05-02-2013

Management Information Systems

Chapter 8 Securing Information Systems

LEARNING OBJECTIVES

• Explain why information systems are vulnerable to destruction, error, and abuse.
• Assess the business value of security and control.
• Identify the components of an organizational framework for security and control.
• Evaluate the most important tools and technologies for safeguarding information resources.

© 2010 by Prentice Hall

Boston Celtics Score Big Points Against Spyware

• Problem: Spyware infecting laptops during team travel, affecting accessibility and performance of proprietary system
• Solutions: Deploy security software to reduce spyware.
  • Mi5 Networks' Webgate security appliance sits between corporate firewall and network to prevent spyware entering network or infected computers connecting to network
• Demonstrates IT's role in combating malicious software
• Illustrates digital technology's role in achieving security on the Web

System Vulnerability and Abuse

• Security:
  • Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls:
  • Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards

• Why systems are vulnerable
  • Hardware problems: breakdowns, configuration errors, damage from improper use or crime
  • Software problems: programming errors, installation errors, unauthorized changes
  • Disasters: power failures, flood, fires, etc.
  • Use of networks and computers outside of firm's control, e.g., with domestic or offshore outsourcing vendors

Figure 8-1 Contemporary Security Challenges and Vulnerabilities
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

• Internet vulnerabilities
  • Network open to anyone
  • Size of Internet means abuses can have wide impact
  • Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers
  • E-mail attachments
  • E-mail used for transmitting trade secrets
  • IM messages lack security, can be easily intercepted

• Wireless security challenges
  • Radio frequency bands easy to scan
  • SSIDs (service set identifiers)
    • Identify access points
    • Broadcast multiple times
  • War driving
    • Eavesdroppers drive by buildings and try to intercept network traffic
    • Once an intruder knows the SSID of an open or weakly protected network, has access to network's resources (the SSID is only the network's name, not a secret; hiding it is no substitute for encryption and authentication)
  • WEP (Wired Equivalent Privacy)
    • Security standard for 802.11
    • Basic specification uses shared password for both users and access point
    • Users often fail to use security features
    • Even when enabled, WEP's encryption is cryptographically broken and the key can be recovered from captured traffic; it has been superseded by WPA2

Figure 8-2 Wi-Fi Security Challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

The Worst Data Theft Ever?

• Read the Interactive Session: Organizations and then discuss the following questions:
  • List and describe the security control weaknesses at TJX Companies
  • What management, organization, and technology factors contributed to these weaknesses?
  • What was the business impact of TJX's data loss on TJX, consumers, and banks?
  • How effectively did TJX deal with these problems?
  • Who should be held liable for the losses caused by the use of fraudulent credit cards in this case? The banks issuing the cards or the consumers? Justify your answer.
  • What solutions would you suggest to prevent the problems?

• Malicious software (malware)
  • Viruses: Rogue software program that attaches itself to other software programs or data files in order to be executed
  • Worms: Independent computer programs that copy themselves from one computer to other computers over a network
  • Trojan horses: Software program that appears to be benign but then does something other than expected
  • Spyware: Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
  • Key loggers: Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks

• Hackers and computer crime
  • Hackers vs. crackers
  • Activities include
    • System intrusion
    • Theft of goods and information
    • System damage
    • Cybervandalism: Intentional disruption, defacement, destruction of Web site or corporate information system

• Spoofing
  • Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
  • Redirecting Web link to address different from intended one, with site masquerading as intended destination
• Sniffer: Eavesdropping program that monitors information traveling over network
• Denial-of-service attacks (DoS): Flooding server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS
• Botnets: Networks of "zombie" PCs infiltrated by bot malware

• Computer crime
  • Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
  • Computer may be target of crime, e.g.:
    • Breaching confidentiality of protected computerized data
    • Accessing a computer system without authority
  • Computer may be instrument of crime, e.g.:
    • Theft of trade secrets
    • Using e-mail for threats or harassment
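The flooding pattern described in the DoS and DDoS bullets above, turned into detection logic. This is an added example written for this page, not code from the textbook or its publisher; the log line layout, the client addresses and the thresholds (5 requests per client and 20 in total per one-second window) are assumptions chosen for the demonstration, and the log lines are constructed inline rather than captured from a real server.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LogEntry is one parsed request: the client that sent it and when.
type LogEntry struct {
	Source string
	At     time.Time
}

// ParseLogLine reads the constructed line layout "<client-ip> <RFC3339-time> <request>".
// Real server log formats differ; this layout is an assumption made for the example.
func ParseLogLine(line string) (LogEntry, error) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return LogEntry{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[1])
	if err != nil {
		return LogEntry{}, err
	}
	return LogEntry{Source: fields[0], At: at}, nil
}

// Flood is a burst that crossed a threshold; Source is the offending client, or
// "aggregate" when no single client is over its limit but the total is.
type Flood struct {
	Source string
	Count  int
	At     time.Time
}

// DetectFloods slides a window over time-ordered entries. More than perSourceMax
// requests from one client inside a window is the single-host DoS pattern; a total above
// totalMax while every client stays under its limit is the DDoS/botnet pattern, which a
// per-source threshold alone never catches.
func DetectFloods(entries []LogEntry, window time.Duration, perSourceMax, totalMax int) []Flood {
	var floods []Flood
	reported := map[string]bool{}
	start := 0
	for end := range entries {
		for entries[end].At.Sub(entries[start].At) > window {
			start++ // entries[start] has fallen out of the window
		}
		counts := map[string]int{}
		for _, e := range entries[start : end+1] {
			counts[e.Source]++
		}
		for src, n := range counts {
			if n > perSourceMax && !reported[src] {
				reported[src] = true
				floods = append(floods, Flood{src, n, entries[end].At})
			}
		}
		if total := end - start + 1; total > totalMax && !reported["aggregate"] {
			reported["aggregate"] = true
			floods = append(floods, Flood{"aggregate", total, entries[end].At})
		}
	}
	return floods
}

// SampleLog builds constructed log lines (not real traffic): normal browsing, then one host
// firing eight requests within one second, then thirty bots sending one request each.
func SampleLog() []string {
	base := time.Date(2013, 2, 5, 9, 0, 0, 0, time.UTC)
	stamp := func(t time.Time) string { return t.Format(time.RFC3339) }
	lines := []string{
		"192.0.2.10 " + stamp(base) + " GET /index.html",
		"192.0.2.11 " + stamp(base.Add(2*time.Second)) + " GET /catalog",
		"192.0.2.12 " + stamp(base.Add(4*time.Second)) + " GET /login",
	}
	for i := 0; i < 8; i++ {
		lines = append(lines, "203.0.113.7 "+stamp(base.Add(10*time.Second))+" GET /search?q=x")
	}
	for i := 1; i <= 30; i++ {
		lines = append(lines, fmt.Sprintf("198.51.100.%d %s GET /", i, stamp(base.Add(20*time.Second))))
	}
	return lines
}

// AnalyzeSample parses the constructed log and runs the detector with a one-second window,
// at most 5 requests per client and at most 20 requests in total per window.
func AnalyzeSample() ([]Flood, error) {
	var entries []LogEntry
	for _, line := range SampleLog() {
		e, err := ParseLogLine(line)
		if err != nil {
			return nil, err
		}
		entries = append(entries, e)
	}
	return DetectFloods(entries, time.Second, 5, 20), nil
}

func main() { fmt.Println(AnalyzeSample()) }
```

The second check is the one that matters for botnets: the load is spread across many zombie PCs so that no single source crosses a per-client limit, which is why the detector also watches the aggregate rate. In production the thresholds would come from a baseline of normal traffic, and the window would be kept as a ring buffer rather than recounted on every request.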

• Identity theft: Theft of personal information (social security id, driver's license or credit card numbers) to impersonate someone else
• Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser

• Click fraud
  • Individual or computer program clicks online ad without any intention of learning more or making a purchase
• Global threats - Cyberterrorism and cyberwarfare
  • Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups

• Internal threats – Employees
  • Security threats often originate inside an organization
    • Inside knowledge
    • Sloppy security procedures
    • User lack of knowledge
  • Social engineering:
    • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

• Software vulnerability
  • Commercial software contains flaws that create security vulnerabilities
    • Hidden bugs (program code defects)
    • Zero defects cannot be achieved because complete testing is not possible with large programs
    • Flaws can open networks to intruders
  • Patches
    • Vendors release small pieces of software to repair flaws
    • However, amount of software in use can mean exploits are created faster than patches can be released and implemented

Business Value of Security and Control

• Lack of security, control can lead to
  • Loss of revenue
    • Failed computer systems can lead to significant or total loss of business function
  • Lowered market value:
    • Information assets can have tremendous value
    • A security breach may cut into firm's market value almost immediately
  • Legal liability
  • Lowered employee productivity
  • Higher operational costs

• Legal and regulatory requirements for electronic records management
  • Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
    • HIPAA: Medical security and privacy rules and procedures
    • Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
    • Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

• Electronic evidence
  • Evidence for white collar crimes often found in digital form
    • Data stored on computer devices, e-mail, instant messages, e-commerce transactions
  • Proper control of data can save time, money when responding to legal discovery request
• Computer forensics:
  • Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
  • Includes recovery of ambient and hidden data

Establishing a Framework for Security and Control

• Information systems controls
  • General controls
    • Govern design, security, and use of computer programs and data throughout organization's IT infrastructure
    • Combination of hardware, software, and manual procedures to create overall control environment
  • Types of general controls
    • Software controls
    • Hardware controls
    • Computer operations controls
    • Data security controls
    • Implementation controls
    • Administrative controls

• Application controls
  • Specific controls unique to each computerized application, such as payroll or order processing
  • Include both automated and manual procedures
  • Ensure that only authorized data are completely and accurately processed by that application
  • Types of application controls:
    • Input controls
    • Processing controls
    • Output controls

• Risk assessment
  • Determines level of risk to firm if specific activity or process is not properly controlled
    • Types of threat
    • Probability of occurrence during year
    • Potential losses, value of threat
    • Expected annual loss

EXPOSURE        PROBABILITY   LOSS RANGE (AVERAGE)       EXPECTED ANNUAL LOSS
Power failure   30%           $5K - $200K ($102,500)     $30,750
Embezzlement    5%            $1K - $50K ($25,500)       $1,275
User error      98%           $200 - $40K ($20,100)      $19,698

The average is the midpoint of the loss range; expected annual loss = probability × average loss.
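The risk-assessment table above, reproduced as a calculation so the arithmetic behind its last two columns is explicit: the average is the midpoint of the loss range and the expected annual loss is probability times that average. This is an added example for this page, not the textbook's material; the parsing of the "$5K" notation, the ranking, and the `ControlJustified` cost-benefit check are assumptions of the example that go beyond what the slide itself shows.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Exposure is one row of the risk-assessment table.
type Exposure struct {
	Name        string
	Probability float64 // chance of occurring in a year, 0..1
	LossLow     float64 // dollars
	LossHigh    float64
}

// ParseDollars accepts the table's notation: "$200", "$5K", "$1.5M".
func ParseDollars(s string) (float64, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "$")
	mult := 1.0
	switch {
	case strings.HasSuffix(s, "K"):
		mult, s = 1e3, strings.TrimSuffix(s, "K")
	case strings.HasSuffix(s, "M"):
		mult, s = 1e6, strings.TrimSuffix(s, "M")
	}
	v, err := strconv.ParseFloat(strings.ReplaceAll(s, ",", ""), 64)
	if err != nil || v < 0 {
		return 0, fmt.Errorf("bad dollar amount %q", s)
	}
	return v * mult, nil
}

// ParseRange reads "$5K - $200K" into its bounds and rejects inverted ranges.
func ParseRange(r string) (low, high float64, err error) {
	parts := strings.Split(r, "-")
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("bad range %q", r)
	}
	if low, err = ParseDollars(parts[0]); err != nil {
		return 0, 0, err
	}
	if high, err = ParseDollars(parts[1]); err != nil {
		return 0, 0, err
	}
	if low > high {
		return 0, 0, fmt.Errorf("range %q is inverted", r)
	}
	return low, high, nil
}

// AverageLoss is the midpoint of the range, which is how the slide's "(AVERAGE)"
// column is obtained: ($5K + $200K) / 2 = $102,500.
func (e Exposure) AverageLoss() float64 { return (e.LossLow + e.LossHigh) / 2 }

// ExpectedAnnualLoss is probability times average loss, the slide's last column.
func (e Exposure) ExpectedAnnualLoss() float64 { return e.Probability * e.AverageLoss() }

// ControlJustified is the decision the assessment feeds (an assumption of this example,
// not a column of the slide): a control costing annualCost per year that removes the
// fraction `reduction` of the exposure pays for itself only if the avoided expected loss
// exceeds its cost.
func (e Exposure) ControlJustified(annualCost, reduction float64) bool {
	return e.ExpectedAnnualLoss()*reduction > annualCost
}

// RankByALE orders exposures from largest to smallest expected annual loss.
func RankByALE(exposures []Exposure) []Exposure {
	out := append([]Exposure(nil), exposures...)
	sort.SliceStable(out, func(i, j int) bool {
		return out[i].ExpectedAnnualLoss() > out[j].ExpectedAnnualLoss()
	})
	return out
}

// SlideTable rebuilds the three rows shown on the slide from their printed form.
func SlideTable() ([]Exposure, error) {
	rows := []struct {
		name string
		prob float64
		rng  string
	}{
		{"Power failure", 0.30, "$5K - $200K"},
		{"Embezzlement", 0.05, "$1K - $50K"},
		{"User error", 0.98, "$200 - $40K"},
	}
	var out []Exposure
	for _, r := range rows {
		low, high, err := ParseRange(r.rng)
		if err != nil {
			return nil, err
		}
		out = append(out, Exposure{r.name, r.prob, low, high})
	}
	return out, nil
}

func main() {
	table, err := SlideTable()
	if err != nil {
		panic(err)
	}
	for _, e := range RankByALE(table) {
		fmt.Printf("%-14s ALE=$%.0f\n", e.Name, e.ExpectedAnnualLoss())
	}
}
```

Ranking by expected annual loss is what turns the table into a budget: user error, with a modest average loss but near-certain occurrence, outranks embezzlement by more than an order of magnitude, so controls against it compete first for funding.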

• Security policy
  • Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
  • Drives other policies
    • Acceptable use policy (AUP): Defines acceptable uses of firm's information resources and computing equipment
    • Authorization policies: Determine differing levels of user access to information assets
• Authorization management systems
  • Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules, profile

Figure 8-3 Security Profiles for a Personnel System
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.

• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after disaster
• Both types of plans needed to identify firm's most critical systems and business processes
  • Business impact analysis to determine impact of an outage
  • Management must determine
    • Maximum time systems can be down
    • Which systems must be restored first

• MIS audit
  • Examines firm's overall security environment as well as controls governing individual information systems
  • Reviews technologies, procedures, documentation, training, and personnel
  • May even simulate disaster to test response of technology, IS staff, other employees
  • Lists and ranks all control weaknesses and estimates probability of their occurrence
  • Assesses financial and organizational impact of each threat

Figure 8-4 Sample Auditor's List of Control Weaknesses
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

Technologies and Tools for Security

• Access control: Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
  • Authorization
  • Authentication
    • Password systems
    • Tokens
    • Smart cards
    • Biometric authentication

• Firewall: Hardware and/or software to prevent unauthorized access to private networks
  • Screening technologies
    • Packet filtering
    • Stateful inspection
    • Network address translation (NAT)
    • Application proxy filtering
• Intrusion detection systems: Monitor vulnerable points on networks to detect and deter intruders
  • Examines events as they are happening to discover attacks in progress
  • Scans network to find patterns indicative of attacks

Figure 8-5 A Corporate Firewall
The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.
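Packet filtering and stateful inspection from the list above, side by side, as an added example written for this page rather than code from the textbook or any firewall product. The rule set (outbound HTTPS from 10.0.0.0/8 only), the addresses and the three packets are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields a screening router inspects.
type Packet struct {
	Proto            string // "tcp" or "udp"
	Src, Dst         net.IP
	SrcPort, DstPort int
	Syn, Ack         bool // TCP flags; ignored for UDP
}

// Rule is one line of an ordered access list; nil networks and a zero port match anything.
type Rule struct {
	Allow          bool
	Proto          string
	SrcNet, DstNet *net.IPNet
	DstPort        int
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.SrcNet == nil || r.SrcNet.Contains(p.Src)) &&
		(r.DstNet == nil || r.DstNet.Contains(p.Dst)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// PacketFilter judges every packet on its own: first matching rule wins, no match means drop.
func PacketFilter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return false
}

// flowKey is the 5-tuple that identifies a connection.
type flowKey struct {
	proto, src, dst  string
	srcPort, dstPort int
}

func keyOf(p Packet) flowKey {
	return flowKey{p.Proto, p.Src.String(), p.Dst.String(), p.SrcPort, p.DstPort}
}

// StatefulFilter keeps a table of connections it has admitted. Packets of a known connection
// pass in either direction without consulting the rules; anything else must be a
// connection-opening SYN that the rules allow, so a stray ACK from an unknown host is dropped.
type StatefulFilter struct {
	Rules []Rule
	flows map[flowKey]bool
}

func (f *StatefulFilter) Admit(p Packet) bool {
	k := keyOf(p)
	back := flowKey{k.proto, k.dst, k.src, k.dstPort, k.srcPort}
	if f.flows[k] || f.flows[back] {
		return true
	}
	if p.Proto == "tcp" && (!p.Syn || p.Ack) {
		return false // not a connection opener and not part of a tracked connection
	}
	if !PacketFilter(f.Rules, p) {
		return false
	}
	f.flows[k] = true
	return true
}

// Scenario sends three constructed packets through both filters and returns the verdicts as
// [packet][stateless, stateful]: an outbound HTTPS SYN, the server's SYN/ACK reply, and a
// forged ACK from a third party pretending to be that reply.
func Scenario() ([3][2]bool, error) {
	var verdicts [3][2]bool
	_, internalNet, err := net.ParseCIDR("10.0.0.0/8")
	if err != nil {
		return verdicts, err
	}
	rules := []Rule{{Allow: true, Proto: "tcp", SrcNet: internalNet, DstPort: 443}} // outbound HTTPS only
	stateful := &StatefulFilter{Rules: rules, flows: map[flowKey]bool{}}
	client, server, attacker := net.ParseIP("10.0.0.5"), net.ParseIP("192.0.2.80"), net.ParseIP("198.51.100.9")
	packets := [3]Packet{
		{"tcp", client, server, 51000, 443, true, false},
		{"tcp", server, client, 443, 51000, true, true},
		{"tcp", attacker, client, 443, 51000, false, true},
	}
	for i, p := range packets {
		verdicts[i] = [2]bool{PacketFilter(rules, p), stateful.Admit(p)}
	}
	return verdicts, nil
}

func main() { fmt.Println(Scenario()) }
```

The second packet is the reply to a connection the client itself opened. The stateless filter has no memory and drops it, which in practice pushes administrators to add a broad "allow inbound TCP with ACK set" rule; the third packet shows why that rule is dangerous, and why the stateful filter, which admits mid-stream packets only for connections it saw open, can reject it while still letting the genuine reply through.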

• Antivirus and antispyware software:
  • Checks computers for presence of malware and can often eliminate it as well
  • Require continual updating
• Unified threat management (UTM)
  • Comprehensive security management products
  • Tools include
    • Firewalls
    • Intrusion detection
    • VPNs
    • Web content filtering
    • Antispam software

• Securing wireless networks
  • WEP security can be improved:
    • Activating it
    • Assigning unique name to network's SSID
    • Using it with VPN technology
    • These steps raise the bar only slightly; WEP itself remains breakable, so the VPN, not WEP, is what protects the traffic
  • Wi-Fi Alliance finalized WPA2 specification, replacing WEP with stronger standards
    • Continually changing keys
    • Encrypted authentication system with central server

• Encryption:
  • Transforming text or data into cipher text that cannot be read by unintended recipients
  • Two methods for encrypting network traffic
    • Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS)
    • Secure Hypertext Transfer Protocol (S-HTTP), a message-level scheme that saw little deployment; in practice Web traffic is protected by HTTP over SSL/TLS, i.e., HTTPS
  • Two methods of encryption
    • Symmetric key encryption
    • Public key encryption

Figure 8-6 Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

• Digital certificate:
  • Data file used to establish the identity of users and electronic assets for protection of online transactions
  • Uses a trusted third party, certification authority (CA), to validate a user's identity
  • CA verifies user's identity, stores information in CA server, which generates a digitally signed certificate containing owner ID information and copy of owner's public key (the certificate is signed with the CA's private key, not encrypted: anyone can read it, but only the CA can produce it)
• Public key infrastructure (PKI)
  • Use of public key cryptography working with certificate authority
  • Widely used in e-commerce

Figure 8-7 Digital Certificates
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.

• Ensuring system availability
  • Online transaction processing requires 100% availability, no downtime
• Fault-tolerant computer systems
  • For continuous availability
  • Contain redundant hardware, software, and power supply components to provide continuous, uninterrupted service
• High-availability computing
  • Helps recover quickly from crash
  • Minimizes, does not eliminate downtime

• Recovery-oriented computing
  • Designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multi-component systems
• Controlling network traffic
  • Deep packet inspection (DPI)
• Security outsourcing
  • Managed security service providers (MSSPs)

Can Salesforce.com On-Demand Remain in Demand?

• Read the Interactive Session: Technology and then discuss the following questions:
  • How did the problems experienced by Salesforce.com impact its business?
  • How did the problems impact its customers?
  • What steps did Salesforce.com take to solve the problems? Were these steps sufficient?
  • List and describe other vulnerabilities discussed in this chapter that might create outages at Salesforce.com and measures to safeguard against them.

• Ensuring software quality
  • Software metrics: Objective assessments of system in form of quantified measurements
    • Number of transactions
    • Online response time
    • Payroll checks printed per hour
    • Known bugs per hundred lines of code
  • Testing: Early and regular testing
    • Walkthrough: Review of specification or design document by small group of qualified people
    • Debugging: Process by which errors are eliminated

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.

Copyright © 2010 Pearson Education, Inc.
Publishing as Prentice Hall
