Chapter 8 Securing Information System
Securing Information Systems
LEARNING OBJECTIVES
• Security:
– Policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or
physical damage to information systems
• Controls:
– Methods, policies, and organizational procedures that
ensure safety of organization’s assets; accuracy and
reliability of its accounting records; and operational
adherence to management standards
• Internet vulnerabilities
– Network open to anyone
– Size of Internet means abuses can have wide impact
– Use of fixed Internet addresses with cable / DSL
modems creates fixed targets for hackers
– Unencrypted VOIP
– E-mail, P2P, IM
• Interception
• Attachments with malicious software
• Transmitting trade secrets
• Malware (cont.)
– Smartphones as vulnerable as computers
• Study finds 13,000 types of smartphone malware
– Trojan horses
• Software that appears benign but does something
other than expected
– SQL injection attacks
• Hackers submit crafted data to Web forms that exploit the site's
unprotected input handling and send a rogue SQL query to the
database
– Ransomware
• Malware that encrypts or locks a victim's data and demands
payment to restore access
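The SQL injection bullet above, shown in code. This is an added example, not part of the Pearson slides: a login check written the vulnerable way (form fields spliced into the SQL text) and the safe way (parameterized query). The in-memory sqlite3 database, the user names and the attacker's input are constructed for the demo.

```python
import sqlite3

# Constructed demo database (not from the slides): plaintext passwords are used
# only so the injection is easy to see; real systems store salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "hunter2", "admin"), ("bob", "letmein", "staff")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Form fields are spliced into the SQL text, so the user controls part of the query."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return sorted(conn.execute(query).fetchall())

def login_parameterized(conn, username, password):
    """Placeholders: the driver binds the values separately; they are data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return sorted(conn.execute(query, (username, password)).fetchall())

# A hypothetical attacker's form input: the quote closes the string literal, OR 1=1
# makes the WHERE clause true for every row, and "--" comments out the password check.
INJECTION = "' OR 1=1 --"

def demo():
    conn = make_db()
    return {
        "vulnerable, honest login": login_vulnerable(conn, "alice", "hunter2"),
        "vulnerable, injected":     login_vulnerable(conn, INJECTION, "anything"),
        "parameterized, injected":  login_parameterized(conn, INJECTION, "anything"),
        "parameterized, honest":    login_parameterized(conn, "alice", "hunter2"),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:26s} -> {rows}")
```

With the injected input the vulnerable query returns every user, including the admin, without any password; the parameterized version returns nothing because the same text is compared as a literal user name. sqlite3 refuses to execute stacked statements in one call, so this demo shows the authentication bypass only; on servers that allow stacked queries the same flaw also permits data modification.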
• Malware (cont.)
– Spyware
• Small programs install themselves surreptitiously on
computers to monitor user Web surfing activity and serve up
advertising
• Key loggers
– Record every keystroke on computer to steal serial
numbers, passwords, launch Internet attacks
• Other types:
– Reset browser home page
– Redirect search requests
– Slow computer performance by taking up memory
• Spoofing
– Misrepresenting oneself by using fake e-mail addresses
or masquerading as someone else
– Redirecting Web link to address different from intended
one, with site masquerading as intended destination
• Sniffer
– Eavesdropping program that monitors information
traveling over a network
– Enables hackers to steal proprietary information such as
e-mail, company files, and so on, whenever that traffic is
sent unencrypted
• Identity theft
– Theft of personal Information (social security ID,
driver’s license, or credit card numbers) to
impersonate someone else
• Phishing
– Setting up fake Web sites or sending e-mail messages
that look like legitimate businesses to ask users for
confidential personal data
• Evil twins
– Wireless networks that pretend to offer trustworthy
Wi-Fi connections to the Internet
8.12 Copyright © 2016 Pearson Education, Inc.
Management Information Systems
Chapter 8: Securing Information Systems
• Pharming
– Redirects users to a bogus Web page, even when
individual types correct Web page address into his or
her browser
• Click fraud
– Occurs when individual or computer program
fraudulently clicks on online ad without any intention
of learning more about the advertiser or making a
purchase
• Cyberterrorism and Cyberwarfare
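The spoofing, phishing and pharming bullets above describe links whose visible text and real destination differ. As an added example (not from the Pearson slides), here is a small checker that scans the links in an e-mail body for the usual lure patterns: a raw IP address as host, an internationalized (punycode) hostname that can mimic a familiar name, and anchor text that shows one domain while the link goes to another. The sample message, the `.example` domains, the documentation-range IP address and the punycode label are all constructed; the "registrable domain" logic is a deliberate simplification.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL, lower-cased; a bare 'www.x.example' is treated as a URL too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def registrable(host):
    # Simplification: the last two labels ("mybank.example"). Production code should
    # use the Public Suffix List so that suffixes like "co.uk" are handled correctly.
    return ".".join(host.rstrip(".").split(".")[-2:])

def shown_host(text):
    """Hostname the reader *sees*, if the anchor text looks like a URL or domain."""
    t = text.strip()
    if t.startswith(("http://", "https://")) or re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}", t):
        return host_of(t)
    return ""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html):
    """Return (href, reason) findings for links that look like phishing lures."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = host_of(href)
        if not host:
            continue
        if is_ip(host):
            findings.append((href, "link host is a raw IP address"))
        if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
            findings.append((href, "internationalized hostname (possible homograph)"))
        seen = shown_host(text)
        if seen and registrable(seen) != registrable(host):
            findings.append((href, f"text shows {seen} but link goes to {host}"))
    return findings

# Constructed sample message: 203.0.113.9 is a documentation-only address, the
# .example names are reserved, and the xn-- label is made up (the check does not decode it).
SAMPLE_EMAIL = """
<p>Your account is locked. <a href="http://203.0.113.9/login">Verify now</a></p>
<p>Or sign in at <a href="https://secure-mybank.example.net/login">https://www.mybank.example</a></p>
<p>Help centre: <a href="https://www.mybank.example/help">www.mybank.example</a></p>
<p>Partner offer: <a href="https://www.xn--mybnk-5qa.example/deal">www.mybank.example</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The genuine help-centre link produces no finding; the other three produce four findings between them. Note what this cannot catch: pharming works at the DNS level, so the user types or clicks the correct name and is still sent to the bogus server. The defence there is not link inspection but DNS integrity and strict TLS certificate validation in the client.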
• Software vulnerability
– Commercial software contains flaws that create
security vulnerabilities
• Hidden bugs (program code defects)
– Zero defects cannot be achieved because complete testing is
not possible with large programs
• Flaws can open networks to intruders
– Patches
• Small pieces of software to repair flaws
• Exploits often created faster than patches can be
released and implemented
• Electronic evidence
– Evidence for white collar crimes often in digital form
• Data on computers, e-mail, instant messages,
e-commerce transactions
– Proper control of data can save time and money
when responding to legal discovery request
• Computer forensics:
– Scientific collection, examination, authentication,
preservation, and analysis of data from computer
storage media for use as evidence in court of law
– Includes recovery of ambient and hidden data
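Two of the forensics steps listed above, authentication and recovery of hidden data, as an added example (not part of the Pearson slides). A constructed "disk image" holds one live file padded to a 512-byte sector, followed by unallocated space that still contains part of a deleted e-mail. The image is hashed at acquisition so that any later change is detectable, and a raw byte scan (file carving) recovers the deleted message that a normal file listing would never show.

```python
import hashlib
import re

# Constructed "disk image" (not from the slides): a live file padded to a 512-byte
# sector, followed by unallocated space still holding part of a deleted e-mail.
LIVE_FILE = b"Quarterly report Q3: revenue up 4%.\n"
DELETED_REMNANT = (b"From: cfo@corp.example\n"
                   b"To: broker@outside.example\n"
                   b"Subject: move funds before the audit\n")
IMAGE = LIVE_FILE.ljust(512, b"\x00") + DELETED_REMNANT + b"\x00" * 200

def acquire(image):
    """Hash recorded in the chain-of-custody log when the image is taken."""
    return hashlib.sha256(image).hexdigest()

def verify(image, recorded_hash):
    """Authentication: the image presented later must still hash to the recorded value."""
    return hashlib.sha256(image).hexdigest() == recorded_hash

def allocated_view(image, live_size=len(LIVE_FILE)):
    """What the file system shows an ordinary user: only the live file's bytes."""
    return image[:live_size]

def carve_emails(image):
    """Hidden/ambient data: scan the raw bytes for addresses, ignoring the file system."""
    found = re.findall(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", image)
    return sorted({m.decode() for m in found})

def carve_headers(image):
    """Recover mail header lines from unallocated space."""
    return [m.decode() for m in re.findall(rb"(?:From|To|Subject): [^\n]+", image)]

if __name__ == "__main__":
    h = acquire(IMAGE)
    print("acquired, sha256 =", h)
    print("still intact:", verify(IMAGE, h))
    print("live file only:", allocated_view(IMAGE))
    print("carved addresses:", carve_emails(IMAGE))
    print("carved headers:", carve_headers(IMAGE))
```

In practice the image is taken through a write blocker and the hash is recorded before any analysis begins; the carving regexes here are illustrative, real tools carve by file signatures as well as text patterns.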
• Application controls
– Specific controls unique to each computerized
application, such as payroll or order processing
– Include both automated and manual procedures
– Ensure that only authorized data are completely and
accurately processed by that application
– Include:
• Input controls
• Processing controls
• Output controls
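The three kinds of application control listed above, worked through for a payroll batch. This is an added example, not from the Pearson slides; the employee ids, hours and rates are constructed. Input controls are edit checks on each record; the processing control is a set of batch control totals (record count, hours total and a hash total of the ids); the output control recomputes those totals from the produced payslips and requires them to reconcile, which catches a dropped, duplicated or substituted record.

```python
import re
from dataclasses import dataclass

@dataclass
class TimeRecord:
    emp_id: str
    hours: float
    rate: float

# Constructed payroll batch (hypothetical ids and rates).
BATCH = [TimeRecord("E00123", 40.0, 25.0),
         TimeRecord("E00456", 38.5, 30.0),
         TimeRecord("E00789", 45.0, 22.0)]

def input_errors(r):
    """Input controls: edit checks applied before a record enters the batch."""
    errs = []
    if not re.fullmatch(r"E\d{5}", r.emp_id):
        errs.append(f"{r.emp_id}: employee id must be 'E' + 5 digits")
    if not 0 <= r.hours <= 80:
        errs.append(f"{r.emp_id}: hours {r.hours} outside 0-80")
    if not 0 < r.rate <= 500:
        errs.append(f"{r.emp_id}: rate {r.rate} outside (0, 500]")
    return errs

def control_totals(records):
    """Batch control totals: record count, financial total (hours) and a hash total
    (sum of the numeric part of the ids; meaningless as a number, but any dropped,
    duplicated or substituted record changes it)."""
    return (len(records),
            round(sum(r.hours for r in records), 2),
            sum(int(r.emp_id[1:]) for r in records))

def run_payroll(records):
    """Processing step: produce (emp_id, hours, gross_pay) payslips."""
    return [(r.emp_id, r.hours, round(r.hours * r.rate, 2)) for r in records]

def output_reconciles(records, payslips):
    """Output control: totals recomputed from the output must equal the input totals."""
    out = (len(payslips),
           round(sum(p[1] for p in payslips), 2),
           sum(int(p[0][1:]) for p in payslips))
    return control_totals(records) == out

def process_batch(records):
    """Whole pipeline: reject bad input, run, reconcile; returns (payslips, ok)."""
    accepted = [r for r in records if not input_errors(r)]
    slips = run_payroll(accepted)
    return slips, output_reconciles(accepted, slips)

if __name__ == "__main__":
    print(input_errors(TimeRecord("X1", 99.0, 0.0)))
    slips, ok = process_batch(BATCH)
    print(slips, "reconciled:", ok)
    print("dropped record detected:", not output_reconciles(BATCH, slips[:-1]))
```

Rejected input records would, in a real system, go to an exception report for manual follow-up rather than being silently discarded; that report is itself an output control.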
• Risk assessment (sample row)

EXPOSURE        PROBABILITY   LOSS RANGE (AVERAGE)     EXPECTED ANNUAL LOSS
Power failure   30%           $5K–$200K ($102,500)     $30,750

– Expected annual loss = probability × average loss
= 0.30 × $102,500 = $30,750
• Security policy
– Ranks information risks, identifies acceptable security
goals, and identifies mechanisms for achieving these goals
– Drives other policies
• Acceptable use policy (AUP)
– Defines acceptable uses of firm’s information
resources and computing equipment
• Authorization policies
– Determine differing levels of user access to
information assets
• Identity management
– Business processes and tools to identify valid users
of system and control access
• Identifies and authorizes different categories of
users
• Specifies which portion of system users can access
• Authenticates users and protects identities
– Identity management systems
• Capture access rules for different levels of users
• Firewall:
– Combination of hardware and software that prevents
unauthorized users from accessing private networks
– Technologies include:
• Static packet filtering
• Stateful inspection
• Network address translation (NAT)
• Application proxy filtering
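The difference between the first two firewall technologies listed above, static packet filtering and stateful inspection, is easiest to see on a concrete packet stream. This is an added example, not from the Pearson slides: a simulated filter of each kind is run over three constructed packets (documentation-range addresses), a legitimate outbound HTTPS handshake followed by an attacker's probe of port 22 disguised with source port 443 and the ACK flag. The static filter, which has no memory of earlier packets, must admit anything that looks like a reply and therefore lets the probe through; the stateful filter admits inbound packets only for connections it saw the inside open.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (constructed, not a real capture)."""
    direction: str  # "out" = leaving the private network, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def static_filter(pkt):
    """Static packet filtering: each packet judged on its own header, no memory."""
    # Rule 1: inside hosts may open HTTPS connections.
    if pkt.direction == "out" and pkt.dport == 443:
        return True
    # Rule 2: replies must be let back in, but a stateless filter cannot tell a reply
    # from a forged packet, so it admits anything with source port 443 and ACK set.
    if pkt.direction == "in" and pkt.sport == 443 and pkt.ack:
        return True
    return False  # default deny

class StatefulFilter:
    """Stateful inspection: remembers the connections the inside initiated."""
    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if pkt.direction == "out" and pkt.dport == 443:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:          # new connection from inside: record it
                self.connections.add(key)
                return True
            return key in self.connections      # later outbound segments of a known flow
        if pkt.direction == "in":
            # Inbound traffic is allowed only if it belongs to a tracked connection.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False

# Constructed traffic: a legitimate HTTPS handshake, then an attacker's probe of port 22
# disguised with source port 443 and the ACK flag.
STREAM = [
    Packet("out", "10.0.0.5", 51000, "198.51.100.7", 443, syn=True),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 51000, syn=True, ack=True),
    Packet("in", "203.0.113.66", 443, "10.0.0.5", 22, ack=True),
]

def run_static(packets):
    return [static_filter(p) for p in packets]

def run_stateful(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print("static  :", run_static(STREAM))    # the forged probe gets through
    print("stateful:", run_stateful(STREAM))  # the forged probe is dropped
```

A real stateful firewall also ages entries out of the connection table and tracks the TCP state machine (FIN/RST), and an application proxy goes one step further by terminating the connection and inspecting the application-layer content itself.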
• Encryption:
– Transforming text or data into cipher text that cannot
be read by unintended recipients
– Two methods for encryption on networks
• Secure Sockets Layer (SSL) and successor Transport
Layer Security (TLS); every SSL version and TLS 1.0/1.1 are
now deprecated, so current deployments use TLS 1.2 or 1.3
• Secure Hypertext Transfer Protocol (S-HTTP), an experimental
1990s alternative that saw little adoption; HTTPS (HTTP over
TLS) is what is used in practice