IS Today (Valacich & Schneider) 5/e Copyright © 2012 Pearson Education, Inc. Published as Prentice Hall

Chapter 10 Securing Information Systems

Upload: alfred-payne

Post on 08-Jan-2018


Learning Objectives

1. Define computer crime and describe several types of computer crime.
2. Describe and explain the differences between cyberwar and cyberterrorism.
3. Explain what is meant by the term “IS security” and describe both technology and human-based safeguards for information systems.
4. Discuss how to better manage IS security and explain the process of developing an IS security plan.
5. Describe how organizations can establish IS controls to better ensure IS security.

Accessories for “war driving” can be easily built using simple parts.


Primary Threats to Information Systems Security

- Natural disasters
  - Power outages, hurricanes, floods, and so on
- Accidents
  - Power outages, cats walking across keyboards
- Employees and consultants
- Links to outside business contacts
  - Travel between business affiliates
- Outsiders
- Viruses

Computer Crime

- Computer crime—The act of using a computer to commit an illegal act.
  - Targeting a computer while committing an offense.
  - Using a computer to commit an offense.
  - Using computers to support a criminal activity.
- Overall trend for computer crime has been declining over the past several years (CSI, 2009).
- Many incidents are never reported.

Hacking and Cracking

- Hackers—individuals who are knowledgeable enough to gain access to computer systems without authorization.
  - Term first used in the 1960s at MIT
  - Often the motivation is curiosity, not crime
- Crackers—those who break into computer systems with the intention of doing damage or committing a crime.
- Hacktivists—those who attempt to break into systems or deface Web sites to promote political or ideological goals

Types of Criminals

No clear profile as to who commits computer crimes

Four groups of computer criminals

1. Current or former employees
   - 85–95% of theft from businesses comes from the inside
2. People with technical knowledge committing crimes for personal gain
3. Career criminals using computers to assist them in crimes
4. Outside crackers hoping to find information of value
   - About 12 percent of cracker attacks cause damage

Unauthorized Access

Examples

1. Employees do personal business on company computers.

2. Intruders break into government Web sites and change the information displayed.

3. Thieves steal credit card numbers and Social Security numbers from electronic databases, then use the stolen information to charge thousands of dollars in merchandise to victims.

4. An employee at a Swiss bank steals data that could possibly help to charge the bank’s customers for tax evasion, hoping to sell this data to other countries’ governments for hefty sums of money.

Information Modification

- User accesses electronic information.
- User changes information.
- Employee gives herself a raise.

Other Threats to IS Security

Many times, computer security is breached simply because organizations and individuals do not exercise proper care in safeguarding information.

Examples:

- Keeping passwords or access codes in plain sight
- Failing to install antivirus software or keep it up to date
- Continuing to use default network passwords
- Being careless about letting outsiders view computer monitors
- Failure to limit access to company files and system resources
- Failure to install effective firewalls or intrusion detection systems, or installing them but failing to monitor them regularly
- Failure to provide proper employee background checks
- Unmonitored employees
- Disgruntled/unhappy workers

Computer Viruses and Other Destructive Code

Malware—short for “malicious software” such as viruses, worms, and Trojan horses.

Virus—a destructive program that disrupts the normal functioning of computer software.

Worms, Trojan Horses, and Other Malware

- Worm
  - Variation of a virus that is targeted at networks, taking advantage of security holes
- Trojan horse
  - Does not replicate, but causes damage.
  - Codes are hidden.
- Logic bombs or time bombs
  - Variations of Trojan horses
  - Time bombs are set off by specific dates; logic bombs are set off by certain types of operations.

Denial of Service Attack

- Attackers prevent legitimate users from accessing services.
- Zombie computers
  - Created by viruses or worms
  - Attack Web sites
- Servers crash under increased load.
  - MyDoom attack on Microsoft’s Web site

Spyware

- Hidden within freeware or shareware, or embedded within Web sites
- Gathers information about a user
  - Credit card information
  - Behavior tracking for marketing purposes
- Eats up computer’s memory and network bandwidth
- Adware
  - Free software paid for by advertisements
  - Sometimes contains spyware
  - Collects information for banner ad customization

Spam

- Electronic junk mail
- Advertisements of products and services
- Eats up storage space
- Compromises network bandwidth
- 90 percent of all Internet e-mail is spam!
- Spam filters can help.
- Spim—spam in text message form

Phishing (Spoofing)

- Attempts to trick users into giving away credit card numbers
- Phony messages
- Duplicates of legitimate Web sites
- Examples: eBay, PayPal have been used.

Phishing Example

CAPTCHA

Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)

CAPTCHA uses images that computers cannot read.

Combination of techniques is needed to stop spammers.

Cookies

- Cookies are messages passed to a Web browser from a Web server.
- They are stored in a text file.
- They are used for Web site customization.
- Cookies may contain sensitive information.
- Managing cookies
  - Cookie killer software
  - Web browser settings

Cyberattack Supply Chain

85 percent of all e-mail spam is sent out by only six major botnets.

Sample phishing attack:

- A programmer writes and sells a phishing attack template.
- A phisher who wants to run an attack purchases the template and designs an attack.
- The phisher contracts with a cracker to provide hosting space for the phishing Web sites.
- The phisher contacts a bot herder to send out the spam e-mail that carries the attack.
- The phisher provides the stolen personal information to a collector who removes funds from the affected financial institutions.
- The collector works with a criminal called a mule herder who carries out the withdrawals.

Identity Theft

- Fastest growing “information crime”
- Stealing another person’s:
  1. Credit card number
  2. Social Security number
  3. Other personal information
- Results in bad credit for victim

Internet Hoaxes

- False messages circulated online
  - New viruses (that don’t exist)
  - Collection of funds for certain group
    - Example: Haiti earthquake victims
- Possible consequences
  - Spammers harvesting e-mail addresses from hoaxes
- Web sites, such as Hoaxbusters (www.hoaxbusters.org), Symantec, or McAfee, publish lists of known hoaxes.

Cybersquatting

- The practice of registering a domain name and later reselling it.
- Some of the victims include:
  - Eminem
  - Panasonic
  - Hertz
  - Avon
- Anti-Cybersquatting Consumer Protection Act in 1999
  - Fines as high as $100,000
  - Some companies pay the cybersquatters to speed up the process of getting the domain.

Cyber Harassment, Stalking, and Bullying

- Cyber harassment—Crime that broadly refers to the use of a computer to communicate obscene, vulgar, or threatening content.
- Cyber stalking
  - Making false accusations that damage reputation of another
  - Gaining information on a victim by monitoring online activities
  - Using the Internet to encourage others to harass a victim
  - Attacking data and equipment of a victim by sending e-mail viruses or other destructive code
  - Using the Internet to place false orders for goods or services

Cyber Bullying

- Cyber bullying is the deliberate cause of emotional distress to a victim
- Online predator
  - Typically target vulnerable population for financial purposes
  - Social networking sites have become the playground for online predators.
  - Most social networking and chat sites provide ways to report abuse.

Software Piracy

- Legal activities
  - Making one backup copy for personal use
  - Sharing free software (shareware or public domain software)
- Illegal activities
  - Making copies of purchased software for others
  - Offering stolen proprietary software (warez peddling)
- Intellectual property
  - Patents: process or machine inventions
  - Copyrights: creations of the mind
  - Various copyright laws applicable to software

Software Piracy Is a Global Business

- Some factors influencing piracy around the world
  - Concept of intellectual property differs between countries
  - Economic reasons for piracy
  - Lack of public awareness about the issue


Cyberwar

- Cyberwar—Military’s attempt to disrupt or destroy another country’s information and communication systems
  - Goal is to diminish opponent’s communication capabilities.
  - It is used in concert with traditional methods.

Cyberwar Vulnerabilities

- Systems at risk:
  - Command and control systems
  - Intelligence collection and distribution systems
  - Information processing and distribution systems
  - Tactical communication systems and methods
  - Troop and weapon positioning systems
  - Friend-or-foe identification systems
  - Smart weapons systems
- Propaganda
  - Web vandalism/damage
  - Cyber propaganda

The New Cold War

A 2007 McAfee report on Internet security listed a cyber cold war as an imminent threat.

Reminiscent of the Cold War between the United States and the Soviet Union from the mid-1940s until the early 1990s—intelligence agencies are testing networks for possible weaknesses.

Patriot Hackers—independent citizens that attack perceived enemies of the state.

Cyberterrorism

- Governments are not involved.
- Attacks can be launched from anywhere in the world.
- Goal is to cause fear, panic, and destruction.
- Cyberterrorism will likely become weapon of choice.

Use of Internet in Terrorist Attacks

Assessing the Cyberterrorism Threat

- Internet infrastructure is extremely vulnerable to cyberterrorism.
- Some successful attacks
  - 1991—Gulf War
    - Dutch crackers stole information about the movement of U.S. troops and offered it for sale to Iraq.
    - The Iraqis turned down the offer.
  - 2000—U.S. presidential elections
    - Web sites were targeted by crackers with political motives.
    - DoS attacks launched.
  - 2007—Government and bank networks within Estonia came under attack for the removal of a Soviet-era memorial.
  - 2010—Chinese-based hackers attacked Google, which threatened to remove Chinese filter searches from the search engine.

Obstacles to Cyberterrorism

1. Computer systems are complex and attacks may not have desired outcome.

2. Security measures are fast-changing.

3. Cyberattacks rarely cause physical harm to victims.

The Globalization of Terrorism

- Increasing dependence on technology
- Increasing possibilities of cyberterrorism
- International laws and treaties must evolve.
- However: likelihood of large attacks is small.
- Successful large attack would require:
  - Intelligence information
  - Years of preparation
  - At least $200 million


Information Systems Security

- All systems connected to a network are at risk.
  - Internal threats
  - External threats
- Information systems security
  - Precautions to keep IS safe from unauthorized access and use
- Increased need for good computer security with increased use of the Internet

Safeguarding Information Systems Resources

- Information systems audits
- Risk analysis
  - Process of assessing the value of protected assets
  - Cost of loss vs. cost of protection
- Risk reduction
  - Measures taken to protect the system
- Risk acceptance
  - Measures taken to absorb the damages
- Risk transfer
  - Transferring the absorption of risk to a third party

Technological Safeguards

- Physical access restrictions
- Firewalls
- Encryption
- Virus monitoring and prevention
- Audit-control software
- Dedicated facilities

Technological Safeguards

- Physical access restrictions
  - Authentication
    - Use of passwords
    - Photo ID cards, smart cards
    - Keys to unlock a computer
    - Combination
  - Authentication dependent on
    - Something you have
    - Something you know
    - Something you are

Biometrics

- Form of authentication
  - Fingerprints
  - Retinal patterns
  - Facial features and so on
- Fast authentication
- High security

Access-Control Software

- Access only to files required for work
- Restriction of access level
  - Read only, modify, delete
- Certain time periods for allowed access
- Business systems applications
  - Built-in access control capabilities

Wireless LAN Control

- Wireless LAN cheap and easy to install
- Use on the rise
- Signal transmitted through the air
  - Susceptible to being intercepted
  - Drive-by hacking

Virtual Private Networks

- Connection constructed dynamically within an existing network
- Tunneling
  - Send private data over public network
  - Encrypted information

Firewalls

- Firewall—A system designed to detect intrusion and prevent unauthorized access
- Implementation
  - Hardware, software, mixed

Encryption

- Message encoded before sending
- Message decoded when received

Cryptography—the science of encryption. It requires use of a key for decoding.

Certificate authority—manages distribution of keys on a busy Web site.

Secure Sockets Layer (SSL)—popular public key encryption method.


Virus Monitoring and Prevention

- Virus prevention
  - Purchase and install antivirus software.
    - Update frequently.
  - Do not download data from unknown sources.
    - Flash drives, disks, Web sites
  - Delete (without opening) e-mails from unknown sources.
  - Do not blindly open e-mail attachments
    - Even if they come from a known source.
  - Report any viruses to the IT department.


Audit-Control Software

- Keeps track of computer activity
- Spots suspicious action
- Audit trail
  - Record of users
  - Record of activities
- IT department needs to monitor this activity.


Secure Data Centers

- Specialized facilities are important.
- Technical Requirements
  - Power
  - Cooling
- How do organizations reliably protect themselves from threats?


Ensuring Availability

- High-availability facilities
  - To ensure uninterrupted service
  - Self-sufficient
  - Backup cooling systems
  - Raised floors (to more easily reconfigure systems)
  - Built to withstand storms
- Collocation facilities
- UPS servers need 24/7/365 reliability


Securing the Facilities Infrastructure

1. Backups
   - Secondary storage devices
   - Regular intervals
2. Backup sites
   - Cold backup site
     - During a cold backup, the database is closed or locked and not available to users
   - Hot backup site
     - Some database management systems offer a means to generate a backup image of the database while it is online and usable ("hot")
3. Redundant data centers
   - Different geographic areas
4. Closed-circuit television (CCTV)
   - Monitoring for physical intruders
   - Video cameras display and record all activity
   - Digital video recording
5. Uninterruptible power supply (UPS)
   - Protection against power surges


Human Safeguards

Use of federal and state laws as well as ethics


Computer Forensics

- Use of formal investigative techniques to evaluate digital information
  - Evaluation of storage devices for traces of illegal activity
  - Restoration of deleted files
- Honeypots used to entice and catch hackers and crackers
  - Example: DarkMarket
- Some criminals have special “booby-trap” programs to destroy evidence.


Learning Objectives


Managing Information Systems Security

- Non-technical safeguards
  - Management of people’s use of IS
  - Acceptable use policies
  - Trustworthy employees
  - Well-treated employees


Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
   a. Determine value of electronic information.
   b. Assess threats to confidentiality, integrity, and availability of information.
   c. Identify most vulnerable computer operations.
   d. Assess current security policies.
   e. Recommend changes to existing practices to improve computer security.


Security Plan: Step 2

2. Policies and procedures—actions to be taken if security is breached
   a. Information Policy—handling of sensitive information.
   b. Security Policy—technical controls on organizational computers.
   c. Use Policy—appropriate use of in-house IS.
   d. Backup Policy—explains backup requirements.
   e. Account Management Policy—procedures for adding new users and removing user accounts.
   f. Incident Handling Procedures—handling security breach.
   g. Disaster Recovery Plan—restoration of computer operations.


Security Plan: Remaining Steps

3. Implementation
   a. Implementation of network security hardware and software
   b. IDs and smart cards dissemination
   c. Responsibilities of the IS department
4. Training—organization’s personnel
5. Auditing
   a. Assessment of policy adherence
   b. Penetration tests


Disaster Planning

- Disasters can’t be completely avoided.
  - Need to be prepared.
- Business continuity plan describes how a business resumes operation after a disaster
- Disaster recovery plan
  - Subset of business continuity plan
  - Procedures for recovering from systems-related disasters
  - Two types of objectives
    - Recovery time objectives (Maximum time allowed to recover)
    - Recovery point objectives (How current should the backup material be?)
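The two recovery objectives can be checked against actual backup records. The following is an added example, not part of the original slides; the job history, timestamps and function names are constructed for illustration. It measures the data-loss window against the recovery point objective (RPO) and the restore duration against the recovery time objective (RTO), counting only backups that succeeded.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the slides): nightly backup jobs, one failed.
BACKUP_HISTORY = [
    ("2024-03-01T02:00", "ok"),
    ("2024-03-02T02:00", "ok"),
    ("2024-03-03T02:00", "failed"),
    ("2024-03-04T02:00", "ok"),
    ("2024-03-05T02:00", "ok"),
]


def parse(ts):
    """Parse the timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def good_backups(history):
    """Completion times of usable backups only; a failed job protects nothing."""
    return sorted(parse(ts) for ts, status in history if status == "ok")


def data_loss_window(history, incident):
    """Age of the newest usable backup when the incident happened.

    Returns None when no usable backup predates the incident.
    """
    prior = [t for t in good_backups(history) if t <= incident]
    return incident - prior[-1] if prior else None


def worst_case_gap(history):
    """Largest interval between consecutive usable backups.

    This is the data loss suffered if a disaster strikes just before the
    later backup of that pair completes, so it bounds the RPO the schedule
    can actually deliver.
    """
    good = good_backups(history)
    return max((b - a for a, b in zip(good, good[1:])), default=None)


def check_objectives(history, incident, restored_at, rpo, rto):
    """Compare one incident (or recovery drill) with the plan's objectives."""
    loss = data_loss_window(history, incident)
    gap = worst_case_gap(history)
    recovery = restored_at - incident
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "recovery_time": recovery,
        "rto_met": recovery <= rto,
        "worst_case_gap": gap,
        "schedule_meets_rpo": gap is not None and gap <= rpo,
    }


if __name__ == "__main__":
    report = check_objectives(
        BACKUP_HISTORY,
        incident=parse("2024-03-03T20:00"),     # constructed incident time
        restored_at=parse("2024-03-04T01:30"),  # constructed restore completion
        rpo=timedelta(hours=24),
        rto=timedelta(hours=8),
    )
    for name, value in report.items():
        print(f"{name}: {value}")
```

In the sample data a single failed nightly job stretches the data-loss window to 42 hours, so a 24-hour RPO is missed even though the restore finishes inside the 8-hour RTO.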


Questions Addressed by Recovery Plan

- What events are considered a disaster?
- What should be done to prepare the backup site?
- What is the chain of command, and who can declare a disaster?
- What hardware and software are needed to recover from a disaster?
- Which personnel are needed for staffing the backup sites?
- What is the sequence for moving back to the original location after recovery?
- Which provider can be drawn on to aid in the disaster recovery process?


Responding to a Security Breach

- Restore lost data.
- Perform new risk audit.
- Implement additional safeguards.
- Contact law enforcement.
  - Computer Emergency Response Team Coordination Center (Federal government center of Internet security expertise)


The State of Systems Security Management

CSI Computer Crime and Security Survey (2009) findings:

- Financial losses of cybercrime are decreasing.
- Financial fraud attacks result in the greatest financial losses.
- Only about 29 percent of organizations report intrusions to law enforcement.
  - Fear of falling stock prices
- Most organizations do not outsource security activities.
- Nearly all organizations conduct routine security audits.
- Most organizations agree security training is important.
  - Majority said they do not do enough training.


Use of Security Technologies

CSI Computer Crime and Security Survey (2009) finds that most organizations use the following security measures:

- Activity logging and intrusion detection
- Antivirus and antispyware software
- Firewalls and VPNs
- Encryption for data in transit and at rest


Learning Objectives


IS Controls, Auditing, and Sarbanes-Oxley Act

- Information Systems controls: specific IT processes designed to ensure reliability of information
- Controls should be a combination of three types:
  - Preventive controls
  - Detective controls
  - Corrective controls


Hierarchy of IS Controls


Types of IS Controls

- Policies
  - Define aim and objectives.
- Standards
  - Support the requirements of policies.
- Organization and management
  - Define the lines of reporting.
- Physical and environmental controls
  - Protect the organization’s IS assets.


Types of IS Controls (cont’d)

- Systems software controls
  - Enable applications and users to utilize the systems.
- Systems development and acquisition controls
  - Ensure systems meet the organization’s needs.
- Application-based controls
  - Ensure correct input, processing, storage, and output of data; maintain record of data as it moves through the system.


IS Auditing

- Information Systems audit
  - Performed by external auditors to help organizations assess the state of their IS controls.
    - To determine necessary changes
    - To assure the IS availability, confidentiality, and integrity
- Risk assessment
  - Determine what type of risks the IS infrastructure faces.
- Computer-Assisted Auditing Tools (CAAT)
  - Specific software to test applications and data, using test data or simulations.


The Sarbanes-Oxley Act

- The Sarbanes-Oxley Act was formed as a reaction to large-scale accounting scandals.
  - WorldCom, Enron
- It primarily addresses the accounting side of organizations.
- Companies have to demonstrate that:
  - controls are in place to prevent misuse and fraud,
  - controls are in place to detect potential problems, and
  - measures are in place to correct problems
- COBIT (Control Objectives for Information and Related Technology)
  - Set of best practices
  - Help organizations to maximize the benefits from their IS infrastructure
  - Establish appropriate controls


End of Chapter Content


Managing in the Digital World: Drive-by Hacking

- 60–80 percent of corporate wireless networks do not use adequate security.
- “War driving”—a new hacker tactic
- “War spamming”
  - Attackers link to an e-mail server and send out millions of spam messages.
- Businesses fight back using bogus access points.
- Network scanners distinguish between real and fake APs.
- Fast Packet Keying—to fix shortcomings of Wired Equivalent Privacy (WEP)


ETHICAL DILEMMA

Ethical Hacking

- Marc Maiffret
  - He started as a hacker.
  - He now designs and sells software for companies to secure their networks against hackers.
- eEye Digital Security
  - Maiffret—Chief Hacking Officer.
  - Software prevents unauthorized access.
  - Don’t hire anyone with a criminal record—“good” hackers don’t get caught.


NET STATS

Top Cyber Threats

- In 1988, Robert Morris’s worm (actually, a bug) crashed 6,000 computers.
- According to Kaspersky Lab, for 2010 and beyond they expect to see an increase in the following:
  1. File sharing network attacks
  2. Use of botnet services
  3. Fake antivirus programs
  4. More sophisticated malware
  5. Web services attacks
  6. Popular mobile handsets attacks
  7. Social networking site attacks
  8. Third-party software attacks


Hacking an Airplane

- Aircraft use more and more information technologies.
  - For example, Boeing’s 787 Dreamliner has various onboard networks.
  - Network for providing in-flight Internet access is connected to control, navigation, and communication systems.
- Passengers could possibly access flight controls.
- IT experts urge Boeing to separate flight controls and passenger systems.
  - “This is serious.”
- In early 2010, the FAA issued a “special conditions alert” specifically aimed at Boeing 747-8/-8F.


COMING ATTRACTIONS

What Were You Thinking?

- Some advertisements are considered too raunchy.
  - When this happens, swift and decisive consumer backlash results in the advertiser pulling the ad.
- Emsense, a San Francisco-based company, has developed a headset for tracking brain activity.
  - The headset uses algorithms that translate physiological data into information about emotions.
- Other applications: Toshiba, Neurosky, University of Maryland.


POWERFUL PARTNERSHIPS

Netscape’s James H. Clark and Marc Andreessen

- World Wide Web came into existence in 1993
- 1994—James H. Clark and Marc Andreessen founded Mosaic Communications Corporation (and Netscape browser)
- Clark—PhD in computer science from University of Utah
- Andreessen—Bachelors in computer science from University of Illinois in Urbana-Champaign
- Made Netscape free
  - Competition with Microsoft


WHEN THINGS GO WRONG

Backhoe Cyberthreat

- Telecommunications infrastructure is vulnerable.
  - Telephone lines, fiber-optic cables, water lines, gas pipelines have been accidentally damaged.
  - 675,000 incidents reported in 1 year
- Underwater cables are frequently cut by accident.
  - Cable cuts happen on average once every three days.
- Infrastructure information is publicly available.
  - Most of Internet communication goes through cables buried along major highways and railroads.
  - Only two major routes across United States are for Internet traffic.


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.

Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall