Management Information Systems Chapter 8 ... - WordPress.com

licoricebedsSecurity

Feb 22, 2014 (3 years and 3 months ago)


© 2007 by Prentice Hall

Chapter 8

Securing Information Systems


LEARNING OBJECTIVES

Management Information Systems

Chapter 8 Securing Information Systems


Analyze why information systems need special
protection from destruction, error, and abuse.


Assess the business value of security and control.


Design an organizational framework for security and
control.


Evaluate the most important tools and technologies
for safeguarding information resources.


Phishing: A Costly New Sport for Internet Users


Problem: Large number of vulnerable users of online financial services, ease of creating bogus Web sites.


Solutions: Deploy anti-phishing software and services and a multilevel authentication system to identify threats and reduce phishing attempts.


Deploying new tools, technologies, and security procedures, along with educating consumers, increases reliability and customer confidence.


Demonstrates IT’s role in combating cyber crime.


Illustrates digital technology as part of a multilevel
solution as well as its limitations in overcoming
discouraged consumers.


Systems Vulnerability and Abuse


Security


Policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to
information systems


Controls


Methods, policies, and organizational procedures that ensure:


Safety of organization’s assets


Accuracy and reliability of accounting records


Operational adherence to management standards



Systems Vulnerability and Abuse


Why systems are vulnerable


Electronic data vulnerable to more types of threats
than manual data


Networks


Potential for unauthorized access, abuse, or fraud is not
limited to single location but can occur at any access point
in network


Vulnerabilities exist at each layer and between layers


E.g. user error, viruses, hackers, radiation, hardware or
software failure, theft



Contemporary Security Challenges and Vulnerabilities

Figure 8-1

The architecture of a Web-based application typically includes a Web client, a server, and corporate information
systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods,
fires, power failures, and other electrical problems can cause disruptions at any point in the network.


Systems Vulnerability and Abuse


Internet vulnerabilities


Public network, so open to anyone


Size of Internet means abuses may have
widespread impact


Fixed IP addresses are fixed target for hackers


VoIP phone service vulnerable to interception


E-mail, instant messaging vulnerable to malicious
software, interception


Systems Vulnerability and Abuse


Wireless security challenges


Many home networks and public hotspots open to anyone,
so not secure, communication unencrypted


LANs using 802.11 standard can be easily penetrated


Service set identifiers (SSIDs) identify access points in Wi-Fi network and are broadcast multiple times


WEP (Wired Equivalent Privacy): Initial Wi-Fi security standard not very effective as access point and all users
share same password


Wi-Fi Security Challenges

Figure 8-2

Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access
the resources of a network without authorization.


Systems Vulnerability and Abuse


Malicious software (malware)


Computer virus


Rogue software program that attaches to other
programs or data files


Payload may be relatively benign or highly destructive


Worm:


Independent program that copies itself over network



Viruses and worms spread via:


Downloaded software files


E-mail attachments


Infected e-mail messages or instant messages


Infected disks or machines


Systems Vulnerability and Abuse


Trojan horse


Software program that appears to be benign but then does
something other than expected


Does not replicate but often is way for viruses or malicious
code to enter computer system


Spyware



Small programs installed surreptitiously on computers to
monitor user Web surfing activity and serve advertising


Key loggers


Record and transmit every keystroke on computer


Steal serial numbers, passwords


Systems Vulnerability and Abuse


Hacker


Individual who intends to gain unauthorized access to
computer system


Cybervandalism


Intentional disruption, defacement, or destruction of Web
site or corporate information system


Spoofing


Misrepresentation, e.g. by using fake e-mail addresses or
redirecting to fake Web site


Sniffer:


Eavesdropping program that monitors information traveling
over network


Systems Vulnerability and Abuse


Denial-of-service (DoS) attack:


Flooding network or Web server with thousands of false
requests so as to crash or slow network



Distributed denial-of-service (DDoS) attack


Uses hundreds or thousands of computers to inundate and
overwhelm network from many launch points


Botnet


Collection of “zombie” PCs infected with malicious
software without their owners’ knowledge and used to
launch DDoS or perpetrate other crimes


Worldwide Damage from Digital Attacks

Figure 8-3

This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999.
These data are based on figures from mi2G and the authors.



Read the Interactive Session: Technology, and then
discuss the following questions:


What is the business impact of botnets?


What management, organization, and technology factors
should be addressed in a plan to prevent botnet attacks?


How easy would it be for a small business to combat botnet
attacks? A large business?

Bot Armies and Network Zombies


Systems Vulnerability and Abuse


Computer crime


Computer as target of crime


Accessing computer without authority


Breaching confidentiality of protected computerized data


Computer as instrument of crime


Theft of trade secrets and unauthorized copying of software or
copyrighted intellectual property


Using e-mail for threats or harassment


Most economically damaging computer crimes


DoS attacks and viruses


Theft of service and disruption of computer systems


Systems Vulnerability and Abuse


Identity theft


Using key pieces of personal information (social security
numbers, driver’s license numbers, or credit card numbers) to
impersonate someone else


Phishing


Setting up fake Web sites or sending e-mail messages that look
like those of legitimate businesses to ask users for confidential
personal data


Evil twins


Bogus wireless networks used to offer Internet connections,
then to capture passwords or credit card numbers


Systems Vulnerability and Abuse


Pharming


Redirecting users to bogus Web page, even when individual
types correct address into browser


Computer Fraud and Abuse Act (1986)


Makes it illegal to access computer system without authorization


Click fraud


Fraudulently clicking on online ad without intention of learning
more about advertiser or making purchase


Cyberterrorism and cyberwarfare:


At least twenty countries are believed to be developing offensive
and defensive cyberwarfare capabilities


Systems Vulnerability and Abuse


Internal threats: Employees


Company insiders pose serious security problems


Access to inside information like security codes and passwords


May leave little trace


User lack of knowledge: Single greatest cause of network
security breaches


Compromised passwords


Social engineering


Errors introduced into software by:


Faulty data entry, misuse of system


Mistakes in programming, system design


Systems Vulnerability and Abuse


Software vulnerability


Software errors are constant threat to information systems


Cost U.S. economy $59.6 billion each year


Can enable malware to slip past antivirus defenses


Patches


Created by software vendors to update and fix
vulnerabilities


However, maintaining patches on all firm’s devices is time
consuming and evolves more slowly than malware


Business Value of Security and Control


Business value of security and control


Protection of confidential corporate and personal information


Value of information assets


Security breach of large firm results in average loss of 2.1 %
of market value


Legal liability


Electronic Records Management (ERM)


Policies, procedures, and tools for managing retention,
destruction, and storage of electronic records


Business Value of Security and Control


Legal and regulatory requirements for ERM


HIPAA


Outlines medical security and privacy rules


Gramm-Leach-Bliley Act


Requires financial institutions to ensure security and
confidentiality of customer data


Sarbanes-Oxley Act


Imposes responsibility on companies and their
management to safeguard accuracy and integrity of
financial information used internally and released externally


Business Value of Security and Control


Electronic evidence and computer
forensics


Legal cases today increasingly rely on evidence
represented as digital data


E-mail most common electronic evidence


Courts impose severe financial, even criminal
penalties for improper destruction of electronic
documents, failure to produce records, and failure
to store records properly


Business Value of Security and Control


Computer forensics


Scientific collection, examination,
authentication, preservation, and analysis of
data on computer storage media so that it can
be used as evidence in a court


Awareness of computer forensics should be
incorporated into firm’s contingency planning
process


Establishing a Framework for Security and Control


ISO 17799


International standards for security and control; specifies best
practices in information systems security and control


Risk Assessment


Determines level of risk to firm if specific activity or process is not
properly controlled


Value of information assets


Points of vulnerability


Likely frequency of problem


Potential for damage


Once risks are assessed, system builders concentrate on control
points with greatest vulnerability and potential for loss


Establishing a Framework for Security and Control


Table 8-3: Online Order Processing Risk Assessment

EXPOSURE        PROBABILITY OF OCCURRENCE   LOSS RANGE / (AVERAGE)          EXPECTED ANNUAL LOSS
Power failure   30 %                        $5,000 - $200,000 ($102,500)    $30,750
Embezzlement    5 %                         $1,000 - $50,000 ($25,500)      $1,275
User error      98 %                        $200 - $40,000 ($20,100)        $19,698



Security policy


Statements ranking information risks, identifying acceptable
security goals, and identifying mechanisms for achieving
these goals


Chief Security Officer (CSO)


Heads security group in larger firms


Responsible for enforcing security policy


Security group


Educates and trains users


Keeps management aware of security threats and
breakdowns


Maintains tools chosen to implement security

Technologies and Tools for Security



Acceptable Use Policy (AUP)


Defines acceptable uses of firm’s information resources and
computing equipment


A good AUP defines acceptable actions for every user and
specifies consequences for noncompliance


Authorization policies


Determine level of access to information assets for different
levels of users


Authorization management systems


Allow each user access only to those portions of system that
person is permitted to enter, based on information
established by set of access rules


Security Profiles for a Personnel System

Figure 8-4

These two examples represent two security profiles or data security patterns that might be found in a personnel
system. Depending on the security profile, a user would have certain restrictions on access to various systems,
locations, or data in an organization.



Ensuring business continuity


Fault-tolerant computer systems


Ensure 100% availability


Utilize redundant hardware, software, power supply components


Critical for online transaction processing


High availability computing


Tries to minimize downtime


Helps firms recover quickly from system crash


Utilizes backup servers, distributed processing, high capacity
storage, disaster recovery and business continuity plans


Recovery-oriented computing: Designing systems,
capabilities, tools that aid in quick recovery, correcting mistakes



Disaster recovery planning


Restoring computing and communication services after
earthquake, flood, etc.


Can be outsourced to disaster recovery firms


Business continuity planning


Restoring business operations after disaster


Identifies critical business processes and determines how to
handle them if systems go down


Business impact analysis


Use to identify most critical systems and impact system outage has
on business



Auditing


MIS audit: Examines firm’s overall security environment as
well as controls governing individual information systems


Security audit: Reviews technologies, procedures,
documentation, training, and personnel


Audits:


List and rank all control weaknesses


Estimate probability of occurrence


Assess financial and organizational impact of each threat


Sample Auditor’s List of Control Weaknesses

Figure 8-5

This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a
local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of
discussing those weaknesses with management, as well as any corrective actions taken by management.



Access control


Policies and procedures used to prevent improper access to
systems by unauthorized insiders and outsiders


Users must be authorized and authenticated


Authentication:


Typically established by password systems


New authentication technologies:


Tokens


Smart cards


Biometric authentication



Firewalls:


Hardware and software controlling flow of incoming
and outgoing network traffic


Prevents unauthorized access


Screening technologies


Packet filtering


Stateful inspection


Network address translation (NAT)


Application proxy filtering


A Corporate Firewall

Figure 8-6

The firewall is placed between the firm’s private network and the public Internet or another distrusted
network to protect against unauthorized traffic.



Intrusion detection systems:


Full-time, real-time monitoring tools


Placed at most vulnerable points of corporate networks
to detect and deter intruders


Scanning software looks for patterns such as bad
passwords, removal of important files, and notifies
administrators



Antivirus software, antispyware software


Antivirus software:


Checks computer systems and drives for presence of
computer viruses


To remain effective, antivirus software must be continually
updated


Antispyware software tools:


Many leading antivirus software vendors include
protection against spyware


Standalone tools available (Ad-Aware, Spybot)



Securing wireless networks


WEP: Provides some measure of security if activated


VPN technology: Can be used by corporations to help
security


802.11i specification: Tightens security for wireless LANs


Longer encryption keys that are not static


Central authentication server


Mutual authentication


Wireless security should be accompanied by appropriate
policies and procedures for using wireless devices



Read the Interactive Session: Management, and then
discuss the following questions:


How are Unilever executives’ wireless handhelds related to
the company’s business performance?


Discuss the potential impact of a security breach at Unilever.


What management, organization, and technology factors had
to be addressed in developing security policies and
procedures for Unilever’s wireless handhelds?


Is it a good idea to allow Unilever executives to use both
BlackBerrys and cell phones? Why or why not?

Unilever Secures Its Mobile Devices



Encryption:


Transforming message into cipher text, using encryption key


Receiver must decrypt encoded message


Two main methods for encrypting network traffic


Secure Sockets Layer (SSL) /Transport Layer Security
(TLS)


Establishes secure connection between two computers


Secure HTTP (S-HTTP)


Encrypts individual messages





Two methods of encryption:



Symmetric key encryption


Shared, single encryption key sent to receiver


Public key encryption


Two keys, one shared/public and one private


Messages encrypted with recipient’s public key
but can only be decoded with recipient’s private
key


Public Key Encryption

Figure 8-7

A public key encryption system can be viewed as a series of public and private keys that lock data when they are
transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a
directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private
network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and
read the message.



Digital signature


Encrypted message that only sender with private key can create


Used to verify origin and contents of message


Digital certificates


Data files used to establish identity of users and electronic assets
for protection of online transactions


Uses trusted third party, certificate authority (CA), to validate user’s
identity


Public Key Infrastructure (PKI)


Use of public key cryptography working with certificate authority


Digital Certificates

Figure 8-8

Digital certificates help establish the identity of people or electronic assets. They protect online transactions
by providing secure, encrypted, online communication.
