MIS Chapter 8

Computer Crime

*) "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution". *) Computer may be target of crime, e.g.: - Breaching confidentiality of protected computerized data - Accessing a computer system without authority *) Computer may be instrument of crime, e.g.: - Theft of trade secrets - Using e-mail for threats or harassment.

Establishing a Framework for Security and Control

*) A firm need to know where is the company risk and what kind of control they must have to protect their information systems. *) Also, they need to develop a security policy and plans for keeping their business running.

Software vulnerability

*) A major problem with software is the presence of hidden bugs or program code defects. - Commercial software contains flaws that create security vulnerabilities *) Hidden bugs (program code defects) Zero defects cannot be achieved because complete testing is not possible with large programs *) Flaws can open networks to intruders

Security policy

*) A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. *) The security policy drives policies determining acceptable use of the firm's information resources and which members of the company have access to its information assets.

Digital certificate

*) A technology used to associate a user's identity to a public key, in which the user's public key is digitally signed by a trusted third party. *) Data file used to establish the identity of users and electronic assets for protection of online transactions *) Uses a trusted third party, certification authority (CA), to validate a user's identity *) CA verifies user's identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner's public key

Public key encryption

*) A two key system used for securing electronic transmissions. One key distributed publicly is used to encrypt (lock) data, but it cannot unlock data. Unlocking can only be performed with the private key. The private key also cannot be reverse engineered from the public key. By distributing public keys, but keeping the private key, Internet services can ensure transmissions to their site are secure. - Uses two, mathematically related keys: Public key and private key - Sender encrypts message with recipient's public key - Recipient decrypts with private key

Drives other policies

*) An acceptable use policy (AUP) defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the internet. The policy should clarify company policy regarding privacy, user responsibility, and personal use of company equipment and network. *) Authorization policies: Determine differing levels of user access to information assets.

Antivirus and Antispyware Software

*) Antivirus software is designed to check computer systems and drives for the presence of computer viruses. Often the software eliminates the virus from the infected area. *) Require continual updating

Application controls

*) Are specific controls unique to each computerized application, such as payroll or order processing. *) They include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. *) Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls

Identity management systems

*) Business processes and tools to identify valid users of system and control access - Identifies and authorizes different categories of users - Specifies which portion of system users can access - Authenticating users and protects identities *) Security policy also includes provisions of identity management. Identity management consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources.

Business value of security and control

*) Companies have very valuable information assets to protect. Systems often house confidential information about individual's taxes, financial assets, medical records, and job performance reviews. They also can contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies. *) Government systems may store information on weapons systems, intelligence operations, and military targets. *) These information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or placed in the wrong hands. Inadequate security and control may result in serious legal liability.

Unified threat management (UTM) systems

*) Describes devices that combine several security controls into one all-inclusive product. *) A solution that provides many security services at once for simplicity, easy maintenance and access control, and provides holistic point of view

Risk assessment

*) Determines the level of risk to the firm if a specific activity or process is not properly controlled. *) Not all risks can be anticipated and measured, but most businesses will be able to acquire some understanding of the risks they face. *) Once the risks have been assessed, system builders will concentrate on the control points with the greatest vulnerability and potential for loss. In this case, controls should focus on ways to minimize the risk of power failures and user errors because anticipated annual losses are highest for these areas.

Internal Threats

*) Employees have access to privileged information *) The presence of sloppy internal security procedures, they are often able to roam throughout an organization's systems without leaving a trace.

Wireless security challenges

*) Even the wireless network in your home is vulnerable because radio frequency bands are easy to scan. *) Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers. *) The service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple times and can be picked up fairly easily by intruders' sniffer programs.

Firewall

*) Firewalls prevent unauthorized users from accessing private networks. *) A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization's private internal networks and distrusted external networks, such as the Internet. *) The firewall acts like gate keeper who examines each user's credentials before access is granted to a network. The firewall identifies names, IP addresses, applications, and other characteristics of incoming traffic. *) Technologies include: - Static packet filtering - Network address translation (NAT) - Application proxy filtering

Sarbanes-Oxley Act

*) For those who work in publicity traded company. *) Also known as the Public Company Accounting Reform and Investor Protection Act of 2002. *) This act was designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies. *) It imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and releases externally.

HIPAA (Health insurance portability and accounting Act.)

*) HIPAA of 1996, outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. It requires members of the health care industry to retain patient information for six years and ensure the confidentiality of those records. *) Those who breach the medical privacy and disclosure patient records will be providing with penalties.

Hackers vs. Crackers

*) Hackers and crackers gain unauthorized access by finding weaknesses in the security protections employed by Web sites and computer systems, often taking advantage of various features of the internet that make it an open system that is easy to use.

High-availability computing

*) Helps recover quickly from crash *) Minimizes, does not eliminate downtime

General controls

*) Is govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. *) General controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment.

Internet Vulnerabilities

*) Large public networks, such as the Internet, are more vulnerable than internal networks because they are virtually open to anyone. *) The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. *) When the Internet becomes part of the corporate network, the organization's information systems are even more vulnerable to actions from outsiders. *) Computers that are constantly connected to the Internet by cable modems or digital subscriber line (DSL) lines are more open to penetration by outsiders because they creates fixed targets hackers. *) Unencrypted VOIP *) Vulnerability also increased from widespread use of e-mail, instant messaging (IM) and peer-to-peer files-sharing programs. - Interception - Attachments with malicious software - Transmitting trade secrets.

Malicious Software:

*) Malicious software programs are referred to as malware and include a variety of threats such as: a) Computer Virus b) Worms c) Trojan Horse d) SQL injection attacks e) Spyware k) Key loggers

The role of auditing

*) Organizations must conduct comprehensive and systematic audits. *) MIS audit examines the firm's overall security environment as well as controls governing individual information systems. *) The auditor should trace the flow of sample transactions through the system and perform tests, using, if appropriate, automated audit software. *) The MIS audit may also examine data quality. *) Security audits review technologies, procedures, documentation, training, and personnel. *) A thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff, and business employees. *) The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. *) It then assesses the financial and organizational impact of each threat.

Security in the cloud

*) Responsibility for security resides with company owning the data *) Firms must ensure providers provides adequate protection *) Service level agreement (SLAs)

Distributed denial-of-service attacks (DDoS)

*) Use of numerous computers to launch a DoS *) Botnets Networks of "zombie" PCs infiltrated by bot malware Worldwide, 6 - 24 million computers serve as zombie PCs in thousands of botnets

Patches

*) Vendors release small pieces of software to repair flaws *) However exploits often created faster than patches be released and implemented.

Identity theft

*) With the growth of the Internet and electronic commerce, identity theft has become especially troubling. Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social security numbers, to impersonate someone else. *) The information may be used to obtain credit, merchandise, or services in the name of the victim or to provide the thief with false credentials.

Security

*) a system of safeguards for protecting information technology against disasters, system failures, and unauthorized access that result in damage or loss. or *) refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

WEP security can provide some security by

*) assigning unique name to network's SSID and not broadcasting SSID *) Using it with VPN technology

Identity management software

*) automates the process of keeping track of all these users and their system privileges, *) assigning each user a unique digital identity for accessing each system. *) It also includes tools for authenticating users, protecting user identities, and controlling access to system resources.

Intrusion Detection Systems

*) full-time monitoring tools placed at the most vulnerably points or "hot spots" of corporate networks to detect and deter intruders continually. *) The systems generates an alarm if it finds a suspicious or anomalous event. *) Examines events as they are happening to discover attacks in progress

Spoofing

*) involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. *) Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else

Phishing

*) involves setting up fake Web sites or sending e-mail or text messages that look like those of legitimate businesses to ask users for confidential personal data.

Sniffer

*) is a type of eavesdropping program that monitors information traveling over a network. Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports.

Authentication

*) refers to the ability to know that a person is who he or she claims to be. *) Authentication is often established by using passwords known only to authorized users. *) An end user uses password to log on to a computer system and may also use passwords for accessing specific systems and files. - However, users often forget passwords, share them, or choose poor passwords that are easy to guess, which compromises security. - New authentication technologies, such as tokens, smart cards, and biometric authentication, overcome some of these problems.

Why Systems Are Vulnerable

- Accessibility of networks *) When large amounts of data are stored digitally, on computers and servers and in databases, they are vulnerable to many more kinds of threats than when they were stored in manual form, on paper in folders and file cabinets. *) When data are available over a network, there are even more vulnerabilities. - Hardware problems (breakdowns, configuration errors, damage from improper use or crime) - Software problems (programming errors, installation errors, unauthorized changes) - Disasters such as power failures, floods, fires, or other natural disasters can also disrupt computer systems. - Use of networks/computers outside of firm's control - Loss and theft of portable devices *) Without strong safeguards, valuable data could be lost, destroyed, or could fall into the wrong hands, revealing important trade secrets or information that violates personal privacy.

Gamm-Leach Billey Act

- Also known as Financial Services Modernization Act of 1999. - For firm providing financial services. - This act requires financial institutions to ensure the security and confidentiality of customer data.

Firms now more vulnerable than ever

- Confidential personal and financial data - Trade secrets, new products, strategies

Electronic evidence

- Evidence for white collar crimes often in digital form *) Data on computers, e-mail, instant messages, e-commerce transactions - Proper control of data can save time and money when responding to legal discovery request

Fault-tolerant computer systems

- For continuous availability, e.g. stock markets - Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service

Legal and regulatory requirements for electronic records management

- HIPAA (Health insurance portability and accounting Act.) - Gamm-Leach Billey Act - Sarbanes-Oxley Act

Computer forensics

- Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law - Includes recovery of ambient and hidden data.

Two Methods for encryption networks

- Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS) - Secure Hypertext Transfer Protocol (S-HTTP)

WEP (Wired Equivalent Privacy)

- Security standard for 802.11; use is optional - Uses shared password for both users and access point - Users often fail to implement WEP or stronger systems

Types of general controls

- Software controls - Hardware controls - Computer operations controls - Data Security controls - Implementation controls - Administrative controls

Hackers and crackers activities

- System intrusion - System damage - Cybervandalism

Risk Example

- Type of threat - Probability of occurrence during year - Potential losses, value of threat - Expected annual loss

Public key infrastructure (PKI)

- Use of public key cryptography working with certificate authority - Widely used in e-commerce

Public Key Encryption - Figure 8-6

A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Symmetric key encryption

An encryption key that is used for both encryption and decryption of messages. sender and receiver

Digital certificates - Figure 8-7

Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.

Disaster recovery planning and business continuity planning

If you run a business, you need to plan for events, such as power outages, floods, earthquakes, or terrorist attacks that will prevent your information systems and your business from operating.

Information systems controls

Information systems controls are both manual and automated and consist of both general controls and application controls.

Cybervandalism-hacker activities

Intentional disruption, defacement, destruction of Web site or corporate information system.

System Vulnerability and Abuse

Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

Ensuring system availability

Online transaction processing requires 100% availability and no downtime.

Securing mobile platforms

Security policies should include and cover any special requirements for mobile devices. * E.g. updating smart phones with latest security patches etc.

Contemporary security challenges and vulnerabilities

The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Encryption

The conversion of data into a special format that cannot be read by anyone unless they have a software key to convert it back into its usable form.

A Corporate Firewall

The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.

Global Threats

The vulnerabilities of the internet or other networks make digital networks easy to targets for digital attacks by terrorists, foreign intelligence service, or other groups seeking to create widespread disruption and harm.

Recovery-oriented computing

This work includes designing systems that recover quickly, and implementing capabilities and tools to help operators pinpoint the sources of faults in multi-component systems and easily correct their mistakes. To help systems recover even more rapidly when mishaps occur.

Social engineering

Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information.

Wi-Fi alliance finalized WPA2 specification, replacing

WEP with stronger standards. *) continually changing keys *) encrypted authentication system with central server

Evil twins

Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet

Worms

are independent computer programs that copy themselves from one computer to other computers over a network. Worms destroy data and programs as well as disrupt or even halt the operation of computer networks.

Controls

are methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its records; and operational adherence to management standards.

SQL injection attacks

are the largest malware threat. SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company's systems and network

Biometric

authentication uses systems that read ad interpret individual human traits, such as fingerprints, irises, and voices, in order to grant or deny access. It compares a person's unique characteristics, such as the fingerprints, face, or retinal image, against a stored profile of these characteristics to determine whether there are any differences between these characteristics and the stored profile.

Controlling network traffic

deep packet inspection (DPI) - video and music blocking

Disaster recovery planning

devises plans for the restoration of computing and communications services after they have been disrupted. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services.

Output controls

ensure that the results of computer processing are accurate, complete, and properly distributed.

Processing controls

establish that data are complete and accurate during updating.

A security breach may cut into

firm's market value almost immediately

Business continuity planning

focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.

Input controls

for input authorization, data conversion, data editing, and error handling.

Cracker

hacker with criminal intent

Denial-of-service (DoS) Attacks

hackers flood a network server or Web Server with many thousands of false communications or requests for services to crash the networks.

War Driving

in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

Spyware

install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.

Smart card

is a device about the size of a credit card that contains a chip formatted with access permission and other data.

Tokens

is a physical device, similar to an identification card that is designed to prove the identity of a single user. Tokens are small gadgets that typically fit on key rings and display passcodes that change frequently.

Computer Virus

is a rogue software program that attaches itself to other software programs or files in order to be executed, usually without user knowledge or permission.

Trojan Horse

is a software program that appears to be benign but then do something other than expected.

Hackers

is an individual who intends to gain unauthorized access to a computer system.

Inadequate security and controls also bring forth issues of

liability

Security outsourcing

managed security service provides (MSSPs) monitor network activity and perform vulnerability testing and intrusion detection

Click Fraud

occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making purchase. Click fraud has become a serious problem at Google and other Web sites that feature pay-per-click online advertising. *) Cyberterrorism and Cyberwarfare

Key loggers

record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers.

Pharming

redirects users to a bogus web page, even when the individual types the correct Web page address into his or her browser.

Failed computer systems can lead to

significant or total loss of business function

Business managers and information technology specialists need to work together on both

types of plans to determine which systems and business processes are most critical to the company. *) They must conduct a business impact analysis to identify the firm's most critical systems and the impact a systems outage would have on the business. *) Management must determine the maximum amount of time the business can survive with its systems down and which parts of the business must be restored first.

Electronic Evidence And Computer Forensics

• Legal cases today increasing rely on evidence represented as digital data stored on portable floppy disks, CDs, and computer hard disk drives, as well as in e-mail, instant messages, and e-commerce transactions over the internet. • Email is currently the most common type of electronic evidence. • Computer Forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. - Includes recovery of ambient and hidden data.