy to scan -SSIDs (service set identifiers): 1) identify access points 2) are broadcast multiple times, so an eavesdropper can learn the network name. War driving -Eavesdroppers drive by buildings and try to intercept network traffic -Once associated with the access point (trivial on an open or WEP-protected network), the intruder has access to the network's resources. Rogue access points -Unauthorized access points plugged into the network, giving outsiders a way in that bypasses the firewall
One authentication technology that is about the size of a credit card and contains a chip containing access permission is called ___________________
a smart card
A(n) _________________ policy would indicate if you are able to use your work computer to access social media websites
acceptable use
If your computer allows authentication using your fingerprint, this technology is considered __________________
biometric authentication uses systems that read and interpret individual human traits such as fingerprints, irises, and voices to grant or deny access
4) Evil twins are:
bogus wireless network access points that look legitimate to users
In addition to developing a policy for restoring computer and communication services, some companies go a step further with _____, which focuses on how they can get the business operations up and running again after a disaster
business continuity planning entails more than just getting the hardware and software up and running
8) Application controls:
can be classified as input controls, processing controls, and output controls
Some firms, like Ernst and Young, use ____ to carefully collect and maintain data in such way that they can be used as evidence in a court of law, on behalf of a company or gov't agency
computer forensics scientific collection, examination, authentication, preservation, and analysis of data from storage that can be used as evidence in a court of law
As a way to ensure that data transfers occur quickly, some companies employ _____ to determine the priority of data so important data is sent more quickly than less important data
deep packet inspection examines the data and can delay low priority data transmission to control traffic flow
7) The most common type of electronic evidence is:
e-mail
corporate firewall
firewall placed between the firm's private network and the public Internet or another distrusted network, to block unauthorized traffic
Using a combination of hardware and software, _______ are able to control incoming and outgoing data on a network.
firewalls they can be on individual computers or on networks
Application controls can be classified as _____ controls, _______controls, and ________ control
input; processing; output
Wi-Fi security challenges
many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain the network's SSID and address information and then access its resources without authorization
Public key encryption uses __________________
one public and one private key
Security in an info systems context refers to ______ , which are used to prevent unauthorized access or theft
policies, procedures, & technical measures
A(n) _________________ policy identifies and ranks information risks and goals.
security policy: statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals
3) Phishing is a form of:
spoofing
1) Specific security challenges that threaten the communications lines in a client/server environment include:
tapping, sniffing, message alteration, and radiation.
10) A digital certificate system:
uses third-party CAs to validate a user's identity.
6) A practice in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic is referred to as:
war driving
2) An independent computer program that copies itself from one computer to another over a network is called a:
worm