IS Today (Valacich & Schneider) 5/e. Copyright © 2012 Pearson Education, Inc. Published as Prentice Hall.

Learning Objectives
1. Define computer crime and describe several types of computer crime.
2. Describe and explain the differences between cyberwar and cyberterrorism.
3. Explain what is meant by the term "IS security" and describe both technology and human-based safeguards for information systems.
4. Discuss how to better manage IS security and explain the process of developing an IS security plan.
5. Describe how organizations can establish IS controls to better ensure IS security.
Chapter 10: Securing Information Systems

Title-slide figure caption: Accessories for "war driving" can be easily built using simple parts.
Learning Objective 1: Define computer crime and describe several types of computer crime.
Primary Threats to Information Systems Security
- Natural disasters: power outages, hurricanes, floods, and so on
- Accidents: power outages, cats walking across keyboards
- Employees and consultants
- Links to outside business contacts: travel between business affiliates
- Outsiders
- Viruses
Computer Crime
Computer crime: the act of using a computer to commit an illegal act. This covers:
- Targeting a computer while committing an offense.
- Using a computer to commit an offense.
- Using computers to support a criminal activity.
The overall trend in reported computer crime losses has been declining over the past several years (CSI, 2009).
Many incidents are never reported, so survey figures understate the real rate.
Hacking and Cracking
- Hackers: individuals who are knowledgeable enough to gain access to computer systems without authorization. The term was first used in the 1960s at MIT; often the motivation is curiosity, not crime.
- Crackers: those who break into computer systems with the intention of doing damage or committing a crime.
- Hacktivists: those who attempt to break into systems or deface Web sites to promote political or ideological goals.
Types of Criminals
There is no clear profile of who commits computer crimes. Four groups of computer criminals:
1. Current or former employees: 85–95% of theft from businesses comes from the inside.
2. People with technical knowledge committing crimes for personal gain.
3. Career criminals using computers to assist them in crimes.
4. Outside crackers hoping to find information of value. About 12 percent of cracker attacks cause damage.
Unauthorized Access
Examples:
1. Employees do personal business on company computers.
2. Intruders break into government Web sites and change the information displayed.
3. Thieves steal credit card numbers and Social Security numbers from electronic databases, then use the stolen information to charge thousands of dollars in merchandise to victims.
4. An employee at a Swiss bank steals data that could help other countries' governments charge the bank's customers with tax evasion, hoping to sell the data to those governments for hefty sums of money.
Information Modification
A user accesses electronic information and then changes it without authorization. Example: an employee gives herself a raise by altering the payroll record.
Other Threats to IS Security
Many times, computer security is breached simply because organizations and individuals do not exercise proper care in safeguarding information. Examples:
- Keeping passwords or access codes in plain sight
- Failing to install antivirus software or keep it up to date
- Continuing to use default network passwords
- Being careless about letting outsiders view computer monitors
- Failing to limit access to company files and system resources
- Failing to install effective firewalls or intrusion detection systems, or installing them but failing to monitor them regularly
- Failing to perform proper employee background checks
- Unmonitored employees
- Disgruntled or unhappy workers
Computer Viruses and Other Destructive Code
- Malware: short for "malicious software," such as viruses, worms, and Trojan horses.
- Virus: a destructive program that attaches itself to other programs or files, copies itself when they are run, and disrupts the normal functioning of computer software.
Worms, Trojan Horses, and Other Malware
- Worm: a variation of a virus that spreads itself across networks by taking advantage of security holes, without needing a user to run an infected file.
- Trojan horse: does not self-replicate, but causes damage; the malicious code is hidden inside what appears to be a legitimate program.
- Logic bombs and time bombs: variations of Trojan horses. Time bombs are set off by specific dates; logic bombs are set off by certain types of operations.
Denial of Service Attack
- Attackers prevent legitimate users from accessing services.
- Zombie computers: machines compromised by viruses or worms and then directed to attack Web sites.
- Servers crash under the increased load.
- Example: the MyDoom attack on Microsoft's Web site.
Spyware
- Hidden within freeware or shareware, or embedded within Web sites
- Gathers information about a user: credit card information, behavior tracking for marketing purposes
- Eats up the computer's memory and network bandwidth
Adware
- Free software paid for by advertisements
- Sometimes contains spyware
- Collects information for banner ad customization
Spam
- Electronic junk mail: advertisements of products and services
- Eats up storage space and compromises network bandwidth
- 90 percent of all Internet e-mail is spam
- Spam filters can help
- Spim: spam sent over instant messaging or text messages
Phishing (Spoofing)
- Attempts to trick users into giving away credit card numbers and other credentials by impersonating a trusted party
- Phony messages that appear to come from a legitimate sender
- Duplicates of legitimate Web sites
- Examples: eBay and PayPal have been impersonated.

Phishing Example (slide shows a sample phishing e-mail)
CAPTCHA
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
- A CAPTCHA uses distorted images that are easy for a person to read but hard for an automated program to read; it raises the cost of automation rather than making it impossible.
- A combination of techniques is needed to stop spammers; a CAPTCHA alone is not sufficient.
Cookies
- Cookies are small pieces of data passed to a Web browser from a Web server; the browser sends them back with later requests to that server.
- They are stored by the browser, traditionally in a text file.
- They are used for Web site customization and for keeping track of a logged-in session.
- Cookies may contain sensitive information, such as the identifier that proves a user is logged in.
- Managing cookies: cookie-removal ("cookie killer") software, Web browser settings.
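The slide's point that cookies may carry sensitive information has a server-side counterpart: the attributes a site sets on the cookie decide who else can read it. The following is an added example, not code from the textbook, that audits Set-Cookie headers for the attributes that matter (Secure, HttpOnly, SameSite) and for names that suggest sensitive data is being kept in the browser. The three headers and the list of "sensitive" name fragments are constructed for the demo.

```python
from typing import Dict, List, Tuple

# Added example (not from the textbook): audit Set-Cookie headers for the two
# concerns on the slide, cookies that carry sensitive information and cookies
# that the network or other sites can read. Headers and the name heuristic
# below are constructed for this demo.

SENSITIVE_NAME_HINTS = ("card", "ssn", "password", "pwd", "secret")   # assumption: demo heuristic


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased
    attribute map. Flag attributes (Secure, HttpOnly) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> Tuple[str, List[str]]:
    """Return (cookie name, findings); an empty findings list means nothing was flagged."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP, where it can be read on the network")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to requests started from other sites")
    if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
        findings.append("name suggests sensitive data is stored in the browser instead of server-side")
    return name, findings


def audit_headers(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of a response, preserving order."""
    return [audit_set_cookie(h) for h in headers]


# Constructed responses: one careless, one hardened, one that puts card data in a cookie.
SAMPLE_HEADERS = [
    "sessionid=5f1c9e0b2a; Path=/",
    "sessionid=5f1c9e0b2a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cardnumber=4111111111111111; Path=/checkout; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS):
        print(name, "->", findings or ["OK"])
```

The third header is the case the slide warns about: every transport attribute is set correctly, yet the cookie should not exist at all, because the card number belongs server-side with only an opaque session identifier in the browser.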
Cyberattack Supply Chain
85 percent of all e-mail spam is sent out by only six major botnets.
Sample phishing attack:
1. A programmer writes and sells a phishing attack template.
2. A phisher who wants to run an attack purchases the template and designs an attack.
3. The phisher contracts with a cracker to provide hosting space for the phishing Web sites.
4. The phisher contacts a bot herder to send out the spam e-mail that carries the attack.
5. The phisher provides the stolen personal information to a collector, who removes funds from the affected financial institutions.
6. The collector works with a criminal called a mule herder, who carries out the withdrawals.
Identity Theft
- Fastest growing "information crime"
- Stealing another person's: 1. credit card number, 2. Social Security number, 3. other personal information
- Results in bad credit for the victim
Internet Hoaxes
- False messages circulated online: new viruses (that don't exist), collection of funds for a certain group (example: Haiti earthquake victims)
- Possible consequences: spammers harvesting e-mail addresses from hoaxes
- Web sites such as Hoaxbusters (www.hoaxbusters.org), Symantec, or McAfee publish lists of known hoaxes.
Cybersquatting
- The practice of registering a domain name that corresponds to someone else's trademark or name, with the intent of reselling it to them later.
- Some of the victims include Eminem, Panasonic, Hertz, and Avon.
- Anti-Cybersquatting Consumer Protection Act (1999): fines as high as $100,000
- Some companies pay the cybersquatters anyway to speed up the process of getting the domain.
Cyber Harassment, Stalking, and Bullying
Cyber harassment: a crime that broadly refers to the use of a computer to communicate obscene, vulgar, or threatening content.
Cyber stalking includes:
- Making false accusations that damage the reputation of another
- Gaining information on a victim by monitoring online activities
- Using the Internet to encourage others to harass a victim
- Attacking the data and equipment of a victim by sending e-mail viruses or other destructive code
- Using the Internet to place false orders for goods or services
Cyber Bullying
- Cyber bullying is the deliberate causing of emotional distress to a victim.
- Online predators typically target vulnerable populations for financial purposes.
- Social networking sites have become the playground for online predators.
- Most social networking and chat sites provide ways to report abuse.
Software Piracy
Legal activities:
- Making one backup copy for personal use
- Sharing free software (shareware or public domain software)
Illegal activities:
- Making copies of purchased software for others
- Offering stolen proprietary software (warez peddling)
Intellectual property:
- Patents: process or machine inventions
- Copyrights: creations of the mind
- Various copyright laws are applicable to software.
Software Piracy Is a Global Business
Some factors influencing piracy around the world:
- The concept of intellectual property differs between countries
- Economic reasons for piracy
- Lack of public awareness about the issue
Learning Objective 2: Describe and explain the differences between cyberwar and cyberterrorism.
Cyberwar
Cyberwar: a military's attempt to disrupt or destroy another country's information and communication systems. The goal is to diminish the opponent's communication capabilities. It is used in concert with traditional methods.
Cyberwar Vulnerabilities
Systems at risk:
- Command and control systems
- Intelligence collection and distribution systems
- Information processing and distribution systems
- Tactical communication systems and methods
- Troop and weapon positioning systems
- Friend-or-foe identification systems
- Smart weapons systems
Propaganda: Web vandalism/damage, cyber propaganda
The New Cold War
- A 2007 McAfee report on Internet security listed a cyber cold war as an imminent threat.
- Reminiscent of the Cold War between the United States and the Soviet Union from the mid-1940s until the early 1990s: intelligence agencies are testing networks for possible weaknesses.
- Patriot hackers: independent citizens who attack perceived enemies of the state.
Cyberterrorism
- Governments are not involved; the attackers are non-state actors.
- Attacks can be launched from anywhere in the world.
- The goal is to cause fear, panic, and destruction.
- Cyberterrorism will likely become a weapon of choice.

Use of Internet in Terrorist Attacks (slide shows a figure)
Assessing the Cyberterrorism Threat
Internet infrastructure is extremely vulnerable to cyberterrorism. Some successful attacks:
- 1991, Gulf War: Dutch crackers stole information about the movement of U.S. troops and offered it for sale to Iraq. The Iraqis turned down the offer.
- 2000, U.S. presidential elections: Web sites were targeted by crackers with political motives; DoS attacks were launched.
- 2007: Government and bank networks within Estonia came under attack after the removal of a Soviet-era memorial.
- 2010: China-based hackers attacked Google, which then threatened to stop filtering search results in China.
Obstacles to Cyberterrorism
1. Computer systems are complex, and attacks may not have the desired outcome.
2. Security measures are fast-changing.
3. Cyberattacks rarely cause physical harm to victims.
The Globalization of Terrorism
- Increasing dependence on technology
- Increasing possibilities of cyberterrorism
- International laws and treaties must evolve.
- However, the likelihood of large attacks is small. A successful large attack would require intelligence information, years of preparation, and at least $200 million.
Learning Objective 3: Explain what is meant by the term "IS security" and describe both technology and human-based safeguards for information systems.
Information Systems Security
- All systems connected to a network are at risk, from internal threats and external threats.
- Information systems security: precautions to keep IS safe from unauthorized access and use.
- The need for good computer security has increased with the increased use of the Internet.
Safeguarding Information Systems Resources
- Information systems audits
- Risk analysis: the process of assessing the value of protected assets; cost of loss vs. cost of protection
- Risk reduction: measures taken to protect the system
- Risk acceptance: measures taken to absorb the damages
- Risk transfer: transferring the absorption of risk to a third party (for example, insurance)
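The "cost of loss vs. cost of protection" comparison is usually done with annualized loss expectancy (ALE): the value lost per incident times the expected number of incidents per year. The following is an added example, not from the textbook, that computes ALE for a few assets and picks between the three responses the slide lists (reduce, transfer, accept) by net yearly benefit. All asset values, rates, control costs and premiums are constructed figures.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the textbook): quantitative risk analysis with
# annualized loss expectancy. Every figure below is constructed.


@dataclass
class Risk:
    asset: str
    asset_value: float          # value of the protected asset
    exposure_factor: float      # fraction of that value lost per incident (0..1)
    aro: float                  # annualized rate of occurrence (incidents per year)
    control_cost: float         # yearly cost of the candidate safeguard (risk reduction)
    control_aro: float          # ARO expected once the safeguard is in place
    insurance_premium: Optional[float] = None   # yearly cost to transfer the risk, if offered


def ale(r: Risk, aro: Optional[float] = None) -> float:
    """ALE = single loss expectancy (asset value x exposure factor) x ARO."""
    return r.asset_value * r.exposure_factor * (r.aro if aro is None else aro)


def decide(r: Risk) -> Tuple[str, int, int]:
    """Choose reduce / transfer / accept by net yearly benefit over doing nothing.
    Returns (decision, ALE before treatment, net benefit of the chosen option)."""
    before = ale(r)
    options = [("reduce", before - ale(r, r.control_aro) - r.control_cost)]
    if r.insurance_premium is not None:
        options.append(("transfer", before - r.insurance_premium))
    options.append(("accept", 0.0))            # baseline: absorb the loss yourself
    choice, benefit = max(options, key=lambda o: o[1])
    return choice, round(before), round(benefit)


def rank(risks: List[Risk]) -> List[Risk]:
    """Largest expected yearly loss first: the order in which to spend attention."""
    return sorted(risks, key=ale, reverse=True)


RISKS = [
    Risk("customer database breach", 2_000_000, 0.30, 0.2,
         control_cost=40_000, control_aro=0.02, insurance_premium=90_000),
    Risk("web site outage (DoS)", 500_000, 0.10, 2.0,
         control_cost=150_000, control_aro=0.2, insurance_premium=60_000),
    Risk("laptop theft", 3_000, 1.0, 1.0,
         control_cost=5_000, control_aro=0.1),
]

if __name__ == "__main__":
    for r in rank(RISKS):
        choice, before, benefit = decide(r)
        print(f"{r.asset:28} ALE ${before:>9,}  -> {choice:8} (net benefit ${benefit:,}/yr)")
```

The three constructed cases land on one decision each: the safeguard for the database pays for itself, the DoS scrubbing service costs more than the loss it prevents so insurance is the better transfer, and the laptop control costs more than the exposure so the risk is simply accepted. The same arithmetic shows when a safeguard is worth buying at all: only when the ALE it removes exceeds its yearly cost.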
Technological Safeguards
- Physical access restrictions
- Firewalls
- Encryption
- Virus monitoring and prevention
- Audit-control software
- Dedicated facilities
Technological Safeguards: Physical Access Restrictions
Authentication:
- Use of passwords
- Photo ID cards, smart cards
- Keys to unlock a computer
- Combinations of the above
Authentication depends on:
- Something you have
- Something you know
- Something you are
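Combining two of the factors on the slide is what makes a stolen password alone insufficient. The following is an added example, not code from the textbook, of a login check that requires "something you know" (a password, stored only as a salted PBKDF2 hash) and "something you have" (a one-time code from an authenticator device, computed with HOTP/TOTP as specified in RFC 4226 and RFC 6238). The demo account, its password and the PBKDF2 work factor are assumptions; the OTP secret is the RFC test-vector key so that the codes can be checked against the published tables.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# Added example (not from the textbook): two-factor login, password hash plus
# one-time code. The demo account below is constructed.

PBKDF2_ROUNDS = 200_000   # assumption: work factor chosen for this demo
OTP_STEP = 30             # TOTP time step in seconds
OTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); the plaintext password is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(digest, stored)


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = OTP_DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at_time // OTP_STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = at_time // OTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def login(user: dict, password: str, code: str, at_time: Optional[int] = None) -> bool:
    """Two-factor check. Both factors are always evaluated so that a wrong
    password does not return faster than a wrong code."""
    at_time = int(time.time()) if at_time is None else at_time
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, at_time)
    return pw_ok and otp_ok


# Constructed demo account. The OTP secret is the RFC 4226/6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"
_salt, _hash = hash_password("correct horse battery staple")
DEMO_USER = {"salt": _salt, "pw_hash": _hash, "totp_secret": DEMO_SECRET}

if __name__ == "__main__":
    now = int(time.time())
    print("both factors right:", login(DEMO_USER, "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print("wrong password:    ", login(DEMO_USER, "password1", totp(DEMO_SECRET, now), now))
    print("wrong code:        ", login(DEMO_USER, "correct horse battery staple", "000000", now))
```

A real deployment would also record the last accepted counter per user so that a code cannot be replayed inside its 30-second window, and would rate-limit attempts; both are left out here to keep the two factors visible.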
Biometrics
- A form of authentication based on fingerprints, retinal patterns, facial features, and so on ("something you are")
- Fast authentication
- High security, with a caveat: a biometric is not secret and cannot be changed if the stored template is compromised, so it is best combined with another factor.
Access-Control Software
- Access only to the files required for work (least privilege)
- Restriction of access level: read only, modify, delete
- Certain time periods during which access is allowed
- Business systems applications with built-in access control capabilities
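The three restrictions on the slide (which files, what level, which hours) fit in one access decision. The following is an added example, not code from the textbook, of a default-deny access check for a small role-based policy; the roles, file paths and working hours are constructed for the demo, and every denial names the rule that refused it so the decisions can be written to an audit trail.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Tuple

# Added example (not from the textbook): least-privilege access check with
# operation levels and time windows. Roles, files and hours are constructed.

LEVELS = {"read": 1, "modify": 2, "delete": 3}   # each level includes the lower ones


@dataclass(frozen=True)
class Grant:
    level: str          # highest operation permitted on the file
    start_hour: int     # first hour of the allowed window (inclusive, 0-23)
    end_hour: int       # hour at which the window closes (exclusive, 1-24)


# role -> file -> grant. A missing entry is a denial (default deny).
POLICY: Dict[str, Dict[str, Grant]] = {
    "payroll_clerk": {
        "/hr/payroll.db": Grant("modify", 8, 18),
        "/hr/handbook.pdf": Grant("read", 0, 24),
    },
    "payroll_admin": {
        "/hr/payroll.db": Grant("delete", 8, 18),
    },
}


def check_access(role: str, path: str, op: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Only an explicit grant that covers the
    operation level and the time of day allows the request."""
    if op not in LEVELS:
        return False, f"unknown operation {op!r}"
    grant = POLICY.get(role, {}).get(path)
    if grant is None:
        return False, f"no grant for role {role!r} on {path}"
    if LEVELS[op] > LEVELS[grant.level]:
        return False, f"{op} exceeds granted level {grant.level!r}"
    if not grant.start_hour <= when.hour < grant.end_hour:
        return False, f"outside allowed hours {grant.start_hour:02d}:00-{grant.end_hour:02d}:00"
    return True, "allowed"


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on a fixed demo date."""
    return datetime(2024, 3, 4, hour, minute)


if __name__ == "__main__":
    requests = [
        ("payroll_clerk", "/hr/payroll.db", "modify", at(10)),
        ("payroll_clerk", "/hr/payroll.db", "delete", at(10)),
        ("payroll_clerk", "/hr/payroll.db", "modify", at(20)),
        ("payroll_admin", "/hr/payroll.db", "delete", at(17, 59)),
        ("intern", "/hr/payroll.db", "read", at(10)),
    ]
    for role, path, op, when in requests:
        ok, why = check_access(role, path, op, when)
        print(f"{when:%H:%M} {role:14} {op:7} {path:18} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The clerk can change payroll records during office hours but can neither delete them nor touch them at 20:00; a role with no grant gets nothing. Built-in access control in business applications works the same way, with the policy table maintained by the application rather than in code.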
Wireless LAN Control
- Wireless LANs are cheap and easy to install, and their use is on the rise.
- The signal is transmitted through the air and is susceptible to being intercepted.
- Drive-by hacking ("war driving"): attackers locate and connect to unprotected wireless networks from nearby.
Virtual Private Networks
- A connection constructed dynamically within an existing network
- Tunneling: private data is sent over a public network inside encrypted packets
Firewalls
- Firewall: a system that filters traffic between networks according to a set of rules, blocking unauthorized access; many firewalls also log or alert on blocked connection attempts, but detection proper is the job of an intrusion detection system.
- Implementation: hardware, software, or mixed
Encryption
- The message is encoded (encrypted) before sending and decoded (decrypted) when received.
- Cryptography: the science of encryption. Decoding requires use of a key.
- Certificate authority: a trusted third party that issues digital certificates binding a public key to an identity, so that visitors to a busy Web site can trust the key it presents.
- Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS): a popular protocol that uses public key cryptography to authenticate the server and agree on a session key for encrypting the traffic.
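The security of an SSL/TLS connection rests on the certificate-authority check, not on the encryption alone: a client that encrypts to whatever key the other end presents is protected from nobody who can sit in the path. The following is an added example, not code from the textbook, using Python's standard `ssl` module to build a client context with verification switched off (a shortcut often taken to silence certificate errors) beside a hardened one, with an audit function that flags the weak settings. Nothing connects to the network; the contexts are only built and inspected.

```python
import ssl
from typing import List

# Added example (not from the textbook): weak vs. hardened TLS client settings
# and a checker for them. Only standard-library ssl is used; no network I/O.


def insecure_context() -> ssl.SSLContext:
    """Encrypts, but to whoever answers: any certificate and any hostname are
    accepted, so an attacker in the path can present their own key and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Requires a certificate chaining to a trusted CA, checks that its name
    matches the host being contacted, and refuses TLS versions older than 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context; an empty list means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or ["OK"])
```

For a server whose certificate is issued by an internal CA, the correct fix is to add that CA to the hardened context with `ctx.load_verify_locations(cafile=...)`, not to switch verification off.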
Virus Monitoring and Prevention
Virus prevention:
- Purchase and install antivirus software, and update it frequently.
- Do not download data from unknown sources (flash drives, disks, Web sites).
- Delete (without opening) e-mails from unknown sources.
- Do not blindly open e-mail attachments, even if they come from a known source.
- Report any viruses to the IT department.
Audit-Control Software
- Keeps track of computer activity and spots suspicious actions
- Audit trail: a record of users and a record of their activities
- The IT department needs to monitor this activity; an audit trail that nobody reads detects nothing.
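"Spots suspicious action" means someone, or something, has to run rules over the audit trail. The following is an added example, not code from the textbook, of two such rules run over a constructed audit log: a burst of failed logins for one account from one address (password guessing), and a user changing their own payroll record (the raise from the information-modification slide). The log format, the field names and every line are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Added example (not from the textbook): detection rules over an audit trail.
# Log format and all lines below are constructed.

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.+)$")


def parse_event(line: str) -> Dict[str, object]:
    """'2024-03-04T09:00:01 user=bob action=login result=FAIL src=203.0.113.9' -> dict"""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event: Dict[str, object] = dict(kv.split("=", 1) for kv in m.group("rest").split())
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    return event


def detect_login_bursts(events, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Alert when `threshold` failed logins for one (user, source) fall inside a sliding window."""
    alerts = []
    recent: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e.get("action") != "login" or e.get("result") != "FAIL":
            continue
        times = recent[(e["user"], e["src"])]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:   # drop failures that fell out of the window
            times.pop(0)
        if len(times) == threshold:                     # fire once, when the threshold is first reached
            alerts.append(f"{e['ts'].isoformat()} login burst: {threshold} failures for "
                          f"{e['user']} from {e['src']} within {window}")
    return alerts


def detect_self_modification(events) -> List[str]:
    """Alert when the actor of a payroll update is also the subject of the record."""
    return [f"{e['ts'].isoformat()} self-modification: {e['user']} changed own {e['field']} in payroll"
            for e in events
            if e.get("action") == "update" and e.get("table") == "payroll"
            and e.get("record") == e.get("user")]


def analyze(lines: List[str]) -> List[str]:
    events = [parse_event(line) for line in lines if line.strip()]
    return detect_login_bursts(events) + detect_self_modification(events)


# Constructed audit trail: bob's account is being guessed from one address,
# alice mistypes twice then succeeds, carol edits her own salary, dave (payroll) edits carol's record.
SAMPLE_LOG = [
    "2024-03-04T09:00:01 user=bob action=login result=FAIL src=203.0.113.9",
    "2024-03-04T09:00:05 user=bob action=login result=FAIL src=203.0.113.9",
    "2024-03-04T09:00:09 user=alice action=login result=FAIL src=10.0.0.5",
    "2024-03-04T09:00:12 user=bob action=login result=FAIL src=203.0.113.9",
    "2024-03-04T09:00:20 user=alice action=login result=FAIL src=10.0.0.5",
    "2024-03-04T09:00:25 user=alice action=login result=OK src=10.0.0.5",
    "2024-03-04T09:00:30 user=bob action=login result=FAIL src=203.0.113.9",
    "2024-03-04T09:00:33 user=bob action=login result=FAIL src=203.0.113.9",
    "2024-03-04T09:00:40 user=bob action=login result=FAIL src=203.0.113.9",
    "2024-03-04T10:15:02 user=carol action=update table=payroll record=carol field=salary",
    "2024-03-04T10:16:40 user=dave action=update table=payroll record=carol field=department",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second rule is a detective control for exactly the modification the earlier slide describes; the preventive counterpart is an access policy that never lets a user write their own payroll row in the first place.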
Secure Data Centers
- Specialized facilities are important.
- Technical requirements: power, cooling
- How do organizations reliably protect themselves from threats?
Ensuring Availability
High-availability facilities, to ensure uninterrupted service:
- Self-sufficient
- Backup cooling systems
- Raised floors (to more easily reconfigure systems)
- Built to withstand storms
- Collocation facilities
- UPS; servers need 24/7/365 reliability
Securing the Facilities Infrastructure
1. Backups: secondary storage devices, taken at regular intervals
2. Backup sites
   - Cold backup site: an alternate facility with space, power, and connectivity but no installed systems or current data; equipment must be brought in and data restored before it can take over.
   - Hot backup site: a fully equipped duplicate facility with current data that can take over almost immediately.
   - The same words are also used for database backups: a cold backup is taken while the database is closed or locked and not available to users; a hot backup is an image of the database generated by the database management system while it is online and usable.
3. Redundant data centers in different geographic areas
4. Closed-circuit television (CCTV): monitoring for physical intruders; video cameras display and record all activity; digital video recording
5. Uninterruptible power supply (UPS): battery power that keeps systems running through short outages and, in most units, protection against power surges
Human Safeguards
Use of federal and state laws as well as ethics
Computer Forensics
- Use of formal investigative techniques to evaluate digital information
- Evaluation of storage devices for traces of illegal activity
- Restoration of deleted files
- Honeypots used to entice and catch hackers and crackers (example: DarkMarket)
- Some criminals have special "booby-trap" programs to destroy evidence.
Learning Objective 4: Discuss how to better manage IS security and explain the process of developing an IS security plan.
Managing Information Systems Security
Non-technical safeguards: management of people's use of IS
- Acceptable use policies
- Trustworthy employees
- Well-treated employees
Developing an Information Systems Security Plan
An ongoing five-step process.
1. Risk analysis
   a. Determine the value of electronic information.
   b. Assess threats to the confidentiality, integrity, and availability of information.
   c. Identify the most vulnerable computer operations.
   d. Assess current security policies.
   e. Recommend changes to existing practices to improve computer security.
Security Plan: Step 2
2. Policies and procedures: rules for normal operation and actions to be taken if security is breached
   a. Information policy: handling of sensitive information.
   b. Security policy: technical controls on organizational computers.
   c. Use policy: appropriate use of in-house IS.
   d. Backup policy: explains backup requirements.
   e. Account management policy: procedures for adding new users and removing user accounts.
   f. Incident handling procedures: handling a security breach.
   g. Disaster recovery plan: restoration of computer operations.
Security Plan: Remaining Steps
3. Implementation
   a. Implementation of network security hardware and software
   b. Dissemination of IDs and smart cards
   c. Responsibilities of the IS department
4. Training of the organization's personnel
5. Auditing
   a. Assessment of policy adherence
   b. Penetration tests
Disaster Planning
- Disasters can't be completely avoided; organizations need to be prepared.
- Business continuity plan: describes how a business resumes operation after a disaster.
- Disaster recovery plan: a subset of the business continuity plan; procedures for recovering from systems-related disasters. Two types of objectives:
  - Recovery time objective (RTO): the maximum time allowed to recover
  - Recovery point objective (RPO): how current the backup material must be, that is, the maximum acceptable data loss measured in time, which bounds how far apart backups may be taken
Questions Addressed by Recovery Plan
- What events are considered a disaster?
- What should be done to prepare the backup site?
- What is the chain of command, and who can declare a disaster?
- What hardware and software are needed to recover from a disaster?
- Which personnel are needed for staffing the backup sites?
- What is the sequence for moving back to the original location after recovery?
- Which provider can be drawn on to aid in the disaster recovery process?
Responding to a Security Breach
- Preserve evidence first (copies of the affected disks and logs), so that the forensic evaluation described under Computer Forensics remains possible.
- Restore lost data.
- Perform a new risk audit.
- Implement additional safeguards.
- Contact law enforcement. The CERT Coordination Center (CERT/CC), a federally funded center of Internet security expertise at Carnegie Mellon University's Software Engineering Institute, can also be contacted.
The State of Systems Security Management
10-63
CSI Computer Crime and Security Survey (2009) findings:
Financial losses from cybercrime are decreasing.
Financial fraud attacks result in the greatest financial losses.
Only about 29 percent of organizations report intrusions to law enforcement (fear of falling stock prices).
Most organizations do not outsource security activities.
Nearly all organizations conduct routine security audits.
Most organizations agree security training is important; the majority said they do not do enough training.
Use of Security Technologies
10-64
The CSI Computer Crime and Security Survey (2009) found that most organizations use the following security measures:
Activity logging and intrusion detection
Antivirus and antispyware software
Firewalls and VPNs
Encryption for data in transit and at rest
Learning Objectives
10-65
IS Controls, Auditing, and Sarbanes-Oxley Act
10-66
Information systems controls: specific IT processes designed to ensure the reliability of information.
Controls should be a combination of three types:
Preventive controls
Detective controls
Corrective controls
Hierarchy of IS Controls
10-67
Types of IS Controls
10-68
Policies: define aims and objectives.
Standards: support the requirements of policies.
Organization and management: define the lines of reporting.
Physical and environmental controls: protect the organization’s IS assets.
Types of IS Controls (cont’d)
10-69
Systems software controls: enable applications and users to utilize the systems.
Systems development and acquisition controls: ensure systems meet the organization’s needs.
Application-based controls: ensure correct input, processing, storage, and output of data; maintain a record of data as it moves through the system.
IS Auditing
10-70
Information systems audit: performed by external auditors to help organizations assess the state of their IS controls, to determine necessary changes, and to assure IS availability, confidentiality, and integrity.
Risk assessment: determine what types of risks the IS infrastructure faces.
Computer-Assisted Auditing Tools (CAAT): specific software to test applications and data, using test data or simulations.
The Sarbanes-Oxley Act
10-71
The Sarbanes-Oxley Act was enacted as a reaction to large-scale accounting scandals (WorldCom, Enron).
It primarily addresses the accounting side of organizations. Companies have to demonstrate that:
controls are in place to prevent misuse and fraud,
controls are in place to detect potential problems, and
measures are in place to correct problems.
COBIT (Control Objectives for Information and Related Technology): a set of best practices that helps organizations maximize the benefits from their IS infrastructure and establish appropriate controls.
End of Chapter Content
10-72
Managing in the Digital World: Drive-by Hacking
10-73
60–80 percent of corporate wireless networks do not use adequate security.
“War driving”—a new hacker tactic
“War spamming”: attackers link to an e-mail server and send out millions of spam messages.
Businesses fight back using bogus access points.
Network scanners distinguish between real and fake access points (APs).
Fast Packet Keying—to fix shortcomings of Wired Equivalent Privacy (WEP)
ETHICAL DILEMMA
Ethical Hacking
10-74
Mark Maiffret: he started as a hacker. He now designs and sells software for companies to secure their networks against hackers.
eEye Digital Security: Maiffret is Chief Hacking Officer. Its software prevents unauthorized access.
Don’t hire anyone with a criminal record—“good” hackers don’t get caught.
NET STATS
Top Cyber Threats
In 1988, Robert Morris’s worm (actually, a bug) crashed 6,000 computers.
According to Kaspersky Lab, for 2010 and beyond they expect to see an increase in the following:
1. File sharing network attacks
2. Use of botnet services
3. Fake antivirus programs
4. More sophisticated malware
5. Web services attacks
6. Attacks on popular mobile handsets
7. Social networking site attacks
8. Third-party software attacks
10-75
Hacking an Airplane
10-76
Aircraft use more and more information technologies. For example, Boeing’s 787 Dreamliner has various onboard networks.
The network providing in-flight Internet access is connected to control, navigation, and communication systems.
Passengers could possibly access flight controls.
IT experts urge Boeing to separate flight controls and passenger systems. “This is serious.”
In early 2010, the FAA issued a “special conditions alert” specifically aimed at the Boeing 747-8/-8F.
COMING ATTRACTIONS
What Were You Thinking?
Some advertisements are considered too raunchy. When this happens, swift and decisive consumer backlash results in the advertiser pulling the ad.
Emsense, a San Francisco-based company, has developed a headset for tracking brain activity. The headset uses algorithms that translate physiological data into information about emotions.
Other applications: Toshiba, Neurosky, University of Maryland.
10-77
POWERFUL PARTNERSHIPS
Netscape’s James H. Clark and Marc Andreessen
10-78
World Wide Web came into existence in 1993.
1994—James H. Clark and Marc Andreessen founded Mosaic Communications Corporation (and the Netscape browser).
Clark—PhD in computer science from the University of Utah.
Andreessen—Bachelor’s in computer science from the University of Illinois at Urbana-Champaign.
Made Netscape free (competition with Microsoft).
WHEN THINGS GO WRONG
Backhoe Cyberthreat
10-79
Telecommunications infrastructure is vulnerable. Telephone lines, fiber-optic cables, water lines, and gas pipelines have been accidentally damaged: 675,000 incidents reported in 1 year.
Underwater cables are frequently cut by accident; cable cuts happen on average once every three days.
Infrastructure information is publicly available.
Most Internet communication goes through cables buried along major highways and railroads. Only two major routes across the United States carry Internet traffic.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall