MIS - Chapter 8


Smart Card

A device about the size of a credit card that contains a chip formatted with access permission and other data. A reader device interprets the data on the smart card and allows or denies access.

Token

A physical device, similar to an identification card, that is designed to prove the identity of a single user. Tokens are small gadgets that typically fit on key rings and display pass codes that change frequently.

Computer Virus

A rogue software program that attaches itself to other software programs or data files to be executed, usually without user knowledge or permission. Most computer viruses deliver a payload. The payload may be relatively benign, such as instructions to display a message or image, or it may be highly destructive—destroying programs or data, clogging computer memory, reformatting a computer's hard drive, or causing programs to run improperly.

Trojan Horse

A software program that appears to be benign but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code to be introduced into a computer system.

Cyber Warfare

A state-sponsored activity designed to cripple and defeat another state or nation by penetrating its computers or networks to cause damage and disruption. Cyber warfare is more complex than conventional warfare. Although many potential targets are military, a country's power grids, financial systems, and communications networks can also be crippled. Non-state actors such as terrorists or criminal groups can mount attacks, and it is often difficult to tell who is responsible. Nations must constantly be on the alert for new malware and other technologies that could be used against them, and some of these technologies developed by skilled hacker groups are openly for sale to interested governments.

Sniffer

A type of eavesdropping program that monitors information traveling over a network. When used legitimately, sniffers help identify potential network trouble spots or criminal activity on networks, but when used for criminal purposes, they can be damaging and very difficult to detect. Sniffers enable hackers to steal proprietary information from anywhere on a network, including email messages, company files, and confidential reports.

Secure Hypertext Transfer Protocol (S-HTTP)

A protocol for encrypting data flowing over the Internet that is limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers and protect everything sent over it. S-HTTP was never widely adopted; in practice web traffic is protected by TLS.

Network Address Translation (NAT)

Can provide another layer of protection when static packet filtering and stateful inspection are employed. NAT conceals the IP addresses of the organization's internal host computers so that sniffer programs outside the firewall cannot learn them and use that information to penetrate internal systems. NAT by itself is not a firewall: it hides addresses but does not inspect or filter traffic.

Identity Management

Consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources. It includes policies for identifying and authorizing different categories of system users, specifying what systems or portions of systems each user is allowed to access, and the processes and technologies for authenticating users and protecting their identities.

Security Policy

Consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.

Fault-Tolerant Computer Systems

Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. Fault-tolerant computers use special software routines or self-checking logic built into their circuitry to detect hardware failures and automatically switch to a backup device. Parts from these computers can be removed and repaired without disruption to the computer or downtime.

Digital Certificates

Data files used to establish the identity of users and electronic assets for protection of online transactions.

Acceptable Use Policy (AUP)

Defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet.

Disaster Recovery Planning

Devises plans for the restoration of disrupted computing and communications services.

8-1 Why are information systems vulnerable to destruction, error, and abuse?

Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software failures. The Internet is designed to be an open system and makes internal corporate systems more vulnerable to actions from outsiders. Hackers can unleash denial-of-service (DoS) attacks or penetrate corporate networks, causing serious system disruptions. Wi-Fi networks can easily be penetrated by intruders using sniffer programs to obtain an address to access the resources of the network. Computer viruses and worms can disable systems and websites. The dispersed nature of cloud computing makes it difficult to track unauthorized activity or to apply controls from afar. Software presents problems because software bugs may be impossible to eliminate and because software vulnerabilities can be exploited by hackers and malicious software. End users often introduce errors.

War Driving

Eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

Secure Sockets Layer (SSL)

Enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure web session. SSL has been superseded by Transport Layer Security (TLS); its last version, SSL 3.0, is deprecated, and current browsers and servers negotiate TLS instead.

Deep Packet Inspection (DPI)

Examines the content of data packets, not just their headers. In the traffic-management use described here, it sorts out low-priority online material while assigning higher priority to business-critical files; based on the priorities established by a network's operators, it decides whether a specific data packet can continue to its destination or should be blocked or delayed while more important traffic proceeds. The same payload inspection is used by firewalls and intrusion detection systems to spot malware or policy violations hidden inside otherwise permitted connections.

Packet Filtering

Examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet, examining individual packets in isolation. This filtering technology can miss many types of attacks.

Application Proxy Filtering

Examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first communicates with the proxy application, and the proxy application communicates with the firm's internal computer. Likewise, a computer user inside the organization goes through the proxy to talk with computers on the outside.

Information Systems Audit

Examines the firm's overall security environment as well as controls governing individual information systems. The auditor should trace the flow of sample transactions through the system and perform tests, using, if appropriate, automated audit software. The information systems audit may also examine data quality.

Intrusion Detection Systems

Feature full-time monitoring tools placed at the most vulnerable points or hot spots of corporate networks to detect and deter intruders continually. The system generates an alarm if it finds a suspicious or anomalous event. Scanning software looks for patterns indicative of known methods of computer attacks, such as repeated bad passwords, checks to see whether important files have been removed or modified, and sends warnings of vandalism or system administration errors. The intrusion detection tool can also be customized to shut down a particularly sensitive part of a network if it receives unauthorized traffic; a system that blocks traffic in this way, rather than only raising an alarm, is usually called an intrusion prevention system (IPS).
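The two checks named in the definition, a pattern scan for repeated bad passwords and a check that important files have not been modified or removed, as an added example run over constructed data (this is not code from the textbook; the log lines, file paths and file contents are made up for the demonstration, and the threshold and time window are assumptions):

```python
"""Two host-based intrusion detection checks run over constructed data.

1. Pattern scan over authentication log lines: repeated bad passwords from
   one source within a short window (a password-guessing signature).
2. File integrity check: compare SHA-256 digests of important files against
   a baseline to see whether they were modified or removed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in the style of OpenSSH "Failed password" messages.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for admin from 198.51.100.23 port 50111 ssh2
2024-05-01T09:00:03 sshd[101]: Failed password for admin from 198.51.100.23 port 50112 ssh2
2024-05-01T09:00:04 sshd[101]: Failed password for root from 198.51.100.23 port 50113 ssh2
2024-05-01T09:00:06 sshd[101]: Failed password for admin from 198.51.100.23 port 50114 ssh2
2024-05-01T09:00:07 sshd[101]: Failed password for admin from 198.51.100.23 port 50115 ssh2
2024-05-01T09:05:00 sshd[102]: Failed password for alice from 10.1.1.5 port 40000 ssh2
2024-05-01T09:07:30 sshd[103]: Accepted password for alice from 10.1.1.5 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def detect_brute_force(log: str, threshold: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Alert when one source IP accumulates `threshold` failures within `window_seconds`.
    A sliding window per source keeps memory bounded to recent events; each
    source is reported once."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    alerted: set = set()
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                       # not a failed-login event
        src = m.group("src")
        ts = datetime.fromisoformat(m.group("ts"))
        window_start = ts - timedelta(seconds=window_seconds)
        recent[src] = [t for t in recent[src] if t >= window_start] + [ts]
        if len(recent[src]) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(recent[src]), "last_seen": ts.isoformat()})
    return alerts


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per file path (the 'known good' snapshot)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(snapshot: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify each baselined file as modified, removed, or unchanged."""
    result: Dict[str, List[str]] = {"modified": [], "removed": [], "unchanged": []}
    for path, digest in snapshot.items():
        if path not in current:
            result["removed"].append(path)
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            result["modified"].append(path)
        else:
            result["unchanged"].append(path)
    return result


# Constructed stand-ins for file contents, keyed by path (not real files).
GOOD_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
              "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
              "/usr/bin/ls": b"\x7fELF...original..."}
TAMPERED_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
                  "/usr/bin/ls": b"\x7fELF...original..."}

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))
    print(integrity_check(baseline(GOOD_FILES), TAMPERED_FILES))
```

On the sample data the first check raises one alert for 198.51.100.23 (five failures in six seconds) and ignores the single failure from 10.1.1.5; the integrity check reports /etc/passwd as modified, /etc/ssh/sshd_config as removed, and /usr/bin/ls as unchanged. A real deployment would store the baseline digests somewhere the attacker cannot rewrite them.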

8-4 What are the most important tools and technologies for safeguarding information resources?

Firewalls prevent unauthorized users from accessing a private network when it is linked to the Internet. Intrusion detection systems monitor private networks for suspicious network traffic and attempts to access corporate systems. Passwords, tokens, smart cards, and biometric authentication are used to authenticate system users. Antivirus software checks computer systems for infections by viruses and worms and often eliminates the malicious software; anti-spyware software combats intrusive and harmful spyware programs. Encryption, the coding and scrambling of messages, is a widely used technology for securing electronic transmissions over unprotected networks. Digital certificates combined with public key encryption provide further protection of electronic transactions by authenticating a user's identity. Companies can use fault-tolerant computer systems to make sure that their information systems are always available. Use of software metrics and rigorous software testing helps improve software quality and reliability.

8-3 What are the components of an organizational framework for security and control?

Firms need to establish a good set of both general and application controls for their information systems. A risk assessment evaluates information assets, identifies control points and control weaknesses, and determines the most cost-effective set of controls. Firms must also develop a coherent corporate security policy and plans for continuing business operations in the event of disaster or disruption. The security policy includes policies for acceptable use and identity management. Comprehensive and systematic information systems auditing helps organizations determine the effectiveness of security and controls for their information systems.

Business Continuity Planning

Focuses on how the company can restore business operations after a disaster strikes.

General Controls

Govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure.

Zero-Day Vulnerabilities

Holes in software that are unknown to its creator and for which no patch yet exists. Hackers exploit such a hole before the vendor becomes aware of the problem and hurries to fix it. This type of vulnerability is called zero day because the author of the software has zero days after learning about it to patch the code before it can be exploited in an attack.

Two-Factor Authentication

Increases security by validating users through a multistep process. To be authenticated, a user must provide two means of identification from different categories: typically something the user has, such as a physical token, smart card, or chip-enabled bank card, and something the user knows, such as a password or personal identification number (PIN). A biometric characteristic (something the user is) can serve as a factor as well. Two passwords do not count as two factors, because both can be stolen the same way.

Worms

Independent computer programs that copy themselves from one computer to other computers over a network. Unlike viruses, worms can operate on their own without attaching to other computer program files and rely less on human behavior to spread from computer to computer. This explains why computer worms spread much more rapidly than computer viruses. Worms can destroy data and programs and can disrupt or even halt the operation of computer networks through the traffic they generate while spreading.

Phishing

Involves setting up fake websites or sending email messages that look like those of legitimate businesses to ask users for confidential personal data. The email message instructs recipients to update or confirm records by providing social security numbers, bank and credit card information, and other confidential data either by responding to the email message, by entering the information at a bogus website, or by calling a telephone number.

8-2 What is the business value of security and control?

Lack of sound security and control can cause firms relying on computer systems for their core business function to lose sales and productivity. Information assets, such as confidential employee records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or if they expose the firm to legal liability. New laws, such as HIPAA, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act, require companies to practice stringent electronic records management and adhere to strict standards for security, privacy, and control. Legal actions requiring electronic evidence and computer forensics also require firms to pay more attention to security and electronic records management.

Social Engineering

Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information.

Malware

Malicious software programs.

Drive-By Downloads

Malware that comes with a downloaded file that a user intentionally or unintentionally requests, for example when merely visiting a compromised web page causes the browser to fetch and run the malware without the user's consent.

Controls

Methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.

Managed Security Service Providers (MSSPs)

Monitor network activity and perform vulnerability testing and intrusion detection.

Click Fraud

Occurs when an individual or computer program fraudulently clicks an online ad without any intention of learning more about the advertiser or making a purchase. Click fraud has become a serious problem at Google and other websites that feature pay-per-click online advertising.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. It requires members of the health care industry to retain patient information for six years and ensure the confidentiality of those records. It specifies privacy, security, and electronic transaction standards for health care providers handling patient information, providing penalties for breaches of medical privacy, disclosure of patient records by email, or unauthorized network access.

Firewalls

Prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization's private internal networks and distrusted external networks, such as the Internet, although firewalls can also be used to protect one part of a company's network from the rest of the network.

Stateful Inspection

Provides additional security by determining whether packets are part of an ongoing dialogue between a sender and a receiver. It sets up state tables to track information over multiple packets. Packets are accepted or rejected based on whether they are part of an approved conversation or attempting to establish a legitimate connection.
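The difference between the Packet Filtering entry above (each packet examined in isolation) and stateful inspection (a state table tracked across packets), as an added example with a constructed four-packet trace (this is not code from the textbook; the packet fields, addresses, the 10.0.0.0/8 internal range and the policy "inside may open TCP connections out, only replies may come in" are assumptions made for the demonstration):

```python
"""Stateless packet filter vs. stateful inspection on a tiny packet trace."""
import ipaddress
from typing import Dict, List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt: Dict) -> bool:
    """Examines each packet in isolation.

    With no memory of earlier packets, the only way to let replies in is a
    rule such as "inbound TCP with ACK set to a high port is a reply". An
    attacker satisfies that rule simply by setting ACK on an unsolicited probe
    (the classic ACK scan), which is one of the attacks this technology misses.
    """
    if pkt["proto"] != "tcp":
        return False
    if is_internal(pkt["src"]) and not is_internal(pkt["dst"]):
        return True                                             # outbound: allowed
    if is_internal(pkt["dst"]) and not is_internal(pkt["src"]):
        return "ACK" in pkt["flags"] and pkt["dport"] >= 1024   # "looks like a reply"
    return False


class StatefulFilter:
    """Keeps a state table of conversations opened from the inside."""

    def __init__(self) -> None:
        # (internal ip, internal port, external ip, external port)
        self.table: set = set()

    def check(self, pkt: Dict) -> bool:
        if pkt["proto"] != "tcp":
            return False
        outbound = is_internal(pkt["src"]) and not is_internal(pkt["dst"])
        inbound = is_internal(pkt["dst"]) and not is_internal(pkt["src"])
        if outbound:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
                self.table.add(key)       # a new conversation opened from inside
                return True
            return key in self.table      # later packets must belong to one
        if inbound:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            return key in self.table      # only replies to known conversations
        return False


def run_trace(trace: List[Dict]) -> List[Tuple[str, bool, bool]]:
    """Return (label, stateless verdict, stateful verdict) for each packet."""
    sf = StatefulFilter()
    return [(p["label"], stateless_filter(p), sf.check(p)) for p in trace]


# Constructed trace: an internal client opens an HTTPS connection, then an
# outside host probes the same client with a bare ACK to port 3389.
TRACE = [
    {"label": "client SYN", "proto": "tcp", "src": "10.1.1.5", "sport": 51000,
     "dst": "203.0.113.7", "dport": 443, "flags": {"SYN"}},
    {"label": "server SYN/ACK", "proto": "tcp", "src": "203.0.113.7", "sport": 443,
     "dst": "10.1.1.5", "dport": 51000, "flags": {"SYN", "ACK"}},
    {"label": "client ACK", "proto": "tcp", "src": "10.1.1.5", "sport": 51000,
     "dst": "203.0.113.7", "dport": 443, "flags": {"ACK"}},
    {"label": "attacker ACK probe", "proto": "tcp", "src": "198.51.100.9", "sport": 40000,
     "dst": "10.1.1.5", "dport": 3389, "flags": {"ACK"}},
]

if __name__ == "__main__":
    for label, stateless, stateful in run_trace(TRACE):
        print(f"{label:20s} stateless={'pass' if stateless else 'drop'} "
              f"stateful={'pass' if stateful else 'drop'}")
```

Both filters pass the three packets of the legitimate connection; only the stateful filter drops the attacker's probe, because no entry in its state table matches it. Real stateful firewalls also expire entries on FIN/RST or after an idle timeout so the table cannot grow without bound.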

Keyloggers

Record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to email accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card or bank account numbers.

Pharming

Redirects users to a bogus web page, even when the individual types the correct web page address into his or her browser. This is possible when pharming perpetrators tamper with the mapping from names to Internet addresses, for example by breaking into the DNS caches that Internet service providers (ISPs) keep to speed up web browsing, through flawed software on the ISP's servers, and changing the stored addresses.

Authentication

Refers to the ability to know that a person is who he or she claims to be.

Gramm-Leach-Bliley Act of 1999

Requires financial institutions to ensure the security and confidentiality of customer data. Data must be stored on a secure medium, and special security measures must be enforced to protect such data on storage media and during transmittal.

Application Controls

Specific controls unique to each computerized application, such as payroll or order processing.

SQL Injection Attacks

Take advantage of vulnerabilities in poorly coded web application software to introduce malicious SQL statements into the queries a company's database executes, giving the attacker a way into its systems and networks. These vulnerabilities occur when a web application fails to validate properly or filter data a user enters on a web page, which might occur when ordering something online, and instead pastes that data directly into the text of a database query.
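The flaw and its fix side by side, as an added example against an in-memory SQLite database (this is not code from the textbook; the users table, the credentials and the payload are constructed for the demonstration, and passwords are stored in clear text only to keep the query readable):

```python
"""A login query built by string concatenation beside its parameterized fix."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed demo table; real systems store password hashes, not passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Pastes user input into the SQL text, so a quote character in the input
    ends the string literal and the rest of the input becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: the driver sends the inputs as data, never as SQL
    text, so the same payload is just a username that does not exist."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic tautology payload: the leading quote closes the username literal,
# "OR 1=1" makes the WHERE clause true for every row, and "--" comments out
# the password check that follows.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("legit login, vulnerable:", login_vulnerable(db, "bob", "hunter2"))
    print("attack, vulnerable     :", login_vulnerable(db, PAYLOAD, "anything"))
    print("attack, safe           :", login_safe(db, PAYLOAD, "anything"))
```

The vulnerable version logs the attacker in as the first user in the table without any valid credentials; the parameterized version returns no match. Input validation is still worthwhile, but parameterized queries are the control that actually closes the hole.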

Cyber Vandalism

The intentional disruption, defacement, or even destruction of a website or corporate information system.

Security

The policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Encryption

The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver. Data are encrypted by using a secret numerical code, called an encryption key, that transforms plain data into cipher text. The message must be decrypted by the receiver.

Computer Forensics

The scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

Public Key Infrastructure (PKI)

The use of public key cryptography working with a certification authority (CA), a trusted third party that issues digital certificates and vouches for the binding between a public key and its owner's identity.

Unified Threat Management (UTM) Systems

To help businesses reduce costs and improve manageability, security vendors have combined into a single appliance various security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software.

Ransomware

Tries to extort money from users by taking control of their computers, most often by encrypting the victim's files and demanding payment for the decryption key, or by locking the screen or displaying persistent pop-up messages.

Distributed Denial-of-Service (DDoS) Attack

Uses numerous computers to inundate and overwhelm the network from numerous launch points.

Public Key Encryption

Uses two keys: one shared (or public) and one totally private. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key.
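The key relationship stated above, and the signing operation a certification authority uses when it vouches for a digital certificate (see the Digital Certificates and Public Key Infrastructure entries), as an added example using textbook RSA with tiny primes. This is not code from the textbook, and it is illustrative only: the primes are far too small to be secure and there is no padding, so it must never be used on real data; real keys are 2048 bits or more and use padding schemes such as OAEP and PSS.

```python
"""Textbook RSA: one key undoes the other because e*d = 1 (mod phi(n))."""
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def keygen(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Derive a (public, private) pair from two primes (toy sizes for illustration)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime with phi(n)"
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key: Key, m: int) -> int:
    """Modular exponentiation; the same operation serves encrypt, decrypt, sign, verify."""
    exp, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def encrypt(public: Key, m: int) -> int:
    """Anyone with the shared key can encrypt ..."""
    return apply_key(public, m)


def decrypt(private: Key, c: int) -> int:
    """... but only the holder of the private key can read the result."""
    return apply_key(private, c)


def sign(private: Key, m: int) -> int:
    """Keys swapped: only the private key holder (e.g. a CA) can produce this ..."""
    return apply_key(private, m)


def verify(public: Key, m: int, sig: int) -> bool:
    """... and anyone with the public key can check it against the message."""
    return apply_key(public, sig) == m


if __name__ == "__main__":
    pub, priv = keygen(61, 53)           # the classic small example: n = 3233
    c = encrypt(pub, 65)
    print("ciphertext", c, "-> plaintext", decrypt(priv, c))
    s = sign(priv, 42)
    print("signature valid:", verify(pub, 42, s), "| tampered message:", verify(pub, 43, s))
```

With p = 61 and q = 53 the public key is (17, 3233) and the private key (2753, 3233); the message 65 encrypts to 2790 and decrypts back to 65, and a signature made with the private key verifies only against the message that was actually signed.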

Evil Twins

Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops. The bogus network looks identical to a legitimate public network. Fraudsters try to capture passwords or credit card numbers of unwitting users who log on to the network.

Denial-of-Service (DoS) Attack

Hackers flood a network server or web server with many thousands of false communications or requests for services to crash the network. The server receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests.
